lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20220114144515.vbler7ae3jqebhec@wittgenstein>
Date:   Fri, 14 Jan 2022 15:45:15 +0100
From:   Christian Brauner <brauner@...nel.org>
To:     Stefan Berger <stefanb@...ux.vnet.ibm.com>
Cc:     linux-integrity@...r.kernel.org, zohar@...ux.ibm.com,
        serge@...lyn.com, christian.brauner@...ntu.com,
        containers@...ts.linux.dev, dmitry.kasatkin@...il.com,
        ebiederm@...ssion.com, krzysztof.struczynski@...wei.com,
        roberto.sassu@...wei.com, mpeters@...hat.com, lhinds@...hat.com,
        lsturman@...hat.com, puiterwi@...hat.com, jejb@...ux.ibm.com,
        jamjoom@...ibm.com, linux-kernel@...r.kernel.org,
        paul@...l-moore.com, rgb@...hat.com,
        linux-security-module@...r.kernel.org, jmorris@...ei.org,
        Stefan Berger <stefanb@...ux.ibm.com>
Subject: Re: [PATCH v8 19/19] ima: Enable IMA namespaces

On Tue, Jan 04, 2022 at 12:04:16PM -0500, Stefan Berger wrote:
> From: Stefan Berger <stefanb@...ux.ibm.com>
> 
> Introduce the IMA_NS in Kconfig for IMA namespace enablement.
> 
> Enable the lazy initialization of an IMA namespace when a user mounts
> SecurityFS. Now a user_namespace will get a pointer to an ima_namespace
> and therefore add an implementation of get_current_ns() that returns this
> pointer.
> 
> get_current_ns() may now return a NULL pointer for as long as the IMA
> namespace hasn't been created, yet. Therefore, return early from those
> functions that may now get a NULL pointer from this call. The NULL
> pointer can typically be treated similar to not having an IMA policy set
> and simply return early from a function.
> 
> Implement ima_ns_from_file() for SecurityFS-related files where we can
> now get the IMA namespace via the user namespace pointer associated
> with the superblock of the SecurityFS filesystem instance. Since
> the functions using ima_ns_from_file() will only be called after an
> ima_namesapce has been allocated they will never get a NULL pointer
> for the ima_namespace.
> 
> Switch access to userns->ima_ns to use acquire/release semantics to ensure
> that a newly created ima_namespace structure is fully visible upon access.
> 
> Replace usage of current_user_ns() with ima_ns_from_user_ns() that
> implements a method to derive the user_namespace from the given
> ima_namespace. It leads to the same result.
> 
> Signed-off-by: Stefan Berger <stefanb@...ux.ibm.com>
> ---
>  include/linux/ima.h                 |  9 ++++++-
>  init/Kconfig                        | 13 ++++++++++
>  kernel/user_namespace.c             |  2 ++
>  security/integrity/ima/ima.h        | 35 ++++++++++++++++++++++-----
>  security/integrity/ima/ima_fs.c     | 37 ++++++++++++++++++++++-------
>  security/integrity/ima/ima_main.c   | 29 ++++++++++++++++------
>  security/integrity/ima/ima_ns.c     |  3 ++-
>  security/integrity/ima/ima_policy.c | 13 +++++-----
>  8 files changed, 112 insertions(+), 29 deletions(-)
> 
> diff --git a/include/linux/ima.h b/include/linux/ima.h
> index 5354e83d1694..7b9713b290ae 100644
> --- a/include/linux/ima.h
> +++ b/include/linux/ima.h
> @@ -11,6 +11,7 @@
>  #include <linux/fs.h>
>  #include <linux/security.h>
>  #include <linux/kexec.h>
> +#include <linux/user_namespace.h>
>  #include <crypto/hash_info.h>
>  struct linux_binprm;
>  
> @@ -71,7 +72,13 @@ static inline const char * const *arch_get_ima_policy(void)
>  static inline struct user_namespace
>  *ima_ns_to_user_ns(struct ima_namespace *ns)
>  {
> -	return current_user_ns();
> +	struct user_namespace *user_ns;
> +
> +	user_ns = current_user_ns();
> +#ifdef CONFIG_IMA_NS
> +	WARN_ON(user_ns->ima_ns != ns);
> +#endif
> +	return user_ns;
>  }
>  
>  #else
> diff --git a/init/Kconfig b/init/Kconfig
> index 4b7bac10c72d..e27155e0ddba 100644
> --- a/init/Kconfig
> +++ b/init/Kconfig
> @@ -1247,6 +1247,19 @@ config NET_NS
>  	  Allow user space to create what appear to be multiple instances
>  	  of the network stack.
>  
> +config IMA_NS
> +	bool "IMA namespace"
> +	depends on USER_NS
> +	depends on IMA
> +	default n
> +	help
> +	  Allow the creation of an IMA namespace for each user namespace.
> +	  Namespaced IMA enables having IMA features work separately
> +	  in each IMA namespace.
> +	  Currently, only the audit status flags are stored in the namespace,
> +	  which allows the same file to be audited each time it is accessed
> +	  in a new namespace.
> +
>  endif # NAMESPACES
>  
>  config CHECKPOINT_RESTORE
> diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
> index 6b2e3ca7ee99..653f8fa83b69 100644
> --- a/kernel/user_namespace.c
> +++ b/kernel/user_namespace.c
> @@ -20,6 +20,7 @@
>  #include <linux/fs_struct.h>
>  #include <linux/bsearch.h>
>  #include <linux/sort.h>
> +#include <linux/ima.h>
>  
>  static struct kmem_cache *user_ns_cachep __read_mostly;
>  static DEFINE_MUTEX(userns_state_mutex);
> @@ -196,6 +197,7 @@ static void free_user_ns(struct work_struct *work)
>  			kfree(ns->projid_map.forward);
>  			kfree(ns->projid_map.reverse);
>  		}
> +		free_ima_ns(ns);
>  		retire_userns_sysctls(ns);
>  		key_free_user_ns(ns);
>  		ns_free_inum(&ns->ns);
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index 344c8c4bd030..d993655ec796 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -509,21 +509,20 @@ struct user_namespace *ima_user_ns_from_file(const struct file *filp)
>  	return file_inode(filp)->i_sb->s_user_ns;
>  }
>  
> +#ifdef CONFIG_IMA_NS
> +
>  static inline struct ima_namespace
>  *ima_ns_from_user_ns(struct user_namespace *user_ns)
>  {
> -	if (user_ns == &init_user_ns)
> -		return &init_ima_ns;
> -	return NULL;
> +	/* Pairs with smp_store_releases() in create_ima_ns(). */
> +	return smp_load_acquire(&user_ns->ima_ns);
>  }
>  
>  static inline struct ima_namespace *get_current_ns(void)
>  {
> -	return &init_ima_ns;
> +	return ima_ns_from_user_ns(current_user_ns());
>  }
>  
> -#ifdef CONFIG_IMA_NS
> -
>  struct ima_namespace *create_ima_ns(struct user_namespace *user_ns);
>  
>  struct ns_status *ima_get_ns_status(struct ima_namespace *ns,
> @@ -532,6 +531,11 @@ struct ns_status *ima_get_ns_status(struct ima_namespace *ns,
>  
>  void ima_free_ns_status_tree(struct ima_namespace *ns);
>  
> +static inline struct ima_namespace *ima_ns_from_file(const struct file *filp)
> +{
> +	return ima_user_ns_from_file(filp)->ima_ns;
> +}
> +
>  #define IMA_NS_STATUS_ACTIONS   IMA_AUDIT
>  #define IMA_NS_STATUS_FLAGS     IMA_AUDITED
>  
> @@ -542,6 +546,20 @@ unsigned long set_iint_flags(struct integrity_iint_cache *iint,
>  
>  #else
>  
> +static inline struct ima_namespace
> +*ima_ns_from_user_ns(struct user_namespace *user_ns)
> +{
> +	if (user_ns == &init_user_ns)
> +		return &init_ima_ns;
> +	return NULL;
> +}
> +
> +
> +static inline struct ima_namespace *get_current_ns(void)
> +{
> +	return &init_ima_ns;
> +}
> +
>  static inline struct ima_namespace *
>  create_ima_ns(struct user_namespace *user_ns)
>  {
> @@ -572,6 +590,11 @@ static inline unsigned long set_iint_flags(struct integrity_iint_cache *iint,
>  	return flags;
>  }
>  
> +static inline struct ima_namespace *ima_ns_from_file(const struct file *filp)
> +{
> +	return &init_ima_ns;
> +}
> +
>  #endif /* CONFIG_IMA_NS */
>  
>  #endif /* __LINUX_IMA_H */
> diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
> index 468508f6a7e8..ee3af81d1c3e 100644
> --- a/security/integrity/ima/ima_fs.c
> +++ b/security/integrity/ima/ima_fs.c
> @@ -49,7 +49,7 @@ static ssize_t ima_show_htable_violations(struct file *filp,
>  					  char __user *buf,
>  					  size_t count, loff_t *ppos)
>  {
> -	struct ima_namespace *ns = &init_ima_ns;
> +	struct ima_namespace *ns = ima_ns_from_file(filp);
>  
>  	return ima_show_htable_value(buf, count, ppos,
>  				     &ns->ima_htable.violations);
> @@ -64,7 +64,7 @@ static ssize_t ima_show_measurements_count(struct file *filp,
>  					   char __user *buf,
>  					   size_t count, loff_t *ppos)
>  {
> -	struct ima_namespace *ns = &init_ima_ns;
> +	struct ima_namespace *ns = ima_ns_from_file(filp);
>  
>  	return ima_show_htable_value(buf, count, ppos, &ns->ima_htable.len);
>  }
> @@ -77,7 +77,7 @@ static const struct file_operations ima_measurements_count_ops = {
>  /* returns pointer to hlist_node */
>  static void *ima_measurements_start(struct seq_file *m, loff_t *pos)
>  {
> -	struct ima_namespace *ns = &init_ima_ns;
> +	struct ima_namespace *ns = ima_ns_from_file(m->file);
>  	loff_t l = *pos;
>  	struct ima_queue_entry *qe;
>  
> @@ -95,7 +95,7 @@ static void *ima_measurements_start(struct seq_file *m, loff_t *pos)
>  
>  static void *ima_measurements_next(struct seq_file *m, void *v, loff_t *pos)
>  {
> -	struct ima_namespace *ns = &init_ima_ns;
> +	struct ima_namespace *ns = ima_ns_from_file(m->file);
>  	struct ima_queue_entry *qe = v;
>  
>  	/* lock protects when reading beyond last element
> @@ -317,7 +317,7 @@ static ssize_t ima_read_policy(struct ima_namespace *ns, char *path)
>  static ssize_t ima_write_policy(struct file *file, const char __user *buf,
>  				size_t datalen, loff_t *ppos)
>  {
> -	struct ima_namespace *ns = &init_ima_ns;
> +	struct ima_namespace *ns = ima_ns_from_file(file);
>  	char *data;
>  	ssize_t result;
>  
> @@ -379,7 +379,7 @@ static const struct seq_operations ima_policy_seqops = {
>  static int ima_open_policy(struct inode *inode, struct file *filp)
>  {
>  	struct user_namespace *user_ns = ima_user_ns_from_file(filp);
> -	struct ima_namespace *ns = &init_ima_ns;
> +	struct ima_namespace *ns = ima_ns_from_file(filp);
>  
>  	if (!(filp->f_flags & O_WRONLY)) {
>  #ifndef	CONFIG_IMA_READ_POLICY
> @@ -406,7 +406,7 @@ static int ima_open_policy(struct inode *inode, struct file *filp)
>   */
>  static int ima_release_policy(struct inode *inode, struct file *file)
>  {
> -	struct ima_namespace *ns = &init_ima_ns;
> +	struct ima_namespace *ns = ima_ns_from_file(file);
>  	const char *cause = ns->valid_policy ? "completed" : "failed";
>  
>  	if ((file->f_flags & O_ACCMODE) == O_RDONLY)
> @@ -459,12 +459,29 @@ int ima_fs_ns_init(struct user_namespace *user_ns, struct dentry *root)
>  	struct dentry *ascii_runtime_measurements = NULL;
>  	struct dentry *runtime_measurements_count = NULL;
>  	struct dentry *violations = NULL;
> +	bool created_ns = false;
> +
> +	/*
> +	 * While multiple superblocks can exist they are keyed by userns in
> +	 * s_fs_info for securityfs. The first time a userns mounts a
> +	 * securityfs instance we lazily allocate the ima_namespace for the
> +	 * userns since that's the only way a userns can meaningfully use ima.
> +	 * The vfs ensures we're the only one to call fill_super() and hence
> +	 * ima_fs_ns_init(), so we don't need any memory barriers here, i.e.
> +	 * user_ns->ima_ns can't change while we're in here.
> +	 */
> +	if (!ns) {
> +		ns = create_ima_ns(user_ns);
> +		if (IS_ERR(ns))
> +			return PTR_ERR(ns);
> +		created_ns = true;
> +	}
>  
>  	/* FIXME: update when evm and integrity are namespaced */
>  	if (user_ns != &init_user_ns) {
>  		int_dir = securityfs_create_dir("integrity", root);
>  		if (IS_ERR(int_dir))
> -			return PTR_ERR(int_dir);
> +			goto free_ns;
>  	} else
>  		int_dir = integrity_dir;
>  
> @@ -526,6 +543,10 @@ int ima_fs_ns_init(struct user_namespace *user_ns, struct dentry *root)
>  	if (user_ns != &init_user_ns)
>  		securityfs_remove(int_dir);
>  
> +free_ns:
> +	if (created_ns)
> +		free_ima_ns(user_ns);
> +
>  	return -1;
>  }
>  
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index bc3ab08f39c6..fc878577cdd7 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -483,7 +483,7 @@ int ima_file_mmap(struct file *file, unsigned long prot)
>  	struct ima_namespace *ns = get_current_ns();
>  	u32 secid;
>  
> -	if (file && (prot & PROT_EXEC)) {
> +	if (ns && file && (prot & PROT_EXEC)) {
>  		security_task_getsecid_subj(current, &secid);
>  		return process_measurement(ns, file, current_cred(), secid,
>  					   NULL, 0, MAY_EXEC, MMAP_CHECK);
> @@ -519,7 +519,7 @@ int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot)
>  	int pcr;
>  
>  	/* Is mprotect making an mmap'ed file executable? */
> -	if (!(ns->ima_policy_flag & IMA_APPRAISE) || !vma->vm_file ||
> +	if (!ns || !(ns->ima_policy_flag & IMA_APPRAISE) || !vma->vm_file ||
>  	    !(prot & PROT_EXEC) || (vma->vm_flags & VM_EXEC))
>  		return 0;
>  
> @@ -565,6 +565,9 @@ int ima_bprm_check(struct linux_binprm *bprm)
>  	int ret;
>  	u32 secid;
>  
> +	if (!ns)
> +		return 0;
> +
>  	security_task_getsecid_subj(current, &secid);
>  	ret = process_measurement(ns, bprm->file, current_cred(), secid, NULL,
>  				  0, MAY_EXEC, BPRM_CHECK);
> @@ -591,6 +594,9 @@ int ima_file_check(struct file *file, int mask)
>  	struct ima_namespace *ns = get_current_ns();
>  	u32 secid;
>  
> +	if (!ns)
> +		return 0;
> +
>  	security_task_getsecid_subj(current, &secid);
>  	return process_measurement(ns, file, current_cred(), secid, NULL, 0,
>  				   mask & (MAY_READ | MAY_WRITE | MAY_EXEC |
> @@ -656,7 +662,7 @@ int ima_file_hash(struct file *file, char *buf, size_t buf_size)
>  {
>  	struct ima_namespace *ns = get_current_ns();
>  
> -	if (!file)
> +	if (!ns || !file)
>  		return -EINVAL;
>  
>  	return __ima_inode_hash(ns, file_inode(file), buf, buf_size);
> @@ -685,7 +691,7 @@ int ima_inode_hash(struct inode *inode, char *buf, size_t buf_size)
>  {
>  	struct ima_namespace *ns = get_current_ns();
>  
> -	if (!inode)
> +	if (!ns || !inode)
>  		return -EINVAL;
>  
>  	return __ima_inode_hash(ns, inode, buf, buf_size);
> @@ -708,7 +714,7 @@ void ima_post_create_tmpfile(struct user_namespace *mnt_userns,
>  	struct integrity_iint_cache *iint;
>  	int must_appraise;
>  
> -	if (!ns->ima_policy_flag || !S_ISREG(inode->i_mode))
> +	if (!ns || !ns->ima_policy_flag || !S_ISREG(inode->i_mode))
>  		return;
>  
>  	must_appraise = ima_must_appraise(ns, mnt_userns, inode, MAY_ACCESS,
> @@ -742,7 +748,7 @@ void ima_post_path_mknod(struct user_namespace *mnt_userns,
>  	struct inode *inode = dentry->d_inode;
>  	int must_appraise;
>  
> -	if (!ns->ima_policy_flag || !S_ISREG(inode->i_mode))
> +	if (!ns || !ns->ima_policy_flag || !S_ISREG(inode->i_mode))
>  		return;
>  
>  	must_appraise = ima_must_appraise(ns, mnt_userns, inode, MAY_ACCESS,
> @@ -778,6 +784,9 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id,
>  	enum ima_hooks func;
>  	u32 secid;
>  
> +	if (!ns)
> +		return 0;
> +
>  	/*
>  	 * Do devices using pre-allocated memory run the risk of the
>  	 * firmware being accessible to the device prior to the completion
> @@ -829,6 +838,9 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size,
>  	enum ima_hooks func;
>  	u32 secid;
>  
> +	if (!ns)
> +		return 0;
> +
>  	/* permit signed certs */
>  	if (!file && read_id == READING_X509_CERTIFICATE)
>  		return 0;
> @@ -1071,7 +1083,7 @@ void ima_kexec_cmdline(int kernel_fd, const void *buf, int size)
>  	struct ima_namespace *ns = get_current_ns();
>  	struct fd f;
>  
> -	if (!buf || !size)
> +	if (!ns || !buf || !size)
>  		return;
>  
>  	f = fdget(kernel_fd);
> @@ -1111,6 +1123,9 @@ int ima_measure_critical_data(const char *event_label,
>  {
>  	struct ima_namespace *ns = get_current_ns();
>  
> +	if (!ns)
> +		return -EINVAL;
> +
>  	if (!event_name || !event_label || !buf || !buf_len)
>  		return -ENOPARAM;
>  
> diff --git a/security/integrity/ima/ima_ns.c b/security/integrity/ima/ima_ns.c
> index 205dd06ac41e..9a5105d0ea89 100644
> --- a/security/integrity/ima/ima_ns.c
> +++ b/security/integrity/ima/ima_ns.c
> @@ -26,7 +26,8 @@ struct ima_namespace *create_ima_ns(struct user_namespace *user_ns)
>  	if (err)
>  		goto fail_free;
>  
> -	user_ns->ima_ns = ns;
> +	/* Pairs with smp_load_acquire() in ima_ns_from_user_ns(). */
> +	smp_store_release(&user_ns->ima_ns, ns);
>  
>  	return ns;
>  
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index b7dbc687b6ff..5a9b511ebbae 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -1333,6 +1333,7 @@ static unsigned int ima_parse_appraise_algos(char *arg)
>  static int ima_parse_rule(struct ima_namespace *ns,
>  			  char *rule, struct ima_rule_entry *entry)
>  {
> +	struct user_namespace *user_ns = ima_ns_to_user_ns(ns);

So I think ima_policy_write() and therefore ima_parse_rule() can
legitimately be reached at least from an ancestor userns but also from a
completely unrelated userns via securityfs. Sorry, I didn't see this
earlier. Think of the following two scenarios:

* userns1: unshare -U --map-root --mount
-----------------------------------------
   mount -t securityfs securityfs /userns1_securityfs
   fd_in_userns1 = open("/userns1_securityfs/ima_file, O_RDWR);

   /* I _think_ that sending of fds here should work but I haven't
    * bothered to recheck the scm code as I need to do some driving in a
    * little bit so I'm running out of time...
    */
   send_fd_scm_rights(fd_in_userns1, task_in_userns2);

* userns2: unshare -U --map-root --mount
-----------------------------------------
   fd_from_userns1 = receive_fd_scm_rights();
   write_policy(fd_from_userns1, "my fancy policy");

It also means that if you inherit an fd from a more privileged imans
instance you can write to it:

* initial_userns:
------------------
   mount -t securityfs securityfs /initial_securityfs

   fd_in_initial_securityfs = open("/initial_securityfs/ima_file, O_RDWR);

   pid = fork():
   if (pid == 0) {
	unshare(CLONE_NEWUSER);
	/* write idmapping for yourself */

	write_policy(fd_in_initial_securityfs, "my fancy policy");
   }

would allow an unprivileged caller to alter the host's ima policy (as
you can see the example requires cooperation).

In both cases the write can legitimately reach ima_policy_write() and
trigger ima_parse_rule() from another user namespace.

There are multiple ways to go here, I think.

It's important to figure out whether - coming back to an earlier review
of mine - you're ok with everyone with access to an opened policy fd
being able to write an ima policy for the namespace in questions as long
as _the opener of the policy file_ was privileged enough.

If that's the case then you can just remove the WARN_ON()/add a
non-WARN_ON() helper in there.

>From my ima-naive perspective this seems fine and preferable as this
means clean permission checking once at open time.

A good question to answer in order to solve this is whether or not a
given operation is allowed is dependent on what is written, i.e. on the
content of the rule, I guess. I don't think there is.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ