aboutsummaryrefslogtreecommitdiffstats
path: root/security/integrity
Commit message (Collapse)AuthorAge
* IMA: update ima_counts_putMimi Zohar2009-09-06
| | | | | | | | | | | | | | - As ima_counts_put() may be called after the inode has been freed, verify that the inode is not NULL, before dereferencing it. - Maintain the IMA file counters in may_open() properly, decrementing any counter increments on subsequent errors. Reported-by: Ciprian Docan <docan@eden.rutgers.edu> Reported-by: J.R. Okajima <hooanon05@yahoo.co.jp> Signed-off-by: Mimi Zohar <zohar@us.ibm.com> Acked-by: Eric Paris <eparis@redhat.com Signed-off-by: James Morris <jmorris@namei.org>
* Merge branch 'for-linus' of ↵Linus Torvalds2009-08-26
|\ | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6 * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: IMA: iint put in ima_counts_get and put
| * IMA: iint put in ima_counts_get and putEric Paris2009-08-26
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ima_counts_get() calls ima_iint_find_insert_get() which takes a reference to the iint in question, but does not put that reference at the end of the function. This can lead to a nasty memory leak. Easy enough to reproduce: #include <sys/mman.h> #include <stdio.h> int main (void) { int i; void *ptr; for (i=0; i < 100000; i++) { ptr = mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_ANONYMOUS, -1, 0); if (ptr == MAP_FAILED) return 2; munmap(ptr, 4096); } return 0; } Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
* | ima: hashing large files bug fixMimi Zohar2009-08-24
|/ | | | | | | | | | | Hashing files larger than INT_MAX causes process to loop. Dependent on redefining kernel_read() offset type to loff_t. (http://bugzilla.kernel.org/show_bug.cgi?id=13909) Cc: stable@kernel.org Signed-off-by: Mimi Zohar <zohar@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
* integrity: add ima_counts_put (updated)Mimi Zohar2009-06-28
| | | | | | | | | | | This patch fixes an imbalance message as reported by J.R. Okajima. The IMA file counters are incremented in ima_path_check. If the actual open fails, such as ETXTBSY, decrement the counters to prevent unnecessary imbalance messages. Reported-by: J.R. Okajima <hooanon05@yahoo.co.jp> Signed-off-by: Mimi Zohar <zohar@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
* integrity: ima audit hash_exists fixMimi Zohar2009-06-28
| | | | | | | Audit the file name, not the template name. Signed-off-by: Mimi Zohar <zohar@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
* Merge branch 'for-linus' of ↵Linus Torvalds2009-06-11
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6 * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: (44 commits) nommu: Provide mmap_min_addr definition. TOMOYO: Add description of lists and structures. TOMOYO: Remove unused field. integrity: ima audit dentry_open failure TOMOYO: Remove unused parameter. security: use mmap_min_addr indepedently of security models TOMOYO: Simplify policy reader. TOMOYO: Remove redundant markers. SELinux: define audit permissions for audit tree netlink messages TOMOYO: Remove unused mutex. tomoyo: avoid get+put of task_struct smack: Remove redundant initialization. integrity: nfsd imbalance bug fix rootplug: Remove redundant initialization. smack: do not beyond ARRAY_SIZE of data integrity: move ima_counts_get integrity: path_check update IMA: Add __init notation to ima functions IMA: Minimal IMA policy and boot param for TCB IMA policy selinux: remove obsolete read buffer limit from sel_read_bool ...
| * integrity: ima audit dentry_open failureMimi Zohar2009-06-04
| | | | | | | | | | | | | | | | | | | | | | | | Until we start appraising measurements, the ima_path_check() return code should always be 0. - Update the ima_path_check() return code comment - Instead of the pr_info, audit the dentry_open failure Signed-off-by: Mimi Zohar <zohar@us.ibm.com> Acked-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
| * integrity: path_check updateMimi Zohar2009-05-21
| | | | | | | | | | | | | | | | | | | | | | - Add support in ima_path_check() for integrity checking without incrementing the counts. (Required for nfsd.) - rename and export opencount_get to ima_counts_get - replace ima_shm_check calls with ima_counts_get - export ima_path_check Signed-off-by: Mimi Zohar <zohar@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
| * IMA: Add __init notation to ima functionsEric Paris2009-05-21
| | | | | | | | | | | | | | | | | | A number of IMA functions only used during init are not marked with __init. Add those notations so they are freed automatically. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Mimi Zohar <zohar@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
| * IMA: Minimal IMA policy and boot param for TCB IMA policyEric Paris2009-05-21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The IMA TCB policy is dangerous. A normal use can use all of a system's memory (which cannot be freed) simply by building and running lots of executables. The TCB policy is also nearly useless because logging in as root often causes a policy violation when dealing with utmp, thus rendering the measurements meaningless. There is no good fix for this in the kernel. A full TCB policy would need to be loaded in userspace using LSM rule matching to get both a protected and useful system. But, if too little is measured before userspace can load a real policy one again ends up with a meaningless set of measurements. One option would be to put the policy load inside the initrd in order to get it early enough in the boot sequence to be useful, but this runs into trouble with the LSM. For IMA to measure the LSM policy and the LSM policy loading mechanism it needs rules to do so, but we already talked about problems with defaulting to such broad rules.... IMA also depends on the files being measured to be on an FS which implements and supports i_version. Since the only FS with this support (ext4) doesn't even use it by default it seems silly to have any IMA rules by default. This should reduce the performance overhead of IMA to near 0 while still letting users who choose to configure their machine as such to inclue the ima_tcb kernel paramenter and get measurements during boot before they can load a customized, reasonable policy in userspace. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Mimi Zohar <zohar@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
| * SELinux: move SELINUX_MAGIC into magic.hEric Paris2009-05-18
| | | | | | | | | | | | | | | | | | The selinuxfs superblock magic is used inside the IMA code, but is being defined in two places and could someday get out of sync. This patch moves the declaration into magic.h so it is only done once. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
| * IMA: do not measure everything opened by root by defaultEric Paris2009-05-14
| | | | | | | | | | | | | | | | | | | | | | The IMA default policy measures every single file opened by root. This is terrible for most users. Consider a system (like mine) with virtual machine images. When those images are touched (which happens at boot for me) those images are measured. This is just way too much for the default case. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Mimi Zohar <zohar@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
| * IMA: remove read permissions on the ima policy fileEric Paris2009-05-14
| | | | | | | | | | | | | | | | | | | | | | The IMA policy file does not implement read. Trying to just open/read/close the file will load a blank policy and you cannot then change the policy without a reboot. This removes the read permission from the file so one must at least be attempting to write... Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Mimi Zohar <zohar@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
| * IMA: open all files O_LARGEFILEEric Paris2009-05-11
| | | | | | | | | | | | | | | | | | | | If IMA tried to measure a file which was larger than 4G dentry_open would fail with -EOVERFLOW since IMA wasn't passing O_LARGEFILE. This patch passes O_LARGEFILE to all IMA opens to avoid this problem. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Mimi Zohar <zohar@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
| * IMA: Handle dentry_open failuresEric Paris2009-05-11
| | | | | | | | | | | | | | | | | | | | Currently IMA does not handle failures from dentry_open(). This means that we leave a pointer set to ERR_PTR(errno) and then try to use it just a few lines later in fput(). Oops. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Mimi Zohar <zohar@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
| * IMA: use current_cred() instead of current->credEric Paris2009-05-11
| | | | | | | | | | | | | | | | | | Proper invocation of the current credentials is to use current_cred() not current->cred. This patches makes IMA use the new method. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Mimi Zohar <zohar@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
| * integrity: remove __setup auditing msgsMimi Zohar2009-05-05
| | | | | | | | | | | | | | Remove integrity audit messages from __setup() Signed-off-by: Mimi Zohar <zohar@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
| * integrity: use audit_log_stringMimi Zohar2009-05-05
| | | | | | | | | | | | | | | | | | Based on a request from Eric Paris to simplify parsing, replace audit_log_format statements containing "%s" with audit_log_string(). Signed-off-by: Mimi Zohar <zohar@us.ibm.com> Acked-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
| * integrity: lsm audit rule matching fixMimi Zohar2009-05-05
| | | | | | | | | | | | | | | | | | An audit subsystem change replaced AUDIT_EQUAL with Audit_equal. Update calls to security_filter_rule_init()/match() to reflect the change. Signed-off-by: Mimi Zohar <zohar@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
* | rculist: use list_entry_rcu in places where it's appropriateJiri Pirko2009-04-15
|/ | | | | | | | | | | Use previously introduced list_entry_rcu instead of an open-coded list_entry + rcu_dereference combination. Signed-off-by: Jiri Pirko <jpirko@redhat.com> Reviewed-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com> Cc: dipankar@in.ibm.com LKML-Reference: <20090414181715.GA3634@psychotron.englab.brq.redhat.com> Signed-off-by: Ingo Molnar <mingo@elte.hu>
* integrity: ima iint radix_tree_lookup locking fixMimi Zohar2009-02-22
| | | | | | | | | | Based on Andrew Morton's comments: - add missing locks around radix_tree_lookup in ima_iint_insert() Signed-off-by: Mimi Zohar <zohar@us.ibm.com> Cc: James Morris <jmorris@namei.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: James Morris <jmorris@namei.org>
* integrity: ima scatterlist bug fixMimi Zohar2009-02-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Based on Alexander Beregalov's post http://lkml.org/lkml/2009/2/19/198 - replaced sg_set_buf() with sg_init_one() kernel BUG at include/linux/scatterlist.h:65! invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC last sysfs file: CPU 2 Modules linked in: Pid: 1, comm: swapper Not tainted 2.6.29-rc5-next-20090219 #5 PowerEdge 1950 RIP: 0010:[<ffffffff8045ec70>] [<ffffffff8045ec70>] ima_calc_hash+0xc0/0x160 RSP: 0018:ffff88007f46bc40 EFLAGS: 00010286 RAX: ffffe200032c45e8 RBX: 00000000fffffff4 RCX: 0000000087654321 RDX: 0000000000000002 RSI: 0000000000000001 RDI: ffff88007cf71048 RBP: ffff88007f46bcd0 R08: 0000000000000000 R09: 0000000000000163 R10: ffff88007f4707a8 R11: 0000000000000000 R12: ffff88007cf71048 R13: 0000000000001000 R14: 0000000000000000 R15: 0000000000009d98 FS: 0000000000000000(0000) GS:ffff8800051ac000(0000) knlGS:0000000000000000 CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b CR2: 0000000000000000 CR3: 0000000000201000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Signed-off-by: Mimi Zohar <zohar@us.ibm.com> Tested-by: Alexander Beregalov <a.beregalov@gmail.com> Signed-off-by: James Morris <jmorris@namei.org>
* ima: fix build errorRandy Dunlap2009-02-12
| | | | | | | | | | | | | IMA_LSM_RULES requires AUDIT. This is automatic if SECURITY_SELINUX=y but not when SECURITY_SMACK=y (and SECURITY_SELINUX=n), so make the dependency explicit. This fixes the following build error: security/integrity/ima/ima_policy.c:111:error: implicit declaration of function 'security_audit_rule_match' security/integrity/ima/ima_policy.c:230:error: implicit declaration of function 'security_audit_rule_init' Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com> Acked-by: Mimi Zohar <zohar@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
* integrity: audit updateMimi Zohar2009-02-11
| | | | | | | | | | | | Based on discussions on linux-audit, as per Steve Grubb's request http://lkml.org/lkml/2009/2/6/269, the following changes were made: - forced audit result to be either 0 or 1. - made template names const - Added new stand-alone message type: AUDIT_INTEGRITY_RULE Signed-off-by: Mimi Zohar <zohar@us.ibm.com> Acked-by: Steve Grubb <sgrubb@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
* IMA: fix ima_delete_rules() definitionJames Morris2009-02-05
| | | | | | Fix ima_delete_rules() definition so sparse doesn't complain. Signed-off-by: James Morris <jmorris@namei.org>
* Integrity: IMA file free imbalanceMimi Zohar2009-02-05
| | | | | | | | | | | | | | | | | | | | | The number of calls to ima_path_check()/ima_file_free() should be balanced. An extra call to fput(), indicates the file could have been accessed without first being measured. Although f_count is incremented/decremented in places other than fget/fput, like fget_light/fput_light and get_file, the current task must already hold a file refcnt. The call to __fput() is delayed until the refcnt becomes 0, resulting in ima_file_free() flagging any changes. - add hook to increment opencount for IPC shared memory(SYSV), shmat files, and /dev/zero - moved NULL iint test in opencount_get() Signed-off-by: Mimi Zohar <zohar@us.ibm.com> Acked-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
* integrity: IMA policy openMimi Zohar2009-02-05
| | | | | | | | | Sequentialize access to the policy file - permit multiple attempts to replace default policy with a valid policy Signed-off-by: Mimi Zohar <zohar@us.ibm.com> Acked-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
* integrity: IMA policyMimi Zohar2009-02-05
| | | | | | | | | | Support for a user loadable policy through securityfs with support for LSM specific policy data. - free invalid rule in ima_parse_add_rule() Signed-off-by: Mimi Zohar <zohar@us.ibm.com> Acked-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
* integrity: IMA displayMimi Zohar2009-02-05
| | | | | | | | | Make the measurement lists available through securityfs. - removed test for NULL return code from securityfs_create_file/dir Signed-off-by: Mimi Zohar <zohar@us.ibm.com> Acked-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
* integrity: IMA as an integrity service providerMimi Zohar2009-02-05
IMA provides hardware (TPM) based measurement and attestation for file measurements. As the Trusted Computing (TPM) model requires, IMA measures all files before they are accessed in any way (on the integrity_bprm_check, integrity_path_check and integrity_file_mmap hooks), and commits the measurements to the TPM. Once added to the TPM, measurements can not be removed. In addition, IMA maintains a list of these file measurements, which can be used to validate the aggregate value stored in the TPM. The TPM can sign these measurements, and thus the system can prove, to itself and to a third party, the system's integrity in a way that cannot be circumvented by malicious or compromised software. - alloc ima_template_entry before calling ima_store_template() - log ima_add_boot_aggregate() failure - removed unused IMA_TEMPLATE_NAME_LEN - replaced hard coded string length with #define name Signed-off-by: Mimi Zohar <zohar@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>