RE: [PATCH 0/5] evm: Prepare for moving to the LSM infrastructure

2021-04-20 Thread Roberto Sassu
> From: Casey Schaufler [mailto:ca...@schaufler-ca.com] > Sent: Friday, April 16, 2021 11:25 PM > On 4/16/2021 9:37 AM, Roberto Sassu wrote: > >> From: Casey Schaufler [mailto:ca...@schaufler-ca.com] > >> Sent: Thursday, April 15, 2021 10:44 PM > >> On 4/

RE: [PATCH 0/5] evm: Prepare for moving to the LSM infrastructure

2021-04-16 Thread Roberto Sassu
> From: Casey Schaufler [mailto:ca...@schaufler-ca.com] > Sent: Thursday, April 15, 2021 10:44 PM > On 4/15/2021 3:04 AM, Roberto Sassu wrote: > > This patch set depends on: > > > > https://lore.kernel.org/linux-integrity/20210409114313.4073-1- > rober

RE: [PATCH 1/5] xattr: Complete constify ->name member of "struct xattr"

2021-04-15 Thread Roberto Sassu
> From: Tetsuo Handa [mailto:penguin-ker...@i-love.sakura.ne.jp] > Sent: Thursday, April 15, 2021 1:20 PM > On 2021/04/15 19:04, Roberto Sassu wrote: > > This patch completes commit 9548906b2bb7 ('xattr: Constify ->name > member of > > "struct xattr&

[PATCH 5/5] evm: Support multiple LSMs providing an xattr

2021-04-15 Thread Roberto Sassu
set to NULL, this patch reuses the same assumption for evm_inode_init_security() to scan all xattrs and to calculate the HMAC on all of them. Signed-off-by: Roberto Sassu --- security/integrity/evm/evm.h| 2 ++ security/integrity/evm/evm_crypto.c | 9 - security/integrity/evm

[PATCH 4/5] evm: Align evm_inode_init_security() definition with LSM infrastructure

2021-04-15 Thread Roberto Sassu
This patch changes the evm_inode_init_security() definition to align with the LSM infrastructure, in preparation for moving IMA and EVM to that infrastructure. Signed-off-by: Roberto Sassu --- include/linux/evm.h | 21 ++--- security/integrity/evm/evm_main.c | 24

[PATCH 3/5] security: Pass xattrs allocated by LSMs to the inode_init_security hook

2021-04-15 Thread Roberto Sassu
, value and len with the full array, as LSMs would have had to scan it to find an empty slot. Signed-off-by: Roberto Sassu --- include/linux/lsm_hook_defs.h | 2 +- include/linux/lsm_hooks.h | 1 + security/security.c | 7 --- security/selinux/hooks.c | 3 ++- security

[PATCH 2/5] security: Support multiple LSMs implementing the inode_init_security hook

2021-04-15 Thread Roberto Sassu
overwriting the *value pointer). The modifications necessary for EVM to calculate the HMAC on all xattrs will be done in a separate patch. Signed-off-by: Roberto Sassu --- security/security.c | 87 + 1 file changed, 72 insertions(+), 15 deletions

[PATCH 1/5] xattr: Complete constify ->name member of "struct xattr"

2021-04-15 Thread Roberto Sassu
o, it removes the kfree() of name and setting it to NULL in the reiserfs code. Fixes: 9548906b2bb7 ('xattr: Constify ->name member of "struct xattr"') Cc: sta...@vger.kernel.org Cc: Tetsuo Handa Signed-off-by: Roberto Sassu --- fs/reiserfs/xattr_security.c | 2 -- include/

[PATCH 0/5] evm: Prepare for moving to the LSM infrastructure

2021-04-15 Thread Roberto Sassu
struct xattr"'), and a misalignment with security_inode_init_security() (the old version expects the full xattr name with the security. prefix, the new version just the suffix). The last issue has not been fixed yet. Roberto Sassu (5): xattr: Complete constify ->name member of

[PATCH 6/7] evm: Allow choice of hash algorithm for HMAC

2021-04-09 Thread Roberto Sassu
n evm_hash=. Signed-off-by: Roberto Sassu --- .../admin-guide/kernel-parameters.txt | 8 +++ security/integrity/evm/Kconfig| 34 security/integrity/evm/evm.h | 2 + security/integrity/evm/evm_crypto.c | 55 +-- security

[PATCH 7/7] evm: Extend evm= with allow_metadata_writes and complete values

2021-04-09 Thread Roberto Sassu
on't allow further changes of the EVM mode. While EVM_ALLOW_METADATA_WRITES will be applied directly by the kernel at setup time, EVM_SETUP_COMPLETE will be applied only if a public key is loaded by evm_load_x509(). Signed-off-by: Roberto Sassu --- Documentation/admin-guide/kernel-para

[PATCH 5/7] ima: Introduce appraise_exec_immutable policy

2021-04-09 Thread Roberto Sassu
This patch modifies the existing "appraise_exec_tcb" policy, by adding the appraise_type=meta_immutable requirement for executed files. This policy can be selected by specifying ima_policy="appraise_exec_tcb|appraise_exec_immutable" in the kernel command line. Signed-o

[PATCH 4/7] ima: Introduce appraise_exec_tcb and appraise_tmpfs policies

2021-04-09 Thread Roberto Sassu
files which might not have an HMAC or digital signature. Signed-off-by: Roberto Sassu --- .../admin-guide/kernel-parameters.txt | 9 + security/integrity/ima/ima_policy.c | 33 +++ 2 files changed, 35 insertions(+), 7 deletions(-) diff --git a/Documentation

[PATCH 3/7] ima: Introduce exec_tcb and tmpfs policies

2021-04-09 Thread Roberto Sassu
, recognizable from a set of reference values from software vendors. However, this policy provides a less accurate view of the integrity of the system, as opened files are excluded from measurement. Signed-off-by: Roberto Sassu --- .../admin-guide/kernel-parameters.txt | 7 security

[PATCH 2/7] ima: Add meta_immutable appraisal type

2021-04-09 Thread Roberto Sassu
. Without it, an administrator might obtain a different target label by changing the label of the executable. Signed-off-by: Roberto Sassu --- Documentation/ABI/testing/ima_policy | 2 +- security/integrity/ima/ima_appraise.c | 9 + security/integrity/ima/ima_policy.c | 13

[PATCH 1/7] ima: Avoid measurement and audit if access to the file will be denied

2021-04-09 Thread Roberto Sassu
TPM-protected objects sealed to PCRs. Given that a potentially corrupted file will not be accessed by any user space process, it is safe for the purpose of integrity evaluation to avoid recording a measurement or audit log in this case. Signed-off-by: Roberto Sassu --- security/integrity/ima

[PATCH 0/7] ima/evm: Small enhancements

2021-04-09 Thread Roberto Sassu
to facilitate the setup of EVM. Roberto Sassu (7): ima: Avoid measurement and audit if access to the file will be denied ima: Add meta_immutable appraisal type ima: Introduce exec_tcb and tmpfs policies ima: Introduce appraise_exec_tcb and appraise_tmpfs policies ima: Introduce

[RESEND][PATCH v5 09/12] evm: Allow setxattr() and setattr() for unmodified metadata

2021-04-07 Thread Roberto Sassu
alter the current value). This patch avoids this problem by reporting successful operation to user space when that operation does not alter the current value of xattrs/attrs. Cc: Christian Brauner Cc: Andreas Gruenbacher Reported-by: kernel test robot Signed-off-by: Roberto Sassu Reviewed-by

RE: [PATCH v5 04/12] ima: Move ima_reset_appraise_flags() call to post hooks

2021-04-07 Thread Roberto Sassu
> From: Casey Schaufler [mailto:ca...@schaufler-ca.com] > Sent: Wednesday, April 7, 2021 6:18 PM > On 4/7/2021 3:52 AM, Roberto Sassu wrote: > > ima_inode_setxattr() and ima_inode_removexattr() hooks are called > before an > > operation is performed. Thus, ima_reset_apprai

[PATCH v5 12/12] ima: Don't remove security.ima if file must not be appraised

2021-04-07 Thread Roberto Sassu
Files might come from a remote source and might have xattrs, including security.ima. It should not be IMA's task to decide whether security.ima should be kept or not. This patch removes the removexattr() system call in ima_inode_post_setattr(). Signed-off-by: Roberto Sassu Reviewed-by: Mimi Zohar

[PATCH v5 10/12] ima: Allow imasig requirement to be satisfied by EVM portable signatures

2021-04-07 Thread Roberto Sassu
temporarily allows new files without or with incomplete metadata to be opened so that content can be written. Signed-off-by: Roberto Sassu Reviewed-by: Mimi Zohar --- security/integrity/ima/ima_appraise.c | 24 +--- 1 file changed, 17 insertions(+), 7 deletions(-) diff --git a

[PATCH v5 11/12] ima: Introduce template field evmsig and write to field sig as fallback

2021-04-07 Thread Roberto Sassu
IMA signatures can be included in the measurement list. This patch solves the issue by introducing the new template field 'evmsig' to show EVM portable signatures and by including its value in the existing field 'sig' if the IMA signature is not found. Signed-off-by: Roberto Sassu

[PATCH v5 09/12] evm: Allow setxattr() and setattr() for unmodified metadata

2021-04-07 Thread Roberto Sassu
alter the current value). This patch avoids this problem by reporting successful operation to user space when that operation does not alter the current value of xattrs/attrs. Cc: Christian Brauner Cc: Andreas Gruenbacher Signed-off-by: Roberto Sassu --- security/integrity/evm/evm_main.c | 107

[PATCH v5 07/12] evm: Allow xattr/attr operations for portable signatures

2021-04-07 Thread Roberto Sassu
an exception in evm_protect_xattr() and evm_inode_setattr() for this status and returns 0 instead of -EPERM. Signed-off-by: Roberto Sassu Reviewed-by: Mimi Zohar --- include/linux/integrity.h | 1 + security/integrity/evm/evm_main.c | 31 +-- securit

[PATCH v5 08/12] evm: Pass user namespace to set/remove xattr hooks

2021-04-07 Thread Roberto Sassu
ruenbacher Signed-off-by: Roberto Sassu --- include/linux/evm.h | 12 security/integrity/evm/evm_main.c | 17 +++-- security/security.c | 4 ++-- 3 files changed, 21 insertions(+), 12 deletions(-) diff --git a/include/linux/evm.h b/include/l

[PATCH v5 06/12] evm: Ignore INTEGRITY_NOLABEL/INTEGRITY_NOXATTRS if conditions are safe

2021-04-07 Thread Roberto Sassu
option to preserve xattrs won't work. This patch ignores these errors when they won't be an issue, if no HMAC key is loaded and cannot be loaded in the future (which can be enforced by setting the EVM_SETUP_COMPLETE initialization flag). Signed-off-by: Roberto Sassu --- security/int

[PATCH v5 05/12] evm: Introduce evm_status_revalidate()

2021-04-07 Thread Roberto Sassu
-evaluated after a metadata operation. Lastly, this patch also adds a call to evm_reset_status() in evm_inode_post_setattr() to invalidate the cached EVM status after a setattr operation. Signed-off-by: Roberto Sassu --- include/linux/evm.h | 6 + security/integrity/evm

[PATCH v5 04/12] ima: Move ima_reset_appraise_flags() call to post hooks

2021-04-07 Thread Roberto Sassu
ima_inode_post_removexattr(), and adds the call to ima_reset_appraise_flags() in the new functions. Cc: Casey Schaufler Signed-off-by: Roberto Sassu --- fs/xattr.c| 2 ++ include/linux/ima.h | 18 ++ security/integrity/ima

[PATCH v5 02/12] evm: Load EVM key in ima_load_x509() to avoid appraisal

2021-04-07 Thread Roberto Sassu
crosses the normal IMA and EVM boundary. Signed-off-by: Roberto Sassu Reviewed-by: Mimi Zohar --- security/integrity/iint.c | 4 +++- security/integrity/ima/ima_init.c | 4 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/security/integrity/iint.c b/security/integrity

[PATCH v5 03/12] evm: Refuse EVM_ALLOW_METADATA_WRITES only if an HMAC key is loaded

2021-04-07 Thread Roberto Sassu
: ae1ba1676b88e ("EVM: Allow userland to permit modification of EVM-protected metadata") Signed-off-by: Roberto Sassu --- Documentation/ABI/testing/evm | 5 +++-- security/integrity/evm/evm_secfs.c | 4 ++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/Documentation/ABI/tes

[PATCH v5 01/12] evm: Execute evm_inode_init_security() only when an HMAC key is loaded

2021-04-07 Thread Roberto Sassu
EVM_INIT_HMAC flag in evm_initialized. Cc: sta...@vger.kernel.org # 4.5.x Fixes: 26ddabfe96b ("evm: enable EVM when X509 certificate is loaded") Signed-off-by: Roberto Sassu Reviewed-by: Mimi Zohar --- security/integrity/evm/evm_main.c | 5 +++-- 1 file changed, 3 insertions(+), 2

[PATCH v5 00/12] evm: Improve usability of portable signatures

2021-04-07 Thread Roberto Sassu
on of evm_xattr_acl_change() and evm_xattr_change() Roberto Sassu (12): evm: Execute evm_inode_init_security() only when an HMAC key is loaded evm: Load EVM key in ima_load_x509() to avoid appraisal evm: Refuse EVM_ALLOW_METADATA_WRITES only if an HMAC key is loaded ima: Move ima_reset_appraise_flags()

RE: [PATCH v4 08/11] evm: Allow setxattr() and setattr() for unmodified metadata

2021-03-25 Thread Roberto Sassu
> From: Christian Brauner [mailto:christian.brau...@ubuntu.com] > Sent: Thursday, March 25, 2021 1:21 PM > On Thu, Mar 25, 2021 at 01:13:41PM +0100, Christian Brauner wrote: > > On Thu, Mar 25, 2021 at 10:53:43AM +, Roberto Sassu wrote: > > > > From: Roberto Sassu &g

RE: [PATCH v4 08/11] evm: Allow setxattr() and setattr() for unmodified metadata

2021-03-25 Thread Roberto Sassu
> From: Christian Brauner [mailto:christian.brau...@ubuntu.com] > Sent: Thursday, March 25, 2021 1:14 PM > On Thu, Mar 25, 2021 at 10:53:43AM +, Roberto Sassu wrote: > > > From: Roberto Sassu > > > Sent: Friday, March 5, 2021 4:19 PM > > > With the patch

RE: [PATCH v4 08/11] evm: Allow setxattr() and setattr() for unmodified metadata

2021-03-25 Thread Roberto Sassu
> From: Roberto Sassu > Sent: Friday, March 5, 2021 4:19 PM > With the patch to allow xattr/attr operations if a portable signature > verification fails, cp and tar can copy all xattrs/attrs so that at the > end of the process verification succeeds. > > However, it might h

RE: [PATCH] ima: Fix the error code for restoring the PCR value

2021-03-24 Thread Roberto Sassu
s > headers") > > Signed-off-by: Li Huafei Hi Li Huafei yes, correct. Thanks for the patch. Reviewed-by: Roberto Sassu Roberto HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063 Managing Director: Li Peng, Li Jian, Shi Yanli > > --- > > security/integrity/ima/im

[PATCH v4 10/11] ima: Introduce template field evmsig and write to field sig as fallback

2021-03-05 Thread Roberto Sassu
IMA signatures can be included in the measurement list. This patch solves the issue by introducing the new template field 'evmsig' to show EVM portable signatures and by including its value in the existing field 'sig' if the IMA signature is not found. Signed-off-by: Roberto Sassu

[PATCH v4 11/11] ima: Don't remove security.ima if file must not be appraised

2021-03-05 Thread Roberto Sassu
Files might come from a remote source and might have xattrs, including security.ima. It should not be IMA's task to decide whether security.ima should be kept or not. This patch removes the removexattr() system call in ima_inode_post_setattr(). Signed-off-by: Roberto Sassu Reviewed-by: Mimi Zohar

[PATCH v4 05/11] evm: Introduce evm_status_revalidate()

2021-03-05 Thread Roberto Sassu
-evaluated after a metadata operation. Lastly, this patch also adds a call to evm_reset_status() in evm_inode_post_setattr() to invalidate the cached EVM status after a setattr operation. Signed-off-by: Roberto Sassu --- include/linux/evm.h | 6 + security/integrity/evm

[PATCH v4 07/11] evm: Allow xattr/attr operations for portable signatures

2021-03-05 Thread Roberto Sassu
an exception in evm_protect_xattr() and evm_inode_setattr() for this status and returns 0 instead of -EPERM. Signed-off-by: Roberto Sassu Reviewed-by: Mimi Zohar --- include/linux/integrity.h | 1 + security/integrity/evm/evm_main.c | 31 +-- securit

[PATCH v4 09/11] ima: Allow imasig requirement to be satisfied by EVM portable signatures

2021-03-05 Thread Roberto Sassu
temporarily allows new files without or with incomplete metadata to be opened so that content can be written. Signed-off-by: Roberto Sassu Reviewed-by: Mimi Zohar --- security/integrity/ima/ima_appraise.c | 24 +--- 1 file changed, 17 insertions(+), 7 deletions(-) diff --git a

[PATCH v4 06/11] evm: Ignore INTEGRITY_NOLABEL/INTEGRITY_NOXATTRS if conditions are safe

2021-03-05 Thread Roberto Sassu
option to preserve xattrs won't work. This patch ignores these errors when they won't be an issue, if no HMAC key is loaded and cannot be loaded in the future (which can be enforced by setting the EVM_SETUP_COMPLETE initialization flag). Signed-off-by: Roberto Sassu --- security/int

[PATCH v4 08/11] evm: Allow setxattr() and setattr() for unmodified metadata

2021-03-05 Thread Roberto Sassu
alter the current value). This patch avoids this problem by reporting successful operation to user space when that operation does not alter the current value of xattrs/attrs. Signed-off-by: Roberto Sassu --- security/integrity/evm/evm_main.c | 96 +++ 1 file changed

[PATCH v4 01/11] evm: Execute evm_inode_init_security() only when an HMAC key is loaded

2021-03-05 Thread Roberto Sassu
EVM_INIT_HMAC flag in evm_initialized. Cc: sta...@vger.kernel.org # 4.5.x Fixes: 26ddabfe96b ("evm: enable EVM when X509 certificate is loaded") Signed-off-by: Roberto Sassu Reviewed-by: Mimi Zohar --- security/integrity/evm/evm_main.c | 5 +++-- 1 file changed, 3 insertions(+), 2

[PATCH v4 04/11] ima: Move ima_reset_appraise_flags() call to post hooks

2021-03-05 Thread Roberto Sassu
ima_inode_post_removexattr(), and adds the call to ima_reset_appraise_flags() in the new functions. Cc: Casey Schaufler Signed-off-by: Roberto Sassu --- fs/xattr.c| 2 ++ include/linux/ima.h | 18 ++ security/integrity/ima

[PATCH v4 00/11] evm: Improve usability of portable signatures

2021-03-05 Thread Roberto Sassu
g IMA flag - introduce new template field evmsig - add description of evm_xattr_acl_change() and evm_xattr_change() Roberto Sassu (11): evm: Execute evm_inode_init_security() only when an HMAC key is loaded evm: Load EVM key in ima_load_x509() to avoid appraisal evm: R

[PATCH v4 02/11] evm: Load EVM key in ima_load_x509() to avoid appraisal

2021-03-05 Thread Roberto Sassu
crosses the normal IMA and EVM boundary. Signed-off-by: Roberto Sassu Reviewed-by: Mimi Zohar --- security/integrity/iint.c | 4 +++- security/integrity/ima/ima_init.c | 4 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/security/integrity/iint.c b/security/integrity

[PATCH v4 03/11] evm: Refuse EVM_ALLOW_METADATA_WRITES only if an HMAC key is loaded

2021-03-05 Thread Roberto Sassu
: ae1ba1676b88e ("EVM: Allow userland to permit modification of EVM-protected metadata") Signed-off-by: Roberto Sassu --- Documentation/ABI/testing/evm | 5 +++-- security/integrity/evm/evm_secfs.c | 4 ++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/Documentation/ABI/tes

RE: [PATCH v3 06/11] evm: Ignore INTEGRITY_NOLABEL if no HMAC key is loaded

2020-12-04 Thread Roberto Sassu
> From: Mimi Zohar [mailto:zo...@linux.ibm.com] > Sent: Friday, December 4, 2020 2:05 PM > On Fri, 2020-12-04 at 08:05 +, Roberto Sassu wrote: > > > From: Mimi Zohar [mailto:zo...@linux.ibm.com] > > > Sent: Thursday, December 3, 2020 9:43 PM > > > Hi Robert

RE: [PATCH v3 06/11] evm: Ignore INTEGRITY_NOLABEL if no HMAC key is loaded

2020-12-04 Thread Roberto Sassu
> From: Mimi Zohar [mailto:zo...@linux.ibm.com] > Sent: Thursday, December 3, 2020 9:43 PM > Hi Roberto, > > On Wed, 2020-11-11 at 10:22 +0100, Roberto Sassu wrote: > > When a file is being created, LSMs can set the initial label with the > > inode_init_security hoo

RE: [PATCH v3 04/11] ima: Move ima_reset_appraise_flags() call to post hooks

2020-12-02 Thread Roberto Sassu
> From: Roberto Sassu > Sent: Wednesday, November 11, 2020 10:23 AM > ima_inode_setxattr() and ima_inode_removexattr() hooks are called > before an > operation is performed. Thus, ima_reset_appraise_flags() should not be > called there, as flags might be unnecessarily reset i

[PATCH] ima: Don't modify file descriptor mode on the fly

2020-11-26 Thread Roberto Sassu
option to measure a file when it is unreadable with the original file descriptor. Cc: # 4.20.x: 0014cc04e8ec0 ima: Set file->f_mode Cc: # 4.20.x Fixes: 2fe5d6def1672 ("ima: integrity appraisal extension") Signed-off-by: Roberto Sassu --- security/integrity/ima/ima_crypto.c | 20 +++

RE: [RESEND][PATCH] ima: Set and clear FMODE_CAN_READ in ima_calc_file_hash()

2020-11-20 Thread Roberto Sassu
> From: Linus Torvalds [mailto:torva...@linux-foundation.org] > Sent: Wednesday, November 18, 2020 12:37 AM > On Tue, Nov 17, 2020 at 3:29 PM Linus Torvalds > wrote: > > > > On Tue, Nov 17, 2020 at 3:24 PM Mimi Zohar > wrote: > > > > > > I really wish it wasn't needed. > > > > Seriously, I get th

RE: [RESEND][PATCH] ima: Set and clear FMODE_CAN_READ in ima_calc_file_hash()

2020-11-17 Thread Roberto Sassu
> From: Al Viro [mailto:v...@ftp.linux.org.uk] On Behalf Of Al Viro > Sent: Monday, November 16, 2020 7:09 PM > On Mon, Nov 16, 2020 at 09:37:32AM -0800, Linus Torvalds wrote: > > On Mon, Nov 16, 2020 at 8:47 AM Mimi Zohar > wrote: > > > > > > This discussion seems to be going down the path of req

RE: [RESEND][PATCH] ima: Set and clear FMODE_CAN_READ in ima_calc_file_hash()

2020-11-16 Thread Roberto Sassu
> From: Christoph Hellwig [mailto:h...@infradead.org] > Sent: Saturday, November 14, 2020 12:11 PM > On Fri, Nov 13, 2020 at 09:01:32AM +0100, Roberto Sassu wrote: > > Commit a1f9b1c0439db ("integrity/ima: switch to using __kernel_read") > > replaced the __vfs_read(

[RESEND][PATCH] ima: Set and clear FMODE_CAN_READ in ima_calc_file_hash()

2020-11-13 Thread Roberto Sassu
"integrity/ima: switch to using __kernel_read") Signed-off-by: Roberto Sassu --- security/integrity/ima/ima_crypto.c | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c index 21989fa0c107..2

[PATCH] ima: Set and clear FMODE_CAN_READ in ima_calc_file_hash()

2020-11-12 Thread Roberto Sassu
FMODE_CAN_READ flag is set in file->f_mode, this patch saves the original f_mode and sets the flag if the file descriptor has the necessary file operation. Lastly, it restores the original f_mode at the end of ima_calc_file_hash(). Signed-off-by: Roberto Sassu --- security/integrity/ima/ima_c

[PATCH v3 10/11] ima: Introduce template field evmsig and write to field sig as fallback

2020-11-11 Thread Roberto Sassu
IMA signatures can be included in the measurement list. This patch solves the issue by introducing the new template field 'evmsig' to show EVM portable signatures and by including its value in the existing field 'sig' if the IMA signature is not found. Signed-off-by: Roberto Sassu

[PATCH v3 11/11] ima: Don't remove security.ima if file must not be appraised

2020-11-11 Thread Roberto Sassu
Files might come from a remote source and might have xattrs, including security.ima. It should not be IMA's task to decide whether security.ima should be kept or not. This patch removes the removexattr() system call in ima_inode_post_setattr(). Signed-off-by: Roberto Sassu Reviewed-by: Mimi Zohar

[PATCH v3 09/11] ima: Allow imasig requirement to be satisfied by EVM portable signatures

2020-11-11 Thread Roberto Sassu
temporarily allows new files without or with incomplete metadata to be opened so that content can be written. Signed-off-by: Roberto Sassu Reviewed-by: Mimi Zohar --- security/integrity/ima/ima_appraise.c | 24 +--- 1 file changed, 17 insertions(+), 7 deletions(-) diff --git a

[PATCH v3 08/11] evm: Allow setxattr() and setattr() for unmodified metadata

2020-11-11 Thread Roberto Sassu
alter the current value). This patch avoids this problem by reporting successful operation to user space when that operation does not alter the current value of xattrs/attrs. Signed-off-by: Roberto Sassu --- security/integrity/evm/evm_main.c | 94 +++ 1 file changed

[PATCH v3 06/11] evm: Ignore INTEGRITY_NOLABEL if no HMAC key is loaded

2020-11-11 Thread Roberto Sassu
EVM won't calculate the HMAC on metadata that wasn't previously verified. Thus this patch checks if an HMAC key is loaded and if not, ignores INTEGRITY_NOLABEL. Signed-off-by: Roberto Sassu --- security/integrity/evm/evm_main.c | 17 - 1 file changed, 16 insertions(+), 1 delet

[PATCH v3 05/11] evm: Introduce evm_status_revalidate()

2020-11-11 Thread Roberto Sassu
-evaluated after a metadata operation. Lastly, this patch also adds a call to evm_reset_status() in evm_inode_post_setattr() to invalidate the cached EVM status after a setattr operation. Signed-off-by: Roberto Sassu --- include/linux/evm.h | 6 + security/integrity/evm

[PATCH v3 07/11] evm: Allow xattr/attr operations for portable signatures

2020-11-11 Thread Roberto Sassu
an exception in evm_protect_xattr() and evm_inode_setattr() for this status and returns 0 instead of -EPERM. Signed-off-by: Roberto Sassu Reviewed-by: Mimi Zohar --- include/linux/integrity.h | 1 + security/integrity/evm/evm_main.c | 31 +-- securit

[PATCH v3 02/11] evm: Load EVM key in ima_load_x509() to avoid appraisal

2020-11-11 Thread Roberto Sassu
added to the EVM key to pass verification. Since the restriction is applied on both IMA and EVM keyrings, it is safe to disable appraisal also when the EVM key is loaded. This patch calls evm_load_x509() inside ima_load_x509() if CONFIG_IMA_LOAD_X509 is defined. Signed-off-by: Roberto Sassu

[PATCH v3 00/11] evm: Improve usability of portable signatures

2020-11-11 Thread Roberto Sassu
e IMA policy requires file signatures and patch 10 shows portable signatures in the measurement list when the ima-sig template is selected. Lastly, patch 11 avoids undesired removal of security.ima when a file is not selected by the IMA policy. Roberto Sassu (11): evm: Execute evm_inode_init_sec

[PATCH v3 01/11] evm: Execute evm_inode_init_security() only when an HMAC key is loaded

2020-11-11 Thread Roberto Sassu
EVM_INIT_HMAC flag in evm_initialized. Cc: sta...@vger.kernel.org # 4.5.x Fixes: 26ddabfe96b ("evm: enable EVM when X509 certificate is loaded") Signed-off-by: Roberto Sassu Reviewed-by: Mimi Zohar --- security/integrity/evm/evm_main.c | 3 ++- 1 file changed, 2 insertions(+),

[PATCH v3 03/11] evm: Refuse EVM_ALLOW_METADATA_WRITES only if an HMAC key is loaded

2020-11-11 Thread Roberto Sassu
: ae1ba1676b88e ("EVM: Allow userland to permit modification of EVM-protected metadata") Signed-off-by: Roberto Sassu --- Documentation/ABI/testing/evm | 5 +++-- security/integrity/evm/evm_secfs.c | 2 +- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/Documentation/ABI/tes

[PATCH v3 04/11] ima: Move ima_reset_appraise_flags() call to post hooks

2020-11-11 Thread Roberto Sassu
ima_inode_post_removexattr(), removes ima_inode_removexattr() and adds the call to ima_reset_appraise_flags() in the new functions. Signed-off-by: Roberto Sassu --- fs/xattr.c| 2 ++ include/linux/ima.h | 19 +++ security/integrity/ima

RE: [PATCH] ima: Fix sizeof mismatches

2020-10-07 Thread Roberto Sassu
hese is the same. Fix this in the kmalloc_array and > memcpy calls. > > Addresses-Coverity: ("Sizeof not portable (SIZEOF_MISMATCH)") > Fixes: 1bd7face7439 ("ima: allocate field pointers array on demand in > template_desc_init_fields()") > Signed-off-by:

RE: [PATCH v2 07/12] evm: Introduce EVM_RESET_STATUS atomic flag

2020-09-17 Thread Roberto Sassu
> From: Mimi Zohar [mailto:zo...@linux.ibm.com] > Sent: Thursday, September 17, 2020 2:01 PM > [Cc'ing John Johansen] > > Hi Roberto, > > On Fri, 2020-09-04 at 11:26 +0200, Roberto Sassu wrote: > > When EVM_ALLOW_METADATA_WRITES is set, EVM allows any opera

RE: [PATCH v2 11/12] ima: Introduce template field evmsig and write to field sig as fallback

2020-09-17 Thread Roberto Sassu
> From: Mimi Zohar [mailto:zo...@linux.ibm.com] > Sent: Thursday, September 17, 2020 4:25 PM > Hi Roberto, > > On Fri, 2020-09-04 at 11:26 +0200, Roberto Sassu wrote: > > With the patch to accept EVM portable signatures when the > > appraise_type=imasig requirement

[PATCH v2 12/12] ima: Don't remove security.ima if file must not be appraised

2020-09-04 Thread Roberto Sassu
Files might come from a remote source and might have xattrs, including security.ima. It should not be IMA's task to decide whether security.ima should be kept or not. This patch removes the removexattr() system call in ima_inode_post_setattr(). Signed-off-by: Roberto Sassu Reviewed-by: Mimi Zohar

[PATCH v2 11/12] ima: Introduce template field evmsig and write to field sig as fallback

2020-09-04 Thread Roberto Sassu
IMA signatures can be included in the measurement list. This patch solves the issue by introducing the new template field 'evmsig' to show EVM portable signatures and by including its value in the existing field 'sig' if the IMA signature is not found. Signed-off-by: Roberto Sassu

[PATCH v2 10/12] ima: Allow imasig requirement to be satisfied by EVM portable signatures

2020-09-04 Thread Roberto Sassu
temporarily allows new files without or with incomplete metadata to be opened so that content can be written. Signed-off-by: Roberto Sassu Reviewed-by: Mimi Zohar --- security/integrity/ima/ima_appraise.c | 22 +++--- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/security

[PATCH v2 09/12] evm: Allow setxattr() and setattr() if metadata digest won't change

2020-09-04 Thread Roberto Sassu
alter the current value). This patch avoids this problem by reporting successful operation to user space when that operation does not alter the current value of xattrs/attrs. Signed-off-by: Roberto Sassu --- security/integrity/evm/evm_main.c | 94 +++ 1 file changed, 94

[PATCH v2 07/12] evm: Introduce EVM_RESET_STATUS atomic flag

2020-09-04 Thread Roberto Sassu
-protected metadata") Signed-off-by: Roberto Sassu --- security/integrity/evm/evm_main.c | 17 +++-- security/integrity/ima/ima_main.c | 8 ++-- security/integrity/integrity.h| 1 + 3 files changed, 22 insertions(+), 4 deletions(-) diff --git a/security/integrity/ev

[PATCH v2 08/12] evm: Allow xattr/attr operations for portable signatures if check fails

2020-09-04 Thread Roberto Sassu
an exception in evm_protect_xattr() and evm_inode_setattr() for this status and returns 0 instead of -EPERM. Signed-off-by: Roberto Sassu Reviewed-by: Mimi Zohar --- include/linux/integrity.h | 1 + security/integrity/evm/evm_main.c | 31 +-- securit

[PATCH v2 06/12] evm: Refuse EVM_ALLOW_METADATA_WRITES only if the HMAC key is loaded

2020-09-04 Thread Roberto Sassu
: ae1ba1676b88e ("EVM: Allow userland to permit modification of EVM-protected metadata") Signed-off-by: Roberto Sassu --- Documentation/ABI/testing/evm | 6 -- security/integrity/evm/evm_secfs.c | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/Documentation/ABI/tes

[PATCH v2 05/12] evm: Load EVM key in ima_load_x509() to avoid appraisal

2020-09-04 Thread Roberto Sassu
to the EVM key to pass verification. Since the restriction is applied on both IMA and EVM keyrings, it is safe to disable appraisal also when the EVM key is loaded. This patch calls evm_load_x509() inside ima_load_x509() if CONFIG_IMA_LOAD_X509 is defined. Signed-off-by: Roberto Sassu Reviewed

[PATCH v2 03/12] evm: Check size of security.evm before using it

2020-09-04 Thread Roberto Sassu
ned-off-by: Roberto Sassu Reviewed-by: Mimi Zohar --- security/integrity/evm/evm_main.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index 0d36259b690d..e4b47759ba1c 100644 --- a/security/integrity/evm/evm_main.c +++

[PATCH v2 02/12] ima: Remove semicolon at the end of ima_get_binary_runtime_size()

2020-09-04 Thread Roberto Sassu
This patch removes the unnecessary semicolon at the end of ima_get_binary_runtime_size(). Cc: sta...@vger.kernel.org Fixes: d158847ae89a2 ("ima: maintain memory size needed for serializing the measurement list") Signed-off-by: Roberto Sassu --- security/integrity/ima/ima_queue.c | 2

[PATCH v2 00/12] IMA/EVM fixes

2020-09-04 Thread Roberto Sassu
table signatures when the IMA policy requires file signatures and patch 11 shows portable signatures when the ima-sig measurement list template is selected. Lastly, patch 12 avoids undesired removal of security.ima when a file is not selected by the IMA policy. Roberto Sassu (12): ima: Don

[PATCH v2 01/12] ima: Don't ignore errors from crypto_shash_update()

2020-09-04 Thread Roberto Sassu
: 3323eec921efd ("integrity: IMA as an integrity service provider") Signed-off-by: Roberto Sassu Reviewed-by: Mimi Zohar --- security/integrity/ima/ima_crypto.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_cryp

[PATCH v2 04/12] evm: Execute evm_inode_init_security() only when the HMAC key is loaded

2020-09-04 Thread Roberto Sassu
...@vger.kernel.org # 4.5.x Fixes: 26ddabfe96b ("evm: enable EVM when X509 certificate is loaded") Signed-off-by: Roberto Sassu Reviewed-by: Mimi Zohar --- security/integrity/evm/evm_main.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/security/integrity/evm/evm

RE: [PATCH 01/11] evm: Execute evm_inode_init_security() only when the HMAC key is loaded

2020-09-02 Thread Roberto Sassu
> From: Mimi Zohar [mailto:zo...@linux.ibm.com] > Sent: Monday, August 24, 2020 7:45 PM > Hi Roberto, > > On Fri, 2020-08-21 at 14:30 -0400, Mimi Zohar wrote: > > Sorry for the delay in reviewing these patches. Missing from this > > patch set is a cover letter with an explanation for grouping th

RE: [PATCH 07/11] evm: Set IMA_CHANGE_XATTR/ATTR bit if EVM_ALLOW_METADATA_WRITES is set

2020-09-01 Thread Roberto Sassu
> From: Mimi Zohar [mailto:zo...@linux.ibm.com] > Sent: Tuesday, September 1, 2020 1:05 PM > On Tue, 2020-09-01 at 09:08 +, Roberto Sassu wrote: > > > From: Mimi Zohar [mailto:zo...@linux.ibm.com] > > > Sent: Monday, August 24, 2020 2:18 PM > > > On Thu

RE: [PATCH 07/11] evm: Set IMA_CHANGE_XATTR/ATTR bit if EVM_ALLOW_METADATA_WRITES is set

2020-09-01 Thread Roberto Sassu
> From: Mimi Zohar [mailto:zo...@linux.ibm.com] > Sent: Monday, August 24, 2020 2:18 PM > On Thu, 2020-06-18 at 18:04 +0200, Roberto Sassu wrote: > > When EVM_ALLOW_METADATA_WRITES is set, EVM allows any operation > on > > metadata. Its main purpose is to allow users to

RE: [PATCH 02/11] evm: Load EVM key in ima_load_x509() to avoid appraisal

2020-08-31 Thread Roberto Sassu
> From: Mimi Zohar [mailto:zo...@linux.ibm.com] > Sent: Friday, August 21, 2020 8:45 PM > On Thu, 2020-06-18 at 18:01 +0200, Roberto Sassu wrote: > > Public keys do not need to be appraised by IMA as the restriction on the > > IMA/EVM keyrings ensures that a key is loaded only

RE: [PATCH 06/11] evm: Allow setxattr() and setattr() if metadata digest won't change

2020-08-31 Thread Roberto Sassu
> From: Mimi Zohar [mailto:zo...@linux.ibm.com] > Sent: Monday, August 24, 2020 2:17 PM > On Thu, 2020-06-18 at 18:04 +0200, Roberto Sassu wrote: > > If metadata are immutable, they cannot be changed. If metadata are > already > > set to the final value before cp and tar re

RE: [PATCH 03/11] evm: Refuse EVM_ALLOW_METADATA_WRITES only if the HMAC key is loaded

2020-08-31 Thread Roberto Sassu
> From: Mimi Zohar [mailto:zo...@linux.ibm.com] > Sent: Friday, August 21, 2020 10:15 PM > Hi Roberto, > > On Thu, 2020-06-18 at 18:01 +0200, Roberto Sassu wrote: > > Granting metadata write is safe if the HMAC key is not loaded, as it won't > > let an attacker ob

[PATCH 11/11] ima: Remove semicolon at the end of ima_get_binary_runtime_size()

2020-06-18 Thread Roberto Sassu
This patch removes the unnecessary semicolon at the end of ima_get_binary_runtime_size(). Cc: sta...@vger.kernel.org Fixes: d158847ae89a2 ("ima: maintain memory size needed for serializing the measurement list") Signed-off-by: Roberto Sassu --- security/integrity/ima/ima_queue.c | 2

[PATCH 08/11] ima: Allow imasig requirement to be satisfied by EVM portable signatures

2020-06-18 Thread Roberto Sassu
IMA signature, not immutable) after: denied (file with EVM portable signature, immutable) In addition, similarly to IMA signatures, this patch temporarily allows new files without or with incomplete metadata to be opened so that content can be written. Signed-off-by: Roberto Sassu --- security

[PATCH 07/11] evm: Set IMA_CHANGE_XATTR/ATTR bit if EVM_ALLOW_METADATA_WRITES is set

2020-06-18 Thread Roberto Sassu
also adds a call to evm_reset_status() in evm_inode_post_setattr() so that EVM won't return the cached status the next time appraisal is performed. Cc: sta...@vger.kernel.org # 4.16.x Fixes: ae1ba1676b88e ("EVM: Allow userland to permit modification of EVM-protected metadata") Signed-

[PATCH 10/11] ima: Don't ignore errors from crypto_shash_update()

2020-06-18 Thread Roberto Sassu
: 3323eec921efd ("integrity: IMA as an integrity service provider") Signed-off-by: Roberto Sassu --- security/integrity/ima/ima_crypto.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c index 220b14920c37..47

[PATCH 09/11] ima: Don't remove security.ima if file must not be appraised

2020-06-18 Thread Roberto Sassu
Files might come from a remote source and might have xattrs, including security.ima. It should not be IMA's task to decide whether security.ima should be kept or not. This patch removes the removexattr() system call in ima_inode_post_setattr(). Signed-off-by: Roberto Sassu --- security/integrity

[PATCH 06/11] evm: Allow setxattr() and setattr() if metadata digest won't change

2020-06-18 Thread Roberto Sassu
xattr()/setattr() change metadata and, if not, allows the operations even if metadata are immutable. Signed-off-by: Roberto Sassu --- security/integrity/evm/evm_main.c | 72 +++ 1 file changed, 72 insertions(+) diff --git a/security/integrity/evm/evm_main.c b/sec

[PATCH 05/11] evm: Allow xattr/attr operations for portable signatures if check fails

2020-06-18 Thread Roberto Sassu
ss verification and then adds an exception in evm_protect_xattr() and evm_inode_setattr() for this status and returns 0 instead of -EPERM. Signed-off-by: Roberto Sassu --- include/linux/integrity.h | 1 + security/integrity/evm/evm_main.c | 25 - securit

[PATCH 04/11] evm: Check size of security.evm before using it

2020-06-18 Thread Roberto Sassu
ned-off-by: Roberto Sassu --- security/integrity/evm/evm_main.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index 744c105b48d1..4e9f5e8b21d5 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/

[PATCH 03/11] evm: Refuse EVM_ALLOW_METADATA_WRITES only if the HMAC key is loaded

2020-06-18 Thread Roberto Sassu
tting EVM_ALLOW_METADATA_WRITES if the EVM_INIT_HMAC flag is not set. Cc: sta...@vger.kernel.org # 4.16.x Fixes: ae1ba1676b88e ("EVM: Allow userland to permit modification of EVM-protected metadata") Signed-off-by: Roberto Sassu --- security/integrity/evm/evm_secfs.c | 2 +- 1 file changed, 1 insertion
