lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <9ad079ff-1bd4-1302-e6fb-25a7396ef12f@linux.microsoft.com>
Date:   Wed, 5 Aug 2020 10:25:41 -0700
From:   Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>
To:     Mimi Zohar <zohar@...ux.ibm.com>,
        Tyler Hicks <tyhicks@...ux.microsoft.com>,
        Casey Schaufler <casey@...aufler-ca.com>
Cc:     stephen.smalley.work@...il.com, sashal@...nel.org,
        jmorris@...ei.org, linux-integrity@...r.kernel.org,
        selinux@...r.kernel.org, linux-security-module@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH v6 0/4] LSM: Measure security module data

On 8/5/20 10:03 AM, Mimi Zohar wrote:
> On Wed, 2020-08-05 at 10:45 -0500, Tyler Hicks wrote:
> 
>> In addition to SELINUX_STATE and SELINUX_POLICY, we should also consider
>> the proposed LSM_STATE and LSM_POLICY func values but require an "lsm"
>> rule conditional.
>>
>> So the current proposed rules:
>>
>>   measure func=LSM_STATE
>>   measure func=LSM_POLICY
>>
>> Would become:
>>
>>   measure func=LSM_STATE lsm=selinux
>>   measure func=LSM_POLICY lsm=selinux
>>
>> The following rules would be rejected:
>>
>>   measure func=LSM_STATE
>>   measure func=LSM_POLICY
>>   measure func=LSM_STATE lsm=apparmor
>>   measure func=LSM_POLICY lsm=smack
> 
> Kees is cleaning up the firmware code which differentiated between how
> firmware was loaded.   There will be a single firmware enumeration.
> 
> Similarly, the new IMA hook to measure critical state may be placed in
> multiple places.  Is there really a need from a policy perspective for
> differentiating the source of the critical state being measurind?   The
> data being measured should include some identifying information.

Yes Mimi - SELinux is including the identifying information in the 
"event name" field. Please see a sample measurement of STATE and POLICY 
for SELinux below:

10 e32e...5ac3 ima-buf sha256:86e8...4594 
selinux-state-1595389364:287899386 
696e697469616c697a65643d313b656e61626c65643d313b656e666f7263696e673d303b636865636b72657170726f743d313b6e6574776f726b5f706565725f636f6e74726f6c733d313b6f70656e5f7065726d733d313b657874656e6465645f736f636b65745f636c6173733d313b616c776179735f636865636b5f6e6574776f726b3d303b6367726f75705f7365636c6162656c3d313b6e6e705f6e6f737569645f7472616e736974696f6e3d313b67656e66735f7365636c6162656c5f73796d6c696e6b733d303

10 f4a7...9408 ima-ng sha256:8d1d...1834 
selinux-policy-hash-1595389353:863934271

> 
> I think moving away from the idea that measuring "critical" data should
> be limited to LSMs, will clarify this.
> 

Are you suggesting that instead of calling the hooks LSM_STATE and 
LSM_POLICY, we should keep it more generic so that it can be utilized by 
any subsystem to measure their "critical data"?

I think that is a good idea.

  -lakshmi

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ