From patchwork Thu May 17 14:48:44 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mimi Zohar X-Patchwork-Id: 10406925 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 5F49E6037D for ; Thu, 17 May 2018 14:52:23 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 48666285FC for ; Thu, 17 May 2018 14:52:23 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 452FD286A2; Thu, 17 May 2018 14:52:23 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00, MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7A5C828999 for ; Thu, 17 May 2018 14:51:34 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752106AbeEQOtq (ORCPT ); Thu, 17 May 2018 10:49:46 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:35986 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1752446AbeEQOtn (ORCPT ); Thu, 17 May 2018 10:49:43 -0400 Received: from pps.filterd (m0098420.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w4HEjSva145620 for ; Thu, 17 May 2018 10:49:43 -0400 Received: from e06smtp13.uk.ibm.com (e06smtp13.uk.ibm.com [195.75.94.109]) by mx0b-001b2d01.pphosted.com with ESMTP id 2j199r82xq-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Thu, 17 May 2018 10:49:42 -0400 Received: from localhost by e06smtp13.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Thu, 17 May 2018 15:49:40 +0100 Received: from b06cxnps3074.portsmouth.uk.ibm.com (9.149.109.194) by e06smtp13.uk.ibm.com (192.168.101.143) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Thu, 17 May 2018 15:49:35 +0100 Received: from d06av22.portsmouth.uk.ibm.com (d06av22.portsmouth.uk.ibm.com [9.149.105.58]) by b06cxnps3074.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id w4HEnZhX59703366; Thu, 17 May 2018 14:49:35 GMT Received: from d06av22.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id F26024C04A; Thu, 17 May 2018 15:41:23 +0100 (BST) Received: from d06av22.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 39FCA4C044; Thu, 17 May 2018 15:41:22 +0100 (BST) Received: from localhost.ibm.com (unknown [9.80.108.64]) by d06av22.portsmouth.uk.ibm.com (Postfix) with ESMTP; Thu, 17 May 2018 15:41:22 +0100 (BST) From: Mimi Zohar To: linux-integrity@vger.kernel.org Cc: Mimi Zohar , linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, David Howells , "Luis R . Rodriguez" , Eric Biederman , kexec@lists.infradead.org, Andres Rodriguez , Greg Kroah-Hartman , Ard Biesheuvel , Kees Cook , Casey Schaufler Subject: [PATCH v2 3/9] security: define security_kernel_read_blob() wrapper Date: Thu, 17 May 2018 10:48:44 -0400 X-Mailer: git-send-email 2.7.5 In-Reply-To: <1526568530-9144-1-git-send-email-zohar@linux.vnet.ibm.com> References: <1526568530-9144-1-git-send-email-zohar@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 18051714-0012-0000-0000-000005D7A6FD X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 18051714-0013-0000-0000-00001954D356 Message-Id: <1526568530-9144-4-git-send-email-zohar@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-05-17_08:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=1 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1709140000 definitions=main-1805170137 Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP In order for LSMs and IMA-appraisal to differentiate between the original and new syscalls (eg. kexec, kernel modules, firmware), both the original and new syscalls must call an LSM hook. Commit 2e72d51b4ac3 ("security: introduce kernel_module_from_file hook") introduced calling security_kernel_module_from_file() in both the original and new syscalls. Commit a1db74209483 ("module: replace copy_module_from_fd with kernel version") replaced these LSM calls with security_kernel_read_file(). Commit e40ba6d56b41 ("firmware: replace call to fw_read_file_contents() with kernel version") and commit b804defe4297 ("kexec: replace call to copy_file_from_fd() with kernel version") replaced their own version of reading a file from the kernel with the generic kernel_read_file_from_path/fd() versions, which call the pre and post security_kernel_read_file LSM hooks. Missing are LSM calls in the original kexec syscall and firmware sysfs fallback method. From a technical perspective there is no justification for defining a new LSM hook, as the existing security_kernel_read_file() works just fine. The original syscalls, however, do not read a file, so the security hook name is inappropriate. Instead of defining a new LSM hook, this patch defines security_kernel_read_blob() as a wrapper for the existing LSM security_kernel_file_read() hook. Signed-off-by: Mimi Zohar Cc: Eric Biederman Cc: Luis R. Rodriguez Cc: Kees Cook Cc: David Howells Cc: Casey Schaufler Changelog v2: - Define a generic wrapper named security_kernel_read_blob() for security_kernel_read_file(). Changelog v1: - Define and call security_kexec_load(), a wrapper for security_kernel_read_file(). Nacked-by: "Eric W. Biederman" --- include/linux/security.h | 6 ++++++ security/security.c | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/include/linux/security.h b/include/linux/security.h index 63030c85ee19..4db1967a688b 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -323,6 +323,7 @@ int security_kernel_module_request(char *kmod_name); int security_kernel_read_file(struct file *file, enum kernel_read_file_id id); int security_kernel_post_read_file(struct file *file, char *buf, loff_t size, enum kernel_read_file_id id); +int security_kernel_read_blob(enum kernel_read_file_id id); int security_task_fix_setuid(struct cred *new, const struct cred *old, int flags); int security_task_setpgid(struct task_struct *p, pid_t pgid); @@ -922,6 +923,11 @@ static inline int security_kernel_post_read_file(struct file *file, return 0; } +static inline int security_kernel_read_blob(enum kernel_read_file_id id) +{ + return 0; +} + static inline int security_task_fix_setuid(struct cred *new, const struct cred *old, int flags) diff --git a/security/security.c b/security/security.c index 68f46d849abe..8f199b2bf4a2 100644 --- a/security/security.c +++ b/security/security.c @@ -1044,6 +1044,12 @@ int security_kernel_read_file(struct file *file, enum kernel_read_file_id id) } EXPORT_SYMBOL_GPL(security_kernel_read_file); +int security_kernel_read_blob(enum kernel_read_file_id id) +{ + return security_kernel_read_file(NULL, id); +} +EXPORT_SYMBOL_GPL(security_kernel_read_blob); + int security_kernel_post_read_file(struct file *file, char *buf, loff_t size, enum kernel_read_file_id id) {