8606404fa5
This patch adds support for digital signature based integrity appraisal. With this patch, 'security.ima' contains either the file data hash or a digital signature of the file data hash. The file data hash provides the security attribute of file integrity. In addition to file integrity, a digital signature provides the security attribute of authenticity. Unlike EVM, when the file metadata changes, the digital signature is replaced with an HMAC, modification of the file data does not cause the 'security.ima' digital signature to be replaced with a hash. As a result, after any modification, subsequent file integrity appraisals would fail. Although digitally signed files can be modified, but by not updating 'security.ima' to reflect these modifications, in essence digitally signed files could be considered 'immutable'. IMA uses a different keyring than EVM. While the EVM keyring should not be updated after initialization and locked, the IMA keyring should allow updating or adding new keys when upgrading or installing packages. Changelog v4: - Change IMA_DIGSIG to hex equivalent Changelog v3: - Permit files without any 'security.ima' xattr to be labeled properly. Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
77 lines
1.9 KiB
C
77 lines
1.9 KiB
C
/*
|
|
* Copyright (C) 2009-2010 IBM Corporation
|
|
*
|
|
* Authors:
|
|
* Mimi Zohar <zohar@us.ibm.com>
|
|
*
|
|
* This program is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU General Public License as
|
|
* published by the Free Software Foundation, version 2 of the
|
|
* License.
|
|
*
|
|
*/
|
|
|
|
#include <linux/types.h>
|
|
#include <linux/integrity.h>
|
|
#include <crypto/sha.h>
|
|
|
|
/* iint cache flags */
|
|
#define IMA_MEASURE 0x01
|
|
#define IMA_MEASURED 0x02
|
|
#define IMA_APPRAISE 0x04
|
|
#define IMA_APPRAISED 0x08
|
|
#define IMA_COLLECTED 0x10
|
|
#define IMA_DIGSIG 0x20
|
|
|
|
enum evm_ima_xattr_type {
|
|
IMA_XATTR_DIGEST = 0x01,
|
|
EVM_XATTR_HMAC,
|
|
EVM_IMA_XATTR_DIGSIG,
|
|
};
|
|
|
|
struct evm_ima_xattr_data {
|
|
u8 type;
|
|
u8 digest[SHA1_DIGEST_SIZE];
|
|
} __attribute__((packed));
|
|
|
|
/* integrity data associated with an inode */
|
|
struct integrity_iint_cache {
|
|
struct rb_node rb_node; /* rooted in integrity_iint_tree */
|
|
struct inode *inode; /* back pointer to inode in question */
|
|
u64 version; /* track inode changes */
|
|
unsigned char flags;
|
|
struct evm_ima_xattr_data ima_xattr;
|
|
enum integrity_status ima_status;
|
|
enum integrity_status evm_status;
|
|
};
|
|
|
|
/* rbtree tree calls to lookup, insert, delete
|
|
* integrity data associated with an inode.
|
|
*/
|
|
struct integrity_iint_cache *integrity_iint_insert(struct inode *inode);
|
|
struct integrity_iint_cache *integrity_iint_find(struct inode *inode);
|
|
|
|
#define INTEGRITY_KEYRING_EVM 0
|
|
#define INTEGRITY_KEYRING_MODULE 1
|
|
#define INTEGRITY_KEYRING_IMA 2
|
|
#define INTEGRITY_KEYRING_MAX 3
|
|
|
|
#ifdef CONFIG_INTEGRITY_SIGNATURE
|
|
|
|
int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
|
|
const char *digest, int digestlen);
|
|
|
|
#else
|
|
|
|
static inline int integrity_digsig_verify(const unsigned int id,
|
|
const char *sig, int siglen,
|
|
const char *digest, int digestlen)
|
|
{
|
|
return -EOPNOTSUPP;
|
|
}
|
|
|
|
#endif /* CONFIG_INTEGRITY_SIGNATURE */
|
|
|
|
/* set during initialization */
|
|
extern int iint_initialized;
|