user/sven/linux.git/security/integrity, branch v5.17.1

ima: Do not print policy rule with inactive LSM labels

2022-02-02T16:59:54Z

Before printing a policy rule scan for inactive LSM labels in the policy rule. Inactive LSM labels are identified by args_p != NULL and rule == NULL. Fixes: 483ec26eed42 ("ima: ima/lsm policy rule loading logic bug fixes") Signed-off-by: Stefan Berger Cc: # v5.6+ Acked-by: Christian Brauner [zohar@linux.ibm.com: Updated "Fixes" tag] Signed-off-by: Mimi Zohar

ima: Allow template selection with ima_template[_fmt]= after ima_hash=

2022-02-02T16:59:54Z

Commit c2426d2ad5027 ("ima: added support for new kernel cmdline parameter ima_template_fmt") introduced an additional check on the ima_template variable to avoid multiple template selection. Unfortunately, ima_template could be also set by the setup function of the ima_hash= parameter, when it calls ima_template_desc_current(). This causes attempts to choose a new template with ima_template= or with ima_template_fmt=, after ima_hash=, to be ignored. Achieve the goal of the commit mentioned with the new static variable template_setup_done, so that template selection requests after ima_hash= are not ignored. Finally, call ima_init_template_list(), if not already done, to initialize the list of templates before lookup_template_desc() is called. Reported-by: Guo Zihua Signed-off-by: Roberto Sassu Cc: stable@vger.kernel.org Fixes: c2426d2ad5027 ("ima: added support for new kernel cmdline parameter ima_template_fmt") Signed-off-by: Mimi Zohar

ima: Remove ima_policy file before directory

2022-02-02T16:59:09Z

The removal of ima_dir currently fails since ima_policy still exists, so remove the ima_policy file before removing the directory. Fixes: 4af4662fa4a9 ("integrity: IMA policy") Signed-off-by: Stefan Berger Cc: Acked-by: Christian Brauner Signed-off-by: Mimi Zohar

integrity: check the return value of audit_log_start()

2022-02-02T16:44:23Z

audit_log_start() returns audit_buffer pointer on success or NULL on error, so it is better to check the return value of it. Fixes: 3323eec921ef ("integrity: IMA as an integrity service provider") Signed-off-by: Xiaoke Wang Cc: Reviewed-by: Paul Moore Signed-off-by: Mimi Zohar

ima: fix reference leak in asymmetric_verify()

2022-01-24T23:37:36Z

Don't leak a reference to the key if its algorithm is unknown. Fixes: 947d70597236 ("ima: Support EC keys for signature verification") Cc: # v5.13+ Signed-off-by: Eric Biggers Reviewed-by: Stefan Berger Reviewed-by: Tianjia Zhang Signed-off-by: Mimi Zohar

Merge tag 'integrity-v5.17' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity

2022-01-11T21:11:10Z

Pull integrity subsystem updates from Mimi Zohar: "The few changes are all kexec related: - The MOK keys are loaded onto the .platform keyring in order to verify the kexec kernel image signature. However, the MOK keys should only be trusted when secure boot is enabled. Before loading the MOK keys onto the .platform keyring, make sure the system is booted in secure boot mode. - When carrying the IMA measurement list across kexec, limit dumping the measurement list to when dynamic debug or CONFIG_DEBUG is enabled. - kselftest: add kexec_file_load selftest support for PowerNV and other cleanup" * tag 'integrity-v5.17' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity: selftests/kexec: Enable secureboot tests for PowerPC ima: silence measurement list hexdump during kexec selftests/kexec: update searching for the Kconfig selftest/kexec: fix "ignored null byte in input" warning integrity: Do not load MOK and MOKx when secure boot be disabled ima: Fix undefined arch_ima_get_secureboot() and co

ima: silence measurement list hexdump during kexec

2022-01-05T11:22:00Z

Directly calling print_hex_dump() dumps the IMA measurement list on soft resets (kexec) straight to the syslog (kmsg/dmesg) without considering the DEBUG flag or the dynamic debug state, causing the output to be always printed, including during boot time. Since this output is only valid for IMA debugging, but not necessary on normal kexec operation, print_hex_dump_debug() adheres to the pr_debug() behavior: the dump is only printed to syslog when DEBUG is defined or when explicitly requested by the user through dynamic debugging. Signed-off-by: Bruno Meneguele Signed-off-by: Mimi Zohar

integrity: Do not load MOK and MOKx when secure boot be disabled

2021-12-24T15:25:24Z

The security of Machine Owner Key (MOK) relies on secure boot. When secure boot is disabled, EFI firmware will not verify binary code. Then arbitrary efi binary code can modify MOK when rebooting. This patch prevents MOK/MOKx be loaded when secure boot be disabled. Signed-off-by: "Lee, Chun-Yi" Reviewed-by: Petr Vorel Signed-off-by: Mimi Zohar

lsm: security_task_getsecid_subj() -> security_current_getsecid_subj()

2021-11-22T22:52:47Z

The security_task_getsecid_subj() LSM hook invites misuse by allowing callers to specify a task even though the hook is only safe when the current task is referenced. Fix this by removing the task_struct argument to the hook, requiring LSM implementations to use the current task. While we are changing the hook declaration we also rename the function to security_current_getsecid_subj() in an effort to reinforce that the hook captures the subjective credentials of the current task and not an arbitrary task on the system. Reviewed-by: Serge Hallyn Reviewed-by: Casey Schaufler Signed-off-by: Paul Moore

evm: mark evm_fixmode as __ro_after_init

2021-10-28T22:52:49Z

The evm_fixmode is only configurable by command-line option and it is never modified outside initcalls, so declaring it with __ro_after_init is better. Signed-off-by: Austin Kim Cc: stable@vger.kernel.org Signed-off-by: Mimi Zohar