From patchwork Thu Jan 11 19:51:50 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dongsu Park X-Patchwork-Id: 10158425 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 79268602D8 for ; Thu, 11 Jan 2018 19:51:06 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 6B516287F4 for ; Thu, 11 Jan 2018 19:51:06 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 6023328803; Thu, 11 Jan 2018 19:51:06 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B3156287F4 for ; Thu, 11 Jan 2018 19:51:05 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S935697AbeAKTux (ORCPT ); Thu, 11 Jan 2018 14:50:53 -0500 Received: from mail-wm0-f66.google.com ([74.125.82.66]:44340 "EHLO mail-wm0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S935681AbeAKTuk (ORCPT ); Thu, 11 Jan 2018 14:50:40 -0500 Received: by mail-wm0-f66.google.com with SMTP id t8so7759541wmc.3 for ; Thu, 11 Jan 2018 11:50:40 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kinvolk.io; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :in-reply-to:references; bh=9d56tky+mDr6NMBr9J6FKVM7efGT2jqqqII7PGlq7W8=; b=Gk8g6AlqXnGYDKEOfjs5VmAcjbcX4UygAWM+g3ceNpOhkOYDPVINY2K+HGP8Z5fzUh OF/k+YDz8mnIQFCLeAGvQy0D9uUHDiE3AGqTo+DIpsGwub0hBwLevKplrLtdoLdkkVh+ 1uMTh6pIWqqRcTA82AxAw5Buh5vjZs3YBSWTU= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:in-reply-to:references; bh=9d56tky+mDr6NMBr9J6FKVM7efGT2jqqqII7PGlq7W8=; b=qVyFhW/jaI+mzjUqqaeOCUCa/VpbprAbP0sgFQk1kbPqjj378eSdLngzRrWY4nlcvA GgdLsgNkpf28uUXhfMD6Yp0q7udwPWOj6Pl71i8MnwYUOsMEF73a59TSZpxNqDmDv6FF kSCxB+nqntW/aHOgzNRZz/74z9v0emeN1EYax6OjdN5Xy/pPDzQ6n0uSrCYzsitq1t4N KqthapYGKCyWslAMLWqshlYfFOvshWqwLqk7XKhJRqvc117tJtpvU4Oxtu7KM+KoDFK1 9KxRE3BJvMDRff5T87fEDE4qIZIybQ9rofSW6DsZhdve1L2uC9GV7iGvoOpczs0A2YTB h0aw== X-Gm-Message-State: AKGB3mJjrMnGfnkuo98qlVhVOQ7zDxDMBVPtid+xvAiTQSVDWZ7JQbn9 6ltTMJrLMs5gUBEgOAzWfvpv9w== X-Google-Smtp-Source: ACJfBos8lZzPCZFQQP6XzLed+D/1oTddS3bgh9OtYp8o6GjAisukwP8vVkcgYR4HCGPeusbLrRTPnA== X-Received: by 10.80.192.70 with SMTP id u6mr32526122edd.109.1515700239349; Thu, 11 Jan 2018 11:50:39 -0800 (PST) Received: from dberlin.localdomain ([5.28.125.168]) by smtp.gmail.com with ESMTPSA id o60sm11802823edb.79.2018.01.11.11.50.38 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Thu, 11 Jan 2018 11:50:38 -0800 (PST) From: Dongsu Park To: linux-kernel@vger.kernel.org Cc: Alban Crequy , Miklos Szeredi , Mimi Zohar , Seth Forshee , Dongsu Park , linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH 2/2] ima: turn on force option for FUSE in builtin policies Date: Thu, 11 Jan 2018 20:51:50 +0100 Message-Id: <7a89ce9a7b8264f83fa5d61e146c01571017cca0.1515682581.git.dongsu@kinvolk.io> X-Mailer: git-send-email 2.13.6 In-Reply-To: References: In-Reply-To: References: Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP In case of FUSE filesystem, cached integrity results in IMA could be reused, when the userspace FUSE process has changed the underlying files. To be able to avoid such cases, we need to turn on the force option in builtin policies, for actions of measure and appraise. Then integrity values become re-measured and re-appraised. In that way, cached integrity results won't be used. This patch depends on the patch "ima: define a new policy option named force" by Mimi. [1] How to test the force option written by Alban: ==== The test I did was using a patched version of the memfs FUSE driver [2][3] and two very simple "hello-world" programs [5] (prog1 prints "hello world: 1" and prog2 prints "hello world: 2"). I copy prog1 and prog2 in the fuse-memfs mount point, execute them and check the sha1 hash in "/sys/kernel/security/ima/ascii_runtime_measurements". My patch on the memfs FUSE driver added a backdoor command to serve prog1 when the kernel asks for prog2 or vice-versa. In this way, I can exec prog1 and get it to print "hello world: 2" without ever replacing the file via the VFS, so the kernel is not aware of the change. The test was done using the branch "dongsu/fuse-userns-v5-2" [4], including both this new force option and Sascha's patch ("ima: Use i_version only when filesystem supports it"). Step by step test procedure: 1. Mount the memfs FUSE using [3]: rm -f /tmp/memfs-switch* ; memfs -L DEBUG /mnt/memfs 2. Copy prog1 and prog2 using [5] cp prog1 /mnt/memfs/prog1 cp prog2 /mnt/memfs/prog2 3. Lookup the files and let the FUSE driver to keep the handles open: dd if=/mnt/memfs/prog1 bs=1 | (read -n 1 x ; sleep 3600 ) & dd if=/mnt/memfs/prog2 bs=1 | (read -n 1 x ; sleep 3600 ) & 4. Check the 2 programs work correctly: $ /mnt/memfs/prog1 hello world: 1 $ /mnt/memfs/prog2 hello world: 2 5. Check the measurements for prog1 and prog2: $ sudo cat /sys/kernel/security/ima/ascii_runtime_measurements|grep /mnt/memfs/prog 10 7ac5aed52061cb09120e977c6d04ee5c7b11c371 ima-ng sha1:ac14c9268cd2811f7a5adea17b27d84f50e1122c /mnt/memfs/prog1 10 9acc17a9a32aec4a676b8f6558e17a3d6c9a78e6 ima-ng sha1:799cb5d1e06d5c37ae7a76ba25ecd1bd01476383 /mnt/memfs/prog2 6. Use the backdoor command in my patched memfs to redirect file operations on file handle 3 to file handle 2: rm -f /tmp/memfs-switch* ; touch /tmp/memfs-switch-3-2 7. Check how the FUSE driver serves different content for the files: $ /mnt/memfs/prog1 hello world: 2 $ /mnt/memfs/prog2 hello world: 2 8. Check the measurements: sudo cat /sys/kernel/security/ima/ascii_runtime_measurements|grep /mnt/memfs/prog Without the patches, on a vanilla kernel, there are no new measurements, despite the FUSE driver having served different executables. However, with the "force" option enabled, I can see additional measurements for prog1 and prog2 with the hashes reversed when the FUSE driver served the alternative content. ==== [1] https://www.spinics.net/lists/linux-integrity/msg00948.html [2] https://github.com/bbengfort/memfs [3] https://github.com/kinvolk/memfs/commits/alban/switch-files [4] https://github.com/kinvolk/linux/commits/dongsu/fuse-userns-v5-2 [5] https://github.com/kinvolk/fuse-userns-patches/commit/cf1f5750cab0 Cc: linux-integrity@vger.kernel.org Cc: linux-security-module@vger.kernel.org Cc: linux-kernel@vger.kernel.org Cc: Miklos Szeredi Cc: Mimi Zohar Cc: Seth Forshee Tested-by: Alban Crequy Signed-off-by: Dongsu Park --- security/integrity/ima/ima_policy.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index fddef8f8..8de40d85 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -127,6 +127,7 @@ static struct ima_rule_entry default_measurement_rules[] __ro_after_init = { {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC}, {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC}, {.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC}, + {.action = MEASURE, .fsmagic = FUSE_SUPER_MAGIC, .flags = IMA_FSMAGIC | IMA_FORCE}, }; static struct ima_rule_entry default_appraise_rules[] __ro_after_init = { @@ -154,6 +155,7 @@ static struct ima_rule_entry default_appraise_rules[] __ro_after_init = { {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq, .flags = IMA_FOWNER | IMA_DIGSIG_REQUIRED}, #endif + {.action = APPRAISE, .fsmagic = FUSE_SUPER_MAGIC, .flags = IMA_FSMAGIC | IMA_FORCE}, }; static struct ima_rule_entry secure_boot_rules[] __ro_after_init = {