Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp3368666imm; Mon, 4 Jun 2018 02:20:32 -0700 (PDT) X-Google-Smtp-Source: ADUXVKL4Lwgf20LwwyugzounxWNZQGnN4jRI1YB4c+1IQkfnLs0CreXS72+Ma5fVuMMu1pSvw4eZ X-Received: by 2002:a63:ba56:: with SMTP id l22-v6mr16788461pgu.161.1528104032484; Mon, 04 Jun 2018 02:20:32 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1528104032; cv=none; d=google.com; s=arc-20160816; b=L98DVTSP+RUXlQWf2jZ1pzVT1C8ofrGJvRWNWQMI0tl3vEqWqQAjxpfXNPrMhos8ZS 6mOrpReS93PeOWu7lTTonA8Ag6HzGju9nROWAA+Ci7enbrWHWWfzPyTgw67NI0Bz1sPn YvspILW4Y9gBsE9u9b5F34lWFAmqxUpc32UxKKyb9eadagU6fAfS+oWzFx+xfDx+6i/H Njogm5xWLI4b0hRcEFJVNKaq2x5iCywAuxlJauIN/cZXmVwqBtJDSvyjdAspoGMLRQIL J2kaB/nK6PEFWc6uwSplCMrUGP0TOByDH2VMWq3pUbKQSqlqgUuHtAuhdTFTM5KBjh03 kvAA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature:arc-authentication-results; bh=efpU7GQp2h1wqSd+CbQiSlIz5GJC74uRoLPzyY5/5nw=; b=RYLDPUiaxKxHEdgtQbM9HgpT+DcERU8QFu5dm3XlceN/tjzbEnYPjdvC+qMdZ4F97i B52ukXVaIR5dZwORE74fFzCKn9rCCm+nC9ZrYa8eVKPDV/nCOBnips8CFf+FdsUAj75k 1HqiTJ6JcnAAuqlE1yaphi+FqaBrwUWdL62iOsgbKs7y8ql7fjMjFdoTQ9e8WEI7t29g JBlgDG+pN9SUowGQhF5Jfv1q3U73iSCPhuvygEMc0hHUb86OSOgEMxe/izACC6uwrSNv XJB4e1QnulGOpVy3mwQCBqXpV4rL4bIAO8pggq2FEaKL+Jey9b/pP6HK9akL2efOorfA mskA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=pbBUuAdK; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t200-v6si17742245pgb.553.2018.06.04.02.20.17; Mon, 04 Jun 2018 02:20:32 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=pbBUuAdK; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752003AbeFDJTp (ORCPT + 99 others); Mon, 4 Jun 2018 05:19:45 -0400 Received: from mail.kernel.org ([198.145.29.99]:41238 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750868AbeFDJTn (ORCPT ); Mon, 4 Jun 2018 05:19:43 -0400 Received: from d217.suse.de (charybdis-ext.suse.de [195.135.221.2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id CB3EA2088F; Mon, 4 Jun 2018 09:19:39 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1528103982; bh=okgX6Y02YiMFvtXnw0KOi9Uly6jSip5w9KkfT1Gjx8k=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=pbBUuAdKIKQCxFz1yH7XzkHDRtauG/81fdHvZt9zGsh+mw9n8aczVVugUMwZxSj4w +gKZxtcTJLEv/bP4VHSWeRbEcyXKrYqugbRZno+BXYF3O1vqkcCmUyqHMjMfvSrx8T E2Op+fdXV+uSNBFXh28UmrBAUUQ/Co50b1a+Krvg= Date: Mon, 4 Jun 2018 11:19:37 +0200 From: Jessica Yu To: Mimi Zohar Cc: Paul Moore , Kees Cook , linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, David Howells , "Luis R . Rodriguez" , Eric Biederman , kexec@lists.infradead.org, Andres Rodriguez , Greg Kroah-Hartman , Ard Biesheuvel , Jeff Vander Stoep , Casey Schaufler Subject: Re: [PATCH v4a 8/8] module: replace the existing LSM hook in init_module Message-ID: <20180604091937.4hiv3tmsky2splwc@d217.suse.de> References: <1527616920-5415-1-git-send-email-zohar@linux.vnet.ibm.com> <1527616920-5415-9-git-send-email-zohar@linux.vnet.ibm.com> <1527635645.3534.39.camel@linux.vnet.ibm.com> <1527780226.3427.20.camel@linux.vnet.ibm.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Disposition: inline In-Reply-To: <1527780226.3427.20.camel@linux.vnet.ibm.com> X-OS: Linux d217 4.12.14-lp150.10-default x86_64 User-Agent: NeoMutt/20170912 (1.9.0) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org +++ Mimi Zohar [31/05/18 11:23 -0400]: >Both the init_module and finit_module syscalls call either directly >or indirectly the security_kernel_read_file LSM hook. This patch >replaces the direct call in init_module with a call to the new >security_kernel_load_data hook and makes the corresponding changes >in SELinux, LoadPin, and IMA. > >Signed-off-by: Mimi Zohar >Cc: Jeff Vander Stoep >Cc: Paul Moore >Cc: Casey Schaufler >Cc: Kees Cook For the module.c parts: Acked-by: Jessica Yu >Changelog: >- For SELinux, have both the security_kernel_read_file and >security_kernel_load_data LSM hooks call selinux_kernel_read_file(). >- LoadPin: replace existing init_module LSM hook support with >new security_kernel_load_data hook. > > kernel/module.c | 2 +- > security/integrity/ima/ima_main.c | 24 ++++++++++-------------- > security/loadpin/loadpin.c | 15 +++++++++++++++ > security/selinux/hooks.c | 15 +++++++++++++++ > 4 files changed, 41 insertions(+), 15 deletions(-) > >diff --git a/kernel/module.c b/kernel/module.c >index ce8066b88178..b97c642b5b4d 100644 >--- a/kernel/module.c >+++ b/kernel/module.c >@@ -2879,7 +2879,7 @@ static int copy_module_from_user(const void __user *umod, unsigned long len, > if (info->len < sizeof(*(info->hdr))) > return -ENOEXEC; > >- err = security_kernel_read_file(NULL, READING_MODULE); >+ err = security_kernel_load_data(LOADING_MODULE); > if (err) > return err; > >diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c >index 5a7696152982..cd33a2eff496 100644 >--- a/security/integrity/ima/ima_main.c >+++ b/security/integrity/ima/ima_main.c >@@ -438,17 +438,6 @@ static int read_idmap[READING_MAX_ID] = { > */ > int ima_read_file(struct file *file, enum kernel_read_file_id read_id) > { >- bool sig_enforce = is_module_sig_enforced(); >- >- if (!file && read_id == READING_MODULE) { >- if (!sig_enforce && (ima_appraise & IMA_APPRAISE_MODULES) && >- (ima_appraise & IMA_APPRAISE_ENFORCE)) { >- pr_err("impossible to appraise a module without a file descriptor. sig_enforce kernel parameter might help\n"); >- return -EACCES; /* INTEGRITY_UNKNOWN */ >- } >- return 0; /* We rely on module signature checking */ >- } >- > if (read_id == READING_FIRMWARE_PREALLOC_BUFFER) { > if ((ima_appraise & IMA_APPRAISE_FIRMWARE) && > (ima_appraise & IMA_APPRAISE_ENFORCE)) { >@@ -487,9 +476,6 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size, > return 0; > } > >- if (!file && read_id == READING_MODULE) /* MODULE_SIG_FORCE enabled */ >- return 0; >- > /* permit signed certs */ > if (!file && read_id == READING_X509_CERTIFICATE) > return 0; >@@ -518,6 +504,8 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size, > */ > int ima_load_data(enum kernel_load_data_id id) > { >+ bool sig_enforce; >+ > if ((ima_appraise & IMA_APPRAISE_ENFORCE) != IMA_APPRAISE_ENFORCE) > return 0; > >@@ -533,6 +521,14 @@ int ima_load_data(enum kernel_load_data_id id) > pr_err("Prevent firmware sysfs fallback loading.\n"); > return -EACCES; /* INTEGRITY_UNKNOWN */ > } >+ break; >+ case LOADING_MODULE: >+ sig_enforce = is_module_sig_enforced(); >+ >+ if (!sig_enforce && (ima_appraise & IMA_APPRAISE_MODULES)) { >+ pr_err("impossible to appraise a module without a file descriptor. sig_enforce kernel parameter might help\n"); >+ return -EACCES; /* INTEGRITY_UNKNOWN */ >+ } > default: > break; > } >diff --git a/security/loadpin/loadpin.c b/security/loadpin/loadpin.c >index 5fa191252c8f..a9c07bfbc338 100644 >--- a/security/loadpin/loadpin.c >+++ b/security/loadpin/loadpin.c >@@ -173,9 +173,24 @@ static int loadpin_read_file(struct file *file, enum kernel_read_file_id id) > return 0; > } > >+static int loadpin_load_data(enum kernel_load_data_id id) >+{ >+ int rc = 0; >+ >+ switch (id) { >+ case LOADING_MODULE: >+ rc = loadpin_read_file(NULL, READING_MODULE); >+ default: >+ break; >+ } >+ >+ return rc; >+} >+ > static struct security_hook_list loadpin_hooks[] __lsm_ro_after_init = { > LSM_HOOK_INIT(sb_free_security, loadpin_sb_free_security), > LSM_HOOK_INIT(kernel_read_file, loadpin_read_file), >+ LSM_HOOK_INIT(kernel_load_data, loadpin_load_data), > }; > > void __init loadpin_add_hooks(void) >diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c >index 02ebd1585eaf..475aed9ee2c7 100644 >--- a/security/selinux/hooks.c >+++ b/security/selinux/hooks.c >@@ -4059,6 +4059,20 @@ static int selinux_kernel_read_file(struct file *file, > return rc; > } > >+static int selinux_kernel_load_data(enum kernel_load_data_id id) >+{ >+ int rc = 0; >+ >+ switch (id) { >+ case LOADING_MODULE: >+ rc = selinux_kernel_module_from_file(NULL); >+ default: >+ break; >+ } >+ >+ return rc; >+} >+ > static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) > { > return avc_has_perm(&selinux_state, >@@ -6950,6 +6964,7 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { > LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), > LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), > LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), >+ LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data), > LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file), > LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid), > LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid), >-- >2.7.5 >