From patchwork Thu Nov 30 10:56:06 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Roberto Sassu <roberto.sassu@huawei.com>
X-Patchwork-Id: 10084591
Return-Path: <linux-integrity-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	A5CA560586 for <patchwork-linux-integrity@patchwork.kernel.org>;
	Thu, 30 Nov 2017 11:00:08 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 83DDD29E65
	for <patchwork-linux-integrity@patchwork.kernel.org>;
	Thu, 30 Nov 2017 11:00:08 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 78F3729ED1; Thu, 30 Nov 2017 11:00:08 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI
	autolearn=unavailable version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 29EB629E78
	for <patchwork-linux-integrity@patchwork.kernel.org>;
	Thu, 30 Nov 2017 11:00:08 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752312AbdK3LAH (ORCPT
	<rfc822;patchwork-linux-integrity@patchwork.kernel.org>);
	Thu, 30 Nov 2017 06:00:07 -0500
Received: from lhrrgout.huawei.com ([194.213.3.17]:61897 "EHLO huawei.com"
	rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
	id S1752303AbdK3LAE (ORCPT <rfc822; linux-integrity@vger.kernel.org>);
	Thu, 30 Nov 2017 06:00:04 -0500
Received: from LHREML713-CAH.china.huawei.com (unknown [172.18.7.107])
	by Forcepoint Email with ESMTP id 026D5CF625370;
	Thu, 30 Nov 2017 11:00:01 +0000 (GMT)
Received: from localhost.localdomain (10.204.65.254) by smtpsuk.huawei.com
	(10.201.108.36) with Microsoft SMTP Server (TLS) id 14.3.361.1;
	Thu, 30 Nov 2017 10:59:53 +0000
From: Roberto Sassu <roberto.sassu@huawei.com>
To: <linux-integrity@vger.kernel.org>
CC: <linux-security-module@vger.kernel.org>, <silviu.vlasceanu@huawei.com>,
	Roberto Sassu <roberto.sassu@huawei.com>
Subject: [RFC][PATCH v2 5/9] ima: measure/appraise/audit inherited file
	descriptors
Date: Thu, 30 Nov 2017 11:56:06 +0100
Message-ID: <20171130105610.15761-6-roberto.sassu@huawei.com>
X-Mailer: git-send-email 2.11.0
In-Reply-To: <20171130105610.15761-1-roberto.sassu@huawei.com>
References: <20171130105610.15761-1-roberto.sassu@huawei.com>
MIME-Version: 1.0
X-Originating-IP: [10.204.65.254]
X-CFilter-Loop: Reflected
Sender: linux-integrity-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-integrity.vger.kernel.org>
X-Mailing-List: linux-integrity@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

IMA measures accessed files when the open() system call is executed. File
descriptors inherited during fork() can be used by another application, if
the child process invoked execve(). If credentials changed, it is possible
that opened files need to be measured/appraised/audited.

This patch introduces the function flush_unauthorized_files(), which
calls process_measurement() for each inherited file descriptors, and passes
to that function the new credentials of the process. If the appraisal
status is not valid, IMA prevents the process from using the inherited file
descriptor.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
 security/integrity/ima/ima_main.c | 61 +++++++++++++++++++++++++++++++++++++--
 1 file changed, 59 insertions(+), 2 deletions(-)

diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index fb144177a783..a12f8a148e5e 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -24,6 +24,7 @@
 #include <linux/slab.h>
 #include <linux/xattr.h>
 #include <linux/ima.h>
+#include <linux/fdtable.h>
 
 #include "ima.h"
 
@@ -279,6 +280,57 @@ static int process_measurement(struct file *file, const struct cred *cred,
 	return 0;
 }
 
+static int match_file(const void *p, struct file *file, unsigned int fd)
+{
+	*((struct file **) p) = file;
+	return fd + 1;
+}
+
+static int file_mode_to_mask(struct file *file)
+{
+	int mask = 0;
+
+	if (file->f_mode & FMODE_READ)
+		mask |= MAY_READ;
+	if (file->f_mode & FMODE_WRITE)
+		mask |= MAY_WRITE;
+	if (file->f_mode & FMODE_EXEC)
+		mask |= MAY_EXEC;
+
+	return mask;
+}
+
+/* derived from security/selinux/hooks.c */
+static inline void flush_unauthorized_files(const struct cred *cred,
+					    struct files_struct *files)
+{
+	struct file *devnull = NULL;
+	struct file *file;
+	int result, mask;
+
+	unsigned int n;
+
+	/* Revalidate access to inherited open files. */
+	n = iterate_fd(files, 0, match_file, &file);
+	if (!n) /* none found? */
+		return;
+
+	devnull = dentry_open(&ima_null, O_RDWR, cred);
+	if (IS_ERR(devnull))
+		devnull = NULL;
+	/* replace all the matching ones with this */
+	do {
+		mask = file_mode_to_mask(file);
+		result = process_measurement(file, cred, NULL, 0,
+				   mask & (MAY_READ | MAY_WRITE | MAY_EXEC |
+				   MAY_APPEND), FILE_CHECK, 0);
+		if (result < 0)
+			replace_fd(n - 1, devnull, 0);
+	} while ((n = iterate_fd(files, n, match_file, &file)) != 0);
+	if (devnull)
+		fput(devnull);
+}
+
 /**
  * ima_file_mmap - based on policy, collect/store measurement.
  * @file: pointer to the file to be measured (May be NULL)
@@ -319,8 +371,13 @@ int ima_bprm_check(struct linux_binprm *bprm)
 				  MAY_EXEC, BPRM_CHECK, 0);
 	if (ret)
 		return ret;
-	return process_measurement(bprm->file, bprm->cred, NULL, 0,
-				   MAY_EXEC, CREDS_CHECK, 0);
+	ret = process_measurement(bprm->file, bprm->cred, NULL, 0,
+				  MAY_EXEC, CREDS_CHECK, 0);
+	if (ret)
+		return ret;
+
+	flush_unauthorized_files(bprm->cred, current->files);
+	return 0;
 }
 
 /**