linux-security-module.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH v5 00/16] Introduce partial kernel_read_file() support
@ 2020-10-02 17:38 Kees Cook
  2020-10-02 17:38 ` [PATCH v5 01/16] fs/kernel_read_file: Remove FIRMWARE_PREALLOC_BUFFER enum Kees Cook
                   ` (15 more replies)
  0 siblings, 16 replies; 21+ messages in thread
From: Kees Cook @ 2020-10-02 17:38 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: Kees Cook, Scott Branden, Mimi Zohar, Luis Chamberlain,
	Takashi Iwai, Jessica Yu, SeongJae Park, KP Singh, linux-efi,
	linux-security-module, linux-integrity, selinux, linux-kselftest,
	linux-kernel

v5:
- add more reviews (thank you!)
- add "description" string to post_load_data API (mimi)
- drop bug fix that got taken already
v4: https://lore.kernel.org/lkml/20200729175845.1745471-1-keescook@chromium.org/
v3: https://lore.kernel.org/lkml/20200724213640.389191-1-keescook@chromium.org/
v2: lost to the ether
v1: https://lore.kernel.org/lkml/20200717174309.1164575-1-keescook@chromium.org/

Hi,

Here's my tree for adding partial read support in kernel_read_file(),
which fixes a number of issues along the way. It's got Scott's firmware
and IMA patches ported and everything tests cleanly for me (even with
CONFIG_IMA_APPRAISE=y), and now appears to pass 0day. :)

The intention is for this to go via Greg's tree since Scott's driver
code will depend on it.

Thanks,

-Kees

Kees Cook (12):
  fs/kernel_read_file: Remove FIRMWARE_PREALLOC_BUFFER enum
  fs/kernel_read_file: Remove FIRMWARE_EFI_EMBEDDED enum
  fs/kernel_read_file: Split into separate source file
  fs/kernel_read_file: Remove redundant size argument
  fs/kernel_read_file: Switch buffer size arg to size_t
  fs/kernel_read_file: Add file_size output argument
  LSM: Introduce kernel_post_load_data() hook
  firmware_loader: Use security_post_load_data()
  module: Call security_kernel_post_load_data()
  LSM: Add "contents" flag to kernel_read_file hook
  fs/kernel_file_read: Add "offset" arg for partial reads
  firmware: Store opt_flags in fw_priv

Scott Branden (4):
  fs/kernel_read_file: Split into separate include file
  IMA: Add support for file reads without contents
  firmware: Add request_partial_firmware_into_buf()
  test_firmware: Test partial read support

 drivers/base/firmware_loader/fallback.c       |  19 +-
 drivers/base/firmware_loader/fallback.h       |   5 +-
 .../base/firmware_loader/fallback_platform.c  |  12 +-
 drivers/base/firmware_loader/firmware.h       |   7 +-
 drivers/base/firmware_loader/main.c           | 135 ++++++++++---
 fs/Makefile                                   |   3 +-
 fs/exec.c                                     | 132 +-----------
 fs/kernel_read_file.c                         | 189 ++++++++++++++++++
 include/linux/firmware.h                      |  12 ++
 include/linux/fs.h                            |  39 ----
 include/linux/ima.h                           |  20 +-
 include/linux/kernel_read_file.h              |  55 +++++
 include/linux/lsm_hook_defs.h                 |   6 +-
 include/linux/lsm_hooks.h                     |  13 ++
 include/linux/security.h                      |  21 +-
 kernel/kexec.c                                |   2 +-
 kernel/kexec_file.c                           |  19 +-
 kernel/module.c                               |  24 ++-
 lib/test_firmware.c                           | 154 ++++++++++++--
 security/integrity/digsig.c                   |   8 +-
 security/integrity/ima/ima_fs.c               |  10 +-
 security/integrity/ima/ima_main.c             |  73 +++++--
 security/integrity/ima/ima_policy.c           |   1 +
 security/loadpin/loadpin.c                    |  17 +-
 security/security.c                           |  28 ++-
 security/selinux/hooks.c                      |   8 +-
 .../selftests/firmware/fw_filesystem.sh       |  91 +++++++++
 27 files changed, 807 insertions(+), 296 deletions(-)
 create mode 100644 fs/kernel_read_file.c
 create mode 100644 include/linux/kernel_read_file.h

-- 
2.25.1


^ permalink raw reply	[flat|nested] 21+ messages in thread

end of thread, other threads:[~2020-10-06 17:20 UTC | newest]

Thread overview: 21+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-10-02 17:38 [PATCH v5 00/16] Introduce partial kernel_read_file() support Kees Cook
2020-10-02 17:38 ` [PATCH v5 01/16] fs/kernel_read_file: Remove FIRMWARE_PREALLOC_BUFFER enum Kees Cook
2020-10-06 17:17   ` James Morris
2020-10-02 17:38 ` [PATCH v5 02/16] fs/kernel_read_file: Remove FIRMWARE_EFI_EMBEDDED enum Kees Cook
2020-10-02 17:38 ` [PATCH v5 03/16] fs/kernel_read_file: Split into separate include file Kees Cook
2020-10-02 17:38 ` [PATCH v5 04/16] fs/kernel_read_file: Split into separate source file Kees Cook
2020-10-06 17:18   ` James Morris
2020-10-02 17:38 ` [PATCH v5 05/16] fs/kernel_read_file: Remove redundant size argument Kees Cook
2020-10-02 17:38 ` [PATCH v5 06/16] fs/kernel_read_file: Switch buffer size arg to size_t Kees Cook
2020-10-02 17:38 ` [PATCH v5 07/16] fs/kernel_read_file: Add file_size output argument Kees Cook
2020-10-02 17:38 ` [PATCH v5 08/16] LSM: Introduce kernel_post_load_data() hook Kees Cook
2020-10-02 17:38 ` [PATCH v5 09/16] firmware_loader: Use security_post_load_data() Kees Cook
2020-10-02 17:38 ` [PATCH v5 10/16] module: Call security_kernel_post_load_data() Kees Cook
2020-10-06 17:19   ` James Morris
2020-10-02 17:38 ` [PATCH v5 11/16] LSM: Add "contents" flag to kernel_read_file hook Kees Cook
2020-10-06 17:19   ` James Morris
2020-10-02 17:38 ` [PATCH v5 12/16] IMA: Add support for file reads without contents Kees Cook
2020-10-02 17:38 ` [PATCH v5 13/16] fs/kernel_file_read: Add "offset" arg for partial reads Kees Cook
2020-10-02 17:38 ` [PATCH v5 14/16] firmware: Store opt_flags in fw_priv Kees Cook
2020-10-02 17:38 ` [PATCH v5 15/16] firmware: Add request_partial_firmware_into_buf() Kees Cook
2020-10-02 17:38 ` [PATCH v5 16/16] test_firmware: Test partial read support Kees Cook

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).