From patchwork Wed Oct 23 23:39:47 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Lakshmi Ramasubramanian X-Patchwork-Id: 11208055 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 75B4F139A for ; Wed, 23 Oct 2019 23:40:19 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 54A402084C for ; Wed, 23 Oct 2019 23:40:19 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.b="jtlTG7GM" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2392757AbfJWXj5 (ORCPT ); Wed, 23 Oct 2019 19:39:57 -0400 Received: from linux.microsoft.com ([13.77.154.182]:51362 "EHLO linux.microsoft.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2392751AbfJWXj5 (ORCPT ); Wed, 23 Oct 2019 19:39:57 -0400 Received: from nramas-ThinkStation-P520.corp.microsoft.com (unknown [131.107.174.108]) by linux.microsoft.com (Postfix) with ESMTPSA id 0E21620106BF; Wed, 23 Oct 2019 16:39:56 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 0E21620106BF DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1571873996; bh=sVeuaw2KRkAf1CvJ/ee/ODALLBzP3mWEgOPtKKrnY/I=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=jtlTG7GMBYyeG0YstbTm8AEZu6XEkwEXnUXUl0pE6ekT99VgzJbBHG3xg9OfLyc2/ 9oT9Ov6uB77ZKD/kpMaPk5s6us16qm4xATgKrbFkSbRptdjihUut6S1OlqqTYL/grM Dc/IVCXAjz4OB7cIrxDFkqz5PFg8jTYaBAF4t45I= 
From: Lakshmi Ramasubramanian To: zohar@linux.ibm.com, dhowells@redhat.com, casey@schaufler-ca.com, sashal@kernel.org, jamorris@linux.microsoft.com, linux-security-module@vger.kernel.org, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, keyrings@vger.kernel.org Cc: nramas@linux.microsoft.com Subject: [PATCH v2 1/4] KEYS: Defined an ima hook for measuring keys on key create or update Date: Wed, 23 Oct 2019 16:39:47 -0700 Message-Id: <20191023233950.22072-2-nramas@linux.microsoft.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191023233950.22072-1-nramas@linux.microsoft.com> References: <20191023233950.22072-1-nramas@linux.microsoft.com> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: Defined an ima hook to measure keys created or updated in the system. Call this ima hook from key_create_or_update function when a new key is created or an existing key is updated. ima hook calls process_buffer_measurement function to measure the key if ima is initialized. If ima is not yet initialized, the ima hook currently does nothing. The change to queue the key for measurement and measure after ima is initialized is implemented in a later patch. This patch set depends on the following patch set provided by Nayna Jain from IBM (nayna@linux.ibm.com). That patch set is currently being reviewed: [PATCH v8 5/8] ima: make process_buffer_measurement() generic https://lore.kernel.org/linux-integrity/1569594360-7141-7-git-send-email-nayna@linux.ibm.com/ Signed-off-by: Lakshmi Ramasubramanian --- include/linux/ima.h | 8 ++++++++ security/integrity/ima/ima.h | 3 +++ security/integrity/ima/ima_init.c | 1 + security/integrity/ima/ima_main.c | 26 ++++++++++++++++++++++++++ security/keys/key.c | 9 +++++++++ 5 files changed, 47 insertions(+) diff --git a/include/linux/ima.h b/include/linux/ima.h index a20ad398d260..4df39aefcd06 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h 
@@ -24,6 +24,9 @@ extern int ima_post_read_file(struct file *file, void *buf, loff_t size, enum kernel_read_file_id id); extern void ima_post_path_mknod(struct dentry *dentry); extern void ima_kexec_cmdline(const void *buf, int size); +extern void ima_post_key_create_or_update(struct key *keyring, + struct key *key, + unsigned long flags, bool create); #ifdef CONFIG_IMA_KEXEC extern void ima_add_kexec_buffer(struct kimage *image); @@ -91,6 +94,11 @@ static inline void ima_post_path_mknod(struct dentry *dentry) } static inline void ima_kexec_cmdline(const void *buf, int size) {} + +static inline void ima_post_key_create_or_update(struct key *keyring, + struct key *key, + unsigned long flags, + bool create) {} #endif /* CONFIG_IMA */ #ifndef CONFIG_IMA_KEXEC diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 997a57137351..2d4130ff5655 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -21,6 +21,8 @@ #include #include #include +#include +#include #include "../integrity.h" @@ -52,6 +54,7 @@ extern int ima_policy_flag; extern int ima_hash_algo; extern int ima_appraise; extern struct tpm_chip *ima_tpm_chip; +extern bool ima_initialized; /* IMA event related data */ struct ima_event_data { diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c index 5d55ade5f3b9..52847ce765a4 100644 --- a/security/integrity/ima/ima_init.c +++ b/security/integrity/ima/ima_init.c @@ -23,6 +23,7 @@ /* name for boot aggregate entry */ static const char boot_aggregate_name[] = "boot_aggregate"; struct tpm_chip *ima_tpm_chip; +bool ima_initialized; /* Add the boot aggregate to the IMA measurement list and extend * the PCR register. diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 2b60d8fd017a..8bde12385912 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c 
@@ -693,6 +693,32 @@ void ima_kexec_cmdline(const void *buf, int size) } } +/** + * ima_post_key_create_or_update - measure keys + * @keyring: keyring to which the key is linked to + * @key: created or updated key + * @flags: key flags + * @create: flag indicating whether the key was created or updated + * + * Keys can only be measured, not appraised. + */ +void ima_post_key_create_or_update(struct key *keyring, struct key *key, + unsigned long flags, bool create) +{ + const struct public_key *pk; + + if (key->type != &key_type_asymmetric) + return; + + if (!ima_initialized) + return; + + pk = key->payload.data[asym_crypto]; + process_buffer_measurement(pk->key, pk->keylen, + key->description, + NONE, 0); +} + static int __init init_ima(void) { int error; diff --git a/security/keys/key.c b/security/keys/key.c index 764f4c57913e..7c39054d8da6 100644 --- a/security/keys/key.c +++ b/security/keys/key.c @@ -13,6 +13,7 @@ #include #include #include +#include #include #include "internal.h" @@ -936,6 +937,9 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref, goto error_link_end; } + /* let the ima module know about the created key. */ + ima_post_key_create_or_update(keyring, key, flags, true); + key_ref = make_key_ref(key, is_key_possessed(keyring_ref)); error_link_end: 
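Review bot: in the include/linux/ima.h hunk the new prototype and the CONFIG_IMA=n stub take `unsigned long flags` and `bool create`, but the ima_main.c implementation in this patch reads neither of them (nor `keyring`); drop the unused parameters until a caller needs them, or say in the commit message what they are reserved for. The hunk also introduces `struct key *` into this header without adding a `struct key;` forward declaration, so confirm the type is in scope for every includer of the header, otherwise the inline stub will produce an incomplete-type warning in translation units that have not pulled in the keys headers.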
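Review bot: `bool ima_initialized;` in the ima_init.c hunk is written once from ima_init() and read with no lock or barrier from ima_post_key_create_or_update(), which runs on whatever CPU is executing add_key(). A plain boolean is acceptable for an "is IMA up yet" check, but document that a reader may observe a stale false, so every reader has to cope with that (the early return here does; later logic built on this flag must too).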
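Review bot: the ima_post_key_create_or_update() hunk measures every asymmetric key regardless of which keyring it is linked to and passes func = NONE and pcr = 0 to process_buffer_measurement(). Nothing here consults the IMA policy, so unless process_buffer_measurement() rejects NONE in the dependency patch, any unprivileged add_key() of an asymmetric key into a user or session keyring lands in the measurement list and extends the PCR; gate on the policy or on the keyring before measuring, and consider whether pcr 0 is the right default rather than the policy's pcr. The cast `pk = key->payload.data[asym_crypto]` to `struct public_key` is also made for every key of type asymmetric; that payload slot is subtype-specific, so check `payload.data[asym_subtype]` is the public-key subtype before trusting `pk->key` and `pk->keylen` as a buffer and length. In the kernel-doc, "@keyring: keyring to which the key is linked to" should drop the trailing "to".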
@@ -965,6 +969,11 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref, } key_ref = __key_update(key_ref, &prep); + if (!IS_ERR(key_ref)) { + /* let the ima module know about the updated key. */ + ima_post_key_create_or_update(keyring, key, flags, false); + } + goto error_free_prep; } EXPORT_SYMBOL(key_create_or_update); From patchwork Wed Oct 23 23:39:48 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Lakshmi Ramasubramanian X-Patchwork-Id: 11208039 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id B8BC61920 for ; Wed, 23 Oct 2019 23:40:10 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 96A552086D for ; Wed, 23 Oct 2019 23:40:10 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.b="YD86IyjK" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2408045AbfJWXj6 (ORCPT ); Wed, 23 Oct 2019 19:39:58 -0400 Received: from linux.microsoft.com ([13.77.154.182]:51372 "EHLO linux.microsoft.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2392752AbfJWXj5 (ORCPT ); Wed, 23 Oct 2019 19:39:57 -0400 Received: from nramas-ThinkStation-P520.corp.microsoft.com (unknown [131.107.174.108]) by linux.microsoft.com (Postfix) with ESMTPSA id 36CA42010AC3; Wed, 23 Oct 2019 16:39:56 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 36CA42010AC3 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1571873996; bh=TjZgExhOyS9lfgObayA5QjipEv197/miPQlmIXuI1sA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=YD86IyjKkhcI2P1ZCoFpu3HtiH16eqctPx7rSgxp5L+9pPxQtOiKu2JCUk4j7lX8r +ySdN4SKkhxI7FX8RHT4MzbVHbmAl+HC7rltIXVFeaUS2AywG4DZ70864VbM/n2+3T 
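Review bot: the update-path call in the second key.c hunk only runs when __key_update() succeeded, which requires the key type to implement .update; since the hook ignores every type except key_type_asymmetric, this call is live only if asymmetric keys are updatable, and the commit message should state whether they are, otherwise the call is dead code and the `create` argument can go. In the first key.c hunk the hook sits between key_instantiate_and_link() and make_key_ref(), i.e. still inside the __key_link_begin()/__key_link_end() section; process_buffer_measurement() can sleep (it allocates and takes a mutex), which is legal under the keyring rwsem but worth recording in the comment so nobody later moves the hook under a spinlock. "let the ima module know" should read "IMA" to match the surrounding comments.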
dNDhG7EAoEJxHfh5hzgvHBpebuptE6TEhzbOADA0= From: Lakshmi Ramasubramanian To: zohar@linux.ibm.com, dhowells@redhat.com, casey@schaufler-ca.com, sashal@kernel.org, jamorris@linux.microsoft.com, linux-security-module@vger.kernel.org, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, keyrings@vger.kernel.org Cc: nramas@linux.microsoft.com Subject: [PATCH v2 2/4] KEYS: Queue key for measurement if ima is not initialized. Measure queued keys when ima is initialized Date: Wed, 23 Oct 2019 16:39:48 -0700 Message-Id: <20191023233950.22072-3-nramas@linux.microsoft.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191023233950.22072-1-nramas@linux.microsoft.com> References: <20191023233950.22072-1-nramas@linux.microsoft.com> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: Defined functions to queue key for measurement if ima is not yet initialized. ima hook function ima_post_key_create_or_update will queue the key if ima is not yet initialized. Process queued keys and measure them when ima initialization is completed. Signed-off-by: Lakshmi Ramasubramanian --- security/integrity/ima/ima.h | 13 +++++ security/integrity/ima/ima_init.c | 9 ++- security/integrity/ima/ima_main.c | 4 +- security/integrity/ima/ima_queue.c | 94 ++++++++++++++++++++++++++++++ 4 files changed, 118 insertions(+), 2 deletions(-) diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 2d4130ff5655..38279707632a 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h 
@@ -199,6 +199,17 @@ enum ima_hooks { __ima_hooks(__ima_hook_enumify) }; +/* + * To track trusted keys that need to be measured when IMA is initialized. + */ +struct ima_trusted_key_entry { + struct list_head list; + void *public_key; + u32 public_key_len; + char *key_description; + enum ima_hooks func; +}; + /* LIM API function definitions */ int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid, int mask, enum ima_hooks func, int *pcr, @@ -225,6 +236,8 @@ int ima_store_template(struct ima_template_entry *entry, int violation, const unsigned char *filename, int pcr); void ima_free_template_entry(struct ima_template_entry *entry); const char *ima_d_path(const struct path *path, char **pathbuf, char *filename); +int ima_queue_key_for_measurement(struct key *key, enum ima_hooks func); +void ima_measure_queued_keys(void); /* IMA policy related functions */ int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid, diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c index 52847ce765a4..8734ed5322c7 100644 --- a/security/integrity/ima/ima_init.c +++ b/security/integrity/ima/ima_init.c @@ -132,5 +132,12 @@ int __init ima_init(void) ima_init_policy(); - return ima_fs_init(); + rc = ima_fs_init(); + if (rc != 0) + return rc; + + ima_initialized = true; + + ima_measure_queued_keys(); + return 0; } diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 8bde12385912..bce430b3386e 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -710,8 +710,10 @@ void ima_post_key_create_or_update(struct key *keyring, struct key *key, if (key->type != &key_type_asymmetric) return; - if (!ima_initialized) + if (!ima_initialized) { + ima_queue_key_for_measurement(key, NONE); return; + } pk = key->payload.data[asym_crypto]; process_buffer_measurement(pk->key, pk->keylen, 
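Review bot: in the ima_init.c hunk, `ima_initialized = true` followed by ima_measure_queued_keys() does not close the window against a concurrent ima_post_key_create_or_update(): a hook that observed ima_initialized == false before the store but calls ima_queue_key_for_measurement() after the drain has emptied the list leaves that key on the list forever, because the drain runs exactly once. Set the flag and drain under ima_trusted_keys_mutex, and have the hook test the flag and queue inside the same critical section (or re-check the flag after queueing and drain again). Separately, if ima_fs_init() fails the function returns with ima_initialized still false, so every asymmetric key created for the rest of the system's uptime is copied onto the list and never freed; on failure either mark initialisation as finished so the hook stops queueing, or free the list, and in any case bound the queue.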
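Review bot: the ima_main.c hunk discards the return value of ima_queue_key_for_measurement(); -ENOMEM there means the key silently never appears in the measurement log, which is exactly the gap an attestation verifier cannot detect, so at least pr_warn() with key->description (or emit an audit record) when queueing fails.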
diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/ima_queue.c index 1ce8b1701566..d42987022c12 100644 --- a/security/integrity/ima/ima_queue.c +++ b/security/integrity/ima/ima_queue.c @@ -46,6 +46,13 @@ struct ima_h_table ima_htable = { */ static DEFINE_MUTEX(ima_extend_list_mutex); +/* + * Used to synchronize access to the list of trusted keys (ima_trusted_keys) + * that need to be measured when IMA is initialized. + */ +static DEFINE_MUTEX(ima_trusted_keys_mutex); +static LIST_HEAD(ima_trusted_keys); + /* lookup up the digest value in the hash table, and return the entry */ static struct ima_queue_entry *ima_lookup_digest_entry(u8 *digest_value, int pcr) 
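Review bot: the list and mutex added in this hunk are named ima_trusted_keys, but in this patch ima_queue_key_for_measurement() is called for every asymmetric key whatever keyring it is linked to, so nothing on the list has been checked for any trust property; name it for what it holds (for example ima_queued_keys) so the name does not suggest a check that is not made.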
@@ -232,3 +239,90 @@ int __init ima_init_digests(void) return 0; } + +static void ima_free_trusted_key_entry(struct ima_trusted_key_entry *entry) +{ + if (entry != NULL) { + if (entry->public_key != NULL) + kzfree(entry->public_key); + if (entry->key_description != NULL) + kzfree(entry->key_description); + kzfree(entry); + } +} + +static struct ima_trusted_key_entry *ima_alloc_trusted_queue_entry( + struct key *key, + enum ima_hooks func) +{ + int rc = 0; + const struct public_key *pk; + size_t key_description_len; + struct ima_trusted_key_entry *entry = NULL; + + pk = key->payload.data[asym_crypto]; + key_description_len = strlen(key->description) + 1; + entry = kzalloc(sizeof(*entry), GFP_KERNEL); + if (entry != NULL) { + entry->public_key = kzalloc(pk->keylen, GFP_KERNEL); + entry->key_description = + kzalloc(key_description_len, GFP_KERNEL); + } + + if ((entry == NULL) || (entry->public_key == NULL) || + (entry->key_description == NULL)) { + rc = -ENOMEM; + goto out; + } + + strcpy(entry->key_description, key->description); + memcpy(entry->public_key, pk->key, pk->keylen); + entry->public_key_len = pk->keylen; + entry->func = func; + rc = 0; + +out: + if (rc) { + ima_free_trusted_key_entry(entry); + entry = NULL; + } + + return entry; +} + +int ima_queue_key_for_measurement(struct key *key, enum ima_hooks func) +{ + int rc = 0; + struct ima_trusted_key_entry *entry = NULL; + + mutex_lock(&ima_trusted_keys_mutex); + + entry = ima_alloc_trusted_queue_entry(key, func); + if (entry != NULL) { + INIT_LIST_HEAD(&entry->list); + list_add_tail(&entry->list, &ima_trusted_keys); + } else + rc = -ENOMEM; + + mutex_unlock(&ima_trusted_keys_mutex); + + return rc; +} + +void ima_measure_queued_keys(void) +{ + struct ima_trusted_key_entry *entry, *tmp; + + mutex_lock(&ima_trusted_keys_mutex); + + list_for_each_entry_safe(entry, tmp, &ima_trusted_keys, list) { + process_buffer_measurement(entry->public_key, + entry->public_key_len, + entry->key_description, + NONE, 0); + 
list_del(&entry->list); + ima_free_trusted_key_entry(entry); + } + + mutex_unlock(&ima_trusted_keys_mutex); +} From patchwork Wed Oct 23 23:39:49 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Lakshmi Ramasubramanian X-Patchwork-Id: 11208041 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id EC5A3139A for ; Wed, 23 Oct 2019 23:40:10 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id C21A22084C for ; Wed, 23 Oct 2019 23:40:10 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.b="OkAu7fQ7" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2408056AbfJWXj6 (ORCPT ); Wed, 23 Oct 2019 19:39:58 -0400 Received: from linux.microsoft.com ([13.77.154.182]:51382 "EHLO linux.microsoft.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2392753AbfJWXj5 (ORCPT ); Wed, 23 Oct 2019 19:39:57 -0400 Received: from nramas-ThinkStation-P520.corp.microsoft.com (unknown [131.107.174.108]) by linux.microsoft.com (Postfix) with ESMTPSA id 637492010AC4; Wed, 23 Oct 2019 16:39:56 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 637492010AC4 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1571873996; bh=4yuZ3A83R6RFlsx6gkiQGFNvjYib+E4kbmtDInCBuro=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=OkAu7fQ7I+graidZ9eAuzXf6HTZdF7thexx9nZbcpJYzqslvwvF5abLWdcT0BVC2t 6dvc0xpaWI8WAtcTVoH173/wu/lGmpccS+4IjXqxsXBK28zHmixUqEGCd7CTD4cu3u K1KtolbAMdVLCHdBpJBAyd5sHXj4jNXz/Wz2/sRA= 
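Review bot: ima_alloc_trusted_queue_entry() copies the description with strlen()+strcpy() and the key with a manual kzalloc()/memcpy(); kstrdup() and kmemdup() do the same with no room for a length mismatch, and the `rc` variable that is assigned 0 twice and only ever tested for non-zero can go with them. ima_queue_key_for_measurement() holds ima_trusted_keys_mutex across GFP_KERNEL allocations, and ima_measure_queued_keys() holds it across process_buffer_measurement(), which takes ima_extend_list_mutex and may block on the TPM, so an add_key() that races with the drain blocks for the whole drain; list_splice_init() onto a local head under the mutex and measure from the local list unlocked. INIT_LIST_HEAD(&entry->list) before list_add_tail() is redundant. Finally, `pk->keylen` is trusted as a copy length without checking that payload.data[asym_crypto] belongs to the public-key subtype.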
From: Lakshmi Ramasubramanian To: zohar@linux.ibm.com, dhowells@redhat.com, casey@schaufler-ca.com, sashal@kernel.org, jamorris@linux.microsoft.com, linux-security-module@vger.kernel.org, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, keyrings@vger.kernel.org Cc: nramas@linux.microsoft.com Subject: [PATCH v2 3/4] KEYS: Added BUILTIN_TRUSTED_KEYS enum to measure keys added to builtin_trusted_keys keyring Date: Wed, 23 Oct 2019 16:39:49 -0700 Message-Id: <20191023233950.22072-4-nramas@linux.microsoft.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191023233950.22072-1-nramas@linux.microsoft.com> References: <20191023233950.22072-1-nramas@linux.microsoft.com> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: Added an ima policy hook BUILTIN_TRUSTED_KEYS to measure keys added to builtin_trusted_keys keyring. Added a helper function to check if the given keyring is the builtin_trusted_keys keyring. Defined a function to map the keyring to ima policy hook function and use it when measuring the key. Signed-off-by: Lakshmi Ramasubramanian --- Documentation/ABI/testing/ima_policy | 1 + certs/system_keyring.c | 5 +++++ include/keys/system_keyring.h | 2 ++ security/integrity/ima/ima.h | 2 ++ security/integrity/ima/ima_api.c | 1 + security/integrity/ima/ima_main.c | 25 +++++++++++++++++++++++-- security/integrity/ima/ima_queue.c | 2 +- 7 files changed, 35 insertions(+), 3 deletions(-) diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy index fc376a323908..25566c74e679 100644 --- a/Documentation/ABI/testing/ima_policy +++ b/Documentation/ABI/testing/ima_policy @@ -29,6 +29,7 @@ Description: [FIRMWARE_CHECK] [KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK] [KEXEC_CMDLINE] + [BUILTIN_TRUSTED_KEYS] mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND] [[^]MAY_EXEC] fsmagic:= hex value diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 1eba08a1af82..5533c7f92fef 100644 
--- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -283,3 +283,8 @@ void __init set_platform_trusted_keys(struct key *keyring) platform_trusted_keys = keyring; } #endif + +inline bool is_builtin_trusted_keyring(struct key *keyring) +{ + return (keyring == builtin_trusted_keys); +} diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index c1a96fdf598b..2bc0aaa07f05 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h @@ -66,4 +66,6 @@ static inline void set_platform_trusted_keys(struct key *keyring) } #endif +extern bool is_builtin_trusted_keyring(struct key *keyring); + #endif /* _KEYS_SYSTEM_KEYRING_H */ diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 38279707632a..92c25a6b4da7 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -23,6 +23,7 @@ #include #include #include +#include #include "../integrity.h" @@ -192,6 +193,7 @@ static inline unsigned long ima_hash_key(u8 *digest) hook(KEXEC_INITRAMFS_CHECK) \ hook(POLICY_CHECK) \ hook(KEXEC_CMDLINE) \ + hook(BUILTIN_TRUSTED_KEYS) \ hook(MAX_CHECK) #define __ima_hook_enumify(ENUM) ENUM, diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index f614e22bf39f..cc04706b7e7a 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -175,6 +175,7 @@ void ima_add_violation(struct file *file, const unsigned char *filename, * subj,obj, and type: are LSM specific. * func: FILE_CHECK | BPRM_CHECK | CREDS_CHECK | MMAP_CHECK | MODULE_CHECK * | KEXEC_CMDLINE + * | BUILTIN_TRUSTED_KEYS * mask: contains the permission mask * fsmagic: hex value * diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index bce430b3386e..986f80eead4d 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c 
@@ -605,6 +605,24 @@ int ima_load_data(enum kernel_load_data_id id) return 0; } +/* + * Maps the given keyring to a IMA Hook. + * @keyring: A keyring to which a key maybe linked to. + * + * This function currently handles only builtin_trusted_keys. + * To handle more keyrings, this function, ima hook and + * ima policy handler need to be updated. + */ +static enum ima_hooks keyring_policy_map(struct key *keyring) +{ + enum ima_hooks func = NONE; + + if (is_builtin_trusted_keyring(keyring)) + func = BUILTIN_TRUSTED_KEYS; + + return func; +} + /* * process_buffer_measurement - Measure the buffer to ima log. * @buf: pointer to the buffer that needs to be added to the log. @@ -706,19 +724,22 @@ void ima_post_key_create_or_update(struct key *keyring, struct key *key, unsigned long flags, bool create) { const struct public_key *pk; + enum ima_hooks func; if (key->type != &key_type_asymmetric) return; + func = keyring_policy_map(keyring); + if (!ima_initialized) { - ima_queue_key_for_measurement(key, NONE); + ima_queue_key_for_measurement(key, func); return; } pk = key->payload.data[asym_crypto]; process_buffer_measurement(pk->key, pk->keylen, key->description, - NONE, 0); + func, 0); } static int __init init_ima(void) diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/ima_queue.c index d42987022c12..ed77c4dc0520 100644 --- a/security/integrity/ima/ima_queue.c +++ b/security/integrity/ima/ima_queue.c 
@@ -319,7 +319,7 @@ void ima_measure_queued_keys(void) process_buffer_measurement(entry->public_key, entry->public_key_len, entry->key_description, - NONE, 0); + entry->func, 0); list_del(&entry->list); ima_free_trusted_key_entry(entry); } From patchwork Wed Oct 23 23:39:50 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Lakshmi Ramasubramanian X-Patchwork-Id: 11208053 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 6F3DA1920 for ; Wed, 23 Oct 2019 23:40:18 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 44A482086D for ; Wed, 23 Oct 2019 23:40:18 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.b="KwrDmZZI" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2392764AbfJWXj5 (ORCPT ); Wed, 23 Oct 2019 19:39:57 -0400 Received: from linux.microsoft.com ([13.77.154.182]:51392 "EHLO linux.microsoft.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2392754AbfJWXj5 (ORCPT ); Wed, 23 Oct 2019 19:39:57 -0400 Received: from nramas-ThinkStation-P520.corp.microsoft.com (unknown [131.107.174.108]) by linux.microsoft.com (Postfix) with ESMTPSA id 8BC3F2010AC5; Wed, 23 Oct 2019 16:39:56 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 8BC3F2010AC5 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1571873996; bh=oW+D4pzJ9HOm7aty1xLpBXhe3vkoiV3VtOmUq5zybZE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=KwrDmZZIX88BVDaFpk62/UTRFfg8vDbcNg/bsMUDBiNi77P2GSx4LNT8y4J9GKkym Wtc46DQVk8VizdzAXeO6xaHmLPoewvNihz/8v19k4v5pUqILUk7NKyUv39pJZE02hz ER9MYfNKYCwEu+SdZkqeHNokHzuArKR4libWkqHk= 
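Review bot: is_builtin_trusted_keyring() is defined as a non-static `inline` in certs/system_keyring.c and declared `extern` in system_keyring.h after the header's last #endif, i.e. unconditionally, while ima_main.c calls it unconditionally; confirm certs/system_keyring.c is built in every configuration in which CONFIG_IMA can be selected, and otherwise provide a static inline stub returning false under the unconfigured branch of the header so the link does not fail. Drop the `inline` on the out-of-line definition (it does nothing for an externally visible symbol) and take `const struct key *` since the function only compares the pointer.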
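Review bot: keyring_policy_map() in the ima_main.c hunk returns NONE for every keyring except builtin_trusted_keys, and ima_post_key_create_or_update() then still queues or measures the key with func = NONE. Unless the dependency patch guarantees that NONE fails the policy lookup inside process_buffer_measurement(), keys on every other keyring are measured unconditionally; return early when the map yields NONE so only keyrings the policy knows about reach the queue or the log. In the comment, "a IMA Hook" should be "an IMA hook" and "to which a key maybe linked to" should be "to which a key may be linked". The `flags` and `create` parameters remain unused after this patch.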
From: Lakshmi Ramasubramanian To: zohar@linux.ibm.com, dhowells@redhat.com, casey@schaufler-ca.com, sashal@kernel.org, jamorris@linux.microsoft.com, linux-security-module@vger.kernel.org, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, keyrings@vger.kernel.org Cc: nramas@linux.microsoft.com Subject: [PATCH v2 4/4] KEYS: Enabled ima policy to measure keys added to builtin_trusted_keys keyring Date: Wed, 23 Oct 2019 16:39:50 -0700 Message-Id: <20191023233950.22072-5-nramas@linux.microsoft.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20191023233950.22072-1-nramas@linux.microsoft.com> References: <20191023233950.22072-1-nramas@linux.microsoft.com> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: Updated ima policy handler to check if the ima policy enables measurement of keys added to the builtin_trusted_keys keyring. With this patch measurement of keys added to the builtin_trusted_keys keyring is enabled end-to-end. Signed-off-by: Lakshmi Ramasubramanian --- security/integrity/ima/ima_policy.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 6df7f641ff66..944636076152 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -370,7 +370,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, { int i; - if (func == KEXEC_CMDLINE) { + if ((func == KEXEC_CMDLINE) || (func == BUILTIN_TRUSTED_KEYS)) { if ((rule->flags & IMA_FUNC) && (rule->func == func)) return true; return false; @@ -959,6 +959,9 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) entry->func = POLICY_CHECK; else if (strcmp(args[0].from, "KEXEC_CMDLINE") == 0) entry->func = KEXEC_CMDLINE; + else if (strcmp(args[0].from, + "BUILTIN_TRUSTED_KEYS") == 0) + entry->func = BUILTIN_TRUSTED_KEYS; else result = -EINVAL; if (!result)
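Review bot: the ima_match_rules() hunk returns as soon as the func matches, so for BUILTIN_TRUSTED_KEYS every other qualifier on the rule (uid, fowner, mask and so on) is silently ignored; a rule such as `measure func=BUILTIN_TRUSTED_KEYS uid=0` matches for every uid while looking narrower than it is. Either reject those qualifiers for this func at parse time or document in Documentation/ABI/testing/ima_policy that the func token stands alone.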
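Review bot: the ima_parse_rule() hunk accepts `func=BUILTIN_TRUSTED_KEYS` with any action, so `appraise func=BUILTIN_TRUSTED_KEYS` parses although the hook's kernel-doc in patch 1 says keys can only be measured, not appraised; set result = -EINVAL when entry->func == BUILTIN_TRUSTED_KEYS and entry->action != MEASURE, and note the restriction next to the new token in the ABI document.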