ima: load policy using path

We currently cannot do appraisal or signature vetting of IMA policies
since we currently can only load IMA policies by writing the contents
of the policy directly in, as follows:

cat policy-file > <securityfs>/ima/policy

If we provide the kernel the path to the IMA policy so it can load
the policy itself it'd be able to later appraise or vet the file
signature if it has one.  This patch adds support to load the IMA
policy with a given path as follows:

echo /etc/ima/ima_policy > /sys/kernel/security/ima/policy

Changelog v4+:
- moved kernel_read_file_from_path() error messages to callers
v3:
- moved kernel_read_file_from_path() to a separate patch
v2:
- after re-ordering the patches, replace calling integrity_kernel_read()
  to read the file with kernel_read_file_from_path() (Mimi)
- Patch description re-written by Luis R. Rodriguez

Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>

diff --git a/include/linux/fs.h b/include/linux/fs.h
index 52567252288e0ff51fc06bd97d6c8039e35e9815..e514f76db04f9f08a8275f8b810004a991760df6 100644 (file)
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -2581,6 +2581,7 @@ enum kernel_read_file_id {
        READING_MODULE,
        READING_KEXEC_IMAGE,
        READING_KEXEC_INITRAMFS,
+       READING_POLICY,
        READING_MAX_ID
 };
 

diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index f355231997b462d1d6acee7664cabe9c51fdc91e..a6c61b351f36d2ad7ead627db60f12a8fca72eb4 100644 (file)
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -22,6 +22,7 @@
 #include <linux/rculist.h>
 #include <linux/rcupdate.h>
 #include <linux/parser.h>
+#include <linux/vmalloc.h>
 
 #include "ima.h"
 
@@ -258,6 +259,43 @@ static const struct file_operations ima_ascii_measurements_ops = {
        .release = seq_release,
 };
 
+static ssize_t ima_read_policy(char *path)
+{
+       void *data;
+       char *datap;
+       loff_t size;
+       int rc, pathlen = strlen(path);
+
+       char *p;
+
+       /* remove \n */
+       datap = path;
+       strsep(&datap, "\n");
+
+       rc = kernel_read_file_from_path(path, &data, &size, 0, READING_POLICY);
+       if (rc < 0) {
+               pr_err("Unable to open file: %s (%d)", path, rc);
+               return rc;
+       }
+
+       datap = data;
+       while (size > 0 && (p = strsep(&datap, "\n"))) {
+               pr_debug("rule: %s\n", p);
+               rc = ima_parse_add_rule(p);
+               if (rc < 0)
+                       break;
+               size -= rc;
+       }
+
+       vfree(data);
+       if (rc < 0)
+               return rc;
+       else if (size)
+               return -EINVAL;
+       else
+               return pathlen;
+}
+
 static ssize_t ima_write_policy(struct file *file, const char __user *buf,
                                size_t datalen, loff_t *ppos)
 {
@@ -286,9 +324,12 @@ static ssize_t ima_write_policy(struct file *file, const char __user *buf,
        result = mutex_lock_interruptible(&ima_write_mutex);
        if (result < 0)
                goto out_free;
-       result = ima_parse_add_rule(data);
-       mutex_unlock(&ima_write_mutex);
 
+       if (data[0] == '/')
+               result = ima_read_policy(data);
+       else 
+               result = ima_parse_add_rule(data);
+       mutex_unlock(&ima_write_mutex);
 out_free:
        kfree(data);
 out: