From: Dmitry Kasatkin <dmitry.kasatkin@gmail.com> To: Mimi Zohar <zohar@linux.vnet.ibm.com> Cc: Christoph Hellwig <hch@lst.de>, Al Viro <viro@zeniv.linux.org.uk>, linux-fsdevel@vger.kernel.org, linux-ima-devel <linux-ima-devel@lists.sourceforge.net>, linux-security-module <linux-security-module@vger.kernel.org> Subject: Re: [Linux-ima-devel] [PATCH v4 3/5] ima: define "dont_failsafe" policy action rule Date: Tue, 22 Aug 2017 12:34:31 +0300 [thread overview] Message-ID: <CACE9dm_LW+-BsTdTiUd3wA+ToeZZh5tQaW3qObY=urYWyTgAxA@mail.gmail.com> (raw) In-Reply-To: <1501075375-29469-4-git-send-email-zohar@linux.vnet.ibm.com> On Wed, Jul 26, 2017 at 4:22 PM, Mimi Zohar <zohar@linux.vnet.ibm.com> wrote: > Permit normally denied access/execute permission for files in policy > on IMA unsupported filesystems. This patch defines the "dont_failsafe" > policy action rule. > > Mimi Zohar <zohar@linux.vnet.ibm.com> > > --- > Changelog v3: > - include dont_failsafe rule when displaying policy > - fail attempt to add dont_failsafe rule when appending to the policy > > Documentation/ABI/testing/ima_policy | 3 ++- > security/integrity/ima/ima.h | 1 + > security/integrity/ima/ima_main.c | 11 ++++++++++- > security/integrity/ima/ima_policy.c | 29 ++++++++++++++++++++++++++++- > 4 files changed, 41 insertions(+), 3 deletions(-) > > diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy > index e76432b9954d..f271207743e5 100644 > --- a/Documentation/ABI/testing/ima_policy > +++ b/Documentation/ABI/testing/ima_policy > @@ -17,7 +17,8 @@ Description: > > rule format: action [condition ...] > > - action: measure | dont_measure | appraise | dont_appraise | audit > + action: measure | dont_meaure | appraise | dont_appraise | > + audit | dont_failsafe > condition:= base | lsm [option] > base: [[func=] [mask=] [fsmagic=] [fsuuid=] [uid=] > [euid=] [fowner=]] > diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h > index d52b487ad259..c5f34f7c5b0f 100644 > --- a/security/integrity/ima/ima.h > +++ b/security/integrity/ima/ima.h > @@ -224,6 +224,7 @@ void *ima_policy_start(struct seq_file *m, loff_t *pos); > void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos); > void ima_policy_stop(struct seq_file *m, void *v); > int ima_policy_show(struct seq_file *m, void *v); > +void set_failsafe(bool flag); > > /* Appraise integrity measurements */ > #define IMA_APPRAISE_ENFORCE 0x01 > diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c > index 3941371402ff..664edab0f758 100644 > --- a/security/integrity/ima/ima_main.c > +++ b/security/integrity/ima/ima_main.c > @@ -38,6 +38,11 @@ int ima_appraise; > int ima_hash_algo = HASH_ALGO_SHA1; > static int hash_setup_done; > > +static bool ima_failsafe = 1; > +void set_failsafe(bool flag) { > + ima_failsafe = flag; > +} > + > static int __init hash_setup(char *str) > { > struct ima_template_desc *template_desc = ima_template_desc_current(); > @@ -263,8 +268,12 @@ static int process_measurement(struct file *file, char *buf, loff_t size, > __putname(pathbuf); > out: > inode_unlock(inode); > - if ((rc && must_appraise) && (ima_appraise & IMA_APPRAISE_ENFORCE)) > + if ((rc && must_appraise) && (ima_appraise & IMA_APPRAISE_ENFORCE)) { > + if (!ima_failsafe && rc == -EBADF) > + return 0; > + By default IMA is failsaif. ima_failsafe is true. Return 0 is needed in failsafe mode. right? But in this logic it will happen if ima_failsafe is false. meaning it is not failsafe. Is it a typo? > return -EACCES; > + } > return 0; > } > > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c > index 95209a5f8595..43b85a4fb8e8 100644 > --- a/security/integrity/ima/ima_policy.c > +++ b/security/integrity/ima/ima_policy.c > @@ -40,12 +40,14 @@ > #define APPRAISE 0x0004 /* same as IMA_APPRAISE */ > #define DONT_APPRAISE 0x0008 > #define AUDIT 0x0040 > +#define DONT_FAILSAFE 0x0400 > > #define INVALID_PCR(a) (((a) < 0) || \ > (a) >= (FIELD_SIZEOF(struct integrity_iint_cache, measured_pcrs) * 8)) > > int ima_policy_flag; > static int temp_ima_appraise; > +static bool temp_failsafe = 1; > > #define MAX_LSM_RULES 6 > enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE, > @@ -513,6 +515,9 @@ void ima_update_policy(void) > if (ima_rules != policy) { > ima_policy_flag = 0; > ima_rules = policy; > + > + /* Only update on initial policy replacement, not append */ > + set_failsafe(temp_failsafe); > } > ima_update_policy_flag(); > } > @@ -529,7 +534,7 @@ enum { > Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt, > Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt, > Opt_appraise_type, Opt_permit_directio, > - Opt_pcr > + Opt_pcr, Opt_dont_failsafe > }; > > static match_table_t policy_tokens = { > @@ -560,6 +565,7 @@ static match_table_t policy_tokens = { > {Opt_appraise_type, "appraise_type=%s"}, > {Opt_permit_directio, "permit_directio"}, > {Opt_pcr, "pcr=%s"}, > + {Opt_dont_failsafe, "dont_failsafe"}, > {Opt_err, NULL} > }; > > @@ -630,6 +636,11 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) > if ((*p == '\0') || (*p == ' ') || (*p == '\t')) > continue; > token = match_token(p, policy_tokens, args); > + if (entry->action == DONT_FAILSAFE) { > + /* no args permitted, force invalid rule */ > + token = Opt_dont_failsafe; > + } > + > switch (token) { > case Opt_measure: > ima_log_string(ab, "action", "measure"); > @@ -671,6 +682,19 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) > > entry->action = AUDIT; > break; > + case Opt_dont_failsafe: > + ima_log_string(ab, "action", "dont_failsafe"); > + > + if (entry->action != UNKNOWN) > + result = -EINVAL; > + > + /* Permit on initial policy replacement only */ > + if (ima_rules != &ima_policy_rules) > + temp_failsafe = 0; > + else > + result = -EINVAL; > + entry->action = DONT_FAILSAFE; > + break; > case Opt_func: > ima_log_string(ab, "func", args[0].from); > > @@ -949,6 +973,7 @@ void ima_delete_rules(void) > int i; > > temp_ima_appraise = 0; > + temp_failsafe = 1; > list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) { > for (i = 0; i < MAX_LSM_RULES; i++) > kfree(entry->lsm[i].args_p); > @@ -1040,6 +1065,8 @@ int ima_policy_show(struct seq_file *m, void *v) > seq_puts(m, pt(Opt_dont_appraise)); > if (entry->action & AUDIT) > seq_puts(m, pt(Opt_audit)); > + if (entry->action & DONT_FAILSAFE) > + seq_puts(m, pt(Opt_dont_failsafe)); > > seq_puts(m, " "); > > -- > 2.7.4 > > > ------------------------------------------------------------------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > Linux-ima-devel mailing list > Linux-ima-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/linux-ima-devel -- Thanks, Dmitry
WARNING: multiple messages have this Message-ID (diff)
From: dmitry.kasatkin@gmail.com (Dmitry Kasatkin) To: linux-security-module@vger.kernel.org Subject: [Linux-ima-devel] [PATCH v4 3/5] ima: define "dont_failsafe" policy action rule Date: Tue, 22 Aug 2017 12:34:31 +0300 [thread overview] Message-ID: <CACE9dm_LW+-BsTdTiUd3wA+ToeZZh5tQaW3qObY=urYWyTgAxA@mail.gmail.com> (raw) In-Reply-To: <1501075375-29469-4-git-send-email-zohar@linux.vnet.ibm.com> On Wed, Jul 26, 2017 at 4:22 PM, Mimi Zohar <zohar@linux.vnet.ibm.com> wrote: > Permit normally denied access/execute permission for files in policy > on IMA unsupported filesystems. This patch defines the "dont_failsafe" > policy action rule. > > Mimi Zohar <zohar@linux.vnet.ibm.com> > > --- > Changelog v3: > - include dont_failsafe rule when displaying policy > - fail attempt to add dont_failsafe rule when appending to the policy > > Documentation/ABI/testing/ima_policy | 3 ++- > security/integrity/ima/ima.h | 1 + > security/integrity/ima/ima_main.c | 11 ++++++++++- > security/integrity/ima/ima_policy.c | 29 ++++++++++++++++++++++++++++- > 4 files changed, 41 insertions(+), 3 deletions(-) > > diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy > index e76432b9954d..f271207743e5 100644 > --- a/Documentation/ABI/testing/ima_policy > +++ b/Documentation/ABI/testing/ima_policy > @@ -17,7 +17,8 @@ Description: > > rule format: action [condition ...] > > - action: measure | dont_measure | appraise | dont_appraise | audit > + action: measure | dont_meaure | appraise | dont_appraise | > + audit | dont_failsafe > condition:= base | lsm [option] > base: [[func=] [mask=] [fsmagic=] [fsuuid=] [uid=] > [euid=] [fowner=]] > diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h > index d52b487ad259..c5f34f7c5b0f 100644 > --- a/security/integrity/ima/ima.h > +++ b/security/integrity/ima/ima.h > @@ -224,6 +224,7 @@ void *ima_policy_start(struct seq_file *m, loff_t *pos); > void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos); > void ima_policy_stop(struct seq_file *m, void *v); > int ima_policy_show(struct seq_file *m, void *v); > +void set_failsafe(bool flag); > > /* Appraise integrity measurements */ > #define IMA_APPRAISE_ENFORCE 0x01 > diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c > index 3941371402ff..664edab0f758 100644 > --- a/security/integrity/ima/ima_main.c > +++ b/security/integrity/ima/ima_main.c > @@ -38,6 +38,11 @@ int ima_appraise; > int ima_hash_algo = HASH_ALGO_SHA1; > static int hash_setup_done; > > +static bool ima_failsafe = 1; > +void set_failsafe(bool flag) { > + ima_failsafe = flag; > +} > + > static int __init hash_setup(char *str) > { > struct ima_template_desc *template_desc = ima_template_desc_current(); > @@ -263,8 +268,12 @@ static int process_measurement(struct file *file, char *buf, loff_t size, > __putname(pathbuf); > out: > inode_unlock(inode); > - if ((rc && must_appraise) && (ima_appraise & IMA_APPRAISE_ENFORCE)) > + if ((rc && must_appraise) && (ima_appraise & IMA_APPRAISE_ENFORCE)) { > + if (!ima_failsafe && rc == -EBADF) > + return 0; > + By default IMA is failsaif. ima_failsafe is true. Return 0 is needed in failsafe mode. right? But in this logic it will happen if ima_failsafe is false. meaning it is not failsafe. Is it a typo? > return -EACCES; > + } > return 0; > } > > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c > index 95209a5f8595..43b85a4fb8e8 100644 > --- a/security/integrity/ima/ima_policy.c > +++ b/security/integrity/ima/ima_policy.c > @@ -40,12 +40,14 @@ > #define APPRAISE 0x0004 /* same as IMA_APPRAISE */ > #define DONT_APPRAISE 0x0008 > #define AUDIT 0x0040 > +#define DONT_FAILSAFE 0x0400 > > #define INVALID_PCR(a) (((a) < 0) || \ > (a) >= (FIELD_SIZEOF(struct integrity_iint_cache, measured_pcrs) * 8)) > > int ima_policy_flag; > static int temp_ima_appraise; > +static bool temp_failsafe = 1; > > #define MAX_LSM_RULES 6 > enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE, > @@ -513,6 +515,9 @@ void ima_update_policy(void) > if (ima_rules != policy) { > ima_policy_flag = 0; > ima_rules = policy; > + > + /* Only update on initial policy replacement, not append */ > + set_failsafe(temp_failsafe); > } > ima_update_policy_flag(); > } > @@ -529,7 +534,7 @@ enum { > Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt, > Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt, > Opt_appraise_type, Opt_permit_directio, > - Opt_pcr > + Opt_pcr, Opt_dont_failsafe > }; > > static match_table_t policy_tokens = { > @@ -560,6 +565,7 @@ static match_table_t policy_tokens = { > {Opt_appraise_type, "appraise_type=%s"}, > {Opt_permit_directio, "permit_directio"}, > {Opt_pcr, "pcr=%s"}, > + {Opt_dont_failsafe, "dont_failsafe"}, > {Opt_err, NULL} > }; > > @@ -630,6 +636,11 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) > if ((*p == '\0') || (*p == ' ') || (*p == '\t')) > continue; > token = match_token(p, policy_tokens, args); > + if (entry->action == DONT_FAILSAFE) { > + /* no args permitted, force invalid rule */ > + token = Opt_dont_failsafe; > + } > + > switch (token) { > case Opt_measure: > ima_log_string(ab, "action", "measure"); > @@ -671,6 +682,19 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) > > entry->action = AUDIT; > break; > + case Opt_dont_failsafe: > + ima_log_string(ab, "action", "dont_failsafe"); > + > + if (entry->action != UNKNOWN) > + result = -EINVAL; > + > + /* Permit on initial policy replacement only */ > + if (ima_rules != &ima_policy_rules) > + temp_failsafe = 0; > + else > + result = -EINVAL; > + entry->action = DONT_FAILSAFE; > + break; > case Opt_func: > ima_log_string(ab, "func", args[0].from); > > @@ -949,6 +973,7 @@ void ima_delete_rules(void) > int i; > > temp_ima_appraise = 0; > + temp_failsafe = 1; > list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) { > for (i = 0; i < MAX_LSM_RULES; i++) > kfree(entry->lsm[i].args_p); > @@ -1040,6 +1065,8 @@ int ima_policy_show(struct seq_file *m, void *v) > seq_puts(m, pt(Opt_dont_appraise)); > if (entry->action & AUDIT) > seq_puts(m, pt(Opt_audit)); > + if (entry->action & DONT_FAILSAFE) > + seq_puts(m, pt(Opt_dont_failsafe)); > > seq_puts(m, " "); > > -- > 2.7.4 > > > ------------------------------------------------------------------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > Linux-ima-devel mailing list > Linux-ima-devel at lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/linux-ima-devel -- Thanks, Dmitry -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2017-08-22 9:34 UTC|newest] Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top 2017-07-26 13:22 [PATCH v4 0/5] define new fs integrity_read method Mimi Zohar 2017-07-26 13:22 ` Mimi Zohar 2017-07-26 13:22 ` [PATCH v4 1/5] ima: always measure and audit files in policy Mimi Zohar 2017-07-26 13:22 ` Mimi Zohar 2017-08-22 9:24 ` [Linux-ima-devel] " Dmitry Kasatkin 2017-08-22 9:24 ` Dmitry Kasatkin 2017-07-26 13:22 ` [PATCH v4 2/5] ima: use fs method to read integrity data Mimi Zohar 2017-07-26 13:22 ` Mimi Zohar 2017-07-31 7:01 ` Jan Kara 2017-07-31 7:01 ` Jan Kara 2017-07-31 19:08 ` Mimi Zohar 2017-07-31 19:08 ` Mimi Zohar 2017-08-01 10:42 ` Jan Kara 2017-08-01 10:42 ` Jan Kara 2017-08-01 15:38 ` Mimi Zohar 2017-08-01 15:38 ` Mimi Zohar 2017-08-01 20:24 ` [PATCH v4 2/5] ima: use fs method to read integrity data [updated] Mimi Zohar 2017-08-01 20:24 ` Mimi Zohar 2017-08-02 8:01 ` Jan Kara 2017-08-02 8:01 ` Jan Kara 2017-08-02 17:11 ` Mimi Zohar 2017-08-02 17:11 ` Mimi Zohar 2017-08-03 10:56 ` Jan Kara 2017-08-03 10:56 ` Jan Kara 2017-08-04 21:07 ` Mimi Zohar 2017-08-04 21:07 ` Mimi Zohar 2017-08-07 10:04 ` Jan Kara 2017-08-07 10:04 ` Jan Kara 2017-08-07 20:12 ` Mimi Zohar 2017-08-07 20:12 ` Mimi Zohar 2017-08-08 11:17 ` Jan Kara 2017-08-08 11:17 ` Jan Kara 2017-08-22 9:59 ` [PATCH v4 2/5] ima: use fs method to read integrity data Dmitry Kasatkin 2017-08-22 9:59 ` Dmitry Kasatkin 2017-07-26 13:22 ` [PATCH v4 3/5] ima: define "dont_failsafe" policy action rule Mimi Zohar 2017-07-26 13:22 ` Mimi Zohar 2017-08-22 9:34 ` Dmitry Kasatkin [this message] 2017-08-22 9:34 ` [Linux-ima-devel] " Dmitry Kasatkin 2017-08-22 9:39 ` Dmitry Kasatkin 2017-08-22 9:39 ` Dmitry Kasatkin 2017-07-26 13:22 ` [PATCH v4 4/5] ima: define "fs_unsafe" builtin policy Mimi Zohar 2017-07-26 13:22 ` Mimi Zohar 2017-08-22 9:36 ` [Linux-ima-devel] " Dmitry Kasatkin 2017-08-22 9:36 ` Dmitry Kasatkin 2017-07-26 13:22 ` [PATCH v4 5/5] ima: remove permit_directio policy option Mimi Zohar 2017-07-26 13:22 ` Mimi Zohar 2017-08-22 9:27 ` [Linux-ima-devel] " Dmitry Kasatkin 2017-08-22 9:27 ` Dmitry Kasatkin
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to='CACE9dm_LW+-BsTdTiUd3wA+ToeZZh5tQaW3qObY=urYWyTgAxA@mail.gmail.com' \ --to=dmitry.kasatkin@gmail.com \ --cc=hch@lst.de \ --cc=linux-fsdevel@vger.kernel.org \ --cc=linux-ima-devel@lists.sourceforge.net \ --cc=linux-security-module@vger.kernel.org \ --cc=viro@zeniv.linux.org.uk \ --cc=zohar@linux.vnet.ibm.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.