Received: by 2002:a05:6902:102b:0:0:0:0 with SMTP id x11csp1806348ybt;
        Mon, 15 Jun 2020 09:50:26 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxr/naBqztu6LKGox2523nPbuDUe28DpeXR56+8JhG/r7Ft4K7drpGsgQErK7NvjUxXCPNI
X-Received: by 2002:a17:906:d204:: with SMTP id w4mr11138395ejz.117.1592239826383;
        Mon, 15 Jun 2020 09:50:26 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1592239826; cv=none;
        d=google.com; s=arc-20160816;
        b=Z/4hULAfgSCUvdjHeUEqEJArbz86X78qlr+BWsxM9yRwiFswVhanjeDfo/52ONgC7w
         hPCei/sX/0GgsvxxEDhnZ5n0yt+fsAjp+fwjz1W8BC2zlvLkir35p5zdbalnm2bDY2G/
         jXgmfqE7j6wPsGSoT/28yrvFYOJZXlqbhLDgGg7f9QKzHaHhbBv0xTB8nsoxNUNGviyK
         fk+8aHaoyUOcYtePXlhRRFOF+3n6OFrxtpyoPxfxYL/jdmWx9jl9Jozao0Gbi8qTig8L
         cCqk+gTHf6K1slV0LCanpvWnVg5yt0Oy4hFUhZVdqXg9r+T629vyID9h14CtzZvYKTra
         e+Hg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding
         :content-language:in-reply-to:mime-version:user-agent:date
         :message-id:from:references:cc:to:subject:dkim-signature:dkim-filter;
        bh=XWqIoID6oSJi5sFAyDXKdR658vGMUI/XhOZPL0DsKnA=;
        b=lv0vB5pyQyAvo5RZS2I7u0SXQ514mHZJyoEGNKJ/HXlVr5tmbYiua/kuNBgT8nqNqu
         uQedwZNhDKcjxxhohwp2JLoSAsfBCFJP1I0k0yoVmmzgv2kyJUrDT0aRMkSAQ+m7mUFG
         kbH+7yt1bfZ+EK+uw4XS4kPQ6OLfKcTfOcuHEHDHt6dfjm/weJLX6ENlRHm+3sELqOjU
         O0/aS05yHNtT5G95Ld53sIUShJ1kd1Xw1p4Z6MxkIt2Y5iPY2Ni+q1kxNGfdeuWVGlyl
         4W2N0yQXJYlE0CASgUIt3tAJ2k9QEulc6LABsJ24+YYFROH6n5jLUwdearnU6332yJZe
         teSw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linux.microsoft.com header.s=default header.b=aUYzJCzF;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id w25si9465947edu.607.2020.06.15.09.50.03;
        Mon, 15 Jun 2020 09:50:26 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linux.microsoft.com header.s=default header.b=aUYzJCzF;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1730989AbgFOQpu (ORCPT <rfc822;chenc2371@gmail.com> + 99 others);
        Mon, 15 Jun 2020 12:45:50 -0400
Received: from linux.microsoft.com ([13.77.154.182]:55090 "EHLO
        linux.microsoft.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1728585AbgFOQpt (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 15 Jun 2020 12:45:49 -0400
Received: from [192.168.0.104] (c-73-42-176-67.hsd1.wa.comcast.net [73.42.176.67])
        by linux.microsoft.com (Postfix) with ESMTPSA id A5BB520B4780;
        Mon, 15 Jun 2020 09:45:48 -0700 (PDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com A5BB520B4780
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com;
        s=default; t=1592239548;
        bh=XWqIoID6oSJi5sFAyDXKdR658vGMUI/XhOZPL0DsKnA=;
        h=Subject:To:Cc:References:From:Date:In-Reply-To:From;
        b=aUYzJCzFeQs+E1ArnYzFlomMA/IssGZNCua/12Ubl8cVtJJPgf1aW8IEd6Hb54Zuv
         6iWDu3Nyl7+Q6Nu4kCWvt/q8Yq6G05vX28voSp3QubdOutU2hmwJ6pOurhIk+bCe0D
         ScAH/mqlpvnydpdE9sHA5BOsIkhYeyDjbuQ/DqpY=
Subject: Re: [PATCH 4/5] LSM: Define SELinux function to measure security
 state
To:     Stephen Smalley <stephen.smalley.work@gmail.com>
Cc:     Mimi Zohar <zohar@linux.ibm.com>,
        Stephen Smalley <stephen.smalley@gmail.com>,
        Casey Schaufler <casey@schaufler-ca.com>,
        James Morris <jmorris@namei.org>,
        linux-integrity@vger.kernel.org,
        LSM List <linux-security-module@vger.kernel.org>,
        linux-kernel <linux-kernel@vger.kernel.org>
References: <20200613024130.3356-1-nramas@linux.microsoft.com>
 <20200613024130.3356-5-nramas@linux.microsoft.com>
 <CAEjxPJ49UaZc9pc-+VN8Cx8rcdrjD6NMoLOO_zqENezobmfwVA@mail.gmail.com>
From:   Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
Message-ID: <a9a20aa5-963e-5f49-9391-0673fdda378e@linux.microsoft.com>
Date:   Mon, 15 Jun 2020 09:45:48 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.8.0
MIME-Version: 1.0
In-Reply-To: <CAEjxPJ49UaZc9pc-+VN8Cx8rcdrjD6NMoLOO_zqENezobmfwVA@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 6/15/20 4:57 AM, Stephen Smalley wrote:

Hi Stephen,

Thanks for reviewing the patches.

>> +void security_state_change(char *lsm_name, void *state, int state_len)
>> +{
>> +       ima_lsm_state(lsm_name, state, state_len);
>> +}
>> +
> 
> What's the benefit of this trivial function instead of just calling
> ima_lsm_state() directly?

One of the feedback Casey Schaufler had given earlier was that calling 
an IMA function directly from SELinux (or, any of the Security Modules) 
would be a layering violation.

LSM framework (security/security.c) already calls IMA functions now (for 
example, ima_bprm_check() is called from security_bprm_check()). I 
followed the same pattern for measuring LSM data as well.

Please let me know if I misunderstood Casey's comment.

>> +static int selinux_security_state(char **lsm_name, void **state,
>> +                                 int *state_len)
>> +{
>> +       int rc = 0;
>> +       char *new_state;
>> +       static char *security_state_string = "enabled=%d;enforcing=%d";
>> +
>> +       *lsm_name = kstrdup("selinux", GFP_KERNEL);
>> +       if (!*lsm_name)
>> +               return -ENOMEM;
>> +
>> +       new_state = kzalloc(strlen(security_state_string) + 1, GFP_KERNEL);
>> +       if (!new_state) {
>> +               kfree(*lsm_name);
>> +               *lsm_name = NULL;
>> +               rc = -ENOMEM;
>> +               goto out;
>> +       }
>> +
>> +       *state_len = sprintf(new_state, security_state_string,
>> +                            !selinux_disabled(&selinux_state),
>> +                            enforcing_enabled(&selinux_state));
> 
> I think I mentioned this on a previous version of these patches, but I
> would recommend including more than just the enabled and enforcing
> states in your measurement.  Other low-hanging fruit would be the
> other selinux_state booleans (checkreqprot, initialized,
> policycap[0..__POLICYDB_CAPABILITY_MAX]).  Going a bit further one
> could take a hash of the loaded policy by using security_read_policy()
> and then computing a hash using whatever hash ima prefers over the
> returned data,len pair.  You likely also need to think about how to
> allow future extensibility of the state in a backward-compatible
> manner, so that future additions do not immediately break systems
> relying on older measurements.
> 

Sure - I will address this one in the next update.

thanks,
  -lakshmi