From: Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
To: Petko Manolov <petkan@mip-labs.com>, Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: "linux-security-module@vger.kernel.org" <linux-security-module@vger.kernel.org>, "Luis R. Rodriguez" <mcgrof@suse.com>, "kexec@lists.infradead.org" <kexec@lists.infradead.org>, "linux-modules@vger.kernel.org" <linux-modules@vger.kernel.org>, "fsdevel@vger.kernel.org" <fsdevel@vger.kernel.org>, David Howells <dhowells@redhat.com>, David Woodhouse <dwmw2@infradead.org>, Kees Cook <keescook@chromium.org>, Dmitry Torokhov <dmitry.torokhov@gmail.com>, Dmitry Kasatkin <dmitry.kasatkin@gmail.com>, Eric Biederman <ebiederm@xmission.com>, Rusty Russell <rusty@rustcorp.com.au>, Dmitry Kasatkin <d.kasatkin@samsung.com>
Subject: RE: [PATCH v3 20/22] ima: load policy using path
Date: Mon, 8 Feb 2016 09:58:16 +0000
Message-ID: <C2D7A727C393B644B70DF4B4DCFB60B9C8A843@lhreml507-mbx.china.huawei.com>
In-Reply-To: <20160207195945.GG17321@localhost>

________________________________________
From: Petko Manolov [petkan@mip-labs.com]
Sent: Sunday, February 07, 2016 9:59 PM
To: Mimi Zohar
Cc: linux-security-module@vger.kernel.org; Luis R. Rodriguez; kexec@lists.infradead.org; linux-modules@vger.kernel.org; fsdevel@vger.kernel.org; David Howells; David Woodhouse; Kees Cook; Dmitry Torokhov; Dmitry Kasatkin; Eric Biederman; Rusty Russell; Dmitry Kasatkin; Dmitry Kasatkin
Subject: Re: [PATCH v3 20/22] ima: load policy using path

On 16-02-03 14:06:28, Mimi Zohar wrote:
> From: Dmitry Kasatkin <d.kasatkin@samsung.com> > > We currently cannot do appraisal or signature vetting of IMA policies > since we currently can only load IMA policies by writing the contents > of the policy directly in, as follows: > > cat policy-file > <securityfs>/ima/policy > > If we provide the kernel the path to the IMA policy so it can load > the policy itself it'd be able to later appraise or vet the file > signature if it has one. This patch adds support to load the IMA > policy with a given path as follows: > > echo /etc/ima/ima_policy > /sys/kernel/security/ima/policy > > Changelog v3: > - moved kernel_read_file_from_path() to a separate patch > v2: > - after re-ordering the patches, replace calling integrity_kernel_read() > to read the file with kernel_read_file_from_path() (Mimi) > - Patch description re-written by Luis R. Rodriguez > > Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com> > Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> > --- > include/linux/fs.h | 1 + > security/integrity/ima/ima_fs.c | 43 +++++++++++++++++++++++++++++++++++++++-- > 2 files changed, 42 insertions(+), 2 deletions(-) > > diff --git a/include/linux/fs.h b/include/linux/fs.h > index d4d556e..b648e6d 100644 > --- a/include/linux/fs.h > +++ b/include/linux/fs.h > @@ -2531,6 +2531,7 @@ enum kernel_read_file_id { > READING_MODULE, > READING_KEXEC_IMAGE, > READING_KEXEC_INITRAMFS, > + READING_POLICY, > READING_MAX_ID > }; > > diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c > index f355231..00ccd67 100644 > --- a/security/integrity/ima/ima_fs.c > +++ b/security/integrity/ima/ima_fs.c > @@ -22,6 +22,7 @@ > #include <linux/rculist.h> > #include <linux/rcupdate.h> > #include <linux/parser.h> > +#include <linux/vmalloc.h> > > #include "ima.h" 
> > @@ -258,6 +259,41 @@ static const struct file_operations ima_ascii_measurements_ops = { > .release = seq_release, > }; > > +static ssize_t ima_read_policy(char *path) > +{ > + void *data; > + char *datap; > + loff_t size; > + int rc, pathlen = strlen(path); > + > + char *p; > + > + /* remove \n */ > + datap = path; > + strsep(&datap, "\n"); > + > + rc = kernel_read_file_from_path(path, &data, &size, 0, READING_POLICY); > + if (rc < 0) > + return rc; > + > + datap = data; > + while (size > 0 && (p = strsep(&datap, "\n"))) { > + pr_debug("rule: %s\n", p); > + rc = ima_parse_add_rule(p); > + if (rc < 0) > + break; > + size -= rc; > + } > + > + vfree(data); > + if (rc < 0) > + return rc; > + else if (size) > + return -EINVAL; > + else > + return pathlen; > +} > + > static ssize_t ima_write_policy(struct file *file, const char __user *buf, > size_t datalen, loff_t *ppos) > { > @@ -286,9 +322,12 @@ static ssize_t ima_write_policy(struct file *file, const char __user *buf, > result = mutex_lock_interruptible(&ima_write_mutex); > if (result < 0) > goto out_free; > - result = ima_parse_add_rule(data); > - mutex_unlock(&ima_write_mutex); > > + if (data[0] == '/') >It seems that if we feed relative path to ima_policy the update will fail... Yes, i think it is always a good idea to pass absolute path. Dmitry > + result = ima_read_policy(data); > + else > + result = ima_parse_add_rule(data); > + mutex_unlock(&ima_write_mutex); > out_free: > kfree(data); > out: > -- > 2.1.0 > > -- > To unsubscribe from this list: send the line "unsubscribe linux-security-module" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html
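Review bot: In the ima_read_policy() hunk, the post-loop check `else if (size) return -EINVAL;` also fires when `size` has gone negative, and that is exactly what happens for a policy file whose last line carries no trailing newline: ima_parse_add_rule() returns the rule length plus one byte for the line terminator, so `size -= rc` overshoots by one on a final unterminated line and an otherwise valid policy is rejected with -EINVAL. Either treat the last line specially or state in the changelog and ABI text that the file must be newline-terminated. Related: nothing in this hunk NUL-terminates `data`, yet `strsep(&datap, "\n")` scans until it finds '\n' or NUL, so if the buffer handed back by kernel_read_file_from_path() is exactly `size` bytes and the file's last byte is not '\n', the scan runs past the end of the buffer; allocating one extra byte and writing a terminator before the loop closes both problems at once. Finally, rules accepted before a failing line stay loaded, since there is no rollback on `rc < 0`: the write returns an error but the policy is partially applied, which deserves at least a comment.

Review bot: The `if (data[0] == '/')` dispatch in the ima_write_policy() hunk means a relative path is handed to ima_parse_add_rule() and fails as a malformed rule rather than with a path error, which is the behaviour Petko observed; since only absolute paths can be resolved from here anyway, document the restriction in Documentation/ABI/testing/ima_policy and consider a pr_err naming the path when kernel_read_file_from_path() fails so the cause is visible from dmesg. Note also that ima_write_mutex is now held across file I/O on an arbitrary path, so a write naming a file on a slow or hung filesystem blocks every other policy writer until it completes; acceptable for a root-only interface, but worth a sentence in the commit message.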
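Added here as a worked example, not code from the patch or from the IMA project: a user-space pre-flight wrapper around the `echo /etc/ima/ima_policy > /sys/kernel/security/ima/policy` interface the commit message describes, which enforces the absolute-path rule Dmitry recommends above and refuses inputs the kernel-side loader would reject. The function names and the IMA_POLICY_NODE variable are assumptions of this example; the securityfs path is the one from the commit message.

```shell
# Added example, not code from the patch or the IMA project.
# IMA_POLICY_NODE is an assumed name; the default is the securityfs
# node the commit message writes to. Point it at a scratch file to
# exercise the wrapper without touching the running policy.
IMA_POLICY_NODE="${IMA_POLICY_NODE:-/sys/kernel/security/ima/policy}"

# ima_check_policy_file PATH
# Returns 0 if PATH is something the path-based loader will accept:
#  - absolute: the write handler dispatches on a leading '/', and
#    anything else is parsed as an inline rule and rejected;
#  - a readable, non-empty regular file;
#  - newline-terminated: the loader charges one line-terminator byte
#    per rule against the file size, so a missing final newline leaves
#    its post-parse size check unsatisfied.
ima_check_policy_file() {
    policy=$1
    case $policy in
        /*) ;;
        *)  echo "policy path must be absolute: $policy" >&2; return 2 ;;
    esac
    if [ ! -f "$policy" ] || [ ! -r "$policy" ]; then
        echo "policy file missing or unreadable: $policy" >&2
        return 2
    fi
    if [ ! -s "$policy" ]; then
        echo "policy file is empty: $policy" >&2
        return 2
    fi
    # Command substitution strips a trailing newline, so a non-empty
    # result means the last byte of the file is not '\n'.
    if [ -n "$(tail -c 1 "$policy")" ]; then
        echo "policy file must end with a newline: $policy" >&2
        return 2
    fi
    return 0
}

# ima_load_policy_path PATH [NODE]
# Validates PATH, then writes it newline-terminated to NODE (the kernel
# strips the newline before resolving the path). Writing to the real
# securityfs node needs root and a mounted securityfs; NODE may be a
# scratch file for a dry run.
ima_load_policy_path() {
    policy=$1
    node=${2:-$IMA_POLICY_NODE}
    ima_check_policy_file "$policy" || return $?
    printf '%s\n' "$policy" > "$node"
}
```

Dry run: `ima_load_policy_path /etc/ima/ima_policy /tmp/ima-node` leaves the path in /tmp/ima-node without loading anything; drop the second argument to write to securityfs. The checks deliberately mirror what the kernel side rejects so that a failure is reported with a reason from user space instead of a bare -EINVAL from the write.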