1. 03 Mar, 2016 2 commits
    • David Howells's avatar
      X.509: Make algo identifiers text instead of enum · 4e8ae72a
      David Howells authored
      Make the identifier public key and digest algorithm fields text instead of
      enum.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Acked-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      4e8ae72a
    • David Howells's avatar
      akcipher: Move the RSA DER encoding check to the crypto layer · d43de6c7
      David Howells authored
      Move the RSA EMSA-PKCS1-v1_5 encoding from the asymmetric-key public_key
      subtype to the rsa crypto module's pkcs1pad template.  This means that the
      public_key subtype no longer has any dependencies on public key type.
      
      To make this work, the following changes have been made:
      
       (1) The rsa pkcs1pad template is now used for RSA keys.  This strips off the
           padding and returns just the message hash.
      
       (2) In a previous patch, the pkcs1pad template gained an optional second
           parameter that, if given, specifies the hash used.  We now give this,
           and pkcs1pad checks the encoded message E(M) for the EMSA-PKCS1-v1_5
           encoding and verifies that the correct digest OID is present.
      
       (3) The crypto driver in crypto/asymmetric_keys/rsa.c is now reduced to
           something that doesn't care about what the encryption actually does
           and and has been merged into public_key.c.
      
       (4) CONFIG_PUBLIC_KEY_ALGO_RSA is gone.  Module signing must set
           CONFIG_CRYPTO_RSA=y instead.
      
      Thoughts:
      
       (*) Should the encoding style (eg. raw, EMSA-PKCS1-v1_5) also be passed to
           the padding template?  Should there be multiple padding templates
           registered that share most of the code?
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarTadeusz Struk <tadeusz.struk@intel.com>
      Acked-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      d43de6c7
  2. 21 Feb, 2016 8 commits
    • Mimi Zohar's avatar
      ima: require signed IMA policy · 95ee08fa
      Mimi Zohar authored
      Require the IMA policy to be signed when additional rules can be added.
      
      v1:
      - initialize the policy flag
      - include IMA_APPRAISE_POLICY in the policy flag
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      Acked-by: default avatarPetko Manolov <petkan@mip-labs.com>
      Acked-by: default avatarDmitry Kasatkin <dmitry.kasatkin@huawei.com>
      95ee08fa
    • Mimi Zohar's avatar
      ima: measure and appraise the IMA policy itself · 19f8a847
      Mimi Zohar authored
      Add support for measuring and appraising the IMA policy itself.
      
      Changelog v4:
      - use braces on both if/else branches, even if single line on one of the
      branches - Dmitry
      - Use the id mapping - Dmitry
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      Acked-by: default avatarPetko Manolov <petkan@mip-labs.com>
      Acked-by: default avatarDmitry Kasatkin <dmitry.kasatkin@huawei.com>
      19f8a847
    • Dmitry Kasatkin's avatar
      ima: load policy using path · 7429b092
      Dmitry Kasatkin authored
      We currently cannot do appraisal or signature vetting of IMA policies
      since we currently can only load IMA policies by writing the contents
      of the policy directly in, as follows:
      
      cat policy-file > <securityfs>/ima/policy
      
      If we provide the kernel the path to the IMA policy so it can load
      the policy itself it'd be able to later appraise or vet the file
      signature if it has one.  This patch adds support to load the IMA
      policy with a given path as follows:
      
      echo /etc/ima/ima_policy > /sys/kernel/security/ima/policy
      
      Changelog v4+:
      - moved kernel_read_file_from_path() error messages to callers
      v3:
      - moved kernel_read_file_from_path() to a separate patch
      v2:
      - after re-ordering the patches, replace calling integrity_kernel_read()
        to read the file with kernel_read_file_from_path() (Mimi)
      - Patch description re-written by Luis R. Rodriguez
      Signed-off-by: default avatarDmitry Kasatkin <dmitry.kasatkin@huawei.com>
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      7429b092
    • Mimi Zohar's avatar
      ima: support for kexec image and initramfs · d9ddf077
      Mimi Zohar authored
      Add IMA policy support for measuring/appraising the kexec image and
      initramfs. Two new IMA policy identifiers KEXEC_KERNEL_CHECK and
      KEXEC_INITRAMFS_CHECK are defined.
      
      Example policy rules:
      measure func=KEXEC_KERNEL_CHECK
      appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig
      measure func=KEXEC_INITRAMFS_CHECK
      appraise func=KEXEC_INITRAMFS_CHECK appraise_type=imasig
      
      Moving the enumeration to the vfs layer simplified the patches, allowing
      the IMA changes, for the most part, to be separated from the other
      changes.  Unfortunately, passing either a kernel_read_file_id or a
      ima_hooks enumeration within IMA is messy.
      
      Option 1: duplicate kernel_read_file enumeration in ima_hooks
      
      enum kernel_read_file_id {
      	...
              READING_KEXEC_IMAGE,
              READING_KEXEC_INITRAMFS,
              READING_MAX_ID
      
      enum ima_hooks {
      	...
      	KEXEC_KERNEL_CHECK
      	KEXEC_INITRAMFS_CHECK
      
      Option 2: define ima_hooks as extension of kernel_read_file
      eg: enum ima_hooks {
              FILE_CHECK = READING_MAX_ID,
              MMAP_CHECK,
      
      In order to pass both kernel_read_file_id and ima_hooks values, we
      would need to specify a struct containing a union.
      
      struct caller_id {
              union {
                      enum ima_hooks func_id;
                      enum kernel_read_file_id read_id;
              };
      };
      
      Option 3: incorportate the ima_hooks enumeration into kernel_read_file_id,
      perhaps changing the enumeration name.
      
      For now, duplicate the new READING_KEXEC_IMAGE/INITRAMFS in the ima_hooks.
      
      Changelog v4:
      - replaced switch statement with a kernel_read_file_id to an ima_hooks
      id mapping array - Dmitry
      - renamed ima_hook tokens KEXEC_CHECK and INITRAMFS_CHECK to
      KEXEC_KERNEL_CHECK and KEXEC_INITRAMFS_CHECK respectively - Dave Young
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      Acked-by: default avatarPetko Manolov <petkan@mip-labs.com>
      Acked-by: default avatarDmitry Kasatkin <dmitry.kasatkin@huawei.com>
      Cc: Dave Young <dyoung@redhat.com>
      d9ddf077
    • Mimi Zohar's avatar
      ima: remove firmware and module specific cached status info · c6af8efe
      Mimi Zohar authored
      Each time a file is read by the kernel, the file should be re-measured and
      the file signature re-appraised, based on policy.  As there is no need to
      preserve the status information, this patch replaces the firmware and
      module specific cache status with a generic one named read_file.
      
      This change simplifies adding support for other files read by the kernel.
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      Acked-by: default avatarPetko Manolov <petkan@mip-labs.com>
      Acked-by: default avatarDmitry Kasatkin <dmitry.kasatkin@huawei.com>
      c6af8efe
    • Mimi Zohar's avatar
      module: replace copy_module_from_fd with kernel version · a1db7420
      Mimi Zohar authored
      Replace copy_module_from_fd() with kernel_read_file_from_fd().
      
      Although none of the upstreamed LSMs define a kernel_module_from_file
      hook, IMA is called, based on policy, to prevent unsigned kernel modules
      from being loaded by the original kernel module syscall and to
      measure/appraise signed kernel modules.
      
      The security function security_kernel_module_from_file() was called prior
      to reading a kernel module.  Preventing unsigned kernel modules from being
      loaded by the original kernel module syscall remains on the pre-read
      kernel_read_file() security hook.  Instead of reading the kernel module
      twice, once for measuring/appraising and again for loading the kernel
      module, the signature validation is moved to the kernel_post_read_file()
      security hook.
      
      This patch removes the security_kernel_module_from_file() hook and security
      call.
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      Acked-by: default avatarLuis R. Rodriguez <mcgrof@kernel.org>
      Cc: Rusty Russell <rusty@rustcorp.com.au>
      a1db7420
    • Mimi Zohar's avatar
      security: define kernel_read_file hook · 39eeb4fb
      Mimi Zohar authored
      The kernel_read_file security hook is called prior to reading the file
      into memory.
      
      Changelog v4+:
      - export security_kernel_read_file()
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      Acked-by: default avatarLuis R. Rodriguez <mcgrof@kernel.org>
      Acked-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      39eeb4fb
    • Mimi Zohar's avatar
      firmware: replace call to fw_read_file_contents() with kernel version · e40ba6d5
      Mimi Zohar authored
      Replace the fw_read_file_contents with kernel_file_read_from_path().
      
      Although none of the upstreamed LSMs define a kernel_fw_from_file hook,
      IMA is called by the security function to prevent unsigned firmware from
      being loaded and to measure/appraise signed firmware, based on policy.
      
      Instead of reading the firmware twice, once for measuring/appraising the
      firmware and again for reading the firmware contents into memory, the
      kernel_post_read_file() security hook calculates the file hash based on
      the in memory file buffer.  The firmware is read once.
      
      This patch removes the LSM kernel_fw_from_file() hook and security call.
      
      Changelog v4+:
      - revert dropped buf->size assignment - reported by Sergey Senozhatsky
      v3:
      - remove kernel_fw_from_file hook
      - use kernel_file_read_from_path() - requested by Luis
      v2:
      - reordered and squashed firmware patches
      - fix MAX firmware size (Kees Cook)
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      Acked-by: default avatarLuis R. Rodriguez <mcgrof@kernel.org>
      e40ba6d5
  3. 20 Feb, 2016 1 commit
  4. 19 Feb, 2016 1 commit
  5. 18 Feb, 2016 9 commits
  6. 16 Feb, 2016 2 commits
    • José Bollo's avatar
      smack: fix cache of access labels · 8012495e
      José Bollo authored
      Before this commit, removing the access property of
      a file, aka, the extended attribute security.SMACK64
      was not effictive until the cache had been cleaned.
      
      This patch fixes that problem.
      Signed-off-by: default avatarJosé Bollo <jobol@nonadev.net>
      Acked-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      8012495e
    • Dave Hansen's avatar
      mm/gup: Introduce get_user_pages_remote() · 1e987790
      Dave Hansen authored
      For protection keys, we need to understand whether protections
      should be enforced in software or not.  In general, we enforce
      protections when working on our own task, but not when on others.
      We call these "current" and "remote" operations.
      
      This patch introduces a new get_user_pages() variant:
      
              get_user_pages_remote()
      
      Which is a replacement for when get_user_pages() is called on
      non-current tsk/mm.
      
      We also introduce a new gup flag: FOLL_REMOTE which can be used
      for the "__" gup variants to get this new behavior.
      
      The uprobes is_trap_at_addr() location holds mmap_sem and
      calls get_user_pages(current->mm) on an instruction address.  This
      makes it a pretty unique gup caller.  Being an instruction access
      and also really originating from the kernel (vs. the app), I opted
      to consider this a 'remote' access where protection keys will not
      be enforced.
      
      Without protection keys, this patch should not change any behavior.
      Signed-off-by: default avatarDave Hansen <dave.hansen@linux.intel.com>
      Reviewed-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Andy Lutomirski <luto@amacapital.net>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Brian Gerst <brgerst@gmail.com>
      Cc: Dave Hansen <dave@sr71.net>
      Cc: Denys Vlasenko <dvlasenk@redhat.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Rik van Riel <riel@redhat.com>
      Cc: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
      Cc: Vlastimil Babka <vbabka@suse.cz>
      Cc: jack@suse.cz
      Cc: linux-mm@kvack.org
      Link: http://lkml.kernel.org/r/20160212210154.3F0E51EA@viggo.jf.intel.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      1e987790
  7. 12 Feb, 2016 1 commit
  8. 11 Feb, 2016 1 commit
    • Casey Schaufler's avatar
      Smack: Remove pointless hooks · 491a0b08
      Casey Schaufler authored
      Prior to the 4.2 kernel there no no harm in providing
      a security module hook that does nothing, as the default
      hook would get called if the module did not supply one.
      With the list based infrastructure an empty hook adds
      overhead. This patch removes the three Smack hooks that
      don't actually do anything.
      Signed-off-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      491a0b08
  9. 10 Feb, 2016 1 commit
    • David Howells's avatar
      KEYS: CONFIG_KEYS_DEBUG_PROC_KEYS is no longer an option · 50d35015
      David Howells authored
      CONFIG_KEYS_DEBUG_PROC_KEYS is no longer an option as /proc/keys is now
      mandatory if the keyrings facility is enabled (it's used by libkeyutils in
      userspace).
      
      The defconfig references were removed with:
      
      	perl -p -i -e 's/CONFIG_KEYS_DEBUG_PROC_KEYS=y\n//' \
      	    `git grep -l CONFIG_KEYS_DEBUG_PROC_KEYS=y`
      
      and the integrity Kconfig fixed by hand.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      cc: Andreas Ziegler <andreas.ziegler@fau.de>
      cc: Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
      50d35015
  10. 09 Feb, 2016 4 commits
  11. 08 Feb, 2016 1 commit
  12. 06 Feb, 2016 1 commit
  13. 28 Jan, 2016 1 commit
    • Andy Shevchenko's avatar
      selinux: use absolute path to include directory · 9090a2d5
      Andy Shevchenko authored
      Compiler warns us a lot that it can't find include folder because it's
      provided in relative form.
      
        CC      security/selinux/netlabel.o
      cc1: warning: security/selinux/include: No such file or directory
      cc1: warning: security/selinux/include: No such file or directory
      cc1: warning: security/selinux/include: No such file or directory
      cc1: warning: security/selinux/include: No such file or directory
      
      Add $(srctree) prefix to the path.
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      [PM: minor description edits to fit under 80char width]
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
      9090a2d5
  14. 27 Jan, 2016 3 commits
  15. 22 Jan, 2016 1 commit
    • Al Viro's avatar
      wrappers for ->i_mutex access · 5955102c
      Al Viro authored
      parallel to mutex_{lock,unlock,trylock,is_locked,lock_nested},
      inode_foo(inode) being mutex_foo(&inode->i_mutex).
      
      Please, use those for access to ->i_mutex; over the coming cycle
      ->i_mutex will become rwsem, with ->lookup() done with it held
      only shared.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      5955102c
  16. 20 Jan, 2016 2 commits
    • Jann Horn's avatar
      ptrace: use fsuid, fsgid, effective creds for fs access checks · caaee623
      Jann Horn authored
      By checking the effective credentials instead of the real UID / permitted
      capabilities, ensure that the calling process actually intended to use its
      credentials.
      
      To ensure that all ptrace checks use the correct caller credentials (e.g.
      in case out-of-tree code or newly added code omits the PTRACE_MODE_*CREDS
      flag), use two new flags and require one of them to be set.
      
      The problem was that when a privileged task had temporarily dropped its
      privileges, e.g.  by calling setreuid(0, user_uid), with the intent to
      perform following syscalls with the credentials of a user, it still passed
      ptrace access checks that the user would not be able to pass.
      
      While an attacker should not be able to convince the privileged task to
      perform a ptrace() syscall, this is a problem because the ptrace access
      check is reused for things in procfs.
      
      In particular, the following somewhat interesting procfs entries only rely
      on ptrace access checks:
      
       /proc/$pid/stat - uses the check for determining whether pointers
           should be visible, useful for bypassing ASLR
       /proc/$pid/maps - also useful for bypassing ASLR
       /proc/$pid/cwd - useful for gaining access to restricted
           directories that contain files with lax permissions, e.g. in
           this scenario:
           lrwxrwxrwx root root /proc/13020/cwd -> /root/foobar
           drwx------ root root /root
           drwxr-xr-x root root /root/foobar
           -rw-r--r-- root root /root/foobar/secret
      
      Therefore, on a system where a root-owned mode 6755 binary changes its
      effective credentials as described and then dumps a user-specified file,
      this could be used by an attacker to reveal the memory layout of root's
      processes or reveal the contents of files he is not allowed to access
      (through /proc/$pid/cwd).
      
      [akpm@linux-foundation.org: fix warning]
      Signed-off-by: default avatarJann Horn <jann@thejh.net>
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      Cc: Casey Schaufler <casey@schaufler-ca.com>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: James Morris <james.l.morris@oracle.com>
      Cc: "Serge E. Hallyn" <serge.hallyn@ubuntu.com>
      Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: "Eric W. Biederman" <ebiederm@xmission.com>
      Cc: Willy Tarreau <w@1wt.eu>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      caaee623
    • Jann Horn's avatar
      security: let security modules use PTRACE_MODE_* with bitmasks · 3dfb7d8c
      Jann Horn authored
      It looks like smack and yama weren't aware that the ptrace mode
      can have flags ORed into it - PTRACE_MODE_NOAUDIT until now, but
      only for /proc/$pid/stat, and with the PTRACE_MODE_*CREDS patch,
      all modes have flags ORed into them.
      Signed-off-by: default avatarJann Horn <jann@thejh.net>
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      Acked-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: James Morris <james.l.morris@oracle.com>
      Cc: "Serge E. Hallyn" <serge.hallyn@ubuntu.com>
      Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: "Eric W. Biederman" <ebiederm@xmission.com>
      Cc: Willy Tarreau <w@1wt.eu>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      3dfb7d8c
  17. 19 Jan, 2016 1 commit
    • Yevgeny Pats's avatar
      KEYS: Fix keyring ref leak in join_session_keyring() · 23567fd0
      Yevgeny Pats authored
      This fixes CVE-2016-0728.
      
      If a thread is asked to join as a session keyring the keyring that's already
      set as its session, we leak a keyring reference.
      
      This can be tested with the following program:
      
      	#include <stddef.h>
      	#include <stdio.h>
      	#include <sys/types.h>
      	#include <keyutils.h>
      
      	int main(int argc, const char *argv[])
      	{
      		int i = 0;
      		key_serial_t serial;
      
      		serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
      				"leaked-keyring");
      		if (serial < 0) {
      			perror("keyctl");
      			return -1;
      		}
      
      		if (keyctl(KEYCTL_SETPERM, serial,
      			   KEY_POS_ALL | KEY_USR_ALL) < 0) {
      			perror("keyctl");
      			return -1;
      		}
      
      		for (i = 0; i < 100; i++) {
      			serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
      					"leaked-keyring");
      			if (serial < 0) {
      				perror("keyctl");
      				return -1;
      			}
      		}
      
      		return 0;
      	}
      
      If, after the program has run, there something like the following line in
      /proc/keys:
      
      3f3d898f I--Q---   100 perm 3f3f0000     0     0 keyring   leaked-keyring: empty
      
      with a usage count of 100 * the number of times the program has been run,
      then the kernel is malfunctioning.  If leaked-keyring has zero usages or
      has been garbage collected, then the problem is fixed.
      Reported-by: default avatarYevgeny Pats <yevgeny@perception-point.io>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Acked-by: default avatarDon Zickus <dzickus@redhat.com>
      Acked-by: default avatarPrarit Bhargava <prarit@redhat.com>
      Acked-by: default avatarJarod Wilson <jarod@redhat.com>
      Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
      23567fd0