Commit 9e67028e authored by Mimi Zohar's avatar Mimi Zohar

ima: fail signature verification based on policy

This patch addresses the fuse privileged mounted filesystems in
environments which are unwilling to accept the risk of trusting the
signature verification and want to always fail safe, but are for example
using a pre-built kernel.

This patch defines a new builtin policy named "fail_securely", which can
be specified on the boot command line as an argument to "ima_policy=".
Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
Cc: Miklos Szeredi <miklos@szeredi.hu>
Cc: Seth Forshee <seth.forshee@canonical.com>
Cc: Dongsu Park <dongsu@kinvolk.io>
Cc: Alban Crequy <alban@kinvolk.io>
Acked-by: default avatarSerge Hallyn <serge@hallyn.com>
Acked-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
parent a9a4935d
......@@ -1525,7 +1525,8 @@
ima_policy= [IMA]
The builtin policies to load during IMA setup.
Format: "tcb | appraise_tcb | secure_boot"
Format: "tcb | appraise_tcb | secure_boot |
fail_securely"
The "tcb" policy measures all programs exec'd, files
mmap'd for exec, and all files opened with the read
......@@ -1540,6 +1541,11 @@
of files (eg. kexec kernel image, kernel modules,
firmware, policy, etc) based on file signatures.
The "fail_securely" policy forces file signature
verification failure also on privileged mounted
filesystems with the SB_I_UNVERIFIABLE_SIGNATURE
flag.
ima_tcb [IMA] Deprecated. Use ima_policy= instead.
Load a policy which meets the needs of the Trusted
Computing Base. This means IMA will measure all
......
......@@ -304,12 +304,13 @@ int ima_appraise_measurement(enum ima_hooks func,
out:
/*
* File signatures on some filesystems can not be properly verified.
* On these filesytems, that are mounted by an untrusted mounter,
* fail the file signature verification.
* When such filesystems are mounted by an untrusted mounter or on a
* system not willing to accept such a risk, fail the file signature
* verification.
*/
if ((inode->i_sb->s_iflags &
(SB_I_IMA_UNVERIFIABLE_SIGNATURE | SB_I_UNTRUSTED_MOUNTER)) ==
(SB_I_IMA_UNVERIFIABLE_SIGNATURE | SB_I_UNTRUSTED_MOUNTER)) {
if ((inode->i_sb->s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE) &&
((inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER) ||
(iint->flags & IMA_FAIL_UNVERIFIABLE_SIGS))) {
status = INTEGRITY_FAIL;
cause = "unverifiable-signature";
integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
......
......@@ -238,7 +238,8 @@ static int process_measurement(struct file *file, const struct cred *cred,
*/
if (test_and_clear_bit(IMA_CHANGE_XATTR, &iint->atomic_flags) ||
((inode->i_sb->s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE) &&
!(inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER))) {
!(inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER) &&
!(action & IMA_FAIL_UNVERIFIABLE_SIGS))) {
iint->flags &= ~IMA_DONE_MASK;
iint->measured_pcrs = 0;
}
......
......@@ -188,6 +188,7 @@ __setup("ima_tcb", default_measure_policy_setup);
static bool ima_use_appraise_tcb __initdata;
static bool ima_use_secure_boot __initdata;
static bool ima_fail_unverifiable_sigs __ro_after_init;
static int __init policy_setup(char *str)
{
char *p;
......@@ -201,6 +202,8 @@ static int __init policy_setup(char *str)
ima_use_appraise_tcb = true;
else if (strcmp(p, "secure_boot") == 0)
ima_use_secure_boot = true;
else if (strcmp(p, "fail_securely") == 0)
ima_fail_unverifiable_sigs = true;
}
return 1;
......@@ -390,6 +393,8 @@ int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid,
if (entry->action & IMA_APPRAISE) {
action |= get_subaction(entry, func);
action &= ~IMA_HASH;
if (ima_fail_unverifiable_sigs)
action |= IMA_FAIL_UNVERIFIABLE_SIGS;
}
if (entry->action & IMA_DO_MASK)
......
......@@ -35,6 +35,7 @@
#define IMA_PERMIT_DIRECTIO 0x02000000
#define IMA_NEW_FILE 0x04000000
#define EVM_IMMUTABLE_DIGSIG 0x08000000
#define IMA_FAIL_UNVERIFIABLE_SIGS 0x10000000
#define IMA_DO_MASK (IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \
IMA_HASH | IMA_APPRAISE_SUBMASK)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment