From: zohar@linux.vnet.ibm.com (Mimi Zohar)
To: linux-security-module@vger.kernel.org
Subject: [RFC PATCH 2/4] ima: define new ima_sb_post_new_mount hook
Date: Wed, 16 Aug 2017 13:30:18 -0400 [thread overview]
Message-ID: <1502904620-20075-3-git-send-email-zohar@linux.vnet.ibm.com> (raw)
In-Reply-To: <1502904620-20075-1-git-send-email-zohar@linux.vnet.ibm.com>
IMA measures a file, verifies a file's integrity, and caches the
results. On filesystems with MS_I_VERSION enabled, IMA can detect
file changes and cause them to be re-measured and verified. On
filesystems without MS_I_VERSION enabled, files are measured and
verified just once.
This patch logs filesystems mounted without MS_I_VERSION.
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
---
include/linux/ima.h | 5 +++++
security/integrity/ima/ima_main.c | 44 +++++++++++++++++++++++++++++++++++++++
security/security.c | 1 +
3 files changed, 50 insertions(+)
diff --git a/include/linux/ima.h b/include/linux/ima.h
index 0e4647e0eb60..4475cb01149c 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -23,6 +23,8 @@ extern int ima_read_file(struct file *file, enum kernel_read_file_id id);
extern int ima_post_read_file(struct file *file, void *buf, loff_t size,
enum kernel_read_file_id id);
extern void ima_post_path_mknod(struct dentry *dentry);
+extern void ima_sb_post_new_mount(const struct vfsmount *newmnt,
+ const struct path *path);
#ifdef CONFIG_IMA_KEXEC
extern void ima_add_kexec_buffer(struct kimage *image);
@@ -65,6 +67,9 @@ static inline void ima_post_path_mknod(struct dentry *dentry)
return;
}
+static inline void ima_sb_post_new_mount(const struct vfsmount *newmnt,
+ const struct path *path)
+{ }
#endif /* CONFIG_IMA */
#ifndef CONFIG_IMA_KEXEC
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index b00186914df8..a0a685189001 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -354,6 +354,50 @@ void ima_post_path_mknod(struct dentry *dentry)
}
/**
+ * ima_sb_post_new_mount - check filesystem mounted flags
+ *
+ * Indicate that filesystem isn't mounted with i_version enabled.
+ */
+void ima_sb_post_new_mount(const struct vfsmount *newmnt,
+ const struct path *path)
+{
+ struct super_block *sb;
+ unsigned long pseudo_fs[] = {CGROUP_SUPER_MAGIC, CGROUP2_SUPER_MAGIC,
+ SYSFS_MAGIC, DEVPTS_SUPER_MAGIC, PSTOREFS_MAGIC, EFIVARFS_MAGIC,
+ DEBUGFS_MAGIC, TMPFS_MAGIC};
+ char *pathbuf = NULL;
+ char filename[NAME_MAX];
+ const char *pathname;
+ bool found = 0;
+ int i;
+
+ sb = newmnt ? newmnt->mnt_sb : path->mnt->mnt_sb;
+
+ if ((sb->s_flags & MS_I_VERSION) || (sb->s_flags & MS_RDONLY) ||
+ (sb->s_flags & MS_KERNMOUNT))
+ return;
+
+ for (i = 0; i < ARRAY_SIZE(pseudo_fs); i++) {
+ if (pseudo_fs[i] != sb->s_magic)
+ continue;
+
+ found = 1;
+ break;
+ }
+ if (found)
+ return;
+
+ pathname = ima_d_path(path, &pathbuf, filename);
+ if (!pathname)
+ return;
+
+ if (newmnt)
+ pr_warn("ima: %s mounted without i_version enabled\n",
+ pathname);
+ __putname(pathbuf);
+}
+
+/**
* ima_read_file - pre-measure/appraise hook decision based on policy
* @file: pointer to the file to be measured/appraised/audit
* @read_id: caller identifier
diff --git a/security/security.c b/security/security.c
index 592153e8d2b6..79111141b383 100644
--- a/security/security.c
+++ b/security/security.c
@@ -402,6 +402,7 @@ void security_sb_post_new_mount(const struct vfsmount *newmnt,
const struct path *path)
{
call_void_hook(sb_post_new_mount, newmnt, path);
+ ima_sb_post_new_mount(newmnt, path);
}
int security_sb_umount(struct vfsmount *mnt, int flags)
--
2.7.4
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2017-08-16 17:30 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-08-16 17:30 [RFC PATCH 0/4] ima: filesystems not mounted with i_version Mimi Zohar
2017-08-16 17:30 ` [RFC PATCH 1/4] security: define new LSM sb_post_new_mount hook Mimi Zohar
2017-08-16 17:30 ` Mimi Zohar [this message]
2017-08-16 19:24 ` [RFC PATCH 2/4] ima: define new ima_sb_post_new_mount hook Casey Schaufler
2017-08-16 20:59 ` Mimi Zohar
2017-08-17 2:39 ` [Linux-ima-devel] " James Morris
2017-12-07 12:26 ` Jeff Layton
2017-12-07 14:35 ` Mimi Zohar
2017-12-07 14:50 ` Jeff Layton
2017-12-07 15:08 ` Mimi Zohar
2017-12-07 15:09 ` Jeff Layton
2017-12-15 21:13 ` Jeff Layton
2017-08-16 17:30 ` [RFC PATCH 3/4] security: define a new LSM sb_post_remount hook Mimi Zohar
2017-08-16 17:30 ` [RFC PATCH 4/4] ima: define a new ima_sb_post_remount hook Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1502904620-20075-3-git-send-email-zohar@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).