From: Mimi Zohar <zohar@linux.ibm.com>
To: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
linux-integrity@vger.kernel.org
Cc: Jann Horn <jannh@google.com>,
Stephen Smalley <stephen.smalley.work@gmail.com>,
Eric Biggers <ebiggers@kernel.org>,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [RFC PATCH] ima: verify mprotect change is consistent with mmap policy
Date: Tue, 05 May 2020 11:33:05 -0400 [thread overview]
Message-ID: <1588692785.5157.11.camel@linux.ibm.com> (raw)
In-Reply-To: <7812a3a7-f47d-c924-c12e-f417bb6f43dc@linux.microsoft.com>
On Mon, 2020-05-04 at 15:51 -0700, Lakshmi Ramasubramanian wrote:
> On 5/4/20 2:17 PM, Mimi Zohar wrote:
>
> Hi Mimi,
>
> > +int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot)
> > +{
> > + struct ima_template_desc *template;
> > + struct inode *inode;
> > + int result = 0;
> > + int action;
> > + u32 secid;
> > + int pcr;
> > +
> > + if (vma->vm_file && (prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
>
> Just a suggestion:
> Maybe you could do the negative of the above check and return, so that
> the block within the if statement doesn't have to be indented.
Good suggestion.
>
> > + inode = file_inode(vma->vm_file);
> > +
> > + security_task_getsecid(current, &secid);
> > + action = ima_get_action(inode, current_cred(), secid, MAY_EXEC,
> > + MMAP_CHECK, &pcr, &template, 0);
> > +
> > + if (action & IMA_APPRAISE_SUBMASK)
> > + result = -EPERM;
> > +
> > + if ((action & IMA_APPRAISE_SUBMASK) || (action & IMA_MEASURE)) {
>
> action is checked for IMA_APPRAISE_SUBMASK bits in the previous if
> statement. Does it need to be checked again in the above if statement?
Agreed, the code should be cleaned up here too. In either the
measurement or the appraisal case, mprotect modifying the execute mmap
flag should be audited, but only in the appraisal case is the request
denied.
Mimi
>
> > + struct file *file = vma->vm_file;
> > + char *pathbuf = NULL;
> > + const char *pathname;
> > + char filename[NAME_MAX];
> > +
> > + pathname = ima_d_path(&file->f_path, &pathbuf,
> > + filename);
> > + integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode,
> > + pathname, "collect_data",
> > + "failed-mprotect", result, 0);
> > +
> > + if (pathbuf)
> > + __putname(pathbuf);
> > + }
> > + }
> > + return result;
> > +}
>
> thanks,
> -lakshmi
>
next prev parent reply other threads:[~2020-05-05 15:33 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-04 21:17 [RFC PATCH] ima: verify mprotect change is consistent with mmap policy Mimi Zohar
2020-05-04 22:51 ` Lakshmi Ramasubramanian
2020-05-05 15:33 ` Mimi Zohar [this message]
2020-05-05 0:15 ` Jann Horn
2020-05-05 14:16 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1588692785.5157.11.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=ebiggers@kernel.org \
--cc=jannh@google.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=nramas@linux.microsoft.com \
--cc=stephen.smalley.work@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).