Message ID | 20210108040708.8389-6-tusharsu@linux.microsoft.com
---|---
State | Not Applicable, archived
Delegated to | Mike Snitzer
Series | IMA: support for measuring kernel integrity critical data
On Thu, 2021-01-07 at 20:07 -0800, Tushar Sugandhi wrote:
> Integrity critical data may belong to a single subsystem or it may
> arise from cross subsystem interaction. Currently there is no mechanism
> to group or limit the data based on a certain label. Limiting and
> grouping critical data based on a label would make it flexible and
> configurable to measure.
>
> Define "label:=", a new IMA policy condition, for the IMA func
> CRITICAL_DATA to allow grouping and limiting measurement of integrity
> critical data.
>
> Limit the measurement to the labels that are specified in the IMA
> policy - CRITICAL_DATA+"label:=". If "label:=" is not provided with
> the func CRITICAL_DATA, measure all the input integrity critical data.
>
> Signed-off-by: Tushar Sugandhi <tusharsu@linux.microsoft.com>
> Reviewed-by: Tyler Hicks <tyhicks@linux.microsoft.com>

This is looking a lot better.

thanks,

Mimi

--
dm-devel mailing list
dm-devel@redhat.com
https://www.redhat.com/mailman/listinfo/dm-devel
On 2021-01-13 6:09 p.m., Mimi Zohar wrote:
> On Thu, 2021-01-07 at 20:07 -0800, Tushar Sugandhi wrote:
>> Integrity critical data may belong to a single subsystem or it may
>> arise from cross subsystem interaction. Currently there is no mechanism
>> to group or limit the data based on a certain label. Limiting and
>> grouping critical data based on a label would make it flexible and
>> configurable to measure.
>>
>> Define "label:=", a new IMA policy condition, for the IMA func
>> CRITICAL_DATA to allow grouping and limiting measurement of integrity
>> critical data.
>>
>> Limit the measurement to the labels that are specified in the IMA
>> policy - CRITICAL_DATA+"label:=". If "label:=" is not provided with
>> the func CRITICAL_DATA, measure all the input integrity critical data.
>>
>> Signed-off-by: Tushar Sugandhi <tusharsu@linux.microsoft.com>
>> Reviewed-by: Tyler Hicks <tyhicks@linux.microsoft.com>
>
> This is looking a lot better.
>
> thanks,
>
> Mimi
>

Thanks a lot for the feedback Mimi. Appreciate it. :)

~Tushar
diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy index 6ec7daa87cba..54fe1c15ed50 100644 --- a/Documentation/ABI/testing/ima_policy +++ b/Documentation/ABI/testing/ima_policy @@ -52,6 +52,8 @@ Description: template:= name of a defined IMA template type (eg, ima-ng). Only valid when action is "measure". pcr:= decimal value + label:= [data_label] + data_label:= a unique string used for grouping and limiting critical data. default policy: # PROC_SUPER_MAGIC diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 96ba4273c4d0..2c9db2d0b434 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -34,6 +34,7 @@ #define IMA_PCR 0x0100 #define IMA_FSNAME 0x0200 #define IMA_KEYRINGS 0x0400 +#define IMA_LABEL 0x0800 #define UNKNOWN 0 #define MEASURE 0x0001 /* same as IMA_MEASURE */ @@ -85,6 +86,7 @@ struct ima_rule_entry { } lsm[MAX_LSM_RULES]; char *fsname; struct ima_rule_opt_list *keyrings; /* Measure keys added to these keyrings */ + struct ima_rule_opt_list *label; /* Measure data grouped under this label */ struct ima_template_desc *template; }; @@ -479,7 +481,11 @@ static bool ima_match_rule_data(struct ima_rule_entry *rule, opt_list = rule->keyrings; break; case CRITICAL_DATA: - return true; + if (!rule->label) + return true; + + opt_list = rule->label; + break; default: return false; } @@ -924,7 +930,7 @@ enum { Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt, Opt_appraise_type, Opt_appraise_flag, Opt_permit_directio, Opt_pcr, Opt_template, Opt_keyrings, - Opt_err + Opt_label, Opt_err }; static const match_table_t policy_tokens = { @@ -961,6 +967,7 @@ static const match_table_t policy_tokens = { {Opt_pcr, "pcr=%s"}, {Opt_template, "template=%s"}, {Opt_keyrings, "keyrings=%s"}, + {Opt_label, "label=%s"}, {Opt_err, NULL} }; 
@@ -1128,7 +1135,8 @@ static bool ima_validate_rule(struct ima_rule_entry *entry) if (entry->action & ~(MEASURE | DONT_MEASURE)) return false; - if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR)) + if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR | + IMA_LABEL)) return false; if (ima_rule_contains_lsm_cond(entry)) @@ -1338,6 +1346,23 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) entry->flags |= IMA_KEYRINGS; break; + case Opt_label: + ima_log_string(ab, "label", args[0].from); + + if (entry->label) { + result = -EINVAL; + break; + } + + entry->label = ima_alloc_rule_opt_list(args); + if (IS_ERR(entry->label)) { + result = PTR_ERR(entry->label); + entry->label = NULL; + break; + } + + entry->flags |= IMA_LABEL; + break; case Opt_fsuuid: ima_log_string(ab, "fsuuid", args[0].from); @@ -1718,6 +1743,12 @@ int ima_policy_show(struct seq_file *m, void *v) seq_puts(m, " "); } + if (entry->flags & IMA_LABEL) { + seq_puts(m, "label="); + ima_show_rule_opt_list(m, entry->label); + seq_puts(m, " "); + } + if (entry->flags & IMA_PCR) { snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr); seq_printf(m, pt(Opt_pcr), tbuf);
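Review bot: the Documentation/ABI/testing/ima_policy hunk should state which func the new condition applies to and whether more than one label may be listed. The commit message ties "label:=" to func CRITICAL_DATA, and the ima_validate_rule hunk only admits IMA_LABEL in the CRITICAL_DATA flag mask, but the two added lines `label:= [data_label]` and `data_label:= a unique string used for grouping and limiting critical data.` say nothing about that restriction; the template:= entry in the same context shows the house convention ("Only valid when action is "measure""). Also, since entry->label is built with ima_alloc_rule_opt_list(args), the same helper keyrings= uses, the text should say whether several labels can be given in one rule and with what separator, because "a unique string" reads as exactly one.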
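Review bot: the struct ima_rule_entry hunk adds `struct ima_rule_opt_list *label;`, which ima_parse_rule allocates with ima_alloc_rule_opt_list(), but none of the hunks shown release it. keyrings is the same type and, as far as this diff goes, is presumably freed in ima_free_rule() and duplicated wherever a rule entry is copied; label needs the matching ima_free_rule_opt_list(entry->label) and the same copy treatment, otherwise a rule that fails validation after Opt_label is parsed, or a policy that is later replaced, leaks the list. If that lands in another patch of the series, a pointer to it in the commit message would help reviewers.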