Recreate integrity patches using a new kernel revision
Before opensource these patches a kernel revision different from the available in upstream was used. This changes recreates the patches to use a valid revision. Story: 2002964 Task: 22967 Change-Id: I424e928571ded42d2b768e1dbb1f87e8fb9aa847 Required-By: https://review.openstack.org/#/c/583016/ Signed-off-by: Erich Cordoba <erich.cordoba.malibran@intel.com> Signed-off-by: Scott Little <scott.little@windriver.com>
This commit is contained in:
parent
c26e0efd3c
commit
e9d93b7e28
@ -1,5 +1,5 @@
|
|||||||
COPY_LIST=" \
|
COPY_LIST=" \
|
||||||
$FILES_BASE/* \
|
$FILES_BASE/* \
|
||||||
$PATCHES_BASE/* \
|
$PATCHES_BASE/* \
|
||||||
$STX_BASE/downloads/integrity-kmod-668a8270.tar.gz"
|
$STX_BASE/downloads/integrity-kmod-e6aef069.tar.gz"
|
||||||
TIS_PATCH_VER=5
|
TIS_PATCH_VER=5
|
||||||
|
@ -22,7 +22,7 @@ ExclusiveArch: x86_64
|
|||||||
# Sources.
|
# Sources.
|
||||||
# the integrity is available as a tarball, with
|
# the integrity is available as a tarball, with
|
||||||
# the git commit Id referenced in the name
|
# the git commit Id referenced in the name
|
||||||
Source0: %{kmod_name}-kmod-668a8270.tar.gz
|
Source0: %{kmod_name}-kmod-e6aef069.tar.gz
|
||||||
Source1: modules-load.conf
|
Source1: modules-load.conf
|
||||||
Source2: COPYING
|
Source2: COPYING
|
||||||
Source3: README
|
Source3: README
|
||||||
|
@ -497,7 +497,7 @@ index 106e855..f850ef7 100644
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
|
#ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
|
||||||
@@ -77,32 +77,43 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
|
@@ -77,39 +77,43 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
|
||||||
|
|
||||||
return -EOPNOTSUPP;
|
return -EOPNOTSUPP;
|
||||||
}
|
}
|
||||||
@ -507,6 +507,7 @@ index 106e855..f850ef7 100644
|
|||||||
+int integrity_init_keyring(const unsigned int id)
|
+int integrity_init_keyring(const unsigned int id)
|
||||||
{
|
{
|
||||||
const struct cred *cred = current_cred();
|
const struct cred *cred = current_cred();
|
||||||
|
- struct key_restriction *restriction;
|
||||||
int err = 0;
|
int err = 0;
|
||||||
|
|
||||||
- if (!init_keyring)
|
- if (!init_keyring)
|
||||||
@ -515,27 +516,29 @@ index 106e855..f850ef7 100644
|
|||||||
+ * the Kernel as a trusted keyring for which
|
+ * the Kernel as a trusted keyring for which
|
||||||
+ * a search reference is available
|
+ * a search reference is available
|
||||||
+ */
|
+ */
|
||||||
+ keyring[id] = ima_keyring;
|
+ keyring[id] = ima_keyring;
|
||||||
return 0;
|
return 0;
|
||||||
|
-
|
||||||
|
- restriction = kzalloc(sizeof(struct key_restriction), GFP_KERNEL);
|
||||||
|
- if (!restriction)
|
||||||
|
- return -ENOMEM;
|
||||||
|
-
|
||||||
|
- restriction->check = restrict_link_to_ima;
|
||||||
+ }
|
+ }
|
||||||
|
|
||||||
keyring[id] = keyring_alloc(keyring_name[id], KUIDT_INIT(0),
|
keyring[id] = keyring_alloc(keyring_name[id], KUIDT_INIT(0),
|
||||||
- KGIDT_INIT(0), cred,
|
KGIDT_INIT(0), cred,
|
||||||
- ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
|
((KEY_POS_ALL & ~KEY_POS_SETATTR) |
|
||||||
- KEY_USR_VIEW | KEY_USR_READ |
|
KEY_USR_VIEW | KEY_USR_READ |
|
||||||
- KEY_USR_WRITE | KEY_USR_SEARCH),
|
KEY_USR_WRITE | KEY_USR_SEARCH),
|
||||||
- KEY_ALLOC_NOT_IN_QUOTA,
|
- KEY_ALLOC_NOT_IN_QUOTA,
|
||||||
- restrict_link_to_ima, NULL);
|
- restriction, NULL);
|
||||||
- if (IS_ERR(keyring[id])) {
|
- if (IS_ERR(keyring[id])) {
|
||||||
+ KGIDT_INIT(0), cred,
|
+ KEY_ALLOC_NOT_IN_QUOTA, NULL);
|
||||||
+ ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
|
|
||||||
+ KEY_USR_VIEW | KEY_USR_READ |
|
|
||||||
+ KEY_USR_WRITE | KEY_USR_SEARCH),
|
|
||||||
+ KEY_ALLOC_NOT_IN_QUOTA, NULL);
|
|
||||||
+
|
+
|
||||||
+ if (!IS_ERR(keyring[id]))
|
+ if (!IS_ERR(keyring[id])) {
|
||||||
+ set_bit(KEY_FLAG_TRUSTED_ONLY, &keyring[id]->flags);
|
+ set_bit(KEY_FLAG_TRUSTED_ONLY, &keyring[id]->flags);
|
||||||
+ else {
|
+ } else {
|
||||||
err = PTR_ERR(keyring[id]);
|
err = PTR_ERR(keyring[id]);
|
||||||
pr_info("Can't allocate %s keyring (%d)\n",
|
pr_info("Can't allocate %s keyring (%d)\n",
|
||||||
keyring_name[id], err);
|
keyring_name[id], err);
|
||||||
@ -1096,21 +1099,48 @@ diff --git a/ima/ima_policy.c b/ima/ima_policy.c
|
|||||||
index aed47b7..dd52d98 100644
|
index aed47b7..dd52d98 100644
|
||||||
--- a/ima/ima_policy.c
|
--- a/ima/ima_policy.c
|
||||||
+++ b/ima/ima_policy.c
|
+++ b/ima/ima_policy.c
|
||||||
@@ -92,9 +92,11 @@ static struct ima_rule_entry dont_measure_rules[] = {
|
@@ -85,7 +85,7 @@ struct ima_rule_entry {
|
||||||
{.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
|
* normal users can easily run the machine out of memory simply building
|
||||||
{.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
|
* and running executables.
|
||||||
|
*/
|
||||||
|
-static struct ima_rule_entry dont_measure_rules[] __ro_after_init = {
|
||||||
|
+static struct ima_rule_entry dont_measure_rules[] = {
|
||||||
|
{.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
|
||||||
|
{.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
|
||||||
|
{.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
|
||||||
|
@@ -96,10 +96,12 @@ static struct ima_rule_entry dont_measure_rules[] __ro_after_init = {
|
||||||
{.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
|
{.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
|
||||||
+#if ( LINUX_VERSION_CODE > KERNEL_VERSION(3,10,0) )
|
|
||||||
+ {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC},
|
|
||||||
+#endif
|
|
||||||
{.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC,
|
{.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC,
|
||||||
- .flags = IMA_FSMAGIC},
|
.flags = IMA_FSMAGIC},
|
||||||
- {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}
|
+#if ( LINUX_VERSION_CODE > KERNEL_VERSION(3,10,0) )
|
||||||
+ .flags = IMA_FSMAGIC}
|
{.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}
|
||||||
|
+#endif
|
||||||
};
|
};
|
||||||
|
|
||||||
static struct ima_rule_entry original_measurement_rules[] = {
|
-static struct ima_rule_entry original_measurement_rules[] __ro_after_init = {
|
||||||
@@ -132,7 +134,9 @@ static struct ima_rule_entry default_appraise_rules[] = {
|
+static struct ima_rule_entry original_measurement_rules[] = {
|
||||||
|
{.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
|
||||||
|
.flags = IMA_FUNC | IMA_MASK},
|
||||||
|
{.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
|
||||||
|
@@ -111,7 +113,7 @@ static struct ima_rule_entry original_measurement_rules[] __ro_after_init = {
|
||||||
|
{.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
|
||||||
|
};
|
||||||
|
|
||||||
|
-static struct ima_rule_entry default_measurement_rules[] __ro_after_init = {
|
||||||
|
+static struct ima_rule_entry default_measurement_rules[] = {
|
||||||
|
{.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
|
||||||
|
.flags = IMA_FUNC | IMA_MASK},
|
||||||
|
{.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
|
||||||
|
@@ -127,7 +129,7 @@ static struct ima_rule_entry default_measurement_rules[] __ro_after_init = {
|
||||||
|
{.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC},
|
||||||
|
};
|
||||||
|
|
||||||
|
-static struct ima_rule_entry default_appraise_rules[] __ro_after_init = {
|
||||||
|
+static struct ima_rule_entry default_appraise_rules[] = {
|
||||||
|
{.action = DONT_APPRAISE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
|
||||||
|
{.action = DONT_APPRAISE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
|
||||||
|
{.action = DONT_APPRAISE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
|
||||||
|
@@ -137,7 +139,9 @@ static struct ima_rule_entry default_appraise_rules[] __ro_after_init = {
|
||||||
{.action = DONT_APPRAISE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
|
{.action = DONT_APPRAISE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
|
||||||
{.action = DONT_APPRAISE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
|
{.action = DONT_APPRAISE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
|
||||||
{.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
|
{.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
|
||||||
@ -1120,8 +1150,8 @@ index aed47b7..dd52d98 100644
|
|||||||
{.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC},
|
{.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC},
|
||||||
#ifdef CONFIG_IMA_WRITE_POLICY
|
#ifdef CONFIG_IMA_WRITE_POLICY
|
||||||
{.action = APPRAISE, .func = POLICY_CHECK,
|
{.action = APPRAISE, .func = POLICY_CHECK,
|
||||||
@@ -243,7 +247,11 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
|
@@ -249,7 +253,11 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
|
||||||
if ((rule->flags & IMA_UID) && !uid_eq(rule->uid, cred->uid))
|
if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid))
|
||||||
return false;
|
return false;
|
||||||
if (rule->flags & IMA_EUID) {
|
if (rule->flags & IMA_EUID) {
|
||||||
+#if ( LINUX_VERSION_CODE > KERNEL_VERSION(3,10,0) )
|
+#if ( LINUX_VERSION_CODE > KERNEL_VERSION(3,10,0) )
|
||||||
@ -1129,38 +1159,51 @@ index aed47b7..dd52d98 100644
|
|||||||
+#else
|
+#else
|
||||||
+ if (capable_wrt_inode_uidgid(inode, CAP_SETUID) || capable(CAP_SETUID)) {
|
+ if (capable_wrt_inode_uidgid(inode, CAP_SETUID) || capable(CAP_SETUID)) {
|
||||||
+#endif
|
+#endif
|
||||||
if (!uid_eq(rule->uid, cred->euid)
|
if (!rule->uid_op(cred->euid, rule->uid)
|
||||||
&& !uid_eq(rule->uid, cred->suid)
|
&& !rule->uid_op(cred->suid, rule->uid)
|
||||||
&& !uid_eq(rule->uid, cred->uid))
|
&& !rule->uid_op(cred->uid, rule->uid))
|
||||||
@@ -541,10 +549,26 @@ static int ima_lsm_rule_init(struct ima_rule_entry *entry,
|
@@ -556,16 +564,34 @@ static int ima_lsm_rule_init(struct ima_rule_entry *entry,
|
||||||
return result;
|
return result;
|
||||||
}
|
}
|
||||||
|
|
||||||
+static int ima_string_contains_hex(const char *string, size_t len)
|
+static int ima_string_contains_hex(const char *string, size_t len)
|
||||||
+{
|
+{
|
||||||
+ const unsigned char *p;
|
+ const unsigned char *p;
|
||||||
+ for (p = string; p < (const unsigned char *)string + len; p++) {
|
+ for (p = string; p < (const unsigned char *)string + len; p++) {
|
||||||
+ if (*p == '"' || *p < 0x21 || *p > 0x7e)
|
+ if (*p == '"' || *p < 0x21 || *p > 0x7e)
|
||||||
+ return 1;
|
+ return 1;
|
||||||
+ }
|
+ }
|
||||||
+ return 0;
|
+ return 0;
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
+
|
static void ima_log_string_op(struct audit_buffer *ab, char *key, char *value,
|
||||||
static void ima_log_string(struct audit_buffer *ab, char *key, char *value)
|
bool (*rule_operator)(kuid_t, kuid_t))
|
||||||
{
|
{
|
||||||
- audit_log_format(ab, "%s=", key);
|
- if (rule_operator == &uid_gt)
|
||||||
|
- audit_log_format(ab, "%s>", key);
|
||||||
|
- else if (rule_operator == &uid_lt)
|
||||||
|
- audit_log_format(ab, "%s<", key);
|
||||||
|
- else
|
||||||
|
- audit_log_format(ab, "%s=", key);
|
||||||
- audit_log_untrustedstring(ab, value);
|
- audit_log_untrustedstring(ab, value);
|
||||||
+ if (ima_string_contains_hex(value, strlen(value))) {
|
+ if (ima_string_contains_hex(value, strlen(value))) {
|
||||||
+ // value string contains hex. Convert to hex instead
|
+ if (rule_operator == &uid_gt)
|
||||||
+ audit_log_format(ab, "%s=(contains hex)%s", key, value);
|
+ audit_log_format(ab, "%s>(contains hex)%s", key, value);
|
||||||
+ }
|
+ else if (rule_operator == &uid_lt)
|
||||||
+ else {
|
+ audit_log_format(ab, "%s<(contains hex)%s", key, value);
|
||||||
+ audit_log_format(ab, "%s=%s", key, value);
|
+ else
|
||||||
|
+ audit_log_format(ab, "%s=(contains hex)%s", key, value);
|
||||||
|
+ } else {
|
||||||
|
+ if (rule_operator == &uid_gt)
|
||||||
|
+ audit_log_format(ab, "%s>", key);
|
||||||
|
+ else if (rule_operator == &uid_lt)
|
||||||
|
+ audit_log_format(ab, "%s<", key);
|
||||||
|
+ else
|
||||||
|
+ audit_log_format(ab, "%s=", key);
|
||||||
+ }
|
+ }
|
||||||
audit_log_format(ab, " ");
|
audit_log_format(ab, " ");
|
||||||
}
|
}
|
||||||
|
static void ima_log_string(struct audit_buffer *ab, char *key, char *value)
|
||||||
diff --git a/integrity.h b/integrity.h
|
diff --git a/integrity.h b/integrity.h
|
||||||
index 24520b4..c13e61d 100644
|
index 24520b4..c13e61d 100644
|
||||||
--- a/integrity.h
|
--- a/integrity.h
|
||||||
@ -1183,11 +1226,7 @@ index 24520b4..c13e61d 100644
|
|||||||
uint32_t keyid; /* IMA key identifier - not X509/PGP specific */
|
uint32_t keyid; /* IMA key identifier - not X509/PGP specific */
|
||||||
uint16_t sig_size; /* signature size */
|
uint16_t sig_size; /* signature size */
|
||||||
uint8_t sig[0]; /* signature payload */
|
uint8_t sig[0]; /* signature payload */
|
||||||
@@ -127,12 +129,11 @@ int __init integrity_read_file(const char *path, char **data);
|
@@ -131,8 +133,8 @@ int __init integrity_read_file(const char *path, char **data);
|
||||||
#define INTEGRITY_KEYRING_MAX 3
|
|
||||||
|
|
||||||
#ifdef CONFIG_INTEGRITY_SIGNATURE
|
|
||||||
-
|
|
||||||
int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
|
int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
|
||||||
const char *digest, int digestlen);
|
const char *digest, int digestlen);
|
||||||
|
|
||||||
|
@ -24,19 +24,18 @@ diff --git a/ima/ima_appraise.c b/ima/ima_appraise.c
|
|||||||
index 88b5091..cff2ad2 100644
|
index 88b5091..cff2ad2 100644
|
||||||
--- a/ima/ima_appraise.c
|
--- a/ima/ima_appraise.c
|
||||||
+++ b/ima/ima_appraise.c
|
+++ b/ima/ima_appraise.c
|
||||||
@@ -250,8 +250,11 @@ int ima_appraise_measurement(enum ima_hooks func,
|
@@ -205,7 +208,11 @@ int ima_appraise_measurement(enum ima_hooks func,
|
||||||
if (rc <= 0) {
|
|
||||||
if (rc && rc != -ENODATA)
|
if (rc && rc != -ENODATA)
|
||||||
goto out;
|
goto out;
|
||||||
-
|
|
||||||
- cause = "missing-hash";
|
- cause = "missing-hash";
|
||||||
+
|
|
||||||
+ if (iint->flags & IMA_DIGSIG_REQUIRED)
|
+ if (iint->flags & IMA_DIGSIG_REQUIRED)
|
||||||
+ cause = "missing-signature";
|
+ cause = "missing-signature";
|
||||||
+ else
|
+ else
|
||||||
+ cause = "missing-hash";
|
+ cause = "missing-hash";
|
||||||
|
+
|
||||||
status = INTEGRITY_NOLABEL;
|
status = INTEGRITY_NOLABEL;
|
||||||
if (opened & FILE_CREATED) {
|
if (opened & FILE_CREATED)
|
||||||
iint->flags |= IMA_NEW_FILE;
|
iint->flags |= IMA_NEW_FILE;
|
||||||
@@ -352,7 +355,8 @@ void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file)
|
@@ -352,7 +355,8 @@ void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file)
|
||||||
int rc = 0;
|
int rc = 0;
|
||||||
|
Loading…
Reference in New Issue
Block a user