From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-17.4 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT,USER_IN_DEF_DKIM_WL autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id AA514C433E0 for ; Sat, 13 Jun 2020 02:41:44 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 85F93206A4 for ; Sat, 13 Jun 2020 02:41:44 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.b="o9UcLG+H" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726478AbgFMClj (ORCPT ); Fri, 12 Jun 2020 22:41:39 -0400 Received: from linux.microsoft.com ([13.77.154.182]:54102 "EHLO linux.microsoft.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726396AbgFMClh (ORCPT ); Fri, 12 Jun 2020 22:41:37 -0400 Received: from localhost.localdomain (c-73-42-176-67.hsd1.wa.comcast.net [73.42.176.67]) by linux.microsoft.com (Postfix) with ESMTPSA id 28EFE20B4780; Fri, 12 Jun 2020 19:41:36 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 28EFE20B4780 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1592016096; bh=WVGmiiMS7vSH7gVwPrFMIQeJRoD4AACiFyCZE6Qm16s=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=o9UcLG+H6pVJ4Co/Cd/R0cdp/JBg2sTz6B5yOd2ll61VQR+dKb5917dnnhSQ28r35 mQXDPqaJBdWPYpg10rZwjlVuT9iOcjhux7ec2SA2Caz6ebauM5JVA7wfI3cSL9zPy6 GGb2EKm282FN2mZM6Vzbg5AcVWDhWkHg6rzQNt2w= From: Lakshmi Ramasubramanian To: zohar@linux.ibm.com, stephen.smalley@gmail.com, casey@schaufler-ca.com Cc: jmorris@namei.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH 1/5] IMA: Add LSM_STATE func to measure LSM data Date: Fri, 12 Jun 2020 19:41:26 -0700 Message-Id: <20200613024130.3356-2-nramas@linux.microsoft.com> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20200613024130.3356-1-nramas@linux.microsoft.com> References: <20200613024130.3356-1-nramas@linux.microsoft.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Data provided by security modules need to be measured. A new IMA policy is required for handling this measurement. Define a new IMA policy func namely LSM_STATE to measure data provided by security modules. Update ima_match_rules() to check for LSM_STATE and ima_parse_rule() to handle LSM_STATE. Signed-off-by: Lakshmi Ramasubramanian --- Documentation/ABI/testing/ima_policy | 6 +++++- security/integrity/ima/ima.h | 1 + security/integrity/ima/ima_api.c | 2 +- security/integrity/ima/ima_policy.c | 28 +++++++++++++++++++++++----- 4 files changed, 30 insertions(+), 7 deletions(-) diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy index cd572912c593..355bc3eade33 100644 --- a/Documentation/ABI/testing/ima_policy +++ b/Documentation/ABI/testing/ima_policy @@ -29,7 +29,7 @@ Description: base: func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK] [FIRMWARE_CHECK] [KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK] - [KEXEC_CMDLINE] [KEY_CHECK] + [KEXEC_CMDLINE] [KEY_CHECK] [LSM_STATE] mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND] [[^]MAY_EXEC] fsmagic:= hex value @@ -125,3 +125,7 @@ Description: keys added to .builtin_trusted_keys or .ima keyring: measure func=KEY_CHECK keyrings=.builtin_trusted_keys|.ima + + Example of measure rule using LSM_STATE to measure LSM data: + + measure func=LSM_STATE diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index df93ac258e01..58c62269028a 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -200,6 +200,7 @@ static inline unsigned int ima_hash_key(u8 *digest) hook(POLICY_CHECK) \ hook(KEXEC_CMDLINE) \ hook(KEY_CHECK) \ + hook(LSM_STATE) \ hook(MAX_CHECK) #define __ima_hook_enumify(ENUM) ENUM, diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index bf22de8b7ce0..0cebd2404dcf 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -176,7 +176,7 @@ void ima_add_violation(struct file *file, const unsigned char *filename, * subj=, obj=, type=, func=, mask=, fsmagic= * subj,obj, and type: are LSM specific. * func: FILE_CHECK | BPRM_CHECK | CREDS_CHECK | MMAP_CHECK | MODULE_CHECK - * | KEXEC_CMDLINE | KEY_CHECK + * | KEXEC_CMDLINE | KEY_CHECK | LSM_STATE * mask: contains the permission mask * fsmagic: hex value * diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index e493063a3c34..1a6ee09e6993 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -417,15 +417,31 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, const char *keyring) { int i; + int funcmatch = 0; - if ((func == KEXEC_CMDLINE) || (func == KEY_CHECK)) { + switch (func) { + case KEXEC_CMDLINE: + case KEY_CHECK: + case LSM_STATE: if ((rule->flags & IMA_FUNC) && (rule->func == func)) { if (func == KEY_CHECK) - return ima_match_keyring(rule, keyring, cred); - return true; - } - return false; + funcmatch = ima_match_keyring(rule, keyring, + cred) ? 1 : -1; + else + funcmatch = 1; + } else + funcmatch = -1; + + break; + + default: + funcmatch = 0; + break; } + + if (funcmatch) + return (funcmatch == 1) ? true : false; + if ((rule->flags & IMA_FUNC) && (rule->func != func && func != POST_SETATTR)) return false; @@ -1068,6 +1084,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) entry->func = KEXEC_CMDLINE; else if (strcmp(args[0].from, "KEY_CHECK") == 0) entry->func = KEY_CHECK; + else if (strcmp(args[0].from, "LSM_STATE") == 0) + entry->func = LSM_STATE; else result = -EINVAL; if (!result) -- 2.27.0