[PATCH 0/2] ima: directory integrity appraisal

From: Dmitry Kasatkin
Date: Mon Nov 18 2013 - 15:26:16 EST


Hello,

This patchset provides an extension to IMA to protect the appraisal of directories.

Both IMA-appraisal and EVM protect the integrity of regular files.
IMA protects file data integrity, while EVM protects the file meta-data
integrity, such as file attributes and extended attributes. This patch
set adds offline directory integrity protection.

An inode itself does not have any file name associated with it. The
association of the file name to inode is done via directory entries.
On a running system, mandatory and/or discretionary access control prevents
unprivileged file deletion, file name change, or hardlink creation.
In an offline attack, without these protections, the association between
a file name and an inode is unprotected. Files can be deleted, renamed
or moved from one directory to another. In all of these cases,
the integrity of the file data and metadata is good.

To prevent such attacks, it is necessary to protect the integrity of the
directory content. This patchset calculates a hash of the directory content
and verifies this hash against a good reference value stored in the 'security.ima'
extended attribute. The directory hash is a hash over the list of directory
entries, which includes name, ino and d_type. The initial idea of how to calculate the
directory hash was suggested by Jayant Mangalampalli (Intel).

This patchset adds 2 new hooks for directory integrity protection:
ima_dir_check() and ima_dir_update().

ima_dir_check() verifies the directory integrity during the initial path
lookup, when the dentry is just being created and may block. It allocates
the needed data structures and performs the integrity verification,
the results of which are cached. Subsequent calls mostly happen under
RCU locking, when the code may not block, and return immediately with
the cached verification status. So ima_dir_check() does not interrupt
RCU path walk.

ima_dir_update() is called from several places in namei.c when
the directory content is changing, to update the directory hash.

- Dmitry

Dmitry Kasatkin (2):
ima: hooks for directory integrity protection
ima: directory integrity protection implementation

fs/namei.c | 42 ++++-
fs/open.c | 6 +
include/linux/ima.h | 23 +++
net/unix/af_unix.c | 2 +
security/integrity/ima/Kconfig | 10 +
security/integrity/ima/Makefile | 1 +
security/integrity/ima/ima.h | 3 +-
security/integrity/ima/ima_dir.c | 358 ++++++++++++++++++++++++++++++++++++
security/integrity/ima/ima_main.c | 3 +
security/integrity/ima/ima_policy.c | 2 +
10 files changed, 446 insertions(+), 4 deletions(-)
create mode 100644 security/integrity/ima/ima_dir.c

--
1.8.3.2
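The cover letter above describes the directory hash as a hash over the list of directory entries (name, ino, d_type) that is compared against a reference value in the directory's 'security.ima' xattr. The following user-space model, added here as an illustration and not code from the patchset, shows why such a hash catches offline renames, deletions and hardlink additions that leave the per-file IMA/EVM checks intact. The entry serialization (length-prefixed name, little-endian ino and d_type, entries sorted by name), the SHA-256 choice and the sample entries are assumptions of this example; the kernel implementation's encoding is not shown on this page.

```python
import hashlib
from collections import namedtuple

# Minimal model of a directory entry with the three fields the cover letter
# says the directory hash covers: name, inode number and d_type.
DirEntry = namedtuple("DirEntry", "name ino d_type")

# d_type values as defined in <dirent.h> (DT_DIR = 4, DT_REG = 8).
DT_DIR = 4
DT_REG = 8


def directory_hash(entries, algo="sha256"):
    """Hash the directory content over (name, ino, d_type) of every entry.

    Assumption of this example: entries are sorted by name so the digest does
    not depend on the order in which readdir() happens to return them, and
    the name is length-prefixed so concatenations cannot collide.
    """
    h = hashlib.new(algo)
    for e in sorted(entries, key=lambda e: e.name):
        name = e.name.encode()
        h.update(len(name).to_bytes(4, "little"))
        h.update(name)
        h.update(e.ino.to_bytes(8, "little"))
        h.update(e.d_type.to_bytes(1, "little"))
    return h.hexdigest()


def appraise_directory(entries, reference_hash):
    """Model of the ima_dir_check() decision: recompute the hash of the current
    directory listing and compare it with the reference value that would be
    stored in the directory's security.ima xattr. True means the listing is
    unchanged; False means the directory would fail appraisal."""
    return directory_hash(entries) == reference_hash


def sample_entries():
    """Constructed listing of a small /etc-like directory (sample data)."""
    return [
        DirEntry(".", 1000, DT_DIR),
        DirEntry("..", 2, DT_DIR),
        DirEntry("passwd", 1001, DT_REG),
        DirEntry("shadow", 1002, DT_REG),
        DirEntry("hosts", 1003, DT_REG),
    ]


def simulate_offline_changes():
    """Compare a good reference hash against listings modified the way an
    offline edit of the filesystem could modify them. None of these changes
    touch file contents, so file-level IMA appraisal alone would still pass;
    only the directory hash reflects them."""
    good = sample_entries()
    # Reference value as ima_dir_update() would record it after a legitimate
    # change (here: the initial good state).
    reference = directory_hash(good)

    reordered = list(reversed(good))                     # readdir order only
    renamed = [e._replace(name="shadow.bak") if e.name == "shadow" else e
               for e in good]                             # rename, same inode
    deleted = [e for e in good if e.name != "shadow"]     # unlink
    hardlinked = good + [DirEntry("shadow-copy", 1002, DT_REG)]  # extra link

    return {
        "reordered": appraise_directory(reordered, reference),
        "renamed": appraise_directory(renamed, reference),
        "deleted": appraise_directory(deleted, reference),
        "hardlinked": appraise_directory(hardlinked, reference),
    }


if __name__ == "__main__":
    for case, passed in simulate_offline_changes().items():
        print(f"{case:11s}: {'appraisal OK' if passed else 'appraisal FAILED'}")
```

Only the reordered listing still appraises: the digest is independent of readdir order, while a rename, an unlink or an added hardlink changes the set of (name, ino, d_type) tuples and so the hash, which is the property the patchset relies on to detect the offline attacks listed in the cover letter.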
