877b5691 | 15-Apr-2019 | Eric Biggers <ebiggers@google.com>

crypto: shash - remove shash_desc::flags

The flags field in 'struct shash_desc' never actually does anything. The only ostensibly supported flag is CRYPTO_TFM_REQ_MAY_SLEEP. However, no shash algorithm ever sleeps, making this flag a no-op.

With this being the case, inevitably some users who can't sleep wrongly pass MAY_SLEEP. These would all need to be fixed if any shash algorithm actually started sleeping. For example, the shash_ahash_*() functions, which wrap a shash algorithm with the ahash API, pass through MAY_SLEEP from the ahash API to the shash API. However, the shash functions are called under kmap_atomic(), so actually they're assumed to never sleep.

Even if it turns out that some users do need preemption points while hashing large buffers, we could easily provide a helper function crypto_shash_update_large() which divides the data into smaller chunks and calls crypto_shash_update() and cond_resched() for each chunk. It's not necessary to have a flag in 'struct shash_desc', nor is it necessary to make individual shash algorithms aware of this at all.

Therefore, remove shash_desc::flags, and document that the crypto_shash_*() functions can be called from any context.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

e7fde070 | 24-Jan-2019 | Andy Shevchenko <andriy.shevchenko@linux.intel.com>

evm: Use defined constant for UUID representation

Instead of sizeof use pre-defined constant for UUID representation.

While here, drop the implementation details of uuid_t type.

Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

876979c9 | 09-Dec-2018 | Paul Gortmaker <paul.gortmaker@windriver.com>

security: audit and remove any unnecessary uses of module.h

Historically a lot of these existed because we did not have a distinction between what was modular code and what was providing support to modules via EXPORT_SYMBOL and friends. That changed when we forked out support for the latter into the export.h file. This means we should be able to reduce the usage of module.h in code that is obj-y Makefile or bool Kconfig.

The advantage in removing such instances is that module.h itself sources about 15 other headers; adding significantly to what we feed cpp, and it can obscure what headers we are effectively using.

Since module.h might have been the implicit source for init.h (for __init) and for export.h (for EXPORT_SYMBOL) we consider each instance for the presence of either and replace as needed.

Cc: James Morris <jmorris@namei.org>
Cc: "Serge E. Hallyn" <serge@hallyn.com>
Cc: John Johansen <john.johansen@canonical.com>
Cc: Mimi Zohar <zohar@linux.ibm.com>
Cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
Cc: David Howells <dhowells@redhat.com>
Cc: linux-security-module@vger.kernel.org
Cc: linux-integrity@vger.kernel.org
Cc: keyrings@vger.kernel.org
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: James Morris <james.morris@microsoft.com>

3d234b33 | 14-Nov-2018 | Eric Biggers <ebiggers@google.com>

crypto: drop mask=CRYPTO_ALG_ASYNC from 'shash' tfm allocations

'shash' algorithms are always synchronous, so passing CRYPTO_ALG_ASYNC in the mask to crypto_alloc_shash() has no effect. Many users therefore already don't pass it, but some still do. This inconsistency can cause confusion, especially since the way the 'mask' argument works is somewhat counterintuitive.

Thus, just remove the unneeded CRYPTO_ALG_ASYNC flags.

This patch shouldn't change any actual behavior.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

b2724d58 | 07-Sep-2018 | Eric Biggers <ebiggers@google.com>

security/integrity: constify some read-only data

Constify some static data that is never modified, so that it is placed in .rodata.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

5feeb611 | 08-Jun-2018 | Matthew Garrett <mjg59@google.com>

evm: Allow non-SHA1 digital signatures

SHA1 is reasonable in HMAC constructs, but it's desirable to be able to use stronger hashes in digital signatures. Modify the EVM crypto code so the hash type is imported from the digital signature and passed down to the hash calculation code, and return the digest size to higher layers for validation.

Signed-off-by: Matthew Garrett <mjg59@google.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>

e2861fa7 | 08-Jun-2018 | Matthew Garrett <mjg59@google.com>

evm: Don't deadlock if a crypto algorithm is unavailable

When EVM attempts to appraise a file signed with a crypto algorithm the kernel doesn't have support for, it will cause the kernel to trigger a module load. If the EVM policy includes appraisal of kernel modules this will in turn call back into EVM - since EVM is holding a lock until the crypto initialisation is complete, this triggers a deadlock. Add a CRYPTO_NOLOAD flag and skip module loading if it's set, and add that flag in the EVM case in order to fail gracefully with an error message instead of deadlocking.

Signed-off-by: Matthew Garrett <mjg59@google.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>

fa516b66 | 15-May-2018 | Matthew Garrett <mjg59@google.com>

EVM: Allow runtime modification of the set of verified xattrs

Sites may wish to provide additional metadata alongside files in order to make more fine-grained security decisions[1]. The security of this is enhanced if this metadata is protected, something that EVM makes possible. However, the kernel cannot know about the set of extended attributes that local admins may wish to protect, and hardcoding this policy in the kernel makes it difficult to change over time and less convenient for distributions to enable.

This patch adds a new /sys/kernel/security/integrity/evm/evm_xattrs node, which can be read to obtain the current set of EVM-protected extended attributes or written to in order to add new entries. Extending this list will not change the validity of any existing signatures provided that the file in question does not have any of the additional extended attributes - missing xattrs are skipped when calculating the EVM hash.

[1] For instance, a package manager could install information about the package uploader in an additional extended attribute. Local LSM policy could then be associated with that extended attribute in order to restrict the privileges available to packages from less trusted uploaders.

Signed-off-by: Matthew Garrett <mjg59@google.com>
Reviewed-by: James Morris <james.morris@microsoft.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>

21af7663 | 11-May-2018 | Matthew Garrett <mjg59@google.com>

EVM: turn evm_config_xattrnames into a list

Use a list of xattrs rather than an array - this makes it easier to extend the list at runtime.

Signed-off-by: Matthew Garrett <mjg59@google.com>
Reviewed-by: James Morris <james.morris@microsoft.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>

a3a5c966 | 22-Dec-2017 | Seth Forshee <seth.forshee@canonical.com>

evm: Don't update hmacs in user ns mounts

The kernel should not calculate new hmacs for mounts done by non-root users. Update evm_calc_hmac_or_hash() to refuse to calculate new hmacs for mounts for non-init user namespaces.

Cc: linux-integrity@vger.kernel.org
Cc: linux-security-module@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: James Morris <james.l.morris@oracle.com>
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: "Serge E. Hallyn" <serge@hallyn.com>
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Signed-off-by: Dongsu Park <dongsu@kinvolk.io>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>

1a82cee3 | 27-Feb-2018 | Hernán Gonzalez <hernan@vanguardiasur.com.ar>

evm: Move evm_hmac and evm_hash from evm_main.c to evm_crypto.c

These variables are not used where they were defined. There is no point in declaring them there as extern. Move and constify them, saving 2 bytes.

Function                                     old     new   delta
init_desc                                    273     271      -2
Total: Before=2112094, After=2112092, chg -0.00%

Signed-off-by: Hernán Gonzalez <hernan@vanguardiasur.com.ar>
Tested-by: Fengguang Wu <fengguang.wu@intel.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>

50b97748 | 07-Nov-2017 | Matthew Garrett <mjg59@google.com>

EVM: Add support for portable signature format

The EVM signature includes the inode number and (optionally) the filesystem UUID, making it impractical to ship EVM signatures in packages. This patch adds a new portable format intended to allow distributions to include EVM signatures. It is identical to the existing format but hardcodes the inode and generation numbers to 0 and does not include the filesystem UUID even if the kernel is configured to do so.

Removing the inode means that the metadata and signature from one file could be copied to another file without invalidating it. This is avoided by ensuring that an IMA xattr is present during EVM validation.

Portable signatures are intended to be immutable - ie, they will never be transformed into HMACs.

Based on earlier work by Dmitry Kasatkin and Mikhail Kurinnoi.

Signed-off-by: Matthew Garrett <mjg59@google.com>
Cc: Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
Cc: Mikhail Kurinnoi <viewizard@viewizard.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>

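The two properties described in the commit messages above, the runtime-extensible protected xattr set (fa516b66) and the portable signature format (50b97748), modelled in Python as an added example that is not part of any commit and is not the kernel's code. The EVM key, the protected xattr list, the byte layout of the HMAC input, the security.ima construction and the sample files are all constructed for this example and differ from the real kernel layout. The model shows why adding a protected xattr name leaves existing HMACs valid for files that lack it, why the portable digest is identical across inodes and filesystems, and why the portable path must require a security.ima xattr that matches the content.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

# Constructed key for this example only; a real system loads the EVM key
# from the kernel keyring (or via evm_set_key()).
EVM_KEY = b"constructed-evm-key-for-this-example"
# Constructed protected-xattr list; the kernel's list and ordering differ.
DEFAULT_XATTRS = ["security.selinux", "security.SMACK64", "security.ima"]
# Constructed filesystem UUIDs for two different filesystems.
UUID_A = bytes(range(16))
UUID_B = bytes(range(16, 32))


@dataclass
class FakeInode:
    """Constructed stand-in for the inode fields EVM mixes into its HMAC."""
    ino: int
    generation: int
    uid: int
    gid: int
    mode: int
    fsuuid: bytes
    content: bytes
    xattrs: dict = field(default_factory=dict)


def ima_hash(content: bytes) -> bytes:
    """Simplified security.ima value: a plain hash of the file content."""
    return hashlib.sha256(content).digest()


def evm_hmac(inode: FakeInode, protected: list, portable: bool = False,
             include_fsuuid: bool = True) -> str:
    """Simplified EVM HMAC over protected xattr values, then inode metadata.
    portable=True pins inode/generation to 0 and omits the fsuuid."""
    h = hmac.new(EVM_KEY, digestmod=hashlib.sha1)
    for name in protected:
        value = inode.xattrs.get(name)
        if value is None:
            continue  # a protected xattr the file lacks is skipped, not hashed as empty
        h.update(value)
    ino, gen = (0, 0) if portable else (inode.ino, inode.generation)
    h.update(struct.pack("<QIIII", ino, gen, inode.uid, inode.gid, inode.mode))
    if include_fsuuid and not portable:
        h.update(inode.fsuuid)
    return h.hexdigest()


def evm_verify(inode: FakeInode, stored: str, protected: list,
               portable: bool = False) -> bool:
    """Check a stored HMAC; the portable form additionally requires a
    security.ima xattr that matches the file content."""
    if portable:
        ima = inode.xattrs.get("security.ima")
        if ima is None or not hmac.compare_digest(ima, ima_hash(inode.content)):
            return False
    return hmac.compare_digest(evm_hmac(inode, protected, portable=portable), stored)


def make_sample(ino: int, generation: int, fsuuid: bytes,
                content: bytes = b"#!/bin/sh\necho hello\n") -> FakeInode:
    """Constructed sample file carrying an SELinux label and an IMA hash."""
    inode = FakeInode(ino=ino, generation=generation, uid=0, gid=0,
                      mode=0o100755, fsuuid=fsuuid, content=content)
    inode.xattrs["security.selinux"] = b"system_u:object_r:bin_t:s0"
    inode.xattrs["security.ima"] = ima_hash(content)
    return inode


def extending_xattr_list_keeps_existing_hmacs_valid() -> bool:
    """Adding a name to the protected set (as writing evm_xattrs would) keeps
    the HMAC of a file without that xattr valid, until the xattr appears."""
    f = make_sample(ino=4711, generation=1, fsuuid=UUID_A)
    stored = evm_hmac(f, DEFAULT_XATTRS)
    extended = DEFAULT_XATTRS + ["user.pkg-uploader"]  # hypothetical site xattr
    still_valid = evm_verify(f, stored, extended)
    f.xattrs["user.pkg-uploader"] = b"less-trusted-uploader"
    now_invalid = not evm_verify(f, stored, extended)
    return still_valid and now_invalid


def portable_hmac_is_inode_independent() -> tuple:
    """Same content and metadata on two inodes/filesystems: the regular HMAC
    differs, the portable one is identical, so the result is (False, True)."""
    a = make_sample(4711, 1, UUID_A)
    b = make_sample(9999, 7, UUID_B)
    regular_equal = evm_hmac(a, DEFAULT_XATTRS) == evm_hmac(b, DEFAULT_XATTRS)
    portable_equal = (evm_hmac(a, DEFAULT_XATTRS, portable=True)
                      == evm_hmac(b, DEFAULT_XATTRS, portable=True))
    return regular_equal, portable_equal


def copied_portable_metadata_fails_on_other_content() -> bool:
    """Copying a portable digest and all xattrs onto a file with different
    content is rejected because security.ima no longer matches the content."""
    a = make_sample(4711, 1, UUID_A)
    stored = evm_hmac(a, DEFAULT_XATTRS, portable=True)
    b = make_sample(9999, 7, UUID_B, content=b"#!/bin/sh\nrm -rf /tmp/x\n")
    b.xattrs = dict(a.xattrs)  # attacker copies a's metadata onto b
    return not evm_verify(b, stored, DEFAULT_XATTRS, portable=True)


if __name__ == "__main__":
    print(extending_xattr_list_keeps_existing_hmacs_valid())   # True
    print(portable_hmac_is_inode_independent())                # (False, True)
    print(copied_portable_metadata_fails_on_other_content())   # True
```

The third check is the point of the "ensuring that an IMA xattr is present" sentence: once the inode and fsuuid are out of the digest, only the binding between security.ima and the actual content stops a signed metadata set from being replayed onto another file.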
0485d066 | 11-Oct-2017 | Matthew Garrett <mjg59@google.com>

EVM: Only complain about a missing HMAC key once

A system can validate EVM digital signatures without requiring an HMAC key, but every EVM validation will generate a kernel error. Change this so we only generate an error once.

Signed-off-by: Matthew Garrett <mjg59@google.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>

85787090 | 10-May-2017 | Christoph Hellwig <hch@lst.de>

fs: switch ->s_uuid to uuid_t

For some file systems we still memcpy into it, but in various places this already allows us to use the proper uuid helpers. More to come..

Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Amir Goldstein <amir73il@gmail.com>
Acked-by: Mimi Zohar <zohar@linux.vnet.ibm.com> (Changes to IMA/EVM)
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>

19339c25 | 02-Dec-2016 | Eric W. Biederman <ebiederm@xmission.com>

Revert "evm: Translate user/group ids relative to s_user_ns when computing HMAC"

This reverts commit 0b3c9761d1e405514a551ed24d3ea89aea26ce14.

Seth Forshee <seth.forshee@canonical.com> writes:
> All right, I think 0b3c9761d1e405514a551ed24d3ea89aea26ce14 should be
> reverted then. EVM is a machine-local integrity mechanism, and so it
> makes sense that the signature would be based on the kernel's notion of
> the uid and not the filesystem's.

I added a comment explaining why the EVM hmac needs to be in the kernel's notion of uid and gid, not the filesystem's, to prevent remounting the filesystem and gaining unwarranted trust in files.

Acked-by: Seth Forshee <seth.forshee@canonical.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>

5d6c3191 | 29-Sep-2016 | Andreas Gruenbacher <agruenba@redhat.com>

xattr: Add __vfs_{get,set,remove}xattr helpers

Right now, various places in the kernel check for the existence of getxattr, setxattr, and removexattr inode operations and directly call those operations. Switch to helper functions and test for the IOP_XATTR flag instead.

Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Acked-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

0b3c9761 | 05-Feb-2015 | Seth Forshee <seth.forshee@canonical.com>

evm: Translate user/group ids relative to s_user_ns when computing HMAC

The EVM HMAC should be calculated using the on disk user and group ids, so the k[ug]ids in the inode must be translated relative to the s_user_ns of the inode's super block.

Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>

76266763 | 22-Oct-2015 | Dmitry Kasatkin <dmitry.kasatkin@huawei.com>

evm: provide a function to set the EVM key from the kernel

A crypto HW kernel module can possibly initialize the EVM key from the kernel __init code to enable EVM before calling the 'init' process. This patch provides a function evm_set_key() to set the EVM key directly without using the KEY subsystem.

Changes in v4:
* kernel-doc style for evm_set_key

Changes in v3:
* error reporting moved to evm_set_key
* EVM_INIT_HMAC moved to evm_set_key
* added bitop to prevent key setting race

Changes in v2:
* use size_t for key size instead of signed int
* provide EVM_MAX_KEY_SIZE macro in <linux/evm.h>
* provide EVM_MIN_KEY_SIZE macro in <linux/evm.h>

Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>

26ddabfe | 22-Oct-2015 | Dmitry Kasatkin <dmitry.kasatkin@huawei.com>

evm: enable EVM when X509 certificate is loaded

In order to enable EVM before starting the 'init' process, evm_initialized needs to be non-zero. Previously non-zero indicated that the HMAC key was loaded. When EVM loads the X509 before calling 'init', with this patch it is now possible to enable EVM to start signature based verification.

This patch defines bits to enable EVM if a key of any type is loaded.

Changes in v3:
* print error message if key is not set

Changes in v2:
* EVM_STATE_KEY_SET replaced by EVM_INIT_HMAC
* EVM_STATE_X509_SET replaced by EVM_INIT_X509

Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>

146aa8b1 | 21-Oct-2015 | David Howells <dhowells@redhat.com>

KEYS: Merge the type-specific data with the payload data

Merge the type-specific data with the payload data into one four-word chunk as it seems pointless to keep them separate.

Use user_key_payload() for accessing the payloads of overloaded user-defined keys.

Signed-off-by: David Howells <dhowells@redhat.com>
cc: linux-cifs@vger.kernel.org
cc: ecryptfs@vger.kernel.org
cc: linux-ext4@vger.kernel.org
cc: linux-f2fs-devel@lists.sourceforge.net
cc: linux-nfs@vger.kernel.org
cc: ceph-devel@vger.kernel.org
cc: linux-ima-devel@lists.sourceforge.net

c6f493d6 | 17-Mar-2015 | David Howells <dhowells@redhat.com>

VFS: security/: d_backing_inode() annotations

Most of the ->d_inode uses there refer to the same inode IO would go to, i.e. d_backing_inode()

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

d3b33679 | 28-Mar-2014 | Dmitry Kasatkin <d.kasatkin@samsung.com>

evm: replace HMAC version with attribute mask

Using HMAC version limits the possibility to arbitrarily add new attributes such as SMACK64EXEC to the hmac calculation.

This patch replaces hmac version with attribute mask. Desired attributes can be enabled with configuration parameter. It allows building kernels which work with previously labeled filesystems.

The currently supported attribute is 'fsuuid', which is equivalent to the former version 2.

Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>

627bf81a | 01-Feb-2014 | Al Viro <viro@zeniv.linux.org.uk>

get rid of pointless checks for NULL ->i_op

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

2bb930ab | 04-Mar-2014 | Dmitry Kasatkin <d.kasatkin@samsung.com>

integrity: fix checkpatch errors

Between checkpatch changes (eg. sizeof) and inconsistencies between Lindent and checkpatch, unfixed checkpatch errors make it difficult to see new errors. This patch fixes them. Some lines with over 80 chars remained unchanged to improve code readability.

The "extern" keyword is removed from internal evm.h to make it consistent with internal ima.h.

Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>

20ee451f | 24-Feb-2014 | Joe Perches <joe@perches.com>

security: integrity: Use a more current logging style

Convert printks to pr_<level>. Add pr_fmt. Remove embedded prefixes.

Signed-off-by: Joe Perches <joe@perches.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>