mbox series

[v2,00/12] IMA/EVM fixes

Message ID 20200904092339.19598-1-roberto.sassu@huawei.com
Headers show
Series IMA/EVM fixes | expand

Message

Roberto Sassu Sept. 4, 2020, 9:23 a.m. UTC
This patch set includes various fixes for IMA and EVM.

Patches 1-3 are trivial fixes. The remaining improve support and usability
of EVM portable signatures. In particular patch 4 allows EVM to be used
without an HMAC key. Patch 5 avoids appraisal verification of public keys
(they are already verified by the key subsystem).

Patches 6-7 allow metadata verification to be turned off when the HMAC key
is not already loaded and to use this mode in a safe way (by ensuring that
IMA revalidates metadata when there is a change).

Patches 8-9 make portable signatures more usable if metadata verification
cannot be turned off (because the HMAC key is loaded) by accepting any
metadata modification until signature verification succeeds (useful when
xattrs/attrs are copied in a sequence from a source) and by allowing
operations that don't change metadata.

Patch 10 makes it possible to use portable signatures when the IMA policy
requires file signatures and patch 11 shows portable signatures when the
ima-sig measurement list template is selected.

Lastly, patch 12 avoids undesired removal of security.ima when a file is
not selected by the IMA policy.

Roberto Sassu (12):
  ima: Don't ignore errors from crypto_shash_update()
  ima: Remove semicolon at the end of ima_get_binary_runtime_size()
  evm: Check size of security.evm before using it
  evm: Execute evm_inode_init_security() only when the HMAC key is
    loaded
  evm: Load EVM key in ima_load_x509() to avoid appraisal
  evm: Refuse EVM_ALLOW_METADATA_WRITES only if the HMAC key is loaded
  evm: Introduce EVM_RESET_STATUS atomic flag
  evm: Allow xattr/attr operations for portable signatures if check
    fails
  evm: Allow setxattr() and setattr() if metadata digest won't change
  ima: Allow imasig requirement to be satisfied by EVM portable
    signatures
  ima: Introduce template field evmsig and write to field sig as
    fallback
  ima: Don't remove security.ima if file must not be appraised

 Documentation/ABI/testing/evm             |   6 +-
 Documentation/security/IMA-templates.rst  |   4 +-
 include/linux/integrity.h                 |   1 +
 security/integrity/evm/evm_main.c         | 151 ++++++++++++++++++++--
 security/integrity/evm/evm_secfs.c        |   2 +-
 security/integrity/iint.c                 |   2 +
 security/integrity/ima/ima_appraise.c     |  26 ++--
 security/integrity/ima/ima_crypto.c       |   2 +
 security/integrity/ima/ima_init.c         |   4 +
 security/integrity/ima/ima_main.c         |   8 +-
 security/integrity/ima/ima_queue.c        |   2 +-
 security/integrity/ima/ima_template.c     |   2 +
 security/integrity/ima/ima_template_lib.c |  39 +++++-
 security/integrity/ima/ima_template_lib.h |   2 +
 security/integrity/integrity.h            |   1 +
 15 files changed, 225 insertions(+), 27 deletions(-)

Comments

Mimi Zohar Sept. 16, 2020, 4:14 p.m. UTC | #1
Hi Roberto,

On Fri, 2020-09-04 at 11:23 +0200, Roberto Sassu wrote:
> This patch set includes various fixes for IMA and EVM.
> 
> Patches 1-3 are trivial fixes. 

I've queued these patches in the next-integrity-testing branch for now.
When reposting this patch set please replace the cover letter subject
line with a more appropriate one.

> The remaining improve support and usability
> of EVM portable signatures. In particular patch 4 allows EVM to be used
> without an HMAC key.

EVM already supports using EVM portable and immutable sigatures without
an HMAC key.   

I was able to apply this patch set, but patch 10/12 does not apply
cleanly due to the "fallthrough" line.  Please hold off on reposting,
until I've finished reviewing the entire patch set.

thanks,

Mimi
Mimi Zohar Sept. 17, 2020, 2:33 p.m. UTC | #2
Hi Roberto,

On Wed, 2020-09-16 at 12:14 -0400, Mimi Zohar wrote:
> On Fri, 2020-09-04 at 11:23 +0200, Roberto Sassu wrote:
> > This patch set includes various fixes for IMA and EVM.
> > 
> > Patches 1-3 are trivial fixes. 
> 
> I've queued these patches in the next-integrity-testing branch for now.
> When reposting this patch set please replace the cover letter subject
> line with a more appropriate one.
> 
> > The remaining improve support and usability
> > of EVM portable signatures. In particular patch 4 allows EVM to be used
> > without an HMAC key.
> 
> EVM already supports using EVM portable and immutable sigatures without
> an HMAC key.   
> 
> I was able to apply this patch set, but patch 10/12 does not apply
> cleanly due to the "fallthrough" line.  Please hold off on reposting,
> until I've finished reviewing the entire patch set.

Done.  Other than the one issue of clearing the EVM_RESET_STATUS in
evm_verifyxattr(), the remaining changes are straight forward.

thanks,

Mimi