From: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: Christoph Hellwig <hch@lst.de>, Al Viro <viro@zeniv.linux.org.uk>,
linux-fsdevel@vger.kernel.org,
linux-ima-devel <linux-ima-devel@lists.sourceforge.net>,
linux-security-module <linux-security-module@vger.kernel.org>
Subject: Re: [Linux-ima-devel] [PATCH v4 3/5] ima: define "dont_failsafe" policy action rule
Date: Tue, 22 Aug 2017 12:34:31 +0300 [thread overview]
Message-ID: <CACE9dm_LW+-BsTdTiUd3wA+ToeZZh5tQaW3qObY=urYWyTgAxA@mail.gmail.com> (raw)
In-Reply-To: <1501075375-29469-4-git-send-email-zohar@linux.vnet.ibm.com>
On Wed, Jul 26, 2017 at 4:22 PM, Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> Permit normally denied access/execute permission for files in policy
> on IMA unsupported filesystems. This patch defines the "dont_failsafe"
> policy action rule.
>
> Mimi Zohar <zohar@linux.vnet.ibm.com>
>
> ---
> Changelog v3:
> - include dont_failsafe rule when displaying policy
> - fail attempt to add dont_failsafe rule when appending to the policy
>
> Documentation/ABI/testing/ima_policy | 3 ++-
> security/integrity/ima/ima.h | 1 +
> security/integrity/ima/ima_main.c | 11 ++++++++++-
> security/integrity/ima/ima_policy.c | 29 ++++++++++++++++++++++++++++-
> 4 files changed, 41 insertions(+), 3 deletions(-)
>
> diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
> index e76432b9954d..f271207743e5 100644
> --- a/Documentation/ABI/testing/ima_policy
> +++ b/Documentation/ABI/testing/ima_policy
> @@ -17,7 +17,8 @@ Description:
>
> rule format: action [condition ...]
>
> - action: measure | dont_measure | appraise | dont_appraise | audit
> + action: measure | dont_meaure | appraise | dont_appraise |
> + audit | dont_failsafe
> condition:= base | lsm [option]
> base: [[func=] [mask=] [fsmagic=] [fsuuid=] [uid=]
> [euid=] [fowner=]]
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index d52b487ad259..c5f34f7c5b0f 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -224,6 +224,7 @@ void *ima_policy_start(struct seq_file *m, loff_t *pos);
> void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos);
> void ima_policy_stop(struct seq_file *m, void *v);
> int ima_policy_show(struct seq_file *m, void *v);
> +void set_failsafe(bool flag);
>
> /* Appraise integrity measurements */
> #define IMA_APPRAISE_ENFORCE 0x01
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index 3941371402ff..664edab0f758 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -38,6 +38,11 @@ int ima_appraise;
> int ima_hash_algo = HASH_ALGO_SHA1;
> static int hash_setup_done;
>
> +static bool ima_failsafe = 1;
> +void set_failsafe(bool flag) {
> + ima_failsafe = flag;
> +}
> +
> static int __init hash_setup(char *str)
> {
> struct ima_template_desc *template_desc = ima_template_desc_current();
> @@ -263,8 +268,12 @@ static int process_measurement(struct file *file, char *buf, loff_t size,
> __putname(pathbuf);
> out:
> inode_unlock(inode);
> - if ((rc && must_appraise) && (ima_appraise & IMA_APPRAISE_ENFORCE))
> + if ((rc && must_appraise) && (ima_appraise & IMA_APPRAISE_ENFORCE)) {
> + if (!ima_failsafe && rc == -EBADF)
> + return 0;
> +
By default IMA is failsaif. ima_failsafe is true.
Return 0 is needed in failsafe mode. right?
But in this logic it will happen if ima_failsafe is false. meaning it
is not failsafe.
Is it a typo?
> return -EACCES;
> + }
> return 0;
> }
>
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 95209a5f8595..43b85a4fb8e8 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -40,12 +40,14 @@
> #define APPRAISE 0x0004 /* same as IMA_APPRAISE */
> #define DONT_APPRAISE 0x0008
> #define AUDIT 0x0040
> +#define DONT_FAILSAFE 0x0400
>
> #define INVALID_PCR(a) (((a) < 0) || \
> (a) >= (FIELD_SIZEOF(struct integrity_iint_cache, measured_pcrs) * 8))
>
> int ima_policy_flag;
> static int temp_ima_appraise;
> +static bool temp_failsafe = 1;
>
> #define MAX_LSM_RULES 6
> enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE,
> @@ -513,6 +515,9 @@ void ima_update_policy(void)
> if (ima_rules != policy) {
> ima_policy_flag = 0;
> ima_rules = policy;
> +
> + /* Only update on initial policy replacement, not append */
> + set_failsafe(temp_failsafe);
> }
> ima_update_policy_flag();
> }
> @@ -529,7 +534,7 @@ enum {
> Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt,
> Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt,
> Opt_appraise_type, Opt_permit_directio,
> - Opt_pcr
> + Opt_pcr, Opt_dont_failsafe
> };
>
> static match_table_t policy_tokens = {
> @@ -560,6 +565,7 @@ static match_table_t policy_tokens = {
> {Opt_appraise_type, "appraise_type=%s"},
> {Opt_permit_directio, "permit_directio"},
> {Opt_pcr, "pcr=%s"},
> + {Opt_dont_failsafe, "dont_failsafe"},
> {Opt_err, NULL}
> };
>
> @@ -630,6 +636,11 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
> if ((*p == '\0') || (*p == ' ') || (*p == '\t'))
> continue;
> token = match_token(p, policy_tokens, args);
> + if (entry->action == DONT_FAILSAFE) {
> + /* no args permitted, force invalid rule */
> + token = Opt_dont_failsafe;
> + }
> +
> switch (token) {
> case Opt_measure:
> ima_log_string(ab, "action", "measure");
> @@ -671,6 +682,19 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
>
> entry->action = AUDIT;
> break;
> + case Opt_dont_failsafe:
> + ima_log_string(ab, "action", "dont_failsafe");
> +
> + if (entry->action != UNKNOWN)
> + result = -EINVAL;
> +
> + /* Permit on initial policy replacement only */
> + if (ima_rules != &ima_policy_rules)
> + temp_failsafe = 0;
> + else
> + result = -EINVAL;
> + entry->action = DONT_FAILSAFE;
> + break;
> case Opt_func:
> ima_log_string(ab, "func", args[0].from);
>
> @@ -949,6 +973,7 @@ void ima_delete_rules(void)
> int i;
>
> temp_ima_appraise = 0;
> + temp_failsafe = 1;
> list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) {
> for (i = 0; i < MAX_LSM_RULES; i++)
> kfree(entry->lsm[i].args_p);
> @@ -1040,6 +1065,8 @@ int ima_policy_show(struct seq_file *m, void *v)
> seq_puts(m, pt(Opt_dont_appraise));
> if (entry->action & AUDIT)
> seq_puts(m, pt(Opt_audit));
> + if (entry->action & DONT_FAILSAFE)
> + seq_puts(m, pt(Opt_dont_failsafe));
>
> seq_puts(m, " ");
>
> --
> 2.7.4
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Linux-ima-devel mailing list
> Linux-ima-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/linux-ima-devel
--
Thanks,
Dmitry
WARNING: multiple messages have this Message-ID (diff)
From: dmitry.kasatkin@gmail.com (Dmitry Kasatkin)
To: linux-security-module@vger.kernel.org
Subject: [Linux-ima-devel] [PATCH v4 3/5] ima: define "dont_failsafe" policy action rule
Date: Tue, 22 Aug 2017 12:34:31 +0300 [thread overview]
Message-ID: <CACE9dm_LW+-BsTdTiUd3wA+ToeZZh5tQaW3qObY=urYWyTgAxA@mail.gmail.com> (raw)
In-Reply-To: <1501075375-29469-4-git-send-email-zohar@linux.vnet.ibm.com>
On Wed, Jul 26, 2017 at 4:22 PM, Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> Permit normally denied access/execute permission for files in policy
> on IMA unsupported filesystems. This patch defines the "dont_failsafe"
> policy action rule.
>
> Mimi Zohar <zohar@linux.vnet.ibm.com>
>
> ---
> Changelog v3:
> - include dont_failsafe rule when displaying policy
> - fail attempt to add dont_failsafe rule when appending to the policy
>
> Documentation/ABI/testing/ima_policy | 3 ++-
> security/integrity/ima/ima.h | 1 +
> security/integrity/ima/ima_main.c | 11 ++++++++++-
> security/integrity/ima/ima_policy.c | 29 ++++++++++++++++++++++++++++-
> 4 files changed, 41 insertions(+), 3 deletions(-)
>
> diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
> index e76432b9954d..f271207743e5 100644
> --- a/Documentation/ABI/testing/ima_policy
> +++ b/Documentation/ABI/testing/ima_policy
> @@ -17,7 +17,8 @@ Description:
>
> rule format: action [condition ...]
>
> - action: measure | dont_measure | appraise | dont_appraise | audit
> + action: measure | dont_meaure | appraise | dont_appraise |
> + audit | dont_failsafe
> condition:= base | lsm [option]
> base: [[func=] [mask=] [fsmagic=] [fsuuid=] [uid=]
> [euid=] [fowner=]]
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index d52b487ad259..c5f34f7c5b0f 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -224,6 +224,7 @@ void *ima_policy_start(struct seq_file *m, loff_t *pos);
> void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos);
> void ima_policy_stop(struct seq_file *m, void *v);
> int ima_policy_show(struct seq_file *m, void *v);
> +void set_failsafe(bool flag);
>
> /* Appraise integrity measurements */
> #define IMA_APPRAISE_ENFORCE 0x01
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index 3941371402ff..664edab0f758 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -38,6 +38,11 @@ int ima_appraise;
> int ima_hash_algo = HASH_ALGO_SHA1;
> static int hash_setup_done;
>
> +static bool ima_failsafe = 1;
> +void set_failsafe(bool flag) {
> + ima_failsafe = flag;
> +}
> +
> static int __init hash_setup(char *str)
> {
> struct ima_template_desc *template_desc = ima_template_desc_current();
> @@ -263,8 +268,12 @@ static int process_measurement(struct file *file, char *buf, loff_t size,
> __putname(pathbuf);
> out:
> inode_unlock(inode);
> - if ((rc && must_appraise) && (ima_appraise & IMA_APPRAISE_ENFORCE))
> + if ((rc && must_appraise) && (ima_appraise & IMA_APPRAISE_ENFORCE)) {
> + if (!ima_failsafe && rc == -EBADF)
> + return 0;
> +
By default IMA is failsaif. ima_failsafe is true.
Return 0 is needed in failsafe mode. right?
But in this logic it will happen if ima_failsafe is false. meaning it
is not failsafe.
Is it a typo?
> return -EACCES;
> + }
> return 0;
> }
>
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 95209a5f8595..43b85a4fb8e8 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -40,12 +40,14 @@
> #define APPRAISE 0x0004 /* same as IMA_APPRAISE */
> #define DONT_APPRAISE 0x0008
> #define AUDIT 0x0040
> +#define DONT_FAILSAFE 0x0400
>
> #define INVALID_PCR(a) (((a) < 0) || \
> (a) >= (FIELD_SIZEOF(struct integrity_iint_cache, measured_pcrs) * 8))
>
> int ima_policy_flag;
> static int temp_ima_appraise;
> +static bool temp_failsafe = 1;
>
> #define MAX_LSM_RULES 6
> enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE,
> @@ -513,6 +515,9 @@ void ima_update_policy(void)
> if (ima_rules != policy) {
> ima_policy_flag = 0;
> ima_rules = policy;
> +
> + /* Only update on initial policy replacement, not append */
> + set_failsafe(temp_failsafe);
> }
> ima_update_policy_flag();
> }
> @@ -529,7 +534,7 @@ enum {
> Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt,
> Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt,
> Opt_appraise_type, Opt_permit_directio,
> - Opt_pcr
> + Opt_pcr, Opt_dont_failsafe
> };
>
> static match_table_t policy_tokens = {
> @@ -560,6 +565,7 @@ static match_table_t policy_tokens = {
> {Opt_appraise_type, "appraise_type=%s"},
> {Opt_permit_directio, "permit_directio"},
> {Opt_pcr, "pcr=%s"},
> + {Opt_dont_failsafe, "dont_failsafe"},
> {Opt_err, NULL}
> };
>
> @@ -630,6 +636,11 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
> if ((*p == '\0') || (*p == ' ') || (*p == '\t'))
> continue;
> token = match_token(p, policy_tokens, args);
> + if (entry->action == DONT_FAILSAFE) {
> + /* no args permitted, force invalid rule */
> + token = Opt_dont_failsafe;
> + }
> +
> switch (token) {
> case Opt_measure:
> ima_log_string(ab, "action", "measure");
> @@ -671,6 +682,19 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
>
> entry->action = AUDIT;
> break;
> + case Opt_dont_failsafe:
> + ima_log_string(ab, "action", "dont_failsafe");
> +
> + if (entry->action != UNKNOWN)
> + result = -EINVAL;
> +
> + /* Permit on initial policy replacement only */
> + if (ima_rules != &ima_policy_rules)
> + temp_failsafe = 0;
> + else
> + result = -EINVAL;
> + entry->action = DONT_FAILSAFE;
> + break;
> case Opt_func:
> ima_log_string(ab, "func", args[0].from);
>
> @@ -949,6 +973,7 @@ void ima_delete_rules(void)
> int i;
>
> temp_ima_appraise = 0;
> + temp_failsafe = 1;
> list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) {
> for (i = 0; i < MAX_LSM_RULES; i++)
> kfree(entry->lsm[i].args_p);
> @@ -1040,6 +1065,8 @@ int ima_policy_show(struct seq_file *m, void *v)
> seq_puts(m, pt(Opt_dont_appraise));
> if (entry->action & AUDIT)
> seq_puts(m, pt(Opt_audit));
> + if (entry->action & DONT_FAILSAFE)
> + seq_puts(m, pt(Opt_dont_failsafe));
>
> seq_puts(m, " ");
>
> --
> 2.7.4
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Linux-ima-devel mailing list
> Linux-ima-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/linux-ima-devel
--
Thanks,
Dmitry
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2017-08-22 9:34 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-07-26 13:22 [PATCH v4 0/5] define new fs integrity_read method Mimi Zohar
2017-07-26 13:22 ` Mimi Zohar
2017-07-26 13:22 ` [PATCH v4 1/5] ima: always measure and audit files in policy Mimi Zohar
2017-07-26 13:22 ` Mimi Zohar
2017-08-22 9:24 ` [Linux-ima-devel] " Dmitry Kasatkin
2017-08-22 9:24 ` Dmitry Kasatkin
2017-07-26 13:22 ` [PATCH v4 2/5] ima: use fs method to read integrity data Mimi Zohar
2017-07-26 13:22 ` Mimi Zohar
2017-07-31 7:01 ` Jan Kara
2017-07-31 7:01 ` Jan Kara
2017-07-31 19:08 ` Mimi Zohar
2017-07-31 19:08 ` Mimi Zohar
2017-08-01 10:42 ` Jan Kara
2017-08-01 10:42 ` Jan Kara
2017-08-01 15:38 ` Mimi Zohar
2017-08-01 15:38 ` Mimi Zohar
2017-08-01 20:24 ` [PATCH v4 2/5] ima: use fs method to read integrity data [updated] Mimi Zohar
2017-08-01 20:24 ` Mimi Zohar
2017-08-02 8:01 ` Jan Kara
2017-08-02 8:01 ` Jan Kara
2017-08-02 17:11 ` Mimi Zohar
2017-08-02 17:11 ` Mimi Zohar
2017-08-03 10:56 ` Jan Kara
2017-08-03 10:56 ` Jan Kara
2017-08-04 21:07 ` Mimi Zohar
2017-08-04 21:07 ` Mimi Zohar
2017-08-07 10:04 ` Jan Kara
2017-08-07 10:04 ` Jan Kara
2017-08-07 20:12 ` Mimi Zohar
2017-08-07 20:12 ` Mimi Zohar
2017-08-08 11:17 ` Jan Kara
2017-08-08 11:17 ` Jan Kara
2017-08-22 9:59 ` [PATCH v4 2/5] ima: use fs method to read integrity data Dmitry Kasatkin
2017-08-22 9:59 ` Dmitry Kasatkin
2017-07-26 13:22 ` [PATCH v4 3/5] ima: define "dont_failsafe" policy action rule Mimi Zohar
2017-07-26 13:22 ` Mimi Zohar
2017-08-22 9:34 ` Dmitry Kasatkin [this message]
2017-08-22 9:34 ` [Linux-ima-devel] " Dmitry Kasatkin
2017-08-22 9:39 ` Dmitry Kasatkin
2017-08-22 9:39 ` Dmitry Kasatkin
2017-07-26 13:22 ` [PATCH v4 4/5] ima: define "fs_unsafe" builtin policy Mimi Zohar
2017-07-26 13:22 ` Mimi Zohar
2017-08-22 9:36 ` [Linux-ima-devel] " Dmitry Kasatkin
2017-08-22 9:36 ` Dmitry Kasatkin
2017-07-26 13:22 ` [PATCH v4 5/5] ima: remove permit_directio policy option Mimi Zohar
2017-07-26 13:22 ` Mimi Zohar
2017-08-22 9:27 ` [Linux-ima-devel] " Dmitry Kasatkin
2017-08-22 9:27 ` Dmitry Kasatkin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CACE9dm_LW+-BsTdTiUd3wA+ToeZZh5tQaW3qObY=urYWyTgAxA@mail.gmail.com' \
--to=dmitry.kasatkin@gmail.com \
--cc=hch@lst.de \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-ima-devel@lists.sourceforge.net \
--cc=linux-security-module@vger.kernel.org \
--cc=viro@zeniv.linux.org.uk \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.