Commit 2fe5d6de authored Feb 13, 2012 by Mimi Zohar

ima: integrity appraisal extension



IMA currently maintains an integrity measurement list used to assert the
integrity of the running system to a third party.  The IMA-appraisal
extension adds local integrity validation and enforcement of the
measurement against a "good" value stored as an extended attribute
'security.ima'.  The initial methods for validating 'security.ima' are
hashed based, which provides file data integrity, and digital signature
based, which in addition to providing file data integrity, provides
authenticity.

This patch creates and maintains the 'security.ima' xattr, containing
the file data hash measurement.  Protection of the xattr is provided by
EVM, if enabled and configured.

Based on policy, IMA calls evm_verifyxattr() to verify a file's metadata
integrity and, assuming success, compares the file's current hash value
with the one stored as an extended attribute in 'security.ima'.

Changelov v4:
- changed iint cache flags to hex values

Changelog v3:
- change appraisal default for filesystems without xattr support to fail

Changelog v2:
- fix audit msg 'res' value
- removed unused 'ima_appraise=' values

Changelog v1:
- removed unused iint mutex (Dmitry Kasatkin)
- setattr hook must not reset appraised (Dmitry Kasatkin)
- evm_verifyxattr() now differentiates between no 'security.evm' xattr
  (INTEGRITY_NOLABEL) and no EVM 'protected' xattrs included in the
  'security.evm' (INTEGRITY_NOXATTRS).
- replace hash_status with ima_status (Dmitry Kasatkin)
- re-initialize slab element ima_status on free (Dmitry Kasatkin)
- include 'security.ima' in EVM if CONFIG_IMA_APPRAISE, not CONFIG_IMA
- merged half "ima: ima_must_appraise_or_measure API change" (Dmitry Kasatkin)
- removed unnecessary error variable in process_measurement() (Dmitry Kasatkin)
- use ima_inode_post_setattr() stub function, if IMA_APPRAISE not configured
  (moved ima_inode_post_setattr() to ima_appraise.c)
- make sure ima_collect_measurement() can read file

Changelog:
- add 'iint' to evm_verifyxattr() call (Dimitry Kasatkin)
- fix the race condition between chmod, which takes the i_mutex and then
  iint->mutex, and ima_file_free() and process_measurement(), which take
  the locks in the reverse order, by eliminating iint->mutex. (Dmitry Kasatkin)
- cleanup of ima_appraise_measurement() (Dmitry Kasatkin)
- changes as a result of the iint not allocated for all regular files, but
  only for those measured/appraised.
- don't try to appraise new/empty files
- expanded ima_appraisal description in ima/Kconfig
- IMA appraise definitions required even if IMA_APPRAISE not enabled
- add return value to ima_must_appraise() stub
- unconditionally set status = INTEGRITY_PASS *after* testing status,
  not before.  (Found by Joe Perches)

Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>

parent 4199d35c

Documentation/kernel-parameters.txt

+4 −0

Original line number	Diff line number	Diff line
		@@ -1051,6 +1051,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
		ihash_entries= [KNL]
		Set number of hash buckets for inode cache.

		ima_appraise= [IMA] appraise integrity measurements
		Format: { "off" \| "enforce" \| "fix" }
		default: "enforce"

		ima_audit= [IMA]
		Format: { "0" \| "1" }
		0 -- integrity auditing messages. (Default)

include/linux/xattr.h

+3 −0

Original line number	Diff line number	Diff line
		@@ -33,6 +33,9 @@
		#define XATTR_EVM_SUFFIX "evm"
		#define XATTR_NAME_EVM XATTR_SECURITY_PREFIX XATTR_EVM_SUFFIX

		#define XATTR_IMA_SUFFIX "ima"
		#define XATTR_NAME_IMA XATTR_SECURITY_PREFIX XATTR_IMA_SUFFIX

		#define XATTR_SELINUX_SUFFIX "selinux"
		#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX

security/integrity/evm/evm_main.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -33,6 +33,9 @@ char *evm_config_xattrnames[] = {
		#endif
		#ifdef CONFIG_SECURITY_SMACK
		XATTR_NAME_SMACK,
		#endif
		#ifdef CONFIG_IMA_APPRAISE
		XATTR_NAME_IMA,
		#endif
		XATTR_NAME_CAPS,
		NULL

security/integrity/iint.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -74,6 +74,7 @@ static void iint_free(struct integrity_iint_cache *iint)
		{
		iint->version = 0;
		iint->flags = 0UL;
		iint->ima_status = INTEGRITY_UNKNOWN;
		iint->evm_status = INTEGRITY_UNKNOWN;
		kmem_cache_free(iint_cache, iint);
		}
		@@ -157,7 +158,7 @@ static void init_once(void *foo)
		memset(iint, 0, sizeof *iint);
		iint->version = 0;
		iint->flags = 0UL;
		mutex_init(&iint->mutex);
		iint->ima_status = INTEGRITY_UNKNOWN;
		iint->evm_status = INTEGRITY_UNKNOWN;
		}

security/integrity/ima/Kconfig

+15 −0

Original line number	Diff line number	Diff line
		@@ -56,3 +56,18 @@ config IMA_LSM_RULES
		default y
		help
		Disabling this option will disregard LSM based policy rules.

		config IMA_APPRAISE
		bool "Appraise integrity measurements"
		depends on IMA
		default n
		help
		This option enables local measurement integrity appraisal.
		It requires the system to be labeled with a security extended
		attribute containing the file hash measurement. To protect
		the security extended attributes from offline attack, enable
		and configure EVM.

		For more information on integrity appraisal refer to:
		<http://linux-ima.sourceforge.net>
		If unsure, say N.