From: Igor Stoppa <igor.stoppa@gmail.com>
To: unlisted-recipients:; (no To-header on input)
Cc: Igor Stoppa <igor.stoppa@huawei.com>, Andy Lutomirski <luto@amacapital.net>, Nadav Amit <nadav.amit@gmail.com>, Matthew Wilcox <willy@infradead.org>, Peter Zijlstra <peterz@infradead.org>, Kees Cook <keescook@chromium.org>, Dave Hansen <dave.hansen@linux.intel.com>, Mimi Zohar <zohar@linux.vnet.ibm.com>, Thiago Jung Bauermann <bauerman@linux.ibm.com>, Ahmed Soliman <ahmedsoliman@mena.vt.edu>, linux-integrity@vger.kernel.org, kernel-hardening@lists.openwall.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org
Subject: [RFC PATCH v5 12/12] IMA: turn ima_policy_flags into __wr_after_init
Date: Thu, 14 Feb 2019 00:41:41 +0200
Message-ID: <db669d1d6cd5a830ad80d41487608f8b3cc5a05e.1550097697.git.igor.stoppa@huawei.com>
In-Reply-To: <cover.1550097697.git.igor.stoppa@huawei.com>

The policy flags could be targeted by an attacker aiming at disabling IMA, so that there would be no trace of a file system modification in the measurement list.

Since the flags can be altered at runtime, it is not possible to make them become fully read-only, for example with __ro_after_init.

__wr_after_init can still provide some protection, at least against simple memory overwrite attacks

Signed-off-by: Igor Stoppa <igor.stoppa@huawei.com> CC: Andy Lutomirski <luto@amacapital.net> CC: Nadav Amit <nadav.amit@gmail.com> CC: Matthew Wilcox <willy@infradead.org> CC: Peter Zijlstra <peterz@infradead.org> CC: Kees Cook <keescook@chromium.org> CC: Dave Hansen <dave.hansen@linux.intel.com> CC: Mimi Zohar <zohar@linux.vnet.ibm.com> CC: Thiago Jung Bauermann <bauerman@linux.ibm.com> CC: Ahmed Soliman <ahmedsoliman@mena.vt.edu> CC: linux-integrity@vger.kernel.org CC: kernel-hardening@lists.openwall.com CC: linux-mm@kvack.org CC: linux-kernel@vger.kernel.org --- security/integrity/ima/ima.h | 3 ++- security/integrity/ima/ima_policy.c | 9 +++++---- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index cc12f3449a72..297c25f5122e 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -24,6 +24,7 @@ #include <linux/hash.h> #include <linux/tpm.h> #include <linux/audit.h> +#include <linux/prmem.h> #include <crypto/hash_info.h> #include "../integrity.h" @@ -50,7 +51,7 @@ enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 }; #define IMA_TEMPLATE_IMA_FMT "d|n" /* current content of the policy */ -extern int ima_policy_flag; +extern int ima_policy_flag __wr_after_init; /* set during initialization */ extern int ima_hash_algo; diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 8bc8a1c8cb3f..d49c545b9cfb 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -48,7 +48,7 @@ #define INVALID_PCR(a) (((a) < 0) || \ (a) >= (FIELD_SIZEOF(struct integrity_iint_cache, measured_pcrs) * 8)) -int ima_policy_flag; +int ima_policy_flag __wr_after_init; static int temp_ima_appraise; static int build_ima_appraise __ro_after_init; 
@@ -460,12 +460,13 @@ void ima_update_policy_flag(void) list_for_each_entry(entry, ima_rules, list) { if (entry->action & IMA_DO_MASK) - ima_policy_flag |= entry->action; + wr_assign(ima_policy_flag, + ima_policy_flag | entry->action); } ima_appraise |= (build_ima_appraise | temp_ima_appraise); if (!ima_appraise) - ima_policy_flag &= ~IMA_APPRAISE; + wr_assign(ima_policy_flag, ima_policy_flag & ~IMA_APPRAISE); } static int ima_appraise_flag(enum ima_hooks func) @@ -651,7 +652,7 @@ void ima_update_policy(void) list_splice_tail_init_rcu(&ima_temp_rules, policy, synchronize_rcu); if (ima_rules != policy) { - ima_policy_flag = 0; + wr_assign(ima_policy_flag, 0); ima_rules = policy; /* -- 2.19.1
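Review bot: In the ima.h hunk, the comment above the declaration still reads `/* current content of the policy */` and does not mention the new write rule. Since the variable is now tagged `__wr_after_init` and every writer in ima_policy.c was converted to `wr_assign()`, the comment should state that writes after init must go through `wr_assign()`, so that a plain `ima_policy_flag |= ...` added later elsewhere stands out in review. The subject line also spells the variable `ima_policy_flags`, while the code has `ima_policy_flag`.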
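Review bot: In ima_update_policy_flag(), `wr_assign()` is now issued once per matching rule inside `list_for_each_entry()`, and possibly once more for the `& ~IMA_APPRAISE` mask. Accumulate into a local int initialised from `ima_policy_flag`, apply the mask to the local, and finish with a single `wr_assign(ima_policy_flag, new_flag)`; the number of write-rare operations then no longer grows with the length of the policy, and readers never see a partially rebuilt value.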
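Review bot: The state that drives the protected flag stays writable in the last two ima_policy.c hunks: `ima_appraise |= (build_ima_appraise | temp_ima_appraise);` and `ima_rules = policy;` are still plain stores, and `if (!ima_appraise)` decides whether IMA_APPRAISE is cleared from the flag. Either extend `__wr_after_init` to `ima_appraise` and `ima_rules` here or in a follow-up patch, or say in the commit message that only the flag word itself is covered.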