From: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
To: zohar@linux.ibm.com, linux-integrity@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, keyrings@vger.kernel.org
Subject: [PATCH v8 1/5] IMA: Add KEY_CHECK func to measure keys
Date: Mon, 18 Nov 2019 22:38:14 +0000 [thread overview]
Message-ID: <20191118223818.3353-2-nramas@linux.microsoft.com> (raw)
In-Reply-To: <20191118223818.3353-1-nramas@linux.microsoft.com>
Measure keys loaded onto any keyring.
This patch defines a new IMA policy func namely KEY_CHECK to
measure keys. Updated ima_match_rules() to check for KEY_CHECK
and ima_parse_rule() to handle KEY_CHECK.
Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
Cc: Sasha Levin <sashal@kernel.org>
Cc: James Morris <jamorris@linux.microsoft.com>
---
Documentation/ABI/testing/ima_policy | 7 ++++++-
security/integrity/ima/ima.h | 1 +
security/integrity/ima/ima_policy.c | 4 +++-
3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
index 29aaedf33246..3823c27894c5 100644
--- a/Documentation/ABI/testing/ima_policy
+++ b/Documentation/ABI/testing/ima_policy
@@ -29,7 +29,7 @@ Description:
base: func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]
[FIRMWARE_CHECK]
[KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
- [KEXEC_CMDLINE]
+ [KEXEC_CMDLINE] [KEY_CHECK]
mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
[[^]MAY_EXEC]
fsmagic:= hex value
@@ -113,3 +113,8 @@ Description:
Example of appraise rule allowing modsig appended signatures:
appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig
+
+ Example of measure rule using KEY_CHECK to measure all keys:
+
+ measure func=KEY_CHECK
+
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index df4ca482fb53..fe6c698617bd 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -193,6 +193,7 @@ static inline unsigned long ima_hash_key(u8 *digest)
hook(KEXEC_INITRAMFS_CHECK) \
hook(POLICY_CHECK) \
hook(KEXEC_CMDLINE) \
+ hook(KEY_CHECK) \
hook(MAX_CHECK)
#define __ima_hook_enumify(ENUM) ENUM,
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index f19a895ad7cd..1525a28fd705 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -373,7 +373,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
{
int i;
- if (func = KEXEC_CMDLINE) {
+ if ((func = KEXEC_CMDLINE) || (func = KEY_CHECK)) {
if ((rule->flags & IMA_FUNC) && (rule->func = func))
return true;
return false;
@@ -997,6 +997,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
entry->func = POLICY_CHECK;
else if (strcmp(args[0].from, "KEXEC_CMDLINE") = 0)
entry->func = KEXEC_CMDLINE;
+ else if (strcmp(args[0].from, "KEY_CHECK") = 0)
+ entry->func = KEY_CHECK;
else
result = -EINVAL;
if (!result)
--
2.17.1
WARNING: multiple messages have this Message-ID (diff)
From: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
To: zohar@linux.ibm.com, linux-integrity@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, keyrings@vger.kernel.org
Subject: [PATCH v8 1/5] IMA: Add KEY_CHECK func to measure keys
Date: Mon, 18 Nov 2019 14:38:14 -0800 [thread overview]
Message-ID: <20191118223818.3353-2-nramas@linux.microsoft.com> (raw)
In-Reply-To: <20191118223818.3353-1-nramas@linux.microsoft.com>
Measure keys loaded onto any keyring.
This patch defines a new IMA policy func namely KEY_CHECK to
measure keys. Updated ima_match_rules() to check for KEY_CHECK
and ima_parse_rule() to handle KEY_CHECK.
Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
Cc: Sasha Levin <sashal@kernel.org>
Cc: James Morris <jamorris@linux.microsoft.com>
---
Documentation/ABI/testing/ima_policy | 7 ++++++-
security/integrity/ima/ima.h | 1 +
security/integrity/ima/ima_policy.c | 4 +++-
3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
index 29aaedf33246..3823c27894c5 100644
--- a/Documentation/ABI/testing/ima_policy
+++ b/Documentation/ABI/testing/ima_policy
@@ -29,7 +29,7 @@ Description:
base: func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]
[FIRMWARE_CHECK]
[KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
- [KEXEC_CMDLINE]
+ [KEXEC_CMDLINE] [KEY_CHECK]
mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
[[^]MAY_EXEC]
fsmagic:= hex value
@@ -113,3 +113,8 @@ Description:
Example of appraise rule allowing modsig appended signatures:
appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig
+
+ Example of measure rule using KEY_CHECK to measure all keys:
+
+ measure func=KEY_CHECK
+
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index df4ca482fb53..fe6c698617bd 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -193,6 +193,7 @@ static inline unsigned long ima_hash_key(u8 *digest)
hook(KEXEC_INITRAMFS_CHECK) \
hook(POLICY_CHECK) \
hook(KEXEC_CMDLINE) \
+ hook(KEY_CHECK) \
hook(MAX_CHECK)
#define __ima_hook_enumify(ENUM) ENUM,
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index f19a895ad7cd..1525a28fd705 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -373,7 +373,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
{
int i;
- if (func == KEXEC_CMDLINE) {
+ if ((func == KEXEC_CMDLINE) || (func == KEY_CHECK)) {
if ((rule->flags & IMA_FUNC) && (rule->func == func))
return true;
return false;
@@ -997,6 +997,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
entry->func = POLICY_CHECK;
else if (strcmp(args[0].from, "KEXEC_CMDLINE") == 0)
entry->func = KEXEC_CMDLINE;
+ else if (strcmp(args[0].from, "KEY_CHECK") == 0)
+ entry->func = KEY_CHECK;
else
result = -EINVAL;
if (!result)
--
2.17.1
next prev parent reply other threads:[~2019-11-18 22:38 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-18 22:38 [PATCH v8 0/5] KEYS: Measure keys when they are created or updated Lakshmi Ramasubramanian
2019-11-18 22:38 ` Lakshmi Ramasubramanian
2019-11-18 22:38 ` Lakshmi Ramasubramanian [this message]
2019-11-18 22:38 ` [PATCH v8 1/5] IMA: Add KEY_CHECK func to measure keys Lakshmi Ramasubramanian
2019-11-18 22:38 ` [PATCH v8 2/5] IMA: Define an IMA hook " Lakshmi Ramasubramanian
2019-11-18 22:38 ` Lakshmi Ramasubramanian
2019-11-20 23:28 ` Eric Snowberg
2019-11-20 23:28 ` Eric Snowberg
2019-11-20 23:40 ` Lakshmi Ramasubramanian
2019-11-20 23:40 ` Lakshmi Ramasubramanian
2019-11-21 1:22 ` Mimi Zohar
2019-11-21 1:22 ` Mimi Zohar
2019-11-21 1:32 ` Lakshmi Ramasubramanian
2019-11-21 1:32 ` Lakshmi Ramasubramanian
2019-11-21 17:16 ` Lakshmi Ramasubramanian
2019-11-21 17:16 ` Lakshmi Ramasubramanian
2019-11-18 22:38 ` [PATCH v8 3/5] KEYS: Call the " Lakshmi Ramasubramanian
2019-11-18 22:38 ` Lakshmi Ramasubramanian
2019-11-19 1:18 ` Eric Snowberg
2019-11-19 1:18 ` Eric Snowberg
2019-11-19 1:58 ` Lakshmi Ramasubramanian
2019-11-19 1:58 ` Lakshmi Ramasubramanian
2019-11-18 22:38 ` [PATCH v8 4/5] IMA: Add support to limit measuring keys Lakshmi Ramasubramanian
2019-11-18 22:38 ` Lakshmi Ramasubramanian
2019-11-20 16:30 ` Validating key measurement Lakshmi Ramasubramanian
2019-11-20 23:19 ` [PATCH v8 4/5] IMA: Add support to limit measuring keys Mimi Zohar
2019-11-20 23:19 ` Mimi Zohar
2019-11-21 0:03 ` Lakshmi Ramasubramanian
2019-11-21 0:03 ` Lakshmi Ramasubramanian
2019-11-21 0:53 ` Mimi Zohar
2019-11-21 0:53 ` Mimi Zohar
2019-11-21 3:11 ` Lakshmi Ramasubramanian
2019-11-18 22:38 ` [PATCH v8 5/5] IMA: Read keyrings= option from the IMA policy Lakshmi Ramasubramanian
2019-11-18 22:38 ` Lakshmi Ramasubramanian
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191118223818.3353-2-nramas@linux.microsoft.com \
--to=nramas@linux.microsoft.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.