From: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
To: Paul Moore <paul@paul-moore.com>,
Tushar Sugandhi <tusharsu@linux.microsoft.com>
Cc: zohar@linux.ibm.com,
Stephen Smalley <stephen.smalley.work@gmail.com>,
casey@schaufler-ca.com, agk@redhat.com, snitzer@redhat.com,
gmazyland@gmail.com, tyhicks@linux.microsoft.com,
sashal@kernel.org, James Morris <jmorris@namei.org>,
linux-integrity@vger.kernel.org, selinux@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, dm-devel@redhat.com
Subject: Re: [PATCH v10 8/8] selinux: include a consumer of the new IMA critical data hook
Date: Tue, 12 Jan 2021 10:25:11 -0800 [thread overview]
Message-ID: <1b076701-3af8-6997-82ae-7196c263a7f4@linux.microsoft.com> (raw)
In-Reply-To: <CAHC9VhSJk0wG=WzO3bwsueiy19mMi9m6MamTrQfH8C=gXUtvGw@mail.gmail.com>
On 1/12/21 8:27 AM, Paul Moore wrote:
> On Thu, Jan 7, 2021 at 11:07 PM Tushar Sugandhi
> <tusharsu@linux.microsoft.com> wrote:
>> From: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
>>
>> SELinux stores the active policy in memory, so the changes to this data
>> at runtime would have an impact on the security guarantees provided
>> by SELinux. Measuring in-memory SELinux policy through IMA subsystem
>> provides a secure way for the attestation service to remotely validate
>> the policy contents at runtime.
>>
>> Measure the hash of the loaded policy by calling the IMA hook
>> ima_measure_critical_data(). Since the size of the loaded policy
>> can be large (several MB), measure the hash of the policy instead of
>> the entire policy to avoid bloating the IMA log entry.
>>
>> To enable SELinux data measurement, the following steps are required:
>>
>> 1, Add "ima_policy=critical_data" to the kernel command line arguments
>> to enable measuring SELinux data at boot time.
>> For example,
>> BOOT_IMAGE=/boot/vmlinuz-5.10.0-rc1+ root=UUID=fd643309-a5d2-4ed3-b10d-3c579a5fab2f ro nomodeset security=selinux ima_policy=critical_data
>>
>> 2, Add the following rule to /etc/ima/ima-policy
>> measure func=CRITICAL_DATA label=selinux
>>
>> Sample measurement of the hash of SELinux policy:
>>
>> To verify the measured data with the current SELinux policy run
>> the following commands and verify the output hash values match.
>>
>> sha256sum /sys/fs/selinux/policy | cut -d' ' -f 1
>>
>> grep "selinux-policy-hash" /sys/kernel/security/integrity/ima/ascii_runtime_measurements | tail -1 | cut -d' ' -f 6
>>
>> Note that the actual verification of SELinux policy would require loading
>> the expected policy into an identical kernel on a pristine/known-safe
>> system and run the sha256sum /sys/kernel/selinux/policy there to get
>> the expected hash.
>>
>> Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
>> Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
>> Reviewed-by: Tyler Hicks <tyhicks@linux.microsoft.com>
>> ---
>> Documentation/ABI/testing/ima_policy | 3 +-
>> security/selinux/Makefile | 2 +
>> security/selinux/ima.c | 64 ++++++++++++++++++++++++++++
>> security/selinux/include/ima.h | 24 +++++++++++
>> security/selinux/include/security.h | 3 +-
>> security/selinux/ss/services.c | 64 ++++++++++++++++++++++++----
>> 6 files changed, 149 insertions(+), 11 deletions(-)
>> create mode 100644 security/selinux/ima.c
>> create mode 100644 security/selinux/include/ima.h
>
> I remain concerned about the possibility of bypassing a measurement by
> tampering with the time, but I appear to be the only one who is
> worried about this so I'm not going to block this patch on those
> grounds.
>
> Acked-by: Paul Moore <paul@paul-moore.com>
Thanks Paul.
-lakshmi
WARNING: multiple messages have this Message-ID (diff)
From: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
To: Paul Moore <paul@paul-moore.com>,
Tushar Sugandhi <tusharsu@linux.microsoft.com>
Cc: sashal@kernel.org, dm-devel@redhat.com, snitzer@redhat.com,
selinux@vger.kernel.org,
Stephen Smalley <stephen.smalley.work@gmail.com>,
James Morris <jmorris@namei.org>,
zohar@linux.ibm.com, linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org,
tyhicks@linux.microsoft.com, casey@schaufler-ca.com,
linux-integrity@vger.kernel.org, gmazyland@gmail.com,
agk@redhat.com
Subject: Re: [dm-devel] [PATCH v10 8/8] selinux: include a consumer of the new IMA critical data hook
Date: Tue, 12 Jan 2021 10:25:11 -0800 [thread overview]
Message-ID: <1b076701-3af8-6997-82ae-7196c263a7f4@linux.microsoft.com> (raw)
In-Reply-To: <CAHC9VhSJk0wG=WzO3bwsueiy19mMi9m6MamTrQfH8C=gXUtvGw@mail.gmail.com>
On 1/12/21 8:27 AM, Paul Moore wrote:
> On Thu, Jan 7, 2021 at 11:07 PM Tushar Sugandhi
> <tusharsu@linux.microsoft.com> wrote:
>> From: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
>>
>> SELinux stores the active policy in memory, so the changes to this data
>> at runtime would have an impact on the security guarantees provided
>> by SELinux. Measuring in-memory SELinux policy through IMA subsystem
>> provides a secure way for the attestation service to remotely validate
>> the policy contents at runtime.
>>
>> Measure the hash of the loaded policy by calling the IMA hook
>> ima_measure_critical_data(). Since the size of the loaded policy
>> can be large (several MB), measure the hash of the policy instead of
>> the entire policy to avoid bloating the IMA log entry.
>>
>> To enable SELinux data measurement, the following steps are required:
>>
>> 1, Add "ima_policy=critical_data" to the kernel command line arguments
>> to enable measuring SELinux data at boot time.
>> For example,
>> BOOT_IMAGE=/boot/vmlinuz-5.10.0-rc1+ root=UUID=fd643309-a5d2-4ed3-b10d-3c579a5fab2f ro nomodeset security=selinux ima_policy=critical_data
>>
>> 2, Add the following rule to /etc/ima/ima-policy
>> measure func=CRITICAL_DATA label=selinux
>>
>> Sample measurement of the hash of SELinux policy:
>>
>> To verify the measured data with the current SELinux policy run
>> the following commands and verify the output hash values match.
>>
>> sha256sum /sys/fs/selinux/policy | cut -d' ' -f 1
>>
>> grep "selinux-policy-hash" /sys/kernel/security/integrity/ima/ascii_runtime_measurements | tail -1 | cut -d' ' -f 6
>>
>> Note that the actual verification of SELinux policy would require loading
>> the expected policy into an identical kernel on a pristine/known-safe
>> system and run the sha256sum /sys/kernel/selinux/policy there to get
>> the expected hash.
>>
>> Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
>> Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
>> Reviewed-by: Tyler Hicks <tyhicks@linux.microsoft.com>
>> ---
>> Documentation/ABI/testing/ima_policy | 3 +-
>> security/selinux/Makefile | 2 +
>> security/selinux/ima.c | 64 ++++++++++++++++++++++++++++
>> security/selinux/include/ima.h | 24 +++++++++++
>> security/selinux/include/security.h | 3 +-
>> security/selinux/ss/services.c | 64 ++++++++++++++++++++++++----
>> 6 files changed, 149 insertions(+), 11 deletions(-)
>> create mode 100644 security/selinux/ima.c
>> create mode 100644 security/selinux/include/ima.h
>
> I remain concerned about the possibility of bypassing a measurement by
> tampering with the time, but I appear to be the only one who is
> worried about this so I'm not going to block this patch on those
> grounds.
>
> Acked-by: Paul Moore <paul@paul-moore.com>
Thanks Paul.
-lakshmi
--
dm-devel mailing list
dm-devel@redhat.com
https://www.redhat.com/mailman/listinfo/dm-devel
next prev parent reply other threads:[~2021-01-12 18:26 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-08 4:07 [PATCH v10 0/8] IMA: support for measuring kernel integrity critical data Tushar Sugandhi
2021-01-08 4:07 ` [dm-devel] " Tushar Sugandhi
2021-01-08 4:07 ` [PATCH v10 1/8] IMA: generalize keyring specific measurement constructs Tushar Sugandhi
2021-01-08 4:07 ` [dm-devel] " Tushar Sugandhi
2021-01-08 4:07 ` [PATCH v10 2/8] IMA: add support to measure buffer data hash Tushar Sugandhi
2021-01-08 4:07 ` [dm-devel] " Tushar Sugandhi
2021-01-08 4:07 ` [PATCH v10 3/8] IMA: define a hook to measure kernel integrity critical data Tushar Sugandhi
2021-01-08 4:07 ` [dm-devel] " Tushar Sugandhi
2021-01-08 4:07 ` [PATCH v10 4/8] IMA: add policy rule to measure " Tushar Sugandhi
2021-01-08 4:07 ` [dm-devel] " Tushar Sugandhi
2021-01-08 4:07 ` [PATCH v10 5/8] IMA: limit critical data measurement based on a label Tushar Sugandhi
2021-01-08 4:07 ` [dm-devel] " Tushar Sugandhi
2021-01-14 2:09 ` Mimi Zohar
2021-01-14 2:09 ` [dm-devel] " Mimi Zohar
2021-01-14 17:57 ` Tushar Sugandhi
2021-01-14 17:57 ` [dm-devel] " Tushar Sugandhi
2021-01-08 4:07 ` [PATCH v10 6/8] IMA: extend critical data hook to limit the " Tushar Sugandhi
2021-01-08 4:07 ` [dm-devel] " Tushar Sugandhi
2021-01-08 4:07 ` [PATCH v10 7/8] IMA: define a builtin critical data measurement policy Tushar Sugandhi
2021-01-08 4:07 ` [dm-devel] " Tushar Sugandhi
2021-01-08 4:07 ` [PATCH v10 8/8] selinux: include a consumer of the new IMA critical data hook Tushar Sugandhi
2021-01-08 4:07 ` [dm-devel] " Tushar Sugandhi
2021-01-12 16:27 ` Paul Moore
2021-01-12 16:27 ` [dm-devel] " Paul Moore
2021-01-12 18:25 ` Lakshmi Ramasubramanian [this message]
2021-01-12 18:25 ` Lakshmi Ramasubramanian
2021-01-13 19:13 ` Mimi Zohar
2021-01-13 19:13 ` [dm-devel] " Mimi Zohar
2021-01-13 19:19 ` Paul Moore
2021-01-13 19:19 ` [dm-devel] " Paul Moore
2021-01-13 21:11 ` Mimi Zohar
2021-01-13 21:11 ` [dm-devel] " Mimi Zohar
2021-01-13 22:10 ` Paul Moore
2021-01-13 22:10 ` [dm-devel] " Paul Moore
2021-01-13 23:10 ` Mimi Zohar
2021-01-13 23:10 ` [dm-devel] " Mimi Zohar
2021-01-14 2:40 ` Paul Moore
2021-01-14 2:40 ` [dm-devel] " Paul Moore
2021-01-14 2:49 ` Mimi Zohar
2021-01-14 2:49 ` [dm-devel] " Mimi Zohar
2021-01-14 16:22 ` Lakshmi Ramasubramanian
2021-01-14 16:22 ` [dm-devel] " Lakshmi Ramasubramanian
2021-01-14 16:44 ` Mimi Zohar
2021-01-14 16:44 ` [dm-devel] " Mimi Zohar
2021-01-14 16:50 ` Mimi Zohar
2021-01-14 16:50 ` [dm-devel] " Mimi Zohar
2021-01-14 17:48 ` Lakshmi Ramasubramanian
2021-01-14 17:48 ` [dm-devel] " Lakshmi Ramasubramanian
2021-01-14 19:21 ` Lakshmi Ramasubramanian
2021-01-14 19:21 ` [dm-devel] " Lakshmi Ramasubramanian
2021-01-14 16:51 ` Paul Moore
2021-01-14 16:51 ` [dm-devel] " Paul Moore
2021-01-15 12:54 ` [PATCH v10 0/8] IMA: support for measuring kernel integrity critical data Mimi Zohar
2021-01-15 12:54 ` [dm-devel] " Mimi Zohar
2021-01-15 17:26 ` Tushar Sugandhi
2021-01-15 17:26 ` [dm-devel] " Tushar Sugandhi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1b076701-3af8-6997-82ae-7196c263a7f4@linux.microsoft.com \
--to=nramas@linux.microsoft.com \
--cc=agk@redhat.com \
--cc=casey@schaufler-ca.com \
--cc=dm-devel@redhat.com \
--cc=gmazyland@gmail.com \
--cc=jmorris@namei.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=sashal@kernel.org \
--cc=selinux@vger.kernel.org \
--cc=snitzer@redhat.com \
--cc=stephen.smalley.work@gmail.com \
--cc=tusharsu@linux.microsoft.com \
--cc=tyhicks@linux.microsoft.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.