On Thu, Dec 16, 2021 at 12:43:10AM -0500, Stefan Berger wrote:
> From: Stefan Berger <stefanb@xxxxxxxxxxxxx>
>
> Implement an IMA namespace data structure that gets created alongside a
> user namespace with CLONE_NEWUSER. This lays down the foundation for
> namespacing the different aspects of IMA (eg. IMA-audit, IMA-measurement,
> IMA-appraisal).
>
> Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>
> Suggested-by: James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx>
> ---
> include/linux/ima.h | 33 ++++++++++++
> include/linux/user_namespace.h | 4 ++
> init/Kconfig | 10 ++++
> kernel/user.c | 7 +++
> kernel/user_namespace.c | 8 +++
> security/integrity/ima/Makefile | 3 +-
> security/integrity/ima/ima.h | 8 +++
> security/integrity/ima/ima_init.c | 4 ++
> security/integrity/ima/ima_init_ima_ns.c | 28 ++++++++++
> security/integrity/ima/ima_ns.c | 65 ++++++++++++++++++++++++
> 10 files changed, 169 insertions(+), 1 deletion(-)
> create mode 100644 security/integrity/ima/ima_init_ima_ns.c
> create mode 100644 security/integrity/ima/ima_ns.c
>
> diff --git a/include/linux/ima.h b/include/linux/ima.h
> index b6ab66a546ae..61461ee5b208 100644
> --- a/include/linux/ima.h
> +++ b/include/linux/ima.h
> @@ -11,6 +11,7 @@
> #include <linux/fs.h>
> #include <linux/security.h>
> #include <linux/kexec.h>
> +#include <linux/user_namespace.h>
> #include <crypto/hash_info.h>
> struct linux_binprm;
>
> @@ -210,6 +211,38 @@ static inline int ima_inode_removexattr(struct dentry *dentry,
> }
> #endif /* CONFIG_IMA_APPRAISE */
>
> +extern struct ima_namespace init_ima_ns;
> +
> +#ifdef CONFIG_IMA_NS
> +
> +void free_ima_ns(struct user_namespace *ns);
> +int create_ima_ns(struct user_namespace *user_ns);
> +
> +static inline struct ima_namespace *get_current_ns(void)
> +{
> + return current_user_ns()->ima_ns;
> +}
> +
> +#else
> +
> +static inline void free_ima_ns(struct user_namespace *user_ns)
> +{
> +}
> +
> +static inline int create_ima_ns(struct user_namespace *user_ns)
> +{
> +#ifdef CONFIG_IMA
> + user_ns->ima_ns = &init_ima_ns;
> +#endif
> + return 0;
> +}
> +
> +static inline struct ima_namespace *get_current_ns(void)
> +{
> + return &init_ima_ns;
> +}
> +#endif /* CONFIG_IMA_NS */
> +
> #if defined(CONFIG_IMA_APPRAISE) && defined(CONFIG_INTEGRITY_TRUSTED_KEYRING)
> extern bool ima_appraise_signature(enum kernel_read_file_id func);
> #else
> diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
> index 33a4240e6a6f..5249db04d62b 100644
> --- a/include/linux/user_namespace.h
> +++ b/include/linux/user_namespace.h
> @@ -36,6 +36,7 @@ struct uid_gid_map { /* 64 bytes -- 1 cache line */
> #define USERNS_INIT_FLAGS USERNS_SETGROUPS_ALLOWED
>
> struct ucounts;
> +struct ima_namespace;
>
> enum ucount_type {
> UCOUNT_USER_NAMESPACES,
> @@ -99,6 +100,9 @@ struct user_namespace {
> #endif
> struct ucounts *ucounts;
> long ucount_max[UCOUNT_COUNTS];
> +#ifdef CONFIG_IMA
> + struct ima_namespace *ima_ns;
> +#endif
> } __randomize_layout;
>
> struct ucounts {
> diff --git a/init/Kconfig b/init/Kconfig
> index 11f8a845f259..27890607e8cb 100644
> --- a/init/Kconfig
> +++ b/init/Kconfig
> @@ -1242,6 +1242,16 @@ config NET_NS
> Allow user space to create what appear to be multiple instances
> of the network stack.
>
> +config IMA_NS
> + bool "IMA namespace"
> + depends on USER_NS
> + depends on IMA
> + default y
> + help
> + Allow the creation of IMA namespaces for each user namespace.
> + Namespaced IMA enables having IMA features work separately
> + in each IMA namespace.
> +
> endif # NAMESPACES
>
> config CHECKPOINT_RESTORE
> diff --git a/kernel/user.c b/kernel/user.c
> index e2cf8c22b539..287751d89b44 100644
> --- a/kernel/user.c
> +++ b/kernel/user.c
> @@ -20,6 +20,10 @@
> #include <linux/user_namespace.h>
> #include <linux/proc_ns.h>
>
> +#ifdef CONFIG_IMA
> +extern struct ima_namespace init_ima_ns;
> +#endif
> +
> /*
> * userns count is 1 for root user, 1 for init_uts_ns,
> * and 1 for... ?
> @@ -67,6 +71,9 @@ struct user_namespace init_user_ns = {
> .keyring_name_list = LIST_HEAD_INIT(init_user_ns.keyring_name_list),
> .keyring_sem = __RWSEM_INITIALIZER(init_user_ns.keyring_sem),
> #endif
> +#ifdef CONFIG_IMA
> + .ima_ns = &init_ima_ns,
> +#endif
> };
> EXPORT_SYMBOL_GPL(init_user_ns);
>
> diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
> index 6b2e3ca7ee99..6fa01323aac9 100644
> --- a/kernel/user_namespace.c
> +++ b/kernel/user_namespace.c
> @@ -20,6 +20,7 @@
> #include <linux/fs_struct.h>
> #include <linux/bsearch.h>
> #include <linux/sort.h>
> +#include <linux/ima.h>
>
> static struct kmem_cache *user_ns_cachep __read_mostly;
> static DEFINE_MUTEX(userns_state_mutex);
> @@ -141,8 +142,14 @@ int create_user_ns(struct cred *new)
> if (!setup_userns_sysctls(ns))
> goto fail_keyring;
>
> + ret = create_ima_ns(ns);
Instead of greedily allocating a new ima namespace for each new user
namespace creation and wasting memory that is likely wasted since most
containers won't use ima (for a long time at least) have you considered
lazily allocating it like I suggested in one of my first reviews?
So under the assumption that the only way for a container to get its own
ima policy it needs to have mounted a new securityfs instance you can
move the ima namespace allocation into fill_super/ima_fs_ns_init():
>From 46fd4f19e1360bee167fccb11e793a3a3331ccc2 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner@xxxxxxxxxx>
Date: Thu, 16 Dec 2021 14:57:30 +0100
Subject: [PATCH] !!!! HERE BE DRAGONS - COMPLETELY UNTESTED !!!!
Lazily initialize ima_ns. This avoids pointlessly wasting memory that is never
needed or used which I think will be the case for most containers.
---
include/linux/ima.h | 2 +-
kernel/user_namespace.c | 6 ------
security/integrity/ima/ima_fs.c | 20 ++++++++++++++++++--
security/integrity/ima/ima_main.c | 5 ++++-
security/integrity/ima/ima_ns.c | 7 ++++++-
5 files changed, 29 insertions(+), 11 deletions(-)
diff --git a/include/linux/ima.h b/include/linux/ima.h
index a2705aa5242a..cb1b94df11a1 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -230,7 +230,7 @@ int create_ima_ns(struct user_namespace *user_ns);
static inline struct ima_namespace *get_current_ns(void)
{
- return current_user_ns()->ima_ns;
+ return smp_load_acquire(¤t_user_ns()->ima_ns);
}
static inline int ima_securityfs_init(struct user_namespace *user_ns,
diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
index 6fa01323aac9..653f8fa83b69 100644
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -142,14 +142,8 @@ int create_user_ns(struct cred *new)
if (!setup_userns_sysctls(ns))
goto fail_keyring;
- ret = create_ima_ns(ns);
- if (ret)
- goto fail_sysctls;
-
set_cred_user_ns(new, ns);
return 0;
-fail_sysctls:
- retire_userns_sysctls(ns);
fail_keyring:
#ifdef CONFIG_PERSISTENT_KEYRINGS
key_put(ns->persistent_keyring_register);
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index 3b8001ba62e3..971620a22dab 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -378,7 +378,7 @@ static const struct seq_operations ima_policy_seqops = {
static int ima_open_policy(struct inode *inode, struct file *filp)
{
struct user_namespace *user_ns = ima_user_ns_from_file(filp);
- struct ima_namespace *ns = user_ns->ima_ns;
+ struct ima_namespace *ns = user_ns->ima_ns; /* no need to use acquire semantics it's guaranteed to be initialized */
if (!(filp->f_flags & O_WRONLY)) {
#ifndef CONFIG_IMA_READ_POLICY
@@ -450,7 +450,8 @@ static const struct file_operations ima_measure_policy_ops = {
int ima_fs_ns_init(struct user_namespace *user_ns, struct dentry *root)
{
- struct ima_namespace *ns = user_ns->ima_ns;
+ int ret;
+ struct ima_namespace *ns = user_ns->ima_ns; /* no need to use acquire semantics it's guaranteed to be initialized */
struct dentry *int_dir;
struct dentry *ima_dir = NULL;
struct dentry *ima_symlink = NULL;
@@ -459,6 +460,21 @@ int ima_fs_ns_init(struct user_namespace *user_ns, struct dentry *root)
struct dentry *runtime_measurements_count = NULL;
struct dentry *violations = NULL;
+ /*
+ * While multiple superblocks can exist they are keyed by userns in
+ * s_fs_info for securityfs. The first time a userns mounts a
+ * securityfs instance we lazily allocate the ima_namespace for the
+ * userns since that's the only way a userns can meaningfully use ima.
+ * The vfs ensure we're the only one to call fill_super() and hence
+ * ima_fs_ns_init() so we don't need any memory barriers here, i.e.
+ * user_ns->ima_ns can't change while we're in here.
+ */
+ if (!ns) {
+ ret = create_ima_ns(user_ns);
+ if (ret)
+ return ret;
+ }
+
/* FIXME: update when evm and integrity are namespaced */
if (user_ns != &init_user_ns) {
int_dir =
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 4c85a8df3c86..a0e71416561d 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -414,7 +414,10 @@ static int process_measurement(struct ima_namespace *ns,
int ret = 0;
while (user_ns) {
- ns = user_ns->ima_ns;
+ /* the container has not loaded a separate policy (yet) */
+ ns = smp_load_acquire(&user_ns->ima_ns);
+ if (!ns)
+ continue;
ret = __process_measurement(ns, file, cred, secid, buf, size,
mask, func);
diff --git a/security/integrity/ima/ima_ns.c b/security/integrity/ima/ima_ns.c
index d192a80c927f..5c7177b07344 100644
--- a/security/integrity/ima/ima_ns.c
+++ b/security/integrity/ima/ima_ns.c
@@ -31,7 +31,8 @@ int create_ima_ns(struct user_namespace *user_ns)
if (err)
goto fail_free;
- user_ns->ima_ns = ns;
+ /* Pairs with smp_load_acquire() in get_current_ns() and process_measurement(). */
+ smp_store_release(&user_ns->ima_ns, ns);
return 0;
@@ -52,6 +53,10 @@ static void destroy_ima_ns(struct ima_namespace *ns)
void free_ima_ns(struct user_namespace *user_ns)
{
+ /* No need to use acquire semantics as the userns can't be reached
+ * anymore from userspace so either ima_ns has been initialized or it
+ * never has.
+ */
struct ima_namespace *ns = user_ns->ima_ns;
if (WARN_ON(ns == &init_ima_ns))
--
2.30.2
