/* SPDX-License-Identifier: LGPL-2.1+ */
/***
  This file is part of systemd.

  Copyright 2010 Lennart Poettering
  Copyright (C) 2012 Roberto Sassu - Politecnico di Torino, Italy
                     TORSEC group — http://security.polito.it

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
81611586 23#include <errno.h>
cf0fbc49 24#include <unistd.h>
81611586 25
3ffd4af2 26#include "fd-util.h"
0d39fa9c 27#include "fileio.h"
81611586 28#include "ima-setup.h"
81611586 29#include "log.h"
3ffd4af2 30#include "util.h"
31
32#define IMA_SECFS_DIR "/sys/kernel/security/ima"
33#define IMA_SECFS_POLICY IMA_SECFS_DIR "/policy"
34#define IMA_POLICY_PATH "/etc/ima/ima-policy"
35
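/**
 * Load the custom IMA policy from IMA_POLICY_PATH into the kernel.
 *
 * Two mechanisms are tried in order: first the policy file's path is
 * written to IMA_SECFS_POLICY (the kernel then reads the file itself);
 * if the kernel rejects that, the file's contents are copied into the
 * interface line by line.  Every "nothing to do" situation (no IMA in the
 * kernel, a policy already loaded, no policy file, interface not
 * openable) is logged and treated as success so that boot continues.
 *
 * Returns 0 on success or when loading was skipped, a negative errno
 * (-EIO for a short write) if the line-by-line copy fails part way.
 * With ENABLE_IMA off this is a no-op that returns 0.
 */
int ima_setup(void) {
#if ENABLE_IMA
        _cleanup_fclose_ FILE *input = NULL;
        _cleanup_close_ int imafd = -1;
        unsigned lineno = 0;
        char line[page_size()];

        if (access(IMA_SECFS_DIR, F_OK) < 0) {
                log_debug("IMA support is disabled in the kernel, ignoring.");
                return 0;
        }

        /* The policy interface stops being writable once a policy has
         * been accepted, so W_OK failing means someone got there first. */
        if (access(IMA_SECFS_POLICY, W_OK) < 0) {
                log_warning("Another IMA custom policy has already been loaded, ignoring.");
                return 0;
        }

        if (access(IMA_POLICY_PATH, F_OK) < 0) {
                log_debug("No IMA custom policy file "IMA_POLICY_PATH", ignoring.");
                return 0;
        }

        imafd = open(IMA_SECFS_POLICY, O_WRONLY|O_CLOEXEC);
        if (imafd < 0) {
                log_error_errno(errno, "Failed to open the IMA kernel interface "IMA_SECFS_POLICY", ignoring: %m");
                return 0;
        }

        /* Attempt to write the name of the policy file into the sysfs file.
         * Only a complete write counts as success; a short write would
         * otherwise be reported as "loaded" without the kernel having
         * consumed the whole path. */
        if (write(imafd, IMA_POLICY_PATH, STRLEN(IMA_POLICY_PATH)) == (ssize_t) STRLEN(IMA_POLICY_PATH))
                goto done;

        /* Fall back to copying the policy line-by-line. */
        input = fopen(IMA_POLICY_PATH, "re");
        if (!input) {
                log_warning_errno(errno, "Failed to open the IMA custom policy file "IMA_POLICY_PATH", ignoring: %m");
                return 0;
        }

        /* Reopen the interface rather than reuse the fd the rejected path
         * write went through.  safe_close() resets imafd to -1 so the
         * _cleanup_close_ handler can never see a stale descriptor. */
        imafd = safe_close(imafd);

        imafd = open(IMA_SECFS_POLICY, O_WRONLY|O_CLOEXEC);
        if (imafd < 0) {
                log_error_errno(errno, "Failed to open the IMA kernel interface "IMA_SECFS_POLICY", ignoring: %m");
                return 0;
        }

        FOREACH_LINE(line, input,
                     return log_error_errno(errno, "Failed to read the IMA custom policy file "IMA_POLICY_PATH": %m")) {
                size_t len;
                ssize_t n;

                len = strlen(line);
                lineno++;

                if (len == 0)
                        continue;

                /* Each write() is one policy rule as far as the kernel is
                 * concerned, so a partial write cannot simply be resumed:
                 * the remainder would be parsed as a separate rule.  Treat
                 * it as a hard error instead of silently continuing. */
                n = write(imafd, line, len);
                if (n < 0)
                        return log_error_errno(errno, "Failed to load the IMA custom policy file "IMA_POLICY_PATH":%u: %m",
                                               lineno);
                if ((size_t) n != len) {
                        log_error("Short write while loading the IMA custom policy file "IMA_POLICY_PATH":%u, giving up.",
                                  lineno);
                        return -EIO;
                }
        }

done:
        log_info("Successfully loaded the IMA custom policy "IMA_POLICY_PATH".");
#endif /* ENABLE_IMA */
        return 0;
}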