Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d906c10d authored by Matthew Garrett's avatar Matthew Garrett Committed by Mimi Zohar
Browse files

IMA: Support using new creds in appraisal policy 



The existing BPRM_CHECK functionality in IMA validates against the
credentials of the existing process, not any new credentials that the
child process may transition to. Add an additional CREDS_CHECK target
and refactor IMA to pass the appropriate creds structure. In
ima_bprm_check(), check with both the existing process credentials and
the credentials that will be committed when the new process is started.
This will not change behaviour unless the system policy is extended to
include CREDS_CHECK targets - BPRM_CHECK will continue to check the same
credentials that it did previously.

After this patch, an IMA policy rule along the lines of:

measure func=CREDS_CHECK subj_type=unconfined_t

will trigger if a process is executed and runs as unconfined_t, ignoring
the context of the parent process. This is in contrast to:

measure func=BPRM_CHECK subj_type=unconfined_t

which will trigger if the process that calls exec() is already executing
in unconfined_t, ignoring the context that the child process executes
into.

Signed-off-by: default avatarMatthew Garrett <mjg59@google.com>
Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>

Changelog:
- initialize ima_creds_status
parent 3ec30113

Documentation/ABI/testing/ima_policy

+1 −1
Original line number Diff line number Diff line
@@ -26,7 +26,7 @@ Description: 
				 [obj_user=] [obj_role=] [obj_type=]]

			option:	[[appraise_type=]] [permit_directio]



		base: 	func:= [BPRM_CHECK][MMAP_CHECK][FILE_CHECK][MODULE_CHECK]

		base: 	func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]

				[FIRMWARE_CHECK]

				[KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]

			mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]

security/integrity/iint.c

+2 −0
Original line number Diff line number Diff line
@@ -79,6 +79,7 @@ static void iint_free(struct integrity_iint_cache *iint) 
	iint->ima_mmap_status = INTEGRITY_UNKNOWN;

	iint->ima_bprm_status = INTEGRITY_UNKNOWN;

	iint->ima_read_status = INTEGRITY_UNKNOWN;

	iint->ima_creds_status = INTEGRITY_UNKNOWN;

	iint->evm_status = INTEGRITY_UNKNOWN;

	iint->measured_pcrs = 0;

	kmem_cache_free(iint_cache, iint);
@@ -158,6 +159,7 @@ static void init_once(void *foo) 
	iint->ima_mmap_status = INTEGRITY_UNKNOWN;

	iint->ima_bprm_status = INTEGRITY_UNKNOWN;

	iint->ima_read_status = INTEGRITY_UNKNOWN;

	iint->ima_creds_status = INTEGRITY_UNKNOWN;

	iint->evm_status = INTEGRITY_UNKNOWN;

	mutex_init(&iint->mutex);

}

security/integrity/ima/ima.h

+5 −4
Original line number Diff line number Diff line
@@ -177,6 +177,7 @@ static inline unsigned long ima_hash_key(u8 *digest) 
	hook(FILE_CHECK)		\

	hook(MMAP_CHECK)		\

	hook(BPRM_CHECK)		\

	hook(CREDS_CHECK)		\

	hook(POST_SETATTR)		\

	hook(MODULE_CHECK)		\

	hook(FIRMWARE_CHECK)		\
@@ -191,8 +192,8 @@ enum ima_hooks { 
};



/* LIM API function definitions */

int ima_get_action(struct inode *inode, int mask,

		   enum ima_hooks func, int *pcr);

int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid,

		   int mask, enum ima_hooks func, int *pcr);

int ima_must_measure(struct inode *inode, int mask, enum ima_hooks func);

int ima_collect_measurement(struct integrity_iint_cache *iint,

			    struct file *file, void *buf, loff_t size,
@@ -212,8 +213,8 @@ void ima_free_template_entry(struct ima_template_entry *entry); 
const char *ima_d_path(const struct path *path, char **pathbuf, char *filename);



/* IMA policy related functions */

int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,

		     int flags, int *pcr);

int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid,

		     enum ima_hooks func, int mask, int flags, int *pcr);

void ima_init_policy(void);

void ima_update_policy(void);

void ima_update_policy_flag(void);

security/integrity/ima/ima_api.c

+6 −3
Original line number Diff line number Diff line
@@ -158,6 +158,8 @@ void ima_add_violation(struct file *file, const unsigned char *filename, 
/**

 * ima_get_action - appraise & measure decision based on policy.

 * @inode: pointer to inode to measure

 * @cred: pointer to credentials structure to validate

 * @secid: secid of the task being validated

 * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXEC,

 *        MAY_APPEND)

 * @func: caller identifier
@@ -166,20 +168,21 @@ void ima_add_violation(struct file *file, const unsigned char *filename, 
 * The policy is defined in terms of keypairs:

 *		subj=, obj=, type=, func=, mask=, fsmagic=

 *	subj,obj, and type: are LSM specific.

 *	func: FILE_CHECK | BPRM_CHECK | MMAP_CHECK | MODULE_CHECK

 *	func: FILE_CHECK | BPRM_CHECK | CREDS_CHECK | MMAP_CHECK | MODULE_CHECK

 *	mask: contains the permission mask

 *	fsmagic: hex value

 *

 * Returns IMA_MEASURE, IMA_APPRAISE mask.

 *

 */

int ima_get_action(struct inode *inode, int mask, enum ima_hooks func, int *pcr)

int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid,

		   int mask, enum ima_hooks func, int *pcr)

{

	int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE | IMA_HASH;



	flags &= ima_policy_flag;



	return ima_match_policy(inode, func, mask, flags, pcr);

	return ima_match_policy(inode, cred, secid, func, mask, flags, pcr);

}



/*

security/integrity/ima/ima_appraise.c

+12 −2
Original line number Diff line number Diff line
@@ -50,11 +50,14 @@ bool is_ima_appraise_enabled(void) 
 */

int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func)

{

	u32 secid;



	if (!ima_appraise)

		return 0;



	return ima_match_policy(inode, func, mask, IMA_APPRAISE | IMA_HASH,

				NULL);

	security_task_getsecid(current, &secid);

	return ima_match_policy(inode, current_cred(), secid, func, mask,

				IMA_APPRAISE | IMA_HASH, NULL);

}



static int ima_fix_xattr(struct dentry *dentry,
@@ -87,6 +90,8 @@ enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint, 
		return iint->ima_mmap_status;

	case BPRM_CHECK:

		return iint->ima_bprm_status;

	case CREDS_CHECK:

		return iint->ima_creds_status;

	case FILE_CHECK:

	case POST_SETATTR:

		return iint->ima_file_status;
@@ -107,6 +112,8 @@ static void ima_set_cache_status(struct integrity_iint_cache *iint, 
	case BPRM_CHECK:

		iint->ima_bprm_status = status;

		break;

	case CREDS_CHECK:

		iint->ima_creds_status = status;

	case FILE_CHECK:

	case POST_SETATTR:

		iint->ima_file_status = status;
@@ -128,6 +135,9 @@ static void ima_cache_flags(struct integrity_iint_cache *iint, 
	case BPRM_CHECK:

		iint->flags |= (IMA_BPRM_APPRAISED | IMA_APPRAISED);

		break;

	case CREDS_CHECK:

		iint->flags |= (IMA_CREDS_APPRAISED | IMA_APPRAISED);

		break;

	case FILE_CHECK:

	case POST_SETATTR:

		iint->flags |= (IMA_FILE_APPRAISED | IMA_APPRAISED);