From: Roberto Sassu <roberto.sassu@huawei.com> To: <zohar@linux.ibm.com>, <dmitry.kasatkin@huawei.com>, <mjg59@google.com> Cc: <linux-integrity@vger.kernel.org>, <linux-security-module@vger.kernel.org>, <linux-fsdevel@vger.kernel.org>, <linux-doc@vger.kernel.org>, <linux-kernel@vger.kernel.org>, <silviu.vlasceanu@huawei.com>, Roberto Sassu <roberto.sassu@huawei.com> Subject: [PATCH v4 10/14] ima: load parser digests and execute the parser at boot time Date: Fri, 14 Jun 2019 19:55:09 +0200 Message-ID: <20190614175513.27097-11-roberto.sassu@huawei.com> (raw) In-Reply-To: <20190614175513.27097-1-roberto.sassu@huawei.com> Digest lists should be uploaded to IMA as soon as possible, otherwise file digests would appear in the measurement list or access would be denied if appraisal is in enforcing mode. This patch adds a call to ima_load_parser_digest_list() in integrity_load_keys(), so that the function is executed when rootfs becomes available, before the init process is executed. ima_load_parser_digest_list() loads a compact list containing the digests of the parser and the shared libraries. This list is measured and appraised depending on the current IMA policy. Then, the function executes the parser executable with the User-Mode-Helper (UMH). Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> --- security/integrity/iint.c | 1 + security/integrity/ima/Kconfig | 15 +++++++++ security/integrity/ima/ima_digest_list.c | 42 ++++++++++++++++++++++++ security/integrity/integrity.h | 8 +++++ 4 files changed, 66 insertions(+) diff --git a/security/integrity/iint.c b/security/integrity/iint.c index e12c4900510f..de73baccc847 100644 --- a/security/integrity/iint.c +++ b/security/integrity/iint.c @@ -213,6 +213,7 @@ void __init integrity_load_keys(void) { ima_load_x509(); evm_load_x509(); + ima_load_parser_digest_list(); } static int __init integrity_fs_init(void) diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index b3a7b46d21cf..c1bb9fedeccc 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig @@ -307,3 +307,18 @@ config IMA_DIGEST_LIST of accessed files are found in one of those lists, no new entries are added to the measurement list, and access to the file is granted if appraisal is in enforcing mode. + +config IMA_PARSER_DIGEST_LIST_PATH + string "Path of the parser digest list" + depends on IMA_DIGEST_LIST + default "/etc/ima/digest_lists/compact-upload_digest_lists" + help + This option defines the path of the digest list containing the + digest of the parser. + +config IMA_PARSER_BINARY_PATH + string "Path of the parser binary" + depends on IMA_DIGEST_LIST + default "/usr/bin/upload_digest_lists" + help + This option defines the path of the parser binary. diff --git a/security/integrity/ima/ima_digest_list.c b/security/integrity/ima/ima_digest_list.c index 3aaa26d6e8e3..532aaf5145ae 100644 --- a/security/integrity/ima/ima_digest_list.c +++ b/security/integrity/ima/ima_digest_list.c @@ -240,3 +240,45 @@ struct ima_digest *ima_digest_allow(struct ima_digest *digest, int action) return digest; } + +/******************** + * Parser execution * + ********************/ +static void ima_exec_parser(void) +{ + char *argv[2] = {NULL}, *envp[1] = {NULL}; + + argv[0] = (char *)CONFIG_IMA_PARSER_BINARY_PATH; + call_usermodehelper(argv[0], argv, envp, UMH_WAIT_PROC); +} + +void __init ima_load_parser_digest_list(void) +{ + void *datap; + loff_t size; + int ret; + + if (!(ima_digest_list_actions & ima_policy_flag)) + return; + + ima_set_parser(current); + ret = kernel_read_file_from_path(CONFIG_IMA_PARSER_DIGEST_LIST_PATH, + &datap, &size, 0, READING_DIGEST_LIST); + ima_set_parser(NULL); + + if (ret < 0) { + if (ret != -ENOENT) + pr_err("Unable to open file: %s (%d)", + CONFIG_IMA_PARSER_DIGEST_LIST_PATH, ret); + return; + } + + ret = ima_parse_compact_list(size, datap); + + vfree(datap); + + if (ret < 0) + return; + + ima_exec_parser(); +} diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 1a9bff2e01ec..8c4cf5127a8b 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -213,6 +213,14 @@ static inline void evm_load_x509(void) } #endif +#ifdef CONFIG_IMA_DIGEST_LIST +void __init ima_load_parser_digest_list(void); +#else +static inline void ima_load_parser_digest_list(void) +{ +} +#endif + #ifdef CONFIG_INTEGRITY_AUDIT /* declarations */ void integrity_audit_msg(int audit_msgno, struct inode *inode, -- 2.17.1
next prev parent reply index Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top 2019-06-14 17:54 [PATCH v4 00/14] ima: introduce IMA Digest Lists extension Roberto Sassu 2019-06-14 17:55 ` [PATCH v4 01/14] ima: read hash algorithm from security.ima even if appraisal is not enabled Roberto Sassu 2019-06-14 17:55 ` [PATCH v4 02/14] ima: generalize ima_read_policy() Roberto Sassu 2019-06-14 17:55 ` [PATCH v4 03/14] ima: generalize ima_write_policy() and raise uploaded data size limit Roberto Sassu 2019-06-14 17:55 ` [PATCH v4 04/14] ima: generalize policy file operations Roberto Sassu 2019-06-14 17:55 ` [PATCH v4 05/14] ima: use ima_show_htable_value to show violations and hash table data Roberto Sassu 2019-06-14 17:55 ` [PATCH v4 06/14] ima: add parser of compact digest list Roberto Sassu 2019-06-14 17:55 ` [PATCH v4 07/14] ima: restrict upload of converted digest lists Roberto Sassu 2019-06-14 17:55 ` [PATCH v4 08/14] ima: prevent usage of digest lists that are not measured/appraised Roberto Sassu 2019-06-14 17:55 ` [PATCH v4 09/14] ima: introduce new securityfs files Roberto Sassu 2019-06-14 17:55 ` Roberto Sassu [this message] 2019-06-14 17:55 ` [PATCH v4 11/14] ima: add support for measurement with digest lists Roberto Sassu 2019-06-14 17:55 ` [PATCH v4 12/14] ima: add support for appraisal " Roberto Sassu 2019-06-14 17:55 ` [PATCH v4 13/14] ima: introduce new policies initrd and appraise_initrd Roberto Sassu 2019-06-14 17:55 ` [PATCH v4 14/14] ima: add Documentation/security/IMA-digest-lists.txt Roberto Sassu 2019-06-17 6:56 ` [PATCH v4 00/14] ima: introduce IMA Digest Lists extension Roberto Sassu 2019-06-25 12:57 ` Roberto Sassu 2019-06-25 17:35 ` Mimi Zohar 2019-06-26 11:38 ` Roberto Sassu
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20190614175513.27097-11-roberto.sassu@huawei.com \ --to=roberto.sassu@huawei.com \ --cc=dmitry.kasatkin@huawei.com \ --cc=linux-doc@vger.kernel.org \ --cc=linux-fsdevel@vger.kernel.org \ --cc=linux-integrity@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-security-module@vger.kernel.org \ --cc=mjg59@google.com \ --cc=silviu.vlasceanu@huawei.com \ --cc=zohar@linux.ibm.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
Linux-Security-Module Archive on lore.kernel.org Archives are clonable: git clone --mirror https://lore.kernel.org/linux-security-module/0 linux-security-module/git/0.git # If you have public-inbox 1.1+ installed, you may # initialize and index your mirror using the following commands: public-inbox-init -V2 linux-security-module linux-security-module/ https://lore.kernel.org/linux-security-module \ linux-security-module@vger.kernel.org public-inbox-index linux-security-module Example config snippet for mirrors Newsgroup available over NNTP: nntp://nntp.lore.kernel.org/org.kernel.vger.linux-security-module AGPL code for this site: git clone https://public-inbox.org/public-inbox.git