Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=linux-4.20.y 2018-10-10T16:56:15+00:00 2018-10-10T16:56:15+00:00 Eric Biggers ebiggers@google.com 2018-09-07T20:22:23+00:00 urn:sha1:b2724d5802a77b7fb47e84d9b88b80370eccbc64 Constify some static data that is never modified, so that it is placed in .rodata. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2018-05-14T21:24:18+00:00 Richard Guy Briggs rgb@redhat.com 2018-05-13T01:58:20+00:00 urn:sha1:cdfb6b341f0f2409aba24b84f3b4b2bba50be5c5 Recognizing that the audit context is an internal audit value, use an access function to retrieve the audit context pointer for the task rather than reaching directly into the task struct to get it. Signed-off-by: Richard Guy Briggs <rgb@redhat.com> [PM: merge fuzz in auditsc.c and selinuxfs.c, checkpatch.pl fixes] Signed-off-by: Paul Moore <paul@paul-moore.com> 2018-03-25T11:26:28+00:00 Tycho Andersen tycho@tycho.ws 2018-03-08T23:08:36+00:00 urn:sha1:e456ef88ae8c9ffd303e970c28dcce4474c3d356 In keeping with the directive to get rid of VLAs [1], let's drop the VLA from ima_audit_measurement(). We need to adjust the return type of ima_audit_measurement, because now this function can fail if an allocation fails. [1]: https://lkml.org/lkml/2018/3/7/621 v2: just use audit_log_format instead of doing a second allocation v3: ignore failures in ima_audit_measurement() Signed-off-by: Tycho Andersen <tycho@tycho.ws> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> 2018-03-23T10:31:11+00:00 Matthew Garrett mjg59@google.com 2018-01-08T21:36:20+00:00 urn:sha1:d906c10d8a31654cb9167c9a2ebc7d3e43820bad The existing BPRM_CHECK functionality in IMA validates against the credentials of the existing process, not any new credentials that the child process may transition to. Add an additional CREDS_CHECK target and refactor IMA to pass the appropriate creds structure. In ima_bprm_check(), check with both the existing process credentials and the credentials that will be committed when the new process is started. This will not change behaviour unless the system policy is extended to include CREDS_CHECK targets - BPRM_CHECK will continue to check the same credentials that it did previously. After this patch, an IMA policy rule along the lines of: measure func=CREDS_CHECK subj_type=unconfined_t will trigger if a process is executed and runs as unconfined_t, ignoring the context of the parent process. This is in contrast to: measure func=BPRM_CHECK subj_type=unconfined_t which will trigger if the process that calls exec() is already executing in unconfined_t, ignoring the context that the child process executes into. Signed-off-by: Matthew Garrett <mjg59@google.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Changelog: - initialize ima_creds_status 2018-01-31T21:07:35+00:00 Linus Torvalds torvalds@linux-foundation.org 2018-01-31T21:07:35+00:00 urn:sha1:3c29548f87f9545f2f3c1cd1a784fae8ad2d53ba Pull integrity updates from James Morris: "This contains a mixture of bug fixes, code cleanup, and new functionality. Of note is the integrity cache locking fix, file change detection, and support for a new EVM portable and immutable signature type. The re-introduction of the integrity cache lock (iint) fixes the problem of attempting to take the i_rwsem shared a second time, when it was previously taken exclusively. Defining atomic flags resolves the original iint/i_rwsem circular locking - accessing the file data vs. modifying the file metadata. Although it fixes the O_DIRECT problem as well, a subsequent patch is needed to remove the explicit O_DIRECT prevention. For performance reasons, detecting when a file has changed and needs to be re-measured, re-appraised, and/or re-audited, was limited to after the last writer has closed, and only if the file data has changed. Detecting file change is based on i_version. For filesystems that do not support i_version, remote filesystems, or userspace filesystems, the file was measured, appraised and/or audited once and never re-evaluated. Now local filesystems, which do not support i_version or are not mounted with the i_version option, assume the file has changed and are required to re-evaluate the file. This change does not address detecting file change on remote or userspace filesystems. Unlike file data signatures, which can be included and distributed in software packages (eg. rpm, deb), the existing EVM signature, which protects the file metadata, could not be included in software packages, as it includes file system specific information (eg. i_ino, possibly the UUID). This pull request defines a new EVM portable and immutable file metadata signature format, which can be included in software packages" * 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: ima/policy: fix parsing of fsuuid ima: Use i_version only when filesystem supports it integrity: remove unneeded initializations in integrity_iint_cache entries ima: log message to module appraisal error ima: pass filename to ima_rdwr_violation_check() ima: Fix line continuation format ima: support new "hash" and "dont_hash" policy actions ima: re-introduce own integrity cache lock EVM: Add support for portable signature format EVM: Allow userland to permit modification of EVM-protected metadata ima: relax requiring a file signature for new files with zero length 2018-01-29T11:42:21+00:00 Jeff Layton jlayton@redhat.com 2017-12-11T11:35:21+00:00 urn:sha1:3b370b215f4b45c0be87d7a15b0d0e2e8b238aee Signed-off-by: Jeff Layton <jlayton@redhat.com> 2017-12-18T14:43:38+00:00 Mimi Zohar zohar@linux.vnet.ibm.com 2016-09-29T14:04:52+00:00 urn:sha1:da1b0029f527a9b4204e90ba6f14ee139fd76f9e The builtin ima_appraise_tcb policy, which is specified on the boot command line, can be replaced with a custom policy, normally early in the boot process. Custom policies can be more restrictive in some ways, like requiring file signatures, but can be less restrictive in other ways, like not appraising mutable files. With a less restrictive policy in place, files in the builtin policy might not be hashed and labeled with a security.ima hash. On reboot, files which should be labeled in the ima_appraise_tcb are not labeled, possibly preventing the system from booting properly. To resolve this problem, this patch extends the existing IMA policy actions "measure", "dont_measure", "appraise", "dont_appraise", and "audit" with "hash" and "dont_hash". The new "hash" action will write the file hash as security.ima, but without requiring the file to be appraised as well. For example, the builtin ima_appraise_tcb policy includes the rule, "appraise fowner=0". Adding the "hash fowner=0" rule to a custom policy, will cause the needed file hashes to be calculated and written as security.ima xattrs. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> 2017-11-08T20:16:36+00:00 Mimi Zohar zohar@linux.vnet.ibm.com 2017-06-18T03:56:23+00:00 urn:sha1:f3cc6b25dcc5616f0d5c720009b2ac66f97df2ff All files matching a "measure" rule must be included in the IMA measurement list, even when the file hash cannot be calculated. Similarly, all files matching an "audit" rule must be audited, even when the file hash can not be calculated. The file data hash field contained in the IMA measurement list template data will contain 0's instead of the actual file hash digest. Note: In general, adding, deleting or in anyway changing which files are included in the IMA measurement list is not a good idea, as it might result in not being able to unseal trusted keys sealed to a specific TPM PCR value. This patch not only adds file measurements that were not previously measured, but specifies that the file hash value for these files will be 0's. As the IMA measurement list ordering is not consistent from one boot to the next, it is unlikely that anyone is sealing keys based on the IMA measurement list. Remote attestation servers should be able to process these new measurement records, but might complain about these unknown records. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Reviewed-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com> 2017-01-27T19:17:21+00:00 Lans Zhang jia.zhang@windriver.com 2017-01-06T04:38:11+00:00 urn:sha1:20f482ab9e0f800d1e01ce748ebd382d085abe56 Otherwise some mask and inmask tokens with MAY_APPEND flag may not work as expected. Signed-off-by: Lans Zhang <jia.zhang@windriver.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> 2017-01-27T19:16:02+00:00 Mimi Zohar zohar@linux.vnet.ibm.com 2017-01-17T11:45:41+00:00 urn:sha1:bc15ed663e7e53ee4dc3e60f8d09c93a0528c694 On failure to return a pathname from ima_d_path(), a pointer to dname is returned, which is subsequently used in the IMA measurement list, the IMA audit records, and other audit logging. Saving the pointer to dname for later use has the potential to race with rename. Intead of returning a pointer to dname on failure, this patch returns a pointer to a copy of the filename. Reported-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Cc: stable@vger.kernel.org