From: Kees Cook <keescook@chromium.org>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: "Kees Cook" <keescook@chromium.org>,
"Dmitry Kasatkin" <dmitry.kasatkin@gmail.com>,
"Paul Moore" <paul@paul-moore.com>,
"James Morris" <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
"Jonathan McDowell" <noodles@fb.com>,
linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org,
"Mickaël Salaün" <mic@digikod.net>,
"KP Singh" <kpsingh@kernel.org>,
"Casey Schaufler" <casey@schaufler-ca.com>,
"John Johansen" <john.johansen@canonical.com>,
linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH 7/9] ima: Move ima_file_check() into LSM
Date: Thu, 13 Oct 2022 15:36:52 -0700 [thread overview]
Message-ID: <20221013223654.659758-7-keescook@chromium.org> (raw)
In-Reply-To: <20221013222702.never.990-kees@kernel.org>
The "file_open" hook in the LSM is the correct place to add the
ima_file_check() callback. Rename it to ima_file_open(), and use the
newly created helper to construct the permissions mask from the file
flags and fmode.
For reference, the LSM hooks across an open are:
do_filp_open(dfd, filename, open_flags)
path_openat(nameidata, open_flags, flags)
file = alloc_empty_file(open_flags, current_cred());
do_open(nameidata, file, open_flags)
may_open(path, acc_mode, open_flag)
inode_permission(inode, MAY_OPEN | acc_mode)
----> security_inode_permission(inode, acc_mode)
vfs_open(path, file)
do_dentry_open(file, path->dentry->d_inode, open)
----> security_file_open(f)
open()
The open-coded hook in the VFS and NFS are removed, as they are fully
covered by the security_file_open() hook.
Cc: Mimi Zohar <zohar@linux.ibm.com>
Cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
Cc: Paul Moore <paul@paul-moore.com>
Cc: James Morris <jmorris@namei.org>
Cc: "Serge E. Hallyn" <serge@hallyn.com>
Cc: Jonathan McDowell <noodles@fb.com>
Cc: linux-integrity@vger.kernel.org
Cc: linux-security-module@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
---
fs/namei.c | 2 --
fs/nfsd/vfs.c | 6 ------
include/linux/ima.h | 6 ------
security/integrity/ima/ima_main.c | 14 +++++++-------
4 files changed, 7 insertions(+), 21 deletions(-)
diff --git a/fs/namei.c b/fs/namei.c
index 53b4bc094db2..d9bd3887e823 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -3555,8 +3555,6 @@ static int do_open(struct nameidata *nd,
error = may_open(mnt_userns, &nd->path, acc_mode, open_flag);
if (!error && !(file->f_mode & FMODE_OPENED))
error = vfs_open(&nd->path, file);
- if (!error)
- error = ima_file_check(file, op->acc_mode);
if (!error && do_truncate)
error = handle_truncate(mnt_userns, file);
if (unlikely(error > 0)) {
diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
index 9f486b788ed0..33fe326272df 100644
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -762,12 +762,6 @@ __nfsd_open(struct svc_rqst *rqstp, struct svc_fh *fhp, umode_t type,
goto out_nfserr;
}
- host_err = ima_file_check(file, may_flags);
- if (host_err) {
- fput(file);
- goto out_nfserr;
- }
-
if (may_flags & NFSD_MAY_64BIT_COOKIE)
file->f_mode |= FMODE_64BITHASH;
else
diff --git a/include/linux/ima.h b/include/linux/ima.h
index 70180b9bd974..cf1e48a2d97d 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -16,7 +16,6 @@ struct linux_binprm;
#ifdef CONFIG_IMA
extern enum hash_algo ima_get_current_hash_algo(void);
-extern int ima_file_check(struct file *file, int mask);
extern void ima_post_create_tmpfile(struct user_namespace *mnt_userns,
struct inode *inode);
extern void ima_post_path_mknod(struct user_namespace *mnt_userns,
@@ -45,11 +44,6 @@ static inline enum hash_algo ima_get_current_hash_algo(void)
return HASH_ALGO__LAST;
}
-static inline int ima_file_check(struct file *file, int mask)
-{
- return 0;
-}
-
static inline void ima_post_create_tmpfile(struct user_namespace *mnt_userns,
struct inode *inode)
{
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index ffebd3236f24..823d660b53ec 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -12,7 +12,7 @@
*
* File: ima_main.c
* implements the IMA hooks: ima_bprm_check, ima_file_mmap,
- * and ima_file_check.
+ * and ima_file_open.
*/
#include <linux/module.h>
@@ -504,25 +504,24 @@ static int ima_bprm_check(struct linux_binprm *bprm)
}
/**
- * ima_file_check - based on policy, collect/store measurement.
+ * ima_file_open - based on policy, collect/store measurement.
* @file: pointer to the file to be measured
- * @mask: contains MAY_READ, MAY_WRITE, MAY_EXEC or MAY_APPEND
*
* Measure files based on the ima_must_measure() policy decision.
*
* On success return 0. On integrity appraisal error, assuming the file
* is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
*/
-int ima_file_check(struct file *file, int mask)
+static int ima_file_open(struct file *file)
{
+ u32 perms = file_to_perms(file);
u32 secid;
security_current_getsecid_subj(&secid);
+
return process_measurement(file, current_cred(), secid, NULL, 0,
- mask & (MAY_READ | MAY_WRITE | MAY_EXEC |
- MAY_APPEND), FILE_CHECK);
+ perms, FILE_CHECK);
}
-EXPORT_SYMBOL_GPL(ima_file_check);
static int __ima_inode_hash(struct inode *inode, struct file *file, char *buf,
size_t buf_size)
@@ -1085,6 +1084,7 @@ static struct security_hook_list ima_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(bprm_check_security, ima_bprm_check),
LSM_HOOK_INIT(mmap_file, ima_file_mmap),
LSM_HOOK_INIT(file_mprotect, ima_file_mprotect),
+ LSM_HOOK_INIT(file_open, ima_file_open),
LSM_HOOK_INIT(file_free_security, ima_file_free),
LSM_HOOK_INIT(kernel_read_file, ima_read_file),
LSM_HOOK_INIT(kernel_post_read_file, ima_post_read_file),
--
2.34.1
next prev parent reply other threads:[~2022-10-13 22:37 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-13 22:36 [PATCH 0/9] integrity: Move hooks into LSM Kees Cook
2022-10-13 22:36 ` [PATCH 1/9] integrity: Prepare for having "ima" and "evm" available in "integrity" LSM Kees Cook
2022-10-14 14:40 ` Mickaël Salaün
2022-10-14 17:59 ` Kees Cook
2022-10-17 9:26 ` Mickaël Salaün
2022-10-17 18:11 ` Kees Cook
2022-10-19 18:33 ` Kees Cook
2022-10-19 19:13 ` Mimi Zohar
2022-10-19 22:37 ` Kees Cook
2022-10-19 14:34 ` Mimi Zohar
2022-10-19 18:28 ` Kees Cook
2022-10-13 22:36 ` [PATCH 2/9] security: Move trivial IMA hooks into LSM Kees Cook
2022-10-19 14:34 ` Mimi Zohar
2022-10-19 18:59 ` Kees Cook
2022-10-19 20:45 ` Mimi Zohar
2022-10-19 23:41 ` Kees Cook
2022-10-20 12:17 ` Mimi Zohar
2022-10-21 14:53 ` Dr. Greg
2022-10-21 15:09 ` Casey Schaufler
2022-10-13 22:36 ` [PATCH 3/9] ima: Move xattr " Kees Cook
2022-10-18 15:07 ` Christian Brauner
2022-10-19 13:24 ` Mimi Zohar
2022-10-13 22:36 ` [PATCH 4/9] ima: Move ima_file_free() " Kees Cook
2022-10-18 15:02 ` Christian Brauner
2022-10-18 15:32 ` Roberto Sassu
2022-10-18 18:29 ` Kees Cook
2022-10-19 6:55 ` Roberto Sassu
2022-10-20 15:47 ` Paul Moore
2022-10-13 22:36 ` [PATCH 5/9] LSM: Introduce inode_post_setattr hook Kees Cook
2022-10-18 14:50 ` Christian Brauner
2022-10-13 22:36 ` [PATCH 6/9] fs: Introduce file_to_perms() helper Kees Cook
2022-10-18 14:10 ` Christian Brauner
2022-10-18 18:25 ` Kees Cook
2022-10-20 17:29 ` Casey Schaufler
2022-10-20 23:04 ` Kees Cook
2022-10-13 22:36 ` Kees Cook [this message]
2022-10-13 22:36 ` [PATCH 8/9] integrity: Move trivial hooks into LSM Kees Cook
2022-10-13 22:36 ` [PATCH 9/9] integrity: Move integrity_inode_get() out of global header Kees Cook
2022-10-13 22:47 ` [PATCH 0/9] integrity: Move hooks into LSM Paul Moore
2022-10-14 1:16 ` Mimi Zohar
2022-10-18 15:31 ` Mickaël Salaün
2022-10-18 15:38 ` Roberto Sassu
2022-10-18 18:31 ` Kees Cook
2022-10-20 17:36 ` Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221013223654.659758-7-keescook@chromium.org \
--to=keescook@chromium.org \
--cc=casey@schaufler-ca.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=kpsingh@kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=noodles@fb.com \
--cc=paul@paul-moore.com \
--cc=serge@hallyn.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox