On Fri, May 20, 2022 at 09:46:33PM -0500, Serge E. Hallyn wrote:
> On Wed, Apr 20, 2022 at 10:06:11AM -0400, Stefan Berger wrote:
> > The architecture-specific policy rules, currently defined for EFI and
> > powerpc, require the kexec kernel image and kernel modules to be
> > validly signed and measured, based on the system's secure boot and/or
> > trusted boot mode and the IMA_ARCH_POLICY Kconfig option being enabled.
> >
> > To avoid special-casing init_ima_ns as much as possible, move the
> > arch_policy_entry into the ima_namespace.
> >
> > When freeing the arch_policy_entry set the pointer to NULL.
> >
> > Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>
> > Acked-by: Christian Brauner <brauner@xxxxxxxxxx>
> > Reviewed-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
> > ---
> > security/integrity/ima/ima.h | 3 +++
> > security/integrity/ima/ima_init_ima_ns.c | 1 +
> > security/integrity/ima/ima_policy.c | 23 +++++++++++------------
> > 3 files changed, 15 insertions(+), 12 deletions(-)
> >
> > diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> > index 9bcde1a24e74..2305bf223a98 100644
> > --- a/security/integrity/ima/ima.h
> > +++ b/security/integrity/ima/ima.h
> > @@ -125,6 +125,9 @@ struct ima_namespace {
> >
> > struct list_head __rcu *ima_rules; /* Pointer to the current policy */
> > int ima_policy_flag;
> > +
> > + /* An array of architecture specific rules */
> > + struct ima_rule_entry *arch_policy_entry;
> > } __randomize_layout;
> > extern struct ima_namespace init_ima_ns;
> >
> > diff --git a/security/integrity/ima/ima_init_ima_ns.c b/security/integrity/ima/ima_init_ima_ns.c
> > index c919a456b525..ae33621c3955 100644
> > --- a/security/integrity/ima/ima_init_ima_ns.c
> > +++ b/security/integrity/ima/ima_init_ima_ns.c
> > @@ -15,6 +15,7 @@ static int ima_init_namespace(struct ima_namespace *ns)
> > INIT_LIST_HEAD(&ns->ima_temp_rules);
> > ns->ima_rules = (struct list_head __rcu *)(&ns->ima_default_rules);
> > ns->ima_policy_flag = 0;
> > + ns->arch_policy_entry = NULL;
> >
> > return 0;
> > }
> > diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> > index 69b19f4d5fee..0a7c61ca3265 100644
> > --- a/security/integrity/ima/ima_policy.c
> > +++ b/security/integrity/ima/ima_policy.c
> > @@ -228,9 +228,6 @@ static struct ima_rule_entry critical_data_rules[] __ro_after_init = {
> > {.action = MEASURE, .func = CRITICAL_DATA, .flags = IMA_FUNC},
> > };
> >
> > -/* An array of architecture specific rules */
> > -static struct ima_rule_entry *arch_policy_entry __ro_after_init;
> > -
> > static int ima_policy __initdata;
> >
> > static int __init default_measure_policy_setup(char *str)
> > @@ -859,9 +856,10 @@ static int __init ima_init_arch_policy(struct ima_namespace *ns)
> > for (rules = arch_rules; *rules != NULL; rules++)
> > arch_entries++;
> >
> > - arch_policy_entry = kcalloc(arch_entries + 1,
> > - sizeof(*arch_policy_entry), GFP_KERNEL);
> > - if (!arch_policy_entry)
> > + ns->arch_policy_entry = kcalloc(arch_entries + 1,
> > + sizeof(*ns->arch_policy_entry),
> > + GFP_KERNEL);
> > + if (!ns->arch_policy_entry)
> > return 0;
> >
> > /* Convert each policy string rules to struct ima_rule_entry format */
> > @@ -871,13 +869,13 @@ static int __init ima_init_arch_policy(struct ima_namespace *ns)
> >
> > result = strscpy(rule, *rules, sizeof(rule));
> >
> > - INIT_LIST_HEAD(&arch_policy_entry[i].list);
> > - result = ima_parse_rule(ns, rule, &arch_policy_entry[i]);
> > + INIT_LIST_HEAD(&ns->arch_policy_entry[i].list);
> > + result = ima_parse_rule(ns, rule, &ns->arch_policy_entry[i]);
> > if (result) {
> > pr_warn("Skipping unknown architecture policy rule: %s\n",
> > rule);
> > - memset(&arch_policy_entry[i], 0,
> > - sizeof(*arch_policy_entry));
> > + memset(&ns->arch_policy_entry[i], 0,
> > + sizeof(ns->arch_policy_entry[i]));
> > continue;
> > }
> > i++;
> > @@ -925,7 +923,7 @@ void __init ima_init_policy(struct ima_namespace *ns)
> > if (!arch_entries)
> > pr_info("No architecture policies found\n");
> > else
> > - add_rules(ns, arch_policy_entry, arch_entries,
> > + add_rules(ns, ns->arch_policy_entry, arch_entries,
> > IMA_DEFAULT_POLICY | IMA_CUSTOM_POLICY);
> >
> > /*
> > @@ -1005,7 +1003,8 @@ void ima_update_policy(struct ima_namespace *ns)
> > * on boot. After loading a custom policy, free the
> > * architecture specific rules stored as an array.
> > */
> > - kfree(arch_policy_entry);
> > + kfree(ns->arch_policy_entry);
> > + ns->arch_policy_entry = NULL;
>
> So the thing that prevents multiple racing occurances of the above two lines is
> that ima_open_policy() sets IMA_FS_BUSY (or returns EBUSY) and then removes
> this file before clearing the flag, right?
(To correct the above: ima_update_policy completes before the flag is
cleared. The file is not removed in all cases but that's ok.)
> Seems good.
>
> Reviewed-by: Serge Hallyn <serge@xxxxxxxxxx>
>
>
> > }
> > ima_update_policy_flags(ns);
> >
> > --
> > 2.34.1
