linux-integrity.vger.kernel.org archive mirror
From: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
To: zohar@linux.ibm.com, stephen.smalley@gmail.com, casey@schaufler-ca.com
Cc: jmorris@namei.org, linux-integrity@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: [PATCH 5/5] LSM: Define workqueue for measuring security module state
Date: Fri, 12 Jun 2020 19:41:30 -0700
Message-ID: <20200613024130.3356-6-nramas@linux.microsoft.com>
In-Reply-To: <20200613024130.3356-1-nramas@linux.microsoft.com>

The data maintained by the security modules could be tampered with by
malware. The LSM needs to periodically query the state of
the security modules and measure the data when the state is changed.

Define a workqueue for handling this periodic query and measurement.

Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
---
 security/security.c | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/security/security.c b/security/security.c
index e7175db5a093..3dad6766cb9d 100644
--- a/security/security.c
+++ b/security/security.c
@@ -89,6 +89,11 @@ static __initdata struct lsm_info *exclusive;
 static struct lsm_info *security_state_lsms;
 static int security_state_lsms_count;
 
+static long security_state_timeout = 300000; /* 5 Minutes */
+static void security_state_handler(struct work_struct *work);
+static DECLARE_DELAYED_WORK(security_state_delayed_work,
+			    security_state_handler);
+
 static __initdata bool debug;
 #define init_debug(...)						\
 	do {							\
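Review bot: the polling interval declared as `static long security_state_timeout = 300000;` is hard-coded with no way to tune it (no kernel command-line parameter, module_param or sysfs knob), and it is a signed `long` holding milliseconds that later gets passed to msecs_to_jiffies(), which takes an `unsigned int`; consider `static unsigned int security_state_timeout` and exposing it as a tunable. The commit message should also say why a five-minute window is acceptable: any LSM state that is tampered with and restored between two polls is never measured, so a fixed interval gives weaker guarantees than measuring on the state-changing paths themselves.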
@@ -294,6 +299,26 @@ static void __init initialize_security_state_lsms(void)
 	security_state_lsms_count = count;
 }
 
+static void initialize_security_state_monitor(void)
+{
+	if (security_state_lsms_count == 0)
+		return;
+
+	schedule_delayed_work(&security_state_delayed_work,
+			      msecs_to_jiffies(security_state_timeout));
+}
+
+static void security_state_handler(struct work_struct *work)
+{
+	int inx;
+
+	for (inx = 0; inx < security_state_lsms_count; inx++)
+		measure_security_state(&(security_state_lsms[inx]));
+
+	schedule_delayed_work(&security_state_delayed_work,
+			      msecs_to_jiffies(security_state_timeout));
+}
+
 /* Populate ordered LSMs list from comma-separated LSM name list. */
 static void __init ordered_lsm_parse(const char *order, const char *origin)
 {
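Review bot: initialize_security_state_monitor() is called only from __init code (ordered_lsm_init in the last hunk), so it should be marked `__init` to be discarded after boot. In security_state_handler() the argument `&(security_state_lsms[inx])` has redundant parentheses (`&security_state_lsms[inx]`), and the unconditional re-arm via schedule_delayed_work() at the end of the handler means there is no cancellation path; that is fine only because LSMs are never unloaded, and a one-line comment saying so would save the next reader the question. measure_security_state() is not introduced by this patch, so the commit message should name the earlier patch in the series it depends on.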
@@ -417,6 +442,7 @@ static void __init ordered_lsm_init(void)
 	}
 
 	initialize_security_state_lsms();
+	initialize_security_state_monitor();
 
 	kfree(ordered_lsms);
 }
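Review bot: with this call initialize_security_state_monitor() schedules the first measurement only after the full security_state_timeout, so no LSM state is measured at boot and the first record lands five minutes later; consider measuring once synchronously here (or scheduling with a zero delay) so a baseline exists before any tampering window opens. The placement after initialize_security_state_lsms() and before kfree(ordered_lsms) is correct, since the handler walks security_state_lsms rather than ordered_lsms.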
-- 
2.27.0

