| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20200926164000.2926-1-nramas@linux.microsoft.com>
Date: Sat, 26 Sep 2020 09:39:59 -0700
From: Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>
To: zohar@...ux.ibm.com, stephen.smalley.work@...il.com,
paul@...l-moore.com, omosnace@...hat.com
Cc: tyhicks@...ux.microsoft.com, tusharsu@...ux.microsoft.com,
sashal@...nel.org, linux-integrity@...r.kernel.org,
selinux@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [PATCH v2 0/1] selinux: Measure state and hash of policy using IMA
Critical data structures of security modules are currently not measured.
Therefore an attestation service, for instance, would not be able to
attest whether the security modules are always operating with the policies
and configurations that the system administrator had setup. The policies
and configurations for the security modules could be tampered by rogue
user mode agents or modified through some inadvertent actions on
the system. Measuring such critical data would enable an attestation
service to reliably assess the security configuration of the system.
SELinux configuration and policy are some of the critical data for this
security module that need to be measured. This measurement can be used
by an attestation service, for instance, to verify if the configurations
and policies have been setup correctly and that they haven't been
tampered at run-time.
This patch set adds support for measuring SELinux configuration,
policy capabilities settings, and the hash of the loaded policy by
calling the IMA hook ima_measure_critical_data().
Since the size of the loaded policy can be large (several MB), hash
of the policy is measured instead of the entire policy to avoid
bloating the IMA log entry.
This patch is based on commit 8861d0af642c ("selinux: Add helper functions to get and set checkreqprot")
in "next" branch in https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
This patch is dependent on the following patch series and must be
applied in the given order:
1, https://patchwork.kernel.org/patch/11709527/
2, https://patchwork.kernel.org/patch/11795559/
3, https://patchwork.kernel.org/patch/11801525/
Lakshmi Ramasubramanian (1):
selinux: Measure state and hash of policy using IMA
security/integrity/ima/ima.h | 1 +
security/integrity/ima/ima_queue_data.c | 5 +-
security/selinux/Makefile | 2 +
security/selinux/hooks.c | 3 +
security/selinux/include/security.h | 11 +-
security/selinux/measure.c | 154 ++++++++++++++++++++++++
security/selinux/selinuxfs.c | 9 ++
security/selinux/ss/services.c | 71 +++++++++--
8 files changed, 244 insertions(+), 12 deletions(-)
create mode 100644 security/selinux/measure.c
--
2.28.0
Powered by blists - more mailing lists