From: Stefan Berger <stefanb@linux.vnet.ibm.com>
To: linux-integrity@vger.kernel.org,
containers@lists.linux-foundation.org,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org
Cc: serge@hallyn.com, sunyuqiong1988@gmail.com, david.safford@ge.com,
mkayaalp@cs.binghamton.edu,
James.Bottomley@HansenPartnership.com, zohar@linux.vnet.ibm.com,
ebiederm@xmission.com, john.johansen@canonical.com,
Mehmet Kayaalp <mkayaalp@linux.vnet.ibm.com>
Subject: [RFC PATCH v4 5/5] ima: namespace audit status flags
Date: Fri, 11 May 2018 10:42:30 -0400 [thread overview]
Message-ID: <20180511144230.75384-6-stefanb@linux.vnet.ibm.com> (raw)
In-Reply-To: <20180511144230.75384-1-stefanb@linux.vnet.ibm.com>
From: Mehmet Kayaalp <mkayaalp@linux.vnet.ibm.com>
The iint cache stores whether the file is measured, appraised, audited
etc. This patch moves the IMA_AUDITED flag into the per-namespace
ns_status, enabling IMA audit mechanism to audit the same file each time
it is accessed in a new namespace.
The ns_status is not looked up if the CONFIG_IMA_NS is disabled or if
any of the IMA_NS_STATUS_ACTIONS (currently only IMA_AUDIT) is not
enabled.
Read and write operations on the iint flags is replaced with function
calls. For reading, iint_flags() returns the bitwise AND of iint->flags
and ns_status->flags. The ns_status flags are masked with
IMA_NS_STATUS_FLAGS (currently only IMA_AUDITED). Similarly
set_iint_flags() only writes the masked portion to the ns_status flags,
while the iint flags is set as before. The ns_status parameter added to
ima_audit_measurement() is used with the above functions to query and
set the ns_status flags.
Signed-off-by: Mehmet Kayaalp <mkayaalp@linux.vnet.ibm.com>
Changelog:
v2:
* fixed flag calculation in iint_flags()
---
init/Kconfig | 3 +++
security/integrity/ima/ima.h | 24 +++++++++++++++++++++++-
security/integrity/ima/ima_api.c | 8 +++++---
security/integrity/ima/ima_main.c | 15 ++++++++++++---
security/integrity/ima/ima_ns.c | 20 ++++++++++++++++++++
5 files changed, 63 insertions(+), 7 deletions(-)
diff --git a/init/Kconfig b/init/Kconfig
index 2ae532aa12a0..a71a2901dac3 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -939,6 +939,9 @@ config IMA_NS
help
Allow the creation of IMA namespaces. Namespaced IMA data
enables having IMA features work separately in each IMA namespace.
+ Currently, only the audit status flags are stored in the namespace,
+ which allows the same file to be audited each time it is accessed
+ in a new namespace.
endif # NAMESPACES
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index a23f4b0b21f4..d73757984563 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -212,7 +212,8 @@ void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file,
struct evm_ima_xattr_data *xattr_value,
int xattr_len, int pcr);
void ima_audit_measurement(struct integrity_iint_cache *iint,
- const unsigned char *filename);
+ const unsigned char *filename,
+ struct ns_status *status);
int ima_alloc_init_template(struct ima_event_data *event_data,
struct ima_template_entry **entry);
int ima_store_template(struct ima_template_entry *entry, int violation,
@@ -301,6 +302,9 @@ static inline int ima_read_xattr(struct dentry *dentry,
#endif /* CONFIG_IMA_APPRAISE */
+#define IMA_NS_STATUS_ACTIONS IMA_AUDIT
+#define IMA_NS_STATUS_FLAGS IMA_AUDITED
+
int ima_ns_init(void);
struct ima_namespace;
int ima_init_namespace(struct ima_namespace *ns);
@@ -308,12 +312,30 @@ int ima_init_namespace(struct ima_namespace *ns);
#ifdef CONFIG_IMA_NS
struct ns_status *ima_get_ns_status(struct ima_namespace *ns,
struct inode *inode);
+unsigned long iint_flags(struct integrity_iint_cache *iint,
+ struct ns_status *status);
+unsigned long set_iint_flags(struct integrity_iint_cache *iint,
+ struct ns_status *status, unsigned long flags);
#else
static inline struct ns_status *ima_get_ns_status(struct ima_namespace *ns,
struct inode *inode)
{
return NULL;
}
+
+static inline unsigned long iint_flags(struct integrity_iint_cache *iint,
+ struct ns_status *status)
+{
+ return iint->flags;
+}
+
+static inline unsigned long set_iint_flags(struct integrity_iint_cache *iint,
+ struct ns_status *status,
+ unsigned long flags)
+{
+ iint->flags = flags;
+ return flags;
+}
#endif /* CONFIG_IMA_NS */
/* LSM based policy rules require audit */
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index 85ca995b9bb7..0b302d829554 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -307,15 +307,17 @@ void ima_store_measurement(struct integrity_iint_cache *iint,
}
void ima_audit_measurement(struct integrity_iint_cache *iint,
- const unsigned char *filename)
+ const unsigned char *filename,
+ struct ns_status *status)
{
struct audit_buffer *ab;
char hash[(iint->ima_hash->length * 2) + 1];
const char *algo_name = hash_algo_name[iint->ima_hash->algo];
char algo_hash[sizeof(hash) + strlen(algo_name) + 2];
int i;
+ unsigned long flags = iint_flags(iint, status);
- if (iint->flags & IMA_AUDITED)
+ if (flags & IMA_AUDITED)
return;
for (i = 0; i < iint->ima_hash->length; i++)
@@ -336,7 +338,7 @@ void ima_audit_measurement(struct integrity_iint_cache *iint,
audit_log_task_info(ab, current);
audit_log_end(ab);
- iint->flags |= IMA_AUDITED;
+ set_iint_flags(iint, status, flags | IMA_AUDITED);
}
/*
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index ad9acac98526..1d1f5dffb186 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -172,6 +172,7 @@ static int process_measurement(struct file *file, char *buf, loff_t size,
{
struct inode *inode = file_inode(file);
struct integrity_iint_cache *iint = NULL;
+ struct ns_status *status = NULL;
struct ima_template_desc *template_desc;
char *pathbuf = NULL;
char filename[NAME_MAX];
@@ -182,6 +183,7 @@ static int process_measurement(struct file *file, char *buf, loff_t size,
int xattr_len = 0;
bool violation_check;
enum hash_algo hash_algo;
+ unsigned long flags;
if (!ima_policy_flag || !S_ISREG(inode->i_mode))
return 0;
@@ -209,6 +211,12 @@ static int process_measurement(struct file *file, char *buf, loff_t size,
iint = integrity_inode_get(inode);
if (!iint)
rc = -ENOMEM;
+
+ if (!rc && (action & IMA_NS_STATUS_ACTIONS)) {
+ status = ima_get_ns_status(get_current_ns(), inode);
+ if (IS_ERR(status))
+ rc = PTR_ERR(status);
+ }
}
if (!rc && violation_check)
@@ -238,9 +246,10 @@ static int process_measurement(struct file *file, char *buf, loff_t size,
* (IMA_MEASURE, IMA_MEASURED, IMA_XXXX_APPRAISE, IMA_XXXX_APPRAISED,
* IMA_AUDIT, IMA_AUDITED)
*/
- iint->flags |= action;
+ flags = iint_flags(iint, status);
+ flags = set_iint_flags(iint, status, flags | action);
action &= IMA_DO_MASK;
- action &= ~((iint->flags & (IMA_DONE_MASK ^ IMA_MEASURED)) >> 1);
+ action &= ~((flags & (IMA_DONE_MASK ^ IMA_MEASURED)) >> 1);
/* If target pcr is already measured, unset IMA_MEASURE action */
if ((action & IMA_MEASURE) && (iint->measured_pcrs & (0x1 << pcr)))
@@ -290,7 +299,7 @@ static int process_measurement(struct file *file, char *buf, loff_t size,
inode_unlock(inode);
}
if (action & IMA_AUDIT)
- ima_audit_measurement(iint, pathname);
+ ima_audit_measurement(iint, pathname, status);
if ((file->f_flags & O_DIRECT) && (iint->flags & IMA_PERMIT_DIRECTIO))
rc = 0;
diff --git a/security/integrity/ima/ima_ns.c b/security/integrity/ima/ima_ns.c
index e0c4d66aab79..cbd0c33c8107 100644
--- a/security/integrity/ima/ima_ns.c
+++ b/security/integrity/ima/ima_ns.c
@@ -114,6 +114,26 @@ void free_ima_ns(struct kref *kref)
destroy_ima_ns(ns);
}
+unsigned long iint_flags(struct integrity_iint_cache *iint,
+ struct ns_status *status)
+{
+ if (!status)
+ return iint->flags;
+
+ return (iint->flags & ~IMA_NS_STATUS_FLAGS) |
+ (status->flags & IMA_NS_STATUS_FLAGS);
+}
+
+unsigned long set_iint_flags(struct integrity_iint_cache *iint,
+ struct ns_status *status, unsigned long flags)
+{
+ iint->flags = flags;
+ if (status)
+ status->flags = flags & IMA_NS_STATUS_FLAGS;
+
+ return flags;
+}
+
static struct ns_common *imans_get(struct task_struct *task)
{
struct ima_namespace *ns = NULL;
--
2.14.3
WARNING: multiple messages have this Message-ID (diff)
From: stefanb@linux.vnet.ibm.com (Stefan Berger)
To: linux-security-module@vger.kernel.org
Subject: [RFC PATCH v4 5/5] ima: namespace audit status flags
Date: Fri, 11 May 2018 10:42:30 -0400 [thread overview]
Message-ID: <20180511144230.75384-6-stefanb@linux.vnet.ibm.com> (raw)
In-Reply-To: <20180511144230.75384-1-stefanb@linux.vnet.ibm.com>
From: Mehmet Kayaalp <mkayaalp@linux.vnet.ibm.com>
The iint cache stores whether the file is measured, appraised, audited
etc. This patch moves the IMA_AUDITED flag into the per-namespace
ns_status, enabling IMA audit mechanism to audit the same file each time
it is accessed in a new namespace.
The ns_status is not looked up if the CONFIG_IMA_NS is disabled or if
any of the IMA_NS_STATUS_ACTIONS (currently only IMA_AUDIT) is not
enabled.
Read and write operations on the iint flags is replaced with function
calls. For reading, iint_flags() returns the bitwise AND of iint->flags
and ns_status->flags. The ns_status flags are masked with
IMA_NS_STATUS_FLAGS (currently only IMA_AUDITED). Similarly
set_iint_flags() only writes the masked portion to the ns_status flags,
while the iint flags is set as before. The ns_status parameter added to
ima_audit_measurement() is used with the above functions to query and
set the ns_status flags.
Signed-off-by: Mehmet Kayaalp <mkayaalp@linux.vnet.ibm.com>
Changelog:
v2:
* fixed flag calculation in iint_flags()
---
init/Kconfig | 3 +++
security/integrity/ima/ima.h | 24 +++++++++++++++++++++++-
security/integrity/ima/ima_api.c | 8 +++++---
security/integrity/ima/ima_main.c | 15 ++++++++++++---
security/integrity/ima/ima_ns.c | 20 ++++++++++++++++++++
5 files changed, 63 insertions(+), 7 deletions(-)
diff --git a/init/Kconfig b/init/Kconfig
index 2ae532aa12a0..a71a2901dac3 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -939,6 +939,9 @@ config IMA_NS
help
Allow the creation of IMA namespaces. Namespaced IMA data
enables having IMA features work separately in each IMA namespace.
+ Currently, only the audit status flags are stored in the namespace,
+ which allows the same file to be audited each time it is accessed
+ in a new namespace.
endif # NAMESPACES
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index a23f4b0b21f4..d73757984563 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -212,7 +212,8 @@ void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file,
struct evm_ima_xattr_data *xattr_value,
int xattr_len, int pcr);
void ima_audit_measurement(struct integrity_iint_cache *iint,
- const unsigned char *filename);
+ const unsigned char *filename,
+ struct ns_status *status);
int ima_alloc_init_template(struct ima_event_data *event_data,
struct ima_template_entry **entry);
int ima_store_template(struct ima_template_entry *entry, int violation,
@@ -301,6 +302,9 @@ static inline int ima_read_xattr(struct dentry *dentry,
#endif /* CONFIG_IMA_APPRAISE */
+#define IMA_NS_STATUS_ACTIONS IMA_AUDIT
+#define IMA_NS_STATUS_FLAGS IMA_AUDITED
+
int ima_ns_init(void);
struct ima_namespace;
int ima_init_namespace(struct ima_namespace *ns);
@@ -308,12 +312,30 @@ int ima_init_namespace(struct ima_namespace *ns);
#ifdef CONFIG_IMA_NS
struct ns_status *ima_get_ns_status(struct ima_namespace *ns,
struct inode *inode);
+unsigned long iint_flags(struct integrity_iint_cache *iint,
+ struct ns_status *status);
+unsigned long set_iint_flags(struct integrity_iint_cache *iint,
+ struct ns_status *status, unsigned long flags);
#else
static inline struct ns_status *ima_get_ns_status(struct ima_namespace *ns,
struct inode *inode)
{
return NULL;
}
+
+static inline unsigned long iint_flags(struct integrity_iint_cache *iint,
+ struct ns_status *status)
+{
+ return iint->flags;
+}
+
+static inline unsigned long set_iint_flags(struct integrity_iint_cache *iint,
+ struct ns_status *status,
+ unsigned long flags)
+{
+ iint->flags = flags;
+ return flags;
+}
#endif /* CONFIG_IMA_NS */
/* LSM based policy rules require audit */
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index 85ca995b9bb7..0b302d829554 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -307,15 +307,17 @@ void ima_store_measurement(struct integrity_iint_cache *iint,
}
void ima_audit_measurement(struct integrity_iint_cache *iint,
- const unsigned char *filename)
+ const unsigned char *filename,
+ struct ns_status *status)
{
struct audit_buffer *ab;
char hash[(iint->ima_hash->length * 2) + 1];
const char *algo_name = hash_algo_name[iint->ima_hash->algo];
char algo_hash[sizeof(hash) + strlen(algo_name) + 2];
int i;
+ unsigned long flags = iint_flags(iint, status);
- if (iint->flags & IMA_AUDITED)
+ if (flags & IMA_AUDITED)
return;
for (i = 0; i < iint->ima_hash->length; i++)
@@ -336,7 +338,7 @@ void ima_audit_measurement(struct integrity_iint_cache *iint,
audit_log_task_info(ab, current);
audit_log_end(ab);
- iint->flags |= IMA_AUDITED;
+ set_iint_flags(iint, status, flags | IMA_AUDITED);
}
/*
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index ad9acac98526..1d1f5dffb186 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -172,6 +172,7 @@ static int process_measurement(struct file *file, char *buf, loff_t size,
{
struct inode *inode = file_inode(file);
struct integrity_iint_cache *iint = NULL;
+ struct ns_status *status = NULL;
struct ima_template_desc *template_desc;
char *pathbuf = NULL;
char filename[NAME_MAX];
@@ -182,6 +183,7 @@ static int process_measurement(struct file *file, char *buf, loff_t size,
int xattr_len = 0;
bool violation_check;
enum hash_algo hash_algo;
+ unsigned long flags;
if (!ima_policy_flag || !S_ISREG(inode->i_mode))
return 0;
@@ -209,6 +211,12 @@ static int process_measurement(struct file *file, char *buf, loff_t size,
iint = integrity_inode_get(inode);
if (!iint)
rc = -ENOMEM;
+
+ if (!rc && (action & IMA_NS_STATUS_ACTIONS)) {
+ status = ima_get_ns_status(get_current_ns(), inode);
+ if (IS_ERR(status))
+ rc = PTR_ERR(status);
+ }
}
if (!rc && violation_check)
@@ -238,9 +246,10 @@ static int process_measurement(struct file *file, char *buf, loff_t size,
* (IMA_MEASURE, IMA_MEASURED, IMA_XXXX_APPRAISE, IMA_XXXX_APPRAISED,
* IMA_AUDIT, IMA_AUDITED)
*/
- iint->flags |= action;
+ flags = iint_flags(iint, status);
+ flags = set_iint_flags(iint, status, flags | action);
action &= IMA_DO_MASK;
- action &= ~((iint->flags & (IMA_DONE_MASK ^ IMA_MEASURED)) >> 1);
+ action &= ~((flags & (IMA_DONE_MASK ^ IMA_MEASURED)) >> 1);
/* If target pcr is already measured, unset IMA_MEASURE action */
if ((action & IMA_MEASURE) && (iint->measured_pcrs & (0x1 << pcr)))
@@ -290,7 +299,7 @@ static int process_measurement(struct file *file, char *buf, loff_t size,
inode_unlock(inode);
}
if (action & IMA_AUDIT)
- ima_audit_measurement(iint, pathname);
+ ima_audit_measurement(iint, pathname, status);
if ((file->f_flags & O_DIRECT) && (iint->flags & IMA_PERMIT_DIRECTIO))
rc = 0;
diff --git a/security/integrity/ima/ima_ns.c b/security/integrity/ima/ima_ns.c
index e0c4d66aab79..cbd0c33c8107 100644
--- a/security/integrity/ima/ima_ns.c
+++ b/security/integrity/ima/ima_ns.c
@@ -114,6 +114,26 @@ void free_ima_ns(struct kref *kref)
destroy_ima_ns(ns);
}
+unsigned long iint_flags(struct integrity_iint_cache *iint,
+ struct ns_status *status)
+{
+ if (!status)
+ return iint->flags;
+
+ return (iint->flags & ~IMA_NS_STATUS_FLAGS) |
+ (status->flags & IMA_NS_STATUS_FLAGS);
+}
+
+unsigned long set_iint_flags(struct integrity_iint_cache *iint,
+ struct ns_status *status, unsigned long flags)
+{
+ iint->flags = flags;
+ if (status)
+ status->flags = flags & IMA_NS_STATUS_FLAGS;
+
+ return flags;
+}
+
static struct ns_common *imans_get(struct task_struct *task)
{
struct ima_namespace *ns = NULL;
--
2.14.3
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2018-05-11 14:42 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-11 14:42 [RFC PATCH v4 0/5] ima: Namespacing IMA Stefan Berger
2018-05-11 14:42 ` Stefan Berger
[not found] ` <20180511144230.75384-1-stefanb-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2018-05-11 14:42 ` [RFC PATCH v4 1/5] ima: Add IMA namespace support Stefan Berger
2018-05-11 14:42 ` Stefan Berger
2018-05-11 14:42 ` Stefan Berger
2018-05-11 14:42 ` [RFC PATCH v4 2/5] ima: Add ns_status for storing namespaced iint data Stefan Berger
2018-05-11 14:42 ` Stefan Berger
2018-05-11 14:42 ` Stefan Berger
2018-05-11 14:42 ` [RFC PATCH v4 3/5] ima: differentiate auditing policy rules from "audit" actions Stefan Berger
2018-05-11 14:42 ` Stefan Berger
2018-05-11 14:42 ` Stefan Berger
[not found] ` <20180511144230.75384-4-stefanb-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2018-05-15 13:40 ` Mimi Zohar
2018-05-15 13:40 ` Mimi Zohar
2018-05-15 13:40 ` Mimi Zohar
2018-05-15 13:40 ` Mimi Zohar
2018-05-16 20:28 ` Stefan Berger
2018-05-16 20:28 ` Stefan Berger
2018-05-16 20:28 ` Stefan Berger
2018-05-16 21:40 ` Mimi Zohar
2018-05-16 21:40 ` Mimi Zohar
2018-05-16 21:40 ` Mimi Zohar
[not found] ` <2496f165-67f7-304d-08a0-ea8eedd3c3d4-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2018-05-16 21:40 ` Mimi Zohar
[not found] ` <1526391655.3937.151.camel-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2018-05-16 20:28 ` Stefan Berger
2018-05-11 14:42 ` [RFC PATCH v4 4/5] ima: extend IMA audit policy rules with attribute to audit namespaces Stefan Berger
2018-05-11 14:42 ` [RFC PATCH v4 5/5] ima: namespace audit status flags Stefan Berger
2018-05-11 14:42 ` [RFC PATCH v4 4/5] ima: extend IMA audit policy rules with attribute to audit namespaces Stefan Berger
2018-05-11 14:42 ` Stefan Berger
2018-05-11 14:42 ` Stefan Berger [this message]
2018-05-11 14:42 ` [RFC PATCH v4 5/5] ima: namespace audit status flags Stefan Berger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180511144230.75384-6-stefanb@linux.vnet.ibm.com \
--to=stefanb@linux.vnet.ibm.com \
--cc=James.Bottomley@HansenPartnership.com \
--cc=containers@lists.linux-foundation.org \
--cc=david.safford@ge.com \
--cc=ebiederm@xmission.com \
--cc=john.johansen@canonical.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mkayaalp@cs.binghamton.edu \
--cc=mkayaalp@linux.vnet.ibm.com \
--cc=serge@hallyn.com \
--cc=sunyuqiong1988@gmail.com \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.