From: Roberto S. <rob...@po...> - 2009-10-12 09:19:25
Hi all,

I have tried to write an IMA policy in order to measure all files, in a system with SELinux installed, accessed by subjects whose security context starts with "system_u:system_r", and to skip files with the label "initrc_var_run_t" (/var/run/utmp), which is the origin of multiple violations. The policy is:

--------
dont_measure obj_type=initrc_var_run_t
measure subj_user=system_u func=PATH_CHECK mask=MAY_READ
measure subj_role=system_r func=PATH_CHECK mask=MAY_READ
--------

Depending on the order of the directives I got different results. I searched in the kernel code where the IMA policy is loaded and I see that in the file "security/integrity/ima/ima_policy.c" only one entry is created for all the LSM rules, even if there are different "measure/dont_measure" directives. Then I modified the code in order to create a new object of "struct ima_measure_rule_entry" for each line of the policy, which will contain the parsed criteria and will have an associated action (measure/dont_measure). After the parsing procedure each new object is added to the list referenced by the variable "measure_policy_rules".

Finally I modified the measurement decision logic located in the function "ima_match_policy". The procedure scans the list which contains the loaded policy and we have the following cases:

- if none of the loaded rules is matched by the subject/object security context, the decision taken is "false" (this case is handled by the variable "flag_matched");
- the function will return "true" if, for all rules matched by the current subject/object security context, the bound action is "measure"; if just one rule contains the action "dont_measure" the result returned will be "false".

I have not verified the correctness for all possible cases, but with the proposed modification I can have a list of the measured files accessed during the boot procedure (my system is Fedora 11) without any violation.
The attached file contains the patch I applied to the vanilla kernel version 2.6.31.3.
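The decision logic described in the mail, written out as a stand-alone model. This is an added example, not the author's patch (the attachment is not reproduced in this archive): each policy line becomes its own entry carrying its own action, and ima_match_policy_model() walks the list the way the mail describes. The struct and function names, the string comparison on SELinux labels, and the sample contexts are constructed for this example; the real kernel evaluates LSM rules through the security module, and the names used by the patch itself are not visible here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the per-line rule entry described in the mail: one
 * entry per policy line, each carrying its own action. The field names are
 * assumptions made for this example, not those of the author's patch. */
enum rule_action { ACTION_MEASURE, ACTION_DONT_MEASURE };

struct rule_entry {
    enum rule_action action;
    const char *func;       /* hook name, e.g. "PATH_CHECK"; NULL = any hook */
    const char *mask;       /* e.g. "MAY_READ"; NULL = any mask */
    const char *subj_user;  /* SELinux user of the subject; NULL = not a criterion */
    const char *subj_role;  /* SELinux role of the subject; NULL = not a criterion */
    const char *obj_type;   /* SELinux type of the object; NULL = not a criterion */
};

/* The subject/object context of one access, as seen by the hook. */
struct access_ctx {
    const char *func;
    const char *mask;
    const char *subj_user;
    const char *subj_role;
    const char *obj_type;
};

/* A criterion that was not given on the policy line matches everything. */
static bool crit_match(const char *crit, const char *value)
{
    return crit == NULL || (value != NULL && strcmp(crit, value) == 0);
}

static bool rule_matches(const struct rule_entry *r, const struct access_ctx *c)
{
    return crit_match(r->func, c->func) && crit_match(r->mask, c->mask) &&
           crit_match(r->subj_user, c->subj_user) &&
           crit_match(r->subj_role, c->subj_role) &&
           crit_match(r->obj_type, c->obj_type);
}

/* Decision logic as the mail states it: no matching rule -> false; any
 * matching dont_measure rule -> false; otherwise every matching rule is a
 * measure rule -> true. The walk does not depend on rule order. */
bool ima_match_policy_model(const struct rule_entry *rules, size_t n,
                            const struct access_ctx *c)
{
    bool flag_matched = false;

    for (size_t i = 0; i < n; i++) {
        if (!rule_matches(&rules[i], c))
            continue;
        if (rules[i].action == ACTION_DONT_MEASURE)
            return false;
        flag_matched = true;
    }
    return flag_matched;
}

/* The three-line policy from the mail, in the order written and reversed. */
const struct rule_entry example_policy[] = {
    { ACTION_DONT_MEASURE, NULL, NULL, NULL, NULL, "initrc_var_run_t" },
    { ACTION_MEASURE, "PATH_CHECK", "MAY_READ", "system_u", NULL, NULL },
    { ACTION_MEASURE, "PATH_CHECK", "MAY_READ", NULL, "system_r", NULL },
};
const struct rule_entry example_policy_reversed[] = {
    { ACTION_MEASURE, "PATH_CHECK", "MAY_READ", NULL, "system_r", NULL },
    { ACTION_MEASURE, "PATH_CHECK", "MAY_READ", "system_u", NULL, NULL },
    { ACTION_DONT_MEASURE, NULL, NULL, NULL, NULL, "initrc_var_run_t" },
};
#define EXAMPLE_POLICY_LEN 3

/* Decide for one PATH_CHECK access with the given mask and SELinux labels
 * (constructed contexts; the object is identified by its SELinux type). */
bool decide(const struct rule_entry *rules, size_t n, const char *mask,
            const char *subj_user, const char *subj_role, const char *obj_type)
{
    struct access_ctx c = { "PATH_CHECK", mask, subj_user, subj_role, obj_type };
    return ima_match_policy_model(rules, n, &c);
}

int main(void)
{
    static const struct {
        const char *mask, *user, *role, *type;
    } cases[] = {
        { "MAY_READ", "system_u", "system_r", "etc_t" },
        { "MAY_READ", "system_u", "system_r", "initrc_var_run_t" },
        { "MAY_READ", "unconfined_u", "unconfined_r", "etc_t" },
        { "MAY_EXEC", "system_u", "system_r", "bin_t" },
    };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        bool a = decide(example_policy, EXAMPLE_POLICY_LEN, cases[i].mask,
                        cases[i].user, cases[i].role, cases[i].type);
        bool b = decide(example_policy_reversed, EXAMPLE_POLICY_LEN, cases[i].mask,
                        cases[i].user, cases[i].role, cases[i].type);
        printf("%s %s:%s -> %-16s measure=%d (reversed order: %d)\n",
               cases[i].mask, cases[i].user, cases[i].role, cases[i].type, a, b);
    }
    return 0;
}
```

Because the walk returns false as soon as a matching dont_measure rule is seen and otherwise only records that some measure rule matched, the same three lines give the same answer in either order: the utmp access is skipped, a system_u:system_r read of another file is measured, and an access that matches no rule at all is not measured. That order independence is exactly the behaviour the mail sets out to obtain.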