From patchwork Thu Oct 13 22:36:46 2022
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 13006521
From: Kees Cook
To: Mimi Zohar
Cc: Kees Cook, Paul Moore, James Morris, "Serge E. Hallyn", Dmitry Kasatkin, Mickaël Salaün, linux-security-module@vger.kernel.org, linux-integrity@vger.kernel.org, KP Singh, Casey Schaufler, John Johansen, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH 1/9] integrity: Prepare for having "ima" and "evm" available in "integrity" LSM
Date: Thu, 13 Oct 2022 15:36:46 -0700
Message-Id: <20221013223654.659758-1-keescook@chromium.org>
In-Reply-To: <20221013222702.never.990-kees@kernel.org>
References: <20221013222702.never.990-kees@kernel.org>
X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026
X-Mailing-List: linux-hardening@vger.kernel.org

Move "integrity" LSM to the end of the Kconfig list and prepare for having ima and evm LSM initialization called from the top-level "integrity" LSM.
Cc: Paul Moore Cc: James Morris Cc: "Serge E. Hallyn" Cc: Mimi Zohar Cc: Dmitry Kasatkin Cc: "Mickaël Salaün" Cc: linux-security-module@vger.kernel.org Cc: linux-integrity@vger.kernel.org Signed-off-by: Kees Cook --- security/Kconfig | 10 +++++----- security/integrity/evm/evm_main.c | 4 ++++ security/integrity/iint.c | 17 +++++++++++++---- security/integrity/ima/ima_main.c | 4 ++++ security/integrity/integrity.h | 6 ++++++ 5 files changed, 32 insertions(+), 9 deletions(-) diff --git a/security/Kconfig b/security/Kconfig index e6db09a779b7..d472e87a2fc4 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -246,11 +246,11 @@ endchoice config LSM string "Ordered list of enabled LSMs" - default "landlock,lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK - default "landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR - default "landlock,lockdown,yama,loadpin,safesetid,integrity,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO - default "landlock,lockdown,yama,loadpin,safesetid,integrity,bpf" if DEFAULT_SECURITY_DAC - default "landlock,lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf" + default "landlock,lockdown,yama,loadpin,safesetid,smack,selinux,tomoyo,apparmor,bpf,integrity" if DEFAULT_SECURITY_SMACK + default "landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,bpf,integrity" if DEFAULT_SECURITY_APPARMOR + default "landlock,lockdown,yama,loadpin,safesetid,tomoyo,bpf,integrity" if DEFAULT_SECURITY_TOMOYO + default "landlock,lockdown,yama,loadpin,safesetid,bpf,integrity" if DEFAULT_SECURITY_DAC + default "landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,bpf,integrity" help A comma-separated list of LSMs, in initialization order. Any LSMs left off this list will be ignored. This can be 
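Review bot: the new defaults put "integrity" last in every CONFIG_LSM list, but nothing in the hunk enforces that position or its presence. The help text says LSMs left off the list are ignored, and until now leaving "integrity" out only skipped the iint cache setup (the old .init = integrity_iintcache_init); once the IMA and EVM hooks are registered through this LSM (patches 2 and 3), a kernel booted with an existing lsm= string or a custom CONFIG_LSM that omits "integrity", or lists it earlier, silently changes what is measured and appraised, and when. Either state in the help text that "integrity" must be present and last for IMA/EVM to work, or fix its position in code rather than relying on the default string.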
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index 2e6fb6e2ffd2..1ef965089417 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c @@ -904,3 +904,7 @@ static int __init init_evm(void) } late_initcall(init_evm); + +void __init integrity_lsm_evm_init(void) +{ +} diff --git a/security/integrity/iint.c b/security/integrity/iint.c index 8638976f7990..4f322324449d 100644 --- a/security/integrity/iint.c +++ b/security/integrity/iint.c @@ -18,7 +18,6 @@ #include #include #include -#include #include "integrity.h" static struct rb_root integrity_iint_tree = RB_ROOT; @@ -172,19 +171,29 @@ static void init_once(void *foo) mutex_init(&iint->mutex); } -static int __init integrity_iintcache_init(void) +void __init integrity_add_lsm_hooks(struct security_hook_list *hooks, + int count) +{ + security_add_hooks(hooks, count, "integrity"); +} + +static int __init integrity_lsm_init(void) { iint_cache = kmem_cache_create("iint_cache", sizeof(struct integrity_iint_cache), 0, SLAB_PANIC, init_once); + + integrity_lsm_ima_init(); + integrity_lsm_evm_init(); + return 0; } + DEFINE_LSM(integrity) = { .name = "integrity", - .init = integrity_iintcache_init, + .init = integrity_lsm_init, }; - /* * integrity_kernel_read - read data from the file * diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 040b03ddc1c7..e617863af5ff 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -1076,3 +1076,7 @@ static int __init init_ima(void) } late_initcall(init_ima); /* Start IMA after the TPM is available */ + +void __init integrity_lsm_ima_init(void) +{ +} diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 7167a6e99bdc..3707349271c9 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -18,6 +18,7 @@ #include #include #include +#include /* iint action cache flags */ #define IMA_MEASURE 0x00000001 
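Review bot: integrity_lsm_init() in iint.c calls integrity_lsm_ima_init() and integrity_lsm_evm_init() unconditionally, but their definitions are added to ima_main.c and evm_main.c, which are only compiled with CONFIG_IMA and CONFIG_EVM respectively, so CONFIG_INTEGRITY=y with either option disabled no longer links. Guard the prototypes in integrity.h with #ifdef CONFIG_IMA / #ifdef CONFIG_EVM and supply static inline no-op stubs in the #else branches, the same pattern the include/linux/ima.h stubs removed later in the series use today.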
@@ -191,6 +192,11 @@ extern struct dentry *integrity_dir; struct modsig; +void __init integrity_lsm_ima_init(void); +void __init integrity_lsm_evm_init(void); +void __init integrity_add_lsm_hooks(struct security_hook_list *hooks, + int count); + #ifdef CONFIG_INTEGRITY_SIGNATURE int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
From patchwork Thu Oct 13 22:36:47 2022
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 13006524
From: Kees Cook
To: Mimi Zohar
Cc: Kees Cook, Paul Moore, James Morris, "Serge E. Hallyn", Dmitry Kasatkin, Mickaël Salaün, Petr Vorel, Borislav Petkov, Takashi Iwai, Jonathan McDowell, linux-security-module@vger.kernel.org, linux-integrity@vger.kernel.org, KP Singh, Casey Schaufler, John Johansen, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH 2/9] security: Move trivial IMA hooks into LSM
Date: Thu, 13 Oct 2022 15:36:47 -0700
Message-Id: <20221013223654.659758-2-keescook@chromium.org>
In-Reply-To: <20221013222702.never.990-kees@kernel.org>
References: <20221013222702.never.990-kees@kernel.org>
X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026
X-Mailing-List: linux-hardening@vger.kernel.org

This moves the trivial hard-coded stacking of IMA LSM hooks into the existing LSM infrastructure.
Cc: Paul Moore Cc: James Morris Cc: "Serge E. Hallyn" Cc: Mimi Zohar Cc: Dmitry Kasatkin Cc: "Mickaël Salaün" Cc: Petr Vorel Cc: Borislav Petkov Cc: Takashi Iwai Cc: Jonathan McDowell Cc: linux-security-module@vger.kernel.org Cc: linux-integrity@vger.kernel.org Signed-off-by: Kees Cook --- include/linux/ima.h | 50 ----------------------------- security/integrity/ima/ima_main.c | 40 +++++++++++++++++------- security/security.c | 52 ++++++------------------------- 3 files changed, 37 insertions(+), 105 deletions(-) diff --git a/include/linux/ima.h b/include/linux/ima.h index 81708ca0ebc7..3c641cc65270 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -16,20 +16,10 @@ struct linux_binprm; #ifdef CONFIG_IMA extern enum hash_algo ima_get_current_hash_algo(void); -extern int ima_bprm_check(struct linux_binprm *bprm); extern int ima_file_check(struct file *file, int mask); extern void ima_post_create_tmpfile(struct user_namespace *mnt_userns, struct inode *inode); extern void ima_file_free(struct file *file); -extern int ima_file_mmap(struct file *file, unsigned long prot); -extern int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot); -extern int ima_load_data(enum kernel_load_data_id id, bool contents); -extern int ima_post_load_data(char *buf, loff_t size, - enum kernel_load_data_id id, char *description); -extern int ima_read_file(struct file *file, enum kernel_read_file_id id, - bool contents); -extern int ima_post_read_file(struct file *file, void *buf, loff_t size, - enum kernel_read_file_id id); extern void ima_post_path_mknod(struct user_namespace *mnt_userns, struct dentry *dentry); extern int ima_file_hash(struct file *file, char *buf, size_t buf_size); @@ -56,11 +46,6 @@ static inline enum hash_algo ima_get_current_hash_algo(void) return HASH_ALGO__LAST; } -static inline int ima_bprm_check(struct linux_binprm *bprm) -{ - return 0; -} - static inline int ima_file_check(struct file *file, int mask) { return 0; 
@@ -76,41 +61,6 @@ static inline void ima_file_free(struct file *file) return; } -static inline int ima_file_mmap(struct file *file, unsigned long prot) -{ - return 0; -} - -static inline int ima_file_mprotect(struct vm_area_struct *vma, - unsigned long prot) -{ - return 0; -} - -static inline int ima_load_data(enum kernel_load_data_id id, bool contents) -{ - return 0; -} - -static inline int ima_post_load_data(char *buf, loff_t size, - enum kernel_load_data_id id, - char *description) -{ - return 0; -} - -static inline int ima_read_file(struct file *file, enum kernel_read_file_id id, - bool contents) -{ - return 0; -} - -static inline int ima_post_read_file(struct file *file, void *buf, loff_t size, - enum kernel_read_file_id id) -{ - return 0; -} - static inline void ima_post_path_mknod(struct user_namespace *mnt_userns, struct dentry *dentry) { diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index e617863af5ff..2cff001b02e4 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -395,6 +395,7 @@ static int process_measurement(struct file *file, const struct cred *cred, /** * ima_file_mmap - based on policy, collect/store measurement. * @file: pointer to the file to be measured (May be NULL) + * @reqprot: contains the protection that will be applied by the kernel. * @prot: contains the protection that will be applied by the kernel. * * Measure files being mmapped executable based on the ima_must_measure() 
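Review bot: the @reqprot line added to the ima_file_mmap() kerneldoc duplicates the @prot text ("contains the protection that will be applied by the kernel"), so the two parameters are documented as the same thing even though the function is changed to treat them differently; describe @reqprot as the protection the caller asked for, keep @prot for the value the kernel applies, and add a line for the new @flags parameter, which the comment does not mention at all.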
@@ -403,11 +404,12 @@ static int process_measurement(struct file *file, const struct cred *cred, * On success return 0. On integrity appraisal error, assuming the file * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. */ -int ima_file_mmap(struct file *file, unsigned long prot) +static int ima_file_mmap(struct file *file, unsigned long reqprot, + unsigned long prot, unsigned long flags) { u32 secid; - if (file && (prot & PROT_EXEC)) { + if (file && (reqprot & PROT_EXEC)) { security_current_getsecid_subj(&secid); return process_measurement(file, current_cred(), secid, NULL, 0, MAY_EXEC, MMAP_CHECK); @@ -419,6 +421,7 @@ int ima_file_mmap(struct file *file, unsigned long prot) /** * ima_file_mprotect - based on policy, limit mprotect change * @vma: vm_area_struct protection is set to + * @reqprot: contains the protection that were requested. * @prot: contains the protection that will be applied by the kernel. * * Files can be mmap'ed read/write and later changed to execute to circumvent @@ -429,7 +432,8 @@ int ima_file_mmap(struct file *file, unsigned long prot) * * On mprotect change success, return 0. On failure, return -EACESS. */ -int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot) +static int ima_file_mprotect(struct vm_area_struct *vma, + unsigned long reqprot, unsigned long prot) { struct ima_template_desc *template = NULL; struct file *file; @@ -483,7 +487,7 @@ int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot) * On success return 0. On integrity appraisal error, assuming the file * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. */ -int ima_bprm_check(struct linux_binprm *bprm) +static int ima_bprm_check(struct linux_binprm *bprm) { int ret; u32 secid; 
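Review bot: ima_file_mmap() now tests reqprot for PROT_EXEC where the old code tested the single prot it was handed. The security.c hunk in this patch shows the hook receives the caller's prot as reqprot and mmap_prot(file, prot) as prot, so testing reqprot preserves the previous behaviour; but per the existing kerneldoc, prot is the protection the kernel actually applies, so a mapping that gains PROT_EXEC only through that adjustment is not measured here. Whichever of the two is intended, state the choice and its consequence in the commit message. Minor: the new @reqprot line in the ima_file_mprotect() comment reads "the protection that were requested"; "was requested".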
@@ -706,8 +710,8 @@ void ima_post_path_mknod(struct user_namespace *mnt_userns, * * For permission return 0, otherwise return -EACCES. */ -int ima_read_file(struct file *file, enum kernel_read_file_id read_id, - bool contents) +static int ima_read_file(struct file *file, enum kernel_read_file_id read_id, + bool contents) { enum ima_hooks func; u32 secid; @@ -756,8 +760,8 @@ const int read_idmap[READING_MAX_ID] = { * On success return 0. On integrity appraisal error, assuming the file * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. */ -int ima_post_read_file(struct file *file, void *buf, loff_t size, - enum kernel_read_file_id read_id) +static int ima_post_read_file(struct file *file, char *buf, loff_t size, + enum kernel_read_file_id read_id) { enum ima_hooks func; u32 secid; @@ -790,7 +794,7 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size, * * For permission return 0, otherwise return -EACCES. */ -int ima_load_data(enum kernel_load_data_id id, bool contents) +static int ima_load_data(enum kernel_load_data_id id, bool contents) { bool ima_enforce, sig_enforce; @@ -844,9 +848,9 @@ int ima_load_data(enum kernel_load_data_id id, bool contents) * On success return 0. On integrity appraisal error, assuming the file * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. */ -int ima_post_load_data(char *buf, loff_t size, - enum kernel_load_data_id load_id, - char *description) +static int ima_post_load_data(char *buf, loff_t size, + enum kernel_load_data_id load_id, + char *description) { if (load_id == LOADING_FIRMWARE) { if ((ima_appraise & IMA_APPRAISE_FIRMWARE) && 
@@ -1077,6 +1081,18 @@ static int __init init_ima(void) late_initcall(init_ima); /* Start IMA after the TPM is available */ +static struct security_hook_list ima_hooks[] __lsm_ro_after_init = { + LSM_HOOK_INIT(bprm_check_security, ima_bprm_check), + LSM_HOOK_INIT(mmap_file, ima_file_mmap), + LSM_HOOK_INIT(file_mprotect, ima_file_mprotect), + LSM_HOOK_INIT(kernel_read_file, ima_read_file), + LSM_HOOK_INIT(kernel_post_read_file, ima_post_read_file), + LSM_HOOK_INIT(kernel_load_data, ima_load_data), + LSM_HOOK_INIT(kernel_post_load_data, ima_post_load_data), +}; + void __init integrity_lsm_ima_init(void) { + pr_info("Integrity LSM enabling IMA\n"); + integrity_add_lsm_hooks(ima_hooks, ARRAY_SIZE(ima_hooks)); } diff --git a/security/security.c b/security/security.c index 14d30fec8a00..8f7c1b5fa5fa 100644 --- a/security/security.c +++ b/security/security.c @@ -862,12 +862,7 @@ int security_bprm_creds_from_file(struct linux_binprm *bprm, struct file *file) int security_bprm_check(struct linux_binprm *bprm) { - int ret; - - ret = call_int_hook(bprm_check_security, 0, bprm); - if (ret) - return ret; - return ima_bprm_check(bprm); + return call_int_hook(bprm_check_security, 0, bprm); } void security_bprm_committing_creds(struct linux_binprm *bprm) @@ -1589,12 +1584,8 @@ static inline unsigned long mmap_prot(struct file *file, unsigned long prot) int security_mmap_file(struct file *file, unsigned long prot, unsigned long flags) { - int ret; - ret = call_int_hook(mmap_file, 0, file, prot, - mmap_prot(file, prot), flags); - if (ret) - return ret; - return ima_file_mmap(file, prot); + return call_int_hook(mmap_file, 0, file, prot, + mmap_prot(file, prot), flags); } int security_mmap_addr(unsigned long addr) 
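Review bot: removing the hard-coded ima_bprm_check() and ima_file_mmap() calls means IMA is now invoked only when the "integrity" LSM was initialised, i.e. when it is present in the active lsm= list, whereas before this hunk the calls ran regardless of LSM selection. That is the desired end state, but it is a user-visible behaviour change that the commit message ("trivial hard-coded stacking") does not mention; please say so, and note that the old ordering (IMA after every other LSM) is preserved only while "integrity" is last in the list, since call_int_hook() returns at the first non-zero result. The pr_info("Integrity LSM enabling IMA") in the ima_main.c hunk is a useful boot-log breadcrumb for spotting a kernel where that did not happen.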
@@ -1605,12 +1596,7 @@ int security_mmap_addr(unsigned long addr) int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, unsigned long prot) { - int ret; - - ret = call_int_hook(file_mprotect, 0, vma, reqprot, prot); - if (ret) - return ret; - return ima_file_mprotect(vma, prot); + return call_int_hook(file_mprotect, 0, vma, reqprot, prot); } int security_file_lock(struct file *file, unsigned int cmd) @@ -1746,35 +1732,20 @@ int security_kernel_module_request(char *kmod_name) int security_kernel_read_file(struct file *file, enum kernel_read_file_id id, bool contents) { - int ret; - - ret = call_int_hook(kernel_read_file, 0, file, id, contents); - if (ret) - return ret; - return ima_read_file(file, id, contents); + return call_int_hook(kernel_read_file, 0, file, id, contents); } EXPORT_SYMBOL_GPL(security_kernel_read_file); int security_kernel_post_read_file(struct file *file, char *buf, loff_t size, enum kernel_read_file_id id) { - int ret; - - ret = call_int_hook(kernel_post_read_file, 0, file, buf, size, id); - if (ret) - return ret; - return ima_post_read_file(file, buf, size, id); + return call_int_hook(kernel_post_read_file, 0, file, buf, size, id); } EXPORT_SYMBOL_GPL(security_kernel_post_read_file); int security_kernel_load_data(enum kernel_load_data_id id, bool contents) { - int ret; - - ret = call_int_hook(kernel_load_data, 0, id, contents); - if (ret) - return ret; - return ima_load_data(id, contents); + return call_int_hook(kernel_load_data, 0, id, contents); } EXPORT_SYMBOL_GPL(security_kernel_load_data); 
@@ -1782,13 +1753,8 @@ int security_kernel_post_load_data(char *buf, loff_t size, enum kernel_load_data_id id, char *description) { - int ret; - - ret = call_int_hook(kernel_post_load_data, 0, buf, size, id, - description); - if (ret) - return ret; - return ima_post_load_data(buf, size, id, description); + return call_int_hook(kernel_post_load_data, 0, buf, size, id, + description); } EXPORT_SYMBOL_GPL(security_kernel_post_load_data);
From patchwork Thu Oct 13 22:36:48 2022
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 13006522
From: Kees Cook
To: Mimi Zohar
Cc: Kees Cook, Dmitry Kasatkin, Paul Moore, James Morris, "Serge E. Hallyn", Borislav Petkov, Jonathan McDowell, Takashi Iwai, Petr Vorel, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, Mickaël Salaün, KP Singh, Casey Schaufler, John Johansen, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH 3/9] ima: Move xattr hooks into LSM
Date: Thu, 13 Oct 2022 15:36:48 -0700
Message-Id: <20221013223654.659758-3-keescook@chromium.org>
In-Reply-To: <20221013222702.never.990-kees@kernel.org>
References: <20221013222702.never.990-kees@kernel.org>
X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026
X-Mailing-List: linux-hardening@vger.kernel.org

Move the xattr IMA hooks into the normal LSM layer. As with SELinux and Smack, handle calling cap_inode_setxattr() internally.
Cc: Mimi Zohar Cc: Dmitry Kasatkin Cc: Paul Moore Cc: James Morris Cc: "Serge E. Hallyn" Cc: Borislav Petkov Cc: Jonathan McDowell Cc: Takashi Iwai Cc: Petr Vorel Cc: linux-integrity@vger.kernel.org Cc: linux-security-module@vger.kernel.org Signed-off-by: Kees Cook --- include/linux/ima.h | 16 ---------------- security/integrity/ima/ima.h | 10 ++++++++++ security/integrity/ima/ima_appraise.c | 19 ++++++++++++++++--- security/integrity/ima/ima_main.c | 4 ++++ security/security.c | 10 ++-------- 5 files changed, 32 insertions(+), 27 deletions(-) diff --git a/include/linux/ima.h b/include/linux/ima.h index 3c641cc65270..6dc5143f89f2 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -135,9 +135,6 @@ static inline void ima_post_key_create_or_update(struct key *keyring, extern bool is_ima_appraise_enabled(void); extern void ima_inode_post_setattr(struct user_namespace *mnt_userns, struct dentry *dentry); -extern int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name, - const void *xattr_value, size_t xattr_value_len); -extern int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name); #else static inline bool is_ima_appraise_enabled(void) { @@ -150,19 +147,6 @@ static inline void ima_inode_post_setattr(struct user_namespace *mnt_userns, return; } -static inline int ima_inode_setxattr(struct dentry *dentry, - const char *xattr_name, - const void *xattr_value, - size_t xattr_value_len) -{ - return 0; -} - -static inline int ima_inode_removexattr(struct dentry *dentry, - const char *xattr_name) -{ - return 0; -} #endif /* CONFIG_IMA_APPRAISE */ #if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING) diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index be965a8715e4..15a369df4c00 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h 
@@ -168,6 +168,16 @@ int __init ima_init_digests(void); int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event, void *lsm_data); +/* LSM hooks */ +#ifdef CONFIG_IMA_APPRAISE +int ima_inode_setxattr(struct user_namespace *mnt_userns, + struct dentry *dentry, const char *xattr_name, + const void *xattr_value, size_t xattr_value_len, + int flags); +int ima_inode_removexattr(struct user_namespace *mnt_userns, + struct dentry *dentry, const char *xattr_name); +#endif + /* * used to protect h_table and sha_table */ diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index bde74fcecee3..ddd9df6b7dac 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -744,8 +744,10 @@ static int validate_hash_algo(struct dentry *dentry, return -EACCES; } -int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name, - const void *xattr_value, size_t xattr_value_len) +int ima_inode_setxattr(struct user_namespace *mnt_userns, + struct dentry *dentry, const char *xattr_name, + const void *xattr_value, size_t xattr_value_len, + int flags) { const struct evm_ima_xattr_data *xvalue = xattr_value; int digsig = 0; @@ -754,6 +756,11 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name, result = ima_protect_xattr(dentry, xattr_name, xattr_value, xattr_value_len); if (result == 1) { + result = cap_inode_setxattr(dentry, xattr_name, xattr_value, + xattr_value_len, flags); + if (result) + return result; + if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST)) return -EINVAL; digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG); 
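Review bot: cap_inode_setxattr() is reached only when ima_protect_xattr() returned 1; for every other xattr the function falls through and returns result, which is 0. Called as an inode_setxattr hook, that 0 is handed back to security_inode_setxattr(), whose call_int_hook(inode_setxattr, 1, ...) stops at the first non-zero value and otherwise yields the last hook's result, so on a kernel where no earlier LSM supplies this hook the `if (ret == 1) ret = cap_inode_setxattr(...)` fallback is never taken and security.* xattrs outside IMA's own, security.capability included, lose their capability check. Do what SELinux and Smack do and call cap_inode_setxattr() unconditionally at the top of the hook (a second call after another LSM already made it is harmless), or return 1 for xattrs IMA does not handle.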
@@ -770,11 +777,17 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name, return result; } -int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name) +int ima_inode_removexattr(struct user_namespace *mnt_userns, + struct dentry *dentry, const char *xattr_name) { int result; result = ima_protect_xattr(dentry, xattr_name, NULL, 0); + if (result == 1) { + result = cap_inode_removexattr(mnt_userns, dentry, xattr_name); + if (result) + return result; + } if (result == 1 || evm_revalidate_status(xattr_name)) { ima_reset_appraise_flags(d_backing_inode(dentry), 0); if (result == 1) diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 2cff001b02e4..b3b79d030a67 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -1089,6 +1089,10 @@ static struct security_hook_list ima_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(kernel_post_read_file, ima_post_read_file), LSM_HOOK_INIT(kernel_load_data, ima_load_data), LSM_HOOK_INIT(kernel_post_load_data, ima_post_load_data), +#ifdef CONFIG_IMA_APPRAISE + LSM_HOOK_INIT(inode_setxattr, ima_inode_setxattr), + LSM_HOOK_INIT(inode_removexattr, ima_inode_removexattr), +#endif }; void __init integrity_lsm_ima_init(void) diff --git a/security/security.c b/security/security.c index 8f7c1b5fa5fa..ca731132a0e9 100644 --- a/security/security.c +++ b/security/security.c @@ -1349,7 +1349,7 @@ int security_inode_setxattr(struct user_namespace *mnt_userns, if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) return 0; /* - * SELinux and Smack integrate the cap call, + * SELinux, Smack, and IMA integrate the cap call, * so assume that all LSMs supplying this call do so. */ ret = call_int_hook(inode_setxattr, 1, mnt_userns, dentry, name, value, 
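Review bot: the ima_inode_removexattr() hunk has the same gap as the setxattr one: `cap_inode_removexattr(mnt_userns, dentry, xattr_name)` is only reached inside `if (result == 1)`, so for any name other than security.ima the hook returns 0, the chain in security_inode_removexattr() ends with 0 instead of 1, and the generic cap_inode_removexattr() fallback is never taken when IMA is the only provider. Move the cap call ahead of the `result == 1` test, or keep the `if (ret == 1) ret = cap_inode_removexattr(...)` fallback in security.c until every provider is known to integrate it.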
@@ -1357,9 +1357,6 @@ int security_inode_setxattr(struct user_namespace *mnt_userns, if (ret == 1) ret = cap_inode_setxattr(dentry, name, value, size, flags); - if (ret) - return ret; - ret = ima_inode_setxattr(dentry, name, value, size); if (ret) return ret; return evm_inode_setxattr(mnt_userns, dentry, name, value, size); 
@@ -1396,15 +1393,12 @@ int security_inode_removexattr(struct user_namespace *mnt_userns, if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) return 0; /* - * SELinux and Smack integrate the cap call, + * SELinux, Smack, and IMA integrate the cap call, * so assume that all LSMs supplying this call do so. */ ret = call_int_hook(inode_removexattr, 1, mnt_userns, dentry, name); if (ret == 1) ret = cap_inode_removexattr(mnt_userns, dentry, name); - if (ret) - return ret; - ret = ima_inode_removexattr(dentry, name); if (ret) return ret; return evm_inode_removexattr(mnt_userns, dentry, name); From patchwork Thu Oct 13 22:36:49 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 13006526 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 80B02C433FE for ; Thu, 13 Oct 2022 22:37:15 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229773AbiJMWhM (ORCPT ); Thu, 13 Oct 2022 18:37:12 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43624 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229775AbiJMWhG (ORCPT ); Thu, 13 Oct 2022 18:37:06 -0400 Received: from mail-pg1-x52d.google.com (mail-pg1-x52d.google.com [IPv6:2607:f8b0:4864:20::52d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 052E2BC630 for ; Thu, 13 Oct 2022 15:37:00 -0700 (PDT) Received: by mail-pg1-x52d.google.com with SMTP id h185so2750546pgc.10 for ; Thu, 13 Oct 2022 15:37:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; 
From: Kees Cook
To: Mimi Zohar
Cc: Kees Cook, Dmitry Kasatkin, Paul Moore, James Morris, "Serge E. Hallyn", Petr Vorel, Jonathan McDowell, Borislav Petkov, Takashi Iwai, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, Mickaël Salaün, KP Singh, Casey Schaufler, John Johansen, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH 4/9] ima: Move ima_file_free() into LSM
Date: Thu, 13 Oct 2022 15:36:49 -0700
Message-Id: <20221013223654.659758-4-keescook@chromium.org>
In-Reply-To: <20221013222702.never.990-kees@kernel.org>
References: <20221013222702.never.990-kees@kernel.org>

The file_free_security hook already exists for managing notification of released files. Use the LSM hook instead of open-coded stacking.
Cc: Mimi Zohar Cc: Dmitry Kasatkin Cc: Paul Moore Cc: James Morris Cc: "Serge E. Hallyn" Cc: Petr Vorel Cc: Jonathan McDowell Cc: Borislav Petkov Cc: Takashi Iwai Cc: linux-integrity@vger.kernel.org Cc: linux-security-module@vger.kernel.org Signed-off-by: Kees Cook --- fs/file_table.c | 1 - include/linux/ima.h | 6 ------ security/integrity/ima/ima_main.c | 3 ++- 3 files changed, 2 insertions(+), 8 deletions(-) diff --git a/fs/file_table.c b/fs/file_table.c index 99c6796c9f28..fa707d221a43 100644 --- a/fs/file_table.c +++ b/fs/file_table.c @@ -311,7 +311,6 @@ static void __fput(struct file *file) eventpoll_release(file); locks_remove_file(file); - ima_file_free(file); if (unlikely(file->f_flags & FASYNC)) { if (file->f_op->fasync) file->f_op->fasync(-1, file, 0); diff --git a/include/linux/ima.h b/include/linux/ima.h index 6dc5143f89f2..9f18df366064 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -19,7 +19,6 @@ extern enum hash_algo ima_get_current_hash_algo(void); extern int ima_file_check(struct file *file, int mask); extern void ima_post_create_tmpfile(struct user_namespace *mnt_userns, struct inode *inode); -extern void ima_file_free(struct file *file); extern void ima_post_path_mknod(struct user_namespace *mnt_userns, struct dentry *dentry); extern int ima_file_hash(struct file *file, char *buf, size_t buf_size); @@ -56,11 +55,6 @@ static inline void ima_post_create_tmpfile(struct user_namespace *mnt_userns, { } -static inline void ima_file_free(struct file *file) -{ - return; -} - static inline void ima_post_path_mknod(struct user_namespace *mnt_userns, struct dentry *dentry) { diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index b3b79d030a67..94379ba40b58 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c 
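Review bot: the __fput() hunk removes ima_file_free() from the point right after locks_remove_file(), while the file_free_security hook it moves to is invoked from file_free(), which __fput() only reaches at its very end, after f_op->release(), dput() and mntput(), and which it also reaches for files that never got FMODE_OPENED. ima_file_free() begins with `file_inode(file)` and walks that inode's iint, so at the new call point the inode is no longer pinned by the file's dentry and f_inode may be NULL. The commit message should justify why the later call point is safe, or the series should add a hook that fires where the removed call sat (a post-release hook taken before f_op->release()) instead of reusing file_free_security.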
@@ -183,7 +183,7 @@ static void ima_check_last_writer(struct integrity_iint_cache *iint, * * Flag files that changed, based on i_version */ -void ima_file_free(struct file *file) +static void ima_file_free(struct file *file) { struct inode *inode = file_inode(file); struct integrity_iint_cache *iint; 
@@ -1085,6 +1085,7 @@ static struct security_hook_list ima_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(bprm_check_security, ima_bprm_check), LSM_HOOK_INIT(mmap_file, ima_file_mmap), LSM_HOOK_INIT(file_mprotect, ima_file_mprotect), + LSM_HOOK_INIT(file_free_security, ima_file_free), LSM_HOOK_INIT(kernel_read_file, ima_read_file), LSM_HOOK_INIT(kernel_post_read_file, ima_post_read_file), LSM_HOOK_INIT(kernel_load_data, ima_load_data), From patchwork Thu Oct 13 22:36:50 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 13006525 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 549F1C4332F for ; Thu, 13 Oct 2022 22:37:13 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229806AbiJMWhK (ORCPT ); Thu, 13 Oct 2022 18:37:10 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43606 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229771AbiJMWhF (ORCPT ); Thu, 13 Oct 2022 18:37:05 -0400 Received: from mail-pj1-x1033.google.com (mail-pj1-x1033.google.com [IPv6:2607:f8b0:4864:20::1033]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 55BFB152021 for ; Thu, 13 Oct 2022 15:37:02 -0700 (PDT) Received: by mail-pj1-x1033.google.com with SMTP id o9-20020a17090a0a0900b0020ad4e758b3so3136629pjo.4 for ; Thu, 13 Oct 2022 15:37:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=YsVURujdxv2TmCZAOzBG5PyJ5Db0orOcMu9GXfW9Fck=; b=Q6uQT6cZ6HlnR383h6WH/uQ3S8aFq0qFNpnMDAPTNxVKhhUPExQlulnkpOZFEcG4DO 
From: Kees Cook
To: Mimi Zohar
Cc: Kees Cook, Dmitry Kasatkin, Paul Moore, James Morris, "Serge E. Hallyn", Takashi Iwai, Jonathan McDowell, Casey Schaufler, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, Mickaël Salaün, KP Singh, John Johansen, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH 5/9] LSM: Introduce inode_post_setattr hook
Date: Thu, 13 Oct 2022 15:36:50 -0700
Message-Id: <20221013223654.659758-5-keescook@chromium.org>
In-Reply-To: <20221013222702.never.990-kees@kernel.org>
References: <20221013222702.never.990-kees@kernel.org>

IMA and EVM need to hook after setattr finishes. Introduce this hook and move IMA and EVM's open-coded stacking to use it.
Cc: Mimi Zohar Cc: Dmitry Kasatkin Cc: Paul Moore Cc: James Morris Cc: "Serge E. Hallyn" Cc: Takashi Iwai Cc: Jonathan McDowell Cc: Casey Schaufler Cc: linux-integrity@vger.kernel.org Cc: linux-security-module@vger.kernel.org Signed-off-by: Kees Cook --- fs/attr.c | 3 +-- include/linux/evm.h | 6 ------ include/linux/ima.h | 9 --------- include/linux/lsm_hook_defs.h | 3 +++ security/integrity/evm/evm_main.c | 10 +++++++++- security/integrity/ima/ima.h | 2 ++ security/integrity/ima/ima_appraise.c | 2 +- security/integrity/ima/ima_main.c | 1 + security/security.c | 8 ++++++++ 9 files changed, 25 insertions(+), 19 deletions(-) diff --git a/fs/attr.c b/fs/attr.c index 1552a5f23d6b..e5731057426b 100644 --- a/fs/attr.c +++ b/fs/attr.c @@ -423,8 +423,7 @@ int notify_change(struct user_namespace *mnt_userns, struct dentry *dentry, if (!error) { fsnotify_change(dentry, ia_valid); - ima_inode_post_setattr(mnt_userns, dentry); - evm_inode_post_setattr(dentry, ia_valid); + security_inode_post_setattr(mnt_userns, dentry, ia_valid); } return error; diff --git a/include/linux/evm.h b/include/linux/evm.h index aa63e0b3c0a2..53f402bfb9f1 100644 --- a/include/linux/evm.h +++ b/include/linux/evm.h @@ -23,7 +23,6 @@ extern enum integrity_status evm_verifyxattr(struct dentry *dentry, struct integrity_iint_cache *iint); extern int evm_inode_setattr(struct user_namespace *mnt_userns, struct dentry *dentry, struct iattr *attr); -extern void evm_inode_post_setattr(struct dentry *dentry, int ia_valid); extern int evm_inode_setxattr(struct user_namespace *mnt_userns, struct dentry *dentry, const char *name, const void *value, size_t size); @@ -75,11 +74,6 @@ static inline int evm_inode_setattr(struct user_namespace *mnt_userns, return 0; } -static inline void evm_inode_post_setattr(struct dentry *dentry, int ia_valid) -{ - return; -} - static inline int evm_inode_setxattr(struct user_namespace *mnt_userns, struct dentry *dentry, const char *name, const void *value, size_t size) 
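Review bot: the fs/attr.c hunk makes notify_change() call security_inode_post_setattr(), but the diffstat lists no change to include/linux/security.h, so there is neither a prototype for CONFIG_SECURITY=y nor an empty inline stub for CONFIG_SECURITY=n; the latter will not link and the former warns about an implicit declaration. Add the declaration next to security_inode_setattr() and a `static inline void security_inode_post_setattr(...) {}` stub in the !CONFIG_SECURITY block, and describe the hook in the lsm_hooks.h comment block alongside the new LSM_HOOK line. A second point on the same hunk: the removed sequence ran ima_inode_post_setattr() before evm_inode_post_setattr(), whereas with both registered on one hook the order is whatever order integrity_lsm_ima_init() and integrity_lsm_evm_init() call integrity_add_lsm_hooks() in; if IMA-before-EVM is still required, state that in the commit message and pin it with a comment at the registration site.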
diff --git a/include/linux/ima.h b/include/linux/ima.h index 9f18df366064..70180b9bd974 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -127,20 +127,11 @@ static inline void ima_post_key_create_or_update(struct key *keyring, #ifdef CONFIG_IMA_APPRAISE extern bool is_ima_appraise_enabled(void); -extern void ima_inode_post_setattr(struct user_namespace *mnt_userns, - struct dentry *dentry); #else static inline bool is_ima_appraise_enabled(void) { return 0; } - -static inline void ima_inode_post_setattr(struct user_namespace *mnt_userns, - struct dentry *dentry) -{ - return; -} - #endif /* CONFIG_IMA_APPRAISE */ #if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING) diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index 806448173033..0b01473eee8a 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -135,6 +135,9 @@ LSM_HOOK(int, 0, inode_follow_link, struct dentry *dentry, struct inode *inode, bool rcu) LSM_HOOK(int, 0, inode_permission, struct inode *inode, int mask) LSM_HOOK(int, 0, inode_setattr, struct dentry *dentry, struct iattr *attr) +LSM_HOOK(void, LSM_RET_VOID, inode_post_setattr, + struct user_namespace *mnt_userns, struct dentry *dentry, + unsigned int ia_valid) LSM_HOOK(int, 0, inode_getattr, const struct path *path) LSM_HOOK(int, 0, inode_setxattr, struct user_namespace *mnt_userns, struct dentry *dentry, const char *name, const void *value, diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index 1ef965089417..aca689dc0576 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c 
@@ -817,7 +817,9 @@ int evm_inode_setattr(struct user_namespace *mnt_userns, struct dentry *dentry, * This function is called from notify_change(), which expects the caller * to lock the inode's i_mutex. */ -void evm_inode_post_setattr(struct dentry *dentry, int ia_valid) +static void evm_inode_post_setattr(struct user_namespace *mnt_userns, + struct dentry *dentry, + unsigned int ia_valid) { if (!evm_revalidate_status(NULL)) return; @@ -905,6 +907,12 @@ static int __init init_evm(void) late_initcall(init_evm); +static struct security_hook_list evm_hooks[] __lsm_ro_after_init = { + LSM_HOOK_INIT(inode_post_setattr, evm_inode_post_setattr), +}; + void __init integrity_lsm_evm_init(void) { + pr_info("Integrity LSM enabling EVM\n"); + integrity_add_lsm_hooks(evm_hooks, ARRAY_SIZE(evm_hooks)); } diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 15a369df4c00..5c95ea6e6c94 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -176,6 +176,8 @@ int ima_inode_setxattr(struct user_namespace *mnt_userns, int flags); int ima_inode_removexattr(struct user_namespace *mnt_userns, struct dentry *dentry, const char *xattr_name); +void ima_inode_post_setattr(struct user_namespace *mnt_userns, + struct dentry *dentry, unsigned int ia_valid); #endif /* diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index ddd9df6b7dac..ccd54b50fe48 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -631,7 +631,7 @@ void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file) * to lock the inode's i_mutex. */ void ima_inode_post_setattr(struct user_namespace *mnt_userns, - struct dentry *dentry) + struct dentry *dentry, unsigned int ia_valid) { struct inode *inode = d_backing_inode(dentry); struct integrity_iint_cache *iint; diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 94379ba40b58..ffebd3236f24 100644 
--- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -1093,6 +1093,7 @@ static struct security_hook_list ima_hooks[] __lsm_ro_after_init = { #ifdef CONFIG_IMA_APPRAISE LSM_HOOK_INIT(inode_setxattr, ima_inode_setxattr), LSM_HOOK_INIT(inode_removexattr, ima_inode_removexattr), + LSM_HOOK_INIT(inode_post_setattr, ima_inode_post_setattr), #endif }; diff --git a/security/security.c b/security/security.c index ca731132a0e9..af42264ad3e2 100644 --- a/security/security.c +++ b/security/security.c 
@@ -1333,6 +1333,14 @@ int security_inode_setattr(struct user_namespace *mnt_userns, } EXPORT_SYMBOL_GPL(security_inode_setattr); +void security_inode_post_setattr(struct user_namespace *mnt_userns, + struct dentry *dentry, unsigned int ia_valid) +{ + if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) + return; + call_void_hook(inode_post_setattr, mnt_userns, dentry, ia_valid); +} + int security_inode_getattr(const struct path *path) { if (unlikely(IS_PRIVATE(d_backing_inode(path->dentry)))) From patchwork Thu Oct 13 22:36:51 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 13006530 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 384E7C43219 for ; Thu, 13 Oct 2022 22:37:21 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229845AbiJMWhS (ORCPT ); Thu, 13 Oct 2022 18:37:18 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43662 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229792AbiJMWhH (ORCPT ); Thu, 13 Oct 2022 18:37:07 -0400 Received: from mail-pg1-x535.google.com (mail-pg1-x535.google.com [IPv6:2607:f8b0:4864:20::535]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7B9A915203B for ; Thu, 13 Oct 2022 15:37:02 -0700 (PDT) Received: by mail-pg1-x535.google.com with SMTP id q1so2745463pgl.11 for ; Thu, 13 Oct 2022 15:37:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=i0+hkpiHQzJ8+JNug0yAZuhS5yrr5xFtDUDfT1r5L18=; b=QYx587gsPoZ2Rt2D31lwneKBIE0nlruGRbmbSxEd/wU1/e+ZARKYeK3iBavfszJMpM 
From: Kees Cook
To: Mimi Zohar
Cc: Kees Cook, John Johansen, Paul Moore, James Morris, "Serge E. Hallyn", linux-security-module@vger.kernel.org, Mickaël Salaün, KP Singh, Casey Schaufler, linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH 6/9] fs: Introduce file_to_perms() helper
Date: Thu, 13 Oct 2022 15:36:51 -0700
Message-Id: <20221013223654.659758-6-keescook@chromium.org>
In-Reply-To: <20221013222702.never.990-kees@kernel.org>
References: <20221013222702.never.990-kees@kernel.org>

Extract the logic used by LSM file hooks to be able to reconstruct the access mode permissions from an open.

Cc: John Johansen
Cc: Paul Moore
Cc: James Morris
Cc: "Serge E. Hallyn"
Cc: linux-security-module@vger.kernel.org
Signed-off-by: Kees Cook --- include/linux/fs.h | 22 ++++++++++++++++++++++ security/apparmor/include/file.h | 18 ++++-------------- 2 files changed, 26 insertions(+), 14 deletions(-) diff --git a/include/linux/fs.h b/include/linux/fs.h index 9eced4cc286e..814f10d4132e 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -993,6 +993,28 @@ static inline struct file *get_file(struct file *f) #define get_file_rcu(x) atomic_long_inc_not_zero(&(x)->f_count) #define file_count(x) atomic_long_read(&(x)->f_count) +/* Calculate the basic MAY_* flags needed for a given file. */ +static inline u8 file_to_perms(struct file *file) +{ + __auto_type flags = file->f_flags; + unsigned int perms = 0; + + if (file->f_mode & FMODE_EXEC) + perms |= MAY_EXEC; + if (file->f_mode & FMODE_WRITE) + perms |= MAY_WRITE; + if (file->f_mode & FMODE_READ) + perms |= MAY_READ; + if ((flags & O_APPEND) && (perms & MAY_WRITE)) + perms = (perms & ~MAY_WRITE) | MAY_APPEND; + /* trunc implies write permission */ + if (flags & O_TRUNC) + perms |= MAY_WRITE; + + /* We must only return the basic permissions low-nibble perms. */ + return (perms | (MAY_EXEC | MAY_WRITE | MAY_READ | MAY_APPEND)); +} + #define MAX_NON_LFS ((1UL<<31) - 1) /* Page cache limit. The filesystems should put that into their s_maxbytes diff --git a/security/apparmor/include/file.h b/security/apparmor/include/file.h index 029cb20e322d..505d6da02af3 100644 --- a/security/apparmor/include/file.h +++ b/security/apparmor/include/file.h 
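Review bot: the final `return (perms | (MAY_EXEC | MAY_WRITE | MAY_READ | MAY_APPEND));` in the file_to_perms() hunk ORs all four bits in, so every file comes back with read, write, exec and append set regardless of f_mode; the comment above it says the intent is to keep only the low-nibble permissions, so this must be `&`, and with that mask the `u8` return type is safe. Two smaller points on the same hunk: `__auto_type flags = file->f_flags;` has no precedent in include/linux/fs.h and plain `unsigned int flags` matches the field type; and the helper sets MAY_EXEC for FMODE_EXEC, which the aa_map_file_to_perms() body it replaces never did, so AppArmor's file mediation will now also request exec permission for FMODE_EXEC opens unless that caller strips it, which the commit message should call out.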
@@ -218,20 +218,10 @@ static inline void aa_free_file_rules(struct aa_file_rules *rules) */ static inline u32 aa_map_file_to_perms(struct file *file) { - int flags = file->f_flags; - u32 perms = 0; - - if (file->f_mode & FMODE_WRITE) - perms |= MAY_WRITE; - if (file->f_mode & FMODE_READ) - perms |= MAY_READ; - - if ((flags & O_APPEND) && (perms & MAY_WRITE)) - perms = (perms & ~MAY_WRITE) | MAY_APPEND; - /* trunc implies write permission */ - if (flags & O_TRUNC) - perms |= MAY_WRITE; - if (flags & O_CREAT) + u32 perms = file_to_perms(file); + + /* Also want to check O_CREAT */ + if (file->f_flags & O_CREAT) perms |= AA_MAY_CREATE; return perms; From patchwork Thu Oct 13 22:36:52 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 13006529 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 31218C433FE for ; Thu, 13 Oct 2022 22:37:20 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229796AbiJMWhR (ORCPT ); Thu, 13 Oct 2022 18:37:17 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43626 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229755AbiJMWhK (ORCPT ); Thu, 13 Oct 2022 18:37:10 -0400 Received: from mail-pj1-x1031.google.com (mail-pj1-x1031.google.com [IPv6:2607:f8b0:4864:20::1031]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3CAAB144E16 for ; Thu, 13 Oct 2022 15:37:03 -0700 (PDT) Received: by mail-pj1-x1031.google.com with SMTP id 70so3262155pjo.4 for ; Thu, 13 Oct 2022 15:37:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to 
From: Kees Cook
To: Mimi Zohar
Cc: Kees Cook, Dmitry Kasatkin, Paul Moore, James Morris, "Serge E. Hallyn", Jonathan McDowell, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, Mickaël Salaün, KP Singh, Casey Schaufler, John Johansen, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH 7/9] ima: Move ima_file_check() into LSM
Date: Thu, 13 Oct 2022 15:36:52 -0700
Message-Id: <20221013223654.659758-7-keescook@chromium.org>
In-Reply-To: <20221013222702.never.990-kees@kernel.org>
References: <20221013222702.never.990-kees@kernel.org>

The "file_open" hook in the LSM is the correct place to add the ima_file_check() callback.
Rename it to ima_file_open(), and use the newly created helper to
construct the permissions mask from the file flags and fmode.

For reference, the LSM hooks across an open are:

do_filp_open(dfd, filename, open_flags)
  path_openat(nameidata, open_flags, flags)
    file = alloc_empty_file(open_flags, current_cred());
    do_open(nameidata, file, open_flags)
      may_open(path, acc_mode, open_flag)
        inode_permission(inode, MAY_OPEN | acc_mode)
          ----> security_inode_permission(inode, acc_mode)
      vfs_open(path, file)
        do_dentry_open(file, path->dentry->d_inode, open)
          ----> security_file_open(f)
          open()

The open-coded hooks in the VFS and NFS are removed, as they are fully
covered by the security_file_open() hook.

Cc: Mimi Zohar
Cc: Dmitry Kasatkin
Cc: Paul Moore
Cc: James Morris
Cc: "Serge E. Hallyn"
Cc: Jonathan McDowell
Cc: linux-integrity@vger.kernel.org
Cc: linux-security-module@vger.kernel.org
Signed-off-by: Kees Cook
---
 fs/namei.c                        |  2 --
 fs/nfsd/vfs.c                     |  6 ------
 include/linux/ima.h               |  6 ------
 security/integrity/ima/ima_main.c | 14 +++++++-------
 4 files changed, 7 insertions(+), 21 deletions(-)

diff --git a/fs/namei.c b/fs/namei.c index 53b4bc094db2..d9bd3887e823 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -3555,8 +3555,6 @@ static int do_open(struct nameidata *nd, error = may_open(mnt_userns, &nd->path, acc_mode, open_flag); if (!error && !(file->f_mode & FMODE_OPENED)) error = vfs_open(&nd->path, file); - if (!error) - error = ima_file_check(file, op->acc_mode); if (!error && do_truncate) error = handle_truncate(mnt_userns, file); if (unlikely(error > 0)) { diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c index 9f486b788ed0..33fe326272df 100644 --- a/fs/nfsd/vfs.c +++ b/fs/nfsd/vfs.c @@ -762,12 +762,6 @@ __nfsd_open(struct svc_rqst *rqstp, struct svc_fh *fhp, umode_t type, goto out_nfserr; } - host_err = ima_file_check(file, may_flags); - if (host_err) { - fput(file); - goto out_nfserr; - } - if (may_flags & NFSD_MAY_64BIT_COOKIE) file->f_mode |= FMODE_64BITHASH; else
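Review bot: the __nfsd_open() hunk removes a check whose mask came from the caller (`may_flags`), while the replacement hook builds the mask from the file itself with file_to_perms(); the commit message says the call is "fully covered", but it should spell out the path by which __nfsd_open() reaches security_file_open(), since this hunk deletes the only explicit check in that function, and state that feeding IMA the file-derived mask instead of `may_flags` is intended for nfsd. The hunk also drops nfsd's own failure handling (`fput(file); goto out_nfserr;`), which is only safe if a rejected security_file_open() makes the open itself fail before __nfsd_open() has a file to return; a sentence saying so would make the review easier. The do_open() hunk is fine as it stands: the check now happens inside vfs_open() rather than after it, still ahead of handle_truncate().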
diff --git a/include/linux/ima.h b/include/linux/ima.h index 70180b9bd974..cf1e48a2d97d 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -16,7 +16,6 @@ struct linux_binprm; #ifdef CONFIG_IMA extern enum hash_algo ima_get_current_hash_algo(void); -extern int ima_file_check(struct file *file, int mask); extern void ima_post_create_tmpfile(struct user_namespace *mnt_userns, struct inode *inode); extern void ima_post_path_mknod(struct user_namespace *mnt_userns, @@ -45,11 +44,6 @@ static inline enum hash_algo ima_get_current_hash_algo(void) return HASH_ALGO__LAST; } -static inline int ima_file_check(struct file *file, int mask) -{ - return 0; -} - static inline void ima_post_create_tmpfile(struct user_namespace *mnt_userns, struct inode *inode) { diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index ffebd3236f24..823d660b53ec 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -12,7 +12,7 @@ * * File: ima_main.c * implements the IMA hooks: ima_bprm_check, ima_file_mmap, - * and ima_file_check. + * and ima_file_open. */ #include 
@@ -504,25 +504,24 @@ static int ima_bprm_check(struct linux_binprm *bprm) } /** - * ima_file_check - based on policy, collect/store measurement. + * ima_file_open - based on policy, collect/store measurement. * @file: pointer to the file to be measured - * @mask: contains MAY_READ, MAY_WRITE, MAY_EXEC or MAY_APPEND * * Measure files based on the ima_must_measure() policy decision. * * On success return 0. On integrity appraisal error, assuming the file * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. */ -int ima_file_check(struct file *file, int mask) +static int ima_file_open(struct file *file) { + u32 perms = file_to_perms(file); u32 secid; security_current_getsecid_subj(&secid); + return process_measurement(file, current_cred(), secid, NULL, 0, - mask & (MAY_READ | MAY_WRITE | MAY_EXEC | - MAY_APPEND), FILE_CHECK); + perms, FILE_CHECK); } -EXPORT_SYMBOL_GPL(ima_file_check); static int __ima_inode_hash(struct inode *inode, struct file *file, char *buf, size_t buf_size) 
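Review bot: the ima_file_open() hunk moves the measurement to an earlier point in the open sequence, and the commit message's own call chain shows it: ima_file_check() ran in do_open() after vfs_open() had returned, whereas security_file_open(f) fires inside do_dentry_open() before the open() step listed beneath it. process_measurement() hashes the file's contents, so that read now happens before the filesystem's open method has run; either confirm that every filesystem IMA may measure tolerates a read at that point or say in the commit message why the earlier point is acceptable. Minor: with the `@mask` line removed, the kernel-doc no longer says which permission bits reach process_measurement(); a note that `perms` comes from file_to_perms() would keep the comment accurate.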
@@ -1085,6 +1084,7 @@ static struct security_hook_list ima_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(bprm_check_security, ima_bprm_check), LSM_HOOK_INIT(mmap_file, ima_file_mmap), LSM_HOOK_INIT(file_mprotect, ima_file_mprotect), + LSM_HOOK_INIT(file_open, ima_file_open), LSM_HOOK_INIT(file_free_security, ima_file_free), LSM_HOOK_INIT(kernel_read_file, ima_read_file), LSM_HOOK_INIT(kernel_post_read_file, ima_post_read_file),

From: Kees Cook
To: Mimi Zohar
Cc: Kees Cook, Dmitry Kasatkin, Paul Moore, James Morris, "Serge E. Hallyn", linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, Mickaël Salaün, KP Singh, Casey Schaufler, John Johansen, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH 8/9] integrity: Move trivial hooks into LSM
Date: Thu, 13 Oct 2022 15:36:53 -0700
Message-Id: <20221013223654.659758-8-keescook@chromium.org>
In-Reply-To: <20221013222702.never.990-kees@kernel.org>
References: <20221013222702.never.990-kees@kernel.org>

Move the integrity_inode_free and integrity_kernel_module_request hooks
into the LSM.

Cc: Mimi Zohar
Cc: Dmitry Kasatkin
Cc: Paul Moore
Cc: James Morris
Cc: "Serge E.
Hallyn" Cc: linux-integrity@vger.kernel.org Cc: linux-security-module@vger.kernel.org Signed-off-by: Kees Cook --- include/linux/integrity.h | 19 ------------------- security/integrity/iint.c | 11 ++++++++++- security/integrity/integrity.h | 1 + security/security.c | 8 +------- 4 files changed, 12 insertions(+), 27 deletions(-) diff --git a/include/linux/integrity.h b/include/linux/integrity.h index 2ea0f2f65ab6..c86bcf6b866b 100644 --- a/include/linux/integrity.h +++ b/include/linux/integrity.h @@ -22,7 +22,6 @@ enum integrity_status { /* List of EVM protected security xattrs */ #ifdef CONFIG_INTEGRITY extern struct integrity_iint_cache *integrity_inode_get(struct inode *inode); -extern void integrity_inode_free(struct inode *inode); extern void __init integrity_load_keys(void); #else @@ -32,27 +31,9 @@ static inline struct integrity_iint_cache * return NULL; } -static inline void integrity_inode_free(struct inode *inode) -{ - return; -} - static inline void integrity_load_keys(void) { } #endif /* CONFIG_INTEGRITY */ -#ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS - -extern int integrity_kernel_module_request(char *kmod_name); - -#else - -static inline int integrity_kernel_module_request(char *kmod_name) -{ - return 0; -} - -#endif /* CONFIG_INTEGRITY_ASYMMETRIC_KEYS */ - #endif /* _LINUX_INTEGRITY_H */ diff --git a/security/integrity/iint.c b/security/integrity/iint.c index 4f322324449d..dea4dbb93a53 100644 --- a/security/integrity/iint.c +++ b/security/integrity/iint.c @@ -142,7 +142,7 @@ struct integrity_iint_cache *integrity_inode_get(struct inode *inode) * * Free the integrity information(iint) associated with an inode. */ -void integrity_inode_free(struct inode *inode) +static void integrity_inode_free(struct inode *inode) { struct integrity_iint_cache *iint; 
@@ -177,12 +177,21 @@ void __init integrity_add_lsm_hooks(struct security_hook_list *hooks, security_add_hooks(hooks, count, "integrity"); } +static struct security_hook_list integrity_hooks[] __lsm_ro_after_init = { + LSM_HOOK_INIT(inode_free_security, integrity_inode_free), +#ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS + LSM_HOOK_INIT(kernel_module_request, integrity_kernel_module_request), +#endif +}; + static int __init integrity_lsm_init(void) { iint_cache = kmem_cache_create("iint_cache", sizeof(struct integrity_iint_cache), 0, SLAB_PANIC, init_once); + integrity_add_lsm_hooks(integrity_hooks, ARRAY_SIZE(integrity_hooks)); + integrity_lsm_ima_init(); integrity_lsm_evm_init(); diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 3707349271c9..93f35b208809 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -237,6 +237,7 @@ static inline int __init integrity_load_cert(const unsigned int id, #endif /* CONFIG_INTEGRITY_SIGNATURE */ #ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS +int integrity_kernel_module_request(char *kmod_name); int asymmetric_verify(struct key *keyring, const char *sig, int siglen, const char *data, int datalen); #else diff --git a/security/security.c b/security/security.c index af42264ad3e2..60c0ed336b23 100644 --- a/security/security.c +++ b/security/security.c @@ -1036,7 +1036,6 @@ static void inode_free_by_rcu(struct rcu_head *head) void security_inode_free(struct inode *inode) { - integrity_inode_free(inode); call_void_hook(inode_free_security, inode); /* * The inode may still be referenced in a path walk and 
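Review bot: the security_inode_free() hunk changes when integrity_inode_free() runs relative to the other LSMs: before, it was called unconditionally ahead of call_void_hook(inode_free_security, inode); after, it is one entry in that hook list and runs in registration order, wherever the integrity_add_lsm_hooks(integrity_hooks, ...) call added to integrity_lsm_init() in the iint.c hunk places "integrity". The subject calls these hooks trivial, so a sentence in the commit message saying why the ordering is irrelevant (for instance, that the iint does not depend on any other LSM's per-inode state) would make that explicit. Also worth noting that the iint.c hunk registers integrity_hooks[] before the existing integrity_lsm_ima_init() and integrity_lsm_evm_init() calls, which fixes the order of the three integrity hook sets.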
@@ -1723,12 +1722,7 @@ int security_kernel_create_files_as(struct cred *new, struct inode *inode) int security_kernel_module_request(char *kmod_name) { - int ret; - - ret = call_int_hook(kernel_module_request, 0, kmod_name); - if (ret) - return ret; - return integrity_kernel_module_request(kmod_name); + return call_int_hook(kernel_module_request, 0, kmod_name); } int security_kernel_read_file(struct file *file, enum kernel_read_file_id id,

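Review bot: the security_kernel_module_request() hunk changes evaluation order and short-circuiting. The removed code ran every LSM's kernel_module_request hook first and consulted integrity_kernel_module_request() only when all of them returned 0; with integrity registered as one more hook, call_int_hook() returns at the first non-zero result, so depending on where "integrity" sits in the hook order its denial can now be returned before later LSMs run, or another LSM's denial can pre-empt integrity's. The final allow/deny outcome is unchanged, but the error code that surfaces and which hooks get to observe the request can differ; the commit message should say this is acceptable. The `#ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS` guard around the LSM_HOOK_INIT in iint.c matches the removed stub that returned 0 without that option, so no behaviour is lost there.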
From: Kees Cook
To: Mimi Zohar
Cc: Kees Cook, Dmitry Kasatkin, Paul Moore, James Morris, "Serge E. Hallyn", linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, Mickaël Salaün, KP Singh, Casey Schaufler, John Johansen, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH 9/9] integrity: Move integrity_inode_get() out of global header
Date: Thu, 13 Oct 2022 15:36:54 -0700
Message-Id: <20221013223654.659758-9-keescook@chromium.org>
In-Reply-To: <20221013222702.never.990-kees@kernel.org>
References: <20221013222702.never.990-kees@kernel.org>

The function integrity_inode_get() does not need to be shared with the
rest of the kernel, so move it into the internal integrity.h header.

Cc: Mimi Zohar Cc: Dmitry Kasatkin Cc: Paul Moore Cc: James Morris Cc: "Serge E. Hallyn" Cc: linux-integrity@vger.kernel.org Cc: linux-security-module@vger.kernel.org Signed-off-by: Kees Cook --- include/linux/integrity.h | 11 +---------- security/integrity/integrity.h | 1 + 2 files changed, 2 insertions(+), 10 deletions(-) diff --git a/include/linux/integrity.h b/include/linux/integrity.h index c86bcf6b866b..4c6fd79b5bf8 100644 --- a/include/linux/integrity.h +++ b/include/linux/integrity.h @@ -21,19 +21,10 @@ enum integrity_status { /* List of EVM protected security xattrs */ #ifdef CONFIG_INTEGRITY -extern struct integrity_iint_cache *integrity_inode_get(struct inode *inode); extern void __init integrity_load_keys(void); - #else -static inline struct integrity_iint_cache * - integrity_inode_get(struct inode *inode) -{ - return NULL; -} - static inline void integrity_load_keys(void) -{ -} +{ } #endif /* CONFIG_INTEGRITY */ #endif /* _LINUX_INTEGRITY_H */ diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 93f35b208809..acd904c12f87 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -178,6 +178,7 @@ struct integrity_iint_cache { * integrity data associated with an inode. */ struct integrity_iint_cache *integrity_iint_find(struct inode *inode); +struct integrity_iint_cache *integrity_inode_get(struct inode *inode); int integrity_kernel_read(struct file *file, loff_t offset, void *addr, unsigned long count);
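Review bot: the `-{ -} +{ }` rewrite of the !CONFIG_INTEGRITY stub of integrity_load_keys() in the include/linux/integrity.h hunk is unrelated whitespace churn; the subject only covers moving integrity_inode_get(), so either drop that change or mention it in the commit message. The security/integrity/integrity.h hunk places the prototype next to integrity_iint_find(), which is the right neighbour, but since integrity_inode_get() is now declared only inside security/integrity, the commit message should state that no caller outside that directory remains, so reviewers need not grep for one.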