Linux-Security-Module Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH] ima: Rename internal audit rule functions
@ 2020-06-29 15:30 Tyler Hicks
  2020-06-29 16:24 ` Casey Schaufler
  2020-06-29 21:30 ` Mimi Zohar
  0 siblings, 2 replies; 4+ messages in thread
From: Tyler Hicks @ 2020-06-29 15:30 UTC (permalink / raw)
  To: Mimi Zohar, Dmitry Kasatkin
  Cc: James Morris, Serge E . Hallyn, linux-kernel, linux-integrity,
	linux-security-module, Casey Schaufler

Rename IMA's internal audit rule functions from security_filter_rule_*()
to ima_audit_rule_*(). This avoids polluting the security_* namespace,
which is typically reserved for general security subsystem
infrastructure, and better aligns the IMA function names with the names
of the LSM hooks.

Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
Suggested-by: Casey Schaufler <casey@schaufler-ca.com>
---

Developed on top of next-integrity-testing, commit cd1d8603df60 ("IMA:
Add audit log for failure conditions"), plus this patch series:

 [PATCH v2 00/11] ima: Fix rule parsing bugs and extend KEXEC_CMDLINE rule support
 https://lore.kernel.org/linux-integrity/20200626223900.253615-1-tyhicks@linux.microsoft.com/T/#t

This patch has dependencies on the above patch series.

Tested with and without CONFIG_IMA_LSM_RULES enabled by attempting to
load IMA policy with rules containing the subj_role=foo conditional.
Build logs are clean in both configurations. The IMA policy was first
loaded without and then with a valid AppArmor profile named "foo". The
behavior is the same before and after this patch is applied:

                  | CONFIG_IMA_LSM_RULES=n   | CONFIG_IMA_LSM_RULES=y
-----------------------------------------------------------------------
 Without Profile  |  IMA policy load fails   | IMA policy load fails
 With Profile     |  IMA policy load fails   | IMA policy load succeeds

 security/integrity/ima/ima.h        | 16 +++++++--------
 security/integrity/ima/ima_policy.c | 30 +++++++++++++----------------
 2 files changed, 21 insertions(+), 25 deletions(-)

diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index ff2bf57ff0c7..5d62ee8319f4 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -419,24 +419,24 @@ static inline void ima_free_modsig(struct modsig *modsig)
 /* LSM based policy rules require audit */
 #ifdef CONFIG_IMA_LSM_RULES
 
-#define security_filter_rule_init security_audit_rule_init
-#define security_filter_rule_free security_audit_rule_free
-#define security_filter_rule_match security_audit_rule_match
+#define ima_audit_rule_init security_audit_rule_init
+#define ima_audit_rule_free security_audit_rule_free
+#define ima_audit_rule_match security_audit_rule_match
 
 #else
 
-static inline int security_filter_rule_init(u32 field, u32 op, char *rulestr,
-					    void **lsmrule)
+static inline int ima_audit_rule_init(u32 field, u32 op, char *rulestr,
+				      void **lsmrule)
 {
 	return -EINVAL;
 }
 
-static inline void security_filter_rule_free(void *lsmrule)
+static inline void ima_audit_rule_free(void *lsmrule)
 {
 }
 
-static inline int security_filter_rule_match(u32 secid, u32 field, u32 op,
-					     void *lsmrule)
+static inline int ima_audit_rule_match(u32 secid, u32 field, u32 op,
+				       void *lsmrule)
 {
 	return -EINVAL;
 }
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 294323b36d06..60894656a4b7 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -258,7 +258,7 @@ static void ima_lsm_free_rule(struct ima_rule_entry *entry)
 	int i;
 
 	for (i = 0; i < MAX_LSM_RULES; i++) {
-		security_filter_rule_free(entry->lsm[i].rule);
+		ima_audit_rule_free(entry->lsm[i].rule);
 		kfree(entry->lsm[i].args_p);
 	}
 }
@@ -308,10 +308,9 @@ static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry)
 		 */
 		entry->lsm[i].args_p = NULL;
 
-		security_filter_rule_init(nentry->lsm[i].type,
-					  Audit_equal,
-					  nentry->lsm[i].args_p,
-					  &nentry->lsm[i].rule);
+		ima_audit_rule_init(nentry->lsm[i].type, Audit_equal,
+				    nentry->lsm[i].args_p,
+				    &nentry->lsm[i].rule);
 		if (!nentry->lsm[i].rule)
 			pr_warn("rule for LSM \'%s\' is undefined\n",
 				entry->lsm[i].args_p);
@@ -495,18 +494,16 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
 		case LSM_OBJ_ROLE:
 		case LSM_OBJ_TYPE:
 			security_inode_getsecid(inode, &osid);
-			rc = security_filter_rule_match(osid,
-							rule->lsm[i].type,
-							Audit_equal,
-							rule->lsm[i].rule);
+			rc = ima_audit_rule_match(osid, rule->lsm[i].type,
+						  Audit_equal,
+						  rule->lsm[i].rule);
 			break;
 		case LSM_SUBJ_USER:
 		case LSM_SUBJ_ROLE:
 		case LSM_SUBJ_TYPE:
-			rc = security_filter_rule_match(secid,
-							rule->lsm[i].type,
-							Audit_equal,
-							rule->lsm[i].rule);
+			rc = ima_audit_rule_match(secid, rule->lsm[i].type,
+						  Audit_equal,
+						  rule->lsm[i].rule);
 		default:
 			break;
 		}
@@ -901,10 +898,9 @@ static int ima_lsm_rule_init(struct ima_rule_entry *entry,
 		return -ENOMEM;
 
 	entry->lsm[lsm_rule].type = audit_type;
-	result = security_filter_rule_init(entry->lsm[lsm_rule].type,
-					   Audit_equal,
-					   entry->lsm[lsm_rule].args_p,
-					   &entry->lsm[lsm_rule].rule);
+	result = ima_audit_rule_init(entry->lsm[lsm_rule].type, Audit_equal,
+				     entry->lsm[lsm_rule].args_p,
+				     &entry->lsm[lsm_rule].rule);
 	if (!entry->lsm[lsm_rule].rule) {
 		pr_warn("rule for LSM \'%s\' is undefined\n",
 			entry->lsm[lsm_rule].args_p);
-- 
2.25.1


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] ima: Rename internal audit rule functions
  2020-06-29 15:30 [PATCH] ima: Rename internal audit rule functions Tyler Hicks
@ 2020-06-29 16:24 ` Casey Schaufler
  2020-06-29 21:30 ` Mimi Zohar
  1 sibling, 0 replies; 4+ messages in thread
From: Casey Schaufler @ 2020-06-29 16:24 UTC (permalink / raw)
  To: Tyler Hicks, Mimi Zohar, Dmitry Kasatkin
  Cc: James Morris, Serge E . Hallyn, linux-kernel, linux-integrity,
	linux-security-module, Casey Schaufler

On 6/29/2020 8:30 AM, Tyler Hicks wrote:
> Rename IMA's internal audit rule functions from security_filter_rule_*()
> to ima_audit_rule_*(). This avoids polluting the security_* namespace,
> which is typically reserved for general security subsystem
> infrastructure, and better aligns the IMA function names with the names
> of the LSM hooks.
>
> Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
> Suggested-by: Casey Schaufler <casey@schaufler-ca.com>

Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>

> ---
>
> Developed on top of next-integrity-testing, commit cd1d8603df60 ("IMA:
> Add audit log for failure conditions"), plus this patch series:
>
>  [PATCH v2 00/11] ima: Fix rule parsing bugs and extend KEXEC_CMDLINE rule support
>  https://lore.kernel.org/linux-integrity/20200626223900.253615-1-tyhicks@linux.microsoft.com/T/#t
>
> This patch has dependencies on the above patch series.
>
> Tested with and without CONFIG_IMA_LSM_RULES enabled by attempting to
> load IMA policy with rules containing the subj_role=foo conditional.
> Build logs are clean in both configurations. The IMA policy was first
> loaded without and then with a valid AppArmor profile named "foo". The
> behavior is the same before and after this patch is applied:
>
>                   | CONFIG_IMA_LSM_RULES=n   | CONFIG_IMA_LSM_RULES=y
> -----------------------------------------------------------------------
>  Without Profile  |  IMA policy load fails   | IMA policy load fails
>  With Profile     |  IMA policy load fails   | IMA policy load succeeds
>
>  security/integrity/ima/ima.h        | 16 +++++++--------
>  security/integrity/ima/ima_policy.c | 30 +++++++++++++----------------
>  2 files changed, 21 insertions(+), 25 deletions(-)
>
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index ff2bf57ff0c7..5d62ee8319f4 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -419,24 +419,24 @@ static inline void ima_free_modsig(struct modsig *modsig)
>  /* LSM based policy rules require audit */
>  #ifdef CONFIG_IMA_LSM_RULES
>  
> -#define security_filter_rule_init security_audit_rule_init
> -#define security_filter_rule_free security_audit_rule_free
> -#define security_filter_rule_match security_audit_rule_match
> +#define ima_audit_rule_init security_audit_rule_init
> +#define ima_audit_rule_free security_audit_rule_free
> +#define ima_audit_rule_match security_audit_rule_match
>  
>  #else
>  
> -static inline int security_filter_rule_init(u32 field, u32 op, char *rulestr,
> -					    void **lsmrule)
> +static inline int ima_audit_rule_init(u32 field, u32 op, char *rulestr,
> +				      void **lsmrule)
>  {
>  	return -EINVAL;
>  }
>  
> -static inline void security_filter_rule_free(void *lsmrule)
> +static inline void ima_audit_rule_free(void *lsmrule)
>  {
>  }
>  
> -static inline int security_filter_rule_match(u32 secid, u32 field, u32 op,
> -					     void *lsmrule)
> +static inline int ima_audit_rule_match(u32 secid, u32 field, u32 op,
> +				       void *lsmrule)
>  {
>  	return -EINVAL;
>  }
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 294323b36d06..60894656a4b7 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -258,7 +258,7 @@ static void ima_lsm_free_rule(struct ima_rule_entry *entry)
>  	int i;
>  
>  	for (i = 0; i < MAX_LSM_RULES; i++) {
> -		security_filter_rule_free(entry->lsm[i].rule);
> +		ima_audit_rule_free(entry->lsm[i].rule);
>  		kfree(entry->lsm[i].args_p);
>  	}
>  }
> @@ -308,10 +308,9 @@ static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry)
>  		 */
>  		entry->lsm[i].args_p = NULL;
>  
> -		security_filter_rule_init(nentry->lsm[i].type,
> -					  Audit_equal,
> -					  nentry->lsm[i].args_p,
> -					  &nentry->lsm[i].rule);
> +		ima_audit_rule_init(nentry->lsm[i].type, Audit_equal,
> +				    nentry->lsm[i].args_p,
> +				    &nentry->lsm[i].rule);
>  		if (!nentry->lsm[i].rule)
>  			pr_warn("rule for LSM \'%s\' is undefined\n",
>  				entry->lsm[i].args_p);
> @@ -495,18 +494,16 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
>  		case LSM_OBJ_ROLE:
>  		case LSM_OBJ_TYPE:
>  			security_inode_getsecid(inode, &osid);
> -			rc = security_filter_rule_match(osid,
> -							rule->lsm[i].type,
> -							Audit_equal,
> -							rule->lsm[i].rule);
> +			rc = ima_audit_rule_match(osid, rule->lsm[i].type,
> +						  Audit_equal,
> +						  rule->lsm[i].rule);
>  			break;
>  		case LSM_SUBJ_USER:
>  		case LSM_SUBJ_ROLE:
>  		case LSM_SUBJ_TYPE:
> -			rc = security_filter_rule_match(secid,
> -							rule->lsm[i].type,
> -							Audit_equal,
> -							rule->lsm[i].rule);
> +			rc = ima_audit_rule_match(secid, rule->lsm[i].type,
> +						  Audit_equal,
> +						  rule->lsm[i].rule);
>  		default:
>  			break;
>  		}
> @@ -901,10 +898,9 @@ static int ima_lsm_rule_init(struct ima_rule_entry *entry,
>  		return -ENOMEM;
>  
>  	entry->lsm[lsm_rule].type = audit_type;
> -	result = security_filter_rule_init(entry->lsm[lsm_rule].type,
> -					   Audit_equal,
> -					   entry->lsm[lsm_rule].args_p,
> -					   &entry->lsm[lsm_rule].rule);
> +	result = ima_audit_rule_init(entry->lsm[lsm_rule].type, Audit_equal,
> +				     entry->lsm[lsm_rule].args_p,
> +				     &entry->lsm[lsm_rule].rule);
>  	if (!entry->lsm[lsm_rule].rule) {
>  		pr_warn("rule for LSM \'%s\' is undefined\n",
>  			entry->lsm[lsm_rule].args_p);

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] ima: Rename internal audit rule functions
  2020-06-29 15:30 [PATCH] ima: Rename internal audit rule functions Tyler Hicks
  2020-06-29 16:24 ` Casey Schaufler
@ 2020-06-29 21:30 ` Mimi Zohar
  2020-07-10 19:42   ` Tyler Hicks
  1 sibling, 1 reply; 4+ messages in thread
From: Mimi Zohar @ 2020-06-29 21:30 UTC (permalink / raw)
  To: Tyler Hicks, Dmitry Kasatkin
  Cc: James Morris, Serge E . Hallyn, linux-kernel, linux-integrity,
	linux-security-module, Casey Schaufler, linux-audit

[Cc'ing the audit mailing list]

On Mon, 2020-06-29 at 10:30 -0500, Tyler Hicks wrote:
> 
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index ff2bf57ff0c7..5d62ee8319f4 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -419,24 +419,24 @@ static inline void ima_free_modsig(struct modsig *modsig)
>  /* LSM based policy rules require audit */
>  #ifdef CONFIG_IMA_LSM_RULES
>  
> -#define security_filter_rule_init security_audit_rule_init
> -#define security_filter_rule_free security_audit_rule_free
> -#define security_filter_rule_match security_audit_rule_match
> +#define ima_audit_rule_init security_audit_rule_init
> +#define ima_audit_rule_free security_audit_rule_free
> +#define ima_audit_rule_match security_audit_rule_match

Instead of defining an entirely new method of identifying files, IMA
piggybacks on top of the existing audit rule syntax.  IMA policy rules
"filter" based on this information.

IMA already audits security/integrity related events.  Using the word
"audit" here will make things even more confusing than they currently
are.  Renaming these functions as ima_audit_rule_XXX provides no
benefit.  At that point, IMA might as well call the
security_audit_rule prefixed function names directly.  As a quick fix,
rename them as "ima_filter_rule".

The correct solution would probably be to rename these prefixed
"security_audit_rule" functions as "security_filter_rule", so that
both the audit subsystem and IMA could use them.

Mimi

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] ima: Rename internal audit rule functions
  2020-06-29 21:30 ` Mimi Zohar
@ 2020-07-10 19:42   ` Tyler Hicks
  0 siblings, 0 replies; 4+ messages in thread
From: Tyler Hicks @ 2020-07-10 19:42 UTC (permalink / raw)
  To: Mimi Zohar
  Cc: Dmitry Kasatkin, James Morris, Serge E . Hallyn, linux-kernel,
	linux-integrity, linux-security-module, Casey Schaufler,
	linux-audit

On 2020-06-29 17:30:03, Mimi Zohar wrote:
> [Cc'ing the audit mailing list]
> 
> On Mon, 2020-06-29 at 10:30 -0500, Tyler Hicks wrote:
> > 
> > diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> > index ff2bf57ff0c7..5d62ee8319f4 100644
> > --- a/security/integrity/ima/ima.h
> > +++ b/security/integrity/ima/ima.h
> > @@ -419,24 +419,24 @@ static inline void ima_free_modsig(struct modsig *modsig)
> >  /* LSM based policy rules require audit */
> >  #ifdef CONFIG_IMA_LSM_RULES
> >  
> > -#define security_filter_rule_init security_audit_rule_init
> > -#define security_filter_rule_free security_audit_rule_free
> > -#define security_filter_rule_match security_audit_rule_match
> > +#define ima_audit_rule_init security_audit_rule_init
> > +#define ima_audit_rule_free security_audit_rule_free
> > +#define ima_audit_rule_match security_audit_rule_match
> 
> Instead of defining an entirely new method of identifying files, IMA
> piggybacks on top of the existing audit rule syntax.  IMA policy rules
> "filter" based on this information.
> 
> IMA already audits security/integrity related events.  Using the word
> "audit" here will make things even more confusing than they currently
> are.  Renaming these functions as ima_audit_rule_XXX provides no
> benefit.  At that point, IMA might as well call the
> security_audit_rule prefixed function names directly.  As a quick fix,
> rename them as "ima_filter_rule".
> 
> The correct solution would probably be to rename these prefixed
> "security_audit_rule" functions as "security_filter_rule", so that
> both the audit subsystem and IMA could use them.

There doesn't seem to be any interest, from the audit side, in re-using
these. I don't quite understand why they would want to use them since
they're just simple wrappers around the security_audit_rule_*()
functions.

I'll go the "quick fix" route of renaming them as ima_filter_rule_*().

Tyler

> 
> Mimi

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, back to index

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-06-29 15:30 [PATCH] ima: Rename internal audit rule functions Tyler Hicks
2020-06-29 16:24 ` Casey Schaufler
2020-06-29 21:30 ` Mimi Zohar
2020-07-10 19:42   ` Tyler Hicks

Linux-Security-Module Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-security-module/0 linux-security-module/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-security-module linux-security-module/ https://lore.kernel.org/linux-security-module \
		linux-security-module@vger.kernel.org
	public-inbox-index linux-security-module

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-security-module


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git