Re: [PATCH 1/2] ima: Pre-parse the list of keyrings in a KEY_CHECK rule

From: Lakshmi Ramasubramanian
Date: Tue Jul 28 2020 - 10:25:12 EST

Next message: Kaaira Gupta: "Re: [PATCH v2 0/3] media: vimc: Allow multiple capture devices to use the same sensor"
Previous message: Arvind Sankar: "Re: [PATCH v2 0/8] x86/kaslr: Cleanup and small bugfixes"
In reply to: Tyler Hicks: "[PATCH 1/2] ima: Pre-parse the list of keyrings in a KEY_CHECK rule"
Next in thread: Tyler Hicks: "[PATCH 2/2] ima: Fail rule parsing when asymmetric key measurement isn't supportable"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 7/27/20 7:08 AM, Tyler Hicks wrote:

The ima_keyrings buffer was used as a work buffer for strsep()-based
parsing of the "keyrings=" option of an IMA policy rule. This parsing
was re-performed each time an asymmetric key was added to a kernel
keyring for each loaded policy rule that contained a "keyrings=" option.

An example rule specifying this option is:

measure func=KEY_CHECK keyrings=a|b|c

The rule says to measure asymmetric keys added to any of the kernel
keyrings named "a", "b", or "c". The size of the buffer size was
equal to the size of the largest "keyrings=" value seen in a previously
loaded rule (5 + 1 for the NUL-terminator in the previous example) and
the buffer was pre-allocated at the time of policy load.

The pre-allocated buffer approach suffered from a couple bugs:

1) There was no locking around the use of the buffer so concurrent key
add operations, to two different keyrings, would result in the
strsep() loop of ima_match_keyring() to modify the buffer at the same
time. This resulted in unexpected results from ima_match_keyring()
and, therefore, could cause unintended keys to be measured or keys to
not be measured when IMA policy intended for them to be measured.

2) If the kstrdup() that initialized entry->keyrings in ima_parse_rule()
failed, the ima_keyrings buffer was freed and set to NULL even when a
valid KEY_CHECK rule was previously loaded. The next KEY_CHECK event
would trigger a call to strcpy() with a NULL destination pointer and
crash the kernel.

Remove the need for a pre-allocated global buffer by parsing the list of
keyrings in a KEY_CHECK rule at the time of policy load. The
ima_rule_entry will contain an array of string pointers which point to
the name of each keyring specified in the rule. No string processing
needs to happen at the time of asymmetric key add so iterating through
the list and doing a string comparison is all that's required at the
time of policy check.

In the process of changing how the "keyrings=" policy option is handled,
a couple additional bugs were fixed:

1) The rule parser accepted rules containing invalid "keyrings=" values
such as "a|b||c", "a|b|", or simply "|".

2) The /sys/kernel/security/ima/policy file did not display the entire
"keyrings=" value if the list of keyrings was longer than what could
fit in the fixed size tbuf buffer in ima_policy_show().

Fixes: 5c7bac9fb2c5 ("IMA: pre-allocate buffer to hold keyrings string")
Fixes: 2b60c0ecedf8 ("IMA: Read keyrings= option from the IMA policy")
Signed-off-by: Tyler Hicks <tyhicks@xxxxxxxxxxxxxxxxxxx>
---
security/integrity/ima/ima_policy.c | 138 +++++++++++++++++++---------
1 file changed, 93 insertions(+), 45 deletions(-)

Reviewed-by: Lakshmi Ramasubramanian <nramas@xxxxxxxxxxxxxxxxxxx>

Next message: Kaaira Gupta: "Re: [PATCH v2 0/3] media: vimc: Allow multiple capture devices to use the same sensor"
Previous message: Arvind Sankar: "Re: [PATCH v2 0/8] x86/kaslr: Cleanup and small bugfixes"
In reply to: Tyler Hicks: "[PATCH 1/2] ima: Pre-parse the list of keyrings in a KEY_CHECK rule"
Next in thread: Tyler Hicks: "[PATCH 2/2] ima: Fail rule parsing when asymmetric key measurement isn't supportable"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]