Merge branch 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity

Pull IMA updates from Mimi Zohar:

"Two new features - measuring certificates and querying IMA for a file hash - and three bug fixes:

- Measuring certificates is like the rest of IMA, based on policy, but requires loading a custom policy. Certificates loaded onto a keyring, for example during early boot, before a custom policy has been loaded, are queued and only processed after loading the custom policy.

- IMA calculates and caches files hashes. Other kernel subsystems, and possibly kernel modules, are interested in accessing these cached file hashes.

The bug fixes prevent classifying a file short read (e.g. shutdown) as an invalid file signature, add a missing blank when displaying the securityfs policy rules containing LSM labels, and, lastly, fix the handling of the IMA policy information for unknown LSM labels"

* 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
  IMA: Defined delayed workqueue to free the queued keys
  IMA: Call workqueue functions to measure queued keys
  IMA: Define workqueue for early boot key measurements
  IMA: pre-allocate buffer to hold keyrings string
  ima: ima/lsm policy rule loading logic bug fixes
  ima: add the ability to query the cached hash of a given file
  ima: Add a space after printing LSM rules for readability
  IMA: fix measuring asymmetric keys Kconfig
  IMA: Read keyrings= option from the IMA policy
  IMA: Add support to limit measuring keys
  KEYS: Call the IMA hook to measure keys
  IMA: Define an IMA hook to measure keys
  IMA: Add KEY_CHECK func to measure keys
  IMA: Check IMA policy flag
  ima: avoid appraise error for hash calc interrupt
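The key measurements this pull introduces land in the IMA measurement list as ima-buf records whose event name is the keyring description and whose buffer is the key payload (see the ima_asymmetric_keys.c hook below). The following is an added example, not code from the kernel or from this pull request: a small Python verifier that parses such records from ascii_runtime_measurements-style lines, re-hashes the buffer to confirm it matches the d-ng digest field, and checks the digest against a per-keyring allowlist. The field layout (PCR, template digest, template name, d-ng, n-ng, buf) is the ima-buf ASCII layout as I understand it; the sample lines, the key payloads and the all-zero template digest are constructed here and are not real certificates or real measurements.

```python
"""Verify KEY_CHECK (ima-buf) entries from an IMA measurement list.

Added example; not part of the kernel tree or this pull request.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class KeyMeasurement:
    pcr: int
    keyring: str      # n-ng field: keyring description, e.g. ".ima"
    algo: str         # hash algorithm named in the d-ng field
    digest: str       # hex digest of the buffer as recorded in d-ng
    payload: bytes    # decoded buf field (the key payload that was measured)

    def digest_ok(self) -> bool:
        """Recompute the buffer hash instead of trusting the recorded digest."""
        return hashlib.new(self.algo, self.payload).hexdigest() == self.digest


def parse_ima_buf_line(line: str) -> KeyMeasurement:
    """Parse one ASCII record: PCR template-digest ima-buf algo:digest n-ng buf-hex."""
    parts = line.split()
    if len(parts) != 6 or parts[2] != "ima-buf":
        raise ValueError(f"not an ima-buf record: {line!r}")
    pcr, _template_digest, _template, d_ng, n_ng, buf_hex = parts
    algo, digest = d_ng.split(":", 1)
    return KeyMeasurement(int(pcr), n_ng, algo, digest.lower(), bytes.fromhex(buf_hex))


def make_record(pcr: int, keyring: str, payload: bytes, algo: str = "sha256") -> str:
    """Build a constructed sample line; the template digest is a placeholder."""
    digest = hashlib.new(algo, payload).hexdigest()
    return f"{pcr} {'0' * 40} ima-buf {algo}:{digest} {keyring} {payload.hex()}"


# Constructed stand-ins for DER certificate payloads (not real certificates).
SAMPLE_PAYLOADS: Dict[str, bytes] = {
    ".ima": b"\x30\x82\x01\x0a constructed cert A",
    ".builtin_trusted_keys": b"\x30\x82\x02\x1b constructed cert B",
}


def sample_measurement_list() -> List[str]:
    """Two good records plus one whose buffer was altered after the fact."""
    lines = [make_record(10, kr, p) for kr, p in SAMPLE_PAYLOADS.items()]
    # Keep the recorded digest but change the buffer: digest_ok() must fail.
    altered = (SAMPLE_PAYLOADS[".ima"] + b"X").hex()
    lines.append(lines[0].rsplit(" ", 1)[0] + " " + altered)
    return lines


def allowed_from_payloads(payloads: Dict[str, bytes]) -> Dict[str, Set[str]]:
    """Allowlist: keyring -> set of sha256 digests of the keys expected on it."""
    return {kr: {hashlib.sha256(p).hexdigest()} for kr, p in payloads.items()}


def audit(lines: List[str], allowed: Dict[str, Set[str]]) -> List[dict]:
    """For each record report the keyring, buffer-digest consistency and allowlist hit."""
    results = []
    for line in lines:
        m = parse_ima_buf_line(line)
        results.append({
            "keyring": m.keyring,
            "digest_ok": m.digest_ok(),
            "allowed": m.digest in allowed.get(m.keyring, set()),
        })
    return results


if __name__ == "__main__":
    for r in audit(sample_measurement_list(), allowed_from_payloads(SAMPLE_PAYLOADS)):
        print(r)
```

The third sample record is the case a verifier must catch: its d-ng digest still matches the allowlist, so a check that only compares the recorded digest would pass it, while re-hashing the buffer exposes the mismatch.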
Showing 14 changed files with 540 additions and 40 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,66 @@ | ||
// SPDX-License-Identifier: GPL-2.0+ | ||
/* | ||
* Copyright (C) 2019 Microsoft Corporation | ||
* | ||
* Author: Lakshmi Ramasubramanian ([email protected]) | ||
* | ||
* File: ima_asymmetric_keys.c | ||
* Defines an IMA hook to measure asymmetric keys on key | ||
* create or update. | ||
*/ | ||
|
||
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | ||
|
||
#include <keys/asymmetric-type.h> | ||
#include "ima.h" | ||
|
||
/** | ||
* ima_post_key_create_or_update - measure asymmetric keys | ||
* @keyring: keyring to which the key is linked to | ||
* @key: created or updated key | ||
* @payload: The data used to instantiate or update the key. | ||
* @payload_len: The length of @payload. | ||
* @flags: key flags | ||
* @create: flag indicating whether the key was created or updated | ||
* | ||
* Keys can only be measured, not appraised. | ||
* The payload data used to instantiate or update the key is measured. | ||
*/ | ||
void ima_post_key_create_or_update(struct key *keyring, struct key *key, | ||
const void *payload, size_t payload_len, | ||
unsigned long flags, bool create) | ||
{ | ||
bool queued = false; | ||
|
||
/* Only asymmetric keys are handled by this hook. */ | ||
if (key->type != &key_type_asymmetric) | ||
return; | ||
|
||
if (!payload || (payload_len == 0)) | ||
return; | ||
|
||
if (ima_should_queue_key()) | ||
queued = ima_queue_key(keyring, payload, payload_len); | ||
|
||
if (queued) | ||
return; | ||
|
||
/* | ||
* keyring->description points to the name of the keyring | ||
* (such as ".builtin_trusted_keys", ".ima", etc.) to | ||
* which the given key is linked to. | ||
* | ||
* The name of the keyring is passed in the "eventname" | ||
* parameter to process_buffer_measurement() and is set | ||
* in the "eventname" field in ima_event_data for | ||
* the key measurement IMA event. | ||
* | ||
* The name of the keyring is also passed in the "keyring" | ||
* parameter to process_buffer_measurement() to check | ||
* if the IMA policy is configured to measure a key linked | ||
* to the given keyring. | ||
*/ | ||
process_buffer_measurement(payload, payload_len, | ||
keyring->description, KEY_CHECK, 0, | ||
keyring->description); | ||
} |
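Review bot: the fallback when queueing fails is undocumented. With `if (ima_should_queue_key()) queued = ima_queue_key(keyring, payload, payload_len);` followed by `if (queued) return;`, a key that arrives while queueing is required but is not successfully queued (ima_queue_key() returning false) drops straight through to process_buffer_measurement() and is measured against whatever policy is in force at that moment, silently, even though the queue exists precisely because the custom policy has not been loaded yet. Either state in a comment above the call that immediate measurement is the intended degraded behaviour, or log the failure so a verifier reading the measurement list can explain an unexpected early-boot KEY_CHECK entry. Minor: the kernel-doc line `@keyring: keyring to which the key is linked to` doubles the preposition; `keyring to which the key is linked` reads correctly, and the same wording recurs in the block comment before the call.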