Received: by 2002:a25:ca44:0:0:0:0:0 with SMTP id a65csp344019ybg;
        Tue, 28 Jul 2020 07:28:35 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxtmkejRubblZ0cOAFsTn+OTCaSaxUw1prqi9RoH5cC97i4GUjBZMMCNQ23zQttDHQ9ySPJ
X-Received: by 2002:aa7:ca4b:: with SMTP id j11mr21273334edt.385.1595946514931;
        Tue, 28 Jul 2020 07:28:34 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1595946514; cv=none;
        d=google.com; s=arc-20160816;
        b=q+sBDf48IZ9FqFSJp186+qbGINPwcDcIMIHtUOiOg6/cN/ruGZA0D7w2Dxg6IlOSAB
         kfBw7ifDr6INIrH2PTI8SmMaNO4EtTVOI699TXFf9sUz2AqwkkEywYZrpVb8H473UNj3
         9B3OI0UmcmZvlqR3jDhG/IJH/7u+FVPrwuUE4fIuCd3kfTtdgOR26kPnS6yhYlE/Opww
         SN+DwtfmH6lc86/MLxH4tNNJByDscJpuhsQCXJezgKdSbY1y+COHgaEcptIFl6wLMydl
         N9Y7k1psRmdNY7zYInz8ShS20UNb4PngDoqth98o+E6m+4t6VARYTMJGbpMJ3v/sZou+
         Pvig==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding
         :content-language:in-reply-to:mime-version:user-agent:date
         :message-id:from:references:cc:to:subject:dkim-signature:dkim-filter;
        bh=kf49Pl4vodwxbcCaCVjPOECW8xxDzk6EtLOs42dKW5M=;
        b=W3LcRlMr781KBPsEUJdvw7uYJtqfyN3EGsYcEsUrxlu5CGTgUnnxEfQV1qtjDAn56g
         wNOeENgABEHlFGjZG1yrg08CFI7J8SaAalQ98ODj+iB75fo2HKjNIhwEZJZAywQZ6AWW
         AxWspgb4XDtmXKk7rGfDPT6FcPgCuXKdWrDfROkmmreWprWz6k0YXCN0zV5ZN7M58iT4
         iVydUtZvVHN2XrW8I6LWtvot+QetDWI+nZNOqmglP9a2ZUej5xr6St/HwBCernMkPZiX
         69ugf0ahMHmKZ0lC9FPtM+jvNNgnrV6BLn0CXYy2stifMP0jEv5qudb3wt8xE3m3/AIt
         qihQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linux.microsoft.com header.s=default header.b=n7hsyuxJ;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id mm22si3144460ejb.735.2020.07.28.07.28.11;
        Tue, 28 Jul 2020 07:28:34 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linux.microsoft.com header.s=default header.b=n7hsyuxJ;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1730406AbgG1OZK (ORCPT <rfc822;busarih159@gmail.com>
        + 99 others); Tue, 28 Jul 2020 10:25:10 -0400
Received: from linux.microsoft.com ([13.77.154.182]:48448 "EHLO
        linux.microsoft.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1730089AbgG1OZK (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 28 Jul 2020 10:25:10 -0400
Received: from [192.168.0.104] (c-73-42-176-67.hsd1.wa.comcast.net [73.42.176.67])
        by linux.microsoft.com (Postfix) with ESMTPSA id 4604D20B4908;
        Tue, 28 Jul 2020 07:25:09 -0700 (PDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 4604D20B4908
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com;
        s=default; t=1595946309;
        bh=kf49Pl4vodwxbcCaCVjPOECW8xxDzk6EtLOs42dKW5M=;
        h=Subject:To:Cc:References:From:Date:In-Reply-To:From;
        b=n7hsyuxJEGAN2VcPdsLlUNFVFF4BLQhvYqXnhM4qQ28xeJqT+t+Ob/3mUlk1BrbNt
         roMUe9lkfvyJe5bANGjyV6/Ckx5lMh94srtffhHtKtkeMIziH9BSweuDN5qKRg0mTw
         pp2KOkg+YWjy90HyDGx4md5UwnAfAFse6EXXpU0w=
Subject: Re: [PATCH 1/2] ima: Pre-parse the list of keyrings in a KEY_CHECK
 rule
To:     Tyler Hicks <tyhicks@linux.microsoft.com>,
        Mimi Zohar <zohar@linux.ibm.com>,
        Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
Cc:     James Morris <jmorris@namei.org>,
        "Serge E . Hallyn" <serge@hallyn.com>,
        Tushar Sugandhi <tusharsu@linux.microsoft.com>,
        Nayna Jain <nayna@linux.ibm.com>, linux-kernel@vger.kernel.org,
        linux-integrity@vger.kernel.org,
        linux-security-module@vger.kernel.org
References: <20200727140831.64251-1-tyhicks@linux.microsoft.com>
 <20200727140831.64251-2-tyhicks@linux.microsoft.com>
From:   Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
Message-ID: <953d1c54-ac80-3807-1082-e7fd00e386d5@linux.microsoft.com>
Date:   Tue, 28 Jul 2020 07:25:08 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <20200727140831.64251-2-tyhicks@linux.microsoft.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 7/27/20 7:08 AM, Tyler Hicks wrote:
> The ima_keyrings buffer was used as a work buffer for strsep()-based
> parsing of the "keyrings=" option of an IMA policy rule. This parsing
> was re-performed each time an asymmetric key was added to a kernel
> keyring for each loaded policy rule that contained a "keyrings=" option.
> 
> An example rule specifying this option is:
> 
>   measure func=KEY_CHECK keyrings=a|b|c
> 
> The rule says to measure asymmetric keys added to any of the kernel
> keyrings named "a", "b", or "c". The size of the buffer size was
> equal to the size of the largest "keyrings=" value seen in a previously
> loaded rule (5 + 1 for the NUL-terminator in the previous example) and
> the buffer was pre-allocated at the time of policy load.
> 
> The pre-allocated buffer approach suffered from a couple bugs:
> 
> 1) There was no locking around the use of the buffer so concurrent key
>     add operations, to two different keyrings, would result in the
>     strsep() loop of ima_match_keyring() to modify the buffer at the same
>     time. This resulted in unexpected results from ima_match_keyring()
>     and, therefore, could cause unintended keys to be measured or keys to
>     not be measured when IMA policy intended for them to be measured.
> 
> 2) If the kstrdup() that initialized entry->keyrings in ima_parse_rule()
>     failed, the ima_keyrings buffer was freed and set to NULL even when a
>     valid KEY_CHECK rule was previously loaded. The next KEY_CHECK event
>     would trigger a call to strcpy() with a NULL destination pointer and
>     crash the kernel.
> 
> Remove the need for a pre-allocated global buffer by parsing the list of
> keyrings in a KEY_CHECK rule at the time of policy load. The
> ima_rule_entry will contain an array of string pointers which point to
> the name of each keyring specified in the rule. No string processing
> needs to happen at the time of asymmetric key add so iterating through
> the list and doing a string comparison is all that's required at the
> time of policy check.
> 
> In the process of changing how the "keyrings=" policy option is handled,
> a couple additional bugs were fixed:
> 
> 1) The rule parser accepted rules containing invalid "keyrings=" values
>     such as "a|b||c", "a|b|", or simply "|".
> 
> 2) The /sys/kernel/security/ima/policy file did not display the entire
>     "keyrings=" value if the list of keyrings was longer than what could
>     fit in the fixed size tbuf buffer in ima_policy_show().
> 
> Fixes: 5c7bac9fb2c5 ("IMA: pre-allocate buffer to hold keyrings string")
> Fixes: 2b60c0ecedf8 ("IMA: Read keyrings= option from the IMA policy")
> Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
> ---
>   security/integrity/ima/ima_policy.c | 138 +++++++++++++++++++---------
>   1 file changed, 93 insertions(+), 45 deletions(-)

Reviewed-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>