From: "Serge E. Hallyn" <serge@hallyn.com>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-fsdevel@vger.kernel.org, Miklos Szeredi <miklos@szeredi.hu>,
Seth Forshee <seth.forshee@canonical.com>,
"Eric W . Biederman" <ebiederm@xmission.com>,
Dongsu Park <dongsu@kinvolk.io>, Alban Crequy <alban@kinvolk.io>,
"Serge E . Hallyn" <serge@hallyn.com>
Subject: Re: [PATCH v2 3/4] ima: fail signature verification based on policy
Date: Tue, 27 Feb 2018 16:35:45 -0600 [thread overview]
Message-ID: <20180227223545.GB18767@mail.hallyn.com> (raw)
In-Reply-To: <1519335184-17808-4-git-send-email-zohar@linux.vnet.ibm.com>
Quoting Mimi Zohar (zohar@linux.vnet.ibm.com):
> This patch addresses the fuse privileged mounted filesystems in
> environments which are unwilling to accept the risk of trusting the
> signature verification and want to always fail safe, but are for
> example using a pre-built kernel.
>
> This patch defines a new builtin policy "unverifiable_sigs", which can
How about recalc_unverifiable_sigs? It's long, but unverifiable_sigs
is not clear about whether the intent is to accept or recalculate them.
(or fail_unverifiable_sigs like the flag)
> be specified on the boot command line as an argument to "ima_policy=".
>
> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
> Cc: Miklos Szeredi <miklos@szeredi.hu>
> Cc: Seth Forshee <seth.forshee@canonical.com>
> Cc: Eric W. Biederman <ebiederm@xmission.com>
> Cc: Dongsu Park <dongsu@kinvolk.io>
> Cc: Alban Crequy <alban@kinvolk.io>
> Cc: Serge E. Hallyn <serge@hallyn.com>
>
> Changelog v2:
> - address the fail safe environement
> ---
> Documentation/admin-guide/kernel-parameters.txt | 8 +++++++-
> security/integrity/ima/ima_appraise.c | 10 ++++++----
> security/integrity/ima/ima_main.c | 3 ++-
> security/integrity/ima/ima_policy.c | 5 +++++
> security/integrity/integrity.h | 1 +
> 5 files changed, 21 insertions(+), 6 deletions(-)
>
> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> index 1d1d53f85ddd..c655cd8dbaa0 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -1525,7 +1525,8 @@
>
> ima_policy= [IMA]
> The builtin policies to load during IMA setup.
> - Format: "tcb | appraise_tcb | secure_boot"
> + Format: "tcb | appraise_tcb | secure_boot |
> + unverifiable_sigs"
>
> The "tcb" policy measures all programs exec'd, files
> mmap'd for exec, and all files opened with the read
> @@ -1540,6 +1541,11 @@
> of files (eg. kexec kernel image, kernel modules,
> firmware, policy, etc) based on file signatures.
>
> + The "unverifiable_sigs" policy forces file signature
> + verification failure on privileged mounted
> + filesystems with the SB_I_UNVERIFIABLE_SIGNATURE
> + flag.
> +
> ima_tcb [IMA] Deprecated. Use ima_policy= instead.
> Load a policy which meets the needs of the Trusted
> Computing Base. This means IMA will measure all
> diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
> index f34901069e78..3034935e1eb3 100644
> --- a/security/integrity/ima/ima_appraise.c
> +++ b/security/integrity/ima/ima_appraise.c
> @@ -304,11 +304,13 @@ int ima_appraise_measurement(enum ima_hooks func,
> out:
> /*
> * File signatures on some filesystems can not be properly verified.
> - * On these filesytems, that are mounted by an untrusted mounter,
> - * fail the file signature verification.
> + * On these filesytems, that are mounted by an untrusted mounter or
> + * for systems not willing to accept the risk, fail the file signature
> + * verification.
> */
> - if (inode->i_sb->s_iflags &
> - (SB_I_IMA_UNVERIFIABLE_SIGNATURE | SB_I_UNTRUSTED_MOUNTER)) {
> + if ((inode->i_sb->s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE) &&
> + ((inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER) ||
> + (iint->flags & IMA_FAIL_UNVERIFIABLE_SIGS))) {
> status = INTEGRITY_FAIL;
> cause = "unverifiable-signature";
> integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index f550f25294a3..5d122daf5c8a 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -238,7 +238,8 @@ static int process_measurement(struct file *file, const struct cred *cred,
> */
> if (test_and_clear_bit(IMA_CHANGE_XATTR, &iint->atomic_flags) ||
> ((inode->i_sb->s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE) &&
> - !(inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER))) {
> + !(inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER) &&
> + !(action & IMA_FAIL_UNVERIFIABLE_SIGS))) {
> iint->flags &= ~IMA_DONE_MASK;
> iint->measured_pcrs = 0;
> }
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index e3da29af2c16..ead3f7fe6998 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -188,6 +188,7 @@ __setup("ima_tcb", default_measure_policy_setup);
>
> static bool ima_use_appraise_tcb __initdata;
> static bool ima_use_secure_boot __initdata;
> +static bool ima_fail_unverifiable_sigs __ro_after_init;
> static int __init policy_setup(char *str)
> {
> char *p;
> @@ -201,6 +202,8 @@ static int __init policy_setup(char *str)
> ima_use_appraise_tcb = true;
> else if (strcmp(p, "secure_boot") == 0)
> ima_use_secure_boot = true;
> + else if (strcmp(p, "unverifiable_sigs") == 0)
> + ima_fail_unverifiable_sigs = true;
> }
>
> return 1;
> @@ -390,6 +393,8 @@ int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid,
> if (entry->action & IMA_APPRAISE) {
> action |= get_subaction(entry, func);
> action ^= IMA_HASH;
> + if (ima_fail_unverifiable_sigs)
> + action |= IMA_FAIL_UNVERIFIABLE_SIGS;
> }
>
> if (entry->action & IMA_DO_MASK)
> diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
> index 843ae23ba0ac..8224880935e0 100644
> --- a/security/integrity/integrity.h
> +++ b/security/integrity/integrity.h
> @@ -35,6 +35,7 @@
> #define IMA_PERMIT_DIRECTIO 0x02000000
> #define IMA_NEW_FILE 0x04000000
> #define EVM_IMMUTABLE_DIGSIG 0x08000000
> +#define IMA_FAIL_UNVERIFIABLE_SIGS 0x10000000
>
> #define IMA_DO_MASK (IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \
> IMA_HASH | IMA_APPRAISE_SUBMASK)
> --
> 2.7.5
next prev parent reply other threads:[~2018-02-27 22:35 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-22 21:33 [PATCH v2 0/4] ima: unverifiable file signatures Mimi Zohar
2018-02-22 21:33 ` [PATCH v2 1/4] ima: fail file signature verification on non-init mounted filesystems Mimi Zohar
2018-02-27 1:47 ` Eric W. Biederman
2018-02-27 15:33 ` Mimi Zohar
2018-02-22 21:33 ` [PATCH v2 2/4] ima: re-evaluate files on privileged " Mimi Zohar
2018-02-22 21:33 ` [PATCH v2 3/4] ima: fail signature verification based on policy Mimi Zohar
2018-02-27 22:35 ` Serge E. Hallyn [this message]
2018-02-28 11:38 ` Mimi Zohar
2018-02-28 15:30 ` Serge E. Hallyn
2018-03-02 21:10 ` Mimi Zohar
2018-02-22 21:33 ` [PATCH v2 4/4] fuse: define the filesystem as untrusted Mimi Zohar
2018-02-23 4:00 ` [PATCH v2 0/4] ima: unverifiable file signatures James Morris
2018-02-27 2:08 ` Eric W. Biederman
2018-02-27 16:17 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180227223545.GB18767@mail.hallyn.com \
--to=serge@hallyn.com \
--cc=alban@kinvolk.io \
--cc=dongsu@kinvolk.io \
--cc=ebiederm@xmission.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=seth.forshee@canonical.com \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).