[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1593125804.27152.426.camel@linux.ibm.com>
Date: Thu, 25 Jun 2020 18:56:44 -0400
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Tyler Hicks <tyhicks@...ux.microsoft.com>,
Dmitry Kasatkin <dmitry.kasatkin@...il.com>
Cc: James Morris <jmorris@...ei.org>,
"Serge E . Hallyn" <serge@...lyn.com>,
Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>,
Prakhar Srivastava <prsriva02@...il.com>,
linux-kernel@...r.kernel.org, linux-integrity@...r.kernel.org,
linux-security-module@...r.kernel.org,
Eric Biederman <ebiederm@...ssion.com>,
kexec@...ts.infradead.org
Subject: Re: [PATCH 12/12] ima: Support additional conditionals in the
KEXEC_CMDLINE hook function
On Mon, 2020-06-22 at 19:32 -0500, Tyler Hicks wrote:
> Take the properties of the kexec kernel's inode and the current task
> ownership into consideration when matching a KEXEC_CMDLINE operation to
> the rules in the IMA policy. This allows for some uniformity when
> writing IMA policy rules for KEXEC_KERNEL_CHECK, KEXEC_INITRAMFS_CHECK,
> and KEXEC_CMDLINE operations.
>
> Prior to this patch, it was not possible to write a set of rules like
> this:
>
> dont_measure func=KEXEC_KERNEL_CHECK obj_type=foo_t
> dont_measure func=KEXEC_INITRAMFS_CHECK obj_type=foo_t
> dont_measure func=KEXEC_CMDLINE obj_type=foo_t
> measure func=KEXEC_KERNEL_CHECK
> measure func=KEXEC_INITRAMFS_CHECK
> measure func=KEXEC_CMDLINE
>
> The inode information associated with the kernel being loaded by a
> kexec_kernel_load(2) syscall can now be included in the decision to
> measure or not
>
> Additonally, the uid, euid, and subj_* conditionals can also now be
> used in KEXEC_CMDLINE rules. There was no technical reason as to why
> those conditionals weren't being considered previously other than
> ima_match_rules() didn't have a valid inode to use so it immediately
> bailed out for KEXEC_CMDLINE operations rather than going through the
> full list of conditional comparisons.
This makes a lot of sense.
<snip>
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index c1583d98c5e5..82acd66bf653 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -731,13 +731,15 @@ int ima_load_data(enum kernel_load_data_id id)
> * @eventname: event name to be used for the buffer entry.
> * @func: IMA hook
> * @pcr: pcr to extend the measurement
> + * @inode: inode associated with the object being measured (NULL for KEY_CHECK)
> * @keyring: keyring name to determine the action to be performed
> *
> * Based on policy, the buffer is measured into the ima log.
> */
> void process_buffer_measurement(const void *buf, int size,
> const char *eventname, enum ima_hooks func,
> - int pcr, const char *keyring)
> + int pcr, struct inode *inode,
> + const char *keyring)
> {
The file descriptor is passed as the first arg to
process_measurement(). Sorry for the patch churn, but could we do the
same for process_buffer_measurements. As much as possible lets keep
them in same.
thanks,
Mimi
Powered by blists - more mailing lists