diff options
author | Linus Torvalds <torvalds@linux-foundation.org> | 2014-06-10 13:05:36 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2014-06-10 13:05:36 -0400 |
commit | fad0701eaa091beb8ce5ef2eef04b5e833617368 (patch) | |
tree | 788297c7b05b167599265013ef8ec473a0d367fe /security/integrity | |
parent | d53b47c08d8fda1892f47393de8eeab4e34b3188 (diff) | |
parent | f9b2a735bdddf836214b5dca74f6ca7712e5a08c (diff) |
Merge branch 'serge-next-1' of git://git.kernel.org/pub/scm/linux/kernel/git/sergeh/linux-security
Pull security layer updates from Serge Hallyn:
"This is a merge of James Morris' security-next tree from 3.14 to
yesterday's master, plus four patches from Paul Moore which are in
linux-next, plus one patch from Mimi"
* 'serge-next-1' of git://git.kernel.org/pub/scm/linux/kernel/git/sergeh/linux-security:
ima: audit log files opened with O_DIRECT flag
selinux: conditionally reschedule in hashtab_insert while loading selinux policy
selinux: conditionally reschedule in mls_convert_context while loading selinux policy
selinux: reject setexeccon() on MNT_NOSUID applications with -EACCES
selinux: Report permissive mode in avc: denied messages.
Warning in scanf string typing
Smack: Label cgroup files for systemd
Smack: Verify read access on file open - v3
security: Convert use of typedef ctl_table to struct ctl_table
Smack: bidirectional UDS connect check
Smack: Correctly remove SMACK64TRANSMUTE attribute
SMACK: Fix handling value==NULL in post setxattr
bugfix patch for SMACK
Smack: adds smackfs/ptrace interface
Smack: unify all ptrace accesses in the smack
Smack: fix the subject/object order in smack_ptrace_traceme()
Minor improvement of 'smack_sb_kern_mount'
smack: fix key permission verification
KEYS: Move the flags representing required permission to linux/key.h
Diffstat (limited to 'security/integrity')
-rw-r--r-- | security/integrity/ima/ima_api.c | 10 | ||||
-rw-r--r-- | security/integrity/ima/ima_main.c | 5 | ||||
-rw-r--r-- | security/integrity/ima/ima_policy.c | 6 | ||||
-rw-r--r-- | security/integrity/integrity.h | 1 |
4 files changed, 19 insertions, 3 deletions
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index ba9e4d792dd5..d9cd5ce14d2b 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c | |||
@@ -199,6 +199,7 @@ int ima_collect_measurement(struct integrity_iint_cache *iint, | |||
199 | struct evm_ima_xattr_data **xattr_value, | 199 | struct evm_ima_xattr_data **xattr_value, |
200 | int *xattr_len) | 200 | int *xattr_len) |
201 | { | 201 | { |
202 | const char *audit_cause = "failed"; | ||
202 | struct inode *inode = file_inode(file); | 203 | struct inode *inode = file_inode(file); |
203 | const char *filename = file->f_dentry->d_name.name; | 204 | const char *filename = file->f_dentry->d_name.name; |
204 | int result = 0; | 205 | int result = 0; |
@@ -213,6 +214,12 @@ int ima_collect_measurement(struct integrity_iint_cache *iint, | |||
213 | if (!(iint->flags & IMA_COLLECTED)) { | 214 | if (!(iint->flags & IMA_COLLECTED)) { |
214 | u64 i_version = file_inode(file)->i_version; | 215 | u64 i_version = file_inode(file)->i_version; |
215 | 216 | ||
217 | if (file->f_flags & O_DIRECT) { | ||
218 | audit_cause = "failed(directio)"; | ||
219 | result = -EACCES; | ||
220 | goto out; | ||
221 | } | ||
222 | |||
216 | /* use default hash algorithm */ | 223 | /* use default hash algorithm */ |
217 | hash.hdr.algo = ima_hash_algo; | 224 | hash.hdr.algo = ima_hash_algo; |
218 | 225 | ||
@@ -233,9 +240,10 @@ int ima_collect_measurement(struct integrity_iint_cache *iint, | |||
233 | result = -ENOMEM; | 240 | result = -ENOMEM; |
234 | } | 241 | } |
235 | } | 242 | } |
243 | out: | ||
236 | if (result) | 244 | if (result) |
237 | integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, | 245 | integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, |
238 | filename, "collect_data", "failed", | 246 | filename, "collect_data", audit_cause, |
239 | result, 0); | 247 | result, 0); |
240 | return result; | 248 | return result; |
241 | } | 249 | } |
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 52ac6cf41f88..dcc98cf542d8 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c | |||
@@ -214,8 +214,11 @@ static int process_measurement(struct file *file, const char *filename, | |||
214 | xattr_ptr = &xattr_value; | 214 | xattr_ptr = &xattr_value; |
215 | 215 | ||
216 | rc = ima_collect_measurement(iint, file, xattr_ptr, &xattr_len); | 216 | rc = ima_collect_measurement(iint, file, xattr_ptr, &xattr_len); |
217 | if (rc != 0) | 217 | if (rc != 0) { |
218 | if (file->f_flags & O_DIRECT) | ||
219 | rc = (iint->flags & IMA_PERMIT_DIRECTIO) ? 0 : -EACCES; | ||
218 | goto out_digsig; | 220 | goto out_digsig; |
221 | } | ||
219 | 222 | ||
220 | pathname = filename ?: ima_d_path(&file->f_path, &pathbuf); | 223 | pathname = filename ?: ima_d_path(&file->f_path, &pathbuf); |
221 | 224 | ||
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 93873a450ff7..40a7488f6721 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c | |||
@@ -353,7 +353,7 @@ enum { | |||
353 | Opt_obj_user, Opt_obj_role, Opt_obj_type, | 353 | Opt_obj_user, Opt_obj_role, Opt_obj_type, |
354 | Opt_subj_user, Opt_subj_role, Opt_subj_type, | 354 | Opt_subj_user, Opt_subj_role, Opt_subj_type, |
355 | Opt_func, Opt_mask, Opt_fsmagic, Opt_uid, Opt_fowner, | 355 | Opt_func, Opt_mask, Opt_fsmagic, Opt_uid, Opt_fowner, |
356 | Opt_appraise_type, Opt_fsuuid | 356 | Opt_appraise_type, Opt_fsuuid, Opt_permit_directio |
357 | }; | 357 | }; |
358 | 358 | ||
359 | static match_table_t policy_tokens = { | 359 | static match_table_t policy_tokens = { |
@@ -375,6 +375,7 @@ static match_table_t policy_tokens = { | |||
375 | {Opt_uid, "uid=%s"}, | 375 | {Opt_uid, "uid=%s"}, |
376 | {Opt_fowner, "fowner=%s"}, | 376 | {Opt_fowner, "fowner=%s"}, |
377 | {Opt_appraise_type, "appraise_type=%s"}, | 377 | {Opt_appraise_type, "appraise_type=%s"}, |
378 | {Opt_permit_directio, "permit_directio"}, | ||
378 | {Opt_err, NULL} | 379 | {Opt_err, NULL} |
379 | }; | 380 | }; |
380 | 381 | ||
@@ -622,6 +623,9 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) | |||
622 | else | 623 | else |
623 | result = -EINVAL; | 624 | result = -EINVAL; |
624 | break; | 625 | break; |
626 | case Opt_permit_directio: | ||
627 | entry->flags |= IMA_PERMIT_DIRECTIO; | ||
628 | break; | ||
625 | case Opt_err: | 629 | case Opt_err: |
626 | ima_log_string(ab, "UNKNOWN", p); | 630 | ima_log_string(ab, "UNKNOWN", p); |
627 | result = -EINVAL; | 631 | result = -EINVAL; |
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 2fb5e53e927f..33c0a70f6b15 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h | |||
@@ -30,6 +30,7 @@ | |||
30 | #define IMA_ACTION_FLAGS 0xff000000 | 30 | #define IMA_ACTION_FLAGS 0xff000000 |
31 | #define IMA_DIGSIG 0x01000000 | 31 | #define IMA_DIGSIG 0x01000000 |
32 | #define IMA_DIGSIG_REQUIRED 0x02000000 | 32 | #define IMA_DIGSIG_REQUIRED 0x02000000 |
33 | #define IMA_PERMIT_DIRECTIO 0x04000000 | ||
33 | 34 | ||
34 | #define IMA_DO_MASK (IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \ | 35 | #define IMA_DO_MASK (IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \ |
35 | IMA_APPRAISE_SUBMASK) | 36 | IMA_APPRAISE_SUBMASK) |