[RFC][PATCH v3 07/10] ima: Store verified usage in digest cache based on integrity metadata flags

Roberto Sassu <roberto.sassu@xxxxxxxxxxxxxxx> · Thu, 5 Sep 2024 17:25:09 +0200

From: Roberto Sassu <roberto.sassu@xxxxxxxxxx>

The Integrity Digest Cache allows integrity providers to record how the
digest list being used to populate the digest cache was verified.

Integrity providers can register a kernel_post_read_file LSM hook
implementation, and call digest_cache_verif_set() providing the result of
the digest list verification, together with the digest list file
descriptor.

IMA implements ima_digest_cache_store_verified_usage(), storing verified
usage of the digest cache based on whether or not the digest list the
digest cache is being populated from was measured/appraised.

If the digest list was measured (IMA_MEASURED set in iint->flags),
ima_digest_cache_store_verified_usage() sets the
IMA_DIGEST_CACHE_MEASURE_DATA in the verified usage. If the digest list was
appraised (IMA_APPRAISED_SUBMASK), ima_digest_cache_store_verified_usage()
sets the IMA_DIGEST_CACHE_APPRAISE_DATA in the verified usage.

Verified usage based on integrity metadata will be ANDed with the policy
usage from the IMA policy. Then, the final decision will ultimately depend
on whether or not the calculated digest of the accessed file was found in
the digest cache.

ANDing the verified usage with the policy usage prevents remote verifiers
from receiving an incomplete IMA measurement list, where measurements are
skipped, but there isn't the digest list the calculated file digest was
searched into. It also prevents successful appraisal without appraising the
digest list itself.

Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
---
 security/integrity/ima/ima_digest_cache.c | 35 +++++++++++++++++++++++
 security/integrity/ima/ima_digest_cache.h |  7 +++++
 security/integrity/ima/ima_main.c         |  3 ++
 3 files changed, 45 insertions(+)

diff --git a/security/integrity/ima/ima_digest_cache.c b/security/integrity/ima/ima_digest_cache.c
index bf720684b7b1..baa3faae77d2 100644
--- a/security/integrity/ima/ima_digest_cache.c
+++ b/security/integrity/ima/ima_digest_cache.c
@@ -47,3 +47,38 @@ bool ima_digest_cache_get_check(struct dentry *dentry,
 	digest_cache_put(digest_cache);
 	return false;
 }
+
+/**
+ * ima_digest_cache_store_verified_usage - Store verified usage in digest cache
+ * @file: Digest list file descriptor
+ * @iint: Inode integrity metadata
+ *
+ * Set digest cache verified usage in the digest cache associated to the
+ * digest list file descriptor. Verified usage is based on whether or not the
+ * digest list was measured/appraised, and is ANDed with the policy usage to
+ * make the final decision on whether a digest cache can be used for a specific
+ * IMA action.
+ */
+void ima_digest_cache_store_verified_usage(struct file *file,
+					   struct ima_iint_cache *iint)
+{
+	u64 verified_usage = 0;
+	int rc;
+
+	if (iint->flags & IMA_MEASURED)
+		verified_usage |= IMA_DIGEST_CACHE_MEASURE_DATA;
+	if (iint->flags & IMA_APPRAISED_SUBMASK)
+		verified_usage |= IMA_DIGEST_CACHE_APPRAISE_DATA;
+
+	/*
+	 * Set digest cache verified usage from integrity metadata flags for
+	 * later use.
+	 */
+	rc = digest_cache_verif_set(file, "ima", &verified_usage,
+				    sizeof(verified_usage));
+
+	/* Ignore if fd doesn't have digest cache set (prefetching). */
+	if (rc && rc != -ENOENT)
+		pr_debug("Cannot set verified usage for %s, ret: %d, ignoring\n",
+			 file_dentry(file)->d_name.name, rc);
+}
diff --git a/security/integrity/ima/ima_digest_cache.h b/security/integrity/ima/ima_digest_cache.h
index 75b6ac8732d3..1544dc798631 100644
--- a/security/integrity/ima/ima_digest_cache.h
+++ b/security/integrity/ima/ima_digest_cache.h
@@ -12,6 +12,8 @@
 #ifdef CONFIG_INTEGRITY_DIGEST_CACHE
 bool ima_digest_cache_get_check(struct dentry *dentry,
 				struct ima_iint_cache *iint);
+void ima_digest_cache_store_verified_usage(struct file *file,
+					   struct ima_iint_cache *iint);
 #else
 static inline bool ima_digest_cache_get_check(struct dentry *dentry,
 					      struct ima_iint_cache *iint)
@@ -19,4 +21,9 @@ static inline bool ima_digest_cache_get_check(struct dentry *dentry,
 	return false;
 }
 
+static inline void
+ima_digest_cache_store_verified_usage(struct file *file,
+				      struct ima_iint_cache *iint)
+{ }
+
 #endif /* CONFIG_INTEGRITY_DIGEST_CACHE */
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index ae106f1fe144..97ece2abb0b9 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -29,6 +29,7 @@
 #include <linux/evm.h>
 
 #include "ima.h"
+#include "ima_digest_cache.h"
 
 #ifdef CONFIG_IMA_APPRAISE
 int ima_appraise = IMA_APPRAISE_ENFORCE;
@@ -420,6 +421,8 @@ static int process_measurement(struct file *file, const struct cred *cred,
 	if ((mask & MAY_WRITE) && test_bit(IMA_DIGSIG, &iint->atomic_flags) &&
 	     !(iint->flags & IMA_NEW_FILE))
 		rc = -EACCES;
+	if (!rc && func == DIGEST_LIST_CHECK)
+		ima_digest_cache_store_verified_usage(file, iint);
 	mutex_unlock(&iint->mutex);
 	kfree(xattr_value);
 	ima_free_modsig(modsig);
-- 
2.34.1








