[RFC][PATCH 2/8] ima: Nest iint mutex for DIGEST_LIST_CHECK hook
Mimi Zohar
zohar at linux.ibm.com
Thu Mar 7 19:42:39 UTC 2024
On Wed, 2024-02-14 at 15:35 +0100, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu at huawei.com>
>
> Invoking digest_cache_get() inside the iint->mutex critical region can
> cause deadlocks due to the fact that IMA can be recursively invoked for
> reading the digest list. The deadlock would occur if the digest_cache LSM
> attempts to read the same inode that is already locked by IMA.
>
> However, since the digest_cache LSM makes sure that the above situation
> never happens, as it checks the inodes, it is safe to call
> digest_cache_get() inside the critical region and nest the iint->mutex
> when the DIGEST_LIST_CHECK hook is executed.
>
> Add a lockdep subclass to the iint->mutex, that is 0 if the IMA hook
> executed is not DIGEST_LIST_CHECK, and 1 when it is. Since lockdep allows
> nesting with higher classes and subclasses, that effectively eliminates the
> warning about the unsafe lock.
>
> Pass the new lockdep subclass (nested variable) from ima_inode_get() to
> ima_iint_init_always() and ima_iint_lockdep_annotate().
>
> Signed-off-by: Roberto Sassu <roberto.sassu at huawei.com>
> ---
> security/integrity/ima/ima.h | 2 +-
> security/integrity/ima/ima_iint.c | 11 ++++++-----
> security/integrity/ima/ima_main.c | 6 +++---
> 3 files changed, 10 insertions(+), 9 deletions(-)
>
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index cea4517e73ab..c9140a57b591 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -216,7 +216,7 @@ static inline void ima_inode_set_iint(const struct inode
> *inode,
> }
>
> struct ima_iint_cache *ima_iint_find(struct inode *inode);
> -struct ima_iint_cache *ima_inode_get(struct inode *inode);
> +struct ima_iint_cache *ima_inode_get(struct inode *inode, bool nested);
> void ima_inode_free(struct inode *inode);
> void __init ima_iintcache_init(void);
>
> diff --git a/security/integrity/ima/ima_iint.c
> b/security/integrity/ima/ima_iint.c
> index e7c9c216c1c6..b4f476fae437 100644
> --- a/security/integrity/ima/ima_iint.c
> +++ b/security/integrity/ima/ima_iint.c
> @@ -41,7 +41,7 @@ struct ima_iint_cache *ima_iint_find(struct inode *inode)
> * See ovl_lockdep_annotate_inode_mutex_key() for more details.
> */
> static inline void ima_iint_lockdep_annotate(struct ima_iint_cache *iint,
> - struct inode *inode)
> + struct inode *inode, bool nested)
> {
> #ifdef CONFIG_LOCKDEP
> static struct lock_class_key ima_iint_mutex_key[IMA_MAX_NESTING];
"nested" is being pushed all the way down to here, perhaps I'm missing
something, but I don't see it being used in any of the patches.
Mimi
> @@ -56,7 +56,7 @@ static inline void ima_iint_lockdep_annotate(struct
> ima_iint_cache *iint,
> }
>
> static void ima_iint_init_always(struct ima_iint_cache *iint,
> - struct inode *inode)
> + struct inode *inode, bool nested)
> {
> iint->ima_hash = NULL;
> iint->version = 0;
> @@ -69,7 +69,7 @@ static void ima_iint_init_always(struct ima_iint_cache
> *iint,
> iint->ima_creds_status = INTEGRITY_UNKNOWN;
> iint->measured_pcrs = 0;
> mutex_init(&iint->mutex);
> - ima_iint_lockdep_annotate(iint, inode);
> + ima_iint_lockdep_annotate(iint, inode, nested);
> }
>
> static void ima_iint_free(struct ima_iint_cache *iint)
> @@ -82,13 +82,14 @@ static void ima_iint_free(struct ima_iint_cache *iint)
> /**
> * ima_inode_get - Find or allocate an iint associated with an inode
> * @inode: Pointer to the inode
> + * @nested: Whether or not the iint->mutex lock can be nested
> *
> * Find an iint associated with an inode, and allocate a new one if not
> found.
> * Caller must lock i_mutex.
> *
> * Return: An iint on success, NULL on error.
> */
> -struct ima_iint_cache *ima_inode_get(struct inode *inode)
> +struct ima_iint_cache *ima_inode_get(struct inode *inode, bool nested)
> {
> struct ima_iint_cache *iint;
>
> @@ -100,7 +101,7 @@ struct ima_iint_cache *ima_inode_get(struct inode *inode)
> if (!iint)
> return NULL;
>
> - ima_iint_init_always(iint, inode);
> + ima_iint_init_always(iint, inode, nested);
>
> inode->i_flags |= S_IMA;
> ima_inode_set_iint(inode, iint);
> diff --git a/security/integrity/ima/ima_main.c
> b/security/integrity/ima/ima_main.c
> index 780627b0cde7..18285fc8ac07 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -248,7 +248,7 @@ static int process_measurement(struct file *file, const
> struct cred *cred,
> inode_lock(inode);
>
> if (action) {
> - iint = ima_inode_get(inode);
> + iint = ima_inode_get(inode, func == DIGEST_LIST_CHECK);
> if (!iint)
> rc = -ENOMEM;
> }
> @@ -699,7 +699,7 @@ static void ima_post_create_tmpfile(struct mnt_idmap
> *idmap,
> return;
>
> /* Nothing to do if we can't allocate memory */
> - iint = ima_inode_get(inode);
> + iint = ima_inode_get(inode, false);
> if (!iint)
> return;
>
> @@ -731,7 +731,7 @@ static void ima_post_path_mknod(struct mnt_idmap *idmap,
> struct dentry *dentry)
> return;
>
> /* Nothing to do if we can't allocate memory */
> - iint = ima_inode_get(inode);
> + iint = ima_inode_get(inode, false);
> if (!iint)
> return;
>
More information about the Linux-security-module-archive
mailing list