From 9d8f13ba3f4833219e50767b022b82cd0da930eb Mon Sep 17 00:00:00 2001 From: Mimi Zohar Date: Mon, 6 Jun 2011 15:29:25 -0400 Subject: security: new security_inode_init_security API adds function callback This patch changes the security_inode_init_security API by adding a filesystem specific callback to write security extended attributes. This change is in preparation for supporting the initialization of multiple LSM xattrs and the EVM xattr. Initially the callback function walks an array of xattrs, writing each xattr separately, but could be optimized to write multiple xattrs at once. For existing security_inode_init_security() calls, which have not yet been converted to use the new callback function, such as those in reiserfs and ocfs2, this patch defines security_old_inode_init_security(). Signed-off-by: Mimi Zohar --- include/linux/security.h | 17 ++++++++++++----- include/linux/xattr.h | 6 ++++++ 2 files changed, 18 insertions(+), 5 deletions(-) (limited to 'include') diff --git a/include/linux/security.h b/include/linux/security.h index 8ce59ef3e5af..6a20c7025495 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -36,6 +36,7 @@ #include #include #include +#include #include /* Maximum number of letters for an LSM name string */ @@ -147,6 +148,10 @@ extern int mmap_min_addr_handler(struct ctl_table *table, int write, void __user *buffer, size_t *lenp, loff_t *ppos); #endif +/* security_inode_init_security callback function to write xattrs */ +typedef int (*initxattrs) (struct inode *inode, + const struct xattr *xattr_array, void *fs_data); + #ifdef CONFIG_SECURITY struct security_mnt_opts { @@ -1704,8 +1709,11 @@ int security_sb_parse_opts_str(char *options, struct security_mnt_opts *opts); int security_inode_alloc(struct inode *inode); void security_inode_free(struct inode *inode); int security_inode_init_security(struct inode *inode, struct inode *dir, - const struct qstr *qstr, char **name, - void **value, size_t *len); + const struct qstr *qstr, + initxattrs initxattrs, void *fs_data); +int security_old_inode_init_security(struct inode *inode, struct inode *dir, + const struct qstr *qstr, char **name, + void **value, size_t *len); int security_inode_create(struct inode *dir, struct dentry *dentry, int mode); int security_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry); @@ -2035,9 +2043,8 @@ static inline void security_inode_free(struct inode *inode) static inline int security_inode_init_security(struct inode *inode, struct inode *dir, const struct qstr *qstr, - char **name, - void **value, - size_t *len) + initxattrs initxattrs, + void *fs_data) { return -EOPNOTSUPP; } diff --git a/include/linux/xattr.h b/include/linux/xattr.h index aed54c50aa66..7a378662ddff 100644 --- a/include/linux/xattr.h +++ b/include/linux/xattr.h @@ -67,6 +67,12 @@ struct xattr_handler { size_t size, int flags, int handler_flags); }; +struct xattr { + char *name; + void *value; + size_t value_len; +}; + ssize_t xattr_getsecurity(struct inode *, const char *, void *, size_t); ssize_t vfs_getxattr(struct dentry *, const char *, void *, size_t); ssize_t vfs_listxattr(struct dentry *d, char *list, size_t size); -- cgit v1.2.3 From f381c272224f5f158f5cff64f8f3481fa0eee8b3 Mon Sep 17 00:00:00 2001 From: Mimi Zohar Date: Wed, 9 Mar 2011 14:13:22 -0500 Subject: integrity: move ima inode integrity data management Move the inode integrity data(iint) management up to the integrity directory in order to share the iint among the different integrity models. Changelog: - don't define MAX_DIGEST_SIZE - rename several globally visible 'ima_' prefixed functions, structs, locks, etc to 'integrity_' - replace '20' with SHA1_DIGEST_SIZE - reflect location change in appropriate Kconfig and Makefiles - remove unnecessary initialization of iint_initialized to 0 - rebased on current ima_iint.c - define integrity_iint_store/lock as static There should be no other functional changes. Signed-off-by: Mimi Zohar Acked-by: Serge Hallyn --- include/linux/ima.h | 13 --- include/linux/integrity.h | 30 +++++++ security/Kconfig | 2 +- security/Makefile | 4 +- security/integrity/Kconfig | 6 ++ security/integrity/Makefile | 10 +++ security/integrity/iint.c | 170 ++++++++++++++++++++++++++++++++++++++ security/integrity/ima/Kconfig | 1 + security/integrity/ima/Makefile | 2 +- security/integrity/ima/ima.h | 29 ++----- security/integrity/ima/ima_api.c | 7 +- security/integrity/ima/ima_iint.c | 169 ------------------------------------- security/integrity/ima/ima_main.c | 12 +-- security/integrity/integrity.h | 35 ++++++++ security/security.c | 3 +- 15 files changed, 277 insertions(+), 216 deletions(-) create mode 100644 include/linux/integrity.h create mode 100644 security/integrity/Kconfig create mode 100644 security/integrity/Makefile create mode 100644 security/integrity/iint.c delete mode 100644 security/integrity/ima/ima_iint.c create mode 100644 security/integrity/integrity.h (limited to 'include') diff --git a/include/linux/ima.h b/include/linux/ima.h index 09e6e62f9953..6ac8e50c6cf5 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -15,8 +15,6 @@ struct linux_binprm; #ifdef CONFIG_IMA extern int ima_bprm_check(struct linux_binprm *bprm); -extern int ima_inode_alloc(struct inode *inode); -extern void ima_inode_free(struct inode *inode); extern int ima_file_check(struct file *file, int mask); extern void ima_file_free(struct file *file); extern int ima_file_mmap(struct file *file, unsigned long prot); @@ -27,16 +25,6 @@ static inline int ima_bprm_check(struct linux_binprm *bprm) return 0; } -static inline int ima_inode_alloc(struct inode *inode) -{ - return 0; -} - -static inline void ima_inode_free(struct inode *inode) -{ - return; -} - static inline int ima_file_check(struct file *file, int mask) { return 0; @@ -51,6 +39,5 @@ static inline int ima_file_mmap(struct file *file, unsigned long prot) { return 0; } - #endif /* CONFIG_IMA_H */ #endif /* _LINUX_IMA_H */ diff --git a/include/linux/integrity.h b/include/linux/integrity.h new file mode 100644 index 000000000000..905981247327 --- /dev/null +++ b/include/linux/integrity.h @@ -0,0 +1,30 @@ +/* + * Copyright (C) 2009 IBM Corporation + * Author: Mimi Zohar + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, version 2 of the License. + */ + +#ifndef _LINUX_INTEGRITY_H +#define _LINUX_INTEGRITY_H + +#include + +#ifdef CONFIG_INTEGRITY +extern int integrity_inode_alloc(struct inode *inode); +extern void integrity_inode_free(struct inode *inode); + +#else +static inline int integrity_inode_alloc(struct inode *inode) +{ + return 0; +} + +static inline void integrity_inode_free(struct inode *inode) +{ + return; +} +#endif /* CONFIG_INTEGRITY_H */ +#endif /* _LINUX_INTEGRITY_H */ diff --git a/security/Kconfig b/security/Kconfig index e0f08b52e4ab..22847a889081 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -186,7 +186,7 @@ source security/smack/Kconfig source security/tomoyo/Kconfig source security/apparmor/Kconfig -source security/integrity/ima/Kconfig +source security/integrity/Kconfig choice prompt "Default security module" diff --git a/security/Makefile b/security/Makefile index 8bb0fe9e1ca9..a5e502f8a05b 100644 --- a/security/Makefile +++ b/security/Makefile @@ -24,5 +24,5 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/built-in.o obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o # Object integrity file lists -subdir-$(CONFIG_IMA) += integrity/ima -obj-$(CONFIG_IMA) += integrity/ima/built-in.o +subdir-$(CONFIG_INTEGRITY) += integrity +obj-$(CONFIG_INTEGRITY) += integrity/built-in.o diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig new file mode 100644 index 000000000000..270469155681 --- /dev/null +++ b/security/integrity/Kconfig @@ -0,0 +1,6 @@ +# +config INTEGRITY + def_bool y + depends on IMA + +source security/integrity/ima/Kconfig diff --git a/security/integrity/Makefile b/security/integrity/Makefile new file mode 100644 index 000000000000..6eddd61b84e8 --- /dev/null +++ b/security/integrity/Makefile @@ -0,0 +1,10 @@ +# +# Makefile for caching inode integrity data (iint) +# + +obj-$(CONFIG_INTEGRITY) += integrity.o + +integrity-y := iint.o + +subdir-$(CONFIG_IMA) += ima +obj-$(CONFIG_IMA) += ima/built-in.o diff --git a/security/integrity/iint.c b/security/integrity/iint.c new file mode 100644 index 000000000000..d17de48bd6cc --- /dev/null +++ b/security/integrity/iint.c @@ -0,0 +1,170 @@ +/* + * Copyright (C) 2008 IBM Corporation + * + * Authors: + * Mimi Zohar + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation, version 2 of the + * License. + * + * File: integrity_iint.c + * - implements the integrity hooks: integrity_inode_alloc, + * integrity_inode_free + * - cache integrity information associated with an inode + * using a rbtree tree. + */ +#include +#include +#include +#include +#include "integrity.h" + +static struct rb_root integrity_iint_tree = RB_ROOT; +static DEFINE_SPINLOCK(integrity_iint_lock); +static struct kmem_cache *iint_cache __read_mostly; + +int iint_initialized; + +/* + * __integrity_iint_find - return the iint associated with an inode + */ +static struct integrity_iint_cache *__integrity_iint_find(struct inode *inode) +{ + struct integrity_iint_cache *iint; + struct rb_node *n = integrity_iint_tree.rb_node; + + assert_spin_locked(&integrity_iint_lock); + + while (n) { + iint = rb_entry(n, struct integrity_iint_cache, rb_node); + + if (inode < iint->inode) + n = n->rb_left; + else if (inode > iint->inode) + n = n->rb_right; + else + break; + } + if (!n) + return NULL; + + return iint; +} + +/* + * integrity_iint_find - return the iint associated with an inode + */ +struct integrity_iint_cache *integrity_iint_find(struct inode *inode) +{ + struct integrity_iint_cache *iint; + + if (!IS_IMA(inode)) + return NULL; + + spin_lock(&integrity_iint_lock); + iint = __integrity_iint_find(inode); + spin_unlock(&integrity_iint_lock); + + return iint; +} + +static void iint_free(struct integrity_iint_cache *iint) +{ + iint->version = 0; + iint->flags = 0UL; + kmem_cache_free(iint_cache, iint); +} + +/** + * integrity_inode_alloc - allocate an iint associated with an inode + * @inode: pointer to the inode + */ +int integrity_inode_alloc(struct inode *inode) +{ + struct rb_node **p; + struct rb_node *new_node, *parent = NULL; + struct integrity_iint_cache *new_iint, *test_iint; + int rc; + + new_iint = kmem_cache_alloc(iint_cache, GFP_NOFS); + if (!new_iint) + return -ENOMEM; + + new_iint->inode = inode; + new_node = &new_iint->rb_node; + + mutex_lock(&inode->i_mutex); /* i_flags */ + spin_lock(&integrity_iint_lock); + + p = &integrity_iint_tree.rb_node; + while (*p) { + parent = *p; + test_iint = rb_entry(parent, struct integrity_iint_cache, + rb_node); + rc = -EEXIST; + if (inode < test_iint->inode) + p = &(*p)->rb_left; + else if (inode > test_iint->inode) + p = &(*p)->rb_right; + else + goto out_err; + } + + inode->i_flags |= S_IMA; + rb_link_node(new_node, parent, p); + rb_insert_color(new_node, &integrity_iint_tree); + + spin_unlock(&integrity_iint_lock); + mutex_unlock(&inode->i_mutex); /* i_flags */ + + return 0; +out_err: + spin_unlock(&integrity_iint_lock); + mutex_unlock(&inode->i_mutex); /* i_flags */ + iint_free(new_iint); + + return rc; +} + +/** + * integrity_inode_free - called on security_inode_free + * @inode: pointer to the inode + * + * Free the integrity information(iint) associated with an inode. + */ +void integrity_inode_free(struct inode *inode) +{ + struct integrity_iint_cache *iint; + + if (!IS_IMA(inode)) + return; + + spin_lock(&integrity_iint_lock); + iint = __integrity_iint_find(inode); + rb_erase(&iint->rb_node, &integrity_iint_tree); + spin_unlock(&integrity_iint_lock); + + iint_free(iint); +} + +static void init_once(void *foo) +{ + struct integrity_iint_cache *iint = foo; + + memset(iint, 0, sizeof *iint); + iint->version = 0; + iint->flags = 0UL; + mutex_init(&iint->mutex); +} + +static int __init integrity_iintcache_init(void) +{ + iint_cache = + kmem_cache_create("iint_cache", sizeof(struct integrity_iint_cache), + 0, SLAB_PANIC, init_once); + iint_initialized = 1; + return 0; +} +security_initcall(integrity_iintcache_init); diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index b6ecfd4d8d78..19c053b82303 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig @@ -3,6 +3,7 @@ config IMA bool "Integrity Measurement Architecture(IMA)" depends on SECURITY + select INTEGRITY select SECURITYFS select CRYPTO select CRYPTO_HMAC diff --git a/security/integrity/ima/Makefile b/security/integrity/ima/Makefile index 787c4cb916cd..5690c021de8f 100644 --- a/security/integrity/ima/Makefile +++ b/security/integrity/ima/Makefile @@ -6,4 +6,4 @@ obj-$(CONFIG_IMA) += ima.o ima-y := ima_fs.o ima_queue.o ima_init.o ima_main.o ima_crypto.o ima_api.o \ - ima_policy.o ima_iint.o ima_audit.o + ima_policy.o ima_audit.o diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 08408bd71462..29d97af5e9a4 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -24,11 +24,13 @@ #include #include +#include "../integrity.h" + enum ima_show_type { IMA_SHOW_BINARY, IMA_SHOW_ASCII }; enum tpm_pcrs { TPM_PCR0 = 0, TPM_PCR8 = 8 }; /* digest size for IMA, fits SHA1 or MD5 */ -#define IMA_DIGEST_SIZE 20 +#define IMA_DIGEST_SIZE SHA1_DIGEST_SIZE #define IMA_EVENT_NAME_LEN_MAX 255 #define IMA_HASH_BITS 9 @@ -96,34 +98,21 @@ static inline unsigned long ima_hash_key(u8 *digest) return hash_long(*digest, IMA_HASH_BITS); } -/* iint cache flags */ -#define IMA_MEASURED 0x01 - -/* integrity data associated with an inode */ -struct ima_iint_cache { - struct rb_node rb_node; /* rooted in ima_iint_tree */ - struct inode *inode; /* back pointer to inode in question */ - u64 version; /* track inode changes */ - unsigned char flags; - u8 digest[IMA_DIGEST_SIZE]; - struct mutex mutex; /* protects: version, flags, digest */ -}; - /* LIM API function definitions */ int ima_must_measure(struct inode *inode, int mask, int function); -int ima_collect_measurement(struct ima_iint_cache *iint, struct file *file); -void ima_store_measurement(struct ima_iint_cache *iint, struct file *file, +int ima_collect_measurement(struct integrity_iint_cache *iint, + struct file *file); +void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file, const unsigned char *filename); int ima_store_template(struct ima_template_entry *entry, int violation, struct inode *inode); -void ima_template_show(struct seq_file *m, void *e, - enum ima_show_type show); +void ima_template_show(struct seq_file *m, void *e, enum ima_show_type show); /* rbtree tree calls to lookup, insert, delete * integrity data associated with an inode. */ -struct ima_iint_cache *ima_iint_insert(struct inode *inode); -struct ima_iint_cache *ima_iint_find(struct inode *inode); +struct integrity_iint_cache *integrity_iint_insert(struct inode *inode); +struct integrity_iint_cache *integrity_iint_find(struct inode *inode); /* IMA policy related functions */ enum ima_hooks { FILE_CHECK = 1, FILE_MMAP, BPRM_CHECK }; diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index da36d2c085a4..0d50df04ccc4 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -126,7 +126,8 @@ int ima_must_measure(struct inode *inode, int mask, int function) * * Return 0 on success, error code otherwise */ -int ima_collect_measurement(struct ima_iint_cache *iint, struct file *file) +int ima_collect_measurement(struct integrity_iint_cache *iint, + struct file *file) { int result = -EEXIST; @@ -156,8 +157,8 @@ int ima_collect_measurement(struct ima_iint_cache *iint, struct file *file) * * Must be called with iint->mutex held. */ -void ima_store_measurement(struct ima_iint_cache *iint, struct file *file, - const unsigned char *filename) +void ima_store_measurement(struct integrity_iint_cache *iint, + struct file *file, const unsigned char *filename) { const char *op = "add_template_measure"; const char *audit_cause = "ENOMEM"; diff --git a/security/integrity/ima/ima_iint.c b/security/integrity/ima/ima_iint.c deleted file mode 100644 index 4ae73040ab7b..000000000000 --- a/security/integrity/ima/ima_iint.c +++ /dev/null @@ -1,169 +0,0 @@ -/* - * Copyright (C) 2008 IBM Corporation - * - * Authors: - * Mimi Zohar - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License as - * published by the Free Software Foundation, version 2 of the - * License. - * - * File: ima_iint.c - * - implements the IMA hooks: ima_inode_alloc, ima_inode_free - * - cache integrity information associated with an inode - * using a rbtree tree. - */ -#include -#include -#include -#include -#include "ima.h" - -static struct rb_root ima_iint_tree = RB_ROOT; -static DEFINE_SPINLOCK(ima_iint_lock); -static struct kmem_cache *iint_cache __read_mostly; - -int iint_initialized = 0; - -/* - * __ima_iint_find - return the iint associated with an inode - */ -static struct ima_iint_cache *__ima_iint_find(struct inode *inode) -{ - struct ima_iint_cache *iint; - struct rb_node *n = ima_iint_tree.rb_node; - - assert_spin_locked(&ima_iint_lock); - - while (n) { - iint = rb_entry(n, struct ima_iint_cache, rb_node); - - if (inode < iint->inode) - n = n->rb_left; - else if (inode > iint->inode) - n = n->rb_right; - else - break; - } - if (!n) - return NULL; - - return iint; -} - -/* - * ima_iint_find - return the iint associated with an inode - */ -struct ima_iint_cache *ima_iint_find(struct inode *inode) -{ - struct ima_iint_cache *iint; - - if (!IS_IMA(inode)) - return NULL; - - spin_lock(&ima_iint_lock); - iint = __ima_iint_find(inode); - spin_unlock(&ima_iint_lock); - - return iint; -} - -static void iint_free(struct ima_iint_cache *iint) -{ - iint->version = 0; - iint->flags = 0UL; - kmem_cache_free(iint_cache, iint); -} - -/** - * ima_inode_alloc - allocate an iint associated with an inode - * @inode: pointer to the inode - */ -int ima_inode_alloc(struct inode *inode) -{ - struct rb_node **p; - struct rb_node *new_node, *parent = NULL; - struct ima_iint_cache *new_iint, *test_iint; - int rc; - - new_iint = kmem_cache_alloc(iint_cache, GFP_NOFS); - if (!new_iint) - return -ENOMEM; - - new_iint->inode = inode; - new_node = &new_iint->rb_node; - - mutex_lock(&inode->i_mutex); /* i_flags */ - spin_lock(&ima_iint_lock); - - p = &ima_iint_tree.rb_node; - while (*p) { - parent = *p; - test_iint = rb_entry(parent, struct ima_iint_cache, rb_node); - - rc = -EEXIST; - if (inode < test_iint->inode) - p = &(*p)->rb_left; - else if (inode > test_iint->inode) - p = &(*p)->rb_right; - else - goto out_err; - } - - inode->i_flags |= S_IMA; - rb_link_node(new_node, parent, p); - rb_insert_color(new_node, &ima_iint_tree); - - spin_unlock(&ima_iint_lock); - mutex_unlock(&inode->i_mutex); /* i_flags */ - - return 0; -out_err: - spin_unlock(&ima_iint_lock); - mutex_unlock(&inode->i_mutex); /* i_flags */ - iint_free(new_iint); - - return rc; -} - -/** - * ima_inode_free - called on security_inode_free - * @inode: pointer to the inode - * - * Free the integrity information(iint) associated with an inode. - */ -void ima_inode_free(struct inode *inode) -{ - struct ima_iint_cache *iint; - - if (!IS_IMA(inode)) - return; - - spin_lock(&ima_iint_lock); - iint = __ima_iint_find(inode); - rb_erase(&iint->rb_node, &ima_iint_tree); - spin_unlock(&ima_iint_lock); - - iint_free(iint); -} - -static void init_once(void *foo) -{ - struct ima_iint_cache *iint = foo; - - memset(iint, 0, sizeof *iint); - iint->version = 0; - iint->flags = 0UL; - mutex_init(&iint->mutex); -} - -static int __init ima_iintcache_init(void) -{ - iint_cache = - kmem_cache_create("iint_cache", sizeof(struct ima_iint_cache), 0, - SLAB_PANIC, init_once); - iint_initialized = 1; - return 0; -} -security_initcall(ima_iintcache_init); diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 39d66dc2b8e9..25f9fe762896 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -82,7 +82,7 @@ out: "open_writers"); } -static void ima_check_last_writer(struct ima_iint_cache *iint, +static void ima_check_last_writer(struct integrity_iint_cache *iint, struct inode *inode, struct file *file) { @@ -105,12 +105,12 @@ static void ima_check_last_writer(struct ima_iint_cache *iint, void ima_file_free(struct file *file) { struct inode *inode = file->f_dentry->d_inode; - struct ima_iint_cache *iint; + struct integrity_iint_cache *iint; if (!iint_initialized || !S_ISREG(inode->i_mode)) return; - iint = ima_iint_find(inode); + iint = integrity_iint_find(inode); if (!iint) return; @@ -121,7 +121,7 @@ static int process_measurement(struct file *file, const unsigned char *filename, int mask, int function) { struct inode *inode = file->f_dentry->d_inode; - struct ima_iint_cache *iint; + struct integrity_iint_cache *iint; int rc = 0; if (!ima_initialized || !S_ISREG(inode->i_mode)) @@ -131,9 +131,9 @@ static int process_measurement(struct file *file, const unsigned char *filename, if (rc != 0) return rc; retry: - iint = ima_iint_find(inode); + iint = integrity_iint_find(inode); if (!iint) { - rc = ima_inode_alloc(inode); + rc = integrity_inode_alloc(inode); if (!rc || rc == -EEXIST) goto retry; return rc; diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h new file mode 100644 index 000000000000..7351836325a8 --- /dev/null +++ b/security/integrity/integrity.h @@ -0,0 +1,35 @@ +/* + * Copyright (C) 2009-2010 IBM Corporation + * + * Authors: + * Mimi Zohar + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation, version 2 of the + * License. + * + */ + +#include +#include +#include + +/* iint cache flags */ +#define IMA_MEASURED 0x01 + +/* integrity data associated with an inode */ +struct integrity_iint_cache { + struct rb_node rb_node; /* rooted in integrity_iint_tree */ + struct inode *inode; /* back pointer to inode in question */ + u64 version; /* track inode changes */ + unsigned char flags; + u8 digest[SHA1_DIGEST_SIZE]; + struct mutex mutex; /* protects: version, flags, digest */ +}; + +/* rbtree tree calls to lookup, insert, delete + * integrity data associated with an inode. + */ +struct integrity_iint_cache *integrity_iint_insert(struct inode *inode); +struct integrity_iint_cache *integrity_iint_find(struct inode *inode); diff --git a/security/security.c b/security/security.c index 3464d58a5766..947fdcfbc83e 100644 --- a/security/security.c +++ b/security/security.c @@ -16,6 +16,7 @@ #include #include #include +#include #include #define MAX_LSM_XATTR 1 @@ -336,7 +337,7 @@ int security_inode_alloc(struct inode *inode) void security_inode_free(struct inode *inode) { - ima_inode_free(inode); + integrity_inode_free(inode); security_ops->inode_free_security(inode); } -- cgit v1.2.3 From 1601fbad2b14e0b8d4dbb55e749bfe31e972818a Mon Sep 17 00:00:00 2001 From: Mimi Zohar Date: Wed, 9 Mar 2011 14:23:34 -0500 Subject: xattr: define vfs_getxattr_alloc and vfs_xattr_cmp vfs_getxattr_alloc() and vfs_xattr_cmp() are two new kernel xattr helper functions. vfs_getxattr_alloc() first allocates memory for the requested xattr and then retrieves it. vfs_xattr_cmp() compares a given value with the contents of an extended attribute. Signed-off-by: Mimi Zohar Acked-by: Serge Hallyn --- fs/xattr.c | 58 +++++++++++++++++++++++++++++++++++++++++++++++++++ include/linux/xattr.h | 5 ++++- 2 files changed, 62 insertions(+), 1 deletion(-) (limited to 'include') diff --git a/fs/xattr.c b/fs/xattr.c index f060663ab70c..851808c92b30 100644 --- a/fs/xattr.c +++ b/fs/xattr.c @@ -166,6 +166,64 @@ out_noalloc: } EXPORT_SYMBOL_GPL(xattr_getsecurity); +/* + * vfs_getxattr_alloc - allocate memory, if necessary, before calling getxattr + * + * Allocate memory, if not already allocated, or re-allocate correct size, + * before retrieving the extended attribute. + * + * Returns the result of alloc, if failed, or the getxattr operation. + */ +ssize_t +vfs_getxattr_alloc(struct dentry *dentry, const char *name, char **xattr_value, + size_t xattr_size, gfp_t flags) +{ + struct inode *inode = dentry->d_inode; + char *value = *xattr_value; + int error; + + error = xattr_permission(inode, name, MAY_READ); + if (error) + return error; + + if (!inode->i_op->getxattr) + return -EOPNOTSUPP; + + error = inode->i_op->getxattr(dentry, name, NULL, 0); + if (error < 0) + return error; + + if (!value || (error > xattr_size)) { + value = krealloc(*xattr_value, error + 1, flags); + if (!value) + return -ENOMEM; + memset(value, 0, error + 1); + } + + error = inode->i_op->getxattr(dentry, name, value, error); + *xattr_value = value; + return error; +} + +/* Compare an extended attribute value with the given value */ +int vfs_xattr_cmp(struct dentry *dentry, const char *xattr_name, + const char *value, size_t size, gfp_t flags) +{ + char *xattr_value = NULL; + int rc; + + rc = vfs_getxattr_alloc(dentry, xattr_name, &xattr_value, 0, flags); + if (rc < 0) + return rc; + + if ((rc != size) || (memcmp(xattr_value, value, rc) != 0)) + rc = -EINVAL; + else + rc = 0; + kfree(xattr_value); + return rc; +} + ssize_t vfs_getxattr(struct dentry *dentry, const char *name, void *value, size_t size) { diff --git a/include/linux/xattr.h b/include/linux/xattr.h index 7a378662ddff..4703f6bd1f53 100644 --- a/include/linux/xattr.h +++ b/include/linux/xattr.h @@ -84,7 +84,10 @@ ssize_t generic_getxattr(struct dentry *dentry, const char *name, void *buffer, ssize_t generic_listxattr(struct dentry *dentry, char *buffer, size_t buffer_size); int generic_setxattr(struct dentry *dentry, const char *name, const void *value, size_t size, int flags); int generic_removexattr(struct dentry *dentry, const char *name); - +ssize_t vfs_getxattr_alloc(struct dentry *dentry, const char *name, + char **xattr_value, size_t size, gfp_t flags); +int vfs_xattr_cmp(struct dentry *dentry, const char *xattr_name, + const char *value, size_t size, gfp_t flags); #endif /* __KERNEL__ */ #endif /* _LINUX_XATTR_H */ -- cgit v1.2.3 From 66dbc325afcef909043c30e90930a36823fc734c Mon Sep 17 00:00:00 2001 From: Mimi Zohar Date: Tue, 15 Mar 2011 16:12:09 -0400 Subject: evm: re-release EVM protects a file's security extended attributes(xattrs) against integrity attacks. This patchset provides the framework and an initial method. The initial method maintains an HMAC-sha1 value across the security extended attributes, storing the HMAC value as the extended attribute 'security.evm'. Other methods of validating the integrity of a file's metadata will be posted separately (eg. EVM-digital-signatures). While this patchset does authenticate the security xattrs, and cryptographically binds them to the inode, coming extensions will bind other directory and inode metadata for more complete protection. To help simplify the review and upstreaming process, each extension will be posted separately (eg. IMA-appraisal, IMA-appraisal-directory). For a general overview of the proposed Linux integrity subsystem, refer to Dave Safford's whitepaper: http://downloads.sf.net/project/linux-ima/linux-ima/Integrity_overview.pdf. EVM depends on the Kernel Key Retention System to provide it with a trusted/encrypted key for the HMAC-sha1 operation. The key is loaded onto the root's keyring using keyctl. Until EVM receives notification that the key has been successfully loaded onto the keyring (echo 1 > /evm), EVM can not create or validate the 'security.evm' xattr, but returns INTEGRITY_UNKNOWN. Loading the key and signaling EVM should be done as early as possible. Normally this is done in the initramfs, which has already been measured as part of the trusted boot. For more information on creating and loading existing trusted/encrypted keys, refer to Documentation/keys-trusted-encrypted.txt. A sample dracut patch, which loads the trusted/encrypted key and enables EVM, is available from http://linux-ima.sourceforge.net/#EVM. Based on the LSMs enabled, the set of EVM protected security xattrs is defined at compile. EVM adds the following three calls to the existing security hooks: evm_inode_setxattr(), evm_inode_post_setxattr(), and evm_inode_removexattr. To initialize and update the 'security.evm' extended attribute, EVM defines three calls: evm_inode_post_init(), evm_inode_post_setattr() and evm_inode_post_removexattr() hooks. To verify the integrity of a security xattr, EVM exports evm_verifyxattr(). Changelog v7: - Fixed URL in EVM ABI documentation Changelog v6: (based on Serge Hallyn's review) - fix URL in patch description - remove evm_hmac_size definition - use SHA1_DIGEST_SIZE (removed both MAX_DIGEST_SIZE and evm_hmac_size) - moved linux include before other includes - test for crypto_hash_setkey failure - fail earlier for invalid key - clear entire encrypted key, even on failure - check xattr name length before comparing xattr names Changelog: - locking based on i_mutex, remove evm_mutex - using trusted/encrypted keys for storing the EVM key used in the HMAC-sha1 operation. - replaced crypto hash with shash (Dmitry Kasatkin) - support for additional methods of verifying the security xattrs (Dmitry Kasatkin) - iint not allocated for all regular files, but only for those appraised - Use cap_sys_admin in lieu of cap_mac_admin - Use __vfs_setxattr_noperm(), without permission checks, from EVM Signed-off-by: Mimi Zohar Acked-by: Serge Hallyn --- Documentation/ABI/testing/evm | 23 +++ include/linux/integrity.h | 7 + include/linux/xattr.h | 3 + security/integrity/Kconfig | 3 +- security/integrity/Makefile | 2 + security/integrity/evm/Kconfig | 12 ++ security/integrity/evm/Makefile | 6 + security/integrity/evm/evm.h | 33 +++++ security/integrity/evm/evm_crypto.c | 183 +++++++++++++++++++++++ security/integrity/evm/evm_main.c | 284 ++++++++++++++++++++++++++++++++++++ security/integrity/evm/evm_secfs.c | 108 ++++++++++++++ security/integrity/iint.c | 1 + security/integrity/integrity.h | 1 + 13 files changed, 665 insertions(+), 1 deletion(-) create mode 100644 Documentation/ABI/testing/evm create mode 100644 security/integrity/evm/Kconfig create mode 100644 security/integrity/evm/Makefile create mode 100644 security/integrity/evm/evm.h create mode 100644 security/integrity/evm/evm_crypto.c create mode 100644 security/integrity/evm/evm_main.c create mode 100644 security/integrity/evm/evm_secfs.c (limited to 'include') diff --git a/Documentation/ABI/testing/evm b/Documentation/ABI/testing/evm new file mode 100644 index 000000000000..8374d4557e5d --- /dev/null +++ b/Documentation/ABI/testing/evm @@ -0,0 +1,23 @@ +What: security/evm +Date: March 2011 +Contact: Mimi Zohar +Description: + EVM protects a file's security extended attributes(xattrs) + against integrity attacks. The initial method maintains an + HMAC-sha1 value across the extended attributes, storing the + value as the extended attribute 'security.evm'. + + EVM depends on the Kernel Key Retention System to provide it + with a trusted/encrypted key for the HMAC-sha1 operation. + The key is loaded onto the root's keyring using keyctl. Until + EVM receives notification that the key has been successfully + loaded onto the keyring (echo 1 > /evm), EVM + can not create or validate the 'security.evm' xattr, but + returns INTEGRITY_UNKNOWN. Loading the key and signaling EVM + should be done as early as possible. Normally this is done + in the initramfs, which has already been measured as part + of the trusted boot. For more information on creating and + loading existing trusted/encrypted keys, refer to: + Documentation/keys-trusted-encrypted.txt. (A sample dracut + patch, which loads the trusted/encrypted key and enables + EVM, is available from http://linux-ima.sourceforge.net/#EVM.) diff --git a/include/linux/integrity.h b/include/linux/integrity.h index 905981247327..e715a2abcea2 100644 --- a/include/linux/integrity.h +++ b/include/linux/integrity.h @@ -12,6 +12,13 @@ #include +enum integrity_status { + INTEGRITY_PASS = 0, + INTEGRITY_FAIL, + INTEGRITY_NOLABEL, + INTEGRITY_UNKNOWN, +}; + #ifdef CONFIG_INTEGRITY extern int integrity_inode_alloc(struct inode *inode); extern void integrity_inode_free(struct inode *inode); diff --git a/include/linux/xattr.h b/include/linux/xattr.h index 4703f6bd1f53..b20cb965c322 100644 --- a/include/linux/xattr.h +++ b/include/linux/xattr.h @@ -30,6 +30,9 @@ #define XATTR_USER_PREFIX_LEN (sizeof (XATTR_USER_PREFIX) - 1) /* Security namespace */ +#define XATTR_EVM_SUFFIX "evm" +#define XATTR_NAME_EVM XATTR_SECURITY_PREFIX XATTR_EVM_SUFFIX + #define XATTR_SELINUX_SUFFIX "selinux" #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig index 270469155681..4bf00acf7937 100644 --- a/security/integrity/Kconfig +++ b/security/integrity/Kconfig @@ -1,6 +1,7 @@ # config INTEGRITY def_bool y - depends on IMA + depends on IMA || EVM source security/integrity/ima/Kconfig +source security/integrity/evm/Kconfig diff --git a/security/integrity/Makefile b/security/integrity/Makefile index 6eddd61b84e8..0ae44aea6516 100644 --- a/security/integrity/Makefile +++ b/security/integrity/Makefile @@ -8,3 +8,5 @@ integrity-y := iint.o subdir-$(CONFIG_IMA) += ima obj-$(CONFIG_IMA) += ima/built-in.o +subdir-$(CONFIG_EVM) += evm +obj-$(CONFIG_EVM) += evm/built-in.o diff --git a/security/integrity/evm/Kconfig b/security/integrity/evm/Kconfig new file mode 100644 index 000000000000..73f654099a4b --- /dev/null +++ b/security/integrity/evm/Kconfig @@ -0,0 +1,12 @@ +config EVM + boolean "EVM support" + depends on SECURITY && KEYS && ENCRYPTED_KEYS + select CRYPTO_HMAC + select CRYPTO_MD5 + select CRYPTO_SHA1 + default n + help + EVM protects a file's security extended attributes against + integrity attacks. + + If you are unsure how to answer this question, answer N. diff --git a/security/integrity/evm/Makefile b/security/integrity/evm/Makefile new file mode 100644 index 000000000000..0787d262b9e3 --- /dev/null +++ b/security/integrity/evm/Makefile @@ -0,0 +1,6 @@ +# +# Makefile for building the Extended Verification Module(EVM) +# +obj-$(CONFIG_EVM) += evm.o + +evm-y := evm_main.o evm_crypto.o evm_secfs.o diff --git a/security/integrity/evm/evm.h b/security/integrity/evm/evm.h new file mode 100644 index 000000000000..375dc3e6015c --- /dev/null +++ b/security/integrity/evm/evm.h @@ -0,0 +1,33 @@ +/* + * Copyright (C) 2005-2010 IBM Corporation + * + * Authors: + * Mimi Zohar + * Kylene Hall + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, version 2 of the License. + * + * File: evm.h + * + */ +#include +#include "../integrity.h" + +extern int evm_initialized; +extern char *evm_hmac; + +/* List of EVM protected security xattrs */ +extern char *evm_config_xattrnames[]; + +extern int evm_init_key(void); +extern int evm_update_evmxattr(struct dentry *dentry, + const char *req_xattr_name, + const char *req_xattr_value, + size_t req_xattr_value_len); +extern int evm_calc_hmac(struct dentry *dentry, const char *req_xattr_name, + const char *req_xattr_value, + size_t req_xattr_value_len, char *digest); +extern int evm_init_secfs(void); +extern void evm_cleanup_secfs(void); diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c new file mode 100644 index 000000000000..d49bb002f3da --- /dev/null +++ b/security/integrity/evm/evm_crypto.c @@ -0,0 +1,183 @@ +/* + * Copyright (C) 2005-2010 IBM Corporation + * + * Authors: + * Mimi Zohar + * Kylene Hall + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, version 2 of the License. + * + * File: evm_crypto.c + * Using root's kernel master key (kmk), calculate the HMAC + */ + +#include +#include +#include +#include +#include +#include "evm.h" + +#define EVMKEY "evm-key" +#define MAX_KEY_SIZE 128 +static unsigned char evmkey[MAX_KEY_SIZE]; +static int evmkey_len = MAX_KEY_SIZE; + +static int init_desc(struct hash_desc *desc) +{ + int rc; + + desc->tfm = crypto_alloc_hash(evm_hmac, 0, CRYPTO_ALG_ASYNC); + if (IS_ERR(desc->tfm)) { + pr_info("Can not allocate %s (reason: %ld)\n", + evm_hmac, PTR_ERR(desc->tfm)); + rc = PTR_ERR(desc->tfm); + return rc; + } + desc->flags = 0; + rc = crypto_hash_setkey(desc->tfm, evmkey, evmkey_len); + if (rc) + goto out; + rc = crypto_hash_init(desc); +out: + if (rc) + crypto_free_hash(desc->tfm); + return rc; +} + +/* Protect against 'cutting & pasting' security.evm xattr, include inode + * specific info. + * + * (Additional directory/file metadata needs to be added for more complete + * protection.) + */ +static void hmac_add_misc(struct hash_desc *desc, struct inode *inode, + char *digest) +{ + struct h_misc { + unsigned long ino; + __u32 generation; + uid_t uid; + gid_t gid; + umode_t mode; + } hmac_misc; + struct scatterlist sg[1]; + + memset(&hmac_misc, 0, sizeof hmac_misc); + hmac_misc.ino = inode->i_ino; + hmac_misc.generation = inode->i_generation; + hmac_misc.uid = inode->i_uid; + hmac_misc.gid = inode->i_gid; + hmac_misc.mode = inode->i_mode; + sg_init_one(sg, &hmac_misc, sizeof hmac_misc); + crypto_hash_update(desc, sg, sizeof hmac_misc); + crypto_hash_final(desc, digest); +} + +/* + * Calculate the HMAC value across the set of protected security xattrs. + * + * Instead of retrieving the requested xattr, for performance, calculate + * the hmac using the requested xattr value. Don't alloc/free memory for + * each xattr, but attempt to re-use the previously allocated memory. + */ +int evm_calc_hmac(struct dentry *dentry, const char *req_xattr_name, + const char *req_xattr_value, size_t req_xattr_value_len, + char *digest) +{ + struct inode *inode = dentry->d_inode; + struct hash_desc desc; + struct scatterlist sg[1]; + char **xattrname; + size_t xattr_size = 0; + char *xattr_value = NULL; + int error; + int size; + + if (!inode->i_op || !inode->i_op->getxattr) + return -EOPNOTSUPP; + error = init_desc(&desc); + if (error) + return error; + + error = -ENODATA; + for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) { + if ((req_xattr_name && req_xattr_value) + && !strcmp(*xattrname, req_xattr_name)) { + error = 0; + sg_init_one(sg, req_xattr_value, req_xattr_value_len); + crypto_hash_update(&desc, sg, req_xattr_value_len); + continue; + } + size = vfs_getxattr_alloc(dentry, *xattrname, + &xattr_value, xattr_size, GFP_NOFS); + if (size == -ENOMEM) { + error = -ENOMEM; + goto out; + } + if (size < 0) + continue; + + error = 0; + xattr_size = size; + sg_init_one(sg, xattr_value, xattr_size); + crypto_hash_update(&desc, sg, xattr_size); + } + hmac_add_misc(&desc, inode, digest); + kfree(xattr_value); +out: + crypto_free_hash(desc.tfm); + return error; +} + +/* + * Calculate the hmac and update security.evm xattr + * + * Expects to be called with i_mutex locked. + */ +int evm_update_evmxattr(struct dentry *dentry, const char *xattr_name, + const char *xattr_value, size_t xattr_value_len) +{ + struct inode *inode = dentry->d_inode; + u8 hmac[SHA1_DIGEST_SIZE]; + int rc = 0; + + rc = evm_calc_hmac(dentry, xattr_name, xattr_value, + xattr_value_len, hmac); + if (rc == 0) + rc = __vfs_setxattr_noperm(dentry, XATTR_NAME_EVM, + hmac, SHA1_DIGEST_SIZE, 0); + else if (rc == -ENODATA) + rc = inode->i_op->removexattr(dentry, XATTR_NAME_EVM); + return rc; +} + +/* + * Get the key from the TPM for the SHA1-HMAC + */ +int evm_init_key(void) +{ + struct key *evm_key; + struct encrypted_key_payload *ekp; + int rc = 0; + + evm_key = request_key(&key_type_encrypted, EVMKEY, NULL); + if (IS_ERR(evm_key)) + return -ENOENT; + + down_read(&evm_key->sem); + ekp = evm_key->payload.data; + if (ekp->decrypted_datalen > MAX_KEY_SIZE) { + rc = -EINVAL; + goto out; + } + memcpy(evmkey, ekp->decrypted_data, ekp->decrypted_datalen); +out: + /* burn the original key contents */ + memset(ekp->decrypted_data, 0, ekp->decrypted_datalen); + up_read(&evm_key->sem); + key_put(evm_key); + return rc; +} diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c new file mode 100644 index 000000000000..a8fa45fef8f1 --- /dev/null +++ b/security/integrity/evm/evm_main.c @@ -0,0 +1,284 @@ +/* + * Copyright (C) 2005-2010 IBM Corporation + * + * Author: + * Mimi Zohar + * Kylene Hall + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, version 2 of the License. + * + * File: evm_main.c + * implements evm_inode_setxattr, evm_inode_post_setxattr, + * evm_inode_removexattr, and evm_verifyxattr + */ + +#include +#include +#include +#include +#include "evm.h" + +int evm_initialized; + +char *evm_hmac = "hmac(sha1)"; + +char *evm_config_xattrnames[] = { +#ifdef CONFIG_SECURITY_SELINUX + XATTR_NAME_SELINUX, +#endif +#ifdef CONFIG_SECURITY_SMACK + XATTR_NAME_SMACK, +#endif + XATTR_NAME_CAPS, + NULL +}; + +/* + * evm_verify_hmac - calculate and compare the HMAC with the EVM xattr + * + * Compute the HMAC on the dentry's protected set of extended attributes + * and compare it against the stored security.evm xattr. (For performance, + * use the previoulsy retrieved xattr value and length to calculate the + * HMAC.) + * + * Returns integrity status + */ +static enum integrity_status evm_verify_hmac(struct dentry *dentry, + const char *xattr_name, + char *xattr_value, + size_t xattr_value_len, + struct integrity_iint_cache *iint) +{ + char hmac_val[SHA1_DIGEST_SIZE]; + int rc; + + if (iint->hmac_status != INTEGRITY_UNKNOWN) + return iint->hmac_status; + + memset(hmac_val, 0, sizeof hmac_val); + rc = evm_calc_hmac(dentry, xattr_name, xattr_value, + xattr_value_len, hmac_val); + if (rc < 0) + return INTEGRITY_UNKNOWN; + + rc = vfs_xattr_cmp(dentry, XATTR_NAME_EVM, hmac_val, sizeof hmac_val, + GFP_NOFS); + if (rc < 0) + goto err_out; + iint->hmac_status = INTEGRITY_PASS; + return iint->hmac_status; + +err_out: + switch (rc) { + case -ENODATA: /* file not labelled */ + iint->hmac_status = INTEGRITY_NOLABEL; + break; + case -EINVAL: + iint->hmac_status = INTEGRITY_FAIL; + break; + default: + iint->hmac_status = INTEGRITY_UNKNOWN; + } + return iint->hmac_status; +} + +static int evm_protected_xattr(const char *req_xattr_name) +{ + char **xattrname; + int namelen; + int found = 0; + + namelen = strlen(req_xattr_name); + for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) { + if ((strlen(*xattrname) == namelen) + && (strncmp(req_xattr_name, *xattrname, namelen) == 0)) { + found = 1; + break; + } + } + return found; +} + +/** + * evm_verifyxattr - verify the integrity of the requested xattr + * @dentry: object of the verify xattr + * @xattr_name: requested xattr + * @xattr_value: requested xattr value + * @xattr_value_len: requested xattr value length + * + * Calculate the HMAC for the given dentry and verify it against the stored + * security.evm xattr. For performance, use the xattr value and length + * previously retrieved to calculate the HMAC. + * + * Returns the xattr integrity status. + * + * This function requires the caller to lock the inode's i_mutex before it + * is executed. + */ +enum integrity_status evm_verifyxattr(struct dentry *dentry, + const char *xattr_name, + void *xattr_value, size_t xattr_value_len) +{ + struct inode *inode = dentry->d_inode; + struct integrity_iint_cache *iint; + enum integrity_status status; + + if (!evm_initialized || !evm_protected_xattr(xattr_name)) + return INTEGRITY_UNKNOWN; + + iint = integrity_iint_find(inode); + if (!iint) + return INTEGRITY_UNKNOWN; + status = evm_verify_hmac(dentry, xattr_name, xattr_value, + xattr_value_len, iint); + return status; +} +EXPORT_SYMBOL_GPL(evm_verifyxattr); + +/* + * evm_protect_xattr - protect the EVM extended attribute + * + * Prevent security.evm from being modified or removed. + */ +static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name, + const void *xattr_value, size_t xattr_value_len) +{ + if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) { + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; + } + return 0; +} + +/** + * evm_inode_setxattr - protect the EVM extended attribute + * @dentry: pointer to the affected dentry + * @xattr_name: pointer to the affected extended attribute name + * @xattr_value: pointer to the new extended attribute value + * @xattr_value_len: pointer to the new extended attribute value length + * + * Prevent 'security.evm' from being modified + */ +int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name, + const void *xattr_value, size_t xattr_value_len) +{ + return evm_protect_xattr(dentry, xattr_name, xattr_value, + xattr_value_len); +} + +/** + * evm_inode_removexattr - protect the EVM extended attribute + * @dentry: pointer to the affected dentry + * @xattr_name: pointer to the affected extended attribute name + * + * Prevent 'security.evm' from being removed. + */ +int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name) +{ + return evm_protect_xattr(dentry, xattr_name, NULL, 0); +} + +/** + * evm_inode_post_setxattr - update 'security.evm' to reflect the changes + * @dentry: pointer to the affected dentry + * @xattr_name: pointer to the affected extended attribute name + * @xattr_value: pointer to the new extended attribute value + * @xattr_value_len: pointer to the new extended attribute value length + * + * Update the HMAC stored in 'security.evm' to reflect the change. + * + * No need to take the i_mutex lock here, as this function is called from + * __vfs_setxattr_noperm(). The caller of which has taken the inode's + * i_mutex lock. + */ +void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name, + const void *xattr_value, size_t xattr_value_len) +{ + if (!evm_initialized || !evm_protected_xattr(xattr_name)) + return; + + evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len); + return; +} + +/** + * evm_inode_post_removexattr - update 'security.evm' after removing the xattr + * @dentry: pointer to the affected dentry + * @xattr_name: pointer to the affected extended attribute name + * + * Update the HMAC stored in 'security.evm' to reflect removal of the xattr. + */ +void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name) +{ + struct inode *inode = dentry->d_inode; + + if (!evm_initialized || !evm_protected_xattr(xattr_name)) + return; + + mutex_lock(&inode->i_mutex); + evm_update_evmxattr(dentry, xattr_name, NULL, 0); + mutex_unlock(&inode->i_mutex); + return; +} + +/** + * evm_inode_post_setattr - update 'security.evm' after modifying metadata + * @dentry: pointer to the affected dentry + * @ia_valid: for the UID and GID status + * + * For now, update the HMAC stored in 'security.evm' to reflect UID/GID + * changes. + * + * This function is called from notify_change(), which expects the caller + * to lock the inode's i_mutex. + */ +void evm_inode_post_setattr(struct dentry *dentry, int ia_valid) +{ + if (!evm_initialized) + return; + + if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) + evm_update_evmxattr(dentry, NULL, NULL, 0); + return; +} + +static struct crypto_hash *tfm_hmac; /* preload crypto alg */ +static int __init init_evm(void) +{ + int error; + + tfm_hmac = crypto_alloc_hash(evm_hmac, 0, CRYPTO_ALG_ASYNC); + error = evm_init_secfs(); + if (error < 0) { + printk(KERN_INFO "EVM: Error registering secfs\n"); + goto err; + } +err: + return error; +} + +static void __exit cleanup_evm(void) +{ + evm_cleanup_secfs(); + crypto_free_hash(tfm_hmac); +} + +/* + * evm_display_config - list the EVM protected security extended attributes + */ +static int __init evm_display_config(void) +{ + char **xattrname; + + for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) + printk(KERN_INFO "EVM: %s\n", *xattrname); + return 0; +} + +pure_initcall(evm_display_config); +late_initcall(init_evm); + +MODULE_DESCRIPTION("Extended Verification Module"); +MODULE_LICENSE("GPL"); diff --git a/security/integrity/evm/evm_secfs.c b/security/integrity/evm/evm_secfs.c new file mode 100644 index 000000000000..ac7629950578 --- /dev/null +++ b/security/integrity/evm/evm_secfs.c @@ -0,0 +1,108 @@ +/* + * Copyright (C) 2010 IBM Corporation + * + * Authors: + * Mimi Zohar + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, version 2 of the License. + * + * File: evm_secfs.c + * - Used to signal when key is on keyring + * - Get the key and enable EVM + */ + +#include +#include +#include "evm.h" + +static struct dentry *evm_init_tpm; + +/** + * evm_read_key - read() for /evm + * + * @filp: file pointer, not actually used + * @buf: where to put the result + * @count: maximum to send along + * @ppos: where to start + * + * Returns number of bytes read or error code, as appropriate + */ +static ssize_t evm_read_key(struct file *filp, char __user *buf, + size_t count, loff_t *ppos) +{ + char temp[80]; + ssize_t rc; + + if (*ppos != 0) + return 0; + + sprintf(temp, "%d", evm_initialized); + rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp)); + + return rc; +} + +/** + * evm_write_key - write() for /evm + * @file: file pointer, not actually used + * @buf: where to get the data from + * @count: bytes sent + * @ppos: where to start + * + * Used to signal that key is on the kernel key ring. + * - get the integrity hmac key from the kernel key ring + * - create list of hmac protected extended attributes + * Returns number of bytes written or error code, as appropriate + */ +static ssize_t evm_write_key(struct file *file, const char __user *buf, + size_t count, loff_t *ppos) +{ + char temp[80]; + int i, error; + + if (!capable(CAP_SYS_ADMIN) || evm_initialized) + return -EPERM; + + if (count >= sizeof(temp) || count == 0) + return -EINVAL; + + if (copy_from_user(temp, buf, count) != 0) + return -EFAULT; + + temp[count] = '\0'; + + if ((sscanf(temp, "%d", &i) != 1) || (i != 1)) + return -EINVAL; + + error = evm_init_key(); + if (!error) { + evm_initialized = 1; + pr_info("EVM: initialized\n"); + } else + pr_err("EVM: initialization failed\n"); + return count; +} + +static const struct file_operations evm_key_ops = { + .read = evm_read_key, + .write = evm_write_key, +}; + +int __init evm_init_secfs(void) +{ + int error = 0; + + evm_init_tpm = securityfs_create_file("evm", S_IRUSR | S_IRGRP, + NULL, NULL, &evm_key_ops); + if (!evm_init_tpm || IS_ERR(evm_init_tpm)) + error = -EFAULT; + return error; +} + +void __exit evm_cleanup_secfs(void) +{ + if (evm_init_tpm) + securityfs_remove(evm_init_tpm); +} diff --git a/security/integrity/iint.c b/security/integrity/iint.c index d17de48bd6cc..991df20709b0 100644 --- a/security/integrity/iint.c +++ b/security/integrity/iint.c @@ -157,6 +157,7 @@ static void init_once(void *foo) iint->version = 0; iint->flags = 0UL; mutex_init(&iint->mutex); + iint->hmac_status = INTEGRITY_UNKNOWN; } static int __init integrity_iintcache_init(void) diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 7351836325a8..397a46b3992f 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -26,6 +26,7 @@ struct integrity_iint_cache { unsigned char flags; u8 digest[SHA1_DIGEST_SIZE]; struct mutex mutex; /* protects: version, flags, digest */ + enum integrity_status hmac_status; }; /* rbtree tree calls to lookup, insert, delete -- cgit v1.2.3 From 6be5cc5246f807fd8ede9f5f1bb2826f2c598658 Mon Sep 17 00:00:00 2001 From: Dmitry Kasatkin Date: Wed, 9 Mar 2011 14:28:20 -0500 Subject: evm: add support for different security.evm data types EVM protects a file's security extended attributes(xattrs) against integrity attacks. The current patchset maintains an HMAC-sha1 value across the security xattrs, storing the value as the extended attribute 'security.evm'. We anticipate other methods for protecting the security extended attributes. This patch reserves the first byte of 'security.evm' as a place holder for the type of method. Changelog v6: - move evm_ima_xattr_type definition to security/integrity/integrity.h - defined a structure for the EVM xattr called evm_ima_xattr_data (based on Serge Hallyn's suggestion) - removed unnecessary memset Signed-off-by: Dmitry Kasatkin Signed-off-by: Mimi Zohar Acked-by: Serge Hallyn --- include/linux/integrity.h | 1 + security/integrity/evm/evm_crypto.c | 11 +++++++---- security/integrity/evm/evm_main.c | 10 +++++----- security/integrity/integrity.h | 11 +++++++++++ 4 files changed, 24 insertions(+), 9 deletions(-) (limited to 'include') diff --git a/include/linux/integrity.h b/include/linux/integrity.h index e715a2abcea2..968443385678 100644 --- a/include/linux/integrity.h +++ b/include/linux/integrity.h @@ -19,6 +19,7 @@ enum integrity_status { INTEGRITY_UNKNOWN, }; +/* List of EVM protected security xattrs */ #ifdef CONFIG_INTEGRITY extern int integrity_inode_alloc(struct inode *inode); extern void integrity_inode_free(struct inode *inode); diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c index d49bb002f3da..c631b99bda95 100644 --- a/security/integrity/evm/evm_crypto.c +++ b/security/integrity/evm/evm_crypto.c @@ -141,14 +141,17 @@ int evm_update_evmxattr(struct dentry *dentry, const char *xattr_name, const char *xattr_value, size_t xattr_value_len) { struct inode *inode = dentry->d_inode; - u8 hmac[SHA1_DIGEST_SIZE]; + struct evm_ima_xattr_data xattr_data; int rc = 0; rc = evm_calc_hmac(dentry, xattr_name, xattr_value, - xattr_value_len, hmac); - if (rc == 0) + xattr_value_len, xattr_data.digest); + if (rc == 0) { + xattr_data.type = EVM_XATTR_HMAC; rc = __vfs_setxattr_noperm(dentry, XATTR_NAME_EVM, - hmac, SHA1_DIGEST_SIZE, 0); + &xattr_data, + sizeof(xattr_data), 0); + } else if (rc == -ENODATA) rc = inode->i_op->removexattr(dentry, XATTR_NAME_EVM); return rc; diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index a8fa45fef8f1..c0580dd15ec0 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c @@ -51,20 +51,20 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry, size_t xattr_value_len, struct integrity_iint_cache *iint) { - char hmac_val[SHA1_DIGEST_SIZE]; + struct evm_ima_xattr_data xattr_data; int rc; if (iint->hmac_status != INTEGRITY_UNKNOWN) return iint->hmac_status; - memset(hmac_val, 0, sizeof hmac_val); rc = evm_calc_hmac(dentry, xattr_name, xattr_value, - xattr_value_len, hmac_val); + xattr_value_len, xattr_data.digest); if (rc < 0) return INTEGRITY_UNKNOWN; - rc = vfs_xattr_cmp(dentry, XATTR_NAME_EVM, hmac_val, sizeof hmac_val, - GFP_NOFS); + xattr_data.type = EVM_XATTR_HMAC; + rc = vfs_xattr_cmp(dentry, XATTR_NAME_EVM, (u8 *)&xattr_data, + sizeof xattr_data, GFP_NOFS); if (rc < 0) goto err_out; iint->hmac_status = INTEGRITY_PASS; diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 397a46b3992f..7efbf560b7d5 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -18,6 +18,17 @@ /* iint cache flags */ #define IMA_MEASURED 0x01 +enum evm_ima_xattr_type { + IMA_XATTR_DIGEST = 0x01, + EVM_XATTR_HMAC, + EVM_IMA_XATTR_DIGSIG, +}; + +struct evm_ima_xattr_data { + u8 type; + u8 digest[SHA1_DIGEST_SIZE]; +} __attribute__((packed)); + /* integrity data associated with an inode */ struct integrity_iint_cache { struct rb_node rb_node; /* rooted in integrity_iint_tree */ -- cgit v1.2.3 From 3e1be52d6c6b21d9080dd886c0e609e009831562 Mon Sep 17 00:00:00 2001 From: Mimi Zohar Date: Wed, 9 Mar 2011 14:38:26 -0500 Subject: security: imbed evm calls in security hooks Imbed the evm calls evm_inode_setxattr(), evm_inode_post_setxattr(), evm_inode_removexattr() in the security hooks. evm_inode_setxattr() protects security.evm xattr. evm_inode_post_setxattr() and evm_inode_removexattr() updates the hmac associated with an inode. (Assumes an LSM module protects the setting/removing of xattr.) Changelog: - Don't define evm_verifyxattr(), unless CONFIG_INTEGRITY is enabled. - xattr_name is a 'const', value is 'void *' Signed-off-by: Mimi Zohar Acked-by: Serge Hallyn --- include/linux/evm.h | 56 +++++++++++++++++++++++++++++++++++++++ security/integrity/evm/evm_main.c | 1 + security/security.c | 16 +++++++++-- 3 files changed, 71 insertions(+), 2 deletions(-) create mode 100644 include/linux/evm.h (limited to 'include') diff --git a/include/linux/evm.h b/include/linux/evm.h new file mode 100644 index 000000000000..8b4e9e3b395e --- /dev/null +++ b/include/linux/evm.h @@ -0,0 +1,56 @@ +/* + * evm.h + * + * Copyright (c) 2009 IBM Corporation + * Author: Mimi Zohar + */ + +#ifndef _LINUX_EVM_H +#define _LINUX_EVM_H + +#include + +#ifdef CONFIG_EVM +extern enum integrity_status evm_verifyxattr(struct dentry *dentry, + const char *xattr_name, + void *xattr_value, + size_t xattr_value_len); +extern int evm_inode_setxattr(struct dentry *dentry, const char *name, + const void *value, size_t size); +extern void evm_inode_post_setxattr(struct dentry *dentry, + const char *xattr_name, + const void *xattr_value, + size_t xattr_value_len); +extern int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name); +#else +#ifdef CONFIG_INTEGRITY +static inline enum integrity_status evm_verifyxattr(struct dentry *dentry, + const char *xattr_name, + void *xattr_value, + size_t xattr_value_len) +{ + return INTEGRITY_UNKNOWN; +} +#endif + +static inline int evm_inode_setxattr(struct dentry *dentry, const char *name, + const void *value, size_t size) +{ + return 0; +} + +static inline void evm_inode_post_setxattr(struct dentry *dentry, + const char *xattr_name, + const void *xattr_value, + size_t xattr_value_len) +{ + return; +} + +static inline int evm_inode_removexattr(struct dentry *dentry, + const char *xattr_name) +{ + return 0; +} +#endif /* CONFIG_EVM_H */ +#endif /* LINUX_EVM_H */ diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index c0580dd15ec0..1746c3669c6f 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c @@ -18,6 +18,7 @@ #include #include #include +#include #include "evm.h" int evm_initialized; diff --git a/security/security.c b/security/security.c index 947fdcfbc83e..21a79b3d1e8e 100644 --- a/security/security.c +++ b/security/security.c @@ -18,6 +18,7 @@ #include #include #include +#include #define MAX_LSM_XATTR 1 @@ -580,9 +581,14 @@ int security_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) int security_inode_setxattr(struct dentry *dentry, const char *name, const void *value, size_t size, int flags) { + int ret; + if (unlikely(IS_PRIVATE(dentry->d_inode))) return 0; - return security_ops->inode_setxattr(dentry, name, value, size, flags); + ret = security_ops->inode_setxattr(dentry, name, value, size, flags); + if (ret) + return ret; + return evm_inode_setxattr(dentry, name, value, size); } void security_inode_post_setxattr(struct dentry *dentry, const char *name, @@ -591,6 +597,7 @@ void security_inode_post_setxattr(struct dentry *dentry, const char *name, if (unlikely(IS_PRIVATE(dentry->d_inode))) return; security_ops->inode_post_setxattr(dentry, name, value, size, flags); + evm_inode_post_setxattr(dentry, name, value, size); } int security_inode_getxattr(struct dentry *dentry, const char *name) @@ -609,9 +616,14 @@ int security_inode_listxattr(struct dentry *dentry) int security_inode_removexattr(struct dentry *dentry, const char *name) { + int ret; + if (unlikely(IS_PRIVATE(dentry->d_inode))) return 0; - return security_ops->inode_removexattr(dentry, name); + ret = security_ops->inode_removexattr(dentry, name); + if (ret) + return ret; + return evm_inode_removexattr(dentry, name); } int security_inode_need_killpriv(struct dentry *dentry) -- cgit v1.2.3 From c7b87de23b6fd5dfbe5c36601f29d6c515056343 Mon Sep 17 00:00:00 2001 From: Mimi Zohar Date: Wed, 9 Mar 2011 14:39:18 -0500 Subject: evm: evm_inode_post_removexattr When an EVM protected extended attribute is removed, update 'security.evm'. Signed-off-by: Mimi Zohar Acked-by: Serge Hallyn --- fs/xattr.c | 5 ++++- include/linux/evm.h | 9 +++++++++ 2 files changed, 13 insertions(+), 1 deletion(-) (limited to 'include') diff --git a/fs/xattr.c b/fs/xattr.c index 851808c92b30..67583de8218c 100644 --- a/fs/xattr.c +++ b/fs/xattr.c @@ -14,6 +14,7 @@ #include #include #include +#include #include #include #include @@ -301,8 +302,10 @@ vfs_removexattr(struct dentry *dentry, const char *name) error = inode->i_op->removexattr(dentry, name); mutex_unlock(&inode->i_mutex); - if (!error) + if (!error) { fsnotify_xattr(dentry); + evm_inode_post_removexattr(dentry, name); + } return error; } EXPORT_SYMBOL_GPL(vfs_removexattr); diff --git a/include/linux/evm.h b/include/linux/evm.h index 8b4e9e3b395e..a730782da563 100644 --- a/include/linux/evm.h +++ b/include/linux/evm.h @@ -22,6 +22,8 @@ extern void evm_inode_post_setxattr(struct dentry *dentry, const void *xattr_value, size_t xattr_value_len); extern int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name); +extern void evm_inode_post_removexattr(struct dentry *dentry, + const char *xattr_name); #else #ifdef CONFIG_INTEGRITY static inline enum integrity_status evm_verifyxattr(struct dentry *dentry, @@ -52,5 +54,12 @@ static inline int evm_inode_removexattr(struct dentry *dentry, { return 0; } + +static inline void evm_inode_post_removexattr(struct dentry *dentry, + const char *xattr_name) +{ + return; +} + #endif /* CONFIG_EVM_H */ #endif /* LINUX_EVM_H */ -- cgit v1.2.3 From 975d294373d8c1c913ad2bf4eb93966d4c7ca38f Mon Sep 17 00:00:00 2001 From: Mimi Zohar Date: Wed, 9 Mar 2011 14:39:57 -0500 Subject: evm: imbed evm_inode_post_setattr Changing the inode's metadata may require the 'security.evm' extended attribute to be re-calculated and updated. Signed-off-by: Mimi Zohar Acked-by: Serge Hallyn --- fs/attr.c | 5 ++++- include/linux/evm.h | 6 ++++++ 2 files changed, 10 insertions(+), 1 deletion(-) (limited to 'include') diff --git a/fs/attr.c b/fs/attr.c index caf2aa521e2b..5ad45d3cc20a 100644 --- a/fs/attr.c +++ b/fs/attr.c @@ -13,6 +13,7 @@ #include #include #include +#include /** * inode_change_ok - check if attribute changes to an inode are allowed @@ -243,8 +244,10 @@ int notify_change(struct dentry * dentry, struct iattr * attr) if (ia_valid & ATTR_SIZE) up_write(&dentry->d_inode->i_alloc_sem); - if (!error) + if (!error) { fsnotify_change(dentry, ia_valid); + evm_inode_post_setattr(dentry, ia_valid); + } return error; } diff --git a/include/linux/evm.h b/include/linux/evm.h index a730782da563..33a92471e463 100644 --- a/include/linux/evm.h +++ b/include/linux/evm.h @@ -15,6 +15,7 @@ extern enum integrity_status evm_verifyxattr(struct dentry *dentry, const char *xattr_name, void *xattr_value, size_t xattr_value_len); +extern void evm_inode_post_setattr(struct dentry *dentry, int ia_valid); extern int evm_inode_setxattr(struct dentry *dentry, const char *name, const void *value, size_t size); extern void evm_inode_post_setxattr(struct dentry *dentry, @@ -35,6 +36,11 @@ static inline enum integrity_status evm_verifyxattr(struct dentry *dentry, } #endif +static inline void evm_inode_post_setattr(struct dentry *dentry, int ia_valid) +{ + return; +} + static inline int evm_inode_setxattr(struct dentry *dentry, const char *name, const void *value, size_t size) { -- cgit v1.2.3 From cb72318069d5e92eb74840118732c66eb38c812f Mon Sep 17 00:00:00 2001 From: Mimi Zohar Date: Wed, 9 Mar 2011 14:40:44 -0500 Subject: evm: add evm_inode_init_security to initialize new files Initialize 'security.evm' for new files. Changelog v7: - renamed evm_inode_post_init_security to evm_inode_init_security - moved struct xattr definition to earlier patch - allocate xattr name Changelog v6: - Use 'struct evm_ima_xattr_data' Signed-off-by: Mimi Zohar --- include/linux/evm.h | 11 +++++++++++ security/integrity/evm/evm.h | 3 +++ security/integrity/evm/evm_crypto.c | 20 +++++++++++++++++++ security/integrity/evm/evm_main.c | 38 +++++++++++++++++++++++++++++++++++++ 4 files changed, 72 insertions(+) (limited to 'include') diff --git a/include/linux/evm.h b/include/linux/evm.h index 33a92471e463..7c10761916a2 100644 --- a/include/linux/evm.h +++ b/include/linux/evm.h @@ -9,6 +9,7 @@ #define _LINUX_EVM_H #include +#include #ifdef CONFIG_EVM extern enum integrity_status evm_verifyxattr(struct dentry *dentry, @@ -25,6 +26,9 @@ extern void evm_inode_post_setxattr(struct dentry *dentry, extern int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name); extern void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name); +extern int evm_inode_init_security(struct inode *inode, + const struct xattr *xattr_array, + struct xattr *evm); #else #ifdef CONFIG_INTEGRITY static inline enum integrity_status evm_verifyxattr(struct dentry *dentry, @@ -67,5 +71,12 @@ static inline void evm_inode_post_removexattr(struct dentry *dentry, return; } +static inline int evm_inode_init_security(struct inode *inode, + const struct xattr *xattr_array, + struct xattr *evm) +{ + return -EOPNOTSUPP; +} + #endif /* CONFIG_EVM_H */ #endif /* LINUX_EVM_H */ diff --git a/security/integrity/evm/evm.h b/security/integrity/evm/evm.h index 375dc3e6015c..a45d0d630a30 100644 --- a/security/integrity/evm/evm.h +++ b/security/integrity/evm/evm.h @@ -12,6 +12,7 @@ * File: evm.h * */ +#include #include #include "../integrity.h" @@ -29,5 +30,7 @@ extern int evm_update_evmxattr(struct dentry *dentry, extern int evm_calc_hmac(struct dentry *dentry, const char *req_xattr_name, const char *req_xattr_value, size_t req_xattr_value_len, char *digest); +extern int evm_init_hmac(struct inode *inode, const struct xattr *xattr, + char *hmac_val); extern int evm_init_secfs(void); extern void evm_cleanup_secfs(void); diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c index c631b99bda95..c9902bddcb9a 100644 --- a/security/integrity/evm/evm_crypto.c +++ b/security/integrity/evm/evm_crypto.c @@ -157,6 +157,26 @@ int evm_update_evmxattr(struct dentry *dentry, const char *xattr_name, return rc; } +int evm_init_hmac(struct inode *inode, const struct xattr *lsm_xattr, + char *hmac_val) +{ + struct hash_desc desc; + struct scatterlist sg[1]; + int error; + + error = init_desc(&desc); + if (error != 0) { + printk(KERN_INFO "init_desc failed\n"); + return error; + } + + sg_init_one(sg, lsm_xattr->value, lsm_xattr->value_len); + crypto_hash_update(&desc, sg, lsm_xattr->value_len); + hmac_add_misc(&desc, inode, hmac_val); + crypto_free_hash(desc.tfm); + return 0; +} + /* * Get the key from the TPM for the SHA1-HMAC */ diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index 1746c3669c6f..23486355f443 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c @@ -98,6 +98,12 @@ static int evm_protected_xattr(const char *req_xattr_name) found = 1; break; } + if (strncmp(req_xattr_name, + *xattrname + XATTR_SECURITY_PREFIX_LEN, + strlen(req_xattr_name)) == 0) { + found = 1; + break; + } } return found; } @@ -245,6 +251,38 @@ void evm_inode_post_setattr(struct dentry *dentry, int ia_valid) return; } +/* + * evm_inode_init_security - initializes security.evm + */ +int evm_inode_init_security(struct inode *inode, + const struct xattr *lsm_xattr, + struct xattr *evm_xattr) +{ + struct evm_ima_xattr_data *xattr_data; + int rc; + + if (!evm_initialized || !evm_protected_xattr(lsm_xattr->name)) + return -EOPNOTSUPP; + + xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS); + if (!xattr_data) + return -ENOMEM; + + xattr_data->type = EVM_XATTR_HMAC; + rc = evm_init_hmac(inode, lsm_xattr, xattr_data->digest); + if (rc < 0) + goto out; + + evm_xattr->value = xattr_data; + evm_xattr->value_len = sizeof(*xattr_data); + evm_xattr->name = kstrdup(XATTR_EVM_SUFFIX, GFP_NOFS); + return 0; +out: + kfree(xattr_data); + return rc; +} +EXPORT_SYMBOL_GPL(evm_inode_init_security); + static struct crypto_hash *tfm_hmac; /* preload crypto alg */ static int __init init_evm(void) { -- cgit v1.2.3 From 2960e6cb5f7c662b8edb6b0d2edc72095b4f5672 Mon Sep 17 00:00:00 2001 From: Dmitry Kasatkin Date: Fri, 6 May 2011 11:34:13 +0300 Subject: evm: additional parameter to pass integrity cache entry 'iint' Additional iint parameter allows to skip lookup in the cache. Signed-off-by: Dmitry Kasatkin Signed-off-by: Mimi Zohar --- include/linux/evm.h | 8 ++++++-- security/integrity/evm/evm_main.c | 18 ++++++++---------- 2 files changed, 14 insertions(+), 12 deletions(-) (limited to 'include') diff --git a/include/linux/evm.h b/include/linux/evm.h index 7c10761916a2..6d4e89b020c5 100644 --- a/include/linux/evm.h +++ b/include/linux/evm.h @@ -11,11 +11,14 @@ #include #include +struct integrity_iint_cache; + #ifdef CONFIG_EVM extern enum integrity_status evm_verifyxattr(struct dentry *dentry, const char *xattr_name, void *xattr_value, - size_t xattr_value_len); + size_t xattr_value_len, + struct integrity_iint_cache *iint); extern void evm_inode_post_setattr(struct dentry *dentry, int ia_valid); extern int evm_inode_setxattr(struct dentry *dentry, const char *name, const void *value, size_t size); @@ -34,7 +37,8 @@ extern int evm_inode_init_security(struct inode *inode, static inline enum integrity_status evm_verifyxattr(struct dentry *dentry, const char *xattr_name, void *xattr_value, - size_t xattr_value_len) + size_t xattr_value_len, + struct integrity_iint_cache *iint) { return INTEGRITY_UNKNOWN; } diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index b65adb5b06c8..0fa8261c3655 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c @@ -127,21 +127,19 @@ static int evm_protected_xattr(const char *req_xattr_name) */ enum integrity_status evm_verifyxattr(struct dentry *dentry, const char *xattr_name, - void *xattr_value, size_t xattr_value_len) + void *xattr_value, size_t xattr_value_len, + struct integrity_iint_cache *iint) { - struct inode *inode = dentry->d_inode; - struct integrity_iint_cache *iint; - enum integrity_status status; - if (!evm_initialized || !evm_protected_xattr(xattr_name)) return INTEGRITY_UNKNOWN; - iint = integrity_iint_find(inode); - if (!iint) - return INTEGRITY_UNKNOWN; - status = evm_verify_hmac(dentry, xattr_name, xattr_value, + if (!iint) { + iint = integrity_iint_find(dentry->d_inode); + if (!iint) + return INTEGRITY_UNKNOWN; + } + return evm_verify_hmac(dentry, xattr_name, xattr_value, xattr_value_len, iint); - return status; } EXPORT_SYMBOL_GPL(evm_verifyxattr); -- cgit v1.2.3 From 817b54aa45db03437c6d09a7693fc6926eb8e822 Mon Sep 17 00:00:00 2001 From: Mimi Zohar Date: Fri, 13 May 2011 12:53:38 -0400 Subject: evm: add evm_inode_setattr to prevent updating an invalid security.evm Permit changing of security.evm only when valid, unless in fixmode. Reported-by: Roberto Sassu Signed-off-by: Mimi Zohar --- include/linux/evm.h | 6 ++++++ security/integrity/evm/evm_main.c | 15 +++++++++++++++ security/security.c | 7 ++++++- 3 files changed, 27 insertions(+), 1 deletion(-) (limited to 'include') diff --git a/include/linux/evm.h b/include/linux/evm.h index 6d4e89b020c5..db5556dcdd27 100644 --- a/include/linux/evm.h +++ b/include/linux/evm.h @@ -19,6 +19,7 @@ extern enum integrity_status evm_verifyxattr(struct dentry *dentry, void *xattr_value, size_t xattr_value_len, struct integrity_iint_cache *iint); +extern int evm_inode_setattr(struct dentry *dentry, struct iattr *attr); extern void evm_inode_post_setattr(struct dentry *dentry, int ia_valid); extern int evm_inode_setxattr(struct dentry *dentry, const char *name, const void *value, size_t size); @@ -44,6 +45,11 @@ static inline enum integrity_status evm_verifyxattr(struct dentry *dentry, } #endif +static int evm_inode_setattr(struct dentry *dentry, struct iattr *attr) +{ + return 0; +} + static inline void evm_inode_post_setattr(struct dentry *dentry, int ia_valid) { return; diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index 94d66af07aa4..8fc5b5d7ceaa 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c @@ -277,6 +277,21 @@ void evm_inode_post_removexattr(struct dentry *dentry, const char *xattr_name) return; } +/** + * evm_inode_setattr - prevent updating an invalid EVM extended attribute + * @dentry: pointer to the affected dentry + */ +int evm_inode_setattr(struct dentry *dentry, struct iattr *attr) +{ + unsigned int ia_valid = attr->ia_valid; + enum integrity_status evm_status; + + if (ia_valid & ~(ATTR_MODE | ATTR_UID | ATTR_GID)) + return 0; + evm_status = evm_verify_current_integrity(dentry); + return evm_status == INTEGRITY_PASS ? 0 : -EPERM; +} + /** * evm_inode_post_setattr - update 'security.evm' after modifying metadata * @dentry: pointer to the affected dentry diff --git a/security/security.c b/security/security.c index 181990ae90c1..19251ccb2de0 100644 --- a/security/security.c +++ b/security/security.c @@ -571,9 +571,14 @@ int security_inode_exec_permission(struct inode *inode, unsigned int flags) int security_inode_setattr(struct dentry *dentry, struct iattr *attr) { + int ret; + if (unlikely(IS_PRIVATE(dentry->d_inode))) return 0; - return security_ops->inode_setattr(dentry, attr); + ret = security_ops->inode_setattr(dentry, attr); + if (ret) + return ret; + return evm_inode_setattr(dentry, attr); } EXPORT_SYMBOL_GPL(security_inode_setattr); -- cgit v1.2.3 From e1c9b23adbe86c725738402857397d7a29f9d6ef Mon Sep 17 00:00:00 2001 From: Mimi Zohar Date: Thu, 11 Aug 2011 00:22:51 -0400 Subject: evm: building without EVM enabled fixes - Missing 'inline' on evm_inode_setattr() definition. Introduced by commit 817b54aa45db ("evm: add evm_inode_setattr to prevent updating an invalid security.evm"). - Missing security_old_inode_init_security() stub function definition. Caused by commit 9d8f13ba3f48 ("security: new security_inode_init_security API adds function callback"). Reported-by: Stephen Rothwell Signed-off-by: Mimi Zohar Signed-off-by: James Morris --- include/linux/evm.h | 2 +- include/linux/security.h | 7 +++++++ 2 files changed, 8 insertions(+), 1 deletion(-) (limited to 'include') diff --git a/include/linux/evm.h b/include/linux/evm.h index db5556dcdd27..62deb6557d37 100644 --- a/include/linux/evm.h +++ b/include/linux/evm.h @@ -45,7 +45,7 @@ static inline enum integrity_status evm_verifyxattr(struct dentry *dentry, } #endif -static int evm_inode_setattr(struct dentry *dentry, struct iattr *attr) +static inline int evm_inode_setattr(struct dentry *dentry, struct iattr *attr) { return 0; } diff --git a/include/linux/security.h b/include/linux/security.h index 1c528b19a329..f399cf10e2a8 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -2048,6 +2048,13 @@ static inline int security_inode_init_security(struct inode *inode, return -EOPNOTSUPP; } +int security_old_inode_init_security(struct inode *inode, struct inode *dir, + const struct qstr *qstr, char **name, + void **value, size_t *len) +{ + return -EOPNOTSUPP; +} + static inline int security_inode_create(struct inode *dir, struct dentry *dentry, int mode) -- cgit v1.2.3 From 5a4730ba9517cf2793175991243436a24b1db18f Mon Sep 17 00:00:00 2001 From: Mimi Zohar Date: Thu, 11 Aug 2011 00:22:52 -0400 Subject: evm: fix evm_inode_init_security return code evm_inode_init_security() should return 0, when EVM is not enabled. (Returning an error is a remnant of evm_inode_post_init_security.) Signed-off-by: Mimi Zohar Signed-off-by: James Morris --- include/linux/evm.h | 2 +- security/integrity/evm/evm_main.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'include') diff --git a/include/linux/evm.h b/include/linux/evm.h index 62deb6557d37..ea603c9e775d 100644 --- a/include/linux/evm.h +++ b/include/linux/evm.h @@ -85,7 +85,7 @@ static inline int evm_inode_init_security(struct inode *inode, const struct xattr *xattr_array, struct xattr *evm) { - return -EOPNOTSUPP; + return 0; } #endif /* CONFIG_EVM_H */ diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index 8fc5b5d7ceaa..f0127e536f84 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c @@ -324,7 +324,7 @@ int evm_inode_init_security(struct inode *inode, int rc; if (!evm_initialized || !evm_protected_xattr(lsm_xattr->name)) - return -EOPNOTSUPP; + return 0; xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS); if (!xattr_data) -- cgit v1.2.3 From 1e39f384bb01b0395b69cb70c2cacae65012f203 Mon Sep 17 00:00:00 2001 From: Mimi Zohar Date: Mon, 15 Aug 2011 09:09:16 -0400 Subject: evm: fix build problems - Make the previously missing security_old_inode_init_security() stub function definition static inline. - The stub security_inode_init_security() function previously returned -EOPNOTSUPP and relied on the callers to change it to 0. The stub security/security_old_inode_init_security() functions now return 0. Reported-by: Stephen Rothwell Signed-off-by: Mimi Zohar Signed-off-by: James Morris --- include/linux/security.h | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) (limited to 'include') diff --git a/include/linux/security.h b/include/linux/security.h index f399cf10e2a8..d9f7ec41ba51 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -2045,14 +2045,16 @@ static inline int security_inode_init_security(struct inode *inode, initxattrs initxattrs, void *fs_data) { - return -EOPNOTSUPP; + return 0; } -int security_old_inode_init_security(struct inode *inode, struct inode *dir, - const struct qstr *qstr, char **name, - void **value, size_t *len) +static inline int security_old_inode_init_security(struct inode *inode, + struct inode *dir, + const struct qstr *qstr, + char **name, void **value, + size_t *len) { - return -EOPNOTSUPP; + return 0; } static inline int security_inode_create(struct inode *dir, -- cgit v1.2.3 From fc9ff9b7e3eaff3f49bc0fbbddfc1416212e888a Mon Sep 17 00:00:00 2001 From: "rongqing.li@windriver.com" Date: Tue, 6 Sep 2011 11:35:36 +0800 Subject: security: Fix a typo Fix a typo. Signed-off-by: Roy.Li Signed-off-by: James Morris --- include/linux/security.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'include') diff --git a/include/linux/security.h b/include/linux/security.h index d9f7ec41ba51..a14c2d4b22cf 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -1372,7 +1372,7 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts) * @inode_getsecctx: * Returns a string containing all relavent security context information * - * @inode we wish to set the security context of. + * @inode we wish to get the security context of. * @ctx is a pointer in which to place the allocated security context. * @ctxlen points to the place to put the length of @ctx. * This is the main security structure. -- cgit v1.2.3 From 5dbe3040c74eef18e66951347eda05b153e69328 Mon Sep 17 00:00:00 2001 From: James Morris Date: Tue, 30 Aug 2011 13:48:53 +1000 Subject: security: sparse fix: Move security_fixup_op to security.h Fix sparse warning by moving declaraion to global header. Signed-off-by: James Morris --- include/linux/security.h | 2 ++ security/security.c | 3 --- 2 files changed, 2 insertions(+), 3 deletions(-) (limited to 'include') diff --git a/include/linux/security.h b/include/linux/security.h index a14c2d4b22cf..19d8e04e1688 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -1660,6 +1660,8 @@ struct security_operations { extern int security_init(void); extern int security_module_enable(struct security_operations *ops); extern int register_security(struct security_operations *ops); +extern void __init security_fixup_ops(struct security_operations *ops); + /* Security operations */ int security_ptrace_access_check(struct task_struct *child, unsigned int mode); diff --git a/security/security.c b/security/security.c index a6328421a055..9ebda054a333 100644 --- a/security/security.c +++ b/security/security.c @@ -26,9 +26,6 @@ static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] = CONFIG_DEFAULT_SECURITY; -/* things that live in capability.c */ -extern void __init security_fixup_ops(struct security_operations *ops); - static struct security_operations *security_ops; static struct security_operations default_security_ops = { .name = "default", -- cgit v1.2.3 From bf6d0f5dcda17df3cc5577e203d0f8ea1c2ad6aa Mon Sep 17 00:00:00 2001 From: Mimi Zohar Date: Thu, 18 Aug 2011 18:07:44 -0400 Subject: evm: posix acls modify i_mode The posix xattr acls are 'system' prefixed, which normally would not affect security.evm. An interesting side affect of writing posix xattr acls is their modifying of the i_mode, which is included in security.evm. This patch updates security.evm when posix xattr acls are written. Signed-off-by: Mimi Zohar --- include/linux/evm.h | 8 ++++++++ include/linux/xattr.h | 5 +++++ security/integrity/evm/Makefile | 1 + security/integrity/evm/evm_main.c | 24 +++++++++++++++++++----- security/integrity/evm/evm_posix_acl.c | 26 ++++++++++++++++++++++++++ 5 files changed, 59 insertions(+), 5 deletions(-) create mode 100644 security/integrity/evm/evm_posix_acl.c (limited to 'include') diff --git a/include/linux/evm.h b/include/linux/evm.h index ea603c9e775d..9fc13a760928 100644 --- a/include/linux/evm.h +++ b/include/linux/evm.h @@ -33,6 +33,14 @@ extern void evm_inode_post_removexattr(struct dentry *dentry, extern int evm_inode_init_security(struct inode *inode, const struct xattr *xattr_array, struct xattr *evm); +#ifdef CONFIG_FS_POSIX_ACL +extern int posix_xattr_acl(const char *xattrname); +#else +static inline int posix_xattr_acl(const char *xattrname) +{ + return 0; +} +#endif #else #ifdef CONFIG_INTEGRITY static inline enum integrity_status evm_verifyxattr(struct dentry *dentry, diff --git a/include/linux/xattr.h b/include/linux/xattr.h index b20cb965c322..e5d122031542 100644 --- a/include/linux/xattr.h +++ b/include/linux/xattr.h @@ -52,6 +52,11 @@ #define XATTR_CAPS_SUFFIX "capability" #define XATTR_NAME_CAPS XATTR_SECURITY_PREFIX XATTR_CAPS_SUFFIX +#define XATTR_POSIX_ACL_ACCESS "posix_acl_access" +#define XATTR_NAME_POSIX_ACL_ACCESS XATTR_SYSTEM_PREFIX XATTR_POSIX_ACL_ACCESS +#define XATTR_POSIX_ACL_DEFAULT "posix_acl_default" +#define XATTR_NAME_POSIX_ACL_DEFAULT XATTR_SYSTEM_PREFIX XATTR_POSIX_ACL_DEFAULT + #ifdef __KERNEL__ #include diff --git a/security/integrity/evm/Makefile b/security/integrity/evm/Makefile index 0787d262b9e3..7393c415a066 100644 --- a/security/integrity/evm/Makefile +++ b/security/integrity/evm/Makefile @@ -4,3 +4,4 @@ obj-$(CONFIG_EVM) += evm.o evm-y := evm_main.o evm_crypto.o evm_secfs.o +evm-$(CONFIG_FS_POSIX_ACL) += evm_posix_acl.o diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index 7d4247535f9e..73c008d047c7 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c @@ -177,7 +177,14 @@ static enum integrity_status evm_verify_current_integrity(struct dentry *dentry) /* * evm_protect_xattr - protect the EVM extended attribute * - * Prevent security.evm from being modified or removed. + * Prevent security.evm from being modified or removed without the + * necessary permissions or when the existing value is invalid. + * + * The posix xattr acls are 'system' prefixed, which normally would not + * affect security.evm. An interesting side affect of writing posix xattr + * acls is their modifying of the i_mode, which is included in security.evm. + * For posix xattr acls only, permit security.evm, even if it currently + * doesn't exist, to be updated. */ static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name, const void *xattr_value, size_t xattr_value_len) @@ -187,9 +194,15 @@ static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name, if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) { if (!capable(CAP_SYS_ADMIN)) return -EPERM; - } else if (!evm_protected_xattr(xattr_name)) - return 0; - + } else if (!evm_protected_xattr(xattr_name)) { + if (!posix_xattr_acl(xattr_name)) + return 0; + evm_status = evm_verify_current_integrity(dentry); + if ((evm_status == INTEGRITY_PASS) || + (evm_status == INTEGRITY_NOLABEL)) + return 0; + return -EPERM; + } evm_status = evm_verify_current_integrity(dentry); return evm_status == INTEGRITY_PASS ? 0 : -EPERM; } @@ -240,7 +253,8 @@ int evm_inode_removexattr(struct dentry *dentry, const char *xattr_name) void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name, const void *xattr_value, size_t xattr_value_len) { - if (!evm_initialized || !evm_protected_xattr(xattr_name)) + if (!evm_initialized || (!evm_protected_xattr(xattr_name) + && !posix_xattr_acl(xattr_name))) return; evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len); diff --git a/security/integrity/evm/evm_posix_acl.c b/security/integrity/evm/evm_posix_acl.c new file mode 100644 index 000000000000..b1753e98bf9a --- /dev/null +++ b/security/integrity/evm/evm_posix_acl.c @@ -0,0 +1,26 @@ +/* + * Copyright (C) 2011 IBM Corporation + * + * Author: + * Mimi Zohar + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, version 2 of the License. + */ + +#include +#include + +int posix_xattr_acl(char *xattr) +{ + int xattr_len = strlen(xattr); + + if ((strlen(XATTR_NAME_POSIX_ACL_ACCESS) == xattr_len) + && (strncmp(XATTR_NAME_POSIX_ACL_ACCESS, xattr, xattr_len) == 0)) + return 1; + if ((strlen(XATTR_NAME_POSIX_ACL_DEFAULT) == xattr_len) + && (strncmp(XATTR_NAME_POSIX_ACL_DEFAULT, xattr, xattr_len) == 0)) + return 1; + return 0; +} -- cgit v1.2.3 From 566be59ab86c0e030b980645a580d683a015a483 Mon Sep 17 00:00:00 2001 From: Mimi Zohar Date: Mon, 22 Aug 2011 09:14:18 -0400 Subject: evm: permit mode bits to be updated Before permitting 'security.evm' to be updated, 'security.evm' must exist and be valid. In the case that there are no existing EVM protected xattrs, it is safe for posix acls to update the mode bits. To differentiate between no 'security.evm' xattr and no xattrs used to calculate 'security.evm', this patch defines INTEGRITY_NOXATTR. Signed-off-by: Mimi Zohar --- include/linux/integrity.h | 1 + security/integrity/evm/evm_main.c | 30 +++++++++++++----------------- 2 files changed, 14 insertions(+), 17 deletions(-) (limited to 'include') diff --git a/include/linux/integrity.h b/include/linux/integrity.h index 968443385678..a0c41256cb92 100644 --- a/include/linux/integrity.h +++ b/include/linux/integrity.h @@ -16,6 +16,7 @@ enum integrity_status { INTEGRITY_PASS = 0, INTEGRITY_FAIL, INTEGRITY_NOLABEL, + INTEGRITY_NOXATTRS, INTEGRITY_UNKNOWN, }; diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index 73c008d047c7..92d3d99a9f7b 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c @@ -66,7 +66,7 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry, struct integrity_iint_cache *iint) { struct evm_ima_xattr_data xattr_data; - enum integrity_status evm_status; + enum integrity_status evm_status = INTEGRITY_PASS; int rc; if (iint && iint->evm_status == INTEGRITY_PASS) @@ -76,25 +76,18 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry, rc = evm_calc_hmac(dentry, xattr_name, xattr_value, xattr_value_len, xattr_data.digest); - if (rc < 0) - goto err_out; + if (rc < 0) { + evm_status = (rc == -ENODATA) + ? INTEGRITY_NOXATTRS : INTEGRITY_FAIL; + goto out; + } xattr_data.type = EVM_XATTR_HMAC; rc = vfs_xattr_cmp(dentry, XATTR_NAME_EVM, (u8 *)&xattr_data, sizeof xattr_data, GFP_NOFS); if (rc < 0) - goto err_out; - evm_status = INTEGRITY_PASS; - goto out; - -err_out: - switch (rc) { - case -ENODATA: /* file not labelled */ - evm_status = INTEGRITY_NOLABEL; - break; - default: - evm_status = INTEGRITY_FAIL; - } + evm_status = (rc == -ENODATA) + ? INTEGRITY_NOLABEL : INTEGRITY_FAIL; out: if (iint) iint->evm_status = evm_status; @@ -199,7 +192,7 @@ static int evm_protect_xattr(struct dentry *dentry, const char *xattr_name, return 0; evm_status = evm_verify_current_integrity(dentry); if ((evm_status == INTEGRITY_PASS) || - (evm_status == INTEGRITY_NOLABEL)) + (evm_status == INTEGRITY_NOXATTRS)) return 0; return -EPERM; } @@ -293,7 +286,10 @@ int evm_inode_setattr(struct dentry *dentry, struct iattr *attr) if (!(ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))) return 0; evm_status = evm_verify_current_integrity(dentry); - return evm_status == INTEGRITY_PASS ? 0 : -EPERM; + if ((evm_status == INTEGRITY_PASS) || + (evm_status == INTEGRITY_NOXATTRS)) + return 0; + return -EPERM; } /** -- cgit v1.2.3 From b78049831ffed65f0b4e61f69df14f3ab17922cb Mon Sep 17 00:00:00 2001 From: Mimi Zohar Date: Tue, 20 Sep 2011 11:23:49 -0400 Subject: lib: add error checking to hex2bin hex2bin converts a hexadecimal string to its binary representation. The original version of hex2bin did not do any error checking. This patch adds error checking and returns the result. Changelog v1: - removed unpack_hex_byte() - changed return code from boolean to int Changelog: - use the new unpack_hex_byte() - add __must_check compiler option (Andy Shevchenko's suggestion) - change function API to return error checking result (based on Tetsuo Handa's initial patch) Signed-off-by: Mimi Zohar Acked-by: Andy Shevchenko --- include/linux/kernel.h | 2 +- lib/hexdump.c | 15 +++++++++++---- 2 files changed, 12 insertions(+), 5 deletions(-) (limited to 'include') diff --git a/include/linux/kernel.h b/include/linux/kernel.h index 46ac9a50528d..8eefcf7e95eb 100644 --- a/include/linux/kernel.h +++ b/include/linux/kernel.h @@ -382,7 +382,7 @@ static inline char *pack_hex_byte(char *buf, u8 byte) } extern int hex_to_bin(char ch); -extern void hex2bin(u8 *dst, const char *src, size_t count); +extern int __must_check hex2bin(u8 *dst, const char *src, size_t count); /* * General tracing related utility functions - trace_printk(), diff --git a/lib/hexdump.c b/lib/hexdump.c index f5fe6ba7a3ab..51d5ae210244 100644 --- a/lib/hexdump.c +++ b/lib/hexdump.c @@ -38,14 +38,21 @@ EXPORT_SYMBOL(hex_to_bin); * @dst: binary result * @src: ascii hexadecimal string * @count: result length + * + * Return 0 on success, -1 in case of bad input. */ -void hex2bin(u8 *dst, const char *src, size_t count) +int hex2bin(u8 *dst, const char *src, size_t count) { while (count--) { - *dst = hex_to_bin(*src++) << 4; - *dst += hex_to_bin(*src++); - dst++; + int hi = hex_to_bin(*src++); + int lo = hex_to_bin(*src++); + + if ((hi < 0) || (lo < 0)) + return -1; + + *dst++ = (hi << 4) | lo; } + return 0; } EXPORT_SYMBOL(hex2bin); -- cgit v1.2.3