From: Kees Cook <keescook@chromium.org>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: "Kees Cook" <keescook@chromium.org>,
	"Dmitry Kasatkin" <dmitry.kasatkin@gmail.com>,
	"Paul Moore" <paul@paul-moore.com>,
	"James Morris" <jmorris@namei.org>,
	"Serge E. Hallyn" <serge@hallyn.com>,
	"Takashi Iwai" <tiwai@suse.de>,
	"Jonathan McDowell" <noodles@fb.com>,
	"Casey Schaufler" <casey@schaufler-ca.com>,
	linux-integrity@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	"Mickaël Salaün" <mic@digikod.net>,
	"KP Singh" <kpsingh@kernel.org>,
	"John Johansen" <john.johansen@canonical.com>,
	linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH 5/9] LSM: Introduce inode_post_setattr hook
Date: Thu, 13 Oct 2022 15:36:50 -0700	[thread overview]
Message-ID: <20221013223654.659758-5-keescook@chromium.org> (raw)
In-Reply-To: <20221013222702.never.990-kees@kernel.org>

IMA and EVM need to hook after setattr finishes. Introduce this hook and
move IMA and EVM's open-coded stacking to use it.

Cc: Mimi Zohar <zohar@linux.ibm.com>
Cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
Cc: Paul Moore <paul@paul-moore.com>
Cc: James Morris <jmorris@namei.org>
Cc: "Serge E. Hallyn" <serge@hallyn.com>
Cc: Takashi Iwai <tiwai@suse.de>
Cc: Jonathan McDowell <noodles@fb.com>
Cc: Casey Schaufler <casey@schaufler-ca.com>
Cc: linux-integrity@vger.kernel.org
Cc: linux-security-module@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
---
 fs/attr.c                             |  3 +--
 include/linux/evm.h                   |  6 ------
 include/linux/ima.h                   |  9 ---------
 include/linux/lsm_hook_defs.h         |  3 +++
 security/integrity/evm/evm_main.c     | 10 +++++++++-
 security/integrity/ima/ima.h          |  2 ++
 security/integrity/ima/ima_appraise.c |  2 +-
 security/integrity/ima/ima_main.c     |  1 +
 security/security.c                   |  8 ++++++++
 9 files changed, 25 insertions(+), 19 deletions(-)

diff --git a/fs/attr.c b/fs/attr.c
index 1552a5f23d6b..e5731057426b 100644
--- a/fs/attr.c
+++ b/fs/attr.c
@@ -423,8 +423,7 @@ int notify_change(struct user_namespace *mnt_userns, struct dentry *dentry,
 
 	if (!error) {
 		fsnotify_change(dentry, ia_valid);
-		ima_inode_post_setattr(mnt_userns, dentry);
-		evm_inode_post_setattr(dentry, ia_valid);
+		security_inode_post_setattr(mnt_userns, dentry, ia_valid);
 	}
 
 	return error;
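Review bot: The new call to `security_inode_post_setattr()` on the added line has no declaration anywhere in this series: the diffstat touches security/security.c but not include/linux/security.h, so fs/attr.c sees no prototype and a CONFIG_SECURITY=n build has no stub to resolve the call against. The security.c hunk supplies the definition, so the fix is a declaration in include/linux/security.h under CONFIG_SECURITY plus an empty fallback in its `#else` branch, e.g. `static inline void security_inode_post_setattr(struct user_namespace *mnt_userns, struct dentry *dentry, unsigned int ia_valid) { }`. Separately, the two removed lines fixed the order IMA-then-EVM explicitly, whereas the single hook call leaves that order to how the ima_hooks and evm_hooks lists are registered; a sentence in the commit message confirming that the order is preserved, or does not matter, would help. The enclosing notify_change() starts outside the hunk.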
diff --git a/include/linux/evm.h b/include/linux/evm.h
index aa63e0b3c0a2..53f402bfb9f1 100644
--- a/include/linux/evm.h
+++ b/include/linux/evm.h
@@ -23,7 +23,6 @@ extern enum integrity_status evm_verifyxattr(struct dentry *dentry,
 					     struct integrity_iint_cache *iint);
 extern int evm_inode_setattr(struct user_namespace *mnt_userns,
 			     struct dentry *dentry, struct iattr *attr);
-extern void evm_inode_post_setattr(struct dentry *dentry, int ia_valid);
 extern int evm_inode_setxattr(struct user_namespace *mnt_userns,
 			      struct dentry *dentry, const char *name,
 			      const void *value, size_t size);
@@ -75,11 +74,6 @@ static inline int evm_inode_setattr(struct user_namespace *mnt_userns,
 	return 0;
 }
 
-static inline void evm_inode_post_setattr(struct dentry *dentry, int ia_valid)
-{
-	return;
-}
-
 static inline int evm_inode_setxattr(struct user_namespace *mnt_userns,
 				     struct dentry *dentry, const char *name,
 				     const void *value, size_t size)
diff --git a/include/linux/ima.h b/include/linux/ima.h
index 9f18df366064..70180b9bd974 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -127,20 +127,11 @@ static inline void ima_post_key_create_or_update(struct key *keyring,
 
 #ifdef CONFIG_IMA_APPRAISE
 extern bool is_ima_appraise_enabled(void);
-extern void ima_inode_post_setattr(struct user_namespace *mnt_userns,
-				   struct dentry *dentry);
 #else
 static inline bool is_ima_appraise_enabled(void)
 {
 	return 0;
 }
-
-static inline void ima_inode_post_setattr(struct user_namespace *mnt_userns,
-					  struct dentry *dentry)
-{
-	return;
-}
-
 #endif /* CONFIG_IMA_APPRAISE */
 
 #if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING)
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index 806448173033..0b01473eee8a 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -135,6 +135,9 @@ LSM_HOOK(int, 0, inode_follow_link, struct dentry *dentry, struct inode *inode,
 	 bool rcu)
 LSM_HOOK(int, 0, inode_permission, struct inode *inode, int mask)
 LSM_HOOK(int, 0, inode_setattr, struct dentry *dentry, struct iattr *attr)
+LSM_HOOK(void, LSM_RET_VOID, inode_post_setattr,
+	 struct user_namespace *mnt_userns, struct dentry *dentry,
+	 unsigned int ia_valid)
 LSM_HOOK(int, 0, inode_getattr, const struct path *path)
 LSM_HOOK(int, 0, inode_setxattr, struct user_namespace *mnt_userns,
 	 struct dentry *dentry, const char *name, const void *value,
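Review bot: The new `inode_post_setattr` entry has no documentation: every hook in this table is described in the comment block in include/linux/lsm_hooks.h, and that file is not in the diffstat. Add an `@inode_post_setattr:` paragraph next to `@inode_setattr:` stating that it is called after notify_change() has changed the inode attributes, that @ia_valid is the ATTR_* mask of what changed, that the caller holds the inode lock (as the EVM and IMA implementations' comments already say), and that it returns void so no module can veto at this point. Note also that @ia_valid is `unsigned int` here while the old evm_inode_post_setattr() took `int`; the hook's type is now the one every implementation must use, which the evm_main.c and ima_appraise.c hunks do follow.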
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 1ef965089417..aca689dc0576 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -817,7 +817,9 @@ int evm_inode_setattr(struct user_namespace *mnt_userns, struct dentry *dentry,
  * This function is called from notify_change(), which expects the caller
  * to lock the inode's i_mutex.
  */
-void evm_inode_post_setattr(struct dentry *dentry, int ia_valid)
+static void evm_inode_post_setattr(struct user_namespace *mnt_userns,
+				   struct dentry *dentry,
+				   unsigned int ia_valid)
 {
 	if (!evm_revalidate_status(NULL))
 		return;
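Review bot: The function comment just above the new static signature still describes evm_inode_post_setattr() as called from notify_change(); it is now reached through the inode_post_setattr LSM hook, so the comment should say so, e.g. `* Implements the inode_post_setattr LSM hook; reached from notify_change() via security_inode_post_setattr(), which expects the caller to hold the inode lock.` The new mnt_userns parameter is not used in the lines visible here; if the rest of the body does not use it either, a short note that it exists only to match the hook signature would save the next reader a search. The function body continues past the hunk.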
@@ -905,6 +907,12 @@ static int __init init_evm(void)
 
 late_initcall(init_evm);
 
+static struct security_hook_list evm_hooks[] __lsm_ro_after_init = {
+	LSM_HOOK_INIT(inode_post_setattr, evm_inode_post_setattr),
+};
+
 void __init integrity_lsm_evm_init(void)
 {
+	pr_info("Integrity LSM enabling EVM\n");
+	integrity_add_lsm_hooks(evm_hooks, ARRAY_SIZE(evm_hooks));
 }
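Review bot: The new `pr_info("Integrity LSM enabling EVM\n")` overstates what integrity_lsm_evm_init() does: the visible body only registers evm_hooks, while EVM's own setup still happens in init_evm() through the late_initcall shown above, so the message fires well before EVM is actually active. Either drop the line or word it as what it is, e.g. `pr_info("Integrity LSM registering EVM hooks\n");`. I cannot see from this hunk whether `__lsm_ro_after_init` and integrity_add_lsm_hooks() are introduced by an earlier patch in the series; if they are, a pointer to that patch in the commit message would help bisection.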
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 15a369df4c00..5c95ea6e6c94 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -176,6 +176,8 @@ int ima_inode_setxattr(struct user_namespace *mnt_userns,
 		       int flags);
 int ima_inode_removexattr(struct user_namespace *mnt_userns,
 			  struct dentry *dentry, const char *xattr_name);
+void ima_inode_post_setattr(struct user_namespace *mnt_userns,
+			    struct dentry *dentry, unsigned int ia_valid);
 #endif
 
 /*
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index ddd9df6b7dac..ccd54b50fe48 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -631,7 +631,7 @@ void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file)
  * to lock the inode's i_mutex.
  */
 void ima_inode_post_setattr(struct user_namespace *mnt_userns,
-			    struct dentry *dentry)
+			    struct dentry *dentry, unsigned int ia_valid)
 {
 	struct inode *inode = d_backing_inode(dentry);
 	struct integrity_iint_cache *iint;
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 94379ba40b58..ffebd3236f24 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -1093,6 +1093,7 @@ static struct security_hook_list ima_hooks[] __lsm_ro_after_init = {
 #ifdef CONFIG_IMA_APPRAISE
 	LSM_HOOK_INIT(inode_setxattr, ima_inode_setxattr),
 	LSM_HOOK_INIT(inode_removexattr, ima_inode_removexattr),
+	LSM_HOOK_INIT(inode_post_setattr, ima_inode_post_setattr),
 #endif
 };
 
diff --git a/security/security.c b/security/security.c
index ca731132a0e9..af42264ad3e2 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1333,6 +1333,14 @@ int security_inode_setattr(struct user_namespace *mnt_userns,
 }
 EXPORT_SYMBOL_GPL(security_inode_setattr);
 
+void security_inode_post_setattr(struct user_namespace *mnt_userns,
+			   struct dentry *dentry, unsigned int ia_valid)
+{
+	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
+		return;
+	call_void_hook(inode_post_setattr, mnt_userns, dentry, ia_valid);
+}
+
 int security_inode_getattr(const struct path *path)
 {
 	if (unlikely(IS_PRIVATE(d_backing_inode(path->dentry))))
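Review bot: The `IS_PRIVATE` early return in the new security_inode_post_setattr() is a behaviour change the commit message does not mention: the removed direct calls in fs/attr.c ran the IMA and EVM post-setattr handling for every inode, whereas the wrapper now skips private inodes, matching the other security_inode_* wrappers such as security_inode_getattr() below. That is most likely the intended consistency, but it should be stated in the commit message, and a one-line comment on the check would help the next reader, e.g. `/* Private inodes are never subject to LSM inode hooks. */`. Also, security_inode_setattr() just above carries EXPORT_SYMBOL_GPL while the new function does not; notify_change() is built in so nothing visible here needs the export, but the asymmetry should be a deliberate choice rather than an omission.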
-- 
2.34.1


