Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

+20 -11

Documentation/security/keys-trusted-encrypted.txt

··· 27 27 keyctl print keyid 28 28 29 29 options: 30 - keyhandle= ascii hex value of sealing key default 0x40000000 (SRK) 31 - keyauth= ascii hex auth for sealing key default 0x00...i 32 - (40 ascii zeros) 33 - blobauth= ascii hex auth for sealed data default 0x00... 34 - (40 ascii zeros) 35 - blobauth= ascii hex auth for sealed data default 0x00... 36 - (40 ascii zeros) 37 - pcrinfo= ascii hex of PCR_INFO or PCR_INFO_LONG (no default) 38 - pcrlock= pcr number to be extended to "lock" blob 39 - migratable= 0|1 indicating permission to reseal to new PCR values, 40 - default 1 (resealing allowed) 30 + keyhandle= ascii hex value of sealing key default 0x40000000 (SRK) 31 + keyauth= ascii hex auth for sealing key default 0x00...i 32 + (40 ascii zeros) 33 + blobauth= ascii hex auth for sealed data default 0x00... 34 + (40 ascii zeros) 35 + blobauth= ascii hex auth for sealed data default 0x00... 36 + (40 ascii zeros) 37 + pcrinfo= ascii hex of PCR_INFO or PCR_INFO_LONG (no default) 38 + pcrlock= pcr number to be extended to "lock" blob 39 + migratable= 0|1 indicating permission to reseal to new PCR values, 40 + default 1 (resealing allowed) 41 + hash= hash algorithm name as a string. For TPM 1.x the only 42 + allowed value is sha1. For TPM 2.x the allowed values 43 + are sha1, sha256, sha384, sha512 and sm3-256. 44 + policydigest= digest for the authorization policy. must be calculated 45 + with the same hash algorithm as specified by the 'hash=' 46 + option. 47 + policyhandle= handle to an authorization policy session that defines the 48 + same policy and with the same hash algorithm as was used to 49 + seal the key. 41 50 42 51 "keyctl print" returns an ascii hex copy of the sealed key, which is in standard 43 52 TPM_STORED_DATA format. The key length for new keys are always in bytes.

+2

crypto/asymmetric_keys/x509_public_key.c

··· 321 321 goto error_free_cert; 322 322 } else if (!prep->trusted) { 323 323 ret = x509_validate_trust(cert, get_system_trusted_keyring()); 324 + if (ret) 325 + ret = x509_validate_trust(cert, get_ima_mok_keyring()); 324 326 if (!ret) 325 327 prep->trusted = 1; 326 328 }

+2

crypto/hash_info.c

··· 31 31 [HASH_ALGO_TGR_128] = "tgr128", 32 32 [HASH_ALGO_TGR_160] = "tgr160", 33 33 [HASH_ALGO_TGR_192] = "tgr192", 34 + [HASH_ALGO_SM3_256] = "sm3-256", 34 35 }; 35 36 EXPORT_SYMBOL_GPL(hash_algo_name); 36 37 ··· 53 52 [HASH_ALGO_TGR_128] = TGR128_DIGEST_SIZE, 54 53 [HASH_ALGO_TGR_160] = TGR160_DIGEST_SIZE, 55 54 [HASH_ALGO_TGR_192] = TGR192_DIGEST_SIZE, 55 + [HASH_ALGO_SM3_256] = SM3256_DIGEST_SIZE, 56 56 }; 57 57 EXPORT_SYMBOL_GPL(hash_digest_size);

+20 -3

drivers/char/tpm/tpm-interface.c

··· 310 310 { 311 311 int duration_idx = TPM_UNDEFINED; 312 312 int duration = 0; 313 - u8 category = (ordinal >> 24) & 0xFF; 314 313 315 - if ((category == TPM_PROTECTED_COMMAND && ordinal < TPM_MAX_ORDINAL) || 316 - (category == TPM_CONNECTION_COMMAND && ordinal < TSC_MAX_ORDINAL)) 314 + /* 315 + * We only have a duration table for protected commands, where the upper 316 + * 16 bits are 0. For the few other ordinals the fallback will be used. 317 + */ 318 + if (ordinal < TPM_MAX_ORDINAL) 317 319 duration_idx = tpm_ordinal_duration[ordinal]; 318 320 319 321 if (duration_idx != TPM_UNDEFINED) ··· 502 500 unsigned long old_timeout[4]; 503 501 struct duration_t *duration_cap; 504 502 ssize_t rc; 503 + 504 + if (chip->flags & TPM_CHIP_FLAG_TPM2) { 505 + /* Fixed timeouts for TPM2 */ 506 + chip->vendor.timeout_a = msecs_to_jiffies(TPM2_TIMEOUT_A); 507 + chip->vendor.timeout_b = msecs_to_jiffies(TPM2_TIMEOUT_B); 508 + chip->vendor.timeout_c = msecs_to_jiffies(TPM2_TIMEOUT_C); 509 + chip->vendor.timeout_d = msecs_to_jiffies(TPM2_TIMEOUT_D); 510 + chip->vendor.duration[TPM_SHORT] = 511 + msecs_to_jiffies(TPM2_DURATION_SHORT); 512 + chip->vendor.duration[TPM_MEDIUM] = 513 + msecs_to_jiffies(TPM2_DURATION_MEDIUM); 514 + chip->vendor.duration[TPM_LONG] = 515 + msecs_to_jiffies(TPM2_DURATION_LONG); 516 + return 0; 517 + } 505 518 506 519 tpm_cmd.header.in = tpm_getcap_header; 507 520 tpm_cmd.params.getcap_in.cap = TPM_CAP_PROP;

+7 -4

drivers/char/tpm/tpm.h

··· 83 83 }; 84 84 85 85 enum tpm2_return_codes { 86 - TPM2_RC_INITIALIZE = 0x0100, 87 - TPM2_RC_TESTING = 0x090A, 86 + TPM2_RC_HASH = 0x0083, /* RC_FMT1 */ 87 + TPM2_RC_INITIALIZE = 0x0100, /* RC_VER1 */ 88 88 TPM2_RC_DISABLED = 0x0120, 89 + TPM2_RC_TESTING = 0x090A, /* RC_WARN */ 89 90 }; 90 91 91 92 enum tpm2_algorithms { 92 93 TPM2_ALG_SHA1 = 0x0004, 93 94 TPM2_ALG_KEYEDHASH = 0x0008, 94 95 TPM2_ALG_SHA256 = 0x000B, 95 - TPM2_ALG_NULL = 0x0010 96 + TPM2_ALG_SHA384 = 0x000C, 97 + TPM2_ALG_SHA512 = 0x000D, 98 + TPM2_ALG_NULL = 0x0010, 99 + TPM2_ALG_SM3_256 = 0x0012, 96 100 }; 97 101 98 102 enum tpm2_command_codes { ··· 142 138 unsigned long base; /* TPM base address */ 143 139 144 140 int irq; 145 - int probed_irq; 146 141 147 142 int region_size; 148 143 int have_region;

+53 -7

drivers/char/tpm/tpm2-cmd.c

··· 16 16 */ 17 17 18 18 #include "tpm.h" 19 + #include <crypto/hash_info.h> 19 20 #include <keys/trusted-type.h> 20 21 21 22 enum tpm2_object_attributes { ··· 104 103 tpm_cmd_header header; 105 104 union tpm2_cmd_params params; 106 105 } __packed; 106 + 107 + struct tpm2_hash { 108 + unsigned int crypto_id; 109 + unsigned int tpm_id; 110 + }; 111 + 112 + static struct tpm2_hash tpm2_hash_map[] = { 113 + {HASH_ALGO_SHA1, TPM2_ALG_SHA1}, 114 + {HASH_ALGO_SHA256, TPM2_ALG_SHA256}, 115 + {HASH_ALGO_SHA384, TPM2_ALG_SHA384}, 116 + {HASH_ALGO_SHA512, TPM2_ALG_SHA512}, 117 + {HASH_ALGO_SM3_256, TPM2_ALG_SM3_256}, 118 + }; 107 119 108 120 /* 109 121 * Array with one entry per ordinal defining the maximum amount ··· 443 429 { 444 430 unsigned int blob_len; 445 431 struct tpm_buf buf; 432 + u32 hash; 433 + int i; 446 434 int rc; 435 + 436 + for (i = 0; i < ARRAY_SIZE(tpm2_hash_map); i++) { 437 + if (options->hash == tpm2_hash_map[i].crypto_id) { 438 + hash = tpm2_hash_map[i].tpm_id; 439 + break; 440 + } 441 + } 442 + 443 + if (i == ARRAY_SIZE(tpm2_hash_map)) 444 + return -EINVAL; 447 445 448 446 rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_CREATE); 449 447 if (rc) ··· 478 452 tpm_buf_append_u8(&buf, payload->migratable); 479 453 480 454 /* public */ 481 - tpm_buf_append_u16(&buf, 14); 455 + if (options->policydigest) 456 + tpm_buf_append_u16(&buf, 14 + options->digest_len); 457 + else 458 + tpm_buf_append_u16(&buf, 14); 482 459 483 460 tpm_buf_append_u16(&buf, TPM2_ALG_KEYEDHASH); 484 - tpm_buf_append_u16(&buf, TPM2_ALG_SHA256); 485 - tpm_buf_append_u32(&buf, TPM2_ATTR_USER_WITH_AUTH); 486 - tpm_buf_append_u16(&buf, 0); /* policy digest size */ 461 + tpm_buf_append_u16(&buf, hash); 462 + 463 + /* policy */ 464 + if (options->policydigest) { 465 + tpm_buf_append_u32(&buf, 0); 466 + tpm_buf_append_u16(&buf, options->digest_len); 467 + tpm_buf_append(&buf, options->policydigest, 468 + options->digest_len); 469 + } else { 470 + tpm_buf_append_u32(&buf, TPM2_ATTR_USER_WITH_AUTH); 471 + tpm_buf_append_u16(&buf, 0); 472 + } 473 + 474 + /* public parameters */ 487 475 tpm_buf_append_u16(&buf, TPM2_ALG_NULL); 488 476 tpm_buf_append_u16(&buf, 0); 489 477 ··· 528 488 out: 529 489 tpm_buf_destroy(&buf); 530 490 531 - if (rc > 0) 532 - rc = -EPERM; 491 + if (rc > 0) { 492 + if ((rc & TPM2_RC_HASH) == TPM2_RC_HASH) 493 + rc = -EINVAL; 494 + else 495 + rc = -EPERM; 496 + } 533 497 534 498 return rc; 535 499 } ··· 627 583 return rc; 628 584 629 585 tpm_buf_append_u32(&buf, blob_handle); 630 - tpm2_buf_append_auth(&buf, TPM2_RS_PW, 586 + tpm2_buf_append_auth(&buf, 587 + options->policyhandle ? 588 + options->policyhandle : TPM2_RS_PW, 631 589 NULL /* nonce */, 0, 632 590 0 /* session_attributes */, 633 591 options->blobauth /* hmac */,

+3 -11

drivers/char/tpm/tpm_crb.c

··· 284 284 285 285 chip->vendor.priv = priv; 286 286 287 - /* Default timeouts and durations */ 288 - chip->vendor.timeout_a = msecs_to_jiffies(TPM2_TIMEOUT_A); 289 - chip->vendor.timeout_b = msecs_to_jiffies(TPM2_TIMEOUT_B); 290 - chip->vendor.timeout_c = msecs_to_jiffies(TPM2_TIMEOUT_C); 291 - chip->vendor.timeout_d = msecs_to_jiffies(TPM2_TIMEOUT_D); 292 - chip->vendor.duration[TPM_SHORT] = 293 - msecs_to_jiffies(TPM2_DURATION_SHORT); 294 - chip->vendor.duration[TPM_MEDIUM] = 295 - msecs_to_jiffies(TPM2_DURATION_MEDIUM); 296 - chip->vendor.duration[TPM_LONG] = 297 - msecs_to_jiffies(TPM2_DURATION_LONG); 287 + rc = tpm_get_timeouts(chip); 288 + if (rc) 289 + return rc; 298 290 299 291 chip->acpi_dev_handle = device->handle; 300 292

+20 -2

drivers/char/tpm/tpm_ibmvtpm.c

··· 90 90 return 0; 91 91 } 92 92 93 - sig = wait_event_interruptible(ibmvtpm->wq, ibmvtpm->res_len != 0); 93 + sig = wait_event_interruptible(ibmvtpm->wq, !ibmvtpm->tpm_processing_cmd); 94 94 if (sig) 95 95 return -EINTR; 96 96 ··· 125 125 struct ibmvtpm_dev *ibmvtpm; 126 126 struct ibmvtpm_crq crq; 127 127 __be64 *word = (__be64 *)&crq; 128 - int rc; 128 + int rc, sig; 129 129 130 130 ibmvtpm = (struct ibmvtpm_dev *)TPM_VPRIV(chip); 131 131 ··· 141 141 return -EIO; 142 142 } 143 143 144 + if (ibmvtpm->tpm_processing_cmd) { 145 + dev_info(ibmvtpm->dev, 146 + "Need to wait for TPM to finish\n"); 147 + /* wait for previous command to finish */ 148 + sig = wait_event_interruptible(ibmvtpm->wq, !ibmvtpm->tpm_processing_cmd); 149 + if (sig) 150 + return -EINTR; 151 + } 152 + 144 153 spin_lock(&ibmvtpm->rtce_lock); 154 + ibmvtpm->res_len = 0; 145 155 memcpy((void *)ibmvtpm->rtce_buf, (void *)buf, count); 146 156 crq.valid = (u8)IBMVTPM_VALID_CMD; 147 157 crq.msg = (u8)VTPM_TPM_COMMAND; 148 158 crq.len = cpu_to_be16(count); 149 159 crq.data = cpu_to_be32(ibmvtpm->rtce_dma_handle); 150 160 161 + /* 162 + * set the processing flag before the Hcall, since we may get the 163 + * result (interrupt) before even being able to check rc. 164 + */ 165 + ibmvtpm->tpm_processing_cmd = true; 166 + 151 167 rc = ibmvtpm_send_crq(ibmvtpm->vdev, be64_to_cpu(word[0]), 152 168 be64_to_cpu(word[1])); 153 169 if (rc != H_SUCCESS) { 154 170 dev_err(ibmvtpm->dev, "tpm_ibmvtpm_send failed rc=%d\n", rc); 155 171 rc = 0; 172 + ibmvtpm->tpm_processing_cmd = false; 156 173 } else 157 174 rc = count; 158 175 ··· 532 515 case VTPM_TPM_COMMAND_RES: 533 516 /* len of the data in rtce buffer */ 534 517 ibmvtpm->res_len = be16_to_cpu(crq->len); 518 + ibmvtpm->tpm_processing_cmd = false; 535 519 wake_up_interruptible(&ibmvtpm->wq); 536 520 return; 537 521 default:

+1

drivers/char/tpm/tpm_ibmvtpm.h

··· 45 45 wait_queue_head_t wq; 46 46 u16 res_len; 47 47 u32 vtpm_version; 48 + bool tpm_processing_cmd; 48 49 }; 49 50 50 51 #define CRQ_RES_BUF_SIZE PAGE_SIZE

+109 -147

drivers/char/tpm/tpm_tis.c

··· 401 401 iowrite32(intmask, 402 402 chip->vendor.iobase + 403 403 TPM_INT_ENABLE(chip->vendor.locality)); 404 - free_irq(chip->vendor.irq, chip); 404 + devm_free_irq(chip->pdev, chip->vendor.irq, chip); 405 405 chip->vendor.irq = 0; 406 406 } 407 407 ··· 461 461 chip->vendor.irq = irq; 462 462 if (!priv->irq_tested) 463 463 msleep(1); 464 - if (!priv->irq_tested) { 464 + if (!priv->irq_tested) 465 465 disable_interrupts(chip); 466 - dev_err(chip->pdev, 467 - FW_BUG "TPM interrupt not working, polling instead\n"); 468 - } 469 466 priv->irq_tested = true; 470 467 return rc; 471 468 } ··· 567 570 .req_canceled = tpm_tis_req_canceled, 568 571 }; 569 572 570 - static irqreturn_t tis_int_probe(int irq, void *dev_id) 571 - { 572 - struct tpm_chip *chip = dev_id; 573 - u32 interrupt; 574 - 575 - interrupt = ioread32(chip->vendor.iobase + 576 - TPM_INT_STATUS(chip->vendor.locality)); 577 - 578 - if (interrupt == 0) 579 - return IRQ_NONE; 580 - 581 - chip->vendor.probed_irq = irq; 582 - 583 - /* Clear interrupts handled with TPM_EOI */ 584 - iowrite32(interrupt, 585 - chip->vendor.iobase + 586 - TPM_INT_STATUS(chip->vendor.locality)); 587 - return IRQ_HANDLED; 588 - } 589 - 590 573 static irqreturn_t tis_int_handler(int dummy, void *dev_id) 591 574 { 592 575 struct tpm_chip *chip = dev_id; ··· 599 622 return IRQ_HANDLED; 600 623 } 601 624 625 + /* Register the IRQ and issue a command that will cause an interrupt. If an 626 + * irq is seen then leave the chip setup for IRQ operation, otherwise reverse 627 + * everything and leave in polling mode. Returns 0 on success. 628 + */ 629 + static int tpm_tis_probe_irq_single(struct tpm_chip *chip, u32 intmask, 630 + int flags, int irq) 631 + { 632 + struct priv_data *priv = chip->vendor.priv; 633 + u8 original_int_vec; 634 + 635 + if (devm_request_irq(chip->pdev, irq, tis_int_handler, flags, 636 + chip->devname, chip) != 0) { 637 + dev_info(chip->pdev, "Unable to request irq: %d for probe\n", 638 + irq); 639 + return -1; 640 + } 641 + chip->vendor.irq = irq; 642 + 643 + original_int_vec = ioread8(chip->vendor.iobase + 644 + TPM_INT_VECTOR(chip->vendor.locality)); 645 + iowrite8(irq, 646 + chip->vendor.iobase + TPM_INT_VECTOR(chip->vendor.locality)); 647 + 648 + /* Clear all existing */ 649 + iowrite32(ioread32(chip->vendor.iobase + 650 + TPM_INT_STATUS(chip->vendor.locality)), 651 + chip->vendor.iobase + TPM_INT_STATUS(chip->vendor.locality)); 652 + 653 + /* Turn on */ 654 + iowrite32(intmask | TPM_GLOBAL_INT_ENABLE, 655 + chip->vendor.iobase + TPM_INT_ENABLE(chip->vendor.locality)); 656 + 657 + priv->irq_tested = false; 658 + 659 + /* Generate an interrupt by having the core call through to 660 + * tpm_tis_send 661 + */ 662 + if (chip->flags & TPM_CHIP_FLAG_TPM2) 663 + tpm2_gen_interrupt(chip); 664 + else 665 + tpm_gen_interrupt(chip); 666 + 667 + /* tpm_tis_send will either confirm the interrupt is working or it 668 + * will call disable_irq which undoes all of the above. 669 + */ 670 + if (!chip->vendor.irq) { 671 + iowrite8(original_int_vec, 672 + chip->vendor.iobase + 673 + TPM_INT_VECTOR(chip->vendor.locality)); 674 + return 1; 675 + } 676 + 677 + return 0; 678 + } 679 + 680 + /* Try to find the IRQ the TPM is using. This is for legacy x86 systems that 681 + * do not have ACPI/etc. We typically expect the interrupt to be declared if 682 + * present. 683 + */ 684 + static void tpm_tis_probe_irq(struct tpm_chip *chip, u32 intmask) 685 + { 686 + u8 original_int_vec; 687 + int i; 688 + 689 + original_int_vec = ioread8(chip->vendor.iobase + 690 + TPM_INT_VECTOR(chip->vendor.locality)); 691 + 692 + if (!original_int_vec) { 693 + if (IS_ENABLED(CONFIG_X86)) 694 + for (i = 3; i <= 15; i++) 695 + if (!tpm_tis_probe_irq_single(chip, intmask, 0, 696 + i)) 697 + return; 698 + } else if (!tpm_tis_probe_irq_single(chip, intmask, 0, 699 + original_int_vec)) 700 + return; 701 + } 702 + 602 703 static bool interrupts = true; 603 704 module_param(interrupts, bool, 0444); 604 705 MODULE_PARM_DESC(interrupts, "Enable interrupts"); ··· 699 644 acpi_handle acpi_dev_handle) 700 645 { 701 646 u32 vendor, intfcaps, intmask; 702 - int rc, i, irq_s, irq_e, probe; 703 - int irq_r = -1; 647 + int rc, probe; 704 648 struct tpm_chip *chip; 705 649 struct priv_data *priv; 706 650 ··· 730 676 rc = -ENODEV; 731 677 goto out_err; 732 678 } 679 + 680 + /* Take control of the TPM's interrupt hardware and shut it off */ 681 + intmask = ioread32(chip->vendor.iobase + 682 + TPM_INT_ENABLE(chip->vendor.locality)); 683 + intmask |= TPM_INTF_CMD_READY_INT | TPM_INTF_LOCALITY_CHANGE_INT | 684 + TPM_INTF_DATA_AVAIL_INT | TPM_INTF_STS_VALID_INT; 685 + intmask &= ~TPM_GLOBAL_INT_ENABLE; 686 + iowrite32(intmask, 687 + chip->vendor.iobase + TPM_INT_ENABLE(chip->vendor.locality)); 733 688 734 689 if (request_locality(chip, 0) != 0) { 735 690 rc = -ENODEV; ··· 794 731 if (intfcaps & TPM_INTF_DATA_AVAIL_INT) 795 732 dev_dbg(dev, "\tData Avail Int Support\n"); 796 733 734 + /* Very early on issue a command to the TPM in polling mode to make 735 + * sure it works. May as well use that command to set the proper 736 + * timeouts for the driver. 737 + */ 738 + if (tpm_get_timeouts(chip)) { 739 + dev_err(dev, "Could not get TPM timeouts and durations\n"); 740 + rc = -ENODEV; 741 + goto out_err; 742 + } 743 + 797 744 /* INTERRUPT Setup */ 798 745 init_waitqueue_head(&chip->vendor.read_queue); 799 746 init_waitqueue_head(&chip->vendor.int_queue); 800 - 801 - intmask = 802 - ioread32(chip->vendor.iobase + 803 - TPM_INT_ENABLE(chip->vendor.locality)); 804 - 805 - intmask |= TPM_INTF_CMD_READY_INT 806 - | TPM_INTF_LOCALITY_CHANGE_INT | TPM_INTF_DATA_AVAIL_INT 807 - | TPM_INTF_STS_VALID_INT; 808 - 809 - iowrite32(intmask, 810 - chip->vendor.iobase + 811 - TPM_INT_ENABLE(chip->vendor.locality)); 812 - if (interrupts) 813 - chip->vendor.irq = tpm_info->irq; 814 - if (interrupts && !chip->vendor.irq) { 815 - irq_s = 816 - ioread8(chip->vendor.iobase + 817 - TPM_INT_VECTOR(chip->vendor.locality)); 818 - irq_r = irq_s; 819 - if (irq_s) { 820 - irq_e = irq_s; 821 - } else { 822 - irq_s = 3; 823 - irq_e = 15; 824 - } 825 - 826 - for (i = irq_s; i <= irq_e && chip->vendor.irq == 0; i++) { 827 - iowrite8(i, chip->vendor.iobase + 828 - TPM_INT_VECTOR(chip->vendor.locality)); 829 - if (devm_request_irq 830 - (dev, i, tis_int_probe, IRQF_SHARED, 831 - chip->devname, chip) != 0) { 832 - dev_info(chip->pdev, 833 - "Unable to request irq: %d for probe\n", 834 - i); 835 - continue; 836 - } 837 - 838 - /* Clear all existing */ 839 - iowrite32(ioread32 840 - (chip->vendor.iobase + 841 - TPM_INT_STATUS(chip->vendor.locality)), 842 - chip->vendor.iobase + 843 - TPM_INT_STATUS(chip->vendor.locality)); 844 - 845 - /* Turn on */ 846 - iowrite32(intmask | TPM_GLOBAL_INT_ENABLE, 847 - chip->vendor.iobase + 848 - TPM_INT_ENABLE(chip->vendor.locality)); 849 - 850 - chip->vendor.probed_irq = 0; 851 - 852 - /* Generate Interrupts */ 853 - if (chip->flags & TPM_CHIP_FLAG_TPM2) 854 - tpm2_gen_interrupt(chip); 855 - else 856 - tpm_gen_interrupt(chip); 857 - 858 - chip->vendor.irq = chip->vendor.probed_irq; 859 - 860 - /* free_irq will call into tis_int_probe; 861 - clear all irqs we haven't seen while doing 862 - tpm_gen_interrupt */ 863 - iowrite32(ioread32 864 - (chip->vendor.iobase + 865 - TPM_INT_STATUS(chip->vendor.locality)), 866 - chip->vendor.iobase + 867 - TPM_INT_STATUS(chip->vendor.locality)); 868 - 869 - /* Turn off */ 870 - iowrite32(intmask, 871 - chip->vendor.iobase + 872 - TPM_INT_ENABLE(chip->vendor.locality)); 873 - 874 - devm_free_irq(dev, i, chip); 875 - } 747 + if (interrupts) { 748 + if (tpm_info->irq) { 749 + tpm_tis_probe_irq_single(chip, intmask, IRQF_SHARED, 750 + tpm_info->irq); 751 + if (!chip->vendor.irq) 752 + dev_err(chip->pdev, FW_BUG 753 + "TPM interrupt not working, polling instead\n"); 754 + } else 755 + tpm_tis_probe_irq(chip, intmask); 876 756 } 877 - if (chip->vendor.irq) { 878 - iowrite8(chip->vendor.irq, 879 - chip->vendor.iobase + 880 - TPM_INT_VECTOR(chip->vendor.locality)); 881 - if (devm_request_irq 882 - (dev, chip->vendor.irq, tis_int_handler, IRQF_SHARED, 883 - chip->devname, chip) != 0) { 884 - dev_info(chip->pdev, 885 - "Unable to request irq: %d for use\n", 886 - chip->vendor.irq); 887 - chip->vendor.irq = 0; 888 - } else { 889 - /* Clear all existing */ 890 - iowrite32(ioread32 891 - (chip->vendor.iobase + 892 - TPM_INT_STATUS(chip->vendor.locality)), 893 - chip->vendor.iobase + 894 - TPM_INT_STATUS(chip->vendor.locality)); 895 - 896 - /* Turn on */ 897 - iowrite32(intmask | TPM_GLOBAL_INT_ENABLE, 898 - chip->vendor.iobase + 899 - TPM_INT_ENABLE(chip->vendor.locality)); 900 - } 901 - } else if (irq_r != -1) 902 - iowrite8(irq_r, chip->vendor.iobase + 903 - TPM_INT_VECTOR(chip->vendor.locality)); 904 757 905 758 if (chip->flags & TPM_CHIP_FLAG_TPM2) { 906 - chip->vendor.timeout_a = msecs_to_jiffies(TPM2_TIMEOUT_A); 907 - chip->vendor.timeout_b = msecs_to_jiffies(TPM2_TIMEOUT_B); 908 - chip->vendor.timeout_c = msecs_to_jiffies(TPM2_TIMEOUT_C); 909 - chip->vendor.timeout_d = msecs_to_jiffies(TPM2_TIMEOUT_D); 910 - chip->vendor.duration[TPM_SHORT] = 911 - msecs_to_jiffies(TPM2_DURATION_SHORT); 912 - chip->vendor.duration[TPM_MEDIUM] = 913 - msecs_to_jiffies(TPM2_DURATION_MEDIUM); 914 - chip->vendor.duration[TPM_LONG] = 915 - msecs_to_jiffies(TPM2_DURATION_LONG); 916 - 917 759 rc = tpm2_do_selftest(chip); 918 760 if (rc == TPM2_RC_INITIALIZE) { 919 761 dev_warn(dev, "Firmware has not started TPM\n"); ··· 834 866 goto out_err; 835 867 } 836 868 } else { 837 - if (tpm_get_timeouts(chip)) { 838 - dev_err(dev, "Could not get TPM timeouts and durations\n"); 839 - rc = -ENODEV; 840 - goto out_err; 841 - } 842 - 843 869 if (tpm_do_selftest(chip)) { 844 870 dev_err(dev, "TPM self test failed\n"); 845 871 rc = -ENODEV;

+2

fs/gfs2/glops.c

··· 13 13 #include <linux/gfs2_ondisk.h> 14 14 #include <linux/bio.h> 15 15 #include <linux/posix_acl.h> 16 + #include <linux/security.h> 16 17 17 18 #include "gfs2.h" 18 19 #include "incore.h" ··· 263 262 if (ip) { 264 263 set_bit(GIF_INVALID, &ip->i_flags); 265 264 forget_all_cached_acls(&ip->i_inode); 265 + security_inode_invalidate_secctx(&ip->i_inode); 266 266 gfs2_dir_hash_inval(ip); 267 267 } 268 268 }

+3

include/crypto/hash_info.h

··· 34 34 #define TGR160_DIGEST_SIZE 20 35 35 #define TGR192_DIGEST_SIZE 24 36 36 37 + /* not defined in include/crypto/ */ 38 + #define SM3256_DIGEST_SIZE 32 39 + 37 40 extern const char *const hash_algo_name[HASH_ALGO__LAST]; 38 41 extern const int hash_digest_size[HASH_ALGO__LAST]; 39 42

+24

include/keys/system_keyring.h

··· 35 35 enum key_being_used_for usage); 36 36 #endif 37 37 38 + #ifdef CONFIG_IMA_MOK_KEYRING 39 + extern struct key *ima_mok_keyring; 40 + extern struct key *ima_blacklist_keyring; 41 + 42 + static inline struct key *get_ima_mok_keyring(void) 43 + { 44 + return ima_mok_keyring; 45 + } 46 + static inline struct key *get_ima_blacklist_keyring(void) 47 + { 48 + return ima_blacklist_keyring; 49 + } 50 + #else 51 + static inline struct key *get_ima_mok_keyring(void) 52 + { 53 + return NULL; 54 + } 55 + static inline struct key *get_ima_blacklist_keyring(void) 56 + { 57 + return NULL; 58 + } 59 + #endif /* CONFIG_IMA_MOK_KEYRING */ 60 + 61 + 38 62 #endif /* _KEYS_SYSTEM_KEYRING_H */

+5

include/keys/trusted-type.h

··· 18 18 #define MAX_KEY_SIZE 128 19 19 #define MAX_BLOB_SIZE 512 20 20 #define MAX_PCRINFO_SIZE 64 21 + #define MAX_DIGEST_SIZE 64 21 22 22 23 struct trusted_key_payload { 23 24 struct rcu_head rcu; ··· 37 36 uint32_t pcrinfo_len; 38 37 unsigned char pcrinfo[MAX_PCRINFO_SIZE]; 39 38 int pcrlock; 39 + uint32_t hash; 40 + uint32_t digest_len; 41 + unsigned char policydigest[MAX_DIGEST_SIZE]; 42 + uint32_t policyhandle; 40 43 }; 41 44 42 45 extern struct key_type key_type_trusted;

+4 -4

include/linux/audit.h

··· 238 238 extern void __audit_inode(struct filename *name, const struct dentry *dentry, 239 239 unsigned int flags); 240 240 extern void __audit_file(const struct file *); 241 - extern void __audit_inode_child(const struct inode *parent, 241 + extern void __audit_inode_child(struct inode *parent, 242 242 const struct dentry *dentry, 243 243 const unsigned char type); 244 244 extern void __audit_seccomp(unsigned long syscall, long signr, int code); ··· 303 303 __audit_inode(name, dentry, 304 304 AUDIT_INODE_PARENT | AUDIT_INODE_HIDDEN); 305 305 } 306 - static inline void audit_inode_child(const struct inode *parent, 306 + static inline void audit_inode_child(struct inode *parent, 307 307 const struct dentry *dentry, 308 308 const unsigned char type) { 309 309 if (unlikely(!audit_dummy_context())) ··· 463 463 const struct dentry *dentry, 464 464 unsigned int flags) 465 465 { } 466 - static inline void __audit_inode_child(const struct inode *parent, 466 + static inline void __audit_inode_child(struct inode *parent, 467 467 const struct dentry *dentry, 468 468 const unsigned char type) 469 469 { } ··· 477 477 static inline void audit_inode_parent_hidden(struct filename *name, 478 478 const struct dentry *dentry) 479 479 { } 480 - static inline void audit_inode_child(const struct inode *parent, 480 + static inline void audit_inode_child(struct inode *parent, 481 481 const struct dentry *dentry, 482 482 const unsigned char type) 483 483 { }

+8 -14

include/linux/capability.h

··· 145 145 return dest; 146 146 } 147 147 148 - static inline int cap_isclear(const kernel_cap_t a) 148 + static inline bool cap_isclear(const kernel_cap_t a) 149 149 { 150 150 unsigned __capi; 151 151 CAP_FOR_EACH_U32(__capi) { 152 152 if (a.cap[__capi] != 0) 153 - return 0; 153 + return false; 154 154 } 155 - return 1; 155 + return true; 156 156 } 157 157 158 158 /* 159 159 * Check if "a" is a subset of "set". 160 - * return 1 if ALL of the capabilities in "a" are also in "set" 161 - * cap_issubset(0101, 1111) will return 1 162 - * return 0 if ANY of the capabilities in "a" are not in "set" 163 - * cap_issubset(1111, 0101) will return 0 160 + * return true if ALL of the capabilities in "a" are also in "set" 161 + * cap_issubset(0101, 1111) will return true 162 + * return false if ANY of the capabilities in "a" are not in "set" 163 + * cap_issubset(1111, 0101) will return false 164 164 */ 165 - static inline int cap_issubset(const kernel_cap_t a, const kernel_cap_t set) 165 + static inline bool cap_issubset(const kernel_cap_t a, const kernel_cap_t set) 166 166 { 167 167 kernel_cap_t dest; 168 168 dest = cap_drop(a, set); ··· 170 170 } 171 171 172 172 /* Used to decide between falling back on the old suser() or fsuser(). */ 173 - 174 - static inline int cap_is_fs_cap(int cap) 175 - { 176 - const kernel_cap_t __cap_fs_set = CAP_FS_SET; 177 - return !!(CAP_TO_MASK(cap) & __cap_fs_set.cap[CAP_TO_INDEX(cap)]); 178 - } 179 173 180 174 static inline kernel_cap_t cap_drop_fs_set(const kernel_cap_t a) 181 175 {

+7

include/linux/evm.h

··· 14 14 struct integrity_iint_cache; 15 15 16 16 #ifdef CONFIG_EVM 17 + extern int evm_set_key(void *key, size_t keylen); 17 18 extern enum integrity_status evm_verifyxattr(struct dentry *dentry, 18 19 const char *xattr_name, 19 20 void *xattr_value, ··· 43 42 } 44 43 #endif 45 44 #else 45 + 46 + static inline int evm_set_key(void *key, size_t keylen) 47 + { 48 + return -EOPNOTSUPP; 49 + } 50 + 46 51 #ifdef CONFIG_INTEGRITY 47 52 static inline enum integrity_status evm_verifyxattr(struct dentry *dentry, 48 53 const char *xattr_name,

+1

include/linux/key.h

··· 177 177 #define KEY_FLAG_TRUSTED_ONLY 9 /* set if keyring only accepts links to trusted keys */ 178 178 #define KEY_FLAG_BUILTIN 10 /* set if key is builtin */ 179 179 #define KEY_FLAG_ROOT_CAN_INVAL 11 /* set if key can be invalidated by root without permission */ 180 + #define KEY_FLAG_KEEP 12 /* set if key should not be removed */ 180 181 181 182 /* the key type and key description string 182 183 * - the desc is used to match a key against search criteria

+8 -2

include/linux/lsm_hooks.h

··· 1261 1261 * audit_rule_init. 1262 1262 * @rule contains the allocated rule 1263 1263 * 1264 + * @inode_invalidate_secctx: 1265 + * Notify the security module that it must revalidate the security context 1266 + * of an inode. 1267 + * 1264 1268 * @inode_notifysecctx: 1265 1269 * Notify the security module of what the security context of an inode 1266 1270 * should be. Initializes the incore security context managed by the ··· 1417 1413 int (*inode_removexattr)(struct dentry *dentry, const char *name); 1418 1414 int (*inode_need_killpriv)(struct dentry *dentry); 1419 1415 int (*inode_killpriv)(struct dentry *dentry); 1420 - int (*inode_getsecurity)(const struct inode *inode, const char *name, 1416 + int (*inode_getsecurity)(struct inode *inode, const char *name, 1421 1417 void **buffer, bool alloc); 1422 1418 int (*inode_setsecurity)(struct inode *inode, const char *name, 1423 1419 const void *value, size_t size, 1424 1420 int flags); 1425 1421 int (*inode_listsecurity)(struct inode *inode, char *buffer, 1426 1422 size_t buffer_size); 1427 - void (*inode_getsecid)(const struct inode *inode, u32 *secid); 1423 + void (*inode_getsecid)(struct inode *inode, u32 *secid); 1428 1424 1429 1425 int (*file_permission)(struct file *file, int mask); 1430 1426 int (*file_alloc_security)(struct file *file); ··· 1520 1516 int (*secctx_to_secid)(const char *secdata, u32 seclen, u32 *secid); 1521 1517 void (*release_secctx)(char *secdata, u32 seclen); 1522 1518 1519 + void (*inode_invalidate_secctx)(struct inode *inode); 1523 1520 int (*inode_notifysecctx)(struct inode *inode, void *ctx, u32 ctxlen); 1524 1521 int (*inode_setsecctx)(struct dentry *dentry, void *ctx, u32 ctxlen); 1525 1522 int (*inode_getsecctx)(struct inode *inode, void **ctx, u32 *ctxlen); ··· 1762 1757 struct list_head secid_to_secctx; 1763 1758 struct list_head secctx_to_secid; 1764 1759 struct list_head release_secctx; 1760 + struct list_head inode_invalidate_secctx; 1765 1761 struct list_head inode_notifysecctx; 1766 1762 struct list_head inode_setsecctx; 1767 1763 struct list_head inode_getsecctx;

+9 -4

include/linux/security.h

··· 270 270 int security_inode_removexattr(struct dentry *dentry, const char *name); 271 271 int security_inode_need_killpriv(struct dentry *dentry); 272 272 int security_inode_killpriv(struct dentry *dentry); 273 - int security_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc); 273 + int security_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc); 274 274 int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags); 275 275 int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size); 276 - void security_inode_getsecid(const struct inode *inode, u32 *secid); 276 + void security_inode_getsecid(struct inode *inode, u32 *secid); 277 277 int security_file_permission(struct file *file, int mask); 278 278 int security_file_alloc(struct file *file); 279 279 void security_file_free(struct file *file); ··· 353 353 int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid); 354 354 void security_release_secctx(char *secdata, u32 seclen); 355 355 356 + void security_inode_invalidate_secctx(struct inode *inode); 356 357 int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen); 357 358 int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen); 358 359 int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen); ··· 720 719 return cap_inode_killpriv(dentry); 721 720 } 722 721 723 - static inline int security_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc) 722 + static inline int security_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc) 724 723 { 725 724 return -EOPNOTSUPP; 726 725 } ··· 735 734 return 0; 736 735 } 737 736 738 - static inline void security_inode_getsecid(const struct inode *inode, u32 *secid) 737 + static inline void security_inode_getsecid(struct inode *inode, u32 *secid) 739 738 { 740 739 *secid = 0; 741 740 } ··· 1091 1090 } 1092 1091 1093 1092 static inline void security_release_secctx(char *secdata, u32 seclen) 1093 + { 1094 + } 1095 + 1096 + static inline void security_inode_invalidate_secctx(struct inode *inode) 1094 1097 { 1095 1098 } 1096 1099

+1

include/uapi/linux/hash_info.h

··· 31 31 HASH_ALGO_TGR_128, 32 32 HASH_ALGO_TGR_160, 33 33 HASH_ALGO_TGR_192, 34 + HASH_ALGO_SM3_256, 34 35 HASH_ALGO__LAST 35 36 }; 36 37

+1 -1

kernel/audit.c

··· 1719 1719 1720 1720 /* Copy inode data into an audit_names. */ 1721 1721 void audit_copy_inode(struct audit_names *name, const struct dentry *dentry, 1722 - const struct inode *inode) 1722 + struct inode *inode) 1723 1723 { 1724 1724 name->ino = inode->i_ino; 1725 1725 name->dev = inode->i_sb->s_dev;

+1 -1

kernel/audit.h

··· 207 207 208 208 extern void audit_copy_inode(struct audit_names *name, 209 209 const struct dentry *dentry, 210 - const struct inode *inode); 210 + struct inode *inode); 211 211 extern void audit_log_cap(struct audit_buffer *ab, char *prefix, 212 212 kernel_cap_t *cap); 213 213 extern void audit_log_name(struct audit_context *context,

+3 -3

kernel/auditsc.c

··· 1754 1754 unsigned int flags) 1755 1755 { 1756 1756 struct audit_context *context = current->audit_context; 1757 - const struct inode *inode = d_backing_inode(dentry); 1757 + struct inode *inode = d_backing_inode(dentry); 1758 1758 struct audit_names *n; 1759 1759 bool parent = flags & AUDIT_INODE_PARENT; 1760 1760 ··· 1848 1848 * must be hooked prior, in order to capture the target inode during 1849 1849 * unsuccessful attempts. 1850 1850 */ 1851 - void __audit_inode_child(const struct inode *parent, 1851 + void __audit_inode_child(struct inode *parent, 1852 1852 const struct dentry *dentry, 1853 1853 const unsigned char type) 1854 1854 { 1855 1855 struct audit_context *context = current->audit_context; 1856 - const struct inode *inode = d_backing_inode(dentry); 1856 + struct inode *inode = d_backing_inode(dentry); 1857 1857 const char *dname = dentry->d_name.name; 1858 1858 struct audit_names *n, *found_parent = NULL, *found_child = NULL; 1859 1859

+11

security/integrity/Kconfig

··· 41 41 This option enables digital signature verification using 42 42 asymmetric keys. 43 43 44 + config INTEGRITY_TRUSTED_KEYRING 45 + bool "Require all keys on the integrity keyrings be signed" 46 + depends on SYSTEM_TRUSTED_KEYRING 47 + depends on INTEGRITY_ASYMMETRIC_KEYS 48 + select KEYS_DEBUG_PROC_KEYS 49 + default y 50 + help 51 + This option requires that all keys added to the .ima and 52 + .evm keyrings be signed by a key on the system trusted 53 + keyring. 54 + 44 55 config INTEGRITY_AUDIT 45 56 bool "Enables integrity auditing support " 46 57 depends on AUDIT

+12 -2

security/integrity/digsig.c

··· 24 24 static struct key *keyring[INTEGRITY_KEYRING_MAX]; 25 25 26 26 static const char *keyring_name[INTEGRITY_KEYRING_MAX] = { 27 + #ifndef CONFIG_INTEGRITY_TRUSTED_KEYRING 27 28 "_evm", 28 - "_module", 29 - #ifndef CONFIG_IMA_TRUSTED_KEYRING 30 29 "_ima", 31 30 #else 31 + ".evm", 32 32 ".ima", 33 33 #endif 34 + "_module", 34 35 }; 36 + 37 + #ifdef CONFIG_INTEGRITY_TRUSTED_KEYRING 38 + static bool init_keyring __initdata = true; 39 + #else 40 + static bool init_keyring __initdata; 41 + #endif 35 42 36 43 int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, 37 44 const char *digest, int digestlen) ··· 74 67 { 75 68 const struct cred *cred = current_cred(); 76 69 int err = 0; 70 + 71 + if (!init_keyring) 72 + return 0; 77 73 78 74 keyring[id] = keyring_alloc(keyring_name[id], KUIDT_INIT(0), 79 75 KGIDT_INIT(0), cred,

+14

security/integrity/digsig_asymmetric.c

··· 17 17 #include <linux/key-type.h> 18 18 #include <crypto/public_key.h> 19 19 #include <keys/asymmetric-type.h> 20 + #include <keys/system_keyring.h> 20 21 21 22 #include "integrity.h" 22 23 ··· 33 32 34 33 pr_debug("key search: \"%s\"\n", name); 35 34 35 + key = get_ima_blacklist_keyring(); 36 + if (key) { 37 + key_ref_t kref; 38 + 39 + kref = keyring_search(make_key_ref(key, 1), 40 + &key_type_asymmetric, name); 41 + if (!IS_ERR(kref)) { 42 + pr_err("Key '%s' is in ima_blacklist_keyring\n", name); 43 + return ERR_PTR(-EKEYREJECTED); 44 + } 45 + } 46 + 36 47 if (keyring) { 37 48 /* search in specific keyring */ 38 49 key_ref_t kref; 50 + 39 51 kref = keyring_search(make_key_ref(keyring, 1), 40 52 &key_type_asymmetric, name); 41 53 if (IS_ERR(kref))

+17

security/integrity/evm/Kconfig

··· 42 42 additional info to the calculation, requires existing EVM 43 43 labeled file systems to be relabeled. 44 44 45 + config EVM_LOAD_X509 46 + bool "Load an X509 certificate onto the '.evm' trusted keyring" 47 + depends on EVM && INTEGRITY_TRUSTED_KEYRING 48 + default n 49 + help 50 + Load an X509 certificate onto the '.evm' trusted keyring. 51 + 52 + This option enables X509 certificate loading from the kernel 53 + onto the '.evm' trusted keyring. A public key can be used to 54 + verify EVM integrity starting from the 'init' process. 55 + 56 + config EVM_X509_PATH 57 + string "EVM X509 certificate path" 58 + depends on EVM_LOAD_X509 59 + default "/etc/keys/x509_evm.der" 60 + help 61 + This option defines X509 certificate path.

+3

security/integrity/evm/evm.h

··· 21 21 22 22 #include "../integrity.h" 23 23 24 + #define EVM_INIT_HMAC 0x0001 25 + #define EVM_INIT_X509 0x0002 26 + 24 27 extern int evm_initialized; 25 28 extern char *evm_hmac; 26 29 extern char *evm_hash;

+47 -7

security/integrity/evm/evm_crypto.c

··· 18 18 #include <linux/module.h> 19 19 #include <linux/crypto.h> 20 20 #include <linux/xattr.h> 21 + #include <linux/evm.h> 21 22 #include <keys/encrypted-type.h> 22 23 #include <crypto/hash.h> 23 24 #include "evm.h" ··· 33 32 34 33 static DEFINE_MUTEX(mutex); 35 34 35 + #define EVM_SET_KEY_BUSY 0 36 + 37 + static unsigned long evm_set_key_flags; 38 + 39 + /** 40 + * evm_set_key() - set EVM HMAC key from the kernel 41 + * @key: pointer to a buffer with the key data 42 + * @size: length of the key data 43 + * 44 + * This function allows setting the EVM HMAC key from the kernel 45 + * without using the "encrypted" key subsystem keys. It can be used 46 + * by the crypto HW kernel module which has its own way of managing 47 + * keys. 48 + * 49 + * key length should be between 32 and 128 bytes long 50 + */ 51 + int evm_set_key(void *key, size_t keylen) 52 + { 53 + int rc; 54 + 55 + rc = -EBUSY; 56 + if (test_and_set_bit(EVM_SET_KEY_BUSY, &evm_set_key_flags)) 57 + goto busy; 58 + rc = -EINVAL; 59 + if (keylen > MAX_KEY_SIZE) 60 + goto inval; 61 + memcpy(evmkey, key, keylen); 62 + evm_initialized |= EVM_INIT_HMAC; 63 + pr_info("key initialized\n"); 64 + return 0; 65 + inval: 66 + clear_bit(EVM_SET_KEY_BUSY, &evm_set_key_flags); 67 + busy: 68 + pr_err("key initialization failed\n"); 69 + return rc; 70 + } 71 + EXPORT_SYMBOL_GPL(evm_set_key); 72 + 36 73 static struct shash_desc *init_desc(char type) 37 74 { 38 75 long rc; ··· 79 40 struct shash_desc *desc; 80 41 81 42 if (type == EVM_XATTR_HMAC) { 43 + if (!(evm_initialized & EVM_INIT_HMAC)) { 44 + pr_err("HMAC key is not set\n"); 45 + return ERR_PTR(-ENOKEY); 46 + } 82 47 tfm = &hmac_tfm; 83 48 algo = evm_hmac; 84 49 } else { ··· 283 240 { 284 241 struct key *evm_key; 285 242 struct encrypted_key_payload *ekp; 286 - int rc = 0; 243 + int rc; 287 244 288 245 evm_key = request_key(&key_type_encrypted, EVMKEY, NULL); 289 246 if (IS_ERR(evm_key)) ··· 291 248 292 249 down_read(&evm_key->sem); 293 250 ekp = evm_key->payload.data[0]; 294 - if (ekp->decrypted_datalen > MAX_KEY_SIZE) { 295 - rc = -EINVAL; 296 - goto out; 297 - } 298 - memcpy(evmkey, ekp->decrypted_data, ekp->decrypted_datalen); 299 - out: 251 + 252 + rc = evm_set_key(ekp->decrypted_data, ekp->decrypted_datalen); 253 + 300 254 /* burn the original key contents */ 301 255 memset(ekp->decrypted_data, 0, ekp->decrypted_datalen); 302 256 up_read(&evm_key->sem);

+29 -3

security/integrity/evm/evm_main.c

··· 358 358 return evm_protect_xattr(dentry, xattr_name, NULL, 0); 359 359 } 360 360 361 + static void evm_reset_status(struct inode *inode) 362 + { 363 + struct integrity_iint_cache *iint; 364 + 365 + iint = integrity_iint_find(inode); 366 + if (iint) 367 + iint->evm_status = INTEGRITY_UNKNOWN; 368 + } 369 + 361 370 /** 362 371 * evm_inode_post_setxattr - update 'security.evm' to reflect the changes 363 372 * @dentry: pointer to the affected dentry ··· 387 378 && !posix_xattr_acl(xattr_name))) 388 379 return; 389 380 381 + evm_reset_status(dentry->d_inode); 382 + 390 383 evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len); 391 384 } 392 385 ··· 406 395 { 407 396 if (!evm_initialized || !evm_protected_xattr(xattr_name)) 408 397 return; 398 + 399 + evm_reset_status(dentry->d_inode); 409 400 410 401 evm_update_evmxattr(dentry, xattr_name, NULL, 0); 411 402 } ··· 485 472 } 486 473 EXPORT_SYMBOL_GPL(evm_inode_init_security); 487 474 475 + #ifdef CONFIG_EVM_LOAD_X509 476 + void __init evm_load_x509(void) 477 + { 478 + int rc; 479 + 480 + rc = integrity_load_x509(INTEGRITY_KEYRING_EVM, CONFIG_EVM_X509_PATH); 481 + if (!rc) 482 + evm_initialized |= EVM_INIT_X509; 483 + } 484 + #endif 485 + 488 486 static int __init init_evm(void) 489 487 { 490 488 int error; 491 489 492 490 evm_init_config(); 493 491 492 + error = integrity_init_keyring(INTEGRITY_KEYRING_EVM); 493 + if (error) 494 + return error; 495 + 494 496 error = evm_init_secfs(); 495 497 if (error < 0) { 496 498 pr_info("Error registering secfs\n"); 497 - goto err; 499 + return error; 498 500 } 499 501 500 502 return 0; 501 - err: 502 - return error; 503 503 } 504 504 505 505 /*

+4 -8

security/integrity/evm/evm_secfs.c

··· 62 62 size_t count, loff_t *ppos) 63 63 { 64 64 char temp[80]; 65 - int i, error; 65 + int i; 66 66 67 - if (!capable(CAP_SYS_ADMIN) || evm_initialized) 67 + if (!capable(CAP_SYS_ADMIN) || (evm_initialized & EVM_INIT_HMAC)) 68 68 return -EPERM; 69 69 70 70 if (count >= sizeof(temp) || count == 0) ··· 78 78 if ((sscanf(temp, "%d", &i) != 1) || (i != 1)) 79 79 return -EINVAL; 80 80 81 - error = evm_init_key(); 82 - if (!error) { 83 - evm_initialized = 1; 84 - pr_info("initialized\n"); 85 - } else 86 - pr_err("initialization failed\n"); 81 + evm_init_key(); 82 + 87 83 return count; 88 84 } 89 85

+1

security/integrity/iint.c

··· 255 255 void __init integrity_load_keys(void) 256 256 { 257 257 ima_load_x509(); 258 + evm_load_x509(); 258 259 }

+43 -1

security/integrity/ima/Kconfig

··· 107 107 default "sha512" if IMA_DEFAULT_HASH_SHA512 108 108 default "wp512" if IMA_DEFAULT_HASH_WP512 109 109 110 + config IMA_WRITE_POLICY 111 + bool "Enable multiple writes to the IMA policy" 112 + depends on IMA 113 + default n 114 + help 115 + IMA policy can now be updated multiple times. The new rules get 116 + appended to the original policy. Have in mind that the rules are 117 + scanned in FIFO order so be careful when you design and add new ones. 118 + 119 + If unsure, say N. 120 + 121 + config IMA_READ_POLICY 122 + bool "Enable reading back the current IMA policy" 123 + depends on IMA 124 + default y if IMA_WRITE_POLICY 125 + default n if !IMA_WRITE_POLICY 126 + help 127 + It is often useful to be able to read back the IMA policy. It is 128 + even more important after introducing CONFIG_IMA_WRITE_POLICY. 129 + This option allows the root user to see the current policy rules. 130 + 110 131 config IMA_APPRAISE 111 132 bool "Appraise integrity measurements" 112 133 depends on IMA ··· 144 123 If unsure, say N. 145 124 146 125 config IMA_TRUSTED_KEYRING 147 - bool "Require all keys on the .ima keyring be signed" 126 + bool "Require all keys on the .ima keyring be signed (deprecated)" 148 127 depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING 149 128 depends on INTEGRITY_ASYMMETRIC_KEYS 129 + select INTEGRITY_TRUSTED_KEYRING 150 130 default y 151 131 help 152 132 This option requires that all keys added to the .ima 153 133 keyring be signed by a key on the system trusted keyring. 134 + 135 + This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING 136 + 137 + config IMA_MOK_KEYRING 138 + bool "Create IMA machine owner keys (MOK) and blacklist keyrings" 139 + depends on SYSTEM_TRUSTED_KEYRING 140 + depends on IMA_TRUSTED_KEYRING 141 + default n 142 + help 143 + This option creates IMA MOK and blacklist keyrings. IMA MOK is an 144 + intermediate keyring that sits between .system and .ima keyrings, 145 + effectively forming a simple CA hierarchy. To successfully import a 146 + key into .ima_mok it must be signed by a key which CA is in .system 147 + keyring. On turn any key that needs to go in .ima keyring must be 148 + signed by CA in either .system or .ima_mok keyrings. IMA MOK is empty 149 + at kernel boot. 150 + 151 + IMA blacklist keyring contains all revoked IMA keys. It is consulted 152 + before any other keyring. If the search is successful the requested 153 + operation is rejected and error is returned to the caller. 154 154 155 155 config IMA_LOAD_X509 156 156 bool "Load X509 certificate onto the '.ima' trusted keyring"

+1

security/integrity/ima/Makefile

··· 8 8 ima-y := ima_fs.o ima_queue.o ima_init.o ima_main.o ima_crypto.o ima_api.o \ 9 9 ima_policy.o ima_template.o ima_template_lib.o 10 10 ima-$(CONFIG_IMA_APPRAISE) += ima_appraise.o 11 + obj-$(CONFIG_IMA_MOK_KEYRING) += ima_mok.o

+13 -13

security/integrity/ima/ima.h

··· 166 166 void ima_update_policy_flag(void); 167 167 ssize_t ima_parse_add_rule(char *); 168 168 void ima_delete_rules(void); 169 + int ima_check_policy(void); 170 + void *ima_policy_start(struct seq_file *m, loff_t *pos); 171 + void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos); 172 + void ima_policy_stop(struct seq_file *m, void *v); 173 + int ima_policy_show(struct seq_file *m, void *v); 169 174 170 175 /* Appraise integrity measurements */ 171 176 #define IMA_APPRAISE_ENFORCE 0x01 ··· 255 250 { 256 251 return -EINVAL; 257 252 } 258 - #endif /* CONFIG_IMA_LSM_RULES */ 259 - 260 - #ifdef CONFIG_IMA_TRUSTED_KEYRING 261 - static inline int ima_init_keyring(const unsigned int id) 262 - { 263 - return integrity_init_keyring(id); 264 - } 265 - #else 266 - static inline int ima_init_keyring(const unsigned int id) 267 - { 268 - return 0; 269 - } 270 253 #endif /* CONFIG_IMA_TRUSTED_KEYRING */ 271 - #endif 254 + 255 + #ifdef CONFIG_IMA_READ_POLICY 256 + #define POLICY_FILE_FLAGS (S_IWUSR | S_IRUSR) 257 + #else 258 + #define POLICY_FILE_FLAGS S_IWUSR 259 + #endif /* CONFIG_IMA_WRITE_POLICY */ 260 + 261 + #endif /* __LINUX_IMA_H */

+46 -7

security/integrity/ima/ima_fs.c

··· 25 25 26 26 #include "ima.h" 27 27 28 + static DEFINE_MUTEX(ima_write_mutex); 29 + 28 30 static int valid_policy = 1; 29 31 #define TMPBUFLEN 12 30 32 static ssize_t ima_show_htable_value(char __user *buf, size_t count, ··· 261 259 static ssize_t ima_write_policy(struct file *file, const char __user *buf, 262 260 size_t datalen, loff_t *ppos) 263 261 { 264 - char *data = NULL; 262 + char *data; 265 263 ssize_t result; 266 264 267 265 if (datalen >= PAGE_SIZE) ··· 281 279 282 280 result = -EFAULT; 283 281 if (copy_from_user(data, buf, datalen)) 284 - goto out; 282 + goto out_free; 285 283 284 + result = mutex_lock_interruptible(&ima_write_mutex); 285 + if (result < 0) 286 + goto out_free; 286 287 result = ima_parse_add_rule(data); 288 + mutex_unlock(&ima_write_mutex); 289 + 290 + out_free: 291 + kfree(data); 287 292 out: 288 293 if (result < 0) 289 294 valid_policy = 0; 290 - kfree(data); 295 + 291 296 return result; 292 297 } 293 298 ··· 311 302 312 303 static unsigned long ima_fs_flags; 313 304 305 + #ifdef CONFIG_IMA_READ_POLICY 306 + static const struct seq_operations ima_policy_seqops = { 307 + .start = ima_policy_start, 308 + .next = ima_policy_next, 309 + .stop = ima_policy_stop, 310 + .show = ima_policy_show, 311 + }; 312 + #endif 313 + 314 314 /* 315 315 * ima_open_policy: sequentialize access to the policy file 316 316 */ 317 317 static int ima_open_policy(struct inode *inode, struct file *filp) 318 318 { 319 - /* No point in being allowed to open it if you aren't going to write */ 320 - if (!(filp->f_flags & O_WRONLY)) 319 + if (!(filp->f_flags & O_WRONLY)) { 320 + #ifndef CONFIG_IMA_READ_POLICY 321 321 return -EACCES; 322 + #else 323 + if ((filp->f_flags & O_ACCMODE) != O_RDONLY) 324 + return -EACCES; 325 + if (!capable(CAP_SYS_ADMIN)) 326 + return -EPERM; 327 + return seq_open(filp, &ima_policy_seqops); 328 + #endif 329 + } 322 330 if (test_and_set_bit(IMA_FS_BUSY, &ima_fs_flags)) 323 331 return -EBUSY; 324 332 return 0; ··· 352 326 { 353 327 const char *cause = valid_policy ? "completed" : "failed"; 354 328 329 + if ((file->f_flags & O_ACCMODE) == O_RDONLY) 330 + return 0; 331 + 332 + if (valid_policy && ima_check_policy() < 0) { 333 + cause = "failed"; 334 + valid_policy = 0; 335 + } 336 + 355 337 pr_info("IMA: policy update %s\n", cause); 356 338 integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, NULL, 357 339 "policy_update", cause, !valid_policy, 0); ··· 370 336 clear_bit(IMA_FS_BUSY, &ima_fs_flags); 371 337 return 0; 372 338 } 339 + 373 340 ima_update_policy(); 341 + #ifndef CONFIG_IMA_WRITE_POLICY 374 342 securityfs_remove(ima_policy); 375 343 ima_policy = NULL; 344 + #else 345 + clear_bit(IMA_FS_BUSY, &ima_fs_flags); 346 + #endif 376 347 return 0; 377 348 } 378 349 379 350 static const struct file_operations ima_measure_policy_ops = { 380 351 .open = ima_open_policy, 381 352 .write = ima_write_policy, 353 + .read = seq_read, 382 354 .release = ima_release_policy, 383 355 .llseek = generic_file_llseek, 384 356 }; ··· 422 382 if (IS_ERR(violations)) 423 383 goto out; 424 384 425 - ima_policy = securityfs_create_file("policy", 426 - S_IWUSR, 385 + ima_policy = securityfs_create_file("policy", POLICY_FILE_FLAGS, 427 386 ima_dir, NULL, 428 387 &ima_measure_policy_ops); 429 388 if (IS_ERR(ima_policy))

+1 -1

security/integrity/ima/ima_init.c

··· 116 116 if (!ima_used_chip) 117 117 pr_info("No TPM chip found, activating TPM-bypass!\n"); 118 118 119 - rc = ima_init_keyring(INTEGRITY_KEYRING_IMA); 119 + rc = integrity_init_keyring(INTEGRITY_KEYRING_IMA); 120 120 if (rc) 121 121 return rc; 122 122

+55

security/integrity/ima/ima_mok.c

··· 1 + /* 2 + * Copyright (C) 2015 Juniper Networks, Inc. 3 + * 4 + * Author: 5 + * Petko Manolov <petko.manolov@konsulko.com> 6 + * 7 + * This program is free software; you can redistribute it and/or 8 + * modify it under the terms of the GNU General Public License as 9 + * published by the Free Software Foundation, version 2 of the 10 + * License. 11 + * 12 + */ 13 + 14 + #include <linux/export.h> 15 + #include <linux/kernel.h> 16 + #include <linux/sched.h> 17 + #include <linux/cred.h> 18 + #include <linux/err.h> 19 + #include <linux/init.h> 20 + #include <keys/asymmetric-type.h> 21 + 22 + 23 + struct key *ima_mok_keyring; 24 + struct key *ima_blacklist_keyring; 25 + 26 + /* 27 + * Allocate the IMA MOK and blacklist keyrings 28 + */ 29 + __init int ima_mok_init(void) 30 + { 31 + pr_notice("Allocating IMA MOK and blacklist keyrings.\n"); 32 + 33 + ima_mok_keyring = keyring_alloc(".ima_mok", 34 + KUIDT_INIT(0), KGIDT_INIT(0), current_cred(), 35 + (KEY_POS_ALL & ~KEY_POS_SETATTR) | 36 + KEY_USR_VIEW | KEY_USR_READ | 37 + KEY_USR_WRITE | KEY_USR_SEARCH, 38 + KEY_ALLOC_NOT_IN_QUOTA, NULL); 39 + 40 + ima_blacklist_keyring = keyring_alloc(".ima_blacklist", 41 + KUIDT_INIT(0), KGIDT_INIT(0), current_cred(), 42 + (KEY_POS_ALL & ~KEY_POS_SETATTR) | 43 + KEY_USR_VIEW | KEY_USR_READ | 44 + KEY_USR_WRITE | KEY_USR_SEARCH, 45 + KEY_ALLOC_NOT_IN_QUOTA, NULL); 46 + 47 + if (IS_ERR(ima_mok_keyring) || IS_ERR(ima_blacklist_keyring)) 48 + panic("Can't allocate IMA MOK or blacklist keyrings."); 49 + set_bit(KEY_FLAG_TRUSTED_ONLY, &ima_mok_keyring->flags); 50 + 51 + set_bit(KEY_FLAG_TRUSTED_ONLY, &ima_blacklist_keyring->flags); 52 + set_bit(KEY_FLAG_KEEP, &ima_blacklist_keyring->flags); 53 + return 0; 54 + } 55 + device_initcall(ima_mok_init);

+269 -32

security/integrity/ima/ima_policy.c

··· 16 16 #include <linux/magic.h> 17 17 #include <linux/parser.h> 18 18 #include <linux/slab.h> 19 + #include <linux/rculist.h> 19 20 #include <linux/genhd.h> 21 + #include <linux/seq_file.h> 20 22 21 23 #include "ima.h" 22 24 ··· 40 38 #define AUDIT 0x0040 41 39 42 40 int ima_policy_flag; 41 + static int temp_ima_appraise; 43 42 44 43 #define MAX_LSM_RULES 6 45 44 enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE, ··· 138 135 139 136 static LIST_HEAD(ima_default_rules); 140 137 static LIST_HEAD(ima_policy_rules); 138 + static LIST_HEAD(ima_temp_rules); 141 139 static struct list_head *ima_rules; 142 140 143 - static DEFINE_MUTEX(ima_rules_mutex); 144 - 145 141 static int ima_policy __initdata; 142 + 146 143 static int __init default_measure_policy_setup(char *str) 147 144 { 148 145 if (ima_policy) ··· 174 171 __setup("ima_appraise_tcb", default_appraise_policy_setup); 175 172 176 173 /* 177 - * Although the IMA policy does not change, the LSM policy can be 178 - * reloaded, leaving the IMA LSM based rules referring to the old, 179 - * stale LSM policy. 180 - * 181 - * Update the IMA LSM based rules to reflect the reloaded LSM policy. 182 - * We assume the rules still exist; and BUG_ON() if they don't. 174 + * The LSM policy can be reloaded, leaving the IMA LSM based rules referring 175 + * to the old, stale LSM policy. Update the IMA LSM based rules to reflect 176 + * the reloaded LSM policy. We assume the rules still exist; and BUG_ON() if 177 + * they don't. 183 178 */ 184 179 static void ima_lsm_update_rules(void) 185 180 { 186 - struct ima_rule_entry *entry, *tmp; 181 + struct ima_rule_entry *entry; 187 182 int result; 188 183 int i; 189 184 190 - mutex_lock(&ima_rules_mutex); 191 - list_for_each_entry_safe(entry, tmp, &ima_policy_rules, list) { 185 + list_for_each_entry(entry, &ima_policy_rules, list) { 192 186 for (i = 0; i < MAX_LSM_RULES; i++) { 193 187 if (!entry->lsm[i].rule) 194 188 continue; ··· 196 196 BUG_ON(!entry->lsm[i].rule); 197 197 } 198 198 } 199 - mutex_unlock(&ima_rules_mutex); 200 199 } 201 200 202 201 /** ··· 318 319 * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type) 319 320 * conditions. 320 321 * 321 - * (There is no need for locking when walking the policy list, 322 - * as elements in the list are never deleted, nor does the list 323 - * change.) 322 + * Since the IMA policy may be updated multiple times we need to lock the 323 + * list when walking it. Reads are many orders of magnitude more numerous 324 + * than writes so ima_match_policy() is classical RCU candidate. 324 325 */ 325 326 int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask, 326 327 int flags) ··· 328 329 struct ima_rule_entry *entry; 329 330 int action = 0, actmask = flags | (flags << 1); 330 331 331 - list_for_each_entry(entry, ima_rules, list) { 332 + rcu_read_lock(); 333 + list_for_each_entry_rcu(entry, ima_rules, list) { 332 334 333 335 if (!(entry->action & actmask)) 334 336 continue; ··· 351 351 if (!actmask) 352 352 break; 353 353 } 354 + rcu_read_unlock(); 354 355 355 356 return action; 356 357 } ··· 366 365 { 367 366 struct ima_rule_entry *entry; 368 367 369 - ima_policy_flag = 0; 370 368 list_for_each_entry(entry, ima_rules, list) { 371 369 if (entry->action & IMA_DO_MASK) 372 370 ima_policy_flag |= entry->action; 373 371 } 374 372 373 + ima_appraise |= temp_ima_appraise; 375 374 if (!ima_appraise) 376 375 ima_policy_flag &= ~IMA_APPRAISE; 377 376 } ··· 416 415 ima_rules = &ima_default_rules; 417 416 } 418 417 418 + /* Make sure we have a valid policy, at least containing some rules. */ 419 + int ima_check_policy() 420 + { 421 + if (list_empty(&ima_temp_rules)) 422 + return -EINVAL; 423 + return 0; 424 + } 425 + 419 426 /** 420 427 * ima_update_policy - update default_rules with new measure rules 421 428 * 422 429 * Called on file .release to update the default rules with a complete new 423 - * policy. Once updated, the policy is locked, no additional rules can be 424 - * added to the policy. 430 + * policy. What we do here is to splice ima_policy_rules and ima_temp_rules so 431 + * they make a queue. The policy may be updated multiple times and this is the 432 + * RCU updater. 433 + * 434 + * Policy rules are never deleted so ima_policy_flag gets zeroed only once when 435 + * we switch from the default policy to user defined. 425 436 */ 426 437 void ima_update_policy(void) 427 438 { 428 - ima_rules = &ima_policy_rules; 439 + struct list_head *first, *last, *policy; 440 + 441 + /* append current policy with the new rules */ 442 + first = (&ima_temp_rules)->next; 443 + last = (&ima_temp_rules)->prev; 444 + policy = &ima_policy_rules; 445 + 446 + synchronize_rcu(); 447 + 448 + last->next = policy; 449 + rcu_assign_pointer(list_next_rcu(policy->prev), first); 450 + first->prev = policy->prev; 451 + policy->prev = last; 452 + 453 + /* prepare for the next policy rules addition */ 454 + INIT_LIST_HEAD(&ima_temp_rules); 455 + 456 + if (ima_rules != policy) { 457 + ima_policy_flag = 0; 458 + ima_rules = policy; 459 + } 429 460 ima_update_policy_flag(); 430 461 } 431 462 ··· 469 436 Opt_obj_user, Opt_obj_role, Opt_obj_type, 470 437 Opt_subj_user, Opt_subj_role, Opt_subj_type, 471 438 Opt_func, Opt_mask, Opt_fsmagic, 472 - Opt_uid, Opt_euid, Opt_fowner, 473 - Opt_appraise_type, Opt_fsuuid, Opt_permit_directio 439 + Opt_fsuuid, Opt_uid, Opt_euid, Opt_fowner, 440 + Opt_appraise_type, Opt_permit_directio 474 441 }; 475 442 476 443 static match_table_t policy_tokens = { ··· 767 734 if (!result && (entry->action == UNKNOWN)) 768 735 result = -EINVAL; 769 736 else if (entry->func == MODULE_CHECK) 770 - ima_appraise |= IMA_APPRAISE_MODULES; 737 + temp_ima_appraise |= IMA_APPRAISE_MODULES; 771 738 else if (entry->func == FIRMWARE_CHECK) 772 - ima_appraise |= IMA_APPRAISE_FIRMWARE; 739 + temp_ima_appraise |= IMA_APPRAISE_FIRMWARE; 773 740 audit_log_format(ab, "res=%d", !result); 774 741 audit_log_end(ab); 775 742 return result; ··· 779 746 * ima_parse_add_rule - add a rule to ima_policy_rules 780 747 * @rule - ima measurement policy rule 781 748 * 782 - * Uses a mutex to protect the policy list from multiple concurrent writers. 749 + * Avoid locking by allowing just one writer at a time in ima_write_policy() 783 750 * Returns the length of the rule parsed, an error code on failure 784 751 */ 785 752 ssize_t ima_parse_add_rule(char *rule) ··· 815 782 return result; 816 783 } 817 784 818 - mutex_lock(&ima_rules_mutex); 819 - list_add_tail(&entry->list, &ima_policy_rules); 820 - mutex_unlock(&ima_rules_mutex); 785 + list_add_tail(&entry->list, &ima_temp_rules); 821 786 822 787 return len; 823 788 } 824 789 825 - /* ima_delete_rules called to cleanup invalid policy */ 790 + /** 791 + * ima_delete_rules() called to cleanup invalid in-flight policy. 792 + * We don't need locking as we operate on the temp list, which is 793 + * different from the active one. There is also only one user of 794 + * ima_delete_rules() at a time. 795 + */ 826 796 void ima_delete_rules(void) 827 797 { 828 798 struct ima_rule_entry *entry, *tmp; 829 799 int i; 830 800 831 - mutex_lock(&ima_rules_mutex); 832 - list_for_each_entry_safe(entry, tmp, &ima_policy_rules, list) { 801 + temp_ima_appraise = 0; 802 + list_for_each_entry_safe(entry, tmp, &ima_temp_rules, list) { 833 803 for (i = 0; i < MAX_LSM_RULES; i++) 834 804 kfree(entry->lsm[i].args_p); 835 805 836 806 list_del(&entry->list); 837 807 kfree(entry); 838 808 } 839 - mutex_unlock(&ima_rules_mutex); 840 809 } 810 + 811 + #ifdef CONFIG_IMA_READ_POLICY 812 + enum { 813 + mask_exec = 0, mask_write, mask_read, mask_append 814 + }; 815 + 816 + static char *mask_tokens[] = { 817 + "MAY_EXEC", 818 + "MAY_WRITE", 819 + "MAY_READ", 820 + "MAY_APPEND" 821 + }; 822 + 823 + enum { 824 + func_file = 0, func_mmap, func_bprm, 825 + func_module, func_firmware, func_post 826 + }; 827 + 828 + static char *func_tokens[] = { 829 + "FILE_CHECK", 830 + "MMAP_CHECK", 831 + "BPRM_CHECK", 832 + "MODULE_CHECK", 833 + "FIRMWARE_CHECK", 834 + "POST_SETATTR" 835 + }; 836 + 837 + void *ima_policy_start(struct seq_file *m, loff_t *pos) 838 + { 839 + loff_t l = *pos; 840 + struct ima_rule_entry *entry; 841 + 842 + rcu_read_lock(); 843 + list_for_each_entry_rcu(entry, ima_rules, list) { 844 + if (!l--) { 845 + rcu_read_unlock(); 846 + return entry; 847 + } 848 + } 849 + rcu_read_unlock(); 850 + return NULL; 851 + } 852 + 853 + void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos) 854 + { 855 + struct ima_rule_entry *entry = v; 856 + 857 + rcu_read_lock(); 858 + entry = list_entry_rcu(entry->list.next, struct ima_rule_entry, list); 859 + rcu_read_unlock(); 860 + (*pos)++; 861 + 862 + return (&entry->list == ima_rules) ? NULL : entry; 863 + } 864 + 865 + void ima_policy_stop(struct seq_file *m, void *v) 866 + { 867 + } 868 + 869 + #define pt(token) policy_tokens[token + Opt_err].pattern 870 + #define mt(token) mask_tokens[token] 871 + #define ft(token) func_tokens[token] 872 + 873 + int ima_policy_show(struct seq_file *m, void *v) 874 + { 875 + struct ima_rule_entry *entry = v; 876 + int i = 0; 877 + char tbuf[64] = {0,}; 878 + 879 + rcu_read_lock(); 880 + 881 + if (entry->action & MEASURE) 882 + seq_puts(m, pt(Opt_measure)); 883 + if (entry->action & DONT_MEASURE) 884 + seq_puts(m, pt(Opt_dont_measure)); 885 + if (entry->action & APPRAISE) 886 + seq_puts(m, pt(Opt_appraise)); 887 + if (entry->action & DONT_APPRAISE) 888 + seq_puts(m, pt(Opt_dont_appraise)); 889 + if (entry->action & AUDIT) 890 + seq_puts(m, pt(Opt_audit)); 891 + 892 + seq_puts(m, " "); 893 + 894 + if (entry->flags & IMA_FUNC) { 895 + switch (entry->func) { 896 + case FILE_CHECK: 897 + seq_printf(m, pt(Opt_func), ft(func_file)); 898 + break; 899 + case MMAP_CHECK: 900 + seq_printf(m, pt(Opt_func), ft(func_mmap)); 901 + break; 902 + case BPRM_CHECK: 903 + seq_printf(m, pt(Opt_func), ft(func_bprm)); 904 + break; 905 + case MODULE_CHECK: 906 + seq_printf(m, pt(Opt_func), ft(func_module)); 907 + break; 908 + case FIRMWARE_CHECK: 909 + seq_printf(m, pt(Opt_func), ft(func_firmware)); 910 + break; 911 + case POST_SETATTR: 912 + seq_printf(m, pt(Opt_func), ft(func_post)); 913 + break; 914 + default: 915 + snprintf(tbuf, sizeof(tbuf), "%d", entry->func); 916 + seq_printf(m, pt(Opt_func), tbuf); 917 + break; 918 + } 919 + seq_puts(m, " "); 920 + } 921 + 922 + if (entry->flags & IMA_MASK) { 923 + if (entry->mask & MAY_EXEC) 924 + seq_printf(m, pt(Opt_mask), mt(mask_exec)); 925 + if (entry->mask & MAY_WRITE) 926 + seq_printf(m, pt(Opt_mask), mt(mask_write)); 927 + if (entry->mask & MAY_READ) 928 + seq_printf(m, pt(Opt_mask), mt(mask_read)); 929 + if (entry->mask & MAY_APPEND) 930 + seq_printf(m, pt(Opt_mask), mt(mask_append)); 931 + seq_puts(m, " "); 932 + } 933 + 934 + if (entry->flags & IMA_FSMAGIC) { 935 + snprintf(tbuf, sizeof(tbuf), "0x%lx", entry->fsmagic); 936 + seq_printf(m, pt(Opt_fsmagic), tbuf); 937 + seq_puts(m, " "); 938 + } 939 + 940 + if (entry->flags & IMA_FSUUID) { 941 + seq_puts(m, "fsuuid="); 942 + for (i = 0; i < ARRAY_SIZE(entry->fsuuid); ++i) { 943 + switch (i) { 944 + case 4: 945 + case 6: 946 + case 8: 947 + case 10: 948 + seq_puts(m, "-"); 949 + } 950 + seq_printf(m, "%x", entry->fsuuid[i]); 951 + } 952 + seq_puts(m, " "); 953 + } 954 + 955 + if (entry->flags & IMA_UID) { 956 + snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid)); 957 + seq_printf(m, pt(Opt_uid), tbuf); 958 + seq_puts(m, " "); 959 + } 960 + 961 + if (entry->flags & IMA_EUID) { 962 + snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->uid)); 963 + seq_printf(m, pt(Opt_euid), tbuf); 964 + seq_puts(m, " "); 965 + } 966 + 967 + if (entry->flags & IMA_FOWNER) { 968 + snprintf(tbuf, sizeof(tbuf), "%d", __kuid_val(entry->fowner)); 969 + seq_printf(m, pt(Opt_fowner), tbuf); 970 + seq_puts(m, " "); 971 + } 972 + 973 + for (i = 0; i < MAX_LSM_RULES; i++) { 974 + if (entry->lsm[i].rule) { 975 + switch (i) { 976 + case LSM_OBJ_USER: 977 + seq_printf(m, pt(Opt_obj_user), 978 + (char *)entry->lsm[i].args_p); 979 + break; 980 + case LSM_OBJ_ROLE: 981 + seq_printf(m, pt(Opt_obj_role), 982 + (char *)entry->lsm[i].args_p); 983 + break; 984 + case LSM_OBJ_TYPE: 985 + seq_printf(m, pt(Opt_obj_type), 986 + (char *)entry->lsm[i].args_p); 987 + break; 988 + case LSM_SUBJ_USER: 989 + seq_printf(m, pt(Opt_subj_user), 990 + (char *)entry->lsm[i].args_p); 991 + break; 992 + case LSM_SUBJ_ROLE: 993 + seq_printf(m, pt(Opt_subj_role), 994 + (char *)entry->lsm[i].args_p); 995 + break; 996 + case LSM_SUBJ_TYPE: 997 + seq_printf(m, pt(Opt_subj_type), 998 + (char *)entry->lsm[i].args_p); 999 + break; 1000 + } 1001 + } 1002 + } 1003 + if (entry->flags & IMA_DIGSIG_REQUIRED) 1004 + seq_puts(m, "appraise_type=imasig "); 1005 + if (entry->flags & IMA_PERMIT_DIRECTIO) 1006 + seq_puts(m, "permit_directio "); 1007 + rcu_read_unlock(); 1008 + seq_puts(m, "\n"); 1009 + return 0; 1010 + } 1011 + #endif /* CONFIG_IMA_READ_POLICY */

+10 -3

security/integrity/integrity.h

··· 125 125 int __init integrity_read_file(const char *path, char **data); 126 126 127 127 #define INTEGRITY_KEYRING_EVM 0 128 - #define INTEGRITY_KEYRING_MODULE 1 129 - #define INTEGRITY_KEYRING_IMA 2 128 + #define INTEGRITY_KEYRING_IMA 1 129 + #define INTEGRITY_KEYRING_MODULE 2 130 130 #define INTEGRITY_KEYRING_MAX 3 131 131 132 132 #ifdef CONFIG_INTEGRITY_SIGNATURE ··· 149 149 { 150 150 return 0; 151 151 } 152 - 153 152 #endif /* CONFIG_INTEGRITY_SIGNATURE */ 154 153 155 154 #ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS ··· 166 167 void __init ima_load_x509(void); 167 168 #else 168 169 static inline void ima_load_x509(void) 170 + { 171 + } 172 + #endif 173 + 174 + #ifdef CONFIG_EVM_LOAD_X509 175 + void __init evm_load_x509(void); 176 + #else 177 + static inline void evm_load_x509(void) 169 178 { 170 179 } 171 180 #endif

+1

security/keys/Kconfig

··· 54 54 select CRYPTO 55 55 select CRYPTO_HMAC 56 56 select CRYPTO_SHA1 57 + select CRYPTO_HASH_INFO 57 58 help 58 59 This option provides support for creating, sealing, and unsealing 59 60 keys in the kernel. Trusted keys are random number symmetric keys,

+4 -1

security/keys/key.c

··· 429 429 awaken = 1; 430 430 431 431 /* and link it into the destination keyring */ 432 - if (keyring) 432 + if (keyring) { 433 + set_bit(KEY_FLAG_KEEP, &key->flags); 434 + 433 435 __key_link(key, _edit); 436 + } 434 437 435 438 /* disable the authorisation key */ 436 439 if (authkey)

+41 -8

security/keys/keyctl.c

··· 358 358 * and any links to the key will be automatically garbage collected after a 359 359 * certain amount of time (/proc/sys/kernel/keys/gc_delay). 360 360 * 361 + * Keys with KEY_FLAG_KEEP set should not be revoked. 362 + * 361 363 * If successful, 0 is returned. 362 364 */ 363 365 long keyctl_revoke_key(key_serial_t id) 364 366 { 365 367 key_ref_t key_ref; 368 + struct key *key; 366 369 long ret; 367 370 368 371 key_ref = lookup_user_key(id, 0, KEY_NEED_WRITE); ··· 380 377 } 381 378 } 382 379 383 - key_revoke(key_ref_to_ptr(key_ref)); 380 + key = key_ref_to_ptr(key_ref); 384 381 ret = 0; 382 + if (test_bit(KEY_FLAG_KEEP, &key->flags)) 383 + ret = -EPERM; 384 + else 385 + key_revoke(key); 385 386 386 387 key_ref_put(key_ref); 387 388 error: ··· 399 392 * The key and any links to the key will be automatically garbage collected 400 393 * immediately. 401 394 * 395 + * Keys with KEY_FLAG_KEEP set should not be invalidated. 396 + * 402 397 * If successful, 0 is returned. 403 398 */ 404 399 long keyctl_invalidate_key(key_serial_t id) 405 400 { 406 401 key_ref_t key_ref; 402 + struct key *key; 407 403 long ret; 408 404 409 405 kenter("%d", id); ··· 430 420 } 431 421 432 422 invalidate: 433 - key_invalidate(key_ref_to_ptr(key_ref)); 423 + key = key_ref_to_ptr(key_ref); 434 424 ret = 0; 425 + if (test_bit(KEY_FLAG_KEEP, &key->flags)) 426 + ret = -EPERM; 427 + else 428 + key_invalidate(key); 435 429 error_put: 436 430 key_ref_put(key_ref); 437 431 error: ··· 447 433 * Clear the specified keyring, creating an empty process keyring if one of the 448 434 * special keyring IDs is used. 449 435 * 450 - * The keyring must grant the caller Write permission for this to work. If 451 - * successful, 0 will be returned. 436 + * The keyring must grant the caller Write permission and not have 437 + * KEY_FLAG_KEEP set for this to work. If successful, 0 will be returned. 452 438 */ 453 439 long keyctl_keyring_clear(key_serial_t ringid) 454 440 { 455 441 key_ref_t keyring_ref; 442 + struct key *keyring; 456 443 long ret; 457 444 458 445 keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); ··· 475 460 } 476 461 477 462 clear: 478 - ret = keyring_clear(key_ref_to_ptr(keyring_ref)); 463 + keyring = key_ref_to_ptr(keyring_ref); 464 + if (test_bit(KEY_FLAG_KEEP, &keyring->flags)) 465 + ret = -EPERM; 466 + else 467 + ret = keyring_clear(keyring); 479 468 error_put: 480 469 key_ref_put(keyring_ref); 481 470 error: ··· 530 511 * itself need not grant the caller anything. If the last link to a key is 531 512 * removed then that key will be scheduled for destruction. 532 513 * 514 + * Keys or keyrings with KEY_FLAG_KEEP set should not be unlinked. 515 + * 533 516 * If successful, 0 will be returned. 534 517 */ 535 518 long keyctl_keyring_unlink(key_serial_t id, key_serial_t ringid) 536 519 { 537 520 key_ref_t keyring_ref, key_ref; 521 + struct key *keyring, *key; 538 522 long ret; 539 523 540 524 keyring_ref = lookup_user_key(ringid, 0, KEY_NEED_WRITE); ··· 552 530 goto error2; 553 531 } 554 532 555 - ret = key_unlink(key_ref_to_ptr(keyring_ref), key_ref_to_ptr(key_ref)); 533 + keyring = key_ref_to_ptr(keyring_ref); 534 + key = key_ref_to_ptr(key_ref); 535 + if (test_bit(KEY_FLAG_KEEP, &keyring->flags) && 536 + test_bit(KEY_FLAG_KEEP, &key->flags)) 537 + ret = -EPERM; 538 + else 539 + ret = key_unlink(keyring, key); 556 540 557 541 key_ref_put(key_ref); 558 542 error2: ··· 1317 1289 * the current time. The key and any links to the key will be automatically 1318 1290 * garbage collected after the timeout expires. 1319 1291 * 1292 + * Keys with KEY_FLAG_KEEP set should not be timed out. 1293 + * 1320 1294 * If successful, 0 is returned. 1321 1295 */ 1322 1296 long keyctl_set_timeout(key_serial_t id, unsigned timeout) ··· 1350 1320 1351 1321 okay: 1352 1322 key = key_ref_to_ptr(key_ref); 1353 - key_set_timeout(key, timeout); 1323 + ret = 0; 1324 + if (test_bit(KEY_FLAG_KEEP, &key->flags)) 1325 + ret = -EPERM; 1326 + else 1327 + key_set_timeout(key, timeout); 1354 1328 key_put(key); 1355 1329 1356 - ret = 0; 1357 1330 error: 1358 1331 return ret; 1359 1332 }

+55 -1

security/keys/trusted.c

··· 11 11 * See Documentation/security/keys-trusted-encrypted.txt 12 12 */ 13 13 14 + #include <crypto/hash_info.h> 14 15 #include <linux/uaccess.h> 15 16 #include <linux/module.h> 16 17 #include <linux/init.h> ··· 711 710 Opt_err = -1, 712 711 Opt_new, Opt_load, Opt_update, 713 712 Opt_keyhandle, Opt_keyauth, Opt_blobauth, 714 - Opt_pcrinfo, Opt_pcrlock, Opt_migratable 713 + Opt_pcrinfo, Opt_pcrlock, Opt_migratable, 714 + Opt_hash, 715 + Opt_policydigest, 716 + Opt_policyhandle, 715 717 }; 716 718 717 719 static const match_table_t key_tokens = { ··· 727 723 {Opt_pcrinfo, "pcrinfo=%s"}, 728 724 {Opt_pcrlock, "pcrlock=%s"}, 729 725 {Opt_migratable, "migratable=%s"}, 726 + {Opt_hash, "hash=%s"}, 727 + {Opt_policydigest, "policydigest=%s"}, 728 + {Opt_policyhandle, "policyhandle=%s"}, 730 729 {Opt_err, NULL} 731 730 }; 732 731 ··· 743 736 int res; 744 737 unsigned long handle; 745 738 unsigned long lock; 739 + unsigned long token_mask = 0; 740 + int i; 741 + int tpm2; 742 + 743 + tpm2 = tpm_is_tpm2(TPM_ANY_NUM); 744 + if (tpm2 < 0) 745 + return tpm2; 746 + 747 + opt->hash = tpm2 ? HASH_ALGO_SHA256 : HASH_ALGO_SHA1; 748 + opt->digest_len = hash_digest_size[opt->hash]; 746 749 747 750 while ((p = strsep(&c, " \t"))) { 748 751 if (*p == '\0' || *p == ' ' || *p == '\t') 749 752 continue; 750 753 token = match_token(p, key_tokens, args); 754 + if (test_and_set_bit(token, &token_mask)) 755 + return -EINVAL; 751 756 752 757 switch (token) { 753 758 case Opt_pcrinfo: ··· 805 786 if (res < 0) 806 787 return -EINVAL; 807 788 opt->pcrlock = lock; 789 + break; 790 + case Opt_hash: 791 + if (test_bit(Opt_policydigest, &token_mask)) 792 + return -EINVAL; 793 + for (i = 0; i < HASH_ALGO__LAST; i++) { 794 + if (!strcmp(args[0].from, hash_algo_name[i])) { 795 + opt->hash = i; 796 + opt->digest_len = 797 + hash_digest_size[opt->hash]; 798 + break; 799 + } 800 + } 801 + if (i == HASH_ALGO__LAST) 802 + return -EINVAL; 803 + if (!tpm2 && i != HASH_ALGO_SHA1) { 804 + pr_info("trusted_key: TPM 1.x only supports SHA-1.\n"); 805 + return -EINVAL; 806 + } 807 + break; 808 + case Opt_policydigest: 809 + if (!tpm2 || 810 + strlen(args[0].from) != (2 * opt->digest_len)) 811 + return -EINVAL; 812 + res = hex2bin(opt->policydigest, args[0].from, 813 + opt->digest_len); 814 + if (res < 0) 815 + return -EINVAL; 816 + break; 817 + case Opt_policyhandle: 818 + if (!tpm2) 819 + return -EINVAL; 820 + res = kstrtoul(args[0].from, 16, &handle); 821 + if (res < 0) 822 + return -EINVAL; 823 + opt->policyhandle = handle; 808 824 break; 809 825 default: 810 826 return -EINVAL;

+10 -2

security/security.c

··· 697 697 return call_int_hook(inode_killpriv, 0, dentry); 698 698 } 699 699 700 - int security_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc) 700 + int security_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc) 701 701 { 702 702 if (unlikely(IS_PRIVATE(inode))) 703 703 return -EOPNOTSUPP; ··· 721 721 } 722 722 EXPORT_SYMBOL(security_inode_listsecurity); 723 723 724 - void security_inode_getsecid(const struct inode *inode, u32 *secid) 724 + void security_inode_getsecid(struct inode *inode, u32 *secid) 725 725 { 726 726 call_void_hook(inode_getsecid, inode, secid); 727 727 } ··· 1160 1160 call_void_hook(release_secctx, secdata, seclen); 1161 1161 } 1162 1162 EXPORT_SYMBOL(security_release_secctx); 1163 + 1164 + void security_inode_invalidate_secctx(struct inode *inode) 1165 + { 1166 + call_void_hook(inode_invalidate_secctx, inode); 1167 + } 1168 + EXPORT_SYMBOL(security_inode_invalidate_secctx); 1163 1169 1164 1170 int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 1165 1171 { ··· 1769 1763 LIST_HEAD_INIT(security_hook_heads.secctx_to_secid), 1770 1764 .release_secctx = 1771 1765 LIST_HEAD_INIT(security_hook_heads.release_secctx), 1766 + .inode_invalidate_secctx = 1767 + LIST_HEAD_INIT(security_hook_heads.inode_invalidate_secctx), 1772 1768 .inode_notifysecctx = 1773 1769 LIST_HEAD_INIT(security_hook_heads.inode_notifysecctx), 1774 1770 .inode_setsecctx =

+139 -61

security/selinux/hooks.c

··· 242 242 return 0; 243 243 } 244 244 245 + static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); 246 + 247 + /* 248 + * Try reloading inode security labels that have been marked as invalid. The 249 + * @may_sleep parameter indicates when sleeping and thus reloading labels is 250 + * allowed; when set to false, returns ERR_PTR(-ECHILD) when the label is 251 + * invalid. The @opt_dentry parameter should be set to a dentry of the inode; 252 + * when no dentry is available, set it to NULL instead. 253 + */ 254 + static int __inode_security_revalidate(struct inode *inode, 255 + struct dentry *opt_dentry, 256 + bool may_sleep) 257 + { 258 + struct inode_security_struct *isec = inode->i_security; 259 + 260 + might_sleep_if(may_sleep); 261 + 262 + if (isec->initialized == LABEL_INVALID) { 263 + if (!may_sleep) 264 + return -ECHILD; 265 + 266 + /* 267 + * Try reloading the inode security label. This will fail if 268 + * @opt_dentry is NULL and no dentry for this inode can be 269 + * found; in that case, continue using the old label. 270 + */ 271 + inode_doinit_with_dentry(inode, opt_dentry); 272 + } 273 + return 0; 274 + } 275 + 276 + static struct inode_security_struct *inode_security_novalidate(struct inode *inode) 277 + { 278 + return inode->i_security; 279 + } 280 + 281 + static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu) 282 + { 283 + int error; 284 + 285 + error = __inode_security_revalidate(inode, NULL, !rcu); 286 + if (error) 287 + return ERR_PTR(error); 288 + return inode->i_security; 289 + } 290 + 291 + /* 292 + * Get the security label of an inode. 293 + */ 294 + static struct inode_security_struct *inode_security(struct inode *inode) 295 + { 296 + __inode_security_revalidate(inode, NULL, true); 297 + return inode->i_security; 298 + } 299 + 300 + /* 301 + * Get the security label of a dentry's backing inode. 302 + */ 303 + static struct inode_security_struct *backing_inode_security(struct dentry *dentry) 304 + { 305 + struct inode *inode = d_backing_inode(dentry); 306 + 307 + __inode_security_revalidate(inode, dentry, true); 308 + return inode->i_security; 309 + } 310 + 245 311 static void inode_free_rcu(struct rcu_head *head) 246 312 { 247 313 struct inode_security_struct *isec; ··· 410 344 "uses mountpoint labeling", 411 345 "uses native labeling", 412 346 }; 413 - 414 - static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); 415 347 416 348 static inline int inode_doinit(struct inode *inode) 417 349 { ··· 629 565 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT; 630 566 } 631 567 if (sbsec->flags & ROOTCONTEXT_MNT) { 632 - struct inode *root = d_backing_inode(sbsec->sb->s_root); 633 - struct inode_security_struct *isec = root->i_security; 568 + struct dentry *root = sbsec->sb->s_root; 569 + struct inode_security_struct *isec = backing_inode_security(root); 634 570 635 571 rc = security_sid_to_context(isec->sid, &context, &len); 636 572 if (rc) ··· 685 621 int rc = 0, i; 686 622 struct superblock_security_struct *sbsec = sb->s_security; 687 623 const char *name = sb->s_type->name; 688 - struct inode *inode = d_backing_inode(sbsec->sb->s_root); 689 - struct inode_security_struct *root_isec = inode->i_security; 624 + struct dentry *root = sbsec->sb->s_root; 625 + struct inode_security_struct *root_isec = backing_inode_security(root); 690 626 u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; 691 627 u32 defcontext_sid = 0; 692 628 char **mount_options = opts->mnt_opts; ··· 866 802 goto out; 867 803 868 804 root_isec->sid = rootcontext_sid; 869 - root_isec->initialized = 1; 805 + root_isec->initialized = LABEL_INITIALIZED; 870 806 } 871 807 872 808 if (defcontext_sid) { ··· 916 852 if ((oldflags & DEFCONTEXT_MNT) && old->def_sid != new->def_sid) 917 853 goto mismatch; 918 854 if (oldflags & ROOTCONTEXT_MNT) { 919 - struct inode_security_struct *oldroot = d_backing_inode(oldsb->s_root)->i_security; 920 - struct inode_security_struct *newroot = d_backing_inode(newsb->s_root)->i_security; 855 + struct inode_security_struct *oldroot = backing_inode_security(oldsb->s_root); 856 + struct inode_security_struct *newroot = backing_inode_security(newsb->s_root); 921 857 if (oldroot->sid != newroot->sid) 922 858 goto mismatch; 923 859 } ··· 967 903 if (!set_fscontext) 968 904 newsbsec->sid = sid; 969 905 if (!set_rootcontext) { 970 - struct inode *newinode = d_backing_inode(newsb->s_root); 971 - struct inode_security_struct *newisec = newinode->i_security; 906 + struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 972 907 newisec->sid = sid; 973 908 } 974 909 newsbsec->mntpoint_sid = sid; 975 910 } 976 911 if (set_rootcontext) { 977 - const struct inode *oldinode = d_backing_inode(oldsb->s_root); 978 - const struct inode_security_struct *oldisec = oldinode->i_security; 979 - struct inode *newinode = d_backing_inode(newsb->s_root); 980 - struct inode_security_struct *newisec = newinode->i_security; 912 + const struct inode_security_struct *oldisec = backing_inode_security(oldsb->s_root); 913 + struct inode_security_struct *newisec = backing_inode_security(newsb->s_root); 981 914 982 915 newisec->sid = oldisec->sid; 983 916 } ··· 1354 1293 unsigned len = 0; 1355 1294 int rc = 0; 1356 1295 1357 - if (isec->initialized) 1296 + if (isec->initialized == LABEL_INITIALIZED) 1358 1297 goto out; 1359 1298 1360 1299 mutex_lock(&isec->lock); 1361 - if (isec->initialized) 1300 + if (isec->initialized == LABEL_INITIALIZED) 1362 1301 goto out_unlock; 1363 1302 1364 1303 sbsec = inode->i_sb->s_security; ··· 1530 1469 break; 1531 1470 } 1532 1471 1533 - isec->initialized = 1; 1472 + isec->initialized = LABEL_INITIALIZED; 1534 1473 1535 1474 out_unlock: 1536 1475 mutex_unlock(&isec->lock); ··· 1701 1640 1702 1641 ad.type = LSM_AUDIT_DATA_DENTRY; 1703 1642 ad.u.dentry = dentry; 1643 + __inode_security_revalidate(inode, dentry, true); 1704 1644 return inode_has_perm(cred, inode, av, &ad); 1705 1645 } 1706 1646 ··· 1717 1655 1718 1656 ad.type = LSM_AUDIT_DATA_PATH; 1719 1657 ad.u.path = *path; 1658 + __inode_security_revalidate(inode, path->dentry, true); 1720 1659 return inode_has_perm(cred, inode, av, &ad); 1721 1660 } 1722 1661 ··· 1775 1712 /* 1776 1713 * Determine the label for an inode that might be unioned. 1777 1714 */ 1778 - static int selinux_determine_inode_label(const struct inode *dir, 1715 + static int selinux_determine_inode_label(struct inode *dir, 1779 1716 const struct qstr *name, 1780 1717 u16 tclass, 1781 1718 u32 *_new_isid) 1782 1719 { 1783 1720 const struct superblock_security_struct *sbsec = dir->i_sb->s_security; 1784 - const struct inode_security_struct *dsec = dir->i_security; 1721 + const struct inode_security_struct *dsec = inode_security(dir); 1785 1722 const struct task_security_struct *tsec = current_security(); 1786 1723 1787 1724 if ((sbsec->flags & SE_SBINITIALIZED) && ··· 1810 1747 struct common_audit_data ad; 1811 1748 int rc; 1812 1749 1813 - dsec = dir->i_security; 1750 + dsec = inode_security(dir); 1814 1751 sbsec = dir->i_sb->s_security; 1815 1752 1816 1753 sid = tsec->sid; ··· 1863 1800 u32 av; 1864 1801 int rc; 1865 1802 1866 - dsec = dir->i_security; 1867 - isec = d_backing_inode(dentry)->i_security; 1803 + dsec = inode_security(dir); 1804 + isec = backing_inode_security(dentry); 1868 1805 1869 1806 ad.type = LSM_AUDIT_DATA_DENTRY; 1870 1807 ad.u.dentry = dentry; ··· 1907 1844 int old_is_dir, new_is_dir; 1908 1845 int rc; 1909 1846 1910 - old_dsec = old_dir->i_security; 1911 - old_isec = d_backing_inode(old_dentry)->i_security; 1847 + old_dsec = inode_security(old_dir); 1848 + old_isec = backing_inode_security(old_dentry); 1912 1849 old_is_dir = d_is_dir(old_dentry); 1913 - new_dsec = new_dir->i_security; 1850 + new_dsec = inode_security(new_dir); 1914 1851 1915 1852 ad.type = LSM_AUDIT_DATA_DENTRY; 1916 1853 ··· 1938 1875 if (rc) 1939 1876 return rc; 1940 1877 if (d_is_positive(new_dentry)) { 1941 - new_isec = d_backing_inode(new_dentry)->i_security; 1878 + new_isec = backing_inode_security(new_dentry); 1942 1879 new_is_dir = d_is_dir(new_dentry); 1943 1880 rc = avc_has_perm(sid, new_isec->sid, 1944 1881 new_isec->sclass, ··· 2074 2011 { 2075 2012 u32 sid = task_sid(to); 2076 2013 struct file_security_struct *fsec = file->f_security; 2077 - struct inode *inode = d_backing_inode(file->f_path.dentry); 2078 - struct inode_security_struct *isec = inode->i_security; 2014 + struct dentry *dentry = file->f_path.dentry; 2015 + struct inode_security_struct *isec = backing_inode_security(dentry); 2079 2016 struct common_audit_data ad; 2080 2017 int rc; 2081 2018 ··· 2091 2028 return rc; 2092 2029 } 2093 2030 2094 - if (unlikely(IS_PRIVATE(inode))) 2031 + if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) 2095 2032 return 0; 2096 2033 2097 2034 return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file), ··· 2280 2217 2281 2218 old_tsec = current_security(); 2282 2219 new_tsec = bprm->cred->security; 2283 - isec = inode->i_security; 2220 + isec = inode_security(inode); 2284 2221 2285 2222 /* Default to the current task SID. */ 2286 2223 new_tsec->sid = old_tsec->sid; ··· 2702 2639 break; 2703 2640 case ROOTCONTEXT_MNT: { 2704 2641 struct inode_security_struct *root_isec; 2705 - root_isec = d_backing_inode(sb->s_root)->i_security; 2642 + root_isec = backing_inode_security(sb->s_root); 2706 2643 2707 2644 if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid)) 2708 2645 goto out_bad_option; ··· 2816 2753 void **value, size_t *len) 2817 2754 { 2818 2755 const struct task_security_struct *tsec = current_security(); 2819 - struct inode_security_struct *dsec; 2820 2756 struct superblock_security_struct *sbsec; 2821 2757 u32 sid, newsid, clen; 2822 2758 int rc; 2823 2759 char *context; 2824 2760 2825 - dsec = dir->i_security; 2826 2761 sbsec = dir->i_sb->s_security; 2827 2762 2828 2763 sid = tsec->sid; ··· 2838 2777 struct inode_security_struct *isec = inode->i_security; 2839 2778 isec->sclass = inode_mode_to_security_class(inode->i_mode); 2840 2779 isec->sid = newsid; 2841 - isec->initialized = 1; 2780 + isec->initialized = LABEL_INITIALIZED; 2842 2781 } 2843 2782 2844 2783 if (!ss_initialized || !(sbsec->flags & SBLABEL_MNT)) ··· 2919 2858 ad.type = LSM_AUDIT_DATA_DENTRY; 2920 2859 ad.u.dentry = dentry; 2921 2860 sid = cred_sid(cred); 2922 - isec = inode->i_security; 2861 + isec = inode_security_rcu(inode, rcu); 2862 + if (IS_ERR(isec)) 2863 + return PTR_ERR(isec); 2923 2864 2924 2865 return avc_has_perm_flags(sid, isec->sid, isec->sclass, FILE__READ, &ad, 2925 2866 rcu ? MAY_NOT_BLOCK : 0); ··· 2973 2910 perms = file_mask_to_av(inode->i_mode, mask); 2974 2911 2975 2912 sid = cred_sid(cred); 2976 - isec = inode->i_security; 2913 + isec = inode_security_rcu(inode, flags & MAY_NOT_BLOCK); 2914 + if (IS_ERR(isec)) 2915 + return PTR_ERR(isec); 2977 2916 2978 2917 rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd); 2979 2918 audited = avc_audit_required(perms, &avd, rc, ··· 3045 2980 const void *value, size_t size, int flags) 3046 2981 { 3047 2982 struct inode *inode = d_backing_inode(dentry); 3048 - struct inode_security_struct *isec = inode->i_security; 2983 + struct inode_security_struct *isec = backing_inode_security(dentry); 3049 2984 struct superblock_security_struct *sbsec; 3050 2985 struct common_audit_data ad; 3051 2986 u32 newsid, sid = current_sid(); ··· 3122 3057 int flags) 3123 3058 { 3124 3059 struct inode *inode = d_backing_inode(dentry); 3125 - struct inode_security_struct *isec = inode->i_security; 3060 + struct inode_security_struct *isec = backing_inode_security(dentry); 3126 3061 u32 newsid; 3127 3062 int rc; 3128 3063 ··· 3141 3076 3142 3077 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3143 3078 isec->sid = newsid; 3144 - isec->initialized = 1; 3079 + isec->initialized = LABEL_INITIALIZED; 3145 3080 3146 3081 return; 3147 3082 } ··· 3175 3110 * 3176 3111 * Permission check is handled by selinux_inode_getxattr hook. 3177 3112 */ 3178 - static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc) 3113 + static int selinux_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc) 3179 3114 { 3180 3115 u32 size; 3181 3116 int error; 3182 3117 char *context = NULL; 3183 - struct inode_security_struct *isec = inode->i_security; 3118 + struct inode_security_struct *isec = inode_security(inode); 3184 3119 3185 3120 if (strcmp(name, XATTR_SELINUX_SUFFIX)) 3186 3121 return -EOPNOTSUPP; ··· 3219 3154 static int selinux_inode_setsecurity(struct inode *inode, const char *name, 3220 3155 const void *value, size_t size, int flags) 3221 3156 { 3222 - struct inode_security_struct *isec = inode->i_security; 3157 + struct inode_security_struct *isec = inode_security(inode); 3223 3158 u32 newsid; 3224 3159 int rc; 3225 3160 ··· 3235 3170 3236 3171 isec->sclass = inode_mode_to_security_class(inode->i_mode); 3237 3172 isec->sid = newsid; 3238 - isec->initialized = 1; 3173 + isec->initialized = LABEL_INITIALIZED; 3239 3174 return 0; 3240 3175 } 3241 3176 ··· 3247 3182 return len; 3248 3183 } 3249 3184 3250 - static void selinux_inode_getsecid(const struct inode *inode, u32 *secid) 3185 + static void selinux_inode_getsecid(struct inode *inode, u32 *secid) 3251 3186 { 3252 - struct inode_security_struct *isec = inode->i_security; 3187 + struct inode_security_struct *isec = inode_security(inode); 3253 3188 *secid = isec->sid; 3254 3189 } 3255 3190 ··· 3272 3207 { 3273 3208 struct inode *inode = file_inode(file); 3274 3209 struct file_security_struct *fsec = file->f_security; 3275 - struct inode_security_struct *isec = inode->i_security; 3210 + struct inode_security_struct *isec; 3276 3211 u32 sid = current_sid(); 3277 3212 3278 3213 if (!mask) 3279 3214 /* No permission to check. Existence test. */ 3280 3215 return 0; 3281 3216 3217 + isec = inode_security(inode); 3282 3218 if (sid == fsec->sid && fsec->isid == isec->sid && 3283 3219 fsec->pseqno == avc_policy_seqno()) 3284 3220 /* No change since file_open check. */ ··· 3308 3242 struct common_audit_data ad; 3309 3243 struct file_security_struct *fsec = file->f_security; 3310 3244 struct inode *inode = file_inode(file); 3311 - struct inode_security_struct *isec = inode->i_security; 3245 + struct inode_security_struct *isec = inode_security(inode); 3312 3246 struct lsm_ioctlop_audit ioctl; 3313 3247 u32 ssid = cred_sid(cred); 3314 3248 int rc; ··· 3572 3506 struct inode_security_struct *isec; 3573 3507 3574 3508 fsec = file->f_security; 3575 - isec = file_inode(file)->i_security; 3509 + isec = inode_security(file_inode(file)); 3576 3510 /* 3577 3511 * Save inode label and policy sequence number 3578 3512 * at open-time so that selinux_file_permission ··· 3690 3624 */ 3691 3625 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) 3692 3626 { 3693 - struct inode_security_struct *isec = inode->i_security; 3627 + struct inode_security_struct *isec = inode_security(inode); 3694 3628 struct task_security_struct *tsec = new->security; 3695 3629 u32 sid = current_sid(); 3696 3630 int ret; ··· 3814 3748 u32 sid = task_sid(p); 3815 3749 3816 3750 isec->sid = sid; 3817 - isec->initialized = 1; 3751 + isec->initialized = LABEL_INITIALIZED; 3818 3752 } 3819 3753 3820 3754 /* Returns error only if unable to parse addresses */ ··· 4131 4065 int type, int protocol, int kern) 4132 4066 { 4133 4067 const struct task_security_struct *tsec = current_security(); 4134 - struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; 4068 + struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock)); 4135 4069 struct sk_security_struct *sksec; 4136 4070 int err = 0; 4137 4071 ··· 4145 4079 return err; 4146 4080 } 4147 4081 4148 - isec->initialized = 1; 4082 + isec->initialized = LABEL_INITIALIZED; 4149 4083 4150 4084 if (sock->sk) { 4151 4085 sksec = sock->sk->sk_security; ··· 4331 4265 if (err) 4332 4266 return err; 4333 4267 4334 - newisec = SOCK_INODE(newsock)->i_security; 4268 + newisec = inode_security_novalidate(SOCK_INODE(newsock)); 4335 4269 4336 - isec = SOCK_INODE(sock)->i_security; 4270 + isec = inode_security_novalidate(SOCK_INODE(sock)); 4337 4271 newisec->sclass = isec->sclass; 4338 4272 newisec->sid = isec->sid; 4339 - newisec->initialized = 1; 4273 + newisec->initialized = LABEL_INITIALIZED; 4340 4274 4341 4275 return 0; 4342 4276 } ··· 4671 4605 4672 4606 static void selinux_sock_graft(struct sock *sk, struct socket *parent) 4673 4607 { 4674 - struct inode_security_struct *isec = SOCK_INODE(parent)->i_security; 4608 + struct inode_security_struct *isec = 4609 + inode_security_novalidate(SOCK_INODE(parent)); 4675 4610 struct sk_security_struct *sksec = sk->sk_security; 4676 4611 4677 4612 if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || ··· 4852 4785 err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm); 4853 4786 if (err) { 4854 4787 if (err == -EINVAL) { 4855 - printk(KERN_WARNING 4856 - "SELinux: unrecognized netlink message:" 4857 - " protocol=%hu nlmsg_type=%hu sclass=%s\n", 4788 + pr_warn_ratelimited("SELinux: unrecognized netlink" 4789 + " message: protocol=%hu nlmsg_type=%hu sclass=%s" 4790 + " pig=%d comm=%s\n", 4858 4791 sk->sk_protocol, nlh->nlmsg_type, 4859 - secclass_map[sksec->sclass - 1].name); 4792 + secclass_map[sksec->sclass - 1].name, 4793 + task_pid_nr(current), current->comm); 4860 4794 if (!selinux_enforcing || security_get_allow_unknown()) 4861 4795 err = 0; 4862 4796 } ··· 5830 5762 kfree(secdata); 5831 5763 } 5832 5764 5765 + static void selinux_inode_invalidate_secctx(struct inode *inode) 5766 + { 5767 + struct inode_security_struct *isec = inode->i_security; 5768 + 5769 + mutex_lock(&isec->lock); 5770 + isec->initialized = LABEL_INVALID; 5771 + mutex_unlock(&isec->lock); 5772 + } 5773 + 5833 5774 /* 5834 5775 * called with inode->i_mutex locked 5835 5776 */ ··· 6070 5993 LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx), 6071 5994 LSM_HOOK_INIT(secctx_to_secid, selinux_secctx_to_secid), 6072 5995 LSM_HOOK_INIT(release_secctx, selinux_release_secctx), 5996 + LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx), 6073 5997 LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx), 6074 5998 LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx), 6075 5999 LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx),

+1 -1

security/selinux/include/classmap.h

··· 21 21 { "compute_av", "compute_create", "compute_member", 22 22 "check_context", "load_policy", "compute_relabel", 23 23 "compute_user", "setenforce", "setbool", "setsecparam", 24 - "setcheckreqprot", "read_policy", NULL } }, 24 + "setcheckreqprot", "read_policy", "validate_trans", NULL } }, 25 25 { "process", 26 26 { "fork", "transition", "sigchld", "sigkill", 27 27 "sigstop", "signull", "signal", "ptrace", "getsched", "setsched",

+6

security/selinux/include/objsec.h

··· 37 37 u32 sockcreate_sid; /* fscreate SID */ 38 38 }; 39 39 40 + enum label_initialized { 41 + LABEL_MISSING, /* not initialized */ 42 + LABEL_INITIALIZED, /* inizialized */ 43 + LABEL_INVALID /* invalid */ 44 + }; 45 + 40 46 struct inode_security_struct { 41 47 struct inode *inode; /* back pointer to inode object */ 42 48 union {

+3

security/selinux/include/security.h

··· 187 187 int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, 188 188 u16 tclass); 189 189 190 + int security_validate_transition_user(u32 oldsid, u32 newsid, u32 tasksid, 191 + u16 tclass); 192 + 190 193 int security_bounded_transition(u32 oldsid, u32 newsid); 191 194 192 195 int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid);

+80

security/selinux/selinuxfs.c

··· 116 116 SEL_DENY_UNKNOWN, /* export unknown deny handling to userspace */ 117 117 SEL_STATUS, /* export current status using mmap() */ 118 118 SEL_POLICY, /* allow userspace to read the in kernel policy */ 119 + SEL_VALIDATE_TRANS, /* compute validatetrans decision */ 119 120 SEL_INO_NEXT, /* The next inode number to use */ 120 121 }; 121 122 ··· 630 629 static const struct file_operations sel_checkreqprot_ops = { 631 630 .read = sel_read_checkreqprot, 632 631 .write = sel_write_checkreqprot, 632 + .llseek = generic_file_llseek, 633 + }; 634 + 635 + static ssize_t sel_write_validatetrans(struct file *file, 636 + const char __user *buf, 637 + size_t count, loff_t *ppos) 638 + { 639 + char *oldcon = NULL, *newcon = NULL, *taskcon = NULL; 640 + char *req = NULL; 641 + u32 osid, nsid, tsid; 642 + u16 tclass; 643 + int rc; 644 + 645 + rc = task_has_security(current, SECURITY__VALIDATE_TRANS); 646 + if (rc) 647 + goto out; 648 + 649 + rc = -ENOMEM; 650 + if (count >= PAGE_SIZE) 651 + goto out; 652 + 653 + /* No partial writes. */ 654 + rc = -EINVAL; 655 + if (*ppos != 0) 656 + goto out; 657 + 658 + rc = -ENOMEM; 659 + req = kzalloc(count + 1, GFP_KERNEL); 660 + if (!req) 661 + goto out; 662 + 663 + rc = -EFAULT; 664 + if (copy_from_user(req, buf, count)) 665 + goto out; 666 + 667 + rc = -ENOMEM; 668 + oldcon = kzalloc(count + 1, GFP_KERNEL); 669 + if (!oldcon) 670 + goto out; 671 + 672 + newcon = kzalloc(count + 1, GFP_KERNEL); 673 + if (!newcon) 674 + goto out; 675 + 676 + taskcon = kzalloc(count + 1, GFP_KERNEL); 677 + if (!taskcon) 678 + goto out; 679 + 680 + rc = -EINVAL; 681 + if (sscanf(req, "%s %s %hu %s", oldcon, newcon, &tclass, taskcon) != 4) 682 + goto out; 683 + 684 + rc = security_context_str_to_sid(oldcon, &osid, GFP_KERNEL); 685 + if (rc) 686 + goto out; 687 + 688 + rc = security_context_str_to_sid(newcon, &nsid, GFP_KERNEL); 689 + if (rc) 690 + goto out; 691 + 692 + rc = security_context_str_to_sid(taskcon, &tsid, GFP_KERNEL); 693 + if (rc) 694 + goto out; 695 + 696 + rc = security_validate_transition_user(osid, nsid, tsid, tclass); 697 + if (!rc) 698 + rc = count; 699 + out: 700 + kfree(req); 701 + kfree(oldcon); 702 + kfree(newcon); 703 + kfree(taskcon); 704 + return rc; 705 + } 706 + 707 + static const struct file_operations sel_transition_ops = { 708 + .write = sel_write_validatetrans, 633 709 .llseek = generic_file_llseek, 634 710 }; 635 711 ··· 1805 1727 [SEL_DENY_UNKNOWN] = {"deny_unknown", &sel_handle_unknown_ops, S_IRUGO}, 1806 1728 [SEL_STATUS] = {"status", &sel_handle_status_ops, S_IRUGO}, 1807 1729 [SEL_POLICY] = {"policy", &sel_policy_ops, S_IRUGO}, 1730 + [SEL_VALIDATE_TRANS] = {"validatetrans", &sel_transition_ops, 1731 + S_IWUGO}, 1808 1732 /* last one */ {""} 1809 1733 }; 1810 1734 ret = simple_fill_super(sb, SELINUX_MAGIC, selinux_files);

+27 -7

security/selinux/ss/services.c

··· 778 778 return -EPERM; 779 779 } 780 780 781 - int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, 782 - u16 orig_tclass) 781 + static int security_compute_validatetrans(u32 oldsid, u32 newsid, u32 tasksid, 782 + u16 orig_tclass, bool user) 783 783 { 784 784 struct context *ocontext; 785 785 struct context *ncontext; ··· 794 794 795 795 read_lock(&policy_rwlock); 796 796 797 - tclass = unmap_class(orig_tclass); 797 + if (!user) 798 + tclass = unmap_class(orig_tclass); 799 + else 800 + tclass = orig_tclass; 798 801 799 802 if (!tclass || tclass > policydb.p_classes.nprim) { 800 - printk(KERN_ERR "SELinux: %s: unrecognized class %d\n", 801 - __func__, tclass); 802 803 rc = -EINVAL; 803 804 goto out; 804 805 } ··· 833 832 while (constraint) { 834 833 if (!constraint_expr_eval(ocontext, ncontext, tcontext, 835 834 constraint->expr)) { 836 - rc = security_validtrans_handle_fail(ocontext, ncontext, 837 - tcontext, tclass); 835 + if (user) 836 + rc = -EPERM; 837 + else 838 + rc = security_validtrans_handle_fail(ocontext, 839 + ncontext, 840 + tcontext, 841 + tclass); 838 842 goto out; 839 843 } 840 844 constraint = constraint->next; ··· 848 842 out: 849 843 read_unlock(&policy_rwlock); 850 844 return rc; 845 + } 846 + 847 + int security_validate_transition_user(u32 oldsid, u32 newsid, u32 tasksid, 848 + u16 tclass) 849 + { 850 + return security_compute_validatetrans(oldsid, newsid, tasksid, 851 + tclass, true); 852 + } 853 + 854 + int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, 855 + u16 orig_tclass) 856 + { 857 + return security_compute_validatetrans(oldsid, newsid, tasksid, 858 + orig_tclass, false); 851 859 } 852 860 853 861 /*

+25 -3

security/smack/smack_lsm.c

··· 1465 1465 * 1466 1466 * Returns the size of the attribute or an error code 1467 1467 */ 1468 - static int smack_inode_getsecurity(const struct inode *inode, 1468 + static int smack_inode_getsecurity(struct inode *inode, 1469 1469 const char *name, void **buffer, 1470 1470 bool alloc) 1471 1471 { ··· 1536 1536 * @inode: inode to extract the info from 1537 1537 * @secid: where result will be saved 1538 1538 */ 1539 - static void smack_inode_getsecid(const struct inode *inode, u32 *secid) 1539 + static void smack_inode_getsecid(struct inode *inode, u32 *secid) 1540 1540 { 1541 1541 struct inode_smack *isp = inode->i_security; 1542 1542 ··· 1858 1858 int may = 0; 1859 1859 struct smk_audit_info ad; 1860 1860 struct inode *inode = file_inode(file); 1861 + struct socket *sock; 1862 + struct task_smack *tsp; 1863 + struct socket_smack *ssp; 1861 1864 1862 1865 if (unlikely(IS_PRIVATE(inode))) 1863 1866 return 0; 1864 1867 1865 1868 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1866 1869 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1870 + 1871 + if (S_ISSOCK(inode->i_mode)) { 1872 + sock = SOCKET_I(inode); 1873 + ssp = sock->sk->sk_security; 1874 + tsp = current_security(); 1875 + /* 1876 + * If the receiving process can't write to the 1877 + * passed socket or if the passed socket can't 1878 + * write to the receiving process don't accept 1879 + * the passed socket. 1880 + */ 1881 + rc = smk_access(tsp->smk_task, ssp->smk_out, MAY_WRITE, &ad); 1882 + rc = smk_bu_file(file, may, rc); 1883 + if (rc < 0) 1884 + return rc; 1885 + rc = smk_access(ssp->smk_in, tsp->smk_task, MAY_WRITE, &ad); 1886 + rc = smk_bu_file(file, may, rc); 1887 + return rc; 1888 + } 1867 1889 /* 1868 1890 * This code relies on bitmasks. 1869 1891 */ ··· 3778 3756 if (sip == NULL) 3779 3757 return 0; 3780 3758 3781 - switch (sip->sin_family) { 3759 + switch (sock->sk->sk_family) { 3782 3760 case AF_INET: 3783 3761 rc = smack_netlabel_send(sock->sk, sip); 3784 3762 break;