[thirdparty/systemd.git] / src / core / ima-setup.c

/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/

/***
  This file is part of systemd.

  Copyright 2010 Lennart Poettering
  Copyright (C) 2012 Roberto Sassu - Politecnico di Torino, Italy
                                     TORSEC group -- http://security.polito.it

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include <unistd.h>
#include <errno.h>
#include <fcntl.h>

#include "ima-setup.h"
#include "copy.h"
#include "util.h"
#include "log.h"

#define IMA_SECFS_DIR "/sys/kernel/security/ima"
#define IMA_SECFS_POLICY IMA_SECFS_DIR "/policy"
#define IMA_POLICY_PATH "/etc/ima/ima-policy"

int ima_setup(void) {
        int r = 0;

#ifdef HAVE_IMA
        _cleanup_close_ int policyfd = -1, imafd = -1;

        if (access(IMA_SECFS_DIR, F_OK) < 0) {
                log_debug("IMA support is disabled in the kernel, ignoring.");
                return 0;
        }

        policyfd = open(IMA_POLICY_PATH, O_RDONLY|O_CLOEXEC);
        if (policyfd < 0) {
                log_full_errno(errno == ENOENT ? LOG_DEBUG : LOG_WARNING, errno,
                               "Failed to open the IMA custom policy file "IMA_POLICY_PATH", ignoring: %m");
                return 0;
        }

        if (access(IMA_SECFS_POLICY, F_OK) < 0) {
                log_warning("Another IMA custom policy has already been loaded, ignoring.");
                return 0;
        }

        imafd = open(IMA_SECFS_POLICY, O_WRONLY|O_CLOEXEC);
        if (imafd < 0) {
                log_error_errno(errno, "Failed to open the IMA kernel interface "IMA_SECFS_POLICY", ignoring: %m");
                return 0;
        }

        r = copy_bytes(policyfd, imafd, (off_t) -1, false);
        if (r < 0)
                log_error_errno(r, "Failed to load the IMA custom policy file "IMA_POLICY_PATH": %m");
        else
                log_info("Successfully loaded the IMA custom policy "IMA_POLICY_PATH".");

#endif /* HAVE_IMA */
        return r;
}
Commit	Line	Data
81611586 RS	1	/-- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil --/
	2
	3	/***
	4	This file is part of systemd.
	5
	6	Copyright 2010 Lennart Poettering
	7	Copyright (C) 2012 Roberto Sassu - Politecnico di Torino, Italy
	8	TORSEC group -- http://security.polito.it
	9
	10	systemd is free software; you can redistribute it and/or modify it
5430f7f2 LP	11	under the terms of the GNU Lesser General Public License as published by
5430f7f2 LP	12	the Free Software Foundation; either version 2.1 of the License, or
81611586 RS	13	(at your option) any later version.
	14
	15	systemd is distributed in the hope that it will be useful, but
	16	WITHOUT ANY WARRANTY; without even the implied warranty of
	17	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5430f7f2	18	Lesser General Public License for more details.
81611586	19
5430f7f2	20	You should have received a copy of the GNU Lesser General Public License
81611586 RS	21	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	22	***/
	23
	24	#include <unistd.h>
81611586	25	#include <errno.h>
4dfb1892	26	#include <fcntl.h>
81611586 RS	27
81611586 RS	28	#include "ima-setup.h"
4dfb1892	29	#include "copy.h"
81611586 RS	30	#include "util.h"
81611586 RS	31	#include "log.h"
81611586 RS	32
	33	#define IMA_SECFS_DIR "/sys/kernel/security/ima"
	34	#define IMA_SECFS_POLICY IMA_SECFS_DIR "/policy"
	35	#define IMA_POLICY_PATH "/etc/ima/ima-policy"
	36
	37	int ima_setup(void) {
553acb7b	38	int r = 0;
81611586 RS	39
81611586 RS	40	#ifdef HAVE_IMA
4ab72d6f	41	_cleanup_close_ int policyfd = -1, imafd = -1;
4ab72d6f	42
4dfb1892	43	if (access(IMA_SECFS_DIR, F_OK) < 0) {
4ab72d6f WW	44	log_debug("IMA support is disabled in the kernel, ignoring.");
	45	return 0;
	46	}
	47
4dfb1892 ZJS	48	policyfd = open(IMA_POLICY_PATH, O_RDONLY\|O_CLOEXEC);
	49	if (policyfd < 0) {
	50	log_full_errno(errno == ENOENT ? LOG_DEBUG : LOG_WARNING, errno,
	51	"Failed to open the IMA custom policy file "IMA_POLICY_PATH", ignoring: %m");
4ab72d6f WW	52	return 0;
	53	}
	54
4dfb1892 ZJS	55	if (access(IMA_SECFS_POLICY, F_OK) < 0) {
4dfb1892 ZJS	56	log_warning("Another IMA custom policy has already been loaded, ignoring.");
4ab72d6f WW	57	return 0;
	58	}
	59
	60	imafd = open(IMA_SECFS_POLICY, O_WRONLY\|O_CLOEXEC);
	61	if (imafd < 0) {
4dfb1892 ZJS	62	log_error_errno(errno, "Failed to open the IMA kernel interface "IMA_SECFS_POLICY", ignoring: %m");
4dfb1892 ZJS	63	return 0;
4ab72d6f WW	64	}
4ab72d6f WW	65
7430ec6a	66	r = copy_bytes(policyfd, imafd, (off_t) -1, false);
4dfb1892 ZJS	67	if (r < 0)
	68	log_error_errno(r, "Failed to load the IMA custom policy file "IMA_POLICY_PATH": %m");
	69	else
	70	log_info("Successfully loaded the IMA custom policy "IMA_POLICY_PATH".");
4ab72d6f	71
81611586	72	#endif /* HAVE_IMA */
553acb7b	73	return r;
81611586	74	}