| Message ID | 20200409033907.102833-3-tianjia.zhang@linux.alibaba.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | support to read and tune appraise mode in runtime | expand |
Hi Tianjia,
Thank you for the patch! Yet something to improve:
[auto build test ERROR on integrity/next-integrity]
[also build test ERROR on v5.6 next-20200408]
[if your patch is applied to the wrong git tree, please drop us a note to help
improve the system. BTW, we also suggest to use '--base' option to specify the
base tree in git format-patch, please see https://stackoverflow.com/a/37406982]
url: https://github.com/0day-ci/linux/commits/Tianjia-Zhang/support-to-read-and-tune-appraise-mode-in-runtime/20200409-114057
base: https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git next-integrity
config: c6x-randconfig-a001-20200409 (attached as .config)
compiler: c6x-elf-gcc (GCC) 9.3.0
reproduce:
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# save the attached .config to linux build tree
GCC_VERSION=9.3.0 make.cross ARCH=c6x
If you fix the issue, kindly add following tag as appropriate
Reported-by: kbuild test robot <lkp@intel.com>
All errors (new ones prefixed by >>):
security/integrity/ima/ima_fs.c: In function 'repopulate_ima_appraise_mode':
>> security/integrity/ima/ima_fs.c:518:9: error: implicit declaration of function 'verify_pkcs7_signature' [-Werror=implicit-function-declaration]
518 | ret = verify_pkcs7_signature(s, strlen(s), pkcs7, pkcs7_len,
| ^~~~~~~~~~~~~~~~~~~~~~
cc1: some warnings being treated as errors
vim +/verify_pkcs7_signature +518 security/integrity/ima/ima_fs.c
499
500 /* Verify the supplied PKCS#7 signature. The signed content may be off,
501 * enforce, log, fix.
502 */
503 static int repopulate_ima_appraise_mode(void *pkcs7, size_t pkcs7_len)
504 {
505 static char *appraise_mode_strings[] = { "off", "enforce", "fix", "log" };
506 static int appraise_modes[] = {
507 0,
508 IMA_APPRAISE_ENFORCE,
509 IMA_APPRAISE_FIX,
510 IMA_APPRAISE_LOG,
511 };
512 int index, ret = -1;
513 const char *s;
514 int size = ARRAY_SIZE(appraise_mode_strings);
515
516 for (index = 0; index < size; index++) {
517 s = appraise_mode_strings[index];
> 518 ret = verify_pkcs7_signature(s, strlen(s), pkcs7, pkcs7_len,
519 NULL, VERIFYING_UNSPECIFIED_SIGNATURE,
520 NULL, NULL);
521 if (!ret)
522 break;
523 }
524
525 if (index == size)
526 goto out;
527
528 ima_appraise = appraise_modes[index];
529
530 out:
531 return ret;
532 }
533
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c index 65384f6ac0d9..c21ca145de0f 100644 --- a/security/integrity/ima/ima_fs.c +++ b/security/integrity/ima/ima_fs.c @@ -20,11 +20,15 @@ #include <linux/rcupdate.h> #include <linux/parser.h> #include <linux/vmalloc.h> +#include <linux/verification.h> #include "ima.h" static DEFINE_MUTEX(ima_write_mutex); +/* maximum length of token allowed for signed appraise mode */ +#define APPRAISE_MAX_TOKEN_SIZE (512 * 1024) + bool ima_canonical_fmt; static int __init default_canonical_fmt_setup(char *str) { @@ -466,8 +470,106 @@ static ssize_t ima_appraise_mode_read(struct file *filp, return simple_read_from_buffer(buf, count, ppos, mode, strlen(mode)); } +static int check_signature_info(char *buf, size_t count) +{ + u8 *p; + + /* + * In order to tune the appraise mode, a PKCS#7 signature is + * supplied. + * + * Assuming ASN.1 encoding supplied, the minimal length would be + * 4-byte header plus at least 256-byte payload. + */ + if (count < 260) + return -EINVAL; + + p = (u8 *)buf; + + /* The primitive type must be a sequence */ + if (p[0] != 0x30 || p[1] != 0x82) + return -EINVAL; + + /* Match up the length of the supplied buffer */ + if (be16_to_cpup((__be16 *)(p + 2)) != count - 4) + return -EINVAL; + + return 0; +} + +/* Verify the supplied PKCS#7 signature. The signed content may be off, + * enforce, log, fix. + */ +static int repopulate_ima_appraise_mode(void *pkcs7, size_t pkcs7_len) +{ + static char *appraise_mode_strings[] = { "off", "enforce", "fix", "log" }; + static int appraise_modes[] = { + 0, + IMA_APPRAISE_ENFORCE, + IMA_APPRAISE_FIX, + IMA_APPRAISE_LOG, + }; + int index, ret = -1; + const char *s; + int size = ARRAY_SIZE(appraise_mode_strings); + + for (index = 0; index < size; index++) { + s = appraise_mode_strings[index]; + ret = verify_pkcs7_signature(s, strlen(s), pkcs7, pkcs7_len, + NULL, VERIFYING_UNSPECIFIED_SIGNATURE, + NULL, NULL); + if (!ret) + break; + } + + if (index == size) + goto out; + + ima_appraise = appraise_modes[index]; + +out: + return ret; +} + +static ssize_t ima_appraise_mode_write(struct file *filp, + const char __user *ubuf, + size_t count, loff_t *ppos) +{ + char *buf; + ssize_t ret; + + if (*ppos > 1) + return -EFBIG; + + if (count > APPRAISE_MAX_TOKEN_SIZE) + return -EFBIG; + + buf = kmalloc(count, GFP_KERNEL); + if (!buf) + return -ENOMEM; + + ret = simple_write_to_buffer(buf, count, ppos, ubuf, count); + if (ret <= 0) + goto out; + + ret = check_signature_info(buf, count); + if (ret) + goto out; + + ret = repopulate_ima_appraise_mode(buf, count); + if (ret) + goto out; + + ret = count; + +out: + kfree(buf); + return ret; +} + static const struct file_operations ima_appraise_mode_ops = { .read = ima_appraise_mode_read, + .write = ima_appraise_mode_write, .llseek = generic_file_llseek, };
In order to tune appraise mode in runtime, writing a PKCS#7 signature corresponding the signed content is required. The content should be off, enforce, log or fix. Given a simple way to archive this: $ echo -n off > mode $ openssl smime -sign -nocerts -noattr -binary \ -in mode -inkey <system_trusted_key> \ -signer <cert> -outform der -out mode.p7s $ sudo cat mode.p7s \ > /sys/kernel/security/ima/appraise_mode Note that the signing key must be a trust key located in system trusted keyring. So even the root privilege cannot simply disable the enforcement. Signed-off-by: luanshi <zhangliguang@linux.alibaba.com> Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com> --- security/integrity/ima/ima_fs.c | 102 ++++++++++++++++++++++++++++++++ 1 file changed, 102 insertions(+)