lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Mon, 09 Dec 2013 08:52:22 -0500
From:	Mimi Zohar <zohar@...ux.vnet.ibm.com>
To:	Roberto Sassu <roberto.sassu@...ito.it>
Cc:	linux-security-module@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	linux-ima-devel@...ts.sourceforge.net, zohar@...ibm.com,
	d.kasatkin@...sung.com, james.l.morris@...cle.com
Subject: Re: [PATCH-v2 4/6] ima: added ima_template and ima_template_fmt new
 policy options

On Tue, 2013-11-19 at 13:33 +0100, Roberto Sassu wrote: 
> This patch adds the support for 'ima_template' and 'ima_template_fmt'
> policy options. They allow to define which template should be used
> and, thus, which information should be included in measurements entries
> generated from events that match other rules' criteria.
> 
> With this feature, it is possible to include for each measurement entry
> only relevant information. For example, while measurements that report
> the execution of the execve() system call may contain the credentials
> being installed on the current process (stored in the 'cred' field of the
> 'linux_binprm' structure), others should not include it (also because
> the pointer to the above structure is not available from other IMA hooks).
> 
> A sample policy to add to measurement entries the LSM label in the
> 'linux_binprm' structure only for file execution events should be:

As mentioned for the cover letter, please simplify the example.

> ---
> measure func=BPRM_CHECK mask=MAY_EXEC \
>     ima_template_fmt=d-ng|n-ng|target-subj
> measure func=FILE_MMAP mask=MAY_EXEC
> ---
> 
> where 'target-subj' is the identifier of a new field (whose code is not yet
> upstreamed) which displays the additional information.
> 
> Signed-off-by: Roberto Sassu <roberto.sassu@...ito.it>
> ---
>  Documentation/ABI/testing/ima_policy     |  6 +++++-
>  Documentation/security/IMA-templates.txt | 19 +++++++++++--------
>  security/integrity/ima/ima_policy.c      | 32 +++++++++++++++++++++++++++++++-
>  3 files changed, 47 insertions(+), 10 deletions(-)
> 
> diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
> index f1c5cc9..7fbe47d 100644
> --- a/Documentation/ABI/testing/ima_policy
> +++ b/Documentation/ABI/testing/ima_policy
> @@ -23,7 +23,7 @@ Description:
>  				 [fowner]]
>  			lsm:	[[subj_user=] [subj_role=] [subj_type=]
>  				 [obj_user=] [obj_role=] [obj_type=]]
> -			option:	[[appraise_type=]]
> +			option:	[[appraise_type=] [ima_template=] [ima_template_fmt=]]
> 
>  		base: 	func:= [BPRM_CHECK][MMAP_CHECK][FILE_CHECK][MODULE_CHECK]
>  			mask:= [MAY_READ] [MAY_WRITE] [MAY_APPEND] [MAY_EXEC]
> @@ -33,6 +33,10 @@ Description:
>  			fowner:=decimal value
>  		lsm:  	are LSM specific
>  		option:	appraise_type:= [imasig]
> +			ima_template:= an already defined template
> +			ima_template_fmt:= a custom template format
> +					   (see Documentation/security/IMA-templates.txt
> +					   for more details)
> 
>  		default policy:
>  			# PROC_SUPER_MAGIC
> diff --git a/Documentation/security/IMA-templates.txt b/Documentation/security/IMA-templates.txt
> index 08ea2da..61d9f0d 100644
> --- a/Documentation/security/IMA-templates.txt
> +++ b/Documentation/security/IMA-templates.txt
> @@ -36,13 +36,14 @@ from the set of the supported ones.
>  After the initialization step, IMA will call ima_alloc_init_template()
>  (new function defined within the patches for the new template management
>  mechanism) to generate a new measurement entry by using the template
> -descriptor chosen through the kernel configuration or through the newly
> -introduced 'ima_template' and 'ima_template_fmt' kernel command line parameters.
> -It is during this phase that the advantages of the new architecture are
> -clearly shown: the latter function will not contain specific code to handle
> -a given template but, instead, it simply calls the init() method of the template
> -fields associated to the chosen template descriptor and store the result
> -(pointer to allocated data and data length) in the measurement entry structure.
> +descriptor chosen through the kernel configuration, the newly introduced
> +'ima_template' and 'ima_template_fmt' kernel command line parameters and
> +new policy options with the same names. It is during this phase that the
> +advantages of the new architecture are clearly shown: the latter function
> +will not contain specific code to handle a given template but, instead, it
> +simply calls the init() method of the template fields associated to the
> +chosen template descriptor and store the result (pointer to allocated data
> +and data length) in the measurement entry structure.
> 
>  The same mechanism is employed to display measurements entries.
>  The functions ima[_ascii]_measurements_show() retrieve, for each entry,
> @@ -83,4 +84,6 @@ currently the following methods are supported:
>   - specify a template descriptor name from the kernel command line through
>     the 'ima_template=' parameter;
>   - register a new template descriptor with custom format through the kernel
> -   command line parameter 'ima_template_fmt='.
> +   command line parameter 'ima_template_fmt=';
> + - provide desired template name or custom format for specific events through
> +   the new policy options 'ima_template=' and 'ima_template_fmt='.
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index a9c3d3c..f4b3fd0 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -50,6 +50,7 @@ struct ima_rule_entry {
>  	u8 fsuuid[16];
>  	kuid_t uid;
>  	kuid_t fowner;
> +	struct ima_template_desc *desc;
>  	struct {
>  		void *rule;	/* LSM file metadata specific */
>  		void *args_p;	/* audit value */
> @@ -351,7 +352,8 @@ enum {
>  	Opt_obj_user, Opt_obj_role, Opt_obj_type,
>  	Opt_subj_user, Opt_subj_role, Opt_subj_type,
>  	Opt_func, Opt_mask, Opt_fsmagic, Opt_uid, Opt_fowner,
> -	Opt_appraise_type, Opt_fsuuid
> +	Opt_appraise_type, Opt_fsuuid,
> +	Opt_ima_template, Opt_ima_template_fmt
>  };
> 
>  static match_table_t policy_tokens = {
> @@ -373,6 +375,8 @@ static match_table_t policy_tokens = {
>  	{Opt_uid, "uid=%s"},
>  	{Opt_fowner, "fowner=%s"},
>  	{Opt_appraise_type, "appraise_type=%s"},
> +	{Opt_ima_template, "ima_template=%s"},
> +	{Opt_ima_template_fmt, "ima_template_fmt=%s"},
>  	{Opt_err, NULL}
>  };
> 
> @@ -621,6 +625,32 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
>  			else
>  				result = -EINVAL;
>  			break;
> +		case Opt_ima_template:
> +			ima_log_string(ab, "ima_template", args[0].from);
> +
> +			if (entry->desc) {
> +				result = -EINVAL;
> +				break;
> +			}
> +

Right, this prevents overwriting a prior defined template.  Perhaps add
a short comment on the 'if (entry->desc) {' statement.

thanks,

Mimi

> +			entry->desc = ima_get_template_desc(args[0].from, NULL);
> +			if (entry->desc == NULL)
> +				result = -EINVAL;
> +
> +			break;
> +		case Opt_ima_template_fmt:
> +			ima_log_string(ab, "ima_template_fmt", args[0].from);
> +
> +			if (entry->desc) {
> +				result = -EINVAL;
> +				break;
> +			}
> +
> +			entry->desc = ima_get_template_desc(NULL, args[0].from);
> +			if (entry->desc == NULL)
> +				result = -EINVAL;
> +
> +			break;
>  		case Opt_err:
>  			ima_log_string(ab, "UNKNOWN", p);
>  			result = -EINVAL;


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ