[systemd-devel] [PATCH 1/2] ima: Have IMA policy loaded from /etc/sysconfig or /etc/default.
Stefan Berger
stefanb at linux.vnet.ibm.com
Mon Nov 28 19:17:19 UTC 2016
From: Stefan Berger <stefanb at us.ibm.com>
Fedora has its policy in /etc/sysconfig/ima-policy while Ubuntu
has it in /etc/default/ima-policy. So we try to read the IMA policy
from one location and try it from another location if it couldn't
be found. To maintain backwards compatibility, we also try
/etc/ima/ima-policy.
Signed-off-by: Stefan Berger <stefanb at linux.vnet.ibm.com>
---
src/core/ima-setup.c | 74 ++++++++++++++++++++++++++++++++++++++--------------
1 file changed, 54 insertions(+), 20 deletions(-)
diff --git a/src/core/ima-setup.c b/src/core/ima-setup.c
index d1b0ce7..220492b 100644
--- a/src/core/ima-setup.c
+++ b/src/core/ima-setup.c
@@ -5,6 +5,8 @@
Copyright (C) 2012 Roberto Sassu - Politecnico di Torino, Italy
TORSEC group — http://security.polito.it
+ Copyright (C) 2016 IBM Corporation
+
systemd is free software; you can redistribute it and/or modify it
under the terms of the GNU Lesser General Public License as published by
the Free Software Foundation; either version 2.1 of the License, or
@@ -30,27 +32,28 @@
#define IMA_SECFS_DIR "/sys/kernel/security/ima"
#define IMA_SECFS_POLICY IMA_SECFS_DIR "/policy"
-#define IMA_POLICY_PATH "/etc/ima/ima-policy"
-int ima_setup(void) {
#ifdef HAVE_IMA
- _cleanup_fclose_ FILE *input = NULL;
+static const char *ima_policy_paths[] = {
+ "/etc/ima/ima-policy",
+ "/etc/sysconfig/ima-policy",
+ "/etc/default/ima-policy",
+ NULL,
+};
+
+/*
+ * ima_load_policy: Load the ima policy at the given path.
+ *
+ * ima_load_policy: Load the ima policy from the given file. First
+ * try loading it by writing the name of file policy's file into IMA
+ * sysfs policy file. If this fails, fall back to copying the policy
+ * in the sysfs policy file.
+ */
+static int ima_load_policy(FILE *input, const char *policy_path) {
_cleanup_close_ int imafd = -1;
unsigned lineno = 0;
char line[page_size()];
- if (access(IMA_SECFS_DIR, F_OK) < 0) {
- log_debug("IMA support is disabled in the kernel, ignoring.");
- return 0;
- }
-
- input = fopen(IMA_POLICY_PATH, "re");
- if (!input) {
- log_full_errno(errno == ENOENT ? LOG_DEBUG : LOG_WARNING, errno,
- "Failed to open the IMA custom policy file "IMA_POLICY_PATH", ignoring: %m");
- return 0;
- }
-
if (access(IMA_SECFS_POLICY, F_OK) < 0) {
log_warning("Another IMA custom policy has already been loaded, ignoring.");
return 0;
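Review bot: The block comment added above ima_load_policy describes behaviour this hunk does not implement: it says the policy file's name is first written into the IMA sysfs policy file with a fallback to copying, but the code that follows only copies the opened file line by line into IMA_SECFS_POLICY, and the first two lines of the comment repeat each other. Suggest reducing it to what the function does in this patch, e.g. `/* ima_load_policy: copy the policy in 'input' (opened from policy_path) line by line into IMA_SECFS_POLICY; returns 0 on success, otherwise the value of log_error_errno(). */`, and extending it in the patch that actually adds the path-writing step, if that is what 2/2 does. ima_load_policy's body continues in the next hunk.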
@@ -63,18 +66,49 @@ int ima_setup(void) {
}
FOREACH_LINE(line, input,
- return log_error_errno(errno, "Failed to read the IMA custom policy file "IMA_POLICY_PATH": %m")) {
+ return log_error_errno(errno, "Failed to read the IMA custom policy file %s: %m", policy_path)) {
size_t len;
len = strlen(line);
lineno++;
if (len > 0 && write(imafd, line, len) < 0)
- return log_error_errno(errno, "Failed to load the IMA custom policy file "IMA_POLICY_PATH"%u: %m",
- lineno);
+ return log_error_errno(errno, "Failed to load the IMA custom policy file %s %u: %m",
+ policy_path, lineno);
}
- log_info("Successfully loaded the IMA custom policy "IMA_POLICY_PATH".");
-#endif /* HAVE_IMA */
+ log_info("Successfully loaded the IMA custom policy %s.", policy_path);
+
+ return 0;
+}
+
+int ima_setup(void) {
+ int i = 0;
+ const char *policy_path;
+ _cleanup_fclose_ FILE *input;
+
+ if (access(IMA_SECFS_DIR, F_OK) < 0) {
+ log_debug("IMA support is disabled in the kernel, ignoring.");
+ return 0;
+ }
+
+ while ((policy_path = ima_policy_paths[i++]) != NULL) {
+ input = fopen(policy_path, "re");
+ if (!input) {
+ log_full_errno(errno == ENOENT ? LOG_DEBUG : LOG_WARNING, errno,
+ "Failed to open the IMA custom policy file %s, ignoring: %m", policy_path);
+ continue;
+ }
+ ima_load_policy(input, policy_path);
+ break;
+ }
return 0;
}
+
+#else
+
+int ima_setup(void) {
+ return 0;
+}
+
+#endif /* HAVE_IMA */
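Review bot: `_cleanup_fclose_ FILE *input;` in the new ima_setup is left uninitialised, so the early `return 0` taken when IMA_SECFS_DIR is absent runs the cleanup handler on an indeterminate pointer; the removed version initialised it, and this one should too: `_cleanup_fclose_ FILE *input = NULL;`. Separately, the result of `ima_load_policy(input, policy_path)` is dropped, so ima_setup now returns 0 even when writing the policy failed, whereas the old code returned the value of log_error_errno(); if a failed load is meant to be non-fatal a one-line comment at the call site saying so would help, otherwise `return ima_load_policy(input, policy_path);` keeps the previous reporting. Note also that the later locations are only tried when fopen() fails, so a policy file that exists but cannot be loaded is not retried from the other paths; that seems intended but is worth stating in the commit message.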
--
2.7.4