[PATCH 2/7] ima: Add meta_immutable appraisal type

Roberto Sassu Fri, 09 Apr 2021 04:43:59 -0700

Currently, IMA supports the appraise_type=imasig option in the policy to
require signed file content or metadata. This patch introduces the new
option appraise_type=meta_immutable to require that file metadata is also
immutable, i.e. it cannot have been produced by the system itself but only
from a vendor whose signing key is trusted by the kernel. Currently, this
requirement can be satisfied only by portable signatures.


The main purpose of this option is to ensure a proper label transition
during binary execution, when the target label depends on the label of the
binary being executed. Without it, an administrator might obtain a
different target label by changing the label of the executable.

Signed-off-by: Roberto Sassu <roberto.sa...@huawei.com>
---
 Documentation/ABI/testing/ima_policy  |  2 +-
 security/integrity/ima/ima_appraise.c |  9 +++++++++
 security/integrity/ima/ima_policy.c   | 13 ++++++++++---
 security/integrity/integrity.h        |  1 +
 4 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/Documentation/ABI/testing/ima_policy 
b/Documentation/ABI/testing/ima_policy
index 070779e8d836..bc6597db7c78 100644
--- a/Documentation/ABI/testing/ima_policy
+++ b/Documentation/ABI/testing/ima_policy
@@ -42,7 +42,7 @@ Description:
                        fowner:= decimal value
                  lsm:  are LSM specific
                  option:
-                       appraise_type:= [imasig] [imasig|modsig]
+                       appraise_type:= [imasig] [imasig|modsig] 
[meta_immutable]
                        appraise_flag:= [check_blacklist]
                        Currently, blacklist check is only for files signed 
with appended
                        signature.
diff --git a/security/integrity/ima/ima_appraise.c 
b/security/integrity/ima/ima_appraise.c
index 45e244fc2ef2..5814b8cbe86c 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -430,6 +430,15 @@ int ima_appraise_measurement(enum ima_hooks func,
                WARN_ONCE(true, "Unexpected integrity status %d\n", status);
        }
 
+       if ((iint->flags & IMA_META_IMMUTABLE_REQUIRED) &&
+           status != INTEGRITY_PASS_IMMUTABLE) {
+               status = INTEGRITY_FAIL;
+               cause = "metadata-modifiable";
+               integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode,
+                                   filename, op, cause, rc, 0);
+               goto out;
+       }
+
        if (xattr_value)
                rc = xattr_verify(func, iint, xattr_value, xattr_len, &status,
                                  &cause);
diff --git a/security/integrity/ima/ima_policy.c 
b/security/integrity/ima/ima_policy.c
index 4f8cb155e4fd..33b5133645b3 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -1079,7 +1079,8 @@ static bool ima_validate_rule(struct ima_rule_entry 
*entry)
                return false;
 
        if (entry->action != APPRAISE &&
-           entry->flags & (IMA_DIGSIG_REQUIRED | IMA_MODSIG_ALLOWED | 
IMA_CHECK_BLACKLIST))
+           entry->flags & (IMA_DIGSIG_REQUIRED | IMA_MODSIG_ALLOWED |
+                           IMA_CHECK_BLACKLIST | IMA_META_IMMUTABLE_REQUIRED))
                return false;
 
        /*
@@ -1109,7 +1110,8 @@ static bool ima_validate_rule(struct ima_rule_entry 
*entry)
                                     IMA_UID | IMA_FOWNER | IMA_FSUUID |
                                     IMA_INMASK | IMA_EUID | IMA_PCR |
                                     IMA_FSNAME | IMA_DIGSIG_REQUIRED |
-                                    IMA_PERMIT_DIRECTIO))
+                                    IMA_PERMIT_DIRECTIO |
+                                    IMA_META_IMMUTABLE_REQUIRED))
                        return false;
 
                break;
@@ -1121,7 +1123,8 @@ static bool ima_validate_rule(struct ima_rule_entry 
*entry)
                                     IMA_INMASK | IMA_EUID | IMA_PCR |
                                     IMA_FSNAME | IMA_DIGSIG_REQUIRED |
                                     IMA_PERMIT_DIRECTIO | IMA_MODSIG_ALLOWED |
-                                    IMA_CHECK_BLACKLIST))
+                                    IMA_CHECK_BLACKLIST |
+                                    IMA_META_IMMUTABLE_REQUIRED))
                        return false;
 
                break;
@@ -1495,6 +1498,8 @@ static int ima_parse_rule(char *rule, struct 
ima_rule_entry *entry)
                                 strcmp(args[0].from, "imasig|modsig") == 0)
                                entry->flags |= IMA_DIGSIG_REQUIRED |
                                                IMA_MODSIG_ALLOWED;
+                       else if (strcmp(args[0].from, "meta_immutable") == 0)
+                               entry->flags |= IMA_META_IMMUTABLE_REQUIRED;
                        else
                                result = -EINVAL;
                        break;
@@ -1850,6 +1855,8 @@ int ima_policy_show(struct seq_file *m, void *v)
        }
        if (entry->flags & IMA_CHECK_BLACKLIST)
                seq_puts(m, "appraise_flag=check_blacklist ");
+       if (entry->flags & IMA_META_IMMUTABLE_REQUIRED)
+               seq_puts(m, "appraise_type=meta_immutable ");
        if (entry->flags & IMA_PERMIT_DIRECTIO)
                seq_puts(m, "permit_directio ");
        rcu_read_unlock();
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 547425c20e11..be501a63ae30 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -39,6 +39,7 @@
 #define IMA_FAIL_UNVERIFIABLE_SIGS     0x10000000
 #define IMA_MODSIG_ALLOWED     0x20000000
 #define IMA_CHECK_BLACKLIST    0x40000000
+#define IMA_META_IMMUTABLE_REQUIRED    0x80000000
 
 #define IMA_DO_MASK            (IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \
                                 IMA_HASH | IMA_APPRAISE_SUBMASK)
-- 
2.26.2

[PATCH 2/7] ima: Add meta_immutable appraisal type

Reply via email to