Commit e58bb688 authored by Mimi Zohar's avatar Mimi Zohar
Browse files

Merge branch 'measure-critical-data' into next-integrity 

From "IMA: support for measuring kernel integrity critical data"
coverletter.

IMA measures files and buffer data such as keys, command-line arguments
passed to the kernel on kexec system call, etc.  While these measurements
are necessary for monitoring and validating the integrity of the system,
they are not sufficient.  Various data structures, policies, and states
stored in kernel memory also impact the integrity of the system.
Several kernel subsystems contain such integrity critical data -
e.g. LSMs like SELinux, AppArmor etc. or device-mapper targets like
dm-crypt, dm-verity, dm-integrity etc.  These kernel subsystems help
protect the integrity of a system.  Their integrity critical data is not
expected to change frequently during run-time.  Some of these structures
cannot be defined as __ro_after_init, because they are initialized later.

For a given system, various external services/infrastructure tools
(including the attestation service) interact with it - both during the
setup and during rest of the system run-time.  They share sensitive data
and/or execute critical workload on that system.  The external services
may want to verify the current run-time state of the relevant kernel
subsystems before fully trusting the system with business critical
data/workload.  For instance, verifying that SELinux is in "enforce" mode
along with the expected policy, disks are encrypted with a certain
configuration, secure boot is enabled etc.

This series provides the necessary IMA functionality for kernel
subsystems to ensure their configuration can be measured:
  - by kernel subsystems themselves,
  - in a tamper resistant way,
  - and re-measured - triggered on state/configuration change.

This patch set:
  - defines a new IMA hook ima_measure_critical_data() to measure
    integrity critical data,
  - limits the critical data being measured based on a label,
  - defines a builtin critical data measurement policy,
  - and includes an SELinux consumer of the new IMA critical data hook.
parents ccf11dba fdd1ffe8

Documentation/ABI/testing/ima_policy

+4 −1
Original line number Diff line number Diff line
@@ -32,7 +32,7 @@ Description: 
			func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK]MODULE_CHECK]

			        [FIRMWARE_CHECK]

				[KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]

				[KEXEC_CMDLINE] [KEY_CHECK]

				[KEXEC_CMDLINE] [KEY_CHECK] [CRITICAL_DATA]

			mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]

			       [[^]MAY_EXEC]

			fsmagic:= hex value
@@ -52,6 +52,9 @@ Description: 
			template:= name of a defined IMA template type

			(eg, ima-ng). Only valid when action is "measure".

			pcr:= decimal value

			label:= [selinux]|[data_label]

			data_label:= a unique string used for grouping and limiting critical data.

			For example, "selinux" to measure critical data for SELinux.



		  default policy:

			# PROC_SUPER_MAGIC

Documentation/admin-guide/kernel-parameters.txt

+4 −1
Original line number Diff line number Diff line
@@ -1746,7 +1746,7 @@ 
	ima_policy=	[IMA]

			The builtin policies to load during IMA setup.

			Format: "tcb | appraise_tcb | secure_boot |

				 fail_securely"

				 fail_securely | critical_data"



			The "tcb" policy measures all programs exec'd, files

			mmap'd for exec, and all files opened with the read
@@ -1765,6 +1765,9 @@ 
			filesystems with the SB_I_UNVERIFIABLE_SIGNATURE

			flag.



			The "critical_data" policy measures kernel integrity

			critical data.



	ima_tcb		[IMA] Deprecated.  Use ima_policy= instead.

			Load a policy which meets the needs of the Trusted

			Computing Base.  This means IMA will measure all

include/linux/ima.h

+10 −0
Original line number Diff line number Diff line
@@ -31,6 +31,10 @@ extern void ima_post_path_mknod(struct dentry *dentry); 
extern int ima_file_hash(struct file *file, char *buf, size_t buf_size);

extern int ima_inode_hash(struct inode *inode, char *buf, size_t buf_size);

extern void ima_kexec_cmdline(int kernel_fd, const void *buf, int size);

extern void ima_measure_critical_data(const char *event_label,

				      const char *event_name,

				      const void *buf, size_t buf_len,

				      bool hash);



#ifdef CONFIG_IMA_APPRAISE_BOOTPARAM

extern void ima_appraise_parse_cmdline(void);
@@ -128,6 +132,12 @@ static inline int ima_inode_hash(struct inode *inode, char *buf, size_t buf_size 
}



static inline void ima_kexec_cmdline(int kernel_fd, const void *buf, int size) {}



static inline void ima_measure_critical_data(const char *event_label,

					     const char *event_name,

					     const void *buf, size_t buf_len,

					     bool hash) {}



#endif /* CONFIG_IMA */



#ifndef CONFIG_IMA_KEXEC

security/integrity/ima/ima.h

+5 −3
Original line number Diff line number Diff line
@@ -201,6 +201,7 @@ static inline unsigned int ima_hash_key(u8 *digest) 
	hook(POLICY_CHECK, policy)			\

	hook(KEXEC_CMDLINE, kexec_cmdline)		\

	hook(KEY_CHECK, key)				\

	hook(CRITICAL_DATA, critical_data)		\

	hook(MAX_CHECK, none)



#define __ima_hook_enumify(ENUM, str)	ENUM,
@@ -256,7 +257,7 @@ static inline void ima_process_queued_keys(void) {} 
int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid,

		   int mask, enum ima_hooks func, int *pcr,

		   struct ima_template_desc **template_desc,

		   const char *keyring);

		   const char *func_data);

int ima_must_measure(struct inode *inode, int mask, enum ima_hooks func);

int ima_collect_measurement(struct integrity_iint_cache *iint,

			    struct file *file, void *buf, loff_t size,
@@ -268,7 +269,8 @@ void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file, 
			   struct ima_template_desc *template_desc);

void process_buffer_measurement(struct inode *inode, const void *buf, int size,

				const char *eventname, enum ima_hooks func,

				int pcr, const char *keyring);

				int pcr, const char *func_data,

				bool buf_hash);

void ima_audit_measurement(struct integrity_iint_cache *iint,

			   const unsigned char *filename);

int ima_alloc_init_template(struct ima_event_data *event_data,
@@ -284,7 +286,7 @@ const char *ima_d_path(const struct path *path, char **pathbuf, char *filename); 
int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid,

		     enum ima_hooks func, int mask, int flags, int *pcr,

		     struct ima_template_desc **template_desc,

		     const char *keyring);

		     const char *func_data);

void ima_init_policy(void);

void ima_update_policy(void);

void ima_update_policy_flag(void);

security/integrity/ima/ima_api.c

+4 −4
Original line number Diff line number Diff line
@@ -170,13 +170,13 @@ void ima_add_violation(struct file *file, const unsigned char *filename, 
 * @func: caller identifier

 * @pcr: pointer filled in if matched measure policy sets pcr=

 * @template_desc: pointer filled in if matched measure policy sets template=

 * @keyring: keyring name used to determine the action

 * @func_data: func specific data, may be NULL

 *

 * The policy is defined in terms of keypairs:

 *		subj=, obj=, type=, func=, mask=, fsmagic=

 *	subj,obj, and type: are LSM specific.

 *	func: FILE_CHECK | BPRM_CHECK | CREDS_CHECK | MMAP_CHECK | MODULE_CHECK

 *	| KEXEC_CMDLINE | KEY_CHECK

 *	| KEXEC_CMDLINE | KEY_CHECK | CRITICAL_DATA

 *	mask: contains the permission mask

 *	fsmagic: hex value

 *
@@ -186,14 +186,14 @@ void ima_add_violation(struct file *file, const unsigned char *filename, 
int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid,

		   int mask, enum ima_hooks func, int *pcr,

		   struct ima_template_desc **template_desc,

		   const char *keyring)

		   const char *func_data)

{

	int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE | IMA_HASH;



	flags &= ima_policy_flag;



	return ima_match_policy(inode, cred, secid, func, mask, flags, pcr,

				template_desc, keyring);

				template_desc, func_data);

}



/*