Message-ID: <CACYkzJ6djhtZ2GUDZgf+YO-fXTFhmH9=Mu1t+3eAOosj=1kGhw@mail.gmail.com>
Date: Fri, 7 Aug 2020 02:21:42 +0200
From: KP Singh <kpsingh@...omium.org>
To: Kees Cook <keescook@...omium.org>
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Scott Branden <scott.branden@...adcom.com>,
Mimi Zohar <zohar@...ux.ibm.com>,
Luis Chamberlain <mcgrof@...nel.org>,
Takashi Iwai <tiwai@...e.de>, Jessica Yu <jeyu@...nel.org>,
SeongJae Park <sjpark@...zon.de>, linux-efi@...r.kernel.org,
Linux Security Module list
<linux-security-module@...r.kernel.org>,
linux-integrity@...r.kernel.org, selinux@...r.kernel.org,
linux-kselftest@...r.kernel.org,
open list <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v4 09/17] LSM: Introduce kernel_post_load_data() hook

On Wed, Jul 29, 2020 at 7:59 PM Kees Cook <keescook@...omium.org> wrote:
>
> There are a few places in the kernel where LSMs would like to have
> visibility into the contents of a kernel buffer that has been loaded or
> read. While security_kernel_post_read_file() (which includes the
> buffer) exists as a pairing for security_kernel_read_file(), no such
> hook exists to pair with security_kernel_load_data().
>
> Earlier proposals for just using security_kernel_post_read_file() with a
> NULL file argument were rejected (i.e. "file" should always be valid for
> the security_..._file hooks), but it appears at least one case was
> left in the kernel during earlier refactoring. (This will be fixed in
> a subsequent patch.)
>
> Since not all cases of security_kernel_load_data() can have a single
> contiguous buffer made available to the LSM hook (e.g. kexec image
> segments are separately loaded), there needs to be a way for the LSM to
> reason about its expectations of the hook coverage. In order to handle
> this, add a "contents" argument to the "kernel_load_data" hook that
> indicates if the newly added "kernel_post_load_data" hook will be called
> with the full contents once loaded. That way, LSMs requiring full contents
> can choose to unilaterally reject "kernel_load_data" with contents=false
> (which is effectively the existing hook coverage), but when contents=true
> they can allow it and later evaluate the "kernel_post_load_data" hook
> once the buffer is loaded.
>
> With this change, LSMs can gain coverage over non-file-backed data loads
> (e.g. init_module(2) and firmware userspace helper), which will happen
> in subsequent patches.
>
> Additionally prepare IMA to start processing these cases.
>
> Signed-off-by: Kees Cook <keescook@...omium.org>

Thanks for adding this! Would be really useful for us.

Reviewed-by: KP Singh <kpsingh@...gle.com>

> ---
> drivers/base/firmware_loader/fallback.c | 2 +-
[...]
> index 5de45010fb1a..1a5c68196faf 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -4019,7 +4019,7 @@ static int selinux_kernel_read_file(struct file *file,
> return rc;
> }
>
> -static int selinux_kernel_load_data(enum kernel_load_data_id id)
> +static int selinux_kernel_load_data(enum kernel_load_data_id id, bool contents)
> {
> int rc = 0;
>
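
Review bot: in selinux_kernel_load_data(), the new `contents` argument is added to the signature but nothing in the visible lines reads it. If SELinux intends to make the same decision whether or not kernel_post_load_data will follow, a short comment in the function body saying that `contents` is deliberately ignored would make that clear to later readers, since the commit message describes contents=false as a case an LSM may want to reject.
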
> --
> 2.25.1
>
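
The contract described in the quoted commit message, modelled in userspace C as an added example (not code from the patch or the kernel): a hypothetical content-checking LSM rejects the pre-load hook when contents=false and otherwise decides in the post-load hook. The `model_*` names, the `load_id` enum, the hook parameter lists and the "OKFW" tag policy are all assumptions made for illustration.

```c
/* Userspace model of the two-hook contract; added example, not kernel code. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

enum load_id { LOAD_FIRMWARE, LOAD_MODULE, LOAD_KEXEC_IMAGE }; /* constructed */

/* Hypothetical policy: only buffers starting with this constructed tag pass. */
static const char ALLOWED_TAG[] = "OKFW";
#define TAG_LEN (sizeof(ALLOWED_TAG) - 1)

/* Models "kernel_load_data": runs before any bytes are available. */
static int model_load_data(enum load_id id, bool contents)
{
    (void)id;
    /* A content-checking LSM refuses loads whose bytes it will never see. */
    return contents ? 0 : -EACCES;
}

/* Models "kernel_post_load_data": runs once the full buffer is loaded. */
static int model_post_load_data(const char *buf, size_t size, enum load_id id)
{
    (void)id;
    if (buf == NULL || size < TAG_LEN)
        return -EACCES;
    return memcmp(buf, ALLOWED_TAG, TAG_LEN) == 0 ? 0 : -EACCES;
}

/* Models a caller: the load is allowed only if every hook returns 0. */
static int model_load(enum load_id id, const char *buf, size_t size,
                      bool contiguous)
{
    int rc = model_load_data(id, contiguous);

    if (rc)
        return rc;          /* rejected before anything is loaded */
    /* A real caller would copy the data into buf at this point. */
    return contiguous ? model_post_load_data(buf, size, id) : 0;
}

int main(void)
{
    /* Constructed inputs: tagged blob, untagged blob, segmented kexec load. */
    int bad = model_load(LOAD_FIRMWARE, "OKFWblob", 8, true) != 0;
    bad |= model_load(LOAD_MODULE, "XXXXblob", 8, true) != -EACCES;
    bad |= model_load(LOAD_KEXEC_IMAGE, NULL, 0, false) != -EACCES;
    return bad;
}
```
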