From: Stefan Berger <[email protected]>

IMA validates file signatures based on the security.ima xattr. As of Linux-4.7, instead of copying the IMA policy into the securityfs policy, the IMA policy pathname can be written, allowing the IMA policy file signature to be validated.
This patch modifies the existing code to first attempt to write the pathname, but on failure falls back to copying the IMA policy contents. Signed-off-by: Stefan Berger <[email protected]> --- src/core/ima-setup.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/src/core/ima-setup.c b/src/core/ima-setup.c index 220492b..5142adb 100644 --- a/src/core/ima-setup.c +++ b/src/core/ima-setup.c @@ -54,7 +54,7 @@ static int ima_load_policy(FILE *input, const char *policy_path) { unsigned lineno = 0; char line[page_size()]; - if (access(IMA_SECFS_POLICY, F_OK) < 0) { + if (access(IMA_SECFS_POLICY, W_OK) < 0) { log_warning("Another IMA custom policy has already been loaded, ignoring."); return 0; } @@ -65,6 +65,19 @@ static int ima_load_policy(FILE *input, const char *policy_path) { return 0; } + /* attempt to write the name of the policy file into sysfs file */ + if (write(imafd, policy_path, strlen(policy_path)) > 0) + goto done; + + /* fall back to copying the policy line-by-line */ + close(imafd); + + imafd = open(IMA_SECFS_POLICY, O_WRONLY|O_CLOEXEC); + if (imafd < 0) { + log_error_errno(errno, "Failed to open the IMA kernel interface "IMA_SECFS_POLICY", ignoring: %m"); + return 0; + } + FOREACH_LINE(line, input, return log_error_errno(errno, "Failed to read the IMA custom policy file %s: %m", policy_path)) { size_t len; @@ -77,6 +90,7 @@ static int ima_load_policy(FILE *input, const char *policy_path) { policy_path, lineno); } +done: log_info("Successfully loaded the IMA custom policy %s.", policy_path); return 0; -- 2.7.4 _______________________________________________ systemd-devel mailing list [email protected] https://lists.freedesktop.org/mailman/listinfo/systemd-devel
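Review bot: In the first hunk the warning text "Another IMA custom policy has already been loaded, ignoring." no longer matches the check once it is changed from F_OK to W_OK: access() now also fails when the file exists but is not writable (EACCES), which is not the same condition as a policy having been loaded earlier, so the message can point an administrator at the wrong cause. Either distinguish ENOENT from other errno values before choosing the message, or carry errno into the log line, e.g. `log_warning_errno(errno, "IMA policy interface not writable, ignoring: %m");`. The commit message should also say why F_OK became W_OK, since it currently only describes the pathname write and the fallback.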
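Review bot: In the second hunk the success test `if (write(imafd, policy_path, strlen(policy_path)) > 0)` accepts a short write as success and jumps to `done:`, so a partial pathname would be logged as a successfully loaded policy even though the kernel received only a prefix of the path; compare against the full length instead, e.g. `if (write(imafd, policy_path, strlen(policy_path)) == (ssize_t) strlen(policy_path)) goto done;`. The failure branch also drops errno silently before closing and reopening the fd for the line-by-line copy; a `log_debug_errno(errno, "Writing the IMA policy path failed, falling back to copying the policy: %m");` at that point would let someone reading the journal tell which of the two load paths was actually taken and why.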
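Review bot: With the `done:` label in the third hunk placed directly before the final log_info, both load paths report the identical "Successfully loaded the IMA custom policy %s." line, yet per the commit message only the pathname write lets the kernel validate the policy file's signature, while the fallback copies the policy contents without that check. Consider a distinct message for the fallback (or a debug line in that branch) so the journal records whether the signed-path mechanism or the content copy was used.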
