| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <202007281244.2F2681AE9@keescook>
Date: Tue, 28 Jul 2020 12:44:50 -0700
From: Kees Cook <keescook@...omium.org>
To: Mimi Zohar <zohar@...nel.org>
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Scott Branden <scott.branden@...adcom.com>,
Luis Chamberlain <mcgrof@...nel.org>,
Jessica Yu <jeyu@...nel.org>, SeongJae Park <sjpark@...zon.de>,
KP Singh <kpsingh@...omium.org>, linux-efi@...r.kernel.org,
linux-security-module@...r.kernel.org,
linux-integrity@...r.kernel.org, selinux@...r.kernel.org,
linux-kselftest@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3 15/19] IMA: Add support for file reads without contents
On Mon, Jul 27, 2020 at 09:23:34AM -0400, Mimi Zohar wrote:
> On Fri, 2020-07-24 at 14:36 -0700, Kees Cook wrote:
> > From: Scott Branden <scott.branden@...adcom.com>
> >
> > When the kernel_read_file LSM hook is called with contents=false, IMA
> > can appraise the file directly, without requiring a filled buffer. When
> > such a buffer is available, though, IMA can continue to use it instead
> > of forcing a double read here.
> >
> > Signed-off-by: Scott Branden <scott.branden@...adcom.com>
> > Link: https://lore.kernel.org/lkml/20200706232309.12010-10-scott.branden@broadcom.com/
> > Signed-off-by: Kees Cook <keescook@...omium.org>
>
> After adjusting the comment below.
>
> Reviewed-by: Mimi Zohar <zohar@...ux.ibm.com>
Sure!
Greg, shall I send a v4 with added Reviews and the comment change or is
that minor enough that you're able to do it?
Thanks for the reviews Mimi!
-Kees
>
> > ---
> > security/integrity/ima/ima_main.c | 22 ++++++++++++++++------
> > 1 file changed, 16 insertions(+), 6 deletions(-)
> >
> > diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> > index dc4f90660aa6..459e50526a12 100644
> > --- a/security/integrity/ima/ima_main.c
> > +++ b/security/integrity/ima/ima_main.c
> > @@ -613,11 +613,8 @@ void ima_post_path_mknod(struct dentry *dentry)
> > int ima_read_file(struct file *file, enum kernel_read_file_id read_id,
> > bool contents)
> > {
> > - /* Reject all partial reads during appraisal. */
> > - if (!contents) {
> > - if (ima_appraise & IMA_APPRAISE_ENFORCE)
> > - return -EACCES;
> > - }
> > + enum ima_hooks func;
> > + u32 secid;
> >
> > /*
> > * Do devices using pre-allocated memory run the risk of the
> > @@ -626,7 +623,20 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id,
> > * buffers? It may be desirable to include the buffer address
> > * in this API and walk all the dma_map_single() mappings to check.
> > */
> > - return 0;
> > +
> > + /*
> > + * There will be a call made to ima_post_read_file() with
> > + * a filled buffer, so we don't need to perform an extra
> > + * read early here.
> > + */
> > + if (contents)
> > + return 0;
> > +
> > + /* Read entire file for all partial reads during appraisal. */
>
> In addition to verifying the file signature, the file might be
> included in the IMA measurement list or the file hash may be used to
> augment the audit record. Please remove "during appraisal" from the
> comment.
>
> > + func = read_idmap[read_id] ?: FILE_CHECK;
> > + security_task_getsecid(current, &secid);
> > + return process_measurement(file, current_cred(), secid, NULL,
> > + 0, MAY_READ, func);
> > }
> >
> > const int read_idmap[READING_MAX_ID] = {
>
--
Kees Cook
Powered by blists - more mailing lists