1. 18 Sep, 2014 1 commit
    • Roberto Sassu's avatar
      ima: fix race condition on ima_rdwr_violation_check and process_measurement · f7a859ff
      Roberto Sassu authored
      This patch fixes a race condition between two functions that try to access
      the same inode. Since the i_mutex lock is held and released separately
      in the two functions, there may be the possibility that a violation is
      not correctly detected.
      
      Suppose there are two processes, A (reader) and B (writer), if the
      following sequence happens:
      
      A: ima_rdwr_violation_check()
      B: ima_rdwr_violation_check()
      B: process_measurement()
      B: starts writing the inode
      A: process_measurement()
      
      the ToMToU violation (a reader may be accessing a content different from
      that measured, due to a concurrent modification by a writer) will not be
      detected. To avoid this issue, the violation check and the measurement
      must be done atomically.
      
      This patch fixes the problem by moving the violation check inside
      process_measurement() when the i_mutex lock is held. Differently from
      the old code, the violation check is executed also for the MMAP_CHECK
      hook (other than for FILE_CHECK). This allows to detect ToMToU violations
      that are possible because shared libraries can be opened for writing
      while they are in use (according to the output of 'man mmap', the mmap()
      flag MAP_DENYWRITE is ignored).
      
      Changes in v5 (Roberto Sassu):
      * get iint if action is not zero
      * exit process_measurement() after the violation check if action is zero
      * reverse order process_measurement() exit cleanup (Mimi)
      
      Changes in v4 (Dmitry Kasatkin):
      * iint allocation is done before calling ima_rdrw_violation_check()
        (Suggested-by Mimi)
      * do not check for violations if the policy does not contain 'measure'
        rules (done by Roberto Sassu)
      
      Changes in v3 (Dmitry Kasatkin):
      * no violation checking for MMAP_CHECK function in this patch
      * remove use of filename from violation
      * removes checking if ima is enabled from ima_rdrw_violation_check
      * slight style change
      Suggested-by: default avatarDmitry Kasatkin <d.kasatkin@samsung.com>
      Signed-off-by: default avatarRoberto Sassu <roberto.sassu@polito.it>
      Signed-off-by: default avatarDmitry Kasatkin <d.kasatkin@samsung.com>
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      f7a859ff
  2. 17 Sep, 2014 4 commits
    • Roberto Sassu's avatar
      ima: added ima_policy_flag variable · a756024e
      Roberto Sassu authored
      This patch introduces the new variable 'ima_policy_flag', whose bits
      are set depending on the action of the current policy rules. Only the
      flags IMA_MEASURE, IMA_APPRAISE and IMA_AUDIT are set.
      
      The new variable will be used to improve performance by skipping the
      unnecessary execution of IMA code if the policy does not contain rules
      with the above actions.
      
      Changes in v6 (Roberto Sassu)
      * do not check 'ima_initialized' before calling ima_update_policy_flag()
        in ima_update_policy() (suggested by Dmitry)
      * calling ima_update_policy_flag() moved to init_ima to co-locate with
        ima_initialized (Dmitry)
      * add/revise comments (Mimi)
      
      Changes in v5 (Roberto Sassu)
      * reset IMA_APPRAISE flag in 'ima_policy_flag' if 'ima_appraise' is set
        to zero (reported by Dmitry)
      * update 'ima_policy_flag' only if IMA initialization is successful
        (suggested by Mimi and Dmitry)
      * check 'ima_policy_flag' instead of 'ima_initialized'
        (suggested by Mimi and Dmitry)
      Signed-off-by: default avatarRoberto Sassu <roberto.sassu@polito.it>
      Signed-off-by: default avatarDmitry Kasatkin <d.kasatkin@samsung.com>
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      a756024e
    • Roberto Sassu's avatar
      ima: return an error code from ima_add_boot_aggregate() · be39ffc2
      Roberto Sassu authored
      This patch modifies ima_add_boot_aggregate() to return an error code.
      This way we can determine if all the initialization procedures have
      been executed successfully.
      Signed-off-by: default avatarRoberto Sassu <roberto.sassu@polito.it>
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      be39ffc2
    • Dmitry Kasatkin's avatar
      ima: provide 'ima_appraise=log' kernel option · 2faa6ef3
      Dmitry Kasatkin authored
      The kernel boot parameter "ima_appraise" currently defines 'off',
      'enforce' and 'fix' modes.  When designing a policy and labeling
      the system, access to files are either blocked in the default
      'enforce' mode or automatically fixed in the 'fix' mode.  It is
      beneficial to be able to run the system in a logging only mode,
      without fixing it, in order to properly analyze the system. This
      patch adds a 'log' mode to run the system in a permissive mode and
      log the appraisal results.
      Signed-off-by: default avatarDmitry Kasatkin <d.kasatkin@samsung.com>
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      2faa6ef3
    • Dmitry Kasatkin's avatar
      ima: move keyring initialization to ima_init() · 31b70f66
      Dmitry Kasatkin authored
      ima_init() is used as a single place for all initializations.
      Experimental keyring patches used the 'late_initcall' which was
      co-located with the late_initcall(init_ima). When the late_initcall
      for the keyring initialization was abandoned, initialization moved
      to init_ima, though it would be more logical to move it to ima_init,
      where the rest of the initialization is done. This patch moves the
      keyring initialization to ima_init() as a preparatory step for
      loading the keys which will be added to ima_init() in following
      patches.
      Signed-off-by: default avatarDmitry Kasatkin <d.kasatkin@samsung.com>
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      31b70f66
  3. 12 Sep, 2014 1 commit
  4. 09 Sep, 2014 13 commits
  5. 08 Sep, 2014 2 commits
  6. 03 Sep, 2014 2 commits
  7. 02 Sep, 2014 5 commits
  8. 05 Aug, 2014 1 commit
  9. 03 Aug, 2014 1 commit
  10. 02 Aug, 2014 1 commit
  11. 01 Aug, 2014 4 commits
    • Paul Moore's avatar
      netlabel: shorter names for the NetLabel catmap funcs/structs · 4fbe63d1
      Paul Moore authored
      Historically the NetLabel LSM secattr catmap functions and data
      structures have had very long names which makes a mess of the NetLabel
      code and anyone who uses NetLabel.  This patch renames the catmap
      functions and structures from "*_secattr_catmap_*" to just "*_catmap_*"
      which improves things greatly.
      
      There are no substantial code or logic changes in this patch.
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      Tested-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      4fbe63d1
    • Paul Moore's avatar
      netlabel: fix the catmap walking functions · d960a618
      Paul Moore authored
      The two NetLabel LSM secattr catmap walk functions didn't handle
      certain edge conditions correctly, causing incorrect security labels
      to be generated in some cases.  This patch corrects these problems and
      converts the functions to use the new _netlbl_secattr_catmap_getnode()
      function in order to reduce the amount of repeated code.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      Tested-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      d960a618
    • Paul Moore's avatar
      netlabel: fix the horribly broken catmap functions · 4b8feff2
      Paul Moore authored
      The NetLabel secattr catmap functions, and the SELinux import/export
      glue routines, were broken in many horrible ways and the SELinux glue
      code fiddled with the NetLabel catmap structures in ways that we
      probably shouldn't allow.  At some point this "worked", but that was
      likely due to a bit of dumb luck and sub-par testing (both inflicted
      by yours truly).  This patch corrects these problems by basically
      gutting the code in favor of something less obtuse and restoring the
      NetLabel abstractions in the SELinux catmap glue code.
      
      Everything is working now, and if it decides to break itself in the
      future this code will be much easier to debug than the code it
      replaces.
      
      One noteworthy side effect of the changes is that it is no longer
      necessary to allocate a NetLabel catmap before calling one of the
      NetLabel APIs to set a bit in the catmap.  NetLabel will automatically
      allocate the catmap nodes when needed, resulting in less allocations
      when the lowest bit is greater than 255 and less code in the LSMs.
      
      Cc: stable@vger.kernel.org
      Reported-by: default avatarChristian Evans <frodox@zoho.com>
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      Tested-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      4b8feff2
    • Paul Moore's avatar
      netlabel: fix a problem when setting bits below the previously lowest bit · 41c3bd20
      Paul Moore authored
      The NetLabel category (catmap) functions have a problem in that they
      assume categories will be set in an increasing manner, e.g. the next
      category set will always be larger than the last.  Unfortunately, this
      is not a valid assumption and could result in problems when attempting
      to set categories less than the startbit in the lowest catmap node.
      In some cases kernel panics and other nasties can result.
      
      This patch corrects the problem by checking for this and allocating a
      new catmap node instance and placing it at the front of the list.
      
      Cc: stable@vger.kernel.org
      Reported-by: default avatarChristian Evans <frodox@zoho.com>
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      Tested-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      41c3bd20
  12. 31 Jul, 2014 1 commit
  13. 29 Jul, 2014 4 commits