Commit c8ba56b7 authored by Linus Torvalds's avatar Linus Torvalds

Merge tag 'integrity-v5.17-fix' of...

Merge tag 'integrity-v5.17-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity

Pull integrity fixes from Mimi Zohar:
 "Fixes for recently found bugs.

  One was found/noticed while reviewing IMA support for fsverity digests
  and signatures. Two of them were found/noticed while working on IMA
  namespacing. Plus two other bugs.

  All of them are for previous kernel releases"

* tag 'integrity-v5.17-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
  ima: Do not print policy rule with inactive LSM labels
  ima: Allow template selection with ima_template[_fmt]= after ima_hash=
  ima: Remove ima_policy file before directory
  integrity: check the return value of audit_log_start()
  ima: fix reference leak in asymmetric_verify()
parents dfd42fac 89677197
...@@ -109,22 +109,25 @@ int asymmetric_verify(struct key *keyring, const char *sig, ...@@ -109,22 +109,25 @@ int asymmetric_verify(struct key *keyring, const char *sig,
pk = asymmetric_key_public_key(key); pk = asymmetric_key_public_key(key);
pks.pkey_algo = pk->pkey_algo; pks.pkey_algo = pk->pkey_algo;
if (!strcmp(pk->pkey_algo, "rsa")) if (!strcmp(pk->pkey_algo, "rsa")) {
pks.encoding = "pkcs1"; pks.encoding = "pkcs1";
else if (!strncmp(pk->pkey_algo, "ecdsa-", 6)) } else if (!strncmp(pk->pkey_algo, "ecdsa-", 6)) {
/* edcsa-nist-p192 etc. */ /* edcsa-nist-p192 etc. */
pks.encoding = "x962"; pks.encoding = "x962";
else if (!strcmp(pk->pkey_algo, "ecrdsa") || } else if (!strcmp(pk->pkey_algo, "ecrdsa") ||
!strcmp(pk->pkey_algo, "sm2")) !strcmp(pk->pkey_algo, "sm2")) {
pks.encoding = "raw"; pks.encoding = "raw";
else } else {
return -ENOPKG; ret = -ENOPKG;
goto out;
}
pks.digest = (u8 *)data; pks.digest = (u8 *)data;
pks.digest_size = datalen; pks.digest_size = datalen;
pks.s = hdr->sig; pks.s = hdr->sig;
pks.s_size = siglen; pks.s_size = siglen;
ret = verify_signature(key, &pks); ret = verify_signature(key, &pks);
out:
key_put(key); key_put(key);
pr_debug("%s() = %d\n", __func__, ret); pr_debug("%s() = %d\n", __func__, ret);
return ret; return ret;
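Review bot: The `ecdsa-` branch still hard-codes the prefix length `6` in `strncmp(pk->pkey_algo, "ecdsa-", 6)`, and the comment beside it misspells the algorithm as `edcsa`; since this hunk already rebraces that chain, `} else if (strstarts(pk->pkey_algo, "ecdsa-")) {` with `/* ecdsa-nist-p192 etc. */` would drop both the magic number and the typo. The new `out:` label is reached with `ret` assigned on both the -ENOPKG path and the verify_signature() path, so `key_put()` and the `pr_debug` now see a consistent value. The key lookup at the top of asymmetric_verify and its closing brace are outside the hunk.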
......
...@@ -496,12 +496,12 @@ int __init ima_fs_init(void) ...@@ -496,12 +496,12 @@ int __init ima_fs_init(void)
return 0; return 0;
out: out:
securityfs_remove(ima_policy);
securityfs_remove(violations); securityfs_remove(violations);
securityfs_remove(runtime_measurements_count); securityfs_remove(runtime_measurements_count);
securityfs_remove(ascii_runtime_measurements); securityfs_remove(ascii_runtime_measurements);
securityfs_remove(binary_runtime_measurements); securityfs_remove(binary_runtime_measurements);
securityfs_remove(ima_symlink); securityfs_remove(ima_symlink);
securityfs_remove(ima_dir); securityfs_remove(ima_dir);
securityfs_remove(ima_policy);
return -1; return -1;
} }
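Review bot: The error path still collapses every failure into a bare `return -1;` instead of the `-errno` returned by whichever `securityfs_create_*` call failed, so the caller cannot tell why securityfs setup was rejected. Moving `securityfs_remove(ima_policy)` ahead of the directory removal is right, since the file must go before its parent `ima_dir`; the remaining improvement would be to capture the error at each creation site into a local and `return ret;` here. The creation calls at the top of ima_fs_init are not visible in this hunk, so that part of the change cannot be shown.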
...@@ -1967,6 +1967,14 @@ int ima_policy_show(struct seq_file *m, void *v) ...@@ -1967,6 +1967,14 @@ int ima_policy_show(struct seq_file *m, void *v)
rcu_read_lock(); rcu_read_lock();
/* Do not print rules with inactive LSM labels */
for (i = 0; i < MAX_LSM_RULES; i++) {
if (entry->lsm[i].args_p && !entry->lsm[i].rule) {
rcu_read_unlock();
return 0;
}
}
if (entry->action & MEASURE) if (entry->action & MEASURE)
seq_puts(m, pt(Opt_measure)); seq_puts(m, pt(Opt_measure));
if (entry->action & DONT_MEASURE) if (entry->action & DONT_MEASURE)
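Review bot: The new guard's comment says what is skipped but not why, and the condition `entry->lsm[i].args_p && !entry->lsm[i].rule` is the only hint; a reader needs to know that a rule carrying an LSM label string but no compiled `rule` is presumably one whose label the LSM does not currently recognise, so it is not being matched and listing it would misrepresent the policy actually in force. Suggest `/* A rule with an LSM label but no compiled rule is inactive; skip it so the listing reflects what is enforced */` in place of the one-liner. The loop index `i` is not declared in the hunk, so it presumably reuses the function's existing counter; the rest of ima_policy_show, including the `rcu_read_unlock()` on the normal path, is outside the hunk.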
......
...@@ -29,6 +29,7 @@ static struct ima_template_desc builtin_templates[] = { ...@@ -29,6 +29,7 @@ static struct ima_template_desc builtin_templates[] = {
static LIST_HEAD(defined_templates); static LIST_HEAD(defined_templates);
static DEFINE_SPINLOCK(template_list); static DEFINE_SPINLOCK(template_list);
static int template_setup_done;
static const struct ima_template_field supported_fields[] = { static const struct ima_template_field supported_fields[] = {
{.field_id = "d", .field_init = ima_eventdigest_init, {.field_id = "d", .field_init = ima_eventdigest_init,
...@@ -101,9 +102,10 @@ static int __init ima_template_setup(char *str) ...@@ -101,9 +102,10 @@ static int __init ima_template_setup(char *str)
struct ima_template_desc *template_desc; struct ima_template_desc *template_desc;
int template_len = strlen(str); int template_len = strlen(str);
if (ima_template) if (template_setup_done)
return 1; return 1;
if (!ima_template)
ima_init_template_list(); ima_init_template_list();
/* /*
...@@ -128,6 +130,7 @@ static int __init ima_template_setup(char *str) ...@@ -128,6 +130,7 @@ static int __init ima_template_setup(char *str)
} }
ima_template = template_desc; ima_template = template_desc;
template_setup_done = 1;
return 1; return 1;
} }
__setup("ima_template=", ima_template_setup); __setup("ima_template=", ima_template_setup);
...@@ -136,7 +139,7 @@ static int __init ima_template_fmt_setup(char *str) ...@@ -136,7 +139,7 @@ static int __init ima_template_fmt_setup(char *str)
{ {
int num_templates = ARRAY_SIZE(builtin_templates); int num_templates = ARRAY_SIZE(builtin_templates);
if (ima_template) if (template_setup_done)
return 1; return 1;
if (template_desc_init_fields(str, NULL, NULL) < 0) { if (template_desc_init_fields(str, NULL, NULL) < 0) {
...@@ -147,6 +150,7 @@ static int __init ima_template_fmt_setup(char *str) ...@@ -147,6 +150,7 @@ static int __init ima_template_fmt_setup(char *str)
builtin_templates[num_templates - 1].fmt = str; builtin_templates[num_templates - 1].fmt = str;
ima_template = builtin_templates + num_templates - 1; ima_template = builtin_templates + num_templates - 1;
template_setup_done = 1;
return 1; return 1;
} }
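Review bot: `template_setup_done` is declared as a plain `static int` at file scope, although every reader and writer these hunks show lives in `__init` setup code (`ima_template_setup`, `ima_template_fmt_setup`); if no non-init code references it, `static bool template_setup_done __initdata;` would state the intent and let the flag be discarded after boot. The same check also makes a second `ima_template=` or `ima_template_fmt=` on the command line return 1 silently, so a `pr_warn` before that early return would make the ignored parameter visible to the administrator. Both setup functions begin and end partly outside the hunks shown.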
......
...@@ -45,6 +45,8 @@ void integrity_audit_message(int audit_msgno, struct inode *inode, ...@@ -45,6 +45,8 @@ void integrity_audit_message(int audit_msgno, struct inode *inode,
return; return;
ab = audit_log_start(audit_context(), GFP_KERNEL, audit_msgno); ab = audit_log_start(audit_context(), GFP_KERNEL, audit_msgno);
if (!ab)
return;
audit_log_format(ab, "pid=%d uid=%u auid=%u ses=%u", audit_log_format(ab, "pid=%d uid=%u auid=%u ses=%u",
task_pid_nr(current), task_pid_nr(current),
from_kuid(&init_user_ns, current_uid()), from_kuid(&init_user_ns, current_uid()),
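Review bot: The new `if (!ab) return;` is the right guard, but it carries no comment, and the reader has to know that `audit_log_start()` returns NULL when auditing is disabled or the record is dropped (e.g. by rate limiting); `/* audit is off or the record was dropped: nothing to log */` would make the silent-drop behaviour explicit at the point of the check. With the guard in place, every `audit_log_format()` on `ab` that follows in this function is protected. The rest of integrity_audit_message, including the earlier `return;` condition and the end of the record, is outside the hunk.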
......