linux.git/security/integrity, branch v4.20-rc2 Linux kernel source tree Merge branch 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2018-10-25T20:22:23+00:00 Linus Torvalds torvalds@linux-foundation.org 2018-10-25T20:22:23+00:00 57ce66d39f10fb01efabd72b14eb033deddb226b Pull integrity updates from James Morris: "From Mimi: This contains a couple of bug fixes, including one for a recent problem with calculating file hashes on overlayfs, and some code cleanup" * 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: MAINTAINERS: add Jarkko as maintainer for trusted keys ima: open a new file instance if no read permissions ima: fix showing large 'violations' or 'runtime_measurements_count' security/integrity: remove unnecessary 'init_keyring' variable security/integrity: constify some read-only data vfs: require i_size <= SIZE_MAX in kernel_read_file() 
Pull integrity updates from James Morris:
 "From Mimi: This contains a couple of bug fixes, including one for a
  recent problem with calculating file hashes on overlayfs, and some
  code cleanup"

* 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  MAINTAINERS: add Jarkko as maintainer for trusted keys
  ima: open a new file instance if no read permissions
  ima: fix showing large 'violations' or 'runtime_measurements_count'
  security/integrity: remove unnecessary 'init_keyring' variable
  security/integrity: constify some read-only data
  vfs: require i_size <= SIZE_MAX in kernel_read_file()
LSM: Record LSM name in struct lsm_info 2018-10-11T03:40:22+00:00 Kees Cook keescook@chromium.org 2018-10-11T00:18:24+00:00 07aed2f2af5a5892ced035dbcf3993f630825fc3 In preparation for making LSM selections outside of the LSMs, include the name of LSMs in struct lsm_info. Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: James Morris <james.morris@microsoft.com> 
In preparation for making LSM selections outside of the LSMs, include
the name of LSMs in struct lsm_info.

Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: James Morris <james.morris@microsoft.com>
LSM: Convert security_initcall() into DEFINE_LSM() 2018-10-11T03:40:21+00:00 Kees Cook keescook@chromium.org 2018-10-11T00:18:23+00:00 3d6e5f6dcf6561e57b6466e43e14029fb196028d Instead of using argument-based initializers, switch to defining the contents of struct lsm_info on a per-LSM basis. This also drops the final use of the now inaccurate "initcall" naming. Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: James Morris <james.morris@microsoft.com> Signed-off-by: James Morris <james.morris@microsoft.com> 
Instead of using argument-based initializers, switch to defining the
contents of struct lsm_info on a per-LSM basis. This also drops
the final use of the now inaccurate "initcall" naming.

Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
Reviewed-by: James Morris <james.morris@microsoft.com>
Signed-off-by: James Morris <james.morris@microsoft.com>
LSM: Convert from initcall to struct lsm_info 2018-10-11T03:40:21+00:00 Kees Cook keescook@chromium.org 2018-10-11T00:18:21+00:00 5b89c1bd4c7e5c5ca8c5374fde35ecee6e16496c In preparation for doing more interesting LSM init probing, this converts the existing initcall system into an explicit call into a function pointer from a section-collected struct lsm_info array. Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: James Morris <james.morris@microsoft.com> Reviewed-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <james.morris@microsoft.com> 
In preparation for doing more interesting LSM init probing, this converts
the existing initcall system into an explicit call into a function pointer
from a section-collected struct lsm_info array.

Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
Reviewed-by: James Morris <james.morris@microsoft.com>
Reviewed-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <james.morris@microsoft.com>
ima: open a new file instance if no read permissions 2018-10-10T19:18:00+00:00 Goldwyn Rodrigues rgoldwyn@suse.de 2018-10-09T15:12:33+00:00 a408e4a86b36bf98ad15b9ada531cf0e5118ac67 Open a new file instance as opposed to changing file->f_mode when the file is not readable. This is done to accomodate overlayfs stacked file operations change. The real struct file is hidden behind the overlays struct file. So, any file->f_mode manipulations are not reflected on the real struct file. Open the file again in read mode if original file cannot be read, read and calculate the hash. Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com> Cc: stable@vger.kernel.org (linux-4.19) Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 
Open a new file instance as opposed to changing file->f_mode when
the file is not readable.  This is done to accomodate overlayfs
stacked file operations change.  The real struct file is hidden
behind the overlays struct file.  So, any file->f_mode manipulations are
not reflected on the real struct file.  Open the file again in read mode
if original file cannot be read, read and calculate the hash.

Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
Cc: stable@vger.kernel.org (linux-4.19)
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
ima: fix showing large 'violations' or 'runtime_measurements_count' 2018-10-10T16:56:16+00:00 Eric Biggers ebiggers@google.com 2018-09-07T21:33:24+00:00 1e4c8dafbb6bf72fb5eca035b861e39c5896c2b7 The 12 character temporary buffer is not necessarily long enough to hold a 'long' value. Increase it. Signed-off-by: Eric Biggers <ebiggers@google.com> Cc: stable@vger.kernel.org Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 
The 12 character temporary buffer is not necessarily long enough to hold
a 'long' value.  Increase it.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
security/integrity: remove unnecessary 'init_keyring' variable 2018-10-10T16:56:15+00:00 Eric Biggers ebiggers@google.com 2018-10-04T00:15:44+00:00 2ab5daf867d1f7898327962d59d3039206294d3a The 'init_keyring' variable actually just gave the value of CONFIG_INTEGRITY_TRUSTED_KEYRING. We should check the config option directly instead. No change in behavior; this just simplifies the code. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 
The 'init_keyring' variable actually just gave the value of
CONFIG_INTEGRITY_TRUSTED_KEYRING.  We should check the config option
directly instead.  No change in behavior; this just simplifies the code.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
security/integrity: constify some read-only data 2018-10-10T16:56:15+00:00 Eric Biggers ebiggers@google.com 2018-09-07T20:22:23+00:00 b2724d5802a77b7fb47e84d9b88b80370eccbc64 Constify some static data that is never modified, so that it is placed in .rodata. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 
Constify some static data that is never modified,
so that it is placed in .rodata.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Merge branch 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2018-08-16T05:54:12+00:00 Linus Torvalds torvalds@linux-foundation.org 2018-08-16T05:54:12+00:00 f91e654474d413201ae578820fb63f8a811f6c4e Pull integrity updates from James Morris: "This adds support for EVM signatures based on larger digests, contains a new audit record AUDIT_INTEGRITY_POLICY_RULE to differentiate the IMA policy rules from the IMA-audit messages, addresses two deadlocks due to either loading or searching for crypto algorithms, and cleans up the audit messages" * 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: EVM: fix return value check in evm_write_xattrs() integrity: prevent deadlock during digsig verification. evm: Allow non-SHA1 digital signatures evm: Don't deadlock if a crypto algorithm is unavailable integrity: silence warning when CONFIG_SECURITYFS is not enabled ima: Differentiate auditing policy rules from "audit" actions ima: Do not audit if CONFIG_INTEGRITY_AUDIT is not set ima: Use audit_log_format() rather than audit_log_string() ima: Call audit_log_string() rather than logging it untrusted 
Pull integrity updates from James Morris:
 "This adds support for EVM signatures based on larger digests, contains
  a new audit record AUDIT_INTEGRITY_POLICY_RULE to differentiate the
  IMA policy rules from the IMA-audit messages, addresses two deadlocks
  due to either loading or searching for crypto algorithms, and cleans
  up the audit messages"

* 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  EVM: fix return value check in evm_write_xattrs()
  integrity: prevent deadlock during digsig verification.
  evm: Allow non-SHA1 digital signatures
  evm: Don't deadlock if a crypto algorithm is unavailable
  integrity: silence warning when CONFIG_SECURITYFS is not enabled
  ima: Differentiate auditing policy rules from "audit" actions
  ima: Do not audit if CONFIG_INTEGRITY_AUDIT is not set
  ima: Use audit_log_format() rather than audit_log_string()
  ima: Call audit_log_string() rather than logging it untrusted
Merge branch 'next-tpm' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2018-08-16T05:51:12+00:00 Linus Torvalds torvalds@linux-foundation.org 2018-08-16T05:51:12+00:00 c715ebeb0303b196f17376f189ae4e168d98b563 Pull TPM updates from James Morris: - Migrate away from PM runtime as explicit cmdReady/goIdle transactions for every command is a spec requirement. PM runtime adds only a layer of complexity on our case. - tpm_tis drivers can now specify the hwrng quality. - TPM 2.0 code uses now tpm_buf for constructing messages. Jarkko thinks Tomas Winkler has done the same for TPM 1.2, and will start digging those changes from the patchwork in the near future. - Bug fixes and clean ups * 'next-tpm' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: ima: Get rid of ima_used_chip and use ima_tpm_chip != NULL instead ima: Use tpm_default_chip() and call TPM functions with a tpm_chip tpm: replace TPM_TRANSMIT_RAW with TPM_TRANSMIT_NESTED tpm: Convert tpm_find_get_ops() to use tpm_default_chip() tpm: Implement tpm_default_chip() to find a TPM chip tpm: rename tpm_chip_find_get() to tpm_find_get_ops() tpm: Allow tpm_tis drivers to set hwrng quality. tpm: Return the actual size when receiving an unsupported command tpm: separate cmd_ready/go_idle from runtime_pm tpm/tpm_i2c_infineon: switch to i2c_lock_bus(..., I2C_LOCK_SEGMENT) tpm_tis_spi: Pass the SPI IRQ down to the driver tpm: migrate tpm2_get_random() to use struct tpm_buf tpm: migrate tpm2_get_tpm_pt() to use struct tpm_buf tpm: migrate tpm2_probe() to use struct tpm_buf tpm: migrate tpm2_shutdown() to use struct tpm_buf 
Pull TPM updates from James Morris:

 - Migrate away from PM runtime as explicit cmdReady/goIdle transactions
   for every command is a spec requirement. PM runtime adds only a layer
   of complexity on our case.

 - tpm_tis drivers can now specify the hwrng quality.

 - TPM 2.0 code uses now tpm_buf for constructing messages. Jarkko
   thinks Tomas Winkler has done the same for TPM 1.2, and will start
   digging those changes from the patchwork in the near future.

 - Bug fixes and clean ups

* 'next-tpm' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  ima: Get rid of ima_used_chip and use ima_tpm_chip != NULL instead
  ima: Use tpm_default_chip() and call TPM functions with a tpm_chip
  tpm: replace TPM_TRANSMIT_RAW with TPM_TRANSMIT_NESTED
  tpm: Convert tpm_find_get_ops() to use tpm_default_chip()
  tpm: Implement tpm_default_chip() to find a TPM chip
  tpm: rename tpm_chip_find_get() to tpm_find_get_ops()
  tpm: Allow tpm_tis drivers to set hwrng quality.
  tpm: Return the actual size when receiving an unsupported command
  tpm: separate cmd_ready/go_idle from runtime_pm
  tpm/tpm_i2c_infineon: switch to i2c_lock_bus(..., I2C_LOCK_SEGMENT)
  tpm_tis_spi: Pass the SPI IRQ down to the driver
  tpm: migrate tpm2_get_random() to use struct tpm_buf
  tpm: migrate tpm2_get_tpm_pt() to use struct tpm_buf
  tpm: migrate tpm2_probe() to use struct tpm_buf
  tpm: migrate tpm2_shutdown() to use struct tpm_buf