* [PATCH 0/4] Fix misused kernel_read_file() enums
@ 2020-07-07  8:19 Kees Cook
  2020-07-07  8:19 ` [PATCH 1/4] firmware_loader: EFI firmware loader must handle pre-allocated buffer Kees Cook
                   ` (6 more replies)
  0 siblings, 7 replies; 29+ messages in thread
From: Kees Cook @ 2020-07-07  8:19 UTC (permalink / raw)
  To: James Morris
  Cc: Kees Cook, Luis Chamberlain, Mimi Zohar, Scott Branden,
	Greg Kroah-Hartman, Rafael J. Wysocki, Alexander Viro,
	Jessica Yu, Dmitry Kasatkin, Serge E. Hallyn, Casey Schaufler,
	Eric W. Biederman, Peter Zijlstra, Matthew Garrett,
	David Howells, Mauro Carvalho Chehab, Randy Dunlap,
	Joel Fernandes (Google),
	KP Singh, Dave Olsthoorn, Hans de Goede, Peter Jones,
	Andrew Morton, Stephen Boyd, Paul Moore, linux-kernel,
	linux-fsdevel, linux-integrity, linux-security-module

Hi,

In looking more closely at the additions that got made to the
kernel_read_file() enums, I noticed that FIRMWARE_PREALLOC_BUFFER
and FIRMWARE_EFI_EMBEDDED were added, but they are not appropriate
*kinds* of files for the LSM to reason about. They are a "how" and
"where", respectively. Remove these improper aliases and refactor the
code to adapt to the changes.

Additionally, this adds the missing calls to security_kernel_post_read_file()
in the platform firmware fallback path (to match the sysfs firmware
fallback path) and in module loading. I considered entirely removing
the security_kernel_post_read_file() hook since it is technically unused,
but IMA probably wants to be able to measure EFI-stored firmware images,
so I wired it up and matched it for modules, in case anyone wants to
move the module signature checks out of the module core and into an LSM
to avoid the current layering violations.

This touches several trees, and I suspect it would be best to go through
James's LSM tree.

Thanks!

-Kees

Kees Cook (4):
  firmware_loader: EFI firmware loader must handle pre-allocated buffer
  fs: Remove FIRMWARE_PREALLOC_BUFFER from kernel_read_file() enums
  fs: Remove FIRMWARE_EFI_EMBEDDED from kernel_read_file() enums
  module: Add hook for security_kernel_post_read_file()

 drivers/base/firmware_loader/fallback_platform.c | 12 ++++++++++--
 drivers/base/firmware_loader/main.c              |  5 ++---
 fs/exec.c                                        |  7 ++++---
 include/linux/fs.h                               |  3 +--
 include/linux/lsm_hooks.h                        |  6 +++++-
 kernel/module.c                                  |  7 ++++++-
 security/integrity/ima/ima_main.c                |  6 ++----
 7 files changed, 30 insertions(+), 16 deletions(-)

-- 
2.25.1


