projects / thirdparty / systemd.git / blame
| Commit | Line | Data |
|---|---|---|
| 53e1b683 | 1 | /* SPDX-License-Identifier: LGPL-2.1+ */ |
| 81611586 | 2 | /*** |
| 810adae9 LP |
3 | Copyright © 2012 Roberto Sassu - Politecnico di Torino, Italy |
| 4 | TORSEC group — http://security.polito.it | |
| 81611586 RS |
5 | ***/ |
| 6 | ||
| 81611586 | 7 | #include <errno.h> |
| ca78ad1d ZJS |
8 | #include <fcntl.h> |
| 9 | #include <sys/stat.h> | |
| 10 | #include <sys/types.h> | |
| cf0fbc49 | 11 | #include <unistd.h> |
| 81611586 | 12 | |
| 2452419b | 13 | #include "alloc-util.h" |
| 3ffd4af2 | 14 | #include "fd-util.h" |
| 0d39fa9c | 15 | #include "fileio.h" |
| 81611586 | 16 | #include "ima-setup.h" |
| 81611586 | 17 | #include "log.h" |
| 81611586 RS |
18 | |
| 19 | #define IMA_SECFS_DIR "/sys/kernel/security/ima" | |
| 20 | #define IMA_SECFS_POLICY IMA_SECFS_DIR "/policy" | |
| 21 | #define IMA_POLICY_PATH "/etc/ima/ima-policy" | |
| 22 | ||
| 23 | int ima_setup(void) { | |
| 392fd235 | 24 | #if ENABLE_IMA |
| 92994160 ZJS |
25 | _cleanup_fclose_ FILE *input = NULL; |
| 26 | _cleanup_close_ int imafd = -1; | |
| 27 | unsigned lineno = 0; | |
| 2452419b | 28 | int r; |
| 4ab72d6f | 29 | |
| 4dfb1892 | 30 | if (access(IMA_SECFS_DIR, F_OK) < 0) { |
| b435812c | 31 | log_debug_errno(errno, "IMA support is disabled in the kernel, ignoring: %m"); |
| 4ab72d6f WW |
32 | return 0; |
| 33 | } | |
| 34 | ||
| e8e42b31 | 35 | if (access(IMA_SECFS_POLICY, W_OK) < 0) { |
| b435812c | 36 | log_warning_errno(errno, "Another IMA custom policy has already been loaded, ignoring: %m"); |
| e8e42b31 SB |
37 | return 0; |
| 38 | } | |
| 39 | ||
| a2c74c0c | 40 | if (access(IMA_POLICY_PATH, F_OK) < 0) { |
| b435812c | 41 | log_debug_errno(errno, "No IMA custom policy file "IMA_POLICY_PATH", ignoring: %m"); |
| a2c74c0c BG |
42 | return 0; |
| 43 | } | |
| 44 | ||
| e8e42b31 SB |
45 | imafd = open(IMA_SECFS_POLICY, O_WRONLY|O_CLOEXEC); |
| 46 | if (imafd < 0) { | |
| 47 | log_error_errno(errno, "Failed to open the IMA kernel interface "IMA_SECFS_POLICY", ignoring: %m"); | |
| 48 | return 0; | |
| 49 | } | |
| 50 | ||
| 51 | /* attempt to write the name of the policy file into sysfs file */ | |
| fbd0b64f | 52 | if (write(imafd, IMA_POLICY_PATH, STRLEN(IMA_POLICY_PATH)) > 0) |
| e8e42b31 SB |
53 | goto done; |
| 54 | ||
| 55 | /* fall back to copying the policy line-by-line */ | |
| 92994160 ZJS |
56 | input = fopen(IMA_POLICY_PATH, "re"); |
| 57 | if (!input) { | |
| a2c74c0c | 58 | log_warning_errno(errno, "Failed to open the IMA custom policy file "IMA_POLICY_PATH", ignoring: %m"); |
| 4ab72d6f WW |
59 | return 0; |
| 60 | } | |
| 61 | ||
| 1fb89422 | 62 | safe_close(imafd); |
| 4ab72d6f WW |
63 | |
| 64 | imafd = open(IMA_SECFS_POLICY, O_WRONLY|O_CLOEXEC); | |
| 65 | if (imafd < 0) { | |
| 4dfb1892 ZJS |
66 | log_error_errno(errno, "Failed to open the IMA kernel interface "IMA_SECFS_POLICY", ignoring: %m"); |
| 67 | return 0; | |
| 4ab72d6f WW |
68 | } |
| 69 | ||
| 2452419b LP |
70 | for (;;) { |
| 71 | _cleanup_free_ char *line = NULL; | |
| 92994160 | 72 | size_t len; |
| 116b6c86 | 73 | |
| 2452419b LP |
74 | r = read_line(input, LONG_LINE_MAX, &line); |
| 75 | if (r < 0) | |
| 76 | return log_error_errno(r, "Failed to read the IMA custom policy file "IMA_POLICY_PATH": %m"); | |
| 77 | if (r == 0) | |
| 78 | break; | |
| 79 | ||
| 92994160 ZJS |
80 | len = strlen(line); |
| 81 | lineno++; | |
| 116b6c86 | 82 | |
| 92994160 ZJS |
83 | if (len > 0 && write(imafd, line, len) < 0) |
| 84 | return log_error_errno(errno, "Failed to load the IMA custom policy file "IMA_POLICY_PATH"%u: %m", | |
| 85 | lineno); | |
| 86 | } | |
| 4ab72d6f | 87 | |
| e8e42b31 | 88 | done: |
| 92994160 | 89 | log_info("Successfully loaded the IMA custom policy "IMA_POLICY_PATH"."); |
| 392fd235 | 90 | #endif /* ENABLE_IMA */ |
| 92994160 | 91 | return 0; |
| 81611586 | 92 | } |