From: Mimi Zohar <zohar@linux.ibm.com>
To: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
linux-integrity@vger.kernel.org
Cc: eric.snowberg@oracle.com, dhowells@redhat.com,
matthewgarrett@google.com, sashal@kernel.org,
jamorris@linux.microsoft.com, linux-kernel@vger.kernel.org,
keyrings@vger.kernel.org
Subject: Re: [PATCH v0 2/2] IMA: Call queue functions to measure keys
Date: Mon, 02 Dec 2019 19:02:33 -0500 [thread overview]
Message-ID: <1575331353.4793.471.camel@linux.ibm.com> (raw)
In-Reply-To: <20191127025212.3077-3-nramas@linux.microsoft.com>
Hi Lakshmi,
On Tue, 2019-11-26 at 18:52 -0800, Lakshmi Ramasubramanian wrote:
> Keys should be queued for measurement if custom IMA policies have
> not yet been applied. Keys queued for measurement, if any, need to be
> processed when custom IMA policies have been applied.
Please start with the problem description. For example, measuring
keys requires loading a custom IMA policy.
>
> This patch adds the call to ima_queue_key_for_measurement() in
> the IMA hook function if ima_process_keys_for_measurement flag is set
> to false. And, the call to ima_process_queued_keys_for_measurement()
> when custom IMA policies have been applied in ima_update_policy().
This reads like pseudo code. Please summarize the purpose of this
patch.
>
> NOTE:
> If the kernel is built with CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE
> enabled then the IMA policy should be applied as custom IMA policies.
>
> Keys will be queued up until custom policies are applied and processed
> when custom policies have been applied.
>
> Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
> ---
> security/integrity/ima/ima_asymmetric_keys.c | 16 ++++++++++++++++
> security/integrity/ima/ima_policy.c | 12 ++++++++++++
> 2 files changed, 28 insertions(+)
>
> diff --git a/security/integrity/ima/ima_asymmetric_keys.c b/security/integrity/ima/ima_asymmetric_keys.c
> index 10deb77b22a0..adb7a307190f 100644
> --- a/security/integrity/ima/ima_asymmetric_keys.c
> +++ b/security/integrity/ima/ima_asymmetric_keys.c
> @@ -157,6 +157,8 @@ void ima_post_key_create_or_update(struct key *keyring, struct key *key,
> const void *payload, size_t payload_len,
> unsigned long flags, bool create)
> {
> + bool key_queued = false;
> +
> /* Only asymmetric keys are handled by this hook. */
> if (key->type != &key_type_asymmetric)
> return;
> @@ -164,6 +166,20 @@ void ima_post_key_create_or_update(struct key *keyring, struct key *key,
> if (!payload || (payload_len == 0))
> return;
>
> + if (!ima_process_keys_for_measurement)
> + key_queued = ima_queue_key_for_measurement(keyring,
> + payload,
> + payload_len);
> +
> + /*
> + * Need to check again if the key was queued or not because
> + * ima_process_keys_for_measurement could have flipped from
> + * false to true after it was checked above, but before the key
> + * could be queued by ima_queue_key_for_measurement().
> + */
You're describing a race condition.
> + if (key_queued)
> + return;
> +
> /*
> * keyring->description points to the name of the keyring
> * (such as ".builtin_trusted_keys", ".ima", etc.) to
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 78b25f083fe1..a2e30a90f97d 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -812,6 +812,18 @@ void ima_update_policy(void)
> kfree(arch_policy_entry);
> }
> ima_update_policy_flag();
> +
> + /*
> + * Custom IMA policies have been setup.
> + * Process key(s) queued up for measurement now.
> + *
> + * NOTE:
> + * Custom IMA policies always overwrite builtin policies
> + * (policies compiled in code). If one wants measurement
> + * of asymmetric keys then it has to be configured in
> + * custom policies and updated here.
> + */
The "NOTE" is over commenting the code and belongs in the patch
description.
> + ima_process_queued_keys_for_measurement();
Overwriting the initial policy is highly recommended, but not everyone
defines a custom policy. Should there be a time limit or some other
criteria before deleting the key measurement queue?
Mimi
> }
>
> /* Keep the enumeration in sync with the policy_tokens! */
next prev parent reply other threads:[~2019-12-03 0:03 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-27 2:52 [PATCH v0 0/2] IMA: Deferred measurement of keys Lakshmi Ramasubramanian
2019-11-27 2:52 ` [PATCH v0 1/2] IMA: Defined queue functions Lakshmi Ramasubramanian
2019-11-27 20:38 ` Mimi Zohar
2019-11-27 21:11 ` Lakshmi Ramasubramanian
2019-12-02 18:00 ` Mimi Zohar
2019-12-02 18:39 ` Lakshmi Ramasubramanian
2019-12-02 19:11 ` Mimi Zohar
2019-12-02 20:24 ` Lakshmi Ramasubramanian
2019-12-03 0:02 ` Mimi Zohar
2019-11-27 2:52 ` [PATCH v0 2/2] IMA: Call queue functions to measure keys Lakshmi Ramasubramanian
2019-12-03 0:02 ` Mimi Zohar [this message]
2019-12-03 16:09 ` Lakshmi Ramasubramanian
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1575331353.4793.471.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=dhowells@redhat.com \
--cc=eric.snowberg@oracle.com \
--cc=jamorris@linux.microsoft.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=matthewgarrett@google.com \
--cc=nramas@linux.microsoft.com \
--cc=sashal@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).