From patchwork Fri Oct 20 15:41:38 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Roberto Sassu X-Patchwork-Id: 10020545 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id EC2AD602CB for ; Fri, 20 Oct 2017 15:43:40 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C70C228F1A for ; Fri, 20 Oct 2017 15:43:40 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id BA05828F1D; Fri, 20 Oct 2017 15:43:40 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2BB6828F1A for ; Fri, 20 Oct 2017 15:43:40 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751945AbdJTPnj (ORCPT ); Fri, 20 Oct 2017 11:43:39 -0400 Received: from lhrrgout.huawei.com ([194.213.3.17]:38346 "EHLO lhrrgout.huawei.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751018AbdJTPnj (ORCPT ); Fri, 20 Oct 2017 11:43:39 -0400 Received: from 172.18.7.190 (EHLO lhreml705-cah.china.huawei.com) ([172.18.7.190]) by lhrrg01-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id DYD57894; Fri, 20 Oct 2017 15:43:38 +0000 (GMT) Received: from localhost.localdomain (10.204.65.254) by smtpsuk.huawei.com (10.201.108.46) with Microsoft SMTP Server (TLS) id 14.3.361.1; Fri, 20 Oct 2017 16:43:28 +0100 From: Roberto Sassu To: CC: Roberto Sassu Subject: [RFC][PATCH 2/2] ima: don't measure files in the TCB if Biba strict policy is enforced Date: Fri, 20 Oct 2017 17:41:38 +0200 Message-ID: <20171020154138.23635-3-roberto.sassu@huawei.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20171020154138.23635-1-roberto.sassu@huawei.com> References: <20171020154138.23635-1-roberto.sassu@huawei.com> MIME-Version: 1.0 X-Originating-IP: [10.204.65.254] X-CFilter-Loop: Reflected X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A090202.59EA19AA.0079, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=0.0.0.0, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32 X-Mirapoint-Loop-Id: d3dd6d8e388d51ecf0ec63e14debbbcb Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP The Biba strict policy prevents processes outside the TCB from modifying appraised files. Then, since the integrity of those files is preserved, because only processes in the TCB can write appraised files, it is not necessary to measure them each time they are accessed by the TCB. This solves one of the main problems of binary attestation: when a modified file is accessed by the TCB, it was necessary to measure it because verifiers cannot determine from the measurement list if the writer belong or not to the TCB. Verifiers find an unknown digest and have to consider the whole system as compromised. If the Biba strict policy has been selected, and appraisal is in enforce mode, IMA measures files at first access, if they have a digital signature. Then, for subsequent accesses, files are not measured again, unless the appraisal status changes. Signed-off-by: Roberto Sassu --- security/integrity/ima/ima_main.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 6e85ea8e2373..16c2da0e32d9 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -200,10 +200,16 @@ static int process_measurement(struct file *file, char *buf, loff_t size, goto out; } - if (ima_integrity_policy) + if (ima_integrity_policy) { policy_violation = ima_appraise_biba_check(file, iint, must_appraise, &pathbuf, &pathname, filename); + /* do not measure mutable files, if they are appraised */ + if (ima_integrity_policy == BIBA_STRICT && + (ima_appraise & IMA_APPRAISE_ENFORCE)) + if (iint && (iint->flags & IMA_APPRAISED)) + action &= ~IMA_MEASURE; + } if (violation_check) ima_rdwr_violation_check(file, iint, action & IMA_MEASURE, &pathbuf, &pathname); @@ -246,9 +252,16 @@ static int process_measurement(struct file *file, char *buf, loff_t size, if (!pathbuf) /* ima_rdwr_violation possibly pre-fetched */ pathname = ima_d_path(&file->f_path, &pathbuf, filename); - if (rc == 0 && (action & IMA_APPRAISE_SUBMASK)) + if (rc == 0 && (action & IMA_APPRAISE_SUBMASK)) { rc = ima_appraise_measurement(func, iint, file, pathname, xattr_value, xattr_len, opened); + if (!rc && ima_integrity_policy == BIBA_STRICT && + (ima_appraise & IMA_APPRAISE_ENFORCE)) { + iint->flags &= ~IMA_MEASURE; + if (!(iint->flags & IMA_DIGSIG)) + action &= ~IMA_MEASURE; + } + } if (action & IMA_MEASURE) ima_store_measurement(iint, file, pathname, xattr_value, xattr_len, pcr);