Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp2949506imm; Thu, 24 May 2018 19:43:02 -0700 (PDT) X-Google-Smtp-Source: AB8JxZppN9ZkEqMpaUOAhE8PmKLXd1f0G9Ojx/VPB7Oh7HohgY5r/Z743H/0Hl7xK15La2m+nqYz X-Received: by 2002:aa7:8305:: with SMTP id t5-v6mr601421pfm.198.1527216182703; Thu, 24 May 2018 19:43:02 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1527216182; cv=none; d=google.com; s=arc-20160816; b=BCOT8PLsPI594hvy8zncu00qsQ5TXuF5vNEvuTvzBjTngNwePBgjHz+YDHOPTm6hVG TqZkgZ8vwH2r+xHk1LMF0c8J/LPuG04G682X9eM6H8n5aD+/frfpaSBdhliMmkhqyJsV 7xX0fR1OHJJk4RVCiiPo776X9sS8dU/6IPfFWWOcFGgOSTmyvA7FJE9MCAqbxlGPGme9 ogNp83B3bVGMcPdlx5ZPe4a9liF9/u/NkVLMtkZ7w2cXBCFAKAAZIkNvEPtrnOY97uvS vsu8vwKTZPGxUjoWcym/c++VOGZPyICmzltiaeU3DykVcVG1ljDuodUWeFFrRWhjsZj+ 7pbQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:subject:mime-version:user-agent :message-id:in-reply-to:date:references:cc:to:from :arc-authentication-results; bh=JpqwD1iGhB1j8HzCYM8+j0C6vIYp8W/Up9CJe69f02s=; b=LB9O9fD38xsc0890AQnyHSvbdYIB/p4wHUa401VDJWkRV+dyde2o35kn0CIgOLmNKT 95iVJniZwgiRlhavSbayQzlbHLNk4tg8fxMFYjFyNaDGwQrXMXcE1mlyfR2IKaf9biu4 d6tuTHBvqvSmR3kOQom5ssrmLXJChCvuf2wnUQBrikyOBgtZY6B7NnJZYYMsJD6ygAw3 NuMHUFTWzoDRNg+Alq0krtadYf+g7C5PV46xW19G6dV0qWrieN1oGA97fJNmEesb06I5 4xSyCsHsoaOcK2kAA+HNzs8ANSW1cUSvIUCUbB/gRRHo3Oze8JewLDY8FQfB4+e3OKME hhPw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k18-v6si22566980pfe.13.2018.05.24.19.42.48; Thu, 24 May 2018 19:43:02 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S969399AbeEXUte (ORCPT + 99 others); Thu, 24 May 2018 16:49:34 -0400 Received: from out02.mta.xmission.com ([166.70.13.232]:51139 "EHLO out02.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S966945AbeEXUtb (ORCPT ); Thu, 24 May 2018 16:49:31 -0400 Received: from in01.mta.xmission.com ([166.70.13.51]) by out02.mta.xmission.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.87) (envelope-from ) id 1fLxAw-0003gC-4i; Thu, 24 May 2018 14:49:30 -0600 Received: from [97.119.174.25] (helo=x220.xmission.com) by in01.mta.xmission.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.87) (envelope-from ) id 1fLxAu-0004wu-Rn; Thu, 24 May 2018 14:49:29 -0600 From: ebiederm@xmission.com (Eric W. Biederman) To: Mimi Zohar Cc: linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, David Howells , "Luis R . Rodriguez" , kexec@lists.infradead.org, Andres Rodriguez , Greg Kroah-Hartman , Ard Biesheuvel , Kees Cook , Casey Schaufler References: <1527160176-29269-1-git-send-email-zohar@linux.vnet.ibm.com> <1527160176-29269-2-git-send-email-zohar@linux.vnet.ibm.com> Date: Thu, 24 May 2018 15:49:15 -0500 In-Reply-To: <1527160176-29269-2-git-send-email-zohar@linux.vnet.ibm.com> (Mimi Zohar's message of "Thu, 24 May 2018 07:09:30 -0400") Message-ID: <87po1k2304.fsf@xmission.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-SPF: eid=1fLxAu-0004wu-Rn;;;mid=<87po1k2304.fsf@xmission.com>;;;hst=in01.mta.xmission.com;;;ip=97.119.174.25;;;frm=ebiederm@xmission.com;;;spf=neutral X-XM-AID: U2FsdGVkX1+L8W1WAKAHd5isPyRnG5M11o/40QIvxtk= X-SA-Exim-Connect-IP: 97.119.174.25 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on sa04.xmission.com X-Spam-Level: * X-Spam-Status: No, score=1.0 required=8.0 tests=ALL_TRUSTED,BAYES_50, DCC_CHECK_NEGATIVE,T_TM2_M_HEADER_IN_MSG,T_TooManySym_01,T_TooManySym_02, T_TooManySym_03,XMGappySubj_01,XMSubLong autolearn=disabled version=3.4.1 X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * 0.7 XMSubLong Long Subject * 0.5 XMGappySubj_01 Very gappy subject * 0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available. * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.5000] * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa04 1397; Body=1 Fuz1=1 Fuz2=1] * 0.0 T_TooManySym_02 5+ unique symbols in subject * 0.0 T_TooManySym_01 4+ unique symbols in subject * 0.0 T_TooManySym_03 6+ unique symbols in subject X-Spam-DCC: XMission; sa04 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: *;Mimi Zohar X-Spam-Relay-Country: X-Spam-Timing: total 754 ms - load_scoreonly_sql: 0.06 (0.0%), signal_user_changed: 3.1 (0.4%), b_tie_ro: 2.2 (0.3%), parse: 2.2 (0.3%), extract_message_metadata: 13 (1.8%), get_uri_detail_list: 10 (1.4%), tests_pri_-1000: 6 (0.7%), tests_pri_-950: 1.72 (0.2%), tests_pri_-900: 1.37 (0.2%), tests_pri_-400: 59 (7.8%), check_bayes: 58 (7.6%), b_tokenize: 31 (4.1%), b_tok_get_all: 14 (1.9%), b_comp_prob: 4.6 (0.6%), b_tok_touch_all: 6 (0.7%), b_finish: 0.70 (0.1%), tests_pri_0: 647 (85.7%), check_dkim_signature: 0.86 (0.1%), check_dkim_adsp: 2.9 (0.4%), tests_pri_500: 8 (1.1%), rewrite_mail: 0.00 (0.0%) Subject: Re: [PATCH v3 1/7] security: rename security_kernel_read_file() hook X-Spam-Flag: No X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600) X-SA-Exim-Scanned: Yes (on in01.mta.xmission.com) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org I already nacked this approach because the two cases don't share a bit of code. When I looked closer it was even crazier. The way ima uses this hook and the post_load hook today is a travesty. The way the security_kernel_file_read and security_kernel_file_post_read are called today and are used by ima don't make the least little bit of sense. Abusing security_kernel_file_read in the module loader and then abusing security_kernel_file_post_read in the firmware loader is insane. The loadpin lsm could not even figure this out and so it failed to work because of these shenanighans. Only implementing kernel_file_read to handle the !file case is pretty much insane. There is no way this should be expanded to cover kexec until the code actually makes sense. We need a maintainable kernel. Below is where I suggest you start on sorting out these security hooks. - Adding a security_kernel_arg to catch when you want to allow/deny the use of an argument to a syscall. What security_kernel_file_read and security_kernel_file_post_read have been abused for. - Removing ima_file_read because it is completely subsumed by the new call. - Please note with adding this new hook there is no code shared between the cases, and the lsm code becomes simpler shorter when it can assume security_kernel_file_post_read always takes a struct file. (Even with the addition of a new security hook). Eric diff --git a/drivers/base/firmware_loader/fallback.c b/drivers/base/firmware_loader/fallback.c index 358354148dec..04536ff81bd2 100644 --- a/drivers/base/firmware_loader/fallback.c +++ b/drivers/base/firmware_loader/fallback.c @@ -294,9 +294,7 @@ static ssize_t firmware_loading_store(struct device *dev, dev_err(dev, "%s: map pages failed\n", __func__); else - rc = security_kernel_post_read_file(NULL, - fw_priv->data, fw_priv->size, - READING_FIRMWARE); + rc = security_kernel_arg(KARG_FIRMWARE); /* * Same logic as fw_load_abort, only the DONE bit diff --git a/include/linux/ima.h b/include/linux/ima.h index 0e4647e0eb60..9fb42736ba29 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -11,6 +11,7 @@ #define _LINUX_IMA_H #include +#include #include struct linux_binprm; @@ -19,7 +20,7 @@ extern int ima_bprm_check(struct linux_binprm *bprm); extern int ima_file_check(struct file *file, int mask, int opened); extern void ima_file_free(struct file *file); extern int ima_file_mmap(struct file *file, unsigned long prot); -extern int ima_read_file(struct file *file, enum kernel_read_file_id id); +extern int ima_kernel_arg(enum kernel_arg_id id); extern int ima_post_read_file(struct file *file, void *buf, loff_t size, enum kernel_read_file_id id); extern void ima_post_path_mknod(struct dentry *dentry); @@ -49,7 +50,7 @@ static inline int ima_file_mmap(struct file *file, unsigned long prot) return 0; } -static inline int ima_read_file(struct file *file, enum kernel_read_file_id id) +static inline int ima_kernel_arg(enum kernel_arg_id id) { return 0; } diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 9d0b286f3dba..7f8bc3030784 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -576,6 +576,10 @@ * userspace to load a kernel module with the given name. * @kmod_name name of the module requested by the kernel * Return 0 if successful. + * @kernel_arg: + * Use a syscall argument + * @id kernel argument identifier + * Return 0 if permission is granted. * @kernel_read_file: * Read a file specified by userspace. * @file contains the file structure pointing to the file being read @@ -1577,6 +1581,7 @@ union security_list_options { int (*kernel_act_as)(struct cred *new, u32 secid); int (*kernel_create_files_as)(struct cred *new, struct inode *inode); int (*kernel_module_request)(char *kmod_name); + int (*kernel_arg)(enum kernel_arg_id id); int (*kernel_read_file)(struct file *file, enum kernel_read_file_id id); int (*kernel_post_read_file)(struct file *file, char *buf, loff_t size, enum kernel_read_file_id id); @@ -1866,6 +1871,7 @@ struct security_hook_heads { struct hlist_head cred_getsecid; struct hlist_head kernel_act_as; struct hlist_head kernel_create_files_as; + struct hlist_head kernel_arg; struct hlist_head kernel_read_file; struct hlist_head kernel_post_read_file; struct hlist_head kernel_module_request; diff --git a/include/linux/security.h b/include/linux/security.h index 200920f521a1..6cf1bd87f041 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -159,6 +159,32 @@ extern int mmap_min_addr_handler(struct ctl_table *table, int write, typedef int (*initxattrs) (struct inode *inode, const struct xattr *xattr_array, void *fs_data); +#define __kernel_arg_id(id) \ + id(UNKNOWN, unknown) \ + id(FIRMWARE, firmware) \ + id(MODULE, kernel-module) \ + id(MAX_ID, ) + +#define __karg_enumify(ENUM, dummy) KARG_ ## ENUM, +#define __karg_stringify(dummy, str) #str, + +enum kernel_arg_id { + __kernel_arg_id(__karg_enumify) +}; + +static const char * const kernel_arg_str[] = { + __kernel_arg_id(__karg_stringify) +}; + +static inline const char *kernel_arg_id_str(enum kernel_arg_id id) +{ + if ((unsigned)id >= KARG_MAX_ID) + return kernel_arg_str[KARG_UNKNOWN]; + + return kernel_arg_str[id]; +} + + #ifdef CONFIG_SECURITY struct security_mnt_opts { @@ -326,6 +352,7 @@ void security_cred_getsecid(const struct cred *c, u32 *secid); int security_kernel_act_as(struct cred *new, u32 secid); int security_kernel_create_files_as(struct cred *new, struct inode *inode); int security_kernel_module_request(char *kmod_name); +int security_kernel_arg(enum kernel_arg_id id); int security_kernel_read_file(struct file *file, enum kernel_read_file_id id); int security_kernel_post_read_file(struct file *file, char *buf, loff_t size, enum kernel_read_file_id id); @@ -923,6 +950,11 @@ static inline int security_kernel_module_request(char *kmod_name) return 0; } +static inline int security_kernel_arg(enum kernel_arg_id id) +{ + return 0; +} + static inline int security_kernel_read_file(struct file *file, enum kernel_read_file_id id) { diff --git a/kernel/module.c b/kernel/module.c index ce8066b88178..03a1dd21ad4a 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -2879,7 +2879,7 @@ static int copy_module_from_user(const void __user *umod, unsigned long len, if (info->len < sizeof(*(info->hdr))) return -ENOEXEC; - err = security_kernel_read_file(NULL, READING_MODULE); + err = security_kernel_arg(KARG_MODULE); if (err) return err; diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 74d0bd7e76d7..d51a8ca97238 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -421,32 +421,6 @@ void ima_post_path_mknod(struct dentry *dentry) iint->flags |= IMA_NEW_FILE; } -/** - * ima_read_file - pre-measure/appraise hook decision based on policy - * @file: pointer to the file to be measured/appraised/audit - * @read_id: caller identifier - * - * Permit reading a file based on policy. The policy rules are written - * in terms of the policy identifier. Appraising the integrity of - * a file requires a file descriptor. - * - * For permission return 0, otherwise return -EACCES. - */ -int ima_read_file(struct file *file, enum kernel_read_file_id read_id) -{ - bool sig_enforce = is_module_sig_enforced(); - - if (!file && read_id == READING_MODULE) { - if (!sig_enforce && (ima_appraise & IMA_APPRAISE_MODULES) && - (ima_appraise & IMA_APPRAISE_ENFORCE)) { - pr_err("impossible to appraise a module without a file descriptor. sig_enforce kernel parameter might help\n"); - return -EACCES; /* INTEGRITY_UNKNOWN */ - } - return 0; /* We rely on module signature checking */ - } - return 0; -} - static int read_idmap[READING_MAX_ID] = { [READING_FIRMWARE] = FIRMWARE_CHECK, [READING_MODULE] = MODULE_CHECK, @@ -474,21 +448,7 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size, enum ima_hooks func; u32 secid; - if (!file && read_id == READING_FIRMWARE) { - if ((ima_appraise & IMA_APPRAISE_FIRMWARE) && - (ima_appraise & IMA_APPRAISE_ENFORCE)) - return -EACCES; /* INTEGRITY_UNKNOWN */ - return 0; - } - - if (!file && read_id == READING_MODULE) /* MODULE_SIG_FORCE enabled */ - return 0; - - /* permit signed certs */ - if (!file && read_id == READING_X509_CERTIFICATE) - return 0; - - if (!file || !buf || size == 0) { /* should never happen */ + if (!buf || size == 0) { /* should never happen */ if (ima_appraise & IMA_APPRAISE_ENFORCE) return -EACCES; return 0; @@ -500,6 +460,40 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size, MAY_READ, func, 0); } +/** + * ima_kernel_arg - pre-measure/appraise hook decision based on policy + * @id: caller identifier + * + * Permit using an argument to a syscall based on policy. The policy + * rules are written in terms of the policy identifier. + * + * For permission return 0, otherwise return -EACCES. + */ +int ima_kernel_arg(enum kernel_arg_id id) +{ + if (id == KARG_MODULE) { + bool sig_enforce = is_module_sig_enforced(); + if (!sig_enforce && (ima_appraise & IMA_APPRAISE_MODULES) && + (ima_appraise & IMA_APPRAISE_ENFORCE)) { + pr_err("impossible to appraise a module without a file descriptor. sig_enforce kernel parameter might help\n"); + return -EACCES; /* INTEGRITY_UNKNOWN */ + } + return 0; /* We rely on module signature checking */ + } + else if (id == KARG_FIRMWARE) { + if ((ima_appraise & IMA_APPRAISE_FIRMWARE) && + (ima_appraise & IMA_APPRAISE_ENFORCE)) + return -EACCES; /* INTEGRITY_UNKNOWN */ + return 0; + } + else { + if (ima_appraise & IMA_APPRAISE_ENFORCE) + return -EACCES; + return 0; + } + return 0; +} + static int __init init_ima(void) { int error; diff --git a/security/loadpin/loadpin.c b/security/loadpin/loadpin.c index 5fa191252c8f..f5333e5abac9 100644 --- a/security/loadpin/loadpin.c +++ b/security/loadpin/loadpin.c @@ -121,23 +121,24 @@ static void loadpin_sb_free_security(struct super_block *mnt_sb) } } -static int loadpin_read_file(struct file *file, enum kernel_read_file_id id) +static int loadpin_read_data(enum kernel_read_data_id id) { - struct super_block *load_root; - const char *origin = kernel_read_file_id_str(id); + const char *origin = kernel_arg_id_str(id); /* This handles the older init_module API that has a NULL file. */ - if (!file) { - if (!enabled) { - report_load(origin, NULL, "old-api-pinning-ignored"); - return 0; - } - - report_load(origin, NULL, "old-api-denied"); - return -EPERM; + if (!enabled) { + report_load(origin, NULL, "old-api-pinning-ignored"); + return 0; } - load_root = file->f_path.mnt->mnt_sb; + report_load(origin, NULL, "old-api-denied"); + return -EPERM; +} + +static int loadpin_read_file(struct file *file, enum kernel_read_file_id id) +{ + struct super_block *load_root; + const char *origin = kernel_read_file_id_str(id); /* First loaded module/firmware defines the root for all others. */ spin_lock(&pinned_root_spinlock); @@ -175,6 +176,7 @@ static int loadpin_read_file(struct file *file, enum kernel_read_file_id id) static struct security_hook_list loadpin_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(sb_free_security, loadpin_sb_free_security), + LSM_HOOK_INIT(kernel_read_data, loadpin_read_data), LSM_HOOK_INIT(kernel_read_file, loadpin_read_file), }; diff --git a/security/security.c b/security/security.c index 7bc2fde023a7..9b5f43c24ee2 100644 --- a/security/security.c +++ b/security/security.c @@ -1033,14 +1033,19 @@ int security_kernel_module_request(char *kmod_name) return call_int_hook(kernel_module_request, 0, kmod_name); } -int security_kernel_read_file(struct file *file, enum kernel_read_file_id id) +int security_kernel_arg(enum kernel_arg_id id) { int ret; - ret = call_int_hook(kernel_read_file, 0, file, id); - if (ret) - return ret; - return ima_read_file(file, id); + ret = call_int_hook(kernel_arg, 0, id); + if (!ret) + ret = ima_kernel_arg(id); + return ret; +} + +int security_kernel_read_file(struct file *file, enum kernel_read_file_id id) +{ + return call_int_hook(kernel_read_file, 0, file, id); } EXPORT_SYMBOL_GPL(security_kernel_read_file); diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 4cafe6a19167..76843099fed6 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -4010,6 +4010,15 @@ static int selinux_kernel_module_request(char *kmod_name) SYSTEM__MODULE_REQUEST, &ad); } +static int selinux_kernel_module_arg(void) +{ + /* init_module */ + u32 sid = current_sid(); + return avc_has_perm(&selinux_state, + sid, sid, SECCLASS_SYSTEM, + SYSTEM__MODULE_LOAD, NULL); +} + static int selinux_kernel_module_from_file(struct file *file) { struct common_audit_data ad; @@ -4018,12 +4027,6 @@ static int selinux_kernel_module_from_file(struct file *file) u32 sid = current_sid(); int rc; - /* init_module */ - if (file == NULL) - return avc_has_perm(&selinux_state, - sid, sid, SECCLASS_SYSTEM, - SYSTEM__MODULE_LOAD, NULL); - /* finit_module */ ad.type = LSM_AUDIT_DATA_FILE; @@ -4043,6 +4046,20 @@ static int selinux_kernel_module_from_file(struct file *file) SYSTEM__MODULE_LOAD, &ad); } +static int selinux_kernel_arg(enum kernel_arg_id id) +{ + int rc = 0; + + switch (id) { + case KARG_MODULE: + rc = selinux_kernel_module_arg(); + break; + default: + break; + } + return rc; +} + static int selinux_kernel_read_file(struct file *file, enum kernel_read_file_id id) { @@ -6938,6 +6955,7 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), + LSM_HOOK_INIT(kernel_arg, selinux_kernel_arg), LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file), LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid), LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid),