Commit e681d686 authored by Roberto Sassu's avatar Roberto Sassu Committed by zgzxx

ima: Introduce appraise_exec_tcb policy

euleros inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I91FSN


CVE: NA

-------------------------------------------------

This patch introduces a new hard-coded policy to appraise executable code:

appraise func=MODULE_CHECK appraise_type=imasig
appraise func=FIRMWARE_CHECK appraise_type=imasig
appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig
appraise func=POLICY_CHECK appraise_type=imasig
appraise func=DIGEST_LIST_CHECK appraise_type=imasig
dont_appraise fsmagic=0x9fa0
dont_appraise fsmagic=0x62656572
dont_appraise fsmagic=0x64626720
dont_appraise fsmagic=0x858458f6
dont_appraise fsmagic=0x1cd1
dont_appraise fsmagic=0x42494e4d
dont_appraise fsmagic=0x73636673
dont_appraise fsmagic=0xf97cff8c
dont_appraise fsmagic=0x43415d53
dont_appraise fsmagic=0x6e736673
dont_appraise fsmagic=0xde5e81e4
dont_appraise fsmagic=0x27e0eb
dont_appraise fsmagic=0x63677270
appraise func=BPRM_CHECK appraise_type=imasig
appraise func=MMAP_CHECK appraise_type=imasig

The new policy is selected by passing ima_policy=appraise_exec_tcb on the
kernel command line.

Signed-off-by: default avatarRoberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: default avatarTianxing Zhang <zhangtianxing3@huawei.com>
Reviewed-by: default avatarJason Yan <yanaijie@huawei.com>
Signed-off-by: default avatarZheng Zengkai <zhengzengkai@huawei.com>
Signed-off-by: default avatarzhoushuiqing <zhoushuiqing2@huawei.com>
Signed-off-by: default avatarzhangguangzhi <zhangguangzhi3@huawei.com>
parent 62e99ea2
+5 −0
@@ -2046,6 +2046,11 @@
			of files (eg. kexec kernel image, kernel modules,
			firmware, policy, etc) based on file signatures.

			The "appraise_exec_tcb" includes the "secure_boot"
			policy and additionally includes all programs exec'd and
			files mmap'd for exec. Files in the tmpfs filesystem are
			not excluded from appraisal.

			The "fail_securely" policy forces file signature
			verification failure also on privileged mounted
			filesystems with the SB_I_UNVERIFIABLE_SIGNATURE
+38 −0
@@ -226,6 +226,14 @@ static struct ima_rule_entry default_appraise_rules[] __ro_after_init = {
#endif
};

#ifdef CONFIG_IMA_DIGEST_LIST
static struct ima_rule_entry appraise_exec_rules[] __ro_after_init = {
	{.action = APPRAISE, .func = BPRM_CHECK,
	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
	{.action = APPRAISE, .func = MMAP_CHECK,
	 .flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
};
#endif
static struct ima_rule_entry build_appraise_rules[] __ro_after_init = {
#ifdef CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS
	{.action = APPRAISE, .func = MODULE_CHECK,
@@ -285,6 +293,9 @@ static int __init default_measure_policy_setup(char *str)
__setup("ima_tcb", default_measure_policy_setup);

static bool ima_use_appraise_tcb __initdata;
#ifdef CONFIG_IMA_DIGEST_LIST
static bool ima_use_appraise_exec_tcb __initdata;
#endif
static bool ima_use_secure_boot __initdata;
static bool ima_use_critical_data __initdata;
static bool ima_fail_unverifiable_sigs __ro_after_init;
@@ -303,6 +314,10 @@ static int __init policy_setup(char *str)
#endif
		else if (strcmp(p, "appraise_tcb") == 0)
			ima_use_appraise_tcb = true;
#ifdef CONFIG_IMA_DIGEST_LIST
		else if (strcmp(p, "appraise_exec_tcb") == 0)
			ima_use_appraise_exec_tcb = true;
#endif
		else if (strcmp(p, "secure_boot") == 0)
			ima_use_secure_boot = true;
		else if (strcmp(p, "critical_data") == 0)
@@ -902,6 +917,15 @@ static void add_rules(struct ima_rule_entry *entries, int count,
				    entries[i].func == FILE_CHECK)
					continue;
		}
		if (ima_use_appraise_exec_tcb) {
			if (entries == default_appraise_rules) {
				if (entries[i].action != DONT_APPRAISE)
					continue;
				if ((entries[i].flags & IMA_FSMAGIC) &&
				    entries[i].fsmagic == TMPFS_MAGIC)
					continue;
			}
		}
#endif
		if (policy_rule & IMA_DEFAULT_POLICY)
			list_add_tail(&entries[i].list, &ima_default_rules);
@@ -1018,7 +1042,11 @@ void __init ima_init_policy(void)
	 * Insert the builtin "secure_boot" policy rules requiring file
	 * signatures, prior to other appraise rules.
	 */
#ifdef CONFIG_IMA_DIGEST_LIST
	if (ima_use_secure_boot || ima_use_appraise_exec_tcb)
#else
	if (ima_use_secure_boot)
#endif
		add_rules(secure_boot_rules, ARRAY_SIZE(secure_boot_rules),
			  IMA_DEFAULT_POLICY);

@@ -1038,11 +1066,21 @@ void __init ima_init_policy(void)
				  IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY);
	}

#ifdef CONFIG_IMA_DIGEST_LIST
	if (ima_use_appraise_tcb || ima_use_appraise_exec_tcb)
#else
	if (ima_use_appraise_tcb)
#endif
		add_rules(default_appraise_rules,
			  ARRAY_SIZE(default_appraise_rules),
			  IMA_DEFAULT_POLICY);

#ifdef CONFIG_IMA_DIGEST_LIST
	if (ima_use_appraise_exec_tcb)
		add_rules(appraise_exec_rules,
			  ARRAY_SIZE(appraise_exec_rules),
			  IMA_DEFAULT_POLICY);
#endif
	if (ima_use_critical_data)
		add_rules(critical_data_rules,
			  ARRAY_SIZE(critical_data_rules),
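Review bot: The new filter in add_rules (`if (ima_use_appraise_exec_tcb)` / `if (entries == default_appraise_rules)`) drops every APPRAISE entry of default_appraise_rules whenever appraise_exec_tcb is selected, even when appraise_tcb was also given, so `ima_policy=appraise_tcb|appraise_exec_tcb` ends up weaker than `appraise_tcb` alone, because ima_init_policy adds default_appraise_rules when either flag is set. Guarding the filter with `if (ima_use_appraise_exec_tcb && !ima_use_appraise_tcb)` would keep the combination a superset of both built-in policies instead of silently narrowing appraisal to exec'd and mmap'd files. The `#endif` closing this block pairs with an `#ifdef` that starts before the hunk, so it is assumed rather than visible that the new lines are compiled only under CONFIG_IMA_DIGEST_LIST like the flag they test. A comment such as `/* appraise_exec_tcb keeps only the dont_appraise rules, except the one for tmpfs */` above the TMPFS_MAGIC check would tie the code to the behaviour documented in kernel-parameters.txt.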