On Tue, 2026-05-26 at 15:51 +0200, Enrico Bravi wrote: > When a signed policy is not mandatory, it is possible to write the IMA > policy directly on the corresponding securityfs file: > > echo -e "measure func=BPRM_CHECK mask=MAY_EXEC\n" \ > "audit func=BPRM_CHECK mask=MAY_EXEC\n" \ > > /sys/kernel/security/ima/policy
Or by cat'ing the entire IMA custom policy file. > > Add input buffer measurement, regardless of whether the new policy > will be accepted or not, that can be caught when > 'measure func=POLICY_CHECK' is enabled (e.g., ima_policy=tcb). Enrco, Roberto, a reason for measuring invalid or malformed IMA policy rules needs to be provided here. In addition to the "ima_policy" critical data, why is this mechanism needed? > The > measurement template is forced to ima-buf. Please include directions for verifying the measurement record here in the patch description. > > Suggested-by: Roberto Sassu <[email protected]> > Signed-off-by: Enrico Bravi <[email protected]> > --- > security/integrity/ima/ima.h | 1 + > security/integrity/ima/ima_fs.c | 1 + > security/integrity/ima/ima_main.c | 19 +++++++++++++++++++ > security/integrity/ima/ima_policy.c | 3 +++ > 4 files changed, 24 insertions(+) > > diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h > index a223d3f30d88..320c80a1a847 100644 > --- a/security/integrity/ima/ima.h > +++ b/security/integrity/ima/ima.h > @@ -426,6 +426,7 @@ void *ima_policy_next(struct seq_file *m, void *v, loff_t > *pos); > void ima_policy_stop(struct seq_file *m, void *v); > int ima_policy_show(struct seq_file *m, void *v); > void ima_measure_loaded_policy(void); > +int ima_measure_policy_buf(const char *buf, size_t buf_len); > > /* Appraise integrity measurements */ > #define IMA_APPRAISE_ENFORCE 0x01 > diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c > index 75cb308cf01f..601718e02429 100644 > --- a/security/integrity/ima/ima_fs.c > +++ b/security/integrity/ima/ima_fs.c > @@ -362,6 +362,7 @@ static ssize_t ima_write_policy(struct file *file, const > char __user *buf, > 1, 0); > result = -EACCES; > } else { > + ima_measure_policy_buf(data, datalen); > result = ima_parse_add_rule(data); > } > mutex_unlock(&ima_write_mutex); > diff --git a/security/integrity/ima/ima_main.c > b/security/integrity/ima/ima_main.c > index 1d6229b156fb..174110da0030 100644 > --- a/security/integrity/ima/ima_main.c > +++ b/security/integrity/ima/ima_main.c > @@ -1204,6 +1204,25 @@ int ima_measure_critical_data(const char *event_label, > } > EXPORT_SYMBOL_GPL(ima_measure_critical_data); > > +/** > + * ima_measure_policy_buf - Measure the policy write buffer > + * @buf: pointer to the buffer containing the policy write data > + * @buf_len: size of the buffer > + * > + * Measure the buffer sent to the IMA policy securityfs file. > + * > + * Return 0 on success, a negative value otherwise. > + */ > +int ima_measure_policy_buf(const char *buf, size_t buf_len) > +{ > + if (!buf || !buf_len) > + return -ENOPARAM; Please return -EINVAL. > + > + return process_buffer_measurement(&nop_mnt_idmap, NULL, buf, buf_len, > + "ima_write_policy_buf", POLICY_CHECK, > + 0, NULL, false, NULL, 0); Parallel to "ima_policy_loaded" consider naming the record as "ima_policy_written". The indentation is off by a character. > +} > + > #ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS > > /** [...] thanks, Mimi
