summaryrefslogtreecommitdiffstats
path: root/security/integrity/ima/ima_policy.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
* security/integrity/ima/ima_policy.c: use %pU to output UUID in printable formatAndy Shevchenko2016-05-211-12/+2
| | | | | | | | | | | | | | | | | Instead of open coded variant re-use extension that vsprintf.c provides us for ages. Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> Reviewed-by: Matt Fleming <matt@codeblueprint.co.uk> Cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com> Cc: Mimi Zohar <zohar@linux.vnet.ibm.com> Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk> Cc: Arnd Bergmann <arnd@arndb.de> Cc: "Theodore Ts'o" <tytso@mit.edu> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Jens Axboe <axboe@kernel.dk> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* ima: fix the string representation of the LSM/IMA hook enumeration orderingMimi Zohar2016-05-041-2/+2
| | | | | | | | | | This patch fixes the string representation of the LSM/IMA hook enumeration ordering used for displaying the IMA policy. Fixes: d9ddf077bb85 ("ima: support for kexec image and initramfs") Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Tested-by: Eric Richter <erichte@linux.vnet.ibm.com> Signed-off-by: James Morris <james.l.morris@oracle.com>
* ima: require signed IMA policyMimi Zohar2016-02-211-0/+7
| | | | | | | | | | | | Require the IMA policy to be signed when additional rules can be added. v1: - initialize the policy flag - include IMA_APPRAISE_POLICY in the policy flag Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Acked-by: Petko Manolov <petkan@mip-labs.com> Acked-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
* ima: measure and appraise the IMA policy itselfMimi Zohar2016-02-211-1/+11
| | | | | | | | | | | | | Add support for measuring and appraising the IMA policy itself. Changelog v4: - use braces on both if/else branches, even if single line on one of the branches - Dmitry - Use the id mapping - Dmitry Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Acked-by: Petko Manolov <petkan@mip-labs.com> Acked-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
* ima: support for kexec image and initramfsMimi Zohar2016-02-211-1/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add IMA policy support for measuring/appraising the kexec image and initramfs. Two new IMA policy identifiers KEXEC_KERNEL_CHECK and KEXEC_INITRAMFS_CHECK are defined. Example policy rules: measure func=KEXEC_KERNEL_CHECK appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig measure func=KEXEC_INITRAMFS_CHECK appraise func=KEXEC_INITRAMFS_CHECK appraise_type=imasig Moving the enumeration to the vfs layer simplified the patches, allowing the IMA changes, for the most part, to be separated from the other changes. Unfortunately, passing either a kernel_read_file_id or a ima_hooks enumeration within IMA is messy. Option 1: duplicate kernel_read_file enumeration in ima_hooks enum kernel_read_file_id { ... READING_KEXEC_IMAGE, READING_KEXEC_INITRAMFS, READING_MAX_ID enum ima_hooks { ... KEXEC_KERNEL_CHECK KEXEC_INITRAMFS_CHECK Option 2: define ima_hooks as extension of kernel_read_file eg: enum ima_hooks { FILE_CHECK = READING_MAX_ID, MMAP_CHECK, In order to pass both kernel_read_file_id and ima_hooks values, we would need to specify a struct containing a union. struct caller_id { union { enum ima_hooks func_id; enum kernel_read_file_id read_id; }; }; Option 3: incorportate the ima_hooks enumeration into kernel_read_file_id, perhaps changing the enumeration name. For now, duplicate the new READING_KEXEC_IMAGE/INITRAMFS in the ima_hooks. Changelog v4: - replaced switch statement with a kernel_read_file_id to an ima_hooks id mapping array - Dmitry - renamed ima_hook tokens KEXEC_CHECK and INITRAMFS_CHECK to KEXEC_KERNEL_CHECK and KEXEC_INITRAMFS_CHECK respectively - Dave Young Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Acked-by: Petko Manolov <petkan@mip-labs.com> Acked-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com> Cc: Dave Young <dyoung@redhat.com>
* ima: remove firmware and module specific cached status infoMimi Zohar2016-02-211-5/+4
| | | | | | | | | | | | | Each time a file is read by the kernel, the file should be re-measured and the file signature re-appraised, based on policy. As there is no need to preserve the status information, this patch replaces the firmware and module specific cache status with a generic one named read_file. This change simplifies adding support for other files read by the kernel. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Acked-by: Petko Manolov <petkan@mip-labs.com> Acked-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
* ima: define a new hook to measure and appraise a file already in memoryMimi Zohar2016-02-211-0/+1
| | | | | | | | | | | | | | | | | | This patch defines a new IMA hook ima_post_read_file() for measuring and appraising files read by the kernel. The caller loads the file into memory before calling this function, which calculates the hash followed by the normal IMA policy based processing. Changelog v5: - fail ima_post_read_file() if either file or buf is NULL v3: - rename ima_hash_and_process_file() to ima_post_read_file() v1: - split patch Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Acked-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
* ima: use "ima_hooks" enum as function argumentMimi Zohar2016-02-181-3/+3
| | | | | | | | Cleanup the function arguments by using "ima_hooks" enumerator as needed. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Acked-by: Petko Manolov <petkan@mip-labs.com> Acked-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
* ima: refactor ima_policy_show() to display "ima_hooks" rulesMimi Zohar2016-02-181-27/+36
| | | | | | | | Define and call a function to display the "ima_hooks" rules. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Acked-by: Petko Manolov <petkan@mip-labs.com> Acked-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
* IMA: fix non-ANSI declaration of ima_check_policy()Colin Ian King2016-02-091-1/+1
| | | | | | | | | ima_check_policy() has no parameters, so use the normal void parameter convention to make it match the prototype in the header file security/integrity/ima/ima.h Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
* IMA: policy can be updated zero timesSasha Levin2015-12-251-0/+8
| | | | | | | | | | | | | | | Commit "IMA: policy can now be updated multiple times" assumed that the policy would be updated at least once. If there are zero updates, the temporary list head object will get added to the policy list, and later dereferenced as an IMA policy object, which means that invalid memory will be accessed. Changelog: - Move list_empty() test to ima_release_policy(), before audit msg - Mimi Signed-off-by: Sasha Levin <sasha.levin@oracle.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
* ima: update appraise flags after policy update completesMimi Zohar2015-12-151-2/+5
| | | | | | | | | | While creating a temporary list of new rules, the ima_appraise flag is updated, but not reverted on failure to append the new rules to the existing policy. This patch defines temp_ima_appraise flag. Only when the new rules are appended to the policy is the flag updated. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Acked-by: Petko Manolov <petkan@mip-labs.com>
* IMA: allow reading back the current IMA policyPetko Manolov2015-12-151-2/+205
| | | | | | | | | | It is often useful to be able to read back the IMA policy. It is even more important after introducing CONFIG_IMA_WRITE_POLICY. This option allows the root user to see the current policy rules. Signed-off-by: Zbigniew Jasinski <z.jasinski@samsung.com> Signed-off-by: Petko Manolov <petkan@mip-labs.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
* IMA: policy can now be updated multiple timesPetko Manolov2015-12-151-28/+51
| | | | | | | | | | | | | | The new rules get appended to the original policy, forming a queue. The new rules are first added to a temporary list, which on error get released without disturbing the normal IMA operations. On success both lists (the current policy and the new rules) are spliced. IMA policy reads are many orders of magnitude more numerous compared to writes, the match code is RCU protected. The updater side also does list splice in RCU manner. Signed-off-by: Petko Manolov <petkan@mip-labs.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
* ima: update builtin policiesMimi Zohar2015-06-161-9/+56
| | | | | | | | | | | | | | | | | | | | This patch defines a builtin measurement policy "tcb", similar to the existing "ima_tcb", but with additional rules to also measure files based on the effective uid and to measure files opened with the "read" mode bit set (eg. read, read-write). Changing the builtin "ima_tcb" policy could potentially break existing users. Instead of defining a new separate boot command line option each time the builtin measurement policy is modified, this patch defines a single generic boot command line option "ima_policy=" to specify the builtin policy and deprecates the use of the builtin ima_tcb policy. [The "ima_policy=" boot command line option is based on Roberto Sassu's "ima: added new policy type exec" patch.] Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: Dr. Greg Wettstein <gw@idfusion.org> Cc: stable@vger.kernel.org
* ima: extend "mask" policy matching supportMimi Zohar2015-06-161-5/+15
| | | | | | | | | | | The current "mask" policy option matches files opened as MAY_READ, MAY_WRITE, MAY_APPEND or MAY_EXEC. This patch extends the "mask" option to match files opened containing one of these modes. For example, "mask=^MAY_READ" would match files opened read-write. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: Dr. Greg Wettstein <gw@idfusion.org> Cc: stable@vger.kernel.org
* ima: add support for new "euid" policy conditionMimi Zohar2015-06-161-4/+23
| | | | | | | | | | | | | | The new "euid" policy condition measures files with the specified effective uid (euid). In addition, for CAP_SETUID files it measures files with the specified uid or suid. Changelog: - fixed checkpatch.pl warnings - fixed avc denied {setuid} messages - based on Roberto's feedback Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: Dr. Greg Wettstein <gw@idfusion.org> Cc: stable@vger.kernel.org
* ima: do not measure or appraise the NSFS filesystemMimi Zohar2015-05-211-0/+2
| | | | | | | | | | | Include don't appraise or measure rules for the NSFS filesystem in the builtin ima_tcb and ima_appraise_tcb policies. Changelog: - Update documentation Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Cc: stable@vger.kernel.org # 3.19
* ima: skip measurement of cgroupfs files and update documentationRoberto Sassu2015-05-211-0/+2
| | | | | | | | | | | | | | This patch adds a rule in the default measurement policy to skip inodes in the cgroupfs filesystem. Measurements for this filesystem can be avoided, as all the digests collected have the same value of the digest of an empty file. Furthermore, this patch updates the documentation of IMA policies in Documentation/ABI/testing/ima_policy to make it consistent with the policies set in security/integrity/ima/ima_policy.c. Signed-off-by: Roberto Sassu <rsassu@suse.de> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
* ima: cleanup ima_init_policy() a littleDan Carpenter2015-05-131-10/+6
| | | | | | | It's a bit easier to read this if we split it up into two for loops. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
* ima: require signature based appraisalDmitry Kasatkin2014-11-181-0/+6
| | | | | | | | | | | | | | | | | | | | This patch provides CONFIG_IMA_APPRAISE_SIGNED_INIT kernel configuration option to force IMA appraisal using signatures. This is useful, when EVM key is not initialized yet and we want securely initialize integrity or any other functionality. It forces embedded policy to require signature. Signed initialization script can initialize EVM key, update the IMA policy and change further requirement of everything to be signed. Changes in v3: * kernel parameter fixed to configuration option in the patch description Changes in v2: * policy change of this patch separated from the key loading patch Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
* ima: use atomic bit operations to protect policy update interfaceDmitry Kasatkin2014-10-121-21/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | The current implementation uses an atomic counter to provide exclusive access to the sysfs 'policy' entry to update the IMA policy. While it is highly unlikely, the usage of a counter might potentially allow another process to overflow the counter, open the interface and insert additional rules into the policy being loaded. This patch replaces using an atomic counter with atomic bit operations which is more reliable and a widely used method to provide exclusive access. As bit operation keep the interface locked after successful update, it makes it unnecessary to verify if the default policy was set or not during parsing and interface closing. This patch also removes that code. Changes in v3: * move audit log message to ima_relead_policy() to report successful and unsuccessful result * unnecessary comment removed Changes in v2: * keep interface locked after successful policy load as in original design * remove sysfs entry as in original design Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
* ima: ignore empty and with whitespaces policy linesDmitry Kasatkin2014-10-121-1/+2
| | | | | | | | | | | Empty policy lines cause parsing failures which is, especially for new users, hard to spot. This patch prevents it. Changes in v2: * strip leading blanks and tabs in rules to prevent parsing failures Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
* ima: no need to allocate entry for commentDmitry Kasatkin2014-10-121-8/+6
| | | | | | | | If a rule is a comment, there is no need to allocate an entry. Move the checking for comments before allocating the entry. Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
* ima: added ima_policy_flag variableRoberto Sassu2014-09-171-0/+23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch introduces the new variable 'ima_policy_flag', whose bits are set depending on the action of the current policy rules. Only the flags IMA_MEASURE, IMA_APPRAISE and IMA_AUDIT are set. The new variable will be used to improve performance by skipping the unnecessary execution of IMA code if the policy does not contain rules with the above actions. Changes in v6 (Roberto Sassu) * do not check 'ima_initialized' before calling ima_update_policy_flag() in ima_update_policy() (suggested by Dmitry) * calling ima_update_policy_flag() moved to init_ima to co-locate with ima_initialized (Dmitry) * add/revise comments (Mimi) Changes in v5 (Roberto Sassu) * reset IMA_APPRAISE flag in 'ima_policy_flag' if 'ima_appraise' is set to zero (reported by Dmitry) * update 'ima_policy_flag' only if IMA initialization is successful (suggested by Mimi and Dmitry) * check 'ima_policy_flag' instead of 'ima_initialized' (suggested by Mimi and Dmitry) Signed-off-by: Roberto Sassu <roberto.sassu@polito.it> Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
* ima: add support for measuring and appraising firmwareMimi Zohar2014-07-251-0/+7
| | | | | | | | | | | | | The "security: introduce kernel_fw_from_file hook" patch defined a new security hook to evaluate any loaded firmware that wasn't built into the kernel. This patch defines ima_fw_from_file(), which is called from the new security hook, to measure and/or appraise the loaded firmware's integrity. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: Kees Cook <keescook@chromium.org>
* audit: fix dangling keywords in integrity ima message outputRichard Guy Briggs2014-07-171-3/+3
| | | | | | | | | Replace spaces in op keyword labels in log output since userspace audit tools can't parse orphaned keywords. Reported-by: Steve Grubb <sgrubb@redhat.com> Signed-off-by: Richard Guy Briggs <rgb@redhat.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
* ima: audit log files opened with O_DIRECT flagMimi Zohar2014-06-031-1/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Files are measured or appraised based on the IMA policy. When a file, in policy, is opened with the O_DIRECT flag, a deadlock occurs. The first attempt at resolving this lockdep temporarily removed the O_DIRECT flag and restored it, after calculating the hash. The second attempt introduced the O_DIRECT_HAVELOCK flag. Based on this flag, do_blockdev_direct_IO() would skip taking the i_mutex a second time. The third attempt, by Dmitry Kasatkin, resolves the i_mutex locking issue, by re-introducing the IMA mutex, but uncovered another problem. Reading a file with O_DIRECT flag set, writes directly to userspace pages. A second patch allocates a user-space like memory. This works for all IMA hooks, except ima_file_free(), which is called on __fput() to recalculate the file hash. Until this last issue is addressed, do not 'collect' the measurement for measuring, appraising, or auditing files opened with the O_DIRECT flag set. Based on policy, permit or deny file access. This patch defines a new IMA policy rule option named 'permit_directio'. Policy rules could be defined, based on LSM or other criteria, to permit specific applications to open files with the O_DIRECT flag set. Changelog v1: - permit or deny file access based IMA policy rules Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Acked-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Cc: <stable@vger.kernel.org>
* integrity: fix checkpatch errorsDmitry Kasatkin2014-03-071-33/+32
| | | | | | | | | | | | | Between checkpatch changes (eg. sizeof) and inconsistencies between Lindent and checkpatch, unfixed checkpatch errors make it difficult to see new errors. This patch fixes them. Some lines with over 80 chars remained unchanged to improve code readability. The "extern" keyword is removed from internal evm.h to make it consistent with internal ima.h. Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
* ima: fix erroneous removal of security.ima xattrDmitry Kasatkin2014-03-071-2/+4
| | | | | | | | | | | | | | | | ima_inode_post_setattr() calls ima_must_appraise() to check if the file needs to be appraised. If it does not then it removes security.ima xattr. With original policy matching code it might happen that even file needs to be appraised with FILE_CHECK hook, it might not be for POST_SETATTR hook. 'security.ima' might be erronously removed. This patch treats POST_SETATTR as special wildcard function and will cause ima_must_appraise() to be true if any of the hooks rules matches. security.ima will not be removed if any of the hooks would require appraisal. Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
* ima: use static const char array definitionsMimi Zohar2014-03-071-2/+2
| | | | | | | | | | A const char pointer allocates memory for a pointer as well as for a string, This patch replaces a number of the const char pointers throughout IMA, with a static const char array. Suggested-by: David Howells <dhowells@redhat.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Acked-by: David Howells <dhowells@redhat.com>
* security: replace strict_strto*() with kstrto*()Jingoo Han2014-02-061-3/+3
| | | | | | | | | The usage of strict_strto*() is not preferred, because strict_strto*() is obsolete. Thus, kstrto*() should be used. Signed-off-by: Jingoo Han <jg1.han@samsung.com> Signed-off-by: James Morris <james.l.morris@oracle.com>
* Revert "ima: policy for RAMFS"Mimi Zohar2013-10-251-1/+0
| | | | | | | | | | | This reverts commit 4c2c392763a682354fac65b6a569adec4e4b5387. Everything in the initramfs should be measured and appraised, but until the initramfs has extended attribute support, at least measured. Signed-off-by: Mimi Zohar <zohar@us.ibm.com> Cc: Stable Kernel <stable@kernel.org>
* block: fix part_pack_uuid() build errorMimi Zohar2013-02-251-5/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | Commit "85865c1 ima: add policy support for file system uuid" introduced a CONFIG_BLOCK dependency. This patch defines a wrapper called blk_part_pack_uuid(), which returns -EINVAL, when CONFIG_BLOCK is not defined. security/integrity/ima/ima_policy.c:538:4: error: implicit declaration of function 'part_pack_uuid' [-Werror=implicit-function-declaration] Changelog v2: - Reference commit number in patch description Changelog v1: - rename ima_part_pack_uuid() to blk_part_pack_uuid() - resolve scripts/checkpatch.pl warnings Changelog v0: - fix UUID scripts/Lindent msgs Reported-by: Randy Dunlap <rdunlap@infradead.org> Reported-by: David Rientjes <rientjes@google.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Acked-by: David Rientjes <rientjes@google.com> Acked-by: Randy Dunlap <rdunlap@infradead.org> Cc: Jens Axboe <axboe@kernel.dk> Signed-off-by: James Morris <james.l.morris@oracle.com>
* Merge branch 'next' of ↵Linus Torvalds2013-02-211-14/+124
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security Pull security subsystem updates from James Morris: "This is basically a maintenance update for the TPM driver and EVM/IMA" Fix up conflicts in lib/digsig.c and security/integrity/ima/ima_main.c * 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (45 commits) tpm/ibmvtpm: build only when IBM pseries is configured ima: digital signature verification using asymmetric keys ima: rename hash calculation functions ima: use new crypto_shash API instead of old crypto_hash ima: add policy support for file system uuid evm: add file system uuid to EVM hmac tpm_tis: check pnp_acpi_device return code char/tpm/tpm_i2c_stm_st33: drop temporary variable for return value char/tpm/tpm_i2c_stm_st33: remove dead assignment in tpm_st33_i2c_probe char/tpm/tpm_i2c_stm_st33: Remove __devexit attribute char/tpm/tpm_i2c_stm_st33: Don't use memcpy for one byte assignment tpm_i2c_stm_st33: removed unused variables/code TPM: Wait for TPM_ACCESS tpmRegValidSts to go high at startup tpm: Fix cancellation of TPM commands (interrupt mode) tpm: Fix cancellation of TPM commands (polling mode) tpm: Store TPM vendor ID TPM: Work around buggy TPMs that block during continue self test tpm_i2c_stm_st33: fix oops when i2c client is unavailable char/tpm: Use struct dev_pm_ops for power management TPM: STMicroelectronics ST33 I2C BUILD STUFF ...
| * ima: add policy support for file system uuidDmitry Kasatkin2013-02-061-1/+21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The IMA policy permits specifying rules to enable or disable measurement/appraisal/audit based on the file system magic number. If, for example, the policy contains an ext4 measurement rule, the rule is enabled for all ext4 partitions. Sometimes it might be necessary to enable measurement/appraisal/audit only for one partition and disable it for another partition of the same type. With the existing IMA policy syntax, this can not be done. This patch provides support for IMA policy rules to specify the file system by its UUID (eg. fsuuid=397449cd-687d-4145-8698-7fed4a3e0363). For partitions not being appraised, it might be a good idea to mount file systems with the 'noexec' option to prevent executing non-verified binaries. Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
| * ima: differentiate appraise status only for hook specific rulesMimi Zohar2013-01-221-3/+6
| | | | | | | | | | | | | | | | | | | | | | | | Different hooks can require different methods for appraising a file's integrity. As a result, an integrity appraisal status is cached on a per hook basis. Only a hook specific rule, requires the inode to be re-appraised. This patch eliminates unnecessary appraisals. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
| * ima: per hook cache integrity appraisal statusMimi Zohar2013-01-221-0/+22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | With the new IMA policy 'appraise_type=' option, different hooks can require different methods for appraising a file's integrity. For example, the existing 'ima_appraise_tcb' policy defines a generic rule, requiring all root files to be appraised, without specfying the appraisal method. A more specific rule could require all kernel modules, for example, to be signed. appraise fowner=0 func=MODULE_CHECK appraise_type=imasig appraise fowner=0 As a result, the integrity appraisal results for the same inode, but for different hooks, could differ. This patch caches the integrity appraisal results on a per hook basis. Changelog v2: - Rename ima_cache_status() to ima_set_cache_status() - Rename and move get_appraise_status() to ima_get_cache_status() Changelog v0: - include IMA_APPRAISE/APPRAISED_SUBMASK in IMA_DO/DONE_MASK (Dmitry) - Support independent MODULE_CHECK appraise status. - fixed IMA_XXXX_APPRAISE/APPRAISED flags Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
| * ima: added policy support for 'security.ima' typeDmitry Kasatkin2013-01-221-1/+17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The 'security.ima' extended attribute may contain either the file data's hash or a digital signature. This patch adds support for requiring a specific extended attribute type. It extends the IMA policy with a new keyword 'appraise_type=imasig'. (Default is hash.) Changelog v2: - Fixed Documentation/ABI/testing/ima_policy option syntax Changelog v1: - Differentiate between 'required' vs. 'actual' extended attribute Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
| * ima: rename FILE_MMAP to MMAP_CHECKMimi Zohar2013-01-161-3/+4
| | | | | | | | | | | | | | Rename FILE_MMAP hook to MMAP_CHECK to be consistent with the other hook names. Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
| * ima: re-initialize IMA policy LSM infoMimi Zohar2013-01-161-10/+58
| | | | | | | | | | | | | | | | | | | | | | | | | | Although the IMA policy does not change, the LSM policy can be reloaded, leaving the IMA LSM based rules referring to the old, stale LSM policy. This patch updates the IMA LSM based rules to reflect the reloaded LSM policy. Reported-by: Sven Vermeulen <sven.vermeulen@siphos.be> tested-by: Sven Vermeulen <sven.vermeulen@siphos.be> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Cc: Eric Paris <eparis@parisplace.org> Cc: Casey Schaufler <casey@schaufler-ca.com>
* | ima: fallback to MODULE_SIG_ENFORCE for existing kernel module syscallMimi Zohar2012-12-241-1/+2
|/ | | | | | | | | | | | | | | The new kernel module syscall appraises kernel modules based on policy. If the IMA policy requires kernel module checking, fallback to module signature enforcing for the existing syscall. Without CONFIG_MODULE_SIG_FORCE enabled, the kernel module's integrity is unknown, return -EACCES. Changelog v1: - Fix ima_module_check() return result (Tetsuo Handa) Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Reviewed-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
* ima: support new kernel module syscallMimi Zohar2012-12-141-0/+3
| | | | | | | | | | | | | | | | With the addition of the new kernel module syscall, which defines two arguments - a file descriptor to the kernel module and a pointer to a NULL terminated string of module arguments - it is now possible to measure and appraise kernel modules like any other file on the file system. This patch adds support to measure and appraise kernel modules in an extensible and consistent manner. To support filesystems without extended attribute support, additional patches could pass the signature as the first parameter. Signed-off-by: Mimi Zohar <zohar@us.ibm.com> Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
* Merge branch 'next' of ↵Linus Torvalds2012-10-031-47/+148
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security Pull security subsystem updates from James Morris: "Highlights: - Integrity: add local fs integrity verification to detect offline attacks - Integrity: add digital signature verification - Simple stacking of Yama with other LSMs (per LSS discussions) - IBM vTPM support on ppc64 - Add new driver for Infineon I2C TIS TPM - Smack: add rule revocation for subject labels" Fixed conflicts with the user namespace support in kernel/auditsc.c and security/integrity/ima/ima_policy.c. * 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (39 commits) Documentation: Update git repository URL for Smack userland tools ima: change flags container data type Smack: setprocattr memory leak fix Smack: implement revoking all rules for a subject label Smack: remove task_wait() hook. ima: audit log hashes ima: generic IMA action flag handling ima: rename ima_must_appraise_or_measure audit: export audit_log_task_info tpm: fix tpm_acpi sparse warning on different address spaces samples/seccomp: fix 31 bit build on s390 ima: digital signature verification support ima: add support for different security.ima data types ima: add ima_inode_setxattr/removexattr function and calls ima: add inode_post_setattr call ima: replace iint spinblock with rwlock/read_lock ima: allocating iint improvements ima: add appraise action keywords and default rules ima: integrity appraisal extension vfs: move ima_file_free before releasing the file ...
| * ima: audit log hashesPeter Moody2012-09-131-0/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This adds an 'audit' policy action which audit logs file measurements. Changelog v6: - use new action flag handling (Dmitry Kasatkin). - removed whitespace (Mimi) Changelog v5: - use audit_log_untrustedstring. Changelog v4: - cleanup digest -> hash conversion. - use filename rather than d_path in ima_audit_measurement. Changelog v3: - Use newly exported audit_log_task_info for logging pid/ppid/uid/etc. - Update the ima_policy ABI documentation. Changelog v2: - Use 'audit' action rather than 'measure_and_audit' to permit auditing in the absence of measuring.. Changelog v1: - Initial posting. Signed-off-by: Peter Moody <pmoody@google.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
| * ima: generic IMA action flag handlingDmitry Kasatkin2012-09-131-10/+11
| | | | | | | | | | | | | | | | | | | | Make the IMA action flag handling generic in order to support additional new actions, without requiring changes to the base implementation. New actions, like audit logging, will only need to modify the define statements. Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
| * ima: add appraise action keywords and default rulesMimi Zohar2012-09-071-39/+112
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Unlike the IMA measurement policy, the appraise policy can not be dependent on runtime process information, such as the task uid, as the 'security.ima' xattr is written on file close and must be updated each time the file changes, regardless of the current task uid. This patch extends the policy language with 'fowner', defines an appraise policy, which appraises all files owned by root, and defines 'ima_appraise_tcb', a new boot command line option, to enable the appraise policy. Changelog v3: - separate the measure from the appraise rules in order to support measuring without appraising and appraising without measuring. - change appraisal default for filesystems without xattr support to fail - update default appraise policy for cgroups Changelog v1: - don't appraise RAMFS (Dmitry Kasatkin) - merged rest of "ima: ima_must_appraise_or_measure API change" commit (Dmtiry Kasatkin) ima_must_appraise_or_measure() called ima_match_policy twice, which searched the policy for a matching rule. Once for a matching measurement rule and subsequently for an appraisal rule. Searching the policy twice is unnecessary overhead, which could be noticeable with a large policy. The new version of ima_must_appraise_or_measure() does everything in a single iteration using a new version of ima_match_policy(). It returns IMA_MEASURE, IMA_APPRAISE mask. With the use of action mask only one efficient matching function is enough. Removed other specific versions of matching functions. Changelog: - change 'owner' to 'fowner' to conform to the new LSM conditions posted by Roberto Sassu. - fix calls to ima_log_string() Signed-off-by: Mimi Zohar <zohar@us.ibm.com> Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
| * ima: integrity appraisal extensionMimi Zohar2012-09-071-8/+24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | IMA currently maintains an integrity measurement list used to assert the integrity of the running system to a third party. The IMA-appraisal extension adds local integrity validation and enforcement of the measurement against a "good" value stored as an extended attribute 'security.ima'. The initial methods for validating 'security.ima' are hashed based, which provides file data integrity, and digital signature based, which in addition to providing file data integrity, provides authenticity. This patch creates and maintains the 'security.ima' xattr, containing the file data hash measurement. Protection of the xattr is provided by EVM, if enabled and configured. Based on policy, IMA calls evm_verifyxattr() to verify a file's metadata integrity and, assuming success, compares the file's current hash value with the one stored as an extended attribute in 'security.ima'. Changelov v4: - changed iint cache flags to hex values Changelog v3: - change appraisal default for filesystems without xattr support to fail Changelog v2: - fix audit msg 'res' value - removed unused 'ima_appraise=' values Changelog v1: - removed unused iint mutex (Dmitry Kasatkin) - setattr hook must not reset appraised (Dmitry Kasatkin) - evm_verifyxattr() now differentiates between no 'security.evm' xattr (INTEGRITY_NOLABEL) and no EVM 'protected' xattrs included in the 'security.evm' (INTEGRITY_NOXATTRS). - replace hash_status with ima_status (Dmitry Kasatkin) - re-initialize slab element ima_status on free (Dmitry Kasatkin) - include 'security.ima' in EVM if CONFIG_IMA_APPRAISE, not CONFIG_IMA - merged half "ima: ima_must_appraise_or_measure API change" (Dmitry Kasatkin) - removed unnecessary error variable in process_measurement() (Dmitry Kasatkin) - use ima_inode_post_setattr() stub function, if IMA_APPRAISE not configured (moved ima_inode_post_setattr() to ima_appraise.c) - make sure ima_collect_measurement() can read file Changelog: - add 'iint' to evm_verifyxattr() call (Dimitry Kasatkin) - fix the race condition between chmod, which takes the i_mutex and then iint->mutex, and ima_file_free() and process_measurement(), which take the locks in the reverse order, by eliminating iint->mutex. (Dmitry Kasatkin) - cleanup of ima_appraise_measurement() (Dmitry Kasatkin) - changes as a result of the iint not allocated for all regular files, but only for those measured/appraised. - don't try to appraise new/empty files - expanded ima_appraisal description in ima/Kconfig - IMA appraise definitions required even if IMA_APPRAISE not enabled - add return value to ima_must_appraise() stub - unconditionally set status = INTEGRITY_PASS *after* testing status, not before. (Found by Joe Perches) Signed-off-by: Mimi Zohar <zohar@us.ibm.com> Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
* | userns: Add user namespace support to IMAEric W. Biederman2012-09-211-7/+7
|/ | | | | | | | | | | Use kuid's in the IMA rules. When reporting the current uid in audit logs use from_kuid to get a usable value. Cc: Mimi Zohar <zohar@us.ibm.com> Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
* ima: add policy for pseudo fsDmitry Kasatkin2012-07-051-0/+2
| | | | | | | Exclude DEVPTS and BINFMT filesystems from the measurement policy. Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>