10 Jan, 2016

1 commit


08 Jan, 2016

1 commit

  • This patch fixes the key_ref leak, removes the unnecessary KEY_FLAG_KEEP
    test before setting the flag, and cleans up the if/then brackets style
    introduced in commit:
    d3600bc KEYS: prevent keys from being removed from specified keyrings

    Reported-by: David Howells
    Signed-off-by: Mimi Zohar
    Acked-by: David Howells

    Mimi Zohar
     

04 Jan, 2016

1 commit

  • There is no need to hold the ima_write_mutex for so long. We only need it
    around ima_parse_add_rule().

    Changelog:
    - The return path now takes into account failed kmalloc() call.

    Reported-by: Al Viro
    Signed-off-by: Petko Manolov
    Signed-off-by: Mimi Zohar

    Petko Manolov
     


25 Dec, 2015

10 commits

  • Commit "IMA: policy can now be updated multiple times" assumed that the
    policy would be updated at least once.

    If there are zero updates, the temporary list head object will get added
    to the policy list, and later dereferenced as an IMA policy object, which
    means that invalid memory will be accessed.

    Changelog:
    - Move list_empty() test to ima_release_policy(), before audit msg - Mimi

    Signed-off-by: Sasha Levin
    Signed-off-by: Mimi Zohar

    Sasha Levin
     
  • Any process is able to send netlink messages with invalid types.
    Make the warning rate-limited to prevent too much log spam.

    The warning is supposed to help to find misbehaving programs, so
    print the triggering command name and pid.

    Reported-by: Florian Weimer
    Signed-off-by: Vladis Dronov
    [PM: subject line tweak to make checkpatch.pl happy]
    Signed-off-by: Paul Moore

    Vladis Dronov
     
  • Make validatetrans decisions available through selinuxfs.
    "/validatetrans" is added to selinuxfs for this purpose.
    This functionality is needed by file system servers
    implemented in userspace or kernelspace without the VFS
    layer.

    Writing "$oldcontext $newcontext $tclass $taskcontext"
    to /validatetrans is expected to return 0 if the transition
    is allowed and -EPERM otherwise.

    Signed-off-by: Andrew Perepechko
    CC: andrew.perepechko@seagate.com
    Acked-by: Stephen Smalley
    Signed-off-by: Paul Moore

    Andrew Perepechko
     
  • When gfs2 releases the glock of an inode, it must invalidate all
    information cached for that inode, including the page cache and acls.
    Use the new security_inode_invalidate_secctx hook to also invalidate
    security labels in that case. These items will be reread from disk
    when needed after reacquiring the glock.

    Signed-off-by: Andreas Gruenbacher
    Acked-by: Bob Peterson
    Acked-by: Steven Whitehouse
    Cc: cluster-devel@redhat.com
    [PM: fixed spelling errors and description line lengths]
    Signed-off-by: Paul Moore

    Andreas Gruenbacher
     
  • When fetching an inode's security label, check if it is still valid, and
    try reloading it if it is not. Reloading will fail when we are in RCU
    context which doesn't allow sleeping, or when we can't find a dentry for
    the inode. (Reloading happens via iop->getxattr which takes a dentry
    parameter.) When reloading fails, continue using the old, invalid
    label.

    Signed-off-by: Andreas Gruenbacher
    Acked-by: Stephen Smalley
    Signed-off-by: Paul Moore

    Andreas Gruenbacher
     
  • Add a hook to invalidate an inode's security label when the cached
    information becomes invalid.

    Add the new hook in selinux: set a flag when a security label becomes
    invalid.

    Signed-off-by: Andreas Gruenbacher
    Reviewed-by: James Morris
    Acked-by: Stephen Smalley
    Signed-off-by: Paul Moore

    Andreas Gruenbacher
     
  • Add functions dentry_security and inode_security for accessing
    inode->i_security. These functions initially don't do much, but they
    will later be used to revalidate the security labels when necessary.

    Signed-off-by: Andreas Gruenbacher
    Acked-by: Stephen Smalley
    Signed-off-by: Paul Moore

    Andreas Gruenbacher
     
  • Make the inode argument of the inode_getsecid hook non-const so that we
    can use it to revalidate invalid security labels.

    Signed-off-by: Andreas Gruenbacher
    Acked-by: Stephen Smalley
    Signed-off-by: Paul Moore

    Andreas Gruenbacher
     
  • Make the inode argument of the inode_getsecurity hook non-const so that
    we can use it to revalidate invalid security labels.

    Signed-off-by: Andreas Gruenbacher
    Acked-by: Stephen Smalley
    Signed-off-by: Paul Moore

    Andreas Gruenbacher
     
  • Signed-off-by: Andreas Gruenbacher
    Acked-by: Stephen Smalley
    Signed-off-by: Paul Moore

    Andreas Gruenbacher
     

20 Dec, 2015

10 commits

  • TPM2 supports authorization policies, which are essentially
    combinational logic statements representing the conditions where the data
    can be unsealed based on the TPM state. This patch enables the use of
    authorization policies to seal trusted keys.

    The following two new options have been added for trusted keys:

    * 'policydigest=': provide an auth policy digest for sealing.
    * 'policyhandle=': provide a policy session handle for unsealing.

    If the 'hash=' option is supplied after the 'policydigest=' option, this
    will result in an error because the state of the option would become
    mixed.

    Signed-off-by: Jarkko Sakkinen
    Tested-by: Colin Ian King
    Reviewed-by: Mimi Zohar
    Acked-by: Peter Huewe

    Jarkko Sakkinen
     
  • Added 'hash=' option for selecting the hash algorithm for add_key()
    syscall and documentation for it.

    Added entry for sm3-256 to the following tables in order to support
    TPM_ALG_SM3_256:

    * hash_algo_name
    * hash_digest_size

    Includes support for the following hash algorithms:

    * sha1
    * sha256
    * sha384
    * sha512
    * sm3-256

    Signed-off-by: Jarkko Sakkinen
    Tested-by: Colin Ian King
    Reviewed-by: James Morris
    Reviewed-by: Mimi Zohar
    Acked-by: Peter Huewe

    Jarkko Sakkinen
     
  • The trusted keys option parsing allows specifying the same option
    multiple times. The last option value specified is used.

    This is problematic because:

    * No gain.
    * This makes it complicated to specify options that are dependent on
    other options.

    This patch changes the behavior so that an option can be specified
    only once.

    Reported-by: James Morris
    Reviewed-by: Mimi Zohar
    Signed-off-by: Jarkko Sakkinen
    Acked-by: Peter Huewe

    Jarkko Sakkinen
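    As an added illustration (not the kernel's own trusted-keys parser), the C parser below enforces the two rules stated in the commit messages above, that an option may be given only once and that 'hash=' may not follow 'policydigest=', and restricts 'hash=' to the algorithms the 'hash=' commit lists. The option names and hash names come from the commits; the struct layout, the digest size limit and the hex format of the policy handle are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not the kernel's trusted-keys parser: a small parser
 * enforcing the two rules from the commit messages above: each option may
 * be given only once, and 'hash=' may not follow 'policydigest='. */
enum { OPT_HASH = 1u, OPT_POLICYDIGEST = 2u, OPT_POLICYHANDLE = 4u };
/* Hash names accepted by 'hash=', as listed in the commit message. */
static const char *const hash_names[] = { "sha1", "sha256", "sha384", "sha512", "sm3-256" };
#define NHASH (sizeof(hash_names) / sizeof(*hash_names))
struct tkey_opts {
    unsigned seen;            /* bitmask of options parsed so far */
    char hash[16];
    char policydigest[129];   /* hex digest; a 64-byte maximum is an assumption */
    unsigned long policyhandle; /* parsed as hex; format is an assumption */
};
/* Returns 0 on success, -1 for a repeated option, -2 for 'hash=' after
 * 'policydigest=', -3 for an unknown option name or malformed value. */
int parse_trusted_opts(const char *s, struct tkey_opts *o)
{
    char buf[256], *tok, *val;
    unsigned bit;
    size_t i;
    memset(o, 0, sizeof(*o));
    strncpy(buf, s, sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';
    for (tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        if (!(val = strchr(tok, '=')))
            return -3;
        *val++ = '\0';
        if (!strcmp(tok, "hash")) bit = OPT_HASH;
        else if (!strcmp(tok, "policydigest")) bit = OPT_POLICYDIGEST;
        else if (!strcmp(tok, "policyhandle")) bit = OPT_POLICYHANDLE;
        else return -3;
        if (o->seen & bit)
            return -1;      /* same option twice: rejected, not last-wins */
        if (bit == OPT_HASH && (o->seen & OPT_POLICYDIGEST))
            return -2;      /* digest was already parsed under the earlier hash */
        o->seen |= bit;
        if (bit == OPT_HASH) {
            for (i = 0; i < NHASH && strcmp(val, hash_names[i]); i++)
                ;
            if (i == NHASH) return -3;
            strncpy(o->hash, val, sizeof(o->hash) - 1);
        } else if (bit == OPT_POLICYDIGEST) {
            if (strlen(val) >= sizeof(o->policydigest)) return -3;
            strcpy(o->policydigest, val);
        } else if (sscanf(val, "%lx", &o->policyhandle) != 1) {
            return -3;
        }
    }
    return 0;
}
```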
     
  • When the TPM response reception is interrupted in the wait_event_interruptible
    call, the TPM is still busy processing the command and will only deliver the
    response later. So we have to wait for an outstanding response before sending
    a new request to avoid trying to put a 2nd request into the CRQ. Also reset
    the res_len before sending a command so we will end up in that
    wait_event_interruptible() waiting for the response rather than reading the
    command packet as a response.

    The easiest way to trigger the problem is to run the following

    cd /sys/device/vio/71000004

    while :; do cat pcrs >/dev/null; done

    And press Ctrl-C. This will then display an error

    tpm_ibmvtpm 71000004: tpm_transmit: tpm_recv: error -4

    followed by several other errors once interaction with the TPM resumes.

    tpm_ibmvtpm 71000004: A TPM error (101) occurred attempting to determine the number of PCRS.

    Signed-off-by: Stefan Berger
    Tested-by: Hon Ching(Vicky) Lo
    Reviewed-by: Jarkko Sakkinen
    Reviewed-by: Ashley Lai
    Signed-off-by: Jarkko Sakkinen
    Acked-by: Peter Huewe

    Stefan Berger
     
  • auto-probing doesn't work with shared interrupts, and the auto detection
    interrupt range is for x86 only.

    Signed-off-by: Jason Gunthorpe
    Reviewed-by: Jarkko Sakkinen
    Tested-by: Jarkko Sakkinen
    Tested-by: Martin Wilck
    Tested-by: Scot Doyle
    Signed-off-by: Jarkko Sakkinen
    Acked-by: Peter Huewe

    Jason Gunthorpe
     
  • Now that the probe and run cases are merged together we can use a
    much simpler setup flow where probe and normal setup are done with
    exactly the same code.

    Since the new flow always calls tpm_gen_interrupt to confirm the IRQ
    there is also no longer any need to call tpm_get_timeouts twice.

    Signed-off-by: Jason Gunthorpe
    Reviewed-by: Jarkko Sakkinen
    Tested-by: Jarkko Sakkinen
    Tested-by: Martin Wilck
    Tested-by: Scot Doyle
    Signed-off-by: Jarkko Sakkinen
    Acked-by: Peter Huewe

    Jason Gunthorpe
     
  • The new code that works directly in tpm_tis_send is able to handle
    IRQ probing duties as well, so just use it for everything.

    Signed-off-by: Jason Gunthorpe
    Reviewed-by: Jarkko Sakkinen
    Tested-by: Jarkko Sakkinen
    Tested-by: Martin Wilck
    Tested-by: Scot Doyle
    Signed-off-by: Jarkko Sakkinen
    Acked-by: Peter Huewe

    Jason Gunthorpe
     
  • IRQ probing needs to know that the TPM is working before trying to
    probe, so move tpm_get_timeouts() to the top of the tpm_tis_init().
    This has the advantage of also getting the correct timeouts loaded
    before doing IRQ probing.

    All the timeout handling code is moved to tpm_get_timeouts() in order to
    remove duplicate code in tpm_tis and tpm_crb.

    [jarkko.sakkinen@linux.intel.com: squashed two patches together and
    improved the commit message.]

    Signed-off-by: Jason Gunthorpe
    Reviewed-by: Jarkko Sakkinen
    Tested-by: Jarkko Sakkinen
    Tested-by: Martin Wilck
    Tested-by: Scot Doyle
    Signed-off-by: Jarkko Sakkinen
    Acked-by: Peter Huewe

    Jason Gunthorpe
     
  • This should be done very early, before anything could possibly
    cause the TPM to generate an interrupt. If the IRQ line is shared
    with another driver, an interrupt arriving before our handler is
    set up will be very bad.

    Signed-off-by: Jason Gunthorpe
    Reviewed-by: Jarkko Sakkinen
    Tested-by: Jarkko Sakkinen
    Tested-by: Martin Wilck
    Tested-by: Scot Doyle
    Signed-off-by: Jarkko Sakkinen
    Acked-by: Peter Huewe

    Jason Gunthorpe
     
  • The interrupt is always allocated with devm_request_irq so it
    must always be freed with devm_free_irq.

    Fixes: 448e9c55c12d ("tpm_tis: verify interrupt during init")
    Signed-off-by: Jason Gunthorpe
    Acked-by: Jarkko Sakkinen
    Tested-by: Jarkko Sakkinen
    Tested-by: Martin Wilck
    Signed-off-by: Jarkko Sakkinen
    Acked-by: Peter Huewe

    Jason Gunthorpe
     

18 Dec, 2015

1 commit

  • The Smack security handler for the sendmsg() syscall
    is vulnerable to a type confusion issue which
    can allow privilege escalation to root
    or cause a denial of service.

    A malicious attacker can create a socket of one
    type, for example AF_UNIX, and pass it into the
    sendmsg() function, asserting that it is an
    AF_INET socket.

    Remedy:
    Do not trust user supplied data.
    Proposed fix below.

    Signed-off-by: Roman Kubiak
    Signed-off-by: Mateusz Fruba
    Acked-by: Casey Schaufler

    Roman Kubiak
     

15 Dec, 2015

12 commits

  • The Kconfig currently controlling compilation of this code is:

    ima/Kconfig:config IMA_MOK_KEYRING
    ima/Kconfig: bool "Create IMA machine owner keys (MOK) and blacklist keyrings"

    ...meaning that it currently is not being built as a module by anyone.

    Let's remove the couple of traces of modularity so that when reading the
    driver there is no doubt it really is builtin-only.

    Since module_init translates to device_initcall in the non-modular
    case, the init ordering remains unchanged with this commit.

    Cc: Mimi Zohar
    Cc: Dmitry Kasatkin
    Cc: James Morris
    Cc: "Serge E. Hallyn"
    Cc: linux-ima-devel@lists.sourceforge.net
    Cc: linux-ima-user@lists.sourceforge.net
    Cc: linux-security-module@vger.kernel.org
    Signed-off-by: Paul Gortmaker
    Signed-off-by: Mimi Zohar

    Paul Gortmaker
     
  • While creating a temporary list of new rules, the ima_appraise flag is
    updated, but not reverted on failure to append the new rules to the
    existing policy. This patch defines temp_ima_appraise flag. Only when
    the new rules are appended to the policy is the flag updated.

    Signed-off-by: Mimi Zohar
    Acked-by: Petko Manolov

    Mimi Zohar
     
  • Set KEY_FLAG_KEEP on the .ima_blacklist keyring to prevent userspace
    from removing keys from the keyring.

    Signed-off-by: Mimi Zohar

    Mimi Zohar
     
  • Userspace should not be allowed to remove keys from certain keyrings
    (eg. blacklist), though the keys themselves can expire.

    This patch defines a new key flag named KEY_FLAG_KEEP to prevent
    userspace from being able to unlink, revoke, invalidate or time
    out a key on a keyring. When this flag is set on the keyring, all
    keys subsequently added are flagged.

    In addition, when this flag is set, the keyring itself can not be
    cleared.

    Signed-off-by: Mimi Zohar
    Cc: David Howells

    Mimi Zohar
     
  • It is often useful to be able to read back the IMA policy. It is
    even more important after introducing CONFIG_IMA_WRITE_POLICY.
    This option allows the root user to see the current policy rules.

    Signed-off-by: Zbigniew Jasinski
    Signed-off-by: Petko Manolov
    Signed-off-by: Mimi Zohar

    Petko Manolov
     
  • This option creates IMA MOK and blacklist keyrings. IMA MOK is an
    intermediate keyring that sits between the .system and .ima keyrings,
    effectively forming a simple CA hierarchy. To successfully import a key
    into .ima_mok it must be signed by a key whose CA is in the .system keyring.
    In turn, any key that needs to go in the .ima keyring must be signed by a CA
    in either the .system or .ima_mok keyrings. IMA MOK is empty at kernel boot.

    IMA blacklist keyring contains all revoked IMA keys. It is consulted
    before any other keyring. If the search is successful the requested
    operation is rejected and error is returned to the caller.

    Signed-off-by: Petko Manolov
    Signed-off-by: Mimi Zohar

    Petko Manolov
     
  • The new rules get appended to the original policy, forming a queue.
    The new rules are first added to a temporary list, which on error
    get released without disturbing the normal IMA operations. On
    success both lists (the current policy and the new rules) are spliced.

    Since IMA policy reads are many orders of magnitude more numerous than
    writes, the match code is RCU protected. The updater side also does the
    list splice in RCU manner.

    Signed-off-by: Petko Manolov
    Signed-off-by: Mimi Zohar

    Petko Manolov
     
  • The newly added EVM_LOAD_X509 code can be configured even if
    CONFIG_EVM is disabled, but that causes a link error:

    security/built-in.o: In function `integrity_load_keys':
    digsig_asymmetric.c:(.init.text+0x400): undefined reference to `evm_load_x509'

    This adds a Kconfig dependency to ensure it is only enabled when
    CONFIG_EVM is set as well.

    Signed-off-by: Arnd Bergmann
    Fixes: 2ce523eb8976 ("evm: load x509 certificate from the kernel")
    Signed-off-by: Mimi Zohar

    Arnd Bergmann
     
  • The EVM verification status is cached in iint->evm_status and if it
    was successful, never re-verified again when IMA passes the 'iint' to
    evm_verifyxattr().

    When file attributes or extended attributes change, we may wish to
    re-verify EVM integrity as well. For example, after setting a digital
    signature we may need to re-verify the signature and update the
    iint->flags that there is an EVM signature.

    This patch enables that by resetting evm_status to the INTEGRITY_UNKNOWN
    state.

    Changes in v2:
    * Flag setting moved to EVM layer

    Signed-off-by: Dmitry Kasatkin
    Signed-off-by: Mimi Zohar

    Dmitry Kasatkin
     
  • A crypto HW kernel module can possibly initialize the EVM key from the
    kernel __init code to enable EVM before calling the 'init' process.
    This patch provides a function evm_set_key() to set the EVM key
    directly without using the KEY subsystem.

    Changes in v4:
    * kernel-doc style for evm_set_key

    Changes in v3:
    * error reporting moved to evm_set_key
    * EVM_INIT_HMAC moved to evm_set_key
    * added bitop to prevent key setting race

    Changes in v2:
    * use size_t for key size instead of signed int
    * provide EVM_MAX_KEY_SIZE macro in
    * provide EVM_MIN_KEY_SIZE macro in

    Signed-off-by: Dmitry Kasatkin
    Signed-off-by: Mimi Zohar

    Dmitry Kasatkin
     
  • In order to enable EVM before starting the 'init' process,
    evm_initialized needs to be non-zero. Previously non-zero indicated
    that the HMAC key was loaded. When EVM loads the X509 before calling
    'init', with this patch it is now possible to enable EVM to start
    signature based verification.

    This patch defines bits to enable EVM if a key of any type is loaded.

    Changes in v3:
    * print error message if key is not set

    Changes in v2:
    * EVM_STATE_KEY_SET replaced by EVM_INIT_HMAC
    * EVM_STATE_X509_SET replaced by EVM_INIT_X509

    Signed-off-by: Dmitry Kasatkin
    Signed-off-by: Mimi Zohar

    Dmitry Kasatkin
     
  • This patch defines a configuration option and the evm_load_x509() hook
    to load an X509 certificate onto the EVM trusted kernel keyring.

    Changes in v4:
    * Patch description updated

    Changes in v3:
    * Removed EVM_X509_PATH definition. CONFIG_EVM_X509_PATH is used
    directly.

    Changes in v2:
    * default key path changed to /etc/keys

    Signed-off-by: Dmitry Kasatkin
    Signed-off-by: Mimi Zohar

    Dmitry Kasatkin
     

10 Dec, 2015

1 commit

  • The existing file receive hook checks for access on
    the file inode even for UDS. This is not right, as
    the inode is not used by Smack to make access checks
    for sockets. This change checks for an appropriate
    access relationship between the receiving (current)
    process and the socket. If the process can't write
    to the socket's send label or the socket's receive
    label can't write to the process, fail.

    This will allow the legitimate cases, where the
    socket sender and socket receiver can freely communicate.
    Only strangely set socket labels should cause a problem.

    Signed-off-by: Casey Schaufler

    Casey Schaufler