Received: by 2002:a05:6a10:16a7:0:0:0:0 with SMTP id gp39csp841928pxb; Thu, 19 Nov 2020 15:29:25 -0800 (PST) X-Google-Smtp-Source: ABdhPJy7ePQlMepy/a8QeNHbYpFfZxYOiqN43MCaXFssYneBXdAM2UNsxvVWBQRbpbyS30hZNh1i X-Received: by 2002:a17:906:d0cd:: with SMTP id bq13mr29437142ejb.372.1605828565737; Thu, 19 Nov 2020 15:29:25 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1605828565; cv=none; d=google.com; s=arc-20160816; b=WVf3H7w4e9L5AyMUmbPrBd64wgMSian81Lupd5Gs1RvGbjRM2I6Co/823OOjn7YD8K P1dEKrzHinZjisUhOYfDZFlGAebP7zNli0ST9I2mLXo6Qqrt/qdh7Zzb3Mr6UxF09NKl ohsBVP09wsI3uMCUNkegqy/wkkGUXXuhVntasj3q85LWB9ZWd8EAPtV+pyhLbqWFUlLx nJprLMwJ13kyFjmPd2u5uQTcCZ6x+uhQdWRLnp9p+tpOfla6twaqXery0sHEx51MgM3k 5wUsagHF7YY37DGexG9Kb7tFiOHPoJXa01iQKLt9EiAa2F7ikO68oAKCj9owb6X131eG ebsg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:references:in-reply-to:message-id:date:subject :cc:to:from:dkim-signature:dkim-filter; bh=sxVlLAkqjda0ZXj26t6BGZjCQWun9IH/OvCSStwtKOs=; b=ZrhWDcfK32dpbG6s72x8gyAn+ct1oEA8TQ3azb+nvU7G30NoqqRJfYlCPGTtH6JcyJ 44flZhrFN2NNEcW+V7sB1w6twOt5DPznPJoBe+liyqMLgHVK6bHnq+P4v6Nlg+4srcKG 7cWhRUJrVWnK8lrOGzwCIC3goiDG6mknUZxRvdTCjqZZNNnBQupCXJUjamN4/jp19Qmn DmS69cXCZ3n/funsu+3mISeuF1PY7liudrwkYq8kCCdgXgbmfWxmRCof5ruYBwpr7Mid 2a1FcJB2LA3JdgkUqzTcUnJvbMsLdAgsU41OtDh1d4iUwaD1aYekNjo0dHKuVHe5eIpn sCmw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linux.microsoft.com header.s=default header.b=evICjJiY; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id pk19si674345ejb.413.2020.11.19.15.29.01; Thu, 19 Nov 2020 15:29:25 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linux.microsoft.com header.s=default header.b=evICjJiY; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727130AbgKSX03 (ORCPT + 99 others); Thu, 19 Nov 2020 18:26:29 -0500 Received: from linux.microsoft.com ([13.77.154.182]:32948 "EHLO linux.microsoft.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727060AbgKSX0Y (ORCPT ); Thu, 19 Nov 2020 18:26:24 -0500 Received: from tusharsu-Ubuntu.lan (c-71-197-163-6.hsd1.wa.comcast.net [71.197.163.6]) by linux.microsoft.com (Postfix) with ESMTPSA id B8C1E20B7125; Thu, 19 Nov 2020 15:26:22 -0800 (PST) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com B8C1E20B7125 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1605828383; bh=sxVlLAkqjda0ZXj26t6BGZjCQWun9IH/OvCSStwtKOs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=evICjJiYyEEAVnbZPLvH2k3cp2ZId1S4M7yN1pvKJnzRTwjpVmtENHoyn1Sov2Lwv 0zO/bW/WET+7WOMSQZKYOKOeK0peizS6Yh73HfWylcBoXJ27xXOM1Ydt2IhCU9ygpO cttU8Nfnxf8HKu4zYCr/qccZ4CO3J7jEtAHJTsLM= From: Tushar Sugandhi To: zohar@linux.ibm.com, stephen.smalley.work@gmail.com, casey@schaufler-ca.com, agk@redhat.com, snitzer@redhat.com, gmazyland@gmail.com, paul@paul-moore.com Cc: tyhicks@linux.microsoft.com, sashal@kernel.org, jmorris@namei.org, nramas@linux.microsoft.com, linux-integrity@vger.kernel.org, selinux@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dm-devel@redhat.com Subject: [PATCH v6 4/8] IMA: add policy rule to measure critical data Date: Thu, 19 Nov 2020 15:26:07 -0800 Message-Id: <20201119232611.30114-5-tusharsu@linux.microsoft.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20201119232611.30114-1-tusharsu@linux.microsoft.com> References: <20201119232611.30114-1-tusharsu@linux.microsoft.com> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org A new IMA policy rule is needed for the IMA hook ima_measure_critical_data() and the corresponding func CRITICAL_DATA for measuring the input buffer. The policy rule should ensure the buffer would get measured only when the policy rule allows the action. The policy rule should also support the necessary constraints (flags etc.) for integrity critical buffer data measurements. Add a policy rule to define the constraints for restricting integrity critical data measurements. Signed-off-by: Tushar Sugandhi --- security/integrity/ima/ima_policy.c | 35 +++++++++++++++++++++++++---- 1 file changed, 31 insertions(+), 4 deletions(-) diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 2a0c0603626e..583be7674f3e 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -34,6 +34,7 @@ #define IMA_PCR 0x0100 #define IMA_FSNAME 0x0200 #define IMA_KEYRINGS 0x0400 +#define IMA_DATA_SOURCES 0x0800 #define UNKNOWN 0 #define MEASURE 0x0001 /* same as IMA_MEASURE */ @@ -85,6 +86,7 @@ struct ima_rule_entry { } lsm[MAX_LSM_RULES]; char *fsname; struct ima_rule_opt_list *keyrings; /* Measure keys added to these keyrings */ + struct ima_rule_opt_list *data_sources; /* Measure data from these sources */ struct ima_template_desc *template; }; @@ -479,6 +481,12 @@ static bool ima_match_rule_data(struct ima_rule_entry *rule, else opt_list = rule->keyrings; break; + case CRITICAL_DATA: + if (!rule->data_sources) + return true; + else + opt_list = rule->data_sources; + break; default: break; } @@ -518,13 +526,19 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, { int i; - if (func == KEY_CHECK) { - return (rule->flags & IMA_FUNC) && (rule->func == func) && - ima_match_rule_data(rule, func_data, cred); - } if ((rule->flags & IMA_FUNC) && (rule->func != func && func != POST_SETATTR)) return false; + + switch (func) { + case KEY_CHECK: + case CRITICAL_DATA: + return ((rule->func == func) && + ima_match_rule_data(rule, func_data, cred)); + default: + break; + } + if ((rule->flags & IMA_MASK) && (rule->mask != mask && func != POST_SETATTR)) return false; @@ -1119,6 +1133,19 @@ static bool ima_validate_rule(struct ima_rule_entry *entry) if (ima_rule_contains_lsm_cond(entry)) return false; + break; + case CRITICAL_DATA: + if (entry->action & ~(MEASURE | DONT_MEASURE)) + return false; + + if (!(entry->flags & IMA_DATA_SOURCES) || + (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR | + IMA_DATA_SOURCES))) + return false; + + if (ima_rule_contains_lsm_cond(entry)) + return false; + break; default: return false; -- 2.17.1