Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp1438479ybi;
        Thu, 30 May 2019 18:00:49 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzZPndDiwWaFcGHIepLJsaXSc+qi1LPpZkMmAG5MaiYtkg302fAcJoOkeRs+14A33ce2FLS
X-Received: by 2002:a17:90a:20c4:: with SMTP id f62mr6288403pjg.16.1559264448904;
        Thu, 30 May 2019 18:00:48 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1559264448; cv=none;
        d=google.com; s=arc-20160816;
        b=gtPA3RRUYuHaREZIgNspqjwQ6KaMKGZiWD5DUzS1EuE56W8slnjhOnflc8aOC61yfb
         ox1HZeags/IuyzuxBlqZYSiAhM5MifhbXFsGLRfJxV++74lWBxI/IwhWBNQC4eCK4gKR
         sUn2nqd1m3NrLzVh95dRWjPLo08AtlX4cz5WhDHIQc3oc8hY55XO8YUmelYej4qSrd1p
         jklNRI4QsIR/5Fmy4+BYBjM12U946YbNTsamMbIZLDOxMgZqgc8402nhpr7R3EK9wq1B
         brKLGeiWq6j7pzbTp107UhYUBWA5LVNLyWBeCCUVPhoXF7KaMuT7R3UAou7HA5y/8Gyd
         G5dQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :message-id:in-reply-to:subject:cc:to:from:date;
        bh=UN9nMBPArV7cjk+crFYzR//FzOrTyOFhgv7drL3YzW4=;
        b=gyc8b81KdDZzPDsBQ5DMA5VV/BSndjUqueGmLz/0712ATEzmHHpTb1ZWF3TfQf9HLh
         aDOihGkzsiN9Z2/GSTdFzcla/DC43YeIRFRmujj/ggOA2JD5UwV5N8qEkNuxX4rZhaI1
         LRx70tJHo+RHZpm9erAOai4NhYG2t7EqezUDLZBfCWkTpWGOM197RYPrhNix4Dy0YjOZ
         QxHGXvL+OiHYg2bsUTGJB3BylNEEBx+01jo4+j1tgb2eWPYFHiIowzngHDySZhVCJDpK
         pOlkciAivmOhiytpva051ixq2Tf3T2J5H0NC8DEzL4on5q3F4OJzCW8sATbPpPeeCIYP
         tflw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id f64si4150963plf.128.2019.05.30.18.00.31;
        Thu, 30 May 2019 18:00:48 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726693AbfEaA7Y (ORCPT <rfc822;kerneldev.sdk@gmail.com>
        + 99 others); Thu, 30 May 2019 20:59:24 -0400
Received: from namei.org ([65.99.196.166]:35662 "EHLO namei.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726131AbfEaA7Y (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 30 May 2019 20:59:24 -0400
Received: from localhost (localhost [127.0.0.1])
        by namei.org (8.14.4/8.14.4) with ESMTP id x4V0xGOY017048;
        Fri, 31 May 2019 00:59:16 GMT
Date:   Fri, 31 May 2019 10:59:16 +1000 (AEST)
From:   James Morris <jmorris@namei.org>
To:     Kees Cook <keescook@chromium.org>
cc:     Ke Wu <mikewu@google.com>, Jonathan Corbet <corbet@lwn.net>,
        "Serge E. Hallyn" <serge@hallyn.com>, linux-doc@vger.kernel.org,
        linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: Re: [PATCH v2] Allow to exclude specific file types in LoadPin
In-Reply-To: <201905301440.1DC01275@keescook>
Message-ID: <alpine.LRH.2.21.1905311058560.16993@namei.org>
References: <20190529224350.6460-1-mikewu@google.com> <20190530192208.99773-1-mikewu@google.com> <201905301440.1DC01275@keescook>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, 30 May 2019, Kees Cook wrote:

> On Thu, May 30, 2019 at 12:22:08PM -0700, Ke Wu wrote:
> > Linux kernel already provide MODULE_SIG and KEXEC_VERIFY_SIG to
> > make sure loaded kernel module and kernel image are trusted. This
> > patch adds a kernel command line option "loadpin.exclude" which
> > allows to exclude specific file types from LoadPin. This is useful
> > when people want to use different mechanisms to verify module and
> > kernel image while still use LoadPin to protect the integrity of
> > other files kernel loads.
> > 
> > Signed-off-by: Ke Wu <mikewu@google.com>
> 
> Thanks for the updates!
> 
> Acked-by: Kees Cook <keescook@chromium.org>
> 
> James, I don't have anything else planned for loadpin this cycle. Do you
> want me to push this to Linus in the next cycle, or do you want to take
> it into one of your trees?

You should push it directly to Linus.


> 
> Thanks!
> 
> -Kees
> 
> > ---
> > Changelog since v1:
> > - Mark ignore_read_file_id with __ro_after_init.
> > - Mark parse_exclude() with __init.
> > - Use ARRAY_SIZE(ignore_read_file_id) instead of READING_MAX_ID.
> > 
> > 
> >  Documentation/admin-guide/LSM/LoadPin.rst | 10 ++++++
> >  security/loadpin/loadpin.c                | 38 +++++++++++++++++++++++
> >  2 files changed, 48 insertions(+)
> > 
> > diff --git a/Documentation/admin-guide/LSM/LoadPin.rst b/Documentation/admin-guide/LSM/LoadPin.rst
> > index 32070762d24c..716ad9b23c9a 100644
> > --- a/Documentation/admin-guide/LSM/LoadPin.rst
> > +++ b/Documentation/admin-guide/LSM/LoadPin.rst
> > @@ -19,3 +19,13 @@ block device backing the filesystem is not read-only, a sysctl is
> >  created to toggle pinning: ``/proc/sys/kernel/loadpin/enabled``. (Having
> >  a mutable filesystem means pinning is mutable too, but having the
> >  sysctl allows for easy testing on systems with a mutable filesystem.)
> > +
> > +It's also possible to exclude specific file types from LoadPin using kernel
> > +command line option "``loadpin.exclude``". By default, all files are
> > +included, but they can be excluded using kernel command line option such
> > +as "``loadpin.exclude=kernel-module,kexec-image``". This allows to use
> > +different mechanisms such as ``CONFIG_MODULE_SIG`` and
> > +``CONFIG_KEXEC_VERIFY_SIG`` to verify kernel module and kernel image while
> > +still use LoadPin to protect the integrity of other files kernel loads. The
> > +full list of valid file types can be found in ``kernel_read_file_str``
> > +defined in ``include/linux/fs.h``.
> > diff --git a/security/loadpin/loadpin.c b/security/loadpin/loadpin.c
> > index 055fb0a64169..d5f064644c54 100644
> > --- a/security/loadpin/loadpin.c
> > +++ b/security/loadpin/loadpin.c
> > @@ -45,6 +45,8 @@ static void report_load(const char *origin, struct file *file, char *operation)
> >  }
> >  
> >  static int enforce = IS_ENABLED(CONFIG_SECURITY_LOADPIN_ENFORCE);
> > +static char *exclude_read_files[READING_MAX_ID];
> > +static int ignore_read_file_id[READING_MAX_ID] __ro_after_init;
> >  static struct super_block *pinned_root;
> >  static DEFINE_SPINLOCK(pinned_root_spinlock);
> >  
> > @@ -129,6 +131,13 @@ static int loadpin_read_file(struct file *file, enum kernel_read_file_id id)
> >  	struct super_block *load_root;
> >  	const char *origin = kernel_read_file_id_str(id);
> >  
> > +	/* If the file id is excluded, ignore the pinning. */
> > +	if ((unsigned int)id < ARRAY_SIZE(ignore_read_file_id) &&
> > +	    ignore_read_file_id[id]) {
> > +		report_load(origin, file, "pinning-excluded");
> > +		return 0;
> > +	}
> > +
> >  	/* This handles the older init_module API that has a NULL file. */
> >  	if (!file) {
> >  		if (!enforce) {
> > @@ -187,10 +196,37 @@ static struct security_hook_list loadpin_hooks[] __lsm_ro_after_init = {
> >  	LSM_HOOK_INIT(kernel_load_data, loadpin_load_data),
> >  };
> >  
> > +static void __init parse_exclude(void)
> > +{
> > +	int i, j;
> > +	char *cur;
> > +
> > +	for (i = 0; i < ARRAY_SIZE(exclude_read_files); i++) {
> > +		cur = exclude_read_files[i];
> > +		if (!cur)
> > +			break;
> > +		if (*cur == '\0')
> > +			continue;
> > +
> > +		for (j = 0; j < ARRAY_SIZE(kernel_read_file_str); j++) {
> > +			if (strcmp(cur, kernel_read_file_str[j]) == 0) {
> > +				pr_info("excluding: %s\n",
> > +					kernel_read_file_str[j]);
> > +				ignore_read_file_id[j] = 1;
> > +				/*
> > +				 * Can not break, because one read_file_str
> > +				 * may map to more than on read_file_id.
> > +				 */
> > +			}
> > +		}
> > +	}
> > +}
> > +
> >  static int __init loadpin_init(void)
> >  {
> >  	pr_info("ready to pin (currently %senforcing)\n",
> >  		enforce ? "" : "not ");
> > +	parse_exclude();
> >  	security_add_hooks(loadpin_hooks, ARRAY_SIZE(loadpin_hooks), "loadpin");
> >  	return 0;
> >  }
> > @@ -203,3 +239,5 @@ DEFINE_LSM(loadpin) = {
> >  /* Should not be mutable after boot, so not listed in sysfs (perm == 0). */
> >  module_param(enforce, int, 0);
> >  MODULE_PARM_DESC(enforce, "Enforce module/firmware pinning");
> > +module_param_array_named(exclude, exclude_read_files, charp, NULL, 0);
> > +MODULE_PARM_DESC(exclude, "Exclude pinning specific read file types");
> > -- 
> > 2.22.0.rc1.257.g3120a18244-goog
> > 
> 
> 

-- 
James Morris
<jmorris@namei.org>