- 18 Sep, 2014 1 commit
-
-
- 12 Sep, 2014 1 commit
-
-
James Morris authored
Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity into next
-
- 09 Sep, 2014 13 commits
-
-
Dmitry Kasatkin authored
The kernel print macros use the KBUILD_MODNAME, which is initialized to the module name. The current integrity/Makefile makes every file as its own module, so pr_xxx messages are prefixed with the file name instead of the module. Similar to the evm/Makefile and ima/Makefile, this patch fixes the integrity/Makefile to use the single name 'integrity'. Signed-off-by:
Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by:
Mimi Zohar <zohar@linux.vnet.ibm.com>
-
Dmitry Kasatkin authored
The integrity subsystem has lots of options and takes more than half of the security menu. This patch consolidates the options under "integrity", which are hidden if not enabled. This change does not affect existing configurations. Re-configuration is not needed. Changes v4: - no need to change "integrity subsystem" to menuconfig as options are hidden, when not enabled. (Mimi) - add INTEGRITY Kconfig help description Changes v3: - dependency to INTEGRITY removed when behind 'if INTEGRITY' Changes v2: - previous patch moved integrity out of the 'security' menu. This version keeps integrity as a security option (Mimi). Signed-off-by:
-
Dmitry Kasatkin authored
For better visual appearance it is better to co-locate asymmetric key options together with signature support. Signed-off-by:
-
Dmitry Kasatkin authored
IMA uses only one template. This patch initializes only required template to avoid unnecessary memory allocations. Signed-off-by:
Roberto Sassu <roberto.sassu@polito.it> Signed-off-by:
-
Dmitry Kasatkin authored
In all cases except ima_bprm_check() the filename was not defined and ima_d_path() was used to find the full path. Unfortunately, the bprm filename is a relative pathname (eg. ./<dir>/filename). ima_bprm_check() selects between bprm->interp and bprm->filename. The following dump demonstrates the differences between using filename and interp. bprm->filename filename: ./foo.sh, pathname: /root/bin/foo.sh filename: ./foo.sh, pathname: /bin/dash bprm->interp filename: ./foo.sh, pathname: /root/bin/foo.sh filename: /bin/sh, pathname: /bin/dash In both cases the pathnames are currently the same. This patch removes usage of filename and interp in favor of d_absolute_path. Changes v3: - 11 extra bytes for "deleted" not needed (Mimi) - purpose "replace relative bprm filename with full pathname" (Mimi) Changes v2: - use d_absolute_path() instead of d_path to work in chroot environments. Signed-off-by:
-
Dmitry Kasatkin authored
ima_get_action() sets the "action" flags based on policy. Before collecting, measuring, appraising, or auditing the file, the "action" flag is updated based on the cached iint->flags. This patch removes the subsequent unnecessary appraisal test in ima_appraise_measurement(). Signed-off-by:
-
Dmitry Kasatkin authored
Add missing keywords to the function definition to cleanup to discard initialization code. Signed-off-by:
-
Dmitry Kasatkin authored
'function' variable value can be changed instead of allocating extra '_func' variable. Signed-off-by:
-
Dmitry Kasatkin authored
Precede bit testing before string comparison makes code faster. Also refactor statement as a single line pointer assignment. Logic is following: we set 'xattr_ptr' to read xattr value when we will do appraisal or in any case when measurement template is other than 'ima'. Signed-off-by:
-
Dmitry Kasatkin authored
Commit f381c272 "integrity: move ima inode integrity data management" (re)moved few functions but left their declarations in header files. This patch removes them and also removes duplicated declaration of integrity_iint_find(). Commit c7de7adc "ima: remove unused cleanup functions". This patch removes these definitions as well. Signed-off-by:
-
Dmitry Kasatkin authored
If file has IMA signature, IMA in enforce mode, but key is missing then file access is blocked and single error message is printed. If IMA appraisal is enabled in fix mode, then system runs as usual but might produce tons of 'Request for unknown key' messages. This patch switches 'pr_warn' to 'pr_err_ratelimited'. Signed-off-by:
-
Dmitry Kasatkin authored
Empty files and missing xattrs do not guarantee that a file was just created. This patch passes FILE_CREATED flag to IMA to reliably identify new files. Signed-off-by:
-
Dmitry Kasatkin authored
Unless an LSM labels a file during d_instantiate(), newly created files are not labeled with an initial security.evm xattr, until the file closes. EVM, before allowing a protected, security xattr to be written, verifies the existing 'security.evm' value is good. For newly created files without a security.evm label, this verification prevents writing any protected, security xattrs, until the file closes. Following is the example when this happens: fd = open("foo", O_CREAT | O_WRONLY, 0644); setxattr("foo", "security.SMACK64", value, sizeof(value), 0); close(fd); While INTEGRITY_NOXATTRS status is handled in other places, such as evm_inode_setattr(), it does not handle it in all cases in evm_protect_xattr(). By limiting the use of INTEGRITY_NOXATTRS to newly created files, we can now allow setting "protected" xattrs. Changelog: - limit the use of INTEGRITY_NOXATTRS to IMA identified new files Signed-off-by:
-
- 08 Sep, 2014 2 commits
-
-
Dmitry Kasatkin authored
On ima_file_free(), newly created empty files are not labeled with an initial security.ima value, because the iversion did not change. Commit dff6efc3 "fs: fix iversion handling" introduced a change in iversion behavior. To verify this change use the shell command: $ (exec >foo) $ getfattr -h -e hex -d -m security foo This patch defines the IMA_NEW_FILE flag. The flag is initially set, when IMA detects that a new file is created, and subsequently checked on the ima_file_free() hook to set the initial security.ima value. Signed-off-by:
-
Dmitry Kasatkin authored
This patch fixes a bug, where evm_verify_hmac() returns INTEGRITY_PASS if inode->i_op->getxattr() returns an error in evm_find_protected_xattrs. Signed-off-by:
-
- 03 Sep, 2014 2 commits
-
-
Kees Cook authored
This adds two reviewers to the seccomp tree. Signed-off-by:Kees Cook <keescook@chromium.org>
-
David Howells authored
Printing in base signature handling should have a prefix, so set pr_fmt(). Signed-off-by:
David Howells <dhowells@redhat.com> Signed-off-by:
James Morris <james.l.morris@oracle.com>
-
- 02 Sep, 2014 5 commits
-
-
Dmitry Kasatkin authored
This patch fixes checkpatch 'return' warnings introduced with commit 9819cf25 "checkpatch: warn on unnecessary void function return statements". Use scripts/checkpatch.pl --file security/integrity/evm/evm_main.c to produce the warnings. Signed-off-by:
-
Dmitry Kasatkin authored
3.16 commit aad4f8bb 'switch simple generic_file_aio_read() users to ->read_iter()' replaced ->aio_read with ->read_iter in most of the file systems and introduced new_sync_read() as a replacement for do_sync_read(). Most of file systems set '->read' and ima_kernel_read is not affected. When ->read is not set, this patch adopts fallback call changes from the vfs_read. Signed-off-by:
-
Dmitry Kasatkin authored
This patch fixes the case where the file's signature/hash xattr contains an invalid hash algorithm. Although we can not verify the xattr, we still need to measure the file. Use the default IMA hash algorithm. Signed-off-by:
-
Mimi Zohar authored
The patch 3bcced39: "ima: use ahash API for file hash calculation" from Feb 26, 2014, leads to the following static checker warning: security/integrity/ima/ima_crypto.c:204 ima_alloc_atfm() error: buffer overflow 'hash_algo_name' 17 <= 17 Unlike shash tfm memory, which is allocated on initialization, the ahash tfm memory allocation is deferred until needed. This patch fixes the case where ima_ahash_tfm has not yet been allocated and the file's signature/hash xattr contains an invalid hash algorithm. Although we can not verify the xattr, we still need to measure the file. Use the default IMA hash algorithm. Changelog: - set valid algo before testing tfm - based on Dmitry's comment Reported-by:
Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by:
-
Mark Rustad authored
Renaming an unused formal parameter in the static inline function security_inode_init_security eliminates many W=2 warnings. Signed-off-by:
Mark Rustad <mark.d.rustad@intel.com> Signed-off-by:
Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by:
-
- 29 Aug, 2014 3 commits
-
-
Lukasz Pawelczyk authored
Smack used to use a mix of smack_known struct and char* throughout its APIs and implementation. This patch unifies the behaviour and makes it store and operate exclusively on smack_known struct pointers when managing labels. Signed-off-by:Lukasz Pawelczyk <l.pawelczyk@samsung.com> Conflicts: security/smack/smack_access.c security/smack/smack_lsm.c
-
Lukasz Pawelczyk authored
The 54e70ec5 commit introduced a bidirectional check that should have checked for mutual WRITE access between two labels. Due to a typo the second check was incorrect. Signed-off-by:
-
Lukasz Pawelczyk authored
Signed-off-by:
-
- 28 Aug, 2014 1 commit
-
-
Casey Schaufler authored
People keep asking me for permissive mode, and I keep saying "no". Permissive mode is wrong for more reasons than I can enumerate, but the compelling one is that it's once on, never off. Nonetheless, there is an argument to be made for running a process with lots of permissions, logging which are required, and then locking the process down. There wasn't a way to do that with Smack, but this provides it. The notion is that you start out by giving the process an appropriate Smack label, such as "ATBirds". You create rules with a wide range of access and the "b" mode. On Tizen it might be: ATBirds System rwxalb ATBirds User rwxalb ATBirds _ rwxalb User ATBirds wb System ATBirds wb Accesses that fail will generate audit records. Accesses that succeed because of rules marked with a "b" generate log messages identifying the rule, the program and as much object information as is convenient. When the system is properly configured and the programs brought in line with the labeling scheme the "b" mode can be removed from the rules. When the system is ready for production the facility can be configured out. This provides the developer the convenience of permissive mode without creating a system that looks like it is enforcing a policy while it is not. Signed-off-by:Casey Schaufler <casey@schaufler-ca.com>
-
- 25 Aug, 2014 1 commit
-
-
Marcin Niesluchowski authored
While opening with CAP_MAC_OVERRIDE file label is not set. Other calls may access it after CAP_MAC_OVERRIDE is dropped from process. Signed-off-by:Marcin Niesluchowski <m.niesluchow@samsung.com>
-
- 08 Aug, 2014 3 commits
-
-
Konstantin Khlebnikov authored
Values of extended attributes are stored as binary blobs. NULL-termination of them isn't required. It just wastes disk space and confuses command-line tools like getfattr because they have to print that zero byte at the end. This patch removes terminating zero byte from initial security label in smack_inode_init_security and cuts it out in function smack_inode_getsecurity which is used by syscall getxattr. This change seems completely safe, because function smk_parse_smack ignores everything after first zero byte. Signed-off-by:Konstantin Khlebnikov <k.khlebnikov@samsung.com>
-
Konstantin Khlebnikov authored
Zero-length security labels are invalid but kernel should handle them. This patch fixes kernel panic after setting zero-length security labels: # attr -S -s "SMACK64" -V "" file And after writing zero-length string into smackfs files syslog and onlycp: # python -c 'import os; os.write(1, "")' > /smack/syslog The problem is caused by brain-damaged logic in function smk_parse_smack() which takes pointer to buffer and its length but if length below or equal zero it thinks that the buffer is zero-terminated. Unfortunately callers of this function are widely used and proper fix requires serious refactoring. Signed-off-by: -
Konstantin Khlebnikov authored
Security operation ->inode_listsecurity is used for generating list of available extended attributes for syscall listxattr. Currently it's used only in nfs4 or if filesystem doesn't provide i_op->listxattr. The list is the set of NULL-terminated names, one after the other. This method must include zero byte at the and into result. Also this function must return length even if string does not fit into output buffer or it is NULL, see similar method in selinux and man listxattr. Signed-off-by:
-
- 05 Aug, 2014 1 commit
-
-
James Morris authored
Merge tag 'keys-next-20140805' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs into next
-
- 03 Aug, 2014 1 commit
-
-
David Howells authored
Need to export x509_request_asymmetric_key() so that PKCS#7 can use it if compiled as a module. Reported-by:
James Morris <jmorris@namei.org> Signed-off-by:
-
- 02 Aug, 2014 1 commit
-
-
- 01 Aug, 2014 4 commits
-
-
Paul Moore authored
Historically the NetLabel LSM secattr catmap functions and data structures have had very long names which makes a mess of the NetLabel code and anyone who uses NetLabel. This patch renames the catmap functions and structures from "*_secattr_catmap_*" to just "*_catmap_*" which improves things greatly. There are no substantial code or logic changes in this patch. Signed-off-by:
Paul Moore <pmoore@redhat.com> Tested-by:
-
Paul Moore authored
The two NetLabel LSM secattr catmap walk functions didn't handle certain edge conditions correctly, causing incorrect security labels to be generated in some cases. This patch corrects these problems and converts the functions to use the new _netlbl_secattr_catmap_getnode() function in order to reduce the amount of repeated code. Cc: stable@vger.kernel.org Signed-off-by:
-
Paul Moore authored
The NetLabel secattr catmap functions, and the SELinux import/export glue routines, were broken in many horrible ways and the SELinux glue code fiddled with the NetLabel catmap structures in ways that we probably shouldn't allow. At some point this "worked", but that was likely due to a bit of dumb luck and sub-par testing (both inflicted by yours truly). This patch corrects these problems by basically gutting the code in favor of something less obtuse and restoring the NetLabel abstractions in the SELinux catmap glue code. Everything is working now, and if it decides to break itself in the future this code will be much easier to debug than the code it replaces. One noteworthy side effect of the changes is that it is no longer necessary to allocate a NetLabel catmap before calling one of the NetLabel APIs to set a bit in the catmap. NetLabel will automatically allocate the catmap nodes when needed, resulting in less allocations when the lowest bit is greater than 255 and less code in the LSMs. Cc: stable@vger.kernel.org Reported-by:
Christian Evans <frodox@zoho.com> Signed-off-by:
-
Paul Moore authored
The NetLabel category (catmap) functions have a problem in that they assume categories will be set in an increasing manner, e.g. the next category set will always be larger than the last. Unfortunately, this is not a valid assumption and could result in problems when attempting to set categories less than the startbit in the lowest catmap node. In some cases kernel panics and other nasties can result. This patch corrects the problem by checking for this and allocating a new catmap node instance and placing it at the front of the list. Cc: stable@vger.kernel.org Reported-by:
-
- 31 Jul, 2014 1 commit
-
-
David Howells authored
X.509 certificate issuer and subject fields are mandatory fields in the ASN.1 and so their existence needn't be tested for. They are guaranteed to end up with an empty string if the name material has nothing we can use (see x509_fabricate_name()). Reported-by:
Vivek Goyal <vgoyal@redhat.com>
-
