From patchwork Tue Jul 14 18:16:38 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= X-Patchwork-Id: 11663337 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 3867913B1 for ; Tue, 14 Jul 2020 18:26:21 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 2976322838 for ; Tue, 14 Jul 2020 18:26:21 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728364AbgGNS0U (ORCPT ); Tue, 14 Jul 2020 14:26:20 -0400 Received: from smtp-190a.mail.infomaniak.ch ([185.125.25.10]:34293 "EHLO smtp-190a.mail.infomaniak.ch" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728117AbgGNS0U (ORCPT ); Tue, 14 Jul 2020 14:26:20 -0400 Received: from smtp-3-0000.mail.infomaniak.ch (unknown [10.4.36.107]) by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4B5pd63Mp5zlhfRJ; Tue, 14 Jul 2020 20:16:58 +0200 (CEST) Received: from localhost (unknown [94.23.54.103]) by smtp-3-0000.mail.infomaniak.ch (Postfix) with ESMTPA id 4B5pd573ZLzlh8T2; Tue, 14 Jul 2020 20:16:57 +0200 (CEST) From: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= To: linux-kernel@vger.kernel.org Cc: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Aleksa Sarai , Alexei Starovoitov , Al Viro , Andrew Morton , Andy Lutomirski , Christian Brauner , Christian Heimes , Daniel Borkmann , Deven Bowers , Dmitry Vyukov , Eric Biggers , Eric Chiang , Florian Weimer , James Morris , Jan Kara , Jann Horn , Jonathan Corbet , Kees Cook , Lakshmi Ramasubramanian , Matthew Garrett , Matthew Wilcox , Michael Kerrisk , =?utf-8?q?Micka=C3=ABl_Sala=C3=BC?= =?utf-8?q?n?= , Mimi Zohar , =?utf-8?q?Philippe_Tr=C3=A9buchet?= , Scott Shell , Sean Christopherson , Shuah Khan , Steve Dower , Steve Grubb , Tetsuo Handa , Thibaut Sautereau , Vincent Strubel , kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org Subject: [PATCH v6 7/7] ima: add policy support for the new file open MAY_OPENEXEC flag Date: Tue, 14 Jul 2020 20:16:38 +0200 Message-Id: <20200714181638.45751-8-mic@digikod.net> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20200714181638.45751-1-mic@digikod.net> References: <20200714181638.45751-1-mic@digikod.net> MIME-Version: 1.0 X-Antivirus: Dr.Web (R) for Unix mail servers drweb plugin ver.6.0.2.8 X-Antivirus-Code: 0x100000 Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org From: Mimi Zohar The kernel has no way of differentiating between a file containing data or code being opened by an interpreter. The proposed O_MAYEXEC openat2(2) flag bridges this gap by defining and enabling the MAY_OPENEXEC flag. This patch adds IMA policy support for the new MAY_OPENEXEC flag. Example: measure func=FILE_CHECK mask=^MAY_OPENEXEC appraise func=FILE_CHECK appraise_type=imasig mask=^MAY_OPENEXEC Signed-off-by: Mimi Zohar Reviewed-by: Lakshmi Ramasubramanian Acked-by: Mickaël Salaün Link: https://lore.kernel.org/r/1588167523-7866-3-git-send-email-zohar@linux.ibm.com --- Documentation/ABI/testing/ima_policy | 2 +- security/integrity/ima/ima_main.c | 3 ++- security/integrity/ima/ima_policy.c | 15 +++++++++++---- 3 files changed, 14 insertions(+), 6 deletions(-) diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy index cd572912c593..caca46125fe0 100644 --- a/Documentation/ABI/testing/ima_policy +++ b/Documentation/ABI/testing/ima_policy @@ -31,7 +31,7 @@ Description: [KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK] [KEXEC_CMDLINE] [KEY_CHECK] mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND] - [[^]MAY_EXEC] + [[^]MAY_EXEC] [[^]MAY_OPENEXEC] fsmagic:= hex value fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6) uid:= decimal value diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index c1583d98c5e5..59fd1658a203 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -490,7 +490,8 @@ int ima_file_check(struct file *file, int mask) security_task_getsecid(current, &secid); return process_measurement(file, current_cred(), secid, NULL, 0, - mask & (MAY_READ | MAY_WRITE | MAY_EXEC | + mask & (MAY_READ | MAY_WRITE | + MAY_EXEC | MAY_OPENEXEC | MAY_APPEND), FILE_CHECK); } EXPORT_SYMBOL_GPL(ima_file_check); diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index e493063a3c34..6487f0b2afdd 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -406,7 +406,8 @@ static bool ima_match_keyring(struct ima_rule_entry *rule, * @cred: a pointer to a credentials structure for user validation * @secid: the secid of the task to be validated * @func: LIM hook identifier - * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) + * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC | + * MAY_OPENEXEC) * @keyring: keyring name to check in policy for KEY_CHECK func * * Returns true on rule match, false on failure. @@ -527,7 +528,8 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) * being made * @secid: LSM secid of the task to be validated * @func: IMA hook identifier - * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) + * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC | + * MAY_OPENEXEC) * @pcr: set the pcr to extend * @template_desc: the template that should be used for this rule * @keyring: the keyring name, if given, to be used to check in the policy. @@ -1091,6 +1093,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) entry->mask = MAY_READ; else if (strcmp(from, "MAY_APPEND") == 0) entry->mask = MAY_APPEND; + else if (strcmp(from, "MAY_OPENEXEC") == 0) + entry->mask = MAY_OPENEXEC; else result = -EINVAL; if (!result) @@ -1422,14 +1426,15 @@ const char *const func_tokens[] = { #ifdef CONFIG_IMA_READ_POLICY enum { - mask_exec = 0, mask_write, mask_read, mask_append + mask_exec = 0, mask_write, mask_read, mask_append, mask_openexec }; static const char *const mask_tokens[] = { "^MAY_EXEC", "^MAY_WRITE", "^MAY_READ", - "^MAY_APPEND" + "^MAY_APPEND", + "^MAY_OPENEXEC" }; void *ima_policy_start(struct seq_file *m, loff_t *pos) @@ -1518,6 +1523,8 @@ int ima_policy_show(struct seq_file *m, void *v) seq_printf(m, pt(Opt_mask), mt(mask_read) + offset); if (entry->mask & MAY_APPEND) seq_printf(m, pt(Opt_mask), mt(mask_append) + offset); + if (entry->mask & MAY_OPENEXEC) + seq_printf(m, pt(Opt_mask), mt(mask_openexec) + offset); seq_puts(m, " "); }