[PATCH v6 05/15] digest_cache: Add securityfs interface

Roberto Sassu roberto.sassu at huaweicloud.com
Tue Nov 19 10:49:12 UTC 2024


From: Roberto Sassu <roberto.sassu at huawei.com>

Create the digest_cache directory in <securityfs>/integrity, and add the
default_path file, to let root change/read the default path (file or
directory) from where digest lists are looked up.

An RW semaphore prevents the default path from changing while
digest_list_new() and read_default_path() are executed, so that those read
a stable value. Multiple digest_list_new() and read_default_path() calls,
instead, can be done in parallel, since they are the readers.

Changing the default path does not affect digest caches created with the
old path.

Signed-off-by: Roberto Sassu <roberto.sassu at huawei.com>
---
 security/integrity/digest_cache/Kconfig    |   4 +
 security/integrity/digest_cache/Makefile   |   2 +-
 security/integrity/digest_cache/internal.h |   4 +
 security/integrity/digest_cache/main.c     |  10 +-
 security/integrity/digest_cache/secfs.c    | 104 +++++++++++++++++++++
 security/integrity/ima/ima_fs.c            |   6 ++
 6 files changed, 128 insertions(+), 2 deletions(-)
 create mode 100644 security/integrity/digest_cache/secfs.c

diff --git a/security/integrity/digest_cache/Kconfig b/security/integrity/digest_cache/Kconfig
index 81f9d4ae749f..a4bfa8287b8d 100644
--- a/security/integrity/digest_cache/Kconfig
+++ b/security/integrity/digest_cache/Kconfig
@@ -17,3 +17,7 @@ config DIGEST_LIST_DEFAULT_PATH
 	help
 	  Default path where the Integrity Digest Cache expects to find digest
 	  lists.
+
+	  It can be changed at run-time, by writing the new path to the
+	  securityfs interface. Digest caches created with the old path are
+	  not affected by the change.
diff --git a/security/integrity/digest_cache/Makefile b/security/integrity/digest_cache/Makefile
index 6a3f7cc6e106..c351186d4e1e 100644
--- a/security/integrity/digest_cache/Makefile
+++ b/security/integrity/digest_cache/Makefile
@@ -4,4 +4,4 @@
 
 obj-$(CONFIG_INTEGRITY_DIGEST_CACHE) += digest_cache.o
 
-digest_cache-y := main.o
+digest_cache-y := main.o secfs.o
diff --git a/security/integrity/digest_cache/internal.h b/security/integrity/digest_cache/internal.h
index 29bf98a974f3..82d9c894c8fc 100644
--- a/security/integrity/digest_cache/internal.h
+++ b/security/integrity/digest_cache/internal.h
@@ -52,6 +52,7 @@ struct digest_cache_security {
 extern loff_t inode_sec_offset;
 extern loff_t file_sec_offset;
 extern char *default_path_str;
+extern struct rw_semaphore default_path_sem;
 
 static inline struct digest_cache_security *
 digest_cache_get_security_from_blob(void *inode_security)
@@ -121,4 +122,7 @@ struct digest_cache *digest_cache_init(struct dentry *dentry,
 int __init digest_cache_do_init(const struct lsm_id *lsm_id,
 				loff_t inode_offset, loff_t file_offset);
 
+/* secfs.c */
+int __init digest_cache_secfs_init(struct dentry *dir);
+
 #endif /* _DIGEST_CACHE_INTERNAL_H */
diff --git a/security/integrity/digest_cache/main.c b/security/integrity/digest_cache/main.c
index 6e94cff2b0dc..6724471914da 100644
--- a/security/integrity/digest_cache/main.c
+++ b/security/integrity/digest_cache/main.c
@@ -21,6 +21,9 @@ loff_t file_sec_offset;
 
 char *default_path_str = CONFIG_DIGEST_LIST_DEFAULT_PATH;
 
+/* Protects default_path_str. */
+struct rw_semaphore default_path_sem;
+
 /**
  * digest_cache_alloc_init - Allocate and initialize a new digest cache
  * @path_str: Path string of the digest list
@@ -321,9 +324,12 @@ struct digest_cache *digest_cache_get(struct file *file)
 
 	/* Serialize accesses to inode for which the digest cache is used. */
 	mutex_lock(&dig_sec->dig_user_mutex);
-	if (!dig_sec->dig_user)
+	if (!dig_sec->dig_user) {
+		down_read(&default_path_sem);
 		/* Consume extra reference from digest_cache_create(). */
 		dig_sec->dig_user = digest_cache_new(dentry, &digest_list_path);
+		up_read(&default_path_sem);
+	}
 
 	if (dig_sec->dig_user)
 		/* Increment ref. count for reference returned to the caller. */
@@ -439,6 +445,8 @@ static struct security_hook_list digest_cache_hooks[] __ro_after_init = {
 int __init digest_cache_do_init(const struct lsm_id *lsm_id,
 				loff_t inode_offset, loff_t file_offset)
 {
+	init_rwsem(&default_path_sem);
+
 	inode_sec_offset = inode_offset;
 	file_sec_offset = file_offset;
 
diff --git a/security/integrity/digest_cache/secfs.c b/security/integrity/digest_cache/secfs.c
new file mode 100644
index 000000000000..f158233f3492
--- /dev/null
+++ b/security/integrity/digest_cache/secfs.c
@@ -0,0 +1,104 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) 2023-2024 Huawei Technologies Duesseldorf GmbH
+ *
+ * Author: Roberto Sassu <roberto.sassu at huawei.com>
+ *
+ * Implement the securityfs interface of the Integrity Digest Cache.
+ */
+
+#define pr_fmt(fmt) "digest_cache: "fmt
+#include <linux/security.h>
+
+#include "internal.h"
+
+static struct dentry *digest_cache_dir;
+static struct dentry *default_path_dentry;
+
+/**
+ * write_default_path - Write default path
+ * @file: File descriptor of the securityfs file
+ * @buf: User space buffer
+ * @datalen: Amount of data to write
+ * @ppos: Current position in the file
+ *
+ * This function sets the new default path where digest lists can be found.
+ * Can be either a regular file or a directory.
+ *
+ * Return: Length of path written on success, a POSIX error code otherwise.
+ */
+static ssize_t write_default_path(struct file *file, const char __user *buf,
+				  size_t datalen, loff_t *ppos)
+{
+	char *new_default_path_str;
+
+	new_default_path_str = memdup_user_nul(buf, datalen);
+	if (IS_ERR(new_default_path_str))
+		return PTR_ERR(new_default_path_str);
+
+	down_write(&default_path_sem);
+	kfree_const(default_path_str);
+	default_path_str = new_default_path_str;
+	up_write(&default_path_sem);
+	return datalen;
+}
+
+/**
+ * read_default_path - Read default path
+ * @file: File descriptor of the securityfs file
+ * @buf: User space buffer
+ * @datalen: Amount of data to read
+ * @ppos: Current position in the file
+ *
+ * This function returns the current default path where digest lists can be
+ * found. Can be either a regular file or a directory.
+ *
+ * Return: Length of path read on success, a POSIX error code otherwise.
+ */
+static ssize_t read_default_path(struct file *file, char __user *buf,
+				 size_t datalen, loff_t *ppos)
+{
+	int ret;
+
+	down_read(&default_path_sem);
+	ret = simple_read_from_buffer(buf, datalen, ppos, default_path_str,
+				      strlen(default_path_str) + 1);
+	up_read(&default_path_sem);
+	return ret;
+}
+
+static const struct file_operations default_path_ops = {
+	.open = generic_file_open,
+	.write = write_default_path,
+	.read = read_default_path,
+	.llseek = generic_file_llseek,
+};
+
+/**
+ * digest_cache_secfs_init - Initialize the securityfs interface
+ * @dir: Directory entry provided by the calling LSM
+ *
+ * This function initializes the securityfs interfaces, for configuration
+ * by user space.
+ *
+ * It creates 'default_path', allowing user space to change the default
+ * directory where digest lists are searched.
+ *
+ * Return: Zero on success, a POSIX error code otherwise.
+ */
+int __init digest_cache_secfs_init(struct dentry *dir)
+{
+	digest_cache_dir = securityfs_create_dir("digest_cache", dir);
+	if (IS_ERR(digest_cache_dir))
+		return PTR_ERR(digest_cache_dir);
+
+	default_path_dentry = securityfs_create_file("default_path", 0660,
+						     digest_cache_dir, NULL,
+						     &default_path_ops);
+	if (IS_ERR(default_path_dentry)) {
+		securityfs_remove(digest_cache_dir);
+		return PTR_ERR(default_path_dentry);
+	}
+
+	return 0;
+}
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index e4a79a9b2d58..be9e374e2cef 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -614,6 +614,12 @@ int __init ima_fs_init(void)
 		goto out;
 	}
 
+	if (IS_ENABLED(CONFIG_INTEGRITY_DIGEST_CACHE)) {
+		ret = digest_cache_secfs_init(integrity_dir);
+		if (ret < 0)
+			goto out;
+	}
+
 	return 0;
 out:
 	securityfs_remove(ima_policy);
-- 
2.47.0.118.gfd3785337b




More information about the Linux-security-module-archive mailing list