The goals of the kernel integrity subsystem are to detect if files have been accidentally or maliciously altered, both remotely and locally, appraise a file's measurement against a "good" value stored as an extended attribute, and enforce local file integrity [1]. To achieve these goals, IMA subsystem measures several in-memory constructs and files. We propose to measure constructs in dm-crypt and selinux to further enhance measuring capabilities of IMA. If there is existing or planned work to measure dm-crypt and selinux constructs, we would like to contribute to that. dm-crypt is a subsystem used for encryption of the block device, which is essential for ensuring protection of data and secrets at rest. Measuring encryption status of the device will ensure the device is not maliciously reporting false encryption status - thus, it can be entrusted with sensitive data to be protected at rest. SELinux is an implementation of mandatory access controls (MAC) on Linux. Mandatory access controls allow an administrator of a system to define how applications and users can access different resources - such as files, devices, networks and inter-process communication. With SELinux an administrator can differentiate a user from the applications a user runs [2]. Measuring SELinux status and various SELinux policies can help ensure mandatory access control of the system is not compromised. Proposal: --------- A. Measuring dmcrypt constructs: We can add an IMA hook in crypt_ctr() present in drivers/md/dm-crypt.c, so that IMA can start measuring the status of various dm-crypt targets (represented by crypt_target struct - also defined in dm-crypt.c). The mapping table[3] has information of devices being encrypted (start sector, size, target name, cypher, key, device path, and other optional parameters.) e.g. 0 417792 crypt serpent-cbc-essiv:sha256 a7f67ad520bd83b9725df6ebd76c3eee 0 /dev/sdb 0 1 allow_discards We can pass various attributes of mapping table to IMA through a key value pair of various dmcrypt constructs. Proposed Function Signature of the IMA hook: void ima_dmcrypt_status(void *dmcrypt_status, int len); B. Measuring selinux constructs: We propose to add an IMA hook in enforcing_set() present under security/selinux/include/security.h. enforcing_set() sets the selinux state to enforcing/permissive etc. and is called from key places like selinux_init(), sel_write_enforce() etc. The hook will measure various attributes related to selinux status. Majority of the attributes are present in the struct selinux_state present in security/selinux/include/security.h e.g. $sestatus SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: default Current mode: permissive Mode from config file: permissive Policy MLS status: enabled Policy deny_unknown status: allowed Memory protection checking: requested (insecure) Max kernel policy version: 32 The above attributes will be serialized into a set of key=value pairs when passed to IMA for measurement. Proposed Function Signature of the IMA hook: void ima_selinux_status(void *selinux_status, int len); Please provide comments\feedback on the proposal. Thanks, Tushar [1] https://sourceforge.net/p/linux-ima/wiki/Home/ [2] https://selinuxproject.org/page/FAQ [3] https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt -- dm-devel mailing list dm-devel@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/dm-devel