|
 |
923a60 |
From 21559c09b39155d44f8997703a35211623a38689 Mon Sep 17 00:00:00 2001
|
|
|
923a60 |
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
|
|
|
923a60 |
Date: Mon, 1 Jun 2015 10:33:48 -0400
|
|
|
923a60 |
Subject: [PATCH] Partially revert "ma-setup: simplify"
|
|
|
923a60 |
|
|
|
923a60 |
copy_bytes() tries to do the write in chunks, but ima kernel code
|
|
|
923a60 |
needs every rule to be written in one write. Writing the whole file
|
|
|
923a60 |
at once avoids the issue.
|
|
|
923a60 |
|
|
|
923a60 |
http://lists.freedesktop.org/archives/systemd-devel/2015-June/032623.html
|
|
|
923a60 |
http://sourceforge.net/p/linux-ima/mailman/message/34145236/
|
|
|
923a60 |
https://bugzilla.redhat.com/show_bug.cgi?id=1226948
|
|
|
923a60 |
(cherry picked from commit 116b6c8687e1da25fcecf80ba6ac16866e308d50)
|
|
|
923a60 |
|
|
|
923a60 |
Cherry-picked from: 116b6c8
|
|
|
923a60 |
Resolves: #1222517
|
|
|
923a60 |
---
|
|
|
923a60 |
src/core/ima-setup.c | 15 +++++++++++++--
|
|
|
923a60 |
1 file changed, 13 insertions(+), 2 deletions(-)
|
|
|
923a60 |
|
|
|
923a60 |
diff --git a/src/core/ima-setup.c b/src/core/ima-setup.c
|
|
|
923a60 |
index 0e0d16a7c9..1d4acfa3b1 100644
|
|
|
923a60 |
--- a/src/core/ima-setup.c
|
|
|
923a60 |
+++ b/src/core/ima-setup.c
|
|
|
923a60 |
@@ -27,9 +27,10 @@
|
|
|
923a60 |
#include <sys/types.h>
|
|
|
923a60 |
#include <sys/stat.h>
|
|
|
923a60 |
#include <fcntl.h>
|
|
|
923a60 |
+#include <sys/stat.h>
|
|
|
923a60 |
+#include <sys/mman.h>
|
|
|
923a60 |
|
|
|
923a60 |
#include "ima-setup.h"
|
|
|
923a60 |
-#include "copy.h"
|
|
|
923a60 |
#include "util.h"
|
|
|
923a60 |
#include "log.h"
|
|
|
923a60 |
|
|
|
923a60 |
@@ -42,6 +43,8 @@ int ima_setup(void) {
|
|
|
923a60 |
|
|
|
923a60 |
#ifdef HAVE_IMA
|
|
|
923a60 |
_cleanup_close_ int policyfd = -1, imafd = -1;
|
|
|
923a60 |
+ struct stat st;
|
|
|
923a60 |
+ char *policy;
|
|
|
923a60 |
|
|
|
923a60 |
if (access(IMA_SECFS_DIR, F_OK) < 0) {
|
|
|
923a60 |
log_debug("IMA support is disabled in the kernel, ignoring.");
|
|
|
923a60 |
@@ -66,12 +69,20 @@ int ima_setup(void) {
|
|
|
923a60 |
return 0;
|
|
|
923a60 |
}
|
|
|
923a60 |
|
|
|
923a60 |
- r = copy_bytes(policyfd, imafd, (off_t) -1, false);
|
|
|
923a60 |
+ if (fstat(policyfd, &st) < 0)
|
|
|
923a60 |
+ return log_error_errno(errno, "Failed to fstat "IMA_POLICY_PATH": %m");
|
|
|
923a60 |
+
|
|
|
923a60 |
+ policy = mmap(NULL, st.st_size, PROT_READ, MAP_PRIVATE, policyfd, 0);
|
|
|
923a60 |
+ if (policy == MAP_FAILED)
|
|
|
923a60 |
+ return log_error_errno(errno, "Failed to mmap "IMA_POLICY_PATH": %m");
|
|
|
923a60 |
+
|
|
|
923a60 |
+ r = loop_write(imafd, policy, (size_t) st.st_size, false);
|
|
|
923a60 |
if (r < 0)
|
|
|
923a60 |
log_error_errno(r, "Failed to load the IMA custom policy file "IMA_POLICY_PATH": %m");
|
|
|
923a60 |
else
|
|
|
923a60 |
log_info("Successfully loaded the IMA custom policy "IMA_POLICY_PATH".");
|
|
|
923a60 |
|
|
|
923a60 |
+ munmap(policy, st.st_size);
|
|
|
923a60 |
#endif /* HAVE_IMA */
|
|
|
923a60 |
return r;
|
|
|
923a60 |
}
|