From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751901AbdJZUHu (ORCPT <rfc822;w@1wt.eu>);
        Thu, 26 Oct 2017 16:07:50 -0400
Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:40216 "EHLO
        mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1751533AbdJZUHq (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 26 Oct 2017 16:07:46 -0400
Subject: Re: [PATCH v5 18/18] ima: Write modsig to the measurement list
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>,
        linux-integrity@vger.kernel.org
Cc: linux-security-module@vger.kernel.org, keyrings@vger.kernel.org,
        linux-crypto@vger.kernel.org, linuxppc-dev@lists.ozlabs.org,
        linux-kernel@vger.kernel.org,
        Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
        James Morris <james.l.morris@oracle.com>,
        "Serge E. Hallyn" <serge@hallyn.com>,
        David Howells <dhowells@redhat.com>,
        David Woodhouse <dwmw2@infradead.org>, Jessica Yu <jeyu@redhat.com>,
        Rusty Russell <rusty@rustcorp.com.au>,
        Herbert Xu <herbert@gondor.apana.org.au>,
        "David S. Miller" <davem@davemloft.net>,
        "AKASHI, Takahiro" <takahiro.akashi@linaro.org>
Date: Thu, 26 Oct 2017 16:07:34 -0400
In-Reply-To: <20171018005331.2688-19-bauerman@linux.vnet.ibm.com>
References: <20171018005331.2688-1-bauerman@linux.vnet.ibm.com>
         <20171018005331.2688-19-bauerman@linux.vnet.ibm.com>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.20.5 (3.20.5-1.fc24) 
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
X-TM-AS-GCONF: 00
x-cbid: 17102620-0040-0000-0000-000004075782
X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused
x-cbparentid: 17102620-0041-0000-0000-000020A9CDC6
Message-Id: <1509048454.5886.108.camel@linux.vnet.ibm.com>
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:,, definitions=2017-10-26_08:,,
 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501
 malwarescore=0 suspectscore=3 phishscore=0 bulkscore=0 spamscore=0
 clxscore=1015 lowpriorityscore=0 impostorscore=0 adultscore=0
 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1707230000
 definitions=main-1710260252
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, 2017-10-17 at 22:53 -0200, Thiago Jung Bauermann wrote:

> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index 6a2d960fbd92..0d3390de7432 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -246,7 +246,35 @@ static int process_measurement(struct file *file, char *buf, loff_t size,
>  		rc = ima_appraise_measurement(func, iint, file, buf, size,
>  					      pathname, &xattr_value,
>  					      &xattr_len, opened);
> -	if (action & IMA_MEASURE)
> +
> +	/*
> +	 * MODSIG has one corner case we need to deal with here:
> +	 *
> +	 * Suppose the policy has one measure rule for one hook and an appraise
> +	 * rule for a different hook. Suppose also that the template requires
> +	 * the signature to be stored in the measurement list.
> +	 *
> +	 * If a file containing a MODSIG is measured by the first hook before
> +	 * being appraised by the second one, the corresponding entry in the
> +	 * measurement list will not contain the MODSIG because we only fetch it
> +	 * for IMA_APPRAISAL. We don't fetch it earlier because if the file has
> +	 * both a DIGSIG and a MODSIG it's not possible to know which one will
> +	 * be valid without actually doing the appraisal.
> +	 *
> +	 * Therefore, after appraisal of a MODSIG signature we need to store the
> +	 * measurement again if the current template requires storing the
> +	 * signature.

Yes, all true, but this long comment doesn't belong here in the middle
of process_measurement(). 

> +	 * With the opposite ordering (the appraise rule triggering before the
> +	 * measurement rule) there is the same problem but it's not possible to
> +	 * do anything about it because at the time we are appraising the
> +	 * signature it's impossible to know whether a measurement will ever
> +	 * need to be stored for this file.
> +	 */

With the template format "ima-sig", the verified file signature needs
to be included in the measurement list.  Based on this file signature,
the attestation server can validate the signature.

In this case, where the appraisal comes first followed by the
measurement, the appraised file signature is included in the
measurement list.  I don't see the problem here.

> +	if ((action & IMA_MEASURE) || ((iint->flags & IMA_MEASURE) &&
> +				       xattr_value &&
> +				       xattr_value->type == IMA_MODSIG &&
> +				       ima_current_template_has_sig()))

Like the clean up you did elsewhere, this new set of tests should be
made into a function.  The comment could placed along with the new
function.

Mimi

>  		ima_store_measurement(iint, file, pathname,
>  				      xattr_value, xattr_len, pcr);
>  	if (action & IMA_AUDIT)
>