From: Tushar Sugandhi
To: zohar@linux.ibm.com, stephen.smalley.work@gmail.com, casey@schaufler-ca.com, agk@redhat.com, snitzer@redhat.com, gmazyland@gmail.com
Cc: tyhicks@linux.microsoft.com, sashal@kernel.org, jmorris@namei.org, nramas@linux.microsoft.com, linux-integrity@vger.kernel.org, selinux@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dm-devel@redhat.com
Subject: [PATCH v4 2/6] IMA: conditionally allow empty rule data
Date: Wed, 23 Sep 2020 12:20:07 -0700
Message-Id: <20200923192011.5293-3-tusharsu@linux.microsoft.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20200923192011.5293-1-tusharsu@linux.microsoft.com>
References: <20200923192011.5293-1-tusharsu@linux.microsoft.com>
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

ima_match_rule_data() permits the func to pass empty func_data.
For instance, for the following func, the func_data keyrings= is optional.

  measure func=KEY_CHECK keyrings=.ima

But a new func in future may want to constrain the func_data to be non-empty.
ima_match_rule_data() should support this constraint and it shouldn't be
hard-coded in ima_match_rule_data().

Update ima_match_rule_data() to conditionally allow empty func_data for the
func that needs it.

Signed-off-by: Tushar Sugandhi
---
 security/integrity/ima/ima_policy.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 31a772d8a86b..8866e84d0062 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -456,6 +456,7 @@ int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event, * @rule: IMA policy rule * @opt_list: rule data to match func_data against * @func_data: data to match against the measure rule data + * @allow_empty_opt_list: If true matches all func_data * @cred: a pointer to a credentials structure for user validation * * Returns true if func_data matches one in the rule, false otherwise. @@ -463,6 +464,7 @@ int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event, static bool ima_match_rule_data(struct ima_rule_entry *rule, const struct ima_rule_opt_list *opt_list, const char *func_data, + bool allow_empty_opt_list, const struct cred *cred) { bool matched = false; @@ -472,7 +474,7 @@ static bool ima_match_rule_data(struct ima_rule_entry *rule, return false; if (!opt_list) - return true; + return allow_empty_opt_list; if (!func_data) return false; @@ -509,7 +511,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, if (func == KEY_CHECK) { return (rule->flags & IMA_FUNC) && (rule->func == func) && ima_match_rule_data(rule, rule->keyrings, func_data, - cred); + true, cred); } if ((rule->flags & IMA_FUNC) && (rule->func != func && func != POST_SETATTR)) -- 2.17.1
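Review bot: the new kernel-doc line `@allow_empty_opt_list: If true matches all func_data` in the first hunk describes the flag imprecisely and is missing a comma. The flag only has an effect when @opt_list is NULL (the rule carries no data option at all): true keeps the existing behaviour, where such a rule matches any func_data, and false makes such a rule match nothing. Suggest: `@allow_empty_opt_list: if true, a NULL @opt_list matches any func_data; if false it matches none`.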
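Review bot: in the third hunk, `return allow_empty_opt_list;` turns a rule that is missing mandatory data into a rule that silently never matches at runtime (a false return from ima_match_rule_data() means "this rule does not apply", so the hook falls through to other rules). For a func that requires its data, a rule without it is a policy error and would be better reported when the rule is parsed than ignored at match time; at minimum the kernel-doc should say that false here means the rule is skipped. Related wording point: the commit body says the change allows "empty func_data", while what the new flag governs is an empty @opt_list, i.e. the rule's data, as the subject line correctly says.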
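Review bot: the call site in the last hunk now reads `ima_match_rule_data(rule, rule->keyrings, func_data, true, cred);`, and the bare `true` gives no hint of its meaning without reading the prototype. A short comment on the call (for example `/* keyrings= is optional for KEY_CHECK */`) or a named constant would make the intent clear and make a future call site that passes `false` stand out in review.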