From patchwork Fri Aug 28 01:56:59 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tushar Sugandhi X-Patchwork-Id: 11742045 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 925B0722 for ; Fri, 28 Aug 2020 01:57:48 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 787AF20848 for ; Fri, 28 Aug 2020 01:57:48 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.b="jrZ4QsoV" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728372AbgH1B5Y (ORCPT ); Thu, 27 Aug 2020 21:57:24 -0400 Received: from linux.microsoft.com ([13.77.154.182]:38426 "EHLO linux.microsoft.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728048AbgH1B5U (ORCPT ); Thu, 27 Aug 2020 21:57:20 -0400 Received: from tusharsu-Ubuntu.lan (c-71-197-163-6.hsd1.wa.comcast.net [71.197.163.6]) by linux.microsoft.com (Postfix) with ESMTPSA id 9790320B7179; Thu, 27 Aug 2020 18:57:17 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 9790320B7179 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1598579838; bh=kyLBeyHw68763pY/UIAlu+0vNqCE9GA4eKE1wEZjr24=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=jrZ4QsoVbNm++ux/of4pfGkaNqonPhJjwWh6nubA6dJD/UOdSiL1nsjhm1YJeFBCn RD6WkjiXN/ExRo7v+LRhytbKCJYB7PKCRZ6ciRSmGIFnk7pS0wYe8fWGZRZuFBboZZ ESU/st0OPBtPs98yYzb8pv1IJA+oGZYFCbg6tOY8= From: Tushar Sugandhi To: zohar@linux.ibm.com, stephen.smalley.work@gmail.com, casey@schaufler-ca.com, agk@redhat.com, snitzer@redhat.com, gmazyland@gmail.com Cc: tyhicks@linux.microsoft.com, sashal@kernel.org, jmorris@namei.org, nramas@linux.microsoft.com, linux-integrity@vger.kernel.org, selinux@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dm-devel@redhat.com Subject: [PATCH v3 1/6] IMA: generalize keyring specific measurement constructs Date: Thu, 27 Aug 2020 18:56:59 -0700 Message-Id: <20200828015704.6629-2-tusharsu@linux.microsoft.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20200828015704.6629-1-tusharsu@linux.microsoft.com> References: <20200828015704.6629-1-tusharsu@linux.microsoft.com> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: IMA functions such as ima_match_keyring(), process_buffer_measurement(), ima_match_policy() etc. handle data specific to keyrings. Currently, these constructs are not generic to handle any func specific data. This makes it harder to extend without code duplication. Refactor the keyring specific measurement constructs to be generic and reusable in other measurement scenarios. Signed-off-by: Tushar Sugandhi --- security/integrity/ima/ima.h | 6 ++--- security/integrity/ima/ima_api.c | 6 ++--- security/integrity/ima/ima_main.c | 6 ++--- security/integrity/ima/ima_policy.c | 42 ++++++++++++++++------------- 4 files changed, 33 insertions(+), 27 deletions(-) diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 38043074ce5e..8875085db689 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -255,7 +255,7 @@ static inline void ima_process_queued_keys(void) {} int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid, int mask, enum ima_hooks func, int *pcr, struct ima_template_desc **template_desc, - const char *keyring); + const char *func_data); int ima_must_measure(struct inode *inode, int mask, enum ima_hooks func); int ima_collect_measurement(struct integrity_iint_cache *iint, struct file *file, void *buf, loff_t size, @@ -267,7 +267,7 @@ void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file, struct ima_template_desc *template_desc); void process_buffer_measurement(struct inode *inode, const void *buf, int size, const char *eventname, enum ima_hooks func, - int pcr, const char *keyring); + int pcr, const char *func_data); void ima_audit_measurement(struct integrity_iint_cache *iint, const unsigned char *filename); int ima_alloc_init_template(struct ima_event_data *event_data, @@ -283,7 +283,7 @@ const char *ima_d_path(const struct path *path, char **pathbuf, char *filename); int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid, enum ima_hooks func, int mask, int flags, int *pcr, struct ima_template_desc **template_desc, - const char *keyring); + const char *func_data); void ima_init_policy(void); void ima_update_policy(void); void ima_update_policy_flag(void); diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index 4f39fb93f278..af218babd198 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -170,7 +170,7 @@ void ima_add_violation(struct file *file, const unsigned char *filename, * @func: caller identifier * @pcr: pointer filled in if matched measure policy sets pcr= * @template_desc: pointer filled in if matched measure policy sets template= - * @keyring: keyring name used to determine the action + * @func_data: private data specific to @func, can be NULL. * * The policy is defined in terms of keypairs: * subj=, obj=, type=, func=, mask=, fsmagic= @@ -186,14 +186,14 @@ void ima_add_violation(struct file *file, const unsigned char *filename, int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid, int mask, enum ima_hooks func, int *pcr, struct ima_template_desc **template_desc, - const char *keyring) + const char *func_data) { int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE | IMA_HASH; flags &= ima_policy_flag; return ima_match_policy(inode, cred, secid, func, mask, flags, pcr, - template_desc, keyring); + template_desc, func_data); } /* diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 8a91711ca79b..c870fd6d2f83 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -732,13 +732,13 @@ int ima_load_data(enum kernel_load_data_id id) * @eventname: event name to be used for the buffer entry. * @func: IMA hook * @pcr: pcr to extend the measurement - * @keyring: keyring name to determine the action to be performed + * @func_data: private data specific to @func, can be NULL. * * Based on policy, the buffer is measured into the ima log. */ void process_buffer_measurement(struct inode *inode, const void *buf, int size, const char *eventname, enum ima_hooks func, - int pcr, const char *keyring) + int pcr, const char *func_data) { int ret = 0; const char *audit_cause = "ENOMEM"; @@ -770,7 +770,7 @@ void process_buffer_measurement(struct inode *inode, const void *buf, int size, if (func) { security_task_getsecid(current, &secid); action = ima_get_action(inode, current_cred(), secid, 0, func, - &pcr, &template, keyring); + &pcr, &template, func_data); if (!(action & IMA_MEASURE)) return; } diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index fe1df373c113..8866e84d0062 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -451,15 +451,21 @@ int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event, } /** - * ima_match_keyring - determine whether the keyring matches the measure rule - * @rule: a pointer to a rule - * @keyring: name of the keyring to match against the measure rule + * ima_match_rule_data - determine whether the given func_data matches + * the measure rule data + * @rule: IMA policy rule + * @opt_list: rule data to match func_data against + * @func_data: data to match against the measure rule data + * @allow_empty_opt_list: If true matches all func_data * @cred: a pointer to a credentials structure for user validation * - * Returns true if keyring matches one in the rule, false otherwise. + * Returns true if func_data matches one in the rule, false otherwise. */ -static bool ima_match_keyring(struct ima_rule_entry *rule, - const char *keyring, const struct cred *cred) +static bool ima_match_rule_data(struct ima_rule_entry *rule, + const struct ima_rule_opt_list *opt_list, + const char *func_data, + bool allow_empty_opt_list, + const struct cred *cred) { bool matched = false; size_t i; @@ -467,14 +473,14 @@ static bool ima_match_keyring(struct ima_rule_entry *rule, if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) return false; - if (!rule->keyrings) - return true; + if (!opt_list) + return allow_empty_opt_list; - if (!keyring) + if (!func_data) return false; - for (i = 0; i < rule->keyrings->count; i++) { - if (!strcmp(rule->keyrings->items[i], keyring)) { + for (i = 0; i < opt_list->count; i++) { + if (!strcmp(opt_list->items[i], func_data)) { matched = true; break; } @@ -491,20 +497,21 @@ static bool ima_match_keyring(struct ima_rule_entry *rule, * @secid: the secid of the task to be validated * @func: LIM hook identifier * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) - * @keyring: keyring name to check in policy for KEY_CHECK func + * @func_data: private data specific to @func, can be NULL. * * Returns true on rule match, false on failure. */ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, const struct cred *cred, u32 secid, enum ima_hooks func, int mask, - const char *keyring) + const char *func_data) { int i; if (func == KEY_CHECK) { return (rule->flags & IMA_FUNC) && (rule->func == func) && - ima_match_keyring(rule, keyring, cred); + ima_match_rule_data(rule, rule->keyrings, func_data, + true, cred); } if ((rule->flags & IMA_FUNC) && (rule->func != func && func != POST_SETATTR)) @@ -608,8 +615,7 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) * @pcr: set the pcr to extend * @template_desc: the template that should be used for this rule - * @keyring: the keyring name, if given, to be used to check in the policy. - * keyring can be NULL if func is anything other than KEY_CHECK. + * @func_data: private data specific to @func, can be NULL. * * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type) * conditions. @@ -621,7 +627,7 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid, enum ima_hooks func, int mask, int flags, int *pcr, struct ima_template_desc **template_desc, - const char *keyring) + const char *func_data) { struct ima_rule_entry *entry; int action = 0, actmask = flags | (flags << 1); @@ -636,7 +642,7 @@ int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid, continue; if (!ima_match_rules(entry, inode, cred, secid, func, mask, - keyring)) + func_data)) continue; action |= entry->flags & IMA_ACTION_FLAGS; From patchwork Fri Aug 28 01:57:00 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tushar Sugandhi X-Patchwork-Id: 11742057 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 4FF771752 for ; Fri, 28 Aug 2020 01:57:52 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 347A02086A for ; Fri, 28 Aug 2020 01:57:52 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.b="AtqpjD/r" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728435AbgH1B5u (ORCPT ); Thu, 27 Aug 2020 21:57:50 -0400 Received: from linux.microsoft.com ([13.77.154.182]:38442 "EHLO linux.microsoft.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728182AbgH1B5T (ORCPT ); Thu, 27 Aug 2020 21:57:19 -0400 Received: from tusharsu-Ubuntu.lan (c-71-197-163-6.hsd1.wa.comcast.net [71.197.163.6]) by linux.microsoft.com (Postfix) with ESMTPSA id 261DF2021532; Thu, 27 Aug 2020 18:57:18 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 261DF2021532 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1598579838; bh=2tw/WXqd1rFl00XCee3Jr+XIH39hEngqJ7UoxJMaINQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=AtqpjD/rBb8rzAi7V8HoSi9S55QxM/huCfsBTjRaqiXn1SX/69pRkM/lBTd4Llzd8 2RiUSiD7ysC70GhPk3NhhmRi7Np2E/3vzCY9MWKc2J5bWn2nJVeJt+wyX250yT4bdS HLJGGew0L3GSU6urgP7G3PmZDeYrCKcqF9eyLdeY= From: Tushar Sugandhi To: zohar@linux.ibm.com, stephen.smalley.work@gmail.com, casey@schaufler-ca.com, agk@redhat.com, snitzer@redhat.com, gmazyland@gmail.com Cc: tyhicks@linux.microsoft.com, sashal@kernel.org, jmorris@namei.org, nramas@linux.microsoft.com, linux-integrity@vger.kernel.org, selinux@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dm-devel@redhat.com Subject: [PATCH v3 2/6] IMA: change process_buffer_measurement return type from void to int Date: Thu, 27 Aug 2020 18:57:00 -0700 Message-Id: <20200828015704.6629-3-tusharsu@linux.microsoft.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20200828015704.6629-1-tusharsu@linux.microsoft.com> References: <20200828015704.6629-1-tusharsu@linux.microsoft.com> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: process_buffer_measurement() does not return the result of the operation. Therefore, the consumers of this function cannot act on it, if needed. Update return type of process_buffer_measurement() from void to int. Signed-off-by: Tushar Sugandhi --- security/integrity/ima/ima.h | 6 +++--- security/integrity/ima/ima_main.c | 14 +++++++------- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 8875085db689..83ed57147e68 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -265,9 +265,9 @@ void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file, struct evm_ima_xattr_data *xattr_value, int xattr_len, const struct modsig *modsig, int pcr, struct ima_template_desc *template_desc); -void process_buffer_measurement(struct inode *inode, const void *buf, int size, - const char *eventname, enum ima_hooks func, - int pcr, const char *func_data); +int process_buffer_measurement(struct inode *inode, const void *buf, int size, + const char *eventname, enum ima_hooks func, + int pcr, const char *func_data); void ima_audit_measurement(struct integrity_iint_cache *iint, const unsigned char *filename); int ima_alloc_init_template(struct ima_event_data *event_data, diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index c870fd6d2f83..0979a62a9257 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -736,9 +736,9 @@ int ima_load_data(enum kernel_load_data_id id) * * Based on policy, the buffer is measured into the ima log. */ -void process_buffer_measurement(struct inode *inode, const void *buf, int size, - const char *eventname, enum ima_hooks func, - int pcr, const char *func_data) +int process_buffer_measurement(struct inode *inode, const void *buf, int size, + const char *eventname, enum ima_hooks func, + int pcr, const char *func_data) { int ret = 0; const char *audit_cause = "ENOMEM"; @@ -758,7 +758,7 @@ void process_buffer_measurement(struct inode *inode, const void *buf, int size, u32 secid; if (!ima_policy_flag) - return; + return 0; /* * Both LSM hooks and auxilary based buffer measurements are @@ -772,7 +772,7 @@ void process_buffer_measurement(struct inode *inode, const void *buf, int size, action = ima_get_action(inode, current_cred(), secid, 0, func, &pcr, &template, func_data); if (!(action & IMA_MEASURE)) - return; + return 0; } if (!pcr) @@ -787,7 +787,7 @@ void process_buffer_measurement(struct inode *inode, const void *buf, int size, pr_err("template %s init failed, result: %d\n", (strlen(template->name) ? template->name : template->fmt), ret); - return; + return ret; } } @@ -819,7 +819,7 @@ void process_buffer_measurement(struct inode *inode, const void *buf, int size, func_measure_str(func), audit_cause, ret, 0, ret); - return; + return ret; } /** From patchwork Fri Aug 28 01:57:01 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tushar Sugandhi X-Patchwork-Id: 11742061 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id D3D9A722 for ; Fri, 28 Aug 2020 01:58:00 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id BCBA82080C for ; Fri, 28 Aug 2020 01:58:00 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.b="so+9OqKE" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728406AbgH1B5t (ORCPT ); Thu, 27 Aug 2020 21:57:49 -0400 Received: from linux.microsoft.com ([13.77.154.182]:38460 "EHLO linux.microsoft.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726147AbgH1B5U (ORCPT ); Thu, 27 Aug 2020 21:57:20 -0400 Received: from tusharsu-Ubuntu.lan (c-71-197-163-6.hsd1.wa.comcast.net [71.197.163.6]) by linux.microsoft.com (Postfix) with ESMTPSA id ADBF520B36E7; Thu, 27 Aug 2020 18:57:18 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com ADBF520B36E7 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1598579839; bh=o9Z9QfzzzN11WX4/gSUa5n5ylZI8mL1EV7qAQIWMWHg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=so+9OqKEkkfmC9UVTYeX2PUcF/rvRkDODMg9H5BMwOwZ6fX57DQ1MyqZZImv4hhep cEUzyzlAH846QPaB0sNfr8GQBXwUNy6TMYBr6igKmgEdrrHsAHiBqCQkc03UilDZPW YsnojcjvqrucDpk7YCJunJi6hIbv9YvqIiSijjqY= From: Tushar Sugandhi To: zohar@linux.ibm.com, stephen.smalley.work@gmail.com, casey@schaufler-ca.com, agk@redhat.com, snitzer@redhat.com, gmazyland@gmail.com Cc: tyhicks@linux.microsoft.com, sashal@kernel.org, jmorris@namei.org, nramas@linux.microsoft.com, linux-integrity@vger.kernel.org, selinux@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dm-devel@redhat.com Subject: [PATCH v3 3/6] IMA: update process_buffer_measurement to measure buffer hash Date: Thu, 27 Aug 2020 18:57:01 -0700 Message-Id: <20200828015704.6629-4-tusharsu@linux.microsoft.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20200828015704.6629-1-tusharsu@linux.microsoft.com> References: <20200828015704.6629-1-tusharsu@linux.microsoft.com> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: process_buffer_measurement() currently only measures the input buffer. When the buffer being measured is too large, it may result in bloated IMA logs. Introduce a boolean parameter measure_buf_hash to support measuring hash of a buffer, which would be much smaller, instead of the buffer itself. Signed-off-by: Tushar Sugandhi --- security/integrity/ima/ima.h | 3 +- security/integrity/ima/ima_appraise.c | 2 +- security/integrity/ima/ima_asymmetric_keys.c | 2 +- security/integrity/ima/ima_main.c | 29 ++++++++++++++++++-- security/integrity/ima/ima_queue_keys.c | 3 +- 5 files changed, 32 insertions(+), 7 deletions(-) diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 83ed57147e68..ba332de8ed0b 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -267,7 +267,8 @@ void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file, struct ima_template_desc *template_desc); int process_buffer_measurement(struct inode *inode, const void *buf, int size, const char *eventname, enum ima_hooks func, - int pcr, const char *func_data); + int pcr, const char *func_data, + bool measure_buf_hash); void ima_audit_measurement(struct integrity_iint_cache *iint, const unsigned char *filename); int ima_alloc_init_template(struct ima_event_data *event_data, diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index 372d16382960..20adffe5bf58 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -336,7 +336,7 @@ int ima_check_blacklist(struct integrity_iint_cache *iint, if ((rc == -EPERM) && (iint->flags & IMA_MEASURE)) process_buffer_measurement(NULL, digest, digestsize, "blacklisted-hash", NONE, - pcr, NULL); + pcr, NULL, false); } return rc; diff --git a/security/integrity/ima/ima_asymmetric_keys.c b/security/integrity/ima/ima_asymmetric_keys.c index 1c68c500c26f..a74095793936 100644 --- a/security/integrity/ima/ima_asymmetric_keys.c +++ b/security/integrity/ima/ima_asymmetric_keys.c @@ -60,5 +60,5 @@ void ima_post_key_create_or_update(struct key *keyring, struct key *key, */ process_buffer_measurement(NULL, payload, payload_len, keyring->description, KEY_CHECK, 0, - keyring->description); + keyring->description, false); } diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 0979a62a9257..52cbbc1f7ea2 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -733,17 +733,21 @@ int ima_load_data(enum kernel_load_data_id id) * @func: IMA hook * @pcr: pcr to extend the measurement * @func_data: private data specific to @func, can be NULL. + * @measure_buf_hash: if set to true - will measure hash of the buf, + * instead of buf * * Based on policy, the buffer is measured into the ima log. */ int process_buffer_measurement(struct inode *inode, const void *buf, int size, const char *eventname, enum ima_hooks func, - int pcr, const char *func_data) + int pcr, const char *func_data, + bool measure_buf_hash) { int ret = 0; const char *audit_cause = "ENOMEM"; struct ima_template_entry *entry = NULL; struct integrity_iint_cache iint = {}; + struct integrity_iint_cache digest_iint = {}; struct ima_event_data event_data = {.iint = &iint, .filename = eventname, .buf = buf, @@ -752,7 +756,7 @@ int process_buffer_measurement(struct inode *inode, const void *buf, int size, struct { struct ima_digest_data hdr; char digest[IMA_MAX_DIGEST_SIZE]; - } hash = {}; + } hash = {}, digest_hash = {}; int violation = 0; int action = 0; u32 secid; @@ -801,6 +805,24 @@ int process_buffer_measurement(struct inode *inode, const void *buf, int size, goto out; } + if (measure_buf_hash) { + digest_iint.ima_hash = &digest_hash.hdr; + digest_iint.ima_hash->algo = ima_hash_algo; + digest_iint.ima_hash->length = hash_digest_size[ima_hash_algo]; + + ret = ima_calc_buffer_hash(hash.hdr.digest, + iint.ima_hash->length, + digest_iint.ima_hash); + if (ret < 0) { + audit_cause = "digest_hashing_error"; + goto out; + } + + event_data.iint = &digest_iint; + event_data.buf = hash.hdr.digest; + event_data.buf_len = iint.ima_hash->length; + } + ret = ima_alloc_init_template(&event_data, &entry, template); if (ret < 0) { audit_cause = "alloc_entry"; @@ -842,7 +864,8 @@ void ima_kexec_cmdline(int kernel_fd, const void *buf, int size) return; process_buffer_measurement(file_inode(f.file), buf, size, - "kexec-cmdline", KEXEC_CMDLINE, 0, NULL); + "kexec-cmdline", KEXEC_CMDLINE, 0, NULL, + false); fdput(f); } diff --git a/security/integrity/ima/ima_queue_keys.c b/security/integrity/ima/ima_queue_keys.c index 69a8626a35c0..c2f2ad34f9b7 100644 --- a/security/integrity/ima/ima_queue_keys.c +++ b/security/integrity/ima/ima_queue_keys.c @@ -162,7 +162,8 @@ void ima_process_queued_keys(void) entry->payload_len, entry->keyring_name, KEY_CHECK, 0, - entry->keyring_name); + entry->keyring_name, + false); list_del(&entry->list); ima_free_key_entry(entry); } From patchwork Fri Aug 28 01:57:02 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tushar Sugandhi X-Patchwork-Id: 11742049 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id DF00C13B1 for ; Fri, 28 Aug 2020 01:57:49 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id C7DA520848 for ; Fri, 28 Aug 2020 01:57:49 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.b="jIwOfUjv" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728356AbgH1B5X (ORCPT ); Thu, 27 Aug 2020 21:57:23 -0400 Received: from linux.microsoft.com ([13.77.154.182]:38468 "EHLO linux.microsoft.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728335AbgH1B5U (ORCPT ); Thu, 27 Aug 2020 21:57:20 -0400 Received: from tusharsu-Ubuntu.lan (c-71-197-163-6.hsd1.wa.comcast.net [71.197.163.6]) by linux.microsoft.com (Postfix) with ESMTPSA id 39B5820553ED; Thu, 27 Aug 2020 18:57:19 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 39B5820553ED DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1598579839; bh=kFumSg9D6IWrKowDRCuR6JaYkRpAKGrG3kd2UMi5yG4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=jIwOfUjvQXDXIMbP0VzJC16ORhjF/LMllEOYLfOMSnZnqc6XGKsLEaw8udDpMU8dN Pza7ffFGu1KYIZvITQ4jggbSl9W/OsUTNFMOrjlofkqOXk3o96hovIq4uFI4cfZHk+ CD61VH/PhTFB7JNgZAjeC5JE+HqVFpu978bUOJQA= From: Tushar Sugandhi To: zohar@linux.ibm.com, stephen.smalley.work@gmail.com, casey@schaufler-ca.com, agk@redhat.com, snitzer@redhat.com, gmazyland@gmail.com Cc: tyhicks@linux.microsoft.com, sashal@kernel.org, jmorris@namei.org, nramas@linux.microsoft.com, linux-integrity@vger.kernel.org, selinux@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dm-devel@redhat.com Subject: [PATCH v3 4/6] IMA: add policy to measure critical data from kernel components Date: Thu, 27 Aug 2020 18:57:02 -0700 Message-Id: <20200828015704.6629-5-tusharsu@linux.microsoft.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20200828015704.6629-1-tusharsu@linux.microsoft.com> References: <20200828015704.6629-1-tusharsu@linux.microsoft.com> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: There would be several candidate kernel components suitable for IMA measurement. Not all of them would have support for IMA measurement. Also, system administrators may not want to measure data for all of them, even when they support IMA measurement. An IMA policy specific to various kernel components is needed to measure their respective critical data. Add a new IMA policy "critical_kernel_data_sources" to support measuring various critical kernel components. This policy would enable the system administrators to limit the measurement to the components, if the components support IMA measurement. Signed-off-by: Tushar Sugandhi --- Documentation/ABI/testing/ima_policy | 3 +++ security/integrity/ima/ima_policy.c | 29 +++++++++++++++++++++++++++- 2 files changed, 31 insertions(+), 1 deletion(-) diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy index cd572912c593..7ccdc1964e29 100644 --- a/Documentation/ABI/testing/ima_policy +++ b/Documentation/ABI/testing/ima_policy @@ -48,6 +48,9 @@ Description: template:= name of a defined IMA template type (eg, ima-ng). Only valid when action is "measure". pcr:= decimal value + critical_kernel_data_sources:= list of kernel + components (eg, selinux|apparmor|dm-crypt) that + contain data critical to the security of the kernel. default policy: # PROC_SUPER_MAGIC diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 8866e84d0062..c8a044705347 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -33,6 +33,7 @@ #define IMA_PCR 0x0100 #define IMA_FSNAME 0x0200 #define IMA_KEYRINGS 0x0400 +#define IMA_DATA_SOURCES 0x0800 #define UNKNOWN 0 #define MEASURE 0x0001 /* same as IMA_MEASURE */ @@ -84,6 +85,7 @@ struct ima_rule_entry { } lsm[MAX_LSM_RULES]; char *fsname; struct ima_rule_opt_list *keyrings; /* Measure keys added to these keyrings */ + struct ima_rule_opt_list *data_sources; /* Measure data from these sources */ struct ima_template_desc *template; }; @@ -911,7 +913,7 @@ enum { Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt, Opt_appraise_type, Opt_appraise_flag, Opt_permit_directio, Opt_pcr, Opt_template, Opt_keyrings, - Opt_err + Opt_data_sources, Opt_err }; static const match_table_t policy_tokens = { @@ -948,6 +950,7 @@ static const match_table_t policy_tokens = { {Opt_pcr, "pcr=%s"}, {Opt_template, "template=%s"}, {Opt_keyrings, "keyrings=%s"}, + {Opt_data_sources, "critical_kernel_data_sources=%s"}, {Opt_err, NULL} }; @@ -1312,6 +1315,24 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) entry->flags |= IMA_KEYRINGS; break; + case Opt_data_sources: + ima_log_string(ab, "critical_kernel_data_sources", + args[0].from); + + if (entry->data_sources) { + result = -EINVAL; + break; + } + + entry->data_sources = ima_alloc_rule_opt_list(args); + if (IS_ERR(entry->data_sources)) { + result = PTR_ERR(entry->data_sources); + entry->data_sources = NULL; + break; + } + + entry->flags |= IMA_DATA_SOURCES; + break; case Opt_fsuuid: ima_log_string(ab, "fsuuid", args[0].from); @@ -1692,6 +1713,12 @@ int ima_policy_show(struct seq_file *m, void *v) seq_puts(m, " "); } + if (entry->flags & IMA_DATA_SOURCES) { + seq_puts(m, "critical_kernel_data_sources="); + ima_show_rule_opt_list(m, entry->data_sources); + seq_puts(m, " "); + } + if (entry->flags & IMA_PCR) { snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr); seq_printf(m, pt(Opt_pcr), tbuf); From patchwork Fri Aug 28 01:57:03 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tushar Sugandhi X-Patchwork-Id: 11742037 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id B4CC113B6 for ; Fri, 28 Aug 2020 01:57:46 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 9B06D20B80 for ; Fri, 28 Aug 2020 01:57:46 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.b="qQ8Cgste" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728379AbgH1B5Y (ORCPT ); Thu, 27 Aug 2020 21:57:24 -0400 Received: from linux.microsoft.com ([13.77.154.182]:38488 "EHLO linux.microsoft.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728352AbgH1B5V (ORCPT ); Thu, 27 Aug 2020 21:57:21 -0400 Received: from tusharsu-Ubuntu.lan (c-71-197-163-6.hsd1.wa.comcast.net [71.197.163.6]) by linux.microsoft.com (Postfix) with ESMTPSA id BF96F20C27C2; Thu, 27 Aug 2020 18:57:19 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com BF96F20C27C2 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1598579840; bh=nzyuBFV9kqZh5RxX8gM1RD80E78BulBKErd8/nU8wOk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=qQ8CgstekmkhlgT3EHBgPitdAENMOLwat19paNBoRTiLk5rVm55zMx1m01d9hTdhI iqt1GFyGT8SoNc101UZkyHNbF4+BrMoMQKP356gnOcNe5F0opgu6YbtVb7Vqe/vVPc Ikyd8fsnAJGd6hpVVItcvTckgrkzPxvL68YLrMAA= From: Tushar Sugandhi To: zohar@linux.ibm.com, stephen.smalley.work@gmail.com, casey@schaufler-ca.com, agk@redhat.com, snitzer@redhat.com, gmazyland@gmail.com Cc: tyhicks@linux.microsoft.com, sashal@kernel.org, jmorris@namei.org, nramas@linux.microsoft.com, linux-integrity@vger.kernel.org, selinux@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dm-devel@redhat.com Subject: [PATCH v3 5/6] IMA: add hook to measure critical data from kernel components Date: Thu, 27 Aug 2020 18:57:03 -0700 Message-Id: <20200828015704.6629-6-tusharsu@linux.microsoft.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20200828015704.6629-1-tusharsu@linux.microsoft.com> References: <20200828015704.6629-1-tusharsu@linux.microsoft.com> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: Currently, IMA does not provide a generic function for kernel components to measure their data. A generic function provided by IMA would enable various parts of the kernel with easier and faster on-boarding to use IMA infrastructure, would avoid code duplication, and consistent usage of IMA policy "critical_kernel_data_sources" across the kernel. Add a new IMA func CRITICAL_DATA and a corresponding IMA hook ima_measure_critical_data() to support measuring various critical kernel components. Limit the measurement to the components that are specified in the IMA policy - CRITICAL_DATA+critical_kernel_data_sources. Signed-off-by: Tushar Sugandhi --- Documentation/ABI/testing/ima_policy | 8 ++++++- include/linux/ima.h | 11 +++++++++ security/integrity/ima/ima.h | 1 + security/integrity/ima/ima_api.c | 2 +- security/integrity/ima/ima_main.c | 24 ++++++++++++++++++++ security/integrity/ima/ima_policy.c | 34 ++++++++++++++++++++++++---- 6 files changed, 73 insertions(+), 7 deletions(-) diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy index 7ccdc1964e29..36d9cee9704d 100644 --- a/Documentation/ABI/testing/ima_policy +++ b/Documentation/ABI/testing/ima_policy @@ -29,7 +29,7 @@ Description: base: func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK] [FIRMWARE_CHECK] [KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK] - [KEXEC_CMDLINE] [KEY_CHECK] + [KEXEC_CMDLINE] [KEY_CHECK] [CRITICAL_DATA] mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND] [[^]MAY_EXEC] fsmagic:= hex value @@ -51,6 +51,8 @@ Description: critical_kernel_data_sources:= list of kernel components (eg, selinux|apparmor|dm-crypt) that contain data critical to the security of the kernel. + Only valid when action is "measure" and func is + CRITICAL_DATA. default policy: # PROC_SUPER_MAGIC @@ -128,3 +130,7 @@ Description: keys added to .builtin_trusted_keys or .ima keyring: measure func=KEY_CHECK keyrings=.builtin_trusted_keys|.ima + + Example of measure rule using CRITICAL_DATA to measure critical data + + measure func=CRITICAL_DATA critical_kernel_data_sources=selinux|apparmor|dm-crypt diff --git a/include/linux/ima.h b/include/linux/ima.h index d15100de6cdd..136fc02580db 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -26,6 +26,10 @@ extern int ima_post_read_file(struct file *file, void *buf, loff_t size, extern void ima_post_path_mknod(struct dentry *dentry); extern int ima_file_hash(struct file *file, char *buf, size_t buf_size); extern void ima_kexec_cmdline(int kernel_fd, const void *buf, int size); +extern int ima_measure_critical_data(const char *event_name, + const char *event_data_source, + const void *buf, int buf_len, + bool measure_buf_hash); #ifdef CONFIG_IMA_KEXEC extern void ima_add_kexec_buffer(struct kimage *image); @@ -104,6 +108,13 @@ static inline int ima_file_hash(struct file *file, char *buf, size_t buf_size) } static inline void ima_kexec_cmdline(int kernel_fd, const void *buf, int size) {} +static inline int ima_measure_critical_data(const char *event_name, + const char *event_data_source, + const void *buf, int buf_len, + bool measure_buf_hash) +{ + return -EOPNOTSUPP; +} #endif /* CONFIG_IMA */ #ifndef CONFIG_IMA_KEXEC diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index ba332de8ed0b..00b84052c8f1 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -200,6 +200,7 @@ static inline unsigned int ima_hash_key(u8 *digest) hook(POLICY_CHECK, policy) \ hook(KEXEC_CMDLINE, kexec_cmdline) \ hook(KEY_CHECK, key) \ + hook(CRITICAL_DATA, critical_data) \ hook(MAX_CHECK, none) #define __ima_hook_enumify(ENUM, str) ENUM, diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index af218babd198..9917e1730cb6 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -176,7 +176,7 @@ void ima_add_violation(struct file *file, const unsigned char *filename, * subj=, obj=, type=, func=, mask=, fsmagic= * subj,obj, and type: are LSM specific. * func: FILE_CHECK | BPRM_CHECK | CREDS_CHECK | MMAP_CHECK | MODULE_CHECK - * | KEXEC_CMDLINE | KEY_CHECK + * | KEXEC_CMDLINE | KEY_CHECK | CRITICAL_DATA * mask: contains the permission mask * fsmagic: hex value * diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 52cbbc1f7ea2..a889bf40cb7e 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -869,6 +869,30 @@ void ima_kexec_cmdline(int kernel_fd, const void *buf, int size) fdput(f); } +/** + * ima_measure_critical_data - measure critical data + * @event_name: name for the given data + * @event_data_source: name of the event data source + * @buf: pointer to buffer containing data to measure + * @buf_len: length of buffer(in bytes) + * @measure_buf_hash: if set to true - will measure hash of the buf, + * instead of buf + * + * Buffers can only be measured, not appraised. + */ +int ima_measure_critical_data(const char *event_name, + const char *event_data_source, + const void *buf, int buf_len, + bool measure_buf_hash) +{ + if (!event_name || !event_data_source || !buf || !buf_len) + return -EINVAL; + + return process_buffer_measurement(NULL, buf, buf_len, event_name, + CRITICAL_DATA, 0, event_data_source, + measure_buf_hash); +} + static int __init init_ima(void) { int error; diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index c8a044705347..0c5202c1f26e 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -510,14 +510,23 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, { int i; - if (func == KEY_CHECK) { - return (rule->flags & IMA_FUNC) && (rule->func == func) && - ima_match_rule_data(rule, rule->keyrings, func_data, - true, cred); - } if ((rule->flags & IMA_FUNC) && (rule->func != func && func != POST_SETATTR)) return false; + + switch (func) { + case KEY_CHECK: + return ((rule->func == func) && + ima_match_rule_data(rule, rule->keyrings, + func_data, true, cred)); + case CRITICAL_DATA: + return ((rule->func == func) && + ima_match_rule_data(rule, rule->data_sources, + func_data, false, cred)); + default: + break; + } + if ((rule->flags & IMA_MASK) && (rule->mask != mask && func != POST_SETATTR)) return false; @@ -1113,6 +1122,19 @@ static bool ima_validate_rule(struct ima_rule_entry *entry) if (ima_rule_contains_lsm_cond(entry)) return false; + break; + case CRITICAL_DATA: + if (entry->action & ~(MEASURE | DONT_MEASURE)) + return false; + + if (!(entry->flags & IMA_DATA_SOURCES) || + (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR | + IMA_DATA_SOURCES))) + return false; + + if (ima_rule_contains_lsm_cond(entry)) + return false; + break; default: return false; @@ -1245,6 +1267,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) else if (IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) && strcmp(args[0].from, "KEY_CHECK") == 0) entry->func = KEY_CHECK; + else if (strcmp(args[0].from, "CRITICAL_DATA") == 0) + entry->func = CRITICAL_DATA; else result = -EINVAL; if (!result) From patchwork Fri Aug 28 01:57:04 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tushar Sugandhi X-Patchwork-Id: 11742031 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 1F84213B1 for ; Fri, 28 Aug 2020 01:57:25 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 08CD320848 for ; Fri, 28 Aug 2020 01:57:24 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.b="Cyz/YHC3" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728367AbgH1B5Y (ORCPT ); Thu, 27 Aug 2020 21:57:24 -0400 Received: from linux.microsoft.com ([13.77.154.182]:38500 "EHLO linux.microsoft.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728353AbgH1B5V (ORCPT ); Thu, 27 Aug 2020 21:57:21 -0400 Received: from tusharsu-Ubuntu.lan (c-71-197-163-6.hsd1.wa.comcast.net [71.197.163.6]) by linux.microsoft.com (Postfix) with ESMTPSA id 5BEF120C27C5; Thu, 27 Aug 2020 18:57:20 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 5BEF120C27C5 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1598579840; bh=/oNkgUW9zSIuVV9hzhJDu+lqIFChEKC0BuHbXmW5m3Y=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Cyz/YHC3WltXaOC2W1Hu7dvdzMKlVlrik0OyrAKvc3bYjiBOWarXk/sMLKG5Rg302 fbDJaPYrLp1qHtc2FhixkEyPt5aRcJ9BDsKfLQZuW7svV2PjA1czuY27qzJ0eRdFwn TEcJ+5giT+ILXTcXHTRG3KaEqEnPdHzOp8Y6cqDM= From: Tushar Sugandhi To: zohar@linux.ibm.com, stephen.smalley.work@gmail.com, casey@schaufler-ca.com, agk@redhat.com, snitzer@redhat.com, gmazyland@gmail.com Cc: tyhicks@linux.microsoft.com, sashal@kernel.org, jmorris@namei.org, nramas@linux.microsoft.com, linux-integrity@vger.kernel.org, selinux@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dm-devel@redhat.com Subject: [PATCH v3 6/6] IMA: validate supported kernel data sources before measurement Date: Thu, 27 Aug 2020 18:57:04 -0700 Message-Id: <20200828015704.6629-7-tusharsu@linux.microsoft.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20200828015704.6629-1-tusharsu@linux.microsoft.com> References: <20200828015704.6629-1-tusharsu@linux.microsoft.com> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: Currently, IMA does not restrict random data sources from measuring their data using ima_measure_critical_data(). Any kernel data source can call the function, and it's data will get measured as long as the input event_data_source is part of the IMA policy - CRITICAL_DATA+critical_kernel_data_sources. This may result in IMA log getting bloated by random data sources. Supporting random data sources at run-time may also impact the reliability of the system. To ensure that only data from supported sources are measured, the kernel component needs to be added to a compile-time list of supported sources (an "allowed list of components") in ima.h. IMA then validates the input parameter - event_data_source passed to ima_measure_critical_data() against this allowed list at run-time. Provide an infrastructure for kernel data sources to be added to the supported data sources list at compile-time. Update ima_measure_critical_data() to validate, at run-time, that the data source is supported before measuring the data. Signed-off-by: Tushar Sugandhi --- security/integrity/ima/ima.h | 29 +++++++++++++++++++++++++++++ security/integrity/ima/ima_main.c | 3 +++ 2 files changed, 32 insertions(+) diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 00b84052c8f1..ecb0a1e7378f 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -228,6 +228,35 @@ extern const char *const func_tokens[]; struct modsig; +#define __ima_supported_kernel_data_sources(source) \ + source(MIN_SOURCE, min_source) \ + source(MAX_SOURCE, max_source) + +#define __ima_enum_stringify(ENUM, str) (#str), + +enum ima_supported_kernel_data_sources { + __ima_supported_kernel_data_sources(__ima_hook_enumify) +}; + +static const char * const ima_supported_kernel_data_sources_str[] = { + __ima_supported_kernel_data_sources(__ima_enum_stringify) +}; + +static inline bool ima_kernel_data_source_is_supported(const char *source) +{ + int i; + + if (!source) + return false; + + for (i = MIN_SOURCE + 1; i < MAX_SOURCE; i++) { + if (!strcmp(ima_supported_kernel_data_sources_str[i], source)) + return true; + } + + return false; +} + #ifdef CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS /* * To track keys that need to be measured. diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index a889bf40cb7e..41be4d1d839e 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -888,6 +888,9 @@ int ima_measure_critical_data(const char *event_name, if (!event_name || !event_data_source || !buf || !buf_len) return -EINVAL; + if (!ima_kernel_data_source_is_supported(event_data_source)) + return -EPERM; + return process_buffer_measurement(NULL, buf, buf_len, event_name, CRITICAL_DATA, 0, event_data_source, measure_buf_hash);