Commit f8cf2f16 authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge branch 'next-integrity' of... 

Merge branch 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull integrity updates from James Morris:
 "A mixture of bug fixes, code cleanup, and continues to close
  IMA-measurement, IMA-appraisal, and IMA-audit gaps.

  Also note the addition of a new cred_getsecid LSM hook by Matthew
  Garrett:

     For IMA purposes, we want to be able to obtain the prepared secid
     in the bprm structure before the credentials are committed. Add a
     cred_getsecid hook that makes this possible.

  which is used by a new CREDS_CHECK target in IMA:

     In ima_bprm_check(), check with both the existing process
     credentials and the credentials that will be committed when the new
     process is started. This will not change behaviour unless the
     system policy is extended to include CREDS_CHECK targets -
     BPRM_CHECK will continue to check the same credentials that it did
     previously"

* 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  ima: Fallback to the builtin hash algorithm
  ima: Add smackfs to the default appraise/measure list
  evm: check for remount ro in progress before writing
  ima: Improvements in ima_appraise_measurement()
  ima: Simplify ima_eventsig_init()
  integrity: Remove unused macro IMA_ACTION_RULE_FLAGS
  ima: drop vla in ima_audit_measurement()
  ima: Fix Kconfig to select TPM 2.0 CRB interface
  evm: Constify *integrity_status_msg[]
  evm: Move evm_hmac and evm_hash from evm_main.c to evm_crypto.c
  fuse: define the filesystem as untrusted
  ima: fail signature verification based on policy
  ima: clear IMA_HASH
  ima: re-evaluate files on privileged mounted filesystems
  ima: fail file signature verification on non-init mounted filesystems
  IMA: Support using new creds in appraisal policy
  security: Add a cred_getsecid hook
parents 4b3f1a15 ab60368a

Documentation/ABI/testing/ima_policy

+1 −1
Original line number Diff line number Diff line
@@ -26,7 +26,7 @@ Description: 
				 [obj_user=] [obj_role=] [obj_type=]]

			option:	[[appraise_type=]] [permit_directio]



		base: 	func:= [BPRM_CHECK][MMAP_CHECK][FILE_CHECK][MODULE_CHECK]

		base: 	func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]

				[FIRMWARE_CHECK]

				[KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]

			mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]

Documentation/admin-guide/kernel-parameters.txt

+7 −1
Original line number Diff line number Diff line
@@ -1521,7 +1521,8 @@ 


	ima_policy=	[IMA]

			The builtin policies to load during IMA setup.

			Format: "tcb | appraise_tcb | secure_boot"

			Format: "tcb | appraise_tcb | secure_boot |

				 fail_securely"



			The "tcb" policy measures all programs exec'd, files

			mmap'd for exec, and all files opened with the read
@@ -1536,6 +1537,11 @@ 
			of files (eg. kexec kernel image, kernel modules,

			firmware, policy, etc) based on file signatures.



			The "fail_securely" policy forces file signature

			verification failure also on privileged mounted

			filesystems with the SB_I_UNVERIFIABLE_SIGNATURE

			flag.



	ima_tcb		[IMA] Deprecated.  Use ima_policy= instead.

			Load a policy which meets the needs of the Trusted

			Computing Base.  This means IMA will measure all

fs/fuse/inode.c

+3 −0
Original line number Diff line number Diff line
@@ -1080,6 +1080,9 @@ static int fuse_fill_super(struct super_block *sb, void *data, int silent) 
	sb->s_maxbytes = MAX_LFS_FILESIZE;

	sb->s_time_gran = 1;

	sb->s_export_op = &fuse_export_operations;

	sb->s_iflags |= SB_I_IMA_UNVERIFIABLE_SIGNATURE;

	if (sb->s_user_ns != &init_user_ns)

		sb->s_iflags |= SB_I_UNTRUSTED_MOUNTER;



	file = fget(d.fd);

	err = -EINVAL;

include/linux/fs.h

+2 −0
Original line number Diff line number Diff line
@@ -1321,6 +1321,8 @@ extern int send_sigurg(struct fown_struct *fown); 


/* sb->s_iflags to limit user namespace mounts */

#define SB_I_USERNS_VISIBLE		0x00000010 /* fstype already mounted */

#define SB_I_IMA_UNVERIFIABLE_SIGNATURE	0x00000020

#define SB_I_UNTRUSTED_MOUNTER		0x00000040



/* Possible states of 'frozen' field */

enum {

include/linux/lsm_hooks.h

+6 −0
Original line number Diff line number Diff line
@@ -554,6 +554,10 @@ 
 *	@new points to the new credentials.

 *	@old points to the original credentials.

 *	Transfer data from original creds to new creds

 * @cred_getsecid:

 *	Retrieve the security identifier of the cred structure @c

 *	@c contains the credentials, secid will be placed into @secid.

 *	In case of failure, @secid will be set to zero.

 * @kernel_act_as:

 *	Set the credentials for a kernel service to act as (subjective context).

 *	@new points to the credentials to be modified.
@@ -1569,6 +1573,7 @@ union security_list_options { 
	int (*cred_prepare)(struct cred *new, const struct cred *old,

				gfp_t gfp);

	void (*cred_transfer)(struct cred *new, const struct cred *old);

	void (*cred_getsecid)(const struct cred *c, u32 *secid);

	int (*kernel_act_as)(struct cred *new, u32 secid);

	int (*kernel_create_files_as)(struct cred *new, struct inode *inode);

	int (*kernel_module_request)(char *kmod_name);
@@ -1858,6 +1863,7 @@ struct security_hook_heads { 
	struct hlist_head cred_free;

	struct hlist_head cred_prepare;

	struct hlist_head cred_transfer;

	struct hlist_head cred_getsecid;

	struct hlist_head kernel_act_as;

	struct hlist_head kernel_create_files_as;

	struct hlist_head kernel_read_file;

CRA Git | Maintained and supported by SUSTech CRA and CCSE