diff options
| author | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2015-06-11 20:48:33 -0400 |
|---|---|---|
| committer | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2015-06-16 08:18:45 -0400 |
| commit | 24fd03c87695a76f0517df42a37e51b1597d2c8a (patch) | |
| tree | a08107bb7ad12b472a5b1b60cea8770211113c31 | |
| parent | 4351c294b8c1028077280f761e158d167b592974 (diff) | |
ima: update builtin policies
This patch defines a builtin measurement policy "tcb", similar to the
existing "ima_tcb", but with additional rules to also measure files
based on the effective uid and to measure files opened with the "read"
mode bit set (eg. read, read-write).
Changing the builtin "ima_tcb" policy could potentially break existing
users. Instead of defining a new separate boot command line option each
time the builtin measurement policy is modified, this patch defines a
single generic boot command line option "ima_policy=" to specify the
builtin policy and deprecates the use of the builtin ima_tcb policy.
[The "ima_policy=" boot command line option is based on Roberto Sassu's
"ima: added new policy type exec" patch.]
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Dr. Greg Wettstein <gw@idfusion.org>
Cc: stable@vger.kernel.org
| -rw-r--r-- | Documentation/kernel-parameters.txt | 10 | ||||
| -rw-r--r-- | security/integrity/ima/ima_policy.c | 65 |
2 files changed, 65 insertions, 10 deletions
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt index abc496f95220..807b765087d4 100644 --- a/Documentation/kernel-parameters.txt +++ b/Documentation/kernel-parameters.txt | |||
| @@ -1398,7 +1398,15 @@ bytes respectively. Such letter suffixes can also be entirely omitted. | |||
| 1398 | The list of supported hash algorithms is defined | 1398 | The list of supported hash algorithms is defined |
| 1399 | in crypto/hash_info.h. | 1399 | in crypto/hash_info.h. |
| 1400 | 1400 | ||
| 1401 | ima_tcb [IMA] | 1401 | ima_policy= [IMA] |
| 1402 | The builtin measurement policy to load during IMA | ||
| 1403 | setup. Specyfing "tcb" as the value, measures all | ||
| 1404 | programs exec'd, files mmap'd for exec, and all files | ||
| 1405 | opened with the read mode bit set by either the | ||
| 1406 | effective uid (euid=0) or uid=0. | ||
| 1407 | Format: "tcb" | ||
| 1408 | |||
| 1409 | ima_tcb [IMA] Deprecated. Use ima_policy= instead. | ||
| 1402 | Load a policy which meets the needs of the Trusted | 1410 | Load a policy which meets the needs of the Trusted |
| 1403 | Computing Base. This means IMA will measure all | 1411 | Computing Base. This means IMA will measure all |
| 1404 | programs exec'd, files mmap'd for exec, and all files | 1412 | programs exec'd, files mmap'd for exec, and all files |
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index b3a2038ed424..3997e206f82d 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c | |||
| @@ -44,6 +44,8 @@ enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE, | |||
| 44 | LSM_SUBJ_USER, LSM_SUBJ_ROLE, LSM_SUBJ_TYPE | 44 | LSM_SUBJ_USER, LSM_SUBJ_ROLE, LSM_SUBJ_TYPE |
| 45 | }; | 45 | }; |
| 46 | 46 | ||
| 47 | enum policy_types { ORIGINAL_TCB = 1, DEFAULT_TCB }; | ||
| 48 | |||
| 47 | struct ima_rule_entry { | 49 | struct ima_rule_entry { |
| 48 | struct list_head list; | 50 | struct list_head list; |
| 49 | int action; | 51 | int action; |
| @@ -72,7 +74,7 @@ struct ima_rule_entry { | |||
| 72 | * normal users can easily run the machine out of memory simply building | 74 | * normal users can easily run the machine out of memory simply building |
| 73 | * and running executables. | 75 | * and running executables. |
| 74 | */ | 76 | */ |
| 75 | static struct ima_rule_entry default_rules[] = { | 77 | static struct ima_rule_entry dont_measure_rules[] = { |
| 76 | {.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC}, | 78 | {.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC}, |
| 77 | {.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC}, | 79 | {.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC}, |
| 78 | {.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC}, | 80 | {.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC}, |
| @@ -83,13 +85,29 @@ static struct ima_rule_entry default_rules[] = { | |||
| 83 | {.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC}, | 85 | {.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC}, |
| 84 | {.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC, | 86 | {.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC, |
| 85 | .flags = IMA_FSMAGIC}, | 87 | .flags = IMA_FSMAGIC}, |
| 86 | {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}, | 88 | {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC} |
| 89 | }; | ||
| 90 | |||
| 91 | static struct ima_rule_entry original_measurement_rules[] = { | ||
| 92 | {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC, | ||
| 93 | .flags = IMA_FUNC | IMA_MASK}, | ||
| 94 | {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC, | ||
| 95 | .flags = IMA_FUNC | IMA_MASK}, | ||
| 96 | {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, | ||
| 97 | .uid = GLOBAL_ROOT_UID, .flags = IMA_FUNC | IMA_MASK | IMA_UID}, | ||
| 98 | {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC}, | ||
| 99 | {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC}, | ||
| 100 | }; | ||
| 101 | |||
| 102 | static struct ima_rule_entry default_measurement_rules[] = { | ||
| 87 | {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC, | 103 | {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC, |
| 88 | .flags = IMA_FUNC | IMA_MASK}, | 104 | .flags = IMA_FUNC | IMA_MASK}, |
| 89 | {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC, | 105 | {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC, |
| 90 | .flags = IMA_FUNC | IMA_MASK}, | 106 | .flags = IMA_FUNC | IMA_MASK}, |
| 91 | {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, .uid = GLOBAL_ROOT_UID, | 107 | {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, |
| 92 | .flags = IMA_FUNC | IMA_MASK | IMA_UID}, | 108 | .uid = GLOBAL_ROOT_UID, .flags = IMA_FUNC | IMA_INMASK | IMA_EUID}, |
| 109 | {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, | ||
| 110 | .uid = GLOBAL_ROOT_UID, .flags = IMA_FUNC | IMA_INMASK | IMA_UID}, | ||
| 93 | {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC}, | 111 | {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC}, |
| 94 | {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC}, | 112 | {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC}, |
| 95 | }; | 113 | }; |
| @@ -121,14 +139,29 @@ static struct list_head *ima_rules; | |||
| 121 | 139 | ||
| 122 | static DEFINE_MUTEX(ima_rules_mutex); | 140 | static DEFINE_MUTEX(ima_rules_mutex); |
| 123 | 141 | ||
| 124 | static bool ima_use_tcb __initdata; | 142 | static int ima_policy __initdata; |
| 125 | static int __init default_measure_policy_setup(char *str) | 143 | static int __init default_measure_policy_setup(char *str) |
| 126 | { | 144 | { |
| 127 | ima_use_tcb = 1; | 145 | if (ima_policy) |
| 146 | return 1; | ||
| 147 | |||
| 148 | ima_policy = ORIGINAL_TCB; | ||
| 128 | return 1; | 149 | return 1; |
| 129 | } | 150 | } |
| 130 | __setup("ima_tcb", default_measure_policy_setup); | 151 | __setup("ima_tcb", default_measure_policy_setup); |
| 131 | 152 | ||
| 153 | static int __init policy_setup(char *str) | ||
| 154 | { | ||
| 155 | if (ima_policy) | ||
| 156 | return 1; | ||
| 157 | |||
| 158 | if (strcmp(str, "tcb") == 0) | ||
| 159 | ima_policy = DEFAULT_TCB; | ||
| 160 | |||
| 161 | return 1; | ||
| 162 | } | ||
| 163 | __setup("ima_policy=", policy_setup); | ||
| 164 | |||
| 132 | static bool ima_use_appraise_tcb __initdata; | 165 | static bool ima_use_appraise_tcb __initdata; |
| 133 | static int __init default_appraise_policy_setup(char *str) | 166 | static int __init default_appraise_policy_setup(char *str) |
| 134 | { | 167 | { |
| @@ -352,13 +385,27 @@ void __init ima_init_policy(void) | |||
| 352 | { | 385 | { |
| 353 | int i, measure_entries, appraise_entries; | 386 | int i, measure_entries, appraise_entries; |
| 354 | 387 | ||
| 355 | /* if !ima_use_tcb set entries = 0 so we load NO default rules */ | 388 | /* if !ima_policy set entries = 0 so we load NO default rules */ |
| 356 | measure_entries = ima_use_tcb ? ARRAY_SIZE(default_rules) : 0; | 389 | measure_entries = ima_policy ? ARRAY_SIZE(dont_measure_rules) : 0; |
| 357 | appraise_entries = ima_use_appraise_tcb ? | 390 | appraise_entries = ima_use_appraise_tcb ? |
| 358 | ARRAY_SIZE(default_appraise_rules) : 0; | 391 | ARRAY_SIZE(default_appraise_rules) : 0; |
| 359 | 392 | ||
| 360 | for (i = 0; i < measure_entries; i++) | 393 | for (i = 0; i < measure_entries; i++) |
| 361 | list_add_tail(&default_rules[i].list, &ima_default_rules); | 394 | list_add_tail(&dont_measure_rules[i].list, &ima_default_rules); |
| 395 | |||
| 396 | switch (ima_policy) { | ||
| 397 | case ORIGINAL_TCB: | ||
| 398 | for (i = 0; i < ARRAY_SIZE(original_measurement_rules); i++) | ||
| 399 | list_add_tail(&original_measurement_rules[i].list, | ||
| 400 | &ima_default_rules); | ||
| 401 | break; | ||
| 402 | case DEFAULT_TCB: | ||
| 403 | for (i = 0; i < ARRAY_SIZE(default_measurement_rules); i++) | ||
| 404 | list_add_tail(&default_measurement_rules[i].list, | ||
| 405 | &ima_default_rules); | ||
| 406 | default: | ||
| 407 | break; | ||
| 408 | } | ||
| 362 | 409 | ||
| 363 | for (i = 0; i < appraise_entries; i++) { | 410 | for (i = 0; i < appraise_entries; i++) { |
| 364 | list_add_tail(&default_appraise_rules[i].list, | 411 | list_add_tail(&default_appraise_rules[i].list, |