Received: by 2002:a05:6a10:c7d3:0:0:0:0 with SMTP id h19csp240186pxy;
        Sat, 14 Aug 2021 05:50:00 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJynCBP7wwDZH1xqFWloZt8Uompr3M4kPBIZuWFD/CnBxZ5ZABGIHqQkyfWTprS8CNZDzToe
X-Received: by 2002:a92:dd82:: with SMTP id g2mr5222991iln.279.1628945400370;
        Sat, 14 Aug 2021 05:50:00 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1628945400; cv=none;
        d=google.com; s=arc-20160816;
        b=depOCJcEQ0q30cR1D2IjXBi4ZJehvU2OOI9oNe/kEsZWoTBLe6s1vLpQxwMZmY+8t1
         ZR5KB9+LWXCekcVsj8IWjQfcvwSaVeVCMXIDje84xaDXQy7VIZuXidg+OTOaJEtbl0b/
         p7bqGsPfXyjbXW7SvQsKpWcdFHlu/gT1+crQ4oVnanvZtad8xgfzxQrldfspumnwNDG3
         Taee+s6hr0M7InLIQwBWZR6F9Y7y7hRrSM9d9DQJ8lztGGoksQL78T+8arlvVS+cdF+I
         pVDFckZ2m7cs2Q/TlPAIOil8OcOyPpt8fEmHVD/+xc/memLtZbLJYTPQT+onXwAD9r0t
         LFnw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:date:cc:to:from:subject
         :message-id:dkim-signature:dkim-signature;
        bh=9o+LPGNTOI9iNqDJqxJEjh4wlxL4fb3oXVgIXOLngoY=;
        b=wqCy6t6xl0+7A2fSKoX9Axi5vHb9DEUlUmZaRhohN5SB9gyxSld8ULTafgHKUiZywk
         27M5ZGHfGpdo0H9mmApC69x9ob0ENd1fCBVxTVy4dsK3js3UwopIaF5f8K77KX8634yw
         yvxGlHxXi/LcRyPsHsaxHbNt90yso9CSPWyiRdbwdnmwe+6YEEWnFEKuAJFJasKTn3Kq
         chpbus260yKUoJMNaWgtFtbRfMwwujlRIXVV3ZZsLm4C9VnqcWE556Xpobk8ww7ZJcg5
         9lrdcSy76BOwGRpYSELWiPqFup8YGLZoVuW/qWj2Btmi0803QA0KOnN0b4369jciho1l
         Lkvw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@hansenpartnership.com header.s=20151216 header.b=kYYINPBs;
       dkim=pass header.i=@hansenpartnership.com header.s=20151216 header.b=kYYINPBs;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id v16si5111112jas.2.2021.08.14.05.49.49;
        Sat, 14 Aug 2021 05:50:00 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@hansenpartnership.com header.s=20151216 header.b=kYYINPBs;
       dkim=pass header.i=@hansenpartnership.com header.s=20151216 header.b=kYYINPBs;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S238358AbhHNMsY (ORCPT <rfc822;liu198754@gmail.com> + 99 others);
        Sat, 14 Aug 2021 08:48:24 -0400
Received: from bedivere.hansenpartnership.com ([96.44.175.130]:50244 "EHLO
        bedivere.hansenpartnership.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S229549AbhHNMsY (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 14 Aug 2021 08:48:24 -0400
Received: from localhost (localhost [127.0.0.1])
        by bedivere.hansenpartnership.com (Postfix) with ESMTP id EAA90128067B;
        Sat, 14 Aug 2021 05:47:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
        d=hansenpartnership.com; s=20151216; t=1628945275;
        bh=cgxV7bbPSYfAgzY/AlYMwaADsA0E6EehSBVR1UqWY54=;
        h=Message-ID:Subject:From:To:Date:In-Reply-To:References:From;
        b=kYYINPBsn2p5SInQ7cRu3c5BSttcJyasn4XJ6onLp7ytPLo0g7pmZW3gCt5pufpYl
         NJwjQ+56IFvUS9vCY/2zILEyhTfrSlegyHPVAG5R/wSTudZWKKAHbHY/nnZ9vxERKQ
         vY7545Od8uVe3mSMoU874VMPvmTRjKRPk9/tymCE=
Received: from bedivere.hansenpartnership.com ([127.0.0.1])
        by localhost (bedivere.hansenpartnership.com [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id BO_pKxiRKFGy; Sat, 14 Aug 2021 05:47:55 -0700 (PDT)
Received: from [172.20.3.52] (unknown [216.54.114.90])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by bedivere.hansenpartnership.com (Postfix) with ESMTPSA id 31E0E1280658;
        Sat, 14 Aug 2021 05:47:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
        d=hansenpartnership.com; s=20151216; t=1628945275;
        bh=cgxV7bbPSYfAgzY/AlYMwaADsA0E6EehSBVR1UqWY54=;
        h=Message-ID:Subject:From:To:Date:In-Reply-To:References:From;
        b=kYYINPBsn2p5SInQ7cRu3c5BSttcJyasn4XJ6onLp7ytPLo0g7pmZW3gCt5pufpYl
         NJwjQ+56IFvUS9vCY/2zILEyhTfrSlegyHPVAG5R/wSTudZWKKAHbHY/nnZ9vxERKQ
         vY7545Od8uVe3mSMoU874VMPvmTRjKRPk9/tymCE=
Message-ID: <b86ec24317e4a07901ee5d981d9bcf580c8fd2eb.camel@HansenPartnership.com>
Subject: Re: [PATCH 0/1] ima: check control characters in policy path
From:   James Bottomley <James.Bottomley@HansenPartnership.com>
To:     Tianxing Zhang <anakinzhang96@gmail.com>, zohar@linux.ibm.com
Cc:     linux-integrity@vger.kernel.org,
        linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Date:   Sat, 14 Aug 2021 08:47:53 -0400
In-Reply-To: <20210814081356.293-1-anakinzhang96@gmail.com>
References: <20210814081356.293-1-anakinzhang96@gmail.com>
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.34.4 
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, 2021-08-14 at 16:13 +0800, Tianxing Zhang wrote:
> Hi,
> 
> IMA policy can be updated with /sys/kernel/security/ima/policy
> interface when CONFIG_IMA_WRITE_POLICY is set. However, kernel does
> not check the file path carefully. It only checks if the path has '/'
> prefix.
> 
> When a policy file path contains control characters like '\r' or
> '\b', invalid error messages can be printed to overwrite system
> messages.

This doesn't sound like a good idea: filesystems accept control
characters in names, so the IMA file policy has to be able to specify
them.  We can debate whether filesystems should do this, but while they
do IMA has to as well.

> For example:
> 
> $ echo -e "/\rtest invalid path: ddddddddddddddddddddd" >
> /sys/kernel/security/ima/policy
> $ dmesg
> test invalid path: ddddddddddddddddddddd (-2) 
> 
> After adding this patch, we'll be able to throw out error message:
> 
> $ echo -e "/\rtest invalid path: ddddddddddddddddddddd" >
> /sys/kernel/security/ima/policy
> -bash: echo: write error: Invalid argument
> $ dmesg
> [   11.684004] ima: invalid path (control characters are not allowed)
> [   11.684071] ima: policy update failed
> 
> Any suggestions would be appreciated, thank you.

I don't quite understand what you think the problem is.  Only root can
write IMA policies so no-one other than a legitimate administrator can
use bogus paths like the above.  If the problem is producing a bogus
log message, we do have several IMA messages that print out
measured/appraised file names ... they would be vulnerable to this
since a generic user could have created them with control character
containg file names, and your proposed patch wouldn't fix that.

Wouldn't a better solution be to have a file name print that expands
the unprintable characters?

James