From: Lakshmi Ramasubramanian
To: zohar@linux.ibm.com, stephen.smalley@gmail.com, casey@schaufler-ca.com
Cc: jmorris@namei.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH 5/5] LSM: Define workqueue for measuring security module state
Date: Fri, 12 Jun 2020 19:41:30 -0700
Message-Id: <20200613024130.3356-6-nramas@linux.microsoft.com>
In-Reply-To: <20200613024130.3356-1-nramas@linux.microsoft.com>
References: <20200613024130.3356-1-nramas@linux.microsoft.com>

The data maintained by the security modules could be tampered with by malware. The LSM needs to periodically query the state of the security modules and measure the data when the state is changed. Define a workqueue for handling this periodic query and measurement.

Signed-off-by: Lakshmi Ramasubramanian
---
 security/security.c | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/security/security.c b/security/security.c index e7175db5a093..3dad6766cb9d 100644 --- a/security/security.c +++ b/security/security.c @@ -89,6 +89,11 @@ static __initdata struct lsm_info *exclusive; static struct lsm_info *security_state_lsms; static int security_state_lsms_count; +static long security_state_timeout = 300000; /* 5 Minutes */ +static void security_state_handler(struct work_struct *work); +static DECLARE_DELAYED_WORK(security_state_delayed_work, + security_state_handler); + static __initdata bool debug; #define init_debug(...) \ do { \ 
@@ -294,6 +299,26 @@ static void __init initialize_security_state_lsms(void) security_state_lsms_count = count; } +static void initialize_security_state_monitor(void) +{ + if (security_state_lsms_count == 0) + return; + + schedule_delayed_work(&security_state_delayed_work, + msecs_to_jiffies(security_state_timeout)); +} + +static void security_state_handler(struct work_struct *work) +{ + int inx; + + for (inx = 0; inx < security_state_lsms_count; inx++) + measure_security_state(&(security_state_lsms[inx])); + + schedule_delayed_work(&security_state_delayed_work, + msecs_to_jiffies(security_state_timeout)); +} + /* Populate ordered LSMs list from comma-separated LSM name list. */ static void __init ordered_lsm_parse(const char *order, const char *origin) { @@ -417,6 +442,7 @@ static void __init ordered_lsm_init(void) } initialize_security_state_lsms(); + initialize_security_state_monitor(); kfree(ordered_lsms); } -- 2.27.0
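
Review bot: In the first hunk (@@ -89,6 +89,11 @@), security_state_timeout is declared static long but is only ever passed to msecs_to_jiffies(), which takes an unsigned int count of milliseconds; declare it unsigned int and put the unit in the name (for example security_state_timeout_ms). Nothing in the patch writes to it, so either make it const or expose it as a documented tunable. The five-minute value is also the window in which a change to LSM data goes unmeasured, so the comment should say why that interval was chosen instead of only restating the number.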
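
Review bot: In security_state_handler() (hunk @@ -294,6 +299,26 @@), measure_security_state() is called for every entry on every expiry and the work is then re-armed unconditionally, whereas the commit message says the data is measured when the state is changed. If the change detection lives inside measure_security_state(), say so in a comment above the loop; otherwise this path measures every LSM each period regardless of change. The handler runs long after boot and indexes security_state_lsms[], so it is worth confirming that the array does not reference __initdata. Style: &(security_state_lsms[inx]) needs no parentheses, and the loop index would conventionally be i.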
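
Review bot: In the last hunk (@@ -417,6 +442,7 @@), initialize_security_state_monitor() is called only from ordered_lsm_init(), which is __init, but its definition in the previous hunk lacks the __init annotation that the neighbouring initialize_security_state_lsms() carries; mark it __init. The call only arms the delayed work, so the first measurement taken by this path happens a full security_state_timeout after boot; if a baseline measurement is taken elsewhere in the series, a comment here pointing to it would help.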