linux/security/integrity, branch v6.14

ima: Reset IMA_NONACTION_RULE_FLAGS after post_setattr

2025-02-05T02:36:43Z

Commit 0d73a55208e9 ("ima: re-introduce own integrity cache lock") mistakenly reverted the performance improvement introduced in commit 42a4c603198f0 ("ima: fix ima_inode_post_setattr"). The unused bit mask was subsequently removed by commit 11c60f23ed13 ("integrity: Remove unused macro IMA_ACTION_RULE_FLAGS"). Restore the performance improvement by introducing the new mask IMA_NONACTION_RULE_FLAGS, equal to IMA_NONACTION_FLAGS without IMA_NEW_FILE, which is not a rule-specific flag. Finally, reset IMA_NONACTION_RULE_FLAGS instead of IMA_NONACTION_FLAGS in process_measurement(), if the IMA_CHANGE_ATTR atomic flag is set (after file metadata modification). With this patch, new files for which metadata were modified while they are still open, can be reopened before the last file close (when security.ima is written), since the IMA_NEW_FILE flag is not cleared anymore. Otherwise, appraisal fails because security.ima is missing (files with IMA_NEW_FILE set are an exception). Cc: stable@vger.kernel.org # v4.16.x Fixes: 0d73a55208e9 ("ima: re-introduce own integrity cache lock") Signed-off-by: Roberto Sassu Signed-off-by: Mimi Zohar

integrity: fix typos and spelling errors

2025-02-05T02:36:43Z

Fix typos and spelling errors in integrity module comments that were identified using the codespell tool. No functional changes - documentation only. Signed-off-by: Tanya Agarwal Reviewed-by: Mimi Zohar Signed-off-by: Mimi Zohar

Merge tag 'AT_EXECVE_CHECK-v6.14-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux

2025-01-23T04:34:42Z

Pull AT_EXECVE_CHECK from Kees Cook: - Implement AT_EXECVE_CHECK flag to execveat(2) (Mickaël Salaün) - Implement EXEC_RESTRICT_FILE and EXEC_DENY_INTERACTIVE securebits (Mickaël Salaün) - Add selftests and samples for AT_EXECVE_CHECK (Mickaël Salaün) * tag 'AT_EXECVE_CHECK-v6.14-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: ima: instantiate the bprm_creds_for_exec() hook samples/check-exec: Add an enlighten "inc" interpreter and 28 tests selftests: ktap_helpers: Fix uninitialized variable samples/check-exec: Add set-exec selftests/landlock: Add tests for execveat + AT_EXECVE_CHECK selftests/exec: Add 32 tests for AT_EXECVE_CHECK and exec securebits security: Add EXEC_RESTRICT_FILE and EXEC_DENY_INTERACTIVE securebits exec: Add a new AT_EXECVE_CHECK flag to execveat(2)

ima: ignore suffixed policy rule comments

2025-01-03T15:18:43Z

Lines beginning with '#' in the IMA policy are comments and are ignored. Instead of placing the rule and comment on separate lines, allow the comment to be suffixed to the IMA policy rule. Reviewed-by: Petr Vorel Reviewed-by: Jarkko Sakkinen Signed-off-by: Mimi Zohar

ima: limit the builtin 'tcb' dont_measure tmpfs policy rule

2025-01-03T15:18:24Z

With a custom policy similar to the builtin IMA 'tcb' policy [1], arch specific policy, and a kexec boot command line measurement policy rule, the kexec boot command line is not measured due to the dont_measure tmpfs rule. Limit the builtin 'tcb' dont_measure tmpfs policy rule to just the "func=FILE_CHECK" hook. Depending on the end users security threat model, a custom policy might not even include this dont_measure tmpfs rule. Note: as a result of this policy rule change, other measurements might also be included in the IMA-measurement list that previously weren't included. [1] https://ima-doc.readthedocs.io/en/latest/ima-policy.html#ima-tcb Reviewed-by: Petr Vorel Signed-off-by: Mimi Zohar

ima: kexec: silence RCU list traversal warning

2024-12-24T18:56:45Z

The ima_measurements list is append-only and doesn't require rcu_read_lock() protection. However, lockdep issues a warning when traversing RCU lists without the read lock: security/integrity/ima/ima_kexec.c:40 RCU-list traversed in non-reader section!! Fix this by using the variant of list_for_each_entry_rcu() with the last argument set to true. This tells the RCU subsystem that traversing this append-only list without the read lock is intentional and safe. This change silences the lockdep warning while maintaining the correct semantics for the append-only list traversal. Signed-off-by: Breno Leitao Signed-off-by: Mimi Zohar

ima: instantiate the bprm_creds_for_exec() hook

2024-12-19T01:00:29Z

Like direct file execution (e.g. ./script.sh), indirect file execution (e.g. sh script.sh) needs to be measured and appraised. Instantiate the new security_bprm_creds_for_exec() hook to measure and verify the indirect file's integrity. Unlike direct file execution, indirect file execution is optionally enforced by the interpreter. Differentiate kernel and userspace enforced integrity audit messages. Co-developed-by: Roberto Sassu Signed-off-by: Roberto Sassu Signed-off-by: Mimi Zohar Tested-by: Stefan Berger Reviewed-by: Mickaël Salaün Signed-off-by: Mickaël Salaün Link: https://lore.kernel.org/r/20241212174223.389435-9-mic@digikod.net Signed-off-by: Kees Cook

ima: Suspend PCR extends and log appends when rebooting

2024-12-11T16:55:53Z

To avoid the following types of error messages due to a failure by the TPM driver to use the TPM, suspend TPM PCR extensions and the appending of entries to the IMA log once IMA's reboot notifier has been called. This avoids trying to use the TPM after the TPM subsystem has been shut down. [111707.685315][ T1] ima: Error Communicating to TPM chip, result: -19 [111707.685960][ T1] ima: Error Communicating to TPM chip, result: -19 Synchronization with the ima_extend_list_mutex to set ima_measurements_suspended ensures that the TPM subsystem is not shut down when IMA holds the mutex while appending to the log and extending the PCR. The alternative of reading the system_state variable would not provide this guarantee. This error could be observed on a ppc64 machine running SuSE Linux where processes are still accessing files after devices have been shut down. Suspending the IMA log and PCR extensions shortly before reboot does not seem to open a significant measurement gap since neither TPM quoting would work for attestation nor that new log entries could be written to anywhere after devices have been shut down. However, there's a time window between the invocation of the reboot notifier and the shutdown of devices. This includes all subsequently invoked reboot notifiers as well as kernel_restart_prepare() where __usermodehelper_disable() waits for all running_helpers to exit. During this time window IMA could now miss log entries even though attestation would still work. The reboot of the system shortly after may make this small gap insignificant. Signed-off-by: Tushar Sugandhi Signed-off-by: Stefan Berger Reviewed-by: Jarkko Sakkinen Signed-off-by: Mimi Zohar

Merge tag 'lsm-pr-20241129' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm

2024-12-01T02:14:56Z

Pull ima fix from Paul Moore: "One small patch to fix a function parameter / local variable naming snafu that went up to you in the current merge window" * tag 'lsm-pr-20241129' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm: ima: uncover hidden variable in ima_match_rules()

ima: uncover hidden variable in ima_match_rules()

2024-11-27T03:58:03Z

The variable name "prop" is inadvertently used twice in ima_match_rules(), resulting in incorrect use of the local variable when the function parameter should have been. Rename the local variable and correct the use of the parameter. Suggested-by: Roberto Sassu Signed-off-by: Casey Schaufler Acked-by: Roberto Sassu [PM: subj tweak, Roberto's ACK] Signed-off-by: Paul Moore