    ima: Support additional conditionals in the KEXEC_CMDLINE hook function · 4834177e
    Tyler Hicks authored
    Take the properties of the kexec kernel's inode and the current task
    ownership into consideration when matching a KEXEC_CMDLINE operation to
    the rules in the IMA policy. This allows for some uniformity when
    writing IMA policy rules for KEXEC_KERNEL_CHECK, KEXEC_INITRAMFS_CHECK,
    and KEXEC_CMDLINE operations.
    
    Prior to this patch, it was not possible to write a set of rules like
    this:
    
     dont_measure func=KEXEC_KERNEL_CHECK obj_type=foo_t
     dont_measure func=KEXEC_INITRAMFS_CHECK obj_type=foo_t
     dont_measure func=KEXEC_CMDLINE obj_type=foo_t
     measure func=KEXEC_KERNEL_CHECK
     measure func=KEXEC_INITRAMFS_CHECK
     measure func=KEXEC_CMDLINE
    
    The inode information associated with the kernel being loaded by a
    kexec_kernel_load(2) syscall can now be included in the decision to
    measure or not.
    
    Additionally, the uid, euid, and subj_* conditionals can also now be
    used in KEXEC_CMDLINE rules. There was no technical reason as to why
    those conditionals weren't being considered previously other than
    ima_match_rules() didn't have a valid inode to use so it immediately
    bailed out for KEXEC_CMDLINE operations rather than going through the
    full list of conditional comparisons.
    Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
    Cc: Eric Biederman <ebiederm@xmission.com>
    Cc: kexec@lists.infradead.org
    Reviewed-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
    Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>