[PATCH v2 0/2] support to read and tune appraise mode in runtime

[PATCH v2 0/2] support to read and tune appraise mode in runtime

[Tianjia Zhang]

Support the read and write operations of ima_appraise by adding a
securifyfs file 'appraise_mode'.

In order to tune appraise mode in runtime, writing a PKCS#7 signature
corresponding the signed content is required. The content should be off,
enforce, log or fix. Given a simple way to archive this:

$ echo -n off > mode
$ openssl smime -sign -nocerts -noattr -binary \
    -in mode -inkey <system_trusted_key> \
    -signer <cert> -outform der -out mode.p7s
$ sudo cat mode.p7s \
    > /sys/kernel/security/ima/appraise_mode

Note that the signing key must be a trust key located in
system trusted keyring. So even the root privilege cannot
simply disable the enforcement.

---
v2 change: fix build error.

Tianjia Zhang (2):
  ima: support to read appraise mode
  ima: support to tune appraise mode in runtime

 security/integrity/ima/ima_fs.c | 140 +++++++++++++++++++++++++++++++-
 1 file changed, 139 insertions(+), 1 deletion(-)

-- 
2.17.1

[PATCH v2 1/2] ima: support to read appraise mode

[Tianjia Zhang]

Support to read appraise mode in runtime through securityfs file
'integrity/ima/appraise_mode'.

Signed-off-by: luanshi <zhangliguang@linux.alibaba.com>
Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
---
 security/integrity/ima/ima_fs.c | 32 +++++++++++++++++++++++++++++++-
 1 file changed, 31 insertions(+), 1 deletion(-)

diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index a71e822a6e92..65384f6ac0d9 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -360,6 +360,7 @@ static struct dentry *ascii_runtime_measurements;
 static struct dentry *runtime_measurements_count;
 static struct dentry *violations;
 static struct dentry *ima_policy;
+static struct dentry *appraise_mode;
 
 enum ima_fs_flags {
 	IMA_FS_BUSY,
@@ -447,6 +448,29 @@ static const struct file_operations ima_measure_policy_ops = {
 	.llseek = generic_file_llseek,
 };
 
+static ssize_t ima_appraise_mode_read(struct file *filp,
+					char __user *buf,
+					size_t count, loff_t *ppos)
+{
+	const char *mode;
+
+	if (ima_appraise & IMA_APPRAISE_ENFORCE)
+		mode = "enforce";
+	else if (ima_appraise & IMA_APPRAISE_FIX)
+		mode = "fix";
+	else if (ima_appraise & IMA_APPRAISE_LOG)
+		mode = "log";
+	else
+		mode = "off";
+
+	return simple_read_from_buffer(buf, count, ppos, mode, strlen(mode));
+}
+
+static const struct file_operations ima_appraise_mode_ops = {
+	.read = ima_appraise_mode_read,
+	.llseek = generic_file_llseek,
+};
+
 int __init ima_fs_init(void)
 {
 	ima_dir = securityfs_create_dir("ima", integrity_dir);
@@ -491,14 +515,20 @@ int __init ima_fs_init(void)
 	if (IS_ERR(ima_policy))
 		goto out;
 
+	appraise_mode =
+	    securityfs_create_file("appraise_mode", S_IRUSR | S_IRGRP,
+				   ima_dir, NULL, &ima_appraise_mode_ops);
+	if (IS_ERR(appraise_mode))
+		goto out;
+
 	return 0;
 out:
+	securityfs_remove(ima_policy);
 	securityfs_remove(violations);
 	securityfs_remove(runtime_measurements_count);
 	securityfs_remove(ascii_runtime_measurements);
 	securityfs_remove(binary_runtime_measurements);
 	securityfs_remove(ima_symlink);
 	securityfs_remove(ima_dir);
-	securityfs_remove(ima_policy);
 	return -1;
 }
-- 
2.17.1

[PATCH v2 2/2] ima: support to tune appraise mode in runtime

[Tianjia Zhang]

In order to tune appraise mode in runtime, writing a PKCS#7 signature
corresponding the signed content is required. The content should be off,
enforce, log or fix. Given a simple way to archive this:

$ echo -n off > mode
$ openssl smime -sign -nocerts -noattr -binary \
    -in mode -inkey <system_trusted_key> \
    -signer <cert> -outform der -out mode.p7s
$ sudo cat mode.p7s \
    > /sys/kernel/security/ima/appraise_mode

Note that the signing key must be a trust key located in
system trusted keyring. So even the root privilege cannot
simply disable the enforcement.

Signed-off-by: luanshi <zhangliguang@linux.alibaba.com>
Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
---
 security/integrity/ima/ima_fs.c | 108 ++++++++++++++++++++++++++++++++
 1 file changed, 108 insertions(+)

diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index 65384f6ac0d9..4de904c5623d 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -20,11 +20,15 @@
 #include <linux/rcupdate.h>
 #include <linux/parser.h>
 #include <linux/vmalloc.h>
+#include <linux/verification.h>
 
 #include "ima.h"
 
 static DEFINE_MUTEX(ima_write_mutex);
 
+/* maximum length of token allowed for signed appraise mode */
+#define APPRAISE_MAX_TOKEN_SIZE (512 * 1024)
+
 bool ima_canonical_fmt;
 static int __init default_canonical_fmt_setup(char *str)
 {
@@ -466,8 +470,112 @@ static ssize_t ima_appraise_mode_read(struct file *filp,
 	return simple_read_from_buffer(buf, count, ppos, mode, strlen(mode));
 }
 
+#ifdef CONFIG_SYSTEM_DATA_VERIFICATION
+
+static int check_signature_info(char *buf, size_t count)
+{
+	u8 *p;
+
+	/*
+	 * In order to tune the appraise mode, a PKCS#7 signature is
+	 * supplied.
+	 *
+	 * Assuming ASN.1 encoding supplied, the minimal length would be
+	 * 4-byte header plus at least 256-byte payload.
+	 */
+	if (count < 260)
+		return -EINVAL;
+
+	p = (u8 *)buf;
+
+	/* The primitive type must be a sequence */
+	if (p[0] != 0x30 || p[1] != 0x82)
+		return -EINVAL;
+
+	/* Match up the length of the supplied buffer */
+	if (be16_to_cpup((__be16 *)(p + 2)) != count - 4)
+		return -EINVAL;
+
+	return 0;
+}
+
+/* Verify the supplied PKCS#7 signature. The signed content may be off,
+ * enforce, log, fix.
+ */
+static int repopulate_ima_appraise_mode(void *pkcs7, size_t pkcs7_len)
+{
+	static char *appraise_mode_strings[] = { "off", "enforce", "fix", "log" };
+	static int appraise_modes[] = {
+		0,
+		IMA_APPRAISE_ENFORCE,
+		IMA_APPRAISE_FIX,
+		IMA_APPRAISE_LOG,
+	};
+	int index, ret = -1;
+	const char *s;
+	int size = ARRAY_SIZE(appraise_mode_strings);
+
+	for (index = 0; index < size; index++) {
+		s = appraise_mode_strings[index];
+		ret = verify_pkcs7_signature(s, strlen(s), pkcs7, pkcs7_len,
+					    NULL, VERIFYING_UNSPECIFIED_SIGNATURE,
+					    NULL, NULL);
+		if (!ret)
+			break;
+	}
+
+	if (index == size)
+		goto out;
+
+	ima_appraise = appraise_modes[index];
+
+out:
+	return ret;
+}
+
+static ssize_t ima_appraise_mode_write(struct file *filp,
+					const char __user *ubuf,
+					size_t count, loff_t *ppos)
+{
+	char *buf;
+	ssize_t ret;
+
+	if (*ppos > 1)
+		return -EFBIG;
+
+	if (count > APPRAISE_MAX_TOKEN_SIZE)
+		return -EFBIG;
+
+	buf = kmalloc(count, GFP_KERNEL);
+	if (!buf)
+		return -ENOMEM;
+
+	ret = simple_write_to_buffer(buf, count, ppos, ubuf, count);
+	if (ret <= 0)
+		goto out;
+
+	ret = check_signature_info(buf, count);
+	if (ret)
+		goto out;
+
+	ret = repopulate_ima_appraise_mode(buf, count);
+	if (ret)
+		goto out;
+
+	ret = count;
+
+out:
+	kfree(buf);
+	return ret;
+}
+
+#endif
+
 static const struct file_operations ima_appraise_mode_ops = {
 	.read = ima_appraise_mode_read,
+#ifdef CONFIG_SYSTEM_DATA_VERIFICATION
+	.write = ima_appraise_mode_write,
+#endif
 	.llseek = generic_file_llseek,
 };
 
-- 
2.17.1

Re: [PATCH v2 0/2] support to read and tune appraise mode in runtime

[Nayna]

On 4/9/20 6:34 AM, Tianjia Zhang wrote:
> Support the read and write operations of ima_appraise by adding a
> securifyfs file 'appraise_mode'.
>
> In order to tune appraise mode in runtime, writing a PKCS#7 signature

I am curious to know why would you tune appraise mode in runtime ?

Thanks & Regards,

       - Nayna

Re: [PATCH v2 0/2] support to read and tune appraise mode in runtime

[Tianjia Zhang]

On 2020/4/12 5:43, Nayna wrote:
> 
> On 4/9/20 6:34 AM, Tianjia Zhang wrote:
>> Support the read and write operations of ima_appraise by adding a
>> securifyfs file 'appraise_mode'.
>>
>> In order to tune appraise mode in runtime, writing a PKCS#7 signature
> 
> I am curious to know why would you tune appraise mode in runtime ?
> 
> Thanks & Regards,
> 
>        - Nayna

Mainly used for emergency shutdown under some abnormal conditions.

Thanks,
Tianjia