diff options
author | Linus Torvalds <torvalds@linux-foundation.org> | 2021-06-28 16:15:50 -0700 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2021-06-28 16:15:50 -0700 |
commit | a60c538ed2ff9d084544a894219eed9c5ab980e5 (patch) | |
tree | f1aef111fb7206500abe3862082261398a1afece /include/linux | |
parent | 9cd19f02c46a2dfaf70b8d450fb16f9eb246dfa4 (diff) | |
parent | 907a399de7b0566236c480d0c01ff52220532fb1 (diff) |
Merge tag 'integrity-v5.14' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity
Pull integrity subsystem updates from Mimi Zohar:
"The large majority of the changes are EVM portable & immutable
signature related: removing a dependency on loading an HMAC key,
safely allowing file metadata included in the EVM portable & immutable
signatures to be modified, allowing EVM signatures to fulfill IMA file
signature policy requirements, including the EVM file metadata
signature in lieu of an IMA file data signature in the measurement
list, and adding dynamic debugging of EVM file metadata.
In addition, in order to detect critical data or file change
reversions, duplicate measurement records are permitted in the IMA
measurement list.
The remaining patches address compiler, sparse, and doc warnings"
* tag 'integrity-v5.14' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity: (31 commits)
evm: Check xattr size discrepancy between kernel and user
evm: output EVM digest calculation info
IMA: support for duplicate measurement records
ima: Fix warning: no previous prototype for function 'ima_add_kexec_buffer'
ima: differentiate between EVM failures in the audit log
ima: Fix fall-through warning for Clang
ima: Pass NULL instead of 0 to ima_get_action() in ima_file_mprotect()
ima: Include header defining ima_post_key_create_or_update()
ima/evm: Fix type mismatch
ima: Set correct casting types
doc: Fix warning in Documentation/security/IMA-templates.rst
evm: Don't return an error in evm_write_xattrs() if audit is not enabled
ima: Define new template evm-sig
ima: Define new template fields xattrnames, xattrlengths and xattrvalues
evm: Verify portable signatures against all protected xattrs
ima: Define new template field imode
ima: Define new template fields iuid and igid
ima: Add ima_show_template_uint() template library function
ima: Don't remove security.ima if file must not be appraised
ima: Introduce template field evmsig and write to field sig as fallback
...
Diffstat (limited to 'include/linux')
-rw-r--r-- | include/linux/evm.h | 34 | ||||
-rw-r--r-- | include/linux/integrity.h | 1 |
2 files changed, 31 insertions, 4 deletions
diff --git a/include/linux/evm.h b/include/linux/evm.h index 8302bc29bb35..4c374be70247 100644 --- a/include/linux/evm.h +++ b/include/linux/evm.h @@ -23,18 +23,25 @@ extern enum integrity_status evm_verifyxattr(struct dentry *dentry, struct integrity_iint_cache *iint); extern int evm_inode_setattr(struct dentry *dentry, struct iattr *attr); extern void evm_inode_post_setattr(struct dentry *dentry, int ia_valid); -extern int evm_inode_setxattr(struct dentry *dentry, const char *name, +extern int evm_inode_setxattr(struct user_namespace *mnt_userns, + struct dentry *dentry, const char *name, const void *value, size_t size); extern void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name, const void *xattr_value, size_t xattr_value_len); -extern int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name); +extern int evm_inode_removexattr(struct user_namespace *mnt_userns, + struct dentry *dentry, const char *xattr_name); extern void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name); extern int evm_inode_init_security(struct inode *inode, const struct xattr *xattr_array, struct xattr *evm); +extern bool evm_revalidate_status(const char *xattr_name); +extern int evm_protected_xattr_if_enabled(const char *req_xattr_name); +extern int evm_read_protected_xattrs(struct dentry *dentry, u8 *buffer, + int buffer_size, char type, + bool canonical_fmt); #ifdef CONFIG_FS_POSIX_ACL extern int posix_xattr_acl(const char *xattrname); #else @@ -71,7 +78,8 @@ static inline void evm_inode_post_setattr(struct dentry *dentry, int ia_valid) return; } -static inline int evm_inode_setxattr(struct dentry *dentry, const char *name, +static inline int evm_inode_setxattr(struct user_namespace *mnt_userns, + struct dentry *dentry, const char *name, const void *value, size_t size) { return 0; @@ -85,7 +93,8 @@ static inline void evm_inode_post_setxattr(struct dentry *dentry, return; } -static inline int evm_inode_removexattr(struct dentry *dentry, +static inline int evm_inode_removexattr(struct user_namespace *mnt_userns, + struct dentry *dentry, const char *xattr_name) { return 0; @@ -104,5 +113,22 @@ static inline int evm_inode_init_security(struct inode *inode, return 0; } +static inline bool evm_revalidate_status(const char *xattr_name) +{ + return false; +} + +static inline int evm_protected_xattr_if_enabled(const char *req_xattr_name) +{ + return false; +} + +static inline int evm_read_protected_xattrs(struct dentry *dentry, u8 *buffer, + int buffer_size, char type, + bool canonical_fmt) +{ + return -EOPNOTSUPP; +} + #endif /* CONFIG_EVM */ #endif /* LINUX_EVM_H */ diff --git a/include/linux/integrity.h b/include/linux/integrity.h index 2271939c5c31..2ea0f2f65ab6 100644 --- a/include/linux/integrity.h +++ b/include/linux/integrity.h @@ -13,6 +13,7 @@ enum integrity_status { INTEGRITY_PASS = 0, INTEGRITY_PASS_IMMUTABLE, INTEGRITY_FAIL, + INTEGRITY_FAIL_IMMUTABLE, INTEGRITY_NOLABEL, INTEGRITY_NOXATTRS, INTEGRITY_UNKNOWN, |