From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 133121864 for ; Wed, 20 Apr 2022 14:07:05 +0000 (UTC) Received: from pps.filterd (m0098409.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.1.2/8.16.1.2) with SMTP id 23KBxvoE000685; Wed, 20 Apr 2022 14:06:47 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding; s=pp1; bh=LdoIkb8O2Lj+PFSyRz0UfBy1F3qn+mr4nlWpVkgYsxU=; b=nqiL1Z6ybhNyX0QLdFwyAB7MOzzmvDciZ1xB8o1l4YeL3uLx3cssSC/jsJYSeGtoNCz1 4MMMFlXpvS3Cw/C8eN2Qs8zED3QUM9l4V/+HDSQVfb1KTejzkbPAxWAHBOiZyIm+O5jt Oj3Gp32XS6Wavw1wcQygxsjPzJwuwhSyFOLnhWxPju34rkJ2ci4ri7xamnc+7REi5fUV SQAH0yOTsAgTcVk1n+PEI8UJEuLEcGVosxRzcSaaHZLeP98GAUbN6x0e9INnsy73FXnD t2B6sAAixF4Jbw4AHc7msxPzsrYIOR+dNpDBc/hYACZL+U8lOM6/WqyQx3+aOOomRm/p pQ== Received: from pps.reinject (localhost [127.0.0.1]) by mx0a-001b2d01.pphosted.com with ESMTP id 3fjhsxjsbd-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 20 Apr 2022 14:06:47 +0000 Received: from m0098409.ppops.net (m0098409.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 23KDeJKm020014; Wed, 20 Apr 2022 14:06:46 GMT Received: from ppma02dal.us.ibm.com (a.bd.3ea9.ip4.static.sl-reverse.com [169.62.189.10]) by mx0a-001b2d01.pphosted.com with ESMTP id 3fjhsxjsas-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 20 Apr 2022 14:06:46 +0000 Received: from pps.filterd (ppma02dal.us.ibm.com [127.0.0.1]) by ppma02dal.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 23KE31Os020594; Wed, 20 Apr 2022 14:06:45 GMT Received: from b01cxnp22035.gho.pok.ibm.com (b01cxnp22035.gho.pok.ibm.com [9.57.198.25]) by ppma02dal.us.ibm.com with ESMTP id 3ffneabv56-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 20 Apr 2022 14:06:45 +0000 Received: from b01ledav005.gho.pok.ibm.com (b01ledav005.gho.pok.ibm.com [9.57.199.110]) by b01cxnp22035.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 23KE6ido25821662 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 20 Apr 2022 14:06:44 GMT Received: from b01ledav005.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 13B96AE06D; Wed, 20 Apr 2022 14:06:44 +0000 (GMT) Received: from b01ledav005.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 00419AE06A; Wed, 20 Apr 2022 14:06:44 +0000 (GMT) Received: from sbct-3.pok.ibm.com (unknown [9.47.158.153]) by b01ledav005.gho.pok.ibm.com (Postfix) with ESMTP; Wed, 20 Apr 2022 14:06:43 +0000 (GMT) From: Stefan Berger To: linux-integrity@vger.kernel.org Cc: zohar@linux.ibm.com, serge@hallyn.com, christian.brauner@ubuntu.com, containers@lists.linux.dev, dmitry.kasatkin@gmail.com, ebiederm@xmission.com, krzysztof.struczynski@huawei.com, roberto.sassu@huawei.com, mpeters@redhat.com, lhinds@redhat.com, lsturman@redhat.com, puiterwi@redhat.com, jejb@linux.ibm.com, jamjoom@us.ibm.com, linux-kernel@vger.kernel.org, paul@paul-moore.com, rgb@redhat.com, linux-security-module@vger.kernel.org, jmorris@namei.org, jpenumak@redhat.com, Stefan Berger Subject: [PATCH v12 22/26] ima: Introduce securityfs file to activate an IMA namespace Date: Wed, 20 Apr 2022 10:06:29 -0400 Message-Id: <20220420140633.753772-23-stefanb@linux.ibm.com> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220420140633.753772-1-stefanb@linux.ibm.com> References: <20220420140633.753772-1-stefanb@linux.ibm.com> Precedence: bulk X-Mailing-List: containers@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-TM-AS-GCONF: 00 X-Proofpoint-ORIG-GUID: m_KviDsFaeLUd6xEnp35ScDcwxmuZflH X-Proofpoint-GUID: epMHt6AFuxlzGhvYGzLvRRb6JHiST_zi X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.858,Hydra:6.0.486,FMLib:17.11.64.514 definitions=2022-04-20_04,2022-04-20_01,2022-02-23_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 malwarescore=0 clxscore=1015 lowpriorityscore=0 adultscore=0 mlxlogscore=984 priorityscore=1501 spamscore=0 phishscore=0 bulkscore=0 suspectscore=0 impostorscore=0 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2202240000 definitions=main-2204200084 Introduce the IMA securityfs file 'active' that users now need to write a "1" into (precisely a '1\0' or '1\n') to activate an IMA namespace. When reading from the file, it shows either '0' or '1'. The rationale for introducing a file to activate an IMA namespace is that subsequent support for IMA-measurement and IMA-appraisal will add configuration files for selecting for example the template that an IMA namespace is supposed to use for logging measurements, which will add an IMA namespace configuration stage (using securityfs files) before its activation. Besides that it allows to create a user namespace with securityfs mounted and an inactive IMA namespace. Also, introduce ns_is_active() to be used in those places where the ima_namespace pointer may either be NULL or where the active flag may not have been set, yet. An inactive IMA namespace should never be accessed since it has not been initialized, yet. Set the init_ima_ns's active flag since it is considered active right from the beginning. Signed-off-by: Stefan Berger --- v12: - Fixed uninitialized ret if IS_ERR(active) was true v11: - Move code from ima_fs_add_ns_files() into ima_fs_ns_init() - Use ima_ns_flags and IMA_NS_ACTIVE instead of 'atomic_t active' v10: - use memdup_user_nul to copy input from user - propagating error returned from ima_fs_add_ns_files() --- security/integrity/ima/ima.h | 6 +++ security/integrity/ima/ima_fs.c | 64 ++++++++++++++++++++++++ security/integrity/ima/ima_init_ima_ns.c | 1 + security/integrity/ima/ima_main.c | 2 +- 4 files changed, 72 insertions(+), 1 deletion(-) diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 801dc3c8bfde..2cc286f9e839 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -126,6 +126,7 @@ struct ima_namespace { unsigned long ima_ns_flags; /* Bit numbers for above flags; use BIT() to get flag */ #define IMA_NS_LSM_UPDATE_RULES 0 +#define IMA_NS_ACTIVE 1 struct rb_root ns_status_tree; rwlock_t ns_tree_lock; @@ -158,6 +159,11 @@ struct ima_namespace { } __randomize_layout; extern struct ima_namespace init_ima_ns; +static inline bool ns_is_active(struct ima_namespace *ns) +{ + return (ns && test_bit(IMA_NS_ACTIVE, &ns->ima_ns_flags)); +} + extern const int read_idmap[]; #ifdef CONFIG_HAVE_IMA_KEXEC diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c index 84cd02a9e19b..301c717e029f 100644 --- a/security/integrity/ima/ima_fs.c +++ b/security/integrity/ima/ima_fs.c @@ -451,6 +451,57 @@ static const struct file_operations ima_measure_policy_ops = { .llseek = generic_file_llseek, }; +static ssize_t ima_show_active(struct file *filp, + char __user *buf, + size_t count, loff_t *ppos) +{ + struct ima_namespace *ns = &init_ima_ns; + char tmpbuf[2]; + ssize_t len; + + len = scnprintf(tmpbuf, sizeof(tmpbuf), + "%d\n", !!test_bit(IMA_NS_ACTIVE, &ns->ima_ns_flags)); + return simple_read_from_buffer(buf, count, ppos, tmpbuf, len); +} + +static ssize_t ima_write_active(struct file *filp, + const char __user *buf, + size_t count, loff_t *ppos) +{ + struct ima_namespace *ns = &init_ima_ns; + unsigned int active; + char *kbuf; + int err; + + if (ns_is_active(ns)) + return -EBUSY; + + /* accepting '1\n' and '1\0' and no partial writes */ + if (count >= 3 || *ppos != 0) + return -EINVAL; + + kbuf = memdup_user_nul(buf, count); + if (IS_ERR(kbuf)) + return PTR_ERR(kbuf); + + err = kstrtouint(kbuf, 10, &active); + kfree(kbuf); + if (err) + return err; + + if (active != 1) + return -EINVAL; + + set_bit(IMA_NS_ACTIVE, &ns->ima_ns_flags); + + return count; +} + +static const struct file_operations ima_active_ops = { + .read = ima_show_active, + .write = ima_write_active, +}; + int ima_fs_ns_init(struct user_namespace *user_ns, struct dentry *root) { struct ima_namespace *ns = ima_ns_from_user_ns(user_ns); @@ -461,6 +512,7 @@ int ima_fs_ns_init(struct user_namespace *user_ns, struct dentry *root) struct dentry *ascii_runtime_measurements = NULL; struct dentry *runtime_measurements_count = NULL; struct dentry *violations = NULL; + struct dentry *active = NULL; int ret; /* FIXME: update when evm and integrity are namespaced */ @@ -531,8 +583,20 @@ int ima_fs_ns_init(struct user_namespace *user_ns, struct dentry *root) } } + if (ns != &init_ima_ns) { + active = + securityfs_create_file("active", + S_IRUSR | S_IWUSR | S_IRGRP, ima_dir, + NULL, &ima_active_ops); + if (IS_ERR(active)) { + ret = PTR_ERR(active); + goto out; + } + } + return 0; out: + securityfs_remove(active); securityfs_remove(ns->ima_policy); securityfs_remove(violations); securityfs_remove(runtime_measurements_count); diff --git a/security/integrity/ima/ima_init_ima_ns.c b/security/integrity/ima/ima_init_ima_ns.c index 41e7db0c9749..5c57abfc70ea 100644 --- a/security/integrity/ima/ima_init_ima_ns.c +++ b/security/integrity/ima/ima_init_ima_ns.c @@ -58,5 +58,6 @@ struct ima_namespace init_ima_ns = { .ima_lsm_policy_notifier = { .notifier_call = ima_lsm_policy_change, }, + .ima_ns_flags = BIT(IMA_NS_ACTIVE), }; EXPORT_SYMBOL(init_ima_ns); diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 26faf9f75645..194dc4557caa 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -441,7 +441,7 @@ static int process_measurement(struct user_namespace *user_ns, while (user_ns) { ns = ima_ns_from_user_ns(user_ns); - if (ns) { + if (ns_is_active(ns)) { int rc; rc = __process_measurement(ns, file, cred, secid, buf, -- 2.34.1