From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Matthew Garrett <mjg59@google.com>, linux-integrity@vger.kernel.org
Subject: Re: [PATCH 1/6] IMA: Allow EVM validation on appraisal even without a symmetric key
Date: Sat, 30 Sep 2017 22:08:02 -0400 [thread overview]
Message-ID: <1506823682.5691.173.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <20170927221653.11219-2-mjg59@google.com>
On Wed, 2017-09-27 at 15:16 -0700, Matthew Garrett wrote:
> A reasonable configuration is to use IMA to appraise a subset of files
> (based on user, security label or other features supported by IMA) but
> to also want to use EVM to validate not only the state of the IMA hash
> but also additional metadata on the file. Right now this is only
> possible if a symmetric key has been loaded, which may not be desirable
> in all cases (eg, one where EVM digital signatures are shipped to end
> systems rather than EVM HMACs being generated locally).
Commit 26ddabfe96bb "evm: enable EVM when X509 certificate is loaded"
already allows EVM to be enabled without loading a symmetric key.
Mimi
> Add an
> additional "require_evm" keyword to the IMA policy language in order to
> permit the local admin to indicate that they wish EVM validation to
> occur even if no symmetric key has been loaded.
>
> Signed-off-by: Matthew Garrett <mjg59@google.com>
> ---
> Documentation/ABI/testing/ima_policy | 3 ++-
> include/linux/evm.h | 6 ++++--
> security/integrity/evm/evm_main.c | 6 ++++--
> security/integrity/ima/ima_appraise.c | 11 ++++++++++-
> security/integrity/ima/ima_policy.c | 12 +++++++++++-
> security/integrity/integrity.h | 3 ++-
> 6 files changed, 33 insertions(+), 8 deletions(-)
>
> diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
> index 5dc9eed035fb..ea2703c847f6 100644
> --- a/Documentation/ABI/testing/ima_policy
> +++ b/Documentation/ABI/testing/ima_policy
> @@ -23,7 +23,8 @@ Description:
> [euid=] [fowner=]]
> lsm: [[subj_user=] [subj_role=] [subj_type=]
> [obj_user=] [obj_role=] [obj_type=]]
> - option: [[appraise_type=]] [permit_directio]
> + option: [[appraise_type=] [permit_directio]
> + [require_evm]]
>
> base: func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]
> [FIRMWARE_CHECK]
> diff --git a/include/linux/evm.h b/include/linux/evm.h
> index 35ed9a8a403a..7661f3085942 100644
> --- a/include/linux/evm.h
> +++ b/include/linux/evm.h
> @@ -19,7 +19,8 @@ extern enum integrity_status evm_verifyxattr(struct dentry *dentry,
> const char *xattr_name,
> void *xattr_value,
> size_t xattr_value_len,
> - struct integrity_iint_cache *iint);
> + struct integrity_iint_cache *iint,
> + bool force);
> extern int evm_inode_setattr(struct dentry *dentry, struct iattr *attr);
> extern void evm_inode_post_setattr(struct dentry *dentry, int ia_valid);
> extern int evm_inode_setxattr(struct dentry *dentry, const char *name,
> @@ -54,7 +55,8 @@ static inline enum integrity_status evm_verifyxattr(struct dentry *dentry,
> const char *xattr_name,
> void *xattr_value,
> size_t xattr_value_len,
> - struct integrity_iint_cache *iint)
> + struct integrity_iint_cache *iint,
> + bool force)
> {
> return INTEGRITY_UNKNOWN;
> }
> diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
> index 063d38aef64e..44e4f4fda965 100644
> --- a/security/integrity/evm/evm_main.c
> +++ b/security/integrity/evm/evm_main.c
> @@ -223,6 +223,7 @@ static int evm_protected_xattr(const char *req_xattr_name)
> * @xattr_name: requested xattr
> * @xattr_value: requested xattr value
> * @xattr_value_len: requested xattr value length
> + * @force: force verification even if no EVM symmetric key is loaded
> *
> * Calculate the HMAC for the given dentry and verify it against the stored
> * security.evm xattr. For performance, use the xattr value and length
> @@ -236,9 +237,10 @@ static int evm_protected_xattr(const char *req_xattr_name)
> enum integrity_status evm_verifyxattr(struct dentry *dentry,
> const char *xattr_name,
> void *xattr_value, size_t xattr_value_len,
> - struct integrity_iint_cache *iint)
> + struct integrity_iint_cache *iint,
> + bool force)
> {
> - if (!evm_initialized || !evm_protected_xattr(xattr_name))
> + if ((!evm_initialized || !evm_protected_xattr(xattr_name)) && !force)
> return INTEGRITY_UNKNOWN;
>
> if (!iint) {
> diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
> index edb82e722a0d..9df1148f17cc 100644
> --- a/security/integrity/ima/ima_appraise.c
> +++ b/security/integrity/ima/ima_appraise.c
> @@ -217,6 +217,7 @@ int ima_appraise_measurement(enum ima_hooks func,
> struct inode *inode = d_backing_inode(dentry);
> enum integrity_status status = INTEGRITY_UNKNOWN;
> int rc = xattr_len, hash_start = 0;
> + bool evm_force = false;
>
> if (!(inode->i_opflags & IOP_XATTR))
> return INTEGRITY_UNKNOWN;
> @@ -236,7 +237,15 @@ int ima_appraise_measurement(enum ima_hooks func,
> goto out;
> }
>
> - status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, rc, iint);
> + /*
> + * Check if policy specifies that we should perform EVM
> + * validation even in the absence of an EVM symmetric key
> + */
> + if (iint->flags & IMA_EVM_REQUIRED)
> + evm_force = true;
> +
> + status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, rc, iint,
> + evm_force);
> if ((status != INTEGRITY_PASS) && (status != INTEGRITY_UNKNOWN)) {
> if ((status == INTEGRITY_NOLABEL)
> || (status == INTEGRITY_NOXATTRS))
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index a6e14c532627..db4a0c968e00 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -531,7 +531,7 @@ enum {
> Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt,
> Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt,
> Opt_appraise_type, Opt_permit_directio,
> - Opt_pcr
> + Opt_pcr, Opt_require_evm,
> };
>
> static match_table_t policy_tokens = {
> @@ -562,6 +562,7 @@ static match_table_t policy_tokens = {
> {Opt_appraise_type, "appraise_type=%s"},
> {Opt_permit_directio, "permit_directio"},
> {Opt_pcr, "pcr=%s"},
> + {Opt_require_evm, "require_evm"},
> {Opt_err, NULL}
> };
>
> @@ -876,6 +877,13 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
> else
> entry->flags |= IMA_PCR;
>
> + break;
> + case Opt_require_evm:
> + if (entry->action != APPRAISE) {
> + result = -EINVAL;
> + break;
> + }
> + entry->flags |= IMA_EVM_REQUIRED;
> break;
> case Opt_err:
> ima_log_string(ab, "UNKNOWN", p);
> @@ -1142,6 +1150,8 @@ int ima_policy_show(struct seq_file *m, void *v)
> }
> }
> }
> + if (entry->flags & IMA_EVM_REQUIRED)
> + seq_puts(m, "require_evm ");
> if (entry->flags & IMA_DIGSIG_REQUIRED)
> seq_puts(m, "appraise_type=imasig ");
> if (entry->flags & IMA_PERMIT_DIRECTIO)
> diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
> index 45ba0e4501d6..2fa0d7bc55fb 100644
> --- a/security/integrity/integrity.h
> +++ b/security/integrity/integrity.h
> @@ -28,11 +28,12 @@
>
> /* iint cache flags */
> #define IMA_ACTION_FLAGS 0xff000000
> -#define IMA_ACTION_RULE_FLAGS 0x06000000
> +#define IMA_ACTION_RULE_FLAGS 0x16000000
> #define IMA_DIGSIG 0x01000000
> #define IMA_DIGSIG_REQUIRED 0x02000000
> #define IMA_PERMIT_DIRECTIO 0x04000000
> #define IMA_NEW_FILE 0x08000000
> +#define IMA_EVM_REQUIRED 0x10000000
>
> #define IMA_DO_MASK (IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \
> IMA_APPRAISE_SUBMASK)
next prev parent reply other threads:[~2017-10-01 2:08 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-09-27 22:16 RFC: Make it practical to ship EVM signatures Matthew Garrett
2017-09-27 22:16 ` [PATCH 1/6] IMA: Allow EVM validation on appraisal even without a symmetric key Matthew Garrett
2017-10-01 2:08 ` Mimi Zohar [this message]
2017-10-02 17:02 ` Matthew Garrett
2017-10-02 19:41 ` Mimi Zohar
2017-09-27 22:16 ` [PATCH 2/6] EVM: Add infrastructure for making EVM fields optional Matthew Garrett
2017-09-27 22:16 ` [PATCH 3/6] EVM: Allow userland to override the default EVM attributes Matthew Garrett
2017-09-27 22:16 ` [PATCH 4/6] EVM: Add an hmac_ng xattr format Matthew Garrett
2017-09-27 22:16 ` [PATCH 5/6] EVM: Write out HMAC xattrs in the new format Matthew Garrett
2017-09-27 22:16 ` [PATCH 6/6] EVM: Add a new digital signature format Matthew Garrett
2017-09-28 20:12 ` RFC: Make it practical to ship EVM signatures Mimi Zohar
2017-09-28 21:13 ` Matthew Garrett
2017-09-29 0:53 ` Mimi Zohar
2017-09-29 18:09 ` Matthew Garrett
2017-09-29 19:02 ` Mimi Zohar
2017-09-29 19:17 ` Matthew Garrett
2017-09-29 20:01 ` Mimi Zohar
2017-09-29 20:09 ` Matthew Garrett
2017-10-01 2:36 ` Mimi Zohar
2017-10-02 17:09 ` Matthew Garrett
2017-10-02 19:54 ` Mimi Zohar
[not found] ` <CACdnJutYw7Pgh-EwWuwp9Wz+5KzoreZVr+c6UV30zC__8FZSVA@mail.gmail.com>
[not found] ` <1506974574.5691.304.camel@linux.vnet.ibm.com>
2017-10-02 20:07 ` Matthew Garrett
2017-10-09 17:51 ` Mimi Zohar
2017-10-09 17:59 ` Matthew Garrett
2017-10-09 18:15 ` Mimi Zohar
2017-10-09 18:18 ` Matthew Garrett
2017-10-09 18:40 ` Mimi Zohar
[not found] ` <20171009232314.545de76a@totoro>
[not found] ` <1507583449.3748.46.camel@linux.vnet.ibm.com>
[not found] ` <20171010003326.6409ae23@totoro>
2017-10-09 21:40 ` Mimi Zohar
2017-10-09 23:10 ` Mikhail Kurinnoi
2017-10-10 19:07 ` Mimi Zohar
2017-10-12 23:09 ` Dmitry Kasatkin
2017-10-18 19:48 ` Dmitry Kasatkin
2017-10-18 20:30 ` Mimi Zohar
2017-10-18 20:37 ` Dmitry Kasatkin
2017-10-18 21:02 ` Mikhail Kurinnoi
2017-10-18 21:07 ` Mimi Zohar
2017-10-19 10:14 ` Dmitry Kasatkin
2017-10-19 11:43 ` Mimi Zohar
2017-10-19 17:08 ` Matthew Garrett
2017-10-19 18:38 ` Dmitry Kasatkin
2017-10-19 10:36 ` Dmitry Kasatkin
2017-10-19 11:45 ` Mimi Zohar
2017-10-02 14:53 ` Roberto Sassu
2017-10-02 8:55 ` Roberto Sassu
-- strict thread matches above, loose matches on Subject: below --
2017-10-19 16:12 [PATCH 1/6] IMA: Allow EVM validation on appraisal even without a symmetric key Dmitry Kasatkin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1506823682.5691.173.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=linux-integrity@vger.kernel.org \
--cc=mjg59@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).