| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 30 Jun 2008 20:43:20 +1000 (EST)
From: James Morris <jmorris@...ei.org>
To: Mimi Zohar <zohar@...ux.vnet.ibm.com>
cc: linux-kernel@...r.kernel.org,
David Safford <safford@...son.ibm.com>,
Serge Hallyn <serue@...ux.vnet.ibm.com>,
Reiner Sailer <sailer@...ibm.com>,
Mimi Zohar <zohar@...ibm.com>
Subject: Re: [RFC][PATCH 4/5] integrity: Linux Integrity Module(LIM)
On Fri, 27 Jun 2008, Mimi Zohar wrote:
> +const struct integrity_operations *integrity_ops = NULL;
This will be initialized to zero anyway.
> +
> + if (!template_initialized++)
> + INIT_LIST_HEAD(&integrity_templates);
Why not just intialize this at compile time with LIST_HEAD ?
> + template_len = strlen(template_name);
> + if (template_len > TEMPLATE_NAME_LEN_MAX)
> + template_len = TEMPLATE_NAME_LEN_MAX;
> + memcpy(entry->template_name, template_name, template_len);
> + entry->template_name[template_len] = '\0';
Perhaps this would be simpler if you just bail with -EINVAL if the length
is too great. Then you can use strcpy and don't need to nul termiate the
string for the caller.
> + rc = integrity_find_template(template_name, &template_ops);
> + if (rc == 0) {
> + rc = template_ops->collect_measurement(data);
> + rcu_read_unlock();
> + return rc;
> + }
> + rcu_read_unlock();
> + return -EINVAL;
> +}
If you give integrity_find_template() a standard form of returning 0 on
success and -errno on failure, you can simplify the above quite a lot to
have one unlock and one return.
> + int rc;
> +
> + rcu_read_lock();
> + rc = integrity_find_template(template_name, &template_ops);
> + if (rc == 0) {
> + rc = template_ops->appraise_measurement(data);
> + rcu_read_unlock();
> + return rc;
> + }
> + rcu_read_unlock();
> + return -EINVAL;
> +}
Ditto.
> +
> +EXPORT_SYMBOL_GPL(integrity_appraise_measurement);
> +
> +/**
> + * integrity_store_measurement - store template specific measurement
> + * @template_name: a pointer to a string containing the template name.
> + * @data: pointer to template specific data
> + *
> + * Store template specific integrity measurement.
> + */
> +void integrity_store_measurement(const char *template_name, void *data)
> +{
> + const struct template_operations *template_ops;
> + int rc;
> +
> + rcu_read_lock();
> + rc = integrity_find_template(template_name, &template_ops);
> + if (rc == 0)
> + template_ops->store_measurement(data);
> + rcu_read_unlock();
> + return;
> +}
So, the caller does not get an error if they supply an invalid template
name? That sounds like a bug which they need to know about.
> +/**
> + * integrity_must_measure - measure decision based on template policy
> + * @template_name: a pointer to a string containing the template name.
> + * @data: pointer to template specific data
> + *
> + * Returns 0 on success, an error code on failure.
> + */
> +int integrity_must_measure(const char *template_name, void *data)
> +{
> + const struct template_operations *template_ops;
> + int rc;
> +
> + rcu_read_lock();
> + rc = integrity_find_template(template_name, &template_ops);
> + if (rc == 0) {
> + rc = template_ops->must_measure(data);
> + rcu_read_unlock();
> + return rc;
> + }
> + rcu_read_unlock();
> + return -EINVAL;
> +}
Do a single unlock and return.
> +/* Hook used to measure executable file integrity. */
> +int integrity_bprm_check(struct linux_binprm *bprm)
> +{
> + int rc = 0;
> +
> + if (integrity_ops && integrity_ops->bprm_check_integrity)
> + rc = integrity_ops->bprm_check_integrity(bprm);
> + return rc;
> +}
Have you considered using a set of dummy ops similar to LSM, so that
integrity_ops->whatever will always point to something and can be
unconditionally called? (see security_fixup_ops()).
- James
--
James Morris
<jmorris@...ei.org>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists