From: Stefan Berger <stefanb@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: zohar@linux.ibm.com, serge@hallyn.com,
christian.brauner@ubuntu.com, containers@lists.linux.dev,
dmitry.kasatkin@gmail.com, ebiederm@xmission.com,
krzysztof.struczynski@huawei.com, roberto.sassu@huawei.com,
mpeters@redhat.com, lhinds@redhat.com, lsturman@redhat.com,
puiterwi@redhat.com, jejb@linux.ibm.com, jamjoom@us.ibm.com,
linux-kernel@vger.kernel.org, paul@paul-moore.com,
rgb@redhat.com, linux-security-module@vger.kernel.org,
jmorris@namei.org, Stefan Berger <stefanb@linux.ibm.com>,
Christian Brauner <brauner@kernel.org>
Subject: [PATCH v11 05/27] ima: Move arch_policy_entry into ima_namespace
Date: Wed, 2 Mar 2022 08:46:40 -0500 [thread overview]
Message-ID: <20220302134703.1273041-6-stefanb@linux.ibm.com> (raw)
In-Reply-To: <20220302134703.1273041-1-stefanb@linux.ibm.com>
The architecture-specific policy rules, currently defined for EFI and
powerpc, require the kexec kernel image and kernel modules to be
validly signed and measured, based on the system's secure boot and/or
trusted boot mode and the IMA_ARCH_POLICY Kconfig option being enabled.
To avoid special-casing init_ima_ns as much as possible, move the
arch_policy_entry into the ima_namespace.
When freeing the arch_policy_entry set the pointer to NULL.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Acked-by: Christian Brauner <brauner@kernel.org>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
---
security/integrity/ima/ima.h | 3 +++
security/integrity/ima/ima_init_ima_ns.c | 1 +
security/integrity/ima/ima_policy.c | 23 +++++++++++------------
3 files changed, 15 insertions(+), 12 deletions(-)
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 9bcde1a24e74..2305bf223a98 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -125,6 +125,9 @@ struct ima_namespace {
struct list_head __rcu *ima_rules; /* Pointer to the current policy */
int ima_policy_flag;
+
+ /* An array of architecture specific rules */
+ struct ima_rule_entry *arch_policy_entry;
} __randomize_layout;
extern struct ima_namespace init_ima_ns;
diff --git a/security/integrity/ima/ima_init_ima_ns.c b/security/integrity/ima/ima_init_ima_ns.c
index c919a456b525..ae33621c3955 100644
--- a/security/integrity/ima/ima_init_ima_ns.c
+++ b/security/integrity/ima/ima_init_ima_ns.c
@@ -15,6 +15,7 @@ static int ima_init_namespace(struct ima_namespace *ns)
INIT_LIST_HEAD(&ns->ima_temp_rules);
ns->ima_rules = (struct list_head __rcu *)(&ns->ima_default_rules);
ns->ima_policy_flag = 0;
+ ns->arch_policy_entry = NULL;
return 0;
}
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index b0e1c16b7f37..05b2bc06ab0c 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -229,9 +229,6 @@ static struct ima_rule_entry critical_data_rules[] __ro_after_init = {
{.action = MEASURE, .func = CRITICAL_DATA, .flags = IMA_FUNC},
};
-/* An array of architecture specific rules */
-static struct ima_rule_entry *arch_policy_entry __ro_after_init;
-
static int ima_policy __initdata;
static int __init default_measure_policy_setup(char *str)
@@ -860,9 +857,10 @@ static int __init ima_init_arch_policy(struct ima_namespace *ns)
for (rules = arch_rules; *rules != NULL; rules++)
arch_entries++;
- arch_policy_entry = kcalloc(arch_entries + 1,
- sizeof(*arch_policy_entry), GFP_KERNEL);
- if (!arch_policy_entry)
+ ns->arch_policy_entry = kcalloc(arch_entries + 1,
+ sizeof(*ns->arch_policy_entry),
+ GFP_KERNEL);
+ if (!ns->arch_policy_entry)
return 0;
/* Convert each policy string rules to struct ima_rule_entry format */
@@ -872,13 +870,13 @@ static int __init ima_init_arch_policy(struct ima_namespace *ns)
result = strscpy(rule, *rules, sizeof(rule));
- INIT_LIST_HEAD(&arch_policy_entry[i].list);
- result = ima_parse_rule(ns, rule, &arch_policy_entry[i]);
+ INIT_LIST_HEAD(&ns->arch_policy_entry[i].list);
+ result = ima_parse_rule(ns, rule, &ns->arch_policy_entry[i]);
if (result) {
pr_warn("Skipping unknown architecture policy rule: %s\n",
rule);
- memset(&arch_policy_entry[i], 0,
- sizeof(*arch_policy_entry));
+ memset(&ns->arch_policy_entry[i], 0,
+ sizeof(ns->arch_policy_entry[i]));
continue;
}
i++;
@@ -926,7 +924,7 @@ void __init ima_init_policy(struct ima_namespace *ns)
if (!arch_entries)
pr_info("No architecture policies found\n");
else
- add_rules(ns, arch_policy_entry, arch_entries,
+ add_rules(ns, ns->arch_policy_entry, arch_entries,
IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY);
/*
@@ -1006,7 +1004,8 @@ void ima_update_policy(struct ima_namespace *ns)
* on boot. After loading a custom policy, free the
* architecture specific rules stored as an array.
*/
- kfree(arch_policy_entry);
+ kfree(ns->arch_policy_entry);
+ ns->arch_policy_entry = NULL;
}
ima_update_policy_flags(ns);
--
2.31.1
next prev parent reply other threads:[~2022-03-02 13:50 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-02 13:46 [PATCH v11 00/27] ima: Namespace IMA with audit support in IMA-ns Stefan Berger
2022-03-02 13:46 ` [PATCH v11 01/27] ima: Return error code obtained from securityfs functions Stefan Berger
2022-03-02 13:46 ` [PATCH v11 02/27] securityfs: rework dentry creation Stefan Berger
2022-03-02 13:46 ` [PATCH v11 03/27] securityfs: Extend securityfs with namespacing support Stefan Berger
2022-03-02 13:46 ` [PATCH v11 04/27] ima: Define ima_namespace struct and start moving variables into it Stefan Berger
2022-03-02 13:46 ` Stefan Berger [this message]
2022-03-02 13:46 ` [PATCH v11 06/27] ima: Move ima_htable into ima_namespace Stefan Berger
2022-03-02 13:46 ` [PATCH v11 07/27] ima: Move measurement list related variables " Stefan Berger
2022-03-02 13:46 ` [PATCH v11 08/27] ima: Move some IMA policy and filesystem " Stefan Berger
2022-03-02 13:46 ` [PATCH v11 09/27] ima: Move IMA securityfs files into ima_namespace or onto stack Stefan Berger
2022-03-02 13:46 ` [PATCH v11 10/27] ima: Move ima_lsm_policy_notifier into ima_namespace Stefan Berger
2022-03-02 13:46 ` [PATCH v11 11/27] ima: Switch to lazy lsm policy updates for better performance Stefan Berger
2022-03-02 13:46 ` [PATCH v11 12/27] ima: Define mac_admin_ns_capable() as a wrapper for ns_capable() Stefan Berger
2022-03-02 13:46 ` [PATCH v11 13/27] ima: Only accept AUDIT rules for non-init_ima_ns namespaces for now Stefan Berger
2022-03-02 13:46 ` [PATCH v11 14/27] userns: Add pointer to ima_namespace to user_namespace Stefan Berger
2022-03-02 13:46 ` [PATCH v11 15/27] ima: Implement hierarchical processing of file accesses Stefan Berger
2022-03-02 13:46 ` [PATCH v11 16/27] ima: Implement ima_free_policy_rules() for freeing of an ima_namespace Stefan Berger
2022-03-02 13:46 ` [PATCH v11 17/27] ima: Add functions for creating and " Stefan Berger
2022-03-02 13:46 ` [PATCH v11 18/27] integrity/ima: Define ns_status for storing namespaced iint data Stefan Berger
2022-03-02 13:46 ` [PATCH v11 19/27] integrity: Add optional callback function to integrity_inode_free() Stefan Berger
2022-03-02 13:46 ` [PATCH v11 20/27] ima: Namespace audit status flags Stefan Berger
2022-03-02 13:46 ` [PATCH v11 21/27] ima: Remove unused iints from the integrity_iint_cache Stefan Berger
2022-03-02 13:46 ` [PATCH v11 22/27] ima: Setup securityfs for IMA namespace Stefan Berger
2022-03-02 13:46 ` [PATCH v11 23/27] ima: Introduce securityfs file to activate an " Stefan Berger
2022-03-02 19:16 ` kernel test robot
2022-03-02 13:46 ` [PATCH v11 24/27] ima: Show owning user namespace's uid and gid when displaying policy Stefan Berger
2022-03-02 13:47 ` [PATCH v11 25/27] ima: Limit number of policy rules in non-init_ima_ns Stefan Berger
2022-03-02 13:47 ` [PATCH v11 26/27] ima: Restrict informational audit messages to init_ima_ns Stefan Berger
2022-03-02 23:11 ` kernel test robot
2022-03-02 13:47 ` [PATCH v11 27/27] ima: Enable IMA namespaces Stefan Berger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220302134703.1273041-6-stefanb@linux.ibm.com \
--to=stefanb@linux.ibm.com \
--cc=brauner@kernel.org \
--cc=christian.brauner@ubuntu.com \
--cc=containers@lists.linux.dev \
--cc=dmitry.kasatkin@gmail.com \
--cc=ebiederm@xmission.com \
--cc=jamjoom@us.ibm.com \
--cc=jejb@linux.ibm.com \
--cc=jmorris@namei.org \
--cc=krzysztof.struczynski@huawei.com \
--cc=lhinds@redhat.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lsturman@redhat.com \
--cc=mpeters@redhat.com \
--cc=paul@paul-moore.com \
--cc=puiterwi@redhat.com \
--cc=rgb@redhat.com \
--cc=roberto.sassu@huawei.com \
--cc=serge@hallyn.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.