On Wed, 2026-06-10 at 14:59 -0400, Mimi Zohar wrote: > On Tue, 2026-05-26 at 15:51 +0200, Enrico Bravi wrote: > > When a signed policy is not mandatory, it is possible to write the IMA > > policy directly on the corresponding securityfs file: > > > > echo -e "measure func=BPRM_CHECK mask=MAY_EXEC\n" \ > > "audit func=BPRM_CHECK mask=MAY_EXEC\n" \ > > > /sys/kernel/security/ima/policy > > Or by cat'ing the entire IMA custom policy file. > > > > > Add input buffer measurement, regardless of whether the new policy > > will be accepted or not, that can be caught when > > 'measure func=POLICY_CHECK' is enabled (e.g., ima_policy=tcb). > > Enrco, Roberto, a reason for measuring invalid or malformed IMA policy rules > needs to be provided here.
One reason would be to be able to detect attempts to corrupt IMA by loading malformed data, since the measurement is performed before the policy is parsed. > In addition to the "ima_policy" critical data, why is this mechanism needed? POLICY_CHECK already measures partial policy load by file. This patch would just complete the POLICY_CHECK hook by measuring policy load by buffer. I believe they can both cohexist, both would allow to know which policy is loaded at any time. With the critical data, the existing policy is included in every entry, but it is easier to derive the current policy loaded. It would be up to the remote attestation solution to determine which solution is more suitable. Roberto > > The > > measurement template is forced to ima-buf. > > Please include directions for verifying the measurement record here in the > patch > description. > > > > > Suggested-by: Roberto Sassu <[email protected]> > > Signed-off-by: Enrico Bravi <[email protected]> > > --- > > security/integrity/ima/ima.h | 1 + > > security/integrity/ima/ima_fs.c | 1 + > > security/integrity/ima/ima_main.c | 19 +++++++++++++++++++ > > security/integrity/ima/ima_policy.c | 3 +++ > > 4 files changed, 24 insertions(+) > > > > diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h > > index a223d3f30d88..320c80a1a847 100644 > > --- a/security/integrity/ima/ima.h > > +++ b/security/integrity/ima/ima.h > > @@ -426,6 +426,7 @@ void *ima_policy_next(struct seq_file *m, void *v, > > loff_t *pos); > > void ima_policy_stop(struct seq_file *m, void *v); > > int ima_policy_show(struct seq_file *m, void *v); > > void ima_measure_loaded_policy(void); > > +int ima_measure_policy_buf(const char *buf, size_t buf_len); > > > > /* Appraise integrity measurements */ > > #define IMA_APPRAISE_ENFORCE 0x01 > > diff --git a/security/integrity/ima/ima_fs.c > > b/security/integrity/ima/ima_fs.c > > index 75cb308cf01f..601718e02429 100644 > > --- a/security/integrity/ima/ima_fs.c > > +++ b/security/integrity/ima/ima_fs.c > > @@ -362,6 +362,7 @@ static ssize_t ima_write_policy(struct file *file, > > const char __user *buf, > > 1, 0); > > result = -EACCES; > > } else { > > + ima_measure_policy_buf(data, datalen); > > result = ima_parse_add_rule(data); > > } > > mutex_unlock(&ima_write_mutex); > > diff --git a/security/integrity/ima/ima_main.c > > b/security/integrity/ima/ima_main.c > > index 1d6229b156fb..174110da0030 100644 > > --- a/security/integrity/ima/ima_main.c > > +++ b/security/integrity/ima/ima_main.c > > @@ -1204,6 +1204,25 @@ int ima_measure_critical_data(const char > > *event_label, > > } > > EXPORT_SYMBOL_GPL(ima_measure_critical_data); > > > > +/** > > + * ima_measure_policy_buf - Measure the policy write buffer > > + * @buf: pointer to the buffer containing the policy write data > > + * @buf_len: size of the buffer > > + * > > + * Measure the buffer sent to the IMA policy securityfs file. > > + * > > + * Return 0 on success, a negative value otherwise. > > + */ > > +int ima_measure_policy_buf(const char *buf, size_t buf_len) > > +{ > > + if (!buf || !buf_len) > > + return -ENOPARAM; > > Please return -EINVAL. > > > > + > > + return process_buffer_measurement(&nop_mnt_idmap, NULL, buf, buf_len, > > + "ima_write_policy_buf", POLICY_CHECK, > > + 0, NULL, false, NULL, 0); > > Parallel to "ima_policy_loaded" consider naming the record as > "ima_policy_written". > > The indentation is off by a character. > > > +} > > + > > #ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS > > > > /** > > [...] > > thanks, > > Mimi >
