Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp2953399imm;
        Thu, 24 May 2018 19:48:06 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZpCTluSHfVVO0i2iKogpeHZ+EoaRSP60dh431e9GMI3dLQ54Cfd3elk144jqRL0L23RHFPw
X-Received: by 2002:a17:902:d882:: with SMTP id b2-v6mr623921plz.220.1527216486802;
        Thu, 24 May 2018 19:48:06 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1527216486; cv=none;
        d=google.com; s=arc-20160816;
        b=qPmwRrVhU8YMNVXhxo/0MmylEFz0cEn27zGTNOEy4dkSY+nNhdwGwgwAywHq+d2rso
         UdrQTqUhAjn1XNiuVkuhXW6NW53nFmAv0hWeoFVEyCRuk9ON7OwOkdUh+fQ3UfxyxedL
         arSN1h4fLX/QVpSWdKqzSuGQlYtNbm8RH/DEuwRybY4OKSN67+VfD0umB6CF3KsDmvll
         dDWlMlvAq08rlmJKj1/FyCGw1stSfxK0l8uIPph8n5QZUMpPOf1kNXND5lboIhNnYp45
         PuUjaeYbwCzBpeUmLyMo10DsCW2SxlVJy4JAkBJ2dxdywgO++5I1U0DI8wxEEBphTWDv
         2ieg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:message-id:content-transfer-encoding
         :mime-version:references:in-reply-to:date:cc:to:from:subject
         :arc-authentication-results;
        bh=G2TYr3evpYnvKJICzuqyw2akYMfZ1GSFklwNDGEwJp8=;
        b=IP/9Ipc3VJ5MxRI/Db6bmW5jU7+6m41qetvJzGzzmqiyDSkokJF082hGuPwCxCVJsh
         YqMElMazhdgIMKMe0jzOkQSSZl36OXVBnPgw57gipegqHE4cc/oWp94365BuGMTKfKN5
         bBM1Ogcz3VF9oL6k5U0jQpGvfShxyjpG80eLJbWkPCyXOeeSutwpzc+Wrtnqm4EdwBZc
         mAtg6e9bzvu2nuLxCMvHHHBxRLyHR4JHN9VCyyenTnXalgow3GmVWiRkVccdrBSJw9p2
         Z0KLMXBSDVc4TgiBJhkzReNKD3Dk0XY4KG8IIs4GhwItc4NaMs83cuaplGP+GQJm8DcR
         +S/A==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id a4-v6si22355984plp.219.2018.05.24.19.47.52;
        Thu, 24 May 2018 19:48:06 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S965827AbeEXXaE (ORCPT <rfc822;huangweiredhat@gmail.com>
        + 99 others); Thu, 24 May 2018 19:30:04 -0400
Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:39484 "EHLO
        mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL)
        by vger.kernel.org with ESMTP id S965649AbeEXXaC (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 24 May 2018 19:30:02 -0400
Received: from pps.filterd (m0098417.ppops.net [127.0.0.1])
        by mx0a-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w4ONOP4e089911
        for <linux-kernel@vger.kernel.org>; Thu, 24 May 2018 19:30:01 -0400
Received: from e06smtp10.uk.ibm.com (e06smtp10.uk.ibm.com [195.75.94.106])
        by mx0a-001b2d01.pphosted.com with ESMTP id 2j65fjk8t1-1
        (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT)
        for <linux-kernel@vger.kernel.org>; Thu, 24 May 2018 19:30:01 -0400
Received: from localhost
        by e06smtp10.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted
        for <linux-kernel@vger.kernel.org> from <zohar@linux.vnet.ibm.com>;
        Fri, 25 May 2018 00:29:59 +0100
Received: from b06cxnps3074.portsmouth.uk.ibm.com (9.149.109.194)
        by e06smtp10.uk.ibm.com (192.168.101.140) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted;
        Fri, 25 May 2018 00:29:55 +0100
Received: from d06av24.portsmouth.uk.ibm.com (mk.ibm.com [9.149.105.60])
        by b06cxnps3074.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id w4ONTsWN10486204;
        Thu, 24 May 2018 23:29:54 GMT
Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1])
        by IMSVA (Postfix) with ESMTP id 4459442045;
        Fri, 25 May 2018 00:20:34 +0100 (BST)
Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1])
        by IMSVA (Postfix) with ESMTP id 610AA42041;
        Fri, 25 May 2018 00:20:32 +0100 (BST)
Received: from dhcp-9-2-55-105.watson.ibm.com (unknown [9.2.55.105])
        by d06av24.portsmouth.uk.ibm.com (Postfix) with ESMTP;
        Fri, 25 May 2018 00:20:32 +0100 (BST)
Subject: Re: [PATCH v3 1/7] security: rename security_kernel_read_file() hook
From:   Mimi Zohar <zohar@linux.vnet.ibm.com>
To:     "Eric W. Biederman" <ebiederm@xmission.com>,
        James Morris <jmorris@namei.org>,
        Casey Schaufler <casey@schaufler-ca.com>
Cc:     linux-integrity@vger.kernel.org,
        linux-security-module@vger.kernel.org,
        linux-kernel@vger.kernel.org, David Howells <dhowells@redhat.com>,
        "Luis R . Rodriguez" <mcgrof@kernel.org>,
        kexec@lists.infradead.org, Andres Rodriguez <andresx7@gmail.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Ard Biesheuvel <ard.biesheuvel@linaro.org>,
        Kees Cook <keescook@chromium.org>,
        Casey Schaufler <casey@schaufler-ca.com>,
        Linus Torvalds <torvalds@linux-foundation.org>
Date:   Thu, 24 May 2018 19:29:52 -0400
In-Reply-To: <87po1k2304.fsf@xmission.com>
References: <1527160176-29269-1-git-send-email-zohar@linux.vnet.ibm.com>
         <1527160176-29269-2-git-send-email-zohar@linux.vnet.ibm.com>
         <87po1k2304.fsf@xmission.com>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.20.5 (3.20.5-1.fc24) 
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
X-TM-AS-GCONF: 00
x-cbid: 18052423-0040-0000-0000-0000043D95F2
X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused
x-cbparentid: 18052423-0041-0000-0000-00002642D581
Message-Id: <1527204592.3424.132.camel@linux.vnet.ibm.com>
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2018-05-24_08:,,
 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501
 malwarescore=0 suspectscore=3 phishscore=0 bulkscore=0 spamscore=0
 clxscore=1015 lowpriorityscore=0 impostorscore=0 adultscore=0
 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1709140000
 definitions=main-1805240264
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, 2018-05-24 at 15:49 -0500, Eric W. Biederman wrote:
> I already nacked this approach because the two cases don't
> share a bit of code.  When I looked closer it was even crazier.

It hasn't been clear what you meant by "the two cases don't share a
bit of code".  The first attempt called
security_kernel_read_file().  As per your comments, kexec_load doesn't
load a file.  Thinking it was a naming issue the second attempt
defined a wrapper named security_kernel_read_blob() for
security_kernel_read_file().  Still thinking it was a naming issue,
this attempt renamed the security_kernel_read_file() to
security_kernel_read_data().

> 
> The way ima uses this hook and the post_load hook today is a travesty.

Instead of having multiple functions, each a bit different, for
reading a file from the kernel, kernel_read_file() is a generic
implementation with both pre and post security calls.

 I think the pre and post security kernel_read_file() LSM hooks are
quite well thought out.  The security_kernel_read_file is called
before the kernel reads the file.  The security_kernel_post_read_file
is called after the kernel reads the file.

> The way the security_kernel_file_read and security_kernel_file_post_read
> are called today and are used by ima don't make the least little bit of
> sense.
> 
> Abusing security_kernel_file_read in the module loader and then abusing
> security_kernel_file_post_read in the firmware loader is insane.  The
> loadpin lsm could not even figure this out and so it failed to work
> because of these shenanighans.
> 
> Only implementing kernel_file_read to handle the !file case is pretty
> much insane.   There is no way this should be expanded to cover kexec
> until the code actually makes sense.  We need a maintainable kernel.

It wasn't implemented *only* for the IMA !file case, but as a generic
mechanism.  True, IMA is only using the security_kernel_read_file hook
for detecting !file, but the security_kernel_post_read_file hook is
used for verifying the file's integrity.

> Below is where I suggest you start on sorting out these security hooks.
> - Adding a security_kernel_arg to catch when you want to allow/deny the
>   use of an argument to a syscall.  What security_kernel_file_read and
>   security_kernel_file_post_read have been abused for.

Assuming we define a new LSM hook named "security_kernel_arg", would
we also define a new enumeration or could we still use the existing
kernel_read_file_id?

> 
> - Removing ima_file_read because it is completely subsumed by the new
>   call.

The existing IMA function wouldn't be removed, but renamed to whatever
the new LSM hook is named.

> 
> - Please note with adding this new hook there is no code shared between
>   the cases, and the lsm code becomes simpler shorter when it can assume
>   security_kernel_file_post_read always takes a struct file.  (Even with
>   the addition of a new security hook).

We would be defining a new LSM hook, not removing the existing
security_kernel_read_file hook, and only renaming the IMA usage of the
hook.

If defining a new LSM hook named security_kernel_arg makes you happy,
I don't have a problem with implementing it.

James, Casey, are you Ok with this?

Mimi