kernel/security/integrity/ima/ima_policy.c, branch linux-4.3.y

ima: update builtin policies

2015-06-16T12:18:45Z

This patch defines a builtin measurement policy "tcb", similar to the existing "ima_tcb", but with additional rules to also measure files based on the effective uid and to measure files opened with the "read" mode bit set (eg. read, read-write). Changing the builtin "ima_tcb" policy could potentially break existing users. Instead of defining a new separate boot command line option each time the builtin measurement policy is modified, this patch defines a single generic boot command line option "ima_policy=" to specify the builtin policy and deprecates the use of the builtin ima_tcb policy. [The "ima_policy=" boot command line option is based on Roberto Sassu's "ima: added new policy type exec" patch.] Signed-off-by: Mimi Zohar Signed-off-by: Dr. Greg Wettstein Cc: stable@vger.kernel.org

ima: extend "mask" policy matching support

2015-06-16T12:18:44Z

The current "mask" policy option matches files opened as MAY_READ, MAY_WRITE, MAY_APPEND or MAY_EXEC. This patch extends the "mask" option to match files opened containing one of these modes. For example, "mask=^MAY_READ" would match files opened read-write. Signed-off-by: Mimi Zohar Signed-off-by: Dr. Greg Wettstein Cc: stable@vger.kernel.org

ima: add support for new "euid" policy condition

2015-06-16T12:18:43Z

The new "euid" policy condition measures files with the specified effective uid (euid). In addition, for CAP_SETUID files it measures files with the specified uid or suid. Changelog: - fixed checkpatch.pl warnings - fixed avc denied {setuid} messages - based on Roberto's feedback Signed-off-by: Mimi Zohar Signed-off-by: Dr. Greg Wettstein Cc: stable@vger.kernel.org

ima: do not measure or appraise the NSFS filesystem

2015-05-21T17:28:41Z

Include don't appraise or measure rules for the NSFS filesystem in the builtin ima_tcb and ima_appraise_tcb policies. Changelog: - Update documentation Signed-off-by: Mimi Zohar Cc: stable@vger.kernel.org # 3.19

ima: skip measurement of cgroupfs files and update documentation

2015-05-21T17:27:19Z

This patch adds a rule in the default measurement policy to skip inodes in the cgroupfs filesystem. Measurements for this filesystem can be avoided, as all the digests collected have the same value of the digest of an empty file. Furthermore, this patch updates the documentation of IMA policies in Documentation/ABI/testing/ima_policy to make it consistent with the policies set in security/integrity/ima/ima_policy.c. Signed-off-by: Roberto Sassu Signed-off-by: Mimi Zohar

ima: cleanup ima_init_policy() a little

2015-05-13T10:07:19Z

It's a bit easier to read this if we split it up into two for loops. Signed-off-by: Dan Carpenter Signed-off-by: Mimi Zohar

ima: require signature based appraisal

2014-11-18T04:12:01Z

This patch provides CONFIG_IMA_APPRAISE_SIGNED_INIT kernel configuration option to force IMA appraisal using signatures. This is useful, when EVM key is not initialized yet and we want securely initialize integrity or any other functionality. It forces embedded policy to require signature. Signed initialization script can initialize EVM key, update the IMA policy and change further requirement of everything to be signed. Changes in v3: * kernel parameter fixed to configuration option in the patch description Changes in v2: * policy change of this patch separated from the key loading patch Signed-off-by: Dmitry Kasatkin Signed-off-by: Mimi Zohar

ima: use atomic bit operations to protect policy update interface

2014-10-12T03:33:02Z

The current implementation uses an atomic counter to provide exclusive access to the sysfs 'policy' entry to update the IMA policy. While it is highly unlikely, the usage of a counter might potentially allow another process to overflow the counter, open the interface and insert additional rules into the policy being loaded. This patch replaces using an atomic counter with atomic bit operations which is more reliable and a widely used method to provide exclusive access. As bit operation keep the interface locked after successful update, it makes it unnecessary to verify if the default policy was set or not during parsing and interface closing. This patch also removes that code. Changes in v3: * move audit log message to ima_relead_policy() to report successful and unsuccessful result * unnecessary comment removed Changes in v2: * keep interface locked after successful policy load as in original design * remove sysfs entry as in original design Signed-off-by: Dmitry Kasatkin Signed-off-by: Mimi Zohar

ima: ignore empty and with whitespaces policy lines

2014-10-12T03:29:19Z

Empty policy lines cause parsing failures which is, especially for new users, hard to spot. This patch prevents it. Changes in v2: * strip leading blanks and tabs in rules to prevent parsing failures Signed-off-by: Dmitry Kasatkin Signed-off-by: Mimi Zohar

ima: no need to allocate entry for comment

2014-10-12T03:28:07Z

If a rule is a comment, there is no need to allocate an entry. Move the checking for comments before allocating the entry. Signed-off-by: Dmitry Kasatkin Signed-off-by: Mimi Zohar