Hello,

This patchset provides an extension to IMA to protect the appraisal of directories.

Both IMA-appraisal and EVM protect the integrity of regular files. IMA protects file data integrity, while EVM protects file metadata integrity, such as file attributes and extended attributes. This patch set adds offline directory integrity protection.

An inode itself does not have any file name associated with it. The association of the file name to the inode is done via directory entries. On a running system, mandatory and/or discretionary access control prevent unprivileged file deletion, file name change, or hardlink creation. In an offline attack, without these protections, the association between a file name and an inode is unprotected. Files can be deleted, renamed or moved from one directory to another. In all of these cases, the integrity of the file data and metadata is good.

To prevent such attacks, it is necessary to protect the integrity of the directory content. This patchset calculates a hash of the directory content and verifies this hash against a good reference value stored in the 'security.ima' extended attribute. The directory hash is a hash over the list of directory entries, which includes name, ino and d_type.

The initial idea of how to calculate the directory hash was suggested by Jayant Mangalampalli (Intel).

This patchset adds 2 new hooks for directory integrity protection: ima_dir_check() and ima_dir_update().

ima_dir_check() verifies the directory integrity during the initial path lookup, when the dentry is just being created and may block. It allocates the needed data structures and performs the integrity verification, the results of which are cached. Subsequent calls mostly happen under RCU locking, when the code may not block, and return immediately with the cached verification status. So ima_dir_check() does not interrupt the RCU path walk.
ima_dir_update() is called from several places in namei.c when the directory content is changing, to update the directory hash.

- Dmitry

Dmitry Kasatkin (2):
  ima: hooks for directory integrity protection
  ima: directory integrity protection implementation

 fs/namei.c                          |  42 ++++-
 fs/open.c                           |   6 +
 include/linux/ima.h                 |  23 +++
 net/unix/af_unix.c                  |   2 +
 security/integrity/ima/Kconfig      |  10 +
 security/integrity/ima/Makefile     |   1 +
 security/integrity/ima/ima.h        |   3 +-
 security/integrity/ima/ima_dir.c    | 358 ++++++++++++++++++++++++++++++++++++
 security/integrity/ima/ima_main.c   |   3 +
 security/integrity/ima/ima_policy.c |   2 +
 10 files changed, 446 insertions(+), 4 deletions(-)
 create mode 100644 security/integrity/ima/ima_dir.c

-- 
1.8.3.2
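The directory hash the cover letter describes (a hash over the listing's name, ino and d_type fields, checked against a stored reference) worked through in userspace, as an added example that is not code from the patchset or from Dmitry. It is my own illustration and makes these assumptions, none of which the cover letter states: 64-bit FNV-1a stands in for whatever hash algorithm IMA is configured with; entries are sorted by name before hashing so readdir() order does not matter; the reference value is kept in memory instead of in the security.ima xattr; and a scratch directory under /tmp is writable. demo_rename_detected() plays out the offline attack from the text: the file's data and metadata stay intact, only the name changes, and the directory hash no longer matches the reference.

```c
#define _DEFAULT_SOURCE 1
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* One entry of the listing, with the three fields the cover letter names. */
struct dir_entry { char name[256]; uint64_t ino; unsigned char d_type; };

/* 64-bit FNV-1a keeps this example dependency-free. Assumption: the kernel
 * patch feeds the same bytes to the hash algorithm IMA is configured with. */
static uint64_t fnv1a_update(uint64_t h, const void *data, size_t len)
{
	const unsigned char *p = data;
	for (size_t i = 0; i < len; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
	return h;
}
uint64_t fnv1a(const void *data, size_t len)
{
	return fnv1a_update(0xcbf29ce484222325ULL, data, len);
}

static int cmp_entry(const void *a, const void *b)
{
	return strcmp(((const struct dir_entry *)a)->name,
		      ((const struct dir_entry *)b)->name);
}

/* Hash a directory's content: every entry except "." and "..", sorted by name
 * so the result does not depend on readdir() order (my assumption; the cover
 * letter does not say how the kernel orders entries), hashing name (with its
 * NUL as separator), ino and d_type in turn. Returns 0, or -1 with errno set. */
int dir_hash(const char *path, uint64_t *out)
{
	DIR *d = opendir(path);
	if (!d) return -1;
	struct dir_entry *ents = NULL;
	size_t n = 0, cap = 0;
	for (;;) {
		errno = 0;                      /* distinguish end-of-dir from error */
		struct dirent *de = readdir(d);
		if (!de) break;
		if (!strcmp(de->d_name, ".") || !strcmp(de->d_name, "..")) continue;
		if (n == cap) {
			cap = cap ? cap * 2 : 16;
			struct dir_entry *tmp = realloc(ents, cap * sizeof *ents);
			if (!tmp) { errno = ENOMEM; break; }
			ents = tmp;
		}
		snprintf(ents[n].name, sizeof ents[n].name, "%s", de->d_name);
		ents[n].ino = de->d_ino;
		ents[n].d_type = de->d_type;
		n++;
	}
	int saved = errno;
	closedir(d);
	if (saved) { free(ents); errno = saved; return -1; }
	if (n) qsort(ents, n, sizeof *ents, cmp_entry);
	uint64_t h = 0xcbf29ce484222325ULL;
	for (size_t i = 0; i < n; i++) {
		h = fnv1a_update(h, ents[i].name, strlen(ents[i].name) + 1);
		h = fnv1a_update(h, &ents[i].ino, sizeof ents[i].ino);
		h = fnv1a_update(h, &ents[i].d_type, sizeof ents[i].d_type);
	}
	free(ents);
	*out = h;
	return 0;
}

static int touch(const char *dir, const char *name)
{
	char p[4096];
	snprintf(p, sizeof p, "%s/%s", dir, name);
	int fd = open(p, O_WRONLY | O_CREAT | O_EXCL, 0600);
	return fd < 0 ? -1 : close(fd);
}

/* The offline attack from the cover letter, simulated in a scratch directory:
 * `good` plays the reference value that would live in security.ima (kept in
 * memory here by assumption, since tmpfs may not carry xattrs). Renaming an
 * entry leaves the file's data and metadata intact but changes the directory
 * hash, so appraisal against `good` fails; renaming it back restores the match.
 * Returns 1 when both hold, 0 otherwise. */
int demo_rename_detected(void)
{
	char tmpl[] = "/tmp/imadirXXXXXX";        /* constructed scratch dir */
	char *dir = mkdtemp(tmpl);
	if (!dir) return 0;
	char orig[4096], moved[4096], other[4096];
	snprintf(orig, sizeof orig, "%s/sshd", dir);
	snprintf(moved, sizeof moved, "%s/sshd.orig", dir);
	snprintf(other, sizeof other, "%s/sshd_config", dir);
	uint64_t good = 0, tampered = 0, restored = 0;
	int ok = 0;
	if (touch(dir, "sshd") || touch(dir, "sshd_config") || dir_hash(dir, &good)) goto out;
	/* Attacker with raw disk access renames the binary: inode, data, xattrs untouched. */
	if (rename(orig, moved) || dir_hash(dir, &tampered)) goto out;
	if (rename(moved, orig) || dir_hash(dir, &restored)) goto out;
	ok = tampered != good && restored == good;
out:
	unlink(orig); unlink(moved); unlink(other); rmdir(dir);
	return ok;
}

int main(int argc, char **argv)
{
	const char *path = argc > 1 ? argv[1] : ".";
	uint64_t h;
	if (dir_hash(path, &h)) { perror(path); return 1; }
	printf("%s: %016llx\n", path, (unsigned long long)h);
	printf("rename of an entry detected: %s\n", demo_rename_detected() ? "yes" : "no");
	return 0;
}
```

Run it with a directory argument to print that directory's hash; the demo then shows why a data-and-xattr-only appraisal misses a rename. Two things the toy deliberately glosses over and a real implementation has to decide: d_type is DT_UNKNOWN on filesystems that do not fill it in, so the reference must be computed the same way the verifier reads it, and hashing in name order means the reference survives reboots only if the ordering rule is fixed in the format, not left to readdir().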