diff --git a/kernel/kernel-modules/integrity/centos/build_srpm.data b/kernel/kernel-modules/integrity/centos/build_srpm.data
index 16ebb1099..d07dc140a 100644
--- a/kernel/kernel-modules/integrity/centos/build_srpm.data
+++ b/kernel/kernel-modules/integrity/centos/build_srpm.data
@@ -1,5 +1,5 @@
COPY_LIST=" \
$FILES_BASE/* \
$PATCHES_BASE/* \
- $STX_BASE/downloads/integrity-kmod-668a8270.tar.gz"
+ $STX_BASE/downloads/integrity-kmod-e6aef069.tar.gz"
TIS_PATCH_VER=5
diff --git a/kernel/kernel-modules/integrity/centos/integrity-kmod.spec b/kernel/kernel-modules/integrity/centos/integrity-kmod.spec
index eb3c739cd..c0e6ee45f 100644
--- a/kernel/kernel-modules/integrity/centos/integrity-kmod.spec
+++ b/kernel/kernel-modules/integrity/centos/integrity-kmod.spec
@@ -22,7 +22,7 @@ ExclusiveArch: x86_64
# Sources.
# the integrity is available as a tarball, with
# the git commit Id referenced in the name
-Source0: %{kmod_name}-kmod-668a8270.tar.gz
+Source0: %{kmod_name}-kmod-e6aef069.tar.gz
Source1: modules-load.conf
Source2: COPYING
Source3: README
diff --git a/kernel/kernel-modules/integrity/centos/patches/0001-integrity-kcompat-support.patch b/kernel/kernel-modules/integrity/centos/patches/0001-integrity-kcompat-support.patch
index 10cbfb417..ce82a96fc 100644
--- a/kernel/kernel-modules/integrity/centos/patches/0001-integrity-kcompat-support.patch
+++ b/kernel/kernel-modules/integrity/centos/patches/0001-integrity-kcompat-support.patch
@@ -497,7 +497,7 @@ index 106e855..f850ef7 100644
#endif

#ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
-@@ -77,32 +77,43 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
+@@ -77,39 +77,43 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
return -EOPNOTSUPP;
}
@@ -507,6 +507,7 @@ index 106e855..f850ef7 100644 +int integrity_init_keyring(const unsigned int id) { const struct cred *cred = current_cred(); +- struct key_restriction *restriction; int err = 0; - if (!init_keyring) @@ -515,27 +516,29 @@ index 106e855..f850ef7 100644 + * the Kernel as a trusted keyring for which + * a search reference is available + */ -+ keyring[id] = ima_keyring; ++ keyring[id] = ima_keyring; return 0; +- +- restriction = kzalloc(sizeof(struct key_restriction), GFP_KERNEL); +- if (!restriction) +- return -ENOMEM; +- +- restriction->check = restrict_link_to_ima; + } keyring[id] = keyring_alloc(keyring_name[id], KUIDT_INIT(0), -- KGIDT_INIT(0), cred, -- ((KEY_POS_ALL & ~KEY_POS_SETATTR) | -- KEY_USR_VIEW | KEY_USR_READ | -- KEY_USR_WRITE | KEY_USR_SEARCH), + KGIDT_INIT(0), cred, + ((KEY_POS_ALL & ~KEY_POS_SETATTR) | + KEY_USR_VIEW | KEY_USR_READ | + KEY_USR_WRITE | KEY_USR_SEARCH), - KEY_ALLOC_NOT_IN_QUOTA, -- restrict_link_to_ima, NULL); +- restriction, NULL); - if (IS_ERR(keyring[id])) { -+ KGIDT_INIT(0), cred, -+ ((KEY_POS_ALL & ~KEY_POS_SETATTR) | -+ KEY_USR_VIEW | KEY_USR_READ | -+ KEY_USR_WRITE | KEY_USR_SEARCH), -+ KEY_ALLOC_NOT_IN_QUOTA, NULL); ++ KEY_ALLOC_NOT_IN_QUOTA, NULL); + -+ if (!IS_ERR(keyring[id])) ++ if (!IS_ERR(keyring[id])) { + set_bit(KEY_FLAG_TRUSTED_ONLY, &keyring[id]->flags); -+ else { ++ } else { err = PTR_ERR(keyring[id]); pr_info("Can't allocate %s keyring (%d)\n", keyring_name[id], err); @@ -1096,21 +1099,48 @@ diff --git a/ima/ima_policy.c b/ima/ima_policy.c index aed47b7..dd52d98 100644 --- a/ima/ima_policy.c 
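Review bot: The new side of the `@@ -515,27 +516,29 @@` hunk drops the base kernel's `restriction` / `restrict_link_to_ima` keyring restriction and relies solely on `set_bit(KEY_FLAG_TRUSTED_ONLY, &keyring[id]->flags)` without saying why the two are equivalent, so a reader of the patch cannot tell whether removing `restriction->check = restrict_link_to_ima` widens which keys may be linked into the IMA keyrings. Add a comment above the `set_bit` line in the patch, e.g. `/* this kernel has no key_restriction; KEY_FLAG_TRUSTED_ONLY makes the keyring reject keys not marked trusted (signed by a built-in key) */`, and confirm against the targeted kernel that the flag restricts linking and not only searching. The `if (!IS_ERR(keyring[id])) {` / `} else {` brace change is otherwise fine. integrity_init_keyring continues outside this hunk.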
+++ b/ima/ima_policy.c -@@ -92,9 +92,11 @@ static struct ima_rule_entry dont_measure_rules[] = { - {.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC}, - {.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC}, +@@ -85,7 +85,7 @@ struct ima_rule_entry { + * normal users can easily run the machine out of memory simply building + * and running executables. + */ +-static struct ima_rule_entry dont_measure_rules[] __ro_after_init = { ++static struct ima_rule_entry dont_measure_rules[] = { + {.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC}, + {.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC}, + {.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC}, +@@ -96,10 +96,12 @@ static struct ima_rule_entry dont_measure_rules[] __ro_after_init = { {.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC}, -+#if ( LINUX_VERSION_CODE > KERNEL_VERSION(3,10,0) ) -+ {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}, -+#endif {.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC, -- .flags = IMA_FSMAGIC}, -- {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC} -+ .flags = IMA_FSMAGIC} + .flags = IMA_FSMAGIC}, ++#if ( LINUX_VERSION_CODE > KERNEL_VERSION(3,10,0) ) + {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC} ++#endif }; - static struct ima_rule_entry original_measurement_rules[] = { -@@ -132,7 +134,9 @@ static struct ima_rule_entry default_appraise_rules[] = { +-static struct ima_rule_entry original_measurement_rules[] __ro_after_init = { ++static struct ima_rule_entry original_measurement_rules[] = { + {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC, + .flags = IMA_FUNC | IMA_MASK}, + {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC, +@@ -111,7 +113,7 @@ static struct ima_rule_entry original_measurement_rules[] __ro_after_init = { + {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = 
IMA_FUNC}, + }; + +-static struct ima_rule_entry default_measurement_rules[] __ro_after_init = { ++static struct ima_rule_entry default_measurement_rules[] = { + {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC, + .flags = IMA_FUNC | IMA_MASK}, + {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC, +@@ -127,7 +129,7 @@ static struct ima_rule_entry default_measurement_rules[] __ro_after_init = { + {.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC}, + }; + +-static struct ima_rule_entry default_appraise_rules[] __ro_after_init = { ++static struct ima_rule_entry default_appraise_rules[] = { + {.action = DONT_APPRAISE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC}, + {.action = DONT_APPRAISE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC}, + {.action = DONT_APPRAISE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC}, +@@ -137,7 +139,9 @@ static struct ima_rule_entry default_appraise_rules[] __ro_after_init = { {.action = DONT_APPRAISE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC}, {.action = DONT_APPRAISE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC}, {.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC}, @@ -1120,8 +1150,8 @@ index aed47b7..dd52d98 100644 {.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC}, #ifdef CONFIG_IMA_WRITE_POLICY {.action = APPRAISE, .func = POLICY_CHECK, -@@ -243,7 +247,11 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, - if ((rule->flags & IMA_UID) && !uid_eq(rule->uid, cred->uid)) +@@ -249,7 +253,11 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, + if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid)) return false; if (rule->flags & IMA_EUID) { +#if ( LINUX_VERSION_CODE > KERNEL_VERSION(3,10,0) ) 
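Review bot: Removing `__ro_after_init` from `dont_measure_rules`, `original_measurement_rules`, `default_measurement_rules` and `default_appraise_rules` strips a hardening the base kernel applies to the built-in IMA policy tables — once init completes they become read-only, so a later kernel write primitive cannot rewrite the measure/appraise rules — and the new side does this unconditionally, on any kernel the module is built against, not just one that lacks the annotation. The compatibility fix belongs in the kcompat header instead: `#ifndef __ro_after_init` / `#define __ro_after_init` / `#endif`, leaving the four declarations as upstream has them. If the module really does modify these tables at runtime (nothing in the hunk shows that), say so in a comment next to the declarations rather than silently dropping the attribute.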
@@ -1129,38 +1159,51 @@ index aed47b7..dd52d98 100644 +#else + if (capable_wrt_inode_uidgid(inode, CAP_SETUID) || capable(CAP_SETUID)) { +#endif - if (!uid_eq(rule->uid, cred->euid) - && !uid_eq(rule->uid, cred->suid) - && !uid_eq(rule->uid, cred->uid)) -@@ -541,10 +549,26 @@ static int ima_lsm_rule_init(struct ima_rule_entry *entry, + if (!rule->uid_op(cred->euid, rule->uid) + && !rule->uid_op(cred->suid, rule->uid) + && !rule->uid_op(cred->uid, rule->uid)) +@@ -556,16 +564,34 @@ static int ima_lsm_rule_init(struct ima_rule_entry *entry, return result; } +static int ima_string_contains_hex(const char *string, size_t len) +{ -+ const unsigned char *p; -+ for (p = string; p < (const unsigned char *)string + len; p++) { -+ if (*p == '"' || *p < 0x21 || *p > 0x7e) -+ return 1; -+ } -+ return 0; ++ const unsigned char *p; ++ for (p = string; p < (const unsigned char *)string + len; p++) { ++ if (*p == '"' || *p < 0x21 || *p > 0x7e) ++ return 1; ++ } ++ return 0; +} + -+ - static void ima_log_string(struct audit_buffer *ab, char *key, char *value) + static void ima_log_string_op(struct audit_buffer *ab, char *key, char *value, + bool (*rule_operator)(kuid_t, kuid_t)) { -- audit_log_format(ab, "%s=", key); +- if (rule_operator == &uid_gt) +- audit_log_format(ab, "%s>", key); +- else if (rule_operator == &uid_lt) +- audit_log_format(ab, "%s<", key); +- else +- audit_log_format(ab, "%s=", key); - audit_log_untrustedstring(ab, value); + if (ima_string_contains_hex(value, strlen(value))) { -+ // value string contains hex. 
Convert to hex instead -+ audit_log_format(ab, "%s=(contains hex)%s", key, value); -+ } -+ else { -+ audit_log_format(ab, "%s=%s", key, value); ++ if (rule_operator == &uid_gt) ++ audit_log_format(ab, "%s>(contains hex)%s", key, value); ++ else if (rule_operator == &uid_lt) ++ audit_log_format(ab, "%s<(contains hex)%s", key, value); ++ else ++ audit_log_format(ab, "%s=(contains hex)%s", key, value); ++ } else { ++ if (rule_operator == &uid_gt) ++ audit_log_format(ab, "%s>", key); ++ else if (rule_operator == &uid_lt) ++ audit_log_format(ab, "%s<", key); ++ else ++ audit_log_format(ab, "%s=", key); + } audit_log_format(ab, " "); } - + static void ima_log_string(struct audit_buffer *ab, char *key, char *value) diff --git a/integrity.h b/integrity.h index 24520b4..c13e61d 100644 --- a/integrity.h @@ -1183,11 +1226,7 @@ index 24520b4..c13e61d 100644 uint32_t keyid; /* IMA key identifier - not X509/PGP specific */ uint16_t sig_size; /* signature size */ uint8_t sig[0]; /* signature payload */ -@@ -127,12 +129,11 @@ int __init integrity_read_file(const char *path, char **data); - #define INTEGRITY_KEYRING_MAX 3 - - #ifdef CONFIG_INTEGRITY_SIGNATURE -- +@@ -131,8 +133,8 @@ int __init integrity_read_file(const char *path, char **data); int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, const char *digest, int digestlen); diff --git a/kernel/kernel-modules/integrity/centos/patches/0004-integrity-disable-set-xattr-on-imasig.patch b/kernel/kernel-modules/integrity/centos/patches/0004-integrity-disable-set-xattr-on-imasig.patch index cb489681e..1d37f6991 100644 --- a/kernel/kernel-modules/integrity/centos/patches/0004-integrity-disable-set-xattr-on-imasig.patch +++ b/kernel/kernel-modules/integrity/centos/patches/0004-integrity-disable-set-xattr-on-imasig.patch @@ -24,19 +24,18 @@ diff --git a/ima/ima_appraise.c b/ima/ima_appraise.c index 88b5091..cff2ad2 100644 --- a/ima/ima_appraise.c 
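Review bot: In the new `ima_log_string_op` the non-hex branch emits only the operator prefix (`audit_log_format(ab, "%s=", key)` and its `>`/`<` variants) and then falls through to `audit_log_format(ab, " ")`, so `value` never reaches the audit record for ordinary rule values; the previous version of this patch still had `"%s=%s", key, value`, so as far as the collapsed hunk shows this is a regression introduced by the rebase. The hex branch has the opposite problem: having detected quotes or non-printable bytes in `value`, it writes those raw bytes with `%s` after a `(contains hex)` tag, which is exactly what the dropped `audit_log_untrustedstring(ab, value)` exists to prevent — it hex-encodes such strings so a policy value cannot inject field separators or fake fields into the audit record. Both are fixed by keeping the three prefix lines and following them with the single line `audit_log_untrustedstring(ab, value);` as the base kernel does, which also makes `ima_string_contains_hex` unnecessary. If that helper is kept anyway, its `p = string` initializer should be `p = (const unsigned char *)string` to match the cast already applied to the loop bound.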
+++ b/ima/ima_appraise.c -@@ -250,8 +250,11 @@ int ima_appraise_measurement(enum ima_hooks func, - if (rc <= 0) { +@@ -205,7 +208,11 @@ int ima_appraise_measurement(enum ima_hooks func, if (rc && rc != -ENODATA) goto out; -- + - cause = "missing-hash"; -+ + if (iint->flags & IMA_DIGSIG_REQUIRED) -+ cause = "missing-signature"; ++ cause = "missing-signature"; + else + cause = "missing-hash"; ++ status = INTEGRITY_NOLABEL; - if (opened & FILE_CREATED) { + if (opened & FILE_CREATED) iint->flags |= IMA_NEW_FILE; @@ -352,7 +355,8 @@ void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file) int rc = 0;