Merge tag 'integrity-v5.15' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity

Pull integrity subsystem updates from Mimi Zohar:

- Limit the allowed hash algorithms when writing security.ima xattrs or
verifying them, based on the IMA policy and the configured hash
algorithms.

- Return the calculated "critical data" measurement hash and size to
avoid code duplication. (Preparatory change for a proposed LSM.)

- and a single patch to address a compiler warning.

* tag 'integrity-v5.15' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
IMA: reject unknown hash algorithms in ima_get_hash_algo
IMA: prevent SETXATTR_CHECK policy rules with unavailable algorithms
IMA: introduce a new policy option func=SETXATTR_CHECK
IMA: add a policy option to restrict xattr hash algorithms on appraisal
IMA: add support to restrict the hash algorithms used for file appraisal
IMA: block writes of the security.ima xattr with unsupported algorithms
IMA: remove the dependency on CRYPTO_MD5
ima: Add digest and digest_len params to the functions to measure a buffer
ima: Return int in the functions to measure a buffer
ima: Introduce ima_get_current_hash_algo()
IMA: remove -Wmissing-prototypes warning

+352 -76
+13 -2
Documentation/ABI/testing/ima_policy
··· 27 27 lsm: [[subj_user=] [subj_role=] [subj_type=] 28 28 [obj_user=] [obj_role=] [obj_type=]] 29 29 option: [[appraise_type=]] [template=] [permit_directio] 30 - [appraise_flag=] [keyrings=] 30 + [appraise_flag=] [appraise_algos=] [keyrings=] 31 31 base: 32 32 func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK] 33 - [FIRMWARE_CHECK] 33 + [FIRMWARE_CHECK] 34 34 [KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK] 35 35 [KEXEC_CMDLINE] [KEY_CHECK] [CRITICAL_DATA] 36 + [SETXATTR_CHECK] 36 37 mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND] 37 38 [[^]MAY_EXEC] 38 39 fsmagic:= hex value ··· 56 55 label:= [selinux]|[kernel_info]|[data_label] 57 56 data_label:= a unique string used for grouping and limiting critical data. 58 57 For example, "selinux" to measure critical data for SELinux. 58 + appraise_algos:= comma-separated list of hash algorithms 59 + For example, "sha256,sha512" to only accept to appraise 60 + files where the security.ima xattr was hashed with one 61 + of these two algorithms. 59 62 60 63 default policy: 61 64 # PROC_SUPER_MAGIC ··· 139 134 keys added to .builtin_trusted_keys or .ima keyring: 140 135 141 136 measure func=KEY_CHECK keyrings=.builtin_trusted_keys|.ima 137 + 138 + Example of the special SETXATTR_CHECK appraise rule, that 139 + restricts the hash algorithms allowed when writing to the 140 + security.ima xattr of a file: 141 + 142 + appraise func=SETXATTR_CHECK appraise_algos=sha256,sha384,sha512
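--- a/drivers/md/dm-ima.c
+++ b/drivers/md/dm-ima.c
@@ -136,7 +136,8 @@
 	if (noio)
 		noio_flag = memalloc_noio_save();
 
-	ima_measure_critical_data(DM_NAME, event_name, buf, buf_len, false);
+	ima_measure_critical_data(DM_NAME, event_name, buf, buf_len,
+				  false, NULL, 0);
 
 	if (noio)
 		memalloc_noio_restore(noio_flag);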
+17 -6
include/linux/ima.h
··· 11 11 #include <linux/fs.h> 12 12 #include <linux/security.h> 13 13 #include <linux/kexec.h> 14 + #include <crypto/hash_info.h> 14 15 struct linux_binprm; 15 16 16 17 #ifdef CONFIG_IMA 18 + extern enum hash_algo ima_get_current_hash_algo(void); 17 19 extern int ima_bprm_check(struct linux_binprm *bprm); 18 20 extern int ima_file_check(struct file *file, int mask); 19 21 extern void ima_post_create_tmpfile(struct user_namespace *mnt_userns, ··· 35 33 extern int ima_file_hash(struct file *file, char *buf, size_t buf_size); 36 34 extern int ima_inode_hash(struct inode *inode, char *buf, size_t buf_size); 37 35 extern void ima_kexec_cmdline(int kernel_fd, const void *buf, int size); 38 - extern void ima_measure_critical_data(const char *event_label, 39 - const char *event_name, 40 - const void *buf, size_t buf_len, 41 - bool hash); 36 + extern int ima_measure_critical_data(const char *event_label, 37 + const char *event_name, 38 + const void *buf, size_t buf_len, 39 + bool hash, u8 *digest, size_t digest_len); 42 40 43 41 #ifdef CONFIG_IMA_APPRAISE_BOOTPARAM 44 42 extern void ima_appraise_parse_cmdline(void); ··· 66 64 #endif 67 65 68 66 #else 67 + static inline enum hash_algo ima_get_current_hash_algo(void) 68 + { 69 + return HASH_ALGO__LAST; 70 + } 71 + 69 72 static inline int ima_bprm_check(struct linux_binprm *bprm) 70 73 { 71 74 return 0; ··· 144 137 145 138 static inline void ima_kexec_cmdline(int kernel_fd, const void *buf, int size) {} 146 139 147 - static inline void ima_measure_critical_data(const char *event_label, 140 + static inline int ima_measure_critical_data(const char *event_label, 148 141 const char *event_name, 149 142 const void *buf, size_t buf_len, 150 - bool hash) {} 143 + bool hash, u8 *digest, 144 + size_t digest_len) 145 + { 146 + return -ENOENT; 147 + } 151 148 152 149 #endif /* CONFIG_IMA */ 153 150
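Review bot: The !CONFIG_IMA stub `ima_get_current_hash_algo()` returns HASH_ALGO__LAST, the same value this series uses as the bound of the hash_algo_name[] table (the match_string() call in ima_policy.c), so the sentinel is one past the end of the hash_info tables and a caller indexing them with the result without a range check would read out of bounds. A comment on the stub would make that explicit: `/* HASH_ALGO__LAST means no algorithm; callers must check before indexing hash_info tables */`. Likewise the stub `ima_measure_critical_data()` returns -ENOENT while the real implementation documents 0, 1 and -ENOPARAM among its results; a one-line pointer to the kernel-doc in ima_main.c next to the extern declaration would keep the two contracts together.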
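--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -6,7 +6,6 @@
 	select SECURITYFS
 	select CRYPTO
 	select CRYPTO_HMAC
-	select CRYPTO_MD5
 	select CRYPTO_SHA1
 	select CRYPTO_HASH_INFO
 	select TCG_TPM if HAS_IOMEM && !UML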
+14 -10
security/integrity/ima/ima.h
··· 46 46 /* current content of the policy */ 47 47 extern int ima_policy_flag; 48 48 49 + /* bitset of digests algorithms allowed in the setxattr hook */ 50 + extern atomic_t ima_setxattr_allowed_hash_algorithms; 51 + 49 52 /* set during initialization */ 50 - extern int ima_hash_algo; 53 + extern int ima_hash_algo __ro_after_init; 51 54 extern int ima_sha1_idx __ro_after_init; 52 55 extern int ima_hash_algo_idx __ro_after_init; 53 56 extern int ima_extra_slots __ro_after_init; ··· 201 198 hook(KEXEC_CMDLINE, kexec_cmdline) \ 202 199 hook(KEY_CHECK, key) \ 203 200 hook(CRITICAL_DATA, critical_data) \ 201 + hook(SETXATTR_CHECK, setxattr_check) \ 204 202 hook(MAX_CHECK, none) 205 203 206 204 #define __ima_hook_enumify(ENUM, str) ENUM, ··· 258 254 const struct cred *cred, u32 secid, int mask, 259 255 enum ima_hooks func, int *pcr, 260 256 struct ima_template_desc **template_desc, 261 - const char *func_data); 257 + const char *func_data, unsigned int *allowed_algos); 262 258 int ima_must_measure(struct inode *inode, int mask, enum ima_hooks func); 263 259 int ima_collect_measurement(struct integrity_iint_cache *iint, 264 260 struct file *file, void *buf, loff_t size, ··· 268 264 struct evm_ima_xattr_data *xattr_value, 269 265 int xattr_len, const struct modsig *modsig, int pcr, 270 266 struct ima_template_desc *template_desc); 271 - void process_buffer_measurement(struct user_namespace *mnt_userns, 272 - struct inode *inode, const void *buf, int size, 273 - const char *eventname, enum ima_hooks func, 274 - int pcr, const char *func_data, 275 - bool buf_hash); 267 + int process_buffer_measurement(struct user_namespace *mnt_userns, 268 + struct inode *inode, const void *buf, int size, 269 + const char *eventname, enum ima_hooks func, 270 + int pcr, const char *func_data, 271 + bool buf_hash, u8 *digest, size_t digest_len); 276 272 void ima_audit_measurement(struct integrity_iint_cache *iint, 277 273 const unsigned char *filename); 278 274 int 
ima_alloc_init_template(struct ima_event_data *event_data, ··· 289 285 const struct cred *cred, u32 secid, enum ima_hooks func, 290 286 int mask, int flags, int *pcr, 291 287 struct ima_template_desc **template_desc, 292 - const char *func_data); 288 + const char *func_data, unsigned int *allowed_algos); 293 289 void ima_init_policy(void); 294 290 void ima_update_policy(void); 295 - void ima_update_policy_flag(void); 291 + void ima_update_policy_flags(void); 296 292 ssize_t ima_parse_add_rule(char *); 297 293 void ima_delete_rules(void); 298 294 int ima_check_policy(void); ··· 323 319 void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file); 324 320 enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint, 325 321 enum ima_hooks func); 326 - enum hash_algo ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value, 322 + enum hash_algo ima_get_hash_algo(const struct evm_ima_xattr_data *xattr_value, 327 323 int xattr_len); 328 324 int ima_read_xattr(struct dentry *dentry, 329 325 struct evm_ima_xattr_data **xattr_value);
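Review bot: The new extern `ima_setxattr_allowed_hash_algorithms` is described only as `bitset of digests algorithms allowed in the setxattr hook`, which leaves out the part of the contract ima_appraise.c relies on: zero means no SETXATTR_CHECK rule is active and any algorithm built into the kernel is accepted, and a non-zero value is set once by the first matching rule through atomic_cmpxchg() in ima_update_policy_flags(). Suggest `/* bitset (1U << hash_algo) of algorithms the setxattr hook accepts; 0 means no SETXATTR_CHECK rule is active and any built-in algorithm is accepted */`, which also fixes the `digests algorithms` typo. Where the value is reset to zero is only visible in the ima_policy.c init hunk, so that detail is inferred.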
+4 -2
security/integrity/ima/ima_api.c
··· 172 172 * @pcr: pointer filled in if matched measure policy sets pcr= 173 173 * @template_desc: pointer filled in if matched measure policy sets template= 174 174 * @func_data: func specific data, may be NULL 175 + * @allowed_algos: allowlist of hash algorithms for the IMA xattr 175 176 * 176 177 * The policy is defined in terms of keypairs: 177 178 * subj=, obj=, type=, func=, mask=, fsmagic= ··· 189 188 const struct cred *cred, u32 secid, int mask, 190 189 enum ima_hooks func, int *pcr, 191 190 struct ima_template_desc **template_desc, 192 - const char *func_data) 191 + const char *func_data, unsigned int *allowed_algos) 193 192 { 194 193 int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE | IMA_HASH; 195 194 196 195 flags &= ima_policy_flag; 197 196 198 197 return ima_match_policy(mnt_userns, inode, cred, secid, func, mask, 199 - flags, pcr, template_desc, func_data); 198 + flags, pcr, template_desc, func_data, 199 + allowed_algos); 200 200 } 201 201 202 202 /*
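Review bot: The new kernel-doc line `@allowed_algos: allowlist of hash algorithms for the IMA xattr` reads as an input, but ima_match_policy() treats it as an optional output: it is written only when a matching appraise rule carries IMA_VALIDATE_ALGOS and is left untouched otherwise, and callers pass NULL (the mmap path in ima_main.c) or a zero-initialised local. Suggest wording it like the neighbouring parameters: `@allowed_algos: pointer filled in if matched appraise policy sets appraise_algos=, may be NULL; callers must initialise it`. ima_get_action() is fully visible in the second hunk; the comment block of the first hunk starts before it.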
+71 -7
security/integrity/ima/ima_appraise.c
··· 77 77 return 0; 78 78 79 79 security_task_getsecid_subj(current, &secid); 80 - return ima_match_policy(mnt_userns, inode, current_cred(), secid, func, 81 - mask, IMA_APPRAISE | IMA_HASH, NULL, NULL, NULL); 80 + return ima_match_policy(mnt_userns, inode, current_cred(), secid, 81 + func, mask, IMA_APPRAISE | IMA_HASH, NULL, 82 + NULL, NULL, NULL); 82 83 } 83 84 84 85 static int ima_fix_xattr(struct dentry *dentry, ··· 172 171 } 173 172 } 174 173 175 - enum hash_algo ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value, 174 + enum hash_algo ima_get_hash_algo(const struct evm_ima_xattr_data *xattr_value, 176 175 int xattr_len) 177 176 { 178 177 struct signature_v2_hdr *sig; ··· 185 184 switch (xattr_value->type) { 186 185 case EVM_IMA_XATTR_DIGSIG: 187 186 sig = (typeof(sig))xattr_value; 188 - if (sig->version != 2 || xattr_len <= sizeof(*sig)) 187 + if (sig->version != 2 || xattr_len <= sizeof(*sig) 188 + || sig->hash_algo >= HASH_ALGO__LAST) 189 189 return ima_hash_algo; 190 190 return sig->hash_algo; 191 191 break; ··· 359 357 if ((rc == -EPERM) && (iint->flags & IMA_MEASURE)) 360 358 process_buffer_measurement(&init_user_ns, NULL, digest, digestsize, 361 359 "blacklisted-hash", NONE, 362 - pcr, NULL, false); 360 + pcr, NULL, false, NULL, 0); 363 361 } 364 362 365 363 return rc; ··· 577 575 clear_bit(IMA_DIGSIG, &iint->atomic_flags); 578 576 } 579 577 578 + /** 579 + * validate_hash_algo() - Block setxattr with unsupported hash algorithms 580 + * @dentry: object of the setxattr() 581 + * @xattr_value: userland supplied xattr value 582 + * @xattr_value_len: length of xattr_value 583 + * 584 + * The xattr value is mapped to its hash algorithm, and this algorithm 585 + * must be built in the kernel for the setxattr to be allowed. 586 + * 587 + * Emit an audit message when the algorithm is invalid. 588 + * 589 + * Return: 0 on success, else an error. 
590 + */ 591 + static int validate_hash_algo(struct dentry *dentry, 592 + const struct evm_ima_xattr_data *xattr_value, 593 + size_t xattr_value_len) 594 + { 595 + char *path = NULL, *pathbuf = NULL; 596 + enum hash_algo xattr_hash_algo; 597 + const char *errmsg = "unavailable-hash-algorithm"; 598 + unsigned int allowed_hashes; 599 + 600 + xattr_hash_algo = ima_get_hash_algo(xattr_value, xattr_value_len); 601 + 602 + allowed_hashes = atomic_read(&ima_setxattr_allowed_hash_algorithms); 603 + 604 + if (allowed_hashes) { 605 + /* success if the algorithm is allowed in the ima policy */ 606 + if (allowed_hashes & (1U << xattr_hash_algo)) 607 + return 0; 608 + 609 + /* 610 + * We use a different audit message when the hash algorithm 611 + * is denied by a policy rule, instead of not being built 612 + * in the kernel image 613 + */ 614 + errmsg = "denied-hash-algorithm"; 615 + } else { 616 + if (likely(xattr_hash_algo == ima_hash_algo)) 617 + return 0; 618 + 619 + /* allow any xattr using an algorithm built in the kernel */ 620 + if (crypto_has_alg(hash_algo_name[xattr_hash_algo], 0, 0)) 621 + return 0; 622 + } 623 + 624 + pathbuf = kmalloc(PATH_MAX, GFP_KERNEL); 625 + if (!pathbuf) 626 + return -EACCES; 627 + 628 + path = dentry_path(dentry, pathbuf, PATH_MAX); 629 + 630 + integrity_audit_msg(AUDIT_INTEGRITY_DATA, d_inode(dentry), path, 631 + "set_data", errmsg, -EACCES, 0); 632 + 633 + kfree(pathbuf); 634 + 635 + return -EACCES; 636 + } 637 + 580 638 int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name, 581 639 const void *xattr_value, size_t xattr_value_len) 582 640 { ··· 654 592 digsig = (xvalue->type == EVM_XATTR_PORTABLE_DIGSIG); 655 593 } 656 594 if (result == 1 || evm_revalidate_status(xattr_name)) { 595 + result = validate_hash_algo(dentry, xvalue, xattr_value_len); 596 + if (result) 597 + return result; 598 + 657 599 ima_reset_appraise_flags(d_backing_inode(dentry), digsig); 658 - if (result == 1) 659 - result = 0; 660 600 } 661 601 return 
result; 662 602 }
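Review bot: In ima_inode_setxattr() the new validate_hash_algo() call sits under `result == 1 || evm_revalidate_status(xattr_name)`, so when result is not 1 but EVM revalidation applies, `xvalue` points at a non-IMA xattr value whose first byte is read as an evm_ima_xattr_data type; a type outside the switch in ima_get_hash_algo() presumably falls back to ima_hash_algo as the invalid-signature branch does, and a SETXATTR_CHECK rule that excludes ima_hash_algo then denies the write of that unrelated xattr with `denied-hash-algorithm`. The assignment of result and the security.ima name check are above the hunk, so whether result can be 0 here is inferred; if it can, wrap the three new lines in `if (result == 1) {` … `}` and leave ima_reset_appraise_flags() unconditional. In validate_hash_algo(), returning -EACCES when kmalloc() fails is a deliberate fail-closed choice that deserves a comment, e.g. `/* fail closed: deny even when the audit record cannot be built */`. ima_inode_setxattr() begins outside the hunk.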
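--- a/security/integrity/ima/ima_asymmetric_keys.c
+++ b/security/integrity/ima/ima_asymmetric_keys.c
@@ -62,5 +62,5 @@
 	 */
 	process_buffer_measurement(&init_user_ns, NULL, payload, payload_len,
 				   keyring->description, KEY_CHECK, 0,
-				   keyring->description, false);
+				   keyring->description, false, NULL, 0);
 }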
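--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -154,7 +154,8 @@
 	ima_init_key_queue();
 
 	ima_measure_critical_data("kernel_info", "kernel_version",
-				  UTS_RELEASE, strlen(UTS_RELEASE), false);
+				  UTS_RELEASE, strlen(UTS_RELEASE), false,
+				  NULL, 0);
 
 	return rc;
 }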
+64 -25
security/integrity/ima/ima_main.c
··· 35 35 int ima_appraise; 36 36 #endif 37 37 38 - int ima_hash_algo = HASH_ALGO_SHA1; 38 + int __ro_after_init ima_hash_algo = HASH_ALGO_SHA1; 39 39 static int hash_setup_done; 40 40 41 41 static struct notifier_block ima_lsm_policy_notifier = { ··· 75 75 return 1; 76 76 } 77 77 __setup("ima_hash=", hash_setup); 78 + 79 + enum hash_algo ima_get_current_hash_algo(void) 80 + { 81 + return ima_hash_algo; 82 + } 78 83 79 84 /* Prevent mmap'ing a file execute that is already mmap'ed write */ 80 85 static int mmap_violation_check(enum ima_hooks func, struct file *file, ··· 215 210 int xattr_len = 0; 216 211 bool violation_check; 217 212 enum hash_algo hash_algo; 213 + unsigned int allowed_algos = 0; 218 214 219 215 if (!ima_policy_flag || !S_ISREG(inode->i_mode)) 220 216 return 0; ··· 225 219 * Included is the appraise submask. 226 220 */ 227 221 action = ima_get_action(file_mnt_user_ns(file), inode, cred, secid, 228 - mask, func, &pcr, &template_desc, NULL); 222 + mask, func, &pcr, &template_desc, NULL, 223 + &allowed_algos); 229 224 violation_check = ((func == FILE_CHECK || func == MMAP_CHECK) && 230 225 (ima_policy_flag & IMA_MEASURE)); 231 226 if (!action && !violation_check) ··· 363 356 364 357 if ((file->f_flags & O_DIRECT) && (iint->flags & IMA_PERMIT_DIRECTIO)) 365 358 rc = 0; 359 + 360 + /* Ensure the digest was generated using an allowed algorithm */ 361 + if (rc == 0 && must_appraise && allowed_algos != 0 && 362 + (allowed_algos & (1U << hash_algo)) == 0) { 363 + rc = -EACCES; 364 + 365 + integrity_audit_msg(AUDIT_INTEGRITY_DATA, file_inode(file), 366 + pathname, "collect_data", 367 + "denied-hash-algorithm", rc, 0); 368 + } 366 369 out_locked: 367 370 if ((mask & MAY_WRITE) && test_bit(IMA_DIGSIG, &iint->atomic_flags) && 368 371 !(iint->flags & IMA_NEW_FILE)) ··· 450 433 inode = file_inode(vma->vm_file); 451 434 action = ima_get_action(file_mnt_user_ns(vma->vm_file), inode, 452 435 current_cred(), secid, MAY_EXEC, MMAP_CHECK, 453 - &pcr, &template, NULL); 
436 + &pcr, &template, NULL, NULL); 454 437 455 438 /* Is the mmap'ed file in policy? */ 456 439 if (!(action & (IMA_MEASURE | IMA_APPRAISE_SUBMASK))) ··· 839 822 return 0; 840 823 } 841 824 842 - /* 825 + /** 843 826 * process_buffer_measurement - Measure the buffer or the buffer data hash 844 827 * @mnt_userns: user namespace of the mount the inode was found from 845 828 * @inode: inode associated with the object being measured (NULL for KEY_CHECK) ··· 850 833 * @pcr: pcr to extend the measurement 851 834 * @func_data: func specific data, may be NULL 852 835 * @buf_hash: measure buffer data hash 836 + * @digest: buffer digest will be written to 837 + * @digest_len: buffer length 853 838 * 854 839 * Based on policy, either the buffer data or buffer data hash is measured 840 + * 841 + * Return: 0 if the buffer has been successfully measured, 1 if the digest 842 + * has been written to the passed location but not added to a measurement entry, 843 + * a negative value otherwise. 855 844 */ 856 - void process_buffer_measurement(struct user_namespace *mnt_userns, 857 - struct inode *inode, const void *buf, int size, 858 - const char *eventname, enum ima_hooks func, 859 - int pcr, const char *func_data, 860 - bool buf_hash) 845 + int process_buffer_measurement(struct user_namespace *mnt_userns, 846 + struct inode *inode, const void *buf, int size, 847 + const char *eventname, enum ima_hooks func, 848 + int pcr, const char *func_data, 849 + bool buf_hash, u8 *digest, size_t digest_len) 861 850 { 862 851 int ret = 0; 863 852 const char *audit_cause = "ENOMEM"; ··· 884 861 int action = 0; 885 862 u32 secid; 886 863 887 - if (!ima_policy_flag) 888 - return; 864 + if (digest && digest_len < digest_hash_len) 865 + return -EINVAL; 866 + 867 + if (!ima_policy_flag && !digest) 868 + return -ENOENT; 889 869 890 870 template = ima_template_desc_buf(); 891 871 if (!template) { ··· 908 882 security_task_getsecid_subj(current, &secid); 909 883 action = ima_get_action(mnt_userns, 
inode, current_cred(), 910 884 secid, 0, func, &pcr, &template, 911 - func_data); 912 - if (!(action & IMA_MEASURE)) 913 - return; 885 + func_data, NULL); 886 + if (!(action & IMA_MEASURE) && !digest) 887 + return -ENOENT; 914 888 } 915 889 916 890 if (!pcr) ··· 940 914 event_data.buf_len = digest_hash_len; 941 915 } 942 916 917 + if (digest) 918 + memcpy(digest, iint.ima_hash->digest, digest_hash_len); 919 + 920 + if (!ima_policy_flag || (func && !(action & IMA_MEASURE))) 921 + return 1; 922 + 943 923 ret = ima_alloc_init_template(&event_data, &entry, template); 944 924 if (ret < 0) { 945 925 audit_cause = "alloc_entry"; ··· 964 932 func_measure_str(func), 965 933 audit_cause, ret, 0, ret); 966 934 967 - return; 935 + return ret; 968 936 } 969 937 970 938 /** ··· 988 956 989 957 process_buffer_measurement(file_mnt_user_ns(f.file), file_inode(f.file), 990 958 buf, size, "kexec-cmdline", KEXEC_CMDLINE, 0, 991 - NULL, false); 959 + NULL, false, NULL, 0); 992 960 fdput(f); 993 961 } 994 962 ··· 999 967 * @buf: pointer to buffer data 1000 968 * @buf_len: length of buffer data (in bytes) 1001 969 * @hash: measure buffer data hash 970 + * @digest: buffer digest will be written to 971 + * @digest_len: buffer length 1002 972 * 1003 973 * Measure data critical to the integrity of the kernel into the IMA log 1004 974 * and extend the pcr. Examples of critical data could be various data 1005 975 * structures, policies, and states stored in kernel memory that can 1006 976 * impact the integrity of the system. 977 + * 978 + * Return: 0 if the buffer has been successfully measured, 1 if the digest 979 + * has been written to the passed location but not added to a measurement entry, 980 + * a negative value otherwise. 
1007 981 */ 1008 - void ima_measure_critical_data(const char *event_label, 1009 - const char *event_name, 1010 - const void *buf, size_t buf_len, 1011 - bool hash) 982 + int ima_measure_critical_data(const char *event_label, 983 + const char *event_name, 984 + const void *buf, size_t buf_len, 985 + bool hash, u8 *digest, size_t digest_len) 1012 986 { 1013 987 if (!event_name || !event_label || !buf || !buf_len) 1014 - return; 988 + return -ENOPARAM; 1015 989 1016 - process_buffer_measurement(&init_user_ns, NULL, buf, buf_len, event_name, 1017 - CRITICAL_DATA, 0, event_label, 1018 - hash); 990 + return process_buffer_measurement(&init_user_ns, NULL, buf, buf_len, 991 + event_name, CRITICAL_DATA, 0, 992 + event_label, hash, digest, 993 + digest_len); 1019 994 } 1020 995 EXPORT_SYMBOL_GPL(ima_measure_critical_data); 1021 996 ··· 1052 1013 pr_warn("Couldn't register LSM notifier, error %d\n", error); 1053 1014 1054 1015 if (!error) 1055 - ima_update_policy_flag(); 1016 + ima_update_policy_flags(); 1056 1017 1057 1018 return error; 1058 1019 }
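Review bot: The kernel-doc added for `@digest_len` on process_buffer_measurement() and ima_measure_critical_data() says only `buffer length`, while the first statement of process_buffer_measurement() returns -EINVAL when `digest_len < digest_hash_len`; suggest `@digest_len: size of the @digest buffer, must hold a digest of the current IMA hash algorithm or -EINVAL is returned` and `@digest: buffer the digest is written to, may be NULL when only the measurement is wanted`. digest_hash_len is declared between the visible hunks, so the exact bound is inferred from its use. The `return 1` path is documented as success without a measurement entry, so the return doc should also say that callers passing a digest must treat 1 as success rather than an error; the callers converted in this series to `NULL, 0` keep discarding the value, which is consistent with the old void return. process_buffer_measurement() spans several hunks and only parts of its body are visible.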
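--- a/security/integrity/ima/ima_mok.c
+++ b/security/integrity/ima/ima_mok.c
@@ -21,7 +21,7 @@
 /*
  * Allocate the IMA blacklist keyring
  */
-__init int ima_mok_init(void)
+static __init int ima_mok_init(void)
 {
 	struct key_restriction *restriction;
 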
+158 -16
security/integrity/ima/ima_policy.c
··· 35 35 #define IMA_FSNAME 0x0200 36 36 #define IMA_KEYRINGS 0x0400 37 37 #define IMA_LABEL 0x0800 38 + #define IMA_VALIDATE_ALGOS 0x1000 38 39 39 40 #define UNKNOWN 0 40 41 #define MEASURE 0x0001 /* same as IMA_MEASURE */ ··· 52 51 int ima_policy_flag; 53 52 static int temp_ima_appraise; 54 53 static int build_ima_appraise __ro_after_init; 54 + 55 + atomic_t ima_setxattr_allowed_hash_algorithms; 55 56 56 57 #define MAX_LSM_RULES 6 57 58 enum lsm_rule_types { LSM_OBJ_USER, LSM_OBJ_ROLE, LSM_OBJ_TYPE, ··· 82 79 bool (*uid_op)(kuid_t, kuid_t); /* Handlers for operators */ 83 80 bool (*fowner_op)(kuid_t, kuid_t); /* uid_eq(), uid_gt(), uid_lt() */ 84 81 int pcr; 82 + unsigned int allowed_algos; /* bitfield of allowed hash algorithms */ 85 83 struct { 86 84 void *rule; /* LSM file metadata specific */ 87 85 char *args_p; /* audit value */ ··· 93 89 struct ima_rule_opt_list *label; /* Measure data grouped under this label */ 94 90 struct ima_template_desc *template; 95 91 }; 92 + 93 + /* 94 + * sanity check in case the kernels gains more hash algorithms that can 95 + * fit in an unsigned int 96 + */ 97 + static_assert( 98 + 8 * sizeof(unsigned int) >= HASH_ALGO__LAST, 99 + "The bitfield allowed_algos in ima_rule_entry is too small to contain all the supported hash algorithms, consider using a bigger type"); 96 100 97 101 /* 98 102 * Without LSM specific knowledge, the default policy can only be ··· 658 646 * @pcr: set the pcr to extend 659 647 * @template_desc: the template that should be used for this rule 660 648 * @func_data: func specific data, may be NULL 649 + * @allowed_algos: allowlist of hash algorithms for the IMA xattr 661 650 * 662 651 * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type) 663 652 * conditions. 
··· 671 658 const struct cred *cred, u32 secid, enum ima_hooks func, 672 659 int mask, int flags, int *pcr, 673 660 struct ima_template_desc **template_desc, 674 - const char *func_data) 661 + const char *func_data, unsigned int *allowed_algos) 675 662 { 676 663 struct ima_rule_entry *entry; 677 664 int action = 0, actmask = flags | (flags << 1); ··· 697 684 action &= ~IMA_HASH; 698 685 if (ima_fail_unverifiable_sigs) 699 686 action |= IMA_FAIL_UNVERIFIABLE_SIGS; 700 - } 701 687 688 + if (allowed_algos && 689 + entry->flags & IMA_VALIDATE_ALGOS) 690 + *allowed_algos = entry->allowed_algos; 691 + } 702 692 703 693 if (entry->action & IMA_DO_MASK) 704 694 actmask &= ~(entry->action | entry->action << 1); ··· 722 706 return action; 723 707 } 724 708 725 - /* 726 - * Initialize the ima_policy_flag variable based on the currently 727 - * loaded policy. Based on this flag, the decision to short circuit 728 - * out of a function or not call the function in the first place 729 - * can be made earlier. 709 + /** 710 + * ima_update_policy_flags() - Update global IMA variables 711 + * 712 + * Update ima_policy_flag and ima_setxattr_allowed_hash_algorithms 713 + * based on the currently loaded policy. 714 + * 715 + * With ima_policy_flag, the decision to short circuit out of a function 716 + * or not call the function in the first place can be made earlier. 717 + * 718 + * With ima_setxattr_allowed_hash_algorithms, the policy can restrict the 719 + * set of hash algorithms accepted when updating the security.ima xattr of 720 + * a file. 721 + * 722 + * Context: called after a policy update and at system initialization. 
730 723 */ 731 - void ima_update_policy_flag(void) 724 + void ima_update_policy_flags(void) 732 725 { 733 726 struct ima_rule_entry *entry; 727 + int new_policy_flag = 0; 734 728 729 + rcu_read_lock(); 735 730 list_for_each_entry(entry, ima_rules, list) { 731 + /* 732 + * SETXATTR_CHECK rules do not implement a full policy check 733 + * because rule checking would probably have an important 734 + * performance impact on setxattr(). As a consequence, only one 735 + * SETXATTR_CHECK can be active at a given time. 736 + * Because we want to preserve that property, we set out to use 737 + * atomic_cmpxchg. Either: 738 + * - the atomic was non-zero: a setxattr hash policy is 739 + * already enforced, we do nothing 740 + * - the atomic was zero: no setxattr policy was set, enable 741 + * the setxattr hash policy 742 + */ 743 + if (entry->func == SETXATTR_CHECK) { 744 + atomic_cmpxchg(&ima_setxattr_allowed_hash_algorithms, 745 + 0, entry->allowed_algos); 746 + /* SETXATTR_CHECK doesn't impact ima_policy_flag */ 747 + continue; 748 + } 749 + 736 750 if (entry->action & IMA_DO_MASK) 737 - ima_policy_flag |= entry->action; 751 + new_policy_flag |= entry->action; 738 752 } 753 + rcu_read_unlock(); 739 754 740 755 ima_appraise |= (build_ima_appraise | temp_ima_appraise); 741 756 if (!ima_appraise) 742 - ima_policy_flag &= ~IMA_APPRAISE; 757 + new_policy_flag &= ~IMA_APPRAISE; 758 + 759 + ima_policy_flag = new_policy_flag; 743 760 } 744 761 745 762 static int ima_appraise_flag(enum ima_hooks func) ··· 938 889 ARRAY_SIZE(critical_data_rules), 939 890 IMA_DEFAULT_POLICY); 940 891 941 - ima_update_policy_flag(); 892 + atomic_set(&ima_setxattr_allowed_hash_algorithms, 0); 893 + 894 + ima_update_policy_flags(); 942 895 } 943 896 944 897 /* Make sure we have a valid policy, at least containing some rules. 
*/ ··· 980 929 */ 981 930 kfree(arch_policy_entry); 982 931 } 983 - ima_update_policy_flag(); 932 + ima_update_policy_flags(); 984 933 985 934 /* Custom IMA policy has been loaded */ 986 935 ima_process_queued_keys(); ··· 997 946 Opt_fsuuid, Opt_uid_eq, Opt_euid_eq, Opt_fowner_eq, 998 947 Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt, 999 948 Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt, 1000 - Opt_appraise_type, Opt_appraise_flag, 949 + Opt_appraise_type, Opt_appraise_flag, Opt_appraise_algos, 1001 950 Opt_permit_directio, Opt_pcr, Opt_template, Opt_keyrings, 1002 951 Opt_label, Opt_err 1003 952 }; ··· 1032 981 {Opt_fowner_lt, "fowner<%s"}, 1033 982 {Opt_appraise_type, "appraise_type=%s"}, 1034 983 {Opt_appraise_flag, "appraise_flag=%s"}, 984 + {Opt_appraise_algos, "appraise_algos=%s"}, 1035 985 {Opt_permit_directio, "permit_directio"}, 1036 986 {Opt_pcr, "pcr=%s"}, 1037 987 {Opt_template, "template=%s"}, ··· 1133 1081 return false; 1134 1082 1135 1083 if (entry->action != APPRAISE && 1136 - entry->flags & (IMA_DIGSIG_REQUIRED | IMA_MODSIG_ALLOWED | IMA_CHECK_BLACKLIST)) 1084 + entry->flags & (IMA_DIGSIG_REQUIRED | IMA_MODSIG_ALLOWED | 1085 + IMA_CHECK_BLACKLIST | IMA_VALIDATE_ALGOS)) 1137 1086 return false; 1138 1087 1139 1088 /* ··· 1164 1111 IMA_UID | IMA_FOWNER | IMA_FSUUID | 1165 1112 IMA_INMASK | IMA_EUID | IMA_PCR | 1166 1113 IMA_FSNAME | IMA_DIGSIG_REQUIRED | 1167 - IMA_PERMIT_DIRECTIO)) 1114 + IMA_PERMIT_DIRECTIO | IMA_VALIDATE_ALGOS)) 1168 1115 return false; 1169 1116 1170 1117 break; ··· 1176 1123 IMA_INMASK | IMA_EUID | IMA_PCR | 1177 1124 IMA_FSNAME | IMA_DIGSIG_REQUIRED | 1178 1125 IMA_PERMIT_DIRECTIO | IMA_MODSIG_ALLOWED | 1179 - IMA_CHECK_BLACKLIST)) 1126 + IMA_CHECK_BLACKLIST | IMA_VALIDATE_ALGOS)) 1180 1127 return false; 1181 1128 1182 1129 break; ··· 1214 1161 return false; 1215 1162 1216 1163 break; 1164 + case SETXATTR_CHECK: 1165 + /* any action other than APPRAISE is unsupported */ 1166 + if (entry->action != APPRAISE) 1167 + return false; 1168 + 1169 + 
/* SETXATTR_CHECK requires an appraise_algos parameter */ 1170 + if (!(entry->flags & IMA_VALIDATE_ALGOS)) 1171 + return false; 1172 + 1173 + /* 1174 + * full policies are not supported, they would have too 1175 + * much of a performance impact 1176 + */ 1177 + if (entry->flags & ~(IMA_FUNC | IMA_VALIDATE_ALGOS)) 1178 + return false; 1179 + 1180 + break; 1217 1181 default: 1218 1182 return false; 1219 1183 } ··· 1241 1171 return false; 1242 1172 1243 1173 return true; 1174 + } 1175 + 1176 + static unsigned int ima_parse_appraise_algos(char *arg) 1177 + { 1178 + unsigned int res = 0; 1179 + int idx; 1180 + char *token; 1181 + 1182 + while ((token = strsep(&arg, ",")) != NULL) { 1183 + idx = match_string(hash_algo_name, HASH_ALGO__LAST, token); 1184 + 1185 + if (idx < 0) { 1186 + pr_err("unknown hash algorithm \"%s\"", 1187 + token); 1188 + return 0; 1189 + } 1190 + 1191 + if (!crypto_has_alg(hash_algo_name[idx], 0, 0)) { 1192 + pr_err("unavailable hash algorithm \"%s\", check your kernel configuration", 1193 + token); 1194 + return 0; 1195 + } 1196 + 1197 + /* Add the hash algorithm to the 'allowed' bitfield */ 1198 + res |= (1U << idx); 1199 + } 1200 + 1201 + return res; 1244 1202 } 1245 1203 1246 1204 static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) ··· 1392 1294 entry->func = KEY_CHECK; 1393 1295 else if (strcmp(args[0].from, "CRITICAL_DATA") == 0) 1394 1296 entry->func = CRITICAL_DATA; 1297 + else if (strcmp(args[0].from, "SETXATTR_CHECK") == 0) 1298 + entry->func = SETXATTR_CHECK; 1395 1299 else 1396 1300 result = -EINVAL; 1397 1301 if (!result) ··· 1608 1508 else 1609 1509 result = -EINVAL; 1610 1510 break; 1511 + case Opt_appraise_algos: 1512 + ima_log_string(ab, "appraise_algos", args[0].from); 1513 + 1514 + if (entry->allowed_algos) { 1515 + result = -EINVAL; 1516 + break; 1517 + } 1518 + 1519 + entry->allowed_algos = 1520 + ima_parse_appraise_algos(args[0].from); 1521 + /* invalid or empty list of algorithms */ 1522 + if 
(!entry->allowed_algos) { 1523 + result = -EINVAL; 1524 + break; 1525 + } 1526 + 1527 + entry->flags |= IMA_VALIDATE_ALGOS; 1528 + 1529 + break; 1611 1530 case Opt_permit_directio: 1612 1531 entry->flags |= IMA_PERMIT_DIRECTIO; 1613 1532 break; ··· 1819 1700 seq_printf(m, "%s%s", i ? "|" : "", opt_list->items[i]); 1820 1701 } 1821 1702 1703 + static void ima_policy_show_appraise_algos(struct seq_file *m, 1704 + unsigned int allowed_hashes) 1705 + { 1706 + int idx, list_size = 0; 1707 + 1708 + for (idx = 0; idx < HASH_ALGO__LAST; idx++) { 1709 + if (!(allowed_hashes & (1U << idx))) 1710 + continue; 1711 + 1712 + /* only add commas if the list contains multiple entries */ 1713 + if (list_size++) 1714 + seq_puts(m, ","); 1715 + 1716 + seq_puts(m, hash_algo_name[idx]); 1717 + } 1718 + } 1719 + 1822 1720 int ima_policy_show(struct seq_file *m, void *v) 1823 1721 { 1824 1722 struct ima_rule_entry *entry = v; ··· 1944 1808 seq_printf(m, pt(Opt_fowner_lt), tbuf); 1945 1809 else 1946 1810 seq_printf(m, pt(Opt_fowner_eq), tbuf); 1811 + seq_puts(m, " "); 1812 + } 1813 + 1814 + if (entry->flags & IMA_VALIDATE_ALGOS) { 1815 + seq_puts(m, "appraise_algos="); 1816 + ima_policy_show_appraise_algos(m, entry->allowed_algos); 1947 1817 seq_puts(m, " "); 1948 1818 } 1949 1819
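Review bot: Both pr_err() calls in ima_parse_appraise_algos() lack a trailing newline — `pr_err("unknown hash algorithm \"%s\"", token);` and the `unavailable hash algorithm` message — so the next printk can be appended to the same console line; add `\n` to both format strings. In ima_update_policy_flags() the atomic_cmpxchg() means the first SETXATTR_CHECK rule in list order wins and, since the atomic is only zeroed in the init hunk, a later policy update cannot relax or change the allowed set; the comment explains the single-rule design but not this reload consequence, so a sentence such as `/* once set, the restriction stays for the lifetime of the policy; a reload cannot change it */` would help. ima_parse_appraise_algos() also consumes `arg` in place via strsep(), which is harmless because args[0].from is only logged beforehand, but a `/* consumes arg */` note on the function would save the next reader the check.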
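--- a/security/integrity/ima/ima_queue_keys.c
+++ b/security/integrity/ima/ima_queue_keys.c
@@ -165,7 +165,7 @@
 					   entry->keyring_name,
 					   KEY_CHECK, 0,
 					   entry->keyring_name,
-					   false);
+					   false, NULL, 0);
 		list_del(&entry->list);
 		ima_free_key_entry(entry);
 	}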
+4 -2
security/selinux/ima.c
··· 86 86 } 87 87 88 88 ima_measure_critical_data("selinux", "selinux-state", 89 - state_str, strlen(state_str), false); 89 + state_str, strlen(state_str), false, 90 + NULL, 0); 90 91 91 92 kfree(state_str); 92 93 ··· 104 103 } 105 104 106 105 ima_measure_critical_data("selinux", "selinux-policy-hash", 107 - policy, policy_len, true); 106 + policy, policy_len, true, 107 + NULL, 0); 108 108 109 109 vfree(policy); 110 110 }