14 Nov, 2018

2 commits

  • commit a408e4a86b36bf98ad15b9ada531cf0e5118ac67 upstream.

    Open a new file instance as opposed to changing file->f_mode when
    the file is not readable. This is done to accommodate the overlayfs
    stacked file operations change. The real struct file is hidden
    behind the overlay's struct file. So, any file->f_mode manipulations are
    not reflected on the real struct file. Open the file again in read mode
    if the original file cannot be read, read and calculate the hash.

    Signed-off-by: Goldwyn Rodrigues
    Cc: stable@vger.kernel.org (linux-4.19)
    Signed-off-by: Mimi Zohar
    Signed-off-by: Greg Kroah-Hartman

    Goldwyn Rodrigues
     
  • commit 1e4c8dafbb6bf72fb5eca035b861e39c5896c2b7 upstream.

    The 12 character temporary buffer is not necessarily long enough to hold
    a 'long' value. Increase it.

    Signed-off-by: Eric Biggers
    Cc: stable@vger.kernel.org
    Signed-off-by: Mimi Zohar
    Signed-off-by: Greg Kroah-Hartman

    Eric Biggers
     

16 Aug, 2018

3 commits

  • …morris/linux-security

    Pull integrity updates from James Morris:
    "This adds support for EVM signatures based on larger digests, contains
    a new audit record AUDIT_INTEGRITY_POLICY_RULE to differentiate the
    IMA policy rules from the IMA-audit messages, addresses two deadlocks
    due to either loading or searching for crypto algorithms, and cleans
    up the audit messages"

    * 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
    EVM: fix return value check in evm_write_xattrs()
    integrity: prevent deadlock during digsig verification.
    evm: Allow non-SHA1 digital signatures
    evm: Don't deadlock if a crypto algorithm is unavailable
    integrity: silence warning when CONFIG_SECURITYFS is not enabled
    ima: Differentiate auditing policy rules from "audit" actions
    ima: Do not audit if CONFIG_INTEGRITY_AUDIT is not set
    ima: Use audit_log_format() rather than audit_log_string()
    ima: Call audit_log_string() rather than logging it untrusted

    Linus Torvalds
     
  • Pull TPM updates from James Morris:

    - Migrate away from PM runtime as explicit cmdReady/goIdle transactions
    for every command are a spec requirement. PM runtime adds only a layer
    of complexity in our case.

    - tpm_tis drivers can now specify the hwrng quality.

    - TPM 2.0 code now uses tpm_buf for constructing messages. Jarkko
    thinks Tomas Winkler has done the same for TPM 1.2, and will start
    digging those changes from the patchwork in the near future.

    - Bug fixes and clean ups

    * 'next-tpm' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
    ima: Get rid of ima_used_chip and use ima_tpm_chip != NULL instead
    ima: Use tpm_default_chip() and call TPM functions with a tpm_chip
    tpm: replace TPM_TRANSMIT_RAW with TPM_TRANSMIT_NESTED
    tpm: Convert tpm_find_get_ops() to use tpm_default_chip()
    tpm: Implement tpm_default_chip() to find a TPM chip
    tpm: rename tpm_chip_find_get() to tpm_find_get_ops()
    tpm: Allow tpm_tis drivers to set hwrng quality.
    tpm: Return the actual size when receiving an unsupported command
    tpm: separate cmd_ready/go_idle from runtime_pm
    tpm/tpm_i2c_infineon: switch to i2c_lock_bus(..., I2C_LOCK_SEGMENT)
    tpm_tis_spi: Pass the SPI IRQ down to the driver
    tpm: migrate tpm2_get_random() to use struct tpm_buf
    tpm: migrate tpm2_get_tpm_pt() to use struct tpm_buf
    tpm: migrate tpm2_probe() to use struct tpm_buf
    tpm: migrate tpm2_shutdown() to use struct tpm_buf

    Linus Torvalds
     
  • Pull security subsystem updates from James Morris:

    - kstrdup() return value fix from Eric Biggers

    - Add new security_load_data hook to differentiate security checking of
    kernel-loaded binaries in the case of there being no associated file
    descriptor, from Mimi Zohar.

    - Add ability to IMA to specify a policy at build-time, rather than
    just via command line params or by loading a custom policy, from
    Mimi.

    - Allow IMA and LSMs to prevent sysfs firmware load fallback (e.g. if
    using signed firmware), from Mimi.

    - Allow IMA to deny loading of kexec kernel images, as they cannot be
    measured by IMA, from Mimi.

    * 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
    security: check for kstrdup() failure in lsm_append()
    security: export security_kernel_load_data function
    ima: based on policy warn about loading firmware (pre-allocated buffer)
    module: replace the existing LSM hook in init_module
    ima: add build time policy
    ima: based on policy require signed firmware (sysfs fallback)
    firmware: add call to LSM hook before firmware sysfs fallback
    ima: based on policy require signed kexec kernel images
    kexec: add call to LSM hook in original kexec_load syscall
    security: define new LSM hook named security_kernel_load_data
    MAINTAINERS: remove the outdated "LINUX SECURITY MODULE (LSM) FRAMEWORK" entry

    Linus Torvalds
     

23 Jul, 2018

1 commit

  • In case of error, the function audit_log_start() returns a NULL pointer,
    not ERR_PTR(). The IS_ERR() test in the return value check should be
    replaced with a NULL test.

    Fixes: fa516b66a1bf ("EVM: Allow runtime modification of the set of verified xattrs")
    Signed-off-by: Wei Yongjun
    Acked-by: Serge Hallyn
    Signed-off-by: Mimi Zohar

    Wei Yongjun
     

18 Jul, 2018

8 commits

  • This patch aims to prevent deadlock during digsig verification. The point
    of issue: the user space utility modprobe and/or its dependencies (ld-*.so,
    libz.so.*, libc-*.so and /lib/modules/ files) that could be used for
    kernel module loading during digsig verification and could be signed by
    digsig at the same time.

    First of all, look at the crypto_alloc_tfm() work algorithm:
    crypto_alloc_tfm() will first attempt to locate an already loaded
    algorithm. If that fails and the kernel supports dynamically loadable
    modules, it will then attempt to load a module of the same name or alias.
    If that fails it will send a query to any loaded crypto manager to
    construct an algorithm on the fly.

    We have a situation where public_key_verify_signature(), in the case of the RSA
    algorithm, uses alg_name to store internal information in order to construct
    an algorithm on the fly, but crypto_larval_lookup() will try to use
    alg_name in order to load a kernel module with the same name.

    1) we can't do anything with the crypto module's behaviour, since it is designed to work
    exactly in this way;
    2) we can't globally filter module requests for modprobe, since it is
    designed to work with any requests.

    In this patch, I propose adding an exception for "crypto-pkcs1pad(rsa,*)"
    module requests only in the case of enabled integrity asymmetric keys support.
    Since we don't have any real "crypto-pkcs1pad(rsa,*)" kernel modules for
    sure, we are safe to fail such module requests from crypto_larval_lookup().
    In this way we prevent modprobe execution during digsig verification and
    avoid a possible deadlock if modprobe and/or its dependencies are also signed
    with digsig.

    The requested "crypto-pkcs1pad(rsa,*)" kernel module name is formed by:
    1) "pkcs1pad(rsa,%s)" in public_key_verify_signature();
    2) "crypto-%s" / "crypto-%s-all" in crypto_larval_lookup().
    The "crypto-pkcs1pad(rsa," part of the request is constant and unique and could
    be used as a filter.

    Signed-off-by: Mikhail Kurinnoi
    Signed-off-by: Mimi Zohar

    include/linux/integrity.h | 13 +++++++++++++
    security/integrity/digsig_asymmetric.c | 23 +++++++++++++++++++++++
    security/security.c | 7 ++++++-
    3 files changed, 42 insertions(+), 1 deletion(-)

    Mikhail Kurinnoi
     
  • SHA1 is reasonable in HMAC constructs, but it's desirable to be able to
    use stronger hashes in digital signatures. Modify the EVM crypto code so
    the hash type is imported from the digital signature and passed down to
    the hash calculation code, and return the digest size to higher layers
    for validation.

    Signed-off-by: Matthew Garrett
    Signed-off-by: Mimi Zohar

    Matthew Garrett
     
  • When EVM attempts to appraise a file signed with a crypto algorithm the
    kernel doesn't have support for, it will cause the kernel to trigger a
    module load. If the EVM policy includes appraisal of kernel modules this
    will in turn call back into EVM - since EVM is holding a lock until the
    crypto initialisation is complete, this triggers a deadlock. Add a
    CRYPTO_NOLOAD flag and skip module loading if it's set, and add that flag
    in the EVM case in order to fail gracefully with an error message
    instead of deadlocking.

    Signed-off-by: Matthew Garrett
    Acked-by: Herbert Xu
    Signed-off-by: Mimi Zohar

    Matthew Garrett
     
  • When CONFIG_SECURITYFS is not enabled, securityfs_create_dir returns
    -ENODEV which throws the following error:
    "Unable to create integrity sysfs dir: -19"

    However, if the feature is disabled, it can't be a warning and hence
    we need to silence the error. This patch checks for the error -ENODEV,
    which is returned when CONFIG_SECURITYFS is disabled, to stop the error
    being thrown.

    Signed-off-by: Sudeep Holla
    Acked-by: Matthew Garrett
    Signed-off-by: Mimi Zohar

    Sudeep Holla
     
  • The AUDIT_INTEGRITY_RULE is used for auditing IMA policy rules and
    the IMA "audit" policy action. This patch defines
    AUDIT_INTEGRITY_POLICY_RULE to reflect the IMA policy rules.

    Since we defined a new message type we can now also pass the
    audit_context and get an associated SYSCALL record. This now produces
    the following records when parsing IMA policy's rules:

    type=UNKNOWN[1807] msg=audit(1527888965.738:320): action=audit \
    func=MMAP_CHECK mask=MAY_EXEC res=1
    type=UNKNOWN[1807] msg=audit(1527888965.738:320): action=audit \
    func=FILE_CHECK mask=MAY_READ res=1
    type=SYSCALL msg=audit(1527888965.738:320): arch=c000003e syscall=1 \
    success=yes exit=17 a0=1 a1=55bcfcca9030 a2=11 a3=7fcc1b55fb38 \
    items=0 ppid=1567 pid=1601 auid=0 uid=0 gid=0 euid=0 suid=0 \
    fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=2 comm="echo" \
    exe="/usr/bin/echo" \
    subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

    Signed-off-by: Stefan Berger
    Acked-by: Paul Moore
    Signed-off-by: Mimi Zohar

    Stefan Berger
     
  • If Integrity is not auditing, IMA shouldn't audit, either.

    Signed-off-by: Stefan Berger
    Acked-by: Paul Moore
    Signed-off-by: Mimi Zohar

    Stefan Berger
     
  • Remove the usage of audit_log_string() and replace it with
    audit_log_format().

    Signed-off-by: Stefan Berger
    Suggested-by: Steve Grubb
    Acked-by: Paul Moore
    Signed-off-by: Mimi Zohar

    Stefan Berger
     
  • The parameters passed to this logging function are all provided by
    a privileged user and therefore we can call audit_log_string()
    rather than audit_log_untrustedstring().

    Signed-off-by: Stefan Berger
    Suggested-by: Steve Grubb
    Acked-by: Paul Moore
    Signed-off-by: Mimi Zohar

    Stefan Berger
     

17 Jul, 2018

5 commits

  • Some systems are memory constrained but they need to load very large
    firmwares. The firmware subsystem allows drivers to request this
    firmware be loaded from the filesystem, but this requires that the
    entire firmware be loaded into kernel memory first before it's provided
    to the driver. This can lead to a situation where we map the firmware
    twice, once to load the firmware into kernel memory and once to copy the
    firmware into the final resting place.

    To resolve this problem, commit a098ecd2fa7d ("firmware: support loading
    into a pre-allocated buffer") introduced request_firmware_into_buf() API
    that allows drivers to request firmware be loaded directly into a
    pre-allocated buffer.

    Do devices using pre-allocated memory run the risk of the firmware being
    accessible to the device prior to the completion of IMA's signature
    verification any more than when using two buffers? (Refer to mailing list
    discussion[1]).

    Only on systems with an IOMMU can the access be prevented. As long as
    the signature verification completes prior to the DMA map being performed,
    the device can not access the buffer. This implies that the same buffer
    can not be re-used. Can we ensure the buffer has not been DMA mapped
    before using the pre-allocated buffer?

    [1] https://lkml.org/lkml/2018/7/10/56

    Signed-off-by: Mimi Zohar
    Cc: Luis R. Rodriguez
    Cc: Stephen Boyd
    Cc: Bjorn Andersson
    Cc: Ard Biesheuvel
    Reviewed-by: Kees Cook
    Signed-off-by: James Morris

    Mimi Zohar
     
  • Both the init_module and finit_module syscalls call either directly
    or indirectly the security_kernel_read_file LSM hook. This patch
    replaces the direct call in init_module with a call to the new
    security_kernel_load_data hook and makes the corresponding changes
    in SELinux, LoadPin, and IMA.

    Signed-off-by: Mimi Zohar
    Cc: Jeff Vander Stoep
    Cc: Casey Schaufler
    Cc: Kees Cook
    Acked-by: Jessica Yu
    Acked-by: Paul Moore
    Acked-by: Kees Cook
    Signed-off-by: James Morris

    Mimi Zohar
     
  • IMA by default does not measure, appraise or audit files, but can be
    enabled at runtime by specifying a builtin policy on the boot command line
    or by loading a custom policy.

    This patch defines a build time policy, which verifies kernel modules,
    firmware, kexec image, and/or the IMA policy signatures. This build time
    policy is automatically enabled at runtime and persists after loading a
    custom policy.

    Signed-off-by: Mimi Zohar
    Reviewed-by: Kees Cook
    Signed-off-by: James Morris

    Mimi Zohar
     
  • With an IMA policy requiring signed firmware, this patch prevents
    the sysfs fallback method of loading firmware.

    Signed-off-by: Mimi Zohar
    Reviewed-by: Kees Cook
    Cc: Luis R. Rodriguez
    Cc: Matthew Garrett
    Signed-off-by: James Morris

    Mimi Zohar
     
  • The original kexec_load syscall can not verify file signatures, nor can
    the kexec image be measured. Based on policy, deny the kexec_load
    syscall.

    Signed-off-by: Mimi Zohar
    Cc: Eric Biederman
    Cc: Kees Cook
    Reviewed-by: Kees Cook
    Signed-off-by: James Morris

    Mimi Zohar
     

08 Jun, 2018

1 commit

  • …morris/linux-security

    Pull integrity updates from James Morris:
    "From Mimi:

    - add run time support for specifying additional security xattrs
    included in the security.evm HMAC/signature

    - some code clean up and bug fixes"

    * 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
    EVM: unlock on error path in evm_read_xattrs()
    EVM: prevent array underflow in evm_write_xattrs()
    EVM: Fix null dereference on xattr when xattr fails to allocate
    EVM: fix memory leak of temporary buffer 'temp'
    IMA: use list_splice_tail_init_rcu() instead of its open coded variant
    ima: use match_string() helper
    ima: fix updating the ima_appraise flag
    ima: based on policy verify firmware signatures (pre-allocated buffer)
    ima: define a new policy condition based on the filesystem name
    EVM: Allow runtime modification of the set of verified xattrs
    EVM: turn evm_config_xattrnames into a list
    integrity: Add an integrity directory in securityfs
    ima: Remove unused variable ima_initialized
    ima: Unify logging
    ima: Reflect correct permissions for policy

    Linus Torvalds
     

07 Jun, 2018

1 commit

  • Pull audit updates from Paul Moore:
    "Another reasonable chunk of audit changes for v4.18, thirteen patches
    in total.

    The thirteen patches can mostly be broken down into one of four
    categories: general bug fixes, accessor functions for audit state
    stored in the task_struct, negative filter matches on executable
    names, and extending the (relatively) new seccomp logging knobs to the
    audit subsystem.

    The main driver for the accessor functions from Richard are the
    changes we're working on to associate audit events with containers,
    but I think they have some standalone value too so I figured it would
    be good to get them in now.

    The seccomp/audit patches from Tyler apply the seccomp logging
    improvements from a few releases ago to audit's seccomp logging;
    starting with this patchset the changes in
    /proc/sys/kernel/seccomp/actions_logged should apply to both the
    standard kernel logging and audit.

    As usual, everything passes the audit-testsuite and it happens to
    merge cleanly with your tree"

    [ Heh, except it had trivial merge conflicts with the SELinux tree that
    also came in from Paul - Linus ]

    * tag 'audit-pr-20180605' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit:
    audit: Fix wrong task in comparison of session ID
    audit: use existing session info function
    audit: normalize loginuid read access
    audit: use new audit_context access funciton for seccomp_actions_logged
    audit: use inline function to set audit context
    audit: use inline function to get audit context
    audit: convert sessionid unset to a macro
    seccomp: Don't special case audited processes when logging
    seccomp: Audit attempts to modify the actions_logged sysctl
    seccomp: Configurable separator for the actions_logged string
    seccomp: Separate read and write code for actions_logged sysctl
    audit: allow not equal op for audit by executable
    audit: add syscall information to FEATURE_CHANGE records

    Linus Torvalds
     

31 May, 2018

5 commits

  • If the user sets xattr->name[0] to NUL then we would read one character
    before the start of the array. This bug seems harmless as far as I can
    see but perhaps it would trigger a warning in KASAN.

    Fixes: fa516b66a1bf ("EVM: Allow runtime modification of the set of verified xattrs")
    Signed-off-by: Dan Carpenter
    Signed-off-by: Mimi Zohar

    Dan Carpenter
     
  • In the case where the allocation of xattr fails and xattr is NULL, the
    error exit return path via label 'out' will dereference xattr when
    kfree'ing xattr->name. Fix this by only kfree'ing xattr->name and xattr
    when xattr is non-null.

    Detected by CoverityScan, CID#1469366 ("Dereference after null check")

    Fixes: fa516b66a1bf ("EVM: Allow runtime modification of the set of verified xattrs")
    Signed-off-by: Colin Ian King
    Signed-off-by: Mimi Zohar

    Colin Ian King
     
  • The allocation of 'temp' is not kfree'd and hence there is a memory
    leak on each call of evm_read_xattrs. Fix this by kfree'ing it
    after copying data from it back to the user space buffer 'buf'.

    Detected by CoverityScan, CID#1469386 ("Resource Leak")

    Fixes: fa516b66a1bf ("EVM: Allow runtime modification of the set of verified xattrs")
    Signed-off-by: Colin Ian King
    Signed-off-by: Mimi Zohar

    Colin Ian King
     
  • Use list_splice_tail_init_rcu() to extend the existing custom IMA policy
    with additional IMA policy rules.

    Signed-off-by: Petko Manolov
    Signed-off-by: Mimi Zohar

    Petko Manolov
     
  • match_string() returns the index of an array for a matching string,
    which can be used instead of the open coded variant.

    Signed-off-by: Yisheng Xie
    Reviewed-by: Andy Shevchenko
    Signed-off-by: Mimi Zohar

    Yisheng Xie
     

23 May, 2018

1 commit

  • As IMA policy rules are added, a mask of the type of rule (eg. kernel
    modules, firmware, IMA policy) is updated. Unlike custom IMA policy
    rules, which replace the original builtin policy rules and update the
    mask, the builtin "secure_boot" policy rules were loaded, but did not
    update the mask.

    This patch refactors the code to load custom policies, defining a new
    function named ima_appraise_flag(). The new function is called either
    when loading the builtin "secure_boot" or custom policies.

    Fixes: 503ceaef8e2e ("ima: define a set of appraisal rules requiring file signatures")
    Signed-off-by: Mimi Zohar

    Mimi Zohar
     

22 May, 2018

2 commits

  • Don't differentiate, for now, between kernel_read_file_id READING_FIRMWARE
    and READING_FIRMWARE_PREALLOC_BUFFER enumerations.

    Fixes: a098ecd firmware: support loading into a pre-allocated buffer (since 4.8)
    Signed-off-by: Mimi Zohar
    Cc: Luis R. Rodriguez
    Cc: David Howells
    Cc: Kees Cook
    Cc: Serge E. Hallyn
    Cc: Stephen Boyd

    Mimi Zohar
     
  • If/when file data signatures are distributed with the file data, this
    patch will not be needed. In the current environment where only some
    files are signed, the ability to differentiate between file systems is
    needed. Some file systems consider the file system magic number
    internal to the file system.

    This patch defines a new IMA policy condition named "fsname", based on
    the superblock's file_system_type (sb->s_type) name. This allows policy
    rules to be expressed in terms of the filesystem name.

    The following sample rules require file signatures on rootfs files
    executed or mmap'ed.

    appraise func=BPRM_CHECK fsname=rootfs appraise_type=imasig
    appraise func=FILE_MMAP fsname=rootfs appraise_type=imasig

    Signed-off-by: Mimi Zohar
    Cc: Dave Chinner
    Cc: Theodore Ts'o

    Mimi Zohar
     

19 May, 2018

2 commits

  • Sites may wish to provide additional metadata alongside files in order
    to make more fine-grained security decisions[1]. The security of this is
    enhanced if this metadata is protected, something that EVM makes
    possible. However, the kernel cannot know about the set of extended
    attributes that local admins may wish to protect, and hardcoding this
    policy in the kernel makes it difficult to change over time and less
    convenient for distributions to enable.

    This patch adds a new /sys/kernel/security/integrity/evm/evm_xattrs node,
    which can be read to obtain the current set of EVM-protected extended
    attributes or written to in order to add new entries. Extending this list
    will not change the validity of any existing signatures provided that the
    file in question does not have any of the additional extended attributes -
    missing xattrs are skipped when calculating the EVM hash.

    [1] For instance, a package manager could install information about the
    package uploader in an additional extended attribute. Local LSM policy
    could then be associated with that extended attribute in order to
    restrict the privileges available to packages from less trusted
    uploaders.

    Signed-off-by: Matthew Garrett
    Reviewed-by: James Morris
    Signed-off-by: Mimi Zohar

    Matthew Garrett
     
  • Use a list of xattrs rather than an array - this makes it easier to
    extend the list at runtime.

    Signed-off-by: Matthew Garrett
    Reviewed-by: James Morris
    Signed-off-by: Mimi Zohar

    Matthew Garrett
     

17 May, 2018

4 commits

  • We want to add additional evm control nodes, and it'd be preferable not
    to clutter up the securityfs root directory any further. Create a new
    integrity directory, move the ima directory into it, create an evm
    directory for the evm attribute and add compatibility symlinks.

    Signed-off-by: Matthew Garrett
    Signed-off-by: Mimi Zohar

    Matthew Garrett
     
  • Commit a756024 ("ima: added ima_policy_flag variable") replaced
    ima_initialized with ima_policy_flag, but didn't remove ima_initialized.
    This patch removes it.

    Signed-off-by: Petr Vorel
    Reviewed-by: James Morris
    Signed-off-by: Mimi Zohar

    Petr Vorel
     
  • Define pr_fmt everywhere.

    Signed-off-by: Petr Vorel
    Reported-by: Stephen Rothwell (powerpc build error)
    Signed-off-by: Mimi Zohar

    Changelog:
    The previous pr_fmt definition was too late and caused problems in the powerpc
    allyesconfig build.

    Petr Vorel
     
  • A kernel configured with CONFIG_IMA_READ_POLICY=y && CONFIG_IMA_WRITE_POLICY=n
    keeps 0600 mode after loading the policy. Remove write permission to state
    that the policy file can no longer be written.

    Signed-off-by: Petr Vorel
    Signed-off-by: Mimi Zohar

    Petr Vorel
     

15 May, 2018

1 commit

  • Recognizing that the audit context is an internal audit value, use an
    access function to retrieve the audit context pointer for the task
    rather than reaching directly into the task struct to get it.

    Signed-off-by: Richard Guy Briggs
    [PM: merge fuzz in auditsc.c and selinuxfs.c, checkpatch.pl fixes]
    Signed-off-by: Paul Moore

    Richard Guy Briggs