From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Christoph Hellwig <hch@lst.de>, Al Viro <viro@zeniv.linux.org.uk>
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>,
James Morris <jmorris@namei.org>,
linux-fsdevel@vger.kernel.org,
linux-ima-devel@lists.sourceforge.net,
linux-security-module@vger.kernel.org
Subject: [PATCH v4 0/5] define new fs integrity_read method
Date: Wed, 26 Jul 2017 09:22:50 -0400
Message-ID: <1501075375-29469-1-git-send-email-zohar@linux.vnet.ibm.com>

With the introduction of IMA-appraisal and the need to write file
hashes as security xattrs, IMA needed to take the global i_mutex
lock. process_measurement() took the iint->mutex first and then
the i_mutex, while setxattr, chmod and chown took the locks in
reverse order. To resolve this potential deadlock, the iint->mutex
was removed.

Some filesystems have recently replaced their filesystem dependent
lock with the global i_rwsem (formerly the i_mutex) to read a file.
As a result, when IMA attempts to calculate the file hash, reading
the file attempts to take the i_rwsem again.

To resolve this locking problem, this patch set introduces a new
->integrity_read file operation method. Until all filesystems
define the new ->integrity_read method, files that were previously
measured might not be currently measured and files that were
previously appraised might fail to be appraised properly.

Version 2 of this patch set introduced measurement entries and
IMA-audit messages containing file hash values consisting of 0's,
instead of the actual file hash, for files for which the file hash
could not be calculated. Like for any other file signature
verification error, file access/execute permission will be denied
for files in policy for which the file hash could not be calculated.

To override the IMA policy, allowing unverified code to be
accessed/executed on filesystems not supported by IMA, version 2 of
this patch set defined a new policy "action" named "dont_failsafe"
and a new builtin policy named "fs_unsafe", which can be specified
on the boot command line.

The new ->integrity_read method supports opening files with O_DIRECT
on block devices that support direct IO and are mounted with the
"-o dax" option. Version 4 of this patch set removes the
"permit_directio" IMA policy option, which is no longer necessary.

Change log v4:
- define ext2/4 specific ->integrity_read functions based on Jan Kara's
  review.
- properly fail file open with O_DIRECT on filesystems not mounted
  with "-o dax".
- remove the "permit_directio" IMA policy option.

Change log v3:
- define simple_read_iter_from_buffer
- replace the existing efivarfs ->read method with ->read_iter method.
- squashed other fs definitions of ->integrity_read with this patch.
- include dont_failsafe rule when displaying policy.
- fail attempt to add dont_failsafe rule when appending to the policy.
- moved '---' divider before change log, as requested in review.

Mimi

Christoph Hellwig (1):
  ima: use fs method to read integrity data

Mimi Zohar (4):
  ima: always measure and audit files in policy
  ima: define "dont_failsafe" policy action rule
  ima: define "fs_unsafe" builtin policy
  ima: remove permit_directio policy option

 Documentation/ABI/testing/ima_policy            |  5 ++-
 Documentation/admin-guide/kernel-parameters.txt |  8 +++-
 fs/btrfs/file.c                                 |  1 +
 fs/efivarfs/file.c                              | 12 +++---
 fs/ext2/file.c                                  | 17 ++++++++
 fs/ext4/file.c                                  | 23 +++++++++++
 fs/f2fs/file.c                                  |  1 +
 fs/gfs2/file.c                                  |  2 +
 fs/jffs2/file.c                                 |  1 +
 fs/jfs/file.c                                   |  1 +
 fs/libfs.c                                      | 32 +++++++++++++++
 fs/nilfs2/file.c                                |  1 +
 fs/ocfs2/file.c                                 |  1 +
 fs/ramfs/file-mmu.c                             |  1 +
 fs/ramfs/file-nommu.c                           |  1 +
 fs/ubifs/file.c                                 |  1 +
 fs/xfs/xfs_file.c                               | 21 ++++++++++
 include/linux/fs.h                              |  3 ++
 mm/shmem.c                                      |  1 +
 security/integrity/iint.c                       | 20 +++++++---
 security/integrity/ima/ima.h                    |  1 +
 security/integrity/ima/ima_api.c                | 52 ++++++++++++++-----------
 security/integrity/ima/ima_main.c               | 18 ++++++---
 security/integrity/ima/ima_policy.c             | 49 +++++++++++++++++++----
 security/integrity/integrity.h                  |  1 -
 25 files changed, 222 insertions(+), 52 deletions(-)

--
2.7.4
Thread overview:
2017-07-26 13:22 Mimi Zohar [this message]
2017-07-26 13:22 ` [PATCH v4 1/5] ima: always measure and audit files in policy Mimi Zohar
2017-08-22 9:24 ` [Linux-ima-devel] " Dmitry Kasatkin
2017-07-26 13:22 ` [PATCH v4 2/5] ima: use fs method to read integrity data Mimi Zohar
2017-07-31 7:01 ` Jan Kara
2017-07-31 19:08 ` Mimi Zohar
2017-08-01 10:42 ` Jan Kara
2017-08-01 15:38 ` Mimi Zohar
2017-08-01 20:24 ` [PATCH v4 2/5] ima: use fs method to read integrity data [updated] Mimi Zohar
2017-08-02 8:01 ` Jan Kara
2017-08-02 17:11 ` Mimi Zohar
2017-08-03 10:56 ` Jan Kara
2017-08-04 21:07 ` Mimi Zohar
2017-08-07 10:04 ` Jan Kara
2017-08-07 20:12 ` Mimi Zohar
2017-08-08 11:17 ` Jan Kara
2017-08-22 9:59 ` [PATCH v4 2/5] ima: use fs method to read integrity data Dmitry Kasatkin
2017-07-26 13:22 ` [PATCH v4 3/5] ima: define "dont_failsafe" policy action rule Mimi Zohar
2017-08-22 9:34 ` [Linux-ima-devel] " Dmitry Kasatkin
2017-08-22 9:39 ` Dmitry Kasatkin
2017-07-26 13:22 ` [PATCH v4 4/5] ima: define "fs_unsafe" builtin policy Mimi Zohar
2017-08-22 9:36 ` [Linux-ima-devel] " Dmitry Kasatkin
2017-07-26 13:22 ` [PATCH v4 5/5] ima: remove permit_directio policy option Mimi Zohar
2017-08-22 9:27 ` [Linux-ima-devel] " Dmitry Kasatkin