From: zohar@linux.vnet.ibm.com (Mimi Zohar)
To: linux-security-module@vger.kernel.org
Subject: [PATCH v6 3/6] ima: always measure and audit files in policy
Date: Tue, 22 Aug 2017 08:54:25 -0400 [thread overview]
Message-ID: <1503406465.8360.52.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <CACE9dm_xVdJU8+7GfB_0mtjD1jH+cxMq5JstM1_TkYaZU02JGw@mail.gmail.com>
On Tue, 2017-08-22 at 13:05 +0300, Dmitry Kasatkin wrote:
> On Tue, Aug 15, 2017 at 5:43 PM, Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> > All files matching a "measure" rule must be included in the IMA
> > measurement list, even when the file hash cannot be calculated.
> > Similarly, all files matching an "audit" rule must be audited, even when
> > the file hash can not be calculated.
> >
> > The file data hash field contained in the IMA measurement list template
> > data will contain 0's instead of the actual file hash digest.
> >
> > Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
> >
> > ---
> > Changelog v6:
> > - replace "?:" with if/then
> > - annotate i_version usage
> > - reword O_DIRECT comment
> >
> > Changelog v5:
> > - Fail files opened O_DIRECT, but include attempt in measurement list.
> >
> > Changelog v4:
> > - Based on both -EBADF and -EINVAL
> > - clean up ima_collect_measurement()
> >
> > security/integrity/ima/ima_api.c | 67 +++++++++++++++++++++++--------------
> > security/integrity/ima/ima_crypto.c | 10 ++++++
> > security/integrity/ima/ima_main.c | 7 ++--
> > 3 files changed, 54 insertions(+), 30 deletions(-)
> >
> > diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
> > index c2edba8de35e..1dee695642a4 100644
> > --- a/security/integrity/ima/ima_api.c
> > +++ b/security/integrity/ima/ima_api.c
> > @@ -199,42 +199,59 @@ int ima_collect_measurement(struct integrity_iint_cache *iint,
> > struct inode *inode = file_inode(file);
> > const char *filename = file->f_path.dentry->d_name.name;
> > int result = 0;
> > + int length;
> > + void *tmpbuf;
> > + u64 i_version;
> > struct {
> > struct ima_digest_data hdr;
> > char digest[IMA_MAX_DIGEST_SIZE];
> > } hash;
> >
> > - if (!(iint->flags & IMA_COLLECTED)) {
> > - u64 i_version = file_inode(file)->i_version;
> > + if (iint->flags & IMA_COLLECTED)
> > + goto out;
> >
> > - if (file->f_flags & O_DIRECT) {
> > - audit_cause = "failed(directio)";
> > - result = -EACCES;
> > - goto out;
> > - }
> > + /*
> > + * Dectecting file change is based on i_version. On filesystems
> > + * which do not support i_version, support is limited to an initial
> > + * measurement/appraisal/audit.
> > + */
> > + i_version = file_inode(file)->i_version;
> > + hash.hdr.algo = algo;
> >
> > - hash.hdr.algo = algo;
> > -
> > - result = (!buf) ? ima_calc_file_hash(file, &hash.hdr) :
> > - ima_calc_buffer_hash(buf, size, &hash.hdr);
> > - if (!result) {
> > - int length = sizeof(hash.hdr) + hash.hdr.length;
> > - void *tmpbuf = krealloc(iint->ima_hash, length,
> > - GFP_NOFS);
> > - if (tmpbuf) {
> > - iint->ima_hash = tmpbuf;
> > - memcpy(iint->ima_hash, &hash, length);
> > - iint->version = i_version;
> > - iint->flags |= IMA_COLLECTED;
> > - } else
> > - result = -ENOMEM;
> > - }
> > + /* Initialize hash digest to 0's in case of failure */
> > + memset(&hash.digest, 0, sizeof(hash.digest));
> > +
> > + if (buf)
> > + result = ima_calc_buffer_hash(buf, size, &hash.hdr);
> > + else
> > + result = ima_calc_file_hash(file, &hash.hdr);
> > +
> > + if (result && result != -EBADF && result != -EINVAL)
> > + goto out;
> > +
> > + length = sizeof(hash.hdr) + hash.hdr.length;
> > + tmpbuf = krealloc(iint->ima_hash, length, GFP_NOFS);
> > + if (!tmpbuf) {
> > + result = -ENOMEM;
> > + goto out;
> > }
> > +
> > + iint->ima_hash = tmpbuf;
> > + memcpy(iint->ima_hash, &hash, length);
> > + iint->version = i_version;
> > +
> > + /* Possibly temporary failure due to type of read (eg. O_DIRECT) */
> > + if (result != -EBADF && result != -EINVAL)
> > + iint->flags |= IMA_COLLECTED;
>
>
> Result can be other than 0, EBADF and EINVAL here?
> It is confusing.. simpler than can be just
>
> if (!result)
> iint->flags |= IMA_COLLECTED;
>
> Isn't it?
Yes, that is better.
Mimi
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
Cc: Christoph Hellwig <hch@lst.de>, Al Viro <viro@zeniv.linux.org.uk>,
Matthew Garrett <mjg59@google.com>,
James Morris <jmorris@namei.org>,
linux-fsdevel@vger.kernel.org,
linux-ima-devel <linux-ima-devel@lists.sourceforge.net>,
linux-security-module <linux-security-module@vger.kernel.org>
Subject: Re: [PATCH v6 3/6] ima: always measure and audit files in policy
Date: Tue, 22 Aug 2017 08:54:25 -0400 [thread overview]
Message-ID: <1503406465.8360.52.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <CACE9dm_xVdJU8+7GfB_0mtjD1jH+cxMq5JstM1_TkYaZU02JGw@mail.gmail.com>
On Tue, 2017-08-22 at 13:05 +0300, Dmitry Kasatkin wrote:
> On Tue, Aug 15, 2017 at 5:43 PM, Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> > All files matching a "measure" rule must be included in the IMA
> > measurement list, even when the file hash cannot be calculated.
> > Similarly, all files matching an "audit" rule must be audited, even when
> > the file hash can not be calculated.
> >
> > The file data hash field contained in the IMA measurement list template
> > data will contain 0's instead of the actual file hash digest.
> >
> > Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
> >
> > ---
> > Changelog v6:
> > - replace "?:" with if/then
> > - annotate i_version usage
> > - reword O_DIRECT comment
> >
> > Changelog v5:
> > - Fail files opened O_DIRECT, but include attempt in measurement list.
> >
> > Changelog v4:
> > - Based on both -EBADF and -EINVAL
> > - clean up ima_collect_measurement()
> >
> > security/integrity/ima/ima_api.c | 67 +++++++++++++++++++++++--------------
> > security/integrity/ima/ima_crypto.c | 10 ++++++
> > security/integrity/ima/ima_main.c | 7 ++--
> > 3 files changed, 54 insertions(+), 30 deletions(-)
> >
> > diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
> > index c2edba8de35e..1dee695642a4 100644
> > --- a/security/integrity/ima/ima_api.c
> > +++ b/security/integrity/ima/ima_api.c
> > @@ -199,42 +199,59 @@ int ima_collect_measurement(struct integrity_iint_cache *iint,
> > struct inode *inode = file_inode(file);
> > const char *filename = file->f_path.dentry->d_name.name;
> > int result = 0;
> > + int length;
> > + void *tmpbuf;
> > + u64 i_version;
> > struct {
> > struct ima_digest_data hdr;
> > char digest[IMA_MAX_DIGEST_SIZE];
> > } hash;
> >
> > - if (!(iint->flags & IMA_COLLECTED)) {
> > - u64 i_version = file_inode(file)->i_version;
> > + if (iint->flags & IMA_COLLECTED)
> > + goto out;
> >
> > - if (file->f_flags & O_DIRECT) {
> > - audit_cause = "failed(directio)";
> > - result = -EACCES;
> > - goto out;
> > - }
> > + /*
> > + * Dectecting file change is based on i_version. On filesystems
> > + * which do not support i_version, support is limited to an initial
> > + * measurement/appraisal/audit.
> > + */
> > + i_version = file_inode(file)->i_version;
> > + hash.hdr.algo = algo;
> >
> > - hash.hdr.algo = algo;
> > -
> > - result = (!buf) ? ima_calc_file_hash(file, &hash.hdr) :
> > - ima_calc_buffer_hash(buf, size, &hash.hdr);
> > - if (!result) {
> > - int length = sizeof(hash.hdr) + hash.hdr.length;
> > - void *tmpbuf = krealloc(iint->ima_hash, length,
> > - GFP_NOFS);
> > - if (tmpbuf) {
> > - iint->ima_hash = tmpbuf;
> > - memcpy(iint->ima_hash, &hash, length);
> > - iint->version = i_version;
> > - iint->flags |= IMA_COLLECTED;
> > - } else
> > - result = -ENOMEM;
> > - }
> > + /* Initialize hash digest to 0's in case of failure */
> > + memset(&hash.digest, 0, sizeof(hash.digest));
> > +
> > + if (buf)
> > + result = ima_calc_buffer_hash(buf, size, &hash.hdr);
> > + else
> > + result = ima_calc_file_hash(file, &hash.hdr);
> > +
> > + if (result && result != -EBADF && result != -EINVAL)
> > + goto out;
> > +
> > + length = sizeof(hash.hdr) + hash.hdr.length;
> > + tmpbuf = krealloc(iint->ima_hash, length, GFP_NOFS);
> > + if (!tmpbuf) {
> > + result = -ENOMEM;
> > + goto out;
> > }
> > +
> > + iint->ima_hash = tmpbuf;
> > + memcpy(iint->ima_hash, &hash, length);
> > + iint->version = i_version;
> > +
> > + /* Possibly temporary failure due to type of read (eg. O_DIRECT) */
> > + if (result != -EBADF && result != -EINVAL)
> > + iint->flags |= IMA_COLLECTED;
>
>
> Result can be other than 0, EBADF and EINVAL here?
> It is confusing.. simpler than can be just
>
> if (!result)
> iint->flags |= IMA_COLLECTED;
>
> Isn't it?
Yes, that is better.
Mimi
next prev parent reply other threads:[~2017-08-22 12:54 UTC|newest]
Thread overview: 62+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-08-15 14:43 [PATCH v6 0/6] define new fs integrity_read method Mimi Zohar
2017-08-15 14:43 ` Mimi Zohar
2017-08-15 14:43 ` [PATCH v6 1/6] libfs: define simple_read_iter_from_buffer Mimi Zohar
2017-08-15 14:43 ` Mimi Zohar
2017-08-16 6:35 ` Christoph Hellwig
2017-08-16 6:35 ` Christoph Hellwig
2017-08-16 17:43 ` Mimi Zohar
2017-08-16 17:43 ` Mimi Zohar
2017-08-17 2:42 ` James Morris
2017-08-17 2:42 ` James Morris
2017-08-17 11:00 ` Mimi Zohar
2017-08-17 11:00 ` Mimi Zohar
2017-08-22 10:04 ` Dmitry Kasatkin
2017-08-22 10:04 ` Dmitry Kasatkin
2017-08-15 14:43 ` [PATCH v6 2/6] efivarfs: replaces the read file operation with read_iter Mimi Zohar
2017-08-15 14:43 ` Mimi Zohar
2017-08-16 6:35 ` Christoph Hellwig
2017-08-16 6:35 ` Christoph Hellwig
2017-08-15 14:43 ` [PATCH v6 3/6] ima: always measure and audit files in policy Mimi Zohar
2017-08-15 14:43 ` Mimi Zohar
2017-08-22 10:05 ` Dmitry Kasatkin
2017-08-22 10:05 ` Dmitry Kasatkin
2017-08-22 12:54 ` Mimi Zohar [this message]
2017-08-22 12:54 ` Mimi Zohar
2017-08-15 14:43 ` [PATCH v6 4/6] ima: use fs method to read integrity data Mimi Zohar
2017-08-15 14:43 ` Mimi Zohar
2017-08-16 13:17 ` Jan Kara
2017-08-16 13:17 ` Jan Kara
2017-08-16 17:43 ` Mimi Zohar
2017-08-16 17:43 ` Mimi Zohar
2017-08-22 10:09 ` Dmitry Kasatkin
2017-08-22 10:09 ` Dmitry Kasatkin
2017-08-28 4:13 ` Al Viro
2017-08-28 4:13 ` Al Viro
2017-08-28 18:30 ` Mimi Zohar
2017-08-28 18:30 ` Mimi Zohar
2017-08-15 14:43 ` [PATCH v6 5/6] ima: define "dont_failsafe" policy action rule Mimi Zohar
2017-08-15 14:43 ` Mimi Zohar
2017-08-22 10:07 ` Dmitry Kasatkin
2017-08-22 10:07 ` Dmitry Kasatkin
2017-08-22 12:54 ` Mimi Zohar
2017-08-22 12:54 ` Mimi Zohar
2017-08-22 13:31 ` Dmitry Kasatkin
2017-08-22 13:31 ` Dmitry Kasatkin
2017-08-15 14:43 ` [PATCH v6 6/6] ima: define "fs_unsafe" builtin policy Mimi Zohar
2017-08-15 14:43 ` Mimi Zohar
2017-08-22 10:07 ` Dmitry Kasatkin
2017-08-22 10:07 ` Dmitry Kasatkin
2017-08-22 13:13 ` Mimi Zohar
2017-08-22 13:13 ` Mimi Zohar
2017-08-22 13:41 ` Dmitry Kasatkin
2017-08-22 13:41 ` Dmitry Kasatkin
2017-08-16 2:43 ` [PATCH v6 0/6] define new fs integrity_read method James Morris
2017-08-16 2:43 ` James Morris
2017-08-16 6:34 ` Christoph Hellwig
2017-08-16 6:34 ` Christoph Hellwig
2017-08-16 9:52 ` James Morris
2017-08-16 9:52 ` James Morris
2017-08-16 11:05 ` Mimi Zohar
2017-08-16 11:05 ` Mimi Zohar
2017-08-28 4:18 ` Al Viro
2017-08-28 4:18 ` Al Viro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1503406465.8360.52.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.