Received: by 2002:a25:e74b:0:0:0:0:0 with SMTP id e72csp1444445ybh; Thu, 16 Jul 2020 12:14:03 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxi2OFiWHC42C/VYzjY81whrTkuI2RN0ACwIsYqpJlzY2tVmm2OmkCP2i5+TKH9XuUE+H4w X-Received: by 2002:a05:6402:1655:: with SMTP id s21mr5640657edx.289.1594926843803; Thu, 16 Jul 2020 12:14:03 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1594926843; cv=none; d=google.com; s=arc-20160816; b=CWS+ZB3q6i9aeuEh9YX436Xjx+feRvjWAzuP+CtKcEF7BaaPLKzUhs+3N6LKzykBqm JE546J2BPS2DCTg3KHumGzLBdJDHzl1Wdo7/nTuVJ9P4NSdYJNrdPPbpd7yFaUDPp8Pq /LyfT+yUyK6nsbfnyUNTYwsfBj7uUQUx5flFacqO7rVwgHGtW6E7OKhgCiANDzGb5Lem p/GZm2mByzDqKBvas1qZ1T3pkxelbFpGavr5AXggUjxW4PdKuej32J24dhGBWwugM7IF U5gz81hy8oHhORGlC04dCyTA+/uC4WM3ua+A+kJe4p0PpREZl3ow11mu/Q540Vw8ojVf 6E0g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dkim-signature:dkim-filter; bh=rJqLOziw2osdo15zsPugmz5im9Pv3tHMh1e9Igalmc8=; b=obwzY3RN1pVU8An+nGFDLq+bOwoywroixx8ZtB0x61RVg9UwBqSmAa/dSJO/J51qnT NZEloOX3dTfs9zr0R6+vH/ytlxAwk2IbPf1948tOijhlt+Q0b0RacRPHIaqOB6iVhwij wCjMIsRvU2X1Not8r62INixP76NxvQXg96wJzKfX6e8FIuP7Ddtd0jq04i45jQgRhrP1 mt36y4wSADKnjIn3Z69oCQ1LElf4hzwYL+8sKGFVFzmM0SuJYqoArCackeS8JCpnDpIP uBsL4YHrjrcxojoJvDxd01d5gcWGDXe/ccCYUe5Jq4FDDtLHvcN4iBwJfWLIkJmE/f9l LFcw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linux.microsoft.com header.s=default header.b=PGufXFeu; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id f13si3819293edy.576.2020.07.16.12.13.41; Thu, 16 Jul 2020 12:14:03 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linux.microsoft.com header.s=default header.b=PGufXFeu; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729534AbgGPTNT (ORCPT + 99 others); Thu, 16 Jul 2020 15:13:19 -0400 Received: from linux.microsoft.com ([13.77.154.182]:37646 "EHLO linux.microsoft.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729048AbgGPTNR (ORCPT ); Thu, 16 Jul 2020 15:13:17 -0400 Received: from [192.168.0.104] (c-73-42-176-67.hsd1.wa.comcast.net [73.42.176.67]) by linux.microsoft.com (Postfix) with ESMTPSA id 48ED520B4909; Thu, 16 Jul 2020 12:13:16 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 48ED520B4909 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1594926796; bh=rJqLOziw2osdo15zsPugmz5im9Pv3tHMh1e9Igalmc8=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From; b=PGufXFeubXILzI0FUQYAfve2Zm8SYb5HgltkEq/48sHn2lOJrw9tjMaDwamk2KUwH Cvqy9knLTQLdB4ki88SmMf51+IUaUfxuVvU66AMpz88PvI7qs6iP3qmxOL01T0Cdh3 A72XDO/LEcgBDQd+QQHQg57Suwx/P+jSdqJg7cYA= Subject: Re: [PATCH v2 4/5] LSM: Define SELinux function to measure security state To: Stephen Smalley Cc: Mimi Zohar , Casey Schaufler , James Morris , linux-integrity@vger.kernel.org, SElinux list , LSM List , linux-kernel References: <20200716174351.20128-1-nramas@linux.microsoft.com> <20200716174351.20128-5-nramas@linux.microsoft.com> From: Lakshmi Ramasubramanian Message-ID: <9478ddca-8298-5170-836d-8cbc7a070df2@linux.microsoft.com> Date: Thu, 16 Jul 2020 12:13:15 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 7/16/20 11:54 AM, Stephen Smalley wrote: >> The data for selinux-state in the above measurement is: >> enabled=1;enforcing=0;checkreqprot=1;network_peer_controls=1;open_perms=1;extended_socket_class=1;always_check_network=0;cgroup_seclabel=1;nnp_nosuid_transition=1;genfs_seclabel_symlinks=0; >> >> The data for selinux-policy-hash in the above measurement is >> the SHA256 hash of the SELinux policy. > > Can you show an example of how to verify that the above measurement > matches a given state and policy, e.g. the sha256sum commands and > inputs to reproduce the same from an expected state and policy? Sure - I'll provide an example. >> +/* Pre-allocated buffer used for measuring state */ >> +static char *selinux_state_string; >> +static size_t selinux_state_string_len; >> +static char *selinux_state_string_fmt = >> + "%s=%d;%s=%d;%s=%d;%s=%d;%s=%d;%s=%d;%s=%d;%s=%d;%s=%d;%s=%d;"; >> + >> +void __init selinux_init_measurement(void) >> +{ >> + selinux_state_string_len = >> + snprintf(NULL, 0, selinux_state_string_fmt, >> + "enabled", 0, >> + "enforcing", 0, >> + "checkreqprot", 0, >> + selinux_policycap_names[POLICYDB_CAPABILITY_NETPEER], 0, >> + selinux_policycap_names[POLICYDB_CAPABILITY_OPENPERM], 0, >> + selinux_policycap_names[POLICYDB_CAPABILITY_EXTSOCKCLASS], 0, >> + selinux_policycap_names[POLICYDB_CAPABILITY_ALWAYSNETWORK], 0, >> + selinux_policycap_names[POLICYDB_CAPABILITY_CGROUPSECLABEL], 0, >> + selinux_policycap_names[POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION], 0, >> + selinux_policycap_names[POLICYDB_CAPABILITY_GENFS_SECLABEL_SYMLINKS], >> + 0); > > I was thinking you'd dynamically construct the format string with a > for loop from 0 to POLICYDB_CAPABILITY_MAX > and likewise for the values so that we wouldn't have to patch this > code every time we add a new one. That's a good point - will do. > >> + >> + if (selinux_state_string_len < 0) >> + return; > > How can this happen legitimately (i.e. as a result of something other > than a kernel bug)? Since snprintf can return an error I wanted to handle that. But I agree this should not happen for the input data to snprintf used here. > >> + >> + ++selinux_state_string_len; >> + >> + selinux_state_string = kzalloc(selinux_state_string_len, GFP_KERNEL); >> + if (!selinux_state_string) >> + selinux_state_string_len = 0; >> +} > > Not sure about this error handling approach (silent, proceeding as if > the length was zero and then later failing with ENOMEM on every > attempt?). I'd be more inclined to panic/BUG here but I know Linus > doesn't like that. I am not sure if failing (kernel panic/BUG) to "measure" LSM data under memory pressure conditions is the right thing. But I am open to treating this error as a fatal error. Please let me know. > >> + if (ret) >> + pr_err("%s: error %d\n", __func__, ret); > > This doesn't seem terribly useful as an error message; I'd be inclined > to drop it. > Will do. thanks, -lakshmi