
Merge tag 'integrity-v6.7' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity

Pull integrity updates from Mimi Zohar:
"Four integrity changes: two IMA-overlay updates, an integrity Kconfig
cleanup, and a secondary keyring update"

* tag 'integrity-v6.7' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
ima: detect changes to the backing overlay file
certs: Only allow certs signed by keys on the builtin keyring
integrity: fix indentation of config attributes
ima: annotate iint mutex to avoid lockdep false positive warnings

+101 -36
+15 -1
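--- a/certs/Kconfig
+++ b/certs/Kconfig
@@ -88,7 +88,21 @@
 	help
 	  If set, provide a keyring to which extra keys may be added, provided
 	  those keys are not blacklisted and are vouched for by a key built
-	  into the kernel or already in the secondary trusted keyring.
+	  into the kernel, machine keyring (if configured), or already in the
+	  secondary trusted keyring.
+
+config SECONDARY_TRUSTED_KEYRING_SIGNED_BY_BUILTIN
+	bool "Only allow additional certs signed by keys on the builtin trusted keyring"
+	depends on SECONDARY_TRUSTED_KEYRING
+	help
+	  If set, only certificates signed by keys on the builtin trusted
+	  keyring may be loaded onto the secondary trusted keyring.
+
+	  Note: The machine keyring, if configured, will be linked to the
+	  secondary keyring. When enabling this option, it is recommended
+	  to also configure INTEGRITY_CA_MACHINE_KEYRING_MAX to prevent
+	  linking code signing keys with imputed trust to the secondary
+	  trusted keyring.
 
 config SYSTEM_BLACKLIST_KEYRING
 	bool "Provide system-wide ring of blacklisted keys"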
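Review bot: The help text for SECONDARY_TRUSTED_KEYRING_SIGNED_BY_BUILTIN says only builtin-signed certificates may be loaded onto the secondary keyring, yet the Note right below concedes that the machine keyring stays linked into it, so MOK keys remain reachable trust anchors whether or not this option is set; the help should state that the restriction governs only which signers may vouch for keys added at runtime, not what is already reachable through the link. A sentence after the first paragraph would make that explicit: `This does not restrict keys that reach the secondary keyring through the linked .machine keyring; see INTEGRITY_CA_MACHINE_KEYRING_MAX for that.` The advice to also configure INTEGRITY_CA_MACHINE_KEYRING_MAX is purely advisory; if the intended threat model needs both, a `depends on` or a stronger warning would encode it instead of relying on the reader noticing the Note.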
+4
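--- a/crypto/asymmetric_keys/restrict.c
+++ b/crypto/asymmetric_keys/restrict.c
@@ -102,6 +102,10 @@
 
 	if (use_builtin_keys && !test_bit(KEY_FLAG_BUILTIN, &key->flags))
 		ret = -ENOKEY;
+	else if (IS_BUILTIN(CONFIG_SECONDARY_TRUSTED_KEYRING_SIGNED_BY_BUILTIN) &&
+		 !strcmp(dest_keyring->description, ".secondary_trusted_keys") &&
+		 !test_bit(KEY_FLAG_BUILTIN, &key->flags))
+		ret = -ENOKEY;
 	else
 		ret = verify_signature(key, sig);
 	key_put(key);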
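Review bot: The new branch recognises the destination keyring by comparing `dest_keyring->description` against the bare literal `".secondary_trusted_keys"`, a name owned by another file (presumably certs/system_keyring.c), so a rename there silently turns this restriction into a no-op with no compile-time signal; a shared macro for the name, or at least a comment saying why the keyring pointer is not available here, would make the coupling visible. The check is placed before `verify_signature()`, so a non-builtin signer is refused without the signature ever being examined, which is the fail-closed ordering one wants and deserves a one-liner such as `/* Only builtin keys may vouch for additions to the secondary keyring. */`. `IS_BUILTIN()` on a bool symbol behaves like `IS_ENABLED()` but reads as if the option were tristate; `IS_ENABLED()` is the conventional spelling. The enclosing function begins before the hunk.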
+1 -1
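--- a/fs/overlayfs/super.c
+++ b/fs/overlayfs/super.c
@@ -1499,7 +1499,7 @@
 #ifdef CONFIG_FS_POSIX_ACL
 	sb->s_flags |= SB_POSIXACL;
 #endif
-	sb->s_iflags |= SB_I_SKIP_SYNC | SB_I_IMA_UNVERIFIABLE_SIGNATURE;
+	sb->s_iflags |= SB_I_SKIP_SYNC;
 	/*
 	 * Ensure that umask handling is done by the filesystems used
 	 * for the the upper layer instead of overlayfs as that would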
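Review bot: Dropping SB_I_IMA_UNVERIFIABLE_SIGNATURE changes how IMA treats every file on an overlay, and nothing on the changed line records why that is now safe: the replacement mechanism, re-evaluating the file when its backing inode changes, lives in security/integrity/ima (the IMA_FAIL_UNVERIFIABLE_SIGS path it used to feed is visible as context in the ima_main.c hunk of this same merge). A comment would preserve the dependency for the next person touching either side: `/* IMA tracks the backing inode itself (see ima_main.c), so overlay signatures are no longer marked unverifiable. */`. The new detection falls back to re-measuring on every access when the backing filesystem has no i_version, so the change is conservative but potentially costly on such layers, which is worth knowing when reading this line. The enclosing function starts and ends outside the hunk.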
+22 -22
security/integrity/Kconfig
··· 34 34 bool "Enable asymmetric keys support" 35 35 depends on INTEGRITY_SIGNATURE 36 36 default n 37 - select ASYMMETRIC_KEY_TYPE 38 - select ASYMMETRIC_PUBLIC_KEY_SUBTYPE 39 - select CRYPTO_RSA 40 - select X509_CERTIFICATE_PARSER 37 + select ASYMMETRIC_KEY_TYPE 38 + select ASYMMETRIC_PUBLIC_KEY_SUBTYPE 39 + select CRYPTO_RSA 40 + select X509_CERTIFICATE_PARSER 41 41 help 42 42 This option enables digital signature verification using 43 43 asymmetric keys. ··· 53 53 keyring. 54 54 55 55 config INTEGRITY_PLATFORM_KEYRING 56 - bool "Provide keyring for platform/firmware trusted keys" 57 - depends on INTEGRITY_ASYMMETRIC_KEYS 58 - depends on SYSTEM_BLACKLIST_KEYRING 59 - help 60 - Provide a separate, distinct keyring for platform trusted keys, which 61 - the kernel automatically populates during initialization from values 62 - provided by the platform for verifying the kexec'ed kerned image 63 - and, possibly, the initramfs signature. 56 + bool "Provide keyring for platform/firmware trusted keys" 57 + depends on INTEGRITY_ASYMMETRIC_KEYS 58 + depends on SYSTEM_BLACKLIST_KEYRING 59 + help 60 + Provide a separate, distinct keyring for platform trusted keys, which 61 + the kernel automatically populates during initialization from values 62 + provided by the platform for verifying the kexec'ed kerned image 63 + and, possibly, the initramfs signature. 64 64 65 65 config INTEGRITY_MACHINE_KEYRING 66 66 bool "Provide a keyring to which Machine Owner Keys may be added" ··· 69 69 depends on SYSTEM_BLACKLIST_KEYRING 70 70 depends on LOAD_UEFI_KEYS || LOAD_PPC_KEYS 71 71 help 72 - If set, provide a keyring to which Machine Owner Keys (MOK) may 73 - be added. This keyring shall contain just MOK keys. Unlike keys 74 - in the platform keyring, keys contained in the .machine keyring will 75 - be trusted within the kernel. 72 + If set, provide a keyring to which Machine Owner Keys (MOK) may 73 + be added. This keyring shall contain just MOK keys. 
Unlike keys 74 + in the platform keyring, keys contained in the .machine keyring will 75 + be trusted within the kernel. 76 76 77 77 config INTEGRITY_CA_MACHINE_KEYRING 78 78 bool "Enforce Machine Keyring CA Restrictions" ··· 97 97 .platform keyring. 98 98 99 99 config LOAD_UEFI_KEYS 100 - depends on INTEGRITY_PLATFORM_KEYRING 101 - depends on EFI 102 - def_bool y 100 + depends on INTEGRITY_PLATFORM_KEYRING 101 + depends on EFI 102 + def_bool y 103 103 104 104 config LOAD_IPL_KEYS 105 - depends on INTEGRITY_PLATFORM_KEYRING 106 - depends on S390 107 - def_bool y 105 + depends on INTEGRITY_PLATFORM_KEYRING 106 + depends on S390 107 + def_bool y 108 108 109 109 config LOAD_PPC_KEYS 110 110 bool "Enable loading of platform and blacklisted keys for POWER"
+37 -11
security/integrity/iint.c
··· 66 66 return iint; 67 67 } 68 68 69 - static void iint_free(struct integrity_iint_cache *iint) 69 + #define IMA_MAX_NESTING (FILESYSTEM_MAX_STACK_DEPTH+1) 70 + 71 + /* 72 + * It is not clear that IMA should be nested at all, but as long is it measures 73 + * files both on overlayfs and on underlying fs, we need to annotate the iint 74 + * mutex to avoid lockdep false positives related to IMA + overlayfs. 75 + * See ovl_lockdep_annotate_inode_mutex_key() for more details. 76 + */ 77 + static inline void iint_lockdep_annotate(struct integrity_iint_cache *iint, 78 + struct inode *inode) 70 79 { 71 - kfree(iint->ima_hash); 80 + #ifdef CONFIG_LOCKDEP 81 + static struct lock_class_key iint_mutex_key[IMA_MAX_NESTING]; 82 + 83 + int depth = inode->i_sb->s_stack_depth; 84 + 85 + if (WARN_ON_ONCE(depth < 0 || depth >= IMA_MAX_NESTING)) 86 + depth = 0; 87 + 88 + lockdep_set_class(&iint->mutex, &iint_mutex_key[depth]); 89 + #endif 90 + } 91 + 92 + static void iint_init_always(struct integrity_iint_cache *iint, 93 + struct inode *inode) 94 + { 72 95 iint->ima_hash = NULL; 73 96 iint->version = 0; 74 97 iint->flags = 0UL; ··· 103 80 iint->ima_creds_status = INTEGRITY_UNKNOWN; 104 81 iint->evm_status = INTEGRITY_UNKNOWN; 105 82 iint->measured_pcrs = 0; 83 + mutex_init(&iint->mutex); 84 + iint_lockdep_annotate(iint, inode); 85 + } 86 + 87 + static void iint_free(struct integrity_iint_cache *iint) 88 + { 89 + kfree(iint->ima_hash); 90 + mutex_destroy(&iint->mutex); 106 91 kmem_cache_free(iint_cache, iint); 107 92 } 108 93 ··· 134 103 iint = kmem_cache_alloc(iint_cache, GFP_NOFS); 135 104 if (!iint) 136 105 return NULL; 106 + 107 + iint_init_always(iint, inode); 137 108 138 109 write_lock(&integrity_iint_lock); 139 110 ··· 186 153 iint_free(iint); 187 154 } 188 155 189 - static void init_once(void *foo) 156 + static void iint_init_once(void *foo) 190 157 { 191 158 struct integrity_iint_cache *iint = (struct integrity_iint_cache *) foo; 192 159 193 160 memset(iint, 0, 
sizeof(*iint)); 194 - iint->ima_file_status = INTEGRITY_UNKNOWN; 195 - iint->ima_mmap_status = INTEGRITY_UNKNOWN; 196 - iint->ima_bprm_status = INTEGRITY_UNKNOWN; 197 - iint->ima_read_status = INTEGRITY_UNKNOWN; 198 - iint->ima_creds_status = INTEGRITY_UNKNOWN; 199 - iint->evm_status = INTEGRITY_UNKNOWN; 200 - mutex_init(&iint->mutex); 201 161 } 202 162 203 163 static int __init integrity_iintcache_init(void) 204 164 { 205 165 iint_cache = 206 166 kmem_cache_create("iint_cache", sizeof(struct integrity_iint_cache), 207 - 0, SLAB_PANIC, init_once); 167 + 0, SLAB_PANIC, iint_init_once); 208 168 return 0; 209 169 } 210 170 DEFINE_LSM(integrity) = {
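Review bot: `iint_init_always()` is now the place that resets the per-inode cache on every allocation, but the two fields this merge adds to the struct, `real_ino` and `real_dev` (see the integrity.h hunk), do not appear in the visible reset list, and the elided lines 75-79 are unchanged pre-existing assignments; `kmem_cache_alloc(iint_cache, GFP_NOFS)` does not zero, and the slab constructor `iint_init_once()` runs when an object is first created rather than on each allocation, so a recycled iint starts out carrying the previous inode's backing-inode identity. Today ima_main.c only consults those fields after IMA_DONE_MASK is set, by which point collection has overwritten them, but that reasoning rests on the invariant that this function resets every cached field; add `iint->real_ino = 0;` and `iint->real_dev = 0;` beside `iint->measured_pcrs = 0;`. The `WARN_ON_ONCE` fallback to class 0 in `iint_lockdep_annotate()` is a sensible bounded default for an unexpected stack depth.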
+5
security/integrity/ima/ima_api.c
··· 243 243 { 244 244 const char *audit_cause = "failed"; 245 245 struct inode *inode = file_inode(file); 246 + struct inode *real_inode = d_real_inode(file_dentry(file)); 246 247 const char *filename = file->f_path.dentry->d_name.name; 247 248 struct ima_max_digest_data hash; 248 249 struct kstat stat; ··· 303 302 iint->ima_hash = tmpbuf; 304 303 memcpy(iint->ima_hash, &hash, length); 305 304 iint->version = i_version; 305 + if (real_inode != inode) { 306 + iint->real_ino = real_inode->i_ino; 307 + iint->real_dev = real_inode->i_sb->s_dev; 308 + } 306 309 307 310 /* Possibly temporary failure due to type of read (eg. O_DIRECT) */ 308 311 if (!result)
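Review bot: `real_ino`/`real_dev` are recorded alongside `iint->version = i_version`, and the ima_main.c hunk later checks that triple against `d_real_inode()` using `inode_eq_iversion(backing_inode, iint->version)`; for that comparison to mean anything, `i_version` must be the backing inode's change cookie rather than the overlay inode's, but the hunk does not show where `i_version` comes from (only the `struct kstat stat` context hints at a getattr), so the invariant should be written down at the assignment: `/* For stacked files, version and real_* describe the backing inode; see the backing-inode check in ima_main.c. */`. The fields are written only when `real_inode != inode`, so for a non-stacked file they retain whatever the iint held before, which is harmless only as long as the consumer keeps its `backing_inode != inode` guard. The enclosing function starts before and ends after the hunk.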
+15 -1
security/integrity/ima/ima_main.c
··· 25 25 #include <linux/xattr.h> 26 26 #include <linux/ima.h> 27 27 #include <linux/fs.h> 28 + #include <linux/iversion.h> 28 29 29 30 #include "ima.h" 30 31 ··· 208 207 u32 secid, char *buf, loff_t size, int mask, 209 208 enum ima_hooks func) 210 209 { 211 - struct inode *inode = file_inode(file); 210 + struct inode *backing_inode, *inode = file_inode(file); 212 211 struct integrity_iint_cache *iint = NULL; 213 212 struct ima_template_desc *template_desc = NULL; 214 213 char *pathbuf = NULL; ··· 283 282 !(action & IMA_FAIL_UNVERIFIABLE_SIGS))) { 284 283 iint->flags &= ~IMA_DONE_MASK; 285 284 iint->measured_pcrs = 0; 285 + } 286 + 287 + /* Detect and re-evaluate changes made to the backing file. */ 288 + backing_inode = d_real_inode(file_dentry(file)); 289 + if (backing_inode != inode && 290 + (action & IMA_DO_MASK) && (iint->flags & IMA_DONE_MASK)) { 291 + if (!IS_I_VERSION(backing_inode) || 292 + backing_inode->i_sb->s_dev != iint->real_dev || 293 + backing_inode->i_ino != iint->real_ino || 294 + !inode_eq_iversion(backing_inode, iint->version)) { 295 + iint->flags &= ~IMA_DONE_MASK; 296 + iint->measured_pcrs = 0; 297 + } 286 298 } 287 299 288 300 /* Determine if already appraised/measured based on bitmask
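Review bot: The backing-file block duplicates the two-line invalidation `iint->flags &= ~IMA_DONE_MASK; iint->measured_pcrs = 0;` that already appears a few lines above for the unverifiable-signature case, and this commit itself shows how the two can drift: new cached fields (`real_ino`/`real_dev`) were added without either path knowing about them. Factoring the reset into one static helper keeps the invalidation rules in a single place; the `!IS_I_VERSION(backing_inode)` arm is the right conservative choice, but that it forces re-evaluation on every access for such lower layers deserves a word in the comment, e.g. `/* No i_version on the backing fs: assume the file changed. */`. The mismatch test against `iint->real_dev`/`real_ino` only works because the collection path records them for stacked inodes, which the `backing_inode != inode` guard here mirrors. The enclosing function continues beyond the hunk.
```c
/* Forget cached measurement/appraisal results so the file is re-evaluated. */
static void ima_reset_cached_status(struct integrity_iint_cache *iint)
{
	iint->flags &= ~IMA_DONE_MASK;
	iint->measured_pcrs = 0;
}

/* … unchanged: enclosing function up to the IMA_FAIL_UNVERIFIABLE_SIGS check … */
		ima_reset_cached_status(iint);
	}

	/* Detect and re-evaluate changes made to the backing file. */
	backing_inode = d_real_inode(file_dentry(file));
	if (backing_inode != inode &&
	    (action & IMA_DO_MASK) && (iint->flags & IMA_DONE_MASK)) {
		/* No i_version on the backing fs: assume the file changed. */
		/* … unchanged: the four mismatch conditions … */
			ima_reset_cached_status(iint);
	}
```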
+2
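--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -164,6 +164,8 @@
 	unsigned long flags;
 	unsigned long measured_pcrs;
 	unsigned long atomic_flags;
+	unsigned long real_ino;
+	dev_t real_dev;
 	enum integrity_status ima_file_status:4;
 	enum integrity_status ima_mmap_status:4;
 	enum integrity_status ima_bprm_status:4;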
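Review bot: The two new members carry no comment, and this struct is where a reader will look to learn what they mean; the other hunks show they are written by the IMA collection path only when the file's inode differs from `d_real_inode()` and compared later against the backing inode, so `unsigned long real_ino; /* backing inode (d_real_inode) recorded at measurement; meaningful only for stacked files */` and `dev_t real_dev; /* s_dev of that backing inode */` would spare the next maintainer a trip through ima_api.c and ima_main.c. Nothing in the visible hunks initializes them on allocation, so consumers must keep gating on the stacked-file case before trusting them, which the comment should say. The struct definition starts before the hunk.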