ima: fail signature verification based on policy

author Mimi Zohar <zohar@linux.vnet.ibm.com>

Wed, 21 Feb 2018 16:36:32 +0000 (11:36 -0500)

committer Mimi Zohar <zohar@linux.vnet.ibm.com>

Fri, 23 Mar 2018 10:31:37 +0000 (06:31 -0400)
author Mimi Zohar <zohar@linux.vnet.ibm.com>
Wed, 21 Feb 2018 16:36:32 +0000 (11:36 -0500)
committer Mimi Zohar <zohar@linux.vnet.ibm.com>
Fri, 23 Mar 2018 10:31:37 +0000 (06:31 -0400)
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt

index 1d1d53f..2cc17dc 100644 (file)
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -1525,7 +1525,8 @@
  
         ima_policy=     [IMA]
                         The builtin policies to load during IMA setup.
-                       Format: "tcb | appraise_tcb | secure_boot"
+                       Format: "tcb | appraise_tcb | secure_boot |
+                                fail_securely"
  
                         The "tcb" policy measures all programs exec'd, files
                         mmap'd for exec, and all files opened with the read
@@ -1540,6 +1541,11 @@
                         of files (eg. kexec kernel image, kernel modules,
                         firmware, policy, etc) based on file signatures.
  
+                       The "fail_securely" policy forces file signature
+                       verification failure also on privileged mounted
+                       filesystems with the SB_I_UNVERIFIABLE_SIGNATURE
+                       flag.
+
         ima_tcb         [IMA] Deprecated.  Use ima_policy= instead.
                         Load a policy which meets the needs of the Trusted
                         Computing Base.  This means IMA will measure all
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c

index 4bafb39..0c5f94b 100644 (file)
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -304,12 +304,13 @@ int ima_appraise_measurement(enum ima_hooks func,
  out:
         /*
          * File signatures on some filesystems can not be properly verified.
-        * On these filesytems, that are mounted by an untrusted mounter,
-        * fail the file signature verification.
+        * When such filesystems are mounted by an untrusted mounter or on a
+        * system not willing to accept such a risk, fail the file signature
+        * verification.
          */
-       if ((inode->i_sb->s_iflags &
-           (SB_I_IMA_UNVERIFIABLE_SIGNATURE | SB_I_UNTRUSTED_MOUNTER)) ==
-           (SB_I_IMA_UNVERIFIABLE_SIGNATURE | SB_I_UNTRUSTED_MOUNTER)) {
+       if ((inode->i_sb->s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE) &&
+           ((inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER) ||
+            (iint->flags & IMA_FAIL_UNVERIFIABLE_SIGS))) {
                 status = INTEGRITY_FAIL;
                 cause = "unverifiable-signature";
                 integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c

index f550f25..5d122da 100644 (file)
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -238,7 +238,8 @@ static int process_measurement(struct file *file, const struct cred *cred,
          */
         if (test_and_clear_bit(IMA_CHANGE_XATTR, &iint->atomic_flags) ||
             ((inode->i_sb->s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE) &&
-            !(inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER))) {
+            !(inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER) &&
+            !(action & IMA_FAIL_UNVERIFIABLE_SIGS))) {
                 iint->flags &= ~IMA_DONE_MASK;
                 iint->measured_pcrs = 0;
         }
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c

index 40557c0..51a4cd9 100644 (file)
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -188,6 +188,7 @@ __setup("ima_tcb", default_measure_policy_setup);
  
  static bool ima_use_appraise_tcb __initdata;
  static bool ima_use_secure_boot __initdata;
+static bool ima_fail_unverifiable_sigs __ro_after_init;
  static int __init policy_setup(char *str)
  {
         char *p;
@@ -201,6 +202,8 @@ static int __init policy_setup(char *str)
                         ima_use_appraise_tcb = true;
                 else if (strcmp(p, "secure_boot") == 0)
                         ima_use_secure_boot = true;
+               else if (strcmp(p, "fail_securely") == 0)
+                       ima_fail_unverifiable_sigs = true;
         }
  
         return 1;
@@ -390,6 +393,8 @@ int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid,
                 if (entry->action & IMA_APPRAISE) {
                         action |= get_subaction(entry, func);
                         action &= ~IMA_HASH;
+                       if (ima_fail_unverifiable_sigs)
+                               action |= IMA_FAIL_UNVERIFIABLE_SIGS;
                 }
  
                 if (entry->action & IMA_DO_MASK)
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h

index 843ae23..8224880 100644 (file)
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -35,6 +35,7 @@
  #define IMA_PERMIT_DIRECTIO    0x02000000
  #define IMA_NEW_FILE           0x04000000
  #define EVM_IMMUTABLE_DIGSIG   0x08000000
+#define IMA_FAIL_UNVERIFIABLE_SIGS     0x10000000
  
  #define IMA_DO_MASK            (IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \
                                  IMA_HASH | IMA_APPRAISE_SUBMASK)
author	Mimi Zohar <zohar@linux.vnet.ibm.com>
	Wed, 21 Feb 2018 16:36:32 +0000 (11:36 -0500)
committer	Mimi Zohar <zohar@linux.vnet.ibm.com>
	Fri, 23 Mar 2018 10:31:37 +0000 (06:31 -0400)
Documentation/admin-guide/kernel-parameters.txt		patch \| blob \| history
security/integrity/ima/ima_appraise.c		patch \| blob \| history
security/integrity/ima/ima_main.c		patch \| blob \| history
security/integrity/ima/ima_policy.c		patch \| blob \| history
security/integrity/integrity.h		patch \| blob \| history