Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp905516imu; Fri, 16 Nov 2018 12:11:35 -0800 (PST) X-Google-Smtp-Source: AJdET5fvXozfdHX4BLzI2AWNo6CghVX6U88dhgB4KD9tBNFuGXLd7blOGX21kvKltc4f0ayOoxDb X-Received: by 2002:a63:a552:: with SMTP id r18mr11281509pgu.176.1542399095768; Fri, 16 Nov 2018 12:11:35 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1542399095; cv=none; d=google.com; s=arc-20160816; b=dnz+gFEoTBspjd3RdV5rx8rQGOASAWlDjsbC+kGsizW9UcDWm/7WCmAlrhihuH4eDu Nq64Xz5lRcyGZk1BcD2ivIblC5lD5lI3ZVxn4YZDdMTp5WVuefl7ynoqdxppFVbzuMFU pj2g9lOGId6qOwg2/NNjFzfcBYhrvIlIAH8TehOKdoeb67ot+zYp0MULHPJPHIFnE1LS qe4VwoplFeVOXJajDY9MRpPx4WJ9WSit3EHgVyajbuXjAldECNmQZE0INxazCkvcPVWT d+yyItfibJtGDYHBiAZjTIBXCDuzc8qMJx2ViNkTGkDoAsLU4Lf7mXpLemneABUzgGWw xnsA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:references:in-reply-to:date :subject:cc:to:from; bh=AqyPHpRUG/DD9s+1KQAkHX1KWTRichYLlnBSBhxk8vM=; b=PpC4CU1PtcMu0+AlT0OmVt30i5Fa0G4hXPtOTVKZZ+pBajy87lrdI1IZIvpsntjvpx gzbCoZcC5Co+03bo/kPtGFa8kuINtuOQRKpLKejTFmncHhuExEZDeXDwv/4tVEX06NLT NhH8+4io6BWfbZiYaJQQq3UdJuRNztjdYSZ69f98iFaqEIrd3D/0VOAUpAm+v/owPNdh JmDDzggkKCsHMIKXTtwuvI9J2FL4BzCF5oHlPInBty9dFi8ethyCcJds2psORpjYLNEC rAeDXgXtzjGsYWNrq9sjmUjnc9TYr92+ZHQWX6fLrL671HNGK5FxDVqPOpaz2jQe1aQ8 7V+Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g22si17311873pfj.222.2018.11.16.12.11.20; Fri, 16 Nov 2018 12:11:35 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727261AbeKQGYO (ORCPT + 99 others); Sat, 17 Nov 2018 01:24:14 -0500 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:60184 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1725964AbeKQGYN (ORCPT ); Sat, 17 Nov 2018 01:24:13 -0500 Received: from pps.filterd (m0098419.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id wAGKAKF6122626 for ; Fri, 16 Nov 2018 15:10:23 -0500 Received: from e11.ny.us.ibm.com (e11.ny.us.ibm.com [129.33.205.201]) by mx0b-001b2d01.pphosted.com with ESMTP id 2nt2cjwj8s-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Fri, 16 Nov 2018 15:10:19 -0500 Received: from localhost by e11.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Fri, 16 Nov 2018 20:09:11 -0000 Received: from b01cxnp22036.gho.pok.ibm.com (9.57.198.26) by e11.ny.us.ibm.com (146.89.104.198) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Fri, 16 Nov 2018 20:09:05 -0000 Received: from b01ledav006.gho.pok.ibm.com (b01ledav006.gho.pok.ibm.com [9.57.199.111]) by b01cxnp22036.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id wAGK93iC31260838 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Fri, 16 Nov 2018 20:09:04 GMT Received: from b01ledav006.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id DA752AC062; Fri, 16 Nov 2018 20:09:03 +0000 (GMT) Received: from b01ledav006.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 0051BAC059; Fri, 16 Nov 2018 20:09:00 +0000 (GMT) Received: from morokweng.localdomain.com (unknown [9.80.224.199]) by b01ledav006.gho.pok.ibm.com (Postfix) with ESMTP; Fri, 16 Nov 2018 20:08:59 +0000 (GMT) From: Thiago Jung Bauermann To: linux-integrity@vger.kernel.org Cc: linux-security-module@vger.kernel.org, keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, Mimi Zohar , Dmitry Kasatkin , James Morris , "Serge E. Hallyn" , David Howells , David Woodhouse , Jessica Yu , Herbert Xu , "David S. Miller" , Jonathan Corbet , "AKASHI, Takahiro" , Thiago Jung Bauermann Subject: [PATCH v8 10/14] ima: Add modsig appraise_type option for module-style appended signatures Date: Fri, 16 Nov 2018 18:07:08 -0200 X-Mailer: git-send-email 2.17.2 In-Reply-To: <20181116200712.14154-1-bauerman@linux.ibm.com> References: <20181116200712.14154-1-bauerman@linux.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 18111620-2213-0000-0000-00000318DE72 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00010063; HX=3.00000242; KW=3.00000007; PH=3.00000004; SC=3.00000270; SDB=6.01118417; UDB=6.00580177; IPR=6.00898526; MB=3.00024197; MTD=3.00000008; XFM=3.00000015; UTC=2018-11-16 20:09:09 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 18111620-2214-0000-0000-00005C46B11F Message-Id: <20181116200712.14154-11-bauerman@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2018-11-16_11:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=1 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1811160179 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Introduce the modsig keyword to the IMA policy syntax to specify that a given hook should expect the file to have the IMA signature appended to it. Here is how it can be used in a rule: appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig With this rule, IMA will accept either a signature stored in the extended attribute or an appended signature. For now, the rule above will behave exactly the same as if appraise_type=imasig was specified. The actual modsig implementation will be introduced separately. Suggested-by: Mimi Zohar Signed-off-by: Thiago Jung Bauermann --- Documentation/ABI/testing/ima_policy | 6 +++++- security/integrity/ima/Kconfig | 10 +++++++++ security/integrity/ima/Makefile | 1 + security/integrity/ima/ima.h | 9 ++++++++ security/integrity/ima/ima_modsig.c | 31 ++++++++++++++++++++++++++++ security/integrity/ima/ima_policy.c | 12 +++++++++-- security/integrity/integrity.h | 1 + 7 files changed, 67 insertions(+), 3 deletions(-) diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy index 74c6702de74e..9d1dfd0a8891 100644 --- a/Documentation/ABI/testing/ima_policy +++ b/Documentation/ABI/testing/ima_policy @@ -37,7 +37,7 @@ Description: euid:= decimal value fowner:= decimal value lsm: are LSM specific - option: appraise_type:= [imasig] + option: appraise_type:= [imasig] [imasig|modsig] pcr:= decimal value default policy: @@ -103,3 +103,7 @@ Description: measure func=KEXEC_KERNEL_CHECK pcr=4 measure func=KEXEC_INITRAMFS_CHECK pcr=5 + + Example of appraise rule allowing modsig appended signatures: + + appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index a18f8c6d13b5..bba19f9ea184 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig @@ -231,6 +231,16 @@ config IMA_APPRAISE_BOOTPARAM This option enables the different "ima_appraise=" modes (eg. fix, log) from the boot command line. +config IMA_APPRAISE_MODSIG + bool "Support module-style signatures for appraisal" + depends on IMA_APPRAISE + default n + help + Adds support for signatures appended to files. The format of the + appended signature is the same used for signed kernel modules. + The modsig keyword can be used in the IMA policy to allow a hook + to accept such signatures. + config IMA_TRUSTED_KEYRING bool "Require all keys on the .ima keyring be signed (deprecated)" depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING diff --git a/security/integrity/ima/Makefile b/security/integrity/ima/Makefile index d921dc4f9eb0..31d57cdf2421 100644 --- a/security/integrity/ima/Makefile +++ b/security/integrity/ima/Makefile @@ -9,5 +9,6 @@ obj-$(CONFIG_IMA) += ima.o ima-y := ima_fs.o ima_queue.o ima_init.o ima_main.o ima_crypto.o ima_api.o \ ima_policy.o ima_template.o ima_template_lib.o ima-$(CONFIG_IMA_APPRAISE) += ima_appraise.o +ima-$(CONFIG_IMA_APPRAISE_MODSIG) += ima_modsig.o ima-$(CONFIG_HAVE_IMA_KEXEC) += ima_kexec.o obj-$(CONFIG_IMA_BLACKLIST_KEYRING) += ima_mok.o diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index f0bc2a182cbf..69c06e2d7bd6 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -299,6 +299,15 @@ static inline int ima_read_xattr(struct dentry *dentry, #endif /* CONFIG_IMA_APPRAISE */ +#ifdef CONFIG_IMA_APPRAISE_MODSIG +bool ima_hook_supports_modsig(enum ima_hooks func); +#else +static inline bool ima_hook_supports_modsig(enum ima_hooks func) +{ + return false; +} +#endif /* CONFIG_IMA_APPRAISE_MODSIG */ + /* LSM based policy rules require audit */ #ifdef CONFIG_IMA_LSM_RULES diff --git a/security/integrity/ima/ima_modsig.c b/security/integrity/ima/ima_modsig.c new file mode 100644 index 000000000000..84d428cbbca8 --- /dev/null +++ b/security/integrity/ima/ima_modsig.c @@ -0,0 +1,31 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * IMA support for appraising module-style appended signatures. + * + * Copyright (C) 2018 IBM Corporation + * + * Author: + * Thiago Jung Bauermann + */ + +#include "ima.h" + +/** + * ima_hook_supports_modsig - can the policy allow modsig for this hook? + * + * modsig is only supported by hooks using ima_post_read_file, because only they + * preload the contents of the file in a buffer. FILE_CHECK does that in some + * cases, but not when reached from vfs_open. POLICY_CHECK can support it, but + * it's not useful in practice because it's a text file so deny. + */ +bool ima_hook_supports_modsig(enum ima_hooks func) +{ + switch (func) { + case FIRMWARE_CHECK: + case KEXEC_KERNEL_CHECK: + case KEXEC_INITRAMFS_CHECK: + return true; + default: + return false; + } +} diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index fd31e42c2bad..3e5a64053aa8 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -1034,6 +1034,10 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) ima_log_string(ab, "appraise_type", args[0].from); if ((strcmp(args[0].from, "imasig")) == 0) entry->flags |= IMA_DIGSIG_REQUIRED; + else if (ima_hook_supports_modsig(entry->func) && + strcmp(args[0].from, "imasig|modsig") == 0) + entry->flags |= IMA_DIGSIG_REQUIRED + | IMA_MODSIG_ALLOWED; else result = -EINVAL; break; @@ -1326,8 +1330,12 @@ int ima_policy_show(struct seq_file *m, void *v) } } } - if (entry->flags & IMA_DIGSIG_REQUIRED) - seq_puts(m, "appraise_type=imasig "); + if (entry->flags & IMA_DIGSIG_REQUIRED) { + if (entry->flags & IMA_MODSIG_ALLOWED) + seq_puts(m, "appraise_type=imasig|modsig "); + else + seq_puts(m, "appraise_type=imasig "); + } if (entry->flags & IMA_PERMIT_DIRECTIO) seq_puts(m, "permit_directio "); rcu_read_unlock(); diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index ae3c79c63674..a55dcd235dc0 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -36,6 +36,7 @@ #define IMA_NEW_FILE 0x04000000 #define EVM_IMMUTABLE_DIGSIG 0x08000000 #define IMA_FAIL_UNVERIFIABLE_SIGS 0x10000000 +#define IMA_MODSIG_ALLOWED 0x20000000 #define IMA_DO_MASK (IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \ IMA_HASH | IMA_APPRAISE_SUBMASK)