[RFC,2/7] ima: Introduce new policy keyword use_diglim

Message ID	20210930115533.878169-3-roberto.sassu@huawei.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-integrity-owner@kernel.org> From: Roberto Sassu <roberto.sassu@huawei.com> To: <zohar@linux.ibm.com>, <gregkh@linuxfoundation.org>, <mchehab+huawei@kernel.org> CC: <linux-integrity@vger.kernel.org>, <linux-security-module@vger.kernel.org>, <linux-kernel@vger.kernel.org>, Roberto Sassu <roberto.sassu@huawei.com> Subject: [RFC][PATCH 2/7] ima: Introduce new policy keyword use_diglim Date: Thu, 30 Sep 2021 13:55:28 +0200 Message-ID: <20210930115533.878169-3-roberto.sassu@huawei.com> In-Reply-To: <20210930115533.878169-1-roberto.sassu@huawei.com> References: <20210930115533.878169-1-roberto.sassu@huawei.com> MIME-Version: 1.0 Content-Transfer-Encoding: 7BIT Content-Type: text/plain; charset=US-ASCII Precedence: bulk
Series	ima: Measure and appraise files with DIGLIM \| expand [RFC,0/7] ima: Measure and appraise files with DIGLIM [RFC,1/7] integrity: Change type of IMA rule-related flags to u64 [RFC,2/7] ima: Introduce new policy keyword use_diglim [RFC,3/7] ima: Introduce diglim and appraise_diglim policies [RFC,4/7] ima: Query file digest and retrieve info from its digest lists [RFC,5/7] ima: Query metadata digest and retrieve info from its digest lists [RFC,6/7] ima: Skip measurement of files found in DIGLIM hash table [RFC,7/7] ima: Add support for appraisal with digest lists

diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy index a8a5791db14c..4979fc068b0e 100644 --- a/Documentation/ABI/testing/ima_policy +++ b/Documentation/ABI/testing/ima_policy @@ -27,7 +27,7 @@ Description: lsm: [[subj_user=] [subj_role=] [subj_type=] [obj_user=] [obj_role=] [obj_type=]] option: [[appraise_type=]] [template=] [permit_directio] - [appraise_flag=] [appraise_algos=] [keyrings=] + [appraise_flag=] [appraise_algos=] [keyrings=] [use_diglim] base: func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK] [FIRMWARE_CHECK] @@ -60,6 +60,8 @@ Description: For example, "sha256,sha512" to only accept to appraise files where the security.ima xattr was hashed with one of these two algorithms. + use_diglim: enables usage of DIGLIM for measurement and + appraisal default policy: # PROC_SUPER_MAGIC diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 084b5d9257da..dfab21aeb7e1 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -1048,7 +1048,7 @@ enum { Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt, Opt_appraise_type, Opt_appraise_flag, Opt_appraise_algos, Opt_permit_directio, Opt_pcr, Opt_template, Opt_keyrings, - Opt_label, Opt_err + Opt_label, Opt_use_diglim, Opt_err }; static const match_table_t policy_tokens = { @@ -1087,6 +1087,7 @@ static const match_table_t policy_tokens = { {Opt_template, "template=%s"}, {Opt_keyrings, "keyrings=%s"}, {Opt_label, "label=%s"}, + {Opt_use_diglim, "use_diglim"}, {Opt_err, NULL} }; @@ -1181,6 +1182,15 @@ static bool ima_validate_rule(struct ima_rule_entry *entry) if (entry->action != MEASURE && entry->flags & IMA_PCR) return false; + /* + * Ensure that measurements made with DIGLIM don't have the standard + * IMA PCR. + */ + if ((entry->flags & IMA_USE_DIGLIM_MEASURE) && + (!(entry->flags & IMA_PCR) || + entry->pcr == CONFIG_IMA_MEASURE_PCR_IDX)) + return false; + if (entry->action != APPRAISE && entry->flags & (IMA_DIGSIG_REQUIRED | IMA_MODSIG_ALLOWED | IMA_CHECK_BLACKLIST | IMA_VALIDATE_ALGOS | @@ -1215,7 +1225,9 @@ static bool ima_validate_rule(struct ima_rule_entry *entry) IMA_INMASK | IMA_EUID | IMA_PCR | IMA_FSNAME | IMA_DIGSIG_REQUIRED | IMA_PERMIT_DIRECTIO | IMA_VALIDATE_ALGOS | - IMA_META_IMMUTABLE_REQUIRED)) + IMA_META_IMMUTABLE_REQUIRED | + IMA_USE_DIGLIM_MEASURE | + IMA_USE_DIGLIM_APPRAISE)) return false; break; @@ -1229,7 +1241,9 @@ static bool ima_validate_rule(struct ima_rule_entry *entry) IMA_FSNAME | IMA_DIGSIG_REQUIRED | IMA_PERMIT_DIRECTIO | IMA_MODSIG_ALLOWED | IMA_CHECK_BLACKLIST | IMA_VALIDATE_ALGOS | - IMA_META_IMMUTABLE_REQUIRED)) + IMA_META_IMMUTABLE_REQUIRED | + IMA_USE_DIGLIM_MEASURE | + IMA_USE_DIGLIM_APPRAISE)) return false; break; @@ -1719,6 +1733,19 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) &(template_desc->num_fields)); entry->template = template_desc; break; + case Opt_use_diglim: + ima_log_string(ab, "use_diglim", args[0].from); + if (entry->action != IMA_MEASURE && + entry->action != IMA_APPRAISE) { + result = -EINVAL; + break; + } + + if (entry->action == IMA_MEASURE) + entry->flags |= IMA_USE_DIGLIM_MEASURE; + else + entry->flags |= IMA_USE_DIGLIM_APPRAISE; + break; case Opt_err: ima_log_string(ab, "UNKNOWN", p); result = -EINVAL; @@ -2058,6 +2085,9 @@ int ima_policy_show(struct seq_file *m, void *v) seq_puts(m, "appraise_type=meta_immutable "); if (entry->flags & IMA_PERMIT_DIRECTIO) seq_puts(m, "permit_directio "); + if ((entry->flags & IMA_USE_DIGLIM_MEASURE) || + (entry->flags & IMA_USE_DIGLIM_APPRAISE)) + seq_puts(m, "use_diglim "); rcu_read_unlock(); seq_puts(m, "\n"); return 0; diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index cb4a8cd2a213..89ed87a957bc 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -44,6 +44,8 @@ #define IMA_MODSIG_ALLOWED 0x0000000020000000 #define IMA_CHECK_BLACKLIST 0x0000000040000000 #define IMA_META_IMMUTABLE_REQUIRED 0x0000000080000000 +#define IMA_USE_DIGLIM_MEASURE 0x0000000100000000 +#define IMA_USE_DIGLIM_APPRAISE 0x0000000200000000 #define IMA_DO_MASK (IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \ IMA_HASH | IMA_APPRAISE_SUBMASK)

[RFC,2/7] ima: Introduce new policy keyword use_diglim

Commit Message

Patch