Re: [PATCH] integrity: Always reference the blacklist keyring with apprasial

[Mimi Zohar <zohar@linux.ibm.com>]

Hi Eric,

On Fri, 2023-06-30 at 12:57 -0400, Eric Snowberg wrote:
> Commit 273df864cf746 ("ima: Check against blacklisted hashes for files with
> modsig") introduced an appraise_flag option for referencing the blacklist
> keyring.  Any matching binary found on this keyring fails signature
> validation. This flag only works with module appended signatures.

Prior to the above change, keys could be revoked.  Finer granularity
was added based on file hash to block loading a specific kexec kernel
image on powerpc.

My concern back then with making this generic was scalability and
performance.

> An important part of a PKI infrastructure is to have the ability to do
> revocation at a later time should a vulnerability be found.  Expand the
> revocation flag usage to all appraisal functions. The flag is now
> enabled by default. Setting the flag with an IMA policy has been
> deprecated. Without a revocation capability like this in place, only
> authenticity can be maintained. With this change, integrity can now be
> achieved with digital signature based IMA appraisal.
> 
> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>

Agreed, support for finer revocaton granularity based on file hash is
needed.

> ---
>  Documentation/ABI/testing/ima_policy  |  6 +++---
>  security/integrity/ima/ima_appraise.c | 12 +++++++-----
>  security/integrity/ima/ima_policy.c   | 10 +++++-----
>  3 files changed, 15 insertions(+), 13 deletions(-)
> 
> diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
> index 49db0ff288e5..a712c396f6e9 100644
> --- a/Documentation/ABI/testing/ima_policy
> +++ b/Documentation/ABI/testing/ima_policy
> @@ -57,9 +57,9 @@ Description:
>  				stored in security.ima xattr. Requires
>  				specifying "digest_type=verity" first.)
>  
> -			appraise_flag:= [check_blacklist]
> -			Currently, blacklist check is only for files signed with appended
> -			signature.
> +			appraise_flag:= [check_blacklist] (deprecated)
> +			Setting the check_blacklist flag is no longer necessary.
> +			All apprasial functions set it by default.
>  			digest_type:= verity
>  			    Require fs-verity's file digest instead of the
>  			    regular IMA file hash.
> diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
> index 491c1aca0b1c..870dde67707b 100644
> --- a/security/integrity/ima/ima_appraise.c
> +++ b/security/integrity/ima/ima_appraise.c
> @@ -458,11 +458,13 @@ int ima_check_blacklist(struct integrity_iint_cache *iint,
>  		ima_get_modsig_digest(modsig, &hash_algo, &digest, &digestsize);
>  
>  		rc = is_binary_blacklisted(digest, digestsize);
> -		if ((rc == -EPERM) && (iint->flags & IMA_MEASURE))
> -			process_buffer_measurement(&nop_mnt_idmap, NULL, digest, digestsize,
> -						   "blacklisted-hash", NONE,
> -						   pcr, NULL, false, NULL, 0);
> -	}
> +	} else if (iint->flags & IMA_DIGSIG_REQUIRED && iint->ima_hash)
> +		rc = is_binary_blacklisted(iint->ima_hash->digest, iint->ima_hash->length);
> +
> +	if ((rc == -EPERM) && (iint->flags & IMA_MEASURE))
> +		process_buffer_measurement(&nop_mnt_idmap, NULL, digest, digestsize,
> +					   "blacklisted-hash", NONE,
> +					   pcr, NULL, false, NULL, 0);
>  
>  	return rc;
>  }
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 3ca8b7348c2e..71e270141101 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -1279,7 +1279,7 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
>  				     IMA_FSNAME | IMA_GID | IMA_EGID |
>  				     IMA_FGROUP | IMA_DIGSIG_REQUIRED |
>  				     IMA_PERMIT_DIRECTIO | IMA_VALIDATE_ALGOS |
> -				     IMA_VERITY_REQUIRED))
> +				     IMA_CHECK_BLACKLIST | IMA_VERITY_REQUIRED))
>  			return false;
>  
>  		break;
> @@ -1354,7 +1354,7 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
>  
>  	/* Ensure that combinations of flags are compatible with each other */
>  	if (entry->flags & IMA_CHECK_BLACKLIST &&
> -	    !(entry->flags & IMA_MODSIG_ALLOWED))
> +	    !(entry->flags & IMA_DIGSIG_REQUIRED))
>  		return false;
>  
>  	/*
> @@ -1802,11 +1802,11 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
>  				if (entry->flags & IMA_VERITY_REQUIRED)
>  					result = -EINVAL;
>  				else
> -					entry->flags |= IMA_DIGSIG_REQUIRED;
> +					entry->flags |= IMA_DIGSIG_REQUIRED | IMA_CHECK_BLACKLIST;
>  			} else if (strcmp(args[0].from, "sigv3") == 0) {
>  				/* Only fsverity supports sigv3 for now */
>  				if (entry->flags & IMA_VERITY_REQUIRED)
> -					entry->flags |= IMA_DIGSIG_REQUIRED;
> +					entry->flags |= IMA_DIGSIG_REQUIRED | IMA_CHECK_BLACKLIST;
>  				else
>  					result = -EINVAL;
>  			} else if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) &&
> @@ -1815,7 +1815,7 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
>  					result = -EINVAL;
>  				else
>  					entry->flags |= IMA_DIGSIG_REQUIRED |
> -						IMA_MODSIG_ALLOWED;
> +						IMA_MODSIG_ALLOWED | IMA_CHECK_BLACKLIST;
>  			} else {
>  				result = -EINVAL;
>  			}

Please update the "case Opt_appraise_flag:" and remove "appraise_flag="
in the powerpc arch specific policy rules.

-- 
thanks,

Mimi