diff options
author | James Morris <james.morris@microsoft.com> | 2019-02-14 10:55:42 -0800 |
---|---|---|
committer | James Morris <james.morris@microsoft.com> | 2019-02-14 10:55:42 -0800 |
commit | 2e884fc9759d8816630d3c30694721a39b7396e0 (patch) | |
tree | 83c213634f69eec583f1d4ca7234e78ccf367435 /security | |
parent | e7a44cfd639945a0dec749f896adc1d340c2a6aa (diff) | |
parent | e7fde070f39bc058c356cf366cb17ac2d643abb0 (diff) |
Merge branch 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity into next-integrity
From: Mimi Zohar <zohar@linux.ibm.com>
Linux 5.0 introduced the platform keyring to allow verifying the IMA
kexec kernel image signature using the pre-boot keys. This pull
request similarly makes keys on the platform keyring accessible for
verifying the PE kernel image signature.*
Also included in this pull request is a new IMA hook that tags tmp
files, in policy, indicating the file hash needs to be calculated.
The remaining patches are cleanup.
*Upstream commit "993a110319a4 (x86/kexec: Fix a kexec_file_load()
failure)" is required for testing.
Diffstat (limited to 'security')
-rw-r--r-- | security/integrity/digsig.c | 3 | ||||
-rw-r--r-- | security/integrity/evm/evm_crypto.c | 3 | ||||
-rw-r--r-- | security/integrity/evm/evm_main.c | 6 | ||||
-rw-r--r-- | security/integrity/ima/ima_main.c | 35 | ||||
-rw-r--r-- | security/keys/encrypted-keys/encrypted.c | 4 |
5 files changed, 40 insertions, 11 deletions
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index f45d6edecf99..e19c2eb72c51 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -87,6 +87,9 @@ static int __integrity_init_keyring(const unsigned int id, key_perm_t perm, pr_info("Can't allocate %s keyring (%d)\n", keyring_name[id], err); keyring[id] = NULL; + } else { + if (id == INTEGRITY_KEYRING_PLATFORM) + set_platform_trusted_keys(keyring[id]); } return err; diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c index 43e2dc3a60d0..c37d08118af5 100644 --- a/security/integrity/evm/evm_crypto.c +++ b/security/integrity/evm/evm_crypto.c @@ -173,8 +173,7 @@ static void hmac_add_misc(struct shash_desc *desc, struct inode *inode, crypto_shash_update(desc, (const u8 *)&hmac_misc, sizeof(hmac_misc)); if ((evm_hmac_attrs & EVM_ATTR_FSUUID) && type != EVM_XATTR_PORTABLE_DIGSIG) - crypto_shash_update(desc, &inode->i_sb->s_uuid.b[0], - sizeof(inode->i_sb->s_uuid)); + crypto_shash_update(desc, (u8 *)&inode->i_sb->s_uuid, UUID_SIZE); crypto_shash_final(desc, digest); } diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index 5ecaa3d6fe0b..b6d9f14bc234 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c @@ -563,7 +563,6 @@ static int __init init_evm(void) { int error; struct list_head *pos, *q; - struct xattr_list *xattr; evm_init_config(); @@ -580,11 +579,8 @@ static int __init init_evm(void) error: if (error != 0) { if (!list_empty(&evm_config_xattrnames)) { - list_for_each_safe(pos, q, &evm_config_xattrnames) { - xattr = list_entry(pos, struct xattr_list, - list); + list_for_each_safe(pos, q, &evm_config_xattrnames) list_del(pos); - } } } diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 4ffac4f5c647..357edd140c09 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -397,6 +397,33 @@ int ima_file_check(struct file *file, int mask) EXPORT_SYMBOL_GPL(ima_file_check); /** + * ima_post_create_tmpfile - mark newly created tmpfile as new + * @file : newly created tmpfile + * + * No measuring, appraising or auditing of newly created tmpfiles is needed. + * Skip calling process_measurement(), but indicate which newly, created + * tmpfiles are in policy. + */ +void ima_post_create_tmpfile(struct inode *inode) +{ + struct integrity_iint_cache *iint; + int must_appraise; + + must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK); + if (!must_appraise) + return; + + /* Nothing to do if we can't allocate memory */ + iint = integrity_inode_get(inode); + if (!iint) + return; + + /* needed for writing the security xattrs */ + set_bit(IMA_UPDATE_XATTR, &iint->atomic_flags); + iint->ima_file_status = INTEGRITY_PASS; +} + +/** * ima_post_path_mknod - mark as a new inode * @dentry: newly created dentry * @@ -413,9 +440,13 @@ void ima_post_path_mknod(struct dentry *dentry) if (!must_appraise) return; + /* Nothing to do if we can't allocate memory */ iint = integrity_inode_get(inode); - if (iint) - iint->flags |= IMA_NEW_FILE; + if (!iint) + return; + + /* needed for re-opening empty files */ + iint->flags |= IMA_NEW_FILE; } /** diff --git a/security/keys/encrypted-keys/encrypted.c b/security/keys/encrypted-keys/encrypted.c index 389a298274d3..347108f660a1 100644 --- a/security/keys/encrypted-keys/encrypted.c +++ b/security/keys/encrypted-keys/encrypted.c @@ -60,11 +60,11 @@ static int blksize; static struct crypto_shash *hash_tfm; enum { - Opt_err = -1, Opt_new, Opt_load, Opt_update + Opt_new, Opt_load, Opt_update, Opt_err }; enum { - Opt_error = -1, Opt_default, Opt_ecryptfs, Opt_enc32 + Opt_default, Opt_ecryptfs, Opt_enc32, Opt_error }; static const match_table_t key_format_tokens = { |