From: Nayna <nayna@linux.vnet.ibm.com>
To: Tyler Hicks <tyhicks@linux.microsoft.com>
Cc: Mimi Zohar <zohar@linux.ibm.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
James Morris <jmorris@namei.org>,
"Serge E . Hallyn" <serge@hallyn.com>,
Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
Tushar Sugandhi <tusharsu@linux.microsoft.com>,
Nayna Jain <nayna@linux.ibm.com>,
linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH 1/2] ima: Pre-parse the list of keyrings in a KEY_CHECK rule
Date: Thu, 6 Aug 2020 11:34:43 -0400 [thread overview]
Message-ID: <8f749594-1214-9f2d-4614-d360772a2ab6@linux.vnet.ibm.com> (raw)
In-Reply-To: <20200727140831.64251-2-tyhicks@linux.microsoft.com>
On 7/27/20 10:08 AM, Tyler Hicks wrote:
> The ima_keyrings buffer was used as a work buffer for strsep()-based
> parsing of the "keyrings=" option of an IMA policy rule. This parsing
> was re-performed each time an asymmetric key was added to a kernel
> keyring for each loaded policy rule that contained a "keyrings=" option.
>
> An example rule specifying this option is:
>
> measure func=KEY_CHECK keyrings=a|b|c
>
> The rule says to measure asymmetric keys added to any of the kernel
> keyrings named "a", "b", or "c". The size of the buffer size was
> equal to the size of the largest "keyrings=" value seen in a previously
> loaded rule (5 + 1 for the NUL-terminator in the previous example) and
> the buffer was pre-allocated at the time of policy load.
>
> The pre-allocated buffer approach suffered from a couple bugs:
>
> 1) There was no locking around the use of the buffer so concurrent key
> add operations, to two different keyrings, would result in the
> strsep() loop of ima_match_keyring() to modify the buffer at the same
> time. This resulted in unexpected results from ima_match_keyring()
> and, therefore, could cause unintended keys to be measured or keys to
> not be measured when IMA policy intended for them to be measured.
>
> 2) If the kstrdup() that initialized entry->keyrings in ima_parse_rule()
> failed, the ima_keyrings buffer was freed and set to NULL even when a
> valid KEY_CHECK rule was previously loaded. The next KEY_CHECK event
> would trigger a call to strcpy() with a NULL destination pointer and
> crash the kernel.
>
> Remove the need for a pre-allocated global buffer by parsing the list of
> keyrings in a KEY_CHECK rule at the time of policy load. The
> ima_rule_entry will contain an array of string pointers which point to
> the name of each keyring specified in the rule. No string processing
> needs to happen at the time of asymmetric key add so iterating through
> the list and doing a string comparison is all that's required at the
> time of policy check.
>
> In the process of changing how the "keyrings=" policy option is handled,
> a couple additional bugs were fixed:
>
> 1) The rule parser accepted rules containing invalid "keyrings=" values
> such as "a|b||c", "a|b|", or simply "|".
>
> 2) The /sys/kernel/security/ima/policy file did not display the entire
> "keyrings=" value if the list of keyrings was longer than what could
> fit in the fixed size tbuf buffer in ima_policy_show().
>
> Fixes: 5c7bac9fb2c5 ("IMA: pre-allocate buffer to hold keyrings string")
> Fixes: 2b60c0ecedf8 ("IMA: Read keyrings= option from the IMA policy")
> Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
> ---
> security/integrity/ima/ima_policy.c | 138 +++++++++++++++++++---------
> 1 file changed, 93 insertions(+), 45 deletions(-)
>
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 07f033634b27..c328cfa0fc49 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -59,6 +59,11 @@ enum policy_types { ORIGINAL_TCB = 1, DEFAULT_TCB };
>
> enum policy_rule_list { IMA_DEFAULT_POLICY = 1, IMA_CUSTOM_POLICY };
>
> +struct ima_rule_opt_list {
> + size_t count;
> + char *items[];
> +};
> +
> struct ima_rule_entry {
> struct list_head list;
> int action;
> @@ -78,7 +83,7 @@ struct ima_rule_entry {
> int type; /* audit type */
> } lsm[MAX_LSM_RULES];
> char *fsname;
> - char *keyrings; /* Measure keys added to these keyrings */
> + struct ima_rule_opt_list *keyrings; /* Measure keys added to these keyrings */
> struct ima_template_desc *template;
> };
>
> @@ -206,10 +211,6 @@ static LIST_HEAD(ima_policy_rules);
> static LIST_HEAD(ima_temp_rules);
> static struct list_head *ima_rules = &ima_default_rules;
>
> -/* Pre-allocated buffer used for matching keyrings. */
> -static char *ima_keyrings;
> -static size_t ima_keyrings_len;
> -
> static int ima_policy __initdata;
>
> static int __init default_measure_policy_setup(char *str)
> @@ -253,6 +254,72 @@ static int __init default_appraise_policy_setup(char *str)
> }
> __setup("ima_appraise_tcb", default_appraise_policy_setup);
>
> +static struct ima_rule_opt_list *ima_alloc_rule_opt_list(const substring_t *src)
> +{
> + struct ima_rule_opt_list *opt_list;
> + size_t count = 0;
> + char *src_copy;
> + char *cur, *next;
> + size_t i;
> +
> + src_copy = match_strdup(src);
> + if (!src_copy)
> + return NULL;
The caller of this function checks for IS_ERR(..) and not
IS_ERR_OR_NULL(..). Shouldn't it return ERR_PTR(-EINVAL) instead of NULL ?
Thanks & Regards,
- Nayna
next prev parent reply other threads:[~2020-08-06 16:55 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-27 14:08 [PATCH 0/2] ima: Fix keyrings race condition and other key related bugs Tyler Hicks
2020-07-27 14:08 ` [PATCH 1/2] ima: Pre-parse the list of keyrings in a KEY_CHECK rule Tyler Hicks
2020-07-28 14:25 ` Lakshmi Ramasubramanian
2020-08-06 15:34 ` Nayna [this message]
2020-08-06 15:46 ` Tyler Hicks
2020-07-27 14:08 ` [PATCH 2/2] ima: Fail rule parsing when asymmetric key measurement isn't supportable Tyler Hicks
2020-07-28 14:14 ` Lakshmi Ramasubramanian
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8f749594-1214-9f2d-4614-d360772a2ab6@linux.vnet.ibm.com \
--to=nayna@linux.vnet.ibm.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=jmorris@namei.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=nayna@linux.ibm.com \
--cc=nramas@linux.microsoft.com \
--cc=serge@hallyn.com \
--cc=tusharsu@linux.microsoft.com \
--cc=tyhicks@linux.microsoft.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).