From patchwork Thu Nov 30 10:56:10 2017
X-Patchwork-Submitter: Roberto Sassu
X-Patchwork-Id: 10084607
From: Roberto Sassu
Subject: [RFC][PATCH v2 9/9] ima: don't measure files with valid appraisal status
Date: Thu, 30 Nov 2017 11:56:10 +0100
Message-ID: <20171130105610.15761-10-roberto.sassu@huawei.com>
In-Reply-To: <20171130105610.15761-1-roberto.sassu@huawei.com>
References: <20171130105610.15761-1-roberto.sassu@huawei.com>
Sender: owner-linux-security-module@vger.kernel.org

If an integrity model is selected, access to mutable files is restricted to
TCB processes or mutable files are demoted. Then, files with a valid
appraisal status can be excluded from measurement because they won't
compromise the TCB. Remote verifiers would only require that the file
didn't contain malformed data at first access (which can be guaranteed,
for example, with a digital signature).

Changelog

v1
- don't clear IMA_MEASURE for files with digital signature
- clear IMA_MEASURE for any integrity model
- don't measure mutable files also if ima_appraise == IMA_APPRAISE_LOG

Signed-off-by: Roberto Sassu
---
 security/integrity/ima/ima_main.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 0f746b8bd965..6f1e23682c90 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -221,6 +221,12 @@ static int process_measurement(struct file *file, const struct cred *cred, /* access will be denied */ if (model_violation) action &= ~IMA_APPRAISE; + + /* do not measure mutable files, if they are appraised */ + if (ima_appraise & (IMA_APPRAISE_ENFORCE | IMA_APPRAISE_LOG) && + iint && (iint->flags & IMA_APPRAISED) && + !(iint->flags & IMA_DIGSIG)) + action &= ~IMA_MEASURE; } if (violation_check)
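Review bot: the new condition added right after `action &= ~IMA_APPRAISE;` clears IMA_MEASURE whenever a cached IMA_APPRAISED flag is present but does not test `ima_integrity_model`, while the equivalent check in the second hunk does; unless the enclosing block is already conditional on the integrity model (the hunk context does not show it), this skips measurement of hash-appraised files even when no integrity model is selected, which the commit message does not intend. Mirror the guard, e.g. `if (ima_integrity_model && (ima_appraise & (IMA_APPRAISE_ENFORCE | IMA_APPRAISE_LOG)) &&`, which also parenthesises the `&` expression in the style of the neighbouring `(iint->flags & ...)` tests. The comment "do not measure mutable files, if they are appraised" should say which appraisal result IMA_APPRAISED stands for at this point, since the test does not look at the appraisal status itself, and that "mutable" here means "appraised against a hash rather than a signature", because `!(iint->flags & IMA_DIGSIG)` is the only mutability test in the condition.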
@@ -265,9 +271,17 @@ static int process_measurement(struct file *file, const struct cred *cred, if (!pathbuf) /* ima_rdwr_violation possibly pre-fetched */ pathname = ima_d_path(&file->f_path, &pathbuf, filename); - if (rc == 0 && (action & IMA_APPRAISE_SUBMASK)) + if (rc == 0 && (action & IMA_APPRAISE_SUBMASK)) { rc = ima_appraise_measurement(func, iint, file, pathname, xattr_value, xattr_len, opened); + /* do not measure mutable files, if rc == INTEGRITY_PASS */ + if (!rc && ima_integrity_model && + ima_appraise & (IMA_APPRAISE_ENFORCE | IMA_APPRAISE_LOG) && + !(iint->flags & IMA_DIGSIG)) { + iint->flags &= ~IMA_MEASURE; + action &= ~IMA_MEASURE; + } + } if (action & IMA_MEASURE) ima_store_measurement(iint, file, pathname, xattr_value, xattr_len, pcr);
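Review bot: the block inserted after the `ima_appraise_measurement()` call tests `!rc` while its comment says `rc == INTEGRITY_PASS`; writing the condition as `rc == INTEGRITY_PASS` matches the comment and makes explicit that measurement is skipped only on a pass and not on the IMA_APPRAISE_LOG failure path, where rc is non-zero and the file stays measured. The `ima_appraise & (IMA_APPRAISE_ENFORCE | IMA_APPRAISE_LOG)` and `!(iint->flags & IMA_DIGSIG)` tests are now duplicated between this hunk and the first one, and the two copies already differ in the `ima_integrity_model` guard; a small static helper called from both sites (e.g. a hypothetical `ima_skip_mutable_measurement(iint)`) would keep them in sync and give the "mutable means hash-appraised, not signed" rule one place to live. Finally, `iint->flags &= ~IMA_MEASURE;` changes the cached per-inode flags and not only the local `action`, so later accesses to the same inode see a different state; the commit message should say that this persistence is intended.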