Linux-Integrity Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH 00/12] ima: Fix rule parsing bugs and extend KEXEC_CMDLINE rule support
@ 2020-06-23  0:32 Tyler Hicks
  2020-06-23  0:32 ` [PATCH 01/12] ima: Have the LSM free its audit rule Tyler Hicks
                   ` (11 more replies)
  0 siblings, 12 replies; 32+ messages in thread
From: Tyler Hicks @ 2020-06-23  0:32 UTC (permalink / raw)
  To: Mimi Zohar, Dmitry Kasatkin
  Cc: James Morris, Serge E . Hallyn, Lakshmi Ramasubramanian,
	Prakhar Srivastava, linux-kernel, linux-integrity,
	linux-security-module, Janne Karhunen, Eric Biederman, kexec

This series ultimately extends the supported IMA rule conditionals for
the KEXEC_CMDLINE hook function. As of today, there's an imbalance in
IMA language conditional support for KEXEC_CMDLINE rules in comparison
to KEXEC_KERNEL_CHECK and KEXEC_INITRAMFS_CHECK rules. The KEXEC_CMDLINE
rules do not support *any* conditionals so you cannot have a sequence of
rules like this:

 dont_measure func=KEXEC_KERNEL_CHECK obj_type=foo_t
 dont_measure func=KEXEC_INITRAMFS_CHECK obj_type=foo_t
 dont_measure func=KEXEC_CMDLINE obj_type=foo_t
 measure func=KEXEC_KERNEL_CHECK
 measure func=KEXEC_INITRAMFS_CHECK
 measure func=KEXEC_CMDLINE

Instead, KEXEC_CMDLINE rules can only be measured or not measured and
there's no additional flexibility in today's implementation of the
KEXEC_CMDLINE hook function.

With this series, the above sequence of rules becomes valid and any
calls to kexec_file_load() with a kernel and initramfs inode type of
foo_t will not be measured (that includes the kernel cmdline buffer)
while all other objects given to a kexec_file_load() syscall will be
measured. There's obviously not an inode directly associated with the
kernel cmdline buffer but this patch series ties the inode based
decision making for KEXEC_CMDLINE to the kernel's inode. I think this
will be intuitive to policy authors.

While reading IMA code and preparing to make this change, I realized
that the buffer based hook functions (KEXEC_CMDLINE and KEY_CHECK) are
quite special in comparison to longer standing hook functions. These
buffer based hook functions can only support measure actions and there
are some restrictions on the conditionals that they support. However,
the rule parser isn't enforcing any of those restrictions and IMA policy
authors wouldn't have any immediate way of knowing that the policy that
they wrote is invalid. For example, the sequence of rules above parses
successfully in today's kernel but the
"dont_measure func=KEXEC_CMDLINE ..." rule is incorrectly handled in
ima_match_rules(). The dont_measure rule is *always* considered to be a
match so, surprisingly, no KEXEC_CMDLINE measurements are made.

While making the rule parser more strict, I realized that the parser
does not correctly free all of the allocated memory associated with an
ima_rule_entry when going down some error paths. Invalid policy loaded
by the policy administrator could result in small memory leaks.

I envision patches 1-7 going to stable. The series is ordered in a way
that has all the fixes up front, followed by cleanups, followed by the
feature patch. The breakdown of patches looks like so:

 Memory leak fixes: 1-4
 Parser strictness fixes: 5-7
 Code cleanups made possible by the fixes: 8-11
 Extend KEXEC_CMDLINE rule support: 12

Perhaps the most logical ordering for code review is:

 1, 2, 3, 4, 8, 9, 5, 6, 7, 10, 11, 12

If you'd like me to re-order or split up the series, just let me know.
Thanks for considering these patches!

Tyler

Tyler Hicks (12):
  ima: Have the LSM free its audit rule
  ima: Create a function to free a rule entry
  ima: Free the entire rule when deleting a list of rules
  ima: Free the entire rule if it fails to parse
  ima: Fail rule parsing when buffer hook functions have an invalid
    action
  ima: Fail rule parsing when the KEXEC_CMDLINE hook is combined with an
    invalid cond
  ima: Fail rule parsing when the KEY_CHECK hook is combined with an
    invalid cond
  ima: Shallow copy the args_p member of ima_rule_entry.lsm elements
  ima: Use correct type for the args_p member of ima_rule_entry.lsm
    elements
  ima: Move validation of the keyrings conditional into
    ima_validate_rule()
  ima: Use the common function to detect LSM conditionals in a rule
  ima: Support additional conditionals in the KEXEC_CMDLINE hook
    function

 include/linux/ima.h                          |   4 +-
 kernel/kexec_file.c                          |   2 +-
 security/integrity/ima/ima.h                 |   9 +-
 security/integrity/ima/ima_api.c             |   2 +-
 security/integrity/ima/ima_appraise.c        |   2 +-
 security/integrity/ima/ima_asymmetric_keys.c |   2 +-
 security/integrity/ima/ima_main.c            |  24 ++-
 security/integrity/ima/ima_policy.c          | 159 ++++++++++++++-----
 security/integrity/ima/ima_queue_keys.c      |   2 +-
 9 files changed, 148 insertions(+), 58 deletions(-)

-- 
2.25.1


^ permalink raw reply	[flat|nested] 32+ messages in thread

* [PATCH 01/12] ima: Have the LSM free its audit rule
  2020-06-23  0:32 [PATCH 00/12] ima: Fix rule parsing bugs and extend KEXEC_CMDLINE rule support Tyler Hicks
@ 2020-06-23  0:32 ` Tyler Hicks
  2020-06-23  0:55   ` Casey Schaufler
                     ` (2 more replies)
  2020-06-23  0:32 ` [PATCH 02/12] ima: Create a function to free a rule entry Tyler Hicks
                   ` (10 subsequent siblings)
  11 siblings, 3 replies; 32+ messages in thread
From: Tyler Hicks @ 2020-06-23  0:32 UTC (permalink / raw)
  To: Mimi Zohar, Dmitry Kasatkin
  Cc: James Morris, Serge E . Hallyn, Lakshmi Ramasubramanian,
	Prakhar Srivastava, linux-kernel, linux-integrity,
	linux-security-module, Janne Karhunen

Ask the LSM to free its audit rule rather than directly calling kfree().
Both AppArmor and SELinux do additional work in their audit_rule_free()
hooks. Fix memory leaks by allowing the LSMs to perform necessary work.

Fixes: b16942455193 ("ima: use the lsm policy update notifier")
Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
Cc: Janne Karhunen <janne.karhunen@gmail.com>
---
 security/integrity/ima/ima.h        | 6 ++++++
 security/integrity/ima/ima_policy.c | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index df93ac258e01..de05d7f1d3ec 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -404,6 +404,7 @@ static inline void ima_free_modsig(struct modsig *modsig)
 #ifdef CONFIG_IMA_LSM_RULES
 
 #define security_filter_rule_init security_audit_rule_init
+#define security_filter_rule_free security_audit_rule_free
 #define security_filter_rule_match security_audit_rule_match
 
 #else
@@ -414,6 +415,11 @@ static inline int security_filter_rule_init(u32 field, u32 op, char *rulestr,
 	return -EINVAL;
 }
 
+static inline void security_filter_rule_free(void *lsmrule)
+{
+	return -EINVAL;
+}
+
 static inline int security_filter_rule_match(u32 secid, u32 field, u32 op,
 					     void *lsmrule)
 {
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index e493063a3c34..236a731492d1 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -258,7 +258,7 @@ static void ima_lsm_free_rule(struct ima_rule_entry *entry)
 	int i;
 
 	for (i = 0; i < MAX_LSM_RULES; i++) {
-		kfree(entry->lsm[i].rule);
+		security_filter_rule_free(entry->lsm[i].rule);
 		kfree(entry->lsm[i].args_p);
 	}
 	kfree(entry);
-- 
2.25.1


^ permalink raw reply	[flat|nested] 32+ messages in thread

* [PATCH 02/12] ima: Create a function to free a rule entry
  2020-06-23  0:32 [PATCH 00/12] ima: Fix rule parsing bugs and extend KEXEC_CMDLINE rule support Tyler Hicks
  2020-06-23  0:32 ` [PATCH 01/12] ima: Have the LSM free its audit rule Tyler Hicks
@ 2020-06-23  0:32 ` Tyler Hicks
  2020-06-25 19:33   ` Mimi Zohar
  2020-06-23  0:32 ` [PATCH 03/12] ima: Free the entire rule when deleting a list of rules Tyler Hicks
                   ` (9 subsequent siblings)
  11 siblings, 1 reply; 32+ messages in thread
From: Tyler Hicks @ 2020-06-23  0:32 UTC (permalink / raw)
  To: Mimi Zohar, Dmitry Kasatkin
  Cc: James Morris, Serge E . Hallyn, Lakshmi Ramasubramanian,
	Prakhar Srivastava, linux-kernel, linux-integrity,
	linux-security-module

There are several possible pieces of allocated memory in a rule entry.
Create a function that can free all allocated memory for a given rule
entry.

This patch introduces no functional changes but sets the groundwork for
some memory leak fixes.

Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
---
 security/integrity/ima/ima_policy.c | 33 +++++++++++++++++++++++++++--
 1 file changed, 31 insertions(+), 2 deletions(-)

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 236a731492d1..1320333201c6 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -261,6 +261,27 @@ static void ima_lsm_free_rule(struct ima_rule_entry *entry)
 		security_filter_rule_free(entry->lsm[i].rule);
 		kfree(entry->lsm[i].args_p);
 	}
+}
+
+static void ima_free_rule(struct ima_rule_entry *entry)
+{
+	if (!entry)
+		return;
+
+	/*
+	 * entry->template->fields may be allocated in ima_parse_rule() but that
+	 * reference is owned by the corresponding ima_template_desc element in
+	 * the defined_templates list and cannot be freed here
+	 */
+
+	/*
+	 * When freeing newly added ima_rule_entry members, consider if you
+	 * need to disown any references after the shallow copy in
+	 * ima_lsm_copy_rule()
+	 */
+	kfree(entry->fsname);
+	kfree(entry->keyrings);
+	ima_lsm_free_rule(entry);
 	kfree(entry);
 }
 
@@ -298,10 +319,18 @@ static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry)
 			pr_warn("rule for LSM \'%s\' is undefined\n",
 				(char *)entry->lsm[i].args_p);
 	}
+
+	/* Disown all references that were shallow copied */
+	entry->fsname = NULL;
+	entry->keyrings = NULL;
+	entry->template = NULL;
 	return nentry;
 
 out_err:
-	ima_lsm_free_rule(nentry);
+	nentry->fsname = NULL;
+	nentry->keyrings = NULL;
+	nentry->template = NULL;
+	ima_free_rule(nentry);
 	return NULL;
 }
 
@@ -315,7 +344,7 @@ static int ima_lsm_update_rule(struct ima_rule_entry *entry)
 
 	list_replace_rcu(&entry->list, &nentry->list);
 	synchronize_rcu();
-	ima_lsm_free_rule(entry);
+	ima_free_rule(entry);
 
 	return 0;
 }
-- 
2.25.1


^ permalink raw reply	[flat|nested] 32+ messages in thread

* [PATCH 03/12] ima: Free the entire rule when deleting a list of rules
  2020-06-23  0:32 [PATCH 00/12] ima: Fix rule parsing bugs and extend KEXEC_CMDLINE rule support Tyler Hicks
  2020-06-23  0:32 ` [PATCH 01/12] ima: Have the LSM free its audit rule Tyler Hicks
  2020-06-23  0:32 ` [PATCH 02/12] ima: Create a function to free a rule entry Tyler Hicks
@ 2020-06-23  0:32 ` Tyler Hicks
  2020-06-25 21:05   ` Mimi Zohar
  2020-06-25 21:07   ` Mimi Zohar
  2020-06-23  0:32 ` [PATCH 04/12] ima: Free the entire rule if it fails to parse Tyler Hicks
                   ` (8 subsequent siblings)
  11 siblings, 2 replies; 32+ messages in thread
From: Tyler Hicks @ 2020-06-23  0:32 UTC (permalink / raw)
  To: Mimi Zohar, Dmitry Kasatkin
  Cc: James Morris, Serge E . Hallyn, Lakshmi Ramasubramanian,
	Prakhar Srivastava, linux-kernel, linux-integrity,
	linux-security-module

Use ima_free_rule() to fix memory leaks of allocated ima_rule_entry
members, such as .fsname and .keyrings, when deleting a list of rules.

This fixes a memory leak seen when loading by a valid rule that contains
an additional piece of allocated memory, such as an fsname, followed by
an invalid rule that triggers a policy load failure:

 # echo -e "dont_measure fsname=securityfs\nbad syntax" > \
    /sys/kernel/security/ima/policy
 -bash: echo: write error: Invalid argument
 # echo scan > /sys/kernel/debug/kmemleak
 # cat /sys/kernel/debug/kmemleak
 unreferenced object 0xffff9bab67ca12c0 (size 16):
   comm "tee", pid 684, jiffies 4295212803 (age 252.344s)
   hex dump (first 16 bytes):
     73 65 63 75 72 69 74 79 66 73 00 6b 6b 6b 6b a5  securityfs.kkkk.
   backtrace:
     [<00000000adc80b1b>] kstrdup+0x2e/0x60
     [<00000000d504cb0d>] ima_parse_add_rule+0x7d4/0x1020
     [<00000000444825ac>] ima_write_policy+0xab/0x1d0
     [<000000002b7f0d6c>] vfs_write+0xde/0x1d0
     [<0000000096feedcf>] ksys_write+0x68/0xe0
     [<0000000052b544a2>] do_syscall_64+0x56/0xa0
     [<000000007ead1ba7>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: f1b08bbcbdaf ("ima: define a new policy condition based on the filesystem name")
Fixes: 2b60c0ecedf8 ("IMA: Read keyrings= option from the IMA policy")
Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
---
 security/integrity/ima/ima_policy.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 1320333201c6..94ca3b8abb69 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -1431,15 +1431,11 @@ ssize_t ima_parse_add_rule(char *rule)
 void ima_delete_rules(void)
 {
 	struct ima_rule_entry *entry, *tmp;
-	int i;
 
 	temp_ima_appraise = 0;
 	list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) {
-		for (i = 0; i < MAX_LSM_RULES; i++)
-			kfree(entry->lsm[i].args_p);
-
 		list_del(&entry->list);
-		kfree(entry);
+		ima_free_rule(entry);
 	}
 }
 
-- 
2.25.1


^ permalink raw reply	[flat|nested] 32+ messages in thread

* [PATCH 04/12] ima: Free the entire rule if it fails to parse
  2020-06-23  0:32 [PATCH 00/12] ima: Fix rule parsing bugs and extend KEXEC_CMDLINE rule support Tyler Hicks
                   ` (2 preceding siblings ...)
  2020-06-23  0:32 ` [PATCH 03/12] ima: Free the entire rule when deleting a list of rules Tyler Hicks
@ 2020-06-23  0:32 ` Tyler Hicks
  2020-06-23  0:32 ` [PATCH 05/12] ima: Fail rule parsing when buffer hook functions have an invalid action Tyler Hicks
                   ` (7 subsequent siblings)
  11 siblings, 0 replies; 32+ messages in thread
From: Tyler Hicks @ 2020-06-23  0:32 UTC (permalink / raw)
  To: Mimi Zohar, Dmitry Kasatkin
  Cc: James Morris, Serge E . Hallyn, Lakshmi Ramasubramanian,
	Prakhar Srivastava, linux-kernel, linux-integrity,
	linux-security-module

Use ima_free_rule() to fix memory leaks of allocated ima_rule_entry
members, such as .fsname and .keyrings, when an error is encountered
during rule parsing.

Set the args_p pointer to NULL after freeing it in the error path of
ima_lsm_rule_init() so that it isn't freed twice.

This fixes a memory leak seen when loading an rule that contains an
additional piece of allocated memory, such as an fsname, followed by an
invalid conditional:

 # echo "measure fsname=tmpfs bad=cond" > /sys/kernel/security/ima/policy
 -bash: echo: write error: Invalid argument
 # echo scan > /sys/kernel/debug/kmemleak
 # cat /sys/kernel/debug/kmemleak
 unreferenced object 0xffff98e7e4ece6c0 (size 8):
   comm "bash", pid 672, jiffies 4294791843 (age 21.855s)
   hex dump (first 8 bytes):
     74 6d 70 66 73 00 6b a5                          tmpfs.k.
   backtrace:
     [<00000000abab7413>] kstrdup+0x2e/0x60
     [<00000000f11ede32>] ima_parse_add_rule+0x7d4/0x1020
     [<00000000f883dd7a>] ima_write_policy+0xab/0x1d0
     [<00000000b17cf753>] vfs_write+0xde/0x1d0
     [<00000000b8ddfdea>] ksys_write+0x68/0xe0
     [<00000000b8e21e87>] do_syscall_64+0x56/0xa0
     [<0000000089ea7b98>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: f1b08bbcbdaf ("ima: define a new policy condition based on the filesystem name")
Fixes: 2b60c0ecedf8 ("IMA: Read keyrings= option from the IMA policy")
Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
---
 security/integrity/ima/ima_policy.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 94ca3b8abb69..ee5152ecd3d9 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -919,6 +919,7 @@ static int ima_lsm_rule_init(struct ima_rule_entry *entry,
 
 		if (ima_rules == &ima_default_rules) {
 			kfree(entry->lsm[lsm_rule].args_p);
+			entry->lsm[lsm_rule].args_p = NULL;
 			result = -EINVAL;
 		} else
 			result = 0;
@@ -1410,7 +1411,7 @@ ssize_t ima_parse_add_rule(char *rule)
 
 	result = ima_parse_rule(p, entry);
 	if (result) {
-		kfree(entry);
+		ima_free_rule(entry);
 		integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
 				    NULL, op, "invalid-policy", result,
 				    audit_info);
-- 
2.25.1


^ permalink raw reply	[flat|nested] 32+ messages in thread

* [PATCH 05/12] ima: Fail rule parsing when buffer hook functions have an invalid action
  2020-06-23  0:32 [PATCH 00/12] ima: Fix rule parsing bugs and extend KEXEC_CMDLINE rule support Tyler Hicks
                   ` (3 preceding siblings ...)
  2020-06-23  0:32 ` [PATCH 04/12] ima: Free the entire rule if it fails to parse Tyler Hicks
@ 2020-06-23  0:32 ` Tyler Hicks
  2020-06-25 21:51   ` Mimi Zohar
  2020-06-23  0:32 ` [PATCH 06/12] ima: Fail rule parsing when the KEXEC_CMDLINE hook is combined with an invalid cond Tyler Hicks
                   ` (6 subsequent siblings)
  11 siblings, 1 reply; 32+ messages in thread
From: Tyler Hicks @ 2020-06-23  0:32 UTC (permalink / raw)
  To: Mimi Zohar, Dmitry Kasatkin
  Cc: James Morris, Serge E . Hallyn, Lakshmi Ramasubramanian,
	Prakhar Srivastava, linux-kernel, linux-integrity,
	linux-security-module

Buffer based hook functions, such as KEXEC_CMDLINE and KEY_CHECK, can
only measure. The process_buffer_measurement() function quietly ignores
all actions except measure so make this behavior clear at the time of
policy load.

The parsing of the keyrings conditional had a check to ensure that it
was only specified with measure actions but the check should be on the
hook function and not the keyrings conditional since
"appraise func=KEY_CHECK" is not a valid rule.

Fixes: b0935123a183 ("IMA: Define a new hook to measure the kexec boot command line arguments")
Fixes: 5808611cccb2 ("IMA: Add KEY_CHECK func to measure keys")
Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
---
 security/integrity/ima/ima_policy.c | 36 +++++++++++++++++++++++++++--
 1 file changed, 34 insertions(+), 2 deletions(-)

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index ee5152ecd3d9..ecc234b956a2 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -979,6 +979,39 @@ static void check_template_modsig(const struct ima_template_desc *template)
 #undef MSG
 }
 
+static bool ima_validate_rule(struct ima_rule_entry *entry)
+{
+	if (entry->action == UNKNOWN)
+		return false;
+
+	if (entry->flags & IMA_FUNC) {
+		switch (entry->func) {
+		case NONE:
+		case FILE_CHECK:
+		case MMAP_CHECK:
+		case BPRM_CHECK:
+		case CREDS_CHECK:
+		case POST_SETATTR:
+		case MODULE_CHECK:
+		case FIRMWARE_CHECK:
+		case KEXEC_KERNEL_CHECK:
+		case KEXEC_INITRAMFS_CHECK:
+		case POLICY_CHECK:
+			break;
+		case KEXEC_CMDLINE:
+		case KEY_CHECK:
+			if (entry->action & ~(MEASURE | DONT_MEASURE))
+				return false;
+
+			break;
+		default:
+			return false;
+		}
+	}
+
+	return true;
+}
+
 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
 {
 	struct audit_buffer *ab;
@@ -1156,7 +1189,6 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
 			keyrings_len = strlen(args[0].from) + 1;
 
 			if ((entry->keyrings) ||
-			    (entry->action != MEASURE) ||
 			    (entry->func != KEY_CHECK) ||
 			    (keyrings_len < 2)) {
 				result = -EINVAL;
@@ -1362,7 +1394,7 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
 			break;
 		}
 	}
-	if (!result && (entry->action == UNKNOWN))
+	if (!result && !ima_validate_rule(entry))
 		result = -EINVAL;
 	else if (entry->action == APPRAISE)
 		temp_ima_appraise |= ima_appraise_flag(entry->func);
-- 
2.25.1


^ permalink raw reply	[flat|nested] 32+ messages in thread

* [PATCH 06/12] ima: Fail rule parsing when the KEXEC_CMDLINE hook is combined with an invalid cond
  2020-06-23  0:32 [PATCH 00/12] ima: Fix rule parsing bugs and extend KEXEC_CMDLINE rule support Tyler Hicks
                   ` (4 preceding siblings ...)
  2020-06-23  0:32 ` [PATCH 05/12] ima: Fail rule parsing when buffer hook functions have an invalid action Tyler Hicks
@ 2020-06-23  0:32 ` Tyler Hicks
  2020-06-25 21:53   ` Mimi Zohar
  2020-06-23  0:32 ` [PATCH 07/12] ima: Fail rule parsing when the KEY_CHECK " Tyler Hicks
                   ` (5 subsequent siblings)
  11 siblings, 1 reply; 32+ messages in thread
From: Tyler Hicks @ 2020-06-23  0:32 UTC (permalink / raw)
  To: Mimi Zohar, Dmitry Kasatkin
  Cc: James Morris, Serge E . Hallyn, Lakshmi Ramasubramanian,
	Prakhar Srivastava, linux-kernel, linux-integrity,
	linux-security-module

The KEXEC_CMDLINE hook function only supports the pcr conditional. Make
this clear at policy load so that IMA policy authors don't assume that
other conditionals are supported.

Since KEXEC_CMDLINE's inception, ima_match_rules() has always returned
true on any loaded KEXEC_CMDLINE rule without any consideration for
other conditionals present in the rule. Make it clear that pcr is the
only supported KEXEC_CMDLINE conditional by returning an error during
policy load.

An example of why this is a problem can be explained with the following
rule:

 dont_measure func=KEXEC_CMDLINE obj_type=foo_t

An IMA policy author would have assumed that rule is valid because the
parser accepted it but the result was that measurements for all
KEXEC_CMDLINE operations would be disabled.

Fixes: b0935123a183 ("IMA: Define a new hook to measure the kexec boot command line arguments")
Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
---
 security/integrity/ima/ima_policy.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index ecc234b956a2..83975ad22907 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -349,6 +349,17 @@ static int ima_lsm_update_rule(struct ima_rule_entry *entry)
 	return 0;
 }
 
+static bool ima_rule_contains_lsm_cond(struct ima_rule_entry *entry)
+{
+	int i;
+
+	for (i = 0; i < MAX_LSM_RULES; i++)
+		if (entry->lsm[i].args_p)
+			return true;
+
+	return false;
+}
+
 /*
  * The LSM policy can be reloaded, leaving the IMA LSM based rules referring
  * to the old, stale LSM policy.  Update the IMA LSM based rules to reflect
@@ -999,6 +1010,16 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
 		case POLICY_CHECK:
 			break;
 		case KEXEC_CMDLINE:
+			if (entry->action & ~(MEASURE | DONT_MEASURE))
+				return false;
+
+			if (entry->flags & ~(IMA_FUNC | IMA_PCR))
+				return false;
+
+			if (ima_rule_contains_lsm_cond(entry))
+				return false;
+
+			break;
 		case KEY_CHECK:
 			if (entry->action & ~(MEASURE | DONT_MEASURE))
 				return false;
-- 
2.25.1


^ permalink raw reply	[flat|nested] 32+ messages in thread

* [PATCH 07/12] ima: Fail rule parsing when the KEY_CHECK hook is combined with an invalid cond
  2020-06-23  0:32 [PATCH 00/12] ima: Fix rule parsing bugs and extend KEXEC_CMDLINE rule support Tyler Hicks
                   ` (5 preceding siblings ...)
  2020-06-23  0:32 ` [PATCH 06/12] ima: Fail rule parsing when the KEXEC_CMDLINE hook is combined with an invalid cond Tyler Hicks
@ 2020-06-23  0:32 ` Tyler Hicks
  2020-06-23  0:32 ` [PATCH 08/12] ima: Shallow copy the args_p member of ima_rule_entry.lsm elements Tyler Hicks
                   ` (4 subsequent siblings)
  11 siblings, 0 replies; 32+ messages in thread
From: Tyler Hicks @ 2020-06-23  0:32 UTC (permalink / raw)
  To: Mimi Zohar, Dmitry Kasatkin
  Cc: James Morris, Serge E . Hallyn, Lakshmi Ramasubramanian,
	Prakhar Srivastava, linux-kernel, linux-integrity,
	linux-security-module

The KEY_CHECK function only supports the uid, pcr, and keyrings
conditionals. Make this clear at policy load so that IMA policy authors
don't assume that other conditionals are supported.

Fixes: 5808611cccb2 ("IMA: Add KEY_CHECK func to measure keys")
Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
---
 security/integrity/ima/ima_policy.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 83975ad22907..e33347148aa9 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -1024,6 +1024,13 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
 			if (entry->action & ~(MEASURE | DONT_MEASURE))
 				return false;
 
+			if (entry->flags & ~(IMA_FUNC | IMA_UID | IMA_PCR |
+					     IMA_KEYRINGS))
+				return false;
+
+			if (ima_rule_contains_lsm_cond(entry))
+				return false;
+
 			break;
 		default:
 			return false;
-- 
2.25.1


^ permalink raw reply	[flat|nested] 32+ messages in thread

* [PATCH 08/12] ima: Shallow copy the args_p member of ima_rule_entry.lsm elements
  2020-06-23  0:32 [PATCH 00/12] ima: Fix rule parsing bugs and extend KEXEC_CMDLINE rule support Tyler Hicks
                   ` (6 preceding siblings ...)
  2020-06-23  0:32 ` [PATCH 07/12] ima: Fail rule parsing when the KEY_CHECK " Tyler Hicks
@ 2020-06-23  0:32 ` Tyler Hicks
  2020-06-25 21:18   ` Mimi Zohar
  2020-06-23  0:32 ` [PATCH 09/12] ima: Use correct type for " Tyler Hicks
                   ` (3 subsequent siblings)
  11 siblings, 1 reply; 32+ messages in thread
From: Tyler Hicks @ 2020-06-23  0:32 UTC (permalink / raw)
  To: Mimi Zohar, Dmitry Kasatkin
  Cc: James Morris, Serge E . Hallyn, Lakshmi Ramasubramanian,
	Prakhar Srivastava, linux-kernel, linux-integrity,
	linux-security-module

The args_p member is a simple string that is allocated by
ima_rule_init(). Shallow copy it like other non-LSM references in
ima_rule_entry structs.

There are no longer any necessary error path cleanups to do in
ima_lsm_copy_rule() so reference ownership from entry to nentry becomes
easier.

Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
---
 security/integrity/ima/ima_policy.c | 13 ++-----------
 1 file changed, 2 insertions(+), 11 deletions(-)

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index e33347148aa9..e9c7d318fdd4 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -306,10 +306,8 @@ static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry)
 			continue;
 
 		nentry->lsm[i].type = entry->lsm[i].type;
-		nentry->lsm[i].args_p = kstrdup(entry->lsm[i].args_p,
-						GFP_KERNEL);
-		if (!nentry->lsm[i].args_p)
-			goto out_err;
+		nentry->lsm[i].args_p = entry->lsm[i].args_p;
+		entry->lsm[i].args_p = NULL;
 
 		security_filter_rule_init(nentry->lsm[i].type,
 					  Audit_equal,
@@ -325,13 +323,6 @@ static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry)
 	entry->keyrings = NULL;
 	entry->template = NULL;
 	return nentry;
-
-out_err:
-	nentry->fsname = NULL;
-	nentry->keyrings = NULL;
-	nentry->template = NULL;
-	ima_free_rule(nentry);
-	return NULL;
 }
 
 static int ima_lsm_update_rule(struct ima_rule_entry *entry)
-- 
2.25.1


^ permalink raw reply	[flat|nested] 32+ messages in thread

* [PATCH 09/12] ima: Use correct type for the args_p member of ima_rule_entry.lsm elements
  2020-06-23  0:32 [PATCH 00/12] ima: Fix rule parsing bugs and extend KEXEC_CMDLINE rule support Tyler Hicks
                   ` (7 preceding siblings ...)
  2020-06-23  0:32 ` [PATCH 08/12] ima: Shallow copy the args_p member of ima_rule_entry.lsm elements Tyler Hicks
@ 2020-06-23  0:32 ` Tyler Hicks
  2020-06-25 21:20   ` Mimi Zohar
  2020-06-23  0:32 ` [PATCH 10/12] ima: Move validation of the keyrings conditional into ima_validate_rule() Tyler Hicks
                   ` (2 subsequent siblings)
  11 siblings, 1 reply; 32+ messages in thread
From: Tyler Hicks @ 2020-06-23  0:32 UTC (permalink / raw)
  To: Mimi Zohar, Dmitry Kasatkin
  Cc: James Morris, Serge E . Hallyn, Lakshmi Ramasubramanian,
	Prakhar Srivastava, linux-kernel, linux-integrity,
	linux-security-module

Make args_p be of the char pointer type rather than have it be a void
pointer that gets casted to char pointer when it is used. It is a simple
NUL-terminated string as returned by match_strdup().

Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
---
 security/integrity/ima/ima_policy.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index e9c7d318fdd4..514baf24d6a5 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -74,7 +74,7 @@ struct ima_rule_entry {
 	int pcr;
 	struct {
 		void *rule;	/* LSM file metadata specific */
-		void *args_p;	/* audit value */
+		char *args_p;	/* audit value */
 		int type;	/* audit type */
 	} lsm[MAX_LSM_RULES];
 	char *fsname;
@@ -315,7 +315,7 @@ static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry)
 					  &nentry->lsm[i].rule);
 		if (!nentry->lsm[i].rule)
 			pr_warn("rule for LSM \'%s\' is undefined\n",
-				(char *)entry->lsm[i].args_p);
+				entry->lsm[i].args_p);
 	}
 
 	/* Disown all references that were shallow copied */
@@ -917,7 +917,7 @@ static int ima_lsm_rule_init(struct ima_rule_entry *entry,
 					   &entry->lsm[lsm_rule].rule);
 	if (!entry->lsm[lsm_rule].rule) {
 		pr_warn("rule for LSM \'%s\' is undefined\n",
-			(char *)entry->lsm[lsm_rule].args_p);
+			entry->lsm[lsm_rule].args_p);
 
 		if (ima_rules == &ima_default_rules) {
 			kfree(entry->lsm[lsm_rule].args_p);
@@ -1666,27 +1666,27 @@ int ima_policy_show(struct seq_file *m, void *v)
 			switch (i) {
 			case LSM_OBJ_USER:
 				seq_printf(m, pt(Opt_obj_user),
-					   (char *)entry->lsm[i].args_p);
+					   entry->lsm[i].args_p);
 				break;
 			case LSM_OBJ_ROLE:
 				seq_printf(m, pt(Opt_obj_role),
-					   (char *)entry->lsm[i].args_p);
+					   entry->lsm[i].args_p);
 				break;
 			case LSM_OBJ_TYPE:
 				seq_printf(m, pt(Opt_obj_type),
-					   (char *)entry->lsm[i].args_p);
+					   entry->lsm[i].args_p);
 				break;
 			case LSM_SUBJ_USER:
 				seq_printf(m, pt(Opt_subj_user),
-					   (char *)entry->lsm[i].args_p);
+					   entry->lsm[i].args_p);
 				break;
 			case LSM_SUBJ_ROLE:
 				seq_printf(m, pt(Opt_subj_role),
-					   (char *)entry->lsm[i].args_p);
+					   entry->lsm[i].args_p);
 				break;
 			case LSM_SUBJ_TYPE:
 				seq_printf(m, pt(Opt_subj_type),
-					   (char *)entry->lsm[i].args_p);
+					   entry->lsm[i].args_p);
 				break;
 			}
 			seq_puts(m, " ");
-- 
2.25.1


^ permalink raw reply	[flat|nested] 32+ messages in thread

* [PATCH 10/12] ima: Move validation of the keyrings conditional into ima_validate_rule()
  2020-06-23  0:32 [PATCH 00/12] ima: Fix rule parsing bugs and extend KEXEC_CMDLINE rule support Tyler Hicks
                   ` (8 preceding siblings ...)
  2020-06-23  0:32 ` [PATCH 09/12] ima: Use correct type for " Tyler Hicks
@ 2020-06-23  0:32 ` Tyler Hicks
  2020-06-25 19:50   ` Tyler Hicks
  2020-06-23  0:32 ` [PATCH 11/12] ima: Use the common function to detect LSM conditionals in a rule Tyler Hicks
  2020-06-23  0:32 ` [PATCH 12/12] ima: Support additional conditionals in the KEXEC_CMDLINE hook function Tyler Hicks
  11 siblings, 1 reply; 32+ messages in thread
From: Tyler Hicks @ 2020-06-23  0:32 UTC (permalink / raw)
  To: Mimi Zohar, Dmitry Kasatkin
  Cc: James Morris, Serge E . Hallyn, Lakshmi Ramasubramanian,
	Prakhar Srivastava, linux-kernel, linux-integrity,
	linux-security-module

Use ima_validate_rule() to ensure that the combination of a hook
function and the keyrings conditional is valid and that the keyrings
conditional is not specified without an explicit KEY_CHECK func
conditional. This is a code cleanup and has no user-facing change.

Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
---
 security/integrity/ima/ima_policy.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 514baf24d6a5..ae2ec2a9cdb9 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -999,6 +999,12 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
 		case KEXEC_KERNEL_CHECK:
 		case KEXEC_INITRAMFS_CHECK:
 		case POLICY_CHECK:
+			if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC |
+					     IMA_UID | IMA_FOWNER | IMA_FSUUID |
+					     IMA_INMASK | IMA_EUID | IMA_PCR |
+					     IMA_FSNAME))
+				return false;
+
 			break;
 		case KEXEC_CMDLINE:
 			if (entry->action & ~(MEASURE | DONT_MEASURE))
@@ -1026,7 +1032,8 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
 		default:
 			return false;
 		}
-	}
+	} else if (entry->flags & IMA_KEYRINGS)
+		return false;
 
 	return true;
 }
@@ -1208,7 +1215,6 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
 			keyrings_len = strlen(args[0].from) + 1;
 
 			if ((entry->keyrings) ||
-			    (entry->func != KEY_CHECK) ||
 			    (keyrings_len < 2)) {
 				result = -EINVAL;
 				break;
-- 
2.25.1


^ permalink raw reply	[flat|nested] 32+ messages in thread

* [PATCH 11/12] ima: Use the common function to detect LSM conditionals in a rule
  2020-06-23  0:32 [PATCH 00/12] ima: Fix rule parsing bugs and extend KEXEC_CMDLINE rule support Tyler Hicks
                   ` (9 preceding siblings ...)
  2020-06-23  0:32 ` [PATCH 10/12] ima: Move validation of the keyrings conditional into ima_validate_rule() Tyler Hicks
@ 2020-06-23  0:32 ` Tyler Hicks
  2020-06-25 22:45   ` Mimi Zohar
  2020-06-23  0:32 ` [PATCH 12/12] ima: Support additional conditionals in the KEXEC_CMDLINE hook function Tyler Hicks
  11 siblings, 1 reply; 32+ messages in thread
From: Tyler Hicks @ 2020-06-23  0:32 UTC (permalink / raw)
  To: Mimi Zohar, Dmitry Kasatkin
  Cc: James Morris, Serge E . Hallyn, Lakshmi Ramasubramanian,
	Prakhar Srivastava, linux-kernel, linux-integrity,
	linux-security-module

Make broader use of ima_rule_contains_lsm_cond() to check if a given
rule contains an LSM conditional. This is a code cleanup and has no
user-facing change.

Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
---
 security/integrity/ima/ima_policy.c | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index ae2ec2a9cdb9..0ca9902287bf 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -359,17 +359,10 @@ static bool ima_rule_contains_lsm_cond(struct ima_rule_entry *entry)
 static void ima_lsm_update_rules(void)
 {
 	struct ima_rule_entry *entry, *e;
-	int i, result, needs_update;
+	int result;
 
 	list_for_each_entry_safe(entry, e, &ima_policy_rules, list) {
-		needs_update = 0;
-		for (i = 0; i < MAX_LSM_RULES; i++) {
-			if (entry->lsm[i].args_p) {
-				needs_update = 1;
-				break;
-			}
-		}
-		if (!needs_update)
+		if (!ima_rule_contains_lsm_cond(entry))
 			continue;
 
 		result = ima_lsm_update_rule(entry);
-- 
2.25.1


^ permalink raw reply	[flat|nested] 32+ messages in thread

* [PATCH 12/12] ima: Support additional conditionals in the KEXEC_CMDLINE hook function
  2020-06-23  0:32 [PATCH 00/12] ima: Fix rule parsing bugs and extend KEXEC_CMDLINE rule support Tyler Hicks
                   ` (10 preceding siblings ...)
  2020-06-23  0:32 ` [PATCH 11/12] ima: Use the common function to detect LSM conditionals in a rule Tyler Hicks
@ 2020-06-23  0:32 ` Tyler Hicks
  2020-06-25 22:56   ` Mimi Zohar
  11 siblings, 1 reply; 32+ messages in thread
From: Tyler Hicks @ 2020-06-23  0:32 UTC (permalink / raw)
  To: Mimi Zohar, Dmitry Kasatkin
  Cc: James Morris, Serge E . Hallyn, Lakshmi Ramasubramanian,
	Prakhar Srivastava, linux-kernel, linux-integrity,
	linux-security-module, Eric Biederman, kexec

Take the properties of the kexec kernel's inode and the current task
ownership into consideration when matching a KEXEC_CMDLINE operation to
the rules in the IMA policy. This allows for some uniformity when
writing IMA policy rules for KEXEC_KERNEL_CHECK, KEXEC_INITRAMFS_CHECK,
and KEXEC_CMDLINE operations.

Prior to this patch, it was not possible to write a set of rules like
this:

 dont_measure func=KEXEC_KERNEL_CHECK obj_type=foo_t
 dont_measure func=KEXEC_INITRAMFS_CHECK obj_type=foo_t
 dont_measure func=KEXEC_CMDLINE obj_type=foo_t
 measure func=KEXEC_KERNEL_CHECK
 measure func=KEXEC_INITRAMFS_CHECK
 measure func=KEXEC_CMDLINE

The inode information associated with the kernel being loaded by a
kexec_kernel_load(2) syscall can now be included in the decision to
measure or not

Additonally, the uid, euid, and subj_* conditionals can also now be
used in KEXEC_CMDLINE rules. There was no technical reason as to why
those conditionals weren't being considered previously other than
ima_match_rules() didn't have a valid inode to use so it immediately
bailed out for KEXEC_CMDLINE operations rather than going through the
full list of conditional comparisons.

Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
Cc: Eric Biederman <ebiederm@xmission.com>
Cc: kexec@lists.infradead.org
---
 include/linux/ima.h                          |  4 ++--
 kernel/kexec_file.c                          |  2 +-
 security/integrity/ima/ima.h                 |  3 ++-
 security/integrity/ima/ima_api.c             |  2 +-
 security/integrity/ima/ima_appraise.c        |  2 +-
 security/integrity/ima/ima_asymmetric_keys.c |  2 +-
 security/integrity/ima/ima_main.c            | 24 +++++++++++++++-----
 security/integrity/ima/ima_policy.c          | 17 +++++---------
 security/integrity/ima/ima_queue_keys.c      |  2 +-
 9 files changed, 33 insertions(+), 25 deletions(-)

diff --git a/include/linux/ima.h b/include/linux/ima.h
index 9164e1534ec9..d15100de6cdd 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -25,7 +25,7 @@ extern int ima_post_read_file(struct file *file, void *buf, loff_t size,
 			      enum kernel_read_file_id id);
 extern void ima_post_path_mknod(struct dentry *dentry);
 extern int ima_file_hash(struct file *file, char *buf, size_t buf_size);
-extern void ima_kexec_cmdline(const void *buf, int size);
+extern void ima_kexec_cmdline(int kernel_fd, const void *buf, int size);
 
 #ifdef CONFIG_IMA_KEXEC
 extern void ima_add_kexec_buffer(struct kimage *image);
@@ -103,7 +103,7 @@ static inline int ima_file_hash(struct file *file, char *buf, size_t buf_size)
 	return -EOPNOTSUPP;
 }
 
-static inline void ima_kexec_cmdline(const void *buf, int size) {}
+static inline void ima_kexec_cmdline(int kernel_fd, const void *buf, int size) {}
 #endif /* CONFIG_IMA */
 
 #ifndef CONFIG_IMA_KEXEC
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index bb05fd52de85..07df431c1f21 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -287,7 +287,7 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
 			goto out;
 		}
 
-		ima_kexec_cmdline(image->cmdline_buf,
+		ima_kexec_cmdline(kernel_fd, image->cmdline_buf,
 				  image->cmdline_buf_len - 1);
 	}
 
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index de05d7f1d3ec..ed9307dd0e60 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -251,7 +251,8 @@ void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file,
 			   struct ima_template_desc *template_desc);
 void process_buffer_measurement(const void *buf, int size,
 				const char *eventname, enum ima_hooks func,
-				int pcr, const char *keyring);
+				int pcr, struct inode *inode,
+				const char *keyring);
 void ima_audit_measurement(struct integrity_iint_cache *iint,
 			   const unsigned char *filename);
 int ima_alloc_init_template(struct ima_event_data *event_data,
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index bf22de8b7ce0..4f39fb93f278 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -162,7 +162,7 @@ void ima_add_violation(struct file *file, const unsigned char *filename,
 
 /**
  * ima_get_action - appraise & measure decision based on policy.
- * @inode: pointer to inode to measure
+ * @inode: pointer to the inode associated with the object being validated
  * @cred: pointer to credentials structure to validate
  * @secid: secid of the task being validated
  * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXEC,
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index a9649b04b9f1..0c11aeefea24 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -330,7 +330,7 @@ int ima_check_blacklist(struct integrity_iint_cache *iint,
 		if ((rc == -EPERM) && (iint->flags & IMA_MEASURE))
 			process_buffer_measurement(digest, digestsize,
 						   "blacklisted-hash", NONE,
-						   pcr, NULL);
+						   pcr, NULL, NULL);
 	}
 
 	return rc;
diff --git a/security/integrity/ima/ima_asymmetric_keys.c b/security/integrity/ima/ima_asymmetric_keys.c
index aaae80c4e376..585b64557094 100644
--- a/security/integrity/ima/ima_asymmetric_keys.c
+++ b/security/integrity/ima/ima_asymmetric_keys.c
@@ -60,5 +60,5 @@ void ima_post_key_create_or_update(struct key *keyring, struct key *key,
 	 */
 	process_buffer_measurement(payload, payload_len,
 				   keyring->description, KEY_CHECK, 0,
-				   keyring->description);
+				   NULL, keyring->description);
 }
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index c1583d98c5e5..82acd66bf653 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -731,13 +731,15 @@ int ima_load_data(enum kernel_load_data_id id)
  * @eventname: event name to be used for the buffer entry.
  * @func: IMA hook
  * @pcr: pcr to extend the measurement
+ * @inode: inode associated with the object being measured (NULL for KEY_CHECK)
  * @keyring: keyring name to determine the action to be performed
  *
  * Based on policy, the buffer is measured into the ima log.
  */
 void process_buffer_measurement(const void *buf, int size,
 				const char *eventname, enum ima_hooks func,
-				int pcr, const char *keyring)
+				int pcr, struct inode *inode,
+				const char *keyring)
 {
 	int ret = 0;
 	struct ima_template_entry *entry = NULL;
@@ -767,7 +769,7 @@ void process_buffer_measurement(const void *buf, int size,
 	 */
 	if (func) {
 		security_task_getsecid(current, &secid);
-		action = ima_get_action(NULL, current_cred(), secid, 0, func,
+		action = ima_get_action(inode, current_cred(), secid, 0, func,
 					&pcr, &template, keyring);
 		if (!(action & IMA_MEASURE))
 			return;
@@ -815,16 +817,26 @@ void process_buffer_measurement(const void *buf, int size,
 
 /**
  * ima_kexec_cmdline - measure kexec cmdline boot args
+ * @kernel_fd: file descriptor of the kexec kernel being loaded
  * @buf: pointer to buffer
  * @size: size of buffer
  *
  * Buffers can only be measured, not appraised.
  */
-void ima_kexec_cmdline(const void *buf, int size)
+void ima_kexec_cmdline(int kernel_fd, const void *buf, int size)
 {
-	if (buf && size != 0)
-		process_buffer_measurement(buf, size, "kexec-cmdline",
-					   KEXEC_CMDLINE, 0, NULL);
+	struct fd f;
+
+	if (!buf || !size)
+		return;
+
+	f = fdget(kernel_fd);
+	if (!f.file)
+		return;
+
+	process_buffer_measurement(buf, size, "kexec-cmdline", KEXEC_CMDLINE, 0,
+				   file_inode(f.file), NULL);
+	fdput(f);
 }
 
 static int __init init_ima(void)
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 0ca9902287bf..5a6aee530011 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -442,13 +442,9 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
 {
 	int i;
 
-	if ((func == KEXEC_CMDLINE) || (func == KEY_CHECK)) {
-		if ((rule->flags & IMA_FUNC) && (rule->func == func)) {
-			if (func == KEY_CHECK)
-				return ima_match_keyring(rule, keyring, cred);
-			return true;
-		}
-		return false;
+	if (func == KEY_CHECK) {
+		return (rule->flags & IMA_FUNC) && (rule->func == func) &&
+		       ima_match_keyring(rule, keyring, cred);
 	}
 	if ((rule->flags & IMA_FUNC) &&
 	    (rule->func != func && func != POST_SETATTR))
@@ -1003,10 +999,9 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
 			if (entry->action & ~(MEASURE | DONT_MEASURE))
 				return false;
 
-			if (entry->flags & ~(IMA_FUNC | IMA_PCR))
-				return false;
-
-			if (ima_rule_contains_lsm_cond(entry))
+			if (entry->flags & ~(IMA_FUNC | IMA_FSMAGIC | IMA_UID |
+					     IMA_FOWNER | IMA_FSUUID |
+					     IMA_EUID | IMA_PCR | IMA_FSNAME))
 				return false;
 
 			break;
diff --git a/security/integrity/ima/ima_queue_keys.c b/security/integrity/ima/ima_queue_keys.c
index cb3e3f501593..7c69d7397832 100644
--- a/security/integrity/ima/ima_queue_keys.c
+++ b/security/integrity/ima/ima_queue_keys.c
@@ -156,7 +156,7 @@ void ima_process_queued_keys(void)
 			process_buffer_measurement(entry->payload,
 						   entry->payload_len,
 						   entry->keyring_name,
-						   KEY_CHECK, 0,
+						   KEY_CHECK, 0, NULL,
 						   entry->keyring_name);
 		list_del(&entry->list);
 		ima_free_key_entry(entry);
-- 
2.25.1


^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: [PATCH 01/12] ima: Have the LSM free its audit rule
  2020-06-23  0:32 ` [PATCH 01/12] ima: Have the LSM free its audit rule Tyler Hicks
@ 2020-06-23  0:55   ` Casey Schaufler
  2020-06-23  3:04     ` Tyler Hicks
  2020-06-23 23:04   ` Tyler Hicks
  2020-06-25 19:41   ` Mimi Zohar
  2 siblings, 1 reply; 32+ messages in thread
From: Casey Schaufler @ 2020-06-23  0:55 UTC (permalink / raw)
  To: Tyler Hicks, Mimi Zohar, Dmitry Kasatkin
  Cc: James Morris, Serge E . Hallyn, Lakshmi Ramasubramanian,
	Prakhar Srivastava, linux-kernel, linux-integrity,
	linux-security-module, Janne Karhunen, Casey Schaufler

On 6/22/2020 5:32 PM, Tyler Hicks wrote:
> Ask the LSM to free its audit rule rather than directly calling kfree().
> Both AppArmor and SELinux do additional work in their audit_rule_free()
> hooks. Fix memory leaks by allowing the LSMs to perform necessary work.
>
> Fixes: b16942455193 ("ima: use the lsm policy update notifier")
> Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
> Cc: Janne Karhunen <janne.karhunen@gmail.com>
> ---
>  security/integrity/ima/ima.h        | 6 ++++++
>  security/integrity/ima/ima_policy.c | 2 +-
>  2 files changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index df93ac258e01..de05d7f1d3ec 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -404,6 +404,7 @@ static inline void ima_free_modsig(struct modsig *modsig)
>  #ifdef CONFIG_IMA_LSM_RULES
>  
>  #define security_filter_rule_init security_audit_rule_init
> +#define security_filter_rule_free security_audit_rule_free
>  #define security_filter_rule_match security_audit_rule_match

In context this seems perfectly reasonable. If, however, you're
working with the LSM infrastructure this set of #defines is maddening.
The existing ones have been driving my nuts for the past few years,
so I'd like to discourage adding another. Since the security_filter_rule
functions are IMA specific they shouldn't be prefixed security_. I know
that it seems to be code churn/bikesheading, but we please change these:

static inline int ima_filter_rule_init(.....)
{
	return security_audit_rule_init(.....);
}

and so forth. I understand if you don't want to make the change.
I have plenty of other things driving me crazy just now, so this
doesn't seem likely to push me over the edge.

>  
>  #else
> @@ -414,6 +415,11 @@ static inline int security_filter_rule_init(u32 field, u32 op, char *rulestr,
>  	return -EINVAL;
>  }
>  
> +static inline void security_filter_rule_free(void *lsmrule)
> +{
> +	return -EINVAL;
> +}
> +
>  static inline int security_filter_rule_match(u32 secid, u32 field, u32 op,
>  					     void *lsmrule)
>  {
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index e493063a3c34..236a731492d1 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -258,7 +258,7 @@ static void ima_lsm_free_rule(struct ima_rule_entry *entry)
>  	int i;
>  
>  	for (i = 0; i < MAX_LSM_RULES; i++) {
> -		kfree(entry->lsm[i].rule);
> +		security_filter_rule_free(entry->lsm[i].rule);
>  		kfree(entry->lsm[i].args_p);
>  	}
>  	kfree(entry);


^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: [PATCH 01/12] ima: Have the LSM free its audit rule
  2020-06-23  0:55   ` Casey Schaufler
@ 2020-06-23  3:04     ` Tyler Hicks
  0 siblings, 0 replies; 32+ messages in thread
From: Tyler Hicks @ 2020-06-23  3:04 UTC (permalink / raw)
  To: Casey Schaufler
  Cc: Mimi Zohar, Dmitry Kasatkin, James Morris, Serge E . Hallyn,
	Lakshmi Ramasubramanian, Prakhar Srivastava, linux-kernel,
	linux-integrity, linux-security-module, Janne Karhunen

On 2020-06-22 17:55:59, Casey Schaufler wrote:
> On 6/22/2020 5:32 PM, Tyler Hicks wrote:
> > Ask the LSM to free its audit rule rather than directly calling kfree().
> > Both AppArmor and SELinux do additional work in their audit_rule_free()
> > hooks. Fix memory leaks by allowing the LSMs to perform necessary work.
> >
> > Fixes: b16942455193 ("ima: use the lsm policy update notifier")
> > Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
> > Cc: Janne Karhunen <janne.karhunen@gmail.com>
> > ---
> >  security/integrity/ima/ima.h        | 6 ++++++
> >  security/integrity/ima/ima_policy.c | 2 +-
> >  2 files changed, 7 insertions(+), 1 deletion(-)
> >
> > diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> > index df93ac258e01..de05d7f1d3ec 100644
> > --- a/security/integrity/ima/ima.h
> > +++ b/security/integrity/ima/ima.h
> > @@ -404,6 +404,7 @@ static inline void ima_free_modsig(struct modsig *modsig)
> >  #ifdef CONFIG_IMA_LSM_RULES
> >  
> >  #define security_filter_rule_init security_audit_rule_init
> > +#define security_filter_rule_free security_audit_rule_free
> >  #define security_filter_rule_match security_audit_rule_match
> 
> In context this seems perfectly reasonable. If, however, you're
> working with the LSM infrastructure this set of #defines is maddening.
> The existing ones have been driving my nuts for the past few years,
> so I'd like to discourage adding another. Since the security_filter_rule
> functions are IMA specific they shouldn't be prefixed security_. I know
> that it seems to be code churn/bikesheading, but we please change these:
> 
> static inline int ima_filter_rule_init(.....)
> {
> 	return security_audit_rule_init(.....);
> }
> 
> and so forth. I understand if you don't want to make the change.
> I have plenty of other things driving me crazy just now, so this
> doesn't seem likely to push me over the edge.

I'd be happy to take a stab at that as a follow-up or a 13/12 patch. I'd
like to leave this one as-is for stable kernel reasons since it is
straightforward and simple.

Tyler

> 
> >  
> >  #else
> > @@ -414,6 +415,11 @@ static inline int security_filter_rule_init(u32 field, u32 op, char *rulestr,
> >  	return -EINVAL;
> >  }
> >  
> > +static inline void security_filter_rule_free(void *lsmrule)
> > +{
> > +	return -EINVAL;
> > +}
> > +
> >  static inline int security_filter_rule_match(u32 secid, u32 field, u32 op,
> >  					     void *lsmrule)
> >  {
> > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> > index e493063a3c34..236a731492d1 100644
> > --- a/security/integrity/ima/ima_policy.c
> > +++ b/security/integrity/ima/ima_policy.c
> > @@ -258,7 +258,7 @@ static void ima_lsm_free_rule(struct ima_rule_entry *entry)
> >  	int i;
> >  
> >  	for (i = 0; i < MAX_LSM_RULES; i++) {
> > -		kfree(entry->lsm[i].rule);
> > +		security_filter_rule_free(entry->lsm[i].rule);
> >  		kfree(entry->lsm[i].args_p);
> >  	}
> >  	kfree(entry);

^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: [PATCH 01/12] ima: Have the LSM free its audit rule
  2020-06-23  0:32 ` [PATCH 01/12] ima: Have the LSM free its audit rule Tyler Hicks
  2020-06-23  0:55   ` Casey Schaufler
@ 2020-06-23 23:04   ` Tyler Hicks
  2020-06-25 19:41   ` Mimi Zohar
  2 siblings, 0 replies; 32+ messages in thread
From: Tyler Hicks @ 2020-06-23 23:04 UTC (permalink / raw)
  To: Mimi Zohar, Dmitry Kasatkin
  Cc: James Morris, Serge E . Hallyn, Lakshmi Ramasubramanian,
	Prakhar Srivastava, linux-kernel, linux-integrity,
	linux-security-module, Janne Karhunen

On 2020-06-22 19:32:25, Tyler Hicks wrote:
> Ask the LSM to free its audit rule rather than directly calling kfree().
> Both AppArmor and SELinux do additional work in their audit_rule_free()
> hooks. Fix memory leaks by allowing the LSMs to perform necessary work.
> 
> Fixes: b16942455193 ("ima: use the lsm policy update notifier")
> Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
> Cc: Janne Karhunen <janne.karhunen@gmail.com>
> ---
>  security/integrity/ima/ima.h        | 6 ++++++
>  security/integrity/ima/ima_policy.c | 2 +-
>  2 files changed, 7 insertions(+), 1 deletion(-)
> 
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index df93ac258e01..de05d7f1d3ec 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -404,6 +404,7 @@ static inline void ima_free_modsig(struct modsig *modsig)
>  #ifdef CONFIG_IMA_LSM_RULES
>  
>  #define security_filter_rule_init security_audit_rule_init
> +#define security_filter_rule_free security_audit_rule_free
>  #define security_filter_rule_match security_audit_rule_match
>  
>  #else
> @@ -414,6 +415,11 @@ static inline int security_filter_rule_init(u32 field, u32 op, char *rulestr,
>  	return -EINVAL;
>  }
>  
> +static inline void security_filter_rule_free(void *lsmrule)
> +{
> +	return -EINVAL;

Bah, I introduced a build warning here when CONFIG_IMA_LSM_RULES is
disabled. This function should return nothing. I'll wait for additional
feedback before spinning a v2.

Tyler

> +}
> +
>  static inline int security_filter_rule_match(u32 secid, u32 field, u32 op,
>  					     void *lsmrule)
>  {
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index e493063a3c34..236a731492d1 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -258,7 +258,7 @@ static void ima_lsm_free_rule(struct ima_rule_entry *entry)
>  	int i;
>  
>  	for (i = 0; i < MAX_LSM_RULES; i++) {
> -		kfree(entry->lsm[i].rule);
> +		security_filter_rule_free(entry->lsm[i].rule);
>  		kfree(entry->lsm[i].args_p);
>  	}
>  	kfree(entry);
> -- 
> 2.25.1

^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: [PATCH 02/12] ima: Create a function to free a rule entry
  2020-06-23  0:32 ` [PATCH 02/12] ima: Create a function to free a rule entry Tyler Hicks
@ 2020-06-25 19:33   ` Mimi Zohar
  2020-06-25 19:56     ` Tyler Hicks
  0 siblings, 1 reply; 32+ messages in thread
From: Mimi Zohar @ 2020-06-25 19:33 UTC (permalink / raw)
  To: Tyler Hicks, Dmitry Kasatkin
  Cc: James Morris, Serge E . Hallyn, Lakshmi Ramasubramanian,
	Prakhar Srivastava, linux-kernel, linux-integrity,
	linux-security-module

On Mon, 2020-06-22 at 19:32 -0500, Tyler Hicks wrote:
> There are several possible pieces of allocated memory in a rule entry.
> Create a function that can free all allocated memory for a given rule
> entry.
> 
> This patch introduces no functional changes but sets the groundwork for
> some memory leak fixes.
> 
> Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>

Having a function to release all memory associated with a policy rule
in general is a good idea.  However, in the case of the shallow copy,
we're not removing any IMA rules, just updating the LSM info.

There is an opportunity to transition from the builtin policy rules to
a custom IMA policy.  Afterwards IMA policy rules may only be
appended.

An IMA custom policy based on LSM info may be loaded prior to the LSM
policy.  These LSM based rules are inactive until the corresponding
LSM rule is loaded.  In some environments, LSM policies are loaded and
removed frequently.  The IMA rules themselves are not removed, just
the LSM info is updated to reflect the current LSM info.

> ---
>  security/integrity/ima/ima_policy.c | 33 +++++++++++++++++++++++++++--
>  1 file changed, 31 insertions(+), 2 deletions(-)
> 
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 236a731492d1..1320333201c6 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -261,6 +261,27 @@ static void ima_lsm_free_rule(struct ima_rule_entry *entry)
>  		security_filter_rule_free(entry->lsm[i].rule);
>  		kfree(entry->lsm[i].args_p);
>  	}
> +}
> +
> +static void ima_free_rule(struct ima_rule_entry *entry)
> +{
> +	if (!entry)
> +		return;
> +
> +	/*
> +	 * entry->template->fields may be allocated in ima_parse_rule() but that
> +	 * reference is owned by the corresponding ima_template_desc element in
> +	 * the defined_templates list and cannot be freed here
> +	 */
> +
> +	/*
> +	 * When freeing newly added ima_rule_entry members, consider if you
> +	 * need to disown any references after the shallow copy in
> +	 * ima_lsm_copy_rule()
> +	 */
> +	kfree(entry->fsname);
> +	kfree(entry->keyrings);
> +	ima_lsm_free_rule(entry);
>  	kfree(entry);
>  }
>  
> @@ -298,10 +319,18 @@ static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry)
>  			pr_warn("rule for LSM \'%s\' is undefined\n",
>  				(char *)entry->lsm[i].args_p);
>  	}
> +
> +	/* Disown all references that were shallow copied */
> +	entry->fsname = NULL;
> +	entry->keyrings = NULL;
> +	entry->template = NULL;
>  	return nentry;
>  
>  out_err:
> -	ima_lsm_free_rule(nentry);
> +	nentry->fsname = NULL;
> +	nentry->keyrings = NULL;
> +	nentry->template = NULL;
> +	ima_free_rule(nentry);

>  	return NULL;
>  }
>  
> @@ -315,7 +344,7 @@ static int ima_lsm_update_rule(struct ima_rule_entry *entry)
>  
>  	list_replace_rcu(&entry->list, &nentry->list);
>  	synchronize_rcu();
> -	ima_lsm_free_rule(entry);
> +	ima_free_rule(entry);

This should only update the LSM info, nothing else.

>  
>  	return 0;
>  }


^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: [PATCH 01/12] ima: Have the LSM free its audit rule
  2020-06-23  0:32 ` [PATCH 01/12] ima: Have the LSM free its audit rule Tyler Hicks
  2020-06-23  0:55   ` Casey Schaufler
  2020-06-23 23:04   ` Tyler Hicks
@ 2020-06-25 19:41   ` Mimi Zohar
  2 siblings, 0 replies; 32+ messages in thread
From: Mimi Zohar @ 2020-06-25 19:41 UTC (permalink / raw)
  To: Tyler Hicks, Dmitry Kasatkin
  Cc: James Morris, Serge E . Hallyn, Lakshmi Ramasubramanian,
	Prakhar Srivastava, linux-kernel, linux-integrity,
	linux-security-module, Janne Karhunen

On Mon, 2020-06-22 at 19:32 -0500, Tyler Hicks wrote:
> Ask the LSM to free its audit rule rather than directly calling kfree().
> Both AppArmor and SELinux do additional work in their audit_rule_free()
> hooks. Fix memory leaks by allowing the LSMs to perform necessary work.
> 
> Fixes: b16942455193 ("ima: use the lsm policy update notifier")
> Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
> Cc: Janne Karhunen <janne.karhunen@gmail.com>

Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>

^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: [PATCH 10/12] ima: Move validation of the keyrings conditional into ima_validate_rule()
  2020-06-23  0:32 ` [PATCH 10/12] ima: Move validation of the keyrings conditional into ima_validate_rule() Tyler Hicks
@ 2020-06-25 19:50   ` Tyler Hicks
  2020-06-25 20:46     ` Mimi Zohar
  0 siblings, 1 reply; 32+ messages in thread
From: Tyler Hicks @ 2020-06-25 19:50 UTC (permalink / raw)
  To: Mimi Zohar, Dmitry Kasatkin
  Cc: James Morris, Serge E . Hallyn, Lakshmi Ramasubramanian,
	Prakhar Srivastava, linux-kernel, linux-integrity,
	linux-security-module

On 2020-06-22 19:32:34, Tyler Hicks wrote:
> Use ima_validate_rule() to ensure that the combination of a hook
> function and the keyrings conditional is valid and that the keyrings
> conditional is not specified without an explicit KEY_CHECK func
> conditional. This is a code cleanup and has no user-facing change.
> 
> Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
> ---
>  security/integrity/ima/ima_policy.c | 10 ++++++++--
>  1 file changed, 8 insertions(+), 2 deletions(-)
> 
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 514baf24d6a5..ae2ec2a9cdb9 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -999,6 +999,12 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
>  		case KEXEC_KERNEL_CHECK:
>  		case KEXEC_INITRAMFS_CHECK:
>  		case POLICY_CHECK:
> +			if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC |
> +					     IMA_UID | IMA_FOWNER | IMA_FSUUID |
> +					     IMA_INMASK | IMA_EUID | IMA_PCR |
> +					     IMA_FSNAME))

I accidentally left these out:

 (IMA_DIGSIG_REQUIRED | IMA_PERMIT_DIRECTIO | IMA_MODSIG_ALLOWED | IMA_CHECK_BLACKLIST)

I'll add them in v2.

Tyler

> +				return false;
> +
>  			break;
>  		case KEXEC_CMDLINE:
>  			if (entry->action & ~(MEASURE | DONT_MEASURE))
> @@ -1026,7 +1032,8 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
>  		default:
>  			return false;
>  		}
> -	}
> +	} else if (entry->flags & IMA_KEYRINGS)
> +		return false;
>  
>  	return true;
>  }
> @@ -1208,7 +1215,6 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
>  			keyrings_len = strlen(args[0].from) + 1;
>  
>  			if ((entry->keyrings) ||
> -			    (entry->func != KEY_CHECK) ||
>  			    (keyrings_len < 2)) {
>  				result = -EINVAL;
>  				break;
> -- 
> 2.25.1

^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: [PATCH 02/12] ima: Create a function to free a rule entry
  2020-06-25 19:33   ` Mimi Zohar
@ 2020-06-25 19:56     ` Tyler Hicks
  2020-06-25 20:32       ` Mimi Zohar
  0 siblings, 1 reply; 32+ messages in thread
From: Tyler Hicks @ 2020-06-25 19:56 UTC (permalink / raw)
  To: Mimi Zohar
  Cc: Dmitry Kasatkin, James Morris, Serge E . Hallyn,
	Lakshmi Ramasubramanian, Prakhar Srivastava, linux-kernel,
	linux-integrity, linux-security-module

On 2020-06-25 15:33:33, Mimi Zohar wrote:
> On Mon, 2020-06-22 at 19:32 -0500, Tyler Hicks wrote:
> > There are several possible pieces of allocated memory in a rule entry.
> > Create a function that can free all allocated memory for a given rule
> > entry.
> > 
> > This patch introduces no functional changes but sets the groundwork for
> > some memory leak fixes.
> > 
> > Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
> 
> Having a function to release all memory associated with a policy rule
> in general is a good idea.  However, in the case of the shallow copy,
> we're not removing any IMA rules, just updating the LSM info.
> 
> There is an opportunity to transition from the builtin policy rules to
> a custom IMA policy.  Afterwards IMA policy rules may only be
> appended.
> 
> An IMA custom policy based on LSM info may be loaded prior to the LSM
> policy.  These LSM based rules are inactive until the corresponding
> LSM rule is loaded.  In some environments, LSM policies are loaded and
> removed frequently.  The IMA rules themselves are not removed, just
> the LSM info is updated to reflect the current LSM info.
> 
> > ---
> >  security/integrity/ima/ima_policy.c | 33 +++++++++++++++++++++++++++--
> >  1 file changed, 31 insertions(+), 2 deletions(-)
> > 
> > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> > index 236a731492d1..1320333201c6 100644
> > --- a/security/integrity/ima/ima_policy.c
> > +++ b/security/integrity/ima/ima_policy.c
> > @@ -261,6 +261,27 @@ static void ima_lsm_free_rule(struct ima_rule_entry *entry)
> >  		security_filter_rule_free(entry->lsm[i].rule);
> >  		kfree(entry->lsm[i].args_p);
> >  	}
> > +}
> > +
> > +static void ima_free_rule(struct ima_rule_entry *entry)
> > +{
> > +	if (!entry)
> > +		return;
> > +
> > +	/*
> > +	 * entry->template->fields may be allocated in ima_parse_rule() but that
> > +	 * reference is owned by the corresponding ima_template_desc element in
> > +	 * the defined_templates list and cannot be freed here
> > +	 */
> > +
> > +	/*
> > +	 * When freeing newly added ima_rule_entry members, consider if you
> > +	 * need to disown any references after the shallow copy in
> > +	 * ima_lsm_copy_rule()
> > +	 */
> > +	kfree(entry->fsname);
> > +	kfree(entry->keyrings);
> > +	ima_lsm_free_rule(entry);
> >  	kfree(entry);
> >  }
> >  
> > @@ -298,10 +319,18 @@ static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry)
> >  			pr_warn("rule for LSM \'%s\' is undefined\n",
> >  				(char *)entry->lsm[i].args_p);
> >  	}
> > +
> > +	/* Disown all references that were shallow copied */
> > +	entry->fsname = NULL;
> > +	entry->keyrings = NULL;
> > +	entry->template = NULL;
> >  	return nentry;
> >  
> >  out_err:
> > -	ima_lsm_free_rule(nentry);
> > +	nentry->fsname = NULL;
> > +	nentry->keyrings = NULL;
> > +	nentry->template = NULL;
> > +	ima_free_rule(nentry);
> 
> >  	return NULL;
> >  }
> >  
> > @@ -315,7 +344,7 @@ static int ima_lsm_update_rule(struct ima_rule_entry *entry)
> >  
> >  	list_replace_rcu(&entry->list, &nentry->list);
> >  	synchronize_rcu();
> > -	ima_lsm_free_rule(entry);
> > +	ima_free_rule(entry);
> 
> This should only update the LSM info, nothing else.

That's effectively what's happening since the fsname, keyrings, and
template pointers are being set to NULL, before exiting
ima_lsm_copy_rule(), in the ima_rule_entry that's going to be freed.

This patch is only introducing the function which can free all memory
associated with a rule and is starting to use it in place that a rule
entry is freed.

Would you rather me introduce ima_free_rule() for the upcoming memory
leak fixes in the series but not make use of it in
ima_lsm_update_rule()?

Tyler

> 
> >  
> >  	return 0;
> >  }

^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: [PATCH 02/12] ima: Create a function to free a rule entry
  2020-06-25 19:56     ` Tyler Hicks
@ 2020-06-25 20:32       ` Mimi Zohar
  0 siblings, 0 replies; 32+ messages in thread
From: Mimi Zohar @ 2020-06-25 20:32 UTC (permalink / raw)
  To: Tyler Hicks
  Cc: Dmitry Kasatkin, James Morris, Serge E . Hallyn,
	Lakshmi Ramasubramanian, Prakhar Srivastava, linux-kernel,
	linux-integrity, linux-security-module

On Thu, 2020-06-25 at 14:56 -0500, Tyler Hicks wrote:
> On 2020-06-25 15:33:33, Mimi Zohar wrote:
> > On Mon, 2020-06-22 at 19:32 -0500, Tyler Hicks wrote:
> > > There are several possible pieces of allocated memory in a rule entry.
> > > Create a function that can free all allocated memory for a given rule
> > > entry.
> > > 
> > > This patch introduces no functional changes but sets the groundwork for
> > > some memory leak fixes.
> > > 
> > > Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
> > 
> > Having a function to release all memory associated with a policy rule
> > in general is a good idea.  However, in the case of the shallow copy,
> > we're not removing any IMA rules, just updating the LSM info.
> > 
> > There is an opportunity to transition from the builtin policy rules to
> > a custom IMA policy.  Afterwards IMA policy rules may only be
> > appended.
> > 
> > An IMA custom policy based on LSM info may be loaded prior to the LSM
> > policy.  These LSM based rules are inactive until the corresponding
> > LSM rule is loaded.  In some environments, LSM policies are loaded and
> > removed frequently.  The IMA rules themselves are not removed, just
> > the LSM info is updated to reflect the current LSM info.
> > 
> > > ---
> > >  security/integrity/ima/ima_policy.c | 33 +++++++++++++++++++++++++++--
> > >  1 file changed, 31 insertions(+), 2 deletions(-)
> > > 
> > > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> > > index 236a731492d1..1320333201c6 100644
> > > --- a/security/integrity/ima/ima_policy.c
> > > +++ b/security/integrity/ima/ima_policy.c
> > > @@ -261,6 +261,27 @@ static void ima_lsm_free_rule(struct ima_rule_entry *entry)
> > >  		security_filter_rule_free(entry->lsm[i].rule);
> > >  		kfree(entry->lsm[i].args_p);
> > >  	}
> > > +}
> > > +
> > > +static void ima_free_rule(struct ima_rule_entry *entry)
> > > +{
> > > +	if (!entry)
> > > +		return;
> > > +
> > > +	/*
> > > +	 * entry->template->fields may be allocated in ima_parse_rule() but that
> > > +	 * reference is owned by the corresponding ima_template_desc element in
> > > +	 * the defined_templates list and cannot be freed here
> > > +	 */
> > > +
> > > +	/*
> > > +	 * When freeing newly added ima_rule_entry members, consider if you
> > > +	 * need to disown any references after the shallow copy in
> > > +	 * ima_lsm_copy_rule()
> > > +	 */
> > > +	kfree(entry->fsname);
> > > +	kfree(entry->keyrings);
> > > +	ima_lsm_free_rule(entry);
> > >  	kfree(entry);
> > >  }
> > >  
> > > @@ -298,10 +319,18 @@ static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry)
> > >  			pr_warn("rule for LSM \'%s\' is undefined\n",
> > >  				(char *)entry->lsm[i].args_p);
> > >  	}
> > > +
> > > +	/* Disown all references that were shallow copied */
> > > +	entry->fsname = NULL;
> > > +	entry->keyrings = NULL;
> > > +	entry->template = NULL;
> > >  	return nentry;
> > >  
> > >  out_err:
> > > -	ima_lsm_free_rule(nentry);
> > > +	nentry->fsname = NULL;
> > > +	nentry->keyrings = NULL;
> > > +	nentry->template = NULL;
> > > +	ima_free_rule(nentry);
> > 
> > >  	return NULL;
> > >  }
> > >  
> > > @@ -315,7 +344,7 @@ static int ima_lsm_update_rule(struct ima_rule_entry *entry)
> > >  
> > >  	list_replace_rcu(&entry->list, &nentry->list);
> > >  	synchronize_rcu();
> > > -	ima_lsm_free_rule(entry);
> > > +	ima_free_rule(entry);
> > 
> > This should only update the LSM info, nothing else.
> 
> That's effectively what's happening since the fsname, keyrings, and
> template pointers are being set to NULL, before exiting
> ima_lsm_copy_rule(), in the ima_rule_entry that's going to be freed.

Ah, that clarified the reason for setting fsname, keyrings, ... to
null before calling ima_free_rule.

> 
> This patch is only introducing the function which can free all memory
> associated with a rule and is starting to use it in place that a rule
> entry is freed.
> 
> Would you rather me introduce ima_free_rule() for the upcoming memory
> leak fixes in the series but not make use of it in
> ima_lsm_update_rule()?

You could add a comment explaining the NULLs, but it might be clearer
to keep the direct call to ima_lsm_free_rule().

Mimi

^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: [PATCH 10/12] ima: Move validation of the keyrings conditional into ima_validate_rule()
  2020-06-25 19:50   ` Tyler Hicks
@ 2020-06-25 20:46     ` Mimi Zohar
  0 siblings, 0 replies; 32+ messages in thread
From: Mimi Zohar @ 2020-06-25 20:46 UTC (permalink / raw)
  To: Tyler Hicks, Dmitry Kasatkin
  Cc: James Morris, Serge E . Hallyn, Lakshmi Ramasubramanian,
	Prakhar Srivastava, linux-kernel, linux-integrity,
	linux-security-module


> > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> > index 514baf24d6a5..ae2ec2a9cdb9 100644
> > --- a/security/integrity/ima/ima_policy.c
> > +++ b/security/integrity/ima/ima_policy.c
> > @@ -999,6 +999,12 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
> >  		case KEXEC_KERNEL_CHECK:
> >  		case KEXEC_INITRAMFS_CHECK:
> >  		case POLICY_CHECK:
> > +			if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC |
> > +					     IMA_UID | IMA_FOWNER | IMA_FSUUID |
> > +					     IMA_INMASK | IMA_EUID | IMA_PCR |
> > +					     IMA_FSNAME))
> 
> I accidentally left these out:
> 
>  (IMA_DIGSIG_REQUIRED | IMA_PERMIT_DIRECTIO | IMA_MODSIG_ALLOWED | IMA_CHECK_BLACKLIST)
> 
> I'll add them in v2.

Thanks, I noticed when skimming the patches the first time around.

Mimi

^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: [PATCH 03/12] ima: Free the entire rule when deleting a list of rules
  2020-06-23  0:32 ` [PATCH 03/12] ima: Free the entire rule when deleting a list of rules Tyler Hicks
@ 2020-06-25 21:05   ` Mimi Zohar
  2020-06-25 21:07   ` Mimi Zohar
  1 sibling, 0 replies; 32+ messages in thread
From: Mimi Zohar @ 2020-06-25 21:05 UTC (permalink / raw)
  To: Tyler Hicks, Dmitry Kasatkin
  Cc: James Morris, Serge E . Hallyn, Lakshmi Ramasubramanian,
	Prakhar Srivastava, linux-kernel, linux-integrity,
	linux-security-module

On Mon, 2020-06-22 at 19:32 -0500, Tyler Hicks wrote:
> Use ima_free_rule() to fix memory leaks of allocated ima_rule_entry
> members, such as .fsname and .keyrings, when deleting a list of rules.
> 
> This fixes a memory leak seen when loading by a valid rule that contains
> an additional piece of allocated memory, such as an fsname, followed by
> an invalid rule that triggers a policy load failure:
> 
>  # echo -e "dont_measure fsname=securityfs\nbad syntax" > \
>     /sys/kernel/security/ima/policy
>  -bash: echo: write error: Invalid argument
>  # echo scan > /sys/kernel/debug/kmemleak
>  # cat /sys/kernel/debug/kmemleak
>  unreferenced object 0xffff9bab67ca12c0 (size 16):
>    comm "tee", pid 684, jiffies 4295212803 (age 252.344s)
>    hex dump (first 16 bytes):
>      73 65 63 75 72 69 74 79 66 73 00 6b 6b 6b 6b a5  securityfs.kkkk.
>    backtrace:
>      [<00000000adc80b1b>] kstrdup+0x2e/0x60
>      [<00000000d504cb0d>] ima_parse_add_rule+0x7d4/0x1020
>      [<00000000444825ac>] ima_write_policy+0xab/0x1d0
>      [<000000002b7f0d6c>] vfs_write+0xde/0x1d0
>      [<0000000096feedcf>] ksys_write+0x68/0xe0
>      [<0000000052b544a2>] do_syscall_64+0x56/0xa0
>      [<000000007ead1ba7>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> 
> Fixes: f1b08bbcbdaf ("ima: define a new policy condition based on the filesystem name")
> Fixes: 2b60c0ecedf8 ("IMA: Read keyrings= option from the IMA policy")
> Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>

Thanks!  Thinking about it some more.  It makes more sense to define
ima_free_rule() here in this patch.

Mimi

> ---
>  security/integrity/ima/ima_policy.c | 6 +-----
>  1 file changed, 1 insertion(+), 5 deletions(-)
> 
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 1320333201c6..94ca3b8abb69 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -1431,15 +1431,11 @@ ssize_t ima_parse_add_rule(char *rule)
>  void ima_delete_rules(void)
>  {
>  	struct ima_rule_entry *entry, *tmp;
> -	int i;
>  
>  	temp_ima_appraise = 0;
>  	list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) {
> -		for (i = 0; i < MAX_LSM_RULES; i++)
> -			kfree(entry->lsm[i].args_p);
> -
>  		list_del(&entry->list);
> -		kfree(entry);
> +		ima_free_rule(entry);
>  	}
>  }
>  


^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: [PATCH 03/12] ima: Free the entire rule when deleting a list of rules
  2020-06-23  0:32 ` [PATCH 03/12] ima: Free the entire rule when deleting a list of rules Tyler Hicks
  2020-06-25 21:05   ` Mimi Zohar
@ 2020-06-25 21:07   ` Mimi Zohar
  2020-06-25 21:08     ` Mimi Zohar
  1 sibling, 1 reply; 32+ messages in thread
From: Mimi Zohar @ 2020-06-25 21:07 UTC (permalink / raw)
  To: Tyler Hicks, Dmitry Kasatkin
  Cc: James Morris, Serge E . Hallyn, Lakshmi Ramasubramanian,
	Prakhar Srivastava, linux-kernel, linux-integrity,
	linux-security-module

On Mon, 2020-06-22 at 19:32 -0500, Tyler Hicks wrote:
> Use ima_free_rule() to fix memory leaks of allocated ima_rule_entry
> members, such as .fsname and .keyrings, when deleting a list of rules.
> 
> This fixes a memory leak seen when loading by a valid rule that contains
> an additional piece of allocated memory, such as an fsname, followed by
> an invalid rule that triggers a policy load failure:
> 
>  # echo -e "dont_measure fsname=securityfs\nbad syntax" > \
>     /sys/kernel/security/ima/policy
>  -bash: echo: write error: Invalid argument
>  # echo scan > /sys/kernel/debug/kmemleak
>  # cat /sys/kernel/debug/kmemleak
>  unreferenced object 0xffff9bab67ca12c0 (size 16):
>    comm "tee", pid 684, jiffies 4295212803 (age 252.344s)
>    hex dump (first 16 bytes):
>      73 65 63 75 72 69 74 79 66 73 00 6b 6b 6b 6b a5  securityfs.kkkk.
>    backtrace:
>      [<00000000adc80b1b>] kstrdup+0x2e/0x60
>      [<00000000d504cb0d>] ima_parse_add_rule+0x7d4/0x1020
>      [<00000000444825ac>] ima_write_policy+0xab/0x1d0
>      [<000000002b7f0d6c>] vfs_write+0xde/0x1d0
>      [<0000000096feedcf>] ksys_write+0x68/0xe0
>      [<0000000052b544a2>] do_syscall_64+0x56/0xa0
>      [<000000007ead1ba7>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> 
> Fixes: f1b08bbcbdaf ("ima: define a new policy condition based on the filesystem name")
> Fixes: 2b60c0ecedf8 ("IMA: Read keyrings= option from the IMA policy")
> Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>

Your decision, but you might consider squashing this patch with 3/12.
 Everything all together in one patch.

Mimi

> ---
>  security/integrity/ima/ima_policy.c | 6 +-----
>  1 file changed, 1 insertion(+), 5 deletions(-)
> 
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 1320333201c6..94ca3b8abb69 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -1431,15 +1431,11 @@ ssize_t ima_parse_add_rule(char *rule)
>  void ima_delete_rules(void)
>  {
>  	struct ima_rule_entry *entry, *tmp;
> -	int i;
>  
>  	temp_ima_appraise = 0;
>  	list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) {
> -		for (i = 0; i < MAX_LSM_RULES; i++)
> -			kfree(entry->lsm[i].args_p);
> -
>  		list_del(&entry->list);
> -		kfree(entry);
> +		ima_free_rule(entry);
>  	}
>  }
>  


^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: [PATCH 03/12] ima: Free the entire rule when deleting a list of rules
  2020-06-25 21:07   ` Mimi Zohar
@ 2020-06-25 21:08     ` Mimi Zohar
  0 siblings, 0 replies; 32+ messages in thread
From: Mimi Zohar @ 2020-06-25 21:08 UTC (permalink / raw)
  To: Tyler Hicks, Dmitry Kasatkin
  Cc: James Morris, Serge E . Hallyn, Lakshmi Ramasubramanian,
	Prakhar Srivastava, linux-kernel, linux-integrity,
	linux-security-module

On Thu, 2020-06-25 at 17:07 -0400, Mimi Zohar wrote:
> On Mon, 2020-06-22 at 19:32 -0500, Tyler Hicks wrote:
> > Use ima_free_rule() to fix memory leaks of allocated ima_rule_entry
> > members, such as .fsname and .keyrings, when deleting a list of rules.
> > 
> > This fixes a memory leak seen when loading by a valid rule that contains
> > an additional piece of allocated memory, such as an fsname, followed by
> > an invalid rule that triggers a policy load failure:
> > 
> >  # echo -e "dont_measure fsname=securityfs\nbad syntax" > \
> >     /sys/kernel/security/ima/policy
> >  -bash: echo: write error: Invalid argument
> >  # echo scan > /sys/kernel/debug/kmemleak
> >  # cat /sys/kernel/debug/kmemleak
> >  unreferenced object 0xffff9bab67ca12c0 (size 16):
> >    comm "tee", pid 684, jiffies 4295212803 (age 252.344s)
> >    hex dump (first 16 bytes):
> >      73 65 63 75 72 69 74 79 66 73 00 6b 6b 6b 6b a5  securityfs.kkkk.
> >    backtrace:
> >      [<00000000adc80b1b>] kstrdup+0x2e/0x60
> >      [<00000000d504cb0d>] ima_parse_add_rule+0x7d4/0x1020
> >      [<00000000444825ac>] ima_write_policy+0xab/0x1d0
> >      [<000000002b7f0d6c>] vfs_write+0xde/0x1d0
> >      [<0000000096feedcf>] ksys_write+0x68/0xe0
> >      [<0000000052b544a2>] do_syscall_64+0x56/0xa0
> >      [<000000007ead1ba7>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> > 
> > Fixes: f1b08bbcbdaf ("ima: define a new policy condition based on the filesystem name")
> > Fixes: 2b60c0ecedf8 ("IMA: Read keyrings= option from the IMA policy")
> > Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
> 
> Your decision, but you might consider squashing this patch with 3/12.
>  Everything all together in one patch.

Oops, that was the comment for 4/12.

Mimi

^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: [PATCH 08/12] ima: Shallow copy the args_p member of ima_rule_entry.lsm elements
  2020-06-23  0:32 ` [PATCH 08/12] ima: Shallow copy the args_p member of ima_rule_entry.lsm elements Tyler Hicks
@ 2020-06-25 21:18   ` Mimi Zohar
  0 siblings, 0 replies; 32+ messages in thread
From: Mimi Zohar @ 2020-06-25 21:18 UTC (permalink / raw)
  To: Tyler Hicks, Dmitry Kasatkin
  Cc: James Morris, Serge E . Hallyn, Lakshmi Ramasubramanian,
	Prakhar Srivastava, linux-kernel, linux-integrity,
	linux-security-module

On Mon, 2020-06-22 at 19:32 -0500, Tyler Hicks wrote:
> The args_p member is a simple string that is allocated by
> ima_rule_init(). Shallow copy it like other non-LSM references in
> ima_rule_entry structs.
> 
> There are no longer any necessary error path cleanups to do in
> ima_lsm_copy_rule() so reference ownership from entry to nentry becomes
> easier.
> 
> Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
> ---
>  security/integrity/ima/ima_policy.c | 13 ++-----------
>  1 file changed, 2 insertions(+), 11 deletions(-)
> 
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index e33347148aa9..e9c7d318fdd4 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -306,10 +306,8 @@ static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry)
>  			continue;
>  
>  		nentry->lsm[i].type = entry->lsm[i].type;
> -		nentry->lsm[i].args_p = kstrdup(entry->lsm[i].args_p,
> -						GFP_KERNEL);
> -		if (!nentry->lsm[i].args_p)
> -			goto out_err;
> +		nentry->lsm[i].args_p = entry->lsm[i].args_p;
> +		entry->lsm[i].args_p = NULL;

Nice.

>  
>  		security_filter_rule_init(nentry->lsm[i].type,
>  					  Audit_equal,
> @@ -325,13 +323,6 @@ static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry)
>  	entry->keyrings = NULL;
>  	entry->template = NULL;
>  	return nentry;
> -
> -out_err:
> -	nentry->fsname = NULL;
> -	nentry->keyrings = NULL;
> -	nentry->template = NULL;
> -	ima_free_rule(nentry);
> -	return NULL;
>  }

Definitely moving ima_free_rule() to the subsequent patch makes sense.

Mimi

>  
>  static int ima_lsm_update_rule(struct ima_rule_entry *entry)


^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: [PATCH 09/12] ima: Use correct type for the args_p member of ima_rule_entry.lsm elements
  2020-06-23  0:32 ` [PATCH 09/12] ima: Use correct type for " Tyler Hicks
@ 2020-06-25 21:20   ` Mimi Zohar
  0 siblings, 0 replies; 32+ messages in thread
From: Mimi Zohar @ 2020-06-25 21:20 UTC (permalink / raw)
  To: Tyler Hicks, Dmitry Kasatkin
  Cc: James Morris, Serge E . Hallyn, Lakshmi Ramasubramanian,
	Prakhar Srivastava, linux-kernel, linux-integrity,
	linux-security-module

On Mon, 2020-06-22 at 19:32 -0500, Tyler Hicks wrote:
> Make args_p be of the char pointer type rather than have it be a void
> pointer that gets casted to char pointer when it is used. It is a simple
> NUL-terminated string as returned by match_strdup().
> 
> Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>

Thanks!

Mimi

^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: [PATCH 05/12] ima: Fail rule parsing when buffer hook functions have an invalid action
  2020-06-23  0:32 ` [PATCH 05/12] ima: Fail rule parsing when buffer hook functions have an invalid action Tyler Hicks
@ 2020-06-25 21:51   ` Mimi Zohar
  0 siblings, 0 replies; 32+ messages in thread
From: Mimi Zohar @ 2020-06-25 21:51 UTC (permalink / raw)
  To: Tyler Hicks, Dmitry Kasatkin
  Cc: James Morris, Serge E . Hallyn, Lakshmi Ramasubramanian,
	Prakhar Srivastava, linux-kernel, linux-integrity,
	linux-security-module

On Mon, 2020-06-22 at 19:32 -0500, Tyler Hicks wrote:
> Buffer based hook functions, such as KEXEC_CMDLINE and KEY_CHECK, can
> only measure. The process_buffer_measurement() function quietly ignores
> all actions except measure so make this behavior clear at the time of
> policy load.
> 
> The parsing of the keyrings conditional had a check to ensure that it
> was only specified with measure actions but the check should be on the
> hook function and not the keyrings conditional since
> "appraise func=KEY_CHECK" is not a valid rule.
> 
> Fixes: b0935123a183 ("IMA: Define a new hook to measure the kexec boot command line arguments")
> Fixes: 5808611cccb2 ("IMA: Add KEY_CHECK func to measure keys")
> Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
> ---
>  security/integrity/ima/ima_policy.c | 36 +++++++++++++++++++++++++++--
>  1 file changed, 34 insertions(+), 2 deletions(-)
> 
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index ee5152ecd3d9..ecc234b956a2 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -979,6 +979,39 @@ static void check_template_modsig(const struct ima_template_desc *template)
>  #undef MSG
>  }
>  
> +static bool ima_validate_rule(struct ima_rule_entry *entry)
> +{
> +	if (entry->action == UNKNOWN)
> +		return false;
> +
> +	if (entry->flags & IMA_FUNC) {
> +		switch (entry->func) {
> +		case NONE:
> +		case FILE_CHECK:
> +		case MMAP_CHECK:
> +		case BPRM_CHECK:
> +		case CREDS_CHECK:
> +		case POST_SETATTR:
> +		case MODULE_CHECK:
> +		case FIRMWARE_CHECK:
> +		case KEXEC_KERNEL_CHECK:
> +		case KEXEC_INITRAMFS_CHECK:
> +		case POLICY_CHECK:
> +			break;
> +		case KEXEC_CMDLINE:
> +		case KEY_CHECK:
> +			if (entry->action & ~(MEASURE | DONT_MEASURE))
> +				return false;
> +
> +			break;
> +		default:
> +			return false;
> +		}
> +	}
> +
> +	return true;
> +}
> +

Good idea.  There are a couple of other examples that could be cleaned
up as well.  For example, for performance reasons
"appraise_flag=check_blacklist" is limited to files with appended
signatures, like kernel modules and the kexec kernel image
(OpenPower).

Mimi

^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: [PATCH 06/12] ima: Fail rule parsing when the KEXEC_CMDLINE hook is combined with an invalid cond
  2020-06-23  0:32 ` [PATCH 06/12] ima: Fail rule parsing when the KEXEC_CMDLINE hook is combined with an invalid cond Tyler Hicks
@ 2020-06-25 21:53   ` Mimi Zohar
  0 siblings, 0 replies; 32+ messages in thread
From: Mimi Zohar @ 2020-06-25 21:53 UTC (permalink / raw)
  To: Tyler Hicks, Dmitry Kasatkin
  Cc: James Morris, Serge E . Hallyn, Lakshmi Ramasubramanian,
	Prakhar Srivastava, linux-kernel, linux-integrity,
	linux-security-module

On Mon, 2020-06-22 at 19:32 -0500, Tyler Hicks wrote:
> The KEXEC_CMDLINE hook function only supports the pcr conditional. Make
> this clear at policy load so that IMA policy authors don't assume that
> other conditionals are supported.
> 
> Since KEXEC_CMDLINE's inception, ima_match_rules() has always returned
> true on any loaded KEXEC_CMDLINE rule without any consideration for
> other conditionals present in the rule. Make it clear that pcr is the
> only supported KEXEC_CMDLINE conditional by returning an error during
> policy load.
> 
> An example of why this is a problem can be explained with the following
> rule:
> 
>  dont_measure func=KEXEC_CMDLINE obj_type=foo_t
> 
> An IMA policy author would have assumed that rule is valid because the
> parser accepted it but the result was that measurements for all
> KEXEC_CMDLINE operations would be disabled.
> 
> Fixes: b0935123a183 ("IMA: Define a new hook to measure the kexec boot command line arguments")
> Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>

Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>

^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: [PATCH 11/12] ima: Use the common function to detect LSM conditionals in a rule
  2020-06-23  0:32 ` [PATCH 11/12] ima: Use the common function to detect LSM conditionals in a rule Tyler Hicks
@ 2020-06-25 22:45   ` Mimi Zohar
  0 siblings, 0 replies; 32+ messages in thread
From: Mimi Zohar @ 2020-06-25 22:45 UTC (permalink / raw)
  To: Tyler Hicks, Dmitry Kasatkin
  Cc: James Morris, Serge E . Hallyn, Lakshmi Ramasubramanian,
	Prakhar Srivastava, linux-kernel, linux-integrity,
	linux-security-module

On Mon, 2020-06-22 at 19:32 -0500, Tyler Hicks wrote:
> Make broader use of ima_rule_contains_lsm_cond() to check if a given
> rule contains an LSM conditional. This is a code cleanup and has no
> user-facing change.
> 
> Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>

Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>

Mimi

^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: [PATCH 12/12] ima: Support additional conditionals in the KEXEC_CMDLINE hook function
  2020-06-23  0:32 ` [PATCH 12/12] ima: Support additional conditionals in the KEXEC_CMDLINE hook function Tyler Hicks
@ 2020-06-25 22:56   ` Mimi Zohar
  2020-06-25 22:59     ` Tyler Hicks
  0 siblings, 1 reply; 32+ messages in thread
From: Mimi Zohar @ 2020-06-25 22:56 UTC (permalink / raw)
  To: Tyler Hicks, Dmitry Kasatkin
  Cc: James Morris, Serge E . Hallyn, Lakshmi Ramasubramanian,
	Prakhar Srivastava, linux-kernel, linux-integrity,
	linux-security-module, Eric Biederman, kexec

On Mon, 2020-06-22 at 19:32 -0500, Tyler Hicks wrote:
> Take the properties of the kexec kernel's inode and the current task
> ownership into consideration when matching a KEXEC_CMDLINE operation to
> the rules in the IMA policy. This allows for some uniformity when
> writing IMA policy rules for KEXEC_KERNEL_CHECK, KEXEC_INITRAMFS_CHECK,
> and KEXEC_CMDLINE operations.
> 
> Prior to this patch, it was not possible to write a set of rules like
> this:
> 
>  dont_measure func=KEXEC_KERNEL_CHECK obj_type=foo_t
>  dont_measure func=KEXEC_INITRAMFS_CHECK obj_type=foo_t
>  dont_measure func=KEXEC_CMDLINE obj_type=foo_t
>  measure func=KEXEC_KERNEL_CHECK
>  measure func=KEXEC_INITRAMFS_CHECK
>  measure func=KEXEC_CMDLINE
> 
> The inode information associated with the kernel being loaded by a
> kexec_kernel_load(2) syscall can now be included in the decision to
> measure or not
> 
> Additonally, the uid, euid, and subj_* conditionals can also now be
> used in KEXEC_CMDLINE rules. There was no technical reason as to why
> those conditionals weren't being considered previously other than
> ima_match_rules() didn't have a valid inode to use so it immediately
> bailed out for KEXEC_CMDLINE operations rather than going through the
> full list of conditional comparisons.

This makes a lot of sense.

<snip>
 
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index c1583d98c5e5..82acd66bf653 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -731,13 +731,15 @@ int ima_load_data(enum kernel_load_data_id id)
>   * @eventname: event name to be used for the buffer entry.
>   * @func: IMA hook
>   * @pcr: pcr to extend the measurement
> + * @inode: inode associated with the object being measured (NULL for KEY_CHECK)
>   * @keyring: keyring name to determine the action to be performed
>   *
>   * Based on policy, the buffer is measured into the ima log.
>   */
>  void process_buffer_measurement(const void *buf, int size,
>  				const char *eventname, enum ima_hooks func,
> -				int pcr, const char *keyring)
> +				int pcr, struct inode *inode,
> +				const char *keyring)
>  {

The file descriptor is passed as the first arg to
process_measurement().  Sorry for the patch churn, but could we do the
same for process_buffer_measurements.  As much as possible lets keep
them in same.

thanks,

Mimi

^ permalink raw reply	[flat|nested] 32+ messages in thread

* Re: [PATCH 12/12] ima: Support additional conditionals in the KEXEC_CMDLINE hook function
  2020-06-25 22:56   ` Mimi Zohar
@ 2020-06-25 22:59     ` Tyler Hicks
  0 siblings, 0 replies; 32+ messages in thread
From: Tyler Hicks @ 2020-06-25 22:59 UTC (permalink / raw)
  To: Mimi Zohar
  Cc: Dmitry Kasatkin, James Morris, Serge E . Hallyn,
	Lakshmi Ramasubramanian, Prakhar Srivastava, linux-kernel,
	linux-integrity, linux-security-module, Eric Biederman, kexec

On 2020-06-25 18:56:44, Mimi Zohar wrote:
> On Mon, 2020-06-22 at 19:32 -0500, Tyler Hicks wrote:
> > Take the properties of the kexec kernel's inode and the current task
> > ownership into consideration when matching a KEXEC_CMDLINE operation to
> > the rules in the IMA policy. This allows for some uniformity when
> > writing IMA policy rules for KEXEC_KERNEL_CHECK, KEXEC_INITRAMFS_CHECK,
> > and KEXEC_CMDLINE operations.
> > 
> > Prior to this patch, it was not possible to write a set of rules like
> > this:
> > 
> >  dont_measure func=KEXEC_KERNEL_CHECK obj_type=foo_t
> >  dont_measure func=KEXEC_INITRAMFS_CHECK obj_type=foo_t
> >  dont_measure func=KEXEC_CMDLINE obj_type=foo_t
> >  measure func=KEXEC_KERNEL_CHECK
> >  measure func=KEXEC_INITRAMFS_CHECK
> >  measure func=KEXEC_CMDLINE
> > 
> > The inode information associated with the kernel being loaded by a
> > kexec_kernel_load(2) syscall can now be included in the decision to
> > measure or not
> > 
> > Additonally, the uid, euid, and subj_* conditionals can also now be
> > used in KEXEC_CMDLINE rules. There was no technical reason as to why
> > those conditionals weren't being considered previously other than
> > ima_match_rules() didn't have a valid inode to use so it immediately
> > bailed out for KEXEC_CMDLINE operations rather than going through the
> > full list of conditional comparisons.
> 
> This makes a lot of sense.
> 
> <snip>
>  
> > diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> > index c1583d98c5e5..82acd66bf653 100644
> > --- a/security/integrity/ima/ima_main.c
> > +++ b/security/integrity/ima/ima_main.c
> > @@ -731,13 +731,15 @@ int ima_load_data(enum kernel_load_data_id id)
> >   * @eventname: event name to be used for the buffer entry.
> >   * @func: IMA hook
> >   * @pcr: pcr to extend the measurement
> > + * @inode: inode associated with the object being measured (NULL for KEY_CHECK)
> >   * @keyring: keyring name to determine the action to be performed
> >   *
> >   * Based on policy, the buffer is measured into the ima log.
> >   */
> >  void process_buffer_measurement(const void *buf, int size,
> >  				const char *eventname, enum ima_hooks func,
> > -				int pcr, const char *keyring)
> > +				int pcr, struct inode *inode,
> > +				const char *keyring)
> >  {
> 
> The file descriptor is passed as the first arg to
> process_measurement().  Sorry for the patch churn, but could we do the
> same for process_buffer_measurements.  As much as possible lets keep
> them in same.

Yep! That makes sense to me.

Tyler

> 
> thanks,
> 
> Mimi

^ permalink raw reply	[flat|nested] 32+ messages in thread

end of thread, back to index

Thread overview: 32+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-06-23  0:32 [PATCH 00/12] ima: Fix rule parsing bugs and extend KEXEC_CMDLINE rule support Tyler Hicks
2020-06-23  0:32 ` [PATCH 01/12] ima: Have the LSM free its audit rule Tyler Hicks
2020-06-23  0:55   ` Casey Schaufler
2020-06-23  3:04     ` Tyler Hicks
2020-06-23 23:04   ` Tyler Hicks
2020-06-25 19:41   ` Mimi Zohar
2020-06-23  0:32 ` [PATCH 02/12] ima: Create a function to free a rule entry Tyler Hicks
2020-06-25 19:33   ` Mimi Zohar
2020-06-25 19:56     ` Tyler Hicks
2020-06-25 20:32       ` Mimi Zohar
2020-06-23  0:32 ` [PATCH 03/12] ima: Free the entire rule when deleting a list of rules Tyler Hicks
2020-06-25 21:05   ` Mimi Zohar
2020-06-25 21:07   ` Mimi Zohar
2020-06-25 21:08     ` Mimi Zohar
2020-06-23  0:32 ` [PATCH 04/12] ima: Free the entire rule if it fails to parse Tyler Hicks
2020-06-23  0:32 ` [PATCH 05/12] ima: Fail rule parsing when buffer hook functions have an invalid action Tyler Hicks
2020-06-25 21:51   ` Mimi Zohar
2020-06-23  0:32 ` [PATCH 06/12] ima: Fail rule parsing when the KEXEC_CMDLINE hook is combined with an invalid cond Tyler Hicks
2020-06-25 21:53   ` Mimi Zohar
2020-06-23  0:32 ` [PATCH 07/12] ima: Fail rule parsing when the KEY_CHECK " Tyler Hicks
2020-06-23  0:32 ` [PATCH 08/12] ima: Shallow copy the args_p member of ima_rule_entry.lsm elements Tyler Hicks
2020-06-25 21:18   ` Mimi Zohar
2020-06-23  0:32 ` [PATCH 09/12] ima: Use correct type for " Tyler Hicks
2020-06-25 21:20   ` Mimi Zohar
2020-06-23  0:32 ` [PATCH 10/12] ima: Move validation of the keyrings conditional into ima_validate_rule() Tyler Hicks
2020-06-25 19:50   ` Tyler Hicks
2020-06-25 20:46     ` Mimi Zohar
2020-06-23  0:32 ` [PATCH 11/12] ima: Use the common function to detect LSM conditionals in a rule Tyler Hicks
2020-06-25 22:45   ` Mimi Zohar
2020-06-23  0:32 ` [PATCH 12/12] ima: Support additional conditionals in the KEXEC_CMDLINE hook function Tyler Hicks
2020-06-25 22:56   ` Mimi Zohar
2020-06-25 22:59     ` Tyler Hicks

Linux-Integrity Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-integrity/0 linux-integrity/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-integrity linux-integrity/ https://lore.kernel.org/linux-integrity \
		linux-integrity@vger.kernel.org
	public-inbox-index linux-integrity

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-integrity


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git