- 26 Dec, 2015 2 commits
-
-
-
James Morris authored
Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity into next
-
- 24 Dec, 2015 10 commits
-
-
Sasha Levin authored
Commit "IMA: policy can now be updated multiple times" assumed that the policy would be updated at least once. If there are zero updates, the temporary list head object will get added to the policy list, and later dereferenced as an IMA policy object, which means that invalid memory will be accessed. Changelog: - Move list_empty() test to ima_release_policy(), before audit msg - Mimi Signed-off-by:
Sasha Levin <sasha.levin@oracle.com> Signed-off-by:
Mimi Zohar <zohar@linux.vnet.ibm.com>
-
Vladis Dronov authored
Any process is able to send netlink messages with invalid types. Make the warning rate-limited to prevent too much log spam. The warning is supposed to help to find misbehaving programs, so print the triggering command name and pid. Reported-by:
Florian Weimer <fweimer@redhat.com> Signed-off-by:
Vladis Dronov <vdronov@redhat.com> [PM: subject line tweak to make checkpatch.pl happy] Signed-off-by:
Paul Moore <pmoore@redhat.com>
-
Andrew Perepechko authored
Make validatetrans decisions available through selinuxfs. "/validatetrans" is added to selinuxfs for this purpose. This functionality is needed by file system servers implemented in userspace or kernelspace without the VFS layer. Writing "$oldcontext $newcontext $tclass $taskcontext" to /validatetrans is expected to return 0 if the transition is allowed and -EPERM otherwise. Signed-off-by:
Andrew Perepechko <anserper@ya.ru> CC: andrew.perepechko@seagate.com Acked-by:
Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by:
-
Andreas Gruenbacher authored
When gfs2 releases the glock of an inode, it must invalidate all information cached for that inode, including the page cache and acls. Use the new security_inode_invalidate_secctx hook to also invalidate security labels in that case. These items will be reread from disk when needed after reacquiring the glock. Signed-off-by:
Andreas Gruenbacher <agruenba@redhat.com> Acked-by:
Bob Peterson <rpeterso@redhat.com> Acked-by:
Steven Whitehouse <swhiteho@redhat.com> Cc: cluster-devel@redhat.com [PM: fixed spelling errors and description line lengths] Signed-off-by:
-
Andreas Gruenbacher authored
When fetching an inode's security label, check if it is still valid, and try reloading it if it is not. Reloading will fail when we are in RCU context which doesn't allow sleeping, or when we can't find a dentry for the inode. (Reloading happens via iop->getxattr which takes a dentry parameter.) When reloading fails, continue using the old, invalid label. Signed-off-by:
-
Andreas Gruenbacher authored
Add a hook to invalidate an inode's security label when the cached information becomes invalid. Add the new hook in selinux: set a flag when a security label becomes invalid. Signed-off-by:
James Morris <james.l.morris@oracle.com> Acked-by:
-
Andreas Gruenbacher authored
Add functions dentry_security and inode_security for accessing inode->i_security. These functions initially don't do much, but they will later be used to revalidate the security labels when necessary. Signed-off-by:
-
Andreas Gruenbacher authored
Make the inode argument of the inode_getsecid hook non-const so that we can use it to revalidate invalid security labels. Signed-off-by:
-
Andreas Gruenbacher authored
Make the inode argument of the inode_getsecurity hook non-const so that we can use it to revalidate invalid security labels. Signed-off-by:
-
Andreas Gruenbacher authored
Signed-off-by:
-
- 20 Dec, 2015 10 commits
-
-
Jarkko Sakkinen authored
TPM2 supports authorization policies, which are essentially combinational logic statements repsenting the conditions where the data can be unsealed based on the TPM state. This patch enables to use authorization policies to seal trusted keys. Two following new options have been added for trusted keys: * 'policydigest=': provide an auth policy digest for sealing. * 'policyhandle=': provide a policy session handle for unsealing. If 'hash=' option is supplied after 'policydigest=' option, this will result an error because the state of the option would become mixed. Signed-off-by:
Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Tested-by:
Colin Ian King <colin.king@canonical.com> Reviewed-by:
Peter Huewe <peterhuewe@gmx.de>
-
Jarkko Sakkinen authored
Added 'hash=' option for selecting the hash algorithm for add_key() syscall and documentation for it. Added entry for sm3-256 to the following tables in order to support TPM_ALG_SM3_256: * hash_algo_name * hash_digest_size Includes support for the following hash algorithms: * sha1 * sha256 * sha384 * sha512 * sm3-256 Signed-off-by:
-
Jarkko Sakkinen authored
The trusted keys option parsing allows specifying the same option multiple times. The last option value specified is used. This is problematic because: * No gain. * This makes complicated to specify options that are dependent on other options. This patch changes the behavior in a way that option can be specified only once. Reported-by:
James Morris James Morris <jmorris@namei.org> Reviewed-by:
-
Stefan Berger authored
When the TPM response reception is interrupted in the wait_event_interruptable call, the TPM is still busy processing the command and will only deliver the response later. So we have to wait for an outstanding response before sending a new request to avoid trying to put a 2nd request into the CRQ. Also reset the res_len before sending a command so we will end up in that wait_event_interruptable() waiting for the response rather than reading the command packet as a response. The easiest way to trigger the problem is to run the following cd /sys/device/vio/71000004 while :; cat pcrs >/dev/null; done And press Ctrl-C. This will then display an error tpm_ibmvtpm 71000004: tpm_transmit: tpm_recv: error -4 followed by several other errors once interaction with the TPM resumes. tpm_ibmvtpm 71000004: A TPM error (101) occurred attempting to determine the number of PCRS. Signed-off-by:
Stefan Berger <stefanb@linux.vnet.ibm.com> Tested-by:
Hon Ching(Vicky) Lo <honclo@linux.vnet.ibm.com> Reviewed-by:
Ashley Lai <ashley@ashleylai.com> Signed-off-by:
-
Jason Gunthorpe authored
auto-probing doesn't work with shared interrupts, and the auto detection interrupt range is for x86 only. Signed-off-by:
Jason Gunthorpe <jgunthorpe@obsidianresearch.com> Reviewed-by:
Martin Wilck <Martin.Wilck@ts.fujitsu.com> Tested-by:
Scot Doyle <lkml14@scotdoyle.com> Signed-off-by:
-
Jason Gunthorpe authored
Now that the probe and run cases are merged together we can use a much simpler setup flow where probe and normal setup are done with exactly the same code. Since the new flow always calls tpm_gen_interrupt to confirm the IRQ there is also no longer any need to call tpm_get_timeouts twice. Signed-off-by:
-
Jason Gunthorpe authored
The new code that works directly in tpm_tis_send is able to handle IRQ probing duties as well, so just use it for everything. Signed-off-by:
-
Jason Gunthorpe authored
IRQ probing needs to know that the TPM is working before trying to probe, so move tpm_get_timeouts() to the top of the tpm_tis_init(). This has the advantage of also getting the correct timeouts loaded before doing IRQ probing. All the timeout handling code is moved to tpm_get_timeouts() in order to remove duplicate code in tpm_tis and tpm_crb. [jarkko.sakkinen@linux.intel.com: squashed two patches together and improved the commit message.] Signed-off-by:
-
Jason Gunthorpe authored
This should be done very early, before anything could possibly cause the TPM to generate an interrupt. If the IRQ line is shared with another driver causing an interrupt before setting up our handler will be very bad. Signed-off-by:
-
Jason Gunthorpe authored
The interrupt is always allocated with devm_request_irq so it must always be freed with devm_free_irq. Fixes: 448e9c55 ("tpm_tis: verify interrupt during init") Signed-off-by:
-
- 15 Dec, 2015 12 commits
-
-
Paul Gortmaker authored
The Kconfig currently controlling compilation of this code is: ima/Kconfig:config IMA_MOK_KEYRING ima/Kconfig: bool "Create IMA machine owner keys (MOK) and blacklist keyrings" ...meaning that it currently is not being built as a module by anyone. Lets remove the couple of traces of modularity so that when reading the driver there is no doubt it really is builtin-only. Since module_init translates to device_initcall in the non-modular case, the init ordering remains unchanged with this commit. Cc: Mimi Zohar <zohar@linux.vnet.ibm.com> Cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com> Cc: James Morris <james.l.morris@oracle.com> Cc: "Serge E. Hallyn" <serge@hallyn.com> Cc: linux-ima-devel@lists.sourceforge.net Cc: linux-ima-user@lists.sourceforge.net Cc: linux-security-module@vger.kernel.org Signed-off-by:
Paul Gortmaker <paul.gortmaker@windriver.com> Signed-off-by:
-
Mimi Zohar authored
While creating a temporary list of new rules, the ima_appraise flag is updated, but not reverted on failure to append the new rules to the existing policy. This patch defines temp_ima_appraise flag. Only when the new rules are appended to the policy is the flag updated. Signed-off-by:
Petko Manolov <petkan@mip-labs.com>
-
Mimi Zohar authored
Set the KEY_FLAGS_KEEP on the .ima_blacklist to prevent userspace from removing keys from the keyring. Signed-off-by: -
Mimi Zohar authored
Userspace should not be allowed to remove keys from certain keyrings (eg. blacklist), though the keys themselves can expire. This patch defines a new key flag named KEY_FLAG_KEEP to prevent userspace from being able to unlink, revoke, invalidate or timed out a key on a keyring. When this flag is set on the keyring, all keys subsequently added are flagged. In addition, when this flag is set, the keyring itself can not be cleared. Signed-off-by: -
Petko Manolov authored
It is often useful to be able to read back the IMA policy. It is even more important after introducing CONFIG_IMA_WRITE_POLICY. This option allows the root user to see the current policy rules. Signed-off-by:
Zbigniew Jasinski <z.jasinski@samsung.com> Signed-off-by:
-
Petko Manolov authored
This option creates IMA MOK and blacklist keyrings. IMA MOK is an intermediate keyring that sits between .system and .ima keyrings, effectively forming a simple CA hierarchy. To successfully import a key into .ima_mok it must be signed by a key which CA is in .system keyring. On turn any key that needs to go in .ima keyring must be signed by CA in either .system or .ima_mok keyrings. IMA MOK is empty at kernel boot. IMA blacklist keyring contains all revoked IMA keys. It is consulted before any other keyring. If the search is successful the requested operation is rejected and error is returned to the caller. Signed-off-by:
-
Petko Manolov authored
The new rules get appended to the original policy, forming a queue. The new rules are first added to a temporary list, which on error get released without disturbing the normal IMA operations. On success both lists (the current policy and the new rules) are spliced. IMA policy reads are many orders of magnitude more numerous compared to writes, the match code is RCU protected. The updater side also does list splice in RCU manner. Signed-off-by:
-
Arnd Bergmann authored
The newly added EVM_LOAD_X509 code can be configured even if CONFIG_EVM is disabled, but that causes a link error: security/built-in.o: In function `integrity_load_keys': digsig_asymmetric.c:(.init.text+0x400): undefined reference to `evm_load_x509' This adds a Kconfig dependency to ensure it is only enabled when CONFIG_EVM is set as well. Signed-off-by:
Arnd Bergmann <arnd@arndb.de> Fixes: 2ce523eb ("evm: load x509 certificate from the kernel") Signed-off-by:
-
Dmitry Kasatkin authored
The EVM verification status is cached in iint->evm_status and if it was successful, never re-verified again when IMA passes the 'iint' to evm_verifyxattr(). When file attributes or extended attributes change, we may wish to re-verify EVM integrity as well. For example, after setting a digital signature we may need to re-verify the signature and update the iint->flags that there is an EVM signature. This patch enables that by resetting evm_status to INTEGRITY_UKNOWN state. Changes in v2: * Flag setting moved to EVM layer Signed-off-by:
Dmitry Kasatkin <dmitry.kasatkin@huawei.com> Signed-off-by:
-
Dmitry Kasatkin authored
A crypto HW kernel module can possibly initialize the EVM key from the kernel __init code to enable EVM before calling the 'init' process. This patch provides a function evm_set_key() to set the EVM key directly without using the KEY subsystem. Changes in v4: * kernel-doc style for evm_set_key Changes in v3: * error reporting moved to evm_set_key * EVM_INIT_HMAC moved to evm_set_key * added bitop to prevent key setting race Changes in v2: * use size_t for key size instead of signed int * provide EVM_MAX_KEY_SIZE macro in <linux/evm.h> * provide EVM_MIN_KEY_SIZE macro in <linux/evm.h> Signed-off-by:
-
Dmitry Kasatkin authored
In order to enable EVM before starting the 'init' process, evm_initialized needs to be non-zero. Previously non-zero indicated that the HMAC key was loaded. When EVM loads the X509 before calling 'init', with this patch it is now possible to enable EVM to start signature based verification. This patch defines bits to enable EVM if a key of any type is loaded. Changes in v3: * print error message if key is not set Changes in v2: * EVM_STATE_KEY_SET replaced by EVM_INIT_HMAC * EVM_STATE_X509_SET replaced by EVM_INIT_X509 Signed-off-by:
-
Dmitry Kasatkin authored
This patch defines a configuration option and the evm_load_x509() hook to load an X509 certificate onto the EVM trusted kernel keyring. Changes in v4: * Patch description updated Changes in v3: * Removed EVM_X509_PATH definition. CONFIG_EVM_X509_PATH is used directly. Changes in v2: * default key patch changed to /etc/keys Signed-off-by:
-
- 02 Dec, 2015 1 commit
-
-
Martin Wilck authored
commit 07b133e6 ("char/tpm: simplify duration calculation and eliminate smatch warning.") includes a misleading test that is always false. The tpm_ordinal_duration table is only valid for TPM_PROTECTED ordinals where the higher 16 bits are all 0, anyway. Signed-off-by:
-
- 23 Nov, 2015 3 commits
-
-
Dmitry Kasatkin authored
Require all keys added to the EVM keyring be signed by an existing trusted key on the system trusted keyring. This patch also switches IMA to use integrity_init_keyring(). Changes in v3: * Added 'init_keyring' config based variable to skip initializing keyring instead of using __integrity_init_keyring() wrapper. * Added dependency back to CONFIG_IMA_TRUSTED_KEYRING Changes in v2: * Replace CONFIG_EVM_TRUSTED_KEYRING with IMA and EVM common CONFIG_INTEGRITY_TRUSTED_KEYRING configuration option * Deprecate CONFIG_IMA_TRUSTED_KEYRING but keep it for config file compatibility. (Mimi Zohar) Signed-off-by:
-
James Morris authored
-
Linus Torvalds authored
-
- 22 Nov, 2015 2 commits
-
-
Linus Torvalds authored
Merge slub bulk allocator updates from Andrew Morton: "This missed the merge window because I was waiting for some repairs to come in. Nothing actually uses the bulk allocator yet and the changes to other code paths are pretty small. And the net guys are waiting for this so they can start merging the client code" More comments from Jesper Dangaard Brouer: "The kmem_cache_alloc_bulk() call, in mm/slub.c, were included in previous kernel. The present version contains a bug. Vladimir Davydov noticed it contained a bug, when kernel is compiled with CONFIG_MEMCG_KMEM (see commit 03ec0ed5: "slub: fix kmem cgroup bug in kmem_cache_alloc_bulk"). Plus the mem cgroup counterpart in kmem_cache_free_bulk() were missing (see commit 03374518 "slub: add missing kmem cgroup support to kmem_cache_free_bulk"). I don't consider the fix stable-material because there are no in-tree users of the API. But with known bugs (for memcg) I cannot start using the API in the net-tree" * emailed patches from Andrew Morton <akpm@linux-foundation.org>: slab/slub: adjust kmem_cache_alloc_bulk API slub: add missing kmem cgroup support to kmem_cache_free_bulk slub: fix kmem cgroup bug in kmem_cache_alloc_bulk slub: optimize bulk slowpath free by detached freelist slub: support for bulk free with SLUB freelists
-
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/ttyLinus Torvalds authored
Pull tty/serial fixes from Greg KH: "Here are a few small tty/serial driver fixes for 4.4-rc2 that resolve some reported problems. All have been in linux-next, full details are in the shortlog below" * tag 'tty-4.4-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty: serial: export fsl8250_handle_irq serial: 8250_mid: Add missing dependency tty: audit: Fix audit source serial: etraxfs-uart: Fix crash serial: fsl_lpuart: Fix earlycon support bcm63xx_uart: Use the device name when registering an interrupt tty: Fix direct use of tty buffer work tty: Fix tty_send_xchar() lock order inversion
-
