| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 23 May 2008 16:30:32 -0700
From: Randy Dunlap <randy.dunlap@...cle.com>
To: Mimi Zohar <zohar@...ux.vnet.ibm.com>
Cc: linux-kernel@...r.kernel.org, safford@...son.ibm.com,
serue@...ux.vnet.ibm.com, sailer@...son.ibm.com, zohar@...ibm.com,
Stephen Smalley <sds@...ho.nsa.gov>,
CaseySchaufler <casey@...aufler-ca.com>
Subject: Re: [RFC][PATCH 4/5]integrity: Linux Integrity Module(LIM)
On Fri, 23 May 2008 11:05:33 -0400 Mimi Zohar wrote:
> ---
> Index: linux-2.6.26-rc3-git2/security/integrity/integrity.c
> ===================================================================
> --- /dev/null
> +++ linux-2.6.26-rc3-git2/security/integrity/integrity.c
> @@ -0,0 +1,259 @@
> +/**
> + * register_template
Needs short function description.
> + * @template_name: a pointer to a string containing the template name.
> + * @template_ops: a pointer to the template functions
> + *
> + * Register a set of functions to collect, appraise, store, and display
> + * a template measurement, and a means to decide whether to do them.
> + * Unlike integrity modules, any number of templates may be registered.
> + */
> +int register_template(char *template_name,
> + struct template_operations *template_ops)
> +{
> + int template_len;
> + struct template_list_entry *entry;
> +
> + if (!template_initialized++) {
> + INIT_LIST_HEAD(&integrity_templates);
> + mutex_init(&integrity_templates_mutex);
> + }
> +
> + entry = kmalloc(sizeof(*entry), GFP_ATOMIC);
> + INIT_LIST_HEAD(&entry->template);
> +
> + template_len = strlen(template_name);
> + if (template_len > TEMPLATE_NAME_LEN_MAX)
> + template_len = TEMPLATE_NAME_LEN_MAX;
> + memcpy(entry->template_name, template_name, template_len);
> + entry->template_name[template_len] = '\0';
> + entry->template_ops = template_ops;
> +
> + mutex_lock(&integrity_templates_mutex);
> + list_add_rcu(&entry->template, &integrity_templates);
> + mutex_unlock(&integrity_templates_mutex);
> + synchronize_rcu();
> +
> + return 0;
> +}
> +EXPORT_SYMBOL_GPL(register_template);
> +
> +/**
> + * unregister_template
ditto.
> + * @template_name: a pointer to a string containing the template name.
> + *
> + * Unregister the template functions
> + */
> +int unregister_template(char *template_name)
> +{
> + struct template_list_entry *entry;
> +
> + mutex_lock(&integrity_templates_mutex);
> + list_for_each_entry(entry, &integrity_templates, template) {
> + if (strncmp(entry->template_name, template_name,
> + strlen(entry->template_name)) == 0) {
> + list_del_rcu(&entry->template);
> + mutex_unlock(&integrity_templates_mutex);
> + synchronize_rcu();
> + kfree(entry);
> + return 0;
> + }
> + }
> + mutex_unlock(&integrity_templates_mutex);
> + return -EINVAL;
> +}
> +EXPORT_SYMBOL_GPL(unregister_template);
> +
> +/**
> + * integrity_find_template
ditto.
> + * @template_name: a pointer to a string containing the template name.
> + * @template_ops: a pointer to the template functions
> + *
> + * Find the template functions based on the template name.
> + */
> +int integrity_find_template(char *template_name,
> + struct template_operations **template_ops)
> +{
> + struct template_list_entry *entry;
> +
> + rcu_read_lock();
> + list_for_each_entry_rcu(entry, &integrity_templates, template) {
> + if (strncmp(entry->template_name, template_name,
> + strlen(entry->template_name)) == 0) {
> + *template_ops = entry->template_ops;
> + rcu_read_unlock();
> + return 0;
> + }
> + }
> + rcu_read_unlock();
> + return 1;
> +}
> +EXPORT_SYMBOL_GPL(integrity_find_template);
> +
> +/* Integrity template API */
Please add kernel-doc for exported symbols (like this one and more
below).
> +int integrity_collect_measurement(char *template_name, void *data)
> +{
> + struct template_operations *template_ops;
> +
> + if (integrity_find_template(template_name, &template_ops) == 0)
> + template_ops->collect_measurement(data);
> + return 0;
> +}
> +EXPORT_SYMBOL_GPL(integrity_collect_measurement);
> +
> +int integrity_appraise_measurement(char *template_name, void *data)
> +{
> + struct template_operations *template_ops;
> +
> + if (integrity_find_template(template_name, &template_ops) == 0)
> + return template_ops->appraise_measurement(data);
> + return 1;
> +}
> +EXPORT_SYMBOL_GPL(integrity_appraise_measurement);
> +
> +void integrity_store_measurement(char *template_name, void *data)
> +{
> + struct template_operations *template_ops;
> +
> + if (integrity_find_template(template_name, &template_ops) == 0)
> + template_ops->store_measurement(data);
> + return;
> +}
> +EXPORT_SYMBOL_GPL(integrity_store_measurement);
> +
> +int integrity_must_measure(char *template_name, void *data)
> +{
> + struct template_operations *template_ops;
> +
> + if (integrity_find_template(template_name, &template_ops) == 0)
> + return template_ops->must_measure(data);
> + return 1;
> +}
> +EXPORT_SYMBOL_GPL(integrity_must_measure);
> +
> +/* Integrity Hooks */
> +int integrity_bprm_check(struct linux_binprm *bprm)
> +{
> + return integrity_ops->bprm_check_integrity(bprm);
> +}
> +
> +int integrity_inode_setxattr(struct dentry *dentry, const char *name,
> + const void *value, size_t size, int flags)
> +{
> + if (unlikely(IS_PRIVATE(dentry->d_inode)))
> + return 0;
> + return integrity_ops->inode_setxattr(dentry, name, value, size, flags);
> +}
> +
> +void integrity_inode_post_setxattr(struct dentry *dentry, const char *name)
> +{
> + if (unlikely(IS_PRIVATE(dentry->d_inode)))
> + return;
> + integrity_ops->inode_post_setxattr(dentry, name);
> +}
> +
> +int integrity_inode_alloc(struct inode *inode)
> +{
> + return integrity_ops->inode_alloc_integrity(inode);
> +}
> +
> +void integrity_inode_free(struct inode *inode)
> +{
> + integrity_ops->inode_free_integrity(inode);
> +}
> +
> +int integrity_inode_permission(struct inode *inode, int mask,
> + struct nameidata *nd)
> +{
> + return integrity_ops->inode_permission(inode, mask, nd);
> +}
> +
> +void integrity_inode_init_integrity(struct inode *inode, struct inode *dir,
> + char **name, void **value, size_t *len)
> +{
> + if (unlikely(IS_PRIVATE(inode)))
> + return;
> + integrity_ops->inode_init_integrity(inode, dir, name, value, len);
> + return;
> +}
> +EXPORT_SYMBOL(integrity_inode_init_integrity);
> +
> +void integrity_file_free(struct file *file)
> +{
> + integrity_ops->file_free_integrity(file);
> +}
> +
> +int integrity_file_mmap(struct file *file, unsigned long reqprot,
> + unsigned long prot, unsigned long flags,
> + unsigned long addr, unsigned long addr_only)
> +{
> + return integrity_ops->file_mmap(file, reqprot, prot, flags, addr,
> + addr_only);
> +}
> +
> +void integrity_d_instantiate(struct dentry *dentry, struct inode *inode)
> +{
> + if (unlikely(inode && IS_PRIVATE(inode)))
> + return;
> + integrity_ops->d_instantiate(dentry, inode);
> +}
> Index: linux-2.6.26-rc3-git2/Documentation/kernel-parameters.txt
> ===================================================================
> --- linux-2.6.26-rc3-git2.orig/Documentation/kernel-parameters.txt
> +++ linux-2.6.26-rc3-git2/Documentation/kernel-parameters.txt
> @@ -821,6 +821,11 @@ and is between 256 and 4096 characters.
> inport.irq= [HW] Inport (ATI XL and Microsoft) busmouse driver
> Format: <irq>
>
> + integrity_audit= [INTEGRITY]
Where is the INTEGRITY tag defined?
> + Format: { "0" | "1" }
> + 0 -- disable integrity auditing messages.
> + 1 -- enable integrity auditing messages. (Default)
> +
> inttest= [IA64]
>
> iommu= [x86]
> Index: linux-2.6.26-rc3-git2/security/integrity/integrity_policy.c
> ===================================================================
> --- /dev/null
> +++ linux-2.6.26-rc3-git2/security/integrity/integrity_policy.c
> @@ -0,0 +1,204 @@
> +
> +/**
> + * integrity_measure_rules - determine whether an inode matches the given rule.
> + * @rule - a pointer to a rule
> + * @inode - a pointer to an inode
> + * @func - LIM hook identifier
> + * @mask - requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
kernel-doc notation for parameters is (e.g.)
* @rule: a pointer to a rule
> + *
> + * Returns 1 on rule match, 0 on failure.
> + */
> +static int integrity_measure_rules(struct integrity_measure_rule_entry *rule,
> + struct inode *inode, enum lim_hooks func,
> + int mask)
> +{
> + int result = 1;
> +
> + if (result && (rule->func != 0)) {
> + if (rule->func != func)
> + result = 0;
> + }
> + if (result && (rule->mask != 0)) {
> + if (rule->mask != mask)
> + result = 0;
> + }
> + if (result && rule->lsm_subj_rule) {
> + struct task_struct *tsk = current;
> + u32 sid;
> +
> + security_task_getsecid(tsk, &sid);
> + result = security_filter_rule_match(sid, AUDIT_SUBJ_USER,
> + AUDIT_EQUAL,
> + rule->lsm_subj_rule, NULL);
> + }
> + if (result && rule->lsm_obj_rule) {
> + u32 osid;
> +
> + security_inode_getsecid(inode, &osid);
> + result = security_filter_rule_match(osid, AUDIT_OBJ_USER,
> + AUDIT_EQUAL,
> + rule->lsm_obj_rule, NULL);
> + }
> + return result;
> +}
> +
> +/**
> + * integrity_measure_policy - base measure decision on: subj, obj, LIM hook,
> + * and mask
One line for short description.
* @inode: pointer to an inode
> + * @inode - pointer to an inode
> + * @func - LIM hook identifier
> + * @mask - requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
> + *
> + * Returns 1 on rule match, 0 on failure.
> + */
> +int integrity_measure_policy(struct inode *inode, enum lim_hooks func, int mask)
> +{
> + struct integrity_measure_rule_entry *entry;
> + int rc = 0;
> +
> + rcu_read_lock();
> + list_for_each_entry_rcu(entry, integrity_measure, list) {
> + rc = integrity_measure_rules(entry, inode, func, mask);
> + if (rc) {
> + rcu_read_unlock();
> + return rc;
> + }
> + }
> + rcu_read_unlock();
> + return rc;
> +}
> +
> +
> +
> +/**
> + * integrity_measure_rule_add - add integrity measure rules
> + * @subj - pointer to an LSM subject value
* @subj: etc etc etc
> + * @obj - pointer to an LSM object value
> + * @func - LIM hook identifier
> + * @mask - requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
> + *
> + * Returns 0 on success, an error code on failure.
> + */
> +int integrity_measure_rule_add(char *subj, char *obj, char *func, char *mask)
> +{
> + struct integrity_measure_rule_entry *entry;
> + int result = 0;
> +
> + /* Prevent installed policy from changing */
> + if (integrity_measure != &measure_default_rules) {
> + integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL,
> + NULL, "policy_update", "already exists", 1);
> + return -EACCES;
> + }
> +
> + entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
> + INIT_LIST_HEAD(&entry->list);
> + if (!result && subj)
> + result = security_filter_rule_init(AUDIT_SUBJ_USER, AUDIT_EQUAL,
> + subj, &entry->lsm_subj_rule);
> + if (!result && obj)
> + result = security_filter_rule_init(AUDIT_OBJ_USER, AUDIT_EQUAL,
> + obj, &entry->lsm_obj_rule);
> + if (!result && func) {
> + if (strcmp(func, "INODE_PERMISSION") == 0)
> + entry->func = INODE_PERMISSION;
> + else if (strcmp(func, "FILE_MMAP") == 0)
> + entry->func = FILE_MMAP;
> + else if (strcmp(func, "BPRM_CHECK") == 0)
> + entry->func = BPRM_CHECK;
> + else
> + result = -EINVAL;
> + }
> + if (!result && mask) {
> + if (strcmp(mask, "MAY_EXEC") == 0)
> + entry->mask = MAY_EXEC;
> + else if (strcmp(mask, "MAY_WRITE") == 0)
> + entry->mask = MAY_WRITE;
> + else if (strcmp(mask, "MAY_READ") == 0)
> + entry->mask = MAY_READ;
> + else if (strcmp(mask, "MAY_APPEND") == 0)
> + entry->mask = MAY_APPEND;
> + else
> + result = -EINVAL;
> + }
> + if (!result) {
> + mutex_lock(&integrity_measure_mutex);
> + list_add_tail(&entry->list, &measure_policy_rules);
> + mutex_unlock(&integrity_measure_mutex);
> + }
> + return result;
> +}
---
~Randy
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists