[PATCH v5 18/18] ima: Write modsig to the measurement list

Thiago Jung Bauermann bauerman at linux.vnet.ibm.com
Wed Oct 18 00:53:31 UTC 2017


Add modsig support for templates which require the contents of the file
signature to be included in the measurement list.

Suggested-by: Mimi Zohar <zohar at linux.vnet.ibm.com>
Signed-off-by: Thiago Jung Bauermann <bauerman at linux.vnet.ibm.com>
---
 security/integrity/ima/ima.h              |  8 ++++++++
 security/integrity/ima/ima_api.c          |  8 +++++++-
 security/integrity/ima/ima_main.c         | 30 +++++++++++++++++++++++++++++-
 security/integrity/ima/ima_modsig.c       | 20 +++++++++++++++++++-
 security/integrity/ima/ima_template.c     | 12 ++++++++++++
 security/integrity/ima/ima_template_lib.c | 17 +++++++++++++++--
 6 files changed, 90 insertions(+), 5 deletions(-)

diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index b082138461b3..68f471666151 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -148,6 +148,7 @@ int ima_init_crypto(void);
 void ima_putc(struct seq_file *m, void *data, int datalen);
 void ima_print_digest(struct seq_file *m, u8 *digest, u32 size);
 struct ima_template_desc *ima_template_desc_current(void);
+bool ima_current_template_has_sig(void);
 int ima_restore_measurement_entry(struct ima_template_entry *entry);
 int ima_restore_measurement_list(loff_t bufsize, void *buf);
 int ima_measurements_show(struct seq_file *m, void *v);
@@ -264,6 +265,7 @@ int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len,
 		    int *xattr_len);
 int ima_get_modsig_hash(struct evm_ima_xattr_data *hdr, enum hash_algo *algo,
 			void const **hash, u8 *len);
+int ima_modsig_serialize_data(struct evm_ima_xattr_data **data, int *data_len);
 int ima_modsig_verify(const unsigned int keyring_id,
 		      struct evm_ima_xattr_data *hdr);
 void ima_free_xattr_data(struct evm_ima_xattr_data *hdr);
@@ -334,6 +336,12 @@ static inline int ima_get_modsig_hash(struct evm_ima_xattr_data *hdr,
 	return -ENOTSUPP;
 }
 
+static inline int ima_modsig_serialize_data(struct evm_ima_xattr_data **data,
+					    int *data_len)
+{
+	return -ENOTSUPP;
+}
+
 static inline int ima_modsig_verify(const unsigned int keyring_id,
 				    struct evm_ima_xattr_data *hdr)
 {
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index c6d346e9f708..59a5b044b48b 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -284,7 +284,13 @@ void ima_store_measurement(struct integrity_iint_cache *iint,
 					    xattr_len, NULL};
 	int violation = 0;
 
-	if (iint->measured_pcrs & (0x1 << pcr))
+	/*
+	 * We still need to store the measurement in the case of MODSIG because
+	 * we only have its contents to put in the list at the time of
+	 * appraisal. See comment in process_measurement for more details.
+	 */
+	if ((iint->measured_pcrs & (0x1 << pcr)) &&
+	    (!xattr_value || xattr_value->type != IMA_MODSIG))
 		return;
 
 	result = ima_alloc_init_template(&event_data, &entry);
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 6a2d960fbd92..0d3390de7432 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -246,7 +246,35 @@ static int process_measurement(struct file *file, char *buf, loff_t size,
 		rc = ima_appraise_measurement(func, iint, file, buf, size,
 					      pathname, &xattr_value,
 					      &xattr_len, opened);
-	if (action & IMA_MEASURE)
+
+	/*
+	 * MODSIG has one corner case we need to deal with here:
+	 *
+	 * Suppose the policy has one measure rule for one hook and an appraise
+	 * rule for a different hook. Suppose also that the template requires
+	 * the signature to be stored in the measurement list.
+	 *
+	 * If a file containing a MODSIG is measured by the first hook before
+	 * being appraised by the second one, the corresponding entry in the
+	 * measurement list will not contain the MODSIG because we only fetch it
+	 * for IMA_APPRAISAL. We don't fetch it earlier because if the file has
+	 * both a DIGSIG and a MODSIG it's not possible to know which one will
+	 * be valid without actually doing the appraisal.
+	 *
+	 * Therefore, after appraisal of a MODSIG signature we need to store the
+	 * measurement again if the current template requires storing the
+	 * signature.
+	 *
+	 * With the opposite ordering (the appraise rule triggering before the
+	 * measurement rule) there is the same problem but it's not possible to
+	 * do anything about it because at the time we are appraising the
+	 * signature it's impossible to know whether a measurement will ever
+	 * need to be stored for this file.
+	 */
+	if ((action & IMA_MEASURE) || ((iint->flags & IMA_MEASURE) &&
+				       xattr_value &&
+				       xattr_value->type == IMA_MODSIG &&
+				       ima_current_template_has_sig()))
 		ima_store_measurement(iint, file, pathname,
 				      xattr_value, xattr_len, pcr);
 	if (action & IMA_AUDIT)
diff --git a/security/integrity/ima/ima_modsig.c b/security/integrity/ima/ima_modsig.c
index 2786aa97060e..82c3e2693982 100644
--- a/security/integrity/ima/ima_modsig.c
+++ b/security/integrity/ima/ima_modsig.c
@@ -27,6 +27,10 @@ struct modsig_hdr {
 	const void *data;	/* Pointer to data covered by pkcs7_msg. */
 	size_t data_len;
 	struct pkcs7_message *pkcs7_msg;
+	int raw_pkcs7_len;
+
+	/* This will be in the measurement list if required by the template. */
+	struct evm_ima_xattr_data raw_pkcs7;
 };
 
 /**
@@ -86,7 +90,7 @@ int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len,
 	sig_len = be32_to_cpu(sig->sig_len);
 	buf_len -= sig_len + sizeof(*sig);
 
-	hdr = kmalloc(sizeof(*hdr), GFP_KERNEL);
+	hdr = kmalloc(sizeof(*hdr) + sig_len, GFP_KERNEL);
 	if (!hdr)
 		return -ENOMEM;
 
@@ -97,6 +101,10 @@ int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len,
 		return rc;
 	}
 
+	memcpy(hdr->raw_pkcs7.data, buf + buf_len, sig_len);
+	hdr->raw_pkcs7_len = sig_len + 1;
+	hdr->raw_pkcs7.type = IMA_MODSIG;
+
 	hdr->type = IMA_MODSIG;
 	hdr->data = buf;
 	hdr->data_len = buf_len;
@@ -129,6 +137,16 @@ int ima_get_modsig_hash(struct evm_ima_xattr_data *hdr, enum hash_algo *algo,
 	return 0;
 }
 
+int ima_modsig_serialize_data(struct evm_ima_xattr_data **data, int *data_len)
+{
+	struct modsig_hdr *modsig = (struct modsig_hdr *) *data;
+
+	*data = &modsig->raw_pkcs7;
+	*data_len = modsig->raw_pkcs7_len;
+
+	return 0;
+}
+
 int ima_modsig_verify(const unsigned int keyring_id,
 		      struct evm_ima_xattr_data *hdr)
 {
diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c
index 3cc1d2763fd2..a5bad6996334 100644
--- a/security/integrity/ima/ima_template.c
+++ b/security/integrity/ima/ima_template.c
@@ -228,6 +228,18 @@ struct ima_template_desc *ima_template_desc_current(void)
 	return ima_template;
 }
 
+bool ima_current_template_has_sig(void)
+{
+	struct ima_template_desc *template = ima_template_desc_current();
+	int i;
+
+	for (i = 0; i < template->num_fields; i++)
+		if (!strcmp(template->fields[i]->field_id, "sig"))
+			return true;
+
+	return false;
+}
+
 int __init ima_init_template(void)
 {
 	struct ima_template_desc *template = ima_template_desc_current();
diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c
index e8ec783b6a8d..d0e85def0ae9 100644
--- a/security/integrity/ima/ima_template_lib.c
+++ b/security/integrity/ima/ima_template_lib.c
@@ -379,10 +379,23 @@ int ima_eventsig_init(struct ima_event_data *event_data,
 		      struct ima_field_data *field_data)
 {
 	struct evm_ima_xattr_data *xattr_value = event_data->xattr_value;
+	int xattr_len = event_data->xattr_len;
 
-	if (!xattr_value || xattr_value->type != EVM_IMA_XATTR_DIGSIG)
+	if (!is_ima_sig(xattr_value))
 		return 0;
 
-	return ima_write_template_field_data(xattr_value, event_data->xattr_len,
+	/*
+	 * The xattr_value for IMA_MODSIG is a runtime structure containing
+	 * pointers. Get its raw data instead.
+	 */
+	if (xattr_value->type == IMA_MODSIG) {
+		int rc;
+
+		rc = ima_modsig_serialize_data(&xattr_value, &xattr_len);
+		if (rc)
+			return rc;
+	}
+
+	return ima_write_template_field_data(xattr_value, xattr_len,
 					     DATA_FMT_HEX, field_data);
 }

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html



More information about the Linux-security-module-archive mailing list