[PATCH v2 15/18] fs/kernel_file_read: Add "offset" arg for partial reads

Kees Cook keescook at chromium.org
Fri Jul 24 14:39:27 EDT 2020


On Fri, Jul 24, 2020 at 11:23:37AM -0700, Kees Cook wrote:
> On Thu, Jul 23, 2020 at 10:41:07PM -0700, Scott Branden wrote:
> > 
> > 
> > On 2020-07-23 12:15 p.m., Kees Cook wrote:
> > > On Wed, Jul 22, 2020 at 03:29:26PM -0700, Scott Branden wrote:
> > > > These changes don't pass the kernel-selftest for partial reads I added
> > > > (which are at the end of this patch v2 series).
> > > Oh, interesting. Is there any feedback in dmesg? I wonder if I have the
> > > LSMs configured differently than you?
> > I have no LSMs configured that I know of.
> > Yes, there is a failure in dmesg, which is how I determined to add my
> > workaround.
> > Without the workaround, dmesg log attached after booting and running
> > fw_run_tests.h
> > > > See change below added for temp workaround for issue.
> > > > > [...]
> > > > > +
> > > > > +	whole_file = (offset == 0 && i_size <= buf_size);
> > > > A hack to get this passing I added which probably breaks some security?
> > > > if (whole_file) {
> > > > > +	ret = security_kernel_read_file(file, id, whole_file);
> > > > > +	if (ret)
> > > > > +		goto out;
> > > > > +
> > > > }
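Review bot: Wrapping the security_kernel_read_file() call in `if (whole_file)` means a partial read (offset != 0 or i_size > buf_size) never reaches the LSM hooks at all, so any LSM that would have rejected it, IMA appraisal included, is silently bypassed instead of consulted; the test passes because the policy check is gone, not because the read is acceptable. Keep the hook call unconditional and let `whole_file` travel as its argument, as the unmodified `+	ret = security_kernel_read_file(file, id, whole_file);` already does, so each LSM can decide how a partial read should be treated.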
> > > This would imply I did something wrong in the LSM hook refactoring (i.e.
> > > some LSM is rejecting the !whole_file case, but if the entire call to
> > > the hooks is skipped, it's okay).
> > > 
> > > What does this return on your test system:
> > > 
> > > 	echo $(cat /sys/kernel/security/lsm)
> > ima kernel configs are enabled but I don't enable security policies
> > on the kernel command line.
> > 
> > echo $(cat /sys/kernel/security/lsm)
> > cat: /sys/kernel/security/lsm: No such file or directory
> 
> Oh, er... CONFIG_SECURITYFS is missing?
> 
> Can you send me your .config?

Ah, nevermind, I found my config mistake. I thought I had the right
setting, but I'd missed CONFIG_IMA_APPRAISE=y. With that enabled, the
firmware tests _correctly_ fail, since IMA can't appraise partial reads.

So, this doesn't look like a bug to me.

-- 
Kees Cook
