From: Lakshmi Ramasubramanian
To: zohar@linux.ibm.com, stephen.smalley.work@gmail.com, casey@schaufler-ca.com
Cc: jmorris@namei.org, linux-integrity@vger.kernel.org, selinux@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2 1/5] IMA: Add LSM_STATE func to measure LSM data
Date: Thu, 16 Jul 2020 10:43:47 -0700
Message-Id: <20200716174351.20128-2-nramas@linux.microsoft.com>
In-Reply-To: <20200716174351.20128-1-nramas@linux.microsoft.com>
References: <20200716174351.20128-1-nramas@linux.microsoft.com>

Critical data structures of security modules need to be measured to enable an attestation service to verify if the policies and configuration have been set up correctly and that they haven't been tampered with at runtime. A new IMA policy is required for handling this measurement.

Define a new IMA policy func, namely LSM_STATE, to measure data provided by security modules.

Update ima_match_rules() to check for LSM_STATE and ima_parse_rule() to handle LSM_STATE.

Signed-off-by: Lakshmi Ramasubramanian
---
 Documentation/ABI/testing/ima_policy | 6 +++++-
 security/integrity/ima/ima.h | 1 +
 security/integrity/ima/ima_api.c | 2 +-
 security/integrity/ima/ima_policy.c | 29 +++++++++++++++++++++++-----
 4 files changed, 31 insertions(+), 7 deletions(-)

diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy index cd572912c593..355bc3eade33 100644 --- a/Documentation/ABI/testing/ima_policy +++ b/Documentation/ABI/testing/ima_policy
@@ -29,7 +29,7 @@ Description: base: func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK] [FIRMWARE_CHECK] [KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK] - [KEXEC_CMDLINE] [KEY_CHECK] + [KEXEC_CMDLINE] [KEY_CHECK] [LSM_STATE] mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND] [[^]MAY_EXEC] fsmagic:= hex value @@ -125,3 +125,7 @@ Description: keys added to .builtin_trusted_keys or .ima keyring: measure func=KEY_CHECK keyrings=.builtin_trusted_keys|.ima + + Example of measure rule using LSM_STATE to measure LSM data: + + measure func=LSM_STATE diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 4515975cc540..880fda11a61b 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -200,6 +200,7 @@ static inline unsigned int ima_hash_key(u8 *digest) hook(POLICY_CHECK, policy) \ hook(KEXEC_CMDLINE, kexec_cmdline) \ hook(KEY_CHECK, key) \ + hook(LSM_STATE, lsm_state) \ hook(MAX_CHECK, none) #define __ima_hook_enumify(ENUM, str) ENUM, diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index bf22de8b7ce0..0cebd2404dcf 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -176,7 +176,7 @@ void ima_add_violation(struct file *file, const unsigned char *filename, * subj=, obj=, type=, func=, mask=, fsmagic= * subj,obj, and type: are LSM specific. * func: FILE_CHECK | BPRM_CHECK | CREDS_CHECK | MMAP_CHECK | MODULE_CHECK - * | KEXEC_CMDLINE | KEY_CHECK + * | KEXEC_CMDLINE | KEY_CHECK | LSM_STATE * mask: contains the permission mask * fsmagic: hex value * diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 66aa3e17a888..fc8457d9242b 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c 
@@ -417,15 +417,31 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, const char *keyring) { int i; + int funcmatch = 0; - if ((func == KEXEC_CMDLINE) || (func == KEY_CHECK)) { + switch (func) { + case KEXEC_CMDLINE: + case KEY_CHECK: + case LSM_STATE: if ((rule->flags & IMA_FUNC) && (rule->func == func)) { if (func == KEY_CHECK) - return ima_match_keyring(rule, keyring, cred); - return true; - } - return false; + funcmatch = ima_match_keyring(rule, keyring, + cred) ? 1 : -1; + else + funcmatch = 1; + } else + funcmatch = -1; + + break; + + default: + funcmatch = 0; + break; } + + if (funcmatch) + return (funcmatch == 1) ? true : false; + if ((rule->flags & IMA_FUNC) && (rule->func != func && func != POST_SETATTR)) return false; @@ -1068,6 +1084,9 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) entry->func = KEXEC_CMDLINE; else if (strcmp(args[0].from, "KEY_CHECK") == 0) entry->func = KEY_CHECK; + else if (strcmp(args[0].from, "LSM_STATE") == 0) + entry->func = LSM_STATE; + else result = -EINVAL; if (!result) -- 2.27.0
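Review bot: the `@@ -125,3 +125,7 @@` hunk of Documentation/ABI/testing/ima_policy documents LSM_STATE only through the bare example `measure func=LSM_STATE` and never states what "LSM data" the rule measures, which security modules supply it, or which other rule conditions apply to it, whereas the KEY_CHECK example just above it at least names `keyrings=`. Add a sentence before the example describing what the measurement covers, and say whether conditions such as `uid=` or `fsmagic=` are honoured for this func, because the ima_match_rules() change in this same patch returns before any of them are evaluated.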
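Review bot: in the ima_match_rules() hunk (`@@ -417,15 +417,31 @@`) the switch plus tri-state `funcmatch` rewrite turns a two-line condition into roughly twenty lines with no change in behaviour; the minimal change is to extend the existing test to `if (func == KEXEC_CMDLINE || func == KEY_CHECK || func == LSM_STATE)` and keep the early returns. If the switch is kept, `default: funcmatch = 0;` only repeats the initializer, `return (funcmatch == 1) ? true : false;` reduces to `return funcmatch == 1;`, and `} else` followed by an unbraced single statement opposite a braced branch is against kernel coding style (brace both arms).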
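Review bot: the ima_parse_rule() hunk (`@@ -1068,6 +1084,9 @@`) accepts `func=LSM_STATE` for every action, yet the ABI documentation added by this patch describes LSM_STATE only in a measure rule; if appraise, audit, hash and their dont_ variants are not meaningful for LSM data, reject those action/func combinations with -EINVAL here rather than silently accepting a rule that can never do anything, or else document what the other actions mean for this func.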