From patchwork Thu Nov 30 10:56:06 2017
X-Patchwork-Submitter: Roberto Sassu
X-Patchwork-Id: 10084589
From: Roberto Sassu
CC: Roberto Sassu
Subject: [RFC][PATCH v2 5/9] ima: measure/appraise/audit inherited file descriptors
Date: Thu, 30 Nov 2017 11:56:06 +0100
Message-ID: <20171130105610.15761-6-roberto.sassu@huawei.com>
In-Reply-To: <20171130105610.15761-1-roberto.sassu@huawei.com>
References: <20171130105610.15761-1-roberto.sassu@huawei.com>

IMA measures accessed files when the open() system call is executed. File descriptors inherited during fork() can be used by another application, if the child process invoked execve(). If credentials changed, it is possible that opened files need to be measured/appraised/audited.

This patch introduces the function flush_unauthorized_files(), which calls process_measurement() for each inherited file descriptor, and passes to that function the new credentials of the process. If the appraisal status is not valid, IMA prevents the process from using the inherited file descriptor.

Signed-off-by: Roberto Sassu
---
 security/integrity/ima/ima_main.c | 61 +++++++++++++++++++++++++++++++++++++--
 1 file changed, 59 insertions(+), 2 deletions(-)

diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index fb144177a783..a12f8a148e5e 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -24,6 +24,7 @@ #include #include #include +#include #include "ima.h" 
@@ -279,6 +280,57 @@ static int process_measurement(struct file *file, const struct cred *cred, return 0; } +static int match_file(const void *p, struct file *file, unsigned int fd) +{ + *((struct file **) p) = file; + return fd + 1; +} + +static int file_mode_to_mask(struct file *file) +{ + int mask = 0; + + if (file->f_mode & FMODE_READ) + mask |= MAY_READ; + if (file->f_mode & FMODE_WRITE) + mask |= MAY_WRITE; + if (file->f_mode & FMODE_EXEC) + mask |= MAY_EXEC; + + return mask; +} + +/* derived from security/selinux/hooks.c */ +static inline void flush_unauthorized_files(const struct cred *cred, + struct files_struct *files) +{ + struct file *devnull = NULL; + struct file *file; + int result, mask; + + unsigned int n; + + /* Revalidate access to inherited open files. */ + n = iterate_fd(files, 0, match_file, &file); + if (!n) /* none found? */ + return; + + devnull = dentry_open(&ima_null, O_RDWR, cred); + if (IS_ERR(devnull)) + devnull = NULL; + /* replace all the matching ones with this */ + do { + mask = file_mode_to_mask(file); + result = process_measurement(file, cred, NULL, 0, + mask & (MAY_READ | MAY_WRITE | MAY_EXEC | + MAY_APPEND), FILE_CHECK, 0); + if (result < 0) + replace_fd(n - 1, devnull, 0); + } while ((n = iterate_fd(files, n, match_file, &file)) != 0); + if (devnull) + fput(devnull); +} + /** * ima_file_mmap - based on policy, collect/store measurement. * @file: pointer to the file to be measured (May be NULL) @@ -319,8 +371,13 @@ int ima_bprm_check(struct linux_binprm *bprm) MAY_EXEC, BPRM_CHECK, 0); if (ret) return ret; - return process_measurement(bprm->file, bprm->cred, NULL, 0, - MAY_EXEC, CREDS_CHECK, 0); + ret = process_measurement(bprm->file, bprm->cred, NULL, 0, + MAY_EXEC, CREDS_CHECK, 0); + if (ret) + return ret; + + flush_unauthorized_files(bprm->cred, current->files); + return 0; } /**
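Review bot: In flush_unauthorized_files() (hunk @@ -279,6 +280,57 @@), match_file() hands the struct file pointer back through a cast that drops the const on p and takes no reference, and process_measurement() then uses that pointer after iterate_fd() has returned. Either hold a reference for the duration of the check (get_file() in match_file(), fput() after process_measurement()) or add a comment stating why the descriptor table cannot change at this point of execve. Separately, the mask passed to process_measurement() is filtered with MAY_APPEND, but file_mode_to_mask() never sets that bit, so append-mode descriptors are not distinguished; derive it from the file's open flags or drop it from the filter. When dentry_open() fails, devnull is set to NULL and replace_fd(n - 1, devnull, 0) is still called, so a short comment on the intended outcome for that path would help.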
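Review bot: In ima_bprm_check() (hunk @@ -319,8 +371,13 @@), flush_unauthorized_files(bprm->cred, current->files) runs unconditionally once CREDS_CHECK succeeds, while the commit message motivates the re-check by a credential change. Either gate the call on the new credentials differing from the current ones, or state in a comment that policy evaluation inside process_measurement() is what limits the work, since this adds a walk over every open descriptor to each call. The helper also returns void, so ima_bprm_check() returns 0 even when descriptors were replaced; a comment that this is intended (exec proceeds with the descriptor pointed at devnull) would make the failure mode explicit.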