
Merge tag 'integrity-v7.0' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity

Pull integrity updates from Mimi Zohar:
"Just two bug fixes: IMA's detecting scripts (bprm_creds_for_exec), and
calculating the EVM HMAC"

* tag 'integrity-v7.0' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
evm: Use ordered xattrs list to calculate HMAC in evm_init_hmac()
ima: Fix stack-out-of-bounds in is_bprm_creds_for_exec()

+30 -28
+10 -4
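--- a/security/integrity/evm/evm_crypto.c
+++ b/security/integrity/evm/evm_crypto.c
@@ ... @@
 {
 	struct shash_desc *desc;
 	const struct xattr *xattr;
+	struct xattr_list *xattr_entry;
 
 	desc = init_desc(EVM_XATTR_HMAC, HASH_ALGO_SHA1);
 	if (IS_ERR(desc)) {
@@ ... @@
 		return PTR_ERR(desc);
 	}
 
-	for (xattr = xattrs; xattr->name; xattr++) {
-		if (!evm_protected_xattr(xattr->name))
-			continue;
+	list_for_each_entry_lockless(xattr_entry, &evm_config_xattrnames,
+				     list) {
+		for (xattr = xattrs; xattr->name; xattr++) {
+			if (strcmp(xattr_entry->name +
+				   XATTR_SECURITY_PREFIX_LEN, xattr->name) != 0)
+				continue;
 
-		crypto_shash_update(desc, xattr->value, xattr->value_len);
+			crypto_shash_update(desc, xattr->value,
+					    xattr->value_len);
+		}
 	}
 
 	hmac_add_misc(desc, inode, EVM_XATTR_HMAC, hmac_val);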
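Review bot: The new nested walk over `evm_config_xattrnames` rests on two unstated assumptions that deserve a comment at the `list_for_each_entry_lockless` line: every list entry must begin with the "security." prefix for the `+ XATTR_SECURITY_PREFIX_LEN` offset to land on a valid name, and the lockless iteration is only safe if entries are never removed from the list once added. Suggested comment: `/* Walk the ordered protected-xattr list so the HMAC covers the xattrs in the same order the verification path uses; entries carry the "security." prefix and are only ever appended, so a lockless walk is safe. */`. The ordering rationale follows from the commit title; the prefix and append-only properties are inferred from this hunk and should be confirmed against the list's writers (evm_secfs.c) before the comment lands. evm_init_hmac()'s signature lies above the first hunk.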
+4 -2
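--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ ... @@
 int ima_appraise_measurement(enum ima_hooks func, struct ima_iint_cache *iint,
 			     struct file *file, const unsigned char *filename,
 			     struct evm_ima_xattr_data *xattr_value,
-			     int xattr_len, const struct modsig *modsig);
+			     int xattr_len, const struct modsig *modsig,
+			     bool bprm_is_check);
 int ima_must_appraise(struct mnt_idmap *idmap, struct inode *inode,
 		      int mask, enum ima_hooks func);
 void ima_update_xattr(struct ima_iint_cache *iint, struct file *file);
@@ ... @@
 					     const unsigned char *filename,
 					     struct evm_ima_xattr_data *xattr_value,
 					     int xattr_len,
-					     const struct modsig *modsig)
+					     const struct modsig *modsig,
+					     bool bprm_is_check)
 {
 	return INTEGRITY_UNKNOWN;
 }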
+3 -13
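--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ ... @@
 	return rc;
 }
 
-static bool is_bprm_creds_for_exec(enum ima_hooks func, struct file *file)
-{
-	struct linux_binprm *bprm;
-
-	if (func == BPRM_CHECK) {
-		bprm = container_of(&file, struct linux_binprm, file);
-		return bprm->is_check;
-	}
-	return false;
-}
-
 /*
  * ima_appraise_measurement - appraise file measurement
  *
@@ ... @@
 int ima_appraise_measurement(enum ima_hooks func, struct ima_iint_cache *iint,
 			     struct file *file, const unsigned char *filename,
 			     struct evm_ima_xattr_data *xattr_value,
-			     int xattr_len, const struct modsig *modsig)
+			     int xattr_len, const struct modsig *modsig,
+			     bool bprm_is_check)
 {
 	static const char op[] = "appraise_data";
 	int audit_msgno = AUDIT_INTEGRITY_DATA;
@@ ... @@
 	 * of the script interpreter(userspace). Differentiate kernel and
 	 * userspace enforced integrity audit messages.
 	 */
-	if (is_bprm_creds_for_exec(func, file))
+	if (bprm_is_check)
 		audit_msgno = AUDIT_INTEGRITY_USERSPACE;
 
 	/* If reading the xattr failed and there's no modsig, error out. */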
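Review bot: The comment block opening with `* ima_appraise_measurement - appraise file measurement` in the first hunk is where the new `bprm_is_check` parameter should be described, and no such line is visible in any hunk; suggest adding `* @bprm_is_check: the caller's bprm->is_check; when true an appraisal failure is audited as AUDIT_INTEGRITY_USERSPACE instead of AUDIT_INTEGRITY_DATA` next to the other parameter descriptions (that list sits between the first two hunks, so match its format there). Passing the flag explicitly is the right shape of fix: the removed `container_of(&file, struct linux_binprm, file)` took the address of the by-value `file` parameter and then dereferenced a linux_binprm computed from that stack slot, which is the out-of-bounds read the commit title names. The body of ima_appraise_measurement() continues past the last hunk.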
+13 -9
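--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ ... @@
 static int process_measurement(struct file *file, const struct cred *cred,
 			       struct lsm_prop *prop, char *buf, loff_t size,
 			       int mask, enum ima_hooks func,
-			       enum kernel_read_file_id read_id)
+			       enum kernel_read_file_id read_id,
+			       bool bprm_is_check)
 {
 	struct inode *real_inode, *inode = file_inode(file);
 	struct ima_iint_cache *iint = NULL;
@@ ... @@
 		inode_lock(inode);
 		rc = ima_appraise_measurement(func, iint, file,
 					      pathname, xattr_value,
-					      xattr_len, modsig);
+					      xattr_len, modsig,
+					      bprm_is_check);
 		inode_unlock(inode);
 	}
 	if (!rc)
@@ ... @@
 
 	if (reqprot & PROT_EXEC) {
 		ret = process_measurement(file, current_cred(), &prop, NULL,
-					  0, MAY_EXEC, MMAP_CHECK_REQPROT, 0);
+					  0, MAY_EXEC, MMAP_CHECK_REQPROT, 0,
+					  false);
 		if (ret)
 			return ret;
 	}
 
 	if (prot & PROT_EXEC)
 		return process_measurement(file, current_cred(), &prop, NULL,
-					   0, MAY_EXEC, MMAP_CHECK, 0);
+					   0, MAY_EXEC, MMAP_CHECK, 0, false);
 
 	return 0;
 }
@@ ... @@
 
 	security_current_getlsmprop_subj(&prop);
 	return process_measurement(bprm->file, current_cred(),
-				   &prop, NULL, 0, MAY_EXEC, BPRM_CHECK, 0);
+				   &prop, NULL, 0, MAY_EXEC, BPRM_CHECK, 0,
+				   bprm->is_check);
 }
 
 /**
@@ ... @@
 
 	security_current_getlsmprop_subj(&prop);
 	return process_measurement((struct file *)file, bprm->cred, &prop, NULL,
-				   0, MAY_EXEC, CREDS_CHECK, 0);
+				   0, MAY_EXEC, CREDS_CHECK, 0, false);
 }
 
 /**
@@ ... @@
 	security_current_getlsmprop_subj(&prop);
 	return process_measurement(file, current_cred(), &prop, NULL, 0,
 				   mask & (MAY_READ | MAY_WRITE | MAY_EXEC |
-					   MAY_APPEND), FILE_CHECK, 0);
+					   MAY_APPEND), FILE_CHECK, 0, false);
 }
 
 static int __ima_inode_hash(struct inode *inode, struct file *file, char *buf,
@@ ... @@
 	func = read_idmap[read_id] ?: FILE_CHECK;
 	security_current_getlsmprop_subj(&prop);
 	return process_measurement(file, current_cred(), &prop, NULL, 0,
-				   MAY_READ, func, 0);
+				   MAY_READ, func, 0, false);
 }
 
 const int read_idmap[READING_MAX_ID] = {
@@ ... @@
 	func = read_idmap[read_id] ?: FILE_CHECK;
 	security_current_getlsmprop_subj(&prop);
 	return process_measurement(file, current_cred(), &prop, buf, size,
-				   MAY_READ, func, read_id);
+				   MAY_READ, func, read_id, false);
 }
 
 /**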
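Review bot: `bprm_is_check` is only meaningful for the BPRM_CHECK hook — the fourth hunk is the single call site that passes `bprm->is_check`, every other caller passes a literal `false` — yet nothing at the definition of process_measurement() in the first hunk says so, and the function has no visible kernel-doc. Suggest a trailing comment on the new parameter, `bool bprm_is_check) /* bprm->is_check of the exec being appraised; false for every hook other than BPRM_CHECK */`, so a future caller does not hand a stale flag to a different hook. If a stronger guard is wanted, a check that a true `bprm_is_check` implies `func == BPRM_CHECK` belongs in the body of process_measurement(), which lies between the first and second hunks. The same parameter threading appears in ima.h and ima_appraise.c, where the header stub simply ignores the flag.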