All of lore.kernel.org
 help / color / mirror / Atom feed
From: Roberto Sassu <roberto.sassu@huawei.com>
To: <zohar@linux.ibm.com>
Cc: <linux-integrity@vger.kernel.org>,
	<linux-security-module@vger.kernel.org>,
	<linux-kernel@vger.kernel.org>,
	Roberto Sassu <roberto.sassu@huawei.com>
Subject: [PATCH 5/7] ima: Introduce appraise_exec_immutable policy
Date: Fri, 9 Apr 2021 13:43:11 +0200	[thread overview]
Message-ID: <20210409114313.4073-6-roberto.sassu@huawei.com> (raw)
In-Reply-To: <20210409114313.4073-1-roberto.sassu@huawei.com>

This patch modifies the existing "appraise_exec_tcb" policy, by adding the
appraise_type=meta_immutable requirement for executed files. This policy
can be selected by specifying
ima_policy="appraise_exec_tcb|appraise_exec_immutable" in the kernel
command line.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
 Documentation/admin-guide/kernel-parameters.txt | 4 ++++
 security/integrity/ima/ima_policy.c             | 8 +++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index 93c5f78905e2..265f7657f59d 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -1780,6 +1780,10 @@
 			appraised (with imasig requirement) instead of files
 			owned by root.
 
+			The "appraise_exec_immutable" policy requires immutable
+			metadata for executed files, if the "appraise_exec_tcb"
+			policy is selected.
+
 			The "appraise_tmpfs" policy excludes the dont_appraise
 			rule for the tmpfs and ramfs filesystems for the
 			"appraise_tcb" and "appraise_exec_tcb" policies.
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index a45e494e06e8..6249817ebd04 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -243,6 +243,7 @@ __setup("ima_tcb", default_measure_policy_setup);
 static unsigned int ima_measure_skip_flags __initdata;
 static unsigned int ima_appraise_skip_flags __initdata;
 static bool ima_use_appraise_tcb __initdata;
+static bool ima_use_appraise_exec_immutable __initdata;
 static bool ima_use_secure_boot __initdata;
 static bool ima_use_critical_data __initdata;
 static bool ima_fail_unverifiable_sigs __ro_after_init;
@@ -267,7 +268,9 @@ static int __init policy_setup(char *str)
 		else if (strcmp(p, "appraise_exec_tcb") == 0) {
 			ima_use_appraise_tcb = true;
 			ima_appraise_skip_flags |= IMA_SKIP_OPEN;
-		} else if (strcmp(p, "secure_boot") == 0)
+		} else if (strcmp(p, "appraise_exec_immutable") == 0)
+			ima_use_appraise_exec_immutable = true;
+		else if (strcmp(p, "secure_boot") == 0)
 			ima_use_secure_boot = true;
 		else if (strcmp(p, "critical_data") == 0)
 			ima_use_critical_data = true;
@@ -913,6 +916,9 @@ void __init ima_init_policy(void)
 				  IMA_DEFAULT_POLICY, 0);
 	}
 
+	if (ima_use_appraise_exec_immutable)
+		appraise_exec_rules[0].flags |= IMA_META_IMMUTABLE_REQUIRED;
+
 	if (ima_use_critical_data)
 		add_rules(critical_data_rules,
 			  ARRAY_SIZE(critical_data_rules),
-- 
2.26.2


  parent reply	other threads:[~2021-04-09 11:45 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-04-09 11:43 [PATCH 0/7] ima/evm: Small enhancements Roberto Sassu
2021-04-09 11:43 ` [PATCH 1/7] ima: Avoid measurement and audit if access to the file will be denied Roberto Sassu
2021-04-09 11:43 ` [PATCH 2/7] ima: Add meta_immutable appraisal type Roberto Sassu
2021-04-09 11:43 ` [PATCH 3/7] ima: Introduce exec_tcb and tmpfs policies Roberto Sassu
2021-04-09 11:43 ` [PATCH 4/7] ima: Introduce appraise_exec_tcb and appraise_tmpfs policies Roberto Sassu
2021-04-09 11:43 ` Roberto Sassu [this message]
2021-04-09 11:43 ` [PATCH 6/7] evm: Allow choice of hash algorithm for HMAC Roberto Sassu
2021-04-09 11:43 ` [PATCH 7/7] evm: Extend evm= with allow_metadata_writes and complete values Roberto Sassu

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210409114313.4073-6-roberto.sassu@huawei.com \
    --to=roberto.sassu@huawei.com \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.