authorLinus Torvalds <torvalds@linux-foundation.org>2019-07-08 23:28:59 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2019-07-08 23:28:59 -0400
commit8b68150883ca466a23e90902dd4113b22e692f04 (patch)
treee27be560379f4dc6f3d49a88f83bf5f9cb539851
parent0f75ef6a9cff49ff612f7ce0578bced9d0b38325 (diff)
parent650b29dbdf2caf7db27cdc8bfa8fc009b28a6ce3 (diff)
Merge branch 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity
Pull integrity updates from Mimi Zohar: "Bug fixes, code clean up, and new features: - IMA policy rules can be defined in terms of LSM labels, making the IMA policy dependent on LSM policy label changes, in particular LSM label deletions. The new environment, in which IMA-appraisal is being used, frequently updates the LSM policy and permits LSM label deletions. - Prevent an mmap'ed shared file opened for write from also being mmap'ed execute. In the long term, making this and other similar changes at the VFS layer would be preferable. - The IMA per policy rule template format support is needed for a couple of new/proposed features (eg. kexec boot command line measurement, appended signatures, and VFS provided file hashes). - Other than the "boot-aggregate" record in the IMA measurement list, all other measurements are of file data. Measuring and storing the kexec boot command line in the IMA measurement list is the first buffer based measurement included in the measurement list" * 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity: integrity: Introduce struct evm_xattr ima: Update MAX_TEMPLATE_NAME_LEN to fit largest reasonable definition KEXEC: Call ima_kexec_cmdline to measure the boot command line args IMA: Define a new template field buf IMA: Define a new hook to measure the kexec boot command line arguments IMA: support for per policy rule template formats integrity: Fix __integrity_init_keyring() section mismatch ima: Use designated initializers for struct ima_event_data ima: use the lsm policy update notifier LSM: switch to blocking policy update notifiers x86/ima: fix the Kconfig dependency for IMA_ARCH_POLICY ima: Make arch_policy_entry static ima: prevent a file already mmap'ed write to be mmap'ed execute x86/ima: check EFI SetupMode too
-rw-r--r--Documentation/ABI/testing/ima_policy6
-rw-r--r--Documentation/security/IMA-templates.rst7
-rw-r--r--arch/x86/kernel/ima_arch.c12
-rw-r--r--drivers/infiniband/core/device.c6
-rw-r--r--include/linux/ima.h2
-rw-r--r--include/linux/security.h12
-rw-r--r--kernel/kexec_file.c9
-rw-r--r--security/integrity/digsig.c5
-rw-r--r--security/integrity/evm/evm_main.c8
-rw-r--r--security/integrity/ima/Kconfig3
-rw-r--r--security/integrity/ima/ima.h21
-rw-r--r--security/integrity/ima/ima_api.c38
-rw-r--r--security/integrity/ima/ima_appraise.c9
-rw-r--r--security/integrity/ima/ima_init.c6
-rw-r--r--security/integrity/ima/ima_main.c123
-rw-r--r--security/integrity/ima/ima_policy.c163
-rw-r--r--security/integrity/ima/ima_template.c23
-rw-r--r--security/integrity/ima/ima_template_lib.c21
-rw-r--r--security/integrity/ima/ima_template_lib.h4
-rw-r--r--security/integrity/integrity.h6
-rw-r--r--security/security.c23
-rw-r--r--security/selinux/hooks.c2
-rw-r--r--security/selinux/selinuxfs.c2
23 files changed, 413 insertions, 98 deletions
diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
index 74c6702de74e..fc376a323908 100644
--- a/Documentation/ABI/testing/ima_policy
+++ b/Documentation/ABI/testing/ima_policy
@@ -24,11 +24,11 @@ Description:
24 [euid=] [fowner=] [fsname=]] 24 [euid=] [fowner=] [fsname=]]
25 lsm: [[subj_user=] [subj_role=] [subj_type=] 25 lsm: [[subj_user=] [subj_role=] [subj_type=]
26 [obj_user=] [obj_role=] [obj_type=]] 26 [obj_user=] [obj_role=] [obj_type=]]
27 option: [[appraise_type=]] [permit_directio] 27 option: [[appraise_type=]] [template=] [permit_directio]
28
29 base: func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK] 28 base: func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]
30 [FIRMWARE_CHECK] 29 [FIRMWARE_CHECK]
31 [KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK] 30 [KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
31 [KEXEC_CMDLINE]
32 mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND] 32 mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
33 [[^]MAY_EXEC] 33 [[^]MAY_EXEC]
34 fsmagic:= hex value 34 fsmagic:= hex value
@@ -38,6 +38,8 @@ Description:
38 fowner:= decimal value 38 fowner:= decimal value
39 lsm: are LSM specific 39 lsm: are LSM specific
40 option: appraise_type:= [imasig] 40 option: appraise_type:= [imasig]
41 template:= name of a defined IMA template type
42 (eg, ima-ng). Only valid when action is "measure".
41 pcr:= decimal value 43 pcr:= decimal value
42 44
43 default policy: 45 default policy:
diff --git a/Documentation/security/IMA-templates.rst b/Documentation/security/IMA-templates.rst
index 2cd0e273cc9a..3d1cca287aa4 100644
--- a/Documentation/security/IMA-templates.rst
+++ b/Documentation/security/IMA-templates.rst
@@ -69,15 +69,16 @@ descriptors by adding their identifier to the format string
69 algorithm (field format: [<hash algo>:]digest, where the digest 69 algorithm (field format: [<hash algo>:]digest, where the digest
70 prefix is shown only if the hash algorithm is not SHA1 or MD5); 70 prefix is shown only if the hash algorithm is not SHA1 or MD5);
71 - 'n-ng': the name of the event, without size limitations; 71 - 'n-ng': the name of the event, without size limitations;
72 - 'sig': the file signature. 72 - 'sig': the file signature;
73 - 'buf': the buffer data that was used to generate the hash without size limitations;
73 74
74 75
75Below, there is the list of defined template descriptors: 76Below, there is the list of defined template descriptors:
76 77
77 - "ima": its format is ``d|n``; 78 - "ima": its format is ``d|n``;
78 - "ima-ng" (default): its format is ``d-ng|n-ng``; 79 - "ima-ng" (default): its format is ``d-ng|n-ng``;
79 - "ima-sig": its format is ``d-ng|n-ng|sig``. 80 - "ima-sig": its format is ``d-ng|n-ng|sig``;
80 81 - "ima-buf": its format is ``d-ng|n-ng|buf``;
81 82
82 83
83Use 84Use
diff --git a/arch/x86/kernel/ima_arch.c b/arch/x86/kernel/ima_arch.c
index 64b973f0e985..4c407833faca 100644
--- a/arch/x86/kernel/ima_arch.c
+++ b/arch/x86/kernel/ima_arch.c
@@ -11,10 +11,11 @@ extern struct boot_params boot_params;
11static enum efi_secureboot_mode get_sb_mode(void) 11static enum efi_secureboot_mode get_sb_mode(void)
12{ 12{
13 efi_char16_t efi_SecureBoot_name[] = L"SecureBoot"; 13 efi_char16_t efi_SecureBoot_name[] = L"SecureBoot";
14 efi_char16_t efi_SetupMode_name[] = L"SecureBoot";
14 efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID; 15 efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID;
15 efi_status_t status; 16 efi_status_t status;
16 unsigned long size; 17 unsigned long size;
17 u8 secboot; 18 u8 secboot, setupmode;
18 19
19 size = sizeof(secboot); 20 size = sizeof(secboot);
20 21
@@ -36,7 +37,14 @@ static enum efi_secureboot_mode get_sb_mode(void)
36 return efi_secureboot_mode_unknown; 37 return efi_secureboot_mode_unknown;
37 } 38 }
38 39
39 if (secboot == 0) { 40 size = sizeof(setupmode);
41 status = efi.get_variable(efi_SetupMode_name, &efi_variable_guid,
42 NULL, &size, &setupmode);
43
44 if (status != EFI_SUCCESS) /* ignore unknown SetupMode */
45 setupmode = 0;
46
47 if (secboot == 0 || setupmode == 1) {
40 pr_info("ima: secureboot mode disabled\n"); 48 pr_info("ima: secureboot mode disabled\n");
41 return efi_secureboot_mode_disabled; 49 return efi_secureboot_mode_disabled;
42 } 50 }
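Review bot: The array added at new line 14 is named efi_SetupMode_name but is initialised to L"SecureBoot", so the second efi.get_variable() call at new lines 41-42 reads the SecureBoot variable again and setupmode ends up equal to secboot. When secboot is 1 the new condition `secboot == 0 || setupmode == 1` is therefore true and get_sb_mode() reports secure boot as disabled on every platform where the variable is readable, which would switch off the arch policy that the SetupMode check is meant to strengthen. The initialiser should be `efi_char16_t efi_SetupMode_name[] = L"SetupMode";`. The SetupMode read also checks only status and not that size still equals sizeof(setupmode); if the SecureBoot read above it validates the returned size, this one should too. get_sb_mode() ends outside the hunk.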
diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/device.c
index d020bb4d03d5..3352a107b4a3 100644
--- a/drivers/infiniband/core/device.c
+++ b/drivers/infiniband/core/device.c
@@ -2520,7 +2520,7 @@ static int __init ib_core_init(void)
2520 goto err_mad; 2520 goto err_mad;
2521 } 2521 }
2522 2522
2523 ret = register_lsm_notifier(&ibdev_lsm_nb); 2523 ret = register_blocking_lsm_notifier(&ibdev_lsm_nb);
2524 if (ret) { 2524 if (ret) {
2525 pr_warn("Couldn't register LSM notifier. ret %d\n", ret); 2525 pr_warn("Couldn't register LSM notifier. ret %d\n", ret);
2526 goto err_sa; 2526 goto err_sa;
@@ -2539,7 +2539,7 @@ static int __init ib_core_init(void)
2539 return 0; 2539 return 0;
2540 2540
2541err_compat: 2541err_compat:
2542 unregister_lsm_notifier(&ibdev_lsm_nb); 2542 unregister_blocking_lsm_notifier(&ibdev_lsm_nb);
2543err_sa: 2543err_sa:
2544 ib_sa_cleanup(); 2544 ib_sa_cleanup();
2545err_mad: 2545err_mad:
@@ -2565,7 +2565,7 @@ static void __exit ib_core_cleanup(void)
2565 nldev_exit(); 2565 nldev_exit();
2566 rdma_nl_unregister(RDMA_NL_LS); 2566 rdma_nl_unregister(RDMA_NL_LS);
2567 unregister_pernet_device(&rdma_dev_net_ops); 2567 unregister_pernet_device(&rdma_dev_net_ops);
2568 unregister_lsm_notifier(&ibdev_lsm_nb); 2568 unregister_blocking_lsm_notifier(&ibdev_lsm_nb);
2569 ib_sa_cleanup(); 2569 ib_sa_cleanup();
2570 ib_mad_cleanup(); 2570 ib_mad_cleanup();
2571 addr_cleanup(); 2571 addr_cleanup();
diff --git a/include/linux/ima.h b/include/linux/ima.h
index 00036d2f57c3..a20ad398d260 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -23,6 +23,7 @@ extern int ima_read_file(struct file *file, enum kernel_read_file_id id);
23extern int ima_post_read_file(struct file *file, void *buf, loff_t size, 23extern int ima_post_read_file(struct file *file, void *buf, loff_t size,
24 enum kernel_read_file_id id); 24 enum kernel_read_file_id id);
25extern void ima_post_path_mknod(struct dentry *dentry); 25extern void ima_post_path_mknod(struct dentry *dentry);
26extern void ima_kexec_cmdline(const void *buf, int size);
26 27
27#ifdef CONFIG_IMA_KEXEC 28#ifdef CONFIG_IMA_KEXEC
28extern void ima_add_kexec_buffer(struct kimage *image); 29extern void ima_add_kexec_buffer(struct kimage *image);
@@ -89,6 +90,7 @@ static inline void ima_post_path_mknod(struct dentry *dentry)
89 return; 90 return;
90} 91}
91 92
93static inline void ima_kexec_cmdline(const void *buf, int size) {}
92#endif /* CONFIG_IMA */ 94#endif /* CONFIG_IMA */
93 95
94#ifndef CONFIG_IMA_KEXEC 96#ifndef CONFIG_IMA_KEXEC
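Review bot: The new prototype `extern void ima_kexec_cmdline(const void *buf, int size);` takes its length as int, while ima_post_read_file() two lines above it in the same hunk takes `loff_t size`, so the header now mixes two conventions for a buffer length supplied by the kernel; the CONFIG_IMA=n stub at new line 93 uses int as well, so changing one means changing both. Whichever type is kept, the declaration has no comment saying what buf is expected to hold — from kernel/kexec_file.c in this merge it is the kexec command line without its trailing NUL — so a one-line comment such as `/* measure a buffer (the kexec command line) rather than a file */` above the declaration would help readers of the header. The enclosing CONFIG_IMA blocks start outside both hunks.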
diff --git a/include/linux/security.h b/include/linux/security.h
index 659071c2e57c..5f7441abbf42 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -189,9 +189,9 @@ static inline const char *kernel_load_data_id_str(enum kernel_load_data_id id)
189 189
190#ifdef CONFIG_SECURITY 190#ifdef CONFIG_SECURITY
191 191
192int call_lsm_notifier(enum lsm_event event, void *data); 192int call_blocking_lsm_notifier(enum lsm_event event, void *data);
193int register_lsm_notifier(struct notifier_block *nb); 193int register_blocking_lsm_notifier(struct notifier_block *nb);
194int unregister_lsm_notifier(struct notifier_block *nb); 194int unregister_blocking_lsm_notifier(struct notifier_block *nb);
195 195
196/* prototypes */ 196/* prototypes */
197extern int security_init(void); 197extern int security_init(void);
@@ -394,17 +394,17 @@ int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
394int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen); 394int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
395#else /* CONFIG_SECURITY */ 395#else /* CONFIG_SECURITY */
396 396
397static inline int call_lsm_notifier(enum lsm_event event, void *data) 397static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
398{ 398{
399 return 0; 399 return 0;
400} 400}
401 401
402static inline int register_lsm_notifier(struct notifier_block *nb) 402static inline int register_blocking_lsm_notifier(struct notifier_block *nb)
403{ 403{
404 return 0; 404 return 0;
405} 405}
406 406
407static inline int unregister_lsm_notifier(struct notifier_block *nb) 407static inline int unregister_blocking_lsm_notifier(struct notifier_block *nb)
408{ 408{
409 return 0; 409 return 0;
410} 410}
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index ef7b951a8087..b8cc032d5620 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -196,9 +196,6 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
196 return ret; 196 return ret;
197 image->kernel_buf_len = size; 197 image->kernel_buf_len = size;
198 198
199 /* IMA needs to pass the measurement list to the next kernel. */
200 ima_add_kexec_buffer(image);
201
202 /* Call arch image probe handlers */ 199 /* Call arch image probe handlers */
203 ret = arch_kexec_kernel_image_probe(image, image->kernel_buf, 200 ret = arch_kexec_kernel_image_probe(image, image->kernel_buf,
204 image->kernel_buf_len); 201 image->kernel_buf_len);
@@ -239,8 +236,14 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
239 ret = -EINVAL; 236 ret = -EINVAL;
240 goto out; 237 goto out;
241 } 238 }
239
240 ima_kexec_cmdline(image->cmdline_buf,
241 image->cmdline_buf_len - 1);
242 } 242 }
243 243
244 /* IMA needs to pass the measurement list to the next kernel. */
245 ima_add_kexec_buffer(image);
246
244 /* Call arch image load handlers */ 247 /* Call arch image load handlers */
245 ldata = arch_kexec_kernel_image_load(image); 248 ldata = arch_kexec_kernel_image_load(image);
246 249
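Review bot: The new call `ima_kexec_cmdline(image->cmdline_buf, image->cmdline_buf_len - 1);` at new lines 240-241 carries an unexplained `- 1`, and the relocation of the ima_add_kexec_buffer() call to after it has no comment saying why the order matters. Presumably the `- 1` drops the trailing NUL and the move is needed so the command-line record is already in the measurement list when that list is packaged for the next kernel; if so, a comment such as `/* Measure the command line (without its NUL) before the list is handed over. */` would record that. If cmdline_buf_len can be 0 at this point the argument underflows into the int size parameter — the preceding validation is outside the hunk, so confirm it rules that out. kimage_file_prepare_segments() starts and ends outside the hunks.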
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index ceb10553a6ba..f9f3c8ffe786 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -70,8 +70,9 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
70 return -EOPNOTSUPP; 70 return -EOPNOTSUPP;
71} 71}
72 72
73static int __integrity_init_keyring(const unsigned int id, struct key_acl *acl, 73static int __init __integrity_init_keyring(const unsigned int id,
74 struct key_restriction *restriction) 74 struct key_acl *acl,
75 struct key_restriction *restriction)
75{ 76{
76 const struct cred *cred = current_cred(); 77 const struct cred *cred = current_cred();
77 int err = 0; 78 int err = 0;
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 5bbd8b4dc29a..f9a81b187fae 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -166,7 +166,7 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
166 /* check value type */ 166 /* check value type */
167 switch (xattr_data->type) { 167 switch (xattr_data->type) {
168 case EVM_XATTR_HMAC: 168 case EVM_XATTR_HMAC:
169 if (xattr_len != sizeof(struct evm_ima_xattr_data)) { 169 if (xattr_len != sizeof(struct evm_xattr)) {
170 evm_status = INTEGRITY_FAIL; 170 evm_status = INTEGRITY_FAIL;
171 goto out; 171 goto out;
172 } 172 }
@@ -176,7 +176,7 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
176 xattr_value_len, &digest); 176 xattr_value_len, &digest);
177 if (rc) 177 if (rc)
178 break; 178 break;
179 rc = crypto_memneq(xattr_data->digest, digest.digest, 179 rc = crypto_memneq(xattr_data->data, digest.digest,
180 SHA1_DIGEST_SIZE); 180 SHA1_DIGEST_SIZE);
181 if (rc) 181 if (rc)
182 rc = -EINVAL; 182 rc = -EINVAL;
@@ -520,7 +520,7 @@ int evm_inode_init_security(struct inode *inode,
520 const struct xattr *lsm_xattr, 520 const struct xattr *lsm_xattr,
521 struct xattr *evm_xattr) 521 struct xattr *evm_xattr)
522{ 522{
523 struct evm_ima_xattr_data *xattr_data; 523 struct evm_xattr *xattr_data;
524 int rc; 524 int rc;
525 525
526 if (!evm_key_loaded() || !evm_protected_xattr(lsm_xattr->name)) 526 if (!evm_key_loaded() || !evm_protected_xattr(lsm_xattr->name))
@@ -530,7 +530,7 @@ int evm_inode_init_security(struct inode *inode,
530 if (!xattr_data) 530 if (!xattr_data)
531 return -ENOMEM; 531 return -ENOMEM;
532 532
533 xattr_data->type = EVM_XATTR_HMAC; 533 xattr_data->data.type = EVM_XATTR_HMAC;
534 rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest); 534 rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest);
535 if (rc < 0) 535 if (rc < 0)
536 goto out; 536 goto out;
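Review bot: In evm_verify_hmac the length check at new line 169 now compares xattr_len against sizeof(struct evm_xattr), while the comparison at new line 179 reads SHA1_DIGEST_SIZE bytes from xattr_data->data through a struct evm_ima_xattr_data pointer. The two only agree if evm_xattr is laid out as the one-byte type followed directly by the digest with no padding; the struct definitions live in security/integrity/integrity.h, outside this view, so it is worth pinning the assumption with `BUILD_BUG_ON(sizeof(struct evm_xattr) != 1 + SHA1_DIGEST_SIZE);` next to the check, or at least a comment stating it. evm_verify_hmac() and evm_inode_init_security() both start and end outside their hunks.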
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 2692c7358c2c..2ced99dde694 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -160,7 +160,8 @@ config IMA_APPRAISE
160 160
161config IMA_ARCH_POLICY 161config IMA_ARCH_POLICY
162 bool "Enable loading an IMA architecture specific policy" 162 bool "Enable loading an IMA architecture specific policy"
163 depends on KEXEC_VERIFY_SIG || IMA_APPRAISE && INTEGRITY_ASYMMETRIC_KEYS 163 depends on (KEXEC_VERIFY_SIG && IMA) || IMA_APPRAISE \
164 && INTEGRITY_ASYMMETRIC_KEYS
164 default n 165 default n
165 help 166 help
166 This option enables loading an IMA architecture specific policy 167 This option enables loading an IMA architecture specific policy
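Review bot: The new dependency `(KEXEC_VERIFY_SIG && IMA) || IMA_APPRAISE && INTEGRITY_ASYMMETRIC_KEYS` parenthesises only its first disjunct and leaves the second to operator precedence, which makes the reader work out whether INTEGRITY_ASYMMETRIC_KEYS applies to both sides. Writing it as `depends on (KEXEC_VERIFY_SIG && IMA) || (IMA_APPRAISE && INTEGRITY_ASYMMETRIC_KEYS)` states the intent explicitly and costs nothing.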
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index ca10917b5f89..011b91c79351 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -61,6 +61,8 @@ struct ima_event_data {
61 struct evm_ima_xattr_data *xattr_value; 61 struct evm_ima_xattr_data *xattr_value;
62 int xattr_len; 62 int xattr_len;
63 const char *violation; 63 const char *violation;
64 const void *buf;
65 int buf_len;
64}; 66};
65 67
66/* IMA template field data definition */ 68/* IMA template field data definition */
@@ -142,7 +144,11 @@ void ima_add_violation(struct file *file, const unsigned char *filename,
142int ima_init_crypto(void); 144int ima_init_crypto(void);
143void ima_putc(struct seq_file *m, void *data, int datalen); 145void ima_putc(struct seq_file *m, void *data, int datalen);
144void ima_print_digest(struct seq_file *m, u8 *digest, u32 size); 146void ima_print_digest(struct seq_file *m, u8 *digest, u32 size);
147int template_desc_init_fields(const char *template_fmt,
148 const struct ima_template_field ***fields,
149 int *num_fields);
145struct ima_template_desc *ima_template_desc_current(void); 150struct ima_template_desc *ima_template_desc_current(void);
151struct ima_template_desc *lookup_template_desc(const char *name);
146int ima_restore_measurement_entry(struct ima_template_entry *entry); 152int ima_restore_measurement_entry(struct ima_template_entry *entry);
147int ima_restore_measurement_list(loff_t bufsize, void *buf); 153int ima_restore_measurement_list(loff_t bufsize, void *buf);
148int ima_measurements_show(struct seq_file *m, void *v); 154int ima_measurements_show(struct seq_file *m, void *v);
@@ -150,6 +156,8 @@ unsigned long ima_get_binary_runtime_size(void);
150int ima_init_template(void); 156int ima_init_template(void);
151void ima_init_template_list(void); 157void ima_init_template_list(void);
152int __init ima_init_digests(void); 158int __init ima_init_digests(void);
159int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event,
160 void *lsm_data);
153 161
154/* 162/*
155 * used to protect h_table and sha_table 163 * used to protect h_table and sha_table
@@ -180,6 +188,7 @@ static inline unsigned long ima_hash_key(u8 *digest)
180 hook(KEXEC_KERNEL_CHECK) \ 188 hook(KEXEC_KERNEL_CHECK) \
181 hook(KEXEC_INITRAMFS_CHECK) \ 189 hook(KEXEC_INITRAMFS_CHECK) \
182 hook(POLICY_CHECK) \ 190 hook(POLICY_CHECK) \
191 hook(KEXEC_CMDLINE) \
183 hook(MAX_CHECK) 192 hook(MAX_CHECK)
184#define __ima_hook_enumify(ENUM) ENUM, 193#define __ima_hook_enumify(ENUM) ENUM,
185 194
@@ -189,7 +198,8 @@ enum ima_hooks {
189 198
190/* LIM API function definitions */ 199/* LIM API function definitions */
191int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid, 200int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid,
192 int mask, enum ima_hooks func, int *pcr); 201 int mask, enum ima_hooks func, int *pcr,
202 struct ima_template_desc **template_desc);
193int ima_must_measure(struct inode *inode, int mask, enum ima_hooks func); 203int ima_must_measure(struct inode *inode, int mask, enum ima_hooks func);
194int ima_collect_measurement(struct integrity_iint_cache *iint, 204int ima_collect_measurement(struct integrity_iint_cache *iint,
195 struct file *file, void *buf, loff_t size, 205 struct file *file, void *buf, loff_t size,
@@ -197,11 +207,13 @@ int ima_collect_measurement(struct integrity_iint_cache *iint,
197void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file, 207void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file,
198 const unsigned char *filename, 208 const unsigned char *filename,
199 struct evm_ima_xattr_data *xattr_value, 209 struct evm_ima_xattr_data *xattr_value,
200 int xattr_len, int pcr); 210 int xattr_len, int pcr,
211 struct ima_template_desc *template_desc);
201void ima_audit_measurement(struct integrity_iint_cache *iint, 212void ima_audit_measurement(struct integrity_iint_cache *iint,
202 const unsigned char *filename); 213 const unsigned char *filename);
203int ima_alloc_init_template(struct ima_event_data *event_data, 214int ima_alloc_init_template(struct ima_event_data *event_data,
204 struct ima_template_entry **entry); 215 struct ima_template_entry **entry,
216 struct ima_template_desc *template_desc);
205int ima_store_template(struct ima_template_entry *entry, int violation, 217int ima_store_template(struct ima_template_entry *entry, int violation,
206 struct inode *inode, 218 struct inode *inode,
207 const unsigned char *filename, int pcr); 219 const unsigned char *filename, int pcr);
@@ -210,7 +222,8 @@ const char *ima_d_path(const struct path *path, char **pathbuf, char *filename);
210 222
211/* IMA policy related functions */ 223/* IMA policy related functions */
212int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid, 224int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid,
213 enum ima_hooks func, int mask, int flags, int *pcr); 225 enum ima_hooks func, int mask, int flags, int *pcr,
226 struct ima_template_desc **template_desc);
214void ima_init_policy(void); 227void ima_init_policy(void);
215void ima_update_policy(void); 228void ima_update_policy(void);
216void ima_update_policy_flag(void); 229void ima_update_policy_flag(void);
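Review bot: The two fields added to struct ima_event_data at new lines 64-65, buf and buf_len, carry no comment, and since they are the first non-file payload in this struct a reader of the header cannot tell when they are populated. The callers touched in this merge (ima_add_violation, ima_store_measurement, ima_add_boot_aggregate) leave them NULL/0 for file events via designated initializers, so `const void *buf; /* buffer-based measurement payload; NULL for file events */` and `int buf_len; /* length of buf in bytes */` would document that contract. buf_len being int matches the existing xattr_len, though a buffer length is never meaningfully negative — worth saying so in the comment so future callers do not pass one.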
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index 35c129cbb7e9..f614e22bf39f 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -34,11 +34,17 @@ void ima_free_template_entry(struct ima_template_entry *entry)
34 * ima_alloc_init_template - create and initialize a new template entry 34 * ima_alloc_init_template - create and initialize a new template entry
35 */ 35 */
36int ima_alloc_init_template(struct ima_event_data *event_data, 36int ima_alloc_init_template(struct ima_event_data *event_data,
37 struct ima_template_entry **entry) 37 struct ima_template_entry **entry,
38 struct ima_template_desc *desc)
38{ 39{
39 struct ima_template_desc *template_desc = ima_template_desc_current(); 40 struct ima_template_desc *template_desc;
40 int i, result = 0; 41 int i, result = 0;
41 42
43 if (desc)
44 template_desc = desc;
45 else
46 template_desc = ima_template_desc_current();
47
42 *entry = kzalloc(sizeof(**entry) + template_desc->num_fields * 48 *entry = kzalloc(sizeof(**entry) + template_desc->num_fields *
43 sizeof(struct ima_field_data), GFP_NOFS); 49 sizeof(struct ima_field_data), GFP_NOFS);
44 if (!*entry) 50 if (!*entry)
@@ -129,15 +135,17 @@ void ima_add_violation(struct file *file, const unsigned char *filename,
129{ 135{
130 struct ima_template_entry *entry; 136 struct ima_template_entry *entry;
131 struct inode *inode = file_inode(file); 137 struct inode *inode = file_inode(file);
132 struct ima_event_data event_data = {iint, file, filename, NULL, 0, 138 struct ima_event_data event_data = { .iint = iint,
133 cause}; 139 .file = file,
140 .filename = filename,
141 .violation = cause };
134 int violation = 1; 142 int violation = 1;
135 int result; 143 int result;
136 144
137 /* can overflow, only indicator */ 145 /* can overflow, only indicator */
138 atomic_long_inc(&ima_htable.violations); 146 atomic_long_inc(&ima_htable.violations);
139 147
140 result = ima_alloc_init_template(&event_data, &entry); 148 result = ima_alloc_init_template(&event_data, &entry, NULL);
141 if (result < 0) { 149 if (result < 0) {
142 result = -ENOMEM; 150 result = -ENOMEM;
143 goto err_out; 151 goto err_out;
@@ -160,11 +168,13 @@ err_out:
160 * MAY_APPEND) 168 * MAY_APPEND)
161 * @func: caller identifier 169 * @func: caller identifier
162 * @pcr: pointer filled in if matched measure policy sets pcr= 170 * @pcr: pointer filled in if matched measure policy sets pcr=
171 * @template_desc: pointer filled in if matched measure policy sets template=
163 * 172 *
164 * The policy is defined in terms of keypairs: 173 * The policy is defined in terms of keypairs:
165 * subj=, obj=, type=, func=, mask=, fsmagic= 174 * subj=, obj=, type=, func=, mask=, fsmagic=
166 * subj,obj, and type: are LSM specific. 175 * subj,obj, and type: are LSM specific.
167 * func: FILE_CHECK | BPRM_CHECK | CREDS_CHECK | MMAP_CHECK | MODULE_CHECK 176 * func: FILE_CHECK | BPRM_CHECK | CREDS_CHECK | MMAP_CHECK | MODULE_CHECK
177 * | KEXEC_CMDLINE
168 * mask: contains the permission mask 178 * mask: contains the permission mask
169 * fsmagic: hex value 179 * fsmagic: hex value
170 * 180 *
@@ -172,13 +182,15 @@ err_out:
172 * 182 *
173 */ 183 */
174int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid, 184int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid,
175 int mask, enum ima_hooks func, int *pcr) 185 int mask, enum ima_hooks func, int *pcr,
186 struct ima_template_desc **template_desc)
176{ 187{
177 int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE | IMA_HASH; 188 int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE | IMA_HASH;
178 189
179 flags &= ima_policy_flag; 190 flags &= ima_policy_flag;
180 191
181 return ima_match_policy(inode, cred, secid, func, mask, flags, pcr); 192 return ima_match_policy(inode, cred, secid, func, mask, flags, pcr,
193 template_desc);
182} 194}
183 195
184/* 196/*
@@ -273,21 +285,25 @@ out:
273void ima_store_measurement(struct integrity_iint_cache *iint, 285void ima_store_measurement(struct integrity_iint_cache *iint,
274 struct file *file, const unsigned char *filename, 286 struct file *file, const unsigned char *filename,
275 struct evm_ima_xattr_data *xattr_value, 287 struct evm_ima_xattr_data *xattr_value,
276 int xattr_len, int pcr) 288 int xattr_len, int pcr,
289 struct ima_template_desc *template_desc)
277{ 290{
278 static const char op[] = "add_template_measure"; 291 static const char op[] = "add_template_measure";
279 static const char audit_cause[] = "ENOMEM"; 292 static const char audit_cause[] = "ENOMEM";
280 int result = -ENOMEM; 293 int result = -ENOMEM;
281 struct inode *inode = file_inode(file); 294 struct inode *inode = file_inode(file);
282 struct ima_template_entry *entry; 295 struct ima_template_entry *entry;
283 struct ima_event_data event_data = {iint, file, filename, xattr_value, 296 struct ima_event_data event_data = { .iint = iint,
284 xattr_len, NULL}; 297 .file = file,
298 .filename = filename,
299 .xattr_value = xattr_value,
300 .xattr_len = xattr_len };
285 int violation = 0; 301 int violation = 0;
286 302
287 if (iint->measured_pcrs & (0x1 << pcr)) 303 if (iint->measured_pcrs & (0x1 << pcr))
288 return; 304 return;
289 305
290 result = ima_alloc_init_template(&event_data, &entry); 306 result = ima_alloc_init_template(&event_data, &entry, template_desc);
291 if (result < 0) { 307 if (result < 0) {
292 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename, 308 integrity_audit_msg(AUDIT_INTEGRITY_PCR, inode, filename,
293 op, audit_cause, result, 0); 309 op, audit_cause, result, 0);
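Review bot: The kernel-doc for ima_alloc_init_template at new lines 34-35 still says only "create and initialize a new template entry" and does not mention the new desc parameter or its fallback, so callers cannot tell from the comment that NULL is allowed; add `@desc: template descriptor to use, or NULL for the current default (ima_template_desc_current())`. The same applies to the new template_desc parameter of ima_store_measurement, which simply forwards it and so also accepts NULL. As a style point, the if/else at new lines 43-46 can be `template_desc = desc ? desc : ima_template_desc_current();`. The functions in the later hunks start or end outside their hunks.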
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index f0cd67cab6aa..89b83194d1dc 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -54,7 +54,7 @@ int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func)
54 54
55 security_task_getsecid(current, &secid); 55 security_task_getsecid(current, &secid);
56 return ima_match_policy(inode, current_cred(), secid, func, mask, 56 return ima_match_policy(inode, current_cred(), secid, func, mask,
57 IMA_APPRAISE | IMA_HASH, NULL); 57 IMA_APPRAISE | IMA_HASH, NULL, NULL);
58} 58}
59 59
60static int ima_fix_xattr(struct dentry *dentry, 60static int ima_fix_xattr(struct dentry *dentry,
@@ -165,7 +165,8 @@ enum hash_algo ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value,
165 return sig->hash_algo; 165 return sig->hash_algo;
166 break; 166 break;
167 case IMA_XATTR_DIGEST_NG: 167 case IMA_XATTR_DIGEST_NG:
168 ret = xattr_value->digest[0]; 168 /* first byte contains algorithm id */
169 ret = xattr_value->data[0];
169 if (ret < HASH_ALGO__LAST) 170 if (ret < HASH_ALGO__LAST)
170 return ret; 171 return ret;
171 break; 172 break;
@@ -173,7 +174,7 @@ enum hash_algo ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value,
173 /* this is for backward compatibility */ 174 /* this is for backward compatibility */
174 if (xattr_len == 21) { 175 if (xattr_len == 21) {
175 unsigned int zero = 0; 176 unsigned int zero = 0;
176 if (!memcmp(&xattr_value->digest[16], &zero, 4)) 177 if (!memcmp(&xattr_value->data[16], &zero, 4))
177 return HASH_ALGO_MD5; 178 return HASH_ALGO_MD5;
178 else 179 else
179 return HASH_ALGO_SHA1; 180 return HASH_ALGO_SHA1;
@@ -272,7 +273,7 @@ int ima_appraise_measurement(enum ima_hooks func,
272 /* xattr length may be longer. md5 hash in previous 273 /* xattr length may be longer. md5 hash in previous
273 version occupied 20 bytes in xattr, instead of 16 274 version occupied 20 bytes in xattr, instead of 16
274 */ 275 */
275 rc = memcmp(&xattr_value->digest[hash_start], 276 rc = memcmp(&xattr_value->data[hash_start],
276 iint->ima_hash->digest, 277 iint->ima_hash->digest,
277 iint->ima_hash->length); 278 iint->ima_hash->length);
278 else 279 else
diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
index 1e47c1026471..5d55ade5f3b9 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -45,8 +45,8 @@ static int __init ima_add_boot_aggregate(void)
45 const char *audit_cause = "ENOMEM"; 45 const char *audit_cause = "ENOMEM";
46 struct ima_template_entry *entry; 46 struct ima_template_entry *entry;
47 struct integrity_iint_cache tmp_iint, *iint = &tmp_iint; 47 struct integrity_iint_cache tmp_iint, *iint = &tmp_iint;
48 struct ima_event_data event_data = {iint, NULL, boot_aggregate_name, 48 struct ima_event_data event_data = { .iint = iint,
49 NULL, 0, NULL}; 49 .filename = boot_aggregate_name };
50 int result = -ENOMEM; 50 int result = -ENOMEM;
51 int violation = 0; 51 int violation = 0;
52 struct { 52 struct {
@@ -68,7 +68,7 @@ static int __init ima_add_boot_aggregate(void)
68 } 68 }
69 } 69 }
70 70
71 result = ima_alloc_init_template(&event_data, &entry); 71 result = ima_alloc_init_template(&event_data, &entry, NULL);
72 if (result < 0) { 72 if (result < 0) {
73 audit_cause = "alloc_entry"; 73 audit_cause = "alloc_entry";
74 goto err_out; 74 goto err_out;
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index f556e6c18f9b..584019728660 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -39,6 +39,10 @@ int ima_appraise;
39int ima_hash_algo = HASH_ALGO_SHA1; 39int ima_hash_algo = HASH_ALGO_SHA1;
40static int hash_setup_done; 40static int hash_setup_done;
41 41
42static struct notifier_block ima_lsm_policy_notifier = {
43 .notifier_call = ima_lsm_policy_change,
44};
45
42static int __init hash_setup(char *str) 46static int __init hash_setup(char *str)
43{ 47{
44 struct ima_template_desc *template_desc = ima_template_desc_current(); 48 struct ima_template_desc *template_desc = ima_template_desc_current();
@@ -68,6 +72,27 @@ out:
68} 72}
69__setup("ima_hash=", hash_setup); 73__setup("ima_hash=", hash_setup);
70 74
75/* Prevent mmap'ing a file execute that is already mmap'ed write */
76static int mmap_violation_check(enum ima_hooks func, struct file *file,
77 char **pathbuf, const char **pathname,
78 char *filename)
79{
80 struct inode *inode;
81 int rc = 0;
82
83 if ((func == MMAP_CHECK) && mapping_writably_mapped(file->f_mapping)) {
84 rc = -ETXTBSY;
85 inode = file_inode(file);
86
87 if (!*pathbuf) /* ima_rdwr_violation possibly pre-fetched */
88 *pathname = ima_d_path(&file->f_path, pathbuf,
89 filename);
90 integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, *pathname,
91 "mmap_file", "mmapped_writers", rc, 0);
92 }
93 return rc;
94}
95
71/* 96/*
72 * ima_rdwr_violation_check 97 * ima_rdwr_violation_check
73 * 98 *
@@ -170,7 +195,7 @@ static int process_measurement(struct file *file, const struct cred *cred,
170{ 195{
171 struct inode *inode = file_inode(file); 196 struct inode *inode = file_inode(file);
172 struct integrity_iint_cache *iint = NULL; 197 struct integrity_iint_cache *iint = NULL;
173 struct ima_template_desc *template_desc; 198 struct ima_template_desc *template_desc = NULL;
174 char *pathbuf = NULL; 199 char *pathbuf = NULL;
175 char filename[NAME_MAX]; 200 char filename[NAME_MAX];
176 const char *pathname = NULL; 201 const char *pathname = NULL;
@@ -188,7 +213,8 @@ static int process_measurement(struct file *file, const struct cred *cred,
188 * bitmask based on the appraise/audit/measurement policy. 213 * bitmask based on the appraise/audit/measurement policy.
189 * Included is the appraise submask. 214 * Included is the appraise submask.
190 */ 215 */
191 action = ima_get_action(inode, cred, secid, mask, func, &pcr); 216 action = ima_get_action(inode, cred, secid, mask, func, &pcr,
217 &template_desc);
192 violation_check = ((func == FILE_CHECK || func == MMAP_CHECK) && 218 violation_check = ((func == FILE_CHECK || func == MMAP_CHECK) &&
193 (ima_policy_flag & IMA_MEASURE)); 219 (ima_policy_flag & IMA_MEASURE));
194 if (!action && !violation_check) 220 if (!action && !violation_check)
@@ -266,12 +292,15 @@ static int process_measurement(struct file *file, const struct cred *cred,
266 292
267 /* Nothing to do, just return existing appraised status */ 293 /* Nothing to do, just return existing appraised status */
268 if (!action) { 294 if (!action) {
269 if (must_appraise) 295 if (must_appraise) {
270 rc = ima_get_cache_status(iint, func); 296 rc = mmap_violation_check(func, file, &pathbuf,
297 &pathname, filename);
298 if (!rc)
299 rc = ima_get_cache_status(iint, func);
300 }
271 goto out_locked; 301 goto out_locked;
272 } 302 }
273 303
274 template_desc = ima_template_desc_current();
275 if ((action & IMA_APPRAISE_SUBMASK) || 304 if ((action & IMA_APPRAISE_SUBMASK) ||
276 strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) != 0) 305 strcmp(template_desc->name, IMA_TEMPLATE_IMA_NAME) != 0)
277 /* read 'security.ima' */ 306 /* read 'security.ima' */
@@ -288,12 +317,16 @@ static int process_measurement(struct file *file, const struct cred *cred,
288 317
289 if (action & IMA_MEASURE) 318 if (action & IMA_MEASURE)
290 ima_store_measurement(iint, file, pathname, 319 ima_store_measurement(iint, file, pathname,
291 xattr_value, xattr_len, pcr); 320 xattr_value, xattr_len, pcr,
321 template_desc);
292 if (rc == 0 && (action & IMA_APPRAISE_SUBMASK)) { 322 if (rc == 0 && (action & IMA_APPRAISE_SUBMASK)) {
293 inode_lock(inode); 323 inode_lock(inode);
294 rc = ima_appraise_measurement(func, iint, file, pathname, 324 rc = ima_appraise_measurement(func, iint, file, pathname,
295 xattr_value, xattr_len); 325 xattr_value, xattr_len);
296 inode_unlock(inode); 326 inode_unlock(inode);
327 if (!rc)
328 rc = mmap_violation_check(func, file, &pathbuf,
329 &pathname, filename);
297 } 330 }
298 if (action & IMA_AUDIT) 331 if (action & IMA_AUDIT)
299 ima_audit_measurement(iint, pathname); 332 ima_audit_measurement(iint, pathname);
@@ -572,6 +605,80 @@ int ima_load_data(enum kernel_load_data_id id)
572 return 0; 605 return 0;
573} 606}
574 607
608/*
609 * process_buffer_measurement - Measure the buffer to ima log.
610 * @buf: pointer to the buffer that needs to be added to the log.
611 * @size: size of buffer(in bytes).
612 * @eventname: event name to be used for the buffer entry.
613 * @cred: a pointer to a credentials structure for user validation.
614 * @secid: the secid of the task to be validated.
615 *
616 * Based on policy, the buffer is measured into the ima log.
617 */
618static void process_buffer_measurement(const void *buf, int size,
619 const char *eventname,
620 const struct cred *cred, u32 secid)
621{
622 int ret = 0;
623 struct ima_template_entry *entry = NULL;
624 struct integrity_iint_cache iint = {};
625 struct ima_event_data event_data = {.iint = &iint,
626 .filename = eventname,
627 .buf = buf,
628 .buf_len = size};
629 struct ima_template_desc *template_desc = NULL;
630 struct {
631 struct ima_digest_data hdr;
632 char digest[IMA_MAX_DIGEST_SIZE];
633 } hash = {};
634 int violation = 0;
635 int pcr = CONFIG_IMA_MEASURE_PCR_IDX;
636 int action = 0;
637
638 action = ima_get_action(NULL, cred, secid, 0, KEXEC_CMDLINE, &pcr,
639 &template_desc);
640 if (!(action & IMA_MEASURE))
641 return;
642
643 iint.ima_hash = &hash.hdr;
644 iint.ima_hash->algo = ima_hash_algo;
645 iint.ima_hash->length = hash_digest_size[ima_hash_algo];
646
647 ret = ima_calc_buffer_hash(buf, size, iint.ima_hash);
648 if (ret < 0)
649 goto out;
650
651 ret = ima_alloc_init_template(&event_data, &entry, template_desc);
652 if (ret < 0)
653 goto out;
654
655 ret = ima_store_template(entry, violation, NULL, buf, pcr);
656
657 if (ret < 0)
658 ima_free_template_entry(entry);
659
660out:
661 return;
662}
663
664/**
665 * ima_kexec_cmdline - measure kexec cmdline boot args
666 * @buf: pointer to buffer
667 * @size: size of buffer
668 *
669 * Buffers can only be measured, not appraised.
670 */
671void ima_kexec_cmdline(const void *buf, int size)
672{
673 u32 secid;
674
675 if (buf && size != 0) {
676 security_task_getsecid(current, &secid);
677 process_buffer_measurement(buf, size, "kexec-cmdline",
678 current_cred(), secid);
679 }
680}
681
575static int __init init_ima(void) 682static int __init init_ima(void)
576{ 683{
577 int error; 684 int error;
@@ -589,6 +696,10 @@ static int __init init_ima(void)
589 error = ima_init(); 696 error = ima_init();
590 } 697 }
591 698
699 error = register_blocking_lsm_notifier(&ima_lsm_policy_notifier);
700 if (error)
701 pr_warn("Couldn't register LSM notifier, error %d\n", error);
702
592 if (!error) 703 if (!error)
593 ima_update_policy_flag(); 704 ima_update_policy_flag();
594 705
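Review bot: In init_ima the added `error = register_blocking_lsm_notifier(&ima_lsm_policy_notifier);` unconditionally overwrites the result of the preceding `error = ima_init();`, so when ima_init() fails but registration succeeds, `error` becomes 0, ima_update_policy_flag() runs and init_ima reports success. Guard the registration on the earlier outcome, `if (error) return error;` immediately before it (or `if (!error) error = register_blocking_lsm_notifier(...)`), keeping the pr_warn for a registration failure. The start of init_ima is outside the hunk, so I am assuming nothing between the ima_init() call and this line re-checks `error`. Separately, ima_kexec_cmdline only rejects `size != 0`; since `size` is an `int`, a negative value would reach ima_calc_buffer_hash() and `.buf_len` in process_buffer_measurement, so `if (buf && size > 0)` is the safer guard.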
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 7b53f2ca58e2..6df7f641ff66 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -76,6 +76,7 @@ struct ima_rule_entry {
76 int type; /* audit type */ 76 int type; /* audit type */
77 } lsm[MAX_LSM_RULES]; 77 } lsm[MAX_LSM_RULES];
78 char *fsname; 78 char *fsname;
79 struct ima_template_desc *template;
79}; 80};
80 81
81/* 82/*
@@ -195,7 +196,7 @@ static struct ima_rule_entry secure_boot_rules[] __ro_after_init = {
195}; 196};
196 197
197/* An array of architecture specific rules */ 198/* An array of architecture specific rules */
198struct ima_rule_entry *arch_policy_entry __ro_after_init; 199static struct ima_rule_entry *arch_policy_entry __ro_after_init;
199 200
200static LIST_HEAD(ima_default_rules); 201static LIST_HEAD(ima_default_rules);
201static LIST_HEAD(ima_policy_rules); 202static LIST_HEAD(ima_policy_rules);
@@ -245,31 +246,113 @@ static int __init default_appraise_policy_setup(char *str)
245} 246}
246__setup("ima_appraise_tcb", default_appraise_policy_setup); 247__setup("ima_appraise_tcb", default_appraise_policy_setup);
247 248
249static void ima_lsm_free_rule(struct ima_rule_entry *entry)
250{
251 int i;
252
253 for (i = 0; i < MAX_LSM_RULES; i++) {
254 kfree(entry->lsm[i].rule);
255 kfree(entry->lsm[i].args_p);
256 }
257 kfree(entry);
258}
259
260static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry)
261{
262 struct ima_rule_entry *nentry;
263 int i, result;
264
265 nentry = kmalloc(sizeof(*nentry), GFP_KERNEL);
266 if (!nentry)
267 return NULL;
268
269 /*
270 * Immutable elements are copied over as pointers and data; only
271 * lsm rules can change
272 */
273 memcpy(nentry, entry, sizeof(*nentry));
274 memset(nentry->lsm, 0, FIELD_SIZEOF(struct ima_rule_entry, lsm));
275
276 for (i = 0; i < MAX_LSM_RULES; i++) {
277 if (!entry->lsm[i].rule)
278 continue;
279
280 nentry->lsm[i].type = entry->lsm[i].type;
281 nentry->lsm[i].args_p = kstrdup(entry->lsm[i].args_p,
282 GFP_KERNEL);
283 if (!nentry->lsm[i].args_p)
284 goto out_err;
285
286 result = security_filter_rule_init(nentry->lsm[i].type,
287 Audit_equal,
288 nentry->lsm[i].args_p,
289 &nentry->lsm[i].rule);
290 if (result == -EINVAL)
291 pr_warn("ima: rule for LSM \'%d\' is undefined\n",
292 entry->lsm[i].type);
293 }
294 return nentry;
295
296out_err:
297 ima_lsm_free_rule(nentry);
298 return NULL;
299}
300
301static int ima_lsm_update_rule(struct ima_rule_entry *entry)
302{
303 struct ima_rule_entry *nentry;
304
305 nentry = ima_lsm_copy_rule(entry);
306 if (!nentry)
307 return -ENOMEM;
308
309 list_replace_rcu(&entry->list, &nentry->list);
310 synchronize_rcu();
311 ima_lsm_free_rule(entry);
312
313 return 0;
314}
315
248/* 316/*
249 * The LSM policy can be reloaded, leaving the IMA LSM based rules referring 317 * The LSM policy can be reloaded, leaving the IMA LSM based rules referring
250 * to the old, stale LSM policy. Update the IMA LSM based rules to reflect 318 * to the old, stale LSM policy. Update the IMA LSM based rules to reflect
251 * the reloaded LSM policy. We assume the rules still exist; and BUG_ON() if 319 * the reloaded LSM policy.
252 * they don't.
253 */ 320 */
254static void ima_lsm_update_rules(void) 321static void ima_lsm_update_rules(void)
255{ 322{
256 struct ima_rule_entry *entry; 323 struct ima_rule_entry *entry, *e;
257 int result; 324 int i, result, needs_update;
258 int i;
259 325
260 list_for_each_entry(entry, &ima_policy_rules, list) { 326 list_for_each_entry_safe(entry, e, &ima_policy_rules, list) {
327 needs_update = 0;
261 for (i = 0; i < MAX_LSM_RULES; i++) { 328 for (i = 0; i < MAX_LSM_RULES; i++) {
262 if (!entry->lsm[i].rule) 329 if (entry->lsm[i].rule) {
263 continue; 330 needs_update = 1;
264 result = security_filter_rule_init(entry->lsm[i].type, 331 break;
265 Audit_equal, 332 }
266 entry->lsm[i].args_p, 333 }
267 &entry->lsm[i].rule); 334 if (!needs_update)
268 BUG_ON(!entry->lsm[i].rule); 335 continue;
336
337 result = ima_lsm_update_rule(entry);
338 if (result) {
339 pr_err("ima: lsm rule update error %d\n",
340 result);
341 return;
269 } 342 }
270 } 343 }
271} 344}
272 345
346int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event,
347 void *lsm_data)
348{
349 if (event != LSM_POLICY_CHANGE)
350 return NOTIFY_DONE;
351
352 ima_lsm_update_rules();
353 return NOTIFY_OK;
354}
355
273/** 356/**
274 * ima_match_rules - determine whether an inode matches the measure rule. 357 * ima_match_rules - determine whether an inode matches the measure rule.
275 * @rule: a pointer to a rule 358 * @rule: a pointer to a rule
@@ -287,6 +370,11 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
287{ 370{
288 int i; 371 int i;
289 372
373 if (func == KEXEC_CMDLINE) {
374 if ((rule->flags & IMA_FUNC) && (rule->func == func))
375 return true;
376 return false;
377 }
290 if ((rule->flags & IMA_FUNC) && 378 if ((rule->flags & IMA_FUNC) &&
291 (rule->func != func && func != POST_SETATTR)) 379 (rule->func != func && func != POST_SETATTR))
292 return false; 380 return false;
@@ -323,11 +411,10 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
323 for (i = 0; i < MAX_LSM_RULES; i++) { 411 for (i = 0; i < MAX_LSM_RULES; i++) {
324 int rc = 0; 412 int rc = 0;
325 u32 osid; 413 u32 osid;
326 int retried = 0;
327 414
328 if (!rule->lsm[i].rule) 415 if (!rule->lsm[i].rule)
329 continue; 416 continue;
330retry: 417
331 switch (i) { 418 switch (i) {
332 case LSM_OBJ_USER: 419 case LSM_OBJ_USER:
333 case LSM_OBJ_ROLE: 420 case LSM_OBJ_ROLE:
@@ -348,11 +435,6 @@ retry:
348 default: 435 default:
349 break; 436 break;
350 } 437 }
351 if ((rc < 0) && (!retried)) {
352 retried = 1;
353 ima_lsm_update_rules();
354 goto retry;
355 }
356 if (!rc) 438 if (!rc)
357 return false; 439 return false;
358 } 440 }
@@ -393,6 +475,7 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func)
393 * @func: IMA hook identifier 475 * @func: IMA hook identifier
394 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) 476 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
395 * @pcr: set the pcr to extend 477 * @pcr: set the pcr to extend
478 * @template_desc: the template that should be used for this rule
396 * 479 *
397 * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type) 480 * Measure decision based on func/mask/fsmagic and LSM(subj/obj/type)
398 * conditions. 481 * conditions.
@@ -402,7 +485,8 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func)
402 * than writes so ima_match_policy() is classical RCU candidate. 485 * than writes so ima_match_policy() is classical RCU candidate.
403 */ 486 */
404int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid, 487int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid,
405 enum ima_hooks func, int mask, int flags, int *pcr) 488 enum ima_hooks func, int mask, int flags, int *pcr,
489 struct ima_template_desc **template_desc)
406{ 490{
407 struct ima_rule_entry *entry; 491 struct ima_rule_entry *entry;
408 int action = 0, actmask = flags | (flags << 1); 492 int action = 0, actmask = flags | (flags << 1);
@@ -434,6 +518,11 @@ int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid,
434 if ((pcr) && (entry->flags & IMA_PCR)) 518 if ((pcr) && (entry->flags & IMA_PCR))
435 *pcr = entry->pcr; 519 *pcr = entry->pcr;
436 520
521 if (template_desc && entry->template)
522 *template_desc = entry->template;
523 else if (template_desc)
524 *template_desc = ima_template_desc_current();
525
437 if (!actmask) 526 if (!actmask)
438 break; 527 break;
439 } 528 }
@@ -672,7 +761,7 @@ enum {
672 Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt, 761 Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt,
673 Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt, 762 Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt,
674 Opt_appraise_type, Opt_permit_directio, 763 Opt_appraise_type, Opt_permit_directio,
675 Opt_pcr, Opt_err 764 Opt_pcr, Opt_template, Opt_err
676}; 765};
677 766
678static const match_table_t policy_tokens = { 767static const match_table_t policy_tokens = {
@@ -706,6 +795,7 @@ static const match_table_t policy_tokens = {
706 {Opt_appraise_type, "appraise_type=%s"}, 795 {Opt_appraise_type, "appraise_type=%s"},
707 {Opt_permit_directio, "permit_directio"}, 796 {Opt_permit_directio, "permit_directio"},
708 {Opt_pcr, "pcr=%s"}, 797 {Opt_pcr, "pcr=%s"},
798 {Opt_template, "template=%s"},
709 {Opt_err, NULL} 799 {Opt_err, NULL}
710}; 800};
711 801
@@ -759,6 +849,7 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
759 char *from; 849 char *from;
760 char *p; 850 char *p;
761 bool uid_token; 851 bool uid_token;
852 struct ima_template_desc *template_desc;
762 int result = 0; 853 int result = 0;
763 854
764 ab = integrity_audit_log_start(audit_context(), GFP_KERNEL, 855 ab = integrity_audit_log_start(audit_context(), GFP_KERNEL,
@@ -866,6 +957,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
866 entry->func = KEXEC_INITRAMFS_CHECK; 957 entry->func = KEXEC_INITRAMFS_CHECK;
867 else if (strcmp(args[0].from, "POLICY_CHECK") == 0) 958 else if (strcmp(args[0].from, "POLICY_CHECK") == 0)
868 entry->func = POLICY_CHECK; 959 entry->func = POLICY_CHECK;
960 else if (strcmp(args[0].from, "KEXEC_CMDLINE") == 0)
961 entry->func = KEXEC_CMDLINE;
869 else 962 else
870 result = -EINVAL; 963 result = -EINVAL;
871 if (!result) 964 if (!result)
@@ -1055,6 +1148,28 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
1055 entry->flags |= IMA_PCR; 1148 entry->flags |= IMA_PCR;
1056 1149
1057 break; 1150 break;
1151 case Opt_template:
1152 ima_log_string(ab, "template", args[0].from);
1153 if (entry->action != MEASURE) {
1154 result = -EINVAL;
1155 break;
1156 }
1157 template_desc = lookup_template_desc(args[0].from);
1158 if (!template_desc || entry->template) {
1159 result = -EINVAL;
1160 break;
1161 }
1162
1163 /*
1164 * template_desc_init_fields() does nothing if
1165 * the template is already initialised, so
1166 * it's safe to do this unconditionally
1167 */
1168 template_desc_init_fields(template_desc->fmt,
1169 &(template_desc->fields),
1170 &(template_desc->num_fields));
1171 entry->template = template_desc;
1172 break;
1058 case Opt_err: 1173 case Opt_err:
1059 ima_log_string(ab, "UNKNOWN", p); 1174 ima_log_string(ab, "UNKNOWN", p);
1060 result = -EINVAL; 1175 result = -EINVAL;
@@ -1330,6 +1445,8 @@ int ima_policy_show(struct seq_file *m, void *v)
1330 } 1445 }
1331 } 1446 }
1332 } 1447 }
1448 if (entry->template)
1449 seq_printf(m, "template=%s ", entry->template->name);
1333 if (entry->flags & IMA_DIGSIG_REQUIRED) 1450 if (entry->flags & IMA_DIGSIG_REQUIRED)
1334 seq_puts(m, "appraise_type=imasig "); 1451 seq_puts(m, "appraise_type=imasig ");
1335 if (entry->flags & IMA_PERMIT_DIRECTIO) 1452 if (entry->flags & IMA_PERMIT_DIRECTIO)
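Review bot: ima_lsm_copy_rule leaves `nentry->lsm[i].rule` NULL when security_filter_rule_init() fails (the result is only warned about for -EINVAL and silently dropped for any other error), and ima_match_rules still does `if (!rule->lsm[i].rule) continue;`, so a rule whose LSM label no longer resolves after a policy reload is matched as if that LSM condition were absent. For a `dont_measure`/`dont_appraise` rule this widens the exemption to every file its remaining conditions match, which is a fail-open; because `args_p` is kept on the copied entry, the match loop can distinguish an unresolved condition from a missing one: `if (!rule->lsm[i].rule) { if (!rule->lsm[i].args_p) continue; return false; }`. Whichever behaviour is intended, a comment on ima_lsm_copy_rule should state it and name the errors that are tolerated. Also, in the Opt_template case of ima_parse_rule the return value of template_desc_init_fields() is dropped; `result = template_desc_init_fields(...); if (result < 0) break;` avoids installing a template whose field initialisation failed (ima_parse_rule begins and ends outside the hunk).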
diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c
index f4354c267396..cb349d7b2601 100644
--- a/security/integrity/ima/ima_template.c
+++ b/security/integrity/ima/ima_template.c
@@ -22,6 +22,7 @@ static struct ima_template_desc builtin_templates[] = {
22 {.name = IMA_TEMPLATE_IMA_NAME, .fmt = IMA_TEMPLATE_IMA_FMT}, 22 {.name = IMA_TEMPLATE_IMA_NAME, .fmt = IMA_TEMPLATE_IMA_FMT},
23 {.name = "ima-ng", .fmt = "d-ng|n-ng"}, 23 {.name = "ima-ng", .fmt = "d-ng|n-ng"},
24 {.name = "ima-sig", .fmt = "d-ng|n-ng|sig"}, 24 {.name = "ima-sig", .fmt = "d-ng|n-ng|sig"},
25 {.name = "ima-buf", .fmt = "d-ng|n-ng|buf"},
25 {.name = "", .fmt = ""}, /* placeholder for a custom format */ 26 {.name = "", .fmt = ""}, /* placeholder for a custom format */
26}; 27};
27 28
@@ -39,14 +40,18 @@ static const struct ima_template_field supported_fields[] = {
39 .field_show = ima_show_template_string}, 40 .field_show = ima_show_template_string},
40 {.field_id = "sig", .field_init = ima_eventsig_init, 41 {.field_id = "sig", .field_init = ima_eventsig_init,
41 .field_show = ima_show_template_sig}, 42 .field_show = ima_show_template_sig},
43 {.field_id = "buf", .field_init = ima_eventbuf_init,
44 .field_show = ima_show_template_buf},
42}; 45};
43#define MAX_TEMPLATE_NAME_LEN 15 46
47/*
48 * Used when restoring measurements carried over from a kexec. 'd' and 'n' don't
49 * need to be accounted for since they shouldn't be defined in the same template
50 * description as 'd-ng' and 'n-ng' respectively.
51 */
52#define MAX_TEMPLATE_NAME_LEN sizeof("d-ng|n-ng|sig|buf")
44 53
45static struct ima_template_desc *ima_template; 54static struct ima_template_desc *ima_template;
46static struct ima_template_desc *lookup_template_desc(const char *name);
47static int template_desc_init_fields(const char *template_fmt,
48 const struct ima_template_field ***fields,
49 int *num_fields);
50 55
51static int __init ima_template_setup(char *str) 56static int __init ima_template_setup(char *str)
52{ 57{
@@ -104,7 +109,7 @@ static int __init ima_template_fmt_setup(char *str)
104} 109}
105__setup("ima_template_fmt=", ima_template_fmt_setup); 110__setup("ima_template_fmt=", ima_template_fmt_setup);
106 111
107static struct ima_template_desc *lookup_template_desc(const char *name) 112struct ima_template_desc *lookup_template_desc(const char *name)
108{ 113{
109 struct ima_template_desc *template_desc; 114 struct ima_template_desc *template_desc;
110 int found = 0; 115 int found = 0;
@@ -149,9 +154,9 @@ static int template_fmt_size(const char *template_fmt)
149 return j + 1; 154 return j + 1;
150} 155}
151 156
152static int template_desc_init_fields(const char *template_fmt, 157int template_desc_init_fields(const char *template_fmt,
153 const struct ima_template_field ***fields, 158 const struct ima_template_field ***fields,
154 int *num_fields) 159 int *num_fields)
155{ 160{
156 const char *template_fmt_ptr; 161 const char *template_fmt_ptr;
157 const struct ima_template_field *found_fields[IMA_TEMPLATE_NUM_FIELDS_MAX]; 162 const struct ima_template_field *found_fields[IMA_TEMPLATE_NUM_FIELDS_MAX];
diff --git a/security/integrity/ima/ima_template_lib.c b/security/integrity/ima/ima_template_lib.c
index 9fe0ef7f91e2..2fb9a10bc6b7 100644
--- a/security/integrity/ima/ima_template_lib.c
+++ b/security/integrity/ima/ima_template_lib.c
@@ -158,6 +158,12 @@ void ima_show_template_sig(struct seq_file *m, enum ima_show_type show,
158 ima_show_template_field_data(m, show, DATA_FMT_HEX, field_data); 158 ima_show_template_field_data(m, show, DATA_FMT_HEX, field_data);
159} 159}
160 160
161void ima_show_template_buf(struct seq_file *m, enum ima_show_type show,
162 struct ima_field_data *field_data)
163{
164 ima_show_template_field_data(m, show, DATA_FMT_HEX, field_data);
165}
166
161/** 167/**
162 * ima_parse_buf() - Parses lengths and data from an input buffer 168 * ima_parse_buf() - Parses lengths and data from an input buffer
163 * @bufstartp: Buffer start address. 169 * @bufstartp: Buffer start address.
@@ -385,3 +391,18 @@ int ima_eventsig_init(struct ima_event_data *event_data,
385 return ima_write_template_field_data(xattr_value, event_data->xattr_len, 391 return ima_write_template_field_data(xattr_value, event_data->xattr_len,
386 DATA_FMT_HEX, field_data); 392 DATA_FMT_HEX, field_data);
387} 393}
394
395/*
396 * ima_eventbuf_init - include the buffer(kexec-cmldine) as part of the
397 * template data.
398 */
399int ima_eventbuf_init(struct ima_event_data *event_data,
400 struct ima_field_data *field_data)
401{
402 if ((!event_data->buf) || (event_data->buf_len == 0))
403 return 0;
404
405 return ima_write_template_field_data(event_data->buf,
406 event_data->buf_len, DATA_FMT_HEX,
407 field_data);
408}
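Review bot: The comment above ima_eventbuf_init misspells the event name as `kexec-cmldine` (the string passed in ima_kexec_cmdline is "kexec-cmdline") and describes the field as kexec-specific although the function is generic over `event_data->buf`. Suggest `/* ima_eventbuf_init - include event_data->buf (e.g. the kexec command line) in the template data as hex. */` plus a line noting that a NULL or empty buffer returns 0 without writing field_data, so what the field then contains depends on how the caller initialised it — not visible here.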
diff --git a/security/integrity/ima/ima_template_lib.h b/security/integrity/ima/ima_template_lib.h
index e515955456a3..652aa5de81ef 100644
--- a/security/integrity/ima/ima_template_lib.h
+++ b/security/integrity/ima/ima_template_lib.h
@@ -25,6 +25,8 @@ void ima_show_template_string(struct seq_file *m, enum ima_show_type show,
25 struct ima_field_data *field_data); 25 struct ima_field_data *field_data);
26void ima_show_template_sig(struct seq_file *m, enum ima_show_type show, 26void ima_show_template_sig(struct seq_file *m, enum ima_show_type show,
27 struct ima_field_data *field_data); 27 struct ima_field_data *field_data);
28void ima_show_template_buf(struct seq_file *m, enum ima_show_type show,
29 struct ima_field_data *field_data);
28int ima_parse_buf(void *bufstartp, void *bufendp, void **bufcurp, 30int ima_parse_buf(void *bufstartp, void *bufendp, void **bufcurp,
29 int maxfields, struct ima_field_data *fields, int *curfields, 31 int maxfields, struct ima_field_data *fields, int *curfields,
30 unsigned long *len_mask, int enforce_mask, char *bufname); 32 unsigned long *len_mask, int enforce_mask, char *bufname);
@@ -38,4 +40,6 @@ int ima_eventname_ng_init(struct ima_event_data *event_data,
38 struct ima_field_data *field_data); 40 struct ima_field_data *field_data);
39int ima_eventsig_init(struct ima_event_data *event_data, 41int ima_eventsig_init(struct ima_event_data *event_data,
40 struct ima_field_data *field_data); 42 struct ima_field_data *field_data);
43int ima_eventbuf_init(struct ima_event_data *event_data,
44 struct ima_field_data *field_data);
41#endif /* __LINUX_IMA_TEMPLATE_LIB_H */ 45#endif /* __LINUX_IMA_TEMPLATE_LIB_H */
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 45f4aef83e29..875c6a7a5af1 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -76,6 +76,12 @@ enum evm_ima_xattr_type {
76 76
77struct evm_ima_xattr_data { 77struct evm_ima_xattr_data {
78 u8 type; 78 u8 type;
79 u8 data[];
80} __packed;
81
82/* Only used in the EVM HMAC code. */
83struct evm_xattr {
84 struct evm_ima_xattr_data data;
79 u8 digest[SHA1_DIGEST_SIZE]; 85 u8 digest[SHA1_DIGEST_SIZE];
80} __packed; 86} __packed;
81 87
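Review bot: `struct evm_xattr` embeds `struct evm_ima_xattr_data`, which now ends in the flexible array member `data[]`, and places `digest` after it; a struct containing a flexible array member used as a non-final member is not valid ISO C (C11 6.7.2.1) and compiles only as a compiler extension, with `digest` overlaying the start of `data`. If that overlay is the intent (the EVM HMAC code reading the digest through `data`), the existing "Only used in the EVM HMAC code." comment should say so, e.g. `/* data.data[] is a flexible array member; digest intentionally overlays it (relies on a GCC extension). */`.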
diff --git a/security/security.c b/security/security.c
index f493db0bf62a..250ee2d76406 100644
--- a/security/security.c
+++ b/security/security.c
@@ -35,7 +35,7 @@
35#define LSM_COUNT (__end_lsm_info - __start_lsm_info) 35#define LSM_COUNT (__end_lsm_info - __start_lsm_info)
36 36
37struct security_hook_heads security_hook_heads __lsm_ro_after_init; 37struct security_hook_heads security_hook_heads __lsm_ro_after_init;
38static ATOMIC_NOTIFIER_HEAD(lsm_notifier_chain); 38static BLOCKING_NOTIFIER_HEAD(blocking_lsm_notifier_chain);
39 39
40static struct kmem_cache *lsm_file_cache; 40static struct kmem_cache *lsm_file_cache;
41static struct kmem_cache *lsm_inode_cache; 41static struct kmem_cache *lsm_inode_cache;
@@ -426,23 +426,26 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count,
426 panic("%s - Cannot get early memory.\n", __func__); 426 panic("%s - Cannot get early memory.\n", __func__);
427} 427}
428 428
429int call_lsm_notifier(enum lsm_event event, void *data) 429int call_blocking_lsm_notifier(enum lsm_event event, void *data)
430{ 430{
431 return atomic_notifier_call_chain(&lsm_notifier_chain, event, data); 431 return blocking_notifier_call_chain(&blocking_lsm_notifier_chain,
432 event, data);
432} 433}
433EXPORT_SYMBOL(call_lsm_notifier); 434EXPORT_SYMBOL(call_blocking_lsm_notifier);
434 435
435int register_lsm_notifier(struct notifier_block *nb) 436int register_blocking_lsm_notifier(struct notifier_block *nb)
436{ 437{
437 return atomic_notifier_chain_register(&lsm_notifier_chain, nb); 438 return blocking_notifier_chain_register(&blocking_lsm_notifier_chain,
439 nb);
438} 440}
439EXPORT_SYMBOL(register_lsm_notifier); 441EXPORT_SYMBOL(register_blocking_lsm_notifier);
440 442
441int unregister_lsm_notifier(struct notifier_block *nb) 443int unregister_blocking_lsm_notifier(struct notifier_block *nb)
442{ 444{
443 return atomic_notifier_chain_unregister(&lsm_notifier_chain, nb); 445 return blocking_notifier_chain_unregister(&blocking_lsm_notifier_chain,
446 nb);
444} 447}
445EXPORT_SYMBOL(unregister_lsm_notifier); 448EXPORT_SYMBOL(unregister_blocking_lsm_notifier);
446 449
447/** 450/**
448 * lsm_cred_alloc - allocate a composite cred blob 451 * lsm_cred_alloc - allocate a composite cred blob
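Review bot: Switching the chain from ATOMIC_NOTIFIER_HEAD to BLOCKING_NOTIFIER_HEAD changes the context in which call_blocking_lsm_notifier() may be invoked — blocking_notifier_call_chain() takes the chain's rwsem and may sleep — but none of the three renamed functions carries a comment stating the new requirement. Suggest a kerneldoc block on call_blocking_lsm_notifier saying it must be called from process context, that registered callbacks are allowed to sleep, and pointing at the two callers updated in this series (selinux_lsm_notifier_avc_callback and sel_write_enforce) as the contexts that were checked.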
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 4ed83d869084..4bef86ed463b 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -194,7 +194,7 @@ static int selinux_lsm_notifier_avc_callback(u32 event)
194{ 194{
195 if (event == AVC_CALLBACK_RESET) { 195 if (event == AVC_CALLBACK_RESET) {
196 sel_ib_pkey_flush(); 196 sel_ib_pkey_flush();
197 call_lsm_notifier(LSM_POLICY_CHANGE, NULL); 197 call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
198 } 198 }
199 199
200 return 0; 200 return 0;
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 1884f34bb983..6f195c7915de 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -178,7 +178,7 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf,
178 selnl_notify_setenforce(new_value); 178 selnl_notify_setenforce(new_value);
179 selinux_status_update_setenforce(state, new_value); 179 selinux_status_update_setenforce(state, new_value);
180 if (!new_value) 180 if (!new_value)
181 call_lsm_notifier(LSM_POLICY_CHANGE, NULL); 181 call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
182 } 182 }
183 length = count; 183 length = count;
184out: 184out: