From: Mimi Zohar <zohar@linux.ibm.com>
To: Stefan Berger <stefanb@linux.ibm.com>, linux-integrity@vger.kernel.org
Cc: serge@hallyn.com, christian.brauner@ubuntu.com,
containers@lists.linux.dev, dmitry.kasatkin@gmail.com,
ebiederm@xmission.com, krzysztof.struczynski@huawei.com,
roberto.sassu@huawei.com, mpeters@redhat.com, lhinds@redhat.com,
lsturman@redhat.com, puiterwi@redhat.com, jejb@linux.ibm.com,
jamjoom@us.ibm.com, linux-kernel@vger.kernel.org,
paul@paul-moore.com, rgb@redhat.com,
linux-security-module@vger.kernel.org, jmorris@namei.org
Subject: Re: [PATCH v10 24/27] ima: Introduce securityfs file to activate an IMA namespace
Date: Wed, 23 Feb 2022 08:54:35 -0500 [thread overview]
Message-ID: <9a720bf5928151a0cbc7994ee498a1c3ca779c56.camel@linux.ibm.com> (raw)
In-Reply-To: <20220201203735.164593-25-stefanb@linux.ibm.com>
On Tue, 2022-02-01 at 15:37 -0500, Stefan Berger wrote:
> Introduce securityfs file 'active' that allows a user to activate an IMA
> namespace by writing a "1" (precisely a '1\0' or '1\n') to it. When
> reading from the file, it shows either '0' or '1'.
A patch description should start with the motivation for the change
being introduced. The last paragraph mentions "why" it will be needed
in the future, but there are other reasons for explicitly requiring
activation. Probably something along the lines of not every user
namespace requires an active IMA namespace. Please include those
reasons here.
>
> Also, introduce ns_is_active() to be used in those places where the
> ima_namespace pointer may either be NULL or where the active field may not
> have been set to '1', yet. An inactive IMA namespace should never be
> accessed since it has not been initialized, yet.
>
> Set the init_ima_ns's active field to '1' since it is considered active
> right from the beginning.
>
> The rationale for introducing a file to activate an IMA namespace is that
> subsequent support for IMA-measurement and IMA-appraisal will add
> configuration files for selecting for example the template that an IMA
> namespace is supposed to use for logging measurements, which will add
> an IMA namespace configuration stage (using securityfs files) before its
> activation.
This could be included at the beginning, as part of the motivation for
the patch, but it shouldn't be the only reason.
>
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>
> ---
> v10:
> - use memdup_user_nul to copy input from user
> - propagating error returned from ima_fs_add_ns_files()
> ---
> security/integrity/ima/ima.h | 7 +++
> security/integrity/ima/ima_fs.c | 71 ++++++++++++++++++++++++
> security/integrity/ima/ima_init_ima_ns.c | 1 +
> security/integrity/ima/ima_main.c | 2 +-
> 4 files changed, 80 insertions(+), 1 deletion(-)
>
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index 1e3f9dda218d..05e2de7697da 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -123,6 +123,8 @@ struct ima_h_table {
> };
>
> struct ima_namespace {
> + atomic_t active; /* whether namespace is active */
> +
> struct rb_root ns_status_tree;
> rwlock_t ns_tree_lock;
> struct kmem_cache *ns_status_cache;
> @@ -154,6 +156,11 @@ struct ima_namespace {
> } __randomize_layout;
> extern struct ima_namespace init_ima_ns;
>
> +static inline bool ns_is_active(struct ima_namespace *ns)
> +{
> + return (ns && atomic_read(&ns->active));
> +}
> +
> extern const int read_idmap[];
>
> #ifdef CONFIG_HAVE_IMA_KEXEC
> diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
> index 84cd02a9e19b..58d80884880f 100644
> --- a/security/integrity/ima/ima_fs.c
> +++ b/security/integrity/ima/ima_fs.c
> @@ -451,6 +451,71 @@ static const struct file_operations ima_measure_policy_ops = {
> .llseek = generic_file_llseek,
> };
>
> +static ssize_t ima_show_active(struct file *filp,
> + char __user *buf,
> + size_t count, loff_t *ppos)
> +{
> + struct ima_namespace *ns = &init_ima_ns;
> + char tmpbuf[2];
> + ssize_t len;
> +
> + len = scnprintf(tmpbuf, sizeof(tmpbuf),
> + "%d\n", atomic_read(&ns->active));
> + return simple_read_from_buffer(buf, count, ppos, tmpbuf, len);
> +}
> +
> +static ssize_t ima_write_active(struct file *filp,
> + const char __user *buf,
> + size_t count, loff_t *ppos)
> +{
> + struct ima_namespace *ns = &init_ima_ns;
> + unsigned int active;
> + char *kbuf;
> + int err;
> +
> + if (ns_is_active(ns))
> + return -EBUSY;
> +
> + /* accepting '1\n' and '1\0' and no partial writes */
> + if (count >= 3 || *ppos != 0)
> + return -EINVAL;
> +
> + kbuf = memdup_user_nul(buf, count);
> + if (IS_ERR(kbuf))
> + return PTR_ERR(kbuf);
> +
> + err = kstrtouint(kbuf, 10, &active);
> + kfree(kbuf);
> + if (err)
> + return err;
> +
> + if (active != 1)
> + return -EINVAL;
> +
> + atomic_set(&ns->active, 1);
> +
> + return count;
> +}
> +
> +static const struct file_operations ima_active_ops = {
> + .read = ima_show_active,
> + .write = ima_write_active,
> +};
> +
> +static int ima_fs_add_ns_files(struct dentry *ima_dir)
> +{
> + struct dentry *active;
> +
> + active =
> + securityfs_create_file("active",
> + S_IRUSR | S_IWUSR | S_IRGRP, ima_dir, NULL,
> + &ima_active_ops);
> + if (IS_ERR(active))
> + return PTR_ERR(active);
> +
> + return 0;
> +}
> +
> int ima_fs_ns_init(struct user_namespace *user_ns, struct dentry *root)
> {
> struct ima_namespace *ns = ima_ns_from_user_ns(user_ns);
> @@ -531,6 +596,12 @@ int ima_fs_ns_init(struct user_namespace *user_ns, struct dentry *root)
> }
> }
>
> + if (ns != &init_ima_ns) {
> + ret = ima_fs_add_ns_files(ima_dir);
> + if (ret)
> + goto out;
> + }
> +
In all other cases, the securityfs files are directly created in
ima_fs_ns_init(). What is different about "active" that a new
function is defined?
thanks,
Mimi
> return 0;
> out:
> securityfs_remove(ns->ima_policy);
> diff --git a/security/integrity/ima/ima_init_ima_ns.c b/security/integrity/ima/ima_init_ima_ns.c
> index d4ddfd1de60b..39ee0c2477a6 100644
> --- a/security/integrity/ima/ima_init_ima_ns.c
> +++ b/security/integrity/ima/ima_init_ima_ns.c
> @@ -58,5 +58,6 @@ struct ima_namespace init_ima_ns = {
> .ima_lsm_policy_notifier = {
> .notifier_call = ima_lsm_policy_change,
> },
> + .active = ATOMIC_INIT(1),
> };
> EXPORT_SYMBOL(init_ima_ns);
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index 1dee8cb5afa2..9ca9223bbcf6 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -441,7 +441,7 @@ static int process_measurement(struct user_namespace *user_ns,
>
> while (user_ns) {
> ns = ima_ns_from_user_ns(user_ns);
> - if (ns) {
> + if (ns_is_active(ns)) {
> int rc;
>
> rc = __process_measurement(ns, file, cred, secid, buf,
next prev parent reply other threads:[~2022-02-23 13:55 UTC|newest]
Thread overview: 82+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-01 20:37 [PATCH v10 00/27] ima: Namespace IMA with audit support in IMA-ns Stefan Berger
2022-02-01 20:37 ` [PATCH v10 01/27] ima: Remove ima_policy file before directory Stefan Berger
2022-02-10 12:02 ` Mimi Zohar
2022-02-01 20:37 ` [PATCH v10 02/27] ima: Do not print policy rule with inactive LSM labels Stefan Berger
2022-02-02 14:17 ` Christian Brauner
2022-02-01 20:37 ` [PATCH v10 03/27] ima: Return error code obtained from securityfs functions Stefan Berger
2022-02-10 12:02 ` Mimi Zohar
2022-02-15 18:09 ` Mimi Zohar
2022-02-01 20:37 ` [PATCH v10 04/27] securityfs: rework dentry creation Stefan Berger
2022-02-10 12:03 ` Mimi Zohar
2022-02-01 20:37 ` [PATCH v10 05/27] ima: Define ima_namespace struct and start moving variables into it Stefan Berger
2022-02-16 14:41 ` Mimi Zohar
2022-02-16 20:25 ` Stefan Berger
2022-02-01 20:37 ` [PATCH v10 06/27] ima: Move arch_policy_entry into ima_namespace Stefan Berger
2022-02-16 16:39 ` Mimi Zohar
2022-02-16 20:48 ` Stefan Berger
2022-02-16 20:56 ` Mimi Zohar
2022-02-16 21:19 ` Stefan Berger
2022-02-01 20:37 ` [PATCH v10 07/27] ima: Move ima_htable " Stefan Berger
2022-02-16 14:41 ` Mimi Zohar
2022-02-01 20:37 ` [PATCH v10 08/27] ima: Move measurement list related variables " Stefan Berger
2022-02-17 14:46 ` Mimi Zohar
2022-02-01 20:37 ` [PATCH v10 09/27] ima: Move some IMA policy and filesystem " Stefan Berger
2022-02-17 14:44 ` Mimi Zohar
2022-02-01 20:37 ` [PATCH v10 10/27] ima: Move IMA securityfs files into ima_namespace or onto stack Stefan Berger
2022-02-17 14:44 ` Mimi Zohar
2022-02-01 20:37 ` [PATCH v10 11/27] ima: Move ima_lsm_policy_notifier into ima_namespace Stefan Berger
2022-02-17 20:30 ` Mimi Zohar
2022-02-17 20:59 ` Stefan Berger
2022-02-17 21:24 ` Mimi Zohar
2022-02-01 20:37 ` [PATCH v10 12/27] ima: Define mac_admin_ns_capable() as a wrapper for ns_capable() Stefan Berger
2022-02-05 5:58 ` Serge E. Hallyn
2022-02-06 17:20 ` Stefan Berger
2022-02-07 18:43 ` Stefan Berger
2022-02-23 17:51 ` Serge E. Hallyn
2022-02-01 20:37 ` [PATCH v10 13/27] ima: Only accept AUDIT rules for non-init_ima_ns namespaces for now Stefan Berger
2022-02-17 21:32 ` Mimi Zohar
2022-02-01 20:37 ` [PATCH v10 14/27] userns: Add pointer to ima_namespace to user_namespace Stefan Berger
2022-02-18 16:26 ` Mimi Zohar
2022-02-01 20:37 ` [PATCH v10 15/27] ima: Implement hierarchical processing of file accesses Stefan Berger
2022-02-18 16:27 ` Mimi Zohar
2022-02-01 20:37 ` [PATCH v10 16/27] ima: Implement ima_free_policy_rules() for freeing of an ima_namespace Stefan Berger
2022-02-18 17:09 ` Mimi Zohar
2022-02-18 19:38 ` Stefan Berger
2022-02-18 20:04 ` Mimi Zohar
2022-02-01 20:37 ` [PATCH v10 17/27] ima: Add functions for creating and " Stefan Berger
2022-02-18 19:49 ` Mimi Zohar
2022-02-01 20:37 ` [PATCH v10 18/27] integrity/ima: Define ns_status for storing namespaced iint data Stefan Berger
2022-02-23 16:12 ` Mimi Zohar
2022-02-24 2:21 ` Stefan Berger
2022-02-24 2:49 ` Stefan Berger
2022-02-01 20:37 ` [PATCH v10 19/27] integrity: Add optional callback function to integrity_inode_free() Stefan Berger
2022-02-01 20:37 ` [PATCH v10 20/27] ima: Namespace audit status flags Stefan Berger
2022-02-01 20:37 ` [PATCH v10 21/27] ima: Remove unused iints from the integrity_iint_cache Stefan Berger
2022-02-01 20:37 ` [PATCH v10 22/27] securityfs: Extend securityfs with namespacing support Stefan Berger
2022-02-23 1:48 ` Mimi Zohar
2022-02-23 8:14 ` Christian Brauner
2022-02-23 15:44 ` Stefan Berger
2022-02-01 20:37 ` [PATCH v10 23/27] ima: Setup securityfs for IMA namespace Stefan Berger
2022-02-23 11:45 ` Mimi Zohar
2022-02-01 20:37 ` [PATCH v10 24/27] ima: Introduce securityfs file to activate an " Stefan Berger
2022-02-23 13:54 ` Mimi Zohar [this message]
2022-02-23 17:08 ` Stefan Berger
2022-02-23 17:12 ` Mimi Zohar
2022-02-23 22:30 ` Stefan Berger
2022-02-01 20:37 ` [PATCH v10 25/27] ima: Show owning user namespace's uid and gid when displaying policy Stefan Berger
2022-02-23 14:06 ` Mimi Zohar
2022-02-01 20:37 ` [PATCH v10 26/27] ima: Limit number of policy rules in non-init_ima_ns Stefan Berger
2022-02-23 15:38 ` Mimi Zohar
2022-02-23 16:37 ` Stefan Berger
2022-02-23 17:04 ` Mimi Zohar
2022-02-23 20:45 ` Stefan Berger
2022-02-23 20:59 ` Mimi Zohar
2022-02-23 21:06 ` Stefan Berger
2022-02-01 20:37 ` [PATCH v10 27/27] ima: Enable IMA namespaces Stefan Berger
2022-02-23 17:58 ` Serge E. Hallyn
2022-02-23 20:53 ` Stefan Berger
2022-02-02 14:13 ` [PATCH v10 00/27] ima: Namespace IMA with audit support in IMA-ns Christian Brauner
2022-02-02 14:40 ` Stefan Berger
2022-02-02 16:04 ` Mimi Zohar
2022-02-02 18:18 ` Stefan Berger
2022-02-02 21:27 ` Stefan Berger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=9a720bf5928151a0cbc7994ee498a1c3ca779c56.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=christian.brauner@ubuntu.com \
--cc=containers@lists.linux.dev \
--cc=dmitry.kasatkin@gmail.com \
--cc=ebiederm@xmission.com \
--cc=jamjoom@us.ibm.com \
--cc=jejb@linux.ibm.com \
--cc=jmorris@namei.org \
--cc=krzysztof.struczynski@huawei.com \
--cc=lhinds@redhat.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lsturman@redhat.com \
--cc=mpeters@redhat.com \
--cc=paul@paul-moore.com \
--cc=puiterwi@redhat.com \
--cc=rgb@redhat.com \
--cc=roberto.sassu@huawei.com \
--cc=serge@hallyn.com \
--cc=stefanb@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).