From: Roberto Sassu
To:
CC: , , , Roberto Sassu
Subject: [PATCH 5/7] ima: Introduce appraise_exec_immutable policy
Date: Fri, 9 Apr 2021 13:43:11 +0200
Message-ID: <20210409114313.4073-6-roberto.sassu@huawei.com>
In-Reply-To: <20210409114313.4073-1-roberto.sassu@huawei.com>
References: <20210409114313.4073-1-roberto.sassu@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

This patch modifies the existing "appraise_exec_tcb" policy, by adding the
appraise_type=meta_immutable requirement for executed files. This policy can
be selected by specifying ima_policy="appraise_exec_tcb|appraise_exec_immutable"
in the kernel command line.

Signed-off-by: Roberto Sassu
---
 Documentation/admin-guide/kernel-parameters.txt | 4 ++++
 security/integrity/ima/ima_policy.c             | 8 +++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 93c5f78905e2..265f7657f59d 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -1780,6 +1780,10 @@ appraised (with imasig requirement) instead of files owned by root. + The "appraise_exec_immutable" policy requires immutable + metadata for executed files, if the "appraise_exec_tcb" + policy is selected. + The "appraise_tmpfs" policy excludes the dont_appraise rule for the tmpfs and ramfs filesystems for the "appraise_tcb" and "appraise_exec_tcb" policies. diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index a45e494e06e8..6249817ebd04 100644 --- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c @@ -243,6 +243,7 @@ __setup("ima_tcb", default_measure_policy_setup); static unsigned int ima_measure_skip_flags __initdata; static unsigned int ima_appraise_skip_flags __initdata; static bool ima_use_appraise_tcb __initdata; +static bool ima_use_appraise_exec_immutable __initdata; static bool ima_use_secure_boot __initdata; static bool ima_use_critical_data __initdata; static bool ima_fail_unverifiable_sigs __ro_after_init; @@ -267,7 +268,9 @@ static int __init policy_setup(char *str) else if (strcmp(p, "appraise_exec_tcb") == 0) { ima_use_appraise_tcb = true; ima_appraise_skip_flags |= IMA_SKIP_OPEN; - } else if (strcmp(p, "secure_boot") == 0) + } else if (strcmp(p, "appraise_exec_immutable") == 0) + ima_use_appraise_exec_immutable = true; + else if (strcmp(p, "secure_boot") == 0) ima_use_secure_boot = true; else if (strcmp(p, "critical_data") == 0) ima_use_critical_data = true; @@ -913,6 +916,9 @@ void __init ima_init_policy(void) IMA_DEFAULT_POLICY, 0); } + if (ima_use_appraise_exec_immutable) + appraise_exec_rules[0].flags |= IMA_META_IMMUTABLE_REQUIRED; + if (ima_use_critical_data) add_rules(critical_data_rules, ARRAY_SIZE(critical_data_rules), -- 2.26.2
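Review bot: the new paragraph in kernel-parameters.txt says the policy applies "if the "appraise_exec_tcb" policy is selected" but does not say what happens when "appraise_exec_immutable" is given on its own; from the ima_init_policy() hunk the flag is then silently dropped. Spell that out and show the combined form the commit message uses, ima_policy="appraise_exec_tcb|appraise_exec_immutable", so an administrator does not assume immutable metadata is being enforced when only the second token was passed. The text also says the policy "requires immutable metadata" without naming the mechanism; a reference to appraise_type=meta_immutable, which the commit message uses, would tie the documentation to the rule option it actually sets.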
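Review bot: the new branch in policy_setup() sets ima_use_appraise_exec_immutable without regard to ima_use_appraise_tcb, and nothing in the patch reports the case where the token has no effect. Because the flag is only consumed in ima_init_policy(), the order of tokens inside the ima_policy= string does not matter, which is good, but it also means the dependency is never checked anywhere. A pr_info() or pr_warn() in ima_init_policy() when ima_use_appraise_exec_immutable && !ima_use_appraise_tcb would turn a silent no-op into something an operator can find in the boot log.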
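Review bot: `appraise_exec_rules[0].flags |= IMA_META_IMMUTABLE_REQUIRED;` is applied after the default rules have already been added (the add_rules() call whose closing `IMA_DEFAULT_POLICY, 0);` is the hunk's leading context), so whether it takes effect depends on add_rules() linking the static entry into the list rather than copying it, which cannot be verified from this hunk; setting the flag before the add_rules() call would remove that dependency. The hard-coded index 0 is also fragile: reordering or prepending an entry to appraise_exec_rules would attach the requirement to the wrong rule, so a comment stating which rule is meant, or iterating over the entries that appraise executed files, would make the intent robust. IMA_META_IMMUTABLE_REQUIRED is not defined in this patch, so the hunk depends on an earlier patch in the series; the commit message should say so.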
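As an added example, not code from the patch or from the kernel: a userspace model of how the ima_policy= boot parameter is consumed after this patch, extended with the dependency check a reviewer would ask for. It splits the value on '|' as the commit message shows (the kernel's policy_setup() uses its own delimiter set, and handles more tokens than the ones visible in the hunk); the struct name ima_opts, the function parse_ima_policy() and the field appraise_exec_immutable_effective are assumptions for illustration.

```c
/* Added example, not the kernel's code: models the token handling of
 * policy_setup() in security/integrity/ima/ima_policy.c and the way
 * ima_init_policy() only honours "appraise_exec_immutable" when
 * "appraise_exec_tcb" was also selected. Only the tokens visible in the
 * patch are recognised; all names here are assumptions. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct ima_opts {
	bool use_appraise_tcb;            /* "appraise_exec_tcb" seen */
	bool use_appraise_exec_immutable; /* "appraise_exec_immutable" seen */
	bool use_secure_boot;             /* "secure_boot" seen */
	bool use_critical_data;           /* "critical_data" seen */
	/* true only when the immutable requirement would actually be applied
	 * to the appraise_exec rules, i.e. both tokens were given */
	bool appraise_exec_immutable_effective;
	char unknown[64];                 /* first unrecognised token, if any */
};

/* Compare a token of known length against a NUL-terminated name. */
static bool tok_is(const char *tok, size_t len, const char *name)
{
	return strlen(name) == len && strncmp(tok, name, len) == 0;
}

/* Parse a '|'-separated ima_policy= value. Returns 0 when every token was
 * recognised, -1 otherwise (the first unknown token is kept in o->unknown).
 * Token order is irrelevant: like the kernel, the immutable requirement is
 * only resolved after the whole string has been consumed. */
int parse_ima_policy(const char *value, struct ima_opts *o)
{
	const char *tok = value;
	int rc = 0;

	memset(o, 0, sizeof(*o));

	while (*tok) {
		const char *end = strchr(tok, '|');
		size_t len = end ? (size_t)(end - tok) : strlen(tok);

		if (len == 0)
			;	/* empty token, e.g. "a||b": skip */
		else if (tok_is(tok, len, "appraise_exec_tcb"))
			o->use_appraise_tcb = true;
		else if (tok_is(tok, len, "appraise_exec_immutable"))
			o->use_appraise_exec_immutable = true;
		else if (tok_is(tok, len, "secure_boot"))
			o->use_secure_boot = true;
		else if (tok_is(tok, len, "critical_data"))
			o->use_critical_data = true;
		else if (o->unknown[0] == '\0') {
			snprintf(o->unknown, sizeof(o->unknown), "%.*s",
				 (int)len, tok);
			rc = -1;
		}

		tok = end ? end + 1 : tok + len;
	}

	/* Mirror of the ima_init_policy() hunk: the flag is attached to the
	 * appraise_exec rules, which only exist when appraise_exec_tcb was
	 * selected. Report the silent no-op instead of hiding it. */
	o->appraise_exec_immutable_effective =
		o->use_appraise_tcb && o->use_appraise_exec_immutable;
	if (o->use_appraise_exec_immutable && !o->use_appraise_tcb)
		fprintf(stderr,
			"ima: appraise_exec_immutable ignored without appraise_exec_tcb\n");

	return rc;
}
```

Running it with "appraise_exec_immutable" alone yields use_appraise_exec_immutable set but appraise_exec_immutable_effective clear, which is exactly the state the patch leaves the kernel in without telling anyone.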