From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Dongsu Park <dongsu@kinvolk.io>, linux-kernel@vger.kernel.org
Cc: Alban Crequy <alban@kinvolk.io>,
Miklos Szeredi <miklos@szeredi.hu>,
Seth Forshee <seth.forshee@canonical.com>,
linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH 2/2] ima: turn on force option for FUSE in builtin policies
Date: Fri, 12 Jan 2018 10:33:10 -0500 [thread overview]
Message-ID: <1515771190.3420.144.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <7a89ce9a7b8264f83fa5d61e146c01571017cca0.1515682581.git.dongsu@kinvolk.io>
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index fddef8f8..8de40d85 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -127,6 +127,7 @@ static struct ima_rule_entry default_measurement_rules[] __ro_after_init = {
> {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC},
> {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
> {.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC},
> + {.action = MEASURE, .fsmagic = FUSE_SUPER_MAGIC, .flags = IMA_FSMAGIC | IMA_FORCE},
> };
Depending on the ordering of the policies and the number of "actions",
this works. It also matches all hooks, not only those in the
default_measurement_rule policy.
Although the rules are walked sequentially, there is an optimization
in ima_match_rules(), which ends walking the list early, as soon as
the last "action" rule is matched. Look at "actmask".
> static struct ima_rule_entry default_appraise_rules[] __ro_after_init = {
> @@ -154,6 +155,7 @@ static struct ima_rule_entry default_appraise_rules[] __ro_after_init = {
> {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq,
> .flags = IMA_FOWNER | IMA_DIGSIG_REQUIRED},
> #endif
> + {.action = APPRAISE, .fsmagic = FUSE_SUPER_MAGIC, .flags = IMA_FSMAGIC | IMA_FORCE},
> };
>
> static struct ima_rule_entry secure_boot_rules[] __ro_after_init = {
This rule applies to the secure-boot rules as well. (How likely is it
to load a kernel module, kexec from a fuse filsystem?) However, after
replacing the builtin policies with a custom policy, the custom policy
might not contain the requirement to re-appraise fuse files.
With the "lockdown" patches, booting with secure-boot enabled, and
after loading a custom policy, the "secure-boot" rules are still
enabled. But now if the custom policy does not require fuse files to
be re-appraised, the secure boot rules will not require fuse files to
be re-appraised either.
This patch is simple and straight forward. It would be nice if it
worked in all cases. Unfortunately, there are a number of situations,
as described, that will not work.
Mimi
next prev parent reply other threads:[~2018-01-12 15:33 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <cover.1515682581.git.dongsu@kinvolk.io>
2018-01-11 19:51 ` [PATCH 1/2] fs/fuse: move SUPER_MAGIC definitions to linux/magic.h Dongsu Park
2018-01-11 19:51 ` [PATCH 2/2] ima: turn on force option for FUSE in builtin policies Dongsu Park
2018-01-12 15:33 ` Mimi Zohar [this message]
2018-01-14 19:09 ` kbuild test robot
2018-01-16 10:47 ` Dongsu Park
[not found] ` <20180115144804.GA28856@infradead.org>
2018-01-15 16:32 ` [PATCH 0/2] " Mimi Zohar
2018-01-15 17:18 ` Christoph Hellwig
2018-01-15 21:00 ` Mimi Zohar
2018-01-16 10:41 ` [PATCH] ima,fuse: introduce new fs flag FS_NO_IMA_CACHE Alban Crequy
2018-01-16 11:26 ` Alban Crequy
2018-01-16 11:35 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1515771190.3420.144.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=alban@kinvolk.io \
--cc=dongsu@kinvolk.io \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=seth.forshee@canonical.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox