Commit f91e6544 authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge branch 'next-integrity' of... 

Merge branch 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull integrity updates from James Morris:
 "This adds support for EVM signatures based on larger digests, contains
  a new audit record AUDIT_INTEGRITY_POLICY_RULE to differentiate the
  IMA policy rules from the IMA-audit messages, addresses two deadlocks
  due to either loading or searching for crypto algorithms, and cleans
  up the audit messages"

* 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  EVM: fix return value check in evm_write_xattrs()
  integrity: prevent deadlock during digsig verification.
  evm: Allow non-SHA1 digital signatures
  evm: Don't deadlock if a crypto algorithm is unavailable
  integrity: silence warning when CONFIG_SECURITYFS is not enabled
  ima: Differentiate auditing policy rules from "audit" actions
  ima: Do not audit if CONFIG_INTEGRITY_AUDIT is not set
  ima: Use audit_log_format() rather than audit_log_string()
  ima: Call audit_log_string() rather than logging it untrusted
parents c715ebeb 3dd0f18c

crypto/api.c

+1 −1
Original line number Diff line number Diff line
@@ -229,7 +229,7 @@ static struct crypto_alg *crypto_larval_lookup(const char *name, u32 type, 
	mask &= ~(CRYPTO_ALG_LARVAL | CRYPTO_ALG_DEAD);



	alg = crypto_alg_lookup(name, type, mask);

	if (!alg) {

	if (!alg && !(mask & CRYPTO_NOLOAD)) {

		request_module("crypto-%s", name);



		if (!((type ^ CRYPTO_ALG_NEED_FALLBACK) & mask &

include/linux/crypto.h

+5 −0
Original line number Diff line number Diff line
@@ -112,6 +112,11 @@ 
 */

#define CRYPTO_ALG_OPTIONAL_KEY		0x00004000



/*

 * Don't trigger module loading

 */

#define CRYPTO_NOLOAD			0x00008000



/*

 * Transform masks and values (for crt_flags).

 */

include/linux/integrity.h

+13 −0
Original line number Diff line number Diff line
@@ -44,4 +44,17 @@ static inline void integrity_load_keys(void) 
}

#endif /* CONFIG_INTEGRITY */



#ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS



extern int integrity_kernel_module_request(char *kmod_name);



#else



static inline int integrity_kernel_module_request(char *kmod_name)

{

	return 0;

}



#endif /* CONFIG_INTEGRITY_ASYMMETRIC_KEYS */



#endif /* _LINUX_INTEGRITY_H */

include/uapi/linux/audit.h

+1 −0
Original line number Diff line number Diff line
@@ -148,6 +148,7 @@ 
#define AUDIT_INTEGRITY_PCR	    1804 /* PCR invalidation msgs */

#define AUDIT_INTEGRITY_RULE	    1805 /* policy rule */

#define AUDIT_INTEGRITY_EVM_XATTR   1806 /* New EVM-covered xattr */

#define AUDIT_INTEGRITY_POLICY_RULE 1807 /* IMA policy rules */



#define AUDIT_KERNEL		2000	/* Asynchronous audit record. NOT A REQUEST. */

security/integrity/digsig_asymmetric.c

+23 −0
Original line number Diff line number Diff line
@@ -115,3 +115,26 @@ int asymmetric_verify(struct key *keyring, const char *sig, 
	pr_debug("%s() = %d\n", __func__, ret);

	return ret;

}



/**

 * integrity_kernel_module_request - prevent crypto-pkcs1pad(rsa,*) requests

 * @kmod_name: kernel module name

 *

 * We have situation, when public_key_verify_signature() in case of RSA

 * algorithm use alg_name to store internal information in order to

 * construct an algorithm on the fly, but crypto_larval_lookup() will try

 * to use alg_name in order to load kernel module with same name.

 * Since we don't have any real "crypto-pkcs1pad(rsa,*)" kernel modules,

 * we are safe to fail such module request from crypto_larval_lookup().

 *

 * In this way we prevent modprobe execution during digsig verification

 * and avoid possible deadlock if modprobe and/or it's dependencies

 * also signed with digsig.

 */

int integrity_kernel_module_request(char *kmod_name)

{

	if (strncmp(kmod_name, "crypto-pkcs1pad(rsa,", 20) == 0)

		return -EINVAL;



	return 0;

}

CRA Git | Maintained and supported by SUSTech CRA and CCSE