Commit 67e2dcff authored by Linus Torvalds
Pull integrity update from Mimi Zohar:
 "One doc and one code cleanup, and two bug fixes"

* tag 'integrity-v6.3' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
  ima: Introduce MMAP_CHECK_REQPROT hook
  ima: Align ima_file_mmap() parameters with mmap_file LSM hook
  evm: call dump_security_xattr() in all cases to remove code duplication
  ima: fix ima_delete_rules() kernel-doc warning
  ima: return IMA digest value only when IMA_COLLECTED flag is set
  ima: fix error handling logic when file measurement failed
parents 70756b49 4958db32
+1 −1
@@ -35,7 +35,7 @@ Description:
				[FIRMWARE_CHECK]
				[KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
				[KEXEC_CMDLINE] [KEY_CHECK] [CRITICAL_DATA]
				[SETXATTR_CHECK]
				[SETXATTR_CHECK][MMAP_CHECK_REQPROT]
			mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
			       [[^]MAY_EXEC]
			fsmagic:= hex value
+4 −2
@@ -21,7 +21,8 @@ extern int ima_file_check(struct file *file, int mask);
extern void ima_post_create_tmpfile(struct mnt_idmap *idmap,
				    struct inode *inode);
extern void ima_file_free(struct file *file);
extern int ima_file_mmap(struct file *file, unsigned long prot);
extern int ima_file_mmap(struct file *file, unsigned long reqprot,
			 unsigned long prot, unsigned long flags);
extern int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot);
extern int ima_load_data(enum kernel_load_data_id id, bool contents);
extern int ima_post_load_data(char *buf, loff_t size,
@@ -76,7 +77,8 @@ static inline void ima_file_free(struct file *file)
	return;
}

static inline int ima_file_mmap(struct file *file, unsigned long prot)
static inline int ima_file_mmap(struct file *file, unsigned long reqprot,
				unsigned long prot, unsigned long flags)
{
	return 0;
}
+16 −17
@@ -183,7 +183,7 @@ static void hmac_add_misc(struct shash_desc *desc, struct inode *inode,
 * Dump large security xattr values as a continuous ascii hexademical string.
 * (pr_debug is limited to 64 bytes.)
 */
static void dump_security_xattr(const char *prefix, const void *src,
static void dump_security_xattr_l(const char *prefix, const void *src,
				  size_t count)
{
#if defined(DEBUG) || defined(CONFIG_DYNAMIC_DEBUG)
@@ -200,6 +200,16 @@ static void dump_security_xattr(const char *prefix, const void *src,
#endif
}

static void dump_security_xattr(const char *name, const char *value,
				size_t value_len)
{
	if (value_len < 64)
		pr_debug("%s: (%zu) [%*phN]\n", name, value_len,
			 (int)value_len, value);
	else
		dump_security_xattr_l(name, value, value_len);
}

/*
 * Calculate the HMAC value across the set of protected security xattrs.
 *
@@ -254,12 +264,6 @@ static int evm_calc_hmac_or_hash(struct dentry *dentry,
			if (is_ima)
				ima_present = true;

			if (req_xattr_value_len < 64)
				pr_debug("%s: (%zu) [%*phN]\n", req_xattr_name,
					 req_xattr_value_len,
					 (int)req_xattr_value_len,
					 req_xattr_value);
			else
			dump_security_xattr(req_xattr_name,
					    req_xattr_value,
					    req_xattr_value_len);
@@ -286,12 +290,7 @@ static int evm_calc_hmac_or_hash(struct dentry *dentry,
		if (is_ima)
			ima_present = true;

		if (xattr_size < 64)
			pr_debug("%s: (%zu) [%*phN]", xattr->name, xattr_size,
				 (int)xattr_size, xattr_value);
		else
			dump_security_xattr(xattr->name, xattr_value,
					    xattr_size);
		dump_security_xattr(xattr->name, xattr_value, xattr_size);
	}
	hmac_add_misc(desc, inode, type, data->digest);

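Review bot: The `64` threshold in the new dump_security_xattr() is the same limit the comment above dump_security_xattr_l() describes (pr_debug's 64-byte cap), but nothing in the code ties the two together, and the `(int)value_len` width cast on the following line is only safe because of that bound. A named constant shared by both functions, or at least a comment on the branch such as `/* %ph prints at most 64 bytes; larger values go through dump_security_xattr_l() */`, would make the coupling explicit for the next maintainer. Minor: the shared format string always ends in a newline, while the pr_debug() removed from the second call site in evm_calc_hmac_or_hash() did not, so that path's debug output changes slightly; evm_calc_hmac_or_hash() itself starts and ends outside the hunks shown.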
+1 −0
@@ -190,6 +190,7 @@ static inline unsigned int ima_hash_key(u8 *digest)
	hook(NONE, none)				\
	hook(FILE_CHECK, file)				\
	hook(MMAP_CHECK, mmap)				\
	hook(MMAP_CHECK_REQPROT, mmap_reqprot)		\
	hook(BPRM_CHECK, bprm)				\
	hook(CREDS_CHECK, creds)			\
	hook(POST_SETATTR, post_setattr)		\
+3 −2
@@ -179,7 +179,8 @@ void ima_add_violation(struct file *file, const unsigned char *filename,
 *		subj=, obj=, type=, func=, mask=, fsmagic=
 *	subj,obj, and type: are LSM specific.
 *	func: FILE_CHECK | BPRM_CHECK | CREDS_CHECK | MMAP_CHECK | MODULE_CHECK
 *	| KEXEC_CMDLINE | KEY_CHECK | CRITICAL_DATA
 *	| KEXEC_CMDLINE | KEY_CHECK | CRITICAL_DATA | SETXATTR_CHECK
 *	| MMAP_CHECK_REQPROT
 *	mask: contains the permission mask
 *	fsmagic: hex value
 *
@@ -292,7 +293,7 @@ int ima_collect_measurement(struct integrity_iint_cache *iint,
		result = ima_calc_file_hash(file, &hash.hdr);
	}

	if (result == -ENOMEM)
	if (result && result != -EBADF && result != -EINVAL)
		goto out;

	length = sizeof(hash.hdr) + hash.hdr.length;
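Review bot: The new condition `if (result && result != -EBADF && result != -EINVAL)` exempts exactly two errors from the `goto out`, but the hunk gives no reason why those two are allowed to fall through into the measurement below, which makes the check easy to "fix" back to a plain error test later. A short comment stating the intent, for example `/* -EBADF/-EINVAL: file could not be read; still record the measurement */` if that is indeed the reason, would anchor it. On the fall-through path `hash.hdr.length` is read on the next line after a failed ima_calc_file_hash(); whether it is initialised before that call is outside the hunk, so that is worth confirming. ima_collect_measurement() starts and ends outside the hunk.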