Hi Enrico, On Tue, 2025-12-16 at 17:56 +0100, Enrico Bravi wrote: > When signed a policy is not mandatory, it is possile to write the IMA > policy directly on the corresponding securityfs file: > > echo -e "measure func=BPRM_CHECK mask=MAY_EXEC\n" \ > "audit func=BPRM_CHECK mask=MAY_EXEC\n" \ > > /sys/kernel/security/ima/policy > > Add input buffer measurement that can be caught when 'measure > func=POLICY_CHECK' is enabled (e.g., ima_policy=tcb). > > Suggested-by: Roberto Sassu <[email protected]> > Signed-off-by: Enrico Bravi <[email protected]> > --- > security/integrity/ima/ima.h | 1 + > security/integrity/ima/ima_fs.c | 1 + > security/integrity/ima/ima_main.c | 38 +++++++++++++++++++++++++++++++ > 3 files changed, 40 insertions(+) > > diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h > index ca7b96663623..3b00c298355b 100644 > --- a/security/integrity/ima/ima.h > +++ b/security/integrity/ima/ima.h > @@ -426,6 +426,7 @@ void *ima_policy_next(struct seq_file *m, void *v, loff_t > *pos); > void ima_policy_stop(struct seq_file *m, void *v); > int ima_policy_show(struct seq_file *m, void *v); > void ima_measure_loaded_policy(void); > +int ima_measure_policy_write(char *buf, size_t size); > > /* Appraise integrity measurements */ > #define IMA_APPRAISE_ENFORCE 0x01 > diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c > index 89946d803d44..f1a5edd060ad 100644 > --- a/security/integrity/ima/ima_fs.c > +++ b/security/integrity/ima/ima_fs.c > @@ -362,6 +362,7 @@ static ssize_t ima_write_policy(struct file *file, const > char __user *buf, > 1, 0); > result = -EACCES; > } else { > + ima_measure_policy_write(data, datalen); > result = ima_parse_add_rule(data); > } > mutex_unlock(&ima_write_mutex); > diff --git a/security/integrity/ima/ima_main.c > b/security/integrity/ima/ima_main.c > index cdd225f65a62..6a8ad4714881 100644 > --- a/security/integrity/ima/ima_main.c > +++ b/security/integrity/ima/ima_main.c > @@ -28,6 +28,7 @@ > #include <linux/iversion.h> > #include <linux/evm.h> > #include <linux/crash_dump.h> > +#include <linux/shmem_fs.h> > > #include "ima.h" > > @@ -986,6 +987,43 @@ static int ima_post_load_data(char *buf, loff_t size, > return 0; > } > > +/** > + * ima_measure_policy_write - Measure the policy write buffer > + * @buf: pointer to the buffer containing the policy write data > + * @size: size of the buffer > + * > + * Measure the buffer sent to the IMA policy securityfs file. > + * > + * Return 0 on success, a negative value otherwise. > + */ > +int ima_measure_policy_write(char *buf, size_t size0 > +{ > + static const char op[] = "measure_ima_policy_write"; > + const char *file_name = "ima_write_policy_buffer"; > + static char *audit_cause = "ENOMEM"; > + struct file *policy_file = NULL; > + struct lsm_prop prop; > + int ret = 0; > + > + policy_file = shmem_kernel_file_setup(file_name, 0, 0); > + if (IS_ERR(policy_file)) { > + ret = PTR_ERR(policy_file); > + audit_cause = "alloc_file"; > + integrity_audit_msg(AUDIT_INTEGRITY_PCR, NULL, > "ima_policy_write", > + op, audit_cause, ret, 1); > + goto out; > + } > + > + security_current_getlsmprop_subj(&prop); > + > + ret = process_measurement(policy_file, current_cred(), &prop, buf, size, > + MAY_READ, POLICY_CHECK);
The purpose of this patch is to measure IMA policy rules as they're written to the <securityfs> IMA policy file, based on the IMA "measure func=POLICY_CHECK" policy rule. Like critical data, it should be calling process_buffer_measurement(), not process_measurement(). The functions ima_match_rules() and ima_match_rule_data() need to be updated to support POLICY_CHECK. This function naming is off and should be renamed to ima_measure_policy_buf(). Please update the patch description accordingly. Mimi > + fput(policy_file); > + > +out: > + return ret; > +} > + > /** > * process_buffer_measurement - Measure the buffer or the buffer data hash > * @idmap: idmap of the mount the inode was found from
