From mboxrd@z Thu Jan 1 00:00:00 1970
From: Mimi Zohar
To: Christoph Hellwig, Al Viro
Cc: Mimi Zohar, James Morris, linux-fsdevel@vger.kernel.org, linux-ima-devel@lists.sourceforge.net, linux-security-module@vger.kernel.org
Subject: [PATCH v4 0/5] define new fs integrity_read method
Date: Wed, 26 Jul 2017 09:22:50 -0400
Message-Id: <1501075375-29469-1-git-send-email-zohar@linux.vnet.ibm.com>

With the introduction of IMA-appraisal and the need to write file hashes as security xattrs, IMA needed to take the global i_mutex lock. process_measurement() took the iint->mutex first and then the i_mutex, while setxattr, chmod and chown took the locks in reverse order. To resolve this potential deadlock, the iint->mutex was removed.

Some filesystems have recently replaced their filesystem-dependent lock with the global i_rwsem (formerly the i_mutex) to read a file. As a result, when IMA attempts to calculate the file hash, reading the file attempts to take the i_rwsem again. To resolve this locking problem, this patch set introduces a new ->integrity_read file operation method.
Until all filesystems define the new ->integrity_read method, files that were previously measured might not be currently measured and files that were previously appraised might fail to be appraised properly. Version 2 of this patch set introduced measurement entries and IMA-audit messages containing file hash values consisting of 0's, instead of the actual file hash, for files for which the file hash could not be calculated. Like for any other file signature verification error, file access/execute permission will be denied for files in policy for which the file hash could not be calculated.

To override the IMA policy, allowing unverified code to be accessed/executed on filesystems not supported by IMA, version 2 of this patch set defined a new policy "action" named "dont_failsafe" and a new builtin policy named "fs_unsafe", which can be specified on the boot command line.

The new ->integrity_read method supports opening files with O_DIRECT on block devices that support direct IO and are mounted with the "-o dax" option. Version 4 of this patch set removes the "permit_directio" IMA policy option, which is no longer necessary.

Change log v4:
- define ext2/4 specific ->integrity_read functions based on Jan Kara's review.
- properly fail file open with O_DIRECT on filesystems not mounted with "-o dax".
- remove the "permit_directio" IMA policy option.

Change log v3:
- define simple_read_iter_from_buffer
- replace the existing efivarfs ->read method with ->read_iter method.
- squashed other fs definitions of ->integrity_read with this patch.
- include dont_failsafe rule when displaying policy.
- fail attempt to add dont_failsafe rule when appending to the policy.
- moved '---' divider before change log, as requested in review.
Mimi

Christoph Hellwig (1):
  ima: use fs method to read integrity data

Mimi Zohar (4):
  ima: always measure and audit files in policy
  ima: define "dont_failsafe" policy action rule
  ima: define "fs_unsafe" builtin policy
  ima: remove permit_directio policy option

 Documentation/ABI/testing/ima_policy            |  5 ++-
 Documentation/admin-guide/kernel-parameters.txt |  8 +++-
 fs/btrfs/file.c                                 |  1 +
 fs/efivarfs/file.c                              | 12 +++---
 fs/ext2/file.c                                  | 17 ++++++++
 fs/ext4/file.c                                  | 23 +++++++++++
 fs/f2fs/file.c                                  |  1 +
 fs/gfs2/file.c                                  |  2 +
 fs/jffs2/file.c                                 |  1 +
 fs/jfs/file.c                                   |  1 +
 fs/libfs.c                                      | 32 +++++++++++++++
 fs/nilfs2/file.c                                |  1 +
 fs/ocfs2/file.c                                 |  1 +
 fs/ramfs/file-mmu.c                             |  1 +
 fs/ramfs/file-nommu.c                           |  1 +
 fs/ubifs/file.c                                 |  1 +
 fs/xfs/xfs_file.c                               | 21 ++++++++++
 include/linux/fs.h                              |  3 ++
 mm/shmem.c                                      |  1 +
 security/integrity/iint.c                       | 20 +++++++---
 security/integrity/ima/ima.h                    |  1 +
 security/integrity/ima/ima_api.c                | 52 ++++++++++++++-----------
 security/integrity/ima/ima_main.c               | 18 ++++++---
 security/integrity/ima/ima_policy.c             | 49 +++++++++++++++++++----
 security/integrity/integrity.h                  |  1 -
 25 files changed, 222 insertions(+), 52 deletions(-)

-- 
2.7.4
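The locking history the cover letter walks through, modelled as an added example that is not part of the patch set and not kernel code: a small lock-order checker that flags cross-path ordering inversions (the iint->mutex/i_mutex ABBA) and a lock re-taken while the same path already holds it (the ->read_iter under i_rwsem case). Lock names and code paths are a constructed model of the described behaviour; locks are assumed nested and non-recursive.

```python
# Lock-order model of the IMA locking problem described in the cover letter.
# Constructed example: lock names and code paths are a model of the described
# behaviour, not kernel code; locks are treated as nested and non-recursive.
from collections import defaultdict


def detect_cycles(graph):
    """Return every cycle in a directed lock-order graph (DFS, back edges)."""
    cycles, state, stack = [], {}, []

    def visit(node):
        state[node] = "active"
        stack.append(node)
        for nxt in sorted(graph.get(node, ())):
            if state.get(nxt) == "active":      # back edge closes a cycle
                cycles.append(tuple(stack[stack.index(nxt):]))
            elif nxt not in state:
                visit(nxt)
        stack.pop()
        state[node] = "done"

    for node in sorted(graph):
        if node not in state:
            visit(node)
    return cycles


def find_issues(paths):
    """paths: {code path name: [locks in acquisition order]}.
    Returns (cycles, reacquisitions): cycles are ordering inversions across
    paths (ABBA); reacquisitions are a lock taken while the same path holds it."""
    graph, reacquisitions = defaultdict(set), []
    for name, locks in paths.items():
        held = []
        for lock in locks:
            if lock in held:                    # self-deadlock on a non-recursive lock
                reacquisitions.append((name, lock))
                continue
            for h in held:                      # edge h -> lock: lock is taken under h
                graph[h].add(lock)
            held.append(lock)
    return detect_cycles(graph), reacquisitions


# Before the iint->mutex was removed: process_measurement() vs setxattr/chmod/chown.
BEFORE_IINT_REMOVAL = {"process_measurement": ["iint->mutex", "i_mutex"],
                       "setxattr": ["i_mutex", "iint->mutex"]}
# After its removal, on a filesystem whose ->read_iter takes i_rwsem: the read
# issued while process_measurement() holds i_rwsem takes it again.
READ_ITER_UNDER_I_RWSEM = {"process_measurement": ["i_rwsem", "i_rwsem"],
                           "setxattr": ["i_rwsem"]}
# With ->integrity_read the read path takes no inode lock of its own.
WITH_INTEGRITY_READ = {"process_measurement": ["i_rwsem"], "setxattr": ["i_rwsem"]}
```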