ima: Check against blacklisted hashes for files with modsig
authorNayna Jain <nayna@linux.ibm.com>
Thu, 31 Oct 2019 03:31:32 +0000 (23:31 -0400)
committerMichael Ellerman <mpe@ellerman.id.au>
Tue, 12 Nov 2019 01:25:50 +0000 (12:25 +1100)
Asymmetric private keys are used to sign multiple files. The kernel
currently supports checking against blacklisted keys. However, if the
public key is blacklisted, any file signed by the blacklisted key will
automatically fail signature verification. Blacklisting the public key
is not fine enough granularity, as we might want to only blacklist a
particular file.

This patch adds support for checking against the blacklisted hash of
the file, without the appended signature, based on the IMA policy. It
defines a new policy option "appraise_flag=check_blacklist".

In addition to the blacklisted binary hashes stored in the firmware
"dbx" variable, the Linux kernel may be configured to load blacklisted
binary hashes onto the .blacklist keyring as well. The following
example shows how to blacklist a specific kernel module hash.

  $ sha256sum kernel/kheaders.ko
  77fa889b35a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3
  kernel/kheaders.ko

  $ grep BLACKLIST .config
  CONFIG_SYSTEM_BLACKLIST_KEYRING=y
  CONFIG_SYSTEM_BLACKLIST_HASH_LIST="blacklist-hash-list"

  $ cat certs/blacklist-hash-list
  "bin:77fa889b35a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3"

Update the IMA custom measurement and appraisal policy
rules (/etc/ima-policy):

  measure func=MODULE_CHECK template=ima-modsig
  appraise func=MODULE_CHECK appraise_flag=check_blacklist
  appraise_type=imasig|modsig

After building, installing, and rebooting the kernel:

   545660333 ---lswrv      0     0   \_ blacklist:
  bin:77fa889b35a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3

  measure func=MODULE_CHECK template=ima-modsig
  appraise func=MODULE_CHECK appraise_flag=check_blacklist
  appraise_type=imasig|modsig

  modprobe: ERROR: could not insert 'kheaders': Permission denied

  10 0c9834db5a0182c1fb0cdc5d3adcf11a11fd83dd ima-sig
  sha256:3bc6ed4f0b4d6e31bc1dbc9ef844605abc7afdc6d81a57d77a1ec9407997c40
  2 /usr/lib/modules/5.4.0-rc3+/kernel/kernel/kheaders.ko

  10 82aad2bcc3fa8ed94762356b5c14838f3bcfa6a0 ima-modsig
  sha256:3bc6ed4f0b4d6e31bc1dbc9ef844605abc7afdc6d81a57d77a1ec9407997c40
  2 /usr/lib/modules/5.4.0rc3+/kernel/kernel/kheaders.ko  sha256:77fa889b3
  5a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3
  3082029a06092a864886f70d010702a082028b30820287020101310d300b0609608648
  016503040201300b06092a864886f70d01070131820264....

  10 25b72217cc1152b44b134ce2cd68f12dfb71acb3 ima-buf
  sha256:8b58427fedcf8f4b20bc8dc007f2e232bf7285d7b93a66476321f9c2a3aa132
  b blacklisted-hash
  77fa889b35a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3

Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
[zohar@linux.ibm.com: updated patch description]
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/1572492694-6520-8-git-send-email-zohar@linux.ibm.com
Documentation/ABI/testing/ima_policy
security/integrity/ima/ima.h
security/integrity/ima/ima_appraise.c
security/integrity/ima/ima_main.c
security/integrity/ima/ima_policy.c
security/integrity/integrity.h

index 29ebe9afdac42c9148b1a54a90f0a92154ee63f5..29aaedf332461cb5256f7fe0d792a179f6cb6b39 100644 (file)
@@ -25,6 +25,7 @@ Description:
                        lsm:    [[subj_user=] [subj_role=] [subj_type=]
                                 [obj_user=] [obj_role=] [obj_type=]]
                        option: [[appraise_type=]] [template=] [permit_directio]
+                               [appraise_flag=]
                base:   func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]
                                [FIRMWARE_CHECK]
                                [KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
@@ -38,6 +39,9 @@ Description:
                        fowner:= decimal value
                lsm:    are LSM specific
                option: appraise_type:= [imasig] [imasig|modsig]
+                       appraise_flag:= [check_blacklist]
+                       Currently, blacklist check is only for files signed with appended
+                       signature.
                        template:= name of a defined IMA template type
                        (eg, ima-ng). Only valid when action is "measure".
                        pcr:= decimal value
index a65772ffa427eed5d0b9c2353cbc9176acb632b7..df4ca482fb53c4893c5c808d238774515e8795b2 100644 (file)
@@ -256,6 +256,8 @@ int ima_policy_show(struct seq_file *m, void *v);
 #define IMA_APPRAISE_KEXEC     0x40
 
 #ifdef CONFIG_IMA_APPRAISE
+int ima_check_blacklist(struct integrity_iint_cache *iint,
+                       const struct modsig *modsig, int pcr);
 int ima_appraise_measurement(enum ima_hooks func,
                             struct integrity_iint_cache *iint,
                             struct file *file, const unsigned char *filename,
@@ -271,6 +273,12 @@ int ima_read_xattr(struct dentry *dentry,
                   struct evm_ima_xattr_data **xattr_value);
 
 #else
+static inline int ima_check_blacklist(struct integrity_iint_cache *iint,
+                                     const struct modsig *modsig, int pcr)
+{
+       return 0;
+}
+
 static inline int ima_appraise_measurement(enum ima_hooks func,
                                           struct integrity_iint_cache *iint,
                                           struct file *file,
index 136ae4e0ee92124c219e9c031060db439f1b4d54..300c8d2943c573e2bd8cb5540656d9b12100aac3 100644 (file)
@@ -12,6 +12,7 @@
 #include <linux/magic.h>
 #include <linux/ima.h>
 #include <linux/evm.h>
+#include <keys/system_keyring.h>
 
 #include "ima.h"
 
@@ -303,6 +304,38 @@ static int modsig_verify(enum ima_hooks func, const struct modsig *modsig,
        return rc;
 }
 
+/*
+ * ima_check_blacklist - determine if the binary is blacklisted.
+ *
+ * Add the hash of the blacklisted binary to the measurement list, based
+ * on policy.
+ *
+ * Returns -EPERM if the hash is blacklisted.
+ */
+int ima_check_blacklist(struct integrity_iint_cache *iint,
+                       const struct modsig *modsig, int pcr)
+{
+       enum hash_algo hash_algo;
+       const u8 *digest = NULL;
+       u32 digestsize = 0;
+       int rc = 0;
+
+       if (!(iint->flags & IMA_CHECK_BLACKLIST))
+               return 0;
+
+       if (iint->flags & IMA_MODSIG_ALLOWED && modsig) {
+               ima_get_modsig_digest(modsig, &hash_algo, &digest, &digestsize);
+
+               rc = is_binary_blacklisted(digest, digestsize);
+               if ((rc == -EPERM) && (iint->flags & IMA_MEASURE))
+                       process_buffer_measurement(digest, digestsize,
+                                                  "blacklisted-hash", NONE,
+                                                  pcr);
+       }
+
+       return rc;
+}
+
 /*
  * ima_appraise_measurement - appraise file measurement
  *
index a26e3ad4e886ccd3cf8ccd53f37776e1b42144bc..d7e987baf127419cfe40288aff333c5b474e29fa 100644 (file)
@@ -335,10 +335,14 @@ static int process_measurement(struct file *file, const struct cred *cred,
                                      xattr_value, xattr_len, modsig, pcr,
                                      template_desc);
        if (rc == 0 && (action & IMA_APPRAISE_SUBMASK)) {
-               inode_lock(inode);
-               rc = ima_appraise_measurement(func, iint, file, pathname,
-                                             xattr_value, xattr_len, modsig);
-               inode_unlock(inode);
+               rc = ima_check_blacklist(iint, modsig, pcr);
+               if (rc != -EPERM) {
+                       inode_lock(inode);
+                       rc = ima_appraise_measurement(func, iint, file,
+                                                     pathname, xattr_value,
+                                                     xattr_len, modsig);
+                       inode_unlock(inode);
+               }
                if (!rc)
                        rc = mmap_violation_check(func, file, &pathbuf,
                                                  &pathname, filename);
index 5380aca2b35181b1c1788bd09f7065539b98a995..f19a895ad7cdf6c9bf24e05ffc6ee394ab3363ab 100644 (file)
@@ -765,8 +765,8 @@ enum {
        Opt_fsuuid, Opt_uid_eq, Opt_euid_eq, Opt_fowner_eq,
        Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt,
        Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt,
-       Opt_appraise_type, Opt_permit_directio,
-       Opt_pcr, Opt_template, Opt_err
+       Opt_appraise_type, Opt_appraise_flag,
+       Opt_permit_directio, Opt_pcr, Opt_template, Opt_err
 };
 
 static const match_table_t policy_tokens = {
@@ -798,6 +798,7 @@ static const match_table_t policy_tokens = {
        {Opt_euid_lt, "euid<%s"},
        {Opt_fowner_lt, "fowner<%s"},
        {Opt_appraise_type, "appraise_type=%s"},
+       {Opt_appraise_flag, "appraise_flag=%s"},
        {Opt_permit_directio, "permit_directio"},
        {Opt_pcr, "pcr=%s"},
        {Opt_template, "template=%s"},
@@ -1172,6 +1173,11 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
                        else
                                result = -EINVAL;
                        break;
+               case Opt_appraise_flag:
+                       ima_log_string(ab, "appraise_flag", args[0].from);
+                       if (strstr(args[0].from, "blacklist"))
+                               entry->flags |= IMA_CHECK_BLACKLIST;
+                       break;
                case Opt_permit_directio:
                        entry->flags |= IMA_PERMIT_DIRECTIO;
                        break;
@@ -1500,6 +1506,8 @@ int ima_policy_show(struct seq_file *m, void *v)
                else
                        seq_puts(m, "appraise_type=imasig ");
        }
+       if (entry->flags & IMA_CHECK_BLACKLIST)
+               seq_puts(m, "appraise_flag=check_blacklist ");
        if (entry->flags & IMA_PERMIT_DIRECTIO)
                seq_puts(m, "permit_directio ");
        rcu_read_unlock();
index d9323d31a3a83c207297ae79d1a568ecf4955643..73fc286834d7bc368914d3f8056da80d80d975bc 100644 (file)
@@ -32,6 +32,7 @@
 #define EVM_IMMUTABLE_DIGSIG   0x08000000
 #define IMA_FAIL_UNVERIFIABLE_SIGS     0x10000000
 #define IMA_MODSIG_ALLOWED     0x20000000
+#define IMA_CHECK_BLACKLIST    0x40000000
 
 #define IMA_DO_MASK            (IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \
                                 IMA_HASH | IMA_APPRAISE_SUBMASK)