| Message ID | 20221221141007.2579770-1-roberto.sassu@huaweicloud.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:adf:e747:0:0:0:0:0 with SMTP id c7csp3546738wrn;
Wed, 21 Dec 2022 06:15:09 -0800 (PST)
X-Google-Smtp-Source:
AMrXdXu9+dTEHApSI97u5ljS8LskXMviGSYBNw8NOJHdH9bXoCjk+2jSsWlogSYnJOffiRcfebKh
X-Received: by 2002:a17:90b:3c0e:b0:219:463d:4ebc with SMTP id
pb14-20020a17090b3c0e00b00219463d4ebcmr2410850pjb.30.1671632109045;
Wed, 21 Dec 2022 06:15:09 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1671632109; cv=none;
d=google.com; s=arc-20160816;
b=z/0V06Wm2M74jBWQ57eBwHE6FeOmUM9KqgoGYEmFBaWBfQjXKZ4B8Tn2kSrnXnzBuf
82OgCMvlV4KfhivpGeYg6UckuO6piXkqoX2zyqFnDGeUhx1NVtpYYRye5R9TSCfHTPlo
TSd8xXqjz49L/eOzGrCgD1OieRSaWDEX2PvuKM76nED6ouMOfOWe/lwermvoj7u2w8QB
6/cBG+hFxR8g4c+feT3HzjX1fZZPVAU/8saRuTC5+G8h0CIoYdGg+cB2a0e8bn2bd0sW
JOj/JcCsQu2mm00l8Lv6zY2eI6TnjAcqFeCY/3eI6vNGxSAujJcQWThtY1kuq6BKtZ2w
RoOQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from;
bh=cSgqnB02qKCdcgsVc/dGOApJfyvE/aTaE0T41fXXOEA=;
b=A7WGtKb8eoASAaRW+K3Vdwye3IVZD12VVfoaUAoEpJ+2sYEtfrb34uDt9Kx7UQhPPI
RLQfH83nRR4Y++z/BqJAPAs9BxsQy9AC/PDo3llq8mvSdsYTYZZi37i+lQzU2aRbYGay
Jdev9WhaKX5kHYwcMMCS07wsJME5j5V6XkY+dAX8V4iGEvbcIvSKvt+RsdQMWpicvkrM
0P6NZSx3LdXScItduFcq4OaLOeR41ioqw7jg/dZgoP+0cctkdIdNKbD6GyNB/H5Edic4
bLa3rBMYBfiT9kv3GSsqj8A9VZyvbKVX6duf1hr6SZENICof6tMWLz3Gcz8MTHRiX8/O
EjLw==
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
c17-20020a17090a8d1100b002190ba4112dsi1796485pjo.94.2022.12.21.06.14.55;
Wed, 21 Dec 2022 06:15:09 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S231986AbiLUOKh (ORCPT <rfc822;pacteraone@gmail.com> + 99 others);
Wed, 21 Dec 2022 09:10:37 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53940 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S229791AbiLUOKf (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Wed, 21 Dec 2022 09:10:35 -0500
Received: from frasgout12.his.huawei.com (frasgout12.his.huawei.com
[14.137.139.154])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DDCD423BEC;
Wed, 21 Dec 2022 06:10:31 -0800 (PST)
Received: from mail02.huawei.com (unknown [172.18.147.227])
by frasgout12.his.huawei.com (SkyGuard) with ESMTP id
4NcZsm2fxLz9xFrp;
Wed, 21 Dec 2022 22:03:24 +0800 (CST)
Received: from huaweicloud.com (unknown [10.204.63.22])
by APP2 (Coremail) with SMTP id GxC2BwAH2F7DE6NjUuUvAA--.8166S2;
Wed, 21 Dec 2022 15:10:18 +0100 (CET)
From: Roberto Sassu <roberto.sassu@huaweicloud.com>
To: paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com,
zohar@linux.ibm.com
Cc: linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, viro@zeniv.linux.org.uk,
Roberto Sassu <roberto.sassu@huawei.com>,
stable@vger.kernel.org
Subject: [PATCH v2] security: Restore passing final prot to ima_file_mmap()
Date: Wed, 21 Dec 2022 15:10:07 +0100
Message-Id: <20221221141007.2579770-1-roberto.sassu@huaweicloud.com>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-CM-TRANSID: GxC2BwAH2F7DE6NjUuUvAA--.8166S2
X-Coremail-Antispam: 1UD129KBjvJXoW7AFW7AF45ArW3Gw1kGF1rJFb_yoW8Xr1fpa
y5t3WUKrs5JFyFqFn7WFW7CF1Sk39xKFWUWan2gryj93Z8XFnYkr15AFWj9ry8Xrn5JFyF
qw12k3y3A3Wqy3DanT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2
9KBjDU0xBIdaVrnRJUUUk2b4IE77IF4wAFF20E14v26r4j6ryUM7CY07I20VC2zVCF04k2
6cxKx2IYs7xG6rWj6s0DM7CIcVAFz4kK6r1j6r18M28lY4IEw2IIxxk0rwA2F7IY1VAKz4
vEj48ve4kI8wA2z4x0Y4vE2Ix0cI8IcVAFwI0_Jr0_JF4l84ACjcxK6xIIjxv20xvEc7Cj
xVAFwI0_Gr0_Cr1l84ACjcxK6I8E87Iv67AKxVW8JVWxJwA2z4x0Y4vEx4A2jsIEc7CjxV
AFwI0_Gr1j6F4UJwAS0I0E0xvYzxvE52x082IY62kv0487Mc02F40EFcxC0VAKzVAqx4xG
6I80ewAv7VC0I7IYx2IY67AKxVWUGVWUXwAv7VC2z280aVAFwI0_Jr0_Gr1lOx8S6xCaFV
Cjc4AY6r1j6r4UM4x0Y48IcxkI7VAKI48JM4IIrI8v6xkF7I0E8cxan2IY04v7MxAIw28I
cxkI7VAKI48JMxC20s026xCaFVCjc4AY6r1j6r4UMI8I3I0E5I8CrVAFwI0_Jr0_Jr4lx2
IqxVCjr7xvwVAFwI0_JrI_JrWlx4CE17CEb7AF67AKxVWUtVW8ZwCIc40Y0x0EwIxGrwCI
42IY6xIIjxv20xvE14v26r1j6r1xMIIF0xvE2Ix0cI8IcVCY1x0267AKxVW8JVWxJwCI42
IY6xAIw20EY4v20xvaj40_Zr0_Wr1UMIIF0xvEx4A2jsIE14v26r1j6r4UMIIF0xvEx4A2
jsIEc7CjxVAFwI0_Gr1j6F4UJbIYCTnIWIevJa73UjIFyTuYvjxUOyCJDUUUU
X-CM-SenderInfo: purev21wro2thvvxqx5xdzvxpfor3voofrz/1tbiAgANBF1jj4LnoQAAs+
X-CFilter-Loop: Reflected
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_NONE,
SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1752833082953151010?=
X-GMAIL-MSGID: =?utf-8?q?1752833309927822357?=
|
| Series |
[v2] security: Restore passing final prot to ima_file_mmap()
|
|
Commit Message
Roberto Sassu
Dec. 21, 2022, 2:10 p.m. UTC
From: Roberto Sassu <roberto.sassu@huawei.com> Commit 98de59bfe4b2f ("take calculation of final prot in security_mmap_file() into a helper") moved the code to update prot with the actual protection flags to be granted to the requestor by the kernel to a helper called mmap_prot(). However, the patch didn't update the argument passed to ima_file_mmap(), making it receive the requested prot instead of the final computed prot. A possible consequence is that files mmapped as executable might not be measured/appraised if PROT_EXEC is not requested but subsequently added in the final prot. Replace prot with mmap_prot(file, prot) as the second argument of ima_file_mmap() to restore the original behavior. Cc: stable@vger.kernel.org Fixes: 98de59bfe4b2 ("take calculation of final prot in security_mmap_file() into a helper") Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> --- security/security.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
Comments
On Wed, Dec 21, 2022 at 9:10 AM Roberto Sassu <roberto.sassu@huaweicloud.com> wrote: > > From: Roberto Sassu <roberto.sassu@huawei.com> > > Commit 98de59bfe4b2f ("take calculation of final prot in > security_mmap_file() into a helper") moved the code to update prot with the > actual protection flags to be granted to the requestor by the kernel to a > helper called mmap_prot(). However, the patch didn't update the argument > passed to ima_file_mmap(), making it receive the requested prot instead of > the final computed prot. > > A possible consequence is that files mmapped as executable might not be > measured/appraised if PROT_EXEC is not requested but subsequently added in > the final prot. > > Replace prot with mmap_prot(file, prot) as the second argument of > ima_file_mmap() to restore the original behavior. > > Cc: stable@vger.kernel.org > Fixes: 98de59bfe4b2 ("take calculation of final prot in security_mmap_file() into a helper") > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> > --- > security/security.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/security/security.c b/security/security.c > index d1571900a8c7..0d2359d588a1 100644 > --- a/security/security.c > +++ b/security/security.c > @@ -1666,7 +1666,7 @@ int security_mmap_file(struct file *file, unsigned long prot, > mmap_prot(file, prot), flags); > if (ret) > return ret; > - return ima_file_mmap(file, prot); > + return ima_file_mmap(file, mmap_prot(file, prot)); > } This seems like a reasonable fix, although as the original commit is ~10 years old at this point I am a little concerned about the impact this might have on IMA. Mimi, what do you think? Beyond that, my only other comment would be to only call mmap_prot() once and cache the results in a local variable. You could also fix up some of the ugly indentation crimes in security_mmap_file() while you are at it, e.g. something like this: diff --git a/security/security.c b/security/security.c index d1571900a8c7..2f9cad9ecac8 100644 --- a/security/security.c +++ b/security/security.c @@ -1662,11 +1662,12 @@ int security_mmap_file(struct file *file, unsigned long prot, unsigned long flags) { int ret; - ret = call_int_hook(mmap_file, 0, file, prot, - mmap_prot(file, prot), flags); + unsigned long prot_adj = mmap_prot(file, prot); + + ret = call_int_hook(mmap_file, 0, file, prot, prot_adj, flags); if (ret) return ret; - return ima_file_mmap(file, prot); + return ima_file_mmap(file, prot_adj); } -- paul-moore.com
On Fri, 2023-01-06 at 16:14 -0500, Paul Moore wrote: > On Wed, Dec 21, 2022 at 9:10 AM Roberto Sassu > <roberto.sassu@huaweicloud.com> wrote: > > From: Roberto Sassu <roberto.sassu@huawei.com> > > > > Commit 98de59bfe4b2f ("take calculation of final prot in > > security_mmap_file() into a helper") moved the code to update prot with the > > actual protection flags to be granted to the requestor by the kernel to a > > helper called mmap_prot(). However, the patch didn't update the argument > > passed to ima_file_mmap(), making it receive the requested prot instead of > > the final computed prot. > > > > A possible consequence is that files mmapped as executable might not be > > measured/appraised if PROT_EXEC is not requested but subsequently added in > > the final prot. > > > > Replace prot with mmap_prot(file, prot) as the second argument of > > ima_file_mmap() to restore the original behavior. > > > > Cc: stable@vger.kernel.org > > Fixes: 98de59bfe4b2 ("take calculation of final prot in security_mmap_file() into a helper") > > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> > > --- > > security/security.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/security/security.c b/security/security.c > > index d1571900a8c7..0d2359d588a1 100644 > > --- a/security/security.c > > +++ b/security/security.c > > @@ -1666,7 +1666,7 @@ int security_mmap_file(struct file *file, unsigned long prot, > > mmap_prot(file, prot), flags); > > if (ret) > > return ret; > > - return ima_file_mmap(file, prot); > > + return ima_file_mmap(file, mmap_prot(file, prot)); > > } > > This seems like a reasonable fix, although as the original commit is > ~10 years old at this point I am a little concerned about the impact > this might have on IMA. Mimi, what do you think? > > Beyond that, my only other comment would be to only call mmap_prot() > once and cache the results in a local variable. You could also fix up > some of the ugly indentation crimes in security_mmap_file() while you > are at it, e.g. something like this: Hi Paul thanks for the comments. With the patch set to move IMA and EVM to the LSM infrastructure we will be back to calling mmap_prot() only once, but I guess we could do anyway, as the patch (if accepted) would be likely backported to stable kernels. Thanks Roberto > diff --git a/security/security.c b/security/security.c > index d1571900a8c7..2f9cad9ecac8 100644 > --- a/security/security.c > +++ b/security/security.c > @@ -1662,11 +1662,12 @@ int security_mmap_file(struct file *file, unsigned long > prot, > unsigned long flags) > { > int ret; > - ret = call_int_hook(mmap_file, 0, file, prot, > - mmap_prot(file, prot), flags); > + unsigned long prot_adj = mmap_prot(file, prot); > + > + ret = call_int_hook(mmap_file, 0, file, prot, prot_adj, flags); > if (ret) > return ret; > - return ima_file_mmap(file, prot); > + return ima_file_mmap(file, prot_adj); > } > > -- > paul-moore.com
On Wed, Jan 11, 2023 at 4:31 AM Roberto Sassu <roberto.sassu@huaweicloud.com> wrote: > On Fri, 2023-01-06 at 16:14 -0500, Paul Moore wrote: > > On Wed, Dec 21, 2022 at 9:10 AM Roberto Sassu > > <roberto.sassu@huaweicloud.com> wrote: > > > From: Roberto Sassu <roberto.sassu@huawei.com> > > > > > > Commit 98de59bfe4b2f ("take calculation of final prot in > > > security_mmap_file() into a helper") moved the code to update prot with the > > > actual protection flags to be granted to the requestor by the kernel to a > > > helper called mmap_prot(). However, the patch didn't update the argument > > > passed to ima_file_mmap(), making it receive the requested prot instead of > > > the final computed prot. > > > > > > A possible consequence is that files mmapped as executable might not be > > > measured/appraised if PROT_EXEC is not requested but subsequently added in > > > the final prot. > > > > > > Replace prot with mmap_prot(file, prot) as the second argument of > > > ima_file_mmap() to restore the original behavior. > > > > > > Cc: stable@vger.kernel.org > > > Fixes: 98de59bfe4b2 ("take calculation of final prot in security_mmap_file() into a helper") > > > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> > > > --- > > > security/security.c | 2 +- > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > diff --git a/security/security.c b/security/security.c > > > index d1571900a8c7..0d2359d588a1 100644 > > > --- a/security/security.c > > > +++ b/security/security.c > > > @@ -1666,7 +1666,7 @@ int security_mmap_file(struct file *file, unsigned long prot, > > > mmap_prot(file, prot), flags); > > > if (ret) > > > return ret; > > > - return ima_file_mmap(file, prot); > > > + return ima_file_mmap(file, mmap_prot(file, prot)); > > > } > > > > This seems like a reasonable fix, although as the original commit is > > ~10 years old at this point I am a little concerned about the impact > > this might have on IMA. Mimi, what do you think? > > > > Beyond that, my only other comment would be to only call mmap_prot() > > once and cache the results in a local variable. You could also fix up > > some of the ugly indentation crimes in security_mmap_file() while you > > are at it, e.g. something like this: > > Hi Paul > > thanks for the comments. With the patch set to move IMA and EVM to the > LSM infrastructure we will be back to calling mmap_prot() only once, > but I guess we could do anyway, as the patch (if accepted) would be > likely backported to stable kernels. I think there is value in fixing this now and keeping it separate from the IMA-to-LSM work as they really are disjoint.
On Wed, 2023-01-11 at 09:25 -0500, Paul Moore wrote: > On Wed, Jan 11, 2023 at 4:31 AM Roberto Sassu > <roberto.sassu@huaweicloud.com> wrote: > > On Fri, 2023-01-06 at 16:14 -0500, Paul Moore wrote: > > > On Wed, Dec 21, 2022 at 9:10 AM Roberto Sassu > > > <roberto.sassu@huaweicloud.com> wrote: > > > > From: Roberto Sassu <roberto.sassu@huawei.com> > > > > > > > > Commit 98de59bfe4b2f ("take calculation of final prot in > > > > security_mmap_file() into a helper") moved the code to update prot with the > > > > actual protection flags to be granted to the requestor by the kernel to a > > > > helper called mmap_prot(). However, the patch didn't update the argument > > > > passed to ima_file_mmap(), making it receive the requested prot instead of > > > > the final computed prot. > > > > > > > > A possible consequence is that files mmapped as executable might not be > > > > measured/appraised if PROT_EXEC is not requested but subsequently added in > > > > the final prot. > > > > > > > > Replace prot with mmap_prot(file, prot) as the second argument of > > > > ima_file_mmap() to restore the original behavior. > > > > > > > > Cc: stable@vger.kernel.org > > > > Fixes: 98de59bfe4b2 ("take calculation of final prot in security_mmap_file() into a helper") > > > > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> > > > > --- > > > > security/security.c | 2 +- > > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > > > diff --git a/security/security.c b/security/security.c > > > > index d1571900a8c7..0d2359d588a1 100644 > > > > --- a/security/security.c > > > > +++ b/security/security.c > > > > @@ -1666,7 +1666,7 @@ int security_mmap_file(struct file *file, unsigned long prot, > > > > mmap_prot(file, prot), flags); > > > > if (ret) > > > > return ret; > > > > - return ima_file_mmap(file, prot); > > > > + return ima_file_mmap(file, mmap_prot(file, prot)); > > > > } > > > > > > This seems like a reasonable fix, although as the original commit is > > > ~10 years old at this point I am a little concerned about the impact > > > this might have on IMA. Mimi, what do you think? As a user, I probably would like to know that my system is not measuring what it is supposed to measure. The rule: measure func=MMAP_CHECK mask=MAY_EXEC is looking for executable code mapped in memory. If it is requested by the application or the kernel, probably it does not make too much difference from the perspective of measurement goals. If we add a new policy keyword, existing policies would not be updated unless the system administrator notices it. If a remote attestation fails, the administrator has to look into it. Maybe we can introduce a new hook called MMAP_CHECK_REQ, so that an administrator could change the policy to have the current behavior, if the administrator wishes so. Roberto > > > Beyond that, my only other comment would be to only call mmap_prot() > > > once and cache the results in a local variable. You could also fix up > > > some of the ugly indentation crimes in security_mmap_file() while you > > > are at it, e.g. something like this: > > > > Hi Paul > > > > thanks for the comments. With the patch set to move IMA and EVM to the > > LSM infrastructure we will be back to calling mmap_prot() only once, > > but I guess we could do anyway, as the patch (if accepted) would be > > likely backported to stable kernels. > > I think there is value in fixing this now and keeping it separate from > the IMA-to-LSM work as they really are disjoint. >
On Thu, 2023-01-12 at 13:36 +0100, Roberto Sassu wrote: > On Wed, 2023-01-11 at 09:25 -0500, Paul Moore wrote: > > On Wed, Jan 11, 2023 at 4:31 AM Roberto Sassu > > <roberto.sassu@huaweicloud.com> wrote: > > > On Fri, 2023-01-06 at 16:14 -0500, Paul Moore wrote: > > > > On Wed, Dec 21, 2022 at 9:10 AM Roberto Sassu > > > > <roberto.sassu@huaweicloud.com> wrote: > > > > > From: Roberto Sassu <roberto.sassu@huawei.com> > > > > > > > > > > Commit 98de59bfe4b2f ("take calculation of final prot in > > > > > security_mmap_file() into a helper") moved the code to update prot with the > > > > > actual protection flags to be granted to the requestor by the kernel to a > > > > > helper called mmap_prot(). However, the patch didn't update the argument > > > > > passed to ima_file_mmap(), making it receive the requested prot instead of > > > > > the final computed prot. > > > > > > > > > > A possible consequence is that files mmapped as executable might not be > > > > > measured/appraised if PROT_EXEC is not requested but subsequently added in > > > > > the final prot. > > > > > > > > > > Replace prot with mmap_prot(file, prot) as the second argument of > > > > > ima_file_mmap() to restore the original behavior. > > > > > > > > > > Cc: stable@vger.kernel.org > > > > > Fixes: 98de59bfe4b2 ("take calculation of final prot in security_mmap_file() into a helper") > > > > > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> > > > > > --- > > > > > security/security.c | 2 +- > > > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > > > > > diff --git a/security/security.c b/security/security.c > > > > > index d1571900a8c7..0d2359d588a1 100644 > > > > > --- a/security/security.c > > > > > +++ b/security/security.c > > > > > @@ -1666,7 +1666,7 @@ int security_mmap_file(struct file *file, unsigned long prot, > > > > > mmap_prot(file, prot), flags); > > > > > if (ret) > > > > > return ret; > > > > > - return ima_file_mmap(file, prot); > > > > > + return ima_file_mmap(file, mmap_prot(file, prot)); > > > > > } > > > > > > > > This seems like a reasonable fix, although as the original commit is > > > > ~10 years old at this point I am a little concerned about the impact > > > > this might have on IMA. Mimi, what do you think? > > As a user, I probably would like to know that my system is not > measuring what it is supposed to measure. The rule: Agreed, that it is measuring what it is supposed to measure. > > measure func=MMAP_CHECK mask=MAY_EXEC > > is looking for executable code mapped in memory. If it is requested by > the application or the kernel, probably it does not make too much > difference from the perspective of measurement goals. Currently, it's limited to measuring file's being mmapped. From what I can tell from looking at the code, additional measurements would be included when "current->personality & READ_IMPLIES_EXEC". > > If we add a new policy keyword, existing policies would not be updated > unless the system administrator notices it. If a remote attestation > fails, the administrator has to look into it. Verifying the measurement list against a TPM quote should work regardless of additional measurements. The attestation server, however, should also check for unknown files. > > Maybe we can introduce a new hook called MMAP_CHECK_REQ, so that an > administrator could change the policy to have the current behavior, if > the administrator wishes so. Agreed, for backwards compatibility this would be good. Would you support it afterward transitioning IMA to an LSM? However "_REQ" could mean either requested or required. > > > > Beyond that, my only other comment would be to only call mmap_prot() > > > > once and cache the results in a local variable. You could also fix up > > > > some of the ugly indentation crimes in security_mmap_file() while you > > > > are at it, e.g. something like this: > > > > > > Hi Paul > > > > > > thanks for the comments. With the patch set to move IMA and EVM to the > > > LSM infrastructure we will be back to calling mmap_prot() only once, > > > but I guess we could do anyway, as the patch (if accepted) would be > > > likely backported to stable kernels. > > > > I think there is value in fixing this now and keeping it separate from > > the IMA-to-LSM work as they really are disjoint. > > >
On Thu, 2023-01-12 at 12:45 -0500, Mimi Zohar wrote: > On Thu, 2023-01-12 at 13:36 +0100, Roberto Sassu wrote: > > On Wed, 2023-01-11 at 09:25 -0500, Paul Moore wrote: > > > On Wed, Jan 11, 2023 at 4:31 AM Roberto Sassu > > > <roberto.sassu@huaweicloud.com> wrote: > > > > On Fri, 2023-01-06 at 16:14 -0500, Paul Moore wrote: > > > > > On Wed, Dec 21, 2022 at 9:10 AM Roberto Sassu > > > > > <roberto.sassu@huaweicloud.com> wrote: > > > > > > From: Roberto Sassu <roberto.sassu@huawei.com> > > > > > > > > > > > > Commit 98de59bfe4b2f ("take calculation of final prot in > > > > > > security_mmap_file() into a helper") moved the code to update prot with the > > > > > > actual protection flags to be granted to the requestor by the kernel to a > > > > > > helper called mmap_prot(). However, the patch didn't update the argument > > > > > > passed to ima_file_mmap(), making it receive the requested prot instead of > > > > > > the final computed prot. > > > > > > > > > > > > A possible consequence is that files mmapped as executable might not be > > > > > > measured/appraised if PROT_EXEC is not requested but subsequently added in > > > > > > the final prot. > > > > > > > > > > > > Replace prot with mmap_prot(file, prot) as the second argument of > > > > > > ima_file_mmap() to restore the original behavior. > > > > > > > > > > > > Cc: stable@vger.kernel.org > > > > > > Fixes: 98de59bfe4b2 ("take calculation of final prot in security_mmap_file() into a helper") > > > > > > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> > > > > > > --- > > > > > > security/security.c | 2 +- > > > > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > > > > > > > diff --git a/security/security.c b/security/security.c > > > > > > index d1571900a8c7..0d2359d588a1 100644 > > > > > > --- a/security/security.c > > > > > > +++ b/security/security.c > > > > > > @@ -1666,7 +1666,7 @@ int security_mmap_file(struct file *file, unsigned long prot, > > > > > > mmap_prot(file, prot), flags); > > > > > > if (ret) > > > > > > return ret; > > > > > > - return ima_file_mmap(file, prot); > > > > > > + return ima_file_mmap(file, mmap_prot(file, prot)); > > > > > > } > > > > > > > > > > This seems like a reasonable fix, although as the original commit is > > > > > ~10 years old at this point I am a little concerned about the impact > > > > > this might have on IMA. Mimi, what do you think? > > > > As a user, I probably would like to know that my system is not > > measuring what it is supposed to measure. The rule: > > Agreed, that it is measuring what it is supposed to measure. > > > measure func=MMAP_CHECK mask=MAY_EXEC > > > > is looking for executable code mapped in memory. If it is requested by > > the application or the kernel, probably it does not make too much > > difference from the perspective of measurement goals. > > Currently, it's limited to measuring file's being mmapped. From what I > can tell from looking at the code, additional measurements would be > included when "current->personality & READ_IMPLIES_EXEC". Yes, I developed a small program to see the differences: void main() { struct stat st; personality(READ_IMPLIES_EXEC); stat("test-file", &st); int fd = open("test-file", O_RDONLY); mmap(0, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0); } Without the patch, the test-file measurement does not appear. > > If we add a new policy keyword, existing policies would not be updated > > unless the system administrator notices it. If a remote attestation > > fails, the administrator has to look into it. > > Verifying the measurement list against a TPM quote should work > regardless of additional measurements. The attestation server, > however, should also check for unknown files. > > > Maybe we can introduce a new hook called MMAP_CHECK_REQ, so that an > > administrator could change the policy to have the current behavior, if > > the administrator wishes so. > > Agreed, for backwards compatibility this would be good. Would you > support it afterward transitioning IMA to an LSM? Yes, I have a patch to align ima_file_mmap() with the mmap_file() hook definition: -int ima_file_mmap(struct file *file, unsigned long prot) +int ima_file_mmap(struct file *file, unsigned long reqprot, + unsigned long prot, unsigned long flags) This would have also fixed the issue. But for backporting, I did a standalone patch. I noticed that Kees found this as well: -int ima_file_mmap(struct file *file, unsigned long prot) +static int ima_file_mmap(struct file *file, unsigned long reqprot, + unsigned long prot, unsigned long flags) { u32 secid; - if (file && (prot & PROT_EXEC)) { + if (file && (reqprot & PROT_EXEC)) { but from the history I saw that the original intent was to consider prot, not reqprot. > However "_REQ" could mean either requested or required. It was to recall reqprot. I could rename to MMAP_CHECK_REQPROT. Thanks Roberto > > > > > Beyond that, my only other comment would be to only call mmap_prot() > > > > > once and cache the results in a local variable. You could also fix up > > > > > some of the ugly indentation crimes in security_mmap_file() while you > > > > > are at it, e.g. something like this: > > > > > > > > Hi Paul > > > > > > > > thanks for the comments. With the patch set to move IMA and EVM to the > > > > LSM infrastructure we will be back to calling mmap_prot() only once, > > > > but I guess we could do anyway, as the patch (if accepted) would be > > > > likely backported to stable kernels. > > > > > > I think there is value in fixing this now and keeping it separate from > > > the IMA-to-LSM work as they really are disjoint. > > >
On Fri, Jan 13, 2023 at 5:53 AM Roberto Sassu <roberto.sassu@huaweicloud.com> wrote: > On Thu, 2023-01-12 at 12:45 -0500, Mimi Zohar wrote: > > On Thu, 2023-01-12 at 13:36 +0100, Roberto Sassu wrote: > > > On Wed, 2023-01-11 at 09:25 -0500, Paul Moore wrote: > > > > On Wed, Jan 11, 2023 at 4:31 AM Roberto Sassu > > > > <roberto.sassu@huaweicloud.com> wrote: > > > > > On Fri, 2023-01-06 at 16:14 -0500, Paul Moore wrote: > > > > > > On Wed, Dec 21, 2022 at 9:10 AM Roberto Sassu > > > > > > <roberto.sassu@huaweicloud.com> wrote: > > > > > > > From: Roberto Sassu <roberto.sassu@huawei.com> > > > > > > > > > > > > > > Commit 98de59bfe4b2f ("take calculation of final prot in > > > > > > > security_mmap_file() into a helper") moved the code to update prot with the > > > > > > > actual protection flags to be granted to the requestor by the kernel to a > > > > > > > helper called mmap_prot(). However, the patch didn't update the argument > > > > > > > passed to ima_file_mmap(), making it receive the requested prot instead of > > > > > > > the final computed prot. > > > > > > > > > > > > > > A possible consequence is that files mmapped as executable might not be > > > > > > > measured/appraised if PROT_EXEC is not requested but subsequently added in > > > > > > > the final prot. > > > > > > > > > > > > > > Replace prot with mmap_prot(file, prot) as the second argument of > > > > > > > ima_file_mmap() to restore the original behavior. > > > > > > > > > > > > > > Cc: stable@vger.kernel.org > > > > > > > Fixes: 98de59bfe4b2 ("take calculation of final prot in security_mmap_file() into a helper") > > > > > > > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> > > > > > > > --- > > > > > > > security/security.c | 2 +- > > > > > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > > > > > > > > > diff --git a/security/security.c b/security/security.c > > > > > > > index d1571900a8c7..0d2359d588a1 100644 > > > > > > > --- a/security/security.c > > > > > > > +++ b/security/security.c > > > > > > > @@ -1666,7 +1666,7 @@ int security_mmap_file(struct file *file, unsigned long prot, > > > > > > > mmap_prot(file, prot), flags); > > > > > > > if (ret) > > > > > > > return ret; > > > > > > > - return ima_file_mmap(file, prot); > > > > > > > + return ima_file_mmap(file, mmap_prot(file, prot)); > > > > > > > } > > > > > > > > > > > > This seems like a reasonable fix, although as the original commit is > > > > > > ~10 years old at this point I am a little concerned about the impact > > > > > > this might have on IMA. Mimi, what do you think? So ... where do we stand on this patch, Mimi, Roberto? I stand by my original comment, but I would want to see an ACK from Mimi at the very least before merging this upstream. If this isn't ACK-able, do we have a plan to resolve this soon?
On Fri, 2023-01-13 at 11:52 +0100, Roberto Sassu wrote: > > > If we add a new policy keyword, existing policies would not be updated > > > unless the system administrator notices it. If a remote attestation > > > fails, the administrator has to look into it. > > > > Verifying the measurement list against a TPM quote should work > > regardless of additional measurements. The attestation server, > > however, should also check for unknown files. > > > > > Maybe we can introduce a new hook called MMAP_CHECK_REQ, so that an > > > administrator could change the policy to have the current behavior, if > > > the administrator wishes so. <snip> > > However "_REQ" could mean either requested or required. > > It was to recall reqprot. I could rename to MMAP_CHECK_REQPROT. That sounds good.
On Fri, 2023-01-20 at 16:04 -0500, Paul Moore wrote: > On Fri, Jan 13, 2023 at 5:53 AM Roberto Sassu > <roberto.sassu@huaweicloud.com> wrote: > > On Thu, 2023-01-12 at 12:45 -0500, Mimi Zohar wrote: > > > On Thu, 2023-01-12 at 13:36 +0100, Roberto Sassu wrote: > > > > On Wed, 2023-01-11 at 09:25 -0500, Paul Moore wrote: > > > > > On Wed, Jan 11, 2023 at 4:31 AM Roberto Sassu > > > > > <roberto.sassu@huaweicloud.com> wrote: > > > > > > On Fri, 2023-01-06 at 16:14 -0500, Paul Moore wrote: > > > > > > > On Wed, Dec 21, 2022 at 9:10 AM Roberto Sassu > > > > > > > <roberto.sassu@huaweicloud.com> wrote: > > > > > > > > From: Roberto Sassu <roberto.sassu@huawei.com> > > > > > > > > > > > > > > > > Commit 98de59bfe4b2f ("take calculation of final prot in > > > > > > > > security_mmap_file() into a helper") moved the code to update prot with the > > > > > > > > actual protection flags to be granted to the requestor by the kernel to a > > > > > > > > helper called mmap_prot(). However, the patch didn't update the argument > > > > > > > > passed to ima_file_mmap(), making it receive the requested prot instead of > > > > > > > > the final computed prot. > > > > > > > > > > > > > > > > A possible consequence is that files mmapped as executable might not be > > > > > > > > measured/appraised if PROT_EXEC is not requested but subsequently added in > > > > > > > > the final prot. > > > > > > > > > > > > > > > > Replace prot with mmap_prot(file, prot) as the second argument of > > > > > > > > ima_file_mmap() to restore the original behavior. > > > > > > > > > > > > > > > > Cc: stable@vger.kernel.org > > > > > > > > Fixes: 98de59bfe4b2 ("take calculation of final prot in security_mmap_file() into a helper") > > > > > > > > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> > > > > > > > > --- > > > > > > > > security/security.c | 2 +- > > > > > > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > > > > > > > > > > > diff --git a/security/security.c b/security/security.c > > > > > > > > index d1571900a8c7..0d2359d588a1 100644 > > > > > > > > --- a/security/security.c > > > > > > > > +++ b/security/security.c > > > > > > > > @@ -1666,7 +1666,7 @@ int security_mmap_file(struct file *file, unsigned long prot, > > > > > > > > mmap_prot(file, prot), flags); > > > > > > > > if (ret) > > > > > > > > return ret; > > > > > > > > - return ima_file_mmap(file, prot); > > > > > > > > + return ima_file_mmap(file, mmap_prot(file, prot)); > > > > > > > > } > > > > > > > > > > > > > > This seems like a reasonable fix, although as the original commit is > > > > > > > ~10 years old at this point I am a little concerned about the impact > > > > > > > this might have on IMA. Mimi, what do you think? > > So ... where do we stand on this patch, Mimi, Roberto? I stand by my > original comment, but I would want to see an ACK from Mimi at the very > least before merging this upstream. If this isn't ACK-able, do we > have a plan to resolve this soon? Sorry, I had business trips last week. Will send the patches this week. Roberto
On Mon, Jan 23, 2023 at 3:30 AM Roberto Sassu <roberto.sassu@huaweicloud.com> wrote: > On Fri, 2023-01-20 at 16:04 -0500, Paul Moore wrote: > > On Fri, Jan 13, 2023 at 5:53 AM Roberto Sassu > > <roberto.sassu@huaweicloud.com> wrote: > > > On Thu, 2023-01-12 at 12:45 -0500, Mimi Zohar wrote: > > > > On Thu, 2023-01-12 at 13:36 +0100, Roberto Sassu wrote: > > > > > On Wed, 2023-01-11 at 09:25 -0500, Paul Moore wrote: > > > > > > On Wed, Jan 11, 2023 at 4:31 AM Roberto Sassu > > > > > > <roberto.sassu@huaweicloud.com> wrote: > > > > > > > On Fri, 2023-01-06 at 16:14 -0500, Paul Moore wrote: > > > > > > > > On Wed, Dec 21, 2022 at 9:10 AM Roberto Sassu > > > > > > > > <roberto.sassu@huaweicloud.com> wrote: > > > > > > > > > From: Roberto Sassu <roberto.sassu@huawei.com> > > > > > > > > > > > > > > > > > > Commit 98de59bfe4b2f ("take calculation of final prot in > > > > > > > > > security_mmap_file() into a helper") moved the code to update prot with the > > > > > > > > > actual protection flags to be granted to the requestor by the kernel to a > > > > > > > > > helper called mmap_prot(). However, the patch didn't update the argument > > > > > > > > > passed to ima_file_mmap(), making it receive the requested prot instead of > > > > > > > > > the final computed prot. > > > > > > > > > > > > > > > > > > A possible consequence is that files mmapped as executable might not be > > > > > > > > > measured/appraised if PROT_EXEC is not requested but subsequently added in > > > > > > > > > the final prot. > > > > > > > > > > > > > > > > > > Replace prot with mmap_prot(file, prot) as the second argument of > > > > > > > > > ima_file_mmap() to restore the original behavior. > > > > > > > > > > > > > > > > > > Cc: stable@vger.kernel.org > > > > > > > > > Fixes: 98de59bfe4b2 ("take calculation of final prot in security_mmap_file() into a helper") > > > > > > > > > Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> > > > > > > > > > --- > > > > > > > > > security/security.c | 2 +- > > > > > > > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > > > > > > > > > > > > > diff --git a/security/security.c b/security/security.c > > > > > > > > > index d1571900a8c7..0d2359d588a1 100644 > > > > > > > > > --- a/security/security.c > > > > > > > > > +++ b/security/security.c > > > > > > > > > @@ -1666,7 +1666,7 @@ int security_mmap_file(struct file *file, unsigned long prot, > > > > > > > > > mmap_prot(file, prot), flags); > > > > > > > > > if (ret) > > > > > > > > > return ret; > > > > > > > > > - return ima_file_mmap(file, prot); > > > > > > > > > + return ima_file_mmap(file, mmap_prot(file, prot)); > > > > > > > > > } > > > > > > > > > > > > > > > > This seems like a reasonable fix, although as the original commit is > > > > > > > > ~10 years old at this point I am a little concerned about the impact > > > > > > > > this might have on IMA. Mimi, what do you think? > > > > So ... where do we stand on this patch, Mimi, Roberto? I stand by my > > original comment, but I would want to see an ACK from Mimi at the very > > least before merging this upstream. If this isn't ACK-able, do we > > have a plan to resolve this soon? > > Sorry, I had business trips last week. Will send the patches this week. No worries, I just wasn't sure of the status and wanted to check in on this.
diff --git a/security/security.c b/security/security.c index d1571900a8c7..0d2359d588a1 100644 --- a/security/security.c +++ b/security/security.c @@ -1666,7 +1666,7 @@ int security_mmap_file(struct file *file, unsigned long prot, mmap_prot(file, prot), flags); if (ret) return ret; - return ima_file_mmap(file, prot); + return ima_file_mmap(file, mmap_prot(file, prot)); } int security_mmap_addr(unsigned long addr)