Re: [RFC PATCH v2 08/11] module: replace copy_module_from_fd with kernel version
On Thu, Jan 21, 2016 at 1:15 PM, Mimi Zohar wrote: > On Thu, 2016-01-21 at 10:45 -0500, Paul Moore wrote: >> On Thursday, January 21, 2016 08:12:12 AM Mimi Zohar wrote: >> > Paul, Casey, Kees, Jon, Tetsuo does it make sense to consolidate the >> > module, firmware, and kexec pre and post security hooks and have just >> > one set of pre and post security kernel_read_file hook instead? Does >> > it make sense for this patch set to define the new hooks to allow the >> > LSMs to migrate to it independently of each other? >> >> Well, as usual, the easiest way to both get solid feedback and actually get a >> change accepted is to post patches to the affected LSMs. Probably not what >> you wanted to hear, but at least I'm honest :) > > Unless I'm misreading the code, it might be a lot simpler than I > thought. Of the three LSM hooks kernel_module_request, > kernel_module_from_file, and kernel_fw_from_file, the only upstreamed > LSM on any of these hooks is SELinux, which is only on the > kernel_module_request hook. > > After converting the SELinux kernel_module_request hook to use the new > kernel_read_file(), do I then remove the three hooks? Are we > concerned about "minor" LSMs that have not been upstreamed that might be > using these hooks? It should be easy for me to port my LSM to use the new hook. No objections in consolidating things. (Which reminds me to resend my LSM again...) -Kees -- Kees Cook Chrome OS & Brillo Security ___ kexec mailing list kexec@lists.infradead.org http://lists.infradead.org/mailman/listinfo/kexec
Re: [RFC PATCH v2 08/11] module: replace copy_module_from_fd with kernel version
On Thursday, January 21, 2016 04:15:02 PM Mimi Zohar wrote: > On Thu, 2016-01-21 at 10:45 -0500, Paul Moore wrote: > > On Thursday, January 21, 2016 08:12:12 AM Mimi Zohar wrote: > > > Paul, Casey, Kees, Jon, Tetsuo does it make sense to consolidate the > > > module, firmware, and kexec pre and post security hooks and have just > > > one set of pre and post security kernel_read_file hook instead? Does > > > it make sense for this patch set to define the new hooks to allow the > > > LSMs to migrate to it independently of each other? > > > > Well, as usual, the easiest way to both get solid feedback and actually > > get a change accepted is to post patches to the affected LSMs. Probably > > not what you wanted to hear, but at least I'm honest :) > > Unless I'm misreading the code, it might be a lot simpler than I > thought. Of the three LSM hooks kernel_module_request, > kernel_module_from_file, and kernel_fw_from_file, the only upstreamed > LSM on any of these hooks is SELinux, which is only on the > kernel_module_request hook. > > After converting the SELinux kernel_module_request hook to use the new > kernel_read_file(), do I then remove the three hooks? Are we > concerned about "minor" LSMs that have not been upstreamed that might be > using these hooks? You can't worry about code that isn't upstream; if this change breaks something that hasn't been merged, then the burden lies on the out-of-tree developers to change their code. -- paul moore security @ redhat ___ kexec mailing list kexec@lists.infradead.org http://lists.infradead.org/mailman/listinfo/kexec
Re: [RFC PATCH v2 08/11] module: replace copy_module_from_fd with kernel version
On Thu, 2016-01-21 at 10:45 -0500, Paul Moore wrote: > On Thursday, January 21, 2016 08:12:12 AM Mimi Zohar wrote: > > Paul, Casey, Kees, Jon, Tetsuo does it make sense to consolidate the > > module, firmware, and kexec pre and post security hooks and have just > > one set of pre and post security kernel_read_file hook instead? Does > > it make sense for this patch set to define the new hooks to allow the > > LSMs to migrate to it independently of each other? > > Well, as usual, the easiest way to both get solid feedback and actually get a > change accepted is to post patches to the affected LSMs. Probably not what > you wanted to hear, but at least I'm honest :) Unless I'm misreading the code, it might be a lot simpler than I thought. Of the three LSM hooks kernel_module_request, kernel_module_from_file, and kernel_fw_from_file, the only upstreamed LSM on any of these hooks is SELinux, which is only on the kernel_module_request hook. After converting the SELinux kernel_module_request hook to use the new kernel_read_file(), do I then remove the three hooks? Are we concerned about "minor" LSMs that have not been upstreamed that might be using these hooks? Mimi ___ kexec mailing list kexec@lists.infradead.org http://lists.infradead.org/mailman/listinfo/kexec
Re: [RFC PATCH v2 08/11] module: replace copy_module_from_fd with kernel version
On Thu, 2016-01-21 at 08:56 -0800, Luis R. Rodriguez wrote: > On Thu, Jan 21, 2016 at 5:12 AM, Mimi Zohar wrote: > > On Thu, 2016-01-21 at 01:03 +0100, Luis R. Rodriguez wrote: > >> On Mon, Jan 18, 2016 at 10:11:23AM -0500, Mimi Zohar wrote: > >> > This patch replaces the module copy_module_from_fd() call with the VFS > >> > common kernel_read_file_from_fd() function. Instead of reading the > >> > kernel module twice, once for measuring/appraising and then loading > >> > the kernel module, the file is read once. > >> > > >> > This patch defines a new security hook named security_kernel_read_file(), > >> > which is called before reading the file. For now, call the module > >> > security hook from security_kernel_read_file until the LSMs have been > >> > converted to use the kernel_read_file hook. > >> > > >> > This patch retains the kernel_module_from_file hook, but removes the > >> > security_kernel_module_from_file() function. > >> > >> I think it would help if your cover letter and this patch described > >> a bit that some LSMs either prefer to read / check / appraise files > >> prior to loading and some other prefer to do that later. You could > >> explain the LSM hook preferences and what they do. Then here you > >> can explain how this one prefers a hook early, but acknowledge that > >> the other one still exists. > > > > Before this patch set, IMA measured/appraised/audited a file before > > allowing it to be accessed, causing the file in some cases to be read > > twice. This patch set changes that. Files are read into memory and > > then measured/appraised/audited. > > Sounds like this could help also with performance, has any preliminary > benchmarking been done to see the effect ? In general, IMA's pre-reading a file has negligible performance impact, if any. Dmitry's LinuxCon 2013 Europe talk "Integrity Protection Solutions in Linux" had some performance statistics. I'm not sure this change will have much of a performance impact. > > By defining > > the pre and post security hooks in this patch set, it permits each of > > the LSMs to migrate to the new hooks independently of each other. Lets > > ask the LSM maintainers what they think. > > I see -- yeah making this a 2 step thing makes sense, so long as the > maintainers can later expect / understand what would be done in a > second patch set. Breaking this down in two patch sets makes sense. I'll defer adding the pre and post security hooks to the subsequent patch set. Mimi ___ kexec mailing list kexec@lists.infradead.org http://lists.infradead.org/mailman/listinfo/kexec
Re: [RFC PATCH v2 08/11] module: replace copy_module_from_fd with kernel version
On Thu, Jan 21, 2016 at 5:12 AM, Mimi Zohar wrote:
> On Thu, 2016-01-21 at 01:03 +0100, Luis R. Rodriguez wrote:
>> On Mon, Jan 18, 2016 at 10:11:23AM -0500, Mimi Zohar wrote:
>> > This patch replaces the module copy_module_from_fd() call with the VFS
>> > common kernel_read_file_from_fd() function. Instead of reading the
>> > kernel module twice, once for measuring/appraising and then loading
>> > the kernel module, the file is read once.
>> >
>> > This patch defines a new security hook named security_kernel_read_file(),
>> > which is called before reading the file. For now, call the module
>> > security hook from security_kernel_read_file until the LSMs have been
>> > converted to use the kernel_read_file hook.
>> >
>> > This patch retains the kernel_module_from_file hook, but removes the
>> > security_kernel_module_from_file() function.
>>
>> I think it would help if your cover letter and this patch described
>> a bit that some LSMs either prefer to read / check / appraise files
>> prior to loading and some other prefer to do that later. You could
>> explain the LSM hook preferences and what they do. Then here you
>> can explain how this one prefers a hook early, but acknowledge that
>> the other one still exists.
>
> Before this patch set, IMA measured/appraised/audited a file before
> allowing it to be accessed, causing the file in some cases to be read
> twice. This patch set changes that. Files are read into memory and
> then measured/appraised/audited.
Sounds like this could help also with performance, has any preliminary
benchmarking been done to see the effect ?
> It's been a while since this hook was added. As I recall, Kees added
> the pre module hook to limit loading kernel modules to only those
> filesystems that were mounted read-only. I would have to look at each
> of the LSMs to see how they're using the hooks.
Sure.
>> So:
>>
>> kernel_read_file() {
>> ...
>> security_kernel_read_file();
>> ...
>> security_kernel_post_read_file();
>> ...
>> }
>>
>> > diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
>> > index 4e6e2af..9915310 100644
>> > --- a/include/linux/lsm_hooks.h
>> > +++ b/include/linux/lsm_hooks.h
>> > @@ -1465,6 +1471,7 @@ union security_list_options {
>> > int (*kernel_fw_from_file)(struct file *file, char *buf, size_t size);
>> > int (*kernel_module_request)(char *kmod_name);
>> > int (*kernel_module_from_file)(struct file *file);
>> > + int (*kernel_read_file)(struct file *file, int policy_id);
>> > int (*kernel_post_read_file)(struct file *file, char *buf, loff_t size,
>> > int policy_id);
>> > int (*task_fix_setuid)(struct cred *new, const struct cred *old,
>>
>> Is the goal to eventually kill the other LSM hooks and just keep the
>> file one? If so where is that done in this series? It was not clear.
>
> As mentioned in the cover letter, consolidating the LSM hooks is not
> covered in this patch set.
Sorry I missed that after I started reviewing.
> I was under the impression that not only
> were we defining a common kernel read file function, but that we were
> also consolidating the pre and post security hooks as well.
Sure.
> By defining
> the pre and post security hooks in this patch set, it permits each of
> the LSMs to migrate to the new hooks independently of each other. Lets
> ask the LSM maintainers what they think.
I see -- yeah making this a 2 step thing makes sense, so long as the
maintainers can later expect / understand what would be done in a
second patch set. Breaking this down in two patch sets makes sense. It
should also mean there might be fun benchmarks on gains provided there
were considerable IO savings by not opening files twice.
Luis
___
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
Re: [RFC PATCH v2 08/11] module: replace copy_module_from_fd with kernel version
On Thursday, January 21, 2016 08:12:12 AM Mimi Zohar wrote: > Paul, Casey, Kees, Jon, Tetsuo does it make sense to consolidate the > module, firmware, and kexec pre and post security hooks and have just > one set of pre and post security kernel_read_file hook instead? Does > it make sense for this patch set to define the new hooks to allow the > LSMs to migrate to it independently of each other? Well, as usual, the easiest way to both get solid feedback and actually get a change accepted is to post patches to the affected LSMs. Probably not what you wanted to hear, but at least I'm honest :) -- paul moore security @ redhat ___ kexec mailing list kexec@lists.infradead.org http://lists.infradead.org/mailman/listinfo/kexec
Re: [RFC PATCH v2 08/11] module: replace copy_module_from_fd with kernel version
On Thu, 2016-01-21 at 01:03 +0100, Luis R. Rodriguez wrote:
> On Mon, Jan 18, 2016 at 10:11:23AM -0500, Mimi Zohar wrote:
> > This patch replaces the module copy_module_from_fd() call with the VFS
> > common kernel_read_file_from_fd() function. Instead of reading the
> > kernel module twice, once for measuring/appraising and then loading
> > the kernel module, the file is read once.
> >
> > This patch defines a new security hook named security_kernel_read_file(),
> > which is called before reading the file. For now, call the module
> > security hook from security_kernel_read_file until the LSMs have been
> > converted to use the kernel_read_file hook.
> >
> > This patch retains the kernel_module_from_file hook, but removes the
> > security_kernel_module_from_file() function.
>
> I think it would help if your cover letter and this patch described
> a bit that some LSMs either prefer to read / check / appraise files
> prior to loading and some other prefer to do that later. You could
> explain the LSM hook preferences and what they do. Then here you
> can explain how this one prefers a hook early, but acknowledge that
> the other one still exists.
Before this patch set, IMA measured/appraised/audited a file before
allowing it to be accessed, causing the file in some cases to be read
twice. This patch set changes that. Files are read into memory and
then measured/appraised/audited.
It's been a while since this hook was added. As I recall, Kees added
the pre module hook to limit loading kernel modules to only those
filesystems that were mounted read-only. I would have to look at each
of the LSMs to see how they're using the hooks.
> So:
>
> kernel_read_file() {
> ...
> security_kernel_read_file();
> ...
> security_kernel_post_read_file();
> ...
> }
>
> > diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
> > index 4e6e2af..9915310 100644
> > --- a/include/linux/lsm_hooks.h
> > +++ b/include/linux/lsm_hooks.h
> > @@ -1465,6 +1471,7 @@ union security_list_options {
> > int (*kernel_fw_from_file)(struct file *file, char *buf, size_t size);
> > int (*kernel_module_request)(char *kmod_name);
> > int (*kernel_module_from_file)(struct file *file);
> > + int (*kernel_read_file)(struct file *file, int policy_id);
> > int (*kernel_post_read_file)(struct file *file, char *buf, loff_t size,
> > int policy_id);
> > int (*task_fix_setuid)(struct cred *new, const struct cred *old,
>
> Is the goal to eventually kill the other LSM hooks and just keep the
> file one? If so where is that done in this series? It was not clear.
As mentioned in the cover letter, consolidating the LSM hooks is not
covered in this patch set. I was under the impression that not only
were we defining a common kernel read file function, but that we were
also consolidating the pre and post security hooks as well. By defining
the pre and post security hooks in this patch set, it permits each of
the LSMs to migrate to the new hooks independently of each other. Lets
ask the LSM maintainers what they think.
Paul, Casey, Kees, Jon, Tetsuo does it make sense to consolidate the
module, firmware, and kexec pre and post security hooks and have just
one set of pre and post security kernel_read_file hook instead? Does
it make sense for this patch set to define the new hooks to allow the
LSMs to migrate to it independently of each other?
Mimi
___
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
Re: [RFC PATCH v2 08/11] module: replace copy_module_from_fd with kernel version
On Mon, Jan 18, 2016 at 10:11:23AM -0500, Mimi Zohar wrote:
> This patch replaces the module copy_module_from_fd() call with the VFS
> common kernel_read_file_from_fd() function. Instead of reading the
> kernel module twice, once for measuring/appraising and then loading
> the kernel module, the file is read once.
>
> This patch defines a new security hook named security_kernel_read_file(),
> which is called before reading the file. For now, call the module
> security hook from security_kernel_read_file until the LSMs have been
> converted to use the kernel_read_file hook.
>
> This patch retains the kernel_module_from_file hook, but removes the
> security_kernel_module_from_file() function.
I think it would help if your cover letter and this patch described
a bit that some LSMs either prefer to read / check / appraise files
prior to loading and some other prefer to do that later. You could
explain the LSM hook preferences and what they do. Then here you
can explain how this one prefers a hook early, but acknowledge that
the other one still exists.
So:
kernel_read_file() {
...
security_kernel_read_file();
...
security_kernel_post_read_file();
...
}
> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
> index 4e6e2af..9915310 100644
> --- a/include/linux/lsm_hooks.h
> +++ b/include/linux/lsm_hooks.h
> @@ -1465,6 +1471,7 @@ union security_list_options {
> int (*kernel_fw_from_file)(struct file *file, char *buf, size_t size);
> int (*kernel_module_request)(char *kmod_name);
> int (*kernel_module_from_file)(struct file *file);
> + int (*kernel_read_file)(struct file *file, int policy_id);
> int (*kernel_post_read_file)(struct file *file, char *buf, loff_t size,
>int policy_id);
> int (*task_fix_setuid)(struct cred *new, const struct cred *old,
Is the goal to eventually kill the other LSM hooks and just keep the
file one? If so where is that done in this series? It was not clear.
Luis
___
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
[RFC PATCH v2 08/11] module: replace copy_module_from_fd with kernel version
This patch replaces the module copy_module_from_fd() call with the VFS
common kernel_read_file_from_fd() function. Instead of reading the
kernel module twice, once for measuring/appraising and then loading
the kernel module, the file is read once.
This patch defines a new security hook named security_kernel_read_file(),
which is called before reading the file. For now, call the module
security hook from security_kernel_read_file until the LSMs have been
converted to use the kernel_read_file hook.
This patch retains the kernel_module_from_file hook, but removes the
security_kernel_module_from_file() function.
Signed-off-by: Mimi Zohar
---
fs/exec.c | 4 +++
include/linux/ima.h | 1 +
include/linux/lsm_hooks.h | 8 +
include/linux/security.h | 3 +-
kernel/module.c | 67 ---
security/integrity/ima/ima.h | 1 -
security/integrity/ima/ima_appraise.c | 7
security/integrity/ima/ima_main.c | 5 ++-
security/integrity/ima/ima_policy.c | 16 -
security/integrity/integrity.h| 12 +++
security/security.c | 12 +--
11 files changed, 47 insertions(+), 89 deletions(-)
diff --git a/fs/exec.c b/fs/exec.c
index a5ae51e..3524e5f 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -842,6 +842,10 @@ int kernel_read_file(struct file *file, void **buf, loff_t
*size,
if (!S_ISREG(file_inode(file)->i_mode))
return -EINVAL;
+ ret = security_kernel_read_file(file, policy_id);
+ if (ret)
+ return ret;
+
i_size = i_size_read(file_inode(file));
if (max_size > 0 && i_size > max_size)
return -EFBIG;
diff --git a/include/linux/ima.h b/include/linux/ima.h
index 0a7f039..eec5e2b 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -17,6 +17,7 @@ enum ima_policy_id {
KEXEC_CHECK = 1,
INITRAMFS_CHECK,
FIRMWARE_CHECK,
+ MODULE_CHECK,
IMA_MAX_READ_CHECK
};
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 4e6e2af..9915310 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -561,6 +561,12 @@
* the kernel module to load. If the module is being loaded from a blob,
* this argument will be NULL.
* Return 0 if permission is granted.
+ * @kernel_read_file:
+ * Read a file specified by userspace.
+ * @file contains the file structure pointing to the file being read
+ * by the kernel.
+ * @policy_id contains IMA policy identifier.
+ * Return 0 if permission is granted.
* @kernel_post_read_file:
* Read a file specified by userspace.
* @file contains the file structure pointing to the file being read
@@ -1465,6 +1471,7 @@ union security_list_options {
int (*kernel_fw_from_file)(struct file *file, char *buf, size_t size);
int (*kernel_module_request)(char *kmod_name);
int (*kernel_module_from_file)(struct file *file);
+ int (*kernel_read_file)(struct file *file, int policy_id);
int (*kernel_post_read_file)(struct file *file, char *buf, loff_t size,
int policy_id);
int (*task_fix_setuid)(struct cred *new, const struct cred *old,
@@ -1726,6 +1733,7 @@ struct security_hook_heads {
struct list_head kernel_act_as;
struct list_head kernel_create_files_as;
struct list_head kernel_fw_from_file;
+ struct list_head kernel_read_file;
struct list_head kernel_post_read_file;
struct list_head kernel_module_request;
struct list_head kernel_module_from_file;
diff --git a/include/linux/security.h b/include/linux/security.h
index 51f3bc6..6d005b3 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -301,6 +301,7 @@ int security_kernel_act_as(struct cred *new, u32 secid);
int security_kernel_create_files_as(struct cred *new, struct inode *inode);
int security_kernel_module_request(char *kmod_name);
int security_kernel_module_from_file(struct file *file);
+int security_kernel_read_file(struct file *file, int policy_id);
int security_kernel_post_read_file(struct file *file, char *buf, loff_t size,
int policy_id);
int security_task_fix_setuid(struct cred *new, const struct cred *old,
@@ -857,7 +858,7 @@ static inline int security_kernel_module_request(char
*kmod_name)
return 0;
}
-static inline int security_kernel_module_from_file(struct file *file)
+static inline int security_kernel_read_file(struct file *file, int policy_id)
{
return 0;
}
diff --git a/kernel/module.c b/kernel/module.c
index 8f051a1..7398d12 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -2665,7 +2665,7 @@ static int copy_module_from_user(const void __user *umod,
unsigned long len,
if (info->len < sizeof(*(info->hdr)))
return -ENOEXEC;
-
