From: Igor Stoppa <igor.stoppa@gmail.com>
Cc: Igor Stoppa <igor.stoppa@huawei.com>,
Andy Lutomirski <luto@amacapital.net>,
Nadav Amit <nadav.amit@gmail.com>,
Matthew Wilcox <willy@infradead.org>,
Peter Zijlstra <peterz@infradead.org>,
Kees Cook <keescook@chromium.org>,
Dave Hansen <dave.hansen@linux.intel.com>,
Mimi Zohar <zohar@linux.vnet.ibm.com>,
Thiago Jung Bauermann <bauerman@linux.ibm.com>,
Ahmed Soliman <ahmedsoliman@mena.vt.edu>,
linux-integrity@vger.kernel.org,
kernel-hardening@lists.openwall.com, linux-mm@kvack.org,
linux-kernel@vger.kernel.org
Subject: [RFC PATCH v5 12/12] IMA: turn ima_policy_flags into __wr_after_init
Date: Thu, 14 Feb 2019 00:41:41 +0200 [thread overview]
Message-ID: <db669d1d6cd5a830ad80d41487608f8b3cc5a05e.1550097697.git.igor.stoppa@huawei.com> (raw)
In-Reply-To: <cover.1550097697.git.igor.stoppa@huawei.com>
The policy flags could be targeted by an attacker aiming at disabling IMA,
so that there would be no trace of a file system modification in the
measurement list.

Since the flags can be altered at runtime, it is not possible to make
them become fully read-only, for example with __ro_after_init.

__wr_after_init can still provide some protection, at least against
simple memory overwrite attacks.
Signed-off-by: Igor Stoppa <igor.stoppa@huawei.com>
CC: Andy Lutomirski <luto@amacapital.net>
CC: Nadav Amit <nadav.amit@gmail.com>
CC: Matthew Wilcox <willy@infradead.org>
CC: Peter Zijlstra <peterz@infradead.org>
CC: Kees Cook <keescook@chromium.org>
CC: Dave Hansen <dave.hansen@linux.intel.com>
CC: Mimi Zohar <zohar@linux.vnet.ibm.com>
CC: Thiago Jung Bauermann <bauerman@linux.ibm.com>
CC: Ahmed Soliman <ahmedsoliman@mena.vt.edu>
CC: linux-integrity@vger.kernel.org
CC: kernel-hardening@lists.openwall.com
CC: linux-mm@kvack.org
CC: linux-kernel@vger.kernel.org
---
security/integrity/ima/ima.h | 3 ++-
security/integrity/ima/ima_policy.c | 9 +++++----
2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index cc12f3449a72..297c25f5122e 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -24,6 +24,7 @@
#include <linux/hash.h>
#include <linux/tpm.h>
#include <linux/audit.h>
+#include <linux/prmem.h>
#include <crypto/hash_info.h>
#include "../integrity.h"
@@ -50,7 +51,7 @@ enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 };
#define IMA_TEMPLATE_IMA_FMT "d|n"
/* current content of the policy */
-extern int ima_policy_flag;
+extern int ima_policy_flag __wr_after_init;
/* set during initialization */
extern int ima_hash_algo;
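Review bot: the comment above the declaration still reads `/* current content of the policy */` and says nothing about the new access rule; now that the variable is `__wr_after_init`, a plain `ima_policy_flag = x;` anywhere in IMA would compile but is no longer a valid write (that is the point of the annotation), so extend the comment to state that writes must go through wr_assign() while reads stay plain, and keep the `__wr_after_init` on the extern in sync with the definition in ima_policy.c.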
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 8bc8a1c8cb3f..d49c545b9cfb 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -48,7 +48,7 @@
#define INVALID_PCR(a) (((a) < 0) || \
(a) >= (FIELD_SIZEOF(struct integrity_iint_cache, measured_pcrs) * 8))
-int ima_policy_flag;
+int ima_policy_flag __wr_after_init;
static int temp_ima_appraise;
static int build_ima_appraise __ro_after_init;
@@ -460,12 +460,13 @@ void ima_update_policy_flag(void)
list_for_each_entry(entry, ima_rules, list) {
if (entry->action & IMA_DO_MASK)
- ima_policy_flag |= entry->action;
+ wr_assign(ima_policy_flag,
+ ima_policy_flag | entry->action);
}
ima_appraise |= (build_ima_appraise | temp_ima_appraise);
if (!ima_appraise)
- ima_policy_flag &= ~IMA_APPRAISE;
+ wr_assign(ima_policy_flag, ima_policy_flag & ~IMA_APPRAISE);
}
static int ima_appraise_flag(enum ima_hooks func)
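Review bot: inside the `list_for_each_entry` loop every matching rule now issues its own `wr_assign(ima_policy_flag, ima_policy_flag | entry->action)`, one write-rare operation per rule, and the later `wr_assign(ima_policy_flag, ima_policy_flag & ~IMA_APPRAISE)` adds another; accumulate the actions into a local `int flags`, apply the `!ima_appraise` mask to that local, and commit once with `wr_assign(ima_policy_flag, flags)` at the end, which is cheaper and keeps the protected word from passing through intermediate states. Note also that `ima_appraise |= (build_ima_appraise | temp_ima_appraise);` remains a plain store to an unprotected global, and its value decides whether IMA_APPRAISE survives in the protected flag.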
@@ -651,7 +652,7 @@ void ima_update_policy(void)
list_splice_tail_init_rcu(&ima_temp_rules, policy, synchronize_rcu);
if (ima_rules != policy) {
- ima_policy_flag = 0;
+ wr_assign(ima_policy_flag, 0);
ima_rules = policy;
/*
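Review bot: `ima_rules = policy;` immediately after the `wr_assign(ima_policy_flag, 0)` is still a plain store to an ordinary global, so the protection covers the summary flag word but not the pointer to the rule list it summarises; either state this as a known scope limit in the commit message or consider converting `ima_rules` in a follow-up.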
--
2.19.1
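The following is an added, user-space model of the idea behind this patch; it is not code from the series or from IMA. The "protected" variable lives only in a read-only shared mapping, and a `wr_assign_int()` helper (standing in for the series' `wr_assign()`) writes it through a short-lived writable alias of the same backing object at another address, so the mapping ordinary code sees is never made writable. It also models `ima_update_policy_flag()` with the per-rule actions accumulated in a local and committed with one write-rare operation, which goes beyond the hunk above. The flag bit values, rule list, `/tmp` backing file and all helper names are constructed for the demo; it assumes a POSIX system with `mmap`, `sigaction` and a writable `/tmp`.

```c
/* Added example: user-space model of __wr_after_init / wr_assign(), not the
 * kernel implementation. Flag values and names are constructed for the demo. */
#define _DEFAULT_SOURCE
#define _POSIX_C_SOURCE 200809L
#include <assert.h>
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

/* constructed action bits, modelled on IMA's (the real values differ) */
#define IMA_MEASURE  0x01
#define IMA_APPRAISE 0x02
#define IMA_AUDIT    0x04
#define IMA_DO_MASK  (IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT)

static int wr_fd = -1;         /* backing object shared by both mappings */
static size_t wr_size;         /* one page */
static int *ima_policy_flag;   /* the "__wr_after_init" variable, read-only mapping */

/* Create the backing object and map it read-only. This is the only mapping
 * ordinary code ever sees, so a stray store to it faults. Page starts zeroed. */
int wr_init(void)
{
    char path[] = "/tmp/wr_after_init_XXXXXX";   /* constructed temp file */
    void *p;

    if (ima_policy_flag)
        return 0;
    wr_size = (size_t)sysconf(_SC_PAGESIZE);
    if ((wr_fd = mkstemp(path)) < 0)
        return -1;
    unlink(path);
    if (ftruncate(wr_fd, (off_t)wr_size) != 0)
        return -1;
    if ((p = mmap(NULL, wr_size, PROT_READ, MAP_SHARED, wr_fd, 0)) == MAP_FAILED)
        return -1;
    ima_policy_flag = p;
    return 0;
}

/* Model of wr_assign(): map a temporary writable alias of the same page at a
 * different address, store through it, unmap. Returns 0 on success. */
int wr_assign_int(int *target, int value)
{
    unsigned char *base = (unsigned char *)ima_policy_flag, *alias;
    size_t off = (size_t)((unsigned char *)target - base);

    if (!base || off + sizeof(int) > wr_size)
        return -1;
    alias = mmap(NULL, wr_size, PROT_READ | PROT_WRITE, MAP_SHARED, wr_fd, 0);
    if (alias == MAP_FAILED)
        return -1;
    memcpy(alias + off, &value, sizeof value);
    munmap(alias, wr_size);        /* writable window is gone again */
    return 0;
}

int read_policy_flag(void)
{
    return *(volatile int *)ima_policy_flag;
}

/* Model of ima_update_policy_flag(): accumulate the rule actions in a local
 * and commit with a single write-rare operation. Returns the new flag value. */
int update_policy_flag(const int *actions, size_t n, int ima_appraise)
{
    int flags = read_policy_flag();
    size_t i;

    for (i = 0; i < n; i++)
        if (actions[i] & IMA_DO_MASK)
            flags |= actions[i];
    if (!ima_appraise)
        flags &= ~IMA_APPRAISE;
    return wr_assign_int(ima_policy_flag, flags) == 0 ? read_policy_flag() : -1;
}

/* Constructed rule list: a measure rule, an appraise rule, one non-DO action. */
int demo_update(int ima_appraise)
{
    static const int actions[] = { IMA_MEASURE, IMA_APPRAISE, 0x100 };
    return update_policy_flag(actions, sizeof actions / sizeof actions[0], ima_appraise);
}

/* Probe: does a plain store to the protected variable fault? 1 = yes. */
static sigjmp_buf probe_env;
static void on_segv(int sig) { (void)sig; siglongjmp(probe_env, 1); }

int plain_write_faults(void)
{
    struct sigaction sa, old;
    volatile int faulted = 0;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sa.sa_flags = SA_NODEFER;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(probe_env, 1) == 0)
        *(volatile int *)ima_policy_flag = 0;   /* the "simple memory overwrite" */
    else
        faulted = 1;
    sigaction(SIGSEGV, &old, NULL);
    return faulted;
}

int main(void)
{
    if (wr_init() != 0)
        return 1;
    printf("plain store faults: %d\n", plain_write_faults());
    printf("update, appraise off: %#x\n", demo_update(0));
    printf("update, appraise on:  %#x\n", demo_update(1));
    wr_assign_int(ima_policy_flag, 0);
    printf("after reset: %#x\n", read_policy_flag());
    return 0;
}
```

The point the probe makes is the one the commit message claims: the overwrite that a stray pointer or a simple write primitive performs goes through the normal mapping and faults, while the legitimate update path still works because it never changes that mapping's protection. The kernel series does this against the kernel's own mappings; here the same shape is reproduced with two MAP_SHARED views of one file.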
Thread overview: 16+ messages
2019-02-13 22:41 [RFC PATCH v5 00/12] hardening: statically allocated protected memory Igor Stoppa
2019-02-13 22:41 ` [RFC PATCH v5 02/12] __wr_after_init: linker section and attribute Igor Stoppa
2019-02-13 22:41 ` [RFC PATCH v5 03/12] __wr_after_init: Core and default arch Igor Stoppa
2019-02-14 11:28 ` Peter Zijlstra
2019-02-14 23:10 ` Igor Stoppa
2019-02-15 8:57 ` Peter Zijlstra
2019-02-16 15:15 ` Igor Stoppa
2019-02-13 22:41 ` [RFC PATCH v5 04/12] __wr_after_init: x86_64: randomize mapping offset Igor Stoppa
2019-02-13 22:41 ` [RFC PATCH v5 05/12] __wr_after_init: x86_64: enable Igor Stoppa
2019-02-13 22:41 ` [RFC PATCH v5 06/12] __wr_after_init: arm64: enable Igor Stoppa
2019-02-13 22:41 ` [RFC PATCH v5 07/12] __wr_after_init: Documentation: self-protection Igor Stoppa
2019-02-13 22:41 ` [RFC PATCH v5 08/12] __wr_after_init: lkdtm test Igor Stoppa
2019-02-13 22:41 ` [RFC PATCH v5 09/12] __wr_after_init: rodata_test: refactor tests Igor Stoppa
2019-02-13 22:41 ` [RFC PATCH v5 10/12] __wr_after_init: rodata_test: test __wr_after_init Igor Stoppa
2019-02-13 22:41 ` [RFC PATCH v5 11/12] __wr_after_init: test write rare functionality Igor Stoppa
2019-02-13 22:41 ` Igor Stoppa [this message]