From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: linux-security-module@vger.kernel.org
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>,
linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
Al Viro <viro@ZenIV.linux.org.uk>,
David Safford <safford@linux.vnet.ibm.com>,
Dmitry Kasatkin <dmitry.kasatkin@intel.com>
Subject: [PATCH v3 00/12] ima: appraisal extension
Date: Wed, 21 Mar 2012 14:54:05 -0400
Message-ID: <1332356057-3356-1-git-send-email-zohar@linux.vnet.ibm.com>

IMA currently maintains an integrity measurement list used to assert the
integrity of the running system to a third party. The IMA-appraisal
extension adds local integrity validation and enforcement of the
measurement against a "good" value stored as an extended attribute
'security.ima'. The initial methods for validating 'security.ima' are
hash based, which provides file data integrity, and digital signature
based, which in addition to providing file data integrity, provides
authenticity.

New hooks:
ima_inode_setxattr(), ima_inode_removexattr(), ima_inode_post_setattr(),
and ima_defer_fput()

IMA-appraisal extends the measurement policy ABI with two new keywords:
appraise/dont_appraise and adds a new boot parameter 'ima_appraise_tcb'
to appraise all files owned by root. Like the ima_tcb measurement policy,
the ima_appraise_tcb policy does not appraise pseudo filesystem files
(eg. debugfs, tmpfs, securityfs, selinuxfs or ramfs.)
Additional rules can be added to the default IMA measurement/appraisal
policy, which take advantage of the SELinux labels, for a more fine
grained policy.

Locking changes:
The ima-appraisal extension maintains the file integrity measurement as
an extended attribute 'security.ima'. ima_file_free(), called on __fput(),
updates 'security.ima' to reflect any changes made to the file. In fix
mode, process_measurement() writes 'security.ima' to reflect the current
file hash. Writing extended attributes and other file metadata (eg. chmod),
requires taking the i_mutex. Both ima_file_free() and process_measurement()
took the iint->mutex and then the i_mutex, while chmod() took the locks in
reverse order. To resolve the potential lock inversion deadlock, the
redundant iint->mutex was eliminated.

Writing 'security.ima' from __fput() caused an mmap_sem/i_mutex lockdep,
when an mmapped file was closed before it was munmapped. To resolve this
lockdep, ima_defer_fput() defers the __fput, by incrementing the f_count
and creating/adding it to the workqueue.

Prereqs:
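As an added illustration of the appraisal decision and the fix-mode write-back described above (this is a userspace model written for this page, not code from the patch set), the following assumes a 'security.ima' layout of one type byte followed by the payload, with 0x01 for a raw hash and 0x03 for a signature, and SHA-1 as the file hash; all three are assumptions, not quoted from the patches.

```python
import hashlib
import hmac
import os

IMA_XATTR_DIGEST = 0x01      # assumed tag: payload is the raw file hash
EVM_IMA_XATTR_DIGSIG = 0x03  # assumed tag: payload is a digital signature


def file_hash(data: bytes) -> bytes:
    # SHA-1 as the file hash is an assumption about the IMA default of the time.
    return hashlib.sha1(data).digest()


def make_security_ima(data: bytes) -> bytes:
    # The value fix mode (or ima_file_free() on a modified file) would store.
    return bytes([IMA_XATTR_DIGEST]) + file_hash(data)


def appraise(data, xattr, mode="enforce", fs_supports_xattr=True):
    """Return (verdict, write_back): verdict is "pass" or "fail"; write_back is
    the security.ima value that fix mode would write, else None."""
    if not fs_supports_xattr:
        # v3 changelog: filesystems without xattr support now fail appraisal.
        return ("fail", None)
    if mode == "fix":
        # Fix mode labels the file with its current hash instead of rejecting it.
        return ("pass", make_security_ima(data))
    if not xattr:
        return ("fail", None)  # unlabeled file: nothing to validate against
    tag, payload = xattr[0], xattr[1:]
    if tag == IMA_XATTR_DIGEST:
        # Constant-time compare: the mismatch position is not timing-observable.
        ok = hmac.compare_digest(payload, file_hash(data))
        return ("pass" if ok else "fail", None)
    if tag == EVM_IMA_XATTR_DIGSIG:
        # Signature type: verifying it needs key material this model lacks,
        # so it is treated as unverified here.
        return ("fail", None)
    return ("fail", None)  # unknown type byte


def appraise_path(path, mode="enforce"):
    """Appraise a real file on Linux; a missing or unreadable xattr counts
    as an unlabeled file."""
    with open(path, "rb") as f:
        data = f.read()
    try:
        xattr = os.getxattr(path, "security.ima")
    except OSError:
        xattr = None
    return appraise(data, xattr, mode)
```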
vfs: fix IMA lockdep circular locking dependency
vfs: iversion truncate bug fix

Changelog v3:
- defined the boot command line parameter 'ima_appraise_tcb' to permit
measuring without appraising, and appraising without measuring.
- use slab mempool to defer __fput() work
- change appraisal default for filesystems without xattr support to fail

Changelog v2:
- Split the "ima: allocating iint improvements" patch, making the
spinlock to rwlock/read_lock change into a separate patch.
- Removed the "vfs: Correctly set the dir i_mutex lockdep class" dependency.
- New: "ima: delay calling __fput()"
- Minor changes listed in individual patch descriptions

Changelog v1:
- Initial posting of the IMA-appraisal patches, separately from EVM.

Mimi

Dmitry Kasatkin (3):
ima: free securityfs violations file
ima: allocating iint improvements
ima: digital signature verification support

Mimi Zohar (9):
vfs: extend vfs_removexattr locking
vfs: move ima_file_free before releasing the file
ima: integrity appraisal extension
ima: add appraise action keywords and default rules
ima: replace iint spinlock with rwlock/read_lock
ima: add inode_post_setattr call
ima: add ima_inode_setxattr/removexattr function and calls
ima: defer calling __fput()
ima: add support for different security.ima data types

Documentation/ABI/testing/ima_policy | 25 ++-
Documentation/kernel-parameters.txt | 8 +
fs/attr.c | 2 +
fs/file_table.c | 2 +-
fs/xattr.c | 6 +-
include/linux/ima.h | 32 +++
include/linux/integrity.h | 7 +-
include/linux/xattr.h | 3 +
mm/mmap.c | 1 +
security/integrity/evm/evm_main.c | 3 +
security/integrity/iint.c | 64 +++----
security/integrity/ima/Kconfig | 15 ++
security/integrity/ima/Makefile | 2 +
security/integrity/ima/ima.h | 37 ++++-
security/integrity/ima/ima_api.c | 56 ++++--
security/integrity/ima/ima_appraise.c | 347 +++++++++++++++++++++++++++++++++
security/integrity/ima/ima_crypto.c | 8 +-
security/integrity/ima/ima_fs.c | 1 +
security/integrity/ima/ima_main.c | 89 ++++++---
security/integrity/ima/ima_policy.c | 181 +++++++++++++-----
security/integrity/integrity.h | 11 +-
security/security.c | 6 +
22 files changed, 757 insertions(+), 149 deletions(-)
create mode 100644 security/integrity/ima/ima_appraise.c
--
1.7.6.5