From: Roberto Sassu <roberto.sassu@huawei.com>
To: <zohar@linux.ibm.com>
Cc: <linux-integrity@vger.kernel.org>,
<linux-security-module@vger.kernel.org>,
<linux-kernel@vger.kernel.org>,
Roberto Sassu <roberto.sassu@huawei.com>
Subject: [PATCH 2/7] ima: Add meta_immutable appraisal type
Date: Fri, 9 Apr 2021 13:43:08 +0200 [thread overview]
Message-ID: <20210409114313.4073-3-roberto.sassu@huawei.com> (raw)
In-Reply-To: <20210409114313.4073-1-roberto.sassu@huawei.com>
Currently, IMA supports the appraise_type=imasig option in the policy to
require signed file content or metadata. This patch introduces the new
option appraise_type=meta_immutable to require that file metadata is also
immutable, i.e. it cannot have been produced by the system itself but only
from a vendor whose signing key is trusted by the kernel. Currently, this
requirement can be satisfied only by portable signatures.
The main purpose of this option is to ensure a proper label transition
during binary execution, when the target label depends on the label of the
binary being executed. Without it, an administrator might obtain a
different target label by changing the label of the executable.
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
Documentation/ABI/testing/ima_policy | 2 +-
security/integrity/ima/ima_appraise.c | 9 +++++++++
security/integrity/ima/ima_policy.c | 13 ++++++++++---
security/integrity/integrity.h | 1 +
4 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
index 070779e8d836..bc6597db7c78 100644
--- a/Documentation/ABI/testing/ima_policy
+++ b/Documentation/ABI/testing/ima_policy
@@ -42,7 +42,7 @@ Description:
fowner:= decimal value
lsm: are LSM specific
option:
- appraise_type:= [imasig] [imasig|modsig]
+ appraise_type:= [imasig] [imasig|modsig] [meta_immutable]
appraise_flag:= [check_blacklist]
Currently, blacklist check is only for files signed with appended
signature.
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 45e244fc2ef2..5814b8cbe86c 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -430,6 +430,15 @@ int ima_appraise_measurement(enum ima_hooks func,
WARN_ONCE(true, "Unexpected integrity status %d\n", status);
}
+ if ((iint->flags & IMA_META_IMMUTABLE_REQUIRED) &&
+ status != INTEGRITY_PASS_IMMUTABLE) {
+ status = INTEGRITY_FAIL;
+ cause = "metadata-modifiable";
+ integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode,
+ filename, op, cause, rc, 0);
+ goto out;
+ }
+
if (xattr_value)
rc = xattr_verify(func, iint, xattr_value, xattr_len, &status,
&cause);
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 4f8cb155e4fd..33b5133645b3 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -1079,7 +1079,8 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
return false;
if (entry->action != APPRAISE &&
- entry->flags & (IMA_DIGSIG_REQUIRED | IMA_MODSIG_ALLOWED | IMA_CHECK_BLACKLIST))
+ entry->flags & (IMA_DIGSIG_REQUIRED | IMA_MODSIG_ALLOWED |
+ IMA_CHECK_BLACKLIST | IMA_META_IMMUTABLE_REQUIRED))
return false;
/*
@@ -1109,7 +1110,8 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
IMA_UID | IMA_FOWNER | IMA_FSUUID |
IMA_INMASK | IMA_EUID | IMA_PCR |
IMA_FSNAME | IMA_DIGSIG_REQUIRED |
- IMA_PERMIT_DIRECTIO))
+ IMA_PERMIT_DIRECTIO |
+ IMA_META_IMMUTABLE_REQUIRED))
return false;
break;
@@ -1121,7 +1123,8 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
IMA_INMASK | IMA_EUID | IMA_PCR |
IMA_FSNAME | IMA_DIGSIG_REQUIRED |
IMA_PERMIT_DIRECTIO | IMA_MODSIG_ALLOWED |
- IMA_CHECK_BLACKLIST))
+ IMA_CHECK_BLACKLIST |
+ IMA_META_IMMUTABLE_REQUIRED))
return false;
break;
@@ -1495,6 +1498,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
strcmp(args[0].from, "imasig|modsig") == 0)
entry->flags |= IMA_DIGSIG_REQUIRED |
IMA_MODSIG_ALLOWED;
+ else if (strcmp(args[0].from, "meta_immutable") == 0)
+ entry->flags |= IMA_META_IMMUTABLE_REQUIRED;
else
result = -EINVAL;
break;
@@ -1850,6 +1855,8 @@ int ima_policy_show(struct seq_file *m, void *v)
}
if (entry->flags & IMA_CHECK_BLACKLIST)
seq_puts(m, "appraise_flag=check_blacklist ");
+ if (entry->flags & IMA_META_IMMUTABLE_REQUIRED)
+ seq_puts(m, "appraise_type=meta_immutable ");
if (entry->flags & IMA_PERMIT_DIRECTIO)
seq_puts(m, "permit_directio ");
rcu_read_unlock();
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 547425c20e11..be501a63ae30 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -39,6 +39,7 @@
#define IMA_FAIL_UNVERIFIABLE_SIGS 0x10000000
#define IMA_MODSIG_ALLOWED 0x20000000
#define IMA_CHECK_BLACKLIST 0x40000000
+#define IMA_META_IMMUTABLE_REQUIRED 0x80000000
#define IMA_DO_MASK (IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \
IMA_HASH | IMA_APPRAISE_SUBMASK)
--
2.26.2
next prev parent reply other threads:[~2021-04-09 11:43 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-09 11:43 [PATCH 0/7] ima/evm: Small enhancements Roberto Sassu
2021-04-09 11:43 ` [PATCH 1/7] ima: Avoid measurement and audit if access to the file will be denied Roberto Sassu
2021-04-09 11:43 ` Roberto Sassu [this message]
2021-04-09 11:43 ` [PATCH 3/7] ima: Introduce exec_tcb and tmpfs policies Roberto Sassu
2021-04-09 11:43 ` [PATCH 4/7] ima: Introduce appraise_exec_tcb and appraise_tmpfs policies Roberto Sassu
2021-04-09 11:43 ` [PATCH 5/7] ima: Introduce appraise_exec_immutable policy Roberto Sassu
2021-04-09 11:43 ` [PATCH 6/7] evm: Allow choice of hash algorithm for HMAC Roberto Sassu
2021-04-09 11:43 ` [PATCH 7/7] evm: Extend evm= with allow_metadata_writes and complete values Roberto Sassu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210409114313.4073-3-roberto.sassu@huawei.com \
--to=roberto.sassu@huawei.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).