Recreate integrity patches using a new kernel revision
Before open-sourcing these patches, a kernel revision different from the one available upstream was used. This change recreates the patches against a valid revision. Story: 2002964 Task: 22967 Change-Id: I424e928571ded42d2b768e1dbb1f87e8fb9aa847 Required-By: https://review.openstack.org/#/c/583016/ Signed-off-by: Erich Cordoba <erich.cordoba.malibran@intel.com> Signed-off-by: Scott Little <scott.little@windriver.com>
This commit is contained in:
parent
c26e0efd3c
commit
e9d93b7e28
@ -1,5 +1,5 @@
|
||||
COPY_LIST=" \
|
||||
$FILES_BASE/* \
|
||||
$PATCHES_BASE/* \
|
||||
$STX_BASE/downloads/integrity-kmod-668a8270.tar.gz"
|
||||
$STX_BASE/downloads/integrity-kmod-e6aef069.tar.gz"
|
||||
TIS_PATCH_VER=5
|
||||
|
@ -22,7 +22,7 @@ ExclusiveArch: x86_64
|
||||
# Sources.
|
||||
# the integrity is available as a tarball, with
|
||||
# the git commit Id referenced in the name
|
||||
Source0: %{kmod_name}-kmod-668a8270.tar.gz
|
||||
Source0: %{kmod_name}-kmod-e6aef069.tar.gz
|
||||
Source1: modules-load.conf
|
||||
Source2: COPYING
|
||||
Source3: README
|
||||
|
@ -497,7 +497,7 @@ index 106e855..f850ef7 100644
|
||||
#endif
|
||||
|
||||
#ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
|
||||
@@ -77,32 +77,43 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
|
||||
@@ -77,39 +77,43 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
|
||||
|
||||
return -EOPNOTSUPP;
|
||||
}
|
||||
@ -507,6 +507,7 @@ index 106e855..f850ef7 100644
|
||||
+int integrity_init_keyring(const unsigned int id)
|
||||
{
|
||||
const struct cred *cred = current_cred();
|
||||
- struct key_restriction *restriction;
|
||||
int err = 0;
|
||||
|
||||
- if (!init_keyring)
|
||||
@ -515,27 +516,29 @@ index 106e855..f850ef7 100644
|
||||
+ * the Kernel as a trusted keyring for which
|
||||
+ * a search reference is available
|
||||
+ */
|
||||
+ keyring[id] = ima_keyring;
|
||||
+ keyring[id] = ima_keyring;
|
||||
return 0;
|
||||
-
|
||||
- restriction = kzalloc(sizeof(struct key_restriction), GFP_KERNEL);
|
||||
- if (!restriction)
|
||||
- return -ENOMEM;
|
||||
-
|
||||
- restriction->check = restrict_link_to_ima;
|
||||
+ }
|
||||
|
||||
keyring[id] = keyring_alloc(keyring_name[id], KUIDT_INIT(0),
|
||||
- KGIDT_INIT(0), cred,
|
||||
- ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
|
||||
- KEY_USR_VIEW | KEY_USR_READ |
|
||||
- KEY_USR_WRITE | KEY_USR_SEARCH),
|
||||
KGIDT_INIT(0), cred,
|
||||
((KEY_POS_ALL & ~KEY_POS_SETATTR) |
|
||||
KEY_USR_VIEW | KEY_USR_READ |
|
||||
KEY_USR_WRITE | KEY_USR_SEARCH),
|
||||
- KEY_ALLOC_NOT_IN_QUOTA,
|
||||
- restrict_link_to_ima, NULL);
|
||||
- restriction, NULL);
|
||||
- if (IS_ERR(keyring[id])) {
|
||||
+ KGIDT_INIT(0), cred,
|
||||
+ ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
|
||||
+ KEY_USR_VIEW | KEY_USR_READ |
|
||||
+ KEY_USR_WRITE | KEY_USR_SEARCH),
|
||||
+ KEY_ALLOC_NOT_IN_QUOTA, NULL);
|
||||
+ KEY_ALLOC_NOT_IN_QUOTA, NULL);
|
||||
+
|
||||
+ if (!IS_ERR(keyring[id]))
|
||||
+ if (!IS_ERR(keyring[id])) {
|
||||
+ set_bit(KEY_FLAG_TRUSTED_ONLY, &keyring[id]->flags);
|
||||
+ else {
|
||||
+ } else {
|
||||
err = PTR_ERR(keyring[id]);
|
||||
pr_info("Can't allocate %s keyring (%d)\n",
|
||||
keyring_name[id], err);
|
||||
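Review bot: The recreated integrity_init_keyring passes a NULL restriction to keyring_alloc (`KEY_ALLOC_NOT_IN_QUOTA, NULL);`) where the previous patch passed `restrict_link_to_ima` or a `struct key_restriction`, and relies instead on `set_bit(KEY_FLAG_TRUSTED_ONLY, &keyring[id]->flags);` on the success branch, so whether an unsigned or untrusted key can be linked into the .ima keyring now depends entirely on the target kernel enforcing KEY_FLAG_TRUSTED_ONLY in its key-link path, which the hunk does not state. A comment above the set_bit call would let the next kernel bump re-check that assumption, e.g. `/* No restrict_link callback on this kernel: linking into this keyring is gated only by KEY_FLAG_TRUSTED_ONLY, which the key-link path must enforce, otherwise any key may be added */`. The comment at the top of the hunk about reusing the kernel's ima_keyring (`keyring[id] = ima_keyring;`) would also benefit from naming which id takes that path, since the hunk only shows the assignment. integrity_init_keyring starts in the previous hunk and its tail (the return of err) lies outside this one.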
@ -1096,21 +1099,48 @@ diff --git a/ima/ima_policy.c b/ima/ima_policy.c
|
||||
index aed47b7..dd52d98 100644
|
||||
--- a/ima/ima_policy.c
|
||||
+++ b/ima/ima_policy.c
|
||||
@@ -92,9 +92,11 @@ static struct ima_rule_entry dont_measure_rules[] = {
|
||||
{.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
|
||||
{.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
|
||||
@@ -85,7 +85,7 @@ struct ima_rule_entry {
|
||||
* normal users can easily run the machine out of memory simply building
|
||||
* and running executables.
|
||||
*/
|
||||
-static struct ima_rule_entry dont_measure_rules[] __ro_after_init = {
|
||||
+static struct ima_rule_entry dont_measure_rules[] = {
|
||||
{.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
|
||||
{.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
|
||||
{.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
|
||||
@@ -96,10 +96,12 @@ static struct ima_rule_entry dont_measure_rules[] __ro_after_init = {
|
||||
{.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
|
||||
+#if ( LINUX_VERSION_CODE > KERNEL_VERSION(3,10,0) )
|
||||
+ {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC},
|
||||
+#endif
|
||||
{.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC,
|
||||
- .flags = IMA_FSMAGIC},
|
||||
- {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}
|
||||
+ .flags = IMA_FSMAGIC}
|
||||
.flags = IMA_FSMAGIC},
|
||||
+#if ( LINUX_VERSION_CODE > KERNEL_VERSION(3,10,0) )
|
||||
{.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}
|
||||
+#endif
|
||||
};
|
||||
|
||||
static struct ima_rule_entry original_measurement_rules[] = {
|
||||
@@ -132,7 +134,9 @@ static struct ima_rule_entry default_appraise_rules[] = {
|
||||
-static struct ima_rule_entry original_measurement_rules[] __ro_after_init = {
|
||||
+static struct ima_rule_entry original_measurement_rules[] = {
|
||||
{.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
|
||||
.flags = IMA_FUNC | IMA_MASK},
|
||||
{.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
|
||||
@@ -111,7 +113,7 @@ static struct ima_rule_entry original_measurement_rules[] __ro_after_init = {
|
||||
{.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
|
||||
};
|
||||
|
||||
-static struct ima_rule_entry default_measurement_rules[] __ro_after_init = {
|
||||
+static struct ima_rule_entry default_measurement_rules[] = {
|
||||
{.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
|
||||
.flags = IMA_FUNC | IMA_MASK},
|
||||
{.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
|
||||
@@ -127,7 +129,7 @@ static struct ima_rule_entry default_measurement_rules[] __ro_after_init = {
|
||||
{.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC},
|
||||
};
|
||||
|
||||
-static struct ima_rule_entry default_appraise_rules[] __ro_after_init = {
|
||||
+static struct ima_rule_entry default_appraise_rules[] = {
|
||||
{.action = DONT_APPRAISE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
|
||||
{.action = DONT_APPRAISE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
|
||||
{.action = DONT_APPRAISE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
|
||||
@@ -137,7 +139,9 @@ static struct ima_rule_entry default_appraise_rules[] __ro_after_init = {
|
||||
{.action = DONT_APPRAISE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
|
||||
{.action = DONT_APPRAISE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
|
||||
{.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
|
||||
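Review bot: Stripping `__ro_after_init` from dont_measure_rules, original_measurement_rules, default_measurement_rules and default_appraise_rules removes the write-protection of the policy tables on every kernel the module is built for, not only on the 3.10 kernel that lacks the attribute. A compatibility definition keeps the hardening where it is available and still compiles on the old kernel: `#ifndef __ro_after_init` / `#define __ro_after_init` / `#endif` in the module's compat header, leaving the four table declarations as upstream has them. The NSFS_MAGIC guard `#if ( LINUX_VERSION_CODE > KERNEL_VERSION(3,10,0) )` is keyed to the one kernel being replaced rather than to the feature; `#ifdef NSFS_MAGIC` after including linux/magic.h expresses the real condition and will not break on an intermediate kernel that is newer than 3.10 but predates that magic number. The same version guard appears again in the next hunk around the IMA_EUID capability check.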
@ -1120,8 +1150,8 @@ index aed47b7..dd52d98 100644
|
||||
{.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC},
|
||||
#ifdef CONFIG_IMA_WRITE_POLICY
|
||||
{.action = APPRAISE, .func = POLICY_CHECK,
|
||||
@@ -243,7 +247,11 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
|
||||
if ((rule->flags & IMA_UID) && !uid_eq(rule->uid, cred->uid))
|
||||
@@ -249,7 +253,11 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
|
||||
if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid))
|
||||
return false;
|
||||
if (rule->flags & IMA_EUID) {
|
||||
+#if ( LINUX_VERSION_CODE > KERNEL_VERSION(3,10,0) )
|
||||
@ -1129,38 +1159,51 @@ index aed47b7..dd52d98 100644
|
||||
+#else
|
||||
+ if (capable_wrt_inode_uidgid(inode, CAP_SETUID) || capable(CAP_SETUID)) {
|
||||
+#endif
|
||||
if (!uid_eq(rule->uid, cred->euid)
|
||||
&& !uid_eq(rule->uid, cred->suid)
|
||||
&& !uid_eq(rule->uid, cred->uid))
|
||||
@@ -541,10 +549,26 @@ static int ima_lsm_rule_init(struct ima_rule_entry *entry,
|
||||
if (!rule->uid_op(cred->euid, rule->uid)
|
||||
&& !rule->uid_op(cred->suid, rule->uid)
|
||||
&& !rule->uid_op(cred->uid, rule->uid))
|
||||
@@ -556,16 +564,34 @@ static int ima_lsm_rule_init(struct ima_rule_entry *entry,
|
||||
return result;
|
||||
}
|
||||
|
||||
+static int ima_string_contains_hex(const char *string, size_t len)
|
||||
+{
|
||||
+ const unsigned char *p;
|
||||
+ for (p = string; p < (const unsigned char *)string + len; p++) {
|
||||
+ if (*p == '"' || *p < 0x21 || *p > 0x7e)
|
||||
+ return 1;
|
||||
+ }
|
||||
+ return 0;
|
||||
+ const unsigned char *p;
|
||||
+ for (p = string; p < (const unsigned char *)string + len; p++) {
|
||||
+ if (*p == '"' || *p < 0x21 || *p > 0x7e)
|
||||
+ return 1;
|
||||
+ }
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+
|
||||
static void ima_log_string(struct audit_buffer *ab, char *key, char *value)
|
||||
static void ima_log_string_op(struct audit_buffer *ab, char *key, char *value,
|
||||
bool (*rule_operator)(kuid_t, kuid_t))
|
||||
{
|
||||
- audit_log_format(ab, "%s=", key);
|
||||
- if (rule_operator == &uid_gt)
|
||||
- audit_log_format(ab, "%s>", key);
|
||||
- else if (rule_operator == &uid_lt)
|
||||
- audit_log_format(ab, "%s<", key);
|
||||
- else
|
||||
- audit_log_format(ab, "%s=", key);
|
||||
- audit_log_untrustedstring(ab, value);
|
||||
+ if (ima_string_contains_hex(value, strlen(value))) {
|
||||
+ // value string contains hex. Convert to hex instead
|
||||
+ audit_log_format(ab, "%s=(contains hex)%s", key, value);
|
||||
+ }
|
||||
+ else {
|
||||
+ audit_log_format(ab, "%s=%s", key, value);
|
||||
+ if (rule_operator == &uid_gt)
|
||||
+ audit_log_format(ab, "%s>(contains hex)%s", key, value);
|
||||
+ else if (rule_operator == &uid_lt)
|
||||
+ audit_log_format(ab, "%s<(contains hex)%s", key, value);
|
||||
+ else
|
||||
+ audit_log_format(ab, "%s=(contains hex)%s", key, value);
|
||||
+ } else {
|
||||
+ if (rule_operator == &uid_gt)
|
||||
+ audit_log_format(ab, "%s>", key);
|
||||
+ else if (rule_operator == &uid_lt)
|
||||
+ audit_log_format(ab, "%s<", key);
|
||||
+ else
|
||||
+ audit_log_format(ab, "%s=", key);
|
||||
+ }
|
||||
audit_log_format(ab, " ");
|
||||
}
|
||||
|
||||
static void ima_log_string(struct audit_buffer *ab, char *key, char *value)
|
||||
diff --git a/integrity.h b/integrity.h
|
||||
index 24520b4..c13e61d 100644
|
||||
--- a/integrity.h
|
||||
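Review bot: In the new ima_log_string_op the "(contains hex)" branches (`audit_log_format(ab, "%s>(contains hex)%s", key, value);` and the `<` and `=` variants) write the raw `value` through `%s` precisely when ima_string_contains_hex has just reported that it holds a quote or a byte outside 0x21..0x7e, which is the input the removed `audit_log_untrustedstring(ab, value);` existed to hex-encode; a policy string can therefore place quotes, whitespace or newlines inside the audit record and confuse or spoof field parsing. The non-hex branch, as visible here, emits only the key and operator and never the value, unless a line follows the closing brace that the hunk does not show. The helper's name is also misleading, since it detects that a string needs hex encoding rather than that it contains hex. Emitting the operator prefix and then the escaped value restores the previous behaviour; if audit_log_untrustedstring cannot be used from this module on the target kernel, that single call should become a local loop that hex-encodes the bytes ima_string_contains_hex rejects, never a `%s` of the raw bytes.
```c
static void ima_log_string_op(struct audit_buffer *ab, char *key, char *value,
			      bool (*rule_operator)(kuid_t, kuid_t))
{
	if (rule_operator == &uid_gt)
		audit_log_format(ab, "%s>", key);
	else if (rule_operator == &uid_lt)
		audit_log_format(ab, "%s<", key);
	else
		audit_log_format(ab, "%s=", key);
	/* Quotes and non-printable bytes are hex-encoded; the raw value is never formatted with %s. */
	audit_log_untrustedstring(ab, value);
	audit_log_format(ab, " ");
}
```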
@ -1183,11 +1226,7 @@ index 24520b4..c13e61d 100644
|
||||
uint32_t keyid; /* IMA key identifier - not X509/PGP specific */
|
||||
uint16_t sig_size; /* signature size */
|
||||
uint8_t sig[0]; /* signature payload */
|
||||
@@ -127,12 +129,11 @@ int __init integrity_read_file(const char *path, char **data);
|
||||
#define INTEGRITY_KEYRING_MAX 3
|
||||
|
||||
#ifdef CONFIG_INTEGRITY_SIGNATURE
|
||||
-
|
||||
@@ -131,8 +133,8 @@ int __init integrity_read_file(const char *path, char **data);
|
||||
int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
|
||||
const char *digest, int digestlen);
|
||||
|
||||
|
@ -24,19 +24,18 @@ diff --git a/ima/ima_appraise.c b/ima/ima_appraise.c
|
||||
index 88b5091..cff2ad2 100644
|
||||
--- a/ima/ima_appraise.c
|
||||
+++ b/ima/ima_appraise.c
|
||||
@@ -250,8 +250,11 @@ int ima_appraise_measurement(enum ima_hooks func,
|
||||
if (rc <= 0) {
|
||||
@@ -205,7 +208,11 @@ int ima_appraise_measurement(enum ima_hooks func,
|
||||
if (rc && rc != -ENODATA)
|
||||
goto out;
|
||||
-
|
||||
|
||||
- cause = "missing-hash";
|
||||
+
|
||||
+ if (iint->flags & IMA_DIGSIG_REQUIRED)
|
||||
+ cause = "missing-signature";
|
||||
+ cause = "missing-signature";
|
||||
+ else
|
||||
+ cause = "missing-hash";
|
||||
+
|
||||
status = INTEGRITY_NOLABEL;
|
||||
if (opened & FILE_CREATED) {
|
||||
if (opened & FILE_CREATED)
|
||||
iint->flags |= IMA_NEW_FILE;
|
||||
@@ -352,7 +355,8 @@ void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file)
|
||||
int rc = 0;
|
||||
|