Commit d266b3f5 authored by Linus Torvalds's avatar Linus Torvalds

Merge branch 'next-fixes-for-5.2-rc' of...

Merge branch 'next-fixes-for-5.2-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity

Pull integrity subsystem fixes from Mimi Zohar:
 "Four bug fixes, none 5.2-specific, all marked for stable.

  The first two are related to the architecture specific IMA policy
  support. The other two patches, one is related to EVM signatures,
  based on additional hash algorithms, and the other is related to
  displaying the IMA policy"

* 'next-fixes-for-5.2-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
  ima: show rules with IMA_INMASK correctly
  evm: check hash algorithm passed to init_desc()
  ima: fix wrong signed policy requirement when not appraising
  x86/ima: Check EFI_RUNTIME_SERVICES before using
parents 8164c571 8cdc23a3
...@@ -18,6 +18,11 @@ static enum efi_secureboot_mode get_sb_mode(void) ...@@ -18,6 +18,11 @@ static enum efi_secureboot_mode get_sb_mode(void)
size = sizeof(secboot); size = sizeof(secboot);
if (!efi_enabled(EFI_RUNTIME_SERVICES)) {
pr_info("ima: secureboot mode unknown, no efi\n");
return efi_secureboot_mode_unknown;
}
/* Get variable contents into buffer */ /* Get variable contents into buffer */
status = efi.get_variable(efi_SecureBoot_name, &efi_variable_guid, status = efi.get_variable(efi_SecureBoot_name, &efi_variable_guid,
NULL, &size, &secboot); NULL, &size, &secboot);
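Review bot: The new early return gives no reason why EFI_RUNTIME_SERVICES must be enabled before the efi.get_variable() call that follows it; a one-line why-comment would help, e.g. `/* efi.get_variable() needs EFI runtime services; without them the SecureBoot variable cannot be read */`. The `size = sizeof(secboot);` assignment at the top of the hunk is evaluated before the guard and is dead on the early-return path, so moving the guard above it is a small tidy-up. How callers treat efi_secureboot_mode_unknown (whether it selects a less strict arch policy) is outside the hunk and would be worth stating in the comment, since it is the security-relevant consequence of this path. get_sb_mode's body continues outside the hunk.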
......
...@@ -89,6 +89,9 @@ static struct shash_desc *init_desc(char type, uint8_t hash_algo) ...@@ -89,6 +89,9 @@ static struct shash_desc *init_desc(char type, uint8_t hash_algo)
tfm = &hmac_tfm; tfm = &hmac_tfm;
algo = evm_hmac; algo = evm_hmac;
} else { } else {
if (hash_algo >= HASH_ALGO__LAST)
return ERR_PTR(-EINVAL);
tfm = &evm_tfm[hash_algo]; tfm = &evm_tfm[hash_algo];
algo = hash_algo_name[hash_algo]; algo = hash_algo_name[hash_algo];
} }
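Review bot: The added `if (hash_algo >= HASH_ALGO__LAST)` check bounds the `evm_tfm[hash_algo]` index, but nothing ties it to the array's real size; if evm_tfm is declared with HASH_ALGO__LAST entries (its declaration is outside the hunk), a `BUILD_BUG_ON(ARRAY_SIZE(evm_tfm) != HASH_ALGO__LAST);` beside the check would keep the two from drifting apart. A why-comment would also help, since hash_algo presumably arrives from xattr contents rather than from a kernel constant: `/* hash_algo may come from untrusted xattr data; bound it before it indexes evm_tfm[] */` — confirm against the callers. The same value indexes hash_algo_name[] on the next line, so the single check covers both uses. init_desc continues outside the hunk.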
......
...@@ -498,11 +498,12 @@ static void add_rules(struct ima_rule_entry *entries, int count, ...@@ -498,11 +498,12 @@ static void add_rules(struct ima_rule_entry *entries, int count,
list_add_tail(&entry->list, &ima_policy_rules); list_add_tail(&entry->list, &ima_policy_rules);
} }
if (entries[i].action == APPRAISE) if (entries[i].action == APPRAISE) {
temp_ima_appraise |= ima_appraise_flag(entries[i].func); temp_ima_appraise |= ima_appraise_flag(entries[i].func);
if (entries[i].func == POLICY_CHECK) if (entries[i].func == POLICY_CHECK)
temp_ima_appraise |= IMA_APPRAISE_POLICY; temp_ima_appraise |= IMA_APPRAISE_POLICY;
} }
}
} }
static int ima_parse_rule(char *rule, struct ima_rule_entry *entry); static int ima_parse_rule(char *rule, struct ima_rule_entry *entry);
...@@ -1146,10 +1147,10 @@ enum { ...@@ -1146,10 +1147,10 @@ enum {
}; };
static const char *const mask_tokens[] = { static const char *const mask_tokens[] = {
"MAY_EXEC", "^MAY_EXEC",
"MAY_WRITE", "^MAY_WRITE",
"MAY_READ", "^MAY_READ",
"MAY_APPEND" "^MAY_APPEND"
}; };
#define __ima_hook_stringify(str) (#str), #define __ima_hook_stringify(str) (#str),
...@@ -1209,6 +1210,7 @@ int ima_policy_show(struct seq_file *m, void *v) ...@@ -1209,6 +1210,7 @@ int ima_policy_show(struct seq_file *m, void *v)
struct ima_rule_entry *entry = v; struct ima_rule_entry *entry = v;
int i; int i;
char tbuf[64] = {0,}; char tbuf[64] = {0,};
int offset = 0;
rcu_read_lock(); rcu_read_lock();
...@@ -1232,15 +1234,17 @@ int ima_policy_show(struct seq_file *m, void *v) ...@@ -1232,15 +1234,17 @@ int ima_policy_show(struct seq_file *m, void *v)
if (entry->flags & IMA_FUNC) if (entry->flags & IMA_FUNC)
policy_func_show(m, entry->func); policy_func_show(m, entry->func);
if (entry->flags & IMA_MASK) { if ((entry->flags & IMA_MASK) || (entry->flags & IMA_INMASK)) {
if (entry->flags & IMA_MASK)
offset = 1;
if (entry->mask & MAY_EXEC) if (entry->mask & MAY_EXEC)
seq_printf(m, pt(Opt_mask), mt(mask_exec)); seq_printf(m, pt(Opt_mask), mt(mask_exec) + offset);
if (entry->mask & MAY_WRITE) if (entry->mask & MAY_WRITE)
seq_printf(m, pt(Opt_mask), mt(mask_write)); seq_printf(m, pt(Opt_mask), mt(mask_write) + offset);
if (entry->mask & MAY_READ) if (entry->mask & MAY_READ)
seq_printf(m, pt(Opt_mask), mt(mask_read)); seq_printf(m, pt(Opt_mask), mt(mask_read) + offset);
if (entry->mask & MAY_APPEND) if (entry->mask & MAY_APPEND)
seq_printf(m, pt(Opt_mask), mt(mask_append)); seq_printf(m, pt(Opt_mask), mt(mask_append) + offset);
seq_puts(m, " "); seq_puts(m, " ");
} }
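Review bot: The `+ offset` added to each `mt(mask_*)` argument skips the leading '^' that the mask_tokens[] strings now carry (the mask_tokens[] hunk earlier in this file section), but nothing in the code says so; a comment above `if (entry->flags & IMA_MASK)` such as `/* mask_tokens[] are prefixed with '^' for IMA_INMASK; skip it for a plain IMA_MASK rule */` would make the intent readable. `offset` is declared at function scope in the earlier hunk and initialised to 0, so an IMA_INMASK-only rule prints the '^' form; that looks correct assuming ima_policy_show runs once per rule entry. The pointer arithmetic also assumes mt() yields a char pointer, which is not visible here. ima_policy_show's body continues outside the hunk.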
......