Commit 8b6852da authored by Roberto Sassu's avatar Roberto Sassu Committed by zgzxx

ima: Introduce appraise_exec_immutable policy

euleros inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I91FSN


CVE: NA

-------------------------------------------------

This patch modifies the existing "appraise_exec_tcb" policy, by adding the
appraise_type=meta_immutable requirement for executed files:

appraise func=MODULE_CHECK appraise_type=imasig
appraise func=FIRMWARE_CHECK appraise_type=imasig
appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig
appraise func=POLICY_CHECK appraise_type=imasig
appraise func=DIGEST_LIST_CHECK appraise_type=imasig
dont_appraise fsmagic=0x9fa0
dont_appraise fsmagic=0x62656572
dont_appraise fsmagic=0x64626720
dont_appraise fsmagic=0x858458f6
dont_appraise fsmagic=0x1cd1
dont_appraise fsmagic=0x42494e4d
dont_appraise fsmagic=0x73636673
dont_appraise fsmagic=0xf97cff8c
dont_appraise fsmagic=0x43415d53
dont_appraise fsmagic=0x6e736673
dont_appraise fsmagic=0xde5e81e4
dont_appraise fsmagic=0x27e0eb
dont_appraise fsmagic=0x63677270
appraise func=BPRM_CHECK appraise_type=imasig appraise_type=meta_immutable
appraise func=MMAP_CHECK appraise_type=imasig

This policy can be selected by specifying
ima_policy="appraise_exec_tcb|appraise_exec_immutable" in the kernel
command line.

Signed-off-by: default avatarRoberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: default avatarTianxing Zhang <zhangtianxing3@huawei.com>
Reviewed-by: default avatarJason Yan <yanaijie@huawei.com>
Signed-off-by: default avatarZheng Zengkai <zhengzengkai@huawei.com>
Signed-off-by: default avatarzhoushuiqing <zhoushuiqing2@huawei.com>
Signed-off-by: default avatarzhangguangzhi <zhangguangzhi3@huawei.com>
parent e681d686
+4 −0
@@ -2051,6 +2051,10 @@
			files mmap'd for exec. Files in the tmpfs filesystem are
			not excluded from appraisal.

			The "appraise_exec_immutable" policy requires immutable
			metadata for executed files, if the "appraise_exec_tcb"
			policy is selected.

			The "fail_securely" policy forces file signature
			verification failure also on privileged mounted
			filesystems with the SB_I_UNVERIFIABLE_SIGNATURE
+10 −0
@@ -295,6 +295,7 @@ __setup("ima_tcb", default_measure_policy_setup);
static bool ima_use_appraise_tcb __initdata;
#ifdef CONFIG_IMA_DIGEST_LIST
static bool ima_use_appraise_exec_tcb __initdata;
static bool ima_use_appraise_exec_immutable __initdata;
#endif
static bool ima_use_secure_boot __initdata;
static bool ima_use_critical_data __initdata;
@@ -317,6 +318,8 @@ static int __init policy_setup(char *str)
#ifdef CONFIG_IMA_DIGEST_LIST
		else if (strcmp(p, "appraise_exec_tcb") == 0)
			ima_use_appraise_exec_tcb = true;
		else if (strcmp(p, "appraise_exec_immutable") == 0)
			ima_use_appraise_exec_immutable = true;
#endif
		else if (strcmp(p, "secure_boot") == 0)
			ima_use_secure_boot = true;
@@ -926,6 +929,13 @@ static void add_rules(struct ima_rule_entry *entries, int count,
					continue;
			}
		}

		if (ima_use_appraise_exec_immutable)
			if (entries == appraise_exec_rules &&
			    (entries[i].flags & IMA_FUNC) &&
			    entries[i].func == BPRM_CHECK)
				entries[i].flags |= IMA_META_IMMUTABLE_REQUIRED;

#endif
		if (policy_rule & IMA_DEFAULT_POLICY)
			list_add_tail(&entries[i].list, &ima_default_rules);
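Review bot: The new `if (ima_use_appraise_exec_immutable)` block only acts when `entries == appraise_exec_rules`, so, as far as these hunks show, `ima_policy="appraise_exec_immutable"` given without "appraise_exec_tcb" is accepted by policy_setup (second hunk) and then silently changes nothing, which leaves an operator believing immutable metadata is enforced for BPRM_CHECK when it is not. A one-line diagnostic where the two flags are evaluated together, e.g. `if (ima_use_appraise_exec_immutable && !ima_use_appraise_exec_tcb) pr_warn("ima: appraise_exec_immutable ignored, appraise_exec_tcb not selected\n");`, would make the mismatch visible in the boot log; the natural place is the policy-initialisation path, which lies outside this hunk. Separately, the nested unbraced `if` is awkward kernel style and invites a dangling-else mistake; folding it into one condition, `if (ima_use_appraise_exec_immutable && entries == appraise_exec_rules && (entries[i].flags & IMA_FUNC) && entries[i].func == BPRM_CHECK)`, keeps the single-statement body. add_rules starts and continues outside this hunk.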