- 07 Jan, 2016 3 commits
-
-
David Howells authored
Make the determination of the trustworthiness of a key dependent on whether a key that can verify it is present in the ring of trusted keys rather than whether or not the verifying key has KEY_FLAG_TRUSTED set. verify_pkcs7_signature() will return -ENOKEY if the PKCS#7 message trust chain cannot be verified. Signed-off-by:David Howells <dhowells@redhat.com>
-
David Howells authored
Generalise system_verify_data() to provide access to internal content through a callback. This allows all the PKCS#7 stuff to be hidden inside this function and removed from the PE file parser and the PKCS#7 test key. If external content is not required, NULL should be passed as data to the function. If the callback is not required, that can be set to NULL. The function is now called verify_pkcs7_signature() to contrast with verify_pefile_signature() and the definitions of both have been moved into linux/verification.h along with the key_being_used_for enum. Signed-off-by: -
David Howells authored
Trust for a self-signed certificate can normally only be determined by whether we obtained it from a trusted location (ie. it was built into the kernel at compile time), so there's not really any point in checking it - we could verify that the signature is valid, but it doesn't really tell us anything if the signature checks out. However, there's a bug in the code determining whether a certificate is self-signed or not - if they have neither AKID nor SKID then we just assume that the cert is self-signed, which may not be true. Given this, remove the code that treats self-signed certs specially when it comes to evaluating trustability and attempt to evaluate them as ordinary signed certificates. We then expect self-signed certificates to fail the trustability check and be marked as untrustworthy in x509_key_preparse(). Note that there is the possibility of the trustability check on a self-signed cert then succeeding. This is most likely to happen when a duplicate of the certificate is already on the trust keyring - in which case it shouldn't be a problem. Signed-off-by:
-
- 06 Jan, 2016 1 commit
-
-
David Howells authored
Partially revert commit 41c89b64: Author: Petko Manolov <petkan@mip-labs.com> Date: Wed Dec 2 17:47:55 2015 +0200 IMA: create machine owner and blacklist keyrings The problem is that prep->trusted is a simple boolean and the additional x509_validate_trust() call doesn't therefore distinguish levels of trustedness, but is just OR'd with the result of validation against the system trusted keyring. However, setting the trusted flag means that this key may be added to *any* trusted-only keyring - including the system trusted keyring. Whilst I appreciate what the patch is trying to do, I don't think this is quite the right solution. Signed-off-by:
-
- 26 Dec, 2015 3 commits
-
-
-
-
James Morris authored
Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity into next
-
- 24 Dec, 2015 10 commits
-
-
Sasha Levin authored
Commit "IMA: policy can now be updated multiple times" assumed that the policy would be updated at least once. If there are zero updates, the temporary list head object will get added to the policy list, and later dereferenced as an IMA policy object, which means that invalid memory will be accessed. Changelog: - Move list_empty() test to ima_release_policy(), before audit msg - Mimi Signed-off-by:
Sasha Levin <sasha.levin@oracle.com> Signed-off-by:
Mimi Zohar <zohar@linux.vnet.ibm.com>
-
Vladis Dronov authored
Any process is able to send netlink messages with invalid types. Make the warning rate-limited to prevent too much log spam. The warning is supposed to help to find misbehaving programs, so print the triggering command name and pid. Reported-by:
Florian Weimer <fweimer@redhat.com> Signed-off-by:
Vladis Dronov <vdronov@redhat.com> [PM: subject line tweak to make checkpatch.pl happy] Signed-off-by:
Paul Moore <pmoore@redhat.com>
-
Andrew Perepechko authored
Make validatetrans decisions available through selinuxfs. "/validatetrans" is added to selinuxfs for this purpose. This functionality is needed by file system servers implemented in userspace or kernelspace without the VFS layer. Writing "$oldcontext $newcontext $tclass $taskcontext" to /validatetrans is expected to return 0 if the transition is allowed and -EPERM otherwise. Signed-off-by:
Andrew Perepechko <anserper@ya.ru> CC: andrew.perepechko@seagate.com Acked-by:
Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by:
-
Andreas Gruenbacher authored
When gfs2 releases the glock of an inode, it must invalidate all information cached for that inode, including the page cache and acls. Use the new security_inode_invalidate_secctx hook to also invalidate security labels in that case. These items will be reread from disk when needed after reacquiring the glock. Signed-off-by:
Andreas Gruenbacher <agruenba@redhat.com> Acked-by:
Bob Peterson <rpeterso@redhat.com> Acked-by:
Steven Whitehouse <swhiteho@redhat.com> Cc: cluster-devel@redhat.com [PM: fixed spelling errors and description line lengths] Signed-off-by:
-
Andreas Gruenbacher authored
When fetching an inode's security label, check if it is still valid, and try reloading it if it is not. Reloading will fail when we are in RCU context which doesn't allow sleeping, or when we can't find a dentry for the inode. (Reloading happens via iop->getxattr which takes a dentry parameter.) When reloading fails, continue using the old, invalid label. Signed-off-by:
-
Andreas Gruenbacher authored
Add a hook to invalidate an inode's security label when the cached information becomes invalid. Add the new hook in selinux: set a flag when a security label becomes invalid. Signed-off-by:
James Morris <james.l.morris@oracle.com> Acked-by:
-
Andreas Gruenbacher authored
Add functions dentry_security and inode_security for accessing inode->i_security. These functions initially don't do much, but they will later be used to revalidate the security labels when necessary. Signed-off-by:
-
Andreas Gruenbacher authored
Make the inode argument of the inode_getsecid hook non-const so that we can use it to revalidate invalid security labels. Signed-off-by:
-
Andreas Gruenbacher authored
Make the inode argument of the inode_getsecurity hook non-const so that we can use it to revalidate invalid security labels. Signed-off-by:
-
Andreas Gruenbacher authored
Signed-off-by:
-
- 20 Dec, 2015 10 commits
-
-
Jarkko Sakkinen authored
TPM2 supports authorization policies, which are essentially combinational logic statements repsenting the conditions where the data can be unsealed based on the TPM state. This patch enables to use authorization policies to seal trusted keys. Two following new options have been added for trusted keys: * 'policydigest=': provide an auth policy digest for sealing. * 'policyhandle=': provide a policy session handle for unsealing. If 'hash=' option is supplied after 'policydigest=' option, this will result an error because the state of the option would become mixed. Signed-off-by:
Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Tested-by:
Colin Ian King <colin.king@canonical.com> Reviewed-by:
Peter Huewe <peterhuewe@gmx.de>
-
Jarkko Sakkinen authored
Added 'hash=' option for selecting the hash algorithm for add_key() syscall and documentation for it. Added entry for sm3-256 to the following tables in order to support TPM_ALG_SM3_256: * hash_algo_name * hash_digest_size Includes support for the following hash algorithms: * sha1 * sha256 * sha384 * sha512 * sm3-256 Signed-off-by:
-
Jarkko Sakkinen authored
The trusted keys option parsing allows specifying the same option multiple times. The last option value specified is used. This is problematic because: * No gain. * This makes complicated to specify options that are dependent on other options. This patch changes the behavior in a way that option can be specified only once. Reported-by:
James Morris James Morris <jmorris@namei.org> Reviewed-by:
-
Stefan Berger authored
When the TPM response reception is interrupted in the wait_event_interruptable call, the TPM is still busy processing the command and will only deliver the response later. So we have to wait for an outstanding response before sending a new request to avoid trying to put a 2nd request into the CRQ. Also reset the res_len before sending a command so we will end up in that wait_event_interruptable() waiting for the response rather than reading the command packet as a response. The easiest way to trigger the problem is to run the following cd /sys/device/vio/71000004 while :; cat pcrs >/dev/null; done And press Ctrl-C. This will then display an error tpm_ibmvtpm 71000004: tpm_transmit: tpm_recv: error -4 followed by several other errors once interaction with the TPM resumes. tpm_ibmvtpm 71000004: A TPM error (101) occurred attempting to determine the number of PCRS. Signed-off-by:
Stefan Berger <stefanb@linux.vnet.ibm.com> Tested-by:
Hon Ching(Vicky) Lo <honclo@linux.vnet.ibm.com> Reviewed-by:
Ashley Lai <ashley@ashleylai.com> Signed-off-by:
-
Jason Gunthorpe authored
auto-probing doesn't work with shared interrupts, and the auto detection interrupt range is for x86 only. Signed-off-by:
Jason Gunthorpe <jgunthorpe@obsidianresearch.com> Reviewed-by:
Martin Wilck <Martin.Wilck@ts.fujitsu.com> Tested-by:
Scot Doyle <lkml14@scotdoyle.com> Signed-off-by:
-
Jason Gunthorpe authored
Now that the probe and run cases are merged together we can use a much simpler setup flow where probe and normal setup are done with exactly the same code. Since the new flow always calls tpm_gen_interrupt to confirm the IRQ there is also no longer any need to call tpm_get_timeouts twice. Signed-off-by:
-
Jason Gunthorpe authored
The new code that works directly in tpm_tis_send is able to handle IRQ probing duties as well, so just use it for everything. Signed-off-by:
-
Jason Gunthorpe authored
IRQ probing needs to know that the TPM is working before trying to probe, so move tpm_get_timeouts() to the top of the tpm_tis_init(). This has the advantage of also getting the correct timeouts loaded before doing IRQ probing. All the timeout handling code is moved to tpm_get_timeouts() in order to remove duplicate code in tpm_tis and tpm_crb. [jarkko.sakkinen@linux.intel.com: squashed two patches together and improved the commit message.] Signed-off-by:
-
Jason Gunthorpe authored
This should be done very early, before anything could possibly cause the TPM to generate an interrupt. If the IRQ line is shared with another driver causing an interrupt before setting up our handler will be very bad. Signed-off-by:
-
Jason Gunthorpe authored
The interrupt is always allocated with devm_request_irq so it must always be freed with devm_free_irq. Fixes: 448e9c55 ("tpm_tis: verify interrupt during init") Signed-off-by:
-
- 17 Dec, 2015 1 commit
-
-
Roman Kubiak authored
Smack security handler for sendmsg() syscall is vulnerable to type confusion issue what can allow to privilege escalation into root or cause denial of service. A malicious attacker can create socket of one type for example AF_UNIX and pass is into sendmsg() function ensuring that this is AF_INET socket. Remedy Do not trust user supplied data. Proposed fix below. Signed-off-by:
Roman Kubiak <r.kubiak@samsung.com> Signed-off-by:
Mateusz Fruba <m.fruba@samsung.com> Acked-by:
Casey Schaufler <casey@schaufler-ca.com>
-
- 15 Dec, 2015 12 commits
-
-
Paul Gortmaker authored
The Kconfig currently controlling compilation of this code is: ima/Kconfig:config IMA_MOK_KEYRING ima/Kconfig: bool "Create IMA machine owner keys (MOK) and blacklist keyrings" ...meaning that it currently is not being built as a module by anyone. Lets remove the couple of traces of modularity so that when reading the driver there is no doubt it really is builtin-only. Since module_init translates to device_initcall in the non-modular case, the init ordering remains unchanged with this commit. Cc: Mimi Zohar <zohar@linux.vnet.ibm.com> Cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com> Cc: James Morris <james.l.morris@oracle.com> Cc: "Serge E. Hallyn" <serge@hallyn.com> Cc: linux-ima-devel@lists.sourceforge.net Cc: linux-ima-user@lists.sourceforge.net Cc: linux-security-module@vger.kernel.org Signed-off-by:
Paul Gortmaker <paul.gortmaker@windriver.com> Signed-off-by:
-
Mimi Zohar authored
While creating a temporary list of new rules, the ima_appraise flag is updated, but not reverted on failure to append the new rules to the existing policy. This patch defines temp_ima_appraise flag. Only when the new rules are appended to the policy is the flag updated. Signed-off-by:
Petko Manolov <petkan@mip-labs.com>
-
Mimi Zohar authored
Set the KEY_FLAGS_KEEP on the .ima_blacklist to prevent userspace from removing keys from the keyring. Signed-off-by: -
Mimi Zohar authored
Userspace should not be allowed to remove keys from certain keyrings (eg. blacklist), though the keys themselves can expire. This patch defines a new key flag named KEY_FLAG_KEEP to prevent userspace from being able to unlink, revoke, invalidate or timed out a key on a keyring. When this flag is set on the keyring, all keys subsequently added are flagged. In addition, when this flag is set, the keyring itself can not be cleared. Signed-off-by: -
Petko Manolov authored
It is often useful to be able to read back the IMA policy. It is even more important after introducing CONFIG_IMA_WRITE_POLICY. This option allows the root user to see the current policy rules. Signed-off-by:
Zbigniew Jasinski <z.jasinski@samsung.com> Signed-off-by:
-
Petko Manolov authored
This option creates IMA MOK and blacklist keyrings. IMA MOK is an intermediate keyring that sits between .system and .ima keyrings, effectively forming a simple CA hierarchy. To successfully import a key into .ima_mok it must be signed by a key which CA is in .system keyring. On turn any key that needs to go in .ima keyring must be signed by CA in either .system or .ima_mok keyrings. IMA MOK is empty at kernel boot. IMA blacklist keyring contains all revoked IMA keys. It is consulted before any other keyring. If the search is successful the requested operation is rejected and error is returned to the caller. Signed-off-by:
-
Petko Manolov authored
The new rules get appended to the original policy, forming a queue. The new rules are first added to a temporary list, which on error get released without disturbing the normal IMA operations. On success both lists (the current policy and the new rules) are spliced. IMA policy reads are many orders of magnitude more numerous compared to writes, the match code is RCU protected. The updater side also does list splice in RCU manner. Signed-off-by:
-
Arnd Bergmann authored
The newly added EVM_LOAD_X509 code can be configured even if CONFIG_EVM is disabled, but that causes a link error: security/built-in.o: In function `integrity_load_keys': digsig_asymmetric.c:(.init.text+0x400): undefined reference to `evm_load_x509' This adds a Kconfig dependency to ensure it is only enabled when CONFIG_EVM is set as well. Signed-off-by:
Arnd Bergmann <arnd@arndb.de> Fixes: 2ce523eb ("evm: load x509 certificate from the kernel") Signed-off-by:
-
Dmitry Kasatkin authored
The EVM verification status is cached in iint->evm_status and if it was successful, never re-verified again when IMA passes the 'iint' to evm_verifyxattr(). When file attributes or extended attributes change, we may wish to re-verify EVM integrity as well. For example, after setting a digital signature we may need to re-verify the signature and update the iint->flags that there is an EVM signature. This patch enables that by resetting evm_status to INTEGRITY_UKNOWN state. Changes in v2: * Flag setting moved to EVM layer Signed-off-by:
Dmitry Kasatkin <dmitry.kasatkin@huawei.com> Signed-off-by:
-
Dmitry Kasatkin authored
A crypto HW kernel module can possibly initialize the EVM key from the kernel __init code to enable EVM before calling the 'init' process. This patch provides a function evm_set_key() to set the EVM key directly without using the KEY subsystem. Changes in v4: * kernel-doc style for evm_set_key Changes in v3: * error reporting moved to evm_set_key * EVM_INIT_HMAC moved to evm_set_key * added bitop to prevent key setting race Changes in v2: * use size_t for key size instead of signed int * provide EVM_MAX_KEY_SIZE macro in <linux/evm.h> * provide EVM_MIN_KEY_SIZE macro in <linux/evm.h> Signed-off-by:
-
Dmitry Kasatkin authored
In order to enable EVM before starting the 'init' process, evm_initialized needs to be non-zero. Previously non-zero indicated that the HMAC key was loaded. When EVM loads the X509 before calling 'init', with this patch it is now possible to enable EVM to start signature based verification. This patch defines bits to enable EVM if a key of any type is loaded. Changes in v3: * print error message if key is not set Changes in v2: * EVM_STATE_KEY_SET replaced by EVM_INIT_HMAC * EVM_STATE_X509_SET replaced by EVM_INIT_X509 Signed-off-by:
-
Dmitry Kasatkin authored
This patch defines a configuration option and the evm_load_x509() hook to load an X509 certificate onto the EVM trusted kernel keyring. Changes in v4: * Patch description updated Changes in v3: * Removed EVM_X509_PATH definition. CONFIG_EVM_X509_PATH is used directly. Changes in v2: * default key patch changed to /etc/keys Signed-off-by:
-
