Re: [PATCH v4 10/17] firmware_loader: Use security_post_load_data()

[PATCH v4 00/17] Introduce partial kernel_read_file() support · Kees Cook <hidden> · 2020-07-29
[PATCH v4 01/17] test_firmware: Test platform fw loading on non-EFI systems · Kees Cook <hidden> · 2020-07-29
[PATCH v4 08/17] fs/kernel_read_file: Add file_size output argument · Kees Cook <hidden> · 2020-07-29
Re: [PATCH v4 08/17] fs/kernel_read_file: Add file_size output argument · James Morris <jmorris@namei.org> · 2020-07-30
[PATCH v4 11/17] module: Call security_kernel_post_load_data() · Kees Cook <hidden> · 2020-07-29
Re: [PATCH v4 11/17] module: Call security_kernel_post_load_data() · Jessica Yu <jeyu@kernel.org> · 2020-08-05
Re: [PATCH v4 11/17] module: Call security_kernel_post_load_data() · KP Singh <hidden> · 2020-08-07
[PATCH v4 13/17] IMA: Add support for file reads without contents · Kees Cook <hidden> · 2020-07-29
[PATCH v4 15/17] firmware: Store opt_flags in fw_priv · Kees Cook <hidden> · 2020-07-29
[PATCH v4 14/17] fs/kernel_file_read: Add "offset" arg for partial reads · Kees Cook <hidden> · 2020-07-29
[PATCH v4 16/17] firmware: Add request_partial_firmware_into_buf() · Kees Cook <hidden> · 2020-07-29
[PATCH v4 09/17] LSM: Introduce kernel_post_load_data() hook · Kees Cook <hidden> · 2020-07-29
Re: [PATCH v4 09/17] LSM: Introduce kernel_post_load_data() hook · Mimi Zohar <zohar@linux.ibm.com> · 2020-08-06
Re: [PATCH v4 09/17] LSM: Introduce kernel_post_load_data() hook · KP Singh <hidden> · 2020-08-07
[PATCH v4 10/17] firmware_loader: Use security_post_load_data() · Kees Cook <hidden> · 2020-07-29
Re: [PATCH v4 10/17] firmware_loader: Use security_post_load_data() · Mimi Zohar <zohar@linux.ibm.com> · 2020-08-06
[PATCH v4 12/17] LSM: Add "contents" flag to kernel_read_file hook · Kees Cook <hidden> · 2020-07-29
Re: [PATCH v4 12/17] LSM: Add "contents" flag to kernel_read_file hook · Mimi Zohar <zohar@linux.ibm.com> · 2020-08-07
[PATCH v4 07/17] fs/kernel_read_file: Switch buffer size arg to size_t · Kees Cook <hidden> · 2020-07-29
Re: [PATCH v4 07/17] fs/kernel_read_file: Switch buffer size arg to size_t · James Morris <jmorris@namei.org> · 2020-07-30
[PATCH v4 06/17] fs/kernel_read_file: Remove redundant size argument · Kees Cook <hidden> · 2020-07-29
Re: [PATCH v4 06/17] fs/kernel_read_file: Remove redundant size argument · James Morris <jmorris@namei.org> · 2020-07-30
[PATCH v4 05/17] fs/kernel_read_file: Split into separate source file · Kees Cook <hidden> · 2020-07-29
[PATCH v4 04/17] fs/kernel_read_file: Split into separate include file · Kees Cook <hidden> · 2020-07-29
Re: [PATCH v4 04/17] fs/kernel_read_file: Split into separate include file · James Morris <jmorris@namei.org> · 2020-07-30
[PATCH v4 02/17] fs/kernel_read_file: Remove FIRMWARE_PREALLOC_BUFFER enum · Kees Cook <hidden> · 2020-07-29
[PATCH v4 03/17] fs/kernel_read_file: Remove FIRMWARE_EFI_EMBEDDED enum · Kees Cook <hidden> · 2020-07-29
[PATCH v4 17/17] test_firmware: Test partial read support · Kees Cook <hidden> · 2020-07-29

From: Mimi Zohar <zohar@linux.ibm.com>
Date: 2020-08-06 22:08:15
Also in: linux-efi, linux-integrity, linux-kselftest, lkml, selinux

On Wed, 2020-07-29 at 10:58 -0700, Kees Cook wrote:

Now that security_post_load_data() is wired up, use it instead
of the NULL file argument style of security_post_read_file(),
and update the security_kernel_load_data() call to indicate that a
security_kernel_post_load_data() call is expected.

Wire up the IMA check to match earlier logic. Perhaps a generalized
change to ima_post_load_data() might look something like this:

    return process_buffer_measurement(buf, size,
                                      kernel_load_data_id_str(load_id),
                                      read_idmap[load_id] ?: FILE_CHECK,
                                      0, NULL);

Signed-off-by: Kees Cook <redacted>

Other than one change and one question below, it looks good.

Reviewed-by:  Mimi Zohar <zohar@linux.ibm.com>

<snip>

quoted hunk ↗ jump to hunk

diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 85000dc8595c..1a7bc4c7437d 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c

quoted hunk ↗ jump to hunk

@@ -706,7 +697,7 @@ int ima_load_data(enum kernel_load_data_id id, bool contents)
 		}
 		break;
 	case LOADING_FIRMWARE:
-		if (ima_enforce && (ima_appraise & IMA_APPRAISE_FIRMWARE)) {
+		if (ima_enforce && (ima_appraise & IMA_APPRAISE_FIRMWARE) && !contents) {
 			pr_err("Prevent firmware sysfs fallback loading.\n");

Appended signatures are limited to kernel modules and, more recently,
to the kexec kernel image, not firmware.  Without a file descriptor,
file signatures stored as an xattrs are not applicable either.  We
might as well fail earlier, rather than later.  Adding "!contents" is
unnecessary.

quoted hunk ↗ jump to hunk

 			return -EACCES;	/* INTEGRITY_UNKNOWN */
 		}

@@ -739,6 +730,15 @@ int ima_load_data(enum kernel_load_data_id id, bool contents)
  */
 int ima_post_load_data(char *buf, loff_t size, enum kernel_load_data_id load_id)
 {
+	if (load_id == LOADING_FIRMWARE) {
+		if ((ima_appraise & IMA_APPRAISE_FIRMWARE) &&
+		    (ima_appraise & IMA_APPRAISE_ENFORCE)) {
+			pr_err("Prevent firmware loading_store.\n");
+			return -EACCES; /* INTEGRITY_UNKNOWN */
+		}
+		return 0;
+	}

Even with failing LOADING_FIRMWARE early in ima_load_data(), is this
still needed for fw_sysfs_loading()?

thanks,

Mimi

+
 	return 0;
 }

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help