linux/security/integrity, branch v3.13.1

ima: properly free ima_template_entry structures

2013-12-03T01:46:56Z

The new templates management mechanism records information associated to an event into an array of 'ima_field_data' structures and makes it available through the 'template_data' field of the 'ima_template_entry' structure (the element of the measurements list created by IMA). Since 'ima_field_data' contains dynamically allocated data (which length varies depending on the data associated to a selected template field), it is not enough to just free the memory reserved for a 'ima_template_entry' structure if something goes wrong. This patch creates the new function ima_free_template_entry() which walks the array of 'ima_field_data' structures, frees the memory referenced by the 'data' pointer and finally the space reserved for the 'ima_template_entry' structure. Further, it replaces existing kfree() that have a pointer to an 'ima_template_entry' structure as argument with calls to the new function. Fixes: a71dc65: ima: switch to new template management mechanism Signed-off-by: Roberto Sassu Signed-off-by: Mimi Zohar

ima: Do not free 'entry' before it is initialized

2013-12-03T01:46:32Z

7bc5f447ce9d0 (ima: define new function ima_alloc_init_template() to API) moved the initialization of 'entry' in ima_add_boot_aggregate() a bit more below, after the if (ima_used_chip). So, 'entry' is not initialized while being inside this if-block. So, we should not attempt to free it. Found by Coverity (CID: 1131971) Fixes: 7bc5f447ce9d0 (ima: define new function ima_alloc_init_template() to API) Signed-off-by: Christoph Paasch Signed-off-by: Mimi Zohar

ima: store address of template_fmt_copy in a pointer before calling strsep

2013-11-30T02:09:53Z

This patch stores the address of the 'template_fmt_copy' variable in a new variable, called 'template_fmt_ptr', so that the latter is passed as an argument of strsep() instead of the former. This modification is needed in order to correctly free the memory area referenced by 'template_fmt_copy' (strsep() modifies the pointer of the passed string). Signed-off-by: Roberto Sassu Reported-by: Sebastian Ott Signed-off-by: Mimi Zohar Signed-off-by: James Morris

ima: make a copy of template_fmt in template_desc_init_fields()

2013-11-25T20:05:33Z

This patch makes a copy of the 'template_fmt' function argument so that the latter will not be modified by strsep(), which does the splitting by replacing the given separator with '\0'. IMA: No TPM chip found, activating TPM-bypass! Unable to handle kernel pointer dereference at virtual kernel address 0000000000842000 Oops: 0004 [#1] SMP Modules linked in: CPU: 3 PID: 1 Comm: swapper/0 Not tainted 3.12.0-rc2-00098-g3ce1217d6cd5 #17 task: 000000003ffa0000 ti: 000000003ff84000 task.ti: 000000003ff84000 Krnl PSW : 0704e00180000000 000000000044bf88 (strsep+0x7c/0xa0) R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 EA:3 Krnl GPRS: 000000000000007c 000000000000007c 000000003ff87d90 0000000000821fd8 0000000000000000 000000000000007c 0000000000aa37e0 0000000000aa9008 0000000000000051 0000000000a114d8 0000000100000002 0000000000842bde 0000000000842bdf 00000000006f97f0 000000000040062c 000000003ff87cf0 Krnl Code: 000000000044bf7c: a7f4000a brc 15,44bf90 000000000044bf80: b90200cc ltgr %r12,%r12 #000000000044bf84: a7840006 brc 8,44bf90 >000000000044bf88: 9200c000 mvi 0(%r12),0 000000000044bf8c: 41c0c001 la %r12,1(%r12) 000000000044bf90: e3c020000024 stg %r12,0(%r2) 000000000044bf96: b904002b lgr %r2,%r11 000000000044bf9a: ebbcf0700004 lmg %r11,%r12,112(%r15) Call Trace: ([<00000000004005fe>] ima_init_template+0xa2/0x1bc) [<0000000000a7c896>] ima_init+0x7a/0xa8 [<0000000000a7c938>] init_ima+0x24/0x40 [<00000000001000e8>] do_one_initcall+0x68/0x128 [<0000000000a4eb56>] kernel_init_freeable+0x20a/0x2b4 [<00000000006a1ff4>] kernel_init+0x30/0x178 [<00000000006b69fe>] kernel_thread_starter+0x6/0xc [<00000000006b69f8>] kernel_thread_starter+0x0/0xc Last Breaking-Event-Address: [<000000000044bf42>] strsep+0x36/0xa0 Fixes commit: adf53a7 ima: new templates management mechanism Changelog v1: - make template_fmt 'const char *' (reported-by James Morris) - fix kstrdup memory leak (reported-by James Morris) Reported-by: Heiko Carstens Signed-off-by: Roberto Sassu Signed-off-by: Mimi Zohar Tested-by: Heiko Carstens

ima: do not send field length to userspace for digest of ima template

2013-11-25T12:31:14Z

This patch defines a new value for the 'ima_show_type' enumerator (IMA_SHOW_BINARY_NO_FIELD_LEN) to prevent that the field length is transmitted through the 'binary_runtime_measurements' interface for the digest field of the 'ima' template. Fixes commit: 3ce1217 ima: define template fields library and new helpers Signed-off-by: Roberto Sassu Signed-off-by: Mimi Zohar

ima: do not include field length in template digest calc for ima template

2013-11-25T12:26:28Z

To maintain compatibility with userspace tools, the field length must not be included in the template digest calculation for the 'ima' template. Fixes commit: a71dc65 ima: switch to new template management mechanism Signed-off-by: Roberto Sassu Signed-off-by: Mimi Zohar

Revert "ima: define '_ima' as a builtin 'trusted' keyring"

2013-11-24T00:36:35Z

This reverts commit 217091dd7a7a1bdac027ddb7c5a25f6ac0b8e241, which caused the following build error: security/integrity/digsig.c:70:5: error: redefinition of ‘integrity_init_keyring’ security/integrity/integrity.h:149:12: note: previous definition of ‘integrity_init_keyring’ w security/integrity/integrity.h:149:12: warning: ‘integrity_init_keyring’ defined but not used reported by Krzysztof Kolasa. Mimi says: "I made the classic mistake of requesting this patch to be upstreamed at the last second, rather than waiting until the next open window. At this point, the best course would probably be to revert the two commits and fix them for the next open window" Reported-by: Krzysztof Kolasa Acked-by: Mimi Zohar Signed-off-by: Linus Torvalds

ima: define '_ima' as a builtin 'trusted' keyring

2013-11-01T00:20:48Z

Require all keys added to the IMA keyring be signed by an existing trusted key on the system trusted keyring. Changelog: - define stub integrity_init_keyring() function (reported-by Fengguang Wu) - differentiate between regular and trusted keyring names. - replace printk with pr_info (D. Kasatkin) Signed-off-by: Mimi Zohar

ima: extend the measurement list to include the file signature

2013-11-01T00:19:35Z

This patch defines a new template called 'ima-sig', which includes the file signature in the template data, in addition to the file's digest and pathname. A template is composed of a set of fields. Associated with each field is an initialization and display function. This patch defines a new template field called 'sig', the initialization function ima_eventsig_init(), and the display function ima_show_template_sig(). This patch modifies the .field_init() function definition to include the 'security.ima' extended attribute and length. Changelog: - remove unused code (Dmitry Kasatkin) - avoid calling ima_write_template_field_data() unnecesarily (Roberto Sassu) - rename DATA_FMT_SIG to DATA_FMT_HEX - cleanup ima_eventsig_init() based on Roberto's comments Signed-off-by: Mimi Zohar Signed-off-by: Dmitry Kasatkin Signed-off-by: Roberto Sassu

ima: provide hash algo info in the xattr

2013-10-27T01:32:55Z

All files labeled with 'security.ima' hashes, are hashed using the same hash algorithm. Changing from one hash algorithm to another, requires relabeling the filesystem. This patch defines a new xattr type, which includes the hash algorithm, permitting different files to be hashed with different algorithms. Signed-off-by: Dmitry Kasatkin Signed-off-by: Mimi Zohar