- 14 12月, 2012 1 次提交
-
-
由 Mimi Zohar 提交于
With the addition of the new kernel module syscall, which defines two arguments - a file descriptor to the kernel module and a pointer to a NULL terminated string of module arguments - it is now possible to measure and appraise kernel modules like any other file on the file system. This patch adds support to measure and appraise kernel modules in an extensible and consistent manner. To support filesystems without extended attribute support, additional patches could pass the signature as the first parameter. Signed-off-by: NMimi Zohar <zohar@us.ibm.com> Signed-off-by: NRusty Russell <rusty@rustcorp.com.au>
-
- 05 10月, 2012 1 次提交
-
-
由 Dmitry Kasatkin 提交于
mask argument goes first, then func, like ima_must_measure and ima_get_action. ima_inode_post_setattr() assumes that. Signed-off-by: NDmitry Kasatkin <dmitry.kasatkin@intel.com> Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: NJames Morris <james.l.morris@oracle.com>
-
- 21 9月, 2012 1 次提交
-
-
由 Eric W. Biederman 提交于
Use kuid's in the IMA rules. When reporting the current uid in audit logs use from_kuid to get a usable value. Cc: Mimi Zohar <zohar@us.ibm.com> Acked-by: NSerge Hallyn <serge.hallyn@canonical.com> Signed-off-by: NEric W. Biederman <ebiederm@xmission.com>
-
- 14 9月, 2012 2 次提交
-
-
由 Peter Moody 提交于
This adds an 'audit' policy action which audit logs file measurements. Changelog v6: - use new action flag handling (Dmitry Kasatkin). - removed whitespace (Mimi) Changelog v5: - use audit_log_untrustedstring. Changelog v4: - cleanup digest -> hash conversion. - use filename rather than d_path in ima_audit_measurement. Changelog v3: - Use newly exported audit_log_task_info for logging pid/ppid/uid/etc. - Update the ima_policy ABI documentation. Changelog v2: - Use 'audit' action rather than 'measure_and_audit' to permit auditing in the absence of measuring.. Changelog v1: - Initial posting. Signed-off-by: NPeter Moody <pmoody@google.com> Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
-
由 Dmitry Kasatkin 提交于
Make the IMA action flag handling generic in order to support additional new actions, without requiring changes to the base implementation. New actions, like audit logging, will only need to modify the define statements. Signed-off-by: NDmitry Kasatkin <dmitry.kasatkin@intel.com> Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
-
- 12 9月, 2012 1 次提交
-
-
由 Dmitry Kasatkin 提交于
When AUDIT action support is added to the IMA, ima_must_appraise_or_measure() does not reflect the real meaning anymore. Rename it to ima_get_action(). Signed-off-by: NDmitry Kasatkin <dmitry.kasatkin@intel.com> Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
-
- 08 9月, 2012 6 次提交
-
-
由 Dmitry Kasatkin 提交于
This patch adds support for digital signature based integrity appraisal. With this patch, 'security.ima' contains either the file data hash or a digital signature of the file data hash. The file data hash provides the security attribute of file integrity. In addition to file integrity, a digital signature provides the security attribute of authenticity. Unlike EVM, when the file metadata changes, the digital signature is replaced with an HMAC, modification of the file data does not cause the 'security.ima' digital signature to be replaced with a hash. As a result, after any modification, subsequent file integrity appraisals would fail. Although digitally signed files can be modified, but by not updating 'security.ima' to reflect these modifications, in essence digitally signed files could be considered 'immutable'. IMA uses a different keyring than EVM. While the EVM keyring should not be updated after initialization and locked, the IMA keyring should allow updating or adding new keys when upgrading or installing packages. Changelog v4: - Change IMA_DIGSIG to hex equivalent Changelog v3: - Permit files without any 'security.ima' xattr to be labeled properly. Signed-off-by: NDmitry Kasatkin <dmitry.kasatkin@intel.com> Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
-
由 Mimi Zohar 提交于
IMA-appraisal currently verifies the integrity of a file based on a known 'good' measurement value. This patch reserves the first byte of 'security.ima' as a place holder for the type of method used for verifying file data integrity. Changelog v1: - Use the newly defined 'struct evm_ima_xattr_data' Signed-off-by: NDmitry Kasatkin <dmitry.kasatkin@nokia.com> Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
-
由 Mimi Zohar 提交于
Based on xattr_permission comments, the restriction to modify 'security' xattr is left up to the underlying fs or lsm. Ensure that not just anyone can modify or remove 'security.ima'. Changelog v1: - Unless IMA-APPRAISE is configured, use stub ima_inode_removexattr()/setxattr() functions. (Moved ima_inode_removexattr()/setxattr() to ima_appraise.c) Changelog: - take i_mutex to fix locking (Dmitry Kasatkin) - ima_reset_appraise_flags should only be called when modifying or removing the 'security.ima' xattr. Requires CAP_SYS_ADMIN privilege. (Incorporated fix from Roberto Sassu) - Even if allowed to update security.ima, reset the appraisal flags, forcing re-appraisal. - Replace CAP_MAC_ADMIN with CAP_SYS_ADMIN - static inline ima_inode_setxattr()/ima_inode_removexattr() stubs - ima_protect_xattr should be static Signed-off-by: NMimi Zohar <zohar@us.ibm.com> Signed-off-by: NDmitry Kasatkin <dmitry.kasatkin@intel.com>
-
由 Dmitry Kasatkin 提交于
With IMA-appraisal's removal of the iint mutex and taking the i_mutex instead, allocating the iint becomes a lot simplier, as we don't need to be concerned with two processes racing to allocate the iint. This patch cleans up and improves performance for allocating the iint. - removed redundant double i_mutex locking - combined iint allocation with tree search Changelog v2: - removed the rwlock/read_lock changes from this patch Signed-off-by: NDmitry Kasatkin <dmitry.kasatkin@intel.com> Signed-off-by: NMimi Zohar <zohar@us.ibm.com>
-
由 Mimi Zohar 提交于
Unlike the IMA measurement policy, the appraise policy can not be dependent on runtime process information, such as the task uid, as the 'security.ima' xattr is written on file close and must be updated each time the file changes, regardless of the current task uid. This patch extends the policy language with 'fowner', defines an appraise policy, which appraises all files owned by root, and defines 'ima_appraise_tcb', a new boot command line option, to enable the appraise policy. Changelog v3: - separate the measure from the appraise rules in order to support measuring without appraising and appraising without measuring. - change appraisal default for filesystems without xattr support to fail - update default appraise policy for cgroups Changelog v1: - don't appraise RAMFS (Dmitry Kasatkin) - merged rest of "ima: ima_must_appraise_or_measure API change" commit (Dmtiry Kasatkin) ima_must_appraise_or_measure() called ima_match_policy twice, which searched the policy for a matching rule. Once for a matching measurement rule and subsequently for an appraisal rule. Searching the policy twice is unnecessary overhead, which could be noticeable with a large policy. The new version of ima_must_appraise_or_measure() does everything in a single iteration using a new version of ima_match_policy(). It returns IMA_MEASURE, IMA_APPRAISE mask. With the use of action mask only one efficient matching function is enough. Removed other specific versions of matching functions. Changelog: - change 'owner' to 'fowner' to conform to the new LSM conditions posted by Roberto Sassu. - fix calls to ima_log_string() Signed-off-by: NMimi Zohar <zohar@us.ibm.com> Signed-off-by: NDmitry Kasatkin <dmitry.kasatkin@intel.com>
-
由 Mimi Zohar 提交于
IMA currently maintains an integrity measurement list used to assert the integrity of the running system to a third party. The IMA-appraisal extension adds local integrity validation and enforcement of the measurement against a "good" value stored as an extended attribute 'security.ima'. The initial methods for validating 'security.ima' are hashed based, which provides file data integrity, and digital signature based, which in addition to providing file data integrity, provides authenticity. This patch creates and maintains the 'security.ima' xattr, containing the file data hash measurement. Protection of the xattr is provided by EVM, if enabled and configured. Based on policy, IMA calls evm_verifyxattr() to verify a file's metadata integrity and, assuming success, compares the file's current hash value with the one stored as an extended attribute in 'security.ima'. Changelov v4: - changed iint cache flags to hex values Changelog v3: - change appraisal default for filesystems without xattr support to fail Changelog v2: - fix audit msg 'res' value - removed unused 'ima_appraise=' values Changelog v1: - removed unused iint mutex (Dmitry Kasatkin) - setattr hook must not reset appraised (Dmitry Kasatkin) - evm_verifyxattr() now differentiates between no 'security.evm' xattr (INTEGRITY_NOLABEL) and no EVM 'protected' xattrs included in the 'security.evm' (INTEGRITY_NOXATTRS). - replace hash_status with ima_status (Dmitry Kasatkin) - re-initialize slab element ima_status on free (Dmitry Kasatkin) - include 'security.ima' in EVM if CONFIG_IMA_APPRAISE, not CONFIG_IMA - merged half "ima: ima_must_appraise_or_measure API change" (Dmitry Kasatkin) - removed unnecessary error variable in process_measurement() (Dmitry Kasatkin) - use ima_inode_post_setattr() stub function, if IMA_APPRAISE not configured (moved ima_inode_post_setattr() to ima_appraise.c) - make sure ima_collect_measurement() can read file Changelog: - add 'iint' to evm_verifyxattr() call (Dimitry Kasatkin) - fix the race condition between chmod, which takes the i_mutex and then iint->mutex, and ima_file_free() and process_measurement(), which take the locks in the reverse order, by eliminating iint->mutex. (Dmitry Kasatkin) - cleanup of ima_appraise_measurement() (Dmitry Kasatkin) - changes as a result of the iint not allocated for all regular files, but only for those measured/appraised. - don't try to appraise new/empty files - expanded ima_appraisal description in ima/Kconfig - IMA appraise definitions required even if IMA_APPRAISE not enabled - add return value to ima_must_appraise() stub - unconditionally set status = INTEGRITY_PASS *after* testing status, not before. (Found by Joe Perches) Signed-off-by: NMimi Zohar <zohar@us.ibm.com> Signed-off-by: NDmitry Kasatkin <dmitry.kasatkin@intel.com>
-
- 23 8月, 2012 1 次提交
-
-
由 Kent Yoder 提交于
Enable tpm_ibmvtpm driver by default when IMA is enabled on PPC64 Signed-off-by: NKent Yoder <key@linux.vnet.ibm.com>
-
- 06 7月, 2012 3 次提交
-
-
由 Dmitry Kasatkin 提交于
IMA auditing code was compiled even when CONFIG_AUDIT was not enabled. This patch compiles auditing code only when possible and enabled. Signed-off-by: NDmitry Kasatkin <dmitry.kasatkin@intel.com> Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
-
由 Dmitry Kasatkin 提交于
Set ima_initialized only if initialization was successful. Signed-off-by: NDmitry Kasatkin <dmitry.kasatkin@intel.com> Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
-
由 Dmitry Kasatkin 提交于
Exclude DEVPTS and BINFMT filesystems from the measurement policy. Signed-off-by: NDmitry Kasatkin <dmitry.kasatkin@intel.com> Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
-
- 03 7月, 2012 3 次提交
-
-
由 Dmitry Kasatkin 提交于
IMA cannot be used as module and does not need __exit functions. Removed them. Signed-off-by: NDmitry Kasatkin <dmitry.kasatkin@intel.com> Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
-
由 Dmitry Kasatkin 提交于
On ima_fs_init() error, free securityfs violations file. Signed-off-by: NDmitry Kasatkin <dmitry.kasatkin@intel.com> Signed-off-by: NMimi Zohar <zohar@us.ibm.com>
-
由 Mimi Zohar 提交于
The IMA measurement list contains filename hints, which can be ambigious without the full pathname. This patch replaces the filename hint with the full pathname, simplifying for userspace the correlating of file hash measurements with files. Change log v1: - Revert to short filenames, when full pathname is longer than IMA measurement buffer size. (Based on Dmitry's review) Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
-
- 16 5月, 2012 1 次提交
-
-
由 Mimi Zohar 提交于
When IMA was first upstreamed, the bprm filename and interp were always the same. Currently, the bprm->filename and bprm->interp are the same, except for when only bprm->interp contains the interpreter name. So instead of using the bprm->filename as the IMA filename hint in the measurement list, we could replace it with bprm->interp, but this feels too fragil. The following patch is not much better, but at least there is some indication that sometimes we're passing the filename and other times the interpreter name. Reported-by: NAndrew Lunn <andrew@lunn.ch> Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: NJames Morris <james.l.morris@oracle.com>
-
- 28 2月, 2012 1 次提交
-
-
由 Randy Dunlap 提交于
Fix IMA kconfig warning on non-X86 architectures: warning: (IMA) selects TCG_TIS which has unmet direct dependencies (TCG_TPM && X86) Signed-off-by: NRandy Dunlap <rdunlap@xenotime.net> Reported-by: NGeert Uytterhoeven <geert@linux-m68k.org> Acked-by: NRajiv Andrade <srajiv@linux.vnet.ibm.com> Signed-off-by: NJames Morris <james.l.morris@oracle.com>
-
- 16 2月, 2012 1 次提交
-
-
由 Eric Paris 提交于
The audit res field ususally indicates success with a 1 and 0 for a failure. So make IMA do it the same way. Signed-off-by: NEric Paris <eparis@redhat.com> Signed-off-by: NMimi Zohar <zohar@us.ibm.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
- 20 1月, 2012 2 次提交
-
-
由 Dmitry Kasatkin 提交于
Don't measure ramfs files. Signed-off-by: NDmitry Kasatkin <dmitry.kasatkin@intel.com> Signed-off-by: NMimi Zohar <zohar@us.ibm.com>
-
由 Fabio Estevam 提交于
Fix the following build warning: warning: (IMA) selects TCG_TPM which has unmet direct dependencies (HAS_IOMEM && EXPERIMENTAL) Suggested-by: NRajiv Andrade <srajiv@linux.vnet.ibm.com> Signed-off-by: NFabio Estevam <fabio.estevam@freescale.com> Signed-off-by: NRajiv Andrade <srajiv@linux.vnet.ibm.com> Cc: <stable@vger.kernel.org> Signed-off-by: NMimi Zohar <zohar@us.ibm.com>
-
- 19 1月, 2012 1 次提交
-
-
由 Mimi Zohar 提交于
Fix ima_policy.c sparse "warning: dereference of noderef expression" message, by accessing cred->uid using current_cred(). Changelog v1: - Change __cred to just cred (based on David Howell's comment) Signed-off-by: NMimi Zohar <zohar@us.ibm.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
- 18 1月, 2012 1 次提交
-
-
由 Kees Cook 提交于
The use of s_id should go through the untrusted string path, just to be extra careful. Signed-off-by: NKees Cook <keescook@chromium.org> Acked-by: NMimi Zohar <zohar@us.ibm.com> Signed-off-by: NEric Paris <eparis@redhat.com>
-
- 20 12月, 2011 2 次提交
-
-
由 Roberto Sassu 提交于
Don't free a valid measurement entry on TPM PCR extend failure. Signed-off-by: NRoberto Sassu <roberto.sassu@polito.it> Signed-off-by: NMimi Zohar <zohar@us.ibm.com> Cc: stable@vger.kernel.org
-
由 Roberto Sassu 提交于
Info about new measurements are cached in the iint for performance. When the inode is flushed from cache, the associated iint is flushed as well. Subsequent access to the inode will cause the inode to be re-measured and will attempt to add a duplicate entry to the measurement list. This patch frees the duplicate measurement memory, fixing a memory leak. Signed-off-by: NRoberto Sassu <roberto.sassu@polito.it> Signed-off-by: NMimi Zohar <zohar@us.ibm.com> Cc: stable@vger.kernel.org
-
- 02 11月, 2011 1 次提交
-
-
由 Al Viro 提交于
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk> Signed-off-by: NRichard Weinberger <richard@nod.at>
-
- 10 9月, 2011 3 次提交
-
-
由 James Morris 提交于
Fixes sparse warnings: security/integrity/ima/ima_main.c:105:6: warning: symbol 'ima_file_free' was not declared. Should it be static? security/integrity/ima/ima_main.c:167:5: warning: symbol 'ima_file_mmap' was not declared. Should it be static? security/integrity/ima/ima_main.c:192:5: warning: symbol 'ima_bprm_check' was not declared. Should it be static? security/integrity/ima/ima_main.c:211:5: warning: symbol 'ima_file_check' was not declared. Should it be static? Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 James Morris 提交于
Fixes sparse warning: security/integrity/ima/ima_fs.c:290:5: warning: symbol 'ima_open_policy' was not declared. Should it be static? Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 James Morris 提交于
Sparse fix: move iint_initialized to integrity.h Signed-off-by: NJames Morris <jmorris@namei.org>
-
- 27 7月, 2011 1 次提交
-
-
由 Al Viro 提交于
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
-
- 19 7月, 2011 1 次提交
-
-
由 Mimi Zohar 提交于
Move the inode integrity data(iint) management up to the integrity directory in order to share the iint among the different integrity models. Changelog: - don't define MAX_DIGEST_SIZE - rename several globally visible 'ima_' prefixed functions, structs, locks, etc to 'integrity_' - replace '20' with SHA1_DIGEST_SIZE - reflect location change in appropriate Kconfig and Makefiles - remove unnecessary initialization of iint_initialized to 0 - rebased on current ima_iint.c - define integrity_iint_store/lock as static There should be no other functional changes. Signed-off-by: NMimi Zohar <zohar@us.ibm.com> Acked-by: NSerge Hallyn <serge.hallyn@ubuntu.com>
-
- 24 2月, 2011 1 次提交
-
-
由 Mimi Zohar 提交于
The original ima_must_measure() function based its results on cached iint information, which required an iint be allocated for all files. Currently, an iint is allocated only for files in policy. As a result, for those files in policy, ima_must_measure() is now called twice: once to determine if the inode is in the measurement policy and, the second time, to determine if it needs to be measured/re-measured. The second call to ima_must_measure() unnecessarily checks to see if the file is in policy. As we already know the file is in policy, this patch removes the second unnecessary call to ima_must_measure(), removes the vestige iint parameter, and just checks the iint directly to determine if the inode has been measured or needs to be measured/re-measured. Signed-off-by: NMimi Zohar <zohar@us.ibm.com> Acked-by: NEric Paris <eparis@redhat.com>
-
- 10 2月, 2011 3 次提交
-
-
由 Mimi Zohar 提交于
Now that i_readcount is maintained by the VFS layer, remove the imbalance checking in IMA. Cleans up the IMA code nicely. Signed-off-by: NMimi Zohar <zohar@us.ibm.com> Acked-by: NEric Paris <eparis@redhat.com>
-
由 Mimi Zohar 提交于
ima_counts_get() updated the readcount and invalidated the PCR, as necessary. Only update the i_readcount in the VFS layer. Move the PCR invalidation checks to ima_file_check(), where it belongs. Maintaining the i_readcount in the VFS layer, will allow other subsystems to use i_readcount. Signed-off-by: NMimi Zohar <zohar@us.ibm.com> Acked-by: NEric Paris <eparis@redhat.com>
-
由 Mimi Zohar 提交于
Convert the inode's i_readcount from an unsigned int to atomic. Signed-off-by: NMimi Zohar <zohar@us.ibm.com> Acked-by: NEric Paris <eparis@redhat.com>
-
- 04 1月, 2011 1 次提交
-
-
由 Mimi Zohar 提交于
If security_filter_rule_init() doesn't return a rule, then not everything is as fine as the return code implies. This bug only occurs when the LSM (eg. SELinux) is disabled at runtime. Adding an empty LSM rule causes ima_match_rules() to always succeed, ignoring any remaining rules. default IMA TCB policy: # PROC_SUPER_MAGIC dont_measure fsmagic=0x9fa0 # SYSFS_MAGIC dont_measure fsmagic=0x62656572 # DEBUGFS_MAGIC dont_measure fsmagic=0x64626720 # TMPFS_MAGIC dont_measure fsmagic=0x01021994 # SECURITYFS_MAGIC dont_measure fsmagic=0x73636673 < LSM specific rule > dont_measure obj_type=var_log_t measure func=BPRM_CHECK measure func=FILE_MMAP mask=MAY_EXEC measure func=FILE_CHECK mask=MAY_READ uid=0 Thus without the patch, with the boot parameters 'tcb selinux=0', adding the above 'dont_measure obj_type=var_log_t' rule to the default IMA TCB measurement policy, would result in nothing being measured. The patch prevents the default TCB policy from being replaced. Signed-off-by: NMimi Zohar <zohar@us.ibm.com> Cc: James Morris <jmorris@namei.org> Acked-by: NSerge Hallyn <serge.hallyn@canonical.com> Cc: David Safford <safford@watson.ibm.com> Cc: <stable@kernel.org> Signed-off-by: NAndrew Morton <akpm@linux-foundation.org> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
- 27 10月, 2010 1 次提交
-
-
由 Eric Paris 提交于
Current logic looks like this: rc = ima_must_measure(NULL, inode, MAY_READ, FILE_CHECK); if (rc < 0) goto out; if (mode & FMODE_WRITE) { if (inode->i_readcount) send_tomtou = true; goto out; } if (atomic_read(&inode->i_writecount) > 0) send_writers = true; Lets assume we have a policy which states that all files opened for read by root must be measured. Lets assume the file has permissions 777. Lets assume that root has the given file open for read. Lets assume that a non-root process opens the file write. The non-root process will get to ima_counts_get() and will check the ima_must_measure(). Since it is not supposed to measure it will goto out. We should check the i_readcount no matter what since we might be causing a ToMToU voilation! This is close to correct, but still not quite perfect. The situation could have been that root, which was interested in the mesurement opened and closed the file and another process which is not interested in the measurement is the one holding the i_readcount ATM. This is just overly strict on ToMToU violations, which is better than not strict enough... Signed-off-by: NEric Paris <eparis@redhat.com> Acked-by: NMimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-