[RFC,5/8] ima: Record IMA verification result of digest lists in digest cache

Commit Message

Roberto Sassu Feb. 14, 2024, 2:35 p.m. UTC

From: Roberto Sassu <roberto.sassu@huawei.com>

The digest_cache LSM allows integrity providers to record how the digest
list being used to populate the digest cache was verified.

Integrity providers can register a kernel_post_read_file LSM hook
implementation, and call digest_cache_verif_set() providing the result of
the digest list verification, together with the digest list file
descriptor.

IMA calls digest_cache_verif_set() during the DIGEST_LIST_CHECK hook
(kernel read with file type READING_DIGEST_LIST), and attaches to the
digest cache a u64 variable with the IMA_DIGEST_CACHE_MEASURE_CONTENT and
IMA_DIGEST_CACHE_APPRAISE_CONTENT flags set, if the digest list was
respectively measured and appraised.

The same flags are set in another u64 variable, if 'digest_cache=content'
appears respectively in a measure or appraise rule.

The final decision on whether the digest cache can be used for measurement
and appraisal depends on the AND of these two variables, so it must have
been authorized with the IMA policy and the same action must have been done
on the digest list.

This prevents remote verifiers from receiving an incomplete IMA measurement
list, where measurements are skipped, but there isn't the digest list the
calculated file digest was search into. It also prevents successful
appraisal without appraising the digest list itself.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
 security/integrity/ima/ima.h      |  1 +
 security/integrity/ima/ima_main.c | 19 ++++++++++++++++++-
 2 files changed, 19 insertions(+), 1 deletion(-)

Comments

Mimi Zohar March 11, 2024, 2 p.m. UTC | #1

Roberto, please consider renaming this patch.

IMA is informing the digest_cache LSM of the digest_list verification result.
Instead of "ima: Record IMA verification result of digest lists in digest
cache", it should be "ima: inform digest_cache LSM of digest list verification
result".

Mimi

Patch

diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index deee56d99d6f..2dbcaf0a9402 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -20,6 +20,7 @@ 
 #include <linux/hash.h>
 #include <linux/tpm.h>
 #include <linux/audit.h>
+#include <linux/digest_cache.h>
 #include <crypto/hash_info.h>
 
 #include "../integrity.h"
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index e3ca80098c4c..3fc48214850a 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -214,7 +214,7 @@  static int process_measurement(struct file *file, const struct cred *cred,
 	char *pathbuf = NULL;
 	char filename[NAME_MAX];
 	const char *pathname = NULL;
-	int rc = 0, action, must_appraise = 0;
+	int rc = 0, digest_cache_rc, action, must_appraise = 0;
 	int pcr = CONFIG_IMA_MEASURE_PCR_IDX;
 	struct evm_ima_xattr_data *xattr_value = NULL;
 	struct modsig *modsig = NULL;
@@ -222,6 +222,7 @@  static int process_measurement(struct file *file, const struct cred *cred,
 	bool violation_check;
 	enum hash_algo hash_algo;
 	unsigned int allowed_algos = 0;
+	u64 verif_mask = 0;
 
 	if (!ima_policy_flag || !S_ISREG(inode->i_mode))
 		return 0;
@@ -399,6 +400,22 @@  static int process_measurement(struct file *file, const struct cred *cred,
 	if ((mask & MAY_WRITE) && test_bit(IMA_DIGSIG, &iint->atomic_flags) &&
 	     !(iint->flags & IMA_NEW_FILE))
 		rc = -EACCES;
+	if (!rc && func == DIGEST_LIST_CHECK) {
+		if (iint->flags & IMA_MEASURED)
+			verif_mask |= IMA_DIGEST_CACHE_MEASURE_CONTENT;
+		if (iint->flags & IMA_APPRAISED_SUBMASK)
+			verif_mask |= IMA_DIGEST_CACHE_APPRAISE_CONTENT;
+
+		/* Remember actions done on digest list for later use. */
+		digest_cache_rc = digest_cache_verif_set(file, "ima",
+							 &verif_mask,
+							 sizeof(verif_mask));
+		/* Ignore if fd doesn't have digest cache set (prefetching). */
+		if (digest_cache_rc && digest_cache_rc != -ENOENT)
+			pr_debug("Cannot set verification mask for %s, ret: %d, ignoring\n",
+				 file_dentry(file)->d_name.name,
+				 digest_cache_rc);
+	}
 	mutex_unlock(&iint->mutex);
 	kfree(xattr_value);
 	ima_free_modsig(modsig);