summaryrefslogtreecommitdiffstats
path: root/security/integrity
Commit message (Collapse)AuthorAgeFilesLines
* Merge branch 'next' of ↵Linus Torvalds2017-07-0512-177/+211
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security Pull security layer updates from James Morris: - a major update for AppArmor. From JJ: * several bug fixes and cleanups * the patch to add symlink support to securityfs that was floated on the list earlier and the apparmorfs changes that make use of securityfs symlinks * it introduces the domain labeling base code that Ubuntu has been carrying for several years, with several cleanups applied. And it converts the current mediation over to using the domain labeling base, which brings domain stacking support with it. This finally will bring the base upstream code in line with Ubuntu and provide a base to upstream the new feature work that Ubuntu carries. * This does _not_ contain any of the newer apparmor mediation features/controls (mount, signals, network, keys, ...) that Ubuntu is currently carrying, all of which will be RFC'd on top of this. - Notable also is the Infiniband work in SELinux, and the new file:map permission. From Paul: "While we're down to 21 patches for v4.13 (it was 31 for v4.12), the diffstat jumps up tremendously with over 2k of line changes. Almost all of these changes are the SELinux/IB work done by Daniel Jurgens; some other noteworthy changes include a NFS v4.2 labeling fix, a new file:map permission, and reporting of policy capabilities on policy load" There's also now genfscon labeling support for tracefs, which was lost in v4.1 with the separation from debugfs. - Smack incorporates a safer socket check in file_receive, and adds a cap_capable call in privilege check. - TPM as usual has a bunch of fixes and enhancements. - Multiple calls to security_add_hooks() can now be made for the same LSM, to allow LSMs to have hook declarations across multiple files. - IMA now supports different "ima_appraise=" modes (eg. log, fix) from the boot command line. * 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (126 commits) apparmor: put back designators in struct initialisers seccomp: Switch from atomic_t to recount_t seccomp: Adjust selftests to avoid double-join seccomp: Clean up core dump logic IMA: update IMA policy documentation to include pcr= option ima: Log the same audit cause whenever a file has no signature ima: Simplify policy_func_show. integrity: Small code improvements ima: fix get_binary_runtime_size() ima: use ima_parse_buf() to parse template data ima: use ima_parse_buf() to parse measurements headers ima: introduce ima_parse_buf() ima: Add cgroups2 to the defaults list ima: use memdup_user_nul ima: fix up #endif comments IMA: Correct Kconfig dependencies for hash selection ima: define is_ima_appraise_enabled() ima: define Kconfig IMA_APPRAISE_BOOTPARAM option ima: define a set of appraisal rules requiring file signatures ima: extend the "ima_policy" boot command line to support multiple policies ...
| * ima: Log the same audit cause whenever a file has no signatureThiago Jung Bauermann2017-06-211-1/+2
| | | | | | | | | | | | | | | | | | | | | | If the file doesn't have an xattr, ima_appraise_measurement sets cause to "missing-hash" while if there's an xattr but it's a digest instead of a signature it sets cause to "IMA-signature-required". Fix it by setting cause to "IMA-signature-required" in both cases. Signed-off-by: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
| * ima: Simplify policy_func_show.Thiago Jung Bauermann2017-06-212-62/+21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If the func_tokens array uses the same indices as enum ima_hooks, policy_func_show can be a lot simpler, and the func_* enum becomes unnecessary. Also, if we use the same macro trick used by kernel_read_file_id_str we can use one hooks list for both the enum and the string array, making sure they are always in sync (suggested by Mimi Zohar). Finally, by using the printf pattern for the function token directly instead of using the pt macro we can simplify policy_func_show even further and avoid needing a temporary buffer. Signed-off-by: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
| * integrity: Small code improvementsThiago Jung Bauermann2017-06-216-9/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | These changes are too small to warrant their own patches: The keyid and sig_size members of struct signature_v2_hdr are in BE format, so use a type that makes this assumption explicit. Also, use beXX_to_cpu instead of __beXX_to_cpu to read them. Change integrity_kernel_read to take a void * buffer instead of char * buffer, so that callers don't have to use a cast if they provide a buffer that isn't a char *. Add missing #endif comment in ima.h pointing out which macro it refers to. Add missing fall through comment in ima_appraise.c. Constify mask_tokens and func_tokens arrays. Signed-off-by: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
| * ima: fix get_binary_runtime_size()Roberto Sassu2017-06-211-1/+1
| | | | | | | | | | | | | | | | Remove '+ 1' from 'size += strlen(entry->template_desc->name) + 1;', as the template name is sent to userspace without the '\0' character. Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
| * ima: use ima_parse_buf() to parse template dataRoberto Sassu2017-06-211-31/+13
| | | | | | | | | | | | | | | | | | | | | | | | The binary_field_data structure definition has been removed from ima_restore_template_data(). The lengths and data pointers are directly stored into the template_data array of the ima_template_entry structure. For template data, both the number of fields and buffer end checks can be done, as these information are known (respectively from the template descriptor, and from the measurement header field). Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
| * ima: use ima_parse_buf() to parse measurements headersRoberto Sassu2017-06-211-52/+28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The binary_hdr_v1 and binary_data_v1 structures defined in ima_restore_measurement_list() have been replaced with an array of four ima_field_data structures where pcr, digest, template name and template data lengths and pointers are stored. The length of pcr and digest in the ima_field_data array and the bits in the bitmap are set before ima_parse_buf() is called. The ENFORCE_FIELDS bit is set for all entries except the last one (there is still data to parse), and ENFORCE_BUFEND is set only for the last entry. Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
| * ima: introduce ima_parse_buf()Roberto Sassu2017-06-212-0/+67
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ima_parse_buf() takes as input the buffer start and end pointers, and stores the result in a static array of ima_field_data structures, where the len field contains the length parsed from the buffer, and the data field contains the address of the buffer just after the length. Optionally, the function returns the current value of the buffer pointer and the number of array elements written. A bitmap has been added as parameter of ima_parse_buf() to handle the cases where the length is not prepended to data. Each bit corresponds to an element of the ima_field_data array. If a bit is set, the length is not parsed from the buffer, but is read from the corresponding element of the array (the length must be set before calling the function). ima_parse_buf() can perform three checks upon request by callers, depending on the enforce mask passed to it: - ENFORCE_FIELDS: matching of number of fields (length-data combination) - there must be enough data in the buffer to parse the number of fields requested (output: current value of buffer pointer) - ENFORCE_BUFEND: matching of buffer end - the ima_field_data array must be large enough to contain lengths and data pointers for the amount of data requested (output: number of fields written) - ENFORCE_FIELDS | ENFORCE_BUFEND: matching of both Use cases - measurement entry header: ENFORCE_FIELDS | ENFORCE_BUFEND - four fields must be parsed: pcr, digest, template name, template data - ENFORCE_BUFEND is enforced only for the last measurement entry - template digest (Crypto Agile): ENFORCE_BUFEND - since only the total template digest length is known, the function parses length-data combinations until the buffer end is reached - template data: ENFORCE_FIELDS | ENFORCE_BUFEND - since the number of fields and the total template data length are known, the function can perform both checks Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
| * ima: Add cgroups2 to the defaults listLaura Abbott2017-06-211-0/+3
| | | | | | | | | | | | | | | | cgroups2 is beginning to show up in wider usage. Add it to the default nomeasure/noappraise list like other filesystems. Signed-off-by: Laura Abbott <labbott@redhat.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
| * ima: use memdup_user_nulGeliang Tang2017-06-211-9/+4
| | | | | | | | | | | | | | | | Use memdup_user_nul() helper instead of open-coding to simplify the code. Signed-off-by: Geliang Tang <geliangtang@gmail.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
| * ima: fix up #endif commentsTycho Andersen2017-06-211-2/+2
| | | | | | | | | | | | | | | | While reading the code, I noticed that these #endif comments don't match how they're actually nested. This patch fixes that. Signed-off-by: Tycho Andersen <tycho@docker.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
| * IMA: Correct Kconfig dependencies for hash selectionBen Hutchings2017-06-211-4/+4
| | | | | | | | | | | | | | | | IMA uses the hash algorithm too early to be able to use a module. Require the selected hash algorithm to be built-in. Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
| * ima: define is_ima_appraise_enabled()Mimi Zohar2017-06-211-0/+10
| | | | | | | | | | | | | | | | | | Only return enabled if in enforcing mode, not fix or log modes. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Changes: - Define is_ima_appraise_enabled() as a bool (Thiago Bauermann)
| * ima: define Kconfig IMA_APPRAISE_BOOTPARAM optionMimi Zohar2017-06-212-0/+10
| | | | | | | | | | | | | | Permit enabling the different "ima_appraise=" modes (eg. log, fix) from the boot command line. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
| * ima: define a set of appraisal rules requiring file signaturesMimi Zohar2017-06-211-1/+25
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The builtin "ima_appraise_tcb" policy should require file signatures for at least a few of the hooks (eg. kernel modules, firmware, and the kexec kernel image), but changing it would break the existing userspace/kernel ABI. This patch defines a new builtin policy named "secure_boot", which can be specified on the "ima_policy=" boot command line, independently or in conjunction with the "ima_appraise_tcb" policy, by specifing ima_policy="appraise_tcb | secure_boot". The new appraisal rules requiring file signatures will be added prior to the "ima_appraise_tcb" rules. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Changelog: - Reference secure boot in the new builtin policy name. (Thiago Bauermann)
| * ima: extend the "ima_policy" boot command line to support multiple policiesMimi Zohar2017-06-211-5/+10
| | | | | | | | | | | | | | Add support for providing multiple builtin policies on the "ima_policy=" boot command line. Use "|" as the delimitor separating the policy names. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
* | fs: switch ->s_uuid to uuid_tChristoph Hellwig2017-06-052-2/+2
| | | | | | | | | | | | | | | | | | | | For some file systems we still memcpy into it, but in various places this already allows us to use the proper uuid helpers. More to come.. Signed-off-by: Christoph Hellwig <hch@lst.de> Reviewed-by: Amir Goldstein <amir73il@gmail.com> Acked-by: Mimi Zohar <zohar@linux.vnet.ibm.com> (Changes to IMA/EVM) Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
* | ima/policy: switch to use uuid_tChristoph Hellwig2017-06-051-6/+5
| | | | | | | | | | | | | | Signed-off-by: Christoph Hellwig <hch@lst.de> Reviewed-by: Amir Goldstein <amir73il@gmail.com> Acked-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
* | block: remove blk_part_pack_uuidChristoph Hellwig2017-06-051-2/+1
|/ | | | | | | | | | This helper was only used by IMA of all things, which would get spurious errors if CONFIG_BLOCK is disabled. Just opencode the call there. Signed-off-by: Christoph Hellwig <hch@lst.de> Reviewed-by: Amir Goldstein <amir73il@gmail.com> Acked-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
* Merge branch 'next' of ↵James Morris2017-04-192-34/+94
|\ | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity into next
| * ima: provide ">" and "<" operators for fowner/uid/euid rules.Mikhail Kurinnoi2017-03-131-28/+87
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | For now we have only "=" operator for fowner/uid/euid rules. This patch provide two more operators - ">" and "<" in order to make fowner/uid/euid rules more flexible. Examples of usage. Appraise all files owned by special and system users (SYS_UID_MAX 999): appraise fowner<1000 Don't appraise files owned by normal users (UID_MIN 1000): dont_appraise fowner>999 Appraise all files owned by users with UID 1000-1010: dont_appraise fowner>1010 appraise fowner>999 Changelog v3: - Removed code duplication in ima_parse_rule(). - Fix ima_policy_show() - (Mimi) Changelog v2: - Fixed default policy rules. Signed-off-by: Mikhail Kurinnoi <viewizard@viewizard.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> security/integrity/ima/ima_policy.c | 115 +++++++++++++++++++++++++++--------- 1 file changed, 87 insertions(+), 28 deletions(-)
| * ima: accept previously set IMA_NEW_FILEDaniel Glöckner2017-03-071-2/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Modifying the attributes of a file makes ima_inode_post_setattr reset the IMA cache flags. So if the file, which has just been created, is opened a second time before the first file descriptor is closed, verification fails since the security.ima xattr has not been written yet. We therefore have to look at the IMA_NEW_FILE even if the file already existed. With this patch there should no longer be an error when cat tries to open testfile: $ rm -f testfile $ ( echo test >&3 ; touch testfile ; cat testfile ) 3>testfile A file being new is no reason to accept that it is missing a digital signature demanded by the policy. Signed-off-by: Daniel Glöckner <dg@emlix.com> Cc: stable@vger.kernel.org Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
| * integrity: mark default IMA rules as __ro_after_initJames Morris2017-03-061-4/+4
| | | | | | | | | | | | | | | | The default IMA rules are loaded during init and then do not change, so mark them as __ro_after_init. Signed-off-by: James Morris <james.l.morris@oracle.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
* | KEYS: Use structure to capture key restriction function and dataMat Martineau2017-04-042-2/+18
|/ | | | | | | | | | | | | | Replace struct key's restrict_link function pointer with a pointer to the new struct key_restriction. The structure contains pointers to the restriction function as well as relevant data for evaluating the restriction. The garbage collector checks restrict_link->keytype when key types are unregistered. Restrictions involving a removed key type are converted to use restrict_link_reject so that restrictions cannot be removed by unregistering key types. Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
* sched/headers: Prepare to remove the <linux/magic.h> include from ↵Ingo Molnar2017-03-021-0/+2
| | | | | | | | | | | | | <linux/sched/task_stack.h> Update files that depend on the magic.h inclusion. Acked-by: Linus Torvalds <torvalds@linux-foundation.org> Cc: Mike Galbraith <efault@gmx.de> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: linux-kernel@vger.kernel.org Signed-off-by: Ingo Molnar <mingo@kernel.org>
* ima: allow to check MAY_APPENDLans Zhang2017-01-272-4/+5
| | | | | | | | Otherwise some mask and inmask tokens with MAY_APPEND flag may not work as expected. Signed-off-by: Lans Zhang <jia.zhang@windriver.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
* ima: fix ima_d_path() possible race with renameMimi Zohar2017-01-273-6/+24
| | | | | | | | | | | | | | On failure to return a pathname from ima_d_path(), a pointer to dname is returned, which is subsequently used in the IMA measurement list, the IMA audit records, and other audit logging. Saving the pointer to dname for later use has the potential to race with rename. Intead of returning a pointer to dname on failure, this patch returns a pointer to a copy of the filename. Reported-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Cc: stable@vger.kernel.org
* ima: platform-independent hash valueAndreas Steffen2016-12-201-2/+4
| | | | | | | | | | | | | | | | | | | | | | | For remote attestion it is important for the ima measurement values to be platform-independent. Therefore integer fields to be hashed must be converted to canonical format. Link: http://lkml.kernel.org/r/1480554346-29071-11-git-send-email-zohar@linux.vnet.ibm.com Signed-off-by: Andreas Steffen <andreas.steffen@strongswan.org> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Cc: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com> Cc: "Eric W. Biederman" <ebiederm@xmission.com> Cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com> Cc: Josh Sklar <sklar@linux.vnet.ibm.com> Cc: Dave Young <dyoung@redhat.com> Cc: Vivek Goyal <vgoyal@redhat.com> Cc: Baoquan He <bhe@redhat.com> Cc: Michael Ellerman <mpe@ellerman.id.au> Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org> Cc: Paul Mackerras <paulus@samba.org> Cc: Stewart Smith <stewart@linux.vnet.ibm.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* ima: define a canonical binary_runtime_measurements list formatMimi Zohar2016-12-205-13/+62
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The IMA binary_runtime_measurements list is currently in platform native format. To allow restoring a measurement list carried across kexec with a different endianness than the targeted kernel, this patch defines little-endian as the canonical format. For big endian systems wanting to save/restore the measurement list from a system with a different endianness, a new boot command line parameter named "ima_canonical_fmt" is defined. Considerations: use of the "ima_canonical_fmt" boot command line option will break existing userspace applications on big endian systems expecting the binary_runtime_measurements list to be in platform native format. Link: http://lkml.kernel.org/r/1480554346-29071-10-git-send-email-zohar@linux.vnet.ibm.com Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Acked-by: Dmitry Kasatkin <dmitry.kasatkin@gmail.com> Cc: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com> Cc: "Eric W. Biederman" <ebiederm@xmission.com> Cc: Andreas Steffen <andreas.steffen@strongswan.org> Cc: Josh Sklar <sklar@linux.vnet.ibm.com> Cc: Dave Young <dyoung@redhat.com> Cc: Vivek Goyal <vgoyal@redhat.com> Cc: Baoquan He <bhe@redhat.com> Cc: Michael Ellerman <mpe@ellerman.id.au> Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org> Cc: Paul Mackerras <paulus@samba.org> Cc: Stewart Smith <stewart@linux.vnet.ibm.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* ima: support restoring multiple template formatsMimi Zohar2016-12-201-3/+49
| | | | | | | | | | | | | | | | | | | | | | | | The configured IMA measurement list template format can be replaced at runtime on the boot command line, including a custom template format. This patch adds support for restoring a measuremement list containing multiple builtin/custom template formats. Link: http://lkml.kernel.org/r/1480554346-29071-9-git-send-email-zohar@linux.vnet.ibm.com Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Acked-by: Dmitry Kasatkin <dmitry.kasatkin@gmail.com> Cc: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com> Cc: "Eric W. Biederman" <ebiederm@xmission.com> Cc: Andreas Steffen <andreas.steffen@strongswan.org> Cc: Josh Sklar <sklar@linux.vnet.ibm.com> Cc: Dave Young <dyoung@redhat.com> Cc: Vivek Goyal <vgoyal@redhat.com> Cc: Baoquan He <bhe@redhat.com> Cc: Michael Ellerman <mpe@ellerman.id.au> Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org> Cc: Paul Mackerras <paulus@samba.org> Cc: Stewart Smith <stewart@linux.vnet.ibm.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* ima: store the builtin/custom template definitions in a listMimi Zohar2016-12-203-11/+43
| | | | | | | | | | | | | | | | | | | | | | | | | The builtin and single custom templates are currently stored in an array. In preparation for being able to restore a measurement list containing multiple builtin/custom templates, this patch stores the builtin and custom templates as a linked list. This will permit defining more than one custom template per boot. Link: http://lkml.kernel.org/r/1480554346-29071-8-git-send-email-zohar@linux.vnet.ibm.com Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Acked-by: Dmitry Kasatkin <dmitry.kasatkin@gmail.com> Cc: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com> Cc: "Eric W. Biederman" <ebiederm@xmission.com> Cc: Andreas Steffen <andreas.steffen@strongswan.org> Cc: Josh Sklar <sklar@linux.vnet.ibm.com> Cc: Dave Young <dyoung@redhat.com> Cc: Vivek Goyal <vgoyal@redhat.com> Cc: Baoquan He <bhe@redhat.com> Cc: Michael Ellerman <mpe@ellerman.id.au> Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org> Cc: Paul Mackerras <paulus@samba.org> Cc: Stewart Smith <stewart@linux.vnet.ibm.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* ima: on soft reboot, save the measurement listMimi Zohar2016-12-203-1/+119
| | | | | | | | | | | | | | | | | | | | | | | | | | The TPM PCRs are only reset on a hard reboot. In order to validate a TPM's quote after a soft reboot (eg. kexec -e), the IMA measurement list of the running kernel must be saved and restored on boot. This patch uses the kexec buffer passing mechanism to pass the serialized IMA binary_runtime_measurements to the next kernel. Link: http://lkml.kernel.org/r/1480554346-29071-7-git-send-email-zohar@linux.vnet.ibm.com Signed-off-by: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Acked-by: "Eric W. Biederman" <ebiederm@xmission.com> Acked-by: Dmitry Kasatkin <dmitry.kasatkin@gmail.com> Cc: Andreas Steffen <andreas.steffen@strongswan.org> Cc: Josh Sklar <sklar@linux.vnet.ibm.com> Cc: Dave Young <dyoung@redhat.com> Cc: Vivek Goyal <vgoyal@redhat.com> Cc: Baoquan He <bhe@redhat.com> Cc: Michael Ellerman <mpe@ellerman.id.au> Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org> Cc: Paul Mackerras <paulus@samba.org> Cc: Stewart Smith <stewart@linux.vnet.ibm.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* ima: maintain memory size needed for serializing the measurement listMimi Zohar2016-12-203-2/+64
| | | | | | | | | | | | | | | | | | | | | | In preparation for serializing the binary_runtime_measurements, this patch maintains the amount of memory required. Link: http://lkml.kernel.org/r/1480554346-29071-5-git-send-email-zohar@linux.vnet.ibm.com Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Acked-by: Dmitry Kasatkin <dmitry.kasatkin@gmail.com> Cc: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com> Cc: "Eric W. Biederman" <ebiederm@xmission.com> Cc: Andreas Steffen <andreas.steffen@strongswan.org> Cc: Josh Sklar <sklar@linux.vnet.ibm.com> Cc: Dave Young <dyoung@redhat.com> Cc: Vivek Goyal <vgoyal@redhat.com> Cc: Baoquan He <bhe@redhat.com> Cc: Michael Ellerman <mpe@ellerman.id.au> Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org> Cc: Paul Mackerras <paulus@samba.org> Cc: Stewart Smith <stewart@linux.vnet.ibm.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* ima: permit duplicate measurement list entriesMimi Zohar2016-12-201-6/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | Measurements carried across kexec need to be added to the IMA measurement list, but should not prevent measurements of the newly booted kernel from being added to the measurement list. This patch adds support for allowing duplicate measurements. The "boot_aggregate" measurement entry is the delimiter between soft boots. Link: http://lkml.kernel.org/r/1480554346-29071-4-git-send-email-zohar@linux.vnet.ibm.com Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Acked-by: Dmitry Kasatkin <dmitry.kasatkin@gmail.com> Cc: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com> Cc: "Eric W. Biederman" <ebiederm@xmission.com> Cc: Andreas Steffen <andreas.steffen@strongswan.org> Cc: Josh Sklar <sklar@linux.vnet.ibm.com> Cc: Dave Young <dyoung@redhat.com> Cc: Vivek Goyal <vgoyal@redhat.com> Cc: Baoquan He <bhe@redhat.com> Cc: Michael Ellerman <mpe@ellerman.id.au> Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org> Cc: Paul Mackerras <paulus@samba.org> Cc: Stewart Smith <stewart@linux.vnet.ibm.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* ima: on soft reboot, restore the measurement listMimi Zohar2016-12-206-0/+255
| | | | | | | | | | | | | | | | | | | | | | | | The TPM PCRs are only reset on a hard reboot. In order to validate a TPM's quote after a soft reboot (eg. kexec -e), the IMA measurement list of the running kernel must be saved and restored on boot. This patch restores the measurement list. Link: http://lkml.kernel.org/r/1480554346-29071-3-git-send-email-zohar@linux.vnet.ibm.com Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Acked-by: Dmitry Kasatkin <dmitry.kasatkin@gmail.com> Cc: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com> Cc: "Eric W. Biederman" <ebiederm@xmission.com> Cc: Andreas Steffen <andreas.steffen@strongswan.org> Cc: Josh Sklar <sklar@linux.vnet.ibm.com> Cc: Dave Young <dyoung@redhat.com> Cc: Vivek Goyal <vgoyal@redhat.com> Cc: Baoquan He <bhe@redhat.com> Cc: Michael Ellerman <mpe@ellerman.id.au> Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org> Cc: Paul Mackerras <paulus@samba.org> Cc: Stewart Smith <stewart@linux.vnet.ibm.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* Merge branch 'for-linus' of ↵Linus Torvalds2016-12-141-2/+10
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace Pull namespace updates from Eric Biederman: "After a lot of discussion and work we have finally reachanged a basic understanding of what is necessary to make unprivileged mounts safe in the presence of EVM and IMA xattrs which the last commit in this series reflects. While technically it is a revert the comments it adds are important for people not getting confused in the future. Clearing up that confusion allows us to seriously work on unprivileged mounts of fuse in the next development cycle. The rest of the fixes in this set are in the intersection of user namespaces, ptrace, and exec. I started with the first fix which started a feedback cycle of finding additional issues during review and fixing them. Culiminating in a fix for a bug that has been present since at least Linux v1.0. Potentially these fixes were candidates for being merged during the rc cycle, and are certainly backport candidates but enough little things turned up during review and testing that I decided they should be handled as part of the normal development process just to be certain there were not any great surprises when it came time to backport some of these fixes" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace: Revert "evm: Translate user/group ids relative to s_user_ns when computing HMAC" exec: Ensure mm->user_ns contains the execed files ptrace: Don't allow accessing an undumpable mm ptrace: Capture the ptracer's creds not PT_PTRACE_CAP mm: Add a user_ns owner to mm_struct and fix ptrace permission checks
| * Revert "evm: Translate user/group ids relative to s_user_ns when computing HMAC"Eric W. Biederman2016-12-021-2/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This reverts commit 0b3c9761d1e405514a551ed24d3ea89aea26ce14. Seth Forshee <seth.forshee@canonical.com> writes: > All right, I think 0b3c9761d1e405514a551ed24d3ea89aea26ce14 should be > reverted then. EVM is a machine-local integrity mechanism, and so it > makes sense that the signature would be based on the kernel's notion of > the uid and not the filesystem's. I added a commment explaining why the EVM hmac needs to be in the kernel's notion of uid and gid, not the filesystems to prevent remounting the filesystem and gaining unwaranted trust in files. Acked-by: Seth Forshee <seth.forshee@canonical.com> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
* | security/integrity: Harden against malformed xattrsSeth Forshee2016-11-133-2/+9
| | | | | | | | | | | | | | | | | | | | | | In general the handling of IMA/EVM xattrs is good, but I found a few locations where either the xattr size or the value of the type field in the xattr are not checked. Add a few simple checks to these locations to prevent malformed or malicious xattrs from causing problems. Signed-off-by: Seth Forshee <seth.forshee@canonical.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
* | ima: include the reason for TPM-bypass modeMimi Zohar2016-11-131-1/+2
| | | | | | | | | | | | | | This patch includes the reason for going into TPM-bypass mode and not using the TPM. Signed-off-by: Mimi Zohar (zohar@linux.vnet.ibm>
* | Revert "ima: limit file hash setting by user to fix and log modes"Mimi Zohar2016-11-131-6/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Userspace applications have been modified to write security xattrs, but they are not context aware. In the case of security.ima, the security xattr can be either a file hash or a file signature. Permitting writing one, but not the other requires the application to be context aware. In addition, userspace applications might write files to a staging area, which might not be in policy, and then change some file metadata (eg. owner) making it in policy. As a result, these files are not labeled properly. This reverts commit c68ed80c97d9720f51ef31fe91560fdd1e121533, which prevents writing file hashes as security.ima xattrs. Requested-by: Patrick Ohly <patrick.ohly@intel.com> Cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
* | ima: fix memory leak in ima_release_policyEric Richter2016-11-131-1/+1
|/ | | | | | | | | | | | | | | When the "policy" securityfs file is opened for read, it is opened as a sequential file. However, when it is eventually released, there is no cleanup for the sequential file, therefore some memory is leaked. This patch adds a call to seq_release() in ima_release_policy() to clean up the memory when the file is opened for read. Fixes: 80eae209d63a IMA: allow reading back the current policy Reported-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Eric Richter <erichte@linux.vnet.ibm.com> Tested-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
* Merge branch 'work.xattr' of ↵Linus Torvalds2016-10-103-16/+16
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs Pull vfs xattr updates from Al Viro: "xattr stuff from Andreas This completes the switch to xattr_handler ->get()/->set() from ->getxattr/->setxattr/->removexattr" * 'work.xattr' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: vfs: Remove {get,set,remove}xattr inode operations xattr: Stop calling {get,set,remove}xattr inode operations vfs: Check for the IOP_XATTR flag in listxattr xattr: Add __vfs_{get,set,remove}xattr helpers libfs: Use IOP_XATTR flag for empty directory handling vfs: Use IOP_XATTR flag for bad-inode handling vfs: Add IOP_XATTR inode operations flag vfs: Move xattr_resolve_name to the front of fs/xattr.c ecryptfs: Switch to generic xattr handlers sockfs: Get rid of getxattr iop sockfs: getxattr: Fail with -EOPNOTSUPP for invalid attribute names kernfs: Switch to generic xattr handlers hfs: Switch to generic xattr handlers jffs2: Remove jffs2_{get,set,remove}xattr macros xattr: Remove unnecessary NULL attribute name check
| * xattr: Add __vfs_{get,set,remove}xattr helpersAndreas Gruenbacher2016-10-073-16/+16
| | | | | | | | | | | | | | | | | | | | | | Right now, various places in the kernel check for the existence of getxattr, setxattr, and removexattr inode operations and directly call those operations. Switch to helper functions and test for the IOP_XATTR flag instead. Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com> Acked-by: James Morris <james.l.morris@oracle.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* | ima: use file_dentry()Miklos Szeredi2016-09-162-3/+3
|/ | | | | | | | | | | Ima tries to call ->setxattr() on overlayfs dentry after having locked underlying inode, which results in a deadlock. Reported-by: Krisztian Litkey <kli@iki.fi> Fixes: 4bacc9c9234c ("overlayfs: Make f_path always point to the overlay and f_inode to the underlay") Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> Cc: <stable@vger.kernel.org> # v4.2 Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
* Merge branch 'next' of ↵Linus Torvalds2016-07-2910-30/+80
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security Pull security subsystem updates from James Morris: "Highlights: - TPM core and driver updates/fixes - IPv6 security labeling (CALIPSO) - Lots of Apparmor fixes - Seccomp: remove 2-phase API, close hole where ptrace can change syscall #" * 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (156 commits) apparmor: fix SECURITY_APPARMOR_HASH_DEFAULT parameter handling tpm: Add TPM 2.0 support to the Nuvoton i2c driver (NPCT6xx family) tpm: Factor out common startup code tpm: use devm_add_action_or_reset tpm2_i2c_nuvoton: add irq validity check tpm: read burstcount from TPM_STS in one 32-bit transaction tpm: fix byte-order for the value read by tpm2_get_tpm_pt tpm_tis_core: convert max timeouts from msec to jiffies apparmor: fix arg_size computation for when setprocattr is null terminated apparmor: fix oops, validate buffer size in apparmor_setprocattr() apparmor: do not expose kernel stack apparmor: fix module parameters can be changed after policy is locked apparmor: fix oops in profile_unpack() when policy_db is not present apparmor: don't check for vmalloc_addr if kvzalloc() failed apparmor: add missing id bounds check on dfa verification apparmor: allow SYS_CAP_RESOURCE to be sufficient to prlimit another task apparmor: use list_next_entry instead of list_entry_next apparmor: fix refcount race when finding a child profile apparmor: fix ref count leak when profile sha1 hash is read apparmor: check that xindex is in trans_table bounds ...
| * ima: extend the measurement entry specific pcrEric Richter2016-06-301-3/+3
| | | | | | | | | | | | | | | | Extend the PCR supplied as a parameter, instead of assuming that the measurement entry uses the default configured PCR. Signed-off-by: Eric Richter <erichte@linux.vnet.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
| * ima: change integrity cache to store measured pcrEric Richter2016-06-303-3/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | IMA avoids re-measuring files by storing the current state as a flag in the integrity cache. It will then skip adding a new measurement log entry if the cache reports the file as already measured. If a policy measures an already measured file to a new PCR, the measurement will not be added to the list. This patch implements a new bitfield for specifying which PCR the file was measured into, rather than if it was measured. Signed-off-by: Eric Richter <erichte@linux.vnet.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
| * ima: redefine duplicate template entriesEric Richter2016-06-301-3/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Template entry duplicates are prevented from being added to the measurement list by checking a hash table that contains the template entry digests. However, the PCR value is not included in this comparison, so duplicate template entry digests with differing PCRs may be dropped. This patch redefines duplicate template entries as template entries with the same digest and same PCR values. Reported-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: Eric Richter <erichte@linux.vnet.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
| * ima: change ima_measurements_show() to display the entry specific pcrEric Richter2016-06-301-5/+4
| | | | | | | | | | | | | | | | | | IMA assumes that the same default Kconfig PCR is extended for each entry. This patch replaces the default configured PCR with the policy defined PCR. Signed-off-by: Eric Richter <erichte@linux.vnet.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
| * ima: include pcr for each measurement log entryEric Richter2016-06-304-8/+13
| | | | | | | | | | | | | | | | | | The IMA measurement list entries include the Kconfig defined PCR value. This patch defines a new ima_template_entry field for including the PCR as specified in the policy rule. Signed-off-by: Eric Richter <erichte@linux.vnet.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
OpenPOWER on IntegriCloud