[systemd-devel] [PATCH 2/2] ima: Write the policy filename into IMA's sysfs policy file

Stefan Berger stefanb at linux.vnet.ibm.com
Mon Nov 28 19:17:20 UTC 2016


From: Stefan Berger <stefanb at us.ibm.com>

IMA validates file signatures based on the security.ima xattr. As of
Linux-4.7, instead of copying the IMA policy into the securityfs policy,
the IMA policy pathname can be written, allowing the IMA policy file
signature to be validated.

This patch modifies the existing code to first attempt to write the
pathname, but on failure fall back to copying the IMA policy contents.

Signed-off-by: Stefan Berger <stefanb at linux.vnet.ibm.com>
---
 src/core/ima-setup.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/src/core/ima-setup.c b/src/core/ima-setup.c
index 220492b..5142adb 100644
--- a/src/core/ima-setup.c
+++ b/src/core/ima-setup.c
@@ -54,7 +54,7 @@ static int ima_load_policy(FILE *input, const char *policy_path) {
         unsigned lineno = 0;
         char line[page_size()];
 
-        if (access(IMA_SECFS_POLICY, F_OK) < 0) {
+        if (access(IMA_SECFS_POLICY, W_OK) < 0) {
                 log_warning("Another IMA custom policy has already been loaded, ignoring.");
                 return 0;
         }
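Review bot: The F_OK to W_OK change is not explained in the commit message, and the unchanged warning text no longer matches the check: access(IMA_SECFS_POLICY, W_OK) also fails when the file exists but is simply not writable by the caller, yet the log still reports "Another IMA custom policy has already been loaded". Either add a sentence to the commit message describing why writability rather than existence is the right test, or log errno alongside the warning (for example with log_warning_errno) so an unexpected permission failure is distinguishable from a policy that was already loaded.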
@@ -65,6 +65,19 @@ static int ima_load_policy(FILE *input, const char *policy_path) {
                 return 0;
         }
 
+        /* attempt to write the name of the policy file into sysfs file */
+        if (write(imafd, policy_path, strlen(policy_path)) > 0)
+                goto done;
+
+        /* fall back to copying the policy line-by-line */
+        close(imafd);
+
+        imafd = open(IMA_SECFS_POLICY, O_WRONLY|O_CLOEXEC);
+        if (imafd < 0) {
+                log_error_errno(errno, "Failed to open the IMA kernel interface "IMA_SECFS_POLICY", ignoring: %m");
+                return 0;
+        }
+
         FOREACH_LINE(line, input,
                      return log_error_errno(errno, "Failed to read the IMA custom policy file %s: %m", policy_path)) {
                 size_t len;
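Review bot: The success test `if (write(imafd, policy_path, strlen(policy_path)) > 0)` treats a short write as success; compare the return value against (ssize_t) strlen(policy_path) instead, otherwise a truncated pathname would be handed to the kernel and the line-by-line fallback never taken. The failure branch also discards errno, so there is no way to tell from the logs whether the pathname write was rejected because the kernel predates 4.7 or for another reason; a log_debug_errno before the close() would make the fallback observable. Minor: the fallback reopens IMA_SECFS_POLICY with the same open() and error handling already used for the first open, so factoring that into a small helper would avoid duplicating the error message string.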
@@ -77,6 +90,7 @@ static int ima_load_policy(FILE *input, const char *policy_path) {
                                                policy_path, lineno);
         }
 
+done:
         log_info("Successfully loaded the IMA custom policy %s.", policy_path);
 
         return 0;
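Review bot: With the new done: label the "Successfully loaded the IMA custom policy" message is now reached by two different mechanisms (pathname written to the kernel, or contents copied line by line), which behave differently with respect to signature validation of the policy file; consider logging which path was taken so an administrator can confirm from the journal that the signed-policy route was actually used.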
-- 
2.7.4


