From: Stefan Berger <stefanb@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: zohar@linux.ibm.com, serge@hallyn.com,
christian.brauner@ubuntu.com, containers@lists.linux.dev,
dmitry.kasatkin@gmail.com, ebiederm@xmission.com,
krzysztof.struczynski@huawei.com, roberto.sassu@huawei.com,
mpeters@redhat.com, lhinds@redhat.com, lsturman@redhat.com,
puiterwi@redhat.com, jejb@linux.ibm.com, jamjoom@us.ibm.com,
linux-kernel@vger.kernel.org, paul@paul-moore.com,
rgb@redhat.com, linux-security-module@vger.kernel.org,
jmorris@namei.org, jpenumak@redhat.com,
Mehmet Kayaalp <mkayaalp@linux.vnet.ibm.com>,
Stefan Berger <stefanb@linux.ibm.com>
Subject: [PATCH v12 19/26] ima: Namespace audit status flags
Date: Wed, 20 Apr 2022 10:06:26 -0400 [thread overview]
Message-ID: <20220420140633.753772-20-stefanb@linux.ibm.com> (raw)
In-Reply-To: <20220420140633.753772-1-stefanb@linux.ibm.com>
From: Mehmet Kayaalp <mkayaalp@linux.vnet.ibm.com>
The iint cache stores whether the file is measured, appraised, audited
etc. This patch moves the IMA_AUDIT and IMA_AUDITED flags into the
per-namespace ns_status, enabling IMA audit mechanism to audit the same
file each time it is accessed in a new namespace.
Read and write operations on the iint flags is replaced with function
calls. For reading, iint_flags() returns the bitwise OR of iint->flags
and ns_status->flags. The ns_status flags are masked with
IMA_NS_STATUS_FLAGS (currently only IMA_AUDIT & IMA_AUDITED) while the
iint flags are masked with ~IMA_NS_STATUS_FLAGS. Similarly,
set_iint_flags() writes the one masked portion to the ns_status flags,
while the iint flags receive the remaining flags. The ns_status
parameter added to ima_audit_measurement() is used with the above
functions to query and set the ns_status flags.
Replace all occurrences where the IMA_AUDITED flag is set with the
iint_flags() and set_iint_flags() operations so that the splitting
and merging of the flags works properly. Whenever the IMA_AUDITED flag is
tested, use iint_flags() to receive the merged version of the flags.
Since IMA_AUDITED is also part of the IMA_DONE_MASK, use the new
functions wherever the IMA_DONE_MASK is involved.
Move the IMA_AUDIT flag also into the ns_status flags since this flag
is dependent on policy rules that may be different per namespace.
Signed-off-by: Mehmet Kayaalp <mkayaalp@linux.vnet.ibm.com>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
v9:
- Use ns_status also in non-namespaced case and use same flag splitting
for namespaced and non-namespaced case, thus use one implementation
for iint_flags() and set_iint_flags()
- Merge-in patch 'Enable re-auditing of modified files'
- Use one implementation of mask_iint_ns_status_flags() for namespaced
and non-namespaced case
- Added IMA_AUDIT to IMA_NS_STATUS_FLAGS since it's a per namespace flag
---
security/integrity/ima/ima.h | 40 ++++++++++++++++++++--
security/integrity/ima/ima_api.c | 8 +++--
security/integrity/ima/ima_main.c | 56 ++++++++++++++++++++++++++-----
security/integrity/integrity.h | 3 ++
4 files changed, 94 insertions(+), 13 deletions(-)
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 7a08fdce7ebc..b7e1f4b5eb30 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -314,7 +314,8 @@ int process_buffer_measurement(struct ima_namespace *ns,
int pcr, const char *func_data,
bool buf_hash, u8 *digest, size_t digest_len);
void ima_audit_measurement(struct integrity_iint_cache *iint,
- const unsigned char *filename);
+ const unsigned char *filename,
+ struct ns_status *ns_status);
int ima_alloc_init_template(struct ima_event_data *event_data,
struct ima_template_entry **entry,
struct ima_template_desc *template_desc);
@@ -497,6 +498,34 @@ static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op,
#define POLICY_FILE_FLAGS S_IWUSR
#endif /* CONFIG_IMA_READ_POLICY */
+#define IMA_NS_STATUS_ACTIONS IMA_AUDIT
+#define IMA_NS_STATUS_FLAGS (IMA_AUDIT | IMA_AUDITED)
+
+static inline unsigned long iint_flags(struct integrity_iint_cache *iint,
+ struct ns_status *ns_status)
+{
+ if (!ns_status)
+ return iint->flags;
+
+ return (iint->flags & ~IMA_NS_STATUS_FLAGS) |
+ (ns_status->flags & IMA_NS_STATUS_FLAGS);
+}
+
+static inline unsigned long set_iint_flags(struct integrity_iint_cache *iint,
+ struct ns_status *ns_status,
+ unsigned long flags)
+{
+ unsigned long ns_status_flags = flags & IMA_NS_STATUS_FLAGS;
+
+ WARN_ON(!ns_status && ns_status_flags);
+
+ iint->flags = flags & ~IMA_NS_STATUS_FLAGS;
+ if (ns_status)
+ ns_status->flags = ns_status_flags;
+
+ return flags;
+}
+
static inline
struct user_namespace *ima_user_ns_from_file(const struct file *filp)
{
@@ -534,7 +563,14 @@ static inline struct ns_status *ima_get_ns_status
struct inode *inode,
struct integrity_iint_cache *iint)
{
- return NULL;
+ struct ns_status *ns_status = &iint->ns_status;
+
+ if (list_empty(&iint->ns_list)) {
+ ns_status_init(ns_status);
+ list_add(&ns_status->ns_next, &iint->ns_list);
+ }
+
+ return ns_status;
}
#endif /* CONFIG_IMA_NS */
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index 1b6c3e6174cd..d179cb41b8c8 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -346,14 +346,16 @@ void ima_store_measurement(struct ima_namespace *ns,
}
void ima_audit_measurement(struct integrity_iint_cache *iint,
- const unsigned char *filename)
+ const unsigned char *filename,
+ struct ns_status *ns_status)
{
struct audit_buffer *ab;
char *hash;
const char *algo_name = hash_algo_name[iint->ima_hash->algo];
int i;
+ unsigned long flags = iint_flags(iint, ns_status);
- if (iint->flags & IMA_AUDITED)
+ if (flags & IMA_AUDITED)
return;
hash = kzalloc((iint->ima_hash->length * 2) + 1, GFP_KERNEL);
@@ -376,7 +378,7 @@ void ima_audit_measurement(struct integrity_iint_cache *iint,
audit_log_task_info(ab);
audit_log_end(ab);
- iint->flags |= IMA_AUDITED;
+ set_iint_flags(iint, ns_status, flags | IMA_AUDITED);
out:
kfree(hash);
return;
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 17eb2971eb36..26faf9f75645 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -149,6 +149,31 @@ static void ima_rdwr_violation_check(struct ima_namespace *ns,
"invalid_pcr", "open_writers");
}
+static void mask_iint_ns_status_flags(struct integrity_iint_cache *iint,
+ unsigned long mask)
+{
+ struct ns_status *ns_status;
+ unsigned long flags;
+
+ read_lock(&iint->ns_list_lock);
+ if (list_empty(&iint->ns_list)) {
+ /*
+ * An empty list is possible due to __process_measurement only
+ * creating ns_status for IMA_NS_STATUS_ACTIONS.
+ * No ns_status being used implies that for example IMA_AUDIT
+ * was never used and thus IMA_AUDITED cannot have been set.
+ */
+ flags = iint_flags(iint, NULL) & mask;
+ set_iint_flags(iint, NULL, flags);
+ } else {
+ list_for_each_entry(ns_status, &iint->ns_list, ns_next) {
+ flags = iint_flags(iint, ns_status) & mask;
+ set_iint_flags(iint, ns_status, flags);
+ }
+ }
+ read_unlock(&iint->ns_list_lock);
+}
+
static void ima_check_last_writer(struct integrity_iint_cache *iint,
struct inode *inode, struct file *file)
{
@@ -165,8 +190,11 @@ static void ima_check_last_writer(struct integrity_iint_cache *iint,
if (!IS_I_VERSION(inode) ||
!inode_eq_iversion(inode, iint->version) ||
(iint->flags & IMA_NEW_FILE)) {
- iint->flags &= ~(IMA_DONE_MASK | IMA_NEW_FILE);
+ mask_iint_ns_status_flags
+ (iint,
+ ~(IMA_DONE_MASK | IMA_NEW_FILE));
iint->measured_pcrs = 0;
+
if (update)
ima_update_xattr(iint, file);
}
@@ -203,6 +231,7 @@ static int __process_measurement(struct ima_namespace *ns,
{
struct inode *inode = file_inode(file);
struct integrity_iint_cache *iint = NULL;
+ struct ns_status *ns_status = NULL;
struct ima_template_desc *template_desc = NULL;
char *pathbuf = NULL;
char filename[NAME_MAX];
@@ -215,6 +244,7 @@ static int __process_measurement(struct ima_namespace *ns,
bool violation_check;
enum hash_algo hash_algo;
unsigned int allowed_algos = 0;
+ unsigned long flags;
if (!ns->ima_policy_flag || !S_ISREG(inode->i_mode))
return 0;
@@ -243,6 +273,14 @@ static int __process_measurement(struct ima_namespace *ns,
iint = integrity_inode_get(inode);
if (!iint)
rc = -ENOMEM;
+
+ if (!rc && (action & IMA_NS_STATUS_ACTIONS)) {
+ ns_status = ima_get_ns_status(ns, inode, iint);
+ if (IS_ERR(ns_status)) {
+ rc = PTR_ERR(ns_status);
+ ns_status = NULL;
+ }
+ }
}
if (!rc && violation_check)
@@ -258,11 +296,13 @@ static int __process_measurement(struct ima_namespace *ns,
mutex_lock(&iint->mutex);
+ flags = iint_flags(iint, ns_status);
+
if (test_and_clear_bit(IMA_CHANGE_ATTR, &iint->atomic_flags))
/* reset appraisal flags if ima_inode_post_setattr was called */
- iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED |
- IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK |
- IMA_NONACTION_FLAGS);
+ flags &= ~(IMA_APPRAISE | IMA_APPRAISED |
+ IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK |
+ IMA_NONACTION_FLAGS);
/*
* Re-evaulate the file if either the xattr has changed or the
@@ -273,7 +313,7 @@ static int __process_measurement(struct ima_namespace *ns,
((inode->i_sb->s_iflags & SB_I_IMA_UNVERIFIABLE_SIGNATURE) &&
!(inode->i_sb->s_iflags & SB_I_UNTRUSTED_MOUNTER) &&
!(action & IMA_FAIL_UNVERIFIABLE_SIGS))) {
- iint->flags &= ~IMA_DONE_MASK;
+ flags &= ~IMA_DONE_MASK;
iint->measured_pcrs = 0;
}
@@ -281,9 +321,9 @@ static int __process_measurement(struct ima_namespace *ns,
* (IMA_MEASURE, IMA_MEASURED, IMA_XXXX_APPRAISE, IMA_XXXX_APPRAISED,
* IMA_AUDIT, IMA_AUDITED)
*/
- iint->flags |= action;
+ flags = set_iint_flags(iint, ns_status, flags | action);
action &= IMA_DO_MASK;
- action &= ~((iint->flags & (IMA_DONE_MASK ^ IMA_MEASURED)) >> 1);
+ action &= ~((flags & (IMA_DONE_MASK ^ IMA_MEASURED)) >> 1);
/* If target pcr is already measured, unset IMA_MEASURE action */
if ((action & IMA_MEASURE) && (iint->measured_pcrs & (0x1 << pcr)))
@@ -358,7 +398,7 @@ static int __process_measurement(struct ima_namespace *ns,
&pathname, filename);
}
if (action & IMA_AUDIT)
- ima_audit_measurement(iint, pathname);
+ ima_audit_measurement(iint, pathname, ns_status);
if ((file->f_flags & O_DIRECT) && (iint->flags & IMA_PERMIT_DIRECTIO))
rc = 0;
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index ae0da8f1ba7e..33084ab2addd 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -181,6 +181,9 @@ struct integrity_iint_cache {
*/
rwlock_t ns_list_lock;
struct list_head ns_list;
+#ifndef CONFIG_IMA_NS
+ struct ns_status ns_status;
+#endif
};
/* rbtree tree calls to lookup, insert, delete
--
2.34.1
next prev parent reply other threads:[~2022-04-20 14:07 UTC|newest]
Thread overview: 76+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-20 14:06 [PATCH v12 00/26] ima: Namespace IMA with audit support in IMA-ns Stefan Berger
2022-04-20 14:06 ` [PATCH v12 01/26] securityfs: rework dentry creation Stefan Berger
2022-05-09 19:54 ` Serge E. Hallyn
2022-05-09 20:36 ` Serge E. Hallyn
2022-05-10 8:43 ` Amir Goldstein
2022-05-10 10:38 ` Christian Brauner
2022-05-10 14:51 ` Serge E. Hallyn
2022-05-10 14:53 ` Serge E. Hallyn
2022-05-10 10:26 ` Christian Brauner
2022-05-10 10:25 ` Christian Brauner
2022-05-10 14:10 ` Serge E. Hallyn
2022-05-10 15:51 ` Christian Brauner
2022-05-10 18:51 ` Serge E. Hallyn
2022-05-10 20:41 ` Serge E. Hallyn
2022-06-09 14:27 ` Mimi Zohar
2022-05-10 16:50 ` Stefan Berger
2022-04-20 14:06 ` [PATCH v12 02/26] securityfs: Extend securityfs with namespacing support Stefan Berger
2022-05-21 2:23 ` Serge E. Hallyn
2022-05-21 9:38 ` Christian Brauner
2022-05-21 15:09 ` Serge E. Hallyn
2022-07-07 14:34 ` Stefan Berger
2022-04-20 14:06 ` [PATCH v12 03/26] ima: Define ima_namespace struct and start moving variables into it Stefan Berger
2022-05-21 2:33 ` Serge E. Hallyn
2022-05-24 14:57 ` Stefan Berger
2022-05-24 15:05 ` Serge E. Hallyn
2022-05-24 16:18 ` Stefan Berger
2022-04-20 14:06 ` [PATCH v12 04/26] ima: Move arch_policy_entry into ima_namespace Stefan Berger
2022-05-21 2:46 ` Serge E. Hallyn
2022-05-21 3:07 ` Serge E. Hallyn
2022-07-07 14:12 ` Stefan Berger
2022-04-20 14:06 ` [PATCH v12 05/26] ima: Move ima_htable " Stefan Berger
2022-05-21 2:50 ` Serge E. Hallyn
2022-04-20 14:06 ` [PATCH v12 06/26] ima: Move measurement list related variables " Stefan Berger
2022-05-21 2:55 ` Serge E. Hallyn
2022-04-20 14:06 ` [PATCH v12 07/26] ima: Move some IMA policy and filesystem " Stefan Berger
2022-05-21 3:03 ` Serge E. Hallyn
2022-04-20 14:06 ` [PATCH v12 08/26] ima: Move IMA securityfs files into ima_namespace or onto stack Stefan Berger
2022-05-21 3:24 ` Serge E. Hallyn
2022-04-20 14:06 ` [PATCH v12 09/26] ima: Move ima_lsm_policy_notifier into ima_namespace Stefan Berger
2022-05-22 2:35 ` Serge E. Hallyn
2022-04-20 14:06 ` [PATCH v12 10/26] ima: Switch to lazy lsm policy updates for better performance Stefan Berger
2022-05-22 17:06 ` Serge E. Hallyn
2022-04-20 14:06 ` [PATCH v12 11/26] ima: Define mac_admin_ns_capable() as a wrapper for ns_capable() Stefan Berger
2022-05-22 17:31 ` Serge E. Hallyn
2022-05-24 14:17 ` Stefan Berger
2022-04-20 14:06 ` [PATCH v12 12/26] ima: Only accept AUDIT rules for non-init_ima_ns namespaces for now Stefan Berger
2022-05-22 17:38 ` Serge E. Hallyn
2022-05-24 13:25 ` Stefan Berger
2022-04-20 14:06 ` [PATCH v12 13/26] userns: Add pointer to ima_namespace to user_namespace Stefan Berger
2022-05-22 18:24 ` Serge E. Hallyn
2022-05-23 9:59 ` Christian Brauner
2022-05-23 11:31 ` Stefan Berger
2022-05-23 12:41 ` Christian Brauner
2022-05-23 12:58 ` Stefan Berger
2022-05-23 14:25 ` Serge E. Hallyn
2022-07-07 14:14 ` Stefan Berger
2022-04-20 14:06 ` [PATCH v12 14/26] ima: Implement hierarchical processing of file accesses Stefan Berger
2022-05-23 0:42 ` Serge E. Hallyn
2022-04-20 14:06 ` [PATCH v12 15/26] ima: Implement ima_free_policy_rules() for freeing of an ima_namespace Stefan Berger
2022-05-23 0:43 ` Serge E. Hallyn
2022-04-20 14:06 ` [PATCH v12 16/26] ima: Add functions for creating and " Stefan Berger
2022-05-30 1:07 ` Serge E. Hallyn
2022-04-20 14:06 ` [PATCH v12 17/26] integrity/ima: Define ns_status for storing namespaced iint data Stefan Berger
2022-04-20 14:06 ` [PATCH v12 18/26] integrity: Add optional callback function to integrity_inode_free() Stefan Berger
2022-04-20 14:06 ` Stefan Berger [this message]
2022-04-20 14:06 ` [PATCH v12 20/26] ima: Remove unused iints from the integrity_iint_cache Stefan Berger
2022-04-20 14:06 ` [PATCH v12 21/26] ima: Setup securityfs for IMA namespace Stefan Berger
2022-05-30 1:16 ` Serge E. Hallyn
2022-05-31 19:26 ` Stefan Berger
2022-04-20 14:06 ` [PATCH v12 22/26] ima: Introduce securityfs file to activate an " Stefan Berger
2022-04-20 14:06 ` [PATCH v12 23/26] ima: Show owning user namespace's uid and gid when displaying policy Stefan Berger
2022-05-22 17:54 ` Serge E. Hallyn
2022-05-24 13:19 ` Stefan Berger
2022-04-20 14:06 ` [PATCH v12 24/26] ima: Limit number of policy rules in non-init_ima_ns Stefan Berger
2022-04-20 14:06 ` [PATCH v12 25/26] ima: Restrict informational audit messages to init_ima_ns Stefan Berger
2022-04-20 14:06 ` [PATCH v12 26/26] ima: Enable IMA namespaces Stefan Berger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220420140633.753772-20-stefanb@linux.ibm.com \
--to=stefanb@linux.ibm.com \
--cc=christian.brauner@ubuntu.com \
--cc=containers@lists.linux.dev \
--cc=dmitry.kasatkin@gmail.com \
--cc=ebiederm@xmission.com \
--cc=jamjoom@us.ibm.com \
--cc=jejb@linux.ibm.com \
--cc=jmorris@namei.org \
--cc=jpenumak@redhat.com \
--cc=krzysztof.struczynski@huawei.com \
--cc=lhinds@redhat.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lsturman@redhat.com \
--cc=mkayaalp@linux.vnet.ibm.com \
--cc=mpeters@redhat.com \
--cc=paul@paul-moore.com \
--cc=puiterwi@redhat.com \
--cc=rgb@redhat.com \
--cc=roberto.sassu@huawei.com \
--cc=serge@hallyn.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.