linux/security/integrity/evm, branch v3.2.52

evm: checking if removexattr is not a NULL

2013-02-06T04:33:40Z

commit a67adb997419fb53540d4a4f79c6471c60bc69b6 upstream. The following lines of code produce a kernel oops. fd = socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0); fchmod(fd, 0666); [ 139.922364] BUG: unable to handle kernel NULL pointer dereference at (null) [ 139.924982] IP: [< (null)>] (null) [ 139.924982] *pde = 00000000 [ 139.924982] Oops: 0000 [#5] SMP [ 139.924982] Modules linked in: fuse dm_crypt dm_mod i2c_piix4 serio_raw evdev binfmt_misc button [ 139.924982] Pid: 3070, comm: acpid Tainted: G D 3.8.0-rc2-kds+ #465 Bochs Bochs [ 139.924982] EIP: 0060:[<00000000>] EFLAGS: 00010246 CPU: 0 [ 139.924982] EIP is at 0x0 [ 139.924982] EAX: cf5ef000 EBX: cf5ef000 ECX: c143d600 EDX: c15225f2 [ 139.924982] ESI: cf4d2a1c EDI: cf4d2a1c EBP: cc02df10 ESP: cc02dee4 [ 139.924982] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 [ 139.924982] CR0: 80050033 CR2: 00000000 CR3: 0c059000 CR4: 000006d0 [ 139.924982] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000 [ 139.924982] DR6: ffff0ff0 DR7: 00000400 [ 139.924982] Process acpid (pid: 3070, ti=cc02c000 task=d7705340 task.ti=cc02c000) [ 139.924982] Stack: [ 139.924982] c1203c88 00000000 cc02def4 cf4d2a1c ae21eefa 471b60d5 1083c1ba c26a5940 [ 139.924982] e891fb5e 00000041 00000004 cc02df1c c1203964 00000000 cc02df4c c10e20c3 [ 139.924982] 00000002 00000000 00000000 22222222 c1ff2222 cf5ef000 00000000 d76efb08 [ 139.924982] Call Trace: [ 139.924982] [] ? evm_update_evmxattr+0x5b/0x62 [ 139.924982] [] evm_inode_post_setattr+0x22/0x26 [ 139.924982] [] notify_change+0x25f/0x281 [ 139.924982] [] chmod_common+0x59/0x76 [ 139.924982] [] ? put_unused_fd+0x33/0x33 [ 139.924982] [] sys_fchmod+0x39/0x5c [ 139.924982] [] syscall_call+0x7/0xb [ 139.924982] Code: Bad EIP value. This happens because sockets do not define the removexattr operation. Before removing the xattr, verify the removexattr function pointer is not NULL. Signed-off-by: Dmitry Kasatkin Signed-off-by: Mimi Zohar Signed-off-by: James Morris Signed-off-by: Ben Hutchings

evm: prevent racing during tfm allocation

2011-12-20T15:50:08Z

There is a small chance of racing during tfm allocation. This patch fixes it. Signed-off-by: Dmitry Kasatkin Acked-by: Mimi Zohar Signed-off-by: James Morris

evm: key must be set once during initialization

2011-12-20T15:45:45Z

On multi-core systems, setting of the key before every caclculation, causes invalid HMAC calculation for other tfm users, because internal state (ipad, opad) can be invalid before set key call returns. It needs to be set only once during initialization. Signed-off-by: Dmitry Kasatkin Acked-by: Mimi Zohar Signed-off-by: James Morris

evm: permit mode bits to be updated

2011-09-14T19:24:52Z

Before permitting 'security.evm' to be updated, 'security.evm' must exist and be valid. In the case that there are no existing EVM protected xattrs, it is safe for posix acls to update the mode bits. To differentiate between no 'security.evm' xattr and no xattrs used to calculate 'security.evm', this patch defines INTEGRITY_NOXATTR. Signed-off-by: Mimi Zohar

evm: posix acls modify i_mode

2011-09-14T19:24:51Z

The posix xattr acls are 'system' prefixed, which normally would not affect security.evm. An interesting side affect of writing posix xattr acls is their modifying of the i_mode, which is included in security.evm. This patch updates security.evm when posix xattr acls are written. Signed-off-by: Mimi Zohar

evm: limit verifying current security.evm integrity

2011-09-14T19:24:51Z

evm_protect_xattr unnecessarily validates the current security.evm integrity, before updating non-evm protected extended attributes and other file metadata. This patch limits validating the current security.evm integrity to evm protected metadata. Signed-off-by: Mimi Zohar

evm: remove TCG_TPM dependency

2011-09-14T19:24:49Z

All tristates selected by EVM(boolean) are forced to be builtin, except in the TCG_TPM(tristate) dependency case. Arnaud Lacombe summarizes the Kconfig bug as, "So it would seem direct dependency state influence the state of reverse dependencies.." For a detailed explanation, refer to Arnaud Lacombe's posting http://lkml.org/lkml/2011/8/23/498. With the "encrypted-keys: remove trusted-keys dependency" patch, EVM can now be built without a dependency on TCG_TPM. The trusted-keys dependency requires trusted-keys to either be builtin or not selected. This dependency will prevent the boolean/tristate mismatch from occuring. Reported-by: Stephen Rothwell , Randy Dunlap Signed-off-by: Mimi Zohar

evm: add Kconfig TCG_TPM dependency

2011-08-18T02:58:12Z

Although the EVM encrypted-key should be encrypted/decrypted using a trusted-key, a user-defined key could be used instead. When using a user- defined key, a TCG_TPM dependency should not be required. Unfortunately, the encrypted-key code needs to be refactored a bit in order to remove this dependency. This patch adds the TCG_TPM dependency. Reported-by: Stephen Rothwell , Randy Dunlap Signed-off-by: Mimi Zohar Signed-off-by: James Morris

evm: fix evm_inode_init_security return code

2011-08-11T07:42:41Z

evm_inode_init_security() should return 0, when EVM is not enabled. (Returning an error is a remnant of evm_inode_post_init_security.) Signed-off-by: Mimi Zohar Signed-off-by: James Morris

EVM: ensure trusted and encypted key symbols are available to EVM

2011-08-09T01:33:36Z

Select trusted and encrypted keys if EVM is selected, to ensure the requisite symbols are available. Otherwise, these can be selected as modules while EVM is static, leading to a kernel build failure. Signed-off-by: James Morris