linux-stable/security/selinux/ima.c
Ondrej Mosnacek ce2fc710c9 selinux: fix misuse of mutex_is_locked()
mutex_is_locked() tests whether the mutex is locked *by any task*, while
here we want to test if it is held *by the current task*. To avoid
false/missed WARNINGs, use lockdep_assert_is_held() and
lockdep_assert_is_not_held() instead, which do the right thing (though
they are a no-op if CONFIG_LOCKDEP=n).

Cc: stable@vger.kernel.org
Fixes: 2554a48f44 ("selinux: measure state and policy capabilities")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2022-02-22 18:02:58 -05:00

125 lines
2.9 KiB
C

// SPDX-License-Identifier: GPL-2.0+
/*
* Copyright (C) 2021 Microsoft Corporation
*
* Author: Lakshmi Ramasubramanian (nramas@linux.microsoft.com)
*
* Measure critical data structures maintainted by SELinux
* using IMA subsystem.
*/
#include <linux/vmalloc.h>
#include <linux/ima.h>
#include "security.h"
#include "ima.h"
/*
* selinux_ima_collect_state - Read selinux configuration settings
*
* @state: selinux_state
*
* On success returns the configuration settings string.
* On error, returns NULL.
*/
static char *selinux_ima_collect_state(struct selinux_state *state)
{
const char *on = "=1;", *off = "=0;";
char *buf;
int buf_len, len, i, rc;
buf_len = strlen("initialized=0;enforcing=0;checkreqprot=0;") + 1;
len = strlen(on);
for (i = 0; i < __POLICYDB_CAPABILITY_MAX; i++)
buf_len += strlen(selinux_policycap_names[i]) + len;
buf = kzalloc(buf_len, GFP_KERNEL);
if (!buf)
return NULL;
rc = strscpy(buf, "initialized", buf_len);
WARN_ON(rc < 0);
rc = strlcat(buf, selinux_initialized(state) ? on : off, buf_len);
WARN_ON(rc >= buf_len);
rc = strlcat(buf, "enforcing", buf_len);
WARN_ON(rc >= buf_len);
rc = strlcat(buf, enforcing_enabled(state) ? on : off, buf_len);
WARN_ON(rc >= buf_len);
rc = strlcat(buf, "checkreqprot", buf_len);
WARN_ON(rc >= buf_len);
rc = strlcat(buf, checkreqprot_get(state) ? on : off, buf_len);
WARN_ON(rc >= buf_len);
for (i = 0; i < __POLICYDB_CAPABILITY_MAX; i++) {
rc = strlcat(buf, selinux_policycap_names[i], buf_len);
WARN_ON(rc >= buf_len);
rc = strlcat(buf, state->policycap[i] ? on : off, buf_len);
WARN_ON(rc >= buf_len);
}
return buf;
}
/*
* selinux_ima_measure_state_locked - Measure SELinux state and hash of policy
*
* @state: selinux state struct
*/
void selinux_ima_measure_state_locked(struct selinux_state *state)
{
char *state_str = NULL;
void *policy = NULL;
size_t policy_len;
int rc = 0;
lockdep_assert_held(&state->policy_mutex);
state_str = selinux_ima_collect_state(state);
if (!state_str) {
pr_err("SELinux: %s: failed to read state.\n", __func__);
return;
}
ima_measure_critical_data("selinux", "selinux-state",
state_str, strlen(state_str), false,
NULL, 0);
kfree(state_str);
/*
* Measure SELinux policy only after initialization is completed.
*/
if (!selinux_initialized(state))
return;
rc = security_read_state_kernel(state, &policy, &policy_len);
if (rc) {
pr_err("SELinux: %s: failed to read policy %d.\n", __func__, rc);
return;
}
ima_measure_critical_data("selinux", "selinux-policy-hash",
policy, policy_len, true,
NULL, 0);
vfree(policy);
}
/*
* selinux_ima_measure_state - Measure SELinux state and hash of policy
*
* @state: selinux state struct
*/
void selinux_ima_measure_state(struct selinux_state *state)
{
lockdep_assert_not_held(&state->policy_mutex);
mutex_lock(&state->policy_mutex);
selinux_ima_measure_state_locked(state);
mutex_unlock(&state->policy_mutex);
}