From: Stefan Berger <stefanb@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: zohar@linux.ibm.com, serge@hallyn.com,
christian.brauner@ubuntu.com, containers@lists.linux.dev,
dmitry.kasatkin@gmail.com, ebiederm@xmission.com,
krzysztof.struczynski@huawei.com, roberto.sassu@huawei.com,
mpeters@redhat.com, lhinds@redhat.com, lsturman@redhat.com,
puiterwi@redhat.com, jejb@linux.ibm.com, jamjoom@us.ibm.com,
linux-kernel@vger.kernel.org, paul@paul-moore.com,
rgb@redhat.com, linux-security-module@vger.kernel.org,
jmorris@namei.org, Stefan Berger <stefanb@linux.ibm.com>,
James Bottomley <James.Bottomley@HansenPartnership.com>
Subject: [RFC 01/20] ima: Add IMA namespace support
Date: Tue, 30 Nov 2021 11:06:35 -0500 [thread overview]
Message-ID: <20211130160654.1418231-2-stefanb@linux.ibm.com> (raw)
In-Reply-To: <20211130160654.1418231-1-stefanb@linux.ibm.com>
Implement an IMA namespace data structure that gets created alongside a
user namespace with CLONE_NEWUSER. This lays down the foundation for
namespacing the different aspects of IMA (eg. IMA-audit, IMA-measurement,
IMA-appraisal).
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Suggested-by: James Bottomley <James.Bottomley@HansenPartnership.com>
---
include/linux/ima.h | 59 +++++++++++++++++
include/linux/user_namespace.h | 4 ++
init/Kconfig | 9 +++
kernel/user.c | 9 ++-
kernel/user_namespace.c | 16 +++++
security/integrity/ima/Makefile | 3 +-
security/integrity/ima/ima.h | 4 ++
security/integrity/ima/ima_init.c | 4 ++
security/integrity/ima/ima_init_ima_ns.c | 32 +++++++++
security/integrity/ima/ima_ns.c | 82 ++++++++++++++++++++++++
10 files changed, 220 insertions(+), 2 deletions(-)
create mode 100644 security/integrity/ima/ima_init_ima_ns.c
create mode 100644 security/integrity/ima/ima_ns.c
diff --git a/include/linux/ima.h b/include/linux/ima.h
index b6ab66a546ae..86d126b9ff2f 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -11,6 +11,7 @@
#include <linux/fs.h>
#include <linux/security.h>
#include <linux/kexec.h>
+#include <linux/user_namespace.h>
#include <crypto/hash_info.h>
struct linux_binprm;
@@ -210,6 +211,64 @@ static inline int ima_inode_removexattr(struct dentry *dentry,
}
#endif /* CONFIG_IMA_APPRAISE */
+struct ima_namespace {
+ struct kref kref;
+ struct user_namespace *user_ns;
+};
+
+extern struct ima_namespace init_ima_ns;
+
+#ifdef CONFIG_IMA_NS
+
+void free_ima_ns(struct kref *kref);
+
+static inline struct ima_namespace *get_ima_ns(struct ima_namespace *ns)
+{
+ if (ns)
+ kref_get(&ns->kref);
+
+ return ns;
+}
+
+static inline void put_ima_ns(struct ima_namespace *ns)
+{
+ if (ns) {
+ pr_debug("DEREF ima_ns: 0x%p ctr: %d\n", ns, kref_read(&ns->kref));
+ kref_put(&ns->kref, free_ima_ns);
+ }
+}
+
+struct ima_namespace *copy_ima_ns(struct ima_namespace *old_ns,
+ struct user_namespace *user_ns);
+
+static inline struct ima_namespace *get_current_ns(void)
+{
+ return current_user_ns()->ima_ns;
+}
+
+#else
+
+static inline struct ima_namespace *get_ima_ns(struct ima_namespace *ns)
+{
+ return ns;
+}
+
+static inline void put_ima_ns(struct ima_namespace *ns)
+{
+}
+
+static inline struct ima_namespace *copy_ima_ns(struct ima_namespace *old_ns,
+ struct user_namespace *user_ns)
+{
+ return old_ns;
+}
+
+static inline struct ima_namespace *get_current_ns(void)
+{
+ return &init_ima_ns;
+}
+#endif /* CONFIG_IMA_NS */
+
#if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING)
extern bool ima_appraise_signature(enum kernel_read_file_id func);
#else
diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
index 33a4240e6a6f..5249db04d62b 100644
--- a/include/linux/user_namespace.h
+++ b/include/linux/user_namespace.h
@@ -36,6 +36,7 @@ struct uid_gid_map { /* 64 bytes -- 1 cache line */
#define USERNS_INIT_FLAGS USERNS_SETGROUPS_ALLOWED
struct ucounts;
+struct ima_namespace;
enum ucount_type {
UCOUNT_USER_NAMESPACES,
@@ -99,6 +100,9 @@ struct user_namespace {
#endif
struct ucounts *ucounts;
long ucount_max[UCOUNT_COUNTS];
+#ifdef CONFIG_IMA
+ struct ima_namespace *ima_ns;
+#endif
} __randomize_layout;
struct ucounts {
diff --git a/init/Kconfig b/init/Kconfig
index 11f8a845f259..598baf451a54 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1242,6 +1242,15 @@ config NET_NS
Allow user space to create what appear to be multiple instances
of the network stack.
+config IMA_NS
+ bool "IMA namespace"
+ depends on IMA
+ default y
+ help
+ Allow the creation of IMA namespaces for each user namespace.
+ Namespaced IMA enables having IMA features work separately
+ in each IMA namespace.
+
endif # NAMESPACES
config CHECKPOINT_RESTORE
diff --git a/kernel/user.c b/kernel/user.c
index e2cf8c22b539..b5dc803a033d 100644
--- a/kernel/user.c
+++ b/kernel/user.c
@@ -20,6 +20,10 @@
#include <linux/user_namespace.h>
#include <linux/proc_ns.h>
+#ifdef CONFIG_IMA
+extern struct ima_namespace init_ima_ns;
+#endif
+
/*
* userns count is 1 for root user, 1 for init_uts_ns,
* and 1 for... ?
@@ -55,7 +59,7 @@ struct user_namespace init_user_ns = {
},
},
},
- .ns.count = REFCOUNT_INIT(3),
+ .ns.count = REFCOUNT_INIT(4),
.owner = GLOBAL_ROOT_UID,
.group = GLOBAL_ROOT_GID,
.ns.inum = PROC_USER_INIT_INO,
@@ -67,6 +71,9 @@ struct user_namespace init_user_ns = {
.keyring_name_list = LIST_HEAD_INIT(init_user_ns.keyring_name_list),
.keyring_sem = __RWSEM_INITIALIZER(init_user_ns.keyring_sem),
#endif
+#ifdef CONFIG_IMA
+ .ima_ns = &init_ima_ns,
+#endif
};
EXPORT_SYMBOL_GPL(init_user_ns);
diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
index 6b2e3ca7ee99..c26885343b19 100644
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -20,6 +20,7 @@
#include <linux/fs_struct.h>
#include <linux/bsearch.h>
#include <linux/sort.h>
+#include <linux/ima.h>
static struct kmem_cache *user_ns_cachep __read_mostly;
static DEFINE_MUTEX(userns_state_mutex);
@@ -141,8 +142,20 @@ int create_user_ns(struct cred *new)
if (!setup_userns_sysctls(ns))
goto fail_keyring;
+#if CONFIG_IMA
+ ns->ima_ns = copy_ima_ns(parent_ns->ima_ns, ns);
+ if (IS_ERR(ns->ima_ns)) {
+ ret = PTR_ERR(ns->ima_ns);
+ goto fail_userns_sysctls;
+ }
+#endif
+
set_cred_user_ns(new, ns);
return 0;
+#if CONFIG_IMA
+fail_userns_sysctls:
+ retire_userns_sysctls(ns);
+#endif
fail_keyring:
#ifdef CONFIG_PERSISTENT_KEYRINGS
key_put(ns->persistent_keyring_register);
@@ -196,6 +209,9 @@ static void free_user_ns(struct work_struct *work)
kfree(ns->projid_map.forward);
kfree(ns->projid_map.reverse);
}
+#ifdef CONFIG_IMA
+ put_ima_ns(ns->ima_ns);
+#endif
retire_userns_sysctls(ns);
key_free_user_ns(ns);
ns_free_inum(&ns->ns);
diff --git a/security/integrity/ima/Makefile b/security/integrity/ima/Makefile
index 2499f2485c04..b86a35fbed60 100644
--- a/security/integrity/ima/Makefile
+++ b/security/integrity/ima/Makefile
@@ -7,13 +7,14 @@
obj-$(CONFIG_IMA) += ima.o
ima-y := ima_fs.o ima_queue.o ima_init.o ima_main.o ima_crypto.o ima_api.o \
- ima_policy.o ima_template.o ima_template_lib.o
+ ima_policy.o ima_template.o ima_template_lib.o ima_init_ima_ns.o
ima-$(CONFIG_IMA_APPRAISE) += ima_appraise.o
ima-$(CONFIG_IMA_APPRAISE_MODSIG) += ima_modsig.o
ima-$(CONFIG_HAVE_IMA_KEXEC) += ima_kexec.o
ima-$(CONFIG_IMA_BLACKLIST_KEYRING) += ima_mok.o
ima-$(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) += ima_asymmetric_keys.o
ima-$(CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS) += ima_queue_keys.o
+ima-$(CONFIG_IMA_NS) += ima_ns.o
ifeq ($(CONFIG_EFI),y)
ima-$(CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT) += ima_efi.o
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index be965a8715e4..2f8adf383054 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -418,6 +418,10 @@ static inline void ima_free_modsig(struct modsig *modsig)
}
#endif /* CONFIG_IMA_APPRAISE_MODSIG */
+int ima_ns_init(void);
+struct ima_namespace;
+int ima_init_namespace(struct ima_namespace *ns);
+
/* LSM based policy rules require audit */
#ifdef CONFIG_IMA_LSM_RULES
diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
index b26fa67476b4..f6ae4557a0da 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -120,6 +120,10 @@ int __init ima_init(void)
{
int rc;
+ rc = ima_ns_init();
+ if (rc)
+ return rc;
+
ima_tpm_chip = tpm_default_chip();
if (!ima_tpm_chip)
pr_info("No TPM chip found, activating TPM-bypass!\n");
diff --git a/security/integrity/ima/ima_init_ima_ns.c b/security/integrity/ima/ima_init_ima_ns.c
new file mode 100644
index 000000000000..12723d77fe17
--- /dev/null
+++ b/security/integrity/ima/ima_init_ima_ns.c
@@ -0,0 +1,32 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * Copyright (C) 2016-2018 IBM Corporation
+ * Author:
+ * Yuqiong Sun <suny@us.ibm.com>
+ * Stefan Berger <stefanb@linux.vnet.ibm.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 2 of the License.
+ */
+
+#include <linux/export.h>
+#include <linux/user_namespace.h>
+#include <linux/ima.h>
+#include <linux/proc_ns.h>
+
+int ima_init_namespace(struct ima_namespace *ns)
+{
+ return 0;
+}
+
+int __init ima_ns_init(void)
+{
+ return ima_init_namespace(&init_ima_ns);
+}
+
+struct ima_namespace init_ima_ns = {
+ .kref = KREF_INIT(1),
+ .user_ns = &init_user_ns,
+};
+EXPORT_SYMBOL(init_ima_ns);
diff --git a/security/integrity/ima/ima_ns.c b/security/integrity/ima/ima_ns.c
new file mode 100644
index 000000000000..fa8069acc217
--- /dev/null
+++ b/security/integrity/ima/ima_ns.c
@@ -0,0 +1,82 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * Copyright (C) 2016-2018 IBM Corporation
+ * Author:
+ * Yuqiong Sun <suny@us.ibm.com>
+ * Stefan Berger <stefanb@linux.vnet.ibm.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 2 of the License.
+ */
+
+#include <linux/kref.h>
+#include <linux/slab.h>
+#include <linux/ima.h>
+#include <linux/mount.h>
+#include <linux/proc_ns.h>
+#include <linux/lsm_hooks.h>
+
+#include "ima.h"
+
+static struct kmem_cache *imans_cachep;
+
+static struct ima_namespace *create_ima_ns(struct user_namespace *user_ns)
+{
+ struct ima_namespace *ns;
+ int err;
+
+ ns = kmem_cache_zalloc(imans_cachep, GFP_KERNEL);
+ if (!ns)
+ return ERR_PTR(-ENOMEM);
+ pr_debug("NEW ima_ns: 0x%p\n", ns);
+
+ kref_init(&ns->kref);
+ ns->user_ns = user_ns;
+
+ err = ima_init_namespace(ns);
+ if (err)
+ goto fail_free;
+
+ return ns;
+
+fail_free:
+ kmem_cache_free(imans_cachep, ns);
+
+ return ERR_PTR(err);
+}
+
+/**
+ * Copy an ima namespace - create a new one
+ *
+ * @old_ns: old ima namespace to clone
+ * @user_ns: User namespace
+ */
+struct ima_namespace *copy_ima_ns(struct ima_namespace *old_ns,
+ struct user_namespace *user_ns)
+{
+ return create_ima_ns(user_ns);
+}
+
+static void destroy_ima_ns(struct ima_namespace *ns)
+{
+ pr_debug("DESTROY ima_ns: 0x%p\n", ns);
+ kmem_cache_free(imans_cachep, ns);
+}
+
+void free_ima_ns(struct kref *kref)
+{
+ struct ima_namespace *ns;
+
+ ns = container_of(kref, struct ima_namespace, kref);
+ BUG_ON(ns == &init_ima_ns);
+
+ destroy_ima_ns(ns);
+}
+
+int __init imans_cache_init(void)
+{
+ imans_cachep = KMEM_CACHE(ima_namespace, SLAB_PANIC);
+ return 0;
+}
+subsys_initcall(imans_cache_init)
--
2.31.1
next prev parent reply other threads:[~2021-11-30 16:07 UTC|newest]
Thread overview: 70+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-30 16:06 [RFC 00/20] ima: Namespace IMA with audit support in IMA-ns Stefan Berger
2021-11-30 16:06 ` Stefan Berger [this message]
2021-11-30 21:53 ` [RFC 01/20] ima: Add IMA namespace support kernel test robot
2021-11-30 21:53 ` kernel test robot
2021-11-30 22:03 ` kernel test robot
2021-11-30 22:03 ` kernel test robot
2021-11-30 22:42 ` [RFC PATCH] ima: imans_cache_init() can be static kernel test robot
2021-11-30 22:44 ` [RFC 01/20] ima: Add IMA namespace support kernel test robot
2021-11-30 16:06 ` [RFC 02/20] ima: Define ns_status for storing namespaced iint data Stefan Berger
2021-11-30 23:21 ` kernel test robot
2021-11-30 23:21 ` kernel test robot
2021-12-01 0:31 ` [RFC PATCH] ima: insert_ns_status() can be static kernel test robot
2021-12-01 0:33 ` [RFC 02/20] ima: Define ns_status for storing namespaced iint data kernel test robot
2021-11-30 16:06 ` [RFC 03/20] ima: Namespace audit status flags Stefan Berger
2021-11-30 16:06 ` [RFC 04/20] ima: Move delayed work queue and variables into ima_namespace Stefan Berger
2021-11-30 16:06 ` [RFC 05/20] ima: Move IMA's keys queue related " Stefan Berger
2021-11-30 16:06 ` [RFC 06/20] ima: Move policy " Stefan Berger
2021-11-30 19:29 ` kernel test robot
2021-11-30 16:06 ` [RFC 07/20] ima: Move ima_htable " Stefan Berger
2021-11-30 16:06 ` [RFC 08/20] ima: Move measurement list related variables " Stefan Berger
2021-12-02 12:46 ` James Bottomley
2021-12-02 13:41 ` Stefan Berger
2021-12-02 16:29 ` James Bottomley
2021-12-02 16:45 ` Stefan Berger
2021-12-02 17:44 ` James Bottomley
2021-12-02 18:03 ` Stefan Berger
2021-12-02 20:03 ` James Bottomley
2021-11-30 16:06 ` [RFC 09/20] ima: Only accept AUDIT rules for IMA non-init_ima_ns namespaces for now Stefan Berger
2021-11-30 16:06 ` [RFC 10/20] ima: Implement hierarchical processing of file accesses Stefan Berger
2021-11-30 16:06 ` [RFC 11/20] securityfs: Prefix global variables with securityfs_ Stefan Berger
2021-11-30 16:06 ` [RFC 12/20] securityfs: Pass static variables as parameters from top level functions Stefan Berger
2021-12-01 3:55 ` [RFC PATCH] securityfs: _securityfs_create_symlink() can be static kernel test robot
2021-12-01 4:02 ` [RFC 12/20] securityfs: Pass static variables as parameters from top level functions kernel test robot
2021-11-30 16:06 ` [RFC 13/20] securityfs: Build securityfs_ns for namespacing support Stefan Berger
2021-12-02 13:35 ` Christian Brauner
2021-12-02 13:47 ` Stefan Berger
2021-11-30 16:06 ` [RFC 14/20] ima: Move some IMA policy and filesystem related variables into ima_namespace Stefan Berger
2021-11-30 16:06 ` [RFC 15/20] capabilities: Introduce CAP_INTEGRITY_ADMIN Stefan Berger
2021-11-30 17:27 ` Casey Schaufler
2021-11-30 17:41 ` Stefan Berger
2021-11-30 17:50 ` Casey Schaufler
2021-11-30 16:06 ` [RFC 16/20] ima: Use ns_capable() for namespace policy access Stefan Berger
2021-11-30 16:06 ` [RFC 17/20] ima: Use integrity_admin_ns_capable() to check corresponding capability Stefan Berger
2021-12-01 16:58 ` James Bottomley
2021-12-01 17:35 ` Stefan Berger
2021-12-01 19:29 ` James Bottomley
2021-12-02 7:16 ` Denis Semakin
2021-12-02 12:33 ` James Bottomley
2021-12-02 17:54 ` Stefan Berger
2021-12-02 12:59 ` Christian Brauner
2021-12-02 13:01 ` Christian Brauner
2021-12-02 15:58 ` Casey Schaufler
2021-11-30 16:06 ` [RFC 18/20] userns: Introduce a refcount variable for calling early teardown function Stefan Berger
2021-11-30 16:06 ` [RFC 19/20] ima/userns: Define early teardown function for IMA namespace Stefan Berger
2021-11-30 20:42 ` kernel test robot
2021-11-30 16:06 ` [RFC 20/20] ima: Setup securityfs_ns " Stefan Berger
2021-12-01 2:14 ` [RFC PATCH] ima: ima_fs_ns_permission() can be static kernel test robot
2021-12-01 2:15 ` [RFC 20/20] ima: Setup securityfs_ns for IMA namespace kernel test robot
2021-12-01 17:56 ` James Bottomley
2021-12-01 18:11 ` Stefan Berger
2021-12-01 19:21 ` James Bottomley
2021-12-01 20:25 ` Stefan Berger
2021-12-01 21:11 ` James Bottomley
2021-12-01 21:34 ` Stefan Berger
2021-12-01 22:01 ` James Bottomley
2021-12-01 22:09 ` Stefan Berger
2021-12-01 22:19 ` James Bottomley
2021-12-02 0:02 ` Stefan Berger
2021-12-02 13:18 ` Christian Brauner
2021-12-02 13:52 ` Stefan Berger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211130160654.1418231-2-stefanb@linux.ibm.com \
--to=stefanb@linux.ibm.com \
--cc=James.Bottomley@HansenPartnership.com \
--cc=christian.brauner@ubuntu.com \
--cc=containers@lists.linux.dev \
--cc=dmitry.kasatkin@gmail.com \
--cc=ebiederm@xmission.com \
--cc=jamjoom@us.ibm.com \
--cc=jejb@linux.ibm.com \
--cc=jmorris@namei.org \
--cc=krzysztof.struczynski@huawei.com \
--cc=lhinds@redhat.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lsturman@redhat.com \
--cc=mpeters@redhat.com \
--cc=paul@paul-moore.com \
--cc=puiterwi@redhat.com \
--cc=rgb@redhat.com \
--cc=roberto.sassu@huawei.com \
--cc=serge@hallyn.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.