Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp14261279pxu;
        Mon, 4 Jan 2021 18:15:54 -0800 (PST)
X-Google-Smtp-Source: ABdhPJwb93tcfbQK9Rz6dQLU9MjV3YKI7voxrevLAp40QyU5LMXPivpDuU3Y1aEqF5scbsDS5viE
X-Received: by 2002:a50:a694:: with SMTP id e20mr73722142edc.261.1609812954377;
        Mon, 04 Jan 2021 18:15:54 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1609812954; cv=none;
        d=google.com; s=arc-20160816;
        b=LOvO3nN5mlszR7yhoZUBGoY3A92IhZdYt5C7zt5t7nCfhEI3fofc9xuwrrzCwvCLQh
         rWxfroxmqRz4raEabJe1JDg0ISFh5VeILuR9e5GqiICI2b/O9fR3Bu+rn/D64NguHFqX
         rzDYc1bdFvIhGfBy44f9c3YXR2GLmFgKWEU8VfD5PRgSzrK9RT+kxUx9HbnZkfdQOCEs
         xGqrTZdSFdzSdeX0hFpqVRnGuktuHeufH5IvrSNdu0alMuTI9cIUqmLV+b1KBP5p8nNz
         1iXn43IhUoV4bY7iOyyEqvmcBC2Y1FoKDuYqzuBPeta6XdAlDcn5XsCh1iS3oPEQ1IYq
         /tKA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to
         :references:mime-version:dkim-signature;
        bh=qvV6FEczLH+8PfasNVXOCqdhthLBl7usYa45FALYpbY=;
        b=XVPCsJWH+euyzHgvMdSInt39BeWVoQa30AnbRsPQgsj9ijmucWDf7R8GLacvW19frm
         J6GEyQ8K/RIpL/yP1WalniE3cM9rWeLPEKsFr/C7bj/EqnGdnLLYzSScieN6L3EIBbek
         vsiglUfXX6ZzV+Yr54nX9eg4fkBQ4KxkySdLWheLt82YdojFR1PzypSVyydQlNEDRbZO
         UkTwuyxXn4LM/6zfzDqKtckMGX7sff28IdMLIZcRwzsh26mJo59bRT2zhCdflDnt9f+e
         lQuoCyYcr1WM/uW19GsnvwY4lamMysjtowEqrGAfVaH65cnEQKAxz2Gw5/no6/qj0Xge
         kqNw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=xz2K25aO;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id i12si32166111edr.321.2021.01.04.18.15.30;
        Mon, 04 Jan 2021 18:15:54 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=xz2K25aO;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727697AbhAECOY (ORCPT
        <rfc822;linuxmailingsubscription@gmail.com> + 99 others);
        Mon, 4 Jan 2021 21:14:24 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55804 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726613AbhAECOX (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 4 Jan 2021 21:14:23 -0500
Received: from mail-ej1-x62b.google.com (mail-ej1-x62b.google.com [IPv6:2a00:1450:4864:20::62b])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 38499C061793
        for <linux-kernel@vger.kernel.org>; Mon,  4 Jan 2021 18:13:43 -0800 (PST)
Received: by mail-ej1-x62b.google.com with SMTP id w1so39300803ejf.11
        for <linux-kernel@vger.kernel.org>; Mon, 04 Jan 2021 18:13:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=paul-moore-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=qvV6FEczLH+8PfasNVXOCqdhthLBl7usYa45FALYpbY=;
        b=xz2K25aOL/42q3USBHxE817PRS+cpeKYlYXsD6knCfIbgZOhhDqnUGKBmS9Fi3H76r
         5APZiVGO+eEXnw/E61NSj79GlsT1I1RPnX4tB00uIfCMAY8CkMEZmdmjbJbzn3qBCt8d
         UECtGS1+2PInjKfAk0uMZ6a3T+gclJfxtAFB0t+nS12tYsPbkzcyo4EwvRf2Q667b7EH
         EnBOHa9nBFEc7HcAss4ze9V+TqgySTrRFQWam39hzF+hIYhaQ6zXMzKAwEXidmCrRW+H
         fTyOqFFwpKULfuQ+erBVKYMi+B5AXCUW/fGRM7Oc8E2fiGF3b8oyQKZwQk6RYr4y0wJp
         fGdQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=qvV6FEczLH+8PfasNVXOCqdhthLBl7usYa45FALYpbY=;
        b=V2jritAEqoCBcxG0A/NaSpP9273ENPf3Q7QeiLQDRqztJ8dD3JsQ71t0oXmxo/UjcS
         yhzzr7GHBH1PPC/XV3JDbGWx2lcZrpQ3suyEYDUJs9pNu0powQwzmAGvLW6xUJiJnW7g
         p/rSffShREeaxQnfWZrFf7BoYD45LAHnCFgShNGy6ok90OSrvAXxu6WN5bkDIKBLaTQG
         7WmPtR7P4NZK9Y30HBd6jYzRurr6o8Fi4IbUVwHsk144Tg0iR8OM16SuEMSOch0LucU7
         Jf4/pP6GZPKwVUGVMEnEudiXhPNM2++jTetl8H2b6OMspUpqpknCaVyZUYi5zdTI+3Qr
         0/3w==
X-Gm-Message-State: AOAM530wvuCGLTQo7GZjBY9TjSPdoBVtLUpBr7zKAIsr1BPGIvH7fKFJ
        MF7cayNsnZX3RM5YLFoZiJ3oyw1SFiICT+sCSaxA
X-Received: by 2002:a17:907:4126:: with SMTP id mx6mr67633339ejb.91.1609812821733;
 Mon, 04 Jan 2021 18:13:41 -0800 (PST)
MIME-Version: 1.0
References: <20201212180251.9943-1-tusharsu@linux.microsoft.com>
 <20201212180251.9943-9-tusharsu@linux.microsoft.com> <CAHC9VhSao7DGtskbDMax8hN+PhQr8homFXUGjm+c7NtEUCtKhg@mail.gmail.com>
 <2dce2244-adbd-df2a-e890-271bbcc8f9f2@linux.microsoft.com>
In-Reply-To: <2dce2244-adbd-df2a-e890-271bbcc8f9f2@linux.microsoft.com>
From:   Paul Moore <paul@paul-moore.com>
Date:   Mon, 4 Jan 2021 21:13:30 -0500
Message-ID: <CAHC9VhQ8H+UCnLTJ4Mb=GHCdExGvVEB_+nbK+-keMVie-tnbnQ@mail.gmail.com>
Subject: Re: [PATCH v9 8/8] selinux: include a consumer of the new IMA
 critical data hook
To:     Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
Cc:     Tushar Sugandhi <tusharsu@linux.microsoft.com>,
        zohar@linux.ibm.com,
        Stephen Smalley <stephen.smalley.work@gmail.com>,
        casey@schaufler-ca.com, agk@redhat.com, snitzer@redhat.com,
        gmazyland@gmail.com, tyhicks@linux.microsoft.com,
        sashal@kernel.org, James Morris <jmorris@namei.org>,
        linux-integrity@vger.kernel.org, selinux@vger.kernel.org,
        linux-security-module@vger.kernel.org,
        linux-kernel@vger.kernel.org, dm-devel@redhat.com
Content-Type: text/plain; charset="UTF-8"
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Jan 4, 2021 at 6:30 PM Lakshmi Ramasubramanian
<nramas@linux.microsoft.com> wrote:
> On 12/23/20 1:10 PM, Paul Moore wrote:
> Hi Paul,

Hello.

> >> diff --git a/security/selinux/measure.c b/security/selinux/measure.c
> >> new file mode 100644
> >> index 000000000000..b7e24358e11d
> >> --- /dev/null
> >> +++ b/security/selinux/measure.c
> >> @@ -0,0 +1,79 @@
> >> +// SPDX-License-Identifier: GPL-2.0-or-later
> >> +/*
> >> + * Measure SELinux state using IMA subsystem.
> >> + */
> >> +#include <linux/vmalloc.h>
> >> +#include <linux/ktime.h>
> >> +#include <linux/ima.h>
> >> +#include "security.h"
> >> +
> >> +/*
> >> + * This function creates a unique name by appending the timestamp to
> >> + * the given string. This string is passed as "event_name" to the IMA
> >> + * hook to measure the given SELinux data.
> >> + *
> >> + * The data provided by SELinux to the IMA subsystem for measuring may have
> >> + * already been measured (for instance the same state existed earlier).
> >> + * But for SELinux the current data represents a state change and hence
> >> + * needs to be measured again. To enable this, pass a unique "event_name"
> >> + * to the IMA hook so that IMA subsystem will always measure the given data.
> >> + *
> >> + * For example,
> >> + * At time T0 SELinux data to be measured is "foo". IMA measures it.
> >> + * At time T1 the data is changed to "bar". IMA measures it.
> >> + * At time T2 the data is changed to "foo" again. IMA will not measure it
> >> + * (since it was already measured) unless the event_name, for instance,
> >> + * is different in this call.
> >> + */
> >> +static char *selinux_event_name(const char *name_prefix)
> >> +{
> >> +       struct timespec64 cur_time;
> >> +
> >> +       ktime_get_real_ts64(&cur_time);
> >> +       return kasprintf(GFP_KERNEL, "%s-%lld:%09ld", name_prefix,
> >> +                        cur_time.tv_sec, cur_time.tv_nsec);
> >> +}
> >
> > Why is this a separate function?  It's three lines long and only
> > called from selinux_measure_state().  Do you ever see the SELinux/IMA
> > code in this file expanding to the point where this function is nice
> > from a reuse standpoint?
>
> Earlier I had two measurements - one for SELinux configuration/state and
> another for SELinux policy. selinux_event_name() was used to generate
> event name for each of them.
>
> In this patch set I have included only one measurement - for SELinux
> policy. I plan to add "SELinux configuration/state" measurement in a
> separate patch - I can reuse selinux_event_name() in that patch.

I'm curious about this second measurement.  My apologies if you posted
it previously, this patchset has gone through several iterations and
simply can't recall all the different versions without digging through
the list archives.

Is there a reason why the second measurement isn't included in this
patch?  Or this patchset if it is too big to be a single patch?

> Also, I think the comment in the function header for
> selinux_event_name() is useful.
>
> I prefer to have a separate function, if that's fine by you.

Given just this patch I would prefer if you folded
selinux_event_name() into selinux_measure_state().  However, I agree
with you that the comments in the selinux_event_name() header block is
useful, I would suggest moving those into the body of
selinux_measure_state() directly above the calls to
ktime_get_real_ts64() and kasprintf().

> > Also, I assume you are not concerned about someone circumventing the
> > IMA measurements by manipulating the time?  In most systems I would
> > expect the time to be a protected entity, but with many systems
> > getting their time from remote systems I thought it was worth
> > mentioning.
>
> I am using time function to generate a unique name for the IMA
> measurement event, such as, "selinux-policy-hash-1609790281:860232824".
> This is to ensure that state changes in SELinux data are always measured.
>
> If you think time manipulation can be an issue, please let me know a
> better way to generate unique event names.

Yes, I understand that you are using the time value as a way of
ensuring you always have a different event name and hence a new
measurement.  However, I was wondering if you would be okay if the
time was adjusted such that an event name was duplicated and a
measurement missed?  Is that a problem for you?  It seems like it
might be an issue, but you and Mimi know IMA better than I do.

> >> diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
> >> index 9704c8a32303..dfa2e00894ae 100644
> >> --- a/security/selinux/ss/services.c
> >> +++ b/security/selinux/ss/services.c
> >> @@ -3875,8 +3876,33 @@ int security_netlbl_sid_to_secattr(struct selinux_state *state,
> >>   }
> >>   #endif /* CONFIG_NETLABEL */
> >>
> >> +/**
> >> + * security_read_selinux_policy - read the policy.
> >> + * @policy: SELinux policy
> >> + * @data: binary policy data
> >> + * @len: length of data in bytes
> >> + *
> >> + */
> >> +static int security_read_selinux_policy(struct selinux_policy *policy,
> >> +                                       void *data, size_t *len)
> >
> > Let's just call this "security_read_policy()".
> There is another function in this file with the name security_read_policy().
>
> How about changing the above function name to "read_selinux_policy()"
> since this is a local/static function.

Ooops, sorry about that!  I'm not sure what I was thinking there :)

How about "__security_read_policy()"?

-- 
paul moore
www.paul-moore.com