From: Stefan Berger <stefanb@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: zohar@linux.ibm.com, serge@hallyn.com,
christian.brauner@ubuntu.com, containers@lists.linux.dev,
dmitry.kasatkin@gmail.com, ebiederm@xmission.com,
krzysztof.struczynski@huawei.com, roberto.sassu@huawei.com,
mpeters@redhat.com, lhinds@redhat.com, lsturman@redhat.com,
puiterwi@redhat.com, jejb@linux.ibm.com, jamjoom@us.ibm.com,
linux-kernel@vger.kernel.org, paul@paul-moore.com,
rgb@redhat.com, linux-security-module@vger.kernel.org,
jmorris@namei.org, jpenumak@redhat.com,
Stefan Berger <stefanb@linux.ibm.com>
Subject: [PATCH v12 25/26] ima: Restrict informational audit messages to init_ima_ns
Date: Wed, 20 Apr 2022 10:06:32 -0400 [thread overview]
Message-ID: <20220420140633.753772-26-stefanb@linux.ibm.com> (raw)
In-Reply-To: <20220420140633.753772-1-stefanb@linux.ibm.com>
Since non-root users can create an IMA namespace they have indirect access
to the host's audit log. To avoid abuse, restrict the creation of those
informational audit messages that can currently be caused by IMA
namespacings to init_ima_ns.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
v12:
- Added missing 'struct ima_namespace' to ima_update_xattr() inline func
---
security/integrity/ima/ima.h | 9 ++++++---
security/integrity/ima/ima_api.c | 10 ++++++----
security/integrity/ima/ima_appraise.c | 6 ++++--
security/integrity/ima/ima_fs.c | 6 ++++--
security/integrity/ima/ima_main.c | 12 +++++++-----
security/integrity/ima/ima_policy.c | 20 ++++++++++++--------
6 files changed, 39 insertions(+), 24 deletions(-)
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 2cc286f9e839..78af02e4814e 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -305,7 +305,8 @@ int ima_get_action(struct ima_namespace *ns,
struct ima_template_desc **template_desc,
const char *func_data, unsigned int *allowed_algos);
int ima_must_measure(struct inode *inode, int mask, enum ima_hooks func);
-int ima_collect_measurement(struct integrity_iint_cache *iint,
+int ima_collect_measurement(struct ima_namespace *ns,
+ struct integrity_iint_cache *iint,
struct file *file, void *buf, loff_t size,
enum hash_algo algo, struct modsig *modsig);
void ima_store_measurement(struct ima_namespace *ns,
@@ -373,7 +374,8 @@ int ima_appraise_measurement(enum ima_hooks func,
int ima_must_appraise(struct ima_namespace *ns,
struct user_namespace *mnt_userns, struct inode *inode,
int mask, enum ima_hooks func);
-void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file);
+void ima_update_xattr(struct ima_namespace *ns,
+ struct integrity_iint_cache *iint, struct file *file);
enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
enum ima_hooks func);
enum hash_algo ima_get_hash_algo(const struct evm_ima_xattr_data *xattr_value,
@@ -408,7 +410,8 @@ static inline int ima_must_appraise(struct ima_namespace *ns,
return 0;
}
-static inline void ima_update_xattr(struct integrity_iint_cache *iint,
+static inline void ima_update_xattr(struct ima_namespace *ns,
+ struct integrity_iint_cache *iint,
struct file *file)
{
}
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index d179cb41b8c8..ab1ebc37c222 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -159,8 +159,9 @@ void ima_add_violation(struct ima_namespace *ns,
if (result < 0)
ima_free_template_entry(entry);
err_out:
- integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename,
- op, cause, result, 0);
+ if (ns == &init_ima_ns)
+ integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename,
+ op, cause, result, 0);
}
/**
@@ -215,7 +216,8 @@ int ima_get_action(struct ima_namespace *ns,
*
* Return 0 on success, error code otherwise
*/
-int ima_collect_measurement(struct integrity_iint_cache *iint,
+int ima_collect_measurement(struct ima_namespace *ns,
+ struct integrity_iint_cache *iint,
struct file *file, void *buf, loff_t size,
enum hash_algo algo, struct modsig *modsig)
{
@@ -274,7 +276,7 @@ int ima_collect_measurement(struct integrity_iint_cache *iint,
if (!result)
iint->flags |= IMA_COLLECTED;
out:
- if (result) {
+ if (result && ns == &init_ima_ns) {
if (file->f_flags & O_DIRECT)
audit_cause = "failed(directio)";
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index f1b99b895c68..666cf0e77e1f 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -494,7 +494,8 @@ int ima_appraise_measurement(enum ima_hooks func,
/*
* ima_update_xattr - update 'security.ima' hash value
*/
-void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file)
+void ima_update_xattr(struct ima_namespace *ns,
+ struct integrity_iint_cache *iint, struct file *file)
{
struct dentry *dentry = file_dentry(file);
int rc = 0;
@@ -507,7 +508,8 @@ void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file)
!(iint->flags & IMA_HASH))
return;
- rc = ima_collect_measurement(iint, file, NULL, 0, ima_hash_algo, NULL);
+ rc = ima_collect_measurement(ns, iint, file, NULL, 0, ima_hash_algo,
+ NULL);
if (rc < 0)
return;
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index 301c717e029f..14dffeee727d 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -420,8 +420,10 @@ static int ima_release_policy(struct inode *inode, struct file *file)
}
pr_info("policy update %s\n", cause);
- integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, NULL,
- "policy_update", cause, !ns->valid_policy, 0);
+ if (ns == &init_ima_ns)
+ integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, NULL,
+ "policy_update", cause, !ns->valid_policy,
+ 0);
if (!ns->valid_policy) {
ima_delete_rules(ns);
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 194dc4557caa..fc05f0088f79 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -174,7 +174,8 @@ static void mask_iint_ns_status_flags(struct integrity_iint_cache *iint,
read_unlock(&iint->ns_list_lock);
}
-static void ima_check_last_writer(struct integrity_iint_cache *iint,
+static void ima_check_last_writer(struct ima_namespace *ns,
+ struct integrity_iint_cache *iint,
struct inode *inode, struct file *file)
{
fmode_t mode = file->f_mode;
@@ -196,7 +197,7 @@ static void ima_check_last_writer(struct integrity_iint_cache *iint,
iint->measured_pcrs = 0;
if (update)
- ima_update_xattr(iint, file);
+ ima_update_xattr(ns, iint, file);
}
}
mutex_unlock(&iint->mutex);
@@ -221,7 +222,7 @@ void ima_file_free(struct file *file)
if (!iint)
return;
- ima_check_last_writer(iint, inode, file);
+ ima_check_last_writer(ns, iint, inode, file);
}
static int __process_measurement(struct ima_namespace *ns,
@@ -373,7 +374,8 @@ static int __process_measurement(struct ima_namespace *ns,
hash_algo = ima_get_hash_algo(xattr_value, xattr_len);
- rc = ima_collect_measurement(iint, file, buf, size, hash_algo, modsig);
+ rc = ima_collect_measurement(ns, iint, file, buf, size, hash_algo,
+ modsig);
if (rc != 0 && rc != -EBADF && rc != -EINVAL)
goto out_locked;
@@ -620,7 +622,7 @@ static int __ima_inode_hash(struct ima_namespace *ns, struct inode *inode,
tmp_iint.inode = inode;
mutex_init(&tmp_iint.mutex);
- rc = ima_collect_measurement(&tmp_iint, file, NULL, 0,
+ rc = ima_collect_measurement(ns, &tmp_iint, file, NULL, 0,
ima_hash_algo, NULL);
if (rc < 0)
return -EOPNOTSUPP;
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index a0bd8ffca88e..2a4e37a5a64d 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -1365,15 +1365,16 @@ static unsigned int ima_parse_appraise_algos(char *arg)
static int ima_parse_rule(struct ima_namespace *ns,
char *rule, struct ima_rule_entry *entry)
{
- struct audit_buffer *ab;
+ struct audit_buffer *ab = NULL;
char *from;
char *p;
bool eid_token; /* either euid or egid */
struct ima_template_desc *template_desc;
int result = 0;
- ab = integrity_audit_log_start(audit_context(), GFP_KERNEL,
- AUDIT_INTEGRITY_POLICY_RULE);
+ if (ns == &init_ima_ns)
+ ab = integrity_audit_log_start(audit_context(), GFP_KERNEL,
+ AUDIT_INTEGRITY_POLICY_RULE);
entry->uid = INVALID_UID;
entry->gid = INVALID_GID;
@@ -1879,8 +1880,10 @@ ssize_t ima_parse_add_rule(struct ima_namespace *ns, char *rule)
entry = kzalloc(sizeof(*entry), GFP_KERNEL_ACCOUNT);
if (!entry) {
- integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
- NULL, op, "-ENOMEM", -ENOMEM, audit_info);
+ if (ns == &init_ima_ns)
+ integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
+ NULL, op, "-ENOMEM", -ENOMEM,
+ audit_info);
return -ENOMEM;
}
@@ -1889,9 +1892,10 @@ ssize_t ima_parse_add_rule(struct ima_namespace *ns, char *rule)
result = ima_parse_rule(ns, p, entry);
if (result) {
ima_free_rule(entry);
- integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
- NULL, op, "invalid-policy", result,
- audit_info);
+ if (ns == &init_ima_ns)
+ integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
+ NULL, op, "invalid-policy", result,
+ audit_info);
return result;
}
--
2.34.1
next prev parent reply other threads:[~2022-04-20 14:07 UTC|newest]
Thread overview: 76+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-20 14:06 [PATCH v12 00/26] ima: Namespace IMA with audit support in IMA-ns Stefan Berger
2022-04-20 14:06 ` [PATCH v12 01/26] securityfs: rework dentry creation Stefan Berger
2022-05-09 19:54 ` Serge E. Hallyn
2022-05-09 20:36 ` Serge E. Hallyn
2022-05-10 8:43 ` Amir Goldstein
2022-05-10 10:38 ` Christian Brauner
2022-05-10 14:51 ` Serge E. Hallyn
2022-05-10 14:53 ` Serge E. Hallyn
2022-05-10 10:26 ` Christian Brauner
2022-05-10 10:25 ` Christian Brauner
2022-05-10 14:10 ` Serge E. Hallyn
2022-05-10 15:51 ` Christian Brauner
2022-05-10 18:51 ` Serge E. Hallyn
2022-05-10 20:41 ` Serge E. Hallyn
2022-06-09 14:27 ` Mimi Zohar
2022-05-10 16:50 ` Stefan Berger
2022-04-20 14:06 ` [PATCH v12 02/26] securityfs: Extend securityfs with namespacing support Stefan Berger
2022-05-21 2:23 ` Serge E. Hallyn
2022-05-21 9:38 ` Christian Brauner
2022-05-21 15:09 ` Serge E. Hallyn
2022-07-07 14:34 ` Stefan Berger
2022-04-20 14:06 ` [PATCH v12 03/26] ima: Define ima_namespace struct and start moving variables into it Stefan Berger
2022-05-21 2:33 ` Serge E. Hallyn
2022-05-24 14:57 ` Stefan Berger
2022-05-24 15:05 ` Serge E. Hallyn
2022-05-24 16:18 ` Stefan Berger
2022-04-20 14:06 ` [PATCH v12 04/26] ima: Move arch_policy_entry into ima_namespace Stefan Berger
2022-05-21 2:46 ` Serge E. Hallyn
2022-05-21 3:07 ` Serge E. Hallyn
2022-07-07 14:12 ` Stefan Berger
2022-04-20 14:06 ` [PATCH v12 05/26] ima: Move ima_htable " Stefan Berger
2022-05-21 2:50 ` Serge E. Hallyn
2022-04-20 14:06 ` [PATCH v12 06/26] ima: Move measurement list related variables " Stefan Berger
2022-05-21 2:55 ` Serge E. Hallyn
2022-04-20 14:06 ` [PATCH v12 07/26] ima: Move some IMA policy and filesystem " Stefan Berger
2022-05-21 3:03 ` Serge E. Hallyn
2022-04-20 14:06 ` [PATCH v12 08/26] ima: Move IMA securityfs files into ima_namespace or onto stack Stefan Berger
2022-05-21 3:24 ` Serge E. Hallyn
2022-04-20 14:06 ` [PATCH v12 09/26] ima: Move ima_lsm_policy_notifier into ima_namespace Stefan Berger
2022-05-22 2:35 ` Serge E. Hallyn
2022-04-20 14:06 ` [PATCH v12 10/26] ima: Switch to lazy lsm policy updates for better performance Stefan Berger
2022-05-22 17:06 ` Serge E. Hallyn
2022-04-20 14:06 ` [PATCH v12 11/26] ima: Define mac_admin_ns_capable() as a wrapper for ns_capable() Stefan Berger
2022-05-22 17:31 ` Serge E. Hallyn
2022-05-24 14:17 ` Stefan Berger
2022-04-20 14:06 ` [PATCH v12 12/26] ima: Only accept AUDIT rules for non-init_ima_ns namespaces for now Stefan Berger
2022-05-22 17:38 ` Serge E. Hallyn
2022-05-24 13:25 ` Stefan Berger
2022-04-20 14:06 ` [PATCH v12 13/26] userns: Add pointer to ima_namespace to user_namespace Stefan Berger
2022-05-22 18:24 ` Serge E. Hallyn
2022-05-23 9:59 ` Christian Brauner
2022-05-23 11:31 ` Stefan Berger
2022-05-23 12:41 ` Christian Brauner
2022-05-23 12:58 ` Stefan Berger
2022-05-23 14:25 ` Serge E. Hallyn
2022-07-07 14:14 ` Stefan Berger
2022-04-20 14:06 ` [PATCH v12 14/26] ima: Implement hierarchical processing of file accesses Stefan Berger
2022-05-23 0:42 ` Serge E. Hallyn
2022-04-20 14:06 ` [PATCH v12 15/26] ima: Implement ima_free_policy_rules() for freeing of an ima_namespace Stefan Berger
2022-05-23 0:43 ` Serge E. Hallyn
2022-04-20 14:06 ` [PATCH v12 16/26] ima: Add functions for creating and " Stefan Berger
2022-05-30 1:07 ` Serge E. Hallyn
2022-04-20 14:06 ` [PATCH v12 17/26] integrity/ima: Define ns_status for storing namespaced iint data Stefan Berger
2022-04-20 14:06 ` [PATCH v12 18/26] integrity: Add optional callback function to integrity_inode_free() Stefan Berger
2022-04-20 14:06 ` [PATCH v12 19/26] ima: Namespace audit status flags Stefan Berger
2022-04-20 14:06 ` [PATCH v12 20/26] ima: Remove unused iints from the integrity_iint_cache Stefan Berger
2022-04-20 14:06 ` [PATCH v12 21/26] ima: Setup securityfs for IMA namespace Stefan Berger
2022-05-30 1:16 ` Serge E. Hallyn
2022-05-31 19:26 ` Stefan Berger
2022-04-20 14:06 ` [PATCH v12 22/26] ima: Introduce securityfs file to activate an " Stefan Berger
2022-04-20 14:06 ` [PATCH v12 23/26] ima: Show owning user namespace's uid and gid when displaying policy Stefan Berger
2022-05-22 17:54 ` Serge E. Hallyn
2022-05-24 13:19 ` Stefan Berger
2022-04-20 14:06 ` [PATCH v12 24/26] ima: Limit number of policy rules in non-init_ima_ns Stefan Berger
2022-04-20 14:06 ` Stefan Berger [this message]
2022-04-20 14:06 ` [PATCH v12 26/26] ima: Enable IMA namespaces Stefan Berger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220420140633.753772-26-stefanb@linux.ibm.com \
--to=stefanb@linux.ibm.com \
--cc=christian.brauner@ubuntu.com \
--cc=containers@lists.linux.dev \
--cc=dmitry.kasatkin@gmail.com \
--cc=ebiederm@xmission.com \
--cc=jamjoom@us.ibm.com \
--cc=jejb@linux.ibm.com \
--cc=jmorris@namei.org \
--cc=jpenumak@redhat.com \
--cc=krzysztof.struczynski@huawei.com \
--cc=lhinds@redhat.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lsturman@redhat.com \
--cc=mpeters@redhat.com \
--cc=paul@paul-moore.com \
--cc=puiterwi@redhat.com \
--cc=rgb@redhat.com \
--cc=roberto.sassu@huawei.com \
--cc=serge@hallyn.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.