From 219a3e8676f3132d27b530c7d2d6bcab89536b57 Mon Sep 17 00:00:00 2001 From: Kairui Song Date: Mon, 21 Jan 2019 17:59:28 +0800 Subject: integrity, KEYS: add a reference to platform keyring commit 9dc92c45177a ("integrity: Define a trusted platform keyring") introduced a .platform keyring for storing preboot keys, used for verifying kernel image signatures. Currently only IMA-appraisal is able to use the keyring to verify kernel images that have their signature stored in xattr. This patch exposes the .platform keyring, making it accessible for verifying PE signed kernel images as well. Suggested-by: Mimi Zohar Signed-off-by: Kairui Song Cc: David Howells [zohar@linux.ibm.com: fixed checkpatch errors, squashed with patch fix] Signed-off-by: Mimi Zohar --- security/integrity/digsig.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'security') diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index f45d6edecf99..e19c2eb72c51 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -87,6 +87,9 @@ static int __integrity_init_keyring(const unsigned int id, key_perm_t perm, pr_info("Can't allocate %s keyring (%d)\n", keyring_name[id], err); keyring[id] = NULL; + } else { + if (id == INTEGRITY_KEYRING_PLATFORM) + set_platform_trusted_keys(keyring[id]); } return err; -- cgit v1.2.3-59-g8ed1b From 107dfa2e56ecdfda654d939cd464893a72086297 Mon Sep 17 00:00:00 2001 From: Mimi Zohar Date: Tue, 18 Dec 2018 07:57:41 -0500 Subject: encrypted-keys: fix Opt_err/Opt_error = -1 Properly start the enumeration associated with match_table_t at zero, making Opt_err/Opt_error the last enumeration value. Signed-off-by: Mimi Zohar --- security/keys/encrypted-keys/encrypted.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'security') diff --git a/security/keys/encrypted-keys/encrypted.c b/security/keys/encrypted-keys/encrypted.c index 389a298274d3..347108f660a1 100644 --- a/security/keys/encrypted-keys/encrypted.c +++ b/security/keys/encrypted-keys/encrypted.c @@ -60,11 +60,11 @@ static int blksize; static struct crypto_shash *hash_tfm; enum { - Opt_err = -1, Opt_new, Opt_load, Opt_update + Opt_new, Opt_load, Opt_update, Opt_err }; enum { - Opt_error = -1, Opt_default, Opt_ecryptfs, Opt_enc32 + Opt_default, Opt_ecryptfs, Opt_enc32, Opt_error }; static const match_table_t key_format_tokens = { -- cgit v1.2.3-59-g8ed1b From c8b37524d3cdbcf07426529cb83b38b1240cb54d Mon Sep 17 00:00:00 2001 From: YueHaibing Date: Sat, 15 Dec 2018 10:06:10 +0000 Subject: evm: remove set but not used variable 'xattr' Fixes gcc '-Wunused-but-set-variable' warning: security/integrity/evm/evm_main.c: In function 'init_evm': security/integrity/evm/evm_main.c:566:21: warning: variable 'xattr' set but not used [-Wunused-but-set-variable] Commit 21af76631476 ("EVM: turn evm_config_xattrnames into a list") defined and set "xattr", but never used it. [zohar@linux.ibm.com: tweaked the patch description explanation] Signed-off-by: YueHaibing Signed-off-by: Mimi Zohar --- security/integrity/evm/evm_main.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) (limited to 'security') diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index 5ecaa3d6fe0b..b6d9f14bc234 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c @@ -563,7 +563,6 @@ static int __init init_evm(void) { int error; struct list_head *pos, *q; - struct xattr_list *xattr; evm_init_config(); @@ -580,11 +579,8 @@ static int __init init_evm(void) error: if (error != 0) { if (!list_empty(&evm_config_xattrnames)) { - list_for_each_safe(pos, q, &evm_config_xattrnames) { - xattr = list_entry(pos, struct xattr_list, - list); + list_for_each_safe(pos, q, &evm_config_xattrnames) list_del(pos); - } } } -- cgit v1.2.3-59-g8ed1b From fdb2410f7702f25f82804a261f90ad03422bd2c3 Mon Sep 17 00:00:00 2001 From: Mimi Zohar Date: Tue, 22 Jan 2019 14:06:49 -0600 Subject: ima: define ima_post_create_tmpfile() hook and add missing call If tmpfiles can be made persistent, then newly created tmpfiles need to be treated like any other new files in policy. This patch indicates which newly created tmpfiles are in policy, causing the file hash to be calculated on __fput(). Reported-by: Ignaz Forster [rgoldwyn@suse.com: Call ima_post_create_tmpfile() in vfs_tmpfile() as opposed to do_tmpfile(). This will help the case for overlayfs where copy_up is denied while overwriting a file.] Signed-off-by: Goldwyn Rodrigues Signed-off-by: Mimi Zohar --- fs/namei.c | 1 + include/linux/ima.h | 5 +++++ security/integrity/ima/ima_main.c | 35 +++++++++++++++++++++++++++++++++-- 3 files changed, 39 insertions(+), 2 deletions(-) (limited to 'security') diff --git a/fs/namei.c b/fs/namei.c index 914178cdbe94..373a7ec4b09d 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -3462,6 +3462,7 @@ struct dentry *vfs_tmpfile(struct dentry *dentry, umode_t mode, int open_flag) inode->i_state |= I_LINKABLE; spin_unlock(&inode->i_lock); } + ima_post_create_tmpfile(inode); return child; out_err: diff --git a/include/linux/ima.h b/include/linux/ima.h index b5e16b8c50b7..dc12fbcf484c 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -18,6 +18,7 @@ struct linux_binprm; #ifdef CONFIG_IMA extern int ima_bprm_check(struct linux_binprm *bprm); extern int ima_file_check(struct file *file, int mask); +extern void ima_post_create_tmpfile(struct inode *inode); extern void ima_file_free(struct file *file); extern int ima_file_mmap(struct file *file, unsigned long prot); extern int ima_load_data(enum kernel_load_data_id id); @@ -56,6 +57,10 @@ static inline int ima_file_check(struct file *file, int mask) return 0; } +static inline void ima_post_create_tmpfile(struct inode *inode) +{ +} + static inline void ima_file_free(struct file *file) { return; diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 4ffac4f5c647..357edd140c09 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -396,6 +396,33 @@ int ima_file_check(struct file *file, int mask) } EXPORT_SYMBOL_GPL(ima_file_check); +/** + * ima_post_create_tmpfile - mark newly created tmpfile as new + * @file : newly created tmpfile + * + * No measuring, appraising or auditing of newly created tmpfiles is needed. + * Skip calling process_measurement(), but indicate which newly, created + * tmpfiles are in policy. + */ +void ima_post_create_tmpfile(struct inode *inode) +{ + struct integrity_iint_cache *iint; + int must_appraise; + + must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK); + if (!must_appraise) + return; + + /* Nothing to do if we can't allocate memory */ + iint = integrity_inode_get(inode); + if (!iint) + return; + + /* needed for writing the security xattrs */ + set_bit(IMA_UPDATE_XATTR, &iint->atomic_flags); + iint->ima_file_status = INTEGRITY_PASS; +} + /** * ima_post_path_mknod - mark as a new inode * @dentry: newly created dentry @@ -413,9 +440,13 @@ void ima_post_path_mknod(struct dentry *dentry) if (!must_appraise) return; + /* Nothing to do if we can't allocate memory */ iint = integrity_inode_get(inode); - if (iint) - iint->flags |= IMA_NEW_FILE; + if (!iint) + return; + + /* needed for re-opening empty files */ + iint->flags |= IMA_NEW_FILE; } /** -- cgit v1.2.3-59-g8ed1b From e7fde070f39bc058c356cf366cb17ac2d643abb0 Mon Sep 17 00:00:00 2001 From: Andy Shevchenko Date: Thu, 24 Jan 2019 22:37:02 +0200 Subject: evm: Use defined constant for UUID representation Instead of sizeof use pre-defined constant for UUID representation. While here, drop the implementation details of uuid_t type. Signed-off-by: Andy Shevchenko Signed-off-by: Mimi Zohar --- security/integrity/evm/evm_crypto.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'security') diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c index 43e2dc3a60d0..c37d08118af5 100644 --- a/security/integrity/evm/evm_crypto.c +++ b/security/integrity/evm/evm_crypto.c @@ -173,8 +173,7 @@ static void hmac_add_misc(struct shash_desc *desc, struct inode *inode, crypto_shash_update(desc, (const u8 *)&hmac_misc, sizeof(hmac_misc)); if ((evm_hmac_attrs & EVM_ATTR_FSUUID) && type != EVM_XATTR_PORTABLE_DIGSIG) - crypto_shash_update(desc, &inode->i_sb->s_uuid.b[0], - sizeof(inode->i_sb->s_uuid)); + crypto_shash_update(desc, (u8 *)&inode->i_sb->s_uuid, UUID_SIZE); crypto_shash_final(desc, digest); } -- cgit v1.2.3-59-g8ed1b