Re: [PATCH 1/1] ima: check control characters in policy file path
From: Mimi Zohar <zohar@linux.ibm.com>
Date: 2021-08-17 17:45:45
Also in:
linux-security-module, lkml
On Sat, 2021-08-14 at 16:27 +0800, Tianxing Zhang wrote:
quoted hunk ↗ jump to hunk
When a policy file path contains control characters like '\r' or '\b', invalid error messages can be printed to overwrite system messages: $ echo -e "/\rtest 12345678" > /sys/kernel/security/ima/policy This patch rejects policy paths with control characters. Signed-off-by: Tianxing Zhang <redacted> --- security/integrity/ima/ima_fs.c | 9 +++++++++ 1 file changed, 9 insertions(+)diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c index 3d8e9d5db5aa..e6daa138de89 100644 --- a/security/integrity/ima/ima_fs.c +++ b/security/integrity/ima/ima_fs.c@@ -316,6 +316,7 @@ static ssize_t ima_write_policy(struct file *file, const char __user *buf, { char *data; ssize_t result; + int i; if (datalen >= PAGE_SIZE) datalen = PAGE_SIZE - 1;@@ -331,6 +332,14 @@ static ssize_t ima_write_policy(struct file *file, const char __user *buf, goto out; } + for (i = 0; data[i] != '\n' && data[i] != '\0'; i++) { + if (iscntrl(data[i])) { + pr_err_once("file path with no control characters required\n"); + result = -EINVAL; + goto out_free; + } + } + result = mutex_lock_interruptible(&ima_write_mutex); if (result < 0) goto out_free;
The IMA audit messages already display pathnames via audit_log_untrustedstring(). Shouldn't any change be limited to the ima_policy_read() code path? thanks, Mimi