From: Lennart P. <le...@po...> - 2012-03-14 16:54:22
On Tue, 13.03.12 19:38, Roberto Sassu (rob...@po...) wrote:
> >> static const MountPoint mount_table[] = {
> >> { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
> >> { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
> >> { "devtmpfs", "/dev", "devtmpfs", "mode=755", MS_NOSUID, true },
> >>+ { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
> >
> >Failure to mount securityfs might be fatal for _your_ purposes, but I'd
> >wager that not only are some people not interested in this, but some
> >people (myself included) might not even have securityfs in their kernel.
> >
>
> Hi Dave
>
> I think I can change this to false without breaking
> the other code, because at the beginning of the new
> file 'src/ima-setup.c' I check for IMA support in
> the kernel by checking the existence of the
> '/sys/kernel/security/ima' directory. If the mount
> fails, this will be handled the same as when
> IMA support is disabled in the kernel.
> This could be acceptable because IMA requires the
> security filesystem as a dependency.
>
> I'll wait for other comments before reposting the patches.
Yes, please change this. It is important to us that systemd works well
on kernels without any special security features enabled.
Also, may I ask you to turn this feature on in configure, by default? I
presume that machines with this feature built into systemd but with no
policy file around will boot just fine, right? Hence enabling this by
default shouldn't hurt.
(The reason that I want this enabled by default is that I -- or other
devs -- build the code locally as comprehensively as possible so
that things don't start to bitrot that easily.)
Lennart
--
Lennart Poettering - Red Hat, Inc.
From: Roberto S. <rob...@po...> - 2012-03-13 18:41:07
On 03/13/2012 06:39 PM, Dave Reisner wrote:
> On Tue, Mar 13, 2012 at 05:15:35PM +0100, Roberto Sassu wrote:
>> The mount of the securityfs filesystem is now performed in the main systemd
>> executable as it is used by IMA to provide the interface for loading custom
>> policies. The unit file 'units/sys-kernel-security.mount' has been removed
>> because it is no longer necessary.
>>
>> Signed-off-by: Roberto Sassu<rob...@po...>
>> Acked-by: Gianluca Ramunno<ra...@po...>
>> ---
>> Makefile.am | 3 ---
>> src/mount-setup.c | 6 ++++--
>> units/sys-kernel-security.mount | 17 -----------------
>> 3 files changed, 4 insertions(+), 22 deletions(-)
>> delete mode 100644 units/sys-kernel-security.mount
>>
>> diff --git a/Makefile.am b/Makefile.am
>> index d2bd340..c0fcd70 100644
>> --- a/Makefile.am
>> +++ b/Makefile.am
>> @@ -291,7 +291,6 @@ dist_systemunit_DATA = \
>> units/dev-mqueue.mount \
>> units/sys-kernel-config.mount \
>> units/sys-kernel-debug.mount \
>> - units/sys-kernel-security.mount \
>> units/sys-fs-fuse-connections.mount \
>> units/var-run.mount \
>> units/media.mount \
>> @@ -2342,7 +2341,6 @@ systemd-install-data-hook:
>> dev-mqueue.mount \
>> sys-kernel-config.mount \
>> sys-kernel-debug.mount \
>> - sys-kernel-security.mount \
>> sys-fs-fuse-connections.mount \
>> systemd-modules-load.service \
>> systemd-tmpfiles-setup.service \
>> @@ -2352,7 +2350,6 @@ systemd-install-data-hook:
>> $(LN_S) ../dev-mqueue.mount dev-mqueue.mount&& \
>> $(LN_S) ../sys-kernel-config.mount sys-kernel-config.mount&& \
>> $(LN_S) ../sys-kernel-debug.mount sys-kernel-debug.mount&& \
>> - $(LN_S) ../sys-kernel-security.mount sys-kernel-security.mount&& \
>> $(LN_S) ../sys-fs-fuse-connections.mount sys-fs-fuse-connections.mount&& \
>> $(LN_S) ../systemd-modules-load.service systemd-modules-load.service&& \
>> $(LN_S) ../systemd-tmpfiles-setup.service systemd-tmpfiles-setup.service&& \
>> diff --git a/src/mount-setup.c b/src/mount-setup.c
>> index 7c14ea8..75d5cae 100644
>> --- a/src/mount-setup.c
>> +++ b/src/mount-setup.c
>> @@ -51,13 +51,15 @@ typedef struct MountPoint {
>> } MountPoint;
>>
>> /* The first three entries we might need before SELinux is up. The
>> - * other ones we can delay until SELinux is loaded. */
>> -#define N_EARLY_MOUNT 3
>> + * fourth (securityfs) is needed by IMA to load a custom policy. The
>> + * other ones we can delay until SELinux and IMA are loaded. */
>> +#define N_EARLY_MOUNT 4
>>
>> static const MountPoint mount_table[] = {
>> { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
>> { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
>> { "devtmpfs", "/dev", "devtmpfs", "mode=755", MS_NOSUID, true },
>> + { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
>
> Failure to mount securityfs might be fatal for _your_ purposes, but I'd
> wager that not only are some people not interested in this, but some
> people (myself included) might not even have securityfs in their kernel.
>
Hi Dave
I think I can change this to false without breaking
the other code, because at the beginning of the new
file 'src/ima-setup.c' I check for IMA support in
the kernel by checking the existence of the
'/sys/kernel/security/ima' directory. If the mount
fails, this will be handled the same as when
IMA support is disabled in the kernel.
This could be acceptable because IMA requires the
security filesystem as a dependency.
I'll wait for other comments before reposting the patches.
Thanks
Roberto Sassu
> dave
>
>> { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV, true },
>> { "devpts", "/dev/pts", "devpts", "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC, false },
>> { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV, true },
>> diff --git a/units/sys-kernel-security.mount b/units/sys-kernel-security.mount
>> deleted file mode 100644
>> index 80cd761..0000000
>> --- a/units/sys-kernel-security.mount
>> +++ /dev/null
>> @@ -1,17 +0,0 @@
>> -# This file is part of systemd.
>> -#
>> -# systemd is free software; you can redistribute it and/or modify it
>> -# under the terms of the GNU General Public License as published by
>> -# the Free Software Foundation; either version 2 of the License, or
>> -# (at your option) any later version.
>> -
>> -[Unit]
>> -Description=Security File System
>> -DefaultDependencies=no
>> -ConditionPathExists=/sys/kernel/security
>> -Before=sysinit.target
>> -
>> -[Mount]
>> -What=securityfs
>> -Where=/sys/kernel/security
>> -Type=securityfs
>> --
>> 1.7.7.6
>>
>
>
>
>> _______________________________________________
>> systemd-devel mailing list
>> sys...@li...
>> http://lists.freedesktop.org/mailman/listinfo/systemd-devel
>
From: Dave R. <d...@fa...> - 2012-03-13 18:01:20
On Tue, Mar 13, 2012 at 05:15:35PM +0100, Roberto Sassu wrote:
> The mount of the securityfs filesystem is now performed in the main systemd
> executable as it is used by IMA to provide the interface for loading custom
> policies. The unit file 'units/sys-kernel-security.mount' has been removed
> because it is no longer necessary.
>
> Signed-off-by: Roberto Sassu <rob...@po...>
> Acked-by: Gianluca Ramunno <ra...@po...>
> ---
> Makefile.am | 3 ---
> src/mount-setup.c | 6 ++++--
> units/sys-kernel-security.mount | 17 -----------------
> 3 files changed, 4 insertions(+), 22 deletions(-)
> delete mode 100644 units/sys-kernel-security.mount
>
> diff --git a/Makefile.am b/Makefile.am
> index d2bd340..c0fcd70 100644
> --- a/Makefile.am
> +++ b/Makefile.am
> @@ -291,7 +291,6 @@ dist_systemunit_DATA = \
> units/dev-mqueue.mount \
> units/sys-kernel-config.mount \
> units/sys-kernel-debug.mount \
> - units/sys-kernel-security.mount \
> units/sys-fs-fuse-connections.mount \
> units/var-run.mount \
> units/media.mount \
> @@ -2342,7 +2341,6 @@ systemd-install-data-hook:
> dev-mqueue.mount \
> sys-kernel-config.mount \
> sys-kernel-debug.mount \
> - sys-kernel-security.mount \
> sys-fs-fuse-connections.mount \
> systemd-modules-load.service \
> systemd-tmpfiles-setup.service \
> @@ -2352,7 +2350,6 @@ systemd-install-data-hook:
> $(LN_S) ../dev-mqueue.mount dev-mqueue.mount && \
> $(LN_S) ../sys-kernel-config.mount sys-kernel-config.mount && \
> $(LN_S) ../sys-kernel-debug.mount sys-kernel-debug.mount && \
> - $(LN_S) ../sys-kernel-security.mount sys-kernel-security.mount && \
> $(LN_S) ../sys-fs-fuse-connections.mount sys-fs-fuse-connections.mount && \
> $(LN_S) ../systemd-modules-load.service systemd-modules-load.service && \
> $(LN_S) ../systemd-tmpfiles-setup.service systemd-tmpfiles-setup.service && \
> diff --git a/src/mount-setup.c b/src/mount-setup.c
> index 7c14ea8..75d5cae 100644
> --- a/src/mount-setup.c
> +++ b/src/mount-setup.c
> @@ -51,13 +51,15 @@ typedef struct MountPoint {
> } MountPoint;
>
> /* The first three entries we might need before SELinux is up. The
> - * other ones we can delay until SELinux is loaded. */
> -#define N_EARLY_MOUNT 3
> + * fourth (securityfs) is needed by IMA to load a custom policy. The
> + * other ones we can delay until SELinux and IMA are loaded. */
> +#define N_EARLY_MOUNT 4
>
> static const MountPoint mount_table[] = {
> { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
> { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
> { "devtmpfs", "/dev", "devtmpfs", "mode=755", MS_NOSUID, true },
> + { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
Failure to mount securityfs might be fatal for _your_ purposes, but I'd
wager that not only are some people not interested in this, but some
people (myself included) might not even have securityfs in their kernel.
dave
> { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV, true },
> { "devpts", "/dev/pts", "devpts", "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC, false },
> { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV, true },
> diff --git a/units/sys-kernel-security.mount b/units/sys-kernel-security.mount
> deleted file mode 100644
> index 80cd761..0000000
> --- a/units/sys-kernel-security.mount
> +++ /dev/null
> @@ -1,17 +0,0 @@
> -# This file is part of systemd.
> -#
> -# systemd is free software; you can redistribute it and/or modify it
> -# under the terms of the GNU General Public License as published by
> -# the Free Software Foundation; either version 2 of the License, or
> -# (at your option) any later version.
> -
> -[Unit]
> -Description=Security File System
> -DefaultDependencies=no
> -ConditionPathExists=/sys/kernel/security
> -Before=sysinit.target
> -
> -[Mount]
> -What=securityfs
> -Where=/sys/kernel/security
> -Type=securityfs
> --
> 1.7.7.6
From: Roberto S. <rob...@po...> - 2012-03-13 16:19:21
The new function ima_setup() loads an IMA custom policy from a file in the
default location '/etc/ima/ima-policy', if present, and writes it to the
path 'ima/policy' in the security filesystem. This function is executed
at an early stage in order to avoid some file operations not being measured
by IMA, and it is placed after the initialization of SELinux because IMA
needs the latter (or other security modules) to understand LSM-specific
rules. This feature is disabled by default and can be enabled by providing
the option '--enable-ima' to the configure script.
Signed-off-by: Roberto Sassu <rob...@po...>
Acked-by: Gianluca Ramunno <ra...@po...>
---
Makefile.am | 1 +
configure.ac | 14 +++++++
src/build.h | 8 +++-
src/ima-setup.c | 115 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
src/ima-setup.h | 29 ++++++++++++++
src/main.c | 6 ++-
6 files changed, 171 insertions(+), 2 deletions(-)
create mode 100644 src/ima-setup.c
create mode 100644 src/ima-setup.h
diff --git a/Makefile.am b/Makefile.am
index c0fcd70..08c7ea7 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -516,6 +516,7 @@ libsystemd_core_la_SOURCES = \
src/mount-setup.c \
src/hostname-setup.c \
src/selinux-setup.c \
+ src/ima-setup.c \
src/loopback-setup.c \
src/kmod-setup.c \
src/locale-setup.c \
diff --git a/configure.ac b/configure.ac
index 3860088..0fe29b1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -127,6 +127,19 @@ PKG_CHECK_MODULES(UDEV, [ libudev >= 172 ])
PKG_CHECK_MODULES(DBUS, [ dbus-1 >= 1.3.2 ])
PKG_CHECK_MODULES(KMOD, [ libkmod >= 5 ])
+have_ima=no
+AC_ARG_ENABLE([ima], AS_HELP_STRING([--disable-ima],[Disable optional IMA support]),
+ [case "${enableval}" in
+ yes) have_ima=yes ;;
+ no) have_ima=no ;;
+ *) AC_MSG_ERROR(bad value ${enableval} for --disable-ima) ;;
+ esac],
+ [have_ima=no])
+
+if test "x${have_ima}" != xno ; then
+ AC_DEFINE(HAVE_IMA, 1, [Define if IMA is available])
+fi
+
have_selinux=no
AC_ARG_ENABLE(selinux, AS_HELP_STRING([--disable-selinux], [Disable optional SELINUX support]))
if test "x$enable_selinux" != "xno"; then
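Review bot: the help string advertises `--disable-ima` while the default (`[have_ima=no]`, and `have_ima=no` just above) leaves IMA off, so `./configure --help` never shows the `--enable-ima` switch the commit message tells users to pass. Either change the text to `AS_HELP_STRING([--enable-ima], [Enable optional IMA support])` or default to yes the way the selinux block below does, which is also what Lennart asks for in the thread. The `case` is then redundant: `AC_ARG_ENABLE` already leaves the variable unset when the option is absent, so `if test "x$enable_ima" != "xno"` mirrors the selinux test.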
@@ -629,6 +642,7 @@ AC_MSG_RESULT([
tcpwrap: ${have_tcpwrap}
PAM: ${have_pam}
AUDIT: ${have_audit}
+ IMA: ${have_ima}
SELinux: ${have_selinux}
XZ: ${have_xz}
ACL: ${have_acl}
diff --git a/src/build.h b/src/build.h
index 50cd79d..0619013 100644
--- a/src/build.h
+++ b/src/build.h
@@ -46,6 +46,12 @@
#define _SELINUX_FEATURE_ "-SELINUX"
#endif
+#ifdef HAVE_IMA
+#define _IMA_FEATURE_ "+IMA"
+#else
+#define _IMA_FEATURE_ "-IMA"
+#endif
+
#ifdef HAVE_SYSV_COMPAT
#define _SYSVINIT_FEATURE_ "+SYSVINIT"
#else
@@ -58,6 +64,6 @@
#define _LIBCRYPTSETUP_FEATURE_ "-LIBCRYPTSETUP"
#endif
-#define SYSTEMD_FEATURES _PAM_FEATURE_ " " _LIBWRAP_FEATURE_ " " _AUDIT_FEATURE_ " " _SELINUX_FEATURE_ " " _SYSVINIT_FEATURE_ " " _LIBCRYPTSETUP_FEATURE_
+#define SYSTEMD_FEATURES _PAM_FEATURE_ " " _LIBWRAP_FEATURE_ " " _AUDIT_FEATURE_ " " _SELINUX_FEATURE_ " " _IMA_FEATURE_ " " _SYSVINIT_FEATURE_ " " _LIBCRYPTSETUP_FEATURE_
#endif
diff --git a/src/ima-setup.c b/src/ima-setup.c
new file mode 100644
index 0000000..18ed49b
--- /dev/null
+++ b/src/ima-setup.c
@@ -0,0 +1,115 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
+/***
+ This file is part of systemd.
+
+ Copyright 2010 Lennart Poettering
+ Copyright (C) 2012 Roberto Sassu - Politecnico di Torino, Italy
+ TORSEC group -- http://security.polito.it
+
+ systemd is free software; you can redistribute it and/or modify it
+ under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ systemd is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+#include <unistd.h>
+#include <stdio.h>
+#include <errno.h>
+#include <string.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <sys/stat.h>
+#include <sys/mman.h>
+
+#include "ima-setup.h"
+#include "mount-setup.h"
+#include "macro.h"
+#include "util.h"
+#include "log.h"
+#include "label.h"
+
+#define IMA_SECFS_DIR "/sys/kernel/security/ima"
+#define IMA_SECFS_POLICY IMA_SECFS_DIR "/policy"
+#define IMA_POLICY_PATH "/etc/ima/ima-policy"
+
+int ima_setup(void) {
+
+#ifdef HAVE_IMA
+ struct stat st;
+ ssize_t policy_size = 0, written = 0;
+ char *policy;
+ int policyfd = -1, imafd = -1;
+ int result = 0;
+
+#ifndef HAVE_SELINUX
+ /* Mount the securityfs filesystem */
+ mount_setup_early();
+#endif
+
+ if (stat(IMA_POLICY_PATH, &st) < 0)
+ return 0;
+
+ policy_size = st.st_size;
+ if (stat(IMA_SECFS_DIR, &st) < 0) {
+ log_debug("IMA support is disabled in the kernel, ignoring.");
+ return 0;
+ }
+
+ if (stat(IMA_SECFS_POLICY, &st) < 0) {
+ log_error("Another IMA custom policy has already been loaded, "
+ "ignoring.");
+ return 0;
+ }
+
+ policyfd = open(IMA_POLICY_PATH, O_RDONLY|O_CLOEXEC);
+ if (policyfd < 0) {
+ log_error("Failed to open the IMA custom policy file %s (%m), "
+ "ignoring.", IMA_POLICY_PATH);
+ return 0;
+ }
+
+ imafd = open(IMA_SECFS_POLICY, O_WRONLY|O_CLOEXEC);
+ if (imafd < 0) {
+ log_error("Failed to open the IMA kernel interface %s (%m), "
+ "ignoring.", IMA_SECFS_POLICY);
+ goto out;
+ }
+
+ policy = mmap(NULL, policy_size, PROT_READ, MAP_PRIVATE, policyfd, 0);
+ if (policy == MAP_FAILED) {
+ log_error("mmap() failed (%m), freezing");
+ result = -errno;
+ goto out;
+ }
+
+ written = loop_write(imafd, policy, (size_t)policy_size, false);
+ if (written != policy_size) {
+ log_error("Failed to load the IMA custom policy file %s (%m), "
+ "ignoring.", IMA_POLICY_PATH);
+ goto out_mmap;
+ }
+
+ log_info("Successfully loaded the IMA custom policy %s.",
+ IMA_POLICY_PATH);
+out_mmap:
+ munmap(policy, policy_size);
+out:
+ if (policyfd >= 0)
+ close_nointr_nofail(policyfd);
+ if (imafd >= 0)
+ close_nointr_nofail(imafd);
+ if (result)
+ return result;
+#endif /* HAVE_IMA */
+
+ return 0;
+}
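Review bot: an empty /etc/ima/ima-policy stops the boot. `policy_size` is taken from `st.st_size` of the first stat(), and mmap() with a length of 0 fails with EINVAL, which is the one path here that sets `result = -errno`; main() then takes `goto finish` on the negative return while every other error is logged as "ignoring". Add an early `if (policy_size == 0) return 0;` or downgrade the mmap() failure to the same ignore-and-return-0 handling. Related: the size comes from a stat() by path before open(), so size the mapping with `fstat(policyfd, &st)` after the open so that the mapped length matches the file that was actually opened.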
diff --git a/src/ima-setup.h b/src/ima-setup.h
new file mode 100644
index 0000000..7d677cf
--- /dev/null
+++ b/src/ima-setup.h
@@ -0,0 +1,29 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
+#ifndef fooimasetuphfoo
+#define fooimasetuphfoo
+
+/***
+ This file is part of systemd.
+
+ Copyright 2010 Lennart Poettering
+ Copyright (C) 2012 Roberto Sassu - Politecnico di Torino, Italy
+ TORSEC group -- http://security.polito.it
+
+ systemd is free software; you can redistribute it and/or modify it
+ under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ systemd is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+int ima_setup(void);
+
+#endif
diff --git a/src/main.c b/src/main.c
index ed317b4..7ae8841 100644
--- a/src/main.c
+++ b/src/main.c
@@ -41,6 +41,7 @@
#include "kmod-setup.h"
#include "locale-setup.h"
#include "selinux-setup.h"
+#include "ima-setup.h"
#include "machine-id-setup.h"
#include "load-fragment.h"
#include "fdset.h"
@@ -1203,9 +1204,12 @@ int main(int argc, char *argv[]) {
arg_running_as = MANAGER_SYSTEM;
log_set_target(detect_container(NULL) > 0 ? LOG_TARGET_CONSOLE : LOG_TARGET_JOURNAL_OR_KMSG);
- if (!is_reexec)
+ if (!is_reexec) {
if (selinux_setup(&loaded_policy) < 0)
goto finish;
+ if (ima_setup() < 0)
+ goto finish;
+ }
log_open();
--
1.7.7.6
From: Roberto S. <rob...@po...> - 2012-03-13 16:19:14
The mount of the securityfs filesystem is now performed in the main systemd
executable as it is used by IMA to provide the interface for loading custom
policies. The unit file 'units/sys-kernel-security.mount' has been removed
because it is no longer necessary.
Signed-off-by: Roberto Sassu <rob...@po...>
Acked-by: Gianluca Ramunno <ra...@po...>
---
Makefile.am | 3 ---
src/mount-setup.c | 6 ++++--
units/sys-kernel-security.mount | 17 -----------------
3 files changed, 4 insertions(+), 22 deletions(-)
delete mode 100644 units/sys-kernel-security.mount
diff --git a/Makefile.am b/Makefile.am
index d2bd340..c0fcd70 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -291,7 +291,6 @@ dist_systemunit_DATA = \
units/dev-mqueue.mount \
units/sys-kernel-config.mount \
units/sys-kernel-debug.mount \
- units/sys-kernel-security.mount \
units/sys-fs-fuse-connections.mount \
units/var-run.mount \
units/media.mount \
@@ -2342,7 +2341,6 @@ systemd-install-data-hook:
dev-mqueue.mount \
sys-kernel-config.mount \
sys-kernel-debug.mount \
- sys-kernel-security.mount \
sys-fs-fuse-connections.mount \
systemd-modules-load.service \
systemd-tmpfiles-setup.service \
@@ -2352,7 +2350,6 @@ systemd-install-data-hook:
$(LN_S) ../dev-mqueue.mount dev-mqueue.mount && \
$(LN_S) ../sys-kernel-config.mount sys-kernel-config.mount && \
$(LN_S) ../sys-kernel-debug.mount sys-kernel-debug.mount && \
- $(LN_S) ../sys-kernel-security.mount sys-kernel-security.mount && \
$(LN_S) ../sys-fs-fuse-connections.mount sys-fs-fuse-connections.mount && \
$(LN_S) ../systemd-modules-load.service systemd-modules-load.service && \
$(LN_S) ../systemd-tmpfiles-setup.service systemd-tmpfiles-setup.service && \
diff --git a/src/mount-setup.c b/src/mount-setup.c
index 7c14ea8..75d5cae 100644
--- a/src/mount-setup.c
+++ b/src/mount-setup.c
@@ -51,13 +51,15 @@ typedef struct MountPoint {
} MountPoint;
/* The first three entries we might need before SELinux is up. The
- * other ones we can delay until SELinux is loaded. */
-#define N_EARLY_MOUNT 3
+ * fourth (securityfs) is needed by IMA to load a custom policy. The
+ * other ones we can delay until SELinux and IMA are loaded. */
+#define N_EARLY_MOUNT 4
static const MountPoint mount_table[] = {
{ "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
{ "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
{ "devtmpfs", "/dev", "devtmpfs", "mode=755", MS_NOSUID, true },
+ { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
{ "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV, true },
{ "devpts", "/dev/pts", "devpts", "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC, false },
{ "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV, true },
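Review bot: the new securityfs entry has its fatal flag set (`true`) and is now inside N_EARLY_MOUNT, so a kernel built without securityfs fails in the early mount pass before anything else runs; the unit this replaces skipped the mount gracefully via ConditionPathExists=/sys/kernel/security. Set the flag to `false`, as agreed later in the thread, and let ima_setup() treat a missing /sys/kernel/security/ima as "IMA disabled", which is the check it already performs.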
diff --git a/units/sys-kernel-security.mount b/units/sys-kernel-security.mount
deleted file mode 100644
index 80cd761..0000000
--- a/units/sys-kernel-security.mount
+++ /dev/null
@@ -1,17 +0,0 @@
-# This file is part of systemd.
-#
-# systemd is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-
-[Unit]
-Description=Security File System
-DefaultDependencies=no
-ConditionPathExists=/sys/kernel/security
-Before=sysinit.target
-
-[Mount]
-What=securityfs
-Where=/sys/kernel/security
-Type=securityfs
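Review bot: removing units/sys-kernel-security.mount also removes a unit name that other units may order against; anything that carries `Requires=sys-kernel-security.mount` will no longer find it, and the `Before=sysinit.target` ordering the unit provided now exists only implicitly because PID 1 mounts securityfs before any unit starts. Worth a sentence in the commit message or NEWS so packagers know the unit name is gone.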
--
1.7.7.6
From: Seiji M. <sei...@gm...> - 2012-03-06 00:29:51
Hi

On Sat, Feb 25, 2012 at 3:57 AM, William Rettig <wr...@tr...> wrote:
> I'd like to know that I can trust the integrity of the boot chain. It looks like
> I will be fine with the 2.6.32 kernel. However, I'm not exactly sure what I
> will have to do to GRUB. It looks to me like I need to build
> TrustedGRUB1.1.5 and follow the guidance on its Wiki. What I don't see
> there is a solid test for the entire boot chain. My TPM 1.2 appears to be
> working with 2.6.32 and tpm-tools fine.

OpenPTS provides a validation of the transitive trust chain, but it has
limitations depending on the BIOS and IPL. Supported configurations are:

- Legacy BIOS + GRUB legacy with GRUB-IMA patch
- Legacy BIOS + tboot (Intel TXT)
- UEFI BIOS + tboot (Intel TXT)

What hardware (vendor, machine type) are you using now?

regards,
--
Seiji
From: Mimi Z. <zo...@li...> - 2012-03-05 18:15:52
On Mon, 2012-03-05 at 17:15 +0100, Roberto Sassu wrote:
> On 03/05/2012 03:39 PM, Lennart Poettering wrote:
> > On Wed, 22.02.12 15:52, Roberto Sassu (rob...@po...) wrote:
> >
> > Heya,
> >
> >> + policy = mmap(NULL, policy_size, PROT_READ, MAP_PRIVATE, policyfd, 0);
> >> + if (policy == MAP_FAILED) {
> >> + log_error("mmap() failed (%m), freezing");
> >> + result = -errno;
> >> + goto out;
> >> + }
> >> +
> >> + while(written< policy_size) {
> >> + ssize_t len = write(imafd, policy + written,
> >> + policy_size - written);
> >> + if (len<= 0) {
> >> + if (errno == EINVAL)
> >> + log_error("Invalid line #%d in the IMA custom policy file %s",
> >> + policy_line_number, IMA_POLICY_PATH);
> >> +
> >> + log_error("Failed to load the IMA custom policy "
> >> + "file %s (%m), ignoring.", IMA_POLICY_PATH);
> >> + goto out_mmap;
> >> + }
> >> + written += len;
> >> + policy_line_number++;
> >
> > I don't understand the counting here of policy_line_number? You attempt
> > to write the whole policy at once, no? How does this counting of line
> > numbers work here then? Or does the write() call on the kernel file
> > actually only accept one line at a time? If that's the case is it really
> > a good idea to rely on that behaviour? Knowing how these things go
> > eventually things might get optimized to read more than one line at once
> > and then the counting here will be off. Maybe it makes sense to drop the
> > counting entirely here?
> >
>
> Hi Lennart
>
> yes, the kernel interface accepts only one line at a time. I implemented
> this code because it is not possible to know from the kernel logs what
> the invalid line is if the policy contains several lines. Indeed, IMA
> sends an audit message for each parsed rule, so that some are dropped
> due to the rate limit of audit.
>
> I agree that it is not a good idea to write code that depends on the
> specific implementation of how the policy loading is handled. So, a
> solution may be to drop the counting code here and to solve the issue
> by allowing IMA to send an audit message only when an invalid rule is
> encountered.
>
> Mimi, do you agree with that?
With the audit log rate limiting, the current method is not very
informative. How about implementing the securityfs 'read' ops to
display the rules? Then, displaying only the invalid rule makes sense.
thanks,
Mimi
From: Roberto S. <rob...@po...> - 2012-03-05 16:45:44
On 03/05/2012 03:39 PM, Lennart Poettering wrote:
> On Wed, 22.02.12 15:52, Roberto Sassu (rob...@po...) wrote:
>
> Heya,
>
>> + policy = mmap(NULL, policy_size, PROT_READ, MAP_PRIVATE, policyfd, 0);
>> + if (policy == MAP_FAILED) {
>> + log_error("mmap() failed (%m), freezing");
>> + result = -errno;
>> + goto out;
>> + }
>> +
>> + while(written< policy_size) {
>> + ssize_t len = write(imafd, policy + written,
>> + policy_size - written);
>> + if (len<= 0) {
>> + if (errno == EINVAL)
>> + log_error("Invalid line #%d in the IMA custom policy file %s",
>> + policy_line_number, IMA_POLICY_PATH);
>> +
>> + log_error("Failed to load the IMA custom policy "
>> + "file %s (%m), ignoring.", IMA_POLICY_PATH);
>> + goto out_mmap;
>> + }
>> + written += len;
>> + policy_line_number++;
>
> I don't understand the counting here of policy_line_number? You attempt
> to write the whole policy at once, no? How does this counting of line
> numbers work here then? Or does the write() call on the kernel file
> actually only accept one line at a time? If that's the case is it really
> a good idea to rely on that behaviour? Knowing how these things go
> eventually things might get optimized to read more than one line at once
> and then the counting here will be off. Maybe it makes sense to drop the
> counting entirely here?
>
Hi Lennart
yes, the kernel interface accepts only one line at a time. I implemented
this code because it is not possible to know from the kernel logs what
the invalid line is if the policy contains several lines. Indeed, IMA
sends an audit message for each parsed rule, so that some are dropped
due to the rate limit of audit.
I agree that it is not a good idea to write code that depends on the
specific implementation of how the policy loading is handled. So, a
solution may be to drop the counting code here and to solve the issue
by allowing IMA to send an audit message only when an invalid rule is
encountered.
Mimi, do you agree with that?
Thanks
Roberto Sassu
> (Something else that gets me thinking: by mmap()ing the source
> file you imply that the policy can never grow beyond 2G or so. I presume
> that's not a problem, right?)
>
> Otherwise looks good.
>
> Lennart
>
From: Lennart P. <le...@po...> - 2012-03-05 14:40:04
On Wed, 22.02.12 15:52, Roberto Sassu (rob...@po...) wrote:
Heya,
> + policy = mmap(NULL, policy_size, PROT_READ, MAP_PRIVATE, policyfd, 0);
> + if (policy == MAP_FAILED) {
> + log_error("mmap() failed (%m), freezing");
> + result = -errno;
> + goto out;
> + }
> +
> + while(written < policy_size) {
> + ssize_t len = write(imafd, policy + written,
> + policy_size - written);
> + if (len <= 0) {
> + if (errno == EINVAL)
> + log_error("Invalid line #%d in the IMA custom policy file %s",
> + policy_line_number, IMA_POLICY_PATH);
> +
> + log_error("Failed to load the IMA custom policy "
> + "file %s (%m), ignoring.", IMA_POLICY_PATH);
> + goto out_mmap;
> + }
> + written += len;
> + policy_line_number++;
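Review bot: the `if (len <= 0)` branch reads errno after a write() that may have returned 0, and write() sets errno only when it returns -1, so both the `errno == EINVAL` test and the `%m` in the second log_error() can report a stale value in that case; test `len < 0` for the errno path and treat 0 as its own error. The loop also does not retry on EINTR, and `policy_line_number` advances once per write() call rather than per newline consumed, so it is only a line number if the kernel takes exactly one line per write, as Lennart notes below. Counting the '\n' bytes inside each accepted `len` would give a correct line number regardless of how much the kernel consumes.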
I don't understand the counting here of policy_line_number? You attempt
to write the whole policy at once, no? How does this counting of line
numbers work here then? Or does the write() call on the kernel file
actually only accept one line at a time? If that's the case is it really
a good idea to rely on that behaviour? Knowing how these things go
eventually things might get optimized to read more than one line at once
and then the counting here will be off. Maybe it makes sense to drop the
counting entirely here?
(Something else that gets me thinking: by mmap()ing the source
file you imply that the policy can never grow beyond 2G or so. I presume
that's not a problem, right?)
Otherwise looks good.
Lennart
--
Lennart Poettering - Red Hat, Inc.
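Roberto's reply above says the kernel interface accepts one rule per write(), and the v1 loader quoted here counted lines per write() call. The following is an added example (not the systemd code or Roberto's patch) of a loader that makes the one-rule-per-write property explicit in user space, so a rejected rule is reported by its line number whatever the kernel consumes per write, and that reads the policy with stdio instead of mmap(), which sidesteps both the empty-file case and the mapping-size point Lennart raises. It assumes the two paths from the thread; the function names and the 4096-byte rule limit are hypothetical.

```c
/* Added example, not systemd's ima_setup(): feed an IMA policy to the kernel
 * one rule per write(2) and report a rejected rule by line number.
 * Function names and the rule-length limit are hypothetical. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define IMA_SECFS_POLICY "/sys/kernel/security/ima/policy"
#define IMA_POLICY_PATH  "/etc/ima/ima-policy"
#define IMA_MAX_RULE     4096   /* longest rule line this loader accepts */

/* Write all of buf[0..len) to fd, retrying on EINTR and short writes.
 * Returns 0 or -errno. A write() that returns 0 leaves errno untouched,
 * so it is reported as -EIO rather than trusting a stale errno. */
static int write_full(int fd, const char *buf, size_t len) {
        while (len > 0) {
                ssize_t n = write(fd, buf, len);
                if (n < 0 && errno == EINTR)
                        continue;
                if (n < 0)
                        return -errno;
                if (n == 0)
                        return -EIO;
                buf += n;
                len -= (size_t) n;
        }
        return 0;
}

/* Read rules from 'in' line by line (stdio, not mmap(): an empty policy file
 * would make mmap() fail with EINVAL, and no mapping-size limit applies) and
 * hand each rule to fd with a single write(). Blank lines and '#' comments
 * are skipped in user space. Returns 0 when every rule was accepted, else
 * the 1-based line number of the rejected rule, with -errno stored in *err. */
int ima_load_policy_stream(FILE *in, int fd, int *err) {
        char line[IMA_MAX_RULE + 2];    /* rule + '\n' + NUL */
        int lineno = 0;

        *err = 0;
        while (fgets(line, sizeof line, in)) {
                size_t n = strlen(line);
                const char *p = line + strspn(line, " \t");
                int r;

                lineno++;
                if (n == 0 || (line[n - 1] != '\n' && !feof(in))) {
                        *err = -EINVAL; /* embedded NUL or rule over IMA_MAX_RULE */
                        return lineno;
                }
                if (*p == '\n' || *p == '\0' || *p == '#')
                        continue;
                r = write_full(fd, line, n);
                if (r < 0) {
                        *err = r;
                        return lineno;
                }
        }
        if (ferror(in)) {
                *err = -EIO;
                return lineno;
        }
        return 0;
}

int main(int argc, char *argv[]) {
        const char *src = argc > 1 ? argv[1] : IMA_POLICY_PATH;
        const char *dst = argc > 2 ? argv[2] : IMA_SECFS_POLICY;
        FILE *in = fopen(src, "r");
        int fd = -1, err, bad;

        if (!in || (fd = open(dst, O_WRONLY)) < 0) {
                perror(!in ? src : dst);
                return 1;
        }
        bad = ima_load_policy_stream(in, fd, &err);
        if (bad)
                fprintf(stderr, "%s: rule on line %d rejected: %s\n",
                        src, bad, strerror(-err));
        else
                printf("loaded %s into %s\n", src, dst);
        close(fd);
        fclose(in);
        return bad ? 1 : 0;
}
```

Run as root with the securityfs path as the second argument; with any other writable target (a pipe, a regular file) it works as a dry run of the splitting and error reporting.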
From: Mimi Z. <zo...@li...> - 2012-03-02 16:30:05
On Wed, 2012-02-22 at 10:45 +1100, m.c...@gm... wrote:
> Hi Mimi,
> Could you please elaborate on the wiki what the ima_appraise options
> actually mean? I can take a guess, but a simple table explaining
> exactly what they are would be useful. Same with the evm options.

Thanks for the suggestions.

> Additionally, the wiki (as I have read it) suggests that measuring is
> enabled and on when the ima_tcb kernel option is given. From what
> you've written on the list, it should be possible to appraise when a
> file is mmapped, opened or executed according to the policy without
> being measured. Can you make this a bit more explicit in the wiki,
> explaining what the measurement options are to enable/disable
> measurement? If this is done via the policy instead of via a kernel
> option, can you adjust that as well (I don't know if there's a policy
> option of appraise only)?

These are all good questions. For IMA measurement, the chain of trust
needs to be there before we access any files, including the measurement
policy; so we require a builtin policy. Is this also necessary for
appraisal? Perhaps, but I'm not sure. It might suffice to provide
dracut, or equivalent, with the measurement/appraisal policy name on the
boot command line.

> You're doing some great work here. While I'm not using IMA for
> attestation, I'm planning on verifying all my configuration files and
> executables. The features you've got ready for the 3.3 merge seem to
> fit exactly what I'm after, but I need to know what to set in kernel
> first. Keep up the good work.

Thank you for your support! Unfortunately, the benefits of the 3.3
features - verifying and appraising files - require IMA-appraisal, which
is still a proposed patch set.

git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity #next-ima-appraisal

For the IMA-appraisal patches to be upstreamed, we most likely need some
additional reviews/Acks. :)

The patches were last posted
http://marc.info/?l=linux-security-module&m=133062939721505&w=2

thanks,
Mimi
|
From: William R. <wr...@tr...> - 2012-02-24 18:59:41
|
Hello,

I'm an IMA novice but am interested to know what it would take to properly configure and test it on CentOS 6.2. I'm not interested in appraisal or EVM at the moment. I'd simply like to be sure that the components of the architecture are properly installed/configured and that all PCRs are correct. To be honest, I'm still unsure of what my definitive guide sources should be. I'd like to know that I can trust the integrity of the boot chain.

It looks like I will be fine with the 2.6.32 kernel. However, I'm not exactly sure what I will have to do to GRUB. It looks to me like I need to build TrustedGRUB 1.1.5 and follow the guidance on its Wiki. What I don't see there is a solid test for the entire boot chain. My TPM 1.2 appears to be working with 2.6.32 and tpm-tools fine.

I am willing to help with testing IMA. Any help is greatly appreciated.

Bill
|
From: Roberto S. <rob...@po...> - 2012-02-22 14:56:43
|
The new function ima_setup() loads an IMA custom policy from a file in the
default location '/etc/ima/ima-policy', if present, and writes it to the
path 'ima/policy' in the security filesystem. This function is executed
at an early stage so that no file operations go unmeasured by IMA, and it
is placed after the initialization of SELinux because IMA needs the latter
(or other security modules) to understand LSM-specific rules. This feature
is disabled by default and can be enabled by providing the option
'--enable-ima' to the configure script.
Signed-off-by: Roberto Sassu <rob...@po...>
Acked-by: Gianluca Ramunno <ra...@po...>
---
Makefile.am | 1 +
configure.ac | 14 ++++++
src/build.h | 8 +++-
src/ima-setup.c | 125 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
src/ima-setup.h | 29 +++++++++++++
src/main.c | 6 ++-
6 files changed, 181 insertions(+), 2 deletions(-)
create mode 100644 src/ima-setup.c
create mode 100644 src/ima-setup.h
diff --git a/Makefile.am b/Makefile.am
index 5a50e15..6e6d79e 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -515,6 +515,7 @@ libsystemd_core_la_SOURCES = \
src/mount-setup.c \
src/hostname-setup.c \
src/selinux-setup.c \
+ src/ima-setup.c \
src/loopback-setup.c \
src/kmod-setup.c \
src/locale-setup.c \
diff --git a/configure.ac b/configure.ac
index 62e8cdf..93d3984 100644
--- a/configure.ac
+++ b/configure.ac
@@ -127,6 +127,19 @@ PKG_CHECK_MODULES(UDEV, [ libudev >= 172 ])
PKG_CHECK_MODULES(DBUS, [ dbus-1 >= 1.3.2 ])
PKG_CHECK_MODULES(KMOD, [ libkmod >= 5 ])
+have_ima=no
+AC_ARG_ENABLE([ima], AS_HELP_STRING([--disable-ima],[Disable optional IMA support]),
+ [case "${enableval}" in
+ yes) have_ima=yes ;;
+ no) have_ima=no ;;
+ *) AC_MSG_ERROR(bad value ${enableval} for --disable-ima) ;;
+ esac],
+ [have_ima=no])
+
+if test "x${have_ima}" != xno ; then
+ AC_DEFINE(HAVE_IMA, 1, [Define if IMA is available])
+fi
+
have_selinux=no
AC_ARG_ENABLE(selinux, AS_HELP_STRING([--disable-selinux], [Disable optional SELINUX support]))
if test "x$enable_selinux" != "xno"; then
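Review bot: the help text and the error message in this hunk describe `--disable-ima`, but `have_ima` defaults to `no` and the commit message says the feature is switched on with `--enable-ima`; change the `AS_HELP_STRING` to `[--enable-ima],[Enable optional IMA support]` and the `AC_MSG_ERROR` text to `--enable-ima`, so `./configure --help` does not advertise disabling something that is already off by default.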
@@ -628,6 +641,7 @@ AC_MSG_RESULT([
tcpwrap: ${have_tcpwrap}
PAM: ${have_pam}
AUDIT: ${have_audit}
+ IMA: ${have_ima}
SELinux: ${have_selinux}
XZ: ${have_xz}
ACL: ${have_acl}
diff --git a/src/build.h b/src/build.h
index 50cd79d..0619013 100644
--- a/src/build.h
+++ b/src/build.h
@@ -46,6 +46,12 @@
#define _SELINUX_FEATURE_ "-SELINUX"
#endif
+#ifdef HAVE_IMA
+#define _IMA_FEATURE_ "+IMA"
+#else
+#define _IMA_FEATURE_ "-IMA"
+#endif
+
#ifdef HAVE_SYSV_COMPAT
#define _SYSVINIT_FEATURE_ "+SYSVINIT"
#else
@@ -58,6 +64,6 @@
#define _LIBCRYPTSETUP_FEATURE_ "-LIBCRYPTSETUP"
#endif
-#define SYSTEMD_FEATURES _PAM_FEATURE_ " " _LIBWRAP_FEATURE_ " " _AUDIT_FEATURE_ " " _SELINUX_FEATURE_ " " _SYSVINIT_FEATURE_ " " _LIBCRYPTSETUP_FEATURE_
+#define SYSTEMD_FEATURES _PAM_FEATURE_ " " _LIBWRAP_FEATURE_ " " _AUDIT_FEATURE_ " " _SELINUX_FEATURE_ " " _IMA_FEATURE_ " " _SYSVINIT_FEATURE_ " " _LIBCRYPTSETUP_FEATURE_
#endif
diff --git a/src/ima-setup.c b/src/ima-setup.c
new file mode 100644
index 0000000..81eb043
--- /dev/null
+++ b/src/ima-setup.c
@@ -0,0 +1,125 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
+/***
+ This file is part of systemd.
+
+ Copyright 2010 Lennart Poettering
+ Copyright (C) 2012 Roberto Sassu - Politecnico di Torino, Italy
+ TORSEC group -- http://security.polito.it
+
+ systemd is free software; you can redistribute it and/or modify it
+ under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ systemd is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+#include <unistd.h>
+#include <stdio.h>
+#include <errno.h>
+#include <string.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <sys/stat.h>
+#include <sys/mman.h>
+
+#include "ima-setup.h"
+#include "mount-setup.h"
+#include "macro.h"
+#include "util.h"
+#include "log.h"
+#include "label.h"
+
+#define IMA_SECFS_DIR "/sys/kernel/security/ima"
+#define IMA_SECFS_POLICY IMA_SECFS_DIR "/policy"
+#define IMA_POLICY_PATH "/etc/ima/ima-policy"
+
+int ima_setup(void) {
+
+#ifdef HAVE_IMA
+ struct stat st;
+ ssize_t policy_size = 0, written = 0;
+ char *policy;
+ int policyfd = -1, imafd = -1;
+ int policy_line_number = 1;
+ int result = 0;
+
+#ifndef HAVE_SELINUX
+ /* Mount the securityfs filesystem */
+ mount_setup_early();
+#endif
+
+ if (stat(IMA_POLICY_PATH, &st) < 0)
+ return 0;
+
+ policy_size = st.st_size;
+ if (stat(IMA_SECFS_DIR, &st) < 0) {
+ log_debug("IMA support is disabled in the kernel, ignoring.");
+ return 0;
+ }
+
+ if (stat(IMA_SECFS_POLICY, &st) < 0) {
+ log_error("Another IMA custom policy has already been loaded, "
+ "ignoring.");
+ return 0;
+ }
+
+ policyfd = open(IMA_POLICY_PATH, O_RDONLY|O_CLOEXEC);
+ if (policyfd < 0) {
+ log_error("Failed to open the IMA custom policy file %s (%m), "
+ "ignoring.", IMA_POLICY_PATH);
+ return 0;
+ }
+
+ imafd = open(IMA_SECFS_POLICY, O_WRONLY|O_CLOEXEC);
+ if (imafd < 0) {
+ log_error("Failed to open the IMA kernel interface %s (%m), "
+ "ignoring.", IMA_SECFS_POLICY);
+ goto out;
+ }
+
+ policy = mmap(NULL, policy_size, PROT_READ, MAP_PRIVATE, policyfd, 0);
+ if (policy == MAP_FAILED) {
+ log_error("mmap() failed (%m), freezing");
+ result = -errno;
+ goto out;
+ }
+
+ while(written < policy_size) {
+ ssize_t len = write(imafd, policy + written,
+ policy_size - written);
+ if (len <= 0) {
+ if (errno == EINVAL)
+ log_error("Invalid line #%d in the IMA custom policy file %s",
+ policy_line_number, IMA_POLICY_PATH);
+
+ log_error("Failed to load the IMA custom policy "
+ "file %s (%m), ignoring.", IMA_POLICY_PATH);
+ goto out_mmap;
+ }
+ written += len;
+ policy_line_number++;
+ }
+
+ log_info("Successfully loaded the IMA custom policy %s.",
+ IMA_POLICY_PATH);
+out_mmap:
+ munmap(policy, policy_size);
+out:
+ if (policyfd >= 0)
+ close_nointr_nofail(policyfd);
+ if (imafd >= 0)
+ close_nointr_nofail(imafd);
+ if (result)
+ return result;
+#endif /* HAVE_IMA */
+
+ return 0;
+}
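Review bot: `mmap()` of a zero-length file fails with EINVAL, and the `mmap()` branch is the only place in `ima_setup()` that sets `result` and hands an error back to `main()`, so an empty `/etc/ima/ima-policy` would stop PID 1 while every other failure here (no IMA in the kernel, unreadable policy, rejected rule) is logged and ignored. Check `policy_size == 0` and return 0 before mapping (or `read()` the file into a buffer instead of mapping it), and take the size with `fstat()` on `policyfd` rather than the separate `stat()` on the path, so size and contents come from the same file.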
diff --git a/src/ima-setup.h b/src/ima-setup.h
new file mode 100644
index 0000000..7d677cf
--- /dev/null
+++ b/src/ima-setup.h
@@ -0,0 +1,29 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
+#ifndef fooimasetuphfoo
+#define fooimasetuphfoo
+
+/***
+ This file is part of systemd.
+
+ Copyright 2010 Lennart Poettering
+ Copyright (C) 2012 Roberto Sassu - Politecnico di Torino, Italy
+ TORSEC group -- http://security.polito.it
+
+ systemd is free software; you can redistribute it and/or modify it
+ under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ systemd is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+int ima_setup(void);
+
+#endif
diff --git a/src/main.c b/src/main.c
index ed317b4..7ae8841 100644
--- a/src/main.c
+++ b/src/main.c
@@ -41,6 +41,7 @@
#include "kmod-setup.h"
#include "locale-setup.h"
#include "selinux-setup.h"
+#include "ima-setup.h"
#include "machine-id-setup.h"
#include "load-fragment.h"
#include "fdset.h"
@@ -1203,9 +1204,12 @@ int main(int argc, char *argv[]) {
arg_running_as = MANAGER_SYSTEM;
log_set_target(detect_container(NULL) > 0 ? LOG_TARGET_CONSOLE : LOG_TARGET_JOURNAL_OR_KMSG);
- if (!is_reexec)
+ if (!is_reexec) {
if (selinux_setup(&loaded_policy) < 0)
goto finish;
+ if (ima_setup() < 0)
+ goto finish;
+ }
log_open();
--
1.7.7.6
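The loading procedure described in the commit message above, as an added example that is not part of the patch or of systemd: it feeds a policy file into the IMA policy interface one rule per write(), treats a missing or empty policy file, a kernel without IMA and a rejected rule as non-fatal, and records the offending line. The sample policy, the scratch paths under /tmp and the helper write_text_file() are constructed for the demo; the production sink is assumed to be /sys/kernel/security/ima/policy.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed sample policy, in the syntax of the kernel's ima_tcb default
 * rules. In PID 1 the sink would be /sys/kernel/security/ima/policy. */
static const char SAMPLE_POLICY[] =
        "# constructed example: skip procfs and binfmt_misc, measure executed/mmapped code\n"
        "dont_measure fsmagic=0x9fa0\n"
        "dont_measure fsmagic=0x62656572\n"
        "\n"
        "measure func=BPRM_CHECK mask=MAY_EXEC\n"
        "measure func=FILE_MMAP mask=MAY_EXEC\n";

typedef struct {
        int rules_loaded;        /* rule lines the sink accepted */
        int bad_line;            /* 1-based line rejected with EINVAL, or 0 */
        const char *skip_reason; /* why loading stopped early, or NULL */
} ImaLoadResult;

/* Feed a policy file into an IMA policy sink one rule per write(): the kernel
 * parses exactly one rule per write() and answers EINVAL for a bad one, which
 * is what makes a reported line number meaningful. Every outcome but memory
 * exhaustion returns 0, so PID 1 keeps booting with a missing or empty policy
 * file, a kernel without IMA (no sink) or a rejected rule; *res says why. */
int ima_load_policy(const char *policy_path, const char *sink_path, ImaLoadResult *res) {
        struct stat st;
        char *buf = NULL, *p, *end;
        size_t len;
        ssize_t n, got = 0;
        int policyfd, sinkfd = -1, lineno = 0, r = 0;
        memset(res, 0, sizeof(*res));
        policyfd = open(policy_path, O_RDONLY | O_CLOEXEC);
        if (policyfd < 0) {
                res->skip_reason = "no custom policy file";
                return 0;
        }
        /* fstat() the open fd, and treat an empty file as "no rules" rather
         * than handing a zero length to mmap(), which fails with EINVAL. */
        if (fstat(policyfd, &st) < 0 || st.st_size == 0) {
                res->skip_reason = "empty policy file";
                goto out;
        }
        if (!(buf = malloc((size_t) st.st_size))) {
                r = -ENOMEM;
                goto out;
        }
        while (got < st.st_size && (n = read(policyfd, buf + got, (size_t) (st.st_size - got))) > 0)
                got += n;               /* short read or error: load what was read */
        if ((sinkfd = open(sink_path, O_WRONLY | O_CLOEXEC)) < 0) {
                res->skip_reason = "policy interface not available";
                goto out;
        }
        for (p = buf, end = buf + got; p < end; p += len) {
                char *nl = memchr(p, '\n', (size_t) (end - p));
                len = nl ? (size_t) (nl - p) + 1 : (size_t) (end - p);
                lineno++;
                if (p[0] == '\n' || p[0] == '#')
                        continue;       /* blank line or comment: no rule to load */
                if (write(sinkfd, p, len) < 0) {
                        /* Rules accepted so far stay loaded; name the culprit and stop. */
                        res->bad_line = errno == EINVAL ? lineno : 0;
                        res->skip_reason = strerror(errno);
                        goto out;
                }
                res->rules_loaded++;
        }
out:
        free(buf);
        if (sinkfd >= 0)
                close(sinkfd);
        close(policyfd);
        return r;
}

/* Helper for the demo and the tests: create or truncate a scratch file. */
int write_text_file(const char *path, const char *text) {
        FILE *f = fopen(path, "w");
        if (!f)
                return -errno;
        return (fputs(text, f) >= 0 && fclose(f) == 0) ? 0 : -EIO;
}

int main(void) {        /* demo on scratch files under /tmp, so it runs unprivileged */
        ImaLoadResult res;
        if (write_text_file("/tmp/ima-demo-policy", SAMPLE_POLICY) < 0 ||
            write_text_file("/tmp/ima-demo-sink", "") < 0)
                return 1;
        ima_load_policy("/tmp/ima-demo-policy", "/tmp/ima-demo-sink", &res);
        if (res.skip_reason)
                printf("policy not loaded: %s (bad line %d)\n", res.skip_reason, res.bad_line);
        else
                printf("loaded %d rule(s)\n", res.rules_loaded); /* prints "loaded 4 rule(s)" */
        return 0;
}
```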
|
|
From: Roberto S. <rob...@po...> - 2012-02-22 14:56:24
|
The mount of the securityfs filesystem is now performed in the main systemd
executable as it is used by IMA to provide the interface for loading custom
policies. The unit file 'units/sys-kernel-security.mount' has been removed
because it is no longer necessary.
Signed-off-by: Roberto Sassu <rob...@po...>
Acked-by: Gianluca Ramunno <ra...@po...>
---
Makefile.am | 3 ---
src/mount-setup.c | 6 ++++--
units/sys-kernel-security.mount | 17 -----------------
3 files changed, 4 insertions(+), 22 deletions(-)
delete mode 100644 units/sys-kernel-security.mount
diff --git a/Makefile.am b/Makefile.am
index ab5000b..5a50e15 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -291,7 +291,6 @@ dist_systemunit_DATA = \
units/dev-mqueue.mount \
units/sys-kernel-config.mount \
units/sys-kernel-debug.mount \
- units/sys-kernel-security.mount \
units/sys-fs-fuse-connections.mount \
units/var-run.mount \
units/media.mount \
@@ -2342,7 +2341,6 @@ systemd-install-data-hook:
dev-mqueue.mount \
sys-kernel-config.mount \
sys-kernel-debug.mount \
- sys-kernel-security.mount \
sys-fs-fuse-connections.mount \
systemd-modules-load.service \
systemd-tmpfiles-setup.service \
@@ -2352,7 +2350,6 @@ systemd-install-data-hook:
$(LN_S) ../dev-mqueue.mount dev-mqueue.mount && \
$(LN_S) ../sys-kernel-config.mount sys-kernel-config.mount && \
$(LN_S) ../sys-kernel-debug.mount sys-kernel-debug.mount && \
- $(LN_S) ../sys-kernel-security.mount sys-kernel-security.mount && \
$(LN_S) ../sys-fs-fuse-connections.mount sys-fs-fuse-connections.mount && \
$(LN_S) ../systemd-modules-load.service systemd-modules-load.service && \
$(LN_S) ../systemd-tmpfiles-setup.service systemd-tmpfiles-setup.service && \
diff --git a/src/mount-setup.c b/src/mount-setup.c
index 7c14ea8..75d5cae 100644
--- a/src/mount-setup.c
+++ b/src/mount-setup.c
@@ -51,13 +51,15 @@ typedef struct MountPoint {
} MountPoint;
/* The first three entries we might need before SELinux is up. The
- * other ones we can delay until SELinux is loaded. */
-#define N_EARLY_MOUNT 3
+ * fourth (securityfs) is needed by IMA to load a custom policy. The
+ * other ones we can delay until SELinux and IMA are loaded. */
+#define N_EARLY_MOUNT 4
static const MountPoint mount_table[] = {
{ "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
{ "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
{ "devtmpfs", "/dev", "devtmpfs", "mode=755", MS_NOSUID, true },
+ { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
{ "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV, true },
{ "devpts", "/dev/pts", "devpts", "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC, false },
{ "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV, true },
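Review bot: the last column of the new `securityfs` entry is `true`, which in this table marks a mount whose failure aborts early boot; a kernel built without securityfs would then stop in `mount_setup_early()`, whereas the `units/sys-kernel-security.mount` unit this series removes guarded itself with `ConditionPathExists=/sys/kernel/security` and was simply skipped. Use `false` here, as the `devpts` entry does: only the optional IMA policy loading depends on this mount, and `ima_setup()` already copes with a missing `/sys/kernel/security/ima`.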
diff --git a/units/sys-kernel-security.mount b/units/sys-kernel-security.mount
deleted file mode 100644
index 80cd761..0000000
--- a/units/sys-kernel-security.mount
+++ /dev/null
@@ -1,17 +0,0 @@
-# This file is part of systemd.
-#
-# systemd is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-
-[Unit]
-Description=Security File System
-DefaultDependencies=no
-ConditionPathExists=/sys/kernel/security
-Before=sysinit.target
-
-[Mount]
-What=securityfs
-Where=/sys/kernel/security
-Type=securityfs
--
1.7.7.6
|
|
From: <m.c...@gm...> - 2012-02-21 23:45:21
|
Subject: Re: [Linux-ima-user] [systemd-devel] [PATCH 2/2] main: added support for loading IMA custom policies

On 22 February 2012 04:54, Mimi Zohar <zo...@li...> wrote:
> Hi Roberto,
>
> The only package we have at the moment is Dmitry Kasatkin's evm-utils
> git://linux-ima.git.sourceforge.net/gitroot/linux-ima/evm-utils used for
> labeling the filesystem with security.evm/security.ima digital
> signatures.
>
> There's still a lot left to do, but we've started updating the linux-ima
> Wiki:
> https://sourceforge.net/apps/mediawiki/linux-ima/index.php?title=Main_Page
>
> thanks,
>
> Mimi

Hi Mimi,
Could you please elaborate on the wiki what the ima_appraise options actually mean? I can take a guess, but a simple table explaining exactly what they are would be useful. Same with the evm options.

Additionally, the wiki (as I have read it) suggests that measuring is enabled and on when the ima_tcb kernel option is given. From what you've written on the list, it should be possible to appraise when a file is mmapped, opened or executed according to the policy without being measured. Can you make this a bit more explicit in the wiki, explaining what the measurement options are to enable/disable measurement? If this is done via the policy instead of via a kernel option, can you adjust that as well (I don't know if there's a policy option of appraise only)?

You're doing some great work here. While I'm not using IMA for attestation, I'm planning on verifying all my configuration files and executables. The features you've got ready for the 3.3 merge seem to fit exactly what I'm after, but I need to know what to set in kernel first. Keep up the good work.

--
Michael Cassaniti
http://mcassaniti.dyndns.org
|
From: Kay S. <kay...@vr...> - 2012-02-21 19:13:05
|
On Tue, Feb 21, 2012 at 19:07, Roberto Sassu <rob...@po...> wrote:
> On 02/21/2012 06:56 PM, Kay Sievers wrote:
> ok, that was because Systemd also checks for the presence of libselinux
> in order to enable the SELinux support.

Yeah, systemd provides a shared lib which we need to link against, hence
the systemd is needed at build time, and needs to be in the buildroot and
we can do the auto-detect here.

If ima will ever need a shared lib or other files at build time, we can
change that.

> I will introduce in the next
> version of the patches only the new configure parameter '--enable_ima'
> without additional checks.

Sounds good. Options are usually all dashes not underscores, you can
check the current ones with ./configure --help.

Thanks,
Kay
|
From: Roberto S. <rob...@po...> - 2012-02-21 18:09:59
|
On 02/21/2012 06:56 PM, Kay Sievers wrote:
> On Tue, Feb 21, 2012 at 18:32, Roberto Sassu<rob...@po...> wrote:
>
>> I meant we can create a new package called for example 'ima-utils'
>> that can be used by Systemd to determine, at compile time, whether
>> the IMA support for loading custom policies should be enabled or not.
>
> That's not needed. There is no problem enabling ima support
> conditionally in ./configure.
>
> Build systems are unlikely to install ima in the buildroot anyway,
> when there is no library or anything to link against, so
> auto-detection is not really useful.
>
> A default to off and requiring an explicit enable sounds sufficient here.
>

Hi Kay

ok, that was because Systemd also checks for the presence of libselinux
in order to enable the SELinux support. I will introduce in the next
version of the patches only the new configure parameter '--enable_ima'
without additional checks.

Thanks

Roberto Sassu

> Kay
|
From: Mimi Z. <zo...@li...> - 2012-02-21 17:58:57
|
Hi Roberto,

The only package we have at the moment is Dmitry Kasatkin's evm-utils
git://linux-ima.git.sourceforge.net/gitroot/linux-ima/evm-utils used for
labeling the filesystem with security.evm/security.ima digital
signatures.

There's still a lot left to do, but we've started updating the linux-ima
Wiki: https://sourceforge.net/apps/mediawiki/linux-ima/index.php?title=Main_Page

thanks,

Mimi
|
From: Kay S. <kay...@vr...> - 2012-02-21 17:56:50
|
On Tue, Feb 21, 2012 at 18:32, Roberto Sassu <rob...@po...> wrote:
> I meant we can create a new package called for example 'ima-utils'
> that can be used by Systemd to determine, at compile time, whether
> the IMA support for loading custom policies should be enabled or not.

That's not needed. There is no problem enabling ima support
conditionally in ./configure.

Build systems are unlikely to install ima in the buildroot anyway,
when there is no library or anything to link against, so
auto-detection is not really useful.

A default to off and requiring an explicit enable sounds sufficient here.

Kay
|
From: Roberto S. <rob...@po...> - 2012-02-21 17:35:24
|
On 02/21/2012 05:15 PM, Mimi Zohar wrote:
> On Tue, 2012-02-21 at 14:58 +0100, Roberto Sassu wrote:
>> Hi Mimi
>>
>> do you intend a patch to reintroduce the 'ima=' kernel parameter for
>> enabling/disabling IMA? If so, I have not actually thought about this
>> but it should be not difficult to implement. Probably we can support
>> these modes:
>
> I'm not sure. There was a lot of complaint way back when. Before
> re-introducing it, I'd prefer to hear from others how they feel.
>

Ok, it is better to wait until this point becomes clear.

>> - disabled: IMA returns immediately to the system call;
>
> Today this is done by booting with a null policy.
>

I think 'disabled' would mean that the hooks implementation should consist
only in an immediate return without the execution of any specific code (in
the IMA case, the function ima_must_measure()). Probably it is a good idea
to allow to completely disable IMA at runtime.

>> - measure_only: IMA performs only measurements and does not return any
>> error to the system call;
>
> Booting with a policy will achieve this result.
>

The purpose of the 'ima=' kernel parameter can be also to select the IMA
features to be enabled at runtime. So, to avoid confusion, we can use it
to disable all features, to enable the measure or appraise capabilities
or both. Then, we can keep the existing 'ima_appraise=' parameter while
defining the values 'permissive' and 'enforcing'.

>> - appraise_permissive: IMA stores measurements in the files extended
>> attribute and in the measurements list but does not return any error
>> to the system call even if the integrity check fails;
>
> IMA and IMA-appraisal are different features and should not be combined.
> Currently, one can be enabled without the other. For example, some may
> only want the measurement list, while others may only want integrity
> enforcement.
>

Maybe both can be useful. For example, the appraise feature allows to
detect if a file has been tampered with while the measurement feature
allows verifiers to determine if the value stored can be considered good
or not.

>> - appraise_enforce: IMA does the same as the previous mode but returns
>> an error to the system call if the integrity check fails.
>
> "ima_appraise= enabled | fix | off" are currently supported.
>
>> Further, we can have a simple user-space package which will contain the
>> documentation about how to write a policy (so that it will be more
>> easy to find in respect to the whole kernel documentation) and a tool
>> that will fix/verify the measurements stored in the files extended
>> attribute.
>>
>> Having a separate user-space package will simplify the interaction for
>> users with the IMA kernel-space portion and will allow to determine
>> whether the IMA support should be enabled in Systemd.
>
> Having a Systemd config file wouldn't change the need for the existing
> boot command line options. None of them can or should go away, since
> IMA must start measuring before any files are accessed, including the
> config and policy files, otherwise the chain of trust would be lost.
>

I meant we can create a new package called for example 'ima-utils' that
can be used by Systemd to determine, at compile time, whether the IMA
support for loading custom policies should be enabled or not.

At runtime, Systemd could inspect the kernel command line looking for
IMA-related parameters (this solution is actually not available) or, as
implemented in my patch, it will only check for the presence of the
policy file in the default location. This file will be measured by the
boot loader, together with the Systemd main executable, to preserve the
chain of trust.

Thanks

Roberto Sassu

> thanks,
>
> Mimi
>
|
From: Mimi Z. <zo...@li...> - 2012-02-21 16:19:55
|
On Tue, 2012-02-21 at 14:58 +0100, Roberto Sassu wrote:
> Hi Mimi
>
> do you intend a patch to reintroduce the 'ima=' kernel parameter for
> enabling/disabling IMA? If so, I have not actually thought about this
> but it should be not difficult to implement. Probably we can support
> these modes:

I'm not sure. There was a lot of complaint way back when. Before
re-introducing it, I'd prefer to hear from others how they feel.

> - disabled: IMA returns immediately to the system call;

Today this is done by booting with a null policy.

> - measure_only: IMA performs only measurements and does not return any
> error to the system call;

Booting with a policy will achieve this result.

> - appraise_permissive: IMA stores measurements in the files extended
> attribute and in the measurements list but does not return any error
> to the system call even if the integrity check fails;

IMA and IMA-appraisal are different features and should not be combined.
Currently, one can be enabled without the other. For example, some may
only want the measurement list, while others may only want integrity
enforcement.

> - appraise_enforce: IMA does the same as the previous mode but returns
> an error to the system call if the integrity check fails.

"ima_appraise= enabled | fix | off" are currently supported.

> Further, we can have a simple user-space package which will contain the
> documentation about how to write a policy (so that it will be more
> easy to find in respect to the whole kernel documentation) and a tool
> that will fix/verify the measurements stored in the files extended
> attribute.
>
> Having a separate user-space package will simplify the interaction for
> users with the IMA kernel-space portion and will allow to determine
> whether the IMA support should be enabled in Systemd.

Having a Systemd config file wouldn't change the need for the existing
boot command line options. None of them can or should go away, since
IMA must start measuring before any files are accessed, including the
config and policy files, otherwise the chain of trust would be lost.

thanks,

Mimi
|
From: Roberto S. <rob...@po...> - 2012-02-21 14:01:18
|
On 02/21/2012 02:01 PM, Mimi Zohar wrote:
> On Tue, 2012-02-21 at 11:05 +0100, Roberto Sassu wrote:
>
>> Ok, this should not be a problem because all errors (IMA support not
>> included in the kernel, policy file access denied, ...) are ignored
>> except for the mmap() failure.
>
> Hi Roberto, IMA should never return an error, only IMA-appraisal should
> enforce file integrity. Can you please show me or send a patch?
>

Hi Mimi

do you intend a patch to reintroduce the 'ima=' kernel parameter for
enabling/disabling IMA? If so, I have not actually thought about this
but it should be not difficult to implement. Probably we can support
these modes:

- disabled: IMA returns immediately to the system call;
- measure_only: IMA performs only measurements and does not return any
  error to the system call;
- appraise_permissive: IMA stores measurements in the files extended
  attribute and in the measurements list but does not return any error
  to the system call even if the integrity check fails;
- appraise_enforce: IMA does the same as the previous mode but returns
  an error to the system call if the integrity check fails.

Further, we can have a simple user-space package which will contain the
documentation about how to write a policy (so that it will be more
easy to find in respect to the whole kernel documentation) and a tool
that will fix/verify the measurements stored in the files extended
attribute.

Having a separate user-space package will simplify the interaction for
users with the IMA kernel-space portion and will allow to determine
whether the IMA support should be enabled in Systemd.

Thanks

Roberto Sassu

> thanks,
>
> Mimi
>
|
From: Mimi Z. <zo...@li...> - 2012-02-21 13:05:59
|
On Tue, 2012-02-21 at 11:05 +0100, Roberto Sassu wrote:
> Ok, this should not be a problem because all errors (IMA support not
> included in the kernel, policy file access denied, ...) are ignored
> except for the mmap() failure.

Hi Roberto, IMA should never return an error, only IMA-appraisal should
enforce file integrity. Can you please show me or send a patch?

thanks,

Mimi
|
From: Mimi Z. <zo...@li...> - 2012-02-21 12:28:25
|
On Mon, 2012-02-20 at 20:18 +0100, Lennart Poettering wrote:
> On Mon, 20.02.12 20:06, Roberto Sassu (rob...@po...) wrote:
>
> > >We moved SELinux loading out of the initrd into systemd, in order to
> > >support fully featured initrd-less boots. I don't think we should reopen
> > >this problem set by having IMA in the initrd. I believe IMA should be
> > >treated pretty much exactly like SELinux here: the policy should be
> > >loaded from PID1 and it needs to be a compile time option, and it needs
> > >a kernel cmdline option to disable it (i.e. like selinux=0).
> > >
> >
> > If the SELinux module in dracut is to be considered definitively broken
> > probably also the IMA module should be removed, because it will not be
> > possible to load policies with LSM rules. But I don't know how this
> > feature can be supported by distributions without Systemd installed.
>
> Well, if the rumours I keep hearing are true Ubuntu might join the
> systemd camp too after their LTS release. Maybe the supporting
> non-systemd systems issues solves itself by that for you?
>
> > Regarding the kernel option, actually there is no specific parameter
> > to disable IMA. However, it can be introduced in the patches proposed
> > by Mimi Zohar about the 'ima-appraisal' feature. This can allow to
> > disable IMA or to put it in permissive/enforce mode as it happens for
> > example in SELinux.
>
> Whether there is a kernel option to enable/disable IMA will not stop
> these patches from getting into systemd. But I am quite sure they will
> stop IMA from getting any wider coverage in the mainstream distributions
> (if you care for that).

Really? The original IMA patch set defined CONFIG_IMA_BOOTPARAM and
CONFIG_IMA_BOOTPARAM_VALUE, but based on the lkml discussion, I removed
support for them. (May 2008) In lieu of a switch to enable/disable IMA,
the default measurement policy is null, so that nothing is measured,
unless 'ima_tcb' is provided on the boot command line.

> Oh, and one more thing: it matters to me that this doesn't break my
> build. So it needs to allow me booting when enabled in configure, but
> without any IMA policy around.
>
> Lennart

Of course IMA should work with/without updating the measurement policy.

thanks,

Mimi
|
From: Roberto S. <rob...@po...> - 2012-02-21 10:08:39
|
On 02/20/2012 08:18 PM, Lennart Poettering wrote:
> On Mon, 20.02.12 20:06, Roberto Sassu (rob...@po...) wrote:
>
>>> We moved SELinux loading out of the initrd into systemd, in order to
>>> support fully featured initrd-less boots. I don't think we should reopen
>>> this problem set by having IMA in the initrd. I believe IMA should be
>>> treated pretty much exactly like SELinux here: the policy should be
>>> loaded from PID1 and it needs to be a compile time option, and it needs
>>> a kernel cmdline option to disable it (i.e. like selinux=0).
>>>
>>
>> If the SELinux module in dracut is to be considered definitively broken
>> probably also the IMA module should be removed, because it will not be
>> possible to load policies with LSM rules. But I don't know how this
>> feature can be supported by distributions without Systemd installed.
>
> Well, if the rumours I keep hearing are true Ubuntu might join the
> systemd camp too after their LTS release. Maybe the supporting
> non-systemd systems issues solves itself by that for you?
>

The code for loading IMA custom policies was placed in the initial
ramdisk with the purpose to avoid distribution specific dependencies.
However, since the SELinux initialization has been moved to Systemd and
Systemd itself will be used by the major distributions, I think placing
the IMA code here is the best solution, even if it is not the most
general.

>> Regarding the kernel option, actually there is no specific parameter
>> to disable IMA. However, it can be introduced in the patches proposed
>> by Mimi Zohar about the 'ima-appraisal' feature. This can allow to
>> disable IMA or to put it in permissive/enforce mode as it happens for
>> example in SELinux.
>
> Whether there is a kernel option to enable/disable IMA will not stop
> these patches from getting into systemd. But I am quite sure they will
> stop IMA from getting any wider coverage in the mainstream distributions
> (if you care for that).
>

Actually, IMA doesn't take any action if the policy is not provided, nor
does it consume additional system resources. Further, in the current
implementation, even if IMA measures files it does not return any error
to the system call being executed.

> Oh, and one more thing: it matters to me that this doesn't break my
> build. So it needs to allow me booting when enabled in configure, but
> without any IMA policy around.
>

Ok, this should not be a problem because all errors (IMA support not
included in the kernel, policy file access denied, ...) are ignored
except for the mmap() failure.

Thanks

Roberto Sassu

> Lennart
>
|
From: Roberto S. <rob...@po...> - 2012-02-21 09:20:53
|
On 02/20/2012 08:07 PM, Lennart Poettering wrote:
> On Mon, 20.02.12 19:36, Roberto Sassu (rob...@po...) wrote:
>
>>
>> On 02/20/2012 06:14 PM, Lennart Poettering wrote:
>>> On Wed, 15.02.12 18:12, Roberto Sassu (rob...@po...) wrote:
>>>
>>>> The location of the policy file is not IMA dependent. I chose that
>>>> because it seemed to me the right place where to put this file.
>>>> So, I can easily modify the location to be distribution independent
>>>> but I don't know which directory would be appropriate.
>>>> Any proposal?
>>>
>>> /etc/ima.conf or /etc/ima/ima.conf sound like obvious candidates.
>>>
>>
>> I prefer the first one, because the second pathname raises the problem
>> of creating a new subdirectory. However, I think we should keep the
>> word 'policy' in the file name to avoid users believing that it is a
>> configuration file.
>
> Creating a subdir is a problem? How so?
>

The problem I see is who creates the subdirectory. In the Systemd case,
I think this should be accomplished in the Makefile or in the RPM script.
Other boot solutions should implement something like that and they need
to create the subdirectory as well. This is because, as said above, there
is no IMA userspace package to perform the operation. However, if the
creation is made by the boot software I think this should not be a
problem.

> You should use a subdir /etc/ima/ if there's the chance that sooner or
> later you might have to add another config file of some sorts to IMA. If
> you are really sure that never happens, then you don't need the dir, but
> if you are in doubt, better use one. (But this is the policy file,
> right? so I figure you might end up with adding a conf file with options
> like selinux' enforcing/permissive later on, so I think you should
> better add a dir)
>

Ok, it is probably better to add a new subdirectory to support additional
IMA configuration files. Maybe Mimi Zohar knows if there are plans to
introduce new files.

> (Oh, and in contrast to what I suggested, if this is the policy file,
> and not a configuration file, the .conf suffix of course makes little sense)
>

So, finally I think we can agree to use '/etc/ima/ima-policy' as pathname
for the IMA custom policy.

Thanks

Roberto Sassu

> Lennart
>