From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-oi0-f68.google.com ([209.85.218.68]:36162 "EHLO mail-oi0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932322AbdHVJed (ORCPT ); Tue, 22 Aug 2017 05:34:33 -0400 MIME-Version: 1.0 In-Reply-To: <1501075375-29469-4-git-send-email-zohar@linux.vnet.ibm.com> References: <1501075375-29469-1-git-send-email-zohar@linux.vnet.ibm.com> <1501075375-29469-4-git-send-email-zohar@linux.vnet.ibm.com> From: Dmitry Kasatkin Date: Tue, 22 Aug 2017 12:34:31 +0300 Message-ID: Subject: Re: [Linux-ima-devel] [PATCH v4 3/5] ima: define "dont_failsafe" policy action rule To: Mimi Zohar Cc: Christoph Hellwig , Al Viro , linux-fsdevel@vger.kernel.org, linux-ima-devel , linux-security-module Content-Type: text/plain; charset="UTF-8" Sender: linux-fsdevel-owner@vger.kernel.org List-ID: On Wed, Jul 26, 2017 at 4:22 PM, Mimi Zohar wrote:
> Permit normally denied access/execute permission for files in policy
> on IMA unsupported filesystems. This patch defines the "dont_failsafe"
> policy action rule.
>
> Mimi Zohar
>
> ---
> Changelog v3:
> - include dont_failsafe rule when displaying policy
> - fail attempt to add dont_failsafe rule when appending to the policy
>
> Documentation/ABI/testing/ima_policy | 3 ++-
> security/integrity/ima/ima.h | 1 +
> security/integrity/ima/ima_main.c | 11 ++++++++++-
> security/integrity/ima/ima_policy.c | 29 ++++++++++++++++++++++++++++-
> 4 files changed, 41 insertions(+), 3 deletions(-)
>
> diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
> index e76432b9954d..f271207743e5 100644
> --- a/Documentation/ABI/testing/ima_policy
> +++ b/Documentation/ABI/testing/ima_policy
> @@ -17,7 +17,8 @@ Description:
>
> rule format: action [condition ...]
>
> - action: measure | dont_measure | appraise | dont_appraise | audit
> + action: measure | dont_meaure | appraise | dont_appraise |
> + audit | dont_failsafe
> condition:= base | lsm [option]
> base: [[func=] [mask=] [fsmagic=] [fsuuid=] [uid=]
> [euid=] [fowner=]]
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index d52b487ad259..c5f34f7c5b0f 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -224,6 +224,7 @@ void *ima_policy_start(struct seq_file *m, loff_t *pos);
> void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos);
> void ima_policy_stop(struct seq_file *m, void *v);
> int ima_policy_show(struct seq_file *m, void *v);
> +void set_failsafe(bool flag);
>
> /* Appraise integrity measurements */
> #define IMA_APPRAISE_ENFORCE 0x01
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index 3941371402ff..664edab0f758 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -38,6 +38,11 @@ int ima_appraise;
> int ima_hash_algo = HASH_ALGO_SHA1;
> static int hash_setup_done;
>
> +static bool ima_failsafe = 1;
> +void set_failsafe(bool flag) {
> + ima_failsafe = flag;
> +}
> +
> static int __init hash_setup(char *str)
> {
> struct ima_template_desc *template_desc = ima_template_desc_current();
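Review bot: `set_failsafe()` is the only declaration in this header block without the `ima_` prefix, and it is a non-static global defined in ima_main.c (next hunk), so a generic name lands in the kernel-wide namespace; rename declaration and definition to `void ima_set_failsafe(bool flag);`. The declaration also carries no comment on when it may be called, while the ima_update_policy() hunk shows it is invoked only on a full policy replacement; a one-line `/* called by ima_update_policy() on initial policy replacement only, never on append */` above it would capture that. Unrelated to this hunk but in the same patch, the ABI doc hunk above rewrites the existing action list as `dont_meaure`; that should stay `dont_measure`.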
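Review bot: The new definition `void set_failsafe(bool flag) {` puts the opening brace on the signature line, unlike `hash_setup()` directly below it, and `static bool ima_failsafe = 1;` initialises a `bool` with an integer; kernel style wants the brace on its own line and `static bool ima_failsafe = true;`. The same integer-for-bool pattern appears as `static bool temp_failsafe = 1;`, `temp_failsafe = 0;` and `temp_failsafe = 1;` in the ima_policy.c hunks that follow. A comment above `ima_failsafe` stating what it controls would help, e.g. `/* when true, process_measurement() keeps returning -EACCES for an -EBADF appraisal result in enforce mode */`, which is what the process_measurement() hunk literally does.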
> @@ -263,8 +268,12 @@ static int process_measurement(struct file *file, char *buf, loff_t size,
> __putname(pathbuf);
> out:
> inode_unlock(inode);
> - if ((rc && must_appraise) && (ima_appraise & IMA_APPRAISE_ENFORCE))
> + if ((rc && must_appraise) && (ima_appraise & IMA_APPRAISE_ENFORCE)) {
> + if (!ima_failsafe && rc == -EBADF)
> + return 0;
> +
By default IMA is failsaif. ima_failsafe is true. Return 0 is needed in failsafe mode. right? But in this logic it will happen if ima_failsafe is false. meaning it is not failsafe. Is it a typo?
> return -EACCES;
> + }
> return 0;
> }
>
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 95209a5f8595..43b85a4fb8e8 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -40,12 +40,14 @@
> #define APPRAISE 0x0004 /* same as IMA_APPRAISE */
> #define DONT_APPRAISE 0x0008
> #define AUDIT 0x0040
> +#define DONT_FAILSAFE 0x0400
>
> #define INVALID_PCR(a) (((a) < 0) || \
> (a) >= (FIELD_SIZEOF(struct integrity_iint_cache, measured_pcrs) * 8))
>
> int ima_policy_flag;
> static int temp_ima_appraise;
> +static bool temp_failsafe = 1;
>
> #define MAX_LSM_RULES 6
> enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE,
> @@ -513,6 +515,9 @@ void ima_update_policy(void)
> if (ima_rules != policy) {
> ima_policy_flag = 0;
> ima_rules = policy;
> +
> + /* Only update on initial policy replacement, not append */
> + set_failsafe(temp_failsafe);
> }
> ima_update_policy_flag();
> }
> @@ -529,7 +534,7 @@ enum {
> Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt,
> Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt,
> Opt_appraise_type, Opt_permit_directio,
> - Opt_pcr
> + Opt_pcr, Opt_dont_failsafe
> };
>
> static match_table_t policy_tokens = {
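Review bot: The added `return 0;` for `rc == -EBADF` lets an access through that enforce mode would otherwise reject with `-EACCES`, and nothing records that the failsafe was bypassed, so an operator auditing the host cannot tell which files were permitted via this path. An audit record before the `return 0;` — for example through the existing `integrity_audit_msg()` helper, naming the file and a cause such as "dont_failsafe" — would make the bypass observable in the same log stream as the denials it replaces. The rest of process_measurement(), including where `rc` receives `-EBADF`, is outside the hunk, so this note assumes `-EBADF` is the unsupported-filesystem result the commit message describes.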
> @@ -560,6 +565,7 @@ static match_table_t policy_tokens = {
> {Opt_appraise_type, "appraise_type=%s"},
> {Opt_permit_directio, "permit_directio"},
> {Opt_pcr, "pcr=%s"},
> + {Opt_dont_failsafe, "dont_failsafe"},
> {Opt_err, NULL}
> };
>
> @@ -630,6 +636,11 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
> if ((*p == '\0') || (*p == ' ') || (*p == '\t'))
> continue;
> token = match_token(p, policy_tokens, args);
> + if (entry->action == DONT_FAILSAFE) {
> + /* no args permitted, force invalid rule */
> + token = Opt_dont_failsafe;
> + }
> +
> switch (token) {
> case Opt_measure:
> ima_log_string(ab, "action", "measure");
> @@ -671,6 +682,19 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
>
> entry->action = AUDIT;
> break;
> + case Opt_dont_failsafe:
> + ima_log_string(ab, "action", "dont_failsafe");
> +
> + if (entry->action != UNKNOWN)
> + result = -EINVAL;
> +
> + /* Permit on initial policy replacement only */
> + if (ima_rules != &ima_policy_rules)
> + temp_failsafe = 0;
> + else
> + result = -EINVAL;
> + entry->action = DONT_FAILSAFE;
> + break;
> case Opt_func:
> ima_log_string(ab, "func", args[0].from);
>
> @@ -949,6 +973,7 @@ void ima_delete_rules(void)
> int i;
>
> temp_ima_appraise = 0;
> + temp_failsafe = 1;
> list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) {
> for (i = 0; i < MAX_LSM_RULES; i++)
> kfree(entry->lsm[i].args_p);
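Review bot: The comment `/* no args permitted, force invalid rule */` on the forced-token block does not say how the forcing produces a rejection; that only becomes clear in the `Opt_dont_failsafe` case of the next hunk, which relies on `entry->action != UNKNOWN` being true the second time the case runs. Spell the mechanism out where it starts: `/* a dont_failsafe rule takes no conditions: route every later token to Opt_dont_failsafe, whose handler rejects it because the action is already set */`. ima_parse_rule() begins and ends outside the hunk.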
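Review bot: `temp_failsafe = 0;` runs even when the rule is being rejected: the `result = -EINVAL` from the `entry->action != UNKNOWN` check does not skip the following `if (ima_rules != &ima_policy_rules)` branch, so a rule that pairs `dont_failsafe` with another action, or that carries conditions (rejected through the forced token in the previous hunk), still clears the pending flag. Whether that is later undone depends on the caller reaching ima_delete_rules(), which resets the flag in a later hunk, and that error path is outside this patch; the pending state should only change once the rule is known to be valid: `if (entry->action != UNKNOWN || ima_rules == &ima_policy_rules)`, `result = -EINVAL;`, `else temp_failsafe = 0;`. The rest of ima_parse_rule(), including how `result` ends the token loop, is outside the hunk.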
> @@ -1040,6 +1065,8 @@ int ima_policy_show(struct seq_file *m, void *v)
> seq_puts(m, pt(Opt_dont_appraise));
> if (entry->action & AUDIT)
> seq_puts(m, pt(Opt_audit));
> + if (entry->action & DONT_FAILSAFE)
> + seq_puts(m, pt(Opt_dont_failsafe));
>
> seq_puts(m, " ");
>
> --
> 2.7.4
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Linux-ima-devel mailing list
> Linux-ima-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/linux-ima-devel
-- Thanks, Dmitry
From mboxrd@z Thu Jan 1 00:00:00 1970 From: dmitry.kasatkin@gmail.com (Dmitry Kasatkin) Date: Tue, 22 Aug 2017 12:34:31 +0300 Subject: [Linux-ima-devel] [PATCH v4 3/5] ima: define "dont_failsafe" policy action rule In-Reply-To: <1501075375-29469-4-git-send-email-zohar@linux.vnet.ibm.com> References: <1501075375-29469-1-git-send-email-zohar@linux.vnet.ibm.com> <1501075375-29469-4-git-send-email-zohar@linux.vnet.ibm.com> Message-ID: To: linux-security-module@vger.kernel.org List-Id: linux-security-module.vger.kernel.org On Wed, Jul 26, 2017 at 4:22 PM, Mimi Zohar wrote:
> Permit normally denied access/execute permission for files in policy
> on IMA unsupported filesystems. This patch defines the "dont_failsafe"
> policy action rule.
>
> Mimi Zohar
>
> ---
> Changelog v3:
> - include dont_failsafe rule when displaying policy
> - fail attempt to add dont_failsafe rule when appending to the policy
>
> Documentation/ABI/testing/ima_policy | 3 ++-
> security/integrity/ima/ima.h | 1 +
> security/integrity/ima/ima_main.c | 11 ++++++++++-
> security/integrity/ima/ima_policy.c | 29 ++++++++++++++++++++++++++++-
> 4 files changed, 41 insertions(+), 3 deletions(-)
>
> diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
> index e76432b9954d..f271207743e5 100644
> --- a/Documentation/ABI/testing/ima_policy
> +++ b/Documentation/ABI/testing/ima_policy
> @@ -17,7 +17,8 @@ Description:
>
> rule format: action [condition ...]
>
> - action: measure | dont_measure | appraise | dont_appraise | audit
> + action: measure | dont_meaure | appraise | dont_appraise |
> + audit | dont_failsafe
> condition:= base | lsm [option]
> base: [[func=] [mask=] [fsmagic=] [fsuuid=] [uid=]
> [euid=] [fowner=]]
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index d52b487ad259..c5f34f7c5b0f 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -224,6 +224,7 @@ void *ima_policy_start(struct seq_file *m, loff_t *pos);
> void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos);
> void ima_policy_stop(struct seq_file *m, void *v);
> int ima_policy_show(struct seq_file *m, void *v);
> +void set_failsafe(bool flag);
>
> /* Appraise integrity measurements */
> #define IMA_APPRAISE_ENFORCE 0x01
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index 3941371402ff..664edab0f758 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -38,6 +38,11 @@ int ima_appraise;
> int ima_hash_algo = HASH_ALGO_SHA1;
> static int hash_setup_done;
>
> +static bool ima_failsafe = 1;
> +void set_failsafe(bool flag) {
> + ima_failsafe = flag;
> +}
> +
> static int __init hash_setup(char *str)
> {
> struct ima_template_desc *template_desc = ima_template_desc_current();
> @@ -263,8 +268,12 @@ static int process_measurement(struct file *file, char *buf, loff_t size,
> __putname(pathbuf);
> out:
> inode_unlock(inode);
> - if ((rc && must_appraise) && (ima_appraise & IMA_APPRAISE_ENFORCE))
> + if ((rc && must_appraise) && (ima_appraise & IMA_APPRAISE_ENFORCE)) {
> + if (!ima_failsafe && rc == -EBADF)
> + return 0;
> +
By default IMA is failsaif. ima_failsafe is true. Return 0 is needed in failsafe mode. right? But in this logic it will happen if ima_failsafe is false. meaning it is not failsafe. Is it a typo?
> return -EACCES;
> + }
> return 0;
> }
>
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 95209a5f8595..43b85a4fb8e8 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -40,12 +40,14 @@
> #define APPRAISE 0x0004 /* same as IMA_APPRAISE */
> #define DONT_APPRAISE 0x0008
> #define AUDIT 0x0040
> +#define DONT_FAILSAFE 0x0400
>
> #define INVALID_PCR(a) (((a) < 0) || \
> (a) >= (FIELD_SIZEOF(struct integrity_iint_cache, measured_pcrs) * 8))
>
> int ima_policy_flag;
> static int temp_ima_appraise;
> +static bool temp_failsafe = 1;
>
> #define MAX_LSM_RULES 6
> enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE,
> @@ -513,6 +515,9 @@ void ima_update_policy(void)
> if (ima_rules != policy) {
> ima_policy_flag = 0;
> ima_rules = policy;
> +
> + /* Only update on initial policy replacement, not append */
> + set_failsafe(temp_failsafe);
> }
> ima_update_policy_flag();
> }
> @@ -529,7 +534,7 @@ enum {
> Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt,
> Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt,
> Opt_appraise_type, Opt_permit_directio,
> - Opt_pcr
> + Opt_pcr, Opt_dont_failsafe
> };
>
> static match_table_t policy_tokens = {
> @@ -560,6 +565,7 @@ static match_table_t policy_tokens = {
> {Opt_appraise_type, "appraise_type=%s"},
> {Opt_permit_directio, "permit_directio"},
> {Opt_pcr, "pcr=%s"},
> + {Opt_dont_failsafe, "dont_failsafe"},
> {Opt_err, NULL}
> };
>
> @@ -630,6 +636,11 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
> if ((*p == '\0') || (*p == ' ') || (*p == '\t'))
> continue;
> token = match_token(p, policy_tokens, args);
> + if (entry->action == DONT_FAILSAFE) {
> + /* no args permitted, force invalid rule */
> + token = Opt_dont_failsafe;
> + }
> +
> switch (token) {
> case Opt_measure:
> ima_log_string(ab, "action", "measure");
> @@ -671,6 +682,19 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
>
> entry->action = AUDIT;
> break;
> + case Opt_dont_failsafe:
> + ima_log_string(ab, "action", "dont_failsafe");
> +
> + if (entry->action != UNKNOWN)
> + result = -EINVAL;
> +
> + /* Permit on initial policy replacement only */
> + if (ima_rules != &ima_policy_rules)
> + temp_failsafe = 0;
> + else
> + result = -EINVAL;
> + entry->action = DONT_FAILSAFE;
> + break;
> case Opt_func:
> ima_log_string(ab, "func", args[0].from);
>
> @@ -949,6 +973,7 @@ void ima_delete_rules(void)
> int i;
>
> temp_ima_appraise = 0;
> + temp_failsafe = 1;
> list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) {
> for (i = 0; i < MAX_LSM_RULES; i++)
> kfree(entry->lsm[i].args_p);
> @@ -1040,6 +1065,8 @@ int ima_policy_show(struct seq_file *m, void *v)
> seq_puts(m, pt(Opt_dont_appraise));
> if (entry->action & AUDIT)
> seq_puts(m, pt(Opt_audit));
> + if (entry->action & DONT_FAILSAFE)
> + seq_puts(m, pt(Opt_dont_failsafe));
>
> seq_puts(m, " ");
>
> --
> 2.7.4
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Linux-ima-devel mailing list
> Linux-ima-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/linux-ima-devel
-- Thanks, Dmitry -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html