Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp113612pxa; Tue, 4 Aug 2020 18:15:18 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxiP/1yCK7WRgeQp6UsX9tZVJI7YVsNDbrIXye5ji3kBTh5sN1ZdsDm/TMTPZPGXMvoNIfB X-Received: by 2002:a17:906:3b45:: with SMTP id h5mr870482ejf.136.1596590118339; Tue, 04 Aug 2020 18:15:18 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1596590118; cv=none; d=google.com; s=arc-20160816; b=QQXFTYCJo5Zr6+mItr3Aj4ZhQFDxAb8vIteHNKOd58+hKQfzsmy13b8ORUKDGvp2Oh s5eioFURpYyjMl9fo0PCjhuegLxo6nlsORVR0uS4gLsZXrEZZMLHE4tKi8e5WUexexXz EXW4aXGkDIfuKEpEs8SixTJtQK+L8FHlI/2XUa8Xr9iEYabOV+ZH2e+faQVMNASoyAgk gvA5323kbey61jvyRSe0rRiksKVqeLuYT2pen77BYV3bZZIbesDpQ7eG5i7dhuSUy14P P8nLHx+yNshN65djvue9SL7RLP3AiK4jDmSXWWz+CZfsUMHXsIQCNCeXZaKkWkRzzJ9N 895Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dkim-signature:dkim-filter; bh=pB9tfJI+Mi5/kik0aQ3aA0nv5uOOIUeHWkkSk/Xfujo=; b=W9KkqAZgMMdOXEN9pKxk8b1GicMw0Ys6WcJtsEJlcADCzwhRJfpmAfij/AD02NM9Gv aDZVKQ2G6NaaB42FWqdORmbld8R3n+0zlm4MqeobYMu57gjnfK1wxa6Q3S5f6xEF/Y8g 0bo40OzLB3TAymim5cHxN/Ia2EllSgUJOrBiXoQsi32ghslhRVDQEyVx4TuIirO25xBz wSrrT/kj/9t/TU5vJChKIUJMt+Xzwt3D6sb0BvfAkfJGcfFzmy3RhoR+03PhR58VCcwO +tbGxDP9ylIbKPl0XHJyh/JPUJYW8kSxRkcisuFpXYr9GvGjXYLa/Ftu4EJ4oLADB+c/ xy9g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linux.microsoft.com header.s=default header.b=EbI78P7a; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id rl26si299235ejb.568.2020.08.04.18.14.52; Tue, 04 Aug 2020 18:15:18 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linux.microsoft.com header.s=default header.b=EbI78P7a; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726799AbgHEBOl (ORCPT + 99 others); Tue, 4 Aug 2020 21:14:41 -0400 Received: from linux.microsoft.com ([13.77.154.182]:42320 "EHLO linux.microsoft.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725863AbgHEBOl (ORCPT ); Tue, 4 Aug 2020 21:14:41 -0400 Received: from [192.168.0.104] (c-73-42-176-67.hsd1.wa.comcast.net [73.42.176.67]) by linux.microsoft.com (Postfix) with ESMTPSA id 7C12820B4908; Tue, 4 Aug 2020 18:14:40 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 7C12820B4908 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1596590080; bh=pB9tfJI+Mi5/kik0aQ3aA0nv5uOOIUeHWkkSk/Xfujo=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From; b=EbI78P7aDi5mfRJqIsbxK5gSUDMZJRJp/gj2DLzS10v74xXb4N4dR9l+KIT+gaRM5 CJBMkGNUsbZ+OoWuW/9qBMwGJ8DYiXCz6/6XcxRM6YrDhOn3Z0+jRiT1fQOW8LLDI5 EeSAg0z5plYEDTyUOIy9vOOnUMnF1ZdmyRhRk+/8= Subject: Re: [PATCH v6 0/4] LSM: Measure security module data To: Casey Schaufler , zohar@linux.ibm.com, stephen.smalley.work@gmail.com Cc: tyhicks@linux.microsoft.com, sashal@kernel.org, jmorris@namei.org, linux-integrity@vger.kernel.org, selinux@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org References: <20200805004331.20652-1-nramas@linux.microsoft.com> From: Lakshmi Ramasubramanian Message-ID: <50587a3e-bcb5-c68e-c16c-41baf68b4d4a@linux.microsoft.com> Date: Tue, 4 Aug 2020 18:14:36 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 8/4/20 6:04 PM, Casey Schaufler wrote: > On 8/4/2020 5:43 PM, Lakshmi Ramasubramanian wrote: >> Critical data structures of security modules are currently not measured. >> Therefore an attestation service, for instance, would not be able to >> attest whether the security modules are always operating with the policies >> and configuration that the system administrator had setup. The policies >> and configuration for the security modules could be tampered with by >> malware by exploiting kernel vulnerabilities or modified through some >> inadvertent actions on the system. Measuring such critical data would >> enable an attestation service to better assess the state of the system. > > I still wonder why you're calling this an LSM change/feature when > all the change is in IMA and SELinux. You're not putting anything > into the LSM infrastructure, not are you using the LSM infrastructure > to achieve your ends. Sure, you *could* support other security modules > using this scheme, but you have a configuration dependency on > SELinux, so that's at best going to be messy. If you want this to > be an LSM "feature" you need to use the LSM hooking mechanism. > > I'm not objecting to the feature. It adds value. But as you've > implemented it it is either an IMA extension to SELinux, or an > SELiux extension to IMA. Could AppArmor add hooks for this without > changing the IMA code? It doesn't look like it to me. The check in IMA to allow the new IMA hook func LSM_STATE and LSM_POLICY when SELinux is enabled is just because SELinux is the only security module using these hooks now. To enable AppArmor, for instance, to use the new IMA hooks to measure state and policy would just require adding the check for CONFIG_SECURITY_APPARMOR. Other than that, there are no IMA changes needed to support AppArmor or other such security modules. Please see Patch 1/4 + else if (IS_ENABLED(CONFIG_SECURITY_SELINUX) && + strcmp(args[0].from, "LSM_STATE") == 0) + entry->func = LSM_STATE; + else if (IS_ENABLED(CONFIG_SECURITY_SELINUX) && + strcmp(args[0].from, "LSM_POLICY") == 0) + entry->func = LSM_POLICY; And, if early boot measurement is needed for AppArmor the following change in IMA's Kconfig Patch 4/4 +config IMA_QUEUE_EARLY_BOOT_DATA bool + depends on SECURITY_SELINUX || (IMA_MEASURE_ASYMMETRIC_KEYS && SYSTEM_TRUSTED_KEYRING) default y If you think calling this an "LSM feature" is not appropriate, please suggest a better phrase. But like I said above, with minimal change in IMA other security modules can be supported to measure STATE and POLICY data. -lakshmi