12 Jun, 2009

1 commit

  • …s/security-testing-2.6

    * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: (44 commits)
    nommu: Provide mmap_min_addr definition.
    TOMOYO: Add description of lists and structures.
    TOMOYO: Remove unused field.
    integrity: ima audit dentry_open failure
    TOMOYO: Remove unused parameter.
    security: use mmap_min_addr independently of security models
    TOMOYO: Simplify policy reader.
    TOMOYO: Remove redundant markers.
    SELinux: define audit permissions for audit tree netlink messages
    TOMOYO: Remove unused mutex.
    tomoyo: avoid get+put of task_struct
    smack: Remove redundant initialization.
    integrity: nfsd imbalance bug fix
    rootplug: Remove redundant initialization.
    smack: do not beyond ARRAY_SIZE of data
    integrity: move ima_counts_get
    integrity: path_check update
    IMA: Add __init notation to ima functions
    IMA: Minimal IMA policy and boot param for TCB IMA policy
    selinux: remove obsolete read buffer limit from sel_read_bool
    ...

    Linus Torvalds
     

05 Jun, 2009

1 commit

  • Until we start appraising measurements, the ima_path_check()
    return code should always be 0.

    - Update the ima_path_check() return code comment
    - Instead of the pr_info, audit the dentry_open failure

    Signed-off-by: Mimi Zohar
    Acked-by: Eric Paris
    Signed-off-by: James Morris

    Mimi Zohar
     

22 May, 2009

3 commits

  • - Add support in ima_path_check() for integrity checking without
    incrementing the counts. (Required for nfsd.)
    - rename and export opencount_get to ima_counts_get
    - replace ima_shm_check calls with ima_counts_get
    - export ima_path_check

    Signed-off-by: Mimi Zohar
    Signed-off-by: James Morris

    Mimi Zohar
     
  • A number of IMA functions only used during init are not marked with __init.
    Add those notations so they are freed automatically.

    Signed-off-by: Eric Paris
    Acked-by: Mimi Zohar
    Signed-off-by: James Morris

    Eric Paris
     
  • The IMA TCB policy is dangerous. A normal user can use all of a system's
    memory (which cannot be freed) simply by building and running lots of
    executables. The TCB policy is also nearly useless because logging in as root
    often causes a policy violation when dealing with utmp, thus rendering the
    measurements meaningless.

    There is no good fix for this in the kernel. A full TCB policy would need to
    be loaded in userspace using LSM rule matching to get both a protected and
    useful system. But, if too little is measured before userspace can load a real
    policy one again ends up with a meaningless set of measurements. One option
    would be to put the policy load inside the initrd in order to get it early
    enough in the boot sequence to be useful, but this runs into trouble with the
    LSM. For IMA to measure the LSM policy and the LSM policy loading mechanism
    it needs rules to do so, but we already talked about problems with defaulting
    to such broad rules....

    IMA also depends on the files being measured to be on an FS which implements
    and supports i_version. Since the only FS with this support (ext4) doesn't
    even use it by default it seems silly to have any IMA rules by default.

    This should reduce the performance overhead of IMA to near 0 while still
    letting users who choose to configure their machine as such to include the
    ima_tcb kernel parameter and get measurements during boot before they can
    load a customized, reasonable policy in userspace.

    Signed-off-by: Eric Paris
    Acked-by: Mimi Zohar
    Signed-off-by: James Morris

    Eric Paris
     

19 May, 2009

1 commit

  • The selinuxfs superblock magic is used inside the IMA code, but is being
    defined in two places and could someday get out of sync. This patch moves the
    declaration into magic.h so it is only done once.

    Signed-off-by: Eric Paris
    Signed-off-by: James Morris

    Eric Paris
     

15 May, 2009

2 commits

  • The IMA default policy measures every single file opened by root. This is
    terrible for most users. Consider a system (like mine) with virtual machine
    images. When those images are touched (which happens at boot for me) those
    images are measured. This is just way too much for the default case.

    Signed-off-by: Eric Paris
    Acked-by: Mimi Zohar
    Signed-off-by: James Morris

    Eric Paris
     
  • The IMA policy file does not implement read. Trying to just open/read/close
    the file will load a blank policy and you cannot then change the policy
    without a reboot. This removes the read permission from the file so one must
    at least be attempting to write...

    Signed-off-by: Eric Paris
    Acked-by: Mimi Zohar
    Signed-off-by: James Morris

    Eric Paris
     

12 May, 2009

3 commits

  • If IMA tried to measure a file which was larger than 4G dentry_open would fail
    with -EOVERFLOW since IMA wasn't passing O_LARGEFILE. This patch passes
    O_LARGEFILE to all IMA opens to avoid this problem.

    Signed-off-by: Eric Paris
    Acked-by: Mimi Zohar
    Signed-off-by: James Morris

    Eric Paris
     
  • Currently IMA does not handle failures from dentry_open(). This means that we
    leave a pointer set to ERR_PTR(errno) and then try to use it just a few lines
    later in fput(). Oops.

    Signed-off-by: Eric Paris
    Acked-by: Mimi Zohar
    Signed-off-by: James Morris

    Eric Paris
     
  • Proper invocation of the current credentials is to use current_cred() not
    current->cred. This patch makes IMA use the new method.

    Signed-off-by: Eric Paris
    Acked-by: Mimi Zohar
    Signed-off-by: James Morris

    Eric Paris
     

06 May, 2009

3 commits


15 Apr, 2009

1 commit


23 Feb, 2009

1 commit


20 Feb, 2009

1 commit

  • Based on Alexander Beregalov's post http://lkml.org/lkml/2009/2/19/198

    - replaced sg_set_buf() with sg_init_one()

    kernel BUG at include/linux/scatterlist.h:65!
    invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
    last sysfs file:
    CPU 2
    Modules linked in:
    Pid: 1, comm: swapper Not tainted 2.6.29-rc5-next-20090219 #5 PowerEdge 1950
    RIP: 0010:[] [] ima_calc_hash+0xc0/0x160
    RSP: 0018:ffff88007f46bc40 EFLAGS: 00010286
    RAX: ffffe200032c45e8 RBX: 00000000fffffff4 RCX: 0000000087654321
    RDX: 0000000000000002 RSI: 0000000000000001 RDI: ffff88007cf71048
    RBP: ffff88007f46bcd0 R08: 0000000000000000 R09: 0000000000000163
    R10: ffff88007f4707a8 R11: 0000000000000000 R12: ffff88007cf71048
    R13: 0000000000001000 R14: 0000000000000000 R15: 0000000000009d98
    FS: 0000000000000000(0000) GS:ffff8800051ac000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b
    CR2: 0000000000000000 CR3: 0000000000201000 CR4: 00000000000006e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400

    Signed-off-by: Mimi Zohar
    Tested-by: Alexander Beregalov
    Signed-off-by: James Morris

    Mimi Zohar
     

13 Feb, 2009

1 commit

  • IMA_LSM_RULES requires AUDIT. This is automatic if SECURITY_SELINUX=y
    but not when SECURITY_SMACK=y (and SECURITY_SELINUX=n), so make the
    dependency explicit. This fixes the following build error:

    security/integrity/ima/ima_policy.c:111:error: implicit declaration of function 'security_audit_rule_match'
    security/integrity/ima/ima_policy.c:230:error: implicit declaration of function 'security_audit_rule_init'

    Signed-off-by: Randy Dunlap
    Acked-by: Mimi Zohar
    Signed-off-by: James Morris

    Randy Dunlap
     

12 Feb, 2009

1 commit

  • Based on discussions on linux-audit, as per Steve Grubb's request
    http://lkml.org/lkml/2009/2/6/269, the following changes were made:
    - forced audit result to be either 0 or 1.
    - made template names const
    - Added new stand-alone message type: AUDIT_INTEGRITY_RULE

    Signed-off-by: Mimi Zohar
    Acked-by: Steve Grubb
    Signed-off-by: James Morris

    Mimi Zohar
     

06 Feb, 2009

6 commits

  • Fix ima_delete_rules() definition so sparse doesn't complain.

    Signed-off-by: James Morris

    James Morris
     
  • The number of calls to ima_path_check()/ima_file_free()
    should be balanced. An extra call to fput() indicates
    the file could have been accessed without first being
    measured.

    Although f_count is incremented/decremented in places other
    than fget/fput, like fget_light/fput_light and get_file, the
    current task must already hold a file refcnt. The call to
    __fput() is delayed until the refcnt becomes 0, resulting
    in ima_file_free() flagging any changes.

    - add hook to increment opencount for IPC shared memory(SYSV),
    shmat files, and /dev/zero
    - moved NULL iint test in opencount_get()

    Signed-off-by: Mimi Zohar
    Acked-by: Serge Hallyn
    Signed-off-by: James Morris

    Mimi Zohar
     
  • Sequentialize access to the policy file
    - permit multiple attempts to replace default policy with a valid policy

    Signed-off-by: Mimi Zohar
    Acked-by: Serge Hallyn
    Signed-off-by: James Morris

    Mimi Zohar
     
  • Support for a user loadable policy through securityfs
    with support for LSM specific policy data.
    - free invalid rule in ima_parse_add_rule()

    Signed-off-by: Mimi Zohar
    Acked-by: Serge Hallyn
    Signed-off-by: James Morris

    Mimi Zohar
     
  • Make the measurement lists available through securityfs.
    - removed test for NULL return code from securityfs_create_file/dir

    Signed-off-by: Mimi Zohar
    Acked-by: Serge Hallyn
    Signed-off-by: James Morris

    Mimi Zohar
     
  • IMA provides hardware (TPM) based measurement and attestation for
    file measurements. As the Trusted Computing (TPM) model requires,
    IMA measures all files before they are accessed in any way (on the
    integrity_bprm_check, integrity_path_check and integrity_file_mmap
    hooks), and commits the measurements to the TPM. Once added to the
    TPM, measurements can not be removed.

    In addition, IMA maintains a list of these file measurements, which
    can be used to validate the aggregate value stored in the TPM. The
    TPM can sign these measurements, and thus the system can prove, to
    itself and to a third party, the system's integrity in a way that
    cannot be circumvented by malicious or compromised software.

    - alloc ima_template_entry before calling ima_store_template()
    - log ima_add_boot_aggregate() failure
    - removed unused IMA_TEMPLATE_NAME_LEN
    - replaced hard coded string length with #define name

    Signed-off-by: Mimi Zohar
    Signed-off-by: James Morris

    Mimi Zohar
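
The commit message above says the measurement list can be used to validate the aggregate value stored in the TPM. As an added example (not part of the commit or the kernel tree), this Python code replays a list in the `<pcr> <template-hash> ima <file-hash> <path>` text layout and checks each entry against its own template hash. Assumptions: SHA-1 throughout, PCR 10, the "ima" template hashing the 20-byte file digest followed by the path NUL-padded to 256 bytes, and an all-zero entry (a violation) being extended as 0xff bytes; the sample entries are constructed.

```python
import hashlib

ZERO = bytes(20)          # reset value of the PCR; also the digest listed for a violation
INVALID = b"\xff" * 20    # assumption: extended into the PCR in place of a violation entry
NAME_FIELD = 256          # assumption: the "ima" template NUL-pads the path to 256 bytes

def template_hash(file_hash, path):
    """SHA-1 over the template data: 20-byte file digest + NUL-padded path."""
    name = path.encode()[:NAME_FIELD - 1].ljust(NAME_FIELD, b"\0")
    return hashlib.sha1(file_hash + name).digest()

def replay(lines, pcr_index=10):
    """Replay measurement-list lines; return (aggregate_hex, inconsistent_line_numbers)."""
    pcr, bad = ZERO, []
    for n, line in enumerate(lines, 1):
        idx, t_hex, _tmpl, f_hex, path = line.rstrip("\n").split(None, 4)
        if int(idx) != pcr_index:
            continue
        t_hash, f_hash = bytes.fromhex(t_hex), bytes.fromhex(f_hex)
        if t_hash == ZERO:
            t_hash = INVALID      # violation: the PCR is deliberately invalidated
        elif t_hash != template_hash(f_hash, path):
            bad.append(n)         # listed file hash/path do not match the template hash
        pcr = hashlib.sha1(pcr + t_hash).digest()   # TPM extend: new = SHA1(old || value)
    return pcr.hex(), bad

def make_line(content, path):
    """Build one constructed list entry: '<pcr> <template-hash> ima <file-hash> <path>'."""
    f_hash = hashlib.sha1(content).digest()
    return "10 %s ima %s %s" % (template_hash(f_hash, path).hex(), f_hash.hex(), path)

# Constructed sample list (not captured from a real system).
SAMPLE = [
    make_line(b"stand-in for the PCR 0-7 aggregate", "boot_aggregate"),
    make_line(b"init binary", "/sbin/init"),
    "10 %s ima %s /var/run/utmp" % (ZERO.hex(), ZERO.hex()),   # violation entry
    make_line(b"shell binary", "/bin/bash"),
]

if __name__ == "__main__":
    aggregate, bad = replay(SAMPLE)
    # A verifier compares `aggregate` with the PCR value reported in a signed TPM quote.
    print("replayed aggregate:", aggregate, "inconsistent entries:", bad)
```

An entry whose path or file hash was edited in the list is reported by line number, while a dropped or reordered entry shows up as an aggregate that no longer matches the quoted PCR.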