From: Tyler Hicks <tyhicks@linux.microsoft.com>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
James Morris <jmorris@namei.org>,
"Serge E . Hallyn" <serge@hallyn.com>,
Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
Prakhar Srivastava <prsriva02@gmail.com>,
linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org,
Janne Karhunen <janne.karhunen@gmail.com>,
Eric Biederman <ebiederm@xmission.com>,
kexec@lists.infradead.org,
Casey Schaufler <casey@schaufler-ca.com>,
Nayna Jain <nayna@linux.ibm.com>
Subject: Re: [PATCH v3 00/12] ima: Fix rule parsing bugs and extend KEXEC_CMDLINE rule support
Date: Thu, 16 Jul 2020 23:34:21 -0500 [thread overview]
Message-ID: <20200717043421.GF3673@sequoia> (raw)
In-Reply-To: <1594960293.27397.2.camel@linux.ibm.com>
On 2020-07-17 00:31:33, Mimi Zohar wrote:
> On Thu, 2020-07-09 at 01:18 -0500, Tyler Hicks wrote:
> > This series ultimately extends the supported IMA rule conditionals for
> > the KEXEC_CMDLINE hook function. As of today, there's an imbalance in
> > IMA language conditional support for KEXEC_CMDLINE rules in comparison
> > to KEXEC_KERNEL_CHECK and KEXEC_INITRAMFS_CHECK rules. The KEXEC_CMDLINE
> > rules do not support *any* conditionals so you cannot have a sequence of
> > rules like this:
> >
> > dont_measure func=KEXEC_KERNEL_CHECK obj_type=foo_t
> > dont_measure func=KEXEC_INITRAMFS_CHECK obj_type=foo_t
> > dont_measure func=KEXEC_CMDLINE obj_type=foo_t
> > measure func=KEXEC_KERNEL_CHECK
> > measure func=KEXEC_INITRAMFS_CHECK
> > measure func=KEXEC_CMDLINE
> >
> > Instead, KEXEC_CMDLINE rules can only be measured or not measured and
> > there's no additional flexibility in today's implementation of the
> > KEXEC_CMDLINE hook function.
> >
> > With this series, the above sequence of rules becomes valid and any
> > calls to kexec_file_load() with a kernel and initramfs inode type of
> > foo_t will not be measured (that includes the kernel cmdline buffer)
> > while all other objects given to a kexec_file_load() syscall will be
> > measured. There's obviously not an inode directly associated with the
> > kernel cmdline buffer but this patch series ties the inode based
> > decision making for KEXEC_CMDLINE to the kernel's inode. I think this
> > will be intuitive to policy authors.
> >
> > While reading IMA code and preparing to make this change, I realized
> > that the buffer based hook functions (KEXEC_CMDLINE and KEY_CHECK) are
> > quite special in comparison to longer standing hook functions. These
> > buffer based hook functions can only support measure actions and there
> > are some restrictions on the conditionals that they support. However,
> > the rule parser isn't enforcing any of those restrictions and IMA policy
> > authors wouldn't have any immediate way of knowing that the policy that
> > they wrote is invalid. For example, the sequence of rules above parses
> > successfully in today's kernel but the
> > "dont_measure func=KEXEC_CMDLINE ..." rule is incorrectly handled in
> > ima_match_rules(). The dont_measure rule is *always* considered to be a
> > match so, surprisingly, no KEXEC_CMDLINE measurements are made.
> >
> > While making the rule parser more strict, I realized that the parser
> > does not correctly free all of the allocated memory associated with an
> > ima_rule_entry when going down some error paths. Invalid policy loaded
> > by the policy administrator could result in small memory leaks.
> >
> > I envision patches 1-7 going to stable. The series is ordered in a way
> > that has all the fixes up front, followed by cleanups, followed by the
> > feature patch. The breakdown of patches looks like so:
> >
> > Memory leak fixes: 1-3
> > Parser strictness fixes: 4-7
> > Code cleanups made possible by the fixes: 8-11
> > Extend KEXEC_CMDLINE rule support: 12
>
> Thanks, Tyler. This is a really nice patch set. The patches are now
> in the "next-integrity-testing" branch.
Thank you for all the helpful review comments. You know where to find me
if any bugs pop up during testing. :)
Tyler
>
> Mimi
WARNING: multiple messages have this Message-ID (diff)
From: Tyler Hicks <tyhicks@linux.microsoft.com>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: Nayna Jain <nayna@linux.ibm.com>,
Janne Karhunen <janne.karhunen@gmail.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
Prakhar Srivastava <prsriva02@gmail.com>,
kexec@lists.infradead.org, James Morris <jmorris@namei.org>,
linux-kernel@vger.kernel.org,
Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
linux-security-module@vger.kernel.org,
Eric Biederman <ebiederm@xmission.com>,
Casey Schaufler <casey@schaufler-ca.com>,
linux-integrity@vger.kernel.org,
"Serge E . Hallyn" <serge@hallyn.com>
Subject: Re: [PATCH v3 00/12] ima: Fix rule parsing bugs and extend KEXEC_CMDLINE rule support
Date: Thu, 16 Jul 2020 23:34:21 -0500 [thread overview]
Message-ID: <20200717043421.GF3673@sequoia> (raw)
In-Reply-To: <1594960293.27397.2.camel@linux.ibm.com>
On 2020-07-17 00:31:33, Mimi Zohar wrote:
> On Thu, 2020-07-09 at 01:18 -0500, Tyler Hicks wrote:
> > This series ultimately extends the supported IMA rule conditionals for
> > the KEXEC_CMDLINE hook function. As of today, there's an imbalance in
> > IMA language conditional support for KEXEC_CMDLINE rules in comparison
> > to KEXEC_KERNEL_CHECK and KEXEC_INITRAMFS_CHECK rules. The KEXEC_CMDLINE
> > rules do not support *any* conditionals so you cannot have a sequence of
> > rules like this:
> >
> > dont_measure func=KEXEC_KERNEL_CHECK obj_type=foo_t
> > dont_measure func=KEXEC_INITRAMFS_CHECK obj_type=foo_t
> > dont_measure func=KEXEC_CMDLINE obj_type=foo_t
> > measure func=KEXEC_KERNEL_CHECK
> > measure func=KEXEC_INITRAMFS_CHECK
> > measure func=KEXEC_CMDLINE
> >
> > Instead, KEXEC_CMDLINE rules can only be measured or not measured and
> > there's no additional flexibility in today's implementation of the
> > KEXEC_CMDLINE hook function.
> >
> > With this series, the above sequence of rules becomes valid and any
> > calls to kexec_file_load() with a kernel and initramfs inode type of
> > foo_t will not be measured (that includes the kernel cmdline buffer)
> > while all other objects given to a kexec_file_load() syscall will be
> > measured. There's obviously not an inode directly associated with the
> > kernel cmdline buffer but this patch series ties the inode based
> > decision making for KEXEC_CMDLINE to the kernel's inode. I think this
> > will be intuitive to policy authors.
> >
> > While reading IMA code and preparing to make this change, I realized
> > that the buffer based hook functions (KEXEC_CMDLINE and KEY_CHECK) are
> > quite special in comparison to longer standing hook functions. These
> > buffer based hook functions can only support measure actions and there
> > are some restrictions on the conditionals that they support. However,
> > the rule parser isn't enforcing any of those restrictions and IMA policy
> > authors wouldn't have any immediate way of knowing that the policy that
> > they wrote is invalid. For example, the sequence of rules above parses
> > successfully in today's kernel but the
> > "dont_measure func=KEXEC_CMDLINE ..." rule is incorrectly handled in
> > ima_match_rules(). The dont_measure rule is *always* considered to be a
> > match so, surprisingly, no KEXEC_CMDLINE measurements are made.
> >
> > While making the rule parser more strict, I realized that the parser
> > does not correctly free all of the allocated memory associated with an
> > ima_rule_entry when going down some error paths. Invalid policy loaded
> > by the policy administrator could result in small memory leaks.
> >
> > I envision patches 1-7 going to stable. The series is ordered in a way
> > that has all the fixes up front, followed by cleanups, followed by the
> > feature patch. The breakdown of patches looks like so:
> >
> > Memory leak fixes: 1-3
> > Parser strictness fixes: 4-7
> > Code cleanups made possible by the fixes: 8-11
> > Extend KEXEC_CMDLINE rule support: 12
>
> Thanks, Tyler. This is a really nice patch set. The patches are now
> in the "next-integrity-testing" branch.
Thank you for all the helpful review comments. You know where to find me
if any bugs pop up during testing. :)
Tyler
>
> Mimi
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
next prev parent reply other threads:[~2020-07-17 4:34 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-09 6:18 [PATCH v3 00/12] ima: Fix rule parsing bugs and extend KEXEC_CMDLINE rule support Tyler Hicks
2020-07-09 6:18 ` Tyler Hicks
2020-07-09 6:19 ` [PATCH v3 01/12] ima: Have the LSM free its audit rule Tyler Hicks
2020-07-17 19:20 ` Nayna
2020-07-17 19:24 ` Tyler Hicks
2020-07-19 11:02 ` Mimi Zohar
2020-07-09 6:19 ` [PATCH v3 02/12] ima: Free the entire rule when deleting a list of rules Tyler Hicks
2020-07-09 6:19 ` [PATCH v3 03/12] ima: Free the entire rule if it fails to parse Tyler Hicks
2020-07-09 6:19 ` [PATCH v3 04/12] ima: Fail rule parsing when buffer hook functions have an invalid action Tyler Hicks
2020-07-09 6:19 ` [PATCH v3 05/12] ima: Fail rule parsing when the KEXEC_CMDLINE hook is combined with an invalid cond Tyler Hicks
2020-07-09 6:19 ` [PATCH v3 06/12] ima: Fail rule parsing when the KEY_CHECK " Tyler Hicks
2020-07-17 18:56 ` Nayna
2020-07-17 19:18 ` Tyler Hicks
2020-07-17 23:39 ` Tyler Hicks
2020-07-09 6:19 ` [PATCH v3 07/12] ima: Fail rule parsing when appraise_flag=blacklist is unsupportable Tyler Hicks
2020-07-16 18:14 ` Mimi Zohar
2020-07-16 18:20 ` Tyler Hicks
[not found] ` <76d2b27b-3b59-1852-046a-b1718c62b167@linux.vnet.ibm.com>
2020-07-17 18:11 ` Tyler Hicks
2020-07-20 17:02 ` Nayna
2020-07-09 6:19 ` [PATCH v3 08/12] ima: Shallow copy the args_p member of ima_rule_entry.lsm elements Tyler Hicks
2020-07-17 15:35 ` Konsta Karsisto
2020-07-17 16:51 ` Tyler Hicks
2020-07-09 6:19 ` [PATCH v3 09/12] ima: Use correct type for " Tyler Hicks
2020-07-09 6:19 ` [PATCH v3 10/12] ima: Move comprehensive rule validation checks out of the token parser Tyler Hicks
2020-07-09 6:19 ` [PATCH v3 11/12] ima: Use the common function to detect LSM conditionals in a rule Tyler Hicks
2020-07-09 6:19 ` [PATCH v3 12/12] ima: Support additional conditionals in the KEXEC_CMDLINE hook function Tyler Hicks
2020-07-09 6:19 ` Tyler Hicks
2020-07-17 4:31 ` [PATCH v3 00/12] ima: Fix rule parsing bugs and extend KEXEC_CMDLINE rule support Mimi Zohar
2020-07-17 4:34 ` Tyler Hicks [this message]
2020-07-17 4:34 ` Tyler Hicks
2020-07-20 21:38 ` Mimi Zohar
2020-07-20 21:38 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200717043421.GF3673@sequoia \
--to=tyhicks@linux.microsoft.com \
--cc=casey@schaufler-ca.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=ebiederm@xmission.com \
--cc=janne.karhunen@gmail.com \
--cc=jmorris@namei.org \
--cc=kexec@lists.infradead.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=nayna@linux.ibm.com \
--cc=nramas@linux.microsoft.com \
--cc=prsriva02@gmail.com \
--cc=serge@hallyn.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.