From: Kees Cook <keescook@chromium.org>
To: Scott Branden <scott.branden@broadcom.com>
Cc: Kees Cook <keescook@chromium.org>,
Mimi Zohar <zohar@linux.ibm.com>,
Matthew Wilcox <willy@infradead.org>,
James Morris <jmorris@namei.org>,
Luis Chamberlain <mcgrof@kernel.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
"Rafael J. Wysocki" <rafael@kernel.org>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Jessica Yu <jeyu@kernel.org>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
Casey Schaufler <casey@schaufler-ca.com>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Peter Zijlstra <peterz@infradead.org>,
Matthew Garrett <matthewgarrett@google.com>,
David Howells <dhowells@redhat.com>,
Mauro Carvalho Chehab <mchehab+huawei@kernel.org>,
Randy Dunlap <rdunlap@infradead.org>,
"Joel Fernandes (Google)" <joel@joelfernandes.org>,
KP Singh <kpsingh@google.com>, Dave Olsthoorn <dave@bewaar.me>,
Hans de Goede <hdegoede@redhat.com>,
Peter Jones <pjones@redhat.com>,
Andrew Morton <akpm@linux-foundation.org>,
Stephen Boyd <stephen.boyd@linaro.org>,
Paul Moore <paul@paul-moore.com>,
Stephen Smalley <stephen.smalley.work@gmail.com>,
linux-security-module@vger.kernel.org,
linux-integrity@vger.kernel.org, selinux@vger.kernel.org,
linux-fsdevel@vger.kernel.org, kexec@lists.infradead.org,
linux-kernel@vger.kernel.org
Subject: [PATCH 10/13] firmware_loader: Use security_post_load_data()
Date: Fri, 17 Jul 2020 10:43:05 -0700 [thread overview]
Message-ID: <20200717174309.1164575-11-keescook@chromium.org> (raw)
In-Reply-To: <20200717174309.1164575-1-keescook@chromium.org>
Now that security_post_load_data() is wired up, use it instead
of the NULL file argument style of security_post_read_file(),
and update the security_kernel_load_data() call to indicate that a
security_kernel_post_load_data() call is expected.
Wire up the IMA check to match earlier logic. Perhaps a generalized
change to ima_post_load_data() might look something like this:
return process_buffer_measurement(buf, size,
kernel_load_data_id_str(load_id),
read_idmap[load_id] ?: FILE_CHECK,
0, NULL);
Signed-off-by: Kees Cook <keescook@chromium.org>
---
drivers/base/firmware_loader/fallback.c | 8 ++++----
.../base/firmware_loader/fallback_platform.c | 7 ++++++-
security/integrity/ima/ima_main.c | 20 +++++++++----------
3 files changed, 20 insertions(+), 15 deletions(-)
diff --git a/drivers/base/firmware_loader/fallback.c b/drivers/base/firmware_loader/fallback.c
index a196aacce22c..7cfdfdcb819c 100644
--- a/drivers/base/firmware_loader/fallback.c
+++ b/drivers/base/firmware_loader/fallback.c
@@ -272,9 +272,9 @@ static ssize_t firmware_loading_store(struct device *dev,
dev_err(dev, "%s: map pages failed\n",
__func__);
else
- rc = security_kernel_post_read_file(NULL,
- fw_priv->data, fw_priv->size,
- READING_FIRMWARE);
+ rc = security_kernel_post_load_data(fw_priv->data,
+ fw_priv->size,
+ LOADING_FIRMWARE);
/*
* Same logic as fw_load_abort, only the DONE bit
@@ -613,7 +613,7 @@ static bool fw_run_sysfs_fallback(u32 opt_flags)
return false;
/* Also permit LSMs and IMA to fail firmware sysfs fallback */
- ret = security_kernel_load_data(LOADING_FIRMWARE, false);
+ ret = security_kernel_load_data(LOADING_FIRMWARE, true);
if (ret < 0)
return false;
diff --git a/drivers/base/firmware_loader/fallback_platform.c b/drivers/base/firmware_loader/fallback_platform.c
index a12c79d47efc..4d1157af0e86 100644
--- a/drivers/base/firmware_loader/fallback_platform.c
+++ b/drivers/base/firmware_loader/fallback_platform.c
@@ -17,7 +17,7 @@ int firmware_fallback_platform(struct fw_priv *fw_priv, u32 opt_flags)
if (!(opt_flags & FW_OPT_FALLBACK_PLATFORM))
return -ENOENT;
- rc = security_kernel_load_data(LOADING_FIRMWARE, false);
+ rc = security_kernel_load_data(LOADING_FIRMWARE, true);
if (rc)
return rc;
@@ -27,6 +27,11 @@ int firmware_fallback_platform(struct fw_priv *fw_priv, u32 opt_flags)
if (fw_priv->data && size > fw_priv->allocated_size)
return -ENOMEM;
+
+ rc = security_kernel_post_load_data((u8 *)data, size, LOADING_FIRMWARE);
+ if (rc)
+ return rc;
+
if (!fw_priv->data)
fw_priv->data = vmalloc(size);
if (!fw_priv->data)
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 85000dc8595c..1a7bc4c7437d 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -648,15 +648,6 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size,
enum ima_hooks func;
u32 secid;
- if (!file && read_id == READING_FIRMWARE) {
- if ((ima_appraise & IMA_APPRAISE_FIRMWARE) &&
- (ima_appraise & IMA_APPRAISE_ENFORCE)) {
- pr_err("Prevent firmware loading_store.\n");
- return -EACCES; /* INTEGRITY_UNKNOWN */
- }
- return 0;
- }
-
/* permit signed certs */
if (!file && read_id == READING_X509_CERTIFICATE)
return 0;
@@ -706,7 +697,7 @@ int ima_load_data(enum kernel_load_data_id id, bool contents)
}
break;
case LOADING_FIRMWARE:
- if (ima_enforce && (ima_appraise & IMA_APPRAISE_FIRMWARE)) {
+ if (ima_enforce && (ima_appraise & IMA_APPRAISE_FIRMWARE) && !contents) {
pr_err("Prevent firmware sysfs fallback loading.\n");
return -EACCES; /* INTEGRITY_UNKNOWN */
}
@@ -739,6 +730,15 @@ int ima_load_data(enum kernel_load_data_id id, bool contents)
*/
int ima_post_load_data(char *buf, loff_t size, enum kernel_load_data_id load_id)
{
+ if (load_id == LOADING_FIRMWARE) {
+ if ((ima_appraise & IMA_APPRAISE_FIRMWARE) &&
+ (ima_appraise & IMA_APPRAISE_ENFORCE)) {
+ pr_err("Prevent firmware loading_store.\n");
+ return -EACCES; /* INTEGRITY_UNKNOWN */
+ }
+ return 0;
+ }
+
return 0;
}
--
2.25.1
WARNING: multiple messages have this Message-ID (diff)
From: Kees Cook <keescook@chromium.org>
To: Scott Branden <scott.branden@broadcom.com>
Cc: "Rafael J. Wysocki" <rafael@kernel.org>,
Peter Zijlstra <peterz@infradead.org>,
Stephen Boyd <stephen.boyd@linaro.org>,
Mimi Zohar <zohar@linux.ibm.com>,
David Howells <dhowells@redhat.com>,
Peter Jones <pjones@redhat.com>,
"Joel Fernandes (Google)" <joel@joelfernandes.org>,
linux-security-module@vger.kernel.org,
Paul Moore <paul@paul-moore.com>,
Mauro Carvalho Chehab <mchehab+huawei@kernel.org>,
Matthew Garrett <matthewgarrett@google.com>,
James Morris <jmorris@namei.org>,
Matthew Wilcox <willy@infradead.org>,
KP Singh <kpsingh@google.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
Kees Cook <keescook@chromium.org>,
selinux@vger.kernel.org, Jessica Yu <jeyu@kernel.org>,
Hans de Goede <hdegoede@redhat.com>,
Alexander Viro <viro@zeniv.linux.org.uk>,
linux-integrity@vger.kernel.org,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Stephen Smalley <stephen.smalley.work@gmail.com>,
Randy Dunlap <rdunlap@infradead.org>,
kexec@lists.infradead.org, linux-kernel@vger.kernel.org,
Luis Chamberlain <mcgrof@kernel.org>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Dave Olsthoorn <dave@bewaar.me>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
Casey Schaufler <casey@schaufler-ca.com>,
linux-fsdevel@vger.kernel.org,
Andrew Morton <akpm@linux-foundation.org>
Subject: [PATCH 10/13] firmware_loader: Use security_post_load_data()
Date: Fri, 17 Jul 2020 10:43:05 -0700 [thread overview]
Message-ID: <20200717174309.1164575-11-keescook@chromium.org> (raw)
In-Reply-To: <20200717174309.1164575-1-keescook@chromium.org>
Now that security_post_load_data() is wired up, use it instead
of the NULL file argument style of security_post_read_file(),
and update the security_kernel_load_data() call to indicate that a
security_kernel_post_load_data() call is expected.
Wire up the IMA check to match earlier logic. Perhaps a generalized
change to ima_post_load_data() might look something like this:
return process_buffer_measurement(buf, size,
kernel_load_data_id_str(load_id),
read_idmap[load_id] ?: FILE_CHECK,
0, NULL);
Signed-off-by: Kees Cook <keescook@chromium.org>
---
drivers/base/firmware_loader/fallback.c | 8 ++++----
.../base/firmware_loader/fallback_platform.c | 7 ++++++-
security/integrity/ima/ima_main.c | 20 +++++++++----------
3 files changed, 20 insertions(+), 15 deletions(-)
diff --git a/drivers/base/firmware_loader/fallback.c b/drivers/base/firmware_loader/fallback.c
index a196aacce22c..7cfdfdcb819c 100644
--- a/drivers/base/firmware_loader/fallback.c
+++ b/drivers/base/firmware_loader/fallback.c
@@ -272,9 +272,9 @@ static ssize_t firmware_loading_store(struct device *dev,
dev_err(dev, "%s: map pages failed\n",
__func__);
else
- rc = security_kernel_post_read_file(NULL,
- fw_priv->data, fw_priv->size,
- READING_FIRMWARE);
+ rc = security_kernel_post_load_data(fw_priv->data,
+ fw_priv->size,
+ LOADING_FIRMWARE);
/*
* Same logic as fw_load_abort, only the DONE bit
@@ -613,7 +613,7 @@ static bool fw_run_sysfs_fallback(u32 opt_flags)
return false;
/* Also permit LSMs and IMA to fail firmware sysfs fallback */
- ret = security_kernel_load_data(LOADING_FIRMWARE, false);
+ ret = security_kernel_load_data(LOADING_FIRMWARE, true);
if (ret < 0)
return false;
diff --git a/drivers/base/firmware_loader/fallback_platform.c b/drivers/base/firmware_loader/fallback_platform.c
index a12c79d47efc..4d1157af0e86 100644
--- a/drivers/base/firmware_loader/fallback_platform.c
+++ b/drivers/base/firmware_loader/fallback_platform.c
@@ -17,7 +17,7 @@ int firmware_fallback_platform(struct fw_priv *fw_priv, u32 opt_flags)
if (!(opt_flags & FW_OPT_FALLBACK_PLATFORM))
return -ENOENT;
- rc = security_kernel_load_data(LOADING_FIRMWARE, false);
+ rc = security_kernel_load_data(LOADING_FIRMWARE, true);
if (rc)
return rc;
@@ -27,6 +27,11 @@ int firmware_fallback_platform(struct fw_priv *fw_priv, u32 opt_flags)
if (fw_priv->data && size > fw_priv->allocated_size)
return -ENOMEM;
+
+ rc = security_kernel_post_load_data((u8 *)data, size, LOADING_FIRMWARE);
+ if (rc)
+ return rc;
+
if (!fw_priv->data)
fw_priv->data = vmalloc(size);
if (!fw_priv->data)
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 85000dc8595c..1a7bc4c7437d 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -648,15 +648,6 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size,
enum ima_hooks func;
u32 secid;
- if (!file && read_id == READING_FIRMWARE) {
- if ((ima_appraise & IMA_APPRAISE_FIRMWARE) &&
- (ima_appraise & IMA_APPRAISE_ENFORCE)) {
- pr_err("Prevent firmware loading_store.\n");
- return -EACCES; /* INTEGRITY_UNKNOWN */
- }
- return 0;
- }
-
/* permit signed certs */
if (!file && read_id == READING_X509_CERTIFICATE)
return 0;
@@ -706,7 +697,7 @@ int ima_load_data(enum kernel_load_data_id id, bool contents)
}
break;
case LOADING_FIRMWARE:
- if (ima_enforce && (ima_appraise & IMA_APPRAISE_FIRMWARE)) {
+ if (ima_enforce && (ima_appraise & IMA_APPRAISE_FIRMWARE) && !contents) {
pr_err("Prevent firmware sysfs fallback loading.\n");
return -EACCES; /* INTEGRITY_UNKNOWN */
}
@@ -739,6 +730,15 @@ int ima_load_data(enum kernel_load_data_id id, bool contents)
*/
int ima_post_load_data(char *buf, loff_t size, enum kernel_load_data_id load_id)
{
+ if (load_id == LOADING_FIRMWARE) {
+ if ((ima_appraise & IMA_APPRAISE_FIRMWARE) &&
+ (ima_appraise & IMA_APPRAISE_ENFORCE)) {
+ pr_err("Prevent firmware loading_store.\n");
+ return -EACCES; /* INTEGRITY_UNKNOWN */
+ }
+ return 0;
+ }
+
return 0;
}
--
2.25.1
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
next prev parent reply other threads:[~2020-07-17 17:43 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-17 17:42 [PATCH 00/13] Introduce partial kernel_read_file() support Kees Cook
2020-07-17 17:42 ` Kees Cook
2020-07-17 17:42 ` [PATCH 01/13] firmware_loader: EFI firmware loader must handle pre-allocated buffer Kees Cook
2020-07-17 17:42 ` Kees Cook
2020-07-17 19:08 ` Scott Branden
2020-07-17 19:08 ` Scott Branden
2020-07-17 17:42 ` [PATCH 02/13] fs/kernel_read_file: Remove FIRMWARE_PREALLOC_BUFFER enum Kees Cook
2020-07-17 17:42 ` Kees Cook
2020-07-17 19:09 ` Scott Branden
2020-07-17 19:09 ` Scott Branden
2020-07-17 17:42 ` [PATCH 03/13] fs/kernel_read_file: Remove FIRMWARE_EFI_EMBEDDED enum Kees Cook
2020-07-17 17:42 ` Kees Cook
2020-07-17 19:10 ` Scott Branden
2020-07-17 19:10 ` Scott Branden
2020-07-17 17:42 ` [PATCH 04/13] fs/kernel_read_file: Split into separate include file Kees Cook
2020-07-17 17:42 ` Kees Cook
2020-07-17 17:43 ` [PATCH 05/13] fs/kernel_read_file: Split into separate source file Kees Cook
2020-07-17 17:43 ` Kees Cook
2020-07-17 19:11 ` Scott Branden
2020-07-17 19:11 ` Scott Branden
2020-07-17 17:43 ` [PATCH 06/13] fs/kernel_read_file: Remove redundant size argument Kees Cook
2020-07-17 17:43 ` Kees Cook
2020-07-17 19:04 ` Scott Branden
2020-07-17 19:04 ` Scott Branden
2020-07-17 19:55 ` Scott Branden
2020-07-17 19:55 ` Scott Branden
2020-07-17 22:06 ` Kees Cook
2020-07-17 22:06 ` Kees Cook
2020-07-18 5:44 ` Scott Branden
2020-07-18 5:44 ` Scott Branden
2020-07-21 21:43 ` Scott Branden
2020-07-21 21:43 ` Scott Branden
2020-07-21 21:50 ` Kees Cook
2020-07-21 21:50 ` Kees Cook
2020-07-17 17:43 ` [PATCH 07/13] fs/kernel_read_file: Switch buffer size arg to size_t Kees Cook
2020-07-17 17:43 ` Kees Cook
2020-07-20 8:34 ` David Laight
2020-07-20 8:34 ` David Laight
2020-07-17 17:43 ` [PATCH 08/13] fs/kernel_read_file: Add file_size output argument Kees Cook
2020-07-17 17:43 ` Kees Cook
2020-07-17 17:43 ` [PATCH 09/13] LSM: Introduce kernel_post_load_data() hook Kees Cook
2020-07-17 17:43 ` Kees Cook
2020-07-17 17:43 ` Kees Cook [this message]
2020-07-17 17:43 ` [PATCH 10/13] firmware_loader: Use security_post_load_data() Kees Cook
2020-07-17 17:43 ` [PATCH 11/13] module: Call security_kernel_post_load_data() Kees Cook
2020-07-17 17:43 ` Kees Cook
2020-07-17 17:43 ` [PATCH 12/13] LSM: Add "contents" flag to kernel_read_file hook Kees Cook
2020-07-17 17:43 ` Kees Cook
2020-07-17 17:43 ` [PATCH 13/13] fs/kernel_file_read: Add "offset" arg for partial reads Kees Cook
2020-07-17 17:43 ` Kees Cook
2020-07-17 19:17 ` [PATCH 00/13] Introduce partial kernel_read_file() support Scott Branden
2020-07-17 19:17 ` Scott Branden
2020-07-17 22:10 ` Kees Cook
2020-07-17 22:10 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200717174309.1164575-11-keescook@chromium.org \
--to=keescook@chromium.org \
--cc=akpm@linux-foundation.org \
--cc=casey@schaufler-ca.com \
--cc=dave@bewaar.me \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=ebiederm@xmission.com \
--cc=gregkh@linuxfoundation.org \
--cc=hdegoede@redhat.com \
--cc=jeyu@kernel.org \
--cc=jmorris@namei.org \
--cc=joel@joelfernandes.org \
--cc=kexec@lists.infradead.org \
--cc=kpsingh@google.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=matthewgarrett@google.com \
--cc=mcgrof@kernel.org \
--cc=mchehab+huawei@kernel.org \
--cc=paul@paul-moore.com \
--cc=peterz@infradead.org \
--cc=pjones@redhat.com \
--cc=rafael@kernel.org \
--cc=rdunlap@infradead.org \
--cc=scott.branden@broadcom.com \
--cc=selinux@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=stephen.boyd@linaro.org \
--cc=stephen.smalley.work@gmail.com \
--cc=viro@zeniv.linux.org.uk \
--cc=willy@infradead.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.