* [GIT PULL] Security subsystem updates for 4.14
@ 2017-09-04 10:29 ` James Morris
0 siblings, 0 replies; 46+ messages in thread
From: James Morris @ 2017-09-04 10:29 UTC (permalink / raw)
To: Linus Torvalds; +Cc: linux-kernel, linux-security-module
Hi Linus,
Here are the security subsystem updates for 4.14. Highlights:
AppArmor:
- Add mediation of mountpoints and signals
- Add support for absolute root view based labels
- add base infastructure for socket mediation
LSM:
- Remove unused security_task_create() hook
TPM:
- Some constification and minor updates.
IMA:
- A new integrity_read file operation method, avoids races when
calculating file hashes
SELinux:
- from Paul Moore:
"A relatively quiet period for SELinux, 11 patches with only two/three
having any substantive changes. These noteworthy changes include
another tweak to the NNP/nosuid handling, per-file labeling for
cgroups, and an object class fix for AF_UNIX/SOCK_RAW sockets; the rest
of the changes are minor tweaks or administrative updates (Stephen's
email update explains the file explosion in the diffstat)."
Seccomp:
- from Kees Cook:
"Major additions:
- sysctl and seccomp operation to discover available actions. (tyhicks)
- new per-filter configurable logging infrastructure and sysctl. (tyhicks)
- SECCOMP_RET_LOG to log allowed syscalls. (tyhicks)
- SECCOMP_RET_KILL_PROCESS as the new strictest possible action.
- self-tests for new behaviors."
And nothing for Smack, for the first time perhaps.
Please pull.
---
The following changes since commit 81a84ad3cb5711cec79f4dd53a4ce026b092c432:
Merge branch 'docs-next' of git://git.lwn.net/linux (2017-09-03 21:07:29 -0700)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next
Antonio Murdaca (1):
selinux: allow per-file labeling for cgroupfs
Arvind Yadav (3):
tpm: tpm_crb: constify acpi_device_id.
tpm: vtpm: constify vio_device_id
selinux: constify nf_hook_ops
Christoph Hellwig (1):
ima: use fs method to read integrity data
Christos Gkekas (1):
apparmor: Fix logical error in verify_header()
Dan Carpenter (1):
apparmor: Fix an error code in aafs_create()
Enric Balletbo i Serra (1):
Documentation: tpm: add powered-while-suspended binding documentation
Geert Uytterhoeven (1):
apparmor: Fix shadowed local variable in unpack_trans_table()
Hamza Attak (1):
tpm: replace msleep() with usleep_range() in TPM 1.2/2.0 generic drivers
James Morris (3):
sync to Linus v4.13-rc2 for subsystem developers to work against
Merge tag 'seccomp-next' of git://git.kernel.org/.../kees/linux into next
Merge tag 'selinux-pr-20170831' of git://git.kernel.org/.../pcmoore/selinux into next
John Johansen (13):
apparmor: Redundant condition: prev_ns. in [label.c:1498]
apparmor: add the ability to mediate signals
apparmor: add mount mediation
apparmor: cleanup conditional check for label in label_print
apparmor: add support for absolute root view based labels
apparmor: make policy_unpack able to audit different info messages
apparmor: add more debug asserts to apparmorfs
apparmor: add base infastructure for socket mediation
apparmor: move new_null_profile to after profile lookup fns()
apparmor: fix race condition in null profile creation
apparmor: ensure unconfined profiles have dfas initialized
apparmor: fix incorrect type assignment when freeing proxies
apparmor: fix build failure on sparc caused by undeclared, signals
Kees Cook (9):
selftests/seccomp: Add tests for basic ptrace actions
selftests/seccomp: Add simple seccomp overhead benchmark
selftests/seccomp: Refactor RET_ERRNO tests
seccomp: Provide matching filter for introspection
seccomp: Rename SECCOMP_RET_KILL to SECCOMP_RET_KILL_THREAD
seccomp: Introduce SECCOMP_RET_KILL_PROCESS
seccomp: Implement SECCOMP_RET_KILL_PROCESS action
selftests/seccomp: Test thread vs process killing
samples: Unrename SECCOMP_RET_KILL
Luis Ressel (1):
selinux: Assign proper class to PF_UNIX/SOCK_RAW sockets
Michal Hocko (1):
selinux: use GFP_NOWAIT in the AVC kmem_caches
Michal Suchanek (1):
tpm: ibmvtpm: simplify crq initialization and document crq format
Mimi Zohar (6):
ima: don't remove the securityfs policy file
libfs: define simple_read_iter_from_buffer
efivarfs: replaces the read file operation with read_iter
ima: always measure and audit files in policy
ima: define "dont_failsafe" policy action rule
ima: define "fs_unsafe" builtin policy
Paul Moore (4):
credits: update Paul Moore's info
selinux: update the selinux info in MAINTAINERS
MAINTAINERS: update the NetLabel and Labeled Networking information
MAINTAINERS: update the NetLabel and Labeled Networking information
Stefan Berger (1):
security: fix description of values returned by cap_inode_need_killpriv
Stephen Smalley (4):
selinux: genheaders should fail if too many permissions are defined
selinux: Generalize support for NNP/nosuid SELinux domain transitions
selinux: update my email address
lsm_audit: update my email address
Tetsuo Handa (2):
LSM: Remove security_task_create() hook.
tomoyo: Update URLs in Documentation/admin-guide/LSM/tomoyo.rst
Tyler Hicks (6):
seccomp: Sysctl to display available actions
seccomp: Operation for checking if an action is available
seccomp: Sysctl to configure actions that are allowed to be logged
seccomp: Selftest for detection of filter flag support
seccomp: Filter flag to log all actions except SECCOMP_RET_ALLOW
seccomp: Action to log before allowing
CREDITS | 8 +-
Documentation/ABI/testing/ima_policy | 3 +-
Documentation/admin-guide/LSM/tomoyo.rst | 24 +-
Documentation/admin-guide/kernel-parameters.txt | 8 +-
.../devicetree/bindings/security/tpm/tpm-i2c.txt | 6 +
Documentation/networking/filter.txt | 2 +-
Documentation/sysctl/kernel.txt | 1 +
Documentation/userspace-api/seccomp_filter.rst | 52 ++-
MAINTAINERS | 29 +-
drivers/char/tpm/tpm-interface.c | 10 +-
drivers/char/tpm/tpm.h | 9 +-
drivers/char/tpm/tpm2-cmd.c | 2 +-
drivers/char/tpm/tpm_crb.c | 2 +-
drivers/char/tpm/tpm_ibmvtpm.c | 98 ++-
drivers/char/tpm/tpm_infineon.c | 6 +-
drivers/char/tpm/tpm_tis_core.c | 8 +-
fs/btrfs/file.c | 1 +
fs/efivarfs/file.c | 12 +-
fs/ext2/file.c | 17 +
fs/ext4/file.c | 20 +
fs/f2fs/file.c | 1 +
fs/jffs2/file.c | 1 +
fs/jfs/file.c | 1 +
fs/libfs.c | 32 +
fs/nilfs2/file.c | 1 +
fs/ramfs/file-mmu.c | 1 +
fs/ramfs/file-nommu.c | 1 +
fs/ubifs/file.c | 1 +
fs/xfs/xfs_file.c | 21 +
include/linux/audit.h | 6 +-
include/linux/fs.h | 3 +
include/linux/lsm_audit.h | 2 +-
include/linux/lsm_hooks.h | 7 -
include/linux/seccomp.h | 3 +-
include/linux/security.h | 6 -
include/uapi/linux/seccomp.h | 23 +-
kernel/fork.c | 4 -
kernel/seccomp.c | 321 +++++++++-
mm/shmem.c | 1 +
scripts/selinux/genheaders/genheaders.c | 7 +-
security/apparmor/.gitignore | 1 +
security/apparmor/Makefile | 43 ++-
security/apparmor/apparmorfs.c | 37 +-
security/apparmor/domain.c | 4 +-
security/apparmor/file.c | 30 +
security/apparmor/include/apparmor.h | 2 +
security/apparmor/include/audit.h | 39 +-
security/apparmor/include/domain.h | 5 +
security/apparmor/include/ipc.h | 6 +
security/apparmor/include/label.h | 1 +
security/apparmor/include/mount.h | 54 ++
security/apparmor/include/net.h | 114 ++++
security/apparmor/include/perms.h | 5 +-
security/apparmor/include/policy.h | 13 +
security/apparmor/include/sig_names.h | 98 +++
security/apparmor/ipc.c | 99 +++
security/apparmor/label.c | 36 +-
security/apparmor/lib.c | 5 +-
security/apparmor/lsm.c | 472 +++++++++++++
security/apparmor/mount.c | 696 ++++++++++++++++++++
security/apparmor/net.c | 184 ++++++
security/apparmor/policy.c | 166 +++---
security/apparmor/policy_ns.c | 2 +
security/apparmor/policy_unpack.c | 105 +++-
security/commoncap.c | 6 +-
security/integrity/iint.c | 20 +-
security/integrity/ima/ima.h | 1 +
security/integrity/ima/ima_api.c | 67 ++-
security/integrity/ima/ima_crypto.c | 10 +
security/integrity/ima/ima_fs.c | 4 +-
security/integrity/ima/ima_main.c | 19 +-
security/integrity/ima/ima_policy.c | 41 ++-
security/lsm_audit.c | 2 +-
security/security.c | 5 -
security/selinux/avc.c | 16 +-
security/selinux/hooks.c | 56 ++-
security/selinux/include/avc.h | 2 +-
security/selinux/include/avc_ss.h | 2 +-
security/selinux/include/classmap.h | 2 +
security/selinux/include/objsec.h | 2 +-
security/selinux/include/security.h | 4 +-
security/selinux/ss/avtab.c | 2 +-
security/selinux/ss/avtab.h | 2 +-
security/selinux/ss/constraint.h | 2 +-
security/selinux/ss/context.h | 2 +-
security/selinux/ss/ebitmap.c | 2 +-
security/selinux/ss/ebitmap.h | 2 +-
security/selinux/ss/hashtab.c | 2 +-
security/selinux/ss/hashtab.h | 2 +-
security/selinux/ss/mls.c | 2 +-
security/selinux/ss/mls.h | 2 +-
security/selinux/ss/mls_types.h | 2 +-
security/selinux/ss/policydb.c | 2 +-
security/selinux/ss/policydb.h | 2 +-
security/selinux/ss/services.c | 9 +-
security/selinux/ss/services.h | 2 +-
security/selinux/ss/sidtab.c | 2 +-
security/selinux/ss/sidtab.h | 2 +-
security/selinux/ss/symtab.c | 2 +-
security/selinux/ss/symtab.h | 2 +-
tools/testing/selftests/seccomp/Makefile | 18 +-
.../testing/selftests/seccomp/seccomp_benchmark.c | 99 +++
tools/testing/selftests/seccomp/seccomp_bpf.c | 610 +++++++++++++++---
103 files changed, 3540 insertions(+), 469 deletions(-)
create mode 100644 security/apparmor/include/mount.h
create mode 100644 security/apparmor/include/net.h
create mode 100644 security/apparmor/include/sig_names.h
create mode 100644 security/apparmor/mount.c
create mode 100644 security/apparmor/net.c
create mode 100644 tools/testing/selftests/seccomp/seccomp_benchmark.c
^ permalink raw reply [flat|nested] 46+ messages in thread* [GIT PULL] Security subsystem updates for 4.14 @ 2017-09-04 10:29 ` James Morris 0 siblings, 0 replies; 46+ messages in thread From: James Morris @ 2017-09-04 10:29 UTC (permalink / raw) To: linux-security-module Hi Linus, Here are the security subsystem updates for 4.14. Highlights: AppArmor: - Add mediation of mountpoints and signals - Add support for absolute root view based labels - add base infastructure for socket mediation LSM: - Remove unused security_task_create() hook TPM: - Some constification and minor updates. IMA: - A new integrity_read file operation method, avoids races when calculating file hashes SELinux: - from Paul Moore: "A relatively quiet period for SELinux, 11 patches with only two/three having any substantive changes. These noteworthy changes include another tweak to the NNP/nosuid handling, per-file labeling for cgroups, and an object class fix for AF_UNIX/SOCK_RAW sockets; the rest of the changes are minor tweaks or administrative updates (Stephen's email update explains the file explosion in the diffstat)." Seccomp: - from Kees Cook: "Major additions: - sysctl and seccomp operation to discover available actions. (tyhicks) - new per-filter configurable logging infrastructure and sysctl. (tyhicks) - SECCOMP_RET_LOG to log allowed syscalls. (tyhicks) - SECCOMP_RET_KILL_PROCESS as the new strictest possible action. - self-tests for new behaviors." And nothing for Smack, for the first time perhaps. Please pull. --- The following changes since commit 81a84ad3cb5711cec79f4dd53a4ce026b092c432: Merge branch 'docs-next' of git://git.lwn.net/linux (2017-09-03 21:07:29 -0700) are available in the git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next Antonio Murdaca (1): selinux: allow per-file labeling for cgroupfs Arvind Yadav (3): tpm: tpm_crb: constify acpi_device_id. tpm: vtpm: constify vio_device_id selinux: constify nf_hook_ops Christoph Hellwig (1): ima: use fs method to read integrity data Christos Gkekas (1): apparmor: Fix logical error in verify_header() Dan Carpenter (1): apparmor: Fix an error code in aafs_create() Enric Balletbo i Serra (1): Documentation: tpm: add powered-while-suspended binding documentation Geert Uytterhoeven (1): apparmor: Fix shadowed local variable in unpack_trans_table() Hamza Attak (1): tpm: replace msleep() with usleep_range() in TPM 1.2/2.0 generic drivers James Morris (3): sync to Linus v4.13-rc2 for subsystem developers to work against Merge tag 'seccomp-next' of git://git.kernel.org/.../kees/linux into next Merge tag 'selinux-pr-20170831' of git://git.kernel.org/.../pcmoore/selinux into next John Johansen (13): apparmor: Redundant condition: prev_ns. in [label.c:1498] apparmor: add the ability to mediate signals apparmor: add mount mediation apparmor: cleanup conditional check for label in label_print apparmor: add support for absolute root view based labels apparmor: make policy_unpack able to audit different info messages apparmor: add more debug asserts to apparmorfs apparmor: add base infastructure for socket mediation apparmor: move new_null_profile to after profile lookup fns() apparmor: fix race condition in null profile creation apparmor: ensure unconfined profiles have dfas initialized apparmor: fix incorrect type assignment when freeing proxies apparmor: fix build failure on sparc caused by undeclared, signals Kees Cook (9): selftests/seccomp: Add tests for basic ptrace actions selftests/seccomp: Add simple seccomp overhead benchmark selftests/seccomp: Refactor RET_ERRNO tests seccomp: Provide matching filter for introspection seccomp: Rename SECCOMP_RET_KILL to SECCOMP_RET_KILL_THREAD seccomp: Introduce SECCOMP_RET_KILL_PROCESS seccomp: Implement SECCOMP_RET_KILL_PROCESS action selftests/seccomp: Test thread vs process killing samples: Unrename SECCOMP_RET_KILL Luis Ressel (1): selinux: Assign proper class to PF_UNIX/SOCK_RAW sockets Michal Hocko (1): selinux: use GFP_NOWAIT in the AVC kmem_caches Michal Suchanek (1): tpm: ibmvtpm: simplify crq initialization and document crq format Mimi Zohar (6): ima: don't remove the securityfs policy file libfs: define simple_read_iter_from_buffer efivarfs: replaces the read file operation with read_iter ima: always measure and audit files in policy ima: define "dont_failsafe" policy action rule ima: define "fs_unsafe" builtin policy Paul Moore (4): credits: update Paul Moore's info selinux: update the selinux info in MAINTAINERS MAINTAINERS: update the NetLabel and Labeled Networking information MAINTAINERS: update the NetLabel and Labeled Networking information Stefan Berger (1): security: fix description of values returned by cap_inode_need_killpriv Stephen Smalley (4): selinux: genheaders should fail if too many permissions are defined selinux: Generalize support for NNP/nosuid SELinux domain transitions selinux: update my email address lsm_audit: update my email address Tetsuo Handa (2): LSM: Remove security_task_create() hook. tomoyo: Update URLs in Documentation/admin-guide/LSM/tomoyo.rst Tyler Hicks (6): seccomp: Sysctl to display available actions seccomp: Operation for checking if an action is available seccomp: Sysctl to configure actions that are allowed to be logged seccomp: Selftest for detection of filter flag support seccomp: Filter flag to log all actions except SECCOMP_RET_ALLOW seccomp: Action to log before allowing CREDITS | 8 +- Documentation/ABI/testing/ima_policy | 3 +- Documentation/admin-guide/LSM/tomoyo.rst | 24 +- Documentation/admin-guide/kernel-parameters.txt | 8 +- .../devicetree/bindings/security/tpm/tpm-i2c.txt | 6 + Documentation/networking/filter.txt | 2 +- Documentation/sysctl/kernel.txt | 1 + Documentation/userspace-api/seccomp_filter.rst | 52 ++- MAINTAINERS | 29 +- drivers/char/tpm/tpm-interface.c | 10 +- drivers/char/tpm/tpm.h | 9 +- drivers/char/tpm/tpm2-cmd.c | 2 +- drivers/char/tpm/tpm_crb.c | 2 +- drivers/char/tpm/tpm_ibmvtpm.c | 98 ++- drivers/char/tpm/tpm_infineon.c | 6 +- drivers/char/tpm/tpm_tis_core.c | 8 +- fs/btrfs/file.c | 1 + fs/efivarfs/file.c | 12 +- fs/ext2/file.c | 17 + fs/ext4/file.c | 20 + fs/f2fs/file.c | 1 + fs/jffs2/file.c | 1 + fs/jfs/file.c | 1 + fs/libfs.c | 32 + fs/nilfs2/file.c | 1 + fs/ramfs/file-mmu.c | 1 + fs/ramfs/file-nommu.c | 1 + fs/ubifs/file.c | 1 + fs/xfs/xfs_file.c | 21 + include/linux/audit.h | 6 +- include/linux/fs.h | 3 + include/linux/lsm_audit.h | 2 +- include/linux/lsm_hooks.h | 7 - include/linux/seccomp.h | 3 +- include/linux/security.h | 6 - include/uapi/linux/seccomp.h | 23 +- kernel/fork.c | 4 - kernel/seccomp.c | 321 +++++++++- mm/shmem.c | 1 + scripts/selinux/genheaders/genheaders.c | 7 +- security/apparmor/.gitignore | 1 + security/apparmor/Makefile | 43 ++- security/apparmor/apparmorfs.c | 37 +- security/apparmor/domain.c | 4 +- security/apparmor/file.c | 30 + security/apparmor/include/apparmor.h | 2 + security/apparmor/include/audit.h | 39 +- security/apparmor/include/domain.h | 5 + security/apparmor/include/ipc.h | 6 + security/apparmor/include/label.h | 1 + security/apparmor/include/mount.h | 54 ++ security/apparmor/include/net.h | 114 ++++ security/apparmor/include/perms.h | 5 +- security/apparmor/include/policy.h | 13 + security/apparmor/include/sig_names.h | 98 +++ security/apparmor/ipc.c | 99 +++ security/apparmor/label.c | 36 +- security/apparmor/lib.c | 5 +- security/apparmor/lsm.c | 472 +++++++++++++ security/apparmor/mount.c | 696 ++++++++++++++++++++ security/apparmor/net.c | 184 ++++++ security/apparmor/policy.c | 166 +++--- security/apparmor/policy_ns.c | 2 + security/apparmor/policy_unpack.c | 105 +++- security/commoncap.c | 6 +- security/integrity/iint.c | 20 +- security/integrity/ima/ima.h | 1 + security/integrity/ima/ima_api.c | 67 ++- security/integrity/ima/ima_crypto.c | 10 + security/integrity/ima/ima_fs.c | 4 +- security/integrity/ima/ima_main.c | 19 +- security/integrity/ima/ima_policy.c | 41 ++- security/lsm_audit.c | 2 +- security/security.c | 5 - security/selinux/avc.c | 16 +- security/selinux/hooks.c | 56 ++- security/selinux/include/avc.h | 2 +- security/selinux/include/avc_ss.h | 2 +- security/selinux/include/classmap.h | 2 + security/selinux/include/objsec.h | 2 +- security/selinux/include/security.h | 4 +- security/selinux/ss/avtab.c | 2 +- security/selinux/ss/avtab.h | 2 +- security/selinux/ss/constraint.h | 2 +- security/selinux/ss/context.h | 2 +- security/selinux/ss/ebitmap.c | 2 +- security/selinux/ss/ebitmap.h | 2 +- security/selinux/ss/hashtab.c | 2 +- security/selinux/ss/hashtab.h | 2 +- security/selinux/ss/mls.c | 2 +- security/selinux/ss/mls.h | 2 +- security/selinux/ss/mls_types.h | 2 +- security/selinux/ss/policydb.c | 2 +- security/selinux/ss/policydb.h | 2 +- security/selinux/ss/services.c | 9 +- security/selinux/ss/services.h | 2 +- security/selinux/ss/sidtab.c | 2 +- security/selinux/ss/sidtab.h | 2 +- security/selinux/ss/symtab.c | 2 +- security/selinux/ss/symtab.h | 2 +- tools/testing/selftests/seccomp/Makefile | 18 +- .../testing/selftests/seccomp/seccomp_benchmark.c | 99 +++ tools/testing/selftests/seccomp/seccomp_bpf.c | 610 +++++++++++++++--- 103 files changed, 3540 insertions(+), 469 deletions(-) create mode 100644 security/apparmor/include/mount.h create mode 100644 security/apparmor/include/net.h create mode 100644 security/apparmor/include/sig_names.h create mode 100644 security/apparmor/mount.c create mode 100644 security/apparmor/net.c create mode 100644 tools/testing/selftests/seccomp/seccomp_benchmark.c -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 46+ messages in thread
* Re: [GIT PULL] Security subsystem updates for 4.14 2017-09-04 10:29 ` James Morris @ 2017-09-07 18:19 ` Linus Torvalds -1 siblings, 0 replies; 46+ messages in thread From: Linus Torvalds @ 2017-09-07 18:19 UTC (permalink / raw) To: James Morris; +Cc: Linux Kernel Mailing List, LSM List On Mon, Sep 4, 2017 at 3:29 AM, James Morris <jmorris@namei.org> wrote: > > IMA: > - A new integrity_read file operation method, avoids races when > calculating file hashes Honestly, this seems really odd. It documents that it needs to be called with i_rwsem held exclusively, and even has a lockdep assert to that effect (well, not really: the code claims "exclusive", but the lockdep assert does not), but I'm not actually seeing anybody doing it. Quite the reverse, I just see integrity_read_file() doing filp_open() on the pathname and passing it to integrity_kernel_read() with no locking. It really looks like just pure garbage to me. I pulled, and I'm not unpulling the whole thing. I don't think it's been tested, and I don't think it can be right. Tell me why I'm wrong, or tell me why that garbage made it in in the first place? Linus ^ permalink raw reply [flat|nested] 46+ messages in thread
* [GIT PULL] Security subsystem updates for 4.14 @ 2017-09-07 18:19 ` Linus Torvalds 0 siblings, 0 replies; 46+ messages in thread From: Linus Torvalds @ 2017-09-07 18:19 UTC (permalink / raw) To: linux-security-module On Mon, Sep 4, 2017 at 3:29 AM, James Morris <jmorris@namei.org> wrote: > > IMA: > - A new integrity_read file operation method, avoids races when > calculating file hashes Honestly, this seems really odd. It documents that it needs to be called with i_rwsem held exclusively, and even has a lockdep assert to that effect (well, not really: the code claims "exclusive", but the lockdep assert does not), but I'm not actually seeing anybody doing it. Quite the reverse, I just see integrity_read_file() doing filp_open() on the pathname and passing it to integrity_kernel_read() with no locking. It really looks like just pure garbage to me. I pulled, and I'm not unpulling the whole thing. I don't think it's been tested, and I don't think it can be right. Tell me why I'm wrong, or tell me why that garbage made it in in the first place? Linus -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 46+ messages in thread
* Re: [GIT PULL] Security subsystem updates for 4.14 2017-09-07 18:19 ` Linus Torvalds @ 2017-09-08 4:48 ` James Morris -1 siblings, 0 replies; 46+ messages in thread From: James Morris @ 2017-09-08 4:48 UTC (permalink / raw) To: Linus Torvalds Cc: Linux Kernel Mailing List, LSM List, Mimi Zohar, Christoph Hellwig On Thu, 7 Sep 2017, Linus Torvalds wrote: > On Mon, Sep 4, 2017 at 3:29 AM, James Morris <jmorris@namei.org> wrote: > > > > IMA: > > - A new integrity_read file operation method, avoids races when > > calculating file hashes > > Honestly, this seems really odd. > > It documents that it needs to be called with i_rwsem held exclusively, > and even has a lockdep assert to that effect (well, not really: the > code claims "exclusive", but the lockdep assert does not), but I'm not > actually seeing anybody doing it. > > Quite the reverse, I just see integrity_read_file() doing filp_open() > on the pathname and passing it to integrity_kernel_read() with no > locking. > > It really looks like just pure garbage to me. I pulled, and I'm not > unpulling the whole thing. I don't think it's been tested, and I don't > think it can be right. > > Tell me why I'm wrong, or tell me why that garbage made it in in the > first place? Mimi and Christoph worked together on this over several iterations -- I'll let them respond. -- James Morris <jmorris@namei.org> ^ permalink raw reply [flat|nested] 46+ messages in thread
* [GIT PULL] Security subsystem updates for 4.14 @ 2017-09-08 4:48 ` James Morris 0 siblings, 0 replies; 46+ messages in thread From: James Morris @ 2017-09-08 4:48 UTC (permalink / raw) To: linux-security-module On Thu, 7 Sep 2017, Linus Torvalds wrote: > On Mon, Sep 4, 2017 at 3:29 AM, James Morris <jmorris@namei.org> wrote: > > > > IMA: > > - A new integrity_read file operation method, avoids races when > > calculating file hashes > > Honestly, this seems really odd. > > It documents that it needs to be called with i_rwsem held exclusively, > and even has a lockdep assert to that effect (well, not really: the > code claims "exclusive", but the lockdep assert does not), but I'm not > actually seeing anybody doing it. > > Quite the reverse, I just see integrity_read_file() doing filp_open() > on the pathname and passing it to integrity_kernel_read() with no > locking. > > It really looks like just pure garbage to me. I pulled, and I'm not > unpulling the whole thing. I don't think it's been tested, and I don't > think it can be right. > > Tell me why I'm wrong, or tell me why that garbage made it in in the > first place? Mimi and Christoph worked together on this over several iterations -- I'll let them respond. -- James Morris <jmorris@namei.org> -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 46+ messages in thread
* Re: [GIT PULL] Security subsystem updates for 4.14 2017-09-08 4:48 ` James Morris @ 2017-09-08 7:09 ` Christoph Hellwig -1 siblings, 0 replies; 46+ messages in thread From: Christoph Hellwig @ 2017-09-08 7:09 UTC (permalink / raw) To: James Morris Cc: Linus Torvalds, Linux Kernel Mailing List, LSM List, Mimi Zohar, Christoph Hellwig The reason why I send out the original version of this patch is because IMA used to call ->read under i_rwsem, and that deadlocked on XFS and NFS, or ext3/4 with DAX. The call path for that is process_measurement (takes i_rwsem) -> ima_collect_measurement -> ima_calc_file_hash -> ima_calc_file_ahash / ima_calc_file_shash -> ima_calc_file_hash_atfm / ima_calc_file_hash_tfm -> integrity_kernel_read ima_check_last_writer (takes i_rwsem) -> ima_update_xattr -> ima_collect_measurement -> (as above) But yes, for the init-time integrity_read_file this is incorrect. It never tripped up, and I explicitly added the lockdep annotations so that anything would show up, and it's been half a year since I sent that first RFC patch.. ^ permalink raw reply [flat|nested] 46+ messages in thread
* [GIT PULL] Security subsystem updates for 4.14 @ 2017-09-08 7:09 ` Christoph Hellwig 0 siblings, 0 replies; 46+ messages in thread From: Christoph Hellwig @ 2017-09-08 7:09 UTC (permalink / raw) To: linux-security-module The reason why I send out the original version of this patch is because IMA used to call ->read under i_rwsem, and that deadlocked on XFS and NFS, or ext3/4 with DAX. The call path for that is process_measurement (takes i_rwsem) -> ima_collect_measurement -> ima_calc_file_hash -> ima_calc_file_ahash / ima_calc_file_shash -> ima_calc_file_hash_atfm / ima_calc_file_hash_tfm -> integrity_kernel_read ima_check_last_writer (takes i_rwsem) -> ima_update_xattr -> ima_collect_measurement -> (as above) But yes, for the init-time integrity_read_file this is incorrect. It never tripped up, and I explicitly added the lockdep annotations so that anything would show up, and it's been half a year since I sent that first RFC patch.. -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 46+ messages in thread
* Re: [GIT PULL] Security subsystem updates for 4.14 2017-09-08 7:09 ` Christoph Hellwig @ 2017-09-08 17:25 ` Linus Torvalds -1 siblings, 0 replies; 46+ messages in thread From: Linus Torvalds @ 2017-09-08 17:25 UTC (permalink / raw) To: Christoph Hellwig Cc: James Morris, Linux Kernel Mailing List, LSM List, Mimi Zohar On Fri, Sep 8, 2017 at 12:09 AM, Christoph Hellwig <hch@infradead.org> wrote: > > But yes, for the init-time integrity_read_file this is incorrect. > It never tripped up, and I explicitly added the lockdep annotations > so that anything would show up, and it's been half a year since > I sent that first RFC patch.. I don't think anybody actually tests linux-next kernels in any big way, and the automated tests that do get run probably don't run with any integrity checking enabled. Which is why I actually look at the code when merging unexpected stuff. This is also why I tend to prefer getting multiple branches for independent things. Now the whole security pull will be ignored because of this thing. I refuse to pull garbage where I notice major fundamental problems in code that has obviously never ever been tested. Side note: one of the reasons why I _looked_ at this code was because the exclusive lock requirement was entirely unexplained in the first place. Linus ^ permalink raw reply [flat|nested] 46+ messages in thread
* [GIT PULL] Security subsystem updates for 4.14 @ 2017-09-08 17:25 ` Linus Torvalds 0 siblings, 0 replies; 46+ messages in thread From: Linus Torvalds @ 2017-09-08 17:25 UTC (permalink / raw) To: linux-security-module On Fri, Sep 8, 2017 at 12:09 AM, Christoph Hellwig <hch@infradead.org> wrote: > > But yes, for the init-time integrity_read_file this is incorrect. > It never tripped up, and I explicitly added the lockdep annotations > so that anything would show up, and it's been half a year since > I sent that first RFC patch.. I don't think anybody actually tests linux-next kernels in any big way, and the automated tests that do get run probably don't run with any integrity checking enabled. Which is why I actually look at the code when merging unexpected stuff. This is also why I tend to prefer getting multiple branches for independent things. Now the whole security pull will be ignored because of this thing. I refuse to pull garbage where I notice major fundamental problems in code that has obviously never ever been tested. Side note: one of the reasons why I _looked_ at this code was because the exclusive lock requirement was entirely unexplained in the first place. Linus -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 46+ messages in thread
* Re: [GIT PULL] Security subsystem updates for 4.14 2017-09-08 17:25 ` Linus Torvalds @ 2017-09-08 17:36 ` Paul Moore -1 siblings, 0 replies; 46+ messages in thread From: Paul Moore @ 2017-09-08 17:36 UTC (permalink / raw) To: Linus Torvalds, James Morris, LSM List Cc: Christoph Hellwig, Linux Kernel Mailing List, Mimi Zohar On Fri, Sep 8, 2017 at 1:25 PM, Linus Torvalds <torvalds@linux-foundation.org> wrote: > On Fri, Sep 8, 2017 at 12:09 AM, Christoph Hellwig <hch@infradead.org> wrote: >> >> But yes, for the init-time integrity_read_file this is incorrect. >> It never tripped up, and I explicitly added the lockdep annotations >> so that anything would show up, and it's been half a year since >> I sent that first RFC patch.. > > I don't think anybody actually tests linux-next kernels in any big > way, and the automated tests that do get run probably don't run with > any integrity checking enabled. > > Which is why I actually look at the code when merging unexpected stuff. > > This is also why I tend to prefer getting multiple branches for > independent things. > > Now the whole security pull will be ignored because of this thing. I > refuse to pull garbage where I notice major fundamental problems in > code that has obviously never ever been tested. Is it time to start sending pull request for each LSM and thing under security/ directly? I'm not sure I have a strong preference either way, I just don't want to see the SELinux changes ignored during the merge window. -- paul moore www.paul-moore.com ^ permalink raw reply [flat|nested] 46+ messages in thread
* [GIT PULL] Security subsystem updates for 4.14 @ 2017-09-08 17:36 ` Paul Moore 0 siblings, 0 replies; 46+ messages in thread From: Paul Moore @ 2017-09-08 17:36 UTC (permalink / raw) To: linux-security-module On Fri, Sep 8, 2017 at 1:25 PM, Linus Torvalds <torvalds@linux-foundation.org> wrote: > On Fri, Sep 8, 2017 at 12:09 AM, Christoph Hellwig <hch@infradead.org> wrote: >> >> But yes, for the init-time integrity_read_file this is incorrect. >> It never tripped up, and I explicitly added the lockdep annotations >> so that anything would show up, and it's been half a year since >> I sent that first RFC patch.. > > I don't think anybody actually tests linux-next kernels in any big > way, and the automated tests that do get run probably don't run with > any integrity checking enabled. > > Which is why I actually look at the code when merging unexpected stuff. > > This is also why I tend to prefer getting multiple branches for > independent things. > > Now the whole security pull will be ignored because of this thing. I > refuse to pull garbage where I notice major fundamental problems in > code that has obviously never ever been tested. Is it time to start sending pull request for each LSM and thing under security/ directly? I'm not sure I have a strong preference either way, I just don't want to see the SELinux changes ignored during the merge window. -- paul moore www.paul-moore.com -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 46+ messages in thread
* Re: [GIT PULL] Security subsystem updates for 4.14 2017-09-08 17:36 ` Paul Moore @ 2017-09-10 4:32 ` James Morris -1 siblings, 0 replies; 46+ messages in thread From: James Morris @ 2017-09-10 4:32 UTC (permalink / raw) To: Paul Moore Cc: Linus Torvalds, LSM List, Christoph Hellwig, Linux Kernel Mailing List, Mimi Zohar On Fri, 8 Sep 2017, Paul Moore wrote: > > This is also why I tend to prefer getting multiple branches for > > independent things. [...] > > Is it time to start sending pull request for each LSM and thing under > security/ directly? I'm not sure I have a strong preference either > way, I just don't want to see the SELinux changes ignored during the > merge window. They won't be ignored, we just need to get this issue resolved now and figure out how to implement multiple branches in the security tree. Looking at other git repos, the x86 folk have multiple branches. One option for me would be to publish the trees I pull from as branches along side mine, with 'next' being a merge of all of directly applied patchsets and those ready for Linus to pull as one. So, branches in git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security might be: next-selinux (Paul's next branch) next-apparmor-next (JJ's next branch) next-integrity-next (Mimi's) next-tpm-next (Jarkko's) [etc.] next (merge all of the above to here) That way, we have a coherent 'next' branch for people to develop against and to push to Linus, but he can pull individual branches feeding into it if something is broken in one of them. Does that sound useful? -- James Morris <jmorris@namei.org> ^ permalink raw reply [flat|nested] 46+ messages in thread
* [GIT PULL] Security subsystem updates for 4.14 @ 2017-09-10 4:32 ` James Morris 0 siblings, 0 replies; 46+ messages in thread From: James Morris @ 2017-09-10 4:32 UTC (permalink / raw) To: linux-security-module On Fri, 8 Sep 2017, Paul Moore wrote: > > This is also why I tend to prefer getting multiple branches for > > independent things. [...] > > Is it time to start sending pull request for each LSM and thing under > security/ directly? I'm not sure I have a strong preference either > way, I just don't want to see the SELinux changes ignored during the > merge window. They won't be ignored, we just need to get this issue resolved now and figure out how to implement multiple branches in the security tree. Looking at other git repos, the x86 folk have multiple branches. One option for me would be to publish the trees I pull from as branches along side mine, with 'next' being a merge of all of directly applied patchsets and those ready for Linus to pull as one. So, branches in git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security might be: next-selinux (Paul's next branch) next-apparmor-next (JJ's next branch) next-integrity-next (Mimi's) next-tpm-next (Jarkko's) [etc.] next (merge all of the above to here) That way, we have a coherent 'next' branch for people to develop against and to push to Linus, but he can pull individual branches feeding into it if something is broken in one of them. Does that sound useful? -- James Morris <jmorris@namei.org> -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 46+ messages in thread
* Re: [GIT PULL] Security subsystem updates for 4.14 2017-09-10 4:32 ` James Morris @ 2017-09-10 4:53 ` James Morris -1 siblings, 0 replies; 46+ messages in thread From: James Morris @ 2017-09-10 4:53 UTC (permalink / raw) To: Paul Moore Cc: Linus Torvalds, LSM List, Christoph Hellwig, Linux Kernel Mailing List, Mimi Zohar On Sun, 10 Sep 2017, James Morris wrote: > next-apparmor-next (JJ's next branch) > next-integrity-next (Mimi's) > next-tpm-next (Jarkko's) without '-next' on the end... (editing while jetlagged). -- James Morris <jmorris@namei.org> ^ permalink raw reply [flat|nested] 46+ messages in thread
* [GIT PULL] Security subsystem updates for 4.14 @ 2017-09-10 4:53 ` James Morris 0 siblings, 0 replies; 46+ messages in thread From: James Morris @ 2017-09-10 4:53 UTC (permalink / raw) To: linux-security-module On Sun, 10 Sep 2017, James Morris wrote: > next-apparmor-next (JJ's next branch) > next-integrity-next (Mimi's) > next-tpm-next (Jarkko's) without '-next' on the end... (editing while jetlagged). -- James Morris <jmorris@namei.org> -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 46+ messages in thread
* Re: [GIT PULL] Security subsystem updates for 4.14 2017-09-10 4:32 ` James Morris @ 2017-09-11 22:30 ` Paul Moore -1 siblings, 0 replies; 46+ messages in thread From: Paul Moore @ 2017-09-11 22:30 UTC (permalink / raw) To: James Morris, Linus Torvalds Cc: LSM List, Christoph Hellwig, Linux Kernel Mailing List, Mimi Zohar On Sun, Sep 10, 2017 at 12:32 AM, James Morris <jmorris@namei.org> wrote: > On Fri, 8 Sep 2017, Paul Moore wrote: > >> > This is also why I tend to prefer getting multiple branches for >> > independent things. > > [...] > >> >> Is it time to start sending pull request for each LSM and thing under >> security/ directly? I'm not sure I have a strong preference either >> way, I just don't want to see the SELinux changes ignored during the >> merge window. > > They won't be ignored, we just need to get this issue resolved now and > figure out how to implement multiple branches in the security tree. Once again, I don't really care too much either way. My only selfish motivation is to make it as frictionless as possible to get the SELinux tree merged into Linus' tree. > Looking at other git repos, the x86 folk have multiple branches. I don't really understand what advantage one repo with multiple branches has over multiple repos, e.g. Linus' just pulling from the individual LSM trees directly. I suppose one could make an argument about linux-next, but I know they prefer to pull from the individual repos directly (they pull selinux/next directly). Is it to help reduce the load on Linus? >From my perspective, the linux-security tree only introduces another opportunity for things to go wrong during the merge window (as evidenced by this latest snafu). Help me understand why a single tree with multiple branches is beneficial to multiple trees? Also, to be clear, I'm not picking on IMA or Mimi; this could have easily been SELinux screwing things up for IMA (or Smack, or AppArmor, etc.). > One option for me would be to publish the trees I pull from as branches > along side mine, with 'next' being a merge of all of directly applied > patchsets and those ready for Linus to pull as one. > > So, branches in > git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security > > might be: > > next-selinux (Paul's next branch) > next-apparmor-next (JJ's next branch) > next-integrity-next (Mimi's) > next-tpm-next (Jarkko's) > [etc.] > > next (merge all of the above to here) > > That way, we have a coherent 'next' branch for people to develop against > and to push to Linus, but he can pull individual branches feeding into it > if something is broken in one of them. > > Does that sound useful? -- paul moore www.paul-moore.com ^ permalink raw reply [flat|nested] 46+ messages in thread
* [GIT PULL] Security subsystem updates for 4.14 @ 2017-09-11 22:30 ` Paul Moore 0 siblings, 0 replies; 46+ messages in thread From: Paul Moore @ 2017-09-11 22:30 UTC (permalink / raw) To: linux-security-module On Sun, Sep 10, 2017 at 12:32 AM, James Morris <jmorris@namei.org> wrote: > On Fri, 8 Sep 2017, Paul Moore wrote: > >> > This is also why I tend to prefer getting multiple branches for >> > independent things. > > [...] > >> >> Is it time to start sending pull request for each LSM and thing under >> security/ directly? I'm not sure I have a strong preference either >> way, I just don't want to see the SELinux changes ignored during the >> merge window. > > They won't be ignored, we just need to get this issue resolved now and > figure out how to implement multiple branches in the security tree. Once again, I don't really care too much either way. My only selfish motivation is to make it as frictionless as possible to get the SELinux tree merged into Linus' tree. > Looking at other git repos, the x86 folk have multiple branches. I don't really understand what advantage one repo with multiple branches has over multiple repos, e.g. Linus' just pulling from the individual LSM trees directly. I suppose one could make an argument about linux-next, but I know they prefer to pull from the individual repos directly (they pull selinux/next directly). Is it to help reduce the load on Linus? >From my perspective, the linux-security tree only introduces another opportunity for things to go wrong during the merge window (as evidenced by this latest snafu). Help me understand why a single tree with multiple branches is beneficial to multiple trees? Also, to be clear, I'm not picking on IMA or Mimi; this could have easily been SELinux screwing things up for IMA (or Smack, or AppArmor, etc.). > One option for me would be to publish the trees I pull from as branches > along side mine, with 'next' being a merge of all of directly applied > patchsets and those ready for Linus to pull as one. > > So, branches in > git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security > > might be: > > next-selinux (Paul's next branch) > next-apparmor-next (JJ's next branch) > next-integrity-next (Mimi's) > next-tpm-next (Jarkko's) > [etc.] > > next (merge all of the above to here) > > That way, we have a coherent 'next' branch for people to develop against > and to push to Linus, but he can pull individual branches feeding into it > if something is broken in one of them. > > Does that sound useful? -- paul moore www.paul-moore.com -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 46+ messages in thread
* Re: [GIT PULL] Security subsystem updates for 4.14 2017-09-10 4:32 ` James Morris @ 2017-09-14 21:09 ` Kees Cook -1 siblings, 0 replies; 46+ messages in thread From: Kees Cook @ 2017-09-14 21:09 UTC (permalink / raw) To: James Morris Cc: Paul Moore, Linus Torvalds, LSM List, Christoph Hellwig, Linux Kernel Mailing List, Mimi Zohar On Sat, Sep 9, 2017 at 9:32 PM, James Morris <jmorris@namei.org> wrote: > On Fri, 8 Sep 2017, Paul Moore wrote: > >> > This is also why I tend to prefer getting multiple branches for >> > independent things. > > [...] > >> >> Is it time to start sending pull request for each LSM and thing under >> security/ directly? I'm not sure I have a strong preference either >> way, I just don't want to see the SELinux changes ignored during the >> merge window. > > They won't be ignored, we just need to get this issue resolved now and > figure out how to implement multiple branches in the security tree. > > Looking at other git repos, the x86 folk have multiple branches. Yeah, the x86 approach is what inspired my tree layout. > One option for me would be to publish the trees I pull from as branches > along side mine, with 'next' being a merge of all of directly applied > patchsets and those ready for Linus to pull as one. > > So, branches in > git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security > > might be: > > next-selinux (Paul's next branch) > next-apparmor (JJ's next branch) > next-integrity (Mimi's) > next-tpm (Jarkko's) > [etc.] > > next (merge all of the above to here) > > That way, we have a coherent 'next' branch for people to develop against > and to push to Linus, but he can pull individual branches feeding into it > if something is broken in one of them. > > Does that sound useful? This is what I do with the KSPP tree (since it has a few unrelated things in it), but you run the risk of getting too fine-grain and creating dependencies between trees (e.g. adding a new hook that two LSMs implement means either they depend on each other or both depend on some third "core" tree). How separable are the patches, normally? -Kees -- Kees Cook Pixel Security ^ permalink raw reply [flat|nested] 46+ messages in thread
* [GIT PULL] Security subsystem updates for 4.14 @ 2017-09-14 21:09 ` Kees Cook 0 siblings, 0 replies; 46+ messages in thread From: Kees Cook @ 2017-09-14 21:09 UTC (permalink / raw) To: linux-security-module On Sat, Sep 9, 2017 at 9:32 PM, James Morris <jmorris@namei.org> wrote: > On Fri, 8 Sep 2017, Paul Moore wrote: > >> > This is also why I tend to prefer getting multiple branches for >> > independent things. > > [...] > >> >> Is it time to start sending pull request for each LSM and thing under >> security/ directly? I'm not sure I have a strong preference either >> way, I just don't want to see the SELinux changes ignored during the >> merge window. > > They won't be ignored, we just need to get this issue resolved now and > figure out how to implement multiple branches in the security tree. > > Looking at other git repos, the x86 folk have multiple branches. Yeah, the x86 approach is what inspired my tree layout. > One option for me would be to publish the trees I pull from as branches > along side mine, with 'next' being a merge of all of directly applied > patchsets and those ready for Linus to pull as one. > > So, branches in > git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security > > might be: > > next-selinux (Paul's next branch) > next-apparmor (JJ's next branch) > next-integrity (Mimi's) > next-tpm (Jarkko's) > [etc.] > > next (merge all of the above to here) > > That way, we have a coherent 'next' branch for people to develop against > and to push to Linus, but he can pull individual branches feeding into it > if something is broken in one of them. > > Does that sound useful? This is what I do with the KSPP tree (since it has a few unrelated things in it), but you run the risk of getting too fine-grain and creating dependencies between trees (e.g. adding a new hook that two LSMs implement means either they depend on each other or both depend on some third "core" tree). How separable are the patches, normally? -Kees -- Kees Cook Pixel Security -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 46+ messages in thread
* Re: [GIT PULL] Security subsystem updates for 4.14 2017-09-14 21:09 ` Kees Cook @ 2017-09-14 21:13 ` James Morris -1 siblings, 0 replies; 46+ messages in thread From: James Morris @ 2017-09-14 21:13 UTC (permalink / raw) To: Kees Cook Cc: Paul Moore, Linus Torvalds, LSM List, Christoph Hellwig, Linux Kernel Mailing List, Mimi Zohar On Thu, 14 Sep 2017, Kees Cook wrote: > How separable are the patches, normally? They're usually mostly separate, but may depend on some core LSM change, or similar. Casey has mentioned off-list that it is useful to have a coherent up to date security branch to work against when making core LSM changes. -- James Morris <jmorris@namei.org> ^ permalink raw reply [flat|nested] 46+ messages in thread
* [GIT PULL] Security subsystem updates for 4.14 @ 2017-09-14 21:13 ` James Morris 0 siblings, 0 replies; 46+ messages in thread From: James Morris @ 2017-09-14 21:13 UTC (permalink / raw) To: linux-security-module On Thu, 14 Sep 2017, Kees Cook wrote: > How separable are the patches, normally? They're usually mostly separate, but may depend on some core LSM change, or similar. Casey has mentioned off-list that it is useful to have a coherent up to date security branch to work against when making core LSM changes. -- James Morris <jmorris@namei.org> -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 46+ messages in thread
* Re: [GIT PULL] Security subsystem updates for 4.14 2017-09-14 21:13 ` James Morris @ 2017-09-14 21:25 ` Kees Cook -1 siblings, 0 replies; 46+ messages in thread From: Kees Cook @ 2017-09-14 21:25 UTC (permalink / raw) To: James Morris Cc: Paul Moore, Linus Torvalds, LSM List, Christoph Hellwig, Linux Kernel Mailing List, Mimi Zohar On Thu, Sep 14, 2017 at 2:13 PM, James Morris <jmorris@namei.org> wrote: > On Thu, 14 Sep 2017, Kees Cook wrote: > >> How separable are the patches, normally? > > They're usually mostly separate, but may depend on some core LSM change, > or similar. > > Casey has mentioned off-list that it is useful to have a coherent up to > date security branch to work against when making core LSM changes. Yeah, for sure. This "merge all topics" tree is what I have for KSPP (and it's what I hand to -next). -Kees -- Kees Cook Pixel Security ^ permalink raw reply [flat|nested] 46+ messages in thread
* [GIT PULL] Security subsystem updates for 4.14 @ 2017-09-14 21:25 ` Kees Cook 0 siblings, 0 replies; 46+ messages in thread From: Kees Cook @ 2017-09-14 21:25 UTC (permalink / raw) To: linux-security-module On Thu, Sep 14, 2017 at 2:13 PM, James Morris <jmorris@namei.org> wrote: > On Thu, 14 Sep 2017, Kees Cook wrote: > >> How separable are the patches, normally? > > They're usually mostly separate, but may depend on some core LSM change, > or similar. > > Casey has mentioned off-list that it is useful to have a coherent up to > date security branch to work against when making core LSM changes. Yeah, for sure. This "merge all topics" tree is what I have for KSPP (and it's what I hand to -next). -Kees -- Kees Cook Pixel Security -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 46+ messages in thread
* Re: [GIT PULL] Security subsystem updates for 4.14 2017-09-08 17:25 ` Linus Torvalds @ 2017-09-08 19:57 ` James Morris -1 siblings, 0 replies; 46+ messages in thread From: James Morris @ 2017-09-08 19:57 UTC (permalink / raw) To: Linus Torvalds Cc: Christoph Hellwig, Linux Kernel Mailing List, LSM List, Mimi Zohar On Fri, 8 Sep 2017, Linus Torvalds wrote: > Now the whole security pull will be ignored because of this thing. I > refuse to pull garbage where I notice major fundamental problems in > code that has obviously never ever been tested. If I revert the change from my my tree, will you pull it then? -- James Morris <jmorris@namei.org> ^ permalink raw reply [flat|nested] 46+ messages in thread
* [GIT PULL] Security subsystem updates for 4.14 @ 2017-09-08 19:57 ` James Morris 0 siblings, 0 replies; 46+ messages in thread From: James Morris @ 2017-09-08 19:57 UTC (permalink / raw) To: linux-security-module On Fri, 8 Sep 2017, Linus Torvalds wrote: > Now the whole security pull will be ignored because of this thing. I > refuse to pull garbage where I notice major fundamental problems in > code that has obviously never ever been tested. If I revert the change from my my tree, will you pull it then? -- James Morris <jmorris@namei.org> -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 46+ messages in thread
* Re: [GIT PULL] Security subsystem updates for 4.14 2017-09-08 19:57 ` James Morris @ 2017-09-17 7:36 ` Mimi Zohar -1 siblings, 0 replies; 46+ messages in thread From: Mimi Zohar @ 2017-09-17 7:36 UTC (permalink / raw) To: James Morris, Linus Torvalds Cc: Christoph Hellwig, Linux Kernel Mailing List, LSM List On Sat, 2017-09-09 at 05:57 +1000, James Morris wrote: > On Fri, 8 Sep 2017, Linus Torvalds wrote: > > > Now the whole security pull will be ignored because of this thing. I > > refuse to pull garbage where I notice major fundamental problems in > > code that has obviously never ever been tested. > > If I revert the change from my my tree, will you pull it then? Sigh, none of the patches, other than those included in Paul's pull request, are in 4.14-rc1. I feel really horrible! Linus, there would never have been a good time for something like this to happen, but this past week, in case you didn't realize, most of us were at the Linux Security Summit. The timing couldn't have been worse. Mimi ^ permalink raw reply [flat|nested] 46+ messages in thread
* [GIT PULL] Security subsystem updates for 4.14 @ 2017-09-17 7:36 ` Mimi Zohar 0 siblings, 0 replies; 46+ messages in thread From: Mimi Zohar @ 2017-09-17 7:36 UTC (permalink / raw) To: linux-security-module On Sat, 2017-09-09 at 05:57 +1000, James Morris wrote: > On Fri, 8 Sep 2017, Linus Torvalds wrote: > > > Now the whole security pull will be ignored because of this thing. I > > refuse to pull garbage where I notice major fundamental problems in > > code that has obviously never ever been tested. > > If I revert the change from my my tree, will you pull it then? Sigh, none of the patches, other than those included in Paul's pull request, are in 4.14-rc1. ?I feel really horrible! Linus, there would never have been a good time for something like this to happen, but this past week, in case you didn't realize, most of us were at the Linux Security Summit. ?The timing couldn't have been worse. Mimi -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 46+ messages in thread
* Re: [GIT PULL] Security subsystem updates for 4.14 2017-09-08 17:25 ` Linus Torvalds @ 2017-09-10 8:10 ` Christoph Hellwig -1 siblings, 0 replies; 46+ messages in thread From: Christoph Hellwig @ 2017-09-10 8:10 UTC (permalink / raw) To: Linus Torvalds Cc: Christoph Hellwig, James Morris, Linux Kernel Mailing List, LSM List, Mimi Zohar, Dmitry Kasatkin, 5ac7eace2d00eab5ae0e9fdee63e38aee6001f7c On Fri, Sep 08, 2017 at 10:25:53AM -0700, Linus Torvalds wrote: > I don't think anybody actually tests linux-next kernels in any big > way, and the automated tests that do get run probably don't run with > any integrity checking enabled. Well, for the atual IMA deadlock issue I asked Mimi to produce automated tests and we get started on it. I was pretty pissed about the assumptions IMA made on the fs, whch weren't documented or automatically tested - coming from the XFS background where we want all our features to run through automated tests that was just not how I'd expect thing to work. But now as part of that I messed up the other caller of it, so I shouldn't complain too loud.. That being said - I really hink the certificate loading should not even go thorught this whole call path, but use our common helper to load a file into a buffer. Something like the patch below, I'm just not sure if the last policy argument is what people want or if we'd need to add a new policy type for certificates. --- >From 3092ca95dfeff0dbd4e03ae62a51762facb15592 Mon Sep 17 00:00:00 2001 From: Christoph Hellwig <hch@lst.de> Date: Sun, 10 Sep 2017 09:49:45 +0200 Subject: security/digisig: read file using kernel_read_file_from_path This avoid using the new integrity_read file operation which requires i_rwsem already to be held, and avoids a lot of code duplication and call the proper LSM hooks. [also constifies the path argument to kernel_read_file_from_path, as the callers needs it. Should probably be split into a separate patch] Signed-off-by: Christoph Hellwig <hch@lst.de> --- fs/exec.c | 2 +- include/linux/fs.h | 2 +- security/integrity/digsig.c | 8 ++++--- security/integrity/iint.c | 49 ------------------------------------------ security/integrity/integrity.h | 2 -- 5 files changed, 7 insertions(+), 56 deletions(-) diff --git a/fs/exec.c b/fs/exec.c index 01a9fb9d8ac3..957a8ce294af 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -974,7 +974,7 @@ int kernel_read_file(struct file *file, void **buf, loff_t *size, } EXPORT_SYMBOL_GPL(kernel_read_file); -int kernel_read_file_from_path(char *path, void **buf, loff_t *size, +int kernel_read_file_from_path(const char *path, void **buf, loff_t *size, loff_t max_size, enum kernel_read_file_id id) { struct file *file; diff --git a/include/linux/fs.h b/include/linux/fs.h index 2d0e6748e46e..58855daba1eb 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -2791,7 +2791,7 @@ static inline const char *kernel_read_file_id_str(enum kernel_read_file_id id) extern int kernel_read(struct file *, loff_t, char *, unsigned long); extern int kernel_read_file(struct file *, void **, loff_t *, loff_t, enum kernel_read_file_id); -extern int kernel_read_file_from_path(char *, void **, loff_t *, loff_t, +extern int kernel_read_file_from_path(const char *, void **, loff_t *, loff_t, enum kernel_read_file_id); extern int kernel_read_file_from_fd(int, void **, loff_t *, loff_t, enum kernel_read_file_id); diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index 06554c448dce..8112cdeeee3c 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -112,13 +112,15 @@ int __init integrity_init_keyring(const unsigned int id) int __init integrity_load_x509(const unsigned int id, const char *path) { key_ref_t key; - char *data; + void *data = NULL; + loff_t size; int rc; if (!keyring[id]) return -EINVAL; - rc = integrity_read_file(path, &data); + rc = kernel_read_file_from_path(path, data, &size, + 0, READING_POLICY); if (rc < 0) return rc; @@ -139,6 +141,6 @@ int __init integrity_load_x509(const unsigned int id, const char *path) key_ref_to_ptr(key)->description, path); key_ref_put(key); } - kfree(data); + vfree(data); return 0; } diff --git a/security/integrity/iint.c b/security/integrity/iint.c index 6fc888ca468e..c84e05866052 100644 --- a/security/integrity/iint.c +++ b/security/integrity/iint.c @@ -200,55 +200,6 @@ int integrity_kernel_read(struct file *file, loff_t offset, } /* - * integrity_read_file - read entire file content into the buffer - * - * This is function opens a file, allocates the buffer of required - * size, read entire file content to the buffer and closes the file - * - * It is used only by init code. - * - */ -int __init integrity_read_file(const char *path, char **data) -{ - struct file *file; - loff_t size; - char *buf; - int rc = -EINVAL; - - if (!path || !*path) - return -EINVAL; - - file = filp_open(path, O_RDONLY, 0); - if (IS_ERR(file)) { - rc = PTR_ERR(file); - pr_err("Unable to open file: %s (%d)", path, rc); - return rc; - } - - size = i_size_read(file_inode(file)); - if (size <= 0) - goto out; - - buf = kmalloc(size, GFP_KERNEL); - if (!buf) { - rc = -ENOMEM; - goto out; - } - - rc = integrity_kernel_read(file, 0, buf, size); - if (rc == size) { - *data = buf; - } else { - kfree(buf); - if (rc >= 0) - rc = -EIO; - } -out: - fput(file); - return rc; -} - -/* * integrity_load_keys - load integrity keys hook * * Hooks is called from init/main.c:kernel_init_freeable() diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index a53e7e4ab06c..e1bf040fb110 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -120,8 +120,6 @@ struct integrity_iint_cache *integrity_iint_find(struct inode *inode); int integrity_kernel_read(struct file *file, loff_t offset, void *addr, unsigned long count); -int __init integrity_read_file(const char *path, char **data); - #define INTEGRITY_KEYRING_EVM 0 #define INTEGRITY_KEYRING_IMA 1 #define INTEGRITY_KEYRING_MODULE 2 -- 2.11.0 ^ permalink raw reply related [flat|nested] 46+ messages in thread
* [GIT PULL] Security subsystem updates for 4.14 @ 2017-09-10 8:10 ` Christoph Hellwig 0 siblings, 0 replies; 46+ messages in thread From: Christoph Hellwig @ 2017-09-10 8:10 UTC (permalink / raw) To: linux-security-module On Fri, Sep 08, 2017 at 10:25:53AM -0700, Linus Torvalds wrote: > I don't think anybody actually tests linux-next kernels in any big > way, and the automated tests that do get run probably don't run with > any integrity checking enabled. Well, for the atual IMA deadlock issue I asked Mimi to produce automated tests and we get started on it. I was pretty pissed about the assumptions IMA made on the fs, whch weren't documented or automatically tested - coming from the XFS background where we want all our features to run through automated tests that was just not how I'd expect thing to work. But now as part of that I messed up the other caller of it, so I shouldn't complain too loud.. That being said - I really hink the certificate loading should not even go thorught this whole call path, but use our common helper to load a file into a buffer. Something like the patch below, I'm just not sure if the last policy argument is what people want or if we'd need to add a new policy type for certificates. --- >From 3092ca95dfeff0dbd4e03ae62a51762facb15592 Mon Sep 17 00:00:00 2001 From: Christoph Hellwig <hch@lst.de> Date: Sun, 10 Sep 2017 09:49:45 +0200 Subject: security/digisig: read file using kernel_read_file_from_path This avoid using the new integrity_read file operation which requires i_rwsem already to be held, and avoids a lot of code duplication and call the proper LSM hooks. [also constifies the path argument to kernel_read_file_from_path, as the callers needs it. Should probably be split into a separate patch] Signed-off-by: Christoph Hellwig <hch@lst.de> --- fs/exec.c | 2 +- include/linux/fs.h | 2 +- security/integrity/digsig.c | 8 ++++--- security/integrity/iint.c | 49 ------------------------------------------ security/integrity/integrity.h | 2 -- 5 files changed, 7 insertions(+), 56 deletions(-) diff --git a/fs/exec.c b/fs/exec.c index 01a9fb9d8ac3..957a8ce294af 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -974,7 +974,7 @@ int kernel_read_file(struct file *file, void **buf, loff_t *size, } EXPORT_SYMBOL_GPL(kernel_read_file); -int kernel_read_file_from_path(char *path, void **buf, loff_t *size, +int kernel_read_file_from_path(const char *path, void **buf, loff_t *size, loff_t max_size, enum kernel_read_file_id id) { struct file *file; diff --git a/include/linux/fs.h b/include/linux/fs.h index 2d0e6748e46e..58855daba1eb 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -2791,7 +2791,7 @@ static inline const char *kernel_read_file_id_str(enum kernel_read_file_id id) extern int kernel_read(struct file *, loff_t, char *, unsigned long); extern int kernel_read_file(struct file *, void **, loff_t *, loff_t, enum kernel_read_file_id); -extern int kernel_read_file_from_path(char *, void **, loff_t *, loff_t, +extern int kernel_read_file_from_path(const char *, void **, loff_t *, loff_t, enum kernel_read_file_id); extern int kernel_read_file_from_fd(int, void **, loff_t *, loff_t, enum kernel_read_file_id); diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index 06554c448dce..8112cdeeee3c 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -112,13 +112,15 @@ int __init integrity_init_keyring(const unsigned int id) int __init integrity_load_x509(const unsigned int id, const char *path) { key_ref_t key; - char *data; + void *data = NULL; + loff_t size; int rc; if (!keyring[id]) return -EINVAL; - rc = integrity_read_file(path, &data); + rc = kernel_read_file_from_path(path, data, &size, + 0, READING_POLICY); if (rc < 0) return rc; @@ -139,6 +141,6 @@ int __init integrity_load_x509(const unsigned int id, const char *path) key_ref_to_ptr(key)->description, path); key_ref_put(key); } - kfree(data); + vfree(data); return 0; } diff --git a/security/integrity/iint.c b/security/integrity/iint.c index 6fc888ca468e..c84e05866052 100644 --- a/security/integrity/iint.c +++ b/security/integrity/iint.c @@ -200,55 +200,6 @@ int integrity_kernel_read(struct file *file, loff_t offset, } /* - * integrity_read_file - read entire file content into the buffer - * - * This is function opens a file, allocates the buffer of required - * size, read entire file content to the buffer and closes the file - * - * It is used only by init code. - * - */ -int __init integrity_read_file(const char *path, char **data) -{ - struct file *file; - loff_t size; - char *buf; - int rc = -EINVAL; - - if (!path || !*path) - return -EINVAL; - - file = filp_open(path, O_RDONLY, 0); - if (IS_ERR(file)) { - rc = PTR_ERR(file); - pr_err("Unable to open file: %s (%d)", path, rc); - return rc; - } - - size = i_size_read(file_inode(file)); - if (size <= 0) - goto out; - - buf = kmalloc(size, GFP_KERNEL); - if (!buf) { - rc = -ENOMEM; - goto out; - } - - rc = integrity_kernel_read(file, 0, buf, size); - if (rc == size) { - *data = buf; - } else { - kfree(buf); - if (rc >= 0) - rc = -EIO; - } -out: - fput(file); - return rc; -} - -/* * integrity_load_keys - load integrity keys hook * * Hooks is called from init/main.c:kernel_init_freeable() diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index a53e7e4ab06c..e1bf040fb110 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -120,8 +120,6 @@ struct integrity_iint_cache *integrity_iint_find(struct inode *inode); int integrity_kernel_read(struct file *file, loff_t offset, void *addr, unsigned long count); -int __init integrity_read_file(const char *path, char **data); - #define INTEGRITY_KEYRING_EVM 0 #define INTEGRITY_KEYRING_IMA 1 #define INTEGRITY_KEYRING_MODULE 2 -- 2.11.0 -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply related [flat|nested] 46+ messages in thread
* Re: [GIT PULL] Security subsystem updates for 4.14 2017-09-10 8:10 ` Christoph Hellwig @ 2017-09-10 14:02 ` Mimi Zohar -1 siblings, 0 replies; 46+ messages in thread From: Mimi Zohar @ 2017-09-10 14:02 UTC (permalink / raw) To: Christoph Hellwig, Linus Torvalds Cc: James Morris, Linux Kernel Mailing List, LSM List, Dmitry Kasatkin, 5ac7eace2d00eab5ae0e9fdee63e38aee6001f7c On Sun, 2017-09-10 at 01:10 -0700, Christoph Hellwig wrote: > On Fri, Sep 08, 2017 at 10:25:53AM -0700, Linus Torvalds wrote: > > I don't think anybody actually tests linux-next kernels in any big > > way, and the automated tests that do get run probably don't run with > > any integrity checking enabled. > > Well, for the atual IMA deadlock issue I asked Mimi to produce automated > tests and we get started on it. I was pretty pissed about the > assumptions IMA made on the fs, whch weren't documented or automatically > tested - coming from the XFS background where we want all our features > to run through automated tests that was just not how I'd expect thing > to work. > > But now as part of that I messed up the other caller of it, so I > shouldn't complain too loud.. > > That being said - I really hink the certificate loading should not > even go thorught this whole call path, but use our common helper to > load a file into a buffer. Something like the patch below, I'm just > not sure if the last policy argument is what people want or if we'd need > to add a new policy type for certificates. We need to differentiate between policies and x509 certificates. In the policy case, they need to be signed and appraised, while in the x509 certificate case, the certificate itself is signed so the file doesn't need to be signed or verified. > > --- > From 3092ca95dfeff0dbd4e03ae62a51762facb15592 Mon Sep 17 00:00:00 2001 > From: Christoph Hellwig <hch@lst.de> > Date: Sun, 10 Sep 2017 09:49:45 +0200 > Subject: security/digisig: read file using kernel_read_file_from_path > > This avoid using the new integrity_read file operation which requires > i_rwsem already to be held, and avoids a lot of code duplication and > call the proper LSM hooks. > > [also constifies the path argument to kernel_read_file_from_path, > as the callers needs it. Should probably be split into a separate patch] > > Signed-off-by: Christoph Hellwig <hch@lst.de> > --- > fs/exec.c | 2 +- > include/linux/fs.h | 2 +- > security/integrity/digsig.c | 8 ++++--- > security/integrity/iint.c | 49 ------------------------------------------ > security/integrity/integrity.h | 2 -- > 5 files changed, 7 insertions(+), 56 deletions(-) > > diff --git a/fs/exec.c b/fs/exec.c > index 01a9fb9d8ac3..957a8ce294af 100644 > --- a/fs/exec.c > +++ b/fs/exec.c > @@ -974,7 +974,7 @@ int kernel_read_file(struct file *file, void **buf, loff_t *size, > } > EXPORT_SYMBOL_GPL(kernel_read_file); > > -int kernel_read_file_from_path(char *path, void **buf, loff_t *size, > +int kernel_read_file_from_path(const char *path, void **buf, loff_t *size, > loff_t max_size, enum kernel_read_file_id id) > { > struct file *file; > diff --git a/include/linux/fs.h b/include/linux/fs.h > index 2d0e6748e46e..58855daba1eb 100644 > --- a/include/linux/fs.h > +++ b/include/linux/fs.h > @@ -2791,7 +2791,7 @@ static inline const char *kernel_read_file_id_str(enum kernel_read_file_id id) > extern int kernel_read(struct file *, loff_t, char *, unsigned long); > extern int kernel_read_file(struct file *, void **, loff_t *, loff_t, > enum kernel_read_file_id); > -extern int kernel_read_file_from_path(char *, void **, loff_t *, loff_t, > +extern int kernel_read_file_from_path(const char *, void **, loff_t *, loff_t, > enum kernel_read_file_id); > extern int kernel_read_file_from_fd(int, void **, loff_t *, loff_t, > enum kernel_read_file_id); > diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c > index 06554c448dce..8112cdeeee3c 100644 > --- a/security/integrity/digsig.c > +++ b/security/integrity/digsig.c > @@ -112,13 +112,15 @@ int __init integrity_init_keyring(const unsigned int id) > int __init integrity_load_x509(const unsigned int id, const char *path) > { > key_ref_t key; > - char *data; > + void *data = NULL; > + loff_t size; > int rc; > > if (!keyring[id]) > return -EINVAL; > > - rc = integrity_read_file(path, &data); > + rc = kernel_read_file_from_path(path, data, &size, > + 0, READING_POLICY); READING_X509_CERT? > if (rc < 0) > return rc; > > @@ -139,6 +141,6 @@ int __init integrity_load_x509(const unsigned int id, const char *path) > key_ref_to_ptr(key)->description, path); > key_ref_put(key); > } > - kfree(data); > + vfree(data); > return 0; > } > diff --git a/security/integrity/iint.c b/security/integrity/iint.c > index 6fc888ca468e..c84e05866052 100644 > --- a/security/integrity/iint.c > +++ b/security/integrity/iint.c > @@ -200,55 +200,6 @@ int integrity_kernel_read(struct file *file, loff_t offset, > } > > /* > - * integrity_read_file - read entire file content into the buffer > - * > - * This is function opens a file, allocates the buffer of required > - * size, read entire file content to the buffer and closes the file > - * > - * It is used only by init code. > - * > - */ > -int __init integrity_read_file(const char *path, char **data) > -{ > - struct file *file; > - loff_t size; > - char *buf; > - int rc = -EINVAL; > - > - if (!path || !*path) > - return -EINVAL; > - > - file = filp_open(path, O_RDONLY, 0); > - if (IS_ERR(file)) { > - rc = PTR_ERR(file); > - pr_err("Unable to open file: %s (%d)", path, rc); > - return rc; > - } > - > - size = i_size_read(file_inode(file)); > - if (size <= 0) > - goto out; > - > - buf = kmalloc(size, GFP_KERNEL); > - if (!buf) { > - rc = -ENOMEM; > - goto out; > - } > - > - rc = integrity_kernel_read(file, 0, buf, size); > - if (rc == size) { > - *data = buf; > - } else { > - kfree(buf); > - if (rc >= 0) > - rc = -EIO; > - } > -out: > - fput(file); > - return rc; > -} > - > -/* > * integrity_load_keys - load integrity keys hook > * > * Hooks is called from init/main.c:kernel_init_freeable() > diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h > index a53e7e4ab06c..e1bf040fb110 100644 > --- a/security/integrity/integrity.h > +++ b/security/integrity/integrity.h > @@ -120,8 +120,6 @@ struct integrity_iint_cache *integrity_iint_find(struct inode *inode); > int integrity_kernel_read(struct file *file, loff_t offset, > void *addr, unsigned long count); > > -int __init integrity_read_file(const char *path, char **data); > - > #define INTEGRITY_KEYRING_EVM 0 > #define INTEGRITY_KEYRING_IMA 1 > #define INTEGRITY_KEYRING_MODULE 2 ^ permalink raw reply [flat|nested] 46+ messages in thread
* [GIT PULL] Security subsystem updates for 4.14 @ 2017-09-10 14:02 ` Mimi Zohar 0 siblings, 0 replies; 46+ messages in thread From: Mimi Zohar @ 2017-09-10 14:02 UTC (permalink / raw) To: linux-security-module On Sun, 2017-09-10 at 01:10 -0700, Christoph Hellwig wrote: > On Fri, Sep 08, 2017 at 10:25:53AM -0700, Linus Torvalds wrote: > > I don't think anybody actually tests linux-next kernels in any big > > way, and the automated tests that do get run probably don't run with > > any integrity checking enabled. > > Well, for the atual IMA deadlock issue I asked Mimi to produce automated > tests and we get started on it. I was pretty pissed about the > assumptions IMA made on the fs, whch weren't documented or automatically > tested - coming from the XFS background where we want all our features > to run through automated tests that was just not how I'd expect thing > to work. > > But now as part of that I messed up the other caller of it, so I > shouldn't complain too loud.. > > That being said - I really hink the certificate loading should not > even go thorught this whole call path, but use our common helper to > load a file into a buffer. Something like the patch below, I'm just > not sure if the last policy argument is what people want or if we'd need > to add a new policy type for certificates. We need to differentiate between policies and x509 certificates. ?In the policy case, they need to be signed and appraised, while in the x509 certificate case, the certificate itself is signed so the file doesn't need to be signed or verified. > > --- > From 3092ca95dfeff0dbd4e03ae62a51762facb15592 Mon Sep 17 00:00:00 2001 > From: Christoph Hellwig <hch@lst.de> > Date: Sun, 10 Sep 2017 09:49:45 +0200 > Subject: security/digisig: read file using kernel_read_file_from_path > > This avoid using the new integrity_read file operation which requires > i_rwsem already to be held, and avoids a lot of code duplication and > call the proper LSM hooks. > > [also constifies the path argument to kernel_read_file_from_path, > as the callers needs it. Should probably be split into a separate patch] > > Signed-off-by: Christoph Hellwig <hch@lst.de> > --- > fs/exec.c | 2 +- > include/linux/fs.h | 2 +- > security/integrity/digsig.c | 8 ++++--- > security/integrity/iint.c | 49 ------------------------------------------ > security/integrity/integrity.h | 2 -- > 5 files changed, 7 insertions(+), 56 deletions(-) > > diff --git a/fs/exec.c b/fs/exec.c > index 01a9fb9d8ac3..957a8ce294af 100644 > --- a/fs/exec.c > +++ b/fs/exec.c > @@ -974,7 +974,7 @@ int kernel_read_file(struct file *file, void **buf, loff_t *size, > } > EXPORT_SYMBOL_GPL(kernel_read_file); > > -int kernel_read_file_from_path(char *path, void **buf, loff_t *size, > +int kernel_read_file_from_path(const char *path, void **buf, loff_t *size, > loff_t max_size, enum kernel_read_file_id id) > { > struct file *file; > diff --git a/include/linux/fs.h b/include/linux/fs.h > index 2d0e6748e46e..58855daba1eb 100644 > --- a/include/linux/fs.h > +++ b/include/linux/fs.h > @@ -2791,7 +2791,7 @@ static inline const char *kernel_read_file_id_str(enum kernel_read_file_id id) > extern int kernel_read(struct file *, loff_t, char *, unsigned long); > extern int kernel_read_file(struct file *, void **, loff_t *, loff_t, > enum kernel_read_file_id); > -extern int kernel_read_file_from_path(char *, void **, loff_t *, loff_t, > +extern int kernel_read_file_from_path(const char *, void **, loff_t *, loff_t, > enum kernel_read_file_id); > extern int kernel_read_file_from_fd(int, void **, loff_t *, loff_t, > enum kernel_read_file_id); > diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c > index 06554c448dce..8112cdeeee3c 100644 > --- a/security/integrity/digsig.c > +++ b/security/integrity/digsig.c > @@ -112,13 +112,15 @@ int __init integrity_init_keyring(const unsigned int id) > int __init integrity_load_x509(const unsigned int id, const char *path) > { > key_ref_t key; > - char *data; > + void *data = NULL; > + loff_t size; > int rc; > > if (!keyring[id]) > return -EINVAL; > > - rc = integrity_read_file(path, &data); > + rc = kernel_read_file_from_path(path, data, &size, > + 0, READING_POLICY); READING_X509_CERT? > if (rc < 0) > return rc; > > @@ -139,6 +141,6 @@ int __init integrity_load_x509(const unsigned int id, const char *path) > key_ref_to_ptr(key)->description, path); > key_ref_put(key); > } > - kfree(data); > + vfree(data); > return 0; > } > diff --git a/security/integrity/iint.c b/security/integrity/iint.c > index 6fc888ca468e..c84e05866052 100644 > --- a/security/integrity/iint.c > +++ b/security/integrity/iint.c > @@ -200,55 +200,6 @@ int integrity_kernel_read(struct file *file, loff_t offset, > } > > /* > - * integrity_read_file - read entire file content into the buffer > - * > - * This is function opens a file, allocates the buffer of required > - * size, read entire file content to the buffer and closes the file > - * > - * It is used only by init code. > - * > - */ > -int __init integrity_read_file(const char *path, char **data) > -{ > - struct file *file; > - loff_t size; > - char *buf; > - int rc = -EINVAL; > - > - if (!path || !*path) > - return -EINVAL; > - > - file = filp_open(path, O_RDONLY, 0); > - if (IS_ERR(file)) { > - rc = PTR_ERR(file); > - pr_err("Unable to open file: %s (%d)", path, rc); > - return rc; > - } > - > - size = i_size_read(file_inode(file)); > - if (size <= 0) > - goto out; > - > - buf = kmalloc(size, GFP_KERNEL); > - if (!buf) { > - rc = -ENOMEM; > - goto out; > - } > - > - rc = integrity_kernel_read(file, 0, buf, size); > - if (rc == size) { > - *data = buf; > - } else { > - kfree(buf); > - if (rc >= 0) > - rc = -EIO; > - } > -out: > - fput(file); > - return rc; > -} > - > -/* > * integrity_load_keys - load integrity keys hook > * > * Hooks is called from init/main.c:kernel_init_freeable() > diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h > index a53e7e4ab06c..e1bf040fb110 100644 > --- a/security/integrity/integrity.h > +++ b/security/integrity/integrity.h > @@ -120,8 +120,6 @@ struct integrity_iint_cache *integrity_iint_find(struct inode *inode); > int integrity_kernel_read(struct file *file, loff_t offset, > void *addr, unsigned long count); > > -int __init integrity_read_file(const char *path, char **data); > - > #define INTEGRITY_KEYRING_EVM 0 > #define INTEGRITY_KEYRING_IMA 1 > #define INTEGRITY_KEYRING_MODULE 2 -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 46+ messages in thread
* Re: [GIT PULL] Security subsystem updates for 4.14 2017-09-10 14:02 ` Mimi Zohar @ 2017-09-11 6:38 ` Christoph Hellwig -1 siblings, 0 replies; 46+ messages in thread From: Christoph Hellwig @ 2017-09-11 6:38 UTC (permalink / raw) To: Mimi Zohar Cc: Christoph Hellwig, Linus Torvalds, James Morris, Linux Kernel Mailing List, LSM List, Dmitry Kasatkin, 5ac7eace2d00eab5ae0e9fdee63e38aee6001f7c On Sun, Sep 10, 2017 at 10:02:42AM -0400, Mimi Zohar wrote: > We need to differentiate between policies and x509 certificates. In > the policy case, they need to be signed and appraised, while in the > x509 certificate case, the certificate itself is signed so the file > doesn't need to be signed or verified. How about you take this sketch over - I don't know much about the integrity code, and it seems like you actually wrote kernel_read_file_from_path as well - so you're at least 3 times as qualified as I am in this area.. ^ permalink raw reply [flat|nested] 46+ messages in thread
* [GIT PULL] Security subsystem updates for 4.14 @ 2017-09-11 6:38 ` Christoph Hellwig 0 siblings, 0 replies; 46+ messages in thread From: Christoph Hellwig @ 2017-09-11 6:38 UTC (permalink / raw) To: linux-security-module On Sun, Sep 10, 2017 at 10:02:42AM -0400, Mimi Zohar wrote: > We need to differentiate between policies and x509 certificates. ?In > the policy case, they need to be signed and appraised, while in the > x509 certificate case, the certificate itself is signed so the file > doesn't need to be signed or verified. How about you take this sketch over - I don't know much about the integrity code, and it seems like you actually wrote kernel_read_file_from_path as well - so you're at least 3 times as qualified as I am in this area.. -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 46+ messages in thread
* Re: [GIT PULL] Security subsystem updates for 4.14 2017-09-11 6:38 ` Christoph Hellwig @ 2017-09-11 21:34 ` Mimi Zohar -1 siblings, 0 replies; 46+ messages in thread From: Mimi Zohar @ 2017-09-11 21:34 UTC (permalink / raw) To: Christoph Hellwig Cc: Linus Torvalds, James Morris, Linux Kernel Mailing List, LSM List, Dmitry Kasatkin, 5ac7eace2d00eab5ae0e9fdee63e38aee6001f7c On Sun, 2017-09-10 at 23:38 -0700, Christoph Hellwig wrote: > On Sun, Sep 10, 2017 at 10:02:42AM -0400, Mimi Zohar wrote: > > We need to differentiate between policies and x509 certificates. In > > the policy case, they need to be signed and appraised, while in the > > x509 certificate case, the certificate itself is signed so the file > > doesn't need to be signed or verified. > > How about you take this sketch over - I don't know much about the > integrity code, and it seems like you actually wrote > kernel_read_file_from_path as well - so you're at least 3 times as > qualified as I am in this area.. Sure, it's been on my to do list. Mimi ^ permalink raw reply [flat|nested] 46+ messages in thread
* [GIT PULL] Security subsystem updates for 4.14 @ 2017-09-11 21:34 ` Mimi Zohar 0 siblings, 0 replies; 46+ messages in thread From: Mimi Zohar @ 2017-09-11 21:34 UTC (permalink / raw) To: linux-security-module On Sun, 2017-09-10 at 23:38 -0700, Christoph Hellwig wrote: > On Sun, Sep 10, 2017 at 10:02:42AM -0400, Mimi Zohar wrote: > > We need to differentiate between policies and x509 certificates. ?In > > the policy case, they need to be signed and appraised, while in the > > x509 certificate case, the certificate itself is signed so the file > > doesn't need to be signed or verified. > > How about you take this sketch over - I don't know much about the > integrity code, and it seems like you actually wrote > kernel_read_file_from_path as well - so you're at least 3 times as > qualified as I am in this area.. Sure, it's been on my to do list. Mimi -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 46+ messages in thread
* Re: [GIT PULL] Security subsystem updates for 4.14 2017-09-08 4:48 ` James Morris @ 2017-09-08 22:38 ` Theodore Ts'o -1 siblings, 0 replies; 46+ messages in thread From: Theodore Ts'o @ 2017-09-08 22:38 UTC (permalink / raw) To: James Morris Cc: Linus Torvalds, Linux Kernel Mailing List, LSM List, Mimi Zohar, Christoph Hellwig On Fri, Sep 08, 2017 at 02:48:51PM +1000, James Morris wrote: > > Mimi and Christoph worked together on this over several iterations -- I'll > let them respond. Mimi --- we should chat next week in LA. I've been working on a design internally at work which proposes a generic VFS-layer library (ala how fscrypt in fs/crypto works) which provides data integrity using per-file Merkle trees. The goals of this design: * Simplicity; for ease in security review and upstream review and acceptance * Useful for multiple use cases. It is *not* Android/APK specific, and indeed can be used for other things * A better way of providing Linux IMA/EVM support for immutable files by moving the verification from time-of-open to time-of-readpage. (This significantly reduces the performance impact, since we don't need to lock down the file while the kernel needs to run SHA1 on potentially gigabytes worth of file data.) * Most use cases for file-level checksums are for files that don’t change over time (e.g., for Video, Audio, Backup files, etc.) This allows us to provide a cheap and efficient way to provide checksum protect against storage-level corruption fairly easily. So by supporting both SHA and CRC-32, we can make this feature useful for more than just the security heads. :-) * Like the encryption/fscrypt feature, most of the code to this feature can be in a VFS-level library, with minimal hooks needed to those file systems (ext4, f2fs) that wish to provide this functionality. - Ted ^ permalink raw reply [flat|nested] 46+ messages in thread
* [GIT PULL] Security subsystem updates for 4.14 @ 2017-09-08 22:38 ` Theodore Ts'o 0 siblings, 0 replies; 46+ messages in thread From: Theodore Ts'o @ 2017-09-08 22:38 UTC (permalink / raw) To: linux-security-module On Fri, Sep 08, 2017 at 02:48:51PM +1000, James Morris wrote: > > Mimi and Christoph worked together on this over several iterations -- I'll > let them respond. Mimi --- we should chat next week in LA. I've been working on a design internally at work which proposes a generic VFS-layer library (ala how fscrypt in fs/crypto works) which provides data integrity using per-file Merkle trees. The goals of this design: * Simplicity; for ease in security review and upstream review and acceptance * Useful for multiple use cases. It is *not* Android/APK specific, and indeed can be used for other things * A better way of providing Linux IMA/EVM support for immutable files by moving the verification from time-of-open to time-of-readpage. (This significantly reduces the performance impact, since we don't need to lock down the file while the kernel needs to run SHA1 on potentially gigabytes worth of file data.) * Most use cases for file-level checksums are for files that don?t change over time (e.g., for Video, Audio, Backup files, etc.) This allows us to provide a cheap and efficient way to provide checksum protect against storage-level corruption fairly easily. So by supporting both SHA and CRC-32, we can make this feature useful for more than just the security heads. :-) * Like the encryption/fscrypt feature, most of the code to this feature can be in a VFS-level library, with minimal hooks needed to those file systems (ext4, f2fs) that wish to provide this functionality. - Ted -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 46+ messages in thread
* Re: [GIT PULL] Security subsystem updates for 4.14 2017-09-08 22:38 ` Theodore Ts'o @ 2017-09-10 2:08 ` James Morris -1 siblings, 0 replies; 46+ messages in thread From: James Morris @ 2017-09-10 2:08 UTC (permalink / raw) To: Theodore Ts'o Cc: Linus Torvalds, Linux Kernel Mailing List, LSM List, Mimi Zohar, Christoph Hellwig On Fri, 8 Sep 2017, Theodore Ts'o wrote: > On Fri, Sep 08, 2017 at 02:48:51PM +1000, James Morris wrote: > > > > Mimi and Christoph worked together on this over several iterations -- I'll > > let them respond. > > Mimi --- we should chat next week in LA. I've been working on a > design internally at work which proposes a generic VFS-layer library > (ala how fscrypt in fs/crypto works) which provides data integrity > using per-file Merkle trees. It's possible we could add a BoF at LSS on the Thursday (from 5:45pm), or even Friday afternoon: http://events.linuxfoundation.org/events/linux-security-summit/program/schedule Let me know if you want to schedule something. -- James Morris <jmorris@namei.org> ^ permalink raw reply [flat|nested] 46+ messages in thread
* [GIT PULL] Security subsystem updates for 4.14 @ 2017-09-10 2:08 ` James Morris 0 siblings, 0 replies; 46+ messages in thread From: James Morris @ 2017-09-10 2:08 UTC (permalink / raw) To: linux-security-module On Fri, 8 Sep 2017, Theodore Ts'o wrote: > On Fri, Sep 08, 2017 at 02:48:51PM +1000, James Morris wrote: > > > > Mimi and Christoph worked together on this over several iterations -- I'll > > let them respond. > > Mimi --- we should chat next week in LA. I've been working on a > design internally at work which proposes a generic VFS-layer library > (ala how fscrypt in fs/crypto works) which provides data integrity > using per-file Merkle trees. It's possible we could add a BoF at LSS on the Thursday (from 5:45pm), or even Friday afternoon: http://events.linuxfoundation.org/events/linux-security-summit/program/schedule Let me know if you want to schedule something. -- James Morris <jmorris@namei.org> -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 46+ messages in thread
* Re: [GIT PULL] Security subsystem updates for 4.14 2017-09-08 22:38 ` Theodore Ts'o @ 2017-09-10 7:13 ` Mimi Zohar -1 siblings, 0 replies; 46+ messages in thread From: Mimi Zohar @ 2017-09-10 7:13 UTC (permalink / raw) To: Theodore Ts'o, James Morris Cc: Linus Torvalds, Linux Kernel Mailing List, LSM List, Christoph Hellwig On Fri, 2017-09-08 at 18:38 -0400, Theodore Ts'o wrote: > On Fri, Sep 08, 2017 at 02:48:51PM +1000, James Morris wrote: > > > > Mimi and Christoph worked together on this over several iterations -- I'll > > let them respond. > > Mimi --- we should chat next week in LA. I've been working on a > design internally at work which proposes a generic VFS-layer library > (ala how fscrypt in fs/crypto works) which provides data integrity > using per-file Merkle trees. > > The goals of this design: > > * Simplicity; for ease in security review and upstream review and > acceptance > * Useful for multiple use cases. It is *not* Android/APK specific, > and indeed can be used for other things > * A better way of providing Linux IMA/EVM support for immutable > files by moving the verification from time-of-open to > time-of-readpage. (This significantly reduces the performance > impact, since we don't need to lock down the file while the kernel > needs to run SHA1 on potentially gigabytes worth of file data.) > * Most use cases for file-level checksums are for files that > don’t change over time (e.g., for Video, Audio, Backup files, > etc.) This allows us to provide a cheap and efficient way to > provide checksum protect against storage-level corruption > fairly easily. So by supporting both SHA and CRC-32, we can > make this feature useful for more than just the security heads. :-) > * Like the encryption/fscrypt feature, most of the code to this > feature can be in a VFS-level library, with minimal hooks needed > to those file systems (ext4, f2fs) that wish to provide this > functionality. >From a file integrity perspective this would be interesting, but that only addresses IMA-appraisal, not IMA-integrity or IMA-audit. We would still need to calculate the file hash to be included in the measurement list and used for auditing. Have you done any work on protecting the directory information itself (eg. file names) using Merkle trees? Mimi ^ permalink raw reply [flat|nested] 46+ messages in thread
* [GIT PULL] Security subsystem updates for 4.14 @ 2017-09-10 7:13 ` Mimi Zohar 0 siblings, 0 replies; 46+ messages in thread From: Mimi Zohar @ 2017-09-10 7:13 UTC (permalink / raw) To: linux-security-module On Fri, 2017-09-08 at 18:38 -0400, Theodore Ts'o wrote: > On Fri, Sep 08, 2017 at 02:48:51PM +1000, James Morris wrote: > > > > Mimi and Christoph worked together on this over several iterations -- I'll > > let them respond. > > Mimi --- we should chat next week in LA. I've been working on a > design internally at work which proposes a generic VFS-layer library > (ala how fscrypt in fs/crypto works) which provides data integrity > using per-file Merkle trees. > > The goals of this design: > > * Simplicity; for ease in security review and upstream review and > acceptance > * Useful for multiple use cases. It is *not* Android/APK specific, > and indeed can be used for other things > * A better way of providing Linux IMA/EVM support for immutable > files by moving the verification from time-of-open to > time-of-readpage. (This significantly reduces the performance > impact, since we don't need to lock down the file while the kernel > needs to run SHA1 on potentially gigabytes worth of file data.) > * Most use cases for file-level checksums are for files that > don?t change over time (e.g., for Video, Audio, Backup files, > etc.) This allows us to provide a cheap and efficient way to > provide checksum protect against storage-level corruption > fairly easily. So by supporting both SHA and CRC-32, we can > make this feature useful for more than just the security heads. :-) > * Like the encryption/fscrypt feature, most of the code to this > feature can be in a VFS-level library, with minimal hooks needed > to those file systems (ext4, f2fs) that wish to provide this > functionality. >From a file integrity perspective this would be interesting, but that only addresses IMA-appraisal, not IMA-integrity or IMA-audit. ?We would still need to calculate the file hash to be included in the measurement list and used for auditing. Have you done any work on protecting the directory information itself (eg. file names) using Merkle trees? Mimi -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 46+ messages in thread
* Re: [GIT PULL] Security subsystem updates for 4.14 2017-09-10 7:13 ` Mimi Zohar @ 2017-09-10 12:17 ` Theodore Ts'o -1 siblings, 0 replies; 46+ messages in thread From: Theodore Ts'o @ 2017-09-10 12:17 UTC (permalink / raw) To: Mimi Zohar Cc: James Morris, Linus Torvalds, Linux Kernel Mailing List, LSM List, Christoph Hellwig On Sun, Sep 10, 2017 at 03:13:23AM -0400, Mimi Zohar wrote: > > From a file integrity perspective this would be interesting, but that > only addresses IMA-appraisal, not IMA-integrity or IMA-audit. We > would still need to calculate the file hash to be included in the > measurement list and used for auditing. > > Have you done any work on protecting the directory information itself > (eg. file names) using Merkle trees? I have not, because the problem that I was trying to address was primarily concerned with immutable files. I did do some brainstorming about adding the filename into the data integrity header to prevent someone who had direct access to the flash exchanging the inode numbers for "rm" and "ls", such that if you had a policy which required that all ELF executables be signed, that a trickster couldn't cause the user to run "rm" when they meant to run, say, "ls", just for the lulz. :-) But that would break various symlink or hardlinks that are legitimately present (e.g., /sbin/mkfs.ext[234] being a link to /sbin/mke2fs), and if the adversary can carry out a chip-off attack against your root file system, (a) it's not clear how much this would help, and (b) this is really what dm-verity is for. The main security problem I was looking at is one where the system image is already protected using dm-verity, but you might have (for example) some APK files which are downloaded once and stored in some shared-user directory hierarchy (so file-based encryption can't even provide pretend integrity protection), integrity checked at download time, and never checked again. Adding some kind of per-file Merkle tree might be useful in that particular use case. Cheers, - Ted ^ permalink raw reply [flat|nested] 46+ messages in thread
* [GIT PULL] Security subsystem updates for 4.14 @ 2017-09-10 12:17 ` Theodore Ts'o 0 siblings, 0 replies; 46+ messages in thread From: Theodore Ts'o @ 2017-09-10 12:17 UTC (permalink / raw) To: linux-security-module On Sun, Sep 10, 2017 at 03:13:23AM -0400, Mimi Zohar wrote: > > From a file integrity perspective this would be interesting, but that > only addresses IMA-appraisal, not IMA-integrity or IMA-audit. ?We > would still need to calculate the file hash to be included in the > measurement list and used for auditing. > > Have you done any work on protecting the directory information itself > (eg. file names) using Merkle trees? I have not, because the problem that I was trying to address was primarily concerned with immutable files. I did do some brainstorming about adding the filename into the data integrity header to prevent someone who had direct access to the flash exchanging the inode numbers for "rm" and "ls", such that if you had a policy which required that all ELF executables be signed, that a trickster couldn't cause the user to run "rm" when they meant to run, say, "ls", just for the lulz. :-) But that would break various symlink or hardlinks that are legitimately present (e.g., /sbin/mkfs.ext[234] being a link to /sbin/mke2fs), and if the adversary can carry out a chip-off attack against your root file system, (a) it's not clear how much this would help, and (b) this is really what dm-verity is for. The main security problem I was looking at is one where the system image is already protected using dm-verity, but you might have (for example) some APK files which are downloaded once and stored in some shared-user directory hierarchy (so file-based encryption can't even provide pretend integrity protection), integrity checked at download time, and never checked again. Adding some kind of per-file Merkle tree might be useful in that particular use case. Cheers, - Ted -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 46+ messages in thread
* Re: [GIT PULL] Security subsystem updates for 4.14 2017-09-07 18:19 ` Linus Torvalds @ 2017-09-10 6:46 ` Mimi Zohar -1 siblings, 0 replies; 46+ messages in thread From: Mimi Zohar @ 2017-09-10 6:46 UTC (permalink / raw) To: Linus Torvalds, James Morris; +Cc: Linux Kernel Mailing List, LSM List On Thu, 2017-09-07 at 11:19 -0700, Linus Torvalds wrote: > On Mon, Sep 4, 2017 at 3:29 AM, James Morris <jmorris@namei.org> wrote: > > > > IMA: > > - A new integrity_read file operation method, avoids races when > > calculating file hashes > > Honestly, this seems really odd. > > It documents that it needs to be called with i_rwsem held exclusively, > and even has a lockdep assert to that effect (well, not really: the > code claims "exclusive", but the lockdep assert does not), but I'm not > actually seeing anybody doing it. > > Quite the reverse, I just see integrity_read_file() doing filp_open() > on the pathname and passing it to integrity_kernel_read() with no > locking. > > It really looks like just pure garbage to me. I pulled, and I'm not > unpulling the whole thing. I don't think it's been tested, and I don't > think it can be right. > > Tell me why I'm wrong, or tell me why that garbage made it in in the > first place? I'm really sorry for the long delay in responding. I've been on vacation the last week, mostly without cell phone and very limited wifi access. True, there is a side case where integrity_read_file() is being called without first taking the i_rwsem. This side case permits signed x509 certificates to be loaded onto the trusted IMA/EVM keyrings, without verifying the file signature stored as security.ima/security.evm xattrs. Basically, the xattr signatures can not be verified until the keys are loaded. The main use case is embedded systems which do not have an initramfs, but have a specially crafted init script. It requires enabling CONFIG_IMA_LOAD_X509 or CONFIG_EVM_LOAD_X509. The new VFS integrity_read() file operation method would not be called. The main use case for the new VFS integrity_read() file operation method is to calculate the file hash, as Christoph described. Mimi ^ permalink raw reply [flat|nested] 46+ messages in thread
* [GIT PULL] Security subsystem updates for 4.14 @ 2017-09-10 6:46 ` Mimi Zohar 0 siblings, 0 replies; 46+ messages in thread From: Mimi Zohar @ 2017-09-10 6:46 UTC (permalink / raw) To: linux-security-module On Thu, 2017-09-07 at 11:19 -0700, Linus Torvalds wrote: > On Mon, Sep 4, 2017 at 3:29 AM, James Morris <jmorris@namei.org> wrote: > > > > IMA: > > - A new integrity_read file operation method, avoids races when > > calculating file hashes > > Honestly, this seems really odd. > > It documents that it needs to be called with i_rwsem held exclusively, > and even has a lockdep assert to that effect (well, not really: the > code claims "exclusive", but the lockdep assert does not), but I'm not > actually seeing anybody doing it. > > Quite the reverse, I just see integrity_read_file() doing filp_open() > on the pathname and passing it to integrity_kernel_read() with no > locking. > > It really looks like just pure garbage to me. I pulled, and I'm not > unpulling the whole thing. I don't think it's been tested, and I don't > think it can be right. > > Tell me why I'm wrong, or tell me why that garbage made it in in the > first place? I'm really sorry for the long delay in responding. ?I've been on vacation the last week, mostly without cell phone and very limited wifi access.? True, there is a side case where integrity_read_file() is being called without first taking the i_rwsem. ?This side case permits signed x509 certificates to be loaded onto the trusted IMA/EVM keyrings, without verifying the file signature stored as security.ima/security.evm xattrs. ?Basically, the xattr signatures can not be verified until the keys are loaded. ?The main use case is embedded systems which do not have an initramfs, but have a specially crafted init script. ?It requires enabling CONFIG_IMA_LOAD_X509 or CONFIG_EVM_LOAD_X509. ?The new VFS integrity_read() file operation method would not be called. The main use case for the new VFS integrity_read() file operation method is to calculate the file hash, as Christoph described. Mimi -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 46+ messages in thread
end of thread, other threads:[~2017-09-17 7:36 UTC | newest] Thread overview: 46+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2017-09-04 10:29 [GIT PULL] Security subsystem updates for 4.14 James Morris 2017-09-04 10:29 ` James Morris 2017-09-07 18:19 ` Linus Torvalds 2017-09-07 18:19 ` Linus Torvalds 2017-09-08 4:48 ` James Morris 2017-09-08 4:48 ` James Morris 2017-09-08 7:09 ` Christoph Hellwig 2017-09-08 7:09 ` Christoph Hellwig 2017-09-08 17:25 ` Linus Torvalds 2017-09-08 17:25 ` Linus Torvalds 2017-09-08 17:36 ` Paul Moore 2017-09-08 17:36 ` Paul Moore 2017-09-10 4:32 ` James Morris 2017-09-10 4:32 ` James Morris 2017-09-10 4:53 ` James Morris 2017-09-10 4:53 ` James Morris 2017-09-11 22:30 ` Paul Moore 2017-09-11 22:30 ` Paul Moore 2017-09-14 21:09 ` Kees Cook 2017-09-14 21:09 ` Kees Cook 2017-09-14 21:13 ` James Morris 2017-09-14 21:13 ` James Morris 2017-09-14 21:25 ` Kees Cook 2017-09-14 21:25 ` Kees Cook 2017-09-08 19:57 ` James Morris 2017-09-08 19:57 ` James Morris 2017-09-17 7:36 ` Mimi Zohar 2017-09-17 7:36 ` Mimi Zohar 2017-09-10 8:10 ` Christoph Hellwig 2017-09-10 8:10 ` Christoph Hellwig 2017-09-10 14:02 ` Mimi Zohar 2017-09-10 14:02 ` Mimi Zohar 2017-09-11 6:38 ` Christoph Hellwig 2017-09-11 6:38 ` Christoph Hellwig 2017-09-11 21:34 ` Mimi Zohar 2017-09-11 21:34 ` Mimi Zohar 2017-09-08 22:38 ` Theodore Ts'o 2017-09-08 22:38 ` Theodore Ts'o 2017-09-10 2:08 ` James Morris 2017-09-10 2:08 ` James Morris 2017-09-10 7:13 ` Mimi Zohar 2017-09-10 7:13 ` Mimi Zohar 2017-09-10 12:17 ` Theodore Ts'o 2017-09-10 12:17 ` Theodore Ts'o 2017-09-10 6:46 ` Mimi Zohar 2017-09-10 6:46 ` Mimi Zohar
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.