[RFC][PATCH 4/4] eCryptfs: added ima_file_check() call to ecryptfs_init_lower_file()

From: Roberto Sassu
Date: Fri Apr 29 2011 - 09:45:03 EST


This patch adds the call to the ima_file_check() function in the eCryptfs
code in order to measure inodes opened in the lower filesystem.

Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxx>
---
Documentation/filesystems/ecryptfs-security.txt | 98 +++++++++++++++++++++++
fs/ecryptfs/main.c | 5 +
2 files changed, 103 insertions(+), 0 deletions(-)
create mode 100644 Documentation/filesystems/ecryptfs-security.txt

diff --git a/Documentation/filesystems/ecryptfs-security.txt b/Documentation/filesystems/ecryptfs-security.txt
new file mode 100644
index 0000000..f923553
--- /dev/null
+++ b/Documentation/filesystems/ecryptfs-security.txt
@@ -0,0 +1,98 @@
+ ECryptfs security considerations
+
+ECryptfs belongs to the class of stacked filesystems, which present an
+interface where data flow, also called upper layer, perform some transformations
+on them and store the result in another filesystem, called lower layer.
+
+Access control is performed on both the upper and the lower layer and depends
+on how the security attributes are assigned to inodes. Since eCryptfs does not
+store extended attributes by itself but relies on the underlying filesystem to
+perform this task, security attributes are the same for both the upper and the
+lower inodes. However, in the SELinux's case, the security policy can be
+configured to assign to upper inodes a static label while lower inodes are
+initialized with the label stored in their extended attributes.
+
+When a process opens an eCryptfs file, the access control mechanism first
+verifies if the request can be satisfied by checking the process's credentials,
+the security attribute of the upper inode and the operation type.
+
+Then, internally, eCryptfs opens the correspondent inode in the lower filesystem
+by providing its own credentials and obtains a file descriptor which is shared
+between processes that concurrently access the upper inode. The credentials
+provided by eCryptfs are the initial credentials built by the function
+prepare_kernel_cred(), which grant root privileges.
+
+Each eCryptfs filesystem may have assigned its own label, in order to identify
+or restrict the actions it can perform, by overriding the initial credentials
+with this additional mount parameter:
+
+ecryptfs_security_ctx="system_u:system_r:ecryptfs_agent_t:s0" (SELinux)
+
+or:
+
+ecryptfs_security_ctx="mylabel" (SMACK)
+
+
+In SELinux, a policy must be defined for the type specified, which contains the
+declaration and the set of required rules. In particular, the type must be
+allowed to access files and directories in the underlying filesystem and shared
+file descriptors must be usable by accessing processes. Below in this file there
+is a sample policy for the type 'ecryptfs_agent_t'.
+
+Further, the process which mounts the eCryptfs filesystem overriding the initial
+credentials requires this permission:
+
+allow unconfined_mount_t ecryptfs_agent_t: kernel_service use_as_override;
+
+
+where 'unconfined_mount_t' is the domain assigned to the mount program executed
+from a root shell.
+
+Before using the mounted filesystem it is possible to specify a policy for IMA,
+in order to measure accessed files. This command must be specified from a root
+shell:
+
+(SELinux)
+echo "measure fowner_type=ecryptfs_agent_t" > /sys/kernel/security/ima/policy
+
+(SMACK)
+echo "measure fowner_user=mylabel" > /sys/kernel/security/ima/policy
+
+
+It is possible to see measurements collected by executing:
+
+cat /sys/kernel/security/ima/ascii_runtime_measurements
+
+
+The following is the source of a SELinux policy module that contains the policy
+for the type 'ecryptfs_agent_t'.
+
+
+------- ecryptfs_agent.te -------
+
+policy_module(ecryptfs_agent, 1.0.0)
+
+gen_require(`
+ attribute file_type;
+ attribute domain;
+ type unconfined_mount_t;
+')
+
+type ecryptfs_agent_t;
+allow ecryptfs_agent_t file_type: file manage_file_perms;
+allow ecryptfs_agent_t file_type: dir manage_dir_perms;
+allow unconfined_mount_t ecryptfs_agent_t: kernel_service use_as_override;
+allow domain ecryptfs_agent_t: fd use;
+role system_r types ecryptfs_agent_t;
+
+---------------------------------
+
+
+Compile the module (instructions for Fedora 14):
+
+make -f /usr/share/selinux/devel/Makefile ecryptfs_agent.pp
+
+
+Load the module:
+
+semodule -i ecryptfs_agent.pp
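Review bot: the sample policy at the end of this hunk is far broader than the surrounding text implies. `allow ecryptfs_agent_t file_type: file manage_file_perms;` together with the matching `dir` rule lets the agent type create, read, write, rename and unlink every file and directory carrying any `file_type` label on the system, and `allow domain ecryptfs_agent_t: fd use;` lets every domain use the shared lower descriptors. If `ecryptfs_security_ctx` is meant to "identify or restrict the actions it can perform", the example should be scoped to the types actually used for the lower filesystem (or the text should state plainly that the module is a permissive starting point to be narrowed per deployment). Smaller wording issues in the same hunk: the opening paragraph ("present an interface where data flow, also called upper layer, perform some transformations on them") does not parse; "correspondent inode" should read "corresponding inode"; and "prepare_kernel_cred(), which grant root privileges" should read "which grants".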
diff --git a/fs/ecryptfs/main.c b/fs/ecryptfs/main.c
index 075634b..8ac7885 100644
--- a/fs/ecryptfs/main.c
+++ b/fs/ecryptfs/main.c
@@ -37,6 +37,7 @@
#include <linux/fs_stack.h>
#include <linux/slab.h>
#include <linux/magic.h>
+#include <linux/ima.h>
#include "ecryptfs_kernel.h"

/**
@@ -141,7 +142,11 @@ static int ecryptfs_init_lower_file(struct dentry *dentry,
"for lower_dentry [0x%p] and lower_mnt [0x%p]; "
"rc = [%d]\n", lower_dentry, lower_mnt, rc);
(*lower_file) = NULL;
+ goto out;
}
+ rc = ima_file_check((*lower_file), IS_RDONLY(lower_dentry->d_inode) ?
+ MAY_READ : MAY_READ | MAY_WRITE);
+out:
return rc;
}

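Review bot: the error path of the new call leaks the lower file. When ima_file_check() returns non-zero, rc is returned but `*lower_file` is left open and non-NULL, unlike the ecryptfs_privileged_open() failure path just above it, which sets `(*lower_file) = NULL` before `goto out`. Suggest adding `if (rc) { fput(*lower_file); *lower_file = NULL; }` before the `out:` label so callers see a consistent state on both failures. Separately, the mask is derived from `IS_RDONLY(lower_dentry->d_inode)`, which tests whether the lower filesystem is mounted read-only rather than how `*lower_file` was actually opened; deriving it from the descriptor itself, e.g. `((*lower_file)->f_mode & FMODE_WRITE) ? MAY_READ | MAY_WRITE : MAY_READ`, ties the measurement decision to the file that will really be used.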
--
1.7.4.4
