aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorJames Morris <jmorris@namei.org>2018-02-21 11:21:41 -0500
committerJames Morris <jmorris@namei.org>2018-02-21 11:21:41 -0500
commita02633e9b13dcb9b1a656b08f81bc8ba2d4d2294 (patch)
tree3d5ef56eee3117cd61812759a255fa293d8044b8 /security
parentd21bd6898336a7892914d308d5e0868f0b863571 (diff)
parent91ab883eb21325ad80f3473633f794c78ac87f51 (diff)
Merge tag 'v4.16-rc2' into next-general
Sync to Linux 4.16-rc2 for developers to work against.
Diffstat (limited to 'security')
-rw-r--r--security/Kconfig26
-rw-r--r--security/apparmor/apparmorfs.c6
-rw-r--r--security/apparmor/domain.c9
-rw-r--r--security/apparmor/include/perms.h3
-rw-r--r--security/apparmor/ipc.c53
-rw-r--r--security/apparmor/mount.c12
-rw-r--r--security/commoncap.c21
-rw-r--r--security/integrity/evm/evm.h9
-rw-r--r--security/integrity/evm/evm_crypto.c75
-rw-r--r--security/integrity/evm/evm_main.c67
-rw-r--r--security/integrity/evm/evm_secfs.c20
-rw-r--r--security/integrity/iint.c5
-rw-r--r--security/integrity/ima/ima_api.c5
-rw-r--r--security/integrity/ima/ima_appraise.c46
-rw-r--r--security/integrity/ima/ima_crypto.c2
-rw-r--r--security/integrity/ima/ima_init.c2
-rw-r--r--security/integrity/ima/ima_main.c96
-rw-r--r--security/integrity/ima/ima_policy.c32
-rw-r--r--security/integrity/ima/ima_queue.c2
-rw-r--r--security/integrity/ima/ima_template.c11
-rw-r--r--security/integrity/integrity.h41
-rw-r--r--security/keys/keyring.c7
-rw-r--r--security/keys/trusted.c35
-rw-r--r--security/selinux/include/netlabel.h3
-rw-r--r--security/selinux/netlabel.c3
-rw-r--r--security/selinux/ss/services.c21
-rw-r--r--security/selinux/xfrm.c2
-rw-r--r--security/smack/smack.h1
-rw-r--r--security/smack/smack_access.c40
-rw-r--r--security/smack/smack_lsm.c10
-rw-r--r--security/tomoyo/audit.c8
-rw-r--r--security/tomoyo/common.c18
-rw-r--r--security/tomoyo/common.h6
-rw-r--r--security/tomoyo/securityfs_if.c6
-rw-r--r--security/yama/yama_lsm.c11
35 files changed, 484 insertions, 230 deletions
diff --git a/security/Kconfig b/security/Kconfig
index e8e449444e65..c4302067a3ad 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -54,6 +54,17 @@ config SECURITY_NETWORK
54 implement socket and networking access controls. 54 implement socket and networking access controls.
55 If you are unsure how to answer this question, answer N. 55 If you are unsure how to answer this question, answer N.
56 56
57config PAGE_TABLE_ISOLATION
58 bool "Remove the kernel mapping in user mode"
59 default y
60 depends on X86_64 && !UML
61 help
62 This feature reduces the number of hardware side channels by
63 ensuring that the majority of kernel addresses are not mapped
64 into userspace.
65
66 See Documentation/x86/pti.txt for more details.
67
57config SECURITY_INFINIBAND 68config SECURITY_INFINIBAND
58 bool "Infiniband Security Hooks" 69 bool "Infiniband Security Hooks"
59 depends on SECURITY && INFINIBAND 70 depends on SECURITY && INFINIBAND
@@ -143,6 +154,7 @@ config HARDENED_USERCOPY
143 bool "Harden memory copies between kernel and userspace" 154 bool "Harden memory copies between kernel and userspace"
144 depends on HAVE_HARDENED_USERCOPY_ALLOCATOR 155 depends on HAVE_HARDENED_USERCOPY_ALLOCATOR
145 select BUG 156 select BUG
157 imply STRICT_DEVMEM
146 help 158 help
147 This option checks for obviously wrong memory regions when 159 This option checks for obviously wrong memory regions when
148 copying memory to/from the kernel (via copy_to_user() and 160 copying memory to/from the kernel (via copy_to_user() and
@@ -152,6 +164,20 @@ config HARDENED_USERCOPY
152 or are part of the kernel text. This kills entire classes 164 or are part of the kernel text. This kills entire classes
153 of heap overflow exploits and similar kernel memory exposures. 165 of heap overflow exploits and similar kernel memory exposures.
154 166
167config HARDENED_USERCOPY_FALLBACK
168 bool "Allow usercopy whitelist violations to fallback to object size"
169 depends on HARDENED_USERCOPY
170 default y
171 help
172 This is a temporary option that allows missing usercopy whitelists
173 to be discovered via a WARN() to the kernel log, instead of
174 rejecting the copy, falling back to non-whitelisted hardened
175 usercopy that checks the slab allocation size instead of the
176 whitelist size. This option will be removed once it seems like
177 all missing usercopy whitelists have been identified and fixed.
178 Booting with "slab_common.usercopy_fallback=Y/N" can change
179 this setting.
180
155config HARDENED_USERCOPY_PAGESPAN 181config HARDENED_USERCOPY_PAGESPAN
156 bool "Refuse to copy allocations that span multiple pages" 182 bool "Refuse to copy allocations that span multiple pages"
157 depends on HARDENED_USERCOPY 183 depends on HARDENED_USERCOPY
diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
index d4fa04d91439..a9428daa69f3 100644
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -571,16 +571,16 @@ static int ns_revision_open(struct inode *inode, struct file *file)
571 return 0; 571 return 0;
572} 572}
573 573
574static unsigned int ns_revision_poll(struct file *file, poll_table *pt) 574static __poll_t ns_revision_poll(struct file *file, poll_table *pt)
575{ 575{
576 struct aa_revision *rev = file->private_data; 576 struct aa_revision *rev = file->private_data;
577 unsigned int mask = 0; 577 __poll_t mask = 0;
578 578
579 if (rev) { 579 if (rev) {
580 mutex_lock_nested(&rev->ns->lock, rev->ns->level); 580 mutex_lock_nested(&rev->ns->lock, rev->ns->level);
581 poll_wait(file, &rev->ns->wait, pt); 581 poll_wait(file, &rev->ns->wait, pt);
582 if (rev->last_read < rev->ns->revision) 582 if (rev->last_read < rev->ns->revision)
583 mask |= POLLIN | POLLRDNORM; 583 mask |= EPOLLIN | EPOLLRDNORM;
584 mutex_unlock(&rev->ns->lock); 584 mutex_unlock(&rev->ns->lock);
585 } 585 }
586 586
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index 04ba9d0718ea..6a54d2ffa840 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -330,10 +330,7 @@ static struct aa_profile *__attach_match(const char *name,
330 continue; 330 continue;
331 331
332 if (profile->xmatch) { 332 if (profile->xmatch) {
333 if (profile->xmatch_len == len) { 333 if (profile->xmatch_len >= len) {
334 conflict = true;
335 continue;
336 } else if (profile->xmatch_len > len) {
337 unsigned int state; 334 unsigned int state;
338 u32 perm; 335 u32 perm;
339 336
@@ -342,6 +339,10 @@ static struct aa_profile *__attach_match(const char *name,
342 perm = dfa_user_allow(profile->xmatch, state); 339 perm = dfa_user_allow(profile->xmatch, state);
343 /* any accepting state means a valid match. */ 340 /* any accepting state means a valid match. */
344 if (perm & MAY_EXEC) { 341 if (perm & MAY_EXEC) {
342 if (profile->xmatch_len == len) {
343 conflict = true;
344 continue;
345 }
345 candidate = profile; 346 candidate = profile;
346 len = profile->xmatch_len; 347 len = profile->xmatch_len;
347 conflict = false; 348 conflict = false;
diff --git a/security/apparmor/include/perms.h b/security/apparmor/include/perms.h
index 2b27bb79aec4..d7b7e7115160 100644
--- a/security/apparmor/include/perms.h
+++ b/security/apparmor/include/perms.h
@@ -133,6 +133,9 @@ extern struct aa_perms allperms;
133#define xcheck_labels_profiles(L1, L2, FN, args...) \ 133#define xcheck_labels_profiles(L1, L2, FN, args...) \
134 xcheck_ns_labels((L1), (L2), xcheck_ns_profile_label, (FN), args) 134 xcheck_ns_labels((L1), (L2), xcheck_ns_profile_label, (FN), args)
135 135
136#define xcheck_labels(L1, L2, P, FN1, FN2) \
137 xcheck(fn_for_each((L1), (P), (FN1)), fn_for_each((L2), (P), (FN2)))
138
136 139
137void aa_perm_mask_to_str(char *str, const char *chrs, u32 mask); 140void aa_perm_mask_to_str(char *str, const char *chrs, u32 mask);
138void aa_audit_perm_names(struct audit_buffer *ab, const char **names, u32 mask); 141void aa_audit_perm_names(struct audit_buffer *ab, const char **names, u32 mask);
diff --git a/security/apparmor/ipc.c b/security/apparmor/ipc.c
index 7ca0032e7ba9..b40678f3c1d5 100644
--- a/security/apparmor/ipc.c
+++ b/security/apparmor/ipc.c
@@ -64,40 +64,48 @@ static void audit_ptrace_cb(struct audit_buffer *ab, void *va)
64 FLAGS_NONE, GFP_ATOMIC); 64 FLAGS_NONE, GFP_ATOMIC);
65} 65}
66 66
67/* assumes check for PROFILE_MEDIATES is already done */
67/* TODO: conditionals */ 68/* TODO: conditionals */
68static int profile_ptrace_perm(struct aa_profile *profile, 69static int profile_ptrace_perm(struct aa_profile *profile,
69 struct aa_profile *peer, u32 request, 70 struct aa_label *peer, u32 request,
70 struct common_audit_data *sa) 71 struct common_audit_data *sa)
71{ 72{
72 struct aa_perms perms = { }; 73 struct aa_perms perms = { };
73 74
74 /* need because of peer in cross check */ 75 aad(sa)->peer = peer;
75 if (profile_unconfined(profile) || 76 aa_profile_match_label(profile, peer, AA_CLASS_PTRACE, request,
76 !PROFILE_MEDIATES(profile, AA_CLASS_PTRACE))
77 return 0;
78
79 aad(sa)->peer = &peer->label;
80 aa_profile_match_label(profile, &peer->label, AA_CLASS_PTRACE, request,
81 &perms); 77 &perms);
82 aa_apply_modes_to_perms(profile, &perms); 78 aa_apply_modes_to_perms(profile, &perms);
83 return aa_check_perms(profile, &perms, request, sa, audit_ptrace_cb); 79 return aa_check_perms(profile, &perms, request, sa, audit_ptrace_cb);
84} 80}
85 81
86static int cross_ptrace_perm(struct aa_profile *tracer, 82static int profile_tracee_perm(struct aa_profile *tracee,
87 struct aa_profile *tracee, u32 request, 83 struct aa_label *tracer, u32 request,
88 struct common_audit_data *sa) 84 struct common_audit_data *sa)
89{ 85{
86 if (profile_unconfined(tracee) || unconfined(tracer) ||
87 !PROFILE_MEDIATES(tracee, AA_CLASS_PTRACE))
88 return 0;
89
90 return profile_ptrace_perm(tracee, tracer, request, sa);
91}
92
93static int profile_tracer_perm(struct aa_profile *tracer,
94 struct aa_label *tracee, u32 request,
95 struct common_audit_data *sa)
96{
97 if (profile_unconfined(tracer))
98 return 0;
99
90 if (PROFILE_MEDIATES(tracer, AA_CLASS_PTRACE)) 100 if (PROFILE_MEDIATES(tracer, AA_CLASS_PTRACE))
91 return xcheck(profile_ptrace_perm(tracer, tracee, request, sa), 101 return profile_ptrace_perm(tracer, tracee, request, sa);
92 profile_ptrace_perm(tracee, tracer, 102
93 request << PTRACE_PERM_SHIFT, 103 /* profile uses the old style capability check for ptrace */
94 sa)); 104 if (&tracer->label == tracee)
95 /* policy uses the old style capability check for ptrace */
96 if (profile_unconfined(tracer) || tracer == tracee)
97 return 0; 105 return 0;
98 106
99 aad(sa)->label = &tracer->label; 107 aad(sa)->label = &tracer->label;
100 aad(sa)->peer = &tracee->label; 108 aad(sa)->peer = tracee;
101 aad(sa)->request = 0; 109 aad(sa)->request = 0;
102 aad(sa)->error = aa_capable(&tracer->label, CAP_SYS_PTRACE, 1); 110 aad(sa)->error = aa_capable(&tracer->label, CAP_SYS_PTRACE, 1);
103 111
@@ -115,10 +123,13 @@ static int cross_ptrace_perm(struct aa_profile *tracer,
115int aa_may_ptrace(struct aa_label *tracer, struct aa_label *tracee, 123int aa_may_ptrace(struct aa_label *tracer, struct aa_label *tracee,
116 u32 request) 124 u32 request)
117{ 125{
126 struct aa_profile *profile;
127 u32 xrequest = request << PTRACE_PERM_SHIFT;
118 DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_PTRACE); 128 DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_PTRACE);
119 129
120 return xcheck_labels_profiles(tracer, tracee, cross_ptrace_perm, 130 return xcheck_labels(tracer, tracee, profile,
121 request, &sa); 131 profile_tracer_perm(profile, tracee, request, &sa),
132 profile_tracee_perm(profile, tracer, xrequest, &sa));
122} 133}
123 134
124 135
diff --git a/security/apparmor/mount.c b/security/apparmor/mount.c
index ed9b4d0f9f7e..8c558cbce930 100644
--- a/security/apparmor/mount.c
+++ b/security/apparmor/mount.c
@@ -329,6 +329,9 @@ static int match_mnt_path_str(struct aa_profile *profile,
329 AA_BUG(!mntpath); 329 AA_BUG(!mntpath);
330 AA_BUG(!buffer); 330 AA_BUG(!buffer);
331 331
332 if (!PROFILE_MEDIATES(profile, AA_CLASS_MOUNT))
333 return 0;
334
332 error = aa_path_name(mntpath, path_flags(profile, mntpath), buffer, 335 error = aa_path_name(mntpath, path_flags(profile, mntpath), buffer,
333 &mntpnt, &info, profile->disconnected); 336 &mntpnt, &info, profile->disconnected);
334 if (error) 337 if (error)
@@ -380,6 +383,9 @@ static int match_mnt(struct aa_profile *profile, const struct path *path,
380 AA_BUG(!profile); 383 AA_BUG(!profile);
381 AA_BUG(devpath && !devbuffer); 384 AA_BUG(devpath && !devbuffer);
382 385
386 if (!PROFILE_MEDIATES(profile, AA_CLASS_MOUNT))
387 return 0;
388
383 if (devpath) { 389 if (devpath) {
384 error = aa_path_name(devpath, path_flags(profile, devpath), 390 error = aa_path_name(devpath, path_flags(profile, devpath),
385 devbuffer, &devname, &info, 391 devbuffer, &devname, &info,
@@ -558,6 +564,9 @@ static int profile_umount(struct aa_profile *profile, struct path *path,
558 AA_BUG(!profile); 564 AA_BUG(!profile);
559 AA_BUG(!path); 565 AA_BUG(!path);
560 566
567 if (!PROFILE_MEDIATES(profile, AA_CLASS_MOUNT))
568 return 0;
569
561 error = aa_path_name(path, path_flags(profile, path), buffer, &name, 570 error = aa_path_name(path, path_flags(profile, path), buffer, &name,
562 &info, profile->disconnected); 571 &info, profile->disconnected);
563 if (error) 572 if (error)
@@ -613,7 +622,8 @@ static struct aa_label *build_pivotroot(struct aa_profile *profile,
613 AA_BUG(!new_path); 622 AA_BUG(!new_path);
614 AA_BUG(!old_path); 623 AA_BUG(!old_path);
615 624
616 if (profile_unconfined(profile)) 625 if (profile_unconfined(profile) ||
626 !PROFILE_MEDIATES(profile, AA_CLASS_MOUNT))
617 return aa_get_newest_label(&profile->label); 627 return aa_get_newest_label(&profile->label);
618 628
619 error = aa_path_name(old_path, path_flags(profile, old_path), 629 error = aa_path_name(old_path, path_flags(profile, old_path),
diff --git a/security/commoncap.c b/security/commoncap.c
index 4f8e09340956..48620c93d697 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -348,21 +348,18 @@ static __u32 sansflags(__u32 m)
348 return m & ~VFS_CAP_FLAGS_EFFECTIVE; 348 return m & ~VFS_CAP_FLAGS_EFFECTIVE;
349} 349}
350 350
351static bool is_v2header(size_t size, __le32 magic) 351static bool is_v2header(size_t size, const struct vfs_cap_data *cap)
352{ 352{
353 __u32 m = le32_to_cpu(magic);
354 if (size != XATTR_CAPS_SZ_2) 353 if (size != XATTR_CAPS_SZ_2)
355 return false; 354 return false;
356 return sansflags(m) == VFS_CAP_REVISION_2; 355 return sansflags(le32_to_cpu(cap->magic_etc)) == VFS_CAP_REVISION_2;
357} 356}
358 357
359static bool is_v3header(size_t size, __le32 magic) 358static bool is_v3header(size_t size, const struct vfs_cap_data *cap)
360{ 359{
361 __u32 m = le32_to_cpu(magic);
362
363 if (size != XATTR_CAPS_SZ_3) 360 if (size != XATTR_CAPS_SZ_3)
364 return false; 361 return false;
365 return sansflags(m) == VFS_CAP_REVISION_3; 362 return sansflags(le32_to_cpu(cap->magic_etc)) == VFS_CAP_REVISION_3;
366} 363}
367 364
368/* 365/*
@@ -405,7 +402,7 @@ int cap_inode_getsecurity(struct inode *inode, const char *name, void **buffer,
405 402
406 fs_ns = inode->i_sb->s_user_ns; 403 fs_ns = inode->i_sb->s_user_ns;
407 cap = (struct vfs_cap_data *) tmpbuf; 404 cap = (struct vfs_cap_data *) tmpbuf;
408 if (is_v2header((size_t) ret, cap->magic_etc)) { 405 if (is_v2header((size_t) ret, cap)) {
409 /* If this is sizeof(vfs_cap_data) then we're ok with the 406 /* If this is sizeof(vfs_cap_data) then we're ok with the
410 * on-disk value, so return that. */ 407 * on-disk value, so return that. */
411 if (alloc) 408 if (alloc)
@@ -413,7 +410,7 @@ int cap_inode_getsecurity(struct inode *inode, const char *name, void **buffer,
413 else 410 else
414 kfree(tmpbuf); 411 kfree(tmpbuf);
415 return ret; 412 return ret;
416 } else if (!is_v3header((size_t) ret, cap->magic_etc)) { 413 } else if (!is_v3header((size_t) ret, cap)) {
417 kfree(tmpbuf); 414 kfree(tmpbuf);
418 return -EINVAL; 415 return -EINVAL;
419 } 416 }
@@ -470,9 +467,9 @@ static kuid_t rootid_from_xattr(const void *value, size_t size,
470 return make_kuid(task_ns, rootid); 467 return make_kuid(task_ns, rootid);
471} 468}
472 469
473static bool validheader(size_t size, __le32 magic) 470static bool validheader(size_t size, const struct vfs_cap_data *cap)
474{ 471{
475 return is_v2header(size, magic) || is_v3header(size, magic); 472 return is_v2header(size, cap) || is_v3header(size, cap);
476} 473}
477 474
478/* 475/*
@@ -495,7 +492,7 @@ int cap_convert_nscap(struct dentry *dentry, void **ivalue, size_t size)
495 492
496 if (!*ivalue) 493 if (!*ivalue)
497 return -EINVAL; 494 return -EINVAL;
498 if (!validheader(size, cap->magic_etc)) 495 if (!validheader(size, cap))
499 return -EINVAL; 496 return -EINVAL;
500 if (!capable_wrt_inode_uidgid(inode, CAP_SETFCAP)) 497 if (!capable_wrt_inode_uidgid(inode, CAP_SETFCAP))
501 return -EPERM; 498 return -EPERM;
diff --git a/security/integrity/evm/evm.h b/security/integrity/evm/evm.h
index 241aca315b0c..04825393facb 100644
--- a/security/integrity/evm/evm.h
+++ b/security/integrity/evm/evm.h
@@ -23,9 +23,12 @@
23 23
24#define EVM_INIT_HMAC 0x0001 24#define EVM_INIT_HMAC 0x0001
25#define EVM_INIT_X509 0x0002 25#define EVM_INIT_X509 0x0002
26#define EVM_SETUP 0x80000000 /* userland has signaled key load */ 26#define EVM_ALLOW_METADATA_WRITES 0x0004
27#define EVM_SETUP_COMPLETE 0x80000000 /* userland has signaled key load */
27 28
28#define EVM_INIT_MASK (EVM_INIT_HMAC | EVM_INIT_X509 | EVM_SETUP) 29#define EVM_KEY_MASK (EVM_INIT_HMAC | EVM_INIT_X509)
30#define EVM_INIT_MASK (EVM_INIT_HMAC | EVM_INIT_X509 | EVM_SETUP_COMPLETE | \
31 EVM_ALLOW_METADATA_WRITES)
29 32
30extern int evm_initialized; 33extern int evm_initialized;
31extern char *evm_hmac; 34extern char *evm_hmac;
@@ -51,7 +54,7 @@ int evm_calc_hmac(struct dentry *dentry, const char *req_xattr_name,
51 size_t req_xattr_value_len, char *digest); 54 size_t req_xattr_value_len, char *digest);
52int evm_calc_hash(struct dentry *dentry, const char *req_xattr_name, 55int evm_calc_hash(struct dentry *dentry, const char *req_xattr_name,
53 const char *req_xattr_value, 56 const char *req_xattr_value,
54 size_t req_xattr_value_len, char *digest); 57 size_t req_xattr_value_len, char type, char *digest);
55int evm_init_hmac(struct inode *inode, const struct xattr *xattr, 58int evm_init_hmac(struct inode *inode, const struct xattr *xattr,
56 char *hmac_val); 59 char *hmac_val);
57int evm_init_secfs(void); 60int evm_init_secfs(void);
diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c
index bcd64baf8788..691f3e09154c 100644
--- a/security/integrity/evm/evm_crypto.c
+++ b/security/integrity/evm/evm_crypto.c
@@ -138,7 +138,7 @@ out:
138 * protection.) 138 * protection.)
139 */ 139 */
140static void hmac_add_misc(struct shash_desc *desc, struct inode *inode, 140static void hmac_add_misc(struct shash_desc *desc, struct inode *inode,
141 char *digest) 141 char type, char *digest)
142{ 142{
143 struct h_misc { 143 struct h_misc {
144 unsigned long ino; 144 unsigned long ino;
@@ -149,8 +149,13 @@ static void hmac_add_misc(struct shash_desc *desc, struct inode *inode,
149 } hmac_misc; 149 } hmac_misc;
150 150
151 memset(&hmac_misc, 0, sizeof(hmac_misc)); 151 memset(&hmac_misc, 0, sizeof(hmac_misc));
152 hmac_misc.ino = inode->i_ino; 152 /* Don't include the inode or generation number in portable
153 hmac_misc.generation = inode->i_generation; 153 * signatures
154 */
155 if (type != EVM_XATTR_PORTABLE_DIGSIG) {
156 hmac_misc.ino = inode->i_ino;
157 hmac_misc.generation = inode->i_generation;
158 }
154 /* The hmac uid and gid must be encoded in the initial user 159 /* The hmac uid and gid must be encoded in the initial user
155 * namespace (not the filesystems user namespace) as encoding 160 * namespace (not the filesystems user namespace) as encoding
156 * them in the filesystems user namespace allows an attack 161 * them in the filesystems user namespace allows an attack
@@ -163,7 +168,8 @@ static void hmac_add_misc(struct shash_desc *desc, struct inode *inode,
163 hmac_misc.gid = from_kgid(&init_user_ns, inode->i_gid); 168 hmac_misc.gid = from_kgid(&init_user_ns, inode->i_gid);
164 hmac_misc.mode = inode->i_mode; 169 hmac_misc.mode = inode->i_mode;
165 crypto_shash_update(desc, (const u8 *)&hmac_misc, sizeof(hmac_misc)); 170 crypto_shash_update(desc, (const u8 *)&hmac_misc, sizeof(hmac_misc));
166 if (evm_hmac_attrs & EVM_ATTR_FSUUID) 171 if ((evm_hmac_attrs & EVM_ATTR_FSUUID) &&
172 type != EVM_XATTR_PORTABLE_DIGSIG)
167 crypto_shash_update(desc, &inode->i_sb->s_uuid.b[0], 173 crypto_shash_update(desc, &inode->i_sb->s_uuid.b[0],
168 sizeof(inode->i_sb->s_uuid)); 174 sizeof(inode->i_sb->s_uuid));
169 crypto_shash_final(desc, digest); 175 crypto_shash_final(desc, digest);
@@ -189,6 +195,7 @@ static int evm_calc_hmac_or_hash(struct dentry *dentry,
189 char *xattr_value = NULL; 195 char *xattr_value = NULL;
190 int error; 196 int error;
191 int size; 197 int size;
198 bool ima_present = false;
192 199
193 if (!(inode->i_opflags & IOP_XATTR)) 200 if (!(inode->i_opflags & IOP_XATTR))
194 return -EOPNOTSUPP; 201 return -EOPNOTSUPP;
@@ -199,11 +206,18 @@ static int evm_calc_hmac_or_hash(struct dentry *dentry,
199 206
200 error = -ENODATA; 207 error = -ENODATA;
201 for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) { 208 for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) {
209 bool is_ima = false;
210
211 if (strcmp(*xattrname, XATTR_NAME_IMA) == 0)
212 is_ima = true;
213
202 if ((req_xattr_name && req_xattr_value) 214 if ((req_xattr_name && req_xattr_value)
203 && !strcmp(*xattrname, req_xattr_name)) { 215 && !strcmp(*xattrname, req_xattr_name)) {
204 error = 0; 216 error = 0;
205 crypto_shash_update(desc, (const u8 *)req_xattr_value, 217 crypto_shash_update(desc, (const u8 *)req_xattr_value,
206 req_xattr_value_len); 218 req_xattr_value_len);
219 if (is_ima)
220 ima_present = true;
207 continue; 221 continue;
208 } 222 }
209 size = vfs_getxattr_alloc(dentry, *xattrname, 223 size = vfs_getxattr_alloc(dentry, *xattrname,
@@ -218,9 +232,14 @@ static int evm_calc_hmac_or_hash(struct dentry *dentry,
218 error = 0; 232 error = 0;
219 xattr_size = size; 233 xattr_size = size;
220 crypto_shash_update(desc, (const u8 *)xattr_value, xattr_size); 234 crypto_shash_update(desc, (const u8 *)xattr_value, xattr_size);
235 if (is_ima)
236 ima_present = true;
221 } 237 }
222 hmac_add_misc(desc, inode, digest); 238 hmac_add_misc(desc, inode, type, digest);
223 239
240 /* Portable EVM signatures must include an IMA hash */
241 if (type == EVM_XATTR_PORTABLE_DIGSIG && !ima_present)
242 return -EPERM;
224out: 243out:
225 kfree(xattr_value); 244 kfree(xattr_value);
226 kfree(desc); 245 kfree(desc);
@@ -232,17 +251,45 @@ int evm_calc_hmac(struct dentry *dentry, const char *req_xattr_name,
232 char *digest) 251 char *digest)
233{ 252{
234 return evm_calc_hmac_or_hash(dentry, req_xattr_name, req_xattr_value, 253 return evm_calc_hmac_or_hash(dentry, req_xattr_name, req_xattr_value,
235 req_xattr_value_len, EVM_XATTR_HMAC, digest); 254 req_xattr_value_len, EVM_XATTR_HMAC, digest);
236} 255}
237 256
238int evm_calc_hash(struct dentry *dentry, const char *req_xattr_name, 257int evm_calc_hash(struct dentry *dentry, const char *req_xattr_name,
239 const char *req_xattr_value, size_t req_xattr_value_len, 258 const char *req_xattr_value, size_t req_xattr_value_len,
240 char *digest) 259 char type, char *digest)
241{ 260{
242 return evm_calc_hmac_or_hash(dentry, req_xattr_name, req_xattr_value, 261 return evm_calc_hmac_or_hash(dentry, req_xattr_name, req_xattr_value,
243 req_xattr_value_len, IMA_XATTR_DIGEST, digest); 262 req_xattr_value_len, type, digest);
263}
264
265static int evm_is_immutable(struct dentry *dentry, struct inode *inode)
266{
267 const struct evm_ima_xattr_data *xattr_data = NULL;
268 struct integrity_iint_cache *iint;
269 int rc = 0;
270
271 iint = integrity_iint_find(inode);
272 if (iint && (iint->flags & EVM_IMMUTABLE_DIGSIG))
273 return 1;
274
275 /* Do this the hard way */
276 rc = vfs_getxattr_alloc(dentry, XATTR_NAME_EVM, (char **)&xattr_data, 0,
277 GFP_NOFS);
278 if (rc <= 0) {
279 if (rc == -ENODATA)
280 return 0;
281 return rc;
282 }
283 if (xattr_data->type == EVM_XATTR_PORTABLE_DIGSIG)
284 rc = 1;
285 else
286 rc = 0;
287
288 kfree(xattr_data);
289 return rc;
244} 290}
245 291
292
246/* 293/*
247 * Calculate the hmac and update security.evm xattr 294 * Calculate the hmac and update security.evm xattr
248 * 295 *
@@ -255,6 +302,16 @@ int evm_update_evmxattr(struct dentry *dentry, const char *xattr_name,
255 struct evm_ima_xattr_data xattr_data; 302 struct evm_ima_xattr_data xattr_data;
256 int rc = 0; 303 int rc = 0;
257 304
305 /*
306 * Don't permit any transformation of the EVM xattr if the signature
307 * is of an immutable type
308 */
309 rc = evm_is_immutable(dentry, inode);
310 if (rc < 0)
311 return rc;
312 if (rc)
313 return -EPERM;
314
258 rc = evm_calc_hmac(dentry, xattr_name, xattr_value, 315 rc = evm_calc_hmac(dentry, xattr_name, xattr_value,
259 xattr_value_len, xattr_data.digest); 316 xattr_value_len, xattr_data.digest);
260 if (rc == 0) { 317 if (rc == 0) {
@@ -280,7 +337,7 @@ int evm_init_hmac(struct inode *inode, const struct xattr *lsm_xattr,
280 } 337 }
281 338
282 crypto_shash_update(desc, lsm_xattr->value, lsm_xattr->value_len); 339 crypto_shash_update(desc, lsm_xattr->value, lsm_xattr->value_len);
283 hmac_add_misc(desc, inode, hmac_val); 340 hmac_add_misc(desc, inode, EVM_XATTR_HMAC, hmac_val);
284 kfree(desc); 341 kfree(desc);
285 return 0; 342 return 0;
286} 343}
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 9826c02e2db8..a8d502827270 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -31,7 +31,7 @@
31int evm_initialized; 31int evm_initialized;
32 32
33static char *integrity_status_msg[] = { 33static char *integrity_status_msg[] = {
34 "pass", "fail", "no_label", "no_xattrs", "unknown" 34 "pass", "pass_immutable", "fail", "no_label", "no_xattrs", "unknown"
35}; 35};
36char *evm_hmac = "hmac(sha1)"; 36char *evm_hmac = "hmac(sha1)";
37char *evm_hash = "sha1"; 37char *evm_hash = "sha1";
@@ -76,6 +76,11 @@ static void __init evm_init_config(void)
76 pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs); 76 pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs);
77} 77}
78 78
79static bool evm_key_loaded(void)
80{
81 return (bool)(evm_initialized & EVM_KEY_MASK);
82}
83
79static int evm_find_protected_xattrs(struct dentry *dentry) 84static int evm_find_protected_xattrs(struct dentry *dentry)
80{ 85{
81 struct inode *inode = d_backing_inode(dentry); 86 struct inode *inode = d_backing_inode(dentry);
@@ -123,7 +128,8 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
123 enum integrity_status evm_status = INTEGRITY_PASS; 128 enum integrity_status evm_status = INTEGRITY_PASS;
124 int rc, xattr_len; 129 int rc, xattr_len;
125 130
126 if (iint && iint->evm_status == INTEGRITY_PASS) 131 if (iint && (iint->evm_status == INTEGRITY_PASS ||
132 iint->evm_status == INTEGRITY_PASS_IMMUTABLE))
127 return iint->evm_status; 133 return iint->evm_status;
128 134
129 /* if status is not PASS, try to check again - against -ENOMEM */ 135 /* if status is not PASS, try to check again - against -ENOMEM */
@@ -164,22 +170,26 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
164 rc = -EINVAL; 170 rc = -EINVAL;
165 break; 171 break;
166 case EVM_IMA_XATTR_DIGSIG: 172 case EVM_IMA_XATTR_DIGSIG:
173 case EVM_XATTR_PORTABLE_DIGSIG:
167 rc = evm_calc_hash(dentry, xattr_name, xattr_value, 174 rc = evm_calc_hash(dentry, xattr_name, xattr_value,
168 xattr_value_len, calc.digest); 175 xattr_value_len, xattr_data->type,
176 calc.digest);
169 if (rc) 177 if (rc)
170 break; 178 break;
171 rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM, 179 rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM,
172 (const char *)xattr_data, xattr_len, 180 (const char *)xattr_data, xattr_len,
173 calc.digest, sizeof(calc.digest)); 181 calc.digest, sizeof(calc.digest));
174 if (!rc) { 182 if (!rc) {
175 /* Replace RSA with HMAC if not mounted readonly and 183 if (xattr_data->type == EVM_XATTR_PORTABLE_DIGSIG) {
176 * not immutable 184 if (iint)
177 */ 185 iint->flags |= EVM_IMMUTABLE_DIGSIG;
178 if (!IS_RDONLY(d_backing_inode(dentry)) && 186 evm_status = INTEGRITY_PASS_IMMUTABLE;
179 !IS_IMMUTABLE(d_backing_inode(dentry))) 187 } else if (!IS_RDONLY(d_backing_inode(dentry)) &&
188 !IS_IMMUTABLE(d_backing_inode(dentry))) {
180 evm_update_evmxattr(dentry, xattr_name, 189 evm_update_evmxattr(dentry, xattr_name,
181 xattr_value, 190 xattr_value,
182 xattr_value_len); 191 xattr_value_len);
192 }
183 } 193 }
184 break; 194 break;
185 default: 195 default:
@@ -241,7 +251,7 @@ enum integrity_status evm_verifyxattr(struct dentry *dentry,
241 void *xattr_value, size_t xattr_value_len, 251 void *xattr_value, size_t xattr_value_len,
242 struct integrity_iint_cache *iint) 252 struct integrity_iint_cache *iint)
243{ 253{
244 if (!evm_initialized || !evm_protected_xattr(xattr_name)) 254 if (!evm_key_loaded() || !evm_protected_xattr(xattr_name))
245 return INTEGRITY_UNKNOWN; 255 return INTEGRITY_UNKNOWN;
246 256
247 if (!iint) { 257 if (!iint) {
@@ -265,7 +275,7 @@ static enum integrity_status evm_verify_current_integrity(struct dentry *dentry)
265{ 275{
266 struct inode *inode = d_backing_inode(dentry); 276 struct inode *inode = d_backing_inode(dentry);
267 277
268 if (!evm_initialized || !S_ISREG(inode->i_mode) || evm_fixmode) 278 if (!evm_key_loaded() || !S_ISREG(inode->i_mode) || evm_fixmode)
269 return 0; 279 return 0;
270 return evm_verify_hmac(dentry, NULL, NULL, 0, NULL); 280 return evm_verify_hmac(dentry, NULL, NULL, 0, NULL);
271} 281}
@@ -280,7 +290,7 @@ static enum integrity_status evm_verify_current_integrity(struct dentry *dentry)
280 * affect security.evm. An interesting side affect of writing posix xattr 290 * affect security.evm. An interesting side affect of writing posix xattr
281 * acls is their modifying of the i_mode, which is included in security.evm. 291 * acls is their modifying of the i_mode, which is included in security.evm.
282 * For posix xattr acls only, permit security.evm, even if it currently 292 * For posix xattr acls only, permit security.evm, even if it currently
283 * doesn't exist, to be updated. 293 * doesn't exist, to be updated unless the EVM signature is immutable.
284 */ 294 */
285static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name, 295static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name,
286 const void *xattr_value, size_t xattr_value_len) 296 const void *xattr_value, size_t xattr_value_len)
@@ -299,6 +309,7 @@ static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name,
299 return 0; 309 return 0;
300 goto out; 310 goto out;
301 } 311 }
312
302 evm_status = evm_verify_current_integrity(dentry); 313 evm_status = evm_verify_current_integrity(dentry);
303 if (evm_status == INTEGRITY_NOXATTRS) { 314 if (evm_status == INTEGRITY_NOXATTRS) {
304 struct integrity_iint_cache *iint; 315 struct integrity_iint_cache *iint;
@@ -345,10 +356,17 @@ int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name,
345{ 356{
346 const struct evm_ima_xattr_data *xattr_data = xattr_value; 357 const struct evm_ima_xattr_data *xattr_data = xattr_value;
347 358
359 /* Policy permits modification of the protected xattrs even though
360 * there's no HMAC key loaded
361 */
362 if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
363 return 0;
364
348 if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) { 365 if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
349 if (!xattr_value_len) 366 if (!xattr_value_len)
350 return -EINVAL; 367 return -EINVAL;
351 if (xattr_data->type != EVM_IMA_XATTR_DIGSIG) 368 if (xattr_data->type != EVM_IMA_XATTR_DIGSIG &&
369 xattr_data->type != EVM_XATTR_PORTABLE_DIGSIG)
352 return -EPERM; 370 return -EPERM;
353 } 371 }
354 return evm_protect_xattr(dentry, xattr_name, xattr_value, 372 return evm_protect_xattr(dentry, xattr_name, xattr_value,
@@ -365,6 +383,12 @@ int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name,
365 */ 383 */
366int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name) 384int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name)
367{ 385{
386 /* Policy permits modification of the protected xattrs even though
387 * there's no HMAC key loaded
388 */
389 if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
390 return 0;
391
368 return evm_protect_xattr(dentry, xattr_name, NULL, 0); 392 return evm_protect_xattr(dentry, xattr_name, NULL, 0);
369} 393}
370 394
@@ -393,8 +417,8 @@ static void evm_reset_status(struct inode *inode)
393void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name, 417void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name,
394 const void *xattr_value, size_t xattr_value_len) 418 const void *xattr_value, size_t xattr_value_len)
395{ 419{
396 if (!evm_initialized || (!evm_protected_xattr(xattr_name) 420 if (!evm_key_loaded() || (!evm_protected_xattr(xattr_name)
397 && !posix_xattr_acl(xattr_name))) 421 && !posix_xattr_acl(xattr_name)))
398 return; 422 return;
399 423
400 evm_reset_status(dentry->d_inode); 424 evm_reset_status(dentry->d_inode);
@@ -414,7 +438,7 @@ void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name,
414 */ 438 */
415void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name) 439void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name)
416{ 440{
417 if (!evm_initialized || !evm_protected_xattr(xattr_name)) 441 if (!evm_key_loaded() || !evm_protected_xattr(xattr_name))
418 return; 442 return;
419 443
420 evm_reset_status(dentry->d_inode); 444 evm_reset_status(dentry->d_inode);
@@ -425,12 +449,21 @@ void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name)
425/** 449/**
426 * evm_inode_setattr - prevent updating an invalid EVM extended attribute 450 * evm_inode_setattr - prevent updating an invalid EVM extended attribute
427 * @dentry: pointer to the affected dentry 451 * @dentry: pointer to the affected dentry
452 *
453 * Permit update of file attributes when files have a valid EVM signature,
454 * except in the case of them having an immutable portable signature.
428 */ 455 */
429int evm_inode_setattr(struct dentry *dentry, struct iattr *attr) 456int evm_inode_setattr(struct dentry *dentry, struct iattr *attr)
430{ 457{
431 unsigned int ia_valid = attr->ia_valid; 458 unsigned int ia_valid = attr->ia_valid;
432 enum integrity_status evm_status; 459 enum integrity_status evm_status;
433 460
461 /* Policy permits modification of the protected attrs even though
462 * there's no HMAC key loaded
463 */
464 if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
465 return 0;
466
434 if (!(ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))) 467 if (!(ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)))
435 return 0; 468 return 0;
436 evm_status = evm_verify_current_integrity(dentry); 469 evm_status = evm_verify_current_integrity(dentry);
@@ -456,7 +489,7 @@ int evm_inode_setattr(struct dentry *dentry, struct iattr *attr)
456 */ 489 */
457void evm_inode_post_setattr(struct dentry *dentry, int ia_valid) 490void evm_inode_post_setattr(struct dentry *dentry, int ia_valid)
458{ 491{
459 if (!evm_initialized) 492 if (!evm_key_loaded())
460 return; 493 return;
461 494
462 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) 495 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))
@@ -473,7 +506,7 @@ int evm_inode_init_security(struct inode *inode,
473 struct evm_ima_xattr_data *xattr_data; 506 struct evm_ima_xattr_data *xattr_data;
474 int rc; 507 int rc;
475 508
476 if (!evm_initialized || !evm_protected_xattr(lsm_xattr->name)) 509 if (!evm_key_loaded() || !evm_protected_xattr(lsm_xattr->name))
477 return 0; 510 return 0;
478 511
479 xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS); 512 xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS);
diff --git a/security/integrity/evm/evm_secfs.c b/security/integrity/evm/evm_secfs.c
index 319cf16d6603..feba03bbedae 100644
--- a/security/integrity/evm/evm_secfs.c
+++ b/security/integrity/evm/evm_secfs.c
@@ -40,7 +40,7 @@ static ssize_t evm_read_key(struct file *filp, char __user *buf,
40 if (*ppos != 0) 40 if (*ppos != 0)
41 return 0; 41 return 0;
42 42
43 sprintf(temp, "%d", (evm_initialized & ~EVM_SETUP)); 43 sprintf(temp, "%d", (evm_initialized & ~EVM_SETUP_COMPLETE));
44 rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp)); 44 rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp));
45 45
46 return rc; 46 return rc;
@@ -63,7 +63,7 @@ static ssize_t evm_write_key(struct file *file, const char __user *buf,
63{ 63{
64 int i, ret; 64 int i, ret;
65 65
66 if (!capable(CAP_SYS_ADMIN) || (evm_initialized & EVM_SETUP)) 66 if (!capable(CAP_SYS_ADMIN) || (evm_initialized & EVM_SETUP_COMPLETE))
67 return -EPERM; 67 return -EPERM;
68 68
69 ret = kstrtoint_from_user(buf, count, 0, &i); 69 ret = kstrtoint_from_user(buf, count, 0, &i);
@@ -75,16 +75,30 @@ static ssize_t evm_write_key(struct file *file, const char __user *buf,
75 if (!i || (i & ~EVM_INIT_MASK) != 0) 75 if (!i || (i & ~EVM_INIT_MASK) != 0)
76 return -EINVAL; 76 return -EINVAL;
77 77
78 /* Don't allow a request to freshly enable metadata writes if
79 * keys are loaded.
80 */
81 if ((i & EVM_ALLOW_METADATA_WRITES) &&
82 ((evm_initialized & EVM_KEY_MASK) != 0) &&
83 !(evm_initialized & EVM_ALLOW_METADATA_WRITES))
84 return -EPERM;
85
78 if (i & EVM_INIT_HMAC) { 86 if (i & EVM_INIT_HMAC) {
79 ret = evm_init_key(); 87 ret = evm_init_key();
80 if (ret != 0) 88 if (ret != 0)
81 return ret; 89 return ret;
82 /* Forbid further writes after the symmetric key is loaded */ 90 /* Forbid further writes after the symmetric key is loaded */
83 i |= EVM_SETUP; 91 i |= EVM_SETUP_COMPLETE;
84 } 92 }
85 93
86 evm_initialized |= i; 94 evm_initialized |= i;
87 95
96 /* Don't allow protected metadata modification if a symmetric key
97 * is loaded
98 */
99 if (evm_initialized & EVM_INIT_HMAC)
100 evm_initialized &= ~(EVM_ALLOW_METADATA_WRITES);
101
88 return count; 102 return count;
89} 103}
90 104
diff --git a/security/integrity/iint.c b/security/integrity/iint.c
index c84e05866052..9700e96ab0f0 100644
--- a/security/integrity/iint.c
+++ b/security/integrity/iint.c
@@ -74,6 +74,7 @@ static void iint_free(struct integrity_iint_cache *iint)
74 iint->ima_hash = NULL; 74 iint->ima_hash = NULL;
75 iint->version = 0; 75 iint->version = 0;
76 iint->flags = 0UL; 76 iint->flags = 0UL;
77 iint->atomic_flags = 0UL;
77 iint->ima_file_status = INTEGRITY_UNKNOWN; 78 iint->ima_file_status = INTEGRITY_UNKNOWN;
78 iint->ima_mmap_status = INTEGRITY_UNKNOWN; 79 iint->ima_mmap_status = INTEGRITY_UNKNOWN;
79 iint->ima_bprm_status = INTEGRITY_UNKNOWN; 80 iint->ima_bprm_status = INTEGRITY_UNKNOWN;
@@ -153,14 +154,12 @@ static void init_once(void *foo)
153 struct integrity_iint_cache *iint = foo; 154 struct integrity_iint_cache *iint = foo;
154 155
155 memset(iint, 0, sizeof(*iint)); 156 memset(iint, 0, sizeof(*iint));
156 iint->version = 0;
157 iint->flags = 0UL;
158 iint->ima_file_status = INTEGRITY_UNKNOWN; 157 iint->ima_file_status = INTEGRITY_UNKNOWN;
159 iint->ima_mmap_status = INTEGRITY_UNKNOWN; 158 iint->ima_mmap_status = INTEGRITY_UNKNOWN;
160 iint->ima_bprm_status = INTEGRITY_UNKNOWN; 159 iint->ima_bprm_status = INTEGRITY_UNKNOWN;
161 iint->ima_read_status = INTEGRITY_UNKNOWN; 160 iint->ima_read_status = INTEGRITY_UNKNOWN;
162 iint->evm_status = INTEGRITY_UNKNOWN; 161 iint->evm_status = INTEGRITY_UNKNOWN;
163 iint->measured_pcrs = 0; 162 mutex_init(&iint->mutex);
164} 163}
165 164
166static int __init integrity_iintcache_init(void) 165static int __init integrity_iintcache_init(void)
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index c7e8db0ea4c0..08fe405338e1 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -18,6 +18,7 @@
18#include <linux/fs.h> 18#include <linux/fs.h>
19#include <linux/xattr.h> 19#include <linux/xattr.h>
20#include <linux/evm.h> 20#include <linux/evm.h>
21#include <linux/iversion.h>
21 22
22#include "ima.h" 23#include "ima.h"
23 24
@@ -174,7 +175,7 @@ err_out:
174 */ 175 */
175int ima_get_action(struct inode *inode, int mask, enum ima_hooks func, int *pcr) 176int ima_get_action(struct inode *inode, int mask, enum ima_hooks func, int *pcr)
176{ 177{
177 int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE; 178 int flags = IMA_MEASURE | IMA_AUDIT | IMA_APPRAISE | IMA_HASH;
178 179
179 flags &= ima_policy_flag; 180 flags &= ima_policy_flag;
180 181
@@ -215,7 +216,7 @@ int ima_collect_measurement(struct integrity_iint_cache *iint,
215 * which do not support i_version, support is limited to an initial 216 * which do not support i_version, support is limited to an initial
216 * measurement/appraisal/audit. 217 * measurement/appraisal/audit.
217 */ 218 */
218 i_version = file_inode(file)->i_version; 219 i_version = inode_query_iversion(inode);
219 hash.hdr.algo = algo; 220 hash.hdr.algo = algo;
220 221
221 /* Initialize hash digest to 0's in case of failure */ 222 /* Initialize hash digest to 0's in case of failure */
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 65fbcf3c32c7..f2803a40ff82 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -46,14 +46,15 @@ bool is_ima_appraise_enabled(void)
46/* 46/*
47 * ima_must_appraise - set appraise flag 47 * ima_must_appraise - set appraise flag
48 * 48 *
49 * Return 1 to appraise 49 * Return 1 to appraise or hash
50 */ 50 */
51int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func) 51int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func)
52{ 52{
53 if (!ima_appraise) 53 if (!ima_appraise)
54 return 0; 54 return 0;
55 55
56 return ima_match_policy(inode, func, mask, IMA_APPRAISE, NULL); 56 return ima_match_policy(inode, func, mask, IMA_APPRAISE | IMA_HASH,
57 NULL);
57} 58}
58 59
59static int ima_fix_xattr(struct dentry *dentry, 60static int ima_fix_xattr(struct dentry *dentry,
@@ -223,13 +224,16 @@ int ima_appraise_measurement(enum ima_hooks func,
223 if (opened & FILE_CREATED) 224 if (opened & FILE_CREATED)
224 iint->flags |= IMA_NEW_FILE; 225 iint->flags |= IMA_NEW_FILE;
225 if ((iint->flags & IMA_NEW_FILE) && 226 if ((iint->flags & IMA_NEW_FILE) &&
226 !(iint->flags & IMA_DIGSIG_REQUIRED)) 227 (!(iint->flags & IMA_DIGSIG_REQUIRED) ||
228 (inode->i_size == 0)))
227 status = INTEGRITY_PASS; 229 status = INTEGRITY_PASS;
228 goto out; 230 goto out;
229 } 231 }
230 232
231 status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, rc, iint); 233 status = evm_verifyxattr(dentry, XATTR_NAME_IMA, xattr_value, rc, iint);
232 if ((status != INTEGRITY_PASS) && (status != INTEGRITY_UNKNOWN)) { 234 if ((status != INTEGRITY_PASS) &&
235 (status != INTEGRITY_PASS_IMMUTABLE) &&
236 (status != INTEGRITY_UNKNOWN)) {
233 if ((status == INTEGRITY_NOLABEL) 237 if ((status == INTEGRITY_NOLABEL)
234 || (status == INTEGRITY_NOXATTRS)) 238 || (status == INTEGRITY_NOXATTRS))
235 cause = "missing-HMAC"; 239 cause = "missing-HMAC";
@@ -248,6 +252,7 @@ int ima_appraise_measurement(enum ima_hooks func,
248 status = INTEGRITY_FAIL; 252 status = INTEGRITY_FAIL;
249 break; 253 break;
250 } 254 }
255 clear_bit(IMA_DIGSIG, &iint->atomic_flags);
251 if (xattr_len - sizeof(xattr_value->type) - hash_start >= 256 if (xattr_len - sizeof(xattr_value->type) - hash_start >=
252 iint->ima_hash->length) 257 iint->ima_hash->length)
253 /* xattr length may be longer. md5 hash in previous 258 /* xattr length may be longer. md5 hash in previous
@@ -266,7 +271,7 @@ int ima_appraise_measurement(enum ima_hooks func,
266 status = INTEGRITY_PASS; 271 status = INTEGRITY_PASS;
267 break; 272 break;
268 case EVM_IMA_XATTR_DIGSIG: 273 case EVM_IMA_XATTR_DIGSIG:
269 iint->flags |= IMA_DIGSIG; 274 set_bit(IMA_DIGSIG, &iint->atomic_flags);
270 rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA, 275 rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,
271 (const char *)xattr_value, rc, 276 (const char *)xattr_value, rc,
272 iint->ima_hash->digest, 277 iint->ima_hash->digest,
@@ -317,17 +322,20 @@ void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file)
317 int rc = 0; 322 int rc = 0;
318 323
319 /* do not collect and update hash for digital signatures */ 324 /* do not collect and update hash for digital signatures */
320 if (iint->flags & IMA_DIGSIG) 325 if (test_bit(IMA_DIGSIG, &iint->atomic_flags))
321 return; 326 return;
322 327
323 if (iint->ima_file_status != INTEGRITY_PASS) 328 if ((iint->ima_file_status != INTEGRITY_PASS) &&
329 !(iint->flags & IMA_HASH))
324 return; 330 return;
325 331
326 rc = ima_collect_measurement(iint, file, NULL, 0, ima_hash_algo); 332 rc = ima_collect_measurement(iint, file, NULL, 0, ima_hash_algo);
327 if (rc < 0) 333 if (rc < 0)
328 return; 334 return;
329 335
336 inode_lock(file_inode(file));
330 ima_fix_xattr(dentry, iint); 337 ima_fix_xattr(dentry, iint);
338 inode_unlock(file_inode(file));
331} 339}
332 340
333/** 341/**
@@ -343,23 +351,21 @@ void ima_inode_post_setattr(struct dentry *dentry)
343{ 351{
344 struct inode *inode = d_backing_inode(dentry); 352 struct inode *inode = d_backing_inode(dentry);
345 struct integrity_iint_cache *iint; 353 struct integrity_iint_cache *iint;
346 int must_appraise; 354 int action;
347 355
348 if (!(ima_policy_flag & IMA_APPRAISE) || !S_ISREG(inode->i_mode) 356 if (!(ima_policy_flag & IMA_APPRAISE) || !S_ISREG(inode->i_mode)
349 || !(inode->i_opflags & IOP_XATTR)) 357 || !(inode->i_opflags & IOP_XATTR))
350 return; 358 return;
351 359
352 must_appraise = ima_must_appraise(inode, MAY_ACCESS, POST_SETATTR); 360 action = ima_must_appraise(inode, MAY_ACCESS, POST_SETATTR);
361 if (!action)
362 __vfs_removexattr(dentry, XATTR_NAME_IMA);
353 iint = integrity_iint_find(inode); 363 iint = integrity_iint_find(inode);
354 if (iint) { 364 if (iint) {
355 iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED | 365 set_bit(IMA_CHANGE_ATTR, &iint->atomic_flags);
356 IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK | 366 if (!action)
357 IMA_ACTION_RULE_FLAGS); 367 clear_bit(IMA_UPDATE_XATTR, &iint->atomic_flags);
358 if (must_appraise)
359 iint->flags |= IMA_APPRAISE;
360 } 368 }
361 if (!must_appraise)
362 __vfs_removexattr(dentry, XATTR_NAME_IMA);
363} 369}
364 370
365/* 371/*
@@ -388,12 +394,12 @@ static void ima_reset_appraise_flags(struct inode *inode, int digsig)
388 iint = integrity_iint_find(inode); 394 iint = integrity_iint_find(inode);
389 if (!iint) 395 if (!iint)
390 return; 396 return;
391
392 iint->flags &= ~IMA_DONE_MASK;
393 iint->measured_pcrs = 0; 397 iint->measured_pcrs = 0;
398 set_bit(IMA_CHANGE_XATTR, &iint->atomic_flags);
394 if (digsig) 399 if (digsig)
395 iint->flags |= IMA_DIGSIG; 400 set_bit(IMA_DIGSIG, &iint->atomic_flags);
396 return; 401 else
402 clear_bit(IMA_DIGSIG, &iint->atomic_flags);
397} 403}
398 404
399int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name, 405int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c
index 9057b163c378..205bc69361ea 100644
--- a/security/integrity/ima/ima_crypto.c
+++ b/security/integrity/ima/ima_crypto.c
@@ -632,7 +632,7 @@ static void __init ima_pcrread(int idx, u8 *pcr)
632 if (!ima_used_chip) 632 if (!ima_used_chip)
633 return; 633 return;
634 634
635 if (tpm_pcr_read(TPM_ANY_NUM, idx, pcr) != 0) 635 if (tpm_pcr_read(NULL, idx, pcr) != 0)
636 pr_err("Error Communicating to TPM chip\n"); 636 pr_err("Error Communicating to TPM chip\n");
637} 637}
638 638
diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima_init.c
index 2967d497a665..29b72cd2502e 100644
--- a/security/integrity/ima/ima_init.c
+++ b/security/integrity/ima/ima_init.c
@@ -110,7 +110,7 @@ int __init ima_init(void)
110 int rc; 110 int rc;
111 111
112 ima_used_chip = 0; 112 ima_used_chip = 0;
113 rc = tpm_pcr_read(TPM_ANY_NUM, 0, pcr_i); 113 rc = tpm_pcr_read(NULL, 0, pcr_i);
114 if (rc == 0) 114 if (rc == 0)
115 ima_used_chip = 1; 115 ima_used_chip = 1;
116 116
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 770654694efc..2cfb0c714967 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -24,6 +24,7 @@
24#include <linux/slab.h> 24#include <linux/slab.h>
25#include <linux/xattr.h> 25#include <linux/xattr.h>
26#include <linux/ima.h> 26#include <linux/ima.h>
27#include <linux/iversion.h>
27 28
28#include "ima.h" 29#include "ima.h"
29 30
@@ -84,10 +85,10 @@ static void ima_rdwr_violation_check(struct file *file,
84 struct integrity_iint_cache *iint, 85 struct integrity_iint_cache *iint,
85 int must_measure, 86 int must_measure,
86 char **pathbuf, 87 char **pathbuf,
87 const char **pathname) 88 const char **pathname,
89 char *filename)
88{ 90{
89 struct inode *inode = file_inode(file); 91 struct inode *inode = file_inode(file);
90 char filename[NAME_MAX];
91 fmode_t mode = file->f_mode; 92 fmode_t mode = file->f_mode;
92 bool send_tomtou = false, send_writers = false; 93 bool send_tomtou = false, send_writers = false;
93 94
@@ -96,10 +97,13 @@ static void ima_rdwr_violation_check(struct file *file,
96 if (!iint) 97 if (!iint)
97 iint = integrity_iint_find(inode); 98 iint = integrity_iint_find(inode);
98 /* IMA_MEASURE is set from reader side */ 99 /* IMA_MEASURE is set from reader side */
99 if (iint && (iint->flags & IMA_MEASURE)) 100 if (iint && test_bit(IMA_MUST_MEASURE,
101 &iint->atomic_flags))
100 send_tomtou = true; 102 send_tomtou = true;
101 } 103 }
102 } else { 104 } else {
105 if (must_measure)
106 set_bit(IMA_MUST_MEASURE, &iint->atomic_flags);
103 if ((atomic_read(&inode->i_writecount) > 0) && must_measure) 107 if ((atomic_read(&inode->i_writecount) > 0) && must_measure)
104 send_writers = true; 108 send_writers = true;
105 } 109 }
@@ -121,21 +125,25 @@ static void ima_check_last_writer(struct integrity_iint_cache *iint,
121 struct inode *inode, struct file *file) 125 struct inode *inode, struct file *file)
122{ 126{
123 fmode_t mode = file->f_mode; 127 fmode_t mode = file->f_mode;
128 bool update;
124 129
125 if (!(mode & FMODE_WRITE)) 130 if (!(mode & FMODE_WRITE))
126 return; 131 return;
127 132
128 inode_lock(inode); 133 mutex_lock(&iint->mutex);
129 if (atomic_read(&inode->i_writecount) == 1) { 134 if (atomic_read(&inode->i_writecount) == 1) {
130 if ((iint->version != inode->i_version) || 135 update = test_and_clear_bit(IMA_UPDATE_XATTR,
136 &iint->atomic_flags);
137 if (!IS_I_VERSION(inode) ||
138 !inode_eq_iversion(inode, iint->version) ||
131 (iint->flags & IMA_NEW_FILE)) { 139 (iint->flags & IMA_NEW_FILE)) {
132 iint->flags &= ~(IMA_DONE_MASK | IMA_NEW_FILE); 140 iint->flags &= ~(IMA_DONE_MASK | IMA_NEW_FILE);
133 iint->measured_pcrs = 0; 141 iint->measured_pcrs = 0;
134 if (iint->flags & IMA_APPRAISE) 142 if (update)
135 ima_update_xattr(iint, file); 143 ima_update_xattr(iint, file);
136 } 144 }
137 } 145 }
138 inode_unlock(inode); 146 mutex_unlock(&iint->mutex);
139} 147}
140 148
141/** 149/**
@@ -168,7 +176,7 @@ static int process_measurement(struct file *file, char *buf, loff_t size,
168 char *pathbuf = NULL; 176 char *pathbuf = NULL;
169 char filename[NAME_MAX]; 177 char filename[NAME_MAX];
170 const char *pathname = NULL; 178 const char *pathname = NULL;
171 int rc = -ENOMEM, action, must_appraise; 179 int rc = 0, action, must_appraise = 0;
172 int pcr = CONFIG_IMA_MEASURE_PCR_IDX; 180 int pcr = CONFIG_IMA_MEASURE_PCR_IDX;
173 struct evm_ima_xattr_data *xattr_value = NULL; 181 struct evm_ima_xattr_data *xattr_value = NULL;
174 int xattr_len = 0; 182 int xattr_len = 0;
@@ -199,17 +207,31 @@ static int process_measurement(struct file *file, char *buf, loff_t size,
199 if (action) { 207 if (action) {
200 iint = integrity_inode_get(inode); 208 iint = integrity_inode_get(inode);
201 if (!iint) 209 if (!iint)
202 goto out; 210 rc = -ENOMEM;
203 } 211 }
204 212
205 if (violation_check) { 213 if (!rc && violation_check)
206 ima_rdwr_violation_check(file, iint, action & IMA_MEASURE, 214 ima_rdwr_violation_check(file, iint, action & IMA_MEASURE,
207 &pathbuf, &pathname); 215 &pathbuf, &pathname, filename);
208 if (!action) { 216
209 rc = 0; 217 inode_unlock(inode);
210 goto out_free; 218
211 } 219 if (rc)
212 } 220 goto out;
221 if (!action)
222 goto out;
223
224 mutex_lock(&iint->mutex);
225
226 if (test_and_clear_bit(IMA_CHANGE_ATTR, &iint->atomic_flags))
227 /* reset appraisal flags if ima_inode_post_setattr was called */
228 iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED |
229 IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK |
230 IMA_ACTION_FLAGS);
231
232 if (test_and_clear_bit(IMA_CHANGE_XATTR, &iint->atomic_flags))
233 /* reset all flags if ima_inode_setxattr was called */
234 iint->flags &= ~IMA_DONE_MASK;
213 235
214 /* Determine if already appraised/measured based on bitmask 236 /* Determine if already appraised/measured based on bitmask
215 * (IMA_MEASURE, IMA_MEASURED, IMA_XXXX_APPRAISE, IMA_XXXX_APPRAISED, 237 * (IMA_MEASURE, IMA_MEASURED, IMA_XXXX_APPRAISE, IMA_XXXX_APPRAISED,
@@ -223,11 +245,23 @@ static int process_measurement(struct file *file, char *buf, loff_t size,
223 if ((action & IMA_MEASURE) && (iint->measured_pcrs & (0x1 << pcr))) 245 if ((action & IMA_MEASURE) && (iint->measured_pcrs & (0x1 << pcr)))
224 action ^= IMA_MEASURE; 246 action ^= IMA_MEASURE;
225 247
248 /* HASH sets the digital signature and update flags, nothing else */
249 if ((action & IMA_HASH) &&
250 !(test_bit(IMA_DIGSIG, &iint->atomic_flags))) {
251 xattr_len = ima_read_xattr(file_dentry(file), &xattr_value);
252 if ((xattr_value && xattr_len > 2) &&
253 (xattr_value->type == EVM_IMA_XATTR_DIGSIG))
254 set_bit(IMA_DIGSIG, &iint->atomic_flags);
255 iint->flags |= IMA_HASHED;
256 action ^= IMA_HASH;
257 set_bit(IMA_UPDATE_XATTR, &iint->atomic_flags);
258 }
259
226 /* Nothing to do, just return existing appraised status */ 260 /* Nothing to do, just return existing appraised status */
227 if (!action) { 261 if (!action) {
228 if (must_appraise) 262 if (must_appraise)
229 rc = ima_get_cache_status(iint, func); 263 rc = ima_get_cache_status(iint, func);
230 goto out_digsig; 264 goto out_locked;
231 } 265 }
232 266
233 template_desc = ima_template_desc_current(); 267 template_desc = ima_template_desc_current();
@@ -240,7 +274,7 @@ static int process_measurement(struct file *file, char *buf, loff_t size,
240 274
241 rc = ima_collect_measurement(iint, file, buf, size, hash_algo); 275 rc = ima_collect_measurement(iint, file, buf, size, hash_algo);
242 if (rc != 0 && rc != -EBADF && rc != -EINVAL) 276 if (rc != 0 && rc != -EBADF && rc != -EINVAL)
243 goto out_digsig; 277 goto out_locked;
244 278
245 if (!pathbuf) /* ima_rdwr_violation possibly pre-fetched */ 279 if (!pathbuf) /* ima_rdwr_violation possibly pre-fetched */
246 pathname = ima_d_path(&file->f_path, &pathbuf, filename); 280 pathname = ima_d_path(&file->f_path, &pathbuf, filename);
@@ -248,26 +282,32 @@ static int process_measurement(struct file *file, char *buf, loff_t size,
248 if (action & IMA_MEASURE) 282 if (action & IMA_MEASURE)
249 ima_store_measurement(iint, file, pathname, 283 ima_store_measurement(iint, file, pathname,
250 xattr_value, xattr_len, pcr); 284 xattr_value, xattr_len, pcr);
251 if (rc == 0 && (action & IMA_APPRAISE_SUBMASK)) 285 if (rc == 0 && (action & IMA_APPRAISE_SUBMASK)) {
286 inode_lock(inode);
252 rc = ima_appraise_measurement(func, iint, file, pathname, 287 rc = ima_appraise_measurement(func, iint, file, pathname,
253 xattr_value, xattr_len, opened); 288 xattr_value, xattr_len, opened);
289 inode_unlock(inode);
290 }
254 if (action & IMA_AUDIT) 291 if (action & IMA_AUDIT)
255 ima_audit_measurement(iint, pathname); 292 ima_audit_measurement(iint, pathname);
256 293
257 if ((file->f_flags & O_DIRECT) && (iint->flags & IMA_PERMIT_DIRECTIO)) 294 if ((file->f_flags & O_DIRECT) && (iint->flags & IMA_PERMIT_DIRECTIO))
258 rc = 0; 295 rc = 0;
259out_digsig: 296out_locked:
260 if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG) && 297 if ((mask & MAY_WRITE) && test_bit(IMA_DIGSIG, &iint->atomic_flags) &&
261 !(iint->flags & IMA_NEW_FILE)) 298 !(iint->flags & IMA_NEW_FILE))
262 rc = -EACCES; 299 rc = -EACCES;
300 mutex_unlock(&iint->mutex);
263 kfree(xattr_value); 301 kfree(xattr_value);
264out_free: 302out:
265 if (pathbuf) 303 if (pathbuf)
266 __putname(pathbuf); 304 __putname(pathbuf);
267out: 305 if (must_appraise) {
268 inode_unlock(inode); 306 if (rc && (ima_appraise & IMA_APPRAISE_ENFORCE))
269 if ((rc && must_appraise) && (ima_appraise & IMA_APPRAISE_ENFORCE)) 307 return -EACCES;
270 return -EACCES; 308 if (file->f_mode & FMODE_WRITE)
309 set_bit(IMA_UPDATE_XATTR, &iint->atomic_flags);
310 }
271 return 0; 311 return 0;
272} 312}
273 313
@@ -366,8 +406,10 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id)
366 406
367 if (!file && read_id == READING_MODULE) { 407 if (!file && read_id == READING_MODULE) {
368 if (!sig_enforce && (ima_appraise & IMA_APPRAISE_MODULES) && 408 if (!sig_enforce && (ima_appraise & IMA_APPRAISE_MODULES) &&
369 (ima_appraise & IMA_APPRAISE_ENFORCE)) 409 (ima_appraise & IMA_APPRAISE_ENFORCE)) {
410 pr_err("impossible to appraise a module without a file descriptor. sig_enforce kernel parameter might help\n");
370 return -EACCES; /* INTEGRITY_UNKNOWN */ 411 return -EACCES; /* INTEGRITY_UNKNOWN */
412 }
371 return 0; /* We rely on module signature checking */ 413 return 0; /* We rely on module signature checking */
372 } 414 }
373 return 0; 415 return 0;
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index ee4613fa5840..915f5572c6ff 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -40,6 +40,8 @@
40#define APPRAISE 0x0004 /* same as IMA_APPRAISE */ 40#define APPRAISE 0x0004 /* same as IMA_APPRAISE */
41#define DONT_APPRAISE 0x0008 41#define DONT_APPRAISE 0x0008
42#define AUDIT 0x0040 42#define AUDIT 0x0040
43#define HASH 0x0100
44#define DONT_HASH 0x0200
43 45
44#define INVALID_PCR(a) (((a) < 0) || \ 46#define INVALID_PCR(a) (((a) < 0) || \
45 (a) >= (FIELD_SIZEOF(struct integrity_iint_cache, measured_pcrs) * 8)) 47 (a) >= (FIELD_SIZEOF(struct integrity_iint_cache, measured_pcrs) * 8))
@@ -380,8 +382,10 @@ int ima_match_policy(struct inode *inode, enum ima_hooks func, int mask,
380 action |= entry->flags & IMA_ACTION_FLAGS; 382 action |= entry->flags & IMA_ACTION_FLAGS;
381 383
382 action |= entry->action & IMA_DO_MASK; 384 action |= entry->action & IMA_DO_MASK;
383 if (entry->action & IMA_APPRAISE) 385 if (entry->action & IMA_APPRAISE) {
384 action |= get_subaction(entry, func); 386 action |= get_subaction(entry, func);
387 action ^= IMA_HASH;
388 }
385 389
386 if (entry->action & IMA_DO_MASK) 390 if (entry->action & IMA_DO_MASK)
387 actmask &= ~(entry->action | entry->action << 1); 391 actmask &= ~(entry->action | entry->action << 1);
@@ -521,7 +525,7 @@ enum {
521 Opt_err = -1, 525 Opt_err = -1,
522 Opt_measure = 1, Opt_dont_measure, 526 Opt_measure = 1, Opt_dont_measure,
523 Opt_appraise, Opt_dont_appraise, 527 Opt_appraise, Opt_dont_appraise,
524 Opt_audit, 528 Opt_audit, Opt_hash, Opt_dont_hash,
525 Opt_obj_user, Opt_obj_role, Opt_obj_type, 529 Opt_obj_user, Opt_obj_role, Opt_obj_type,
526 Opt_subj_user, Opt_subj_role, Opt_subj_type, 530 Opt_subj_user, Opt_subj_role, Opt_subj_type,
527 Opt_func, Opt_mask, Opt_fsmagic, 531 Opt_func, Opt_mask, Opt_fsmagic,
@@ -538,6 +542,8 @@ static match_table_t policy_tokens = {
538 {Opt_appraise, "appraise"}, 542 {Opt_appraise, "appraise"},
539 {Opt_dont_appraise, "dont_appraise"}, 543 {Opt_dont_appraise, "dont_appraise"},
540 {Opt_audit, "audit"}, 544 {Opt_audit, "audit"},
545 {Opt_hash, "hash"},
546 {Opt_dont_hash, "dont_hash"},
541 {Opt_obj_user, "obj_user=%s"}, 547 {Opt_obj_user, "obj_user=%s"},
542 {Opt_obj_role, "obj_role=%s"}, 548 {Opt_obj_role, "obj_role=%s"},
543 {Opt_obj_type, "obj_type=%s"}, 549 {Opt_obj_type, "obj_type=%s"},
@@ -671,6 +677,22 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
671 677
672 entry->action = AUDIT; 678 entry->action = AUDIT;
673 break; 679 break;
680 case Opt_hash:
681 ima_log_string(ab, "action", "hash");
682
683 if (entry->action != UNKNOWN)
684 result = -EINVAL;
685
686 entry->action = HASH;
687 break;
688 case Opt_dont_hash:
689 ima_log_string(ab, "action", "dont_hash");
690
691 if (entry->action != UNKNOWN)
692 result = -EINVAL;
693
694 entry->action = DONT_HASH;
695 break;
674 case Opt_func: 696 case Opt_func:
675 ima_log_string(ab, "func", args[0].from); 697 ima_log_string(ab, "func", args[0].from);
676 698
@@ -743,7 +765,7 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
743 case Opt_fsuuid: 765 case Opt_fsuuid:
744 ima_log_string(ab, "fsuuid", args[0].from); 766 ima_log_string(ab, "fsuuid", args[0].from);
745 767
746 if (uuid_is_null(&entry->fsuuid)) { 768 if (!uuid_is_null(&entry->fsuuid)) {
747 result = -EINVAL; 769 result = -EINVAL;
748 break; 770 break;
749 } 771 }
@@ -1040,6 +1062,10 @@ int ima_policy_show(struct seq_file *m, void *v)
1040 seq_puts(m, pt(Opt_dont_appraise)); 1062 seq_puts(m, pt(Opt_dont_appraise));
1041 if (entry->action & AUDIT) 1063 if (entry->action & AUDIT)
1042 seq_puts(m, pt(Opt_audit)); 1064 seq_puts(m, pt(Opt_audit));
1065 if (entry->action & HASH)
1066 seq_puts(m, pt(Opt_hash));
1067 if (entry->action & DONT_HASH)
1068 seq_puts(m, pt(Opt_dont_hash));
1043 1069
1044 seq_puts(m, " "); 1070 seq_puts(m, " ");
1045 1071
diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/ima_queue.c
index a02a86d51102..418f35e38015 100644
--- a/security/integrity/ima/ima_queue.c
+++ b/security/integrity/ima/ima_queue.c
@@ -145,7 +145,7 @@ static int ima_pcr_extend(const u8 *hash, int pcr)
145 if (!ima_used_chip) 145 if (!ima_used_chip)
146 return result; 146 return result;
147 147
148 result = tpm_pcr_extend(TPM_ANY_NUM, pcr, hash); 148 result = tpm_pcr_extend(NULL, pcr, hash);
149 if (result != 0) 149 if (result != 0)
150 pr_err("Error Communicating to TPM chip, result: %d\n", result); 150 pr_err("Error Communicating to TPM chip, result: %d\n", result);
151 return result; 151 return result;
diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c
index 7412d0291ab9..30db39b23804 100644
--- a/security/integrity/ima/ima_template.c
+++ b/security/integrity/ima/ima_template.c
@@ -377,8 +377,7 @@ int ima_restore_measurement_list(loff_t size, void *buf)
377 break; 377 break;
378 378
379 if (hdr[HDR_TEMPLATE_NAME].len >= MAX_TEMPLATE_NAME_LEN) { 379 if (hdr[HDR_TEMPLATE_NAME].len >= MAX_TEMPLATE_NAME_LEN) {
380 pr_err("attempting to restore a template name \ 380 pr_err("attempting to restore a template name that is too long\n");
381 that is too long\n");
382 ret = -EINVAL; 381 ret = -EINVAL;
383 break; 382 break;
384 } 383 }
@@ -389,8 +388,8 @@ int ima_restore_measurement_list(loff_t size, void *buf)
389 template_name[hdr[HDR_TEMPLATE_NAME].len] = 0; 388 template_name[hdr[HDR_TEMPLATE_NAME].len] = 0;
390 389
391 if (strcmp(template_name, "ima") == 0) { 390 if (strcmp(template_name, "ima") == 0) {
392 pr_err("attempting to restore an unsupported \ 391 pr_err("attempting to restore an unsupported template \"%s\" failed\n",
393 template \"%s\" failed\n", template_name); 392 template_name);
394 ret = -EINVAL; 393 ret = -EINVAL;
395 break; 394 break;
396 } 395 }
@@ -410,8 +409,8 @@ int ima_restore_measurement_list(loff_t size, void *buf)
410 &(template_desc->fields), 409 &(template_desc->fields),
411 &(template_desc->num_fields)); 410 &(template_desc->num_fields));
412 if (ret < 0) { 411 if (ret < 0) {
413 pr_err("attempting to restore the template fmt \"%s\" \ 412 pr_err("attempting to restore the template fmt \"%s\" failed\n",
414 failed\n", template_desc->fmt); 413 template_desc->fmt);
415 ret = -EINVAL; 414 ret = -EINVAL;
416 break; 415 break;
417 } 416 }
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index e1bf040fb110..50a8e3365df7 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -25,39 +25,50 @@
25#define IMA_COLLECTED 0x00000020 25#define IMA_COLLECTED 0x00000020
26#define IMA_AUDIT 0x00000040 26#define IMA_AUDIT 0x00000040
27#define IMA_AUDITED 0x00000080 27#define IMA_AUDITED 0x00000080
28#define IMA_HASH 0x00000100
29#define IMA_HASHED 0x00000200
28 30
29/* iint cache flags */ 31/* iint cache flags */
30#define IMA_ACTION_FLAGS 0xff000000 32#define IMA_ACTION_FLAGS 0xff000000
31#define IMA_ACTION_RULE_FLAGS 0x06000000 33#define IMA_ACTION_RULE_FLAGS 0x06000000
32#define IMA_DIGSIG 0x01000000 34#define IMA_DIGSIG_REQUIRED 0x01000000
33#define IMA_DIGSIG_REQUIRED 0x02000000 35#define IMA_PERMIT_DIRECTIO 0x02000000
34#define IMA_PERMIT_DIRECTIO 0x04000000 36#define IMA_NEW_FILE 0x04000000
35#define IMA_NEW_FILE 0x08000000 37#define EVM_IMMUTABLE_DIGSIG 0x08000000
36 38
37#define IMA_DO_MASK (IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \ 39#define IMA_DO_MASK (IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \
38 IMA_APPRAISE_SUBMASK) 40 IMA_HASH | IMA_APPRAISE_SUBMASK)
39#define IMA_DONE_MASK (IMA_MEASURED | IMA_APPRAISED | IMA_AUDITED | \ 41#define IMA_DONE_MASK (IMA_MEASURED | IMA_APPRAISED | IMA_AUDITED | \
40 IMA_COLLECTED | IMA_APPRAISED_SUBMASK) 42 IMA_HASHED | IMA_COLLECTED | \
43 IMA_APPRAISED_SUBMASK)
41 44
42/* iint subaction appraise cache flags */ 45/* iint subaction appraise cache flags */
43#define IMA_FILE_APPRAISE 0x00000100 46#define IMA_FILE_APPRAISE 0x00001000
44#define IMA_FILE_APPRAISED 0x00000200 47#define IMA_FILE_APPRAISED 0x00002000
45#define IMA_MMAP_APPRAISE 0x00000400 48#define IMA_MMAP_APPRAISE 0x00004000
46#define IMA_MMAP_APPRAISED 0x00000800 49#define IMA_MMAP_APPRAISED 0x00008000
47#define IMA_BPRM_APPRAISE 0x00001000 50#define IMA_BPRM_APPRAISE 0x00010000
48#define IMA_BPRM_APPRAISED 0x00002000 51#define IMA_BPRM_APPRAISED 0x00020000
49#define IMA_READ_APPRAISE 0x00004000 52#define IMA_READ_APPRAISE 0x00040000
50#define IMA_READ_APPRAISED 0x00008000 53#define IMA_READ_APPRAISED 0x00080000
51#define IMA_APPRAISE_SUBMASK (IMA_FILE_APPRAISE | IMA_MMAP_APPRAISE | \ 54#define IMA_APPRAISE_SUBMASK (IMA_FILE_APPRAISE | IMA_MMAP_APPRAISE | \
52 IMA_BPRM_APPRAISE | IMA_READ_APPRAISE) 55 IMA_BPRM_APPRAISE | IMA_READ_APPRAISE)
53#define IMA_APPRAISED_SUBMASK (IMA_FILE_APPRAISED | IMA_MMAP_APPRAISED | \ 56#define IMA_APPRAISED_SUBMASK (IMA_FILE_APPRAISED | IMA_MMAP_APPRAISED | \
54 IMA_BPRM_APPRAISED | IMA_READ_APPRAISED) 57 IMA_BPRM_APPRAISED | IMA_READ_APPRAISED)
55 58
59/* iint cache atomic_flags */
60#define IMA_CHANGE_XATTR 0
61#define IMA_UPDATE_XATTR 1
62#define IMA_CHANGE_ATTR 2
63#define IMA_DIGSIG 3
64#define IMA_MUST_MEASURE 4
65
56enum evm_ima_xattr_type { 66enum evm_ima_xattr_type {
57 IMA_XATTR_DIGEST = 0x01, 67 IMA_XATTR_DIGEST = 0x01,
58 EVM_XATTR_HMAC, 68 EVM_XATTR_HMAC,
59 EVM_IMA_XATTR_DIGSIG, 69 EVM_IMA_XATTR_DIGSIG,
60 IMA_XATTR_DIGEST_NG, 70 IMA_XATTR_DIGEST_NG,
71 EVM_XATTR_PORTABLE_DIGSIG,
61 IMA_XATTR_LAST 72 IMA_XATTR_LAST
62}; 73};
63 74
@@ -100,10 +111,12 @@ struct signature_v2_hdr {
100/* integrity data associated with an inode */ 111/* integrity data associated with an inode */
101struct integrity_iint_cache { 112struct integrity_iint_cache {
102 struct rb_node rb_node; /* rooted in integrity_iint_tree */ 113 struct rb_node rb_node; /* rooted in integrity_iint_tree */
114 struct mutex mutex; /* protects: version, flags, digest */
103 struct inode *inode; /* back pointer to inode in question */ 115 struct inode *inode; /* back pointer to inode in question */
104 u64 version; /* track inode changes */ 116 u64 version; /* track inode changes */
105 unsigned long flags; 117 unsigned long flags;
106 unsigned long measured_pcrs; 118 unsigned long measured_pcrs;
119 unsigned long atomic_flags;
107 enum integrity_status ima_file_status:4; 120 enum integrity_status ima_file_status:4;
108 enum integrity_status ima_mmap_status:4; 121 enum integrity_status ima_mmap_status:4;
109 enum integrity_status ima_bprm_status:4; 122 enum integrity_status ima_bprm_status:4;
diff --git a/security/keys/keyring.c b/security/keys/keyring.c
index d0bccebbd3b5..41bcf57e96f2 100644
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -713,7 +713,6 @@ descend_to_keyring:
713 * doesn't contain any keyring pointers. 713 * doesn't contain any keyring pointers.
714 */ 714 */
715 shortcut = assoc_array_ptr_to_shortcut(ptr); 715 shortcut = assoc_array_ptr_to_shortcut(ptr);
716 smp_read_barrier_depends();
717 if ((shortcut->index_key[0] & ASSOC_ARRAY_FAN_MASK) != 0) 716 if ((shortcut->index_key[0] & ASSOC_ARRAY_FAN_MASK) != 0)
718 goto not_this_keyring; 717 goto not_this_keyring;
719 718
@@ -723,8 +722,6 @@ descend_to_keyring:
723 } 722 }
724 723
725 node = assoc_array_ptr_to_node(ptr); 724 node = assoc_array_ptr_to_node(ptr);
726 smp_read_barrier_depends();
727
728 ptr = node->slots[0]; 725 ptr = node->slots[0];
729 if (!assoc_array_ptr_is_meta(ptr)) 726 if (!assoc_array_ptr_is_meta(ptr))
730 goto begin_node; 727 goto begin_node;
@@ -736,7 +733,6 @@ descend_to_node:
736 kdebug("descend"); 733 kdebug("descend");
737 if (assoc_array_ptr_is_shortcut(ptr)) { 734 if (assoc_array_ptr_is_shortcut(ptr)) {
738 shortcut = assoc_array_ptr_to_shortcut(ptr); 735 shortcut = assoc_array_ptr_to_shortcut(ptr);
739 smp_read_barrier_depends();
740 ptr = READ_ONCE(shortcut->next_node); 736 ptr = READ_ONCE(shortcut->next_node);
741 BUG_ON(!assoc_array_ptr_is_node(ptr)); 737 BUG_ON(!assoc_array_ptr_is_node(ptr));
742 } 738 }
@@ -744,7 +740,6 @@ descend_to_node:
744 740
745begin_node: 741begin_node:
746 kdebug("begin_node"); 742 kdebug("begin_node");
747 smp_read_barrier_depends();
748 slot = 0; 743 slot = 0;
749ascend_to_node: 744ascend_to_node:
750 /* Go through the slots in a node */ 745 /* Go through the slots in a node */
@@ -792,14 +787,12 @@ ascend_to_node:
792 787
793 if (ptr && assoc_array_ptr_is_shortcut(ptr)) { 788 if (ptr && assoc_array_ptr_is_shortcut(ptr)) {
794 shortcut = assoc_array_ptr_to_shortcut(ptr); 789 shortcut = assoc_array_ptr_to_shortcut(ptr);
795 smp_read_barrier_depends();
796 ptr = READ_ONCE(shortcut->back_pointer); 790 ptr = READ_ONCE(shortcut->back_pointer);
797 slot = shortcut->parent_slot; 791 slot = shortcut->parent_slot;
798 } 792 }
799 if (!ptr) 793 if (!ptr)
800 goto not_this_keyring; 794 goto not_this_keyring;
801 node = assoc_array_ptr_to_node(ptr); 795 node = assoc_array_ptr_to_node(ptr);
802 smp_read_barrier_depends();
803 slot++; 796 slot++;
804 797
805 /* If we've ascended to the root (zero backpointer), we must have just 798 /* If we've ascended to the root (zero backpointer), we must have just
diff --git a/security/keys/trusted.c b/security/keys/trusted.c
index 98aa89ff7bfd..423776682025 100644
--- a/security/keys/trusted.c
+++ b/security/keys/trusted.c
@@ -355,13 +355,12 @@ out:
355 * For key specific tpm requests, we will generate and send our 355 * For key specific tpm requests, we will generate and send our
356 * own TPM command packets using the drivers send function. 356 * own TPM command packets using the drivers send function.
357 */ 357 */
358static int trusted_tpm_send(const u32 chip_num, unsigned char *cmd, 358static int trusted_tpm_send(unsigned char *cmd, size_t buflen)
359 size_t buflen)
360{ 359{
361 int rc; 360 int rc;
362 361
363 dump_tpm_buf(cmd); 362 dump_tpm_buf(cmd);
364 rc = tpm_send(chip_num, cmd, buflen); 363 rc = tpm_send(NULL, cmd, buflen);
365 dump_tpm_buf(cmd); 364 dump_tpm_buf(cmd);
366 if (rc > 0) 365 if (rc > 0)
367 /* Can't return positive return codes values to keyctl */ 366 /* Can't return positive return codes values to keyctl */
@@ -382,10 +381,10 @@ static int pcrlock(const int pcrnum)
382 381
383 if (!capable(CAP_SYS_ADMIN)) 382 if (!capable(CAP_SYS_ADMIN))
384 return -EPERM; 383 return -EPERM;
385 ret = tpm_get_random(TPM_ANY_NUM, hash, SHA1_DIGEST_SIZE); 384 ret = tpm_get_random(NULL, hash, SHA1_DIGEST_SIZE);
386 if (ret != SHA1_DIGEST_SIZE) 385 if (ret != SHA1_DIGEST_SIZE)
387 return ret; 386 return ret;
388 return tpm_pcr_extend(TPM_ANY_NUM, pcrnum, hash) ? -EINVAL : 0; 387 return tpm_pcr_extend(NULL, pcrnum, hash) ? -EINVAL : 0;
389} 388}
390 389
391/* 390/*
@@ -398,7 +397,7 @@ static int osap(struct tpm_buf *tb, struct osapsess *s,
398 unsigned char ononce[TPM_NONCE_SIZE]; 397 unsigned char ononce[TPM_NONCE_SIZE];
399 int ret; 398 int ret;
400 399
401 ret = tpm_get_random(TPM_ANY_NUM, ononce, TPM_NONCE_SIZE); 400 ret = tpm_get_random(NULL, ononce, TPM_NONCE_SIZE);
402 if (ret != TPM_NONCE_SIZE) 401 if (ret != TPM_NONCE_SIZE)
403 return ret; 402 return ret;
404 403
@@ -410,7 +409,7 @@ static int osap(struct tpm_buf *tb, struct osapsess *s,
410 store32(tb, handle); 409 store32(tb, handle);
411 storebytes(tb, ononce, TPM_NONCE_SIZE); 410 storebytes(tb, ononce, TPM_NONCE_SIZE);
412 411
413 ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, MAX_BUF_SIZE); 412 ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE);
414 if (ret < 0) 413 if (ret < 0)
415 return ret; 414 return ret;
416 415
@@ -434,7 +433,7 @@ static int oiap(struct tpm_buf *tb, uint32_t *handle, unsigned char *nonce)
434 store16(tb, TPM_TAG_RQU_COMMAND); 433 store16(tb, TPM_TAG_RQU_COMMAND);
435 store32(tb, TPM_OIAP_SIZE); 434 store32(tb, TPM_OIAP_SIZE);
436 store32(tb, TPM_ORD_OIAP); 435 store32(tb, TPM_ORD_OIAP);
437 ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, MAX_BUF_SIZE); 436 ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE);
438 if (ret < 0) 437 if (ret < 0)
439 return ret; 438 return ret;
440 439
@@ -493,7 +492,7 @@ static int tpm_seal(struct tpm_buf *tb, uint16_t keytype,
493 if (ret < 0) 492 if (ret < 0)
494 goto out; 493 goto out;
495 494
496 ret = tpm_get_random(TPM_ANY_NUM, td->nonceodd, TPM_NONCE_SIZE); 495 ret = tpm_get_random(NULL, td->nonceodd, TPM_NONCE_SIZE);
497 if (ret != TPM_NONCE_SIZE) 496 if (ret != TPM_NONCE_SIZE)
498 goto out; 497 goto out;
499 ordinal = htonl(TPM_ORD_SEAL); 498 ordinal = htonl(TPM_ORD_SEAL);
@@ -542,7 +541,7 @@ static int tpm_seal(struct tpm_buf *tb, uint16_t keytype,
542 store8(tb, cont); 541 store8(tb, cont);
543 storebytes(tb, td->pubauth, SHA1_DIGEST_SIZE); 542 storebytes(tb, td->pubauth, SHA1_DIGEST_SIZE);
544 543
545 ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, MAX_BUF_SIZE); 544 ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE);
546 if (ret < 0) 545 if (ret < 0)
547 goto out; 546 goto out;
548 547
@@ -603,7 +602,7 @@ static int tpm_unseal(struct tpm_buf *tb,
603 602
604 ordinal = htonl(TPM_ORD_UNSEAL); 603 ordinal = htonl(TPM_ORD_UNSEAL);
605 keyhndl = htonl(SRKHANDLE); 604 keyhndl = htonl(SRKHANDLE);
606 ret = tpm_get_random(TPM_ANY_NUM, nonceodd, TPM_NONCE_SIZE); 605 ret = tpm_get_random(NULL, nonceodd, TPM_NONCE_SIZE);
607 if (ret != TPM_NONCE_SIZE) { 606 if (ret != TPM_NONCE_SIZE) {
608 pr_info("trusted_key: tpm_get_random failed (%d)\n", ret); 607 pr_info("trusted_key: tpm_get_random failed (%d)\n", ret);
609 return ret; 608 return ret;
@@ -635,7 +634,7 @@ static int tpm_unseal(struct tpm_buf *tb,
635 store8(tb, cont); 634 store8(tb, cont);
636 storebytes(tb, authdata2, SHA1_DIGEST_SIZE); 635 storebytes(tb, authdata2, SHA1_DIGEST_SIZE);
637 636
638 ret = trusted_tpm_send(TPM_ANY_NUM, tb->data, MAX_BUF_SIZE); 637 ret = trusted_tpm_send(tb->data, MAX_BUF_SIZE);
639 if (ret < 0) { 638 if (ret < 0) {
640 pr_info("trusted_key: authhmac failed (%d)\n", ret); 639 pr_info("trusted_key: authhmac failed (%d)\n", ret);
641 return ret; 640 return ret;
@@ -748,7 +747,7 @@ static int getoptions(char *c, struct trusted_key_payload *pay,
748 int i; 747 int i;
749 int tpm2; 748 int tpm2;
750 749
751 tpm2 = tpm_is_tpm2(TPM_ANY_NUM); 750 tpm2 = tpm_is_tpm2(NULL);
752 if (tpm2 < 0) 751 if (tpm2 < 0)
753 return tpm2; 752 return tpm2;
754 753
@@ -917,7 +916,7 @@ static struct trusted_key_options *trusted_options_alloc(void)
917 struct trusted_key_options *options; 916 struct trusted_key_options *options;
918 int tpm2; 917 int tpm2;
919 918
920 tpm2 = tpm_is_tpm2(TPM_ANY_NUM); 919 tpm2 = tpm_is_tpm2(NULL);
921 if (tpm2 < 0) 920 if (tpm2 < 0)
922 return NULL; 921 return NULL;
923 922
@@ -967,7 +966,7 @@ static int trusted_instantiate(struct key *key,
967 size_t key_len; 966 size_t key_len;
968 int tpm2; 967 int tpm2;
969 968
970 tpm2 = tpm_is_tpm2(TPM_ANY_NUM); 969 tpm2 = tpm_is_tpm2(NULL);
971 if (tpm2 < 0) 970 if (tpm2 < 0)
972 return tpm2; 971 return tpm2;
973 972
@@ -1008,7 +1007,7 @@ static int trusted_instantiate(struct key *key,
1008 switch (key_cmd) { 1007 switch (key_cmd) {
1009 case Opt_load: 1008 case Opt_load:
1010 if (tpm2) 1009 if (tpm2)
1011 ret = tpm_unseal_trusted(TPM_ANY_NUM, payload, options); 1010 ret = tpm_unseal_trusted(NULL, payload, options);
1012 else 1011 else
1013 ret = key_unseal(payload, options); 1012 ret = key_unseal(payload, options);
1014 dump_payload(payload); 1013 dump_payload(payload);
@@ -1018,13 +1017,13 @@ static int trusted_instantiate(struct key *key,
1018 break; 1017 break;
1019 case Opt_new: 1018 case Opt_new:
1020 key_len = payload->key_len; 1019 key_len = payload->key_len;
1021 ret = tpm_get_random(TPM_ANY_NUM, payload->key, key_len); 1020 ret = tpm_get_random(NULL, payload->key, key_len);
1022 if (ret != key_len) { 1021 if (ret != key_len) {
1023 pr_info("trusted_key: key_create failed (%d)\n", ret); 1022 pr_info("trusted_key: key_create failed (%d)\n", ret);
1024 goto out; 1023 goto out;
1025 } 1024 }
1026 if (tpm2) 1025 if (tpm2)
1027 ret = tpm_seal_trusted(TPM_ANY_NUM, payload, options); 1026 ret = tpm_seal_trusted(NULL, payload, options);
1028 else 1027 else
1029 ret = key_seal(payload, options); 1028 ret = key_seal(payload, options);
1030 if (ret < 0) 1029 if (ret < 0)
diff --git a/security/selinux/include/netlabel.h b/security/selinux/include/netlabel.h
index 75686d53df07..e77a5e307955 100644
--- a/security/selinux/include/netlabel.h
+++ b/security/selinux/include/netlabel.h
@@ -19,8 +19,7 @@
19 * the GNU General Public License for more details. 19 * the GNU General Public License for more details.
20 * 20 *
21 * You should have received a copy of the GNU General Public License 21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software 22 * along with this program. If not, see <http://www.gnu.org/licenses/>.
23 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
24 * 23 *
25 */ 24 */
26 25
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index aaba6677ee2e..2c297b995b16 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -22,8 +22,7 @@
22 * the GNU General Public License for more details. 22 * the GNU General Public License for more details.
23 * 23 *
24 * You should have received a copy of the GNU General Public License 24 * You should have received a copy of the GNU General Public License
25 * along with this program; if not, write to the Free Software 25 * along with this program. If not, see <http://www.gnu.org/licenses/>.
26 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
27 * 26 *
28 */ 27 */
29 28
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 33cfe5d3d6cb..8900ea5cbabf 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -867,6 +867,9 @@ int security_bounded_transition(u32 old_sid, u32 new_sid)
867 int index; 867 int index;
868 int rc; 868 int rc;
869 869
870 if (!ss_initialized)
871 return 0;
872
870 read_lock(&policy_rwlock); 873 read_lock(&policy_rwlock);
871 874
872 rc = -EINVAL; 875 rc = -EINVAL;
@@ -1413,27 +1416,25 @@ static int security_context_to_sid_core(const char *scontext, u32 scontext_len,
1413 if (!scontext_len) 1416 if (!scontext_len)
1414 return -EINVAL; 1417 return -EINVAL;
1415 1418
1419 /* Copy the string to allow changes and ensure a NUL terminator */
1420 scontext2 = kmemdup_nul(scontext, scontext_len, gfp_flags);
1421 if (!scontext2)
1422 return -ENOMEM;
1423
1416 if (!ss_initialized) { 1424 if (!ss_initialized) {
1417 int i; 1425 int i;
1418 1426
1419 for (i = 1; i < SECINITSID_NUM; i++) { 1427 for (i = 1; i < SECINITSID_NUM; i++) {
1420 if (!strcmp(initial_sid_to_string[i], scontext)) { 1428 if (!strcmp(initial_sid_to_string[i], scontext2)) {
1421 *sid = i; 1429 *sid = i;
1422 return 0; 1430 goto out;
1423 } 1431 }
1424 } 1432 }
1425 *sid = SECINITSID_KERNEL; 1433 *sid = SECINITSID_KERNEL;
1426 return 0; 1434 goto out;
1427 } 1435 }
1428 *sid = SECSID_NULL; 1436 *sid = SECSID_NULL;
1429 1437
1430 /* Copy the string so that we can modify the copy as we parse it. */
1431 scontext2 = kmalloc(scontext_len + 1, gfp_flags);
1432 if (!scontext2)
1433 return -ENOMEM;
1434 memcpy(scontext2, scontext, scontext_len);
1435 scontext2[scontext_len] = 0;
1436
1437 if (force) { 1438 if (force) {
1438 /* Save another copy for storing in uninterpreted form */ 1439 /* Save another copy for storing in uninterpreted form */
1439 rc = -ENOMEM; 1440 rc = -ENOMEM;
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index 56e354fcdfc6..928188902901 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -452,7 +452,7 @@ int selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb,
452 if (dst) { 452 if (dst) {
453 struct dst_entry *iter; 453 struct dst_entry *iter;
454 454
455 for (iter = dst; iter != NULL; iter = iter->child) { 455 for (iter = dst; iter != NULL; iter = xfrm_dst_child(iter)) {
456 struct xfrm_state *x = iter->xfrm; 456 struct xfrm_state *x = iter->xfrm;
457 457
458 if (x && selinux_authorizable_xfrm(x)) 458 if (x && selinux_authorizable_xfrm(x))
diff --git a/security/smack/smack.h b/security/smack/smack.h
index 6a71fc7831ab..f7db791fb566 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -321,6 +321,7 @@ struct smack_known *smk_import_entry(const char *, int);
321void smk_insert_entry(struct smack_known *skp); 321void smk_insert_entry(struct smack_known *skp);
322struct smack_known *smk_find_entry(const char *); 322struct smack_known *smk_find_entry(const char *);
323bool smack_privileged(int cap); 323bool smack_privileged(int cap);
324bool smack_privileged_cred(int cap, const struct cred *cred);
324void smk_destroy_label_list(struct list_head *list); 325void smk_destroy_label_list(struct list_head *list);
325 326
326/* 327/*
diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
index 1a3004189447..9a4c0ad46518 100644
--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -623,26 +623,24 @@ struct smack_known *smack_from_secid(const u32 secid)
623LIST_HEAD(smack_onlycap_list); 623LIST_HEAD(smack_onlycap_list);
624DEFINE_MUTEX(smack_onlycap_lock); 624DEFINE_MUTEX(smack_onlycap_lock);
625 625
626/* 626/**
627 * smack_privileged_cred - are all privilege requirements met by cred
628 * @cap: The requested capability
629 * @cred: the credential to use
630 *
627 * Is the task privileged and allowed to be privileged 631 * Is the task privileged and allowed to be privileged
628 * by the onlycap rule. 632 * by the onlycap rule.
629 * 633 *
630 * Returns true if the task is allowed to be privileged, false if it's not. 634 * Returns true if the task is allowed to be privileged, false if it's not.
631 */ 635 */
632bool smack_privileged(int cap) 636bool smack_privileged_cred(int cap, const struct cred *cred)
633{ 637{
634 struct smack_known *skp = smk_of_current(); 638 struct task_smack *tsp = cred->security;
639 struct smack_known *skp = tsp->smk_task;
635 struct smack_known_list_elem *sklep; 640 struct smack_known_list_elem *sklep;
636 int rc; 641 int rc;
637 642
638 /* 643 rc = cap_capable(cred, &init_user_ns, cap, SECURITY_CAP_AUDIT);
639 * All kernel tasks are privileged
640 */
641 if (unlikely(current->flags & PF_KTHREAD))
642 return true;
643
644 rc = cap_capable(current_cred(), &init_user_ns, cap,
645 SECURITY_CAP_AUDIT);
646 if (rc) 644 if (rc)
647 return false; 645 return false;
648 646
@@ -662,3 +660,23 @@ bool smack_privileged(int cap)
662 660
663 return false; 661 return false;
664} 662}
663
664/**
665 * smack_privileged - are all privilege requirements met
666 * @cap: The requested capability
667 *
668 * Is the task privileged and allowed to be privileged
669 * by the onlycap rule.
670 *
671 * Returns true if the task is allowed to be privileged, false if it's not.
672 */
673bool smack_privileged(int cap)
674{
675 /*
676 * All kernel tasks are privileged
677 */
678 if (unlikely(current->flags & PF_KTHREAD))
679 return true;
680
681 return smack_privileged_cred(cap, current_cred());
682}
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 14cc7940b36d..03fdecba93bb 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -2866,12 +2866,16 @@ static int smack_socket_connect(struct socket *sock, struct sockaddr *sap,
2866#endif 2866#endif
2867#ifdef SMACK_IPV6_SECMARK_LABELING 2867#ifdef SMACK_IPV6_SECMARK_LABELING
2868 struct smack_known *rsp; 2868 struct smack_known *rsp;
2869 struct socket_smack *ssp = sock->sk->sk_security; 2869 struct socket_smack *ssp;
2870#endif 2870#endif
2871 2871
2872 if (sock->sk == NULL) 2872 if (sock->sk == NULL)
2873 return 0; 2873 return 0;
2874 2874
2875#ifdef SMACK_IPV6_SECMARK_LABELING
2876 ssp = sock->sk->sk_security;
2877#endif
2878
2875 switch (sock->sk->sk_family) { 2879 switch (sock->sk->sk_family) {
2876 case PF_INET: 2880 case PF_INET:
2877 if (addrlen < sizeof(struct sockaddr_in)) 2881 if (addrlen < sizeof(struct sockaddr_in))
@@ -4365,6 +4369,10 @@ static int smack_key_permission(key_ref_t key_ref,
4365 */ 4369 */
4366 if (tkp == NULL) 4370 if (tkp == NULL)
4367 return -EACCES; 4371 return -EACCES;
4372
4373 if (smack_privileged_cred(CAP_MAC_OVERRIDE, cred))
4374 return 0;
4375
4368#ifdef CONFIG_AUDIT 4376#ifdef CONFIG_AUDIT
4369 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); 4377 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY);
4370 ad.a.u.key_struct.key = keyp->serial; 4378 ad.a.u.key_struct.key = keyp->serial;
diff --git a/security/tomoyo/audit.c b/security/tomoyo/audit.c
index 0f73fe30e37a..479b03a7a17e 100644
--- a/security/tomoyo/audit.c
+++ b/security/tomoyo/audit.c
@@ -456,14 +456,14 @@ void tomoyo_read_log(struct tomoyo_io_buffer *head)
456 * @file: Pointer to "struct file". 456 * @file: Pointer to "struct file".
457 * @wait: Pointer to "poll_table". Maybe NULL. 457 * @wait: Pointer to "poll_table". Maybe NULL.
458 * 458 *
459 * Returns POLLIN | POLLRDNORM when ready to read an audit log. 459 * Returns EPOLLIN | EPOLLRDNORM when ready to read an audit log.
460 */ 460 */
461unsigned int tomoyo_poll_log(struct file *file, poll_table *wait) 461__poll_t tomoyo_poll_log(struct file *file, poll_table *wait)
462{ 462{
463 if (tomoyo_log_count) 463 if (tomoyo_log_count)
464 return POLLIN | POLLRDNORM; 464 return EPOLLIN | EPOLLRDNORM;
465 poll_wait(file, &tomoyo_log_wait, wait); 465 poll_wait(file, &tomoyo_log_wait, wait);
466 if (tomoyo_log_count) 466 if (tomoyo_log_count)
467 return POLLIN | POLLRDNORM; 467 return EPOLLIN | EPOLLRDNORM;
468 return 0; 468 return 0;
469} 469}
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c
index 25eed4b0b0e8..03923a138ef5 100644
--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -2116,17 +2116,17 @@ static struct tomoyo_domain_info *tomoyo_find_domain_by_qid
2116 * @file: Pointer to "struct file". 2116 * @file: Pointer to "struct file".
2117 * @wait: Pointer to "poll_table". 2117 * @wait: Pointer to "poll_table".
2118 * 2118 *
2119 * Returns POLLIN | POLLRDNORM when ready to read, 0 otherwise. 2119 * Returns EPOLLIN | EPOLLRDNORM when ready to read, 0 otherwise.
2120 * 2120 *
2121 * Waits for access requests which violated policy in enforcing mode. 2121 * Waits for access requests which violated policy in enforcing mode.
2122 */ 2122 */
2123static unsigned int tomoyo_poll_query(struct file *file, poll_table *wait) 2123static __poll_t tomoyo_poll_query(struct file *file, poll_table *wait)
2124{ 2124{
2125 if (!list_empty(&tomoyo_query_list)) 2125 if (!list_empty(&tomoyo_query_list))
2126 return POLLIN | POLLRDNORM; 2126 return EPOLLIN | EPOLLRDNORM;
2127 poll_wait(file, &tomoyo_query_wait, wait); 2127 poll_wait(file, &tomoyo_query_wait, wait);
2128 if (!list_empty(&tomoyo_query_list)) 2128 if (!list_empty(&tomoyo_query_list))
2129 return POLLIN | POLLRDNORM; 2129 return EPOLLIN | EPOLLRDNORM;
2130 return 0; 2130 return 0;
2131} 2131}
2132 2132
@@ -2450,15 +2450,15 @@ int tomoyo_open_control(const u8 type, struct file *file)
2450 * @file: Pointer to "struct file". 2450 * @file: Pointer to "struct file".
2451 * @wait: Pointer to "poll_table". Maybe NULL. 2451 * @wait: Pointer to "poll_table". Maybe NULL.
2452 * 2452 *
2453 * Returns POLLIN | POLLRDNORM | POLLOUT | POLLWRNORM if ready to read/write, 2453 * Returns EPOLLIN | EPOLLRDNORM | EPOLLOUT | EPOLLWRNORM if ready to read/write,
2454 * POLLOUT | POLLWRNORM otherwise. 2454 * EPOLLOUT | EPOLLWRNORM otherwise.
2455 */ 2455 */
2456unsigned int tomoyo_poll_control(struct file *file, poll_table *wait) 2456__poll_t tomoyo_poll_control(struct file *file, poll_table *wait)
2457{ 2457{
2458 struct tomoyo_io_buffer *head = file->private_data; 2458 struct tomoyo_io_buffer *head = file->private_data;
2459 if (head->poll) 2459 if (head->poll)
2460 return head->poll(file, wait) | POLLOUT | POLLWRNORM; 2460 return head->poll(file, wait) | EPOLLOUT | EPOLLWRNORM;
2461 return POLLIN | POLLRDNORM | POLLOUT | POLLWRNORM; 2461 return EPOLLIN | EPOLLRDNORM | EPOLLOUT | EPOLLWRNORM;
2462} 2462}
2463 2463
2464/** 2464/**
diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h
index 7adccdd8e36d..539bcdd30bb8 100644
--- a/security/tomoyo/common.h
+++ b/security/tomoyo/common.h
@@ -789,7 +789,7 @@ struct tomoyo_acl_param {
789struct tomoyo_io_buffer { 789struct tomoyo_io_buffer {
790 void (*read) (struct tomoyo_io_buffer *); 790 void (*read) (struct tomoyo_io_buffer *);
791 int (*write) (struct tomoyo_io_buffer *); 791 int (*write) (struct tomoyo_io_buffer *);
792 unsigned int (*poll) (struct file *file, poll_table *wait); 792 __poll_t (*poll) (struct file *file, poll_table *wait);
793 /* Exclusive lock for this structure. */ 793 /* Exclusive lock for this structure. */
794 struct mutex io_sem; 794 struct mutex io_sem;
795 char __user *read_user_buf; 795 char __user *read_user_buf;
@@ -981,8 +981,8 @@ int tomoyo_path_number_perm(const u8 operation, const struct path *path,
981 unsigned long number); 981 unsigned long number);
982int tomoyo_path_perm(const u8 operation, const struct path *path, 982int tomoyo_path_perm(const u8 operation, const struct path *path,
983 const char *target); 983 const char *target);
984unsigned int tomoyo_poll_control(struct file *file, poll_table *wait); 984__poll_t tomoyo_poll_control(struct file *file, poll_table *wait);
985unsigned int tomoyo_poll_log(struct file *file, poll_table *wait); 985__poll_t tomoyo_poll_log(struct file *file, poll_table *wait);
986int tomoyo_socket_bind_permission(struct socket *sock, struct sockaddr *addr, 986int tomoyo_socket_bind_permission(struct socket *sock, struct sockaddr *addr,
987 int addr_len); 987 int addr_len);
988int tomoyo_socket_connect_permission(struct socket *sock, 988int tomoyo_socket_connect_permission(struct socket *sock,
diff --git a/security/tomoyo/securityfs_if.c b/security/tomoyo/securityfs_if.c
index 49393c2a3f8b..1d3d7e7a1f05 100644
--- a/security/tomoyo/securityfs_if.c
+++ b/security/tomoyo/securityfs_if.c
@@ -154,10 +154,10 @@ static int tomoyo_release(struct inode *inode, struct file *file)
154 * @file: Pointer to "struct file". 154 * @file: Pointer to "struct file".
155 * @wait: Pointer to "poll_table". Maybe NULL. 155 * @wait: Pointer to "poll_table". Maybe NULL.
156 * 156 *
157 * Returns POLLIN | POLLRDNORM | POLLOUT | POLLWRNORM if ready to read/write, 157 * Returns EPOLLIN | EPOLLRDNORM | EPOLLOUT | EPOLLWRNORM if ready to read/write,
158 * POLLOUT | POLLWRNORM otherwise. 158 * EPOLLOUT | EPOLLWRNORM otherwise.
159 */ 159 */
160static unsigned int tomoyo_poll(struct file *file, poll_table *wait) 160static __poll_t tomoyo_poll(struct file *file, poll_table *wait)
161{ 161{
162 return tomoyo_poll_control(file, wait); 162 return tomoyo_poll_control(file, wait);
163} 163}
diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
index 8298e094f4f7..ffda91a4a1aa 100644
--- a/security/yama/yama_lsm.c
+++ b/security/yama/yama_lsm.c
@@ -250,15 +250,10 @@ int yama_task_prctl(int option, unsigned long arg2, unsigned long arg3,
250 } else { 250 } else {
251 struct task_struct *tracer; 251 struct task_struct *tracer;
252 252
253 rcu_read_lock(); 253 tracer = find_get_task_by_vpid(arg2);
254 tracer = find_task_by_vpid(arg2); 254 if (!tracer) {
255 if (tracer)
256 get_task_struct(tracer);
257 else
258 rc = -EINVAL; 255 rc = -EINVAL;
259 rcu_read_unlock(); 256 } else {
260
261 if (tracer) {
262 rc = yama_ptracer_add(tracer, myself); 257 rc = yama_ptracer_add(tracer, myself);
263 put_task_struct(tracer); 258 put_task_struct(tracer);
264 } 259 }
generated by cgit v1.2.2 (git 2.25.0) at 2026-01-08 07:43:22 -0500