Re: [PATCH v3 11/19] LSM: Introduce kernel_post_load_data() hook

[PATCH v3 00/19] Introduce partial kernel_read_file() support · Kees Cook <hidden> · 2020-07-24
[PATCH v3 01/19] test_firmware: Test platform fw loading on non-EFI systems · Kees Cook <hidden> · 2020-07-24
[PATCH v3 02/19] selftest/firmware: Add selftest timeout in settings · Kees Cook <hidden> · 2020-07-24
[PATCH v3 05/19] fs/kernel_read_file: Remove FIRMWARE_EFI_EMBEDDED enum · Kees Cook <hidden> · 2020-07-24
[PATCH v3 15/19] IMA: Add support for file reads without contents · Kees Cook <hidden> · 2020-07-24
Re: [PATCH v3 15/19] IMA: Add support for file reads without contents · Mimi Zohar <zohar@kernel.org> · 2020-07-27
Re: [PATCH v3 15/19] IMA: Add support for file reads without contents · Kees Cook <hidden> · 2020-07-28
Re: [PATCH v3 15/19] IMA: Add support for file reads without contents · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2020-07-28
Re: [PATCH v3 15/19] IMA: Add support for file reads without contents · Kees Cook <hidden> · 2020-07-28
[PATCH v3 13/19] module: Call security_kernel_post_load_data() · Kees Cook <hidden> · 2020-07-24
[PATCH v3 14/19] LSM: Add "contents" flag to kernel_read_file hook · Kees Cook <hidden> · 2020-07-24
[PATCH v3 11/19] LSM: Introduce kernel_post_load_data() hook · Kees Cook <hidden> · 2020-07-24
Re: [PATCH v3 11/19] LSM: Introduce kernel_post_load_data() hook · Mimi Zohar <zohar@kernel.org> · 2020-07-27
Re: [PATCH v3 11/19] LSM: Introduce kernel_post_load_data() hook · Kees Cook <hidden> · 2020-07-28
[PATCH v3 12/19] firmware_loader: Use security_post_load_data() · Kees Cook <hidden> · 2020-07-24
Re: [PATCH v3 12/19] firmware_loader: Use security_post_load_data() · Mimi Zohar <zohar@kernel.org> · 2020-07-27
Re: [PATCH v3 12/19] firmware_loader: Use security_post_load_data() · Kees Cook <hidden> · 2020-07-28
Re: [PATCH v3 12/19] firmware_loader: Use security_post_load_data() · Mimi Zohar <zohar@linux.ibm.com> · 2020-07-29
Re: [PATCH v3 12/19] firmware_loader: Use security_post_load_data() · Mimi Zohar <zohar@linux.ibm.com> · 2020-07-29
Re: [PATCH v3 12/19] firmware_loader: Use security_post_load_data() · Kees Cook <hidden> · 2020-07-29
[PATCH v3 10/19] fs/kernel_read_file: Add file_size output argument · Kees Cook <hidden> · 2020-07-24
Re: [PATCH v3 10/19] fs/kernel_read_file: Add file_size output argument · Mimi Zohar <zohar@kernel.org> · 2020-07-27
[PATCH v3 09/19] fs/kernel_read_file: Switch buffer size arg to size_t · Kees Cook <hidden> · 2020-07-24
Re: [PATCH v3 09/19] fs/kernel_read_file: Switch buffer size arg to size_t · Mimi Zohar <zohar@kernel.org> · 2020-07-27
[PATCH v3 08/19] fs/kernel_read_file: Remove redundant size argument · Kees Cook <hidden> · 2020-07-24
Re: [PATCH v3 08/19] fs/kernel_read_file: Remove redundant size argument · Mimi Zohar <zohar@kernel.org> · 2020-07-27
[PATCH v3 06/19] fs/kernel_read_file: Split into separate include file · Kees Cook <hidden> · 2020-07-24
Re: [PATCH v3 06/19] fs/kernel_read_file: Split into separate include file · Mimi Zohar <zohar@kernel.org> · 2020-07-27
[PATCH v3 07/19] fs/kernel_read_file: Split into separate source file · Kees Cook <hidden> · 2020-07-24
Re: [PATCH v3 07/19] fs/kernel_read_file: Split into separate source file · Mimi Zohar <zohar@kernel.org> · 2020-07-27
[PATCH v3 03/19] firmware_loader: EFI firmware loader must handle pre-allocated buffer · Kees Cook <hidden> · 2020-07-24
Re: [PATCH v3 03/19] firmware_loader: EFI firmware loader must handle pre-allocated buffer · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2020-07-25
Re: [PATCH v3 03/19] firmware_loader: EFI firmware loader must handle pre-allocated buffer · Kees Cook <hidden> · 2020-07-25
Re: [PATCH v3 03/19] firmware_loader: EFI firmware loader must handle pre-allocated buffer · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2020-07-25
[PATCH v3 04/19] fs/kernel_read_file: Remove FIRMWARE_PREALLOC_BUFFER enum · Kees Cook <hidden> · 2020-07-24
Re: [PATCH v3 04/19] fs/kernel_read_file: Remove FIRMWARE_PREALLOC_BUFFER enum · Mimi Zohar <zohar@kernel.org> · 2020-07-27
[PATCH v3 17/19] firmware: Store opt_flags in fw_priv · Kees Cook <hidden> · 2020-07-24
[PATCH v3 19/19] test_firmware: Test partial read support · Kees Cook <hidden> · 2020-07-24
[PATCH v3 18/19] firmware: Add request_partial_firmware_into_buf() · Kees Cook <hidden> · 2020-07-24
Re: [PATCH v3 18/19] firmware: Add request_partial_firmware_into_buf() · Luis Chamberlain <mcgrof@kernel.org> · 2020-07-29
Re: [PATCH v3 18/19] firmware: Add request_partial_firmware_into_buf() · Takashi Iwai <hidden> · 2020-07-29
Re: [PATCH v3 18/19] firmware: Add request_partial_firmware_into_buf() · Kees Cook <hidden> · 2020-07-29
[PATCH v3 16/19] fs/kernel_file_read: Add "offset" arg for partial reads · Kees Cook <hidden> · 2020-07-24
Re: [PATCH v3 00/19] Introduce partial kernel_read_file() support · Scott Branden <scott.branden@broadcom.com> · 2020-07-25
Re: [PATCH v3 00/19] Introduce partial kernel_read_file() support · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2020-07-25
Re: [PATCH v3 00/19] Introduce partial kernel_read_file() support · Kees Cook <hidden> · 2020-07-25
Re: [PATCH v3 00/19] Introduce partial kernel_read_file() support · Mimi Zohar <zohar@kernel.org> · 2020-07-27
Re: [PATCH v3 00/19] Introduce partial kernel_read_file() support · Scott Branden <scott.branden@broadcom.com> · 2020-07-27
Re: [PATCH v3 00/19] Introduce partial kernel_read_file() support · Mimi Zohar <zohar@linux.ibm.com> · 2020-07-28
Re: [PATCH v3 00/19] Introduce partial kernel_read_file() support · Scott Branden <scott.branden@broadcom.com> · 2020-07-28
Re: [PATCH v3 00/19] Introduce partial kernel_read_file() support · Luis Chamberlain <mcgrof@kernel.org> · 2020-07-29

From: Mimi Zohar <zohar@kernel.org>
Date: 2020-07-27 10:49:16
Also in: linux-efi, linux-integrity, linux-kselftest, lkml, selinux

On Fri, 2020-07-24 at 14:36 -0700, Kees Cook wrote:

There are a few places in the kernel where LSMs would like to have
visibility into the contents of a kernel buffer that has been loaded or
read. While security_kernel_post_read_file() (which includes the
buffer) exists as a pairing for security_kernel_read_file(), no such
hook exists to pair with security_kernel_load_data().

Earlier proposals for just using security_kernel_post_read_file() with a
NULL file argument were rejected (i.e. "file" should always be valid for
the security_..._file hooks, but it appears at least one case was
left in the kernel during earlier refactoring. (This will be fixed in
a subsequent patch.)

Since not all cases of security_kernel_load_data() can have a single
contiguous buffer made available to the LSM hook (e.g. kexec image
segments are separately loaded), there needs to be a way for the LSM to
reason about its expectations of the hook coverage. In order to handle
this, add a "contents" argument to the "kernel_load_data" hook that
indicates if the newly added "kernel_post_load_data" hook will be called
with the full contents once loaded. That way, LSMs requiring full contents
can choose to unilaterally reject "kernel_load_data" with contents=false
(which is effectively the existing hook coverage), but when contents=true
they can allow it and later evaluate the "kernel_post_load_data" hook
once the buffer is loaded.

With this change, LSMs can gain coverage over non-file-backed data loads
(e.g. init_module(2) and firmware userspace helper), which will happen
in subsequent patches.

Additionally prepare IMA to start processing these cases.

Signed-off-by: Kees Cook <redacted>

At least from an IMA perspective, the original
security_kernel_load_data() hook was defined in order to prevent
certain syscalls - init_module, kexec_load - and loading firmware via
sysfs.  The resulting error messages were generic.
  
Unlike security_kernel_load_data(), security_kernel_post_load_data()
is meant to be used, but without a file desciptor specific
information, like the filename associated with the buffer, is missing.
 Having the filename isn't actually necessary for verifying the
appended signature, but it is needed for auditing signature
verification failures and including in the IMA measurement list.

Mimi

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help