linux/security/integrity/ima/ima_queue_keys.c

// SPDX-License-Identifier: GPL-2.0+
/*
 * Copyright (C) 2019 Microsoft Corporation
 *
 * Author: Lakshmi Ramasubramanian (nramas@linux.microsoft.com)
 *
 * File: ima_queue_keys.c
 *       Enables deferred processing of keys
 */

#include <linux/user_namespace.h>
#include <linux/workqueue.h>
#include <keys/asymmetric-type.h>
#include "ima.h"

/*
 * Flag to indicate whether a key can be processed
 * right away or should be queued for processing later.
 */
static bool ima_process_keys;

/*
 * To synchronize access to the list of keys that need to be measured
 */
static DEFINE_MUTEX(ima_keys_lock);
static LIST_HEAD(ima_keys);

/*
 * If custom IMA policy is not loaded then keys queued up
 * for measurement should be freed. This worker is used
 * for handling this scenario.
 */
static long ima_key_queue_timeout = 300000; /* 5 Minutes */
static void ima_keys_handler(struct work_struct *work);
static DECLARE_DELAYED_WORK(ima_keys_delayed_work, ima_keys_handler);
static bool timer_expired;

/*
 * This worker function frees keys that may still be
 * queued up in case custom IMA policy was not loaded.
 */
static void ima_keys_handler(struct work_struct *work)
{
	timer_expired = true;
	ima_process_queued_keys();
}

/*
 * This function sets up a worker to free queued keys in case
 * custom IMA policy was never loaded.
 */
void ima_init_key_queue(void)
{
	schedule_delayed_work(&ima_keys_delayed_work,
			      msecs_to_jiffies(ima_key_queue_timeout));
}

static void ima_free_key_entry(struct ima_key_entry *entry)
{
	if (entry) {
		kfree(entry->payload);
		kfree(entry->keyring_name);
		kfree(entry);
	}
}

static struct ima_key_entry *ima_alloc_key_entry(struct key *keyring,
						 const void *payload,
						 size_t payload_len)
{
	int rc = 0;
	const char *audit_cause = "ENOMEM";
	struct ima_key_entry *entry;

	entry = kzalloc(sizeof(*entry), GFP_KERNEL);
	if (entry) {
		entry->payload = kmemdup(payload, payload_len, GFP_KERNEL);
		entry->keyring_name = kstrdup(keyring->description,
					      GFP_KERNEL);
		entry->payload_len = payload_len;
	}

	if ((entry == NULL) || (entry->payload == NULL) ||
	    (entry->keyring_name == NULL)) {
		rc = -ENOMEM;
		goto out;
	}

	INIT_LIST_HEAD(&entry->list);

out:
	if (rc) {
		integrity_audit_message(AUDIT_INTEGRITY_PCR, NULL,
					keyring->description,
					func_measure_str(KEY_CHECK),
					audit_cause, rc, 0, rc);
		ima_free_key_entry(entry);
		entry = NULL;
	}

	return entry;
}

bool ima_queue_key(struct key *keyring, const void *payload,
		   size_t payload_len)
{
	bool queued = false;
	struct ima_key_entry *entry;

	entry = ima_alloc_key_entry(keyring, payload, payload_len);
	if (!entry)
		return false;

	mutex_lock(&ima_keys_lock);
	if (!ima_process_keys) {
		list_add_tail(&entry->list, &ima_keys);
		queued = true;
	}
	mutex_unlock(&ima_keys_lock);

	if (!queued)
		ima_free_key_entry(entry);

	return queued;
}

/*
 * ima_process_queued_keys() - process keys queued for measurement
 *
 * This function sets ima_process_keys to true and processes queued keys.
 * From here on keys will be processed right away (not queued).
 */
void ima_process_queued_keys(void)
{
	struct ima_key_entry *entry, *tmp;
	bool process = false;

	if (ima_process_keys)
		return;

	/*
	 * Since ima_process_keys is set to true, any new key will be
	 * processed immediately and not be queued to ima_keys list.
	 * First one setting the ima_process_keys flag to true will
	 * process the queued keys.
	 */
	mutex_lock(&ima_keys_lock);
	if (!ima_process_keys) {
		ima_process_keys = true;
		process = true;
	}
	mutex_unlock(&ima_keys_lock);

	if (!process)
		return;

	if (!timer_expired)
		cancel_delayed_work_sync(&ima_keys_delayed_work);

	list_for_each_entry_safe(entry, tmp, &ima_keys, list) {
		if (!timer_expired)
			process_buffer_measurement(&init_user_ns, NULL,
						   entry->payload,
						   entry->payload_len,
						   entry->keyring_name,
						   KEY_CHECK, 0,
						   entry->keyring_name,
						   false);
		list_del(&entry->list);
		ima_free_key_entry(entry);
	}
}

inline bool ima_should_queue_key(void)
{
	return !ima_process_keys;
}
IMA: Define workqueue for early boot key measurements Measuring keys requires a custom IMA policy to be loaded. Keys created or updated before a custom IMA policy is loaded should be queued and will be processed after a custom policy is loaded. This patch defines a workqueue for queuing keys when a custom IMA policy has not yet been loaded. An intermediate Kconfig boolean option namely IMA_QUEUE_EARLY_BOOT_KEYS is used to declare the workqueue functions. A flag namely ima_process_keys is used to check if the key should be queued or should be processed immediately. Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2020-01-22 17:32:04 -08:00			`// SPDX-License-Identifier: GPL-2.0+`
			`/*`
			`* Copyright (C) 2019 Microsoft Corporation`
			`*`
			`* Author: Lakshmi Ramasubramanian (nramas@linux.microsoft.com)`
			`*`
			`* File: ima_queue_keys.c`
			`* Enables deferred processing of keys`
			`*/`

ima: handle idmapped mounts IMA does sometimes access the inode's i_uid and compares it against the rules' fowner. Enable IMA to handle idmapped mounts by passing down the mount's user namespace. We simply make use of the helpers we introduced before. If the initial user namespace is passed nothing changes so non-idmapped mounts will see identical behavior as before. Link: https://lore.kernel.org/r/20210121131959.646623-27-christian.brauner@ubuntu.com Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com> 2021-01-21 14:19:45 +01:00			`#include <linux/user_namespace.h>`
IMA: Defined delayed workqueue to free the queued keys Keys queued for measurement should be freed if a custom IMA policy was not loaded. Otherwise, the keys will remain queued forever consuming kernel memory. This patch defines a delayed workqueue to handle the above scenario. The workqueue handler is setup to execute 5 minutes after IMA initialization is completed. If a custom IMA policy is loaded before the workqueue handler is scheduled to execute, the workqueue task is cancelled and any queued keys are processed for measurement. But if a custom policy was not loaded then the queued keys are just freed when the delayed workqueue handler is run. Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> Reported-by: kernel test robot <rong.a.chen@intel.com> # sleeping function called from invalid context Reported-by: kbuild test robot <lkp@intel.com> # redefinition of ima_init_key_queue() function. Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2020-01-22 17:32:06 -08:00			`#include <linux/workqueue.h>`
IMA: Define workqueue for early boot key measurements Measuring keys requires a custom IMA policy to be loaded. Keys created or updated before a custom IMA policy is loaded should be queued and will be processed after a custom policy is loaded. This patch defines a workqueue for queuing keys when a custom IMA policy has not yet been loaded. An intermediate Kconfig boolean option namely IMA_QUEUE_EARLY_BOOT_KEYS is used to declare the workqueue functions. A flag namely ima_process_keys is used to check if the key should be queued or should be processed immediately. Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2020-01-22 17:32:04 -08:00			`#include <keys/asymmetric-type.h>`
			`#include "ima.h"`

			`/*`
			`* Flag to indicate whether a key can be processed`
			`* right away or should be queued for processing later.`
			`*/`
			`static bool ima_process_keys;`

			`/*`
			`* To synchronize access to the list of keys that need to be measured`
			`*/`
			`static DEFINE_MUTEX(ima_keys_lock);`
			`static LIST_HEAD(ima_keys);`

IMA: Defined delayed workqueue to free the queued keys Keys queued for measurement should be freed if a custom IMA policy was not loaded. Otherwise, the keys will remain queued forever consuming kernel memory. This patch defines a delayed workqueue to handle the above scenario. The workqueue handler is setup to execute 5 minutes after IMA initialization is completed. If a custom IMA policy is loaded before the workqueue handler is scheduled to execute, the workqueue task is cancelled and any queued keys are processed for measurement. But if a custom policy was not loaded then the queued keys are just freed when the delayed workqueue handler is run. Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> Reported-by: kernel test robot <rong.a.chen@intel.com> # sleeping function called from invalid context Reported-by: kbuild test robot <lkp@intel.com> # redefinition of ima_init_key_queue() function. Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2020-01-22 17:32:06 -08:00			`/*`
			`* If custom IMA policy is not loaded then keys queued up`
			`* for measurement should be freed. This worker is used`
			`* for handling this scenario.`
			`*/`
			`static long ima_key_queue_timeout = 300000; /* 5 Minutes */`
			`static void ima_keys_handler(struct work_struct *work);`
			`static DECLARE_DELAYED_WORK(ima_keys_delayed_work, ima_keys_handler);`
			`static bool timer_expired;`

			`/*`
			`* This worker function frees keys that may still be`
			`* queued up in case custom IMA policy was not loaded.`
			`*/`
			`static void ima_keys_handler(struct work_struct *work)`
			`{`
			`timer_expired = true;`
			`ima_process_queued_keys();`
			`}`

			`/*`
			`* This function sets up a worker to free queued keys in case`
			`* custom IMA policy was never loaded.`
			`*/`
			`void ima_init_key_queue(void)`
			`{`
			`schedule_delayed_work(&ima_keys_delayed_work,`
			`msecs_to_jiffies(ima_key_queue_timeout));`
			`}`

IMA: Define workqueue for early boot key measurements Measuring keys requires a custom IMA policy to be loaded. Keys created or updated before a custom IMA policy is loaded should be queued and will be processed after a custom policy is loaded. This patch defines a workqueue for queuing keys when a custom IMA policy has not yet been loaded. An intermediate Kconfig boolean option namely IMA_QUEUE_EARLY_BOOT_KEYS is used to declare the workqueue functions. A flag namely ima_process_keys is used to check if the key should be queued or should be processed immediately. Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2020-01-22 17:32:04 -08:00			`static void ima_free_key_entry(struct ima_key_entry *entry)`
			`{`
			`if (entry) {`
			`kfree(entry->payload);`
			`kfree(entry->keyring_name);`
			`kfree(entry);`
			`}`
			`}`

			`static struct ima_key_entry ima_alloc_key_entry(struct key keyring,`
			`const void *payload,`
			`size_t payload_len)`
			`{`
			`int rc = 0;`
IMA: Add audit log for failure conditions process_buffer_measurement() and ima_alloc_key_entry() functions need to log an audit message for auditing integrity measurement failures. Add audit message in these two functions. Remove "pr_devel" log message in process_buffer_measurement(). Sample audit messages: [ 6.303048] audit: type=1804 audit(1592506281.627:2): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel op=measuring_key cause=ENOMEM comm="swapper/0" name=".builtin_trusted_keys" res=0 errno=-12 [ 8.019432] audit: type=1804 audit(1592506283.344:10): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 op=measuring_kexec_cmdline cause=hashing_error comm="systemd" name="kexec-cmdline" res=0 errno=-22 Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> Suggested-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2020-06-18 14:10:12 -07:00			`const char *audit_cause = "ENOMEM";`
IMA: Define workqueue for early boot key measurements Measuring keys requires a custom IMA policy to be loaded. Keys created or updated before a custom IMA policy is loaded should be queued and will be processed after a custom policy is loaded. This patch defines a workqueue for queuing keys when a custom IMA policy has not yet been loaded. An intermediate Kconfig boolean option namely IMA_QUEUE_EARLY_BOOT_KEYS is used to declare the workqueue functions. A flag namely ima_process_keys is used to check if the key should be queued or should be processed immediately. Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2020-01-22 17:32:04 -08:00			`struct ima_key_entry *entry;`

			`entry = kzalloc(sizeof(*entry), GFP_KERNEL);`
			`if (entry) {`
			`entry->payload = kmemdup(payload, payload_len, GFP_KERNEL);`
			`entry->keyring_name = kstrdup(keyring->description,`
			`GFP_KERNEL);`
			`entry->payload_len = payload_len;`
			`}`

			`if ((entry == NULL) \|\| (entry->payload == NULL) \|\|`
			`(entry->keyring_name == NULL)) {`
			`rc = -ENOMEM;`
			`goto out;`
			`}`

			`INIT_LIST_HEAD(&entry->list);`

			`out:`
			`if (rc) {`
IMA: Add audit log for failure conditions process_buffer_measurement() and ima_alloc_key_entry() functions need to log an audit message for auditing integrity measurement failures. Add audit message in these two functions. Remove "pr_devel" log message in process_buffer_measurement(). Sample audit messages: [ 6.303048] audit: type=1804 audit(1592506281.627:2): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel op=measuring_key cause=ENOMEM comm="swapper/0" name=".builtin_trusted_keys" res=0 errno=-12 [ 8.019432] audit: type=1804 audit(1592506283.344:10): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 op=measuring_kexec_cmdline cause=hashing_error comm="systemd" name="kexec-cmdline" res=0 errno=-22 Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> Suggested-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2020-06-18 14:10:12 -07:00			`integrity_audit_message(AUDIT_INTEGRITY_PCR, NULL,`
			`keyring->description,`
			`func_measure_str(KEY_CHECK),`
			`audit_cause, rc, 0, rc);`
IMA: Define workqueue for early boot key measurements Measuring keys requires a custom IMA policy to be loaded. Keys created or updated before a custom IMA policy is loaded should be queued and will be processed after a custom policy is loaded. This patch defines a workqueue for queuing keys when a custom IMA policy has not yet been loaded. An intermediate Kconfig boolean option namely IMA_QUEUE_EARLY_BOOT_KEYS is used to declare the workqueue functions. A flag namely ima_process_keys is used to check if the key should be queued or should be processed immediately. Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2020-01-22 17:32:04 -08:00			`ima_free_key_entry(entry);`
			`entry = NULL;`
			`}`

			`return entry;`
			`}`

			`bool ima_queue_key(struct key keyring, const void payload,`
			`size_t payload_len)`
			`{`
			`bool queued = false;`
			`struct ima_key_entry *entry;`

			`entry = ima_alloc_key_entry(keyring, payload, payload_len);`
			`if (!entry)`
			`return false;`

			`mutex_lock(&ima_keys_lock);`
			`if (!ima_process_keys) {`
			`list_add_tail(&entry->list, &ima_keys);`
			`queued = true;`
			`}`
			`mutex_unlock(&ima_keys_lock);`

			`if (!queued)`
			`ima_free_key_entry(entry);`

			`return queued;`
			`}`

			`/*`
			`* ima_process_queued_keys() - process keys queued for measurement`
			`*`
			`* This function sets ima_process_keys to true and processes queued keys.`
			`* From here on keys will be processed right away (not queued).`
			`*/`
			`void ima_process_queued_keys(void)`
			`{`
			`struct ima_key_entry entry, tmp;`
			`bool process = false;`

			`if (ima_process_keys)`
			`return;`

			`/*`
			`* Since ima_process_keys is set to true, any new key will be`
			`* processed immediately and not be queued to ima_keys list.`
			`* First one setting the ima_process_keys flag to true will`
			`* process the queued keys.`
			`*/`
			`mutex_lock(&ima_keys_lock);`
			`if (!ima_process_keys) {`
			`ima_process_keys = true;`
			`process = true;`
			`}`
			`mutex_unlock(&ima_keys_lock);`

			`if (!process)`
			`return;`

IMA: Defined delayed workqueue to free the queued keys Keys queued for measurement should be freed if a custom IMA policy was not loaded. Otherwise, the keys will remain queued forever consuming kernel memory. This patch defines a delayed workqueue to handle the above scenario. The workqueue handler is setup to execute 5 minutes after IMA initialization is completed. If a custom IMA policy is loaded before the workqueue handler is scheduled to execute, the workqueue task is cancelled and any queued keys are processed for measurement. But if a custom policy was not loaded then the queued keys are just freed when the delayed workqueue handler is run. Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> Reported-by: kernel test robot <rong.a.chen@intel.com> # sleeping function called from invalid context Reported-by: kbuild test robot <lkp@intel.com> # redefinition of ima_init_key_queue() function. Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2020-01-22 17:32:06 -08:00			`if (!timer_expired)`
			`cancel_delayed_work_sync(&ima_keys_delayed_work);`
IMA: Define workqueue for early boot key measurements Measuring keys requires a custom IMA policy to be loaded. Keys created or updated before a custom IMA policy is loaded should be queued and will be processed after a custom policy is loaded. This patch defines a workqueue for queuing keys when a custom IMA policy has not yet been loaded. An intermediate Kconfig boolean option namely IMA_QUEUE_EARLY_BOOT_KEYS is used to declare the workqueue functions. A flag namely ima_process_keys is used to check if the key should be queued or should be processed immediately. Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2020-01-22 17:32:04 -08:00
			`list_for_each_entry_safe(entry, tmp, &ima_keys, list) {`
IMA: Defined delayed workqueue to free the queued keys Keys queued for measurement should be freed if a custom IMA policy was not loaded. Otherwise, the keys will remain queued forever consuming kernel memory. This patch defines a delayed workqueue to handle the above scenario. The workqueue handler is setup to execute 5 minutes after IMA initialization is completed. If a custom IMA policy is loaded before the workqueue handler is scheduled to execute, the workqueue task is cancelled and any queued keys are processed for measurement. But if a custom policy was not loaded then the queued keys are just freed when the delayed workqueue handler is run. Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> Reported-by: kernel test robot <rong.a.chen@intel.com> # sleeping function called from invalid context Reported-by: kbuild test robot <lkp@intel.com> # redefinition of ima_init_key_queue() function. Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2020-01-22 17:32:06 -08:00			`if (!timer_expired)`
ima: handle idmapped mounts IMA does sometimes access the inode's i_uid and compares it against the rules' fowner. Enable IMA to handle idmapped mounts by passing down the mount's user namespace. We simply make use of the helpers we introduced before. If the initial user namespace is passed nothing changes so non-idmapped mounts will see identical behavior as before. Link: https://lore.kernel.org/r/20210121131959.646623-27-christian.brauner@ubuntu.com Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com> 2021-01-21 14:19:45 +01:00			`process_buffer_measurement(&init_user_ns, NULL,`
			`entry->payload,`
IMA: Defined delayed workqueue to free the queued keys Keys queued for measurement should be freed if a custom IMA policy was not loaded. Otherwise, the keys will remain queued forever consuming kernel memory. This patch defines a delayed workqueue to handle the above scenario. The workqueue handler is setup to execute 5 minutes after IMA initialization is completed. If a custom IMA policy is loaded before the workqueue handler is scheduled to execute, the workqueue task is cancelled and any queued keys are processed for measurement. But if a custom policy was not loaded then the queued keys are just freed when the delayed workqueue handler is run. Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> Reported-by: kernel test robot <rong.a.chen@intel.com> # sleeping function called from invalid context Reported-by: kbuild test robot <lkp@intel.com> # redefinition of ima_init_key_queue() function. Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2020-01-22 17:32:06 -08:00			`entry->payload_len,`
			`entry->keyring_name,`
			`KEY_CHECK, 0,`
IMA: add support to measure buffer data hash The original IMA buffer data measurement sizes were small (e.g. boot command line), but the new buffer data measurement use cases have data sizes that are a lot larger. Just as IMA measures the file data hash, not the file data, IMA should similarly support the option for measuring buffer data hash. Introduce a boolean parameter to support measuring buffer data hash, which would be much smaller, instead of the buffer itself. Signed-off-by: Tushar Sugandhi <tusharsu@linux.microsoft.com> Reviewed-by: Tyler Hicks <tyhicks@linux.microsoft.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2021-01-07 20:07:02 -08:00			`entry->keyring_name,`
			`false);`
IMA: Define workqueue for early boot key measurements Measuring keys requires a custom IMA policy to be loaded. Keys created or updated before a custom IMA policy is loaded should be queued and will be processed after a custom policy is loaded. This patch defines a workqueue for queuing keys when a custom IMA policy has not yet been loaded. An intermediate Kconfig boolean option namely IMA_QUEUE_EARLY_BOOT_KEYS is used to declare the workqueue functions. A flag namely ima_process_keys is used to check if the key should be queued or should be processed immediately. Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2020-01-22 17:32:04 -08:00			`list_del(&entry->list);`
			`ima_free_key_entry(entry);`
			`}`
			`}`

			`inline bool ima_should_queue_key(void)`
			`{`
			`return !ima_process_keys;`
			`}`