From mboxrd@z Thu Jan 1 00:00:00 1970 From: Igor Stoppa Subject: [PATCH 11/12] IMA: turn ima_policy_flags into __wr_after_init Date: Wed, 19 Dec 2018 23:33:37 +0200 Message-Id: <20181219213338.26619-12-igor.stoppa@huawei.com> In-Reply-To: <20181219213338.26619-1-igor.stoppa@huawei.com> References: <20181219213338.26619-1-igor.stoppa@huawei.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit To: Andy Lutomirski , Matthew Wilcox , Peter Zijlstra , Dave Hansen , Mimi Zohar Cc: igor.stoppa@huawei.com, Nadav Amit , Kees Cook , linux-integrity@vger.kernel.org, kernel-hardening@lists.openwall.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org List-ID: The policy flags could be targeted by an attacker aiming at disabling IMA, so that there would be no trace of a file system modification in the measurement list. Since the flags can be altered at runtime, it is not possible to make them become fully read-only, for example with __ro_after_init. __wr_after_init can still provide some protection, at least against simple memory overwrite attacks Signed-off-by: Igor Stoppa CC: Andy Lutomirski CC: Nadav Amit CC: Matthew Wilcox CC: Peter Zijlstra CC: Kees Cook CC: Dave Hansen CC: Mimi Zohar CC: linux-integrity@vger.kernel.org CC: kernel-hardening@lists.openwall.com CC: linux-mm@kvack.org CC: linux-kernel@vger.kernel.org --- security/integrity/ima/ima.h | 3 ++- security/integrity/ima/ima_init.c | 5 +++-- security/integrity/ima/ima_policy.c | 9 +++++---- 3 files changed, 10 insertions(+), 7 deletions(-) diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index cc12f3449a72..297c25f5122e 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -24,6 +24,7 @@ #include #include #include +#include #include #include "../integrity.h" @@ -50,7 +51,7 @@ enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 }; #define IMA_TEMPLATE_IMA_FMT "d|n" /* current content of the policy */ -extern int ima_policy_flag; +extern int ima_policy_flag __wr_after_init; /* set during initialization */ extern int ima_hash_algo; diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c index 59d834219cd6..5f4e13e671bf 100644 --- a/security/integrity/ima/ima_init.c +++ b/security/integrity/ima/ima_init.c @@ -21,6 +21,7 @@ #include #include #include +#include #include "ima.h" @@ -98,9 +99,9 @@ void __init ima_load_x509(void) { int unset_flags = ima_policy_flag & IMA_APPRAISE; - ima_policy_flag &= ~unset_flags; + wr_assign(ima_policy_flag, ima_policy_flag & ~unset_flags); integrity_load_x509(INTEGRITY_KEYRING_IMA, CONFIG_IMA_X509_PATH); - ima_policy_flag |= unset_flags; + wr_assign(ima_policy_flag, ima_policy_flag | unset_flags); } #endif diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 7489cb7de6dc..2004de818d92 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -47,7 +47,7 @@ #define INVALID_PCR(a) (((a) < 0) || \ (a) >= (FIELD_SIZEOF(struct integrity_iint_cache, measured_pcrs) * 8)) -int ima_policy_flag; +int ima_policy_flag __wr_after_init; static int temp_ima_appraise; static int build_ima_appraise __ro_after_init; @@ -452,12 +452,13 @@ void ima_update_policy_flag(void) list_for_each_entry(entry, ima_rules, list) { if (entry->action & IMA_DO_MASK) - ima_policy_flag |= entry->action; + wr_assign(ima_policy_flag, + ima_policy_flag | entry->action); } ima_appraise |= (build_ima_appraise | temp_ima_appraise); if (!ima_appraise) - ima_policy_flag &= ~IMA_APPRAISE; + wr_assign(ima_policy_flag, ima_policy_flag & ~IMA_APPRAISE); } static int ima_appraise_flag(enum ima_hooks func) @@ -574,7 +575,7 @@ void ima_update_policy(void) list_splice_tail_init_rcu(&ima_temp_rules, policy, synchronize_rcu); if (ima_rules != policy) { - ima_policy_flag = 0; + wr_assign(ima_policy_flag, 0); ima_rules = policy; } ima_update_policy_flag(); -- 2.19.1