Diffstat (limited to 'security')
-rw-r--r-- | security/integrity/digsig.c | 2 | ||||
-rw-r--r-- | security/integrity/evm/evm_main.c | 18 | ||||
-rw-r--r-- | security/integrity/iint.c | 3 | ||||
-rw-r--r-- | security/integrity/ima/ima.h | 27 | ||||
-rw-r--r-- | security/integrity/ima/ima_api.c | 20 | ||||
-rw-r--r-- | security/integrity/ima/ima_appraise.c | 8 | ||||
-rw-r--r-- | security/integrity/ima/ima_init.c | 13 | ||||
-rw-r--r-- | security/integrity/ima/ima_main.c | 5 | ||||
-rw-r--r-- | security/integrity/ima/ima_policy.c | 18 | ||||
-rw-r--r-- | security/integrity/ima/ima_template_lib.c | 71 | ||||
-rw-r--r-- | security/integrity/ima/ima_template_lib.h | 22 | ||||
-rw-r--r-- | security/integrity/integrity.h | 2 |
12 files changed, 103 insertions, 106 deletions
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index 5e3bd72b299a..36fb6b527829 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -85,7 +85,7 @@ int __init integrity_init_keyring(const unsigned int id)
 	return err;
 }
 
-int __init integrity_load_x509(const unsigned int id, char *path)
+int __init integrity_load_x509(const unsigned int id, const char *path)
 {
 	key_ref_t key;
 	char *data;
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 10f994307a04..1334e02ae8f4 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -296,6 +296,17 @@ static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name,
 		iint = integrity_iint_find(d_backing_inode(dentry));
 		if (iint && (iint->flags & IMA_NEW_FILE))
 			return 0;
+
+		/* exception for pseudo filesystems */
+		if (dentry->d_inode->i_sb->s_magic == TMPFS_MAGIC
+		    || dentry->d_inode->i_sb->s_magic == SYSFS_MAGIC)
+			return 0;
+
+		integrity_audit_msg(AUDIT_INTEGRITY_METADATA,
+				    dentry->d_inode, dentry->d_name.name,
+				    "update_metadata",
+				    integrity_status_msg[evm_status],
+				    -EPERM, 0);
 	}
 out:
 	if (evm_status != INTEGRITY_PASS)
@@ -376,17 +387,16 @@ void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name,
  * @xattr_name: pointer to the affected extended attribute name
  *
  * Update the HMAC stored in 'security.evm' to reflect removal of the xattr.
+ *
+ * No need to take the i_mutex lock here, as this function is called from
+ * vfs_removexattr() which takes the i_mutex.
  */
 void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name)
 {
-	struct inode *inode = d_backing_inode(dentry);
-
 	if (!evm_initialized || !evm_protected_xattr(xattr_name))
 		return;
 
-	mutex_lock(&inode->i_mutex);
 	evm_update_evmxattr(dentry, xattr_name, NULL, 0);
-	mutex_unlock(&inode->i_mutex);
 }
 
 /**
diff --git a/security/integrity/iint.c b/security/integrity/iint.c
index dbb6d141c3db..3d2f5b45c8cb 100644
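Review bot: The new pseudo-filesystem exception and the audit call reach the inode through `dentry->d_inode`, while the iint lookup three lines above uses `d_backing_inode(dentry)`; on a stacked filesystem those may differ, so the s_magic test and the audited inode should use the same accessor as the rest of the function, e.g. `struct inode *inode = d_backing_inode(dentry);` once at the top of the branch and `inode->i_sb->s_magic` / `inode` in the two new statements. The bypass for TMPFS_MAGIC and SYSFS_MAGIC returns before the audit message, so the exemption is invisible in the audit log; a one-line comment on why those two filesystems are exempt from EVM metadata protection would help the next reader. evm_protect_xattr starts and ends outside the hunk, so the evm_status value this branch runs under is not visible here.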
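Review bot: The added kernel-doc turns the dropped i_mutex locking into an unchecked assumption about the caller; since evm_update_evmxattr() now runs without the hook taking the lock itself, a `lockdep_assert_held(&d_backing_inode(dentry)->i_mutex);` at the top of evm_inode_post_removexattr would make the contract enforceable in debug builds rather than only documented. The comment names vfs_removexattr() as the caller; any other path that invokes this hook would now update the HMAC unlocked, so the comment should say it is the only permitted caller if that is the intent.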
--- a/security/integrity/iint.c
+++ b/security/integrity/iint.c
@@ -213,6 +213,9 @@ int __init integrity_read_file(const char *path, char **data)
 	char *buf;
 	int rc = -EINVAL;
 
+	if (!path || !*path)
+		return -EINVAL;
+
 	file = filp_open(path, O_RDONLY, 0);
 	if (IS_ERR(file)) {
 		rc = PTR_ERR(file);
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 8ee997dff139..c996f7edff3a 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -52,6 +52,16 @@ extern int ima_used_chip;
 extern int ima_hash_algo;
 extern int ima_appraise;
 
+/* IMA event related data */
+struct ima_event_data {
+	struct integrity_iint_cache *iint;
+	struct file *file;
+	const unsigned char *filename;
+	struct evm_ima_xattr_data *xattr_value;
+	int xattr_len;
+	const char *violation;
+};
+
 /* IMA template field data definition */
 struct ima_field_data {
 	u8 *data;
@@ -61,12 +71,10 @@ struct ima_field_data {
 /* IMA template field definition */
 struct ima_template_field {
 	const char field_id[IMA_TEMPLATE_FIELD_ID_MAX_LEN];
-	int (*field_init) (struct integrity_iint_cache *iint, struct file *file,
-			   const unsigned char *filename,
-			   struct evm_ima_xattr_data *xattr_value,
-			   int xattr_len, struct ima_field_data *field_data);
-	void (*field_show) (struct seq_file *m, enum ima_show_type show,
-			    struct ima_field_data *field_data);
+	int (*field_init)(struct ima_event_data *event_data,
+			  struct ima_field_data *field_data);
+	void (*field_show)(struct seq_file *m, enum ima_show_type show,
+			   struct ima_field_data *field_data);
 };
 
 /* IMA template descriptor definition */
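Review bot: `struct ima_event_data` introduces an invariant that is not written down: the template field initializers (ima_eventdigest_init and ima_eventdigest_ng_init in the ima_template_lib.c hunks further down) now test `event_data->violation` instead of `!iint` before dereferencing `event_data->iint->ima_hash`, so `iint` must be non-NULL whenever `violation` is NULL. The three call sites in this diff honour that, but nothing stops a future caller from passing a NULL iint without a violation string and hitting a NULL dereference. Document it on the struct, e.g. `/* iint: must be non-NULL unless violation is set */` and `/* violation: non-NULL marks a violation record; no digest is read then */`, or keep a `!event_data->iint` check in the digest initializers as a second guard.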
@@ -103,6 +111,7 @@ int ima_calc_field_array_hash(struct ima_field_data *field_data,
 			      struct ima_digest_data *hash);
 int __init ima_calc_boot_aggregate(struct ima_digest_data *hash);
 void ima_add_violation(struct file *file, const unsigned char *filename,
+		       struct integrity_iint_cache *iint,
 		       const char *op, const char *cause);
 int ima_init_crypto(void);
 void ima_putc(struct seq_file *m, void *data, int datalen);
@@ -140,10 +149,8 @@ void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file,
 			   int xattr_len);
 void ima_audit_measurement(struct integrity_iint_cache *iint,
 			   const unsigned char *filename);
-int ima_alloc_init_template(struct integrity_iint_cache *iint,
-			    struct file *file, const unsigned char *filename,
-			    struct evm_ima_xattr_data *xattr_value,
-			    int xattr_len, struct ima_template_entry **entry);
+int ima_alloc_init_template(struct ima_event_data *event_data,
+			    struct ima_template_entry **entry);
 int ima_store_template(struct ima_template_entry *entry, int violation,
 		       struct inode *inode, const unsigned char *filename);
 void ima_free_template_entry(struct ima_template_entry *entry);
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index b8a27c5052d4..1d950fbb2aec 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -37,10 +37,8 @@ void ima_free_template_entry(struct ima_template_entry *entry)
 /*
  * ima_alloc_init_template - create and initialize a new template entry
  */
-int ima_alloc_init_template(struct integrity_iint_cache *iint,
-			    struct file *file, const unsigned char *filename,
-			    struct evm_ima_xattr_data *xattr_value,
-			    int xattr_len, struct ima_template_entry **entry)
+int ima_alloc_init_template(struct ima_event_data *event_data,
+			    struct ima_template_entry **entry)
 {
 	struct ima_template_desc *template_desc = ima_template_desc_current();
 	int i, result = 0;
@@ -55,8 +53,7 @@ int ima_alloc_init_template(struct integrity_iint_cache *iint,
 		struct ima_template_field *field = template_desc->fields[i];
 		u32 len;
 
-		result = field->field_init(iint, file, filename,
-					   xattr_value, xattr_len,
+		result = field->field_init(event_data,
 					   &((*entry)->template_data[i]));
 		if (result != 0)
 			goto out;
@@ -129,18 +126,20 @@ int ima_store_template(struct ima_template_entry *entry,
  * value is invalidated.
  */
 void ima_add_violation(struct file *file, const unsigned char *filename,
+		       struct integrity_iint_cache *iint,
 		       const char *op, const char *cause)
 {
 	struct ima_template_entry *entry;
 	struct inode *inode = file_inode(file);
+	struct ima_event_data event_data = {iint, file, filename, NULL, 0,
+					    cause};
 	int violation = 1;
 	int result;
 
 	/* can overflow, only indicator */
 	atomic_long_inc(&ima_htable.violations);
 
-	result = ima_alloc_init_template(NULL, file, filename,
-					 NULL, 0, &entry);
+	result = ima_alloc_init_template(&event_data, &entry);
 	if (result < 0) {
 		result = -ENOMEM;
 		goto err_out;
@@ -267,13 +266,14 @@ void ima_store_measurement(struct integrity_iint_cache *iint,
 	int result = -ENOMEM;
 	struct inode *inode = file_inode(file);
 	struct ima_template_entry *entry;
+	struct ima_event_data event_data = {iint, file, filename, xattr_value,
+					    xattr_len, NULL};
 	int violation = 0;
 
 	if (iint->flags & IMA_MEASURED)
 		return;
 
-	result = ima_alloc_init_template(iint, file, filename,
-					 xattr_value, xattr_len, &entry);
+	result = ima_alloc_init_template(&event_data, &entry);
 	if (result < 0) {
 		integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename,
 				    op, audit_cause, result, 0);
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 4df493e4b3c9..1873b5536f80 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
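Review bot: `struct ima_event_data event_data = {iint, file, filename, NULL, 0, cause};` in ima_add_violation relies on the positional order of the six fields, which silently misassigns if the struct in ima.h is ever reordered or grows; the same pattern appears in ima_store_measurement in the next hunk and in ima_add_boot_aggregate in the ima_init.c hunk. Designated initializers are the kernel's convention for this and also make clear which NULL/0 stands for what: `struct ima_event_data event_data = { .iint = iint, .file = file, .filename = filename, .violation = cause };` (the omitted xattr fields are zero-initialized). ima_add_violation's body continues past the end of the hunk.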
@@ -378,10 +378,14 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
 	result = ima_protect_xattr(dentry, xattr_name, xattr_value,
 				   xattr_value_len);
 	if (result == 1) {
+		bool digsig;
+
 		if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
 			return -EINVAL;
-		ima_reset_appraise_flags(d_backing_inode(dentry),
-			(xvalue->type == EVM_IMA_XATTR_DIGSIG) ? 1 : 0);
+		digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG);
+		if (!digsig && (ima_appraise & IMA_APPRAISE_ENFORCE))
+			return -EPERM;
+		ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
 		result = 0;
 	}
 	return result;
diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
index 5e4c29d174ee..e600cadd231c 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -24,12 +24,6 @@
 #include <crypto/hash_info.h>
 #include "ima.h"
 
-#ifdef CONFIG_IMA_X509_PATH
-#define IMA_X509_PATH CONFIG_IMA_X509_PATH
-#else
-#define IMA_X509_PATH "/etc/keys/x509_ima.der"
-#endif
-
 /* name for boot aggregate entry */
 static const char *boot_aggregate_name = "boot_aggregate";
 int ima_used_chip;
@@ -55,6 +49,8 @@ static int __init ima_add_boot_aggregate(void)
 	const char *audit_cause = "ENOMEM";
 	struct ima_template_entry *entry;
 	struct integrity_iint_cache tmp_iint, *iint = &tmp_iint;
+	struct ima_event_data event_data = {iint, NULL, boot_aggregate_name,
+					    NULL, 0, NULL};
 	int result = -ENOMEM;
 	int violation = 0;
 	struct {
@@ -76,8 +72,7 @@ static int __init ima_add_boot_aggregate(void)
 		}
 	}
 
-	result = ima_alloc_init_template(iint, NULL, boot_aggregate_name,
-					 NULL, 0, &entry);
+	result = ima_alloc_init_template(&event_data, &entry);
 	if (result < 0) {
 		audit_cause = "alloc_entry";
 		goto err_out;
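Review bot: The new `if (!digsig && (ima_appraise & IMA_APPRAISE_ENFORCE)) return -EPERM;` changes the hook's behaviour — in enforce mode a non-signature security.ima value can no longer be set — but neither the code nor a comment says why, and the -EPERM is returned before ima_reset_appraise_flags runs, so the existing flags stay untouched on rejection. A comment above the check such as `/* In enforce mode only a signed security.ima value may be written */` records the rule where a reader will look for it. ima_inode_setxattr starts outside the hunk, so whether its kernel-doc mentions the enforce-mode restriction is not visible here.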
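Review bot: Removing the `IMA_X509_PATH` fallback makes ima_load_x509 (next hunk) depend on CONFIG_IMA_X509_PATH always being defined as a string; the Kconfig change that would guarantee that is not in this diff, so unless the option already carries a default this either breaks the build or passes an empty path. The empty case is caught by the new `if (!path || !*path)` check in integrity_read_file, but the call in ima_load_x509 discards integrity_load_x509's return value, so a missing or unreadable certificate would leave appraisal without a key with no message at boot; checking the result and logging it, e.g. `if (integrity_load_x509(INTEGRITY_KEYRING_IMA, CONFIG_IMA_X509_PATH) < 0) pr_err("ima: failed to load x509 from %s\n", CONFIG_IMA_X509_PATH);`, would make that visible.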
@@ -103,7 +98,7 @@ void __init ima_load_x509(void)
 	int unset_flags = ima_policy_flag & IMA_APPRAISE;
 
 	ima_policy_flag &= ~unset_flags;
-	integrity_load_x509(INTEGRITY_KEYRING_IMA, IMA_X509_PATH);
+	integrity_load_x509(INTEGRITY_KEYRING_IMA, CONFIG_IMA_X509_PATH);
 	ima_policy_flag |= unset_flags;
 }
 #endif
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index eeee00dce729..c21f09bf8b99 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -106,9 +106,10 @@ static void ima_rdwr_violation_check(struct file *file,
 	*pathname = ima_d_path(&file->f_path, pathbuf);
 
 	if (send_tomtou)
-		ima_add_violation(file, *pathname, "invalid_pcr", "ToMToU");
+		ima_add_violation(file, *pathname, iint,
+				  "invalid_pcr", "ToMToU");
 	if (send_writers)
-		ima_add_violation(file, *pathname,
+		ima_add_violation(file, *pathname, iint,
 				  "invalid_pcr", "open_writers");
 }
 
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index d1eefb9d65fb..f2421f7fa3c8 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -79,6 +79,9 @@ static struct ima_rule_entry default_rules[] = {
 	{.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
 	{.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
 	{.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
+	{.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC,
+	 .flags = IMA_FSMAGIC},
+	{.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC},
 	{.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
 	 .flags = IMA_FUNC | IMA_MASK},
 	{.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
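Review bot: The two default rule tables end up in different orders after this change: default_rules gains CGROUP_SUPER_MAGIC then NSFS_MAGIC here, while default_appraise_rules in the next hunk gets NSFS_MAGIC inserted before its existing CGROUP_SUPER_MAGIC entry. Keeping the DONT_MEASURE and DONT_APPRAISE lists in the same order makes it easy to spot when a pseudo-filesystem is exempted from one but not the other; moving the new DONT_APPRAISE line after the CGROUP_SUPER_MAGIC entry would do it. The CGROUP_SUPER_MAGIC line is also the only one wrapped in this table, while its neighbours stay on one line, so a style pass should pick one form.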
@@ -99,6 +102,7 @@ static struct ima_rule_entry default_appraise_rules[] = {
 	{.action = DONT_APPRAISE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
 	{.action = DONT_APPRAISE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
 	{.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
+	{.action = DONT_APPRAISE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC},
 	{.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC},
 #ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT
 	{.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .flags = IMA_FOWNER},
@@ -338,16 +342,12 @@ void __init ima_init_policy(void)
 	appraise_entries = ima_use_appraise_tcb ?
 			 ARRAY_SIZE(default_appraise_rules) : 0;
 
-	for (i = 0; i < measure_entries + appraise_entries; i++) {
-		if (i < measure_entries)
-			list_add_tail(&default_rules[i].list,
-				      &ima_default_rules);
-		else {
-			int j = i - measure_entries;
+	for (i = 0; i < measure_entries; i++)
+		list_add_tail(&default_rules[i].list, &ima_default_rules);
 
-			list_add_tail(&default_appraise_rules[j].list,
-				      &ima_default_rules);
-		}
+	for (i = 0; i < appraise_entries; i++) {
+		list_add_tail(&default_appraise_rules[i].list,
+			      &ima_default_rules);
 	}
 
 	ima_rules = &ima_default_rules;
diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c
index bcfc36cbde6a..de0ce4fbdf69 100644
--- a/security/integrity/ima/ima_template_lib.c
+++ b/security/integrity/ima/ima_template_lib.c
@@ -195,9 +195,7 @@ static int ima_eventdigest_init_common(u8 *digest, u32 digestsize, u8 hash_algo,
 /*
  * This function writes the digest of an event (with size limit).
  */
-int ima_eventdigest_init(struct integrity_iint_cache *iint, struct file *file,
-			 const unsigned char *filename,
-			 struct evm_ima_xattr_data *xattr_value, int xattr_len,
+int ima_eventdigest_init(struct ima_event_data *event_data,
 			 struct ima_field_data *field_data)
 {
 	struct {
@@ -211,25 +209,25 @@ int ima_eventdigest_init(struct integrity_iint_cache *iint, struct file *file,
 
 	memset(&hash, 0, sizeof(hash));
 
-	if (!iint) /* recording a violation. */
+	if (event_data->violation) /* recording a violation. */
 		goto out;
 
-	if (ima_template_hash_algo_allowed(iint->ima_hash->algo)) {
-		cur_digest = iint->ima_hash->digest;
-		cur_digestsize = iint->ima_hash->length;
+	if (ima_template_hash_algo_allowed(event_data->iint->ima_hash->algo)) {
+		cur_digest = event_data->iint->ima_hash->digest;
+		cur_digestsize = event_data->iint->ima_hash->length;
 		goto out;
 	}
 
-	if (!file) /* missing info to re-calculate the digest */
+	if (!event_data->file) /* missing info to re-calculate the digest */
 		return -EINVAL;
 
-	inode = file_inode(file);
+	inode = file_inode(event_data->file);
 	hash.hdr.algo = ima_template_hash_algo_allowed(ima_hash_algo) ?
 	    ima_hash_algo : HASH_ALGO_SHA1;
-	result = ima_calc_file_hash(file, &hash.hdr);
+	result = ima_calc_file_hash(event_data->file, &hash.hdr);
 	if (result) {
 		integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode,
-				    filename, "collect_data",
+				    event_data->filename, "collect_data",
 				    "failed", result, 0);
 		return result;
 	}
@@ -243,48 +241,43 @@ out:
 /*
  * This function writes the digest of an event (without size limit).
  */
-int ima_eventdigest_ng_init(struct integrity_iint_cache *iint,
-			    struct file *file, const unsigned char *filename,
-			    struct evm_ima_xattr_data *xattr_value,
-			    int xattr_len, struct ima_field_data *field_data)
+int ima_eventdigest_ng_init(struct ima_event_data *event_data,
+			    struct ima_field_data *field_data)
 {
 	u8 *cur_digest = NULL, hash_algo = HASH_ALGO_SHA1;
 	u32 cur_digestsize = 0;
 
-	/* If iint is NULL, we are recording a violation. */
-	if (!iint)
+	if (event_data->violation) /* recording a violation. */
 		goto out;
 
-	cur_digest = iint->ima_hash->digest;
-	cur_digestsize = iint->ima_hash->length;
+	cur_digest = event_data->iint->ima_hash->digest;
+	cur_digestsize = event_data->iint->ima_hash->length;
 
-	hash_algo = iint->ima_hash->algo;
+	hash_algo = event_data->iint->ima_hash->algo;
 out:
 	return ima_eventdigest_init_common(cur_digest, cur_digestsize,
 					   hash_algo, field_data);
 }
 
-static int ima_eventname_init_common(struct integrity_iint_cache *iint,
-				     struct file *file,
-				     const unsigned char *filename,
+static int ima_eventname_init_common(struct ima_event_data *event_data,
 				     struct ima_field_data *field_data,
 				     bool size_limit)
 {
 	const char *cur_filename = NULL;
 	u32 cur_filename_len = 0;
 
-	BUG_ON(filename == NULL && file == NULL);
+	BUG_ON(event_data->filename == NULL && event_data->file == NULL);
 
-	if (filename) {
-		cur_filename = filename;
-		cur_filename_len = strlen(filename);
+	if (event_data->filename) {
+		cur_filename = event_data->filename;
+		cur_filename_len = strlen(event_data->filename);
 
 		if (!size_limit || cur_filename_len <= IMA_EVENT_NAME_LEN_MAX)
 			goto out;
 	}
 
-	if (file) {
-		cur_filename = file->f_path.dentry->d_name.name;
+	if (event_data->file) {
+		cur_filename = event_data->file->f_path.dentry->d_name.name;
 		cur_filename_len = strlen(cur_filename);
 	} else
 		/*
@@ -300,36 +293,30 @@ out:
 /*
  * This function writes the name of an event (with size limit).
  */
-int ima_eventname_init(struct integrity_iint_cache *iint, struct file *file,
-		       const unsigned char *filename,
-		       struct evm_ima_xattr_data *xattr_value, int xattr_len,
+int ima_eventname_init(struct ima_event_data *event_data,
 		       struct ima_field_data *field_data)
 {
-	return ima_eventname_init_common(iint, file, filename,
-					 field_data, true);
+	return ima_eventname_init_common(event_data, field_data, true);
 }
 
 /*
  * This function writes the name of an event (without size limit).
  */
-int ima_eventname_ng_init(struct integrity_iint_cache *iint, struct file *file,
-			  const unsigned char *filename,
-			  struct evm_ima_xattr_data *xattr_value, int xattr_len,
+int ima_eventname_ng_init(struct ima_event_data *event_data,
 			  struct ima_field_data *field_data)
 {
-	return ima_eventname_init_common(iint, file, filename,
-					 field_data, false);
+	return ima_eventname_init_common(event_data, field_data, false);
 }
 
 /*
  * ima_eventsig_init - include the file signature as part of the template data
  */
-int ima_eventsig_init(struct integrity_iint_cache *iint, struct file *file,
-		      const unsigned char *filename,
-		      struct evm_ima_xattr_data *xattr_value, int xattr_len,
+int ima_eventsig_init(struct ima_event_data *event_data,
 		      struct ima_field_data *field_data)
 {
 	enum data_formats fmt = DATA_FMT_HEX;
+	struct evm_ima_xattr_data *xattr_value = event_data->xattr_value;
+	int xattr_len = event_data->xattr_len;
 	int rc = 0;
 
 	if ((!xattr_value) || (xattr_value->type != EVM_IMA_XATTR_DIGSIG))
diff --git a/security/integrity/ima/ima_template_lib.h b/security/integrity/ima/ima_template_lib.h
index 63f6b52cb1c2..c344530c1d69 100644
--- a/security/integrity/ima/ima_template_lib.h
+++ b/security/integrity/ima/ima_template_lib.h
@@ -26,24 +26,14 @@ void ima_show_template_string(struct seq_file *m, enum ima_show_type show,
 			      struct ima_field_data *field_data);
 void ima_show_template_sig(struct seq_file *m, enum ima_show_type show,
 			   struct ima_field_data *field_data);
-int ima_eventdigest_init(struct integrity_iint_cache *iint, struct file *file,
-			 const unsigned char *filename,
-			 struct evm_ima_xattr_data *xattr_value, int xattr_len,
+int ima_eventdigest_init(struct ima_event_data *event_data,
 			 struct ima_field_data *field_data);
-int ima_eventname_init(struct integrity_iint_cache *iint, struct file *file,
-		       const unsigned char *filename,
-		       struct evm_ima_xattr_data *xattr_value, int xattr_len,
+int ima_eventname_init(struct ima_event_data *event_data,
 		       struct ima_field_data *field_data);
-int ima_eventdigest_ng_init(struct integrity_iint_cache *iint,
-			    struct file *file, const unsigned char *filename,
-			    struct evm_ima_xattr_data *xattr_value,
-			    int xattr_len, struct ima_field_data *field_data);
-int ima_eventname_ng_init(struct integrity_iint_cache *iint, struct file *file,
-			  const unsigned char *filename,
-			  struct evm_ima_xattr_data *xattr_value, int xattr_len,
+int ima_eventdigest_ng_init(struct ima_event_data *event_data,
+			    struct ima_field_data *field_data);
+int ima_eventname_ng_init(struct ima_event_data *event_data,
 			  struct ima_field_data *field_data);
-int ima_eventsig_init(struct integrity_iint_cache *iint, struct file *file,
-		      const unsigned char *filename,
-		      struct evm_ima_xattr_data *xattr_value, int xattr_len,
+int ima_eventsig_init(struct ima_event_data *event_data,
 		      struct ima_field_data *field_data);
 #endif /* __LINUX_IMA_TEMPLATE_LIB_H */
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 0fc9519fefa9..9c6168709d3b 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -135,7 +135,7 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
 			    const char *digest, int digestlen);
 
 int __init integrity_init_keyring(const unsigned int id);
-int __init integrity_load_x509(const unsigned int id, char *path);
+int __init integrity_load_x509(const unsigned int id, const char *path);
 #else
 static inline int integrity_digsig_verify(const unsigned int id,