Received: by 2002:ab2:710b:0:b0:1ef:a325:1205 with SMTP id z11csp466246lql; Mon, 11 Mar 2024 07:59:04 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCXHn/Wfa4QmwJ4eq2r/jQeifRu6Rb27JBoT77sfuU3/lYzeNyyT4ypkmoc5Baq9v5HdA7RLuyxWy20d6zowJDWtLh0rjbruRN6QiIow4A== X-Google-Smtp-Source: AGHT+IHoRCbx6c7Ah94wnXHbtYtx+wUAotz6bkmJu4jidvAGZF8ZO0L65E5wUoX+vuFTrvPkzUSc X-Received: by 2002:a05:6870:b24d:b0:221:7a96:9ca2 with SMTP id b13-20020a056870b24d00b002217a969ca2mr7872167oam.32.1710169144462; Mon, 11 Mar 2024 07:59:04 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1710169144; cv=pass; d=google.com; s=arc-20160816; b=K752OygOrB8VnVBQi8uPbs7G4mFPPGetqitiSOGQQzSzvvSRDObUCoDq6yjvkJYSYK Va6ztagshdMVHI/mG5JCBk8GsdahtcE3onseQAnpDl8gW/6qQuKglRsyegHtJp2m9CEj 5ZnMshjj8vUpnlHluo42apWCP9Budj1W4LbRNIiwnYkrHxbl9HQYRAQR2GtonIwRVDkT BEm/rYhAXZGWfZ6PB6GCcoDXJi/kv69DD0fvi6xBRDNY5cPGnxpX/fhXI00e7NtlcSoO dHLoEWhwoxsywmC0eoDkDSRJowKh9OInG7bkc9fW2m4IyBI/S8O0maltw1oErjW6Ul0p lR/Q== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=mime-version:list-unsubscribe:list-subscribe:list-id:precedence :user-agent:content-transfer-encoding:references:in-reply-to:date:cc :to:from:subject:message-id; bh=wv4nj91T4qQrBDQ0yXfGUh4H+RBa5s8/0jeGGRBXCjw=; fh=lbCu/km91g2cnw0DV3E0PybnKAtvqMuFoVPU9Haj6mc=; b=Wy5lqlHX178igXFDttTFDuWjT1BP5gWo2iysHQ4OhUCNR0ZhyL5F8qWzc1JGXg87Dg Z2Mw/baUUFs1EiwPV9anpu2n/uduxE1U6iWMTQIQoocDvuAdMn9M0rjvvoLJdDEnO+iP /owXa3lysi3fjoxM/0lMsCxwPpXzkwgL/LchsltftqiFjJH+k2qQmUSEcizRVlMtjdgU cPLidBU2zu4gSCFlmnCERoFAW0cIpNBgeB0wSPSzlyBnGcy9mp5QmCEKheVkg7df5g3y ikzlHqtdYnMMCqDrNPUXP36UWn9nLh3DLekFVRkLdcETPGP451gpvT7c0/FasOet3r2G nj+A==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; arc=pass (i=1 spf=pass spfdomain=huaweicloud.com); spf=pass (google.com: domain of linux-kernel+bounces-99027-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-99027-linux.lists.archive=gmail.com@vger.kernel.org" Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [2604:1380:45d1:ec00::1]) by mx.google.com with ESMTPS id x23-20020a05620a14b700b007884fdf7f3esi5358226qkj.253.2024.03.11.07.59.04 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 11 Mar 2024 07:59:04 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-99027-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1; Authentication-Results: mx.google.com; arc=pass (i=1 spf=pass spfdomain=huaweicloud.com); spf=pass (google.com: domain of linux-kernel+bounces-99027-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-99027-linux.lists.archive=gmail.com@vger.kernel.org" Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id 253511C21592 for ; Mon, 11 Mar 2024 14:59:04 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 09F2943AC0; Mon, 11 Mar 2024 14:53:41 +0000 (UTC) Received: from frasgout12.his.huawei.com (frasgout12.his.huawei.com [14.137.139.154]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8B7C24642B; Mon, 11 Mar 2024 14:53:36 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=14.137.139.154 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1710168820; cv=none; b=p3xPzi79tAZGUR19J+R2JPoIGasK5cSd3VCMqb5isNcbdTXWb3QhXzYTj7Yi6stATvdjgqhb5uxJ8TI7TTatLOC/ceevQ88qBGgEq2CH26Izr0cUSihMAd6TwTtRC3n8H9Bws1RbBH0cxU5gnUp2NJzzkw0HVlQBOQjn5dMOaD8= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1710168820; c=relaxed/simple; bh=PMoGFhLyp3YjG8q6lz6vCYFDE3yIaeLIe7vPuylvNAw=; h=Message-ID:Subject:From:To:Cc:Date:In-Reply-To:References: Content-Type:MIME-Version; b=BsvDsDcRJ5ToRTvEgMQS+IdySl2y8Z49HtkPEx1uEywdlrWw3jy4HlusOUXhYSCk2wzOVhJ1Wpw+sRtfjuap8p+oKdUn5Xi2DP9UmnrnRjm+zP6pGJhlaH48QwLzdsfVrwpEqxBN19Sin6CCZQKAz0unT5Qs7evk7wLRO8aeBWY= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=huaweicloud.com; spf=pass smtp.mailfrom=huaweicloud.com; arc=none smtp.client-ip=14.137.139.154 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=huaweicloud.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=huaweicloud.com Received: from mail.maildlp.com (unknown [172.18.186.51]) by frasgout12.his.huawei.com (SkyGuard) with ESMTP id 4TtfQr6zsVz9xrMR; Mon, 11 Mar 2024 22:33:40 +0800 (CST) Received: from mail02.huawei.com (unknown [7.182.16.27]) by mail.maildlp.com (Postfix) with ESMTP id 4A127140496; Mon, 11 Mar 2024 22:53:23 +0800 (CST) Received: from [127.0.0.1] (unknown [10.204.63.22]) by APP2 (Coremail) with SMTP id GxC2BwBnoCTVGu9l72MbBA--.32227S2; Mon, 11 Mar 2024 15:53:22 +0100 (CET) Message-ID: Subject: Re: [RFC PATCH v14 05/19] initramfs|security: Add a security hook to do_populate_rootfs() From: Roberto Sassu To: Fan Wu , corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org, serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org, axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org, eparis@redhat.com, paul@paul-moore.com Cc: linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-block@vger.kernel.org, dm-devel@lists.linux.dev, audit@vger.kernel.org, linux-kernel@vger.kernel.org Date: Mon, 11 Mar 2024 15:53:06 +0100 In-Reply-To: <1709768084-22539-6-git-send-email-wufan@linux.microsoft.com> References: <1709768084-22539-1-git-send-email-wufan@linux.microsoft.com> <1709768084-22539-6-git-send-email-wufan@linux.microsoft.com> Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable User-Agent: Evolution 3.44.4-0ubuntu2 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-CM-TRANSID:GxC2BwBnoCTVGu9l72MbBA--.32227S2 X-Coremail-Antispam: 1UD129KBjvJXoWxurWxWFW8urW7ury3CrWDXFb_yoW5Kw4DpF Wq9F13GF4kAF47W3yvk3W7Ca1aq395K3W7JrWDu3W8tF1akrn2qr43Kryqkrs7WrW7Ca1I qF4avrW3Cw1Dt3DanT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUUk0b4IE77IF4wAFF20E14v26ryj6rWUM7CY07I20VC2zVCF04k2 6cxKx2IYs7xG6rWj6s0DM7CIcVAFz4kK6r1j6r18M28lY4IEw2IIxxk0rwA2F7IY1VAKz4 vEj48ve4kI8wA2z4x0Y4vE2Ix0cI8IcVAFwI0_Jr0_JF4l84ACjcxK6xIIjxv20xvEc7Cj xVAFwI0_Gr0_Cr1l84ACjcxK6I8E87Iv67AKxVW8JVWxJwA2z4x0Y4vEx4A2jsIEc7CjxV AFwI0_Gr0_Gr1UM2AIxVAIcxkEcVAq07x20xvEncxIr21l5I8CrVACY4xI64kE6c02F40E x7xfMcIj6xIIjxv20xvE14v26r1j6r18McIj6I8E87Iv67AKxVWUJVW8JwAm72CE4IkC6x 0Yz7v_Jr0_Gr1lF7xvr2IY64vIr41lFIxGxcIEc7CjxVA2Y2ka0xkIwI1l42xK82IYc2Ij 64vIr41l4I8I3I0E4IkC6x0Yz7v_Jr0_Gr1lx2IqxVAqx4xG67AKxVWUJVWUGwC20s026x 8GjcxK67AKxVWUGVWUWwC2zVAF1VAY17CE14v26r4a6rW5MIIYrxkI7VAKI48JMIIF0xvE 2Ix0cI8IcVAFwI0_Jr0_JF4lIxAIcVC0I7IYx2IY6xkF7I0E14v26r4j6F4UMIIF0xvE42 xK8VAvwI8IcIk0rVWrJr0_WFyUJwCI42IY6I8E87Iv67AKxVWUJVW8JwCI42IY6I8E87Iv 6xkF7I0E14v26r4j6r4UJbIYCTnIWIevJa73UjIFyTuYvjxUFDGOUUUUU X-CM-SenderInfo: purev21wro2thvvxqx5xdzvxpfor3voofrz/1tbiAgATBF1jj5c4TAAAsH On Wed, 2024-03-06 at 15:34 -0800, Fan Wu wrote: > This patch introduces a new hook to notify security system that the > content of initramfs has been unpacked into the rootfs. >=20 > Upon receiving this notification, the security system can activate > a policy to allow only files that originated from the initramfs to > execute or load into kernel during the early stages of booting. >=20 > This approach is crucial for minimizing the attack surface by > ensuring that only trusted files from the initramfs are operational > in the critical boot phase. >=20 > Signed-off-by: Fan Wu >=20 > --- > v1-v11: > + Not present >=20 > v12: > + Introduced >=20 > v13: > + Rename the hook name to initramfs_populated() >=20 > v14: > + No changes > --- > include/linux/lsm_hook_defs.h | 2 ++ > include/linux/security.h | 8 ++++++++ > init/initramfs.c | 3 +++ > security/security.c | 10 ++++++++++ > 4 files changed, 23 insertions(+) >=20 > diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.= h > index 76458b6d53da..e0f50789a18f 100644 > --- a/include/linux/lsm_hook_defs.h > +++ b/include/linux/lsm_hook_defs.h > @@ -425,3 +425,5 @@ LSM_HOOK(int, 0, uring_override_creds, const struct c= red *new) > LSM_HOOK(int, 0, uring_sqpoll, void) > LSM_HOOK(int, 0, uring_cmd, struct io_uring_cmd *ioucmd) > #endif /* CONFIG_IO_URING */ > + > +LSM_HOOK(void, LSM_RET_VOID, initramfs_populated, void) I don't know, but why there is no super_block as parameter? And, wouldn't be better to rely on existing hooks to identify inodes in the initial ram disk? (gdb) p *file->f_path.dentry->d_inode->i_sb->s_type $3 =3D {name =3D 0xffffffff826058a9 "rootfs" That could also help if you want to enforce action based on the filesystem name (and why not on the UUID too). Roberto > diff --git a/include/linux/security.h b/include/linux/security.h > index d0eb20f90b26..619e17e59532 100644 > --- a/include/linux/security.h > +++ b/include/linux/security.h > @@ -2167,4 +2167,12 @@ static inline int security_uring_cmd(struct io_uri= ng_cmd *ioucmd) > #endif /* CONFIG_SECURITY */ > #endif /* CONFIG_IO_URING */ > =20 > +#ifdef CONFIG_SECURITY > +extern void security_initramfs_populated(void); > +#else > +static inline void security_initramfs_populated(void) > +{ > +} > +#endif /* CONFIG_SECURITY */ > + > #endif /* ! __LINUX_SECURITY_H */ > diff --git a/init/initramfs.c b/init/initramfs.c > index 76deb48c38cb..140619a583ff 100644 > --- a/init/initramfs.c > +++ b/init/initramfs.c > @@ -18,6 +18,7 @@ > #include > #include > #include > +#include > =20 > static __initdata bool csum_present; > static __initdata u32 io_csum; > @@ -720,6 +721,8 @@ static void __init do_populate_rootfs(void *unused, a= sync_cookie_t cookie) > #endif > } > =20 > + security_initramfs_populated(); > + > done: > /* > * If the initrd region is overlapped with crashkernel reserved region, > diff --git a/security/security.c b/security/security.c > index f168bc30a60d..26c28db211fd 100644 > --- a/security/security.c > +++ b/security/security.c > @@ -5619,3 +5619,13 @@ int security_uring_cmd(struct io_uring_cmd *ioucmd= ) > return call_int_hook(uring_cmd, 0, ioucmd); > } > #endif /* CONFIG_IO_URING */ > + > +/** > + * security_initramfs_populated() - Notify LSMs that initramfs has been = loaded > + * > + * Tells the LSMs the initramfs has been unpacked into the rootfs. > + */ > +void security_initramfs_populated(void) > +{ > + call_void_hook(initramfs_populated); > +}