[PATCH 5/5 v4] removed the LSM hook made available, and renamed the ima_policy to be KEXEC_CMDLINE

From: Prakhar Srivastava
Date: Fri May 03 2019 - 18:26:19 EST

Next message: Stephen Rothwell: "Re: linux-next: manual merge of the vfs tree with the orangefs tree"
Previous message: Prakhar Srivastava: "[PATCH 4/5 v4] added LSM hook to call ima_buffer_check"
In reply to: Prakhar Srivastava: "[PATCH 4/5 v4] added LSM hook to call ima_buffer_check"
Next in thread: Mimi Zohar: "Re: [PATCH 5/5 v4] removed the LSM hook made available, and renamed the ima_policy to be KEXEC_CMDLINE"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Prakhar Srivastava <prsriva02@xxxxxxxxx>

Per suggestions from the community, removed the LSM hook.
and renamed the buffer_check func and policy to kexec_cmdline
[suggested by: Mimi Zohar]
Signed-off-by: Prakhar Srivastava <prsriva02@xxxxxxxxx>
---
Documentation/ABI/testing/ima_policy | 2 +-
include/linux/ima.h | 6 +--
include/linux/lsm_hooks.h | 3 --
include/linux/security.h | 1 -
kernel/kexec_core.c | 59 +---------------------------
kernel/kexec_file.c | 14 +------
security/integrity/ima/ima.h | 2 +-
security/integrity/ima/ima_api.c | 2 +-
security/integrity/ima/ima_main.c | 11 +++---
security/integrity/ima/ima_policy.c | 4 +-
security/security.c | 6 ---
11 files changed, 15 insertions(+), 95 deletions(-)

diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
index 12cfe3ff2dea..62e7cd687e9c 100644
--- a/Documentation/ABI/testing/ima_policy
+++ b/Documentation/ABI/testing/ima_policy
@@ -29,7 +29,7 @@ Description:
base: func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]
[FIRMWARE_CHECK]
[KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
- [BUFFER_CHECK]
+ [KEXEC_CMDLINE]
mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
[[^]MAY_EXEC]
fsmagic:= hex value
diff --git a/include/linux/ima.h b/include/linux/ima.h
index f0abade74707..2c7a22231008 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -26,8 +26,7 @@ extern int ima_read_file(struct file *file, enum kernel_read_file_id id);
extern int ima_post_read_file(struct file *file, void *buf, loff_t size,
enum kernel_read_file_id id);
extern void ima_post_path_mknod(struct dentry *dentry);
-extern void ima_buffer_check(const void *buff, int size,
- const char *eventname);
+extern void ima_kexec_cmdline(const void *buff, int size);

#ifdef CONFIG_IMA_KEXEC
extern void ima_add_kexec_buffer(struct kimage *image);
@@ -94,8 +93,7 @@ static inline void ima_post_path_mknod(struct dentry *dentry)
return;
}

-static inline void ima_buffer_check(const void *buff, int size,
- const char *eventname)
+static inline void ima_kexec_cmdline(const void *buff, int size)
{}
#endif /* CONFIG_IMA */

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index f18562c1eb24..a240a3fc5fc4 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1672,8 +1672,6 @@ union security_list_options {
int (*inode_setsecctx)(struct dentry *dentry, void *ctx, u32 ctxlen);
int (*inode_getsecctx)(struct inode *inode, void **ctx, u32 *ctxlen);

- int (*buffer_check)(const void *buff, int size, const char *eventname);
-
#ifdef CONFIG_SECURITY_NETWORK
int (*unix_stream_connect)(struct sock *sock, struct sock *other,
struct sock *newsk);
@@ -1947,7 +1945,6 @@ struct security_hook_heads {
struct hlist_head inode_notifysecctx;
struct hlist_head inode_setsecctx;
struct hlist_head inode_getsecctx;
- struct hlist_head buffer_check;
#ifdef CONFIG_SECURITY_NETWORK
struct hlist_head unix_stream_connect;
struct hlist_head unix_may_send;
diff --git a/include/linux/security.h b/include/linux/security.h
index 8dece6da0dda..8a129664ba4e 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -388,7 +388,6 @@ void security_inode_invalidate_secctx(struct inode *inode);
int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
-void security_buffer_measure(const void *buff, int size, char *eventname);
#else /* CONFIG_SECURITY */

static inline int call_lsm_notifier(enum lsm_event event, void *data)
diff --git a/kernel/kexec_core.c b/kernel/kexec_core.c
index 4667f03d406e..8c0a83980d72 100644
--- a/kernel/kexec_core.c
+++ b/kernel/kexec_core.c
@@ -1212,61 +1212,4 @@ void __weak arch_kexec_protect_crashkres(void)
{}

void __weak arch_kexec_unprotect_crashkres(void)
-{}
-
-/**
- * kexec_cmdline_prepend_img_name - prepare the buffer with cmdline
- * that needs to be measured
- * @outbuf - out buffer that contains the formated string
- * @kernel_fd - the file identifier for the kerenel image
- * @cmdline_ptr - ptr to the cmdline buffer
- * @cmdline_len - len of the buffer.
- *
- * This generates a buffer in the format Kerenelfilename::cmdline
- *
- * On success return 0.
- * On failure return -EINVAL.
- */
-int kexec_cmdline_prepend_img_name(char **outbuf, int kernel_fd,
- const char *cmdline_ptr,
- unsigned long cmdline_len)
-{
- int ret = -EINVAL;
- struct fd f = {};
- int size = 0;
- char *buf = NULL;
- char delimiter[] = "::";
-
- if (!outbuf || !cmdline_ptr)
- goto out;
-
- f = fdget(kernel_fd);
- if (!f.file)
- goto out;
-
- size = (f.file->f_path.dentry->d_name.len + cmdline_len - 1+
- ARRAY_SIZE(delimiter)) - 1;
-
- buf = kzalloc(size, GFP_KERNEL);
- if (!buf)
- goto out;
-
- memcpy(buf, f.file->f_path.dentry->d_name.name,
- f.file->f_path.dentry->d_name.len);
- memcpy(buf + f.file->f_path.dentry->d_name.len,
- delimiter, ARRAY_SIZE(delimiter) - 1);
- memcpy(buf + f.file->f_path.dentry->d_name.len +
- ARRAY_SIZE(delimiter) - 1,
- cmdline_ptr, cmdline_len - 1);
-
- *outbuf = buf;
- ret = size;
-
- pr_debug("kexec cmdline buff: %s\n", buf);
-
-out:
- if (f.file)
- fdput(f);
-
- return ret;
-}
+{}
\ No newline at end of file
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index d287e139085c..2eb977984537 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -191,8 +191,6 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
int ret = 0;
void *ldata;
loff_t size;
- char *buff_to_measure = NULL;
- int buff_to_measure_size = 0;

ret = kernel_read_file_from_fd(kernel_fd, &image->kernel_buf,
&size, INT_MAX, READING_KEXEC_IMAGE);
@@ -244,15 +242,8 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
goto out;
}

- /* IMA measures the cmdline args passed to the next kernel*/
- buff_to_measure_size =
- kexec_cmdline_prepend_img_name(&buff_to_measure,
- kernel_fd, image->cmdline_buf, image->cmdline_buf_len);
-
- ima_buffer_check(buff_to_measure, buff_to_measure_size,
- "kexec_cmdline");
-
-
+ /* IMA measures the cmdline args passed to the next kernel */
+ ima_kexec_cmdline(image->cmdline_buf, image->cmdline_buf_len - 1);
}

/* Call arch image load handlers */
@@ -267,7 +258,6 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
out:

/* In case of error, free up all allocated memory in this function */
- kfree(buff_to_measure);
if (ret)
kimage_file_post_load_cleanup(image);
return ret;
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index de70df132575..226a26d8de09 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -184,7 +184,7 @@ static inline unsigned long ima_hash_key(u8 *digest)
hook(KEXEC_KERNEL_CHECK) \
hook(KEXEC_INITRAMFS_CHECK) \
hook(POLICY_CHECK) \
- hook(BUFFER_CHECK) \
+ hook(KEXEC_CMDLINE) \
hook(MAX_CHECK)
#define __ima_hook_enumify(ENUM) ENUM,

diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index cb3f67b366f1..800d965232e5 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -169,7 +169,7 @@ void ima_add_violation(struct file *file, const unsigned char *filename,
* subj=, obj=, type=, func=, mask=, fsmagic=
* subj,obj, and type: are LSM specific.
* func: FILE_CHECK | BPRM_CHECK | CREDS_CHECK | MMAP_CHECK | MODULE_CHECK
- * | BUFFER_CHECK
+ * | KEXEC_CMDLINE
* mask: contains the permission mask
* fsmagic: hex value
*
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 7362952ab273..fc9cef54e37c 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -618,7 +618,7 @@ static int process_buffer_measurement(const void *buff, int size,
if (!buff || size == 0 || !eventname)
goto err_out;

- action = ima_get_action(NULL, cred, secid, 0, BUFFER_CHECK, &pcr);
+ action = ima_get_action(NULL, cred, secid, 0, KEXEC_CMDLINE, &pcr);
if (!(action & IMA_AUDIT) && !(action & IMA_MEASURE))
goto err_out;

@@ -672,21 +672,20 @@ static int process_buffer_measurement(const void *buff, int size,
}

/**
- * ima_buffer_check - based on policy, collect & store buffer measurement
+ * ima_kexec_cmdline - based on policy, collect & store buffer measurement
* @buf: pointer to buffer
* @size: size of buffer
- * @eventname: event name identifier
*
* Buffers can only be measured, not appraised. The buffer identifier
* is used as the measurement list entry name (eg. boot_cmdline).
*/
-void ima_buffer_check(const void *buf, int size, const char *eventname)
+void ima_kexec_cmdline(const void *buf, int size)
{
u32 secid;

- if (buf && size != 0 && eventname) {
+ if (buf && size != 0) {
security_task_getsecid(current, &secid);
- process_buffer_measurement(buf, size, eventname,
+ process_buffer_measurement(buf, size, "Kexec-cmdline",
current_cred(), secid);
}
}
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index b12551ed191c..7ae59afbf28f 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -875,8 +875,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
entry->func = KEXEC_INITRAMFS_CHECK;
else if (strcmp(args[0].from, "POLICY_CHECK") == 0)
entry->func = POLICY_CHECK;
- else if (strcmp(args[0].from, "BUFFER_CHECK") == 0)
- entry->func = BUFFER_CHECK;
+ else if (strcmp(args[0].from, "KEXEC_CMDLINE") == 0)
+ entry->func = KEXEC_CMDLINE;
else
result = -EINVAL;
if (!result)
diff --git a/security/security.c b/security/security.c
index 2b575a40470e..23cbb1a295a3 100644
--- a/security/security.c
+++ b/security/security.c
@@ -754,12 +754,6 @@ int security_bprm_check(struct linux_binprm *bprm)
return ima_bprm_check(bprm);
}

-void security_buffer_measure(const void *buff, int size, char *eventname)
-{
- call_void_hook(buffer_check, buff, size, eventname);
- return ima_buffer_check(buff, size, eventname);
-}
-
void security_bprm_committing_creds(struct linux_binprm *bprm)
{
call_void_hook(bprm_committing_creds, bprm);
--
2.20.1

Next message: Stephen Rothwell: "Re: linux-next: manual merge of the vfs tree with the orangefs tree"
Previous message: Prakhar Srivastava: "[PATCH 4/5 v4] added LSM hook to call ima_buffer_check"
In reply to: Prakhar Srivastava: "[PATCH 4/5 v4] added LSM hook to call ima_buffer_check"
Next in thread: Mimi Zohar: "Re: [PATCH 5/5 v4] removed the LSM hook made available, and renamed the ima_policy to be KEXEC_CMDLINE"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]