IMA: Support using new creds in appraisal policy

The existing BPRM_CHECK functionality in IMA validates against the credentials of the existing process, not any new credentials that the child process may transition to. Add an additional CREDS_CHECK target and refactor IMA to pass the appropriate creds structure. In ima_bprm_check(), check with both the existing process credentials and the credentials that will be committed when the new process is started. This will not change behaviour unless the system policy is extended to include CREDS_CHECK targets - BPRM_CHECK will continue to check the same credentials that it did previously. After this patch, an IMA policy rule along the lines of: measure func=CREDS_CHECK subj_type=unconfined_t will trigger if a process is executed and runs as unconfined_t, ignoring the context of the parent process. This is in contrast to: measure func=BPRM_CHECK subj_type=unconfined_t which will trigger if the process that calls exec() is already executing in unconfined_t, ignoring the context that the child process executes into. Signed-off-by: Matthew Garrett <mjg59@google.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Changelog: - initialize ima_creds_status
author: Matthew Garrett <mjg59@google.com> 2018-01-08 16:36:20 -0500
committer: Mimi Zohar <zohar@linux.vnet.ibm.com> 2018-03-23 06:31:11 -0400
commit: d906c10d8a31654cb9167c9a2ebc7d3e43820bad (patch)
tree: b82b0c49a7d88ee82fc7f083a8bf62250e8164f9
parent: 3ec30113264a7bcd389f51d1738e42da0f41bb5a (diff)
8 files changed, 80 insertions, 30 deletions
diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
index 2028f2d093b2..b8465e00ba5f 100644
--- a/Documentation/ABI/testing/ima_policy
+++ b/Documentation/ABI/testing/ima_policy
@@ -26,7 +26,7 @@ Description:
                                 [obj_user=] [obj_role=] [obj_type=]]
                        option: [[appraise_type=]] [permit_directio]
-                base:   func:= [BPRM_CHECK][MMAP_CHECK][FILE_CHECK][MODULE_CHECK]
+                base:   func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]
                                [FIRMWARE_CHECK]
                                [KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
                        mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
diff --git a/security/integrity/iint.c b/security/integrity/iint.c
index 9700e96ab0f0..f266e4b3b7d4 100644
--- a/security/integrity/iint.c
+++ b/security/integrity/iint.c
@@ -79,6 +79,7 @@ static void iint_free(struct integrity_iint_cache *iint)
        iint->ima_mmap_status = INTEGRITY_UNKNOWN;
        iint->ima_bprm_status = INTEGRITY_UNKNOWN;
        iint->ima_read_status = INTEGRITY_UNKNOWN;
+        iint->ima_creds_status = INTEGRITY_UNKNOWN;
        iint->evm_status = INTEGRITY_UNKNOWN;
        iint->measured_pcrs = 0;
        kmem_cache_free(iint_cache, iint);
@@ -158,6 +159,7 @@ static void init_once(void *foo)
        iint->ima_mmap_status = INTEGRITY_UNKNOWN;
        iint->ima_bprm_status = INTEGRITY_UNKNOWN;
        iint->ima_read_status = INTEGRITY_UNKNOWN;
+        iint->ima_creds_status = INTEGRITY_UNKNOWN;
        iint->evm_status = INTEGRITY_UNKNOWN;
        mutex_init(&iint->mutex);
 }
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index d52b487ad259..35fe91aa1fc9 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -177,6 +177,7 @@ static inline unsigned long ima_hash_key(u8 *digest)
        hook(FILE_CHECK)                \
        hook(MMAP_CHECK)                \
        hook(BPRM_CHECK)                \
+        hook(CREDS_CHECK)               \
        hook(POST_SETATTR)              \
        hook(MODULE_CHECK)              \
        hook(FIRMWARE_CHECK)            \
@@ -191,8 +192,8 @@ enum ima_hooks {
 };
 /* LIM API function definitions */
-int ima_get_action(struct inode *inode, int mask,
+int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid,
-                   enum ima_hooks func, int *pcr);
+                   int mask, enum ima_hooks func, int *pcr);
 int ima_must_measure(struct inode *inode, int mask, enum ima_hooks func);
 int ima_collect_measurement(struct integrity_iint_cache *iint,
                            struct file *file, void *buf, loff_t size,
@@ -212,8 +213,8 @@ void ima_free_template_entry(struct ima_template_entry *entry);
 const char *ima_d_path(const struct path *path, char **pathbuf, char *filename);
 /* IMA policy related functions */
-int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,
+int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid,
-                     int flags, int *pcr);
+                     enum ima_hooks func, int mask, int flags, int *pcr);
 void ima_init_policy(void);
 void ima_update_policy(void);
 void ima_update_policy_flag(void);
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index 08fe405338e1..33b4458cdbef 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -158,6 +158,8 @@ err_out:
 /**
 * ima_get_action - appraise & measure decision based on policy.
 * @inode: pointer to inode to measure
+ * @cred: pointer to credentials structure to validate
+ * @secid: secid of the task being validated
 * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXEC,
 *        MAY_APPEND)
 * @func: caller identifier
@@ -166,20 +168,21 @@ err_out:
 * The policy is defined in terms of keypairs:
 *              subj=, obj=, type=, func=, mask=, fsmagic=
 *      subj,obj, and type: are LSM specific.
- *      func: FILE_CHECK | BPRM_CHECK | MMAP_CHECK | MODULE_CHECK
+ *      func: FILE_CHECK | BPRM_CHECK | CREDS_CHECK | MMAP_CHECK | MODULE_CHECK
 *      mask: contains the permission mask
 *      fsmagic: hex value
 *
 * Returns IMA_MEASURE, IMA_APPRAISE mask.
 *
 */
-int ima_get_action(struct inode *inode, int mask, enum ima_hooks func, int *pcr)
+int ima_get_action(struct inode *inode, const struct cred *cred, u32 secid,
+                   int mask, enum ima_hooks func, int *pcr)
 {
        int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE | IMA_HASH;
        flags &= ima_policy_flag;
-        return ima_match_policy(inode, func, mask, flags, pcr);
+        return ima_match_policy(inode, cred, secid, func, mask, flags, pcr);
 }
 /*
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index f2803a40ff82..1b177461f20e 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -50,11 +50,14 @@ bool is_ima_appraise_enabled(void)
 */
 int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func)
 {
+        u32 secid;
        if (!ima_appraise)
                return 0;
-        return ima_match_policy(inode, func, mask, IMA_APPRAISE | IMA_HASH,
+        security_task_getsecid(current, &secid);
-                                NULL);
+        return ima_match_policy(inode, current_cred(), secid, func, mask,
+                                IMA_APPRAISE | IMA_HASH, NULL);
 }
 static int ima_fix_xattr(struct dentry *dentry,
@@ -87,6 +90,8 @@ enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
                return iint->ima_mmap_status;
        case BPRM_CHECK:
                return iint->ima_bprm_status;
+        case CREDS_CHECK:
+                return iint->ima_creds_status;
        case FILE_CHECK:
        case POST_SETATTR:
                return iint->ima_file_status;
@@ -107,6 +112,8 @@ static void ima_set_cache_status(struct integrity_iint_cache *iint,
        case BPRM_CHECK:
                iint->ima_bprm_status = status;
                break;
+        case CREDS_CHECK:
+                iint->ima_creds_status = status;
        case FILE_CHECK:
        case POST_SETATTR:
                iint->ima_file_status = status;
@@ -128,6 +135,9 @@ static void ima_cache_flags(struct integrity_iint_cache *iint,
        case BPRM_CHECK:
                iint->flags |= (IMA_BPRM_APPRAISED | IMA_APPRAISED);
                break;
+        case CREDS_CHECK:
+                iint->flags |= (IMA_CREDS_APPRAISED | IMA_APPRAISED);
+                break;
        case FILE_CHECK:
        case POST_SETATTR:
                iint->flags |= (IMA_FILE_APPRAISED | IMA_APPRAISED);
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 2cfb0c714967..a5d225ffc388 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -167,8 +167,9 @@ void ima_file_free(struct file *file)
        ima_check_last_writer(iint, inode, file);
 }
-static int process_measurement(struct file *file, char *buf, loff_t size,
+static int process_measurement(struct file *file, const struct cred *cred,
-                               int mask, enum ima_hooks func, int opened)
+                               u32 secid, char *buf, loff_t size, int mask,
+                               enum ima_hooks func, int opened)
 {
        struct inode *inode = file_inode(file);
        struct integrity_iint_cache *iint = NULL;
@@ -190,7 +191,7 @@ static int process_measurement(struct file *file, char *buf, loff_t size,
         * bitmask based on the appraise/audit/measurement policy.
         * Included is the appraise submask.
         */
-        action = ima_get_action(inode, mask, func, &pcr);
+        action = ima_get_action(inode, cred, secid, mask, func, &pcr);
        violation_check = ((func == FILE_CHECK || func == MMAP_CHECK) &&
                           (ima_policy_flag & IMA_MEASURE));
        if (!action && !violation_check)
@@ -324,9 +325,14 @@ out:
 */
 int ima_file_mmap(struct file *file, unsigned long prot)
 {
-        if (file && (prot & PROT_EXEC))
+        u32 secid;
-                return process_measurement(file, NULL, 0, MAY_EXEC,
-                                           MMAP_CHECK, 0);
+        if (file && (prot & PROT_EXEC)) {
+                security_task_getsecid(current, &secid);
+                return process_measurement(file, current_cred(), secid, NULL,
+                                           0, MAY_EXEC, MMAP_CHECK, 0);
+        }
        return 0;
 }
@@ -345,8 +351,18 @@ int ima_file_mmap(struct file *file, unsigned long prot)
 */
 int ima_bprm_check(struct linux_binprm *bprm)
 {
-        return process_measurement(bprm->file, NULL, 0, MAY_EXEC,
+        int ret;
-                                   BPRM_CHECK, 0);
+        u32 secid;
+        security_task_getsecid(current, &secid);
+        ret = process_measurement(bprm->file, current_cred(), secid, NULL, 0,
+                                  MAY_EXEC, BPRM_CHECK, 0);
+        if (ret)
+                return ret;
+        security_cred_getsecid(bprm->cred, &secid);
+        return process_measurement(bprm->file, bprm->cred, secid, NULL, 0,
+                                   MAY_EXEC, CREDS_CHECK, 0);
 }
 /**
@@ -361,7 +377,10 @@ int ima_bprm_check(struct linux_binprm *bprm)
 */
 int ima_file_check(struct file *file, int mask, int opened)
 {
-        return process_measurement(file, NULL, 0,
+        u32 secid;
+        security_task_getsecid(current, &secid);
+        return process_measurement(file, current_cred(), secid, NULL, 0,
                                   mask & (MAY_READ | MAY_WRITE | MAY_EXEC |
                                           MAY_APPEND), FILE_CHECK, opened);
 }
@@ -440,6 +459,7 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size,
                       enum kernel_read_file_id read_id)
 {
        enum ima_hooks func;
+        u32 secid;
        if (!file && read_id == READING_FIRMWARE) {
                if ((ima_appraise & IMA_APPRAISE_FIRMWARE) &&
@@ -462,7 +482,9 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size,
        }
        func = read_idmap[read_id] ?: FILE_CHECK;
-        return process_measurement(file, buf, size, MAY_READ, func, 0);
+        security_task_getsecid(current, &secid);
+        return process_measurement(file, current_cred(), secid, buf, size,
+                                   MAY_READ, func, 0);
 }
 static int __init init_ima(void)
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 915f5572c6ff..e3da29af2c16 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -243,16 +243,17 @@ static void ima_lsm_update_rules(void)
 * ima_match_rules - determine whether an inode matches the measure rule.
 * @rule: a pointer to a rule
 * @inode: a pointer to an inode
+ * @cred: a pointer to a credentials structure for user validation
+ * @secid: the secid of the task to be validated
 * @func: LIM hook identifier
 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
 *
 * Returns true on rule match, false on failure.
 */
 static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
+                            const struct cred *cred, u32 secid,
                            enum ima_hooks func, int mask)
 {
-        struct task_struct *tsk = current;
-        const struct cred *cred = current_cred();
        int i;
        if ((rule->flags & IMA_FUNC) &&
@@ -287,7 +288,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
                return false;
        for (i = 0; i < MAX_LSM_RULES; i++) {
                int rc = 0;
-                u32 osid, sid;
+                u32 osid;
                int retried = 0;
                if (!rule->lsm[i].rule)
@@ -307,8 +308,7 @@ retry:
                case LSM_SUBJ_USER:
                case LSM_SUBJ_ROLE:
                case LSM_SUBJ_TYPE:
-                        security_task_getsecid(tsk, &sid);
+                        rc = security_filter_rule_match(secid,
-                        rc = security_filter_rule_match(sid,
                                                        rule->lsm[i].type,
                                                        Audit_equal,
                                                        rule->lsm[i].rule,
@@ -341,6 +341,8 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func)
                return IMA_MMAP_APPRAISE;
        case BPRM_CHECK:
                return IMA_BPRM_APPRAISE;
+        case CREDS_CHECK:
+                return IMA_CREDS_APPRAISE;
        case FILE_CHECK:
        case POST_SETATTR:
                return IMA_FILE_APPRAISE;
@@ -353,6 +355,9 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func)
 /**
 * ima_match_policy - decision based on LSM and other conditions
 * @inode: pointer to an inode for which the policy decision is being made
+ * @cred: pointer to a credentials structure for which the policy decision is
+ *        being made
+ * @secid: LSM secid of the task to be validated
 * @func: IMA hook identifier
 * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
 * @pcr: set the pcr to extend
@@ -364,8 +369,8 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func)
 * list when walking it.  Reads are many orders of magnitude more numerous
 * than writes so ima_match_policy() is classical RCU candidate.
 */
-int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,
+int ima_match_policy(struct inode *inode, const struct cred *cred, u32 secid,
-                     int flags, int *pcr)
+                     enum ima_hooks func, int mask, int flags, int *pcr)
 {
        struct ima_rule_entry *entry;
        int action = 0, actmask = flags | (flags << 1);
@@ -376,7 +381,7 @@ int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,
                if (!(entry->action & actmask))
                        continue;
-                if (!ima_match_rules(entry, inode, func, mask))
+                if (!ima_match_rules(entry, inode, cred, secid, func, mask))
                        continue;
                action |= entry->flags & IMA_ACTION_FLAGS;
@@ -713,6 +718,8 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
                                entry->func = MMAP_CHECK;
                        else if (strcmp(args[0].from, "BPRM_CHECK") == 0)
                                entry->func = BPRM_CHECK;
+                        else if (strcmp(args[0].from, "CREDS_CHECK") == 0)
+                                entry->func = CREDS_CHECK;
                        else if (strcmp(args[0].from, "KEXEC_KERNEL_CHECK") ==
                                 0)
                                entry->func = KEXEC_KERNEL_CHECK;
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 50a8e3365df7..843ae23ba0ac 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -51,10 +51,14 @@
 #define IMA_BPRM_APPRAISED      0x00020000
 #define IMA_READ_APPRAISE       0x00040000
 #define IMA_READ_APPRAISED      0x00080000
+#define IMA_CREDS_APPRAISE      0x00100000
+#define IMA_CREDS_APPRAISED     0x00200000
 #define IMA_APPRAISE_SUBMASK    (IMA_FILE_APPRAISE | IMA_MMAP_APPRAISE | \
-                                 IMA_BPRM_APPRAISE | IMA_READ_APPRAISE)
+                                 IMA_BPRM_APPRAISE | IMA_READ_APPRAISE | \
+                                 IMA_CREDS_APPRAISE)
 #define IMA_APPRAISED_SUBMASK   (IMA_FILE_APPRAISED | IMA_MMAP_APPRAISED | \
-                                 IMA_BPRM_APPRAISED | IMA_READ_APPRAISED)
+                                 IMA_BPRM_APPRAISED | IMA_READ_APPRAISED | \
+                                 IMA_CREDS_APPRAISED)
 /* iint cache atomic_flags */
 #define IMA_CHANGE_XATTR        0
@@ -121,6 +125,7 @@ struct integrity_iint_cache {
        enum integrity_status ima_mmap_status:4;
        enum integrity_status ima_bprm_status:4;
        enum integrity_status ima_read_status:4;
+        enum integrity_status ima_creds_status:4;
        enum integrity_status evm_status:4;
        struct ima_digest_data *ima_hash;
 };
author	Matthew Garrett <mjg59@google.com>	2018-01-08 16:36:20 -0500
committer	Mimi Zohar <zohar@linux.vnet.ibm.com>	2018-03-23 06:31:11 -0400
commit	d906c10d8a31654cb9167c9a2ebc7d3e43820bad (patch)
tree	b82b0c49a7d88ee82fc7f083a8bf62250e8164f9
parent	3ec30113264a7bcd389f51d1738e42da0f41bb5a (diff)

diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy index 2028f2d093b2..b8465e00ba5f 100644 --- a/Documentation/ABI/testing/ima_policy +++ b/Documentation/ABI/testing/ima_policy
@@ -26,7 +26,7 @@ Description:
26	[obj_user=] [obj_role=] [obj_type=]]	26	[obj_user=] [obj_role=] [obj_type=]]
27	option: [[appraise_type=]] [permit_directio]	27	option: [[appraise_type=]] [permit_directio]
28		28
29	base: func:= [BPRM_CHECK][MMAP_CHECK][FILE_CHECK][MODULE_CHECK]	29	base: func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]
30	[FIRMWARE_CHECK]	30	[FIRMWARE_CHECK]
31	[KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]	31	[KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
32	mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]	32	mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]


diff --git a/security/integrity/iint.c b/security/integrity/iint.c index 9700e96ab0f0..f266e4b3b7d4 100644 --- a/security/integrity/iint.c +++ b/security/integrity/iint.c
@@ -79,6 +79,7 @@ static void iint_free(struct integrity_iint_cache *iint)
79	iint->ima_mmap_status = INTEGRITY_UNKNOWN;	79	iint->ima_mmap_status = INTEGRITY_UNKNOWN;
80	iint->ima_bprm_status = INTEGRITY_UNKNOWN;	80	iint->ima_bprm_status = INTEGRITY_UNKNOWN;
81	iint->ima_read_status = INTEGRITY_UNKNOWN;	81	iint->ima_read_status = INTEGRITY_UNKNOWN;
		82	iint->ima_creds_status = INTEGRITY_UNKNOWN;
82	iint->evm_status = INTEGRITY_UNKNOWN;	83	iint->evm_status = INTEGRITY_UNKNOWN;
83	iint->measured_pcrs = 0;	84	iint->measured_pcrs = 0;
84	kmem_cache_free(iint_cache, iint);	85	kmem_cache_free(iint_cache, iint);
@@ -158,6 +159,7 @@ static void init_once(void *foo)
158	iint->ima_mmap_status = INTEGRITY_UNKNOWN;	159	iint->ima_mmap_status = INTEGRITY_UNKNOWN;
159	iint->ima_bprm_status = INTEGRITY_UNKNOWN;	160	iint->ima_bprm_status = INTEGRITY_UNKNOWN;
160	iint->ima_read_status = INTEGRITY_UNKNOWN;	161	iint->ima_read_status = INTEGRITY_UNKNOWN;
		162	iint->ima_creds_status = INTEGRITY_UNKNOWN;
161	iint->evm_status = INTEGRITY_UNKNOWN;	163	iint->evm_status = INTEGRITY_UNKNOWN;
162	mutex_init(&iint->mutex);	164	mutex_init(&iint->mutex);
163	}	165	}


diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index d52b487ad259..35fe91aa1fc9 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h
@@ -177,6 +177,7 @@ static inline unsigned long ima_hash_key(u8 *digest)
177	hook(FILE_CHECK) \	177	hook(FILE_CHECK) \
178	hook(MMAP_CHECK) \	178	hook(MMAP_CHECK) \
179	hook(BPRM_CHECK) \	179	hook(BPRM_CHECK) \
		180	hook(CREDS_CHECK) \
180	hook(POST_SETATTR) \	181	hook(POST_SETATTR) \
181	hook(MODULE_CHECK) \	182	hook(MODULE_CHECK) \
182	hook(FIRMWARE_CHECK) \	183	hook(FIRMWARE_CHECK) \
@@ -191,8 +192,8 @@ enum ima_hooks {
191	};	192	};
192		193
193	/* LIM API function definitions */	194	/* LIM API function definitions */
194	int ima_get_action(struct inode *inode, int mask,	195	int ima_get_action(struct inode inode, const struct cred cred, u32 secid,
195	enum ima_hooks func, int *pcr);	196	int mask, enum ima_hooks func, int *pcr);
196	int ima_must_measure(struct inode *inode, int mask, enum ima_hooks func);	197	int ima_must_measure(struct inode *inode, int mask, enum ima_hooks func);
197	int ima_collect_measurement(struct integrity_iint_cache *iint,	198	int ima_collect_measurement(struct integrity_iint_cache *iint,
198	struct file file, void buf, loff_t size,	199	struct file file, void buf, loff_t size,
@@ -212,8 +213,8 @@ void ima_free_template_entry(struct ima_template_entry *entry);
212	const char ima_d_path(const struct path path, char *pathbuf, char filename);	213	const char ima_d_path(const struct path path, char *pathbuf, char filename);
213		214
214	/* IMA policy related functions */	215	/* IMA policy related functions */
215	int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,	216	int ima_match_policy(struct inode inode, const struct cred cred, u32 secid,
216	int flags, int *pcr);	217	enum ima_hooks func, int mask, int flags, int *pcr);
217	void ima_init_policy(void);	218	void ima_init_policy(void);
218	void ima_update_policy(void);	219	void ima_update_policy(void);
219	void ima_update_policy_flag(void);	220	void ima_update_policy_flag(void);


diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index 08fe405338e1..33b4458cdbef 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c
@@ -158,6 +158,8 @@ err_out:
158	/**	158	/**
159	* ima_get_action - appraise & measure decision based on policy.	159	* ima_get_action - appraise & measure decision based on policy.
160	* @inode: pointer to inode to measure	160	* @inode: pointer to inode to measure
		161	* @cred: pointer to credentials structure to validate
		162	* @secid: secid of the task being validated
161	* @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXEC,	163	* @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXEC,
162	* MAY_APPEND)	164	* MAY_APPEND)
163	* @func: caller identifier	165	* @func: caller identifier
@@ -166,20 +168,21 @@ err_out:
166	* The policy is defined in terms of keypairs:	168	* The policy is defined in terms of keypairs:
167	* subj=, obj=, type=, func=, mask=, fsmagic=	169	* subj=, obj=, type=, func=, mask=, fsmagic=
168	* subj,obj, and type: are LSM specific.	170	* subj,obj, and type: are LSM specific.
169	* func: FILE_CHECK \| BPRM_CHECK \| MMAP_CHECK \| MODULE_CHECK	171	* func: FILE_CHECK \| BPRM_CHECK \| CREDS_CHECK \| MMAP_CHECK \| MODULE_CHECK
170	* mask: contains the permission mask	172	* mask: contains the permission mask
171	* fsmagic: hex value	173	* fsmagic: hex value
172	*	174	*
173	* Returns IMA_MEASURE, IMA_APPRAISE mask.	175	* Returns IMA_MEASURE, IMA_APPRAISE mask.
174	*	176	*
175	*/	177	*/
176	int ima_get_action(struct inode inode, int mask, enum ima_hooks func, int pcr)	178	int ima_get_action(struct inode inode, const struct cred cred, u32 secid,
		179	int mask, enum ima_hooks func, int *pcr)
177	{	180	{
178	int flags = IMA_MEASURE \| IMA_AUDIT \| IMA_APPRAISE \| IMA_HASH;	181	int flags = IMA_MEASURE \| IMA_AUDIT \| IMA_APPRAISE \| IMA_HASH;
179		182
180	flags &= ima_policy_flag;	183	flags &= ima_policy_flag;
181		184
182	return ima_match_policy(inode, func, mask, flags, pcr);	185	return ima_match_policy(inode, cred, secid, func, mask, flags, pcr);
183	}	186	}
184		187
185	/*	188	/*


diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index f2803a40ff82..1b177461f20e 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c
@@ -50,11 +50,14 @@ bool is_ima_appraise_enabled(void)
50	*/	50	*/
51	int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func)	51	int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func)
52	{	52	{
		53	u32 secid;
		54
53	if (!ima_appraise)	55	if (!ima_appraise)
54	return 0;	56	return 0;
55		57
56	return ima_match_policy(inode, func, mask, IMA_APPRAISE \| IMA_HASH,	58	security_task_getsecid(current, &secid);
57	NULL);	59	return ima_match_policy(inode, current_cred(), secid, func, mask,
		60	IMA_APPRAISE \| IMA_HASH, NULL);
58	}	61	}
59		62
60	static int ima_fix_xattr(struct dentry *dentry,	63	static int ima_fix_xattr(struct dentry *dentry,
@@ -87,6 +90,8 @@ enum integrity_status ima_get_cache_status(struct integrity_iint_cache *iint,
87	return iint->ima_mmap_status;	90	return iint->ima_mmap_status;
88	case BPRM_CHECK:	91	case BPRM_CHECK:
89	return iint->ima_bprm_status;	92	return iint->ima_bprm_status;
		93	case CREDS_CHECK:
		94	return iint->ima_creds_status;
90	case FILE_CHECK:	95	case FILE_CHECK:
91	case POST_SETATTR:	96	case POST_SETATTR:
92	return iint->ima_file_status;	97	return iint->ima_file_status;
@@ -107,6 +112,8 @@ static void ima_set_cache_status(struct integrity_iint_cache *iint,
107	case BPRM_CHECK:	112	case BPRM_CHECK:
108	iint->ima_bprm_status = status;	113	iint->ima_bprm_status = status;
109	break;	114	break;
		115	case CREDS_CHECK:
		116	iint->ima_creds_status = status;
110	case FILE_CHECK:	117	case FILE_CHECK:
111	case POST_SETATTR:	118	case POST_SETATTR:
112	iint->ima_file_status = status;	119	iint->ima_file_status = status;
@@ -128,6 +135,9 @@ static void ima_cache_flags(struct integrity_iint_cache *iint,
128	case BPRM_CHECK:	135	case BPRM_CHECK:
129	iint->flags \|= (IMA_BPRM_APPRAISED \| IMA_APPRAISED);	136	iint->flags \|= (IMA_BPRM_APPRAISED \| IMA_APPRAISED);
130	break;	137	break;
		138	case CREDS_CHECK:
		139	iint->flags \|= (IMA_CREDS_APPRAISED \| IMA_APPRAISED);
		140	break;
131	case FILE_CHECK:	141	case FILE_CHECK:
132	case POST_SETATTR:	142	case POST_SETATTR:
133	iint->flags \|= (IMA_FILE_APPRAISED \| IMA_APPRAISED);	143	iint->flags \|= (IMA_FILE_APPRAISED \| IMA_APPRAISED);


diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 2cfb0c714967..a5d225ffc388 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c
@@ -167,8 +167,9 @@ void ima_file_free(struct file *file)
167	ima_check_last_writer(iint, inode, file);	167	ima_check_last_writer(iint, inode, file);
168	}	168	}
169		169
170	static int process_measurement(struct file file, char buf, loff_t size,	170	static int process_measurement(struct file file, const struct cred cred,
171	int mask, enum ima_hooks func, int opened)	171	u32 secid, char *buf, loff_t size, int mask,
		172	enum ima_hooks func, int opened)
172	{	173	{
173	struct inode *inode = file_inode(file);	174	struct inode *inode = file_inode(file);
174	struct integrity_iint_cache *iint = NULL;	175	struct integrity_iint_cache *iint = NULL;
@@ -190,7 +191,7 @@ static int process_measurement(struct file file, char buf, loff_t size,
190	* bitmask based on the appraise/audit/measurement policy.	191	* bitmask based on the appraise/audit/measurement policy.
191	* Included is the appraise submask.	192	* Included is the appraise submask.
192	*/	193	*/
193	action = ima_get_action(inode, mask, func, &pcr);	194	action = ima_get_action(inode, cred, secid, mask, func, &pcr);
194	violation_check = ((func == FILE_CHECK \|\| func == MMAP_CHECK) &&	195	violation_check = ((func == FILE_CHECK \|\| func == MMAP_CHECK) &&
195	(ima_policy_flag & IMA_MEASURE));	196	(ima_policy_flag & IMA_MEASURE));
196	if (!action && !violation_check)	197	if (!action && !violation_check)
@@ -324,9 +325,14 @@ out:
324	*/	325	*/
325	int ima_file_mmap(struct file *file, unsigned long prot)	326	int ima_file_mmap(struct file *file, unsigned long prot)
326	{	327	{
327	if (file && (prot & PROT_EXEC))	328	u32 secid;
328	return process_measurement(file, NULL, 0, MAY_EXEC,	329
329	MMAP_CHECK, 0);	330	if (file && (prot & PROT_EXEC)) {
		331	security_task_getsecid(current, &secid);
		332	return process_measurement(file, current_cred(), secid, NULL,
		333	0, MAY_EXEC, MMAP_CHECK, 0);
		334	}
		335
330	return 0;	336	return 0;
331	}	337	}
332		338
@@ -345,8 +351,18 @@ int ima_file_mmap(struct file *file, unsigned long prot)
345	*/	351	*/
346	int ima_bprm_check(struct linux_binprm *bprm)	352	int ima_bprm_check(struct linux_binprm *bprm)
347	{	353	{
348	return process_measurement(bprm->file, NULL, 0, MAY_EXEC,	354	int ret;
349	BPRM_CHECK, 0);	355	u32 secid;
		356
		357	security_task_getsecid(current, &secid);
		358	ret = process_measurement(bprm->file, current_cred(), secid, NULL, 0,
		359	MAY_EXEC, BPRM_CHECK, 0);
		360	if (ret)
		361	return ret;
		362
		363	security_cred_getsecid(bprm->cred, &secid);
		364	return process_measurement(bprm->file, bprm->cred, secid, NULL, 0,
		365	MAY_EXEC, CREDS_CHECK, 0);
350	}	366	}
351		367
352	/**	368	/**
@@ -361,7 +377,10 @@ int ima_bprm_check(struct linux_binprm *bprm)
361	*/	377	*/
362	int ima_file_check(struct file *file, int mask, int opened)	378	int ima_file_check(struct file *file, int mask, int opened)
363	{	379	{
364	return process_measurement(file, NULL, 0,	380	u32 secid;
		381
		382	security_task_getsecid(current, &secid);
		383	return process_measurement(file, current_cred(), secid, NULL, 0,
365	mask & (MAY_READ \| MAY_WRITE \| MAY_EXEC \|	384	mask & (MAY_READ \| MAY_WRITE \| MAY_EXEC \|
366	MAY_APPEND), FILE_CHECK, opened);	385	MAY_APPEND), FILE_CHECK, opened);
367	}	386	}
@@ -440,6 +459,7 @@ int ima_post_read_file(struct file file, void buf, loff_t size,
440	enum kernel_read_file_id read_id)	459	enum kernel_read_file_id read_id)
441	{	460	{
442	enum ima_hooks func;	461	enum ima_hooks func;
		462	u32 secid;
443		463
444	if (!file && read_id == READING_FIRMWARE) {	464	if (!file && read_id == READING_FIRMWARE) {
445	if ((ima_appraise & IMA_APPRAISE_FIRMWARE) &&	465	if ((ima_appraise & IMA_APPRAISE_FIRMWARE) &&
@@ -462,7 +482,9 @@ int ima_post_read_file(struct file file, void buf, loff_t size,
462	}	482	}
463		483
464	func = read_idmap[read_id] ?: FILE_CHECK;	484	func = read_idmap[read_id] ?: FILE_CHECK;
465	return process_measurement(file, buf, size, MAY_READ, func, 0);	485	security_task_getsecid(current, &secid);
		486	return process_measurement(file, current_cred(), secid, buf, size,
		487	MAY_READ, func, 0);
466	}	488	}
467		489
468	static int __init init_ima(void)	490	static int __init init_ima(void)


diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 915f5572c6ff..e3da29af2c16 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c
@@ -243,16 +243,17 @@ static void ima_lsm_update_rules(void)
243	* ima_match_rules - determine whether an inode matches the measure rule.	243	* ima_match_rules - determine whether an inode matches the measure rule.
244	* @rule: a pointer to a rule	244	* @rule: a pointer to a rule
245	* @inode: a pointer to an inode	245	* @inode: a pointer to an inode
		246	* @cred: a pointer to a credentials structure for user validation
		247	* @secid: the secid of the task to be validated
246	* @func: LIM hook identifier	248	* @func: LIM hook identifier
247	* @mask: requested action (MAY_READ \| MAY_WRITE \| MAY_APPEND \| MAY_EXEC)	249	* @mask: requested action (MAY_READ \| MAY_WRITE \| MAY_APPEND \| MAY_EXEC)
248	*	250	*
249	* Returns true on rule match, false on failure.	251	* Returns true on rule match, false on failure.
250	*/	252	*/
251	static bool ima_match_rules(struct ima_rule_entry rule, struct inode inode,	253	static bool ima_match_rules(struct ima_rule_entry rule, struct inode inode,
		254	const struct cred *cred, u32 secid,
252	enum ima_hooks func, int mask)	255	enum ima_hooks func, int mask)
253	{	256	{
254	struct task_struct *tsk = current;
255	const struct cred *cred = current_cred();
256	int i;	257	int i;
257		258
258	if ((rule->flags & IMA_FUNC) &&	259	if ((rule->flags & IMA_FUNC) &&
@@ -287,7 +288,7 @@ static bool ima_match_rules(struct ima_rule_entry rule, struct inode inode,
287	return false;	288	return false;
288	for (i = 0; i < MAX_LSM_RULES; i++) {	289	for (i = 0; i < MAX_LSM_RULES; i++) {
289	int rc = 0;	290	int rc = 0;
290	u32 osid, sid;	291	u32 osid;
291	int retried = 0;	292	int retried = 0;
292		293
293	if (!rule->lsm[i].rule)	294	if (!rule->lsm[i].rule)
@@ -307,8 +308,7 @@ retry:
307	case LSM_SUBJ_USER:	308	case LSM_SUBJ_USER:
308	case LSM_SUBJ_ROLE:	309	case LSM_SUBJ_ROLE:
309	case LSM_SUBJ_TYPE:	310	case LSM_SUBJ_TYPE:
310	security_task_getsecid(tsk, &sid);	311	rc = security_filter_rule_match(secid,
311	rc = security_filter_rule_match(sid,
312	rule->lsm[i].type,	312	rule->lsm[i].type,
313	Audit_equal,	313	Audit_equal,
314	rule->lsm[i].rule,	314	rule->lsm[i].rule,
@@ -341,6 +341,8 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func)
341	return IMA_MMAP_APPRAISE;	341	return IMA_MMAP_APPRAISE;
342	case BPRM_CHECK:	342	case BPRM_CHECK:
343	return IMA_BPRM_APPRAISE;	343	return IMA_BPRM_APPRAISE;
		344	case CREDS_CHECK:
		345	return IMA_CREDS_APPRAISE;
344	case FILE_CHECK:	346	case FILE_CHECK:
345	case POST_SETATTR:	347	case POST_SETATTR:
346	return IMA_FILE_APPRAISE;	348	return IMA_FILE_APPRAISE;
@@ -353,6 +355,9 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func)
353	/**	355	/**
354	* ima_match_policy - decision based on LSM and other conditions	356	* ima_match_policy - decision based on LSM and other conditions
355	* @inode: pointer to an inode for which the policy decision is being made	357	* @inode: pointer to an inode for which the policy decision is being made
		358	* @cred: pointer to a credentials structure for which the policy decision is
		359	* being made
		360	* @secid: LSM secid of the task to be validated
356	* @func: IMA hook identifier	361	* @func: IMA hook identifier
357	* @mask: requested action (MAY_READ \| MAY_WRITE \| MAY_APPEND \| MAY_EXEC)	362	* @mask: requested action (MAY_READ \| MAY_WRITE \| MAY_APPEND \| MAY_EXEC)
358	* @pcr: set the pcr to extend	363	* @pcr: set the pcr to extend
@@ -364,8 +369,8 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func)
364	* list when walking it. Reads are many orders of magnitude more numerous	369	* list when walking it. Reads are many orders of magnitude more numerous
365	* than writes so ima_match_policy() is classical RCU candidate.	370	* than writes so ima_match_policy() is classical RCU candidate.
366	*/	371	*/
367	int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,	372	int ima_match_policy(struct inode inode, const struct cred cred, u32 secid,
368	int flags, int *pcr)	373	enum ima_hooks func, int mask, int flags, int *pcr)
369	{	374	{
370	struct ima_rule_entry *entry;	375	struct ima_rule_entry *entry;
371	int action = 0, actmask = flags \| (flags << 1);	376	int action = 0, actmask = flags \| (flags << 1);
@@ -376,7 +381,7 @@ int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,
376	if (!(entry->action & actmask))	381	if (!(entry->action & actmask))
377	continue;	382	continue;
378		383
379	if (!ima_match_rules(entry, inode, func, mask))	384	if (!ima_match_rules(entry, inode, cred, secid, func, mask))
380	continue;	385	continue;
381		386
382	action \|= entry->flags & IMA_ACTION_FLAGS;	387	action \|= entry->flags & IMA_ACTION_FLAGS;
@@ -713,6 +718,8 @@ static int ima_parse_rule(char rule, struct ima_rule_entry entry)
713	entry->func = MMAP_CHECK;	718	entry->func = MMAP_CHECK;
714	else if (strcmp(args[0].from, "BPRM_CHECK") == 0)	719	else if (strcmp(args[0].from, "BPRM_CHECK") == 0)
715	entry->func = BPRM_CHECK;	720	entry->func = BPRM_CHECK;
		721	else if (strcmp(args[0].from, "CREDS_CHECK") == 0)
		722	entry->func = CREDS_CHECK;
716	else if (strcmp(args[0].from, "KEXEC_KERNEL_CHECK") ==	723	else if (strcmp(args[0].from, "KEXEC_KERNEL_CHECK") ==
717	0)	724	0)
718	entry->func = KEXEC_KERNEL_CHECK;	725	entry->func = KEXEC_KERNEL_CHECK;


diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 50a8e3365df7..843ae23ba0ac 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h
@@ -51,10 +51,14 @@
51	#define IMA_BPRM_APPRAISED 0x00020000	51	#define IMA_BPRM_APPRAISED 0x00020000
52	#define IMA_READ_APPRAISE 0x00040000	52	#define IMA_READ_APPRAISE 0x00040000
53	#define IMA_READ_APPRAISED 0x00080000	53	#define IMA_READ_APPRAISED 0x00080000
		54	#define IMA_CREDS_APPRAISE 0x00100000
		55	#define IMA_CREDS_APPRAISED 0x00200000
54	#define IMA_APPRAISE_SUBMASK (IMA_FILE_APPRAISE \| IMA_MMAP_APPRAISE \| \	56	#define IMA_APPRAISE_SUBMASK (IMA_FILE_APPRAISE \| IMA_MMAP_APPRAISE \| \
55	IMA_BPRM_APPRAISE \| IMA_READ_APPRAISE)	57	IMA_BPRM_APPRAISE \| IMA_READ_APPRAISE \| \
		58	IMA_CREDS_APPRAISE)
56	#define IMA_APPRAISED_SUBMASK (IMA_FILE_APPRAISED \| IMA_MMAP_APPRAISED \| \	59	#define IMA_APPRAISED_SUBMASK (IMA_FILE_APPRAISED \| IMA_MMAP_APPRAISED \| \
57	IMA_BPRM_APPRAISED \| IMA_READ_APPRAISED)	60	IMA_BPRM_APPRAISED \| IMA_READ_APPRAISED \| \
		61	IMA_CREDS_APPRAISED)
58		62
59	/* iint cache atomic_flags */	63	/* iint cache atomic_flags */
60	#define IMA_CHANGE_XATTR 0	64	#define IMA_CHANGE_XATTR 0
@@ -121,6 +125,7 @@ struct integrity_iint_cache {
121	enum integrity_status ima_mmap_status:4;	125	enum integrity_status ima_mmap_status:4;
122	enum integrity_status ima_bprm_status:4;	126	enum integrity_status ima_bprm_status:4;
123	enum integrity_status ima_read_status:4;	127	enum integrity_status ima_read_status:4;
		128	enum integrity_status ima_creds_status:4;
124	enum integrity_status evm_status:4;	129	enum integrity_status evm_status:4;
125	struct ima_digest_data *ima_hash;	130	struct ima_digest_data *ima_hash;
126	};	131	};