Re: [Linux-ima-devel] [PATCH v4 3/5] ima: define "dont_failsafe" policy action rule

Dmitry Kasatkin <dmitry.kasatkin@xxxxxxxxx> · Tue, 22 Aug 2017 12:39:37 +0300

Also where is checking for DONT_FAILSAFE (enforcement)?

On Tue, Aug 22, 2017 at 12:34 PM, Dmitry Kasatkin
<dmitry.kasatkin@xxxxxxxxx> wrote:
> On Wed, Jul 26, 2017 at 4:22 PM, Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
>> Permit normally denied access/execute permission for files in policy
>> on IMA unsupported filesystems.  This patch defines the "dont_failsafe"
>> policy action rule.
>>
>> Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx>
>>
>> ---
>> Changelog v3:
>> - include dont_failsafe rule when displaying policy
>> - fail attempt to add dont_failsafe rule when appending to the policy
>>
>>  Documentation/ABI/testing/ima_policy |  3 ++-
>>  security/integrity/ima/ima.h         |  1 +
>>  security/integrity/ima/ima_main.c    | 11 ++++++++++-
>>  security/integrity/ima/ima_policy.c  | 29 ++++++++++++++++++++++++++++-
>>  4 files changed, 41 insertions(+), 3 deletions(-)
>>
>> diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
>> index e76432b9954d..f271207743e5 100644
>> --- a/Documentation/ABI/testing/ima_policy
>> +++ b/Documentation/ABI/testing/ima_policy
>> @@ -17,7 +17,8 @@ Description:
>>
>>                 rule format: action [condition ...]
>>
>> -               action: measure | dont_measure | appraise | dont_appraise | audit
>> +               action: measure | dont_meaure | appraise | dont_appraise |
>> +                       audit | dont_failsafe
>>                 condition:= base | lsm  [option]
>>                         base:   [[func=] [mask=] [fsmagic=] [fsuuid=] [uid=]
>>                                 [euid=] [fowner=]]
>> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
>> index d52b487ad259..c5f34f7c5b0f 100644
>> --- a/security/integrity/ima/ima.h
>> +++ b/security/integrity/ima/ima.h
>> @@ -224,6 +224,7 @@ void *ima_policy_start(struct seq_file *m, loff_t *pos);
>>  void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos);
>>  void ima_policy_stop(struct seq_file *m, void *v);
>>  int ima_policy_show(struct seq_file *m, void *v);
>> +void set_failsafe(bool flag);
>>
>>  /* Appraise integrity measurements */
>>  #define IMA_APPRAISE_ENFORCE   0x01
>> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
>> index 3941371402ff..664edab0f758 100644
>> --- a/security/integrity/ima/ima_main.c
>> +++ b/security/integrity/ima/ima_main.c
>> @@ -38,6 +38,11 @@ int ima_appraise;
>>  int ima_hash_algo = HASH_ALGO_SHA1;
>>  static int hash_setup_done;
>>
>> +static bool ima_failsafe = 1;
>> +void set_failsafe(bool flag) {
>> +       ima_failsafe = flag;
>> +}
>> +
>>  static int __init hash_setup(char *str)
>>  {
>>         struct ima_template_desc *template_desc = ima_template_desc_current();
>> @@ -263,8 +268,12 @@ static int process_measurement(struct file *file, char *buf, loff_t size,
>>                 __putname(pathbuf);
>>  out:
>>         inode_unlock(inode);
>> -       if ((rc && must_appraise) && (ima_appraise & IMA_APPRAISE_ENFORCE))
>> +       if ((rc && must_appraise) && (ima_appraise & IMA_APPRAISE_ENFORCE)) {
>> +               if (!ima_failsafe && rc == -EBADF)
>> +                       return 0;
>> +
>
> By default IMA is failsaif. ima_failsafe is true.
> Return 0 is needed in failsafe mode. right?
> But in this logic it will happen if ima_failsafe is false. meaning it
> is not failsafe.
> Is it a typo?
>
>
>>                 return -EACCES;
>> +       }
>>         return 0;
>>  }
>>
>> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
>> index 95209a5f8595..43b85a4fb8e8 100644
>> --- a/security/integrity/ima/ima_policy.c
>> +++ b/security/integrity/ima/ima_policy.c
>> @@ -40,12 +40,14 @@
>>  #define APPRAISE       0x0004  /* same as IMA_APPRAISE */
>>  #define DONT_APPRAISE  0x0008
>>  #define AUDIT          0x0040
>> +#define DONT_FAILSAFE  0x0400
>>
>>  #define INVALID_PCR(a) (((a) < 0) || \
>>         (a) >= (FIELD_SIZEOF(struct integrity_iint_cache, measured_pcrs) * 8))
>>
>>  int ima_policy_flag;
>>  static int temp_ima_appraise;
>> +static bool temp_failsafe = 1;
>>
>>  #define MAX_LSM_RULES 6
>>  enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE,
>> @@ -513,6 +515,9 @@ void ima_update_policy(void)
>>         if (ima_rules != policy) {
>>                 ima_policy_flag = 0;
>>                 ima_rules = policy;
>> +
>> +               /* Only update on initial policy replacement, not append */
>> +               set_failsafe(temp_failsafe);
>>         }
>>         ima_update_policy_flag();
>>  }
>> @@ -529,7 +534,7 @@ enum {
>>         Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt,
>>         Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt,
>>         Opt_appraise_type, Opt_permit_directio,
>> -       Opt_pcr
>> +       Opt_pcr, Opt_dont_failsafe
>>  };
>>
>>  static match_table_t policy_tokens = {
>> @@ -560,6 +565,7 @@ static match_table_t policy_tokens = {
>>         {Opt_appraise_type, "appraise_type=%s"},
>>         {Opt_permit_directio, "permit_directio"},
>>         {Opt_pcr, "pcr=%s"},
>> +       {Opt_dont_failsafe, "dont_failsafe"},
>>         {Opt_err, NULL}
>>  };
>>
>> @@ -630,6 +636,11 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
>>                 if ((*p == '\0') || (*p == ' ') || (*p == '\t'))
>>                         continue;
>>                 token = match_token(p, policy_tokens, args);
>> +               if (entry->action == DONT_FAILSAFE) {
>> +                       /* no args permitted, force invalid rule */
>> +                       token = Opt_dont_failsafe;
>> +               }
>> +
>>                 switch (token) {
>>                 case Opt_measure:
>>                         ima_log_string(ab, "action", "measure");
>> @@ -671,6 +682,19 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
>>
>>                         entry->action = AUDIT;
>>                         break;
>> +               case Opt_dont_failsafe:
>> +                       ima_log_string(ab, "action", "dont_failsafe");
>> +
>> +                       if (entry->action != UNKNOWN)
>> +                               result = -EINVAL;
>> +
>> +                       /* Permit on initial policy replacement only */
>> +                       if (ima_rules != &ima_policy_rules)
>> +                               temp_failsafe = 0;
>> +                       else
>> +                               result = -EINVAL;
>> +                       entry->action = DONT_FAILSAFE;
>> +                       break;
>>                 case Opt_func:
>>                         ima_log_string(ab, "func", args[0].from);
>>
>> @@ -949,6 +973,7 @@ void ima_delete_rules(void)
>>         int i;
>>
>>         temp_ima_appraise = 0;
>> +       temp_failsafe = 1;
>>         list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) {
>>                 for (i = 0; i < MAX_LSM_RULES; i++)
>>                         kfree(entry->lsm[i].args_p);
>> @@ -1040,6 +1065,8 @@ int ima_policy_show(struct seq_file *m, void *v)
>>                 seq_puts(m, pt(Opt_dont_appraise));
>>         if (entry->action & AUDIT)
>>                 seq_puts(m, pt(Opt_audit));
>> +       if (entry->action & DONT_FAILSAFE)
>> +               seq_puts(m, pt(Opt_dont_failsafe));
>>
>>         seq_puts(m, " ");
>>
>> --
>> 2.7.4
>>
>>
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> _______________________________________________
>> Linux-ima-devel mailing list
>> Linux-ima-devel@xxxxxxxxxxxxxxxxxxxxx
>> https://lists.sourceforge.net/lists/listinfo/linux-ima-devel
>
>
>
> --
> Thanks,
> Dmitry

-- 
Thanks,
Dmitry