From: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
To: Stephen Smalley <stephen.smalley.work@gmail.com>
Cc: Mimi Zohar <zohar@linux.ibm.com>,
Casey Schaufler <casey@schaufler-ca.com>,
James Morris <jmorris@namei.org>,
linux-integrity@vger.kernel.org,
SElinux list <selinux@vger.kernel.org>,
LSM List <linux-security-module@vger.kernel.org>,
linux-kernel <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v3 4/5] LSM: Define SELinux function to measure security state
Date: Mon, 20 Jul 2020 10:34:06 -0700 [thread overview]
Message-ID: <bea0cb52-2e13-fb14-b66c-b57287c23c3f@linux.microsoft.com> (raw)
In-Reply-To: <CAEjxPJ7VH18bEo6+U1GWrx=tHVGr=6XtF5_ygcfQYgdtZ74J+g@mail.gmail.com>
On 7/20/20 10:06 AM, Stephen Smalley wrote:
>> The above will ensure the following sequence will be measured:
>> #1 State A - Measured
>> #2 Change from State A to State B - Measured
>> #3 Change from State B back to State A - Since the measured data is
>> same as in #1, the change will be measured only if the event name is
>> different between #1 and #3
>
> Perhaps the timestamp / sequence number should be part of the hashed
> data instead of the event name?
If the timestamp/seqno is part of the hashed data, on every call to
measure IMA will add a new entry in the IMA log. This would fill up the
IMA log - even when there is no change in the measured data.
To avoid that I keep the last measurement in SELinux and measure only
when there is a change with the timestamp in the event name.
> I can see the appraiser wanting to know two things:
> 1) The current state of the system (e.g. is it enforcing, is the
> currently loaded policy the expected one?).
> 2) Has the system ever been in an unexpected state (e.g. was it
> temporarily switched to permissive or had an unexpected policy
> loaded?)
Yes - you are right.
The appraiser will have to look at the entire IMA log (and the
corresponding TPM PCR data) to know the above.
Time t0 => State of the system measured
Time tn => State changed and the new state measured
Time tm => State changed again and the new state measured.
Say, the measurement at "Time tn" was an illegal change, the appraiser
would know.
>
> I applied the patch series on top of the next-integrity branch, added
> measure func=LSM_STATE to ima-policy, and booted that kernel. I get
> the following entries in ascii_runtime_measurements, but seemingly
> missing the final field:
>
> 10 8a09c48af4f8a817f59b495bd82971e096e2e367 ima-ng
> sha256:21c3d7b09b62b4d0b3ed15ba990f816b94808f90b76787bfae755c4b3a44cd24
> selinux-state
> 10 e610908931d70990a2855ddb33c16af2d82ce56a ima-ng
> sha256:c8898652afd5527ef4eaf8d85f5fee1d91fcccee34bc97f6e55b96746bedb318
> selinux-policy-hash
>
> Thus, I cannot verify. What am I missing?
>
Looks like the template used is ima-ng which doesn't include the
measured buffer. Please set template to "ima-buf" in the policy.
For example,
measure func=LSM_STATE template=ima-buf
thanks,
-lakshmi
next prev parent reply other threads:[~2020-07-20 17:34 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-17 22:28 [PATCH v3 0/5] LSM: Measure security module state Lakshmi Ramasubramanian
2020-07-17 22:28 ` [PATCH v3 1/5] IMA: Add LSM_STATE func to measure LSM data Lakshmi Ramasubramanian
2020-07-17 22:28 ` [PATCH v3 2/5] IMA: Define an IMA hook " Lakshmi Ramasubramanian
2020-07-17 22:28 ` [PATCH v3 3/5] LSM: Add security_measure_data in lsm_info struct Lakshmi Ramasubramanian
2020-07-17 22:28 ` [PATCH v3 4/5] LSM: Define SELinux function to measure security state Lakshmi Ramasubramanian
2020-07-18 3:14 ` kernel test robot
2020-07-18 3:14 ` kernel test robot
2020-07-20 2:04 ` Lakshmi Ramasubramanian
2020-07-18 3:38 ` kernel test robot
2020-07-18 3:38 ` kernel test robot
2020-07-18 15:31 ` kernel test robot
2020-07-18 15:31 ` kernel test robot
2020-07-18 15:31 ` [RFC PATCH] LSM: security_read_selinux_policy() can be static kernel test robot
2020-07-18 15:31 ` kernel test robot
2020-07-20 14:31 ` [PATCH v3 4/5] LSM: Define SELinux function to measure security state Stephen Smalley
2020-07-20 15:17 ` Lakshmi Ramasubramanian
2020-07-20 17:06 ` Stephen Smalley
2020-07-20 17:26 ` Mimi Zohar
2020-07-20 17:34 ` Lakshmi Ramasubramanian [this message]
2020-07-20 17:40 ` Stephen Smalley
2020-07-20 17:49 ` Stephen Smalley
2020-07-20 18:27 ` Lakshmi Ramasubramanian
2020-07-20 18:44 ` Stephen Smalley
2020-07-20 18:59 ` Lakshmi Ramasubramanian
2020-07-17 22:28 ` [PATCH v3 5/5] LSM: Define workqueue for measuring security module state Lakshmi Ramasubramanian
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bea0cb52-2e13-fb14-b66c-b57287c23c3f@linux.microsoft.com \
--to=nramas@linux.microsoft.com \
--cc=casey@schaufler-ca.com \
--cc=jmorris@namei.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=selinux@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.