From 16cac49f727621c6b0467ffe15ed72c2febb1296 Mon Sep 17 00:00:00 2001 From: Mimi Zohar Date: Thu, 13 Dec 2012 11:15:04 -0500 Subject: ima: rename FILE_MMAP to MMAP_CHECK Rename FILE_MMAP hook to MMAP_CHECK to be consistent with the other hook names. Signed-off-by: Mimi Zohar --- Documentation/ABI/testing/ima_policy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'Documentation/ABI/testing') diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy index ec0a38ef3145..6a0fc808fb6d 100644 --- a/Documentation/ABI/testing/ima_policy +++ b/Documentation/ABI/testing/ima_policy @@ -23,7 +23,7 @@ Description: lsm: [[subj_user=] [subj_role=] [subj_type=] [obj_user=] [obj_role=] [obj_type=]] - base: func:= [BPRM_CHECK][FILE_MMAP][FILE_CHECK][MODULE_CHECK] + base: func:= [BPRM_CHECK][MMAP_CHECK][FILE_CHECK][MODULE_CHECK] mask:= [MAY_READ] [MAY_WRITE] [MAY_APPEND] [MAY_EXEC] fsmagic:= hex value uid:= decimal value -- cgit v1.2.3 From 0e5a247cb37a97d843ef76d09d5f80deb7893ba3 Mon Sep 17 00:00:00 2001 From: Dmitry Kasatkin Date: Fri, 8 Jun 2012 13:58:49 +0300 Subject: ima: added policy support for 'security.ima' type The 'security.ima' extended attribute may contain either the file data's hash or a digital signature. This patch adds support for requiring a specific extended attribute type. It extends the IMA policy with a new keyword 'appraise_type=imasig'. (Default is hash.) Changelog v2: - Fixed Documentation/ABI/testing/ima_policy option syntax Changelog v1: - Differentiate between 'required' vs. 'actual' extended attribute Signed-off-by: Dmitry Kasatkin Signed-off-by: Mimi Zohar --- Documentation/ABI/testing/ima_policy | 4 +++- security/integrity/ima/ima_appraise.c | 5 +++++ security/integrity/ima/ima_main.c | 1 + security/integrity/ima/ima_policy.c | 18 +++++++++++++++++- security/integrity/integrity.h | 2 ++ 5 files changed, 28 insertions(+), 2 deletions(-) (limited to 'Documentation/ABI/testing') diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy index 6a0fc808fb6d..de16de3f148d 100644 --- a/Documentation/ABI/testing/ima_policy +++ b/Documentation/ABI/testing/ima_policy @@ -18,10 +18,11 @@ Description: rule format: action [condition ...] action: measure | dont_measure | appraise | dont_appraise | audit - condition:= base | lsm + condition:= base | lsm [option] base: [[func=] [mask=] [fsmagic=] [uid=] [fowner]] lsm: [[subj_user=] [subj_role=] [subj_type=] [obj_user=] [obj_role=] [obj_type=]] + option: [[appraise_type=]] base: func:= [BPRM_CHECK][MMAP_CHECK][FILE_CHECK][MODULE_CHECK] mask:= [MAY_READ] [MAY_WRITE] [MAY_APPEND] [MAY_EXEC] @@ -29,6 +30,7 @@ Description: uid:= decimal value fowner:=decimal value lsm: are LSM specific + option: appraise_type:= [imasig] default policy: # PROC_SUPER_MAGIC diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index fa675c907e0f..8004332ccb8f 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -102,6 +102,11 @@ int ima_appraise_measurement(struct integrity_iint_cache *iint, switch (xattr_value->type) { case IMA_XATTR_DIGEST: + if (iint->flags & IMA_DIGSIG_REQUIRED) { + cause = "IMA signature required"; + status = INTEGRITY_FAIL; + break; + } rc = memcmp(xattr_value->digest, iint->ima_xattr.digest, IMA_DIGEST_SIZE); if (rc) { diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index cd00ba39e8e0..3cdd78768c29 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -169,6 +169,7 @@ static int process_measurement(struct file *file, const char *filename, * (IMA_MEASURE, IMA_MEASURED, IMA_APPRAISE, IMA_APPRAISED, * IMA_AUDIT, IMA_AUDITED) */ iint->flags |= action; + action &= IMA_DO_MASK; action &= ~((iint->flags & IMA_DONE_MASK) >> 1); /* Nothing to do, just return existing appraised status */ diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 95194539d75e..1a2543a8ee53 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -245,6 +245,8 @@ int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask, if (!ima_match_rules(entry, inode, func, mask)) continue; + action |= entry->flags & IMA_ACTION_FLAGS; + action |= entry->action & IMA_DO_MASK; if (entry->action & IMA_DO_MASK) actmask &= ~(entry->action | entry->action << 1); @@ -318,7 +320,8 @@ enum { Opt_audit, Opt_obj_user, Opt_obj_role, Opt_obj_type, Opt_subj_user, Opt_subj_role, Opt_subj_type, - Opt_func, Opt_mask, Opt_fsmagic, Opt_uid, Opt_fowner + Opt_func, Opt_mask, Opt_fsmagic, Opt_uid, Opt_fowner, + Opt_appraise_type }; static match_table_t policy_tokens = { @@ -338,6 +341,7 @@ static match_table_t policy_tokens = { {Opt_fsmagic, "fsmagic=%s"}, {Opt_uid, "uid=%s"}, {Opt_fowner, "fowner=%s"}, + {Opt_appraise_type, "appraise_type=%s"}, {Opt_err, NULL} }; @@ -560,6 +564,18 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) LSM_SUBJ_TYPE, AUDIT_SUBJ_TYPE); break; + case Opt_appraise_type: + if (entry->action != APPRAISE) { + result = -EINVAL; + break; + } + + ima_log_string(ab, "appraise_type", args[0].from); + if ((strcmp(args[0].from, "imasig")) == 0) + entry->flags |= IMA_DIGSIG_REQUIRED; + else + result = -EINVAL; + break; case Opt_err: ima_log_string(ab, "UNKNOWN", p); result = -EINVAL; diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 0a298def5036..9334691b2b75 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -26,7 +26,9 @@ #define IMA_AUDITED 0x0080 /* iint cache flags */ +#define IMA_ACTION_FLAGS 0xff00 #define IMA_DIGSIG 0x0100 +#define IMA_DIGSIG_REQUIRED 0x0200 #define IMA_DO_MASK (IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT) #define IMA_DONE_MASK (IMA_MEASURED | IMA_APPRAISED | IMA_AUDITED \ -- cgit v1.2.3 From 85865c1fa189fcba49089e6254a0226f2269bebc Mon Sep 17 00:00:00 2001 From: Dmitry Kasatkin Date: Mon, 3 Sep 2012 23:23:13 +0300 Subject: ima: add policy support for file system uuid The IMA policy permits specifying rules to enable or disable measurement/appraisal/audit based on the file system magic number. If, for example, the policy contains an ext4 measurement rule, the rule is enabled for all ext4 partitions. Sometimes it might be necessary to enable measurement/appraisal/audit only for one partition and disable it for another partition of the same type. With the existing IMA policy syntax, this can not be done. This patch provides support for IMA policy rules to specify the file system by its UUID (eg. fsuuid=397449cd-687d-4145-8698-7fed4a3e0363). For partitions not being appraised, it might be a good idea to mount file systems with the 'noexec' option to prevent executing non-verified binaries. Signed-off-by: Dmitry Kasatkin Signed-off-by: Mimi Zohar --- Documentation/ABI/testing/ima_policy | 4 +++- security/integrity/ima/ima_policy.c | 22 +++++++++++++++++++++- 2 files changed, 24 insertions(+), 2 deletions(-) (limited to 'Documentation/ABI/testing') diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy index de16de3f148d..f1c5cc9d17a8 100644 --- a/Documentation/ABI/testing/ima_policy +++ b/Documentation/ABI/testing/ima_policy @@ -19,7 +19,8 @@ Description: action: measure | dont_measure | appraise | dont_appraise | audit condition:= base | lsm [option] - base: [[func=] [mask=] [fsmagic=] [uid=] [fowner]] + base: [[func=] [mask=] [fsmagic=] [fsuuid=] [uid=] + [fowner]] lsm: [[subj_user=] [subj_role=] [subj_type=] [obj_user=] [obj_role=] [obj_type=]] option: [[appraise_type=]] @@ -27,6 +28,7 @@ Description: base: func:= [BPRM_CHECK][MMAP_CHECK][FILE_CHECK][MODULE_CHECK] mask:= [MAY_READ] [MAY_WRITE] [MAY_APPEND] [MAY_EXEC] fsmagic:= hex value + fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6) uid:= decimal value fowner:=decimal value lsm: are LSM specific diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 4adcd0f8c1dd..23f49e37a957 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -16,6 +16,7 @@ #include #include #include +#include #include "ima.h" @@ -25,6 +26,7 @@ #define IMA_FSMAGIC 0x0004 #define IMA_UID 0x0008 #define IMA_FOWNER 0x0010 +#define IMA_FSUUID 0x0020 #define UNKNOWN 0 #define MEASURE 0x0001 /* same as IMA_MEASURE */ @@ -45,6 +47,7 @@ struct ima_rule_entry { enum ima_hooks func; int mask; unsigned long fsmagic; + u8 fsuuid[16]; kuid_t uid; kuid_t fowner; struct { @@ -172,6 +175,9 @@ static bool ima_match_rules(struct ima_rule_entry *rule, if ((rule->flags & IMA_FSMAGIC) && rule->fsmagic != inode->i_sb->s_magic) return false; + if ((rule->flags & IMA_FSUUID) && + memcmp(rule->fsuuid, inode->i_sb->s_uuid, sizeof(rule->fsuuid))) + return false; if ((rule->flags & IMA_UID) && !uid_eq(rule->uid, cred->uid)) return false; if ((rule->flags & IMA_FOWNER) && !uid_eq(rule->fowner, inode->i_uid)) @@ -346,7 +352,7 @@ enum { Opt_obj_user, Opt_obj_role, Opt_obj_type, Opt_subj_user, Opt_subj_role, Opt_subj_type, Opt_func, Opt_mask, Opt_fsmagic, Opt_uid, Opt_fowner, - Opt_appraise_type + Opt_appraise_type, Opt_fsuuid }; static match_table_t policy_tokens = { @@ -364,6 +370,7 @@ static match_table_t policy_tokens = { {Opt_func, "func=%s"}, {Opt_mask, "mask=%s"}, {Opt_fsmagic, "fsmagic=%s"}, + {Opt_fsuuid, "fsuuid=%s"}, {Opt_uid, "uid=%s"}, {Opt_fowner, "fowner=%s"}, {Opt_appraise_type, "appraise_type=%s"}, @@ -519,6 +526,19 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) if (!result) entry->flags |= IMA_FSMAGIC; break; + case Opt_fsuuid: + ima_log_string(ab, "fsuuid", args[0].from); + + if (memchr_inv(entry->fsuuid, 0x00, + sizeof(entry->fsuuid))) { + result = -EINVAL; + break; + } + + part_pack_uuid(args[0].from, entry->fsuuid); + entry->flags |= IMA_FSUUID; + result = 0; + break; case Opt_uid: ima_log_string(ab, "uid", args[0].from); -- cgit v1.2.3