linux-ima-user — Q&A for users of IMA

[Linux-ima-user] [RFC v5 00/11] RPM: Include and install file signatures

[<fi...@li...>]

IMA-appraisal, upstreamed in linux-3.7, enforces local file integrity based on
a known 'good' value stored as an extended attribute 'security.ima'. Labeling
the filesystem is currently done post install using a local private key.
Including file signatures in the package provides not only file integrity, but
file provenance.

This patch set extends the existing rpm signing tool to include file 
signatures in packages, and adds a plugin that installs file signatures using
the psm_post hook. 

There are new options to rpmsign - signfiles and fskpath.

rpm --addsign [--signfiles [--fskpath <file signing key>]] PACKAGE_FILE ...

Signfiles signs all the file digests included in the package with libimaevm
and stores the signatures in the package header under the tag
RPMTAG_FILESIGNATURES. The file signing key can be provided with the option
fskpath, or in a macro file with %_file_signing_key.

After including file signatures, the packages are signed normally.

When a package with signed files is installed, rpmfilesPopulate extracts file
signatures from the package header and stores them (in binary) in rpmfiles
struct. Then the ima plugin instantiates the psm_post hook and writes the file
signatures to security.ima xattr.

Changelog v5:
-config file signatures are filtered and not installed
-removed rpmfiFSignatureHex because it wasn't used
-added guard to file signature code in rpmfilesPopulate
-fixed whitespace in rpmfi.c
-reordered patches to fix dependencies

Changelog v4:
-split patch set into more patches
-added file signature interfaces to rpmfi
-fixed types and buffer sizes
-removed double logging of errors
-removed changes to API/ABI
-moved file signature installation to ima plugin
-removed support for inline signing of files

Changelog v3:
-split up patch

Changelog v2:
-support for inline signing of files
-command line option for file signing key
-include missing file
-fixed typo in rpmDigestAlgo

Signed-off-by: Fionnuala Gunter <fi...@li...>

Fionnuala Gunter (11):
  Refactor copyFile to not close files
  Export generateSignature
  Subroutine for dumping immutable region of header
  Add rpmtags for file signatures and their length
  Add support for file signatures to rpmfi and rpmfiles
  Configure option to build with imaevm support
  Add file signature support to rpmsign command
  Add file signature support to package signing
  Sign file digests and store signatures in header
  IMA plugin labels ima xattr with file signatures
  Documentation for file signing

 build/pack.c        |  90 +-----------------------
 configure.ac        |   8 +++
 doc/rpmsign.8       |  22 +++++-
 lib/Makefile.am     |   3 +-
 lib/rpmfi.c         |  45 +++++++++++-
 lib/rpmfi.h         |   8 +++
 lib/rpmfiles.h      |  10 +++
 lib/rpmsignfiles.c  | 124 ++++++++++++++++++++++++++++++++
 lib/rpmsignfiles.h  |  20 ++++++
 lib/rpmtag.h        |   2 +
 lib/signature.c     |  87 +++++++++++++++++++++++
 lib/signature.h     |  11 +++
 macros.in           |   1 +
 plugins/Makefile.am |   4 ++
 plugins/ima.c       |  60 ++++++++++++++++
 rpmpopt.in          |   1 +
 rpmsign.c           |  24 ++++++-
 sign/rpmgensig.c    | 199 ++++++++++++++++++++++++++++++++++++++++++++++------
 sign/rpmsign.h      |   1 +
 19 files changed, 605 insertions(+), 115 deletions(-)
 create mode 100644 lib/rpmsignfiles.c
 create mode 100644 lib/rpmsignfiles.h
 create mode 100644 plugins/ima.c

-- 
2.1.0

Re: [Linux-ima-user] Tried to sign files and read with getfattr (unsuccessfully)

[Curtis V. <cr...@so...>]

Thanks for the quick reply, that was exactly the problem.
can't believe I missed that. 

On Fri, Jan 23, 2015 at 03:58:35PM +0200, Dmitry Kasatkin wrote:
> Hi,
> 
> 
> On 23 January 2015 at 07:04, Curtis Veit <cr...@so...> wrote:
> 
> >
> > In all cases the result shown by "getfattr -e hex test.txt" is blank.
> > I was able to set and read xattrs with getfattr and also was able to
> > use -f to create a .sig file containing a signature.
> >
> >
> ​By default getfattr does not read "security" attributes.
> Use -m option
> 
> getfattr -h -e hex -d -m security foo
> 
> - Dmitry
> 

Looking forward to using my newfound xattr based security powers.

Best regards,
Curtis

Re: [Linux-ima-user] Tried to sign files and read with getfattr (unsuccessfully)

[Dmitry K. <dmi...@gm...>]

Hi,


On 23 January 2015 at 07:04, Curtis Veit <cr...@so...> wrote:

> Thanks for the help Mimi, Sorry about all the questions and issues.
> Hoping someone on the list might have an idea about what I'm doing wrong.
>
> I have found that something is going wrong when I attempt to sign files.
> I have tried the following on three systems.
> - Unbuntu 14.04 development system.
> - Ubuntu 14.04 server target system (pretty much bare bones)
> - Ubuntu 14.10 server (To try the Ubuntu compiled evmctl 0.8 from
>   ima-evm-utils deb)
> On the 14.04 systems I compiled the 0.9 version of ima-evm-utilities.
>
> I followed the instructions (all excpt TPM) for making keys and certs in
> the evmctl(1) document. There are a number of methods shown and honestly
> I am not sure which is best. (recommendations?) I have tried using several
> of the resulting keys for signing but would prefer to use "trusted"
>  keys signed as shown in the last section before the signing examples.
>
> I tried the following commands on a short text file and examined the result
> with "getfattr -e hex test.txt"
> "evmctl sign --imahash test.txt"
> "evmctl sign --rsa --imahash test.txt"
> "evmctl sign --imasig test.txt"
> "evmctl sign --rsa --imasig test.txt"
> "evmctl ima_sign test.txt"
> "evmctl ima_sign --rsa test.txt"
>
> In all cases the result shown by "getfattr -e hex test.txt" is blank.
> I was able to set and read xattrs with getfattr and also was able to
> use -f to create a .sig file containing a signature.
>
>
​By default getfattr does not read "security" attributes.
Use -m option

getfattr -h -e hex -d -m security foo

- Dmitry

​


> Any ideas about why I am not getting xattrs signatures when using evnctl?
>
> Thanks and best regards!
>
>
> ------------------------------------------------------------------------------
> New Year. New Location. New Benefits. New Data Center in Ashburn, VA.
> GigeNET is offering a free month of service with a new server in Ashburn.
> Choose from 2 high performing configs, both with 100TB of bandwidth.
> Higher redundancy.Lower latency.Increased capacity.Completely compliant.
> http://p.sf.net/sfu/gigenet
> _______________________________________________
> Linux-ima-user mailing list
> Lin...@li...
> https://lists.sourceforge.net/lists/listinfo/linux-ima-user
>



-- 
Thanks,
Dmitry

[Linux-ima-user] Tried to sign files and read with getfattr (unsuccessfully)

[Curtis V. <cr...@so...>]

Thanks for the help Mimi, Sorry about all the questions and issues.
Hoping someone on the list might have an idea about what I'm doing wrong.

I have found that something is going wrong when I attempt to sign files.
I have tried the following on three systems.
- Unbuntu 14.04 development system.
- Ubuntu 14.04 server target system (pretty much bare bones)
- Ubuntu 14.10 server (To try the Ubuntu compiled evmctl 0.8 from
  ima-evm-utils deb)
On the 14.04 systems I compiled the 0.9 version of ima-evm-utilities.

I followed the instructions (all excpt TPM) for making keys and certs in 
the evmctl(1) document. There are a number of methods shown and honestly 
I am not sure which is best. (recommendations?) I have tried using several 
of the resulting keys for signing but would prefer to use "trusted"
 keys signed as shown in the last section before the signing examples.

I tried the following commands on a short text file and examined the result
with "getfattr -e hex test.txt"
"evmctl sign --imahash test.txt"
"evmctl sign --rsa --imahash test.txt"
"evmctl sign --imasig test.txt"
"evmctl sign --rsa --imasig test.txt"
"evmctl ima_sign test.txt"
"evmctl ima_sign --rsa test.txt"

In all cases the result shown by "getfattr -e hex test.txt" is blank.
I was able to set and read xattrs with getfattr and also was able to
use -f to create a .sig file containing a signature.

Any ideas about why I am not getting xattrs signatures when using evnctl?

Thanks and best regards!

Re: [Linux-ima-user] Is this a chicken and egg problem or am I taking the wrong approach?

[Mimi Z. <zo...@li...>]

On Wed, 2015-01-21 at 22:42 -0700, Curtis Veit wrote: 
> I have been experimenting a little with IMA and there seems to be 
> several chicken and egg problems...
> (I am working on a system without TPM. I am not certain if having a TPM would 
> change the result.)

Without a TPM, the measurements are added to the measurement list,
without extending the TPM PCR.  There should be a log message "No TPM
chip found, activating TPM-bypass!" noting this.

> First chicken and egg problem encountered:

The need for labeling the filesystem should be addressed when software
packages include and install the file signatures.  For now, the
filesystem needs to be labeled post install.

> I attempted to start a kernel with "ima_tcb and ima_appraise_tcb" on the 
> command line (no files have been hashed or signed)
> The kernel complains that init cannot be executed. (This was expected.)

> So I rebooted with kernel args = "ima_tcb and ima_appraise_tcb ima_appraise=fix"
> And of course the system operated correctly (and made hashes for items used 
> during boot looked at the ascii list of hashes and did other development 
> tasks on the system.)

The hashes are stored as extended attributes.  To view them, use
getfattr with the "-e hex" option.

> I changed the command line back to "ima_tcb and ima_appraise_tcb".
> Interesting enough the kernel seemed to freeze at
> [  9.705228] hrtimer:interrupt took 26204054 ns
> 
> I waited a bit and then hit "return" key. This gave a prompt.
> #
> So I tried
> #whoami
> I got an audit error with cause="missing hash"
> 
> So I tried
> #ls -l
> And got a directory listing
> 
> I successfully tried quite a number of things. The system is in a relatively 
> functional state. So I tried loading my test policy (which only prevents 
> executables owned by user 1000 from running)

Loading a different policy replaced the ima_appraise_tcb policy.  If you
didn't include the default rules, they're gone.  Any changes made after
that point were not reflected in the file hashes.

> #cat my_policy > /sys/kernel/security/ima/policy
> Too bad that directory does not exist. Nothing is mounted on /sys yet.

> I am not certain why we have enough hashes to allow an incomplete boot into 
> an almost working  system. While other hashes that I know I must have 
> generated in the previous boot seem to be gone.
> 
> I apparently have missed something important.

Something is probably not labeled properly.

> If I cannot have all my hashes available across reboots on a system without a 
> TPM then the default policy will pose a problem for booting a production 
> system. (Note that the TPM may have nothing to do with this...)

Extended attributes are persistent across reboots.

> The only other thing I can think of is that I may have forgotten 
> i_version support in mounting. Need to check that tomorrow. Any comments and 
> suggestions would be welcomed.
> 
> Another thought. When does IMA actually become active when booting with 
> and without an initrd/initramfs? (If using an initramfs delays ima becoming 
> active then perhaps that give a window for cleaning up? If so my booting 
> without might be contribting to the problem.

The initramfs patches I just posted have not been upstreamed yet.
Right, the initramfs is currently not being appraised.

Mimi

> next issue to be continued in another post.

Re: [Linux-ima-user] Is this a chicken and egg problem or am I taking the wrong approach?

[Curtis V. <cr...@so...>]

I thought I should add a quick comment or two.

- I did forget to add i_version to the mount options on this image.
I believe that the syntax in fstab for i_version is actually "iversion".
and that this allows the ima function to "notice" a filesystem change
so that it will remeasure a changed file. So this probably was not 
my problem. (I have now added iversion to my fstab.)

- my boot partition was set up to not automount so it is possible that
it was not measured but should have been measured. (I have changed this for 
testing - but would prefer to leave /boot unmounted during normal operation.
This can help avoid having an unbootable system after power failures.)

-unfortunatly I have changed to a kernel with a custom policy so it will be 
a little while before I can retest the boot behavior I mentioned in the post.


 

[Linux-ima-user] Is this a chicken and egg problem or am I taking the wrong approach?

[Curtis V. <cr...@so...>]

I have been experimenting a little with IMA and there seems to be 
several chicken and egg problems...
(I am working on a system without TPM. I am not certain if having a TPM would 
change the result.)

First chicken and egg problem encountered:
I attempted to start a kernel with "ima_tcb and ima_appraise_tcb" on the 
command line (no files have been hashed or signed)
The kernel complains that init cannot be executed. (This was expected.)

So I rebooted with kernel args = "ima_tcb and ima_appraise_tcb ima_appraise=fix"
And of course the system operated correctly (and made hashes for items used 
during boot looked at the ascii list of hashes and did other development 
tasks on the system.)

I changed the command line back to "ima_tcb and ima_appraise_tcb".
Interesting enough the kernel seemed to freeze at
[  9.705228] hrtimer:interrupt took 26204054 ns

I waited a bit and then hit "return" key. This gave a prompt.
#
So I tried
#whoami
I got an audit error with cause="missing hash"

So I tried
#ls -l
And got a directory listing

I successfully tried quite a number of things. The system is in a relatively 
functional state. So I tried loading my test policy (which only prevents 
executables owned by user 1000 from running) 
#cat my_policy > /sys/kernel/security/ima/policy
Too bad that directory does not exist. Nothing is mounted on /sys yet.

I am not certain why we have enough hashes to allow an incomplete boot into 
an almost working  system. While other hashes that I know I must have 
generated in the previous boot seem to be gone.

I apparently have missed something important.

If I cannot have all my hashes available across reboots on a system without a 
TPM then the default policy will pose a problem for booting a production 
system. (Note that the TPM may have nothing to do with this...)
The only other thing I can think of is that I may have forgotten 
i_version support in mounting. Need to check that tomorrow. Any comments and 
suggestions would be welcomed.

Another thought. When does IMA actually become active when booting with 
and without an initrd/initramfs? (If using an initramfs delays ima becoming 
active then perhaps that give a window for cleaning up? If so my booting 
without might be contribting to the problem.

next issue to be continued in another post.

Re: [Linux-ima-user] [RFC v4 08/11] Add file signature support to package signing

[<fi...@li...>]

From: Fionnuala Gunter <fi...@li...>

This update fixes two typos.
---
 sign/rpmgensig.c | 148 +++++++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 145 insertions(+), 3 deletions(-)

diff --git a/sign/rpmgensig.c b/sign/rpmgensig.c
index a48b4dd..848942c 100644
--- a/sign/rpmgensig.c
+++ b/sign/rpmgensig.c
@@ -16,9 +16,11 @@
 #include <rpm/rpmfileutil.h>	/* rpmMkTemp() */
 #include <rpm/rpmlog.h>
 #include <rpm/rpmstring.h>
+#include <rpmio/rpmio_internal.h>
 
 #include "lib/rpmlead.h"
 #include "lib/signature.h"
+#include "lib/rpmsignfiles.h"
 
 #include "debug.h"
 
@@ -487,14 +489,150 @@ static void unloadImmutableRegion(Header *hdrp, rpmTagVal tag, rpmtd utd)
     }
 }
 
+static rpmRC includeFileSignatures(FD_t fd, const char *rpm,
+				   Header *sigp, Header *hdrp,
+				   off_t sigStart, off_t headerStart)
+{
+    FD_t ofd = NULL;
+    struct rpmtd_s td;
+    char *trpm = NULL;
+    const char *key;
+    char *SHA1 = NULL;
+    uint8_t *MD5 = NULL;
+    unsigned char buf[32*BUFSIZ];
+    size_t sha1len;
+    size_t md5len;
+    off_t headerSize;
+    off_t archiveSize;
+    rpmRC rc = RPMRC_OK;
+
+    unloadImmutableRegion(hdrp, RPMTAG_HEADERIMMUTABLE, &td);
+
+    key = rpmExpand("%{?_file_signing_key}", NULL);
+
+    rc = rpmSignFiles(*hdrp, key);
+    if (rc != RPMRC_OK) {
+	goto exit;
+    }
+
+    *hdrp = headerReload(*hdrp, RPMTAG_HEADERIMMUTABLE);
+    if (*hdrp == NULL) {
+	rc = RPMRC_FAIL;
+	rpmlog(RPMLOG_ERR, _("headerReload failed\n"));
+	goto exit;
+    }
+
+    ofd = rpmMkTempFile(NULL, &trpm);
+    if (ofd == NULL || Ferror(ofd)) {
+	rc = RPMRC_FAIL;
+	rpmlog(RPMLOG_ERR, _("rpmMkTemp failed\n"));
+	goto exit;
+    }
+
+    /* Copy archive to temp file */
+    if (copyFile(&fd, rpm, &ofd, trpm)) {
+	rc = RPMRC_FAIL;
+	rpmlog(RPMLOG_ERR, _("copyFile failed\n"));
+	goto exit;
+    }
+
+    if (Fseek(fd, headerStart, SEEK_SET) < 0) {
+	rc = RPMRC_FAIL;
+	rpmlog(RPMLOG_ERR, _("Could not seek in file %s: %s\n"),
+		rpm, Fstrerror(fd));
+	goto exit;
+    }
+
+    /* Write header to rpm and recalculate SHA1 */
+    fdInitDigest(fd, PGPHASHALGO_SHA1, 0);
+    rc = headerWrite(fd, *hdrp, HEADER_MAGIC_YES);
+    if (rc != RPMRC_OK) {
+	rpmlog(RPMLOG_ERR, _("headerWrite failed\n"));
+	goto exit;
+    }
+    fdFiniDigest(fd, PGPHASHALGO_SHA1, (void **)&SHA1, &sha1len, 1);
+    headerSize = Ftell(fd) - headerStart;
+
+    /* Copy archive from temp file */
+    if (Fseek(ofd, 0, SEEK_SET) < 0) {
+	rc = RPMRC_FAIL;
+	rpmlog(RPMLOG_ERR, _("Could not seek in file %s: %s\n"),
+		rpm, Fstrerror(fd));
+	goto exit;
+    }
+    if (copyFile(&ofd, trpm, &fd, rpm)) {
+	rc = RPMRC_FAIL;
+	rpmlog(RPMLOG_ERR, _("copyFile failed\n"));
+	goto exit;
+    }
+    unlink(trpm);
+
+    /* Recalculate MD5 digest of header+archive */
+    if (Fseek(fd, headerStart, SEEK_SET) < 0) {
+	rc = RPMRC_FAIL;
+	rpmlog(RPMLOG_ERR, _("Could not seek in file %s: %s\n"),
+		rpm, Fstrerror(fd));
+	goto exit;
+    }
+    fdInitDigest(fd, PGPHASHALGO_MD5, 0);
+
+    while (Fread(buf, sizeof(buf[0]), sizeof(buf), fd) > 0);
+	;
+    if (Ferror(fd)) {
+	rc = RPMRC_FAIL;
+	rpmlog(RPMLOG_ERR, _("Fread failed in file %s: %s\n"),
+		rpm, Fstrerror(fd));
+	goto exit;
+    }
+    fdFiniDigest(fd, PGPHASHALGO_MD5, (void **)&MD5, &md5len, 0);
+
+    if (Fseek(fd, sigStart, SEEK_SET) < 0) {
+	rc = RPMRC_FAIL;
+	rpmlog(RPMLOG_ERR, _("Could not seek in file %s: %s\n"),
+		rpm, Fstrerror(fd));
+	goto exit;
+    }
+
+    /* Get payload size from signature tag */
+    archiveSize = headerGetNumber(*sigp, RPMSIGTAG_PAYLOADSIZE);
+    if (!archiveSize) {
+	archiveSize = headerGetNumber(*sigp, RPMSIGTAG_LONGARCHIVESIZE);
+    }
+
+    /* Replace old digests in sigh */
+    rc = rpmGenerateSignature(SHA1, MD5, headerSize, archiveSize, fd);
+    if (rc != RPMRC_OK) {
+	rpmlog(RPMLOG_ERR, _("generateSignature failed\n"));
+	goto exit;
+    }
+
+    if (Fseek(fd, sigStart, SEEK_SET) < 0) {
+	rc = RPMRC_FAIL;
+	rpmlog(RPMLOG_ERR, _("Could not seek in file %s: %s\n"),
+		rpm, Fstrerror(fd));
+	goto exit;
+    }
+
+    rc = rpmReadSignature(fd, sigp, RPMSIGTYPE_HEADERSIG, NULL);
+    if (rc != RPMRC_OK) {
+	rpmlog(RPMLOG_ERR, _("rpmReadSignature failed\n"));
+	goto exit;
+    }
+exit:
+if (ofd)    (void) closeFile(&ofd);
+    return rc;
+}
+
 /** \ingroup rpmcli
  * Create/modify elements in signature header.
  * @param rpm		path to package
  * @param deleting	adding or deleting signature?
+ * @param signfiles	sign files if non-zero
  * @param passPhrase	passPhrase (ignored when deleting)
  * @return		0 on success, -1 on error
  */
-static int rpmSign(const char *rpm, int deleting, const char *passPhrase)
+static int rpmSign(const char *rpm, int deleting, int signfiles,
+		   const char *passPhrase)
 {
     FD_t fd = NULL;
     FD_t ofd = NULL;
@@ -545,6 +683,10 @@ static int rpmSign(const char *rpm, int deleting, const char *passPhrase)
 	goto exit;
     }
 
+    if (signfiles) {
+	includeFileSignatures(fd, rpm, &sigh, &h, sigStart, headerStart);
+    }
+
     unloadImmutableRegion(&sigh, RPMTAG_HEADERSIGNATURES, &utd);
     origSigSize = headerSizeof(sigh, HEADER_MAGIC_YES);
 
@@ -695,7 +837,7 @@ int rpmPkgSign(const char *path,
 	}
     }
 
-    rc = rpmSign(path, 0, passPhrase);
+    rc = rpmSign(path, 0, args->signfiles, passPhrase);
 
     if (args) {
 	if (args->hashalgo) {
@@ -711,5 +853,5 @@ int rpmPkgSign(const char *path,
 
 int rpmPkgDelSign(const char *path)
 {
-    return rpmSign(path, 1, NULL);
+    return rpmSign(path, 1, 0, NULL);
 }
-- 
1.9.3

[Linux-ima-user] [RFC v4 11/11] Documentation for file signing

[<fi...@li...>]

This patch adds documentation for signing files.

Signed-off-by: Fionnuala Gunter <fi...@li...>
---
 doc/rpmsign.8 | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/doc/rpmsign.8 b/doc/rpmsign.8
index 53f2d70..b19f172 100644
--- a/doc/rpmsign.8
+++ b/doc/rpmsign.8
@@ -2,11 +2,17 @@
 .SH NAME
 rpmsign \- RPM Package Signing
 .SH SYNOPSIS
+.SS "SIGNING PACKAGES:"
+.PP
 
-\fBrpm\fR \fB--addsign|--resign\fR \fB\fIPACKAGE_FILE\fB\fR\fI ...\fR
+\fBrpm\fR \fB--addsign|--resign\fR [\fBrpmsign-options\fR] \fB\fIPACKAGE_FILE\fB\fR\fI ...\fR
 
 \fBrpm\fR \fB--delsign\fR \fB\fIPACKAGE_FILE\fB\fR\fI ...\fR
 
+.SS "rpmsign-options"
+.PP
+ \fB--fskpath \fIKEY\fB\fR] [\fB--signfiles\fR]
+
 .SH DESCRIPTION
 .PP
 Both of the \fB--addsign\fR and \fB--resign\fR
@@ -20,6 +26,19 @@ there is no difference in behavior currently.
 .PP
 Delete all signatures from each package \fIPACKAGE_FILE\fR given.
 
+.SS "SIGN OPTIONS"
+.PP
+.TP
+\fB--fskpath \fIKEY\fB\fR
+Used with \fB--signfiles\fR, use file signing key \fIKEY\fR.
+.TP
+\fB--signfiles\fR
+Sign package files. The macro \fB%_binary_filedigest_algorithm\fR must be set
+before building the package, and the macro must be set to a supported algorithm:
+2, 8, 9, or 10, which represent SHA1, SHA256, SHA384, and SHA512, respectively.
+The file signing key (RSA private key) can be configured on the command line
+with \fB--fskpath\fR or the macro \fB%_file_signing_key\fR.
+
 .SS "USING GPG TO SIGN PACKAGES"
 .PP
 In order to sign packages using GPG, \fBrpm\fR
@@ -78,4 +97,5 @@ Marc Ewing <ma...@re...>
 Jeff Johnson <jb...@re...>
 Erik Troan <ew...@re...>
 Panu Matilainen <pma...@re...>
+Fionnuala Gunter <fi...@li...>
 .fi
-- 
1.9.3

[Linux-ima-user] [RFC v4 10/11] IMA plugin labels ima xattr with file signatures

[<fi...@li...>]

This plugin extract file signatures from rpmfiles and writes them to
security.ima xattr.

Signed-off-by: Fionnnuala Gunter <fi...@li...>
---
 macros.in           |  1 +
 plugins/Makefile.am |  4 ++++
 plugins/ima.c       | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 62 insertions(+)
 create mode 100644 plugins/ima.c

diff --git a/macros.in b/macros.in
index 1647104..0b62991 100644
--- a/macros.in
+++ b/macros.in
@@ -1043,6 +1043,7 @@ done \
 %__transaction_systemd_inhibit	%{__plugindir}/systemd_inhibit.so
 %__transaction_selinux		%{__plugindir}/selinux.so
 %__transaction_syslog		%{__plugindir}/syslog.so
+%__transaction_ima		%{__plugindir}/ima.so
 
 #------------------------------------------------------------------------------
 # Macros for further automated spec %setup and patch application
diff --git a/plugins/Makefile.am b/plugins/Makefile.am
index 53b2450..5ddc174 100644
--- a/plugins/Makefile.am
+++ b/plugins/Makefile.am
@@ -31,3 +31,7 @@ endif
 syslog_la_SOURCES = syslog.c
 syslog_la_LIBADD = $(top_builddir)/lib/librpm.la $(top_builddir)/rpmio/librpmio.la
 plugins_LTLIBRARIES += syslog.la
+
+ima_la_sources = ima.c
+ima_la_LIBADD = $(top_builddir)/lib/librpm.la $(top_builddir)/rpmio/librpmio.la
+plugins_LTLIBRARIES += ima.la
diff --git a/plugins/ima.c b/plugins/ima.c
new file mode 100644
index 0000000..76f26b0
--- /dev/null
+++ b/plugins/ima.c
@@ -0,0 +1,57 @@
+#include <sys/xattr.h>
+
+#include <rpm/rpmfi.h>
+#include <rpm/rpmte.h>
+#include <rpm/rpmfiles.h>
+#include <rpm/rpmtypes.h>
+#include <rpmio/rpmstring.h>
+
+#include "lib/rpmfs.h"
+#include "lib/rpmplugin.h"
+#include "lib/rpmte_internal.h"
+
+#define XATTR_NAME_IMA "security.ima"
+
+static char * fsmFsPath(rpmfi fi, const char * suffix)
+{
+    return rstrscat(NULL, rpmfiDN(fi), rpmfiBN(fi), suffix? suffix : "", NULL);
+}
+
+static rpmRC ima_psm_post(rpmPlugin plugin, rpmte te, int res)
+{
+	rpmfiles files = rpmteFiles(te);
+	rpmfi fi = rpmteFI(te);
+	int i;
+	char *fpath;
+	const unsigned char * fsig = NULL;
+	size_t len;
+	int rc = 0;
+
+	if (fi == NULL) {
+	    rc = RPMERR_BAD_MAGIC;
+	    goto exit;
+	}
+
+	while (!rc) {
+	    rc = rpmfiNext(fi);
+	    i = rpmfiFX(fi);
+
+	    if (rc < 0) {
+		if (rc == RPMERR_ITER_END)
+		    rc = 0;
+		break;
+	    }
+
+	    fpath = fsmFsPath(fi, NULL);
+	    fsig = rpmfilesFSignature(files, i, &len);
+	    if (fsig) {
+		lsetxattr(fpath, XATTR_NAME_IMA, fsig, len, 0);
+	    }
+	}
+exit:
+	return rc;
+}
+
+struct rpmPluginHooks_s ima_hooks = {
+	.psm_post = ima_psm_post,
+};
-- 
1.9.3

[Linux-ima-user] [RFC v4 07/11] Add file signature support to rpmsign command

[<fi...@li...>]

This patch extends the rpmsign tool to sign package files. It adds new options
to rpmsign - signfiles and fskpath.

rpm --addsign [--signfiles [--fskpath <file-signing-key>]] PACKAGE

Signfiles signs all the file digests included in the package and stores the
signatures in the package header. The file signing key can be provided with
the new option fskpath, or in a macro file with %_file_signing_key. After 
including file signatures, the package is signed normally.

The package needs to be built with SHA-1 or SHA-2 digests before package files
are signed, this prerequisite is noted in rpmsign man page.

Signed-off-by: Fionnuala Gunter <fi...@li...>
---
 rpmpopt.in     |  1 +
 rpmsign.c      | 24 +++++++++++++++++++++++-
 sign/rpmsign.h |  1 +
 3 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/rpmpopt.in b/rpmpopt.in
index 036ab4e..df5e2ec 100644
--- a/rpmpopt.in
+++ b/rpmpopt.in
@@ -162,6 +162,7 @@ rpm	alias --httpproxy	--define '_httpproxy !#:+'
 rpm	exec --addsign		rpmsign --addsign
 rpm	exec --delsign		rpmsign --delsign
 rpm	exec --resign		rpmsign --resign
+#rpm	exec --signfiles	rpmsign --signfiles
 rpm	exec --checksig		rpmkeys --checksig
 rpm	exec -K			rpmkeys --checksig
 rpm	exec --import		rpmkeys --import
diff --git a/rpmsign.c b/rpmsign.c
index b8e5598..2e03de8 100644
--- a/rpmsign.c
+++ b/rpmsign.c
@@ -20,6 +20,9 @@ enum modes {
 
 static int mode = 0;
 
+static int signfiles = 0;
+static char * fileSigningKey = NULL;
+
 static struct poptOption signOptsTable[] = {
     { "addsign", '\0', (POPT_ARG_VAL|POPT_ARGFLAG_OR), &mode, MODE_ADDSIGN,
 	N_("sign package(s)"), NULL },
@@ -27,6 +30,11 @@ static struct poptOption signOptsTable[] = {
 	N_("sign package(s) (identical to --addsign)"), NULL },
     { "delsign", '\0', (POPT_ARG_VAL|POPT_ARGFLAG_OR), &mode, MODE_DELSIGN,
 	N_("delete package signatures"), NULL },
+    { "signfiles", '\0', POPT_ARG_NONE, &signfiles, 0,
+	N_("sign package(s) files"), NULL},
+    { "fskpath", '\0', POPT_ARG_STRING, &fileSigningKey, 0,
+	N_("use file signing key <key>"),
+	N_("<key>") },
     POPT_TABLEEND
 };
 
@@ -113,12 +121,26 @@ static int doSign(poptContext optCon)
     int rc = EXIT_FAILURE;
     char * passPhrase = NULL;
     char * name = rpmExpand("%{?_gpg_name}", NULL);
+    struct rpmSignArgs sig = {NULL, 0, 0};
 
     if (rstreq(name, "")) {
 	fprintf(stderr, _("You must set \"%%_gpg_name\" in your macro file\n"));
 	goto exit;
     }
 
+    if (fileSigningKey) {
+	addMacro(NULL, "_file_signing_key", NULL, fileSigningKey, RMIL_GLOBAL);
+    }
+
+    if (signfiles) {
+	const char *key = rpmExpand("%{?_file_signing_key}", NULL);
+	if (rstreq(key, "")) {
+	    fprintf(stderr, _("You must set \"$$_file_signing_key\" in your macro file or on the command line with --fskpath\n"));
+	    goto exit;
+	}
+	sig.signfiles = 1;
+    }
+
     /* XXX FIXME: eliminate obsolete getpass() usage */
     passPhrase = getpass(_("Enter pass phrase: "));
     passPhrase = (passPhrase != NULL) ? rstrdup(passPhrase) : NULL;
@@ -127,7 +149,7 @@ static int doSign(poptContext optCon)
 	fprintf(stderr, _("Pass phrase is good.\n"));
 	rc = 0;
 	while ((arg = poptGetArg(optCon)) != NULL) {
-	    rc += rpmPkgSign(arg, NULL, passPhrase);
+	    rc += rpmPkgSign(arg, &sig, passPhrase);
 	}
     } else {
 	fprintf(stderr, _("Pass phrase check failed or gpg key expired\n"));
diff --git a/sign/rpmsign.h b/sign/rpmsign.h
index 15b3e0f..7a1b8e1 100644
--- a/sign/rpmsign.h
+++ b/sign/rpmsign.h
@@ -11,6 +11,7 @@ extern "C" {
 struct rpmSignArgs {
     char *keyid;
     pgpHashAlgo hashalgo;
+    int signfiles;
     /* ... what else? */
 };
 
-- 
1.9.3

[Linux-ima-user] [RFC v4 08/11] Add file signature support to package signing

[<fi...@li...>]

This patch modifies rpmSign to include file signatures in the header. Since the
header is altered, the package digest and package+archive digest are
recalculated and updated in the signature header.

I haven't updated this code since submitting v3, my next task is to improve this
patch. Perhaps there is a better way to calculate the package digets, or maybe
I can reorganize the patch so there isn't redundant file i/o. Any suggestions
are welcome.

Signed-off-by: Fionnuala Gunter <fi...@li...>
---
 sign/rpmgensig.c | 148 +++++++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 145 insertions(+), 3 deletions(-)

diff --git a/sign/rpmgensig.c b/sign/rpmgensig.c
index a48b4dd..d853350 100644
--- a/sign/rpmgensig.c
+++ b/sign/rpmgensig.c
@@ -16,9 +16,11 @@
 #include <rpm/rpmfileutil.h>	/* rpmMkTemp() */
 #include <rpm/rpmlog.h>
 #include <rpm/rpmstring.h>
+#include <rpmio/rpmio_internal.h>
 
 #include "lib/rpmlead.h"
 #include "lib/signature.h"
+#include "lib/rpmsignfiles.h"
 
 #include "debug.h"
 
@@ -487,14 +489,150 @@ static void unloadImmutableRegion(Header *hdrp, rpmTagVal tag, rpmtd utd)
     }
 }
 
+static rpmRC includeFileSignatures(FD_t fd, const char *rpm,
+				   Header *sigp, Header *hdrp,
+				   off_t sigStart, off_t headerStart)
+{
+    FD_t ofd = NULL;
+    struct rpmtd_s td;
+    char *trpm = NULL;
+    const char *key;
+    char *SHA1 = NULL;
+    uint8_t *MD5 = NULL;
+    unsigned char buf[32*BUFSIZ];
+    size_t sha1len;
+    size_t md5len;
+    off_t headerSize;
+    off_t archiveSize;
+    rpmRC rc = RPMRC_OK;
+
+    unloadImmutableRegion(hdrp, RPMTAG_HEADERIMMUTABLE, &td);
+
+    key = rpmExpand("%{?_file_signing_key}", NULL);
+
+    rc = rpmSignFiles(*hdrp, key);
+    if (rc != RPMRC_OK) {
+	goto exit;
+    }
+
+    *hdrp = headerReload(*hdrp, RPMTAG_HEADERIMMUTABLE);
+    if (*hdrp == NULL) {
+	rc = RPMRC_FAIL;
+	rpmlog(RPMLOG_ERR, _("headerReload failed\n"));
+	goto exit;
+    }
+
+    ofd = rpmMkTempFile(NULL, &trpm);
+    if (ofd == NULL || Ferror(ofd)) {
+	rc = RPMRC_FAIL;
+	rpmlog(RPMLOG_ERR, _("rpmMkTemp failed\n"));
+	goto exit;
+    }
+
+    /* Copy archive to temp file */
+    if (copyFile(&fd, rpm, &ofd, trpm)) {
+	rc = RPMRC_FAIL;
+	rpmlog(RPMLOG_ERR, _("copyFile failed\n"));
+	goto exit;
+    }
+
+    if (Fseek(fd, headerStart, SEEK_SET) < 0) {
+	rc = RPMRC_FAIL;
+	rpmlog(RPMLOG_ERR, _("Could not seek in file %s: %s\n"),
+		rpm, Fstrerror(fd));
+	goto exit;
+    }
+
+    /* Write header to rpm and recalculate SHA1 */
+    fdInitDigest(fd, PGPHASHALGO_SHA1, 0);
+    rc = headerWrite(fd, *hdrp, HEADER_MAGIC_YES);
+    if (rc != RPMRC_OK) {
+	rpmlog(RPMLOG_ERR, _("headerWrite failed\n"));
+	goto exit;
+    }
+    fdFiniDigest(fd, PGPHASHALGO_SHA1, (void **)&SHA1, &sha1len, 1);
+    headerSize = Ftell(fd) - headerStart;
+
+    /* Copy archive from temp file */
+    if (Fseek(ofd, 0, SEEK_SET) < 0) {
+	rc = RPMRC_FAIL;
+	rpmlog(RPMLOG_ERR, _("Could not seek in file %s: %s\n"),
+		rpm, Fstrerror(fd));
+	goto exit;
+    }
+    if (copyFile(&ofd, trpm, &fd, rpm)) {
+	rc = RPMRC_FAIL;
+	rpmlog(RPMLOG_ERR, _("copyFile failed\n"));
+	goto exit;
+    }
+    unlink(trpm);
+
+    /* Recalculate MD5 digest of header+archive */
+    if (Fseek(fd, headerStart, SEEK_SET) < 0) {
+	rc = RPMRC_FAIL;
+	rpmlog(RPMLOG_ERR, _("Could not seek in file %s: %s\n"),
+		rpm, Fstrerror(fd));
+	goto exit:
+    }
+    fdInitDigest(fd, PGPHASHALGO_MD5, 0);
+
+    while (Fread(buf, sizeof(buf[0]), sizeof(buf), fd) > 0);
+	;
+    if (Ferror(fd)) {
+	rc = RPMRC_FAIL;
+	rpmlog(RPMLOG_ERR, _("Fread failed in file %s: %s\n"),
+		rpm, Fstrerror(fd));
+	goto exit;
+    }
+    fdFiniDigest(fd, PGPHASHALGO_MD5, (void **)&MD5, &md5len, 0);
+
+    if (Fseek(fd, sigStart, SEEK_SET) < 0) {
+	rc = RPMRC_FAIL;
+	rpmlog(RPMLOG_ERR, _("Could not seek in file %s: %s\n"),
+		rpm, Fstrerror(fd));
+	goto exit;
+    }
+
+    /* Get payload size from signature tag */
+    archiveSize = headerGetNumber(*sigp, RPMSIGTAG_PAYLOADSIZE);
+    if (!archiveSize) {
+	archiveSize = headerGetNumber(*sigp, RPMSIGTAG_LONGARCHIVESIZE);
+    }
+
+    /* Replace old digests in sigh */
+    rc = rpmGenerateSignature(SHA1, MD5, headerSize, archiveSize, fd);
+    if (rc != RPMRC_OK) {
+	rpmlog(RPMLOG_ERR, _("generateSignature failed\n"));
+	goto exit;
+    }
+
+    if (Fseek(fd, sigStart, SEEK_SET) < 0) {
+	rc = RPMRC_FAIL;
+	rpmlog(RPMLOG_ERR, _("Could not seek in file %s: %s\n"),
+		rpm, Fstrerror(fd));
+	goto exit:
+    }
+
+    rc = rpmReadSignature(fd, sigp, RPMSIGTYPE_HEADERSIG, NULL);
+    if (rc != RPMRC_OK) {
+	rpmlog(RPMLOG_ERR, _("rpmReadSignature failed\n"));
+	goto exit;
+    }
+exit:
+if (ofd)    (void) closeFile(&ofd);
+    return rc;
+}
+
 /** \ingroup rpmcli
  * Create/modify elements in signature header.
  * @param rpm		path to package
  * @param deleting	adding or deleting signature?
+ * @param signfiles	sign files if non-zero
  * @param passPhrase	passPhrase (ignored when deleting)
  * @return		0 on success, -1 on error
  */
-static int rpmSign(const char *rpm, int deleting, const char *passPhrase)
+static int rpmSign(const char *rpm, int deleting, int signfiles,
+		   const char *passPhrase)
 {
     FD_t fd = NULL;
     FD_t ofd = NULL;
@@ -545,6 +683,10 @@ static int rpmSign(const char *rpm, int deleting, const char *passPhrase)
 	goto exit;
     }
 
+    if (signfiles) {
+	includeFileSignatures(fd, rpm, &sigh, &h, sigStart, headerStart);
+    }
+
     unloadImmutableRegion(&sigh, RPMTAG_HEADERSIGNATURES, &utd);
     origSigSize = headerSizeof(sigh, HEADER_MAGIC_YES);
 
@@ -695,7 +837,7 @@ int rpmPkgSign(const char *path,
 	}
     }
 
-    rc = rpmSign(path, 0, passPhrase);
+    rc = rpmSign(path, 0, args->signfiles, passPhrase);
 
     if (args) {
 	if (args->hashalgo) {
@@ -711,5 +853,5 @@ int rpmPkgSign(const char *path,
 
 int rpmPkgDelSign(const char *path)
 {
-    return rpmSign(path, 1, NULL);
+    return rpmSign(path, 1, 0, NULL);
 }
-- 
1.9.3

[Linux-ima-user] [RFC v4 06/11] Add rpmtags for file signatures and their length

[<fi...@li...>]

This patch adds rpmtags for file signatures and their length, so they can be
stored in the package header.

Signed-off-by: Fionnuala Gunter <fi...@li...>
---
 lib/rpmtag.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lib/rpmtag.h b/lib/rpmtag.h
index 58b2479..319fdcf 100644
--- a/lib/rpmtag.h
+++ b/lib/rpmtag.h
@@ -329,6 +329,8 @@ typedef enum rpmTag_e {
     RPMTAG_SUPPLEMENTNEVRS	= 5060, /* s[] extension */
     RPMTAG_ENHANCENEVRS		= 5061, /* s[] extension */
     RPMTAG_ENCODING		= 5062, /* s */
+    RPMTAG_FILESIGNATURES	= 5063, /* s[] */
+    RPMTAG_FILESIGNATURELENGTH  = 5064, /* i */
 
     RPMTAG_FIRSTFREE_TAG	/*!< internal */
 } rpmTag;
-- 
1.9.3

[Linux-ima-user] [RFC v4 04/11] Add support for file signatures to rpmfi and rpmfiles

[<fi...@li...>]

This patch adds file signatures and file signature length to rpmfiles. These
new members are set in rpmfilesPopulate, and they can be accessed with 
rpmfiFSignature.

Signed-off-by: Fionnuala Gunter <fi...@li...>
---
 lib/rpmfi.c    | 56 +++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 lib/rpmfi.h    | 16 ++++++++++++++++
 lib/rpmfiles.h | 10 ++++++++++
 3 files changed, 81 insertions(+), 1 deletion(-)

diff --git a/lib/rpmfi.c b/lib/rpmfi.c
index 2fba707..d642f39 100644
--- a/lib/rpmfi.c
+++ b/lib/rpmfi.c
@@ -111,7 +111,9 @@ struct rpmfiles_s {
     struct fingerPrint_s * fps;	/*!< File fingerprint(s). */
 
     int digestalgo;		/*!< File digest algorithm */
+    int signaturelength;	/*!< File signature length */
     unsigned char * digests;	/*!< File digests in binary. */
+    unsigned char * signatures; /*!< File signatures in binary. */
 
     struct nlinkHash_s * nlinks;/*!< Files connected by hardlinks */
     rpm_off_t * replacedSizes;	/*!< (TR_ADDED) */
@@ -560,6 +562,31 @@ char * rpmfiFDigestHex(rpmfi fi, int *algo)
     return fdigest;
 }
 
+const unsigned char * rpmfilesFSignature(rpmfiles fi, int ix, size_t *len)
+{
+	const unsigned char *signature = NULL;
+
+	if (fi != NULL && ix >= 0 && ix < rpmfilesFC(fi)) {
+	     if (fi->signatures != NULL)
+		signature = fi->signatures + (fi->signaturelength * ix);
+	     if (len)
+		*len = fi->signaturelength;
+	}
+	return signature;
+}
+
+char *rpmfiFSignatureHex(rpmfi fi)
+{
+    size_t siglen = 0;
+    char *fsignature = NULL;
+    const unsigned char *signature = rpmfiFSignature(fi, &siglen);
+
+    if (signature) {
+	fsignature = pgpHexStr(signature, siglen);
+    }
+    return fsignature;
+}
+
 const char * rpmfilesFLink(rpmfiles fi, int ix)
 {
     const char * flink = NULL;
@@ -1146,6 +1173,7 @@ rpmfiles rpmfilesFree(rpmfiles fi)
 	fi->flinks = _free(fi->flinks);
 	fi->flangs = _free(fi->flangs);
 	fi->digests = _free(fi->digests);
+	fi->signatures = _free(fi->signatures);
 	fi->fcaps = _free(fi->fcaps);
 
 	fi->cdict = _free(fi->cdict);
@@ -1360,7 +1388,7 @@ static int rpmfilesPopulate(rpmfiles fi, Header h, rpmfiFlags flags)
     headerGetFlags scareFlags = (flags & RPMFI_KEEPHEADER) ? 
 				HEADERGET_MINMEM : HEADERGET_ALLOC;
     headerGetFlags defFlags = HEADERGET_ALLOC;
-    struct rpmtd_s fdigests, digalgo, td;
+    struct rpmtd_s fdigests, fsignatures, digalgo, td;
     unsigned char * t;
 
     /* XXX TODO: all these should be sanity checked, ugh... */
@@ -1411,6 +1439,8 @@ static int rpmfilesPopulate(rpmfiles fi, Header h, rpmfiFlags flags)
 	}
     }
 
+    fi->signaturelength = headerGetNumber(h, RPMTAG_FILESIGNATURELENGTH);
+
     fi->digests = NULL;
     /* grab hex digests from header and store in binary format */
     if (!(flags & RPMFI_NOFILEDIGESTS) &&
@@ -1431,10 +1461,29 @@ static int rpmfilesPopulate(rpmfiles fi, Header h, rpmfiFlags flags)
 	rpmtdFreeData(&fdigests);
     }
 
+    fi->signatures = NULL;
+    /* grab hex signatures from header and store in binary format */
+    if (headerGet(h, RPMTAG_FILESIGNATURES, &fsignatures, HEADERGET_MINMEM)) {
+	const char *fsignature;
+	fi->signatures = t = xmalloc(rpmtdCount(&fsignatures) * fi->signaturelength);
+
+	while ((fsignature = rpmtdNextString(&fsignatures))) {
+	    if (!(fsignature && *fsignature != '\0')) {
+		memset(t, 0, fi->signaturelength);
+		t += fi->signaturelength;
+		continue;
+	    }
+	    for (int j = 0; j < fi->signaturelength; j++, t++, fsignature += 2)
+		*t = (rnibble(fsignature[0]) << 4) | rnibble(fsignature[1]);
+	}
+	rpmtdFreeData(&fsignatures);
+    }
+
     /* XXX TR_REMOVED doesn;t need fmtimes, frdevs, finodes */
     if (!(flags & RPMFI_NOFILEMTIMES))
 	_hgfi(h, RPMTAG_FILEMTIMES, &td, scareFlags, fi->fmtimes);
     if (!(flags & RPMFI_NOFILERDEVS))
+
 	_hgfi(h, RPMTAG_FILERDEVS, &td, scareFlags, fi->frdevs);
     if (!(flags & RPMFI_NOFILEINODES)) {
 	_hgfi(h, RPMTAG_FILEINODES, &td, scareFlags, fi->finodes);
@@ -1662,6 +1711,11 @@ const unsigned char * rpmfiFDigest(rpmfi fi, int *algo, size_t *len)
     return rpmfilesFDigest(fi->files, fi ? fi->i : -1, algo, len);
 }
 
+const unsigned char * rpmfiFSignature(rpmfi fi, size_t *len)
+{
+    return rpmfilesFSignature(fi->files, fi ? fi->i : -1, len);
+}
+
 uint32_t rpmfiFDepends(rpmfi fi, const uint32_t ** fddictp)
 {
     return rpmfilesFDepends(fi->files,  fi ? fi->i : -1, fddictp);
diff --git a/lib/rpmfi.h b/lib/rpmfi.h
index dd44451..cc0917c 100644
--- a/lib/rpmfi.h
+++ b/lib/rpmfi.h
@@ -181,6 +181,22 @@ const unsigned char * rpmfiFDigest(rpmfi fi, int *algo, size_t *diglen);
 char * rpmfiFDigestHex(rpmfi fi, int *algo);
 
 /** \ingroup rpmfi
+ * Return current file (binary) signature of file info set iterator.
+ * @param fi		file info set iterator
+ * @retval siglen	signature length (pass NULL to ignore)
+ * @return		current file signature, NULL on invalid
+ */
+const unsigned char * rpmfiFSignature(rpmfi fi, size_t *siglen);
+
+/** \ingroup rpmfi
+ * Return current file (hex) signature of file info set iterator.
+ * The file info set iterator stores files signatures in binary format to
+ * conserve memory, this converts the binary data back to hex presentation used
+ * in headers.
+ */
+char * rpmfiFSignatureHex(rpmfi fi);
+
+/** \ingroup rpmfi
  * Return current file (binary) md5 digest from file info set iterator.
  * @deprecated		Use rpmfiFDigest() instead
  * @param fi		file info set iterator
diff --git a/lib/rpmfiles.h b/lib/rpmfiles.h
index 928c420..d966590 100644
--- a/lib/rpmfiles.h
+++ b/lib/rpmfiles.h
@@ -116,6 +116,7 @@ enum rpmfiFlags_e {
     RPMFI_NOFILECOLORS		= (1 << 15),
     RPMFI_NOFILEVERIFYFLAGS	= (1 << 16),
     RPMFI_NOFILEFLAGS		= (1 << 17),
+    RPMFI_NOFILESIGNATURES	= (1 << 18),
 };
 
 typedef rpmFlags rpmfiFlags;
@@ -417,6 +418,15 @@ rpm_mode_t rpmfilesFMode(rpmfiles fi, int ix);
 const unsigned char * rpmfilesFDigest(rpmfiles fi, int ix, int *algo, size_t *len);
 
 /** \ingroup rpmfiles
+ * Return file (binary) digest of file info set.
+ * @param fi            file info set
+ * @param ix            file index
+ * @retval siglen       signature length (pass NULL to ignore)
+ * @return              file signature, NULL on invalid
+ */
+const unsigned char * rpmfilesFSignature(rpmfiles fi, int ix, size_t *len);
+
+/** \ingroup rpmfiles
  * Return file rdev from file info set.
  * @param fi		file info set
  * @param ix		file index
-- 
1.9.3

[Linux-ima-user] [RFC v4 03/11] Subroutine for dumping immutable region of header

[<fi...@li...>]

This patch creates a subroutine for dumping the immutable region of a header.
It copies the header sections into a new header that can be altered.

Signed-off-by: Fionnuala Gunter <fi...@li...>
---
 sign/rpmgensig.c | 47 ++++++++++++++++++++++++++++-------------------
 1 file changed, 28 insertions(+), 19 deletions(-)

diff --git a/sign/rpmgensig.c b/sign/rpmgensig.c
index 983a2f7..a48b4dd 100644
--- a/sign/rpmgensig.c
+++ b/sign/rpmgensig.c
@@ -460,6 +460,33 @@ static int replaceSignature(Header sigh, sigTarget sigt1, sigTarget sigt2,
     return rc;
 }
 
+static void unloadImmutableRegion(Header *hdrp, rpmTagVal tag, rpmtd utd)
+{
+    struct rpmtd_s copytd;
+    Header nh;
+    Header oh;
+    HeaderIterator hi;
+
+    if (headerGet(*hdrp, tag, utd, HEADERGET_DEFAULT)) {
+	nh = headerNew();
+	oh = headerCopyLoad(utd->data);
+	hi = headerInitIterator(oh);
+
+	while (headerNext(hi, &copytd)) {
+	    if (copytd.data)
+		headerPut(nh, &copytd, HEADERPUT_DEFAULT);
+	    rpmtdFreeData(&copytd);
+	}
+
+	headerFreeIterator(hi);
+	headerFree(oh);
+	rpmtdFreeData(utd);
+
+	*hdrp = headerLink(nh);
+	headerFree(nh);
+    }
+}
+
 /** \ingroup rpmcli
  * Create/modify elements in signature header.
  * @param rpm		path to package
@@ -518,25 +545,7 @@ static int rpmSign(const char *rpm, int deleting, const char *passPhrase)
 	goto exit;
     }
 
-    /* Dump the immutable region (if present). */
-    if (headerGet(sigh, RPMTAG_HEADERSIGNATURES, &utd, HEADERGET_DEFAULT)) {
-	struct rpmtd_s copytd;
-	Header nh = headerNew();
-	Header oh = headerCopyLoad(utd.data);
-	HeaderIterator hi = headerInitIterator(oh);
-	while (headerNext(hi, &copytd)) {
-	    if (copytd.data)
-		headerPut(nh, &copytd, HEADERPUT_DEFAULT);
-	    rpmtdFreeData(&copytd);
-	}
-	headerFreeIterator(hi);
-	headerFree(oh);
-	rpmtdFreeData(&utd);
-
-	headerFree(sigh);
-	sigh = headerLink(nh);
-	headerFree(nh);
-    }
+    unloadImmutableRegion(&sigh, RPMTAG_HEADERSIGNATURES, &utd);
     origSigSize = headerSizeof(sigh, HEADER_MAGIC_YES);
 
     if (deleting) {	/* Nuke all the signature tags. */
-- 
1.9.3

[Linux-ima-user] [RFC v4 02/11] Export generateSignature

[<fi...@li...>]

This patch exports generateSignature under the new name rpmGenerateSignature so
that includeFileSignatures can call it.

Signed-off-by: Fionnuala Gunter <fi...@li...>
---
 build/pack.c    | 90 ++-------------------------------------------------------
 lib/signature.c | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 lib/signature.h | 11 +++++++
 3 files changed, 100 insertions(+), 88 deletions(-)

diff --git a/build/pack.c b/build/pack.c
index 15f005a..d1cabfa 100644
--- a/build/pack.c
+++ b/build/pack.c
@@ -268,92 +268,6 @@ static rpm_loff_t estimateCpioSize(Package pkg)
     return size;
 }
 
-static rpmRC generateSignature(char *SHA1, uint8_t *MD5, rpm_loff_t size,
-				rpm_loff_t payloadSize, FD_t fd)
-{
-    Header sig = NULL;
-    struct rpmtd_s td;
-    rpmRC rc = RPMRC_OK;
-    char *reservedSpace;
-    int spaceSize = 0;
-
-    /* Prepare signature */
-    sig = rpmNewSignature();
-
-    rpmtdReset(&td);
-    td.tag = RPMSIGTAG_SHA1;
-    td.count = 1;
-    td.type = RPM_STRING_TYPE;
-    td.data = SHA1;
-    headerPut(sig, &td, HEADERPUT_DEFAULT);
-
-    rpmtdReset(&td);
-    td.tag = RPMSIGTAG_MD5;
-    td.count = 16;
-    td.type = RPM_BIN_TYPE;
-    td.data = MD5;
-    headerPut(sig, &td, HEADERPUT_DEFAULT);
-
-    rpmtdReset(&td);
-    td.count = 1;
-    if (payloadSize < UINT32_MAX) {
-	rpm_off_t p = payloadSize;
-	rpm_off_t s = size;
-	td.type = RPM_INT32_TYPE;
-
-	td.tag = RPMSIGTAG_PAYLOADSIZE;
-	td.data = &p;
-	headerPut(sig, &td, HEADERPUT_DEFAULT);
-
-	td.tag = RPMSIGTAG_SIZE;
-	td.data = &s;
-	headerPut(sig, &td, HEADERPUT_DEFAULT);
-    } else {
-	rpm_loff_t p = payloadSize;
-	rpm_loff_t s = size;
-	td.type = RPM_INT64_TYPE;
-
-	td.tag = RPMSIGTAG_LONGARCHIVESIZE;
-	td.data = &p;
-	headerPut(sig, &td, HEADERPUT_DEFAULT);
-
-	td.tag = RPMSIGTAG_LONGSIZE;
-	td.data = &s;
-	headerPut(sig, &td, HEADERPUT_DEFAULT);
-    }
-
-    spaceSize = rpmExpandNumeric("%{__gpg_reserved_space}");
-    if(spaceSize > 0) {
-	reservedSpace = xcalloc(spaceSize, sizeof(char));
-	rpmtdReset(&td);
-	td.tag = RPMSIGTAG_RESERVEDSPACE;
-	td.count = spaceSize;
-	td.type = RPM_BIN_TYPE;
-	td.data = reservedSpace;
-	headerPut(sig, &td, HEADERPUT_DEFAULT);
-	free(reservedSpace);
-    }
-
-    /* Reallocate the signature into one contiguous region. */
-    sig = headerReload(sig, RPMTAG_HEADERSIGNATURES);
-    if (sig == NULL) { /* XXX can't happen */
-	rpmlog(RPMLOG_ERR, _("Unable to reload signature header.\n"));
-	rc = RPMRC_FAIL;
-	goto exit;
-    }
-
-    /* Write the signature section into the package. */
-    if (rpmWriteSignature(fd, sig)) {
-	rc = RPMRC_FAIL;
-	goto exit;
-    }
-
-exit:
-    rpmFreeSignature(sig);
-    return rc;
-}
-
-
 static rpmRC writeRPM(Package pkg, unsigned char ** pkgidp,
 		      const char *fileName, char **cookie)
 {
@@ -492,7 +406,7 @@ static rpmRC writeRPM(Package pkg, unsigned char ** pkgidp,
     sigStart = Ftell(fd);
 
     /* Generate and write a placeholder signature header */
-    rc = generateSignature(zerosS, zeros, 0, estimatedCpioSize, fd);
+    rc = rpmGenerateSignature(zerosS, zeros, 0, estimatedCpioSize, fd);
     if (rc != RPMRC_OK) {
 	rc = RPMRC_FAIL;
 	goto exit;
@@ -548,7 +462,7 @@ static rpmRC writeRPM(Package pkg, unsigned char ** pkgidp,
     }
 
     /* Generate the signature. Now with right values */
-    rc = generateSignature(SHA1, MD5, sigTargetSize, pkg->cpioArchiveSize, fd);
+    rc = rpmGenerateSignature(SHA1, MD5, sigTargetSize, pkg->cpioArchiveSize, fd);
     if (rc != RPMRC_OK) {
 	rc = RPMRC_FAIL;
 	goto exit;
diff --git a/lib/signature.c b/lib/signature.c
index 0defc81..972c0d5 100644
--- a/lib/signature.c
+++ b/lib/signature.c
@@ -12,6 +12,7 @@
 #include <rpm/rpmfileutil.h>
 #include <rpm/rpmlog.h>
 #include <rpm/rpmkeyring.h>
+#include <rpm/rpmmacro.h>
 
 #include "lib/rpmlead.h"
 #include "lib/signature.h"
@@ -296,6 +297,92 @@ Header rpmFreeSignature(Header sigh)
     return headerFree(sigh);
 }
 
+rpmRC rpmGenerateSignature(char *SHA1, uint8_t *MD5, rpm_loff_t size,
+                                rpm_loff_t payloadSize, FD_t fd)
+{
+    Header sig = NULL;
+    struct rpmtd_s td;
+    rpmRC rc = RPMRC_OK;
+    char *reservedSpace;
+    int spaceSize = 0;
+
+    /* Prepare signature */
+    sig = rpmNewSignature();
+
+    rpmtdReset(&td);
+    td.tag = RPMSIGTAG_SHA1;
+    td.count = 1;
+    td.type = RPM_STRING_TYPE;
+    td.data = SHA1;
+    headerPut(sig, &td, HEADERPUT_DEFAULT);
+
+    rpmtdReset(&td);
+    td.tag = RPMSIGTAG_MD5;
+    td.count = 16;
+    td.type = RPM_BIN_TYPE;
+    td.data = MD5;
+    headerPut(sig, &td, HEADERPUT_DEFAULT);
+
+    rpmtdReset(&td);
+    td.count = 1;
+    if (payloadSize < UINT32_MAX) {
+        rpm_off_t p = payloadSize;
+        rpm_off_t s = size;
+        td.type = RPM_INT32_TYPE;
+
+        td.tag = RPMSIGTAG_PAYLOADSIZE;
+        td.data = &p;
+        headerPut(sig, &td, HEADERPUT_DEFAULT);
+
+        td.tag = RPMSIGTAG_SIZE;
+        td.data = &s;
+        headerPut(sig, &td, HEADERPUT_DEFAULT);
+    } else {
+        rpm_loff_t p = payloadSize;
+        rpm_loff_t s = size;
+        td.type = RPM_INT64_TYPE;
+
+        td.tag = RPMSIGTAG_LONGARCHIVESIZE;
+        td.data = &p;
+        headerPut(sig, &td, HEADERPUT_DEFAULT);
+
+        td.tag = RPMSIGTAG_LONGSIZE;
+        td.data = &s;
+        headerPut(sig, &td, HEADERPUT_DEFAULT);
+    }
+
+    spaceSize = rpmExpandNumeric("%{__gpg_reserved_space}");
+    if(spaceSize > 0) {
+        reservedSpace = xcalloc(spaceSize, sizeof(char));
+        rpmtdReset(&td);
+        td.tag = RPMSIGTAG_RESERVEDSPACE;
+        td.count = spaceSize;
+        td.type = RPM_BIN_TYPE;
+        td.data = reservedSpace;
+        headerPut(sig, &td, HEADERPUT_DEFAULT);
+        free(reservedSpace);
+    }
+
+    /* Reallocate the signature into one contiguous region. */
+    sig = headerReload(sig, RPMTAG_HEADERSIGNATURES);
+    if (sig == NULL) { /* XXX can't happen */
+        rpmlog(RPMLOG_ERR, _("Unable to reload signature header.\n"));
+        rc = RPMRC_FAIL;
+        goto exit;
+    }
+
+    /* Write the signature section into the package. */
+    if (rpmWriteSignature(fd, sig)) {
+        rc = RPMRC_FAIL;
+        goto exit;
+    }
+
+exit:
+    rpmFreeSignature(sig);
+    return rc;
+}
+
+
 static const char * rpmSigString(rpmRC res)
 {
     const char * str;
diff --git a/lib/signature.h b/lib/signature.h
index e2db8fb..44a8b52 100644
--- a/lib/signature.h
+++ b/lib/signature.h
@@ -77,6 +77,17 @@ rpmRC rpmVerifySignature(rpmKeyring keyring, rpmtd sigtd, pgpDigParams sig,
  */
 Header rpmFreeSignature(Header h);
 
+/** \ingroup signature
+ * Generate signature and write to file
+ * @param SHA1		SHA1 digest
+ * @param MD5		MD5 digest
+ * @param size		size of header
+ * @param payloadSize	size of archive
+ * @param fd		output file
+ */
+rpmRC rpmGenerateSignature(char *SHA1, uint8_t *MD5, rpm_loff_t size,
+				rpm_loff_t payloadSize, FD_t fd);
+
 RPM_GNUC_INTERNAL
 rpmRC rpmSigInfoParse(rpmtd td, const char *origin,
                      struct sigtInfo_s *sigt, pgpDigParams *sigp, char **msg);
-- 
1.9.3

[Linux-ima-user] [RFC v4 00/11] RPM: Include and install file signatures

[<fi...@li...>]

IMA-appraisal, upstreamed in linux-3.7, enforces local file integrity based on
a known 'good' value stored as an extended attribute 'security.ima'. Labeling
the filesystem is currently done post install using a local private key.
Including file signatures in the package provides not only file integrity, but
file provenance.

This patch set extends the existing rpm signing tool to include file 
signatures in packages, and adds a plugin that installs file signatures using
the psm_post hook. 

There are new options to rpmsign - signfiles and fskpath.

rpm --addsign [--signfiles [--fskpath <file signing key>]] PACKAGE_FILE ...

Signfiles signs all the file digests included in the package with libimaevm
and stores the signatures in the package header under the tag
RPMTAG_FILESIGNATURES. The file signing key can be provided with the option
fskpath, or in a macro file with %_file_signing_key.

After including file signatures, the packages are signed normally.

When a package with signed files is installed, rpmfilesPopulate extracts file
signatures from the package header and stores them (in binary) in rpmfiles
struct. Then the ima plugin instantiates the psm_post hook and writes the file
signatures to security.ima xattr.

Changelog v4:
-split patch set into more patches
-added file signature interfaces to rpmfi
-fixed types and buffer sizes
-removed double logging of errors
-removed changes to API/ABI
-moved file signature installation to ima plugin
-removed support for inline signing of files

Changelog v3:
-split up patch

Changelog v2:
-support for inline signing of files
-command line option for file signing key
-include missing file
-fixed typo in rpmDigestAlgo

Signed-off-by: Fionnuala Gunter <fi...@li...>

Fionnuala Gunter (11):
  Refactor copyFile to not close files
  Export generateSignature
  Subroutine for dumping immutable region of header
  Add support for file signatures to rpmfi and rpmfiles
  Configure option to build with imaevm support
  Add rpmtags for file signatures and their length
  Add file signature support to rpmsign command
  Add file signature support to package signing
  Sign file digests and store signatures in header
  IMA plugin labels ima xattr with file signatures
  Documentation for file signing

 build/pack.c        |  90 +-----------------------
 configure.ac        |   8 +++
 doc/rpmsign.8       |  22 +++++-
 lib/Makefile.am     |   3 +-
 lib/rpmfi.c         |  56 ++++++++++++++-
 lib/rpmfi.h         |  16 +++++
 lib/rpmfiles.h      |  10 +++
 lib/rpmsignfiles.c  | 118 +++++++++++++++++++++++++++++++
 lib/rpmsignfiles.h  |  20 ++++++
 lib/rpmtag.h        |   2 +
 lib/signature.c     |  87 +++++++++++++++++++++++
 lib/signature.h     |  11 +++
 macros.in           |   1 +
 plugins/Makefile.am |   4 ++
 plugins/ima.c       |  57 +++++++++++++++
 rpmpopt.in          |   1 +
 rpmsign.c           |  24 ++++++-
 sign/rpmgensig.c    | 199 ++++++++++++++++++++++++++++++++++++++++++++++------
 sign/rpmsign.h      |   1 +
 19 files changed, 615 insertions(+), 115 deletions(-)
 create mode 100644 lib/rpmsignfiles.c
 create mode 100644 lib/rpmsignfiles.h
 create mode 100644 plugins/ima.c

-- 
1.9.3

[Linux-ima-user] [RFC v4 01/11] Refactor copyFile to not close files

[<fi...@li...>]

This patch refactors copyFile so that it doesn't close sfdp and tfdp, since
copyFile didn't open those files. Also, the caller to copyFile closes these
files. This patch also adds descriptions of copyFile parameters.

Signed-off-by: Fionnuala Gunter <fi...@li...>
---
 sign/rpmgensig.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/sign/rpmgensig.c b/sign/rpmgensig.c
index 0bd14e3..983a2f7 100644
--- a/sign/rpmgensig.c
+++ b/sign/rpmgensig.c
@@ -88,6 +88,10 @@ static int manageFile(FD_t *fdp, const char *fn, int flags)
 
 /**
  * Copy header+payload, calculating digest(s) on the fly.
+ * @param sfdp source file
+ * @param sfnp source path
+ * @param tfdp destination file
+ * @param tfnp destination path
  */
 static int copyFile(FD_t *sfdp, const char *sfnp,
 		FD_t *tfdp, const char *tfnp)
@@ -121,8 +125,6 @@ static int copyFile(FD_t *sfdp, const char *sfnp,
     rc = 0;
 
 exit:
-    if (*sfdp)	(void) closeFile(sfdp);
-    if (*tfdp)	(void) closeFile(tfdp);
     return rc;
 }
 
-- 
1.9.3

[Linux-ima-user] why /ima/policy can not be written?

[jiangdahui <jd...@ye...>]

Hi All:
   have you tried defining policy? I followed the instruction that 
   " To replace the default policy 'cat' the custom IMA measurement policy and redirect the output to "< securityfs >/ima/policy" 
    with 
     "cat userdefinePolicy.sh > /sys/kernel/security/ima/policy".", 
     but output is "invalid parameter". have you ever met?


best regards!

Re: [Linux-ima-user] Clarification requested. Comments about some info in the wiki.

[Mimi Z. <zo...@li...>]

On Fri, 2015-01-09 at 12:19 -0700, Curtis Veit wrote: 
> Mimi,
> 
> Thanks for the answers to my questions. 
> 
> On Fri, Jan 09, 2015 at 09:32:58AM -0500, Mimi Zohar wrote:
> > On Thu, 2015-01-08 at 13:08 -0700, Curtis Veit wrote:
> 
> > > 1. How do I write a policy that ensures that the digital signature
> > > approach is required for specific groups of files?
> > 
> > Yes, on the policy rule requiring signatures add
> > "appraise_type:=imasig".

The above line should have been "appraise_type=imasig".

> > > 2. Do I understand correctly that if I am using the hash (no digital
> > > signature), if a malicious user or executable "updates" a file, the
> > 
> > Right, immutable files should be labeled with file signatures.  Mutable
> > files by definition change, requiring the security.ima xattr to change
> > to reflect the file data.
> > 
> > >     ... If the hashes are in the log is
> > > that log file protected from tampering? How?
> > 
> > The measurement log is stored in memory and can be attested to, so that
> > a remote host can verify the integrity of the system.
> 
> So, in the system I am working with there is no TPM and no requirement to
> attest for the various files.
> There is a requirement to ensure that executables, libraries and system
> config files have not been tampered with. 

Executables and libraries can be appraised using the BPRM_CHECK and
MMAP_CHECK hooks.  Unfortunately there isn't a specific
measurement/appraisal hook only for configuration files.  All files
opened for read can be appraised using the FILE_CHECK hook.  To
differentiate between files in policy from those that are not, the
policy rules can be written in terms of LSM labels.

> It sounds to me like I should skip measurement and just sign everything that
> must be treated as immutable.  (I will try this out based on my current 
> understanding.)

> Does that mean I can skip "ima_tcb" on the command like and just use
> "ima_appraise_tcb" ?

Before dismissing the need for measurement, read the initial white paper
"Overview of the linux-integrity subsystem".  It's a bit dated, but it
is a good place to start.

> Some additional questions: 
> What does "ima_template=ima-sig" do? is there any relationship to 
> this approach?

"ima_template=" refers to the measurement log format.  The default
ima-ng template includes a file hash and pathname.  In addition to the
ima-ng fields, the ima-sig contains the file signature stored in the
xattr, if available.

> I am currently on the 3.13 kernel (ubuntu 14.04) so I do not need to 
> worry about adding a key to the keyring. but is best practice to
> compile the kernel with a key or is there another approach to get that
> first "valid" signing key in the keyring for 3.17 and beyond?

Redhat has some patches, which I don't think have been upstreamed, that
add UEFI and Machine Owner Keys(MOK) db to the system keyring.  Either
build the local-ca key into the kernel or add it to the UEFI or MOK db.

> Is there a reference for policy syntax? (other than the end of the wiki)

The current version is in the kernel build tree
Documentation/ABI/testing/ima_policy.

> I am keeping notes and hope (eventually) to provide some reference material 
> that you could add to the wiki.

thanks :)

Mimi

Re: [Linux-ima-user] Clarification requested. Comments about some info in the wiki.

[Curtis V. <cr...@so...>]

Mimi,

Thanks for the answers to my questions. 

On Fri, Jan 09, 2015 at 09:32:58AM -0500, Mimi Zohar wrote:
> On Thu, 2015-01-08 at 13:08 -0700, Curtis Veit wrote:

> > 1. How do I write a policy that ensures that the digital signature
> > approach is required for specific groups of files?
> 
> Yes, on the policy rule requiring signatures add
> "appraise_type:=imasig".
> 
> > 2. Do I understand correctly that if I am using the hash (no digital
> > signature), if a malicious user or executable "updates" a file, the
> 
> Right, immutable files should be labeled with file signatures.  Mutable
> files by definition change, requiring the security.ima xattr to change
> to reflect the file data.
> 
> >     ... If the hashes are in the log is
> > that log file protected from tampering? How?
> 
> The measurement log is stored in memory and can be attested to, so that
> a remote host can verify the integrity of the system.

So, in the system I am working with there is no TPM and no requirement to
attest for the various files. 
There is a requirement to ensure that executables, libraries and system
config files have not been tampered with. 

It sounds to me like I should skip measurement and just sign everything that
must be treated as immutable.  (I will try this out based on my current 
understanding.)

Does that mean I can skip "ima_tcb" on the command like and just use
"ima_appraise_tcb" ?

Some additional questions: 
What does "ima_template=ima-sig" do? is there any relationship to 
this approach?

I am currently on the 3.13 kernel (ubuntu 14.04) so I do not need to 
worry about adding a key to the keyring. but is best practice to
compile the kernel with a key or is there another approach to get that
first "valid" signing key in the keyring for 3.17 and beyond?

Is there a reference for policy syntax? (other than the end of the wiki)

I am keeping notes and hope (eventually) to provide some reference material 
that you could add to the wiki.

Best regards,
Curtis

Re: [Linux-ima-user] Clarification requested. Comments about some info in the wiki.

[Mimi Z. <zo...@li...>]

On Thu, 2015-01-08 at 13:08 -0700, Curtis Veit wrote:
> Hi I am new to using IMA and am responsible for securing some systems,
> IMA looks like a great solution for maintain system integrity. As I
> read the documents I find there are areas that I think I understand
> but have some uncertainty.
> It would be greatly appreciated if anyone has time to help correct my
> errors in thought. Hopefully the comments and questions can be used to
> help improve the wiki. ( I would be happy to add to the wiki as well,
> if and when I understand enough to avoid introducing errors.)

> At
> http://sourceforge.net/p/linux-ima/wiki/Home/#understanding-the-ima-appraisal-policy
> Under the "IMA-appraisal" heading. The text reads, "The inital method
> for validating 'security.ima' are hashed based, which provides file
> data integrity, and digital signature based, which in addition to
> providing file data integrity, provides authenticity."
> 
> This brought at least one question to my mind...
> 
> 1. How do I write a policy that ensures that the digital signature
> approach is required for specific groups of files?

Yes, on the policy rule requiring signatures add
"appraise_type:=imasig".

> 2. Do I understand correctly that if I am using the hash (no digital
> signature), if a malicious user or executable "updates" a file, the
> system will automatically set an updated hash in the filesystem? I.e.
> there is a comment about hashes being used to prevent "off-line"
> filesystem modifications. If I understood then I think the wiki is
> pretty clear on this. (but it would be nice to be able to have
> certainty when reading.) If I misunderstood then clarification is
> badly needed.

Right, immutable files should be labeled with file signatures.  Mutable
files by definition change, requiring the security.ima xattr to change
to reflect the file data.

> Another question not specifically at that location: I seems like the
> hashes are associated with measurement not appraise. And that the
> hashes are not stored in the xattrs while the appraisal related
> signature are. Did I get that correct? If the hashes are in the log is
> that log file protected from tampering? How?

The measurement log is stored in memory and can be attested to, so that
a remote host can verify the integrity of the system.

> In the text under heading "Labeling the filesystem with 'security.ima'
> extended attributes" there is a difference in parameters given (log vs
> enforce). I am assuming that "enforce" is the correct parameter to
> use.
> 
> * ima_appraise= appraise integrity measurements\ Format: { "off" |
> "log" | "fix" } \
> off - is a runtime parameter that turns off integrity appraisal
> verification.
> enforce - verifies and enforces runtime file integrity. [default]
> fix - for non-digitally signed files, updates the 'security.ima' xattr
> to reflect the existing file hash.

You don't need to specify any option, except when labeling the
filesystem.  In that case you need to boot in "fix" mode.  

> I am sure there will be more questions as I check out using IMA. My
> main concerns with deploying at this point is wondering how best to
> manage:
> 
> 1. setting the initial policy for the target system. (Do I use hashes
> and/or signatures, and where for each?)

The two builtin policies are ima_tcb and ima_appraise_tcb.  Different
use case scenarios require different policies.  It would be nice to
document some best practices.  Perhaps people on this mailing list will
be willing to share their experiences and policies.

> 2. how to manage updates in the target system given a combination of
> distro updates and local updates? (given that the distros do not
> currently support IMA. And if they did I would potentially need two
> public keys, one for the distro signed matter and one for the locally
> signed matter. Does IMA even support using two keys?)

RHEL, Suse, and Ubuntu have all enabled IMA/IMA-appraisal in their
latest releases.  None of them include file signatures in their software
packages, so you'll need to locally label the filesystem and load the
public key on the IMA keyring.

To prevent just any key from being loaded on the IMA keyring, as of
linux-3.17, the IMA keyring is now a trusted keyring, meaning only keys
signed by a key on the system keyring can be loaded onto the IMA
keyring.

Mimi

[Linux-ima-user] Clarification requested. Comments about some info in the wiki.

[Curtis V. <cr...@so...>]

Hi I am new to using IMA and am responsible for securing some systems, IMA looks like a great solution for maintain system integrity. As I read the documents I find there are areas that I think I understand but have some uncertainty.
It would be greatly appreciated if anyone has time to help correct my errors in thought. Hopefully the comments and questions can be used to help improve the wiki. ( I would be happy to add to the wiki as well, if and when I understand enough to avoid introducing errors.)

At http://sourceforge.net/p/linux-ima/wiki/Home/#understanding-the-ima-appraisal-policy
Under  the "IMA-appraisal" heading. The text reads, "The inital method for validating 'security.ima' are hashed based, which provides file data integrity, and digital signature based, which in addition to providing file data integrity, provides authenticity."

This brought at least one question to my mind...

1.     How do I write a policy that ensures that the digital signature approach is required for specific groups of files?

2.     Do I understand correctly that if I am using the hash (no digital signature), if a malicious user or executable  "updates" a file, the system will automatically set an updated hash in the filesystem? I.e. there is a comment about hashes being used to prevent "off-line" filesystem modifications.  If I understood then I think the wiki is pretty clear on this. (but it would be nice to be able to have certainty when reading.) If I misunderstood then clarification is badly needed.





Another question not specifically at that location: I seems like the hashes are associated with measurement not appraise. And that the hashes are not stored in the xattrs while the appraisal related signature are. Did I get that correct? If the hashes are in the log is that log file protected from tampering? How?



In the text under heading "Labeling the filesystem with 'security.ima' extended attributes"  there is a difference in parameters given (log vs enforce). I am assuming that "enforce" is the correct parameter to use.

*         ima_appraise= appraise integrity measurements\ Format: { "off" | "log" | "fix" } \
off - is a runtime parameter that turns off integrity appraisal verification.
enforce - verifies and enforces runtime file integrity. [default]
fix - for non-digitally signed files, updates the 'security.ima' xattr to reflect the existing file hash.


I am sure there will be more questions as I check out using IMA. My main concerns with deploying at this point is wondering how best to manage:

1.       setting the initial policy for the target system. (Do I use hashes and/or signatures, and where for each?)

2.       how to manage updates in the target system given a combination of distro updates and local updates? (given that the distros do not currently support IMA. And if they did I would potentially need two public keys, one for the distro signed matter and one for the locally signed matter. Does IMA even support using two keys?)

Re: [Linux-ima-user] can I just label files which I want to be measured?

[Mimi Z. <zo...@li...>]

On Wed, 2015-01-07 at 11:54 +0800, jiangdahui wrote:
> Hi all:
>        somehow,I can not use ima-appraise, but just ima base, I just
> want to measure few files such as few executable files in few Dirs, so
> could that be configured by policy?

Both IMA and IMA-appraisal are policy based.  Path based policies are
not supported.  Refer to the Documentation/ABI/testing/ima_policy for
details.

Mimi 

[Linux-ima-user] can I just label files which I want to be measured?

[jiangdahui <jd...@ye...>]

Hi all:
       somehow,I can not use ima-appraise, but just ima base, I just want to measure few files such as few executable files in few Dirs, so could that be configured by policy?