diff options
Diffstat (limited to 'security/integrity/ima')
-rw-r--r-- | security/integrity/ima/Kconfig | 3 | ||||
-rw-r--r-- | security/integrity/ima/Makefile | 3 | ||||
-rw-r--r-- | security/integrity/ima/ima.h | 9 | ||||
-rw-r--r-- | security/integrity/ima/ima_api.c | 4 | ||||
-rw-r--r-- | security/integrity/ima/ima_audit.c | 3 | ||||
-rw-r--r-- | security/integrity/ima/ima_fs.c | 11 | ||||
-rw-r--r-- | security/integrity/ima/ima_init.c | 5 | ||||
-rw-r--r-- | security/integrity/ima/ima_main.c | 50 | ||||
-rw-r--r-- | security/integrity/ima/ima_policy.c | 2 |
9 files changed, 57 insertions, 33 deletions
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index 35664fe6daa1..b9c1219924f1 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig @@ -38,8 +38,9 @@ config IMA_MEASURE_PCR_IDX measurement list. If unsure, use the default 10. config IMA_AUDIT - bool + bool "Enables auditing support" depends on IMA + depends on AUDIT default y help This option adds a kernel parameter 'ima_audit', which diff --git a/security/integrity/ima/Makefile b/security/integrity/ima/Makefile index 5690c021de8f..5f740f6971e1 100644 --- a/security/integrity/ima/Makefile +++ b/security/integrity/ima/Makefile @@ -6,4 +6,5 @@ obj-$(CONFIG_IMA) += ima.o ima-y := ima_fs.o ima_queue.o ima_init.o ima_main.o ima_crypto.o ima_api.o \ - ima_policy.o ima_audit.o + ima_policy.o +ima-$(CONFIG_IMA_AUDIT) += ima_audit.o diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 3ccf7acac6df..e7c99fd0d223 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -61,10 +61,19 @@ struct ima_queue_entry { }; extern struct list_head ima_measurements; /* list of all measurements */ +#ifdef CONFIG_IMA_AUDIT /* declarations */ void integrity_audit_msg(int audit_msgno, struct inode *inode, const unsigned char *fname, const char *op, const char *cause, int result, int info); +#else +static inline void integrity_audit_msg(int audit_msgno, struct inode *inode, + const unsigned char *fname, + const char *op, const char *cause, + int result, int info) +{ +} +#endif /* Internal IMA function definitions */ int ima_init(void); diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index 88a2788b981d..032ff03ad907 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -175,7 +175,9 @@ void ima_store_measurement(struct integrity_iint_cache *iint, } memset(&entry->template, 0, sizeof(entry->template)); memcpy(entry->template.digest, iint->digest, IMA_DIGEST_SIZE); - strncpy(entry->template.file_name, filename, IMA_EVENT_NAME_LEN_MAX); + strcpy(entry->template.file_name, + (strlen(filename) > IMA_EVENT_NAME_LEN_MAX) ? + file->f_dentry->d_name.name : filename); result = ima_store_template(entry, violation, inode); if (!result || result == -EEXIST) diff --git a/security/integrity/ima/ima_audit.c b/security/integrity/ima/ima_audit.c index 21e96bf188df..7a57f6769e9c 100644 --- a/security/integrity/ima/ima_audit.c +++ b/security/integrity/ima/ima_audit.c @@ -17,8 +17,6 @@ static int ima_audit; -#ifdef CONFIG_IMA_AUDIT - /* ima_audit_setup - enable informational auditing messages */ static int __init ima_audit_setup(char *str) { @@ -29,7 +27,6 @@ static int __init ima_audit_setup(char *str) return 1; } __setup("ima_audit=", ima_audit_setup); -#endif void integrity_audit_msg(int audit_msgno, struct inode *inode, const unsigned char *fname, const char *op, diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c index e1aa2b482dd2..38477c9c3415 100644 --- a/security/integrity/ima/ima_fs.c +++ b/security/integrity/ima/ima_fs.c @@ -367,20 +367,11 @@ int __init ima_fs_init(void) return 0; out: - securityfs_remove(runtime_measurements_count); - securityfs_remove(ascii_runtime_measurements); - securityfs_remove(binary_runtime_measurements); - securityfs_remove(ima_dir); - securityfs_remove(ima_policy); - return -1; -} - -void __exit ima_fs_cleanup(void) -{ securityfs_remove(violations); securityfs_remove(runtime_measurements_count); securityfs_remove(ascii_runtime_measurements); securityfs_remove(binary_runtime_measurements); securityfs_remove(ima_dir); securityfs_remove(ima_policy); + return -1; } diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c index 17f1f060306f..b5dfd534f13d 100644 --- a/security/integrity/ima/ima_init.c +++ b/security/integrity/ima/ima_init.c @@ -90,8 +90,3 @@ int __init ima_init(void) return ima_fs_init(); } - -void __exit ima_cleanup(void) -{ - ima_fs_cleanup(); -} diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index b17be79b9cf2..be8294915cf7 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -54,6 +54,7 @@ static void ima_rdwr_violation_check(struct file *file) fmode_t mode = file->f_mode; int rc; bool send_tomtou = false, send_writers = false; + unsigned char *pathname = NULL, *pathbuf = NULL; if (!S_ISREG(inode->i_mode) || !ima_initialized) return; @@ -75,12 +76,27 @@ static void ima_rdwr_violation_check(struct file *file) out: mutex_unlock(&inode->i_mutex); + if (!send_tomtou && !send_writers) + return; + + /* We will allow 11 spaces for ' (deleted)' to be appended */ + pathbuf = kmalloc(PATH_MAX + 11, GFP_KERNEL); + if (pathbuf) { + pathname = d_path(&file->f_path, pathbuf, PATH_MAX + 11); + if (IS_ERR(pathname)) + pathname = NULL; + else if (strlen(pathname) > IMA_EVENT_NAME_LEN_MAX) + pathname = NULL; + } if (send_tomtou) - ima_add_violation(inode, dentry->d_name.name, "invalid_pcr", - "ToMToU"); + ima_add_violation(inode, + !pathname ? dentry->d_name.name : pathname, + "invalid_pcr", "ToMToU"); if (send_writers) - ima_add_violation(inode, dentry->d_name.name, "invalid_pcr", - "open_writers"); + ima_add_violation(inode, + !pathname ? dentry->d_name.name : pathname, + "invalid_pcr", "open_writers"); + kfree(pathbuf); } static void ima_check_last_writer(struct integrity_iint_cache *iint, @@ -123,6 +139,7 @@ static int process_measurement(struct file *file, const unsigned char *filename, { struct inode *inode = file->f_dentry->d_inode; struct integrity_iint_cache *iint; + unsigned char *pathname = NULL, *pathbuf = NULL; int rc = 0; if (!ima_initialized || !S_ISREG(inode->i_mode)) @@ -147,8 +164,21 @@ retry: goto out; rc = ima_collect_measurement(iint, file); - if (!rc) - ima_store_measurement(iint, file, filename); + if (rc != 0) + goto out; + + if (function != BPRM_CHECK) { + /* We will allow 11 spaces for ' (deleted)' to be appended */ + pathbuf = kmalloc(PATH_MAX + 11, GFP_KERNEL); + if (pathbuf) { + pathname = + d_path(&file->f_path, pathbuf, PATH_MAX + 11); + if (IS_ERR(pathname)) + pathname = NULL; + } + } + ima_store_measurement(iint, file, !pathname ? filename : pathname); + kfree(pathbuf); out: mutex_unlock(&iint->mutex); return rc; @@ -228,15 +258,11 @@ static int __init init_ima(void) int error; error = ima_init(); - ima_initialized = 1; + if (!error) + ima_initialized = 1; return error; } -static void __exit cleanup_ima(void) -{ - ima_cleanup(); -} - late_initcall(init_ima); /* Start IMA after the TPM is available */ MODULE_DESCRIPTION("Integrity Measurement Architecture"); diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index d8edff209bf3..1a9583008aae 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -63,6 +63,8 @@ static struct ima_measure_rule_entry default_rules[] = { {.action = DONT_MEASURE,.fsmagic = DEBUGFS_MAGIC,.flags = IMA_FSMAGIC}, {.action = DONT_MEASURE,.fsmagic = TMPFS_MAGIC,.flags = IMA_FSMAGIC}, {.action = DONT_MEASURE,.fsmagic = RAMFS_MAGIC,.flags = IMA_FSMAGIC}, + {.action = DONT_MEASURE,.fsmagic = DEVPTS_SUPER_MAGIC,.flags = IMA_FSMAGIC}, + {.action = DONT_MEASURE,.fsmagic = BINFMTFS_MAGIC,.flags = IMA_FSMAGIC}, {.action = DONT_MEASURE,.fsmagic = SECURITYFS_MAGIC,.flags = IMA_FSMAGIC}, {.action = DONT_MEASURE,.fsmagic = SELINUX_MAGIC,.flags = IMA_FSMAGIC}, {.action = MEASURE,.func = FILE_MMAP,.mask = MAY_EXEC, |