From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.6 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 91C43C433E7 for ; Mon, 29 Jun 2020 19:04:56 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 6BF4D2053B for ; Mon, 29 Jun 2020 19:04:56 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.b="eVgVYnsc" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730685AbgF2TEz (ORCPT ); Mon, 29 Jun 2020 15:04:55 -0400 Received: from linux.microsoft.com ([13.77.154.182]:48704 "EHLO linux.microsoft.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730681AbgF2TEy (ORCPT ); Mon, 29 Jun 2020 15:04:54 -0400 Received: from sequoia (162-237-133-238.lightspeed.rcsntx.sbcglobal.net [162.237.133.238]) by linux.microsoft.com (Postfix) with ESMTPSA id AEAE920B4901; Mon, 29 Jun 2020 07:16:16 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com AEAE920B4901 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1593440177; bh=v+wyGBDonImB9MBWCw9EMxRuWEDmYg128Fe9bnY0g6c=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=eVgVYnscENhuNhNQTyhZbFymcwHwtaCB1JVO/5//WlJM4Nv5RhfXHxEmzNS8HBHRk p5XfObD9Ymg9erl91qvwxM3XsQMB/o/hLnkyCgNzIHXK+B6Dg2Bykqevr0UVq7cUGd ArzJcUXJf0dxujES9z46s7zXvQxC856nBBvZzEaE= Date: Mon, 29 Jun 2020 09:16:14 -0500 From: Tyler Hicks To: Lakshmi Ramasubramanian Cc: Mimi Zohar , Dmitry Kasatkin , James Morris , "Serge E . Hallyn" , Prakhar Srivastava , linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org Subject: Re: [PATCH v2 09/11] ima: Move validation of the keyrings conditional into ima_validate_rule() Message-ID: <20200629141614.GD4694@sequoia> References: <20200626223900.253615-1-tyhicks@linux.microsoft.com> <20200626223900.253615-10-tyhicks@linux.microsoft.com> <0e7012e7-e1df-466d-9d51-a691f779570a@linux.microsoft.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <0e7012e7-e1df-466d-9d51-a691f779570a@linux.microsoft.com> Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org On 2020-06-27 16:49:46, Lakshmi Ramasubramanian wrote: > On 6/26/20 3:38 PM, Tyler Hicks wrote: > > > Use ima_validate_rule() to ensure that the combination of a hook > > function and the keyrings conditional is valid and that the keyrings > > conditional is not specified without an explicit KEY_CHECK func > > conditional. This is a code cleanup and has no user-facing change. > > In addition to checking for func=KEY_CHECK and the keyrings conditional, the > patch also validates the flags for other IMA hooks (such as > KEXEC_KERNEL_CHECK, POLICY_CHECK, etc.) Would be good to mention that in the > patch description. It actually doesn't do any additional validation of other IMA hooks at this time. That check on entry->flags is an allowlist of every possible conditional flag except IMA_KEYRINGS. The ima_parse_rule() function is already validating all of these conditional flags. Tyler > > -lakshmi > > > > > Signed-off-by: Tyler Hicks > > --- > > > > * v2 > > - Allowed IMA_DIGSIG_REQUIRED, IMA_PERMIT_DIRECTIO, > > IMA_MODSIG_ALLOWED, and IMA_CHECK_BLACKLIST conditionals to be > > present in the rule entry flags for non-buffer hook functions. > > > > security/integrity/ima/ima_policy.c | 13 +++++++++++-- > > 1 file changed, 11 insertions(+), 2 deletions(-) > > > > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c > > index 8cdca2399d59..43d49ad958fb 100644 > > --- a/security/integrity/ima/ima_policy.c > > +++ b/security/integrity/ima/ima_policy.c > > @@ -1000,6 +1000,15 @@ static bool ima_validate_rule(struct ima_rule_entry *entry) > > case KEXEC_KERNEL_CHECK: > > case KEXEC_INITRAMFS_CHECK: > > case POLICY_CHECK: > > + if (entry->flags & ~(IMA_FUNC | IMA_MASK | IMA_FSMAGIC | > > + IMA_UID | IMA_FOWNER | IMA_FSUUID | > > + IMA_INMASK | IMA_EUID | IMA_PCR | > > + IMA_FSNAME | IMA_DIGSIG_REQUIRED | > > + IMA_PERMIT_DIRECTIO | > > + IMA_MODSIG_ALLOWED | > > + IMA_CHECK_BLACKLIST)) > > + return false; > > + > > break; > > case KEXEC_CMDLINE: > > if (entry->action & ~(MEASURE | DONT_MEASURE)) > > @@ -1027,7 +1036,8 @@ static bool ima_validate_rule(struct ima_rule_entry *entry) > > default: > > return false; > > } > > - } > > + } else if (entry->flags & IMA_KEYRINGS) > > + return false; > > return true; > > } > > @@ -1209,7 +1219,6 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) > > keyrings_len = strlen(args[0].from) + 1; > > if ((entry->keyrings) || > > - (entry->func != KEY_CHECK) || > > (keyrings_len < 2)) { > > result = -EINVAL; > > break; > >