From ffb122de9a60bd789422fd9caa4d8363acf1e851 Mon Sep 17 00:00:00 2001 From: Petr Vorel Date: Fri, 20 Apr 2018 15:28:57 +0200 Subject: ima: Reflect correct permissions for policy Kernel configured as CONFIG_IMA_READ_POLICY=y && CONFIG_IMA_WRITE_POLICY=n keeps 0600 mode after loading policy. Remove write permission to state that policy file no longer be written. Signed-off-by: Petr Vorel Signed-off-by: Mimi Zohar --- security/integrity/ima/ima_fs.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'security/integrity') diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c index fa540c0469da..c1265127d1b6 100644 --- a/security/integrity/ima/ima_fs.c +++ b/security/integrity/ima/ima_fs.c @@ -434,6 +434,8 @@ static int ima_release_policy(struct inode *inode, struct file *file) ima_policy = NULL; #elif defined(CONFIG_IMA_WRITE_POLICY) clear_bit(IMA_FS_BUSY, &ima_fs_flags); +#elif defined(CONFIG_IMA_READ_POLICY) + inode->i_mode &= ~S_IWUSR; #endif return 0; } -- cgit From de636769c8c7359dacccca61d6c187d864d1d3b8 Mon Sep 17 00:00:00 2001 From: Petr Vorel Date: Tue, 24 Apr 2018 16:30:38 +0200 Subject: ima: Unify logging Define pr_fmt everywhere. Signed-off-by: Petr Vorel Reported-by: Stephen Rothwell (powerpc build error) Signed-off-by: Mimi Zohar Changelog: Previous pr_fmt definition was too late and caused problems in powerpc allyesconfg build. --- security/integrity/ima/ima_fs.c | 7 +++++-- security/integrity/ima/ima_kexec.c | 2 ++ security/integrity/ima/ima_template_lib.c | 2 ++ 3 files changed, 9 insertions(+), 2 deletions(-) (limited to 'security/integrity') diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c index c1265127d1b6..b34cec78ffb3 100644 --- a/security/integrity/ima/ima_fs.c +++ b/security/integrity/ima/ima_fs.c @@ -15,6 +15,9 @@ * implemenents security file system for reporting * current measurement list and IMA statistics */ + +#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt + #include #include #include @@ -336,7 +339,7 @@ static ssize_t ima_write_policy(struct file *file, const char __user *buf, if (data[0] == '/') { result = ima_read_policy(data); } else if (ima_appraise & IMA_APPRAISE_POLICY) { - pr_err("IMA: signed policy file (specified as an absolute pathname) required\n"); + pr_err("signed policy file (specified as an absolute pathname) required\n"); integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, NULL, "policy_update", "signed policy required", 1, 0); @@ -417,7 +420,7 @@ static int ima_release_policy(struct inode *inode, struct file *file) valid_policy = 0; } - pr_info("IMA: policy update %s\n", cause); + pr_info("policy update %s\n", cause); integrity_audit_msg(AUDIT_INTEGRITY_STATUS, NULL, NULL, "policy_update", cause, !valid_policy, 0); diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/ima_kexec.c index e473eee913cb..16bd18747cfa 100644 --- a/security/integrity/ima/ima_kexec.c +++ b/security/integrity/ima/ima_kexec.c @@ -10,6 +10,8 @@ * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. */ +#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt + #include #include #include diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c index 5afaa53decc5..43752002c222 100644 --- a/security/integrity/ima/ima_template_lib.c +++ b/security/integrity/ima/ima_template_lib.c @@ -13,6 +13,8 @@ * Library of supported template fields. */ +#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt + #include "ima_template_lib.h" static bool ima_template_hash_algo_allowed(u8 algo) -- cgit From 4ecd9934ba1c2edf95588a364d49ddfd85c61bd1 Mon Sep 17 00:00:00 2001 From: Petr Vorel Date: Thu, 10 May 2018 17:15:48 +0200 Subject: ima: Remove unused variable ima_initialized Commit a756024 ("ima: added ima_policy_flag variable") replaced ima_initialized with ima_policy_flag, but didn't remove ima_initialized. This patch removes it. Signed-off-by: Petr Vorel Reviewed-by: James Morris Signed-off-by: Mimi Zohar --- security/integrity/ima/ima.h | 1 - security/integrity/ima/ima_main.c | 7 ++----- 2 files changed, 2 insertions(+), 6 deletions(-) (limited to 'security/integrity') diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 35fe91aa1fc9..354bb5716ce3 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -53,7 +53,6 @@ enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 }; extern int ima_policy_flag; /* set during initialization */ -extern int ima_initialized; extern int ima_used_chip; extern int ima_hash_algo; extern int ima_appraise; diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 74d0bd7e76d7..e771b736aa03 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -32,8 +32,6 @@ #include "ima.h" -int ima_initialized; - #ifdef CONFIG_IMA_APPRAISE int ima_appraise = IMA_APPRAISE_ENFORCE; #else @@ -517,10 +515,9 @@ static int __init init_ima(void) error = ima_init(); } - if (!error) { - ima_initialized = 1; + if (!error) ima_update_policy_flag(); - } + return error; } -- cgit From 0c343af8065be5ceb0c03a876af7c513e960e2ff Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 11 May 2018 16:12:34 -0700 Subject: integrity: Add an integrity directory in securityfs We want to add additional evm control nodes, and it'd be preferable not to clutter up the securityfs root directory any further. Create a new integrity directory, move the ima directory into it, create an evm directory for the evm attribute and add compatibility symlinks. Signed-off-by: Matthew Garrett Signed-off-by: Mimi Zohar --- security/integrity/evm/evm_secfs.c | 27 ++++++++++++++++++++++++--- security/integrity/iint.c | 18 ++++++++++++++++++ security/integrity/ima/ima_fs.c | 9 ++++++++- security/integrity/integrity.h | 2 ++ 4 files changed, 52 insertions(+), 4 deletions(-) (limited to 'security/integrity') diff --git a/security/integrity/evm/evm_secfs.c b/security/integrity/evm/evm_secfs.c index feba03bbedae..e44380f0cb45 100644 --- a/security/integrity/evm/evm_secfs.c +++ b/security/integrity/evm/evm_secfs.c @@ -19,7 +19,9 @@ #include #include "evm.h" +static struct dentry *evm_dir; static struct dentry *evm_init_tpm; +static struct dentry *evm_symlink; /** * evm_read_key - read() for /evm @@ -111,9 +113,28 @@ int __init evm_init_secfs(void) { int error = 0; - evm_init_tpm = securityfs_create_file("evm", S_IRUSR | S_IRGRP, - NULL, NULL, &evm_key_ops); - if (!evm_init_tpm || IS_ERR(evm_init_tpm)) + evm_dir = securityfs_create_dir("evm", integrity_dir); + if (!evm_dir || IS_ERR(evm_dir)) + return -EFAULT; + + evm_init_tpm = securityfs_create_file("evm", 0660, + evm_dir, NULL, &evm_key_ops); + if (!evm_init_tpm || IS_ERR(evm_init_tpm)) { + error = -EFAULT; + goto out; + } + + evm_symlink = securityfs_create_symlink("evm", NULL, + "integrity/evm/evm", NULL); + if (!evm_symlink || IS_ERR(evm_symlink)) { error = -EFAULT; + goto out; + } + + return 0; +out: + securityfs_remove(evm_symlink); + securityfs_remove(evm_init_tpm); + securityfs_remove(evm_dir); return error; } diff --git a/security/integrity/iint.c b/security/integrity/iint.c index f266e4b3b7d4..149faa81f6f0 100644 --- a/security/integrity/iint.c +++ b/security/integrity/iint.c @@ -21,12 +21,15 @@ #include #include #include +#include #include "integrity.h" static struct rb_root integrity_iint_tree = RB_ROOT; static DEFINE_RWLOCK(integrity_iint_lock); static struct kmem_cache *iint_cache __read_mostly; +struct dentry *integrity_dir; + /* * __integrity_iint_find - return the iint associated with an inode */ @@ -211,3 +214,18 @@ void __init integrity_load_keys(void) ima_load_x509(); evm_load_x509(); } + +static int __init integrity_fs_init(void) +{ + integrity_dir = securityfs_create_dir("integrity", NULL); + if (IS_ERR(integrity_dir)) { + pr_err("Unable to create integrity sysfs dir: %ld\n", + PTR_ERR(integrity_dir)); + integrity_dir = NULL; + return PTR_ERR(integrity_dir); + } + + return 0; +} + +late_initcall(integrity_fs_init) diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c index b34cec78ffb3..ae9d5c766a3c 100644 --- a/security/integrity/ima/ima_fs.c +++ b/security/integrity/ima/ima_fs.c @@ -359,6 +359,7 @@ out: } static struct dentry *ima_dir; +static struct dentry *ima_symlink; static struct dentry *binary_runtime_measurements; static struct dentry *ascii_runtime_measurements; static struct dentry *runtime_measurements_count; @@ -453,10 +454,15 @@ static const struct file_operations ima_measure_policy_ops = { int __init ima_fs_init(void) { - ima_dir = securityfs_create_dir("ima", NULL); + ima_dir = securityfs_create_dir("ima", integrity_dir); if (IS_ERR(ima_dir)) return -1; + ima_symlink = securityfs_create_symlink("ima", NULL, "integrity/ima", + NULL); + if (IS_ERR(ima_symlink)) + goto out; + binary_runtime_measurements = securityfs_create_file("binary_runtime_measurements", S_IRUSR | S_IRGRP, ima_dir, NULL, @@ -496,6 +502,7 @@ out: securityfs_remove(runtime_measurements_count); securityfs_remove(ascii_runtime_measurements); securityfs_remove(binary_runtime_measurements); + securityfs_remove(ima_symlink); securityfs_remove(ima_dir); securityfs_remove(ima_policy); return -1; diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 5e58e02ba8dc..0bb372eed62a 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -143,6 +143,8 @@ int integrity_kernel_read(struct file *file, loff_t offset, #define INTEGRITY_KEYRING_MODULE 2 #define INTEGRITY_KEYRING_MAX 3 +extern struct dentry *integrity_dir; + #ifdef CONFIG_INTEGRITY_SIGNATURE int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, -- cgit From 21af76631476030709f85f48e20bb9429a912b6f Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 11 May 2018 16:12:35 -0700 Subject: EVM: turn evm_config_xattrnames into a list Use a list of xattrs rather than an array - this makes it easier to extend the list at runtime. Signed-off-by: Matthew Garrett Reviewed-by: James Morris Signed-off-by: Mimi Zohar --- security/integrity/evm/evm.h | 7 +++- security/integrity/evm/evm_crypto.c | 10 ++--- security/integrity/evm/evm_main.c | 79 +++++++++++++++++++++---------------- 3 files changed, 57 insertions(+), 39 deletions(-) (limited to 'security/integrity') diff --git a/security/integrity/evm/evm.h b/security/integrity/evm/evm.h index 45c4a89c02ff..1257c3c24723 100644 --- a/security/integrity/evm/evm.h +++ b/security/integrity/evm/evm.h @@ -30,6 +30,11 @@ #define EVM_INIT_MASK (EVM_INIT_HMAC | EVM_INIT_X509 | EVM_SETUP_COMPLETE | \ EVM_ALLOW_METADATA_WRITES) +struct xattr_list { + struct list_head list; + char *name; +}; + extern int evm_initialized; #define EVM_ATTR_FSUUID 0x0001 @@ -40,7 +45,7 @@ extern struct crypto_shash *hmac_tfm; extern struct crypto_shash *hash_tfm; /* List of EVM protected security xattrs */ -extern char *evm_config_xattrnames[]; +extern struct list_head evm_config_xattrnames; int evm_init_key(void); int evm_update_evmxattr(struct dentry *dentry, diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c index a46fba322340..caeea20670cc 100644 --- a/security/integrity/evm/evm_crypto.c +++ b/security/integrity/evm/evm_crypto.c @@ -192,8 +192,8 @@ static int evm_calc_hmac_or_hash(struct dentry *dentry, char type, char *digest) { struct inode *inode = d_backing_inode(dentry); + struct xattr_list *xattr; struct shash_desc *desc; - char **xattrname; size_t xattr_size = 0; char *xattr_value = NULL; int error; @@ -208,14 +208,14 @@ static int evm_calc_hmac_or_hash(struct dentry *dentry, return PTR_ERR(desc); error = -ENODATA; - for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) { + list_for_each_entry(xattr, &evm_config_xattrnames, list) { bool is_ima = false; - if (strcmp(*xattrname, XATTR_NAME_IMA) == 0) + if (strcmp(xattr->name, XATTR_NAME_IMA) == 0) is_ima = true; if ((req_xattr_name && req_xattr_value) - && !strcmp(*xattrname, req_xattr_name)) { + && !strcmp(xattr->name, req_xattr_name)) { error = 0; crypto_shash_update(desc, (const u8 *)req_xattr_value, req_xattr_value_len); @@ -223,7 +223,7 @@ static int evm_calc_hmac_or_hash(struct dentry *dentry, ima_present = true; continue; } - size = vfs_getxattr_alloc(dentry, *xattrname, + size = vfs_getxattr_alloc(dentry, xattr->name, &xattr_value, xattr_size, GFP_NOFS); if (size == -ENOMEM) { error = -ENOMEM; diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index 9ea9c19a545c..09582d4fc4a8 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c @@ -35,28 +35,29 @@ static const char * const integrity_status_msg[] = { }; int evm_hmac_attrs; -char *evm_config_xattrnames[] = { +static struct xattr_list evm_config_default_xattrnames[] __ro_after_init = { #ifdef CONFIG_SECURITY_SELINUX - XATTR_NAME_SELINUX, + {.name = XATTR_NAME_SELINUX}, #endif #ifdef CONFIG_SECURITY_SMACK - XATTR_NAME_SMACK, + {.name = XATTR_NAME_SMACK}, #ifdef CONFIG_EVM_EXTRA_SMACK_XATTRS - XATTR_NAME_SMACKEXEC, - XATTR_NAME_SMACKTRANSMUTE, - XATTR_NAME_SMACKMMAP, + {.name = XATTR_NAME_SMACKEXEC}, + {.name = XATTR_NAME_SMACKTRANSMUTE}, + {.name = XATTR_NAME_SMACKMMAP}, #endif #endif #ifdef CONFIG_SECURITY_APPARMOR - XATTR_NAME_APPARMOR, + {.name = XATTR_NAME_APPARMOR}, #endif #ifdef CONFIG_IMA_APPRAISE - XATTR_NAME_IMA, + {.name = XATTR_NAME_IMA}, #endif - XATTR_NAME_CAPS, - NULL + {.name = XATTR_NAME_CAPS}, }; +LIST_HEAD(evm_config_xattrnames); + static int evm_fixmode; static int __init evm_set_fixmode(char *str) { @@ -68,6 +69,17 @@ __setup("evm=", evm_set_fixmode); static void __init evm_init_config(void) { + int i, xattrs; + + xattrs = ARRAY_SIZE(evm_config_default_xattrnames); + + pr_info("Initialising EVM extended attributes:\n"); + for (i = 0; i < xattrs; i++) { + pr_info("%s\n", evm_config_default_xattrnames[i].name); + list_add_tail(&evm_config_default_xattrnames[i].list, + &evm_config_xattrnames); + } + #ifdef CONFIG_EVM_ATTR_FSUUID evm_hmac_attrs |= EVM_ATTR_FSUUID; #endif @@ -82,15 +94,15 @@ static bool evm_key_loaded(void) static int evm_find_protected_xattrs(struct dentry *dentry) { struct inode *inode = d_backing_inode(dentry); - char **xattr; + struct xattr_list *xattr; int error; int count = 0; if (!(inode->i_opflags & IOP_XATTR)) return -EOPNOTSUPP; - for (xattr = evm_config_xattrnames; *xattr != NULL; xattr++) { - error = __vfs_getxattr(dentry, inode, *xattr, NULL, 0); + list_for_each_entry(xattr, &evm_config_xattrnames, list) { + error = __vfs_getxattr(dentry, inode, xattr->name, NULL, 0); if (error < 0) { if (error == -ENODATA) continue; @@ -211,24 +223,25 @@ out: static int evm_protected_xattr(const char *req_xattr_name) { - char **xattrname; int namelen; int found = 0; + struct xattr_list *xattr; namelen = strlen(req_xattr_name); - for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) { - if ((strlen(*xattrname) == namelen) - && (strncmp(req_xattr_name, *xattrname, namelen) == 0)) { + list_for_each_entry(xattr, &evm_config_xattrnames, list) { + if ((strlen(xattr->name) == namelen) + && (strncmp(req_xattr_name, xattr->name, namelen) == 0)) { found = 1; break; } if (strncmp(req_xattr_name, - *xattrname + XATTR_SECURITY_PREFIX_LEN, + xattr->name + XATTR_SECURITY_PREFIX_LEN, strlen(req_xattr_name)) == 0) { found = 1; break; } } + return found; } @@ -544,35 +557,35 @@ void __init evm_load_x509(void) static int __init init_evm(void) { int error; + struct list_head *pos, *q; + struct xattr_list *xattr; evm_init_config(); error = integrity_init_keyring(INTEGRITY_KEYRING_EVM); if (error) - return error; + goto error; error = evm_init_secfs(); if (error < 0) { pr_info("Error registering secfs\n"); - return error; + goto error; } - return 0; -} - -/* - * evm_display_config - list the EVM protected security extended attributes - */ -static int __init evm_display_config(void) -{ - char **xattrname; +error: + if (error != 0) { + if (!list_empty(&evm_config_xattrnames)) { + list_for_each_safe(pos, q, &evm_config_xattrnames) { + xattr = list_entry(pos, struct xattr_list, + list); + list_del(pos); + } + } + } - for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) - pr_info("%s\n", *xattrname); - return 0; + return error; } -pure_initcall(evm_display_config); late_initcall(init_evm); MODULE_DESCRIPTION("Extended Verification Module"); -- cgit From fa516b66a1bfce1d72f1620c54bdfebc493000d1 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 15 May 2018 10:38:26 -0700 Subject: EVM: Allow runtime modification of the set of verified xattrs Sites may wish to provide additional metadata alongside files in order to make more fine-grained security decisions[1]. The security of this is enhanced if this metadata is protected, something that EVM makes possible. However, the kernel cannot know about the set of extended attributes that local admins may wish to protect, and hardcoding this policy in the kernel makes it difficult to change over time and less convenient for distributions to enable. This patch adds a new /sys/kernel/security/integrity/evm/evm_xattrs node, which can be read to obtain the current set of EVM-protected extended attributes or written to in order to add new entries. Extending this list will not change the validity of any existing signatures provided that the file in question does not have any of the additional extended attributes - missing xattrs are skipped when calculating the EVM hash. [1] For instance, a package manager could install information about the package uploader in an additional extended attribute. Local LSM policy could then be associated with that extended attribute in order to restrict the privileges available to packages from less trusted uploaders. Signed-off-by: Matthew Garrett Reviewed-by: James Morris Signed-off-by: Mimi Zohar --- security/integrity/evm/Kconfig | 11 +++ security/integrity/evm/evm_crypto.c | 2 +- security/integrity/evm/evm_main.c | 6 +- security/integrity/evm/evm_secfs.c | 173 ++++++++++++++++++++++++++++++++++++ 4 files changed, 188 insertions(+), 4 deletions(-) (limited to 'security/integrity') diff --git a/security/integrity/evm/Kconfig b/security/integrity/evm/Kconfig index e825e0ae78e7..d593346d0bba 100644 --- a/security/integrity/evm/Kconfig +++ b/security/integrity/evm/Kconfig @@ -42,6 +42,17 @@ config EVM_EXTRA_SMACK_XATTRS additional info to the calculation, requires existing EVM labeled file systems to be relabeled. +config EVM_ADD_XATTRS + bool "Add additional EVM extended attributes at runtime" + depends on EVM + default n + help + Allow userland to provide additional xattrs for HMAC calculation. + + When this option is enabled, root can add additional xattrs to the + list used by EVM by writing them into + /sys/kernel/security/integrity/evm/evm_xattrs. + config EVM_LOAD_X509 bool "Load an X509 certificate onto the '.evm' trusted keyring" depends on EVM && INTEGRITY_TRUSTED_KEYRING diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c index caeea20670cc..494da5fcc092 100644 --- a/security/integrity/evm/evm_crypto.c +++ b/security/integrity/evm/evm_crypto.c @@ -208,7 +208,7 @@ static int evm_calc_hmac_or_hash(struct dentry *dentry, return PTR_ERR(desc); error = -ENODATA; - list_for_each_entry(xattr, &evm_config_xattrnames, list) { + list_for_each_entry_rcu(xattr, &evm_config_xattrnames, list) { bool is_ima = false; if (strcmp(xattr->name, XATTR_NAME_IMA) == 0) diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index 09582d4fc4a8..f9eff5041e4c 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c @@ -35,7 +35,7 @@ static const char * const integrity_status_msg[] = { }; int evm_hmac_attrs; -static struct xattr_list evm_config_default_xattrnames[] __ro_after_init = { +static struct xattr_list evm_config_default_xattrnames[] = { #ifdef CONFIG_SECURITY_SELINUX {.name = XATTR_NAME_SELINUX}, #endif @@ -101,7 +101,7 @@ static int evm_find_protected_xattrs(struct dentry *dentry) if (!(inode->i_opflags & IOP_XATTR)) return -EOPNOTSUPP; - list_for_each_entry(xattr, &evm_config_xattrnames, list) { + list_for_each_entry_rcu(xattr, &evm_config_xattrnames, list) { error = __vfs_getxattr(dentry, inode, xattr->name, NULL, 0); if (error < 0) { if (error == -ENODATA) @@ -228,7 +228,7 @@ static int evm_protected_xattr(const char *req_xattr_name) struct xattr_list *xattr; namelen = strlen(req_xattr_name); - list_for_each_entry(xattr, &evm_config_xattrnames, list) { + list_for_each_entry_rcu(xattr, &evm_config_xattrnames, list) { if ((strlen(xattr->name) == namelen) && (strncmp(req_xattr_name, xattr->name, namelen) == 0)) { found = 1; diff --git a/security/integrity/evm/evm_secfs.c b/security/integrity/evm/evm_secfs.c index e44380f0cb45..a7a0a1acae99 100644 --- a/security/integrity/evm/evm_secfs.c +++ b/security/integrity/evm/evm_secfs.c @@ -15,14 +15,22 @@ #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt +#include #include #include +#include #include "evm.h" static struct dentry *evm_dir; static struct dentry *evm_init_tpm; static struct dentry *evm_symlink; +#ifdef CONFIG_EVM_ADD_XATTRS +static struct dentry *evm_xattrs; +static DEFINE_MUTEX(xattr_list_mutex); +static int evm_xattrs_locked; +#endif + /** * evm_read_key - read() for /evm * @@ -109,6 +117,166 @@ static const struct file_operations evm_key_ops = { .write = evm_write_key, }; +#ifdef CONFIG_EVM_ADD_XATTRS +/** + * evm_read_xattrs - read() for /evm_xattrs + * + * @filp: file pointer, not actually used + * @buf: where to put the result + * @count: maximum to send along + * @ppos: where to start + * + * Returns number of bytes read or error code, as appropriate + */ +static ssize_t evm_read_xattrs(struct file *filp, char __user *buf, + size_t count, loff_t *ppos) +{ + char *temp; + int offset = 0; + ssize_t rc, size = 0; + struct xattr_list *xattr; + + if (*ppos != 0) + return 0; + + rc = mutex_lock_interruptible(&xattr_list_mutex); + if (rc) + return -ERESTARTSYS; + + list_for_each_entry(xattr, &evm_config_xattrnames, list) + size += strlen(xattr->name) + 1; + + temp = kmalloc(size + 1, GFP_KERNEL); + if (!temp) + return -ENOMEM; + + list_for_each_entry(xattr, &evm_config_xattrnames, list) { + sprintf(temp + offset, "%s\n", xattr->name); + offset += strlen(xattr->name) + 1; + } + + mutex_unlock(&xattr_list_mutex); + rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp)); + + return rc; +} + +/** + * evm_write_xattrs - write() for /evm_xattrs + * @file: file pointer, not actually used + * @buf: where to get the data from + * @count: bytes sent + * @ppos: where to start + * + * Returns number of bytes written or error code, as appropriate + */ +static ssize_t evm_write_xattrs(struct file *file, const char __user *buf, + size_t count, loff_t *ppos) +{ + int len, err; + struct xattr_list *xattr, *tmp; + struct audit_buffer *ab; + struct iattr newattrs; + struct inode *inode; + + if (!capable(CAP_SYS_ADMIN) || evm_xattrs_locked) + return -EPERM; + + if (*ppos != 0) + return -EINVAL; + + if (count > XATTR_NAME_MAX) + return -E2BIG; + + ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_INTEGRITY_EVM_XATTR); + if (IS_ERR(ab)) + return PTR_ERR(ab); + + xattr = kmalloc(sizeof(struct xattr_list), GFP_KERNEL); + if (!xattr) { + err = -ENOMEM; + goto out; + } + + xattr->name = memdup_user_nul(buf, count); + if (IS_ERR(xattr->name)) { + err = PTR_ERR(xattr->name); + xattr->name = NULL; + goto out; + } + + /* Remove any trailing newline */ + len = strlen(xattr->name); + if (xattr->name[len-1] == '\n') + xattr->name[len-1] = '\0'; + + if (strcmp(xattr->name, ".") == 0) { + evm_xattrs_locked = 1; + newattrs.ia_mode = S_IFREG | 0440; + newattrs.ia_valid = ATTR_MODE; + inode = evm_xattrs->d_inode; + inode_lock(inode); + err = simple_setattr(evm_xattrs, &newattrs); + inode_unlock(inode); + audit_log_format(ab, "locked"); + if (!err) + err = count; + goto out; + } + + audit_log_format(ab, "xattr="); + audit_log_untrustedstring(ab, xattr->name); + + if (strncmp(xattr->name, XATTR_SECURITY_PREFIX, + XATTR_SECURITY_PREFIX_LEN) != 0) { + err = -EINVAL; + goto out; + } + + /* Guard against races in evm_read_xattrs */ + mutex_lock(&xattr_list_mutex); + list_for_each_entry(tmp, &evm_config_xattrnames, list) { + if (strcmp(xattr->name, tmp->name) == 0) { + err = -EEXIST; + mutex_unlock(&xattr_list_mutex); + goto out; + } + } + list_add_tail_rcu(&xattr->list, &evm_config_xattrnames); + mutex_unlock(&xattr_list_mutex); + + audit_log_format(ab, " res=0"); + audit_log_end(ab); + return count; +out: + audit_log_format(ab, " res=%d", err); + audit_log_end(ab); + kfree(xattr->name); + kfree(xattr); + return err; +} + +static const struct file_operations evm_xattr_ops = { + .read = evm_read_xattrs, + .write = evm_write_xattrs, +}; + +static int evm_init_xattrs(void) +{ + evm_xattrs = securityfs_create_file("evm_xattrs", 0660, evm_dir, NULL, + &evm_xattr_ops); + if (!evm_xattrs || IS_ERR(evm_xattrs)) + return -EFAULT; + + return 0; +} +#else +static int evm_init_xattrs(void) +{ + return 0; +} +#endif + int __init evm_init_secfs(void) { int error = 0; @@ -131,6 +299,11 @@ int __init evm_init_secfs(void) goto out; } + if (evm_init_xattrs() != 0) { + error = -EFAULT; + goto out; + } + return 0; out: securityfs_remove(evm_symlink); -- cgit From f1b08bbcbdaf3160fa95ec95a760a49adf312b67 Mon Sep 17 00:00:00 2001 From: Mimi Zohar Date: Mon, 15 Jan 2018 11:20:36 -0500 Subject: ima: define a new policy condition based on the filesystem name If/when file data signatures are distributed with the file data, this patch will not be needed. In the current environment where only some files are signed, the ability to differentiate between file systems is needed. Some file systems consider the file system magic number internal to the file system. This patch defines a new IMA policy condition named "fsname", based on the superblock's file_system_type (sb->s_type) name. This allows policy rules to be expressed in terms of the filesystem name. The following sample rules require file signatures on rootfs files executed or mmap'ed. appraise func=BPRM_CHECK fsname=rootfs appraise_type=imasig appraise func=FILE_MMAP fsname=rootfs appraise_type=imasig Signed-off-by: Mimi Zohar Cc: Dave Chinner Cc: Theodore Ts'o --- security/integrity/ima/ima_policy.c | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) (limited to 'security/integrity') diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index d89bebf85421..03cbba423e59 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -33,6 +33,7 @@ #define IMA_INMASK 0x0040 #define IMA_EUID 0x0080 #define IMA_PCR 0x0100 +#define IMA_FSNAME 0x0200 #define UNKNOWN 0 #define MEASURE 0x0001 /* same as IMA_MEASURE */ @@ -74,6 +75,7 @@ struct ima_rule_entry { void *args_p; /* audit value */ int type; /* audit type */ } lsm[MAX_LSM_RULES]; + char *fsname; }; /* @@ -273,6 +275,9 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, if ((rule->flags & IMA_FSMAGIC) && rule->fsmagic != inode->i_sb->s_magic) return false; + if ((rule->flags & IMA_FSNAME) + && strcmp(rule->fsname, inode->i_sb->s_type->name)) + return false; if ((rule->flags & IMA_FSUUID) && !uuid_equal(&rule->fsuuid, &inode->i_sb->s_uuid)) return false; @@ -540,7 +545,7 @@ enum { Opt_audit, Opt_hash, Opt_dont_hash, Opt_obj_user, Opt_obj_role, Opt_obj_type, Opt_subj_user, Opt_subj_role, Opt_subj_type, - Opt_func, Opt_mask, Opt_fsmagic, + Opt_func, Opt_mask, Opt_fsmagic, Opt_fsname, Opt_fsuuid, Opt_uid_eq, Opt_euid_eq, Opt_fowner_eq, Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt, Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt, @@ -565,6 +570,7 @@ static match_table_t policy_tokens = { {Opt_func, "func=%s"}, {Opt_mask, "mask=%s"}, {Opt_fsmagic, "fsmagic=%s"}, + {Opt_fsname, "fsname=%s"}, {Opt_fsuuid, "fsuuid=%s"}, {Opt_uid_eq, "uid=%s"}, {Opt_euid_eq, "euid=%s"}, @@ -776,6 +782,17 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) if (!result) entry->flags |= IMA_FSMAGIC; break; + case Opt_fsname: + ima_log_string(ab, "fsname", args[0].from); + + entry->fsname = kstrdup(args[0].from, GFP_KERNEL); + if (!entry->fsname) { + result = -ENOMEM; + break; + } + result = 0; + entry->flags |= IMA_FSNAME; + break; case Opt_fsuuid: ima_log_string(ab, "fsuuid", args[0].from); @@ -1104,6 +1121,12 @@ int ima_policy_show(struct seq_file *m, void *v) seq_puts(m, " "); } + if (entry->flags & IMA_FSNAME) { + snprintf(tbuf, sizeof(tbuf), "%s", entry->fsname); + seq_printf(m, pt(Opt_fsname), tbuf); + seq_puts(m, " "); + } + if (entry->flags & IMA_PCR) { snprintf(tbuf, sizeof(tbuf), "%d", entry->pcr); seq_printf(m, pt(Opt_pcr), tbuf); -- cgit From fd90bc559bfba743ae8de87ff23b92a5e4668062 Mon Sep 17 00:00:00 2001 From: Mimi Zohar Date: Fri, 27 Apr 2018 14:31:40 -0400 Subject: ima: based on policy verify firmware signatures (pre-allocated buffer) Don't differentiate, for now, between kernel_read_file_id READING_FIRMWARE and READING_FIRMWARE_PREALLOC_BUFFER enumerations. Fixes: a098ecd firmware: support loading into a pre-allocated buffer (since 4.8) Signed-off-by: Mimi Zohar Cc: Luis R. Rodriguez Cc: David Howells Cc: Kees Cook Cc: Serge E. Hallyn Cc: Stephen Boyd --- security/integrity/ima/ima_main.c | 1 + 1 file changed, 1 insertion(+) (limited to 'security/integrity') diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index e771b736aa03..83f84928ad76 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -447,6 +447,7 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id) static int read_idmap[READING_MAX_ID] = { [READING_FIRMWARE] = FIRMWARE_CHECK, + [READING_FIRMWARE_PREALLOC_BUFFER] = FIRMWARE_CHECK, [READING_MODULE] = MODULE_CHECK, [READING_KEXEC_IMAGE] = KEXEC_KERNEL_CHECK, [READING_KEXEC_INITRAMFS] = KEXEC_INITRAMFS_CHECK, -- cgit From 6f0911a666d1f99ff72e7848ddee36af7bbce050 Mon Sep 17 00:00:00 2001 From: Mimi Zohar Date: Thu, 12 Apr 2018 00:15:22 -0400 Subject: ima: fix updating the ima_appraise flag As IMA policy rules are added, a mask of the type of rule (eg. kernel modules, firmware, IMA policy) is updated. Unlike custom IMA policy rules, which replace the original builtin policy rules and update the mask, the builtin "secure_boot" policy rules were loaded, but did not update the mask. This patch refactors the code to load custom policies, defining a new function named ima_appraise_flag(). The new function is called either when loading the builtin "secure_boot" or custom policies. Fixes: 503ceaef8e2e ("ima: define a set of appraisal rules requiring file signatures") Signed-off-by: Mimi Zohar --- security/integrity/ima/ima_policy.c | 28 +++++++++++++++++++--------- 1 file changed, 19 insertions(+), 9 deletions(-) (limited to 'security/integrity') diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 03cbba423e59..8bbc18eb07eb 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -440,6 +440,17 @@ void ima_update_policy_flag(void) ima_policy_flag &= ~IMA_APPRAISE; } +static int ima_appraise_flag(enum ima_hooks func) +{ + if (func == MODULE_CHECK) + return IMA_APPRAISE_MODULES; + else if (func == FIRMWARE_CHECK) + return IMA_APPRAISE_FIRMWARE; + else if (func == POLICY_CHECK) + return IMA_APPRAISE_POLICY; + return 0; +} + /** * ima_init_policy - initialize the default measure rules. * @@ -478,9 +489,11 @@ void __init ima_init_policy(void) * Insert the appraise rules requiring file signatures, prior to * any other appraise rules. */ - for (i = 0; i < secure_boot_entries; i++) - list_add_tail(&secure_boot_rules[i].list, - &ima_default_rules); + for (i = 0; i < secure_boot_entries; i++) { + list_add_tail(&secure_boot_rules[i].list, &ima_default_rules); + temp_ima_appraise |= + ima_appraise_flag(secure_boot_rules[i].func); + } for (i = 0; i < appraise_entries; i++) { list_add_tail(&default_appraise_rules[i].list, @@ -934,12 +947,9 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) } if (!result && (entry->action == UNKNOWN)) result = -EINVAL; - else if (entry->func == MODULE_CHECK) - temp_ima_appraise |= IMA_APPRAISE_MODULES; - else if (entry->func == FIRMWARE_CHECK) - temp_ima_appraise |= IMA_APPRAISE_FIRMWARE; - else if (entry->func == POLICY_CHECK) - temp_ima_appraise |= IMA_APPRAISE_POLICY; + else if (entry->action == APPRAISE) + temp_ima_appraise |= ima_appraise_flag(entry->func); + audit_log_format(ab, "res=%d", !result); audit_log_end(ab); return result; -- cgit From b4df86085af9d3f456bed8245cede7c4413dcf83 Mon Sep 17 00:00:00 2001 From: Yisheng Xie Date: Mon, 21 May 2018 19:58:02 +0800 Subject: ima: use match_string() helper match_string() returns the index of an array for a matching string, which can be used intead of open coded variant. Signed-off-by: Yisheng Xie Reviewed-by: Andy Shevchenko Signed-off-by: Mimi Zohar --- security/integrity/ima/ima_main.c | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) (limited to 'security/integrity') diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 83f84928ad76..dca44cf7838e 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -59,14 +59,11 @@ static int __init hash_setup(char *str) goto out; } - for (i = 0; i < HASH_ALGO__LAST; i++) { - if (strcmp(str, hash_algo_name[i]) == 0) { - ima_hash_algo = i; - break; - } - } - if (i == HASH_ALGO__LAST) + i = match_string(hash_algo_name, HASH_ALGO__LAST, str); + if (i < 0) return 1; + + ima_hash_algo = i; out: hash_setup_done = 1; return 1; -- cgit From 53b626f9038ee357a2183a6994c11fd9dfb3f94d Mon Sep 17 00:00:00 2001 From: Petko Manolov Date: Tue, 22 May 2018 17:06:55 +0300 Subject: IMA: use list_splice_tail_init_rcu() instead of its open coded variant Use list_splice_tail_init_rcu() to extend the existing custom IMA policy with additional IMA policy rules. Signed-off-by: Petko Manolov Signed-off-by: Mimi Zohar --- security/integrity/ima/ima_policy.c | 17 ++--------------- 1 file changed, 2 insertions(+), 15 deletions(-) (limited to 'security/integrity') diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 8bbc18eb07eb..cdcc9a7b4e24 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -527,22 +527,9 @@ int ima_check_policy(void) */ void ima_update_policy(void) { - struct list_head *first, *last, *policy; + struct list_head *policy = &ima_policy_rules; - /* append current policy with the new rules */ - first = (&ima_temp_rules)->next; - last = (&ima_temp_rules)->prev; - policy = &ima_policy_rules; - - synchronize_rcu(); - - last->next = policy; - rcu_assign_pointer(list_next_rcu(policy->prev), first); - first->prev = policy->prev; - policy->prev = last; - - /* prepare for the next policy rules addition */ - INIT_LIST_HEAD(&ima_temp_rules); + list_splice_tail_init_rcu(&ima_temp_rules, policy, synchronize_rcu); if (ima_rules != policy) { ima_policy_flag = 0; -- cgit From 825b8650dc3dd064969ce343e918d0eb6bf907fb Mon Sep 17 00:00:00 2001 From: Colin Ian King Date: Sun, 27 May 2018 23:15:02 +0100 Subject: EVM: fix memory leak of temporary buffer 'temp' The allocation of 'temp' is not kfree'd and hence there is a memory leak on each call of evm_read_xattrs. Fix this by kfree'ing it after copying data from it back to the user space buffer 'buf'. Detected by CoverityScan, CID#1469386 ("Resource Leak") Fixes: fa516b66a1bf ("EVM: Allow runtime modification of the set of verified xattrs") Signed-off-by: Colin Ian King Signed-off-by: Mimi Zohar --- security/integrity/evm/evm_secfs.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'security/integrity') diff --git a/security/integrity/evm/evm_secfs.c b/security/integrity/evm/evm_secfs.c index a7a0a1acae99..fb8bc950aceb 100644 --- a/security/integrity/evm/evm_secfs.c +++ b/security/integrity/evm/evm_secfs.c @@ -158,6 +158,8 @@ static ssize_t evm_read_xattrs(struct file *filp, char __user *buf, mutex_unlock(&xattr_list_mutex); rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp)); + kfree(temp); + return rc; } -- cgit From 72acd64df4561593d2ec3227b4aca9b0d7ded50e Mon Sep 17 00:00:00 2001 From: Colin Ian King Date: Sun, 27 May 2018 23:55:10 +0100 Subject: EVM: Fix null dereference on xattr when xattr fails to allocate In the case where the allocation of xattr fails and xattr is NULL, the error exit return path via label 'out' will dereference xattr when kfree'ing xattr-name. Fix this by only kfree'ing xattr->name and xattr when xattr is non-null. Detected by CoverityScan, CID#1469366 ("Dereference after null check") Fixes: fa516b66a1bf ("EVM: Allow runtime modification of the set of verified xattrs") Signed-off-by: Colin Ian King Signed-off-by: Mimi Zohar --- security/integrity/evm/evm_secfs.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'security/integrity') diff --git a/security/integrity/evm/evm_secfs.c b/security/integrity/evm/evm_secfs.c index fb8bc950aceb..cf5cd303d7c0 100644 --- a/security/integrity/evm/evm_secfs.c +++ b/security/integrity/evm/evm_secfs.c @@ -253,8 +253,10 @@ static ssize_t evm_write_xattrs(struct file *file, const char __user *buf, out: audit_log_format(ab, " res=%d", err); audit_log_end(ab); - kfree(xattr->name); - kfree(xattr); + if (xattr) { + kfree(xattr->name); + kfree(xattr); + } return err; } -- cgit From a41d80acfa2764e9b1ce49aa303a263e609d91f7 Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Tue, 29 May 2018 16:11:28 +0300 Subject: EVM: prevent array underflow in evm_write_xattrs() If the user sets xattr->name[0] to NUL then we would read one character before the start of the array. This bug seems harmless as far as I can see but perhaps it would trigger a warning in KASAN. Fixes: fa516b66a1bf ("EVM: Allow runtime modification of the set of verified xattrs") Signed-off-by: Dan Carpenter Signed-off-by: Mimi Zohar --- security/integrity/evm/evm_secfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'security/integrity') diff --git a/security/integrity/evm/evm_secfs.c b/security/integrity/evm/evm_secfs.c index cf5cd303d7c0..3cefef3919e5 100644 --- a/security/integrity/evm/evm_secfs.c +++ b/security/integrity/evm/evm_secfs.c @@ -209,7 +209,7 @@ static ssize_t evm_write_xattrs(struct file *file, const char __user *buf, /* Remove any trailing newline */ len = strlen(xattr->name); - if (xattr->name[len-1] == '\n') + if (len && xattr->name[len-1] == '\n') xattr->name[len-1] = '\0'; if (strcmp(xattr->name, ".") == 0) { -- cgit From b5c90a7526fe39164c2204f0404ce8f8ff21e522 Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Fri, 1 Jun 2018 11:00:05 +0300 Subject: EVM: unlock on error path in evm_read_xattrs() We need to unlock before returning on this error path. Fixes: fa516b66a1bf ("EVM: Allow runtime modification of the set of verified xattrs") Signed-off-by: Dan Carpenter Signed-off-by: Mimi Zohar --- security/integrity/evm/evm_secfs.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'security/integrity') diff --git a/security/integrity/evm/evm_secfs.c b/security/integrity/evm/evm_secfs.c index 3cefef3919e5..637eb999e340 100644 --- a/security/integrity/evm/evm_secfs.c +++ b/security/integrity/evm/evm_secfs.c @@ -147,8 +147,10 @@ static ssize_t evm_read_xattrs(struct file *filp, char __user *buf, size += strlen(xattr->name) + 1; temp = kmalloc(size + 1, GFP_KERNEL); - if (!temp) + if (!temp) { + mutex_unlock(&xattr_list_mutex); return -ENOMEM; + } list_for_each_entry(xattr, &evm_config_xattrnames, list) { sprintf(temp + offset, "%s\n", xattr->name); -- cgit