From: david.safford@gmail.com
To: Janne Karhunen <janne.karhunen@gmail.com>,
linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org, zohar@linux.ibm.com
Cc: kgold@linux.ibm.com, "Wiseman, Monty (GE Global Research,
US)" <monty.wiseman@ge.com>, Mimi Zohar <zohar@linux.ibm.com>
Subject: Re: [PATCH v2] ima: export the measurement list when needed
Date: Fri, 24 Jan 2020 09:46:57 -0500 [thread overview]
Message-ID: <1a8c2fb4698eaa72be219413e373c5829a7cd652.camel@gmail.com> (raw)
In-Reply-To: <20200108111743.23393-1-janne.karhunen@gmail.com>
On Wed, 2020-01-08 at 13:17 +0200, Janne Karhunen wrote:
> Some systems can end up carrying lots of entries in the ima
> measurement list. Since every entry is using a bit of kernel
> memory, allow the sysadmin to export the measurement list to
> the filesystem to free up some memory.
>
> Signed-off-by: Janne Karhunen <janne.karhunen@gmail.com>
I like this approach, as it will work easily for measurement lists in
any format, and it will work for user or kernel triggering.
I'm getting an OOPS, though, whenever I write a filename to the
securityfs file (e.g. echo /var/log/ima.log > list_name).
Here's the relevant from syslog:
BUG: unable to handle page fault for address: 00005650a0e7fe30
#PF: supervisor read access in kernel mode
#PF: error_code(0x0001) - permissions violation
Oops: 0001 [#1] SMP NOPTI
RIP: 0010:ima_write_list_name+0x35/0x114
I haven't had time to debug this. Any suggestions?
Also, one embedded comment follows...
> ---
> security/integrity/ima/ima.h | 7 +-
> security/integrity/ima/ima_fs.c | 171 +++++++++++++++++++++++++++++
> security/integrity/ima/ima_queue.c | 2 +-
> 3 files changed, 175 insertions(+), 5 deletions(-)
>
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index 19769bf5f6ab..78f0b706848d 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -151,20 +151,19 @@ int template_desc_init_fields(const char *template_fmt,
> struct ima_template_desc *ima_template_desc_current(void);
> struct ima_template_desc *lookup_template_desc(const char *name);
> bool ima_template_has_modsig(const struct ima_template_desc *ima_template);
> +void ima_free_template_entry(struct ima_template_entry *entry);
> int ima_restore_measurement_entry(struct ima_template_entry *entry);
> int ima_restore_measurement_list(loff_t bufsize, void *buf);
> int ima_measurements_show(struct seq_file *m, void *v);
> unsigned long ima_get_binary_runtime_size(void);
> int ima_init_template(void);
> void ima_init_template_list(void);
> +int ima_export_list(const char *from);
> int __init ima_init_digests(void);
> int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event,
> void *lsm_data);
>
> -/*
> - * used to protect h_table and sha_table
> - */
> -extern spinlock_t ima_queue_lock;
> +extern struct mutex ima_extend_list_mutex;
>
> struct ima_h_table {
> atomic_long_t len; /* number of stored measurements in the list */
> diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
> index 2000e8df0301..b60a241b0d8b 100644
> --- a/security/integrity/ima/ima_fs.c
> +++ b/security/integrity/ima/ima_fs.c
> @@ -22,10 +22,17 @@
> #include <linux/rcupdate.h>
> #include <linux/parser.h>
> #include <linux/vmalloc.h>
> +#include <linux/fs_struct.h>
> +#include <linux/syscalls.h>
>
> #include "ima.h"
>
> +#define secfs_mnt "/sys/kernel/security"
> +#define am_filename "/integrity/ima/ascii_runtime_measurements"
You probably really want to export the binary data, as that's
what's needed for attestation. (Or both, but that's trickier.)
dave
> +
> static DEFINE_MUTEX(ima_write_mutex);
> +static DEFINE_MUTEX(ima_list_mutex);
> +static char *ima_msmt_list_name;
>
>
next prev parent reply other threads:[~2020-01-24 14:47 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-08 11:17 [PATCH v2] ima: export the measurement list when needed Janne Karhunen
2020-01-10 8:48 ` Janne Karhunen
2020-01-22 15:56 ` Mimi Zohar
2020-01-23 8:41 ` Janne Karhunen
2020-01-26 17:01 ` Mimi Zohar
2020-01-27 9:03 ` Janne Karhunen
2020-02-06 14:13 ` Mimi Zohar
2020-02-10 8:04 ` Janne Karhunen
2020-02-10 15:26 ` Mimi Zohar
2020-02-10 18:18 ` david.safford
2020-02-10 20:24 ` Mimi Zohar
2020-02-11 8:06 ` Janne Karhunen
2020-02-11 16:10 ` david.safford
2020-02-11 23:10 ` Mimi Zohar
2020-02-12 21:08 ` david.safford
2020-02-13 1:03 ` Mimi Zohar
2020-02-13 6:41 ` Janne Karhunen
2020-02-18 15:36 ` Mimi Zohar
2020-02-13 20:11 ` Ken Goldman
2020-02-18 14:50 ` david.safford
2020-01-24 14:46 ` david.safford [this message]
2020-01-27 8:48 ` Janne Karhunen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1a8c2fb4698eaa72be219413e373c5829a7cd652.camel@gmail.com \
--to=david.safford@gmail.com \
--cc=janne.karhunen@gmail.com \
--cc=kgold@linux.ibm.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=monty.wiseman@ge.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.