1. 02 Feb, 2018 1 commit
  2. 18 Dec, 2017 1 commit
  3. 11 Dec, 2017 1 commit
    • Dmitry Kasatkin's avatar
      ima: re-introduce own integrity cache lock · 0d73a552
      Dmitry Kasatkin authored
      Before IMA appraisal was introduced, IMA was using own integrity cache
      lock along with i_mutex. process_measurement and ima_file_free took
      the iint->mutex first and then the i_mutex, while setxattr, chmod and
      chown took the locks in reverse order. To resolve the potential deadlock,
      i_mutex was moved to protect entire IMA functionality and the redundant
      iint->mutex was eliminated.
      
      Solution was based on the assumption that filesystem code does not take
      i_mutex further. But when file is opened with O_DIRECT flag, direct-io
      implementation takes i_mutex and produces deadlock. Furthermore, certain
      other filesystem operations, such as llseek, also take i_mutex.
      
      More recently some filesystems have replaced their filesystem specific
      lock with the global i_rwsem to read a file.  As a result, when IMA
      attempts to calculate the file hash, reading the file attempts to take
      the i_rwsem again.
      
      To resolve O_DIRECT related deadlock problem, this patch re-introduces
      iint->mutex. But to eliminate the original chmod() related deadlock
      problem, this patch eliminates the requirement for chmod hooks to take
      the iint->mutex by introducing additional atomic iint->attr_flags to
      indicate calling of the hooks. The allowed locking order is to take
      the iint->mutex first and then the i_rwsem.
      
      Original flags were cleared in chmod(), setxattr() or removwxattr()
      hooks and tested when file was closed or opened again. New atomic flags
      are set or cleared in those hooks and tested to clear iint->flags on
      close or on open.
      
      Atomic flags are following:
      * IMA_CHANGE_ATTR - indicates that chATTR() was called (chmod, chown,
        chgrp) and file attributes have changed. On file open, it causes IMA
        to clear iint->flags to re-evaluate policy and perform IMA functions
        again.
      * IMA_CHANGE_XATTR - indicates that setxattr or removexattr was called
        and extended attributes have changed. On file open, it causes IMA to
        clear iint->flags IMA_DONE_MASK to re-appraise.
      * IMA_UPDATE_XATTR - indicates that security.ima needs to be updated.
        It is cleared if file policy changes and no update is needed.
      * IMA_DIGSIG - indicates that file security.ima has signature and file
        security.ima must not update to file has on file close.
      * IMA_MUST_MEASURE - indicates the file is in the measurement policy.
      
      Fixes: Commit 65523218
      
       ("xfs: remove i_iolock and use i_rwsem in
      the VFS inode instead")
      
      Signed-off-by: default avatarDmitry Kasatkin <dmitry.kasatkin@huawei.com>
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      0d73a552
  4. 08 Nov, 2017 1 commit
  5. 21 Jun, 2017 1 commit
    • Thiago Jung Bauermann's avatar
      integrity: Small code improvements · bb543e39
      Thiago Jung Bauermann authored
      
      
      These changes are too small to warrant their own patches:
      
      The keyid and sig_size members of struct signature_v2_hdr are in BE format,
      so use a type that makes this assumption explicit. Also, use beXX_to_cpu
      instead of __beXX_to_cpu to read them.
      
      Change integrity_kernel_read to take a void * buffer instead of char *
      buffer, so that callers don't have to use a cast if they provide a buffer
      that isn't a char *.
      
      Add missing #endif comment in ima.h pointing out which macro it refers to.
      
      Add missing fall through comment in ima_appraise.c.
      
      Constify mask_tokens and func_tokens arrays.
      
      Signed-off-by: default avatarThiago Jung Bauermann <bauerman@linux.vnet.ibm.com>
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      bb543e39
  6. 30 Jun, 2016 1 commit
  7. 21 Feb, 2016 1 commit
  8. 04 Jan, 2016 1 commit
  9. 15 Dec, 2015 1 commit
  10. 21 May, 2015 1 commit
  11. 18 Nov, 2014 3 commits
  12. 07 Oct, 2014 1 commit
    • Dmitry Kasatkin's avatar
      ima: check ima_policy_flag in the ima_file_free() hook · 0f34a006
      Dmitry Kasatkin authored
      This patch completes the switching to the 'ima_policy_flag' variable
      in the checks at the beginning of IMA functions, starting with the
      commit a756024e
      
      .
      
      Checking 'iint_initialized' is completely unnecessary, because
      S_IMA flag is unset if iint was not allocated. At the same time
      the integrity cache is allocated with SLAB_PANIC and the kernel will
      panic if the allocation fails during kernel initialization. So on
      a running system iint_initialized is always true and can be removed.
      
      Changes in v3:
      * not limiting test to IMA_APPRAISE (spotted by Roberto Sassu)
      
      Changes in v2:
      * 'iint_initialized' removal patch merged to this patch (requested
         by Mimi)
      
      Signed-off-by: default avatarDmitry Kasatkin <d.kasatkin@samsung.com>
      Acked-by: default avatarRoberto Sassu <roberto.sassu@polito.it>
      0f34a006
  13. 07 Mar, 2014 1 commit
  14. 25 Oct, 2013 1 commit
  15. 22 Jan, 2013 1 commit
    • Mimi Zohar's avatar
      ima: per hook cache integrity appraisal status · d79d72e0
      Mimi Zohar authored
      
      
      With the new IMA policy 'appraise_type=' option, different hooks
      can require different methods for appraising a file's integrity.
      
      For example, the existing 'ima_appraise_tcb' policy defines a
      generic rule, requiring all root files to be appraised, without
      specfying the appraisal method.  A more specific rule could require
      all kernel modules, for example, to be signed.
      
      appraise fowner=0 func=MODULE_CHECK appraise_type=imasig
      appraise fowner=0
      
      As a result, the integrity appraisal results for the same inode, but
      for different hooks, could differ.  This patch caches the integrity
      appraisal results on a per hook basis.
      
      Changelog v2:
      - Rename ima_cache_status() to ima_set_cache_status()
      - Rename and move get_appraise_status() to ima_get_cache_status()
      Changelog v0:
      - include IMA_APPRAISE/APPRAISED_SUBMASK in IMA_DO/DONE_MASK (Dmitry)
      - Support independent MODULE_CHECK appraise status.
      - fixed IMA_XXXX_APPRAISE/APPRAISED flags
      
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      Signed-off-by: default avatarDmitry Kasatkin <dmitry.kasatkin@intel.com>
      d79d72e0
  16. 07 Sep, 2012 3 commits
    • Dmitry Kasatkin's avatar
      ima: replace iint spinblock with rwlock/read_lock · a10bf26b
      Dmitry Kasatkin authored
      
      
      For performance, replace the iint spinlock with rwlock/read_lock.
      
      Eric Paris questioned this change, from spinlocks to rwlocks, saying
      "rwlocks have been shown to actually be slower on multi processor
      systems in a number of cases due to the cache line bouncing required."
      
      Based on performance measurements compiling the kernel on a cold
      boot with multiple jobs with/without this patch, Dmitry Kasatkin
      and I found that rwlocks performed better than spinlocks, but very
      insignificantly.  For example with total compilation time around 6
      minutes, with rwlocks time was 1 - 3 seconds shorter... but always
      like that.
      
      Changelog v2:
      - new patch taken from the 'allocating iint improvements' patch
      
      Signed-off-by: default avatarDmitry Kasatkin <dmitry.kasatkin@intel.com>
      Signed-off-by: default avatarMimi Zohar <zohar@us.ibm.com>
      a10bf26b
    • Dmitry Kasatkin's avatar
      ima: allocating iint improvements · bf2276d1
      Dmitry Kasatkin authored
      
      
      With IMA-appraisal's removal of the iint mutex and taking the i_mutex
      instead, allocating the iint becomes a lot simplier, as we don't need
      to be concerned with two processes racing to allocate the iint. This
      patch cleans up and improves performance for allocating the iint.
      
      - removed redundant double i_mutex locking
      - combined iint allocation with tree search
      
      Changelog v2:
      - removed the rwlock/read_lock changes from this patch
      
      Signed-off-by: default avatarDmitry Kasatkin <dmitry.kasatkin@intel.com>
      Signed-off-by: default avatarMimi Zohar <zohar@us.ibm.com>
      bf2276d1
    • Mimi Zohar's avatar
      ima: integrity appraisal extension · 2fe5d6de
      Mimi Zohar authored
      
      
      IMA currently maintains an integrity measurement list used to assert the
      integrity of the running system to a third party.  The IMA-appraisal
      extension adds local integrity validation and enforcement of the
      measurement against a "good" value stored as an extended attribute
      'security.ima'.  The initial methods for validating 'security.ima' are
      hashed based, which provides file data integrity, and digital signature
      based, which in addition to providing file data integrity, provides
      authenticity.
      
      This patch creates and maintains the 'security.ima' xattr, containing
      the file data hash measurement.  Protection of the xattr is provided by
      EVM, if enabled and configured.
      
      Based on policy, IMA calls evm_verifyxattr() to verify a file's metadata
      integrity and, assuming success, compares the file's current hash value
      with the one stored as an extended attribute in 'security.ima'.
      
      Changelov v4:
      - changed iint cache flags to hex values
      
      Changelog v3:
      - change appraisal default for filesystems without xattr support to fail
      
      Changelog v2:
      - fix audit msg 'res' value
      - removed unused 'ima_appraise=' values
      
      Changelog v1:
      - removed unused iint mutex (Dmitry Kasatkin)
      - setattr hook must not reset appraised (Dmitry Kasatkin)
      - evm_verifyxattr() now differentiates between no 'security.evm' xattr
        (INTEGRITY_NOLABEL) and no EVM 'protected' xattrs included in the
        'security.evm' (INTEGRITY_NOXATTRS).
      - replace hash_status with ima_status (Dmitry Kasatkin)
      - re-initialize slab element ima_status on free (Dmitry Kasatkin)
      - include 'security.ima' in EVM if CONFIG_IMA_APPRAISE, not CONFIG_IMA
      - merged half "ima: ima_must_appraise_or_measure API change" (Dmitry Kasatkin)
      - removed unnecessary error variable in process_measurement() (Dmitry Kasatkin)
      - use ima_inode_post_setattr() stub function, if IMA_APPRAISE not configured
        (moved ima_inode_post_setattr() to ima_appraise.c)
      - make sure ima_collect_measurement() can read file
      
      Changelog:
      - add 'iint' to evm_verifyxattr() call (Dimitry Kasatkin)
      - fix the race condition between chmod, which takes the i_mutex and then
        iint->mutex, and ima_file_free() and process_measurement(), which take
        the locks in the reverse order, by eliminating iint->mutex. (Dmitry Kasatkin)
      - cleanup of ima_appraise_measurement() (Dmitry Kasatkin)
      - changes as a result of the iint not allocated for all regular files, but
        only for those measured/appraised.
      - don't try to appraise new/empty files
      - expanded ima_appraisal description in ima/Kconfig
      - IMA appraise definitions required even if IMA_APPRAISE not enabled
      - add return value to ima_must_appraise() stub
      - unconditionally set status = INTEGRITY_PASS *after* testing status,
        not before.  (Found by Joe Perches)
      
      Signed-off-by: default avatarMimi Zohar <zohar@us.ibm.com>
      Signed-off-by: default avatarDmitry Kasatkin <dmitry.kasatkin@intel.com>
      2fe5d6de
  17. 14 Sep, 2011 1 commit
  18. 18 Jul, 2011 3 commits
    • Dmitry Kasatkin's avatar
      evm: replace hmac_status with evm_status · 24e0198e
      Dmitry Kasatkin authored
      
      
      We will use digital signatures in addtion to hmac.
      
      Signed-off-by: default avatarDmitry Kasatkin <dmitry.kasatkin@nokia.com>
      Signed-off-by: default avatarMimi Zohar <zohar@us.ibm.com>
      24e0198e
    • Mimi Zohar's avatar
      evm: re-release · 66dbc325
      Mimi Zohar authored
      EVM protects a file's security extended attributes(xattrs) against integrity
      attacks.  This patchset provides the framework and an initial method.  The
      initial method maintains an HMAC-sha1 value across the security extended
      attributes, storing the HMAC value as the extended attribute 'security.evm'.
      Other methods of validating the integrity of a file's metadata will be posted
      separately (eg. EVM-digital-signatures).
      
      While this patchset does authenticate the security xattrs, and
      cryptographically binds them to the inode, coming extensions will bind other
      directory and inode metadata for more complete protection.  To help simplify
      the review and upstreaming process, each extension will be posted separately
      (eg. IMA-appraisal, IMA-appraisal-directory).  For a general overview of the
      proposed Linux integrity subsystem, refer to Dave Safford's whitepaper:
      http://downloads.sf.net/project/linux-ima/linux-ima/Integrity_overview.pdf.
      
      EVM depends on the Kernel Key Retention System to provide it with a
      trusted/encrypted key for the HMAC-sha1 operation. The key is loaded onto the
      root's keyring using keyctl.  Until EVM receives notification that the key has
      been successfully loaded onto the keyring (echo 1 > <securityfs>/evm), EVM can
      not create or validate the 'security.evm' xattr, but returns INTEGRITY_UNKNOWN.
      Loading the key and signaling EVM should be done as early as possible. Normally
      this is done in the initramfs, which has already been measured as part of the
      trusted boot.  For more information on creating and loading existing
      trusted/encrypted keys, refer to Documentation/keys-trusted-encrypted.txt.  A
      sample dracut patch, which loads the trusted/encrypted key and enables EVM, is
      available from http://linux-ima.sourceforge.net/#EVM
      
      .
      
      Based on the LSMs enabled, the set of EVM protected security xattrs is defined
      at compile.  EVM adds the following three calls to the existing security hooks:
      evm_inode_setxattr(), evm_inode_post_setxattr(), and evm_inode_removexattr.  To
      initialize and update the 'security.evm' extended attribute, EVM defines three
      calls: evm_inode_post_init(), evm_inode_post_setattr() and
      evm_inode_post_removexattr() hooks.  To verify the integrity of a security
      xattr, EVM exports evm_verifyxattr().
      
      Changelog v7:
      - Fixed URL in EVM ABI documentation
      
      Changelog v6: (based on Serge Hallyn's review)
      - fix URL in patch description
      - remove evm_hmac_size definition
      - use SHA1_DIGEST_SIZE (removed both MAX_DIGEST_SIZE and evm_hmac_size)
      - moved linux include before other includes
      - test for crypto_hash_setkey failure
      - fail earlier for invalid key
      - clear entire encrypted key, even on failure
      - check xattr name length before comparing xattr names
      
      Changelog:
      - locking based on i_mutex, remove evm_mutex
      - using trusted/encrypted keys for storing the EVM key used in the HMAC-sha1
        operation.
      - replaced crypto hash with shash (Dmitry Kasatkin)
      - support for additional methods of verifying the security xattrs
        (Dmitry Kasatkin)
      - iint not allocated for all regular files, but only for those appraised
      - Use cap_sys_admin in lieu of cap_mac_admin
      - Use __vfs_setxattr_noperm(), without permission checks, from EVM
      
      Signed-off-by: default avatarMimi Zohar <zohar@us.ibm.com>
      Acked-by: default avatarSerge Hallyn <serge.hallyn@canonical.com>
      66dbc325
    • Mimi Zohar's avatar
      integrity: move ima inode integrity data management · f381c272
      Mimi Zohar authored
      
      
      Move the inode integrity data(iint) management up to the integrity directory
      in order to share the iint among the different integrity models.
      
      Changelog:
      - don't define MAX_DIGEST_SIZE
      - rename several globally visible 'ima_' prefixed functions, structs,
        locks, etc to 'integrity_'
      - replace '20' with SHA1_DIGEST_SIZE
      - reflect location change in appropriate Kconfig and Makefiles
      - remove unnecessary initialization of iint_initialized to 0
      - rebased on current ima_iint.c
      - define integrity_iint_store/lock as static
      
      There should be no other functional changes.
      
      Signed-off-by: default avatarMimi Zohar <zohar@us.ibm.com>
      Acked-by: default avatarSerge Hallyn <serge.hallyn@ubuntu.com>
      f381c272