mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
synced 2025-01-23 00:20:52 -05:00
integrity-v6.8
-----BEGIN PGP SIGNATURE----- iIoEABYIADIWIQQdXVVFGN5XqKr1Hj7LwZzRsCrn5QUCZZ0pVhQcem9oYXJAbGlu dXguaWJtLmNvbQAKCRDLwZzRsCrn5RVMAQDm9J+iiY/2Af75vOTKIZXtGF6KsBpx 9b9ALPqPNZPgugD+PfwSbS+6rO8AItXE0Q2+FwtDaV8LxgSwK9vGeCHI2wM= =yinc -----END PGP SIGNATURE----- Merge tag 'integrity-v6.8' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity Pull integrity updates from Mimi Zohar: - Add a new IMA/EVM maintainer and reviewer - Disable EVM on overlayfs The EVM HMAC and the original file signatures contain filesystem specific metadata (e.g. i_ino, i_generation and s_uuid), preventing the security.evm xattr from directly being copied up to the overlay. Further before calculating and writing out the overlay file's EVM HMAC, EVM must first verify the existing backing file's 'security.evm' value. For now until a solution is developed, disable EVM on overlayfs. - One bug fix and two cleanups * tag 'integrity-v6.8' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity: overlay: disable EVM evm: add support to disable EVM on unsupported filesystems evm: don't copy up 'security.evm' xattr MAINTAINERS: Add Eric Snowberg as a reviewer to IMA MAINTAINERS: Add Roberto Sassu as co-maintainer to IMA and EVM KEYS: encrypted: Add check for strsep ima: Remove EXPERIMENTAL from Kconfig ima: Reword IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
This commit is contained in:
commit
6c1dd1fe5d
8 changed files with 62 additions and 7 deletions
|
@ -7930,6 +7930,7 @@ F: include/uapi/linux/ext4.h
|
|||
|
||||
Extended Verification Module (EVM)
|
||||
M: Mimi Zohar <zohar@linux.ibm.com>
|
||||
M: Roberto Sassu <roberto.sassu@huawei.com>
|
||||
L: linux-integrity@vger.kernel.org
|
||||
S: Supported
|
||||
T: git git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
|
||||
|
@ -10518,7 +10519,9 @@ F: drivers/crypto/inside-secure/
|
|||
|
||||
INTEGRITY MEASUREMENT ARCHITECTURE (IMA)
|
||||
M: Mimi Zohar <zohar@linux.ibm.com>
|
||||
M: Roberto Sassu <roberto.sassu@huawei.com>
|
||||
M: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
|
||||
R: Eric Snowberg <eric.snowberg@oracle.com>
|
||||
L: linux-integrity@vger.kernel.org
|
||||
S: Supported
|
||||
T: git git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
|
||||
|
|
|
@ -1454,6 +1454,7 @@ int ovl_fill_super(struct super_block *sb, struct fs_context *fc)
|
|||
* lead to unexpected results.
|
||||
*/
|
||||
sb->s_iflags |= SB_I_NOUMASK;
|
||||
sb->s_iflags |= SB_I_EVM_UNSUPPORTED;
|
||||
|
||||
err = -ENOMEM;
|
||||
root_dentry = ovl_get_root(sb, ctx->upper.dentry, oe);
|
||||
|
|
|
@ -31,6 +31,7 @@ extern void evm_inode_post_setxattr(struct dentry *dentry,
|
|||
const char *xattr_name,
|
||||
const void *xattr_value,
|
||||
size_t xattr_value_len);
|
||||
extern int evm_inode_copy_up_xattr(const char *name);
|
||||
extern int evm_inode_removexattr(struct mnt_idmap *idmap,
|
||||
struct dentry *dentry, const char *xattr_name);
|
||||
extern void evm_inode_post_removexattr(struct dentry *dentry,
|
||||
|
@ -117,6 +118,11 @@ static inline void evm_inode_post_setxattr(struct dentry *dentry,
|
|||
return;
|
||||
}
|
||||
|
||||
static inline int evm_inode_copy_up_xattr(const char *name)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
|
||||
static inline int evm_inode_removexattr(struct mnt_idmap *idmap,
|
||||
struct dentry *dentry,
|
||||
const char *xattr_name)
|
||||
|
|
|
@ -1166,6 +1166,7 @@ extern int send_sigurg(struct fown_struct *fown);
|
|||
#define SB_I_USERNS_VISIBLE 0x00000010 /* fstype already mounted */
|
||||
#define SB_I_IMA_UNVERIFIABLE_SIGNATURE 0x00000020
|
||||
#define SB_I_UNTRUSTED_MOUNTER 0x00000040
|
||||
#define SB_I_EVM_UNSUPPORTED 0x00000080
|
||||
|
||||
#define SB_I_SKIP_SYNC 0x00000100 /* Skip superblock at global sync */
|
||||
#define SB_I_PERSB_BDI 0x00000200 /* has a per-sb bdi */
|
||||
|
|
|
@ -151,6 +151,17 @@ static int evm_find_protected_xattrs(struct dentry *dentry)
|
|||
return count;
|
||||
}
|
||||
|
||||
static int is_unsupported_fs(struct dentry *dentry)
|
||||
{
|
||||
struct inode *inode = d_backing_inode(dentry);
|
||||
|
||||
if (inode->i_sb->s_iflags & SB_I_EVM_UNSUPPORTED) {
|
||||
pr_info_once("%s not supported\n", inode->i_sb->s_type->name);
|
||||
return 1;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* evm_verify_hmac - calculate and compare the HMAC with the EVM xattr
|
||||
*
|
||||
|
@ -181,6 +192,9 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
|
|||
iint->evm_status == INTEGRITY_PASS_IMMUTABLE))
|
||||
return iint->evm_status;
|
||||
|
||||
if (is_unsupported_fs(dentry))
|
||||
return INTEGRITY_UNKNOWN;
|
||||
|
||||
/* if status is not PASS, try to check again - against -ENOMEM */
|
||||
|
||||
/* first need to know the sig type */
|
||||
|
@ -408,6 +422,9 @@ enum integrity_status evm_verifyxattr(struct dentry *dentry,
|
|||
if (!evm_key_loaded() || !evm_protected_xattr(xattr_name))
|
||||
return INTEGRITY_UNKNOWN;
|
||||
|
||||
if (is_unsupported_fs(dentry))
|
||||
return INTEGRITY_UNKNOWN;
|
||||
|
||||
if (!iint) {
|
||||
iint = integrity_iint_find(d_backing_inode(dentry));
|
||||
if (!iint)
|
||||
|
@ -491,15 +508,21 @@ static int evm_protect_xattr(struct mnt_idmap *idmap,
|
|||
if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) {
|
||||
if (!capable(CAP_SYS_ADMIN))
|
||||
return -EPERM;
|
||||
if (is_unsupported_fs(dentry))
|
||||
return -EPERM;
|
||||
} else if (!evm_protected_xattr(xattr_name)) {
|
||||
if (!posix_xattr_acl(xattr_name))
|
||||
return 0;
|
||||
if (is_unsupported_fs(dentry))
|
||||
return 0;
|
||||
|
||||
evm_status = evm_verify_current_integrity(dentry);
|
||||
if ((evm_status == INTEGRITY_PASS) ||
|
||||
(evm_status == INTEGRITY_NOXATTRS))
|
||||
return 0;
|
||||
goto out;
|
||||
}
|
||||
} else if (is_unsupported_fs(dentry))
|
||||
return 0;
|
||||
|
||||
evm_status = evm_verify_current_integrity(dentry);
|
||||
if (evm_status == INTEGRITY_NOXATTRS) {
|
||||
|
@ -750,6 +773,9 @@ void evm_inode_post_setxattr(struct dentry *dentry, const char *xattr_name,
|
|||
if (!(evm_initialized & EVM_INIT_HMAC))
|
||||
return;
|
||||
|
||||
if (is_unsupported_fs(dentry))
|
||||
return;
|
||||
|
||||
evm_update_evmxattr(dentry, xattr_name, xattr_value, xattr_value_len);
|
||||
}
|
||||
|
||||
|
@ -814,8 +840,12 @@ int evm_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
|
|||
if (evm_initialized & EVM_ALLOW_METADATA_WRITES)
|
||||
return 0;
|
||||
|
||||
if (is_unsupported_fs(dentry))
|
||||
return 0;
|
||||
|
||||
if (!(ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)))
|
||||
return 0;
|
||||
|
||||
evm_status = evm_verify_current_integrity(dentry);
|
||||
/*
|
||||
* Writing attrs is safe for portable signatures, as portable signatures
|
||||
|
@ -859,10 +889,20 @@ void evm_inode_post_setattr(struct dentry *dentry, int ia_valid)
|
|||
if (!(evm_initialized & EVM_INIT_HMAC))
|
||||
return;
|
||||
|
||||
if (is_unsupported_fs(dentry))
|
||||
return;
|
||||
|
||||
if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))
|
||||
evm_update_evmxattr(dentry, NULL, NULL, 0);
|
||||
}
|
||||
|
||||
int evm_inode_copy_up_xattr(const char *name)
|
||||
{
|
||||
if (strcmp(name, XATTR_NAME_EVM) == 0)
|
||||
return 1; /* Discard */
|
||||
return -EOPNOTSUPP;
|
||||
}
|
||||
|
||||
/*
|
||||
* evm_inode_init_security - initializes security.evm HMAC value
|
||||
*/
|
||||
|
|
|
@ -243,7 +243,7 @@ config IMA_APPRAISE_MODSIG
|
|||
to accept such signatures.
|
||||
|
||||
config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
|
||||
bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)"
|
||||
bool "Permit keys validly signed by a built-in, machine (if configured) or secondary"
|
||||
depends on SYSTEM_TRUSTED_KEYRING
|
||||
depends on SECONDARY_TRUSTED_KEYRING
|
||||
depends on INTEGRITY_ASYMMETRIC_KEYS
|
||||
|
@ -251,14 +251,14 @@ config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
|
|||
default n
|
||||
help
|
||||
Keys may be added to the IMA or IMA blacklist keyrings, if the
|
||||
key is validly signed by a CA cert in the system built-in or
|
||||
secondary trusted keyrings. The key must also have the
|
||||
digitalSignature usage set.
|
||||
key is validly signed by a CA cert in the system built-in,
|
||||
machine (if configured), or secondary trusted keyrings. The
|
||||
key must also have the digitalSignature usage set.
|
||||
|
||||
Intermediate keys between those the kernel has compiled in and the
|
||||
IMA keys to be added may be added to the system secondary keyring,
|
||||
provided they are validly signed by a key already resident in the
|
||||
built-in or secondary trusted keyrings.
|
||||
built-in, machine (if configured) or secondary trusted keyrings.
|
||||
|
||||
config IMA_BLACKLIST_KEYRING
|
||||
bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)"
|
||||
|
|
|
@ -237,6 +237,10 @@ static int datablob_parse(char *datablob, const char **format,
|
|||
break;
|
||||
}
|
||||
*decrypted_data = strsep(&datablob, " \t");
|
||||
if (!*decrypted_data) {
|
||||
pr_info("encrypted_key: decrypted_data is missing\n");
|
||||
break;
|
||||
}
|
||||
ret = 0;
|
||||
break;
|
||||
case Opt_load:
|
||||
|
|
|
@ -2623,7 +2623,7 @@ int security_inode_copy_up_xattr(const char *name)
|
|||
return rc;
|
||||
}
|
||||
|
||||
return LSM_RET_DEFAULT(inode_copy_up_xattr);
|
||||
return evm_inode_copy_up_xattr(name);
|
||||
}
|
||||
EXPORT_SYMBOL(security_inode_copy_up_xattr);
|
||||
|
||||
|
|
Loading…
Reference in a new issue