Orange Pi5 kernel

Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards

3 Commits   0 Branches   0 Tags
Index
Trunk
Branches
Tags
Trunk
Branches
Tags
Home page
Home page
orangepi/linux-orangepi-5.10.y.git/trunk/Documentation/security/IMA-templates.rst 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  1) =================================
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  2) IMA Template Management Mechanism
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  3) =================================
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  4) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  5) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  6) Introduction
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  7) ============
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  8) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  9) The original ``ima`` template is fixed length, containing the filedata hash
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 10) and pathname. The filedata hash is limited to 20 bytes (md5/sha1).
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 11) The pathname is a null terminated string, limited to 255 characters.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 12) To overcome these limitations and to add additional file metadata, it is
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 13) necessary to extend the current version of IMA by defining additional
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 14) templates. For example, information that could be possibly reported are
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 15) the inode UID/GID or the LSM labels either of the inode and of the process
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 16) that is accessing it.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 17) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 18) However, the main problem to introduce this feature is that, each time
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 19) a new template is defined, the functions that generate and display
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 20) the measurements list would include the code for handling a new format
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 21) and, thus, would significantly grow over the time.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 22) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 23) The proposed solution solves this problem by separating the template
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 24) management from the remaining IMA code. The core of this solution is the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 25) definition of two new data structures: a template descriptor, to determine
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 26) which information should be included in the measurement list; a template
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 27) field, to generate and display data of a given type.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 28) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 29) Managing templates with these structures is very simple. To support
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 30) a new data type, developers define the field identifier and implement
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 31) two functions, init() and show(), respectively to generate and display
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 32) measurement entries. Defining a new template descriptor requires
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 33) specifying the template format (a string of field identifiers separated
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 34) by the ``|`` character) through the ``ima_template_fmt`` kernel command line
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 35) parameter. At boot time, IMA initializes the chosen template descriptor
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 36) by translating the format into an array of template fields structures taken
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 37) from the set of the supported ones.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 38) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 39) After the initialization step, IMA will call ``ima_alloc_init_template()``
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 40) (new function defined within the patches for the new template management
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 41) mechanism) to generate a new measurement entry by using the template
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 42) descriptor chosen through the kernel configuration or through the newly
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 43) introduced ``ima_template`` and ``ima_template_fmt`` kernel command line parameters.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 44) It is during this phase that the advantages of the new architecture are
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 45) clearly shown: the latter function will not contain specific code to handle
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 46) a given template but, instead, it simply calls the ``init()`` method of the template
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 47) fields associated to the chosen template descriptor and store the result
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 48) (pointer to allocated data and data length) in the measurement entry structure.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 49) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 50) The same mechanism is employed to display measurements entries.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 51) The functions ``ima[_ascii]_measurements_show()`` retrieve, for each entry,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 52) the template descriptor used to produce that entry and call the show()
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 53) method for each item of the array of template fields structures.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 54) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 55) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 56) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 57) Supported Template Fields and Descriptors
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 58) =========================================
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 59) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 60) In the following, there is the list of supported template fields
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 61) ``('<identifier>': description)``, that can be used to define new template
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 62) descriptors by adding their identifier to the format string
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 63) (support for more data types will be added later):
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 64) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 65)  - 'd': the digest of the event (i.e. the digest of a measured file),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 66)    calculated with the SHA1 or MD5 hash algorithm;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 67)  - 'n': the name of the event (i.e. the file name), with size up to 255 bytes;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 68)  - 'd-ng': the digest of the event, calculated with an arbitrary hash
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 69)    algorithm (field format: [<hash algo>:]digest, where the digest
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 70)    prefix is shown only if the hash algorithm is not SHA1 or MD5);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 71)  - 'd-modsig': the digest of the event without the appended modsig;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 72)  - 'n-ng': the name of the event, without size limitations;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 73)  - 'sig': the file signature;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 74)  - 'modsig' the appended file signature;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 75)  - 'buf': the buffer data that was used to generate the hash without size limitations;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 76) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 77) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 78) Below, there is the list of defined template descriptors:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 79) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 80)  - "ima": its format is ``d|n``;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 81)  - "ima-ng" (default): its format is ``d-ng|n-ng``;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 82)  - "ima-sig": its format is ``d-ng|n-ng|sig``;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 83)  - "ima-buf": its format is ``d-ng|n-ng|buf``;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 84)  - "ima-modsig": its format is ``d-ng|n-ng|sig|d-modsig|modsig``;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 85) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 86) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 87) Use
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 88) ===
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 89) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 90) To specify the template descriptor to be used to generate measurement entries,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 91) currently the following methods are supported:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 92) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 93)  - select a template descriptor among those supported in the kernel
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 94)    configuration (``ima-ng`` is the default choice);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 95)  - specify a template descriptor name from the kernel command line through
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 96)    the ``ima_template=`` parameter;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 97)  - register a new template descriptor with custom format through the kernel
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 98)    command line parameter ``ima_template_fmt=``.
cGit-ui 0.1.7
Git 2.40.0
Nginx 1.22.1

Where any material of this site is being reproduced, published or issued to others the reference to the source is obligatory.

© Andrey V. Kosteltsev, 2019 – 2025.