[PATCH v3 15/19] IMA: Add support for file reads without contents

Kees Cook keescook at chromium.org
Tue Jul 28 19:44:50 UTC 2020


On Mon, Jul 27, 2020 at 09:23:34AM -0400, Mimi Zohar wrote:
> On Fri, 2020-07-24 at 14:36 -0700, Kees Cook wrote:
> > From: Scott Branden <scott.branden at broadcom.com>
> > 
> > When the kernel_read_file LSM hook is called with contents=false, IMA
> > can appraise the file directly, without requiring a filled buffer. When
> > such a buffer is available, though, IMA can continue to use it instead
> > of forcing a double read here.
> > 
> > Signed-off-by: Scott Branden <scott.branden at broadcom.com>
> > Link: https://lore.kernel.org/lkml/20200706232309.12010-10-scott.branden@broadcom.com/
> > Signed-off-by: Kees Cook <keescook at chromium.org>
> 
> After adjusting the comment below.
> 
> Reviewed-by: Mimi Zohar <zohar at linux.ibm.com>

Sure!

Greg, shall I send a v4 with added Reviews and the comment change or is
that minor enough that you're able to do it?

Thanks for the reviews Mimi!

-Kees

> 
> > ---
> >  security/integrity/ima/ima_main.c | 22 ++++++++++++++++------
> >  1 file changed, 16 insertions(+), 6 deletions(-)
> > 
> > diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> > index dc4f90660aa6..459e50526a12 100644
> > --- a/security/integrity/ima/ima_main.c
> > +++ b/security/integrity/ima/ima_main.c
> > @@ -613,11 +613,8 @@ void ima_post_path_mknod(struct dentry *dentry)
> >  int ima_read_file(struct file *file, enum kernel_read_file_id read_id,
> >  		  bool contents)
> >  {
> > -	/* Reject all partial reads during appraisal. */
> > -	if (!contents) {
> > -		if (ima_appraise & IMA_APPRAISE_ENFORCE)
> > -			return -EACCES;
> > -	}
> > +	enum ima_hooks func;
> > +	u32 secid;
> >  
> >  	/*
> >  	 * Do devices using pre-allocated memory run the risk of the
> > @@ -626,7 +623,20 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id,
> >  	 * buffers? It may be desirable to include the buffer address
> >  	 * in this API and walk all the dma_map_single() mappings to check.
> >  	 */
> > -	return 0;
> > +
> > +	/*
> > +	 * There will be a call made to ima_post_read_file() with
> > +	 * a filled buffer, so we don't need to perform an extra
> > +	 * read early here.
> > +	 */
> > +	if (contents)
> > +		return 0;
> > +
> > +	/* Read entire file for all partial reads during appraisal. */
> 
> In addition to verifying the file signature, the file might be
> included in the IMA measurement list or the file hash may be used to
> augment the audit record.  Please remove "during appraisal" from the
> comment.
> 
> > +	func = read_idmap[read_id] ?: FILE_CHECK;
> > +	security_task_getsecid(current, &secid);
> > +	return process_measurement(file, current_cred(), secid, NULL,
> > +				   0, MAY_READ, func);
> >  }
> >  
> >  const int read_idmap[READING_MAX_ID] = {
> 

-- 
Kees Cook



More information about the Linux-security-module-archive mailing list