This patch adds the call to the ima_file_check() function in the eCryptfs code in order to measure inodes opened in the lower filesystem.

Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxx>
---
 Documentation/filesystems/ecryptfs-security.txt | 98 +++++++++++++++++++++++
 fs/ecryptfs/main.c | 5 +
 2 files changed, 103 insertions(+), 0 deletions(-)
 create mode 100644 Documentation/filesystems/ecryptfs-security.txt

diff --git a/Documentation/filesystems/ecryptfs-security.txt b/Documentation/filesystems/ecryptfs-security.txt
new file mode 100644
index 0000000..f923553
--- /dev/null
+++ b/Documentation/filesystems/ecryptfs-security.txt
@@ -0,0 +1,98 @@ + ECryptfs security considerations + +ECryptfs belongs to the class of stacked filesystems, which present an +interface where data flow, also called upper layer, perform some transformations +on them and store the result in another filesystem, called lower layer. + +Access control is performed on both the upper and the lower layer and depends +on how the security attributes are assigned to inodes. Since eCryptfs does not +store extended attributes by itself but relies on the underlying filesystem to +perform this task, security attributes are the same for both the upper and the +lower inodes. However, in the SELinux's case, the security policy can be +configured to assign to upper inodes a static label while lower inodes are +initialized with the label stored in their extended attributes. + +When a process opens an eCryptfs file, the access control mechanism first +verifies if the request can be satisfied by checking the process's credentials, +the security attribute of the upper inode and the operation type. + +Then, internally, eCryptfs opens the correspondent inode in the lower filesystem +by providing its own credentials and obtains a file descriptor which is shared +between processes that concurrently access the upper inode. The credentials +provided by eCryptfs are the initial credentials built by the function +prepare_kernel_cred(), which grant root privileges. + +Each eCryptfs filesystem may have assigned its own label, in order to identify +or restrict the actions it can perform, by overriding the initial credentials +with this additional mount parameter: + +ecryptfs_security_ctx="system_u:system_r:ecryptfs_agent_t:s0" (SELinux) + +or: + +ecryptfs_security_ctx="mylabel" (SMACK) + + +In SELinux, a policy must be defined for the type specified, which contains the +declaration and the set of required rules. 
In particular, the type must be +allowed to access files and directories in the underlying filesystem and shared +file descriptors must be usable by accessing processes. Below in this file there +is a sample policy for the type 'ecryptfs_agent_t'. + +Further, the process which mounts the eCryptfs filesystem overriding the initial +credentials requires this permission: + +allow unconfined_mount_t ecryptfs_agent_t: kernel_service use_as_override; + + +where 'unconfined_mount_t' is the domain assigned to the mount program executed +from a root shell. + +Before using the mounted filesystem it is possible to specify a policy for IMA, +in order to measure accessed files. This command must be specified from a root +shell: + +(SELinux) +echo "measure fowner_type=ecryptfs_agent_t" > /sys/kernel/security/ima/policy + +(SMACK) +echo "measure fowner_user=mylabel" > /sys/kernel/security/ima/policy + + +It is possible to see measurements collected by executing: + +cat /sys/kernel/security/ima/ascii_runtime_measurements + + +The following is the source of a SELinux policy module that contains the policy +for the type 'ecryptfs_agent_t'. + + +------- ecryptfs_agent.te ------- + +policy_module(ecryptfs_agent, 1.0.0) + +gen_require(` + attribute file_type; + attribute domain; + type unconfined_mount_t; +') + +type ecryptfs_agent_t; +allow ecryptfs_agent_t file_type: file manage_file_perms; +allow ecryptfs_agent_t file_type: dir manage_dir_perms; +allow unconfined_mount_t ecryptfs_agent_t: kernel_service use_as_override; +allow domain ecryptfs_agent_t: fd use; +role system_r types ecryptfs_agent_t; + +--------------------------------- + + +Compile the module (instructions for Fedora 14): + +make -f /usr/share/selinux/devel/Makefile ecryptfs_agent.pp + + +Load the module: + +semodule -i ecryptfs_agent.pp diff --git a/fs/ecryptfs/main.c b/fs/ecryptfs/main.c index 075634b..8ac7885 100644 --- a/fs/ecryptfs/main.c +++ b/fs/ecryptfs/main.c 
@@ -37,6 +37,7 @@ #include <linux/fs_stack.h> #include <linux/slab.h> #include <linux/magic.h> +#include <linux/ima.h> #include "ecryptfs_kernel.h" /** @@ -141,7 +142,11 @@ static int ecryptfs_init_lower_file(struct dentry *dentry, "for lower_dentry [0x%p] and lower_mnt [0x%p]; " "rc = [%d]\n", lower_dentry, lower_mnt, rc); (*lower_file) = NULL; + goto out; } + rc = ima_file_check((*lower_file), IS_RDONLY(lower_dentry->d_inode) ? + MAY_READ : MAY_READ | MAY_WRITE); +out: return rc; } -- 1.7.4.4
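Review bot: the sample ecryptfs_agent.te in the ecryptfs-security.txt hunk grants ecryptfs_agent_t `manage_file_perms` and `manage_dir_perms` on the whole `file_type` attribute and lets every `domain` use its file descriptors, which is far wider than the stated requirement that the type be "allowed to access files and directories in the underlying filesystem"; either say in the text that this is a permissive example and that a deployment should restrict the target to the types of the lower filesystem, or narrow the two `allow ecryptfs_agent_t file_type:` rules in the sample itself. The IMA section also depends on the `fowner_type=` and `fowner_user=` policy keywords without saying where they are defined, so a reader applying only this patch cannot tell whether the `echo "measure fowner_type=ecryptfs_agent_t" > /sys/kernel/security/ima/policy` rule will be accepted; a pointer to the patch or document that introduces those keywords would help. Two wording fixes while here: "present an interface where data flow, also called upper layer, perform some transformations on them" should read "present an interface, called the upper layer, through which data flow; they perform some transformations on the data and store the result in another filesystem, called the lower layer", and "correspondent inode" should be "corresponding inode".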
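Review bot: in the @@ -141,7 +142,11 @@ hunk of ecryptfs_init_lower_file(), a non-zero return from ima_file_check() is propagated in rc, but the lower file opened just above is left open and *lower_file stays non-NULL, so the caller receives an error together with a live file it does not know it owns; on failure, release it (fput(*lower_file); *lower_file = NULL;) before falling through to out, so the function's error state is consistent with the failed-open path directly above, which already clears the pointer. The access mask is derived from IS_RDONLY(lower_dentry->d_inode), which reports whether the lower inode's filesystem is mounted read-only, not whether this file was actually opened for writing; testing (*lower_file)->f_mode for FMODE_WRITE would keep the mask measured by IMA in step with the real open mode. It is also worth stating in the commit message that, because the documentation hunk says this lower file descriptor is shared between processes that concurrently access the upper inode, the measurement is taken once per lower-file open rather than once per eCryptfs open.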