In order to tune appraise mode in runtime, writing a PKCS#7 signature
corresponding the signed content is required. The content should be off,
enforce, log or fix. Given a simple way to archive this:
$ echo -n off > mode
$ openssl smime -sign -nocerts -noattr -binary \
-in mode -inkey <system_trusted_key> \
-signer <cert> -outform der -out mode.p7s
$ sudo cat mode.p7s \
> /sys/kernel/security/ima/appraise_mode
Note that the signing key must be a trust key located in
system trusted keyring. So even the root privilege cannot
simply disable the enforcement.
Signed-off-by: luanshi <[email protected]>
Signed-off-by: Tianjia Zhang <[email protected]>
---
security/integrity/ima/ima_fs.c | 102 ++++++++++++++++++++++++++++++++
1 file changed, 102 insertions(+)
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index 65384f6ac0d9..c21ca145de0f 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -20,11 +20,15 @@
#include <linux/rcupdate.h>
#include <linux/parser.h>
#include <linux/vmalloc.h>
+#include <linux/verification.h>
#include "ima.h"
static DEFINE_MUTEX(ima_write_mutex);
+/* maximum length of token allowed for signed appraise mode */
+#define APPRAISE_MAX_TOKEN_SIZE (512 * 1024)
+
bool ima_canonical_fmt;
static int __init default_canonical_fmt_setup(char *str)
{
@@ -466,8 +470,106 @@ static ssize_t ima_appraise_mode_read(struct file *filp,
return simple_read_from_buffer(buf, count, ppos, mode, strlen(mode));
}
+static int check_signature_info(char *buf, size_t count)
+{
+ u8 *p;
+
+ /*
+ * In order to tune the appraise mode, a PKCS#7 signature is
+ * supplied.
+ *
+ * Assuming ASN.1 encoding supplied, the minimal length would be
+ * 4-byte header plus at least 256-byte payload.
+ */
+ if (count < 260)
+ return -EINVAL;
+
+ p = (u8 *)buf;
+
+ /* The primitive type must be a sequence */
+ if (p[0] != 0x30 || p[1] != 0x82)
+ return -EINVAL;
+
+ /* Match up the length of the supplied buffer */
+ if (be16_to_cpup((__be16 *)(p + 2)) != count - 4)
+ return -EINVAL;
+
+ return 0;
+}
+
+/* Verify the supplied PKCS#7 signature. The signed content may be off,
+ * enforce, log, fix.
+ */
+static int repopulate_ima_appraise_mode(void *pkcs7, size_t pkcs7_len)
+{
+ static char *appraise_mode_strings[] = { "off", "enforce", "fix", "log" };
+ static int appraise_modes[] = {
+ 0,
+ IMA_APPRAISE_ENFORCE,
+ IMA_APPRAISE_FIX,
+ IMA_APPRAISE_LOG,
+ };
+ int index, ret = -1;
+ const char *s;
+ int size = ARRAY_SIZE(appraise_mode_strings);
+
+ for (index = 0; index < size; index++) {
+ s = appraise_mode_strings[index];
+ ret = verify_pkcs7_signature(s, strlen(s), pkcs7, pkcs7_len,
+ NULL, VERIFYING_UNSPECIFIED_SIGNATURE,
+ NULL, NULL);
+ if (!ret)
+ break;
+ }
+
+ if (index == size)
+ goto out;
+
+ ima_appraise = appraise_modes[index];
+
+out:
+ return ret;
+}
+
+static ssize_t ima_appraise_mode_write(struct file *filp,
+ const char __user *ubuf,
+ size_t count, loff_t *ppos)
+{
+ char *buf;
+ ssize_t ret;
+
+ if (*ppos > 1)
+ return -EFBIG;
+
+ if (count > APPRAISE_MAX_TOKEN_SIZE)
+ return -EFBIG;
+
+ buf = kmalloc(count, GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
+
+ ret = simple_write_to_buffer(buf, count, ppos, ubuf, count);
+ if (ret <= 0)
+ goto out;
+
+ ret = check_signature_info(buf, count);
+ if (ret)
+ goto out;
+
+ ret = repopulate_ima_appraise_mode(buf, count);
+ if (ret)
+ goto out;
+
+ ret = count;
+
+out:
+ kfree(buf);
+ return ret;
+}
+
static const struct file_operations ima_appraise_mode_ops = {
.read = ima_appraise_mode_read,
+ .write = ima_appraise_mode_write,
.llseek = generic_file_llseek,
};
--
2.17.1
Hi Tianjia,
Thank you for the patch! Yet something to improve:
[auto build test ERROR on integrity/next-integrity]
[also build test ERROR on v5.6 next-20200408]
[if your patch is applied to the wrong git tree, please drop us a note to help
improve the system. BTW, we also suggest to use '--base' option to specify the
base tree in git format-patch, please see https://stackoverflow.com/a/37406982]
url: https://github.com/0day-ci/linux/commits/Tianjia-Zhang/support-to-read-and-tune-appraise-mode-in-runtime/20200409-114057
base: https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git next-integrity
config: c6x-randconfig-a001-20200409 (attached as .config)
compiler: c6x-elf-gcc (GCC) 9.3.0
reproduce:
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# save the attached .config to linux build tree
GCC_VERSION=9.3.0 make.cross ARCH=c6x
If you fix the issue, kindly add following tag as appropriate
Reported-by: kbuild test robot <[email protected]>
All errors (new ones prefixed by >>):
security/integrity/ima/ima_fs.c: In function 'repopulate_ima_appraise_mode':
>> security/integrity/ima/ima_fs.c:518:9: error: implicit declaration of function 'verify_pkcs7_signature' [-Werror=implicit-function-declaration]
518 | ret = verify_pkcs7_signature(s, strlen(s), pkcs7, pkcs7_len,
| ^~~~~~~~~~~~~~~~~~~~~~
cc1: some warnings being treated as errors
vim +/verify_pkcs7_signature +518 security/integrity/ima/ima_fs.c
499
500 /* Verify the supplied PKCS#7 signature. The signed content may be off,
501 * enforce, log, fix.
502 */
503 static int repopulate_ima_appraise_mode(void *pkcs7, size_t pkcs7_len)
504 {
505 static char *appraise_mode_strings[] = { "off", "enforce", "fix", "log" };
506 static int appraise_modes[] = {
507 0,
508 IMA_APPRAISE_ENFORCE,
509 IMA_APPRAISE_FIX,
510 IMA_APPRAISE_LOG,
511 };
512 int index, ret = -1;
513 const char *s;
514 int size = ARRAY_SIZE(appraise_mode_strings);
515
516 for (index = 0; index < size; index++) {
517 s = appraise_mode_strings[index];
> 518 ret = verify_pkcs7_signature(s, strlen(s), pkcs7, pkcs7_len,
519 NULL, VERIFYING_UNSPECIFIED_SIGNATURE,
520 NULL, NULL);
521 if (!ret)
522 break;
523 }
524
525 if (index == size)
526 goto out;
527
528 ima_appraise = appraise_modes[index];
529
530 out:
531 return ret;
532 }
533
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/[email protected]