Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v4.9.134 2016-06-30T05:14:21+00:00 2016-06-30T05:14:21+00:00 Eric Richter erichte@linux.vnet.ibm.com 2016-06-01T18:14:03+00:00 urn:sha1:14b1da85bbe9a59c5e01123a06dea4c4758a6db9 The IMA measurement list entries include the Kconfig defined PCR value. This patch defines a new ima_template_entry field for including the PCR as specified in the policy rule. Signed-off-by: Eric Richter <erichte@linux.vnet.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> 2016-02-18T22:13:32+00:00 Dmitry Kasatkin dmitry.kasatkin@huawei.com 2014-10-30T10:39:39+00:00 urn:sha1:1525b06d99b117198ea8d6c128ee5bf28ceb6723 Instead of passing pointers to pointers to ima_collect_measurent() to read and return the 'security.ima' xattr value, this patch moves the functionality to the calling process_measurement() to directly read the xattr and pass only the hash algo to the ima_collect_measurement(). Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> 2015-11-23T19:30:02+00:00 Dmitry Kasatkin dmitry.kasatkin@huawei.com 2015-10-22T18:26:10+00:00 urn:sha1:f4dc37785e9b3373d0cb93125d5579fed2af3a43 Require all keys added to the EVM keyring be signed by an existing trusted key on the system trusted keyring. This patch also switches IMA to use integrity_init_keyring(). Changes in v3: * Added 'init_keyring' config based variable to skip initializing keyring instead of using __integrity_init_keyring() wrapper. * Added dependency back to CONFIG_IMA_TRUSTED_KEYRING Changes in v2: * Replace CONFIG_EVM_TRUSTED_KEYRING with IMA and EVM common CONFIG_INTEGRITY_TRUSTED_KEYRING configuration option * Deprecate CONFIG_IMA_TRUSTED_KEYRING but keep it for config file compatibility. (Mimi Zohar) Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> 2015-05-21T17:59:29+00:00 Roberto Sassu rsassu@suse.de 2015-04-11T15:12:39+00:00 urn:sha1:8d94eb9b5cff350ba170848c862ca0006d33d496 This patch adds the iint associated to the current inode as a new parameter of ima_add_violation(). The passed iint is always not NULL if a violation is detected. This modification will be used to determine the inode for which there is a violation. Since the 'd' and 'd-ng' template field init() functions were detecting a violation from the value of the iint pointer, they now check the new field 'violation', added to the 'ima_event_data' structure. Changelog: - v1: - modified an old comment (Roberto Sassu) Signed-off-by: Roberto Sassu <rsassu@suse.de> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> 2015-05-21T17:59:28+00:00 Roberto Sassu rsassu@suse.de 2015-04-11T15:09:50+00:00 urn:sha1:23b5741932ca44856762fa24cc7e01307ab8af1f All event related data has been wrapped into the new 'ima_event_data' structure. The main benefit of this patch is that a new information can be made available to template fields initialization functions by simply adding a new field to the new structure instead of modifying the definition of those functions. Changelog: - v2: - f_dentry replaced with f_path.dentry (Roberto Sassu) - removed declaration of temporary variables in template field functions when possible (suggested by Dmitry Kasatkin) Signed-off-by: Roberto Sassu <rsassu@suse.de> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> 2015-05-21T17:28:47+00:00 Dmitry Kasatkin d.kasatkin@samsung.com 2014-11-26T14:59:54+00:00 urn:sha1:a18d0cbfabd1d17e11ec2ae54804284298462125 CONFIG_IMA_X509_PATH is always defined. This patch removes the IMA_X509_PATH definition and uses CONFIG_IMA_X509_PATH. Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> 2014-11-18T04:12:00+00:00 Dmitry Kasatkin d.kasatkin@samsung.com 2014-11-05T15:01:14+00:00 urn:sha1:fd5f4e9054acbf4f22fac81a358baf3c27aa42ac Define configuration option to load X509 certificate into the IMA trusted kernel keyring. It implements ima_load_x509() hook to load X509 certificate into the .ima trusted kernel keyring from the root filesystem. Changes in v3: * use ima_policy_flag in ima_get_action() ima_load_x509 temporarily clears ima_policy_flag to disable appraisal to load key. Use it to skip appraisal rules. * Key directory path changed to /etc/keys (Mimi) * Expand IMA_LOAD_X509 Kconfig help Changes in v2: * added '__init' * use ima_policy_flag to disable appraisal to load keys Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> 2014-09-17T20:15:42+00:00 Roberto Sassu roberto.sassu@polito.it 2014-09-12T17:35:53+00:00 urn:sha1:be39ffc2fec78ff80d50e4b7970e94a8b1583862 This patch modifies ima_add_boot_aggregate() to return an error code. This way we can determine if all the initialization procedures have been executed successfully. Signed-off-by: Roberto Sassu <roberto.sassu@polito.it> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> 2014-09-17T20:10:59+00:00 Dmitry Kasatkin d.kasatkin@samsung.com 2014-06-27T10:01:32+00:00 urn:sha1:31b70f66328e85517b159c786ab31f3fd9a7293c ima_init() is used as a single place for all initializations. Experimental keyring patches used the 'late_initcall' which was co-located with the late_initcall(init_ima). When the late_initcall for the keyring initialization was abandoned, initialization moved to init_ima, though it would be more logical to move it to ima_init, where the rest of the initialization is done. This patch moves the keyring initialization to ima_init() as a preparatory step for loading the keys which will be added to ima_init() in following patches. Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> 2014-03-07T17:15:21+00:00 Joe Perches joe@perches.com 2014-02-24T21:59:56+00:00 urn:sha1:20ee451f5a7cd43edda56ba36cbec4d881d3329f Convert printks to pr_<level>. Add pr_fmt. Remove embedded prefixes. Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>