Commit 47d76a48 authored by Tushar Sugandhi's avatar Tushar Sugandhi Committed by Mimi Zohar

IMA: limit critical data measurement based on a label

Integrity critical data may belong to a single subsystem or it may
arise from cross subsystem interaction.  Currently there is no mechanism
to group or limit the data based on certain label.  Limiting and
grouping critical data based on a label would make it flexible and
configurable to measure.

Define "label:=", a new IMA policy condition, for the IMA func
CRITICAL_DATA to allow grouping and limiting measurement of integrity
critical data.

Limit the measurement to the labels that are specified in the IMA
policy - CRITICAL_DATA+"label:=".  If "label:=" is not provided with
the func CRITICAL_DATA, measure all the input integrity critical data.
Signed-off-by: default avatarTushar Sugandhi <tusharsu@linux.microsoft.com>
Reviewed-by: default avatarTyler Hicks <tyhicks@linux.microsoft.com>
Signed-off-by: default avatarMimi Zohar <zohar@linux.ibm.com>
parent c4e43aa2
...@@ -52,6 +52,8 @@ Description: ...@@ -52,6 +52,8 @@ Description:
template:= name of a defined IMA template type template:= name of a defined IMA template type
(eg, ima-ng). Only valid when action is "measure". (eg, ima-ng). Only valid when action is "measure".
pcr:= decimal value pcr:= decimal value
label:= [data_label]
data_label:= a unique string used for grouping and limiting critical data.
default policy: default policy:
# PROC_SUPER_MAGIC # PROC_SUPER_MAGIC
......
...@@ -34,6 +34,7 @@ ...@@ -34,6 +34,7 @@
#define IMA_PCR 0x0100 #define IMA_PCR 0x0100
#define IMA_FSNAME 0x0200 #define IMA_FSNAME 0x0200
#define IMA_KEYRINGS 0x0400 #define IMA_KEYRINGS 0x0400
#define IMA_LABEL 0x0800
#define UNKNOWN 0 #define UNKNOWN 0
#define MEASURE 0x0001 /* same as IMA_MEASURE */ #define MEASURE 0x0001 /* same as IMA_MEASURE */
...@@ -85,6 +86,7 @@ struct ima_rule_entry { ...@@ -85,6 +86,7 @@ struct ima_rule_entry {
} lsm[MAX_LSM_RULES]; } lsm[MAX_LSM_RULES];
char *fsname; char *fsname;
struct ima_rule_opt_list *keyrings; /* Measure keys added to these keyrings */ struct ima_rule_opt_list *keyrings; /* Measure keys added to these keyrings */
struct ima_rule_opt_list *label; /* Measure data grouped under this label */
struct ima_template_desc *template; struct ima_template_desc *template;
}; };
...@@ -479,7 +481,11 @@ static bool ima_match_rule_data(struct ima_rule_entry *rule, ...@@ -479,7 +481,11 @@ static bool ima_match_rule_data(struct ima_rule_entry *rule,
opt_list = rule->keyrings; opt_list = rule->keyrings;
break; break;
case CRITICAL_DATA: case CRITICAL_DATA:
return true; if (!rule->label)
return true;
opt_list = rule->label;
break;
default: default:
return false; return false;
} }
...@@ -924,7 +930,7 @@ enum { ...@@ -924,7 +930,7 @@ enum {
Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt, Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt,
Opt_appraise_type, Opt_appraise_flag, Opt_appraise_type, Opt_appraise_flag,
Opt_permit_directio, Opt_pcr, Opt_template, Opt_keyrings, Opt_permit_directio, Opt_pcr, Opt_template, Opt_keyrings,
Opt_err Opt_label, Opt_err
}; };
static const match_table_t policy_tokens = { static const match_table_t policy_tokens = {
...@@ -961,6 +967,7 @@ static const match_table_t policy_tokens = { ...@@ -961,6 +967,7 @@ static const match_table_t policy_tokens = {
{Opt_pcr, "pcr=%s"}, {Opt_pcr, "pcr=%s"},
{Opt_template, "template=%s"}, {Opt_template, "template=%s"},
{Opt_keyrings, "keyrings=%s"}, {Opt_keyrings, "keyrings=%s"},
{Opt_label, "label=%s"},
{Opt_err, NULL} {Opt_err, NULL}
}; };
...@@ -1128,7 +1135,8 @@ static bool ima_validate_rule(struct ima_rule_entry *entry) ...@@ -1128,7 +1135,8 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
if (entry->action & ~(MEASURE | DONT_MEASURE)) if (entry->action & ~(MEASURE | DONT_MEASURE))
return false; return false;
if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR)) if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR |
IMA_LABEL))
return false; return false;
if (ima_rule_contains_lsm_cond(entry)) if (ima_rule_contains_lsm_cond(entry))
...@@ -1338,6 +1346,23 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) ...@@ -1338,6 +1346,23 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
entry->flags |= IMA_KEYRINGS; entry->flags |= IMA_KEYRINGS;
break; break;
case Opt_label:
ima_log_string(ab, "label", args[0].from);
if (entry->label) {
result = -EINVAL;
break;
}
entry->label = ima_alloc_rule_opt_list(args);
if (IS_ERR(entry->label)) {
result = PTR_ERR(entry->label);
entry->label = NULL;
break;
}
entry->flags |= IMA_LABEL;
break;
case Opt_fsuuid: case Opt_fsuuid:
ima_log_string(ab, "fsuuid", args[0].from); ima_log_string(ab, "fsuuid", args[0].from);
...@@ -1718,6 +1743,12 @@ int ima_policy_show(struct seq_file *m, void *v) ...@@ -1718,6 +1743,12 @@ int ima_policy_show(struct seq_file *m, void *v)
seq_puts(m, " "); seq_puts(m, " ");
} }
if (entry->flags & IMA_LABEL) {
seq_puts(m, "label=");
ima_show_rule_opt_list(m, entry->label);
seq_puts(m, " ");
}
if (entry->flags & IMA_PCR) { if (entry->flags & IMA_PCR) {
snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr); snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr);
seq_printf(m, pt(Opt_pcr), tbuf); seq_printf(m, pt(Opt_pcr), tbuf);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment