ima: Check against blacklisted hashes for files with modsig

author Nayna Jain <nayna@linux.ibm.com>

Thu, 31 Oct 2019 03:31:32 +0000 (23:31 -0400)

committer Michael Ellerman <mpe@ellerman.id.au>

Tue, 12 Nov 2019 01:25:50 +0000 (12:25 +1100)
author Nayna Jain <nayna@linux.ibm.com>
Thu, 31 Oct 2019 03:31:32 +0000 (23:31 -0400)
committer Michael Ellerman <mpe@ellerman.id.au>
Tue, 12 Nov 2019 01:25:50 +0000 (12:25 +1100)
diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy

index 29ebe9afdac42c9148b1a54a90f0a92154ee63f5..29aaedf332461cb5256f7fe0d792a179f6cb6b39 100644 (file)
--- a/Documentation/ABI/testing/ima_policy
+++ b/Documentation/ABI/testing/ima_policy
@@ -25,6 +25,7 @@ Description:
                         lsm:    [[subj_user=] [subj_role=] [subj_type=]
                                  [obj_user=] [obj_role=] [obj_type=]]
                         option: [[appraise_type=]] [template=] [permit_directio]
+                               [appraise_flag=]
                 base:   func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]
                                 [FIRMWARE_CHECK]
                                 [KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
@@ -38,6 +39,9 @@ Description:
                         fowner:= decimal value
                 lsm:    are LSM specific
                 option: appraise_type:= [imasig] [imasig|modsig]
+                       appraise_flag:= [check_blacklist]
+                       Currently, blacklist check is only for files signed with appended
+                       signature.
                         template:= name of a defined IMA template type
                         (eg, ima-ng). Only valid when action is "measure".
                         pcr:= decimal value
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h

index a65772ffa427eed5d0b9c2353cbc9176acb632b7..df4ca482fb53c4893c5c808d238774515e8795b2 100644 (file)
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -256,6 +256,8 @@ int ima_policy_show(struct seq_file *m, void *v);
  #define IMA_APPRAISE_KEXEC     0x40
  
  #ifdef CONFIG_IMA_APPRAISE
+int ima_check_blacklist(struct integrity_iint_cache *iint,
+                       const struct modsig *modsig, int pcr);
  int ima_appraise_measurement(enum ima_hooks func,
                              struct integrity_iint_cache *iint,
                              struct file *file, const unsigned char *filename,
@@ -271,6 +273,12 @@ int ima_read_xattr(struct dentry *dentry,
                    struct evm_ima_xattr_data **xattr_value);
  
  #else
+static inline int ima_check_blacklist(struct integrity_iint_cache *iint,
+                                     const struct modsig *modsig, int pcr)
+{
+       return 0;
+}
+
  static inline int ima_appraise_measurement(enum ima_hooks func,
                                            struct integrity_iint_cache *iint,
                                            struct file *file,
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c

index 136ae4e0ee92124c219e9c031060db439f1b4d54..300c8d2943c573e2bd8cb5540656d9b12100aac3 100644 (file)
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -12,6 +12,7 @@
  #include <linux/magic.h>
  #include <linux/ima.h>
  #include <linux/evm.h>
+#include <keys/system_keyring.h>
  
  #include "ima.h"
  
@@ -303,6 +304,38 @@ static int modsig_verify(enum ima_hooks func, const struct modsig *modsig,
         return rc;
  }
  
+/*
+ * ima_check_blacklist - determine if the binary is blacklisted.
+ *
+ * Add the hash of the blacklisted binary to the measurement list, based
+ * on policy.
+ *
+ * Returns -EPERM if the hash is blacklisted.
+ */
+int ima_check_blacklist(struct integrity_iint_cache *iint,
+                       const struct modsig *modsig, int pcr)
+{
+       enum hash_algo hash_algo;
+       const u8 *digest = NULL;
+       u32 digestsize = 0;
+       int rc = 0;
+
+       if (!(iint->flags & IMA_CHECK_BLACKLIST))
+               return 0;
+
+       if (iint->flags & IMA_MODSIG_ALLOWED && modsig) {
+               ima_get_modsig_digest(modsig, &hash_algo, &digest, &digestsize);
+
+               rc = is_binary_blacklisted(digest, digestsize);
+               if ((rc == -EPERM) && (iint->flags & IMA_MEASURE))
+                       process_buffer_measurement(digest, digestsize,
+                                                  "blacklisted-hash", NONE,
+                                                  pcr);
+       }
+
+       return rc;
+}
+
  /*
   * ima_appraise_measurement - appraise file measurement
   *
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c

index a26e3ad4e886ccd3cf8ccd53f37776e1b42144bc..d7e987baf127419cfe40288aff333c5b474e29fa 100644 (file)
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -335,10 +335,14 @@ static int process_measurement(struct file *file, const struct cred *cred,
                                       xattr_value, xattr_len, modsig, pcr,
                                       template_desc);
         if (rc == 0 && (action & IMA_APPRAISE_SUBMASK)) {
-               inode_lock(inode);
-               rc = ima_appraise_measurement(func, iint, file, pathname,
-                                             xattr_value, xattr_len, modsig);
-               inode_unlock(inode);
+               rc = ima_check_blacklist(iint, modsig, pcr);
+               if (rc != -EPERM) {
+                       inode_lock(inode);
+                       rc = ima_appraise_measurement(func, iint, file,
+                                                     pathname, xattr_value,
+                                                     xattr_len, modsig);
+                       inode_unlock(inode);
+               }
                 if (!rc)
                         rc = mmap_violation_check(func, file, &pathbuf,
                                                   &pathname, filename);
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c

index 5380aca2b35181b1c1788bd09f7065539b98a995..f19a895ad7cdf6c9bf24e05ffc6ee394ab3363ab 100644 (file)
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -765,8 +765,8 @@ enum {
         Opt_fsuuid, Opt_uid_eq, Opt_euid_eq, Opt_fowner_eq,
         Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt,
         Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt,
-       Opt_appraise_type, Opt_permit_directio,
-       Opt_pcr, Opt_template, Opt_err
+       Opt_appraise_type, Opt_appraise_flag,
+       Opt_permit_directio, Opt_pcr, Opt_template, Opt_err
  };
  
  static const match_table_t policy_tokens = {
@@ -798,6 +798,7 @@ static const match_table_t policy_tokens = {
         {Opt_euid_lt, "euid<%s"},
         {Opt_fowner_lt, "fowner<%s"},
         {Opt_appraise_type, "appraise_type=%s"},
+       {Opt_appraise_flag, "appraise_flag=%s"},
         {Opt_permit_directio, "permit_directio"},
         {Opt_pcr, "pcr=%s"},
         {Opt_template, "template=%s"},
@@ -1172,6 +1173,11 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
                         else
                                 result = -EINVAL;
                         break;
+               case Opt_appraise_flag:
+                       ima_log_string(ab, "appraise_flag", args[0].from);
+                       if (strstr(args[0].from, "blacklist"))
+                               entry->flags |= IMA_CHECK_BLACKLIST;
+                       break;
                 case Opt_permit_directio:
                         entry->flags |= IMA_PERMIT_DIRECTIO;
                         break;
@@ -1500,6 +1506,8 @@ int ima_policy_show(struct seq_file *m, void *v)
                 else
                         seq_puts(m, "appraise_type=imasig ");
         }
+       if (entry->flags & IMA_CHECK_BLACKLIST)
+               seq_puts(m, "appraise_flag=check_blacklist ");
         if (entry->flags & IMA_PERMIT_DIRECTIO)
                 seq_puts(m, "permit_directio ");
         rcu_read_unlock();
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h

index d9323d31a3a83c207297ae79d1a568ecf4955643..73fc286834d7bc368914d3f8056da80d80d975bc 100644 (file)
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -32,6 +32,7 @@
  #define EVM_IMMUTABLE_DIGSIG   0x08000000
  #define IMA_FAIL_UNVERIFIABLE_SIGS     0x10000000
  #define IMA_MODSIG_ALLOWED     0x20000000
+#define IMA_CHECK_BLACKLIST    0x40000000
  
  #define IMA_DO_MASK            (IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \
                                  IMA_HASH | IMA_APPRAISE_SUBMASK)
author	Nayna Jain <nayna@linux.ibm.com>
	Thu, 31 Oct 2019 03:31:32 +0000 (23:31 -0400)
committer	Michael Ellerman <mpe@ellerman.id.au>
	Tue, 12 Nov 2019 01:25:50 +0000 (12:25 +1100)
Documentation/ABI/testing/ima_policy		patch \| blob \| history
security/integrity/ima/ima.h		patch \| blob \| history
security/integrity/ima/ima_appraise.c		patch \| blob \| history
security/integrity/ima/ima_main.c		patch \| blob \| history
security/integrity/ima/ima_policy.c		patch \| blob \| history
security/integrity/integrity.h		patch \| blob \| history