[PATCH 11/12] IMA: turn ima_policy_flags into __wr_after_init
The policy flags could be targeted by an attacker aiming at disabling IMA,
so that there would be no trace of a file system modification in the
measurement list.
Since the flags can be altered at runtime, it is not possible to make
them become fully read-only, for example with __ro_after_init.
__wr_after_init can still provide some protection, at least against
simple memory overwrite attacks
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: Mimi Zohar
CC: Thiago Jung Bauermann
CC: Ahmed Soliman
CC: linux-integr...@vger.kernel.org
CC: kernel-harden...@lists.openwall.com
CC: linux...@kvack.org
CC: linux-kernel@vger.kernel.org
---
security/integrity/ima/ima.h| 3 ++-
security/integrity/ima/ima_policy.c | 9 +
2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index cc12f3449a72..297c25f5122e 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -24,6 +24,7 @@
#include
#include
#include
+#include
#include
#include "../integrity.h"
@@ -50,7 +51,7 @@ enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 };
#define IMA_TEMPLATE_IMA_FMT "d|n"
/* current content of the policy */
-extern int ima_policy_flag;
+extern int ima_policy_flag __wr_after_init;
/* set during initialization */
extern int ima_hash_algo;
diff --git a/security/integrity/ima/ima_policy.c
b/security/integrity/ima/ima_policy.c
index 7489cb7de6dc..2004de818d92 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -47,7 +47,7 @@
#define INVALID_PCR(a) (((a) < 0) || \
(a) >= (FIELD_SIZEOF(struct integrity_iint_cache, measured_pcrs) * 8))
-int ima_policy_flag;
+int ima_policy_flag __wr_after_init;
static int temp_ima_appraise;
static int build_ima_appraise __ro_after_init;
@@ -452,12 +452,13 @@ void ima_update_policy_flag(void)
list_for_each_entry(entry, ima_rules, list) {
if (entry->action & IMA_DO_MASK)
- ima_policy_flag |= entry->action;
+ wr_assign(ima_policy_flag,
+ ima_policy_flag | entry->action);
}
ima_appraise |= (build_ima_appraise | temp_ima_appraise);
if (!ima_appraise)
- ima_policy_flag &= ~IMA_APPRAISE;
+ wr_assign(ima_policy_flag, ima_policy_flag & ~IMA_APPRAISE);
}
static int ima_appraise_flag(enum ima_hooks func)
@@ -574,7 +575,7 @@ void ima_update_policy(void)
list_splice_tail_init_rcu(_temp_rules, policy, synchronize_rcu);
if (ima_rules != policy) {
- ima_policy_flag = 0;
+ wr_assign(ima_policy_flag, 0);
ima_rules = policy;
}
ima_update_policy_flag();
--
2.19.1
Re: [PATCH 11/12] IMA: turn ima_policy_flags into __wr_after_init
Hi,
On 20/12/2018 19:30, Thiago Jung Bauermann wrote:
Hello Igor,
Igor Stoppa writes:
diff --git a/security/integrity/ima/ima_init.c
b/security/integrity/ima/ima_init.c
index 59d834219cd6..5f4e13e671bf 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -21,6 +21,7 @@
#include
#include
#include
+#include
#include "ima.h"
@@ -98,9 +99,9 @@ void __init ima_load_x509(void)
{
int unset_flags = ima_policy_flag & IMA_APPRAISE;
- ima_policy_flag &= ~unset_flags;
+ wr_assign(ima_policy_flag, ima_policy_flag & ~unset_flags);
integrity_load_x509(INTEGRITY_KEYRING_IMA, CONFIG_IMA_X509_PATH);
- ima_policy_flag |= unset_flags;
+ wr_assign(ima_policy_flag, ima_policy_flag | unset_flags);
}
#endif
In the cover letter, you said:
As the name implies, the write protection kicks in only after init()
is completed; before that moment, the data is modifiable in the usual
way.
Given that, is it still necessary or useful to use wr_assign() in a
function marked with __init?
I might have been over enthusiastic of using the wr interface.
You are right, I can drop these two. Thank you.
--
igor
Re: [PATCH 11/12] IMA: turn ima_policy_flags into __wr_after_init
Hello Igor,
Igor Stoppa writes:
> diff --git a/security/integrity/ima/ima_init.c
> b/security/integrity/ima/ima_init.c
> index 59d834219cd6..5f4e13e671bf 100644
> --- a/security/integrity/ima/ima_init.c
> +++ b/security/integrity/ima/ima_init.c
> @@ -21,6 +21,7 @@
> #include
> #include
> #include
> +#include
>
> #include "ima.h"
>
> @@ -98,9 +99,9 @@ void __init ima_load_x509(void)
> {
> int unset_flags = ima_policy_flag & IMA_APPRAISE;
>
> - ima_policy_flag &= ~unset_flags;
> + wr_assign(ima_policy_flag, ima_policy_flag & ~unset_flags);
> integrity_load_x509(INTEGRITY_KEYRING_IMA, CONFIG_IMA_X509_PATH);
> - ima_policy_flag |= unset_flags;
> + wr_assign(ima_policy_flag, ima_policy_flag | unset_flags);
> }
> #endif
In the cover letter, you said:
> As the name implies, the write protection kicks in only after init()
> is completed; before that moment, the data is modifiable in the usual
> way.
Given that, is it still necessary or useful to use wr_assign() in a
function marked with __init?
--
Thiago Jung Bauermann
IBM Linux Technology Center
[PATCH 11/12] IMA: turn ima_policy_flags into __wr_after_init
The policy flags could be targeted by an attacker aiming at disabling IMA,
so that there would be no trace of a file system modification in the
measurement list.
Since the flags can be altered at runtime, it is not possible to make
them become fully read-only, for example with __ro_after_init.
__wr_after_init can still provide some protection, at least against
simple memory overwrite attacks
Signed-off-by: Igor Stoppa
CC: Andy Lutomirski
CC: Nadav Amit
CC: Matthew Wilcox
CC: Peter Zijlstra
CC: Kees Cook
CC: Dave Hansen
CC: Mimi Zohar
CC: linux-integr...@vger.kernel.org
CC: kernel-harden...@lists.openwall.com
CC: linux...@kvack.org
CC: linux-kernel@vger.kernel.org
---
security/integrity/ima/ima.h| 3 ++-
security/integrity/ima/ima_init.c | 5 +++--
security/integrity/ima/ima_policy.c | 9 +
3 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index cc12f3449a72..297c25f5122e 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -24,6 +24,7 @@
#include
#include
#include
+#include
#include
#include "../integrity.h"
@@ -50,7 +51,7 @@ enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 };
#define IMA_TEMPLATE_IMA_FMT "d|n"
/* current content of the policy */
-extern int ima_policy_flag;
+extern int ima_policy_flag __wr_after_init;
/* set during initialization */
extern int ima_hash_algo;
diff --git a/security/integrity/ima/ima_init.c
b/security/integrity/ima/ima_init.c
index 59d834219cd6..5f4e13e671bf 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -21,6 +21,7 @@
#include
#include
#include
+#include
#include "ima.h"
@@ -98,9 +99,9 @@ void __init ima_load_x509(void)
{
int unset_flags = ima_policy_flag & IMA_APPRAISE;
- ima_policy_flag &= ~unset_flags;
+ wr_assign(ima_policy_flag, ima_policy_flag & ~unset_flags);
integrity_load_x509(INTEGRITY_KEYRING_IMA, CONFIG_IMA_X509_PATH);
- ima_policy_flag |= unset_flags;
+ wr_assign(ima_policy_flag, ima_policy_flag | unset_flags);
}
#endif
diff --git a/security/integrity/ima/ima_policy.c
b/security/integrity/ima/ima_policy.c
index 7489cb7de6dc..2004de818d92 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -47,7 +47,7 @@
#define INVALID_PCR(a) (((a) < 0) || \
(a) >= (FIELD_SIZEOF(struct integrity_iint_cache, measured_pcrs) * 8))
-int ima_policy_flag;
+int ima_policy_flag __wr_after_init;
static int temp_ima_appraise;
static int build_ima_appraise __ro_after_init;
@@ -452,12 +452,13 @@ void ima_update_policy_flag(void)
list_for_each_entry(entry, ima_rules, list) {
if (entry->action & IMA_DO_MASK)
- ima_policy_flag |= entry->action;
+ wr_assign(ima_policy_flag,
+ ima_policy_flag | entry->action);
}
ima_appraise |= (build_ima_appraise | temp_ima_appraise);
if (!ima_appraise)
- ima_policy_flag &= ~IMA_APPRAISE;
+ wr_assign(ima_policy_flag, ima_policy_flag & ~IMA_APPRAISE);
}
static int ima_appraise_flag(enum ima_hooks func)
@@ -574,7 +575,7 @@ void ima_update_policy(void)
list_splice_tail_init_rcu(_temp_rules, policy, synchronize_rcu);
if (ima_rules != policy) {
- ima_policy_flag = 0;
+ wr_assign(ima_policy_flag, 0);
ima_rules = policy;
}
ima_update_policy_flag();
--
2.19.1
