Pull integrity updates from James Morris:
"From Mimi:
- add run time support for specifying additional security xattrs
included in the security.evm HMAC/signature
- some code clean up and bug fixes"
* 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
EVM: unlock on error path in evm_read_xattrs()
EVM: prevent array underflow in evm_write_xattrs()
EVM: Fix null dereference on xattr when xattr fails to allocate
EVM: fix memory leak of temporary buffer 'temp'
IMA: use list_splice_tail_init_rcu() instead of its open coded variant
ima: use match_string() helper
ima: fix updating the ima_appraise flag
ima: based on policy verify firmware signatures (pre-allocated buffer)
ima: define a new policy condition based on the filesystem name
EVM: Allow runtime modification of the set of verified xattrs
EVM: turn evm_config_xattrnames into a list
integrity: Add an integrity directory in securityfs
ima: Remove unused variable ima_initialized
ima: Unify logging
ima: Reflect correct permissions for policy
Pull audit updates from Paul Moore:
"Another reasonable chunk of audit changes for v4.18, thirteen patches
in total.
The thirteen patches can mostly be broken down into one of four
categories: general bug fixes, accessor functions for audit state
stored in the task_struct, negative filter matches on executable
names, and extending the (relatively) new seccomp logging knobs to the
audit subsystem.
The main driver for the accessor functions from Richard are the
changes we're working on to associate audit events with containers,
but I think they have some standalone value too so I figured it would
be good to get them in now.
The seccomp/audit patches from Tyler apply the seccomp logging
improvements from a few releases ago to audit's seccomp logging;
starting with this patchset the changes in
/proc/sys/kernel/seccomp/actions_logged should apply to both the
standard kernel logging and audit.
As usual, everything passes the audit-testsuite and it happens to
merge cleanly with your tree"
[ Heh, except it had trivial merge conflicts with the SELinux tree that
also came in from Paul - Linus ]
* tag 'audit-pr-20180605' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit:
audit: Fix wrong task in comparison of session ID
audit: use existing session info function
audit: normalize loginuid read access
audit: use new audit_context access funciton for seccomp_actions_logged
audit: use inline function to set audit context
audit: use inline function to get audit context
audit: convert sessionid unset to a macro
seccomp: Don't special case audited processes when logging
seccomp: Audit attempts to modify the actions_logged sysctl
seccomp: Configurable separator for the actions_logged string
seccomp: Separate read and write code for actions_logged sysctl
audit: allow not equal op for audit by executable
audit: add syscall information to FEATURE_CHANGE records
We need to unlock before returning on this error path.
Fixes: fa516b66a1 ("EVM: Allow runtime modification of the set of verified xattrs")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
If the user sets xattr->name[0] to NUL then we would read one character
before the start of the array. This bug seems harmless as far as I can
see but perhaps it would trigger a warning in KASAN.
Fixes: fa516b66a1 ("EVM: Allow runtime modification of the set of verified xattrs")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
In the case where the allocation of xattr fails and xattr is NULL, the
error exit return path via label 'out' will dereference xattr when
kfree'ing xattr-name. Fix this by only kfree'ing xattr->name and xattr
when xattr is non-null.
Detected by CoverityScan, CID#1469366 ("Dereference after null check")
Fixes: fa516b66a1 ("EVM: Allow runtime modification of the set of verified xattrs")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
The allocation of 'temp' is not kfree'd and hence there is a memory
leak on each call of evm_read_xattrs. Fix this by kfree'ing it
after copying data from it back to the user space buffer 'buf'.
Detected by CoverityScan, CID#1469386 ("Resource Leak")
Fixes: fa516b66a1 ("EVM: Allow runtime modification of the set of verified xattrs")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Use list_splice_tail_init_rcu() to extend the existing custom IMA policy
with additional IMA policy rules.
Signed-off-by: Petko Manolov <petko.manolov@konsulko.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
As IMA policy rules are added, a mask of the type of rule (eg. kernel
modules, firmware, IMA policy) is updated. Unlike custom IMA policy
rules, which replace the original builtin policy rules and update the
mask, the builtin "secure_boot" policy rules were loaded, but did not
update the mask.
This patch refactors the code to load custom policies, defining a new
function named ima_appraise_flag(). The new function is called either
when loading the builtin "secure_boot" or custom policies.
Fixes: 503ceaef8e ("ima: define a set of appraisal rules requiring file signatures")
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
If/when file data signatures are distributed with the file data, this
patch will not be needed. In the current environment where only some
files are signed, the ability to differentiate between file systems is
needed. Some file systems consider the file system magic number
internal to the file system.
This patch defines a new IMA policy condition named "fsname", based on
the superblock's file_system_type (sb->s_type) name. This allows policy
rules to be expressed in terms of the filesystem name.
The following sample rules require file signatures on rootfs files
executed or mmap'ed.
appraise func=BPRM_CHECK fsname=rootfs appraise_type=imasig
appraise func=FILE_MMAP fsname=rootfs appraise_type=imasig
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: Dave Chinner <david@fromorbit.com>
Cc: Theodore Ts'o <tytso@mit.edu>
Sites may wish to provide additional metadata alongside files in order
to make more fine-grained security decisions[1]. The security of this is
enhanced if this metadata is protected, something that EVM makes
possible. However, the kernel cannot know about the set of extended
attributes that local admins may wish to protect, and hardcoding this
policy in the kernel makes it difficult to change over time and less
convenient for distributions to enable.
This patch adds a new /sys/kernel/security/integrity/evm/evm_xattrs node,
which can be read to obtain the current set of EVM-protected extended
attributes or written to in order to add new entries. Extending this list
will not change the validity of any existing signatures provided that the
file in question does not have any of the additional extended attributes -
missing xattrs are skipped when calculating the EVM hash.
[1] For instance, a package manager could install information about the
package uploader in an additional extended attribute. Local LSM policy
could then be associated with that extended attribute in order to
restrict the privileges available to packages from less trusted
uploaders.
Signed-off-by: Matthew Garrett <mjg59@google.com>
Reviewed-by: James Morris <james.morris@microsoft.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
We want to add additional evm control nodes, and it'd be preferable not
to clutter up the securityfs root directory any further. Create a new
integrity directory, move the ima directory into it, create an evm
directory for the evm attribute and add compatibility symlinks.
Signed-off-by: Matthew Garrett <mjg59@google.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Commit a756024 ("ima: added ima_policy_flag variable") replaced
ima_initialized with ima_policy_flag, but didn't remove ima_initialized.
This patch removes it.
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: James Morris <james.morris@microsoft.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Define pr_fmt everywhere.
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Reported-by: Stephen Rothwell <sfr@canb.auug.org.au> (powerpc build error)
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Changelog:
Previous pr_fmt definition was too late and caused problems in powerpc
allyesconfg build.
Kernel configured as CONFIG_IMA_READ_POLICY=y && CONFIG_IMA_WRITE_POLICY=n
keeps 0600 mode after loading policy. Remove write permission to state
that policy file no longer be written.
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Recognizing that the audit context is an internal audit value, use an
access function to retrieve the audit context pointer for the task
rather than reaching directly into the task struct to get it.
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
[PM: merge fuzz in auditsc.c and selinuxfs.c, checkpatch.pl fixes]
Signed-off-by: Paul Moore <paul@paul-moore.com>
This is required to use SMACK and IMA/EVM together. Add it to the
default nomeasure/noappraise list like other pseudo filesystems.
Signed-off-by: Martin Townsend <mtownsend1973@gmail.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
EVM might update the evm xattr while the VFS performs a remount to
readonly mode. This is not properly checked for, additionally check
the s_readonly_remount superblock flag before writing.
The bug can for example be observed with UBIFS. UBIFS checks the free
space on the device before and after a remount. With EVM enabled the
free space sometimes differs between both checks.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Replace nested ifs in the EVM xattr verification logic with a switch
statement, making the code easier to understand.
Also, add comments to the if statements in the out section and constify the
cause variable.
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
The "goto out" statement doesn't have any purpose since there's no cleanup
to be done when returning early, so remove it. This also makes the rc
variable unnecessary so remove it as well.
Also, the xattr_len and fmt variables are redundant so remove them as well.
Signed-off-by: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
