From: Stefan Berger <stefanb@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: zohar@linux.ibm.com, serge@hallyn.com,
christian.brauner@ubuntu.com, containers@lists.linux.dev,
dmitry.kasatkin@gmail.com, ebiederm@xmission.com,
krzysztof.struczynski@huawei.com, roberto.sassu@huawei.com,
mpeters@redhat.com, lhinds@redhat.com, lsturman@redhat.com,
puiterwi@redhat.com, jejb@linux.ibm.com, jamjoom@us.ibm.com,
linux-kernel@vger.kernel.org, paul@paul-moore.com,
rgb@redhat.com, linux-security-module@vger.kernel.org,
jmorris@namei.org, Stefan Berger <stefanb@linux.ibm.com>
Subject: [PATCH v11 25/27] ima: Limit number of policy rules in non-init_ima_ns
Date: Wed, 2 Mar 2022 08:47:00 -0500 [thread overview]
Message-ID: <20220302134703.1273041-26-stefanb@linux.ibm.com> (raw)
In-Reply-To: <20220302134703.1273041-1-stefanb@linux.ibm.com>
Limit the number of policy rules a user can set in non-init_ima_ns to a
hardcoded 1024 rules. This allows to restrict the amount of kernel memory
used for IMA's policy since now any user can create an IMA namespace and
could try to waste kernel memory.
Ignore added rules if the user attempts to exceed this limit by setting
too many additional rules.
Switch the accounting for the memory allocated for IMA policy rules to
GFP_KERNEL_ACCOUNT so that cgroups kernel memory accounting can take
effect. This switch has no effect on the init_ima_ns.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
v11:
- roll back changes to auditing too-many-rules since not auditing from
IMA namespaces
---
security/integrity/ima/ima_policy.c | 23 ++++++++++++++++++-----
1 file changed, 18 insertions(+), 5 deletions(-)
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 0f697a475882..5ea1549bf601 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -313,7 +313,8 @@ static struct ima_rule_opt_list *ima_alloc_rule_opt_list(const substring_t *src)
return ERR_PTR(-EINVAL);
}
- opt_list = kzalloc(struct_size(opt_list, items, count), GFP_KERNEL);
+ opt_list = kzalloc(struct_size(opt_list, items, count),
+ GFP_KERNEL_ACCOUNT);
if (!opt_list) {
kfree(src_copy);
return ERR_PTR(-ENOMEM);
@@ -387,7 +388,7 @@ static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_namespace *ns,
* Immutable elements are copied over as pointers and data; only
* lsm rules can change
*/
- nentry = kmemdup(entry, sizeof(*nentry), GFP_KERNEL);
+ nentry = kmemdup(entry, sizeof(*nentry), GFP_KERNEL_ACCOUNT);
if (!nentry)
return NULL;
@@ -843,7 +844,7 @@ static void add_rules(struct ima_namespace *ns,
if (policy_rule & IMA_CUSTOM_POLICY) {
entry = kmemdup(&entries[i], sizeof(*entry),
- GFP_KERNEL);
+ GFP_KERNEL_ACCOUNT);
if (!entry)
continue;
@@ -880,7 +881,7 @@ static int __init ima_init_arch_policy(struct ima_namespace *ns)
ns->arch_policy_entry = kcalloc(arch_entries + 1,
sizeof(*ns->arch_policy_entry),
- GFP_KERNEL);
+ GFP_KERNEL_ACCOUNT);
if (!ns->arch_policy_entry)
return 0;
@@ -992,8 +993,20 @@ void __init ima_init_policy(struct ima_namespace *ns)
/* Make sure we have a valid policy, at least containing some rules. */
int ima_check_policy(struct ima_namespace *ns)
{
+ struct ima_rule_entry *entry;
+ size_t len1 = 0;
+ size_t len2 = 0;
+
if (list_empty(&ns->ima_temp_rules))
return -EINVAL;
+ if (ns != &init_ima_ns) {
+ list_for_each_entry(entry, &ns->ima_temp_rules, list)
+ len1++;
+ list_for_each_entry(entry, &ns->ima_policy_rules, list)
+ len2++;
+ if (len1 + len2 > 1024)
+ return -ENOSPC;
+ }
return 0;
}
@@ -1865,7 +1878,7 @@ ssize_t ima_parse_add_rule(struct ima_namespace *ns, char *rule)
if (*p == '#' || *p == '\0')
return len;
- entry = kzalloc(sizeof(*entry), GFP_KERNEL);
+ entry = kzalloc(sizeof(*entry), GFP_KERNEL_ACCOUNT);
if (!entry) {
integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
NULL, op, "-ENOMEM", -ENOMEM, audit_info);
--
2.31.1
next prev parent reply other threads:[~2022-03-02 13:50 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-02 13:46 [PATCH v11 00/27] ima: Namespace IMA with audit support in IMA-ns Stefan Berger
2022-03-02 13:46 ` [PATCH v11 01/27] ima: Return error code obtained from securityfs functions Stefan Berger
2022-03-02 13:46 ` [PATCH v11 02/27] securityfs: rework dentry creation Stefan Berger
2022-03-02 13:46 ` [PATCH v11 03/27] securityfs: Extend securityfs with namespacing support Stefan Berger
2022-03-02 13:46 ` [PATCH v11 04/27] ima: Define ima_namespace struct and start moving variables into it Stefan Berger
2022-03-02 13:46 ` [PATCH v11 05/27] ima: Move arch_policy_entry into ima_namespace Stefan Berger
2022-03-02 13:46 ` [PATCH v11 06/27] ima: Move ima_htable " Stefan Berger
2022-03-02 13:46 ` [PATCH v11 07/27] ima: Move measurement list related variables " Stefan Berger
2022-03-02 13:46 ` [PATCH v11 08/27] ima: Move some IMA policy and filesystem " Stefan Berger
2022-03-02 13:46 ` [PATCH v11 09/27] ima: Move IMA securityfs files into ima_namespace or onto stack Stefan Berger
2022-03-02 13:46 ` [PATCH v11 10/27] ima: Move ima_lsm_policy_notifier into ima_namespace Stefan Berger
2022-03-02 13:46 ` [PATCH v11 11/27] ima: Switch to lazy lsm policy updates for better performance Stefan Berger
2022-03-02 13:46 ` [PATCH v11 12/27] ima: Define mac_admin_ns_capable() as a wrapper for ns_capable() Stefan Berger
2022-03-02 13:46 ` [PATCH v11 13/27] ima: Only accept AUDIT rules for non-init_ima_ns namespaces for now Stefan Berger
2022-03-02 13:46 ` [PATCH v11 14/27] userns: Add pointer to ima_namespace to user_namespace Stefan Berger
2022-03-02 13:46 ` [PATCH v11 15/27] ima: Implement hierarchical processing of file accesses Stefan Berger
2022-03-02 13:46 ` [PATCH v11 16/27] ima: Implement ima_free_policy_rules() for freeing of an ima_namespace Stefan Berger
2022-03-02 13:46 ` [PATCH v11 17/27] ima: Add functions for creating and " Stefan Berger
2022-03-02 13:46 ` [PATCH v11 18/27] integrity/ima: Define ns_status for storing namespaced iint data Stefan Berger
2022-03-02 13:46 ` [PATCH v11 19/27] integrity: Add optional callback function to integrity_inode_free() Stefan Berger
2022-03-02 13:46 ` [PATCH v11 20/27] ima: Namespace audit status flags Stefan Berger
2022-03-02 13:46 ` [PATCH v11 21/27] ima: Remove unused iints from the integrity_iint_cache Stefan Berger
2022-03-02 13:46 ` [PATCH v11 22/27] ima: Setup securityfs for IMA namespace Stefan Berger
2022-03-02 13:46 ` [PATCH v11 23/27] ima: Introduce securityfs file to activate an " Stefan Berger
2022-03-02 19:16 ` kernel test robot
2022-03-02 13:46 ` [PATCH v11 24/27] ima: Show owning user namespace's uid and gid when displaying policy Stefan Berger
2022-03-02 13:47 ` Stefan Berger [this message]
2022-03-02 13:47 ` [PATCH v11 26/27] ima: Restrict informational audit messages to init_ima_ns Stefan Berger
2022-03-02 23:11 ` kernel test robot
2022-03-02 13:47 ` [PATCH v11 27/27] ima: Enable IMA namespaces Stefan Berger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220302134703.1273041-26-stefanb@linux.ibm.com \
--to=stefanb@linux.ibm.com \
--cc=christian.brauner@ubuntu.com \
--cc=containers@lists.linux.dev \
--cc=dmitry.kasatkin@gmail.com \
--cc=ebiederm@xmission.com \
--cc=jamjoom@us.ibm.com \
--cc=jejb@linux.ibm.com \
--cc=jmorris@namei.org \
--cc=krzysztof.struczynski@huawei.com \
--cc=lhinds@redhat.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lsturman@redhat.com \
--cc=mpeters@redhat.com \
--cc=paul@paul-moore.com \
--cc=puiterwi@redhat.com \
--cc=rgb@redhat.com \
--cc=roberto.sassu@huawei.com \
--cc=serge@hallyn.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).