Re: [RFC PATCH 2/2] integrity: double check iint_cache was initialized
On 3/24/2021 4:58 AM, Dmitry Vyukov wrote: > On Wed, Mar 24, 2021 at 12:49 PM Mimi Zohar wrote: >> On Wed, 2021-03-24 at 12:37 +0100, Dmitry Vyukov wrote: >>> On Wed, Mar 24, 2021 at 12:21 PM Tetsuo Handa >>> wrote: On 2021/03/24 20:10, Mimi Zohar wrote: > On Wed, 2021-03-24 at 19:10 +0900, Tetsuo Handa wrote: >> On 2021/03/24 1:13, Mimi Zohar wrote: >>> On Wed, 2021-03-24 at 00:14 +0900, Tetsuo Handa wrote: On 2021/03/23 23:47, Mimi Zohar wrote: > Initially I also questioned making "integrity" an LSM. Perhaps it's > time to reconsider. For now, it makes sense to just fix the NULL > pointer dereferencing. Do we think calling panic() as "fix the NULL pointer dereferencing" ? >>> Not supplying "integrity" as an "lsm=" option is a user error. There >>> are only two options - allow or deny the caller to proceed. If the >>> user is expecting the integrity subsystem to be properly working, >>> returning a NULL and allowing the system to boot (RFC patch version) >>> does not make sense. Better to fail early. >> What does the "user" mean? Those who load the vmlinux? >> Only the "root" user (so called administrators)? >> Any users including other than "root" user? >> >> If the user means those who load the vmlinux, that user is explicitly >> asking >> for disabling "integrity" for some reason. In that case, it is a bug if >> booting with "integrity" disabled is impossible. >> >> If the user means something other than those who load the vmlinux, >> is there a possibility that that user (especially non "root" users) is >> allowed to try to use "integrity" ? If processes other than global init >> process can try to use "integrity", wouldn't it be a DoS attack vector? >> Please explain in the descripotion why calling panic() does not cause >> DoS attack vector. > User in this case, is anyone rebooting the system and is intentionally > changing the default values, dropping the "integrity" option on the > boot command line. OK. Then, I expect that the system boots instead of calling panic(). That user is explicitly asking for disabling "integrity" for some reason. >>> That was actually my intention. The prebuilt kernel that I use for >>> things has all LSMs enabled, but then I needed to try some workload >>> with only 1 specific LSM, so I gave a different lsm= argument. >> IMA/EVM is dependent on "integrity". Was your intention to also >> disable IMA and EVM? > I think, yes... or not sure. I was trying to test a bug that requires > a different major LSM and all minor LSMs are presumably irrelevant. I > dropped existing lsm= arg and added something like lsm=apparmor. This is the legacy case that security= supports. If you specify security=apparmor you will get all the "minor" LSMs you have compiled in and the "major" LSM you've specified, AppArmor in this case. This is exactly the behavior you used to get before lsm= was introduced. > >> If so, when disabling "integrity", don't load an >> IMA policy. > I don't really know what this means. I guess it simply comes from the > image? If so, there was no easy way to avoid loading.
Re: [RFC PATCH 2/2] integrity: double check iint_cache was initialized
On Wed, 2021-03-24 at 12:58 +0100, Dmitry Vyukov wrote: > On Wed, Mar 24, 2021 at 12:49 PM Mimi Zohar wrote: > > > > On Wed, 2021-03-24 at 12:37 +0100, Dmitry Vyukov wrote: > > > On Wed, Mar 24, 2021 at 12:21 PM Tetsuo Handa > > > wrote: > > > > > > > > On 2021/03/24 20:10, Mimi Zohar wrote: > > > > > On Wed, 2021-03-24 at 19:10 +0900, Tetsuo Handa wrote: > > > > >> On 2021/03/24 1:13, Mimi Zohar wrote: > > > > >>> On Wed, 2021-03-24 at 00:14 +0900, Tetsuo Handa wrote: > > > > On 2021/03/23 23:47, Mimi Zohar wrote: > > > > > Initially I also questioned making "integrity" an LSM. Perhaps > > > > > it's > > > > > time to reconsider. For now, it makes sense to just fix the NULL > > > > > pointer dereferencing. > > > > > > > > Do we think calling panic() as "fix the NULL pointer > > > > dereferencing" ? > > > > >>> > > > > >>> Not supplying "integrity" as an "lsm=" option is a user error. > > > > >>> There > > > > >>> are only two options - allow or deny the caller to proceed. If the > > > > >>> user is expecting the integrity subsystem to be properly working, > > > > >>> returning a NULL and allowing the system to boot (RFC patch version) > > > > >>> does not make sense. Better to fail early. > > > > >> > > > > >> What does the "user" mean? Those who load the vmlinux? > > > > >> Only the "root" user (so called administrators)? > > > > >> Any users including other than "root" user? > > > > >> > > > > >> If the user means those who load the vmlinux, that user is > > > > >> explicitly asking > > > > >> for disabling "integrity" for some reason. In that case, it is a bug > > > > >> if > > > > >> booting with "integrity" disabled is impossible. > > > > >> > > > > >> If the user means something other than those who load the vmlinux, > > > > >> is there a possibility that that user (especially non "root" users) > > > > >> is > > > > >> allowed to try to use "integrity" ? If processes other than global > > > > >> init > > > > >> process can try to use "integrity", wouldn't it be a DoS attack > > > > >> vector? > > > > >> Please explain in the descripotion why calling panic() does not cause > > > > >> DoS attack vector. > > > > > > > > > > User in this case, is anyone rebooting the system and is intentionally > > > > > changing the default values, dropping the "integrity" option on the > > > > > boot command line. > > > > > > > > OK. Then, I expect that the system boots instead of calling panic(). > > > > That user is explicitly asking for disabling "integrity" for some > > > > reason. > > > > > > That was actually my intention. The prebuilt kernel that I use for > > > things has all LSMs enabled, but then I needed to try some workload > > > with only 1 specific LSM, so I gave a different lsm= argument. > > > > IMA/EVM is dependent on "integrity". Was your intention to also > > disable IMA and EVM? > > I think, yes... or not sure. I was trying to test a bug that requires > a different major LSM and all minor LSMs are presumably irrelevant. I > dropped existing lsm= arg and added something like lsm=apparmor. > > > If so, when disabling "integrity", don't load an > > IMA policy. > > I don't really know what this means. I guess it simply comes from the > image? If so, there was no easy way to avoid loading. There are a couple of builtin IMA policies, which may be loaded on boot by specifying on the boot command line "ima_policy=". Unless the boot command line "ima_policy=" option is specified, no policy will loaded. A custom IMA policy may subsequently be loaded, normally in the initramfs, by echo'ing the file pathname to /sys/kernel/security/ima/policy. Mimi
Re: [RFC PATCH 2/2] integrity: double check iint_cache was initialized
On Wed, Mar 24, 2021 at 12:49 PM Mimi Zohar wrote: > > On Wed, 2021-03-24 at 12:37 +0100, Dmitry Vyukov wrote: > > On Wed, Mar 24, 2021 at 12:21 PM Tetsuo Handa > > wrote: > > > > > > On 2021/03/24 20:10, Mimi Zohar wrote: > > > > On Wed, 2021-03-24 at 19:10 +0900, Tetsuo Handa wrote: > > > >> On 2021/03/24 1:13, Mimi Zohar wrote: > > > >>> On Wed, 2021-03-24 at 00:14 +0900, Tetsuo Handa wrote: > > > On 2021/03/23 23:47, Mimi Zohar wrote: > > > > Initially I also questioned making "integrity" an LSM. Perhaps it's > > > > time to reconsider. For now, it makes sense to just fix the NULL > > > > pointer dereferencing. > > > > > > Do we think calling panic() as "fix the NULL pointer dereferencing" ? > > > >>> > > > >>> Not supplying "integrity" as an "lsm=" option is a user error. There > > > >>> are only two options - allow or deny the caller to proceed. If the > > > >>> user is expecting the integrity subsystem to be properly working, > > > >>> returning a NULL and allowing the system to boot (RFC patch version) > > > >>> does not make sense. Better to fail early. > > > >> > > > >> What does the "user" mean? Those who load the vmlinux? > > > >> Only the "root" user (so called administrators)? > > > >> Any users including other than "root" user? > > > >> > > > >> If the user means those who load the vmlinux, that user is explicitly > > > >> asking > > > >> for disabling "integrity" for some reason. In that case, it is a bug if > > > >> booting with "integrity" disabled is impossible. > > > >> > > > >> If the user means something other than those who load the vmlinux, > > > >> is there a possibility that that user (especially non "root" users) is > > > >> allowed to try to use "integrity" ? If processes other than global init > > > >> process can try to use "integrity", wouldn't it be a DoS attack vector? > > > >> Please explain in the descripotion why calling panic() does not cause > > > >> DoS attack vector. > > > > > > > > User in this case, is anyone rebooting the system and is intentionally > > > > changing the default values, dropping the "integrity" option on the > > > > boot command line. > > > > > > OK. Then, I expect that the system boots instead of calling panic(). > > > That user is explicitly asking for disabling "integrity" for some reason. > > > > That was actually my intention. The prebuilt kernel that I use for > > things has all LSMs enabled, but then I needed to try some workload > > with only 1 specific LSM, so I gave a different lsm= argument. > > IMA/EVM is dependent on "integrity". Was your intention to also > disable IMA and EVM? I think, yes... or not sure. I was trying to test a bug that requires a different major LSM and all minor LSMs are presumably irrelevant. I dropped existing lsm= arg and added something like lsm=apparmor. > If so, when disabling "integrity", don't load an > IMA policy. I don't really know what this means. I guess it simply comes from the image? If so, there was no easy way to avoid loading.
Re: [RFC PATCH 2/2] integrity: double check iint_cache was initialized
On Wed, 2021-03-24 at 12:37 +0100, Dmitry Vyukov wrote: > On Wed, Mar 24, 2021 at 12:21 PM Tetsuo Handa > wrote: > > > > On 2021/03/24 20:10, Mimi Zohar wrote: > > > On Wed, 2021-03-24 at 19:10 +0900, Tetsuo Handa wrote: > > >> On 2021/03/24 1:13, Mimi Zohar wrote: > > >>> On Wed, 2021-03-24 at 00:14 +0900, Tetsuo Handa wrote: > > On 2021/03/23 23:47, Mimi Zohar wrote: > > > Initially I also questioned making "integrity" an LSM. Perhaps it's > > > time to reconsider. For now, it makes sense to just fix the NULL > > > pointer dereferencing. > > > > Do we think calling panic() as "fix the NULL pointer dereferencing" ? > > >>> > > >>> Not supplying "integrity" as an "lsm=" option is a user error. There > > >>> are only two options - allow or deny the caller to proceed. If the > > >>> user is expecting the integrity subsystem to be properly working, > > >>> returning a NULL and allowing the system to boot (RFC patch version) > > >>> does not make sense. Better to fail early. > > >> > > >> What does the "user" mean? Those who load the vmlinux? > > >> Only the "root" user (so called administrators)? > > >> Any users including other than "root" user? > > >> > > >> If the user means those who load the vmlinux, that user is explicitly > > >> asking > > >> for disabling "integrity" for some reason. In that case, it is a bug if > > >> booting with "integrity" disabled is impossible. > > >> > > >> If the user means something other than those who load the vmlinux, > > >> is there a possibility that that user (especially non "root" users) is > > >> allowed to try to use "integrity" ? If processes other than global init > > >> process can try to use "integrity", wouldn't it be a DoS attack vector? > > >> Please explain in the descripotion why calling panic() does not cause > > >> DoS attack vector. > > > > > > User in this case, is anyone rebooting the system and is intentionally > > > changing the default values, dropping the "integrity" option on the > > > boot command line. > > > > OK. Then, I expect that the system boots instead of calling panic(). > > That user is explicitly asking for disabling "integrity" for some reason. > > That was actually my intention. The prebuilt kernel that I use for > things has all LSMs enabled, but then I needed to try some workload > with only 1 specific LSM, so I gave a different lsm= argument. IMA/EVM is dependent on "integrity". Was your intention to also disable IMA and EVM? If so, when disabling "integrity", don't load an IMA policy. Mimi
Re: [RFC PATCH 2/2] integrity: double check iint_cache was initialized
On Wed, Mar 24, 2021 at 12:21 PM Tetsuo Handa wrote: > > On 2021/03/24 20:10, Mimi Zohar wrote: > > On Wed, 2021-03-24 at 19:10 +0900, Tetsuo Handa wrote: > >> On 2021/03/24 1:13, Mimi Zohar wrote: > >>> On Wed, 2021-03-24 at 00:14 +0900, Tetsuo Handa wrote: > On 2021/03/23 23:47, Mimi Zohar wrote: > > Initially I also questioned making "integrity" an LSM. Perhaps it's > > time to reconsider. For now, it makes sense to just fix the NULL > > pointer dereferencing. > > Do we think calling panic() as "fix the NULL pointer dereferencing" ? > >>> > >>> Not supplying "integrity" as an "lsm=" option is a user error. There > >>> are only two options - allow or deny the caller to proceed. If the > >>> user is expecting the integrity subsystem to be properly working, > >>> returning a NULL and allowing the system to boot (RFC patch version) > >>> does not make sense. Better to fail early. > >> > >> What does the "user" mean? Those who load the vmlinux? > >> Only the "root" user (so called administrators)? > >> Any users including other than "root" user? > >> > >> If the user means those who load the vmlinux, that user is explicitly > >> asking > >> for disabling "integrity" for some reason. In that case, it is a bug if > >> booting with "integrity" disabled is impossible. > >> > >> If the user means something other than those who load the vmlinux, > >> is there a possibility that that user (especially non "root" users) is > >> allowed to try to use "integrity" ? If processes other than global init > >> process can try to use "integrity", wouldn't it be a DoS attack vector? > >> Please explain in the descripotion why calling panic() does not cause > >> DoS attack vector. > > > > User in this case, is anyone rebooting the system and is intentionally > > changing the default values, dropping the "integrity" option on the > > boot command line. > > OK. Then, I expect that the system boots instead of calling panic(). > That user is explicitly asking for disabling "integrity" for some reason. That was actually my intention. The prebuilt kernel that I use for things has all LSMs enabled, but then I needed to try some workload with only 1 specific LSM, so I gave a different lsm= argument.
Re: [RFC PATCH 2/2] integrity: double check iint_cache was initialized
On 2021/03/24 20:10, Mimi Zohar wrote: > On Wed, 2021-03-24 at 19:10 +0900, Tetsuo Handa wrote: >> On 2021/03/24 1:13, Mimi Zohar wrote: >>> On Wed, 2021-03-24 at 00:14 +0900, Tetsuo Handa wrote: On 2021/03/23 23:47, Mimi Zohar wrote: > Initially I also questioned making "integrity" an LSM. Perhaps it's > time to reconsider. For now, it makes sense to just fix the NULL > pointer dereferencing. Do we think calling panic() as "fix the NULL pointer dereferencing" ? >>> >>> Not supplying "integrity" as an "lsm=" option is a user error. There >>> are only two options - allow or deny the caller to proceed. If the >>> user is expecting the integrity subsystem to be properly working, >>> returning a NULL and allowing the system to boot (RFC patch version) >>> does not make sense. Better to fail early. >> >> What does the "user" mean? Those who load the vmlinux? >> Only the "root" user (so called administrators)? >> Any users including other than "root" user? >> >> If the user means those who load the vmlinux, that user is explicitly asking >> for disabling "integrity" for some reason. In that case, it is a bug if >> booting with "integrity" disabled is impossible. >> >> If the user means something other than those who load the vmlinux, >> is there a possibility that that user (especially non "root" users) is >> allowed to try to use "integrity" ? If processes other than global init >> process can try to use "integrity", wouldn't it be a DoS attack vector? >> Please explain in the descripotion why calling panic() does not cause >> DoS attack vector. > > User in this case, is anyone rebooting the system and is intentionally > changing the default values, dropping the "integrity" option on the > boot command line. OK. Then, I expect that the system boots instead of calling panic(). That user is explicitly asking for disabling "integrity" for some reason.
Re: [RFC PATCH 2/2] integrity: double check iint_cache was initialized
On Wed, 2021-03-24 at 19:10 +0900, Tetsuo Handa wrote: > On 2021/03/24 1:13, Mimi Zohar wrote: > > On Wed, 2021-03-24 at 00:14 +0900, Tetsuo Handa wrote: > >> On 2021/03/23 23:47, Mimi Zohar wrote: > >>> Initially I also questioned making "integrity" an LSM. Perhaps it's > >>> time to reconsider. For now, it makes sense to just fix the NULL > >>> pointer dereferencing. > >> > >> Do we think calling panic() as "fix the NULL pointer dereferencing" ? > > > > Not supplying "integrity" as an "lsm=" option is a user error. There > > are only two options - allow or deny the caller to proceed. If the > > user is expecting the integrity subsystem to be properly working, > > returning a NULL and allowing the system to boot (RFC patch version) > > does not make sense. Better to fail early. > > What does the "user" mean? Those who load the vmlinux? > Only the "root" user (so called administrators)? > Any users including other than "root" user? > > If the user means those who load the vmlinux, that user is explicitly asking > for disabling "integrity" for some reason. In that case, it is a bug if > booting with "integrity" disabled is impossible. > > If the user means something other than those who load the vmlinux, > is there a possibility that that user (especially non "root" users) is > allowed to try to use "integrity" ? If processes other than global init > process can try to use "integrity", wouldn't it be a DoS attack vector? > Please explain in the descripotion why calling panic() does not cause > DoS attack vector. User in this case, is anyone rebooting the system and is intentionally changing the default values, dropping the "integrity" option on the boot command line. Mimi
Re: [RFC PATCH 2/2] integrity: double check iint_cache was initialized
On 2021/03/24 1:13, Mimi Zohar wrote: > On Wed, 2021-03-24 at 00:14 +0900, Tetsuo Handa wrote: >> On 2021/03/23 23:47, Mimi Zohar wrote: >>> Initially I also questioned making "integrity" an LSM. Perhaps it's >>> time to reconsider. For now, it makes sense to just fix the NULL >>> pointer dereferencing. >> >> Do we think calling panic() as "fix the NULL pointer dereferencing" ? > > Not supplying "integrity" as an "lsm=" option is a user error. There > are only two options - allow or deny the caller to proceed. If the > user is expecting the integrity subsystem to be properly working, > returning a NULL and allowing the system to boot (RFC patch version) > does not make sense. Better to fail early. What does the "user" mean? Those who load the vmlinux? Only the "root" user (so called administrators)? Any users including other than "root" user? If the user means those who load the vmlinux, that user is explicitly asking for disabling "integrity" for some reason. In that case, it is a bug if booting with "integrity" disabled is impossible. If the user means something other than those who load the vmlinux, is there a possibility that that user (especially non "root" users) is allowed to try to use "integrity" ? If processes other than global init process can try to use "integrity", wouldn't it be a DoS attack vector? Please explain in the descripotion why calling panic() does not cause DoS attack vector.
Re: [RFC PATCH 2/2] integrity: double check iint_cache was initialized
On Wed, 2021-03-24 at 00:14 +0900, Tetsuo Handa wrote: > On 2021/03/23 23:47, Mimi Zohar wrote: > > Initially I also questioned making "integrity" an LSM. Perhaps it's > > time to reconsider. For now, it makes sense to just fix the NULL > > pointer dereferencing. > > Do we think calling panic() as "fix the NULL pointer dereferencing" ? Not supplying "integrity" as an "lsm=" option is a user error. There are only two options - allow or deny the caller to proceed. If the user is expecting the integrity subsystem to be properly working, returning a NULL and allowing the system to boot (RFC patch version) does not make sense. Better to fail early. Mimi
Re: [RFC PATCH 2/2] integrity: double check iint_cache was initialized
On 2021/03/23 23:47, Mimi Zohar wrote: > Initially I also questioned making "integrity" an LSM. Perhaps it's > time to reconsider. For now, it makes sense to just fix the NULL > pointer dereferencing. Do we think calling panic() as "fix the NULL pointer dereferencing" ?
Re: [RFC PATCH 2/2] integrity: double check iint_cache was initialized
On Tue, 2021-03-23 at 23:01 +0900, Tetsuo Handa wrote: > On 2021/03/23 22:37, Tetsuo Handa wrote: > > On 2021/03/23 21:09, Mimi Zohar wrote: > >> Please take a look at the newer version of this patch. Do you want to > >> add any tags? > > > > Oh, I didn't know that you already posted the newer version. > > > >> diff --git a/security/integrity/iint.c b/security/integrity/iint.c > >> index 1d20003243c3..0ba01847e836 100644 > >> --- a/security/integrity/iint.c > >> +++ b/security/integrity/iint.c > >> @@ -98,6 +98,14 @@ struct integrity_iint_cache *integrity_inode_get(struct > >> inode *inode) > >>struct rb_node *node, *parent = NULL; > >>struct integrity_iint_cache *iint, *test_iint; > >> > >> + /* > >> + * The integrity's "iint_cache" is initialized at security_init(), > >> + * unless it is not included in the ordered list of LSMs enabled > >> + * on the boot command line. > >> + */ > >> + if (!iint_cache) > >> + panic("%s: lsm=integrity required.\n", __func__); > >> + > > > > This looks strange. If "lsm=" parameter must include "integrity", > > it implies that nobody is allowed to disable "integrity" at boot. Integrity isn't always required. Only when something tries to use it, does it need to be enabled. Since both integrity and the integrity caller are runtime dependent, it is up to the user/admin to specify "integrity" as an "lsm=" option. > > Then, why not unconditionally call integrity_iintcache_init() by > > not counting on DEFINE_LSM(integrity) declaration? Initially I also questioned making "integrity" an LSM. Perhaps it's time to reconsider. For now, it makes sense to just fix the NULL pointer dereferencing. Mimi
Re: [RFC PATCH 2/2] integrity: double check iint_cache was initialized
On 2021/03/23 22:37, Tetsuo Handa wrote: > On 2021/03/23 21:09, Mimi Zohar wrote: >> Please take a look at the newer version of this patch. Do you want to >> add any tags? > > Oh, I didn't know that you already posted the newer version. > >> diff --git a/security/integrity/iint.c b/security/integrity/iint.c >> index 1d20003243c3..0ba01847e836 100644 >> --- a/security/integrity/iint.c >> +++ b/security/integrity/iint.c >> @@ -98,6 +98,14 @@ struct integrity_iint_cache *integrity_inode_get(struct >> inode *inode) >> struct rb_node *node, *parent = NULL; >> struct integrity_iint_cache *iint, *test_iint; >> >> +/* >> + * The integrity's "iint_cache" is initialized at security_init(), >> + * unless it is not included in the ordered list of LSMs enabled >> + * on the boot command line. >> + */ >> +if (!iint_cache) >> +panic("%s: lsm=integrity required.\n", __func__); >> + > > This looks strange. If "lsm=" parameter must include "integrity", > it implies that nobody is allowed to disable "integrity" at boot. > Then, why not unconditionally call integrity_iintcache_init() by > not counting on DEFINE_LSM(integrity) declaration? Or, I think below one is also possible. diff --git a/security/integrity/iint.c b/security/integrity/iint.c index 1d20003243c3..37afc5168891 100644 --- a/security/integrity/iint.c +++ b/security/integrity/iint.c @@ -19,6 +19,7 @@ #include #include #include +#include #include "integrity.h" static struct rb_root integrity_iint_tree = RB_ROOT; @@ -85,6 +86,20 @@ static void iint_free(struct integrity_iint_cache *iint) kmem_cache_free(iint_cache, iint); } +static void init_once(void *foo) +{ + struct integrity_iint_cache *iint = foo; + + memset(iint, 0, sizeof(*iint)); + iint->ima_file_status = INTEGRITY_UNKNOWN; + iint->ima_mmap_status = INTEGRITY_UNKNOWN; + iint->ima_bprm_status = INTEGRITY_UNKNOWN; + iint->ima_read_status = INTEGRITY_UNKNOWN; + iint->ima_creds_status = INTEGRITY_UNKNOWN; + iint->evm_status = INTEGRITY_UNKNOWN; + mutex_init(>mutex); +} + /** * integrity_inode_get - find or allocate an iint associated with an inode * @inode: pointer to the inode @@ -102,6 +117,18 @@ struct integrity_iint_cache *integrity_inode_get(struct inode *inode) if (iint) return iint; + if (!iint_cache) { + static DEFINE_MUTEX(lock); + unsigned int flags = memalloc_nofs_save(); + + mutex_lock(); + if (!iint_cache) + iint_cache = kmem_cache_create("iint_cache", + sizeof(struct integrity_iint_cache), + 0, SLAB_PANIC, init_once); + mutex_unlock(); + memalloc_nofs_restore(flags); + } iint = kmem_cache_alloc(iint_cache, GFP_NOFS); if (!iint) return NULL; @@ -150,25 +177,8 @@ void integrity_inode_free(struct inode *inode) iint_free(iint); } -static void init_once(void *foo) -{ - struct integrity_iint_cache *iint = foo; - - memset(iint, 0, sizeof(*iint)); - iint->ima_file_status = INTEGRITY_UNKNOWN; - iint->ima_mmap_status = INTEGRITY_UNKNOWN; - iint->ima_bprm_status = INTEGRITY_UNKNOWN; - iint->ima_read_status = INTEGRITY_UNKNOWN; - iint->ima_creds_status = INTEGRITY_UNKNOWN; - iint->evm_status = INTEGRITY_UNKNOWN; - mutex_init(>mutex); -} - static int __init integrity_iintcache_init(void) { - iint_cache = - kmem_cache_create("iint_cache", sizeof(struct integrity_iint_cache), - 0, SLAB_PANIC, init_once); return 0; } DEFINE_LSM(integrity) = {
Re: [RFC PATCH 2/2] integrity: double check iint_cache was initialized
On 2021/03/23 21:09, Mimi Zohar wrote: > Please take a look at the newer version of this patch. Do you want to > add any tags? Oh, I didn't know that you already posted the newer version. > diff --git a/security/integrity/iint.c b/security/integrity/iint.c > index 1d20003243c3..0ba01847e836 100644 > --- a/security/integrity/iint.c > +++ b/security/integrity/iint.c > @@ -98,6 +98,14 @@ struct integrity_iint_cache *integrity_inode_get(struct > inode *inode) > struct rb_node *node, *parent = NULL; > struct integrity_iint_cache *iint, *test_iint; > > + /* > + * The integrity's "iint_cache" is initialized at security_init(), > + * unless it is not included in the ordered list of LSMs enabled > + * on the boot command line. > + */ > + if (!iint_cache) > + panic("%s: lsm=integrity required.\n", __func__); > + This looks strange. If "lsm=" parameter must include "integrity", it implies that nobody is allowed to disable "integrity" at boot. Then, why not unconditionally call integrity_iintcache_init() by not counting on DEFINE_LSM(integrity) declaration? > iint = integrity_iint_find(inode); > if (iint) > return iint; >
Re: [RFC PATCH 2/2] integrity: double check iint_cache was initialized
On Tue, 2021-03-23 at 10:46 +0900, Tetsuo Handa wrote: > On 2021/03/20 5:03, Mimi Zohar wrote: > > The integrity's "iint_cache" is initialized at security_init(). Only > > after an IMA policy is loaded, which is initialized at late_initcall, > > is a file's integrity status stored in the "iint_cache". > > > > All integrity_inode_get() callers first verify that the IMA policy has > > been loaded, before calling it. Yet for some reason, it is still being > > called, causing a NULL pointer dereference. > > > > qemu-system-x86_64 (...snipped...) lsm=smack (...snipped...) > > Hmm, why are you using lsm=smack instead of security=smack ? > Since use of lsm= overrides > CONFIG_LSM="lockdown,yama,safesetid,integrity,tomoyo,smack,bpf" settings, > only smack is activated, which means that integrity_iintcache_init() will not > be called by > > DEFINE_LSM(integrity) = { > .name = "integrity", > .init = integrity_iintcache_init, > }; > > declaration. That's the reason iint_cache == NULL when integrity_inode_get() > is called. That's exactly the problem, but since we don't control how the system is configured or which parameters are supplied on the boot command line, the kernel needs to at least provide some explanation instead of dereferencing a NULL pointer. FYI, "security=" is being deprecated. From Documentation/admin- guide/kernel-parameters.txt: security= [SECURITY] Choose a legacy "major" security module to enable at boot. This has been deprecated by the "lsm=" parameter. Please take a look at the newer version of this patch. Do you want to add any tags? thanks, Mimi
Re: [RFC PATCH 2/2] integrity: double check iint_cache was initialized
On 2021/03/20 5:03, Mimi Zohar wrote: > The integrity's "iint_cache" is initialized at security_init(). Only > after an IMA policy is loaded, which is initialized at late_initcall, > is a file's integrity status stored in the "iint_cache". > > All integrity_inode_get() callers first verify that the IMA policy has > been loaded, before calling it. Yet for some reason, it is still being > called, causing a NULL pointer dereference. > > qemu-system-x86_64 (...snipped...) lsm=smack (...snipped...) Hmm, why are you using lsm=smack instead of security=smack ? Since use of lsm= overrides CONFIG_LSM="lockdown,yama,safesetid,integrity,tomoyo,smack,bpf" settings, only smack is activated, which means that integrity_iintcache_init() will not be called by DEFINE_LSM(integrity) = { .name = "integrity", .init = integrity_iintcache_init, }; declaration. That's the reason iint_cache == NULL when integrity_inode_get() is called.
Re: [RFC PATCH 2/2] integrity: double check iint_cache was initialized
On Mon, Mar 22, 2021 at 8:11 AM Tetsuo Handa wrote: > > On 2021/03/20 5:03, Mimi Zohar wrote: > > The integrity's "iint_cache" is initialized at security_init(). Only > > after an IMA policy is loaded, which is initialized at late_initcall, > > is a file's integrity status stored in the "iint_cache". > > > > All integrity_inode_get() callers first verify that the IMA policy has > > been loaded, before calling it. Yet for some reason, it is still being > > called, causing a NULL pointer dereference. > > > > As reported by Dmitry Vyukov: > > in qemu: > > qemu-system-x86_64 -enable-kvm -machine q35,nvdimm -cpu > > max,migratable=off -smp 4 -m 4G,slots=4,maxmem=16G-hda > > wheezy.img -kernel arch/x86/boot/bzImage -nographic -vga std > > -soundhw all -usb -usbdevice tablet -bt hci -bt device:keyboard > >-net user,host=10.0.2.10,hostfwd=tcp::10022-:22 -net > > nic,model=virtio-net-pci -object > > memory-backend-file,id=pmem1,share=off,mem-path=/dev/zero,size=64M > > -device nvdimm,id=nvdimm1,memdev=pmem1 -append "console=ttyS0 > > root=/dev/sda earlyprintk=serial rodata=n oops=panic panic_on_warn=1 > > panic=86400 lsm=smack numa=fake=2 nopcid dummy_hcd.num=8" -pidfile > > vm_pid -m 2G -cpu host > > > > I tried similar command line (without "-enable-kvm" and without "-cpu host" > as I'm running from VMware, without "-soundhw all", without "-machine > q35,nvdimm" > and "-device nvdimm,id=nvdimm1,memdev=pmem1" etc.) on 5.12-rc4. While I was > finally > able to hit similar crash when I used "-smp 1" instead of "-smp 4", I suspect > this is not a integrity module's problem but a memory > initialization/corruption > problem, for I got various different crashes (INT3) at memory allocation when > I was trimming command line options trying to reproduce the same crash. > > Dmitry, do you get different crashes by changing command line arguments? No, I have not seen any other crashes, one the reported one.
Re: [RFC PATCH 2/2] integrity: double check iint_cache was initialized
On 2021/03/20 5:03, Mimi Zohar wrote: > The integrity's "iint_cache" is initialized at security_init(). Only > after an IMA policy is loaded, which is initialized at late_initcall, > is a file's integrity status stored in the "iint_cache". > > All integrity_inode_get() callers first verify that the IMA policy has > been loaded, before calling it. Yet for some reason, it is still being > called, causing a NULL pointer dereference. > > As reported by Dmitry Vyukov: > in qemu: > qemu-system-x86_64 -enable-kvm -machine q35,nvdimm -cpu > max,migratable=off -smp 4 -m 4G,slots=4,maxmem=16G-hda > wheezy.img -kernel arch/x86/boot/bzImage -nographic -vga std > -soundhw all -usb -usbdevice tablet -bt hci -bt device:keyboard >-net user,host=10.0.2.10,hostfwd=tcp::10022-:22 -net > nic,model=virtio-net-pci -object > memory-backend-file,id=pmem1,share=off,mem-path=/dev/zero,size=64M > -device nvdimm,id=nvdimm1,memdev=pmem1 -append "console=ttyS0 > root=/dev/sda earlyprintk=serial rodata=n oops=panic panic_on_warn=1 > panic=86400 lsm=smack numa=fake=2 nopcid dummy_hcd.num=8" -pidfile > vm_pid -m 2G -cpu host > I tried similar command line (without "-enable-kvm" and without "-cpu host" as I'm running from VMware, without "-soundhw all", without "-machine q35,nvdimm" and "-device nvdimm,id=nvdimm1,memdev=pmem1" etc.) on 5.12-rc4. While I was finally able to hit similar crash when I used "-smp 1" instead of "-smp 4", I suspect this is not a integrity module's problem but a memory initialization/corruption problem, for I got various different crashes (INT3) at memory allocation when I was trimming command line options trying to reproduce the same crash. Dmitry, do you get different crashes by changing command line arguments?
[RFC PATCH 2/2] integrity: double check iint_cache was initialized
From: Test The integrity's "iint_cache" is initialized at security_init(). Only after an IMA policy is loaded, which is initialized at late_initcall, is a file's integrity status stored in the "iint_cache". All integrity_inode_get() callers first verify that the IMA policy has been loaded, before calling it. Yet for some reason, it is still being called, causing a NULL pointer dereference. As reported by Dmitry Vyukov: in qemu: qemu-system-x86_64 -enable-kvm -machine q35,nvdimm -cpu max,migratable=off -smp 4 -m 4G,slots=4,maxmem=16G-hda wheezy.img -kernel arch/x86/boot/bzImage -nographic -vga std -soundhw all -usb -usbdevice tablet -bt hci -bt device:keyboard -net user,host=10.0.2.10,hostfwd=tcp::10022-:22 -net nic,model=virtio-net-pci -object memory-backend-file,id=pmem1,share=off,mem-path=/dev/zero,size=64M -device nvdimm,id=nvdimm1,memdev=pmem1 -append "console=ttyS0 root=/dev/sda earlyprintk=serial rodata=n oops=panic panic_on_warn=1 panic=86400 lsm=smack numa=fake=2 nopcid dummy_hcd.num=8" -pidfile vm_pid -m 2G -cpu host But it crashes on NULL deref in integrity_inode_get during boot: Run /sbin/init as init process BUG: kernel NULL pointer dereference, address: 001c PGD 0 P4D 0 Oops: [#1] PREEMPT SMP KASAN CPU: 3 PID: 1 Comm: swapper/0 Not tainted 5.12.0-rc2+ #97 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-44-g88ab0c15525c-prebuilt.qemu.org 04/01/2014 RIP: 0010:kmem_cache_alloc+0x2b/0x370 mm/slub.c:2920 Code: 57 41 56 41 55 41 54 41 89 f4 55 48 89 fd 53 48 83 ec 10 44 8b 3d d9 1f 90 0b 65 48 8b 04 25 28 00 00 00 48 89 44 24 08 31 c0 <8b> 5f 1c 4cf RSP: :c932f9d8 EFLAGS: 00010246 RAX: RBX: 888017fc4f00 RCX: RDX: 88804022 RSI: 0c40 RDI: RBP: R08: R09: 888019263627 R10: 83937cd1 R11: R12: 0c40 R13: 888019263538 R14: R15: 00ff FS: () GS:88802d18() knlGS: CS: 0010 DS: ES: CR0: 80050033 CR2: 001c CR3: 0b48e000 CR4: 00750ee0 DR0: DR1: DR2: DR3: DR6: fffe0ff0 DR7: 0400 PKRU: 5554 Call Trace: integrity_inode_get+0x47/0x260 security/integrity/iint.c:105 process_measurement+0x33d/0x17e0 security/integrity/ima/ima_main.c:237 ima_bprm_check+0xde/0x210 security/integrity/ima/ima_main.c:474 security_bprm_check+0x7d/0xa0 security/security.c:845 search_binary_handler fs/exec.c:1708 [inline] exec_binprm fs/exec.c:1761 [inline] bprm_execve fs/exec.c:1830 [inline] bprm_execve+0x764/0x19a0 fs/exec.c:1792 kernel_execve+0x370/0x460 fs/exec.c:1973 try_to_run_init_process+0x14/0x4e init/main.c:1366 kernel_init+0x11d/0x1b8 init/main.c:1477 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 Modules linked in: CR2: 001c ---[ end trace 22d601a500de7d79 ]--- Before calling kmem_cache_alloc(), check that the iint_cache has been initialized. Reported-by: Dmitry Vyukov Signed-off-by: Mimi Zohar --- security/integrity/iint.c | 9 + 1 file changed, 9 insertions(+) diff --git a/security/integrity/iint.c b/security/integrity/iint.c index 1d20003243c3..80b5ae7bb712 100644 --- a/security/integrity/iint.c +++ b/security/integrity/iint.c @@ -97,6 +97,15 @@ struct integrity_iint_cache *integrity_inode_get(struct inode *inode) struct rb_node **p; struct rb_node *node, *parent = NULL; struct integrity_iint_cache *iint, *test_iint; + static int once = 0; + + if (!iint_cache) { /* shouldn't get here */ + if (!once) { + dump_stack(); + once = 1; + } + return NULL; + } iint = integrity_iint_find(inode); if (iint) -- 2.27.0