summaryrefslogtreecommitdiff
path: root/src/core
diff options
context:
space:
mode:
authorStefan Berger <stefanb@us.ibm.com>2016-11-29 10:47:20 -0500
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2016-11-29 10:47:20 -0500
commite8e42b31c5a950a7b43d64f4a531ec59750e823e (patch)
tree13859dcc19a89f0c663b138fb8ccb83368dae99d /src/core
parent664e7984f8a96c1962961fcc1ebe6bd4a0c58c5f (diff)
ima: Write the policy filename into IMA's sysfs policy file (#4766)
IMA validates file signatures based on the security.ima xattr. As of Linux-4.7, instead of copying the IMA policy into the securityfs policy, the IMA policy pathname can be written, allowing the IMA policy file signature to be validated. This patch modifies the existing code to first attempt to write the pathname, but on failure falls back to copying the IMA policy contents.
Diffstat (limited to 'src/core')
-rw-r--r--src/core/ima-setup.c22
1 files changed, 18 insertions, 4 deletions
diff --git a/src/core/ima-setup.c b/src/core/ima-setup.c
index d1b0ce76ef..94ae429f46 100644
--- a/src/core/ima-setup.c
+++ b/src/core/ima-setup.c
@@ -44,6 +44,22 @@ int ima_setup(void) {
return 0;
}
+ if (access(IMA_SECFS_POLICY, W_OK) < 0) {
+ log_warning("Another IMA custom policy has already been loaded, ignoring.");
+ return 0;
+ }
+
+ imafd = open(IMA_SECFS_POLICY, O_WRONLY|O_CLOEXEC);
+ if (imafd < 0) {
+ log_error_errno(errno, "Failed to open the IMA kernel interface "IMA_SECFS_POLICY", ignoring: %m");
+ return 0;
+ }
+
+ /* attempt to write the name of the policy file into sysfs file */
+ if (write(imafd, IMA_POLICY_PATH, strlen(IMA_POLICY_PATH)) > 0)
+ goto done;
+
+ /* fall back to copying the policy line-by-line */
input = fopen(IMA_POLICY_PATH, "re");
if (!input) {
log_full_errno(errno == ENOENT ? LOG_DEBUG : LOG_WARNING, errno,
@@ -51,10 +67,7 @@ int ima_setup(void) {
return 0;
}
- if (access(IMA_SECFS_POLICY, F_OK) < 0) {
- log_warning("Another IMA custom policy has already been loaded, ignoring.");
- return 0;
- }
+ close(imafd);
imafd = open(IMA_SECFS_POLICY, O_WRONLY|O_CLOEXEC);
if (imafd < 0) {
@@ -74,6 +87,7 @@ int ima_setup(void) {
lineno);
}
+done:
log_info("Successfully loaded the IMA custom policy "IMA_POLICY_PATH".");
#endif /* HAVE_IMA */
return 0;