linux/security/integrity/ima, branch v4.5

wrappers for ->i_mutex access

2016-01-22T23:04:28Z

parallel to mutex_{lock,unlock,trylock,is_locked,lock_nested}, inode_foo(inode) being mutex_foo(&inode->i_mutex). Please, use those for access to ->i_mutex; over the coming cycle ->i_mutex will become rwsem, with ->lookup() done with it held only shared. Signed-off-by: Al Viro

ima: ima_write_policy() limit locking

2016-01-03T18:22:38Z

There is no need to hold the ima_write_mutex for so long. We only need it around ima_parse_add_rule(). Changelog: - The return path now takes into account failed kmalloc() call. Reported-by: Al Viro Signed-off-by: Petko Manolov Signed-off-by: Mimi Zohar

IMA: policy can be updated zero times

2015-12-24T23:56:45Z

Commit "IMA: policy can now be updated multiple times" assumed that the policy would be updated at least once. If there are zero updates, the temporary list head object will get added to the policy list, and later dereferenced as an IMA policy object, which means that invalid memory will be accessed. Changelog: - Move list_empty() test to ima_release_policy(), before audit msg - Mimi Signed-off-by: Sasha Levin Signed-off-by: Mimi Zohar

security/integrity: make ima/ima_mok.c explicitly non-modular

2015-12-15T15:01:43Z

The Kconfig currently controlling compilation of this code is: ima/Kconfig:config IMA_MOK_KEYRING ima/Kconfig: bool "Create IMA machine owner keys (MOK) and blacklist keyrings" ...meaning that it currently is not being built as a module by anyone. Lets remove the couple of traces of modularity so that when reading the driver there is no doubt it really is builtin-only. Since module_init translates to device_initcall in the non-modular case, the init ordering remains unchanged with this commit. Cc: Mimi Zohar Cc: Dmitry Kasatkin Cc: James Morris Cc: "Serge E. Hallyn" Cc: linux-ima-devel@lists.sourceforge.net Cc: linux-ima-user@lists.sourceforge.net Cc: linux-security-module@vger.kernel.org Signed-off-by: Paul Gortmaker Signed-off-by: Mimi Zohar

ima: update appraise flags after policy update completes

2015-12-15T15:01:43Z

While creating a temporary list of new rules, the ima_appraise flag is updated, but not reverted on failure to append the new rules to the existing policy. This patch defines temp_ima_appraise flag. Only when the new rules are appended to the policy is the flag updated. Signed-off-by: Mimi Zohar Acked-by: Petko Manolov

IMA: prevent keys on the .ima_blacklist from being removed

2015-12-15T15:01:43Z

Set the KEY_FLAGS_KEEP on the .ima_blacklist to prevent userspace from removing keys from the keyring. Signed-off-by: Mimi Zohar

IMA: allow reading back the current IMA policy

2015-12-15T15:01:43Z

It is often useful to be able to read back the IMA policy. It is even more important after introducing CONFIG_IMA_WRITE_POLICY. This option allows the root user to see the current policy rules. Signed-off-by: Zbigniew Jasinski Signed-off-by: Petko Manolov Signed-off-by: Mimi Zohar

IMA: create machine owner and blacklist keyrings

2015-12-15T15:01:43Z

This option creates IMA MOK and blacklist keyrings. IMA MOK is an intermediate keyring that sits between .system and .ima keyrings, effectively forming a simple CA hierarchy. To successfully import a key into .ima_mok it must be signed by a key which CA is in .system keyring. On turn any key that needs to go in .ima keyring must be signed by CA in either .system or .ima_mok keyrings. IMA MOK is empty at kernel boot. IMA blacklist keyring contains all revoked IMA keys. It is consulted before any other keyring. If the search is successful the requested operation is rejected and error is returned to the caller. Signed-off-by: Petko Manolov Signed-off-by: Mimi Zohar

IMA: policy can now be updated multiple times

2015-12-15T15:01:43Z

The new rules get appended to the original policy, forming a queue. The new rules are first added to a temporary list, which on error get released without disturbing the normal IMA operations. On success both lists (the current policy and the new rules) are spliced. IMA policy reads are many orders of magnitude more numerous compared to writes, the match code is RCU protected. The updater side also does list splice in RCU manner. Signed-off-by: Petko Manolov Signed-off-by: Mimi Zohar

integrity: define '.evm' as a builtin 'trusted' keyring

2015-11-23T19:30:02Z

Require all keys added to the EVM keyring be signed by an existing trusted key on the system trusted keyring. This patch also switches IMA to use integrity_init_keyring(). Changes in v3: * Added 'init_keyring' config based variable to skip initializing keyring instead of using __integrity_init_keyring() wrapper. * Added dependency back to CONFIG_IMA_TRUSTED_KEYRING Changes in v2: * Replace CONFIG_EVM_TRUSTED_KEYRING with IMA and EVM common CONFIG_INTEGRITY_TRUSTED_KEYRING configuration option * Deprecate CONFIG_IMA_TRUSTED_KEYRING but keep it for config file compatibility. (Mimi Zohar) Signed-off-by: Dmitry Kasatkin Signed-off-by: Mimi Zohar