Linux-Modules Archive on lore.kernel.org
 help / Atom feed
From: Kees Cook <keescook@chromium.org>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: linux-security-module <linux-security-module@vger.kernel.org>,
	"Luis R. Rodriguez" <mcgrof@suse.com>,
	Kexec Mailing List <kexec@lists.infradead.org>,
	linux-modules@vger.kernel.org,
	David Howells <dhowells@redhat.com>,
	David Woodhouse <dwmw2@infradead.org>,
	Dmitry Torokhov <dmitry.torokhov@gmail.com>,
	Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
	Eric Biederman <ebiederm@xmission.com>,
	Rusty Russell <rusty@rustcorp.com.au>
Subject: Re: [PATCH v3 13/22] firmware: replace call to fw_read_file_contents() with kernel version
Date: Thu, 4 Feb 2016 09:56:17 -0800
Message-ID: <CAGXu5jLp63Z=c__eOZh3-b+gsCu-LhQ5d2SnBxQ0mLoEioeU=w@mail.gmail.com> (raw)
In-Reply-To: <1454526390-19792-14-git-send-email-zohar@linux.vnet.ibm.com>

On Wed, Feb 3, 2016 at 11:06 AM, Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> Replace the fw_read_file_contents with kernel_file_read_from_path().
>
> Although none of the upstreamed LSMs define a kernel_fw_from_file hook,
> IMA is called by the security function to prevent unsigned firmware from
> being loaded and to measure/appraise signed firmware, based on policy.
>
> Instead of reading the firmware twice, once for measuring/appraising the
> firmware and again for reading the firmware contents into memory, the
> kernel_post_read_file() security hook calculates the file hash based on
> the in memory file buffer.  The firmware is read once.
>
> This patch removes the LSM kernel_fw_from_file() hook and security call.
>
> Changelog v3:
> - remove kernel_fw_from_file hook
> - use kernel_file_read_from_path() - requested by Luis
> v2:
> - reordered and squashed firmware patches
> - fix MAX firmware size (Kees Cook)
>
> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>

Acked-by: Kees Cook <keescook@chromium.org>

-Kees

> ---
>  drivers/base/firmware_class.c     | 48 +++++++--------------------------------
>  include/linux/fs.h                |  1 +
>  include/linux/ima.h               |  6 -----
>  include/linux/lsm_hooks.h         | 11 ---------
>  include/linux/security.h          |  7 ------
>  security/integrity/ima/ima_main.c | 21 ++++++++---------
>  security/security.c               | 13 -----------
>  7 files changed, 19 insertions(+), 88 deletions(-)
>
> diff --git a/drivers/base/firmware_class.c b/drivers/base/firmware_class.c
> index c658cec..e06a3d8 100644
> --- a/drivers/base/firmware_class.c
> +++ b/drivers/base/firmware_class.c
> @@ -291,37 +291,6 @@ static const char * const fw_path[] = {
>  module_param_string(path, fw_path_para, sizeof(fw_path_para), 0644);
>  MODULE_PARM_DESC(path, "customized firmware image search path with a higher priority than default path");
>
> -static int fw_read_file_contents(struct file *file, struct firmware_buf *fw_buf)
> -{
> -       int size;
> -       char *buf;
> -       int rc;
> -
> -       if (!S_ISREG(file_inode(file)->i_mode))
> -               return -EINVAL;
> -       size = i_size_read(file_inode(file));
> -       if (size <= 0)
> -               return -EINVAL;
> -       buf = vmalloc(size);
> -       if (!buf)
> -               return -ENOMEM;
> -       rc = kernel_read(file, 0, buf, size);
> -       if (rc != size) {
> -               if (rc > 0)
> -                       rc = -EIO;
> -               goto fail;
> -       }
> -       rc = security_kernel_fw_from_file(file, buf, size);
> -       if (rc)
> -               goto fail;
> -       fw_buf->data = buf;
> -       fw_buf->size = size;
> -       return 0;
> -fail:
> -       vfree(buf);
> -       return rc;
> -}
> -
>  static void fw_finish_direct_load(struct device *device,
>                                   struct firmware_buf *buf)
>  {
> @@ -334,6 +303,7 @@ static void fw_finish_direct_load(struct device *device,
>  static int fw_get_filesystem_firmware(struct device *device,
>                                        struct firmware_buf *buf)
>  {
> +       loff_t size;
>         int i, len;
>         int rc = -ENOENT;
>         char *path;
> @@ -343,8 +313,6 @@ static int fw_get_filesystem_firmware(struct device *device,
>                 return -ENOMEM;
>
>         for (i = 0; i < ARRAY_SIZE(fw_path); i++) {
> -               struct file *file;
> -
>                 /* skip the unset customized path */
>                 if (!fw_path[i][0])
>                         continue;
> @@ -356,12 +324,11 @@ static int fw_get_filesystem_firmware(struct device *device,
>                         break;
>                 }
>
> -               file = filp_open(path, O_RDONLY, 0);
> -               if (IS_ERR(file))
> -                       continue;
> -               rc = fw_read_file_contents(file, buf);
> -               fput(file);
> +               buf->size = 0;
> +               rc = kernel_read_file_from_path(path, &buf->data, &size,
> +                                               INT_MAX, READING_FIRMWARE);
>                 if (rc == 0) {
> +                       buf->size = (size_t) size;
>                         dev_dbg(device, "direct-loading %s\n",
>                                 buf->fw_id);
>                         fw_finish_direct_load(device, buf);
> @@ -689,8 +656,9 @@ static ssize_t firmware_loading_store(struct device *dev,
>                                 dev_err(dev, "%s: map pages failed\n",
>                                         __func__);
>                         else
> -                               rc = security_kernel_fw_from_file(NULL,
> -                                               fw_buf->data, fw_buf->size);
> +                               rc = security_kernel_post_read_file(NULL,
> +                                               fw_buf->data, fw_buf->size,
> +                                               READING_FIRMWARE);
>
>                         /*
>                          * Same logic as fw_load_abort, only the DONE bit
> diff --git a/include/linux/fs.h b/include/linux/fs.h
> index 962c491..2a9670a 100644
> --- a/include/linux/fs.h
> +++ b/include/linux/fs.h
> @@ -2527,6 +2527,7 @@ static inline void i_readcount_inc(struct inode *inode)
>  extern int do_pipe_flags(int *, int);
>
>  enum kernel_read_file_id {
> +       READING_FIRMWARE = 1,
>         READING_MAX_ID
>  };
>
> diff --git a/include/linux/ima.h b/include/linux/ima.h
> index d29a6a2..7aea486 100644
> --- a/include/linux/ima.h
> +++ b/include/linux/ima.h
> @@ -19,7 +19,6 @@ extern int ima_file_check(struct file *file, int mask, int opened);
>  extern void ima_file_free(struct file *file);
>  extern int ima_file_mmap(struct file *file, unsigned long prot);
>  extern int ima_module_check(struct file *file);
> -extern int ima_fw_from_file(struct file *file, char *buf, size_t size);
>  extern int ima_post_read_file(struct file *file, void *buf, loff_t size,
>                               enum kernel_read_file_id id);
>
> @@ -49,11 +48,6 @@ static inline int ima_module_check(struct file *file)
>         return 0;
>  }
>
> -static inline int ima_fw_from_file(struct file *file, char *buf, size_t size)
> -{
> -       return 0;
> -}
> -
>  static inline int ima_post_read_file(struct file *file, void *buf, loff_t size,
>                                      enum kernel_read_file_id id)
>  {
> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
> index 2337f33..7d04a12 100644
> --- a/include/linux/lsm_hooks.h
> +++ b/include/linux/lsm_hooks.h
> @@ -541,15 +541,6 @@
>   *     @inode points to the inode to use as a reference.
>   *     The current task must be the one that nominated @inode.
>   *     Return 0 if successful.
> - * @kernel_fw_from_file:
> - *     Load firmware from userspace (not called for built-in firmware).
> - *     @file contains the file structure pointing to the file containing
> - *     the firmware to load. This argument will be NULL if the firmware
> - *     was loaded via the uevent-triggered blob-based interface exposed
> - *     by CONFIG_FW_LOADER_USER_HELPER.
> - *     @buf pointer to buffer containing firmware contents.
> - *     @size length of the firmware contents.
> - *     Return 0 if permission is granted.
>   * @kernel_module_request:
>   *     Ability to trigger the kernel to automatically upcall to userspace for
>   *     userspace to load a kernel module with the given name.
> @@ -1462,7 +1453,6 @@ union security_list_options {
>         void (*cred_transfer)(struct cred *new, const struct cred *old);
>         int (*kernel_act_as)(struct cred *new, u32 secid);
>         int (*kernel_create_files_as)(struct cred *new, struct inode *inode);
> -       int (*kernel_fw_from_file)(struct file *file, char *buf, size_t size);
>         int (*kernel_module_request)(char *kmod_name);
>         int (*kernel_module_from_file)(struct file *file);
>         int (*kernel_post_read_file)(struct file *file, char *buf, loff_t size,
> @@ -1725,7 +1715,6 @@ struct security_hook_heads {
>         struct list_head cred_transfer;
>         struct list_head kernel_act_as;
>         struct list_head kernel_create_files_as;
> -       struct list_head kernel_fw_from_file;
>         struct list_head kernel_post_read_file;
>         struct list_head kernel_module_request;
>         struct list_head kernel_module_from_file;
> diff --git a/include/linux/security.h b/include/linux/security.h
> index d920718..cee1349 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -300,7 +300,6 @@ int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp);
>  void security_transfer_creds(struct cred *new, const struct cred *old);
>  int security_kernel_act_as(struct cred *new, u32 secid);
>  int security_kernel_create_files_as(struct cred *new, struct inode *inode);
> -int security_kernel_fw_from_file(struct file *file, char *buf, size_t size);
>  int security_kernel_module_request(char *kmod_name);
>  int security_kernel_module_from_file(struct file *file);
>  int security_kernel_post_read_file(struct file *file, char *buf, loff_t size,
> @@ -854,12 +853,6 @@ static inline int security_kernel_create_files_as(struct cred *cred,
>         return 0;
>  }
>
> -static inline int security_kernel_fw_from_file(struct file *file,
> -                                              char *buf, size_t size)
> -{
> -       return 0;
> -}
> -
>  static inline int security_kernel_module_request(char *kmod_name)
>  {
>         return 0;
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index bead94b..4a5db31 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -337,17 +337,6 @@ int ima_module_check(struct file *file)
>         return process_measurement(file, NULL, 0, MAY_EXEC, MODULE_CHECK, 0);
>  }
>
> -int ima_fw_from_file(struct file *file, char *buf, size_t size)
> -{
> -       if (!file) {
> -               if ((ima_appraise & IMA_APPRAISE_FIRMWARE) &&
> -                   (ima_appraise & IMA_APPRAISE_ENFORCE))
> -                       return -EACCES; /* INTEGRITY_UNKNOWN */
> -               return 0;
> -       }
> -       return process_measurement(file, NULL, 0, MAY_EXEC, FIRMWARE_CHECK, 0);
> -}
> -
>  /**
>   * ima_post_read_file - in memory collect/appraise/audit measurement
>   * @file: pointer to the file to be measured/appraised/audit
> @@ -366,12 +355,22 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size,
>  {
>         enum ima_hooks func = FILE_CHECK;
>
> +       if (!file && read_id == READING_FIRMWARE) {
> +               if ((ima_appraise & IMA_APPRAISE_FIRMWARE) &&
> +                   (ima_appraise & IMA_APPRAISE_ENFORCE))
> +                       return -EACCES; /* INTEGRITY_UNKNOWN */
> +               return 0;
> +       }
> +
>         if (!file && (!buf || size == 0)) { /* should never happen */
>                 if (ima_appraise & IMA_APPRAISE_ENFORCE)
>                         return -EACCES;
>                 return 0;
>         }
>
> +       if (read_id == READING_FIRMWARE)
> +               func = FIRMWARE_CHECK;
> +
>         return process_measurement(file, buf, size, MAY_READ, func, 0);
>  }
>
> diff --git a/security/security.c b/security/security.c
> index ad87e8d..81a4c3a 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -884,17 +884,6 @@ int security_kernel_create_files_as(struct cred *new, struct inode *inode)
>         return call_int_hook(kernel_create_files_as, 0, new, inode);
>  }
>
> -int security_kernel_fw_from_file(struct file *file, char *buf, size_t size)
> -{
> -       int ret;
> -
> -       ret = call_int_hook(kernel_fw_from_file, 0, file, buf, size);
> -       if (ret)
> -               return ret;
> -       return ima_fw_from_file(file, buf, size);
> -}
> -EXPORT_SYMBOL_GPL(security_kernel_fw_from_file);
> -
>  int security_kernel_module_request(char *kmod_name)
>  {
>         return call_int_hook(kernel_module_request, 0, kmod_name);
> @@ -1702,8 +1691,6 @@ struct security_hook_heads security_hook_heads = {
>                 LIST_HEAD_INIT(security_hook_heads.kernel_act_as),
>         .kernel_create_files_as =
>                 LIST_HEAD_INIT(security_hook_heads.kernel_create_files_as),
> -       .kernel_fw_from_file =
> -               LIST_HEAD_INIT(security_hook_heads.kernel_fw_from_file),
>         .kernel_module_request =
>                 LIST_HEAD_INIT(security_hook_heads.kernel_module_request),
>         .kernel_module_from_file =
> --
> 2.1.0
>



-- 
Kees Cook
Chrome OS & Brillo Security

  reply index

Thread overview: 77+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-02-03 19:06 [PATCH v3 00/22] vfs: support for a common kernel file loader Mimi Zohar
2016-02-03 19:06 ` [PATCH v3 01/22] ima: separate 'security.ima' reading functionality from collect Mimi Zohar
2016-02-03 19:06 ` [PATCH v3 02/22] ima: refactor ima_policy_show() to display "ima_hooks" rules Mimi Zohar
2016-02-07 19:45   ` Petko Manolov
2016-02-10 19:33   ` Dmitry Kasatkin
2016-02-03 19:06 ` [PATCH v3 03/22] ima: use "ima_hooks" enum as function argument Mimi Zohar
2016-02-07 19:46   ` Petko Manolov
2016-02-10 19:35   ` Dmitry Kasatkin
2016-02-03 19:06 ` [PATCH v3 04/22] firmware: simplify dev_*() print messages for generic helpers Mimi Zohar
2016-02-04 17:26   ` Kees Cook
2016-02-03 19:06 ` [PATCH v3 05/22] firmware: move completing fw into a helper Mimi Zohar
2016-02-04 17:27   ` Kees Cook
2016-02-03 19:06 ` [PATCH v3 06/22] firmware: fold successful fw read early Mimi Zohar
2016-02-04 17:36   ` Kees Cook
2016-02-04 20:26     ` Luis R. Rodriguez
2016-02-03 19:06 ` [PATCH v3 07/22] vfs: define a generic function to read a file from the kernel Mimi Zohar
2016-02-04 17:41   ` Kees Cook
2016-02-03 19:06 ` [PATCH v3 08/22] vfs: define kernel_read_file_id enumeration Mimi Zohar
2016-02-04 17:41   ` Kees Cook
2016-02-04 19:45   ` Luis R. Rodriguez
2016-02-03 19:06 ` [PATCH v3 09/22] ima: provide buffer hash calculation function Mimi Zohar
2016-02-03 19:06 ` [PATCH v3 10/22] ima: calculate the hash of a buffer using aynchronous hash(ahash) Mimi Zohar
2016-02-10 19:58   ` Dmitry Kasatkin
2016-02-03 19:06 ` [PATCH v3 11/22] ima: define a new hook to measure and appraise a file already in memory Mimi Zohar
2016-02-10 20:27   ` Dmitry Kasatkin
2016-02-03 19:06 ` [PATCH v3 12/22] vfs: define kernel_read_file_from_path Mimi Zohar
2016-02-04 17:46   ` Kees Cook
2016-02-04 19:47   ` Luis R. Rodriguez
2016-02-03 19:06 ` [PATCH v3 13/22] firmware: replace call to fw_read_file_contents() with kernel version Mimi Zohar
2016-02-04 17:56   ` Kees Cook [this message]
2016-02-04 19:51   ` Luis R. Rodriguez
2016-02-03 19:06 ` [PATCH v3 14/22] security: define kernel_read_file hook Mimi Zohar
2016-02-04 17:57   ` Kees Cook
2016-02-04 19:54   ` Luis R. Rodriguez
2016-02-11 16:54   ` Casey Schaufler
2016-02-11 19:35     ` Mimi Zohar
2016-02-03 19:06 ` [PATCH v3 15/22] vfs: define kernel_copy_file_from_fd() Mimi Zohar
2016-02-04 17:58   ` Kees Cook
2016-02-04 19:55   ` Luis R. Rodriguez
2016-02-03 19:06 ` [PATCH v3 16/22] module: replace copy_module_from_fd with kernel version Mimi Zohar
2016-02-04 18:04   ` Kees Cook
2016-02-04 19:56   ` Luis R. Rodriguez
2016-02-05  0:19     ` Mimi Zohar
2016-02-03 19:06 ` [PATCH v3 17/22] ima: remove firmware and module specific cached status info Mimi Zohar
2016-02-07 19:56   ` Petko Manolov
2016-02-10 20:18   ` Dmitry Kasatkin
2016-02-10 23:14     ` Mimi Zohar
2016-02-03 19:06 ` [PATCH v3 18/22] kexec: replace call to copy_file_from_fd() with kernel version Mimi Zohar
2016-02-04 18:05   ` Kees Cook
2016-02-04 19:57   ` Luis R. Rodriguez
2016-02-12 12:50   ` Dave Young
2016-02-03 19:06 ` [PATCH v3 19/22] ima: support for kexec image and initramfs Mimi Zohar
2016-02-07 20:10   ` Petko Manolov
2016-02-08 23:34     ` Mimi Zohar
2016-02-10 21:09   ` Dmitry Kasatkin
2016-02-10 23:21     ` Mimi Zohar
     [not found]       ` <CACE9dm8OJ1cgbKszUG-pCiEMVarUFLLWi_jewVV-JEMGAJsA-g@mail.gmail.com>
2016-02-11  2:08         ` Mimi Zohar
2016-02-11  8:47           ` Dmitry Kasatkin
2016-02-11 12:16             ` Mimi Zohar
2016-02-12 12:53   ` Dave Young
2016-02-12 13:09     ` Mimi Zohar
2016-02-03 19:06 ` [PATCH v3 20/22] ima: load policy using path Mimi Zohar
2016-02-07 19:59   ` Petko Manolov
2016-02-08  9:58     ` Dmitry Kasatkin
2016-02-08 10:35       ` Petko Manolov
2016-02-08 10:45         ` Dmitry Kasatkin
2016-02-08 21:12           ` Mimi Zohar
2016-02-09  7:47             ` Petko Manolov
2016-02-03 19:06 ` [PATCH v3 21/22] ima: measure and appraise the IMA policy itself Mimi Zohar
2016-02-07 20:01   ` Petko Manolov
2016-02-10 20:22   ` Dmitry Kasatkin
2016-02-10 23:15     ` Mimi Zohar
2016-02-03 19:06 ` [PATCH v3 22/22] ima: require signed IMA policy Mimi Zohar
2016-02-07 20:02   ` Petko Manolov
2016-02-10 20:24   ` Dmitry Kasatkin
2016-02-04 18:15 ` [PATCH v3 00/22] vfs: support for a common kernel file loader Kees Cook
2016-02-04 23:54   ` Mimi Zohar

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAGXu5jLp63Z=c__eOZh3-b+gsCu-LhQ5d2SnBxQ0mLoEioeU=w@mail.gmail.com' \
    --to=keescook@chromium.org \
    --cc=dhowells@redhat.com \
    --cc=dmitry.kasatkin@gmail.com \
    --cc=dmitry.torokhov@gmail.com \
    --cc=dwmw2@infradead.org \
    --cc=ebiederm@xmission.com \
    --cc=kexec@lists.infradead.org \
    --cc=linux-modules@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=mcgrof@suse.com \
    --cc=rusty@rustcorp.com.au \
    --cc=zohar@linux.vnet.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-Modules Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-modules/0 linux-modules/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-modules linux-modules/ https://lore.kernel.org/linux-modules \
		linux-modules@vger.kernel.org linux-modules@archiver.kernel.org
	public-inbox-index linux-modules


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-modules


AGPL code for this site: git clone https://public-inbox.org/ public-inbox