Commit 73a0bff2 authored by Linus Torvalds's avatar Linus Torvalds

Merge branch 'next-integrity' of...

Merge branch 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity

Pull IMA updates from Mimi Zohar:
 "Two new features - measuring certificates and querying IMA for a file
  hash - and three bug fixes:

   - Measuring certificates is like the rest of IMA, based on policy,
     but requires loading a custom policy. Certificates loaded onto a
     keyring, for example during early boot, before a custom policy has
     been loaded, are queued and only processed after loading the custom
     policy.

   - IMA calculates and caches files hashes. Other kernel subsystems,
     and possibly kernel modules, are interested in accessing these
     cached file hashes.

  The bug fixes prevent classifying a file short read (e.g. shutdown) as
  an invalid file signature, add a missing blank when displaying the
  securityfs policy rules containing LSM labels, and, lastly, fix the
  handling of the IMA policy information for unknown LSM labels"

* 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
  IMA: Defined delayed workqueue to free the queued keys
  IMA: Call workqueue functions to measure queued keys
  IMA: Define workqueue for early boot key measurements
  IMA: pre-allocate buffer to hold keyrings string
  ima: ima/lsm policy rule loading logic bug fixes
  ima: add the ability to query the cached hash of a given file
  ima: Add a space after printing LSM rules for readability
  IMA: fix measuring asymmetric keys Kconfig
  IMA: Read keyrings= option from the IMA policy
  IMA: Add support to limit measuring keys
  KEYS: Call the IMA hook to measure keys
  IMA: Define an IMA hook to measure keys
  IMA: Add KEY_CHECK func to measure keys
  IMA: Check IMA policy flag
  ima: avoid appraise error for hash calc interrupt
parents 2cf64d7c d54e17b4
+14 −2
@@ -25,11 +25,11 @@ Description:
			lsm:	[[subj_user=] [subj_role=] [subj_type=]
				 [obj_user=] [obj_role=] [obj_type=]]
			option:	[[appraise_type=]] [template=] [permit_directio]
				[appraise_flag=]
				[appraise_flag=] [keyrings=]
		base: 	func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]
				[FIRMWARE_CHECK]
				[KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
				[KEXEC_CMDLINE]
				[KEXEC_CMDLINE] [KEY_CHECK]
			mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
			       [[^]MAY_EXEC]
			fsmagic:= hex value
@@ -42,6 +42,9 @@ Description:
			appraise_flag:= [check_blacklist]
			Currently, blacklist check is only for files signed with appended
			signature.
			keyrings:= list of keyrings
			(eg, .builtin_trusted_keys|.ima). Only valid
			when action is "measure" and func is KEY_CHECK.
			template:= name of a defined IMA template type
			(eg, ima-ng). Only valid when action is "measure".
			pcr:= decimal value
@@ -113,3 +116,12 @@ Description:
		Example of appraise rule allowing modsig appended signatures:

			appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig

		Example of measure rule using KEY_CHECK to measure all keys:

			measure func=KEY_CHECK

		Example of measure rule using KEY_CHECK to only measure
		keys added to .builtin_trusted_keys or .ima keyring:

			measure func=KEY_CHECK keyrings=.builtin_trusted_keys|.ima
+20 −0
@@ -23,6 +23,7 @@ extern int ima_read_file(struct file *file, enum kernel_read_file_id id);
extern int ima_post_read_file(struct file *file, void *buf, loff_t size,
			      enum kernel_read_file_id id);
extern void ima_post_path_mknod(struct dentry *dentry);
extern int ima_file_hash(struct file *file, char *buf, size_t buf_size);
extern void ima_kexec_cmdline(const void *buf, int size);

#ifdef CONFIG_IMA_KEXEC
@@ -91,6 +92,11 @@ static inline void ima_post_path_mknod(struct dentry *dentry)
	return;
}

static inline int ima_file_hash(struct file *file, char *buf, size_t buf_size)
{
	return -EOPNOTSUPP;
}

static inline void ima_kexec_cmdline(const void *buf, int size) {}
#endif /* CONFIG_IMA */

@@ -101,6 +107,20 @@ static inline void ima_add_kexec_buffer(struct kimage *image)
{}
#endif

#ifdef CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS
extern void ima_post_key_create_or_update(struct key *keyring,
					  struct key *key,
					  const void *payload, size_t plen,
					  unsigned long flags, bool create);
#else
static inline void ima_post_key_create_or_update(struct key *keyring,
						 struct key *key,
						 const void *payload,
						 size_t plen,
						 unsigned long flags,
						 bool create) {}
#endif  /* CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS */

#ifdef CONFIG_IMA_APPRAISE
extern bool is_ima_appraise_enabled(void);
extern void ima_inode_post_setattr(struct dentry *dentry);
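Review bot: `ima_file_hash()` is declared here as an interface for other subsystems (the merge description says other kernel code and possibly modules will call it), but the header carries no comment on its contract: what is written into `buf`, how large `buf_size` must be, and whether the return value is a length, zero, or only an error code; the implementation is outside this diff so I cannot confirm which. The !CONFIG_IMA stub returning `-EOPNOTSUPP` tells callers one error to expect, but not the others (presumably a file whose hash has not been collected yet is also an error — verify against the implementation). Suggest a kerneldoc block above the `extern` that states the return semantics, the required `buf_size`, and that a too-small buffer is reported rather than truncated silently, if that is what the implementation does. The same applies to `ima_post_key_create_or_update()` further down in this section, whose `flags` and `create` parameters are undocumented.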
+12 −0
@@ -310,3 +310,15 @@ config IMA_APPRAISE_SIGNED_INIT
	default n
	help
	   This option requires user-space init to be signed.

config IMA_MEASURE_ASYMMETRIC_KEYS
	bool
	depends on IMA
	depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
	default y

config IMA_QUEUE_EARLY_BOOT_KEYS
	bool
	depends on IMA_MEASURE_ASYMMETRIC_KEYS
	depends on SYSTEM_TRUSTED_KEYRING
	default y
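Review bot: Both new symbols, `IMA_MEASURE_ASYMMETRIC_KEYS` and `IMA_QUEUE_EARLY_BOOT_KEYS`, are hidden `bool` options with `default y` and no `help` text, so nothing in Kconfig tells a reader what they enable or why the second one depends on `SYSTEM_TRUSTED_KEYRING`. Even though neither has a prompt, a short help block is the usual place to record this. Suggest adding under the first: `help` / `Measure asymmetric keys as they are added to a keyring, subject to the IMA policy (func=KEY_CHECK).`, and under the second a sentence stating that keys loaded before a custom IMA policy is in place are queued and measured once that policy is loaded, as the merge description explains.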
+2 −0
@@ -12,3 +12,5 @@ ima-$(CONFIG_IMA_APPRAISE) += ima_appraise.o
ima-$(CONFIG_IMA_APPRAISE_MODSIG) += ima_modsig.o
ima-$(CONFIG_HAVE_IMA_KEXEC) += ima_kexec.o
obj-$(CONFIG_IMA_BLACKLIST_KEYRING) += ima_mok.o
obj-$(CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS) += ima_asymmetric_keys.o
obj-$(CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS) += ima_queue_keys.o
+30 −3
@@ -193,6 +193,7 @@ static inline unsigned long ima_hash_key(u8 *digest)
	hook(KEXEC_INITRAMFS_CHECK)	\
	hook(POLICY_CHECK)		\
	hook(KEXEC_CMDLINE)		\
	hook(KEY_CHECK)			\
	hook(MAX_CHECK)
#define __ima_hook_enumify(ENUM)	ENUM,

@@ -204,10 +205,35 @@ extern const char *const func_tokens[];

struct modsig;

#ifdef CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS
/*
 * To track keys that need to be measured.
 */
struct ima_key_entry {
	struct list_head list;
	void *payload;
	size_t payload_len;
	char *keyring_name;
};
void ima_init_key_queue(void);
bool ima_should_queue_key(void);
bool ima_queue_key(struct key *keyring, const void *payload,
		   size_t payload_len);
void ima_process_queued_keys(void);
#else
static inline void ima_init_key_queue(void) {}
static inline bool ima_should_queue_key(void) { return false; }
static inline bool ima_queue_key(struct key *keyring,
				 const void *payload,
				 size_t payload_len) { return false; }
static inline void ima_process_queued_keys(void) {}
#endif /* CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS */

/* LIM API function definitions */
int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid,
		   int mask, enum ima_hooks func, int *pcr,
		   struct ima_template_desc **template_desc);
		   struct ima_template_desc **template_desc,
		   const char *keyring);
int ima_must_measure(struct inode *inode, int mask, enum ima_hooks func);
int ima_collect_measurement(struct integrity_iint_cache *iint,
			    struct file *file, void *buf, loff_t size,
@@ -219,7 +245,7 @@ void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file,
			   struct ima_template_desc *template_desc);
void process_buffer_measurement(const void *buf, int size,
				const char *eventname, enum ima_hooks func,
				int pcr);
				int pcr, const char *keyring);
void ima_audit_measurement(struct integrity_iint_cache *iint,
			   const unsigned char *filename);
int ima_alloc_init_template(struct ima_event_data *event_data,
@@ -234,7 +260,8 @@ const char *ima_d_path(const struct path *path, char **pathbuf, char *filename);
/* IMA policy related functions */
int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid,
		     enum ima_hooks func, int mask, int flags, int *pcr,
		     struct ima_template_desc **template_desc);
		     struct ima_template_desc **template_desc,
		     const char *keyring);
void ima_init_policy(void);
void ima_update_policy(void);
void ima_update_policy_flag(void);
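Review bot: `struct ima_key_entry` holds raw `payload` and `keyring_name` pointers, but the comment above it says only that it tracks keys to be measured; it does not say who owns those buffers (presumably `ima_queue_key()` copies the payload, since the caller's data may not outlive early boot — confirm in ima_queue_keys.c, which is outside this diff) nor when they are released (the merge description mentions a delayed workqueue that frees the queued keys). The header also leaves the `bool` return of `ima_queue_key()` and `ima_should_queue_key()` unexplained, so a caller cannot tell whether `false` means "not queued, measure now" or "failed". Suggest replacing the two-line comment with one that states the ownership of `payload` and `keyring_name`, that entries live only until the queue is processed and freed, and adding `/* Returns true if the key was queued for later measurement. */` above `ima_queue_key()`, adjusting the wording to match the implementation.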