Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull security layer updates from James Morris:
- a major update for AppArmor. From JJ:
* several bug fixes and cleanups
* the patch to add symlink support to securityfs that was floated
on the list earlier and the apparmorfs changes that make use of
securityfs symlinks
* it introduces the domain labeling base code that Ubuntu has been
carrying for several years, with several cleanups applied. And it
converts the current mediation over to using the domain labeling
base, which brings domain stacking support with it. This finally
will bring the base upstream code in line with Ubuntu and provide
a base to upstream the new feature work that Ubuntu carries.
* This does _not_ contain any of the newer apparmor mediation
features/controls (mount, signals, network, keys, ...) that
Ubuntu is currently carrying, all of which will be RFC'd on top
of this.
- Notable also is the Infiniband work in SELinux, and the new file:map
permission. From Paul:
"While we're down to 21 patches for v4.13 (it was 31 for v4.12),
the diffstat jumps up tremendously with over 2k of line changes.
Almost all of these changes are the SELinux/IB work done by
Daniel Jurgens; some other noteworthy changes include a NFS v4.2
labeling fix, a new file:map permission, and reporting of policy
capabilities on policy load"
There's also now genfscon labeling support for tracefs, which was
lost in v4.1 with the separation from debugfs.
- Smack incorporates a safer socket check in file_receive, and adds a
cap_capable call in privilege check.
- TPM as usual has a bunch of fixes and enhancements.
- Multiple calls to security_add_hooks() can now be made for the same
LSM, to allow LSMs to have hook declarations across multiple files.
- IMA now supports different "ima_appraise=" modes (eg. log, fix) from
the boot command line.
* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (126 commits)
apparmor: put back designators in struct initialisers
seccomp: Switch from atomic_t to recount_t
seccomp: Adjust selftests to avoid double-join
seccomp: Clean up core dump logic
IMA: update IMA policy documentation to include pcr= option
ima: Log the same audit cause whenever a file has no signature
ima: Simplify policy_func_show.
integrity: Small code improvements
ima: fix get_binary_runtime_size()
ima: use ima_parse_buf() to parse template data
ima: use ima_parse_buf() to parse measurements headers
ima: introduce ima_parse_buf()
ima: Add cgroups2 to the defaults list
ima: use memdup_user_nul
ima: fix up #endif comments
IMA: Correct Kconfig dependencies for hash selection
ima: define is_ima_appraise_enabled()
ima: define Kconfig IMA_APPRAISE_BOOTPARAM option
ima: define a set of appraisal rules requiring file signatures
ima: extend the "ima_policy" boot command line to support multiple policies
...
This commit is contained in:
Linus Torvalds
@@ -96,6 +96,8 @@ static struct ima_rule_entry dont_measure_rules[] __ro_after_init = {
|
||||
{.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
|
||||
{.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC,
|
||||
.flags = IMA_FSMAGIC},
|
||||
{.action = DONT_MEASURE, .fsmagic = CGROUP2_SUPER_MAGIC,
|
||||
.flags = IMA_FSMAGIC},
|
||||
{.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}
|
||||
};
|
||||
|
||||
@@ -139,6 +141,7 @@ static struct ima_rule_entry default_appraise_rules[] __ro_after_init = {
|
||||
{.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
|
||||
{.action = DONT_APPRAISE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC},
|
||||
{.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC},
|
||||
{.action = DONT_APPRAISE, .fsmagic = CGROUP2_SUPER_MAGIC, .flags = IMA_FSMAGIC},
|
||||
#ifdef CONFIG_IMA_WRITE_POLICY
|
||||
{.action = APPRAISE, .func = POLICY_CHECK,
|
||||
.flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
|
||||
@@ -153,6 +156,17 @@ static struct ima_rule_entry default_appraise_rules[] __ro_after_init = {
|
||||
#endif
|
||||
};
|
||||
|
||||
static struct ima_rule_entry secure_boot_rules[] __ro_after_init = {
|
||||
{.action = APPRAISE, .func = MODULE_CHECK,
|
||||
.flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
|
||||
{.action = APPRAISE, .func = FIRMWARE_CHECK,
|
||||
.flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
|
||||
{.action = APPRAISE, .func = KEXEC_KERNEL_CHECK,
|
||||
.flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
|
||||
{.action = APPRAISE, .func = POLICY_CHECK,
|
||||
.flags = IMA_FUNC | IMA_DIGSIG_REQUIRED},
|
||||
};
|
||||
|
||||
static LIST_HEAD(ima_default_rules);
|
||||
static LIST_HEAD(ima_policy_rules);
|
||||
static LIST_HEAD(ima_temp_rules);
|
||||
@@ -170,19 +184,27 @@ static int __init default_measure_policy_setup(char *str)
|
||||
}
|
||||
__setup("ima_tcb", default_measure_policy_setup);
|
||||
|
||||
static bool ima_use_appraise_tcb __initdata;
|
||||
static bool ima_use_secure_boot __initdata;
|
||||
static int __init policy_setup(char *str)
|
||||
{
|
||||
if (ima_policy)
|
||||
return 1;
|
||||
char *p;
|
||||
|
||||
if (strcmp(str, "tcb") == 0)
|
||||
ima_policy = DEFAULT_TCB;
|
||||
while ((p = strsep(&str, " |\n")) != NULL) {
|
||||
if (*p == ' ')
|
||||
continue;
|
||||
if ((strcmp(p, "tcb") == 0) && !ima_policy)
|
||||
ima_policy = DEFAULT_TCB;
|
||||
else if (strcmp(p, "appraise_tcb") == 0)
|
||||
ima_use_appraise_tcb = 1;
|
||||
else if (strcmp(p, "secure_boot") == 0)
|
||||
ima_use_secure_boot = 1;
|
||||
}
|
||||
|
||||
return 1;
|
||||
}
|
||||
__setup("ima_policy=", policy_setup);
|
||||
|
||||
static bool ima_use_appraise_tcb __initdata;
|
||||
static int __init default_appraise_policy_setup(char *str)
|
||||
{
|
||||
ima_use_appraise_tcb = 1;
|
||||
@@ -405,12 +427,14 @@ void ima_update_policy_flag(void)
|
||||
*/
|
||||
void __init ima_init_policy(void)
|
||||
{
|
||||
int i, measure_entries, appraise_entries;
|
||||
int i, measure_entries, appraise_entries, secure_boot_entries;
|
||||
|
||||
/* if !ima_policy set entries = 0 so we load NO default rules */
|
||||
measure_entries = ima_policy ? ARRAY_SIZE(dont_measure_rules) : 0;
|
||||
appraise_entries = ima_use_appraise_tcb ?
|
||||
ARRAY_SIZE(default_appraise_rules) : 0;
|
||||
secure_boot_entries = ima_use_secure_boot ?
|
||||
ARRAY_SIZE(secure_boot_rules) : 0;
|
||||
|
||||
for (i = 0; i < measure_entries; i++)
|
||||
list_add_tail(&dont_measure_rules[i].list, &ima_default_rules);
|
||||
@@ -429,6 +453,14 @@ void __init ima_init_policy(void)
|
||||
break;
|
||||
}
|
||||
|
||||
/*
|
||||
* Insert the appraise rules requiring file signatures, prior to
|
||||
* any other appraise rules.
|
||||
*/
|
||||
for (i = 0; i < secure_boot_entries; i++)
|
||||
list_add_tail(&secure_boot_rules[i].list,
|
||||
&ima_default_rules);
|
||||
|
||||
for (i = 0; i < appraise_entries; i++) {
|
||||
list_add_tail(&default_appraise_rules[i].list,
|
||||
&ima_default_rules);
|
||||
@@ -931,30 +963,17 @@ enum {
|
||||
mask_exec = 0, mask_write, mask_read, mask_append
|
||||
};
|
||||
|
||||
static char *mask_tokens[] = {
|
||||
static const char *const mask_tokens[] = {
|
||||
"MAY_EXEC",
|
||||
"MAY_WRITE",
|
||||
"MAY_READ",
|
||||
"MAY_APPEND"
|
||||
};
|
||||
|
||||
enum {
|
||||
func_file = 0, func_mmap, func_bprm,
|
||||
func_module, func_firmware, func_post,
|
||||
func_kexec_kernel, func_kexec_initramfs,
|
||||
func_policy
|
||||
};
|
||||
#define __ima_hook_stringify(str) (#str),
|
||||
|
||||
static char *func_tokens[] = {
|
||||
"FILE_CHECK",
|
||||
"MMAP_CHECK",
|
||||
"BPRM_CHECK",
|
||||
"MODULE_CHECK",
|
||||
"FIRMWARE_CHECK",
|
||||
"POST_SETATTR",
|
||||
"KEXEC_KERNEL_CHECK",
|
||||
"KEXEC_INITRAMFS_CHECK",
|
||||
"POLICY_CHECK"
|
||||
static const char *const func_tokens[] = {
|
||||
__ima_hooks(__ima_hook_stringify)
|
||||
};
|
||||
|
||||
void *ima_policy_start(struct seq_file *m, loff_t *pos)
|
||||
@@ -991,49 +1010,16 @@ void ima_policy_stop(struct seq_file *m, void *v)
|
||||
|
||||
#define pt(token) policy_tokens[token + Opt_err].pattern
|
||||
#define mt(token) mask_tokens[token]
|
||||
#define ft(token) func_tokens[token]
|
||||
|
||||
/*
|
||||
* policy_func_show - display the ima_hooks policy rule
|
||||
*/
|
||||
static void policy_func_show(struct seq_file *m, enum ima_hooks func)
|
||||
{
|
||||
char tbuf[64] = {0,};
|
||||
|
||||
switch (func) {
|
||||
case FILE_CHECK:
|
||||
seq_printf(m, pt(Opt_func), ft(func_file));
|
||||
break;
|
||||
case MMAP_CHECK:
|
||||
seq_printf(m, pt(Opt_func), ft(func_mmap));
|
||||
break;
|
||||
case BPRM_CHECK:
|
||||
seq_printf(m, pt(Opt_func), ft(func_bprm));
|
||||
break;
|
||||
case MODULE_CHECK:
|
||||
seq_printf(m, pt(Opt_func), ft(func_module));
|
||||
break;
|
||||
case FIRMWARE_CHECK:
|
||||
seq_printf(m, pt(Opt_func), ft(func_firmware));
|
||||
break;
|
||||
case POST_SETATTR:
|
||||
seq_printf(m, pt(Opt_func), ft(func_post));
|
||||
break;
|
||||
case KEXEC_KERNEL_CHECK:
|
||||
seq_printf(m, pt(Opt_func), ft(func_kexec_kernel));
|
||||
break;
|
||||
case KEXEC_INITRAMFS_CHECK:
|
||||
seq_printf(m, pt(Opt_func), ft(func_kexec_initramfs));
|
||||
break;
|
||||
case POLICY_CHECK:
|
||||
seq_printf(m, pt(Opt_func), ft(func_policy));
|
||||
break;
|
||||
default:
|
||||
snprintf(tbuf, sizeof(tbuf), "%d", func);
|
||||
seq_printf(m, pt(Opt_func), tbuf);
|
||||
break;
|
||||
}
|
||||
seq_puts(m, " ");
|
||||
if (func > 0 && func < MAX_CHECK)
|
||||
seq_printf(m, "func=%s ", func_tokens[func]);
|
||||
else
|
||||
seq_printf(m, "func=%d ", func);
|
||||
}
|
||||
|
||||
int ima_policy_show(struct seq_file *m, void *v)
|
||||
|
||||
Reference in New Issue
Block a user