From: Christian Brauner <brauner@kernel.org>
To: Stefan Berger <stefanb@linux.vnet.ibm.com>
Cc: linux-integrity@vger.kernel.org, zohar@linux.ibm.com,
serge@hallyn.com, christian.brauner@ubuntu.com,
containers@lists.linux.dev, dmitry.kasatkin@gmail.com,
ebiederm@xmission.com, krzysztof.struczynski@huawei.com,
roberto.sassu@huawei.com, mpeters@redhat.com, lhinds@redhat.com,
lsturman@redhat.com, puiterwi@redhat.com, jejb@linux.ibm.com,
jamjoom@us.ibm.com, linux-kernel@vger.kernel.org,
paul@paul-moore.com, rgb@redhat.com,
linux-security-module@vger.kernel.org, jmorris@namei.org,
Stefan Berger <stefanb@linux.ibm.com>
Subject: Re: [PATCH v9 21/23] ima: Introduce securityfs file to activate an IMA namespace
Date: Wed, 26 Jan 2022 15:31:40 +0100 [thread overview]
Message-ID: <20220126143140.awwlv3h2jqotng2n@wittgenstein> (raw)
In-Reply-To: <20220125224645.79319-22-stefanb@linux.vnet.ibm.com>
On Tue, Jan 25, 2022 at 05:46:43PM -0500, Stefan Berger wrote:
> From: Stefan Berger <stefanb@linux.ibm.com>
>
> Introduce securityfs file 'active' that allows a user to activate an IMA
> namespace by writing a "1" (precisely a '1\0' or '1\n') to it. When
> reading from the file, it shows either '0' or '1'.
>
> Also, introduce ns_is_active() to be used in those places where the
> ima_namespace pointer may either be NULL or where the active field may not
> have been set to '1', yet. An inactive IMA namespace should never be
> accessed since it has not been initialized, yet.
>
> Set the init_ima_ns's active field to '1' since it is considered active
> right from the beginning.
>
> The rationale for introducing a file to activate an IMA namespace is that
> subsequent support for IMA-measurement and IMA-appraisal will add
> configuration files for selecting for example the template that an IMA
> namespace is supposed to use for logging measurements, which will add
> an IMA namespace configuration stage (using securityfs files) before its
> activation.
>
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> ---
> security/integrity/ima/ima.h | 7 +++
> security/integrity/ima/ima_fs.c | 59 ++++++++++++++++++++++++
> security/integrity/ima/ima_init_ima_ns.c | 1 +
> security/integrity/ima/ima_main.c | 2 +-
> 4 files changed, 68 insertions(+), 1 deletion(-)
>
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index a52b388b4157..cf2f63bb5bdf 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -123,6 +123,8 @@ struct ima_h_table {
> };
>
> struct ima_namespace {
> + atomic_t active; /* whether namespace is active */
> +
> struct rb_root ns_status_tree;
> rwlock_t ns_tree_lock;
> struct kmem_cache *ns_status_cache;
> @@ -154,6 +156,11 @@ struct ima_namespace {
> } __randomize_layout;
> extern struct ima_namespace init_ima_ns;
>
> +static inline bool ns_is_active(struct ima_namespace *ns)
> +{
> + return (ns && atomic_read(&ns->active));
> +}
> +
> extern const int read_idmap[];
>
> #ifdef CONFIG_HAVE_IMA_KEXEC
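Review bot: ns_is_active() reads the flag with a plain `atomic_read()`, which implies no memory ordering, while the commit message relies on this flag to keep callers away from a namespace that "has not been initialized, yet". In this patch activation only sets the flag, so there is nothing to order against yet. Once activation also initialises namespace state, the check in process_measurement() (the ima_main.c hunk) could observe `active == 1` before those stores are visible. Consider pairing `atomic_read_acquire(&ns->active)` here with `atomic_set_release(&ns->active, 1)` in ima_write_active(), and add a short comment above the helper saying it must be checked before any other field of the namespace is used.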
> diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
> index 5dd0e759a470..79a786db79db 100644
> --- a/security/integrity/ima/ima_fs.c
> +++ b/security/integrity/ima/ima_fs.c
> @@ -451,6 +451,62 @@ static const struct file_operations ima_measure_policy_ops = {
> .llseek = generic_file_llseek,
> };
>
> +static ssize_t ima_show_active(struct file *filp,
> + char __user *buf,
> + size_t count, loff_t *ppos)
> +{
> + struct ima_namespace *ns = &init_ima_ns;
> + char tmpbuf[2];
> + ssize_t len;
> +
> + len = scnprintf(tmpbuf, sizeof(tmpbuf),
> + "%d\n", atomic_read(&ns->active));
> + return simple_read_from_buffer(buf, count, ppos, tmpbuf, len);
> +}
> +
> +static ssize_t ima_write_active(struct file *filp,
> + const char __user *buf,
> + size_t count, loff_t *ppos)
> +{
> + struct ima_namespace *ns = &init_ima_ns;
> + unsigned int active;
> + char tmpbuf[3];
> + ssize_t ret;
> +
> + if (ns_is_active(ns))
> + return -EBUSY;
> +
> + ret = simple_write_to_buffer(tmpbuf, sizeof(tmpbuf) - 1, ppos,
> + buf, count);
> + if (ret < 0)
> + return ret;
> + tmpbuf[ret] = 0;
> +
> + if (!kstrtouint(tmpbuf, 10, &active) && active == 1)
> + atomic_set(&ns->active, 1);
> +
> + return count;
> +}
Hm, I'd rather do something like (uncompiled, untested):
+static ssize_t ima_write_active(struct file *filp,
const char __user *buf,
size_t count, loff_t *ppos)
{
struct ima_namespace *ns = &init_ima_ns;
int err;
unsigned int active;
char *kbuf = NULL;
ssize_t length;
if (count >= 3)
return -EINVAL;
/* No partial writes. */
if (*ppos != 0)
return -EINVAL;
if (ns_active(ns))
return -EBUSY;
kbuf = memdup_user_nul(buf, count);
if (IS_ERR(kbuf))
return PTR_ERR(kbuf);
err = kstrtouint(kbuf, 10, &active);
kfree(kbuf);
if (err)
return err;
if (active != 1)
return -EINVAL;
atomic_set(&ns->active, 1);
return count;
}
> +
> +static const struct file_operations ima_active_ops = {
> + .read = ima_show_active,
> + .write = ima_write_active,
> +};
> +
> +static int ima_fs_add_ns_files(struct dentry *ima_dir)
> +{
> + struct dentry *active;
> +
> + active =
> + securityfs_create_file("active",
> + S_IRUSR | S_IWUSR | S_IRGRP, ima_dir, NULL,
> + &ima_active_ops);
> + if (IS_ERR(active))
> + return PTR_ERR(active);
> +
> + return 0;
> +}
> +
> int ima_fs_ns_init(struct user_namespace *user_ns, struct dentry *root)
> {
> struct ima_namespace *ns = ima_ns_from_user_ns(user_ns);
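Review bot: In ima_show_active(), `char tmpbuf[2]` cannot hold what the `"%d\n"` format produces. scnprintf() truncates to one digit plus the terminating NUL and returns 1, so the newline never reaches the reader. Either size the buffer for digit, newline and NUL, `char tmpbuf[3];`, or drop the `\n` from the format so the code matches the commit message's "shows either '0' or '1'". Separately, both handlers operate on `&init_ima_ns`, which this patch initialises as active and for which the file is not created, so as posted a write always returns -EBUSY. Presumably a later patch in the series resolves the namespace from the file; a one-line comment saying so would help.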
> @@ -516,6 +572,9 @@ int ima_fs_ns_init(struct user_namespace *user_ns, struct dentry *root)
> goto out;
> }
>
> + if (ns != &init_ima_ns && ima_fs_add_ns_files(ima_dir))
Wouldn't you want to catch the specific error from
ima_fs_add_ns_files() and surface that?
> + goto out;
> +
> return 0;
> out:
> securityfs_remove(ns->ima_policy);
> diff --git a/security/integrity/ima/ima_init_ima_ns.c b/security/integrity/ima/ima_init_ima_ns.c
> index d4ddfd1de60b..39ee0c2477a6 100644
> --- a/security/integrity/ima/ima_init_ima_ns.c
> +++ b/security/integrity/ima/ima_init_ima_ns.c
> @@ -58,5 +58,6 @@ struct ima_namespace init_ima_ns = {
> .ima_lsm_policy_notifier = {
> .notifier_call = ima_lsm_policy_change,
> },
> + .active = ATOMIC_INIT(1),
> };
> EXPORT_SYMBOL(init_ima_ns);
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index 8018e9aaad32..059917182960 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -441,7 +441,7 @@ static int process_measurement(struct user_namespace *user_ns,
>
> while (user_ns) {
> ns = ima_ns_from_user_ns(user_ns);
> - if (ns) {
> + if (ns_is_active(ns)) {
> int rc;
>
> rc = __process_measurement(ns, file, cred, secid, buf,
> --
> 2.31.1
>
>