1. 13 Nov, 2013 1 commit
    • David Howells's avatar
      KEYS: Fix error handling in big_key instantiation · 97826c82
      David Howells authored
      In the big_key_instantiate() function we return 0 if kernel_write() returns us
      an error rather than returning an error.  This can potentially lead to
      dentry_open() giving a BUG when called from big_key_read() with an unset
      tmpfile path.
      
      	------------[ cut here ]------------
      	kernel BUG at fs/open.c:798!
      	...
      	RIP: 0010:[<ffffffff8119bbd1>] dentry_open+0xd1/0xe0
      	...
      	Call Trace:
      	 [<ffffffff812350c5>] big_key_read+0x55/0x100
      	 [<ffffffff81231084>] keyctl_read_key+0xb4/0xe0
      	 [<ffffffff81231e58>] SyS_keyctl+0xf8/0x1d0
      	 [<ffffffff815bb799>] system_call_fastpath+0x16/0x1b
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Reviewed-by: default avatarStephen Gallagher <sgallagh@redhat.com>
      97826c82
  2. 06 Nov, 2013 1 commit
    • David Howells's avatar
      KEYS: Fix UID check in keyctl_get_persistent() · fbf8c53f
      David Howells authored
      If the UID is specified by userspace when calling the KEYCTL_GET_PERSISTENT
      function and the process does not have the CAP_SETUID capability, then the
      function will return -EPERM if the current process's uid, suid, euid and fsuid
      all match the requested UID.  This is incorrect.
      
      Fix it such that when a non-privileged caller requests a persistent keyring by
      a specific UID they can only request their own (ie. the specified UID matches
      either then process's UID or the process's EUID).
      
      This can be tested by logging in as the user and doing:
      
      	keyctl get_persistent @p
      	keyctl get_persistent @p `id -u`
      	keyctl get_persistent @p 0
      
      The first two should successfully print the same key ID.  The third should do
      the same if called by UID 0 or indicate Operation Not Permitted otherwise.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Acked-by: default avatarStephen Gallagher <sgallagh@redhat.com>
      fbf8c53f
  3. 01 Nov, 2013 3 commits
    • David Howells's avatar
      KEYS: The RSA public key algorithm needs to select MPILIB · dbed7141
      David Howells authored
      The RSA public key algorithm needs to select MPILIB directly in Kconfig as the
      'select' directive is not recursive and is thus MPILIB is not enabled by
      selecting MPILIB_EXTRA.
      
      Without this, the following errors can occur:
      
      	crypto/built-in.o: In function `RSA_verify_signature':
      	rsa.c:(.text+0x1d347): undefined reference to `mpi_get_nbits'
      	rsa.c:(.text+0x1d354): undefined reference to `mpi_get_nbits'
      	rsa.c:(.text+0x1d36e): undefined reference to `mpi_cmp_ui'
      	rsa.c:(.text+0x1d382): undefined reference to `mpi_cmp'
      	rsa.c:(.text+0x1d391): undefined reference to `mpi_alloc'
      	rsa.c:(.text+0x1d3b0): undefined reference to `mpi_powm'
      	rsa.c:(.text+0x1d3c3): undefined reference to `mpi_free'
      	rsa.c:(.text+0x1d3d8): undefined reference to `mpi_get_buffer'
      	rsa.c:(.text+0x1d4d4): undefined reference to `mpi_free'
      	rsa.c:(.text+0x1d503): undefined reference to `mpi_get_nbits'
      Reported-by: default avatarRandy Dunlap <rdunlap@infradead.org>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Acked-by: default avatarRandy Dunlap <rdunlap@infradead.org>
      dbed7141
    • Mimi Zohar's avatar
      ima: define '_ima' as a builtin 'trusted' keyring · 217091dd
      Mimi Zohar authored
      Require all keys added to the IMA keyring be signed by an
      existing trusted key on the system trusted keyring.
      
      Changelog:
      - define stub integrity_init_keyring() function (reported-by Fengguang Wu)
      - differentiate between regular and trusted keyring names.
      - replace printk with pr_info (D. Kasatkin)
      Signed-off-by: default avatarMimi Zohar <zohar@us.ibm.com>
      217091dd
    • Mimi Zohar's avatar
      ima: extend the measurement list to include the file signature · bcbc9b0c
      Mimi Zohar authored
      This patch defines a new template called 'ima-sig', which includes
      the file signature in the template data, in addition to the file's
      digest and pathname.
      
      A template is composed of a set of fields.  Associated with each
      field is an initialization and display function.  This patch defines
      a new template field called 'sig', the initialization function
      ima_eventsig_init(), and the display function ima_show_template_sig().
      
      This patch modifies the .field_init() function definition to include
      the 'security.ima' extended attribute and length.
      
      Changelog:
      - remove unused code (Dmitry Kasatkin)
      - avoid calling ima_write_template_field_data() unnecesarily (Roberto Sassu)
      - rename DATA_FMT_SIG to DATA_FMT_HEX
      - cleanup ima_eventsig_init() based on Roberto's comments
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      Signed-off-by: default avatarDmitry Kasatkin <d.kasatkin@samsung.com>
      Signed-off-by: default avatarRoberto Sassu <roberto.sassu@polito.it>
      bcbc9b0c
  4. 30 Oct, 2013 11 commits
    • James Morris's avatar
      Merge branch 'keys-devel' of... · 42a20ba5
      James Morris authored
      Merge branch 'keys-devel' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs into ra-next
      42a20ba5
    • Chen Gang's avatar
      kernel/system_certificate.S: use real contents instead of macro GLOBAL() · 6ef4d2ea
      Chen Gang authored
      If a macro is only used within 2 times, and also its contents are
      within 2 lines, recommend to expand it to shrink code line.
      
      For our case, the macro is not portable either: some architectures'
      assembler may use another character to mark newline in a macro (e.g.
      '`' for arc), which will cause issue.
      
      If still want to use macro and let it portable enough, it will also
      need include additional header file (e.g "#include <linux/linkage.h>",
      although it also need be fixed).
      Signed-off-by: default avatarChen Gang <gang.chen@asianux.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      6ef4d2ea
    • Wei Yongjun's avatar
      KEYS: fix error return code in big_key_instantiate() · d2b86970
      Wei Yongjun authored
      Fix to return a negative error code from the error handling
      case instead of 0, as done elsewhere in this function.
      Signed-off-by: default avatarWei Yongjun <yongjun_wei@trendmicro.com.cn>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      d2b86970
    • David Howells's avatar
      KEYS: Fix keyring quota misaccounting on key replacement and unlink · 034faeb9
      David Howells authored
      If a key is displaced from a keyring by a matching one, then four more bytes
      of quota are allocated to the keyring - despite the fact that the keyring does
      not change in size.
      
      Further, when a key is unlinked from a keyring, the four bytes of quota
      allocated the link isn't recovered and returned to the user's pool.
      
      The first can be tested by repeating:
      
      	keyctl add big_key a fred @s
      	cat /proc/key-users
      
      (Don't put it in a shell loop otherwise the garbage collector won't have time
      to clear the displaced keys, thus affecting the result).
      
      This was causing the kerberos keyring to run out of room fairly quickly.
      
      The second can be tested by:
      
      	cat /proc/key-users
      	a=`keyctl add user a a @s`
      	cat /proc/key-users
      	keyctl unlink $a
      	sleep 1 # Give RCU a chance to delete the key
      	cat /proc/key-users
      
      assuming no system activity that otherwise adds/removes keys, the amount of
      key data allocated should go up (say 40/20000 -> 47/20000) and then return to
      the original value at the end.
      Reported-by: default avatarStephen Gallagher <sgallagh@redhat.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      034faeb9
    • David Howells's avatar
      KEYS: Fix a race between negating a key and reading the error set · 74792b00
      David Howells authored
      key_reject_and_link() marking a key as negative and setting the error with
      which it was negated races with keyring searches and other things that read
      that error.
      
      The fix is to switch the order in which the assignments are done in
      key_reject_and_link() and to use memory barriers.
      
      Kudos to Dave Wysochanski <dwysocha@redhat.com> and Scott Mayhew
      <smayhew@redhat.com> for tracking this down.
      
      This may be the cause of:
      
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000070
      IP: [<ffffffff81219011>] wait_for_key_construction+0x31/0x80
      PGD c6b2c3067 PUD c59879067 PMD 0
      Oops: 0000 [#1] SMP
      last sysfs file: /sys/devices/system/cpu/cpu3/cache/index2/shared_cpu_map
      CPU 0
      Modules linked in: ...
      
      Pid: 13359, comm: amqzxma0 Not tainted 2.6.32-358.20.1.el6.x86_64 #1 IBM System x3650 M3 -[7945PSJ]-/00J6159
      RIP: 0010:[<ffffffff81219011>] wait_for_key_construction+0x31/0x80
      RSP: 0018:ffff880c6ab33758  EFLAGS: 00010246
      RAX: ffffffff81219080 RBX: 0000000000000000 RCX: 0000000000000002
      RDX: ffffffff81219060 RSI: 0000000000000000 RDI: 0000000000000000
      RBP: ffff880c6ab33768 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000001 R11: 0000000000000000 R12: ffff880adfcbce40
      R13: ffffffffa03afb84 R14: ffff880adfcbce40 R15: ffff880adfcbce43
      FS:  00007f29b8042700(0000) GS:ffff880028200000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000000000070 CR3: 0000000c613dc000 CR4: 00000000000007f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      Process amqzxma0 (pid: 13359, threadinfo ffff880c6ab32000, task ffff880c610deae0)
      Stack:
       ffff880adfcbce40 0000000000000000 ffff880c6ab337b8 ffffffff81219695
      <d> 0000000000000000 ffff880a000000d0 ffff880c6ab337a8 000000000000000f
      <d> ffffffffa03afb93 000000000000000f ffff88186c7882c0 0000000000000014
      Call Trace:
       [<ffffffff81219695>] request_key+0x65/0xa0
       [<ffffffffa03a0885>] nfs_idmap_request_key+0xc5/0x170 [nfs]
       [<ffffffffa03a0eb4>] nfs_idmap_lookup_id+0x34/0x80 [nfs]
       [<ffffffffa03a1255>] nfs_map_group_to_gid+0x75/0xa0 [nfs]
       [<ffffffffa039a9ad>] decode_getfattr_attrs+0xbdd/0xfb0 [nfs]
       [<ffffffff81057310>] ? __dequeue_entity+0x30/0x50
       [<ffffffff8100988e>] ? __switch_to+0x26e/0x320
       [<ffffffffa039ae03>] decode_getfattr+0x83/0xe0 [nfs]
       [<ffffffffa039b610>] ? nfs4_xdr_dec_getattr+0x0/0xa0 [nfs]
       [<ffffffffa039b69f>] nfs4_xdr_dec_getattr+0x8f/0xa0 [nfs]
       [<ffffffffa02dada4>] rpcauth_unwrap_resp+0x84/0xb0 [sunrpc]
       [<ffffffffa039b610>] ? nfs4_xdr_dec_getattr+0x0/0xa0 [nfs]
       [<ffffffffa02cf923>] call_decode+0x1b3/0x800 [sunrpc]
       [<ffffffff81096de0>] ? wake_bit_function+0x0/0x50
       [<ffffffffa02cf770>] ? call_decode+0x0/0x800 [sunrpc]
       [<ffffffffa02d99a7>] __rpc_execute+0x77/0x350 [sunrpc]
       [<ffffffff81096c67>] ? bit_waitqueue+0x17/0xd0
       [<ffffffffa02d9ce1>] rpc_execute+0x61/0xa0 [sunrpc]
       [<ffffffffa02d03a5>] rpc_run_task+0x75/0x90 [sunrpc]
       [<ffffffffa02d04c2>] rpc_call_sync+0x42/0x70 [sunrpc]
       [<ffffffffa038ff80>] _nfs4_call_sync+0x30/0x40 [nfs]
       [<ffffffffa038836c>] _nfs4_proc_getattr+0xac/0xc0 [nfs]
       [<ffffffff810aac87>] ? futex_wait+0x227/0x380
       [<ffffffffa038b856>] nfs4_proc_getattr+0x56/0x80 [nfs]
       [<ffffffffa0371403>] __nfs_revalidate_inode+0xe3/0x220 [nfs]
       [<ffffffffa037158e>] nfs_revalidate_mapping+0x4e/0x170 [nfs]
       [<ffffffffa036f147>] nfs_file_read+0x77/0x130 [nfs]
       [<ffffffff811811aa>] do_sync_read+0xfa/0x140
       [<ffffffff81096da0>] ? autoremove_wake_function+0x0/0x40
       [<ffffffff8100bb8e>] ? apic_timer_interrupt+0xe/0x20
       [<ffffffff8100b9ce>] ? common_interrupt+0xe/0x13
       [<ffffffff81228ffb>] ? selinux_file_permission+0xfb/0x150
       [<ffffffff8121bed6>] ? security_file_permission+0x16/0x20
       [<ffffffff81181a95>] vfs_read+0xb5/0x1a0
       [<ffffffff81181bd1>] sys_read+0x51/0x90
       [<ffffffff810dc685>] ? __audit_syscall_exit+0x265/0x290
       [<ffffffff8100b072>] system_call_fastpath+0x16/0x1b
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      cc: Dave Wysochanski <dwysocha@redhat.com>
      cc: Scott Mayhew <smayhew@redhat.com>
      74792b00
    • Josh Boyer's avatar
      KEYS: Make BIG_KEYS boolean · 2eaf6b5d
      Josh Boyer authored
      Having the big_keys functionality as a module is very marginally useful.
      The userspace code that would use this functionality will get odd error
      messages from the keys layer if the module isn't loaded.  The code itself
      is fairly small, so just have this as a boolean option and not a tristate.
      Signed-off-by: default avatarJosh Boyer <jwboyer@fedoraproject.org>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      2eaf6b5d
    • Oleg Nesterov's avatar
      apparmor: remove the "task" arg from may_change_ptraced_domain() · 51775fe7
      Oleg Nesterov authored
      Unless task == current ptrace_parent(task) is not safe even under
      rcu_read_lock() and most of the current users are not right.
      
      So may_change_ptraced_domain(task) looks wrong as well. However it
      is always called with task == current so the code is actually fine.
      Remove this argument to make this fact clear.
      
      Note: perhaps we should simply kill ptrace_parent(), it buys almost
      nothing. And it is obviously racy, perhaps this should be fixed.
      Signed-off-by: default avatarOleg Nesterov <oleg@redhat.com>
      Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
      51775fe7
    • John Johansen's avatar
      apparmor: remove parent task info from audit logging · 4a7fc301
      John Johansen authored
      The reporting of the parent task info is a vestage from old versions of
      apparmor. The need for this information was removed by unique null-
      profiles before apparmor was upstreamed so remove this info from logging.
      Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
      4a7fc301
    • John Johansen's avatar
      apparmor: remove tsk field from the apparmor_audit_struct · 61e3fb8a
      John Johansen authored
      Now that aa_capabile no longer sets the task field it can be removed
      and the lsm_audit version of the field can be used.
      Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
      61e3fb8a
    • John Johansen's avatar
      apparmor: fix capability to not use the current task, during reporting · dd0c6e86
      John Johansen authored
      Mediation is based off of the cred but auditing includes the current
      task which may not be related to the actual request.
      Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
      dd0c6e86
    • James Morris's avatar
  5. 28 Oct, 2013 1 commit
  6. 27 Oct, 2013 6 commits
    • Dmitry Kasatkin's avatar
      ima: provide hash algo info in the xattr · 3ea7a560
      Dmitry Kasatkin authored
      All files labeled with 'security.ima' hashes, are hashed using the
      same hash algorithm.  Changing from one hash algorithm to another,
      requires relabeling the filesystem.  This patch defines a new xattr
      type, which includes the hash algorithm, permitting different files
      to be hashed with different algorithms.
      Signed-off-by: default avatarDmitry Kasatkin <d.kasatkin@samsung.com>
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      3ea7a560
    • Mimi Zohar's avatar
      ima: enable support for larger default filedata hash algorithms · e7a2ad7e
      Mimi Zohar authored
      The IMA measurement list contains two hashes - a template data hash
      and a filedata hash.  The template data hash is committed to the TPM,
      which is limited, by the TPM v1.2 specification, to 20 bytes.  The
      filedata hash is defined as 20 bytes as well.
      
      Now that support for variable length measurement list templates was
      added, the filedata hash is not limited to 20 bytes.  This patch adds
      Kconfig support for defining larger default filedata hash algorithms
      and replacing the builtin default with one specified on the kernel
      command line.
      
      <uapi/linux/hash_info.h> contains a list of hash algorithms.  The
      Kconfig default hash algorithm is a subset of this list, but any hash
      algorithm included in the list can be specified at boot, using the
      'ima_hash=' kernel command line option.
      
      Changelog v2:
      - update Kconfig
      
      Changelog:
      - support hashes that are configured
      - use generic HASH_ALGO_ definitions
      - add Kconfig support
      - hash_setup must be called only once (Dmitry)
      - removed trailing whitespaces (Roberto Sassu)
      Signed-off-by: default avatarMimi Zohar <zohar@us.ibm.com>
      Signed-off-by: default avatarRoberto Sassu <roberto.sassu@polito.it>
      e7a2ad7e
    • Roberto Sassu's avatar
      ima: define kernel parameter 'ima_template=' to change configured default · 9b9d4ce5
      Roberto Sassu authored
      This patch allows users to specify from the kernel command line the
      template descriptor, among those defined, that will be used to generate
      and display measurement entries. If an user specifies a wrong template,
      IMA reverts to the template descriptor set in the kernel configuration.
      Signed-off-by: default avatarRoberto Sassu <roberto.sassu@polito.it>
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      9b9d4ce5
    • Mimi Zohar's avatar
      ima: add Kconfig default measurement list template · 4286587d
      Mimi Zohar authored
      This patch adds a Kconfig option to select the default IMA
      measurement list template.  The 'ima' template limited the
      filedata hash to 20 bytes and the pathname to 255 charaters.
      The 'ima-ng' measurement list template permits larger hash
      digests and longer pathnames.
      
      Changelog:
      - keep 'select CRYPTO_HASH_INFO' in 'config IMA' section (Kconfig)
        (Roberto Sassu);
      - removed trailing whitespaces (Roberto Sassu).
      - Lindent fixes
      Signed-off-by: default avatarMimi Zohar <zohar@us.ibm.com>
      Signed-off-by: default avatarRoberto Sassu <roberto.sassu@polito.it>
      4286587d
    • Roberto Sassu's avatar
      ima: defer determining the appraisal hash algorithm for 'ima' template · add1c05d
      Roberto Sassu authored
      The same hash algorithm should be used for calculating the file
      data hash for the IMA measurement list, as for appraising the file
      data integrity.  (The appraise hash algorithm is stored in the
      'security.ima' extended attribute.)  The exception is when the
      reference file data hash digest, stored in the extended attribute,
      is larger than the one supported by the template.  In this case,
      the file data hash needs to be calculated twice, once for the
      measurement list and, again, for appraisal.
      Signed-off-by: default avatarRoberto Sassu <roberto.sassu@polito.it>
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      add1c05d
    • Mimi Zohar's avatar
      ima: add audit log support for larger hashes · 5278aa52
      Mimi Zohar authored
      Different files might be signed based on different hash algorithms.
      This patch prefixes the audit log measurement hash with the hash
      algorithm.
      
      Changelog:
      - use generic HASH_ALGO defintions
      - use ':' as delimiter between the hash algorithm and the digest
        (Roberto Sassu)
      - always include the hash algorithm used when audit-logging a measurement
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      Signed-off-by: default avatarRoberto Sassu <roberto.sassu@polito.it>
      Signed-off-by: default avatarPeter Moody <pmoody@google.com>
      5278aa52
  7. 25 Oct, 2013 17 commits
    • Roberto Sassu's avatar
      ima: switch to new template management mechanism · a71dc65d
      Roberto Sassu authored
      This patch performs the switch to the new template mechanism by modifying
      the functions ima_alloc_init_template(), ima_measurements_show() and
      ima_ascii_measurements_show(). The old function ima_template_show() was
      removed as it is no longer needed. Also, if the template descriptor used
      to generate a measurement entry is not 'ima', the whole length of field
      data stored for an entry is provided before the data itself through the
      binary_runtime_measurement interface.
      
      Changelog:
      - unnecessary to use strncmp() (Mimi Zohar)
      - create new variable 'field' in ima_alloc_init_template() (Roberto Sassu)
      - use GFP_NOFS flag in ima_alloc_init_template() (Roberto Sassu)
      - new variable 'num_fields' in ima_store_template() (Roberto Sassu,
        proposed by Mimi Zohar)
      - rename ima_calc_buffer_hash/template_hash() to ima_calc_field_array_hash(),
        something more generic (Mimi, requested by Dmitry)
      - sparse error fix - Fengguang Wu
      - fix lindent warnings
      - always include the field length in the template data length
      - include the template field length variable size in the template data length
      - include both the template field data and field length in the template digest
        calculation. Simplifies verifying the template digest. (Mimi)
      Signed-off-by: default avatarRoberto Sassu <roberto.sassu@polito.it>
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      a71dc65d
    • Roberto Sassu's avatar
      ima: define new template ima-ng and template fields d-ng and n-ng · 4d7aeee7
      Roberto Sassu authored
      This patch adds support for the new template 'ima-ng', whose format
      is defined as 'd-ng|n-ng'.  These new field definitions remove the
      size limitations of the original 'ima' template.  Further, the 'd-ng'
      field prefixes the inode digest with the hash algorithim, when
      displaying the new larger digest sizes.
      
      Change log:
      - scripts/Lindent fixes  - Mimi
      - "always true comparison" - reported by Fengguang Wu, resolved Dmitry
      - initialize hash_algo variable to HASH_ALGO__LAST
      - always prefix digest with hash algorithm - Mimi
      Signed-off-by: default avatarRoberto Sassu <roberto.sassu@polito.it>
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      4d7aeee7
    • Roberto Sassu's avatar
      ima: define template fields library and new helpers · 3ce1217d
      Roberto Sassu authored
      This patch defines a library containing two initial template fields,
      inode digest (d) and file name (n), the 'ima' template descriptor,
      whose format is 'd|n', and two helper functions,
      ima_write_template_field_data() and ima_show_template_field_data().
      
      Changelog:
      - replace ima_eventname_init() parameter NULL checking with BUG_ON.
        (suggested by Mimi)
      - include "new template fields for inode digest (d) and file name (n)"
        definitions to fix a compiler warning.  - Mimi
      - unnecessary to prefix static function names with 'ima_'. remove
        prefix to resolve Lindent formatting changes. - Mimi
      - abbreviated/removed inline comments - Mimi
      - always send the template field length - Mimi
      Signed-off-by: default avatarRoberto Sassu <roberto.sassu@polito.it>
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      3ce1217d
    • Roberto Sassu's avatar
      ima: new templates management mechanism · adf53a77
      Roberto Sassu authored
      The original 'ima' template is fixed length, containing the filedata hash
      and pathname.  The filedata hash is limited to 20 bytes (md5/sha1).  The
      pathname is a null terminated string, limited to 255 characters.  To
      overcome these limitations and to add additional file metadata, it is
      necessary to extend the current version of IMA by defining additional
      templates.
      
      The main reason to introduce this feature is that, each time a new
      template is defined, the functions that generate and display the
      measurement list would include the code for handling a new format and,
      thus, would significantly grow over time.
      
      This patch set solves this problem by separating the template management
      from the remaining IMA code. The core of this solution is the definition
      of two new data structures: a template descriptor, to determine which
      information should be included in the measurement list, and a template
      field, to generate and display data of a given type.
      
      To define a new template field, developers define the field identifier
      and implement two functions, init() and show(), respectively to generate
      and display measurement entries.  Initially, this patch set defines the
      following template fields (support for additional data types will be
      added later):
       - 'd': the digest of the event (i.e. the digest of a measured file),
              calculated with the SHA1 or MD5 hash algorithm;
       - 'n': the name of the event (i.e. the file name), with size up to
              255 bytes;
       - 'd-ng': the digest of the event, calculated with an arbitrary hash
                 algorithm (field format: [<hash algo>:]digest, where the digest
                 prefix is shown only if the hash algorithm is not SHA1 or MD5);
       - 'n-ng': the name of the event, without size limitations.
      
      Defining a new template descriptor requires specifying the template format,
      a string of field identifiers separated by the '|' character.  This patch
      set defines the following template descriptors:
       - "ima": its format is 'd|n';
       - "ima-ng" (default): its format is 'd-ng|n-ng'
      
      Further details about the new template architecture can be found in
      Documentation/security/IMA-templates.txt.
      
      Changelog:
      - don't defer calling ima_init_template() - Mimi
      - don't define ima_lookup_template_desc() until used - Mimi
      - squashed with documentation patch - Mimi
      Signed-off-by: default avatarRoberto Sassu <roberto.sassu@polito.it>
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      adf53a77
    • Roberto Sassu's avatar
      ima: define new function ima_alloc_init_template() to API · 7bc5f447
      Roberto Sassu authored
      Instead of allocating and initializing the template entry from multiple
      places (eg. boot aggregate, violation, and regular measurements), this
      patch defines a new function called ima_alloc_init_template().  The new
      function allocates and initializes the measurement entry with the inode
      digest and the filename.
      
      In respect to the current behavior, it truncates the file name passed
      in the 'filename' argument if the latter's size is greater than 255 bytes
      and the passed file descriptor is NULL.
      
      Changelog:
      - initialize 'hash' variable for non TPM case - Mimi
      - conform to expectation for 'iint' to be defined as a pointer. - Mimi
      - add missing 'file' dependency for recalculating file hash. - Mimi
      Signed-off-by: default avatarRoberto Sassu <roberto.sassu@polito.it>
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      7bc5f447
    • Roberto Sassu's avatar
      ima: pass the filename argument up to ima_add_template_entry() · 9803d413
      Roberto Sassu authored
      Pass the filename argument to ima_add_template_entry() in order to
      eliminate a dependency on template specific data (third argument of
      integrity_audit_msg).
      
      This change is required because, with the new template management
      mechanism, the generation of a new measurement entry will be performed
      by new specific functions (introduced in next patches) and the current IMA
      code will not be aware anymore of how data is stored in the entry payload.
      Signed-off-by: default avatarRoberto Sassu <roberto.sassu@polito.it>
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      9803d413
    • Roberto Sassu's avatar
      ima: pass the file descriptor to ima_add_violation() · 7d802a22
      Roberto Sassu authored
      Pass the file descriptor instead of the inode to ima_add_violation(),
      to make the latter consistent with ima_store_measurement() in
      preparation for the new template architecture.
      Signed-off-by: default avatarRoberto Sassu <roberto.sassu@polito.it>
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      7d802a22
    • Dmitry Kasatkin's avatar
      ima: ima_calc_boot_agregate must use SHA1 · 09ef5435
      Dmitry Kasatkin authored
      With multiple hash algorithms, ima_hash_tfm is no longer guaranteed to be sha1.
      Need to force to use sha1.
      
      Changelog:
      - pass ima_digest_data to ima_calc_boot_aggregate() instead of char *
        (Roberto Sassu);
      - create an ima_digest_data structure in ima_add_boot_aggregate()
        (Roberto Sassu);
      - pass hash->algo to ima_alloc_tfm() (Roberto Sassu, reported by Dmitry).
      - "move hash definition in ima_add_boot_aggregate()" commit hunk to here.
      - sparse warning fix - Fengguang Wu
      Signed-off-by: default avatarDmitry Kasatkin <d.kasatkin@samsung.com>
      Signed-off-by: default avatarRoberto Sassu <roberto.sassu@polito.it>
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      09ef5435
    • Dmitry Kasatkin's avatar
      ima: support arbitrary hash algorithms in ima_calc_buffer_hash · ea593993
      Dmitry Kasatkin authored
      ima_calc_buffer_hash will be used with different hash algorithms.
      This patch provides support for arbitrary hash algorithms in
      ima_calc_buffer_hash.
      Signed-off-by: default avatarDmitry Kasatkin <d.kasatkin@samsung.com>
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      ea593993
    • Dmitry Kasatkin's avatar
      ima: provide dedicated hash algo allocation function · 723326b9
      Dmitry Kasatkin authored
      This patch provides dedicated hash algo allocation and
      deallocation function which can be used by different clients.
      Signed-off-by: default avatarDmitry Kasatkin <d.kasatkin@samsung.com>
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      723326b9
    • Mimi Zohar's avatar
      ima: differentiate between template hash and file data hash sizes · 140d8022
      Mimi Zohar authored
      The TPM v1.2 limits the template hash size to 20 bytes.  This
      patch differentiates between the template hash size, as defined
      in the ima_template_entry, and the file data hash size, as
      defined in the ima_template_data.  Subsequent patches add support
      for different file data hash algorithms.
      
      Change log:
      - hash digest definition in ima_store_template() should be TPM_DIGEST_SIZE
      Signed-off-by: default avatarMimi Zohar <zohar@us.ibm.com>
      140d8022
    • Dmitry Kasatkin's avatar
      ima: use dynamically allocated hash storage · a35c3fb6
      Dmitry Kasatkin authored
      For each inode in the IMA policy, an iint is allocated.  To support
      larger hash digests, the iint digest size changed from 20 bytes to
      the maximum supported hash digest size.  Instead of allocating the
      maximum size, which most likely is not needed, this patch dynamically
      allocates the needed hash storage.
      
      Changelog:
      - fix krealloc bug
      Signed-off-by: default avatarDmitry Kasatkin <d.kasatkin@samsung.com>
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      a35c3fb6
    • Dmitry Kasatkin's avatar
      ima: pass full xattr with the signature · b1aaab22
      Dmitry Kasatkin authored
      For possibility to use xattr type for new signature formats,
      pass full xattr to the signature verification function.
      Signed-off-by: default avatarDmitry Kasatkin <d.kasatkin@samsung.com>
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      b1aaab22
    • Dmitry Kasatkin's avatar
      ima: read and use signature hash algorithm · d3634d0f
      Dmitry Kasatkin authored
      All files on the filesystem, currently, are hashed using the same hash
      algorithm.  In preparation for files from different packages being
      signed using different hash algorithms, this patch adds support for
      reading the signature hash algorithm from the 'security.ima' extended
      attribute and calculates the appropriate file data hash based on it.
      
      Changelog:
      - fix scripts Lindent and checkpatch msgs - Mimi
      - fix md5 support for older version, which occupied 20 bytes in the
        xattr, not the expected 16 bytes.  Fix the comparison to compare
        only the first 16 bytes.
      Signed-off-by: default avatarDmitry Kasatkin <d.kasatkin@samsung.com>
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      d3634d0f
    • Dmitry Kasatkin's avatar
      ima: provide support for arbitrary hash algorithms · c7c8bb23
      Dmitry Kasatkin authored
      In preparation of supporting more hash algorithms with larger hash sizes
      needed for signature verification, this patch replaces the 20 byte sized
      digest, with a more flexible structure.  The new structure includes the
      hash algorithm, digest size, and digest.
      
      Changelog:
      - recalculate filedata hash for the measurement list, if the signature
        hash digest size is greater than 20 bytes.
      - use generic HASH_ALGO_
      - make ima_calc_file_hash static
      - scripts lindent and checkpatch fixes
      Signed-off-by: default avatarDmitry Kasatkin <d.kasatkin@samsung.com>
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      c7c8bb23
    • Dmitry Kasatkin's avatar
      keys: change asymmetric keys to use common hash definitions · 3fe78ca2
      Dmitry Kasatkin authored
      This patch makes use of the newly defined common hash algorithm info,
      replacing, for example, PKEY_HASH with HASH_ALGO.
      
      Changelog:
      - Lindent fixes - Mimi
      
      CC: David Howells <dhowells@redhat.com>
      Signed-off-by: default avatarDmitry Kasatkin <d.kasatkin@samsung.com>
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      3fe78ca2
    • Dmitry Kasatkin's avatar
      crypto: provide single place for hash algo information · ee08997f
      Dmitry Kasatkin authored
      This patch provides a single place for information about hash algorithms,
      such as hash sizes and kernel driver names, which will be used by IMA
      and the public key code.
      
      Changelog:
      - Fix sparse and checkpatch warnings
      - Move hash algo enums to uapi for userspace signing functions.
      Signed-off-by: default avatarDmitry Kasatkin <d.kasatkin@samsung.com>
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      Acked-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      ee08997f