2020-04-29 13:41:34

by Mimi Zohar

Subject: [PATCH 2/2] ima: add policy support for the new file open MAY_OPENEXEC flag

The kernel has no way of differentiating between a file containing data
or code being opened by an interpreter. The proposed RESOLVE_MAYEXEC
openat2(2) flag bridges this gap by defining and enabling the MAY_OPENEXEC
flag.

This patch adds IMA policy support for the new MAY_OPENEXEC flag.

Example:
measure func=FILE_CHECK mask=^MAY_OPENEXEC
appraise func=FILE_CHECK appraise_type=imasig mask=^MAY_OPENEXEC

Signed-off-by: Mimi Zohar <[email protected]>
---
Documentation/ABI/testing/ima_policy | 2 +-
security/integrity/ima/ima_main.c | 3 ++-
security/integrity/ima/ima_policy.c | 15 +++++++++++----
3 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
index a12e784cee31..aa8e4b6181e0 100644
--- a/Documentation/ABI/testing/ima_policy
+++ b/Documentation/ABI/testing/ima_policy
@@ -31,7 +31,7 @@ Description:
[KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
[KEXEC_CMDLINE] [KEY_CHECK]
mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
- [[^]MAY_EXEC]
+ [[^]MAY_EXEC] [[^]MAY_OPENEXEC]
mode:= [IXUGO]
fsmagic:= hex value
fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6)
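Review bot: the mask:= production now lists MAY_OPENEXEC, but nothing in the Description text tells a policy author how it differs from MAY_EXEC; the distinction the commit message draws (a file opened as code by an interpreter via the openat2(2) RESOLVE_MAYEXEC flag, rather than executed by the kernel) belongs in this ABI file too, since it is what people writing rules such as "mask=^MAY_OPENEXEC" will read. A one-line addition next to the new token would do.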
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index f96f151294e6..b644eda68e9e 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -438,7 +438,8 @@ int ima_file_check(struct file *file, int mask)

security_task_getsecid(current, &secid);
return process_measurement(file, current_cred(), secid, NULL, 0,
- mask & (MAY_READ | MAY_WRITE | MAY_EXEC |
+ mask & (MAY_READ | MAY_WRITE |
+ MAY_EXEC | MAY_OPENEXEC |
MAY_APPEND), FILE_CHECK);
}
EXPORT_SYMBOL_GPL(ima_file_check);
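Review bot: nothing in this patch defines MAY_OPENEXEC, and the 0-day build report further down the thread shows the symbol undeclared at exactly this line (ima_main.c:442, "did you mean 'MAY_OPEN'?"), so the hunk only compiles on top of the RESOLVE_MAYEXEC series the commit message refers to. State that dependency explicitly in the commit message, or carry this patch inside that series, as the later replies agree to do; otherwise the integrity tree gets a build break on its own.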
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 28b68e076638..8c29d1b01964 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -407,7 +407,8 @@ static bool ima_match_keyring(struct ima_rule_entry *rule,
* @cred: a pointer to a credentials structure for user validation
* @secid: the secid of the task to be validated
* @func: LIM hook identifier
- * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
+ * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC |
+ * MAY_OPENEXEC)
* @keyring: keyring name to check in policy for KEY_CHECK func
*
* Returns true on rule match, false on failure.
@@ -531,7 +532,8 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func)
* being made
* @secid: LSM secid of the task to be validated
* @func: IMA hook identifier
- * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
+ * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC |
+ * MAY_OPENEXEC)
* @pcr: set the pcr to extend
* @template_desc: the template that should be used for this rule
* @keyring: the keyring name, if given, to be used to check in the policy.
@@ -1097,6 +1099,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
entry->mask = MAY_READ;
else if (strcmp(from, "MAY_APPEND") == 0)
entry->mask = MAY_APPEND;
+ else if (strcmp(from, "MAY_OPENEXEC") == 0)
+ entry->mask = MAY_OPENEXEC;
else
result = -EINVAL;
if (!result)
@@ -1434,14 +1438,15 @@ const char *const func_tokens[] = {

#ifdef CONFIG_IMA_READ_POLICY
enum {
- mask_exec = 0, mask_write, mask_read, mask_append
+ mask_exec = 0, mask_write, mask_read, mask_append, mask_openexec
};

static const char *const mask_tokens[] = {
"^MAY_EXEC",
"^MAY_WRITE",
"^MAY_READ",
- "^MAY_APPEND"
+ "^MAY_APPEND",
+ "^MAY_OPENEXEC"
};

void *ima_policy_start(struct seq_file *m, loff_t *pos)
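Review bot: the enum at the top of the hunk and the mask_tokens[] table are kept in step by position only (mask_openexec is appended last, "^MAY_OPENEXEC" is appended last), and ima_policy_show() indexes the table with the enum, so the next addition that updates only one of the two will silently print the wrong token. A BUILD_BUG_ON(ARRAY_SIZE(mask_tokens) != mask_openexec + 1) next to the table would catch that at compile time. The new string must keep its leading '^', as the others do, because the show path prints mt(x) + offset to skip that character for rules written without the prefix.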
@@ -1530,6 +1535,8 @@ int ima_policy_show(struct seq_file *m, void *v)
seq_printf(m, pt(Opt_mask), mt(mask_read) + offset);
if (entry->mask & MAY_APPEND)
seq_printf(m, pt(Opt_mask), mt(mask_append) + offset);
+ if (entry->mask & MAY_OPENEXEC)
+ seq_printf(m, pt(Opt_mask), mt(mask_openexec) + offset);
seq_puts(m, " ");
}

--
2.7.5
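As an added example, not part of the patch nor the kernel's own code: a small user-space model of how a single mask= token such as the commit message's ^MAY_OPENEXEC is parsed and then matched against the access mask of an open. The bit values, and the exact-match (no ^) versus contains-match (^) rule, are assumptions of the model, not taken from this page.

```c
/* Added example, not kernel code: a user-space model of how one IMA "mask="
 * token is parsed (cf. the ima_parse_rule hunk) and matched against an open. */
#include <stdio.h>
#include <string.h>

#define MAY_EXEC     0x01   /* bit values constructed for this model only */
#define MAY_WRITE    0x02
#define MAY_READ     0x04
#define MAY_APPEND   0x08
#define MAY_OPENEXEC 0x10   /* assumed value for the new flag from patch 1/2 */

struct rule { int mask; int exact; };  /* exact: token had no '^' prefix */
/* Parse "[^]MAY_xxx"; 0 on success, -1 (the kernel's -EINVAL) otherwise. */
static int parse_mask(const char *tok, struct rule *r)
{
    static const struct { const char *name; int bit; } tbl[] = {
        { "MAY_EXEC", MAY_EXEC }, { "MAY_WRITE", MAY_WRITE }, { "MAY_READ", MAY_READ },
        { "MAY_APPEND", MAY_APPEND }, { "MAY_OPENEXEC", MAY_OPENEXEC } };
    r->exact = (tok[0] != '^');
    if (!r->exact)
        tok++;                       /* '^' is stripped before the compare */
    for (size_t i = 0; i < sizeof tbl / sizeof tbl[0]; i++)
        if (strcmp(tok, tbl[i].name) == 0) {
            r->mask = tbl[i].bit;
            return 0;
        }
    return -1;
}

/* Assumed semantics: without '^' the requested mask must equal the rule's
 * bit exactly; with '^' it suffices that the bit is among those requested. */
static int rule_matches(const struct rule *r, int open_mask)
{
    return r->exact ? open_mask == r->mask : (open_mask & r->mask) != 0;
}

/* Parse tok and match against open_mask in one step; -1 if tok is invalid. */
static int rule_check(const char *tok, int open_mask)
{
    struct rule r;
    return parse_mask(tok, &r) < 0 ? -1 : rule_matches(&r, open_mask);
}

/* Interpreter-opened script (MAY_READ | MAY_OPENEXEC) vs plain data read (MAY_READ). */
int main(void)
{
    printf("script: %d  data: %d\n", rule_check("^MAY_OPENEXEC", MAY_READ | MAY_OPENEXEC),
           rule_check("^MAY_OPENEXEC", MAY_READ));
    return 0;
}
```

The two results show why the page's rules use the ^ form: an interpreter's open carries MAY_READ alongside MAY_OPENEXEC, so an exact-match rule would never fire.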


2020-04-29 17:28:17

by Lakshmi Ramasubramanian

Subject: Re: [PATCH 2/2] ima: add policy support for the new file open MAY_OPENEXEC flag

On 4/29/20 6:38 AM, Mimi Zohar wrote:
> The kernel has no way of differentiating between a file containing data
> or code being opened by an interpreter. The proposed RESOLVE_MAYEXEC
> openat2(2) flag bridges this gap by defining and enabling the MAY_OPENEXEC
> flag.
>
> This patch adds IMA policy support for the new MAY_OPENEXEC flag.
>
> Example:
> measure func=FILE_CHECK mask=^MAY_OPENEXEC
> appraise func=FILE_CHECK appraise_type=imasig mask=^MAY_OPENEXEC
>
> Signed-off-by: Mimi Zohar <[email protected]>

Reviewed.

2020-04-29 21:40:07

by kernel test robot

Subject: Re: [PATCH 2/2] ima: add policy support for the new file open MAY_OPENEXEC flag

Hi Mimi,

I love your patch! Yet something to improve:

[auto build test ERROR on integrity/next-integrity]
[also build test ERROR on linus/master v5.7-rc3 next-20200429]
[cannot apply to security/next-testing]
[if your patch is applied to the wrong git tree, please drop us a note to help
improve the system. BTW, we also suggest using the '--base' option to specify the
base tree in git format-patch, please see https://stackoverflow.com/a/37406982]

url: https://github.com/0day-ci/linux/commits/Mimi-Zohar/ima-extending-IMA-policy-to-support-interpreters/20200430-030608
base: https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git next-integrity
config: arc-allyesconfig (attached as .config)
compiler: arc-elf-gcc (GCC) 9.3.0
reproduce:
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# save the attached .config to linux build tree
COMPILER_INSTALL_PATH=$HOME/0day GCC_VERSION=9.3.0 make.cross ARCH=arc

If you fix the issue, kindly add the following tag as appropriate
Reported-by: kbuild test robot <[email protected]>

All error/warnings (new ones prefixed by >>):

security/integrity/ima/ima_main.c: In function 'ima_file_check':
>> security/integrity/ima/ima_main.c:442:20: error: 'MAY_OPENEXEC' undeclared (first use in this function); did you mean 'MAY_OPEN'?
442 | MAY_EXEC | MAY_OPENEXEC |
| ^~~~~~~~~~~~
| MAY_OPEN
security/integrity/ima/ima_main.c:442:20: note: each undeclared identifier is reported only once for each function it appears in
>> security/integrity/ima/ima_main.c:444:1: warning: control reaches end of non-void function [-Wreturn-type]
444 | }
| ^
--
security/integrity/ima/ima_policy.c: In function 'ima_parse_rule':
>> security/integrity/ima/ima_policy.c:1100:19: error: 'MAY_OPENEXEC' undeclared (first use in this function); did you mean 'MAY_OPEN'?
1100 | entry->mask = MAY_OPENEXEC;
| ^~~~~~~~~~~~
| MAY_OPEN
security/integrity/ima/ima_policy.c:1100:19: note: each undeclared identifier is reported only once for each function it appears in
security/integrity/ima/ima_policy.c: In function 'ima_policy_show':
security/integrity/ima/ima_policy.c:1535:21: error: 'MAY_OPENEXEC' undeclared (first use in this function); did you mean 'MAY_OPEN'?
1535 | if (entry->mask & MAY_OPENEXEC)
| ^~~~~~~~~~~~
| MAY_OPEN

vim +442 security/integrity/ima/ima_main.c

424
425 /**
426 * ima_path_check - based on policy, collect/store measurement.
427 * @file: pointer to the file to be measured
428 * @mask: contains MAY_READ, MAY_WRITE, MAY_EXEC or MAY_APPEND
429 *
430 * Measure files based on the ima_must_measure() policy decision.
431 *
432 * On success return 0. On integrity appraisal error, assuming the file
433 * is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
434 */
435 int ima_file_check(struct file *file, int mask)
436 {
437 u32 secid;
438
439 security_task_getsecid(current, &secid);
440 return process_measurement(file, current_cred(), secid, NULL, 0,
441 mask & (MAY_READ | MAY_WRITE |
> 442 MAY_EXEC | MAY_OPENEXEC |
443 MAY_APPEND), FILE_CHECK);
> 444 }
445 EXPORT_SYMBOL_GPL(ima_file_check);
446

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/[email protected]



2020-04-30 13:46:43

by Mimi Zohar

Subject: Re: [PATCH 2/2] ima: add policy support for the new file open MAY_OPENEXEC flag

Hi Mickaël,

On Thu, 2020-04-30 at 05:24 +0800, kbuild test robot wrote:
> Hi Mimi,
>
> I love your patch! Yet something to improve:
>
> [auto build test ERROR on integrity/next-integrity]
> [also build test ERROR on linus/master v5.7-rc3 next-20200429]
> [cannot apply to security/next-testing]
> [if your patch is applied to the wrong git tree, please drop us a note to help
> improve the system. BTW, we also suggest using the '--base' option to specify the
> base tree in git format-patch, please see https://stackoverflow.com/a/37406982]

To prevent this sort of message, in the future could you include this
patch (2/2) with your patch set?  Please include the "Reviewed-by:
Lakshmi Ramasubramanian <[email protected]>" tag.

thanks,

Mimi

>
> url: https://github.com/0day-ci/linux/commits/Mimi-Zohar/ima-extending-IMA-policy-to-support-interpreters/20200430-030608
> base: https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git next-integrity
> config: arc-allyesconfig (attached as .config)
> compiler: arc-elf-gcc (GCC) 9.3.0
> reproduce:
> wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
> chmod +x ~/bin/make.cross
> # save the attached .config to linux build tree
> COMPILER_INSTALL_PATH=$HOME/0day GCC_VERSION=9.3.0 make.cross ARCH=arc
>
> If you fix the issue, kindly add the following tag as appropriate
> Reported-by: kbuild test robot <[email protected]>
>
> All error/warnings (new ones prefixed by >>):
>
> security/integrity/ima/ima_main.c: In function 'ima_file_check':
> >> security/integrity/ima/ima_main.c:442:20: error: 'MAY_OPENEXEC' undeclared (first use in this function); did you mean 'MAY_OPEN'?
> 442 | MAY_EXEC | MAY_OPENEXEC |
> | ^~~~~~~~~~~~
> | MAY_OPEN

2020-04-30 14:29:04

by Mickaël Salaün

Subject: Re: [PATCH 2/2] ima: add policy support for the new file open MAY_OPENEXEC flag

OK, I'll add it to the next series.

On 30/04/2020 15:42, Mimi Zohar wrote:
> Hi Mickaël,
>
> On Thu, 2020-04-30 at 05:24 +0800, kbuild test robot wrote:
>> Hi Mimi,
>>
>> I love your patch! Yet something to improve:
>>
>> [auto build test ERROR on integrity/next-integrity]
>> [also build test ERROR on linus/master v5.7-rc3 next-20200429]
>> [cannot apply to security/next-testing]
>> [if your patch is applied to the wrong git tree, please drop us a note to help
>> improve the system. BTW, we also suggest using the '--base' option to specify the
>> base tree in git format-patch, please see https://stackoverflow.com/a/37406982]
>
> To prevent this sort of message, in the future could you include this
> patch (2/2) with your patch set?  Please include the "Reviewed-by:
> Lakshmi Ramasubramanian <[email protected]>" tag.
>
> thanks,
>
> Mimi
>
>>
>> url: https://github.com/0day-ci/linux/commits/Mimi-Zohar/ima-extending-IMA-policy-to-support-interpreters/20200430-030608
>> base: https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git next-integrity
>> config: arc-allyesconfig (attached as .config)
>> compiler: arc-elf-gcc (GCC) 9.3.0
>> reproduce:
>> wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
>> chmod +x ~/bin/make.cross
>> # save the attached .config to linux build tree
>> COMPILER_INSTALL_PATH=$HOME/0day GCC_VERSION=9.3.0 make.cross ARCH=arc
>>
>> If you fix the issue, kindly add the following tag as appropriate
>> Reported-by: kbuild test robot <[email protected]>
>>
>> All error/warnings (new ones prefixed by >>):
>>
>> security/integrity/ima/ima_main.c: In function 'ima_file_check':
>>>> security/integrity/ima/ima_main.c:442:20: error: 'MAY_OPENEXEC' undeclared (first use in this function); did you mean 'MAY_OPEN'?
>> 442 | MAY_EXEC | MAY_OPENEXEC |
>> | ^~~~~~~~~~~~
>> | MAY_OPEN
>