[v2] integrity: Always reference the blacklist keyring with apprasial
Commit Message
Commit 273df864cf746 ("ima: Check against blacklisted hashes for files with
modsig") introduced an appraise_flag option for referencing the blacklist
keyring. Any matching binary found on this keyring fails signature
validation. This flag only works with module appended signatures.
An important part of a PKI infrastructure is to have the ability to do
revocation at a later time should a vulnerability be found. Expand the
revocation flag usage to all appraisal functions. The flag is now
enabled by default. Setting the flag with an IMA policy has been
deprecated. Without a revocation capability like this in place, only
authenticity can be maintained. With this change, integrity can now be
achieved with digital signature based IMA appraisal.
Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
---
v2 changes requested by Mimi:
Update the "case Opt_apprase_flag"
Removed "appraise_flag=" in the powerpc arch specific policy rules
---
Documentation/ABI/testing/ima_policy | 6 +++---
arch/powerpc/kernel/ima_arch.c | 8 ++++----
security/integrity/ima/ima_appraise.c | 12 +++++++-----
security/integrity/ima/ima_policy.c | 15 +++++----------
4 files changed, 19 insertions(+), 22 deletions(-)
Comments
On Wed, 2023-07-05 at 18:52 -0400, Eric Snowberg wrote:
> Commit 273df864cf746 ("ima: Check against blacklisted hashes for files with
> modsig") introduced an appraise_flag option for referencing the blacklist
> keyring. Any matching binary found on this keyring fails signature
> validation. This flag only works with module appended signatures.
>
> An important part of a PKI infrastructure is to have the ability to do
> revocation at a later time should a vulnerability be found. Expand the
> revocation flag usage to all appraisal functions. The flag is now
> enabled by default. Setting the flag with an IMA policy has been
> deprecated. Without a revocation capability like this in place, only
> authenticity can be maintained. With this change, integrity can now be
> achieved with digital signature based IMA appraisal.
>
> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
Thanks, Eric. Other than including "appraise_flag=check_blacklist"
when displaying the measurement list, it looks good.
> On Jul 12, 2023, at 11:40 AM, Mimi Zohar <zohar@linux.ibm.com> wrote:
>
> On Wed, 2023-07-05 at 18:52 -0400, Eric Snowberg wrote:
>> Commit 273df864cf746 ("ima: Check against blacklisted hashes for files with
>> modsig") introduced an appraise_flag option for referencing the blacklist
>> keyring. Any matching binary found on this keyring fails signature
>> validation. This flag only works with module appended signatures.
>>
>> An important part of a PKI infrastructure is to have the ability to do
>> revocation at a later time should a vulnerability be found. Expand the
>> revocation flag usage to all appraisal functions. The flag is now
>> enabled by default. Setting the flag with an IMA policy has been
>> deprecated. Without a revocation capability like this in place, only
>> authenticity can be maintained. With this change, integrity can now be
>> achieved with digital signature based IMA appraisal.
>>
>> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
>
> Thanks, Eric. Other than including "appraise_flag=check_blacklist"
> when displaying the measurement list, it looks good.
Thanks for your review.
I want to make sure I understand the request here. Do you mean you
don’t want to see “appraise_flag=check_blacklist” when you cat
/sys/kernel/security/ima/policy? Or are you referencing a change in the
/sys/kernel/security/ima/ascii_runtime_measurements list? Thanks.
On Wed, 2023-07-12 at 21:12 +0000, Eric Snowberg wrote:
>
> > On Jul 12, 2023, at 11:40 AM, Mimi Zohar <zohar@linux.ibm.com> wrote:
> >
> > On Wed, 2023-07-05 at 18:52 -0400, Eric Snowberg wrote:
> >> Commit 273df864cf746 ("ima: Check against blacklisted hashes for files with
> >> modsig") introduced an appraise_flag option for referencing the blacklist
> >> keyring. Any matching binary found on this keyring fails signature
> >> validation. This flag only works with module appended signatures.
> >>
> >> An important part of a PKI infrastructure is to have the ability to do
> >> revocation at a later time should a vulnerability be found. Expand the
> >> revocation flag usage to all appraisal functions. The flag is now
> >> enabled by default. Setting the flag with an IMA policy has been
> >> deprecated. Without a revocation capability like this in place, only
> >> authenticity can be maintained. With this change, integrity can now be
> >> achieved with digital signature based IMA appraisal.
> >>
> >> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
> >
> > Thanks, Eric. Other than including "appraise_flag=check_blacklist"
> > when displaying the measurement list, it looks good.
>
> Thanks for your review.
>
> I want to make sure I understand the request here. Do you mean you
> don’t want to see “appraise_flag=check_blacklist” when you cat
> /sys/kernel/security/ima/policy? Or are you referencing a change in the
> /sys/kernel/security/ima/ascii_runtime_measurements list? Thanks.
The IMA policy rules as displayed via <securityfs>/ima/policy should
not contain “appraise_flag=check_blacklist".
> On Jul 12, 2023, at 3:33 PM, Mimi Zohar <zohar@linux.ibm.com> wrote:
>
> On Wed, 2023-07-12 at 21:12 +0000, Eric Snowberg wrote:
>>
>>> On Jul 12, 2023, at 11:40 AM, Mimi Zohar <zohar@linux.ibm.com> wrote:
>>>
>>> On Wed, 2023-07-05 at 18:52 -0400, Eric Snowberg wrote:
>>>> Commit 273df864cf746 ("ima: Check against blacklisted hashes for files with
>>>> modsig") introduced an appraise_flag option for referencing the blacklist
>>>> keyring. Any matching binary found on this keyring fails signature
>>>> validation. This flag only works with module appended signatures.
>>>>
>>>> An important part of a PKI infrastructure is to have the ability to do
>>>> revocation at a later time should a vulnerability be found. Expand the
>>>> revocation flag usage to all appraisal functions. The flag is now
>>>> enabled by default. Setting the flag with an IMA policy has been
>>>> deprecated. Without a revocation capability like this in place, only
>>>> authenticity can be maintained. With this change, integrity can now be
>>>> achieved with digital signature based IMA appraisal.
>>>>
>>>> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
>>>
>>> Thanks, Eric. Other than including "appraise_flag=check_blacklist"
>>> when displaying the measurement list, it looks good.
>>
>> Thanks for your review.
>>
>> I want to make sure I understand the request here. Do you mean you
>> don’t want to see “appraise_flag=check_blacklist” when you cat
>> /sys/kernel/security/ima/policy? Or are you referencing a change in the
>> /sys/kernel/security/ima/ascii_runtime_measurements list? Thanks.
>
> The IMA policy rules as displayed via <securityfs>/ima/policy should
> not contain “appraise_flag=check_blacklist".
Ok, I will fix this in v3, thanks.
@@ -57,9 +57,9 @@ Description:
stored in security.ima xattr. Requires
specifying "digest_type=verity" first.)
- appraise_flag:= [check_blacklist]
- Currently, blacklist check is only for files signed with appended
- signature.
+ appraise_flag:= [check_blacklist] (deprecated)
+ Setting the check_blacklist flag is no longer necessary.
+ All apprasial functions set it by default.
digest_type:= verity
Require fs-verity's file digest instead of the
regular IMA file hash.
@@ -23,9 +23,9 @@ bool arch_ima_get_secureboot(void)
* is not enabled.
*/
static const char *const secure_rules[] = {
- "appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
+ "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig",
#ifndef CONFIG_MODULE_SIG
- "appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
+ "appraise func=MODULE_CHECK appraise_type=imasig|modsig",
#endif
NULL
};
@@ -49,9 +49,9 @@ static const char *const trusted_rules[] = {
static const char *const secure_and_trusted_rules[] = {
"measure func=KEXEC_KERNEL_CHECK template=ima-modsig",
"measure func=MODULE_CHECK template=ima-modsig",
- "appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
+ "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig",
#ifndef CONFIG_MODULE_SIG
- "appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
+ "appraise func=MODULE_CHECK appraise_type=imasig|modsig",
#endif
NULL
};
@@ -458,11 +458,13 @@ int ima_check_blacklist(struct integrity_iint_cache *iint,
ima_get_modsig_digest(modsig, &hash_algo, &digest, &digestsize);
rc = is_binary_blacklisted(digest, digestsize);
- if ((rc == -EPERM) && (iint->flags & IMA_MEASURE))
- process_buffer_measurement(&nop_mnt_idmap, NULL, digest, digestsize,
- "blacklisted-hash", NONE,
- pcr, NULL, false, NULL, 0);
- }
+ } else if (iint->flags & IMA_DIGSIG_REQUIRED && iint->ima_hash)
+ rc = is_binary_blacklisted(iint->ima_hash->digest, iint->ima_hash->length);
+
+ if ((rc == -EPERM) && (iint->flags & IMA_MEASURE))
+ process_buffer_measurement(&nop_mnt_idmap, NULL, digest, digestsize,
+ "blacklisted-hash", NONE,
+ pcr, NULL, false, NULL, 0);
return rc;
}
@@ -1279,7 +1279,7 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
IMA_FSNAME | IMA_GID | IMA_EGID |
IMA_FGROUP | IMA_DIGSIG_REQUIRED |
IMA_PERMIT_DIRECTIO | IMA_VALIDATE_ALGOS |
- IMA_VERITY_REQUIRED))
+ IMA_CHECK_BLACKLIST | IMA_VERITY_REQUIRED))
return false;
break;
@@ -1354,7 +1354,7 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
/* Ensure that combinations of flags are compatible with each other */
if (entry->flags & IMA_CHECK_BLACKLIST &&
- !(entry->flags & IMA_MODSIG_ALLOWED))
+ !(entry->flags & IMA_DIGSIG_REQUIRED))
return false;
/*
@@ -1802,11 +1802,11 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
if (entry->flags & IMA_VERITY_REQUIRED)
result = -EINVAL;
else
- entry->flags |= IMA_DIGSIG_REQUIRED;
+ entry->flags |= IMA_DIGSIG_REQUIRED | IMA_CHECK_BLACKLIST;
} else if (strcmp(args[0].from, "sigv3") == 0) {
/* Only fsverity supports sigv3 for now */
if (entry->flags & IMA_VERITY_REQUIRED)
- entry->flags |= IMA_DIGSIG_REQUIRED;
+ entry->flags |= IMA_DIGSIG_REQUIRED | IMA_CHECK_BLACKLIST;
else
result = -EINVAL;
} else if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) &&
@@ -1815,18 +1815,13 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
result = -EINVAL;
else
entry->flags |= IMA_DIGSIG_REQUIRED |
- IMA_MODSIG_ALLOWED;
+ IMA_MODSIG_ALLOWED | IMA_CHECK_BLACKLIST;
} else {
result = -EINVAL;
}
break;
case Opt_appraise_flag:
ima_log_string(ab, "appraise_flag", args[0].from);
- if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) &&
- strstr(args[0].from, "blacklist"))
- entry->flags |= IMA_CHECK_BLACKLIST;
- else
- result = -EINVAL;
break;
case Opt_appraise_algos:
ima_log_string(ab, "appraise_algos", args[0].from);