06 Jul, 2012
3 commits
-
IMA auditing code was compiled even when CONFIG_AUDIT was not enabled.
This patch compiles auditing code only when possible and enabled.Signed-off-by: Dmitry Kasatkin
Signed-off-by: Mimi Zohar -
Set ima_initialized only if initialization was successful.
Signed-off-by: Dmitry Kasatkin
Signed-off-by: Mimi Zohar -
Exclude DEVPTS and BINFMT filesystems from the measurement policy.
Signed-off-by: Dmitry Kasatkin
Signed-off-by: Mimi Zohar
03 Jul, 2012
3 commits
-
IMA cannot be used as module and does not need __exit functions.
Removed them.Signed-off-by: Dmitry Kasatkin
Signed-off-by: Mimi Zohar -
On ima_fs_init() error, free securityfs violations file.
Signed-off-by: Dmitry Kasatkin
Signed-off-by: Mimi Zohar -
The IMA measurement list contains filename hints, which can be
ambigious without the full pathname. This patch replaces the
filename hint with the full pathname, simplifying for userspace
the correlating of file hash measurements with files.Change log v1:
- Revert to short filenames, when full pathname is longer than IMA
measurement buffer size. (Based on Dmitry's review)Signed-off-by: Mimi Zohar
16 May, 2012
1 commit
-
When IMA was first upstreamed, the bprm filename and interp were
always the same. Currently, the bprm->filename and bprm->interp
are the same, except for when only bprm->interp contains the
interpreter name. So instead of using the bprm->filename as
the IMA filename hint in the measurement list, we could replace
it with bprm->interp, but this feels too fragil.The following patch is not much better, but at least there is some
indication that sometimes we're passing the filename and other times
the interpreter name.Reported-by: Andrew Lunn
Signed-off-by: Mimi Zohar
Signed-off-by: James Morris
28 Feb, 2012
1 commit
-
Fix IMA kconfig warning on non-X86 architectures:
warning: (IMA) selects TCG_TIS which has unmet direct dependencies
(TCG_TPM && X86)Signed-off-by: Randy Dunlap
Reported-by: Geert Uytterhoeven
Acked-by: Rajiv Andrade
Signed-off-by: James Morris
16 Feb, 2012
1 commit
-
The audit res field ususally indicates success with a 1 and 0 for a
failure. So make IMA do it the same way.Signed-off-by: Eric Paris
Signed-off-by: Mimi Zohar
Signed-off-by: James Morris
09 Feb, 2012
1 commit
20 Jan, 2012
2 commits
-
Don't measure ramfs files.
Signed-off-by: Dmitry Kasatkin
Signed-off-by: Mimi Zohar -
Fix the following build warning:
warning: (IMA) selects TCG_TPM which has unmet direct dependencies
(HAS_IOMEM && EXPERIMENTAL)Suggested-by: Rajiv Andrade
Signed-off-by: Fabio Estevam
Signed-off-by: Rajiv Andrade
Cc:
Signed-off-by: Mimi Zohar
19 Jan, 2012
1 commit
-
Fix ima_policy.c sparse "warning: dereference of noderef expression"
message, by accessing cred->uid using current_cred().Changelog v1:
- Change __cred to just cred (based on David Howell's comment)Signed-off-by: Mimi Zohar
Signed-off-by: James Morris
18 Jan, 2012
4 commits
-
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
integrity: digital signature config option name change
lib: Removed MPILIB, MPILIB_EXTRA, and SIGNATURE prompts
lib: MPILIB Kconfig description update
lib: digital signature dependency fix
lib: digital signature config option name change
encrypted-keys: fix rcu and sparse messages
keys: fix trusted/encrypted keys sparse rcu_assign_pointer messages
KEYS: Add missing smp_rmb() primitives to the keyring search code
TOMOYO: Accept \000 as a valid character.
security: update MAINTAINERS file with new git repo -
Similar to SIGNATURE, rename INTEGRITY_DIGSIG to INTEGRITY_SIGNATURE.
Signed-off-by: Dmitry Kasatkin
Signed-off-by: James Morris -
It was reported that DIGSIG is confusing name for digital signature
module. It was suggested to rename DIGSIG to SIGNATURE.Requested-by: Linus Torvalds
Suggested-by: Pavel Machek
Signed-off-by: Dmitry Kasatkin
Signed-off-by: James Morris -
The use of s_id should go through the untrusted string path, just to be
extra careful.Signed-off-by: Kees Cook
Acked-by: Mimi Zohar
Signed-off-by: Eric Paris
09 Jan, 2012
1 commit
-
Conflicts:
security/integrity/evm/evm_crypto.cResolved upstream fix vs. next conflict manually.
Signed-off-by: James Morris
20 Dec, 2011
4 commits
-
There is a small chance of racing during tfm allocation.
This patch fixes it.Signed-off-by: Dmitry Kasatkin
Acked-by: Mimi Zohar
Signed-off-by: James Morris -
On multi-core systems, setting of the key before every caclculation,
causes invalid HMAC calculation for other tfm users, because internal
state (ipad, opad) can be invalid before set key call returns.
It needs to be set only once during initialization.Signed-off-by: Dmitry Kasatkin
Acked-by: Mimi Zohar
Signed-off-by: James Morris -
Don't free a valid measurement entry on TPM PCR extend failure.
Signed-off-by: Roberto Sassu
Signed-off-by: Mimi Zohar
Cc: stable@vger.kernel.org -
Info about new measurements are cached in the iint for performance. When
the inode is flushed from cache, the associated iint is flushed as well.
Subsequent access to the inode will cause the inode to be re-measured and
will attempt to add a duplicate entry to the measurement list.This patch frees the duplicate measurement memory, fixing a memory leak.
Signed-off-by: Roberto Sassu
Signed-off-by: Mimi Zohar
Cc: stable@vger.kernel.org
08 Dec, 2011
2 commits
-
There is a small chance of racing during tfm allocation.
This patch fixes it.Signed-off-by: Dmitry Kasatkin
Acked-by: Mimi Zohar
Signed-off-by: James Morris -
On multi-core systems, setting of the key before every caclculation,
causes invalid HMAC calculation for other tfm users, because internal
state (ipad, opad) can be invalid before set key call returns.
It needs to be set only once during initialization.Signed-off-by: Dmitry Kasatkin
Acked-by: Mimi Zohar
Signed-off-by: James Morris
22 Nov, 2011
1 commit
-
Fix build errors by adding Kconfig dependency on KEYS.
CRYPTO dependency removed.CC security/integrity/digsig.o
security/integrity/digsig.c: In function ?integrity_digsig_verify?:
security/integrity/digsig.c:38:4: error: implicit declaration of function ?request_key?
security/integrity/digsig.c:38:17: error: ?key_type_keyring? undeclared (first use in this function)
security/integrity/digsig.c:38:17: note: each undeclared identifier is reported only once for each function it appears in
make[2]: *** [security/integrity/digsig.o] Error 1Reported-by: Randy Dunlap
Signed-off-by: Dmitry Kasatkin
Signed-off-by: James Morris
09 Nov, 2011
2 commits
-
This patch adds support for digital signature verification to EVM.
With this feature file metadata can be protected using digital
signature instead of an HMAC. When building an image,
which has to be flashed to different devices, an HMAC cannot
be used to sign file metadata, because the HMAC key should be
different on every device.Signed-off-by: Dmitry Kasatkin
Acked-by: Mimi Zohar -
Define separate keyrings for each of the different use cases - evm, ima,
and modules. Using different keyrings improves search performance, and also
allows "locking" specific keyring to prevent adding new keys.
This is useful for evm and module keyrings, when keys are usually only
added from initramfs.Signed-off-by: Dmitry Kasatkin
03 Nov, 2011
1 commit
-
* 'for-linus' of git://github.com/richardweinberger/linux: (90 commits)
um: fix ubd cow size
um: Fix kmalloc argument order in um/vdso/vma.c
um: switch to use of drivers/Kconfig
UserModeLinux-HOWTO.txt: fix a typo
UserModeLinux-HOWTO.txt: remove ^H characters
um: we need sys/user.h only on i386
um: merge delay_{32,64}.c
um: distribute exports to where exported stuff is defined
um: kill system-um.h
um: generic ftrace.h will do...
um: segment.h is x86-only and needed only there
um: asm/pda.h is not needed anymore
um: hw_irq.h can go generic as well
um: switch to generic-y
um: clean Kconfig up a bit
um: a couple of missing dependencies...
um: kill useless argument of free_chan() and free_one_chan()
um: unify ptrace_user.h
um: unify KSTK_...
um: fix gcov build breakage
...
02 Nov, 2011
1 commit
-
Signed-off-by: Al Viro
Signed-off-by: Richard Weinberger
15 Sep, 2011
5 commits
-
When allocating from slab, initialization is done the first time in
init_once() and subsequently on free. Because evm_status was not
re-initialized on free, evm_verify_hmac() skipped verifications.This patch re-initializes evm_status.
Signed-off-by: Dmitry Kasatkin
Signed-off-by: Mimi Zohar -
Before permitting 'security.evm' to be updated, 'security.evm' must
exist and be valid. In the case that there are no existing EVM protected
xattrs, it is safe for posix acls to update the mode bits.To differentiate between no 'security.evm' xattr and no xattrs used to
calculate 'security.evm', this patch defines INTEGRITY_NOXATTR.Signed-off-by: Mimi Zohar
-
The posix xattr acls are 'system' prefixed, which normally would not
affect security.evm. An interesting side affect of writing posix xattr
acls is their modifying of the i_mode, which is included in security.evm.This patch updates security.evm when posix xattr acls are written.
Signed-off-by: Mimi Zohar
-
evm_protect_xattr unnecessarily validates the current security.evm
integrity, before updating non-evm protected extended attributes
and other file metadata. This patch limits validating the current
security.evm integrity to evm protected metadata.Signed-off-by: Mimi Zohar
-
All tristates selected by EVM(boolean) are forced to be builtin, except
in the TCG_TPM(tristate) dependency case. Arnaud Lacombe summarizes the
Kconfig bug as, "So it would seem direct dependency state influence the
state of reverse dependencies.." For a detailed explanation, refer to
Arnaud Lacombe's posting http://lkml.org/lkml/2011/8/23/498.With the "encrypted-keys: remove trusted-keys dependency" patch, EVM
can now be built without a dependency on TCG_TPM. The trusted-keys
dependency requires trusted-keys to either be builtin or not selected.
This dependency will prevent the boolean/tristate mismatch from
occuring.Reported-by: Stephen Rothwell ,
Randy Dunlap
Signed-off-by: Mimi Zohar
10 Sep, 2011
3 commits
-
Fixes sparse warnings:
security/integrity/ima/ima_main.c:105:6: warning: symbol 'ima_file_free' was not declared. Should it be static?
security/integrity/ima/ima_main.c:167:5: warning: symbol 'ima_file_mmap' was not declared. Should it be static?
security/integrity/ima/ima_main.c:192:5: warning: symbol 'ima_bprm_check' was not declared. Should it be static?
security/integrity/ima/ima_main.c:211:5: warning: symbol 'ima_file_check' was not declared. Should it be static?Signed-off-by: James Morris
-
Fixes sparse warning:
security/integrity/ima/ima_fs.c:290:5: warning: symbol 'ima_open_policy' was not declared. Should it be static?Signed-off-by: James Morris
-
Sparse fix: move iint_initialized to integrity.h
Signed-off-by: James Morris
18 Aug, 2011
1 commit
-
Although the EVM encrypted-key should be encrypted/decrypted using a
trusted-key, a user-defined key could be used instead. When using a user-
defined key, a TCG_TPM dependency should not be required. Unfortunately,
the encrypted-key code needs to be refactored a bit in order to remove
this dependency.This patch adds the TCG_TPM dependency.
Reported-by: Stephen Rothwell ,
Randy Dunlap
Signed-off-by: Mimi Zohar
Signed-off-by: James Morris
11 Aug, 2011
1 commit
-
evm_inode_init_security() should return 0, when EVM is not enabled.
(Returning an error is a remnant of evm_inode_post_init_security.)Signed-off-by: Mimi Zohar
Signed-off-by: James Morris
09 Aug, 2011
1 commit
-
Select trusted and encrypted keys if EVM is selected, to ensure
the requisite symbols are available. Otherwise, these can be
selected as modules while EVM is static, leading to a kernel
build failure.Signed-off-by: James Morris