[PATCH v1 3/5] ima: limit including fs-verity's file digest in measurement list
From: Mimi Zohar
Date: Thu Dec 02 2021 - 16:55:58 EST
Without the file signature included in the IMA measurement list, the type
of file digest is unclear. Set up the plumbing to limit including
fs-verity's file digest in the IMA measurement list based on whether the
template name is ima-sig. In the future, this could be relaxed to include
any template format that includes the file signature.
Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
---
Changelog v1:
- Updated patch description to indicate this is a prepartory patch.
- Addressed Eric's comment: use lowercase 'true'/'false'.
- Fixed patch description based on Lakshmi's review.
Documentation/security/IMA-templates.rst | 9 +++++++--
security/integrity/ima/ima.h | 3 ++-
security/integrity/ima/ima_api.c | 3 ++-
security/integrity/ima/ima_appraise.c | 3 ++-
security/integrity/ima/ima_main.c | 7 ++++++-
security/integrity/ima/ima_template_lib.c | 3 ++-
6 files changed, 21 insertions(+), 7 deletions(-)
diff --git a/Documentation/security/IMA-templates.rst b/Documentation/security/IMA-templates.rst
index 1a91d92950a7..28640b543340 100644
--- a/Documentation/security/IMA-templates.rst
+++ b/Documentation/security/IMA-templates.rst
@@ -70,8 +70,8 @@ descriptors by adding their identifier to the format string
prefix is shown only if the hash algorithm is not SHA1 or MD5);
- 'd-modsig': the digest of the event without the appended modsig;
- 'n-ng': the name of the event, without size limitations;
- - 'sig': the file signature, or the EVM portable signature if the file
- signature is not found;
+ - 'sig': the file signature, based on either the file's/fsverity's digest[1],
+ or the EVM portable signature if the file signature is not found;
- 'modsig' the appended file signature;
- 'buf': the buffer data that was used to generate the hash without size limitations;
- 'evmsig': the EVM portable signature;
@@ -106,3 +106,8 @@ currently the following methods are supported:
the ``ima_template=`` parameter;
- register a new template descriptor with custom format through the kernel
command line parameter ``ima_template_fmt=``.
+
+
+References
+==========
+[1] Documentation/filesystems/fsverity.rst
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index be965a8715e4..ab257e404f8e 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -262,7 +262,8 @@ int ima_get_action(struct user_namespace *mnt_userns, struct inode *inode,
int ima_must_measure(struct inode *inode, int mask, enum ima_hooks func);
int ima_collect_measurement(struct integrity_iint_cache *iint,
struct file *file, void *buf, loff_t size,
- enum hash_algo algo, struct modsig *modsig);
+ enum hash_algo algo, struct modsig *modsig,
+ bool veritysig);
void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file,
const unsigned char *filename,
struct evm_ima_xattr_data *xattr_value,
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index a64fb0130b01..7505563315cb 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -212,7 +212,8 @@ int ima_get_action(struct user_namespace *mnt_userns, struct inode *inode,
*/
int ima_collect_measurement(struct integrity_iint_cache *iint,
struct file *file, void *buf, loff_t size,
- enum hash_algo algo, struct modsig *modsig)
+ enum hash_algo algo, struct modsig *modsig,
+ bool veritysig)
{
const char *audit_cause = "failed";
struct inode *inode = file_inode(file);
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index d43a27a9a9b6..549fe051269a 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -510,7 +510,8 @@ void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file)
!(iint->flags & IMA_HASH))
return;
- rc = ima_collect_measurement(iint, file, NULL, 0, ima_hash_algo, NULL);
+ rc = ima_collect_measurement(iint, file, NULL, 0, ima_hash_algo,
+ NULL, false);
if (rc < 0)
return;
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 465865412100..4b6b13becb16 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -216,6 +216,7 @@ static int process_measurement(struct file *file, const struct cred *cred,
bool violation_check;
enum hash_algo hash_algo;
unsigned int allowed_algos = 0;
+ int veritysig = false;
if (!ima_policy_flag || !S_ISREG(inode->i_mode))
return 0;
@@ -333,8 +334,12 @@ static int process_measurement(struct file *file, const struct cred *cred,
}
hash_algo = ima_get_hash_algo(xattr_value, xattr_len);
+ if (xattr_value && xattr_value->type == IMA_VERITY_DIGSIG &&
+ strcmp(template_desc->name, "ima-sig") == 0)
+ veritysig = true;
- rc = ima_collect_measurement(iint, file, buf, size, hash_algo, modsig);
+ rc = ima_collect_measurement(iint, file, buf, size, hash_algo,
+ modsig, veritysig);
if (rc != 0 && rc != -EBADF && rc != -EINVAL)
goto out_locked;
diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c
index ca017cae73eb..5bad251f3b07 100644
--- a/security/integrity/ima/ima_template_lib.c
+++ b/security/integrity/ima/ima_template_lib.c
@@ -478,7 +478,8 @@ int ima_eventsig_init(struct ima_event_data *event_data,
{
struct evm_ima_xattr_data *xattr_value = event_data->xattr_value;
- if ((!xattr_value) || (xattr_value->type != EVM_IMA_XATTR_DIGSIG))
+ if ((!xattr_value) || !(xattr_value->type == EVM_IMA_XATTR_DIGSIG ||
+ xattr_value->type == IMA_VERITY_DIGSIG))
return ima_eventevmsig_init(event_data, field_data);
return ima_write_template_field_data(xattr_value, event_data->xattr_len,
--
2.27.0