Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp429655imm; Wed, 19 Sep 2018 00:59:06 -0700 (PDT) X-Google-Smtp-Source: ANB0Vdbze7hSDkl9jNsJ/s2CAwYWWR3l8KQbhuWJZ1saMk6JkgHnmN7HUgjsjRzkDQdMvSBq/z/W X-Received: by 2002:a17:902:ac97:: with SMTP id h23-v6mr28840012plr.174.1537343946088; Wed, 19 Sep 2018 00:59:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1537343946; cv=none; d=google.com; s=arc-20160816; b=bKulirRIqQJRCl3j+PP8T6//Edjlm4BDvIHve+uhz8gkD8AKiGY3nKVhauBzeGUbUF 5oPyIUneBYARnyyyqrS31NtPXbIELCT1VAZ6FdBEs9OC1h7pSFm2D7ODbmo4Lde7iqg8 ntcPbu9j88NhIvTI5dibCg+S1HPP9zrQON0M6uxJTmM4194/maU2kmnTS7AoEyCvPzzg gduxXOIRHP25tzmCoFOCTVb9YeuNRmijnv3x+3dFhLyDMYesTqwj3CLAMrwUFp005ZZ5 JQPSaIG+lXF6xCrquKq0O61iF7LqKterHemWuP3BjM229jaM0m8fBnapxSR8jjw88iPM fnbQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:references:in-reply-to:date :subject:cc:to:from; bh=UGm7L794Akj8dLvccl0zJr/3XwniaDvxxliKPZqUE04=; b=CwqxIiMQg75nw9Pd2/tEMsc6DbvkAZ0aqxXfslXqXIRq06lo13B3w7wA+y7eMyAmof 3FXd5gb7DhIVoF+24SgtzdT2TY24AnM4Ix8WI0bZuYyzX3NCnEEP26L0GWr/MSG76kfd PO3pyrbSaFRbh8mgmp8aVgk4tdAGlEcLgY0m4a0A7u2lSHJyN4SgT7K2bBjjxS0NPBck F1MowZHhKo3eBLHnaxodRpMav18zER9mRRP7REYhkmQyw5DreYpJEE8Rq2I55edTMrDR AP23O83vZtLdvvp1hyhdIPwVjSvDS1Ms96ljDoTBMeE1frnievwvu0ChrOwfH3q/tWR4 uwKA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f13-v6si279876pgm.676.2018.09.19.00.58.50; Wed, 19 Sep 2018 00:59:06 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731028AbeISNfR (ORCPT + 99 others); Wed, 19 Sep 2018 09:35:17 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:52804 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731091AbeISNfR (ORCPT ); Wed, 19 Sep 2018 09:35:17 -0400 Received: from pps.filterd (m0098409.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w8J7s6sh143014 for ; Wed, 19 Sep 2018 03:58:33 -0400 Received: from e06smtp02.uk.ibm.com (e06smtp02.uk.ibm.com [195.75.94.98]) by mx0a-001b2d01.pphosted.com with ESMTP id 2mkfdw7bnn-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Wed, 19 Sep 2018 03:58:33 -0400 Received: from localhost by e06smtp02.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Wed, 19 Sep 2018 08:58:30 +0100 Received: from b06cxnps4075.portsmouth.uk.ibm.com (9.149.109.197) by e06smtp02.uk.ibm.com (192.168.101.132) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Wed, 19 Sep 2018 08:58:28 +0100 Received: from d06av23.portsmouth.uk.ibm.com (d06av23.portsmouth.uk.ibm.com [9.149.105.59]) by b06cxnps4075.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id w8J7wRKi62193732 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Wed, 19 Sep 2018 07:58:27 GMT Received: from d06av23.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 6DAD3A4065; Wed, 19 Sep 2018 10:58:12 +0100 (BST) Received: from d06av23.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 0D832A4053; Wed, 19 Sep 2018 10:58:11 +0100 (BST) Received: from swastik.in.ibm.com (unknown [9.124.31.41]) by d06av23.portsmouth.uk.ibm.com (Postfix) with ESMTP; Wed, 19 Sep 2018 10:58:10 +0100 (BST) From: Nayna Jain To: linux-integrity@vger.kernel.org Cc: zohar@linux.ibm.com, linux-security-module@vger.kernel.org, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com, Nayna Jain Subject: [PATCH v3 4/6] ima: add support for arch specific policies Date: Wed, 19 Sep 2018 13:25:20 +0530 X-Mailer: git-send-email 2.13.6 In-Reply-To: <20180919075522.7684-1-nayna@linux.vnet.ibm.com> References: <20180919075522.7684-1-nayna@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 18091907-0008-0000-0000-0000027363FA X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 18091907-0009-0000-0000-000021DBBBEF Message-Id: <20180919075522.7684-5-nayna@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2018-09-19_03:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=3 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1807170000 definitions=main-1809190083 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Builtin IMA policies can be enabled on the boot command line, and replaced with a custom policy, normally during early boot in the initramfs. Build time IMA policy rules were recently added. These rules are automatically enabled on boot and persist after loading a custom policy. There is a need for yet another type of policy, an architecture specific policy, which is derived at runtime during kernel boot, based on the runtime secure boot flags. Like the build time policy rules, these rules persist after loading a custom policy. This patch adds support for loading an architecture specific IMA policy. Signed-off-by: Nayna Jain - Defined function to convert the arch policy strings to an array of ima_entry_rules. The memory can then be freed after loading a custom policy. - Rename ima_get_arch_policy to arch_get_ima_policy. Signed-off-by: Mimi Zohar - Modified ima_init_arch_policy() and ima_init_policy() to use add_rules() from previous patch. Signed-off-by: Nayna Jain --- include/linux/ima.h | 5 +++ security/integrity/ima/ima_policy.c | 70 +++++++++++++++++++++++++++++++++++-- 2 files changed, 73 insertions(+), 2 deletions(-) diff --git a/include/linux/ima.h b/include/linux/ima.h index 4852255aa4f4..350fa957f8a6 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -39,6 +39,11 @@ static inline bool arch_ima_get_secureboot(void) } #endif +static inline const char * const *arch_get_ima_policy(void) +{ + return NULL; +} + #else static inline int ima_bprm_check(struct linux_binprm *bprm) { diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index b58906a05736..23f3aa214016 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -20,6 +20,7 @@ #include #include #include +#include #include "ima.h" @@ -195,6 +196,9 @@ static struct ima_rule_entry secure_boot_rules[] __ro_after_init = { .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, }; +/* An array of architecture specific rules */ +struct ima_rule_entry *arch_policy_entry __ro_after_init; + static LIST_HEAD(ima_default_rules); static LIST_HEAD(ima_policy_rules); static LIST_HEAD(ima_temp_rules); @@ -492,7 +496,6 @@ static void add_rules(struct ima_rule_entry *entries, int count, if (!entry) continue; - INIT_LIST_HEAD(&entry->list); list_add_tail(&entry->list, &ima_policy_rules); } if (entries[i].action == APPRAISE) @@ -502,6 +505,48 @@ static void add_rules(struct ima_rule_entry *entries, int count, } } +static int ima_parse_rule(char *rule, struct ima_rule_entry *entry); + +static int __init ima_init_arch_policy(void) +{ + const char * const *arch_rules; + const char * const *rules; + int arch_entries = 0; + int i = 0; + + arch_rules = arch_get_ima_policy(); + if (!arch_rules) + return arch_entries; + + /* Get number of rules */ + for (rules = arch_rules; *rules != NULL; rules++) + arch_entries++; + + arch_policy_entry = kcalloc(arch_entries + 1, + sizeof(*arch_policy_entry), GFP_KERNEL); + if (!arch_policy_entry) + return 0; + + /* Convert each policy string rules to struct ima_rule_entry format */ + for (rules = arch_rules, i = 0; *rules != NULL; rules++) { + char rule[255]; + int result; + + result = strlcpy(rule, *rules, sizeof(rule)); + + INIT_LIST_HEAD(&arch_policy_entry[i].list); + result = ima_parse_rule(rule, &arch_policy_entry[i]); + if (result) { + pr_warn("Skipping unknown architecture policy rule: %s\n", rule); + memset(&arch_policy_entry[i], 0, + sizeof(*arch_policy_entry)); + continue; + } + i++; + } + return i; +} + /** * ima_init_policy - initialize the default measure rules. * @@ -510,7 +555,7 @@ static void add_rules(struct ima_rule_entry *entries, int count, */ void __init ima_init_policy(void) { - int build_appraise_entries; + int build_appraise_entries, arch_entries; /* if !ima_policy, we load NO default rules */ if (ima_policy) @@ -532,6 +577,19 @@ void __init ima_init_policy(void) } /* + * Based on runtime secure boot flags, insert arch specific measurement + * and appraise rules requiring file signatures for both the initial + * and custom policies, prior to other appraise rules. + * (Highest priority) + */ + arch_entries = ima_init_arch_policy(); + if (!arch_entries) + pr_info("No architecture policies found\n"); + else + add_rules(arch_policy_entry, arch_entries, + IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY); + + /* * Insert the builtin "secure_boot" policy rules requiring file * signatures, prior to any other appraise rules. */ @@ -592,6 +650,14 @@ void ima_update_policy(void) if (ima_rules != policy) { ima_policy_flag = 0; ima_rules = policy; + + /* + * IMA architecture specific policy rules are specified + * as strings and converted to an array of ima_entry_rules + * on boot. After loading a custom policy, free the + * architecture specific rules stored as an array. + */ + kfree(arch_policy_entry); } ima_update_policy_flag(); } -- 2.13.6