[RFC] IMA: New IMA measurements for dm-crypt and selinux

Stephen Smalley stephen.smalley at gmail.com
Sat Apr 11 19:05:07 UTC 2020

On Wed, Apr 8, 2020 at 6:28 AM Tushar Sugandhi
<tusharsu at linux.microsoft.com> wrote:
> Measuring SELinux status and various SELinux policies can help ensure
> mandatory access control of the system is not compromised.
> B. Measuring selinux constructs:
>      We propose to add an IMA hook in enforcing_set() present under
>      security/selinux/include/security.h.
>      enforcing_set() sets the selinux state to enforcing/permissive etc.
>      and is called from key places like selinux_init(),
>      sel_write_enforce() etc.
>      The hook will measure various attributes related to selinux status.
>      The majority of the attributes are present in the struct selinux_state
>      present in security/selinux/include/security.h
>      e.g.
>      $sestatus
>             SELinux status:              enabled
>             SELinuxfs mount:             /sys/fs/selinux
>             SELinux root directory:      /etc/selinux
>             Loaded policy name:          default
>             Current mode:                permissive
>             Mode from config file:       permissive
>             Policy MLS status:           enabled
>             Policy deny_unknown status:  allowed
>             Memory protection checking:  requested (insecure)
>             Max kernel policy version:   32
>      The above attributes will be serialized into a set of key=value
>      pairs when passed to IMA for measurement.
>      Proposed Function Signature of the IMA hook:
>      void ima_selinux_status(void *selinux_status, int len);

This won't detect changes to any of these state variables via a kernel
write vulnerability, so it would be good to provide a way to trigger
measurement of the current values on

You'll also likely want to measure parts of the child structures of
selinux_state, e.g. selinux_ss, especially selinux_map and policydb.
You can simplify measurement of the policydb by serializing it first
via policydb_write() and hashing the result. I suppose one question is
whether you can do all of this already from userspace by just having
userspace read /sys/fs/selinux/enforce, /sys/fs/selinux/policy, etc.
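The userspace alternative raised at the end of the reply, as an added example that is not part of the original thread and not code from the RFC or from the SELinux/IMA maintainers: read the attribute files that selinuxfs already exports (enforce, mls, deny_unknown, checkreqprot, policyvers and the binary policy blob), serialize them as key=value pairs the way the RFC proposes for the in-kernel hook, and hash the result so it can be re-taken on demand and compared against an earlier measurement. The selinuxfs file names are the real kernel interfaces; the key names, the ";"-joined serialization, the choice of SHA-256 and the helper that builds a throwaway selinuxfs-like directory for offline testing are assumptions of this example.

```python
"""Measure SELinux state from userspace via selinuxfs (added example).

Not code from the RFC or the kernel; the serialization format and key names
are choices made here for illustration.
"""
import hashlib
import os
import tempfile

# Attribute files under selinuxfs (real kernel interfaces) mapped to the
# key names used in the serialized measurement (names chosen here).
ATTR_FILES = {
    "enforce": "enforce",            # 0 = permissive, 1 = enforcing
    "mls": "mls",                    # policy MLS status
    "deny_unknown": "deny_unknown",  # deny_unknown handling of the loaded policy
    "checkreqprot": "checkreqprot",  # memory protection checking mode
    "policyvers": "policyvers",      # max kernel policy version
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def read_attr(root: str, name: str) -> str:
    """Read a small text attribute file and return its trimmed contents."""
    with open(os.path.join(root, name), "rb") as f:
        return f.read().strip().decode("ascii")


def measure_selinux(root: str = "/sys/fs/selinux"):
    """Return (pairs, serialized, digest) for the SELinux state under `root`.

    pairs      - dict of key -> value as read from selinuxfs
    serialized - deterministic "k=v;k=v" encoding (keys sorted)
    digest     - SHA-256 of `serialized`, suitable for comparing over time
    The binary policy is hashed rather than embedded so the measurement
    stays small regardless of policy size.
    """
    pairs = {key: read_attr(root, fname) for fname, key in ATTR_FILES.items()}
    with open(os.path.join(root, "policy"), "rb") as f:
        pairs["policy_sha256"] = sha256_hex(f.read())
    serialized = ";".join(f"{k}={pairs[k]}" for k in sorted(pairs)).encode("ascii")
    return pairs, serialized, sha256_hex(serialized)


def measurement_changed(baseline_digest: str, root: str = "/sys/fs/selinux") -> bool:
    """Re-measure on demand and report whether anything differs from a baseline."""
    return measure_selinux(root)[2] != baseline_digest


def build_sample_selinuxfs(enforce: int = 1, mls: int = 1, deny_unknown: int = 0,
                           checkreqprot: int = 0, policyvers: int = 32,
                           policy: bytes = b"\x8c\xff\x7c\xf9constructed-policy") -> str:
    """Create a constructed selinuxfs-like directory for offline testing.

    The contents are made up for the example; the policy blob is not a
    valid SELinux binary policy, only a byte string to hash.
    """
    root = tempfile.mkdtemp(prefix="selinuxfs-example-")
    values = {
        "enforce": enforce, "mls": mls, "deny_unknown": deny_unknown,
        "checkreqprot": checkreqprot, "policyvers": policyvers,
    }
    for name, value in values.items():
        with open(os.path.join(root, name), "w") as f:
            f.write(str(value))
    with open(os.path.join(root, "policy"), "wb") as f:
        f.write(policy)
    return root


if __name__ == "__main__":
    sample = build_sample_selinuxfs()
    pairs, serialized, digest = measure_selinux(sample)
    print(serialized.decode())
    print("digest:", digest)
    # Flip the mode in the constructed tree and show the digest moves.
    with open(os.path.join(sample, "enforce"), "w") as f:
        f.write("0")
    print("changed after enforce->0:", measurement_changed(digest, sample))
```

On a real system, reading /sys/fs/selinux/policy requires privilege (the file is root-only and the read is subject to the security_read_policy check), so the measurer has to run as root; and like the proposed kernel hook, this only records what the kernel currently reports, which is exactly why the reply asks for a way to re-trigger the measurement rather than taking it once at policy load.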
