diff mbox

[v6,6/6] ima: define "fs_unsafe" builtin policy

Message ID 1502808237-2035-7-git-send-email-zohar@linux.vnet.ibm.com (mailing list archive)
State New, archived
Headers show

Commit Message

Mimi Zohar Aug. 15, 2017, 2:43 p.m. UTC
Permit normally denied access/execute permission for files in policy
on IMA unsupported filesystems.  This patch defines "fs_unsafe", a
builtin policy.

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>

---
Changelog v3:
- include dont_failsafe rule when displaying policy
 
 Documentation/admin-guide/kernel-parameters.txt |  8 +++++++-
 security/integrity/ima/ima_policy.c             | 12 ++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

Comments

Dmitry Kasatkin Aug. 22, 2017, 10:07 a.m. UTC | #1
Looks good to me.


On Tue, Aug 15, 2017 at 5:43 PM, Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> Permit normally denied access/execute permission for files in policy
> on IMA unsupported filesystems.  This patch defines "fs_unsafe", a
> builtin policy.
>
> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
>
> ---
> Changelog v3:
> - include dont_failsafe rule when displaying policy
>
>  Documentation/admin-guide/kernel-parameters.txt |  8 +++++++-
>  security/integrity/ima/ima_policy.c             | 12 ++++++++++++
>  2 files changed, 19 insertions(+), 1 deletion(-)
>
> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> index d9c171ce4190..4e303be83df6 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -1502,7 +1502,7 @@
>
>         ima_policy=     [IMA]
>                         The builtin policies to load during IMA setup.
> -                       Format: "tcb | appraise_tcb | secure_boot"
> +                       Format: "tcb | appraise_tcb | secure_boot | fs_unsafe"
>
>                         The "tcb" policy measures all programs exec'd, files
>                         mmap'd for exec, and all files opened with the read
> @@ -1517,6 +1517,12 @@
>                         of files (eg. kexec kernel image, kernel modules,
>                         firmware, policy, etc) based on file signatures.
>
> +                       The "fs_unsafe" policy permits normally denied
> +                       access/execute permission for files in policy on IMA
> +                       unsupported filesystems.  Note this option, as the
> +                       name implies, is not safe and not recommended for
> +                       any environments other than testing.
> +
>         ima_tcb         [IMA] Deprecated.  Use ima_policy= instead.
>                         Load a policy which meets the needs of the Trusted
>                         Computing Base.  This means IMA will measure all
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 43b85a4fb8e8..cddd9dfb01e1 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -169,6 +169,10 @@ static struct ima_rule_entry secure_boot_rules[] __ro_after_init = {
>          .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
>  };
>
> +static struct ima_rule_entry dont_failsafe_rules[] __ro_after_init = {
> +       {.action = DONT_FAILSAFE}
> +};
> +
>  static LIST_HEAD(ima_default_rules);
>  static LIST_HEAD(ima_policy_rules);
>  static LIST_HEAD(ima_temp_rules);
> @@ -188,6 +192,7 @@ __setup("ima_tcb", default_measure_policy_setup);
>
>  static bool ima_use_appraise_tcb __initdata;
>  static bool ima_use_secure_boot __initdata;
> +static bool ima_use_dont_failsafe __initdata;
>  static int __init policy_setup(char *str)
>  {
>         char *p;
> @@ -201,6 +206,10 @@ static int __init policy_setup(char *str)
>                         ima_use_appraise_tcb = 1;
>                 else if (strcmp(p, "secure_boot") == 0)
>                         ima_use_secure_boot = 1;
> +               else if (strcmp(p, "fs_unsafe") == 0) {
> +                       ima_use_dont_failsafe = 1;
> +                       set_failsafe(0);
> +               }
>         }
>
>         return 1;
> @@ -470,6 +479,9 @@ void __init ima_init_policy(void)
>                         temp_ima_appraise |= IMA_APPRAISE_POLICY;
>         }
>
> +       if (ima_use_dont_failsafe)
> +               list_add_tail(&dont_failsafe_rules[0].list, &ima_default_rules);
> +
>         ima_rules = &ima_default_rules;
>         ima_update_policy_flag();
>  }
> --
> 2.7.4
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
Mimi Zohar Aug. 22, 2017, 1:13 p.m. UTC | #2
On Tue, 2017-08-22 at 13:07 +0300, Dmitry Kasatkin wrote:
> Looks good to me.

Thank you for reviewing the code!  Can I add your Reviewed-by/Acked-by?

Mimi

> 
> On Tue, Aug 15, 2017 at 5:43 PM, Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> > Permit normally denied access/execute permission for files in policy
> > on IMA unsupported filesystems.  This patch defines "fs_unsafe", a
> > builtin policy.
> >
> > Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
> >
> > ---
> > Changelog v3:
> > - include dont_failsafe rule when displaying policy
> >
> >  Documentation/admin-guide/kernel-parameters.txt |  8 +++++++-
> >  security/integrity/ima/ima_policy.c             | 12 ++++++++++++
> >  2 files changed, 19 insertions(+), 1 deletion(-)
> >
> > diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> > index d9c171ce4190..4e303be83df6 100644
> > --- a/Documentation/admin-guide/kernel-parameters.txt
> > +++ b/Documentation/admin-guide/kernel-parameters.txt
> > @@ -1502,7 +1502,7 @@
> >
> >         ima_policy=     [IMA]
> >                         The builtin policies to load during IMA setup.
> > -                       Format: "tcb | appraise_tcb | secure_boot"
> > +                       Format: "tcb | appraise_tcb | secure_boot | fs_unsafe"
> >
> >                         The "tcb" policy measures all programs exec'd, files
> >                         mmap'd for exec, and all files opened with the read
> > @@ -1517,6 +1517,12 @@
> >                         of files (eg. kexec kernel image, kernel modules,
> >                         firmware, policy, etc) based on file signatures.
> >
> > +                       The "fs_unsafe" policy permits normally denied
> > +                       access/execute permission for files in policy on IMA
> > +                       unsupported filesystems.  Note this option, as the
> > +                       name implies, is not safe and not recommended for
> > +                       any environments other than testing.
> > +
> >         ima_tcb         [IMA] Deprecated.  Use ima_policy= instead.
> >                         Load a policy which meets the needs of the Trusted
> >                         Computing Base.  This means IMA will measure all
> > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> > index 43b85a4fb8e8..cddd9dfb01e1 100644
> > --- a/security/integrity/ima/ima_policy.c
> > +++ b/security/integrity/ima/ima_policy.c
> > @@ -169,6 +169,10 @@ static struct ima_rule_entry secure_boot_rules[] __ro_after_init = {
> >          .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
> >  };
> >
> > +static struct ima_rule_entry dont_failsafe_rules[] __ro_after_init = {
> > +       {.action = DONT_FAILSAFE}
> > +};
> > +
> >  static LIST_HEAD(ima_default_rules);
> >  static LIST_HEAD(ima_policy_rules);
> >  static LIST_HEAD(ima_temp_rules);
> > @@ -188,6 +192,7 @@ __setup("ima_tcb", default_measure_policy_setup);
> >
> >  static bool ima_use_appraise_tcb __initdata;
> >  static bool ima_use_secure_boot __initdata;
> > +static bool ima_use_dont_failsafe __initdata;
> >  static int __init policy_setup(char *str)
> >  {
> >         char *p;
> > @@ -201,6 +206,10 @@ static int __init policy_setup(char *str)
> >                         ima_use_appraise_tcb = 1;
> >                 else if (strcmp(p, "secure_boot") == 0)
> >                         ima_use_secure_boot = 1;
> > +               else if (strcmp(p, "fs_unsafe") == 0) {
> > +                       ima_use_dont_failsafe = 1;
> > +                       set_failsafe(0);
> > +               }
> >         }
> >
> >         return 1;
> > @@ -470,6 +479,9 @@ void __init ima_init_policy(void)
> >                         temp_ima_appraise |= IMA_APPRAISE_POLICY;
> >         }
> >
> > +       if (ima_use_dont_failsafe)
> > +               list_add_tail(&dont_failsafe_rules[0].list, &ima_default_rules);
> > +
> >         ima_rules = &ima_default_rules;
> >         ima_update_policy_flag();
> >  }
> > --
> > 2.7.4
> >
> > --
> > To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
> 
>
Dmitry Kasatkin Aug. 22, 2017, 1:41 p.m. UTC | #3
Hi,

Yes, please add one of appropriate.

Thanks,
Dmitry

On Tue, Aug 22, 2017 at 4:13 PM, Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> On Tue, 2017-08-22 at 13:07 +0300, Dmitry Kasatkin wrote:
>> Looks good to me.
>
> Thank you for reviewing the code!  Can I add your Reviewed-by/Acked-by?
>
> Mimi
>
>>
>> On Tue, Aug 15, 2017 at 5:43 PM, Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
>> > Permit normally denied access/execute permission for files in policy
>> > on IMA unsupported filesystems.  This patch defines "fs_unsafe", a
>> > builtin policy.
>> >
>> > Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
>> >
>> > ---
>> > Changelog v3:
>> > - include dont_failsafe rule when displaying policy
>> >
>> >  Documentation/admin-guide/kernel-parameters.txt |  8 +++++++-
>> >  security/integrity/ima/ima_policy.c             | 12 ++++++++++++
>> >  2 files changed, 19 insertions(+), 1 deletion(-)
>> >
>> > diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
>> > index d9c171ce4190..4e303be83df6 100644
>> > --- a/Documentation/admin-guide/kernel-parameters.txt
>> > +++ b/Documentation/admin-guide/kernel-parameters.txt
>> > @@ -1502,7 +1502,7 @@
>> >
>> >         ima_policy=     [IMA]
>> >                         The builtin policies to load during IMA setup.
>> > -                       Format: "tcb | appraise_tcb | secure_boot"
>> > +                       Format: "tcb | appraise_tcb | secure_boot | fs_unsafe"
>> >
>> >                         The "tcb" policy measures all programs exec'd, files
>> >                         mmap'd for exec, and all files opened with the read
>> > @@ -1517,6 +1517,12 @@
>> >                         of files (eg. kexec kernel image, kernel modules,
>> >                         firmware, policy, etc) based on file signatures.
>> >
>> > +                       The "fs_unsafe" policy permits normally denied
>> > +                       access/execute permission for files in policy on IMA
>> > +                       unsupported filesystems.  Note this option, as the
>> > +                       name implies, is not safe and not recommended for
>> > +                       any environments other than testing.
>> > +
>> >         ima_tcb         [IMA] Deprecated.  Use ima_policy= instead.
>> >                         Load a policy which meets the needs of the Trusted
>> >                         Computing Base.  This means IMA will measure all
>> > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
>> > index 43b85a4fb8e8..cddd9dfb01e1 100644
>> > --- a/security/integrity/ima/ima_policy.c
>> > +++ b/security/integrity/ima/ima_policy.c
>> > @@ -169,6 +169,10 @@ static struct ima_rule_entry secure_boot_rules[] __ro_after_init = {
>> >          .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
>> >  };
>> >
>> > +static struct ima_rule_entry dont_failsafe_rules[] __ro_after_init = {
>> > +       {.action = DONT_FAILSAFE}
>> > +};
>> > +
>> >  static LIST_HEAD(ima_default_rules);
>> >  static LIST_HEAD(ima_policy_rules);
>> >  static LIST_HEAD(ima_temp_rules);
>> > @@ -188,6 +192,7 @@ __setup("ima_tcb", default_measure_policy_setup);
>> >
>> >  static bool ima_use_appraise_tcb __initdata;
>> >  static bool ima_use_secure_boot __initdata;
>> > +static bool ima_use_dont_failsafe __initdata;
>> >  static int __init policy_setup(char *str)
>> >  {
>> >         char *p;
>> > @@ -201,6 +206,10 @@ static int __init policy_setup(char *str)
>> >                         ima_use_appraise_tcb = 1;
>> >                 else if (strcmp(p, "secure_boot") == 0)
>> >                         ima_use_secure_boot = 1;
>> > +               else if (strcmp(p, "fs_unsafe") == 0) {
>> > +                       ima_use_dont_failsafe = 1;
>> > +                       set_failsafe(0);
>> > +               }
>> >         }
>> >
>> >         return 1;
>> > @@ -470,6 +479,9 @@ void __init ima_init_policy(void)
>> >                         temp_ima_appraise |= IMA_APPRAISE_POLICY;
>> >         }
>> >
>> > +       if (ima_use_dont_failsafe)
>> > +               list_add_tail(&dont_failsafe_rules[0].list, &ima_default_rules);
>> > +
>> >         ima_rules = &ima_default_rules;
>> >         ima_update_policy_flag();
>> >  }
>> > --
>> > 2.7.4
>> >
>> > --
>> > To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
>> > the body of a message to majordomo@vger.kernel.org
>> > More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>
>>
>>
>
diff mbox

Patch

diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index d9c171ce4190..4e303be83df6 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -1502,7 +1502,7 @@ 
 
 	ima_policy=	[IMA]
 			The builtin policies to load during IMA setup.
-			Format: "tcb | appraise_tcb | secure_boot"
+			Format: "tcb | appraise_tcb | secure_boot | fs_unsafe"
 
 			The "tcb" policy measures all programs exec'd, files
 			mmap'd for exec, and all files opened with the read
@@ -1517,6 +1517,12 @@ 
 			of files (eg. kexec kernel image, kernel modules,
 			firmware, policy, etc) based on file signatures.
 
+			The "fs_unsafe" policy permits normally denied
+			access/execute permission for files in policy on IMA
+			unsupported filesystems.  Note this option, as the
+			name implies, is not safe and not recommended for
+			any environments other than testing.
+
 	ima_tcb		[IMA] Deprecated.  Use ima_policy= instead.
 			Load a policy which meets the needs of the Trusted
 			Computing Base.  This means IMA will measure all
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 43b85a4fb8e8..cddd9dfb01e1 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -169,6 +169,10 @@  static struct ima_rule_entry secure_boot_rules[] __ro_after_init = {
 	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
 };
 
+static struct ima_rule_entry dont_failsafe_rules[] __ro_after_init = {
+	{.action = DONT_FAILSAFE}
+};
+
 static LIST_HEAD(ima_default_rules);
 static LIST_HEAD(ima_policy_rules);
 static LIST_HEAD(ima_temp_rules);
@@ -188,6 +192,7 @@  __setup("ima_tcb", default_measure_policy_setup);
 
 static bool ima_use_appraise_tcb __initdata;
 static bool ima_use_secure_boot __initdata;
+static bool ima_use_dont_failsafe __initdata;
 static int __init policy_setup(char *str)
 {
 	char *p;
@@ -201,6 +206,10 @@  static int __init policy_setup(char *str)
 			ima_use_appraise_tcb = 1;
 		else if (strcmp(p, "secure_boot") == 0)
 			ima_use_secure_boot = 1;
+		else if (strcmp(p, "fs_unsafe") == 0) {
+			ima_use_dont_failsafe = 1;
+			set_failsafe(0);
+		}
 	}
 
 	return 1;
@@ -470,6 +479,9 @@  void __init ima_init_policy(void)
 			temp_ima_appraise |= IMA_APPRAISE_POLICY;
 	}
 
+	if (ima_use_dont_failsafe)
+		list_add_tail(&dont_failsafe_rules[0].list, &ima_default_rules);
+
 	ima_rules = &ima_default_rules;
 	ima_update_policy_flag();
 }