Received: by 2002:a05:6902:102b:0:0:0:0 with SMTP id x11csp1609270ybt; Mon, 15 Jun 2020 05:02:57 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwkN/nvStPCSaV5d6OR66w8tBmryCLDptvgt8jpO2+8BF6pv1eicjVKq8GoH9RLnHv6C85O X-Received: by 2002:a05:6402:148d:: with SMTP id e13mr24108834edv.200.1592222576905; Mon, 15 Jun 2020 05:02:56 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1592222576; cv=none; d=google.com; s=arc-20160816; b=XpiCO9aBOqkk4qEsBO3wxx8EssL5kj8emSISSW2usqr8xwt4d0LfK8CZEF521yDkBw IbvHT1NT9W/CSNHfsariTfZeQeMQmMZ+wGlwKZYp3aWF2XNcRUgrrE1ctSpUTBWhmEth mrb2E9TZyEe/fR2yfNTnY43s2I/hbdFXyEbTIcd0g45siseQxId9IGNF60mEuBNv6ifs gHcyPH/Ec4OLitaTbQBLB/MvJ2oEREAWGgHcCNmdcqt4YN5gl5EzRaV9x7loInLdvgs1 8Ksm6hO+Q53sILuKzHXJ98Tt77p7G5CgUJCjN/qdqmbatFX7lBrHHeV2TJcKvGoPe857 HMjQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=R0P5cMrSEK9Tm95O2ZpUaePqKfNHRhXx34xpHo5o2b0=; b=o79pPvyU+9fQm78MWAYW0NF2TeV6CSA4KrC0H+7SgaNsyL/LXxkoxNjb0PDVwWIIE8 PACbgTsrnXA4ybVHLu1DIy0pMEo09hcQTnUlqAHpfEo+xiyX1GqBgP1byA0y7eV/982k iCrgZg1I/waG+tIjjbgZAYVQEF6dZVNsh6h5KTm6Ns286tcuRr8bxRztSJU/7UVCcK2K qN6SKH5I+DZ2ETFm0XIUQC+zFTnfUN+92Z5NfrYn5qevl+zCW1j7XDPrjotXq+M0c9cP PlgLP86CU/V2lvpvA/xeizKiweeEqPOja8qTmyOhzD8fTr1Ke9aNORG+IUaKX5IbMCYu Avbw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=KKFPDnAT; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id cy2si8206682edb.36.2020.06.15.05.02.33; Mon, 15 Jun 2020 05:02:56 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=KKFPDnAT; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729788AbgFOL5y (ORCPT + 99 others); Mon, 15 Jun 2020 07:57:54 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42584 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728510AbgFOL5w (ORCPT ); Mon, 15 Jun 2020 07:57:52 -0400 Received: from mail-ot1-x341.google.com (mail-ot1-x341.google.com [IPv6:2607:f8b0:4864:20::341]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4BAF1C061A0E; Mon, 15 Jun 2020 04:57:52 -0700 (PDT) Received: by mail-ot1-x341.google.com with SMTP id m2so12847158otr.12; Mon, 15 Jun 2020 04:57:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=R0P5cMrSEK9Tm95O2ZpUaePqKfNHRhXx34xpHo5o2b0=; b=KKFPDnATCQdpxcvazDRCJ3tBuYdMbW0n+oIVf0fs9pLhg/wgMURu233HP+aFWAS1Ih A1OalkKQ+Y1PAIySt0DwvE+F+zfgnD4gos6GJAc/UviDZ5paVOFA/rgLs6vA8u/2+J2V kxKkqkiP/WbeaHlLiyBy478xI3B1pE7T1xcF3SrY9blbcToMfQ/SyrU8mk8Vw0DMntRU FUbMcvrzcSjKGs7yCoRERxjRd3YXUcOl0fw+WTQ1y8wwVMg+B35eFu9ebYbjT8rnXl9T YJvTL48DMeWUD50QkGb0mcKa9Zg2k0WFtH9jUhjSxd7dNJihH4EWyYsNzac4fP58wBgP mshw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=R0P5cMrSEK9Tm95O2ZpUaePqKfNHRhXx34xpHo5o2b0=; b=R4Df5u3Jma913mtN6DBX2Zr3XKHYGWHCv7K9CRfRDEx1saZO6XsVyPvyNp9G17HauA ljql7UUreUNc9IjL/2imAxkwaUm4WFeWXr2B+x6wkxRfmvyvlnCz31qzNAZB43r6LFSG ll22QWr4KdrkZUAaR5ze0/WyMMlAOnXBkuSe3rv4d0l0jEp14JsmqcaEXSwuLlquzzJ7 jg1UeNLepcBthF352Ea3HAJJ+TjUBniuFCu9Api+DxOp9HaBswho7wd4ljUe7m5t4naX J046PL4B01Fo+jrVbuseupH5Lj/Miog8B093Z2K7nQYG3nrQIeAJEfsPIj5AOJzwhe5R 3rAg== X-Gm-Message-State: AOAM533jpgPRSFirJv+dmAE6uHVnN2TxvfxM7I2DDYdSp4HZCUEhOJPK 7RF1eUJI9ql1z7lVanqv8h+NUp0QeVcaQMODdoI= X-Received: by 2002:a05:6830:2003:: with SMTP id e3mr20045702otp.89.1592222271339; Mon, 15 Jun 2020 04:57:51 -0700 (PDT) MIME-Version: 1.0 References: <20200613024130.3356-1-nramas@linux.microsoft.com> <20200613024130.3356-5-nramas@linux.microsoft.com> In-Reply-To: <20200613024130.3356-5-nramas@linux.microsoft.com> From: Stephen Smalley Date: Mon, 15 Jun 2020 07:57:40 -0400 Message-ID: Subject: Re: [PATCH 4/5] LSM: Define SELinux function to measure security state To: Lakshmi Ramasubramanian Cc: Mimi Zohar , Stephen Smalley , Casey Schaufler , James Morris , linux-integrity@vger.kernel.org, LSM List , linux-kernel Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Jun 12, 2020 at 10:42 PM Lakshmi Ramasubramanian wrote: > > SELinux needs to implement the interface function, security_state(), for > the LSM to gather SELinux data for measuring. Define the security_state() > function in SELinux. > > The security modules should be able to notify the LSM when there is > a change in the module's data. Define a function namely > security_state_change() in the LSM that the security modules > can call to provide the updated data for measurement. > > Call security_state_change() function from SELinux to report data > when SELinux's state is updated. > > Signed-off-by: Lakshmi Ramasubramanian > --- > diff --git a/security/security.c b/security/security.c > index a6e2d1cd95af..e7175db5a093 100644 > --- a/security/security.c > +++ b/security/security.c > @@ -238,6 +238,11 @@ static void __init initialize_lsm(struct lsm_info *lsm) > } > } > > +void security_state_change(char *lsm_name, void *state, int state_len) > +{ > + ima_lsm_state(lsm_name, state, state_len); > +} > + What's the benefit of this trivial function instead of just calling ima_lsm_state() directly? > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index 7e954b555be6..bbc908a1fcd1 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -7225,6 +7225,47 @@ static __init int selinux_init(void) > return 0; > } > > +static int selinux_security_state(char **lsm_name, void **state, > + int *state_len) > +{ > + int rc = 0; > + char *new_state; > + static char *security_state_string = "enabled=%d;enforcing=%d"; > + > + *lsm_name = kstrdup("selinux", GFP_KERNEL); > + if (!*lsm_name) > + return -ENOMEM; > + > + new_state = kzalloc(strlen(security_state_string) + 1, GFP_KERNEL); > + if (!new_state) { > + kfree(*lsm_name); > + *lsm_name = NULL; > + rc = -ENOMEM; > + goto out; > + } > + > + *state_len = sprintf(new_state, security_state_string, > + !selinux_disabled(&selinux_state), > + enforcing_enabled(&selinux_state)); I think I mentioned this on a previous version of these patches, but I would recommend including more than just the enabled and enforcing states in your measurement. Other low-hanging fruit would be the other selinux_state booleans (checkreqprot, initialized, policycap[0..__POLICYDB_CAPABILITY_MAX]). Going a bit further one could take a hash of the loaded policy by using security_read_policy() and then computing a hash using whatever hash ima prefers over the returned data,len pair. You likely also need to think about how to allow future extensibility of the state in a backward-compatible manner, so that future additions do not immediately break systems relying on older measurements.