Message ID | 20190418035120.2354-13-bauerman@linux.ibm.com (mailing list archive) |
---|---|
State | Not Applicable |
Delegated to: | Herbert Xu |
Headers | show |
Series | Appended signatures support for IMA appraisal | expand |
Hi Thiago, On Thu, 2019-04-18 at 00:51 -0300, Thiago Jung Bauermann wrote: > If the IMA template contains the "modsig" or "d-modsig" field, then the > modsig should be added to the measurement list when the file is appraised. > > And that is what normally happens, but if a measurement rule caused a file > containing a modsig to be measured before a different rule causes it to be > appraised, the resulting measurement entry will not contain the modsig > because it is only fetched during appraisal. When the appraisal rule > triggers, it won't store a new measurement containing the modsig because > the file was already measured. > > We need to detect that situation and store an additional measurement with > the modsig. This is done by adding an IMA_MEASURE action flag if we read a > modsig and the IMA template contains a modsig field. With the new per policy rule "template" support being added, this patch needs to be modified so that the per policy "template" format is checked. ima_template_has_modsig() should be called with the template_desc being used. thanks, Mimi > diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c > index 8e6475854351..f91ed4189f98 100644 > --- a/security/integrity/ima/ima_main.c > +++ b/security/integrity/ima/ima_main.c > @@ -282,9 +282,17 @@ static int process_measurement(struct file *file, const struct cred *cred, > /* read 'security.ima' */ > xattr_len = ima_read_xattr(file_dentry(file), &xattr_value); > > - /* Read the appended modsig if allowed by the policy. */ > - if (iint->flags & IMA_MODSIG_ALLOWED) > - ima_read_modsig(func, buf, size, &modsig); > + /* > + * Read the appended modsig, if allowed by the policy, and allow > + * an additional measurement list entry, if needed, based on the > + * template format. > + */ > + if (iint->flags & IMA_MODSIG_ALLOWED) { > + rc = ima_read_modsig(func, buf, size, &modsig); > + > + if (!rc && ima_template_has_modsig()) > + action |= IMA_MEASURE; > + } >
Mimi Zohar <zohar@linux.ibm.com> writes: > Hi Thiago, > > On Thu, 2019-04-18 at 00:51 -0300, Thiago Jung Bauermann wrote: >> If the IMA template contains the "modsig" or "d-modsig" field, then the >> modsig should be added to the measurement list when the file is appraised. >> >> And that is what normally happens, but if a measurement rule caused a file >> containing a modsig to be measured before a different rule causes it to be >> appraised, the resulting measurement entry will not contain the modsig >> because it is only fetched during appraisal. When the appraisal rule >> triggers, it won't store a new measurement containing the modsig because >> the file was already measured. >> >> We need to detect that situation and store an additional measurement with >> the modsig. This is done by adding an IMA_MEASURE action flag if we read a >> modsig and the IMA template contains a modsig field. > > With the new per policy rule "template" support being added, this > patch needs to be modified so that the per policy "template" format is > checked. ima_template_has_modsig() should be called with the > template_desc being used. Right. Thanks for point out what needs to be done. After rebasing on top of Matthew Garret's "IMA: Allow profiles to define the desired IMA template" patch I changed ima_template_has_modsig() to check the template_desc obtained from process_measurement(). -- Thiago Jung Bauermann IBM Linux Technology Center
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 4e51290b149d..4e504c011b69 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -148,6 +148,7 @@ int ima_init_crypto(void); void ima_putc(struct seq_file *m, void *data, int datalen); void ima_print_digest(struct seq_file *m, u8 *digest, u32 size); struct ima_template_desc *ima_template_desc_current(void); +bool ima_template_has_modsig(void); int ima_restore_measurement_entry(struct ima_template_entry *entry); int ima_restore_measurement_list(loff_t bufsize, void *buf); int ima_measurements_show(struct seq_file *m, void *v); diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index 3ef48d516f02..663805887fac 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -212,6 +212,14 @@ int ima_collect_measurement(struct integrity_iint_cache *iint, char digest[IMA_MAX_DIGEST_SIZE]; } hash; + /* + * Always collect the modsig, because IMA might have already collected + * the file digest without collecting the modsig in a previous + * measurement rule. + */ + if (modsig) + ima_collect_modsig(modsig, buf, size); + if (iint->flags & IMA_COLLECTED) goto out; @@ -245,9 +253,6 @@ int ima_collect_measurement(struct integrity_iint_cache *iint, memcpy(iint->ima_hash, &hash, length); iint->version = i_version; - if (modsig) - ima_collect_modsig(modsig, buf, size); - /* Possibly temporary failure due to type of read (eg. O_DIRECT) */ if (!result) iint->flags |= IMA_COLLECTED; @@ -296,7 +301,13 @@ void ima_store_measurement(struct integrity_iint_cache *iint, .modsig = modsig }; int violation = 0; - if (iint->measured_pcrs & (0x1 << pcr)) + /* + * We still need to store the measurement in the case of MODSIG because + * we only have its contents to put in the list at the time of + * appraisal, but a file measurement from earlier might already exist in + * the measurement list. + */ + if (iint->measured_pcrs & (0x1 << pcr) && !modsig) return; result = ima_alloc_init_template(&event_data, &entry); diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 8e6475854351..f91ed4189f98 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -282,9 +282,17 @@ static int process_measurement(struct file *file, const struct cred *cred, /* read 'security.ima' */ xattr_len = ima_read_xattr(file_dentry(file), &xattr_value); - /* Read the appended modsig if allowed by the policy. */ - if (iint->flags & IMA_MODSIG_ALLOWED) - ima_read_modsig(func, buf, size, &modsig); + /* + * Read the appended modsig, if allowed by the policy, and allow + * an additional measurement list entry, if needed, based on the + * template format. + */ + if (iint->flags & IMA_MODSIG_ALLOWED) { + rc = ima_read_modsig(func, buf, size, &modsig); + + if (!rc && ima_template_has_modsig()) + action |= IMA_MEASURE; + } } hash_algo = ima_get_hash_algo(xattr_value, xattr_len); diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c index b05a14821a08..db3b4257e58b 100644 --- a/security/integrity/ima/ima_template.c +++ b/security/integrity/ima/ima_template.c @@ -57,6 +57,26 @@ static int template_desc_init_fields(const char *template_fmt, const struct ima_template_field ***fields, int *num_fields); +/* Whether the current template has fields referencing a file's signature. */ +static bool template_has_modsig; + +static bool find_modsig_in_template(void) +{ + int i; + + for (i = 0; i < ima_template->num_fields; i++) + if (!strcmp(ima_template->fields[i]->field_id, "modsig") || + !strcmp(ima_template->fields[i]->field_id, "d-modsig")) + return true; + + return false; +} + +bool ima_template_has_modsig(void) +{ + return template_has_modsig; +} + static int __init ima_template_setup(char *str) { struct ima_template_desc *template_desc; @@ -89,6 +109,8 @@ static int __init ima_template_setup(char *str) } ima_template = template_desc; + template_has_modsig = find_modsig_in_template(); + return 1; } __setup("ima_template=", ima_template_setup); @@ -108,6 +130,7 @@ static int __init ima_template_fmt_setup(char *str) builtin_templates[num_templates - 1].fmt = str; ima_template = builtin_templates + num_templates - 1; + template_has_modsig = find_modsig_in_template(); return 1; } @@ -230,6 +253,7 @@ struct ima_template_desc *ima_template_desc_current(void) ima_init_template_list(); ima_template = lookup_template_desc(CONFIG_IMA_DEFAULT_TEMPLATE); + template_has_modsig = find_modsig_in_template(); } return ima_template; }
If the IMA template contains the "modsig" or "d-modsig" field, then the modsig should be added to the measurement list when the file is appraised. And that is what normally happens, but if a measurement rule caused a file containing a modsig to be measured before a different rule causes it to be appraised, the resulting measurement entry will not contain the modsig because it is only fetched during appraisal. When the appraisal rule triggers, it won't store a new measurement containing the modsig because the file was already measured. We need to detect that situation and store an additional measurement with the modsig. This is done by adding an IMA_MEASURE action flag if we read a modsig and the IMA template contains a modsig field. Suggested-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Thiago Jung Bauermann <bauerman@linux.ibm.com> --- security/integrity/ima/ima.h | 1 + security/integrity/ima/ima_api.c | 19 +++++++++++++++---- security/integrity/ima/ima_main.c | 14 +++++++++++--- security/integrity/ima/ima_template.c | 24 ++++++++++++++++++++++++ 4 files changed, 51 insertions(+), 7 deletions(-)