tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

Merge branch 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity

Pull integrity updates from Mimi Zohar:
"Bug fixes, code clean up, and new features:

- IMA policy rules can be defined in terms of LSM labels, making the
IMA policy dependent on LSM policy label changes, in particular LSM
label deletions. The new environment, in which IMA-appraisal is
being used, frequently updates the LSM policy and permits LSM label
deletions.

- Prevent an mmap'ed shared file opened for write from also being
mmap'ed execute. In the long term, making this and other similar
changes at the VFS layer would be preferable.

- The IMA per policy rule template format support is needed for a
couple of new/proposed features (eg. kexec boot command line
measurement, appended signatures, and VFS provided file hashes).

- Other than the "boot-aggregate" record in the IMA measuremeent
list, all other measurements are of file data. Measuring and
storing the kexec boot command line in the IMA measurement list is
the first buffer based measurement included in the measurement
list"

* 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
integrity: Introduce struct evm_xattr
ima: Update MAX_TEMPLATE_NAME_LEN to fit largest reasonable definition
KEXEC: Call ima_kexec_cmdline to measure the boot command line args
IMA: Define a new template field buf
IMA: Define a new hook to measure the kexec boot command line arguments
IMA: support for per policy rule template formats
integrity: Fix __integrity_init_keyring() section mismatch
ima: Use designated initializers for struct ima_event_data
ima: use the lsm policy update notifier
LSM: switch to blocking policy update notifiers
x86/ima: fix the Kconfig dependency for IMA_ARCH_POLICY
ima: Make arch_policy_entry static
ima: prevent a file already mmap'ed write to be mmap'ed execute
x86/ima: check EFI SetupMode too

Linus Torvalds 8b681508 0f75ef6a

+413 -98
+4 -2
Documentation/ABI/testing/ima_policy
··· 24 24 [euid=] [fowner=] [fsname=]] 25 25 lsm: [[subj_user=] [subj_role=] [subj_type=] 26 26 [obj_user=] [obj_role=] [obj_type=]] 27 - option: [[appraise_type=]] [permit_directio] 28 - 27 + option: [[appraise_type=]] [template=] [permit_directio] 29 28 base: func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK] 30 29 [FIRMWARE_CHECK] 31 30 [KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK] 31 + [KEXEC_CMDLINE] 32 32 mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND] 33 33 [[^]MAY_EXEC] 34 34 fsmagic:= hex value ··· 38 38 fowner:= decimal value 39 39 lsm: are LSM specific 40 40 option: appraise_type:= [imasig] 41 + template:= name of a defined IMA template type 42 + (eg, ima-ng). Only valid when action is "measure". 41 43 pcr:= decimal value 42 44 43 45 default policy:
+4 -3
Documentation/security/IMA-templates.rst
··· 69 69 algorithm (field format: [<hash algo>:]digest, where the digest 70 70 prefix is shown only if the hash algorithm is not SHA1 or MD5); 71 71 - 'n-ng': the name of the event, without size limitations; 72 - - 'sig': the file signature. 72 + - 'sig': the file signature; 73 + - 'buf': the buffer data that was used to generate the hash without size limitations; 73 74 74 75 75 76 Below, there is the list of defined template descriptors: 76 77 77 78 - "ima": its format is ``d|n``; 78 79 - "ima-ng" (default): its format is ``d-ng|n-ng``; 79 - - "ima-sig": its format is ``d-ng|n-ng|sig``. 80 - 80 + - "ima-sig": its format is ``d-ng|n-ng|sig``; 81 + - "ima-buf": its format is ``d-ng|n-ng|buf``; 81 82 82 83 83 84 Use
+10 -2
arch/x86/kernel/ima_arch.c
··· 11 11 static enum efi_secureboot_mode get_sb_mode(void) 12 12 { 13 13 efi_char16_t efi_SecureBoot_name[] = L"SecureBoot"; 14 + efi_char16_t efi_SetupMode_name[] = L"SecureBoot"; 14 15 efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID; 15 16 efi_status_t status; 16 17 unsigned long size; 17 - u8 secboot; 18 + u8 secboot, setupmode; 18 19 19 20 size = sizeof(secboot); 20 21 ··· 37 36 return efi_secureboot_mode_unknown; 38 37 } 39 38 40 - if (secboot == 0) { 39 + size = sizeof(setupmode); 40 + status = efi.get_variable(efi_SetupMode_name, &efi_variable_guid, 41 + NULL, &size, &setupmode); 42 + 43 + if (status != EFI_SUCCESS) /* ignore unknown SetupMode */ 44 + setupmode = 0; 45 + 46 + if (secboot == 0 || setupmode == 1) { 41 47 pr_info("ima: secureboot mode disabled\n"); 42 48 return efi_secureboot_mode_disabled; 43 49 }
+3 -3
drivers/infiniband/core/device.c
··· 2520 2520 goto err_mad; 2521 2521 } 2522 2522 2523 - ret = register_lsm_notifier(&ibdev_lsm_nb); 2523 + ret = register_blocking_lsm_notifier(&ibdev_lsm_nb); 2524 2524 if (ret) { 2525 2525 pr_warn("Couldn't register LSM notifier. ret %d\n", ret); 2526 2526 goto err_sa; ··· 2539 2539 return 0; 2540 2540 2541 2541 err_compat: 2542 - unregister_lsm_notifier(&ibdev_lsm_nb); 2542 + unregister_blocking_lsm_notifier(&ibdev_lsm_nb); 2543 2543 err_sa: 2544 2544 ib_sa_cleanup(); 2545 2545 err_mad: ··· 2565 2565 nldev_exit(); 2566 2566 rdma_nl_unregister(RDMA_NL_LS); 2567 2567 unregister_pernet_device(&rdma_dev_net_ops); 2568 - unregister_lsm_notifier(&ibdev_lsm_nb); 2568 + unregister_blocking_lsm_notifier(&ibdev_lsm_nb); 2569 2569 ib_sa_cleanup(); 2570 2570 ib_mad_cleanup(); 2571 2571 addr_cleanup();
+2
include/linux/ima.h
··· 23 23 extern int ima_post_read_file(struct file *file, void *buf, loff_t size, 24 24 enum kernel_read_file_id id); 25 25 extern void ima_post_path_mknod(struct dentry *dentry); 26 + extern void ima_kexec_cmdline(const void *buf, int size); 26 27 27 28 #ifdef CONFIG_IMA_KEXEC 28 29 extern void ima_add_kexec_buffer(struct kimage *image); ··· 90 89 return; 91 90 } 92 91 92 + static inline void ima_kexec_cmdline(const void *buf, int size) {} 93 93 #endif /* CONFIG_IMA */ 94 94 95 95 #ifndef CONFIG_IMA_KEXEC
+6 -6
include/linux/security.h
··· 189 189 190 190 #ifdef CONFIG_SECURITY 191 191 192 - int call_lsm_notifier(enum lsm_event event, void *data); 193 - int register_lsm_notifier(struct notifier_block *nb); 194 - int unregister_lsm_notifier(struct notifier_block *nb); 192 + int call_blocking_lsm_notifier(enum lsm_event event, void *data); 193 + int register_blocking_lsm_notifier(struct notifier_block *nb); 194 + int unregister_blocking_lsm_notifier(struct notifier_block *nb); 195 195 196 196 /* prototypes */ 197 197 extern int security_init(void); ··· 394 394 int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen); 395 395 #else /* CONFIG_SECURITY */ 396 396 397 - static inline int call_lsm_notifier(enum lsm_event event, void *data) 397 + static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data) 398 398 { 399 399 return 0; 400 400 } 401 401 402 - static inline int register_lsm_notifier(struct notifier_block *nb) 402 + static inline int register_blocking_lsm_notifier(struct notifier_block *nb) 403 403 { 404 404 return 0; 405 405 } 406 406 407 - static inline int unregister_lsm_notifier(struct notifier_block *nb) 407 + static inline int unregister_blocking_lsm_notifier(struct notifier_block *nb) 408 408 { 409 409 return 0; 410 410 }
+6 -3
kernel/kexec_file.c
··· 196 196 return ret; 197 197 image->kernel_buf_len = size; 198 198 199 - /* IMA needs to pass the measurement list to the next kernel. */ 200 - ima_add_kexec_buffer(image); 201 - 202 199 /* Call arch image probe handlers */ 203 200 ret = arch_kexec_kernel_image_probe(image, image->kernel_buf, 204 201 image->kernel_buf_len); ··· 236 239 ret = -EINVAL; 237 240 goto out; 238 241 } 242 + 243 + ima_kexec_cmdline(image->cmdline_buf, 244 + image->cmdline_buf_len - 1); 239 245 } 246 + 247 + /* IMA needs to pass the measurement list to the next kernel. */ 248 + ima_add_kexec_buffer(image); 240 249 241 250 /* Call arch image load handlers */ 242 251 ldata = arch_kexec_kernel_image_load(image);
+3 -2
security/integrity/digsig.c
··· 70 70 return -EOPNOTSUPP; 71 71 } 72 72 73 - static int __integrity_init_keyring(const unsigned int id, struct key_acl *acl, 74 - struct key_restriction *restriction) 73 + static int __init __integrity_init_keyring(const unsigned int id, 74 + struct key_acl *acl, 75 + struct key_restriction *restriction) 75 76 { 76 77 const struct cred *cred = current_cred(); 77 78 int err = 0;
+4 -4
security/integrity/evm/evm_main.c
··· 166 166 /* check value type */ 167 167 switch (xattr_data->type) { 168 168 case EVM_XATTR_HMAC: 169 - if (xattr_len != sizeof(struct evm_ima_xattr_data)) { 169 + if (xattr_len != sizeof(struct evm_xattr)) { 170 170 evm_status = INTEGRITY_FAIL; 171 171 goto out; 172 172 } ··· 176 176 xattr_value_len, &digest); 177 177 if (rc) 178 178 break; 179 - rc = crypto_memneq(xattr_data->digest, digest.digest, 179 + rc = crypto_memneq(xattr_data->data, digest.digest, 180 180 SHA1_DIGEST_SIZE); 181 181 if (rc) 182 182 rc = -EINVAL; ··· 520 520 const struct xattr *lsm_xattr, 521 521 struct xattr *evm_xattr) 522 522 { 523 - struct evm_ima_xattr_data *xattr_data; 523 + struct evm_xattr *xattr_data; 524 524 int rc; 525 525 526 526 if (!evm_key_loaded() || !evm_protected_xattr(lsm_xattr->name)) ··· 530 530 if (!xattr_data) 531 531 return -ENOMEM; 532 532 533 - xattr_data->type = EVM_XATTR_HMAC; 533 + xattr_data->data.type = EVM_XATTR_HMAC; 534 534 rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest); 535 535 if (rc < 0) 536 536 goto out;
+2 -1
security/integrity/ima/Kconfig
··· 160 160 161 161 config IMA_ARCH_POLICY 162 162 bool "Enable loading an IMA architecture specific policy" 163 - depends on KEXEC_VERIFY_SIG || IMA_APPRAISE && INTEGRITY_ASYMMETRIC_KEYS 163 + depends on (KEXEC_VERIFY_SIG && IMA) || IMA_APPRAISE \ 164 + && INTEGRITY_ASYMMETRIC_KEYS 164 165 default n 165 166 help 166 167 This option enables loading an IMA architecture specific policy
+17 -4
security/integrity/ima/ima.h
··· 61 61 struct evm_ima_xattr_data *xattr_value; 62 62 int xattr_len; 63 63 const char *violation; 64 + const void *buf; 65 + int buf_len; 64 66 }; 65 67 66 68 /* IMA template field data definition */ ··· 144 142 int ima_init_crypto(void); 145 143 void ima_putc(struct seq_file *m, void *data, int datalen); 146 144 void ima_print_digest(struct seq_file *m, u8 *digest, u32 size); 145 + int template_desc_init_fields(const char *template_fmt, 146 + const struct ima_template_field ***fields, 147 + int *num_fields); 147 148 struct ima_template_desc *ima_template_desc_current(void); 149 + struct ima_template_desc *lookup_template_desc(const char *name); 148 150 int ima_restore_measurement_entry(struct ima_template_entry *entry); 149 151 int ima_restore_measurement_list(loff_t bufsize, void *buf); 150 152 int ima_measurements_show(struct seq_file *m, void *v); ··· 156 150 int ima_init_template(void); 157 151 void ima_init_template_list(void); 158 152 int __init ima_init_digests(void); 153 + int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event, 154 + void *lsm_data); 159 155 160 156 /* 161 157 * used to protect h_table and sha_table ··· 188 180 hook(KEXEC_KERNEL_CHECK) \ 189 181 hook(KEXEC_INITRAMFS_CHECK) \ 190 182 hook(POLICY_CHECK) \ 183 + hook(KEXEC_CMDLINE) \ 191 184 hook(MAX_CHECK) 192 185 #define __ima_hook_enumify(ENUM) ENUM, 193 186 ··· 198 189 199 190 /* LIM API function definitions */ 200 191 int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid, 201 - int mask, enum ima_hooks func, int *pcr); 192 + int mask, enum ima_hooks func, int *pcr, 193 + struct ima_template_desc **template_desc); 202 194 int ima_must_measure(struct inode *inode, int mask, enum ima_hooks func); 203 195 int ima_collect_measurement(struct integrity_iint_cache *iint, 204 196 struct file *file, void *buf, loff_t size, ··· 207 197 void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file, 208 198 const unsigned char *filename, 209 199 struct evm_ima_xattr_data *xattr_value, 210 - int xattr_len, int pcr); 200 + int xattr_len, int pcr, 201 + struct ima_template_desc *template_desc); 211 202 void ima_audit_measurement(struct integrity_iint_cache *iint, 212 203 const unsigned char *filename); 213 204 int ima_alloc_init_template(struct ima_event_data *event_data, 214 - struct ima_template_entry **entry); 205 + struct ima_template_entry **entry, 206 + struct ima_template_desc *template_desc); 215 207 int ima_store_template(struct ima_template_entry *entry, int violation, 216 208 struct inode *inode, 217 209 const unsigned char *filename, int pcr); ··· 222 210 223 211 /* IMA policy related functions */ 224 212 int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid, 225 - enum ima_hooks func, int mask, int flags, int *pcr); 213 + enum ima_hooks func, int mask, int flags, int *pcr, 214 + struct ima_template_desc **template_desc); 226 215 void ima_init_policy(void); 227 216 void ima_update_policy(void); 228 217 void ima_update_policy_flag(void);
+27 -11
security/integrity/ima/ima_api.c
··· 34 34 * ima_alloc_init_template - create and initialize a new template entry 35 35 */ 36 36 int ima_alloc_init_template(struct ima_event_data *event_data, 37 - struct ima_template_entry **entry) 37 + struct ima_template_entry **entry, 38 + struct ima_template_desc *desc) 38 39 { 39 - struct ima_template_desc *template_desc = ima_template_desc_current(); 40 + struct ima_template_desc *template_desc; 40 41 int i, result = 0; 42 + 43 + if (desc) 44 + template_desc = desc; 45 + else 46 + template_desc = ima_template_desc_current(); 41 47 42 48 *entry = kzalloc(sizeof(**entry) + template_desc->num_fields * 43 49 sizeof(struct ima_field_data), GFP_NOFS); ··· 135 129 { 136 130 struct ima_template_entry *entry; 137 131 struct inode *inode = file_inode(file); 138 - struct ima_event_data event_data = {iint, file, filename, NULL, 0, 139 - cause}; 132 + struct ima_event_data event_data = { .iint = iint, 133 + .file = file, 134 + .filename = filename, 135 + .violation = cause }; 140 136 int violation = 1; 141 137 int result; 142 138 143 139 /* can overflow, only indicator */ 144 140 atomic_long_inc(&ima_htable.violations); 145 141 146 - result = ima_alloc_init_template(&event_data, &entry); 142 + result = ima_alloc_init_template(&event_data, &entry, NULL); 147 143 if (result < 0) { 148 144 result = -ENOMEM; 149 145 goto err_out; ··· 168 160 * MAY_APPEND) 169 161 * @func: caller identifier 170 162 * @pcr: pointer filled in if matched measure policy sets pcr= 163 + * @template_desc: pointer filled in if matched measure policy sets template= 171 164 * 172 165 * The policy is defined in terms of keypairs: 173 166 * subj=, obj=, type=, func=, mask=, fsmagic= 174 167 * subj,obj, and type: are LSM specific. 175 168 * func: FILE_CHECK | BPRM_CHECK | CREDS_CHECK | MMAP_CHECK | MODULE_CHECK 169 + * | KEXEC_CMDLINE 176 170 * mask: contains the permission mask 177 171 * fsmagic: hex value 178 172 * ··· 182 172 * 183 173 */ 184 174 int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid, 185 - int mask, enum ima_hooks func, int *pcr) 175 + int mask, enum ima_hooks func, int *pcr, 176 + struct ima_template_desc **template_desc) 186 177 { 187 178 int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE | IMA_HASH; 188 179 189 180 flags &= ima_policy_flag; 190 181 191 - return ima_match_policy(inode, cred, secid, func, mask, flags, pcr); 182 + return ima_match_policy(inode, cred, secid, func, mask, flags, pcr, 183 + template_desc); 192 184 } 193 185 194 186 /* ··· 285 273 void ima_store_measurement(struct integrity_iint_cache *iint, 286 274 struct file *file, const unsigned char *filename, 287 275 struct evm_ima_xattr_data *xattr_value, 288 - int xattr_len, int pcr) 276 + int xattr_len, int pcr, 277 + struct ima_template_desc *template_desc) 289 278 { 290 279 static const char op[] = "add_template_measure"; 291 280 static const char audit_cause[] = "ENOMEM"; 292 281 int result = -ENOMEM; 293 282 struct inode *inode = file_inode(file); 294 283 struct ima_template_entry *entry; 295 - struct ima_event_data event_data = {iint, file, filename, xattr_value, 296 - xattr_len, NULL}; 284 + struct ima_event_data event_data = { .iint = iint, 285 + .file = file, 286 + .filename = filename, 287 + .xattr_value = xattr_value, 288 + .xattr_len = xattr_len }; 297 289 int violation = 0; 298 290 299 291 if (iint->measured_pcrs & (0x1 << pcr)) 300 292 return; 301 293 302 - result = ima_alloc_init_template(&event_data, &entry); 294 + result = ima_alloc_init_template(&event_data, &entry, template_desc); 303 295 if (result < 0) { 304 296 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename, 305 297 op, audit_cause, result, 0);
+5 -4
security/integrity/ima/ima_appraise.c
··· 54 54 55 55 security_task_getsecid(current, &secid); 56 56 return ima_match_policy(inode, current_cred(), secid, func, mask, 57 - IMA_APPRAISE | IMA_HASH, NULL); 57 + IMA_APPRAISE | IMA_HASH, NULL, NULL); 58 58 } 59 59 60 60 static int ima_fix_xattr(struct dentry *dentry, ··· 165 165 return sig->hash_algo; 166 166 break; 167 167 case IMA_XATTR_DIGEST_NG: 168 - ret = xattr_value->digest[0]; 168 + /* first byte contains algorithm id */ 169 + ret = xattr_value->data[0]; 169 170 if (ret < HASH_ALGO__LAST) 170 171 return ret; 171 172 break; ··· 174 173 /* this is for backward compatibility */ 175 174 if (xattr_len == 21) { 176 175 unsigned int zero = 0; 177 - if (!memcmp(&xattr_value->digest[16], &zero, 4)) 176 + if (!memcmp(&xattr_value->data[16], &zero, 4)) 178 177 return HASH_ALGO_MD5; 179 178 else 180 179 return HASH_ALGO_SHA1; ··· 273 272 /* xattr length may be longer. md5 hash in previous 274 273 version occupied 20 bytes in xattr, instead of 16 275 274 */ 276 - rc = memcmp(&xattr_value->digest[hash_start], 275 + rc = memcmp(&xattr_value->data[hash_start], 277 276 iint->ima_hash->digest, 278 277 iint->ima_hash->length); 279 278 else
+3 -3
security/integrity/ima/ima_init.c
··· 45 45 const char *audit_cause = "ENOMEM"; 46 46 struct ima_template_entry *entry; 47 47 struct integrity_iint_cache tmp_iint, *iint = &tmp_iint; 48 - struct ima_event_data event_data = {iint, NULL, boot_aggregate_name, 49 - NULL, 0, NULL}; 48 + struct ima_event_data event_data = { .iint = iint, 49 + .filename = boot_aggregate_name }; 50 50 int result = -ENOMEM; 51 51 int violation = 0; 52 52 struct { ··· 68 68 } 69 69 } 70 70 71 - result = ima_alloc_init_template(&event_data, &entry); 71 + result = ima_alloc_init_template(&event_data, &entry, NULL); 72 72 if (result < 0) { 73 73 audit_cause = "alloc_entry"; 74 74 goto err_out;
+117 -6
security/integrity/ima/ima_main.c
··· 39 39 int ima_hash_algo = HASH_ALGO_SHA1; 40 40 static int hash_setup_done; 41 41 42 + static struct notifier_block ima_lsm_policy_notifier = { 43 + .notifier_call = ima_lsm_policy_change, 44 + }; 45 + 42 46 static int __init hash_setup(char *str) 43 47 { 44 48 struct ima_template_desc *template_desc = ima_template_desc_current(); ··· 71 67 return 1; 72 68 } 73 69 __setup("ima_hash=", hash_setup); 70 + 71 + /* Prevent mmap'ing a file execute that is already mmap'ed write */ 72 + static int mmap_violation_check(enum ima_hooks func, struct file *file, 73 + char **pathbuf, const char **pathname, 74 + char *filename) 75 + { 76 + struct inode *inode; 77 + int rc = 0; 78 + 79 + if ((func == MMAP_CHECK) && mapping_writably_mapped(file->f_mapping)) { 80 + rc = -ETXTBSY; 81 + inode = file_inode(file); 82 + 83 + if (!*pathbuf) /* ima_rdwr_violation possibly pre-fetched */ 84 + *pathname = ima_d_path(&file->f_path, pathbuf, 85 + filename); 86 + integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, *pathname, 87 + "mmap_file", "mmapped_writers", rc, 0); 88 + } 89 + return rc; 90 + } 74 91 75 92 /* 76 93 * ima_rdwr_violation_check ··· 195 170 { 196 171 struct inode *inode = file_inode(file); 197 172 struct integrity_iint_cache *iint = NULL; 198 - struct ima_template_desc *template_desc; 173 + struct ima_template_desc *template_desc = NULL; 199 174 char *pathbuf = NULL; 200 175 char filename[NAME_MAX]; 201 176 const char *pathname = NULL; ··· 213 188 * bitmask based on the appraise/audit/measurement policy. 214 189 * Included is the appraise submask. 215 190 */ 216 - action = ima_get_action(inode, cred, secid, mask, func, &pcr); 191 + action = ima_get_action(inode, cred, secid, mask, func, &pcr, 192 + &template_desc); 217 193 violation_check = ((func == FILE_CHECK || func == MMAP_CHECK) && 218 194 (ima_policy_flag & IMA_MEASURE)); 219 195 if (!action && !violation_check) ··· 292 266 293 267 /* Nothing to do, just return existing appraised status */ 294 268 if (!action) { 295 - if (must_appraise) 296 - rc = ima_get_cache_status(iint, func); 269 + if (must_appraise) { 270 + rc = mmap_violation_check(func, file, &pathbuf, 271 + &pathname, filename); 272 + if (!rc) 273 + rc = ima_get_cache_status(iint, func); 274 + } 297 275 goto out_locked; 298 276 } 299 277 300 - template_desc = ima_template_desc_current(); 301 278 if ((action & IMA_APPRAISE_SUBMASK) || 302 279 strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) != 0) 303 280 /* read 'security.ima' */ ··· 317 288 318 289 if (action & IMA_MEASURE) 319 290 ima_store_measurement(iint, file, pathname, 320 - xattr_value, xattr_len, pcr); 291 + xattr_value, xattr_len, pcr, 292 + template_desc); 321 293 if (rc == 0 && (action & IMA_APPRAISE_SUBMASK)) { 322 294 inode_lock(inode); 323 295 rc = ima_appraise_measurement(func, iint, file, pathname, 324 296 xattr_value, xattr_len); 325 297 inode_unlock(inode); 298 + if (!rc) 299 + rc = mmap_violation_check(func, file, &pathbuf, 300 + &pathname, filename); 326 301 } 327 302 if (action & IMA_AUDIT) 328 303 ima_audit_measurement(iint, pathname); ··· 605 572 return 0; 606 573 } 607 574 575 + /* 576 + * process_buffer_measurement - Measure the buffer to ima log. 577 + * @buf: pointer to the buffer that needs to be added to the log. 578 + * @size: size of buffer(in bytes). 579 + * @eventname: event name to be used for the buffer entry. 580 + * @cred: a pointer to a credentials structure for user validation. 581 + * @secid: the secid of the task to be validated. 582 + * 583 + * Based on policy, the buffer is measured into the ima log. 584 + */ 585 + static void process_buffer_measurement(const void *buf, int size, 586 + const char *eventname, 587 + const struct cred *cred, u32 secid) 588 + { 589 + int ret = 0; 590 + struct ima_template_entry *entry = NULL; 591 + struct integrity_iint_cache iint = {}; 592 + struct ima_event_data event_data = {.iint = &iint, 593 + .filename = eventname, 594 + .buf = buf, 595 + .buf_len = size}; 596 + struct ima_template_desc *template_desc = NULL; 597 + struct { 598 + struct ima_digest_data hdr; 599 + char digest[IMA_MAX_DIGEST_SIZE]; 600 + } hash = {}; 601 + int violation = 0; 602 + int pcr = CONFIG_IMA_MEASURE_PCR_IDX; 603 + int action = 0; 604 + 605 + action = ima_get_action(NULL, cred, secid, 0, KEXEC_CMDLINE, &pcr, 606 + &template_desc); 607 + if (!(action & IMA_MEASURE)) 608 + return; 609 + 610 + iint.ima_hash = &hash.hdr; 611 + iint.ima_hash->algo = ima_hash_algo; 612 + iint.ima_hash->length = hash_digest_size[ima_hash_algo]; 613 + 614 + ret = ima_calc_buffer_hash(buf, size, iint.ima_hash); 615 + if (ret < 0) 616 + goto out; 617 + 618 + ret = ima_alloc_init_template(&event_data, &entry, template_desc); 619 + if (ret < 0) 620 + goto out; 621 + 622 + ret = ima_store_template(entry, violation, NULL, buf, pcr); 623 + 624 + if (ret < 0) 625 + ima_free_template_entry(entry); 626 + 627 + out: 628 + return; 629 + } 630 + 631 + /** 632 + * ima_kexec_cmdline - measure kexec cmdline boot args 633 + * @buf: pointer to buffer 634 + * @size: size of buffer 635 + * 636 + * Buffers can only be measured, not appraised. 637 + */ 638 + void ima_kexec_cmdline(const void *buf, int size) 639 + { 640 + u32 secid; 641 + 642 + if (buf && size != 0) { 643 + security_task_getsecid(current, &secid); 644 + process_buffer_measurement(buf, size, "kexec-cmdline", 645 + current_cred(), secid); 646 + } 647 + } 648 + 608 649 static int __init init_ima(void) 609 650 { 610 651 int error; ··· 695 588 hash_setup(CONFIG_IMA_DEFAULT_HASH); 696 589 error = ima_init(); 697 590 } 591 + 592 + error = register_blocking_lsm_notifier(&ima_lsm_policy_notifier); 593 + if (error) 594 + pr_warn("Couldn't register LSM notifier, error %d\n", error); 698 595 699 596 if (!error) 700 597 ima_update_policy_flag();
+140 -23
security/integrity/ima/ima_policy.c
··· 76 76 int type; /* audit type */ 77 77 } lsm[MAX_LSM_RULES]; 78 78 char *fsname; 79 + struct ima_template_desc *template; 79 80 }; 80 81 81 82 /* ··· 196 195 }; 197 196 198 197 /* An array of architecture specific rules */ 199 - struct ima_rule_entry *arch_policy_entry __ro_after_init; 198 + static struct ima_rule_entry *arch_policy_entry __ro_after_init; 200 199 201 200 static LIST_HEAD(ima_default_rules); 202 201 static LIST_HEAD(ima_policy_rules); ··· 246 245 } 247 246 __setup("ima_appraise_tcb", default_appraise_policy_setup); 248 247 248 + static void ima_lsm_free_rule(struct ima_rule_entry *entry) 249 + { 250 + int i; 251 + 252 + for (i = 0; i < MAX_LSM_RULES; i++) { 253 + kfree(entry->lsm[i].rule); 254 + kfree(entry->lsm[i].args_p); 255 + } 256 + kfree(entry); 257 + } 258 + 259 + static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry) 260 + { 261 + struct ima_rule_entry *nentry; 262 + int i, result; 263 + 264 + nentry = kmalloc(sizeof(*nentry), GFP_KERNEL); 265 + if (!nentry) 266 + return NULL; 267 + 268 + /* 269 + * Immutable elements are copied over as pointers and data; only 270 + * lsm rules can change 271 + */ 272 + memcpy(nentry, entry, sizeof(*nentry)); 273 + memset(nentry->lsm, 0, FIELD_SIZEOF(struct ima_rule_entry, lsm)); 274 + 275 + for (i = 0; i < MAX_LSM_RULES; i++) { 276 + if (!entry->lsm[i].rule) 277 + continue; 278 + 279 + nentry->lsm[i].type = entry->lsm[i].type; 280 + nentry->lsm[i].args_p = kstrdup(entry->lsm[i].args_p, 281 + GFP_KERNEL); 282 + if (!nentry->lsm[i].args_p) 283 + goto out_err; 284 + 285 + result = security_filter_rule_init(nentry->lsm[i].type, 286 + Audit_equal, 287 + nentry->lsm[i].args_p, 288 + &nentry->lsm[i].rule); 289 + if (result == -EINVAL) 290 + pr_warn("ima: rule for LSM \'%d\' is undefined\n", 291 + entry->lsm[i].type); 292 + } 293 + return nentry; 294 + 295 + out_err: 296 + ima_lsm_free_rule(nentry); 297 + return NULL; 298 + } 299 + 300 + static int ima_lsm_update_rule(struct ima_rule_entry *entry) 301 + { 302 + struct ima_rule_entry *nentry; 303 + 304 + nentry = ima_lsm_copy_rule(entry); 305 + if (!nentry) 306 + return -ENOMEM; 307 + 308 + list_replace_rcu(&entry->list, &nentry->list); 309 + synchronize_rcu(); 310 + ima_lsm_free_rule(entry); 311 + 312 + return 0; 313 + } 314 + 249 315 /* 250 316 * The LSM policy can be reloaded, leaving the IMA LSM based rules referring 251 317 * to the old, stale LSM policy. Update the IMA LSM based rules to reflect 252 - * the reloaded LSM policy. We assume the rules still exist; and BUG_ON() if 253 - * they don't. 318 + * the reloaded LSM policy. 254 319 */ 255 320 static void ima_lsm_update_rules(void) 256 321 { 257 - struct ima_rule_entry *entry; 258 - int result; 259 - int i; 322 + struct ima_rule_entry *entry, *e; 323 + int i, result, needs_update; 260 324 261 - list_for_each_entry(entry, &ima_policy_rules, list) { 325 + list_for_each_entry_safe(entry, e, &ima_policy_rules, list) { 326 + needs_update = 0; 262 327 for (i = 0; i < MAX_LSM_RULES; i++) { 263 - if (!entry->lsm[i].rule) 264 - continue; 265 - result = security_filter_rule_init(entry->lsm[i].type, 266 - Audit_equal, 267 - entry->lsm[i].args_p, 268 - &entry->lsm[i].rule); 269 - BUG_ON(!entry->lsm[i].rule); 328 + if (entry->lsm[i].rule) { 329 + needs_update = 1; 330 + break; 331 + } 332 + } 333 + if (!needs_update) 334 + continue; 335 + 336 + result = ima_lsm_update_rule(entry); 337 + if (result) { 338 + pr_err("ima: lsm rule update error %d\n", 339 + result); 340 + return; 270 341 } 271 342 } 343 + } 344 + 345 + int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event, 346 + void *lsm_data) 347 + { 348 + if (event != LSM_POLICY_CHANGE) 349 + return NOTIFY_DONE; 350 + 351 + ima_lsm_update_rules(); 352 + return NOTIFY_OK; 272 353 } 273 354 274 355 /** ··· 370 287 { 371 288 int i; 372 289 290 + if (func == KEXEC_CMDLINE) { 291 + if ((rule->flags & IMA_FUNC) && (rule->func == func)) 292 + return true; 293 + return false; 294 + } 373 295 if ((rule->flags & IMA_FUNC) && 374 296 (rule->func != func && func != POST_SETATTR)) 375 297 return false; ··· 411 323 for (i = 0; i < MAX_LSM_RULES; i++) { 412 324 int rc = 0; 413 325 u32 osid; 414 - int retried = 0; 415 326 416 327 if (!rule->lsm[i].rule) 417 328 continue; 418 - retry: 329 + 419 330 switch (i) { 420 331 case LSM_OBJ_USER: 421 332 case LSM_OBJ_ROLE: ··· 434 347 rule->lsm[i].rule); 435 348 default: 436 349 break; 437 - } 438 - if ((rc < 0) && (!retried)) { 439 - retried = 1; 440 - ima_lsm_update_rules(); 441 - goto retry; 442 350 } 443 351 if (!rc) 444 352 return false; ··· 475 393 * @func: IMA hook identifier 476 394 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) 477 395 * @pcr: set the pcr to extend 396 + * @template_desc: the template that should be used for this rule 478 397 * 479 398 * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type) 480 399 * conditions. ··· 485 402 * than writes so ima_match_policy() is classical RCU candidate. 486 403 */ 487 404 int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid, 488 - enum ima_hooks func, int mask, int flags, int *pcr) 405 + enum ima_hooks func, int mask, int flags, int *pcr, 406 + struct ima_template_desc **template_desc) 489 407 { 490 408 struct ima_rule_entry *entry; 491 409 int action = 0, actmask = flags | (flags << 1); ··· 517 433 518 434 if ((pcr) && (entry->flags & IMA_PCR)) 519 435 *pcr = entry->pcr; 436 + 437 + if (template_desc && entry->template) 438 + *template_desc = entry->template; 439 + else if (template_desc) 440 + *template_desc = ima_template_desc_current(); 520 441 521 442 if (!actmask) 522 443 break; ··· 761 672 Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt, 762 673 Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt, 763 674 Opt_appraise_type, Opt_permit_directio, 764 - Opt_pcr, Opt_err 675 + Opt_pcr, Opt_template, Opt_err 765 676 }; 766 677 767 678 static const match_table_t policy_tokens = { ··· 795 706 {Opt_appraise_type, "appraise_type=%s"}, 796 707 {Opt_permit_directio, "permit_directio"}, 797 708 {Opt_pcr, "pcr=%s"}, 709 + {Opt_template, "template=%s"}, 798 710 {Opt_err, NULL} 799 711 }; 800 712 ··· 849 759 char *from; 850 760 char *p; 851 761 bool uid_token; 762 + struct ima_template_desc *template_desc; 852 763 int result = 0; 853 764 854 765 ab = integrity_audit_log_start(audit_context(), GFP_KERNEL, ··· 957 866 entry->func = KEXEC_INITRAMFS_CHECK; 958 867 else if (strcmp(args[0].from, "POLICY_CHECK") == 0) 959 868 entry->func = POLICY_CHECK; 869 + else if (strcmp(args[0].from, "KEXEC_CMDLINE") == 0) 870 + entry->func = KEXEC_CMDLINE; 960 871 else 961 872 result = -EINVAL; 962 873 if (!result) ··· 1147 1054 else 1148 1055 entry->flags |= IMA_PCR; 1149 1056 1057 + break; 1058 + case Opt_template: 1059 + ima_log_string(ab, "template", args[0].from); 1060 + if (entry->action != MEASURE) { 1061 + result = -EINVAL; 1062 + break; 1063 + } 1064 + template_desc = lookup_template_desc(args[0].from); 1065 + if (!template_desc || entry->template) { 1066 + result = -EINVAL; 1067 + break; 1068 + } 1069 + 1070 + /* 1071 + * template_desc_init_fields() does nothing if 1072 + * the template is already initialised, so 1073 + * it's safe to do this unconditionally 1074 + */ 1075 + template_desc_init_fields(template_desc->fmt, 1076 + &(template_desc->fields), 1077 + &(template_desc->num_fields)); 1078 + entry->template = template_desc; 1150 1079 break; 1151 1080 case Opt_err: 1152 1081 ima_log_string(ab, "UNKNOWN", p); ··· 1445 1330 } 1446 1331 } 1447 1332 } 1333 + if (entry->template) 1334 + seq_printf(m, "template=%s ", entry->template->name); 1448 1335 if (entry->flags & IMA_DIGSIG_REQUIRED) 1449 1336 seq_puts(m, "appraise_type=imasig "); 1450 1337 if (entry->flags & IMA_PERMIT_DIRECTIO)
+14 -9
security/integrity/ima/ima_template.c
··· 22 22 {.name = IMA_TEMPLATE_IMA_NAME, .fmt = IMA_TEMPLATE_IMA_FMT}, 23 23 {.name = "ima-ng", .fmt = "d-ng|n-ng"}, 24 24 {.name = "ima-sig", .fmt = "d-ng|n-ng|sig"}, 25 + {.name = "ima-buf", .fmt = "d-ng|n-ng|buf"}, 25 26 {.name = "", .fmt = ""}, /* placeholder for a custom format */ 26 27 }; 27 28 ··· 40 39 .field_show = ima_show_template_string}, 41 40 {.field_id = "sig", .field_init = ima_eventsig_init, 42 41 .field_show = ima_show_template_sig}, 42 + {.field_id = "buf", .field_init = ima_eventbuf_init, 43 + .field_show = ima_show_template_buf}, 43 44 }; 44 - #define MAX_TEMPLATE_NAME_LEN 15 45 + 46 + /* 47 + * Used when restoring measurements carried over from a kexec. 'd' and 'n' don't 48 + * need to be accounted for since they shouldn't be defined in the same template 49 + * description as 'd-ng' and 'n-ng' respectively. 50 + */ 51 + #define MAX_TEMPLATE_NAME_LEN sizeof("d-ng|n-ng|sig|buf") 45 52 46 53 static struct ima_template_desc *ima_template; 47 - static struct ima_template_desc *lookup_template_desc(const char *name); 48 - static int template_desc_init_fields(const char *template_fmt, 49 - const struct ima_template_field ***fields, 50 - int *num_fields); 51 54 52 55 static int __init ima_template_setup(char *str) 53 56 { ··· 109 104 } 110 105 __setup("ima_template_fmt=", ima_template_fmt_setup); 111 106 112 - static struct ima_template_desc *lookup_template_desc(const char *name) 107 + struct ima_template_desc *lookup_template_desc(const char *name) 113 108 { 114 109 struct ima_template_desc *template_desc; 115 110 int found = 0; ··· 154 149 return j + 1; 155 150 } 156 151 157 - static int template_desc_init_fields(const char *template_fmt, 158 - const struct ima_template_field ***fields, 159 - int *num_fields) 152 + int template_desc_init_fields(const char *template_fmt, 153 + const struct ima_template_field ***fields, 154 + int *num_fields) 160 155 { 161 156 const char *template_fmt_ptr; 162 157 const struct ima_template_field *found_fields[IMA_TEMPLATE_NUM_FIELDS_MAX];
+21
security/integrity/ima/ima_template_lib.c
··· 158 158 ima_show_template_field_data(m, show, DATA_FMT_HEX, field_data); 159 159 } 160 160 161 + void ima_show_template_buf(struct seq_file *m, enum ima_show_type show, 162 + struct ima_field_data *field_data) 163 + { 164 + ima_show_template_field_data(m, show, DATA_FMT_HEX, field_data); 165 + } 166 + 161 167 /** 162 168 * ima_parse_buf() - Parses lengths and data from an input buffer 163 169 * @bufstartp: Buffer start address. ··· 390 384 391 385 return ima_write_template_field_data(xattr_value, event_data->xattr_len, 392 386 DATA_FMT_HEX, field_data); 387 + } 388 + 389 + /* 390 + * ima_eventbuf_init - include the buffer(kexec-cmldine) as part of the 391 + * template data. 392 + */ 393 + int ima_eventbuf_init(struct ima_event_data *event_data, 394 + struct ima_field_data *field_data) 395 + { 396 + if ((!event_data->buf) || (event_data->buf_len == 0)) 397 + return 0; 398 + 399 + return ima_write_template_field_data(event_data->buf, 400 + event_data->buf_len, DATA_FMT_HEX, 401 + field_data); 393 402 }
+4
security/integrity/ima/ima_template_lib.h
··· 25 25 struct ima_field_data *field_data); 26 26 void ima_show_template_sig(struct seq_file *m, enum ima_show_type show, 27 27 struct ima_field_data *field_data); 28 + void ima_show_template_buf(struct seq_file *m, enum ima_show_type show, 29 + struct ima_field_data *field_data); 28 30 int ima_parse_buf(void *bufstartp, void *bufendp, void **bufcurp, 29 31 int maxfields, struct ima_field_data *fields, int *curfields, 30 32 unsigned long *len_mask, int enforce_mask, char *bufname); ··· 39 37 int ima_eventname_ng_init(struct ima_event_data *event_data, 40 38 struct ima_field_data *field_data); 41 39 int ima_eventsig_init(struct ima_event_data *event_data, 40 + struct ima_field_data *field_data); 41 + int ima_eventbuf_init(struct ima_event_data *event_data, 42 42 struct ima_field_data *field_data); 43 43 #endif /* __LINUX_IMA_TEMPLATE_LIB_H */
+6
security/integrity/integrity.h
··· 76 76 77 77 struct evm_ima_xattr_data { 78 78 u8 type; 79 + u8 data[]; 80 + } __packed; 81 + 82 + /* Only used in the EVM HMAC code. */ 83 + struct evm_xattr { 84 + struct evm_ima_xattr_data data; 79 85 u8 digest[SHA1_DIGEST_SIZE]; 80 86 } __packed; 81 87
+13 -10
security/security.c
··· 35 35 #define LSM_COUNT (__end_lsm_info - __start_lsm_info) 36 36 37 37 struct security_hook_heads security_hook_heads __lsm_ro_after_init; 38 - static ATOMIC_NOTIFIER_HEAD(lsm_notifier_chain); 38 + static BLOCKING_NOTIFIER_HEAD(blocking_lsm_notifier_chain); 39 39 40 40 static struct kmem_cache *lsm_file_cache; 41 41 static struct kmem_cache *lsm_inode_cache; ··· 426 426 panic("%s - Cannot get early memory.\n", __func__); 427 427 } 428 428 429 - int call_lsm_notifier(enum lsm_event event, void *data) 429 + int call_blocking_lsm_notifier(enum lsm_event event, void *data) 430 430 { 431 - return atomic_notifier_call_chain(&lsm_notifier_chain, event, data); 431 + return blocking_notifier_call_chain(&blocking_lsm_notifier_chain, 432 + event, data); 432 433 } 433 - EXPORT_SYMBOL(call_lsm_notifier); 434 + EXPORT_SYMBOL(call_blocking_lsm_notifier); 434 435 435 - int register_lsm_notifier(struct notifier_block *nb) 436 + int register_blocking_lsm_notifier(struct notifier_block *nb) 436 437 { 437 - return atomic_notifier_chain_register(&lsm_notifier_chain, nb); 438 + return blocking_notifier_chain_register(&blocking_lsm_notifier_chain, 439 + nb); 438 440 } 439 - EXPORT_SYMBOL(register_lsm_notifier); 441 + EXPORT_SYMBOL(register_blocking_lsm_notifier); 440 442 441 - int unregister_lsm_notifier(struct notifier_block *nb) 443 + int unregister_blocking_lsm_notifier(struct notifier_block *nb) 442 444 { 443 - return atomic_notifier_chain_unregister(&lsm_notifier_chain, nb); 445 + return blocking_notifier_chain_unregister(&blocking_lsm_notifier_chain, 446 + nb); 444 447 } 445 - EXPORT_SYMBOL(unregister_lsm_notifier); 448 + EXPORT_SYMBOL(unregister_blocking_lsm_notifier); 446 449 447 450 /** 448 451 * lsm_cred_alloc - allocate a composite cred blob
+1 -1
security/selinux/hooks.c
··· 194 194 { 195 195 if (event == AVC_CALLBACK_RESET) { 196 196 sel_ib_pkey_flush(); 197 - call_lsm_notifier(LSM_POLICY_CHANGE, NULL); 197 + call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL); 198 198 } 199 199 200 200 return 0;
+1 -1
security/selinux/selinuxfs.c
··· 178 178 selnl_notify_setenforce(new_value); 179 179 selinux_status_update_setenforce(state, new_value); 180 180 if (!new_value) 181 - call_lsm_notifier(LSM_POLICY_CHANGE, NULL); 181 + call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL); 182 182 } 183 183 length = count; 184 184 out: