From patchwork Thu Oct 13 22:36:46 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 13006511 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id AA89CC4332F for ; Thu, 13 Oct 2022 22:37:01 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229696AbiJMWhA (ORCPT ); Thu, 13 Oct 2022 18:37:00 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43394 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229526AbiJMWg7 (ORCPT ); Thu, 13 Oct 2022 18:36:59 -0400 Received: from mail-pl1-x630.google.com (mail-pl1-x630.google.com [IPv6:2607:f8b0:4864:20::630]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 808A4BA938 for ; Thu, 13 Oct 2022 15:36:57 -0700 (PDT) Received: by mail-pl1-x630.google.com with SMTP id c24so3121871plo.3 for ; Thu, 13 Oct 2022 15:36:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=eKnBh/rdccA0d/5kVDkVm6ZffK/rrsQm1/mENkeAGwY=; b=MRwg26DsZVrrk+VGAgo/rSdkC/qC7KiEipRVjOFTuBqV9YnpOxXq7E9su5tYXVzB5g nYaDzinYZhQP2TEUi4jYSOCbNfOziDti66Jt/gbuqcSNDZW1aI5wNfEX4pS1AlWJoAkB n3TZsGwPtpDgaZdB04jwByap6i2mjq1+rmKSE= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=eKnBh/rdccA0d/5kVDkVm6ZffK/rrsQm1/mENkeAGwY=; b=ChxFvCPnMC4sNwY8vSezWb60ALxvWGpd9PxjQho+e2wYcrwV5KILOiGcVauVHaOFhO 
+f6ZHTymmrxvR634r+wRYrCcpzInXDZKklCk7DASnskQrRBImK7sBXgc0c3SCaHEnO9Q xa5Cr3kgKRd5Dt8t9NNqAAOa/8GXy0AWo8v0rgVsvzlywwIpGfKaGKCu3efs8zQf9Zsa om3WNVtCmzjnBV1QPWcFucrlfv9dVslqN0pFT7UIsxIcyW1i/t3YD3YSbHIv79KfcuCu yIHbeE5EKBydHAkHkFxlO6MG68u8HQb/D/82n5GjYz5/eXM9IYkk0Sv0Jmkug8UlATgj 1RUw== X-Gm-Message-State: ACrzQf04T8tYEAPUf40cYc07wK/YvmxldxSHX2QfB4BIvxaXGI3rGmG7 xlxBvmEi4joQKzJaX7Q31Mncjw== X-Google-Smtp-Source: AMsMyM6AR8Y27aSqTIfnLE/BszoK27vRlaEd7LbSvPopybAXc6YTPDuZpOauIOTSzwLP5wpPYw1+Fw== X-Received: by 2002:a17:90b:4b47:b0:20a:cfcb:8561 with SMTP id mi7-20020a17090b4b4700b0020acfcb8561mr2139159pjb.55.1665700616917; Thu, 13 Oct 2022 15:36:56 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id q13-20020a170902dacd00b00176a715653dsm336002plx.145.2022.10.13.15.36.55 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 13 Oct 2022 15:36:56 -0700 (PDT) 
From: Kees Cook To: Mimi Zohar Cc: Kees Cook , Paul Moore , James Morris , "Serge E. Hallyn" , Dmitry Kasatkin , =?utf-8?q?Micka=C3=ABl_Sala?= =?utf-8?q?=C3=BCn?= , linux-security-module@vger.kernel.org, linux-integrity@vger.kernel.org, KP Singh , Casey Schaufler , John Johansen , linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org Subject: [PATCH 1/9] integrity: Prepare for having "ima" and "evm" available in "integrity" LSM Date: Thu, 13 Oct 2022 15:36:46 -0700 Message-Id: <20221013223654.659758-1-keescook@chromium.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20221013222702.never.990-kees@kernel.org> References: <20221013222702.never.990-kees@kernel.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=4972; h=from:subject; bh=X25ar5cnDAOImSwIPi4dRS33/W6S8V04RVdvF3svy1g=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBjSJMEI4he7aV1fUMbAUP8+xOlSU/Mc/mejIzZVgwZ MgicjxaJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCY0iTBAAKCRCJcvTf3G3AJi2ID/ 9IBaUFqXWRxmua4MK2h4HUvB+6dgAfWu8nN+BNz69h5r6S4m+jTtsTJ4xDfUgtPrnzzm8Z6rL/5UzJ R1QclfS45ROQRyvcqlyzKJqsxMZIRjzbWLmW0wnmOktcinGIbcvzYoVNZHTvmD+ALd2KNfkHIrXX6J 97OKhNAwRpbcLcitq566kjcbJvGDwYdRwlUa5Ft5l3a6cGqES+sm3RSc95zLLf5UBLgFq/sVPDacYt RdKywXjefO9oqFW54hg2ehfZEHkRENdcZvfIeIrNiJibJ9KYGamJ9xAY4HEFfcCns8CVpiRjdl9dhq zmgmyFKvwDFcZWE1qwxgsuVRQDVxqKEhozcV26CoiS5SzYhZqiTEoOzNv/ZyNjVGLVIiGI3dQpggTA bckOlVsVLymnQw1ab3sddZ4I9MCjbCYTwIQBw76dqO4MfgaHbejC6naXOaI5SDxxIeH9a58xHLsnV5 OeSpsGDa4xAWuQejlQMVcJA5/CodmZiWoScJ7ALKEuLwHahBlNzxsPL48hu3zYfimHTArbc34fvgyr 5R8O7Sfp1ApmjbKchmAIfdZoK6AqzMECbgiBAAAVfIcRms6TP4OJF9O6jSPHHBzfmnk9vSJ2rMVDML y/8VotNFwVeFAazDw8bmqdealoYdhDXNGpWOoxUOSg7LufhqzZlv4hZymShA== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org Move "integrity" LSM to the end of the Kconfig list and prepare for having ima and evm LSM initialization called from the top-level "integrity" LSM. 
Cc: Paul Moore Cc: James Morris Cc: "Serge E. Hallyn" Cc: Mimi Zohar Cc: Dmitry Kasatkin Cc: "Mickaël Salaün" Cc: linux-security-module@vger.kernel.org Cc: linux-integrity@vger.kernel.org Signed-off-by: Kees Cook --- security/Kconfig | 10 +++++----- security/integrity/evm/evm_main.c | 4 ++++ security/integrity/iint.c | 17 +++++++++++++---- security/integrity/ima/ima_main.c | 4 ++++ security/integrity/integrity.h | 6 ++++++ 5 files changed, 32 insertions(+), 9 deletions(-) diff --git a/security/Kconfig b/security/Kconfig index e6db09a779b7..d472e87a2fc4 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -246,11 +246,11 @@ endchoice config LSM string "Ordered list of enabled LSMs" - default "landlock,lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK - default "landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR - default "landlock,lockdown,yama,loadpin,safesetid,integrity,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO - default "landlock,lockdown,yama,loadpin,safesetid,integrity,bpf" if DEFAULT_SECURITY_DAC - default "landlock,lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf" + default "landlock,lockdown,yama,loadpin,safesetid,smack,selinux,tomoyo,apparmor,bpf,integrity" if DEFAULT_SECURITY_SMACK + default "landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,bpf,integrity" if DEFAULT_SECURITY_APPARMOR + default "landlock,lockdown,yama,loadpin,safesetid,tomoyo,bpf,integrity" if DEFAULT_SECURITY_TOMOYO + default "landlock,lockdown,yama,loadpin,safesetid,bpf,integrity" if DEFAULT_SECURITY_DAC + default "landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,bpf,integrity" help A comma-separated list of LSMs, in initialization order. Any LSMs left off this list will be ignored. This can be 
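Review bot: the help text is not updated to say that "integrity" must stay last, yet that is the only thing the Kconfig hunk changes. Once patches 2 and 3 replace the hard-coded `if (ret) return ret; return ima_*()` tails in security/security.c with ordinary hooks, the position of "integrity" in CONFIG_LSM is what keeps IMA running after every other LSM has decided, so a user who carries an older CONFIG_LSM string (with "integrity" between safesetid and the major LSM) or passes lsm= in that order silently changes hook ordering. Add a sentence to the help text and the commit message, along the lines of: `"integrity" should be listed last so that IMA and EVM hooks run after all other LSMs have made their decision.`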
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index 2e6fb6e2ffd2..1ef965089417 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c @@ -904,3 +904,7 @@ static int __init init_evm(void) } late_initcall(init_evm); + +void __init integrity_lsm_evm_init(void) +{ +} diff --git a/security/integrity/iint.c b/security/integrity/iint.c index 8638976f7990..4f322324449d 100644 --- a/security/integrity/iint.c +++ b/security/integrity/iint.c @@ -18,7 +18,6 @@ #include #include #include -#include #include "integrity.h" static struct rb_root integrity_iint_tree = RB_ROOT; @@ -172,19 +171,29 @@ static void init_once(void *foo) mutex_init(&iint->mutex); } -static int __init integrity_iintcache_init(void) +void __init integrity_add_lsm_hooks(struct security_hook_list *hooks, + int count) +{ + security_add_hooks(hooks, count, "integrity"); +} + +static int __init integrity_lsm_init(void) { iint_cache = kmem_cache_create("iint_cache", sizeof(struct integrity_iint_cache), 0, SLAB_PANIC, init_once); + + integrity_lsm_ima_init(); + integrity_lsm_evm_init(); + return 0; } + DEFINE_LSM(integrity) = { .name = "integrity", - .init = integrity_iintcache_init, + .init = integrity_lsm_init, }; - /* * integrity_kernel_read - read data from the file * diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 040b03ddc1c7..e617863af5ff 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -1076,3 +1076,7 @@ static int __init init_ima(void) } late_initcall(init_ima); /* Start IMA after the TPM is available */ + +void __init integrity_lsm_ima_init(void) +{ +} diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 7167a6e99bdc..3707349271c9 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -18,6 +18,7 @@ #include #include #include +#include /* iint action cache flags */ #define IMA_MEASURE 0x00000001 
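Review bot: integrity_lsm_init() in iint.c now calls integrity_lsm_ima_init() and integrity_lsm_evm_init() unconditionally, and the prototypes added to integrity.h carry no CONFIG guard, but the only definitions are the new stubs in ima/ima_main.c and evm/evm_main.c, which are built only when CONFIG_IMA and CONFIG_EVM are set. A kernel with CONFIG_INTEGRITY=y and either of those disabled fails to link with undefined references. Wrap the prototypes in `#ifdef CONFIG_IMA` / `#ifdef CONFIG_EVM` and supply `static inline void integrity_lsm_ima_init(void) { }` (and the EVM equivalent) in the #else branches. The two empty stubs would also benefit from a one-line comment saying the bodies arrive in the following patches, otherwise they read as dead code.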
@@ -191,6 +192,11 @@ extern struct dentry *integrity_dir; struct modsig; +void __init integrity_lsm_ima_init(void); +void __init integrity_lsm_evm_init(void); +void __init integrity_add_lsm_hooks(struct security_hook_list *hooks, + int count); + #ifdef CONFIG_INTEGRITY_SIGNATURE int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, From patchwork Thu Oct 13 22:36:47 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 13006513 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2C53CC4332F for ; Thu, 13 Oct 2022 22:37:07 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229590AbiJMWhF (ORCPT ); Thu, 13 Oct 2022 18:37:05 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43484 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229541AbiJMWhC (ORCPT ); Thu, 13 Oct 2022 18:37:02 -0400 Received: from mail-pj1-x1032.google.com (mail-pj1-x1032.google.com [IPv6:2607:f8b0:4864:20::1032]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 28489144E16 for ; Thu, 13 Oct 2022 15:37:00 -0700 (PDT) Received: by mail-pj1-x1032.google.com with SMTP id h12so3318006pjk.0 for ; Thu, 13 Oct 2022 15:36:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=4QtMvi+okgythLC0BZ5AgbF6b/T036dwH9EuwQzqT3w=; b=oPHpU2FNCIKE86DHkbE5v7YdCVfFxuOh2IeHYY2DreHarIwYexNLRoxwOscPXlk54Z 2XsBONOx9Ca9mdC2873canzK4z+yM15aoISs7hNWPzcT1YPJUreGCcYGFpRBB6gle9kl 5vsX6q8Bvc8b4zxMGfPt3LYcWr74dN592yUGU= X-Google-DKIM-Signature: v=1; a=rsa-sha256; 
From: Kees Cook To: Mimi Zohar Cc: Kees Cook , Paul Moore , James Morris , "Serge E. Hallyn" , Dmitry Kasatkin , =?utf-8?q?Micka=C3=ABl_Sala?= =?utf-8?q?=C3=BCn?= , Petr Vorel , Borislav Petkov , Takashi Iwai , Jonathan McDowell , linux-security-module@vger.kernel.org, linux-integrity@vger.kernel.org, KP Singh , Casey Schaufler , John Johansen , linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org Subject: [PATCH 2/9] security: Move trivial IMA hooks into LSM Date: Thu, 13 Oct 2022 15:36:47 -0700 Message-Id: <20221013223654.659758-2-keescook@chromium.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20221013222702.never.990-kees@kernel.org> References: <20221013222702.never.990-kees@kernel.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=11716; h=from:subject; bh=JPYrXEme63zNrHu8RasMAYqzn5dsYfwQ9sKlRFYwCmg=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBjSJMEBD/MwZ0ABEhYQJlMhma7ILk1MIOCXpU03Rs0 Pj96qRKJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCY0iTBAAKCRCJcvTf3G3AJgJlEA Cl24Ozc1VocmsUXHG32wY4+VYx+AcAuzOiJniFxKvvLj9WZt1tVP6AZjctFfMVwWIYt2Nlp0w5NaLq KR6DqQStima1UGNyAr4KydA8JnaQnpwN77IwaHZ1ICYrUrKzOrdOXu5F+QhyxgHODuswpWPtwVK+ew x8JxGGC1WNatLweiisDHYYWDztKqyLRM5zAdyVG29XHOoXyKvEcLVuYuRaJFLZhCgoL6rWTqQHibTE L3ZJ15erp8I3sBCswkF/cutq1D/h4FkF0ipjXmE4sq5Q4sDFAMLzsVeLoS+77uNySIufqHNEzEJvsv MtkRe9YfjdQ1ebLBOmRTwJ4DK9ygu5UYyEFE3DVjl6s9WCF7xoeeyw1xGeAmWZCGEISesOX3EK1qc6 QG2Qvh0zysfKi4bQh+X/w7YHus44k+O8wibXQXMCOeMA7MayrCMPXDiSLOU13TyewKQKYAR1MaNfMo T2CssSFp7cVYpPa2V1ko6UScmuAnLVwuzGlDI97OoskTZeNpZUCU0SDObm1+NrjbO/OVm4Oz6q3Rry hToO3DDPLYNqpYUahPlARDjFN5Yd85npwGh+K3T3xS75m7UM1ZXJnG1yltz+N2SBik1ARXebC7yHhh PymeAcPzWH1I8+VKQ4In6NgU0I2xesFr6C2GXdeu8txN30aQHn3wLGlT3Y0A== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org This moves the trivial hard-coded stacking of IMA LSM hooks into the existing LSM infrastructure. 
Cc: Paul Moore Cc: James Morris Cc: "Serge E. Hallyn" Cc: Mimi Zohar Cc: Dmitry Kasatkin Cc: "Mickaël Salaün" Cc: Petr Vorel Cc: Borislav Petkov Cc: Takashi Iwai Cc: Jonathan McDowell Cc: linux-security-module@vger.kernel.org Cc: linux-integrity@vger.kernel.org Signed-off-by: Kees Cook --- include/linux/ima.h | 50 ----------------------------- security/integrity/ima/ima_main.c | 40 +++++++++++++++++------- security/security.c | 52 ++++++------------------------- 3 files changed, 37 insertions(+), 105 deletions(-) diff --git a/include/linux/ima.h b/include/linux/ima.h index 81708ca0ebc7..3c641cc65270 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -16,20 +16,10 @@ struct linux_binprm; #ifdef CONFIG_IMA extern enum hash_algo ima_get_current_hash_algo(void); -extern int ima_bprm_check(struct linux_binprm *bprm); extern int ima_file_check(struct file *file, int mask); extern void ima_post_create_tmpfile(struct user_namespace *mnt_userns, struct inode *inode); extern void ima_file_free(struct file *file); -extern int ima_file_mmap(struct file *file, unsigned long prot); -extern int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot); -extern int ima_load_data(enum kernel_load_data_id id, bool contents); -extern int ima_post_load_data(char *buf, loff_t size, - enum kernel_load_data_id id, char *description); -extern int ima_read_file(struct file *file, enum kernel_read_file_id id, - bool contents); -extern int ima_post_read_file(struct file *file, void *buf, loff_t size, - enum kernel_read_file_id id); extern void ima_post_path_mknod(struct user_namespace *mnt_userns, struct dentry *dentry); extern int ima_file_hash(struct file *file, char *buf, size_t buf_size); @@ -56,11 +46,6 @@ static inline enum hash_algo ima_get_current_hash_algo(void) return HASH_ALGO__LAST; } -static inline int ima_bprm_check(struct linux_binprm *bprm) -{ - return 0; -} - static inline int ima_file_check(struct file *file, int mask) { return 0; 
@@ -76,41 +61,6 @@ static inline void ima_file_free(struct file *file) return; } -static inline int ima_file_mmap(struct file *file, unsigned long prot) -{ - return 0; -} - -static inline int ima_file_mprotect(struct vm_area_struct *vma, - unsigned long prot) -{ - return 0; -} - -static inline int ima_load_data(enum kernel_load_data_id id, bool contents) -{ - return 0; -} - -static inline int ima_post_load_data(char *buf, loff_t size, - enum kernel_load_data_id id, - char *description) -{ - return 0; -} - -static inline int ima_read_file(struct file *file, enum kernel_read_file_id id, - bool contents) -{ - return 0; -} - -static inline int ima_post_read_file(struct file *file, void *buf, loff_t size, - enum kernel_read_file_id id) -{ - return 0; -} - static inline void ima_post_path_mknod(struct user_namespace *mnt_userns, struct dentry *dentry) { diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index e617863af5ff..2cff001b02e4 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -395,6 +395,7 @@ static int process_measurement(struct file *file, const struct cred *cred, /** * ima_file_mmap - based on policy, collect/store measurement. * @file: pointer to the file to be measured (May be NULL) + * @reqprot: contains the protection that will be applied by the kernel. * @prot: contains the protection that will be applied by the kernel. * * Measure files being mmapped executable based on the ima_must_measure() 
@@ -403,11 +404,12 @@ static int process_measurement(struct file *file, const struct cred *cred, * On success return 0. On integrity appraisal error, assuming the file * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. */ -int ima_file_mmap(struct file *file, unsigned long prot) +static int ima_file_mmap(struct file *file, unsigned long reqprot, + unsigned long prot, unsigned long flags) { u32 secid; - if (file && (prot & PROT_EXEC)) { + if (file && (reqprot & PROT_EXEC)) { security_current_getsecid_subj(&secid); return process_measurement(file, current_cred(), secid, NULL, 0, MAY_EXEC, MMAP_CHECK); @@ -419,6 +421,7 @@ int ima_file_mmap(struct file *file, unsigned long prot) /** * ima_file_mprotect - based on policy, limit mprotect change * @vma: vm_area_struct protection is set to + * @reqprot: contains the protection that were requested. * @prot: contains the protection that will be applied by the kernel. * * Files can be mmap'ed read/write and later changed to execute to circumvent @@ -429,7 +432,8 @@ int ima_file_mmap(struct file *file, unsigned long prot) * * On mprotect change success, return 0. On failure, return -EACESS. */ -int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot) +static int ima_file_mprotect(struct vm_area_struct *vma, + unsigned long reqprot, unsigned long prot) { struct ima_template_desc *template = NULL; struct file *file; @@ -483,7 +487,7 @@ int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot) * On success return 0. On integrity appraisal error, assuming the file * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. */ -int ima_bprm_check(struct linux_binprm *bprm) +static int ima_bprm_check(struct linux_binprm *bprm) { int ret; u32 secid; 
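Review bot: the new kerneldoc for ima_file_mmap() is wrong: `@reqprot: contains the protection that will be applied by the kernel.` duplicates the @prot line, but reqprot is the protection the caller requested, which is exactly why the body now tests `reqprot & PROT_EXEC` (the old wrapper passed the requested prot, see the removed `return ima_file_mmap(file, prot);` in security_mmap_file()). The added @flags parameter is not documented at all. In the ima_file_mprotect() hunk, "protection that were requested" should read "protection that was requested", and since that function keeps using `prot` while ima_file_mmap() switches to `reqprot`, a short comment noting that each choice mirrors the argument the old security_*() wrapper passed would stop the next reader from reporting an inconsistency.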
@@ -706,8 +710,8 @@ void ima_post_path_mknod(struct user_namespace *mnt_userns, * * For permission return 0, otherwise return -EACCES. */ -int ima_read_file(struct file *file, enum kernel_read_file_id read_id, - bool contents) +static int ima_read_file(struct file *file, enum kernel_read_file_id read_id, + bool contents) { enum ima_hooks func; u32 secid; @@ -756,8 +760,8 @@ const int read_idmap[READING_MAX_ID] = { * On success return 0. On integrity appraisal error, assuming the file * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. */ -int ima_post_read_file(struct file *file, void *buf, loff_t size, - enum kernel_read_file_id read_id) +static int ima_post_read_file(struct file *file, char *buf, loff_t size, + enum kernel_read_file_id read_id) { enum ima_hooks func; u32 secid; @@ -790,7 +794,7 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size, * * For permission return 0, otherwise return -EACCES. */ -int ima_load_data(enum kernel_load_data_id id, bool contents) +static int ima_load_data(enum kernel_load_data_id id, bool contents) { bool ima_enforce, sig_enforce; @@ -844,9 +848,9 @@ int ima_load_data(enum kernel_load_data_id id, bool contents) * On success return 0. On integrity appraisal error, assuming the file * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. */ -int ima_post_load_data(char *buf, loff_t size, - enum kernel_load_data_id load_id, - char *description) +static int ima_post_load_data(char *buf, loff_t size, + enum kernel_load_data_id load_id, + char *description) { if (load_id == LOADING_FIRMWARE) { if ((ima_appraise & IMA_APPRAISE_FIRMWARE) && 
@@ -1077,6 +1081,18 @@ static int __init init_ima(void) late_initcall(init_ima); /* Start IMA after the TPM is available */ +static struct security_hook_list ima_hooks[] __lsm_ro_after_init = { + LSM_HOOK_INIT(bprm_check_security, ima_bprm_check), + LSM_HOOK_INIT(mmap_file, ima_file_mmap), + LSM_HOOK_INIT(file_mprotect, ima_file_mprotect), + LSM_HOOK_INIT(kernel_read_file, ima_read_file), + LSM_HOOK_INIT(kernel_post_read_file, ima_post_read_file), + LSM_HOOK_INIT(kernel_load_data, ima_load_data), + LSM_HOOK_INIT(kernel_post_load_data, ima_post_load_data), +}; + void __init integrity_lsm_ima_init(void) { + pr_info("Integrity LSM enabling IMA\n"); + integrity_add_lsm_hooks(ima_hooks, ARRAY_SIZE(ima_hooks)); } diff --git a/security/security.c b/security/security.c index 14d30fec8a00..8f7c1b5fa5fa 100644 --- a/security/security.c +++ b/security/security.c @@ -862,12 +862,7 @@ int security_bprm_creds_from_file(struct linux_binprm *bprm, struct file *file) int security_bprm_check(struct linux_binprm *bprm) { - int ret; - - ret = call_int_hook(bprm_check_security, 0, bprm); - if (ret) - return ret; - return ima_bprm_check(bprm); + return call_int_hook(bprm_check_security, 0, bprm); } void security_bprm_committing_creds(struct linux_binprm *bprm) @@ -1589,12 +1584,8 @@ static inline unsigned long mmap_prot(struct file *file, unsigned long prot) int security_mmap_file(struct file *file, unsigned long prot, unsigned long flags) { - int ret; - ret = call_int_hook(mmap_file, 0, file, prot, - mmap_prot(file, prot), flags); - if (ret) - return ret; - return ima_file_mmap(file, prot); + return call_int_hook(mmap_file, 0, file, prot, + mmap_prot(file, prot), flags); } int security_mmap_addr(unsigned long addr) 
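Review bot: dropping the `if (ret) return ret; return ima_*()` tails changes the guarantee from "IMA runs last, and only if every other LSM allowed the operation" to "IMA runs wherever "integrity" sits in the LSM list". The two are equivalent only because patch 1 moves "integrity" to the end of the default CONFIG_LSM strings; with a custom CONFIG_LSM or an lsm= boot option that lists it earlier, process_measurement() can measure or appraise (and return -EACCES for) an exec or mmap that a later LSM denies anyway, and the error userspace sees can change. Please state this dependency explicitly in the commit message, since nothing in the code enforces it.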
@@ -1605,12 +1596,7 @@ int security_mmap_addr(unsigned long addr) int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, unsigned long prot) { - int ret; - - ret = call_int_hook(file_mprotect, 0, vma, reqprot, prot); - if (ret) - return ret; - return ima_file_mprotect(vma, prot); + return call_int_hook(file_mprotect, 0, vma, reqprot, prot); } int security_file_lock(struct file *file, unsigned int cmd) @@ -1746,35 +1732,20 @@ int security_kernel_module_request(char *kmod_name) int security_kernel_read_file(struct file *file, enum kernel_read_file_id id, bool contents) { - int ret; - - ret = call_int_hook(kernel_read_file, 0, file, id, contents); - if (ret) - return ret; - return ima_read_file(file, id, contents); + return call_int_hook(kernel_read_file, 0, file, id, contents); } EXPORT_SYMBOL_GPL(security_kernel_read_file); int security_kernel_post_read_file(struct file *file, char *buf, loff_t size, enum kernel_read_file_id id) { - int ret; - - ret = call_int_hook(kernel_post_read_file, 0, file, buf, size, id); - if (ret) - return ret; - return ima_post_read_file(file, buf, size, id); + return call_int_hook(kernel_post_read_file, 0, file, buf, size, id); } EXPORT_SYMBOL_GPL(security_kernel_post_read_file); int security_kernel_load_data(enum kernel_load_data_id id, bool contents) { - int ret; - - ret = call_int_hook(kernel_load_data, 0, id, contents); - if (ret) - return ret; - return ima_load_data(id, contents); + return call_int_hook(kernel_load_data, 0, id, contents); } EXPORT_SYMBOL_GPL(security_kernel_load_data); 
@@ -1782,13 +1753,8 @@ int security_kernel_post_load_data(char *buf, loff_t size, enum kernel_load_data_id id, char *description) { - int ret; - - ret = call_int_hook(kernel_post_load_data, 0, buf, size, id, - description); - if (ret) - return ret; - return ima_post_load_data(buf, size, id, description); + return call_int_hook(kernel_post_load_data, 0, buf, size, id, + description); } EXPORT_SYMBOL_GPL(security_kernel_post_load_data); From patchwork Thu Oct 13 22:36:48 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 13006512 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id A65FAC43219 for ; Thu, 13 Oct 2022 22:37:02 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229703AbiJMWhB (ORCPT ); Thu, 13 Oct 2022 18:37:01 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43402 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229682AbiJMWhA (ORCPT ); Thu, 13 Oct 2022 18:37:00 -0400 Received: from mail-pg1-x535.google.com (mail-pg1-x535.google.com [IPv6:2607:f8b0:4864:20::535]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 69C6726116 for ; Thu, 13 Oct 2022 15:36:58 -0700 (PDT) Received: by mail-pg1-x535.google.com with SMTP id f193so2802673pgc.0 for ; Thu, 13 Oct 2022 15:36:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=ceH/RO/hzWXDxSnFXezZugzYqMJL0QzXH8UIXIXwz2A=; b=RdhSRBgdbmEcHTzPfBXbR/j//1diduAVoeDH1mUi7dimeFgOmnh8JxLdvqI6aFAqBz +W54LtdTNlzsY0BuVAZcaQ18xSVO9N4yN4MAX4tdqqKJ7gE+3ebIB5Mxixuf0FmFxpfX 
From: Kees Cook To: Mimi Zohar Cc: Kees Cook , Dmitry Kasatkin , Paul Moore , James Morris , "Serge E. Hallyn" , Borislav Petkov , Jonathan McDowell , Takashi Iwai , Petr Vorel , linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , KP Singh , Casey Schaufler , John Johansen , linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org Subject: [PATCH 3/9] ima: Move xattr hooks into LSM Date: Thu, 13 Oct 2022 15:36:48 -0700 Message-Id: <20221013223654.659758-3-keescook@chromium.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20221013222702.never.990-kees@kernel.org> References: <20221013222702.never.990-kees@kernel.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=7063; h=from:subject; bh=UwVZQhUAV34kLZLvWg3gW0Y3AxAoqPtrDDTwL+QIuyQ=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBjSJMEHh/BpJ8T/UrB3miOUYuzJYjTTQP/es9Hk0XI dfZG4xuJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCY0iTBAAKCRCJcvTf3G3AJpZ/EA CGzX2dABmN4vM8z88raKKj3Nl+cOZLLMTHDR3tYm9/U+nievEWZnBIMlbRSDXwjwhv8yOEwkXHomUz EOhnf8FmyzCzjBzXnEacLLLfu6c+5Saz5VuJI11paPu8IUUHHbI8A2c2OOjXaunaJ0pNAuWBpzwIjJ nSNOFNj20t+3vJ/urzKa9/Pqyg8zDHFD9qqpqaBtGGoUwjY3m7XrMqpeKtruZlJUoixyAKUCBR2G+E qW868F9IuhZf12kNaRzP9ehAlWXDreKSeD9GCy8U4uy/FxHNU0llHWLXPJlznr6rSrOov5sVsAOh4Q 92NaFx4RN8V24y4Bkgxkr36IkQ+5+x4uVSNvPGIUVme+c2kVGxGFf9Z5IfDxgYkbyPBl64CF3alsB7 9Jcz7EIvyrYTFXKJapKa3vqpUrdC7L1TJrBfC8OGD2a3nk1E/Z73ZX6TKvIDfOwqY+0SP9s+ptf76q F1AL5hiY+SDsmrM8Q1aWF+Z95WVrcbfNJNezm6/hS9xn3IEeeEdiDeugPyFCMHbzxJ4Zu+GXw+rgPB aoYvjD+300H3Q//lbzYWmc3NCxS0rEwy44q2AQ+r+uqoAMcaa3j3YrJdYPCRearUIv1xpNBoeAzUtb Lr7vob6z1IlkP5lAd+cjBvbd9IbQKJNYK/WtqiqjtVs8HzFa6aaYPjxGpRYw== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org Move the xattr IMA hooks into normal LSM layer. As with SELinux and Smack, handle calling cap_inode_setxattr() internally. 
Cc: Mimi Zohar Cc: Dmitry Kasatkin Cc: Paul Moore Cc: James Morris Cc: "Serge E. Hallyn" Cc: Borislav Petkov Cc: Jonathan McDowell Cc: Takashi Iwai Cc: Petr Vorel Cc: linux-integrity@vger.kernel.org Cc: linux-security-module@vger.kernel.org Signed-off-by: Kees Cook --- include/linux/ima.h | 16 ---------------- security/integrity/ima/ima.h | 10 ++++++++++ security/integrity/ima/ima_appraise.c | 19 ++++++++++++++++--- security/integrity/ima/ima_main.c | 4 ++++ security/security.c | 10 ++-------- 5 files changed, 32 insertions(+), 27 deletions(-) diff --git a/include/linux/ima.h b/include/linux/ima.h index 3c641cc65270..6dc5143f89f2 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -135,9 +135,6 @@ static inline void ima_post_key_create_or_update(struct key *keyring, extern bool is_ima_appraise_enabled(void); extern void ima_inode_post_setattr(struct user_namespace *mnt_userns, struct dentry *dentry); -extern int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name, - const void *xattr_value, size_t xattr_value_len); -extern int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name); #else static inline bool is_ima_appraise_enabled(void) { @@ -150,19 +147,6 @@ static inline void ima_inode_post_setattr(struct user_namespace *mnt_userns, return; } -static inline int ima_inode_setxattr(struct dentry *dentry, - const char *xattr_name, - const void *xattr_value, - size_t xattr_value_len) -{ - return 0; -} - -static inline int ima_inode_removexattr(struct dentry *dentry, - const char *xattr_name) -{ - return 0; -} #endif /* CONFIG_IMA_APPRAISE */ #if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING) diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index be965a8715e4..15a369df4c00 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h 
@@ -168,6 +168,16 @@ int __init ima_init_digests(void); int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event, void *lsm_data); +/* LSM hooks */ +#ifdef CONFIG_IMA_APPRAISE +int ima_inode_setxattr(struct user_namespace *mnt_userns, + struct dentry *dentry, const char *xattr_name, + const void *xattr_value, size_t xattr_value_len, + int flags); +int ima_inode_removexattr(struct user_namespace *mnt_userns, + struct dentry *dentry, const char *xattr_name); +#endif + /* * used to protect h_table and sha_table */ diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index bde74fcecee3..ddd9df6b7dac 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -744,8 +744,10 @@ static int validate_hash_algo(struct dentry *dentry, return -EACCES; } -int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name, - const void *xattr_value, size_t xattr_value_len) +int ima_inode_setxattr(struct user_namespace *mnt_userns, + struct dentry *dentry, const char *xattr_name, + const void *xattr_value, size_t xattr_value_len, + int flags) { const struct evm_ima_xattr_data *xvalue = xattr_value; int digsig = 0; @@ -754,6 +756,11 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name, result = ima_protect_xattr(dentry, xattr_name, xattr_value, xattr_value_len); if (result == 1) { + result = cap_inode_setxattr(dentry, xattr_name, xattr_value, + xattr_value_len, flags); + if (result) + return result; + if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST)) return -EINVAL; digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG); 
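Review bot: `result = cap_inode_setxattr(...)` reuses the variable holding the ima_protect_xattr() verdict, so after a successful capability check `result` is 0 instead of 1 for the rest of ima_inode_setxattr(). Any later code keyed on `result == 1` (the function ends in `return result;` in the next hunk, and the removexattr hunk below shows the same `if (result == 1 || evm_revalidate_status(xattr_name))` pattern) then skips the security.ima-specific path unless EVM happens to request revalidation. Use a separate local: `int err = cap_inode_setxattr(dentry, xattr_name, xattr_value, xattr_value_len, flags); if (err) return err;` and leave `result` untouched.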
@@ -770,11 +777,17 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name, return result; } -int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name) +int ima_inode_removexattr(struct user_namespace *mnt_userns, + struct dentry *dentry, const char *xattr_name) { int result; result = ima_protect_xattr(dentry, xattr_name, NULL, 0); + if (result == 1) { + result = cap_inode_removexattr(mnt_userns, dentry, xattr_name); + if (result) + return result; + } if (result == 1 || evm_revalidate_status(xattr_name)) { ima_reset_appraise_flags(d_backing_inode(dentry), 0); if (result == 1) diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 2cff001b02e4..b3b79d030a67 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -1089,6 +1089,10 @@ static struct security_hook_list ima_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(kernel_post_read_file, ima_post_read_file), LSM_HOOK_INIT(kernel_load_data, ima_load_data), LSM_HOOK_INIT(kernel_post_load_data, ima_post_load_data), +#ifdef CONFIG_IMA_APPRAISE + LSM_HOOK_INIT(inode_setxattr, ima_inode_setxattr), + LSM_HOOK_INIT(inode_removexattr, ima_inode_removexattr), +#endif }; void __init integrity_lsm_ima_init(void) diff --git a/security/security.c b/security/security.c index 8f7c1b5fa5fa..ca731132a0e9 100644 --- a/security/security.c +++ b/security/security.c @@ -1349,7 +1349,7 @@ int security_inode_setxattr(struct user_namespace *mnt_userns, if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) return 0; /* - * SELinux and Smack integrate the cap call, + * SELinux, Smack, and IMA integrate the cap call, * so assume that all LSMs supplying this call do so. */ ret = call_int_hook(inode_setxattr, 1, mnt_userns, dentry, name, value, 
@@ -1357,9 +1357,6 @@ int security_inode_setxattr(struct user_namespace *mnt_userns, if (ret == 1) ret = cap_inode_setxattr(dentry, name, value, size, flags); - if (ret) - return ret; - ret = ima_inode_setxattr(dentry, name, value, size); if (ret) return ret; return evm_inode_setxattr(mnt_userns, dentry, name, value, size); 
@@ -1396,15 +1393,12 @@ int security_inode_removexattr(struct user_namespace *mnt_userns, if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) return 0; /* - * SELinux and Smack integrate the cap call, + * SELinux, Smack, and IMA integrate the cap call, * so assume that all LSMs supplying this call do so. */ ret = call_int_hook(inode_removexattr, 1, mnt_userns, dentry, name); if (ret == 1) ret = cap_inode_removexattr(mnt_userns, dentry, name); - if (ret) - return ret; - ret = ima_inode_removexattr(dentry, name); if (ret) return ret; return evm_inode_removexattr(mnt_userns, dentry, name);
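Review bot: in the ima_inode_setxattr() hunk of security/integrity/ima/ima_appraise.c, `result = cap_inode_setxattr(dentry, xattr_name, xattr_value, xattr_value_len, flags);` overwrites the 1 that ima_protect_xattr() returned to mark an IMA-protected xattr; after a successful capability check `result` is 0 for the rest of the function, so the code that follows can no longer tell the protected case apart from an ordinary xattr. Keep the capability result in its own variable (`int rc = cap_inode_setxattr(...); if (rc) return rc;`) and leave `result` as ima_protect_xattr() set it.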
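Review bot: in the ima_inode_removexattr() hunk the same clobbering has a visible consequence: after `result = cap_inode_removexattr(mnt_userns, dentry, xattr_name);` succeeds, `result` is 0, so the unchanged `if (result == 1 || evm_revalidate_status(xattr_name))` directly below is only entered when EVM revalidation applies, and for a plain security.ima removal with no EVM key loaded ima_reset_appraise_flags() and the inner `if (result == 1)` are skipped, leaving stale appraisal state on the inode. Use a separate variable for the capability check so `result` keeps the value from ima_protect_xattr().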
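Review bot: the two security.c hunks now document that "SELinux, Smack, and IMA integrate the cap call", but the IMA hooks only call cap_inode_setxattr()/cap_inode_removexattr() when ima_protect_xattr() returns 1 and return 0 for every other name. call_int_hook() yields its default of 1 only when no hook is registered, and with this patch IMA registers inode_setxattr/inode_removexattr whenever CONFIG_IMA_APPRAISE is set, so the `if (ret == 1) ret = cap_inode_setxattr(...)` fallback becomes unreachable on such kernels; on a kernel without SELinux or Smack a non-IMA name such as security.capability then gets no capability check at all, whereas before this patch the cap call ran unconditionally ahead of ima_inode_setxattr(). Either run cap_inode_*xattr() unconditionally at the top of the IMA hooks or keep the fallback reachable, and word the comment accordingly.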
From: Kees Cook
To: Mimi Zohar
Cc: Kees Cook, Dmitry Kasatkin, Paul Moore, James Morris, "Serge E. Hallyn", Petr Vorel, Jonathan McDowell, Borislav Petkov, Takashi Iwai, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, Mickaël Salaün, KP Singh, Casey Schaufler, John Johansen, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH 4/9] ima: Move ima_file_free() into LSM
Date: Thu, 13 Oct 2022 15:36:49 -0700
Message-Id: <20221013223654.659758-4-keescook@chromium.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20221013222702.never.990-kees@kernel.org>
References: <20221013222702.never.990-kees@kernel.org>
X-Mailing-List: linux-integrity@vger.kernel.org

The file_free_security hook already exists for managing notification of released files. Use the LSM hook instead of open-coded stacking.
Cc: Mimi Zohar Cc: Dmitry Kasatkin Cc: Paul Moore Cc: James Morris Cc: "Serge E. Hallyn" Cc: Petr Vorel Cc: Jonathan McDowell Cc: Borislav Petkov Cc: Takashi Iwai Cc: linux-integrity@vger.kernel.org Cc: linux-security-module@vger.kernel.org Signed-off-by: Kees Cook --- fs/file_table.c | 1 - include/linux/ima.h | 6 ------ security/integrity/ima/ima_main.c | 3 ++- 3 files changed, 2 insertions(+), 8 deletions(-) diff --git a/fs/file_table.c b/fs/file_table.c index 99c6796c9f28..fa707d221a43 100644 --- a/fs/file_table.c +++ b/fs/file_table.c @@ -311,7 +311,6 @@ static void __fput(struct file *file) eventpoll_release(file); locks_remove_file(file); - ima_file_free(file); if (unlikely(file->f_flags & FASYNC)) { if (file->f_op->fasync) file->f_op->fasync(-1, file, 0); diff --git a/include/linux/ima.h b/include/linux/ima.h index 6dc5143f89f2..9f18df366064 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -19,7 +19,6 @@ extern enum hash_algo ima_get_current_hash_algo(void); extern int ima_file_check(struct file *file, int mask); extern void ima_post_create_tmpfile(struct user_namespace *mnt_userns, struct inode *inode); -extern void ima_file_free(struct file *file); extern void ima_post_path_mknod(struct user_namespace *mnt_userns, struct dentry *dentry); extern int ima_file_hash(struct file *file, char *buf, size_t buf_size); @@ -56,11 +55,6 @@ static inline void ima_post_create_tmpfile(struct user_namespace *mnt_userns, { } -static inline void ima_file_free(struct file *file) -{ - return; -} - static inline void ima_post_path_mknod(struct user_namespace *mnt_userns, struct dentry *dentry) { diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index b3b79d030a67..94379ba40b58 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c 
@@ -183,7 +183,7 @@ static void ima_check_last_writer(struct integrity_iint_cache *iint, * * Flag files that changed, based on i_version */ -void ima_file_free(struct file *file) +static void ima_file_free(struct file *file) { struct inode *inode = file_inode(file); struct integrity_iint_cache *iint; 
@@ -1085,6 +1085,7 @@ static struct security_hook_list ima_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(bprm_check_security, ima_bprm_check), LSM_HOOK_INIT(mmap_file, ima_file_mmap), LSM_HOOK_INIT(file_mprotect, ima_file_mprotect), + LSM_HOOK_INIT(file_free_security, ima_file_free), LSM_HOOK_INIT(kernel_read_file, ima_read_file), LSM_HOOK_INIT(kernel_post_read_file, ima_post_read_file), LSM_HOOK_INIT(kernel_load_data, ima_load_data),
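Review bot: in the fs/file_table.c hunk, the removed `ima_file_free(file);` ran inside __fput() before the fasync and f_op->release teardown, only for files that had reached FMODE_OPENED, and while the file's dentry and mount were still held. file_free_security is invoked from file_free(), i.e. at the very end of __fput() after release, dput() and mntput(), and also for a struct file that never finished opening, whose f_inode is still NULL; the ima_main.c hunk shows ima_file_free() starting with `struct inode *inode = file_inode(file);` and the last-writer path updates security.ima through the dentry. Either bail out of the hook for !FMODE_OPENED and move the xattr update earlier, or add a dedicated LSM hook at the point this call is removed from rather than reusing file_free_security.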
From: Kees Cook
To: Mimi Zohar
Cc: Kees Cook, Dmitry Kasatkin, Paul Moore, James Morris, "Serge E. Hallyn", Takashi Iwai, Jonathan McDowell, Casey Schaufler, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, Mickaël Salaün, KP Singh, John Johansen, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH 5/9] LSM: Introduce inode_post_setattr hook
Date: Thu, 13 Oct 2022 15:36:50 -0700
Message-Id: <20221013223654.659758-5-keescook@chromium.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20221013222702.never.990-kees@kernel.org>
References: <20221013222702.never.990-kees@kernel.org>
X-Mailing-List: linux-integrity@vger.kernel.org

IMA and EVM need to hook after setattr finishes. Introduce this hook and move IMA and EVM's open-coded stacking to use it.
Cc: Mimi Zohar Cc: Dmitry Kasatkin Cc: Paul Moore Cc: James Morris Cc: "Serge E. Hallyn" Cc: Takashi Iwai Cc: Jonathan McDowell Cc: Casey Schaufler Cc: linux-integrity@vger.kernel.org Cc: linux-security-module@vger.kernel.org Signed-off-by: Kees Cook --- fs/attr.c | 3 +-- include/linux/evm.h | 6 ------ include/linux/ima.h | 9 --------- include/linux/lsm_hook_defs.h | 3 +++ security/integrity/evm/evm_main.c | 10 +++++++++- security/integrity/ima/ima.h | 2 ++ security/integrity/ima/ima_appraise.c | 2 +- security/integrity/ima/ima_main.c | 1 + security/security.c | 8 ++++++++ 9 files changed, 25 insertions(+), 19 deletions(-) diff --git a/fs/attr.c b/fs/attr.c index 1552a5f23d6b..e5731057426b 100644 --- a/fs/attr.c +++ b/fs/attr.c @@ -423,8 +423,7 @@ int notify_change(struct user_namespace *mnt_userns, struct dentry *dentry, if (!error) { fsnotify_change(dentry, ia_valid); - ima_inode_post_setattr(mnt_userns, dentry); - evm_inode_post_setattr(dentry, ia_valid); + security_inode_post_setattr(mnt_userns, dentry, ia_valid); } return error; diff --git a/include/linux/evm.h b/include/linux/evm.h index aa63e0b3c0a2..53f402bfb9f1 100644 --- a/include/linux/evm.h +++ b/include/linux/evm.h @@ -23,7 +23,6 @@ extern enum integrity_status evm_verifyxattr(struct dentry *dentry, struct integrity_iint_cache *iint); extern int evm_inode_setattr(struct user_namespace *mnt_userns, struct dentry *dentry, struct iattr *attr); -extern void evm_inode_post_setattr(struct dentry *dentry, int ia_valid); extern int evm_inode_setxattr(struct user_namespace *mnt_userns, struct dentry *dentry, const char *name, const void *value, size_t size); @@ -75,11 +74,6 @@ static inline int evm_inode_setattr(struct user_namespace *mnt_userns, return 0; } -static inline void evm_inode_post_setattr(struct dentry *dentry, int ia_valid) -{ - return; -} - static inline int evm_inode_setxattr(struct user_namespace *mnt_userns, struct dentry *dentry, const char *name, const void *value, size_t size) 
diff --git a/include/linux/ima.h b/include/linux/ima.h index 9f18df366064..70180b9bd974 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -127,20 +127,11 @@ static inline void ima_post_key_create_or_update(struct key *keyring, #ifdef CONFIG_IMA_APPRAISE extern bool is_ima_appraise_enabled(void); -extern void ima_inode_post_setattr(struct user_namespace *mnt_userns, - struct dentry *dentry); #else static inline bool is_ima_appraise_enabled(void) { return 0; } - -static inline void ima_inode_post_setattr(struct user_namespace *mnt_userns, - struct dentry *dentry) -{ - return; -} - #endif /* CONFIG_IMA_APPRAISE */ #if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING) diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index 806448173033..0b01473eee8a 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -135,6 +135,9 @@ LSM_HOOK(int, 0, inode_follow_link, struct dentry *dentry, struct inode *inode, bool rcu) LSM_HOOK(int, 0, inode_permission, struct inode *inode, int mask) LSM_HOOK(int, 0, inode_setattr, struct dentry *dentry, struct iattr *attr) +LSM_HOOK(void, LSM_RET_VOID, inode_post_setattr, + struct user_namespace *mnt_userns, struct dentry *dentry, + unsigned int ia_valid) LSM_HOOK(int, 0, inode_getattr, const struct path *path) LSM_HOOK(int, 0, inode_setxattr, struct user_namespace *mnt_userns, struct dentry *dentry, const char *name, const void *value, diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index 1ef965089417..aca689dc0576 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c 
@@ -817,7 +817,9 @@ int evm_inode_setattr(struct user_namespace *mnt_userns, struct dentry *dentry, * This function is called from notify_change(), which expects the caller * to lock the inode's i_mutex. */ -void evm_inode_post_setattr(struct dentry *dentry, int ia_valid) +static void evm_inode_post_setattr(struct user_namespace *mnt_userns, + struct dentry *dentry, + unsigned int ia_valid) { if (!evm_revalidate_status(NULL)) return; @@ -905,6 +907,12 @@ static int __init init_evm(void) late_initcall(init_evm); +static struct security_hook_list evm_hooks[] __lsm_ro_after_init = { + LSM_HOOK_INIT(inode_post_setattr, evm_inode_post_setattr), +}; + void __init integrity_lsm_evm_init(void) { + pr_info("Integrity LSM enabling EVM\n"); + integrity_add_lsm_hooks(evm_hooks, ARRAY_SIZE(evm_hooks)); } diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 15a369df4c00..5c95ea6e6c94 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -176,6 +176,8 @@ int ima_inode_setxattr(struct user_namespace *mnt_userns, int flags); int ima_inode_removexattr(struct user_namespace *mnt_userns, struct dentry *dentry, const char *xattr_name); +void ima_inode_post_setattr(struct user_namespace *mnt_userns, + struct dentry *dentry, unsigned int ia_valid); #endif /* diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index ddd9df6b7dac..ccd54b50fe48 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -631,7 +631,7 @@ void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file) * to lock the inode's i_mutex. */ void ima_inode_post_setattr(struct user_namespace *mnt_userns, - struct dentry *dentry) + struct dentry *dentry, unsigned int ia_valid) { struct inode *inode = d_backing_inode(dentry); struct integrity_iint_cache *iint; diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 94379ba40b58..ffebd3236f24 100644 
--- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -1093,6 +1093,7 @@ static struct security_hook_list ima_hooks[] __lsm_ro_after_init = { #ifdef CONFIG_IMA_APPRAISE LSM_HOOK_INIT(inode_setxattr, ima_inode_setxattr), LSM_HOOK_INIT(inode_removexattr, ima_inode_removexattr), + LSM_HOOK_INIT(inode_post_setattr, ima_inode_post_setattr), #endif }; diff --git a/security/security.c b/security/security.c index ca731132a0e9..af42264ad3e2 100644 --- a/security/security.c +++ b/security/security.c 
@@ -1333,6 +1333,14 @@ int security_inode_setattr(struct user_namespace *mnt_userns, } EXPORT_SYMBOL_GPL(security_inode_setattr); +void security_inode_post_setattr(struct user_namespace *mnt_userns, + struct dentry *dentry, unsigned int ia_valid) +{ + if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) + return; + call_void_hook(inode_post_setattr, mnt_userns, dentry, ia_valid); +} + int security_inode_getattr(const struct path *path) { if (unlikely(IS_PRIVATE(d_backing_inode(path->dentry))))
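Review bot: the fs/attr.c hunk makes notify_change() call security_inode_post_setattr(), but the diffstat touches no include/linux/security.h, so the new function has neither a prototype nor a CONFIG_SECURITY=n inline stub; unless an earlier patch in the series adds them, fs/attr.c fails with an implicit declaration and the !CONFIG_SECURITY build does not link. Add the declaration next to security_inode_setattr() and an empty static inline for the disabled case.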
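Review bot: the evm_main.c hunk registers evm_inode_post_setattr() via integrity_add_lsm_hooks() and the ima_main.c hunk registers ima_inode_post_setattr() the same way, so the fixed order that the removed fs/attr.c lines had (IMA first, then EVM) now depends on which of integrity_lsm_ima_init()/integrity_lsm_evm_init() adds its hooks first, which this patch does not show; state that order in the changelog or enforce it. The added `pr_info("Integrity LSM enabling EVM\n");` is unrelated to the hook move and prints at LSM init regardless of whether init_evm() later succeeds as a late_initcall; it belongs in its own patch or should be dropped.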
From: Kees Cook
To: Mimi Zohar
Cc: Kees Cook, John Johansen, Paul Moore, James Morris, "Serge E. Hallyn", linux-security-module@vger.kernel.org, Mickaël Salaün, KP Singh, Casey Schaufler, linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH 6/9] fs: Introduce file_to_perms() helper
Date: Thu, 13 Oct 2022 15:36:51 -0700
Message-Id: <20221013223654.659758-6-keescook@chromium.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20221013222702.never.990-kees@kernel.org>
References: <20221013222702.never.990-kees@kernel.org>
X-Mailing-List: linux-integrity@vger.kernel.org

Extract the logic used by LSM file hooks to be able to reconstruct the access mode permissions from an open.

Cc: John Johansen
Cc: Paul Moore
Cc: James Morris
Cc: "Serge E. Hallyn"
Cc: linux-security-module@vger.kernel.org
Signed-off-by: Kees Cook --- include/linux/fs.h | 22 ++++++++++++++++++++++ security/apparmor/include/file.h | 18 ++++-------------- 2 files changed, 26 insertions(+), 14 deletions(-) diff --git a/include/linux/fs.h b/include/linux/fs.h index 9eced4cc286e..814f10d4132e 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -993,6 +993,28 @@ static inline struct file *get_file(struct file *f) #define get_file_rcu(x) atomic_long_inc_not_zero(&(x)->f_count) #define file_count(x) atomic_long_read(&(x)->f_count) +/* Calculate the basic MAY_* flags needed for a given file. */ +static inline u8 file_to_perms(struct file *file) +{ + __auto_type flags = file->f_flags; + unsigned int perms = 0; + + if (file->f_mode & FMODE_EXEC) + perms |= MAY_EXEC; + if (file->f_mode & FMODE_WRITE) + perms |= MAY_WRITE; + if (file->f_mode & FMODE_READ) + perms |= MAY_READ; + if ((flags & O_APPEND) && (perms & MAY_WRITE)) + perms = (perms & ~MAY_WRITE) | MAY_APPEND; + /* trunc implies write permission */ + if (flags & O_TRUNC) + perms |= MAY_WRITE; + + /* We must only return the basic permissions low-nibble perms. */ + return (perms | (MAY_EXEC | MAY_WRITE | MAY_READ | MAY_APPEND)); +} + #define MAX_NON_LFS ((1UL<<31) - 1) /* Page cache limit. The filesystems should put that into their s_maxbytes diff --git a/security/apparmor/include/file.h b/security/apparmor/include/file.h index 029cb20e322d..505d6da02af3 100644 --- a/security/apparmor/include/file.h +++ b/security/apparmor/include/file.h 
@@ -218,20 +218,10 @@ static inline void aa_free_file_rules(struct aa_file_rules *rules) */ static inline u32 aa_map_file_to_perms(struct file *file) { - int flags = file->f_flags; - u32 perms = 0; - - if (file->f_mode & FMODE_WRITE) - perms |= MAY_WRITE; - if (file->f_mode & FMODE_READ) - perms |= MAY_READ; - - if ((flags & O_APPEND) && (perms & MAY_WRITE)) - perms = (perms & ~MAY_WRITE) | MAY_APPEND; - /* trunc implies write permission */ - if (flags & O_TRUNC) - perms |= MAY_WRITE; - if (flags & O_CREAT) + u32 perms = file_to_perms(file); + + /* Also want to check O_CREAT */ + if (file->f_flags & O_CREAT) perms |= AA_MAY_CREATE; return perms;
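Review bot: in the include/linux/fs.h hunk the final `return (perms | (MAY_EXEC | MAY_WRITE | MAY_READ | MAY_APPEND));` uses `|` where the comment above it says the intent is to keep only the low-nibble permissions; as written the helper returns all four bits for every file, so a read-only open reports MAY_WRITE and MAY_EXEC to every LSM that calls it, and AppArmor's aa_map_file_to_perms() would request all of them on every open. It should be `return perms & (MAY_EXEC | MAY_WRITE | MAY_READ | MAY_APPEND);`. Also `__auto_type flags = file->f_flags;` is unusual kernel style; `unsigned int flags` matches the field.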
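Review bot: the security/apparmor/include/file.h hunk is not a pure extraction: the removed AppArmor code never looked at FMODE_EXEC, while file_to_perms() sets MAY_EXEC for it, so aa_map_file_to_perms() now carries the exec bit for FMODE_EXEC opens and AppArmor file rules will be evaluated against it. If that is intended, say so in the changelog; otherwise mask MAY_EXEC off in the AppArmor wrapper. The u8 return assigned to a u32 `perms` is harmless but a u32 return type would avoid the mixed widths.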
From: Kees Cook To: Mimi Zohar Cc: Kees Cook , Dmitry Kasatkin , Paul Moore , James Morris , "Serge E. Hallyn" , Jonathan McDowell , linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , KP Singh , Casey Schaufler , John Johansen , linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org Subject: [PATCH 7/9] ima: Move ima_file_check() into LSM Date: Thu, 13 Oct 2022 15:36:52 -0700 Message-Id: <20221013223654.659758-7-keescook@chromium.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20221013222702.never.990-kees@kernel.org> References: <20221013222702.never.990-kees@kernel.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=5346; h=from:subject; bh=riUsZQZoVxlZeA/zVYk5CSKXRI6ewCrtesJchBkc+2o=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBjSJMF+CD8myWrdyIkpdz8Alc9mimWJRlQS/0/dBUs QZL6Lr2JAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCY0iTBQAKCRCJcvTf3G3AJprMD/ 9DPdjF0nwZkAf61pNj44lk1w0pWPPsk+HTALzRGT8PvX4Qvtb+QPpOc+DSnxDdxsG1ExBqHxyr7PwY QKSjmLiFPdg77UH6m5Ifh8aXoRh7/Go0JSkxa8fLFjiuyqCzHSg5qsNwlUgGDuF+1tq/Obcl5272w0 zfvSXVlJxLxilUYRIm8jBLu5sQt9sFpBh2v4OlCdwo9Yfd2iP6wRBOY3XHSFQ6WNhPZkCPFQ/2eaCe aOHcJzozEs+UJ3k8VpfAybP2MK6ULPjPHEq7Nn+89BLF0DhnQLFKPoTqpG87NbtJuEHwcvKuPaqsjK epfWQ5HPx/WUNCbCPLkWrG3RJ5aYI/ZdHoWrhEGwPLILXvGO1xMyfgONsq3O89wwqROU95CEal7mqm 0bNbFa+3i1Qr7rHNNb7pXMtjr4H21i9/Uds+CZSMWkqaD/VLq1ahOxnoRHRuP8b4EpjZjUZxJY5XJp gro3IQrX94VDspAGt+cbC94kD5veVUHLyK0K3KyFbpc2vAvsmPP9XzupgcI84gEE0Voobxv4bGcBDU qJ+a7mbzxlbv9e3e2rzF9Twie6YgFoYm5r2iGk1VuNy88PEpTY28MpO474gixLp0ejVmwclt4uriEa PZzfyuo3/VsLdMZ3MrVpZ6/Y/jhjTOD9IPJdoIQq/LAwm+ES2ll6ez08qjfg== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org The "file_open" hook in the LSM is the correct place to add the ima_file_check() callback. 
Rename it to ima_file_open(), and use the newly created helper to construct the permissions mask from the file flags and fmode. For reference, the LSM hooks across an open are: do_filp_open(dfd, filename, open_flags) path_openat(nameidata, open_flags, flags) file = alloc_empty_file(open_flags, current_cred()); do_open(nameidata, file, open_flags) may_open(path, acc_mode, open_flag) inode_permission(inode, MAY_OPEN | acc_mode) ----> security_inode_permission(inode, acc_mode) vfs_open(path, file) do_dentry_open(file, path->dentry->d_inode, open) ----> security_file_open(f) open() The open-coded hook in the VFS and NFS are removed, as they are fully covered by the security_file_open() hook. Cc: Mimi Zohar Cc: Dmitry Kasatkin Cc: Paul Moore Cc: James Morris Cc: "Serge E. Hallyn" Cc: Jonathan McDowell Cc: linux-integrity@vger.kernel.org Cc: linux-security-module@vger.kernel.org Signed-off-by: Kees Cook --- fs/namei.c | 2 -- fs/nfsd/vfs.c | 6 ------ include/linux/ima.h | 6 ------ security/integrity/ima/ima_main.c | 14 +++++++------- 4 files changed, 7 insertions(+), 21 deletions(-) diff --git a/fs/namei.c b/fs/namei.c index 53b4bc094db2..d9bd3887e823 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -3555,8 +3555,6 @@ static int do_open(struct nameidata *nd, error = may_open(mnt_userns, &nd->path, acc_mode, open_flag); if (!error && !(file->f_mode & FMODE_OPENED)) error = vfs_open(&nd->path, file); - if (!error) - error = ima_file_check(file, op->acc_mode); if (!error && do_truncate) error = handle_truncate(mnt_userns, file); if (unlikely(error > 0)) { diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c index 9f486b788ed0..33fe326272df 100644 --- a/fs/nfsd/vfs.c +++ b/fs/nfsd/vfs.c @@ -762,12 +762,6 @@ __nfsd_open(struct svc_rqst *rqstp, struct svc_fh *fhp, umode_t type, goto out_nfserr; } - host_err = ima_file_check(file, may_flags); - if (host_err) { - fput(file); - goto out_nfserr; - } - if (may_flags & NFSD_MAY_64BIT_COOKIE) file->f_mode |= FMODE_64BITHASH; else 
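Review bot: in the fs/namei.c hunk the measurement moves from after vfs_open() has returned to inside security_file_open(), which do_dentry_open() calls before the filesystem's ->open() method; ima_file_check() used to run on a fully opened file, so please confirm that process_measurement() reading the file for hashing (and the appraisal error path) is safe before f_op->open has run, and say so in the commit message. The removed nfsd call in fs/nfsd/vfs.c is covered only if __nfsd_open() reaches do_dentry_open(); the commit message asserts full coverage but does not show the path, so a sentence naming it (dentry_open()) would help reviewers.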
diff --git a/include/linux/ima.h b/include/linux/ima.h index 70180b9bd974..cf1e48a2d97d 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -16,7 +16,6 @@ struct linux_binprm; #ifdef CONFIG_IMA extern enum hash_algo ima_get_current_hash_algo(void); -extern int ima_file_check(struct file *file, int mask); extern void ima_post_create_tmpfile(struct user_namespace *mnt_userns, struct inode *inode); extern void ima_post_path_mknod(struct user_namespace *mnt_userns, @@ -45,11 +44,6 @@ static inline enum hash_algo ima_get_current_hash_algo(void) return HASH_ALGO__LAST; } -static inline int ima_file_check(struct file *file, int mask) -{ - return 0; -} - static inline void ima_post_create_tmpfile(struct user_namespace *mnt_userns, struct inode *inode) { diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index ffebd3236f24..823d660b53ec 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -12,7 +12,7 @@ * * File: ima_main.c * implements the IMA hooks: ima_bprm_check, ima_file_mmap, - * and ima_file_check. + * and ima_file_open. */ #include 
@@ -504,25 +504,24 @@ static int ima_bprm_check(struct linux_binprm *bprm) } /** - * ima_file_check - based on policy, collect/store measurement. + * ima_file_open - based on policy, collect/store measurement. * @file: pointer to the file to be measured - * @mask: contains MAY_READ, MAY_WRITE, MAY_EXEC or MAY_APPEND * * Measure files based on the ima_must_measure() policy decision. * * On success return 0. On integrity appraisal error, assuming the file * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. */ -int ima_file_check(struct file *file, int mask) +static int ima_file_open(struct file *file) { + u32 perms = file_to_perms(file); u32 secid; security_current_getsecid_subj(&secid); + return process_measurement(file, current_cred(), secid, NULL, 0, - mask & (MAY_READ | MAY_WRITE | MAY_EXEC | - MAY_APPEND), FILE_CHECK); + perms, FILE_CHECK); } -EXPORT_SYMBOL_GPL(ima_file_check); static int __ima_inode_hash(struct inode *inode, struct file *file, char *buf, size_t buf_size) 
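Review bot: in the ima_main.c hunk the mask handed to process_measurement() changes from op->acc_mode masked to MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND to file_to_perms(file), which derives it from f_flags and f_mode. acc_mode carried MAY_EXEC for exec-style opens and FILE_CHECK policy rules keyed on mask=MAY_EXEC depend on that bit, so confirm that file_to_perms() maps FMODE_EXEC to MAY_EXEC (and O_APPEND to MAY_APPEND) so existing policies keep matching, and note the mapping in the commit message since the removed @mask kernel-doc line was the only place it was documented.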
@@ -1085,6 +1084,7 @@ static struct security_hook_list ima_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(bprm_check_security, ima_bprm_check), LSM_HOOK_INIT(mmap_file, ima_file_mmap), LSM_HOOK_INIT(file_mprotect, ima_file_mprotect), + LSM_HOOK_INIT(file_open, ima_file_open), LSM_HOOK_INIT(file_free_security, ima_file_free), LSM_HOOK_INIT(kernel_read_file, ima_read_file), LSM_HOOK_INIT(kernel_post_read_file, ima_post_read_file),

From patchwork Thu Oct 13 22:36:53 2022
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 13006517
From: Kees Cook
To: Mimi Zohar
Cc: Kees Cook, Dmitry Kasatkin, Paul Moore, James Morris, "Serge E. Hallyn", linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, Mickaël Salaün, KP Singh, Casey Schaufler, John Johansen, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH 8/9] integrity: Move trivial hooks into LSM
Date: Thu, 13 Oct 2022 15:36:53 -0700
Message-Id: <20221013223654.659758-8-keescook@chromium.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20221013222702.never.990-kees@kernel.org>
References: <20221013222702.never.990-kees@kernel.org>
MIME-Version: 1.0
X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026
Precedence: bulk
X-Mailing-List: linux-integrity@vger.kernel.org

Move the integrity_inode_free and integrity_kernel_module_request hooks into the LSM.

Cc: Mimi Zohar
Cc: Dmitry Kasatkin
Cc: Paul Moore
Cc: James Morris
Cc: "Serge E.
Hallyn" Cc: linux-integrity@vger.kernel.org Cc: linux-security-module@vger.kernel.org Signed-off-by: Kees Cook --- include/linux/integrity.h | 19 ------------------- security/integrity/iint.c | 11 ++++++++++- security/integrity/integrity.h | 1 + security/security.c | 8 +------- 4 files changed, 12 insertions(+), 27 deletions(-) diff --git a/include/linux/integrity.h b/include/linux/integrity.h index 2ea0f2f65ab6..c86bcf6b866b 100644 --- a/include/linux/integrity.h +++ b/include/linux/integrity.h @@ -22,7 +22,6 @@ enum integrity_status { /* List of EVM protected security xattrs */ #ifdef CONFIG_INTEGRITY extern struct integrity_iint_cache *integrity_inode_get(struct inode *inode); -extern void integrity_inode_free(struct inode *inode); extern void __init integrity_load_keys(void); #else @@ -32,27 +31,9 @@ static inline struct integrity_iint_cache * return NULL; } -static inline void integrity_inode_free(struct inode *inode) -{ - return; -} - static inline void integrity_load_keys(void) { } #endif /* CONFIG_INTEGRITY */ -#ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS - -extern int integrity_kernel_module_request(char *kmod_name); - -#else - -static inline int integrity_kernel_module_request(char *kmod_name) -{ - return 0; -} - -#endif /* CONFIG_INTEGRITY_ASYMMETRIC_KEYS */ - #endif /* _LINUX_INTEGRITY_H */ diff --git a/security/integrity/iint.c b/security/integrity/iint.c index 4f322324449d..dea4dbb93a53 100644 --- a/security/integrity/iint.c +++ b/security/integrity/iint.c @@ -142,7 +142,7 @@ struct integrity_iint_cache *integrity_inode_get(struct inode *inode) * * Free the integrity information(iint) associated with an inode. */ -void integrity_inode_free(struct inode *inode) +static void integrity_inode_free(struct inode *inode) { struct integrity_iint_cache *iint; 
@@ -177,12 +177,21 @@ void __init integrity_add_lsm_hooks(struct security_hook_list *hooks, security_add_hooks(hooks, count, "integrity"); } +static struct security_hook_list integrity_hooks[] __lsm_ro_after_init = { + LSM_HOOK_INIT(inode_free_security, integrity_inode_free), +#ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS + LSM_HOOK_INIT(kernel_module_request, integrity_kernel_module_request), +#endif +}; + static int __init integrity_lsm_init(void) { iint_cache = kmem_cache_create("iint_cache", sizeof(struct integrity_iint_cache), 0, SLAB_PANIC, init_once); + integrity_add_lsm_hooks(integrity_hooks, ARRAY_SIZE(integrity_hooks)); + integrity_lsm_ima_init(); integrity_lsm_evm_init(); diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 3707349271c9..93f35b208809 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -237,6 +237,7 @@ static inline int __init integrity_load_cert(const unsigned int id, #endif /* CONFIG_INTEGRITY_SIGNATURE */ #ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS +int integrity_kernel_module_request(char *kmod_name); int asymmetric_verify(struct key *keyring, const char *sig, int siglen, const char *data, int datalen); #else diff --git a/security/security.c b/security/security.c index af42264ad3e2..60c0ed336b23 100644 --- a/security/security.c +++ b/security/security.c @@ -1036,7 +1036,6 @@ static void inode_free_by_rcu(struct rcu_head *head) void security_inode_free(struct inode *inode) { - integrity_inode_free(inode); call_void_hook(inode_free_security, inode); /* * The inode may still be referenced in a path walk and 
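Review bot: in the security/security.c inode_free hunk integrity_inode_free() stops being an unconditional call ahead of the inode_free_security chain and becomes one hook at the integrity LSM's position in that chain (registered through integrity_add_lsm_hooks() in the iint.c hunk). That is only equivalent if the integrity LSM is always active; if it can be left out of the lsm= list, iints allocated by integrity_inode_get() would no longer be freed, so either state in the commit message that the LSM is unconditional or document the new dependency.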
@@ -1723,12 +1722,7 @@ int security_kernel_create_files_as(struct cred *new, struct inode *inode) int security_kernel_module_request(char *kmod_name) { - int ret; - - ret = call_int_hook(kernel_module_request, 0, kmod_name); - if (ret) - return ret; - return integrity_kernel_module_request(kmod_name); + return call_int_hook(kernel_module_request, 0, kmod_name); } int security_kernel_read_file(struct file *file, enum kernel_read_file_id id,

From patchwork Thu Oct 13 22:36:54 2022
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 13006519
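Review bot: in the security_kernel_module_request() hunk the integrity check moves from a fixed second stage, run only after every LSM hook returned 0, into the ordinary call_int_hook() chain, which stops at the first non-zero result. The deny decision is unchanged, but which error code the caller sees now depends on where "integrity" sits in the hook order, and hooks registered after it no longer run once it denies; that deserves a sentence in the commit message, since the subject calls these hooks trivial.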
1uP8vopBMgYMNvwEnNqbcKWN4XM7T4uvLVwTY= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=NfEEfwgV0r1esosEkP9F/ee8FXM+KPxMeG8W8EWcy+c=; b=pRE0XQ7N3tElagNiKvU3sxbL37VBdxvsVcF6CmI+/VZhlXt5VVVA1vRQWRO34xSyYS O1RjcdYix/0Wy/QZvUgcXWXB3nucL4OtjzKBmwMgJ/hM26ZTy7QVWFYsoxy5SFJplKT8 AIC7pWOH262rnUCIauJ3qPVB5t6stITQrlYvoL7Z9n/sPlAqwZH8FMWjVlrvhFk6ERGR 3421q5ZJcnTF+xqy7aTf0oy4Vj/OELpyGWhd9glwf7KRt2qgiT+QYXAEKT7OMuXnsmli c09rnXWQqRPqAxkYq4ejHZpJLkamkHQZgKbtyQYpp4jAT/q4dWblmr51wNqJMApiZfuM PstQ== X-Gm-Message-State: ACrzQf2/LaAOseR8nhxwHauo1UIBmm5qPjj6s6d5DunnygHxE7wiijnj oitAbTJYdMcWdhletczrtPcWUQ== X-Google-Smtp-Source: AMsMyM6ixmF/Cza7ZgkkuryxEzoa1v2tdo5DyCND7oB7+nJU7GcCrnsApxrn3IdkHVa2ykn4dDvzKA== X-Received: by 2002:a65:4508:0:b0:43c:e3c6:d1c2 with SMTP id n8-20020a654508000000b0043ce3c6d1c2mr1821471pgq.582.1665700623894; Thu, 13 Oct 2022 15:37:03 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id 201-20020a6215d2000000b00563933243adsm207496pfv.85.2022.10.13.15.36.59 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 13 Oct 2022 15:37:00 -0700 (PDT) 
From: Kees Cook
To: Mimi Zohar
Cc: Kees Cook, Dmitry Kasatkin, Paul Moore, James Morris, "Serge E. Hallyn", linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, Mickaël Salaün, KP Singh, Casey Schaufler, John Johansen, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH 9/9] integrity: Move integrity_inode_get() out of global header
Date: Thu, 13 Oct 2022 15:36:54 -0700
Message-Id: <20221013223654.659758-9-keescook@chromium.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20221013222702.never.990-kees@kernel.org>
References: <20221013222702.never.990-kees@kernel.org>
MIME-Version: 1.0
X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026
Precedence: bulk
X-Mailing-List: linux-integrity@vger.kernel.org

The function integrity_inode_get() does not need to be shared with the rest of the kernel, so move it into the internal integrity.h header.
Cc: Mimi Zohar Cc: Dmitry Kasatkin Cc: Paul Moore Cc: James Morris Cc: "Serge E. Hallyn" Cc: linux-integrity@vger.kernel.org Cc: linux-security-module@vger.kernel.org Signed-off-by: Kees Cook --- include/linux/integrity.h | 11 +---------- security/integrity/integrity.h | 1 + 2 files changed, 2 insertions(+), 10 deletions(-) diff --git a/include/linux/integrity.h b/include/linux/integrity.h index c86bcf6b866b..4c6fd79b5bf8 100644 --- a/include/linux/integrity.h +++ b/include/linux/integrity.h @@ -21,19 +21,10 @@ enum integrity_status { /* List of EVM protected security xattrs */ #ifdef CONFIG_INTEGRITY -extern struct integrity_iint_cache *integrity_inode_get(struct inode *inode); extern void __init integrity_load_keys(void); - #else -static inline struct integrity_iint_cache * - integrity_inode_get(struct inode *inode) -{ - return NULL; -} - static inline void integrity_load_keys(void) -{ -} +{ } #endif /* CONFIG_INTEGRITY */ #endif /* _LINUX_INTEGRITY_H */ diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 93f35b208809..acd904c12f87 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -178,6 +178,7 @@ struct integrity_iint_cache { * integrity data associated with an inode. */ struct integrity_iint_cache *integrity_iint_find(struct inode *inode); +struct integrity_iint_cache *integrity_inode_get(struct inode *inode); int integrity_kernel_read(struct file *file, loff_t offset, void *addr, unsigned long count);
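Review bot: the `-{ -} +{ }` rewrite of the integrity_load_keys() stub in include/linux/integrity.h is unrelated whitespace churn in a patch whose subject is moving integrity_inode_get(); drop it or call it out in the commit message. The prototype added to security/integrity/integrity.h is not guarded by CONFIG_INTEGRITY, which is fine for a header internal to the integrity code, but the global header previously offered a !CONFIG_INTEGRITY stub returning NULL, so check that nothing outside security/integrity/ still calls integrity_inode_get() before removing that fallback.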