From: Tyler Hicks <tyhicks@linux.microsoft.com>
To: deven.desai@linux.microsoft.com
Cc: agk@redhat.com, axboe@kernel.dk, snitzer@redhat.com,
jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com,
linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org, dm-devel@redhat.com,
linux-block@vger.kernel.org, jannh@google.com,
pasha.tatashin@soleen.com, sashal@kernel.org,
jaskarankhurana@linux.microsoft.com, nramas@linux.microsoft.com,
mdsakib@linux.microsoft.com, linux-kernel@vger.kernel.org,
corbet@lwn.net
Subject: Re: [RFC PATCH v3 03/12] security: add ipe lsm policy parser and policy loading
Date: Wed, 15 Jul 2020 14:16:17 -0500 [thread overview]
Message-ID: <20200715191617.GD3673@sequoia> (raw)
In-Reply-To: <20200415162550.2324-4-deven.desai@linux.microsoft.com>
On 2020-04-15 09:25:41, deven.desai@linux.microsoft.com wrote:
> From: Deven Bowers <deven.desai@linux.microsoft.com>
>
> Adds the policy parser and the policy loading to IPE, along with the
> related sysfs, securityfs entries, and audit events.
>
> Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
> ---
...
> diff --git a/security/ipe/ipe-sysfs.c b/security/ipe/ipe-sysfs.c
> index 1c65185c531d..a250da29c3b5 100644
> --- a/security/ipe/ipe-sysfs.c
> +++ b/security/ipe/ipe-sysfs.c
> @@ -5,6 +5,7 @@
>
> #include "ipe.h"
> #include "ipe-audit.h"
> +#include "ipe-secfs.h"
>
> #include <linux/sysctl.h>
> #include <linux/fs.h>
> @@ -45,6 +46,79 @@ static int ipe_switch_mode(struct ctl_table *table, int write,
>
> #endif /* CONFIG_SECURITY_IPE_PERMISSIVE_SWITCH */
>
> +#ifdef CONFIG_SECURITYFS
> +
> +/**
> + * ipe_switch_active_policy: Handler to switch the policy IPE is enforcing.
> + * @table: Sysctl table entry from the variable, sysctl_table.
> + * @write: Integer indicating whether this is a write or a read.
> + * @buffer: Data passed to sysctl. This is the policy id to activate,
> + * for this function.
> + * @lenp: Pointer to the size of @buffer.
> + * @ppos: Offset into @buffer.
> + *
> + * This wraps proc_dointvec_minmax, and if there's a change, emits an
> + * audit event.
> + *
> + * Return:
> + * 0 - OK
> + * -ENOMEM - Out of memory
> + * -ENOENT - Policy identified by @id does not exist
> + * Other - See proc_dostring and retrieve_backed_dentry
> + */
> +static int ipe_switch_active_policy(struct ctl_table *table, int write,
> + void __user *buffer, size_t *lenp,
> + loff_t *ppos)
> +{
> + int rc = 0;
> + char *id = NULL;
> + size_t size = 0;
> +
> + if (write) {
I see that the policy files in securityfs, such as new_policy, are
checking for CAP_MAC_ADMIN but there's no check here for CAP_MAC_ADMIN
when switching the active policy. I think we should enforce that cap
here, too.
Thinking about it some more, I find it a little odd that we're spreading
the files necessary to update a policy across both procfs (sysctl) and
securityfs. It looks like procfs will have different semantics than
securityfs after looking at proc_sys_permission(). I suggest moving
strict_parse and active_policy under securityfs for a unified experience
and common location when updating policy.
Tyler
> + id = kzalloc((*lenp) + 1, GFP_KERNEL);
> + if (!id)
> + return -ENOMEM;
> +
> + table->data = id;
> + table->maxlen = (*lenp) + 1;
> +
> + rc = proc_dostring(table, write, buffer, lenp, ppos);
> + if (rc != 0)
> + goto out;
> +
> + rc = ipe_set_active_policy(id, strlen(id));
> + } else {
> + if (!rcu_access_pointer(ipe_active_policy)) {
> + table->data = "";
> + table->maxlen = 1;
> + return proc_dostring(table, write, buffer, lenp, ppos);
> + }
> +
> + rcu_read_lock();
> + size = strlen(rcu_dereference(ipe_active_policy)->policy_name);
> + rcu_read_unlock();
> +
> + id = kzalloc(size + 1, GFP_KERNEL);
> + if (!id)
> + return -ENOMEM;
> +
> + rcu_read_lock();
> + strncpy(id, rcu_dereference(ipe_active_policy)->policy_name,
> + size);
> + rcu_read_unlock();
> +
> + table->data = id;
> + table->maxlen = size;
> +
> + rc = proc_dostring(table, write, buffer, lenp, ppos);
> + }
> +out:
> + kfree(id);
> + return rc;
> +}
> +
> +#endif /* CONFIG_SECURITYFS */
> +
> static struct ctl_table_header *sysctl_header;
>
> static const struct ctl_path sysctl_path[] = {
> @@ -75,6 +149,24 @@ static struct ctl_table sysctl_table[] = {
> .extra1 = SYSCTL_ZERO,
> .extra2 = SYSCTL_ONE,
> },
> +#ifdef CONFIG_SECURITYFS
> + {
> + .procname = "strict_parse",
> + .data = &ipe_strict_parse,
> + .maxlen = sizeof(int),
> + .mode = 0644,
> + .proc_handler = proc_dointvec_minmax,
> + .extra1 = SYSCTL_ZERO,
> + .extra2 = SYSCTL_ONE,
> + },
> + {
> + .procname = "active_policy",
> + .data = NULL,
> + .maxlen = 0,
> + .mode = 0644,
> + .proc_handler = ipe_switch_active_policy,
> + },
> +#endif /* CONFIG_SECURITYFS */
> {}
> };
>
> diff --git a/security/ipe/ipe.c b/security/ipe/ipe.c
> index b6553e370f98..07f855ffb79a 100644
> --- a/security/ipe/ipe.c
> +++ b/security/ipe/ipe.c
> @@ -6,6 +6,7 @@
> #include "ipe.h"
> #include "ipe-policy.h"
> #include "ipe-hooks.h"
> +#include "ipe-secfs.h"
> #include "ipe-sysfs.h"
>
> #include <linux/module.h>
> @@ -60,3 +61,4 @@ DEFINE_LSM(ipe) = {
>
> int ipe_enforce = 1;
> int ipe_success_audit;
> +int ipe_strict_parse;
> diff --git a/security/ipe/ipe.h b/security/ipe/ipe.h
> index 6a47f55b05d9..bf6cf7744b0e 100644
> --- a/security/ipe/ipe.h
> +++ b/security/ipe/ipe.h
> @@ -16,5 +16,6 @@
>
> extern int ipe_enforce;
> extern int ipe_success_audit;
> +extern int ipe_strict_parse;
>
> #endif /* IPE_H */
> --
> 2.26.0
next prev parent reply other threads:[~2020-07-15 19:17 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-15 16:25 [RFC PATCH v3 00/12] Integrity Policy Enforcement LSM (IPE) deven.desai
2020-04-15 16:25 ` [RFC PATCH v3 01/12] scripts: add ipe tooling to generate boot policy deven.desai
2020-04-15 16:25 ` [RFC PATCH v3 02/12] security: add ipe lsm evaluation loop and audit system deven.desai
2020-04-15 16:25 ` [RFC PATCH v3 03/12] security: add ipe lsm policy parser and policy loading deven.desai
2020-07-15 19:16 ` Tyler Hicks [this message]
2020-04-15 16:25 ` [RFC PATCH v3 04/12] ipe: add property for trust of boot volume deven.desai
2020-04-15 16:25 ` [RFC PATCH v3 05/12] fs: add security blob and hooks for block_device deven.desai
2020-04-22 16:42 ` James Morris
2020-04-22 16:55 ` Casey Schaufler
2020-04-15 16:25 ` [RFC PATCH v3 06/12] dm-verity: move signature check after tree validation deven.desai
2020-04-15 16:25 ` [RFC PATCH v3 07/12] dm-verity: add bdev_setsecurity hook for dm-verity signature deven.desai
2020-04-15 16:25 ` [RFC PATCH v3 08/12] ipe: add property for signed dmverity volumes deven.desai
2020-04-15 16:25 ` [RFC PATCH v3 09/12] dm-verity: add bdev_setsecurity hook for root-hash deven.desai
2020-04-15 16:25 ` [RFC PATCH v3 10/12] ipe: add property for dmverity roothash deven.desai
2020-04-15 16:25 ` [RFC PATCH v3 11/12] documentation: add ipe documentation deven.desai
2020-04-15 16:25 ` [RFC PATCH v3 12/12] cleanup: uapi/linux/audit.h deven.desai
2020-05-10 9:28 ` [RFC PATCH v3 00/12] Integrity Policy Enforcement LSM (IPE) Mickaël Salaün
2020-05-11 18:03 ` Deven Bowers
2020-05-12 20:46 ` Deven Bowers
2020-05-14 19:28 ` Mickaël Salaün
2020-05-16 22:14 ` Jaskaran Singh Khurana
2020-05-26 20:44 ` Jaskaran Singh Khurana
2020-05-29 8:18 ` Mickaël Salaün
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200715191617.GD3673@sequoia \
--to=tyhicks@linux.microsoft.com \
--cc=agk@redhat.com \
--cc=axboe@kernel.dk \
--cc=corbet@lwn.net \
--cc=deven.desai@linux.microsoft.com \
--cc=dm-devel@redhat.com \
--cc=jannh@google.com \
--cc=jaskarankhurana@linux.microsoft.com \
--cc=jmorris@namei.org \
--cc=linux-block@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mdsakib@linux.microsoft.com \
--cc=nramas@linux.microsoft.com \
--cc=pasha.tatashin@soleen.com \
--cc=sashal@kernel.org \
--cc=serge@hallyn.com \
--cc=snitzer@redhat.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).