[RFC 09/20] ima: Only accept AUDIT rules for IMA non-init_ima_ns namespaces for now

[RFC 00/20] ima: Namespace IMA with audit support in IMA-ns · Stefan Berger <stefanb@linux.ibm.com> · 2021-11-30
[RFC 20/20] ima: Setup securityfs_ns for IMA namespace · Stefan Berger <stefanb@linux.ibm.com> · 2021-11-30
Re: [RFC 20/20] ima: Setup securityfs_ns for IMA namespace · James Bottomley <hidden> · 2021-12-01
Re: [RFC 20/20] ima: Setup securityfs_ns for IMA namespace · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-01
Re: [RFC 20/20] ima: Setup securityfs_ns for IMA namespace · James Bottomley <hidden> · 2021-12-01
Re: [RFC 20/20] ima: Setup securityfs_ns for IMA namespace · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-01
Re: [RFC 20/20] ima: Setup securityfs_ns for IMA namespace · James Bottomley <hidden> · 2021-12-01
Re: [RFC 20/20] ima: Setup securityfs_ns for IMA namespace · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-01
Re: [RFC 20/20] ima: Setup securityfs_ns for IMA namespace · James Bottomley <hidden> · 2021-12-01
Re: [RFC 20/20] ima: Setup securityfs_ns for IMA namespace · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-01
Re: [RFC 20/20] ima: Setup securityfs_ns for IMA namespace · James Bottomley <hidden> · 2021-12-01
Re: [RFC 20/20] ima: Setup securityfs_ns for IMA namespace · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-02
Re: [RFC 20/20] ima: Setup securityfs_ns for IMA namespace · Christian Brauner <hidden> · 2021-12-02
Re: [RFC 20/20] ima: Setup securityfs_ns for IMA namespace · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-02
[RFC 01/20] ima: Add IMA namespace support · Stefan Berger <stefanb@linux.ibm.com> · 2021-11-30
[RFC 14/20] ima: Move some IMA policy and filesystem related variables into ima_namespace · Stefan Berger <stefanb@linux.ibm.com> · 2021-11-30
[RFC 10/20] ima: Implement hierarchical processing of file accesses · Stefan Berger <stefanb@linux.ibm.com> · 2021-11-30
[RFC 09/20] ima: Only accept AUDIT rules for IMA non-init_ima_ns namespaces for now · Stefan Berger <stefanb@linux.ibm.com> · 2021-11-30
[RFC 17/20] ima: Use integrity_admin_ns_capable() to check corresponding capability · Stefan Berger <stefanb@linux.ibm.com> · 2021-11-30
Re: [RFC 17/20] ima: Use integrity_admin_ns_capable() to check corresponding capability · James Bottomley <hidden> · 2021-12-01
Re: [RFC 17/20] ima: Use integrity_admin_ns_capable() to check corresponding capability · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-01
Re: [RFC 17/20] ima: Use integrity_admin_ns_capable() to check corresponding capability · James Bottomley <hidden> · 2021-12-01
RE: [RFC 17/20] ima: Use integrity_admin_ns_capable() to check corresponding capability · Denis Semakin <hidden> · 2021-12-02
Re: [RFC 17/20] ima: Use integrity_admin_ns_capable() to check corresponding capability · James Bottomley <hidden> · 2021-12-02
Re: [RFC 17/20] ima: Use integrity_admin_ns_capable() to check corresponding capability · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-02
Re: [RFC 17/20] ima: Use integrity_admin_ns_capable() to check corresponding capability · Christian Brauner <hidden> · 2021-12-02
Re: [RFC 17/20] ima: Use integrity_admin_ns_capable() to check corresponding capability · Christian Brauner <hidden> · 2021-12-02
Re: [RFC 17/20] ima: Use integrity_admin_ns_capable() to check corresponding capability · Casey Schaufler <casey@schaufler-ca.com> · 2021-12-02
[RFC 13/20] securityfs: Build securityfs_ns for namespacing support · Stefan Berger <stefanb@linux.ibm.com> · 2021-11-30
Re: [RFC 13/20] securityfs: Build securityfs_ns for namespacing support · Christian Brauner <hidden> · 2021-12-02
Re: [RFC 13/20] securityfs: Build securityfs_ns for namespacing support · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-02
[RFC 07/20] ima: Move ima_htable into ima_namespace · Stefan Berger <stefanb@linux.ibm.com> · 2021-11-30
[RFC 02/20] ima: Define ns_status for storing namespaced iint data · Stefan Berger <stefanb@linux.ibm.com> · 2021-11-30
[RFC 16/20] ima: Use ns_capable() for namespace policy access · Stefan Berger <stefanb@linux.ibm.com> · 2021-11-30
[RFC 12/20] securityfs: Pass static variables as parameters from top level functions · Stefan Berger <stefanb@linux.ibm.com> · 2021-11-30
[RFC 18/20] userns: Introduce a refcount variable for calling early teardown function · Stefan Berger <stefanb@linux.ibm.com> · 2021-11-30
[RFC 03/20] ima: Namespace audit status flags · Stefan Berger <stefanb@linux.ibm.com> · 2021-11-30
[RFC 11/20] securityfs: Prefix global variables with securityfs_ · Stefan Berger <stefanb@linux.ibm.com> · 2021-11-30
[RFC 15/20] capabilities: Introduce CAP_INTEGRITY_ADMIN · Stefan Berger <stefanb@linux.ibm.com> · 2021-11-30
Re: [RFC 15/20] capabilities: Introduce CAP_INTEGRITY_ADMIN · Casey Schaufler <casey@schaufler-ca.com> · 2021-11-30
Re: [RFC 15/20] capabilities: Introduce CAP_INTEGRITY_ADMIN · Stefan Berger <stefanb@linux.ibm.com> · 2021-11-30
Re: [RFC 15/20] capabilities: Introduce CAP_INTEGRITY_ADMIN · Casey Schaufler <casey@schaufler-ca.com> · 2021-11-30
[RFC 04/20] ima: Move delayed work queue and variables into ima_namespace · Stefan Berger <stefanb@linux.ibm.com> · 2021-11-30
[RFC 08/20] ima: Move measurement list related variables into ima_namespace · Stefan Berger <stefanb@linux.ibm.com> · 2021-11-30
Re: [RFC 08/20] ima: Move measurement list related variables into ima_namespace · James Bottomley <hidden> · 2021-12-02
Re: [RFC 08/20] ima: Move measurement list related variables into ima_namespace · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-02
Re: [RFC 08/20] ima: Move measurement list related variables into ima_namespace · James Bottomley <hidden> · 2021-12-02
Re: [RFC 08/20] ima: Move measurement list related variables into ima_namespace · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-02
Re: [RFC 08/20] ima: Move measurement list related variables into ima_namespace · James Bottomley <hidden> · 2021-12-02
Re: [RFC 08/20] ima: Move measurement list related variables into ima_namespace · Stefan Berger <stefanb@linux.ibm.com> · 2021-12-02
Re: [RFC 08/20] ima: Move measurement list related variables into ima_namespace · James Bottomley <hidden> · 2021-12-02
[RFC 05/20] ima: Move IMA's keys queue related variables into ima_namespace · Stefan Berger <stefanb@linux.ibm.com> · 2021-11-30
[RFC 19/20] ima/userns: Define early teardown function for IMA namespace · Stefan Berger <stefanb@linux.ibm.com> · 2021-11-30
[RFC 06/20] ima: Move policy related variables into ima_namespace · Stefan Berger <stefanb@linux.ibm.com> · 2021-11-30

From: Stefan Berger <stefanb@linux.ibm.com>
Date: 2021-11-30 16:08:11
Also in: linux-security-module, lkml
Subsystem: extended verification module (evm), integrity measurement architecture (ima), security subsystem, the rest · Maintainers: Mimi Zohar, Roberto Sassu, Dmitry Kasatkin, Paul Moore, James Morris, "Serge E. Hallyn", Linus Torvalds

Only accept AUDIT rules for non-init_ima_ns namespaces rejecting all rules
that require support for measuring, appraisal, and hashing.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 security/integrity/ima/ima_policy.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 96e7d63167e8..02e96da2faff 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c

@@ -1785,6 +1785,16 @@ static int ima_parse_rule(struct ima_namespace *ns,
 			result = -EINVAL;
 			break;
 		}
+
+		/* IMA namespace only accepts AUDIT rules */
+		if (ns != &init_ima_ns) {
+			switch (entry->action) {
+			case MEASURE:
+			case APPRAISE:
+			case HASH:
+				result = -EINVAL;
+			}
+		}
 	}
 	if (!result && !ima_validate_rule(entry))
 		result = -EINVAL;

-- 
2.31.1

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help