linux/security/integrity, branch v4.5 Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ https://git.shady.money/linux/atom?h=v4.5 2016-02-12T07:36:47Z EVM: Use crypto_memneq() for digest comparisons 2016-02-12T07:36:47Z Ryan Ware ware@linux.intel.com 2016-02-11T23:58:44Z urn:sha1:613317bd212c585c20796c10afe5daaa95d4b0a1 This patch fixes vulnerability CVE-2016-2085. The problem exists because the vm_verify_hmac() function includes a use of memcmp(). Unfortunately, this allows timing side channel attacks; specifically a MAC forgery complexity drop from 2^128 to 2^12. This patch changes the memcmp() to the cryptographically safe crypto_memneq(). Reported-by: Xiaofei Rex Guo <xiaofei.rex.guo@intel.com> Signed-off-by: Ryan Ware <ware@linux.intel.com> Cc: stable@vger.kernel.org Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: James Morris <james.l.morris@oracle.com> wrappers for ->i_mutex access 2016-01-22T23:04:28Z Al Viro viro@zeniv.linux.org.uk 2016-01-22T20:40:57Z urn:sha1:5955102c9984fa081b2d570cfac75c97eecf8f3b parallel to mutex_{lock,unlock,trylock,is_locked,lock_nested}, inode_foo(inode) being mutex_foo(&inode->i_mutex). Please, use those for access to ->i_mutex; over the coming cycle ->i_mutex will become rwsem, with ->lookup() done with it held only shared. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2016-01-18T03:13:15Z Linus Torvalds torvalds@linux-foundation.org 2016-01-18T03:13:15Z urn:sha1:5807fcaa9bf7dd87241df739161c119cf78a6bc4 Pull security subsystem updates from James Morris: - EVM gains support for loading an x509 cert from the kernel (EVM_LOAD_X509), into the EVM trusted kernel keyring. - Smack implements 'file receive' process-based permission checking for sockets, rather than just depending on inode checks. - Misc enhancments for TPM & TPM2. - Cleanups and bugfixes for SELinux, Keys, and IMA. * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (41 commits) selinux: Inode label revalidation performance fix KEYS: refcount bug fix ima: ima_write_policy() limit locking IMA: policy can be updated zero times selinux: rate-limit netlink message warnings in selinux_nlmsg_perm() selinux: export validatetrans decisions gfs2: Invalid security labels of inodes when they go invalid selinux: Revalidate invalid inode security labels security: Add hook to invalidate inode security labels selinux: Add accessor functions for inode->i_security security: Make inode argument of inode_getsecid non-const security: Make inode argument of inode_getsecurity non-const selinux: Remove unused variable in selinux_inode_init_security keys, trusted: seal with a TPM2 authorization policy keys, trusted: select hash algorithm for TPM2 chips keys, trusted: fix: *do not* allow duplicate key options tpm_ibmvtpm: properly handle interrupted packet receptions tpm_tis: Tighten IRQ auto-probing tpm_tis: Refactor the interrupt setup tpm_tis: Get rid of the duplicate IRQ probing code ... fix the leak in integrity_read_file() 2016-01-04T15:28:19Z Al Viro viro@zeniv.linux.org.uk 2015-12-25T22:59:12Z urn:sha1:cc4e719e83cd4149bc96b7e1d1a73fe61797df6e Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> ima: ima_write_policy() limit locking 2016-01-03T18:22:38Z Petko Manolov petkan@mip-labs.com 2016-01-03T15:36:38Z urn:sha1:6427e6c71c8b374761b661c4f355762794c171a1 There is no need to hold the ima_write_mutex for so long. We only need it around ima_parse_add_rule(). Changelog: - The return path now takes into account failed kmalloc() call. Reported-by: Al Viro <viro@ZenIV.linux.org.uk> Signed-off-by: Petko Manolov <petkan@mip-labs.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> IMA: policy can be updated zero times 2015-12-24T23:56:45Z Sasha Levin sasha.levin@oracle.com 2015-12-22T13:51:23Z urn:sha1:0112721df4edbdd07b800813300d76811572f080 Commit "IMA: policy can now be updated multiple times" assumed that the policy would be updated at least once. If there are zero updates, the temporary list head object will get added to the policy list, and later dereferenced as an IMA policy object, which means that invalid memory will be accessed. Changelog: - Move list_empty() test to ima_release_policy(), before audit msg - Mimi Signed-off-by: Sasha Levin <sasha.levin@oracle.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> security/integrity: make ima/ima_mok.c explicitly non-modular 2015-12-15T15:01:43Z Paul Gortmaker paul.gortmaker@windriver.com 2015-12-09T22:37:16Z urn:sha1:92cc916638a48f285736cd5541536e2e1b73ecf8 The Kconfig currently controlling compilation of this code is: ima/Kconfig:config IMA_MOK_KEYRING ima/Kconfig: bool "Create IMA machine owner keys (MOK) and blacklist keyrings" ...meaning that it currently is not being built as a module by anyone. Lets remove the couple of traces of modularity so that when reading the driver there is no doubt it really is builtin-only. Since module_init translates to device_initcall in the non-modular case, the init ordering remains unchanged with this commit. Cc: Mimi Zohar <zohar@linux.vnet.ibm.com> Cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com> Cc: James Morris <james.l.morris@oracle.com> Cc: "Serge E. Hallyn" <serge@hallyn.com> Cc: linux-ima-devel@lists.sourceforge.net Cc: linux-ima-user@lists.sourceforge.net Cc: linux-security-module@vger.kernel.org Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> ima: update appraise flags after policy update completes 2015-12-15T15:01:43Z Mimi Zohar zohar@linux.vnet.ibm.com 2015-12-07T19:35:47Z urn:sha1:6ad6afa14610c1fed3303c719b1f8f86f19f1fd3 While creating a temporary list of new rules, the ima_appraise flag is updated, but not reverted on failure to append the new rules to the existing policy. This patch defines temp_ima_appraise flag. Only when the new rules are appended to the policy is the flag updated. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Acked-by: Petko Manolov <petkan@mip-labs.com> IMA: prevent keys on the .ima_blacklist from being removed 2015-12-15T15:01:43Z Mimi Zohar zohar@linux.vnet.ibm.com 2015-11-10T14:00:38Z urn:sha1:501f1bde66525f94403a5b78832a9218ef9b1c14 Set the KEY_FLAGS_KEEP on the .ima_blacklist to prevent userspace from removing keys from the keyring. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> IMA: allow reading back the current IMA policy 2015-12-15T15:01:43Z Petko Manolov petkan@mip-labs.com 2015-12-02T15:47:56Z urn:sha1:80eae209d63ac6361c7b445f7e7e41f39c044772 It is often useful to be able to read back the IMA policy. It is even more important after introducing CONFIG_IMA_WRITE_POLICY. This option allows the root user to see the current policy rules. Signed-off-by: Zbigniew Jasinski <z.jasinski@samsung.com> Signed-off-by: Petko Manolov <petkan@mip-labs.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>