From: Stefan Berger <stefanb@linux.ibm.com>
To: Christian Brauner <brauner@kernel.org>,
Stefan Berger <stefanb@linux.vnet.ibm.com>
Cc: linux-integrity@vger.kernel.org, zohar@linux.ibm.com,
serge@hallyn.com, christian.brauner@ubuntu.com,
containers@lists.linux.dev, dmitry.kasatkin@gmail.com,
ebiederm@xmission.com, krzysztof.struczynski@huawei.com,
roberto.sassu@huawei.com, mpeters@redhat.com, lhinds@redhat.com,
lsturman@redhat.com, puiterwi@redhat.com, jejb@linux.ibm.com,
jamjoom@us.ibm.com, linux-kernel@vger.kernel.org,
paul@paul-moore.com, rgb@redhat.com,
linux-security-module@vger.kernel.org, jmorris@namei.org
Subject: Re: [PATCH v8 10/19] ima: Implement hierarchical processing of file accesses
Date: Tue, 18 Jan 2022 13:25:38 -0500 [thread overview]
Message-ID: <546afc0c-8d86-e471-49cd-8665cea643fb@linux.ibm.com> (raw)
In-Reply-To: <20220114112114.tu4f56bm7tewzfmj@wittgenstein>
On 1/14/22 06:21, Christian Brauner wrote:
> On Tue, Jan 04, 2022 at 12:04:07PM -0500, Stefan Berger wrote:
>> From: Stefan Berger <stefanb@linux.ibm.com>
>>
>> Implement hierarchical processing of file accesses in IMA namespaces by
>> walking the list of user namespaces towards the root. This way file
>> accesses can be audited in an IMA namespace and also be evaluated against
>> the IMA policies of parent IMA namespaces.
>>
>> __process_measurement() returns either 0 or -EACCES. For hierarchical
>> processing remember the -EACCES returned by this function but continue
>> to the parent user namespace. At the end either return 0 or -EACCES
>> if an error occurred in one of the IMA namespaces.
>>
>> Currently the ima_ns pointer of the user_namespace is always NULL except
>> at the init_user_ns, so test ima_ns for NULL pointer and skip the call to
>> __process_measurement() if it is NULL. Once IMA namespacing is fully
>> enabled, the pointer may also be NULL due to late initialization of the
>> IMA namespace.
>>
>> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>> ---
>> include/linux/ima.h | 6 +++++
>> security/integrity/ima/ima_main.c | 37 +++++++++++++++++++++++++++----
>> 2 files changed, 39 insertions(+), 4 deletions(-)
>>
>> diff --git a/include/linux/ima.h b/include/linux/ima.h
>> index b6ab66a546ae..fcee2a51bb87 100644
>> --- a/include/linux/ima.h
>> +++ b/include/linux/ima.h
>> @@ -65,6 +65,12 @@ static inline const char * const *arch_get_ima_policy(void)
>> }
>> #endif
>>
>> +static inline struct user_namespace
>> +*ima_ns_to_user_ns(struct ima_namespace *ns)
>> +{
>> + return current_user_ns();
>> +}
>> +
>> #else
>> static inline enum hash_algo ima_get_current_hash_algo(void)
>> {
>> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
>> index 621685d4eb95..51b0ef1cebbe 100644
>> --- a/security/integrity/ima/ima_main.c
>> +++ b/security/integrity/ima/ima_main.c
>> @@ -200,10 +200,10 @@ void ima_file_free(struct file *file)
>> ima_check_last_writer(iint, inode, file);
>> }
>>
>> -static int process_measurement(struct ima_namespace *ns,
>> - struct file *file, const struct cred *cred,
>> - u32 secid, char *buf, loff_t size, int mask,
>> - enum ima_hooks func)
>> +static int __process_measurement(struct ima_namespace *ns,
>> + struct file *file, const struct cred *cred,
>> + u32 secid, char *buf, loff_t size, int mask,
>> + enum ima_hooks func)
>> {
>> struct inode *inode = file_inode(file);
>> struct integrity_iint_cache *iint = NULL;
>> @@ -395,6 +395,35 @@ static int process_measurement(struct ima_namespace *ns,
>> return 0;
>> }
>>
>> +static int process_measurement(struct ima_namespace *ns,
>> + struct file *file, const struct cred *cred,
>> + u32 secid, char *buf, loff_t size, int mask,
>> + enum ima_hooks func)
>> +{
>> + struct user_namespace *user_ns = ima_ns_to_user_ns(ns);
>> + int ret = 0;
>> +
>> + while (user_ns) {
>> + ns = ima_ns_from_user_ns(user_ns);
>> + if (ns) {
>> + int rc;
>> +
>> + rc = __process_measurement(ns, file, cred, secid, buf,
>> + size, mask, func);
>> + switch (rc) {
>> + case -EACCES:
>> + /* return this error at the end but continue */
>> + ret = -EACCES;
>> + break;
> This seems risky. Every error not -EACCES will be counted as a success.
> It doesn't look like __process_measurement() will return anything else
> but I would still place a WARN_ON() or WARN_ON_ONCE() in there to make
> that assumption explicit.
>
> Right now it looks like your only error condition is -EACCES and non-ima
> cracks like me need to read through __process_measurement() to figure
> out that that's ok. With a WARN_ON* in there I'd not have needed to bother.
>
> switch (rc) {
> case -EACCES:
> /* return this error at the end but continue */
> ret = -EACCES;
> break
> default:
> WARN_ON_ONCE(true);
ret = -EINVAL;
> }
>
> or sm similar.
Agreed. To be on the safe side I would add a ret = -EINVAL to it for the
unhandled case as shown above.
next prev parent reply other threads:[~2022-01-18 18:25 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-04 17:03 [PATCH v8 00/19] ima: Namespace IMA with audit support in IMA-ns Stefan Berger
2022-01-04 17:03 ` [PATCH v8 01/19] securityfs: Extend securityfs with namespacing support Stefan Berger
2022-01-05 3:58 ` Al Viro
2022-01-05 10:18 ` Christian Brauner
2022-01-11 12:16 ` Mimi Zohar
2022-01-11 14:12 ` Christian Brauner
2022-01-04 17:03 ` [PATCH v8 02/19] ima: Define ima_namespace structure and implement basic functions Stefan Berger
2022-01-04 17:04 ` [PATCH v8 03/19] ima: Move policy related variables into ima_namespace Stefan Berger
2022-01-13 20:26 ` Mimi Zohar
2022-01-14 10:48 ` Christian Brauner
2022-01-19 13:32 ` Stefan Berger
2022-01-04 17:04 ` [PATCH v8 04/19] ima: Move ima_htable " Stefan Berger
2022-01-04 17:04 ` [PATCH v8 05/19] ima: Move measurement list related variables " Stefan Berger
2022-01-13 20:27 ` Mimi Zohar
2022-01-19 12:23 ` Stefan Berger
2022-01-04 17:04 ` [PATCH v8 06/19] ima: Move some IMA policy and filesystem " Stefan Berger
2022-01-04 17:04 ` [PATCH v8 07/19] ima: Move dentry into ima_namespace and others onto stack Stefan Berger
2022-01-13 20:28 ` Mimi Zohar
2022-01-18 20:12 ` Stefan Berger
2022-01-18 20:42 ` Mimi Zohar
2022-01-18 20:54 ` Stefan Berger
2022-01-04 17:04 ` [PATCH v8 08/19] ima: Use mac_admin_ns_capable() to check corresponding capability Stefan Berger
2022-01-05 20:55 ` kernel test robot
2022-01-13 20:28 ` Mimi Zohar
2022-01-04 17:04 ` [PATCH v8 09/19] ima: Only accept AUDIT rules for non-init_ima_ns namespaces for now Stefan Berger
2022-01-04 17:04 ` [PATCH v8 10/19] ima: Implement hierarchical processing of file accesses Stefan Berger
2022-01-14 11:21 ` Christian Brauner
2022-01-18 18:25 ` Stefan Berger [this message]
2022-01-04 17:04 ` [PATCH v8 11/19] ima: Implement ima_free_policy_rules() for freeing of an ima_namespace Stefan Berger
2022-01-04 17:04 ` [PATCH v8 12/19] userns: Add pointer to ima_namespace to user_namespace Stefan Berger
2022-01-04 17:04 ` [PATCH v8 13/19] ima: Add functions for creation and freeing of an ima_namespace Stefan Berger
2022-01-14 11:43 ` Christian Brauner
2022-01-04 17:04 ` [PATCH v8 14/19] integrity/ima: Define ns_status for storing namespaced iint data Stefan Berger
2022-01-04 17:04 ` [PATCH v8 15/19] ima: Namespace audit status flags Stefan Berger
2022-01-04 17:04 ` [PATCH v8 16/19] ima: Enable re-auditing of modified files Stefan Berger
2022-01-05 15:21 ` Stefan Berger
2022-01-04 17:04 ` [PATCH v8 17/19] ima: Setup securityfs for IMA namespace Stefan Berger
2022-01-04 17:04 ` [PATCH v8 18/19] ima: Show owning user namespace's uid and gid when displaying policy Stefan Berger
2022-01-14 13:45 ` Christian Brauner
2022-01-18 16:31 ` Stefan Berger
2022-01-19 9:23 ` Christian Brauner
2022-01-04 17:04 ` [PATCH v8 19/19] ima: Enable IMA namespaces Stefan Berger
2022-01-14 12:05 ` Christian Brauner
2022-01-18 17:53 ` Stefan Berger
2022-01-14 14:45 ` Christian Brauner
2022-01-18 18:09 ` Stefan Berger
2022-01-19 9:46 ` Christian Brauner
2022-01-19 12:45 ` Stefan Berger
2022-01-19 13:03 ` Christian Brauner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=546afc0c-8d86-e471-49cd-8665cea643fb@linux.ibm.com \
--to=stefanb@linux.ibm.com \
--cc=brauner@kernel.org \
--cc=christian.brauner@ubuntu.com \
--cc=containers@lists.linux.dev \
--cc=dmitry.kasatkin@gmail.com \
--cc=ebiederm@xmission.com \
--cc=jamjoom@us.ibm.com \
--cc=jejb@linux.ibm.com \
--cc=jmorris@namei.org \
--cc=krzysztof.struczynski@huawei.com \
--cc=lhinds@redhat.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lsturman@redhat.com \
--cc=mpeters@redhat.com \
--cc=paul@paul-moore.com \
--cc=puiterwi@redhat.com \
--cc=rgb@redhat.com \
--cc=roberto.sassu@huawei.com \
--cc=serge@hallyn.com \
--cc=stefanb@linux.vnet.ibm.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox