Bug 449080 - Loading new IMA policies fails with "write error: Invalid argument"
Status: RESOLVED FIXED
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: All Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
Reported: 2012-12-28 19:47 UTC by Sven Vermeulen (RETIRED)
Modified: 2012-12-29 14:56 UTC
Runtime testing required: ---
Description Sven Vermeulen (RETIRED) gentoo-dev 2012-12-28 19:47:01 UTC
When trying to load the default policy, it looks like the code only goes halfway through before returning with "cat: write error: Invalid argument"

dmesg shows:
"""
[   48.646410] type=1805 audit(1356723853.967:36): action="dont_measure" fsmagic="0x9fa0" res=1
[   48.646430] type=1805 audit(1356723853.967:37): action="dont_appraise" fsmagic="0x9fa0" res=1
[   48.646455] type=1805 audit(1356723853.967:38): action="dont_measure" fsmagic="0x62656572" res=1
[   48.646471] type=1805 audit(1356723853.967:39): action="dont_appraise" fsmagic="0x62656572" res=1
[   48.646496] type=1805 audit(1356723853.967:40): action="dont_measure" fsmagic="0x64626720" res=1
[   48.646512] type=1805 audit(1356723853.967:41): action="dont_appraise" fsmagic="0x64626720" res=1
[   48.646536] type=1805 audit(1356723853.967:42): action="dont_measure" fsmagic="0x01021994" res=1
[   48.646551] type=1805 audit(1356723853.967:43): action="dont_appraise" fsmagic="0x01021994" res=1
[   48.646577] type=1805 audit(1356723853.967:44): action="dont_measure" fsmagic="0x858458f6" res=1
[   48.646592] type=1805 audit(1356723853.967:45): action="dont_appraise" fsmagic="0x858458f6" res=1
"""

After this, nothing.

Currently used policy code:
"""
# Magics can be found in kernel/include/uapi/linux/magic.h
# Default can be found in security/integrity/ima/ima_policy.c
# PROC_SUPER_MAGIC = 0x9fa0
dont_measure fsmagic=0x9fa0
dont_appraise fsmagic=0x9fa0
# SYSFS_MAGIC = 0x62656572
dont_measure fsmagic=0x62656572
dont_appraise fsmagic=0x62656572
# DEBUGFS_MAGIC = 0x64626720
dont_measure fsmagic=0x64626720
dont_appraise fsmagic=0x64626720
# TMPFS_MAGIC = 0x01021994
dont_measure fsmagic=0x01021994
dont_appraise fsmagic=0x01021994
# RAMFS_MAGIC = 0x858458f6
dont_measure fsmagic=0x858458f6
dont_appraise fsmagic=0x858458f6
# DEVPTS_SUPER_MAGIC = 0x1cd1
dont_measure fsmagic=0x1cd1
dont_appraise fsmagic=0x1cd1
# BINFMTFS_MAGIC = 0x42494e4d
dont_measure fsmagic=0x42494e4d
dont_appraise fsmagic=0x42494e4d
# SECURITYFS_MAGIC = 0x73636673
dont_measure fsmagic=0x73636673
dont_appraise fsmagic=0x73636673
# SELINUX_MAGIC = 0xf97cff8c
dont_measure fsmagic=0xf97cff8c
dont_appraise fsmagic=0xf97cff8c
# CGROUP_SUPER_MAGIC = 0x27e0eb
dont_appraise fsmagic=0x27e0eb

dont_measure obj_type=logfile

measure func=FILE_MMAP mask=MAY_EXEC
measure func=BPRM_CHECK mask=MAY_EXEC
measure func=FILE_CHECK mask=MAY_READ uid=0
appraise fowner=0
"""

Except for the obj_type=logfile, this should be the default policy. I've tried removing the lines before and after the last one that got parsed (as well as the last one itself) to no avail.

Reproducible: Always
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-29 14:56:43 UTC
The problem was that the policy contains a blank line, which fails the in-kernel checks on the policy. Removing the blank lines works.

Documented in the ima-guide.xml.
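Added example, not from the bug report or from the Gentoo project: a POSIX shell helper that finds the blank lines the in-kernel policy parser rejects and loads a policy file through a single open of the securityfs node, reporting the source line number of any rule the kernel refuses. The sample policy, the function names and the default path /sys/kernel/security/ima/policy are assumptions made here; the report itself only shows the `cat` error.

```shell
#!/bin/sh
# Example helper (not part of the bug report): check and load an IMA policy.
# The kernel parser accepts '#' comment lines but rejects empty lines with
# EINVAL, which is what "cat: write error: Invalid argument" reports.

# Constructed sample: a trimmed copy of the policy from the report, with the
# blank lines that trigger the failure left in on purpose.
SAMPLE_POLICY='# PROC_SUPER_MAGIC = 0x9fa0
dont_measure fsmagic=0x9fa0
dont_appraise fsmagic=0x9fa0

dont_measure obj_type=logfile

measure func=BPRM_CHECK mask=MAY_EXEC
appraise fowner=0
'

# Report every blank or whitespace-only line with its line number.
# Returns 1 if any were found, 0 if the file has none.
find_blank_policy_lines() {
    awk '!NF { print FILENAME ":" NR ": blank line (rejected by the kernel parser)"; bad = 1 }
         END { exit bad }' "$1"
}

# Print the policy with blank (and whitespace-only) lines removed.
# Comment lines are kept because the kernel accepts them.
sanitize_ima_policy() {
    awk 'NF' "$1"
}

# Count rule lines: everything that is neither blank nor a comment.
count_ima_rules() {
    awk 'NF && $1 !~ /^#/ { n++ } END { print n + 0 }' "$1"
}

# Write the policy, minus blank lines, to $2 (default: the IMA securityfs
# node). Each rule is a separate write() on one open file descriptor:
# kernels of that era install the policy and remove the securityfs node
# when the file is closed, so the whole policy must go through one open.
# On the first rejected rule the original line number is reported.
load_ima_policy() {
    src=$1
    dst=${2:-/sys/kernel/security/ima/policy}
    awk 'NF { print NR "\t" $0 }' "$src" | {
        while IFS="$(printf '\t')" read -r lineno rule; do
            if ! printf '%s\n' "$rule"; then
                echo "$src:$lineno: rule rejected by kernel: $rule" >&2
                exit 1
            fi
        done
    } > "$dst"
}

# Demo on the constructed sample; writes only to a temporary file.
demo=$(mktemp)
printf '%s' "$SAMPLE_POLICY" > "$demo"
find_blank_policy_lines "$demo" \
    || echo "blank lines found; load_ima_policy \"$demo\" would skip them"
```

Usage on a real system is `load_ima_policy /etc/ima/ima_policy` (the path is an assumption) as root, after securityfs is mounted; running `find_blank_policy_lines` on the file first gives the line numbers to fix in the file itself, so the stored policy matches what the kernel loaded.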