From: Dmitry Kasatkin <d.kasat...@samsung.com> Currently the IMA policy is loaded by writing the policy rules to '<securityfs>/ima/policy'. Loaded that way, the policy itself is never measured or appraised: the rules arrive as data written by a process rather than as a file that IMA can hash and verify. This patch extends the policy loading interface so that the policy can also be loaded from a pathname. The policy can then be loaded like:
echo /etc/ima/ima_policy > /sys/kernel/security/ima/policy
Signed-off-by: Dmitry Kasatkin <d.kasat...@samsung.com>
Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com>
---
 security/integrity/iint.c | 4 +---
 security/integrity/ima/ima_fs.c | 39 ++++++++++++++++++++++++++++++++++++++-
 security/integrity/integrity.h | 2 +-
 3 files changed, 40 insertions(+), 5 deletions(-)
diff --git a/security/integrity/iint.c b/security/integrity/iint.c
index 2de9c82..54b51a4 100644
--- a/security/integrity/iint.c
+++ b/security/integrity/iint.c
@@ -203,10 +203,8 @@ int integrity_kernel_read(struct file *file, loff_t offset,
  * This is function opens a file, allocates the buffer of required
  * size, read entire file content to the buffer and closes the file
  *
- * It is used only by init code.
- *
  */
-int __init integrity_read_file(const char *path, char **data)
+int integrity_read_file(const char *path, char **data)
 {
 	struct file *file;
 	loff_t size;
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index eebb985..f902b6b 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -258,6 +258,40 @@ static const struct file_operations ima_ascii_measurements_ops = {
 	.release = seq_release,
 };
 
+static ssize_t ima_read_policy(char *path)
+{
+	char *data, *datap;
+	int rc, size, pathlen = strlen(path);
+	char *p;
+
+	/* remove \n */
+	datap = path;
+	strsep(&datap, "\n");
+
+	rc = integrity_read_file(path, &data);
+	if (rc < 0)
+		return rc;
+
+	size = rc;
+	datap = data;
+
+	while (size > 0 && (p = strsep(&datap, "\n"))) {
+		pr_debug("rule: %s\n", p);
+		rc = ima_parse_add_rule(p);
+		if (rc < 0)
+			break;
+		size -= rc;
+	}
+
+	kfree(data);
+	if (rc < 0)
+		return rc;
+	else if (size)
+		return -EINVAL;
+	else
+		return pathlen;
+}
+
 static ssize_t ima_write_policy(struct file *file, const char __user *buf,
 				size_t datalen, loff_t *ppos)
 {
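Review bot: The removed sentence "It is used only by init code" is not replaced, so the header comment no longer states who may call integrity_read_file() now that `__init` is gone and the function is reachable from the securityfs policy write at runtime. Add ` * It is used by init code and, via the ima policy file interface, at runtime as well.` where the two removed lines were. Dropping `__init` is required since the function's text would otherwise be discarded after boot; its body is outside this hunk, so whether it is safe to run in an arbitrary process context (allocation flags, credentials used for the open) cannot be checked here and should be confirmed.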
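Review bot: The byte accounting in ima_read_policy() appears to reject a policy file that has no trailing newline: ima_parse_add_rule() is outside this hunk, but if it counts the newline it strips (it looks like it returns strlen(p)+1), the last line of an unterminated file drives `size` to -1, and `else if (size) return -EINVAL;` then fails the whole load with the rules already added. If that is intended, say so in a comment; otherwise use `else if (size > 0)` so only genuinely unconsumed bytes are an error. The function also has no header comment; add one stating that @path is the NUL-terminated buffer written to securityfs (its trailing '\n' is stripped in place), that on success the return value is the original length of @path so the write is reported as fully consumed, and that nothing in this function itself requests measurement or appraisal of the policy file — if the commit message's promise rests on the open performed inside integrity_read_file(), that dependency should be named here and confirmed. Note too that `rc` stays 0 for an empty file, so an empty policy file is reported as success.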
@@ -288,7 +322,10 @@ static ssize_t ima_write_policy(struct file *file, const char __user *buf,
 	if (copy_from_user(data, buf, datalen))
 		goto out;
 
-	result = ima_parse_add_rule(data);
+	if (data[0] == '/')
+		result = ima_read_policy(data);
+	else
+		result = ima_parse_add_rule(data);
 out:
 	if (result < 0)
 		valid_policy = 0;
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 5efe2ec..5413f22 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -122,7 +122,7 @@ struct integrity_iint_cache *integrity_iint_find(struct inode *inode);
 
 int integrity_kernel_read(struct file *file, loff_t offset,
 			  char *addr, unsigned long count);
-int __init integrity_read_file(const char *path, char **data);
+int integrity_read_file(const char *path, char **data);
 
 #define INTEGRITY_KEYRING_EVM 0
 #define INTEGRITY_KEYRING_IMA 1
-- 
2.1.0

-- 
To unsubscribe from this list: send the line "unsubscribe linux-security-module"
in the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
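Review bot: The `data[0] == '/'` dispatch gives the first byte of a policy write a new meaning without a comment, and the two branches store differently-defined values in `result`: ima_read_policy() returns the length of the path buffer on success while ima_parse_add_rule() returns the number of rule bytes it consumed. Add `/* A leading '/' names a policy file to load; anything else is one rule line. */` above the if. A failure part-way through a file leaves `valid_policy = 0` with some rules already added; that matches the existing per-rule behaviour only if the release path discards an invalid policy, which is outside this hunk and worth confirming.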