From patchwork Wed Sep 23 19:20:11 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tushar Sugandhi X-Patchwork-Id: 11796579 X-Patchwork-Delegate: snitzer@redhat.com Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 78BB06CB for ; Thu, 24 Sep 2020 08:31:26 +0000 (UTC) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [216.205.24.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 21905206FC for ; Thu, 24 Sep 2020 08:31:26 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 21905206FC Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=linux.microsoft.com Authentication-Results: mail.kernel.org; spf=tempfail smtp.mailfrom=dm-devel-bounces@redhat.com Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-227-CZPe7kfnO7GW4mfx51wP6g-1; Thu, 24 Sep 2020 04:31:23 -0400 X-MC-Unique: CZPe7kfnO7GW4mfx51wP6g-1 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 899001084C9A; Thu, 24 Sep 2020 08:31:18 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 6D6C75DA81; Thu, 24 Sep 2020 08:31:18 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 3E1938C7A5; Thu, 24 Sep 2020 08:31:18 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.rdu2.redhat.com [10.11.54.5]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 08NJKQMu024861 for ; Wed, 23 Sep 2020 15:20:26 -0400 Received: by smtp.corp.redhat.com (Postfix) id E8C01CF624; Wed, 23 Sep 2020 19:20:25 +0000 (UTC) Delivered-To: dm-devel@redhat.com Received: from mimecast-mx02.redhat.com (mimecast06.extmail.prod.ext.rdu2.redhat.com [10.11.55.22]) by smtp.corp.redhat.com (Postfix) with ESMTPS id E36C12B4D37 for ; Wed, 23 Sep 2020 19:20:25 +0000 (UTC) Received: from us-smtp-1.mimecast.com (us-smtp-delivery-1.mimecast.com [205.139.110.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id CAF6D185A78B for ; Wed, 23 Sep 2020 19:20:25 +0000 (UTC) Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by relay.mimecast.com with ESMTP id us-mta-446-B7jlPjaCPUSNoXWcstD9ag-1; Wed, 23 Sep 2020 15:20:23 -0400 X-MC-Unique: B7jlPjaCPUSNoXWcstD9ag-1 Received: from tusharsu-Ubuntu.lan (c-71-197-163-6.hsd1.wa.comcast.net [71.197.163.6]) by linux.microsoft.com (Postfix) with ESMTPSA id E0E2420C27C2; Wed, 23 Sep 2020 12:20:21 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com E0E2420C27C2 From: Tushar Sugandhi To: zohar@linux.ibm.com, stephen.smalley.work@gmail.com, casey@schaufler-ca.com, agk@redhat.com, snitzer@redhat.com, gmazyland@gmail.com Date: Wed, 23 Sep 2020 12:20:11 -0700 Message-Id: <20200923192011.5293-7-tusharsu@linux.microsoft.com> In-Reply-To: <20200923192011.5293-1-tusharsu@linux.microsoft.com> References: <20200923192011.5293-1-tusharsu@linux.microsoft.com> X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection Definition; Similar Internal Domain=false; Similar Monitored External Domain=false; Custom External Domain=false; Mimecast External Domain=false; Newly Observed Domain=false; Internal User Name=false; Custom Display Name List=false; Reply-to Address Mismatch=false; Targeted Threat Dictionary=false; Mimecast Threat Dictionary=false; Custom Threat Dictionary=false; X-Scanned-By: MIMEDefang 2.79 on 10.11.54.5 X-loop: dm-devel@redhat.com X-Mailman-Approved-At: Thu, 24 Sep 2020 04:31:06 -0400 Cc: sashal@kernel.org, dm-devel@redhat.com, selinux@vger.kernel.org, jmorris@namei.org, linux-kernel@vger.kernel.org, nramas@linux.microsoft.com, linux-security-module@vger.kernel.org, tyhicks@linux.microsoft.com, linux-integrity@vger.kernel.org Subject: [dm-devel] [PATCH v4 6/6] IMA: validate supported kernel data sources before measurement X-BeenThere: dm-devel@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: device-mapper development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: dm-devel-bounces@redhat.com Errors-To: dm-devel-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=dm-devel-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Currently, IMA does not restrict random data sources from measuring their data using ima_measure_critical_data(). Any kernel data source can call the function, and it's data will get measured as long as the input event_data_source is part of the IMA policy - RITICAL_DATA+data_sources. Supporting random data sources at run-time may impact the reliability of the system. To ensure that only data from supported sources are measured, the kernel component needs to be added to a compile-time list of supported sources (an "allowed list of components"). IMA then validates the input parameter - "event_data_source" passed to ima_measure_critical_data() against this allowed list at run-time. This compile time list must be updated when kernel components are updated to measure their data using IMA. Provide an infrastructure for kernel data sources to be added to IMA's supported data sources list at compile-time. Update ima_measure_critical_data() to validate, at run-time, that the data source is supported before measuring the data coming from that source. Signed-off-by: Tushar Sugandhi --- security/integrity/ima/ima.h | 29 +++++++++++++++++++++++++++++ security/integrity/ima/ima_main.c | 6 ++++++ 2 files changed, 35 insertions(+) diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index c1acf88e1b5d..4a35db010d91 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -228,6 +228,35 @@ extern const char *const func_tokens[]; struct modsig; +#define __ima_supported_kernel_data_sources(source) \ + source(MIN_SOURCE, min_source) \ + source(MAX_SOURCE, max_source) + +#define __ima_enum_stringify(ENUM, str) (#str), + +enum ima_supported_kernel_data_sources { + __ima_supported_kernel_data_sources(__ima_hook_enumify) +}; + +static const char * const ima_supported_kernel_data_sources_str[] = { + __ima_supported_kernel_data_sources(__ima_enum_stringify) +}; + +static inline bool ima_kernel_data_source_is_supported(const char *source) +{ + int i; + + if (!source) + return false; + + for (i = MIN_SOURCE + 1; i < MAX_SOURCE; i++) { + if (!strcmp(ima_supported_kernel_data_sources_str[i], source)) + return true; + } + + return false; +} + #ifdef CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS /* * To track keys that need to be measured. diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index d55896f28790..61f9642747a8 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -888,6 +888,12 @@ void ima_measure_critical_data(const char *event_name, return; } + if (!ima_kernel_data_source_is_supported(event_data_source)) { + pr_err("measuring data source %s is not permitted", + event_data_source); + return; + } + process_buffer_measurement(NULL, buf, buf_len, event_name, CRITICAL_DATA, 0, event_data_source, measure_buf_hash);