* Re: integrity: nfsd imbalance bug fix [not found] ` <1240943534.4143.55.camel-Ip4+SIe7dfOMop5i0OabyFN1H4us77DDVpNB7YpNyf8@public.gmane.org> @ 2009-04-28 22:56 ` James Morris 2009-04-29 21:18 ` Andrew Morton 1 sibling, 0 replies; 6+ messages in thread From: James Morris @ 2009-04-28 22:56 UTC (permalink / raw) To: Mimi Zohar Cc: linux-kernel, hooanon05-/E1597aS9LR3+QwDJ9on6Q, david safford, J. Bruce Fields, linux-nfs On Tue, 28 Apr 2009, Mimi Zohar wrote: > The number of calls to ima_path_check()/ima_file_free() > should be balanced. An extra call to fput(), indicates > the file could have been accessed without first being > measured. > > An nfsd exported file is opened/closed by the kernel > causing an integrity imbalance message. [Adding NFS folk to the CC] > > - rename and export opencount_get to ima_opencount_get > - replace ima_shm_check calls with ima_opencount_get > - add call to increment opencount for files opened by nfsd. > - add call to measure exported files in nfsd_permission(). > - export ima_path_check > > Signed-off-by: Mimi Zohar <zohar@us.ibm.com> > > Index: security-testing-2.6/fs/nfsd/vfs.c > =================================================================== > --- security-testing-2.6.orig/fs/nfsd/vfs.c > +++ security-testing-2.6/fs/nfsd/vfs.c > @@ -55,6 +55,7 @@ > #include <linux/security.h> > #endif /* CONFIG_NFSD_V4 */ > #include <linux/jhash.h> > +#include <linux/ima.h> > > #include <asm/uaccess.h> > > @@ -735,6 +736,8 @@ nfsd_open(struct svc_rqst *rqstp, struct > flags, cred); > if (IS_ERR(*filp)) > host_err = PTR_ERR(*filp); > + else > + ima_opencount_get(*filp); > out_nfserr: > err = nfserrno(host_err); > out: > @@ -2096,7 +2099,13 @@ nfsd_permission(struct svc_rqst *rqstp, > if (err == -EACCES && S_ISREG(inode->i_mode) && > acc == (NFSD_MAY_READ | NFSD_MAY_OWNER_OVERRIDE)) > err = inode_permission(inode, MAY_EXEC); > + if (err) > + goto nfsd_out; > > + err = ima_path_check(&exp->ex_path, > + acc & (MAY_READ | MAY_WRITE | MAY_EXEC)); > + return err; > +nfsd_out: > return err? nfserrno(err) : 0; > } > > Index: security-testing-2.6/security/integrity/ima/ima_main.c > =================================================================== > --- security-testing-2.6.orig/security/integrity/ima/ima_main.c > +++ security-testing-2.6/security/integrity/ima/ima_main.c > @@ -206,6 +206,7 @@ out: > kref_put(&iint->refcount, iint_free); > return 0; > } > +EXPORT_SYMBOL_GPL(ima_path_check); > > static int process_measurement(struct file *file, const unsigned char *filename, > int mask, int function) > @@ -234,7 +235,16 @@ out: > return rc; > } > > -static void opencount_get(struct file *file) > +/* > + * ima_opencount_get - incr opencount for files opened by the kernel > + * > + * - IPC shm and shmat create/fput a file. > + * - nfsd opens/closes exported files. > + * > + * Increment the opencount for these files to prevent unnecessary > + * imbalance messages. > + */ > +void ima_opencount_get(struct file *file) > { > struct inode *inode = file->f_dentry->d_inode; > struct ima_iint_cache *iint; > @@ -248,6 +258,7 @@ static void opencount_get(struct file *f > iint->opencount++; > mutex_unlock(&iint->mutex); > } > +EXPORT_SYMBOL_GPL(ima_opencount_get); > > /** > * ima_file_mmap - based on policy, collect/store measurement. > @@ -272,18 +283,6 @@ int ima_file_mmap(struct file *file, uns > return 0; > } > > -/* > - * ima_shm_check - IPC shm and shmat create/fput a file > - * > - * Maintain the opencount for these files to prevent unnecessary > - * imbalance messages. > - */ > -void ima_shm_check(struct file *file) > -{ > - opencount_get(file); > - return; > -} > - > /** > * ima_bprm_check - based on policy, collect/store measurement. > * @bprm: contains the linux_binprm structure > Index: security-testing-2.6/include/linux/ima.h > =================================================================== > --- security-testing-2.6.orig/include/linux/ima.h > +++ security-testing-2.6/include/linux/ima.h > @@ -20,7 +20,7 @@ extern void ima_inode_free(struct inode > extern int ima_path_check(struct path *path, int mask); > extern void ima_file_free(struct file *file); > extern int ima_file_mmap(struct file *file, unsigned long prot); > -extern void ima_shm_check(struct file *file); > +extern void ima_opencount_get(struct file *file); > > #else > static inline int ima_bprm_check(struct linux_binprm *bprm) > @@ -53,7 +53,7 @@ static inline int ima_file_mmap(struct f > return 0; > } > > -static inline void ima_shm_check(struct file *file) > +static inline void ima_opencount_get(struct file *file) > { > return; > } > Index: security-testing-2.6/ipc/shm.c > =================================================================== > --- security-testing-2.6.orig/ipc/shm.c > +++ security-testing-2.6/ipc/shm.c > @@ -384,7 +384,7 @@ static int newseg(struct ipc_namespace * > error = PTR_ERR(file); > if (IS_ERR(file)) > goto no_file; > - ima_shm_check(file); > + ima_opencount_get(file); > > id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni); > if (id < 0) { > @@ -891,7 +891,7 @@ long do_shmat(int shmid, char __user *sh > file = alloc_file(path.mnt, path.dentry, f_mode, &shm_file_operations); > if (!file) > goto out_free; > - ima_shm_check(file); > + ima_opencount_get(file); > > file->private_data = sfd; > file->f_mapping = shp->shm_file->f_mapping; > Index: security-testing-2.6/mm/shmem.c > =================================================================== > --- security-testing-2.6.orig/mm/shmem.c > +++ security-testing-2.6/mm/shmem.c > @@ -2680,7 +2680,7 @@ int shmem_zero_setup(struct vm_area_stru > if (IS_ERR(file)) > return PTR_ERR(file); > > - ima_shm_check(file); > + ima_opencount_get(file); > if (vma->vm_file) > fput(vma->vm_file); > vma->vm_file = file; > > -- James Morris <jmorris@namei.org> ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: integrity: nfsd imbalance bug fix [not found] ` <1240943534.4143.55.camel-Ip4+SIe7dfOMop5i0OabyFN1H4us77DDVpNB7YpNyf8@public.gmane.org> 2009-04-28 22:56 ` integrity: nfsd imbalance bug fix James Morris @ 2009-04-29 21:18 ` Andrew Morton 2009-05-08 17:35 ` Mimi Zohar 1 sibling, 1 reply; 6+ messages in thread From: Andrew Morton @ 2009-04-29 21:18 UTC (permalink / raw) To: Mimi Zohar Cc: linux-kernel, hooanon05-/E1597aS9LR3+QwDJ9on6Q, jmorris, safford-aZOuKsOsJu3MbYB6QlFGEg, J. Bruce Fields, linux-nfs On Tue, 28 Apr 2009 14:32:14 -0400 Mimi Zohar <zohar@linux.vnet.ibm.com> wrote: > The number of calls to ima_path_check()/ima_file_free() > should be balanced. An extra call to fput(), indicates > the file could have been accessed without first being > measured. > > An nfsd exported file is opened/closed by the kernel > causing an integrity imbalance message. > > - rename and export opencount_get to ima_opencount_get > - replace ima_shm_check calls with ima_opencount_get > - add call to increment opencount for files opened by nfsd. > - add call to measure exported files in nfsd_permission(). > - export ima_path_check > The patch looks fragile to me. It sprinkles IMA-specific operations over random unrelated subsystems. There is hence a decent chance of breakage in the future. Suppose some other new piece of kernel code opens/closes a file. The developer didn't think to add the IMA hooks and whoops, we have a bug. It would be really really better if we could add the IMA hooks in a single place. That might require the addition of a new function, and that's fine. d_instantiate_kernel() or init_file_kernel() or whatever - that's fine. It still has the risk that new code will forget to use the in-kernel variant, but we have a better chance of detecting it. > > Index: security-testing-2.6/fs/nfsd/vfs.c > =================================================================== > --- security-testing-2.6.orig/fs/nfsd/vfs.c > +++ security-testing-2.6/fs/nfsd/vfs.c > @@ -55,6 +55,7 @@ > #include <linux/security.h> > #endif /* CONFIG_NFSD_V4 */ > #include <linux/jhash.h> > +#include <linux/ima.h> > > #include <asm/uaccess.h> > > @@ -735,6 +736,8 @@ nfsd_open(struct svc_rqst *rqstp, struct > flags, cred); > if (IS_ERR(*filp)) > host_err = PTR_ERR(*filp); > + else > + ima_opencount_get(*filp); This suggests dentry_open_kernel(). > out_nfserr: > err = nfserrno(host_err); > out: > @@ -2096,7 +2099,13 @@ nfsd_permission(struct svc_rqst *rqstp, > if (err == -EACCES && S_ISREG(inode->i_mode) && > acc == (NFSD_MAY_READ | NFSD_MAY_OWNER_OVERRIDE)) > err = inode_permission(inode, MAY_EXEC); > + if (err) > + goto nfsd_out; > > + err = ima_path_check(&exp->ex_path, > + acc & (MAY_READ | MAY_WRITE | MAY_EXEC)); hm, dunno what to do about that. > + return err; > +nfsd_out: > return err? nfserrno(err) : 0; > } > > Index: security-testing-2.6/security/integrity/ima/ima_main.c > =================================================================== > --- security-testing-2.6.orig/security/integrity/ima/ima_main.c > +++ security-testing-2.6/security/integrity/ima/ima_main.c > @@ -206,6 +206,7 @@ out: > kref_put(&iint->refcount, iint_free); > return 0; > } > +EXPORT_SYMBOL_GPL(ima_path_check); > > static int process_measurement(struct file *file, const unsigned char *filename, > int mask, int function) > @@ -234,7 +235,16 @@ out: > return rc; > } > > -static void opencount_get(struct file *file) > +/* > + * ima_opencount_get - incr opencount for files opened by the kernel > + * > + * - IPC shm and shmat create/fput a file. > + * - nfsd opens/closes exported files. > + * > + * Increment the opencount for these files to prevent unnecessary > + * imbalance messages. > + */ > +void ima_opencount_get(struct file *file) > { > struct inode *inode = file->f_dentry->d_inode; > struct ima_iint_cache *iint; > @@ -248,6 +258,7 @@ static void opencount_get(struct file *f > iint->opencount++; > mutex_unlock(&iint->mutex); > } > +EXPORT_SYMBOL_GPL(ima_opencount_get); > > /** > * ima_file_mmap - based on policy, collect/store measurement. > @@ -272,18 +283,6 @@ int ima_file_mmap(struct file *file, uns > return 0; > } > > -/* > - * ima_shm_check - IPC shm and shmat create/fput a file > - * > - * Maintain the opencount for these files to prevent unnecessary > - * imbalance messages. > - */ > -void ima_shm_check(struct file *file) > -{ > - opencount_get(file); > - return; > -} > - > /** > * ima_bprm_check - based on policy, collect/store measurement. > * @bprm: contains the linux_binprm structure > Index: security-testing-2.6/include/linux/ima.h > =================================================================== > --- security-testing-2.6.orig/include/linux/ima.h > +++ security-testing-2.6/include/linux/ima.h > @@ -20,7 +20,7 @@ extern void ima_inode_free(struct inode > extern int ima_path_check(struct path *path, int mask); > extern void ima_file_free(struct file *file); > extern int ima_file_mmap(struct file *file, unsigned long prot); > -extern void ima_shm_check(struct file *file); > +extern void ima_opencount_get(struct file *file); > > #else > static inline int ima_bprm_check(struct linux_binprm *bprm) > @@ -53,7 +53,7 @@ static inline int ima_file_mmap(struct f > return 0; > } > > -static inline void ima_shm_check(struct file *file) > +static inline void ima_opencount_get(struct file *file) > { > return; > } > Index: security-testing-2.6/ipc/shm.c > =================================================================== > --- security-testing-2.6.orig/ipc/shm.c > +++ security-testing-2.6/ipc/shm.c > @@ -384,7 +384,7 @@ static int newseg(struct ipc_namespace * > error = PTR_ERR(file); > if (IS_ERR(file)) > goto no_file; > - ima_shm_check(file); > + ima_opencount_get(file); > > id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni); > if (id < 0) { > @@ -891,7 +891,7 @@ long do_shmat(int shmid, char __user *sh > file = alloc_file(path.mnt, path.dentry, f_mode, &shm_file_operations); > if (!file) > goto out_free; > - ima_shm_check(file); > + ima_opencount_get(file); > > file->private_data = sfd; > file->f_mapping = shp->shm_file->f_mapping; > Index: security-testing-2.6/mm/shmem.c > =================================================================== > --- security-testing-2.6.orig/mm/shmem.c > +++ security-testing-2.6/mm/shmem.c > @@ -2680,7 +2680,7 @@ int shmem_zero_setup(struct vm_area_stru > if (IS_ERR(file)) > return PTR_ERR(file); > > - ima_shm_check(file); > + ima_opencount_get(file); > if (vma->vm_file) > fput(vma->vm_file); > vma->vm_file = file; Maybe do the IMA operations in (or under) shmem_file_setup() and hugetlb_file_setup()? ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: integrity: nfsd imbalance bug fix 2009-04-29 21:18 ` Andrew Morton @ 2009-05-08 17:35 ` Mimi Zohar [not found] ` <1241804120.4843.7.camel-Ip4+SIe7dfOMop5i0OabyFN1H4us77DDVpNB7YpNyf8@public.gmane.org> 0 siblings, 1 reply; 6+ messages in thread From: Mimi Zohar @ 2009-05-08 17:35 UTC (permalink / raw) To: Andrew Morton Cc: linux-kernel, hooanon05-/E1597aS9LR3+QwDJ9on6Q, jmorris, safford-aZOuKsOsJu3MbYB6QlFGEg, J. Bruce Fields, linux-nfs On Wed, 2009-04-29 at 14:18 -0700, Andrew Morton wrote: > On Tue, 28 Apr 2009 14:32:14 -0400 > Mimi Zohar <zohar@linux.vnet.ibm.com> wrote: > > > The number of calls to ima_path_check()/ima_file_free() > > should be balanced. An extra call to fput(), indicates > > the file could have been accessed without first being > > measured. > > > > An nfsd exported file is opened/closed by the kernel > > causing an integrity imbalance message. > > > > - rename and export opencount_get to ima_opencount_get > > - replace ima_shm_check calls with ima_opencount_get > > - add call to increment opencount for files opened by nfsd. > > - add call to measure exported files in nfsd_permission(). > > - export ima_path_check > > > > The patch looks fragile to me. It sprinkles IMA-specific operations > over random unrelated subsystems. There is hence a decent chance of > breakage in the future. > > Suppose some other new piece of kernel code opens/closes a file. The > developer didn't think to add the IMA hooks and whoops, we have a bug. Agreed. Exactly for that reason we have the imbalance message. The imbalance message is not a bug per se, but an indication that the file hasn't been integrity (permission) checked. > It would be really really better if we could add the IMA hooks in a > single place. That might require the addition of a new function, and > that's fine. d_instantiate_kernel() or init_file_kernel() or whatever > - that's fine. It still has the risk that new code will forget to use > the in-kernel variant, but we have a better chance of detecting it. Definitely. Originally the integrity checking was in inode_permission(). But measuring a file requires a dentry and mount point. I've updated the patch to fix a 'counts' error and divided the patch into two, separating the IMA code changes from the IMA calls in nfsd. > > > > Index: security-testing-2.6/fs/nfsd/vfs.c > > =================================================================== > > --- security-testing-2.6.orig/fs/nfsd/vfs.c > > +++ security-testing-2.6/fs/nfsd/vfs.c > > @@ -55,6 +55,7 @@ > > #include <linux/security.h> > > #endif /* CONFIG_NFSD_V4 */ > > #include <linux/jhash.h> > > +#include <linux/ima.h> > > > > #include <asm/uaccess.h> > > > > @@ -735,6 +736,8 @@ nfsd_open(struct svc_rqst *rqstp, struct > > flags, cred); > > if (IS_ERR(*filp)) > > host_err = PTR_ERR(*filp); > > + else > > + ima_opencount_get(*filp); > > This suggests dentry_open_kernel(). Good name, but making dentry_open_kernel() the default behavior, would mask the real bug - not doing integrity (permission) checking. > > > out_nfserr: > > err = nfserrno(host_err); > > out: > > @@ -2096,7 +2099,13 @@ nfsd_permission(struct svc_rqst *rqstp, > > if (err == -EACCES && S_ISREG(inode->i_mode) && > > acc == (NFSD_MAY_READ | NFSD_MAY_OWNER_OVERRIDE)) > > err = inode_permission(inode, MAY_EXEC); > > + if (err) > > + goto nfsd_out; > > > > + err = ima_path_check(&exp->ex_path, > > + acc & (MAY_READ | MAY_WRITE | MAY_EXEC)); > > hm, dunno what to do about that. The real problem is that this belongs in inode_permission(), but an inode is not enough. It requires a dentry and mount point to measure the file. > > + return err; > > +nfsd_out: > > return err? nfserrno(err) : 0; > > } > > > > Index: security-testing-2.6/security/integrity/ima/ima_main.c > > =================================================================== > > --- security-testing-2.6.orig/security/integrity/ima/ima_main.c > > +++ security-testing-2.6/security/integrity/ima/ima_main.c > > @@ -206,6 +206,7 @@ out: > > kref_put(&iint->refcount, iint_free); > > return 0; > > } > > +EXPORT_SYMBOL_GPL(ima_path_check); > > > > static int process_measurement(struct file *file, const unsigned char *filename, > > int mask, int function) > > @@ -234,7 +235,16 @@ out: > > return rc; > > } > > > > -static void opencount_get(struct file *file) > > +/* > > + * ima_opencount_get - incr opencount for files opened by the kernel > > + * > > + * - IPC shm and shmat create/fput a file. > > + * - nfsd opens/closes exported files. > > + * > > + * Increment the opencount for these files to prevent unnecessary > > + * imbalance messages. > > + */ > > +void ima_opencount_get(struct file *file) > > { > > struct inode *inode = file->f_dentry->d_inode; > > struct ima_iint_cache *iint; > > @@ -248,6 +258,7 @@ static void opencount_get(struct file *f > > iint->opencount++; > > mutex_unlock(&iint->mutex); > > } > > +EXPORT_SYMBOL_GPL(ima_opencount_get); > > > > /** > > * ima_file_mmap - based on policy, collect/store measurement. > > @@ -272,18 +283,6 @@ int ima_file_mmap(struct file *file, uns > > return 0; > > } > > > > -/* > > - * ima_shm_check - IPC shm and shmat create/fput a file > > - * > > - * Maintain the opencount for these files to prevent unnecessary > > - * imbalance messages. > > - */ > > -void ima_shm_check(struct file *file) > > -{ > > - opencount_get(file); > > - return; > > -} > > - > > /** > > * ima_bprm_check - based on policy, collect/store measurement. > > * @bprm: contains the linux_binprm structure > > Index: security-testing-2.6/include/linux/ima.h > > =================================================================== > > --- security-testing-2.6.orig/include/linux/ima.h > > +++ security-testing-2.6/include/linux/ima.h > > @@ -20,7 +20,7 @@ extern void ima_inode_free(struct inode > > extern int ima_path_check(struct path *path, int mask); > > extern void ima_file_free(struct file *file); > > extern int ima_file_mmap(struct file *file, unsigned long prot); > > -extern void ima_shm_check(struct file *file); > > +extern void ima_opencount_get(struct file *file); > > > > #else > > static inline int ima_bprm_check(struct linux_binprm *bprm) > > @@ -53,7 +53,7 @@ static inline int ima_file_mmap(struct f > > return 0; > > } > > > > -static inline void ima_shm_check(struct file *file) > > +static inline void ima_opencount_get(struct file *file) > > { > > return; > > } > > Index: security-testing-2.6/ipc/shm.c > > =================================================================== > > --- security-testing-2.6.orig/ipc/shm.c > > +++ security-testing-2.6/ipc/shm.c > > @@ -384,7 +384,7 @@ static int newseg(struct ipc_namespace * > > error = PTR_ERR(file); > > if (IS_ERR(file)) > > goto no_file; > > - ima_shm_check(file); > > + ima_opencount_get(file); > > > > id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni); > > if (id < 0) { > > @@ -891,7 +891,7 @@ long do_shmat(int shmid, char __user *sh > > file = alloc_file(path.mnt, path.dentry, f_mode, &shm_file_operations); > > if (!file) > > goto out_free; > > - ima_shm_check(file); > > + ima_opencount_get(file); > > > > file->private_data = sfd; > > file->f_mapping = shp->shm_file->f_mapping; > > Index: security-testing-2.6/mm/shmem.c > > =================================================================== > > --- security-testing-2.6.orig/mm/shmem.c > > +++ security-testing-2.6/mm/shmem.c > > @@ -2680,7 +2680,7 @@ int shmem_zero_setup(struct vm_area_stru > > if (IS_ERR(file)) > > return PTR_ERR(file); > > > > - ima_shm_check(file); > > + ima_opencount_get(file); > > if (vma->vm_file) > > fput(vma->vm_file); > > vma->vm_file = file; > > Maybe do the IMA operations in (or under) shmem_file_setup() and > hugetlb_file_setup()? Again, that would hide the real issue of not having done integrity (permission) checking. Mimi ^ permalink raw reply [flat|nested] 6+ messages in thread
[parent not found: <1241804120.4843.7.camel-Ip4+SIe7dfOMop5i0OabyFN1H4us77DDVpNB7YpNyf8@public.gmane.org>]
* Re: integrity: nfsd imbalance bug fix [not found] ` <1241804120.4843.7.camel-Ip4+SIe7dfOMop5i0OabyFN1H4us77DDVpNB7YpNyf8@public.gmane.org> @ 2009-05-08 18:07 ` J. Bruce Fields 2009-05-08 18:47 ` Mimi Zohar 2009-05-11 20:09 ` Eric Paris 1 sibling, 1 reply; 6+ messages in thread From: J. Bruce Fields @ 2009-05-08 18:07 UTC (permalink / raw) To: Mimi Zohar Cc: Andrew Morton, linux-kernel, hooanon05-/E1597aS9LR3+QwDJ9on6Q, jmorris, safford-aZOuKsOsJu3MbYB6QlFGEg, linux-nfs On Fri, May 08, 2009 at 01:35:20PM -0400, Mimi Zohar wrote: > On Wed, 2009-04-29 at 14:18 -0700, Andrew Morton wrote: > > On Tue, 28 Apr 2009 14:32:14 -0400 > > Mimi Zohar <zohar@linux.vnet.ibm.com> wrote: > > > > > The number of calls to ima_path_check()/ima_file_free() > > > should be balanced. An extra call to fput(), indicates > > > the file could have been accessed without first being > > > measured. > > > > > > An nfsd exported file is opened/closed by the kernel > > > causing an integrity imbalance message. > > > > > > - rename and export opencount_get to ima_opencount_get > > > - replace ima_shm_check calls with ima_opencount_get > > > - add call to increment opencount for files opened by nfsd. > > > - add call to measure exported files in nfsd_permission(). > > > - export ima_path_check > > > > > > > The patch looks fragile to me. It sprinkles IMA-specific operations > > over random unrelated subsystems. There is hence a decent chance of > > breakage in the future. > > > > Suppose some other new piece of kernel code opens/closes a file. The > > developer didn't think to add the IMA hooks and whoops, we have a bug. > > Agreed. Exactly for that reason we have the imbalance message. The > imbalance message is not a bug per se, but an indication that the > file hasn't been integrity (permission) checked. Where do I need to go to find out what this integrity checking is? I don't know the first thing about it.... --b. > > > It would be really really better if we could add the IMA hooks in a > > single place. That might require the addition of a new function, and > > that's fine. d_instantiate_kernel() or init_file_kernel() or whatever > > - that's fine. It still has the risk that new code will forget to use > > the in-kernel variant, but we have a better chance of detecting it. > > Definitely. Originally the integrity checking was in inode_permission(). > But measuring a file requires a dentry and mount point. > > I've updated the patch to fix a 'counts' error and divided the patch > into two, separating the IMA code changes from the IMA calls in nfsd. > > > > > > > Index: security-testing-2.6/fs/nfsd/vfs.c > > > =================================================================== > > > --- security-testing-2.6.orig/fs/nfsd/vfs.c > > > +++ security-testing-2.6/fs/nfsd/vfs.c > > > @@ -55,6 +55,7 @@ > > > #include <linux/security.h> > > > #endif /* CONFIG_NFSD_V4 */ > > > #include <linux/jhash.h> > > > +#include <linux/ima.h> > > > > > > #include <asm/uaccess.h> > > > > > > @@ -735,6 +736,8 @@ nfsd_open(struct svc_rqst *rqstp, struct > > > flags, cred); > > > if (IS_ERR(*filp)) > > > host_err = PTR_ERR(*filp); > > > + else > > > + ima_opencount_get(*filp); > > > > This suggests dentry_open_kernel(). > > Good name, but making dentry_open_kernel() the default behavior, > would mask the real bug - not doing integrity (permission) checking. > > > > > > out_nfserr: > > > err = nfserrno(host_err); > > > out: > > > @@ -2096,7 +2099,13 @@ nfsd_permission(struct svc_rqst *rqstp, > > > if (err == -EACCES && S_ISREG(inode->i_mode) && > > > acc == (NFSD_MAY_READ | NFSD_MAY_OWNER_OVERRIDE)) > > > err = inode_permission(inode, MAY_EXEC); > > > + if (err) > > > + goto nfsd_out; > > > > > > + err = ima_path_check(&exp->ex_path, > > > + acc & (MAY_READ | MAY_WRITE | MAY_EXEC)); > > > > hm, dunno what to do about that. > > The real problem is that this belongs in inode_permission(), but an > inode is not enough. It requires a dentry and mount point to > measure the file. > > > > + return err; > > > +nfsd_out: > > > return err? nfserrno(err) : 0; > > > } > > > > > > Index: security-testing-2.6/security/integrity/ima/ima_main.c > > > =================================================================== > > > --- security-testing-2.6.orig/security/integrity/ima/ima_main.c > > > +++ security-testing-2.6/security/integrity/ima/ima_main.c > > > @@ -206,6 +206,7 @@ out: > > > kref_put(&iint->refcount, iint_free); > > > return 0; > > > } > > > +EXPORT_SYMBOL_GPL(ima_path_check); > > > > > > static int process_measurement(struct file *file, const unsigned char *filename, > > > int mask, int function) > > > @@ -234,7 +235,16 @@ out: > > > return rc; > > > } > > > > > > -static void opencount_get(struct file *file) > > > +/* > > > + * ima_opencount_get - incr opencount for files opened by the kernel > > > + * > > > + * - IPC shm and shmat create/fput a file. > > > + * - nfsd opens/closes exported files. > > > + * > > > + * Increment the opencount for these files to prevent unnecessary > > > + * imbalance messages. > > > + */ > > > +void ima_opencount_get(struct file *file) > > > { > > > struct inode *inode = file->f_dentry->d_inode; > > > struct ima_iint_cache *iint; > > > @@ -248,6 +258,7 @@ static void opencount_get(struct file *f > > > iint->opencount++; > > > mutex_unlock(&iint->mutex); > > > } > > > +EXPORT_SYMBOL_GPL(ima_opencount_get); > > > > > > /** > > > * ima_file_mmap - based on policy, collect/store measurement. > > > @@ -272,18 +283,6 @@ int ima_file_mmap(struct file *file, uns > > > return 0; > > > } > > > > > > -/* > > > - * ima_shm_check - IPC shm and shmat create/fput a file > > > - * > > > - * Maintain the opencount for these files to prevent unnecessary > > > - * imbalance messages. > > > - */ > > > -void ima_shm_check(struct file *file) > > > -{ > > > - opencount_get(file); > > > - return; > > > -} > > > - > > > /** > > > * ima_bprm_check - based on policy, collect/store measurement. > > > * @bprm: contains the linux_binprm structure > > > Index: security-testing-2.6/include/linux/ima.h > > > =================================================================== > > > --- security-testing-2.6.orig/include/linux/ima.h > > > +++ security-testing-2.6/include/linux/ima.h > > > @@ -20,7 +20,7 @@ extern void ima_inode_free(struct inode > > > extern int ima_path_check(struct path *path, int mask); > > > extern void ima_file_free(struct file *file); > > > extern int ima_file_mmap(struct file *file, unsigned long prot); > > > -extern void ima_shm_check(struct file *file); > > > +extern void ima_opencount_get(struct file *file); > > > > > > #else > > > static inline int ima_bprm_check(struct linux_binprm *bprm) > > > @@ -53,7 +53,7 @@ static inline int ima_file_mmap(struct f > > > return 0; > > > } > > > > > > -static inline void ima_shm_check(struct file *file) > > > +static inline void ima_opencount_get(struct file *file) > > > { > > > return; > > > } > > > Index: security-testing-2.6/ipc/shm.c > > > =================================================================== > > > --- security-testing-2.6.orig/ipc/shm.c > > > +++ security-testing-2.6/ipc/shm.c > > > @@ -384,7 +384,7 @@ static int newseg(struct ipc_namespace * > > > error = PTR_ERR(file); > > > if (IS_ERR(file)) > > > goto no_file; > > > - ima_shm_check(file); > > > + ima_opencount_get(file); > > > > > > id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni); > > > if (id < 0) { > > > @@ -891,7 +891,7 @@ long do_shmat(int shmid, char __user *sh > > > file = alloc_file(path.mnt, path.dentry, f_mode, &shm_file_operations); > > > if (!file) > > > goto out_free; > > > - ima_shm_check(file); > > > + ima_opencount_get(file); > > > > > > file->private_data = sfd; > > > file->f_mapping = shp->shm_file->f_mapping; > > > Index: security-testing-2.6/mm/shmem.c > > > =================================================================== > > > --- security-testing-2.6.orig/mm/shmem.c > > > +++ security-testing-2.6/mm/shmem.c > > > @@ -2680,7 +2680,7 @@ int shmem_zero_setup(struct vm_area_stru > > > if (IS_ERR(file)) > > > return PTR_ERR(file); > > > > > > - ima_shm_check(file); > > > + ima_opencount_get(file); > > > if (vma->vm_file) > > > fput(vma->vm_file); > > > vma->vm_file = file; > > > > Maybe do the IMA operations in (or under) shmem_file_setup() and > > hugetlb_file_setup()? > > Again, that would hide the real issue of not having done integrity > (permission) checking. > > Mimi > ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: integrity: nfsd imbalance bug fix 2009-05-08 18:07 ` J. Bruce Fields @ 2009-05-08 18:47 ` Mimi Zohar 0 siblings, 0 replies; 6+ messages in thread From: Mimi Zohar @ 2009-05-08 18:47 UTC (permalink / raw) To: J. Bruce Fields Cc: Andrew Morton, linux-kernel, hooanon05, jmorris, safford, linux-nfs On Fri, 2009-05-08 at 14:07 -0400, J. Bruce Fields wrote: > On Fri, May 08, 2009 at 01:35:20PM -0400, Mimi Zohar wrote: > > On Wed, 2009-04-29 at 14:18 -0700, Andrew Morton wrote: > > > On Tue, 28 Apr 2009 14:32:14 -0400 > > > Mimi Zohar <zohar@linux.vnet.ibm.com> wrote: > > > > > > > The number of calls to ima_path_check()/ima_file_free() > > > > should be balanced. An extra call to fput(), indicates > > > > the file could have been accessed without first being > > > > measured. > > > > > > > > An nfsd exported file is opened/closed by the kernel > > > > causing an integrity imbalance message. > > > > > > > > - rename and export opencount_get to ima_opencount_get > > > > - replace ima_shm_check calls with ima_opencount_get > > > > - add call to increment opencount for files opened by nfsd. > > > > - add call to measure exported files in nfsd_permission(). > > > > - export ima_path_check > > > > > > > > > > The patch looks fragile to me. It sprinkles IMA-specific operations > > > over random unrelated subsystems. There is hence a decent chance of > > > breakage in the future. > > > > > > Suppose some other new piece of kernel code opens/closes a file. The > > > developer didn't think to add the IMA hooks and whoops, we have a bug. > > > > Agreed. Exactly for that reason we have the imbalance message. The > > imbalance message is not a bug per se, but an indication that the > > file hasn't been integrity (permission) checked. > > Where do I need to go to find out what this integrity checking is? I > don't know the first thing about it.... > > --b. I'd start with the patch descriptions http://lkml.org/lkml/2009/2/4/251 and security/integrity/ima/Kconfig, which has a pointer to the initial paper on IMA. Documentation/ABI/testing/ima_policy contains information on defining a config file. Mimi > > > > > It would be really really better if we could add the IMA hooks in a > > > single place. That might require the addition of a new function, and > > > that's fine. d_instantiate_kernel() or init_file_kernel() or whatever > > > - that's fine. It still has the risk that new code will forget to use > > > the in-kernel variant, but we have a better chance of detecting it. > > > > Definitely. Originally the integrity checking was in inode_permission(). > > But measuring a file requires a dentry and mount point. > > > > I've updated the patch to fix a 'counts' error and divided the patch > > into two, separating the IMA code changes from the IMA calls in nfsd. > > > > > > > > > > Index: security-testing-2.6/fs/nfsd/vfs.c > > > > =================================================================== > > > > --- security-testing-2.6.orig/fs/nfsd/vfs.c > > > > +++ security-testing-2.6/fs/nfsd/vfs.c > > > > @@ -55,6 +55,7 @@ > > > > #include <linux/security.h> > > > > #endif /* CONFIG_NFSD_V4 */ > > > > #include <linux/jhash.h> > > > > +#include <linux/ima.h> > > > > > > > > #include <asm/uaccess.h> > > > > > > > > @@ -735,6 +736,8 @@ nfsd_open(struct svc_rqst *rqstp, struct > > > > flags, cred); > > > > if (IS_ERR(*filp)) > > > > host_err = PTR_ERR(*filp); > > > > + else > > > > + ima_opencount_get(*filp); > > > > > > This suggests dentry_open_kernel(). > > > > Good name, but making dentry_open_kernel() the default behavior, > > would mask the real bug - not doing integrity (permission) checking. > > > > > > > > > out_nfserr: > > > > err = nfserrno(host_err); > > > > out: > > > > @@ -2096,7 +2099,13 @@ nfsd_permission(struct svc_rqst *rqstp, > > > > if (err == -EACCES && S_ISREG(inode->i_mode) && > > > > acc == (NFSD_MAY_READ | NFSD_MAY_OWNER_OVERRIDE)) > > > > err = inode_permission(inode, MAY_EXEC); > > > > + if (err) > > > > + goto nfsd_out; > > > > > > > > + err = ima_path_check(&exp->ex_path, > > > > + acc & (MAY_READ | MAY_WRITE | MAY_EXEC)); > > > > > > hm, dunno what to do about that. > > > > The real problem is that this belongs in inode_permission(), but an > > inode is not enough. It requires a dentry and mount point to > > measure the file. > > > > > > + return err; > > > > +nfsd_out: > > > > return err? nfserrno(err) : 0; > > > > } > > > > > > > > Index: security-testing-2.6/security/integrity/ima/ima_main.c > > > > =================================================================== > > > > --- security-testing-2.6.orig/security/integrity/ima/ima_main.c > > > > +++ security-testing-2.6/security/integrity/ima/ima_main.c > > > > @@ -206,6 +206,7 @@ out: > > > > kref_put(&iint->refcount, iint_free); > > > > return 0; > > > > } > > > > +EXPORT_SYMBOL_GPL(ima_path_check); > > > > > > > > static int process_measurement(struct file *file, const unsigned char *filename, > > > > int mask, int function) > > > > @@ -234,7 +235,16 @@ out: > > > > return rc; > > > > } > > > > > > > > -static void opencount_get(struct file *file) > > > > +/* > > > > + * ima_opencount_get - incr opencount for files opened by the kernel > > > > + * > > > > + * - IPC shm and shmat create/fput a file. > > > > + * - nfsd opens/closes exported files. > > > > + * > > > > + * Increment the opencount for these files to prevent unnecessary > > > > + * imbalance messages. > > > > + */ > > > > +void ima_opencount_get(struct file *file) > > > > { > > > > struct inode *inode = file->f_dentry->d_inode; > > > > struct ima_iint_cache *iint; > > > > @@ -248,6 +258,7 @@ static void opencount_get(struct file *f > > > > iint->opencount++; > > > > mutex_unlock(&iint->mutex); > > > > } > > > > +EXPORT_SYMBOL_GPL(ima_opencount_get); > > > > > > > > /** > > > > * ima_file_mmap - based on policy, collect/store measurement. > > > > @@ -272,18 +283,6 @@ int ima_file_mmap(struct file *file, uns > > > > return 0; > > > > } > > > > > > > > -/* > > > > - * ima_shm_check - IPC shm and shmat create/fput a file > > > > - * > > > > - * Maintain the opencount for these files to prevent unnecessary > > > > - * imbalance messages. > > > > - */ > > > > -void ima_shm_check(struct file *file) > > > > -{ > > > > - opencount_get(file); > > > > - return; > > > > -} > > > > - > > > > /** > > > > * ima_bprm_check - based on policy, collect/store measurement. > > > > * @bprm: contains the linux_binprm structure > > > > Index: security-testing-2.6/include/linux/ima.h > > > > =================================================================== > > > > --- security-testing-2.6.orig/include/linux/ima.h > > > > +++ security-testing-2.6/include/linux/ima.h > > > > @@ -20,7 +20,7 @@ extern void ima_inode_free(struct inode > > > > extern int ima_path_check(struct path *path, int mask); > > > > extern void ima_file_free(struct file *file); > > > > extern int ima_file_mmap(struct file *file, unsigned long prot); > > > > -extern void ima_shm_check(struct file *file); > > > > +extern void ima_opencount_get(struct file *file); > > > > > > > > #else > > > > static inline int ima_bprm_check(struct linux_binprm *bprm) > > > > @@ -53,7 +53,7 @@ static inline int ima_file_mmap(struct f > > > > return 0; > > > > } > > > > > > > > -static inline void ima_shm_check(struct file *file) > > > > +static inline void ima_opencount_get(struct file *file) > > > > { > > > > return; > > > > } > > > > Index: security-testing-2.6/ipc/shm.c > > > > =================================================================== > > > > --- security-testing-2.6.orig/ipc/shm.c > > > > +++ security-testing-2.6/ipc/shm.c > > > > @@ -384,7 +384,7 @@ static int newseg(struct ipc_namespace * > > > > error = PTR_ERR(file); > > > > if (IS_ERR(file)) > > > > goto no_file; > > > > - ima_shm_check(file); > > > > + ima_opencount_get(file); > > > > > > > > id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni); > > > > if (id < 0) { > > > > @@ -891,7 +891,7 @@ long do_shmat(int shmid, char __user *sh > > > > file = alloc_file(path.mnt, path.dentry, f_mode, &shm_file_operations); > > > > if (!file) > > > > goto out_free; > > > > - ima_shm_check(file); > > > > + ima_opencount_get(file); > > > > > > > > file->private_data = sfd; > > > > file->f_mapping = shp->shm_file->f_mapping; > > > > Index: security-testing-2.6/mm/shmem.c > > > > =================================================================== > > > > --- security-testing-2.6.orig/mm/shmem.c > > > > +++ security-testing-2.6/mm/shmem.c > > > > @@ -2680,7 +2680,7 @@ int shmem_zero_setup(struct vm_area_stru > > > > if (IS_ERR(file)) > > > > return PTR_ERR(file); > > > > > > > > - ima_shm_check(file); > > > > + ima_opencount_get(file); > > > > if (vma->vm_file) > > > > fput(vma->vm_file); > > > > vma->vm_file = file; > > > > > > Maybe do the IMA operations in (or under) shmem_file_setup() and > > > hugetlb_file_setup()? > > > > Again, that would hide the real issue of not having done integrity > > (permission) checking. > > > > Mimi > > ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: integrity: nfsd imbalance bug fix [not found] ` <1241804120.4843.7.camel-Ip4+SIe7dfOMop5i0OabyFN1H4us77DDVpNB7YpNyf8@public.gmane.org> 2009-05-08 18:07 ` J. Bruce Fields @ 2009-05-11 20:09 ` Eric Paris 1 sibling, 0 replies; 6+ messages in thread From: Eric Paris @ 2009-05-11 20:09 UTC (permalink / raw) To: Mimi Zohar Cc: Andrew Morton, linux-kernel, hooanon05-/E1597aS9LR3+QwDJ9on6Q, jmorris, safford-aZOuKsOsJu3MbYB6QlFGEg, J. Bruce Fields, linux-nfs, Eric Paris On Fri, May 8, 2009 at 1:35 PM, Mimi Zohar <zohar@linux.vnet.ibm.com> w= rote: > On Wed, 2009-04-29 at 14:18 -0700, Andrew Morton wrote: >> On Tue, 28 Apr 2009 14:32:14 -0400 >> Mimi Zohar <zohar@linux.vnet.ibm.com> wrote: >> > Index: security-testing-2.6/mm/shmem.c >> > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D >> > --- security-testing-2.6.orig/mm/shmem.c >> > +++ security-testing-2.6/mm/shmem.c >> > @@ -2680,7 +2680,7 @@ int shmem_zero_setup(struct vm_area_stru >> > =A0 =A0 if (IS_ERR(file)) >> > =A0 =A0 =A0 =A0 =A0 =A0 return PTR_ERR(file); >> > >> > - =A0 ima_shm_check(file); >> > + =A0 ima_opencount_get(file); >> > =A0 =A0 if (vma->vm_file) >> > =A0 =A0 =A0 =A0 =A0 =A0 fput(vma->vm_file); >> > =A0 =A0 vma->vm_file =3D file; >> >> Maybe do the IMA operations in (or under) shmem_file_setup() and >> hugetlb_file_setup()? > > Again, that would hide the real issue of not having done integrity > (permission) checking. Where are we doing integrity or permission checks on hugetlb or shm files? Andrew's right, another example of this problem would be drivers/gpu/drm/drm_gem.c::drm_get_object_alloc() (at least in linux-next) which uses shmem_file_setup(). If we aren't doing integrity checks on shmem already, why do we care about kernel vs. non-kernel users? moving the ima_opencount_get() from newseg down a layer into *_file_setup() would, I think, have taken care of the drm case as well..... -Eric ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2009-05-11 20:09 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <1240943534.4143.55.camel@dyn9002018117.watson.ibm.com>
[not found] ` <1240943534.4143.55.camel-Ip4+SIe7dfOMop5i0OabyFN1H4us77DDVpNB7YpNyf8@public.gmane.org>
2009-04-28 22:56 ` integrity: nfsd imbalance bug fix James Morris
2009-04-29 21:18 ` Andrew Morton
2009-05-08 17:35 ` Mimi Zohar
[not found] ` <1241804120.4843.7.camel-Ip4+SIe7dfOMop5i0OabyFN1H4us77DDVpNB7YpNyf8@public.gmane.org>
2009-05-08 18:07 ` J. Bruce Fields
2009-05-08 18:47 ` Mimi Zohar
2009-05-11 20:09 ` Eric Paris
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox