path: root/security/integrity
* ima: add policy for pseudo fs (Dmitry Kasatkin, 2012-07-05; 1 file, -0/+2)
  Exclude DEVPTS and BINFMT filesystems from the measurement policy.
  Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
  Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>

* ima: remove unused cleanup functions (Dmitry Kasatkin, 2012-07-02; 3 files, -20/+0)
  IMA cannot be used as a module and does not need __exit functions. Removed them.
  Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
  Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>

* ima: free securityfs violations file (Dmitry Kasatkin, 2012-07-02; 1 file, -0/+1)
  On ima_fs_init() error, free the securityfs violations file.
  Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
  Signed-off-by: Mimi Zohar <zohar@us.ibm.com>

* ima: use full pathnames in measurement list (Mimi Zohar, 2012-07-02; 2 files, -7/+39)
  The IMA measurement list contains filename hints, which can be ambiguous without the full pathname. This patch replaces the filename hint with the full pathname, simplifying for userspace the correlating of file hash measurements with files.
  Change log v1:
  - Revert to short filenames, when the full pathname is longer than the IMA measurement buffer size. (Based on Dmitry's review)
  Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
* ima: fix filename hint to reflect script interpreter name (Mimi Zohar, 2012-05-16; 1 file, -1/+3)
  When IMA was first upstreamed, the bprm filename and interp were always the same. Currently, the bprm->filename and bprm->interp are the same, except for when only bprm->interp contains the interpreter name. So instead of using the bprm->filename as the IMA filename hint in the measurement list, we could replace it with bprm->interp, but this feels too fragile. The following patch is not much better, but at least there is some indication that sometimes we're passing the filename and other times the interpreter name.
  Reported-by: Andrew Lunn <andrew@lunn.ch>
  Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
  Signed-off-by: James Morris <james.l.morris@oracle.com>

* security: fix ima kconfig warning (Randy Dunlap, 2012-02-28; 1 file, -1/+1)
  Fix IMA kconfig warning on non-X86 architectures:
  warning: (IMA) selects TCG_TIS which has unmet direct dependencies (TCG_TPM && X86)
  Signed-off-by: Randy Dunlap <rdunlap@xenotime.net>
  Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
  Acked-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
  Signed-off-by: James Morris <james.l.morris@oracle.com>

* IMA: fix audit res field to indicate 1 for success and 0 for failure (Eric Paris, 2012-02-16; 2 files, -2/+2)
  The audit res field usually indicates success with a 1 and 0 for a failure. So make IMA do it the same way.
  Signed-off-by: Eric Paris <eparis@redhat.com>
  Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
  Signed-off-by: James Morris <jmorris@namei.org>
* Merge branch 'next-queue' into next (James Morris, 2012-02-09; 2 files, -1/+2)

* ima: policy for RAMFS (Dmitry Kasatkin, 2012-01-19; 1 file, -0/+1)
  Don't measure ramfs files.
  Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
  Signed-off-by: Mimi Zohar <zohar@us.ibm.com>

* ima: fix Kconfig dependencies (Fabio Estevam, 2012-01-19; 1 file, -1/+1)
  Fix the following build warning:
  warning: (IMA) selects TCG_TPM which has unmet direct dependencies (HAS_IOMEM && EXPERIMENTAL)
  Suggested-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
  Signed-off-by: Fabio Estevam <fabio.estevam@freescale.com>
  Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
  Cc: <stable@vger.kernel.org>
  Signed-off-by: Mimi Zohar <zohar@us.ibm.com>

* ima: fix cred sparse warning (Mimi Zohar, 2012-01-19; 1 file, -1/+2)
  Fix ima_policy.c sparse "warning: dereference of noderef expression" message, by accessing cred->uid using current_cred().
  Changelog v1:
  - Change __cred to just cred (based on David Howell's comment)
  Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
  Signed-off-by: James Morris <jmorris@namei.org>

* Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security (Linus Torvalds, 2012-01-17; 3 files, -5/+5)
  * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
    integrity: digital signature config option name change
    lib: Removed MPILIB, MPILIB_EXTRA, and SIGNATURE prompts
    lib: MPILIB Kconfig description update
    lib: digital signature dependency fix
    lib: digital signature config option name change
    encrypted-keys: fix rcu and sparse messages
    keys: fix trusted/encrypted keys sparse rcu_assign_pointer messages
    KEYS: Add missing smp_rmb() primitives to the keyring search code
    TOMOYO: Accept \000 as a valid character.
    security: update MAINTAINERS file with new git repo

* integrity: digital signature config option name change (Dmitry Kasatkin, 2012-01-18; 3 files, -4/+4)
  Similar to SIGNATURE, rename INTEGRITY_DIGSIG to INTEGRITY_SIGNATURE.
  Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
  Signed-off-by: James Morris <jmorris@namei.org>

* lib: digital signature config option name change (Dmitry Kasatkin, 2012-01-18; 1 file, -1/+1)
  It was reported that DIGSIG is a confusing name for the digital signature module. It was suggested to rename DIGSIG to SIGNATURE.
  Requested-by: Linus Torvalds <torvalds@linux-foundation.org>
  Suggested-by: Pavel Machek <pavel@ucw.cz>
  Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
  Signed-off-by: James Morris <jmorris@namei.org>

* audit: treat s_id as an untrusted string (Kees Cook, 2012-01-17; 1 file, -3/+5)
  The use of s_id should go through the untrusted string path, just to be extra careful.
  Signed-off-by: Kees Cook <keescook@chromium.org>
  Acked-by: Mimi Zohar <zohar@us.ibm.com>
  Signed-off-by: Eric Paris <eparis@redhat.com>

* Merge branch 'next' into for-linus (James Morris, 2012-01-09; 9 files, -43/+244)
  Conflicts:
    security/integrity/evm/evm_crypto.c
  Resolved upstream fix vs. next conflict manually.
  Signed-off-by: James Morris <jmorris@namei.org>
* ima: fix invalid memory reference (Roberto Sassu, 2011-12-19; 1 file, -5/+11)
  Don't free a valid measurement entry on TPM PCR extend failure.
  Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
  Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
  Cc: stable@vger.kernel.org

* ima: free duplicate measurement memory (Roberto Sassu, 2011-12-19; 2 files, -2/+3)
  Info about new measurements is cached in the iint for performance. When the inode is flushed from cache, the associated iint is flushed as well. Subsequent access to the inode will cause the inode to be re-measured and will attempt to add a duplicate entry to the measurement list. This patch frees the duplicate measurement memory, fixing a memory leak.
  Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
  Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
  Cc: stable@vger.kernel.org

* evm: prevent racing during tfm allocation (Dmitry Kasatkin, 2011-12-08; 1 file, -3/+11)
  There is a small chance of racing during tfm allocation. This patch fixes it.
  Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
  Acked-by: Mimi Zohar <zohar@us.ibm.com>
  Signed-off-by: James Morris <jmorris@namei.org>

* evm: key must be set once during initialization (Dmitry Kasatkin, 2011-12-08; 1 file, -7/+8)
  On multi-core systems, setting of the key before every calculation causes invalid HMAC calculation for other tfm users, because the internal state (ipad, opad) can be invalid before the set key call returns. It needs to be set only once during initialization.
  Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
  Acked-by: Mimi Zohar <zohar@us.ibm.com>
  Signed-off-by: James Morris <jmorris@namei.org>

* digsig: build dependency fix (Dmitry Kasatkin, 2011-11-22; 1 file, -1/+1)
  Fix build errors by adding Kconfig dependency on KEYS. CRYPTO dependency removed.
    CC      security/integrity/digsig.o
  security/integrity/digsig.c: In function 'integrity_digsig_verify':
  security/integrity/digsig.c:38:4: error: implicit declaration of function 'request_key'
  security/integrity/digsig.c:38:17: error: 'key_type_keyring' undeclared (first use in this function)
  security/integrity/digsig.c:38:17: note: each undeclared identifier is reported only once for each function it appears in
  make[2]: *** [security/integrity/digsig.o] Error 1
  Reported-by: Randy Dunlap <rdunlap@xenotime.net>
  Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
  Signed-off-by: James Morris <jmorris@namei.org>

* evm: digital signature verification support (Dmitry Kasatkin, 2011-11-09; 3 files, -30/+142)
  This patch adds support for digital signature verification to EVM. With this feature file metadata can be protected using a digital signature instead of an HMAC. When building an image, which has to be flashed to different devices, an HMAC cannot be used to sign file metadata, because the HMAC key should be different on every device.
  Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
  Acked-by: Mimi Zohar <zohar@us.ibm.com>

* integrity: digital signature verification using multiple keyrings (Dmitry Kasatkin, 2011-11-09; 4 files, -0/+84)
  Define separate keyrings for each of the different use cases - evm, ima, and modules. Using different keyrings improves search performance, and also allows "locking" a specific keyring to prevent adding new keys. This is useful for evm and module keyrings, when keys are usually only added from initramfs.
  Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
* evm: prevent racing during tfm allocation (Dmitry Kasatkin, 2011-12-20; 1 file, -0/+9)
  There is a small chance of racing during tfm allocation. This patch fixes it.
  Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
  Acked-by: Mimi Zohar <zohar@us.ibm.com>
  Signed-off-by: James Morris <jmorris@namei.org>

* evm: key must be set once during initialization (Dmitry Kasatkin, 2011-12-20; 1 file, -4/+6)
  On multi-core systems, setting of the key before every calculation causes invalid HMAC calculation for other tfm users, because the internal state (ipad, opad) can be invalid before the set key call returns. It needs to be set only once during initialization.
  Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
  Acked-by: Mimi Zohar <zohar@us.ibm.com>
  Signed-off-by: James Morris <jmorris@namei.org>

* Merge branch 'for-linus' of git://github.com/richardweinberger/linux (Linus Torvalds, 2011-11-02; 1 file, -1/+1)
  * 'for-linus' of git://github.com/richardweinberger/linux: (90 commits)
    um: fix ubd cow size
    um: Fix kmalloc argument order in um/vdso/vma.c
    um: switch to use of drivers/Kconfig
    UserModeLinux-HOWTO.txt: fix a typo
    UserModeLinux-HOWTO.txt: remove ^H characters
    um: we need sys/user.h only on i386
    um: merge delay_{32,64}.c
    um: distribute exports to where exported stuff is defined
    um: kill system-um.h
    um: generic ftrace.h will do...
    um: segment.h is x86-only and needed only there
    um: asm/pda.h is not needed anymore
    um: hw_irq.h can go generic as well
    um: switch to generic-y
    um: clean Kconfig up a bit
    um: a couple of missing dependencies...
    um: kill useless argument of free_chan() and free_one_chan()
    um: unify ptrace_user.h
    um: unify KSTK_...
    um: fix gcov build breakage
    ...

* um: switch to use of drivers/Kconfig (Al Viro, 2011-11-02; 1 file, -1/+1)
  Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
  Signed-off-by: Richard Weinberger <richard@nod.at>
* evm: clean verification status (Dmitry Kasatkin, 2011-09-14; 1 file, -0/+1)
  When allocating from slab, initialization is done the first time in init_once() and subsequently on free. Because evm_status was not re-initialized on free, evm_verify_hmac() skipped verifications. This patch re-initializes evm_status.
  Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
  Signed-off-by: Mimi Zohar <zohar@us.ibm.com>

* evm: permit mode bits to be updated (Mimi Zohar, 2011-09-14; 1 file, -17/+13)
  Before permitting 'security.evm' to be updated, 'security.evm' must exist and be valid. In the case that there are no existing EVM protected xattrs, it is safe for posix acls to update the mode bits. To differentiate between no 'security.evm' xattr and no xattrs used to calculate 'security.evm', this patch defines INTEGRITY_NOXATTR.
  Signed-off-by: Mimi Zohar <zohar@us.ibm.com>

* evm: posix acls modify i_mode (Mimi Zohar, 2011-09-14; 3 files, -5/+46)
  The posix xattr acls are 'system' prefixed, which normally would not affect security.evm. An interesting side effect of writing posix xattr acls is their modifying of the i_mode, which is included in security.evm. This patch updates security.evm when posix xattr acls are written.
  Signed-off-by: Mimi Zohar <zohar@us.ibm.com>

* evm: limit verifying current security.evm integrity (Mimi Zohar, 2011-09-14; 1 file, -34/+24)
  evm_protect_xattr unnecessarily validates the current security.evm integrity, before updating non-evm protected extended attributes and other file metadata. This patch limits validating the current security.evm integrity to evm protected metadata.
  Signed-off-by: Mimi Zohar <zohar@us.ibm.com>

* evm: remove TCG_TPM dependency (Mimi Zohar, 2011-09-14; 1 file, -2/+1)
  All tristates selected by EVM (boolean) are forced to be builtin, except in the TCG_TPM (tristate) dependency case. Arnaud Lacombe summarizes the Kconfig bug as, "So it would seem direct dependency state influence the state of reverse dependencies.." For a detailed explanation, refer to Arnaud Lacombe's posting http://lkml.org/lkml/2011/8/23/498.
  With the "encrypted-keys: remove trusted-keys dependency" patch, EVM can now be built without a dependency on TCG_TPM. The trusted-keys dependency requires trusted-keys to either be builtin or not selected. This dependency will prevent the boolean/tristate mismatch from occurring.
  Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>, Randy Dunlap <rdunlap@xenotimenet>
  Signed-off-by: Mimi Zohar <zohar@us.ibm.com>

* ima: sparse fix: include linux/ima.h in ima_main.c (James Morris, 2011-09-09; 1 file, -0/+1)
  Fixes sparse warnings:
  security/integrity/ima/ima_main.c:105:6: warning: symbol 'ima_file_free' was not declared. Should it be static?
  security/integrity/ima/ima_main.c:167:5: warning: symbol 'ima_file_mmap' was not declared. Should it be static?
  security/integrity/ima/ima_main.c:192:5: warning: symbol 'ima_bprm_check' was not declared. Should it be static?
  security/integrity/ima/ima_main.c:211:5: warning: symbol 'ima_file_check' was not declared. Should it be static?
  Signed-off-by: James Morris <jmorris@namei.org>

* ima: sparse fix: make ima_open_policy static (James Morris, 2011-09-09; 1 file, -1/+1)
  Fixes sparse warning:
  security/integrity/ima/ima_fs.c:290:5: warning: symbol 'ima_open_policy' was not declared. Should it be static?
  Signed-off-by: James Morris <jmorris@namei.org>

* integrity: sparse fix: move iint_initialized to integrity.h (James Morris, 2011-09-09; 2 files, -1/+3)
  Sparse fix: move iint_initialized to integrity.h
  Signed-off-by: James Morris <jmorris@namei.org>

* evm: add Kconfig TCG_TPM dependency (Mimi Zohar, 2011-08-18; 1 file, -1/+1)
  Although the EVM encrypted-key should be encrypted/decrypted using a trusted-key, a user-defined key could be used instead. When using a user-defined key, a TCG_TPM dependency should not be required. Unfortunately, the encrypted-key code needs to be refactored a bit in order to remove this dependency. This patch adds the TCG_TPM dependency.
  Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>, Randy Dunlap <rdunlap@xenotimenet>
  Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
  Signed-off-by: James Morris <jmorris@namei.org>

* evm: fix evm_inode_init_security return code (Mimi Zohar, 2011-08-11; 1 file, -1/+1)
  evm_inode_init_security() should return 0, when EVM is not enabled. (Returning an error is a remnant of evm_inode_post_init_security.)
  Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
  Signed-off-by: James Morris <jmorris@namei.org>

* EVM: ensure trusted and encrypted key symbols are available to EVM (James Morris, 2011-08-09; 1 file, -1/+3)
  Select trusted and encrypted keys if EVM is selected, to ensure the requisite symbols are available. Otherwise, these can be selected as modules while EVM is static, leading to a kernel build failure.
  Signed-off-by: James Morris <jmorris@namei.org>
* Merge branch 'next-evm' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/ima-2.6 into next (James Morris, 2011-08-09; 16 files, -199/+1022)
  Conflicts:
    fs/attr.c
  Resolve conflict manually.
  Signed-off-by: James Morris <jmorris@namei.org>

* evm: add evm_inode_setattr to prevent updating an invalid security.evm (Mimi Zohar, 2011-07-18; 1 file, -0/+15)
  Permit changing of security.evm only when valid, unless in fixmode.
  Reported-by: Roberto Sassu <roberto.sassu@polito.it>
  Signed-off-by: Mimi Zohar <zohar@us.ibm.com>

* evm: permit only valid security.evm xattrs to be updated (Mimi Zohar, 2011-07-18; 1 file, -14/+63)
  In addition to requiring CAP_SYS_ADMIN permission to modify/delete security.evm, prohibit invalid security.evm xattrs from changing, unless in fixmode. This patch prevents inadvertent 'fixing' of security.evm to reflect offline modifications.
  Changelog v7:
  - rename boot parameter 'evm_mode' to 'evm'
  Reported-by: Roberto Sassu <roberto.sassu@polito.it>
  Signed-off-by: Mimi Zohar <zohar@us.ibm.com>

* evm: replace hmac_status with evm_status (Dmitry Kasatkin, 2011-07-18; 3 files, -9/+9)
  We will use digital signatures in addition to hmac.
  Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@nokia.com>
  Signed-off-by: Mimi Zohar <zohar@us.ibm.com>

* evm: evm_verify_hmac must not return INTEGRITY_UNKNOWN (Dmitry Kasatkin, 2011-07-18; 1 file, -6/+5)
  If EVM is not supported or enabled, evm_verify_hmac() returns INTEGRITY_UNKNOWN, which ima_appraise_measurement() ignores and sets the appraisal status based solely on the security.ima verification. evm_verify_hmac() also returns INTEGRITY_UNKNOWN for other failures, such as temporary failures like -ENOMEM, resulting in possible attack vectors. This patch changes the default return code for temporary/unexpected failures, like -ENOMEM, from INTEGRITY_UNKNOWN to INTEGRITY_FAIL, making evm_verify_hmac() fail safe. As a result, failures need to be re-evaluated in order to catch both temporary errors, such as the -ENOMEM, as well as errors that have been resolved in fix mode.
  Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@nokia.com>
  Signed-off-by: Mimi Zohar <zohar@us.ibm.com>

* evm: additional parameter to pass integrity cache entry 'iint' (Dmitry Kasatkin, 2011-07-18; 1 file, -10/+8)
  The additional iint parameter allows skipping the lookup in the cache.
  Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@nokia.com>
  Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>

* evm: crypto hash replaced by shash (Dmitry Kasatkin, 2011-07-18; 3 files, -45/+57)
  Using shash is more efficient, because the algorithm is allocated only once. Only the descriptor to store the hash state needs to be allocated for every operation.
  Changelog v6:
  - check for crypto_shash_setkey failure
  Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@nokia.com>
  Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>

* evm: add evm_inode_init_security to initialize new files (Mimi Zohar, 2011-07-18; 3 files, -0/+61)
  Initialize 'security.evm' for new files.
  Changelog v7:
  - renamed evm_inode_post_init_security to evm_inode_init_security
  - moved struct xattr definition to earlier patch
  - allocate xattr name
  Changelog v6:
  - Use 'struct evm_ima_xattr_data'
  Signed-off-by: Mimi Zohar <zohar@us.ibm.com>

* security: imbed evm calls in security hooks (Mimi Zohar, 2011-07-18; 1 file, -0/+1)
  Imbed the evm calls evm_inode_setxattr(), evm_inode_post_setxattr(), evm_inode_removexattr() in the security hooks. evm_inode_setxattr() protects the security.evm xattr. evm_inode_post_setxattr() and evm_inode_removexattr() update the hmac associated with an inode. (Assumes an LSM module protects the setting/removing of xattrs.)
  Changelog:
  - Don't define evm_verifyxattr(), unless CONFIG_INTEGRITY is enabled.
  - xattr_name is a 'const', value is 'void *'
  Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
  Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>

* evm: add support for different security.evm data types (Dmitry Kasatkin, 2011-07-18; 3 files, -9/+23)
  EVM protects a file's security extended attributes (xattrs) against integrity attacks. The current patchset maintains an HMAC-sha1 value across the security xattrs, storing the value as the extended attribute 'security.evm'. We anticipate other methods for protecting the security extended attributes. This patch reserves the first byte of 'security.evm' as a place holder for the type of method.
  Changelog v6:
  - move evm_ima_xattr_type definition to security/integrity/integrity.h
  - defined a structure for the EVM xattr called evm_ima_xattr_data (based on Serge Hallyn's suggestion)
  - removed unnecessary memset
  Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@nokia.com>
  Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
  Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
* evm: re-release (Mimi Zohar, 2011-07-18; 10 files, -1/+632)
  EVM protects a file's security extended attributes (xattrs) against integrity attacks. This patchset provides the framework and an initial method. The initial method maintains an HMAC-sha1 value across the security extended attributes, storing the HMAC value as the extended attribute 'security.evm'. Other methods of validating the integrity of a file's metadata will be posted separately (eg. EVM-digital-signatures).
  While this patchset does authenticate the security xattrs, and cryptographically binds them to the inode, coming extensions will bind other directory and inode metadata for more complete protection. To help simplify the review and upstreaming process, each extension will be posted separately (eg. IMA-appraisal, IMA-appraisal-directory). For a general overview of the proposed Linux integrity subsystem, refer to Dave Safford's whitepaper: http://downloads.sf.net/project/linux-ima/linux-ima/Integrity_overview.pdf.
  EVM depends on the Kernel Key Retention System to provide it with a trusted/encrypted key for the HMAC-sha1 operation. The key is loaded onto the root's keyring using keyctl. Until EVM receives notification that the key has been successfully loaded onto the keyring (echo 1 > <securityfs>/evm), EVM can not create or validate the 'security.evm' xattr, but returns INTEGRITY_UNKNOWN. Loading the key and signaling EVM should be done as early as possible. Normally this is done in the initramfs, which has already been measured as part of the trusted boot. For more information on creating and loading existing trusted/encrypted keys, refer to Documentation/keys-trusted-encrypted.txt. A sample dracut patch, which loads the trusted/encrypted key and enables EVM, is available from http://linux-ima.sourceforge.net/#EVM.
  Based on the LSMs enabled, the set of EVM protected security xattrs is defined at compile time. EVM adds the following three calls to the existing security hooks: evm_inode_setxattr(), evm_inode_post_setxattr(), and evm_inode_removexattr(). To initialize and update the 'security.evm' extended attribute, EVM defines three calls: evm_inode_post_init(), evm_inode_post_setattr() and evm_inode_post_removexattr() hooks. To verify the integrity of a security xattr, EVM exports evm_verifyxattr().
  Changelog v7:
  - Fixed URL in EVM ABI documentation
  Changelog v6: (based on Serge Hallyn's review)
  - fix URL in patch description
  - remove evm_hmac_size definition
  - use SHA1_DIGEST_SIZE (removed both MAX_DIGEST_SIZE and evm_hmac_size)
  - moved linux include before other includes
  - test for crypto_hash_setkey failure
  - fail earlier for invalid key
  - clear entire encrypted key, even on failure
  - check xattr name length before comparing xattr names
  Changelog:
  - locking based on i_mutex, remove evm_mutex
  - using trusted/encrypted keys for storing the EVM key used in the HMAC-sha1 operation.
  - replaced crypto hash with shash (Dmitry Kasatkin)
  - support for additional methods of verifying the security xattrs (Dmitry Kasatkin)
  - iint not allocated for all regular files, but only for those appraised
  - Use cap_sys_admin in lieu of cap_mac_admin
  - Use __vfs_setxattr_noperm(), without permission checks, from EVM
  Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
  Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
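The EVM behaviour spread across the commits above (the HMAC-sha1 over the security xattrs plus i_mode, the method type byte in the first position of security.evm, INTEGRITY_UNKNOWN until the key is loaded, INTEGRITY_NOXATTR so posix ACLs may still change mode bits on an unlabelled file, "rewrite security.evm only when the current one is valid, unless in fixmode", and the fail-safe INTEGRITY_FAIL for unexpected errors) modelled in one userspace Python example. This is an added illustration, not the kernel's code: inodes are plain dicts, the key is a constructed byte string standing in for the keyring-held encrypted key, the protected xattr set and the type-byte value 0x02 are assumptions, the HMAC covers only the fields the messages above name (the kernel binds further inode fields), and the CAP_SYS_ADMIN check on security.evm writes is left out.

```python
import hashlib
import hmac

# Status names follow the commit messages; INTEGRITY_NOXATTR is the one the
# "permit mode bits to be updated" commit introduces.
INTEGRITY_PASS, INTEGRITY_FAIL, INTEGRITY_NOXATTR, INTEGRITY_UNKNOWN = range(4)

# Assumptions for this example (not from the page): the type-byte value that
# marks the HMAC method, and the set of LSM xattrs EVM covers (the kernel fixes
# that set at compile time from the enabled LSMs).
EVM_XATTR_HMAC = 0x02
PROTECTED_XATTRS = ("security.selinux", "security.SMACK64", "security.ima")


def evm_hmac(inode, key):
    """HMAC-SHA1 over the protected security xattrs (fixed order) and i_mode.
    Only what the commit messages name is bound here; the kernel also binds
    inode number, generation, uid and gid."""
    h = hmac.new(key, digestmod=hashlib.sha1)
    for name in PROTECTED_XATTRS:
        value = inode["xattrs"].get(name)
        if value is not None:
            h.update(value)
    h.update(inode["mode"].to_bytes(2, "little"))   # umode_t is 16 bits
    return h.digest()


def evm_update(inode, key):
    """What evm_inode_post_setxattr() / evm_inode_post_setattr() /
    evm_inode_init_security() do: (re)write security.evm as <type byte> || HMAC."""
    inode["xattrs"]["security.evm"] = bytes([EVM_XATTR_HMAC]) + evm_hmac(inode, key)


def evm_verify(inode, key):
    """Verify security.evm. key is None until userspace has loaded the HMAC key
    and signalled EVM (echo 1 > <securityfs>/evm); until then the answer is
    UNKNOWN. Any other unexpected failure is FAIL, never UNKNOWN (fail safe)."""
    if key is None:
        return INTEGRITY_UNKNOWN
    try:
        xattr = inode["xattrs"].get("security.evm")
        if xattr is None:
            if not any(n in inode["xattrs"] for n in PROTECTED_XATTRS):
                return INTEGRITY_NOXATTR   # nothing to protect yet, e.g. a brand-new file
            return INTEGRITY_FAIL          # protected xattrs exist but no security.evm (assumed)
        if xattr[0] != EVM_XATTR_HMAC:
            return INTEGRITY_FAIL          # other method types are not handled in this example
        if hmac.compare_digest(xattr[1:], evm_hmac(inode, key)):
            return INTEGRITY_PASS
        return INTEGRITY_FAIL
    except Exception:
        return INTEGRITY_FAIL              # e.g. truncated xattr: fail closed


def evm_protect_xattr(inode, key, xattr_name, fixmode=False):
    """Gate a write to security.evm, a protected xattr, or a posix ACL (which
    changes i_mode). True means the write may proceed. The kernel's
    CAP_SYS_ADMIN requirement for security.evm is omitted here."""
    if key is None or fixmode:
        return True                    # EVM not enabled yet, or booted with evm=fix
    status = evm_verify(inode, key)
    if xattr_name == "security.evm" or xattr_name in PROTECTED_XATTRS:
        return status == INTEGRITY_PASS
    if xattr_name in ("system.posix_acl_access", "system.posix_acl_default"):
        return status in (INTEGRITY_PASS, INTEGRITY_NOXATTR)
    return True                        # unprotected xattr: no EVM check needed


def demo():
    """Walk through the cases the commits describe; returns a dict of results."""
    key = b"constructed demo key, not a real keyring key"
    inode = {"mode": 0o100644,
             "xattrs": {"security.selinux": b"system_u:object_r:bin_t:s0\0",
                        "security.ima": b"\x01" + hashlib.sha1(b"file body").digest()}}
    evm_update(inode, key)                         # as evm_inode_init_security would
    results = {"fresh": evm_verify(inode, key)}
    # Offline edit of a protected xattr: the attack EVM exists to catch.
    inode["xattrs"]["security.selinux"] = b"system_u:object_r:unconfined_t:s0\0"
    results["tampered"] = evm_verify(inode, key)
    # An invalid security.evm may not be "fixed" by rewriting it, except in fixmode.
    results["evm_write_denied"] = not evm_protect_xattr(inode, key, "security.evm")
    results["evm_write_fixmode"] = evm_protect_xattr(inode, key, "security.evm", fixmode=True)
    evm_update(inode, key)                         # fixmode relabel re-HMACs the inode
    results["relabelled"] = evm_verify(inode, key)
    # A posix ACL write changes i_mode, which is bound, so the HMAC must follow it.
    inode["mode"] = 0o100755
    results["after_chmod_no_update"] = evm_verify(inode, key)
    evm_update(inode, key)                         # evm_inode_post_setattr()
    results["after_chmod"] = evm_verify(inode, key)
    results["not_enabled"] = evm_verify(inode, None)
    new = {"mode": 0o100644, "xattrs": {}}
    results["new_file"] = evm_verify(new, key)
    results["acl_on_new_file"] = evm_protect_xattr(new, key, "system.posix_acl_access")
    return results


if __name__ == "__main__":
    for case, value in demo().items():
        print("%-24s %s" % (case, value))
```

Note the two different "not valid" answers: INTEGRITY_UNKNOWN only ever comes from the key not being loaded yet, so an appraiser can treat it as "EVM not running"; everything else that is not PASS or NOXATTR is FAIL and must be re-evaluated after the cause is fixed, which is the point of the "must not return INTEGRITY_UNKNOWN" commit.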
* integrity: move ima inode integrity data management (Mimi Zohar, 2011-07-18; 10 files, -199/+242)
  Move the inode integrity data (iint) management up to the integrity directory in order to share the iint among the different integrity models.
  Changelog:
  - don't define MAX_DIGEST_SIZE
  - rename several globally visible 'ima_' prefixed functions, structs, locks, etc to 'integrity_'
  - replace '20' with SHA1_DIGEST_SIZE
  - reflect location change in appropriate Kconfig and Makefiles
  - remove unnecessary initialization of iint_initialized to 0
  - rebased on current ima_iint.c
  - define integrity_iint_store/lock as static
  There should be no other functional changes.
  Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
  Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>