[meta-security][PATCH 08/14] ima-policy-hashed: add new recipe

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Armin Kuster <akuster808@gmail.com>
To: yocto@yoctoproject.org
Subject: [meta-security][PATCH 08/14] ima-policy-hashed: add new recipe
Date: Sun, 26 May 2019 21:56:35 -0700	[thread overview]
Message-ID: <20190527045641.18884-9-akuster808@gmail.com> (raw)
In-Reply-To: <20190527045641.18884-1-akuster808@gmail.com>

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../ima_policy_hashed/files/ima_policy_hashed | 77 +++++++++++++++++++
 .../ima-policy-hashed_1.0.bb                  | 20 +++++
 2 files changed, 97 insertions(+)
 create mode 100644 meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed
 create mode 100644 meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb

diff --git a/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed b/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed
new file mode 100644
index 0000000..7f89c8d
--- /dev/null
+++ b/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed
@@ -0,0 +1,77 @@
+# With this policy, all files on regular partitions are
+# appraised. Files with signed IMA hash and normal hash are
+# accepted. Signed files cannot be modified while hashed files can be
+# (which will also update the hash). However, signed files can
+# be deleted, so in practice it is still possible to replace them
+# with a modified version.
+#
+# Without EVM, this is obviously not very secure, so this policy is
+# just an example and/or basis for further improvements. For that
+# purpose, some comments show what could be added to make the policy
+# more secure.
+#
+# With EVM the situation might be different because access
+# to the EVM key can be restricted.
+#
+# Files which are appraised are also measured. This allows
+# debugging whether a file is in policy by looking at
+# /sys/kernel/security/ima/ascii_runtime_measurements
+
+# PROC_SUPER_MAGIC
+dont_appraise fsmagic=0x9fa0
+dont_measure fsmagic=0x9fa0
+# SYSFS_MAGIC
+dont_appraise fsmagic=0x62656572
+dont_measure fsmagic=0x62656572
+# DEBUGFS_MAGIC
+dont_appraise fsmagic=0x64626720
+dont_measure fsmagic=0x64626720
+# TMPFS_MAGIC
+dont_appraise fsmagic=0x01021994
+dont_measure fsmagic=0x01021994
+# RAMFS_MAGIC
+dont_appraise fsmagic=0x858458f6
+dont_measure fsmagic=0x858458f6
+# DEVPTS_SUPER_MAGIC
+dont_appraise fsmagic=0x1cd1
+dont_measure fsmagic=0x1cd1
+# BIFMT
+dont_appraise fsmagic=0x42494e4d
+dont_measure fsmagic=0x42494e4d
+# SECURITYFS_MAGIC
+dont_appraise fsmagic=0x73636673
+dont_measure fsmagic=0x73636673
+# SELINUXFS_MAGIC
+dont_appraise fsmagic=0xf97cff8c
+dont_measure fsmagic=0xf97cff8c
+# NSFS_MAGIC (introduced in 3.19, see cd025f7 and e149ed2 in the upstream Linux kernel)
+dont_appraise fsmagic=0x6e736673
+dont_measure fsmagic=0x6e736673
+# SMACK_MAGIC
+dont_appraise fsmagic=0x43415d53
+dont_measure fsmagic=0x43415d53
+# CGROUP_SUPER_MAGIC
+dont_appraise fsmagic=0x27e0eb
+dont_measure fsmagic=0x27e0eb
+# EFIVARFS_MAGIC
+dont_appraise fsmagic=0xde5e81e4
+dont_measure fsmagic=0xde5e81e4
+
+# Special partition, no checking done.
+# dont_measure  fsuuid=a11234...
+# dont_appraise fsuuid=a11243...
+
+# Special immutable group.
+# appraise appraise_type=imasig func=FILE_CHECK mask=MAY_READ fgroup=200
+
+# All executables must be signed - too strict, we need to
+# allow installing executables on the device.
+# appraise appraise_type=imasig func=FILE_MMAP mask=MAY_EXEC
+# appraise appraise_type=imasig func=BPRM_CHECK mask=MAY_EXEC
+
+# Default rule. Would be needed also when other rules were added that
+# determine what to do in case of reading (mask=MAY_READ or
+# mask=MAY_EXEC) because otherwise writing does not update the file
+# hash.
+appraise
+measure
diff --git a/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb b/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb
new file mode 100644
index 0000000..3352daa
--- /dev/null
+++ b/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb
@@ -0,0 +1,20 @@
+SUMMARY = "IMA sample hash policy"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+# This policy file will get installed as /etc/ima/ima-policy.
+# It is located via the normal file search path, so a .bbappend
+# to this recipe can just point towards one of its own files.
+IMA_POLICY ?= "ima_policy_hashed"
+
+SRC_URI = " \
+    file://${IMA_POLICY} \
+"
+
+do_install () {
+    install -d ${D}/${sysconfdir}/ima
+    install ${WORKDIR}/${IMA_POLICY}  ${D}/${sysconfdir}/ima/ima-policy
+}
+
+FILES_${PN} = "${sysconfdir}/ima"
+RDEPENDS_${PN} = "ima-evm-utils"
-- 
2.17.1

next prev parent reply	other threads:[~2019-05-27  4:56 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-05-27  4:56 [meta-security][PATCH 00/14] Port over meta-integrity Armin Kuster
2019-05-27  4:56 ` [meta-security][PATCH 01/14] meta-integrity: port over from meta-intel-iot-security Armin Kuster
2019-05-27  4:56 ` [meta-security][PATCH 02/14] layer.conf: add LAYERSERIES_COMPAT Armin Kuster
2019-05-27  4:56 ` [meta-security][PATCH 03/14] README: update Armin Kuster
2019-05-27  4:56 ` [meta-security][PATCH 04/14] ima-evm-utils: cleanup and update to tip Armin Kuster
2019-05-27  4:56 ` [meta-security][PATCH 05/14] ima.cfg: update to 5.0 kernel Armin Kuster
2019-05-27  4:56 ` [meta-security][PATCH 06/14] linux: update bbappend Armin Kuster
2019-05-27  4:56 ` [meta-security][PATCH 07/14] base-files: add appending to automount securityfs Armin Kuster
2019-05-27  4:56 ` Armin Kuster [this message]
2019-05-27  4:56 ` [meta-security][PATCH 09/14] ima_policy_simple: add another sample policy Armin Kuster
2019-05-27  4:56 ` [meta-security][PATCH 10/14] policy: add ima appraise all policy Armin Kuster
2019-05-27  4:56 ` [meta-security][PATCH 11/14] data: remove policies Armin Kuster
2019-05-27  4:56 ` [meta-security][PATCH 12/14] initramfs: clean up to pull in packages Armin Kuster
2019-05-27  4:56 ` [meta-security][PATCH 13/14] runtime qa: moderize ima test Armin Kuster
2019-05-27  4:56 ` [meta-security][PATCH 14/14] image: add image for testing Armin Kuster

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:7f89c8d dfblob:3352daa )
 OR (
bs:"[meta-security][PATCH 08/14] ima-policy-hashed: add new recipe" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190527045641.18884-9-akuster808@gmail.com \
    --to=akuster808@gmail.com \
    --cc=yocto@yoctoproject.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.