From: Casey Schaufler <casey@schaufler-ca.com>
To: Tushar Sugandhi <tusharsu@linux.microsoft.com>,
linux-integrity@vger.kernel.org, zohar@linux.ibm.com,
linux-security-module@vger.kernel.org, selinux@vger.kernel.org,
dm-devel@redhat.com
Cc: jmorris@namei.org, chpebeni@linux.microsoft.com,
nramas@linux.microsoft.com, balajib@microsoft.com,
sashal@kernel.org, suredd@microsoft.com,
Casey Schaufler <casey@schaufler-ca.com>
Subject: Re: [RFC] IMA: New IMA measurements for dm-crypt and selinux
Date: Wed, 8 Apr 2020 09:34:47 -0700
Message-ID: <b8dcaa3d-5006-2730-aa57-fb99e13c4472@schaufler-ca.com>
In-Reply-To: <f92bef0f-eb40-0e07-540c-321134e4b070@linux.microsoft.com>
On 4/8/2020 3:19 AM, Tushar Sugandhi wrote:
> The goals of the kernel integrity subsystem are to detect if files have
> been accidentally or maliciously altered, both remotely and locally,
> appraise a file's measurement against a "good" value stored as an
> extended attribute, and enforce local file integrity [1].
>
> To achieve these goals, IMA subsystem measures several in-memory
> constructs and files.
>
> We propose to measure constructs in dm-crypt and selinux to further
> enhance measuring capabilities of IMA.
>
> If there is existing or planned work to measure dm-crypt and selinux
> constructs, we would like to contribute to that.
>
> dm-crypt is a subsystem used for encryption of the block device, which
> is essential for ensuring protection of data and secrets at rest.
>
> Measuring encryption status of the device will ensure the device is not
> maliciously reporting false encryption status - thus, it can be
> entrusted with sensitive data to be protected at rest.
>
> SELinux is an implementation of mandatory access controls (MAC) on
> Linux. Mandatory access controls allow an administrator of a system to
> define how applications and users can access different resources - such
> as files, devices, networks and inter-process communication. With
> SELinux an administrator can differentiate a user from the applications
> a user runs [2].
>
> Measuring SELinux status and various SELinux policies can help ensure
> mandatory access control of the system is not compromised.
>
> Proposal:
> ---------
> A. Measuring dmcrypt constructs:
> We can add an IMA hook in crypt_ctr() present in
> drivers/md/dm-crypt.c, so that IMA can start measuring the status of
> various dm-crypt targets (represented by crypt_target struct - also
> defined in dm-crypt.c).
> The mapping table[3] has information of devices being encrypted
> (start sector, size, target name, cypher, key, device path, and
> other optional parameters.)
> e.g.
> 0 417792 crypt serpent-cbc-essiv:sha256 a7f67ad520bd83b9725df6ebd76c3eee 0 /dev/sdb 0 1 allow_discards
>
> We can pass various attributes of mapping table to IMA through a key
> value pair of various dmcrypt constructs.
>
> Proposed Function Signature of the IMA hook:
> void ima_dmcrypt_status(void *dmcrypt_status, int len);
>
> B. Measuring selinux constructs:
> We propose to add an IMA hook in enforcing_set() present under
> security/selinux/include/security.h.
> enforcing_set() sets the selinux state to enforcing/permissive etc.
> and is called from key places like selinux_init(),
> sel_write_enforce() etc.
> The hook will measure various attributes related to selinux status.
> Majority of the attributes are present in the struct selinux_state
> present in security/selinux/include/security.h
> e.g.
> $ sestatus
> SELinux status: enabled
> SELinuxfs mount: /sys/fs/selinux
> SELinux root directory: /etc/selinux
> Loaded policy name: default
> Current mode: permissive
> Mode from config file: permissive
> Policy MLS status: enabled
> Policy deny_unknown status: allowed
> Memory protection checking: requested (insecure)
> Max kernel policy version: 32
>
> The above attributes will be serialized into a set of key=value
> pairs when passed to IMA for measurement.
>
> Proposed Function Signature of the IMA hook:
> void ima_selinux_status(void *selinux_status, int len);
>
> Please provide comments/feedback on the proposal.
TL;DR - Why make this SELinux specific?
Integrating IMA and SELinux is a layering violation at best.
Why isn't this ima_lsm_status(void *lsm_status, int len)?
Or, better yet, how about ima_lsm_status(char *name, void *value, int len),
and you pass each name/value pair separately? That makes the
interface generally useful.
Believe it or not, there *ARE* security modules that
are not SELinux.
>
> Thanks,
> Tushar
>
> [1] https://sourceforge.net/p/linux-ima/wiki/Home/
> [2] https://selinuxproject.org/page/FAQ
> [3] https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt
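Added example (mine, not code from the RFC, the kernel, or any of the people on this thread): a user-space model of the generic name/value interface Casey suggests, applied to both proposals in the RFC. Each call appends one "name=value" record to a simulated measurement list; values are escaped so a value can never forge a second field or a record separator. The record names ("dmcrypt.cipher", "selinux.enforcing", ...), the choice to log only the key length rather than the key bytes, and the FNV-1a stand-in for the digest IMA would extend into a TPM PCR are all illustrative assumptions, not anything the RFC specifies.

```c
/* Added example, not from the RFC or the kernel. Record names, the
 * key-length-only rule and the FNV stand-in digest are assumptions. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define MAX_RECORDS    32
#define MAX_RECORD_LEN 256

/* Simulated IMA measurement list: one "name=value" record per hook call. */
static struct { char records[MAX_RECORDS][MAX_RECORD_LEN]; int count; } ml;

void ml_reset(void) { memset(&ml, 0, sizeof(ml)); }

/* Generic hook in the shape Casey proposes. Value bytes are copied verbatim
 * only if printable and neither '=' nor '\\'; anything else becomes \xHH, so
 * a value cannot inject a second "name=" field or a record separator.
 * Returns 0, or -1 if the name is invalid or the list/record is full. */
int ima_lsm_status(const char *name, const void *value, int len)
{
    if (ml.count >= MAX_RECORDS || len < 0 || strchr(name, '='))
        return -1;
    char *rec = ml.records[ml.count];
    int n = snprintf(rec, MAX_RECORD_LEN, "%s=", name);
    if (n < 0 || n >= MAX_RECORD_LEN)
        return -1;
    const unsigned char *p = value;
    for (int i = 0; i < len; i++) {
        int plain = p[i] >= 0x20 && p[i] <= 0x7e && p[i] != '=' && p[i] != '\\';
        int w = plain ? snprintf(rec + n, MAX_RECORD_LEN - n, "%c", p[i])
                      : snprintf(rec + n, MAX_RECORD_LEN - n, "\\x%02x", p[i]);
        if (w < 0 || n + w >= MAX_RECORD_LEN)
            return -1;
        n += w;
    }
    ml.count++;
    return 0;
}

static int measure_str(const char *name, const char *s)
{
    return ima_lsm_status(name, s, (int)strlen(s));
}

/* Value recorded under a name, or NULL if that attribute was never measured. */
const char *ml_find(const char *name)
{
    size_t nl = strlen(name);
    for (int i = 0; i < ml.count; i++)
        if (!strncmp(ml.records[i], name, nl) && ml.records[i][nl] == '=')
            return ml.records[i] + nl + 1;
    return NULL;
}

/* Stand-in for the digest IMA would extend into a TPM PCR: FNV-1a over every
 * record plus a '\n' terminator. Only "any change is visible" matters here;
 * FNV-1a is not a cryptographic hash. */
uint64_t ml_digest(void)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (int i = 0; i < ml.count; i++)
        for (const char *p = ml.records[i]; ; p++) {
            h = (h ^ (unsigned char)(*p ? *p : '\n')) * 0x100000001b3ULL;
            if (!*p) break;
        }
    return h;
}

/* Proposal A: one dm-crypt table line,
 *   <start> <size> crypt <cipher> <key> <iv_offset> <device> <offset> [<#opts> <opt>...]
 * The key is not logged (the list is readable from user space); its bit
 * length is. Returns the number of records added, or -1 for a malformed line. */
int measure_dmcrypt_table(const char *line)
{
    char buf[MAX_RECORD_LEN], opts[MAX_RECORD_LEN] = "", bits[16], *tok[16];
    int ntok = 0, before = ml.count;
    if (strlen(line) >= sizeof(buf))
        return -1;
    strcpy(buf, line);
    for (char *t = strtok(buf, " "); t && ntok < 16; t = strtok(NULL, " "))
        tok[ntok++] = t;
    if (ntok < 8 || strcmp(tok[2], "crypt"))
        return -1;
    snprintf(bits, sizeof(bits), "%zu", strlen(tok[4]) * 4); /* hex digits -> bits */
    measure_str("dmcrypt.start", tok[0]);
    measure_str("dmcrypt.size", tok[1]);
    measure_str("dmcrypt.cipher", tok[3]);
    measure_str("dmcrypt.key_bits", bits);
    measure_str("dmcrypt.iv_offset", tok[5]);
    measure_str("dmcrypt.device", tok[6]);
    measure_str("dmcrypt.offset", tok[7]);
    for (int i = 9; i < ntok; i++) {            /* optional params, e.g. allow_discards */
        if (i > 9) strncat(opts, ",", sizeof(opts) - strlen(opts) - 1);
        strncat(opts, tok[i], sizeof(opts) - strlen(opts) - 1);
    }
    if (ntok > 9)
        measure_str("dmcrypt.opts", opts);
    return ml.count - before;
}

/* Proposal B, made LSM-agnostic: the same function serves selinux, smack or
 * apparmor; the module name is only a prefix on each attribute. */
int measure_lsm_status(const char *lsm, int enforcing, const char *policy_name)
{
    char name[64];
    int before = ml.count;
    snprintf(name, sizeof(name), "%s.enforcing", lsm);
    measure_str(name, enforcing ? "1" : "0");
    snprintf(name, sizeof(name), "%s.policy_name", lsm);
    measure_str(name, policy_name);
    return ml.count - before;
}

int main(void)
{
    /* Constructed input: the table line and sestatus values quoted in the RFC. */
    ml_reset();
    measure_dmcrypt_table("0 417792 crypt serpent-cbc-essiv:sha256 "
                          "a7f67ad520bd83b9725df6ebd76c3eee 0 /dev/sdb 0 1 allow_discards");
    measure_lsm_status("selinux", 0, "default");
    for (int i = 0; i < ml.count; i++)
        puts(ml.records[i]);
    printf("digest=%016llx\n", (unsigned long long)ml_digest());
    return 0;
}
```

Flipping a single attribute (enforcing 0 to 1) changes the digest, which is the property a remote verifier relies on; passing each attribute separately is what lets a verifier reason about "selinux.enforcing" without knowing anything about struct selinux_state, and lets another LSM reuse the hook unchanged.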