Thread: 28 messages, 2 authors, 2019-05-28

Re: [PATCH v10 12/12] ima: Store the measurement again when appraising a modsig

From: Mimi Zohar <zohar@linux.ibm.com>
Date: 2019-05-28 14:19:57
Also in: keyrings, linux-crypto, linux-doc, linux-integrity, linuxppc-dev, lkml

Hi Thiago,

On Thu, 2019-04-18 at 00:51 -0300, Thiago Jung Bauermann wrote:
If the IMA template contains the "modsig" or "d-modsig" field, then the
modsig should be added to the measurement list when the file is appraised.

And that is what normally happens, but if a measurement rule caused a file
containing a modsig to be measured before a different rule causes it to be
appraised, the resulting measurement entry will not contain the modsig
because it is only fetched during appraisal. When the appraisal rule
triggers, it won't store a new measurement containing the modsig because
the file was already measured.

We need to detect that situation and store an additional measurement with
the modsig. This is done by adding an IMA_MEASURE action flag if we read a
modsig and the IMA template contains a modsig field.
With the new per policy rule "template" support being added, this
patch needs to be modified so that the per policy "template" format is
checked.  ima_template_has_modsig() should be called with the
template_desc being used.

thanks,

Mimi

diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 8e6475854351..f91ed4189f98 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -282,9 +282,17 @@ static int process_measurement(struct file *file, const struct cred *cred,
 		/* read 'security.ima' */
 		xattr_len = ima_read_xattr(file_dentry(file), &xattr_value);
 
-		/* Read the appended modsig if allowed by the policy. */
-		if (iint->flags & IMA_MODSIG_ALLOWED)
-			ima_read_modsig(func, buf, size, &modsig);
+		/*
+		 * Read the appended modsig, if allowed by the policy, and allow
+		 * an additional measurement list entry, if needed, based on the
+		 * template format.
+		 */
+		if (iint->flags & IMA_MODSIG_ALLOWED) {
+			rc = ima_read_modsig(func, buf, size, &modsig);
+
+			if (!rc && ima_template_has_modsig())
+				action |= IMA_MEASURE;
+		}
  
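Review bot: ima_template_has_modsig() is called with no argument, so it checks the system-wide template rather than the template the matching policy rule selects; with the per-rule "template" support the check should be made against that rule's template_desc, e.g. `if (!rc && ima_template_has_modsig(template_desc))`. Separately, `rc` now holds the return value of ima_read_modsig() and is not reset after the template check; confirm that nothing later in process_measurement() reads `rc` before it is assigned again, otherwise a failed modsig read would be reported for a file whose policy merely permits a modsig.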