Received: by 2002:a05:6a10:16a7:0:0:0:0 with SMTP id gp39csp1653974pxb; Fri, 6 Nov 2020 15:54:15 -0800 (PST) X-Google-Smtp-Source: ABdhPJys78vduxcmhgKhUlfDhONpkMYHRZDLr27fXk1ujYzLUKFFWOWiC5gT3j5GXHO2xJVBb/Sf X-Received: by 2002:a17:906:3ada:: with SMTP id z26mr4380411ejd.151.1604706855021; Fri, 06 Nov 2020 15:54:15 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1604706855; cv=none; d=google.com; s=arc-20160816; b=GhWWLd/DOiOwjGt63RgprcKuaMiLucUQsGIpRcf1woelmydZuuGdKUL5/rxsr0iAur 47bdFmAaX7vd8Fux7g7vw1XJ2cOMSLa5K36ud7DD+x2e8dpv71nKbHoGM6mRZIIVcLgv OLnHMqHOVM32+YXS2DjseYZRIyHX5kJM2UVYIqcYcDRhPT+S+WLVgAkC63dm3I2NpxxH la7kvUkHKaoV9/nxJp5dvw+xa/mFoYa1hDH0weKdnJH9Phf9z/KPbpY+BPNxhATVVo1Z p8wLAOvtOSbgCsG2gfi85shnIiMsVD2CRftJExuJP7V483DYLrP9+kZIy+aHSaSe203F MCng== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:references:cc :to:from:subject:dkim-signature:dkim-filter; bh=kxGG60RxNjicxicPDbW3b+qxMgL79W4w0YXfA5Y3vXU=; b=LZ4r78Hp5i2TxUAfG8jJCkguN778eut+Dmx9TIaxANlpBGIExaDY7/cHpkHs4iHWjX SGMot0gNNusSledb276mGi839RDO+K0JHtIjAEcurrSt/clbCRosQeBR4fqpPdWDiEUX oS8SY4NMqv929PZzVdSrjFIch4kOzLOB9W0G8J0EBjQkjsnp86w6AuAuWV7Vi0m5m0TC tAdQQlKlhixYDOiPnEJ1tN733DEuIzz47b83yrV7luPx9oFYoxUdFIfTqLJgHEQ1qIfh ssQSvfVgnXMCbhwRsrYwin/okX7J/YsiWm7EXZ6U/nyAHFTZznSfQU3sFYIBThhjIIri ytHg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linux.microsoft.com header.s=default header.b=ex4EsTrt; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id w22si2204187edl.537.2020.11.06.15.53.52; Fri, 06 Nov 2020 15:54:15 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linux.microsoft.com header.s=default header.b=ex4EsTrt; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728259AbgKFXwR (ORCPT + 99 others); Fri, 6 Nov 2020 18:52:17 -0500 Received: from linux.microsoft.com ([13.77.154.182]:35246 "EHLO linux.microsoft.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727257AbgKFXv5 (ORCPT ); Fri, 6 Nov 2020 18:51:57 -0500 Received: from [192.168.0.104] (c-73-42-176-67.hsd1.wa.comcast.net [73.42.176.67]) by linux.microsoft.com (Postfix) with ESMTPSA id 65C7C20B4905; Fri, 6 Nov 2020 15:51:56 -0800 (PST) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 65C7C20B4905 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1604706716; bh=kxGG60RxNjicxicPDbW3b+qxMgL79W4w0YXfA5Y3vXU=; h=Subject:From:To:Cc:References:Date:In-Reply-To:From; b=ex4EsTrt+j5vt4L1eNjZYdFgpeTFKDoZ5jgR2zpjEXTnRPKKHXcfm+Ynn9jNE9hvc NwVziSgFGzqJfvGTP9cytdr4U6rByB3I49bfWK3vXJZSrSfWDqjltnJgYD04Tksm/k Gr8k8DbOaTjLewSUY1EooTrwSI9KK+zMWouAhXG4= Subject: Re: [PATCH v5 6/7] IMA: add critical_data to the built-in policy rules From: Lakshmi Ramasubramanian To: Mimi Zohar , Tushar Sugandhi , stephen.smalley.work@gmail.com, casey@schaufler-ca.com, agk@redhat.com, snitzer@redhat.com, gmazyland@gmail.com, paul@paul-moore.com Cc: tyhicks@linux.microsoft.com, sashal@kernel.org, jmorris@namei.org, linux-integrity@vger.kernel.org, selinux@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dm-devel@redhat.com References: <20201101222626.6111-1-tusharsu@linux.microsoft.com> <20201101222626.6111-7-tusharsu@linux.microsoft.com> <7219f4404bc1bed6eb090b94363c283ec3266a17.camel@linux.ibm.com> Message-ID: Date: Fri, 6 Nov 2020 15:51:51 -0800 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=iso-8859-15; format=flowed Content-Language: en-US Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 11/6/20 7:37 AM, Lakshmi Ramasubramanian wrote: Hi Mimi, > >> Hi Lakshmi, Tushar, >> >> This patch defines a new critical_data builtin policy.? Please update >> the Subject line. >> >> On Sun, 2020-11-01 at 14:26 -0800, Tushar Sugandhi wrote: >>> From: Lakshmi Ramasubramanian >>> >>> The IMA hook to measure kernel critical data, namely >>> ima_measure_critical_data(), could be called before a custom IMA policy >>> is loaded. For example, SELinux calls ima_measure_critical_data() to >>> measure its state and policy when they are initialized. This occurs >>> before a custom IMA policy is loaded, and hence IMA hook will not >>> measure the data. A built-in policy is therefore needed to measure >>> critical data provided by callers before a custom IMA policy is loaded. >> >> ^Define a new critical data builtin policy to allow measuring early >> kernel integrity critical data before a custom IMA policy is loaded. > > I will add the above line in the patch description. > >> >> Either remove the references to SELinux or move this patch after the >> subsequent patch which measures SELinux critical data. > > I will remove the reference to SELinux. > I think it would be better to have this patch before the SELinux > measurement patch. > >> >>> >>> Add CRITICAL_DATA to built-in IMA rules if the kernel command line >>> contains "ima_policy=critical_data". Set the IMA template for this rule >>> to "ima-buf" since ima_measure_critical_data() measures a buffer. >>> >>> Signed-off-by: Lakshmi Ramasubramanian >> >>> --- >>> ? security/integrity/ima/ima_policy.c | 32 +++++++++++++++++++++++++++++ >>> ? 1 file changed, 32 insertions(+) >>> >>> diff --git a/security/integrity/ima/ima_policy.c >>> b/security/integrity/ima/ima_policy.c >>> index ec99e0bb6c6f..dc8fe969d3fe 100644 >>> --- a/security/integrity/ima/ima_policy.c >>> +++ b/security/integrity/ima/ima_policy.c >> >>> @@ -875,6 +884,29 @@ void __init ima_init_policy(void) >>> ??????????????? ARRAY_SIZE(default_appraise_rules), >>> ??????????????? IMA_DEFAULT_POLICY); >>> +??? if (ima_use_critical_data) { >>> +??????? template = lookup_template_desc("ima-buf"); >>> +??????? if (!template) { >>> +??????????? ret = -EINVAL; >>> +??????????? goto out; >>> +??????? } >>> + >>> +??????? ret = template_desc_init_fields(template->fmt, >>> +??????????????????????? &(template->fields), >>> +??????????????????????? &(template->num_fields)); >> >> The default IMA template when measuring buffer data is "ima_buf".?? Is >> there a reason for allocating and initializing it here and not >> deferring it until process_buffer_measurement()? >> > > You are right - good catch. > I will remove the above and validate. > process_buffer_measurement() allocates and initializes "ima-buf" template only when the parameter "func" is NONE. Currently, only ima_check_blacklist() passes NONE for func when calling process_buffer_measurement(). If "func" is anything other than NONE, ima_match_policy() picks the default IMA template if the IMA policy rule does not specify a template. We need to add "ima-buf" in the built-in policy for critical_data so that the default template is not used for buffer measurement. Please let me know if I am missing something. thanks, -lakshmi >> >>> +??????? if (ret) >>> +??????????? goto out; >>> + >>> +??????? critical_data_rules[0].template = template; >>> +??????? add_rules(critical_data_rules, >>> +????????????? ARRAY_SIZE(critical_data_rules), >>> +????????????? IMA_DEFAULT_POLICY); >>> +??? } >>> + >>> +out: >>> +??? if (ret) >>> +??????? pr_err("%s failed, result: %d\n", __func__, ret); >>> + >>> ????? ima_update_policy_flag(); >>> ? } >> >