| Message ID | 20211129170057.243127-4-zohar@linux.ibm.com (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | ima: support fs-verity signatures stored as | expand |
On Mon, Nov 29, 2021 at 12:00:56PM -0500, Mimi Zohar wrote: > Without the file signature included the IMA measurement list, the type > of file digest is unclear. Limit including fs-verity's file digest in > the IMA measurement list based on whether the template name is ima-sig. > In the future, this could be relaxed to include any template format that > includes the file signature. > > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> > --- > security/integrity/ima/ima.h | 3 ++- > security/integrity/ima/ima_api.c | 3 ++- > security/integrity/ima/ima_appraise.c | 3 ++- > security/integrity/ima/ima_main.c | 7 ++++++- > security/integrity/ima/ima_template_lib.c | 3 ++- > 5 files changed, 14 insertions(+), 5 deletions(-) > > diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h > index be965a8715e4..ab257e404f8e 100644 > --- a/security/integrity/ima/ima.h > +++ b/security/integrity/ima/ima.h > @@ -262,7 +262,8 @@ int ima_get_action(struct user_namespace *mnt_userns, struct inode *inode, > int ima_must_measure(struct inode *inode, int mask, enum ima_hooks func); > int ima_collect_measurement(struct integrity_iint_cache *iint, > struct file *file, void *buf, loff_t size, > - enum hash_algo algo, struct modsig *modsig); > + enum hash_algo algo, struct modsig *modsig, > + bool veritysig); > void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file, > const unsigned char *filename, > struct evm_ima_xattr_data *xattr_value, > diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c > index 42c6ff7056e6..179c7f0364c2 100644 > --- a/security/integrity/ima/ima_api.c > +++ b/security/integrity/ima/ima_api.c > @@ -217,7 +217,8 @@ int ima_get_action(struct user_namespace *mnt_userns, struct inode *inode, > */ > int ima_collect_measurement(struct integrity_iint_cache *iint, > struct file *file, void *buf, loff_t size, > - enum hash_algo algo, struct modsig *modsig) > + enum hash_algo algo, struct modsig *modsig, > + bool veritysig) 'veritysig' is being added here but it doesn't actually do anything. It seems this patchset is not split up correctly. > + rc = ima_collect_measurement(iint, file, NULL, 0, ima_hash_algo, > + NULL, FALSE); > if (rc < 0) > return; false should be used instead of FALSE. > > diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c > index 465865412100..a73e1e845ea8 100644 > --- a/security/integrity/ima/ima_main.c > +++ b/security/integrity/ima/ima_main.c > @@ -216,6 +216,7 @@ static int process_measurement(struct file *file, const struct cred *cred, > bool violation_check; > enum hash_algo hash_algo; > unsigned int allowed_algos = 0; > + int veritysig = FALSE; Likewise. > + if (xattr_value && xattr_value->type == IMA_VERITY_DIGSIG && > + strcmp(template_desc->name, "ima-sig") == 0) > + veritysig = TRUE; Likewise, true instead of TRUE. - Eric
Hi Mimi, Just one nit comment below in the patch description. On 11/29/2021 9:00 AM, Mimi Zohar wrote: > Without the file signature included the IMA measurement list, the type Without the file signature included in the IMA measurement list, the type... -lakshmi > of file digest is unclear. Limit including fs-verity's file digest in > the IMA measurement list based on whether the template name is ima-sig. > In the future, this could be relaxed to include any template format that > includes the file signature. > > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> > --- > security/integrity/ima/ima.h | 3 ++- > security/integrity/ima/ima_api.c | 3 ++- > security/integrity/ima/ima_appraise.c | 3 ++- > security/integrity/ima/ima_main.c | 7 ++++++- > security/integrity/ima/ima_template_lib.c | 3 ++- > 5 files changed, 14 insertions(+), 5 deletions(-) > > diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h > index be965a8715e4..ab257e404f8e 100644 > --- a/security/integrity/ima/ima.h > +++ b/security/integrity/ima/ima.h > @@ -262,7 +262,8 @@ int ima_get_action(struct user_namespace *mnt_userns, struct inode *inode, > int ima_must_measure(struct inode *inode, int mask, enum ima_hooks func); > int ima_collect_measurement(struct integrity_iint_cache *iint, > struct file *file, void *buf, loff_t size, > - enum hash_algo algo, struct modsig *modsig); > + enum hash_algo algo, struct modsig *modsig, > + bool veritysig); > void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file, > const unsigned char *filename, > struct evm_ima_xattr_data *xattr_value, > diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c > index 42c6ff7056e6..179c7f0364c2 100644 > --- a/security/integrity/ima/ima_api.c > +++ b/security/integrity/ima/ima_api.c > @@ -217,7 +217,8 @@ int ima_get_action(struct user_namespace *mnt_userns, struct inode *inode, > */ > int ima_collect_measurement(struct integrity_iint_cache *iint, > struct file *file, void *buf, loff_t size, > - enum hash_algo algo, struct modsig *modsig) > + enum hash_algo algo, struct modsig *modsig, > + bool veritysig) > { > const char *audit_cause = "failed"; > struct inode *inode = file_inode(file); > diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c > index d43a27a9a9b6..b31be383e668 100644 > --- a/security/integrity/ima/ima_appraise.c > +++ b/security/integrity/ima/ima_appraise.c > @@ -510,7 +510,8 @@ void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file) > !(iint->flags & IMA_HASH)) > return; > > - rc = ima_collect_measurement(iint, file, NULL, 0, ima_hash_algo, NULL); > + rc = ima_collect_measurement(iint, file, NULL, 0, ima_hash_algo, > + NULL, FALSE); > if (rc < 0) > return; > > diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c > index 465865412100..a73e1e845ea8 100644 > --- a/security/integrity/ima/ima_main.c > +++ b/security/integrity/ima/ima_main.c > @@ -216,6 +216,7 @@ static int process_measurement(struct file *file, const struct cred *cred, > bool violation_check; > enum hash_algo hash_algo; > unsigned int allowed_algos = 0; > + int veritysig = FALSE; > > if (!ima_policy_flag || !S_ISREG(inode->i_mode)) > return 0; > @@ -333,8 +334,12 @@ static int process_measurement(struct file *file, const struct cred *cred, > } > > hash_algo = ima_get_hash_algo(xattr_value, xattr_len); > + if (xattr_value && xattr_value->type == IMA_VERITY_DIGSIG && > + strcmp(template_desc->name, "ima-sig") == 0) > + veritysig = TRUE; > > - rc = ima_collect_measurement(iint, file, buf, size, hash_algo, modsig); > + rc = ima_collect_measurement(iint, file, buf, size, hash_algo, > + modsig, veritysig); > if (rc != 0 && rc != -EBADF && rc != -EINVAL) > goto out_locked; > > diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c > index ca017cae73eb..5bad251f3b07 100644 > --- a/security/integrity/ima/ima_template_lib.c > +++ b/security/integrity/ima/ima_template_lib.c > @@ -478,7 +478,8 @@ int ima_eventsig_init(struct ima_event_data *event_data, > { > struct evm_ima_xattr_data *xattr_value = event_data->xattr_value; > > - if ((!xattr_value) || (xattr_value->type != EVM_IMA_XATTR_DIGSIG)) > + if ((!xattr_value) || !(xattr_value->type == EVM_IMA_XATTR_DIGSIG || > + xattr_value->type == IMA_VERITY_DIGSIG)) > return ima_eventevmsig_init(event_data, field_data); > > return ima_write_template_field_data(xattr_value, event_data->xattr_len, >
Hi Eric, On Mon, 2021-11-29 at 18:35 -0800, Eric Biggers wrote: > > diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c > > index 42c6ff7056e6..179c7f0364c2 100644 > > --- a/security/integrity/ima/ima_api.c > > +++ b/security/integrity/ima/ima_api.c > > @@ -217,7 +217,8 @@ int ima_get_action(struct user_namespace *mnt_userns, struct inode *inode, > > */ > > int ima_collect_measurement(struct integrity_iint_cache *iint, > > struct file *file, void *buf, loff_t size, > > - enum hash_algo algo, struct modsig *modsig) > > + enum hash_algo algo, struct modsig *modsig, > > + bool veritysig) > > 'veritysig' is being added here but it doesn't actually do anything. It seems > this patchset is not split up correctly. True, this patch just adds the plumbing. Reversing 3 & 4 could result in including the fs-verity digest, without the signature in the measurement list. The alternative is to squash patches 3 & 4. thanks, Mimi
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index be965a8715e4..ab257e404f8e 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -262,7 +262,8 @@ int ima_get_action(struct user_namespace *mnt_userns, struct inode *inode, int ima_must_measure(struct inode *inode, int mask, enum ima_hooks func); int ima_collect_measurement(struct integrity_iint_cache *iint, struct file *file, void *buf, loff_t size, - enum hash_algo algo, struct modsig *modsig); + enum hash_algo algo, struct modsig *modsig, + bool veritysig); void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file, const unsigned char *filename, struct evm_ima_xattr_data *xattr_value, diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index 42c6ff7056e6..179c7f0364c2 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -217,7 +217,8 @@ int ima_get_action(struct user_namespace *mnt_userns, struct inode *inode, */ int ima_collect_measurement(struct integrity_iint_cache *iint, struct file *file, void *buf, loff_t size, - enum hash_algo algo, struct modsig *modsig) + enum hash_algo algo, struct modsig *modsig, + bool veritysig) { const char *audit_cause = "failed"; struct inode *inode = file_inode(file); diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index d43a27a9a9b6..b31be383e668 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -510,7 +510,8 @@ void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file) !(iint->flags & IMA_HASH)) return; - rc = ima_collect_measurement(iint, file, NULL, 0, ima_hash_algo, NULL); + rc = ima_collect_measurement(iint, file, NULL, 0, ima_hash_algo, + NULL, FALSE); if (rc < 0) return; diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 465865412100..a73e1e845ea8 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -216,6 +216,7 @@ static int process_measurement(struct file *file, const struct cred *cred, bool violation_check; enum hash_algo hash_algo; unsigned int allowed_algos = 0; + int veritysig = FALSE; if (!ima_policy_flag || !S_ISREG(inode->i_mode)) return 0; @@ -333,8 +334,12 @@ static int process_measurement(struct file *file, const struct cred *cred, } hash_algo = ima_get_hash_algo(xattr_value, xattr_len); + if (xattr_value && xattr_value->type == IMA_VERITY_DIGSIG && + strcmp(template_desc->name, "ima-sig") == 0) + veritysig = TRUE; - rc = ima_collect_measurement(iint, file, buf, size, hash_algo, modsig); + rc = ima_collect_measurement(iint, file, buf, size, hash_algo, + modsig, veritysig); if (rc != 0 && rc != -EBADF && rc != -EINVAL) goto out_locked; diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c index ca017cae73eb..5bad251f3b07 100644 --- a/security/integrity/ima/ima_template_lib.c +++ b/security/integrity/ima/ima_template_lib.c @@ -478,7 +478,8 @@ int ima_eventsig_init(struct ima_event_data *event_data, { struct evm_ima_xattr_data *xattr_value = event_data->xattr_value; - if ((!xattr_value) || (xattr_value->type != EVM_IMA_XATTR_DIGSIG)) + if ((!xattr_value) || !(xattr_value->type == EVM_IMA_XATTR_DIGSIG || + xattr_value->type == IMA_VERITY_DIGSIG)) return ima_eventevmsig_init(event_data, field_data); return ima_write_template_field_data(xattr_value, event_data->xattr_len,
Without the file signature included the IMA measurement list, the type of file digest is unclear. Limit including fs-verity's file digest in the IMA measurement list based on whether the template name is ima-sig. In the future, this could be relaxed to include any template format that includes the file signature. Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> --- security/integrity/ima/ima.h | 3 ++- security/integrity/ima/ima_api.c | 3 ++- security/integrity/ima/ima_appraise.c | 3 ++- security/integrity/ima/ima_main.c | 7 ++++++- security/integrity/ima/ima_template_lib.c | 3 ++- 5 files changed, 14 insertions(+), 5 deletions(-)