2011-03-09 22:13:22 +03:00
/*
* Copyright ( C ) 2009 - 2010 IBM Corporation
*
* Authors :
* Mimi Zohar < zohar @ us . ibm . com >
*
* This program is free software ; you can redistribute it and / or
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation , version 2 of the
* License .
*
*/
# include <linux/types.h>
# include <linux/integrity.h>
# include <crypto/sha.h>
/* iint cache flags */
ima: integrity appraisal extension
IMA currently maintains an integrity measurement list used to assert the
integrity of the running system to a third party. The IMA-appraisal
extension adds local integrity validation and enforcement of the
measurement against a "good" value stored as an extended attribute
'security.ima'. The initial methods for validating 'security.ima' are
hashed based, which provides file data integrity, and digital signature
based, which in addition to providing file data integrity, provides
authenticity.
This patch creates and maintains the 'security.ima' xattr, containing
the file data hash measurement. Protection of the xattr is provided by
EVM, if enabled and configured.
Based on policy, IMA calls evm_verifyxattr() to verify a file's metadata
integrity and, assuming success, compares the file's current hash value
with the one stored as an extended attribute in 'security.ima'.
Changelov v4:
- changed iint cache flags to hex values
Changelog v3:
- change appraisal default for filesystems without xattr support to fail
Changelog v2:
- fix audit msg 'res' value
- removed unused 'ima_appraise=' values
Changelog v1:
- removed unused iint mutex (Dmitry Kasatkin)
- setattr hook must not reset appraised (Dmitry Kasatkin)
- evm_verifyxattr() now differentiates between no 'security.evm' xattr
(INTEGRITY_NOLABEL) and no EVM 'protected' xattrs included in the
'security.evm' (INTEGRITY_NOXATTRS).
- replace hash_status with ima_status (Dmitry Kasatkin)
- re-initialize slab element ima_status on free (Dmitry Kasatkin)
- include 'security.ima' in EVM if CONFIG_IMA_APPRAISE, not CONFIG_IMA
- merged half "ima: ima_must_appraise_or_measure API change" (Dmitry Kasatkin)
- removed unnecessary error variable in process_measurement() (Dmitry Kasatkin)
- use ima_inode_post_setattr() stub function, if IMA_APPRAISE not configured
(moved ima_inode_post_setattr() to ima_appraise.c)
- make sure ima_collect_measurement() can read file
Changelog:
- add 'iint' to evm_verifyxattr() call (Dimitry Kasatkin)
- fix the race condition between chmod, which takes the i_mutex and then
iint->mutex, and ima_file_free() and process_measurement(), which take
the locks in the reverse order, by eliminating iint->mutex. (Dmitry Kasatkin)
- cleanup of ima_appraise_measurement() (Dmitry Kasatkin)
- changes as a result of the iint not allocated for all regular files, but
only for those measured/appraised.
- don't try to appraise new/empty files
- expanded ima_appraisal description in ima/Kconfig
- IMA appraise definitions required even if IMA_APPRAISE not enabled
- add return value to ima_must_appraise() stub
- unconditionally set status = INTEGRITY_PASS *after* testing status,
not before. (Found by Joe Perches)
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
2012-02-13 19:15:05 +04:00
# define IMA_MEASURE 0x01
# define IMA_MEASURED 0x02
# define IMA_APPRAISE 0x04
# define IMA_APPRAISED 0x08
# define IMA_COLLECTED 0x10
ima: digital signature verification support
This patch adds support for digital signature based integrity appraisal.
With this patch, 'security.ima' contains either the file data hash or
a digital signature of the file data hash. The file data hash provides
the security attribute of file integrity. In addition to file integrity,
a digital signature provides the security attribute of authenticity.
Unlike EVM, when the file metadata changes, the digital signature is
replaced with an HMAC, modification of the file data does not cause the
'security.ima' digital signature to be replaced with a hash. As a
result, after any modification, subsequent file integrity appraisals
would fail.
Although digitally signed files can be modified, but by not updating
'security.ima' to reflect these modifications, in essence digitally
signed files could be considered 'immutable'.
IMA uses a different keyring than EVM. While the EVM keyring should not
be updated after initialization and locked, the IMA keyring should allow
updating or adding new keys when upgrading or installing packages.
Changelog v4:
- Change IMA_DIGSIG to hex equivalent
Changelog v3:
- Permit files without any 'security.ima' xattr to be labeled properly.
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
2011-08-31 15:07:06 +04:00
# define IMA_DIGSIG 0x20
2011-03-09 22:13:22 +03:00
2011-03-09 22:28:20 +03:00
enum evm_ima_xattr_type {
IMA_XATTR_DIGEST = 0x01 ,
EVM_XATTR_HMAC ,
EVM_IMA_XATTR_DIGSIG ,
} ;
struct evm_ima_xattr_data {
u8 type ;
u8 digest [ SHA1_DIGEST_SIZE ] ;
} __attribute__ ( ( packed ) ) ;
2011-03-09 22:13:22 +03:00
/* integrity data associated with an inode */
struct integrity_iint_cache {
struct rb_node rb_node ; /* rooted in integrity_iint_tree */
struct inode * inode ; /* back pointer to inode in question */
u64 version ; /* track inode changes */
unsigned char flags ;
2012-01-10 07:59:36 +04:00
struct evm_ima_xattr_data ima_xattr ;
ima: integrity appraisal extension
IMA currently maintains an integrity measurement list used to assert the
integrity of the running system to a third party. The IMA-appraisal
extension adds local integrity validation and enforcement of the
measurement against a "good" value stored as an extended attribute
'security.ima'. The initial methods for validating 'security.ima' are
hashed based, which provides file data integrity, and digital signature
based, which in addition to providing file data integrity, provides
authenticity.
This patch creates and maintains the 'security.ima' xattr, containing
the file data hash measurement. Protection of the xattr is provided by
EVM, if enabled and configured.
Based on policy, IMA calls evm_verifyxattr() to verify a file's metadata
integrity and, assuming success, compares the file's current hash value
with the one stored as an extended attribute in 'security.ima'.
Changelov v4:
- changed iint cache flags to hex values
Changelog v3:
- change appraisal default for filesystems without xattr support to fail
Changelog v2:
- fix audit msg 'res' value
- removed unused 'ima_appraise=' values
Changelog v1:
- removed unused iint mutex (Dmitry Kasatkin)
- setattr hook must not reset appraised (Dmitry Kasatkin)
- evm_verifyxattr() now differentiates between no 'security.evm' xattr
(INTEGRITY_NOLABEL) and no EVM 'protected' xattrs included in the
'security.evm' (INTEGRITY_NOXATTRS).
- replace hash_status with ima_status (Dmitry Kasatkin)
- re-initialize slab element ima_status on free (Dmitry Kasatkin)
- include 'security.ima' in EVM if CONFIG_IMA_APPRAISE, not CONFIG_IMA
- merged half "ima: ima_must_appraise_or_measure API change" (Dmitry Kasatkin)
- removed unnecessary error variable in process_measurement() (Dmitry Kasatkin)
- use ima_inode_post_setattr() stub function, if IMA_APPRAISE not configured
(moved ima_inode_post_setattr() to ima_appraise.c)
- make sure ima_collect_measurement() can read file
Changelog:
- add 'iint' to evm_verifyxattr() call (Dimitry Kasatkin)
- fix the race condition between chmod, which takes the i_mutex and then
iint->mutex, and ima_file_free() and process_measurement(), which take
the locks in the reverse order, by eliminating iint->mutex. (Dmitry Kasatkin)
- cleanup of ima_appraise_measurement() (Dmitry Kasatkin)
- changes as a result of the iint not allocated for all regular files, but
only for those measured/appraised.
- don't try to appraise new/empty files
- expanded ima_appraisal description in ima/Kconfig
- IMA appraise definitions required even if IMA_APPRAISE not enabled
- add return value to ima_must_appraise() stub
- unconditionally set status = INTEGRITY_PASS *after* testing status,
not before. (Found by Joe Perches)
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
2012-02-13 19:15:05 +04:00
enum integrity_status ima_status ;
2011-05-06 12:34:17 +04:00
enum integrity_status evm_status ;
2011-03-09 22:13:22 +03:00
} ;
/* rbtree tree calls to lookup, insert, delete
* integrity data associated with an inode .
*/
struct integrity_iint_cache * integrity_iint_insert ( struct inode * inode ) ;
struct integrity_iint_cache * integrity_iint_find ( struct inode * inode ) ;
2011-08-17 04:34:33 +04:00
2011-10-05 12:54:46 +04:00
# define INTEGRITY_KEYRING_EVM 0
# define INTEGRITY_KEYRING_MODULE 1
# define INTEGRITY_KEYRING_IMA 2
# define INTEGRITY_KEYRING_MAX 3
2012-01-17 19:12:07 +04:00
# ifdef CONFIG_INTEGRITY_SIGNATURE
2011-10-05 12:54:46 +04:00
int integrity_digsig_verify ( const unsigned int id , const char * sig , int siglen ,
const char * digest , int digestlen ) ;
# else
static inline int integrity_digsig_verify ( const unsigned int id ,
const char * sig , int siglen ,
const char * digest , int digestlen )
{
return - EOPNOTSUPP ;
}
2012-01-17 19:12:07 +04:00
# endif /* CONFIG_INTEGRITY_SIGNATURE */
2011-10-05 12:54:46 +04:00
2011-08-17 04:34:33 +04:00
/* set during initialization */
extern int iint_initialized ;
