[thirdparty/systemd.git] / src / core / ima-setup.c

/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/

/***
  This file is part of systemd.

  Copyright 2010 Lennart Poettering
  Copyright (C) 2012 Roberto Sassu - Politecnico di Torino, Italy
                                     TORSEC group -- http://security.polito.it

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include <unistd.h>
#include <errno.h>

#include "ima-setup.h"
#include "util.h"
#include "log.h"

#define IMA_SECFS_DIR "/sys/kernel/security/ima"
#define IMA_SECFS_POLICY IMA_SECFS_DIR "/policy"
#define IMA_POLICY_PATH "/etc/ima/ima-policy"

int ima_setup(void) {
#ifdef HAVE_IMA
        _cleanup_fclose_ FILE *input = NULL;
        _cleanup_close_ int imafd = -1;
        unsigned lineno = 0;
        char line[page_size()];

        if (access(IMA_SECFS_DIR, F_OK) < 0) {
                log_debug("IMA support is disabled in the kernel, ignoring.");
                return 0;
        }

        input = fopen(IMA_POLICY_PATH, "re");
        if (!input) {
                log_full_errno(errno == ENOENT ? LOG_DEBUG : LOG_WARNING, errno,
                               "Failed to open the IMA custom policy file "IMA_POLICY_PATH", ignoring: %m");
                return 0;
        }

        if (access(IMA_SECFS_POLICY, F_OK) < 0) {
                log_warning("Another IMA custom policy has already been loaded, ignoring.");
                return 0;
        }

        imafd = open(IMA_SECFS_POLICY, O_WRONLY|O_CLOEXEC);
        if (imafd < 0) {
                log_error_errno(errno, "Failed to open the IMA kernel interface "IMA_SECFS_POLICY", ignoring: %m");
                return 0;
        }

        FOREACH_LINE(line, input,
                     return log_error_errno(errno, "Failed to read the IMA custom policy file "IMA_POLICY_PATH": %m")) {
                size_t len;

                len = strlen(line);
                lineno++;

                if (len > 0 && write(imafd, line, len) < 0)
                        return log_error_errno(errno, "Failed to load the IMA custom policy file "IMA_POLICY_PATH"%u: %m",
                                               lineno);
        }

        log_info("Successfully loaded the IMA custom policy "IMA_POLICY_PATH".");
#endif /* HAVE_IMA */
        return 0;
}
Commit	Line	Data
81611586 RS	1	/-- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil --/
	2
	3	/***
	4	This file is part of systemd.
	5
	6	Copyright 2010 Lennart Poettering
	7	Copyright (C) 2012 Roberto Sassu - Politecnico di Torino, Italy
	8	TORSEC group -- http://security.polito.it
	9
	10	systemd is free software; you can redistribute it and/or modify it
5430f7f2 LP	11	under the terms of the GNU Lesser General Public License as published by
5430f7f2 LP	12	the Free Software Foundation; either version 2.1 of the License, or
81611586 RS	13	(at your option) any later version.
	14
	15	systemd is distributed in the hope that it will be useful, but
	16	WITHOUT ANY WARRANTY; without even the implied warranty of
	17	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5430f7f2	18	Lesser General Public License for more details.
81611586	19
5430f7f2	20	You should have received a copy of the GNU Lesser General Public License
81611586 RS	21	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	22	***/
	23
	24	#include <unistd.h>
81611586	25	#include <errno.h>
81611586 RS	26
81611586 RS	27	#include "ima-setup.h"
81611586 RS	28	#include "util.h"
81611586 RS	29	#include "log.h"
81611586 RS	30
	31	#define IMA_SECFS_DIR "/sys/kernel/security/ima"
	32	#define IMA_SECFS_POLICY IMA_SECFS_DIR "/policy"
	33	#define IMA_POLICY_PATH "/etc/ima/ima-policy"
	34
	35	int ima_setup(void) {
81611586	36	#ifdef HAVE_IMA
92994160 ZJS	37	_cleanup_fclose_ FILE *input = NULL;
	38	_cleanup_close_ int imafd = -1;
	39	unsigned lineno = 0;
	40	char line[page_size()];
4ab72d6f	41
4dfb1892	42	if (access(IMA_SECFS_DIR, F_OK) < 0) {
4ab72d6f WW	43	log_debug("IMA support is disabled in the kernel, ignoring.");
	44	return 0;
	45	}
	46
92994160 ZJS	47	input = fopen(IMA_POLICY_PATH, "re");
92994160 ZJS	48	if (!input) {
4dfb1892 ZJS	49	log_full_errno(errno == ENOENT ? LOG_DEBUG : LOG_WARNING, errno,
4dfb1892 ZJS	50	"Failed to open the IMA custom policy file "IMA_POLICY_PATH", ignoring: %m");
4ab72d6f WW	51	return 0;
	52	}
	53
4dfb1892 ZJS	54	if (access(IMA_SECFS_POLICY, F_OK) < 0) {
4dfb1892 ZJS	55	log_warning("Another IMA custom policy has already been loaded, ignoring.");
4ab72d6f WW	56	return 0;
	57	}
	58
	59	imafd = open(IMA_SECFS_POLICY, O_WRONLY\|O_CLOEXEC);
	60	if (imafd < 0) {
4dfb1892 ZJS	61	log_error_errno(errno, "Failed to open the IMA kernel interface "IMA_SECFS_POLICY", ignoring: %m");
4dfb1892 ZJS	62	return 0;
4ab72d6f WW	63	}
4ab72d6f WW	64
92994160 ZJS	65	FOREACH_LINE(line, input,
	66	return log_error_errno(errno, "Failed to read the IMA custom policy file "IMA_POLICY_PATH": %m")) {
	67	size_t len;
116b6c86	68
92994160 ZJS	69	len = strlen(line);
92994160 ZJS	70	lineno++;
116b6c86	71
92994160 ZJS	72	if (len > 0 && write(imafd, line, len) < 0)
	73	return log_error_errno(errno, "Failed to load the IMA custom policy file "IMA_POLICY_PATH"%u: %m",
	74	lineno);
	75	}
4ab72d6f	76
92994160	77	log_info("Successfully loaded the IMA custom policy "IMA_POLICY_PATH".");
81611586	78	#endif /* HAVE_IMA */
92994160	79	return 0;
81611586	80	}