[PATCH v12 09/26] ima: Move ima_lsm_policy_notifier into ima_namespace
Serge E. Hallyn
serge at hallyn.com
Sun May 22 02:35:05 UTC 2022
On Wed, Apr 20, 2022 at 10:06:16AM -0400, Stefan Berger wrote:
> Move the ima_lsm_policy_notifier into the ima_namespace. Each IMA
> namespace can now register its own LSM policy change notifier callback.
> The policy change notifier for the init_ima_ns still remains in init_ima()
> and therefore handle the registration of the callback for all other
> namespaces in init_ima_namespace().
>
> Rate-limit the kernel warning 'rule for LSM <label> is undefined` for
> IMA namespace to avoid flooding the kernel log with this type of message.
>
> Signed-off-by: Stefan Berger <stefanb at linux.ibm.com>
> Reviewed-by: Mimi Zohar <zohar at linux.ibm.com>
Acked-by: Serge Hallyn <serge at hallyn.com>
>
> ---
> v11:
> - Renamed 'rc' to 'ret'
> - Use pr_warn_ratelimited('rule for LSM...') for IMA namespaces
>
> v10:
> - Only call pr_warn('rule for LSM <label> is undefined`) for init_ima_ns
> ---
> security/integrity/ima/ima.h | 2 ++
> security/integrity/ima/ima_init_ima_ns.c | 14 +++++++++++++
> security/integrity/ima/ima_main.c | 6 +-----
> security/integrity/ima/ima_policy.c | 26 ++++++++++++++++--------
> 4 files changed, 35 insertions(+), 13 deletions(-)
>
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index b35c8504ef87..c68b5117d034 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -144,6 +144,8 @@ struct ima_namespace {
> int valid_policy;
>
> struct dentry *ima_policy;
> +
> + struct notifier_block ima_lsm_policy_notifier;
> } __randomize_layout;
> extern struct ima_namespace init_ima_ns;
>
> diff --git a/security/integrity/ima/ima_init_ima_ns.c b/security/integrity/ima/ima_init_ima_ns.c
> index 425eed1c6838..c4fe8f3e9a73 100644
> --- a/security/integrity/ima/ima_init_ima_ns.c
> +++ b/security/integrity/ima/ima_init_ima_ns.c
> @@ -10,6 +10,8 @@
>
> static int ima_init_namespace(struct ima_namespace *ns)
> {
> + int ret;
> +
> INIT_LIST_HEAD(&ns->ima_default_rules);
> INIT_LIST_HEAD(&ns->ima_policy_rules);
> INIT_LIST_HEAD(&ns->ima_temp_rules);
> @@ -30,6 +32,15 @@ static int ima_init_namespace(struct ima_namespace *ns)
> ns->valid_policy = 1;
> ns->ima_fs_flags = 0;
>
> + if (ns != &init_ima_ns) {
> + ns->ima_lsm_policy_notifier.notifier_call =
> + ima_lsm_policy_change;
> + ret = register_blocking_lsm_notifier
> + (&ns->ima_lsm_policy_notifier);
> + if (ret)
> + return ret;
> + }
> +
> return 0;
> }
>
> @@ -39,5 +50,8 @@ int __init ima_ns_init(void)
> }
>
> struct ima_namespace init_ima_ns = {
> + .ima_lsm_policy_notifier = {
> + .notifier_call = ima_lsm_policy_change,
> + },
> };
> EXPORT_SYMBOL(init_ima_ns);
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index 005f9e784e7b..d44faf1c065d 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -38,10 +38,6 @@ int ima_appraise;
> int __ro_after_init ima_hash_algo = HASH_ALGO_SHA1;
> static int hash_setup_done;
>
> -static struct notifier_block ima_lsm_policy_notifier = {
> - .notifier_call = ima_lsm_policy_change,
> -};
> -
> static int __init hash_setup(char *str)
> {
> struct ima_template_desc *template_desc = ima_template_desc_current();
> @@ -1089,7 +1085,7 @@ static int __init init_ima(void)
> if (error)
> return error;
>
> - error = register_blocking_lsm_notifier(&ima_lsm_policy_notifier);
> + error = register_blocking_lsm_notifier(&ns->ima_lsm_policy_notifier);
> if (error)
> pr_warn("Couldn't register LSM notifier, error %d\n", error);
>
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 0a7c61ca3265..23c559c8fae9 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -368,7 +368,8 @@ static void ima_free_rule(struct ima_rule_entry *entry)
> kfree(entry);
> }
>
> -static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry)
> +static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_namespace *ns,
> + struct ima_rule_entry *entry)
> {
> struct ima_rule_entry *nentry;
> int i;
> @@ -399,18 +400,25 @@ static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry)
> ima_filter_rule_init(nentry->lsm[i].type, Audit_equal,
> nentry->lsm[i].args_p,
> &nentry->lsm[i].rule);
> - if (!nentry->lsm[i].rule)
> - pr_warn("rule for LSM \'%s\' is undefined\n",
> - nentry->lsm[i].args_p);
> + if (!nentry->lsm[i].rule) {
> + if (ns == &init_ima_ns)
> + pr_warn("rule for LSM \'%s\' is undefined\n",
> + nentry->lsm[i].args_p);
> + else
> + pr_warn_ratelimited
> + ("rule for LSM \'%s\' is undefined\n",
> + nentry->lsm[i].args_p);
> + }
> }
> return nentry;
> }
>
> -static int ima_lsm_update_rule(struct ima_rule_entry *entry)
> +static int ima_lsm_update_rule(struct ima_namespace *ns,
> + struct ima_rule_entry *entry)
> {
> struct ima_rule_entry *nentry;
>
> - nentry = ima_lsm_copy_rule(entry);
> + nentry = ima_lsm_copy_rule(ns, entry);
> if (!nentry)
> return -ENOMEM;
>
> @@ -453,7 +461,7 @@ static void ima_lsm_update_rules(struct ima_namespace *ns)
> if (!ima_rule_contains_lsm_cond(entry))
> continue;
>
> - result = ima_lsm_update_rule(entry);
> + result = ima_lsm_update_rule(ns, entry);
> if (result) {
> pr_err("lsm rule update error %d\n", result);
> return;
> @@ -464,12 +472,14 @@ static void ima_lsm_update_rules(struct ima_namespace *ns)
> int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event,
> void *lsm_data)
> {
> - struct ima_namespace *ns = &init_ima_ns;
> + struct ima_namespace *ns;
>
> if (event != LSM_POLICY_CHANGE)
> return NOTIFY_DONE;
>
> + ns = container_of(nb, struct ima_namespace, ima_lsm_policy_notifier);
> ima_lsm_update_rules(ns);
> +
> return NOTIFY_OK;
> }
>
> --
> 2.34.1
More information about the Linux-security-module-archive
mailing list