diff mbox series

[v1,3/5] ima: limit including fs-verity's file digest in measurement list

Message ID 20211202215507.298415-4-zohar@linux.ibm.com (mailing list archive)
State Superseded
Headers show
Series ima: support fs-verity signatures stored as | expand

Commit Message

Mimi Zohar Dec. 2, 2021, 9:55 p.m. UTC
Without the file signature included in the IMA measurement list, the type
of file digest is unclear.  Set up the plumbing to limit including
fs-verity's file digest in the IMA measurement list based on whether the
template name is ima-sig.  In the future, this could be relaxed to include
any template format that includes the file signature.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
Changelog v1:
- Updated patch description to indicate this is a prepartory patch.
- Addressed Eric's comment: use lowercase 'true'/'false'.
- Fixed patch description based on Lakshmi's review.


 Documentation/security/IMA-templates.rst  | 9 +++++++--
 security/integrity/ima/ima.h              | 3 ++-
 security/integrity/ima/ima_api.c          | 3 ++-
 security/integrity/ima/ima_appraise.c     | 3 ++-
 security/integrity/ima/ima_main.c         | 7 ++++++-
 security/integrity/ima/ima_template_lib.c | 3 ++-
 6 files changed, 21 insertions(+), 7 deletions(-)

Comments

Eric Biggers Dec. 2, 2021, 10:22 p.m. UTC | #1
On Thu, Dec 02, 2021 at 04:55:05PM -0500, Mimi Zohar wrote:
> Without the file signature included in the IMA measurement list, the type
> of file digest is unclear.  Set up the plumbing to limit including
> fs-verity's file digest in the IMA measurement list based on whether the
> template name is ima-sig.  In the future, this could be relaxed to include
> any template format that includes the file signature.
> 

Does it make sense to tie IMA's fs-verity support to files having signatures?
What about IMA audit mode?  I thought that is just about collecting hashes, and
has nothing to do with signatures.

- Eric
Mimi Zohar Dec. 2, 2021, 10:55 p.m. UTC | #2
On Thu, 2021-12-02 at 14:22 -0800, Eric Biggers wrote:
> On Thu, Dec 02, 2021 at 04:55:05PM -0500, Mimi Zohar wrote:
> > Without the file signature included in the IMA measurement list, the type
> > of file digest is unclear.  Set up the plumbing to limit including
> > fs-verity's file digest in the IMA measurement list based on whether the
> > template name is ima-sig.  In the future, this could be relaxed to include
> > any template format that includes the file signature.
> > 
> 
> Does it make sense to tie IMA's fs-verity support to files having signatures?
> What about IMA audit mode?  I thought that is just about collecting hashes, and
> has nothing to do with signatures.

There's IMA-measurement, IMA-audit, and IMA-appraisal.  IMA-audit
refers to adding the file hash to the audit log record.  IMA-
measurement stores the collected hash in the IMA measurement list and
extends the TPM with the measurement, if there's a TPM.  Based on
policy, determines whether the file is measured, audited, and/or
appraised.  I actually do think it makes sense to require a signature,
but not necessarily enforce signature verification, in order to
differentiate the type of measurement being included in the measurement
list.

thanks,

Mimi
diff mbox series

Patch

diff --git a/Documentation/security/IMA-templates.rst b/Documentation/security/IMA-templates.rst
index 1a91d92950a7..28640b543340 100644
--- a/Documentation/security/IMA-templates.rst
+++ b/Documentation/security/IMA-templates.rst
@@ -70,8 +70,8 @@  descriptors by adding their identifier to the format string
    prefix is shown only if the hash algorithm is not SHA1 or MD5);
  - 'd-modsig': the digest of the event without the appended modsig;
  - 'n-ng': the name of the event, without size limitations;
- - 'sig': the file signature, or the EVM portable signature if the file
-   signature is not found;
+ - 'sig': the file signature, based on either the file's/fsverity's digest[1],
+   or the EVM portable signature if the file signature is not found;
  - 'modsig' the appended file signature;
  - 'buf': the buffer data that was used to generate the hash without size limitations;
  - 'evmsig': the EVM portable signature;
@@ -106,3 +106,8 @@  currently the following methods are supported:
    the ``ima_template=`` parameter;
  - register a new template descriptor with custom format through the kernel
    command line parameter ``ima_template_fmt=``.
+
+
+References
+==========
+[1] Documentation/filesystems/fsverity.rst
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index be965a8715e4..ab257e404f8e 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -262,7 +262,8 @@  int ima_get_action(struct user_namespace *mnt_userns, struct inode *inode,
 int ima_must_measure(struct inode *inode, int mask, enum ima_hooks func);
 int ima_collect_measurement(struct integrity_iint_cache *iint,
 			    struct file *file, void *buf, loff_t size,
-			    enum hash_algo algo, struct modsig *modsig);
+			    enum hash_algo algo, struct modsig *modsig,
+			    bool veritysig);
 void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file,
 			   const unsigned char *filename,
 			   struct evm_ima_xattr_data *xattr_value,
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index a64fb0130b01..7505563315cb 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -212,7 +212,8 @@  int ima_get_action(struct user_namespace *mnt_userns, struct inode *inode,
  */
 int ima_collect_measurement(struct integrity_iint_cache *iint,
 			    struct file *file, void *buf, loff_t size,
-			    enum hash_algo algo, struct modsig *modsig)
+			    enum hash_algo algo, struct modsig *modsig,
+			    bool veritysig)
 {
 	const char *audit_cause = "failed";
 	struct inode *inode = file_inode(file);
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index d43a27a9a9b6..549fe051269a 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -510,7 +510,8 @@  void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file)
 	    !(iint->flags & IMA_HASH))
 		return;
 
-	rc = ima_collect_measurement(iint, file, NULL, 0, ima_hash_algo, NULL);
+	rc = ima_collect_measurement(iint, file, NULL, 0, ima_hash_algo,
+				     NULL, false);
 	if (rc < 0)
 		return;
 
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 465865412100..4b6b13becb16 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -216,6 +216,7 @@  static int process_measurement(struct file *file, const struct cred *cred,
 	bool violation_check;
 	enum hash_algo hash_algo;
 	unsigned int allowed_algos = 0;
+	int veritysig = false;
 
 	if (!ima_policy_flag || !S_ISREG(inode->i_mode))
 		return 0;
@@ -333,8 +334,12 @@  static int process_measurement(struct file *file, const struct cred *cred,
 	}
 
 	hash_algo = ima_get_hash_algo(xattr_value, xattr_len);
+	if (xattr_value && xattr_value->type == IMA_VERITY_DIGSIG &&
+	    strcmp(template_desc->name, "ima-sig") == 0)
+		veritysig = true;
 
-	rc = ima_collect_measurement(iint, file, buf, size, hash_algo, modsig);
+	rc = ima_collect_measurement(iint, file, buf, size, hash_algo,
+				     modsig, veritysig);
 	if (rc != 0 && rc != -EBADF && rc != -EINVAL)
 		goto out_locked;
 
diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c
index ca017cae73eb..5bad251f3b07 100644
--- a/security/integrity/ima/ima_template_lib.c
+++ b/security/integrity/ima/ima_template_lib.c
@@ -478,7 +478,8 @@  int ima_eventsig_init(struct ima_event_data *event_data,
 {
 	struct evm_ima_xattr_data *xattr_value = event_data->xattr_value;
 
-	if ((!xattr_value) || (xattr_value->type != EVM_IMA_XATTR_DIGSIG))
+	if ((!xattr_value) || !(xattr_value->type == EVM_IMA_XATTR_DIGSIG ||
+				xattr_value->type == IMA_VERITY_DIGSIG))
 		return ima_eventevmsig_init(event_data, field_data);
 
 	return ima_write_template_field_data(xattr_value, event_data->xattr_len,