linux-modules.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH v4 00/19] vfs: support for a common kernel file loader
@ 2016-02-12 18:29 Mimi Zohar
  2016-02-12 18:29 ` [PATCH v4 01/19] firmware: simplify dev_*() print messages for generic helpers Mimi Zohar
                   ` (18 more replies)
  0 siblings, 19 replies; 20+ messages in thread
From: Mimi Zohar @ 2016-02-12 18:29 UTC (permalink / raw)
  To: linux-security-module
  Cc: Mimi Zohar, Luis R. Rodriguez, kexec, linux-modules,
	linux-fsdevel, Kees Cook, Dmitry Kasatkin

For a while it was looked down upon to directly read files from Linux.
These days there exists a few mechanisms in the kernel that do just this
though to load a file into a local buffer. There are minor but important
checks differences on each, we should take all the best practices from
each of them, generalize them and make all places in the kernel that
read a file use it.[1]

One difference is the method for opening the file.  In some cases we
have a file, while in other cases we have a pathname or a file descriptor.

Another difference is the security hook calls, or lack of them.  In
some versions there is a post file read hook, while in others there
is a pre file read hook. 

This patch set attempts to resolve these differences.  It does not attempt
to merge the different methods of opening a file, but defines a single
common kernel file read function with two wrappers. In addition, as none
of the upstreamed LSMs define either a kernel_module_from_file or a
kernel_fw_from_file hook, this patch set removes these hooks and the
associated functions.  The ima_module_check() and ima_fw_from_file()
functions are renamed and called from the pre and post kernel_read_file
security functions respectively.

Changelog:
- First four IMA patches removed from this patch set.
- Cleaned up the kernel_read_file_id to ima_hooks enumeration mapping.
- Renamed the kexec IMA policy identifiers.
- Added missing include file for other architectures.
- Rebased on top of some of the "firmware_class: extensible firmware API"
patches posted by Luis.
- Removed the kernel_module_from_file and kernel_fw_from_file security
hooks and functions.
- Defined "kernel_read_file_id" enumeration, independently of "ima_hooks".
- Split patches for ease of review.

The latest version of these patches can be found in the next-kernel-read
branch of:
git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git

[1] Taken from Luis Rodriguez's wiki -
http://kernelnewbies.org/KernelProjects/common-kernel-loader

Mimi

Dmitry Kasatkin (2):
  ima: provide buffer hash calculation function
  ima: load policy using path

Kees Cook (1):
  firmware: clean up filesystem load exit path

Luis R. Rodriguez (2):
  firmware: simplify dev_*() print messages for generic helpers
  firmware: move completing fw into a helper

Mimi Zohar (14):
  vfs: define a generic function to read a file from the kernel
  vfs: define kernel_read_file_id enumeration
  ima: calculate the hash of a buffer using aynchronous hash(ahash)
  ima: define a new hook to measure and appraise a file already in
    memory
  vfs: define kernel_read_file_from_path
  firmware: replace call to fw_read_file_contents() with kernel version
  security: define kernel_read_file hook
  vfs: define kernel_copy_file_from_fd()
  module: replace copy_module_from_fd with kernel version
  ima: remove firmware and module specific cached status info
  kexec: replace call to copy_file_from_fd() with kernel version
  ima: support for kexec image and initramfs
  ima: measure and appraise the IMA policy itself
  ima: require signed IMA policy

 Documentation/ABI/testing/ima_policy  |   1 +
 drivers/base/firmware_class.c         |  74 +++++++--------------
 fs/exec.c                             |  95 +++++++++++++++++++++++++++
 include/linux/fs.h                    |  15 +++++
 include/linux/ima.h                   |  10 +--
 include/linux/lsm_hooks.h             |  35 +++++-----
 include/linux/security.h              |  16 +++--
 kernel/kexec_file.c                   |  73 +++------------------
 kernel/module.c                       |  68 +++-----------------
 security/integrity/iint.c             |   4 +-
 security/integrity/ima/ima.h          |  13 +++-
 security/integrity/ima/ima_api.c      |   6 +-
 security/integrity/ima/ima_appraise.c |  37 +++++------
 security/integrity/ima/ima_crypto.c   | 118 ++++++++++++++++++++++++++++++++++
 security/integrity/ima/ima_fs.c       |  51 ++++++++++++++-
 security/integrity/ima/ima_main.c     |  73 ++++++++++++++++-----
 security/integrity/ima/ima_policy.c   |  41 ++++++++++--
 security/integrity/integrity.h        |  15 ++---
 security/security.c                   |  32 ++++-----
 19 files changed, 499 insertions(+), 278 deletions(-)

-- 
2.1.0


^ permalink raw reply	[flat|nested] 20+ messages in thread

end of thread, other threads:[~2016-02-12 19:10 UTC | newest]

Thread overview: 20+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-02-12 18:29 [PATCH v4 00/19] vfs: support for a common kernel file loader Mimi Zohar
2016-02-12 18:29 ` [PATCH v4 01/19] firmware: simplify dev_*() print messages for generic helpers Mimi Zohar
2016-02-12 18:29 ` [PATCH v4 02/19] firmware: move completing fw into a helper Mimi Zohar
2016-02-12 18:29 ` [PATCH v4 03/19] firmware: clean up filesystem load exit path Mimi Zohar
2016-02-12 18:29 ` [PATCH v4 04/19] vfs: define a generic function to read a file from the kernel Mimi Zohar
2016-02-12 18:29 ` [PATCH v4 05/19] vfs: define kernel_read_file_id enumeration Mimi Zohar
2016-02-12 18:29 ` [PATCH v4 06/19] ima: provide buffer hash calculation function Mimi Zohar
2016-02-12 18:29 ` [PATCH v4 07/19] ima: calculate the hash of a buffer using aynchronous hash(ahash) Mimi Zohar
2016-02-12 18:29 ` [PATCH v4 08/19] ima: define a new hook to measure and appraise a file already in memory Mimi Zohar
2016-02-12 18:29 ` [PATCH v4 09/19] vfs: define kernel_read_file_from_path Mimi Zohar
2016-02-12 18:29 ` [PATCH v4 10/19] firmware: replace call to fw_read_file_contents() with kernel version Mimi Zohar
2016-02-12 18:29 ` [PATCH v4 11/19] security: define kernel_read_file hook Mimi Zohar
2016-02-12 18:29 ` [PATCH v4 12/19] vfs: define kernel_copy_file_from_fd() Mimi Zohar
2016-02-12 18:29 ` [PATCH v4 13/19] module: replace copy_module_from_fd with kernel version Mimi Zohar
2016-02-12 18:29 ` [PATCH v4 14/19] ima: remove firmware and module specific cached status info Mimi Zohar
2016-02-12 18:29 ` [PATCH v4 15/19] kexec: replace call to copy_file_from_fd() with kernel version Mimi Zohar
2016-02-12 18:29 ` [PATCH v4 16/19] ima: support for kexec image and initramfs Mimi Zohar
2016-02-12 18:29 ` [PATCH v4 17/19] ima: load policy using path Mimi Zohar
2016-02-12 18:29 ` [PATCH v4 18/19] ima: measure and appraise the IMA policy itself Mimi Zohar
2016-02-12 18:29 ` [PATCH v4 19/19] ima: require signed IMA policy Mimi Zohar

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).