Linux-Security-Module Archive mirror
From: Roberto Sassu <roberto.sassu@huaweicloud.com>
To: corbet@lwn.net, zohar@linux.ibm.com, dmitry.kasatkin@gmail.com,
	eric.snowberg@oracle.com, paul@paul-moore.com, jmorris@namei.org,
	serge@hallyn.com
Cc: linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org,
	linux-integrity@vger.kernel.org,
	linux-security-module@vger.kernel.org, wufan@linux.microsoft.com,
	pbrobinson@gmail.com, zbyszek@in.waw.pl, hch@lst.de,
	mjg59@srcf.ucam.org, pmatilai@redhat.com, jannh@google.com,
	dhowells@redhat.com, jikos@kernel.org, mkoutny@suse.com,
	ppavlu@suse.com, petr.vorel@gmail.com, mzerqung@0pointer.de,
	kgold@linux.ibm.com, Roberto Sassu <roberto.sassu@huawei.com>
Subject: [RFC][PATCH v2 9/9] ima: Register to the digest_cache LSM notifier and process events
Date: Mon, 15 Apr 2024 18:10:44 +0200
Message-ID: <20240415161044.2572438-10-roberto.sassu@huaweicloud.com>
In-Reply-To: <20240415161044.2572438-1-roberto.sassu@huaweicloud.com>

From: Roberto Sassu <roberto.sassu@huawei.com>

A digest cache used for measurement/appraisal might change over time
(due to file modification, directory changes). When that happens, IMA
should invalidate the cached integrity result for affected inodes and
evaluate those inodes again.

Implement ima_digest_cache_change(), to be invoked at every notification by
the digest_cache LSM, and register it as a callback with
digest_cache_register_notifier().

For every notification, and if the type of event is DIGEST_CACHE_RESET,
retrieve the inode integrity metadata (if any), and set the
IMA_CHANGE_XATTR atomic flag, so that IMA fully reevaluates the inode in
process_measurement().

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
 security/integrity/ima/ima_digest_cache.c | 31 +++++++++++++++++++++++
 security/integrity/ima/ima_digest_cache.h |  6 +++++
 security/integrity/ima/ima_main.c         | 11 +++++++-
 3 files changed, 47 insertions(+), 1 deletion(-)

diff --git a/security/integrity/ima/ima_digest_cache.c b/security/integrity/ima/ima_digest_cache.c
index 013c69f265d8..0ab35575ff7c 100644
--- a/security/integrity/ima/ima_digest_cache.c
+++ b/security/integrity/ima/ima_digest_cache.c
@@ -90,3 +90,34 @@ void ima_digest_cache_update_allowed_usage(struct file *file,
 out:
 	digest_cache_put(digest_cache);
 }
+
+static int ima_digest_cache_change(struct notifier_block *nb,
+				   unsigned long event, void *data)
+{
+	struct ima_iint_cache *iint;
+	struct digest_cache_event_data *event_data = data;
+
+	if (event != DIGEST_CACHE_RESET)
+		return NOTIFY_DONE;
+
+	iint = ima_iint_find(event_data->inode);
+	if (!iint) {
+		pr_debug("Integrity metadata not found for inode %lu\n",
+			 event_data->inode->i_ino);
+		return NOTIFY_OK;
+	}
+
+	set_bit(IMA_CHANGE_XATTR, &iint->atomic_flags);
+	pr_debug("Integrity metadata of inode %lu successfully reset\n",
+		 event_data->inode->i_ino);
+	return NOTIFY_OK;
+}
+
+static struct notifier_block digest_cache_notifier = {
+	.notifier_call = ima_digest_cache_change,
+};
+
+int ima_digest_cache_register_notifier(void)
+{
+	return digest_cache_register_notifier(&digest_cache_notifier);
+}
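Review bot: in ima_digest_cache_change() the reset is signalled by setting IMA_CHANGE_XATTR, a flag whose name describes a change of the security.ima xattr rather than a digest cache reset; a comment above `set_bit(IMA_CHANGE_XATTR, &iint->atomic_flags);` stating that the xattr-change path of process_measurement() is deliberately reused to force a full re-evaluation (or a dedicated flag such as an IMA_CHANGE_DIGEST_CACHE bit) would keep the intent clear to the next reader. Two smaller points: both pr_debug() messages identify the inode by i_ino alone, which is ambiguous across filesystems, so printing the superblock id alongside it would make the output usable on a multi-mount system; and since the callback only marks the iint, the commit message's "reevaluates the inode" happens at the next measurement, not at reset time, which is worth stating in the comment so nobody expects an immediate re-appraisal.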
diff --git a/security/integrity/ima/ima_digest_cache.h b/security/integrity/ima/ima_digest_cache.h
index cb47c15e975d..44c188c2fb93 100644
--- a/security/integrity/ima/ima_digest_cache.h
+++ b/security/integrity/ima/ima_digest_cache.h
@@ -15,6 +15,7 @@ void ima_digest_cache_store_allowed_usage(struct file *file,
 void ima_digest_cache_update_allowed_usage(struct file *file,
 					   struct ima_iint_cache *iint,
 					   u64 *allowed_usage);
+int ima_digest_cache_register_notifier(void);
 #else
 static inline void
 ima_digest_cache_store_allowed_usage(struct file *file,
@@ -27,4 +28,9 @@ ima_digest_cache_update_allowed_usage(struct file *file,
 				      u64 *allowed_usage)
 { }
 
+static inline int ima_digest_cache_register_notifier(void)
+{
+	return 0;
+}
+
 #endif /* CONFIG_SECURITY_DIGEST_CACHE */
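Review bot: the header gains ima_digest_cache_register_notifier() but no unregister counterpart, so nothing can undo the registration should init_ima() need to bail out after it; for symmetry with unregister_blocking_lsm_notifier(), which the ima_main.c hunk does call on failure, add `void ima_digest_cache_unregister_notifier(void);` under CONFIG_SECURITY_DIGEST_CACHE with an empty static inline stub in the #else branch.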
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 7ae2bd888d41..fe826755acd1 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -1159,8 +1159,17 @@ static int __init init_ima(void)
 		return error;
 
 	error = register_blocking_lsm_notifier(&ima_lsm_policy_notifier);
-	if (error)
+	if (error) {
 		pr_warn("Couldn't register LSM notifier, error %d\n", error);
+		return error;
+	}
+
+	error = ima_digest_cache_register_notifier();
+	if (error) {
+		pr_warn("Couldn't register digest cache notifier, error %d\n",
+			error);
+		unregister_blocking_lsm_notifier(&ima_lsm_policy_notifier);
+	}
 
 	if (!error)
 		ima_update_policy_flags();
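Review bot: the `return error;` added after the LSM-notifier pr_warn() turns what was a warn-and-continue into a fatal init_ima() failure, a behaviour change the commit message does not mention; either call it out in the changelog or keep the previous tolerance and only unwind on the new digest-cache registration failure. Also, the digest-cache failure branch falls through to `if (!error) ima_update_policy_flags();` instead of returning right after unregister_blocking_lsm_notifier(), while the branch just above now returns immediately; returning in both places would keep the two error paths consistent.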
-- 
2.34.1
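The notifier-driven invalidation described in the commit message, as an added example that is not part of the patch or of the kernel: a single-threaded userspace C model in which per-inode verdicts are cached, a DIGEST_CACHE_RESET delivered through a notifier chain sets an atomic flag on the affected entry, and the next measurement re-appraises the inode instead of trusting the cached result. The names (`iint_model`, `digest_list_replace`, `run_scenario`, `CHANGE_MASK`), the inode numbers and the digest values are constructed for the example and only mimic the kernel's `ima_iint_cache`, `IMA_CHANGE_XATTR` and `process_measurement()`.

```c
/* Added example, not kernel code: a single-threaded userspace model of the
 * invalidation pattern in the commit message. Per-inode integrity verdicts
 * are cached; a notifier chain delivers DIGEST_CACHE_RESET; the IMA-side
 * callback sets an atomic "changed" bit on the matching entry and the next
 * measurement recomputes the verdict instead of trusting the stale one.
 * Every identifier is a hypothetical stand-in for the kernel's. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

enum { NOTIFY_DONE = 0, NOTIFY_OK = 1 };
enum { DIGEST_CACHE_RESET = 1, DIGEST_CACHE_OTHER = 2 };
#define CHANGE_MASK (1UL << 0)            /* stands in for IMA_CHANGE_XATTR */
#define MAX_IINT 8

struct inode_model { unsigned long i_ino; uint32_t content_digest; };
struct event_data  { struct inode_model *inode; };
struct iint_model {
	unsigned long ino;
	bool in_use, verdict;
	int evaluations;                  /* how often the verdict was recomputed */
	atomic_ulong atomic_flags;        /* CHANGE_MASK forces re-evaluation */
};

typedef int (*notifier_fn)(unsigned long event, void *data);
static struct iint_model iints[MAX_IINT];
static uint32_t allowed[4];               /* constructed "digest list" */
static notifier_fn chain[4];
static int allowed_len, chain_len;

static void call_chain(unsigned long event, void *data)
{
	for (int i = 0; i < chain_len; i++)
		chain[i](event, data);
}

static struct iint_model *iint_find(unsigned long ino)
{
	for (int i = 0; i < MAX_IINT; i++)
		if (iints[i].in_use && iints[i].ino == ino)
			return &iints[i];
	return NULL;
}

static struct iint_model *iint_get(unsigned long ino)
{
	struct iint_model *iint = iint_find(ino);
	for (int i = 0; !iint && i < MAX_IINT; i++)
		if (!iints[i].in_use) {
			iint = &iints[i];
			iint->in_use = true;
			iint->ino = ino;
			iint->evaluations = 0;
			atomic_store(&iint->atomic_flags, 0UL);
		}
	return iint;
}

static bool digest_allowed(uint32_t d)
{
	for (int i = 0; i < allowed_len; i++)
		if (allowed[i] == d)
			return true;
	return false;
}

/* Model of ima_digest_cache_change(): only RESET matters, and an inode
 * without integrity metadata has no cached verdict to invalidate. */
int digest_cache_change(unsigned long event, void *data)
{
	struct event_data *ed = data;
	struct iint_model *iint;

	if (event != DIGEST_CACHE_RESET)
		return NOTIFY_DONE;
	iint = iint_find(ed->inode->i_ino);
	if (iint)
		atomic_fetch_or(&iint->atomic_flags, CHANGE_MASK);
	return NOTIFY_OK;
}

/* Model of process_measurement(): reuse the cached verdict unless the
 * changed bit is set; test-and-clear it, then re-appraise. Fails closed
 * when no metadata slot is available. */
bool process_measurement(struct inode_model *inode)
{
	struct iint_model *iint = iint_get(inode->i_ino);
	if (!iint)
		return false;
	unsigned long flags = atomic_exchange(&iint->atomic_flags, 0UL);
	if (iint->evaluations > 0 && !(flags & CHANGE_MASK))
		return iint->verdict;
	iint->verdict = digest_allowed(inode->content_digest);
	iint->evaluations++;
	return iint->verdict;
}

int evaluations_of(unsigned long ino)
{
	struct iint_model *iint = iint_find(ino);
	return iint ? iint->evaluations : -1;
}

/* The digest_cache side: install a new digest list and notify listeners. */
void digest_list_replace(const uint32_t *list, int n, struct inode_model *affected)
{
	struct event_data ed = { .inode = affected };
	allowed_len = n > 4 ? 4 : n;
	memcpy(allowed, list, (size_t)allowed_len * sizeof(*list));
	call_chain(DIGEST_CACHE_RESET, &ed);
}

/* Scenario: a file is appraised OK and the verdict cached; its digest is
 * revoked and RESET fires; the next measurement must be recomputed and
 * denied. Returns 0 on success, else the number of the failing step. */
int run_scenario(void)
{
	static const uint32_t good[] = { 0xABCDu, 0x1234u }, revoked[] = { 0x1234u };
	struct inode_model ino42 = { 42, 0xABCDu }, ino7 = { 7, 0x1234u };
	struct event_data ed42 = { &ino42 }, ed7 = { &ino7 };

	for (int i = 0; i < MAX_IINT; i++)
		iints[i].in_use = false;
	chain_len = 0;
	chain[chain_len++] = digest_cache_change;          /* register_notifier */
	memcpy(allowed, good, sizeof(good));
	allowed_len = 2;

	if (!process_measurement(&ino42)) return 1;
	if (!process_measurement(&ino42) || evaluations_of(42) != 1) return 2; /* cached */
	call_chain(DIGEST_CACHE_OTHER, &ed42);             /* ignored event type */
	call_chain(DIGEST_CACHE_RESET, &ed7);              /* inode 7 has no iint */
	if (!process_measurement(&ino42) || evaluations_of(42) != 1) return 3;
	digest_list_replace(revoked, 1, &ino42);           /* 0xABCD revoked */
	if (evaluations_of(42) != 1) return 4;             /* flagged, not yet redone */
	if (process_measurement(&ino42) || evaluations_of(42) != 2) return 5;
	if (process_measurement(&ino42) || evaluations_of(42) != 2) return 6;
	return 0;
}

int main(void) { return run_scenario(); }
```

run_scenario() returns 0 when the stale "allowed" verdict is discarded after the reset and left untouched by an unrelated event or by a reset for an inode without metadata; a non-zero return names the failing step. The model also makes the caveat the patch relies on visible: the callback only marks the entry, so the denial takes effect at the next measurement, not at reset time.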


Thread overview:
2024-04-15 16:10 [RFC][PATCH v2 0/9] ima: Integrate with digest_cache LSM Roberto Sassu
2024-04-15 16:10 ` [RFC][PATCH v2 1/9] ima: Introduce hook DIGEST_LIST_CHECK Roberto Sassu
2024-04-15 16:10 ` [RFC][PATCH v2 2/9] ima: Nest iint mutex for DIGEST_LIST_CHECK hook Roberto Sassu
2024-04-15 16:10 ` [RFC][PATCH v2 3/9] ima: Add digest_cache policy keyword Roberto Sassu
2024-04-15 16:10 ` [RFC][PATCH v2 4/9] ima: Add digest_cache_measure/appraise boot-time built-in policies Roberto Sassu
2024-04-15 16:10 ` [RFC][PATCH v2 5/9] ima: Modify existing boot-time built-in policies with digest cache policies Roberto Sassu
2024-04-15 16:10 ` [RFC][PATCH v2 6/9] ima: Store allowed usage in digest cache based on integrity metadata flags Roberto Sassu
2024-04-15 16:10 ` [RFC][PATCH v2 7/9] ima: Use digest caches for measurement Roberto Sassu
2024-04-15 16:10 ` [RFC][PATCH v2 8/9] ima: Use digest caches for appraisal Roberto Sassu
2024-04-15 16:10 ` Roberto Sassu [this message]
