[v4,2/6] IMA: conditionally allow empty rule data

Message ID	20200923192011.5293-3-tusharsu@linux.microsoft.com (mailing list archive)
State	Not Applicable, archived
Delegated to:	Mike Snitzer
Headers	show Return-Path: <SRS0=2WxD=DB=redhat.com=dm-devel-bounces@kernel.org> DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org BC7342388A From: Tushar Sugandhi <tusharsu@linux.microsoft.com> To: zohar@linux.ibm.com, stephen.smalley.work@gmail.com, casey@schaufler-ca.com, agk@redhat.com, snitzer@redhat.com, gmazyland@gmail.com Date: Wed, 23 Sep 2020 12:20:07 -0700 Message-Id: <20200923192011.5293-3-tusharsu@linux.microsoft.com> In-Reply-To: <20200923192011.5293-1-tusharsu@linux.microsoft.com> References: <20200923192011.5293-1-tusharsu@linux.microsoft.com> X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection Definition; Similar Internal Domain=false; Similar Monitored External Domain=false; Custom External Domain=false; Mimecast External Domain=false; Newly Observed Domain=false; Internal User Name=false; Custom Display Name List=false; Reply-to Address Mismatch=false; Targeted Threat Dictionary=false; Mimecast Threat Dictionary=false; Custom Threat Dictionary=false Cc: sashal@kernel.org, dm-devel@redhat.com, selinux@vger.kernel.org, jmorris@namei.org, linux-kernel@vger.kernel.org, nramas@linux.microsoft.com, linux-security-module@vger.kernel.org, tyhicks@linux.microsoft.com, linux-integrity@vger.kernel.org Subject: [dm-devel] [PATCH v4 2/6] IMA: conditionally allow empty rule data Precedence: junk MIME-Version: 1.0 Sender: dm-devel-bounces@redhat.com Errors-To: dm-devel-bounces@redhat.com Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit
Series	IMA: Infrastructure for measurement of critical kernel data \| expand [v4,0/6] IMA: Infrastructure for measurement of critical kernel data [v4,1/6] IMA: generalize keyring specific measurement constructs [v4,2/6] IMA: conditionally allow empty rule data [v4,3/6] IMA: update process_buffer_measurement to measure buffer hash [v4,4/6] IMA: add policy to measure critical data from kernel components [v4,5/6] IMA: add hook to measure critical data from kernel components [v4,6/6] IMA: validate supported kernel data sources before measurement

Message ID

20200923192011.5293-3-tusharsu@linux.microsoft.com (mailing list archive)

State

Not Applicable, archived

Delegated to:

Mike Snitzer

Headers

DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org BC7342388A
From: Tushar Sugandhi <tusharsu@linux.microsoft.com>
To: zohar@linux.ibm.com, stephen.smalley.work@gmail.com,
	casey@schaufler-ca.com, agk@redhat.com, snitzer@redhat.com,
	gmazyland@gmail.com
Date: Wed, 23 Sep 2020 12:20:07 -0700
Message-Id: <20200923192011.5293-3-tusharsu@linux.microsoft.com>
In-Reply-To: <20200923192011.5293-1-tusharsu@linux.microsoft.com>
References: <20200923192011.5293-1-tusharsu@linux.microsoft.com>
Cc: sashal@kernel.org, dm-devel@redhat.com, selinux@vger.kernel.org,
	jmorris@namei.org, linux-kernel@vger.kernel.org,
	nramas@linux.microsoft.com, linux-security-module@vger.kernel.org,
	tyhicks@linux.microsoft.com, linux-integrity@vger.kernel.org
Subject: [dm-devel] [PATCH v4 2/6] IMA: conditionally allow empty rule data
Precedence: junk
MIME-Version: 1.0
Sender: dm-devel-bounces@redhat.com
Errors-To: dm-devel-bounces@redhat.com
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Series

IMA: Infrastructure for measurement of critical kernel data | expand

Commit Message

Tushar Sugandhi Sept. 23, 2020, 7:20 p.m. UTC

ima_match_rule_data() permits the func to pass empty func_data.
For instance, for the following func, the func_data keyrings= is
optional.
    measure func=KEY_CHECK keyrings=.ima

But a new func in future may want to constrain the func_data to
be non-empty.  ima_match_rule_data() should support this constraint
and it shouldn't be hard-coded in ima_match_rule_data().

Update ima_match_rule_data() to conditionally allow empty func_data
for the func that needs it.

Signed-off-by: Tushar Sugandhi <tusharsu@linux.microsoft.com>
---
 security/integrity/ima/ima_policy.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

Comments

Mimi Zohar Oct. 22, 2020, 8:38 p.m. UTC | #1

Hi Tushar,

On Wed, 2020-09-23 at 12:20 -0700, Tushar Sugandhi wrote:
> ima_match_rule_data() permits the func to pass empty func_data.
> For instance, for the following func, the func_data keyrings= is
> optional.
>     measure func=KEY_CHECK keyrings=.ima
> 
> But a new func in future may want to constrain the func_data to
> be non-empty.  ima_match_rule_data() should support this constraint
> and it shouldn't be hard-coded in ima_match_rule_data().
> 
> Update ima_match_rule_data() to conditionally allow empty func_data
> for the func that needs it.
> 
> Signed-off-by: Tushar Sugandhi <tusharsu@linux.microsoft.com>

Policy rules may constrain what is measured, but that decision should
be left to the system owner or admin.

Mimi

--
dm-devel mailing list
dm-devel@redhat.com
https://www.redhat.com/mailman/listinfo/dm-devel

Tushar Sugandhi Oct. 23, 2020, 10:39 p.m. UTC | #2

On 2020-10-22 1:38 p.m., Mimi Zohar wrote:
> Hi Tushar,
> 
> On Wed, 2020-09-23 at 12:20 -0700, Tushar Sugandhi wrote:
>> ima_match_rule_data() permits the func to pass empty func_data.
>> For instance, for the following func, the func_data keyrings= is
>> optional.
>>      measure func=KEY_CHECK keyrings=.ima
>>
>> But a new func in future may want to constrain the func_data to
>> be non-empty.  ima_match_rule_data() should support this constraint
>> and it shouldn't be hard-coded in ima_match_rule_data().
>>
>> Update ima_match_rule_data() to conditionally allow empty func_data
>> for the func that needs it.
>>
>> Signed-off-by: Tushar Sugandhi <tusharsu@linux.microsoft.com>
> 
> Policy rules may constrain what is measured, but that decision should
> be left to the system owner or admin.
> 
> Mimi
> 
Agreed. As you mentioned in the patch 5/6 of this series,
I will get rid of this patch.

~Tushar

--
dm-devel mailing list
dm-devel@redhat.com
https://www.redhat.com/mailman/listinfo/dm-devel

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 31a772d8a86b..8866e84d0062 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -456,6 +456,7 @@  int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event,
  * @rule: IMA policy rule
  * @opt_list: rule data to match func_data against
  * @func_data: data to match against the measure rule data
+ * @allow_empty_opt_list: If true matches all func_data
  * @cred: a pointer to a credentials structure for user validation
  *
  * Returns true if func_data matches one in the rule, false otherwise.
@@ -463,6 +464,7 @@  int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event,
 static bool ima_match_rule_data(struct ima_rule_entry *rule,
 				const struct ima_rule_opt_list *opt_list,
 				const char *func_data,
+				bool allow_empty_opt_list,
 				const struct cred *cred)
 {
 	bool matched = false;
@@ -472,7 +474,7 @@  static bool ima_match_rule_data(struct ima_rule_entry *rule,
 		return false;
 
 	if (!opt_list)
-		return true;
+		return allow_empty_opt_list;
 
 	if (!func_data)
 		return false;
@@ -509,7 +511,7 @@  static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
 	if (func == KEY_CHECK) {
 		return (rule->flags & IMA_FUNC) && (rule->func == func) &&
 		       ima_match_rule_data(rule, rule->keyrings, func_data,
-					   cred);
+					   true, cred);
 	}
 	if ((rule->flags & IMA_FUNC) &&
 	    (rule->func != func && func != POST_SETATTR))

[v4,2/6] IMA: conditionally allow empty rule data

Commit Message

Comments

Patch