On Sat, Apr 11, 2020 at 10:07 PM Stephen Smalley <stephen.smalley@xxxxxxxxx> wrote:
>
> On Wed, Apr 8, 2020 at 6:28 AM Tushar Sugandhi
> <tusharsu@xxxxxxxxxxxxxxxxxxx> wrote:
> > Measuring SELinux status and various SELinux policies can help ensure
> > mandatory access control of the system is not compromised.
> <snip>
> > B. Measuring selinux constructs:
> > We propose to add an IMA hook in enforcing_set() present under
> > security/selinux/include/security.h.
> > enforcing_set() sets the selinux state to enforcing/permissive etc.
> > and is called from key places like selinux_init(),
> > sel_write_enforce() etc.
> > The hook will measure various attributes related to selinux status.
> > Majority of the attributes are present in the struct selinux_state
> > present in security/selinux/include/security.h
> > e.g.
> > $sestatus
> > SELinux status: enabled
> > SELinuxfs mount: /sys/fs/selinux
> > SELinux root directory: /etc/selinux
> > Loaded policy name: default
> > Current mode: permissive
> > Mode from config file: permissive
> > Policy MLS status: enabled
> > Policy deny_unknown status: allowed
> > Memory protection checking: requested (insecure)
> > Max kernel policy version: 32
> >
> > The above attributes will be serialized into a set of key=value
> > pairs when passed to IMA for measurement.
> >
> > Proposed Function Signature of the IMA hook:
> > void ima_selinux_status(void *selinux_status, int len);
>
> This won't detect changes to any of these state variables via a kernel
> write vulnerability, so it would be good to provide a way to trigger
> measurement of the current values on demand.
> You'll also likely want to measure parts of the child structures of
> selinux_state, e.g. selinux_ss, especially selinux_map and policydb.
> You can simplify measurement of the policydb by serializing it first
> via policydb_write() and hashing the result. I suppose one question is
> whether you can do all of this already from userspace by just having
> userspace read /sys/fs/selinux/enforce, /sys/fs/selinux/policy, etc.

It seems to me that LKRG (kernel run time guard) takes the role of measuring
kernel structures. Perhaps you need to consult with LKRG guys.

Lev.
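The following is an added userspace model of the measurement the quoted proposal describes (serialize SELinux status into key=value pairs, digest the result, re-measure on demand to catch a later change); it is not code from the patch series or from the thread. The field names, the "key=value;" format and the FNV-1a digest are assumptions standing in for the real selinux_state fields and the SHA digest IMA would record.

```c
/* Added example: a userspace model of measuring SELinux status.
 * Fields are modelled on the sestatus output quoted in the thread;
 * the serialization format and the FNV-1a digest are assumptions,
 * not IMA's or SELinux's own API. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct selinux_status_snapshot {
    bool enabled;          /* SELinux status: enabled */
    bool enforcing;        /* Current mode: enforcing (1) / permissive (0) */
    bool mls;              /* Policy MLS status */
    bool deny_unknown;     /* deny_unknown: denied (1) / allowed (0) */
    bool checkreqprot;     /* Memory protection checking: requested */
    int policy_version;    /* Max kernel policy version */
};

/* Serialize the snapshot into "key=value;" pairs (hypothetical format).
 * Returns bytes written excluding the NUL, or -1 if buf is too small. */
int selinux_status_serialize(const struct selinux_status_snapshot *s,
                             char *buf, size_t len)
{
    int n = snprintf(buf, len,
        "enabled=%d;enforcing=%d;mls=%d;deny_unknown=%d;"
        "checkreqprot=%d;policy_version=%d;",
        s->enabled, s->enforcing, s->mls, s->deny_unknown,
        s->checkreqprot, s->policy_version);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Digest the serialized bytes; FNV-1a 64-bit stands in for IMA's hash. */
uint64_t measure_selinux_status(const struct selinux_status_snapshot *s)
{
    char buf[128];
    int n = selinux_status_serialize(s, buf, sizeof buf);
    uint64_t h = 0xcbf29ce484222325ULL;
    for (int i = 0; i < n; i++) {
        h ^= (unsigned char)buf[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* On-demand re-measurement: compare the current digest with the one
 * recorded earlier, so a state change made after the initial
 * measurement (e.g. enforcing flipped to permissive) is detected. */
bool selinux_status_unchanged(uint64_t recorded,
                              const struct selinux_status_snapshot *now)
{
    return measure_selinux_status(now) == recorded;
}
```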