
Commit 00d535a3 authored by Linus Torvalds's avatar Linus Torvalds

Merge branch 'next-integrity' of...

Merge branch 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull integrity updates from James Morris:
 "From Mimi:

   - add run time support for specifying additional security xattrs
     included in the security.evm HMAC/signature

   - some code clean up and bug fixes"

* 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  EVM: unlock on error path in evm_read_xattrs()
  EVM: prevent array underflow in evm_write_xattrs()
  EVM: Fix null dereference on xattr when xattr fails to allocate
  EVM: fix memory leak of temporary buffer 'temp'
  IMA: use list_splice_tail_init_rcu() instead of its open coded variant
  ima: use match_string() helper
  ima: fix updating the ima_appraise flag
  ima: based on policy verify firmware signatures (pre-allocated buffer)
  ima: define a new policy condition based on the filesystem name
  EVM: Allow runtime modification of the set of verified xattrs
  EVM: turn evm_config_xattrnames into a list
  integrity: Add an integrity directory in securityfs
  ima: Remove unused variable ima_initialized
  ima: Unify logging
  ima: Reflect correct permissions for policy
parents 289cf155 b5c90a75
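--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -57,3 +57,16 @@ Description:
 		dracut (via 97masterkey and 98integrity) and systemd (via
 		core/ima-setup) have support for loading keys at boot
 		time.
+
+What:		security/integrity/evm/evm_xattrs
+Date:		April 2018
+Contact:	Matthew Garrett <mjg59@google.com>
+Description:
+		Shows the set of extended attributes used to calculate or
+		validate the EVM signature, and allows additional attributes
+		to be added at runtime. Any signatures generated after
+		additional attributes are added (and on files posessing those
+		additional attributes) will only be valid if the same
+		additional attributes are configured on system boot. Writing
+		a single period (.) will lock the xattr list from any further
+		modification.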
+1 −1
@@ -21,7 +21,7 @@ Description:
			audit | hash | dont_hash
			audit | hash | dont_hash
		condition:= base | lsm  [option]
		condition:= base | lsm  [option]
			base:	[[func=] [mask=] [fsmagic=] [fsuuid=] [uid=]
			base:	[[func=] [mask=] [fsmagic=] [fsuuid=] [uid=]
				[euid=] [fowner=]]
				[euid=] [fowner=] [fsname=]]
			lsm:	[[subj_user=] [subj_role=] [subj_type=]
			lsm:	[[subj_user=] [subj_role=] [subj_type=]
				 [obj_user=] [obj_role=] [obj_type=]]
				 [obj_user=] [obj_role=] [obj_type=]]
			option:	[[appraise_type=]] [permit_directio]
			option:	[[appraise_type=]] [permit_directio]
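--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -147,6 +147,7 @@
 #define AUDIT_INTEGRITY_HASH	    1803 /* Integrity HASH type */
 #define AUDIT_INTEGRITY_PCR	    1804 /* PCR invalidation msgs */
 #define AUDIT_INTEGRITY_RULE	    1805 /* policy rule */
+#define AUDIT_INTEGRITY_EVM_XATTR   1806 /* New EVM-covered xattr */
 
 #define AUDIT_KERNEL		2000	/* Asynchronous audit record. NOT A REQUEST. */
 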
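--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -42,6 +42,17 @@ config EVM_EXTRA_SMACK_XATTRS
 	  additional info to the calculation, requires existing EVM
 	  labeled file systems to be relabeled.
 
+config EVM_ADD_XATTRS
+	bool "Add additional EVM extended attributes at runtime"
+	depends on EVM
+	default n
+	help
+	  Allow userland to provide additional xattrs for HMAC calculation.
+
+	  When this option is enabled, root can add additional xattrs to the
+	  list used by EVM by writing them into
+	  /sys/kernel/security/integrity/evm/evm_xattrs.
+
 config EVM_LOAD_X509
 	bool "Load an X509 certificate onto the '.evm' trusted keyring"
 	depends on EVM && INTEGRITY_TRUSTED_KEYRING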
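Review bot: The EVM_ADD_XATTRS help text stops at the securityfs path and does not tell the administrator that the list can be sealed, even though the ABI entry added in this same commit states that writing a single period locks the xattr list against any further modification. Since the set of covered xattrs directly determines which files keep a valid HMAC across boots, the help text should carry the same operational facts: `Writing a single period (.) to this file locks the list against further modification.` after the path line, and a sentence that xattrs added at runtime must be configured identically on every boot for signatures to remain valid. `default n` on the `bool` is the Kconfig default and can be dropped. Whether the write is gated on root or on a capability is not visible on this page; the help text should match whatever check the write handler actually performs.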
+6 −1
@@ -30,6 +30,11 @@
#define EVM_INIT_MASK (EVM_INIT_HMAC | EVM_INIT_X509 | EVM_SETUP_COMPLETE | \
#define EVM_INIT_MASK (EVM_INIT_HMAC | EVM_INIT_X509 | EVM_SETUP_COMPLETE | \
		       EVM_ALLOW_METADATA_WRITES)
		       EVM_ALLOW_METADATA_WRITES)


struct xattr_list {
	struct list_head list;
	char *name;
};

extern int evm_initialized;
extern int evm_initialized;


#define EVM_ATTR_FSUUID		0x0001
#define EVM_ATTR_FSUUID		0x0001
@@ -40,7 +45,7 @@ extern struct crypto_shash *hmac_tfm;
extern struct crypto_shash *hash_tfm;
extern struct crypto_shash *hash_tfm;


/* List of EVM protected security xattrs */
/* List of EVM protected security xattrs */
extern char *evm_config_xattrnames[];
extern struct list_head evm_config_xattrnames;


int evm_init_key(void);
int evm_init_key(void);
int evm_update_evmxattr(struct dentry *dentry,
int evm_update_evmxattr(struct dentry *dentry,
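Review bot: `struct xattr_list` in the first hunk is added without a comment saying what `name` points to or who owns and frees it, and the second hunk keeps the old comment `/* List of EVM protected security xattrs */` over `evm_config_xattrnames` although that symbol is no longer the static array the comment was written for but a list head that this series makes writable at runtime. Suggest `/* One xattr name covered by the EVM HMAC; linked on evm_config_xattrnames */` above the struct, and rewording the list comment to `/* List of EVM protected security xattrs (struct xattr_list); extendable at runtime via securityfs when CONFIG_EVM_ADD_XATTRS is set */`. Because readers in the HMAC path now walk a mutable list, the header should also state the locking or RCU discipline a traverser must follow and whether `name` may be freed once an entry is published; the merge list mentions an unlock on the error path of evm_read_xattrs(), so a lock presumably exists, but its scope is not visible here. The `evm_update_evmxattr` prototype continues past the end of the hunk.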