summaryrefslogtreecommitdiffstats
path: root/security/integrity
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2023-08-30 18:16:56 +0200
committerLinus Torvalds <torvalds@linux-foundation.org>2023-08-30 18:16:56 +0200
commit1a35914f738c564060a14388f52a06669b09e0b3 (patch)
tree25af3423d677d4339a3a9e03c1731be25a00e13d /security/integrity
parentMerge tag 'lsm-pr-20230829' of git://git.kernel.org/pub/scm/linux/kernel/git/... (diff)
parentkexec_lock: Replace kexec_mutex() by kexec_lock() in two comments (diff)
downloadlinux-1a35914f738c564060a14388f52a06669b09e0b3.tar.xz
linux-1a35914f738c564060a14388f52a06669b09e0b3.zip
Merge tag 'integrity-v6.6' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity
Pull integrity subsystem updates from Mimi Zohar: - With commit 099f26f22f58 ("integrity: machine keyring CA configuration") certificates may be loaded onto the IMA keyring, directly or indirectly signed by keys on either the "builtin" or the "machine" keyrings. With the ability for the system/machine owner to sign the IMA policy itself without needing to recompile the kernel, update the IMA architecture specific policy rules to require the IMA policy itself be signed. [ As commit 099f26f22f58 was upstreamed in linux-6.4, updating the IMA architecture specific policy now to require signed IMA policies may break userspace expectations. ] - IMA only checked the file data hash was not on the system blacklist keyring for files with an appended signature (e.g. kernel modules, Power kernel image). Check all file data hashes regardless of how it was signed - Code cleanup, and a kernel-doc update * tag 'integrity-v6.6' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity: kexec_lock: Replace kexec_mutex() by kexec_lock() in two comments ima: require signed IMA policy when UEFI secure boot is enabled integrity: Always reference the blacklist keyring with appraisal ima: Remove deprecated IMA_TRUSTED_KEYRING Kconfig
Diffstat (limited to 'security/integrity')
-rw-r--r--security/integrity/ima/Kconfig12
-rw-r--r--security/integrity/ima/ima_appraise.c12
-rw-r--r--security/integrity/ima/ima_efi.c3
-rw-r--r--security/integrity/ima/ima_kexec.c2
-rw-r--r--security/integrity/ima/ima_policy.c17
5 files changed, 16 insertions, 30 deletions
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 684425936c53..ecddc807c536 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -248,18 +248,6 @@ config IMA_APPRAISE_MODSIG
The modsig keyword can be used in the IMA policy to allow a hook
to accept such signatures.
-config IMA_TRUSTED_KEYRING
- bool "Require all keys on the .ima keyring be signed (deprecated)"
- depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING
- depends on INTEGRITY_ASYMMETRIC_KEYS
- select INTEGRITY_TRUSTED_KEYRING
- default y
- help
- This option requires that all keys added to the .ima
- keyring be signed by a key on the system trusted keyring.
-
- This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING
-
config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)"
depends on SYSTEM_TRUSTED_KEYRING
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 491c1aca0b1c..870dde67707b 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -458,11 +458,13 @@ int ima_check_blacklist(struct integrity_iint_cache *iint,
ima_get_modsig_digest(modsig, &hash_algo, &digest, &digestsize);
rc = is_binary_blacklisted(digest, digestsize);
- if ((rc == -EPERM) && (iint->flags & IMA_MEASURE))
- process_buffer_measurement(&nop_mnt_idmap, NULL, digest, digestsize,
- "blacklisted-hash", NONE,
- pcr, NULL, false, NULL, 0);
- }
+ } else if (iint->flags & IMA_DIGSIG_REQUIRED && iint->ima_hash)
+ rc = is_binary_blacklisted(iint->ima_hash->digest, iint->ima_hash->length);
+
+ if ((rc == -EPERM) && (iint->flags & IMA_MEASURE))
+ process_buffer_measurement(&nop_mnt_idmap, NULL, digest, digestsize,
+ "blacklisted-hash", NONE,
+ pcr, NULL, false, NULL, 0);
return rc;
}
diff --git a/security/integrity/ima/ima_efi.c b/security/integrity/ima/ima_efi.c
index 9db66fe310d4..138029bfcce1 100644
--- a/security/integrity/ima/ima_efi.c
+++ b/security/integrity/ima/ima_efi.c
@@ -58,6 +58,9 @@ static const char * const sb_arch_rules[] = {
#if !IS_ENABLED(CONFIG_MODULE_SIG)
"appraise func=MODULE_CHECK appraise_type=imasig",
#endif
+#if IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) && IS_ENABLED(CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY)
+ "appraise func=POLICY_CHECK appraise_type=imasig",
+#endif
"measure func=MODULE_CHECK",
NULL
};
diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/ima_kexec.c
index 419dc405c831..ad133fe120db 100644
--- a/security/integrity/ima/ima_kexec.c
+++ b/security/integrity/ima/ima_kexec.c
@@ -77,7 +77,7 @@ out:
* Called during kexec_file_load so that IMA can add a segment to the kexec
* image for the measurement list for the next kernel.
*
- * This function assumes that kexec_mutex is held.
+ * This function assumes that kexec_lock is held.
*/
void ima_add_kexec_buffer(struct kimage *image)
{
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 7a0420cf1a6a..f69062617754 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -1280,7 +1280,7 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
IMA_FSNAME | IMA_GID | IMA_EGID |
IMA_FGROUP | IMA_DIGSIG_REQUIRED |
IMA_PERMIT_DIRECTIO | IMA_VALIDATE_ALGOS |
- IMA_VERITY_REQUIRED))
+ IMA_CHECK_BLACKLIST | IMA_VERITY_REQUIRED))
return false;
break;
@@ -1355,7 +1355,7 @@ static bool ima_validate_rule(struct ima_rule_entry *entry)
/* Ensure that combinations of flags are compatible with each other */
if (entry->flags & IMA_CHECK_BLACKLIST &&
- !(entry->flags & IMA_MODSIG_ALLOWED))
+ !(entry->flags & IMA_DIGSIG_REQUIRED))
return false;
/*
@@ -1803,11 +1803,11 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
if (entry->flags & IMA_VERITY_REQUIRED)
result = -EINVAL;
else
- entry->flags |= IMA_DIGSIG_REQUIRED;
+ entry->flags |= IMA_DIGSIG_REQUIRED | IMA_CHECK_BLACKLIST;
} else if (strcmp(args[0].from, "sigv3") == 0) {
/* Only fsverity supports sigv3 for now */
if (entry->flags & IMA_VERITY_REQUIRED)
- entry->flags |= IMA_DIGSIG_REQUIRED;
+ entry->flags |= IMA_DIGSIG_REQUIRED | IMA_CHECK_BLACKLIST;
else
result = -EINVAL;
} else if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) &&
@@ -1816,18 +1816,13 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
result = -EINVAL;
else
entry->flags |= IMA_DIGSIG_REQUIRED |
- IMA_MODSIG_ALLOWED;
+ IMA_MODSIG_ALLOWED | IMA_CHECK_BLACKLIST;
} else {
result = -EINVAL;
}
break;
case Opt_appraise_flag:
ima_log_string(ab, "appraise_flag", args[0].from);
- if (IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG) &&
- strstr(args[0].from, "blacklist"))
- entry->flags |= IMA_CHECK_BLACKLIST;
- else
- result = -EINVAL;
break;
case Opt_appraise_algos:
ima_log_string(ab, "appraise_algos", args[0].from);
@@ -2271,8 +2266,6 @@ int ima_policy_show(struct seq_file *m, void *v)
}
if (entry->flags & IMA_VERITY_REQUIRED)
seq_puts(m, "digest_type=verity ");
- if (entry->flags & IMA_CHECK_BLACKLIST)
- seq_puts(m, "appraise_flag=check_blacklist ");
if (entry->flags & IMA_PERMIT_DIRECTIO)
seq_puts(m, "permit_directio ");
rcu_read_unlock();