linux-integrity.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Mimi Zohar <zohar@linux.ibm.com>
To: Tyler Hicks <tyhicks@linux.microsoft.com>,
	Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
Cc: James Morris <jmorris@namei.org>,
	"Serge E . Hallyn" <serge@hallyn.com>,
	Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
	Prakhar Srivastava <prsriva02@gmail.com>,
	linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org,
	linux-security-module@vger.kernel.org
Subject: Re: [PATCH 05/12] ima: Fail rule parsing when buffer hook functions have an invalid action
Date: Thu, 25 Jun 2020 17:51:54 -0400	[thread overview]
Message-ID: <1593121914.27152.411.camel@linux.ibm.com> (raw)
In-Reply-To: <20200623003236.830149-6-tyhicks@linux.microsoft.com>

On Mon, 2020-06-22 at 19:32 -0500, Tyler Hicks wrote:
> Buffer based hook functions, such as KEXEC_CMDLINE and KEY_CHECK, can
> only measure. The process_buffer_measurement() function quietly ignores
> all actions except measure so make this behavior clear at the time of
> policy load.
> 
> The parsing of the keyrings conditional had a check to ensure that it
> was only specified with measure actions but the check should be on the
> hook function and not the keyrings conditional since
> "appraise func=KEY_CHECK" is not a valid rule.
> 
> Fixes: b0935123a183 ("IMA: Define a new hook to measure the kexec boot command line arguments")
> Fixes: 5808611cccb2 ("IMA: Add KEY_CHECK func to measure keys")
> Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
> ---
>  security/integrity/ima/ima_policy.c | 36 +++++++++++++++++++++++++++--
>  1 file changed, 34 insertions(+), 2 deletions(-)
> 
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index ee5152ecd3d9..ecc234b956a2 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -979,6 +979,39 @@ static void check_template_modsig(const struct ima_template_desc *template)
>  #undef MSG
>  }
>  
> +static bool ima_validate_rule(struct ima_rule_entry *entry)
> +{
> +	if (entry->action == UNKNOWN)
> +		return false;
> +
> +	if (entry->flags & IMA_FUNC) {
> +		switch (entry->func) {
> +		case NONE:
> +		case FILE_CHECK:
> +		case MMAP_CHECK:
> +		case BPRM_CHECK:
> +		case CREDS_CHECK:
> +		case POST_SETATTR:
> +		case MODULE_CHECK:
> +		case FIRMWARE_CHECK:
> +		case KEXEC_KERNEL_CHECK:
> +		case KEXEC_INITRAMFS_CHECK:
> +		case POLICY_CHECK:
> +			break;
> +		case KEXEC_CMDLINE:
> +		case KEY_CHECK:
> +			if (entry->action & ~(MEASURE | DONT_MEASURE))
> +				return false;
> +
> +			break;
> +		default:
> +			return false;
> +		}
> +	}
> +
> +	return true;
> +}
> +

Good idea.  There are a couple of other examples that could be cleaned
up as well.  For example, for performance reasons
"appraise_flag=check_blacklist" is limited to files with appended
signatures, like kernel modules and the kexec kernel image
(OpenPower).

Mimi

  reply	other threads:[~2020-06-25 21:52 UTC|newest]

Thread overview: 32+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-06-23  0:32 [PATCH 00/12] ima: Fix rule parsing bugs and extend KEXEC_CMDLINE rule support Tyler Hicks
2020-06-23  0:32 ` [PATCH 01/12] ima: Have the LSM free its audit rule Tyler Hicks
2020-06-23  0:55   ` Casey Schaufler
2020-06-23  3:04     ` Tyler Hicks
2020-06-23 23:04   ` Tyler Hicks
2020-06-25 19:41   ` Mimi Zohar
2020-06-23  0:32 ` [PATCH 02/12] ima: Create a function to free a rule entry Tyler Hicks
2020-06-25 19:33   ` Mimi Zohar
2020-06-25 19:56     ` Tyler Hicks
2020-06-25 20:32       ` Mimi Zohar
2020-06-23  0:32 ` [PATCH 03/12] ima: Free the entire rule when deleting a list of rules Tyler Hicks
2020-06-25 21:05   ` Mimi Zohar
2020-06-25 21:07   ` Mimi Zohar
2020-06-25 21:08     ` Mimi Zohar
2020-06-23  0:32 ` [PATCH 04/12] ima: Free the entire rule if it fails to parse Tyler Hicks
2020-06-23  0:32 ` [PATCH 05/12] ima: Fail rule parsing when buffer hook functions have an invalid action Tyler Hicks
2020-06-25 21:51   ` Mimi Zohar [this message]
2020-06-23  0:32 ` [PATCH 06/12] ima: Fail rule parsing when the KEXEC_CMDLINE hook is combined with an invalid cond Tyler Hicks
2020-06-25 21:53   ` Mimi Zohar
2020-06-23  0:32 ` [PATCH 07/12] ima: Fail rule parsing when the KEY_CHECK " Tyler Hicks
2020-06-23  0:32 ` [PATCH 08/12] ima: Shallow copy the args_p member of ima_rule_entry.lsm elements Tyler Hicks
2020-06-25 21:18   ` Mimi Zohar
2020-06-23  0:32 ` [PATCH 09/12] ima: Use correct type for " Tyler Hicks
2020-06-25 21:20   ` Mimi Zohar
2020-06-23  0:32 ` [PATCH 10/12] ima: Move validation of the keyrings conditional into ima_validate_rule() Tyler Hicks
2020-06-25 19:50   ` Tyler Hicks
2020-06-25 20:46     ` Mimi Zohar
2020-06-23  0:32 ` [PATCH 11/12] ima: Use the common function to detect LSM conditionals in a rule Tyler Hicks
2020-06-25 22:45   ` Mimi Zohar
2020-06-23  0:32 ` [PATCH 12/12] ima: Support additional conditionals in the KEXEC_CMDLINE hook function Tyler Hicks
2020-06-25 22:56   ` Mimi Zohar
2020-06-25 22:59     ` Tyler Hicks

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1593121914.27152.411.camel@linux.ibm.com \
    --to=zohar@linux.ibm.com \
    --cc=dmitry.kasatkin@gmail.com \
    --cc=jmorris@namei.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=nramas@linux.microsoft.com \
    --cc=prsriva02@gmail.com \
    --cc=serge@hallyn.com \
    --cc=tyhicks@linux.microsoft.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).