lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-id: <cover.1384806012.git.d.kasatkin@samsung.com>
Date:	Mon, 18 Nov 2013 22:24:57 +0200
From:	Dmitry Kasatkin <d.kasatkin@...sung.com>
To:	linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
	viro@...iv.linux.org.uk, linux-security-module@...r.kernel.org,
	zohar@...ux.vnet.ibm.com, jmorris@...ei.org
Cc:	dmitry.kasatkin@...il.com, Dmitry Kasatkin <d.kasatkin@...sung.com>
Subject: [PATCH 0/2] ima: directory integrity appraisal

Hello,

This patchset provides extension to IMA to protect appraisal of directories.

Both IMA-appraisal and EVM protect the integrity of regular files.
IMA protects file data integrity, while EVM protects the file meta-data
integrity, such as file attributes and extended attributes. This patch
set adds offline directory integrity protection.

An inode itself does not have any file name associated with it. The
association of the file name to inode is done via directory entries.
On a running system, mandatory and/or discretionary access control prevent
unprivileged file deletion, file name change, or hardlink creation.
In an offline attack, without these protections, the association between
a file name and an inode is unprotected. Files can be deleted, renamed
or moved from one directory to another. In all of these cases,
the integrity of the file data and metadata are good.

To prevent such attacks, it is necessary to protect the integrity of the
directory content.  This patchset calculates a hash of the directory content
and verify this hash against good reference value stored in 'security.ima'
extended attribute. The directory hash is a hash over the list of directory
entries, that includes name, ino, d_type. Initial idea how to calculate the
directory hash was suggested by Jayant Mangalampalli (Intel).

This patchset adds 2 new hooks for directory integrity protection:
ima_dir_check() and ima_dir_update().

ima_dir_check() verifies the directory integrity during the initial path
lookup, when the dentry is just being created and may block. It allocates
the needed data structures and performs the integrity verification.
The results of which are cached. Subsequent calls mostly happen under
RCU locking, when the code may not block, and returns immediately with
the cached verification status. So ima_dir_check() does not interrupt
RCU path walk.

ima_dir_update(), which is called from several places in namei.c when
the directory content is changing, for updating the directory hash.

- Dmitry

Dmitry Kasatkin (2):
  ima: hooks for directory integrity protection
  ima: directory integrity protection implementation

 fs/namei.c                          |  42 ++++-
 fs/open.c                           |   6 +
 include/linux/ima.h                 |  23 +++
 net/unix/af_unix.c                  |   2 +
 security/integrity/ima/Kconfig      |  10 +
 security/integrity/ima/Makefile     |   1 +
 security/integrity/ima/ima.h        |   3 +-
 security/integrity/ima/ima_dir.c    | 358 ++++++++++++++++++++++++++++++++++++
 security/integrity/ima/ima_main.c   |   3 +
 security/integrity/ima/ima_policy.c |   2 +
 10 files changed, 446 insertions(+), 4 deletions(-)
 create mode 100644 security/integrity/ima/ima_dir.c

-- 
1.8.3.2

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ