[PATCH 11/12] IMA: turn ima_policy_flags into __wr_after_init
The policy flags could be targeted by an attacker aiming at disabling IMA, so that there would be no trace of a file system modification in the measurement list. Since the flags can be altered at runtime, it is not possible to make them become fully read-only, for example with __ro_after_init. __wr_after_init can still provide some protection, at least against simple memory overwrite attacks Signed-off-by: Igor Stoppa CC: Andy Lutomirski CC: Nadav Amit CC: Matthew Wilcox CC: Peter Zijlstra CC: Kees Cook CC: Dave Hansen CC: Mimi Zohar CC: Thiago Jung Bauermann CC: Ahmed Soliman CC: linux-integr...@vger.kernel.org CC: kernel-harden...@lists.openwall.com CC: linux...@kvack.org CC: linux-kernel@vger.kernel.org --- security/integrity/ima/ima.h| 3 ++- security/integrity/ima/ima_policy.c | 9 + 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index cc12f3449a72..297c25f5122e 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -24,6 +24,7 @@ #include #include #include +#include #include #include "../integrity.h" @@ -50,7 +51,7 @@ enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 }; #define IMA_TEMPLATE_IMA_FMT "d|n" /* current content of the policy */ -extern int ima_policy_flag; +extern int ima_policy_flag __wr_after_init; /* set during initialization */ extern int ima_hash_algo; diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 7489cb7de6dc..2004de818d92 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -47,7 +47,7 @@ #define INVALID_PCR(a) (((a) < 0) || \ (a) >= (FIELD_SIZEOF(struct integrity_iint_cache, measured_pcrs) * 8)) -int ima_policy_flag; +int ima_policy_flag __wr_after_init; static int temp_ima_appraise; static int build_ima_appraise __ro_after_init; @@ -452,12 +452,13 @@ void ima_update_policy_flag(void) list_for_each_entry(entry, ima_rules, list) { if (entry->action & IMA_DO_MASK) - ima_policy_flag |= entry->action; + wr_assign(ima_policy_flag, + ima_policy_flag | entry->action); } ima_appraise |= (build_ima_appraise | temp_ima_appraise); if (!ima_appraise) - ima_policy_flag &= ~IMA_APPRAISE; + wr_assign(ima_policy_flag, ima_policy_flag & ~IMA_APPRAISE); } static int ima_appraise_flag(enum ima_hooks func) @@ -574,7 +575,7 @@ void ima_update_policy(void) list_splice_tail_init_rcu(_temp_rules, policy, synchronize_rcu); if (ima_rules != policy) { - ima_policy_flag = 0; + wr_assign(ima_policy_flag, 0); ima_rules = policy; } ima_update_policy_flag(); -- 2.19.1
Re: [PATCH 11/12] IMA: turn ima_policy_flags into __wr_after_init
Hi, On 20/12/2018 19:30, Thiago Jung Bauermann wrote: Hello Igor, Igor Stoppa writes: diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c index 59d834219cd6..5f4e13e671bf 100644 --- a/security/integrity/ima/ima_init.c +++ b/security/integrity/ima/ima_init.c @@ -21,6 +21,7 @@ #include #include #include +#include #include "ima.h" @@ -98,9 +99,9 @@ void __init ima_load_x509(void) { int unset_flags = ima_policy_flag & IMA_APPRAISE; - ima_policy_flag &= ~unset_flags; + wr_assign(ima_policy_flag, ima_policy_flag & ~unset_flags); integrity_load_x509(INTEGRITY_KEYRING_IMA, CONFIG_IMA_X509_PATH); - ima_policy_flag |= unset_flags; + wr_assign(ima_policy_flag, ima_policy_flag | unset_flags); } #endif In the cover letter, you said: As the name implies, the write protection kicks in only after init() is completed; before that moment, the data is modifiable in the usual way. Given that, is it still necessary or useful to use wr_assign() in a function marked with __init? I might have been over enthusiastic of using the wr interface. You are right, I can drop these two. Thank you. -- igor
Re: [PATCH 11/12] IMA: turn ima_policy_flags into __wr_after_init
Hello Igor, Igor Stoppa writes: > diff --git a/security/integrity/ima/ima_init.c > b/security/integrity/ima/ima_init.c > index 59d834219cd6..5f4e13e671bf 100644 > --- a/security/integrity/ima/ima_init.c > +++ b/security/integrity/ima/ima_init.c > @@ -21,6 +21,7 @@ > #include > #include > #include > +#include > > #include "ima.h" > > @@ -98,9 +99,9 @@ void __init ima_load_x509(void) > { > int unset_flags = ima_policy_flag & IMA_APPRAISE; > > - ima_policy_flag &= ~unset_flags; > + wr_assign(ima_policy_flag, ima_policy_flag & ~unset_flags); > integrity_load_x509(INTEGRITY_KEYRING_IMA, CONFIG_IMA_X509_PATH); > - ima_policy_flag |= unset_flags; > + wr_assign(ima_policy_flag, ima_policy_flag | unset_flags); > } > #endif In the cover letter, you said: > As the name implies, the write protection kicks in only after init() > is completed; before that moment, the data is modifiable in the usual > way. Given that, is it still necessary or useful to use wr_assign() in a function marked with __init? -- Thiago Jung Bauermann IBM Linux Technology Center
[PATCH 11/12] IMA: turn ima_policy_flags into __wr_after_init
The policy flags could be targeted by an attacker aiming at disabling IMA, so that there would be no trace of a file system modification in the measurement list. Since the flags can be altered at runtime, it is not possible to make them become fully read-only, for example with __ro_after_init. __wr_after_init can still provide some protection, at least against simple memory overwrite attacks Signed-off-by: Igor Stoppa CC: Andy Lutomirski CC: Nadav Amit CC: Matthew Wilcox CC: Peter Zijlstra CC: Kees Cook CC: Dave Hansen CC: Mimi Zohar CC: linux-integr...@vger.kernel.org CC: kernel-harden...@lists.openwall.com CC: linux...@kvack.org CC: linux-kernel@vger.kernel.org --- security/integrity/ima/ima.h| 3 ++- security/integrity/ima/ima_init.c | 5 +++-- security/integrity/ima/ima_policy.c | 9 + 3 files changed, 10 insertions(+), 7 deletions(-) diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index cc12f3449a72..297c25f5122e 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -24,6 +24,7 @@ #include #include #include +#include #include #include "../integrity.h" @@ -50,7 +51,7 @@ enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 }; #define IMA_TEMPLATE_IMA_FMT "d|n" /* current content of the policy */ -extern int ima_policy_flag; +extern int ima_policy_flag __wr_after_init; /* set during initialization */ extern int ima_hash_algo; diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c index 59d834219cd6..5f4e13e671bf 100644 --- a/security/integrity/ima/ima_init.c +++ b/security/integrity/ima/ima_init.c @@ -21,6 +21,7 @@ #include #include #include +#include #include "ima.h" @@ -98,9 +99,9 @@ void __init ima_load_x509(void) { int unset_flags = ima_policy_flag & IMA_APPRAISE; - ima_policy_flag &= ~unset_flags; + wr_assign(ima_policy_flag, ima_policy_flag & ~unset_flags); integrity_load_x509(INTEGRITY_KEYRING_IMA, CONFIG_IMA_X509_PATH); - ima_policy_flag |= unset_flags; + wr_assign(ima_policy_flag, ima_policy_flag | unset_flags); } #endif diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 7489cb7de6dc..2004de818d92 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -47,7 +47,7 @@ #define INVALID_PCR(a) (((a) < 0) || \ (a) >= (FIELD_SIZEOF(struct integrity_iint_cache, measured_pcrs) * 8)) -int ima_policy_flag; +int ima_policy_flag __wr_after_init; static int temp_ima_appraise; static int build_ima_appraise __ro_after_init; @@ -452,12 +452,13 @@ void ima_update_policy_flag(void) list_for_each_entry(entry, ima_rules, list) { if (entry->action & IMA_DO_MASK) - ima_policy_flag |= entry->action; + wr_assign(ima_policy_flag, + ima_policy_flag | entry->action); } ima_appraise |= (build_ima_appraise | temp_ima_appraise); if (!ima_appraise) - ima_policy_flag &= ~IMA_APPRAISE; + wr_assign(ima_policy_flag, ima_policy_flag & ~IMA_APPRAISE); } static int ima_appraise_flag(enum ima_hooks func) @@ -574,7 +575,7 @@ void ima_update_policy(void) list_splice_tail_init_rcu(_temp_rules, policy, synchronize_rcu); if (ima_rules != policy) { - ima_policy_flag = 0; + wr_assign(ima_policy_flag, 0); ima_rules = policy; } ima_update_policy_flag(); -- 2.19.1