aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorEric Paris <eparis@redhat.com>2009-05-21 15:47:06 -0400
committerJames Morris <jmorris@namei.org>2009-05-21 19:31:20 -0400
commit5789ba3bd0a3cd20df5980ebf03358f2eb44fd67 (patch)
tree4ad5dc0496f0d6bc06e9614ff5edbc0400fcdb5d
parentc5642f4bbae30122beb696e723f6da273caa570e (diff)
IMA: Minimal IMA policy and boot param for TCB IMA policy
The IMA TCB policy is dangerous. A normal use can use all of a system's memory (which cannot be freed) simply by building and running lots of executables. The TCB policy is also nearly useless because logging in as root often causes a policy violation when dealing with utmp, thus rendering the measurements meaningless. There is no good fix for this in the kernel. A full TCB policy would need to be loaded in userspace using LSM rule matching to get both a protected and useful system. But, if too little is measured before userspace can load a real policy one again ends up with a meaningless set of measurements. One option would be to put the policy load inside the initrd in order to get it early enough in the boot sequence to be useful, but this runs into trouble with the LSM. For IMA to measure the LSM policy and the LSM policy loading mechanism it needs rules to do so, but we already talked about problems with defaulting to such broad rules.... IMA also depends on the files being measured to be on an FS which implements and supports i_version. Since the only FS with this support (ext4) doesn't even use it by default it seems silly to have any IMA rules by default. This should reduce the performance overhead of IMA to near 0 while still letting users who choose to configure their machine as such to inclue the ima_tcb kernel paramenter and get measurements during boot before they can load a customized, reasonable policy in userspace. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Mimi Zohar <zohar@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r--Documentation/kernel-parameters.txt6
-rw-r--r--security/integrity/ima/ima_policy.c30
2 files changed, 33 insertions, 3 deletions
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
index e87bdbfbcc75..d9a24a04cfb1 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -914,6 +914,12 @@ and is between 256 and 4096 characters. It is defined in the file
914 Formt: { "sha1" | "md5" } 914 Formt: { "sha1" | "md5" }
915 default: "sha1" 915 default: "sha1"
916 916
917 ima_tcb [IMA]
918 Load a policy which meets the needs of the Trusted
919 Computing Base. This means IMA will measure all
920 programs exec'd, files mmap'd for exec, and all files
921 opened for read by uid=0.
922
917 in2000= [HW,SCSI] 923 in2000= [HW,SCSI]
918 See header of drivers/scsi/in2000.c. 924 See header of drivers/scsi/in2000.c.
919 925
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 31d677f7c65f..4719bbf1641a 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -45,9 +45,17 @@ struct ima_measure_rule_entry {
45 } lsm[MAX_LSM_RULES]; 45 } lsm[MAX_LSM_RULES];
46}; 46};
47 47
48/* Without LSM specific knowledge, the default policy can only be 48/*
49 * Without LSM specific knowledge, the default policy can only be
49 * written in terms of .action, .func, .mask, .fsmagic, and .uid 50 * written in terms of .action, .func, .mask, .fsmagic, and .uid
50 */ 51 */
52
53/*
54 * The minimum rule set to allow for full TCB coverage. Measures all files
55 * opened or mmap for exec and everything read by root. Dangerous because
56 * normal users can easily run the machine out of memory simply building
57 * and running executables.
58 */
51static struct ima_measure_rule_entry default_rules[] = { 59static struct ima_measure_rule_entry default_rules[] = {
52 {.action = DONT_MEASURE,.fsmagic = PROC_SUPER_MAGIC,.flags = IMA_FSMAGIC}, 60 {.action = DONT_MEASURE,.fsmagic = PROC_SUPER_MAGIC,.flags = IMA_FSMAGIC},
53 {.action = DONT_MEASURE,.fsmagic = SYSFS_MAGIC,.flags = IMA_FSMAGIC}, 61 {.action = DONT_MEASURE,.fsmagic = SYSFS_MAGIC,.flags = IMA_FSMAGIC},
@@ -59,6 +67,8 @@ static struct ima_measure_rule_entry default_rules[] = {
59 .flags = IMA_FUNC | IMA_MASK}, 67 .flags = IMA_FUNC | IMA_MASK},
60 {.action = MEASURE,.func = BPRM_CHECK,.mask = MAY_EXEC, 68 {.action = MEASURE,.func = BPRM_CHECK,.mask = MAY_EXEC,
61 .flags = IMA_FUNC | IMA_MASK}, 69 .flags = IMA_FUNC | IMA_MASK},
70 {.action = MEASURE,.func = PATH_CHECK,.mask = MAY_READ,.uid = 0,
71 .flags = IMA_FUNC | IMA_MASK | IMA_UID},
62}; 72};
63 73
64static LIST_HEAD(measure_default_rules); 74static LIST_HEAD(measure_default_rules);
@@ -67,6 +77,14 @@ static struct list_head *ima_measure;
67 77
68static DEFINE_MUTEX(ima_measure_mutex); 78static DEFINE_MUTEX(ima_measure_mutex);
69 79
80static bool ima_use_tcb __initdata;
81static int __init default_policy_setup(char *str)
82{
83 ima_use_tcb = 1;
84 return 1;
85}
86__setup("ima_tcb", default_policy_setup);
87
70/** 88/**
71 * ima_match_rules - determine whether an inode matches the measure rule. 89 * ima_match_rules - determine whether an inode matches the measure rule.
72 * @rule: a pointer to a rule 90 * @rule: a pointer to a rule
@@ -162,9 +180,15 @@ int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask)
162 */ 180 */
163void ima_init_policy(void) 181void ima_init_policy(void)
164{ 182{
165 int i; 183 int i, entries;
184
185 /* if !ima_use_tcb set entries = 0 so we load NO default rules */
186 if (ima_use_tcb)
187 entries = ARRAY_SIZE(default_rules);
188 else
189 entries = 0;
166 190
167 for (i = 0; i < ARRAY_SIZE(default_rules); i++) 191 for (i = 0; i < entries; i++)
168 list_add_tail(&default_rules[i].list, &measure_default_rules); 192 list_add_tail(&default_rules[i].list, &measure_default_rules);
169 ima_measure = &measure_default_rules; 193 ima_measure = &measure_default_rules;
170} 194}