From: Dave Young <dyoung@redhat.com>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: linux-security-module@vger.kernel.org,
Kees Cook <keescook@chromium.org>,
fsdevel@vger.kernel.org, David Woodhouse <dwmw2@infradead.org>,
"Luis R. Rodriguez" <mcgrof@suse.com>,
Dmitry Torokhov <dmitry.torokhov@gmail.com>,
kexec@lists.infradead.org, David Howells <dhowells@redhat.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
linux-modules@vger.kernel.org
Subject: Re: [RFC PATCH v2 06/11] kexec: replace call to copy_file_from_fd() with kernel version
Date: Mon, 25 Jan 2016 14:37:12 +0800 [thread overview]
Message-ID: <20160125063712.GC5616@dhcp-128-65.nay.redhat.com> (raw)
In-Reply-To: <1453129886-20192-7-git-send-email-zohar@linux.vnet.ibm.com>
Hi, Mimi
Besides of code issues, I have several thing to be understand:
What is the effect to kexec behavior with this patchset?
- without IMA enabled (kconfig or kernel cmdline) it will be same as before?
- with IMA enabled for kernel bzImage, kexec_file_load will check both ima
signature and original pe file signature, those two mechanisms are
somehow duplicated. I'm not sure if we need both for bzImage.
Do you have a simple usage documentation about how to test it?
On 01/18/16 at 10:11am, Mimi Zohar wrote:
> This patch defines kernel_read_file_from_fd(), a wrapper for the VFS
> common kernel_read_file(), and replaces the kexec copy_file_from_fd()
> calls with the kernel_read_file_from_fd() wrapper.
>
> Two new IMA policy identifiers named KEXEC_CHECK and INITRAMFS_CHECK
> are defined for measuring, appraising or auditing the kexec image
> and initramfs.
>
> Changelog v1:
> - re-order and squash the kexec patches
>
> v3: ima: measure and appraise kexec image and initramfs (squashed)
> - rename ima_read_hooks enumeration to ima_policy_id
> - use kstat file size type loff_t, not size_t
> - add union name "hooks" to fix sparse warning
>
> v2:
> - Calculate the file hash from the in memory buffer
> (suggested by Dave Young)
> - Rename ima_read_and_process_file() to ima_hash_and_process_file()
> - replace individual case statements with range:
> KEXEC_CHECK ... IMA_MAX_READ_CHECK - 1
> v1:
> - Instead of ima_read_and_process_file() allocating memory, the caller
> allocates and frees the memory.
> - Moved the kexec measurement/appraisal call to copy_file_from_fd(). The
> same call now measures and appraises both the kexec image and initramfs.
>
> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
> ---
> Documentation/ABI/testing/ima_policy | 2 +-
> fs/exec.c | 15 ++++++++
> include/linux/fs.h | 1 +
> include/linux/ima.h | 2 +
> kernel/kexec_file.c | 72 ++++-------------------------------
> security/integrity/ima/ima.h | 9 ++++-
> security/integrity/ima/ima_appraise.c | 7 ++++
> security/integrity/ima/ima_policy.c | 27 ++++++++++---
> 8 files changed, 64 insertions(+), 71 deletions(-)
>
> diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
> index 0a378a8..e80f767 100644
> --- a/Documentation/ABI/testing/ima_policy
> +++ b/Documentation/ABI/testing/ima_policy
> @@ -26,7 +26,7 @@ Description:
> option: [[appraise_type=]] [permit_directio]
>
> base: func:= [BPRM_CHECK][MMAP_CHECK][FILE_CHECK][MODULE_CHECK]
> - [FIRMWARE_CHECK]
> + [FIRMWARE_CHECK] [KEXEC_CHECK] [INITRAMFS_CHECK]
> mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
> [[^]MAY_EXEC]
> fsmagic:= hex value
> diff --git a/fs/exec.c b/fs/exec.c
> index 211b81c..a5ae51e 100644
> --- a/fs/exec.c
> +++ b/fs/exec.c
> @@ -884,6 +884,21 @@ out:
> }
> EXPORT_SYMBOL_GPL(kernel_read_file);
>
> +int kernel_read_file_from_fd(int fd, void **buf, loff_t *size, loff_t max_size,
> + int policy_id)
Though this is only used in kexec now, it looks more a general function, move it
to general code should be fine along with kernel_read_file
> +{
> + struct fd f = fdget(fd);
> + int ret = -ENOEXEC;
-EBADF looks better?
> +
> + if (!f.file)
> + goto out;
> +
> + ret = kernel_read_file(f.file, buf, size, max_size, policy_id);
> +out:
> + fdput(f);
> + return ret;
> +}
> +
> ssize_t read_code(struct file *file, unsigned long addr, loff_t pos, size_t len)
> {
> ssize_t res = vfs_read(file, (void __user *)addr, len, &pos);
> diff --git a/include/linux/fs.h b/include/linux/fs.h
> index 9b1468c..9642623 100644
> --- a/include/linux/fs.h
> +++ b/include/linux/fs.h
> @@ -2528,6 +2528,7 @@ extern int do_pipe_flags(int *, int);
>
> extern int kernel_read(struct file *, loff_t, char *, unsigned long);
> extern int kernel_read_file(struct file *, void **, loff_t *, loff_t, int);
> +extern int kernel_read_file_from_fd(int, void **, loff_t *, loff_t, int);
> extern ssize_t kernel_write(struct file *, const char *, size_t, loff_t);
> extern ssize_t __kernel_write(struct file *, const char *, size_t, loff_t *);
> extern struct file * open_exec(const char *);
> diff --git a/include/linux/ima.h b/include/linux/ima.h
> index ca76f60..ae91938 100644
> --- a/include/linux/ima.h
> +++ b/include/linux/ima.h
> @@ -14,6 +14,8 @@
> struct linux_binprm;
>
> enum ima_policy_id {
> + KEXEC_CHECK = 1,
> + INITRAMFS_CHECK,
Change to below should be better:
KEXEC_KERNEL_CHECK
KEXEC_INITRAMFS_CHECK
> IMA_MAX_READ_CHECK
> };
>
> diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> index b70ada0..f7c3ce4 100644
> --- a/kernel/kexec_file.c
> +++ b/kernel/kexec_file.c
> @@ -18,6 +18,7 @@
> #include <linux/kexec.h>
> #include <linux/mutex.h>
> #include <linux/list.h>
> +#include <linux/ima.h>
> #include <crypto/hash.h>
> #include <crypto/sha.h>
> #include <linux/syscalls.h>
> @@ -33,65 +34,6 @@ size_t __weak kexec_purgatory_size = 0;
>
> static int kexec_calculate_store_digests(struct kimage *image);
>
> -static int copy_file_from_fd(int fd, void **buf, unsigned long *buf_len)
> -{
> - struct fd f = fdget(fd);
> - int ret;
> - struct kstat stat;
> - loff_t pos;
> - ssize_t bytes = 0;
> -
> - if (!f.file)
> - return -EBADF;
> -
> - ret = vfs_getattr(&f.file->f_path, &stat);
> - if (ret)
> - goto out;
> -
> - if (stat.size > INT_MAX) {
> - ret = -EFBIG;
> - goto out;
> - }
> -
> - /* Don't hand 0 to vmalloc, it whines. */
> - if (stat.size == 0) {
> - ret = -EINVAL;
> - goto out;
> - }
> -
> - *buf = vmalloc(stat.size);
> - if (!*buf) {
> - ret = -ENOMEM;
> - goto out;
> - }
> -
> - pos = 0;
> - while (pos < stat.size) {
> - bytes = kernel_read(f.file, pos, (char *)(*buf) + pos,
> - stat.size - pos);
> - if (bytes < 0) {
> - vfree(*buf);
> - ret = bytes;
> - goto out;
> - }
> -
> - if (bytes == 0)
> - break;
> - pos += bytes;
> - }
> -
> - if (pos != stat.size) {
> - ret = -EBADF;
> - vfree(*buf);
> - goto out;
> - }
> -
> - *buf_len = pos;
> -out:
> - fdput(f);
> - return ret;
> -}
> -
> /* Architectures can provide this probe function */
> int __weak arch_kexec_kernel_image_probe(struct kimage *image, void *buf,
> unsigned long buf_len)
> @@ -180,16 +122,17 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
> {
> int ret = 0;
> void *ldata;
> + loff_t size;
>
> - ret = copy_file_from_fd(kernel_fd, &image->kernel_buf,
> - &image->kernel_buf_len);
> + ret = kernel_read_file_from_fd(kernel_fd, &image->kernel_buf,
> + &size, INT_MAX, KEXEC_CHECK);
> if (ret)
> return ret;
> + image->kernel_buf_len = size;
>
> /* Call arch image probe handlers */
> ret = arch_kexec_kernel_image_probe(image, image->kernel_buf,
> image->kernel_buf_len);
> -
> if (ret)
> goto out;
>
> @@ -204,10 +147,11 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
> #endif
> /* It is possible that there no initramfs is being loaded */
> if (!(flags & KEXEC_FILE_NO_INITRAMFS)) {
> - ret = copy_file_from_fd(initrd_fd, &image->initrd_buf,
> - &image->initrd_buf_len);
> + ret = kernel_read_file_from_fd(initrd_fd, &image->initrd_buf,
> + &size, INT_MAX, INITRAMFS_CHECK);
> if (ret)
> goto out;
> + image->initrd_buf_len = size;
> }
>
> if (cmdline_len) {
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index 06bcc24..b98dbd5 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -160,7 +160,14 @@ void ima_free_template_entry(struct ima_template_entry *entry);
> const char *ima_d_path(struct path *path, char **pathbuf);
>
> /* IMA policy related functions */
> -enum ima_hooks { FILE_CHECK = 1, MMAP_CHECK, BPRM_CHECK, MODULE_CHECK, FIRMWARE_CHECK, POST_SETATTR };
> +enum ima_hooks {
> + FILE_CHECK = IMA_MAX_READ_CHECK,
> + MMAP_CHECK,
> + BPRM_CHECK,
> + MODULE_CHECK,
> + FIRMWARE_CHECK,
> + POST_SETATTR
> +};
>
> int ima_match_policy(struct inode *inode, int func, int mask, int flags);
> void ima_init_policy(void);
> diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
> index 4edf47f..3adf937 100644
> --- a/security/integrity/ima/ima_appraise.c
> +++ b/security/integrity/ima/ima_appraise.c
> @@ -78,6 +78,8 @@ enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
> return iint->ima_module_status;
> case FIRMWARE_CHECK:
> return iint->ima_firmware_status;
> + case KEXEC_CHECK ... IMA_MAX_READ_CHECK - 1:
> + return iint->ima_read_status;
> case FILE_CHECK:
> default:
> return iint->ima_file_status;
> @@ -100,6 +102,9 @@ static void ima_set_cache_status(struct integrity_iint_cache *iint,
> case FIRMWARE_CHECK:
> iint->ima_firmware_status = status;
> break;
> + case KEXEC_CHECK ... IMA_MAX_READ_CHECK - 1:
> + iint->ima_read_status = status;
> + break;
> case FILE_CHECK:
> default:
> iint->ima_file_status = status;
> @@ -122,6 +127,8 @@ static void ima_cache_flags(struct integrity_iint_cache *iint, int func)
> case FIRMWARE_CHECK:
> iint->flags |= (IMA_FIRMWARE_APPRAISED | IMA_APPRAISED);
> break;
> + case KEXEC_CHECK ... IMA_MAX_READ_CHECK - 1:
> + break;
> case FILE_CHECK:
> default:
> iint->flags |= (IMA_FILE_APPRAISED | IMA_APPRAISED);
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 595e038..4711083 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -306,6 +306,8 @@ static int get_subaction(struct ima_rule_entry *rule, int func)
> return IMA_MODULE_APPRAISE;
> case FIRMWARE_CHECK:
> return IMA_FIRMWARE_APPRAISE;
> + case KEXEC_CHECK ... IMA_MAX_READ_CHECK - 1:
> + return IMA_READ_APPRAISE;
> case FILE_CHECK:
> default:
> return IMA_FILE_APPRAISE;
> @@ -614,6 +616,10 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
> entry->hooks.func = MMAP_CHECK;
> else if (strcmp(args[0].from, "BPRM_CHECK") == 0)
> entry->hooks.func = BPRM_CHECK;
> + else if (strcmp(args[0].from, "KEXEC_CHECK") == 0)
> + entry->hooks.policy_id = KEXEC_CHECK;
> + else if (strcmp(args[0].from, "INITRAMFS_CHECK") == 0)
> + entry->hooks.policy_id = INITRAMFS_CHECK;
> else
> result = -EINVAL;
> if (!result)
> @@ -867,7 +873,9 @@ static char *func_tokens[] = {
> "BPRM_CHECK",
> "MODULE_CHECK",
> "FIRMWARE_CHECK",
> - "POST_SETATTR"
> + "POST_SETATTR",
> + "KEXEC_CHECK",
> + "INITRAMFS_CHECK",
> };
>
> void *ima_policy_start(struct seq_file *m, loff_t *pos)
> @@ -948,10 +956,19 @@ int ima_policy_show(struct seq_file *m, void *v)
> seq_printf(m, pt(Opt_func), ft(func_post));
> break;
> default:
> - snprintf(tbuf, sizeof(tbuf), "%d",
> - entry->hooks.func);
> - seq_printf(m, pt(Opt_func), tbuf);
> - break;
> + switch (entry->hooks.policy_id) {
> + case KEXEC_CHECK:
> + seq_printf(m, pt(Opt_func), ft(func_kexec));
> + break;
> + case INITRAMFS_CHECK:
> + seq_printf(m, pt(Opt_func), ft(func_initramfs));
> + break;
> + default:
> + snprintf(tbuf, sizeof(tbuf), "%d",
> + entry->hooks.func);
> + seq_printf(m, pt(Opt_func), tbuf);
> + break;
> + }
> }
> seq_puts(m, " ");
> }
> --
> 2.1.0
>
>
> _______________________________________________
> kexec mailing list
> kexec@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/kexec
WARNING: multiple messages have this Message-ID (diff)
From: Dave Young <dyoung@redhat.com>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: Kees Cook <keescook@chromium.org>,
fsdevel@vger.kernel.org,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
"Luis R. Rodriguez" <mcgrof@suse.com>,
Dmitry Torokhov <dmitry.torokhov@gmail.com>,
kexec@lists.infradead.org, David Howells <dhowells@redhat.com>,
linux-security-module@vger.kernel.org,
David Woodhouse <dwmw2@infradead.org>,
linux-modules@vger.kernel.org
Subject: Re: [RFC PATCH v2 06/11] kexec: replace call to copy_file_from_fd() with kernel version
Date: Mon, 25 Jan 2016 14:37:12 +0800 [thread overview]
Message-ID: <20160125063712.GC5616@dhcp-128-65.nay.redhat.com> (raw)
In-Reply-To: <1453129886-20192-7-git-send-email-zohar@linux.vnet.ibm.com>
Hi, Mimi
Besides of code issues, I have several thing to be understand:
What is the effect to kexec behavior with this patchset?
- without IMA enabled (kconfig or kernel cmdline) it will be same as before?
- with IMA enabled for kernel bzImage, kexec_file_load will check both ima
signature and original pe file signature, those two mechanisms are
somehow duplicated. I'm not sure if we need both for bzImage.
Do you have a simple usage documentation about how to test it?
On 01/18/16 at 10:11am, Mimi Zohar wrote:
> This patch defines kernel_read_file_from_fd(), a wrapper for the VFS
> common kernel_read_file(), and replaces the kexec copy_file_from_fd()
> calls with the kernel_read_file_from_fd() wrapper.
>
> Two new IMA policy identifiers named KEXEC_CHECK and INITRAMFS_CHECK
> are defined for measuring, appraising or auditing the kexec image
> and initramfs.
>
> Changelog v1:
> - re-order and squash the kexec patches
>
> v3: ima: measure and appraise kexec image and initramfs (squashed)
> - rename ima_read_hooks enumeration to ima_policy_id
> - use kstat file size type loff_t, not size_t
> - add union name "hooks" to fix sparse warning
>
> v2:
> - Calculate the file hash from the in memory buffer
> (suggested by Dave Young)
> - Rename ima_read_and_process_file() to ima_hash_and_process_file()
> - replace individual case statements with range:
> KEXEC_CHECK ... IMA_MAX_READ_CHECK - 1
> v1:
> - Instead of ima_read_and_process_file() allocating memory, the caller
> allocates and frees the memory.
> - Moved the kexec measurement/appraisal call to copy_file_from_fd(). The
> same call now measures and appraises both the kexec image and initramfs.
>
> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
> ---
> Documentation/ABI/testing/ima_policy | 2 +-
> fs/exec.c | 15 ++++++++
> include/linux/fs.h | 1 +
> include/linux/ima.h | 2 +
> kernel/kexec_file.c | 72 ++++-------------------------------
> security/integrity/ima/ima.h | 9 ++++-
> security/integrity/ima/ima_appraise.c | 7 ++++
> security/integrity/ima/ima_policy.c | 27 ++++++++++---
> 8 files changed, 64 insertions(+), 71 deletions(-)
>
> diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
> index 0a378a8..e80f767 100644
> --- a/Documentation/ABI/testing/ima_policy
> +++ b/Documentation/ABI/testing/ima_policy
> @@ -26,7 +26,7 @@ Description:
> option: [[appraise_type=]] [permit_directio]
>
> base: func:= [BPRM_CHECK][MMAP_CHECK][FILE_CHECK][MODULE_CHECK]
> - [FIRMWARE_CHECK]
> + [FIRMWARE_CHECK] [KEXEC_CHECK] [INITRAMFS_CHECK]
> mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
> [[^]MAY_EXEC]
> fsmagic:= hex value
> diff --git a/fs/exec.c b/fs/exec.c
> index 211b81c..a5ae51e 100644
> --- a/fs/exec.c
> +++ b/fs/exec.c
> @@ -884,6 +884,21 @@ out:
> }
> EXPORT_SYMBOL_GPL(kernel_read_file);
>
> +int kernel_read_file_from_fd(int fd, void **buf, loff_t *size, loff_t max_size,
> + int policy_id)
Though this is only used in kexec now, it looks more a general function, move it
to general code should be fine along with kernel_read_file
> +{
> + struct fd f = fdget(fd);
> + int ret = -ENOEXEC;
-EBADF looks better?
> +
> + if (!f.file)
> + goto out;
> +
> + ret = kernel_read_file(f.file, buf, size, max_size, policy_id);
> +out:
> + fdput(f);
> + return ret;
> +}
> +
> ssize_t read_code(struct file *file, unsigned long addr, loff_t pos, size_t len)
> {
> ssize_t res = vfs_read(file, (void __user *)addr, len, &pos);
> diff --git a/include/linux/fs.h b/include/linux/fs.h
> index 9b1468c..9642623 100644
> --- a/include/linux/fs.h
> +++ b/include/linux/fs.h
> @@ -2528,6 +2528,7 @@ extern int do_pipe_flags(int *, int);
>
> extern int kernel_read(struct file *, loff_t, char *, unsigned long);
> extern int kernel_read_file(struct file *, void **, loff_t *, loff_t, int);
> +extern int kernel_read_file_from_fd(int, void **, loff_t *, loff_t, int);
> extern ssize_t kernel_write(struct file *, const char *, size_t, loff_t);
> extern ssize_t __kernel_write(struct file *, const char *, size_t, loff_t *);
> extern struct file * open_exec(const char *);
> diff --git a/include/linux/ima.h b/include/linux/ima.h
> index ca76f60..ae91938 100644
> --- a/include/linux/ima.h
> +++ b/include/linux/ima.h
> @@ -14,6 +14,8 @@
> struct linux_binprm;
>
> enum ima_policy_id {
> + KEXEC_CHECK = 1,
> + INITRAMFS_CHECK,
Change to below should be better:
KEXEC_KERNEL_CHECK
KEXEC_INITRAMFS_CHECK
> IMA_MAX_READ_CHECK
> };
>
> diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> index b70ada0..f7c3ce4 100644
> --- a/kernel/kexec_file.c
> +++ b/kernel/kexec_file.c
> @@ -18,6 +18,7 @@
> #include <linux/kexec.h>
> #include <linux/mutex.h>
> #include <linux/list.h>
> +#include <linux/ima.h>
> #include <crypto/hash.h>
> #include <crypto/sha.h>
> #include <linux/syscalls.h>
> @@ -33,65 +34,6 @@ size_t __weak kexec_purgatory_size = 0;
>
> static int kexec_calculate_store_digests(struct kimage *image);
>
> -static int copy_file_from_fd(int fd, void **buf, unsigned long *buf_len)
> -{
> - struct fd f = fdget(fd);
> - int ret;
> - struct kstat stat;
> - loff_t pos;
> - ssize_t bytes = 0;
> -
> - if (!f.file)
> - return -EBADF;
> -
> - ret = vfs_getattr(&f.file->f_path, &stat);
> - if (ret)
> - goto out;
> -
> - if (stat.size > INT_MAX) {
> - ret = -EFBIG;
> - goto out;
> - }
> -
> - /* Don't hand 0 to vmalloc, it whines. */
> - if (stat.size == 0) {
> - ret = -EINVAL;
> - goto out;
> - }
> -
> - *buf = vmalloc(stat.size);
> - if (!*buf) {
> - ret = -ENOMEM;
> - goto out;
> - }
> -
> - pos = 0;
> - while (pos < stat.size) {
> - bytes = kernel_read(f.file, pos, (char *)(*buf) + pos,
> - stat.size - pos);
> - if (bytes < 0) {
> - vfree(*buf);
> - ret = bytes;
> - goto out;
> - }
> -
> - if (bytes == 0)
> - break;
> - pos += bytes;
> - }
> -
> - if (pos != stat.size) {
> - ret = -EBADF;
> - vfree(*buf);
> - goto out;
> - }
> -
> - *buf_len = pos;
> -out:
> - fdput(f);
> - return ret;
> -}
> -
> /* Architectures can provide this probe function */
> int __weak arch_kexec_kernel_image_probe(struct kimage *image, void *buf,
> unsigned long buf_len)
> @@ -180,16 +122,17 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
> {
> int ret = 0;
> void *ldata;
> + loff_t size;
>
> - ret = copy_file_from_fd(kernel_fd, &image->kernel_buf,
> - &image->kernel_buf_len);
> + ret = kernel_read_file_from_fd(kernel_fd, &image->kernel_buf,
> + &size, INT_MAX, KEXEC_CHECK);
> if (ret)
> return ret;
> + image->kernel_buf_len = size;
>
> /* Call arch image probe handlers */
> ret = arch_kexec_kernel_image_probe(image, image->kernel_buf,
> image->kernel_buf_len);
> -
> if (ret)
> goto out;
>
> @@ -204,10 +147,11 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
> #endif
> /* It is possible that there no initramfs is being loaded */
> if (!(flags & KEXEC_FILE_NO_INITRAMFS)) {
> - ret = copy_file_from_fd(initrd_fd, &image->initrd_buf,
> - &image->initrd_buf_len);
> + ret = kernel_read_file_from_fd(initrd_fd, &image->initrd_buf,
> + &size, INT_MAX, INITRAMFS_CHECK);
> if (ret)
> goto out;
> + image->initrd_buf_len = size;
> }
>
> if (cmdline_len) {
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index 06bcc24..b98dbd5 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -160,7 +160,14 @@ void ima_free_template_entry(struct ima_template_entry *entry);
> const char *ima_d_path(struct path *path, char **pathbuf);
>
> /* IMA policy related functions */
> -enum ima_hooks { FILE_CHECK = 1, MMAP_CHECK, BPRM_CHECK, MODULE_CHECK, FIRMWARE_CHECK, POST_SETATTR };
> +enum ima_hooks {
> + FILE_CHECK = IMA_MAX_READ_CHECK,
> + MMAP_CHECK,
> + BPRM_CHECK,
> + MODULE_CHECK,
> + FIRMWARE_CHECK,
> + POST_SETATTR
> +};
>
> int ima_match_policy(struct inode *inode, int func, int mask, int flags);
> void ima_init_policy(void);
> diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
> index 4edf47f..3adf937 100644
> --- a/security/integrity/ima/ima_appraise.c
> +++ b/security/integrity/ima/ima_appraise.c
> @@ -78,6 +78,8 @@ enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
> return iint->ima_module_status;
> case FIRMWARE_CHECK:
> return iint->ima_firmware_status;
> + case KEXEC_CHECK ... IMA_MAX_READ_CHECK - 1:
> + return iint->ima_read_status;
> case FILE_CHECK:
> default:
> return iint->ima_file_status;
> @@ -100,6 +102,9 @@ static void ima_set_cache_status(struct integrity_iint_cache *iint,
> case FIRMWARE_CHECK:
> iint->ima_firmware_status = status;
> break;
> + case KEXEC_CHECK ... IMA_MAX_READ_CHECK - 1:
> + iint->ima_read_status = status;
> + break;
> case FILE_CHECK:
> default:
> iint->ima_file_status = status;
> @@ -122,6 +127,8 @@ static void ima_cache_flags(struct integrity_iint_cache *iint, int func)
> case FIRMWARE_CHECK:
> iint->flags |= (IMA_FIRMWARE_APPRAISED | IMA_APPRAISED);
> break;
> + case KEXEC_CHECK ... IMA_MAX_READ_CHECK - 1:
> + break;
> case FILE_CHECK:
> default:
> iint->flags |= (IMA_FILE_APPRAISED | IMA_APPRAISED);
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 595e038..4711083 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -306,6 +306,8 @@ static int get_subaction(struct ima_rule_entry *rule, int func)
> return IMA_MODULE_APPRAISE;
> case FIRMWARE_CHECK:
> return IMA_FIRMWARE_APPRAISE;
> + case KEXEC_CHECK ... IMA_MAX_READ_CHECK - 1:
> + return IMA_READ_APPRAISE;
> case FILE_CHECK:
> default:
> return IMA_FILE_APPRAISE;
> @@ -614,6 +616,10 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
> entry->hooks.func = MMAP_CHECK;
> else if (strcmp(args[0].from, "BPRM_CHECK") == 0)
> entry->hooks.func = BPRM_CHECK;
> + else if (strcmp(args[0].from, "KEXEC_CHECK") == 0)
> + entry->hooks.policy_id = KEXEC_CHECK;
> + else if (strcmp(args[0].from, "INITRAMFS_CHECK") == 0)
> + entry->hooks.policy_id = INITRAMFS_CHECK;
> else
> result = -EINVAL;
> if (!result)
> @@ -867,7 +873,9 @@ static char *func_tokens[] = {
> "BPRM_CHECK",
> "MODULE_CHECK",
> "FIRMWARE_CHECK",
> - "POST_SETATTR"
> + "POST_SETATTR",
> + "KEXEC_CHECK",
> + "INITRAMFS_CHECK",
> };
>
> void *ima_policy_start(struct seq_file *m, loff_t *pos)
> @@ -948,10 +956,19 @@ int ima_policy_show(struct seq_file *m, void *v)
> seq_printf(m, pt(Opt_func), ft(func_post));
> break;
> default:
> - snprintf(tbuf, sizeof(tbuf), "%d",
> - entry->hooks.func);
> - seq_printf(m, pt(Opt_func), tbuf);
> - break;
> + switch (entry->hooks.policy_id) {
> + case KEXEC_CHECK:
> + seq_printf(m, pt(Opt_func), ft(func_kexec));
> + break;
> + case INITRAMFS_CHECK:
> + seq_printf(m, pt(Opt_func), ft(func_initramfs));
> + break;
> + default:
> + snprintf(tbuf, sizeof(tbuf), "%d",
> + entry->hooks.func);
> + seq_printf(m, pt(Opt_func), tbuf);
> + break;
> + }
> }
> seq_puts(m, " ");
> }
> --
> 2.1.0
>
>
> _______________________________________________
> kexec mailing list
> kexec@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/kexec
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
next prev parent reply other threads:[~2016-01-25 6:37 UTC|newest]
Thread overview: 100+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-18 15:11 [RFC PATCH v2 00/11] vfss: support for a common kernel file loader Mimi Zohar
2016-01-18 15:11 ` Mimi Zohar
2016-01-18 15:11 ` [RFC PATCH v2 01/11] ima: separate 'security.ima' reading functionality from collect Mimi Zohar
2016-01-18 15:11 ` Mimi Zohar
2016-01-19 20:00 ` Dmitry Kasatkin
2016-01-19 20:00 ` Dmitry Kasatkin
2016-01-21 13:19 ` Mimi Zohar
2016-01-21 13:19 ` Mimi Zohar
2016-01-21 18:18 ` Dmitry Kasatkin
2016-01-21 18:18 ` Dmitry Kasatkin
2016-01-18 15:11 ` [RFC PATCH v2 02/11] vfs: define a generic function to read a file from the kernel Mimi Zohar
2016-01-18 15:11 ` Mimi Zohar
2016-01-20 1:09 ` Luis R. Rodriguez
2016-01-20 1:09 ` Luis R. Rodriguez
2016-01-21 13:24 ` Mimi Zohar
2016-01-21 13:24 ` Mimi Zohar
2016-01-18 15:11 ` [RFC PATCH v2 03/11] ima: provide buffer hash calculation function Mimi Zohar
2016-01-18 15:11 ` Mimi Zohar
2016-01-19 19:26 ` Dmitry Kasatkin
2016-01-19 19:26 ` Dmitry Kasatkin
2016-01-21 13:18 ` Mimi Zohar
2016-01-21 13:18 ` Mimi Zohar
2016-01-18 15:11 ` [RFC PATCH v2 04/11] ima: calculate the hash of a buffer using aynchronous hash(ahash) Mimi Zohar
2016-01-18 15:11 ` Mimi Zohar
2016-01-18 15:11 ` [RFC PATCH v2 05/11] ima: define a new hook to measure and appraise a file already in memory Mimi Zohar
2016-01-18 15:11 ` Mimi Zohar
2016-01-18 15:11 ` [RFC PATCH v2 06/11] kexec: replace call to copy_file_from_fd() with kernel version Mimi Zohar
2016-01-18 15:11 ` Mimi Zohar
2016-01-20 3:22 ` Minfei Huang
2016-01-20 3:22 ` Minfei Huang
2016-01-20 23:12 ` Luis R. Rodriguez
2016-01-20 23:12 ` Luis R. Rodriguez
2016-01-21 0:27 ` Dmitry Torokhov
2016-01-21 0:27 ` Dmitry Torokhov
2016-01-25 6:37 ` Dave Young [this message]
2016-01-25 6:37 ` Dave Young
2016-01-25 7:02 ` Dave Young
2016-01-25 7:02 ` Dave Young
2016-01-25 15:04 ` Mimi Zohar
2016-01-25 15:04 ` Mimi Zohar
2016-01-25 20:34 ` Luis R. Rodriguez
2016-01-25 20:34 ` Luis R. Rodriguez
2016-01-25 23:48 ` Mimi Zohar
2016-01-25 23:48 ` Mimi Zohar
2016-01-26 20:48 ` Luis R. Rodriguez
2016-01-26 20:48 ` Luis R. Rodriguez
2016-01-26 1:20 ` Dave Young
2016-01-26 1:20 ` Dave Young
2016-01-26 16:40 ` Mimi Zohar
2016-01-26 16:40 ` Mimi Zohar
2016-01-27 1:50 ` Dave Young
2016-01-27 1:50 ` Dave Young
2016-01-18 15:11 ` [RFC PATCH v2 07/11] firmware: replace call to fw_read_file_contents() " Mimi Zohar
2016-01-18 15:11 ` Mimi Zohar
2016-01-20 0:10 ` Kees Cook
2016-01-20 0:10 ` Kees Cook
2016-01-21 12:04 ` Mimi Zohar
2016-01-21 12:04 ` Mimi Zohar
2016-01-20 23:39 ` Luis R. Rodriguez
2016-01-20 23:39 ` Luis R. Rodriguez
2016-01-20 23:56 ` Luis R. Rodriguez
2016-01-20 23:56 ` Luis R. Rodriguez
2016-01-21 12:05 ` Mimi Zohar
2016-01-21 12:05 ` Mimi Zohar
2016-01-21 16:49 ` Luis R. Rodriguez
2016-01-21 16:49 ` Luis R. Rodriguez
2016-01-18 15:11 ` [RFC PATCH v2 08/11] module: replace copy_module_from_fd " Mimi Zohar
2016-01-18 15:11 ` Mimi Zohar
2016-01-21 0:03 ` Luis R. Rodriguez
2016-01-21 0:03 ` Luis R. Rodriguez
2016-01-21 13:12 ` Mimi Zohar
2016-01-21 13:12 ` Mimi Zohar
2016-01-21 15:45 ` Paul Moore
2016-01-21 15:45 ` Paul Moore
2016-01-21 21:15 ` Mimi Zohar
2016-01-21 21:15 ` Mimi Zohar
2016-01-21 21:26 ` Paul Moore
2016-01-21 21:26 ` Paul Moore
2016-01-21 21:58 ` Kees Cook
2016-01-21 21:58 ` Kees Cook
2016-01-21 16:56 ` Luis R. Rodriguez
2016-01-21 16:56 ` Luis R. Rodriguez
2016-01-21 20:37 ` Mimi Zohar
2016-01-21 20:37 ` Mimi Zohar
2016-01-18 15:11 ` [RFC PATCH v2 09/11] ima: load policy using path Mimi Zohar
2016-01-18 15:11 ` Mimi Zohar
2016-01-21 0:05 ` Luis R. Rodriguez
2016-01-21 0:05 ` Luis R. Rodriguez
2016-01-21 13:15 ` Mimi Zohar
2016-01-21 13:15 ` Mimi Zohar
2016-01-23 2:59 ` Luis R. Rodriguez
2016-01-23 2:59 ` Luis R. Rodriguez
2016-01-18 15:11 ` [RFC PATCH v2 10/11] ima: measure and appraise the IMA policy itself Mimi Zohar
2016-01-18 15:11 ` Mimi Zohar
2016-01-18 15:11 ` [RFC PATCH v2 11/11] ima: require signed IMA policy Mimi Zohar
2016-01-18 15:11 ` Mimi Zohar
2016-01-21 20:16 ` [RFC PATCH v2 00/11] vfss: support for a common kernel file loader Luis R. Rodriguez
2016-01-21 20:16 ` Luis R. Rodriguez
2016-01-21 20:18 ` Mimi Zohar
2016-01-21 20:18 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160125063712.GC5616@dhcp-128-65.nay.redhat.com \
--to=dyoung@redhat.com \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=dmitry.torokhov@gmail.com \
--cc=dwmw2@infradead.org \
--cc=fsdevel@vger.kernel.org \
--cc=keescook@chromium.org \
--cc=kexec@lists.infradead.org \
--cc=linux-modules@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mcgrof@suse.com \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.