Re: [PATCH v9 5/8] ima: make process_buffer_measurement() generic

2019-10-30 Thread Mimi Zohar 
On Wed, 2019-10-30 at 08:22 -0700, Lakshmi Ramasubramanian wrote:
> On 10/23/19 8:47 PM, Nayna Jain wrote:
> 
> Hi Nayna,
> 
> > process_buffer_measurement() is limited to measuring the kexec boot
> > command line. This patch makes process_buffer_measurement() more
> > generic, allowing it to measure other types of buffer data (e.g.
> > blacklisted binary hashes or key hashes).
> 
> Now that process_buffer_measurement() is being made generic to measure 
> any buffer, it would be good to add a tag to indicate what type of 
> buffer is being measured.
> 
> For example, if the buffer is kexec command line the log could look like:
> 
>   "kexec_cmdline: "
> 
> Similarly, if the buffer is blacklisted binary hash:
> 
>   "blacklist hash: ".
> 
> If the buffer is key hash:
> 
>   ": key data".
> 
> This would greatly help the consumer of the IMA log to know the type of 
> data represented in each IMA log entry.

Both the existing kexec command line and the new blacklist buffer
measurement pass that information in the eventname.   The [PATCH 7/8]
"ima: check against blacklisted hashes for files with modsig" patch
description includes an example.

Mimi

Re: [PATCH v9 5/8] ima: make process_buffer_measurement() generic

2019-10-30 Thread Lakshmi Ramasubramanian 

On 10/23/19 8:47 PM, Nayna Jain wrote:

Hi Nayna,


process_buffer_measurement() is limited to measuring the kexec boot
command line. This patch makes process_buffer_measurement() more
generic, allowing it to measure other types of buffer data (e.g.
blacklisted binary hashes or key hashes).


Now that process_buffer_measurement() is being made generic to measure 
any buffer, it would be good to add a tag to indicate what type of 
buffer is being measured.


For example, if the buffer is kexec command line the log could look like:

 "kexec_cmdline: "

Similarly, if the buffer is blacklisted binary hash:

 "blacklist hash: ".

If the buffer is key hash:

 ": key data".

This would greatly help the consumer of the IMA log to know the type of 
data represented in each IMA log entry.


thanks,
 -lakshmi

Re: [PATCH v9 5/8] ima: make process_buffer_measurement() generic

2019-10-26 Thread Mimi Zohar 
On Fri, 2019-10-25 at 10:32 -0700, Lakshmi Ramasubramanian wrote:
> 
> On 10/25/2019 10:24 AM, Nayna Jain wrote:
> > 
> > On 10/24/19 10:20 AM, Lakshmi Ramasubramanian wrote:
> >> On 10/23/19 8:47 PM, Nayna Jain wrote:
> >>
> >> Hi Nayna,
> >>
> >>> +void process_buffer_measurement(const void *buf, int size,
> >>> +    const char *eventname, enum ima_hooks func,
> >>> +    int pcr)
> >>>   {
> >>>   int ret = 0;
> >>>   struct ima_template_entry *entry = NULL;
> >>
> >>> +    if (func) {

Let's comment this line.  Perhaps something like /*Unnecessary for
auxiliary buffer measurements */
> >>> +    security_task_getsecid(current, );
> >>> +    action = ima_get_action(NULL, current_cred(), secid, 0, func,
> >>> +    , );
> >>> +    if (!(action & IMA_MEASURE))
> >>> +    return;
> >>> +    }
> >>
> >> In your change set process_buffer_measurement is called with NONE for 
> >> the parameter func. So ima_get_action (the above if block) will not be 
> >> executed.
> >>
> >> Wouldn't it better to update ima_get_action (and related functions) to 
> >> handle the ima policy (func param)?
> > 
> > 
> > The idea is to use ima-buf template for the auxiliary measurement 
> > record. The auxiliary measurement record is an additional record to the 
> > one already created based on the existing policy. When func is passed as 
> > NONE, it represents it is an additional record. I am not sure what you 
> > mean by updating ima_get_action, it is already handling the ima policy.
> >
> 
> I was referring to using "func" in process_buffer_measurement to 
> determine ima action. In my opinion, process_buffer_measurement should 
> be generic.
> 
> ima_get_action() should instead determine the required ima action, 
> template, pcr, etc. based on "func" passed to it.

Nayna's original patch moved ima_get_action() into the caller, but
that resulted in code duplication in each of the callers.  This
solution differentiates between the initial, which requires calling
ima_get_action(), and auxiliary buffer measurement records.

Mimi 

Re: [PATCH v9 5/8] ima: make process_buffer_measurement() generic

2019-10-25 Thread Lakshmi Ramasubramanian 




On 10/25/2019 10:24 AM, Nayna Jain wrote:


On 10/24/19 10:20 AM, Lakshmi Ramasubramanian wrote:

On 10/23/19 8:47 PM, Nayna Jain wrote:

Hi Nayna,


+void process_buffer_measurement(const void *buf, int size,
+    const char *eventname, enum ima_hooks func,
+    int pcr)
  {
  int ret = 0;
  struct ima_template_entry *entry = NULL;



+    if (func) {
+    security_task_getsecid(current, );
+    action = ima_get_action(NULL, current_cred(), secid, 0, func,
+    , );
+    if (!(action & IMA_MEASURE))
+    return;
+    }


In your change set process_buffer_measurement is called with NONE for 
the parameter func. So ima_get_action (the above if block) will not be 
executed.


Wouldn't it better to update ima_get_action (and related functions) to 
handle the ima policy (func param)?



The idea is to use ima-buf template for the auxiliary measurement 
record. The auxiliary measurement record is an additional record to the 
one already created based on the existing policy. When func is passed as 
NONE, it represents it is an additional record. I am not sure what you 
mean by updating ima_get_action, it is already handling the ima policy.




I was referring to using "func" in process_buffer_measurement to 
determine ima action. In my opinion, process_buffer_measurement should 
be generic.


ima_get_action() should instead determine the required ima action, 
template, pcr, etc. based on "func" passed to it.


thanks,
 -lakshmi

Re: [PATCH v9 5/8] ima: make process_buffer_measurement() generic

2019-10-25 Thread Nayna Jain 



On 10/24/19 10:20 AM, Lakshmi Ramasubramanian wrote:

On 10/23/19 8:47 PM, Nayna Jain wrote:

Hi Nayna,


+void process_buffer_measurement(const void *buf, int size,
+    const char *eventname, enum ima_hooks func,
+    int pcr)
  {
  int ret = 0;
  struct ima_template_entry *entry = NULL;



+    if (func) {
+    security_task_getsecid(current, );
+    action = ima_get_action(NULL, current_cred(), secid, 0, func,
+    , );
+    if (!(action & IMA_MEASURE))
+    return;
+    }


In your change set process_buffer_measurement is called with NONE for 
the parameter func. So ima_get_action (the above if block) will not be 
executed.


Wouldn't it better to update ima_get_action (and related functions) to 
handle the ima policy (func param)?



The idea is to use ima-buf template for the auxiliary measurement 
record. The auxiliary measurement record is an additional record to the 
one already created based on the existing policy. When func is passed as 
NONE, it represents it is an additional record. I am not sure what you 
mean by updating ima_get_action, it is already handling the ima policy.


Thanks & Regards,

    - Nayna

Re: [PATCH v9 5/8] ima: make process_buffer_measurement() generic

2019-10-24 Thread Lakshmi Ramasubramanian 

On 10/23/19 8:47 PM, Nayna Jain wrote:

Hi Nayna,


+void process_buffer_measurement(const void *buf, int size,
+   const char *eventname, enum ima_hooks func,
+   int pcr)
  {
int ret = 0;
struct ima_template_entry *entry = NULL;



+   if (func) {
+   security_task_getsecid(current, );
+   action = ima_get_action(NULL, current_cred(), secid, 0, func,
+   , );
+   if (!(action & IMA_MEASURE))
+   return;
+   }


In your change set process_buffer_measurement is called with NONE for 
the parameter func. So ima_get_action (the above if block) will not be 
executed.


Wouldn't it better to update ima_get_action (and related functions) to 
handle the ima policy (func param)?


thanks,
 -lakshmi