[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <c3bb1069-c732-d3cf-0dde-7a83b3f31871@schaufler-ca.com>
Date: Fri, 5 Mar 2021 09:30:51 -0800
From: Casey Schaufler <casey@...aufler-ca.com>
To: Roberto Sassu <roberto.sassu@...wei.com>, zohar@...ux.ibm.com,
mjg59@...gle.com
Cc: linux-integrity@...r.kernel.org,
linux-security-module@...r.kernel.org,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
Casey Schaufler <casey@...aufler-ca.com>
Subject: Re: [PATCH v4 04/11] ima: Move ima_reset_appraise_flags() call to
post hooks
On 3/5/2021 7:19 AM, Roberto Sassu wrote:
> ima_inode_setxattr() and ima_inode_removexattr() hooks are called before an
> operation is performed. Thus, ima_reset_appraise_flags() should not be
> called there, as flags might be unnecessarily reset if the operation is
> denied.
>
> This patch introduces the post hooks ima_inode_post_setxattr() and
> ima_inode_post_removexattr(), and adds the call to
> ima_reset_appraise_flags() in the new functions.
I don't see anything wrong with this patch in light of the way
IMA and EVM have been treated to date.
However ...
The special casing of IMA and EVM in security.c is getting out of
hand, and appears to be unnecessary. By my count there are 9 IMA
hooks and 5 EVM hooks that have been hard coded. Adding this IMA
hook makes 10. It would be really easy to register IMA and EVM as
security modules. That would remove the dependency they currently
have on security sub-system approval for changes like this one.
I know there has been resistance to "IMA as an LSM" in the past,
but it's pretty hard to see how it wouldn't be a win.
Short of that ...
Many of the places where IMA is invoked immediately invoke EVM
as well. Instead of:
ima_do_stuff(x, y, z);
evm_do_stuff(x, y, z);
how about
integrity_do_stuff(x, y, z);
>
> Cc: Casey Schaufler <casey@...aufler-ca.com>
> Signed-off-by: Roberto Sassu <roberto.sassu@...wei.com>
> ---
> fs/xattr.c | 2 ++
> include/linux/ima.h | 18 ++++++++++++++++++
> security/integrity/ima/ima_appraise.c | 25 ++++++++++++++++++++++---
> security/security.c | 1 +
> 4 files changed, 43 insertions(+), 3 deletions(-)
>
> diff --git a/fs/xattr.c b/fs/xattr.c
> index b3444e06cded..81847f132d26 100644
> --- a/fs/xattr.c
> +++ b/fs/xattr.c
> @@ -16,6 +16,7 @@
> #include <linux/namei.h>
> #include <linux/security.h>
> #include <linux/evm.h>
> +#include <linux/ima.h>
> #include <linux/syscalls.h>
> #include <linux/export.h>
> #include <linux/fsnotify.h>
> @@ -502,6 +503,7 @@ __vfs_removexattr_locked(struct user_namespace *mnt_userns,
>
> if (!error) {
> fsnotify_xattr(dentry);
> + ima_inode_post_removexattr(dentry, name);
> evm_inode_post_removexattr(dentry, name);
> }
>
> diff --git a/include/linux/ima.h b/include/linux/ima.h
> index 61d5723ec303..5e059da43857 100644
> --- a/include/linux/ima.h
> +++ b/include/linux/ima.h
> @@ -171,7 +171,13 @@ extern void ima_inode_post_setattr(struct user_namespace *mnt_userns,
> struct dentry *dentry);
> extern int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
> const void *xattr_value, size_t xattr_value_len);
> +extern void ima_inode_post_setxattr(struct dentry *dentry,
> + const char *xattr_name,
> + const void *xattr_value,
> + size_t xattr_value_len);
> extern int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name);
> +extern void ima_inode_post_removexattr(struct dentry *dentry,
> + const char *xattr_name);
> #else
> static inline bool is_ima_appraise_enabled(void)
> {
> @@ -192,11 +198,23 @@ static inline int ima_inode_setxattr(struct dentry *dentry,
> return 0;
> }
>
> +static inline void ima_inode_post_setxattr(struct dentry *dentry,
> + const char *xattr_name,
> + const void *xattr_value,
> + size_t xattr_value_len)
> +{
> +}
> +
> static inline int ima_inode_removexattr(struct dentry *dentry,
> const char *xattr_name)
> {
> return 0;
> }
> +
> +static inline void ima_inode_post_removexattr(struct dentry *dentry,
> + const char *xattr_name)
> +{
> +}
> #endif /* CONFIG_IMA_APPRAISE */
>
> #if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING)
> diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
> index 565e33ff19d0..1f029e4c8d7f 100644
> --- a/security/integrity/ima/ima_appraise.c
> +++ b/security/integrity/ima/ima_appraise.c
> @@ -577,21 +577,40 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
> if (result == 1) {
> if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
> return -EINVAL;
> - ima_reset_appraise_flags(d_backing_inode(dentry),
> - xvalue->type == EVM_IMA_XATTR_DIGSIG);
> result = 0;
> }
> return result;
> }
>
> +void ima_inode_post_setxattr(struct dentry *dentry, const char *xattr_name,
> + const void *xattr_value, size_t xattr_value_len)
> +{
> + const struct evm_ima_xattr_data *xvalue = xattr_value;
> + int result;
> +
> + result = ima_protect_xattr(dentry, xattr_name, xattr_value,
> + xattr_value_len);
> + if (result == 1)
> + ima_reset_appraise_flags(d_backing_inode(dentry),
> + xvalue->type == EVM_IMA_XATTR_DIGSIG);
> +}
> +
> int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name)
> {
> int result;
>
> result = ima_protect_xattr(dentry, xattr_name, NULL, 0);
> if (result == 1) {
> - ima_reset_appraise_flags(d_backing_inode(dentry), 0);
> result = 0;
> }
> return result;
> }
> +
> +void ima_inode_post_removexattr(struct dentry *dentry, const char *xattr_name)
> +{
> + int result;
> +
> + result = ima_protect_xattr(dentry, xattr_name, NULL, 0);
> + if (result == 1)
> + ima_reset_appraise_flags(d_backing_inode(dentry), 0);
> +}
> diff --git a/security/security.c b/security/security.c
> index 5ac96b16f8fa..efb1f874dc41 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -1319,6 +1319,7 @@ void security_inode_post_setxattr(struct dentry *dentry, const char *name,
> if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
> return;
> call_void_hook(inode_post_setxattr, dentry, name, value, size, flags);
> + ima_inode_post_setxattr(dentry, name, value, size);
> evm_inode_post_setxattr(dentry, name, value, size);
> }
>
Powered by blists - more mailing lists