From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
Cc: Christoph Hellwig <hch@lst.de>, Al Viro <viro@zeniv.linux.org.uk>,
Matthew Garrett <mjg59@google.com>,
James Morris <jmorris@namei.org>,
linux-fsdevel@vger.kernel.org,
linux-ima-devel <linux-ima-devel@lists.sourceforge.net>,
linux-security-module <linux-security-module@vger.kernel.org>
Subject: Re: [PATCH v6 3/6] ima: always measure and audit files in policy
Date: Tue, 22 Aug 2017 08:54:25 -0400 [thread overview]
Message-ID: <1503406465.8360.52.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <CACE9dm_xVdJU8+7GfB_0mtjD1jH+cxMq5JstM1_TkYaZU02JGw@mail.gmail.com>
On Tue, 2017-08-22 at 13:05 +0300, Dmitry Kasatkin wrote:
> On Tue, Aug 15, 2017 at 5:43 PM, Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> > All files matching a "measure" rule must be included in the IMA
> > measurement list, even when the file hash cannot be calculated.
> > Similarly, all files matching an "audit" rule must be audited, even when
> > the file hash can not be calculated.
> >
> > The file data hash field contained in the IMA measurement list template
> > data will contain 0's instead of the actual file hash digest.
> >
> > Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
> >
> > ---
> > Changelog v6:
> > - replace "?:" with if/then
> > - annotate i_version usage
> > - reword O_DIRECT comment
> >
> > Changelog v5:
> > - Fail files opened O_DIRECT, but include attempt in measurement list.
> >
> > Changelog v4:
> > - Based on both -EBADF and -EINVAL
> > - clean up ima_collect_measurement()
> >
> > security/integrity/ima/ima_api.c | 67 +++++++++++++++++++++++--------------
> > security/integrity/ima/ima_crypto.c | 10 ++++++
> > security/integrity/ima/ima_main.c | 7 ++--
> > 3 files changed, 54 insertions(+), 30 deletions(-)
> >
> > diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
> > index c2edba8de35e..1dee695642a4 100644
> > --- a/security/integrity/ima/ima_api.c
> > +++ b/security/integrity/ima/ima_api.c
> > @@ -199,42 +199,59 @@ int ima_collect_measurement(struct integrity_iint_cache *iint,
> > struct inode *inode = file_inode(file);
> > const char *filename = file->f_path.dentry->d_name.name;
> > int result = 0;
> > + int length;
> > + void *tmpbuf;
> > + u64 i_version;
> > struct {
> > struct ima_digest_data hdr;
> > char digest[IMA_MAX_DIGEST_SIZE];
> > } hash;
> >
> > - if (!(iint->flags & IMA_COLLECTED)) {
> > - u64 i_version = file_inode(file)->i_version;
> > + if (iint->flags & IMA_COLLECTED)
> > + goto out;
> >
> > - if (file->f_flags & O_DIRECT) {
> > - audit_cause = "failed(directio)";
> > - result = -EACCES;
> > - goto out;
> > - }
> > + /*
> > + * Dectecting file change is based on i_version. On filesystems
> > + * which do not support i_version, support is limited to an initial
> > + * measurement/appraisal/audit.
> > + */
> > + i_version = file_inode(file)->i_version;
> > + hash.hdr.algo = algo;
> >
> > - hash.hdr.algo = algo;
> > -
> > - result = (!buf) ? ima_calc_file_hash(file, &hash.hdr) :
> > - ima_calc_buffer_hash(buf, size, &hash.hdr);
> > - if (!result) {
> > - int length = sizeof(hash.hdr) + hash.hdr.length;
> > - void *tmpbuf = krealloc(iint->ima_hash, length,
> > - GFP_NOFS);
> > - if (tmpbuf) {
> > - iint->ima_hash = tmpbuf;
> > - memcpy(iint->ima_hash, &hash, length);
> > - iint->version = i_version;
> > - iint->flags |= IMA_COLLECTED;
> > - } else
> > - result = -ENOMEM;
> > - }
> > + /* Initialize hash digest to 0's in case of failure */
> > + memset(&hash.digest, 0, sizeof(hash.digest));
> > +
> > + if (buf)
> > + result = ima_calc_buffer_hash(buf, size, &hash.hdr);
> > + else
> > + result = ima_calc_file_hash(file, &hash.hdr);
> > +
> > + if (result && result != -EBADF && result != -EINVAL)
> > + goto out;
> > +
> > + length = sizeof(hash.hdr) + hash.hdr.length;
> > + tmpbuf = krealloc(iint->ima_hash, length, GFP_NOFS);
> > + if (!tmpbuf) {
> > + result = -ENOMEM;
> > + goto out;
> > }
> > +
> > + iint->ima_hash = tmpbuf;
> > + memcpy(iint->ima_hash, &hash, length);
> > + iint->version = i_version;
> > +
> > + /* Possibly temporary failure due to type of read (eg. O_DIRECT) */
> > + if (result != -EBADF && result != -EINVAL)
> > + iint->flags |= IMA_COLLECTED;
>
>
> Result can be other than 0, EBADF and EINVAL here?
> It is confusing.. simpler than can be just
>
> if (!result)
> iint->flags |= IMA_COLLECTED;
>
> Isn't it?
Yes, that is better.
Mimi
next prev parent reply other threads:[~2017-08-22 12:54 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-08-15 14:43 [PATCH v6 0/6] define new fs integrity_read method Mimi Zohar
2017-08-15 14:43 ` [PATCH v6 1/6] libfs: define simple_read_iter_from_buffer Mimi Zohar
2017-08-16 6:35 ` Christoph Hellwig
2017-08-16 17:43 ` Mimi Zohar
2017-08-17 2:42 ` James Morris
2017-08-17 11:00 ` Mimi Zohar
2017-08-22 10:04 ` Dmitry Kasatkin
2017-08-15 14:43 ` [PATCH v6 2/6] efivarfs: replaces the read file operation with read_iter Mimi Zohar
2017-08-16 6:35 ` Christoph Hellwig
2017-08-15 14:43 ` [PATCH v6 3/6] ima: always measure and audit files in policy Mimi Zohar
2017-08-22 10:05 ` Dmitry Kasatkin
2017-08-22 12:54 ` Mimi Zohar [this message]
2017-08-15 14:43 ` [PATCH v6 4/6] ima: use fs method to read integrity data Mimi Zohar
2017-08-16 13:17 ` Jan Kara
2017-08-16 17:43 ` Mimi Zohar
2017-08-22 10:09 ` Dmitry Kasatkin
2017-08-28 4:13 ` Al Viro
2017-08-28 18:30 ` Mimi Zohar
2017-08-15 14:43 ` [PATCH v6 5/6] ima: define "dont_failsafe" policy action rule Mimi Zohar
2017-08-22 10:07 ` Dmitry Kasatkin
2017-08-22 12:54 ` Mimi Zohar
2017-08-22 13:31 ` Dmitry Kasatkin
2017-08-15 14:43 ` [PATCH v6 6/6] ima: define "fs_unsafe" builtin policy Mimi Zohar
2017-08-22 10:07 ` Dmitry Kasatkin
2017-08-22 13:13 ` Mimi Zohar
2017-08-22 13:41 ` Dmitry Kasatkin
2017-08-16 2:43 ` [PATCH v6 0/6] define new fs integrity_read method James Morris
2017-08-16 6:34 ` Christoph Hellwig
2017-08-16 9:52 ` James Morris
2017-08-16 11:05 ` Mimi Zohar
2017-08-28 4:18 ` Al Viro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1503406465.8360.52.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=hch@lst.de \
--cc=jmorris@namei.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-ima-devel@lists.sourceforge.net \
--cc=linux-security-module@vger.kernel.org \
--cc=mjg59@google.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).