Re: [PATCH v5 17/18] ima: Implement support for module-style appended signatures
From: Mimi Zohar <hidden>
Date: 2017-10-31 13:31:49
Also in:
keyrings, linux-crypto, linux-integrity, linux-security-module, lkml
On Tue, 2017-10-17 at 22:53 -0200, Thiago Jung Bauermann wrote: Below are a few additional comments.
quoted hunk ↗ jump to hunk
@@ -200,18 +239,28 @@ int ima_read_xattr(struct dentry *dentry, */ int ima_appraise_measurement(enum ima_hooks func, struct integrity_iint_cache *iint, - struct file *file, const unsigned char *filename, - struct evm_ima_xattr_data *xattr_value, - int xattr_len, int opened) + struct file *file, const void *buf, loff_t size, + const unsigned char *filename, + struct evm_ima_xattr_data **xattr_value_, + int *xattr_len_, int opened) { static const char op[] = "appraise_data"; const char *cause = "unknown"; struct dentry *dentry = file_dentry(file); struct inode *inode = d_backing_inode(dentry); enum integrity_status status = INTEGRITY_UNKNOWN; - int rc = xattr_len, hash_start = 0; + struct evm_ima_xattr_data *xattr_value = *xattr_value_; + int xattr_len = *xattr_len_, rc = xattr_len, hash_start = 0; + bool appraising_modsig = false; + + if (iint->flags & IMA_MODSIG_ALLOWED && + !ima_read_modsig(func, buf, size, &xattr_value, &xattr_len)) { + appraising_modsig = true; + rc = xattr_len; + } - if (!(inode->i_opflags & IOP_XATTR)) + /* If not appraising a modsig, we need an xattr. */ + if (!appraising_modsig && !(inode->i_opflags & IOP_XATTR)) return INTEGRITY_UNKNOWN; if (rc <= 0) {@@ -235,6 +284,9 @@ int ima_appraise_measurement(enum ima_hooks func, case INTEGRITY_UNKNOWN: break; case INTEGRITY_NOXATTRS: /* No EVM protected xattrs. */ + /* It's fine not to have xattrs when using a modsig. */ + if (appraising_modsig) + break; case INTEGRITY_NOLABEL: /* No security.evm xattr. */ cause = "missing-HMAC"; goto out;@@ -242,6 +294,8 @@ int ima_appraise_measurement(enum ima_hooks func, cause = "invalid-HMAC"; goto out; } + + retry: switch (xattr_value->type) { case IMA_XATTR_DIGEST_NG: /* first byte contains algorithm id */@@ -285,6 +339,61 @@ int ima_appraise_measurement(enum ima_hooks func, status = INTEGRITY_PASS; } break; + case IMA_MODSIG: + /* + * To avoid being tricked into an infinite loop, we don't allow + * a modsig stored in the xattr. + */ + if (!appraising_modsig) { + status = INTEGRITY_UNKNOWN; + cause = "unknown-ima-data"; + break; + } + rc = appraise_modsig(iint, xattr_value, xattr_len); + if (!rc) { + kfree(*xattr_value_); + *xattr_value_ = xattr_value; + *xattr_len_ = xattr_len; + + status = INTEGRITY_PASS; + break; + } + + ima_free_xattr_data(xattr_value); + + /* + * The appended signature failed verification. If there's a + * signature in the extended attribute, let's fall back to it. + */ + if (inode->i_opflags & IOP_XATTR && *xattr_len_ != 0 && + *xattr_len_ != -ENODATA) {
At this point, there was an appended signature verification failure.
If there isn't an xattr, for whatever reason, shouldn't we be
returning "invalid_signature" and "INTEGRITY_FAIL". If so, then the
above test could be simplified to check whether there is any data,
like this:
if ((inode->i_opflags & IOP_XATTR) && (*xattr_len_ > 0)) {
+ const char *modsig_cause = rc == -EOPNOTSUPP ? + "unknown" : "invalid-signature";
This can then be cleaned up as well.
+ + /* First, log that the modsig verification failed. */ + integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, + filename, op, modsig_cause, rc, 0);
I'm not sure that we want to audit intermediary signature verification failures. Perhaps this audit message should be considered "additional", meaning it is only emitted if the "integrity_audit" boot command line option is enabled. Change the last field to 1 to indicate it is an "additional" audit message.
+ + xattr_len = rc = *xattr_len_; + xattr_value = *xattr_value_; + appraising_modsig = false; + + if (rc > 0)
This test becomes redundant.
+ /* Process xattr contents. */
+ goto retry;
+
+ /* Unexpected error reading xattr. */
+ status = INTEGRITY_UNKNOWN;
+ } else {
+ if (rc == -EOPNOTSUPP)
+ status = INTEGRITY_UNKNOWN;
+ else {
+ cause = "invalid-signature";
+ status = INTEGRITY_FAIL;
+ }
+ }
+ break;I think the rest can be simplified to: cause = "invalid-signature"; status = INTEGRITY_FAIL; Mimi