| Message ID | 20200811192621.281675-1-tyhicks@linux.microsoft.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | ima: Fix keyrings race condition and other key related bugs | expand |
Hi Tyler, On Tue, 2020-08-11 at 14:26 -0500, Tyler Hicks wrote: > v2: > - Always return an ERR_PTR from ima_alloc_rule_opt_list() (Nayna) > - Add Lakshmi's Reviewed-by to both patches > - Rebased on commit 3db0d0c276a7 ("integrity: remove redundant > initialization of variable ret") of next-integrity > v1: https://lore.kernel.org/lkml/20200727140831.64251-1-tyhicks@linux.microsoft.com/ > > Nayna pointed out that the "keyrings=" option in an IMA policy rule > should only be accepted when CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS is > enabled: > > https://lore.kernel.org/linux-integrity/336cc947-1f70-0286-6506-6df3d1d23a1d@linux.vnet.ibm.com/ > > While fixing this, the compiler warned me about the potential for the > ima_keyrings pointer to be NULL despite it being used, without a check > for NULL, as the destination address for the strcpy() in > ima_match_keyring(). > > It also became apparent that there was not adequate locking around the > use of the pre-allocated buffer that ima_keyrings points to. The kernel > keyring has a lock (.sem member of struct key) that ensures only one key > can be added to a given keyring at a time but there's no protection > against adding multiple keys to different keyrings at the same time. > > The first patch in this series fixes both ima_keyrings related issues by > parsing the list of keyrings in a KEY_CHECK rule at policy load time > rather than deferring the parsing to policy check time. Once that fix is > in place, the second patch can enforce that > CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS must be enabled in order to use > "func=KEY_CHECK" or "keyrings=" options in IMA policy. Thank you for fixing and cleaning up the existing keyring policy support. > > The new "keyrings=" value handling is done in a generic manner that can > be reused by other options in the future. This seems to make sense as > "appraise_type=" has similar style (though it doesn't need to be fully > parsed at this time) and using "|" as an alternation delimiter is > becoming the norm in IMA policy. Yes, thank you. Better extending existing key value pairs than defining new boot command line options. This patch set is now queued in next-integrity-testing. Mimi
On 2020-08-24 14:44:55, Mimi Zohar wrote: > Hi Tyler, > > On Tue, 2020-08-11 at 14:26 -0500, Tyler Hicks wrote: > > v2: > > - Always return an ERR_PTR from ima_alloc_rule_opt_list() (Nayna) > > - Add Lakshmi's Reviewed-by to both patches > > - Rebased on commit 3db0d0c276a7 ("integrity: remove redundant > > initialization of variable ret") of next-integrity > > v1: https://lore.kernel.org/lkml/20200727140831.64251-1-tyhicks@linux.microsoft.com/ > > > > Nayna pointed out that the "keyrings=" option in an IMA policy rule > > should only be accepted when CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS is > > enabled: > > > > https://lore.kernel.org/linux-integrity/336cc947-1f70-0286-6506-6df3d1d23a1d@linux.vnet.ibm.com/ > > > > While fixing this, the compiler warned me about the potential for the > > ima_keyrings pointer to be NULL despite it being used, without a check > > for NULL, as the destination address for the strcpy() in > > ima_match_keyring(). > > > > It also became apparent that there was not adequate locking around the > > use of the pre-allocated buffer that ima_keyrings points to. The kernel > > keyring has a lock (.sem member of struct key) that ensures only one key > > can be added to a given keyring at a time but there's no protection > > against adding multiple keys to different keyrings at the same time. > > > > The first patch in this series fixes both ima_keyrings related issues by > > parsing the list of keyrings in a KEY_CHECK rule at policy load time > > rather than deferring the parsing to policy check time. Once that fix is > > in place, the second patch can enforce that > > CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS must be enabled in order to use > > "func=KEY_CHECK" or "keyrings=" options in IMA policy. > > Thank you for fixing and cleaning up the existing keyring policy > support. > > > > > The new "keyrings=" value handling is done in a generic manner that can > > be reused by other options in the future. This seems to make sense as > > "appraise_type=" has similar style (though it doesn't need to be fully > > parsed at this time) and using "|" as an alternation delimiter is > > becoming the norm in IMA policy. > > Yes, thank you. Better extending existing key value pairs than > defining new boot command line options. > > This patch set is now queued in next-integrity-testing. Thanks! I'm glad you found it useful. Tyler > > Mimi
On 8/11/20 3:26 PM, Tyler Hicks wrote: > v2: > - Always return an ERR_PTR from ima_alloc_rule_opt_list() (Nayna) > - Add Lakshmi's Reviewed-by to both patches > - Rebased on commit 3db0d0c276a7 ("integrity: remove redundant > initialization of variable ret") of next-integrity > v1: https://lore.kernel.org/lkml/20200727140831.64251-1-tyhicks@linux.microsoft.com/ > > Nayna pointed out that the "keyrings=" option in an IMA policy rule > should only be accepted when CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS is > enabled: > > https://lore.kernel.org/linux-integrity/336cc947-1f70-0286-6506-6df3d1d23a1d@linux.vnet.ibm.com/ > > While fixing this, the compiler warned me about the potential for the > ima_keyrings pointer to be NULL despite it being used, without a check > for NULL, as the destination address for the strcpy() in > ima_match_keyring(). > > It also became apparent that there was not adequate locking around the > use of the pre-allocated buffer that ima_keyrings points to. The kernel > keyring has a lock (.sem member of struct key) that ensures only one key > can be added to a given keyring at a time but there's no protection > against adding multiple keys to different keyrings at the same time. > > The first patch in this series fixes both ima_keyrings related issues by > parsing the list of keyrings in a KEY_CHECK rule at policy load time > rather than deferring the parsing to policy check time. Once that fix is > in place, the second patch can enforce that > CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS must be enabled in order to use > "func=KEY_CHECK" or "keyrings=" options in IMA policy. > > The new "keyrings=" value handling is done in a generic manner that can > be reused by other options in the future. This seems to make sense as > "appraise_type=" has similar style (though it doesn't need to be fully > parsed at this time) and using "|" as an alternation delimiter is > becoming the norm in IMA policy. > > This series is based on commit 311aa6aafea4 ("ima: move > APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime") in > next-integrity. > > Tyler > > Tyler Hicks (2): > ima: Pre-parse the list of keyrings in a KEY_CHECK rule > ima: Fail rule parsing when asymmetric key measurement isn't > supportable > > security/integrity/ima/ima_policy.c | 142 +++++++++++++++++++--------- > 1 file changed, 96 insertions(+), 46 deletions(-) > Sorry for delay in responding. The patches look good. Feel free to add my tag Reviewed-by: Nayna Jain <nayna@linux.ibm.com> Thanks & Regards, - Nayna
v2: - Always return an ERR_PTR from ima_alloc_rule_opt_list() (Nayna) - Add Lakshmi's Reviewed-by to both patches - Rebased on commit 3db0d0c276a7 ("integrity: remove redundant initialization of variable ret") of next-integrity v1: https://lore.kernel.org/lkml/20200727140831.64251-1-tyhicks@linux.microsoft.com/ Nayna pointed out that the "keyrings=" option in an IMA policy rule should only be accepted when CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS is enabled: https://lore.kernel.org/linux-integrity/336cc947-1f70-0286-6506-6df3d1d23a1d@linux.vnet.ibm.com/ While fixing this, the compiler warned me about the potential for the ima_keyrings pointer to be NULL despite it being used, without a check for NULL, as the destination address for the strcpy() in ima_match_keyring(). It also became apparent that there was not adequate locking around the use of the pre-allocated buffer that ima_keyrings points to. The kernel keyring has a lock (.sem member of struct key) that ensures only one key can be added to a given keyring at a time but there's no protection against adding multiple keys to different keyrings at the same time. The first patch in this series fixes both ima_keyrings related issues by parsing the list of keyrings in a KEY_CHECK rule at policy load time rather than deferring the parsing to policy check time. Once that fix is in place, the second patch can enforce that CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS must be enabled in order to use "func=KEY_CHECK" or "keyrings=" options in IMA policy. The new "keyrings=" value handling is done in a generic manner that can be reused by other options in the future. This seems to make sense as "appraise_type=" has similar style (though it doesn't need to be fully parsed at this time) and using "|" as an alternation delimiter is becoming the norm in IMA policy. This series is based on commit 311aa6aafea4 ("ima: move APPRAISE_BOOTPARAM dependency on ARCH_POLICY to runtime") in next-integrity. Tyler Tyler Hicks (2): ima: Pre-parse the list of keyrings in a KEY_CHECK rule ima: Fail rule parsing when asymmetric key measurement isn't supportable security/integrity/ima/ima_policy.c | 142 +++++++++++++++++++--------- 1 file changed, 96 insertions(+), 46 deletions(-)