13 Apr, 2014

2 commits

  • Pull vfs updates from Al Viro:
    "The first vfs pile, with deep apologies for being very late in this
    window.

    Assorted cleanups and fixes, plus a large preparatory part of iov_iter
    work. There's a lot more of that, but it'll probably go into the next
    merge window - it *does* shape up nicely, removes a lot of
    boilerplate, gets rid of locking inconsistencies between aio_write and
    splice_write and I hope to get Kent's direct-io rewrite merged into
    the same queue, but some of the stuff after this point is having
    (mostly trivial) conflicts with the things already merged into
    mainline and with some I want more testing.

    This one passes LTP and xfstests without regressions, in addition to
    usual beating. BTW, readahead02 in ltp syscalls testsuite has started
    giving failures since "mm/readahead.c: fix readahead failure for
    memoryless NUMA nodes and limit readahead pages" - might be a false
    positive, might be a real regression..."

    * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (63 commits)
    missing bits of "splice: fix racy pipe->buffers uses"
    cifs: fix the race in cifs_writev()
    ceph_sync_{,direct_}write: fix an oops on ceph_osdc_new_request() failure
    kill generic_file_buffered_write()
    ocfs2_file_aio_write(): switch to generic_perform_write()
    ceph_aio_write(): switch to generic_perform_write()
    xfs_file_buffered_aio_write(): switch to generic_perform_write()
    export generic_perform_write(), start getting rid of generic_file_buffer_write()
    generic_file_direct_write(): get rid of ppos argument
    btrfs_file_aio_write(): get rid of ppos
    kill the 5th argument of generic_file_buffered_write()
    kill the 4th argument of __generic_file_aio_write()
    lustre: don't open-code kernel_recvmsg()
    ocfs2: don't open-code kernel_recvmsg()
    drbd: don't open-code kernel_recvmsg()
    constify blk_rq_map_user_iov() and friends
    lustre: switch to kernel_sendmsg()
    ocfs2: don't open-code kernel_sendmsg()
    take iov_iter stuff to mm/iov_iter.c
    process_vm_access: tidy up a bit
    ...

    Linus Torvalds
     
  • Pull audit updates from Eric Paris.

    * git://git.infradead.org/users/eparis/audit: (28 commits)
    AUDIT: make audit_is_compat depend on CONFIG_AUDIT_COMPAT_GENERIC
    audit: renumber AUDIT_FEATURE_CHANGE into the 1300 range
    audit: do not cast audit_rule_data pointers pointlesly
    AUDIT: Allow login in non-init namespaces
    audit: define audit_is_compat in kernel internal header
    kernel: Use RCU_INIT_POINTER(x, NULL) in audit.c
    sched: declare pid_alive as inline
    audit: use uapi/linux/audit.h for AUDIT_ARCH declarations
    syscall_get_arch: remove useless function arguments
    audit: remove stray newline from audit_log_execve_info() audit_panic() call
    audit: remove stray newlines from audit_log_lost messages
    audit: include subject in login records
    audit: remove superfluous new- prefix in AUDIT_LOGIN messages
    audit: allow user processes to log from another PID namespace
    audit: anchor all pid references in the initial pid namespace
    audit: convert PPIDs to the inital PID namespace.
    pid: get pid_t ppid of task in init_pid_ns
    audit: rename the misleading audit_get_context() to audit_take_context()
    audit: Add generic compat syscall support
    audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL
    ...

    Linus Torvalds
     

02 Apr, 2014

1 commit


20 Mar, 2014

1 commit


08 Mar, 2014

11 commits

  • If keys are not enabled, EVM is not visible in the configuration menu.
    It may be difficult to figure out what to do unless you really know.
    Other subsystems such as NFS and CIFS select keys automatically. This
    patch does the same.

    This patch also removes '(TRUSTED_KEYS=y || TRUSTED_KEYS=n)' dependency,
    which is unnecessary. EVM does not depend on trusted keys, but on
    encrypted keys. evm.h provides compile time dependency.

    Signed-off-by: Dmitry Kasatkin
    Signed-off-by: Mimi Zohar

    Dmitry Kasatkin
     
  • Memory allocation is unnecessary for empty files.
    This patch calculates the hash without memory allocation.

    Signed-off-by: Dmitry Kasatkin
    Signed-off-by: Mimi Zohar

    Dmitry Kasatkin
     
  • EVM does not use MD5 HMAC. Selection of CRYPTO_MD5 can be safely removed.

    Signed-off-by: Dmitry Kasatkin
    Signed-off-by: Mimi Zohar

    Dmitry Kasatkin
     
  • This is a small refactoring so ima_d_path() returns dentry name
    if path reconstruction fails. It simplifies callers actions
    and removes code duplication.

    Signed-off-by: Dmitry Kasatkin
    Signed-off-by: Mimi Zohar

    Dmitry Kasatkin
     
  • Between checkpatch changes (eg. sizeof) and inconsistencies between
    Lindent and checkpatch, unfixed checkpatch errors make it difficult
    to see new errors. This patch fixes them. Some lines with over 80 chars
    remained unchanged to improve code readability.

    The "extern" keyword is removed from internal evm.h to make it consistent
    with internal ima.h.

    Signed-off-by: Dmitry Kasatkin
    Signed-off-by: Mimi Zohar

    Dmitry Kasatkin
     
  • ima_inode_post_setattr() calls ima_must_appraise() to check if the
    file needs to be appraised. If it does not then it removes security.ima
    xattr. With the original policy matching code it might happen that even
    though a file needs to be appraised with the FILE_CHECK hook, it might not
    be for the POST_SETATTR hook. 'security.ima' might be erroneously removed.

    This patch treats POST_SETATTR as special wildcard function and will
    cause ima_must_appraise() to be true if any of the hooks rules matches.
    security.ima will not be removed if any of the hooks would require
    appraisal.

    Signed-off-by: Dmitry Kasatkin
    Signed-off-by: Mimi Zohar

    Dmitry Kasatkin
     
  • Convert printks to pr_.
    Add pr_fmt.
    Remove embedded prefixes.

    Signed-off-by: Joe Perches
    Signed-off-by: Mimi Zohar

    Joe Perches
     
  • Before this change, to correctly calculate the template digest for the
    'ima' template, the event name field (id: 'n') length was set to the fixed
    size of 256 bytes.

    This patch reduces the length of the event name field to the string
    length incremented by one (to make room for the termination character '\0')
    and handles the specific case of the digest calculation for the 'ima'
    template directly in ima_calc_field_array_hash_tfm().

    Signed-off-by: Roberto Sassu
    Signed-off-by: Mimi Zohar

    Roberto Sassu
     
  • With the new template mechanism introduced in IMA since kernel 3.13,
    the format of data sent through the binary_runtime_measurements interface
    is slightly changed. Now, for a generic measurement, the format of
    template data (after the template name) is:

    template_len | field1_len | field1 | ... | fieldN_len | fieldN

    In addition, fields containing a string now include the '\0' termination
    character.

    Instead, the format for the 'ima' template should be:

    SHA1 digest | event name length | event name

    It must be noted that while in the IMA 3.13 code 'event name length' is
    'IMA_EVENT_NAME_LEN_MAX + 1' (256 bytes), so that the template digest
    is calculated correctly, and 'event name' contains '\0', in the pre 3.13
    code 'event name length' is exactly the string length and 'event name'
    does not contain the termination character.

    The patch restores the behavior of the IMA code pre 3.13 for the 'ima'
    template so that legacy userspace tools obtain a consistent behavior
    when receiving data from the binary_runtime_measurements interface
    regardless of which kernel version is used.

    Signed-off-by: Roberto Sassu
    Cc: # 3.3.13: 3ce1217 ima: define template fields library
    Signed-off-by: Mimi Zohar

    Roberto Sassu
     
  • When we pass task->comm to audit_log_untrustedstring(), we need to pass it
    via get_task_comm() because task->comm can be changed to contain untrusted
    string by other threads after audit_log_untrustedstring() confirmed that
    task->comm does not contain untrusted string.

    Signed-off-by: Tetsuo Handa
    Signed-off-by: Mimi Zohar

    Tetsuo Handa
     
  • A const char pointer allocates memory for a pointer as well as for
    a string. This patch replaces a number of the const char pointers
    throughout IMA, with a static const char array.

    Suggested-by: David Howells
    Signed-off-by: Mimi Zohar
    Acked-by: David Howells

    Mimi Zohar
     

05 Mar, 2014

1 commit


17 Feb, 2014

1 commit


06 Feb, 2014

1 commit


06 Jan, 2014

1 commit


03 Jan, 2014

3 commits


03 Dec, 2013

2 commits

  • The new templates management mechanism records information associated
    to an event into an array of 'ima_field_data' structures and makes it
    available through the 'template_data' field of the 'ima_template_entry'
    structure (the element of the measurements list created by IMA).

    Since 'ima_field_data' contains dynamically allocated data (which length
    varies depending on the data associated to a selected template field),
    it is not enough to just free the memory reserved for a
    'ima_template_entry' structure if something goes wrong.

    This patch creates the new function ima_free_template_entry() which
    walks the array of 'ima_field_data' structures, frees the memory
    referenced by the 'data' pointer and finally the space reserved for
    the 'ima_template_entry' structure. Further, it replaces existing kfree()
    that have a pointer to an 'ima_template_entry' structure as argument
    with calls to the new function.

    Fixes: a71dc65: ima: switch to new template management mechanism
    Signed-off-by: Roberto Sassu
    Signed-off-by: Mimi Zohar

    Roberto Sassu
     
  • 7bc5f447ce9d0 (ima: define new function ima_alloc_init_template() to
    API) moved the initialization of 'entry' in ima_add_boot_aggregate() a
    bit more below, after the if (ima_used_chip).

    So, 'entry' is not initialized while being inside this if-block. So, we
    should not attempt to free it.

    Found by Coverity (CID: 1131971)

    Fixes: 7bc5f447ce9d0 (ima: define new function ima_alloc_init_template() to API)
    Signed-off-by: Christoph Paasch
    Signed-off-by: Mimi Zohar

    Christoph Paasch
     

30 Nov, 2013

1 commit

  • This patch stores the address of the 'template_fmt_copy' variable in a new
    variable, called 'template_fmt_ptr', so that the latter is passed as an
    argument of strsep() instead of the former. This modification is needed
    in order to correctly free the memory area referenced by
    'template_fmt_copy' (strsep() modifies the pointer of the passed string).

    Signed-off-by: Roberto Sassu
    Reported-by: Sebastian Ott
    Signed-off-by: Mimi Zohar
    Signed-off-by: James Morris

    Roberto Sassu
     

26 Nov, 2013

1 commit

  • This patch makes a copy of the 'template_fmt' function argument so that
    the latter will not be modified by strsep(), which does the splitting by
    replacing the given separator with '\0'.

     IMA: No TPM chip found, activating TPM-bypass!
     Unable to handle kernel pointer dereference at virtual kernel address 0000000000842000
     Oops: 0004 [#1] SMP
     Modules linked in:
     CPU: 3 PID: 1 Comm: swapper/0 Not tainted 3.12.0-rc2-00098-g3ce1217d6cd5 #17
     task: 000000003ffa0000 ti: 000000003ff84000 task.ti: 000000003ff84000
     Krnl PSW : 0704e00180000000 000000000044bf88 (strsep+0x7c/0xa0)
                R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 EA:3
     Krnl GPRS: 000000000000007c 000000000000007c 000000003ff87d90 0000000000821fd8
                0000000000000000 000000000000007c 0000000000aa37e0 0000000000aa9008
                0000000000000051 0000000000a114d8 0000000100000002 0000000000842bde
                0000000000842bdf 00000000006f97f0 000000000040062c 000000003ff87cf0
     Krnl Code: 000000000044bf7c: a7f4000a           brc     15,44bf90
                000000000044bf80: b90200cc           ltgr    %r12,%r12
               #000000000044bf84: a7840006           brc     8,44bf90
               >000000000044bf88: 9200c000           mvi     0(%r12),0
                000000000044bf8c: 41c0c001           la      %r12,1(%r12)
                000000000044bf90: e3c020000024       stg     %r12,0(%r2)
                000000000044bf96: b904002b           lgr     %r2,%r11
                000000000044bf9a: ebbcf0700004       lmg     %r11,%r12,112(%r15)
     Call Trace:
     ([] ima_init_template+0xa2/0x1bc)
      [] ima_init+0x7a/0xa8
      [] init_ima+0x24/0x40
      [] do_one_initcall+0x68/0x128
      [] kernel_init_freeable+0x20a/0x2b4
      [] kernel_init+0x30/0x178
      [] kernel_thread_starter+0x6/0xc
      [] kernel_thread_starter+0x0/0xc
     Last Breaking-Event-Address:
      [] strsep+0x36/0xa0

    Fixes commit: adf53a7 ima: new templates management mechanism

    Changelog v1:
    - make template_fmt 'const char *' (reported-by James Morris)
    - fix kstrdup memory leak (reported-by James Morris)

    Reported-by: Heiko Carstens
    Signed-off-by: Roberto Sassu
    Signed-off-by: Mimi Zohar
    Tested-by: Heiko Carstens

    Roberto Sassu
     

25 Nov, 2013

2 commits


24 Nov, 2013

1 commit

  • This reverts commit 217091dd7a7a1bdac027ddb7c5a25f6ac0b8e241, which
    caused the following build error:

    security/integrity/digsig.c:70:5: error: redefinition of ‘integrity_init_keyring’
    security/integrity/integrity.h:149:12: note: previous definition of ‘integrity_init_keyring’ w
    security/integrity/integrity.h:149:12: warning: ‘integrity_init_keyring’ defined but not used

    reported by Krzysztof Kolasa. Mimi says:

    "I made the classic mistake of requesting this patch to be upstreamed
    at the last second, rather than waiting until the next open window.

    At this point, the best course would probably be to revert the two
    commits and fix them for the next open window"

    Reported-by: Krzysztof Kolasa
    Acked-by: Mimi Zohar
    Signed-off-by: Linus Torvalds

    Linus Torvalds
     

01 Nov, 2013

2 commits

  • Require all keys added to the IMA keyring be signed by an
    existing trusted key on the system trusted keyring.

    Changelog:
    - define stub integrity_init_keyring() function (reported-by Fengguang Wu)
    - differentiate between regular and trusted keyring names.
    - replace printk with pr_info (D. Kasatkin)

    Signed-off-by: Mimi Zohar

    Mimi Zohar
     
  • This patch defines a new template called 'ima-sig', which includes
    the file signature in the template data, in addition to the file's
    digest and pathname.

    A template is composed of a set of fields. Associated with each
    field is an initialization and display function. This patch defines
    a new template field called 'sig', the initialization function
    ima_eventsig_init(), and the display function ima_show_template_sig().

    This patch modifies the .field_init() function definition to include
    the 'security.ima' extended attribute and length.

    Changelog:
    - remove unused code (Dmitry Kasatkin)
    - avoid calling ima_write_template_field_data() unnecessarily (Roberto Sassu)
    - rename DATA_FMT_SIG to DATA_FMT_HEX
    - cleanup ima_eventsig_init() based on Roberto's comments

    Signed-off-by: Mimi Zohar
    Signed-off-by: Dmitry Kasatkin
    Signed-off-by: Roberto Sassu

    Mimi Zohar
     

27 Oct, 2013

6 commits

  • All files labeled with 'security.ima' hashes, are hashed using the
    same hash algorithm. Changing from one hash algorithm to another,
    requires relabeling the filesystem. This patch defines a new xattr
    type, which includes the hash algorithm, permitting different files
    to be hashed with different algorithms.

    Signed-off-by: Dmitry Kasatkin
    Signed-off-by: Mimi Zohar

    Dmitry Kasatkin
     
  • The IMA measurement list contains two hashes - a template data hash
    and a filedata hash. The template data hash is committed to the TPM,
    which is limited, by the TPM v1.2 specification, to 20 bytes. The
    filedata hash is defined as 20 bytes as well.

    Now that support for variable length measurement list templates was
    added, the filedata hash is not limited to 20 bytes. This patch adds
    Kconfig support for defining larger default filedata hash algorithms
    and replacing the builtin default with one specified on the kernel
    command line.

    contains a list of hash algorithms. The
    Kconfig default hash algorithm is a subset of this list, but any hash
    algorithm included in the list can be specified at boot, using the
    'ima_hash=' kernel command line option.

    Changelog v2:
    - update Kconfig

    Changelog:
    - support hashes that are configured
    - use generic HASH_ALGO_ definitions
    - add Kconfig support
    - hash_setup must be called only once (Dmitry)
    - removed trailing whitespaces (Roberto Sassu)

    Signed-off-by: Mimi Zohar
    Signed-off-by: Roberto Sassu

    Mimi Zohar
     
  • This patch allows users to specify from the kernel command line the
    template descriptor, among those defined, that will be used to generate
    and display measurement entries. If a user specifies a wrong template,
    IMA reverts to the template descriptor set in the kernel configuration.

    Signed-off-by: Roberto Sassu
    Signed-off-by: Mimi Zohar

    Roberto Sassu
     
  • This patch adds a Kconfig option to select the default IMA
    measurement list template. The 'ima' template limited the
    filedata hash to 20 bytes and the pathname to 255 characters.
    The 'ima-ng' measurement list template permits larger hash
    digests and longer pathnames.

    Changelog:
    - keep 'select CRYPTO_HASH_INFO' in 'config IMA' section (Kconfig)
    (Roberto Sassu);
    - removed trailing whitespaces (Roberto Sassu).
    - Lindent fixes

    Signed-off-by: Mimi Zohar
    Signed-off-by: Roberto Sassu

    Mimi Zohar
     
  • The same hash algorithm should be used for calculating the file
    data hash for the IMA measurement list, as for appraising the file
    data integrity. (The appraise hash algorithm is stored in the
    'security.ima' extended attribute.) The exception is when the
    reference file data hash digest, stored in the extended attribute,
    is larger than the one supported by the template. In this case,
    the file data hash needs to be calculated twice, once for the
    measurement list and, again, for appraisal.

    Signed-off-by: Roberto Sassu
    Signed-off-by: Mimi Zohar

    Roberto Sassu
     
  • Different files might be signed based on different hash algorithms.
    This patch prefixes the audit log measurement hash with the hash
    algorithm.

    Changelog:
    - use generic HASH_ALGO definitions
    - use ':' as delimiter between the hash algorithm and the digest
    (Roberto Sassu)
    - always include the hash algorithm used when audit-logging a measurement

    Signed-off-by: Mimi Zohar
    Signed-off-by: Roberto Sassu
    Signed-off-by: Peter Moody

    Mimi Zohar
     

26 Oct, 2013

3 commits

  • This patch performs the switch to the new template mechanism by modifying
    the functions ima_alloc_init_template(), ima_measurements_show() and
    ima_ascii_measurements_show(). The old function ima_template_show() was
    removed as it is no longer needed. Also, if the template descriptor used
    to generate a measurement entry is not 'ima', the whole length of field
    data stored for an entry is provided before the data itself through the
    binary_runtime_measurement interface.

    Changelog:
    - unnecessary to use strncmp() (Mimi Zohar)
    - create new variable 'field' in ima_alloc_init_template() (Roberto Sassu)
    - use GFP_NOFS flag in ima_alloc_init_template() (Roberto Sassu)
    - new variable 'num_fields' in ima_store_template() (Roberto Sassu,
    proposed by Mimi Zohar)
    - rename ima_calc_buffer_hash/template_hash() to ima_calc_field_array_hash(),
    something more generic (Mimi, requested by Dmitry)
    - sparse error fix - Fengguang Wu
    - fix lindent warnings
    - always include the field length in the template data length
    - include the template field length variable size in the template data length
    - include both the template field data and field length in the template digest
    calculation. Simplifies verifying the template digest. (Mimi)

    Signed-off-by: Roberto Sassu
    Signed-off-by: Mimi Zohar

    Roberto Sassu
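    The two record layouts described in this log (the legacy 'ima' layout
    "SHA1 digest | event name length | event name" from the 3.13 fix above, and
    the generic "template_len | field1_len | field1 | ... | fieldN_len | fieldN"
    layout with the field length folded into the template digest from this
    commit) as a parser and digest checker. This is an added example, not kernel
    code; the per-record header (u32 PCR, 20-byte template digest, u32 name
    length, name), little-endian u32 lengths, and the field contents of the
    sample records are assumptions made for the example.

```python
# Added example (not kernel code): parse IMA binary_runtime_measurements records
# and recompute the template digest for the legacy 'ima' and the 'ima-ng' layouts.
import hashlib
import struct

IMA_EVENT_NAME_LEN_MAX = 255   # 'ima' template: event name is at most 255 chars
SHA1_LEN = 20                  # TPM 1.2 PCR extend value size


def template_digest(name, fields):
    """Recompute the template digest that is extended into the PCR.

    Assumed rules, taken from the commit text: the 'ima' template hashes the
    file digest followed by the event name zero-padded to 256 bytes and no
    length fields; every other template hashes u32 field length + field data
    for each field in order.
    """
    h = hashlib.sha1()
    if name == "ima":
        fdigest, ev_name = fields
        if len(ev_name) > IMA_EVENT_NAME_LEN_MAX:
            raise ValueError("event name too long for the 'ima' template")
        h.update(fdigest)
        h.update(ev_name.ljust(IMA_EVENT_NAME_LEN_MAX + 1, b"\0"))
    else:
        for f in fields:
            h.update(struct.pack("<I", len(f)))   # assumed native little-endian
            h.update(f)
    return h.digest()


def parse_entries(buf):
    """Return [(pcr, template_digest, template_name, [field bytes...]), ...]."""
    entries, off = [], 0
    while off < len(buf):
        pcr, = struct.unpack_from("<I", buf, off); off += 4
        tdigest = buf[off:off + SHA1_LEN]; off += SHA1_LEN
        name_len, = struct.unpack_from("<I", buf, off); off += 4
        name = buf[off:off + name_len].decode(); off += name_len
        if name == "ima":
            # legacy layout: SHA1 digest | event name length | event name (no '\0')
            fdigest = buf[off:off + SHA1_LEN]; off += SHA1_LEN
            ev_len, = struct.unpack_from("<I", buf, off); off += 4
            fields = [fdigest, buf[off:off + ev_len]]; off += ev_len
        else:
            # template_len | field1_len | field1 | ... | fieldN_len | fieldN
            total, = struct.unpack_from("<I", buf, off); off += 4
            end, fields = off + total, []
            while off < end:
                flen, = struct.unpack_from("<I", buf, off); off += 4
                fields.append(buf[off:off + flen]); off += flen
            if off != end:
                raise ValueError("field lengths do not add up to template_len")
        entries.append((pcr, tdigest, name, fields))
    return entries


def verify(buf):
    """[(template_name, fields, ok)]; ok means the recorded digest recomputes."""
    return [(n, f, template_digest(n, f) == d) for _, d, n, f in parse_entries(buf)]


def build_entry(pcr, name, fields):
    """Serialize one record (constructed sample data, inverse of parse_entries)."""
    if name == "ima":
        body = fields[0] + struct.pack("<I", len(fields[1])) + fields[1]
    else:
        payload = b"".join(struct.pack("<I", len(f)) + f for f in fields)
        body = struct.pack("<I", len(payload)) + payload
    hdr = struct.pack("<I", pcr) + template_digest(name, fields)
    return hdr + struct.pack("<I", len(name)) + name.encode() + body


# Constructed sample: one legacy 'ima' record and one 'ima-ng' record (d-ng|n-ng);
# the "sha256:\0" + digest encoding of 'd-ng' is an assumption of this example.
SAMPLE = (
    build_entry(10, "ima", [hashlib.sha1(b"file-a").digest(), b"/bin/true"])
    + build_entry(10, "ima-ng", [b"sha256:\0" + hashlib.sha256(b"file-b").digest(),
                                  b"/bin/false\0"])
)
```

    Flipping a single byte of a field in the blob makes that record's digest
    check fail while the other record still verifies.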
     
  • This patch adds support for the new template 'ima-ng', whose format
    is defined as 'd-ng|n-ng'. These new field definitions remove the
    size limitations of the original 'ima' template. Further, the 'd-ng'
    field prefixes the inode digest with the hash algorithm, when
    displaying the new larger digest sizes.

    Change log:
    - scripts/Lindent fixes - Mimi
    - "always true comparison" - reported by Fengguang Wu, resolved Dmitry
    - initialize hash_algo variable to HASH_ALGO__LAST
    - always prefix digest with hash algorithm - Mimi

    Signed-off-by: Roberto Sassu
    Signed-off-by: Mimi Zohar

    Roberto Sassu
     
  • This patch defines a library containing two initial template fields,
    inode digest (d) and file name (n), the 'ima' template descriptor,
    whose format is 'd|n', and two helper functions,
    ima_write_template_field_data() and ima_show_template_field_data().

    Changelog:
    - replace ima_eventname_init() parameter NULL checking with BUG_ON.
    (suggested by Mimi)
    - include "new template fields for inode digest (d) and file name (n)"
    definitions to fix a compiler warning. - Mimi
    - unnecessary to prefix static function names with 'ima_'. remove
    prefix to resolve Lindent formatting changes. - Mimi
    - abbreviated/removed inline comments - Mimi
    - always send the template field length - Mimi

    Signed-off-by: Roberto Sassu
    Signed-off-by: Mimi Zohar

    Roberto Sassu