linux-integrity.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Stephen Smalley <stephen.smalley.work@gmail.com>
To: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
Cc: Mimi Zohar <zohar@linux.ibm.com>,
	Casey Schaufler <casey@schaufler-ca.com>,
	James Morris <jmorris@namei.org>,
	linux-integrity@vger.kernel.org,
	SElinux list <selinux@vger.kernel.org>,
	LSM List <linux-security-module@vger.kernel.org>,
	linux-kernel <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v3 4/5] LSM: Define SELinux function to measure security state
Date: Mon, 20 Jul 2020 13:06:21 -0400	[thread overview]
Message-ID: <CAEjxPJ7VH18bEo6+U1GWrx=tHVGr=6XtF5_ygcfQYgdtZ74J+g@mail.gmail.com> (raw)
In-Reply-To: <c0fbfcf3-ec36-872a-c389-b3fea214848c@linux.microsoft.com>

On Mon, Jul 20, 2020 at 11:17 AM Lakshmi Ramasubramanian
<nramas@linux.microsoft.com> wrote:
> Thanks for trying out the changes. Please let me know the defects you find.
>
> Just to let you know - I am making the following change (will update in
> the next patch):
>
>   => Save the last policy hash and state string in selinux_state struct.
>   => Measure policy and hash only if it has changed since the last
> measurement.
>   => Also, suffix the IMA event name used with time stamp. For example,
>
> 10 e32e...5ac3 ima-buf sha256:86e8...4594
> selinux-state-1595257807:874963248
> 656e61626c65643d313b656e666f7263696e673d303b636865636b72657170726f743d313b6e6574706565723d313b6f70656e7065726d3d313b657874736f636b636c6173733d313b616c776179736e6574776f726b3d303b6367726f75707365636c6162656c3d313b6e6e706e6f737569647472616e736974696f6e3d313b67656e66737365636c6162656c73796d6c696e6b3d303b
>
> 10 f4a7...9408 ima-buf sha256:4941...68fc
> selinux-policy-hash-1595257807:874963248
> 8d1d...1834
>
> The above will ensure the following sequence will be measured:
>   #1 State A - Measured
>   #2 Change from State A to State B - Measured
>   #3 Change from State B back to State A - Since the measured data is
> same as in #1, the change will be measured only if the event name is
> different between #1 and #3

Perhaps the timestamp / sequence number should be part of the hashed
data instead of the event name?
I can see the appraiser wanting to know two things:
1) The current state of the system (e.g. is it enforcing, is the
currently loaded policy the expected one?).
2) Has the system ever been in an unexpected state (e.g. was it
temporarily switched to permissive or had an unexpected policy
loaded?)

I applied the patch series on top of the next-integrity branch, added
measure func=LSM_STATE to ima-policy, and booted that kernel.  I get
the following entries in ascii_runtime_measurements, but seemingly
missing the final field:

10 8a09c48af4f8a817f59b495bd82971e096e2e367 ima-ng
sha256:21c3d7b09b62b4d0b3ed15ba990f816b94808f90b76787bfae755c4b3a44cd24
selinux-state
10 e610908931d70990a2855ddb33c16af2d82ce56a ima-ng
sha256:c8898652afd5527ef4eaf8d85f5fee1d91fcccee34bc97f6e55b96746bedb318
selinux-policy-hash

Thus, I cannot verify. What am I missing?

  reply	other threads:[~2020-07-20 17:06 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-07-17 22:28 [PATCH v3 0/5] LSM: Measure security module state Lakshmi Ramasubramanian
2020-07-17 22:28 ` [PATCH v3 1/5] IMA: Add LSM_STATE func to measure LSM data Lakshmi Ramasubramanian
2020-07-17 22:28 ` [PATCH v3 2/5] IMA: Define an IMA hook " Lakshmi Ramasubramanian
2020-07-17 22:28 ` [PATCH v3 3/5] LSM: Add security_measure_data in lsm_info struct Lakshmi Ramasubramanian
2020-07-17 22:28 ` [PATCH v3 4/5] LSM: Define SELinux function to measure security state Lakshmi Ramasubramanian
2020-07-18  3:14   ` kernel test robot
2020-07-20  2:04     ` Lakshmi Ramasubramanian
2020-07-18  3:38   ` kernel test robot
2020-07-18 15:31   ` kernel test robot
2020-07-18 15:31   ` [RFC PATCH] LSM: security_read_selinux_policy() can be static kernel test robot
2020-07-20 14:31   ` [PATCH v3 4/5] LSM: Define SELinux function to measure security state Stephen Smalley
2020-07-20 15:17     ` Lakshmi Ramasubramanian
2020-07-20 17:06       ` Stephen Smalley [this message]
2020-07-20 17:26         ` Mimi Zohar
2020-07-20 17:34         ` Lakshmi Ramasubramanian
2020-07-20 17:40           ` Stephen Smalley
2020-07-20 17:49             ` Stephen Smalley
2020-07-20 18:27               ` Lakshmi Ramasubramanian
2020-07-20 18:44                 ` Stephen Smalley
2020-07-20 18:59                   ` Lakshmi Ramasubramanian
2020-07-17 22:28 ` [PATCH v3 5/5] LSM: Define workqueue for measuring security module state Lakshmi Ramasubramanian

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAEjxPJ7VH18bEo6+U1GWrx=tHVGr=6XtF5_ygcfQYgdtZ74J+g@mail.gmail.com' \
    --to=stephen.smalley.work@gmail.com \
    --cc=casey@schaufler-ca.com \
    --cc=jmorris@namei.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=nramas@linux.microsoft.com \
    --cc=selinux@vger.kernel.org \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).