1. 07 12月, 2014 1 次提交
  2. 18 11月, 2014 2 次提交
    • D
      ima: require signature based appraisal · c57782c1
      Dmitry Kasatkin 提交于
      This patch provides CONFIG_IMA_APPRAISE_SIGNED_INIT kernel configuration
      option to force IMA appraisal using signatures. This is useful, when EVM
      key is not initialized yet and we want securely initialize integrity or
      any other functionality.
      
      It forces embedded policy to require signature. Signed initialization
      script can initialize EVM key, update the IMA policy and change further
      requirement of everything to be signed.
      
      Changes in v3:
      * kernel parameter fixed to configuration option in the patch description
      
      Changes in v2:
      * policy change of this patch separated from the key loading patch
      Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      c57782c1
    • D
      ima: load x509 certificate from the kernel · fd5f4e90
      Dmitry Kasatkin 提交于
      Define configuration option to load X509 certificate into the
      IMA trusted kernel keyring. It implements ima_load_x509() hook
      to load X509 certificate into the .ima trusted kernel keyring
      from the root filesystem.
      
      Changes in v3:
      * use ima_policy_flag in ima_get_action()
        ima_load_x509 temporarily clears ima_policy_flag to disable
        appraisal to load key. Use it to skip appraisal rules.
      * Key directory path changed to /etc/keys (Mimi)
      * Expand IMA_LOAD_X509 Kconfig help
      
      Changes in v2:
      * added '__init'
      * use ima_policy_flag to disable appraisal to load keys
      Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      fd5f4e90
  3. 09 9月, 2014 1 次提交
    • D
      integrity: base integrity subsystem kconfig options on integrity · 7ef84e65
      Dmitry Kasatkin 提交于
      The integrity subsystem has lots of options and takes more than
      half of the security menu.  This patch consolidates the options
      under "integrity", which are hidden if not enabled.  This change
      does not affect existing configurations.  Re-configuration is not
      needed.
      
      Changes v4:
      - no need to change "integrity subsystem" to menuconfig as
      options are hidden, when not enabled. (Mimi)
      - add INTEGRITY Kconfig help description
      
      Changes v3:
      - dependency to INTEGRITY removed when behind 'if INTEGRITY'
      
      Changes v2:
      - previous patch moved integrity out of the 'security' menu.
        This version keeps integrity as a security option (Mimi).
      Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      7ef84e65
  4. 17 7月, 2014 1 次提交
    • M
      ima: define '.ima' as a builtin 'trusted' keyring · 7d2ce232
      Mimi Zohar 提交于
      Require all keys added to the IMA keyring be signed by an
      existing trusted key on the system trusted keyring.
      
      Changelog v6:
      - remove ifdef CONFIG_IMA_TRUSTED_KEYRING in C code - Dmitry
      - update Kconfig dependency and help
      - select KEYS_DEBUG_PROC_KEYS - Dmitry
      
      Changelog v5:
      - Move integrity_init_keyring() to init_ima() - Dmitry
      - reset keyring[id] on failure - Dmitry
      
      Changelog v1:
      - don't link IMA trusted keyring to user keyring
      
      Changelog:
      - define stub integrity_init_keyring() function (reported-by Fengguang Wu)
      - differentiate between regular and trusted keyring names.
      - replace printk with pr_info (D. Kasatkin)
      - only make the IMA keyring a trusted keyring (reported-by D. Kastatkin)
      - define stub integrity_init_keyring() definition based on
        CONFIG_INTEGRITY_SIGNATURE, not CONFIG_INTEGRITY_ASYMMETRIC_KEYS.
        (reported-by Jim Davis)
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
      Acked-by: NDavid Howells <dhowells@redhat.com>
      7d2ce232
  5. 24 11月, 2013 1 次提交
  6. 01 11月, 2013 2 次提交
    • M
      ima: define '_ima' as a builtin 'trusted' keyring · 217091dd
      Mimi Zohar 提交于
      Require all keys added to the IMA keyring be signed by an
      existing trusted key on the system trusted keyring.
      
      Changelog:
      - define stub integrity_init_keyring() function (reported-by Fengguang Wu)
      - differentiate between regular and trusted keyring names.
      - replace printk with pr_info (D. Kasatkin)
      Signed-off-by: NMimi Zohar <zohar@us.ibm.com>
      217091dd
    • M
      ima: extend the measurement list to include the file signature · bcbc9b0c
      Mimi Zohar 提交于
      This patch defines a new template called 'ima-sig', which includes
      the file signature in the template data, in addition to the file's
      digest and pathname.
      
      A template is composed of a set of fields.  Associated with each
      field is an initialization and display function.  This patch defines
      a new template field called 'sig', the initialization function
      ima_eventsig_init(), and the display function ima_show_template_sig().
      
      This patch modifies the .field_init() function definition to include
      the 'security.ima' extended attribute and length.
      
      Changelog:
      - remove unused code (Dmitry Kasatkin)
      - avoid calling ima_write_template_field_data() unnecesarily (Roberto Sassu)
      - rename DATA_FMT_SIG to DATA_FMT_HEX
      - cleanup ima_eventsig_init() based on Roberto's comments
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
      Signed-off-by: NRoberto Sassu <roberto.sassu@polito.it>
      bcbc9b0c
  7. 27 10月, 2013 2 次提交
    • M
      ima: enable support for larger default filedata hash algorithms · e7a2ad7e
      Mimi Zohar 提交于
      The IMA measurement list contains two hashes - a template data hash
      and a filedata hash.  The template data hash is committed to the TPM,
      which is limited, by the TPM v1.2 specification, to 20 bytes.  The
      filedata hash is defined as 20 bytes as well.
      
      Now that support for variable length measurement list templates was
      added, the filedata hash is not limited to 20 bytes.  This patch adds
      Kconfig support for defining larger default filedata hash algorithms
      and replacing the builtin default with one specified on the kernel
      command line.
      
      <uapi/linux/hash_info.h> contains a list of hash algorithms.  The
      Kconfig default hash algorithm is a subset of this list, but any hash
      algorithm included in the list can be specified at boot, using the
      'ima_hash=' kernel command line option.
      
      Changelog v2:
      - update Kconfig
      
      Changelog:
      - support hashes that are configured
      - use generic HASH_ALGO_ definitions
      - add Kconfig support
      - hash_setup must be called only once (Dmitry)
      - removed trailing whitespaces (Roberto Sassu)
      Signed-off-by: NMimi Zohar <zohar@us.ibm.com>
      Signed-off-by: NRoberto Sassu <roberto.sassu@polito.it>
      e7a2ad7e
    • M
      ima: add Kconfig default measurement list template · 4286587d
      Mimi Zohar 提交于
      This patch adds a Kconfig option to select the default IMA
      measurement list template.  The 'ima' template limited the
      filedata hash to 20 bytes and the pathname to 255 charaters.
      The 'ima-ng' measurement list template permits larger hash
      digests and longer pathnames.
      
      Changelog:
      - keep 'select CRYPTO_HASH_INFO' in 'config IMA' section (Kconfig)
        (Roberto Sassu);
      - removed trailing whitespaces (Roberto Sassu).
      - Lindent fixes
      Signed-off-by: NMimi Zohar <zohar@us.ibm.com>
      Signed-off-by: NRoberto Sassu <roberto.sassu@polito.it>
      4286587d
  8. 26 10月, 2013 1 次提交
    • D
      ima: provide support for arbitrary hash algorithms · c7c8bb23
      Dmitry Kasatkin 提交于
      In preparation of supporting more hash algorithms with larger hash sizes
      needed for signature verification, this patch replaces the 20 byte sized
      digest, with a more flexible structure.  The new structure includes the
      hash algorithm, digest size, and digest.
      
      Changelog:
      - recalculate filedata hash for the measurement list, if the signature
        hash digest size is greater than 20 bytes.
      - use generic HASH_ALGO_
      - make ima_calc_file_hash static
      - scripts lindent and checkpatch fixes
      Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      c7c8bb23
  9. 20 6月, 2013 1 次提交
    • M
      integrity: move integrity_audit_msg() · d726d8d7
      Mimi Zohar 提交于
      This patch moves the integrity_audit_msg() function and defintion to
      security/integrity/, the parent directory, renames the 'ima_audit'
      boot command line option to 'integrity_audit', and fixes the Kconfig
      help text to reflect the actual code.
      
      Changelog:
      - Fixed ifdef inclusion of integrity_audit_msg() (Fengguang Wu)
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      d726d8d7
  10. 08 9月, 2012 1 次提交
    • M
      ima: integrity appraisal extension · 2fe5d6de
      Mimi Zohar 提交于
      IMA currently maintains an integrity measurement list used to assert the
      integrity of the running system to a third party.  The IMA-appraisal
      extension adds local integrity validation and enforcement of the
      measurement against a "good" value stored as an extended attribute
      'security.ima'.  The initial methods for validating 'security.ima' are
      hashed based, which provides file data integrity, and digital signature
      based, which in addition to providing file data integrity, provides
      authenticity.
      
      This patch creates and maintains the 'security.ima' xattr, containing
      the file data hash measurement.  Protection of the xattr is provided by
      EVM, if enabled and configured.
      
      Based on policy, IMA calls evm_verifyxattr() to verify a file's metadata
      integrity and, assuming success, compares the file's current hash value
      with the one stored as an extended attribute in 'security.ima'.
      
      Changelov v4:
      - changed iint cache flags to hex values
      
      Changelog v3:
      - change appraisal default for filesystems without xattr support to fail
      
      Changelog v2:
      - fix audit msg 'res' value
      - removed unused 'ima_appraise=' values
      
      Changelog v1:
      - removed unused iint mutex (Dmitry Kasatkin)
      - setattr hook must not reset appraised (Dmitry Kasatkin)
      - evm_verifyxattr() now differentiates between no 'security.evm' xattr
        (INTEGRITY_NOLABEL) and no EVM 'protected' xattrs included in the
        'security.evm' (INTEGRITY_NOXATTRS).
      - replace hash_status with ima_status (Dmitry Kasatkin)
      - re-initialize slab element ima_status on free (Dmitry Kasatkin)
      - include 'security.ima' in EVM if CONFIG_IMA_APPRAISE, not CONFIG_IMA
      - merged half "ima: ima_must_appraise_or_measure API change" (Dmitry Kasatkin)
      - removed unnecessary error variable in process_measurement() (Dmitry Kasatkin)
      - use ima_inode_post_setattr() stub function, if IMA_APPRAISE not configured
        (moved ima_inode_post_setattr() to ima_appraise.c)
      - make sure ima_collect_measurement() can read file
      
      Changelog:
      - add 'iint' to evm_verifyxattr() call (Dimitry Kasatkin)
      - fix the race condition between chmod, which takes the i_mutex and then
        iint->mutex, and ima_file_free() and process_measurement(), which take
        the locks in the reverse order, by eliminating iint->mutex. (Dmitry Kasatkin)
      - cleanup of ima_appraise_measurement() (Dmitry Kasatkin)
      - changes as a result of the iint not allocated for all regular files, but
        only for those measured/appraised.
      - don't try to appraise new/empty files
      - expanded ima_appraisal description in ima/Kconfig
      - IMA appraise definitions required even if IMA_APPRAISE not enabled
      - add return value to ima_must_appraise() stub
      - unconditionally set status = INTEGRITY_PASS *after* testing status,
        not before.  (Found by Joe Perches)
      Signed-off-by: NMimi Zohar <zohar@us.ibm.com>
      Signed-off-by: NDmitry Kasatkin <dmitry.kasatkin@intel.com>
      2fe5d6de
  11. 23 8月, 2012 1 次提交
  12. 06 7月, 2012 1 次提交
  13. 28 2月, 2012 1 次提交
  14. 20 1月, 2012 1 次提交
  15. 02 11月, 2011 1 次提交
  16. 19 7月, 2011 1 次提交
    • M
      integrity: move ima inode integrity data management · f381c272
      Mimi Zohar 提交于
      Move the inode integrity data(iint) management up to the integrity directory
      in order to share the iint among the different integrity models.
      
      Changelog:
      - don't define MAX_DIGEST_SIZE
      - rename several globally visible 'ima_' prefixed functions, structs,
        locks, etc to 'integrity_'
      - replace '20' with SHA1_DIGEST_SIZE
      - reflect location change in appropriate Kconfig and Makefiles
      - remove unnecessary initialization of iint_initialized to 0
      - rebased on current ima_iint.c
      - define integrity_iint_store/lock as static
      
      There should be no other functional changes.
      Signed-off-by: NMimi Zohar <zohar@us.ibm.com>
      Acked-by: NSerge Hallyn <serge.hallyn@ubuntu.com>
      f381c272
  17. 17 5月, 2010 1 次提交
  18. 07 5月, 2010 1 次提交
  19. 05 5月, 2010 1 次提交
  20. 25 10月, 2009 1 次提交
  21. 13 2月, 2009 1 次提交
    • R
      ima: fix build error · b53fab9d
      Randy Dunlap 提交于
      IMA_LSM_RULES requires AUDIT.  This is automatic if SECURITY_SELINUX=y
      but not when SECURITY_SMACK=y (and SECURITY_SELINUX=n), so make the
      dependency explicit.  This fixes the following build error:
      
      security/integrity/ima/ima_policy.c:111:error: implicit declaration of function 'security_audit_rule_match'
      security/integrity/ima/ima_policy.c:230:error: implicit declaration of function 'security_audit_rule_init'
      Signed-off-by: NRandy Dunlap <randy.dunlap@oracle.com>
      Acked-by: NMimi Zohar <zohar@us.ibm.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      b53fab9d
  22. 06 2月, 2009 2 次提交
    • M
      integrity: IMA policy · 4af4662f
      Mimi Zohar 提交于
      Support for a user loadable policy through securityfs
      with support for LSM specific policy data.
      - free invalid rule in ima_parse_add_rule()
      Signed-off-by: NMimi Zohar <zohar@us.ibm.com>
      Acked-by: NSerge Hallyn <serue@us.ibm.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      4af4662f
    • M
      integrity: IMA as an integrity service provider · 3323eec9
      Mimi Zohar 提交于
      IMA provides hardware (TPM) based measurement and attestation for
      file measurements. As the Trusted Computing (TPM) model requires,
      IMA measures all files before they are accessed in any way (on the
      integrity_bprm_check, integrity_path_check and integrity_file_mmap
      hooks), and commits the measurements to the TPM. Once added to the
      TPM, measurements can not be removed.
      
      In addition, IMA maintains a list of these file measurements, which
      can be used to validate the aggregate value stored in the TPM.  The
      TPM can sign these measurements, and thus the system can prove, to
      itself and to a third party, the system's integrity in a way that
      cannot be circumvented by malicious or compromised software.
      
      - alloc ima_template_entry before calling ima_store_template()
      - log ima_add_boot_aggregate() failure
      - removed unused IMA_TEMPLATE_NAME_LEN
      - replaced hard coded string length with #define name
      Signed-off-by: NMimi Zohar <zohar@us.ibm.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      3323eec9