1. 25 3月, 2018 1 次提交
  2. 23 3月, 2018 1 次提交
    • M
      IMA: Support using new creds in appraisal policy · d906c10d
      Matthew Garrett 提交于
      The existing BPRM_CHECK functionality in IMA validates against the
      credentials of the existing process, not any new credentials that the
      child process may transition to. Add an additional CREDS_CHECK target
      and refactor IMA to pass the appropriate creds structure. In
      ima_bprm_check(), check with both the existing process credentials and
      the credentials that will be committed when the new process is started.
      This will not change behaviour unless the system policy is extended to
      include CREDS_CHECK targets - BPRM_CHECK will continue to check the same
      credentials that it did previously.
      
      After this patch, an IMA policy rule along the lines of:
      
      measure func=CREDS_CHECK subj_type=unconfined_t
      
      will trigger if a process is executed and runs as unconfined_t, ignoring
      the context of the parent process. This is in contrast to:
      
      measure func=BPRM_CHECK subj_type=unconfined_t
      
      which will trigger if the process that calls exec() is already executing
      in unconfined_t, ignoring the context that the child process executes
      into.
      Signed-off-by: NMatthew Garrett <mjg59@google.com>
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      
      Changelog:
      - initialize ima_creds_status
      d906c10d
  3. 29 1月, 2018 1 次提交
  4. 18 12月, 2017 1 次提交
    • M
      ima: support new "hash" and "dont_hash" policy actions · da1b0029
      Mimi Zohar 提交于
      The builtin ima_appraise_tcb policy, which is specified on the boot
      command line, can be replaced with a custom policy, normally early in
      the boot process.  Custom policies can be more restrictive in some ways,
      like requiring file signatures, but can be less restrictive in other
      ways, like not appraising mutable files.  With a less restrictive policy
      in place, files in the builtin policy might not be hashed and labeled
      with a security.ima hash.  On reboot, files which should be labeled in
      the ima_appraise_tcb are not labeled, possibly preventing the system
      from booting properly.
      
      To resolve this problem, this patch extends the existing IMA policy
      actions "measure", "dont_measure", "appraise", "dont_appraise", and
      "audit" with "hash" and "dont_hash".  The new "hash" action will write
      the file hash as security.ima, but without requiring the file to be
      appraised as well.
      
      For example, the builtin ima_appraise_tcb policy includes the rule,
      "appraise fowner=0".  Adding the "hash fowner=0" rule to a custom
      policy, will cause the needed file hashes to be calculated and written
      as security.ima xattrs.
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
      da1b0029
  5. 09 11月, 2017 1 次提交
    • M
      ima: always measure and audit files in policy · f3cc6b25
      Mimi Zohar 提交于
      All files matching a "measure" rule must be included in the IMA
      measurement list, even when the file hash cannot be calculated.
      Similarly, all files matching an "audit" rule must be audited, even when
      the file hash can not be calculated.
      
      The file data hash field contained in the IMA measurement list template
      data will contain 0's instead of the actual file hash digest.
      
      Note:
      In general, adding, deleting or in anyway changing which files are
      included in the IMA measurement list is not a good idea, as it might
      result in not being able to unseal trusted keys sealed to a specific
      TPM PCR value.  This patch not only adds file measurements that were
      not previously measured, but specifies that the file hash value for
      these files will be 0's.
      
      As the IMA measurement list ordering is not consistent from one boot
      to the next, it is unlikely that anyone is sealing keys based on the
      IMA measurement list.  Remote attestation servers should be able to
      process these new measurement records, but might complain about
      these unknown records.
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      Reviewed-by: NDmitry Kasatkin <dmitry.kasatkin@huawei.com>
      f3cc6b25
  6. 28 1月, 2017 2 次提交
  7. 30 6月, 2016 3 次提交
  8. 28 3月, 2016 1 次提交
  9. 21 2月, 2016 1 次提交
  10. 19 2月, 2016 2 次提交
  11. 22 5月, 2015 2 次提交
    • R
      ima: pass iint to ima_add_violation() · 8d94eb9b
      Roberto Sassu 提交于
      This patch adds the iint associated to the current inode as a new
      parameter of ima_add_violation(). The passed iint is always not NULL
      if a violation is detected. This modification will be used to determine
      the inode for which there is a violation.
      
      Since the 'd' and 'd-ng' template field init() functions were detecting
      a violation from the value of the iint pointer, they now check the new
      field 'violation', added to the 'ima_event_data' structure.
      
      Changelog:
       - v1:
         - modified an old comment (Roberto Sassu)
      Signed-off-by: NRoberto Sassu <rsassu@suse.de>
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      8d94eb9b
    • R
      ima: wrap event related data to the new ima_event_data structure · 23b57419
      Roberto Sassu 提交于
      All event related data has been wrapped into the new 'ima_event_data'
      structure. The main benefit of this patch is that a new information
      can be made available to template fields initialization functions
      by simply adding a new field to the new structure instead of modifying
      the definition of those functions.
      
      Changelog:
       - v2:
         - f_dentry replaced with f_path.dentry (Roberto Sassu)
         - removed declaration of temporary variables in template field functions
           when possible (suggested by Dmitry Kasatkin)
      Signed-off-by: NRoberto Sassu <rsassu@suse.de>
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      23b57419
  12. 20 11月, 2014 1 次提交
  13. 18 11月, 2014 1 次提交
    • D
      ima: load x509 certificate from the kernel · fd5f4e90
      Dmitry Kasatkin 提交于
      Define configuration option to load X509 certificate into the
      IMA trusted kernel keyring. It implements ima_load_x509() hook
      to load X509 certificate into the .ima trusted kernel keyring
      from the root filesystem.
      
      Changes in v3:
      * use ima_policy_flag in ima_get_action()
        ima_load_x509 temporarily clears ima_policy_flag to disable
        appraisal to load key. Use it to skip appraisal rules.
      * Key directory path changed to /etc/keys (Mimi)
      * Expand IMA_LOAD_X509 Kconfig help
      
      Changes in v2:
      * added '__init'
      * use ima_policy_flag to disable appraisal to load keys
      Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      fd5f4e90
  14. 08 10月, 2014 1 次提交
  15. 18 9月, 2014 1 次提交
    • R
      ima: detect violations for mmaped files · 1b68bdf9
      Roberto Sassu 提交于
      This patch fixes the detection of the 'open_writers' violation for mmaped
      files.
      
      before) an 'open_writers' violation is detected if the policy contains
              a rule with the criteria: func=FILE_CHECK mask=MAY_READ
      
      after) an 'open_writers' violation is detected if the current event
             matches one of the policy rules.
      
      With the old behaviour, the 'open_writers' violation is not detected
      in the following case:
      
      policy:
      measure func=FILE_MMAP mask=MAY_EXEC
      
      steps:
      1) open a shared library for writing
      2) execute a binary that links that shared library
      3) during the binary execution, modify the shared library and save
         the change
      
      result:
      the 'open_writers' violation measurement is not present in the IMA list.
      
      Only binaries executed are protected from writes. For libraries mapped
      in memory there is the flag MAP_DENYWRITE for this purpose, but according
      to the output of 'man mmap', the mmap flag is ignored.
      
      Since ima_rdwr_violation_check() is now called by process_measurement()
      the information about if the inode must be measured is already provided
      by ima_get_action(). Thus the unnecessary function ima_must_measure()
      has been removed.
      
      Changes in v3 (Dmitry Kasatkin):
      - Violation for MMAP_CHECK function are verified since this patch
      - Changed patch description a bit
      Signed-off-by: NRoberto Sassu <roberto.sassu@polito.it>
      Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      1b68bdf9
  16. 09 9月, 2014 1 次提交
    • D
      ima: remove usage of filename parameter · 17f4bad3
      Dmitry Kasatkin 提交于
      In all cases except ima_bprm_check() the filename was not defined
      and ima_d_path() was used to find the full path.  Unfortunately,
      the bprm filename is a relative pathname (eg. ./<dir>/filename).
      
      ima_bprm_check() selects between bprm->interp and bprm->filename.
      The following dump demonstrates the differences between using
      filename and interp.
      
      bprm->filename
       filename: ./foo.sh, pathname: /root/bin/foo.sh
       filename: ./foo.sh, pathname: /bin/dash
      
      bprm->interp
       filename: ./foo.sh, pathname: /root/bin/foo.sh
       filename: /bin/sh, pathname: /bin/dash
      
      In both cases the pathnames are currently the same.  This patch
      removes usage of filename and interp in favor of d_absolute_path.
      
      Changes v3:
      - 11 extra bytes for "deleted" not needed (Mimi)
      - purpose "replace relative bprm filename with full pathname" (Mimi)
      
      Changes v2:
      - use d_absolute_path() instead of d_path to work in chroot environments.
      Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      17f4bad3
  17. 04 6月, 2014 1 次提交
    • M
      ima: audit log files opened with O_DIRECT flag · f9b2a735
      Mimi Zohar 提交于
      Files are measured or appraised based on the IMA policy.  When a
      file, in policy, is opened with the O_DIRECT flag, a deadlock
      occurs.
      
      The first attempt at resolving this lockdep temporarily removed the
      O_DIRECT flag and restored it, after calculating the hash.  The
      second attempt introduced the O_DIRECT_HAVELOCK flag. Based on this
      flag, do_blockdev_direct_IO() would skip taking the i_mutex a second
      time.  The third attempt, by Dmitry Kasatkin, resolves the i_mutex
      locking issue, by re-introducing the IMA mutex, but uncovered
      another problem.  Reading a file with O_DIRECT flag set, writes
      directly to userspace pages.  A second patch allocates a user-space
      like memory.  This works for all IMA hooks, except ima_file_free(),
      which is called on __fput() to recalculate the file hash.
      
      Until this last issue is addressed, do not 'collect' the
      measurement for measuring, appraising, or auditing files opened
      with the O_DIRECT flag set.  Based on policy, permit or deny file
      access.  This patch defines a new IMA policy rule option named
      'permit_directio'.  Policy rules could be defined, based on LSM
      or other criteria, to permit specific applications to open files
      with the O_DIRECT flag set.
      
      Changelog v1:
      - permit or deny file access based IMA policy rules
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      Acked-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
      Cc: <stable@vger.kernel.org>
      f9b2a735
  18. 08 3月, 2014 3 次提交
  19. 05 3月, 2014 1 次提交
  20. 03 12月, 2013 1 次提交
    • R
      ima: properly free ima_template_entry structures · a7ed7c60
      Roberto Sassu 提交于
      The new templates management mechanism records information associated
      to an event into an array of 'ima_field_data' structures and makes it
      available through the 'template_data' field of the 'ima_template_entry'
      structure (the element of the measurements list created by IMA).
      
      Since 'ima_field_data' contains dynamically allocated data (which length
      varies depending on the data associated to a selected template field),
      it is not enough to just free the memory reserved for a
      'ima_template_entry' structure if something goes wrong.
      
      This patch creates the new function ima_free_template_entry() which
      walks the array of 'ima_field_data' structures, frees the memory
      referenced by the 'data' pointer and finally the space reserved for
      the 'ima_template_entry' structure. Further, it replaces existing kfree()
      that have a pointer to an 'ima_template_entry' structure as argument
      with calls to the new function.
      
      Fixes: a71dc65d: ima: switch to new template management mechanism
      Signed-off-by: NRoberto Sassu <roberto.sassu@polito.it>
      Signed-off-by: NMimi Zohar <zohar@us.ibm.com>
      a7ed7c60
  21. 25 11月, 2013 1 次提交
  22. 01 11月, 2013 1 次提交
    • M
      ima: extend the measurement list to include the file signature · bcbc9b0c
      Mimi Zohar 提交于
      This patch defines a new template called 'ima-sig', which includes
      the file signature in the template data, in addition to the file's
      digest and pathname.
      
      A template is composed of a set of fields.  Associated with each
      field is an initialization and display function.  This patch defines
      a new template field called 'sig', the initialization function
      ima_eventsig_init(), and the display function ima_show_template_sig().
      
      This patch modifies the .field_init() function definition to include
      the 'security.ima' extended attribute and length.
      
      Changelog:
      - remove unused code (Dmitry Kasatkin)
      - avoid calling ima_write_template_field_data() unnecesarily (Roberto Sassu)
      - rename DATA_FMT_SIG to DATA_FMT_HEX
      - cleanup ima_eventsig_init() based on Roberto's comments
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
      Signed-off-by: NRoberto Sassu <roberto.sassu@polito.it>
      bcbc9b0c
  23. 27 10月, 2013 1 次提交
  24. 26 10月, 2013 9 次提交
    • R
      ima: switch to new template management mechanism · a71dc65d
      Roberto Sassu 提交于
      This patch performs the switch to the new template mechanism by modifying
      the functions ima_alloc_init_template(), ima_measurements_show() and
      ima_ascii_measurements_show(). The old function ima_template_show() was
      removed as it is no longer needed. Also, if the template descriptor used
      to generate a measurement entry is not 'ima', the whole length of field
      data stored for an entry is provided before the data itself through the
      binary_runtime_measurement interface.
      
      Changelog:
      - unnecessary to use strncmp() (Mimi Zohar)
      - create new variable 'field' in ima_alloc_init_template() (Roberto Sassu)
      - use GFP_NOFS flag in ima_alloc_init_template() (Roberto Sassu)
      - new variable 'num_fields' in ima_store_template() (Roberto Sassu,
        proposed by Mimi Zohar)
      - rename ima_calc_buffer_hash/template_hash() to ima_calc_field_array_hash(),
        something more generic (Mimi, requested by Dmitry)
      - sparse error fix - Fengguang Wu
      - fix lindent warnings
      - always include the field length in the template data length
      - include the template field length variable size in the template data length
      - include both the template field data and field length in the template digest
        calculation. Simplifies verifying the template digest. (Mimi)
      Signed-off-by: NRoberto Sassu <roberto.sassu@polito.it>
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      a71dc65d
    • R
      ima: define new function ima_alloc_init_template() to API · 7bc5f447
      Roberto Sassu 提交于
      Instead of allocating and initializing the template entry from multiple
      places (eg. boot aggregate, violation, and regular measurements), this
      patch defines a new function called ima_alloc_init_template().  The new
      function allocates and initializes the measurement entry with the inode
      digest and the filename.
      
      In respect to the current behavior, it truncates the file name passed
      in the 'filename' argument if the latter's size is greater than 255 bytes
      and the passed file descriptor is NULL.
      
      Changelog:
      - initialize 'hash' variable for non TPM case - Mimi
      - conform to expectation for 'iint' to be defined as a pointer. - Mimi
      - add missing 'file' dependency for recalculating file hash. - Mimi
      Signed-off-by: NRoberto Sassu <roberto.sassu@polito.it>
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      7bc5f447
    • R
      ima: pass the filename argument up to ima_add_template_entry() · 9803d413
      Roberto Sassu 提交于
      Pass the filename argument to ima_add_template_entry() in order to
      eliminate a dependency on template specific data (third argument of
      integrity_audit_msg).
      
      This change is required because, with the new template management
      mechanism, the generation of a new measurement entry will be performed
      by new specific functions (introduced in next patches) and the current IMA
      code will not be aware anymore of how data is stored in the entry payload.
      Signed-off-by: NRoberto Sassu <roberto.sassu@polito.it>
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      9803d413
    • R
      ima: pass the file descriptor to ima_add_violation() · 7d802a22
      Roberto Sassu 提交于
      Pass the file descriptor instead of the inode to ima_add_violation(),
      to make the latter consistent with ima_store_measurement() in
      preparation for the new template architecture.
      Signed-off-by: NRoberto Sassu <roberto.sassu@polito.it>
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      7d802a22
    • D
      ima: support arbitrary hash algorithms in ima_calc_buffer_hash · ea593993
      Dmitry Kasatkin 提交于
      ima_calc_buffer_hash will be used with different hash algorithms.
      This patch provides support for arbitrary hash algorithms in
      ima_calc_buffer_hash.
      Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      ea593993
    • M
      ima: differentiate between template hash and file data hash sizes · 140d8022
      Mimi Zohar 提交于
      The TPM v1.2 limits the template hash size to 20 bytes.  This
      patch differentiates between the template hash size, as defined
      in the ima_template_entry, and the file data hash size, as
      defined in the ima_template_data.  Subsequent patches add support
      for different file data hash algorithms.
      
      Change log:
      - hash digest definition in ima_store_template() should be TPM_DIGEST_SIZE
      Signed-off-by: NMimi Zohar <zohar@us.ibm.com>
      140d8022
    • D
      ima: use dynamically allocated hash storage · a35c3fb6
      Dmitry Kasatkin 提交于
      For each inode in the IMA policy, an iint is allocated.  To support
      larger hash digests, the iint digest size changed from 20 bytes to
      the maximum supported hash digest size.  Instead of allocating the
      maximum size, which most likely is not needed, this patch dynamically
      allocates the needed hash storage.
      
      Changelog:
      - fix krealloc bug
      Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      a35c3fb6
    • D
      ima: read and use signature hash algorithm · d3634d0f
      Dmitry Kasatkin 提交于
      All files on the filesystem, currently, are hashed using the same hash
      algorithm.  In preparation for files from different packages being
      signed using different hash algorithms, this patch adds support for
      reading the signature hash algorithm from the 'security.ima' extended
      attribute and calculates the appropriate file data hash based on it.
      
      Changelog:
      - fix scripts Lindent and checkpatch msgs - Mimi
      - fix md5 support for older version, which occupied 20 bytes in the
        xattr, not the expected 16 bytes.  Fix the comparison to compare
        only the first 16 bytes.
      Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      d3634d0f
    • D
      ima: provide support for arbitrary hash algorithms · c7c8bb23
      Dmitry Kasatkin 提交于
      In preparation of supporting more hash algorithms with larger hash sizes
      needed for signature verification, this patch replaces the 20 byte sized
      digest, with a more flexible structure.  The new structure includes the
      hash algorithm, digest size, and digest.
      
      Changelog:
      - recalculate filedata hash for the measurement list, if the signature
        hash digest size is greater than 20 bytes.
      - use generic HASH_ALGO_
      - make ima_calc_file_hash static
      - scripts lindent and checkpatch fixes
      Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      c7c8bb23
  25. 23 2月, 2013 1 次提交