12 Jan, 2017

1 commit

  • commit 9a11a18902bc3b904353063763d06480620245a6 upstream.

    When the "policy" securityfs file is opened for read, it is opened as a
    sequential file. However, when it is eventually released, there is no
    cleanup for the sequential file, therefore some memory is leaked.

    This patch adds a call to seq_release() in ima_release_policy() to clean up
    the memory when the file is opened for read.

    Fixes: 80eae209d63a IMA: allow reading back the current policy
    Reported-by: Colin Ian King
    Signed-off-by: Eric Richter
    Tested-by: Colin Ian King
    Signed-off-by: Mimi Zohar
    Signed-off-by: Greg Kroah-Hartman

    Eric Richter
     

11 Oct, 2016

1 commit

  • Pull vfs xattr updates from Al Viro:
    "xattr stuff from Andreas

    This completes the switch to xattr_handler ->get()/->set() from
    ->getxattr/->setxattr/->removexattr"

    * 'work.xattr' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
    vfs: Remove {get,set,remove}xattr inode operations
    xattr: Stop calling {get,set,remove}xattr inode operations
    vfs: Check for the IOP_XATTR flag in listxattr
    xattr: Add __vfs_{get,set,remove}xattr helpers
    libfs: Use IOP_XATTR flag for empty directory handling
    vfs: Use IOP_XATTR flag for bad-inode handling
    vfs: Add IOP_XATTR inode operations flag
    vfs: Move xattr_resolve_name to the front of fs/xattr.c
    ecryptfs: Switch to generic xattr handlers
    sockfs: Get rid of getxattr iop
    sockfs: getxattr: Fail with -EOPNOTSUPP for invalid attribute names
    kernfs: Switch to generic xattr handlers
    hfs: Switch to generic xattr handlers
    jffs2: Remove jffs2_{get,set,remove}xattr macros
    xattr: Remove unnecessary NULL attribute name check

    Linus Torvalds
     

08 Oct, 2016

1 commit

  • Right now, various places in the kernel check for the existence of
    getxattr, setxattr, and removexattr inode operations and directly call
    those operations. Switch to helper functions and test for the IOP_XATTR
    flag instead.

    Signed-off-by: Andreas Gruenbacher
    Acked-by: James Morris
    Signed-off-by: Al Viro

    Andreas Gruenbacher
     

16 Sep, 2016

1 commit

  • IMA tries to call ->setxattr() on overlayfs dentry after having locked
    underlying inode, which results in a deadlock.

    Reported-by: Krisztian Litkey
    Fixes: 4bacc9c9234c ("overlayfs: Make f_path always point to the overlay and f_inode to the underlay")
    Signed-off-by: Miklos Szeredi
    Cc: # v4.2
    Cc: Mimi Zohar

    Miklos Szeredi
     

30 Jun, 2016

7 commits

  • Extend the PCR supplied as a parameter, instead of assuming that the
    measurement entry uses the default configured PCR.

    Signed-off-by: Eric Richter
    Signed-off-by: Mimi Zohar

    Eric Richter
     
  • IMA avoids re-measuring files by storing the current state as a flag in
    the integrity cache. It will then skip adding a new measurement log entry
    if the cache reports the file as already measured.

    If a policy measures an already measured file to a new PCR, the measurement
    will not be added to the list. This patch implements a new bitfield for
    specifying which PCR the file was measured into, rather than if it was
    measured.

    Signed-off-by: Eric Richter
    Signed-off-by: Mimi Zohar

    Eric Richter
     
  • Template entry duplicates are prevented from being added to the
    measurement list by checking a hash table that contains the template
    entry digests. However, the PCR value is not included in this comparison,
    so duplicate template entry digests with differing PCRs may be dropped.

    This patch redefines duplicate template entries as template entries with
    the same digest and same PCR values.

    Reported-by: Mimi Zohar
    Signed-off-by: Eric Richter
    Signed-off-by: Mimi Zohar

    Eric Richter
     
  • IMA assumes that the same default Kconfig PCR is extended for each
    entry. This patch replaces the default configured PCR with the policy
    defined PCR.

    Signed-off-by: Eric Richter
    Signed-off-by: Mimi Zohar

    Eric Richter
     
  • The IMA measurement list entries include the Kconfig defined PCR value.
    This patch defines a new ima_template_entry field for including the PCR
    as specified in the policy rule.

    Signed-off-by: Eric Richter
    Signed-off-by: Mimi Zohar

    Eric Richter
     
  • Different policy rules may extend different PCRs. This patch retrieves
    the specific PCR for the matched rule. Subsequent patches will include
    the rule specific PCR in the measurement list and extend the appropriate
    PCR.

    Signed-off-by: Eric Richter
    Signed-off-by: Mimi Zohar

    Eric Richter
     
  • This patch defines a new IMA measurement policy rule option "pcr=",
    which allows extending different PCRs on a per rule basis. For example,
    the system independent files could extend the default IMA Kconfig
    specified PCR, while the system dependent files could extend a different
    PCR.

    The following is an example of this usage with an SELinux policy; the
    rule would extend PCR 11 with system configuration files:

    measure func=FILE_CHECK mask=MAY_READ obj_type=system_conf_t pcr=11

    Changelog v3:
    - FIELD_SIZEOF returns bytes, not bits. Fixed INVALID_PCR

    Signed-off-by: Eric Richter
    Signed-off-by: Mimi Zohar

    Eric Richter
     
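The seven commits above add per-rule PCR selection: a bitfield in the integrity cache recording which PCRs a file has been measured into (instead of a single "measured" flag), duplicate detection keyed on both the template digest and the PCR, and the "pcr=" rule option. The following Python model is an added example, not kernel code, that simulates those behaviours together with the TPM extend operation and the log replay a remote verifier performs to check the quoted PCR values. The names (IntegrityCache, MeasurementList, measure_file, replay_pcrs, demo), the SHA-1 PCR bank and the sample file content are this example's own assumptions.

```python
"""Simulated IMA measurement list with per-rule PCR selection (added example)."""
import hashlib
from dataclasses import dataclass, field

PCR_COUNT = 24            # PCRs in a TPM bank; IMA keeps the bitmask in an unsigned long
DEFAULT_PCR = 10          # the Kconfig default IMA PCR (CONFIG_IMA_MEASURE_PCR_IDX)
ZERO_PCR = b"\x00" * 20   # a SHA-1 PCR starts out all-zero


@dataclass
class IntegrityCache:
    """Per-inode integrity cache: one bit per PCR the file was measured into."""
    measured_pcrs: int = 0


@dataclass(frozen=True)
class TemplateEntry:
    digest: bytes   # template digest of the measurement entry
    pcr: int        # PCR this entry was extended into


def tpm_extend(old, digest):
    """TPM extend for a SHA-1 bank: new = SHA1(old || digest)."""
    return hashlib.sha1(old + digest).digest()


@dataclass
class MeasurementList:
    """Append-only log plus a duplicate filter and a simulated PCR bank."""
    pcr_aware_dedup: bool = True
    entries: list = field(default_factory=list)
    seen: set = field(default_factory=set)
    pcrs: list = field(default_factory=lambda: [ZERO_PCR] * PCR_COUNT)

    def add(self, entry):
        # Old behaviour keyed the duplicate table on the digest alone; the fix
        # keys it on (digest, pcr) so the same file can appear under two PCRs.
        key = (entry.digest, entry.pcr) if self.pcr_aware_dedup else entry.digest
        if key in self.seen:
            return False
        self.seen.add(key)
        self.entries.append(entry)
        self.pcrs[entry.pcr] = tpm_extend(self.pcrs[entry.pcr], entry.digest)
        return True


def measure_file(cache, mlist, content, pcr=DEFAULT_PCR):
    """Measure 'content' into 'pcr' unless the cache says it already was."""
    if not 0 <= pcr < PCR_COUNT:
        raise ValueError("invalid pcr")
    if cache.measured_pcrs & (1 << pcr):
        return False                      # bit set for this PCR: skip re-measurement
    entry = TemplateEntry(hashlib.sha1(content).digest(), pcr)
    added = mlist.add(entry)
    cache.measured_pcrs |= 1 << pcr
    return added


def replay_pcrs(entries):
    """What a verifier does with a quoted log: recompute every PCR from scratch."""
    pcrs = [ZERO_PCR] * PCR_COUNT
    for e in entries:
        pcrs[e.pcr] = tpm_extend(pcrs[e.pcr], e.digest)
    return pcrs


def demo(pcr_aware_dedup):
    """One config file hit by the default rule and by a pcr=11 rule.

    Returns (first added, second added, re-open added, log length)."""
    mlist = MeasurementList(pcr_aware_dedup=pcr_aware_dedup)
    cache = IntegrityCache()
    content = b"# constructed sample of a system configuration file\nlisten=127.0.0.1\n"
    first = measure_file(cache, mlist, content, DEFAULT_PCR)   # default-PCR rule
    second = measure_file(cache, mlist, content, 11)           # pcr=11 rule
    repeat = measure_file(cache, mlist, content, 11)           # re-open: cache hit
    return first, second, repeat, len(mlist.entries)


if __name__ == "__main__":
    print("digest+pcr dedup:", demo(True))    # second measurement lands in PCR 11
    print("digest-only dedup:", demo(False))  # second measurement is dropped
```

With digest-only duplicate detection the second measurement is silently dropped and PCR 11 is never extended, which is exactly what a verifier replaying the log would fail to notice; with the (digest, pcr) key both entries are logged and replay_pcrs() reproduces the bank.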

21 May, 2016

1 commit


20 May, 2016

1 commit

  • Pull security subsystem updates from James Morris:
    "Highlights:

    - A new LSM, "LoadPin", from Kees Cook is added, which allows forcing
    of modules and firmware to be loaded from a specific device (this
    is from ChromeOS, where the device as a whole is verified
    cryptographically via dm-verity).

    This is disabled by default but can be configured to be enabled by
    default (don't do this if you don't know what you're doing).

    - Keys: allow authentication data to be stored in an asymmetric key.
    Lots of general fixes and updates.

    - SELinux: add restrictions for loading of kernel modules via
    finit_module(). Distinguish non-init user namespace capability
    checks. Apply execstack check on thread stacks"

    * 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (48 commits)
    LSM: LoadPin: provide enablement CONFIG
    Yama: use atomic allocations when reporting
    seccomp: Fix comment typo
    ima: add support for creating files using the mknodat syscall
    ima: fix ima_inode_post_setattr
    vfs: forbid write access when reading a file into memory
    fs: fix over-zealous use of "const"
    selinux: apply execstack check on thread stacks
    selinux: distinguish non-init user namespace capability checks
    LSM: LoadPin for kernel file loading restrictions
    fs: define a string representation of the kernel_read_file_id enumeration
    Yama: consolidate error reporting
    string_helpers: add kstrdup_quotable_file
    string_helpers: add kstrdup_quotable_cmdline
    string_helpers: add kstrdup_quotable
    selinux: check ss_initialized before revalidating an inode label
    selinux: delay inode label lookup as long as possible
    selinux: don't revalidate an inode's label when explicitly setting it
    selinux: Change bool variable name to index.
    KEYS: Add KEYCTL_DH_COMPUTE command
    ...

    Linus Torvalds
     

18 May, 2016

1 commit

  • Pull 'struct path' constification update from Al Viro:
    "'struct path' is passed by reference to a bunch of Linux security
    methods; in theory, there's nothing to stop them from modifying the
    damn thing and LSM community being what it is, sooner or later some
    enterprising soul is going to decide that it's a good idea.

    Let's remove the temptation and constify all of those..."

    * 'work.const-path' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
    constify ima_d_path()
    constify security_sb_pivotroot()
    constify security_path_chroot()
    constify security_path_{link,rename}
    apparmor: remove useless checks for NULL ->mnt
    constify security_path_{mkdir,mknod,symlink}
    constify security_path_{unlink,rmdir}
    apparmor: constify common_perm_...()
    apparmor: constify aa_path_link()
    apparmor: new helper - common_path_perm()
    constify chmod_common/security_path_chmod
    constify security_sb_mount()
    constify chown_common/security_path_chown
    tomoyo: constify assorted struct path *
    apparmor_path_truncate(): path->mnt is never NULL
    constify vfs_truncate()
    constify security_path_truncate()
    [apparmor] constify struct path * in a bunch of helpers

    Linus Torvalds
     

06 May, 2016

1 commit


04 May, 2016

1 commit


01 May, 2016

2 commits

  • Commit 3034a14 "ima: pass 'opened' flag to identify newly created files"
    stopped identifying empty files as new files. However new empty files
    can be created using the mknodat syscall. On systems with IMA-appraisal
    enabled, these empty files are not labeled with security.ima extended
    attributes properly, preventing them from subsequently being opened in
    order to write the file data contents. This patch defines a new hook
    named ima_post_path_mknod() to mark these empty files, created using
    mknodat, as new in order to allow the file data contents to be written.

    In addition, files with security.ima xattrs containing a file signature
    are considered "immutable" and can not be modified. The file contents
    need to be written, before signing the file. This patch relaxes this
    requirement for new files, allowing the file signature to be written
    before the file contents.

    Changelog:
    - defer identifying files with signatures stored as security.ima
    (based on Dmitry Rozhkov's comments)
    - removing tests (eg. dentry, dentry->d_inode, inode->i_size == 0)
    (based on Al's review)

    Signed-off-by: Mimi Zohar
    Cc: Al Viro <
    Tested-by: Dmitry Rozhkov

    Mimi Zohar
     
  • Changing file metadata (eg. uid, guid) could result in having to
    re-appraise a file's integrity, but does not change the "new file"
    status nor the security.ima xattr. The IMA_PERMIT_DIRECTIO and
    IMA_DIGSIG_REQUIRED flags are policy rule specific. This patch
    only resets these flags, not the IMA_NEW_FILE or IMA_DIGSIG flags.

    With this patch, changing the file timestamp will not remove the
    file signature on new files.

    Reported-by: Dmitry Rozhkov
    Signed-off-by: Mimi Zohar
    Tested-by: Dmitry Rozhkov

    Mimi Zohar
     

12 Apr, 2016

3 commits

  • Add a config option (IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY)
    that, when enabled, allows keys to be added to the IMA keyrings by
    userspace - with the restriction that each must be signed by a key in the
    system trusted keyrings.

    EPERM will be returned if this option is disabled, ENOKEY will be returned if
    no authoritative key can be found and EKEYREJECTED will be returned if the
    signature doesn't match. Other errors such as ENOPKG may also be returned.

    If this new option is enabled, the builtin system keyring is searched, as is
    the secondary system keyring if that is also enabled. Intermediate keys
    between the builtin system keyring and the key being added can be added to
    the secondary keyring (which replaces .ima_mok) to form a trust chain -
    provided they are also validly signed by a key in one of the trusted keyrings.

    The .ima_mok keyring is then removed and the IMA blacklist keyring gets its
    own config option (IMA_BLACKLIST_KEYRING).

    Signed-off-by: David Howells
    Signed-off-by: Mimi Zohar

    David Howells
     
  • Move the point at which a key is determined to be trustworthy to
    __key_link() so that we use the contents of the keyring being linked in to
    to determine whether the key being linked in is trusted or not.

    What is 'trusted' then becomes a matter of what's in the keyring.

    Currently, the test is done when the key is parsed, but given that at that
    point we can only sensibly refer to the contents of the system trusted
    keyring, we can only use that as the basis for working out the
    trustworthiness of a new key.

    With this change, a trusted keyring is a set of keys that once the
    trusted-only flag is set cannot be added to except by verification through
    one of the contained keys.

    Further, adding a key into a trusted keyring, whilst it might grant
    trustworthiness in the context of that keyring, does not automatically
    grant trustworthiness in the context of a second keyring to which it could
    be secondarily linked.

    To accomplish this, the authentication data associated with the key source
    must now be retained. For an X.509 cert, this means the contents of the
    AuthorityKeyIdentifier and the signature data.

    If system keyrings are disabled then restrict_link_by_builtin_trusted()
    resolves to restrict_link_reject(). The integrity digital signature code
    still works correctly with this as it was previously using
    KEY_FLAG_TRUSTED_ONLY, which doesn't permit anything to be added if there
    is no system keyring against which trust can be determined.

    Signed-off-by: David Howells

    David Howells
     
  • Add a facility whereby proposed new links to be added to a keyring can be
    vetted, permitting them to be rejected if necessary. This can be used to
    block public keys from which the signature cannot be verified or for which
    the signature verification fails. It could also be used to provide
    blacklisting.

    This affects operations like add_key(), KEYCTL_LINK and KEYCTL_INSTANTIATE.

    To this end:

    (1) A function pointer is added to the key struct that, if set, points to
    the vetting function. This is called as:

        int (*restrict_link)(struct key *keyring,
                             const struct key_type *key_type,
                             unsigned long key_flags,
                             const union key_payload *key_payload),

    where 'keyring' will be the keyring being added to, key_type and
    key_payload will describe the key being added and key_flags[*] can be
    AND'ed with KEY_FLAG_TRUSTED.

    [*] This parameter will be removed in a later patch when
    KEY_FLAG_TRUSTED is removed.

    The function should return 0 to allow the link to take place or an
    error (typically -ENOKEY, -ENOPKG or -EKEYREJECTED) to reject the
    link.

    The pointer should not be set directly, but rather should be set
    through keyring_alloc().

    Note that if called during add_key(), preparse is called before this
    method, but a key isn't actually allocated until after this function
    is called.

    (2) KEY_ALLOC_BYPASS_RESTRICTION is added. This can be passed to
    key_create_or_update() or key_instantiate_and_link() to bypass the
    restriction check.

    (3) KEY_FLAG_TRUSTED_ONLY is removed. The entire contents of a keyring
    with this restriction emplaced can be considered 'trustworthy' by
    virtue of being in the keyring when that keyring is consulted.

    (4) key_alloc() and keyring_alloc() take an extra argument that will be
    used to set restrict_link in the new key. This ensures that the
    pointer is set before the key is published, thus preventing a window
    of unrestrictedness. Normally this argument will be NULL.

    (5) As a temporary affair, keyring_restrict_trusted_only() is added. It
    should be passed to keyring_alloc() as the extra argument instead of
    setting KEY_FLAG_TRUSTED_ONLY on a keyring. This will be replaced in
    a later patch with functions that look in the appropriate places for
    authoritative keys.

    Signed-off-by: David Howells
    Reviewed-by: Mimi Zohar

    David Howells
     
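For the three David Howells commits above (IMA keyrings trusting keys signed by the builtin or secondary system keyrings, trust decided at __key_link() time from the destination keyring's contents, and the restrict_link vetting hook), the following is an added example in Python, not kernel code, that models the mechanism: a keyring carries a restriction fixed at allocation time, the restriction looks up the candidate key's authority in the trusted keyrings and verifies the signature, and ENOKEY, EKEYREJECTED and EPERM come back as the commit messages describe, with a bypass flag standing in for KEY_ALLOC_BYPASS_RESTRICTION. The toy RSA with tiny primes exists only so the chain can be checked for real in a few lines and has no security value; Key, Keyring, keyring_alloc, key_link, signed_by_any_of, issue and demo are this example's own names.

```python
"""Toy model of keyring link restrictions and the builtin/secondary trust chain."""
import hashlib
from dataclasses import dataclass, field

ENOKEY, EKEYREJECTED, EPERM = 126, 129, 1   # Linux errno values
BYPASS_RESTRICTION = 1 << 0                 # stands in for KEY_ALLOC_BYPASS_RESTRICTION


# --- toy RSA, so the example can really verify a signature chain (no security value) ---
def toy_keypair(p, q, e=17):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))      # public (n, e), private (n, d)

def toy_sign(private, data):
    n, d = private
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big") % n, d, n)

def toy_verify(public, data, sig):
    n, e = public
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def key_id(public):
    """Stand-in for an X.509 SubjectKeyIdentifier."""
    return hashlib.sha256(repr(public).encode()).hexdigest()[:16]


@dataclass
class Key:
    public: tuple
    auth_kid: str = None    # AuthorityKeyIdentifier, retained with the key
    signature: int = None   # issuer's signature over our public material

    @property
    def kid(self):
        return key_id(self.public)


@dataclass
class Keyring:
    name: str
    restrict_link: object = None    # set only through keyring_alloc()
    keys: list = field(default_factory=list)

    def search(self, kid):
        return next((k for k in self.keys if k.kid == kid), None)


def keyring_alloc(name, restrict_link=None):
    """The restriction is in place before the keyring is published: no window."""
    return Keyring(name, restrict_link)

def key_link(keyring, key, flags=0):
    """__key_link(): vet the candidate against the *destination* keyring, then link."""
    if keyring.restrict_link and not flags & BYPASS_RESTRICTION:
        err = keyring.restrict_link(keyring, key)
        if err:
            return err
    keyring.keys.append(key)
    return 0

def restrict_link_reject(dest, key):
    """Nothing may be linked in (used here for the builtin keyring)."""
    return EPERM

def find_signer(rings, kid):
    for ring in rings:
        signer = ring.search(kid)
        if signer is not None:
            return signer
    return None

def signed_by_any_of(trusted_rings):
    """Restriction in the spirit of restrict_link_by_builtin_trusted(): the
    candidate must be signed by a key already present in one of trusted_rings."""
    def restrict(dest, key):
        signer = find_signer(trusted_rings, key.auth_kid)
        if signer is None:
            return ENOKEY            # no authoritative key available
        if not toy_verify(signer.public, repr(key.public).encode(), key.signature):
            return EKEYREJECTED      # authority known, signature does not check out
        return 0
    return restrict

def issue(issuer_pub, issuer_priv, p, q):
    """Mint a key signed by the issuer, like a CA issuing a certificate."""
    pub, priv = toy_keypair(p, q)
    return Key(pub, key_id(issuer_pub), toy_sign(issuer_priv, repr(pub).encode())), priv


def demo():
    builtin = keyring_alloc(".builtin_trusted_keys", restrict_link_reject)
    root_pub, root_priv = toy_keypair(61, 53)
    key_link(builtin, Key(root_pub), BYPASS_RESTRICTION)       # compiled-in CA
    secondary = keyring_alloc(".secondary_trusted_keys", signed_by_any_of([builtin]))
    ima = keyring_alloc(".ima", signed_by_any_of([builtin, secondary]))

    inter, inter_priv = issue(root_pub, root_priv, 67, 71)
    leaf, _ = issue(inter.public, inter_priv, 73, 79)
    rogue_pub, rogue_priv = toy_keypair(83, 89)                # CA nobody trusts
    rogue_leaf, _ = issue(rogue_pub, rogue_priv, 97, 101)
    n_inter = inter.public[0]          # x -> x^e is a bijection mod n, so a
    forged = Key(leaf.public, inter.kid, (leaf.signature + 1) % n_inter)  # +1 never verifies

    return {
        "leaf_before_chain": key_link(ima, leaf),         # ENOKEY: intermediate not yet trusted
        "intermediate":      key_link(secondary, inter),  # 0: signed by the builtin root
        "leaf_after_chain":  key_link(ima, leaf),         # 0: chain root -> inter -> leaf
        "rogue_leaf":        key_link(ima, rogue_leaf),   # ENOKEY: unknown authority
        "forged":            key_link(ima, forged),       # EKEYREJECTED
        "into_builtin":      key_link(builtin, inter),    # EPERM: builtin admits no links
    }
```

The "into_builtin" case shows the point the second commit makes: a key accepted into the secondary keyring earns trust only there and does not become linkable into the builtin keyring, whose restriction rejects everything.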

28 Mar, 2016

1 commit


21 Feb, 2016

9 commits

  • Require the IMA policy to be signed when additional rules can be added.

    v1:
    - initialize the policy flag
    - include IMA_APPRAISE_POLICY in the policy flag

    Signed-off-by: Mimi Zohar
    Acked-by: Petko Manolov
    Acked-by: Dmitry Kasatkin

    Mimi Zohar
     
  • Add support for measuring and appraising the IMA policy itself.

    Changelog v4:
    - use braces on both if/else branches, even if single line on one of the
    branches - Dmitry
    - Use the id mapping - Dmitry

    Signed-off-by: Mimi Zohar
    Acked-by: Petko Manolov
    Acked-by: Dmitry Kasatkin

    Mimi Zohar
     
  • We currently cannot do appraisal or signature vetting of IMA policies
    since we currently can only load IMA policies by writing the contents
    of the policy directly in, as follows:

    cat policy-file > /ima/policy

    If we provide the kernel the path to the IMA policy so it can load
    the policy itself it'd be able to later appraise or vet the file
    signature if it has one. This patch adds support to load the IMA
    policy with a given path as follows:

    echo /etc/ima/ima_policy > /sys/kernel/security/ima/policy

    Changelog v4+:
    - moved kernel_read_file_from_path() error messages to callers
    v3:
    - moved kernel_read_file_from_path() to a separate patch
    v2:
    - after re-ordering the patches, replace calling integrity_kernel_read()
    to read the file with kernel_read_file_from_path() (Mimi)
    - Patch description re-written by Luis R. Rodriguez

    Signed-off-by: Dmitry Kasatkin
    Signed-off-by: Mimi Zohar

    Dmitry Kasatkin
     
  • Add IMA policy support for measuring/appraising the kexec image and
    initramfs. Two new IMA policy identifiers KEXEC_KERNEL_CHECK and
    KEXEC_INITRAMFS_CHECK are defined.

    Example policy rules:

        measure func=KEXEC_KERNEL_CHECK
        appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig
        measure func=KEXEC_INITRAMFS_CHECK
        appraise func=KEXEC_INITRAMFS_CHECK appraise_type=imasig

    Moving the enumeration to the vfs layer simplified the patches, allowing
    the IMA changes, for the most part, to be separated from the other
    changes. Unfortunately, passing either a kernel_read_file_id or a
    ima_hooks enumeration within IMA is messy.

    Option 1: duplicate kernel_read_file enumeration in ima_hooks

        enum kernel_read_file_id {
            ...
            READING_KEXEC_IMAGE,
            READING_KEXEC_INITRAMFS,
            READING_MAX_ID

        enum ima_hooks {
            ...
            KEXEC_KERNEL_CHECK
            KEXEC_INITRAMFS_CHECK

    Option 2: define ima_hooks as extension of kernel_read_file
    eg: enum ima_hooks {
            FILE_CHECK = READING_MAX_ID,
            MMAP_CHECK,

    In order to pass both kernel_read_file_id and ima_hooks values, we
    would need to specify a struct containing a union.

        struct caller_id {
            union {
                enum ima_hooks func_id;
                enum kernel_read_file_id read_id;
            };
        };

    Option 3: incorporate the ima_hooks enumeration into kernel_read_file_id,
    perhaps changing the enumeration name.

    For now, duplicate the new READING_KEXEC_IMAGE/INITRAMFS in the ima_hooks.

    Changelog v4:
    - replaced switch statement with a kernel_read_file_id to an ima_hooks
    id mapping array - Dmitry
    - renamed ima_hook tokens KEXEC_CHECK and INITRAMFS_CHECK to
    KEXEC_KERNEL_CHECK and KEXEC_INITRAMFS_CHECK respectively - Dave Young

    Signed-off-by: Mimi Zohar
    Acked-by: Petko Manolov
    Acked-by: Dmitry Kasatkin
    Cc: Dave Young

    Mimi Zohar
     
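As an added example (not the kernel's ima_policy.c) covering the KEXEC_KERNEL_CHECK/KEXEC_INITRAMFS_CHECK rules just above and the "pcr=" rule option from the 30 Jun 2016 series, the following Python parses IMA policy text, rejects out-of-range pcr= values the way INVALID_PCR does, and walks the rules as the kernel's policy match does (first matching rule per action class wins), returning the rule-specific PCR for the matched measure rule. The option subset, the 64-bit width assumed for the measured-PCR bitmask, exact-string matching of mask= and obj_type=, and the sample policy are this example's own simplifications.

```python
"""Parser and matcher for IMA policy rules (added example, not kernel code)."""
from dataclasses import dataclass

DEFAULT_PCR = 10   # Kconfig default IMA PCR, used when a rule carries no pcr=
PCR_BITS = 64      # assumed width of the measured_pcrs bitmask (unsigned long on 64-bit)

ACTIONS = {"measure", "dont_measure", "appraise", "dont_appraise", "audit"}
FUNCS = {"FILE_CHECK", "MMAP_CHECK", "BPRM_CHECK", "MODULE_CHECK", "FIRMWARE_CHECK",
         "KEXEC_KERNEL_CHECK", "KEXEC_INITRAMFS_CHECK", "POLICY_CHECK"}
MASKS = {"MAY_READ", "MAY_WRITE", "MAY_EXEC", "MAY_APPEND"}
OPTIONS = {"func", "mask", "obj_type", "appraise_type", "pcr"}   # subset used here


class PolicyError(ValueError):
    """Raised for a rule the kernel would reject with -EINVAL."""


@dataclass
class Rule:
    action: str
    func: str = None
    mask: str = None
    obj_type: str = None
    appraise_type: str = None
    pcr: int = DEFAULT_PCR


def parse_rule(line):
    tokens = line.split()
    if not tokens or tokens[0] not in ACTIONS:
        raise PolicyError(f"bad action in {line!r}")
    rule = Rule(tokens[0])
    for tok in tokens[1:]:
        key, sep, value = tok.partition("=")
        if not sep or key not in OPTIONS:
            raise PolicyError(f"unknown option {tok!r}")
        if key == "func" and value not in FUNCS:
            raise PolicyError(f"unknown func {value!r}")
        if key == "mask" and value not in MASKS:
            raise PolicyError(f"unknown mask {value!r}")
        if key == "appraise_type" and value != "imasig":
            raise PolicyError(f"unknown appraise_type {value!r}")
        if key == "pcr":
            # mirrors INVALID_PCR(): the PCR must fit in the measured_pcrs bitmask
            if not value.isdigit() or int(value) >= PCR_BITS:
                raise PolicyError(f"invalid pcr {value!r}")
            value = int(value)
        setattr(rule, key, value)
    return rule


def parse_policy(text):
    """Parse a whole policy file; blank lines and '#' comments are skipped."""
    return [parse_rule(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def rule_matches(rule, func, mask, obj_type):
    return ((rule.func is None or rule.func == func)
            and (rule.mask is None or rule.mask == mask)
            and (rule.obj_type is None or rule.obj_type == obj_type))


def evaluate(rules, func, mask=None, obj_type=None):
    """Walk the rules; the first match per action class (measure/appraise/audit)
    decides.  Maps class -> matched Rule, or None when a dont_* rule matched first."""
    decided = {}
    for rule in rules:
        negative = rule.action.startswith("dont_")
        cls = rule.action[5:] if negative else rule.action
        if cls in decided or not rule_matches(rule, func, mask, obj_type):
            continue
        decided[cls] = None if negative else rule
    return decided


def pcr_for(rules, func, mask=None, obj_type=None):
    """PCR the matched measure rule extends, or None if the event is not measured."""
    rule = evaluate(rules, func, mask, obj_type).get("measure")
    return None if rule is None else rule.pcr


# Constructed sample policy combining the rules quoted in the commit messages.
SAMPLE_POLICY = """
# kexec image and initramfs: measure and require an IMA signature
measure func=KEXEC_KERNEL_CHECK
appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig
measure func=KEXEC_INITRAMFS_CHECK
appraise func=KEXEC_INITRAMFS_CHECK appraise_type=imasig
# system configuration files go to PCR 11, other reads to the default PCR
measure func=FILE_CHECK mask=MAY_READ obj_type=system_conf_t pcr=11
measure func=FILE_CHECK mask=MAY_READ
"""

if __name__ == "__main__":
    rules = parse_policy(SAMPLE_POLICY)
    print("system_conf_t read ->", pcr_for(rules, "FILE_CHECK", "MAY_READ", "system_conf_t"))
    print("other read         ->", pcr_for(rules, "FILE_CHECK", "MAY_READ", "etc_t"))
    print("kexec kernel       ->", evaluate(rules, "KEXEC_KERNEL_CHECK"))
```

Rule order matters: had the generic "measure func=FILE_CHECK mask=MAY_READ" line come first, it would have claimed every read and the pcr=11 rule would never be reached, which is the kind of mistake a parser like this makes visible before the policy is loaded.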
  • Each time a file is read by the kernel, the file should be re-measured and
    the file signature re-appraised, based on policy. As there is no need to
    preserve the status information, this patch replaces the firmware and
    module specific cache status with a generic one named read_file.

    This change simplifies adding support for other files read by the kernel.

    Signed-off-by: Mimi Zohar
    Acked-by: Petko Manolov
    Acked-by: Dmitry Kasatkin

    Mimi Zohar
     
  • Replace copy_module_from_fd() with kernel_read_file_from_fd().

    Although none of the upstreamed LSMs define a kernel_module_from_file
    hook, IMA is called, based on policy, to prevent unsigned kernel modules
    from being loaded by the original kernel module syscall and to
    measure/appraise signed kernel modules.

    The security function security_kernel_module_from_file() was called prior
    to reading a kernel module. Preventing unsigned kernel modules from being
    loaded by the original kernel module syscall remains on the pre-read
    kernel_read_file() security hook. Instead of reading the kernel module
    twice, once for measuring/appraising and again for loading the kernel
    module, the signature validation is moved to the kernel_post_read_file()
    security hook.

    This patch removes the security_kernel_module_from_file() hook and security
    call.

    Signed-off-by: Mimi Zohar
    Acked-by: Kees Cook
    Acked-by: Luis R. Rodriguez
    Cc: Rusty Russell

    Mimi Zohar
     
  • The kernel_read_file security hook is called prior to reading the file
    into memory.

    Changelog v4+:
    - export security_kernel_read_file()

    Signed-off-by: Mimi Zohar
    Acked-by: Kees Cook
    Acked-by: Luis R. Rodriguez
    Acked-by: Casey Schaufler

    Mimi Zohar
     
  • Replace the fw_read_file_contents with kernel_file_read_from_path().

    Although none of the upstreamed LSMs define a kernel_fw_from_file hook,
    IMA is called by the security function to prevent unsigned firmware from
    being loaded and to measure/appraise signed firmware, based on policy.

    Instead of reading the firmware twice, once for measuring/appraising the
    firmware and again for reading the firmware contents into memory, the
    kernel_post_read_file() security hook calculates the file hash based on
    the in memory file buffer. The firmware is read once.

    This patch removes the LSM kernel_fw_from_file() hook and security call.

    Changelog v4+:
    - revert dropped buf->size assignment - reported by Sergey Senozhatsky
    v3:
    - remove kernel_fw_from_file hook
    - use kernel_file_read_from_path() - requested by Luis
    v2:
    - reordered and squashed firmware patches
    - fix MAX firmware size (Kees Cook)

    Signed-off-by: Mimi Zohar
    Acked-by: Kees Cook
    Acked-by: Luis R. Rodriguez

    Mimi Zohar
     
  • This patch defines a new IMA hook ima_post_read_file() for measuring
    and appraising files read by the kernel. The caller loads the file into
    memory before calling this function, which calculates the hash followed by
    the normal IMA policy based processing.

    Changelog v5:
    - fail ima_post_read_file() if either file or buf is NULL
    v3:
    - rename ima_hash_and_process_file() to ima_post_read_file()

    v1:
    - split patch

    Signed-off-by: Mimi Zohar
    Acked-by: Dmitry Kasatkin

    Mimi Zohar
     

19 Feb, 2016

5 commits


09 Feb, 2016

1 commit


23 Jan, 2016

1 commit

  • parallel to mutex_{lock,unlock,trylock,is_locked,lock_nested},
    inode_foo(inode) being mutex_foo(&inode->i_mutex).

    Please, use those for access to ->i_mutex; over the coming cycle
    ->i_mutex will become rwsem, with ->lookup() done with it held
    only shared.

    Signed-off-by: Al Viro

    Al Viro
     

04 Jan, 2016

1 commit

  • There is no need to hold the ima_write_mutex for so long. We only need it
    around ima_parse_add_rule().

    Changelog:
    - The return path now takes into account failed kmalloc() call.

    Reported-by: Al Viro
    Signed-off-by: Petko Manolov
    Signed-off-by: Mimi Zohar

    Petko Manolov
     

25 Dec, 2015

1 commit

  • Commit "IMA: policy can now be updated multiple times" assumed that the
    policy would be updated at least once.

    If there are zero updates, the temporary list head object will get added
    to the policy list, and later dereferenced as an IMA policy object, which
    means that invalid memory will be accessed.

    Changelog:
    - Move list_empty() test to ima_release_policy(), before audit msg - Mimi

    Signed-off-by: Sasha Levin
    Signed-off-by: Mimi Zohar

    Sasha Levin