Re: [PATCH v6 0/4] LSM: Measure security module data

From: Lakshmi Ramasubramanian
Date: Tue Aug 04 2020 - 21:14:50 EST

Next message: kernel test robot: "ed66f991bb ("module: Refactor section attr into bin attribute"): [ 70.645135] BUG: KASAN: slab-out-of-bounds in vsnprintf"
Previous message: pr-tracker-bot: "Re: [GIT PULL] dma-mapping updates for 5.9"
In reply to: Casey Schaufler: "Re: [PATCH v6 0/4] LSM: Measure security module data"
Next in thread: Casey Schaufler: "Re: [PATCH v6 0/4] LSM: Measure security module data"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 8/4/20 6:04 PM, Casey Schaufler wrote:

On 8/4/2020 5:43 PM, Lakshmi Ramasubramanian wrote:

Critical data structures of security modules are currently not measured.
Therefore an attestation service, for instance, would not be able to
attest whether the security modules are always operating with the policies
and configuration that the system administrator had setup. The policies
and configuration for the security modules could be tampered with by
malware by exploiting kernel vulnerabilities or modified through some
inadvertent actions on the system. Measuring such critical data would
enable an attestation service to better assess the state of the system.

I still wonder why you're calling this an LSM change/feature when
all the change is in IMA and SELinux. You're not putting anything
into the LSM infrastructure, not are you using the LSM infrastructure
to achieve your ends. Sure, you *could* support other security modules
using this scheme, but you have a configuration dependency on
SELinux, so that's at best going to be messy. If you want this to
be an LSM "feature" you need to use the LSM hooking mechanism.

I'm not objecting to the feature. It adds value. But as you've
implemented it it is either an IMA extension to SELinux, or an
SELiux extension to IMA. Could AppArmor add hooks for this without
changing the IMA code? It doesn't look like it to me.

The check in IMA to allow the new IMA hook func LSM_STATE and LSM_POLICY when SELinux is enabled is just because SELinux is the only security module using these hooks now.

To enable AppArmor, for instance, to use the new IMA hooks to measure state and policy would just require adding the check for CONFIG_SECURITY_APPARMOR. Other than that, there are no IMA changes needed to support AppArmor or other such security modules.

Please see Patch 1/4

+ else if (IS_ENABLED(CONFIG_SECURITY_SELINUX) &&
+ strcmp(args[0].from, "LSM_STATE") == 0)
+ entry->func = LSM_STATE;
+ else if (IS_ENABLED(CONFIG_SECURITY_SELINUX) &&
+ strcmp(args[0].from, "LSM_POLICY") == 0)
+ entry->func = LSM_POLICY;

And, if early boot measurement is needed for AppArmor the following change in IMA's Kconfig

Patch 4/4

+config IMA_QUEUE_EARLY_BOOT_DATA
bool
+ depends on SECURITY_SELINUX || (IMA_MEASURE_ASYMMETRIC_KEYS && SYSTEM_TRUSTED_KEYRING)
default y

If you think calling this an "LSM feature" is not appropriate, please suggest a better phrase.

But like I said above, with minimal change in IMA other security modules can be supported to measure STATE and POLICY data.

-lakshmi

Next message: kernel test robot: "ed66f991bb ("module: Refactor section attr into bin attribute"): [ 70.645135] BUG: KASAN: slab-out-of-bounds in vsnprintf"
Previous message: pr-tracker-bot: "Re: [GIT PULL] dma-mapping updates for 5.9"
In reply to: Casey Schaufler: "Re: [PATCH v6 0/4] LSM: Measure security module data"
Next in thread: Casey Schaufler: "Re: [PATCH v6 0/4] LSM: Measure security module data"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]