diff mbox series

[v2] ima: instantiate the bprm_creds_for_exec() hook

Message ID 20241203233424.287880-1-zohar@linux.ibm.com (mailing list archive)
State Superseded
Delegated to: Paul Moore
Headers show
Series [v2] ima: instantiate the bprm_creds_for_exec() hook | expand

Commit Message

Mimi Zohar Dec. 3, 2024, 11:34 p.m. UTC
Like direct file execution (e.g. ./script.sh), indirect file exection
(e.g. sh script.sh) needs to be measured and appraised.  Instantiate
the new security_bprm_creds_for_exec() hook to measure and verify the
indirect file's integrity.  Unlike direct file execution, indirect file
execution is optionally enforced by the interpreter.

Differentiate kernel and userspace enforced integrity audit messages.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
Changelog v2:
- Mickael: Use same audit messages with new audit message number
- Stefan Berger: Return boolean from is_bprm_creds_for_exec() 

 include/uapi/linux/audit.h            |  1 +
 security/integrity/ima/ima_appraise.c | 28 +++++++++++++++++++++++++--
 security/integrity/ima/ima_main.c     | 22 +++++++++++++++++++++
 3 files changed, 49 insertions(+), 2 deletions(-)

Comments

Mickaël Salaün Dec. 4, 2024, 10:15 a.m. UTC | #1
On Tue, Dec 03, 2024 at 06:34:24PM -0500, Mimi Zohar wrote:
> Like direct file execution (e.g. ./script.sh), indirect file exection
> (e.g. sh script.sh) needs to be measured and appraised.  Instantiate
> the new security_bprm_creds_for_exec() hook to measure and verify the
> indirect file's integrity.  Unlike direct file execution, indirect file
> execution is optionally enforced by the interpreter.
> 
> Differentiate kernel and userspace enforced integrity audit messages.
> 

I guess there is a missing tag:

Co-developed-by: Roberto Sassu <roberto.sassu@huawei.com>

> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

With some minor comments, this looks good to me. I'll include this patch
or the next one in my patch series.  Thanks!

> ---
> Changelog v2:
> - Mickael: Use same audit messages with new audit message number
> - Stefan Berger: Return boolean from is_bprm_creds_for_exec() 
> 
>  include/uapi/linux/audit.h            |  1 +
>  security/integrity/ima/ima_appraise.c | 28 +++++++++++++++++++++++++--
>  security/integrity/ima/ima_main.c     | 22 +++++++++++++++++++++
>  3 files changed, 49 insertions(+), 2 deletions(-)
> 
> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index 75e21a135483..826337905466 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -161,6 +161,7 @@
>  #define AUDIT_INTEGRITY_RULE	    1805 /* policy rule */
>  #define AUDIT_INTEGRITY_EVM_XATTR   1806 /* New EVM-covered xattr */
>  #define AUDIT_INTEGRITY_POLICY_RULE 1807 /* IMA policy rules */
> +#define AUDIT_INTEGRITY_DATA_CHECK  1808 /* Userspace enforced data integrity */
>  
>  #define AUDIT_KERNEL		2000	/* Asynchronous audit record. NOT A REQUEST. */
>  
> diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
> index 656c709b974f..144e0b39fbcd 100644
> --- a/security/integrity/ima/ima_appraise.c
> +++ b/security/integrity/ima/ima_appraise.c
> @@ -8,6 +8,7 @@
>  #include <linux/module.h>
>  #include <linux/init.h>
>  #include <linux/file.h>
> +#include <linux/binfmts.h>
>  #include <linux/fs.h>
>  #include <linux/xattr.h>
>  #include <linux/magic.h>
> @@ -469,6 +470,18 @@ int ima_check_blacklist(struct ima_iint_cache *iint,
>  	return rc;
>  }
>  
> +static bool is_bprm_creds_for_exec(enum ima_hooks func, struct file *file)
> +{
> +	struct linux_binprm *bprm = NULL;
> +
> +	if (func == BPRM_CHECK) {

struct linux_binprm *bprm;

> +		bprm = container_of(&file, struct linux_binprm, file);
> +		if (bprm->is_check)
> +			return true;

return bprm->is_check;

> +	}
> +	return false;
> +}
> +
>  /*
>   * ima_appraise_measurement - appraise file measurement
>   *
> @@ -483,6 +496,7 @@ int ima_appraise_measurement(enum ima_hooks func, struct ima_iint_cache *iint,
>  			     int xattr_len, const struct modsig *modsig)
>  {
>  	static const char op[] = "appraise_data";
> +	int audit_msgno = AUDIT_INTEGRITY_DATA;
>  	const char *cause = "unknown";
>  	struct dentry *dentry = file_dentry(file);
>  	struct inode *inode = d_backing_inode(dentry);
> @@ -494,6 +508,16 @@ int ima_appraise_measurement(enum ima_hooks func, struct ima_iint_cache *iint,
>  	if (!(inode->i_opflags & IOP_XATTR) && !try_modsig)
>  		return INTEGRITY_UNKNOWN;
>  
> +	/*
> +	 * Unlike any of the other LSM hooks where the kernel enforces file
> +	 * integrity, enforcing file integrity for the bprm_creds_for_exec()
> +	 * LSM hook with the AT_EXECVE_CHECK flag is left up to the discretion
> +	 * of the script interpreter(userspace). Differentiate kernel and
> +	 * userspace enforced integrity audit messages.
> +	 */
> +	if (is_bprm_creds_for_exec(func, file))
> +		audit_msgno = AUDIT_INTEGRITY_DATA_CHECK;
> +
>  	/* If reading the xattr failed and there's no modsig, error out. */
>  	if (rc <= 0 && !try_modsig) {
>  		if (rc && rc != -ENODATA)
> @@ -569,7 +593,7 @@ int ima_appraise_measurement(enum ima_hooks func, struct ima_iint_cache *iint,
>  	     (iint->flags & IMA_FAIL_UNVERIFIABLE_SIGS))) {
>  		status = INTEGRITY_FAIL;
>  		cause = "unverifiable-signature";
> -		integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
> +		integrity_audit_msg(audit_msgno, inode, filename,
>  				    op, cause, rc, 0);
>  	} else if (status != INTEGRITY_PASS) {
>  		/* Fix mode, but don't replace file signatures. */
> @@ -589,7 +613,7 @@ int ima_appraise_measurement(enum ima_hooks func, struct ima_iint_cache *iint,
>  			status = INTEGRITY_PASS;
>  		}
>  
> -		integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
> +		integrity_audit_msg(audit_msgno, inode, filename,
>  				    op, cause, rc, 0);
>  	} else {
>  		ima_cache_flags(iint, func);
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index 06132cf47016..f0830e6d0cda 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -554,6 +554,27 @@ static int ima_bprm_check(struct linux_binprm *bprm)
>  				   MAY_EXEC, CREDS_CHECK);
>  }
>  
> +/**
> + * ima_bprm_creds_for_exec - collect/store/appraise measurement.
> + * @bprm: contains the linux_binprm structure
> + *
> + * Based on the IMA policy and the execvat(2) AT_CHECK flag, measure and

AT_EXECVE_CHECK

> + * appraise the integrity of a file to be executed by script interpreters.
> + * Unlike any of the other LSM hooks where the kernel enforces file integrity,
> + * enforcing file integrity is left up to the discretion of the script
> + * interpreter (userspace).
> + *
> + * On success return 0.  On integrity appraisal error, assuming the file
> + * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
> + */
> +static int ima_bprm_creds_for_exec(struct linux_binprm *bprm)
> +{

We could have a comment explaining that ima_bprm_check() will not be
called a second time bi the bprm_check_security hook if bprm->is_check
is true because this hook would then not be called.  This would not be a
security issue anyway, just a useless call.

> +	if (!bprm->is_check)
> +		return 0;
> +
> +	return ima_bprm_check(bprm);
> +}
> +
>  /**
>   * ima_file_check - based on policy, collect/store measurement.
>   * @file: pointer to the file to be measured
> @@ -1177,6 +1198,7 @@ static int __init init_ima(void)
>  
>  static struct security_hook_list ima_hooks[] __ro_after_init = {
>  	LSM_HOOK_INIT(bprm_check_security, ima_bprm_check),
> +	LSM_HOOK_INIT(bprm_creds_for_exec, ima_bprm_creds_for_exec),
>  	LSM_HOOK_INIT(file_post_open, ima_file_check),
>  	LSM_HOOK_INIT(inode_post_create_tmpfile, ima_post_create_tmpfile),
>  	LSM_HOOK_INIT(file_release, ima_file_free),
> -- 
> 2.47.0
> 
>
Mimi Zohar Dec. 4, 2024, 2:57 p.m. UTC | #2
On Wed, 2024-12-04 at 11:15 +0100, Mickaël Salaün wrote:
> On Tue, Dec 03, 2024 at 06:34:24PM -0500, Mimi Zohar wrote:
> > Like direct file execution (e.g. ./script.sh), indirect file exection
> > (e.g. sh script.sh) needs to be measured and appraised.  Instantiate
> > the new security_bprm_creds_for_exec() hook to measure and verify the
> > indirect file's integrity.  Unlike direct file execution, indirect file
> > execution is optionally enforced by the interpreter.
> > 
> > Differentiate kernel and userspace enforced integrity audit messages.
> > 
> 
> I guess there is a missing tag:
> 
> Co-developed-by: Roberto Sassu <roberto.sassu@huawei.com>

Having a different author with multiple "Signed-off-by" implies the patch
history, but adding the "Co-developed-by" is explicit.  I'll add the Co-
developed-by tag.

> 
> > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> 
> With some minor comments, this looks good to me. I'll include this patch
> or the next one in my patch series.  Thanks!

Thank you.

> 
> > ---
> > Changelog v2:
> > - Mickael: Use same audit messages with new audit message number
> > - Stefan Berger: Return boolean from is_bprm_creds_for_exec() 
> > 
> >  include/uapi/linux/audit.h            |  1 +
> >  security/integrity/ima/ima_appraise.c | 28 +++++++++++++++++++++++++--
> >  security/integrity/ima/ima_main.c     | 22 +++++++++++++++++++++
> >  3 files changed, 49 insertions(+), 2 deletions(-)
> > 
> > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> > index 75e21a135483..826337905466 100644
> > --- a/include/uapi/linux/audit.h
> > +++ b/include/uapi/linux/audit.h
> > @@ -161,6 +161,7 @@
> >  #define AUDIT_INTEGRITY_RULE	    1805 /* policy rule */
> >  #define AUDIT_INTEGRITY_EVM_XATTR   1806 /* New EVM-covered xattr */
> >  #define AUDIT_INTEGRITY_POLICY_RULE 1807 /* IMA policy rules */
> > +#define AUDIT_INTEGRITY_DATA_CHECK  1808 /* Userspace enforced data integrity */
> >  
> >  #define AUDIT_KERNEL		2000	/* Asynchronous audit record. NOT A REQUEST. */
> >  
> > diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
> > index 656c709b974f..144e0b39fbcd 100644
> > --- a/security/integrity/ima/ima_appraise.c
> > +++ b/security/integrity/ima/ima_appraise.c
> > @@ -8,6 +8,7 @@
> >  #include <linux/module.h>
> >  #include <linux/init.h>
> >  #include <linux/file.h>
> > +#include <linux/binfmts.h>
> >  #include <linux/fs.h>
> >  #include <linux/xattr.h>
> >  #include <linux/magic.h>
> > @@ -469,6 +470,18 @@ int ima_check_blacklist(struct ima_iint_cache *iint,
> >  	return rc;
> >  }
> >  
> > +static bool is_bprm_creds_for_exec(enum ima_hooks func, struct file *file)
> > +{
> > +	struct linux_binprm *bprm = NULL;
> > +
> > +	if (func == BPRM_CHECK) {
> 
> struct linux_binprm *bprm;

Local variables are normally defined at the beginning of the function.
> 
> > +		bprm = container_of(&file, struct linux_binprm, file);
> > +		if (bprm->is_check)
> > +			return true;
> 
> return bprm->is_check;

Yes, that's better.

> 
> > +	}
> > +	return false;
> > +}
> > +
> >  /*
> >   * ima_appraise_measurement - appraise file measurement
> >   *
> > @@ -483,6 +496,7 @@ int ima_appraise_measurement(enum ima_hooks func, struct ima_iint_cache *iint,
> >  			     int xattr_len, const struct modsig *modsig)
> >  {
> >  	static const char op[] = "appraise_data";
> > +	int audit_msgno = AUDIT_INTEGRITY_DATA;
> >  	const char *cause = "unknown";
> >  	struct dentry *dentry = file_dentry(file);
> >  	struct inode *inode = d_backing_inode(dentry);
> > @@ -494,6 +508,16 @@ int ima_appraise_measurement(enum ima_hooks func, struct ima_iint_cache *iint,
> >  	if (!(inode->i_opflags & IOP_XATTR) && !try_modsig)
> >  		return INTEGRITY_UNKNOWN;
> >  
> > +	/*
> > +	 * Unlike any of the other LSM hooks where the kernel enforces file
> > +	 * integrity, enforcing file integrity for the bprm_creds_for_exec()
> > +	 * LSM hook with the AT_EXECVE_CHECK flag is left up to the discretion
> > +	 * of the script interpreter(userspace). Differentiate kernel and
> > +	 * userspace enforced integrity audit messages.
> > +	 */
> > +	if (is_bprm_creds_for_exec(func, file))
> > +		audit_msgno = AUDIT_INTEGRITY_DATA_CHECK;
> > +
> >  	/* If reading the xattr failed and there's no modsig, error out. */
> >  	if (rc <= 0 && !try_modsig) {
> >  		if (rc && rc != -ENODATA)
> > @@ -569,7 +593,7 @@ int ima_appraise_measurement(enum ima_hooks func, struct ima_iint_cache *iint,
> >  	     (iint->flags & IMA_FAIL_UNVERIFIABLE_SIGS))) {
> >  		status = INTEGRITY_FAIL;
> >  		cause = "unverifiable-signature";
> > -		integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
> > +		integrity_audit_msg(audit_msgno, inode, filename,
> >  				    op, cause, rc, 0);
> >  	} else if (status != INTEGRITY_PASS) {
> >  		/* Fix mode, but don't replace file signatures. */
> > @@ -589,7 +613,7 @@ int ima_appraise_measurement(enum ima_hooks func, struct ima_iint_cache *iint,
> >  			status = INTEGRITY_PASS;
> >  		}
> >  
> > -		integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
> > +		integrity_audit_msg(audit_msgno, inode, filename,
> >  				    op, cause, rc, 0);
> >  	} else {
> >  		ima_cache_flags(iint, func);
> > diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> > index 06132cf47016..f0830e6d0cda 100644
> > --- a/security/integrity/ima/ima_main.c
> > +++ b/security/integrity/ima/ima_main.c
> > @@ -554,6 +554,27 @@ static int ima_bprm_check(struct linux_binprm *bprm)
> >  				   MAY_EXEC, CREDS_CHECK);
> >  }
> >  
> > +/**
> > + * ima_bprm_creds_for_exec - collect/store/appraise measurement.
> > + * @bprm: contains the linux_binprm structure
> > + *
> > + * Based on the IMA policy and the execvat(2) AT_CHECK flag, measure and
> 
> AT_EXECVE_CHECK

Thanks, good catch.
> 
> > + * appraise the integrity of a file to be executed by script interpreters.
> > + * Unlike any of the other LSM hooks where the kernel enforces file integrity,
> > + * enforcing file integrity is left up to the discretion of the script
> > + * interpreter (userspace).
> > + *
> > + * On success return 0.  On integrity appraisal error, assuming the file
> > + * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
> > + */
> > +static int ima_bprm_creds_for_exec(struct linux_binprm *bprm)
> > +{
> 
> We could have a comment explaining that ima_bprm_check() will not be
> called a second time bi the bprm_check_security hook if bprm->is_check
> is true because this hook would then not be called.  This would not be a
> security issue anyway, just a useless call.

Proposed comment:
+       /* 
+        * As security_bprm_check() is called multiple times, both 
+        * the script and the shebang interpreter are measured, appraised,
+        * and audited. Limit usage of this LSM hook to just measuring,
+        * appraising, and auditing the indirect script execution
+        * (e.g. ./sh example.sh).
+        */

> 
> > +	if (!bprm->is_check)
> > +		return 0;
> > +
> > +	return ima_bprm_check(bprm);
> > +}
> > +
> >  /**
> >   * ima_file_check - based on policy, collect/store measurement.
> >   * @file: pointer to the file to be measured
> > @@ -1177,6 +1198,7 @@ static int __init init_ima(void)
> >  
> >  static struct security_hook_list ima_hooks[] __ro_after_init = {
> >  	LSM_HOOK_INIT(bprm_check_security, ima_bprm_check),
> > +	LSM_HOOK_INIT(bprm_creds_for_exec, ima_bprm_creds_for_exec),
> >  	LSM_HOOK_INIT(file_post_open, ima_file_check),
> >  	LSM_HOOK_INIT(inode_post_create_tmpfile, ima_post_create_tmpfile),
> >  	LSM_HOOK_INIT(file_release, ima_file_free),
> > -- 
> > 2.47.0
> > 
> >
Mickaël Salaün Dec. 4, 2024, 5:47 p.m. UTC | #3
On Wed, Dec 04, 2024 at 09:57:42AM -0500, Mimi Zohar wrote:
> On Wed, 2024-12-04 at 11:15 +0100, Mickaël Salaün wrote:
> > On Tue, Dec 03, 2024 at 06:34:24PM -0500, Mimi Zohar wrote:
> > > Like direct file execution (e.g. ./script.sh), indirect file exection
> > > (e.g. sh script.sh) needs to be measured and appraised.  Instantiate
> > > the new security_bprm_creds_for_exec() hook to measure and verify the
> > > indirect file's integrity.  Unlike direct file execution, indirect file
> > > execution is optionally enforced by the interpreter.
> > > 
> > > Differentiate kernel and userspace enforced integrity audit messages.
> > > 
> > 
> > I guess there is a missing tag:
> > 
> > Co-developed-by: Roberto Sassu <roberto.sassu@huawei.com>
> 
> Having a different author with multiple "Signed-off-by" implies the patch
> history, but adding the "Co-developed-by" is explicit.  I'll add the Co-
> developed-by tag.
> 
> > 
> > > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> > > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> > 
> > With some minor comments, this looks good to me. I'll include this patch
> > or the next one in my patch series.  Thanks!
> 
> Thank you.
> 
> > 
> > > ---
> > > Changelog v2:
> > > - Mickael: Use same audit messages with new audit message number
> > > - Stefan Berger: Return boolean from is_bprm_creds_for_exec() 
> > > 
> > >  include/uapi/linux/audit.h            |  1 +
> > >  security/integrity/ima/ima_appraise.c | 28 +++++++++++++++++++++++++--
> > >  security/integrity/ima/ima_main.c     | 22 +++++++++++++++++++++
> > >  3 files changed, 49 insertions(+), 2 deletions(-)
> > > 
> > > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> > > index 75e21a135483..826337905466 100644
> > > --- a/include/uapi/linux/audit.h
> > > +++ b/include/uapi/linux/audit.h
> > > @@ -161,6 +161,7 @@
> > >  #define AUDIT_INTEGRITY_RULE	    1805 /* policy rule */
> > >  #define AUDIT_INTEGRITY_EVM_XATTR   1806 /* New EVM-covered xattr */
> > >  #define AUDIT_INTEGRITY_POLICY_RULE 1807 /* IMA policy rules */
> > > +#define AUDIT_INTEGRITY_DATA_CHECK  1808 /* Userspace enforced data integrity */
> > >  
> > >  #define AUDIT_KERNEL		2000	/* Asynchronous audit record. NOT A REQUEST. */
> > >  
> > > diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
> > > index 656c709b974f..144e0b39fbcd 100644
> > > --- a/security/integrity/ima/ima_appraise.c
> > > +++ b/security/integrity/ima/ima_appraise.c
> > > @@ -8,6 +8,7 @@
> > >  #include <linux/module.h>
> > >  #include <linux/init.h>
> > >  #include <linux/file.h>
> > > +#include <linux/binfmts.h>
> > >  #include <linux/fs.h>
> > >  #include <linux/xattr.h>
> > >  #include <linux/magic.h>
> > > @@ -469,6 +470,18 @@ int ima_check_blacklist(struct ima_iint_cache *iint,
> > >  	return rc;
> > >  }
> > >  
> > > +static bool is_bprm_creds_for_exec(enum ima_hooks func, struct file *file)
> > > +{
> > > +	struct linux_binprm *bprm = NULL;
> > > +
> > > +	if (func == BPRM_CHECK) {
> > 
> > struct linux_binprm *bprm;
> 
> Local variables are normally defined at the beginning of the function.
> > 
> > > +		bprm = container_of(&file, struct linux_binprm, file);
> > > +		if (bprm->is_check)
> > > +			return true;
> > 
> > return bprm->is_check;
> 
> Yes, that's better.
> 
> > 
> > > +	}
> > > +	return false;
> > > +}
> > > +
> > >  /*
> > >   * ima_appraise_measurement - appraise file measurement
> > >   *
> > > @@ -483,6 +496,7 @@ int ima_appraise_measurement(enum ima_hooks func, struct ima_iint_cache *iint,
> > >  			     int xattr_len, const struct modsig *modsig)
> > >  {
> > >  	static const char op[] = "appraise_data";
> > > +	int audit_msgno = AUDIT_INTEGRITY_DATA;
> > >  	const char *cause = "unknown";
> > >  	struct dentry *dentry = file_dentry(file);
> > >  	struct inode *inode = d_backing_inode(dentry);
> > > @@ -494,6 +508,16 @@ int ima_appraise_measurement(enum ima_hooks func, struct ima_iint_cache *iint,
> > >  	if (!(inode->i_opflags & IOP_XATTR) && !try_modsig)
> > >  		return INTEGRITY_UNKNOWN;
> > >  
> > > +	/*
> > > +	 * Unlike any of the other LSM hooks where the kernel enforces file
> > > +	 * integrity, enforcing file integrity for the bprm_creds_for_exec()
> > > +	 * LSM hook with the AT_EXECVE_CHECK flag is left up to the discretion
> > > +	 * of the script interpreter(userspace). Differentiate kernel and
> > > +	 * userspace enforced integrity audit messages.
> > > +	 */
> > > +	if (is_bprm_creds_for_exec(func, file))
> > > +		audit_msgno = AUDIT_INTEGRITY_DATA_CHECK;
> > > +
> > >  	/* If reading the xattr failed and there's no modsig, error out. */
> > >  	if (rc <= 0 && !try_modsig) {
> > >  		if (rc && rc != -ENODATA)
> > > @@ -569,7 +593,7 @@ int ima_appraise_measurement(enum ima_hooks func, struct ima_iint_cache *iint,
> > >  	     (iint->flags & IMA_FAIL_UNVERIFIABLE_SIGS))) {
> > >  		status = INTEGRITY_FAIL;
> > >  		cause = "unverifiable-signature";
> > > -		integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
> > > +		integrity_audit_msg(audit_msgno, inode, filename,
> > >  				    op, cause, rc, 0);
> > >  	} else if (status != INTEGRITY_PASS) {
> > >  		/* Fix mode, but don't replace file signatures. */
> > > @@ -589,7 +613,7 @@ int ima_appraise_measurement(enum ima_hooks func, struct ima_iint_cache *iint,
> > >  			status = INTEGRITY_PASS;
> > >  		}
> > >  
> > > -		integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
> > > +		integrity_audit_msg(audit_msgno, inode, filename,
> > >  				    op, cause, rc, 0);
> > >  	} else {
> > >  		ima_cache_flags(iint, func);
> > > diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> > > index 06132cf47016..f0830e6d0cda 100644
> > > --- a/security/integrity/ima/ima_main.c
> > > +++ b/security/integrity/ima/ima_main.c
> > > @@ -554,6 +554,27 @@ static int ima_bprm_check(struct linux_binprm *bprm)
> > >  				   MAY_EXEC, CREDS_CHECK);
> > >  }
> > >  
> > > +/**
> > > + * ima_bprm_creds_for_exec - collect/store/appraise measurement.
> > > + * @bprm: contains the linux_binprm structure
> > > + *
> > > + * Based on the IMA policy and the execvat(2) AT_CHECK flag, measure and
> > 
> > AT_EXECVE_CHECK
> 
> Thanks, good catch.
> > 
> > > + * appraise the integrity of a file to be executed by script interpreters.
> > > + * Unlike any of the other LSM hooks where the kernel enforces file integrity,
> > > + * enforcing file integrity is left up to the discretion of the script
> > > + * interpreter (userspace).
> > > + *
> > > + * On success return 0.  On integrity appraisal error, assuming the file
> > > + * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
> > > + */
> > > +static int ima_bprm_creds_for_exec(struct linux_binprm *bprm)
> > > +{
> > 
> > We could have a comment explaining that ima_bprm_check() will not be
> > called a second time bi the bprm_check_security hook if bprm->is_check
> > is true because this hook would then not be called.  This would not be a
> > security issue anyway, just a useless call.
> 
> Proposed comment:
> +       /* 
> +        * As security_bprm_check() is called multiple times, both 
> +        * the script and the shebang interpreter are measured, appraised,
> +        * and audited. Limit usage of this LSM hook to just measuring,
> +        * appraising, and auditing the indirect script execution
> +        * (e.g. ./sh example.sh).
> +        */

Looks good!  Feel free to send a new patch with these changes.

> 
> > 
> > > +	if (!bprm->is_check)
> > > +		return 0;
> > > +
> > > +	return ima_bprm_check(bprm);
> > > +}
> > > +
> > >  /**
> > >   * ima_file_check - based on policy, collect/store measurement.
> > >   * @file: pointer to the file to be measured
> > > @@ -1177,6 +1198,7 @@ static int __init init_ima(void)
> > >  
> > >  static struct security_hook_list ima_hooks[] __ro_after_init = {
> > >  	LSM_HOOK_INIT(bprm_check_security, ima_bprm_check),
> > > +	LSM_HOOK_INIT(bprm_creds_for_exec, ima_bprm_creds_for_exec),
> > >  	LSM_HOOK_INIT(file_post_open, ima_file_check),
> > >  	LSM_HOOK_INIT(inode_post_create_tmpfile, ima_post_create_tmpfile),
> > >  	LSM_HOOK_INIT(file_release, ima_file_free),
> > > -- 
> > > 2.47.0
> > > 
> > > 
> 
>
Stefan Berger Dec. 4, 2024, 7:01 p.m. UTC | #4
On 12/3/24 6:34 PM, Mimi Zohar wrote:
> Like direct file execution (e.g. ./script.sh), indirect file exection

typo: execution

> (e.g. sh script.sh) needs to be measured and appraised.  Instantiate

If I understand the underlying patches correctly then 'sh script.sh' 
would be evaluated with execveat(AT_CHECK) but this requires the execute 
flag to be set. To maintain backwards compatibility  sh cannot assume 
that script.sh has the execute flag set since it doesn't need today:

$ echo 'echo hi' > foo.sh
$ sh foo.sh
hi

the same is true for python:

$ echo 'print("hi")' > foo.py
$ python foo.py
hi

I am not sure which interpreters are going to be able to take advantage 
of this or whether they will behave differently if the x bit is set 
versus when it is not set...?
Mickaël Salaün Dec. 5, 2024, 10:53 a.m. UTC | #5
On Wed, Dec 04, 2024 at 02:01:02PM -0500, Stefan Berger wrote:
> 
> 
> On 12/3/24 6:34 PM, Mimi Zohar wrote:
> > Like direct file execution (e.g. ./script.sh), indirect file exection
> 
> typo: execution
> 
> > (e.g. sh script.sh) needs to be measured and appraised.  Instantiate
> 
> If I understand the underlying patches correctly then 'sh script.sh' would
> be evaluated with execveat(AT_CHECK) but this requires the execute flag to
> be set. To maintain backwards compatibility  sh cannot assume that script.sh
> has the execute flag set since it doesn't need today:
> 
> $ echo 'echo hi' > foo.sh
> $ sh foo.sh
> hi
> 
> the same is true for python:
> 
> $ echo 'print("hi")' > foo.py
> $ python foo.py
> hi
> 
> I am not sure which interpreters are going to be able to take advantage of
> this or whether they will behave differently if the x bit is set versus when
> it is not set...?

This is a valid concern handled with two new securebits.  See the
related patch series and documentation:
https://lore.kernel.org/all/20241112191858.162021-3-mic@digikod.net/
Stefan Berger Dec. 5, 2024, 3:44 p.m. UTC | #6
On 12/3/24 6:34 PM, Mimi Zohar wrote:
> Like direct file execution (e.g. ./script.sh), indirect file exection
> (e.g. sh script.sh) needs to be measured and appraised.  Instantiate
> the new security_bprm_creds_for_exec() hook to measure and verify the
> indirect file's integrity.  Unlike direct file execution, indirect file
> execution is optionally enforced by the interpreter.
> 
> Differentiate kernel and userspace enforced integrity audit messages.
> 
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

Tested-by: Stefan Berger <stefanb@linux.ibm.com>
diff mbox series

Patch

diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 75e21a135483..826337905466 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -161,6 +161,7 @@ 
 #define AUDIT_INTEGRITY_RULE	    1805 /* policy rule */
 #define AUDIT_INTEGRITY_EVM_XATTR   1806 /* New EVM-covered xattr */
 #define AUDIT_INTEGRITY_POLICY_RULE 1807 /* IMA policy rules */
+#define AUDIT_INTEGRITY_DATA_CHECK  1808 /* Userspace enforced data integrity */
 
 #define AUDIT_KERNEL		2000	/* Asynchronous audit record. NOT A REQUEST. */
 
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 656c709b974f..144e0b39fbcd 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -8,6 +8,7 @@ 
 #include <linux/module.h>
 #include <linux/init.h>
 #include <linux/file.h>
+#include <linux/binfmts.h>
 #include <linux/fs.h>
 #include <linux/xattr.h>
 #include <linux/magic.h>
@@ -469,6 +470,18 @@  int ima_check_blacklist(struct ima_iint_cache *iint,
 	return rc;
 }
 
+static bool is_bprm_creds_for_exec(enum ima_hooks func, struct file *file)
+{
+	struct linux_binprm *bprm = NULL;
+
+	if (func == BPRM_CHECK) {
+		bprm = container_of(&file, struct linux_binprm, file);
+		if (bprm->is_check)
+			return true;
+	}
+	return false;
+}
+
 /*
  * ima_appraise_measurement - appraise file measurement
  *
@@ -483,6 +496,7 @@  int ima_appraise_measurement(enum ima_hooks func, struct ima_iint_cache *iint,
 			     int xattr_len, const struct modsig *modsig)
 {
 	static const char op[] = "appraise_data";
+	int audit_msgno = AUDIT_INTEGRITY_DATA;
 	const char *cause = "unknown";
 	struct dentry *dentry = file_dentry(file);
 	struct inode *inode = d_backing_inode(dentry);
@@ -494,6 +508,16 @@  int ima_appraise_measurement(enum ima_hooks func, struct ima_iint_cache *iint,
 	if (!(inode->i_opflags & IOP_XATTR) && !try_modsig)
 		return INTEGRITY_UNKNOWN;
 
+	/*
+	 * Unlike any of the other LSM hooks where the kernel enforces file
+	 * integrity, enforcing file integrity for the bprm_creds_for_exec()
+	 * LSM hook with the AT_EXECVE_CHECK flag is left up to the discretion
+	 * of the script interpreter(userspace). Differentiate kernel and
+	 * userspace enforced integrity audit messages.
+	 */
+	if (is_bprm_creds_for_exec(func, file))
+		audit_msgno = AUDIT_INTEGRITY_DATA_CHECK;
+
 	/* If reading the xattr failed and there's no modsig, error out. */
 	if (rc <= 0 && !try_modsig) {
 		if (rc && rc != -ENODATA)
@@ -569,7 +593,7 @@  int ima_appraise_measurement(enum ima_hooks func, struct ima_iint_cache *iint,
 	     (iint->flags & IMA_FAIL_UNVERIFIABLE_SIGS))) {
 		status = INTEGRITY_FAIL;
 		cause = "unverifiable-signature";
-		integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
+		integrity_audit_msg(audit_msgno, inode, filename,
 				    op, cause, rc, 0);
 	} else if (status != INTEGRITY_PASS) {
 		/* Fix mode, but don't replace file signatures. */
@@ -589,7 +613,7 @@  int ima_appraise_measurement(enum ima_hooks func, struct ima_iint_cache *iint,
 			status = INTEGRITY_PASS;
 		}
 
-		integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
+		integrity_audit_msg(audit_msgno, inode, filename,
 				    op, cause, rc, 0);
 	} else {
 		ima_cache_flags(iint, func);
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 06132cf47016..f0830e6d0cda 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -554,6 +554,27 @@  static int ima_bprm_check(struct linux_binprm *bprm)
 				   MAY_EXEC, CREDS_CHECK);
 }
 
+/**
+ * ima_bprm_creds_for_exec - collect/store/appraise measurement.
+ * @bprm: contains the linux_binprm structure
+ *
+ * Based on the IMA policy and the execvat(2) AT_CHECK flag, measure and
+ * appraise the integrity of a file to be executed by script interpreters.
+ * Unlike any of the other LSM hooks where the kernel enforces file integrity,
+ * enforcing file integrity is left up to the discretion of the script
+ * interpreter (userspace).
+ *
+ * On success return 0.  On integrity appraisal error, assuming the file
+ * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
+ */
+static int ima_bprm_creds_for_exec(struct linux_binprm *bprm)
+{
+	if (!bprm->is_check)
+		return 0;
+
+	return ima_bprm_check(bprm);
+}
+
 /**
  * ima_file_check - based on policy, collect/store measurement.
  * @file: pointer to the file to be measured
@@ -1177,6 +1198,7 @@  static int __init init_ima(void)
 
 static struct security_hook_list ima_hooks[] __ro_after_init = {
 	LSM_HOOK_INIT(bprm_check_security, ima_bprm_check),
+	LSM_HOOK_INIT(bprm_creds_for_exec, ima_bprm_creds_for_exec),
 	LSM_HOOK_INIT(file_post_open, ima_file_check),
 	LSM_HOOK_INIT(inode_post_create_tmpfile, ima_post_create_tmpfile),
 	LSM_HOOK_INIT(file_release, ima_file_free),