From: Stephen Smalley
Date: Sat, 11 Apr 2020 15:05:07 -0400
Subject: Re: [RFC] IMA: New IMA measurements for dm-crypt and selinux
To: Tushar Sugandhi
Cc: linux-integrity@vger.kernel.org, Mimi Zohar, LSM List, SELinux, dm-devel@redhat.com, James Morris, chpebeni@linux.microsoft.com, nramas@linux.microsoft.com, balajib@microsoft.com, sashal@kernel.org, suredd@microsoft.com
X-Mailing-List: linux-integrity@vger.kernel.org

On Wed, Apr 8, 2020 at 6:28 AM Tushar Sugandhi wrote:
> Measuring SELinux status and various SELinux policies can help ensure
> mandatory access control of the system is not compromised.
> B. Measuring selinux constructs:
> We propose to add an IMA hook in enforcing_set() present under
> security/selinux/include/security.h.
> enforcing_set() sets the selinux state to enforcing/permissive etc.
> and is called from key places like selinux_init(),
> sel_write_enforce() etc.
> The hook will measure various attributes related to selinux status.
> Majority of the attributes are present in the struct selinux_state
> present in security/selinux/include/security.h
> e.g.
> $sestatus
> SELinux status: enabled
> SELinuxfs mount: /sys/fs/selinux
> SELinux root directory: /etc/selinux
> Loaded policy name: default
> Current mode: permissive
> Mode from config file: permissive
> Policy MLS status: enabled
> Policy deny_unknown status: allowed
> Memory protection checking: requested (insecure)
> Max kernel policy version: 32
>
> The above attributes will be serialized into a set of key=value
> pairs when passed to IMA for measurement.
>
> Proposed Function Signature of the IMA hook:
> void ima_selinux_status(void *selinux_status, int len);

This won't detect changes to any of these state variables via a kernel
write vulnerability, so it would be good to provide a way to trigger
measurement of the current values on demand.
You'll also likely want to measure parts of the child structures of
selinux_state, e.g. selinux_ss, especially selinux_map and policydb.
You can simplify measurement of the policydb by serializing it first
via policydb_write() and hashing the result.

I suppose one question is whether you can do all of this already from
userspace by just having userspace read /sys/fs/selinux/enforce,
/sys/fs/selinux/policy, etc.
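
The userspace approach raised in the last paragraph, sketched as an added example that is not part of the original message or of any kernel patch: it reads the selinuxfs state nodes on demand, hashes the binary policy, and serializes everything as key=value pairs so two snapshots can be compared. The selinuxfs nodes other than `enforce` and `policy`, the `key=value;` format, and all function names are assumptions of this example.

```python
import hashlib
import os
import tempfile

# "enforce" and "policy" are the nodes named in the message; the other
# selinuxfs nodes are included as an assumption of this example.
STATE_NODES = ("enforce", "policyvers", "mls", "deny_unknown", "checkreqprot")

def snapshot(root="/sys/fs/selinux"):
    """Return (key, value) pairs for the current SELinux state under root."""
    pairs = []
    for name in STATE_NODES:
        try:
            with open(os.path.join(root, name), "rb") as f:
                value = f.read().decode("ascii", "replace").strip("\0 \n")
        except OSError:
            value = "unreadable"  # keep the gap visible in the measurement
        pairs.append((name, value))
    try:
        # The policy node yields the loaded binary policy; record its hash.
        sha = hashlib.sha256()
        with open(os.path.join(root, "policy"), "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                sha.update(chunk)
        pairs.append(("policy_sha256", sha.hexdigest()))
    except OSError:
        pairs.append(("policy_sha256", "unreadable"))
    return pairs

def digest(pairs):
    """Hash the key=value serialization (format chosen for this example)."""
    blob = "".join(f"{k}={v};" for k, v in pairs).encode()
    return hashlib.sha256(blob).hexdigest()

def changed(old, new):
    """List (key, old_value, new_value) for attributes that differ."""
    before = dict(old)
    return [(k, before.get(k), v) for k, v in new if before.get(k) != v]

if __name__ == "__main__":
    # Constructed stand-in for selinuxfs so the example runs on any host.
    root = tempfile.mkdtemp()
    nodes = {"enforce": "1", "policyvers": "32", "mls": "1", "deny_unknown": "0",
             "checkreqprot": "1", "policy": "constructed-policy-bytes"}
    for name, data in nodes.items():
        with open(os.path.join(root, name), "w") as f:
            f.write(data)
    print(digest(snapshot(root)))
```

On a real system, reading `/sys/fs/selinux/policy` requires privilege, so an unprivileged run records `policy_sha256=unreadable` rather than failing.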