From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Andy Lutomirski <luto@amacapital.net>
Cc: James Bottomley <James.Bottomley@hansenpartnership.com>,
Mark Brown <broonie@sirena.org.uk>,
"ksummit-discuss@lists.linuxfoundation.org"
<ksummit-discuss@lists.linuxfoundation.org>,
Jason Cooper <jason@lakedaemon.net>
Subject: Re: [Ksummit-discuss] Last minute nominations: mcgrof and toshi
Date: Sun, 31 Jul 2016 13:28:58 -0400 [thread overview]
Message-ID: <1469986138.23563.312.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <CALCETrVQj23-0Bhsx91Z3O7BJdjDVXgPQSQUqXHoc+pd5+tfYA@mail.gmail.com>
On So, 2016-07-31 at 09:19 -0700, Andy Lutomirski wrote:
> On Sun, Jul 31, 2016 at 8:31 AM, Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> > On Sa, 2016-07-30 at 20:09 -0700, Andy Lutomirski wrote:
> >> On Jul 30, 2016 8:08 PM, "Mimi Zohar" <zohar@linux.vnet.ibm.com> wrote:
> >> >
> >> > On Sa, 2016-07-30 at 18:36 +0200, Luis R. Rodriguez wrote:
> >> > > On Fri, Jul 29, 2016 at 03:25:09PM -0700, Andy Lutomirski wrote:
> >> > > > On Fri, Jul 29, 2016 at 3:10 PM, Mimi Zohar <zohar@linux.vnet.ibm.com>
> >> wrote:
> >> > > > > On Do, 2016-07-28 at 16:57 +0000, Jason Cooper wrote:
> >> > > > >> Hi Andy,
> >> > > > >>
> >> > > > >> On Wed, Jul 27, 2016 at 01:09:37PM -0700, Andy Lutomirski wrote:
> >> > > > >> ...
> >> > > > >> > I would like someone to explain why using the keyring mechanism
> >> for
> >> > > > >> > this in the first place is a good idea.
> >> > > > >> >
> >> > > > >> > As far as I can tell, the design goals of "keys trusted by the
> >> kernel
> >> > > > >> > for modules, firmware, etc" are:
> >> > > > >> >
> >> > > > >> > - Keys are added at build time or, according to potentially
> >> > > > >> > system-specific rules, at boot time.
> >> > > > >> >
> >> > > > >> > - Keys should specify what they're trusted *for*.
> >> > > > >>
> >> > > > >> Well, I'd argue that keys should specify what they are *intended*
> >> for by
> >> > > > >> the keyholder. A useful security system could further restrict
> >> the key
> >> > > > >> as needed.
> >> > > > >
> >> > > > > We've already started. Currently the kernel_read_file() and family
> >> of
> >> > > > > functions provide the LSM hooks needed for verifying file
> >> signatures of
> >> > > > > files read by the kernel. The kernel_read_file_id enumeration is
> >> used
> >> > > > > to differentiate between callers. Based on this enumeration, the
> >> > > > > *intended* for could be defined. It would make sense to extend the
> >> IMA
> >> > > > > policy language to support *intended* for.
> >> > > > >
> >> > > >
> >> > > > Having kernel_read_file know the purpose is a big step in the right
> >> > > > direction, although, as I think I and others have pointed out, just an
> >> > > > enum is insufficient -- for firmware, at least, the *name* is
> >> > > > relevant.
> >> >
> >> > > The name is passed for firmware, the wrapper
> >> kernel_read_file_from_path()
> >> > > is used. So if we wanted an LSM extension on name I think we can do that
> >> > > on kernel_read_file_from_path() ?
> >> >
> >> > It shouldn't make a difference whether kernel_read_file() is called
> >> > directly, or the kernel_read_file_by_path/fd() are called. The pathname
> >> > is accessible from the "file" argument.
> >> >
> >>l
> >> What happens if a symlink is involved?
> >
> > For callers of kernel_read_file_by_path(), like firmware, we could pass
> > the pathname, but for the other callers of kernel_read_file/_by_fd() we
> > could use d_absolute_path().
>
> That seems pointlessly fragile to me, and this issue has been known
> for longer than the code in question has even existed. How about:
>
> struct kernel_trusted_file_description {
> enum kernel_read_file_id type;
> const char *specific_purpose; /* may be NULL for KEXEC_IMAGE, etc. */
> };
>
> int kernel_read_file(struct file *, void **, loff_t *, const struct
> trusted_file_description *);
>
> rather than trying to guess.
>
> Also, are there any plans to move module signature verification into
> .kernel_post_read_file?
The whole point of defining the kernel_read_file() family of functions
was to close a class of measurement/appraisal gaps. To answer your
question, yes IMA measures and/or appraises files on the security post
kernel read hook, based on policy.
Andy, other than IMA-appraisal being xattr based, I'm not sure why
you're so against it. if you're going to be at LinuxCon/LSS, perhaps
we could speak in person there.
Mimi
next prev parent reply other threads:[~2016-07-31 17:29 UTC|newest]
Thread overview: 101+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-08-04 15:26 Luis R. Rodriguez
2015-08-04 22:20 ` Toshi Kani
2016-07-15 19:50 ` Mimi Zohar
2016-07-15 19:57 ` Mimi Zohar
2016-07-16 0:52 ` Mark Brown
2016-07-26 14:42 ` David Woodhouse
2016-07-27 14:04 ` [Ksummit-discuss] [TECH TOPIC] Signature management - keys, modules, firmware, was: " Jason Cooper
2016-07-27 14:58 ` Mark Rutland
2016-07-27 18:17 ` Stephen Hemminger
2016-07-27 18:36 ` Andy Lutomirski
2016-07-29 12:29 ` Ben Hutchings
2016-08-05 17:16 ` Mimi Zohar
2016-08-05 18:24 ` Ben Hutchings
2016-08-02 12:54 ` Linus Walleij
2016-08-02 14:00 ` Jason Cooper
2016-08-02 14:09 ` David Woodhouse
[not found] ` <CALCETrUjn7TeGbS4TQ+OFih-nby2Rh54i5177MOwqjTYDBMO=A@mail.gmail.com>
[not found] ` <CALCETrU6aQ5PR_+M7QHkTWos6i6vVS2nvEQDwr5ktBkWu-5MKw@mail.gmail.com>
[not found] ` <CALCETrW8uRK4cuQ+B6NPcO0pY-=-HRDf4LZk4xv2QdPzNEvMCg@mail.gmail.com>
[not found] ` <CALCETrW_mQLmR6g_Ar8Nnpr7CRFZhth=Hj9C901Gj7_WSp=yEQ@mail.gmail.com>
2016-08-02 14:53 ` Andy Lutomirski
2016-08-02 14:13 ` James Bottomley
2016-08-03 9:47 ` Linus Walleij
2016-08-03 10:00 ` Jiri Kosina
2016-08-03 10:28 ` Jani Nikula
2016-08-03 10:41 ` Linus Walleij
2016-08-03 11:18 ` Jani Nikula
2016-08-03 15:19 ` Jason Cooper
2016-08-12 12:38 ` Vinod Koul
2016-08-12 12:39 ` David Woodhouse
2016-08-12 12:54 ` Andy Lutomirski
2016-08-12 13:00 ` David Woodhouse
2016-08-12 13:12 ` Vinod Koul
2016-07-27 14:08 ` David Howells
2016-07-27 14:10 ` Ard Biesheuvel
2016-07-27 14:23 ` Mark Brown
2016-07-27 15:06 ` [Ksummit-discuss] " James Bottomley
2016-08-01 10:22 ` Johannes Berg
2016-07-27 15:37 ` David Howells
2016-07-27 16:14 ` James Bottomley
2016-07-27 17:57 ` Andy Lutomirski
2016-07-27 19:00 ` James Bottomley
2016-07-27 19:20 ` Andy Lutomirski
2016-07-27 19:50 ` James Bottomley
2016-07-27 16:07 ` David Howells
2016-07-27 16:25 ` James Bottomley
2016-07-27 16:10 ` David Howells
2016-07-27 16:14 ` David Howells
2016-07-27 16:28 ` James Bottomley
2016-07-27 16:36 ` James Bottomley
2016-07-27 17:20 ` Luis R. Rodriguez
2016-07-27 17:51 ` James Bottomley
2016-07-27 18:57 ` Luis R. Rodriguez
2016-07-27 19:37 ` Mimi Zohar
2016-07-27 20:09 ` Andy Lutomirski
2016-07-27 22:54 ` Mimi Zohar
2016-07-27 23:15 ` Andy Lutomirski
2016-07-28 3:17 ` Mimi Zohar
2016-07-28 3:29 ` Andy Lutomirski
2016-07-28 16:57 ` Jason Cooper
2016-07-29 22:10 ` Mimi Zohar
2016-07-29 22:25 ` Andy Lutomirski
2016-07-30 16:36 ` Luis R. Rodriguez
2016-07-31 3:08 ` Mimi Zohar
2016-07-31 3:09 ` Andy Lutomirski
2016-07-31 15:31 ` Mimi Zohar
2016-07-31 16:19 ` Andy Lutomirski
2016-07-31 17:28 ` Mimi Zohar [this message]
2016-07-31 18:20 ` Andy Lutomirski
2016-08-01 1:52 ` Mimi Zohar
2016-08-01 17:29 ` Luis R. Rodriguez
2016-08-01 17:59 ` Andy Lutomirski
2016-08-01 20:23 ` Luis R. Rodriguez
2016-08-01 20:37 ` Andy Lutomirski
2016-08-01 20:57 ` Luis R. Rodriguez
2016-08-01 21:14 ` Andy Lutomirski
2016-08-01 22:56 ` Jason Cooper
2016-08-01 23:12 ` Andy Lutomirski
2016-08-02 0:33 ` James Bottomley
[not found] ` <CALCETrXHfUULy-EB13Kbkjwco-2UVgsuRsG+OicZT6_uOkzeqA@mail.gmail.com>
[not found] ` <CALCETrWqpQV1AyxVx5eTkJiOe3t7ZFpSAuN2RG3JNHD-gqm0uA@mail.gmail.com>
2016-08-02 0:48 ` Andy Lutomirski
2016-08-02 1:13 ` James Bottomley
2016-08-02 1:23 ` Andy Lutomirski
2016-08-02 18:12 ` James Bottomley
2016-08-01 22:21 ` Mimi Zohar
2016-08-01 22:36 ` Andy Lutomirski
2016-08-01 23:02 ` Mimi Zohar
2016-08-01 23:04 ` Jason Cooper
2016-08-01 23:13 ` Andy Lutomirski
2016-08-01 23:30 ` Jason Cooper
[not found] ` <CALCETrWDsMdU2-AWQC4wYvotnNd2ydWT15Ckq0nZaNRJZOtZ-g@mail.gmail.com>
[not found] ` <CALCETrW-P8+yGuEgM2BT+aCfZqJ=ekB2Xsz+4xhWtdRpprJHNw@mail.gmail.com>
2016-08-01 23:45 ` Andy Lutomirski
2016-08-02 12:20 ` Jason Cooper
[not found] ` <CALCETrVEY=opRPGKy=P9h8s+TC_K19WnBJ2svXT+=_FnqRF1Mw@mail.gmail.com>
[not found] ` <CALCETrVZtn_SmeN1YX9_+2g+bEAHsfJJ7KQH7-eC_mU3O+0x2w@mail.gmail.com>
2016-08-02 15:07 ` Andy Lutomirski
2016-08-03 16:44 ` Jason Cooper
2016-08-03 17:20 ` Andy Lutomirski
2016-08-03 17:50 ` Jason Cooper
2016-08-01 17:15 ` Luis R. Rodriguez
2016-08-02 18:55 ` Andy Lutomirski
2016-08-02 19:02 ` Ard Biesheuvel
2016-08-02 19:08 ` Andy Lutomirski
2016-08-02 19:14 ` Ard Biesheuvel
2016-08-02 19:17 ` Andy Lutomirski
2016-08-02 19:20 ` Ard Biesheuvel
2016-08-02 20:22 ` Ard Biesheuvel
2016-07-29 12:43 ` Ben Hutchings
2016-07-29 17:57 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1469986138.23563.312.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=James.Bottomley@hansenpartnership.com \
--cc=broonie@sirena.org.uk \
--cc=jason@lakedaemon.net \
--cc=ksummit-discuss@lists.linuxfoundation.org \
--cc=luto@amacapital.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox