IMA: add policy rule to measure critical data

A new IMA policy rule is needed for the IMA hook
ima_measure_critical_data() and the corresponding func CRITICAL_DATA for
measuring the input buffer.  The policy rule should ensure the buffer
would get measured only when the policy rule allows the action.  The
policy rule should also support the necessary constraints (flags etc.)
for integrity critical buffer data measurements.

Add policy rule support for measuring integrity critical data.

Signed-off-by: Tushar Sugandhi <tusharsu@linux.microsoft.com>
Reviewed-by: Tyler Hicks <tyhicks@linux.microsoft.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
index e35263f..6ec7daa 100644 (file)
--- a/Documentation/ABI/testing/ima_policy
+++ b/Documentation/ABI/testing/ima_policy
@@ -32,7 +32,7 @@ Description:
                        func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK]MODULE_CHECK]
                                [FIRMWARE_CHECK]
                                [KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
-                               [KEXEC_CMDLINE] [KEY_CHECK]
+                               [KEXEC_CMDLINE] [KEY_CHECK] [CRITICAL_DATA]
                        mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
                               [[^]MAY_EXEC]
                        fsmagic:= hex value

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index b939660..96ba427 100644 (file)
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -478,6 +478,8 @@ static bool ima_match_rule_data(struct ima_rule_entry *rule,
 
                opt_list = rule->keyrings;
                break;
+       case CRITICAL_DATA:
+               return true;
        default:
                return false;
        }
@@ -514,13 +516,19 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
 {
        int i;
 
-       if (func == KEY_CHECK) {
-               return (rule->flags & IMA_FUNC) && (rule->func == func) &&
-                       ima_match_rule_data(rule, func_data, cred);
-       }
        if ((rule->flags & IMA_FUNC) &&
            (rule->func != func && func != POST_SETATTR))
                return false;
+
+       switch (func) {
+       case KEY_CHECK:
+       case CRITICAL_DATA:
+               return ((rule->func == func) &&
+                       ima_match_rule_data(rule, func_data, cred));
+       default:
+               break;
+       }
+
        if ((rule->flags & IMA_MASK) &&
            (rule->mask != mask && func != POST_SETATTR))
                return false;
@@ -1115,6 +1123,17 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
                if (ima_rule_contains_lsm_cond(entry))
                        return false;
 
+               break;
+       case CRITICAL_DATA:
+               if (entry->action & ~(MEASURE | DONT_MEASURE))
+                       return false;
+
+               if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR))
+                       return false;
+
+               if (ima_rule_contains_lsm_cond(entry))
+                       return false;
+
                break;
        default:
                return false;
@@ -1247,6 +1266,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
                        else if (IS_ENABLED(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) &&
                                 strcmp(args[0].from, "KEY_CHECK") == 0)
                                entry->func = KEY_CHECK;
+                       else if (strcmp(args[0].from, "CRITICAL_DATA") == 0)
+                               entry->func = CRITICAL_DATA;
                        else
                                result = -EINVAL;
                        if (!result)