From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: Re: [PATCH 2/2] ima: turn on force option for FUSE in builtin policies
From: Mimi Zohar
To: Dongsu Park, linux-kernel@vger.kernel.org
Cc: Alban Crequy, Miklos Szeredi, Seth Forshee, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Date: Fri, 12 Jan 2018 10:33:10 -0500
In-Reply-To: <7a89ce9a7b8264f83fa5d61e146c01571017cca0.1515682581.git.dongsu@kinvolk.io>
References: <7a89ce9a7b8264f83fa5d61e146c01571017cca0.1515682581.git.dongsu@kinvolk.io>
Message-Id: <1515771190.3420.144.camel@linux.vnet.ibm.com>
X-Mailing-List: linux-kernel@vger.kernel.org

> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index fddef8f8..8de40d85 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -127,6 +127,7 @@ static struct ima_rule_entry default_measurement_rules[] __ro_after_init = {
> {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC},
> {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
> {.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC},
> + {.action = MEASURE, .fsmagic = FUSE_SUPER_MAGIC, .flags = IMA_FSMAGIC | IMA_FORCE},
> };

Depending on the ordering of the policies and the number of "actions", this works.  It also matches all hooks, not only those in the default_measurement_rule policy.

Although the rules are walked sequentially, there is an optimization in ima_match_rules(), which ends walking the list early, as soon as the last "action" rule is matched.  Look at "actmask".

> static struct ima_rule_entry default_appraise_rules[] __ro_after_init = {
> @@ -154,6 +155,7 @@ static struct ima_rule_entry default_appraise_rules[] __ro_after_init = {
> {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .fowner_op = &uid_eq,
> .flags = IMA_FOWNER | IMA_DIGSIG_REQUIRED},
> #endif
> + {.action = APPRAISE, .fsmagic = FUSE_SUPER_MAGIC, .flags = IMA_FSMAGIC | IMA_FORCE},
> };
>
> static struct ima_rule_entry secure_boot_rules[] __ro_after_init = {

This rule applies to the secure-boot rules as well.  (How likely is it to load a kernel module, kexec from a fuse filesystem?)  However, after replacing the builtin policies with a custom policy, the custom policy might not contain the requirement to re-appraise fuse files.

With the "lockdown" patches, booting with secure-boot enabled, and after loading a custom policy, the "secure-boot" rules are still enabled.  But now if the custom policy does not require fuse files to be re-appraised, the secure boot rules will not require fuse files to be re-appraised either.

This patch is simple and straightforward.  It would be nice if it worked in all cases.  Unfortunately, there are a number of situations, as described, that will not work.

Mimi
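Review bot: the MEASURE rule appended at the end of default_measurement_rules[] has no .func, so unlike the three IMA_FUNC rules above it, it is selected on fsmagic alone and applies to every hook; together with the early exit the reply describes (the walk stops once every action in actmask has been satisfied), a FUSE file that already matched an earlier MEASURE rule never reaches this entry and so never picks up IMA_FORCE. Either move the FUSE entry ahead of the rules it is meant to override, or attach IMA_FORCE to those existing rules, and state in the patch description which of the two behaviours is intended.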
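Review bot: the APPRAISE rule added after the #endif in default_appraise_rules[] is unconditional: the preceding entry is restricted by .fowner = GLOBAL_ROOT_UID and IMA_DIGSIG_REQUIRED, whereas the new one carries only IMA_FSMAGIC | IMA_FORCE, so any file on a FUSE_SUPER_MAGIC filesystem is appraised with no owner or signature requirement, and because it is last in the array the same actmask early exit can skip it. A short comment beside the entry saying why FUSE files are always re-appraised, and a sentence in the patch description on whether secure_boot_rules[] (visible in the trailing context) is meant to stay untouched, would make the intended coverage reviewable.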
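A simplified model of the rule walk described in the reply, added here as an illustration and not kernel code: the bit values, the FORCED result bit, the FILE_CHECK hook and the match_policy() helper are this example's own assumptions, and only the early exit once every action in actmask has matched is taken from the reply. It shows that with the FUSE rule appended last, as in the patch, a module loaded from a FUSE filesystem matches the earlier MODULE_CHECK rule and never picks up IMA_FORCE, whereas placing the FUSE rule first does, and that the fsmagic-only rule matches hooks no other rule covers.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed bit values for this model only; the kernel's differ. */
enum { MEASURE = 1, APPRAISE = 2, FORCED = 8 };          /* action bits; FORCED = IMA_FORCE seen */
enum { IMA_FUNC = 1, IMA_FSMAGIC = 2, IMA_FORCE = 4 };   /* rule flags */
enum { MODULE_CHECK = 1, FIRMWARE_CHECK = 2, POLICY_CHECK = 3, FILE_CHECK = 4 }; /* hooks */
#define FUSE_SUPER_MAGIC 0x65735546u   /* value from <linux/magic.h> */

struct rule { int action; int func; unsigned fsmagic; int flags; };

/* A rule matches when every matcher it enables (func, fsmagic) agrees. */
static bool rule_matches(const struct rule *r, int func, unsigned fsmagic)
{
	return !((r->flags & IMA_FUNC) && r->func != func) &&
	       !((r->flags & IMA_FSMAGIC) && r->fsmagic != fsmagic);
}

/* Sequential walk with the early exit: once every action bit in actmask has
 * been decided, later rules are never consulted, IMA_FORCE included. */
int match_policy(const struct rule *rules, size_t n, int func, unsigned fsmagic, int actmask)
{
	int action = 0;
	for (size_t i = 0; i < n; i++) {
		if (!(rules[i].action & actmask) || !rule_matches(&rules[i], func, fsmagic))
			continue;
		action |= rules[i].action | ((rules[i].flags & IMA_FORCE) ? FORCED : 0);
		actmask &= ~rules[i].action;
		if (!actmask)
			break;   /* early exit: all requested actions already decided */
	}
	return action;
}

/* Measurement rules ordered as the patch has them: FUSE entry appended last. */
static const struct rule fuse_last[] = {
	{ .action = MEASURE, .func = MODULE_CHECK,   .flags = IMA_FUNC },
	{ .action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC },
	{ .action = MEASURE, .func = POLICY_CHECK,   .flags = IMA_FUNC },
	{ .action = MEASURE, .fsmagic = FUSE_SUPER_MAGIC, .flags = IMA_FSMAGIC | IMA_FORCE },
};
/* Same rules with the FUSE entry placed first. */
static const struct rule fuse_first[] = {
	{ .action = MEASURE, .fsmagic = FUSE_SUPER_MAGIC, .flags = IMA_FSMAGIC | IMA_FORCE },
	{ .action = MEASURE, .func = MODULE_CHECK,   .flags = IMA_FUNC },
	{ .action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC },
	{ .action = MEASURE, .func = POLICY_CHECK,   .flags = IMA_FUNC },
};
```

Calling match_policy(fuse_last, 4, MODULE_CHECK, FUSE_SUPER_MAGIC, MEASURE) returns MEASURE without FORCED, while the same call on fuse_first returns MEASURE | FORCED.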