Commit e58bb688 authored by Mimi Zohar's avatar Mimi Zohar

Merge branch 'measure-critical-data' into next-integrity

From "IMA: support for measuring kernel integrity critical data"
coverletter.

IMA measures files and buffer data such as keys, command-line arguments
passed to the kernel on kexec system call, etc.  While these measurements
are necessary for monitoring and validating the integrity of the system,
they are not sufficient.  Various data structures, policies, and states
stored in kernel memory also impact the integrity of the system.
Several kernel subsystems contain such integrity critical data -
e.g. LSMs like SELinux, AppArmor etc. or device-mapper targets like
dm-crypt, dm-verity, dm-integrity etc.  These kernel subsystems help
protect the integrity of a system.  Their integrity critical data is not
expected to change frequently during run-time.  Some of these structures
cannot be defined as __ro_after_init, because they are initialized later.

For a given system, various external services/infrastructure tools
(including the attestation service) interact with it - both during the
setup and during rest of the system run-time.  They share sensitive data
and/or execute critical workload on that system.  The external services
may want to verify the current run-time state of the relevant kernel
subsystems before fully trusting the system with business critical
data/workload.  For instance, verifying that SELinux is in "enforce" mode
along with the expected policy, disks are encrypted with a certain
configuration, secure boot is enabled etc.

This series provides the necessary IMA functionality for kernel
subsystems to ensure their configuration can be measured:
  - by kernel subsystems themselves,
  - in a tamper resistant way,
  - and re-measured - triggered on state/configuration change.

This patch set:
  - defines a new IMA hook ima_measure_critical_data() to measure
    integrity critical data,
  - limits the critical data being measured based on a label,
  - defines a builtin critical data measurement policy,
  - and includes an SELinux consumer of the new IMA critical data hook.
parents ccf11dba fdd1ffe8
...@@ -32,7 +32,7 @@ Description: ...@@ -32,7 +32,7 @@ Description:
func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK]MODULE_CHECK] func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK]MODULE_CHECK]
[FIRMWARE_CHECK] [FIRMWARE_CHECK]
[KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK] [KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
[KEXEC_CMDLINE] [KEY_CHECK] [KEXEC_CMDLINE] [KEY_CHECK] [CRITICAL_DATA]
mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND] mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
[[^]MAY_EXEC] [[^]MAY_EXEC]
fsmagic:= hex value fsmagic:= hex value
...@@ -52,6 +52,9 @@ Description: ...@@ -52,6 +52,9 @@ Description:
template:= name of a defined IMA template type template:= name of a defined IMA template type
(eg, ima-ng). Only valid when action is "measure". (eg, ima-ng). Only valid when action is "measure".
pcr:= decimal value pcr:= decimal value
label:= [selinux]|[data_label]
data_label:= a unique string used for grouping and limiting critical data.
For example, "selinux" to measure critical data for SELinux.
default policy: default policy:
# PROC_SUPER_MAGIC # PROC_SUPER_MAGIC
......
...@@ -1746,7 +1746,7 @@ ...@@ -1746,7 +1746,7 @@
ima_policy= [IMA] ima_policy= [IMA]
The builtin policies to load during IMA setup. The builtin policies to load during IMA setup.
Format: "tcb | appraise_tcb | secure_boot | Format: "tcb | appraise_tcb | secure_boot |
fail_securely" fail_securely | critical_data"
The "tcb" policy measures all programs exec'd, files The "tcb" policy measures all programs exec'd, files
mmap'd for exec, and all files opened with the read mmap'd for exec, and all files opened with the read
...@@ -1765,6 +1765,9 @@ ...@@ -1765,6 +1765,9 @@
filesystems with the SB_I_UNVERIFIABLE_SIGNATURE filesystems with the SB_I_UNVERIFIABLE_SIGNATURE
flag. flag.
The "critical_data" policy measures kernel integrity
critical data.
ima_tcb [IMA] Deprecated. Use ima_policy= instead. ima_tcb [IMA] Deprecated. Use ima_policy= instead.
Load a policy which meets the needs of the Trusted Load a policy which meets the needs of the Trusted
Computing Base. This means IMA will measure all Computing Base. This means IMA will measure all
......
...@@ -31,6 +31,10 @@ extern void ima_post_path_mknod(struct dentry *dentry); ...@@ -31,6 +31,10 @@ extern void ima_post_path_mknod(struct dentry *dentry);
extern int ima_file_hash(struct file *file, char *buf, size_t buf_size); extern int ima_file_hash(struct file *file, char *buf, size_t buf_size);
extern int ima_inode_hash(struct inode *inode, char *buf, size_t buf_size); extern int ima_inode_hash(struct inode *inode, char *buf, size_t buf_size);
extern void ima_kexec_cmdline(int kernel_fd, const void *buf, int size); extern void ima_kexec_cmdline(int kernel_fd, const void *buf, int size);
extern void ima_measure_critical_data(const char *event_label,
const char *event_name,
const void *buf, size_t buf_len,
bool hash);
#ifdef CONFIG_IMA_APPRAISE_BOOTPARAM #ifdef CONFIG_IMA_APPRAISE_BOOTPARAM
extern void ima_appraise_parse_cmdline(void); extern void ima_appraise_parse_cmdline(void);
...@@ -128,6 +132,12 @@ static inline int ima_inode_hash(struct inode *inode, char *buf, size_t buf_size ...@@ -128,6 +132,12 @@ static inline int ima_inode_hash(struct inode *inode, char *buf, size_t buf_size
} }
static inline void ima_kexec_cmdline(int kernel_fd, const void *buf, int size) {} static inline void ima_kexec_cmdline(int kernel_fd, const void *buf, int size) {}
static inline void ima_measure_critical_data(const char *event_label,
const char *event_name,
const void *buf, size_t buf_len,
bool hash) {}
#endif /* CONFIG_IMA */ #endif /* CONFIG_IMA */
#ifndef CONFIG_IMA_KEXEC #ifndef CONFIG_IMA_KEXEC
......
...@@ -201,6 +201,7 @@ static inline unsigned int ima_hash_key(u8 *digest) ...@@ -201,6 +201,7 @@ static inline unsigned int ima_hash_key(u8 *digest)
hook(POLICY_CHECK, policy) \ hook(POLICY_CHECK, policy) \
hook(KEXEC_CMDLINE, kexec_cmdline) \ hook(KEXEC_CMDLINE, kexec_cmdline) \
hook(KEY_CHECK, key) \ hook(KEY_CHECK, key) \
hook(CRITICAL_DATA, critical_data) \
hook(MAX_CHECK, none) hook(MAX_CHECK, none)
#define __ima_hook_enumify(ENUM, str) ENUM, #define __ima_hook_enumify(ENUM, str) ENUM,
...@@ -256,7 +257,7 @@ static inline void ima_process_queued_keys(void) {} ...@@ -256,7 +257,7 @@ static inline void ima_process_queued_keys(void) {}
int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid, int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid,
int mask, enum ima_hooks func, int *pcr, int mask, enum ima_hooks func, int *pcr,
struct ima_template_desc **template_desc, struct ima_template_desc **template_desc,
const char *keyring); const char *func_data);
int ima_must_measure(struct inode *inode, int mask, enum ima_hooks func); int ima_must_measure(struct inode *inode, int mask, enum ima_hooks func);
int ima_collect_measurement(struct integrity_iint_cache *iint, int ima_collect_measurement(struct integrity_iint_cache *iint,
struct file *file, void *buf, loff_t size, struct file *file, void *buf, loff_t size,
...@@ -268,7 +269,8 @@ void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file, ...@@ -268,7 +269,8 @@ void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file,
struct ima_template_desc *template_desc); struct ima_template_desc *template_desc);
void process_buffer_measurement(struct inode *inode, const void *buf, int size, void process_buffer_measurement(struct inode *inode, const void *buf, int size,
const char *eventname, enum ima_hooks func, const char *eventname, enum ima_hooks func,
int pcr, const char *keyring); int pcr, const char *func_data,
bool buf_hash);
void ima_audit_measurement(struct integrity_iint_cache *iint, void ima_audit_measurement(struct integrity_iint_cache *iint,
const unsigned char *filename); const unsigned char *filename);
int ima_alloc_init_template(struct ima_event_data *event_data, int ima_alloc_init_template(struct ima_event_data *event_data,
...@@ -284,7 +286,7 @@ const char *ima_d_path(const struct path *path, char **pathbuf, char *filename); ...@@ -284,7 +286,7 @@ const char *ima_d_path(const struct path *path, char **pathbuf, char *filename);
int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid, int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid,
enum ima_hooks func, int mask, int flags, int *pcr, enum ima_hooks func, int mask, int flags, int *pcr,
struct ima_template_desc **template_desc, struct ima_template_desc **template_desc,
const char *keyring); const char *func_data);
void ima_init_policy(void); void ima_init_policy(void);
void ima_update_policy(void); void ima_update_policy(void);
void ima_update_policy_flag(void); void ima_update_policy_flag(void);
......
...@@ -170,13 +170,13 @@ void ima_add_violation(struct file *file, const unsigned char *filename, ...@@ -170,13 +170,13 @@ void ima_add_violation(struct file *file, const unsigned char *filename,
* @func: caller identifier * @func: caller identifier
* @pcr: pointer filled in if matched measure policy sets pcr= * @pcr: pointer filled in if matched measure policy sets pcr=
* @template_desc: pointer filled in if matched measure policy sets template= * @template_desc: pointer filled in if matched measure policy sets template=
* @keyring: keyring name used to determine the action * @func_data: func specific data, may be NULL
* *
* The policy is defined in terms of keypairs: * The policy is defined in terms of keypairs:
* subj=, obj=, type=, func=, mask=, fsmagic= * subj=, obj=, type=, func=, mask=, fsmagic=
* subj,obj, and type: are LSM specific. * subj,obj, and type: are LSM specific.
* func: FILE_CHECK | BPRM_CHECK | CREDS_CHECK | MMAP_CHECK | MODULE_CHECK * func: FILE_CHECK | BPRM_CHECK | CREDS_CHECK | MMAP_CHECK | MODULE_CHECK
* | KEXEC_CMDLINE | KEY_CHECK * | KEXEC_CMDLINE | KEY_CHECK | CRITICAL_DATA
* mask: contains the permission mask * mask: contains the permission mask
* fsmagic: hex value * fsmagic: hex value
* *
...@@ -186,14 +186,14 @@ void ima_add_violation(struct file *file, const unsigned char *filename, ...@@ -186,14 +186,14 @@ void ima_add_violation(struct file *file, const unsigned char *filename,
int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid, int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid,
int mask, enum ima_hooks func, int *pcr, int mask, enum ima_hooks func, int *pcr,
struct ima_template_desc **template_desc, struct ima_template_desc **template_desc,
const char *keyring) const char *func_data)
{ {
int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE | IMA_HASH; int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE | IMA_HASH;
flags &= ima_policy_flag; flags &= ima_policy_flag;
return ima_match_policy(inode, cred, secid, func, mask, flags, pcr, return ima_match_policy(inode, cred, secid, func, mask, flags, pcr,
template_desc, keyring); template_desc, func_data);
} }
/* /*
......
...@@ -352,7 +352,7 @@ int ima_check_blacklist(struct integrity_iint_cache *iint, ...@@ -352,7 +352,7 @@ int ima_check_blacklist(struct integrity_iint_cache *iint,
if ((rc == -EPERM) && (iint->flags & IMA_MEASURE)) if ((rc == -EPERM) && (iint->flags & IMA_MEASURE))
process_buffer_measurement(NULL, digest, digestsize, process_buffer_measurement(NULL, digest, digestsize,
"blacklisted-hash", NONE, "blacklisted-hash", NONE,
pcr, NULL); pcr, NULL, false);
} }
return rc; return rc;
......
...@@ -60,5 +60,5 @@ void ima_post_key_create_or_update(struct key *keyring, struct key *key, ...@@ -60,5 +60,5 @@ void ima_post_key_create_or_update(struct key *keyring, struct key *key,
*/ */
process_buffer_measurement(NULL, payload, payload_len, process_buffer_measurement(NULL, payload, payload_len,
keyring->description, KEY_CHECK, 0, keyring->description, KEY_CHECK, 0,
keyring->description); keyring->description, false);
} }
...@@ -809,20 +809,22 @@ int ima_post_load_data(char *buf, loff_t size, ...@@ -809,20 +809,22 @@ int ima_post_load_data(char *buf, loff_t size,
} }
/* /*
* process_buffer_measurement - Measure the buffer to ima log. * process_buffer_measurement - Measure the buffer or the buffer data hash
* @inode: inode associated with the object being measured (NULL for KEY_CHECK) * @inode: inode associated with the object being measured (NULL for KEY_CHECK)
* @buf: pointer to the buffer that needs to be added to the log. * @buf: pointer to the buffer that needs to be added to the log.
* @size: size of buffer(in bytes). * @size: size of buffer(in bytes).
* @eventname: event name to be used for the buffer entry. * @eventname: event name to be used for the buffer entry.
* @func: IMA hook * @func: IMA hook
* @pcr: pcr to extend the measurement * @pcr: pcr to extend the measurement
* @keyring: keyring name to determine the action to be performed * @func_data: func specific data, may be NULL
* @buf_hash: measure buffer data hash
* *
* Based on policy, the buffer is measured into the ima log. * Based on policy, either the buffer data or buffer data hash is measured
*/ */
void process_buffer_measurement(struct inode *inode, const void *buf, int size, void process_buffer_measurement(struct inode *inode, const void *buf, int size,
const char *eventname, enum ima_hooks func, const char *eventname, enum ima_hooks func,
int pcr, const char *keyring) int pcr, const char *func_data,
bool buf_hash)
{ {
int ret = 0; int ret = 0;
const char *audit_cause = "ENOMEM"; const char *audit_cause = "ENOMEM";
...@@ -837,6 +839,8 @@ void process_buffer_measurement(struct inode *inode, const void *buf, int size, ...@@ -837,6 +839,8 @@ void process_buffer_measurement(struct inode *inode, const void *buf, int size,
struct ima_digest_data hdr; struct ima_digest_data hdr;
char digest[IMA_MAX_DIGEST_SIZE]; char digest[IMA_MAX_DIGEST_SIZE];
} hash = {}; } hash = {};
char digest_hash[IMA_MAX_DIGEST_SIZE];
int digest_hash_len = hash_digest_size[ima_hash_algo];
int violation = 0; int violation = 0;
int action = 0; int action = 0;
u32 secid; u32 secid;
...@@ -861,7 +865,7 @@ void process_buffer_measurement(struct inode *inode, const void *buf, int size, ...@@ -861,7 +865,7 @@ void process_buffer_measurement(struct inode *inode, const void *buf, int size,
if (func) { if (func) {
security_task_getsecid(current, &secid); security_task_getsecid(current, &secid);
action = ima_get_action(inode, current_cred(), secid, 0, func, action = ima_get_action(inode, current_cred(), secid, 0, func,
&pcr, &template, keyring); &pcr, &template, func_data);
if (!(action & IMA_MEASURE)) if (!(action & IMA_MEASURE))
return; return;
} }
...@@ -879,13 +883,27 @@ void process_buffer_measurement(struct inode *inode, const void *buf, int size, ...@@ -879,13 +883,27 @@ void process_buffer_measurement(struct inode *inode, const void *buf, int size,
goto out; goto out;
} }
if (buf_hash) {
memcpy(digest_hash, hash.hdr.digest, digest_hash_len);
ret = ima_calc_buffer_hash(digest_hash, digest_hash_len,
iint.ima_hash);
if (ret < 0) {
audit_cause = "hashing_error";
goto out;
}
event_data.buf = digest_hash;
event_data.buf_len = digest_hash_len;
}
ret = ima_alloc_init_template(&event_data, &entry, template); ret = ima_alloc_init_template(&event_data, &entry, template);
if (ret < 0) { if (ret < 0) {
audit_cause = "alloc_entry"; audit_cause = "alloc_entry";
goto out; goto out;
} }
ret = ima_store_template(entry, violation, NULL, buf, pcr); ret = ima_store_template(entry, violation, NULL, event_data.buf, pcr);
if (ret < 0) { if (ret < 0) {
audit_cause = "store_entry"; audit_cause = "store_entry";
ima_free_template_entry(entry); ima_free_template_entry(entry);
...@@ -920,10 +938,37 @@ void ima_kexec_cmdline(int kernel_fd, const void *buf, int size) ...@@ -920,10 +938,37 @@ void ima_kexec_cmdline(int kernel_fd, const void *buf, int size)
return; return;
process_buffer_measurement(file_inode(f.file), buf, size, process_buffer_measurement(file_inode(f.file), buf, size,
"kexec-cmdline", KEXEC_CMDLINE, 0, NULL); "kexec-cmdline", KEXEC_CMDLINE, 0, NULL,
false);
fdput(f); fdput(f);
} }
/**
* ima_measure_critical_data - measure kernel integrity critical data
* @event_label: unique event label for grouping and limiting critical data
* @event_name: event name for the record in the IMA measurement list
* @buf: pointer to buffer data
* @buf_len: length of buffer data (in bytes)
* @hash: measure buffer data hash
*
* Measure data critical to the integrity of the kernel into the IMA log
* and extend the pcr. Examples of critical data could be various data
* structures, policies, and states stored in kernel memory that can
* impact the integrity of the system.
*/
void ima_measure_critical_data(const char *event_label,
const char *event_name,
const void *buf, size_t buf_len,
bool hash)
{
if (!event_name || !event_label || !buf || !buf_len)
return;
process_buffer_measurement(NULL, buf, buf_len, event_name,
CRITICAL_DATA, 0, event_label,
hash);
}
static int __init init_ima(void) static int __init init_ima(void)
{ {
int error; int error;
......
...@@ -34,6 +34,7 @@ ...@@ -34,6 +34,7 @@
#define IMA_PCR 0x0100 #define IMA_PCR 0x0100
#define IMA_FSNAME 0x0200 #define IMA_FSNAME 0x0200
#define IMA_KEYRINGS 0x0400 #define IMA_KEYRINGS 0x0400
#define IMA_LABEL 0x0800
#define UNKNOWN 0 #define UNKNOWN 0
#define MEASURE 0x0001 /* same as IMA_MEASURE */ #define MEASURE 0x0001 /* same as IMA_MEASURE */
...@@ -85,6 +86,7 @@ struct ima_rule_entry { ...@@ -85,6 +86,7 @@ struct ima_rule_entry {
} lsm[MAX_LSM_RULES]; } lsm[MAX_LSM_RULES];
char *fsname; char *fsname;
struct ima_rule_opt_list *keyrings; /* Measure keys added to these keyrings */ struct ima_rule_opt_list *keyrings; /* Measure keys added to these keyrings */
struct ima_rule_opt_list *label; /* Measure data grouped under this label */
struct ima_template_desc *template; struct ima_template_desc *template;
}; };
...@@ -204,6 +206,10 @@ static struct ima_rule_entry secure_boot_rules[] __ro_after_init = { ...@@ -204,6 +206,10 @@ static struct ima_rule_entry secure_boot_rules[] __ro_after_init = {
.flags = IMA_FUNC | IMA_DIGSIG_REQUIRED}, .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
}; };
static struct ima_rule_entry critical_data_rules[] __ro_after_init = {
{.action = MEASURE, .func = CRITICAL_DATA, .flags = IMA_FUNC},
};
/* An array of architecture specific rules */ /* An array of architecture specific rules */
static struct ima_rule_entry *arch_policy_entry __ro_after_init; static struct ima_rule_entry *arch_policy_entry __ro_after_init;
...@@ -226,6 +232,7 @@ __setup("ima_tcb", default_measure_policy_setup); ...@@ -226,6 +232,7 @@ __setup("ima_tcb", default_measure_policy_setup);
static bool ima_use_appraise_tcb __initdata; static bool ima_use_appraise_tcb __initdata;
static bool ima_use_secure_boot __initdata; static bool ima_use_secure_boot __initdata;
static bool ima_use_critical_data __initdata;
static bool ima_fail_unverifiable_sigs __ro_after_init; static bool ima_fail_unverifiable_sigs __ro_after_init;
static int __init policy_setup(char *str) static int __init policy_setup(char *str)
{ {
...@@ -240,6 +247,8 @@ static int __init policy_setup(char *str) ...@@ -240,6 +247,8 @@ static int __init policy_setup(char *str)
ima_use_appraise_tcb = true; ima_use_appraise_tcb = true;
else if (strcmp(p, "secure_boot") == 0) else if (strcmp(p, "secure_boot") == 0)
ima_use_secure_boot = true; ima_use_secure_boot = true;
else if (strcmp(p, "critical_data") == 0)
ima_use_critical_data = true;
else if (strcmp(p, "fail_securely") == 0) else if (strcmp(p, "fail_securely") == 0)
ima_fail_unverifiable_sigs = true; ima_fail_unverifiable_sigs = true;
else else
...@@ -453,30 +462,46 @@ int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event, ...@@ -453,30 +462,46 @@ int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event,
} }
/** /**
* ima_match_keyring - determine whether the keyring matches the measure rule * ima_match_rule_data - determine whether func_data matches the policy rule
* @rule: a pointer to a rule * @rule: a pointer to a rule
* @keyring: name of the keyring to match against the measure rule * @func_data: data to match against the measure rule data
* @cred: a pointer to a credentials structure for user validation * @cred: a pointer to a credentials structure for user validation
* *
* Returns true if keyring matches one in the rule, false otherwise. * Returns true if func_data matches one in the rule, false otherwise.
*/ */
static bool ima_match_keyring(struct ima_rule_entry *rule, static bool ima_match_rule_data(struct ima_rule_entry *rule,
const char *keyring, const struct cred *cred) const char *func_data,
const struct cred *cred)
{ {
const struct ima_rule_opt_list *opt_list = NULL;
bool matched = false; bool matched = false;
size_t i; size_t i;
if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid))
return false; return false;
switch (rule->func) {
case KEY_CHECK:
if (!rule->keyrings) if (!rule->keyrings)
return true; return true;
if (!keyring) opt_list = rule->keyrings;
break;
case CRITICAL_DATA:
if (!rule->label)
return true;
opt_list = rule->label;
break;
default:
return false;
}
if (!func_data)
return false; return false;
for (i = 0; i < rule->keyrings->count; i++) { for (i = 0; i < opt_list->count; i++) {
if (!strcmp(rule->keyrings->items[i], keyring)) { if (!strcmp(opt_list->items[i], func_data)) {
matched = true; matched = true;
break; break;
} }
...@@ -493,24 +518,30 @@ static bool ima_match_keyring(struct ima_rule_entry *rule, ...@@ -493,24 +518,30 @@ static bool ima_match_keyring(struct ima_rule_entry *rule,
* @secid: the secid of the task to be validated * @secid: the secid of the task to be validated
* @func: LIM hook identifier * @func: LIM hook identifier
* @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
* @keyring: keyring name to check in policy for KEY_CHECK func * @func_data: func specific data, may be NULL
* *
* Returns true on rule match, false on failure. * Returns true on rule match, false on failure.
*/ */
static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
const struct cred *cred, u32 secid, const struct cred *cred, u32 secid,
enum ima_hooks func, int mask, enum ima_hooks func, int mask,
const char *keyring) const char *func_data)
{ {
int i; int i;
if (func == KEY_CHECK) {
return (rule->flags & IMA_FUNC) && (rule->func == func) &&
ima_match_keyring(rule, keyring, cred);
}
if ((rule->flags & IMA_FUNC) && if ((rule->flags & IMA_FUNC) &&
(rule->func != func && func != POST_SETATTR)) (rule->func != func && func != POST_SETATTR))
return false; return false;
switch (func) {
case KEY_CHECK:
case CRITICAL_DATA:
return ((rule->func == func) &&
ima_match_rule_data(rule, func_data, cred));
default:
break;
}
if ((rule->flags & IMA_MASK) && if ((rule->flags & IMA_MASK) &&
(rule->mask != mask && func != POST_SETATTR)) (rule->mask != mask && func != POST_SETATTR))
return false; return false;
...@@ -610,8 +641,7 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) ...@@ -610,8 +641,7 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func)
* @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
* @pcr: set the pcr to extend * @pcr: set the pcr to extend
* @template_desc: the template that should be used for this rule * @template_desc: the template that should be used for this rule
* @keyring: the keyring name, if given, to be used to check in the policy. * @func_data: func specific data, may be NULL
* keyring can be NULL if func is anything other than KEY_CHECK.
* *
* Measure decision based on func/mask/fsmagic and LSM(subj/obj/type) * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type)
* conditions. * conditions.
...@@ -623,7 +653,7 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) ...@@ -623,7 +653,7 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func)
int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid, int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid,
enum ima_hooks func, int mask, int flags, int *pcr, enum ima_hooks func, int mask, int flags, int *pcr,
struct ima_template_desc **template_desc, struct ima_template_desc **template_desc,
const char *keyring) const char *func_data)
{ {
struct ima_rule_entry *entry; struct ima_rule_entry *entry;
int action = 0, actmask = flags | (flags << 1); int action = 0, actmask = flags | (flags << 1);
...@@ -638,7 +668,7 @@ int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid, ...@@ -638,7 +668,7 @@ int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid,
continue; continue;
if (!ima_match_rules(entry, inode, cred, secid, func, mask, if (!ima_match_rules(entry, inode, cred, secid, func, mask,
keyring)) func_data))
continue; continue;
action |= entry->flags & IMA_ACTION_FLAGS; action |= entry->flags & IMA_ACTION_FLAGS;
...@@ -848,6 +878,11 @@ void __init ima_init_policy(void) ...@@ -848,6 +878,11 @@ void __init ima_init_policy(void)
ARRAY_SIZE(default_appraise_rules), ARRAY_SIZE(default_appraise_rules),
IMA_DEFAULT_POLICY); IMA_DEFAULT_POLICY);
if (ima_use_critical_data)
add_rules(critical_data_rules,
ARRAY_SIZE(critical_data_rules),
IMA_DEFAULT_POLICY);
ima_update_policy_flag(); ima_update_policy_flag();
} }
...@@ -907,7 +942,7 @@ enum { ...@@ -907,7 +942,7 @@ enum {
Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt, Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt,
Opt_appraise_type, Opt_appraise_flag, Opt_appraise_type, Opt_appraise_flag,
Opt_permit_directio, Opt_pcr, Opt_template, Opt_keyrings, Opt_permit_directio, Opt_pcr, Opt_template, Opt_keyrings,
Opt_err Opt_label, Opt_err
}; };
static const match_table_t policy_tokens = { static const match_table_t policy_tokens = {
...@@ -944,6 +979,7 @@ static const match_table_t policy_tokens = { ...@@ -944,6 +979,7 @@ static const match_table_t policy_tokens = {
{Opt_pcr, "pcr=%s"}, {Opt_pcr, "pcr=%s"},
{Opt_template, "template=%s"}, {Opt_template, "template=%s"},
{Opt_keyrings, "keyrings=%s"}, {Opt_keyrings, "keyrings=%s"},
{Opt_label, "label=%s"},
{Opt_err, NULL} {Opt_err, NULL}
}; };
...@@ -1106,6 +1142,18 @@ static bool ima_validate_rule(struct ima_rule_entry *entry) ...@@ -1106,6 +1142,18 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
if (ima_rule_contains_lsm_cond(entry)) if (ima_rule_contains_lsm_cond(entry))
return false; return false;
break;
case CRITICAL_DATA:
if (entry->action & ~(MEASURE | DONT_MEASURE))
return false;
if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR |
IMA_LABEL))
return false;
if (ima_rule_contains_lsm_cond(entry))
return false;
break; break;
default: default:
return false; return false;
...@@ -1238,6 +1286,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) ...@@ -1238,6 +1286,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
else if (IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) && else if (IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) &&
strcmp(args[0].from, "KEY_CHECK") == 0) strcmp(args[0].from, "KEY_CHECK") == 0)
entry->func = KEY_CHECK; entry->func = KEY_CHECK;
else if (strcmp(args[0].from, "CRITICAL_DATA") == 0)
entry->func = CRITICAL_DATA;
else else
result = -EINVAL; result = -EINVAL;
if (!result) if (!result)
...@@ -1308,6 +1358,23 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) ...@@ -1308,6 +1358,23 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
entry->flags |= IMA_KEYRINGS; entry->flags |= IMA_KEYRINGS;
break; break;
case Opt_label:
ima_log_string(ab, "label", args[0].from);
if (entry->label) {
result = -EINVAL;
break;
}
entry->label = ima_alloc_rule_opt_list(args);
if (IS_ERR(entry->label)) {
result = PTR_ERR(entry->label);
entry->label = NULL;
break;
}
entry->flags |= IMA_LABEL;
break;
case Opt_fsuuid: case Opt_fsuuid:
ima_log_string(ab, "fsuuid", args[0].from); ima_log_string(ab, "fsuuid", args[0].from);
...@@ -1688,6 +1755,12 @@ int ima_policy_show(struct seq_file *m, void *v) ...@@ -1688,6 +1755,12 @@ int ima_policy_show(struct seq_file *m, void *v)
seq_puts(m, " "); seq_puts(m, " ");
} }
if (entry->flags & IMA_LABEL) {
seq_puts(m, "label=");
ima_show_rule_opt_list(m, entry->label);
seq_puts(m, " ");
}
if (entry->flags & IMA_PCR) { if (entry->flags & IMA_PCR) {
snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr); snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr);
seq_printf(m, pt(Opt_pcr), tbuf); seq_printf(m, pt(Opt_pcr), tbuf);
......
...@@ -162,7 +162,8 @@ void ima_process_queued_keys(void) ...@@ -162,7 +162,8 @@ void ima_process_queued_keys(void)
entry->payload_len, entry->payload_len,
entry->keyring_name, entry->keyring_name,
KEY_CHECK, 0, KEY_CHECK, 0,
entry->keyring_name); entry->keyring_name,
false);
list_del(&entry->list); list_del(&entry->list);
ima_free_key_entry(entry); ima_free_key_entry(entry);
} }
......
...@@ -16,6 +16,8 @@ selinux-$(CONFIG_NETLABEL) += netlabel.o ...@@ -16,6 +16,8 @@ selinux-$(CONFIG_NETLABEL) += netlabel.o
selinux-$(CONFIG_SECURITY_INFINIBAND) += ibpkey.o selinux-$(CONFIG_SECURITY_INFINIBAND) += ibpkey.o
selinux-$(CONFIG_IMA) += ima.o
ccflags-y := -I$(srctree)/security/selinux -I$(srctree)/security/selinux/include ccflags-y := -I$(srctree)/security/selinux -I$(srctree)/security/selinux/include
$(addprefix $(obj)/,$(selinux-y)): $(obj)/flask.h $(addprefix $(obj)/,$(selinux-y)): $(obj)/flask.h
......
// SPDX-License-Identifier: GPL-2.0+
/*
* Copyright (C) 2021 Microsoft Corporation
*
* Author: Lakshmi Ramasubramanian (nramas@linux.microsoft.com)
*
* Measure critical data structures maintainted by SELinux
* using IMA subsystem.
*/
#include <linux/vmalloc.h>
#include <linux/ima.h>
#include "security.h"
#include "ima.h"
/*
* selinux_ima_measure_state - Measure hash of the SELinux policy
*
* @state: selinux state struct
*
* NOTE: This function must be called with policy_mutex held.
*/
void selinux_ima_measure_state(struct selinux_state *state)
{
void *policy = NULL;
size_t policy_len;
int rc = 0;
/*
* Measure SELinux policy only after initialization is completed.
*/
if (!selinux_initialized(state))
return;
rc = security_read_state_kernel(state, &policy, &policy_len);
if (rc) {
pr_err("SELinux: %s: failed to read policy %d.\n", __func__, rc);
return;
}
ima_measure_critical_data("selinux", "selinux-policy-hash",
policy, policy_len, true);
vfree(policy);
}
/* SPDX-License-Identifier: GPL-2.0+ */
/*
* Copyright (C) 2021 Microsoft Corporation
*
* Author: Lakshmi Ramasubramanian (nramas@linux.microsoft.com)
*
* Measure critical data structures maintainted by SELinux
* using IMA subsystem.
*/
#ifndef _SELINUX_IMA_H_
#define _SELINUX_IMA_H_
#include "security.h"
#ifdef CONFIG_IMA
extern void selinux_ima_measure_state(struct selinux_state *selinux_state);
#else
static inline void selinux_ima_measure_state(struct selinux_state *selinux_state)
{
}
#endif
#endif /* _SELINUX_IMA_H_ */
...@@ -229,7 +229,8 @@ void selinux_policy_cancel(struct selinux_state *state, ...@@ -229,7 +229,8 @@ void selinux_policy_cancel(struct selinux_state *state,
struct selinux_policy *policy); struct selinux_policy *policy);
int security_read_policy(struct selinux_state *state, int security_read_policy(struct selinux_state *state,
void **data, size_t *len); void **data, size_t *len);
int security_read_state_kernel(struct selinux_state *state,
void **data, size_t *len);
int security_policycap_supported(struct selinux_state *state, int security_policycap_supported(struct selinux_state *state,
unsigned int req_cap); unsigned int req_cap);
......
...@@ -65,6 +65,7 @@ ...@@ -65,6 +65,7 @@
#include "ebitmap.h" #include "ebitmap.h"
#include "audit.h" #include "audit.h"
#include "policycap_names.h" #include "policycap_names.h"
#include "ima.h"
/* Forward declaration. */ /* Forward declaration. */
static int context_struct_to_string(struct policydb *policydb, static int context_struct_to_string(struct policydb *policydb,
...@@ -2178,6 +2179,7 @@ static void selinux_notify_policy_change(struct selinux_state *state, ...@@ -2178,6 +2179,7 @@ static void selinux_notify_policy_change(struct selinux_state *state,
selinux_status_update_policyload(state, seqno); selinux_status_update_policyload(state, seqno);
selinux_netlbl_cache_invalidate(); selinux_netlbl_cache_invalidate();
selinux_xfrm_notify_policyload(); selinux_xfrm_notify_policyload();
selinux_ima_measure_state(state);
} }
void selinux_policy_commit(struct selinux_state *state, void selinux_policy_commit(struct selinux_state *state,
...@@ -3873,8 +3875,33 @@ int security_netlbl_sid_to_secattr(struct selinux_state *state, ...@@ -3873,8 +3875,33 @@ int security_netlbl_sid_to_secattr(struct selinux_state *state,
} }
#endif /* CONFIG_NETLABEL */ #endif /* CONFIG_NETLABEL */
/**
* __security_read_policy - read the policy.
* @policy: SELinux policy
* @data: binary policy data
* @len: length of data in bytes
*
*/
static int __security_read_policy(struct selinux_policy *policy,
void *data, size_t *len)
{
int rc;
struct policy_file fp;
fp.data = data;
fp.len = *len;
rc = policydb_write(&policy->policydb, &fp);
if (rc)
return rc;
*len = (unsigned long)fp.data - (unsigned long)data;
return 0;
}
/** /**
* security_read_policy - read the policy. * security_read_policy - read the policy.
* @state: selinux_state
* @data: binary policy data * @data: binary policy data
* @len: length of data in bytes * @len: length of data in bytes
* *
...@@ -3883,8 +3910,6 @@ int security_read_policy(struct selinux_state *state, ...@@ -3883,8 +3910,6 @@ int security_read_policy(struct selinux_state *state,
void **data, size_t *len) void **data, size_t *len)
{ {
struct selinux_policy *policy; struct selinux_policy *policy;
int rc;
struct policy_file fp;
policy = rcu_dereference_protected( policy = rcu_dereference_protected(
state->policy, lockdep_is_held(&state->policy_mutex)); state->policy, lockdep_is_held(&state->policy_mutex));
...@@ -3896,14 +3921,35 @@ int security_read_policy(struct selinux_state *state, ...@@ -3896,14 +3921,35 @@ int security_read_policy(struct selinux_state *state,
if (!*data) if (!*data)
return -ENOMEM; return -ENOMEM;
fp.data = *data; return __security_read_policy(policy, *data, len);
fp.len = *len; }
rc = policydb_write(&policy->policydb, &fp); /**
if (rc) * security_read_state_kernel - read the policy.
return rc; * @state: selinux_state
* @data: binary policy data
* @len: length of data in bytes
*
* Allocates kernel memory for reading SELinux policy.
* This function is for internal use only and should not
* be used for returning data to user space.
*
* This function must be called with policy_mutex held.
*/
int security_read_state_kernel(struct selinux_state *state,
void **data, size_t *len)
{
struct selinux_policy *policy;
*len = (unsigned long)fp.data - (unsigned long)*data; policy = rcu_dereference_protected(
return 0; state->policy, lockdep_is_held(&state->policy_mutex));
if (!policy)
return -EINVAL;
*len = policy->policydb.len;
*data = vmalloc(*len);
if (!*data)
return -ENOMEM;
return __security_read_policy(policy, *data, len);
} }
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment