Message ID | 20201212180251.9943-2-tusharsu@linux.microsoft.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | IMA: support for measuring kernel integrity critical data | expand |
On Sat, 2020-12-12 at 10:02 -0800, Tushar Sugandhi wrote: > > diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c > index 68956e884403..e76ef4bfd0f4 100644 > --- a/security/integrity/ima/ima_main.c > +++ b/security/integrity/ima/ima_main.c > @@ -786,13 +786,13 @@ int ima_post_load_data(char *buf, loff_t size, > * @eventname: event name to be used for the buffer entry. > * @func: IMA hook > * @pcr: pcr to extend the measurement > - * @keyring: keyring name to determine the action to be performed > + * @func_data: private data specific to @func, can be NULL. This can be simplified to "func specific data, may be NULL". Please update in all places. > * > * Based on policy, the buffer is measured into the ima log. > */ > void process_buffer_measurement(struct inode *inode, const void *buf, int size, > const char *eventname, enum ima_hooks func, > - int pcr, const char *keyring) > + int pcr, const char *func_data) > { > int ret = 0; > const char *audit_cause = "ENOMEM"; > @@ -831,7 +831,7 @@ void process_buffer_measurement(struct inode *inode, const void *buf, int size, > if (func) { > security_task_getsecid(current, &secid); > action = ima_get_action(inode, current_cred(), secid, 0, func, > - &pcr, &template, keyring); > + &pcr, &template, func_data); > if (!(action & IMA_MEASURE)) > return; > } > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c > index 823a0c1379cb..a09d1a41a290 100644 > --- a/security/integrity/ima/ima_policy.c > +++ b/security/integrity/ima/ima_policy.c > @@ -453,30 +453,41 @@ int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event, > } > > /** > - * ima_match_keyring - determine whether the keyring matches the measure rule > - * @rule: a pointer to a rule > - * @keyring: name of the keyring to match against the measure rule > + * ima_match_rule_data - determine whether the given func_data matches > + * the measure rule data After the function_name is a brief description of the function, which should not span multiple lines. Refer to Documentation/doc- guide/kernel-doc.rst for details. Please trim the function description to: determine whether func_data matches the policy rule > + * @rule: IMA policy rule This patch should be limited to renaming "keyring" to "func_data". It shouldn't make other changes, even simple ones like this. > + * @func_data: data to match against the measure rule data > * @cred: a pointer to a credentials structure for user validation > * > - * Returns true if keyring matches one in the rule, false otherwise. > + * Returns true if func_data matches one in the rule, false otherwise. > */ > -static bool ima_match_keyring(struct ima_rule_entry *rule, > - const char *keyring, const struct cred *cred) > +static bool ima_match_rule_data(struct ima_rule_entry *rule, > + const char *func_data, > + const struct cred *cred) > { > + const struct ima_rule_opt_list *opt_list = NULL; > bool matched = false; > size_t i; > > if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) > return false; > > - if (!rule->keyrings) > - return true; > + switch (rule->func) { > + case KEY_CHECK: > + if (!rule->keyrings) > + return true; > + > + opt_list = rule->keyrings; > + break; > + default: > + return false; > + } > > - if (!keyring) > + if (!func_data) > return false; > > - for (i = 0; i < rule->keyrings->count; i++) { > - if (!strcmp(rule->keyrings->items[i], keyring)) { > + for (i = 0; i < opt_list->count; i++) { > + if (!strcmp(opt_list->items[i], func_data)) { > matched = true; > break; > } > @@ -493,20 +504,20 @@ static bool ima_match_keyring(struct ima_rule_entry *rule, > * @secid: the secid of the task to be validated > * @func: LIM hook identifier > * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) > - * @keyring: keyring name to check in policy for KEY_CHECK func > + * @func_data: private data specific to @func, can be NULL. Update as previously suggested. > * > * Returns true on rule match, false on failure. > */ > static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, > const struct cred *cred, u32 secid, > enum ima_hooks func, int mask, > - const char *keyring) > + const char *func_data) > { > int i; > > if (func == KEY_CHECK) { > return (rule->flags & IMA_FUNC) && (rule->func == func) && > - ima_match_keyring(rule, keyring, cred); > + ima_match_rule_data(rule, func_data, cred); > } > if ((rule->flags & IMA_FUNC) && > (rule->func != func && func != POST_SETATTR)) > @@ -610,8 +621,7 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) > * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) > * @pcr: set the pcr to extend > * @template_desc: the template that should be used for this rule > - * @keyring: the keyring name, if given, to be used to check in the policy. > - * keyring can be NULL if func is anything other than KEY_CHECK. > + * @func_data: private data specific to @func, can be NULL. And again here. thanks, Mimi
Hello Mimi, Sorry for the late response. I was on vacation last week. On 2020-12-24 5:06 a.m., Mimi Zohar wrote: > On Sat, 2020-12-12 at 10:02 -0800, Tushar Sugandhi wrote: >> >> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c >> index 68956e884403..e76ef4bfd0f4 100644 >> --- a/security/integrity/ima/ima_main.c >> +++ b/security/integrity/ima/ima_main.c >> @@ -786,13 +786,13 @@ int ima_post_load_data(char *buf, loff_t size, >> * @eventname: event name to be used for the buffer entry. >> * @func: IMA hook >> * @pcr: pcr to extend the measurement >> - * @keyring: keyring name to determine the action to be performed >> + * @func_data: private data specific to @func, can be NULL. > > This can be simplified to "func specific data, may be NULL". Please > update in all places. > Ok, will do. >> * >> * Based on policy, the buffer is measured into the ima log. >> */ >> void process_buffer_measurement(struct inode *inode, const void *buf, int size, >> const char *eventname, enum ima_hooks func, >> - int pcr, const char *keyring) >> + int pcr, const char *func_data) >> { >> int ret = 0; >> const char *audit_cause = "ENOMEM"; >> @@ -831,7 +831,7 @@ void process_buffer_measurement(struct inode *inode, const void *buf, int size, >> if (func) { >> security_task_getsecid(current, &secid); >> action = ima_get_action(inode, current_cred(), secid, 0, func, >> - &pcr, &template, keyring); >> + &pcr, &template, func_data); >> if (!(action & IMA_MEASURE)) >> return; >> } >> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c >> index 823a0c1379cb..a09d1a41a290 100644 >> --- a/security/integrity/ima/ima_policy.c >> +++ b/security/integrity/ima/ima_policy.c >> @@ -453,30 +453,41 @@ int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event, >> } >> >> /** >> - * ima_match_keyring - determine whether the keyring matches the measure rule >> - * @rule: a pointer to a rule >> - * @keyring: name of the keyring to match against the measure rule >> + * ima_match_rule_data - determine whether the given func_data matches >> + * the measure rule data > > After the function_name is a brief description of the function, which > should not span multiple lines. Refer to Documentation/doc- > guide/kernel-doc.rst for details. > > Please trim the function description to: > determine whether func_data matches the policy rule > Thanks, will do. >> + * @rule: IMA policy rule > > This patch should be limited to renaming "keyring" to "func_data". It > shouldn't make other changes, even simple ones like this. > Agreed. I will revert the rule description to the old one. >> + * @func_data: data to match against the measure rule data >> * @cred: a pointer to a credentials structure for user validation >> * >> - * Returns true if keyring matches one in the rule, false otherwise. >> + * Returns true if func_data matches one in the rule, false otherwise. >> */ >> -static bool ima_match_keyring(struct ima_rule_entry *rule, >> - const char *keyring, const struct cred *cred) >> +static bool ima_match_rule_data(struct ima_rule_entry *rule, >> + const char *func_data, >> + const struct cred *cred) >> { >> + const struct ima_rule_opt_list *opt_list = NULL; >> bool matched = false; >> size_t i; >> >> if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) >> return false; >> >> - if (!rule->keyrings) >> - return true; >> + switch (rule->func) { >> + case KEY_CHECK: >> + if (!rule->keyrings) >> + return true; >> + >> + opt_list = rule->keyrings; >> + break; >> + default: >> + return false; >> + } >> >> - if (!keyring) >> + if (!func_data) >> return false; >> >> - for (i = 0; i < rule->keyrings->count; i++) { >> - if (!strcmp(rule->keyrings->items[i], keyring)) { >> + for (i = 0; i < opt_list->count; i++) { >> + if (!strcmp(opt_list->items[i], func_data)) { >> matched = true; >> break; >> } >> @@ -493,20 +504,20 @@ static bool ima_match_keyring(struct ima_rule_entry *rule, >> * @secid: the secid of the task to be validated >> * @func: LIM hook identifier >> * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) >> - * @keyring: keyring name to check in policy for KEY_CHECK func >> + * @func_data: private data specific to @func, can be NULL. > > Update as previously suggested. > Yes. >> * >> * Returns true on rule match, false on failure. >> */ >> static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, >> const struct cred *cred, u32 secid, >> enum ima_hooks func, int mask, >> - const char *keyring) >> + const char *func_data) >> { >> int i; >> >> if (func == KEY_CHECK) { >> return (rule->flags & IMA_FUNC) && (rule->func == func) && >> - ima_match_keyring(rule, keyring, cred); >> + ima_match_rule_data(rule, func_data, cred); >> } >> if ((rule->flags & IMA_FUNC) && >> (rule->func != func && func != POST_SETATTR)) >> @@ -610,8 +621,7 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) >> * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) >> * @pcr: set the pcr to extend >> * @template_desc: the template that should be used for this rule >> - * @keyring: the keyring name, if given, to be used to check in the policy. >> - * keyring can be NULL if func is anything other than KEY_CHECK. >> + * @func_data: private data specific to @func, can be NULL. > > And again here. > Yes. > thanks, > > Mimi > Thanks, Tushar
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 8e8b1e3cb847..e5622ce8cbb1 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -256,7 +256,7 @@ static inline void ima_process_queued_keys(void) {} int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid, int mask, enum ima_hooks func, int *pcr, struct ima_template_desc **template_desc, - const char *keyring); + const char *func_data); int ima_must_measure(struct inode *inode, int mask, enum ima_hooks func); int ima_collect_measurement(struct integrity_iint_cache *iint, struct file *file, void *buf, loff_t size, @@ -268,7 +268,7 @@ void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file, struct ima_template_desc *template_desc); void process_buffer_measurement(struct inode *inode, const void *buf, int size, const char *eventname, enum ima_hooks func, - int pcr, const char *keyring); + int pcr, const char *func_data); void ima_audit_measurement(struct integrity_iint_cache *iint, const unsigned char *filename); int ima_alloc_init_template(struct ima_event_data *event_data, @@ -284,7 +284,7 @@ const char *ima_d_path(const struct path *path, char **pathbuf, char *filename); int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid, enum ima_hooks func, int mask, int flags, int *pcr, struct ima_template_desc **template_desc, - const char *keyring); + const char *func_data); void ima_init_policy(void); void ima_update_policy(void); void ima_update_policy_flag(void); diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index 4f39fb93f278..af218babd198 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -170,7 +170,7 @@ void ima_add_violation(struct file *file, const unsigned char *filename, * @func: caller identifier * @pcr: pointer filled in if matched measure policy sets pcr= * @template_desc: pointer filled in if matched measure policy sets template= - * @keyring: keyring name used to determine the action + * @func_data: private data specific to @func, can be NULL. * * The policy is defined in terms of keypairs: * subj=, obj=, type=, func=, mask=, fsmagic= @@ -186,14 +186,14 @@ void ima_add_violation(struct file *file, const unsigned char *filename, int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid, int mask, enum ima_hooks func, int *pcr, struct ima_template_desc **template_desc, - const char *keyring) + const char *func_data) { int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE | IMA_HASH; flags &= ima_policy_flag; return ima_match_policy(inode, cred, secid, func, mask, flags, pcr, - template_desc, keyring); + template_desc, func_data); } /* diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 68956e884403..e76ef4bfd0f4 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -786,13 +786,13 @@ int ima_post_load_data(char *buf, loff_t size, * @eventname: event name to be used for the buffer entry. * @func: IMA hook * @pcr: pcr to extend the measurement - * @keyring: keyring name to determine the action to be performed + * @func_data: private data specific to @func, can be NULL. * * Based on policy, the buffer is measured into the ima log. */ void process_buffer_measurement(struct inode *inode, const void *buf, int size, const char *eventname, enum ima_hooks func, - int pcr, const char *keyring) + int pcr, const char *func_data) { int ret = 0; const char *audit_cause = "ENOMEM"; @@ -831,7 +831,7 @@ void process_buffer_measurement(struct inode *inode, const void *buf, int size, if (func) { security_task_getsecid(current, &secid); action = ima_get_action(inode, current_cred(), secid, 0, func, - &pcr, &template, keyring); + &pcr, &template, func_data); if (!(action & IMA_MEASURE)) return; } diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 823a0c1379cb..a09d1a41a290 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -453,30 +453,41 @@ int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event, } /** - * ima_match_keyring - determine whether the keyring matches the measure rule - * @rule: a pointer to a rule - * @keyring: name of the keyring to match against the measure rule + * ima_match_rule_data - determine whether the given func_data matches + * the measure rule data + * @rule: IMA policy rule + * @func_data: data to match against the measure rule data * @cred: a pointer to a credentials structure for user validation * - * Returns true if keyring matches one in the rule, false otherwise. + * Returns true if func_data matches one in the rule, false otherwise. */ -static bool ima_match_keyring(struct ima_rule_entry *rule, - const char *keyring, const struct cred *cred) +static bool ima_match_rule_data(struct ima_rule_entry *rule, + const char *func_data, + const struct cred *cred) { + const struct ima_rule_opt_list *opt_list = NULL; bool matched = false; size_t i; if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) return false; - if (!rule->keyrings) - return true; + switch (rule->func) { + case KEY_CHECK: + if (!rule->keyrings) + return true; + + opt_list = rule->keyrings; + break; + default: + return false; + } - if (!keyring) + if (!func_data) return false; - for (i = 0; i < rule->keyrings->count; i++) { - if (!strcmp(rule->keyrings->items[i], keyring)) { + for (i = 0; i < opt_list->count; i++) { + if (!strcmp(opt_list->items[i], func_data)) { matched = true; break; } @@ -493,20 +504,20 @@ static bool ima_match_keyring(struct ima_rule_entry *rule, * @secid: the secid of the task to be validated * @func: LIM hook identifier * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) - * @keyring: keyring name to check in policy for KEY_CHECK func + * @func_data: private data specific to @func, can be NULL. * * Returns true on rule match, false on failure. */ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, const struct cred *cred, u32 secid, enum ima_hooks func, int mask, - const char *keyring) + const char *func_data) { int i; if (func == KEY_CHECK) { return (rule->flags & IMA_FUNC) && (rule->func == func) && - ima_match_keyring(rule, keyring, cred); + ima_match_rule_data(rule, func_data, cred); } if ((rule->flags & IMA_FUNC) && (rule->func != func && func != POST_SETATTR)) @@ -610,8 +621,7 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) * @pcr: set the pcr to extend * @template_desc: the template that should be used for this rule - * @keyring: the keyring name, if given, to be used to check in the policy. - * keyring can be NULL if func is anything other than KEY_CHECK. + * @func_data: private data specific to @func, can be NULL. * * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type) * conditions. @@ -623,7 +633,7 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid, enum ima_hooks func, int mask, int flags, int *pcr, struct ima_template_desc **template_desc, - const char *keyring) + const char *func_data) { struct ima_rule_entry *entry; int action = 0, actmask = flags | (flags << 1); @@ -638,7 +648,7 @@ int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid, continue; if (!ima_match_rules(entry, inode, cred, secid, func, mask, - keyring)) + func_data)) continue; action |= entry->flags & IMA_ACTION_FLAGS;