Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
L
linux
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
linux
Commits
f6fd5c84
Commit
f6fd5c84
authored
Jul 26, 2014
by
James Morris
Browse files
Options
Browse Files
Download
Plain Diff
Merge tag 'fw-restrict-3.17' of
git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux
into next
parents
ed3c4f8f
5a9196d7
Changes
11
Hide whitespace changes
Inline
Side-by-side
Showing
11 changed files
with
104 additions
and
8 deletions
+104
-8
Documentation/ABI/testing/ima_policy
Documentation/ABI/testing/ima_policy
+3
-1
drivers/base/firmware_class.c
drivers/base/firmware_class.c
+26
-4
include/linux/ima.h
include/linux/ima.h
+6
-0
include/linux/security.h
include/linux/security.h
+17
-0
security/capability.c
security/capability.c
+6
-0
security/integrity/ima/ima.h
security/integrity/ima/ima.h
+2
-1
security/integrity/ima/ima_appraise.c
security/integrity/ima/ima_appraise.c
+8
-0
security/integrity/ima/ima_main.c
security/integrity/ima/ima_main.c
+11
-0
security/integrity/ima/ima_policy.c
security/integrity/ima/ima_policy.c
+7
-0
security/integrity/integrity.h
security/integrity/integrity.h
+7
-2
security/security.c
security/security.c
+11
-0
No files found.
Documentation/ABI/testing/ima_policy
View file @
f6fd5c84
...
...
@@ -26,6 +26,7 @@ Description:
option: [[appraise_type=]] [permit_directio]
base: func:= [BPRM_CHECK][MMAP_CHECK][FILE_CHECK][MODULE_CHECK]
[FIRMWARE_CHECK]
mask:= [MAY_READ] [MAY_WRITE] [MAY_APPEND] [MAY_EXEC]
fsmagic:= hex value
fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6)
...
...
@@ -57,7 +58,8 @@ Description:
measure func=BPRM_CHECK
measure func=FILE_MMAP mask=MAY_EXEC
measure func=FILE_CHECK mask=MAY_READ uid=0
measure func=MODULE_CHECK uid=0
measure func=MODULE_CHECK
measure func=FIRMWARE_CHECK
appraise fowner=0
The default policy measures all executables in bprm_check,
...
...
drivers/base/firmware_class.c
View file @
f6fd5c84
...
...
@@ -28,6 +28,7 @@
#include <linux/suspend.h>
#include <linux/syscore_ops.h>
#include <linux/reboot.h>
#include <linux/security.h>
#include <generated/utsrelease.h>
...
...
@@ -308,12 +309,17 @@ static int fw_read_file_contents(struct file *file, struct firmware_buf *fw_buf)
if
(
rc
!=
size
)
{
if
(
rc
>
0
)
rc
=
-
EIO
;
vfree
(
buf
);
return
rc
;
goto
fail
;
}
rc
=
security_kernel_fw_from_file
(
file
,
buf
,
size
);
if
(
rc
)
goto
fail
;
fw_buf
->
data
=
buf
;
fw_buf
->
size
=
size
;
return
0
;
fail:
vfree
(
buf
);
return
rc
;
}
static
int
fw_get_filesystem_firmware
(
struct
device
*
device
,
...
...
@@ -617,6 +623,7 @@ static ssize_t firmware_loading_store(struct device *dev,
{
struct
firmware_priv
*
fw_priv
=
to_firmware_priv
(
dev
);
struct
firmware_buf
*
fw_buf
;
ssize_t
written
=
count
;
int
loading
=
simple_strtol
(
buf
,
NULL
,
10
);
int
i
;
...
...
@@ -640,6 +647,8 @@ static ssize_t firmware_loading_store(struct device *dev,
break
;
case
0
:
if
(
test_bit
(
FW_STATUS_LOADING
,
&
fw_buf
->
status
))
{
int
rc
;
set_bit
(
FW_STATUS_DONE
,
&
fw_buf
->
status
);
clear_bit
(
FW_STATUS_LOADING
,
&
fw_buf
->
status
);
...
...
@@ -649,10 +658,23 @@ static ssize_t firmware_loading_store(struct device *dev,
* see the mapped 'buf->data' once the loading
* is completed.
* */
if
(
fw_map_pages_buf
(
fw_buf
))
rc
=
fw_map_pages_buf
(
fw_buf
);
if
(
rc
)
dev_err
(
dev
,
"%s: map pages failed
\n
"
,
__func__
);
else
rc
=
security_kernel_fw_from_file
(
NULL
,
fw_buf
->
data
,
fw_buf
->
size
);
/*
* Same logic as fw_load_abort, only the DONE bit
* is ignored and we set ABORT only on failure.
*/
list_del_init
(
&
fw_buf
->
pending_list
);
if
(
rc
)
{
set_bit
(
FW_STATUS_ABORT
,
&
fw_buf
->
status
);
written
=
rc
;
}
complete_all
(
&
fw_buf
->
completion
);
break
;
}
...
...
@@ -666,7 +688,7 @@ static ssize_t firmware_loading_store(struct device *dev,
}
out:
mutex_unlock
(
&
fw_lock
);
return
count
;
return
written
;
}
static
DEVICE_ATTR
(
loading
,
0644
,
firmware_loading_show
,
firmware_loading_store
);
...
...
include/linux/ima.h
View file @
f6fd5c84
...
...
@@ -19,6 +19,7 @@ extern int ima_file_check(struct file *file, int mask);
extern
void
ima_file_free
(
struct
file
*
file
);
extern
int
ima_file_mmap
(
struct
file
*
file
,
unsigned
long
prot
);
extern
int
ima_module_check
(
struct
file
*
file
);
extern
int
ima_fw_from_file
(
struct
file
*
file
,
char
*
buf
,
size_t
size
);
#else
static
inline
int
ima_bprm_check
(
struct
linux_binprm
*
bprm
)
...
...
@@ -46,6 +47,11 @@ static inline int ima_module_check(struct file *file)
return
0
;
}
static
inline
int
ima_fw_from_file
(
struct
file
*
file
,
char
*
buf
,
size_t
size
)
{
return
0
;
}
#endif
/* CONFIG_IMA */
#ifdef CONFIG_IMA_APPRAISE
...
...
include/linux/security.h
View file @
f6fd5c84
...
...
@@ -702,6 +702,15 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
* @inode points to the inode to use as a reference.
* The current task must be the one that nominated @inode.
* Return 0 if successful.
* @kernel_fw_from_file:
* Load firmware from userspace (not called for built-in firmware).
* @file contains the file structure pointing to the file containing
* the firmware to load. This argument will be NULL if the firmware
* was loaded via the uevent-triggered blob-based interface exposed
* by CONFIG_FW_LOADER_USER_HELPER.
* @buf pointer to buffer containing firmware contents.
* @size length of the firmware contents.
* Return 0 if permission is granted.
* @kernel_module_request:
* Ability to trigger the kernel to automatically upcall to userspace for
* userspace to load a kernel module with the given name.
...
...
@@ -1568,6 +1577,7 @@ struct security_operations {
void
(
*
cred_transfer
)(
struct
cred
*
new
,
const
struct
cred
*
old
);
int
(
*
kernel_act_as
)(
struct
cred
*
new
,
u32
secid
);
int
(
*
kernel_create_files_as
)(
struct
cred
*
new
,
struct
inode
*
inode
);
int
(
*
kernel_fw_from_file
)(
struct
file
*
file
,
char
*
buf
,
size_t
size
);
int
(
*
kernel_module_request
)(
char
*
kmod_name
);
int
(
*
kernel_module_from_file
)(
struct
file
*
file
);
int
(
*
task_fix_setuid
)
(
struct
cred
*
new
,
const
struct
cred
*
old
,
...
...
@@ -1840,6 +1850,7 @@ int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp);
void
security_transfer_creds
(
struct
cred
*
new
,
const
struct
cred
*
old
);
int
security_kernel_act_as
(
struct
cred
*
new
,
u32
secid
);
int
security_kernel_create_files_as
(
struct
cred
*
new
,
struct
inode
*
inode
);
int
security_kernel_fw_from_file
(
struct
file
*
file
,
char
*
buf
,
size_t
size
);
int
security_kernel_module_request
(
char
*
kmod_name
);
int
security_kernel_module_from_file
(
struct
file
*
file
);
int
security_task_fix_setuid
(
struct
cred
*
new
,
const
struct
cred
*
old
,
...
...
@@ -2366,6 +2377,12 @@ static inline int security_kernel_create_files_as(struct cred *cred,
return
0
;
}
static
inline
int
security_kernel_fw_from_file
(
struct
file
*
file
,
char
*
buf
,
size_t
size
)
{
return
0
;
}
static
inline
int
security_kernel_module_request
(
char
*
kmod_name
)
{
return
0
;
...
...
security/capability.c
View file @
f6fd5c84
...
...
@@ -401,6 +401,11 @@ static int cap_kernel_create_files_as(struct cred *new, struct inode *inode)
return
0
;
}
static
int
cap_kernel_fw_from_file
(
struct
file
*
file
,
char
*
buf
,
size_t
size
)
{
return
0
;
}
static
int
cap_kernel_module_request
(
char
*
kmod_name
)
{
return
0
;
...
...
@@ -1015,6 +1020,7 @@ void __init security_fixup_ops(struct security_operations *ops)
set_to_cap_if_null
(
ops
,
cred_transfer
);
set_to_cap_if_null
(
ops
,
kernel_act_as
);
set_to_cap_if_null
(
ops
,
kernel_create_files_as
);
set_to_cap_if_null
(
ops
,
kernel_fw_from_file
);
set_to_cap_if_null
(
ops
,
kernel_module_request
);
set_to_cap_if_null
(
ops
,
kernel_module_from_file
);
set_to_cap_if_null
(
ops
,
task_fix_setuid
);
...
...
security/integrity/ima/ima.h
View file @
f6fd5c84
...
...
@@ -158,7 +158,7 @@ struct integrity_iint_cache *integrity_iint_insert(struct inode *inode);
struct
integrity_iint_cache
*
integrity_iint_find
(
struct
inode
*
inode
);
/* IMA policy related functions */
enum
ima_hooks
{
FILE_CHECK
=
1
,
MMAP_CHECK
,
BPRM_CHECK
,
MODULE_CHECK
,
POST_SETATTR
};
enum
ima_hooks
{
FILE_CHECK
=
1
,
MMAP_CHECK
,
BPRM_CHECK
,
MODULE_CHECK
,
FIRMWARE_CHECK
,
POST_SETATTR
};
int
ima_match_policy
(
struct
inode
*
inode
,
enum
ima_hooks
func
,
int
mask
,
int
flags
);
...
...
@@ -171,6 +171,7 @@ void ima_delete_rules(void);
#define IMA_APPRAISE_ENFORCE 0x01
#define IMA_APPRAISE_FIX 0x02
#define IMA_APPRAISE_MODULES 0x04
#define IMA_APPRAISE_FIRMWARE 0x08
#ifdef CONFIG_IMA_APPRAISE
int
ima_appraise_measurement
(
int
func
,
struct
integrity_iint_cache
*
iint
,
...
...
security/integrity/ima/ima_appraise.c
View file @
f6fd5c84
...
...
@@ -75,6 +75,8 @@ enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
return
iint
->
ima_bprm_status
;
case
MODULE_CHECK
:
return
iint
->
ima_module_status
;
case
FIRMWARE_CHECK
:
return
iint
->
ima_firmware_status
;
case
FILE_CHECK
:
default:
return
iint
->
ima_file_status
;
...
...
@@ -94,6 +96,9 @@ static void ima_set_cache_status(struct integrity_iint_cache *iint,
case
MODULE_CHECK
:
iint
->
ima_module_status
=
status
;
break
;
case
FIRMWARE_CHECK
:
iint
->
ima_firmware_status
=
status
;
break
;
case
FILE_CHECK
:
default:
iint
->
ima_file_status
=
status
;
...
...
@@ -113,6 +118,9 @@ static void ima_cache_flags(struct integrity_iint_cache *iint, int func)
case
MODULE_CHECK
:
iint
->
flags
|=
(
IMA_MODULE_APPRAISED
|
IMA_APPRAISED
);
break
;
case
FIRMWARE_CHECK
:
iint
->
flags
|=
(
IMA_FIRMWARE_APPRAISED
|
IMA_APPRAISED
);
break
;
case
FILE_CHECK
:
default:
iint
->
flags
|=
(
IMA_FILE_APPRAISED
|
IMA_APPRAISED
);
...
...
security/integrity/ima/ima_main.c
View file @
f6fd5c84
...
...
@@ -319,6 +319,17 @@ int ima_module_check(struct file *file)
return
process_measurement
(
file
,
NULL
,
MAY_EXEC
,
MODULE_CHECK
);
}
int
ima_fw_from_file
(
struct
file
*
file
,
char
*
buf
,
size_t
size
)
{
if
(
!
file
)
{
if
((
ima_appraise
&
IMA_APPRAISE_FIRMWARE
)
&&
(
ima_appraise
&
IMA_APPRAISE_ENFORCE
))
return
-
EACCES
;
/* INTEGRITY_UNKNOWN */
return
0
;
}
return
process_measurement
(
file
,
NULL
,
MAY_EXEC
,
FIRMWARE_CHECK
);
}
static
int
__init
init_ima
(
void
)
{
int
error
;
...
...
security/integrity/ima/ima_policy.c
View file @
f6fd5c84
...
...
@@ -84,6 +84,7 @@ static struct ima_rule_entry default_rules[] = {
{.
action
=
MEASURE
,
.
func
=
FILE_CHECK
,
.
mask
=
MAY_READ
,
.
uid
=
GLOBAL_ROOT_UID
,
.
flags
=
IMA_FUNC
|
IMA_MASK
|
IMA_UID
},
{.
action
=
MEASURE
,
.
func
=
MODULE_CHECK
,
.
flags
=
IMA_FUNC
},
{.
action
=
MEASURE
,
.
func
=
FIRMWARE_CHECK
,
.
flags
=
IMA_FUNC
},
};
static
struct
ima_rule_entry
default_appraise_rules
[]
=
{
...
...
@@ -241,6 +242,8 @@ static int get_subaction(struct ima_rule_entry *rule, int func)
return
IMA_BPRM_APPRAISE
;
case
MODULE_CHECK
:
return
IMA_MODULE_APPRAISE
;
case
FIRMWARE_CHECK
:
return
IMA_FIRMWARE_APPRAISE
;
case
FILE_CHECK
:
default:
return
IMA_FILE_APPRAISE
;
...
...
@@ -486,6 +489,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
entry
->
func
=
FILE_CHECK
;
else
if
(
strcmp
(
args
[
0
].
from
,
"MODULE_CHECK"
)
==
0
)
entry
->
func
=
MODULE_CHECK
;
else
if
(
strcmp
(
args
[
0
].
from
,
"FIRMWARE_CHECK"
)
==
0
)
entry
->
func
=
FIRMWARE_CHECK
;
else
if
((
strcmp
(
args
[
0
].
from
,
"FILE_MMAP"
)
==
0
)
||
(
strcmp
(
args
[
0
].
from
,
"MMAP_CHECK"
)
==
0
))
entry
->
func
=
MMAP_CHECK
;
...
...
@@ -636,6 +641,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
result
=
-
EINVAL
;
else
if
(
entry
->
func
==
MODULE_CHECK
)
ima_appraise
|=
IMA_APPRAISE_MODULES
;
else
if
(
entry
->
func
==
FIRMWARE_CHECK
)
ima_appraise
|=
IMA_APPRAISE_FIRMWARE
;
audit_log_format
(
ab
,
"res=%d"
,
!
result
);
audit_log_end
(
ab
);
return
result
;
...
...
security/integrity/integrity.h
View file @
f6fd5c84
...
...
@@ -46,10 +46,14 @@
#define IMA_BPRM_APPRAISED 0x00002000
#define IMA_MODULE_APPRAISE 0x00004000
#define IMA_MODULE_APPRAISED 0x00008000
#define IMA_FIRMWARE_APPRAISE 0x00010000
#define IMA_FIRMWARE_APPRAISED 0x00020000
#define IMA_APPRAISE_SUBMASK (IMA_FILE_APPRAISE | IMA_MMAP_APPRAISE | \
IMA_BPRM_APPRAISE | IMA_MODULE_APPRAISE)
IMA_BPRM_APPRAISE | IMA_MODULE_APPRAISE | \
IMA_FIRMWARE_APPRAISE)
#define IMA_APPRAISED_SUBMASK (IMA_FILE_APPRAISED | IMA_MMAP_APPRAISED | \
IMA_BPRM_APPRAISED | IMA_MODULE_APPRAISED)
IMA_BPRM_APPRAISED | IMA_MODULE_APPRAISED | \
IMA_FIRMWARE_APPRAISED)
enum
evm_ima_xattr_type
{
IMA_XATTR_DIGEST
=
0x01
,
...
...
@@ -104,6 +108,7 @@ struct integrity_iint_cache {
enum
integrity_status
ima_mmap_status
:
4
;
enum
integrity_status
ima_bprm_status
:
4
;
enum
integrity_status
ima_module_status
:
4
;
enum
integrity_status
ima_firmware_status
:
4
;
enum
integrity_status
evm_status
:
4
;
struct
ima_digest_data
*
ima_hash
;
};
...
...
security/security.c
View file @
f6fd5c84
...
...
@@ -845,6 +845,17 @@ int security_kernel_create_files_as(struct cred *new, struct inode *inode)
return
security_ops
->
kernel_create_files_as
(
new
,
inode
);
}
int
security_kernel_fw_from_file
(
struct
file
*
file
,
char
*
buf
,
size_t
size
)
{
int
ret
;
ret
=
security_ops
->
kernel_fw_from_file
(
file
,
buf
,
size
);
if
(
ret
)
return
ret
;
return
ima_fw_from_file
(
file
,
buf
,
size
);
}
EXPORT_SYMBOL_GPL
(
security_kernel_fw_from_file
);
int
security_kernel_module_request
(
char
*
kmod_name
)
{
return
security_ops
->
kernel_module_request
(
kmod_name
);
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment