Subject: Re: [PATCH 2/2] SELinux: Measure state and hash of policy using IMA
From: Lakshmi Ramasubramanian
Date: Mon, 17 Aug 2020 16:20:24 -0700
To: Mimi Zohar, Casey Schaufler, Stephen Smalley
Cc: Tyler Hicks, tusharsu@linux.microsoft.com, sashal@kernel.org, James Morris, linux-integrity@vger.kernel.org, SElinux list, LSM List, linux-kernel, paul Moore

On 8/17/20 4:11 PM, Mimi Zohar wrote:
> On Mon, 2020-08-17 at 15:33 -0700, Lakshmi Ramasubramanian wrote:
>> On 8/17/20 3:00 PM, Casey Schaufler wrote:
>>> On 8/17/2020 2:31 PM, Mimi Zohar wrote:
>>>> On Thu, 2020-08-13 at 14:13 -0400, Stephen Smalley wrote:
>>>>> On Thu, Aug 13, 2020 at 2:03 PM Lakshmi Ramasubramanian
>>>>> wrote:
>>>>>> On 8/13/20 10:58 AM, Stephen Smalley wrote:
>>>>>>> On Thu, Aug 13, 2020 at 1:52 PM Lakshmi Ramasubramanian
>>>>>>> wrote:
>>>>>>>> On 8/13/20 10:42 AM, Stephen Smalley wrote:
>>>>>>>>
>>>>>>>>>> diff --git a/security/selinux/measure.c b/security/selinux/measure.c >>>>>>>>>> new file mode 100644 >>>>>>>>>> index 000000000000..f21b7de4e2ae >>>>>>>>>> --- /dev/null >>>>>>>>>> +++ b/security/selinux/measure.c
>>>>>>>>>> @@ -0,0 +1,204 @@ >>>>>>>>>> +static int selinux_hash_buffer(void *buf, size_t buf_len, >>>>>>>>>> + void **buf_hash, int *buf_hash_len) >>>>>>>>>> +{ >>>>>>>>>> + struct crypto_shash *tfm; >>>>>>>>>> + struct shash_desc *desc = NULL; >>>>>>>>>> + void *digest = NULL; >>>>>>>>>> + int desc_size; >>>>>>>>>> + int digest_size; >>>>>>>>>> + int ret = 0; >>>>>>>>>> + >>>>>>>>>> + tfm = crypto_alloc_shash("sha256", 0, 0); >>>>>>>>>> + if (IS_ERR(tfm)) >>>>>>>>>> + return PTR_ERR(tfm);
>>>>>>>>> Can we make the algorithm selectable via kernel parameter and/or writing
>>>>>>>>> to a new selinuxfs node?
>>>>>>>> I can add a kernel parameter to select this hash algorithm.
>>>>>>> Also can we provide a Kconfig option for the default value like IMA does?
>>>>>>>
>>>>>> Would we need both - Kconfig and kernel param?
>>>>>>
>>>>>> The other option is to provide an IMA function to return the current
>>>>>> hash algorithm used for measurement. That way a consistent hash
>>>>>> algorithm can be employed by both IMA and the callers. Would that be better?
>>>>> This is why I preferred just passing the serialized policy buffer to
>>>>> IMA and letting it handle the hashing. But apparently that approach
>>>>> wouldn't fly. IMA appears to support both a Kconfig option for
>>>>> selecting a default algorithm and a kernel parameter for overriding
>>>>> it. I assume the idea is that the distros can pick a reasonable
>>>>> default and then the end users can override that if they have specific
>>>>> requirements. I'd want the same for SELinux. If IMA is willing to
>>>>> export its hash algorithm to external components, then I'm willing to
>>>>> reuse that but not sure if that's a layering violation.
>>>> With the new ima_measure_critical_data() hook, I agree with you and
>>>> Casey it doesn't make sense for each caller to have to write their own
>>>> function. Casey suggested exporting IMA's hash function or defining a
>>>> new common hash function. There's nothing specific to IMA.
>>>
>>> Except that no one is going to use the function unless they're
>>> doing an IMA operation.
>>
>> Can we do the following instead:
>>
>> In ima_measure_critical_data() IMA hook, we can add another param for
>> the caller to indicate whether
>>
>> => The contents of "buf" needs to be measured
>> OR
>> => Hash of the contents of "buf" needs to be measured.
>>
>> This way IMA doesn't need to export any new function to meet the hashing
>> requirement.
>
> I'm not sure overloading the parameters is a good idea, but extending
> ima_measure_critical_data() to calculate a simple buffer hash should be
> fine.
>

Sorry I wasn't clear - I didn't mean to say overload existing parameters,
but extending the IMA hook to calculate the hash of the buffer - like the
following:

int ima_measure_critical_data(const char *event_name,
                              const char *event_data_source,
                              const void *buf, int buf_len,
                              bool measure_buf_hash);

If measure_buf_hash is true, IMA will calculate the hash of contents of
"buf" and measure the hash. Else, IMA will measure the contents of "buf".

  -lakshmi
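
Review bot: in selinux_hash_buffer(), the call crypto_alloc_shash("sha256", 0, 0) fixes the digest algorithm at a literal, so the policy hash cannot follow the algorithm IMA is configured to use for its own measurements; pass the algorithm name in, or read it from one configurable default, instead of hard-coding it. In the same signature, buf is a plain void * and the lengths mix size_t buf_len with int *buf_hash_len; for a function that hashes its input, const void *buf and a single unsigned length type would make the contract clearer and avoid a signed/unsigned conversion at the call site.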