linux-kernel.vger.kernel.org archive mirror
* [PATCH 1/2] ima: define ima_trusted_for hook
@ 2021-10-13 11:01 Mimi Zohar
From: Mimi Zohar @ 2021-10-13 11:01 UTC (permalink / raw)
  To: Mickaël Salaün
  Cc: Mimi Zohar, Al Viro, Andrew Morton, linux-integrity,
	linux-kernel, linux-security-module

A major interpreter integrity gap exists which allows files read by
the interpreter to be executed without measuring the file or verifying
the file's signature.

The kernel has no knowledge about the file being read by the interpreter.
Only the interpreter knows the context (e.g. data, execute) and must be
trusted to provide that information accurately.

To close this integrity gap, define an ima_trusted_for hook to allow
IMA to measure the file and verify the file's signature based on policy.

Sample policy rules:
	measure func=TRUSTED_FOR_CHECK
	appraise func=TRUSTED_FOR_CHECK

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
Mickaël, here is the first LSM/integrity instantiation of the trusted_for
hook.

 Documentation/ABI/testing/ima_policy |  2 +-
 security/integrity/ima/ima.h         |  1 +
 security/integrity/ima/ima_main.c    | 23 +++++++++++++++++++++++
 security/integrity/ima/ima_policy.c  |  3 +++
 4 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
index e1a04bd3b9e5..85618e726801 100644
--- a/Documentation/ABI/testing/ima_policy
+++ b/Documentation/ABI/testing/ima_policy
@@ -34,7 +34,7 @@ Description:
 				[FIRMWARE_CHECK]
 				[KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
 				[KEXEC_CMDLINE] [KEY_CHECK] [CRITICAL_DATA]
-				[SETXATTR_CHECK]
+				[SETXATTR_CHECK] [TRUSTED_FOR_CHECK]
 			mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
 			       [[^]MAY_EXEC]
 			fsmagic:= hex value
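Review bot: the new TRUSTED_FOR_CHECK keyword is only added to the func enumeration; unlike BPRM_CHECK or MMAP_CHECK its name does not say which kernel path triggers it, so the Description block should state that it covers a file an interpreter passes to the trusted_for syscall with TRUSTED_FOR_EXECUTION. Since requiring signatures needs `appraise func=TRUSTED_FOR_CHECK appraise_type=imasig` (as the follow-up in this thread notes) rather than the bare `appraise func=TRUSTED_FOR_CHECK` from the commit message, an example rule with appraise_type next to the existing examples would prevent policy authors from loading a rule that only hashes.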
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index be965a8715e4..827236dbbefb 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -202,6 +202,7 @@ static inline unsigned int ima_hash_key(u8 *digest)
 	hook(KEY_CHECK, key)				\
 	hook(CRITICAL_DATA, critical_data)		\
 	hook(SETXATTR_CHECK, setxattr_check)		\
+	hook(TRUSTED_FOR_CHECK, trusted_for_check)	\
 	hook(MAX_CHECK, none)
 
 #define __ima_hook_enumify(ENUM, str)	ENUM,
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 465865412100..e09054ac3352 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -26,6 +26,7 @@
 #include <linux/ima.h>
 #include <linux/iversion.h>
 #include <linux/fs.h>
+#include <uapi/linux/trusted-for.h>
 
 #include "ima.h"
 
@@ -519,6 +520,28 @@ int ima_file_check(struct file *file, int mask)
 }
 EXPORT_SYMBOL_GPL(ima_file_check);
 
+/**
+ * ima_trusted_for - based on policy, measure/appraise/audit measurement
+ * @file: pointer to the file to be measured/appraised/audit
+ * @usage: limit enumeration to TRUSTED_FOR_EXECUTION
+ *
+ * Measure/appraise/audit files being executed by an interpreter.
+ *
+ * On success return 0.  On integrity appraisal error, assuming the file
+ * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
+ */
+int ima_trusted_for(struct file *file, const enum trusted_for_usage usage)
+{
+	u32 secid;
+
+	if (usage != TRUSTED_FOR_EXECUTION)
+		return 0;
+
+	security_task_getsecid_subj(current, &secid);
+	return process_measurement(file, current_cred(), secid, NULL,
+				   0, MAY_EXEC, TRUSTED_FOR_CHECK);
+}
+
 static int __ima_inode_hash(struct inode *inode, char *buf, size_t buf_size)
 {
 	struct integrity_iint_cache *iint;
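Review bot: the kernel-doc for ima_trusted_for is misleading: `@usage: limit enumeration to TRUSTED_FOR_EXECUTION` reads like a description of the parameter's range, whereas the body returns 0 for every usage other than TRUSTED_FOR_EXECUTION without measuring or appraising anything, and `to be measured/appraised/audit` should read `audited`. Suggest stating the early return explicitly, e.g. `@usage: requested usage; only TRUSTED_FOR_EXECUTION is measured/appraised, other values return 0 without examining the file`, so policy authors do not expect TRUSTED_FOR_CHECK rules to fire for other usages. The hard-coded MAY_EXEC passed to process_measurement() is consistent with those execution-only semantics, but it means a mask= other than MAY_EXEC on a TRUSTED_FOR_CHECK rule can never match; see the ima_validate_rule change below, which accepts IMA_MASK for this func.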
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 320ca80aacab..847803a24201 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -1210,6 +1210,7 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
 	case POST_SETATTR:
 	case FIRMWARE_CHECK:
 	case POLICY_CHECK:
+	case TRUSTED_FOR_CHECK:
 		if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC |
 				     IMA_UID | IMA_FOWNER | IMA_FSUUID |
 				     IMA_INMASK | IMA_EUID | IMA_PCR |
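Review bot: adding TRUSTED_FOR_CHECK to this case accepts IMA_MASK and IMA_INMASK on its rules, yet ima_trusted_for() always calls process_measurement() with MAY_EXEC, so a rule such as `measure func=TRUSTED_FOR_CHECK mask=MAY_READ` would validate successfully and then silently never match. Either reject mask= for TRUSTED_FOR_CHECK here (a separate case that masks IMA_MASK and IMA_INMASK out of the allowed flags) or document in Documentation/ABI/testing/ima_policy that only MAY_EXEC is meaningful for this func.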
@@ -1423,6 +1424,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
 			/* PATH_CHECK is for backwards compat */
 			else if (strcmp(args[0].from, "PATH_CHECK") == 0)
 				entry->func = FILE_CHECK;
+			else if (strcmp(args[0].from, "TRUSTED_FOR_CHECK") == 0)
+				entry->func = TRUSTED_FOR_CHECK;
 			else if (strcmp(args[0].from, "MODULE_CHECK") == 0)
 				entry->func = MODULE_CHECK;
 			else if (strcmp(args[0].from, "FIRMWARE_CHECK") == 0)
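Review bot: style only: the new `TRUSTED_FOR_CHECK` branch is inserted between the PATH_CHECK backwards-compatibility alias and MODULE_CHECK, so the keyword chain no longer follows the hook order in ima.h, where TRUSTED_FOR_CHECK is appended after SETXATTR_CHECK. Placing the branch at the end of the chain keeps the parser and the hook list in the same order and makes the next hook easier to add and review.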
-- 
2.27.0


* [PATCH 2/2] fs: extend the trusted_for syscall to call IMA
From: Mimi Zohar @ 2021-10-13 11:01 UTC (permalink / raw)
  To: Mickaël Salaün
  Cc: Mimi Zohar, Al Viro, Andrew Morton, linux-integrity,
	linux-kernel, linux-security-module

Extend the trusted_for syscall to call the newly defined
ima_trusted_for hook.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 fs/open.c           | 3 +++
 include/linux/ima.h | 9 +++++++++
 2 files changed, 12 insertions(+)

diff --git a/fs/open.c b/fs/open.c
index c79c138a638c..4d54e2a727e1 100644
--- a/fs/open.c
+++ b/fs/open.c
@@ -585,6 +585,9 @@ SYSCALL_DEFINE3(trusted_for, const int, fd, const enum trusted_for_usage, usage,
 	err = inode_permission(file_mnt_user_ns(f.file), inode,
 			mask | MAY_ACCESS);
 
+	if (!err)
+		err = ima_trusted_for(f.file, usage);
+
 out_fd:
 	fdput(f);
 	return err;
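Review bot: the IMA call is correctly gated on inode_permission() succeeding, so a file the caller may not access is never measured, but the `mask` already used for the inode_permission() call just above is not passed to ima_trusted_for(), which instead hard-codes MAY_EXEC in patch 1/2 after checking `usage` itself. Passing `mask` alongside `usage` (or at least asserting the two agree) keeps the DAC check and the integrity check from drifting apart if trusted_for gains further usages. Mickaël's reply in this thread asks for an LSM hook here instead of a direct IMA call; whichever route is taken, the mask belongs in that signature too.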
diff --git a/include/linux/ima.h b/include/linux/ima.h
index b6ab66a546ae..603df9932817 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -12,12 +12,15 @@
 #include <linux/security.h>
 #include <linux/kexec.h>
 #include <crypto/hash_info.h>
+#include <uapi/linux/trusted-for.h>
 struct linux_binprm;
 
 #ifdef CONFIG_IMA
 extern enum hash_algo ima_get_current_hash_algo(void);
 extern int ima_bprm_check(struct linux_binprm *bprm);
 extern int ima_file_check(struct file *file, int mask);
+extern int ima_trusted_for(struct file *file,
+			   const enum trusted_for_usage usage);
 extern void ima_post_create_tmpfile(struct user_namespace *mnt_userns,
 				    struct inode *inode);
 extern void ima_file_free(struct file *file);
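Review bot: including <uapi/linux/trusted-for.h> in include/linux/ima.h makes a uapi header part of every translation unit that includes linux/ima.h, not just fs/open.c; it is needed only because `enum trusted_for_usage` cannot be forward-declared the way `struct linux_binprm` is on the following line. If that is undesirable, declaring the parameter as a plain `int usage` in the prototype and keeping the enum in the callee avoids the include. Minor: the `const` on a by-value enum parameter in a declaration has no effect on callers and is usually dropped from prototypes.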
@@ -81,6 +84,12 @@ static inline int ima_file_check(struct file *file, int mask)
 	return 0;
 }
 
+static inline int ima_trusted_for(struct file *file,
+				  const enum trusted_for_usage usage)
+{
+	return 0;
+}
+
 static inline void ima_post_create_tmpfile(struct user_namespace *mnt_userns,
 					   struct inode *inode)
 {
-- 
2.27.0



* Re: [PATCH 1/2] ima: define ima_trusted_for hook
From: Mimi Zohar @ 2021-10-13 14:34 UTC (permalink / raw)
  To: Mickaël Salaün
  Cc: Al Viro, Andrew Morton, linux-integrity, linux-kernel,
	linux-security-module

On Wed, 2021-10-13 at 07:01 -0400, Mimi Zohar wrote:
> A major interpreter integrity gap exists which allows files read by
> the interpreter to be executed without measuring the file or verifying
> the file's signature.
> 
> The kernel has no knowledge about the file being read by the interpreter.
> Only the interpreter knows the context (e.g. data, execute) and must be
> trusted to provide that information accurately.
> 
> To close this integrity gap, define an ima_trusted_for hook to allow
> IMA to measure the file and verify the file's signature based on policy.
> 
> Sample policy rules:
> 	measure func=TRUSTED_FOR_CHECK
> 	appraise func=TRUSTED_FOR_CHECK

To require file signatures, the policy rule should be:
	appraise func=TRUSTED_FOR_CHECK appraise_type=imasig
> 
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>



* Re: [PATCH 2/2] fs: extend the trusted_for syscall to call IMA
From: Mickaël Salaün @ 2021-10-13 15:26 UTC (permalink / raw)
  To: Mimi Zohar
  Cc: Al Viro, Andrew Morton, linux-integrity, linux-kernel,
	linux-security-module

Nice!

On 13/10/2021 13:01, Mimi Zohar wrote:
> Extend the trusted_for syscall to call the newly defined
> ima_trusted_for hook.
> 
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
>  fs/open.c           | 3 +++
>  include/linux/ima.h | 9 +++++++++
>  2 files changed, 12 insertions(+)
> 
> diff --git a/fs/open.c b/fs/open.c
> index c79c138a638c..4d54e2a727e1 100644
> --- a/fs/open.c
> +++ b/fs/open.c
> @@ -585,6 +585,9 @@ SYSCALL_DEFINE3(trusted_for, const int, fd, const enum trusted_for_usage, usage,
>  	err = inode_permission(file_mnt_user_ns(f.file), inode,
>  			mask | MAY_ACCESS);
>  
> +	if (!err)
> +		err = ima_trusted_for(f.file, usage);

Could you please implement a new LSM hook instead? Other LSMs may want
to use this information as well.


* Re: [PATCH 2/2] fs: extend the trusted_for syscall to call IMA
From: Mimi Zohar @ 2021-10-13 15:45 UTC (permalink / raw)
  To: Mickaël Salaün
  Cc: Al Viro, Andrew Morton, linux-integrity, linux-kernel,
	linux-security-module, Casey Schaufler

[CC'ing Casey]

On Wed, 2021-10-13 at 17:26 +0200, Mickaël Salaün wrote:
> Nice!
> 
> On 13/10/2021 13:01, Mimi Zohar wrote:
> > Extend the trusted_for syscall to call the newly defined
> > ima_trusted_for hook.
> > 
> > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> > ---
> >  fs/open.c           | 3 +++
> >  include/linux/ima.h | 9 +++++++++
> >  2 files changed, 12 insertions(+)
> > 
> > diff --git a/fs/open.c b/fs/open.c
> > index c79c138a638c..4d54e2a727e1 100644
> > --- a/fs/open.c
> > +++ b/fs/open.c
> > @@ -585,6 +585,9 @@ SYSCALL_DEFINE3(trusted_for, const int, fd, const enum trusted_for_usage, usage,
> >  	err = inode_permission(file_mnt_user_ns(f.file), inode,
> >  			mask | MAY_ACCESS);
> >  
> > +	if (!err)
> > +		err = ima_trusted_for(f.file, usage);
> 
> Could you please implement a new LSM hook instead? Other LSMs may want
> to use this information as well.

Casey normally pushes back on my defining a new LSM hook, when IMA is
the only user.  If any of the LSM maintainers are planning on defining
this hook, please chime in.

thanks,

Mimi



* Re: [PATCH 2/2] fs: extend the trusted_for syscall to call IMA
From: Casey Schaufler @ 2021-10-13 17:24 UTC (permalink / raw)
  To: Mimi Zohar, Mickaël Salaün
  Cc: Al Viro, Andrew Morton, linux-integrity, linux-kernel,
	linux-security-module, Casey Schaufler

On 10/13/2021 8:45 AM, Mimi Zohar wrote:
> [CC'ing Casey]
>
> On Wed, 2021-10-13 at 17:26 +0200, Mickaël Salaün wrote:
>> Nice!
>>
>> On 13/10/2021 13:01, Mimi Zohar wrote:
>>> Extend the trusted_for syscall to call the newly defined
>>> ima_trusted_for hook.
>>>
>>> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
>>> ---
>>>  fs/open.c           | 3 +++
>>>  include/linux/ima.h | 9 +++++++++
>>>  2 files changed, 12 insertions(+)
>>>
>>> diff --git a/fs/open.c b/fs/open.c
>>> index c79c138a638c..4d54e2a727e1 100644
>>> --- a/fs/open.c
>>> +++ b/fs/open.c
>>> @@ -585,6 +585,9 @@ SYSCALL_DEFINE3(trusted_for, const int, fd, const enum trusted_for_usage, usage,
>>>  	err = inode_permission(file_mnt_user_ns(f.file), inode,
>>>  			mask | MAY_ACCESS);
>>>  
>>> +	if (!err)
>>> +		err = ima_trusted_for(f.file, usage);
>> Could you please implement a new LSM hook instead? Other LSMs may want
>> to use this information as well.
> Casey normally pushes back on my defining a new LSM hook, when IMA is
> the only user.  If any of the LSM maintainers are planning on defining
> this hook, please chime in.

That's correct. Adding the overhead of checking for security module hooks
when we know there aren't any does nothing to dispel the perception that
security developers don't care about performance.


> thanks,
>
> Mimi
>

