提交 ab8c2a63 编写于 作者: R Roberto Sassu 提交者: Zheng Zengkai

ima: Add meta_immutable appraisal type

hulk inclusion
category: feature
feature: IMA Digest Lists extension
bugzilla: 46797

-------------------------------------------------

Currently, IMA supports the appraise_type=imasig option in the policy to
require file signatures. This patch introduces the new option
appraise_type=meta_immutable to require that file metadata are signed and
immutable. This requirement can be satisfied by portable signatures and
by digest lists if they are marked as immutable.

The main purpose of this option is to ensure that file metadata are correct
at the time of access, so that policies relying on labels can be correctly
enforced. For example, requiring immutable metadata would prevent an
administrator from altering the label assigned to a process during
execve() by changing the label of the executable.
Signed-off-by: NRoberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: NTianxing Zhang <zhangtianxing3@huawei.com>
Reviewed-by: NJason Yan <yanaijie@huawei.com>
Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
上级 f51e0ce9
...@@ -457,6 +457,15 @@ int ima_appraise_measurement(enum ima_hooks func, ...@@ -457,6 +457,15 @@ int ima_appraise_measurement(enum ima_hooks func,
WARN_ONCE(true, "Unexpected integrity status %d\n", status); WARN_ONCE(true, "Unexpected integrity status %d\n", status);
} }
if ((iint->flags & IMA_META_IMMUTABLE_REQUIRED) &&
status != INTEGRITY_PASS_IMMUTABLE) {
status = INTEGRITY_FAIL;
cause = "metadata-modifiable";
integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode,
filename, op, cause, rc, 0);
goto out;
}
if (xattr_value) if (xattr_value)
rc = xattr_verify(func, iint, xattr_value, xattr_len, &status, rc = xattr_verify(func, iint, xattr_value, xattr_len, &status,
&cause, found_digest); &cause, found_digest);
......
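Review bot: The new check at the top of the hunk accepts only INTEGRITY_PASS_IMMUTABLE, so every other outcome of the preceding EVM evaluation — presumably including the cases where security.evm is absent or EVM is not enabled — is audited with cause "metadata-modifiable", which is fail-closed but misleading for whoever triages the audit record; either pick a cause that names the actual status or add above the if: `/* meta_immutable needs an EVM-verified, immutable security.evm; any other status fails closed */`. The integrity_audit_msg() call also passes the `rc` left by earlier code rather than a value tied to this failure, so the record's result field may be unrelated to the cause. After `goto out`, if the out: label's fix-mode path (outside the hunk) can reset status to INTEGRITY_PASS via ima_fix_xattr() under ima_appraise=fix, it would mask this failure; confirm that path is excluded for this flag. ima_appraise_measurement() starts and ends outside the hunk.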
...@@ -1044,7 +1044,8 @@ static bool ima_validate_rule(struct ima_rule_entry *entry) ...@@ -1044,7 +1044,8 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
return false; return false;
if (entry->action != APPRAISE && if (entry->action != APPRAISE &&
entry->flags & (IMA_DIGSIG_REQUIRED | IMA_MODSIG_ALLOWED | IMA_CHECK_BLACKLIST)) entry->flags & (IMA_DIGSIG_REQUIRED | IMA_MODSIG_ALLOWED |
IMA_CHECK_BLACKLIST | IMA_META_IMMUTABLE_REQUIRED))
return false; return false;
/* /*
...@@ -1075,7 +1076,8 @@ static bool ima_validate_rule(struct ima_rule_entry *entry) ...@@ -1075,7 +1076,8 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
IMA_UID | IMA_FOWNER | IMA_FSUUID | IMA_UID | IMA_FOWNER | IMA_FSUUID |
IMA_INMASK | IMA_EUID | IMA_PCR | IMA_INMASK | IMA_EUID | IMA_PCR |
IMA_FSNAME | IMA_DIGSIG_REQUIRED | IMA_FSNAME | IMA_DIGSIG_REQUIRED |
IMA_PERMIT_DIRECTIO)) IMA_PERMIT_DIRECTIO |
IMA_META_IMMUTABLE_REQUIRED))
return false; return false;
break; break;
...@@ -1087,7 +1089,8 @@ static bool ima_validate_rule(struct ima_rule_entry *entry) ...@@ -1087,7 +1089,8 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
IMA_INMASK | IMA_EUID | IMA_PCR | IMA_INMASK | IMA_EUID | IMA_PCR |
IMA_FSNAME | IMA_DIGSIG_REQUIRED | IMA_FSNAME | IMA_DIGSIG_REQUIRED |
IMA_PERMIT_DIRECTIO | IMA_MODSIG_ALLOWED | IMA_PERMIT_DIRECTIO | IMA_MODSIG_ALLOWED |
IMA_CHECK_BLACKLIST)) IMA_CHECK_BLACKLIST |
IMA_META_IMMUTABLE_REQUIRED))
return false; return false;
break; break;
...@@ -1432,6 +1435,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) ...@@ -1432,6 +1435,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
strcmp(args[0].from, "imasig|modsig") == 0) strcmp(args[0].from, "imasig|modsig") == 0)
entry->flags |= IMA_DIGSIG_REQUIRED | entry->flags |= IMA_DIGSIG_REQUIRED |
IMA_MODSIG_ALLOWED; IMA_MODSIG_ALLOWED;
else if (strcmp(args[0].from, "meta_immutable") == 0)
entry->flags |= IMA_META_IMMUTABLE_REQUIRED;
else else
result = -EINVAL; result = -EINVAL;
break; break;
...@@ -1782,6 +1787,8 @@ int ima_policy_show(struct seq_file *m, void *v) ...@@ -1782,6 +1787,8 @@ int ima_policy_show(struct seq_file *m, void *v)
} }
if (entry->flags & IMA_CHECK_BLACKLIST) if (entry->flags & IMA_CHECK_BLACKLIST)
seq_puts(m, "appraise_flag=check_blacklist "); seq_puts(m, "appraise_flag=check_blacklist ");
if (entry->flags & IMA_META_IMMUTABLE_REQUIRED)
seq_puts(m, "appraise_type=meta_immutable ");
if (entry->flags & IMA_PERMIT_DIRECTIO) if (entry->flags & IMA_PERMIT_DIRECTIO)
seq_puts(m, "permit_directio "); seq_puts(m, "permit_directio ");
rcu_read_unlock(); rcu_read_unlock();
......
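Review bot: The ima_parse_rule hunk accepts `meta_immutable` only as a standalone `appraise_type=` value (exact strcmp in the new else-if), so a rule that wants both a file signature and immutable metadata must presumably repeat `appraise_type=`; that is also the form the ima_policy_show hunk emits, since it prints `appraise_type=meta_immutable ` as a separate token after the existing appraise_type output. Confirm against the duplicate-option handling earlier in the Opt_appraise_type case (outside the hunk) that a repeated `appraise_type=` is accepted, otherwise the show output does not round-trip through the parser, and add `/* combinable with imasig via a second appraise_type= option */` at the new branch once confirmed. The new keyword is not described in the policy ABI documentation (Documentation/ABI/testing/ima_policy, if this tree carries it), which the commit does not touch. The ima_validate_rule hunks add the flag to the allowed masks of the hook branches visible here; any hook branches not shown would keep rejecting it, which looks intended but deserves a sentence in the commit message.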
...@@ -40,6 +40,7 @@ ...@@ -40,6 +40,7 @@
#define IMA_FAIL_UNVERIFIABLE_SIGS 0x10000000 #define IMA_FAIL_UNVERIFIABLE_SIGS 0x10000000
#define IMA_MODSIG_ALLOWED 0x20000000 #define IMA_MODSIG_ALLOWED 0x20000000
#define IMA_CHECK_BLACKLIST 0x40000000 #define IMA_CHECK_BLACKLIST 0x40000000
#define IMA_META_IMMUTABLE_REQUIRED 0x80000000
#define IMA_DO_MASK (IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \ #define IMA_DO_MASK (IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \
IMA_HASH | IMA_APPRAISE_SUBMASK) IMA_HASH | IMA_APPRAISE_SUBMASK)
......
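Review bot: The new define at the end of the hunk has no comment although its meaning is not recoverable from the name; add `/* appraise_type=meta_immutable: metadata must be EVM-signed and immutable (INTEGRITY_PASS_IMMUTABLE) */`. It also occupies bit 31, the last bit of a 32-bit flag value: the literal 0x80000000 has type unsigned int, so OR-ing it into an unsigned long flags field is fine, but the next flag will need the flag word or the related masks widened. If this header defines an action-flags mask over the 0xff000000 range (outside the hunk), confirm it already covers bit 31 so the new flag is preserved or cleared together with its siblings.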