Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp1863414pxu; Sun, 13 Dec 2020 05:58:03 -0800 (PST) X-Google-Smtp-Source: ABdhPJy6KnZvCd07OBX93WNdE8S/wFjIk5P8nkGzXZrk7KHOhqmgq4sLcW1bx6TC8WNugzFcOGAf X-Received: by 2002:aa7:d608:: with SMTP id c8mr20139624edr.260.1607867883205; Sun, 13 Dec 2020 05:58:03 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1607867883; cv=none; d=google.com; s=arc-20160816; b=d94Lthz9rhEQIjNfaV65HSRSWZdkgoGbUq2Rx//LPpqGdbBzaSBr7LPTT5rXZaF+vR 4rT1+6n8b5OyhkIEsERjPgvTBNfOi0udD5Yl/Fqto8Dh5n/a+auFbfiHsL4wrrqOzJZm 28rgSp3lHACU9qGfxlkrDg5ORNLh5suaSVDvcoiEZPovNWWgbFyLSVVq8HJckF34LmPY ji15V3cV+K5cRPHpaofJrbcOYOBurwC3lAb+55XE/JhD5bHX3R9FTilFH2C+rxS1piba AThZLrCG6vrZhQ154ldSg5fbRSjiHIIK1YqiZM0XnOTgMiD0rnQtAX1pzPoBe8D33YeK Z9nA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature :dkim-filter; bh=IxyofULMIwKRiSil7XNF3s6H7NOefNAaufmv/Xws5tc=; b=kg+hHME79a6RjvBbFufsIiOkGdrvmGhFWilQo3Fg5gdxvaOvyhO9lkmEYqzLi0Wejp 73i5ukCr0AbHk3sgIEmg4Oj/GIAJxtepf7LCf/sQvfyhKwnnnCi3Uy7t1lXlrzfrd5mt n9cmVCD/ZwJ85DoLJgVAiY29s2KazPYQ+GjXdoXzjfLEJzCAaJj811Jk8I1A6N/6X7dH XGCC0tJCVN1tDUAs6LoPCVQqCwLZPb4Hqjf++qAQTlmLlyqizRDfBLtD/LluCPTuH057 plxGWSkL6zWQ2+uFR+vLKkz4DYC2AdwTvLDufjtIZpHG7ZockPZuEGZ3DqcxSugnq+p3 WEsg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linux.microsoft.com header.s=default header.b="evSx/T/F"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id hp25si7723309ejc.361.2020.12.13.05.57.40; Sun, 13 Dec 2020 05:58:03 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linux.microsoft.com header.s=default header.b="evSx/T/F"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2407327AbgLLAdF (ORCPT + 99 others); Fri, 11 Dec 2020 19:33:05 -0500 Received: from linux.microsoft.com ([13.77.154.182]:59158 "EHLO linux.microsoft.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2407321AbgLLAc7 (ORCPT ); Fri, 11 Dec 2020 19:32:59 -0500 Received: from sequoia (162-237-133-238.lightspeed.rcsntx.sbcglobal.net [162.237.133.238]) by linux.microsoft.com (Postfix) with ESMTPSA id ED6B620B7187; Fri, 11 Dec 2020 16:32:16 -0800 (PST) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com ED6B620B7187 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1607733138; bh=IxyofULMIwKRiSil7XNF3s6H7NOefNAaufmv/Xws5tc=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=evSx/T/FD+zPGKk6Ni88SIASdF11MzdBzZVBv/pPF4VG9+hfaG4KZb2a1roL44JuX 8jwlItXgd+a3WoubA20nzi47Bt1pAOu511uFxcmDFsz0gkRpygUNFpUw3wd5i/fiIP pDLDue3PJfW+lxShmJ9kX9Q2pGE/iagx2CPRHwkM= Date: Fri, 11 Dec 2020 18:32:15 -0600 From: Tyler Hicks To: Tushar Sugandhi Cc: zohar@linux.ibm.com, stephen.smalley.work@gmail.com, casey@schaufler-ca.com, agk@redhat.com, snitzer@redhat.com, gmazyland@gmail.com, paul@paul-moore.com, sashal@kernel.org, jmorris@namei.org, nramas@linux.microsoft.com, linux-integrity@vger.kernel.org, selinux@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dm-devel@redhat.com Subject: Re: [PATCH v8 8/8] selinux: include a consumer of the new IMA critical data hook Message-ID: <20201212003215.GG4951@sequoia> References: <20201211235807.30815-1-tusharsu@linux.microsoft.com> <20201211235807.30815-9-tusharsu@linux.microsoft.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20201211235807.30815-9-tusharsu@linux.microsoft.com> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2020-12-11 15:58:07, Tushar Sugandhi wrote: > From: Lakshmi Ramasubramanian > > SELinux stores the active policy in memory, so the changes to this data > at runtime would have an impact on the security guarantees provided > by SELinux. Measuring in-memory SELinux policy through IMA subsystem > provides a secure way for the attestation service to remotely validate > the policy contents at runtime. > > Measure the hash of the loaded policy by calling the IMA hook > ima_measure_critical_data(). Since the size of the loaded policy can > be large (several MB), measure the hash of the policy instead of > the entire policy to avoid bloating the IMA log entry. > > Add "selinux" to the list of supported data sources maintained by IMA > to enable measuring SELinux data. > > To enable SELinux data measurement, the following steps are required: > > 1, Add "ima_policy=critical_data" to the kernel command line arguments > to enable measuring SELinux data at boot time. > For example, > BOOT_IMAGE=/boot/vmlinuz-5.10.0-rc1+ root=UUID=fd643309-a5d2-4ed3-b10d-3c579a5fab2f ro nomodeset security=selinux ima_policy=critical_data > > 2, Add the following rule to /etc/ima/ima-policy > measure func=CRITICAL_DATA data_source=selinux > > Sample measurement of the hash of SELinux policy: > > To verify the measured data with the current SELinux policy run > the following commands and verify the output hash values match. > > sha256sum /sys/fs/selinux/policy | cut -d' ' -f 1 > > grep "selinux-policy-hash" /sys/kernel/security/integrity/ima/ascii_runtime_measurements | tail -1 | cut -d' ' -f 6 > > Note that the actual verification of SELinux policy would require loading > the expected policy into an identical kernel on a pristine/known-safe > system and run the sha256sum /sys/kernel/selinux/policy there to get > the expected hash. > > Signed-off-by: Lakshmi Ramasubramanian > Suggested-by: Stephen Smalley This looks good but I've got one small suggestion below if you roll a v9. Feel free to add: Reviewed-by: Tyler Hicks > diff --git a/security/selinux/measure.c b/security/selinux/measure.c > new file mode 100644 > index 000000000000..a070d8dae403 > --- /dev/null > +++ b/security/selinux/measure.c > @@ -0,0 +1,81 @@ > +// SPDX-License-Identifier: GPL-2.0-or-later > +/* > + * Measure SELinux state using IMA subsystem. > + */ > +#include > +#include > +#include > +#include "security.h" > + > +/* > + * This function creates a unique name by appending the timestamp to > + * the given string. This string is passed as "event_name" to the IMA > + * hook to measure the given SELinux data. > + * > + * The data provided by SELinux to the IMA subsystem for measuring may have > + * already been measured (for instance the same state existed earlier). > + * But for SELinux the current data represents a state change and hence > + * needs to be measured again. To enable this, pass a unique "event_name" > + * to the IMA hook so that IMA subsystem will always measure the given data. > + * > + * For example, > + * At time T0 SELinux data to be measured is "foo". IMA measures it. > + * At time T1 the data is changed to "bar". IMA measures it. > + * At time T2 the data is changed to "foo" again. IMA will not measure it > + * (since it was already measured) unless the event_name, for instance, > + * is different in this call. > + */ > +static char *selinux_event_name(const char *name_prefix) > +{ > + char *event_name = NULL; > + struct timespec64 cur_time; > + > + ktime_get_real_ts64(&cur_time); > + event_name = kasprintf(GFP_KERNEL, "%s-%lld:%09ld", name_prefix, > + cur_time.tv_sec, cur_time.tv_nsec); > + return event_name; There's no longer a need to store the return of kasprintf() in a variable. Just 'return kasprint(...);' and get rid of the event_name variable. Tyler