Re: [PATCH v1 6/7] ima: measure and appraise the IMA policy itself

Luis R. Rodriguez Thu, 17 Dec 2015 14:04:03 -0800

On Tue, Dec 08, 2015 at 01:01:23PM -0500, Mimi Zohar wrote:
> diff --git a/security/integrity/iint.c b/security/integrity/iint.c
> index 8a45576..4d149c9 100644
> --- a/security/integrity/iint.c
> +++ b/security/integrity/iint.c
> @@ -222,6 +223,11 @@ int integrity_read_file(const char *path, char **data)
>               return rc;
>       }
>  
> +     if (!S_ISREG(file_inode(file)->i_mode)) {
> +             rc = -EACCES;
> +             goto out;
> +     }
> +
>       size = i_size_read(file_inode(file));
>       if (size <= 0)
>               goto out;


This hunk seems to be unrelated to this patch? If so can it be split out?

> @@ -232,13 +238,18 @@ int integrity_read_file(const char *path, char **data)
>               goto out;
>       }
>  
> -     rc = integrity_kernel_read(file, 0, buf, size);
> +     rc = ima_read_and_process_file(file, read_func, buf, size);
> +     if (rc == -EOPNOTSUPP) {
> +             rc = integrity_kernel_read(file, 0, buf, size);
> +             if (rc > 0 && rc != size)
> +                     rc = -EIO;
> +     }
>       if (rc < 0)
>               kfree(buf);
> -     else if (rc != size)
> -             rc = -EIO;
> -     else
> +     else {
> +             rc = size;
>               *data = buf;
> +     }
>  out:
>       fput(file);
>       return rc;
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index 548b258..40a24c3 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -180,6 +180,7 @@ int ima_policy_show(struct seq_file *m, void *v);
>  #define IMA_APPRAISE_LOG     0x04
>  #define IMA_APPRAISE_MODULES 0x08
>  #define IMA_APPRAISE_FIRMWARE        0x10
> +#define IMA_APPRAISE_POLICY  0x20
>  
>  #ifdef CONFIG_IMA_APPRAISE
>  int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
> diff --git a/security/integrity/ima/ima_appraise.c 
> b/security/integrity/ima/ima_appraise.c
> index b83049b..1e1a759 100644
> --- a/security/integrity/ima/ima_appraise.c
> +++ b/security/integrity/ima/ima_appraise.c
> @@ -79,6 +79,7 @@ enum integrity_status ima_get_cache_status(struct 
> integrity_iint_cache *iint,
>       case FIRMWARE_CHECK:
>       case KEXEC_CHECK:
>       case INITRAMFS_CHECK:
> +     case POLICY_CHECK:
>               return iint->ima_read_status;
>       case FILE_CHECK:
>       default:

Hrm this uses an int for the func.

> @@ -102,6 +103,7 @@ static void ima_set_cache_status(struct 
> integrity_iint_cache *iint,
>       case FIRMWARE_CHECK:
>       case KEXEC_CHECK:
>       case INITRAMFS_CHECK:
> +     case POLICY_CHECK:
>               iint->ima_read_status = status;
>               break;
>       case FILE_CHECK:

This uses an enum.

> @@ -126,6 +128,7 @@ static void ima_cache_flags(struct integrity_iint_cache 
> *iint, int func)
>       case FIRMWARE_CHECK:
>       case KEXEC_CHECK:
>       case INITRAMFS_CHECK:
> +     case POLICY_CHECK:
>               iint->flags |= (IMA_READ_APPRAISED | IMA_APPRAISED);
>               break;
>       case FILE_CHECK:

This uses an enum.

All of these have a common set of funcs that will do similar things, what about
just OR'ing them up in one place? That would make future additions one line
instead of 3.

  Luis
--
To unsubscribe from this list: send the line "unsubscribe 
linux-security-module" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH v1 6/7] ima: measure and appraise the IMA policy itself

Reply via email to