From: Stefan Berger <[email protected]>

Fedora keeps its policy in /etc/sysconfig/ima-policy while Ubuntu keeps it in /etc/default/ima-policy. So we try to read the IMA policy from one location and fall back to the next location if it could not be found there. To maintain backwards compatibility, we also try /etc/ima/ima-policy.
Signed-off-by: Stefan Berger <[email protected]>
---
 src/core/ima-setup.c | 74 ++++++++++++++++++++++++++++++++++++++--------------
 1 file changed, 54 insertions(+), 20 deletions(-)
diff --git a/src/core/ima-setup.c b/src/core/ima-setup.c
index d1b0ce7..220492b 100644
--- a/src/core/ima-setup.c
+++ b/src/core/ima-setup.c
@@ -5,6 +5,8 @@
   Copyright (C) 2012 Roberto Sassu - Politecnico di Torino, Italy
                                      TORSEC group — http://security.polito.it
+  Copyright (C) 2016 IBM Corporation
+
   systemd is free software; you can redistribute it and/or modify it
   under the terms of the GNU Lesser General Public License as published by
   the Free Software Foundation; either version 2.1 of the License, or
@@ -30,27 +32,28 @@
 #define IMA_SECFS_DIR "/sys/kernel/security/ima"
 #define IMA_SECFS_POLICY IMA_SECFS_DIR "/policy"
-#define IMA_POLICY_PATH "/etc/ima/ima-policy"
-int ima_setup(void) {
 #ifdef HAVE_IMA
-        _cleanup_fclose_ FILE *input = NULL;
+static const char *ima_policy_paths[] = {
+        "/etc/ima/ima-policy",
+        "/etc/sysconfig/ima-policy",
+        "/etc/default/ima-policy",
+        NULL,
+};
+
+/*
+ * ima_load_policy: Load the ima policy at the given path.
+ *
+ * ima_load_policy: Load the ima policy from the given file. First
+ * try loading it by writing the name of file policy's file into IMA
+ * sysfs policy file. If this fails, fall back to copying the policy
+ * in the sysfs policy file.
+ */
+static int ima_load_policy(FILE *input, const char *policy_path) {
         _cleanup_close_ int imafd = -1;
         unsigned lineno = 0;
         char line[page_size()];
-        if (access(IMA_SECFS_DIR, F_OK) < 0) {
-                log_debug("IMA support is disabled in the kernel, ignoring.");
-                return 0;
-        }
-
-        input = fopen(IMA_POLICY_PATH, "re");
-        if (!input) {
-                log_full_errno(errno == ENOENT ? LOG_DEBUG : LOG_WARNING, errno,
-                               "Failed to open the IMA custom policy file "IMA_POLICY_PATH", ignoring: %m");
-                return 0;
-        }
-
         if (access(IMA_SECFS_POLICY, F_OK) < 0) {
                 log_warning("Another IMA custom policy has already been loaded, ignoring.");
                 return 0;
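Review bot: The block comment above `ima_load_policy` documents the function twice, and its second version promises a first attempt that writes the policy file's name into the IMA sysfs policy file with a line-by-line copy only as fallback, which nothing visible in this hunk does; the function body continues past the hunk, so if that path is not implemented there the comment describes behavior the code does not have and should shrink to one accurate sentence such as `/* Copy the policy rules from input, line by line, into the IMA sysfs policy file. */`. The `ima_policy_paths` table also deserves a one-line contract, because its order decides which policy the kernel ends up enforcing and a policy can only be loaded once: `/* Searched in order; the first file that can be opened is loaded and the rest are ignored. */`.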
@@ -63,18 +66,49 @@ int ima_setup(void) {
         }
         FOREACH_LINE(line, input,
-                     return log_error_errno(errno, "Failed to read the IMA custom policy file "IMA_POLICY_PATH": %m")) {
+                     return log_error_errno(errno, "Failed to read the IMA custom policy file %s: %m", policy_path)) {
                 size_t len;
                 len = strlen(line);
                 lineno++;
                 if (len > 0 && write(imafd, line, len) < 0)
-                        return log_error_errno(errno, "Failed to load the IMA custom policy file "IMA_POLICY_PATH"%u: %m",
-                                               lineno);
+                        return log_error_errno(errno, "Failed to load the IMA custom policy file %s %u: %m",
+                                               policy_path, lineno);
         }
-        log_info("Successfully loaded the IMA custom policy "IMA_POLICY_PATH".");
-#endif /* HAVE_IMA */
+        log_info("Successfully loaded the IMA custom policy %s.", policy_path);
+
+        return 0;
+}
+
+int ima_setup(void) {
+        int i = 0;
+        const char *policy_path;
+        _cleanup_fclose_ FILE *input;
+
+        if (access(IMA_SECFS_DIR, F_OK) < 0) {
+                log_debug("IMA support is disabled in the kernel, ignoring.");
+                return 0;
+        }
+
+        while ((policy_path = ima_policy_paths[i++]) != NULL) {
+                input = fopen(policy_path, "re");
+                if (!input) {
+                        log_full_errno(errno == ENOENT ? LOG_DEBUG : LOG_WARNING, errno,
+                                       "Failed to open the IMA custom policy file %s, ignoring: %m", policy_path);
+                        continue;
+                }
+                ima_load_policy(input, policy_path);
+                break;
+        }
         return 0;
 }
+
+#else
+
+int ima_setup(void) {
+        return 0;
+}
+
+#endif /* HAVE_IMA */
-- 
2.7.4

_______________________________________________
systemd-devel mailing list
[email protected]
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
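Review bot: `_cleanup_fclose_ FILE *input;` in the new `ima_setup` has no initializer, so the early `return 0` after the `access(IMA_SECFS_DIR, F_OK)` check runs the cleanup handler on an indeterminate pointer; the removed line initialized it and this one must too: `_cleanup_fclose_ FILE *input = NULL;`. Separately, the loop `continue`s past every open failure, not only ENOENT, so a preferred policy file that exists but cannot be opened (EACCES, ELOOP, EIO) is silently replaced by a lower-priority one — and because the kernel accepts a custom policy only once, that substitution sticks until reboot; falling through only when `errno == ENOENT` and returning the error otherwise keeps the precedence the table implies. The result of `ima_load_policy()` is also dropped, whereas the old `ima_setup` propagated the `log_error_errno` value from the write loop; if any caller inspects the return, that failure signal is now lost.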
