Re: [PATCH v20 02/20] ipe: add policy parser

[PATCH v20 00/20] Integrity Policy Enforcement LSM (IPE) · Fan Wu <hidden> · 2024-08-03
[PATCH v20 07/20] security: add new securityfs delete function · Fan Wu <hidden> · 2024-08-03
[PATCH v20 05/20] initramfs|security: Add a security hook to do_populate_rootfs() · Fan Wu <hidden> · 2024-08-03
[PATCH v20 06/20] ipe: introduce 'boot_verified' as a trust provider · Fan Wu <hidden> · 2024-08-03
[PATCH v20 08/20] ipe: add userspace interface · Fan Wu <hidden> · 2024-08-03
[PATCH v20 10/20] ipe: add permissive toggle · Fan Wu <hidden> · 2024-08-03
[PATCH v20 09/20] uapi|audit|ipe: add ipe auditing support · Fan Wu <hidden> · 2024-08-03
[PATCH v20 14/20] security: add security_inode_setintegrity() hook · Fan Wu <hidden> · 2024-08-03
[PATCH v20 11/20] block|lsm: Add LSM blob and new LSM hooks for block devices · Fan Wu <hidden> · 2024-08-03
[PATCH v20 12/20] dm verity: expose root hash digest and signature data to LSMs · Fan Wu <hidden> · 2024-08-03
Re: [PATCH v20 12/20] dm verity: expose root hash digest and signature data to LSMs · Fan Wu <hidden> · 2024-08-08
Re: [PATCH v20 12/20] dm verity: expose root hash digest and signature data to LSMs · Paul Moore <paul@paul-moore.com> · 2024-08-15
Re: [PATCH v20 12/20] dm verity: expose root hash digest and signature data to LSMs · Mikulas Patocka <mpatocka@redhat.com> · 2024-08-16
Re: [PATCH v20 12/20] dm verity: expose root hash digest and signature data to LSMs · Fan Wu <hidden> · 2024-08-16
Re: [PATCH v20 12/20] dm verity: expose root hash digest and signature data to LSMs · Paul Moore <paul@paul-moore.com> · 2024-08-18
Re: [PATCH v20 12/20] dm verity: expose root hash digest and signature data to LSMs · Fan Wu <hidden> · 2024-08-19
Re: [PATCH v20 12/20] dm verity: expose root hash digest and signature data to LSMs · Paul Moore <paul@paul-moore.com> · 2024-08-19
[PATCH v20 13/20] ipe: add support for dm-verity as a trust provider · Fan Wu <hidden> · 2024-08-03
[PATCH v20 16/20] ipe: enable support for fs-verity as a trust provider · Fan Wu <hidden> · 2024-08-03
[PATCH v20 17/20] scripts: add boot policy generation program · Fan Wu <hidden> · 2024-08-03
[PATCH v20 20/20] MAINTAINERS: ipe: add ipe maintainer information · Fan Wu <hidden> · 2024-08-03
Re: [PATCH v20 20/20] MAINTAINERS: ipe: add ipe maintainer information · Paul Menzel <hidden> · 2024-08-03
Re: [PATCH v20 20/20] MAINTAINERS: ipe: add ipe maintainer information · Paul Moore <paul@paul-moore.com> · 2024-08-06
Re: [PATCH v20 20/20] MAINTAINERS: ipe: add ipe maintainer information · Paul Menzel <hidden> · 2024-08-07
Re: [PATCH v20 20/20] MAINTAINERS: ipe: add ipe maintainer information · Fan Wu <hidden> · 2024-08-07
Re: [PATCH v20 20/20] MAINTAINERS: ipe: add ipe maintainer information · Paul Moore <paul@paul-moore.com> · 2024-08-07
[PATCH v20 15/20] fsverity: expose verified fsverity built-in signatures to LSMs · Fan Wu <hidden> · 2024-08-03
Re: [PATCH v20 15/20] fsverity: expose verified fsverity built-in signatures to LSMs · Eric Biggers <ebiggers@kernel.org> · 2024-08-05
[PATCH v20 18/20] ipe: kunit test for parser · Fan Wu <hidden> · 2024-08-03
[PATCH v20 19/20] Documentation: add ipe documentation · Fan Wu <hidden> · 2024-08-03
[PATCH v20 03/20] ipe: add evaluation loop · Fan Wu <hidden> · 2024-08-03
Re: [PATCH v20 03/20] ipe: add evaluation loop · "Serge E. Hallyn" <serge@hallyn.com> · 2024-08-10
[PATCH v20 04/20] ipe: add LSM hooks on execution and kernel read · Fan Wu <hidden> · 2024-08-03
[PATCH v20 01/20] security: add ipe lsm · Fan Wu <hidden> · 2024-08-03
[PATCH v20 02/20] ipe: add policy parser · Fan Wu <hidden> · 2024-08-03
Re: [PATCH v20 02/20] ipe: add policy parser · "Serge E. Hallyn" <serge@hallyn.com> · 2024-08-10
Re: [PATCH v20 02/20] ipe: add policy parser · Fan Wu <hidden> · 2024-08-13
Re: [PATCH v20 02/20] ipe: add policy parser · Paul Moore <paul@paul-moore.com> · 2024-08-14
Re: [PATCH v20 02/20] ipe: add policy parser · Fan Wu <hidden> · 2024-08-14
Re: [PATCH v20 02/20] ipe: add policy parser · Paul Moore <paul@paul-moore.com> · 2024-08-15
Re: [PATCH v20 00/20] Integrity Policy Enforcement LSM (IPE) · Paul Moore <paul@paul-moore.com> · 2024-08-06
Re: [PATCH v20 00/20] Integrity Policy Enforcement LSM (IPE) · Paul Moore <paul@paul-moore.com> · 2024-08-20

From: Fan Wu <hidden>
Date: 2024-08-14 18:23:45
Also in: dm-devel, linux-block, linux-doc, linux-integrity, lkml
Subsystem: integrity policy enforcement (ipe), security subsystem, the rest · Maintainers: Fan Wu, Paul Moore, James Morris, "Serge E. Hallyn", Linus Torvalds


On 8/13/2024 6:53 PM, Paul Moore wrote:

On Tue, Aug 13, 2024 at 1:54 PM Fan Wu [off-list ref] wrote:

quoted

On 8/10/2024 8:50 AM, Serge E. Hallyn wrote:

quoted

On Fri, Aug 02, 2024 at 11:08:16PM -0700, Fan Wu wrote:

quoted

From: Deven Bowers <redacted>

IPE's interpretation of the what the user trusts is accomplished through

nit: "of what the user trusts" (drop the extra 'the')

quoted

its policy. IPE's design is to not provide support for a single trust
provider, but to support multiple providers to enable the end-user to
choose the best one to seek their needs.

This requires the policy to be rather flexible and modular so that
integrity providers, like fs-verity, dm-verity, or some other system,
can plug into the policy with minimal code changes.

Signed-off-by: Deven Bowers <redacted>
Signed-off-by: Fan Wu <redacted>

This all looks fine.  Just one comment below.

Thank you for reviewing this!

quoted

+/**
+ * parse_rule() - parse a policy rule line.
+ * @line: Supplies rule line to be parsed.
+ * @p: Supplies the partial parsed policy.
+ *
+ * Return:
+ * * 0              - Success
+ * * %-ENOMEM       - Out of memory (OOM)
+ * * %-EBADMSG      - Policy syntax error
+ */
+static int parse_rule(char *line, struct ipe_parsed_policy *p)
+{
+    enum ipe_action_type action = IPE_ACTION_INVALID;
+    enum ipe_op_type op = IPE_OP_INVALID;
+    bool is_default_rule = false;
+    struct ipe_rule *r = NULL;
+    bool first_token = true;
+    bool op_parsed = false;
+    int rc = 0;
+    char *t;
+
+    r = kzalloc(sizeof(*r), GFP_KERNEL);
+    if (!r)
+            return -ENOMEM;
+
+    INIT_LIST_HEAD(&r->next);
+    INIT_LIST_HEAD(&r->props);
+
+    while (t = strsep(&line, IPE_POLICY_DELIM), line) {

If line is passed in as NULL, t will be NULL on the first test.  Then
you'll break out and call parse_action(NULL), which calls
match_token(NULL, ...), which I do not think is safe.

I realize the current caller won't pass in NULL, but it seems worth
checking for here in case some future caller is added by someone
who's unaware.

Or, maybe add 'line must not be null' to the function description.

Yes, I agree that adding a NULL check would be better. I will include it
in the next version.

We're still waiting to hear back from the device-mapper devs, but if
this is the only change required to the patchset I can add a NULL
check when I merge the patchset as it seems silly to resend the entire
patchset for this.  Fan, do you want to share the code snippet with
the NULL check so Serge can take a look?

Sure, here is the diff.

diff --git a/security/ipe/policy_parser.c b/security/ipe/policy_parser.c
index 32064262348a..0926b442e32a 100644
--- a/security/ipe/policy_parser.c
+++ b/security/ipe/policy_parser.c

@@ -309,6 +309,9 @@ static int parse_rule(char *line, struct

ipe_parsed_policy *p)
         int rc = 0;
         char *t;

+       if (IS_ERR_OR_NULL(line))
+               return -EBADMSG;
+
         r = kzalloc(sizeof(*r), GFP_KERNEL);
         if (!r)
                 return -ENOMEM;

-Fan

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help