From patchwork Tue Nov 7 10:37:08 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Roberto Sassu X-Patchwork-Id: 10046281 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id ACDD8605A8 for ; Tue, 7 Nov 2017 10:46:25 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8EC2129C91 for ; Tue, 7 Nov 2017 10:46:25 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 835492A0FD; Tue, 7 Nov 2017 10:46:25 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id EE95C2A0BA for ; Tue, 7 Nov 2017 10:46:24 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753072AbdKGKqB (ORCPT ); Tue, 7 Nov 2017 05:46:01 -0500 Received: from lhrrgout.huawei.com ([194.213.3.17]:39784 "EHLO lhrrgout.huawei.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752080AbdKGKpz (ORCPT ); Tue, 7 Nov 2017 05:45:55 -0500 Received: from 172.18.7.190 (EHLO lhreml701-cah.china.huawei.com) ([172.18.7.190]) by lhrrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id DSD64912; Tue, 07 Nov 2017 10:45:53 +0000 (GMT) Received: from localhost.localdomain (10.204.65.254) by smtpsuk.huawei.com (10.201.108.42) with Microsoft SMTP Server (TLS) id 14.3.361.1; Tue, 7 Nov 2017 10:45:47 +0000 From: Roberto Sassu To: CC: , , , , , Roberto Sassu Subject: [PATCH v2 13/15] evm: add kernel command line option to select protected xattrs Date: Tue, 7 Nov 2017 11:37:08 +0100 Message-ID: <20171107103710.10883-14-roberto.sassu@huawei.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20171107103710.10883-1-roberto.sassu@huawei.com> References: <20171107103710.10883-1-roberto.sassu@huawei.com> MIME-Version: 1.0 X-Originating-IP: [10.204.65.254] X-CFilter-Loop: Reflected X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A020203.5A018EE2.0041, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=0.0.0.0, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32 X-Mirapoint-Loop-Id: 78c1803af7f618e33e99a742a16d0380 Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP EVM protects all extended attributes defined by LSMs, if LSMs are enabled in the kernel configuration. It is desirable to select a subset of extended attributes at run-time, so that setting remaining extended attributes is allowed if they should not be protected. At the moment, this option can be used to select security.ima and ignore other extended attributes. Protecting only security.ima is useful when the IMA policy does not rely on the correctness of file metadata (e.g. when only rules based on subject criteria are specified). Signed-off-by: Roberto Sassu --- Documentation/admin-guide/kernel-parameters.txt | 4 +++ include/linux/evm.h | 6 +++++ security/integrity/evm/evm_main.c | 36 +++++++++++++++++++++++++ 3 files changed, 46 insertions(+) diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 05496622b4ef..ac292121bd90 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -1149,6 +1149,10 @@ Permit 'security.evm' to be updated regardless of current integrity status. + evm_xattrs= [EVM] + Format: { "security.ima" } + Protect only security.ima extended attribute. + failslab= fail_page_alloc= fail_make_request=[KNL] diff --git a/include/linux/evm.h b/include/linux/evm.h index 35ed9a8a403a..d31c02fb2ac1 100644 --- a/include/linux/evm.h +++ b/include/linux/evm.h @@ -14,6 +14,7 @@ struct integrity_iint_cache; #ifdef CONFIG_EVM +extern int evm_set_includes_protected_xattrs(char **set, int count); extern int evm_set_key(void *key, size_t keylen); extern enum integrity_status evm_verifyxattr(struct dentry *dentry, const char *xattr_name, @@ -44,6 +45,11 @@ static inline int posix_xattr_acl(const char *xattrname) #endif #else +static inline int evm_set_includes_protected_xattrs(char **set, int count) +{ + return 1; +} + static inline int evm_set_key(void *key, size_t keylen) { return -EOPNOTSUPP; diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index 9826c02e2db8..afd6ee027250 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c @@ -68,6 +68,18 @@ static int __init evm_set_fixmode(char *str) } __setup("evm=", evm_set_fixmode); +static int __init evm_select_xattrs(char *str) +{ +#ifdef CONFIG_IMA_APPRAISE + if (strcmp(str, XATTR_NAME_IMA) == 0) { + evm_config_xattrnames[0] = XATTR_NAME_IMA; + evm_config_xattrnames[1] = NULL; + } +#endif + return 0; +} +__setup("evm_xattrs=", evm_select_xattrs); + static void __init evm_init_config(void) { #ifdef CONFIG_EVM_ATTR_FSUUID @@ -221,6 +233,30 @@ static int evm_protected_xattr(const char *req_xattr_name) } /** + * evm_set_includes_protected_xattrs - check if set includes protected xattrs + * @set: array of extended attribute names to check + * @count: size of array + * + * Check if the provided set includes all EVM protected extended attributes. + * + * Return: 1 if set includes all protected xattrs, 0 otherwise. + */ +int evm_set_includes_protected_xattrs(char **set, int count) +{ + char **xattr; + int i, found = 1; + + for (xattr = evm_config_xattrnames; *xattr != NULL; xattr++) { + for (i = 0; i < count; i++) + if (strcmp(set[i], *xattr) == 0) + break; + if (i == count) + return 0; + } + return found; +} + +/** * evm_verifyxattr - verify the integrity of the requested xattr * @dentry: object of the verify xattr * @xattr_name: requested xattr