From 6035a27b25ab9dadc8c3d5c5df5eae3fca62fc95 Mon Sep 17 00:00:00 2001 From: Al Viro Date: Fri, 8 Jun 2018 13:40:10 -0400 Subject: IMA: don't propagate opened through the entire thing just check ->f_mode in ima_appraise_measurement() Acked-by: Linus Torvalds Signed-off-by: Al Viro --- security/integrity/ima/ima.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'security/integrity/ima/ima.h') diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 354bb5716ce3..e4c1a236976c 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -238,7 +238,7 @@ int ima_appraise_measurement(enum ima_hooks func, struct integrity_iint_cache *iint, struct file *file, const unsigned char *filename, struct evm_ima_xattr_data *xattr_value, - int xattr_len, int opened); + int xattr_len); int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func); void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file); enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint, @@ -254,7 +254,7 @@ static inline int ima_appraise_measurement(enum ima_hooks func, struct file *file, const unsigned char *filename, struct evm_ima_xattr_data *xattr_value, - int xattr_len, int opened) + int xattr_len) { return INTEGRITY_UNKNOWN; } -- cgit v1.2.3 From 16c267aac86b463b1fcccd43c89f4c8e5c5c86fa Mon Sep 17 00:00:00 2001 From: Mimi Zohar Date: Fri, 13 Jul 2018 14:05:58 -0400 Subject: ima: based on policy require signed kexec kernel images The original kexec_load syscall can not verify file signatures, nor can the kexec image be measured. Based on policy, deny the kexec_load syscall. Signed-off-by: Mimi Zohar Cc: Eric Biederman Cc: Kees Cook Reviewed-by: Kees Cook Signed-off-by: James Morris --- include/linux/ima.h | 7 +++++++ security/integrity/ima/ima.h | 1 + security/integrity/ima/ima_main.c | 27 +++++++++++++++++++++++++++ security/integrity/ima/ima_policy.c | 2 ++ security/security.c | 7 ++++++- 5 files changed, 43 insertions(+), 1 deletion(-) (limited to 'security/integrity/ima/ima.h') diff --git a/include/linux/ima.h b/include/linux/ima.h index 0e4647e0eb60..84806b54b50a 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -11,6 +11,7 @@ #define _LINUX_IMA_H #include +#include #include struct linux_binprm; @@ -19,6 +20,7 @@ extern int ima_bprm_check(struct linux_binprm *bprm); extern int ima_file_check(struct file *file, int mask, int opened); extern void ima_file_free(struct file *file); extern int ima_file_mmap(struct file *file, unsigned long prot); +extern int ima_load_data(enum kernel_load_data_id id); extern int ima_read_file(struct file *file, enum kernel_read_file_id id); extern int ima_post_read_file(struct file *file, void *buf, loff_t size, enum kernel_read_file_id id); @@ -49,6 +51,11 @@ static inline int ima_file_mmap(struct file *file, unsigned long prot) return 0; } +static inline int ima_load_data(enum kernel_load_data_id id) +{ + return 0; +} + static inline int ima_read_file(struct file *file, enum kernel_read_file_id id) { return 0; diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 354bb5716ce3..78c15264b17b 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -232,6 +232,7 @@ int ima_policy_show(struct seq_file *m, void *v); #define IMA_APPRAISE_MODULES 0x08 #define IMA_APPRAISE_FIRMWARE 0x10 #define IMA_APPRAISE_POLICY 0x20 +#define IMA_APPRAISE_KEXEC 0x40 #ifdef CONFIG_IMA_APPRAISE int ima_appraise_measurement(enum ima_hooks func, diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index dca44cf7838e..71fecfef0939 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -496,6 +496,33 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size, MAY_READ, func, 0); } +/** + * ima_load_data - appraise decision based on policy + * @id: kernel load data caller identifier + * + * Callers of this LSM hook can not measure, appraise, or audit the + * data provided by userspace. Enforce policy rules requring a file + * signature (eg. kexec'ed kernel image). + * + * For permission return 0, otherwise return -EACCES. + */ +int ima_load_data(enum kernel_load_data_id id) +{ + if ((ima_appraise & IMA_APPRAISE_ENFORCE) != IMA_APPRAISE_ENFORCE) + return 0; + + switch (id) { + case LOADING_KEXEC_IMAGE: + if (ima_appraise & IMA_APPRAISE_KEXEC) { + pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n"); + return -EACCES; /* INTEGRITY_UNKNOWN */ + } + default: + break; + } + return 0; +} + static int __init init_ima(void) { int error; diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index cdcc9a7b4e24..d5b4958decc5 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -448,6 +448,8 @@ static int ima_appraise_flag(enum ima_hooks func) return IMA_APPRAISE_FIRMWARE; else if (func == POLICY_CHECK) return IMA_APPRAISE_POLICY; + else if (func == KEXEC_KERNEL_CHECK) + return IMA_APPRAISE_KEXEC; return 0; } diff --git a/security/security.c b/security/security.c index c2de2f134854..4927e7cc7d96 100644 --- a/security/security.c +++ b/security/security.c @@ -1058,7 +1058,12 @@ EXPORT_SYMBOL_GPL(security_kernel_post_read_file); int security_kernel_load_data(enum kernel_load_data_id id) { - return call_int_hook(kernel_load_data, 0, id); + int ret; + + ret = call_int_hook(kernel_load_data, 0, id); + if (ret) + return ret; + return ima_load_data(id); } int security_task_fix_setuid(struct cred *new, const struct cred *old, -- cgit v1.2.3 From 5c2a640aff73914e11ac0db310b32d3b7a1b87ad Mon Sep 17 00:00:00 2001 From: Stefan Berger Date: Tue, 26 Jun 2018 15:09:32 -0400 Subject: ima: Use tpm_default_chip() and call TPM functions with a tpm_chip Rather than accessing the TPM functions by passing a NULL pointer for the tpm_chip, which causes a lookup for a suitable chip every time, get a hold of a tpm_chip and access the TPM functions using it. Signed-off-by: Stefan Berger Signed-off-by: Mimi Zohar Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- security/integrity/ima/ima.h | 1 + security/integrity/ima/ima_crypto.c | 2 +- security/integrity/ima/ima_init.c | 11 ++++------- security/integrity/ima/ima_queue.c | 2 +- 4 files changed, 7 insertions(+), 9 deletions(-) (limited to 'security/integrity/ima/ima.h') diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 78c15264b17b..dc212c59d4d6 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -56,6 +56,7 @@ extern int ima_policy_flag; extern int ima_used_chip; extern int ima_hash_algo; extern int ima_appraise; +extern struct tpm_chip *ima_tpm_chip; /* IMA event related data */ struct ima_event_data { diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c index 4e085a17124f..88082f35adb2 100644 --- a/security/integrity/ima/ima_crypto.c +++ b/security/integrity/ima/ima_crypto.c @@ -634,7 +634,7 @@ static void __init ima_pcrread(int idx, u8 *pcr) if (!ima_used_chip) return; - if (tpm_pcr_read(NULL, idx, pcr) != 0) + if (tpm_pcr_read(ima_tpm_chip, idx, pcr) != 0) pr_err("Error Communicating to TPM chip\n"); } diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c index 29b72cd2502e..1437ed3dbccc 100644 --- a/security/integrity/ima/ima_init.c +++ b/security/integrity/ima/ima_init.c @@ -27,6 +27,7 @@ /* name for boot aggregate entry */ static const char *boot_aggregate_name = "boot_aggregate"; int ima_used_chip; +struct tpm_chip *ima_tpm_chip; /* Add the boot aggregate to the IMA measurement list and extend * the PCR register. @@ -106,17 +107,13 @@ void __init ima_load_x509(void) int __init ima_init(void) { - u8 pcr_i[TPM_DIGEST_SIZE]; int rc; - ima_used_chip = 0; - rc = tpm_pcr_read(NULL, 0, pcr_i); - if (rc == 0) - ima_used_chip = 1; + ima_tpm_chip = tpm_default_chip(); + ima_used_chip = ima_tpm_chip != NULL; if (!ima_used_chip) - pr_info("No TPM chip found, activating TPM-bypass! (rc=%d)\n", - rc); + pr_info("No TPM chip found, activating TPM-bypass!\n"); rc = integrity_init_keyring(INTEGRITY_KEYRING_IMA); if (rc) diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/ima_queue.c index 418f35e38015..c6303fa19a49 100644 --- a/security/integrity/ima/ima_queue.c +++ b/security/integrity/ima/ima_queue.c @@ -145,7 +145,7 @@ static int ima_pcr_extend(const u8 *hash, int pcr) if (!ima_used_chip) return result; - result = tpm_pcr_extend(NULL, pcr, hash); + result = tpm_pcr_extend(ima_tpm_chip, pcr, hash); if (result != 0) pr_err("Error Communicating to TPM chip, result: %d\n", result); return result; -- cgit v1.2.3 From ec403d8ed08c8272cfeeeea154fdebcd289988c8 Mon Sep 17 00:00:00 2001 From: Stefan Berger Date: Tue, 26 Jun 2018 15:09:33 -0400 Subject: ima: Get rid of ima_used_chip and use ima_tpm_chip != NULL instead Get rid of ima_used_chip and use ima_tpm_chip variable instead for determining whether to use the TPM chip. Signed-off-by: Stefan Berger Signed-off-by: Mimi Zohar Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- security/integrity/ima/ima.h | 1 - security/integrity/ima/ima_crypto.c | 2 +- security/integrity/ima/ima_init.c | 7 ++----- security/integrity/ima/ima_queue.c | 2 +- 4 files changed, 4 insertions(+), 8 deletions(-) (limited to 'security/integrity/ima/ima.h') diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index dc212c59d4d6..588e4813370c 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -53,7 +53,6 @@ enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 }; extern int ima_policy_flag; /* set during initialization */ -extern int ima_used_chip; extern int ima_hash_algo; extern int ima_appraise; extern struct tpm_chip *ima_tpm_chip; diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c index 88082f35adb2..7e7e7e7c250a 100644 --- a/security/integrity/ima/ima_crypto.c +++ b/security/integrity/ima/ima_crypto.c @@ -631,7 +631,7 @@ int ima_calc_buffer_hash(const void *buf, loff_t len, static void __init ima_pcrread(int idx, u8 *pcr) { - if (!ima_used_chip) + if (!ima_tpm_chip) return; if (tpm_pcr_read(ima_tpm_chip, idx, pcr) != 0) diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c index 1437ed3dbccc..faac9ecaa0ae 100644 --- a/security/integrity/ima/ima_init.c +++ b/security/integrity/ima/ima_init.c @@ -26,7 +26,6 @@ /* name for boot aggregate entry */ static const char *boot_aggregate_name = "boot_aggregate"; -int ima_used_chip; struct tpm_chip *ima_tpm_chip; /* Add the boot aggregate to the IMA measurement list and extend @@ -65,7 +64,7 @@ static int __init ima_add_boot_aggregate(void) iint->ima_hash->algo = HASH_ALGO_SHA1; iint->ima_hash->length = SHA1_DIGEST_SIZE; - if (ima_used_chip) { + if (ima_tpm_chip) { result = ima_calc_boot_aggregate(&hash.hdr); if (result < 0) { audit_cause = "hashing_error"; @@ -110,9 +109,7 @@ int __init ima_init(void) int rc; ima_tpm_chip = tpm_default_chip(); - - ima_used_chip = ima_tpm_chip != NULL; - if (!ima_used_chip) + if (!ima_tpm_chip) pr_info("No TPM chip found, activating TPM-bypass!\n"); rc = integrity_init_keyring(INTEGRITY_KEYRING_IMA); diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/ima_queue.c index c6303fa19a49..b186819bd5aa 100644 --- a/security/integrity/ima/ima_queue.c +++ b/security/integrity/ima/ima_queue.c @@ -142,7 +142,7 @@ static int ima_pcr_extend(const u8 *hash, int pcr) { int result = 0; - if (!ima_used_chip) + if (!ima_tpm_chip) return result; result = tpm_pcr_extend(ima_tpm_chip, pcr, hash); -- cgit v1.2.3