diff options
| author | Olof Johansson <olof@lixom.net> | 2013-07-12 10:59:39 -0700 |
|---|---|---|
| committer | Olof Johansson <olof@lixom.net> | 2013-07-12 10:59:39 -0700 |
| commit | f4b96f5e4ff8d86699c851c10245e102809b0331 (patch) | |
| tree | f766102263bed71738431cabb4d4f6f086005cd8 /security/integrity | |
| parent | 9d8812df35be58a5da0c44182c1e4ba2507cc6a7 (diff) | |
| parent | c24a6ae18abde53b048372b066b93b71b1b91154 (diff) | |
| download | op-kernel-dev-f4b96f5e4ff8d86699c851c10245e102809b0331.zip op-kernel-dev-f4b96f5e4ff8d86699c851c10245e102809b0331.tar.gz | |
Merge tag 'omap-for-v3.11/fixes-for-merge-window' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap into fixes
Omap fixes and minor defconfig updates that would be good to
get in before -rc1.
* tag 'omap-for-v3.11/fixes-for-merge-window' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap:
ARM: OMAP2+: omap2plus_defconfig: Enable appended DTB support
ARM: OMAP2+: Enable TI_EDMA in omap2plus_defconfig
ARM: OMAP2+: omap2plus_defconfig: enable DRA752 thermal support by default
ARM: OMAP2+: omap2plus_defconfig: enable TI bandgap driver
ARM: OMAP2+: devices: remove duplicated include from devices.c
ARM: OMAP3: igep0020: Set DSS pins in correct mux mode.
ARM: OMAP2+: N900: enable N900-specific drivers even if device tree is enabled
ARM: OMAP2+: Cocci spatch "ptr_ret.spatch"
ARM: OMAP2+: Remove obsolete Makefile line
ARM: OMAP5: Enable Cortex A15 errata 798181
ARM: scu: provide inline dummy functions when SCU is not present
ARM: OMAP4: sleep: build OMAP4 specific functions only for OMAP4
ARM: OMAP2+: timer: initialize before using oh_name
Signed-off-by: Olof Johansson <olof@lixom.net>
Add/move/change conflicts in arch/arm/mach-omap2/Kconfig resolved.
Diffstat (limited to 'security/integrity')
| -rw-r--r-- | security/integrity/Kconfig | 15 | ||||
| -rw-r--r-- | security/integrity/Makefile | 1 | ||||
| -rw-r--r-- | security/integrity/evm/evm_main.c | 15 | ||||
| -rw-r--r-- | security/integrity/ima/Kconfig | 12 | ||||
| -rw-r--r-- | security/integrity/ima/Makefile | 1 | ||||
| -rw-r--r-- | security/integrity/ima/ima.h | 14 | ||||
| -rw-r--r-- | security/integrity/ima/ima_main.c | 2 | ||||
| -rw-r--r-- | security/integrity/integrity.h | 14 | ||||
| -rw-r--r-- | security/integrity/integrity_audit.c (renamed from security/integrity/ima/ima_audit.c) | 12 |
9 files changed, 51 insertions, 35 deletions
diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig index 4bb3a77..245c6d9 100644 --- a/security/integrity/Kconfig +++ b/security/integrity/Kconfig @@ -17,6 +17,21 @@ config INTEGRITY_SIGNATURE This is useful for evm and module keyrings, when keys are usually only added from initramfs. +config INTEGRITY_AUDIT + bool "Enables integrity auditing support " + depends on INTEGRITY && AUDIT + default y + help + In addition to enabling integrity auditing support, this + option adds a kernel parameter 'integrity_audit', which + controls the level of integrity auditing messages. + 0 - basic integrity auditing messages (default) + 1 - additional integrity auditing messages + + Additional informational integrity auditing messages would + be enabled by specifying 'integrity_audit=1' on the kernel + command line. + config INTEGRITY_ASYMMETRIC_KEYS boolean "Enable asymmetric keys support" depends on INTEGRITY_SIGNATURE diff --git a/security/integrity/Makefile b/security/integrity/Makefile index ebb6409..0f9cffb 100644 --- a/security/integrity/Makefile +++ b/security/integrity/Makefile @@ -3,6 +3,7 @@ # obj-$(CONFIG_INTEGRITY) += integrity.o +obj-$(CONFIG_INTEGRITY_AUDIT) += integrity_audit.o obj-$(CONFIG_INTEGRITY_SIGNATURE) += digsig.o obj-$(CONFIG_INTEGRITY_ASYMMETRIC_KEYS) += digsig_asymmetric.o diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index cdbde17..df0fa45 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c @@ -16,6 +16,7 @@ #include <linux/module.h> #include <linux/crypto.h> +#include <linux/audit.h> #include <linux/xattr.h> #include <linux/integrity.h> #include <linux/evm.h> @@ -24,6 +25,9 @@ int evm_initialized; +static char *integrity_status_msg[] = { + "pass", "fail", "no_label", "no_xattrs", "unknown" +}; char *evm_hmac = "hmac(sha1)"; char *evm_hash = "sha1"; int evm_hmac_version = CONFIG_EVM_HMAC_VERSION; @@ -262,9 +266,15 @@ static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name, if ((evm_status == INTEGRITY_PASS) || (evm_status == INTEGRITY_NOXATTRS)) return 0; - return -EPERM; + goto out; } evm_status = evm_verify_current_integrity(dentry); +out: + if (evm_status != INTEGRITY_PASS) + integrity_audit_msg(AUDIT_INTEGRITY_METADATA, dentry->d_inode, + dentry->d_name.name, "appraise_metadata", + integrity_status_msg[evm_status], + -EPERM, 0); return evm_status == INTEGRITY_PASS ? 0 : -EPERM; } @@ -357,6 +367,9 @@ int evm_inode_setattr(struct dentry *dentry, struct iattr *attr) if ((evm_status == INTEGRITY_PASS) || (evm_status == INTEGRITY_NOXATTRS)) return 0; + integrity_audit_msg(AUDIT_INTEGRITY_METADATA, dentry->d_inode, + dentry->d_name.name, "appraise_metadata", + integrity_status_msg[evm_status], -EPERM, 0); return -EPERM; } diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index d232c73..39196ab 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig @@ -38,18 +38,6 @@ config IMA_MEASURE_PCR_IDX that IMA uses to maintain the integrity aggregate of the measurement list. If unsure, use the default 10. -config IMA_AUDIT - bool "Enables auditing support" - depends on IMA - depends on AUDIT - default y - help - This option adds a kernel parameter 'ima_audit', which - allows informational auditing messages to be enabled - at boot. If this option is selected, informational integrity - auditing messages can be enabled with 'ima_audit=1' on - the kernel command line. - config IMA_LSM_RULES bool depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK) diff --git a/security/integrity/ima/Makefile b/security/integrity/ima/Makefile index 3f2ca6b..56dfee7 100644 --- a/security/integrity/ima/Makefile +++ b/security/integrity/ima/Makefile @@ -7,5 +7,4 @@ obj-$(CONFIG_IMA) += ima.o ima-y := ima_fs.o ima_queue.o ima_init.o ima_main.o ima_crypto.o ima_api.o \ ima_policy.o -ima-$(CONFIG_IMA_AUDIT) += ima_audit.o ima-$(CONFIG_IMA_APPRAISE) += ima_appraise.o diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index a41c9c1..b3dd616 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -62,20 +62,6 @@ struct ima_queue_entry { }; extern struct list_head ima_measurements; /* list of all measurements */ -#ifdef CONFIG_IMA_AUDIT -/* declarations */ -void integrity_audit_msg(int audit_msgno, struct inode *inode, - const unsigned char *fname, const char *op, - const char *cause, int result, int info); -#else -static inline void integrity_audit_msg(int audit_msgno, struct inode *inode, - const unsigned char *fname, - const char *op, const char *cause, - int result, int info) -{ -} -#endif - /* Internal IMA function definitions */ int ima_init(void); void ima_cleanup(void); diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 6c491a6..e9508d5 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -57,7 +57,7 @@ __setup("ima_hash=", hash_setup); static void ima_rdwr_violation_check(struct file *file) { struct dentry *dentry = file->f_path.dentry; - struct inode *inode = dentry->d_inode; + struct inode *inode = file_inode(file); fmode_t mode = file->f_mode; int must_measure; bool send_tomtou = false, send_writers = false; diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 84c37c4..c42fb7a 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -113,5 +113,19 @@ static inline int asymmetric_verify(struct key *keyring, const char *sig, } #endif +#ifdef CONFIG_INTEGRITY_AUDIT +/* declarations */ +void integrity_audit_msg(int audit_msgno, struct inode *inode, + const unsigned char *fname, const char *op, + const char *cause, int result, int info); +#else +static inline void integrity_audit_msg(int audit_msgno, struct inode *inode, + const unsigned char *fname, + const char *op, const char *cause, + int result, int info) +{ +} +#endif + /* set during initialization */ extern int iint_initialized; diff --git a/security/integrity/ima/ima_audit.c b/security/integrity/integrity_audit.c index c586faa..d7efb30 100644 --- a/security/integrity/ima/ima_audit.c +++ b/security/integrity/integrity_audit.c @@ -13,20 +13,20 @@ #include <linux/fs.h> #include <linux/gfp.h> #include <linux/audit.h> -#include "ima.h" +#include "integrity.h" -static int ima_audit; +static int integrity_audit_info; /* ima_audit_setup - enable informational auditing messages */ -static int __init ima_audit_setup(char *str) +static int __init integrity_audit_setup(char *str) { unsigned long audit; if (!strict_strtoul(str, 0, &audit)) - ima_audit = audit ? 1 : 0; + integrity_audit_info = audit ? 1 : 0; return 1; } -__setup("ima_audit=", ima_audit_setup); +__setup("integrity_audit=", integrity_audit_setup); void integrity_audit_msg(int audit_msgno, struct inode *inode, const unsigned char *fname, const char *op, @@ -34,7 +34,7 @@ void integrity_audit_msg(int audit_msgno, struct inode *inode, { struct audit_buffer *ab; - if (!ima_audit && audit_info == 1) /* Skip informational messages */ + if (!integrity_audit_info && audit_info == 1) /* Skip info messages */ return; ab = audit_log_start(current->audit_context, GFP_KERNEL, audit_msgno); |
