From: Mimi Zohar <zohar@linux.ibm.com>
To: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
dhowells@redhat.com, matthewgarrett@google.com,
sashal@kernel.org, jamorris@linux.microsoft.com,
linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org, keyrings@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v6 1/3] IMA: Add KEY_CHECK func to measure keys
Date: Wed, 13 Nov 2019 20:14:26 +0000 [thread overview]
Message-ID: <1573676066.4843.18.camel@linux.ibm.com> (raw)
In-Reply-To: <20191113184658.2862-2-nramas@linux.microsoft.com>
On Wed, 2019-11-13 at 10:46 -0800, Lakshmi Ramasubramanian wrote:
> Measure keys loaded onto any keyring.
>
> This patch defines a new IMA policy func namely KEY_CHECK to
> measure keys. Updated ima_match_rules() to check for KEY_CHECK
> and ima_parse_rule() to handle KEY_CHECK.
>
> Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
> ---
> Documentation/ABI/testing/ima_policy | 6 +++++-
> security/integrity/ima/ima.h | 1 +
> security/integrity/ima/ima_main.c | 7 +++++++
> security/integrity/ima/ima_policy.c | 4 +++-
> 4 files changed, 16 insertions(+), 2 deletions(-)
>
> diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
> index 29aaedf33246..066d32797500 100644
> --- a/Documentation/ABI/testing/ima_policy
> +++ b/Documentation/ABI/testing/ima_policy
> @@ -29,7 +29,7 @@ Description:
> base: func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]
> [FIRMWARE_CHECK]
> [KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
> - [KEXEC_CMDLINE]
> + [KEXEC_CMDLINE] [KEY_CHECK]
> mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
> [[^]MAY_EXEC]
> fsmagic:= hex value
> @@ -113,3 +113,7 @@ Description:
> Example of appraise rule allowing modsig appended signatures:
>
> appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig
> +
> + Example of measure rule using KEY_CHECK to measure all keys:
> +
> + measure func=KEY_CHECK
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index df4ca482fb53..fe6c698617bd 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -193,6 +193,7 @@ static inline unsigned long ima_hash_key(u8 *digest)
> hook(KEXEC_INITRAMFS_CHECK) \
> hook(POLICY_CHECK) \
> hook(KEXEC_CMDLINE) \
> + hook(KEY_CHECK) \
> hook(MAX_CHECK)
> #define __ima_hook_enumify(ENUM) ENUM,
>
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index d7e987baf127..12684e8d7124 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -655,6 +655,13 @@ void process_buffer_measurement(const void *buf, int size,
> int action = 0;
> u32 secid;
>
> + /*
> + * If IMA is not yet initialized or IMA policy is empty
> + * then there is no need to measure.
> + */
> + if (!ima_policy_flag)
> + return;
> +
This addition has nothing to do with defining a new IMA hook and
should be a separate patch.  This can be posted independently of this
patch set.
Mimi
> /*
> * Both LSM hooks and auxilary based buffer measurements are
> * based on policy. To avoid code duplication, differentiate
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index f19a895ad7cd..1525a28fd705 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -373,7 +373,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
> {
> int i;
>
> - if (func = KEXEC_CMDLINE) {
> + if ((func = KEXEC_CMDLINE) || (func = KEY_CHECK)) {
> if ((rule->flags & IMA_FUNC) && (rule->func = func))
> return true;
> return false;
> @@ -997,6 +997,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
> entry->func = POLICY_CHECK;
> else if (strcmp(args[0].from, "KEXEC_CMDLINE") = 0)
> entry->func = KEXEC_CMDLINE;
> + else if (strcmp(args[0].from, "KEY_CHECK") = 0)
> + entry->func = KEY_CHECK;
> else
> result = -EINVAL;
> if (!result)
WARNING: multiple messages have this Message-ID (diff)
From: Mimi Zohar <zohar@linux.ibm.com>
To: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
dhowells@redhat.com, matthewgarrett@google.com,
sashal@kernel.org, jamorris@linux.microsoft.com,
linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org, keyrings@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v6 1/3] IMA: Add KEY_CHECK func to measure keys
Date: Wed, 13 Nov 2019 15:14:26 -0500 [thread overview]
Message-ID: <1573676066.4843.18.camel@linux.ibm.com> (raw)
In-Reply-To: <20191113184658.2862-2-nramas@linux.microsoft.com>
On Wed, 2019-11-13 at 10:46 -0800, Lakshmi Ramasubramanian wrote:
> Measure keys loaded onto any keyring.
>
> This patch defines a new IMA policy func namely KEY_CHECK to
> measure keys. Updated ima_match_rules() to check for KEY_CHECK
> and ima_parse_rule() to handle KEY_CHECK.
>
> Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
> ---
> Documentation/ABI/testing/ima_policy | 6 +++++-
> security/integrity/ima/ima.h | 1 +
> security/integrity/ima/ima_main.c | 7 +++++++
> security/integrity/ima/ima_policy.c | 4 +++-
> 4 files changed, 16 insertions(+), 2 deletions(-)
>
> diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
> index 29aaedf33246..066d32797500 100644
> --- a/Documentation/ABI/testing/ima_policy
> +++ b/Documentation/ABI/testing/ima_policy
> @@ -29,7 +29,7 @@ Description:
> base: func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]
> [FIRMWARE_CHECK]
> [KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
> - [KEXEC_CMDLINE]
> + [KEXEC_CMDLINE] [KEY_CHECK]
> mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
> [[^]MAY_EXEC]
> fsmagic:= hex value
> @@ -113,3 +113,7 @@ Description:
> Example of appraise rule allowing modsig appended signatures:
>
> appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig
> +
> + Example of measure rule using KEY_CHECK to measure all keys:
> +
> + measure func=KEY_CHECK
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index df4ca482fb53..fe6c698617bd 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -193,6 +193,7 @@ static inline unsigned long ima_hash_key(u8 *digest)
> hook(KEXEC_INITRAMFS_CHECK) \
> hook(POLICY_CHECK) \
> hook(KEXEC_CMDLINE) \
> + hook(KEY_CHECK) \
> hook(MAX_CHECK)
> #define __ima_hook_enumify(ENUM) ENUM,
>
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index d7e987baf127..12684e8d7124 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -655,6 +655,13 @@ void process_buffer_measurement(const void *buf, int size,
> int action = 0;
> u32 secid;
>
> + /*
> + * If IMA is not yet initialized or IMA policy is empty
> + * then there is no need to measure.
> + */
> + if (!ima_policy_flag)
> + return;
> +
This addition has nothing to do with defining a new IMA hook and
should be a separate patch. This can be posted independently of this
patch set.
Mimi
> /*
> * Both LSM hooks and auxilary based buffer measurements are
> * based on policy. To avoid code duplication, differentiate
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index f19a895ad7cd..1525a28fd705 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -373,7 +373,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
> {
> int i;
>
> - if (func == KEXEC_CMDLINE) {
> + if ((func == KEXEC_CMDLINE) || (func == KEY_CHECK)) {
> if ((rule->flags & IMA_FUNC) && (rule->func == func))
> return true;
> return false;
> @@ -997,6 +997,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
> entry->func = POLICY_CHECK;
> else if (strcmp(args[0].from, "KEXEC_CMDLINE") == 0)
> entry->func = KEXEC_CMDLINE;
> + else if (strcmp(args[0].from, "KEY_CHECK") == 0)
> + entry->func = KEY_CHECK;
> else
> result = -EINVAL;
> if (!result)
next prev parent reply other threads:[~2019-11-13 20:14 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-13 18:46 [PATCH v6 0/3] KEYS: Measure keys when they are created or updated Lakshmi Ramasubramanian
2019-11-13 18:46 ` Lakshmi Ramasubramanian
2019-11-13 18:46 ` [PATCH v6 1/3] IMA: Add KEY_CHECK func to measure keys Lakshmi Ramasubramanian
2019-11-13 18:46 ` Lakshmi Ramasubramanian
2019-11-13 20:14 ` Mimi Zohar [this message]
2019-11-13 20:14 ` Mimi Zohar
2019-11-13 20:21 ` Lakshmi Ramasubramanian
2019-11-13 20:21 ` Lakshmi Ramasubramanian
2019-11-13 20:24 ` Mimi Zohar
2019-11-13 20:24 ` Mimi Zohar
2019-11-13 18:46 ` [PATCH v6 2/3] IMA: Define an IMA hook " Lakshmi Ramasubramanian
2019-11-13 18:46 ` Lakshmi Ramasubramanian
2019-11-13 20:09 ` Mimi Zohar
2019-11-13 20:09 ` Mimi Zohar
2019-11-13 20:52 ` Lakshmi Ramasubramanian
2019-11-13 20:52 ` Lakshmi Ramasubramanian
2019-11-13 21:18 ` Mimi Zohar
2019-11-13 21:18 ` Mimi Zohar
2019-11-13 22:01 ` Lakshmi Ramasubramanian
2019-11-13 22:01 ` Lakshmi Ramasubramanian
2019-11-13 18:46 ` [PATCH v6 3/3] KEYS: Call the " Lakshmi Ramasubramanian
2019-11-13 18:46 ` Lakshmi Ramasubramanian
2019-11-13 20:09 ` Mimi Zohar
2019-11-13 20:09 ` Mimi Zohar
2019-11-13 22:02 ` [PATCH v6 0/3] KEYS: Measure keys when they are created or updated Mimi Zohar
2019-11-13 22:02 ` Mimi Zohar
2019-11-13 22:04 ` Lakshmi Ramasubramanian
2019-11-13 22:04 ` Lakshmi Ramasubramanian
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1573676066.4843.18.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=dhowells@redhat.com \
--cc=jamorris@linux.microsoft.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=matthewgarrett@google.com \
--cc=nramas@linux.microsoft.com \
--cc=sashal@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.