[PATCH v6 1/4] IMA: Add func to measure LSM state and policy

Mimi Zohar zohar at linux.ibm.com
Wed Aug 5 13:19:51 UTC 2020 

On Wed, 2020-08-05 at 09:03 -0400, Stephen Smalley wrote:
> On Wed, Aug 5, 2020 at 8:57 AM Mimi Zohar <zohar at linux.ibm.com> wrote:
> > On Wed, 2020-08-05 at 08:46 -0400, Stephen Smalley wrote:
> > > On 8/4/20 11:25 PM, Mimi Zohar wrote:
> > > 
> > > > Hi Lakshmi,
> > > > 
> > > > There's still  a number of other patch sets needing to be reviewed
> > > > before my getting to this one.  The comment below is from a high level.
> > > > 
> > > > On Tue, 2020-08-04 at 17:43 -0700, Lakshmi Ramasubramanian wrote:
> > > > > Critical data structures of security modules need to be measured to
> > > > > enable an attestation service to verify if the configuration and
> > > > > policies for the security modules have been setup correctly and
> > > > > that they haven't been tampered with at runtime. A new IMA policy is
> > > > > required for handling this measurement.
> > > > > 
> > > > > Define two new IMA policy func namely LSM_STATE and LSM_POLICY to
> > > > > measure the state and the policy provided by the security modules.
> > > > > Update ima_match_rules() and ima_validate_rule() to check for
> > > > > the new func and ima_parse_rule() to handle the new func.
> > > > I can understand wanting to measure the in kernel LSM memory state to
> > > > make sure it hasn't changed, but policies are stored as files.  Buffer
> > > > measurements should be limited  to those things that are not files.
> > > > 
> > > > Changing how data is passed to the kernel has been happening for a
> > > > while.  For example, instead of passing the kernel module or kernel
> > > > image in a buffer, the new syscalls - finit_module, kexec_file_load -
> > > > pass an open file descriptor.  Similarly, instead of loading the IMA
> > > > policy data, a pathname may be provided.
> > > > 
> > > > Pre and post security hooks already exist for reading files.   Instead
> > > > of adding IMA support for measuring the policy file data, update the
> > > > mechanism for loading the LSM policy.  Then not only will you be able
> > > > to measure the policy, you'll also be able to require the policy be
> > > > signed.
> > > 
> > > To clarify, the policy being measured by this patch series is a
> > > serialized representation of the in-memory policy data structures being
> > > enforced by SELinux.  Not the file that was loaded.  Hence, this
> > > measurement would detect tampering with the in-memory policy data
> > > structures after the policy has been loaded.  In the case of SELinux,
> > > one can read this serialized representation via /sys/fs/selinux/policy.
> > > The result is not byte-for-byte identical to the policy file that was
> > > loaded but can be semantically compared via sediff and other tools to
> > > determine whether it is equivalent.
> > 
> > Thank you for the clarification.   Could the policy hash be included
> > with the other critical data?  Does it really need to be measured
> > independently?
> 
> They were split into two separate functions because we wanted to be
> able to support using different templates for them (ima-buf for the
> state variables so that the measurement includes the original buffer,
> which is small and relatively fixed-size, and ima-ng for the policy
> because it is large and we just want to capture the hash for later
> comparison against known-good).  Also, the state variables are
> available for measurement always from early initialization, whereas
> the policy is only available for measurement once we have loaded an
> initial policy.

Ok, measuring the policy separately from other critical data makes
sense.  Instead of measuring the policy, which is large, measure the
policy hash.

Mimi

More information about the Linux-security-module-archive mailing list