[v12,04/26] ima: Move arch_policy_entry into ima_namespace

Message ID	20220420140633.753772-5-stefanb@linux.ibm.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-security-module-owner@kernel.org> From: Stefan Berger <stefanb@linux.ibm.com> To: linux-integrity@vger.kernel.org Cc: zohar@linux.ibm.com, serge@hallyn.com, christian.brauner@ubuntu.com, containers@lists.linux.dev, dmitry.kasatkin@gmail.com, ebiederm@xmission.com, krzysztof.struczynski@huawei.com, roberto.sassu@huawei.com, mpeters@redhat.com, lhinds@redhat.com, lsturman@redhat.com, puiterwi@redhat.com, jejb@linux.ibm.com, jamjoom@us.ibm.com, linux-kernel@vger.kernel.org, paul@paul-moore.com, rgb@redhat.com, linux-security-module@vger.kernel.org, jmorris@namei.org, jpenumak@redhat.com, Stefan Berger <stefanb@linux.ibm.com>, Christian Brauner <brauner@kernel.org> Subject: [PATCH v12 04/26] ima: Move arch_policy_entry into ima_namespace Date: Wed, 20 Apr 2022 10:06:11 -0400 Message-Id: <20220420140633.753772-5-stefanb@linux.ibm.com> In-Reply-To: <20220420140633.753772-1-stefanb@linux.ibm.com> References: <20220420140633.753772-1-stefanb@linux.ibm.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	ima: Namespace IMA with audit support in IMA-ns \| expand [v12,00/26] ima: Namespace IMA with audit support in IMA-ns [v12,01/26] securityfs: rework dentry creation [v12,02/26] securityfs: Extend securityfs with namespacing support [v12,03/26] ima: Define ima_namespace struct and start moving variables into it [v12,04/26] ima: Move arch_policy_entry into ima_namespace [v12,05/26] ima: Move ima_htable into ima_namespace [v12,06/26] ima: Move measurement list related variables into ima_namespace [v12,07/26] ima: Move some IMA policy and filesystem related variables into ima_namespace [v12,08/26] ima: Move IMA securityfs files into ima_namespace or onto stack [v12,09/26] ima: Move ima_lsm_policy_notifier into ima_namespace [v12,10/26] ima: Switch to lazy lsm policy updates for better performance [v12,11/26] ima: Define mac_admin_ns_capable() as a wrapper for ns_capable() [v12,12/26] ima: Only accept AUDIT rules for non-init_ima_ns namespaces for now [v12,13/26] userns: Add pointer to ima_namespace to user_namespace [v12,14/26] ima: Implement hierarchical processing of file accesses [v12,15/26] ima: Implement ima_free_policy_rules() for freeing of an ima_namespace [v12,16/26] ima: Add functions for creating and freeing of an ima_namespace [v12,17/26] integrity/ima: Define ns_status for storing namespaced iint data [v12,18/26] integrity: Add optional callback function to integrity_inode_free() [v12,19/26] ima: Namespace audit status flags [v12,20/26] ima: Remove unused iints from the integrity_iint_cache [v12,21/26] ima: Setup securityfs for IMA namespace [v12,22/26] ima: Introduce securityfs file to activate an IMA namespace [v12,23/26] ima: Show owning user namespace's uid and gid when displaying policy [v12,24/26] ima: Limit number of policy rules in non-init_ima_ns [v12,25/26] ima: Restrict informational audit messages to init_ima_ns [v12,26/26] ima: Enable IMA namespaces

Message ID

20220420140633.753772-5-stefanb@linux.ibm.com (mailing list archive)

State

New, archived

Headers

From: Stefan Berger <stefanb@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: zohar@linux.ibm.com, serge@hallyn.com,
        christian.brauner@ubuntu.com, containers@lists.linux.dev,
        dmitry.kasatkin@gmail.com, ebiederm@xmission.com,
        krzysztof.struczynski@huawei.com, roberto.sassu@huawei.com,
        mpeters@redhat.com, lhinds@redhat.com, lsturman@redhat.com,
        puiterwi@redhat.com, jejb@linux.ibm.com, jamjoom@us.ibm.com,
        linux-kernel@vger.kernel.org, paul@paul-moore.com, rgb@redhat.com,
        linux-security-module@vger.kernel.org, jmorris@namei.org,
        jpenumak@redhat.com, Stefan Berger <stefanb@linux.ibm.com>,
        Christian Brauner <brauner@kernel.org>
Subject: [PATCH v12 04/26] ima: Move arch_policy_entry into ima_namespace
Date: Wed, 20 Apr 2022 10:06:11 -0400
Message-Id: <20220420140633.753772-5-stefanb@linux.ibm.com>
In-Reply-To: <20220420140633.753772-1-stefanb@linux.ibm.com>
References: <20220420140633.753772-1-stefanb@linux.ibm.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

ima: Namespace IMA with audit support in IMA-ns | expand

Commit Message

Stefan Berger April 20, 2022, 2:06 p.m. UTC

The architecture-specific policy rules, currently defined for EFI and
powerpc, require the kexec kernel image and kernel modules to be
validly signed and measured, based on the system's secure boot and/or
trusted boot mode and the IMA_ARCH_POLICY Kconfig option being enabled.

To avoid special-casing init_ima_ns as much as possible, move the
arch_policy_entry into the ima_namespace.

When freeing the arch_policy_entry set the pointer to NULL.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Acked-by: Christian Brauner <brauner@kernel.org>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
---
 security/integrity/ima/ima.h             |  3 +++
 security/integrity/ima/ima_init_ima_ns.c |  1 +
 security/integrity/ima/ima_policy.c      | 23 +++++++++++------------
 3 files changed, 15 insertions(+), 12 deletions(-)

Comments

Serge E. Hallyn May 21, 2022, 2:46 a.m. UTC | #1

On Wed, Apr 20, 2022 at 10:06:11AM -0400, Stefan Berger wrote:
> The architecture-specific policy rules, currently defined for EFI and
> powerpc, require the kexec kernel image and kernel modules to be
> validly signed and measured, based on the system's secure boot and/or
> trusted boot mode and the IMA_ARCH_POLICY Kconfig option being enabled.
> 
> To avoid special-casing init_ima_ns as much as possible, move the
> arch_policy_entry into the ima_namespace.
> 
> When freeing the arch_policy_entry set the pointer to NULL.
> 
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> Acked-by: Christian Brauner <brauner@kernel.org>
> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
>  security/integrity/ima/ima.h             |  3 +++
>  security/integrity/ima/ima_init_ima_ns.c |  1 +
>  security/integrity/ima/ima_policy.c      | 23 +++++++++++------------
>  3 files changed, 15 insertions(+), 12 deletions(-)
> 
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index 9bcde1a24e74..2305bf223a98 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -125,6 +125,9 @@ struct ima_namespace {
>  
>  	struct list_head __rcu *ima_rules;  /* Pointer to the current policy */
>  	int ima_policy_flag;
> +
> +	/* An array of architecture specific rules */
> +	struct ima_rule_entry *arch_policy_entry;
>  } __randomize_layout;
>  extern struct ima_namespace init_ima_ns;
>  
> diff --git a/security/integrity/ima/ima_init_ima_ns.c b/security/integrity/ima/ima_init_ima_ns.c
> index c919a456b525..ae33621c3955 100644
> --- a/security/integrity/ima/ima_init_ima_ns.c
> +++ b/security/integrity/ima/ima_init_ima_ns.c
> @@ -15,6 +15,7 @@ static int ima_init_namespace(struct ima_namespace *ns)
>  	INIT_LIST_HEAD(&ns->ima_temp_rules);
>  	ns->ima_rules = (struct list_head __rcu *)(&ns->ima_default_rules);
>  	ns->ima_policy_flag = 0;
> +	ns->arch_policy_entry = NULL;
>  
>  	return 0;
>  }
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 69b19f4d5fee..0a7c61ca3265 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -228,9 +228,6 @@ static struct ima_rule_entry critical_data_rules[] __ro_after_init = {
>  	{.action = MEASURE, .func = CRITICAL_DATA, .flags = IMA_FUNC},
>  };
>  
> -/* An array of architecture specific rules */
> -static struct ima_rule_entry *arch_policy_entry __ro_after_init;
> -
>  static int ima_policy __initdata;
>  
>  static int __init default_measure_policy_setup(char *str)
> @@ -859,9 +856,10 @@ static int __init ima_init_arch_policy(struct ima_namespace *ns)
>  	for (rules = arch_rules; *rules != NULL; rules++)
>  		arch_entries++;
>  
> -	arch_policy_entry = kcalloc(arch_entries + 1,
> -				    sizeof(*arch_policy_entry), GFP_KERNEL);
> -	if (!arch_policy_entry)
> +	ns->arch_policy_entry = kcalloc(arch_entries + 1,
> +					sizeof(*ns->arch_policy_entry),
> +					GFP_KERNEL);
> +	if (!ns->arch_policy_entry)
>  		return 0;
>  
>  	/* Convert each policy string rules to struct ima_rule_entry format */
> @@ -871,13 +869,13 @@ static int __init ima_init_arch_policy(struct ima_namespace *ns)
>  
>  		result = strscpy(rule, *rules, sizeof(rule));
>  
> -		INIT_LIST_HEAD(&arch_policy_entry[i].list);
> -		result = ima_parse_rule(ns, rule, &arch_policy_entry[i]);
> +		INIT_LIST_HEAD(&ns->arch_policy_entry[i].list);
> +		result = ima_parse_rule(ns, rule, &ns->arch_policy_entry[i]);
>  		if (result) {
>  			pr_warn("Skipping unknown architecture policy rule: %s\n",
>  				rule);
> -			memset(&arch_policy_entry[i], 0,
> -			       sizeof(*arch_policy_entry));
> +			memset(&ns->arch_policy_entry[i], 0,
> +			       sizeof(ns->arch_policy_entry[i]));
>  			continue;
>  		}
>  		i++;
> @@ -925,7 +923,7 @@ void __init ima_init_policy(struct ima_namespace *ns)
>  	if (!arch_entries)
>  		pr_info("No architecture policies found\n");
>  	else
> -		add_rules(ns, arch_policy_entry, arch_entries,
> +		add_rules(ns, ns->arch_policy_entry, arch_entries,
>  			  IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY);
>  
>  	/*
> @@ -1005,7 +1003,8 @@ void ima_update_policy(struct ima_namespace *ns)
>  		 * on boot.  After loading a custom policy, free the
>  		 * architecture specific rules stored as an array.
>  		 */
> -		kfree(arch_policy_entry);
> +		kfree(ns->arch_policy_entry);
> +		ns->arch_policy_entry = NULL;

So the thing that prevents multiple racing occurances of the above two lines is
that ima_open_policy() sets IMA_FS_BUSY (or returns EBUSY) and then removes
this file before clearing the flag, right?

Seems good.

Reviewed-by: Serge Hallyn <serge@hallyn.com>


>  	}
>  	ima_update_policy_flags(ns);
>  
> -- 
> 2.34.1

Serge E. Hallyn May 21, 2022, 3:07 a.m. UTC | #2

On Fri, May 20, 2022 at 09:46:33PM -0500, Serge E. Hallyn wrote:
> On Wed, Apr 20, 2022 at 10:06:11AM -0400, Stefan Berger wrote:
> > The architecture-specific policy rules, currently defined for EFI and
> > powerpc, require the kexec kernel image and kernel modules to be
> > validly signed and measured, based on the system's secure boot and/or
> > trusted boot mode and the IMA_ARCH_POLICY Kconfig option being enabled.
> > 
> > To avoid special-casing init_ima_ns as much as possible, move the
> > arch_policy_entry into the ima_namespace.
> > 
> > When freeing the arch_policy_entry set the pointer to NULL.
> > 
> > Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> > Acked-by: Christian Brauner <brauner@kernel.org>
> > Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> > ---
> >  security/integrity/ima/ima.h             |  3 +++
> >  security/integrity/ima/ima_init_ima_ns.c |  1 +
> >  security/integrity/ima/ima_policy.c      | 23 +++++++++++------------
> >  3 files changed, 15 insertions(+), 12 deletions(-)
> > 
> > diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> > index 9bcde1a24e74..2305bf223a98 100644
> > --- a/security/integrity/ima/ima.h
> > +++ b/security/integrity/ima/ima.h
> > @@ -125,6 +125,9 @@ struct ima_namespace {
> >  
> >  	struct list_head __rcu *ima_rules;  /* Pointer to the current policy */
> >  	int ima_policy_flag;
> > +
> > +	/* An array of architecture specific rules */
> > +	struct ima_rule_entry *arch_policy_entry;
> >  } __randomize_layout;
> >  extern struct ima_namespace init_ima_ns;
> >  
> > diff --git a/security/integrity/ima/ima_init_ima_ns.c b/security/integrity/ima/ima_init_ima_ns.c
> > index c919a456b525..ae33621c3955 100644
> > --- a/security/integrity/ima/ima_init_ima_ns.c
> > +++ b/security/integrity/ima/ima_init_ima_ns.c
> > @@ -15,6 +15,7 @@ static int ima_init_namespace(struct ima_namespace *ns)
> >  	INIT_LIST_HEAD(&ns->ima_temp_rules);
> >  	ns->ima_rules = (struct list_head __rcu *)(&ns->ima_default_rules);
> >  	ns->ima_policy_flag = 0;
> > +	ns->arch_policy_entry = NULL;
> >  
> >  	return 0;
> >  }
> > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> > index 69b19f4d5fee..0a7c61ca3265 100644
> > --- a/security/integrity/ima/ima_policy.c
> > +++ b/security/integrity/ima/ima_policy.c
> > @@ -228,9 +228,6 @@ static struct ima_rule_entry critical_data_rules[] __ro_after_init = {
> >  	{.action = MEASURE, .func = CRITICAL_DATA, .flags = IMA_FUNC},
> >  };
> >  
> > -/* An array of architecture specific rules */
> > -static struct ima_rule_entry *arch_policy_entry __ro_after_init;
> > -
> >  static int ima_policy __initdata;
> >  
> >  static int __init default_measure_policy_setup(char *str)
> > @@ -859,9 +856,10 @@ static int __init ima_init_arch_policy(struct ima_namespace *ns)
> >  	for (rules = arch_rules; *rules != NULL; rules++)
> >  		arch_entries++;
> >  
> > -	arch_policy_entry = kcalloc(arch_entries + 1,
> > -				    sizeof(*arch_policy_entry), GFP_KERNEL);
> > -	if (!arch_policy_entry)
> > +	ns->arch_policy_entry = kcalloc(arch_entries + 1,
> > +					sizeof(*ns->arch_policy_entry),
> > +					GFP_KERNEL);
> > +	if (!ns->arch_policy_entry)
> >  		return 0;
> >  
> >  	/* Convert each policy string rules to struct ima_rule_entry format */
> > @@ -871,13 +869,13 @@ static int __init ima_init_arch_policy(struct ima_namespace *ns)
> >  
> >  		result = strscpy(rule, *rules, sizeof(rule));
> >  
> > -		INIT_LIST_HEAD(&arch_policy_entry[i].list);
> > -		result = ima_parse_rule(ns, rule, &arch_policy_entry[i]);
> > +		INIT_LIST_HEAD(&ns->arch_policy_entry[i].list);
> > +		result = ima_parse_rule(ns, rule, &ns->arch_policy_entry[i]);
> >  		if (result) {
> >  			pr_warn("Skipping unknown architecture policy rule: %s\n",
> >  				rule);
> > -			memset(&arch_policy_entry[i], 0,
> > -			       sizeof(*arch_policy_entry));
> > +			memset(&ns->arch_policy_entry[i], 0,
> > +			       sizeof(ns->arch_policy_entry[i]));
> >  			continue;
> >  		}
> >  		i++;
> > @@ -925,7 +923,7 @@ void __init ima_init_policy(struct ima_namespace *ns)
> >  	if (!arch_entries)
> >  		pr_info("No architecture policies found\n");
> >  	else
> > -		add_rules(ns, arch_policy_entry, arch_entries,
> > +		add_rules(ns, ns->arch_policy_entry, arch_entries,
> >  			  IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY);
> >  
> >  	/*
> > @@ -1005,7 +1003,8 @@ void ima_update_policy(struct ima_namespace *ns)
> >  		 * on boot.  After loading a custom policy, free the
> >  		 * architecture specific rules stored as an array.
> >  		 */
> > -		kfree(arch_policy_entry);
> > +		kfree(ns->arch_policy_entry);
> > +		ns->arch_policy_entry = NULL;
> 
> So the thing that prevents multiple racing occurances of the above two lines is
> that ima_open_policy() sets IMA_FS_BUSY (or returns EBUSY) and then removes
> this file before clearing the flag, right?

(To correct the above: ima_update_policy completes before the flag is
cleared.  The file is not removed in all cases but that's ok.)

> Seems good.
> 
> Reviewed-by: Serge Hallyn <serge@hallyn.com>
> 
> 
> >  	}
> >  	ima_update_policy_flags(ns);
> >  
> > -- 
> > 2.34.1

Stefan Berger July 7, 2022, 2:12 p.m. UTC | #3

On 5/20/22 22:46, Serge E. Hallyn wrote:
> On Wed, Apr 20, 2022 at 10:06:11AM -0400, Stefan Berger wrote:

>> @@ -1005,7 +1003,8 @@ void ima_update_policy(struct ima_namespace *ns)
>>   		 * on boot.  After loading a custom policy, free the
>>   		 * architecture specific rules stored as an array.
>>   		 */
>> -		kfree(arch_policy_entry);
>> +		kfree(ns->arch_policy_entry);
>> +		ns->arch_policy_entry = NULL;
> 
> So the thing that prevents multiple racing occurances of the above two lines is
> that ima_open_policy() sets IMA_FS_BUSY (or returns EBUSY) and then removes
> this file before clearing the flag, right?

Correct.

> 
> Seems good.
> 
> Reviewed-by: Serge Hallyn <serge@hallyn.com>
> 
> 
>>   	}
>>   	ima_update_policy_flags(ns);
>>   
>> -- 
>> 2.34.1

diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 9bcde1a24e74..2305bf223a98 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -125,6 +125,9 @@  struct ima_namespace {
 
 	struct list_head __rcu *ima_rules;  /* Pointer to the current policy */
 	int ima_policy_flag;
+
+	/* An array of architecture specific rules */
+	struct ima_rule_entry *arch_policy_entry;
 } __randomize_layout;
 extern struct ima_namespace init_ima_ns;
 
diff --git a/security/integrity/ima/ima_init_ima_ns.c b/security/integrity/ima/ima_init_ima_ns.c
index c919a456b525..ae33621c3955 100644
--- a/security/integrity/ima/ima_init_ima_ns.c
+++ b/security/integrity/ima/ima_init_ima_ns.c
@@ -15,6 +15,7 @@  static int ima_init_namespace(struct ima_namespace *ns)
 	INIT_LIST_HEAD(&ns->ima_temp_rules);
 	ns->ima_rules = (struct list_head __rcu *)(&ns->ima_default_rules);
 	ns->ima_policy_flag = 0;
+	ns->arch_policy_entry = NULL;
 
 	return 0;
 }
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 69b19f4d5fee..0a7c61ca3265 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -228,9 +228,6 @@  static struct ima_rule_entry critical_data_rules[] __ro_after_init = {
 	{.action = MEASURE, .func = CRITICAL_DATA, .flags = IMA_FUNC},
 };
 
-/* An array of architecture specific rules */
-static struct ima_rule_entry *arch_policy_entry __ro_after_init;
-
 static int ima_policy __initdata;
 
 static int __init default_measure_policy_setup(char *str)
@@ -859,9 +856,10 @@  static int __init ima_init_arch_policy(struct ima_namespace *ns)
 	for (rules = arch_rules; *rules != NULL; rules++)
 		arch_entries++;
 
-	arch_policy_entry = kcalloc(arch_entries + 1,
-				    sizeof(*arch_policy_entry), GFP_KERNEL);
-	if (!arch_policy_entry)
+	ns->arch_policy_entry = kcalloc(arch_entries + 1,
+					sizeof(*ns->arch_policy_entry),
+					GFP_KERNEL);
+	if (!ns->arch_policy_entry)
 		return 0;
 
 	/* Convert each policy string rules to struct ima_rule_entry format */
@@ -871,13 +869,13 @@  static int __init ima_init_arch_policy(struct ima_namespace *ns)
 
 		result = strscpy(rule, *rules, sizeof(rule));
 
-		INIT_LIST_HEAD(&arch_policy_entry[i].list);
-		result = ima_parse_rule(ns, rule, &arch_policy_entry[i]);
+		INIT_LIST_HEAD(&ns->arch_policy_entry[i].list);
+		result = ima_parse_rule(ns, rule, &ns->arch_policy_entry[i]);
 		if (result) {
 			pr_warn("Skipping unknown architecture policy rule: %s\n",
 				rule);
-			memset(&arch_policy_entry[i], 0,
-			       sizeof(*arch_policy_entry));
+			memset(&ns->arch_policy_entry[i], 0,
+			       sizeof(ns->arch_policy_entry[i]));
 			continue;
 		}
 		i++;
@@ -925,7 +923,7 @@  void __init ima_init_policy(struct ima_namespace *ns)
 	if (!arch_entries)
 		pr_info("No architecture policies found\n");
 	else
-		add_rules(ns, arch_policy_entry, arch_entries,
+		add_rules(ns, ns->arch_policy_entry, arch_entries,
 			  IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY);
 
 	/*
@@ -1005,7 +1003,8 @@  void ima_update_policy(struct ima_namespace *ns)
 		 * on boot.  After loading a custom policy, free the
 		 * architecture specific rules stored as an array.
 		 */
-		kfree(arch_policy_entry);
+		kfree(ns->arch_policy_entry);
+		ns->arch_policy_entry = NULL;
 	}
 	ima_update_policy_flags(ns);

[v12,04/26] ima: Move arch_policy_entry into ima_namespace

Commit Message

Comments

Patch