* Behaviour regarding scripts when enforcing digital signatures
From: Matthias Gerstner @ 2017-10-20 15:28 UTC (permalink / raw)
  To: linux-integrity


* Re: Behaviour regarding scripts when enforcing digital signatures
From: Mimi Zohar @ 2017-10-23 10:22 UTC (permalink / raw)
  To: Matthias Gerstner, linux-integrity

On Fri, 2017-10-20 at 17:28 +0200, Matthias Gerstner wrote:
> Hi,
> 
> I'm currently experimenting with enforcing digital signatures for all
> root owned files and all files executed by root.
> 
> To achieve this I've created appropriate digital signatures in the
> security.ima attribute for all relevant files and loaded a policy like
> this:
> 
>     [default dont_appraise/dont_measure lines]
>     appraise func=BPRM_CHECK fowner=0 appraise_type=imasig
>     appraise func=FILE_MMAP fowner=0 mask=MAY_EXEC appraise_type=imasig
>     appraise func=MODULE_CHECK appraise_type=imasig
>     appraise func=FIRMWARE_CHECK appraise_type=imasig
> 
> This works fine so far and any files without a correct signature cannot
> be executed any more.
> 
> There is one issue with scripts, however. In practice scripts can
> always be executed even if they don't have digital signatures when they
> are passed explicitly to the interpreter like:
> 
>     /bin/bash /root/my_unsigned_script.sh
> 
> However, when executed implicitly via the shebang line, the execution
> will be prevented:
> 
>     $ /root/my_unsigned_script.sh
>     -bash: /root/my_unsigned_script.sh: Permission denied
> 
> I can see that preventing execution of unsigned scripts is difficult to
> achieve. However I'd like to make it possible to run scripts the usual
> way at least, without having to sign them or passing them to the
> interpreter explicitly. This way system administrators can write and
> handle custom scripts the way they are used to.
> 
> As far as I see it, allowing this is not possible at the moment given
> the currently available policy grammar. Can you confirm this?
> 
> Would it be possible to add this as a feature? I think the
> func=BPRM_CHECK could support an additional limiting condition.
> Something like:
> 
>     appraise func=BPRM_CHECK fowner=0 appraise_type=imasig permit_scripts
> 
> The code on the kernel side looks not like it would easily allow this,
> though. In search_binary_handler() the call to security_bprm_check() is
> made before we know which binfmt handler applies and whether we're
> dealing with a script. Maybe somebody does have additional thoughts on
> this anyways.

The same method that shebang uses for differentiating the interpreter
from the script could be used to implement "permit_scripts".  The
problem would be cleanly passing this information from the bprm_check
hook to process_measurement().

> Another question on a related topic: Is it possible to enforce a minimum
> key length and digest algorithm for signatures?

And the following question would be: is it possible to require
different keys for different IMA rules based on LSM labels?

The "Cryptography and key management" topic, which has been on the Linux
Security Summit CFP for the past two years, still needs to be
addressed.

Mimi

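An added illustration (not part of the thread, and not kernel code): a toy evaluator for the quoted policy lines that models how IMA matches `func`, `fowner` and `mask` against an event, reproducing why the shebang exec is denied while `/bin/bash script.sh` is not appraised. The `SIGNED` set and the script path are constructed; `FILE_CHECK` is the IMA hook for a plain open() for reading.

```python
POLICY = """
appraise func=BPRM_CHECK fowner=0 appraise_type=imasig
appraise func=FILE_MMAP fowner=0 mask=MAY_EXEC appraise_type=imasig
appraise func=MODULE_CHECK appraise_type=imasig
appraise func=FIRMWARE_CHECK appraise_type=imasig
"""
# Constructed: only the interpreter carries a valid security.ima signature.
SIGNED = {"/bin/bash"}

def parse_policy(text):
    """Turn 'action key=value ...' lines into (action, {key: value}) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            action, *conds = line.split()
            rules.append((action, dict(c.split("=", 1) for c in conds)))
    return rules

def matching_rule(rules, func, fowner, mask=None):
    """First rule whose func/fowner/mask conditions all hold, else None.
    Only the condition keys used in the quoted policy are modelled."""
    for action, cond in rules:
        if cond.get("func") != func:
            continue
        if "fowner" in cond and int(cond["fowner"]) != fowner:
            continue
        if "mask" in cond and cond["mask"] != mask:
            continue
        return action, cond
    return None

def appraise(rules, path, func, fowner, mask=None):
    """'denied' if an appraise rule matches and the file is unsigned,
    'allowed' if it matches and is signed, 'not appraised' otherwise."""
    hit = matching_rule(rules, func, fowner, mask)
    if hit is None or hit[0] != "appraise":
        return "not appraised"
    return "allowed" if path in SIGNED else "denied"

def run_via_shebang(rules, script="/root/my_unsigned_script.sh"):
    # exec() of the script itself: security_bprm_check() fires on the script
    # file (fowner 0, unsigned), so the BPRM_CHECK rule denies it.
    return appraise(rules, script, "BPRM_CHECK", 0)

def run_via_interpreter(rules, script="/root/my_unsigned_script.sh"):
    # exec() of /bin/bash with the script as argument: BPRM_CHECK fires on the
    # signed interpreter; bash then open()s the script for reading, which is a
    # FILE_CHECK event with MAY_READ that no rule in this policy matches.
    return (appraise(rules, "/bin/bash", "BPRM_CHECK", 0),
            appraise(rules, script, "FILE_CHECK", 0, "MAY_READ"))
```

Adding a `FILE_CHECK fowner=0 mask=MAY_READ` rule to the toy policy makes the second path fail too, which shows why the report calls blocking unsigned scripts hard: every root-owned read would then need a signature.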
