From: Stefan Berger <stefanb@linux.ibm.com>
To: Christian Brauner <brauner@kernel.org>,
Stefan Berger <stefanb@linux.vnet.ibm.com>
Cc: linux-integrity@vger.kernel.org, zohar@linux.ibm.com,
serge@hallyn.com, christian.brauner@ubuntu.com,
containers@lists.linux.dev, dmitry.kasatkin@gmail.com,
ebiederm@xmission.com, krzysztof.struczynski@huawei.com,
roberto.sassu@huawei.com, mpeters@redhat.com, lhinds@redhat.com,
lsturman@redhat.com, puiterwi@redhat.com, jejb@linux.ibm.com,
jamjoom@us.ibm.com, linux-kernel@vger.kernel.org,
paul@paul-moore.com, rgb@redhat.com,
linux-security-module@vger.kernel.org, jmorris@namei.org
Subject: Re: [PATCH v8 19/19] ima: Enable IMA namespaces
Date: Tue, 18 Jan 2022 12:53:54 -0500 [thread overview]
Message-ID: <15ae2c20-ae1f-0341-95d5-3168cdf899a5@linux.ibm.com> (raw)
In-Reply-To: <20220114120547.jrasikjcaahareue@wittgenstein>
On 1/14/22 07:05, Christian Brauner wrote:
> On Tue, Jan 04, 2022 at 12:04:16PM -0500, Stefan Berger wrote:
>> From: Stefan Berger <stefanb@linux.ibm.com>
>>
>> Introduce the IMA_NS in Kconfig for IMA namespace enablement.
>>
>> Enable the lazy initialization of an IMA namespace when a user mounts
>> SecurityFS. Now a user_namespace will get a pointer to an ima_namespace
>> and therefore add an implementation of get_current_ns() that returns this
>> pointer.
>>
>> get_current_ns() may now return a NULL pointer for as long as the IMA
>> namespace hasn't been created, yet. Therefore, return early from those
>> functions that may now get a NULL pointer from this call. The NULL
>> pointer can typically be treated similar to not having an IMA policy set
>> and simply return early from a function.
>>
>> Implement ima_ns_from_file() for SecurityFS-related files where we can
>> now get the IMA namespace via the user namespace pointer associated
>> with the superblock of the SecurityFS filesystem instance. Since
>> the functions using ima_ns_from_file() will only be called after an
>> ima_namesapce has been allocated they will never get a NULL pointer
>> for the ima_namespace.
>>
>> Switch access to userns->ima_ns to use acquire/release semantics to ensure
>> that a newly created ima_namespace structure is fully visible upon access.
>>
>> Replace usage of current_user_ns() with ima_ns_from_user_ns() that
>> implements a method to derive the user_namespace from the given
>> ima_namespace. It leads to the same result.
>>
>> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>> ---
>> include/linux/ima.h | 9 ++++++-
>> init/Kconfig | 13 ++++++++++
>> kernel/user_namespace.c | 2 ++
>> security/integrity/ima/ima.h | 35 ++++++++++++++++++++++-----
>> security/integrity/ima/ima_fs.c | 37 ++++++++++++++++++++++-------
>> security/integrity/ima/ima_main.c | 29 ++++++++++++++++------
>> security/integrity/ima/ima_ns.c | 3 ++-
>> security/integrity/ima/ima_policy.c | 13 +++++-----
>> 8 files changed, 112 insertions(+), 29 deletions(-)
>>
>> diff --git a/include/linux/ima.h b/include/linux/ima.h
>> index 5354e83d1694..7b9713b290ae 100644
>> --- a/include/linux/ima.h
>> +++ b/include/linux/ima.h
>> @@ -11,6 +11,7 @@
>> #include <linux/fs.h>
>> #include <linux/security.h>
>> #include <linux/kexec.h>
>> +#include <linux/user_namespace.h>
>> #include <crypto/hash_info.h>
>> struct linux_binprm;
>>
>> @@ -71,7 +72,13 @@ static inline const char * const *arch_get_ima_policy(void)
>> static inline struct user_namespace
>> *ima_ns_to_user_ns(struct ima_namespace *ns)
>> {
>> - return current_user_ns();
>> + struct user_namespace *user_ns;
>> +
>> + user_ns = current_user_ns();
>> +#ifdef CONFIG_IMA_NS
>> + WARN_ON(user_ns->ima_ns != ns);
>> +#endif
>> + return user_ns;
>> }
>>
>> #else
>> diff --git a/init/Kconfig b/init/Kconfig
>> index 4b7bac10c72d..e27155e0ddba 100644
>> --- a/init/Kconfig
>> +++ b/init/Kconfig
>> @@ -1247,6 +1247,19 @@ config NET_NS
>> Allow user space to create what appear to be multiple instances
>> of the network stack.
>>
>> +config IMA_NS
>> + bool "IMA namespace"
>> + depends on USER_NS
>> + depends on IMA
>> + default n
>> + help
>> + Allow the creation of an IMA namespace for each user namespace.
>> + Namespaced IMA enables having IMA features work separately
>> + in each IMA namespace.
>> + Currently, only the audit status flags are stored in the namespace,
>> + which allows the same file to be audited each time it is accessed
>> + in a new namespace.
>> +
>> endif # NAMESPACES
>>
>> config CHECKPOINT_RESTORE
>> diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
>> index 6b2e3ca7ee99..653f8fa83b69 100644
>> --- a/kernel/user_namespace.c
>> +++ b/kernel/user_namespace.c
>> @@ -20,6 +20,7 @@
>> #include <linux/fs_struct.h>
>> #include <linux/bsearch.h>
>> #include <linux/sort.h>
>> +#include <linux/ima.h>
>>
>> static struct kmem_cache *user_ns_cachep __read_mostly;
>> static DEFINE_MUTEX(userns_state_mutex);
>> @@ -196,6 +197,7 @@ static void free_user_ns(struct work_struct *work)
>> kfree(ns->projid_map.forward);
>> kfree(ns->projid_map.reverse);
>> }
>> + free_ima_ns(ns);
>> retire_userns_sysctls(ns);
>> key_free_user_ns(ns);
>> ns_free_inum(&ns->ns);
>> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
>> index 344c8c4bd030..d993655ec796 100644
>> --- a/security/integrity/ima/ima.h
>> +++ b/security/integrity/ima/ima.h
>> @@ -509,21 +509,20 @@ struct user_namespace *ima_user_ns_from_file(const struct file *filp)
>> return file_inode(filp)->i_sb->s_user_ns;
>> }
>>
>> +#ifdef CONFIG_IMA_NS
>> +
>> static inline struct ima_namespace
>> *ima_ns_from_user_ns(struct user_namespace *user_ns)
>> {
>> - if (user_ns == &init_user_ns)
>> - return &init_ima_ns;
>> - return NULL;
>> + /* Pairs with smp_store_releases() in create_ima_ns(). */
>> + return smp_load_acquire(&user_ns->ima_ns);
>> }
>>
>> static inline struct ima_namespace *get_current_ns(void)
>> {
>> - return &init_ima_ns;
>> + return ima_ns_from_user_ns(current_user_ns());
>> }
>>
>> -#ifdef CONFIG_IMA_NS
>> -
>> struct ima_namespace *create_ima_ns(struct user_namespace *user_ns);
>>
>> struct ns_status *ima_get_ns_status(struct ima_namespace *ns,
>> @@ -532,6 +531,11 @@ struct ns_status *ima_get_ns_status(struct ima_namespace *ns,
>>
>> void ima_free_ns_status_tree(struct ima_namespace *ns);
>>
>> +static inline struct ima_namespace *ima_ns_from_file(const struct file *filp)
>> +{
>> + return ima_user_ns_from_file(filp)->ima_ns;
>> +}
>> +
>> #define IMA_NS_STATUS_ACTIONS IMA_AUDIT
>> #define IMA_NS_STATUS_FLAGS IMA_AUDITED
>>
>> @@ -542,6 +546,20 @@ unsigned long set_iint_flags(struct integrity_iint_cache *iint,
>>
>> #else
>>
>> +static inline struct ima_namespace
>> +*ima_ns_from_user_ns(struct user_namespace *user_ns)
>> +{
>> + if (user_ns == &init_user_ns)
>> + return &init_ima_ns;
>> + return NULL;
>> +}
>> +
>> +
>> +static inline struct ima_namespace *get_current_ns(void)
>> +{
>> + return &init_ima_ns;
>> +}
>> +
>> static inline struct ima_namespace *
>> create_ima_ns(struct user_namespace *user_ns)
>> {
>> @@ -572,6 +590,11 @@ static inline unsigned long set_iint_flags(struct integrity_iint_cache *iint,
>> return flags;
>> }
>>
>> +static inline struct ima_namespace *ima_ns_from_file(const struct file *filp)
>> +{
>> + return &init_ima_ns;
>> +}
>> +
>> #endif /* CONFIG_IMA_NS */
>>
>> #endif /* __LINUX_IMA_H */
>> diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
>> index 468508f6a7e8..ee3af81d1c3e 100644
>> --- a/security/integrity/ima/ima_fs.c
>> +++ b/security/integrity/ima/ima_fs.c
>> @@ -49,7 +49,7 @@ static ssize_t ima_show_htable_violations(struct file *filp,
>> char __user *buf,
>> size_t count, loff_t *ppos)
>> {
>> - struct ima_namespace *ns = &init_ima_ns;
>> + struct ima_namespace *ns = ima_ns_from_file(filp);
>>
>> return ima_show_htable_value(buf, count, ppos,
>> &ns->ima_htable.violations);
>> @@ -64,7 +64,7 @@ static ssize_t ima_show_measurements_count(struct file *filp,
>> char __user *buf,
>> size_t count, loff_t *ppos)
>> {
>> - struct ima_namespace *ns = &init_ima_ns;
>> + struct ima_namespace *ns = ima_ns_from_file(filp);
>>
>> return ima_show_htable_value(buf, count, ppos, &ns->ima_htable.len);
>> }
>> @@ -77,7 +77,7 @@ static const struct file_operations ima_measurements_count_ops = {
>> /* returns pointer to hlist_node */
>> static void *ima_measurements_start(struct seq_file *m, loff_t *pos)
>> {
>> - struct ima_namespace *ns = &init_ima_ns;
>> + struct ima_namespace *ns = ima_ns_from_file(m->file);
>> loff_t l = *pos;
>> struct ima_queue_entry *qe;
>>
>> @@ -95,7 +95,7 @@ static void *ima_measurements_start(struct seq_file *m, loff_t *pos)
>>
>> static void *ima_measurements_next(struct seq_file *m, void *v, loff_t *pos)
>> {
>> - struct ima_namespace *ns = &init_ima_ns;
>> + struct ima_namespace *ns = ima_ns_from_file(m->file);
>> struct ima_queue_entry *qe = v;
>>
>> /* lock protects when reading beyond last element
>> @@ -317,7 +317,7 @@ static ssize_t ima_read_policy(struct ima_namespace *ns, char *path)
>> static ssize_t ima_write_policy(struct file *file, const char __user *buf,
>> size_t datalen, loff_t *ppos)
>> {
>> - struct ima_namespace *ns = &init_ima_ns;
>> + struct ima_namespace *ns = ima_ns_from_file(file);
>> char *data;
>> ssize_t result;
>>
>> @@ -379,7 +379,7 @@ static const struct seq_operations ima_policy_seqops = {
>> static int ima_open_policy(struct inode *inode, struct file *filp)
>> {
>> struct user_namespace *user_ns = ima_user_ns_from_file(filp);
>> - struct ima_namespace *ns = &init_ima_ns;
>> + struct ima_namespace *ns = ima_ns_from_file(filp);
>>
>> if (!(filp->f_flags & O_WRONLY)) {
>> #ifndef CONFIG_IMA_READ_POLICY
>> @@ -406,7 +406,7 @@ static int ima_open_policy(struct inode *inode, struct file *filp)
>> */
>> static int ima_release_policy(struct inode *inode, struct file *file)
>> {
>> - struct ima_namespace *ns = &init_ima_ns;
>> + struct ima_namespace *ns = ima_ns_from_file(file);
>> const char *cause = ns->valid_policy ? "completed" : "failed";
>>
>> if ((file->f_flags & O_ACCMODE) == O_RDONLY)
>> @@ -459,12 +459,29 @@ int ima_fs_ns_init(struct user_namespace *user_ns, struct dentry *root)
>> struct dentry *ascii_runtime_measurements = NULL;
>> struct dentry *runtime_measurements_count = NULL;
>> struct dentry *violations = NULL;
>> + bool created_ns = false;
>> +
>> + /*
>> + * While multiple superblocks can exist they are keyed by userns in
>> + * s_fs_info for securityfs. The first time a userns mounts a
>> + * securityfs instance we lazily allocate the ima_namespace for the
>> + * userns since that's the only way a userns can meaningfully use ima.
>> + * The vfs ensures we're the only one to call fill_super() and hence
>> + * ima_fs_ns_init(), so we don't need any memory barriers here, i.e.
>> + * user_ns->ima_ns can't change while we're in here.
>> + */
>> + if (!ns) {
>> + ns = create_ima_ns(user_ns);
>> + if (IS_ERR(ns))
>> + return PTR_ERR(ns);
>> + created_ns = true;
>> + }
> Since create_ima_ns() initializes user_ns->ima_ns via
> smp_store_release() the patch currently implies that concurrent access
> to user_ns->ima_ns are safe once create_ima_ns() returns.
>
> Specifically, it entails that no caller will access entries in the ima
> namespace that will only be filled in past this point. Afaict, this only
> relates to the ns->policy_dentry which can't be accessed until
> securityfs is finished.
>
> Nonetheless, I would recommend that you change create_ima_ns() to not
> initialize user_ns->ima_ns and instead defer this until everything in
> the namespace is setup. So maybe move the smp_store_release() to the end
> of ima_fs_ns_init(). If ns->policy_dentry wouldn't be stashed in ima_ns
> it wouldn't matter but since it is I would not publish ima_ns before
> this is set. Sm like (uncompiled, untested):
>
> diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
> index ee3af81d1c3e..64ca47671d31 100644
> --- a/security/integrity/ima/ima_fs.c
> +++ b/security/integrity/ima/ima_fs.c
> @@ -531,6 +531,8 @@ int ima_fs_ns_init(struct user_namespace *user_ns, struct dentry *root)
> goto out;
> }
>
> + if (!user_ns->ima_ns)
> + smp_store_release(&user_ns->ima_ns, ns);
> return 0;
> out:
> securityfs_remove(ns->policy_dentry);
>
> As a side-effect this will let you get rid of the bool created_ns and
> thereby simplify the codeflow.
Fixed. Thanks.
>
> (Note, that obviously means that the changes I mentioned earlier in
> https://lore.kernel.org/containers/20220114114321.7prnt72ukvch4wxa@wittgenstein
> can't be made.)
next prev parent reply other threads:[~2022-01-18 17:54 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-04 17:03 [PATCH v8 00/19] ima: Namespace IMA with audit support in IMA-ns Stefan Berger
2022-01-04 17:03 ` [PATCH v8 01/19] securityfs: Extend securityfs with namespacing support Stefan Berger
2022-01-05 3:58 ` Al Viro
2022-01-05 10:18 ` Christian Brauner
2022-01-11 12:16 ` Mimi Zohar
2022-01-11 14:12 ` Christian Brauner
2022-01-04 17:03 ` [PATCH v8 02/19] ima: Define ima_namespace structure and implement basic functions Stefan Berger
2022-01-04 17:04 ` [PATCH v8 03/19] ima: Move policy related variables into ima_namespace Stefan Berger
2022-01-13 20:26 ` Mimi Zohar
2022-01-14 10:48 ` Christian Brauner
2022-01-19 13:32 ` Stefan Berger
2022-01-04 17:04 ` [PATCH v8 04/19] ima: Move ima_htable " Stefan Berger
2022-01-04 17:04 ` [PATCH v8 05/19] ima: Move measurement list related variables " Stefan Berger
2022-01-13 20:27 ` Mimi Zohar
2022-01-19 12:23 ` Stefan Berger
2022-01-04 17:04 ` [PATCH v8 06/19] ima: Move some IMA policy and filesystem " Stefan Berger
2022-01-04 17:04 ` [PATCH v8 07/19] ima: Move dentry into ima_namespace and others onto stack Stefan Berger
2022-01-13 20:28 ` Mimi Zohar
2022-01-18 20:12 ` Stefan Berger
2022-01-18 20:42 ` Mimi Zohar
2022-01-18 20:54 ` Stefan Berger
2022-01-04 17:04 ` [PATCH v8 08/19] ima: Use mac_admin_ns_capable() to check corresponding capability Stefan Berger
2022-01-13 20:28 ` Mimi Zohar
2022-01-04 17:04 ` [PATCH v8 09/19] ima: Only accept AUDIT rules for non-init_ima_ns namespaces for now Stefan Berger
2022-01-04 17:04 ` [PATCH v8 10/19] ima: Implement hierarchical processing of file accesses Stefan Berger
2022-01-14 11:21 ` Christian Brauner
2022-01-18 18:25 ` Stefan Berger
2022-01-04 17:04 ` [PATCH v8 11/19] ima: Implement ima_free_policy_rules() for freeing of an ima_namespace Stefan Berger
2022-01-04 17:04 ` [PATCH v8 12/19] userns: Add pointer to ima_namespace to user_namespace Stefan Berger
2022-01-04 17:04 ` [PATCH v8 13/19] ima: Add functions for creation and freeing of an ima_namespace Stefan Berger
2022-01-14 11:43 ` Christian Brauner
2022-01-04 17:04 ` [PATCH v8 14/19] integrity/ima: Define ns_status for storing namespaced iint data Stefan Berger
2022-01-04 17:04 ` [PATCH v8 15/19] ima: Namespace audit status flags Stefan Berger
2022-01-04 17:04 ` [PATCH v8 16/19] ima: Enable re-auditing of modified files Stefan Berger
2022-01-05 15:21 ` Stefan Berger
2022-01-04 17:04 ` [PATCH v8 17/19] ima: Setup securityfs for IMA namespace Stefan Berger
2022-01-04 17:04 ` [PATCH v8 18/19] ima: Show owning user namespace's uid and gid when displaying policy Stefan Berger
2022-01-14 13:45 ` Christian Brauner
2022-01-18 16:31 ` Stefan Berger
2022-01-19 9:23 ` Christian Brauner
2022-01-04 17:04 ` [PATCH v8 19/19] ima: Enable IMA namespaces Stefan Berger
2022-01-14 12:05 ` Christian Brauner
2022-01-18 17:53 ` Stefan Berger [this message]
2022-01-14 14:45 ` Christian Brauner
2022-01-18 18:09 ` Stefan Berger
2022-01-19 9:46 ` Christian Brauner
2022-01-19 12:45 ` Stefan Berger
2022-01-19 13:03 ` Christian Brauner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=15ae2c20-ae1f-0341-95d5-3168cdf899a5@linux.ibm.com \
--to=stefanb@linux.ibm.com \
--cc=brauner@kernel.org \
--cc=christian.brauner@ubuntu.com \
--cc=containers@lists.linux.dev \
--cc=dmitry.kasatkin@gmail.com \
--cc=ebiederm@xmission.com \
--cc=jamjoom@us.ibm.com \
--cc=jejb@linux.ibm.com \
--cc=jmorris@namei.org \
--cc=krzysztof.struczynski@huawei.com \
--cc=lhinds@redhat.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lsturman@redhat.com \
--cc=mpeters@redhat.com \
--cc=paul@paul-moore.com \
--cc=puiterwi@redhat.com \
--cc=rgb@redhat.com \
--cc=roberto.sassu@huawei.com \
--cc=serge@hallyn.com \
--cc=stefanb@linux.vnet.ibm.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).