From: Roberto S. <rob...@po...> - 2010-04-14 09:51:51
Description of the issue:

IMA performs measurement of files depending on the set of policy rules loaded. There are two ways to specify the policy to be used: first by adding the string "ima_tcb=1" to the kernel command line (this causes the loading of a set of hard coded rules); the second by passing the content of a file containing a set of custom rules through a special file exported by IMA in the "securityfs". In both cases rules are stored in memory in a doubly linked list, which is used by the function "ima_match_policy" to determine if the file must be measured. If the first method is used, then the list is populated when the initialization function of IMA is called by the kernel; if not, custom policies can be loaded at any time, and this operation is allowed only once. Hard coded rules are stored in a static vector and the initialization function adds each item to the list by calling the function "list_add_tail". In the version of IMA shipped with kernel 2.6.33 the list contains 9 items.

The parsing function is used only when custom rules must be loaded to replace the default ones, but a different behavior can be observed with respect to the first case: only one element is allocated and it is populated by the parsing function that recognizes the tokens ' ' and '\n'. So, having multiple lines in the file passed through the exported interface doesn't lead to the same number of rules in the list, since only one allocated item is available. If a directive spans two different lines, only the last value is taken and the first one is overwritten.

Another issue is how IMA determines if a file must be measured or not: the behavior is to return the action expressed in the first rule of the list that matches the given criteria. This may cause unattended measurement operations: if there are two rules, one generic to measure all files with uid 0 and another not to measure files in a "tmpfs" filesystem, and these are written in this order, only the first one is considered for root owned files, because the first policy always matches. So, this means that all files with uid 0 in a "tmpfs" filesystem will be measured.

Solution proposed:

We decided to handle the tokens ' ' and '\n' in a different way: first, a new policy item is allocated each time the second token is encountered, so each line of the file will correspond to a different element; second, the parsing function will handle only the ' ' token and store the parsing result in the passed item. If an error happens in the middle of the procedure, the list is cleaned up as usual.

Another code update has been done to solve the second issue reported: in the function "ima_match_policy", instead of stopping at the first rule in the list that matches the given criteria and returning the corresponding action, all items will be inspected and the decision to measure will be taken only if there are no matching rules with action "don't measure". This solves the problem described in the previous section.

This patch set applies to the kernel 2.6.32 series and 2.6.33 series.

Roberto Sassu (2):
  ima: fix loading multi line policies from userspace
  ima: policy matching decision depends on the overall "ima_measure" list
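The two behaviors described in this cover letter, the one-item-per-line loader versus the single shared item, and first-match versus overall-list matching, are shown below in a small user-space model. This is an added example written for this page, not IMA kernel code and not the patch itself: the rule syntax ("measure"/"dont_measure" followed by optional "uid=N" and "fs=NAME" tokens), the struct fields and all function names are my own simplifications, and "fs=" stands in for IMA's filesystem condition. The sample policy text is constructed to reproduce the uid 0 / tmpfs case from the mail.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified rule: one action plus optional uid and filesystem conditions.
 * Field names and syntax are assumptions for this illustration, not IMA's. */
enum action { DONT_MEASURE = 0, MEASURE = 1 };

struct rule {
    enum action action;
    int uid;            /* -1: any uid */
    char fs[32];        /* "": any filesystem */
    struct rule *next;
};

struct policy {
    struct rule *head, *tail;
    int count;
};

static void init_rule(struct rule *r)
{
    r->action = MEASURE; r->uid = -1; r->fs[0] = '\0'; r->next = NULL;
}

/* Parse the ' '-separated tokens of ONE line into r (the split on '\n' is
 * done by the caller).  Returns -1 on an unknown token. */
static int parse_tokens(char *line, struct rule *r)
{
    char *tok;
    for (tok = strtok(line, " "); tok; tok = strtok(NULL, " ")) {
        if (strcmp(tok, "measure") == 0)            r->action = MEASURE;
        else if (strcmp(tok, "dont_measure") == 0)  r->action = DONT_MEASURE;
        else if (strncmp(tok, "uid=", 4) == 0)      r->uid = atoi(tok + 4);
        else if (strncmp(tok, "fs=", 3) == 0)       snprintf(r->fs, sizeof r->fs, "%s", tok + 3);
        else                                        return -1;
    }
    return 0;
}

/* Drop every rule, as the error path in the mail does. */
static void free_policy(struct policy *p)
{
    struct rule *r = p->head, *n;
    while (r) { n = r->next; free(r); r = n; }
    p->head = p->tail = NULL; p->count = 0;
}

static void append(struct policy *p, struct rule *r)
{
    if (p->tail) p->tail->next = r; else p->head = r;
    p->tail = r; p->count++;
}

/* item_per_line=1: the fixed behavior, a fresh item for every line.
 * item_per_line=0: the old behavior, every line parsed into the same single
 * item, so later lines overwrite earlier values.  Returns the rule count or
 * -1 after cleaning up on a malformed line. */
static int load_policy(const char *text, struct policy *p, int item_per_line)
{
    char line[128];
    const char *s = text;
    p->head = p->tail = NULL; p->count = 0;
    while (*s) {
        const char *nl = strchr(s, '\n');
        size_t len = nl ? (size_t)(nl - s) : strlen(s);
        if (len >= sizeof line) { free_policy(p); return -1; }
        memcpy(line, s, len); line[len] = '\0';
        if (len > 0) {
            struct rule *r = (item_per_line || !p->tail) ? NULL : p->tail;
            if (!r) {
                r = malloc(sizeof *r);
                if (!r) { free_policy(p); return -1; }
                init_rule(r);
                append(p, r);
            }
            if (parse_tokens(line, r) < 0) { free_policy(p); return -1; }
        }
        s = nl ? nl + 1 : s + len;
    }
    return p->count;
}

static int rule_matches(const struct rule *r, int uid, const char *fs)
{
    if (r->uid != -1 && r->uid != uid) return 0;
    if (r->fs[0] && strcmp(r->fs, fs) != 0) return 0;
    return 1;
}

/* Old decision: the first matching rule's action wins. */
static enum action decide_first_match(const struct policy *p, int uid, const char *fs)
{
    for (const struct rule *r = p->head; r; r = r->next)
        if (rule_matches(r, uid, fs)) return r->action;
    return DONT_MEASURE;   /* assumption: no matching rule means no measurement */
}

/* Patched decision: inspect every rule; measure only if a matching rule says
 * so and no matching rule says "don't measure". */
static enum action decide_overall(const struct policy *p, int uid, const char *fs)
{
    enum action result = DONT_MEASURE;
    for (const struct rule *r = p->head; r; r = r->next) {
        if (!rule_matches(r, uid, fs)) continue;
        if (r->action == DONT_MEASURE) return DONT_MEASURE;
        result = MEASURE;
    }
    return result;
}

int main(void)
{
    struct policy p;
    const char *text = "measure uid=0\ndont_measure fs=tmpfs\n";  /* constructed */
    load_policy(text, &p, 1);
    printf("rules loaded: %d\n", p.count);
    printf("uid 0 on tmpfs, first match: %s\n",
           decide_first_match(&p, 0, "tmpfs") == MEASURE ? "measure" : "dont_measure");
    printf("uid 0 on tmpfs, overall:     %s\n",
           decide_overall(&p, 0, "tmpfs") == MEASURE ? "measure" : "dont_measure");
    free_policy(&p);
    return 0;
}
```

Loading the same two-line text with item_per_line=0 yields a single rule carrying the last-written values, which is the overwrite the first patch removes; with item_per_line=1 the two rules are distinct, and only decide_overall leaves the root-owned tmpfs file unmeasured.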