From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: linux-security-module@vger.kernel.org,
	linux-fsdevel@vger.kernel.org,
	Mimi Zohar <zohar@linux.vnet.ibm.com>,
	Miklos Szeredi <miklos@szeredi.hu>,
	Seth Forshee <seth.forshee@canonical.com>,
	"Eric W . Biederman" <ebiederm@xmission.com>,
	Dongsu Park <dongsu@kinvolk.io>, Alban Crequy <alban@kinvolk.io>,
	"Serge E . Hallyn" <serge@hallyn.com>
Subject: [PATCH v1 1/2] ima: fail signature verification on untrusted filesystems
Date: Mon, 19 Feb 2018 10:18:02 -0500	[thread overview]
Message-ID: <1519053483-18396-2-git-send-email-zohar@linux.vnet.ibm.com> (raw)
In-Reply-To: <1519053483-18396-1-git-send-email-zohar@linux.vnet.ibm.com>

Files on untrusted filesystems, such as fuse, can change at any time,
making the measurement(s) and by extension signature verification
meaningless.

FUSE can be mounted by unprivileged users either today with fusermount
installed with setuid, or soon with the upcoming patches to allow FUSE
mounts in a non-init user namespace.

This patch differentiates between the new unprivileged non-init mounted
filesystems and everything else, by always failing file signature
verification on unprivileged non-init mounted untrusted filesystems, but
only failing everything else based on policy to avoid breaking existing
systems.

This patch defines a new sb->s_iflags option named SB_I_IMA_UNTRUSTED_FS
and a new builtin IMA policy named "untrusted_fs".

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: Miklos Szeredi <miklos@szeredi.hu>
Cc: Seth Forshee <seth.forshee@canonical.com>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: Dongsu Park <dongsu@kinvolk.io>
Cc: Alban Crequy <alban@kinvolk.io>
Cc: Serge E. Hallyn <serge@hallyn.com>

---
Changelog v1:
- Merged the unprivileged and privileged patches.
- Dropped IMA fsname support.
- Introduced a new IMA builtin policy named "untrusted_fs".
- Replaced fs_type flag with sb->s_iflags flag.

 Documentation/admin-guide/kernel-parameters.txt |  6 +++++-
 include/linux/fs.h                              |  1 +
 security/integrity/ima/ima_appraise.c           | 16 +++++++++++++++-
 security/integrity/ima/ima_policy.c             |  5 +++++
 security/integrity/integrity.h                  |  1 +
 5 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index 90cefbddf1ed..f9eb24cea9a6 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -1522,7 +1522,7 @@
 
 	ima_policy=	[IMA]
 			The builtin policies to load during IMA setup.
-			Format: "tcb | appraise_tcb | secure_boot"
+			Format: "tcb | appraise_tcb | secure_boot | untrusted_fs"
 
 			The "tcb" policy measures all programs exec'd, files
 			mmap'd for exec, and all files opened with the read
@@ -1537,6 +1537,10 @@
 			of files (eg. kexec kernel image, kernel modules,
 			firmware, policy, etc) based on file signatures.
 
+			The "untrusted_fs" policy fails the file signature
+			verification on privileged mounted untrusted
+			filesystems.
+
 	ima_tcb		[IMA] Deprecated.  Use ima_policy= instead.
 			Load a policy which meets the needs of the Trusted
 			Computing Base.  This means IMA will measure all
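Review bot: the new "untrusted_fs" paragraph describes only the privileged-mount half of the behaviour. Per the commit message and the ima_appraise.c check (`s_user_ns != &init_user_ns`), files on untrusted filesystems mounted from a non-init user namespace fail signature verification whether or not this policy is given, and the policy itself only takes effect for files that already match an appraise rule, since the flag is only set under `if (entry->action & IMA_APPRAISE)`. Suggest stating both, e.g. "Untrusted filesystems (eg. FUSE) mounted in a non-init user namespace always fail appraisal; this policy extends the failure to privileged (init user namespace) mounts of such filesystems, for files covered by an appraise rule."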
diff --git a/include/linux/fs.h b/include/linux/fs.h
index 2a815560fda0..1d3fe0fe49ee 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -1320,6 +1320,7 @@ extern int send_sigurg(struct fown_struct *fown);
 
 /* sb->s_iflags to limit user namespace mounts */
 #define SB_I_USERNS_VISIBLE		0x00000010 /* fstype already mounted */
+#define SB_I_IMA_UNTRUSTED_FS	0x00000020 /* Kernel unaware of fs changes */
 
 /* Possible states of 'frozen' field */
 enum {
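Review bot: SB_I_IMA_UNTRUSTED_FS is added under the "sb->s_iflags to limit user namespace mounts" comment, which does not describe it (it is an appraisal hint consumed by IMA, not a mount restriction); give it its own comment line. Nothing in this patch sets the flag, so the comment or the commit message should say that a filesystem opts in by setting it on its superblock (patch 2/2 in this series does that for fuse, per the thread subject).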
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index f2803a40ff82..ebfeec9b579f 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -292,7 +292,20 @@ int ima_appraise_measurement(enum ima_hooks func,
 	}
 
 out:
-	if (status != INTEGRITY_PASS) {
+	/*
+	 * Files on both privileged and unprivileged mounted untrusted
+	 * filesystems (eg. FUSE) should fail signature verification, but
+	 * this might break existing systems.  Differentiate between the
+	 * new unprivileged non-init mounted filesystems and everything else.
+	 */
+	if ((inode->i_sb->s_iflags & SB_I_IMA_UNTRUSTED_FS) &&
+	    ((inode->i_sb->s_user_ns != &init_user_ns) ||
+	     (iint->flags & IMA_FAIL_UNTRUSTED_FS))) {
+		status = INTEGRITY_FAIL;
+		cause = "untrusted-filesystem";
+		integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
+				    op, cause, rc, 0);
+	} else if (status != INTEGRITY_PASS) {
 		if ((ima_appraise & IMA_APPRAISE_FIX) &&
 		    (!xattr_value ||
 		     xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
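Review bot: the `s_user_ns != &init_user_ns` test only catches superblocks created in a non-init user namespace, so the setuid fusermount case the commit message calls "unprivileged" (the helper performs the mount as root in the init user namespace) falls into the policy-gated `IMA_FAIL_UNTRUSTED_FS` branch and passes by default; either the commit message should say that today's fusermount mounts are covered only by the untrusted_fs policy, or the condition needs another discriminator. Also, the `rc` handed to integrity_audit_msg() here is whatever the preceding xattr read or hash comparison left behind rather than a description of this failure; consider passing a fixed error value such as -EACCES so the audit record is not misleading.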
@@ -309,6 +322,7 @@ int ima_appraise_measurement(enum ima_hooks func,
 	} else {
 		ima_cache_flags(iint, func);
 	}
+
 	ima_set_cache_status(iint, func, status);
 	return status;
 }
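Review bot: this hunk only inserts a blank line before ima_set_cache_status() and is unrelated to the change; drop it so the diff is limited to the functional change.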
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 915f5572c6ff..43fb05b9686d 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -188,6 +188,7 @@ __setup("ima_tcb", default_measure_policy_setup);
 
 static bool ima_use_appraise_tcb __initdata;
 static bool ima_use_secure_boot __initdata;
+static bool ima_fail_untrusted_fs __initdata;
 static int __init policy_setup(char *str)
 {
 	char *p;
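Review bot: `ima_fail_untrusted_fs` is declared __initdata, but the later ima_match_policy() hunk reads it at runtime on every policy match; __initdata storage is released after boot, so that read touches freed init memory, and modpost should warn about the reference from non-__init code. The neighbouring `ima_use_appraise_tcb` and `ima_use_secure_boot` are only safe as __initdata because they are consumed in __init ima_init_policy(). Drop the __initdata here (or use __ro_after_init).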
@@ -201,6 +202,8 @@ static int __init policy_setup(char *str)
 			ima_use_appraise_tcb = true;
 		else if (strcmp(p, "secure_boot") == 0)
 			ima_use_secure_boot = true;
+		else if (strcmp(p, "untrusted_fs") == 0)
+			ima_fail_untrusted_fs = true;
 	}
 
 	return 1;
@@ -385,6 +388,8 @@ int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,
 		if (entry->action & IMA_APPRAISE) {
 			action |= get_subaction(entry, func);
 			action ^= IMA_HASH;
+			if (ima_fail_untrusted_fs)
+				action |= IMA_FAIL_UNTRUSTED_FS;
 		}
 
 		if (entry->action & IMA_DO_MASK)
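Review bot: the toggle is a single boot-time global, yet it is OR'd into `action` for every matching appraise rule and then carried per inode in iint->flags, which spends an iint flag bit for information that is the same for every file. Once the variable is no longer __initdata, testing it directly in ima_appraise_measurement() next to the SB_I_IMA_UNTRUSTED_FS check is simpler and removes the need for IMA_FAIL_UNTRUSTED_FS; if the per-rule placement is intentional (so that only files matched by an appraise rule are affected), say so in the commit message.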
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 50a8e3365df7..f8fa60f560a6 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -35,6 +35,7 @@
 #define IMA_PERMIT_DIRECTIO	0x02000000
 #define IMA_NEW_FILE		0x04000000
 #define EVM_IMMUTABLE_DIGSIG	0x08000000
+#define IMA_FAIL_UNTRUSTED_FS	0x10000000
 
 #define IMA_DO_MASK		(IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \
 				 IMA_HASH | IMA_APPRAISE_SUBMASK)
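Review bot: IMA_FAIL_UNTRUSTED_FS is added to the iint flags block without a comment, unlike the sb flag; note that it is a policy action bit set in ima_match_policy() and tested in ima_appraise_measurement(). Also confirm that the mask process_measurement() applies when copying `action` into iint->flags (not visible in this patch) covers 0x10000000; otherwise the bit is set in the returned action but never reaches the `iint->flags & IMA_FAIL_UNTRUSTED_FS` test.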
-- 
2.7.5
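As an added example (not code from the patch, the series or the kernel tree), to make the "untrusted filesystem" notion concrete from user space: a small C program that walks records in the /proc/self/mountinfo format and lists the mount points whose filesystem type this series would treat as untrusted. The sample records are constructed. The set of fstypes ("fuse", "fuseblk" and the "fuse.<subtype>" form in which mountinfo reports a FUSE filesystem with a subtype) is an assumption, since which types patch 2/2 marks with SB_I_IMA_UNTRUSTED_FS is not shown on this page. mountinfo does not expose the superblock's user namespace, so the privileged/unprivileged half of the kernel check cannot be reproduced this way.

```c
/*
 * Added example, not part of the patch: list mounts whose filesystem type
 * this series would treat as untrusted, from records in the
 * /proc/self/mountinfo format (proc(5)).
 * Assumption: the fstypes marked SB_I_IMA_UNTRUSTED_FS are "fuse" and
 * "fuseblk"; mountinfo reports a FUSE fs with a subtype as "fuse.<subtype>".
 */
#include <stdio.h>
#include <string.h>

/* Returns 1 if fstype is in the assumed-untrusted set, else 0. */
int fstype_is_untrusted(const char *fstype)
{
	return strcmp(fstype, "fuse") == 0 ||
	       strcmp(fstype, "fuseblk") == 0 ||
	       strncmp(fstype, "fuse.", 5) == 0;
}

/*
 * Parse one record:
 *   id parent maj:min root mountpoint opts [optional...] - fstype source superopts
 * Parsing stops at end of line, so `line` may point into a larger buffer.
 * Copies the mount point (5th field) and the fstype (first token after the
 * "-" separator).  Returns 0 on success, -1 if the record is malformed or a
 * field does not fit.  Octal escapes in paths (e.g. "\040") are left as-is.
 */
int parse_mountinfo_line(const char *line, char *mountpoint, size_t mp_len,
			 char *fstype, size_t fs_len)
{
	const char *p = line;
	int field = 0, have_mp = 0, seen_sep = 0;

	for (;;) {
		size_t len;

		p += strspn(p, " \t");
		if (*p == '\0' || *p == '\n')
			break;
		len = strcspn(p, " \t\n");
		if (seen_sep) {
			if (len >= fs_len)
				return -1;
			memcpy(fstype, p, len);
			fstype[len] = '\0';
			return have_mp ? 0 : -1;
		}
		if (field == 4) {
			if (len >= mp_len)
				return -1;
			memcpy(mountpoint, p, len);
			mountpoint[len] = '\0';
			have_mp = 1;
		} else if (len == 1 && *p == '-') {
			seen_sep = 1;
		}
		p += len;
		field++;
	}
	return -1;	/* no "-" separator or no mount point field */
}

/*
 * Scan a whole mountinfo buffer; store untrusted mount points in out[].
 * Returns the count, or -1 on a malformed record or when out[] is full.
 */
int find_untrusted_mounts(const char *mountinfo, char out[][256], int max)
{
	const char *p = mountinfo;
	int n = 0;

	while (*p) {
		char mp[256], fs[64];
		const char *nl = strchr(p, '\n');

		if (*p != '\n') {
			if (parse_mountinfo_line(p, mp, sizeof(mp), fs, sizeof(fs)) < 0)
				return -1;
			if (fstype_is_untrusted(fs)) {
				if (n == max)
					return -1;
				strcpy(out[n++], mp);
			}
		}
		if (!nl)
			break;
		p = nl + 1;
	}
	return n;
}

/* Constructed sample records in mountinfo format (not from a real host). */
const char sample_mountinfo[] =
	"22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro\n"
	"37 22 0:32 / /proc rw,nosuid,nodev,noexec shared:15 - proc proc rw\n"
	"91 22 0:45 / /home/user/mnt rw,nosuid,nodev,relatime - fuse.sshfs user@host:/ rw,user_id=1000,group_id=1000\n"
	"92 22 0:46 / /mnt/img rw,relatime - fuseblk /dev/loop0 rw,user_id=0,group_id=0\n"
	"93 22 0:47 / /tmp/ctr rw,relatime - fuse lxcfs rw,user_id=0,group_id=0\n";

int main(void)
{
	char out[8][256];
	int i, n = find_untrusted_mounts(sample_mountinfo, out, 8);

	for (i = 0; i < n; i++)
		printf("untrusted mount: %s\n", out[i]);
	return n < 0;
}
```

On a live system the same parser can be fed the contents of /proc/self/mountinfo; the mount point for a FUSE filesystem is what an IMA appraise rule would have to cover for the kernel-side check in this patch to matter, and any mount this program lists is one where, under the untrusted_fs policy, appraised files fail regardless of their signature.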

Thread overview: 48+ messages
2018-02-19 15:18 [PATCH v1 0/2] ima: untrusted filesystems Mimi Zohar
2018-02-19 15:18 ` [PATCH v1 1/2] ima: fail signature verification on untrusted filesystems Mimi Zohar [this message]
2018-02-19 21:47   ` Eric W. Biederman
2018-02-20  0:52     ` James Morris
2018-02-20  2:02       ` Eric W. Biederman
2018-02-20 14:02         ` Mimi Zohar
2018-02-20 20:16           ` Serge E. Hallyn
2018-02-21 14:46             ` Mimi Zohar
2018-02-21 22:46               ` Eric W. Biederman
2018-02-21 22:57                 ` Mimi Zohar
2018-02-21 23:12                   ` Eric W. Biederman
2018-02-21 23:32                     ` Mimi Zohar
2018-02-27  2:12                       ` Eric W. Biederman
2018-02-21 22:53           ` Eric W. Biederman
2018-02-21 23:03             ` Mimi Zohar
2018-02-19 22:50   ` kbuild test robot
2018-02-19 23:36   ` kbuild test robot
2018-02-19 15:18 ` [PATCH v1 2/2] fuse: define the filesystem as untrusted Mimi Zohar