This list is closed, nobody may subscribe to it.
From: Jason C. <jas...@gm...> - 2012-09-10 14:18:05

Hi all,

I'm a newbie in IMA, and I'm very interested in it. Could you help me to get familiar with it? Thanks a lot.

As I know, the new kernel has already put IMA in mainline, and I have already enabled it. But I'm confused with how to configure the measurement list to make it do a measurement for files as I wished. However, I cannot find any documents about how to do this configuration.

Any help from you will be highly appreciated. Thanks a lot.

Jason

From: Mimi Z. <zo...@li...> - 2012-06-19 13:42:22

On Tue, 2012-06-19 at 09:14 +0200, Jordi Cucurull Juan wrote:
> Mimi,
>
> I have seen the if clause you added. In which case "get_d_path()" would
> return null?

Either kmalloc failed or d_path() returned an error. In either case, we revert to the current method of using the existing filename.

(In the future, please don't top append.)

thanks,

Mimi

From: Jordi C. J. <jor...@sc...> - 2012-06-19 07:14:32

Mimi,

I have seen the if clause you added. In which case "get_d_path()" would return null?

Regards,
Jordi.

On 06/18/2012 08:58 PM, Mimi Zohar wrote:
> On Mon, 2012-06-18 at 08:40 -0700, Peter Moody wrote:
>> On Mon, Jun 18, 2012 at 5:05 AM, Mimi Zohar<zo...@li...> wrote:
>>
>>> Thanks Dmitry. Both this version and Peter Moody's post, which uses the
>>> existing upstream audit_log_d_path() and d_path(), use the full pathname
>>> only for auditing purposes.
>> I haven't seen any response from Al, has there been any answer offlist
>> that you know of?
> No. Let's assume, unless we hear differently, it is ok. I was thinking
> something like the following, where get_d_path() is similar to
> audit_log_d_path().
> > @@ -170,12 +192,17 @@ static int process_measurement(struct file *file, const un > rc = ima_collect_measurement(iint, file); > if (rc != 0) > goto out; > + > + pathname = get_d_path(&file->f_path,&buffer, GFP_KERNEL); > if (action& IMA_MEASURE) > - ima_store_measurement(iint, file, filename); > + ima_store_measurement(iint, file, > + !pathname ? filename: pathname); > if (action& IMA_APPRAISE) > - rc = ima_appraise_measurement(iint, file, filename); > + rc = ima_appraise_measurement(iint, file, > + !pathname ? filename: pathname); > if (action& IMA_AUDIT) > - ima_audit_measurement(iint, filename); > + ima_audit_measurement(iint, !pathname ? filename: pathname); > + kfree(buffer); > out: > mutex_unlock(&inode->i_mutex); > return (rc&& must_appraise) ? -EACCES : 0; > > thanks, > > Mimi > -- Jordi Cucurull Juan Researcher Scytl Secure Electronic Voting Plaça Gal·la Placidia, 1-3, 1st floor · 08006 Barcelona jor...@sc... http://www.scytl.com NOTICE: The information in this e-mail and in any of its attachments is confidential and intended solely for the attention and use of the named addressee(s). If you are not the intended recipient, any disclosure, copying, distribution or retaining of this message or any part of it, without the prior written consent of Scytl Secure Electronic Voting, SA is prohibited and may be unlawful. If you have received this in error, please contact the sender and delete the material from any computer. Your data are in a file owned by Scytl Secure Electronic Voting, S.A. You can exercice your rights of access, rectification, cancellation and opposition by contacting Scytl Secure Electronic Voting, S.A. at the following address: Gal·la Placídia, 1-3. 1st, 08006 Barcelona (Spain), according to the Organic Law 15/1999, of 13th December of Protection of Personal Data. |

From: Peter M. <pm...@go...> - 2012-06-18 19:17:20

On Mon, Jun 18, 2012 at 11:58 AM, Mimi Zohar <zo...@li...> wrote:
> On Mon, 2012-06-18 at 08:40 -0700, Peter Moody wrote:
>> On Mon, Jun 18, 2012 at 5:05 AM, Mimi Zohar <zo...@li...> wrote:
>>
>> > Thanks Dmitry. Both this version and Peter Moody's post, which uses the
>> > existing upstream audit_log_d_path() and d_path(), use the full pathname
>> > only for auditing purposes.
>>
>> I haven't seen any response from Al, has there been any answer offlist
>> that you know of?
>
> No. Let's assume, unless we hear differently, it is ok. I was thinking
> something like the following, where get_d_path() is similar to
> audit_log_d_path().

This would definitely work for me.

-- 
Peter Moody
Google 1.650.253.7306
Security Engineer pgp:0xC3410038

From: Mimi Z. <zo...@li...> - 2012-06-18 19:00:35

On Mon, 2012-06-18 at 08:40 -0700, Peter Moody wrote:
> On Mon, Jun 18, 2012 at 5:05 AM, Mimi Zohar <zo...@li...> wrote:
>
> > Thanks Dmitry. Both this version and Peter Moody's post, which uses the
> > existing upstream audit_log_d_path() and d_path(), use the full pathname
> > only for auditing purposes.
>
> I haven't seen any response from Al, has there been any answer offlist
> that you know of?
No. Let's assume, unless we hear differently, it is ok. I was thinking
something like the following, where get_d_path() is similar to
audit_log_d_path().
@@ -170,12 +192,17 @@ static int process_measurement(struct file *file, const un
rc = ima_collect_measurement(iint, file);
if (rc != 0)
goto out;
+
+ pathname = get_d_path(&file->f_path, &buffer, GFP_KERNEL);
if (action & IMA_MEASURE)
- ima_store_measurement(iint, file, filename);
+ ima_store_measurement(iint, file,
+ !pathname ? filename: pathname);
if (action & IMA_APPRAISE)
- rc = ima_appraise_measurement(iint, file, filename);
+ rc = ima_appraise_measurement(iint, file,
+ !pathname ? filename: pathname);
if (action & IMA_AUDIT)
- ima_audit_measurement(iint, filename);
+ ima_audit_measurement(iint, !pathname ? filename: pathname);
+ kfree(buffer);
out:
mutex_unlock(&inode->i_mutex);
return (rc && must_appraise) ? -EACCES : 0;
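Review bot: the NULL fallback `!pathname ? filename: pathname` is repeated at all three call sites in this hunk; compute it once right after the `get_d_path()` call (e.g. `if (!pathname) pathname = filename;`) so the measure, appraise and audit paths cannot drift apart, and the fallback stays visible in one place when the `filename` argument is eventually dropped. The unconditional `+ kfree(buffer);` is only safe if `buffer` is NULL whenever `get_d_path()` returned NULL; its declaration is outside the hunk, so either initialise `buffer = NULL` there or have `get_d_path()` guarantee that `*buffer` is set on every return path (the `goto out` above skips the kfree, so that path is fine). One caveat for anyone who will correlate the resulting measurement list with a known-good database: a `d_path()`-derived name is relative to the measuring task's root and mount namespace and carries a " (deleted)" suffix for unlinked files, so the "full pathname" is still not guaranteed to be the path the verifier expects.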
thanks,
Mimi
From: Peter M. <pm...@go...> - 2012-06-18 15:41:20

On Mon, Jun 18, 2012 at 5:05 AM, Mimi Zohar <zo...@li...> wrote:
> Thanks Dmitry. Both this version and Peter Moody's post, which uses the
> existing upstream audit_log_d_path() and d_path(), use the full pathname
> only for auditing purposes.

I haven't seen any response from Al, has there been any answer offlist that you know of?

Cheers,
peter

-- 
Peter Moody
Google 1.650.253.7306
Security Engineer pgp:0xC3410038

From: Mimi Z. <zo...@li...> - 2012-06-18 12:07:36

On Fri, 2012-06-15 at 13:25 +0300, Kasatkin, Dmitry wrote:
> actually here is a diff
>
> http://git.kernel.org/?p=linux/kernel/git/kasatkin/linux-digsig.git;a=blobdiff;f=security/integrity/ima/ima_audit.c;h=b16eef4cfddbcb662c6fe10ce560d308e1cf4832;hp=21e96bf188dfcc12ff3b05226f3c7d83521dbc2b;hb=da64aee677a578a2ac66f641737fdc74e9259418;hpb=8e88fb141c9596e5efc1b72168c51484875ac5c2
>
> On Fri, Jun 15, 2012 at 1:23 PM, Kasatkin, Dmitry <dmi...@in...> wrote:
> > Hello,
> >
> > Actually in my tree there is a patch to show full path.
> > It does reverse path walk.
> >
> > http://git.kernel.org/?p=linux/kernel/git/kasatkin/linux-digsig.git;a=blob;f=security/integrity/ima/ima_audit.c;h=b16eef4cfddbcb662c6fe10ce560d308e1cf4832;hb=da64aee677a578a2ac66f641737fdc74e9259418
> >
> > - Dmitry

Thanks Dmitry. Both this version and Peter Moody's post, which uses the existing upstream audit_log_d_path() and d_path(), use the full pathname only for auditing purposes.

The discussion, here, is to simplify correlating the file measurement list hashes with filenames. We probably want a function similar to audit_log_d_format(), but returns the allocated buffer instead of freeing it, which could be used for both the measurement list and auditing.

thanks,

Mimi

From: Jordi C. J. <jor...@sc...> - 2012-06-15 10:47:03

Thank you for the patch Dmitry! I hope it will eventually get integrated into the main branch!

Jordi.

On 06/15/2012 12:25 PM, Kasatkin, Dmitry wrote:
> actually here is a diff
>
> http://git.kernel.org/?p=linux/kernel/git/kasatkin/linux-digsig.git;a=blobdiff;f=security/integrity/ima/ima_audit.c;h=b16eef4cfddbcb662c6fe10ce560d308e1cf4832;hp=21e96bf188dfcc12ff3b05226f3c7d83521dbc2b;hb=da64aee677a578a2ac66f641737fdc74e9259418;hpb=8e88fb141c9596e5efc1b72168c51484875ac5c2
>
> On Fri, Jun 15, 2012 at 1:23 PM, Kasatkin, Dmitry <dmi...@in...> wrote:
>> Hello,
>>
>> Actually in my tree there is a patch to show full path.
>> It does reverse path walk.
>>
>> http://git.kernel.org/?p=linux/kernel/git/kasatkin/linux-digsig.git;a=blob;f=security/integrity/ima/ima_audit.c;h=b16eef4cfddbcb662c6fe10ce560d308e1cf4832;hb=da64aee677a578a2ac66f641737fdc74e9259418
>>
>> - Dmitry

-- 
Jordi Cucurull Juan
Researcher
Scytl Secure Electronic Voting
Plaça Gal·la Placidia, 1-3, 1st floor · 08006 Barcelona
jor...@sc...
http://www.scytl.com

From: Kasatkin, D. <dmi...@in...> - 2012-06-15 10:25:41

actually here is a diff

http://git.kernel.org/?p=linux/kernel/git/kasatkin/linux-digsig.git;a=blobdiff;f=security/integrity/ima/ima_audit.c;h=b16eef4cfddbcb662c6fe10ce560d308e1cf4832;hp=21e96bf188dfcc12ff3b05226f3c7d83521dbc2b;hb=da64aee677a578a2ac66f641737fdc74e9259418;hpb=8e88fb141c9596e5efc1b72168c51484875ac5c2

On Fri, Jun 15, 2012 at 1:23 PM, Kasatkin, Dmitry <dmi...@in...> wrote:
> Hello,
>
> Actually in my tree there is a patch to show full path.
> It does reverse path walk.
>
> http://git.kernel.org/?p=linux/kernel/git/kasatkin/linux-digsig.git;a=blob;f=security/integrity/ima/ima_audit.c;h=b16eef4cfddbcb662c6fe10ce560d308e1cf4832;hb=da64aee677a578a2ac66f641737fdc74e9259418
>
> - Dmitry

From: Kasatkin, D. <dmi...@in...> - 2012-06-15 10:23:16

Hello,

Actually in my tree there is a patch to show full path.
It does reverse path walk.

http://git.kernel.org/?p=linux/kernel/git/kasatkin/linux-digsig.git;a=blob;f=security/integrity/ima/ima_audit.c;h=b16eef4cfddbcb662c6fe10ce560d308e1cf4832;hb=da64aee677a578a2ac66f641737fdc74e9259418

- Dmitry

On Fri, Jun 15, 2012 at 11:17 AM, Jordi Cucurull Juan <jor...@sc...> wrote:
> Hi Mimi and Andrew,
>
> Mimi, what was the reason to forbid the use of d_path()? Maybe too much
> system information on the list? Is it a kernel developers' decision?
>
> Andrew, the approach you follow is fine, but still does not allow to
> know if a file with non matching hash and matching filename is a newly
> created file or a modified one. In order to check it you should manually
> search for all the files with the given filename and calculate their hash.
>
> Thanks for your answers!
> Jordi.

From: Jordi C. J. <jor...@sc...> - 2012-06-15 08:17:42

Hi Mimi and Andrew,

Mimi, what was the reason to forbid the use of d_path()? Maybe too much system information on the list? Is it a kernel developers' decision?

Andrew, the approach you follow is fine, but still does not allow to know if a file with non matching hash and matching filename is a newly created file or a modified one. In order to check it you should manually search for all the files with the given filename and calculate their hash.

Thanks for your answers!
Jordi.

On 06/15/2012 08:41 AM, Lunn Andrew RUAG D wrote:
> Hi Jordi
>
> It is a bit annoying not having the path. So I process the IMA list the other
> way around. I find matches on the hash in my known good database. For
> hash matches I then check if there is a tail match between the filename hint in the
> IMA and the corresponding entry in the known good database.
>
> Andrew

-- 
Jordi Cucurull Juan
Researcher
Scytl Secure Electronic Voting
Plaça Gal·la Placidia, 1-3, 1st floor · 08006 Barcelona
jor...@sc...
http://www.scytl.com

From: Lunn A. R. D <And...@ru...> - 2012-06-15 06:54:08

From: Jordi Cucurull Juan [jor...@sc...]
Sent: 13 June 2012 14:32
To: lin...@li...
Subject: [Linux-ima-user] Measurement list and path of measured files
Dear all,
Recently I have started looking at IMA to explore the possibilities that
it offers. I have a question regarding the measurement list and the
files measured.
The point is that it does not seem possible to uniquely identify a file
with the information in the field "file-hint". The absolute path of the
file is not always available, hence in many cases several entries with
the same file name will appear. This makes impossible to distinguish if
two entries with the same file-hint value correspond to two different
files in the file system or to a file that has been modified.
Is it possible to include the file name with the complete absolute path
in the measurement list? If not, is there a reason for it? (maybe memory
used by the list?)
Thanks and best regards,
Jordi.
_______________________________________________
Hi Jordi
It is a bit annoying not having the path. So I process the IMA list the other
way around. I find matches on the hash in my known good database. For
hash matches I then check if there is a tail match between the filename hint in the
IMA and the corresponding entry in the known good database.
Andrew
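Andrew's hash-first matching, with the ambiguity Jordi describes (one hint, several hashes) reported explicitly, as an added example that is not part of the thread. It assumes the ascii_runtime_measurements layout of PCR, template hash, template name, file hash and filename hint; the sample file tree and measurement list are constructed, with real SHA-1 digests computed from the constructed contents.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    pcr: int
    template: str
    file_hash: str  # hex digest; an ima-ng "sha1:" prefix is stripped
    hint: str       # filename hint exactly as IMA recorded it


def parse_measurement_line(line: str) -> Entry:
    """Parse one ascii_runtime_measurements line: PCR, template hash,
    template name, file hash, filename hint.  Accepts the original 'ima'
    template and 'ima-ng' (file hash written as 'algo:hex').  The template
    hash only matters for PCR replay and is not checked here."""
    fields = line.split(None, 4)
    if len(fields) != 5:
        raise ValueError(f"unexpected measurement line: {line!r}")
    pcr, _template_hash, template, file_hash, hint = fields
    if ":" in file_hash:
        file_hash = file_hash.split(":", 1)[1]
    return Entry(int(pcr), template, file_hash.lower(), hint.strip())


def parse_measurement_list(text: str) -> list:
    return [parse_measurement_line(ln) for ln in text.splitlines() if ln.strip()]


def tail_match(hint: str, path: str) -> bool:
    """True if the hint is the trailing path component(s) of a known path."""
    if hint.startswith("/"):  # absolute hint (e.g. from ima-ng): exact match only
        return hint == path
    return path == hint or path.endswith("/" + hint)


def correlate(entries, known_good):
    """Hash-first matching: look the hash up, then require a tail match.
    known_good maps hex file hash -> set of absolute paths.  Returns
    'ok' (hash known and hint is a tail of one of its paths), 'name_mismatch'
    (hash known, but under no path matching the hint) and 'unknown_hash'
    (modified file or one not in the database; the hint cannot tell which)."""
    report = {"ok": [], "name_mismatch": [], "unknown_hash": []}
    for e in entries:
        paths = known_good.get(e.file_hash, set())
        if not paths:
            report["unknown_hash"].append(e)
            continue
        matched = sorted(p for p in paths if tail_match(e.hint, p))
        if matched:
            report["ok"].append((e, matched))
        else:
            report["name_mismatch"].append((e, sorted(paths)))
    return report


def ambiguous_hints(entries):
    """Hints recorded with more than one distinct hash.  The list alone cannot
    say whether that is one file measured before and after a change or several
    files that merely share a basename."""
    by_hint = defaultdict(set)
    for e in entries:
        by_hint[e.hint].add(e.file_hash)
    return {h: sorted(v) for h, v in by_hint.items() if len(v) > 1}


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


# Constructed sample tree standing in for the known-good database build.
SAMPLE_TREE = {
    "/usr/bin/bash": b"constructed bash binary v1",
    "/home/alice/bin/bash": b"constructed private bash copy",
    "/usr/lib/libc.so.6": b"constructed libc",
    "/etc/ld.so.cache": b"constructed ld cache v1",
}
KNOWN_GOOD = defaultdict(set)
for _path, _content in SAMPLE_TREE.items():
    KNOWN_GOOD[sha1_hex(_content)].add(_path)

# Constructed measurement list; the template hash is a placeholder.
_TH = "0" * 40
SAMPLE_LIST = "\n".join([
    f"10 {_TH} ima {sha1_hex(SAMPLE_TREE['/usr/bin/bash'])} bash",
    f"10 {_TH} ima {sha1_hex(SAMPLE_TREE['/home/alice/bin/bash'])} bash",
    f"10 {_TH} ima-ng sha1:{sha1_hex(SAMPLE_TREE['/usr/lib/libc.so.6'])} /usr/lib/libc.so.6",
    f"10 {_TH} ima {sha1_hex(b'constructed ld cache v2')} ld.so.cache",
    f"10 {_TH} ima {sha1_hex(SAMPLE_TREE['/usr/lib/libc.so.6'])} libc.so.6.bak",
])

if __name__ == "__main__":
    entries = parse_measurement_list(SAMPLE_LIST)
    report = correlate(entries, KNOWN_GOOD)
    for e, paths in report["ok"]:
        print(f"ok             {e.hint:<20} -> {', '.join(paths)}")
    for e, paths in report["name_mismatch"]:
        print(f"name mismatch  {e.hint:<20} hash is known as {', '.join(paths)}")
    for e in report["unknown_hash"]:
        print(f"unknown hash   {e.hint:<20} modified, or not in the database")
    for hint, hashes in ambiguous_hints(entries).items():
        print(f"ambiguous hint {hint:<20} {len(hashes)} distinct hashes")
```

The two "bash" entries resolve to different known-good paths only because the hash is looked up first; by hint alone they are indistinguishable from a modified /usr/bin/bash, which is exactly the case the list cannot settle.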
From: Mimi Z. <zo...@li...> - 2012-06-15 02:15:48

On Wed, 2012-06-13 at 14:32 +0200, Jordi Cucurull Juan wrote:
> Dear all,
>
> Recently I have started looking at IMA to explore the possibilities that
> it offers. I have a question regarding the measurement list and the
> files measured.
>
> The point is that it does not seem possible to uniquely identify a file
> with the information in the field "file-hint". The absolute path of the
> file is not always available, hence in many cases several entries with
> the same file name will appear. This makes it impossible to distinguish if
> two entries with the same file-hint value correspond to two different
> files in the file system or to a file that has been modified.
>
> Is it possible to include the file name with the complete absolute path
> in the measurement list? If not, is there a reason for it? (maybe memory
> used by the list?)
>
> Thanks and best regards,
> Jordi.

Yes, this is a common complaint, which we started to address with additional metadata (e.g. uid/gid, LSM object/subject labels) - http://sourceforge.net/mailarchive/message.php?msg_id=25460938, but haven't yet upstreamed. At the time, using d_path() in the critical code path was not permitted. Perhaps things have changed. This exact question was just asked on the LSM mailing list, but has not yet been answered.

Mimi

From: Jordi C. J. <jor...@sc...> - 2012-06-13 12:47:51

Dear all,

Recently I have started looking at IMA to explore the possibilities that it offers. I have a question regarding the measurement list and the files measured.

The point is that it does not seem possible to uniquely identify a file with the information in the field "file-hint". The absolute path of the file is not always available, hence in many cases several entries with the same file name will appear. This makes it impossible to distinguish if two entries with the same file-hint value correspond to two different files in the file system or to a file that has been modified.

Is it possible to include the file name with the complete absolute path in the measurement list? If not, is there a reason for it? (maybe memory used by the list?)

Thanks and best regards,
Jordi.

-- 
Jordi Cucurull Juan
Researcher
Scytl Secure Electronic Voting
Plaça Gal·la Placidia, 1-3, 1st floor · 08006 Barcelona
jor...@sc...
http://www.scytl.com

From: Mimi Z. <zo...@li...> - 2012-05-21 11:27:00

On Fri, 2012-05-18 at 12:00 +0300, Kasatkin, Dmitry wrote:
> On Fri, May 18, 2012 at 10:46 AM, Kasatkin, Dmitry
> <dmi...@in...> wrote:
> > Hello,
> >
> > See comments inline...
> >
> > You could send question to: lin...@li...
> >
> > - Dmitry
> >
> > On Tue, May 15, 2012 at 7:45 PM, Sebastian Andrzej Siewior
> > <bi...@li...> wrote:
> >> Hi Dmitry,
> >>
> >> I just stumbled over security/integrity/evm/ in the linux kernel and it
> >> looks like something I could use or would like to use :)
> >> I failed to clone the userland tools from
> >>
> >> git://linux-ima.git.sourceforge.net/linux-ima/ima-evm-utils.git/
> >>
> >
> > Did you try to look the linux-ima project page.
> > http://sourceforge.net/scm/?type=git&group_id=148288
> > It has info how to access gits....
> >
> > It says that repo url is:
> > git://linux-ima.git.sourceforge.net/gitroot/linux-ima/ima-evm-utils.git
> >
> > :)
> >
> >
> >> as git always said that remote closed the connection. In the end I extracted
> >> the source package from [0].
> >> I tried to follow the wiki at [1] and see how it works. Currently I am
> >> stuck at
> >>
> >> | #~ keyctl add trusted kmk-trusted "new 32" @u
> >> | add_key: No such device
> >>
> >
> > Trusted keys uses TPM..
> >
> > Have a look to source code:
> > tests/evm_genkey.sh
> > tests/evm_enable.sh
> >
> > It should how to use encrypted keys and public keys...
> >
> > Let us know how it works for you
> >
> > - Dmitry
> >
> >> And the kernel says.
> >>
> >> | trusted_key: key_create failed (-19)
> >>
> >> Another thing that I noticed is
> >>
> >> -r--r-----. 1 root root 0 May 15 18:41 /sys/kernel/security/evm
> >>
> >> as you see it is read-only. "echo 1 > evm" works (i.e. no access denied) but
> >> in dmesg I see
> >>
> >> | EVM: initialization failed
> >>
> >> So my question here is does it work? Or could it be that it got broken
> >> in v3.4.0-rc7?
> >>
> >> [0] ftp://ftp.nohats.ca/ima/evm-utils-0.1.0-1.fc17.src.rpm
> >> [1]
> >> http://sourceforge.net/apps/mediawiki/linux-ima/index.php?title=Main_Page
> >>
> >> Sebastian
>
> Hi,
>
> I have also updated Wiki page and added key generation and
> initramfs-tools/GRUB examples.
>
> https://sourceforge.net/apps/mediawiki/linux-ima/index.php?title=Main_Page
>
> - Dmitry
>

Thanks Dmitry for updating the wiki with key generation support.

Sebastian, if you're using dracut, it already has support for loading the EVM symmetric key and updating the IMA policy, but it needs to be enabled. Enabling any dracut module requires changing module_setup.sh: module_check() to return 0. Dracut is available from: git://git.kernel.org/pub/scm/boot/dracut/dracut.git.

Current versions of Fedora enable the SELinux policy in systemd, not dracut. If SELinux is enabled on your system, and you want to update the default IMA policy based on SELinux labels, then replacing the IMA policy should be delayed to systemd as well. Roberto Sassu upstreamed the systemd patch.

The patch, below, adds dracut support for enabling EVM/IMA digital signatures, but still needs to be tested some, before being upstreamed.

thanks,

Mimi

diff --git a/modules.d/98integrity/evm-enable.sh b/modules.d/98integrity/evm-enable.sh
index a4cdf45..4bceebb 100755
--- a/modules.d/98integrity/evm-enable.sh
+++ b/modules.d/98integrity/evm-enable.sh
@@ -54,6 +54,52 @@ load_evm_key() return 0 } +load_evm_ima_pubkey() +{ + # read the configuration from the config file + #[ -f "${EVMCONFIG}" ] && \ + # . ${EVMCONFIG} + + # override the EVM key path name from the 'evmpubkey=' parameter in + # the kernel command line + EVMPUBKEYARG=$(getarg evmpubkey=) + [ $? -eq 0 ] && \ + EVMPUBKEY=${EVMPUBKEYARG} + + # set the default value + [ -z "${EVMPUBKEY}" ] && \ + EVMPUBKEY="/etc/keys/pubkey_evm.pem"; + + # set the EVM public key path name + EVMPUBKEYPATH="${NEWROOT}${EVMPUBKEY}" + + # check for EVM public key's existence + if [ ! -f "${EVMPUBKEYPATH}" ]; then + if [ "${RD_DEBUG}" = "yes" ]; then + info "integrity: EVM public key file not found: ${EVMPUBKEYPATH}" + fi + return 0 + fi + + # load the EVM public key onto the EVM keyring + evm_pubid=`keyctl newring _evm @u` + EVMPUBKEYID=$(evmctl import ${EVMPUBKEYPATH} ${evm_pubid}) + [ $? -eq 0 ] || { + info "integrity: failed to load the EVM public key"; + return 0; + } + + # load the same public key onto the IMA keyring + ima_pubid=`keyctl newring _ima @u` + IMAPUBKEYID=$(evmctl import ${EVMPUBKEYPATH} ${ima_pubid}) + [ $? -eq 0 ] || { + info "integrity: failed to load the IMA public key"; + return 0; + } + + return 0 +} + unload_evm_key() { # unlink the EVM encrypted key @@ -78,6 +124,9 @@ enable_evm() # load the EVM encrypted key load_evm_key || return 1 + # load the EVM public key + load_evm_ima_pubkey + # initialize EVM info "Enabling EVM" echo 1 > ${EVMSECFILE} diff --git a/modules.d/98integrity/module-setup.sh b/modules.d/98integrity/module-setup.sh index ff1b4aa..69addb2 100755 --- a/modules.d/98integrity/module-setup.sh +++ b/modules.d/98integrity/module-setup.sh @@ -3,7 +3,7 @@ # ex: ts=8 sw=4 sts=4 et filetype=sh check() { - return 255 + return 0 } depends() { @@ -12,6 +12,7 @@ depends() { } install() { + inst_binary keyctl inst_hook pre-pivot 61 "$moddir/evm-enable.sh" inst_hook pre-pivot 62 "$moddir/ima-policy-load.sh" } |
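Review bot: in the first evm-enable.sh hunk, load_evm_ima_pubkey() returns 0 on every path, including after `evmctl import` fails for the _evm or _ima keyring, so the caller cannot tell a loaded public key from a missing one; either return 1 on import failure or add a comment stating that the public key is optional. The commented-out `#[ -f "${EVMCONFIG}" ] && . ${EVMCONFIG}` block is dead code and should be dropped or re-enabled, the `;` after `EVMPUBKEY="/etc/keys/pubkey_evm.pem";` is stray, and the two keyring creations use backticks while the rest of the function uses `$( )`.

Review bot: in the enable_evm() hunk, `load_evm_ima_pubkey` is called without `|| return 1`, unlike `load_evm_key || return 1` directly above it; if the asymmetry (HMAC key mandatory, public key optional) is intended, say so in the comment, since a reader will otherwise assume a check was forgotten.

Review bot: in the module-setup.sh check() hunk, changing `return 255` to `return 0` includes the integrity module in every initramfs built with this dracut, not only on hosts that have EVM keys configured; if that is the intent it matches the prose above, otherwise check() could test for the key files on the host in host-only builds.

Review bot: in the install() hunk, `inst_binary keyctl` is added but the new load_evm_ima_pubkey() also calls `evmctl`, which this hunk does not install; confirm an earlier part of install() already covers it, otherwise add `inst_binary evmctl` alongside it.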
|
From: Kasatkin, D. <dmi...@in...> - 2012-05-18 09:00:20
|
On Fri, May 18, 2012 at 10:46 AM, Kasatkin, Dmitry <dmi...@in...> wrote:
> Hello,
>
> See comments inline...
>
> You could send question to: lin...@li...
>
> - Dmitry
>
> On Tue, May 15, 2012 at 7:45 PM, Sebastian Andrzej Siewior
> <bi...@li...> wrote:
>> Hi Dmitry,
>>
>> I just stumbled over security/integrity/evm/ in the linux kernel and it
>> looks like something I could use or would like to use :)
>> I failed to clone the userland tools from
>>
>> git://linux-ima.git.sourceforge.net/linux-ima/ima-evm-utils.git/
>>
>
> Did you try to look at the linux-ima project page?
> http://sourceforge.net/scm/?type=git&group_id=148288
> It has info on how to access the gits....
>
> It says that the repo url is:
> git://linux-ima.git.sourceforge.net/gitroot/linux-ima/ima-evm-utils.git
>
> :)
>
>
>> as git always said that remote closed the connection. In the end I extracted
>> the source package from [0].
>> I tried to follow the wiki at [1] and see how it works. Currently I am
>> stuck at
>>
>> | #~ keyctl add trusted kmk-trusted "new 32" @u
>> | add_key: No such device
>>
>
> Trusted keys use the TPM..
>
> Have a look at the source code:
> tests/evm_genkey.sh
> tests/evm_enable.sh
>
> It shows how to use encrypted keys and public keys...
>
> Let us know how it works for you
>
> - Dmitry
>
>> And the kernel says.
>>
>> | trusted_key: key_create failed (-19)
>>
>> Another thing that I noticed is
>>
>> -r--r-----. 1 root root 0 May 15 18:41 /sys/kernel/security/evm
>>
>> as you see it is read-only. "echo 1 > evm" works (i.e. no access denied) but
>> in dmesg I see
>>
>> | EVM: initialization failed
>>
>> So my question here is does it work? Or could it be that it got broken
>> in v3.4.0-rc7?
>>
>> [0] ftp://ftp.nohats.ca/ima/evm-utils-0.1.0-1.fc17.src.rpm
>> [1]
>> http://sourceforge.net/apps/mediawiki/linux-ima/index.php?title=Main_Page
>>
>> Sebastian
Hi,
I have also updated the Wiki page and added key generation and
initramfs-tools/GRUB examples.
https://sourceforge.net/apps/mediawiki/linux-ima/index.php?title=Main_Page
- Dmitry |
|
From: Mimi Z. <zo...@li...> - 2012-04-27 11:46:06
|
On Fri, 2012-04-27 at 08:30 +0200, Andrew Lunn wrote:
> > It's definitely not the 'expected behavior', nor did it behave this way
> > originally. I'm looking into it.
>
> Hi Mimi
>
> I had a quick look myself....
>
> fs/exec.c contains:
>
> /*
> * cycle the list of binary formats handler, until one recognizes the image
> */
> int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
> {
> unsigned int depth = bprm->recursion_depth;
> int try,retval;
> struct linux_binfmt *fmt;
> pid_t old_pid, old_vpid;
>
> retval = security_bprm_check(bprm);
> if (retval)
> return retval;
>
> It is this call to security_bprm_check which causes the entry in IMA.
> bprm->file is the struct file *file for the file contents and
> bprm->filename becomes the filename hint.
>
> when the image is a script, this function will call various binfmt
> handlers, until the handler in fs/binfmt_script.c is called. It
> recognizes the #!, extracts the name of the interpreter, and sets
> bprm->file to point to the interpreter. However, it does not change
> bprm->filename. It then goes recursive, calling
> search_binary_handler() to find a handler for the interpreter
> image. We then get the second IMA entry for the interpreter image, but
> still using the old bprm->filename, i.e. the name of the script, not
> the interpreter.
Hi Andrew,
Yes, things have changed. The name of the interpreter was originally
copied to bprm->filename. Currently bprm->filename and bprm->interp are
the same, but only differ when the script handler is called. Instead of
passing bprm->filename to process_measurement(), we could pass
bprm->interp, but that just seems wrong.
Mimi
|
|
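The measurement-list entries and sha1sum output from Andrew's message, run through a small checker; this is an added example, not code from the thread or from the linux-ima project. It parses `ascii_runtime_measurements` lines of the `ima` template, recomputes each template hash under the assumption that the template data is the 20-byte file digest followed by the filename hint NUL-padded to 256 bytes (the `struct ima_template_data` layout of kernels of this era), and flags any filename hint that appears with more than one file digest, which is exactly the script/interpreter confusion discussed above. The `KNOWN_GOOD` table is built from the sha1sum lines in the thread; on a real system it would come from package manifests or a signed reference list.

```python
"""Sanity checks on an IMA ascii_runtime_measurements list (added example)."""
import hashlib
from collections import defaultdict

# The four list entries are copied from Andrew's message; format of the 'ima'
# template is: PCR template-hash template-name filedata-hash filename-hint
SAMPLE_MEASUREMENTS = """\
10 c6e74a02c40124914c1dc367f7b140b1ccadb017 ima c8df4bc0118711ae391df58e9a4381a0f64a458d /etc/init.d/rcS
10 29de86918f2697f1c8b83a5cde7105f415835a7b ima 968c2722e58d7851e8cd1d346131aebc36ef8774 /etc/init.d/rcS
10 6df04e744253accd8243b5efa7eb1c7cadc8a038 ima 35dcb0f1d0d47395bc9c76c7922f7e7b25dbb4da /sbin/dhclient-script
10 e0eb67d8d2ca1e7ef7e86e47330863cb41336123 ima 5515a54302e5eecc6338ef7ff1300d2e94d204c3 /sbin/dhclient-script
"""

# Reference digests taken from the sha1sum lines in the same thread.
KNOWN_GOOD = {
    "c8df4bc0118711ae391df58e9a4381a0f64a458d": "/etc/init.d/rcS",
    "35dcb0f1d0d47395bc9c76c7922f7e7b25dbb4da": "/sbin/dhclient-script",
    "968c2722e58d7851e8cd1d346131aebc36ef8774": "/bin/dash",
    "5515a54302e5eecc6338ef7ff1300d2e94d204c3": "/bin/bash",
}

IMA_EVENT_NAME_LEN = 256  # assumed: IMA_EVENT_NAME_LEN_MAX + 1 in the kernel


def parse_measurements(text):
    """Return one dict per non-empty line; rejects anything that is not an 'ima' entry."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(None, 4)
        if len(fields) != 5 or fields[2] != "ima":
            raise ValueError("line %d: not an 'ima' template entry: %r" % (lineno, line))
        pcr, template_hash, template, filedata_hash, hint = fields
        entries.append({
            "line": lineno, "pcr": int(pcr), "template_hash": template_hash,
            "template": template, "filedata_hash": filedata_hash, "hint": hint,
        })
    return entries


def ima_template_hash(filedata_hash_hex, hint):
    """Recompute the 'ima' template hash: sha1(digest || hint NUL-padded to 256 bytes)."""
    name = hint.encode()[:IMA_EVENT_NAME_LEN - 1].ljust(IMA_EVENT_NAME_LEN, b"\0")
    return hashlib.sha1(bytes.fromhex(filedata_hash_hex) + name).hexdigest()


def verify_template_hashes(entries):
    """Map line number -> whether the recorded template hash matches the recomputation."""
    return {e["line"]: ima_template_hash(e["filedata_hash"], e["hint"]) == e["template_hash"]
            for e in entries}


def find_hint_collisions(entries):
    """Hints recorded with more than one file digest -> {hint: {digest: first line seen}}."""
    by_hint = defaultdict(dict)
    for e in entries:
        by_hint[e["hint"]].setdefault(e["filedata_hash"], e["line"])
    return {hint: digests for hint, digests in by_hint.items() if len(digests) > 1}


def explain_collisions(collisions, known_good):
    """Attribute each colliding digest to the file the reference table says it belongs to."""
    return {hint: {d: known_good.get(d, "<unknown digest>") for d in digests}
            for hint, digests in collisions.items()}


if __name__ == "__main__":
    entries = parse_measurements(SAMPLE_MEASUREMENTS)
    for line, ok in verify_template_hashes(entries).items():
        print("line %d: template hash %s" % (line, "ok" if ok else "MISMATCH"))
    for hint, digests in explain_collisions(find_hint_collisions(entries), KNOWN_GOOD).items():
        print("hint %s recorded with %d digests:" % (hint, len(digests)))
        for d, path in digests.items():
            print("  %s -> %s" % (d, path))
```

Read the real list with `parse_measurements(open("/sys/kernel/security/ima/ascii_runtime_measurements").read())`; the hint-collision report then turns the two duplicate `/etc/init.d/rcS` lines into "one digest is the script, the other is /bin/dash", which is the conclusion the thread reaches by hand.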
From: Andrew L. <an...@lu...> - 2012-04-27 06:28:44
|
> It's definitely not the 'expected behavior', nor did it behave this way
> originally. I'm looking into it.
Hi Mimi
I had a quick look myself....
fs/exec.c contains:
/*
* cycle the list of binary formats handler, until one recognizes the image
*/
int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
{
unsigned int depth = bprm->recursion_depth;
int try,retval;
struct linux_binfmt *fmt;
pid_t old_pid, old_vpid;
retval = security_bprm_check(bprm);
if (retval)
return retval;
It is this call to security_bprm_check which causes the entry in IMA.
bprm->file is the struct file *file for the file contents and
bprm->filename becomes the filename hint.
when the image is a script, this function will call various binfmt
handlers, until the handler in fs/binfmt_script.c is called. It
recognizes the #!, extracts the name of the interpreter, and sets
bprm->file to point to the interpreter. However, it does not change
bprm->filename. It then goes recursive, calling
search_binary_handler() to find a handler for the interpreter
image. We then get the second IMA entry for the interpreter image, but
still using the old bprm->filename, i.e. the name of the script, not
the interpreter.
Andrew
|
|
From: Mimi Z. <zo...@li...> - 2012-04-26 14:52:48
|
On Wed, 2012-04-25 at 12:05 +0200, Andrew Lunn wrote:
> Hi Folks
>
> I've found something which does not make much sense to me.
>
> Linux kernel 3.3.0
>
> In /sys/kernel/security/ima/ascii_runtime_measurements I have lots of
> entries, nearly all as expected. However, I also have:
>
> 10 c6e74a02c40124914c1dc367f7b140b1ccadb017 ima c8df4bc0118711ae391df58e9a4381a0f64a458d /etc/init.d/rcS
> 10 29de86918f2697f1c8b83a5cde7105f415835a7b ima 968c2722e58d7851e8cd1d346131aebc36ef8774 /etc/init.d/rcS
>
> and
>
> 10 6df04e744253accd8243b5efa7eb1c7cadc8a038 ima 35dcb0f1d0d47395bc9c76c7922f7e7b25dbb4da /sbin/dhclient-script
> 10 e0eb67d8d2ca1e7ef7e86e47330863cb41336123 ima 5515a54302e5eecc6338ef7ff1300d2e94d204c3 /sbin/dhclient-script
>
> The first of each pair is O.K:
>
> sha1sum /etc/init.d/rcS /sbin/dhclient-script
> c8df4bc0118711ae391df58e9a4381a0f64a458d /etc/init.d/rcS
> 35dcb0f1d0d47395bc9c76c7922f7e7b25dbb4da /sbin/dhclient-script
>
> But the second entry for each pair causes lots of confusion. However,
> what I found is:
>
> 968c2722e58d7851e8cd1d346131aebc36ef8774 /bin/dash
> 5515a54302e5eecc6338ef7ff1300d2e94d204c3 /bin/bash
>
> So the second entry for each is the interpreter of the script, not the
> script itself as suggested by the filename hint.
>
> Is this expected behavior?
>
> Thanks
> Andrew
It's definitely not the 'expected behavior', nor did it behave this way
originally. I'm looking into it.
thanks,
Mimi |
|
From: Andrew L. <an...@lu...> - 2012-04-25 10:20:55
|
Hi Folks
I've found something which does not make much sense to me.
Linux kernel 3.3.0
In /sys/kernel/security/ima/ascii_runtime_measurements I have lots of
entries, nearly all as expected. However, I also have:
10 c6e74a02c40124914c1dc367f7b140b1ccadb017 ima c8df4bc0118711ae391df58e9a4381a0f64a458d /etc/init.d/rcS
10 29de86918f2697f1c8b83a5cde7105f415835a7b ima 968c2722e58d7851e8cd1d346131aebc36ef8774 /etc/init.d/rcS
and
10 6df04e744253accd8243b5efa7eb1c7cadc8a038 ima 35dcb0f1d0d47395bc9c76c7922f7e7b25dbb4da /sbin/dhclient-script
10 e0eb67d8d2ca1e7ef7e86e47330863cb41336123 ima 5515a54302e5eecc6338ef7ff1300d2e94d204c3 /sbin/dhclient-script
The first of each pair is O.K:
sha1sum /etc/init.d/rcS /sbin/dhclient-script
c8df4bc0118711ae391df58e9a4381a0f64a458d /etc/init.d/rcS
35dcb0f1d0d47395bc9c76c7922f7e7b25dbb4da /sbin/dhclient-script
But the second entry for each pair causes lots of confusion. However,
what I found is:
968c2722e58d7851e8cd1d346131aebc36ef8774 /bin/dash
5515a54302e5eecc6338ef7ff1300d2e94d204c3 /bin/bash
So the second entry for each is the interpreter of the script, not the
script itself as suggested by the filename hint.
Is this expected behavior?
Thanks
Andrew |
|
From: Roberto S. <rob...@po...> - 2012-03-22 08:53:32
|
On 03/22/2012 12:25 AM, Lennart Poettering wrote:
> On Thu, 15.03.12 19:06, Roberto Sassu (rob...@po...) wrote:
>
>> The mount of the securityfs filesystem is now performed in the main systemd
>> executable as it is used by IMA to provide the interface for loading custom
>> policies. The unit file 'units/sys-kernel-security.mount' has been removed
>> because it is no longer necessary.
>
> Applied both patches!
>
Hi Lennart
thanks for accepting them!
Regards
Roberto Sassu
> Thanks a lot for your work!
>
> Lennart
> |
|
From: Lennart P. <le...@po...> - 2012-03-21 23:25:50
|
On Thu, 15.03.12 19:06, Roberto Sassu (rob...@po...) wrote:
> The mount of the securityfs filesystem is now performed in the main systemd
> executable as it is used by IMA to provide the interface for loading custom
> policies. The unit file 'units/sys-kernel-security.mount' has been removed
> because it is no longer necessary.
Applied both patches!
Thanks a lot for your work!
Lennart
--
Lennart Poettering - Red Hat, Inc. |
|
From: Roberto S. <rob...@po...> - 2012-03-15 18:10:30
|
The new function ima_setup() loads an IMA custom policy from a file in the
default location '/etc/ima/ima-policy', if present, and writes it to the
path 'ima/policy' in the security filesystem. This function is executed
at an early stage so that no file operations go unmeasured by IMA, and it
is placed after the initialization of SELinux because IMA needs the latter
(or other security modules) to understand LSM-specific rules. This feature
is enabled by default and can be disabled by providing the option
'--disable-ima' to the configure script.
Signed-off-by: Roberto Sassu <rob...@po...>
Acked-by: Gianluca Ramunno <ra...@po...>
---
Makefile.am | 1 +
configure.ac | 14 +++++++
src/build.h | 8 +++-
src/ima-setup.c | 115 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
src/ima-setup.h | 29 ++++++++++++++
src/main.c | 6 ++-
6 files changed, 171 insertions(+), 2 deletions(-)
create mode 100644 src/ima-setup.c
create mode 100644 src/ima-setup.h
diff --git a/Makefile.am b/Makefile.am
index c0fcd70..08c7ea7 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -516,6 +516,7 @@ libsystemd_core_la_SOURCES = \
src/mount-setup.c \
src/hostname-setup.c \
src/selinux-setup.c \
+ src/ima-setup.c \
src/loopback-setup.c \
src/kmod-setup.c \
src/locale-setup.c \
diff --git a/configure.ac b/configure.ac
index 3860088..b562078 100644
--- a/configure.ac
+++ b/configure.ac
@@ -127,6 +127,19 @@ PKG_CHECK_MODULES(UDEV, [ libudev >= 172 ])
PKG_CHECK_MODULES(DBUS, [ dbus-1 >= 1.3.2 ])
PKG_CHECK_MODULES(KMOD, [ libkmod >= 5 ])
+have_ima=yes
+AC_ARG_ENABLE([ima], AS_HELP_STRING([--disable-ima],[Disable optional IMA support]),
+ [case "${enableval}" in
+ yes) have_ima=yes ;;
+ no) have_ima=no ;;
+ *) AC_MSG_ERROR(bad value ${enableval} for --disable-ima) ;;
+ esac],
+ [have_ima=yes])
+
+if test "x${have_ima}" != xno ; then
+ AC_DEFINE(HAVE_IMA, 1, [Define if IMA is available])
+fi
+
have_selinux=no
AC_ARG_ENABLE(selinux, AS_HELP_STRING([--disable-selinux], [Disable optional SELINUX support]))
if test "x$enable_selinux" != "xno"; then
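Review bot: in the configure.ac hunk, `have_ima=yes` is assigned three times (before AC_ARG_ENABLE, in the `yes)` case and in the default action); the first assignment already covers the default, so the block can be reduced to the AC_ARG_ENABLE and the case. It also differs in shape from the SELinux block directly below, which tests `$enable_selinux` instead of running a case over `${enableval}`; following the existing pattern keeps the two options consistent.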
@@ -629,6 +642,7 @@ AC_MSG_RESULT([
tcpwrap: ${have_tcpwrap}
PAM: ${have_pam}
AUDIT: ${have_audit}
+ IMA: ${have_ima}
SELinux: ${have_selinux}
XZ: ${have_xz}
ACL: ${have_acl}
diff --git a/src/build.h b/src/build.h
index 50cd79d..0619013 100644
--- a/src/build.h
+++ b/src/build.h
@@ -46,6 +46,12 @@
#define _SELINUX_FEATURE_ "-SELINUX"
#endif
+#ifdef HAVE_IMA
+#define _IMA_FEATURE_ "+IMA"
+#else
+#define _IMA_FEATURE_ "-IMA"
+#endif
+
#ifdef HAVE_SYSV_COMPAT
#define _SYSVINIT_FEATURE_ "+SYSVINIT"
#else
@@ -58,6 +64,6 @@
#define _LIBCRYPTSETUP_FEATURE_ "-LIBCRYPTSETUP"
#endif
-#define SYSTEMD_FEATURES _PAM_FEATURE_ " " _LIBWRAP_FEATURE_ " " _AUDIT_FEATURE_ " " _SELINUX_FEATURE_ " " _SYSVINIT_FEATURE_ " " _LIBCRYPTSETUP_FEATURE_
+#define SYSTEMD_FEATURES _PAM_FEATURE_ " " _LIBWRAP_FEATURE_ " " _AUDIT_FEATURE_ " " _SELINUX_FEATURE_ " " _IMA_FEATURE_ " " _SYSVINIT_FEATURE_ " " _LIBCRYPTSETUP_FEATURE_
#endif
diff --git a/src/ima-setup.c b/src/ima-setup.c
new file mode 100644
index 0000000..03e43dc
--- /dev/null
+++ b/src/ima-setup.c
@@ -0,0 +1,115 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
+/***
+ This file is part of systemd.
+
+ Copyright 2010 Lennart Poettering
+ Copyright (C) 2012 Roberto Sassu - Politecnico di Torino, Italy
+ TORSEC group -- http://security.polito.it
+
+ systemd is free software; you can redistribute it and/or modify it
+ under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ systemd is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+#include <unistd.h>
+#include <stdio.h>
+#include <errno.h>
+#include <string.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <sys/stat.h>
+#include <sys/mman.h>
+
+#include "ima-setup.h"
+#include "mount-setup.h"
+#include "macro.h"
+#include "util.h"
+#include "log.h"
+#include "label.h"
+
+#define IMA_SECFS_DIR "/sys/kernel/security/ima"
+#define IMA_SECFS_POLICY IMA_SECFS_DIR "/policy"
+#define IMA_POLICY_PATH "/etc/ima/ima-policy"
+
+int ima_setup(void) {
+
+#ifdef HAVE_IMA
+ struct stat st;
+ ssize_t policy_size = 0, written = 0;
+ char *policy;
+ int policyfd = -1, imafd = -1;
+ int result = 0;
+
+#ifndef HAVE_SELINUX
+ /* Mount the securityfs filesystem */
+ mount_setup_early();
+#endif
+
+ if (stat(IMA_POLICY_PATH, &st) < 0)
+ return 0;
+
+ policy_size = st.st_size;
+ if (stat(IMA_SECFS_DIR, &st) < 0) {
+ log_debug("IMA support is disabled in the kernel, ignoring.");
+ return 0;
+ }
+
+ if (stat(IMA_SECFS_POLICY, &st) < 0) {
+ log_error("Another IMA custom policy has already been loaded, "
+ "ignoring.");
+ return 0;
+ }
+
+ policyfd = open(IMA_POLICY_PATH, O_RDONLY|O_CLOEXEC);
+ if (policyfd < 0) {
+ log_error("Failed to open the IMA custom policy file %s (%m), "
+ "ignoring.", IMA_POLICY_PATH);
+ return 0;
+ }
+
+ imafd = open(IMA_SECFS_POLICY, O_WRONLY|O_CLOEXEC);
+ if (imafd < 0) {
+ log_error("Failed to open the IMA kernel interface %s (%m), "
+ "ignoring.", IMA_SECFS_POLICY);
+ goto out;
+ }
+
+ policy = mmap(NULL, policy_size, PROT_READ, MAP_PRIVATE, policyfd, 0);
+ if (policy == MAP_FAILED) {
+ log_error("mmap() failed (%m), freezing");
+ result = -errno;
+ goto out;
+ }
+
+ written = loop_write(imafd, policy, (size_t)policy_size, false);
+ if (written != policy_size) {
+ log_error("Failed to load the IMA custom policy file %s (%m), "
+ "ignoring.", IMA_POLICY_PATH);
+ goto out_mmap;
+ }
+
+ log_info("Successfully loaded the IMA custom policy %s.",
+ IMA_POLICY_PATH);
+out_mmap:
+ munmap(policy, policy_size);
+out:
+ if (policyfd >= 0)
+ close_nointr_nofail(policyfd);
+ if (imafd >= 0)
+ close_nointr_nofail(imafd);
+ if (result)
+ return result;
+#endif /* HAVE_IMA */
+
+ return 0;
+}
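Review bot: in the ima-setup.c hunk, a zero-length /etc/ima/ima-policy makes `mmap()` fail (a length-0 mapping is rejected with EINVAL), and because that is the only path that sets `result = -errno` it is also the only failure that propagates to main() and halts boot; open() and write failures are logged and ignored. Suggest returning 0 when `st.st_size == 0` after the first stat(), and reconsidering whether an mmap() failure should be fatal at all given that a missing kernel interface or a rejected policy is not. Two smaller points: `%m` in the "Failed to load the IMA custom policy" message is only meaningful if `loop_write()` left errno set, and the "freezing" wording in the mmap() message does not match the "ignoring" wording used everywhere else.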
diff --git a/src/ima-setup.h b/src/ima-setup.h
new file mode 100644
index 0000000..7d677cf
--- /dev/null
+++ b/src/ima-setup.h
@@ -0,0 +1,29 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
+#ifndef fooimasetuphfoo
+#define fooimasetuphfoo
+
+/***
+ This file is part of systemd.
+
+ Copyright 2010 Lennart Poettering
+ Copyright (C) 2012 Roberto Sassu - Politecnico di Torino, Italy
+ TORSEC group -- http://security.polito.it
+
+ systemd is free software; you can redistribute it and/or modify it
+ under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ systemd is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+int ima_setup(void);
+
+#endif
diff --git a/src/main.c b/src/main.c
index ed317b4..7ae8841 100644
--- a/src/main.c
+++ b/src/main.c
@@ -41,6 +41,7 @@
#include "kmod-setup.h"
#include "locale-setup.h"
#include "selinux-setup.h"
+#include "ima-setup.h"
#include "machine-id-setup.h"
#include "load-fragment.h"
#include "fdset.h"
@@ -1203,9 +1204,12 @@ int main(int argc, char *argv[]) {
arg_running_as = MANAGER_SYSTEM;
log_set_target(detect_container(NULL) > 0 ? LOG_TARGET_CONSOLE : LOG_TARGET_JOURNAL_OR_KMSG);
- if (!is_reexec)
+ if (!is_reexec) {
if (selinux_setup(&loaded_policy) < 0)
goto finish;
+ if (ima_setup() < 0)
+ goto finish;
+ }
log_open();
--
1.7.7.6
|
|
From: Roberto S. <rob...@po...> - 2012-03-15 18:09:36
|
The mount of the securityfs filesystem is now performed in the main systemd
executable as it is used by IMA to provide the interface for loading custom
policies. The unit file 'units/sys-kernel-security.mount' has been removed
because it is no longer necessary.
Signed-off-by: Roberto Sassu <rob...@po...>
Acked-by: Gianluca Ramunno <ra...@po...>
---
Makefile.am | 3 ---
src/mount-setup.c | 6 ++++--
units/sys-kernel-security.mount | 17 -----------------
3 files changed, 4 insertions(+), 22 deletions(-)
delete mode 100644 units/sys-kernel-security.mount
diff --git a/Makefile.am b/Makefile.am
index d2bd340..c0fcd70 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -291,7 +291,6 @@ dist_systemunit_DATA = \
units/dev-mqueue.mount \
units/sys-kernel-config.mount \
units/sys-kernel-debug.mount \
- units/sys-kernel-security.mount \
units/sys-fs-fuse-connections.mount \
units/var-run.mount \
units/media.mount \
@@ -2342,7 +2341,6 @@ systemd-install-data-hook:
dev-mqueue.mount \
sys-kernel-config.mount \
sys-kernel-debug.mount \
- sys-kernel-security.mount \
sys-fs-fuse-connections.mount \
systemd-modules-load.service \
systemd-tmpfiles-setup.service \
@@ -2352,7 +2350,6 @@ systemd-install-data-hook:
$(LN_S) ../dev-mqueue.mount dev-mqueue.mount && \
$(LN_S) ../sys-kernel-config.mount sys-kernel-config.mount && \
$(LN_S) ../sys-kernel-debug.mount sys-kernel-debug.mount && \
- $(LN_S) ../sys-kernel-security.mount sys-kernel-security.mount && \
$(LN_S) ../sys-fs-fuse-connections.mount sys-fs-fuse-connections.mount && \
$(LN_S) ../systemd-modules-load.service systemd-modules-load.service && \
$(LN_S) ../systemd-tmpfiles-setup.service systemd-tmpfiles-setup.service && \
diff --git a/src/mount-setup.c b/src/mount-setup.c
index 7c14ea8..aaffb65 100644
--- a/src/mount-setup.c
+++ b/src/mount-setup.c
@@ -51,13 +51,15 @@ typedef struct MountPoint {
} MountPoint;
/* The first three entries we might need before SELinux is up. The
- * other ones we can delay until SELinux is loaded. */
-#define N_EARLY_MOUNT 3
+ * fourth (securityfs) is needed by IMA to load a custom policy. The
+ * other ones we can delay until SELinux and IMA are loaded. */
+#define N_EARLY_MOUNT 4
static const MountPoint mount_table[] = {
{ "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
{ "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
{ "devtmpfs", "/dev", "devtmpfs", "mode=755", MS_NOSUID, true },
+ { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, false },
{ "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV, true },
{ "devpts", "/dev/pts", "devpts", "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC, false },
{ "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV, true },
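Review bot: in the mount-setup.c hunk, the deleted unit guarded the mount with `ConditionPathExists=/sys/kernel/security`, but the new early-table entry has no equivalent, so on kernels without securityfs the mount() is attempted and fails on every boot; the `false` in the last column keeps that non-fatal, as agreed in the thread, but check that mount_setup() logs non-fatal entries at a level that does not flood the console. The updated comment ("The first three entries we might need before SELinux is up. The fourth (securityfs) is needed by IMA") and `N_EARLY_MOUNT 4` are consistent with the table order.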
diff --git a/units/sys-kernel-security.mount b/units/sys-kernel-security.mount
deleted file mode 100644
index 80cd761..0000000
--- a/units/sys-kernel-security.mount
+++ /dev/null
@@ -1,17 +0,0 @@
-# This file is part of systemd.
-#
-# systemd is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-
-[Unit]
-Description=Security File System
-DefaultDependencies=no
-ConditionPathExists=/sys/kernel/security
-Before=sysinit.target
-
-[Mount]
-What=securityfs
-Where=/sys/kernel/security
-Type=securityfs
--
1.7.7.6
|
|
From: Roberto S. <rob...@po...> - 2012-03-14 17:16:38
|
On 03/14/2012 05:54 PM, Lennart Poettering wrote:
> On Tue, 13.03.12 19:38, Roberto Sassu (rob...@po...) wrote:
>
>>>> static const MountPoint mount_table[] = {
>>>> { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
>>>> { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
>>>> { "devtmpfs", "/dev", "devtmpfs", "mode=755", MS_NOSUID, true },
>>>> + { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
>>>
>>> Failure to mount securtiyfs might be fatal for _your_ purposes, but I'd
>>> wager that not only are some people not interested in this, but some
>>> people (myself included) might not even have securityfs in their kernel.
>>>
>>
>> Hi Dave
>>
>> i think i can change this to false without breaking
>> the other code, because at the beginning of the new
>> file 'src/ima-setup.c' i check for the IMA support in
>> the kernel by checking the existence of the
>> '/sys/kernel/security/ima' directory. If the mount
>> fails, this will be handled as the same as when the
>> IMA support is disabled in the kernel.
>> This could be acceptable because IMA requires the
>> security filesystem as dependency.
>>
>> I'll wait for other comments before reposting the patches.
>
> Yes, please change this. It is important to us that systemd works well
> on kernels without any special security features enabled.
>
Hi Lennart
ok, will do.
> Also, may I ask you to turn this feature on in configure, by default? I
> presume that machines with this feature built into systemd but with no
> policy file around will boot just fine, right? Hence enabling this by
> default shouldn't hurt.
>
Sure. Yes, the code returns immediately if the policy file is missing.
> (The reason that I want this enabled by default is that I -- or other
> devs -- build this locally the code as comprehensively as possible so
> that things don't start to bitrot that easily)
>
This is good, as users will not need to rebuild the RPM with the IMA
feature enabled but they can try this functionality if they want.
Regards
Roberto Sassu
> Lennart
>
|