| Message ID | 20220104170416.1923685-14-stefanb@linux.vnet.ibm.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | ima: Namespace IMA with audit support in IMA-ns | expand |
On Tue, Jan 04, 2022 at 12:04:10PM -0500, Stefan Berger wrote: > From: Stefan Berger <stefanb@linux.ibm.com> > > Implement create_ima_ns() to create and initialize an ima_namespace > and implement free_ima_ns() to free it. > > Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> > --- > include/linux/ima.h | 13 +++++ > security/integrity/ima/Makefile | 1 + > security/integrity/ima/ima.h | 16 +++++++ > security/integrity/ima/ima_init_ima_ns.c | 2 +- > security/integrity/ima/ima_ns.c | 61 ++++++++++++++++++++++++ > 5 files changed, 92 insertions(+), 1 deletion(-) > create mode 100644 security/integrity/ima/ima_ns.c > > diff --git a/include/linux/ima.h b/include/linux/ima.h > index e1d65162d1fb..06c88cb17b21 100644 > --- a/include/linux/ima.h > +++ b/include/linux/ima.h > @@ -226,4 +226,17 @@ static inline bool ima_appraise_signature(enum kernel_read_file_id func) > return false; > } > #endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */ > + > +#ifdef CONFIG_IMA_NS > + > +void free_ima_ns(struct user_namespace *ns); > + > +#else > + > +static inline void free_ima_ns(struct user_namespace *user_ns) > +{ > +} > + > +#endif /* CONFIG_IMA_NS */ > + > #endif /* _LINUX_IMA_H */ > diff --git a/security/integrity/ima/Makefile b/security/integrity/ima/Makefile > index f8a5e5f3975d..b86a35fbed60 100644 > --- a/security/integrity/ima/Makefile > +++ b/security/integrity/ima/Makefile > @@ -14,6 +14,7 @@ ima-$(CONFIG_HAVE_IMA_KEXEC) += ima_kexec.o > ima-$(CONFIG_IMA_BLACKLIST_KEYRING) += ima_mok.o > ima-$(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) += ima_asymmetric_keys.o > ima-$(CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS) += ima_queue_keys.o > +ima-$(CONFIG_IMA_NS) += ima_ns.o > > ifeq ($(CONFIG_EFI),y) > ima-$(CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT) += ima_efi.o > diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h > index f63c6f22b853..4255301e5b96 100644 > --- a/security/integrity/ima/ima.h > +++ b/security/integrity/ima/ima.h > @@ -163,6 +163,7 @@ extern bool ima_canonical_fmt; > int ima_init(void); > int ima_fs_init(void); > int ima_ns_init(void); > +int ima_init_namespace(struct ima_namespace *ns); > int ima_add_template_entry(struct ima_namespace *ns, > struct ima_template_entry *entry, int violation, > const char *op, struct inode *inode, > @@ -503,4 +504,19 @@ static inline struct ima_namespace *get_current_ns(void) > return &init_ima_ns; > } > > +#ifdef CONFIG_IMA_NS > + > +struct ima_namespace *create_ima_ns(struct user_namespace *user_ns); > + > +#else > + > +static inline struct ima_namespace * > +create_ima_ns(struct user_namespace *user_ns) Why are you introducing these functions in 13/19 when you're first using it in the last patch of this series? > +{ > + WARN(1, "Cannot create an IMA namespace\n"); > + return ERR_PTR(-EFAULT); > +} I think I pointed this out earlier or made illustrated it in my draft patch earlier. This function should not return a ptr to an ima namespace. That's just not necessary: the ima namespace _is stashed in struct user namespace_: static int create_ima_ns(struct uesr_namespace *user_ns) { [...] /* Pairs with [...] */ smp_store_release(&user_ns->ima_ns, ns); return 0; } and in the other case: static inline create_ima_ns(struct user_namespace *user_ns) { return -EINVAL; }
diff --git a/include/linux/ima.h b/include/linux/ima.h index e1d65162d1fb..06c88cb17b21 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -226,4 +226,17 @@ static inline bool ima_appraise_signature(enum kernel_read_file_id func) return false; } #endif /* CONFIG_IMA_APPRAISE && CONFIG_INTEGRITY_TRUSTED_KEYRING */ + +#ifdef CONFIG_IMA_NS + +void free_ima_ns(struct user_namespace *ns); + +#else + +static inline void free_ima_ns(struct user_namespace *user_ns) +{ +} + +#endif /* CONFIG_IMA_NS */ + #endif /* _LINUX_IMA_H */ diff --git a/security/integrity/ima/Makefile b/security/integrity/ima/Makefile index f8a5e5f3975d..b86a35fbed60 100644 --- a/security/integrity/ima/Makefile +++ b/security/integrity/ima/Makefile @@ -14,6 +14,7 @@ ima-$(CONFIG_HAVE_IMA_KEXEC) += ima_kexec.o ima-$(CONFIG_IMA_BLACKLIST_KEYRING) += ima_mok.o ima-$(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) += ima_asymmetric_keys.o ima-$(CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS) += ima_queue_keys.o +ima-$(CONFIG_IMA_NS) += ima_ns.o ifeq ($(CONFIG_EFI),y) ima-$(CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT) += ima_efi.o diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index f63c6f22b853..4255301e5b96 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -163,6 +163,7 @@ extern bool ima_canonical_fmt; int ima_init(void); int ima_fs_init(void); int ima_ns_init(void); +int ima_init_namespace(struct ima_namespace *ns); int ima_add_template_entry(struct ima_namespace *ns, struct ima_template_entry *entry, int violation, const char *op, struct inode *inode, @@ -503,4 +504,19 @@ static inline struct ima_namespace *get_current_ns(void) return &init_ima_ns; } +#ifdef CONFIG_IMA_NS + +struct ima_namespace *create_ima_ns(struct user_namespace *user_ns); + +#else + +static inline struct ima_namespace * +create_ima_ns(struct user_namespace *user_ns) +{ + WARN(1, "Cannot create an IMA namespace\n"); + return ERR_PTR(-EFAULT); +} + +#endif /* CONFIG_IMA_NS */ + #endif /* __LINUX_IMA_H */ diff --git a/security/integrity/ima/ima_init_ima_ns.c b/security/integrity/ima/ima_init_ima_ns.c index 68671f976756..6eac998781c3 100644 --- a/security/integrity/ima/ima_init_ima_ns.c +++ b/security/integrity/ima/ima_init_ima_ns.c @@ -8,7 +8,7 @@ #include "ima.h" -static int ima_init_namespace(struct ima_namespace *ns) +int ima_init_namespace(struct ima_namespace *ns) { INIT_LIST_HEAD(&ns->ima_default_rules); INIT_LIST_HEAD(&ns->ima_policy_rules); diff --git a/security/integrity/ima/ima_ns.c b/security/integrity/ima/ima_ns.c new file mode 100644 index 000000000000..675466d292e8 --- /dev/null +++ b/security/integrity/ima/ima_ns.c @@ -0,0 +1,61 @@ +// SPDX-License-Identifier: GPL-2.0-only +/* + * Copyright (C) 2016-2021 IBM Corporation + * Author: + * Yuqiong Sun <suny@us.ibm.com> + * Stefan Berger <stefanb@linux.vnet.ibm.com> + */ + +#include <linux/ima.h> + +#include "ima.h" + +static struct kmem_cache *imans_cachep; + +struct ima_namespace *create_ima_ns(struct user_namespace *user_ns) +{ + struct ima_namespace *ns; + int err; + + ns = kmem_cache_zalloc(imans_cachep, GFP_KERNEL); + if (!ns) + return ERR_PTR(-ENOMEM); + pr_debug("NEW ima_ns: %p\n", ns); + + err = ima_init_namespace(ns); + if (err) + goto fail_free; + + user_ns->ima_ns = ns; + + return ns; + +fail_free: + kmem_cache_free(imans_cachep, ns); + + return ERR_PTR(err); +} + +static void destroy_ima_ns(struct ima_namespace *ns) +{ + pr_debug("DESTROY ima_ns: %p\n", ns); + ima_free_policy_rules(ns); + kmem_cache_free(imans_cachep, ns); +} + +void free_ima_ns(struct user_namespace *user_ns) +{ + struct ima_namespace *ns = user_ns->ima_ns; + + if (!ns || WARN_ON(ns == &init_ima_ns)) + return; + + destroy_ima_ns(ns); +} + +static int __init imans_cache_init(void) +{ + imans_cachep = KMEM_CACHE(ima_namespace, SLAB_PANIC); + return 0; +} +subsys_initcall(imans_cache_init)