From patchwork Wed Feb 14 13:35:14 2018
X-Patchwork-Submitter: Mimi Zohar
X-Patchwork-Id: 10218865
From: Mimi Zohar
To: linux-integrity@vger.kernel.org
Cc: linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, Mimi Zohar, Miklos Szeredi, Seth Forshee, "Eric W. Biederman", Dongsu Park, Alban Crequy, "Serge E. Hallyn"
Subject: [RFC PATCH 3/4] ima: define a new policy option named "fail"
Date: Wed, 14 Feb 2018 08:35:14 -0500
In-Reply-To: <1518615315-7162-1-git-send-email-zohar@linux.vnet.ibm.com>
References: <1518615315-7162-1-git-send-email-zohar@linux.vnet.ibm.com>
Message-Id: <1518615315-7162-3-git-send-email-zohar@linux.vnet.ibm.com>

Verifying file signatures on untrusted filesystems is meaningless, as the filesystem can change the file at any time. This patch defines a new policy option named "fail", which fails signature verification on untrusted filesystems. Like any other signature verification failure, the measurement is still added to the measurement list and audited based on policy.
Signed-off-by: Mimi Zohar Cc: Miklos Szeredi Cc: Seth Forshee Cc: Eric W. Biederman Cc: Dongsu Park Cc: Alban Crequy Cc: "Serge E. Hallyn" --- Documentation/ABI/testing/ima_policy | 2 +- security/integrity/ima/ima_appraise.c | 8 ++++++-- security/integrity/ima/ima_policy.c | 12 +++++++++++- security/integrity/integrity.h | 1 + 4 files changed, 19 insertions(+), 4 deletions(-) diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy index aeb5c6326b9b..7c9529eb0f91 100644 --- a/Documentation/ABI/testing/ima_policy +++ b/Documentation/ABI/testing/ima_policy @@ -24,7 +24,7 @@ Description: [euid=] [fowner=] [fsname=]] lsm: [[subj_user=] [subj_role=] [subj_type=] [obj_user=] [obj_role=] [obj_type=]] - option: [[appraise_type=]] [permit_directio] + option: [[appraise_type=]] [permit_directio] [fail] base: func:= [BPRM_CHECK][MMAP_CHECK][FILE_CHECK][MODULE_CHECK] [FIRMWARE_CHECK] diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index af8add31fe26..511448867f02 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -292,9 +292,13 @@ int ima_appraise_measurement(enum ima_hooks func, } out: - /* Fail untrusted and unpriviliged filesystems (eg FUSE) */ + /* + * Fail untrusted filesystems (eg. FUSE) that are either + * unprivileged or based on policy. + */ if ((inode->i_sb->s_type->fs_flags & FS_UNTRUSTED) && - (inode->i_sb->s_user_ns != &init_user_ns)) { + ((inode->i_sb->s_user_ns != &init_user_ns) || + (iint->flags & IMA_FAIL_UNTRUSTED))) { status = INTEGRITY_FAIL; cause = "untrusted-filesystem"; integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename, diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 54847e08e6c8..1130c6deee41 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c 
@@ -538,7 +538,7 @@ enum { Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt, Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt, Opt_appraise_type, Opt_permit_directio, - Opt_pcr + Opt_pcr, Opt_fail }; static match_table_t policy_tokens = { @@ -572,6 +572,7 @@ static match_table_t policy_tokens = { {Opt_appraise_type, "appraise_type=%s"}, {Opt_permit_directio, "permit_directio"}, {Opt_pcr, "pcr=%s"}, + {Opt_fail, "fail"}, {Opt_err, NULL} }; @@ -912,6 +913,13 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) entry->flags |= IMA_PCR; break; + case Opt_fail: + if (entry->action != APPRAISE) { + result = -EINVAL; + break; + } + entry->flags |= IMA_FAIL_UNTRUSTED; + break; case Opt_err: ima_log_string(ab, "UNKNOWN", p); result = -EINVAL; @@ -1191,6 +1199,8 @@ int ima_policy_show(struct seq_file *m, void *v) seq_puts(m, "appraise_type=imasig "); if (entry->flags & IMA_PERMIT_DIRECTIO) seq_puts(m, "permit_directio "); + if (entry->flags & IMA_FAIL_UNTRUSTED) + seq_puts(m, "fail "); rcu_read_unlock(); seq_puts(m, "\n"); return 0; diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 50a8e3365df7..5c052258fd73 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -35,6 +35,7 @@ #define IMA_PERMIT_DIRECTIO 0x02000000 #define IMA_NEW_FILE 0x04000000 #define EVM_IMMUTABLE_DIGSIG 0x08000000 +#define IMA_FAIL_UNTRUSTED 0x10000000 #define IMA_DO_MASK (IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \ IMA_HASH | IMA_APPRAISE_SUBMASK)
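Review bot: the Documentation/ABI/testing/ima_policy hunk adds `[fail]` to the option line but says nothing about what the option does or where it is accepted; the ima_policy.c hunk rejects it with -EINVAL on any rule whose action is not `appraise`, and that constraint (plus the fact that `appraise` must come before `fail` on the rule line for the check to pass, as with `appraise_type=`) belongs in the ABI text. A one-line description next to the option, stating that it fails appraisal of files on untrusted (e.g. FUSE) filesystems and is valid only for appraise rules, would be enough.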
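Review bot: the ima_appraise.c hunk tests `iint->flags & IMA_FAIL_UNTRUSTED`, but the ima_policy.c hunk sets the bit on `entry->flags` (the rule), not on the iint; the check only fires if the policy match carries the bit from the matched rule into the iint flags, which the integrity.h hunk relies on by placing IMA_FAIL_UNTRUSTED at 0x10000000 in the same high byte as IMA_PERMIT_DIRECTIO and the other rule-derived option bits. Nothing in the patch states that dependency; a sentence in the commit message, or a comment beside the `#define` noting that the value must stay within the rule-option bit range that is copied to the iint, would keep a future renumbering from silently disabling the option. The rewritten comment should also read "e.g." rather than "eg.".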
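Review bot: in the ima_parse_rule hunk the `Opt_fail` case returns -EINVAL when `entry->action != APPRAISE` without logging anything, so an administrator whose rule is rejected (including the ordering case where `fail` precedes `appraise` on the line) gets no hint which token caused it, whereas the `Opt_err` path in the same hunk calls `ima_log_string(ab, "UNKNOWN", p)`. Suggest logging the token before breaking out, for example `ima_log_string(ab, "fail", p);` on the error path, so the audit record shows why the rule was dropped. The ima_policy_show hunk correctly mirrors the new flag in the policy dump.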