From: Paul Moore
Date: Fri, 1 Jun 2018 18:28:30 -0400
Subject: Re: [PATCH v4a 8/8] module: replace the existing LSM hook in init_module
To: Mimi Zohar
Cc: Kees Cook, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, David Howells, "Luis R . Rodriguez", Eric Biederman, kexec@lists.infradead.org, Andres Rodriguez, Greg Kroah-Hartman, Ard Biesheuvel, Jeff Vander Stoep, Casey Schaufler
In-Reply-To: <1527780226.3427.20.camel@linux.vnet.ibm.com>
References: <1527616920-5415-1-git-send-email-zohar@linux.vnet.ibm.com> <1527616920-5415-9-git-send-email-zohar@linux.vnet.ibm.com> <1527635645.3534.39.camel@linux.vnet.ibm.com> <1527780226.3427.20.camel@linux.vnet.ibm.com>
List-ID: linux-kernel@vger.kernel.org

On Thu, May 31, 2018 at 11:23 AM, Mimi Zohar wrote:
> Both the init_module and finit_module syscalls call either directly
> or indirectly the security_kernel_read_file LSM hook. This patch
> replaces the direct call in init_module with a call to the new
> security_kernel_load_data hook and makes the corresponding changes
> in SELinux, LoadPin, and IMA.
>
> Signed-off-by: Mimi Zohar
> Cc: Jeff Vander Stoep
> Cc: Paul Moore
> Cc: Casey Schaufler
> Cc: Kees Cook
>
> ---
> Changelog:
> - For SELinux, have both the security_kernel_read_file and
>   security_kernel_load_data LSM hooks call selinux_kernel_read_file().
> - LoadPin: replace existing init_module LSM hook support with
>   new security_kernel_load_data hook.
>
>  kernel/module.c                   |  2 +-
>  security/integrity/ima/ima_main.c | 24 ++++++++++--------------
>  security/loadpin/loadpin.c        | 15 +++++++++++++++
>  security/selinux/hooks.c          | 15 +++++++++++++++
>  4 files changed, 41 insertions(+), 15 deletions(-)

As mentioned in the previous iteration, I have no strong opinion on the
question of the LSM hooks, but the SELinux bits look okay to me.

Acked-by: Paul Moore

> diff --git a/kernel/module.c b/kernel/module.c > index ce8066b88178..b97c642b5b4d 100644 > --- a/kernel/module.c > +++ b/kernel/module.c > @@ -2879,7 +2879,7 @@ static int copy_module_from_user(const void __user *umod, unsigned long len, > if (info->len < sizeof(*(info->hdr))) > return -ENOEXEC; > > - err = security_kernel_read_file(NULL, READING_MODULE); > + err = security_kernel_load_data(LOADING_MODULE); > if (err) > return err; > > diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c > index 5a7696152982..cd33a2eff496 100644 > --- a/security/integrity/ima/ima_main.c > +++ b/security/integrity/ima/ima_main.c
> @@ -438,17 +438,6 @@ static int read_idmap[READING_MAX_ID] = { > */ > int ima_read_file(struct file *file, enum kernel_read_file_id read_id) > { > - bool sig_enforce = is_module_sig_enforced(); > - > - if (!file && read_id == READING_MODULE) { > - if (!sig_enforce && (ima_appraise & IMA_APPRAISE_MODULES) && > - (ima_appraise & IMA_APPRAISE_ENFORCE)) { > - pr_err("impossible to appraise a module without a file descriptor. sig_enforce kernel parameter might help\n"); > - return -EACCES; /* INTEGRITY_UNKNOWN */ > - } > - return 0; /* We rely on module signature checking */ > - } > - > if (read_id == READING_FIRMWARE_PREALLOC_BUFFER) { > if ((ima_appraise & IMA_APPRAISE_FIRMWARE) && > (ima_appraise & IMA_APPRAISE_ENFORCE)) { > @@ -487,9 +476,6 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size, > return 0; > } > > - if (!file && read_id == READING_MODULE) /* MODULE_SIG_FORCE enabled */ > - return 0; > - > /* permit signed certs */ > if (!file && read_id == READING_X509_CERTIFICATE) > return 0; > @@ -518,6 +504,8 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size, > */ > int ima_load_data(enum kernel_load_data_id id) > { > + bool sig_enforce; > + > if ((ima_appraise & IMA_APPRAISE_ENFORCE) != IMA_APPRAISE_ENFORCE) > return 0; > > @@ -533,6 +521,14 @@ int ima_load_data(enum kernel_load_data_id id) > pr_err("Prevent firmware sysfs fallback loading.\n"); > return -EACCES; /* INTEGRITY_UNKNOWN */ > } > + break; > + case LOADING_MODULE: > + sig_enforce = is_module_sig_enforced(); > + > + if (!sig_enforce && (ima_appraise & IMA_APPRAISE_MODULES)) { > + pr_err("impossible to appraise a module without a file descriptor. sig_enforce kernel parameter might help\n"); > + return -EACCES; /* INTEGRITY_UNKNOWN */ > + } > default: > break; > } > diff --git a/security/loadpin/loadpin.c b/security/loadpin/loadpin.c > index 5fa191252c8f..a9c07bfbc338 100644 > --- a/security/loadpin/loadpin.c > +++ b/security/loadpin/loadpin.c 
> @@ -173,9 +173,24 @@ static int loadpin_read_file(struct file *file, enum kernel_read_file_id id) > return 0; > } > > +static int loadpin_load_data(enum kernel_load_data_id id) > +{ > + int rc = 0; > + > + switch (id) { > + case LOADING_MODULE: > + rc = loadpin_read_file(NULL, READING_MODULE); > + default: > + break; > + } > + > + return rc; > +} > + > static struct security_hook_list loadpin_hooks[] __lsm_ro_after_init = { > LSM_HOOK_INIT(sb_free_security, loadpin_sb_free_security), > LSM_HOOK_INIT(kernel_read_file, loadpin_read_file), > + LSM_HOOK_INIT(kernel_load_data, loadpin_load_data), > }; > > void __init loadpin_add_hooks(void) > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index 02ebd1585eaf..475aed9ee2c7 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -4059,6 +4059,20 @@ static int selinux_kernel_read_file(struct file *file, > return rc; > } > > +static int selinux_kernel_load_data(enum kernel_load_data_id id) > +{ > + int rc = 0; > + > + switch (id) { > + case LOADING_MODULE: > + rc = selinux_kernel_module_from_file(NULL); > + default: > + break; > + } > + > + return rc; > +} > + > static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) > { > return avc_has_perm(&selinux_state, > @@ -6950,6 +6964,7 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { > LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), > LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), > LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), > + LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data), > LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file), > LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid), > LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid), > -- > 2.7.5 > -- paul moore www.paul-moore.com
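Review bot: in the kernel/module.c hunk, the new security_kernel_load_data(LOADING_MODULE) call in copy_module_from_user() takes neither a file nor a buffer, exactly like the security_kernel_read_file(NULL, READING_MODULE) call it replaces, so an LSM still has nothing to inspect for init_module and can only allow or deny the load as a whole. That is worth saying in the kernel_load_data hook documentation for LOADING_MODULE, and the changelog should spell out the split this creates: finit_module still reaches LSMs through kernel_read_file with READING_MODULE, while init_module now reaches them only through kernel_load_data, so any LSM that implements just kernel_read_file stops seeing init_module loads after this patch.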
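Review bot: in the first ima_main.c hunk, removing the `!file && read_id == READING_MODULE` block from ima_read_file() leaves the function with no special case for a NULL file at all, so it now depends on no caller of security_kernel_read_file() ever passing NULL with READING_MODULE. After this patch init_module no longer calls that hook, so the assumption holds, but it is silent in the code; a one-line comment above the READING_FIRMWARE_PREALLOC_BUFFER check saying that module loads without a file are handled in ima_load_data() would make the dependency visible to the next person touching this function.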
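Review bot: in the second ima_main.c hunk, the removed `if (!file && read_id == READING_MODULE) /* MODULE_SIG_FORCE enabled */ return 0;` means a NULL file with READING_MODULE would now fall past the remaining `!file && read_id == READING_X509_CERTIFICATE` special case into the general post-read path of ima_post_read_file(). That is only safe because init_module no longer goes through kernel_post_read_file; the changelog should state that this early return is being removed because it has no remaining caller, not as a behaviour change.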
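Review bot: in the third ima_main.c hunk, the new `case LOADING_MODULE:` has no `break;` before `default:`; it falls through into `default: break;`, which is harmless today but will warn once -Wimplicit-fallthrough is enabled for the build. Add a `break;` after the `if` block, matching the `+ break;` this same hunk adds to the firmware case just above it. Two smaller points: `sig_enforce` is only used in this one case, so it could be scoped to that block rather than declared at function scope, and the pr_err() text could name the parameter as it is actually passed on the command line (`module.sig_enforce`) so the message is directly actionable.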
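Review bot: in the loadpin.c hunk, loadpin_load_data() is missing a `break;` after `rc = loadpin_read_file(NULL, READING_MODULE);` and falls through into `default: break;`, the same pattern as in the IMA hunk. Since the NULL-file branch of loadpin_read_file() (outside the visible context) is now reached only through this wrapper, it is also worth confirming that it still behaves as a pure replacement of the old init_module path, as the changelog claims, rather than adding a second check.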
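Review bot: in the first hooks.c hunk, the changelog says both hooks call selinux_kernel_read_file(), but selinux_kernel_load_data() actually calls selinux_kernel_module_from_file(NULL) directly. Either is fine as long as selinux_kernel_read_file(NULL, READING_MODULE) would have ended up in the same function, but the changelog and the code should agree. The switch also lacks a `break;` before `default:`, as in the LoadPin and IMA hunks.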
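A userspace model of the IMA decision for LOADING_MODULE, added here as an illustration and not code from the patch or the kernel: it places the check removed from ima_read_file() beside the new case in ima_load_data() and walks every combination of sig_enforce, IMA_APPRAISE_MODULES and IMA_APPRAISE_ENFORCE to confirm the refactor preserves the decision for a module loaded with no file descriptor. The flag bit values, the function names and the use of errno's EACCES are assumptions made for this model.

```c
/*
 * Added example, not code from the patch or the kernel: a userspace model
 * of the IMA policy decision for a module loaded through init_module(2),
 * i.e. with no file descriptor, before and after the quoted ima_main.c
 * hunks. The flag bit values below are constructed for this model; only
 * the decision logic mirrors the hunks.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-ins for the ima_appraise bits the hunks test. */
#define IMA_APPRAISE_ENFORCE 0x01u
#define IMA_APPRAISE_MODULES 0x08u

/*
 * Before the patch: the block removed from ima_read_file() for
 * file == NULL && read_id == READING_MODULE.
 */
int old_ima_read_file_module(unsigned int ima_appraise, bool sig_enforce)
{
	if (!sig_enforce && (ima_appraise & IMA_APPRAISE_MODULES) &&
	    (ima_appraise & IMA_APPRAISE_ENFORCE))
		return -EACCES;	/* INTEGRITY_UNKNOWN */
	return 0;		/* rely on module signature checking */
}

/*
 * After the patch: ima_load_data(LOADING_MODULE), i.e. the function's
 * early return on a non-enforcing policy followed by the new case.
 */
int new_ima_load_data_module(unsigned int ima_appraise, bool sig_enforce)
{
	if ((ima_appraise & IMA_APPRAISE_ENFORCE) != IMA_APPRAISE_ENFORCE)
		return 0;
	if (!sig_enforce && (ima_appraise & IMA_APPRAISE_MODULES))
		return -EACCES;	/* INTEGRITY_UNKNOWN */
	return 0;
}

/* Map a 2-bit index onto an ima_appraise value (bit 0: ENFORCE, bit 1: MODULES). */
static unsigned int appraise_from_bits(unsigned int bits)
{
	unsigned int ima_appraise = 0;

	if (bits & 1)
		ima_appraise |= IMA_APPRAISE_ENFORCE;
	if (bits & 2)
		ima_appraise |= IMA_APPRAISE_MODULES;
	return ima_appraise;
}

/*
 * Exhaustively compare the two over every combination of the three inputs.
 * Returns the number of disagreements; 0 means the move from
 * ima_read_file() to ima_load_data() is behaviour-preserving for this id.
 */
int count_mismatches(void)
{
	int mismatches = 0;

	for (unsigned int bits = 0; bits < 4; bits++) {
		unsigned int ima_appraise = appraise_from_bits(bits);

		for (int se = 0; se < 2; se++) {
			int before = old_ima_read_file_module(ima_appraise, se != 0);
			int after = new_ima_load_data_module(ima_appraise, se != 0);

			if (before != after)
				mismatches++;
		}
	}
	return mismatches;
}

int main(void)
{
	printf("enforce modules sig_enforce  before  after\n");
	for (unsigned int bits = 0; bits < 4; bits++) {
		unsigned int ima_appraise = appraise_from_bits(bits);

		for (int se = 0; se < 2; se++)
			printf("%7u %7u %11d  %6d %6d\n",
			       !!(ima_appraise & IMA_APPRAISE_ENFORCE),
			       !!(ima_appraise & IMA_APPRAISE_MODULES), se,
			       old_ima_read_file_module(ima_appraise, se != 0),
			       new_ima_load_data_module(ima_appraise, se != 0));
	}
	printf("mismatches: %d\n", count_mismatches());
	return count_mismatches() != 0;
}
```

The only row that denies is appraise-enforce with modules appraisal on and sig_enforce off, in both versions: without a file descriptor IMA cannot appraise the image, and it will only stand aside when the kernel's own signature check is mandatory. That is the failure mode the pr_err() in the hunk is about.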