[v3,01/12] ima: Have the LSM free its audit rule

Message ID	20200709061911.954326-2-tyhicks@linux.microsoft.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <SRS0=TKeG=AU=vger.kernel.org=linux-security-module-owner@kernel.org> From: Tyler Hicks <tyhicks@linux.microsoft.com> To: Mimi Zohar <zohar@linux.ibm.com>, Dmitry Kasatkin <dmitry.kasatkin@gmail.com> Cc: James Morris <jmorris@namei.org>, "Serge E . Hallyn" <serge@hallyn.com>, Lakshmi Ramasubramanian <nramas@linux.microsoft.com>, Prakhar Srivastava <prsriva02@gmail.com>, linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, Janne Karhunen <janne.karhunen@gmail.com>, Casey Schaufler <casey@schaufler-ca.com> Subject: [PATCH v3 01/12] ima: Have the LSM free its audit rule Date: Thu, 9 Jul 2020 01:19:00 -0500 Message-Id: <20200709061911.954326-2-tyhicks@linux.microsoft.com> In-Reply-To: <20200709061911.954326-1-tyhicks@linux.microsoft.com> References: <20200709061911.954326-1-tyhicks@linux.microsoft.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk
Series	ima: Fix rule parsing bugs and extend KEXEC_CMDLINE rule support \| expand [v3,00/12] ima: Fix rule parsing bugs and extend KEXEC_CMDLINE rule support [v3,01/12] ima: Have the LSM free its audit rule [v3,02/12] ima: Free the entire rule when deleting a list of rules [v3,03/12] ima: Free the entire rule if it fails to parse [v3,04/12] ima: Fail rule parsing when buffer hook functions have an invalid action [v3,05/12] ima: Fail rule parsing when the KEXEC_CMDLINE hook is combined with an invalid cond [v3,06/12] ima: Fail rule parsing when the KEY_CHECK hook is combined with an invalid cond [v3,07/12] ima: Fail rule parsing when appraise_flag=blacklist is unsupportable [v3,08/12] ima: Shallow copy the args_p member of ima_rule_entry.lsm elements [v3,09/12] ima: Use correct type for the args_p member of ima_rule_entry.lsm elements [v3,10/12] ima: Move comprehensive rule validation checks out of the token parser [v3,11/12] ima: Use the common function to detect LSM conditionals in a rule [v3,12/12] ima: Support additional conditionals in the KEXEC_CMDLINE hook function

Message ID

20200709061911.954326-2-tyhicks@linux.microsoft.com (mailing list archive)

State

New, archived

Headers

From: Tyler Hicks <tyhicks@linux.microsoft.com>
To: Mimi Zohar <zohar@linux.ibm.com>,
        Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
Cc: James Morris <jmorris@namei.org>,
        "Serge E . Hallyn" <serge@hallyn.com>,
        Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
        Prakhar Srivastava <prsriva02@gmail.com>,
        linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org,
        linux-security-module@vger.kernel.org,
        Janne Karhunen <janne.karhunen@gmail.com>,
        Casey Schaufler <casey@schaufler-ca.com>
Subject: [PATCH v3 01/12] ima: Have the LSM free its audit rule
Date: Thu,  9 Jul 2020 01:19:00 -0500
Message-Id: <20200709061911.954326-2-tyhicks@linux.microsoft.com>
In-Reply-To: <20200709061911.954326-1-tyhicks@linux.microsoft.com>
References: <20200709061911.954326-1-tyhicks@linux.microsoft.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: owner-linux-security-module@vger.kernel.org
Precedence: bulk

Series

ima: Fix rule parsing bugs and extend KEXEC_CMDLINE rule support | expand

Commit Message

Tyler Hicks July 9, 2020, 6:19 a.m. UTC

Ask the LSM to free its audit rule rather than directly calling kfree().
Both AppArmor and SELinux do additional work in their audit_rule_free()
hooks. Fix memory leaks by allowing the LSMs to perform necessary work.

Fixes: b16942455193 ("ima: use the lsm policy update notifier")
Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
Cc: Janne Karhunen <janne.karhunen@gmail.com>
Cc: Casey Schaufler <casey@schaufler-ca.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
---

* v3
  - No change
* v2
  - Fixed build warning by dropping the 'return -EINVAL' from
    the stubbed out security_filter_rule_free() since it has a void
    return type
  - Added Mimi's Reviewed-by
  - Developed a follow-on patch to rename security_filter_rule_*()
    functions, to address Casey's request, but I'll submit it
    independently of this patch series since it is somewhat unrelated

 security/integrity/ima/ima.h        | 5 +++++
 security/integrity/ima/ima_policy.c | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

Comments

Nayna July 17, 2020, 7:20 p.m. UTC | #1

On 7/9/20 2:19 AM, Tyler Hicks wrote:
> Ask the LSM to free its audit rule rather than directly calling kfree().

Is it to be called audit rule or filter rule ?  Likewise in subject line.

Thanks & Regards,

     - Nayna

Tyler Hicks July 17, 2020, 7:24 p.m. UTC | #2

On 2020-07-17 15:20:22, Nayna wrote:
> 
> On 7/9/20 2:19 AM, Tyler Hicks wrote:
> > Ask the LSM to free its audit rule rather than directly calling kfree().
> 
> Is it to be called audit rule or filter rule ?  Likewise in subject line.

The security hooks call this "audit rule" but Mimi explained the
reasoning for IMA referring to this as an "audit filter" here:

 https://lore.kernel.org/lkml/1593466203.5085.62.camel@linux.ibm.com/

I would be fine with her renaming/rewording this patch, accordingly, in
next-integrity-testing.

Tyler

> 
> Thanks & Regards,
> 
>     - Nayna

Mimi Zohar July 19, 2020, 11:02 a.m. UTC | #3

On Fri, 2020-07-17 at 14:24 -0500, Tyler Hicks wrote:
> On 2020-07-17 15:20:22, Nayna wrote:
> > 
> > On 7/9/20 2:19 AM, Tyler Hicks wrote:
> > > Ask the LSM to free its audit rule rather than directly calling kfree().
> > 
> > Is it to be called audit rule or filter rule ?  Likewise in subject line.
> gt
> The security hooks call this "audit rule" but Mimi explained the
> reasoning for IMA referring to this as an "audit filter" here:
> 
>  https://lore.kernel.org/lkml/1593466203.5085.62.camel@linux.ibm.com/
> 
> I would be fine with her renaming/rewording this patch, accordingly, in
> next-integrity-testing.

Both here and "ima: AppArmor satisfies the audit rule requirements",
the subject is AppArmor/LSM, which do refer to the rules as "audit"
rules.  In the "ima: Rename internal audit rule functions" case, the
rule rename is internal to IMA.  Here it makes sense to replace
"audit" with "filter".  Tyler, I've gone ahead and made the change.

Mimi

diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 4515975cc540..59ec28f5c117 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -420,6 +420,7 @@  static inline void ima_free_modsig(struct modsig *modsig)
 #ifdef CONFIG_IMA_LSM_RULES
 
 #define security_filter_rule_init security_audit_rule_init
+#define security_filter_rule_free security_audit_rule_free
 #define security_filter_rule_match security_audit_rule_match
 
 #else
@@ -430,6 +431,10 @@  static inline int security_filter_rule_init(u32 field, u32 op, char *rulestr,
 	return -EINVAL;
 }
 
+static inline void security_filter_rule_free(void *lsmrule)
+{
+}
+
 static inline int security_filter_rule_match(u32 secid, u32 field, u32 op,
 					     void *lsmrule)
 {
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 66aa3e17a888..d7c268c2b0ce 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -258,7 +258,7 @@  static void ima_lsm_free_rule(struct ima_rule_entry *entry)
 	int i;
 
 	for (i = 0; i < MAX_LSM_RULES; i++) {
-		kfree(entry->lsm[i].rule);
+		security_filter_rule_free(entry->lsm[i].rule);
 		kfree(entry->lsm[i].args_p);
 	}
 	kfree(entry);

[v3,01/12] ima: Have the LSM free its audit rule

Commit Message

Comments

Patch