From patchwork Wed Jul 25 23:31:57 2018
X-Patchwork-Submitter: Eric Richter
X-Patchwork-Id: 10544915
From: Eric Richter
To: linux-integrity
Cc: linux-security-module, linux-efi, linux-kernel, David Howells, Seth Forshee, Justin Forbes, Nayna Jain, Mimi Zohar
Subject: [PATCH 1/4] ima: add support for arch specific policies
Date: Wed, 25 Jul 2018 18:31:57 -0500
In-Reply-To: <20180725233200.761-1-erichte@linux.vnet.ibm.com>
References: <20180725233200.761-1-erichte@linux.vnet.ibm.com>
Message-Id: <20180725233200.761-2-erichte@linux.vnet.ibm.com>

From: Nayna Jain

Builtin IMA policies can be enabled on the boot command line, and replaced with a custom policy, normally during early boot in the initramfs. Build time IMA policy rules were recently added. These rules are automatically enabled on boot and persist after loading a custom policy.

There is a need for yet another type of policy, an architecture specific policy, which is derived at runtime during kernel boot, based on the runtime secure boot flags. Like the build time policy rules, these rules persist after loading a custom policy.

This patch adds support for loading an architecture specific IMA policy.
Signed-off-by: Nayna Jain - Defined function to convert the arch policy strings to an array of ima_entry_rules. The memory can then be freed after loading a custom policy. - Rename ima_get_arch_policy to arch_get_ima_policy. Signed-off-by: Mimi Zohar --- include/linux/ima.h | 5 ++ security/integrity/ima/ima_policy.c | 95 +++++++++++++++++++++++++++++++++++++ 2 files changed, 100 insertions(+) diff --git a/include/linux/ima.h b/include/linux/ima.h index 84806b54b50..7fd272f0b1f 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -30,6 +30,11 @@ extern void ima_post_path_mknod(struct dentry *dentry); extern void ima_add_kexec_buffer(struct kimage *image); #endif +static inline const char * const *arch_get_ima_policy(void) +{ + return NULL; +} + #else static inline int ima_bprm_check(struct linux_binprm *bprm) { diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 8c9499867c9..b47db4d7fea 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -20,6 +20,7 @@ #include #include #include +#include #include "ima.h" @@ -193,6 +194,10 @@ static struct ima_rule_entry secure_boot_rules[] __ro_after_init = { .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, }; +/* An array of architecture specific rules */ +struct ima_rule_entry **arch_policy_rules __ro_after_init; +struct ima_rule_entry *arch_policy_entry __ro_after_init; + static LIST_HEAD(ima_default_rules); static LIST_HEAD(ima_policy_rules); static LIST_HEAD(ima_temp_rules); 
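Review bot: in the ima_policy.c hunk that adds `arch_policy_rules` and `arch_policy_entry`, both globals are non-static although nothing outside this file uses them, and both are marked `__ro_after_init` even though the `ima_update_policy()` hunk of this same patch `kfree()`s them from a non-init path; once the memory is freed the attribute makes it impossible to clear the pointers, so they are left dangling. Make them `static`, and either drop `__ro_after_init` so the free path can set them to NULL, or keep the attribute and never free the arrays.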
@@ -473,6 +478,59 @@ static int ima_appraise_flag(enum ima_hooks func) return 0; } +static int ima_parse_rule(char *rule, struct ima_rule_entry *entry); + +/* + * ima_init_arch_policy - convert arch policy strings to rules + * + * Return number of arch specific rules. + */ +static int __init ima_init_arch_policy(void) +{ + const char * const *arch_rules; + const char * const *rules; + int arch_entries = 0; + int i = 0; + + arch_rules = arch_get_ima_policy(); + if (!arch_rules) { + pr_info("No architecture policy rules.\n"); + return arch_entries; + } + + /* Get number of rules */ + for (rules = arch_rules; *rules != NULL; rules++) + arch_entries++; + + arch_policy_rules = kcalloc(arch_entries + 1, + sizeof(*arch_policy_rules), GFP_KERNEL); + if (!arch_policy_rules) + return 0; + + arch_policy_entry = kcalloc(arch_entries + 1, + sizeof(*arch_policy_entry), GFP_KERNEL); + + /* Convert arch policy string rules to struct ima_rule_entry format */ + for (rules = arch_rules, i = 0; *rules != NULL; rules++) { + char rule[255]; + int result; + + result = strlcpy(rule, *rules, sizeof(rule)); + + INIT_LIST_HEAD(&arch_policy_entry[i].list); + result = ima_parse_rule(rule, &arch_policy_entry[i]); + if (result) { + pr_warn("Skipping unknown architecture policy rule: %s\n", rule); + memset(&arch_policy_entry[i], 0, + sizeof(*arch_policy_entry)); + continue; + } + arch_policy_rules[i] = &arch_policy_entry[i]; + i++; + } + return i; +} + /** * ima_init_policy - initialize the default measure rules. * @@ -482,6 +540,7 @@ static int ima_appraise_flag(enum ima_hooks func) void __init ima_init_policy(void) { int i, measure_entries, appraise_entries, secure_boot_entries; + int arch_policy_entries; /* if !ima_policy set entries = 0 so we load NO default rules */ measure_entries = ima_policy ? ARRAY_SIZE(dont_measure_rules) : 0; 
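Review bot: in `ima_init_arch_policy()`, the return value of the second `kcalloc()` (`arch_policy_entry`) is never checked, so an allocation failure dereferences NULL at `INIT_LIST_HEAD(&arch_policy_entry[i].list)`; add `if (!arch_policy_entry) { kfree(arch_policy_rules); return 0; }` right after it. In the conversion loop, `result = strlcpy(rule, *rules, sizeof(rule));` is assigned and immediately overwritten by the `ima_parse_rule()` call, so an arch rule longer than the 255-byte stack buffer is silently truncated and parsed as a shorter, different rule; test `result >= sizeof(rule)` and skip that entry with a `pr_warn()` instead.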
@@ -507,6 +566,33 @@ void __init ima_init_policy(void) break; } + /* + * Based on runtime secure boot flags, insert arch specific measurement + * and appraise rules requiring file signatures for both the initial + * and custom policies, prior to other appraise rules. + * (Highest priority) + */ + arch_policy_entries = ima_init_arch_policy(); + if (arch_policy_entries > 0) + pr_info("Adding %d architecture policy rules.\n", arch_policy_entries); + for (i = 0; i < arch_policy_entries; i++) { + struct ima_rule_entry *entry; + + list_add_tail(&arch_policy_rules[i]->list, &ima_default_rules); + + entry = kmemdup(&arch_policy_entry[i], sizeof(*entry), + GFP_KERNEL); + if (!entry) { + WARN_ONCE(true, "Failed adding architecture rules to custom policy\n"); + continue; + } + + INIT_LIST_HEAD(&entry->list); + list_add_tail(&entry->list, &ima_policy_rules); + if (entry->action == APPRAISE) + build_ima_appraise |= ima_appraise_flag(entry->func); + } + /* * Insert the builtin "secure_boot" policy rules requiring file * signatures, prior to any other appraise rules. 
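Review bot: in the `ima_init_policy()` hunk, a `kmemdup()` failure only triggers `WARN_ONCE` and `continue`, so the custom policy on `ima_policy_rules` ends up missing an architecture rule that the default policy still carries; on the path the comment marks "(Highest priority)" that is a fail-open, since the secure-boot kexec restriction silently disappears the moment a custom policy is loaded. This runs at `__init` time for a handful of rules, so treat the failure as fatal, or record it and refuse to switch to a custom policy later rather than warning and moving on.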
@@ -576,6 +662,15 @@ void ima_update_policy(void) if (ima_rules != policy) { ima_policy_flag = 0; ima_rules = policy; + + /* + * IMA architecture specific policy rules are specified + * as strings and converted to an array of ima_entry_rules + * on boot. After loading a custom policy, free the + * architecture specific rules stored as an array. + */ + kfree(arch_policy_rules); + kfree(arch_policy_entry); } ima_update_policy_flag(); }
From patchwork Wed Jul 25 23:31:58 2018
X-Patchwork-Submitter: Eric Richter
X-Patchwork-Id: 10544925
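Review bot: in the `ima_update_policy()` hunk, `kfree(arch_policy_entry)` frees entries that are still linked into `ima_default_rules` (they were added there with `list_add_tail(&arch_policy_rules[i]->list, &ima_default_rules)` in `ima_init_policy()`), and neither pointer is reset afterwards. `ima_default_rules` is no longer the active list once `ima_rules = policy`, but it is left holding dangling `list_head`s, and the two globals keep pointing at freed memory. Either `list_del()` each entry before freeing and set `arch_policy_rules`/`arch_policy_entry` to NULL, or simply keep the arrays for the lifetime of the kernel; they hold a few rules. If `ima_parse_rule()` allocates anything per entry, that is leaked here as well, since only the two arrays are freed.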
From: Eric Richter
To: linux-integrity
Cc: linux-security-module, linux-efi, linux-kernel, David Howells, Seth Forshee, Justin Forbes, Nayna Jain
Subject: [PATCH 2/4] ima: add support for external setting of ima_appraise
Date: Wed, 25 Jul 2018 18:31:58 -0500
In-Reply-To: <20180725233200.761-1-erichte@linux.vnet.ibm.com>
References: <20180725233200.761-1-erichte@linux.vnet.ibm.com>
Message-Id: <20180725233200.761-3-erichte@linux.vnet.ibm.com>

From: Nayna Jain

The "ima_appraise" mode defaults to enforcing, unless configured to allow the boot command line "ima_appraise" option. This patch allows the "ima_appraise" mode to be defined based on the arch setting.

Signed-off-by: Nayna Jain --- security/integrity/ima/ima.h | 5 +++++ security/integrity/ima/ima_appraise.c | 11 +++++++++-- security/integrity/ima/ima_policy.c | 5 ++++- 3 files changed, 18 insertions(+), 3 deletions(-) diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 588e4813370..6e5fa7c4280 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h
@@ -248,6 +248,7 @@ enum hash_algo ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value, int xattr_len); int ima_read_xattr(struct dentry *dentry, struct evm_ima_xattr_data **xattr_value); +void set_ima_appraise(char *str); #else static inline int ima_appraise_measurement(enum ima_hooks func, @@ -290,6 +291,10 @@ static inline int ima_read_xattr(struct dentry *dentry, return 0; } +static inline void set_ima_appraise(char *str) +{ +} + #endif /* CONFIG_IMA_APPRAISE */ /* LSM based policy rules require audit */ diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index 8bd7a0733e5..e061613bcb8 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -18,15 +18,22 @@ #include "ima.h" -static int __init default_appraise_setup(char *str) +void set_ima_appraise(char *str) { -#ifdef CONFIG_IMA_APPRAISE_BOOTPARAM if (strncmp(str, "off", 3) == 0) ima_appraise = 0; else if (strncmp(str, "log", 3) == 0) ima_appraise = IMA_APPRAISE_LOG; else if (strncmp(str, "fix", 3) == 0) ima_appraise = IMA_APPRAISE_FIX; + else if (strncmp(str, "enforce", 7) == 0) + ima_appraise = IMA_APPRAISE_ENFORCE; +} + +static int __init default_appraise_setup(char *str) +{ +#ifdef CONFIG_IMA_APPRAISE_BOOTPARAM + set_ima_appraise(str); #endif return 1; } diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index b47db4d7fea..402e5bd1093 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c 
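Review bot: in the ima_appraise.c hunk, `set_ima_appraise()` is only ever called from `__init` code (`default_appraise_setup()` here and `ima_init_policy()` in the ima_policy.c hunk of this patch), so mark it `__init` and adjust the declaration in ima.h; as written it stays resident after boot as a non-static setter for `ima_appraise` with no post-init caller. The new `strncmp(str, "enforce", 7)` also accepts any string that merely starts with "enforce"; that mirrors the existing prefix matches for "off"/"log"/"fix", but a `strcmp()` (or `sysfs_streq()`) is the stricter choice for the new keyword.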
@@ -573,8 +573,11 @@ void __init ima_init_policy(void) * (Highest priority) */ arch_policy_entries = ima_init_arch_policy(); - if (arch_policy_entries > 0) + if (arch_policy_entries > 0) { pr_info("Adding %d architecture policy rules.\n", arch_policy_entries); + set_ima_appraise("enforce"); + } + for (i = 0; i < arch_policy_entries; i++) { struct ima_rule_entry *entry;
From patchwork Wed Jul 25 23:31:59 2018
X-Patchwork-Submitter: Eric Richter
X-Patchwork-Id: 10544919
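Review bot: `set_ima_appraise("enforce")` in the `ima_init_policy()` hunk silently overrides whatever `ima_appraise=` (off/log/fix) was given on the boot command line whenever architecture rules are present. Forcing enforce mode under secure boot is the intent, but say so: log it next to the "Adding %d architecture policy rules." message so an administrator can see why `ima_appraise=log` had no effect, and note the override in the `ima_appraise=` entry of Documentation/admin-guide/kernel-parameters.txt.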
From: Eric Richter
To: linux-integrity
Cc: linux-security-module, linux-efi, linux-kernel, David Howells, Seth Forshee, Justin Forbes, Eric Richter
Subject: [PATCH 3/4] ima: add support for KEXEC_ORIG_KERNEL_CHECK
Date: Wed, 25 Jul 2018 18:31:59 -0500
In-Reply-To: <20180725233200.761-1-erichte@linux.vnet.ibm.com>
References: <20180725233200.761-1-erichte@linux.vnet.ibm.com>
Message-Id: <20180725233200.761-4-erichte@linux.vnet.ibm.com>

IMA can verify the signature of kernel images loaded with kexec_file_load, but cannot verify images loaded with the regular kexec_load syscall. Therefore, the appraisal will automatically fail during kexec_load when an appraise policy rule is set for func=KEXEC_KERNEL_CHECK. This can be used to effectively disable the kexec_load syscall, while still allowing the kexec_file_load to operate so long as the target kernel image is signed.

However, this conflicts with CONFIG_KEXEC_VERIFY_SIG. If that option is enabled and there is an appraise rule set, then the target kernel would have to be verifiable by both IMA and the architecture specific kernel verification procedure.

This patch adds a new func= for IMA appraisal specifically for the original kexec_load syscall.
Therefore, the kexec_load syscall can be effectively disabled via IMA policy, leaving the kexec_file_load syscall able to do its own signature verification, and not require it to be signed via IMA. To retain compatibility, the existing func=KEXEC_KERNEL_CHECK flag is unchanged, and thus enables appraisal for both kexec syscalls. Signed-off-by: Eric Richter --- Documentation/ABI/testing/ima_policy | 1 + security/integrity/ima/ima.h | 2 ++ security/integrity/ima/ima_main.c | 3 ++- security/integrity/ima/ima_policy.c | 5 +++++ 4 files changed, 10 insertions(+), 1 deletion(-) diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy index 74c6702de74..031417779ec 100644 --- a/Documentation/ABI/testing/ima_policy +++ b/Documentation/ABI/testing/ima_policy @@ -29,6 +29,7 @@ Description: base: func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK] [FIRMWARE_CHECK] [KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK] + [KEXEC_ORIG_KERNEL_CHECK] mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND] [[^]MAY_EXEC] fsmagic:= hex value diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 6e5fa7c4280..c76e53c982b 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -181,6 +181,7 @@ static inline unsigned long ima_hash_key(u8 *digest) hook(MODULE_CHECK) \ hook(FIRMWARE_CHECK) \ hook(KEXEC_KERNEL_CHECK) \ + hook(KEXEC_ORIG_KERNEL_CHECK) \ hook(KEXEC_INITRAMFS_CHECK) \ hook(POLICY_CHECK) \ hook(MAX_CHECK) @@ -233,6 +234,7 @@ int ima_policy_show(struct seq_file *m, void *v); #define IMA_APPRAISE_FIRMWARE 0x10 #define IMA_APPRAISE_POLICY 0x20 #define IMA_APPRAISE_KEXEC 0x40 +#define IMA_APPRAISE_ORIG_KEXEC 0x80 #ifdef CONFIG_IMA_APPRAISE int ima_appraise_measurement(enum ima_hooks func, diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index dce0a8a217b..a7b4220043d 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c 
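Review bot: the Documentation/ABI/testing/ima_policy hunk adds `[KEXEC_ORIG_KERNEL_CHECK]` to the `func:=` list but nothing in the document says how it differs from `KEXEC_KERNEL_CHECK`; add a sentence stating that it applies only to the original `kexec_load` syscall, so an `appraise` rule on it always fails for lack of a file to appraise, whereas `KEXEC_KERNEL_CHECK` covers both `kexec_load` and `kexec_file_load`, as the commit message explains. A sample rule such as `appraise func=KEXEC_ORIG_KERNEL_CHECK appraise_type=imasig` alongside the existing examples would make the intended use obvious.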
@@ -512,7 +512,8 @@ int ima_load_data(enum kernel_load_data_id id) switch (id) { case LOADING_KEXEC_IMAGE: - if (ima_appraise & IMA_APPRAISE_KEXEC) { + if (ima_appraise & + (IMA_APPRAISE_ORIG_KEXEC | IMA_APPRAISE_KEXEC)) { pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n"); return -EACCES; /* INTEGRITY_UNKNOWN */ } diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 402e5bd1093..7a33e3f6eca 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -475,6 +475,8 @@ static int ima_appraise_flag(enum ima_hooks func) return IMA_APPRAISE_POLICY; else if (func == KEXEC_KERNEL_CHECK) return IMA_APPRAISE_KEXEC; + else if (func == KEXEC_ORIG_KERNEL_CHECK) + return IMA_APPRAISE_ORIG_KEXEC; return 0; } 
@@ -879,6 +881,9 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) else if (strcmp(args[0].from, "KEXEC_KERNEL_CHECK") == 0) entry->func = KEXEC_KERNEL_CHECK; + else if (strcmp(args[0].from, + "KEXEC_ORIG_KERNEL_CHECK") == 0) + entry->func = KEXEC_ORIG_KERNEL_CHECK; else if (strcmp(args[0].from, "KEXEC_INITRAMFS_CHECK") == 0) entry->func = KEXEC_INITRAMFS_CHECK;
From patchwork Wed Jul 25 23:32:00 2018
X-Patchwork-Submitter: Eric Richter
X-Patchwork-Id: 10544923
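Review bot: in the `ima_parse_rule()` hunk, `KEXEC_ORIG_KERNEL_CHECK` is accepted for any action, but the only place this series consults the new hook is the `ima_appraise` bit test in `ima_load_data()`, so `measure func=KEXEC_ORIG_KERNEL_CHECK` parses fine and then never does anything, and `appraise func=KEXEC_ORIG_KERNEL_CHECK` is in effect a deny switch for `kexec_load`. Either reject the non-appraise forms here with `-EINVAL` and a message, or document in the ABI file that only `appraise` is meaningful for this hook, so a policy author is not misled into thinking the image gets measured.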
From: Eric Richter
To: linux-integrity
Cc: linux-security-module, linux-efi, linux-kernel, David Howells, Seth Forshee, Justin Forbes, Eric Richter
Subject: [PATCH 4/4] x86/ima: define arch_get_ima_policy() for x86
Date: Wed, 25 Jul 2018 18:32:00 -0500
In-Reply-To: <20180725233200.761-1-erichte@linux.vnet.ibm.com>
References: <20180725233200.761-1-erichte@linux.vnet.ibm.com>
Message-Id: <20180725233200.761-5-erichte@linux.vnet.ibm.com>

This patch implements an example arch-specific IMA policy for x86 to enable measurement and appraisal of any kernel images loaded for kexec, and disables the kexec_load syscall.

To avoid conflicting with the existing CONFIG_KEXEC_VERIFY_SIG option, the policy only "appraises" the target image on kexec_load. Without this, the target kexec image would have to be verified by both the above option as well as by IMA appraisal. Since signature verification for kexec_load is not possible via appraisal (or VERIFY_SIG), this results in a failure and thus effectively prevents the kexec_load syscall from succeeding when set.
Signed-off-by: Eric Richter --- arch/x86/kernel/Makefile | 2 ++ arch/x86/kernel/ima_arch.c | 27 +++++++++++++++++++++++++++ include/linux/ima.h | 8 ++++++++ security/integrity/ima/Kconfig | 8 ++++++++ 4 files changed, 45 insertions(+) create mode 100644 arch/x86/kernel/ima_arch.c diff --git a/arch/x86/kernel/Makefile b/arch/x86/kernel/Makefile index 02d6f5cf4e7..f3e1d76ed9b 100644 --- a/arch/x86/kernel/Makefile +++ b/arch/x86/kernel/Makefile @@ -149,3 +149,5 @@ ifeq ($(CONFIG_X86_64),y) obj-$(CONFIG_MMCONF_FAM10H) += mmconf-fam10h_64.o obj-y += vsmp_64.o endif + +obj-$(CONFIG_IMA_ARCH_POLICY) += ima_arch.o diff --git a/arch/x86/kernel/ima_arch.c b/arch/x86/kernel/ima_arch.c new file mode 100644 index 00000000000..5eb10e29db0 --- /dev/null +++ b/arch/x86/kernel/ima_arch.c @@ -0,0 +1,27 @@ +/* SPDX-License-Identifier: GPL-2.0+ */ +/* + * Copyright (C) 2018 IBM Corporation + */ +#include +#include + +extern struct boot_params boot_params; + +/* arch rules for audit and user mode */ +static const char * const sb_arch_rules[] = { +#ifdef CONFIG_KEXEC_VERIFY_SIG + "appraise func=KEXEC_ORIG_KERNEL_CHECK appraise_type=imasig", +#else + "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig", +#endif /* CONFIG_KEXEC_VERIFY_SIG */ + "measure func=KEXEC_KERNEL_CHECK", + NULL +}; + +const char * const *arch_get_ima_policy(void) +{ + if (efi_enabled(EFI_BOOT) && + (boot_params.secure_boot == efi_secureboot_mode_enabled)) + return sb_arch_rules; + return NULL; +} diff --git a/include/linux/ima.h b/include/linux/ima.h index 7fd272f0b1f..495fa290b14 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h 
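Review bot: in arch/x86/kernel/ima_arch.c, the comment `/* arch rules for audit and user mode */` does not describe `sb_arch_rules` (these are the secure-boot kexec measure/appraise rules); fix the comment. The local `extern struct boot_params boot_params;` duplicates the declaration the arch already provides in `<asm/setup.h>`; include that header instead of redeclaring. On the check itself, `boot_params.secure_boot == efi_secureboot_mode_enabled` yields no rules for the `unset` and `unknown` values just as for `disabled`, so a boot path that never fills in `secure_boot` silently gets no policy; if that is the intended fail-open, a `pr_info()` for the non-enabled cases would at least make it visible in dmesg. Minor: the kernel convention for a .c file is a `//` SPDX line, not the `/* */` form used for headers.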
@@ -30,10 +30,14 @@ extern void ima_post_path_mknod(struct dentry *dentry); extern void ima_add_kexec_buffer(struct kimage *image); #endif +#if defined(CONFIG_IMA_ARCH_POLICY) && defined(CONFIG_X86) +extern const char * const *arch_get_ima_policy(void); +#else static inline const char * const *arch_get_ima_policy(void) { return NULL; } +#endif #else static inline int ima_bprm_check(struct linux_binprm *bprm) @@ -77,6 +81,10 @@ static inline void ima_post_path_mknod(struct dentry *dentry) return; } +static inline const char * const *arch_get_ima_policy(void) +{ + return NULL; +} #endif /* CONFIG_IMA */ #ifndef CONFIG_IMA_KEXEC diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index 13b446328dd..18de132bbda 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig @@ -157,6 +157,14 @@ config IMA_APPRAISE If unsure, say N. +config IMA_ARCH_POLICY + bool "Enable loading an IMA architecture specific policy" + depends on IMA_APPRAISE && INTEGRITY_ASYMMETRIC_KEYS + default n + help + This option enables loading an IMA architecture specific policy + based on run time secure boot flags. + config IMA_APPRAISE_BUILD_POLICY bool "IMA build time configured policy rules" depends on IMA_APPRAISE && INTEGRITY_ASYMMETRIC_KEYS
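Review bot: the Kconfig hunk should carry the architecture dependency (`depends on X86`, or an arch-selected helper symbol), so that the `#if defined(CONFIG_IMA_ARCH_POLICY) && defined(CONFIG_X86)` test added to include/linux/ima.h in the same patch can become a plain `#ifdef CONFIG_IMA_ARCH_POLICY`; as written, enabling the option on another architecture builds no `ima_arch.o` yet still advertises an arch policy. `default n` is already the default and can go, and the help text should state what the policy does (measure and appraise kexec kernel images and refuse `kexec_load` when secure boot is enabled), since that is a behaviour change an administrator will notice.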
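As an added illustration (userspace C written for this page, not code from the series or from the kernel), the following models the decisions patches 3 and 4 describe: the two x86 rule sets are parsed, the appraise bits are accumulated the way `ima_appraise_flag()` feeds them into `ima_appraise`, and the outcome for `kexec_load` and `kexec_file_load` is derived as `ima_load_data()` and the patch 3 commit message state. The parser, the `struct rule` layout and the helper names are this example's own simplifications and are not the kernel's `ima_parse_rule()`; the bit values are the ones from patch 3's ima.h.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Bit values from patch 3's ima.h. */
#define IMA_APPRAISE_KEXEC      0x40
#define IMA_APPRAISE_ORIG_KEXEC 0x80

enum action { MEASURE, APPRAISE };
enum hook { KEXEC_KERNEL_CHECK, KEXEC_ORIG_KERNEL_CHECK };

struct rule {
	enum action action;
	enum hook func;
};

/* The two rule sets from patch 4's sb_arch_rules[], selected by
 * CONFIG_KEXEC_VERIFY_SIG at build time. */
const char *const rules_verify_sig[] = {
	"appraise func=KEXEC_ORIG_KERNEL_CHECK appraise_type=imasig",
	"measure func=KEXEC_KERNEL_CHECK",
	NULL
};
const char *const rules_no_verify_sig[] = {
	"appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig",
	"measure func=KEXEC_KERNEL_CHECK",
	NULL
};

/* Parse "<action> func=<hook> [...]". Only the action and func= matter for
 * this model; other tokens such as appraise_type= are skipped. Returns 0 or
 * -EINVAL (unknown action/hook, missing func=, or a rule that would not fit
 * the kernel's 255-byte buffer: rejected here instead of truncated). */
int parse_rule(const char *text, struct rule *out)
{
	char buf[255];
	char *tok;
	int have_func = 0;

	if (strlen(text) >= sizeof(buf))
		return -EINVAL;
	strcpy(buf, text);

	tok = strtok(buf, " ");
	if (!tok)
		return -EINVAL;
	if (strcmp(tok, "appraise") == 0)
		out->action = APPRAISE;
	else if (strcmp(tok, "measure") == 0)
		out->action = MEASURE;
	else
		return -EINVAL;

	while ((tok = strtok(NULL, " ")) != NULL) {
		if (strncmp(tok, "func=", 5) != 0)
			continue;
		if (strcmp(tok + 5, "KEXEC_KERNEL_CHECK") == 0)
			out->func = KEXEC_KERNEL_CHECK;
		else if (strcmp(tok + 5, "KEXEC_ORIG_KERNEL_CHECK") == 0)
			out->func = KEXEC_ORIG_KERNEL_CHECK;
		else
			return -EINVAL;
		have_func = 1;
	}
	return have_func ? 0 : -EINVAL;
}

/* Parsed action of a rule, or -1 if parse_rule() rejects it. */
int parsed_action(const char *text)
{
	struct rule r;

	return parse_rule(text, &r) == 0 ? (int)r.action : -1;
}

/* What ima_init_policy() accumulates via ima_appraise_flag(): only appraise
 * rules contribute, and each kexec hook has its own bit. */
unsigned int appraise_mask(const char *const *rules)
{
	unsigned int mask = 0;

	for (; *rules; rules++) {
		struct rule r;

		if (parse_rule(*rules, &r) != 0 || r.action != APPRAISE)
			continue;
		mask |= (r.func == KEXEC_KERNEL_CHECK) ? IMA_APPRAISE_KEXEC
						      : IMA_APPRAISE_ORIG_KEXEC;
	}
	return mask;
}

/* ima_load_data(LOADING_KEXEC_IMAGE) after patch 3: kexec_load supplies no
 * file descriptor, so either appraise bit denies it outright. */
int kexec_load_result(unsigned int mask)
{
	if (mask & (IMA_APPRAISE_ORIG_KEXEC | IMA_APPRAISE_KEXEC))
		return -EACCES;
	return 0;
}

/* kexec_file_load: only KEXEC_KERNEL_CHECK covers both syscalls, so only
 * that bit demands an IMA signature; with ORIG_KEXEC the image is left to
 * CONFIG_KEXEC_VERIFY_SIG alone. */
int kexec_file_load_needs_ima_sig(unsigned int mask)
{
	return (mask & IMA_APPRAISE_KEXEC) != 0;
}

int main(void)
{
	const char *const *sets[] = { rules_verify_sig, rules_no_verify_sig };
	const char *names[] = { "CONFIG_KEXEC_VERIFY_SIG=y", "CONFIG_KEXEC_VERIFY_SIG=n" };
	int i;

	for (i = 0; i < 2; i++) {
		unsigned int m = appraise_mask(sets[i]);

		printf("%s: ima_appraise bits=0x%02x kexec_load=%s "
		       "kexec_file_load needs IMA signature=%s\n",
		       names[i], m,
		       kexec_load_result(m) == -EACCES ? "EACCES" : "allowed",
		       kexec_file_load_needs_ima_sig(m) ? "yes" : "no");
	}
	return 0;
}
```

Running it prints one line per build configuration: in both cases `kexec_load` is denied, and only the `CONFIG_KEXEC_VERIFY_SIG=n` rule set additionally requires an IMA signature on the image passed to `kexec_file_load`, which is the split the series is after.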