Re: [RFC][PATCH 8/8] ima: Detect if digest cache changed since last measurement/appraisal

Linux Documentation
 help / color / mirror / Atom feed

From: Roberto Sassu <roberto.sassu@huaweicloud.com>
To: Mimi Zohar <zohar@linux.ibm.com>,
	corbet@lwn.net, dmitry.kasatkin@gmail.com,
	 eric.snowberg@oracle.com, paul@paul-moore.com,
	jmorris@namei.org, serge@hallyn.com
Cc: linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org,
	 linux-integrity@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	 wufan@linux.microsoft.com, pbrobinson@gmail.com,
	zbyszek@in.waw.pl, hch@lst.de,  mjg59@srcf.ucam.org,
	pmatilai@redhat.com, jannh@google.com, dhowells@redhat.com,
	 jikos@kernel.org, mkoutny@suse.com, ppavlu@suse.com,
	petr.vorel@gmail.com,  petrtesarik@huaweicloud.com,
	mzerqung@0pointer.de, kgold@linux.ibm.com,
	Roberto Sassu <roberto.sassu@huawei.com>
Subject: Re: [RFC][PATCH 8/8] ima: Detect if digest cache changed since last measurement/appraisal
Date: Mon, 11 Mar 2024 10:11:54 +0100	[thread overview]
Message-ID: <4bac45ced03f82c2f3775684368e22db5dafea11.camel@huaweicloud.com> (raw)
In-Reply-To: <ddb1c28356fb8a4dcca9bff6dc206802d7981bb8.camel@linux.ibm.com>

On Fri, 2024-03-08 at 12:35 -0500, Mimi Zohar wrote:
> Hi Roberto,
> 
> > b/security/integrity/ima/ima_main.c
> > index a66522a22cbc..e1b2f5737753 100644
> > --- a/security/integrity/ima/ima_main.c
> > +++ b/security/integrity/ima/ima_main.c
> > @@ -301,6 +301,15 @@ static int process_measurement(struct file *file, const
> > struct cred *cred,
> >  		}
> >  	}
> >  
> > +	/* Check if digest cache changed since last measurement/appraisal. */
> > +	if (iint->digest_cache &&
> > +	    digest_cache_changed(inode, iint->digest_cache)) {
> > +		iint->flags &= ~IMA_DONE_MASK;
> > +		iint->measured_pcrs = 0;
> > +		digest_cache_put(iint->digest_cache);
> > +		iint->digest_cache = NULL;
> > +	}
> > +
> >  	/* Determine if already appraised/measured based on bitmask
> >  	 * (IMA_MEASURE, IMA_MEASURED, IMA_XXXX_APPRAISE, IMA_XXXX_APPRAISED,
> >  	 *  IMA_AUDIT, IMA_AUDITED)
> > @@ -371,8 +380,15 @@ static int process_measurement(struct file *file, const
> > struct cred *cred,
> >  	 * Since we allow IMA policy rules without func=, we have to enforce
> >  	 * this restriction here.
> >  	 */
> > -	if (rc == 0 && policy_mask && func != DIGEST_LIST_CHECK)
> > -		digest_cache = digest_cache_get(file_dentry(file));
> > +	if (rc == 0 && policy_mask && func != DIGEST_LIST_CHECK) {
> > +		if (!iint->digest_cache) {
> > +			/* Released by ima_iint_free(). */
> > +			digest_cache = digest_cache_get(file_dentry(file));
> > +			iint->digest_cache = digest_cache;
> > +		} else {
> > +			digest_cache = iint->digest_cache;
> > +		}
> 
> Simple cleanup:
> 		if (!iint->digest_cache)
> 			iint->digest_cache =digest_cache_get(file_dentry(file));
> 
> 		digest_cache = iint->digest_cache;

Thanks.

> > +	}
> >  
> >  	if (digest_cache) {
> >  		found = digest_cache_lookup(file_dentry(file), digest_cache,
> > @@ -386,8 +402,6 @@ static int process_measurement(struct file *file, const
> > struct cred *cred,
> >  			if (verif_mask_ptr)
> >  				allow_mask = policy_mask & *verif_mask_ptr;
> >  		}
> > -
> > -		digest_cache_put(digest_cache);
> 
> Keeping a reference to the digest_cache list for each file in the iint cache
> until the file is re-accessed, might take a while to free.

Yes, that is the drawback...

> I'm wondering if it necessary to keep a reference to the digest_cache.  Or is it
> possible to just compare the existing iint->digest_cache pointer with the
> current digest_cache pointer?

If the pointer value is the same, it does not guarantee that it is the
same digest cache used for the previous verification. It might have
been freed and reallocated.

Maybe, if the digest_cache LSM is able to notify to IMA that the digest
cache changed, so that IMA resets its flags in the integrity metadata,
we would not need to pin it.

Roberto

> thanks,
> 
> Mimi
> 
> >  	}
> >  
> >  	if (action & IMA_MEASURE)
>

next prev parent reply	other threads:[~2024-03-11  9:12 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-02-14 14:35 [RFC][PATCH 0/8] ima: Integrate with digest_cache LSM Roberto Sassu
2024-02-14 14:35 ` [RFC][PATCH 1/8] ima: Introduce hook DIGEST_LIST_CHECK Roberto Sassu
2024-02-14 14:35 ` [RFC][PATCH 2/8] ima: Nest iint mutex for DIGEST_LIST_CHECK hook Roberto Sassu
2024-03-07 19:42   ` Mimi Zohar
2024-03-08  8:00     ` Roberto Sassu
2024-02-14 14:35 ` [RFC][PATCH 3/8] ima: Add digest_cache policy keyword Roberto Sassu
2024-03-07 19:43   ` Mimi Zohar
2024-03-08  9:05     ` Roberto Sassu
2024-03-08 13:41       ` Mimi Zohar
2024-02-14 14:35 ` [RFC][PATCH 4/8] ima: Add digest_cache_measure and digest_cache_appraise boot-time policies Roberto Sassu
2024-03-07 20:17   ` Mimi Zohar
2024-03-08 10:36     ` Roberto Sassu
2024-03-08 14:23       ` Mimi Zohar
2024-03-11 13:01   ` Mimi Zohar
2024-02-14 14:35 ` [RFC][PATCH 5/8] ima: Record IMA verification result of digest lists in digest cache Roberto Sassu
2024-03-11 14:00   ` Mimi Zohar
2024-02-14 14:35 ` [RFC][PATCH 6/8] ima: Use digest cache for measurement Roberto Sassu
2024-03-08 16:08   ` Mimi Zohar
2024-03-08 16:27     ` Roberto Sassu
2024-02-14 14:35 ` [RFC][PATCH 7/8] ima: Use digest cache for appraisal Roberto Sassu
2024-02-14 14:35 ` [RFC][PATCH 8/8] ima: Detect if digest cache changed since last measurement/appraisal Roberto Sassu
2024-03-08 17:35   ` Mimi Zohar
2024-03-11  9:11     ` Roberto Sassu [this message]
2024-03-11 12:19       ` Mimi Zohar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4bac45ced03f82c2f3775684368e22db5dafea11.camel@huaweicloud.com \
    --to=roberto.sassu@huaweicloud.com \
    --cc=corbet@lwn.net \
    --cc=dhowells@redhat.com \
    --cc=dmitry.kasatkin@gmail.com \
    --cc=eric.snowberg@oracle.com \
    --cc=hch@lst.de \
    --cc=jannh@google.com \
    --cc=jikos@kernel.org \
    --cc=jmorris@namei.org \
    --cc=kgold@linux.ibm.com \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=mjg59@srcf.ucam.org \
    --cc=mkoutny@suse.com \
    --cc=mzerqung@0pointer.de \
    --cc=paul@paul-moore.com \
    --cc=pbrobinson@gmail.com \
    --cc=petr.vorel@gmail.com \
    --cc=petrtesarik@huaweicloud.com \
    --cc=pmatilai@redhat.com \
    --cc=ppavlu@suse.com \
    --cc=roberto.sassu@huawei.com \
    --cc=serge@hallyn.com \
    --cc=wufan@linux.microsoft.com \
    --cc=zbyszek@in.waw.pl \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox