ima: Introduce exec_tcb policy

hulk inclusion category: feature feature: IMA Digest Lists extension bugzilla: 46797 ------------------------------------------------- This patch introduces a new hard-coded policy to measure executable code: dont_measure fsmagic=0x9fa0 dont_measure fsmagic=0x62656572 dont_measure fsmagic=0x64626720 dont_measure fsmagic=0x1cd1 dont_measure fsmagic=0x42494e4d dont_measure fsmagic=0x73636673 dont_measure fsmagic=0xf97cff8c dont_measure fsmagic=0x43415d53 dont_measure fsmagic=0x27e0eb dont_measure fsmagic=0x63677270 dont_measure fsmagic=0x6e736673 measure func=MMAP_CHECK mask=MAY_EXEC measure func=BPRM_CHECK mask=MAY_EXEC measure func=MODULE_CHECK measure func=FIRMWARE_CHECK measure func=POLICY_CHECK measure func=DIGEST_LIST_CHECK It can be selected by specifying ima_policy=exec_tcb in the kernel command line. Files in tmpfs are not excluded from measurement. Signed-off-by: N Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: N Tianxing Zhang <zhangtianxing3@huawei.com> Reviewed-by: N Jason Yan <yanaijie@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>

ima: Introduce exec_tcb policy
hulk inclusion category: feature feature: IMA Digest Lists extension bugzilla: 46797 ------------------------------------------------- This patch introduces a new hard-coded policy to measure executable code: dont_measure fsmagic=0x9fa0 dont_measure fsmagic=0x62656572 dont_measure fsmagic=0x64626720 dont_measure fsmagic=0x1cd1 dont_measure fsmagic=0x42494e4d dont_measure fsmagic=0x73636673 dont_measure fsmagic=0xf97cff8c dont_measure fsmagic=0x43415d53 dont_measure fsmagic=0x27e0eb dont_measure fsmagic=0x63677270 dont_measure fsmagic=0x6e736673 measure func=MMAP_CHECK mask=MAY_EXEC measure func=BPRM_CHECK mask=MAY_EXEC measure func=MODULE_CHECK measure func=FIRMWARE_CHECK measure func=POLICY_CHECK measure func=DIGEST_LIST_CHECK It can be selected by specifying ima_policy=exec_tcb in the kernel command line. Files in tmpfs are not excluded from measurement. Signed-off-by: N Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: N Tianxing Zhang <zhangtianxing3@huawei.com> Reviewed-by: N Jason Yan <yanaijie@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>
cb40a9b7 · Roberto Sassu · Zheng Zengkai · d1fdcdba · cb40a9b7 · cb40a9b7
隐藏空白更改
内联并排

Showing with 24 addition and 3 deletion

Documentation/admin-guide/kernel-parameters.txt Documentation/admin-guide/kernel-parameters.txt +5 -0

security/integrity/ima/ima_policy.c security/integrity/ima/ima_policy.c +19 -3

未找到文件。
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -1781,6 +1781,11 @@
 			mode bit set by either the effective uid (euid=0) or
 			uid=0.
+			The "exec_tcb" policy is similar to the "tcb" policy
+			except for file open, which is not considered. Files
+			in the tmpfs filesystem are not excluded from
+			measurement.
 			The "appraise_tcb" policy appraises the integrity of
 			all files owned by root.

--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -56,7 +56,7 @@ enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE,
 	LSM_SUBJ_USER, LSM_SUBJ_ROLE, LSM_SUBJ_TYPE
 };
-enum policy_types { ORIGINAL_TCB = 1, DEFAULT_TCB };
+enum policy_types { ORIGINAL_TCB = 1, DEFAULT_TCB, EXEC_TCB };
 enum policy_rule_list { IMA_DEFAULT_POLICY = 1, IMA_CUSTOM_POLICY };
@@ -239,6 +239,8 @@ static int __init policy_setup(char *str)
 			continue;
 		if ((strcmp(p, "tcb") == 0) && !ima_policy)
 			ima_policy = DEFAULT_TCB;
+		else if ((strcmp(p, "exec_tcb") == 0) && !ima_policy)
+			ima_policy = EXEC_TCB;
 		else if (strcmp(p, "appraise_tcb") == 0)
 			ima_use_appraise_tcb = true;
 		else if (strcmp(p, "secure_boot") == 0)
@@ -709,14 +711,26 @@ static int ima_appraise_flag(enum ima_hooks func)
 	return 0;
 }
-static void add_rules(struct ima_rule_entry *entries, int count,
+static void __init add_rules(struct ima_rule_entry *entries, int count,
-		      enum policy_rule_list policy_rule)
+			     enum policy_rule_list policy_rule)
 {
 	int i = 0;
 	for (i = 0; i < count; i++) {
 		struct ima_rule_entry *entry;
+		if (ima_policy == EXEC_TCB) {
+			if (entries == dont_measure_rules)
+				if ((entries[i].flags & IMA_FSMAGIC) &&
+				    entries[i].fsmagic == TMPFS_MAGIC)
+					continue;
+			if (entries == default_measurement_rules)
+				if ((entries[i].flags & IMA_FUNC) &&
+				    entries[i].func == FILE_CHECK)
+					continue;
+		}
 		if (policy_rule & IMA_DEFAULT_POLICY)
 			list_add_tail(&entries[i].list, &ima_default_rules);
@@ -803,6 +817,8 @@ void __init ima_init_policy(void)
 			  ARRAY_SIZE(original_measurement_rules),
 			  IMA_DEFAULT_POLICY);
 		break;
+	case EXEC_TCB:
+		fallthrough;
 	case DEFAULT_TCB:
 		add_rules(default_measurement_rules,
 			  ARRAY_SIZE(default_measurement_rules),