Sync with the changes pushed by Serge in the last merge window.

author: James Morris <james.l.morris@oracle.com> 2014-07-16 12:10:27 -0400
committer: James Morris <james.l.morris@oracle.com> 2014-07-16 12:10:27 -0400
commit: bd89bb78f35fd175db7a9cfc504d789b6ca0f7b0 (patch)
tree: dee9f8b31f3d6d2fb141541da88e1cc1329b017e /security
parent: f01387d2693813eb5271a3448e6a082322c7d75d (diff)
parent: 1795cd9b3a91d4b5473c97f491d63892442212ab (diff)
12 files changed, 147 insertions, 52 deletions
diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index 9134dbf70d3e..d9d69e6930ed 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -182,7 +182,7 @@ static inline bool is_devcg_online(const struct dev_cgroup *devcg)
 static int devcgroup_online(struct cgroup_subsys_state *css)
 {
        struct dev_cgroup *dev_cgroup = css_to_devcgroup(css);
-        struct dev_cgroup *parent_dev_cgroup = css_to_devcgroup(css_parent(css));
+        struct dev_cgroup *parent_dev_cgroup = css_to_devcgroup(css->parent);
        int ret = 0;
        mutex_lock(&devcgroup_mutex);
@@ -455,7 +455,7 @@ static bool verify_new_ex(struct dev_cgroup *dev_cgroup,
 static int parent_has_perm(struct dev_cgroup *childcg,
                                  struct dev_exception_item *ex)
 {
-        struct dev_cgroup *parent = css_to_devcgroup(css_parent(&childcg->css));
+        struct dev_cgroup *parent = css_to_devcgroup(childcg->css.parent);
        if (!parent)
                return 1;
@@ -476,7 +476,7 @@ static int parent_has_perm(struct dev_cgroup *childcg,
 static bool parent_allows_removal(struct dev_cgroup *childcg,
                                  struct dev_exception_item *ex)
 {
-        struct dev_cgroup *parent = css_to_devcgroup(css_parent(&childcg->css));
+        struct dev_cgroup *parent = css_to_devcgroup(childcg->css.parent);
        if (!parent)
                return true;
@@ -587,13 +587,6 @@ static int propagate_exception(struct dev_cgroup *devcg_root,
        return rc;
 }
-static inline bool has_children(struct dev_cgroup *devcgroup)
-{
-        struct cgroup *cgrp = devcgroup->css.cgroup;
-        return !list_empty(&cgrp->children);
-}
 /*
 * Modify the exception list using allow/deny rules.
 * CAP_SYS_ADMIN is needed for this.  It's at least separate from CAP_MKNOD
@@ -614,7 +607,7 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
        char temp[12];          /* 11 + 1 characters needed for a u32 */
        int count, rc = 0;
        struct dev_exception_item ex;
-        struct dev_cgroup *parent = css_to_devcgroup(css_parent(&devcgroup->css));
+        struct dev_cgroup *parent = css_to_devcgroup(devcgroup->css.parent);
        if (!capable(CAP_SYS_ADMIN))
                return -EPERM;
@@ -626,7 +619,7 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
        case 'a':
                switch (filetype) {
                case DEVCG_ALLOW:
-                        if (has_children(devcgroup))
+                        if (css_has_online_children(&devcgroup->css))
                                return -EINVAL;
                        if (!may_allow_all(parent))
@@ -642,7 +635,7 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
                                return rc;
                        break;
                case DEVCG_DENY:
-                        if (has_children(devcgroup))
+                        if (css_has_online_children(&devcgroup->css))
                                return -EINVAL;
                        dev_exception_clean(devcgroup);
@@ -767,27 +760,27 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
        return rc;
 }
-static int devcgroup_access_write(struct cgroup_subsys_state *css,
+static ssize_t devcgroup_access_write(struct kernfs_open_file *of,
-                                  struct cftype *cft, char *buffer)
+                                      char *buf, size_t nbytes, loff_t off)
 {
        int retval;
        mutex_lock(&devcgroup_mutex);
-        retval = devcgroup_update_access(css_to_devcgroup(css),
+        retval = devcgroup_update_access(css_to_devcgroup(of_css(of)),
-                                         cft->private, buffer);
+                                         of_cft(of)->private, strstrip(buf));
        mutex_unlock(&devcgroup_mutex);
-        return retval;
+        return retval ?: nbytes;
 }
 static struct cftype dev_cgroup_files[] = {
        {
                .name = "allow",
-                .write_string  = devcgroup_access_write,
+                .write = devcgroup_access_write,
                .private = DEVCG_ALLOW,
        },
        {
                .name = "deny",
-                .write_string = devcgroup_access_write,
+                .write = devcgroup_access_write,
                .private = DEVCG_DENY,
        },
        {
diff --git a/security/integrity/evm/Kconfig b/security/integrity/evm/Kconfig
index d35b4915b00d..d606f3d12d6b 100644
--- a/security/integrity/evm/Kconfig
+++ b/security/integrity/evm/Kconfig
@@ -12,15 +12,41 @@ config EVM
          If you are unsure how to answer this question, answer N.
-config EVM_HMAC_VERSION
+if EVM
-        int "EVM HMAC version"
+menu "EVM options"
+config EVM_ATTR_FSUUID
+        bool "FSUUID (version 2)"
+        default y
        depends on EVM
-        default 2
        help
-          This options adds EVM HMAC version support.
+          Include filesystem UUID for HMAC calculation.
-          1 - original version
-          2 - add per filesystem unique identifier (UUID) (default)
+          Default value is 'selected', which is former version 2.
+          if 'not selected', it is former version 1
-          WARNING: changing the HMAC calculation method or adding 
+          WARNING: changing the HMAC calculation method or adding
          additional info to the calculation, requires existing EVM
-          labeled file systems to be relabeled.  
+          labeled file systems to be relabeled.
+config EVM_EXTRA_SMACK_XATTRS
+        bool "Additional SMACK xattrs"
+        depends on EVM && SECURITY_SMACK
+        default n
+        help
+          Include additional SMACK xattrs for HMAC calculation.
+          In addition to the original security xattrs (eg. security.selinux,
+          security.SMACK64, security.capability, and security.ima) included
+          in the HMAC calculation, enabling this option includes newly defined
+          Smack xattrs: security.SMACK64EXEC, security.SMACK64TRANSMUTE and
+          security.SMACK64MMAP.
+          WARNING: changing the HMAC calculation method or adding
+          additional info to the calculation, requires existing EVM
+          labeled file systems to be relabeled.
+endmenu
+endif
diff --git a/security/integrity/evm/evm.h b/security/integrity/evm/evm.h
index 37c88ddb3cfe..88bfe77efa1c 100644
--- a/security/integrity/evm/evm.h
+++ b/security/integrity/evm/evm.h
@@ -24,7 +24,10 @@
 extern int evm_initialized;
 extern char *evm_hmac;
 extern char *evm_hash;
-extern int evm_hmac_version;
+#define EVM_ATTR_FSUUID         0x0001
+extern int evm_hmac_attrs;
 extern struct crypto_shash *hmac_tfm;
 extern struct crypto_shash *hash_tfm;
diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c
index 6b540f1822e0..5e9687f02e1b 100644
--- a/security/integrity/evm/evm_crypto.c
+++ b/security/integrity/evm/evm_crypto.c
@@ -112,7 +112,7 @@ static void hmac_add_misc(struct shash_desc *desc, struct inode *inode,
        hmac_misc.gid = from_kgid(&init_user_ns, inode->i_gid);
        hmac_misc.mode = inode->i_mode;
        crypto_shash_update(desc, (const u8 *)&hmac_misc, sizeof(hmac_misc));
-        if (evm_hmac_version > 1)
+        if (evm_hmac_attrs & EVM_ATTR_FSUUID)
                crypto_shash_update(desc, inode->i_sb->s_uuid,
                                    sizeof(inode->i_sb->s_uuid));
        crypto_shash_final(desc, digest);
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 6e0bd933b6a9..3bcb80df4d01 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -32,7 +32,7 @@ static char *integrity_status_msg[] = {
 };
 char *evm_hmac = "hmac(sha1)";
 char *evm_hash = "sha1";
-int evm_hmac_version = CONFIG_EVM_HMAC_VERSION;
+int evm_hmac_attrs;
 char *evm_config_xattrnames[] = {
 #ifdef CONFIG_SECURITY_SELINUX
@@ -40,6 +40,11 @@ char *evm_config_xattrnames[] = {
 #endif
 #ifdef CONFIG_SECURITY_SMACK
        XATTR_NAME_SMACK,
+#ifdef CONFIG_EVM_EXTRA_SMACK_XATTRS
+        XATTR_NAME_SMACKEXEC,
+        XATTR_NAME_SMACKTRANSMUTE,
+        XATTR_NAME_SMACKMMAP,
+#endif
 #endif
 #ifdef CONFIG_IMA_APPRAISE
        XATTR_NAME_IMA,
@@ -57,6 +62,14 @@ static int __init evm_set_fixmode(char *str)
 }
 __setup("evm=", evm_set_fixmode);
+static void __init evm_init_config(void)
+{
+#ifdef CONFIG_EVM_ATTR_FSUUID
+        evm_hmac_attrs |= EVM_ATTR_FSUUID;
+#endif
+        pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs);
+}
 static int evm_find_protected_xattrs(struct dentry *dentry)
 {
        struct inode *inode = dentry->d_inode;
@@ -287,12 +300,20 @@ out:
 * @xattr_value: pointer to the new extended attribute value
 * @xattr_value_len: pointer to the new extended attribute value length
 *
- * Updating 'security.evm' requires CAP_SYS_ADMIN privileges and that
+ * Before allowing the 'security.evm' protected xattr to be updated,
- * the current value is valid.
+ * verify the existing value is valid.  As only the kernel should have
+ * access to the EVM encrypted key needed to calculate the HMAC, prevent
+ * userspace from writing HMAC value.  Writing 'security.evm' requires
+ * requires CAP_SYS_ADMIN privileges.
 */
 int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name,
                       const void *xattr_value, size_t xattr_value_len)
 {
+        const struct evm_ima_xattr_data *xattr_data = xattr_value;
+        if ((strcmp(xattr_name, XATTR_NAME_EVM) == 0)
+            && (xattr_data->type == EVM_XATTR_HMAC))
+                return -EPERM;
        return evm_protect_xattr(dentry, xattr_name, xattr_value,
                                 xattr_value_len);
 }
@@ -432,6 +453,8 @@ static int __init init_evm(void)
 {
        int error;
+        evm_init_config();
        error = evm_init_secfs();
        if (error < 0) {
                pr_info("Error registering secfs\n");
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index ba9e4d792dd5..d9cd5ce14d2b 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -199,6 +199,7 @@ int ima_collect_measurement(struct integrity_iint_cache *iint,
                            struct evm_ima_xattr_data **xattr_value,
                            int *xattr_len)
 {
+        const char *audit_cause = "failed";
        struct inode *inode = file_inode(file);
        const char *filename = file->f_dentry->d_name.name;
        int result = 0;
@@ -213,6 +214,12 @@ int ima_collect_measurement(struct integrity_iint_cache *iint,
        if (!(iint->flags & IMA_COLLECTED)) {
                u64 i_version = file_inode(file)->i_version;
+                if (file->f_flags & O_DIRECT) {
+                        audit_cause = "failed(directio)";
+                        result = -EACCES;
+                        goto out;
+                }
                /* use default hash algorithm */
                hash.hdr.algo = ima_hash_algo;
@@ -233,9 +240,10 @@ int ima_collect_measurement(struct integrity_iint_cache *iint,
                                result = -ENOMEM;
                }
        }
+out:
        if (result)
                integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode,
-                                    filename, "collect_data", "failed",
+                                    filename, "collect_data", audit_cause,
                                    result, 0);
        return result;
 }
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 291bf0f3a46d..d3113d4aaa3c 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -341,7 +341,7 @@ static int ima_protect_xattr(struct dentry *dentry, const char *xattr_name,
        return 0;
 }
-static void ima_reset_appraise_flags(struct inode *inode)
+static void ima_reset_appraise_flags(struct inode *inode, int digsig)
 {
        struct integrity_iint_cache *iint;
@@ -353,18 +353,22 @@ static void ima_reset_appraise_flags(struct inode *inode)
                return;
        iint->flags &= ~IMA_DONE_MASK;
+        if (digsig)
+                iint->flags |= IMA_DIGSIG;
        return;
 }
 int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
                       const void *xattr_value, size_t xattr_value_len)
 {
+        const struct evm_ima_xattr_data *xvalue = xattr_value;
        int result;
        result = ima_protect_xattr(dentry, xattr_name, xattr_value,
                                   xattr_value_len);
        if (result == 1) {
-                ima_reset_appraise_flags(dentry->d_inode);
+                ima_reset_appraise_flags(dentry->d_inode,
+                         (xvalue->type == EVM_IMA_XATTR_DIGSIG) ? 1 : 0);
                result = 0;
        }
        return result;
@@ -376,7 +380,7 @@ int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name)
        result = ima_protect_xattr(dentry, xattr_name, NULL, 0);
        if (result == 1) {
-                ima_reset_appraise_flags(dentry->d_inode);
+                ima_reset_appraise_flags(dentry->d_inode, 0);
                result = 0;
        }
        return result;
diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c
index 1bde8e627766..ccd0ac8fa9a0 100644
--- a/security/integrity/ima/ima_crypto.c
+++ b/security/integrity/ima/ima_crypto.c
@@ -27,6 +27,36 @@
 static struct crypto_shash *ima_shash_tfm;
+/**
+ * ima_kernel_read - read file content
+ *
+ * This is a function for reading file content instead of kernel_read().
+ * It does not perform locking checks to ensure it cannot be blocked.
+ * It does not perform security checks because it is irrelevant for IMA.
+ *
+ */
+static int ima_kernel_read(struct file *file, loff_t offset,
+                           char *addr, unsigned long count)
+{
+        mm_segment_t old_fs;
+        char __user *buf = addr;
+        ssize_t ret;
+        if (!(file->f_mode & FMODE_READ))
+                return -EBADF;
+        if (!file->f_op->read && !file->f_op->aio_read)
+                return -EINVAL;
+        old_fs = get_fs();
+        set_fs(get_ds());
+        if (file->f_op->read)
+                ret = file->f_op->read(file, buf, count, &offset);
+        else
+                ret = do_sync_read(file, buf, count, &offset);
+        set_fs(old_fs);
+        return ret;
+}
 int ima_init_crypto(void)
 {
        long rc;
@@ -104,7 +134,7 @@ static int ima_calc_file_hash_tfm(struct file *file,
        while (offset < i_size) {
                int rbuf_len;
-                rbuf_len = kernel_read(file, offset, rbuf, PAGE_SIZE);
+                rbuf_len = ima_kernel_read(file, offset, rbuf, PAGE_SIZE);
                if (rbuf_len < 0) {
                        rc = rbuf_len;
                        break;
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 52ac6cf41f88..09baa335ebc7 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -81,7 +81,6 @@ static void ima_rdwr_violation_check(struct file *file)
 {
        struct inode *inode = file_inode(file);
        fmode_t mode = file->f_mode;
-        int must_measure;
        bool send_tomtou = false, send_writers = false;
        char *pathbuf = NULL;
        const char *pathname;
@@ -92,18 +91,19 @@ static void ima_rdwr_violation_check(struct file *file)
        mutex_lock(&inode->i_mutex);    /* file metadata: permissions, xattr */
        if (mode & FMODE_WRITE) {
-                if (atomic_read(&inode->i_readcount) && IS_IMA(inode))
+                if (atomic_read(&inode->i_readcount) && IS_IMA(inode)) {
-                        send_tomtou = true;
+                        struct integrity_iint_cache *iint;
-                goto out;
+                        iint = integrity_iint_find(inode);
+                        /* IMA_MEASURE is set from reader side */
+                        if (iint && (iint->flags & IMA_MEASURE))
+                                send_tomtou = true;
+                }
+        } else {
+                if ((atomic_read(&inode->i_writecount) > 0) &&
+                    ima_must_measure(inode, MAY_READ, FILE_CHECK))
+                        send_writers = true;
        }
-        must_measure = ima_must_measure(inode, MAY_READ, FILE_CHECK);
-        if (!must_measure)
-                goto out;
-        if (atomic_read(&inode->i_writecount) > 0)
-                send_writers = true;
-out:
        mutex_unlock(&inode->i_mutex);
        if (!send_tomtou && !send_writers)
@@ -214,8 +214,11 @@ static int process_measurement(struct file *file, const char *filename,
                xattr_ptr = &xattr_value;
        rc = ima_collect_measurement(iint, file, xattr_ptr, &xattr_len);
-        if (rc != 0)
+        if (rc != 0) {
+                if (file->f_flags & O_DIRECT)
+                        rc = (iint->flags & IMA_PERMIT_DIRECTIO) ? 0 : -EACCES;
                goto out_digsig;
+        }
        pathname = filename ?: ima_d_path(&file->f_path, &pathbuf);
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 93873a450ff7..40a7488f6721 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -353,7 +353,7 @@ enum {
        Opt_obj_user, Opt_obj_role, Opt_obj_type,
        Opt_subj_user, Opt_subj_role, Opt_subj_type,
        Opt_func, Opt_mask, Opt_fsmagic, Opt_uid, Opt_fowner,
-        Opt_appraise_type, Opt_fsuuid
+        Opt_appraise_type, Opt_fsuuid, Opt_permit_directio
 };
 static match_table_t policy_tokens = {
@@ -375,6 +375,7 @@ static match_table_t policy_tokens = {
        {Opt_uid, "uid=%s"},
        {Opt_fowner, "fowner=%s"},
        {Opt_appraise_type, "appraise_type=%s"},
+        {Opt_permit_directio, "permit_directio"},
        {Opt_err, NULL}
 };
@@ -622,6 +623,9 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
                        else
                                result = -EINVAL;
                        break;
+                case Opt_permit_directio:
+                        entry->flags |= IMA_PERMIT_DIRECTIO;
+                        break;
                case Opt_err:
                        ima_log_string(ab, "UNKNOWN", p);
                        result = -EINVAL;
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 2fb5e53e927f..33c0a70f6b15 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -30,6 +30,7 @@
 #define IMA_ACTION_FLAGS        0xff000000
 #define IMA_DIGSIG              0x01000000
 #define IMA_DIGSIG_REQUIRED     0x02000000
+#define IMA_PERMIT_DIRECTIO     0x04000000
 #define IMA_DO_MASK             (IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \
                                 IMA_APPRAISE_SUBMASK)
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 14d04e63b1f0..be491a74c1ed 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -147,7 +147,7 @@ struct security_class_mapping secclass_map[] = {
        { "peer", { "recv", NULL } },
        { "capability2",
          { "mac_override", "mac_admin", "syslog", "wake_alarm", "block_suspend",
-            NULL } },
+            "audit_read", NULL } },
        { "kernel_service", { "use_as_override", "create_files_as", NULL } },
        { "tun_socket",
          { COMMON_SOCK_PERMS, "attach_queue", NULL } },
author	James Morris <james.l.morris@oracle.com>	2014-07-16 12:10:27 -0400
committer	James Morris <james.l.morris@oracle.com>	2014-07-16 12:10:27 -0400
commit	bd89bb78f35fd175db7a9cfc504d789b6ca0f7b0 (patch)
tree	dee9f8b31f3d6d2fb141541da88e1cc1329b017e /security
parent	f01387d2693813eb5271a3448e6a082322c7d75d (diff)
parent	1795cd9b3a91d4b5473c97f491d63892442212ab (diff)