24 Dec, 2012
1 commit
-
The new kernel module syscall appraises kernel modules based
on policy. If the IMA policy requires kernel module checking,
fallback to module signature enforcing for the existing syscall.
Without CONFIG_MODULE_SIG_FORCE enabled, the kernel module's
integrity is unknown, return -EACCES.Changelog v1:
- Fix ima_module_check() return result (Tetsuo Handa)Reported-by: Tetsuo Handa
Reviewed-by: Tetsuo Handa
Signed-off-by: Mimi Zohar
14 Dec, 2012
1 commit
-
With the addition of the new kernel module syscall, which defines two
arguments - a file descriptor to the kernel module and a pointer to a NULL
terminated string of module arguments - it is now possible to measure and
appraise kernel modules like any other file on the file system.This patch adds support to measure and appraise kernel modules in an
extensible and consistent manner.To support filesystems without extended attribute support, additional
patches could pass the signature as the first parameter.Signed-off-by: Mimi Zohar
Signed-off-by: Rusty Russell
05 Oct, 2012
1 commit
-
mask argument goes first, then func, like ima_must_measure
and ima_get_action. ima_inode_post_setattr() assumes that.Signed-off-by: Dmitry Kasatkin
Signed-off-by: Mimi Zohar
Signed-off-by: James Morris
03 Oct, 2012
1 commit
-
Pull security subsystem updates from James Morris:
"Highlights:- Integrity: add local fs integrity verification to detect offline
attacks
- Integrity: add digital signature verification
- Simple stacking of Yama with other LSMs (per LSS discussions)
- IBM vTPM support on ppc64
- Add new driver for Infineon I2C TIS TPM
- Smack: add rule revocation for subject labels"Fixed conflicts with the user namespace support in kernel/auditsc.c and
security/integrity/ima/ima_policy.c.* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (39 commits)
Documentation: Update git repository URL for Smack userland tools
ima: change flags container data type
Smack: setprocattr memory leak fix
Smack: implement revoking all rules for a subject label
Smack: remove task_wait() hook.
ima: audit log hashes
ima: generic IMA action flag handling
ima: rename ima_must_appraise_or_measure
audit: export audit_log_task_info
tpm: fix tpm_acpi sparse warning on different address spaces
samples/seccomp: fix 31 bit build on s390
ima: digital signature verification support
ima: add support for different security.ima data types
ima: add ima_inode_setxattr/removexattr function and calls
ima: add inode_post_setattr call
ima: replace iint spinblock with rwlock/read_lock
ima: allocating iint improvements
ima: add appraise action keywords and default rules
ima: integrity appraisal extension
vfs: move ima_file_free before releasing the file
...
21 Sep, 2012
2 commits
-
Use kuid's in the IMA rules.
When reporting the current uid in audit logs use from_kuid
to get a usable value.Cc: Mimi Zohar
Acked-by: Serge Hallyn
Signed-off-by: Eric W. Biederman -
Cc: Mimi Zohar
Acked-by: Serge Hallyn
Signed-off-by: Eric W. Biederman
19 Sep, 2012
1 commit
-
IMA audit hashes patches introduced new IMA flags and required
space went beyond 8 bits. Currently the only flag is IMA_DIGSIG.
This patch use 16 bit short instead of 8 bit char.
Without this fix IMA signature will be replaced with hash, which
should not happen.Signed-off-by: Dmitry Kasatkin
Signed-off-by: Mimi Zohar
14 Sep, 2012
2 commits
-
This adds an 'audit' policy action which audit logs file measurements.
Changelog v6:
- use new action flag handling (Dmitry Kasatkin).
- removed whitespace (Mimi)Changelog v5:
- use audit_log_untrustedstring.Changelog v4:
- cleanup digest -> hash conversion.
- use filename rather than d_path in ima_audit_measurement.Changelog v3:
- Use newly exported audit_log_task_info for logging pid/ppid/uid/etc.
- Update the ima_policy ABI documentation.Changelog v2:
- Use 'audit' action rather than 'measure_and_audit' to permit
auditing in the absence of measuring..Changelog v1:
- Initial posting.Signed-off-by: Peter Moody
Signed-off-by: Mimi Zohar -
Make the IMA action flag handling generic in order to support
additional new actions, without requiring changes to the base
implementation. New actions, like audit logging, will only
need to modify the define statements.Signed-off-by: Dmitry Kasatkin
Signed-off-by: Mimi Zohar
12 Sep, 2012
1 commit
-
When AUDIT action support is added to the IMA,
ima_must_appraise_or_measure() does not reflect the real meaning anymore.
Rename it to ima_get_action().Signed-off-by: Dmitry Kasatkin
Signed-off-by: Mimi Zohar
08 Sep, 2012
7 commits
-
This patch adds support for digital signature based integrity appraisal.
With this patch, 'security.ima' contains either the file data hash or
a digital signature of the file data hash. The file data hash provides
the security attribute of file integrity. In addition to file integrity,
a digital signature provides the security attribute of authenticity.Unlike EVM, when the file metadata changes, the digital signature is
replaced with an HMAC, modification of the file data does not cause the
'security.ima' digital signature to be replaced with a hash. As a
result, after any modification, subsequent file integrity appraisals
would fail.Although digitally signed files can be modified, but by not updating
'security.ima' to reflect these modifications, in essence digitally
signed files could be considered 'immutable'.IMA uses a different keyring than EVM. While the EVM keyring should not
be updated after initialization and locked, the IMA keyring should allow
updating or adding new keys when upgrading or installing packages.Changelog v4:
- Change IMA_DIGSIG to hex equivalent
Changelog v3:
- Permit files without any 'security.ima' xattr to be labeled properly.Signed-off-by: Dmitry Kasatkin
Signed-off-by: Mimi Zohar -
IMA-appraisal currently verifies the integrity of a file based on a
known 'good' measurement value. This patch reserves the first byte
of 'security.ima' as a place holder for the type of method used for
verifying file data integrity.Changelog v1:
- Use the newly defined 'struct evm_ima_xattr_data'Signed-off-by: Dmitry Kasatkin
Signed-off-by: Mimi Zohar -
Based on xattr_permission comments, the restriction to modify 'security'
xattr is left up to the underlying fs or lsm. Ensure that not just anyone
can modify or remove 'security.ima'.Changelog v1:
- Unless IMA-APPRAISE is configured, use stub ima_inode_removexattr()/setxattr()
functions. (Moved ima_inode_removexattr()/setxattr() to ima_appraise.c)Changelog:
- take i_mutex to fix locking (Dmitry Kasatkin)
- ima_reset_appraise_flags should only be called when modifying or
removing the 'security.ima' xattr. Requires CAP_SYS_ADMIN privilege.
(Incorporated fix from Roberto Sassu)
- Even if allowed to update security.ima, reset the appraisal flags,
forcing re-appraisal.
- Replace CAP_MAC_ADMIN with CAP_SYS_ADMIN
- static inline ima_inode_setxattr()/ima_inode_removexattr() stubs
- ima_protect_xattr should be staticSigned-off-by: Mimi Zohar
Signed-off-by: Dmitry Kasatkin -
For performance, replace the iint spinlock with rwlock/read_lock.
Eric Paris questioned this change, from spinlocks to rwlocks, saying
"rwlocks have been shown to actually be slower on multi processor
systems in a number of cases due to the cache line bouncing required."Based on performance measurements compiling the kernel on a cold
boot with multiple jobs with/without this patch, Dmitry Kasatkin
and I found that rwlocks performed better than spinlocks, but very
insignificantly. For example with total compilation time around 6
minutes, with rwlocks time was 1 - 3 seconds shorter... but always
like that.Changelog v2:
- new patch taken from the 'allocating iint improvements' patchSigned-off-by: Dmitry Kasatkin
Signed-off-by: Mimi Zohar -
With IMA-appraisal's removal of the iint mutex and taking the i_mutex
instead, allocating the iint becomes a lot simplier, as we don't need
to be concerned with two processes racing to allocate the iint. This
patch cleans up and improves performance for allocating the iint.- removed redundant double i_mutex locking
- combined iint allocation with tree searchChangelog v2:
- removed the rwlock/read_lock changes from this patchSigned-off-by: Dmitry Kasatkin
Signed-off-by: Mimi Zohar -
Unlike the IMA measurement policy, the appraise policy can not be dependent
on runtime process information, such as the task uid, as the 'security.ima'
xattr is written on file close and must be updated each time the file changes,
regardless of the current task uid.This patch extends the policy language with 'fowner', defines an appraise
policy, which appraises all files owned by root, and defines 'ima_appraise_tcb',
a new boot command line option, to enable the appraise policy.Changelog v3:
- separate the measure from the appraise rules in order to support measuring
without appraising and appraising without measuring.
- change appraisal default for filesystems without xattr support to fail
- update default appraise policy for cgroupsChangelog v1:
- don't appraise RAMFS (Dmitry Kasatkin)
- merged rest of "ima: ima_must_appraise_or_measure API change" commit
(Dmtiry Kasatkin)ima_must_appraise_or_measure() called ima_match_policy twice, which
searched the policy for a matching rule. Once for a matching measurement
rule and subsequently for an appraisal rule. Searching the policy twice
is unnecessary overhead, which could be noticeable with a large policy.The new version of ima_must_appraise_or_measure() does everything in a
single iteration using a new version of ima_match_policy(). It returns
IMA_MEASURE, IMA_APPRAISE mask.With the use of action mask only one efficient matching function
is enough. Removed other specific versions of matching functions.Changelog:
- change 'owner' to 'fowner' to conform to the new LSM conditions posted by
Roberto Sassu.
- fix calls to ima_log_string()Signed-off-by: Mimi Zohar
Signed-off-by: Dmitry Kasatkin -
IMA currently maintains an integrity measurement list used to assert the
integrity of the running system to a third party. The IMA-appraisal
extension adds local integrity validation and enforcement of the
measurement against a "good" value stored as an extended attribute
'security.ima'. The initial methods for validating 'security.ima' are
hashed based, which provides file data integrity, and digital signature
based, which in addition to providing file data integrity, provides
authenticity.This patch creates and maintains the 'security.ima' xattr, containing
the file data hash measurement. Protection of the xattr is provided by
EVM, if enabled and configured.Based on policy, IMA calls evm_verifyxattr() to verify a file's metadata
integrity and, assuming success, compares the file's current hash value
with the one stored as an extended attribute in 'security.ima'.Changelov v4:
- changed iint cache flags to hex valuesChangelog v3:
- change appraisal default for filesystems without xattr support to failChangelog v2:
- fix audit msg 'res' value
- removed unused 'ima_appraise=' valuesChangelog v1:
- removed unused iint mutex (Dmitry Kasatkin)
- setattr hook must not reset appraised (Dmitry Kasatkin)
- evm_verifyxattr() now differentiates between no 'security.evm' xattr
(INTEGRITY_NOLABEL) and no EVM 'protected' xattrs included in the
'security.evm' (INTEGRITY_NOXATTRS).
- replace hash_status with ima_status (Dmitry Kasatkin)
- re-initialize slab element ima_status on free (Dmitry Kasatkin)
- include 'security.ima' in EVM if CONFIG_IMA_APPRAISE, not CONFIG_IMA
- merged half "ima: ima_must_appraise_or_measure API change" (Dmitry Kasatkin)
- removed unnecessary error variable in process_measurement() (Dmitry Kasatkin)
- use ima_inode_post_setattr() stub function, if IMA_APPRAISE not configured
(moved ima_inode_post_setattr() to ima_appraise.c)
- make sure ima_collect_measurement() can read fileChangelog:
- add 'iint' to evm_verifyxattr() call (Dimitry Kasatkin)
- fix the race condition between chmod, which takes the i_mutex and then
iint->mutex, and ima_file_free() and process_measurement(), which take
the locks in the reverse order, by eliminating iint->mutex. (Dmitry Kasatkin)
- cleanup of ima_appraise_measurement() (Dmitry Kasatkin)
- changes as a result of the iint not allocated for all regular files, but
only for those measured/appraised.
- don't try to appraise new/empty files
- expanded ima_appraisal description in ima/Kconfig
- IMA appraise definitions required even if IMA_APPRAISE not enabled
- add return value to ima_must_appraise() stub
- unconditionally set status = INTEGRITY_PASS *after* testing status,
not before. (Found by Joe Perches)Signed-off-by: Mimi Zohar
Signed-off-by: Dmitry Kasatkin
23 Aug, 2012
1 commit
-
Enable tpm_ibmvtpm driver by default when IMA is enabled on PPC64
Signed-off-by: Kent Yoder
06 Jul, 2012
3 commits
-
IMA auditing code was compiled even when CONFIG_AUDIT was not enabled.
This patch compiles auditing code only when possible and enabled.Signed-off-by: Dmitry Kasatkin
Signed-off-by: Mimi Zohar -
Set ima_initialized only if initialization was successful.
Signed-off-by: Dmitry Kasatkin
Signed-off-by: Mimi Zohar -
Exclude DEVPTS and BINFMT filesystems from the measurement policy.
Signed-off-by: Dmitry Kasatkin
Signed-off-by: Mimi Zohar
03 Jul, 2012
3 commits
-
IMA cannot be used as module and does not need __exit functions.
Removed them.Signed-off-by: Dmitry Kasatkin
Signed-off-by: Mimi Zohar -
On ima_fs_init() error, free securityfs violations file.
Signed-off-by: Dmitry Kasatkin
Signed-off-by: Mimi Zohar -
The IMA measurement list contains filename hints, which can be
ambigious without the full pathname. This patch replaces the
filename hint with the full pathname, simplifying for userspace
the correlating of file hash measurements with files.Change log v1:
- Revert to short filenames, when full pathname is longer than IMA
measurement buffer size. (Based on Dmitry's review)Signed-off-by: Mimi Zohar
16 May, 2012
1 commit
-
When IMA was first upstreamed, the bprm filename and interp were
always the same. Currently, the bprm->filename and bprm->interp
are the same, except for when only bprm->interp contains the
interpreter name. So instead of using the bprm->filename as
the IMA filename hint in the measurement list, we could replace
it with bprm->interp, but this feels too fragil.The following patch is not much better, but at least there is some
indication that sometimes we're passing the filename and other times
the interpreter name.Reported-by: Andrew Lunn
Signed-off-by: Mimi Zohar
Signed-off-by: James Morris
28 Feb, 2012
1 commit
-
Fix IMA kconfig warning on non-X86 architectures:
warning: (IMA) selects TCG_TIS which has unmet direct dependencies
(TCG_TPM && X86)Signed-off-by: Randy Dunlap
Reported-by: Geert Uytterhoeven
Acked-by: Rajiv Andrade
Signed-off-by: James Morris
16 Feb, 2012
1 commit
-
The audit res field ususally indicates success with a 1 and 0 for a
failure. So make IMA do it the same way.Signed-off-by: Eric Paris
Signed-off-by: Mimi Zohar
Signed-off-by: James Morris
09 Feb, 2012
1 commit
20 Jan, 2012
2 commits
-
Don't measure ramfs files.
Signed-off-by: Dmitry Kasatkin
Signed-off-by: Mimi Zohar -
Fix the following build warning:
warning: (IMA) selects TCG_TPM which has unmet direct dependencies
(HAS_IOMEM && EXPERIMENTAL)Suggested-by: Rajiv Andrade
Signed-off-by: Fabio Estevam
Signed-off-by: Rajiv Andrade
Cc:
Signed-off-by: Mimi Zohar
19 Jan, 2012
1 commit
-
Fix ima_policy.c sparse "warning: dereference of noderef expression"
message, by accessing cred->uid using current_cred().Changelog v1:
- Change __cred to just cred (based on David Howell's comment)Signed-off-by: Mimi Zohar
Signed-off-by: James Morris
18 Jan, 2012
4 commits
-
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
integrity: digital signature config option name change
lib: Removed MPILIB, MPILIB_EXTRA, and SIGNATURE prompts
lib: MPILIB Kconfig description update
lib: digital signature dependency fix
lib: digital signature config option name change
encrypted-keys: fix rcu and sparse messages
keys: fix trusted/encrypted keys sparse rcu_assign_pointer messages
KEYS: Add missing smp_rmb() primitives to the keyring search code
TOMOYO: Accept \000 as a valid character.
security: update MAINTAINERS file with new git repo -
Similar to SIGNATURE, rename INTEGRITY_DIGSIG to INTEGRITY_SIGNATURE.
Signed-off-by: Dmitry Kasatkin
Signed-off-by: James Morris -
It was reported that DIGSIG is confusing name for digital signature
module. It was suggested to rename DIGSIG to SIGNATURE.Requested-by: Linus Torvalds
Suggested-by: Pavel Machek
Signed-off-by: Dmitry Kasatkin
Signed-off-by: James Morris -
The use of s_id should go through the untrusted string path, just to be
extra careful.Signed-off-by: Kees Cook
Acked-by: Mimi Zohar
Signed-off-by: Eric Paris
09 Jan, 2012
1 commit
-
Conflicts:
security/integrity/evm/evm_crypto.cResolved upstream fix vs. next conflict manually.
Signed-off-by: James Morris
20 Dec, 2011
4 commits
-
There is a small chance of racing during tfm allocation.
This patch fixes it.Signed-off-by: Dmitry Kasatkin
Acked-by: Mimi Zohar
Signed-off-by: James Morris -
On multi-core systems, setting of the key before every caclculation,
causes invalid HMAC calculation for other tfm users, because internal
state (ipad, opad) can be invalid before set key call returns.
It needs to be set only once during initialization.Signed-off-by: Dmitry Kasatkin
Acked-by: Mimi Zohar
Signed-off-by: James Morris -
Don't free a valid measurement entry on TPM PCR extend failure.
Signed-off-by: Roberto Sassu
Signed-off-by: Mimi Zohar
Cc: stable@vger.kernel.org -
Info about new measurements are cached in the iint for performance. When
the inode is flushed from cache, the associated iint is flushed as well.
Subsequent access to the inode will cause the inode to be re-measured and
will attempt to add a duplicate entry to the measurement list.This patch frees the duplicate measurement memory, fixing a memory leak.
Signed-off-by: Roberto Sassu
Signed-off-by: Mimi Zohar
Cc: stable@vger.kernel.org
