[PATCH v6 0/3] IMA policy read/write and new IMA keyrings;

2015-12-02 Thread Petko Manolov
Difference since v5 of the patches:

 - better description of patch #3;
 - added missing IMA_DIGSIG_REQUIRED & IMA_PERMIT_DIRECTIO flags;

This patch-set consists of three separate patches that do the following:

1) Allows multiple writes to the IMA policy.  This is considered useful to do in
long-lived systems with multiple tenants and where reboots are not
recommended.  The new IMA rules are appended to the existing ones, effectively
forming a queue.  The code also replaces the mutexes with RCU read locks.

2) Adds two more system keyrings - .ima_mok, which is used to create a simple CA
hierarchy for the trusted IMA keyring and .ima_blacklist, which keeps all
revoked IMA keys.  When the IMA_TRUSTED_KEYRING is enabled it is impossible to
import a key into .ima if it has not been signed by a key in either .system or
.ima_mok keyrings.  Before performing signature checks .ima_blacklist is
consulted first and if an offending key is found the requested operation is
rejected.

3) Allows reading back the current IMA policy.  It is often useful to be able to
read back the IMA policy.  It is even more important after introducing
CONFIG_IMA_WRITE_POLICY. This option allows the root user to see the current
policy rules.


Petko Manolov (3):
  IMA policy can now be updated multiple times.
  Create IMA machine owner and blacklist keyrings;
  Allows reading back the current IMA policy.

 crypto/asymmetric_keys/x509_public_key.c |   2 +
 include/keys/system_keyring.h            |  24 +++
 security/integrity/digsig_asymmetric.c   |  14 ++
 security/integrity/ima/Kconfig           |  39 +
 security/integrity/ima/Makefile          |   1 +
 security/integrity/ima/ima.h             |  15 +-
 security/integrity/ima/ima_fs.c          |  42 -
 security/integrity/ima/ima_mok.c         |  54 ++
 security/integrity/ima/ima_policy.c      | 286 +++
 9 files changed, 441 insertions(+), 36 deletions(-)
 create mode 100644 security/integrity/ima/ima_mok.c

-- 
2.6.2

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
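The key-admission rule described in item 2 above (blacklist consulted first, then the signer must be held in .system or .ima_mok), as a toy model added here rather than code from the patch set; the key ids, keyrings and the name-based stand-in for signature verification are all constructed:

```c
/* Toy model (added example, not kernel code) of the trust rule described
 * above: a key may enter .ima only if it is not on .ima_blacklist and was
 * signed by a key held in .system or .ima_mok.  A string match on the
 * signer's id stands in for the real asymmetric signature verification. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
struct key {
    const char *id;     /* constructed key identifier */
    const char *signer; /* id of the key that signed this one, or NULL */
};
struct keyring {
    const char *name;
    const struct key *keys[4];
    size_t nr;
};
static bool keyring_has(const struct keyring *kr, const char *id)
{
    for (size_t i = 0; i < kr->nr; i++)
        if (strcmp(kr->keys[i]->id, id) == 0)
            return true;
    return false;
}
/* 0 = import allowed; -1 blacklisted; -2 unsigned; -3 signer not trusted. */
int ima_import_allowed(const struct key *k, const struct keyring *blacklist,
                       const struct keyring *sys, const struct keyring *mok)
{
    if (keyring_has(blacklist, k->id)) /* blacklist is consulted first */
        return -1;
    if (!k->signer)
        return -2;
    return (keyring_has(sys, k->signer) || keyring_has(mok, k->signer)) ? 0 : -3;
}
/* Constructed sample: mok1 (in .ima_mok) signed ima_ok and the revoked ima_bad. */
static const struct key sys_ca = { "system_ca", NULL }, mok1 = { "mok1", "system_ca" };
static const struct key ima_ok = { "ima_ok", "mok1" }, ima_bad = { "ima_bad", "mok1" };
static const struct key ima_self = { "ima_self", "ima_self" }; /* not chained to a CA */
static const struct keyring system_kr = { ".system", { &sys_ca }, 1 };
static const struct keyring mok_kr = { ".ima_mok", { &mok1 }, 1 };
static const struct keyring blacklist_kr = { ".ima_blacklist", { &ima_bad }, 1 };
int main(void)
{
    const struct key *ks[] = { &ima_ok, &ima_bad, &ima_self };
    for (size_t i = 0; i < 3; i++)
        printf("%s -> %d\n", ks[i]->id,
               ima_import_allowed(ks[i], &blacklist_kr, &system_kr, &mok_kr));
    return 0;
}
```

The revoked key is refused even though its signature chain is valid, which is the ordering the cover letter describes.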


Re: [PATCH v6 0/3] IMA policy read/write and new IMA keyrings;

2015-12-02 Thread Mimi Zohar
On Wed, 2015-12-02 at 17:47 +0200, Petko Manolov wrote:
> Difference since v5 of the patches:
> 
>  - better description of patch #3;
>  - added missing IMA_DIGSIG_REQUIRED & IMA_PERMIT_DIRECTIO flags;
> 
> This patch-set consists of three separate patches that do the following:
> 
> 1) Allows multiple writes to the IMA policy.  This is considered useful to do in
> long-lived systems with multiple tenants and where reboots are not
> recommended.  The new IMA rules are appended to the existing ones, effectively
> forming a queue.  The code also replaces the mutexes with RCU read locks.
> 
> 2) Adds two more system keyrings - .ima_mok, which is used to create a simple CA
> hierarchy for the trusted IMA keyring and .ima_blacklist, which keeps all
> revoked IMA keys.  When the IMA_TRUSTED_KEYRING is enabled it is impossible to
> import a key into .ima if it has not been signed by a key in either .system or
> .ima_mok keyrings.  Before performing signature checks .ima_blacklist is
> consulted first and if an offending key is found the requested operation is
> rejected.
> 
> 3) Allows reading back the current IMA policy.  It is often useful to be able to
> read back the IMA policy.  It is even more important after introducing
> CONFIG_IMA_WRITE_POLICY. This option allows the root user to see the current
> policy rules.

Thank you for the patches.   I've taken the liberty to prefix the patch
names with the subsystem.

IMA: allow reading back the current IMA policy
IMA: create machine owner and blacklist keyrings
IMA: policy can now be updated multiple times

The patches are available from:
git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
ima-keyrings.

Mimi
