Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

ima: add policy support for file system uuid

The IMA policy permits specifying rules to enable or disable
measurement/appraisal/audit based on the file system magic number.
If, for example, the policy contains an ext4 measurement rule,
the rule is enabled for all ext4 partitions.

Sometimes it might be necessary to enable measurement/appraisal/audit
only for one partition and disable it for another partition of the
same type. With the existing IMA policy syntax, this cannot be done.

This patch provides support for IMA policy rules to specify the file
system by its UUID (e.g. fsuuid=397449cd-687d-4145-8698-7fed4a3e0363).

For partitions not being appraised, it might be a good idea to mount
file systems with the 'noexec' option to prevent executing non-verified
binaries.

Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
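The rule semantics the commit message describes (fsmagic= selects every partition of a file system type, fsuuid= narrows a rule to one partition) worked through in an added user-space C example. This is not kernel code and not part of the patch: it models only the rule and superblock fields the patch touches and the order of the two checks in the match hunk. The strict UUID text parser, the uuid_byte helper and the demo scenario are this example's own assumptions (the kernel's part_pack_uuid() performs no validation), and the two partitions and their UUIDs are constructed sample values, one of them the commit message's own example.

```c
/* Added illustration, not kernel code or part of this patch: a user-space model
 * of an IMA rule carrying fsuuid= and of the superblock match the patch adds.
 * Flag values follow the patch; the strict parser is this example's own choice. */
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define IMA_FSMAGIC 0x0004u
#define IMA_FSUUID  0x0020u
#define EXT4_SUPER_MAGIC 0xEF53UL          /* value from <linux/magic.h> */

struct rule {                              /* subset of struct ima_rule_entry */
    unsigned flags;
    unsigned long fsmagic;
    uint8_t fsuuid[16];
};

struct sb {                                /* super_block fields the match reads */
    unsigned long s_magic;
    uint8_t s_uuid[16];
};

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Parse the canonical 36-character form into 16 bytes.  Returns 0, or
 * -EINVAL on wrong length, misplaced hyphen or non-hex digit (out untouched). */
int uuid_parse_strict(const char *s, uint8_t out[16])
{
    uint8_t tmp[16] = {0};
    size_t i, nibbles = 0;
    if (strlen(s) != 36)
        return -EINVAL;
    for (i = 0; i < 36; i++) {
        if (i == 8 || i == 13 || i == 18 || i == 23) {
            if (s[i] != '-')
                return -EINVAL;
            continue;
        }
        int v = hexval((unsigned char)s[i]);
        if (v < 0)
            return -EINVAL;
        tmp[nibbles / 2] |= (uint8_t)(nibbles % 2 ? v : v << 4);
        nibbles++;
    }
    memcpy(out, tmp, 16);
    return 0;
}

/* Byte idx of the parsed UUID, or -1 if the text does not parse. */
int uuid_byte(const char *text, int idx)
{
    uint8_t u[16];
    return (idx < 0 || idx > 15 || uuid_parse_strict(text, u)) ? -1 : u[idx];
}

/* Policy-parse step for "fsuuid=": rejects a second fsuuid= on one rule (the
 * patch uses memchr_inv for that) and an all-zero UUID, which the patch
 * cannot tell apart from "not set". */
int rule_set_fsuuid(struct rule *r, const char *text)
{
    static const uint8_t zero[16] = {0};
    uint8_t uuid[16];
    if ((r->flags & IMA_FSUUID) || uuid_parse_strict(text, uuid) ||
        memcmp(uuid, zero, 16) == 0)
        return -EINVAL;
    memcpy(r->fsuuid, uuid, 16);
    r->flags |= IMA_FSUUID;
    return 0;
}

/* File-system part of the kernel's match: 1 if the rule applies to sb. */
int rule_matches_fs(const struct rule *r, const struct sb *sb)
{
    if ((r->flags & IMA_FSMAGIC) && r->fsmagic != sb->s_magic)
        return 0;
    if ((r->flags & IMA_FSUUID) && memcmp(r->fsuuid, sb->s_uuid, 16))
        return 0;
    return 1;
}

/* Constructed scenario: two ext4 partitions with different sample UUIDs and
 * one rule narrowed by fsuuid=.  Returns how many of the two it applies to. */
int demo_two_ext4_partitions(void)
{
    struct sb root = { EXT4_SUPER_MAGIC, {0} }, home = { EXT4_SUPER_MAGIC, {0} };
    struct rule r = { IMA_FSMAGIC, EXT4_SUPER_MAGIC, {0} };
    if (uuid_parse_strict("397449cd-687d-4145-8698-7fed4a3e0363", root.s_uuid) ||
        uuid_parse_strict("8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6", home.s_uuid) ||
        rule_set_fsuuid(&r, "397449cd-687d-4145-8698-7fed4a3e0363"))
        return -1;
    return rule_matches_fs(&r, &root) + rule_matches_fs(&r, &home);
}
```

With the fsmagic-only rule both partitions would match; once fsuuid= is added, demo_two_ext4_partitions() returns 1, which is the per-partition selection the commit message is after. The parser deliberately refuses short, malformed and all-zero values so that a typo in a policy line produces a rejected rule rather than one that silently never matches or matches file systems whose s_uuid was never set.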

Authored by Dmitry Kasatkin, committed by Mimi Zohar
85865c1f 74de6684

+24 -2
+3 -1
Documentation/ABI/testing/ima_policy
··· 19 19 20 20 action: measure | dont_measure | appraise | dont_appraise | audit 21 21 condition:= base | lsm [option] 22 - base: [[func=] [mask=] [fsmagic=] [uid=] [fowner]] 22 + base: [[func=] [mask=] [fsmagic=] [fsuuid=] [uid=] 23 + [fowner]] 23 24 lsm: [[subj_user=] [subj_role=] [subj_type=] 24 25 [obj_user=] [obj_role=] [obj_type=]] 25 26 option: [[appraise_type=]] ··· 28 27 base: func:= [BPRM_CHECK][MMAP_CHECK][FILE_CHECK][MODULE_CHECK] 29 28 mask:= [MAY_READ] [MAY_WRITE] [MAY_APPEND] [MAY_EXEC] 30 29 fsmagic:= hex value 30 + fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6) 31 31 uid:= decimal value 32 32 fowner:=decimal value 33 33 lsm: are LSM specific
+21 -1
security/integrity/ima/ima_policy.c
··· 16 16 #include <linux/magic.h> 17 17 #include <linux/parser.h> 18 18 #include <linux/slab.h> 19 + #include <linux/genhd.h> 19 20 20 21 #include "ima.h" 21 22 ··· 26 25 #define IMA_FSMAGIC 0x0004 27 26 #define IMA_UID 0x0008 28 27 #define IMA_FOWNER 0x0010 28 + #define IMA_FSUUID 0x0020 29 29 30 30 #define UNKNOWN 0 31 31 #define MEASURE 0x0001 /* same as IMA_MEASURE */ ··· 47 45 enum ima_hooks func; 48 46 int mask; 49 47 unsigned long fsmagic; 48 + u8 fsuuid[16]; 50 49 kuid_t uid; 51 50 kuid_t fowner; 52 51 struct { ··· 174 171 return false; 175 172 if ((rule->flags & IMA_FSMAGIC) 176 173 && rule->fsmagic != inode->i_sb->s_magic) 174 + return false; 175 + if ((rule->flags & IMA_FSUUID) && 176 + memcmp(rule->fsuuid, inode->i_sb->s_uuid, sizeof(rule->fsuuid))) 177 177 return false; 178 178 if ((rule->flags & IMA_UID) && !uid_eq(rule->uid, cred->uid)) 179 179 return false; ··· 352 346 Opt_obj_user, Opt_obj_role, Opt_obj_type, 353 347 Opt_subj_user, Opt_subj_role, Opt_subj_type, 354 348 Opt_func, Opt_mask, Opt_fsmagic, Opt_uid, Opt_fowner, 355 - Opt_appraise_type 349 + Opt_appraise_type, Opt_fsuuid 356 350 }; 357 351 358 352 static match_table_t policy_tokens = { ··· 370 364 {Opt_func, "func=%s"}, 371 365 {Opt_mask, "mask=%s"}, 372 366 {Opt_fsmagic, "fsmagic=%s"}, 367 + {Opt_fsuuid, "fsuuid=%s"}, 373 368 {Opt_uid, "uid=%s"}, 374 369 {Opt_fowner, "fowner=%s"}, 375 370 {Opt_appraise_type, "appraise_type=%s"}, ··· 525 518 &entry->fsmagic); 526 519 if (!result) 527 520 entry->flags |= IMA_FSMAGIC; 521 + break; 522 + case Opt_fsuuid: 523 + ima_log_string(ab, "fsuuid", args[0].from); 524 + 525 + if (memchr_inv(entry->fsuuid, 0x00, 526 + sizeof(entry->fsuuid))) { 527 + result = -EINVAL; 528 + break; 529 + } 530 + 531 + part_pack_uuid(args[0].from, entry->fsuuid); 532 + entry->flags |= IMA_FSUUID; 533 + result = 0; 528 534 break; 529 535 case Opt_uid: 530 536 ima_log_string(ab, "uid", args[0].from);
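Review bot: the new "fsuuid:= file system UUID (e.g 8bcbe394-...)" line in Documentation/ABI/testing/ima_policy should state the accepted form explicitly, i.e. the 36-character hyphenated text, since the parser accepts nothing else, and "e.g" wants its trailing period. It would also help to say that fsmagic= and fsuuid= may be combined in one rule and that both must then match, which is what the independent checks in ima_policy.c implement.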
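Review bot: the new IMA_FSUUID comparison against inode->i_sb->s_uuid is only as selective as the value stored in rule->fsuuid, and nothing in the parser rejects an all-zero UUID; file systems that never populate s_uuid leave it zeroed, so a rule with a zero fsuuid= would apply to every such file system instead of a single partition. Rejecting a zero UUID at parse time would also make the memchr_inv() duplicate check unambiguous, since that check treats all-zero as "not yet set".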
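Review bot: Opt_fsuuid is appended after Opt_appraise_type in the enum, whereas policy_tokens places {Opt_fsuuid, "fsuuid=%s"} directly after fsmagic; keeping the enum in the same order as the token table (Opt_fsuuid next to Opt_fsmagic) keeps the two lists readable side by side.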
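Review bot: in the Opt_fsuuid case, part_pack_uuid(args[0].from, entry->fsuuid) is called on the raw option text with no length or format check; part_pack_uuid() converts 32 hex digits and skips the expected hyphens without validating either, so a truncated or malformed fsuuid= value yields a garbage UUID, reads past the end of a short value, and the rule is still accepted with IMA_FSUUID set and result = 0. Suggest validating the text first (36 characters, hyphens at offsets 8, 13, 18 and 23, hex digits elsewhere) and setting result = -EINVAL otherwise, consistent with how the other options fail on bad input.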