Eric Richter [Thu, 15 Jun 2017 21:02:52 +0000 (16:02 -0500)]
IMA: update IMA policy documentation to include pcr= option
Commit
0260643ce "ima: add policy support for extending different pcrs"
introduced a new IMA policy option "pcr=". Missing was the documentation
for this option. This patch updates ima_policy to include this option,
as well as an example.
Signed-off-by: Eric Richter <erichte@linux.vnet.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Thiago Jung Bauermann [Thu, 8 Jun 2017 01:49:12 +0000 (22:49 -0300)]
ima: Log the same audit cause whenever a file has no signature
If the file doesn't have an xattr, ima_appraise_measurement sets cause to
"missing-hash" while if there's an xattr but it's a digest instead of a
signature it sets cause to "IMA-signature-required".
Fix it by setting cause to "IMA-signature-required" in both cases.
Signed-off-by: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Thiago Jung Bauermann [Thu, 8 Jun 2017 01:49:11 +0000 (22:49 -0300)]
ima: Simplify policy_func_show.
If the func_tokens array uses the same indices as enum ima_hooks,
policy_func_show can be a lot simpler, and the func_* enum becomes
unnecessary.
Also, if we use the same macro trick used by kernel_read_file_id_str we can
use one hooks list for both the enum and the string array, making sure they
are always in sync (suggested by Mimi Zohar).
Finally, by using the printf pattern for the function token directly
instead of using the pt macro we can simplify policy_func_show even further
and avoid needing a temporary buffer.
Signed-off-by: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Thiago Jung Bauermann [Thu, 8 Jun 2017 01:49:10 +0000 (22:49 -0300)]
integrity: Small code improvements
These changes are too small to warrant their own patches:
The keyid and sig_size members of struct signature_v2_hdr are in BE format,
so use a type that makes this assumption explicit. Also, use beXX_to_cpu
instead of __beXX_to_cpu to read them.
Change integrity_kernel_read to take a void * buffer instead of char *
buffer, so that callers don't have to use a cast if they provide a buffer
that isn't a char *.
Add missing #endif comment in ima.h pointing out which macro it refers to.
Add missing fall through comment in ima_appraise.c.
Constify mask_tokens and func_tokens arrays.
Signed-off-by: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Roberto Sassu [Tue, 16 May 2017 12:53:47 +0000 (14:53 +0200)]
ima: fix get_binary_runtime_size()
Remove '+ 1' from 'size += strlen(entry->template_desc->name) + 1;',
as the template name is sent to userspace without the '\0' character.
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Roberto Sassu [Tue, 16 May 2017 12:53:43 +0000 (14:53 +0200)]
ima: use ima_parse_buf() to parse template data
The binary_field_data structure definition has been removed from
ima_restore_template_data(). The lengths and data pointers are directly
stored into the template_data array of the ima_template_entry structure.
For template data, both the number of fields and buffer end checks can
be done, as these information are known (respectively from the template
descriptor, and from the measurement header field).
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Roberto Sassu [Tue, 16 May 2017 12:53:42 +0000 (14:53 +0200)]
ima: use ima_parse_buf() to parse measurements headers
The binary_hdr_v1 and binary_data_v1 structures defined in
ima_restore_measurement_list() have been replaced with an array of four
ima_field_data structures where pcr, digest, template name and
template data lengths and pointers are stored.
The length of pcr and digest in the ima_field_data array and the bits
in the bitmap are set before ima_parse_buf() is called. The ENFORCE_FIELDS
bit is set for all entries except the last one (there is still data to
parse), and ENFORCE_BUFEND is set only for the last entry.
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Roberto Sassu [Tue, 16 May 2017 12:53:41 +0000 (14:53 +0200)]
ima: introduce ima_parse_buf()
ima_parse_buf() takes as input the buffer start and end pointers, and
stores the result in a static array of ima_field_data structures,
where the len field contains the length parsed from the buffer, and
the data field contains the address of the buffer just after the length.
Optionally, the function returns the current value of the buffer pointer
and the number of array elements written.
A bitmap has been added as parameter of ima_parse_buf() to handle
the cases where the length is not prepended to data. Each bit corresponds
to an element of the ima_field_data array. If a bit is set, the length
is not parsed from the buffer, but is read from the corresponding element
of the array (the length must be set before calling the function).
ima_parse_buf() can perform three checks upon request by callers,
depending on the enforce mask passed to it:
- ENFORCE_FIELDS: matching of number of fields (length-data combination)
- there must be enough data in the buffer to parse the number of fields
requested (output: current value of buffer pointer)
- ENFORCE_BUFEND: matching of buffer end
- the ima_field_data array must be large enough to contain lengths and
data pointers for the amount of data requested (output: number
of fields written)
- ENFORCE_FIELDS | ENFORCE_BUFEND: matching of both
Use cases
- measurement entry header: ENFORCE_FIELDS | ENFORCE_BUFEND
- four fields must be parsed: pcr, digest, template name, template data
- ENFORCE_BUFEND is enforced only for the last measurement entry
- template digest (Crypto Agile): ENFORCE_BUFEND
- since only the total template digest length is known, the function
parses length-data combinations until the buffer end is reached
- template data: ENFORCE_FIELDS | ENFORCE_BUFEND
- since the number of fields and the total template data length
are known, the function can perform both checks
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Laura Abbott [Tue, 9 May 2017 18:25:27 +0000 (11:25 -0700)]
ima: Add cgroups2 to the defaults list
cgroups2 is beginning to show up in wider usage. Add it to the default
nomeasure/noappraise list like other filesystems.
Signed-off-by: Laura Abbott <labbott@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Geliang Tang [Sat, 6 May 2017 15:40:18 +0000 (23:40 +0800)]
ima: use memdup_user_nul
Use memdup_user_nul() helper instead of open-coding to simplify the
code.
Signed-off-by: Geliang Tang <geliangtang@gmail.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Tycho Andersen [Fri, 5 May 2017 17:15:47 +0000 (11:15 -0600)]
ima: fix up #endif comments
While reading the code, I noticed that these #endif comments don't match
how they're actually nested. This patch fixes that.
Signed-off-by: Tycho Andersen <tycho@docker.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Ben Hutchings [Tue, 2 May 2017 18:27:00 +0000 (19:27 +0100)]
IMA: Correct Kconfig dependencies for hash selection
IMA uses the hash algorithm too early to be able to use a module.
Require the selected hash algorithm to be built-in.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Mimi Zohar [Tue, 25 Apr 2017 02:43:52 +0000 (22:43 -0400)]
ima: define is_ima_appraise_enabled()
Only return enabled if in enforcing mode, not fix or log modes.
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Changes:
- Define is_ima_appraise_enabled() as a bool (Thiago Bauermann)
Mimi Zohar [Tue, 25 Apr 2017 02:06:49 +0000 (22:06 -0400)]
ima: define Kconfig IMA_APPRAISE_BOOTPARAM option
Permit enabling the different "ima_appraise=" modes (eg. log, fix)
from the boot command line.
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Mimi Zohar [Fri, 21 Apr 2017 22:58:27 +0000 (18:58 -0400)]
ima: define a set of appraisal rules requiring file signatures
The builtin "ima_appraise_tcb" policy should require file signatures for
at least a few of the hooks (eg. kernel modules, firmware, and the kexec
kernel image), but changing it would break the existing userspace/kernel
ABI.
This patch defines a new builtin policy named "secure_boot", which
can be specified on the "ima_policy=" boot command line, independently
or in conjunction with the "ima_appraise_tcb" policy, by specifing
ima_policy="appraise_tcb | secure_boot". The new appraisal rules
requiring file signatures will be added prior to the "ima_appraise_tcb"
rules.
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Changelog:
- Reference secure boot in the new builtin policy name. (Thiago Bauermann)
Mimi Zohar [Mon, 24 Apr 2017 16:04:09 +0000 (12:04 -0400)]
ima: extend the "ima_policy" boot command line to support multiple policies
Add support for providing multiple builtin policies on the "ima_policy="
boot command line. Use "|" as the delimitor separating the policy names.
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
James Morris [Wed, 21 Jun 2017 01:30:20 +0000 (11:30 +1000)]
Merge branch 'smack-for-4.13' of git://github.com/cschaufler/smack-next into next
Gustavo A. R. Silva [Tue, 13 Jun 2017 19:55:42 +0000 (14:55 -0500)]
tpm/tpm_atmel: remove unnecessary NULL check
Remove unnecessary NULL check.
Pointer _chip_ cannot be NULL in this instance.
Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkine@linux.intel.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkine@linux.intel.com> (compilation)
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Andy Shevchenko [Mon, 12 Jun 2017 15:44:16 +0000 (18:44 +0300)]
tpm/st33zp24: Switch to devm_acpi_dev_add_driver_gpios()
Switch to use managed variant of acpi_dev_add_driver_gpios() to simplify
error path and fix potentially wrong assignment if ->probe() fails.
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkine@linux.intel.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkine@linux.intel.com> (compilation)
Signed-off-by: Jarkko Sakkinen <jarkko.sakkine@linux.intel.com>
Stefan Berger [Wed, 24 May 2017 21:39:41 +0000 (17:39 -0400)]
tpm: vtpm_proxy: Prevent userspace from sending driver command
To prevent userspace from sending the TPM driver command to set
the locality, we need to check every command that is sent from
user space. To distinguish user space commands from internally
sent commands we introduce an additional state flag
STATE_DRIVER_COMMAND that is set while the driver sends this
command. Similar to the TPM 2 space commands we return an error
code when this command is detected.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Stefan Berger [Wed, 24 May 2017 21:39:40 +0000 (17:39 -0400)]
tpm: vtpm_proxy: Implement request_locality function.
Implement the request_locality function. To set the locality on the
backend we define vendor-specific TPM 1.2 and TPM 2 ordinals and send
a command to the backend to set the locality for the next commands.
To avoid recursing into requesting the locality, we set the
TPM_TRANSMIT_RAW flag when calling tpm_transmit_cmd. To avoid recursing
into TPM 2 space related commands, we set the space parameter to NULL.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Stefan Berger [Wed, 24 May 2017 21:39:39 +0000 (17:39 -0400)]
tpm: Introduce flag TPM_TRANSMIT_RAW
Introduce the flag TPM_TRANSMIT_RAW that allows us to transmit
a command without recursing into the requesting of locality.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Stefan Berger [Thu, 25 May 2017 22:29:13 +0000 (18:29 -0400)]
tpm: vtpm_proxy: Suppress error logging when in closed state
Suppress the error logging when the core TPM driver sends commands
to the VTPM proxy driver and -EPIPE is returned in case the VTPM
proxy driver is 'closed' (closed anonymous file descriptor). This
error code is only returned by the send function and by tpm_transmit
when the VTPM proxy driver is being used.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Peter Huewe [Thu, 25 May 2017 05:43:05 +0000 (07:43 +0200)]
tpm, tpmrm: Mark tpmrm_write as static
sparse complains that tpmrm_write can be made static, and since it is
right we make it static.
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Jarkko Sakkinen [Wed, 24 May 2017 22:26:08 +0000 (15:26 -0700)]
tpm: remove struct tpm_pcrextend_in
Removed struct tpm_pcrextend_in as it is not used for anything anymore.
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Reviewed-by: Peter Huewe <peterhuewe@gmx.de>
Jarkko Sakkinen [Wed, 24 May 2017 21:29:16 +0000 (14:29 -0700)]
tpm, tpm_infineon: remove useless snprintf() calls
The memory copy from rodata to stack is useless.
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Reviewed-by: Peter Huewe <peterhuewe@gmx.de>
Jarkko Sakkinen [Sun, 7 May 2017 17:50:02 +0000 (20:50 +0300)]
tpm: fix byte order related arithmetic inconsistency in tpm_getcap()
You should not do arithmetic with __be32 or __le32 types because
sometimes it results incorrect results. Calculations must be done only
with integers that are in in the CPU byte order. This commit migrates
tpm_getcap() to struct tpm_buf in order to sort out these issues.
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Reviewed-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Bryan Freed [Mon, 22 May 2017 09:20:11 +0000 (11:20 +0200)]
tpm: Apply a sane minimum adapterlimit value for retransmission.
When the I2C Infineon part is attached to an I2C adapter that imposes
a size limitation, large requests will fail with -EOPNOTSUPP. Retry
them with a sane minimum size without re-issuing the 0x05 command
as this appears to occasionally put the TPM in a bad state.
Signed-off-by: Bryan Freed <bfreed@chromium.org>
[rework the patch to adapt to the feedback received]
Signed-off-by: Enric Balletbo i Serra <enric.balletbo@collabora.com>
Acked-by: Andrew Lunn <andrew@lunn.ch>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Jason Gunthorpe [Thu, 4 May 2017 15:53:25 +0000 (09:53 -0600)]
tpm_tis: Consolidate the platform and acpi probe flow
Now that the platform device was merged for OF support we can use the
platform device to match ACPI devices as well and run everything
through tpm_tis_init.
pnp_acpi_device is replaced with ACPI_COMPANION, and ACPI_HANDLE is
pushed further down.
platform_get_resource is used instead of acpi_dev_get_resources.
The itpm global module parameter is no longer changed during itpm
detection, instead the phy specific bit is set directly.
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Jerry Snitselaar <jsnitsel@redhat.com> (with TPM 2.0)
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> (with TPM 1.2)
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Jason Gunthorpe [Thu, 4 May 2017 15:53:24 +0000 (09:53 -0600)]
tpm_tis: Use platform_get_irq
Replace the open coded IORESOURCE_IRQ with platform_get_irq, which
supports more cases.
Fixes:
00194826e6be ("tpm_tis: Clean up the force=1 module parameter")
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Jerry Snitselaar <jsnitsel@redhat.com> (with TPM 2.0)
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> (with TPM 1.2)
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Jason Gunthorpe [Thu, 4 May 2017 15:53:23 +0000 (09:53 -0600)]
tpm_tis: Fix IRQ autoprobing when using platform_device
The test was backwards, triggering IRQ autoprobing if the firmware
did not specify an IRQ, instead of triggering it only when the
module force parameter was specified.
Since autoprobing is not enabled on !x86 and the platform device is
currently only used on !x86, or with force, this has gone unnoticed.
Fixes:
00194826e6be ("tpm_tis: Clean up the force=1 module parameter")
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Jerry Snitselaar <jsnitsel@redhat.com> (with TPM 2.0)
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> (with TPM 1.2)
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Roberto Sassu [Thu, 4 May 2017 11:16:47 +0000 (13:16 +0200)]
tpm: move TPM 1.2 code of tpm_pcr_extend() to tpm1_pcr_extend()
In preparation of the modifications to tpm_pcr_extend(), which will
allow callers to supply a digest for each PCR bank of a TPM 2.0,
the TPM 1.2 specific code has been moved to tpm1_pcr_extend().
tpm1_pcr_extend() uses tpm_buf_init() to prepare the command buffer,
which offers protection against buffer overflow. It is called by
tpm_pcr_extend() and tpm_pm_suspend().
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Roberto Sassu [Wed, 3 May 2017 16:19:10 +0000 (18:19 +0200)]
tpm: move endianness conversion of ordinals to tpm_input_header
Move CPU native value to big-endian conversion of ordinals to the
tpm_input_header declarations.
With the previous and this patch it will now be possible to modify TPM 1.2
functions to use tpm_buf_init(), which expects CPU native value for the
tag and ordinal arguments.
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Roberto Sassu [Wed, 3 May 2017 16:19:09 +0000 (18:19 +0200)]
tpm: move endianness conversion of TPM_TAG_RQU_COMMAND to tpm_input_header
In the long term, TPM 1.2 functions in the driver interface will be
modified to use tpm_buf_init().
However, tag and ordinals cannot be passed directly to tpm_buf_init(),
because this function performs CPU native to big-endian conversion of these
arguments. Since TPM_TAG_RQU_COMMAND and TPM_ORD_ are already converted,
passing them to the function will undo the previous conversion.
This patch moves the conversion of TPM_TAG_RQU_COMMAND from the tpm.h
header file in the driver directory to the tpm_input_header declarations
in the driver interface and tpm-sysfs.c.
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
John Johansen [Sat, 10 Jun 2017 00:25:03 +0000 (17:25 -0700)]
apparmor: export that basic profile namespaces are supported
Allow userspace to detect that basic profile policy namespaces are
available.
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Sat, 10 Jun 2017 00:22:50 +0000 (17:22 -0700)]
apparmor: add stacked domain labels interface
Update the user interface to support the stacked change_profile transition.
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Sat, 10 Jun 2017 00:11:17 +0000 (17:11 -0700)]
apparmor: add domain label stacking info to apparmorfs
Now that the domain label transition is complete advertise it to
userspace.
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Sat, 10 Jun 2017 00:07:58 +0000 (17:07 -0700)]
apparmor: move change_profile mediation to using labels
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Sat, 10 Jun 2017 00:01:43 +0000 (17:01 -0700)]
apparmor: move change_hat mediation to using labels
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Fri, 9 Jun 2017 23:55:04 +0000 (16:55 -0700)]
apparmor: move exec domain mediation to using labels
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Sat, 10 Jun 2017 00:29:12 +0000 (17:29 -0700)]
apparmor: support v7 transition format compatible with label_parse
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Sat, 10 Jun 2017 00:15:56 +0000 (17:15 -0700)]
apparmor: mediate files when they are received
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Fri, 9 Jun 2017 23:19:02 +0000 (16:19 -0700)]
apparmor: rework file permission to cache file access in file->ctx
This is a temporary step, towards using the file->ctx for delegation,
and also helps speed up file queries, until the permission lookup
cache is introduced.
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Fri, 9 Jun 2017 23:06:21 +0000 (16:06 -0700)]
apparmor: move path_link mediation to using labels
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Fri, 9 Jun 2017 23:02:25 +0000 (16:02 -0700)]
apparmor: refactor path name lookup and permission checks around labels
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Fri, 9 Jun 2017 22:48:20 +0000 (15:48 -0700)]
apparmor: update aa_audit_file() to use labels
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Fri, 9 Jun 2017 21:59:51 +0000 (14:59 -0700)]
apparmor: move aa_file_perm() to use labels
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Fri, 9 Jun 2017 21:38:35 +0000 (14:38 -0700)]
apparmor: allow ptrace checks to be finer grained than just capability
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Fri, 9 Jun 2017 21:22:14 +0000 (14:22 -0700)]
apparmor: move ptrace checks to using labels
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Fri, 9 Jun 2017 21:23:09 +0000 (14:23 -0700)]
apparmor: add cross check permission helper macros
The cross check permission helper macros will help simplify code
that does cross task permission checks like ptrace.
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Fri, 9 Jun 2017 21:15:20 +0000 (14:15 -0700)]
apparmor: move resource checks to using labels
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Fri, 9 Jun 2017 21:07:02 +0000 (14:07 -0700)]
apparmor: move capability checks to using labels
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Fri, 9 Jun 2017 20:55:38 +0000 (13:55 -0700)]
apparmor: update query interface to support label queries
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Fri, 9 Jun 2017 19:47:17 +0000 (12:47 -0700)]
apparmor: switch getprocattr to using label_print fns()
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Fri, 9 Jun 2017 15:14:28 +0000 (08:14 -0700)]
apparmor: switch from profiles to using labels on contexts
Begin the actual switch to using domain labels by storing them on
the context and converting the label to a singular profile where
possible.
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Fri, 9 Jun 2017 13:19:19 +0000 (06:19 -0700)]
apparmor: add the base fns() for domain labels
Begin moving apparmor to using broader domain labels, that will allow
run time computation of domain type splitting via "stacking" of
profiles into a domain label vec.
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Fri, 9 Jun 2017 18:58:42 +0000 (11:58 -0700)]
apparmor: revalidate files during exec
Instead of running file revalidation lazily when read/write are called
copy selinux and revalidate the file table on exec. This avoids
extra mediation overhead in read/write and also prevents file handles
being passed through to a grand child unchecked.
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Fri, 9 Jun 2017 18:43:45 +0000 (11:43 -0700)]
apparmor: cleanup rename XXX_file_context() to XXX_file_ctx()
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Fri, 9 Jun 2017 18:36:48 +0000 (11:36 -0700)]
apparmor: convert aa_change_XXX bool parameters to flags
Instead of passing multiple booleans consolidate on a single flags
field.
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Fri, 9 Jun 2017 14:24:18 +0000 (07:24 -0700)]
apparmor: cleanup remove unused and not fully implemented profile rename
Remove the partially implemented code, until this can be properly
implemented.
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Fri, 9 Jun 2017 14:16:46 +0000 (07:16 -0700)]
apparmor: refactor updating profiles to the newest parent
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Fri, 9 Jun 2017 14:09:05 +0000 (07:09 -0700)]
apparmor: share profile name on replacement
The profile names are the same, leverage this.
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Fri, 9 Jun 2017 09:08:28 +0000 (02:08 -0700)]
apparmor: convert to profile block critical sections
There are still a few places where profile replacement fails to update
and a stale profile is used for mediation. Fix this by moving to
accessing the current label through a critical section that will
always ensure mediation is using the current label regardless of
whether the tasks cred has been updated or not.
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Fri, 9 Jun 2017 12:27:50 +0000 (05:27 -0700)]
apparmor: move bprm_committing_creds/committed_creds to lsm.c
There is no reason to have the small stubs that don't use domain
private functions in domain.c, instead move them to lsm.c and make
them static.
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Fri, 9 Jun 2017 09:11:29 +0000 (02:11 -0700)]
apparmor: fix display of ns name
The ns name being displayed should go through an ns view lookup.
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Fri, 9 Jun 2017 09:28:19 +0000 (02:28 -0700)]
apparmor: fix apparmor_query data
The data being queried isn't always the current profile and a lookup
relative to the current profile should be done.
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Sun, 4 Jun 2017 19:22:22 +0000 (12:22 -0700)]
apparmor: fix policy load/remove semantics
The namespace being passed into the replace/remove profiles fns() is
not the view, but the namespace specified by the inode from the
file hook (if present) or the loading tasks ns, if accessing the
top level virtualized load/replace file interface.
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Sat, 3 Jun 2017 00:44:27 +0000 (17:44 -0700)]
apparmor: add namespace lookup fns()
Currently lookups are restricted to a single ns component in the
path. However when namespaces are allowed to have separate views, and
scopes this will not be sufficient, as it will be possible to have
a multiple component ns path in scope.
Add some ns lookup fns() to allow this and use them.
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Fri, 2 Jun 2017 20:50:22 +0000 (13:50 -0700)]
apparmor: cleanup __find_child()
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Thu, 30 Mar 2017 12:25:23 +0000 (05:25 -0700)]
apparmor: provide information about path buffer size at boot
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Sat, 27 May 2017 01:35:29 +0000 (18:35 -0700)]
apparmor: add profile permission query ability
Allow userspace to query a profile about permissions, through the
transaction interface that is already used to allow userspace to
query about key,value data.
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Mon, 29 May 2017 19:19:39 +0000 (12:19 -0700)]
apparmor: switch from file_perms to aa_perms
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Mon, 29 May 2017 19:16:04 +0000 (12:16 -0700)]
apparmor: add gerneric permissions struct and support fns
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Mon, 29 May 2017 18:45:29 +0000 (11:45 -0700)]
apparmor: add fn to test if profile supports a given mediation class
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Sat, 27 May 2017 00:23:23 +0000 (17:23 -0700)]
apparmor: speed up transactional queries
The simple_transaction interface is slow. It requires 4 syscalls
(open, write, read, close) per query and shares a single lock for each
queries.
So replace its use with a compatible in multi_transaction interface.
It allows for a faster 2 syscall pattern per query. After an initial
open, an arbitrary number of writes and reads can be issued. Each
write will reset the query with new data that can be read. Reads do
not clear the data, and can be issued multiple times, and used with
seek, until a new write is performed which will reset the data
available and the seek position.
Note: this keeps the single lock design, if needed moving to a per
file lock will have to come later.
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Sat, 27 May 2017 01:49:04 +0000 (18:49 -0700)]
apparmor: add label data availability to the feature set
gsettings mediation needs to be able to determine if apparmor supports
label data queries. A label data query can be done to test for support
but its failure is indistinguishable from other failures, making it an
unreliable indicator.
Fix by making support of label data queries available as a flag in the
apparmorfs features dir tree.
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Fri, 26 May 2017 23:45:48 +0000 (16:45 -0700)]
apparmor: add mkdir/rmdir interface to manage policy namespaces
When setting up namespaces for containers its easier for them to use
an fs interface to create the namespace for the containers
policy. Allow mkdir/rmdir under the policy/namespaces/ dir to be used
to create and remove namespaces.
BugLink: http://bugs.launchpad.net/bugs/1611078
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Fri, 26 May 2017 23:27:58 +0000 (16:27 -0700)]
apparmor: add policy revision file interface
Add a policy revision file to find the current revision of a ns's policy.
There is a revision file per ns, as well as a virtualized global revision
file in the base apparmor fs directory. The global revision file when
opened will provide the revision of the opening task namespace.
The revision file can be waited on via select/poll to detect apparmor
policy changes from the last read revision of the opened file. This
means that the revision file must be read after the select/poll other
wise update data will remain ready for reading.
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Fri, 26 May 2017 08:45:08 +0000 (01:45 -0700)]
apparmor: provide finer control over policy management
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Fri, 26 May 2017 22:07:22 +0000 (15:07 -0700)]
apparmor: rework perm mapping to a slightly broader set
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Fri, 26 May 2017 08:57:09 +0000 (01:57 -0700)]
apparmor: move permissions into their own file to be more easily shared
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Thu, 25 May 2017 13:35:38 +0000 (06:35 -0700)]
apparmor: convert from securityfs to apparmorfs for policy ns files
Virtualize the apparmor policy/ directory so that the current
namespace affects what part of policy is seen. To do this convert to
using apparmorfs for policy namespace files and setup a magic symlink
in the securityfs apparmor dir to access those files.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
John Johansen [Thu, 25 May 2017 13:31:46 +0000 (06:31 -0700)]
apparmor: allow specifying an already created dir to create ns entries in
Signed-off-by: John Johansen <john.johansen@canonical.com>
Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
John Johansen [Thu, 25 May 2017 13:23:42 +0000 (06:23 -0700)]
apparmor: rename apparmor file fns and data to indicate use
prefixes are used for fns/data that are not static to apparmorfs.c
with the prefixes being
aafs - special magic apparmorfs for policy namespace data
aa_sfs - for fns/data that go into securityfs
aa_fs - for fns/data that may be used in the either of aafs or
securityfs
Signed-off-by: John Johansen <john.johansen@canonical.com>
Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
John Johansen [Thu, 25 May 2017 12:52:56 +0000 (05:52 -0700)]
apparmor: add custom apparmorfs that will be used by policy namespace files
AppArmor policy needs to be able to be resolved based on the policy
namespace a task is confined by. Add a base apparmorfs filesystem that
(like nsfs) will exist as a kern mount and be accessed via jump_link
through a securityfs file.
Setup the base apparmorfs fns and data, but don't use it yet.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
John Johansen [Thu, 25 May 2017 14:27:35 +0000 (07:27 -0700)]
apparmor: use macro template to simplify namespace seq_files
Signed-off-by: John Johansen <john.johansen@canonical.com>
Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
John Johansen [Thu, 25 May 2017 11:35:09 +0000 (04:35 -0700)]
apparmor: use macro template to simplify profile seq_files
Signed-off-by: John Johansen <john.johansen@canonical.com>
Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
John Johansen [Tue, 9 May 2017 07:08:41 +0000 (00:08 -0700)]
apparmor: move to per loaddata files, instead of replicating in profiles
The loaddata sets cover more than just a single profile and should
be tracked at the ns level. Move the load data files under the namespace
and reference the files from the profiles via a symlink.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
John Johansen [Sun, 7 May 2017 12:53:37 +0000 (05:53 -0700)]
securityfs: add the ability to support symlinks
Signed-off-by: John Johansen <john.johansen@canonical.com>
Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Kees Cook <keescook@chromium.org>
John Johansen [Tue, 23 May 2017 10:25:14 +0000 (03:25 -0700)]
apparmor: Move path lookup to using preallocated buffers
Dynamically allocating buffers is problematic and is an extra layer
that is a potntial point of failure and can slow down mediation.
Change path lookup to use the preallocated per cpu buffers.
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Mon, 22 May 2017 10:06:52 +0000 (03:06 -0700)]
apparmor: allow profiles to provide info to disconnected paths
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Mon, 22 May 2017 09:47:22 +0000 (02:47 -0700)]
apparmor: make internal lib fn skipn_spaces available to the rest of apparmor
Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen [Mon, 22 May 2017 00:15:28 +0000 (17:15 -0700)]
apparmor: move file context into file.h
Signed-off-by: John Johansen <john.johansen@canonical.com>
Thomas Schneider [Fri, 14 Oct 2016 19:29:49 +0000 (21:29 +0200)]
security/apparmor: Use POSIX-compatible "printf '%s'"
When using a strictly POSIX-compliant shell, "-n #define ..." gets
written into the file. Use "printf '%s'" to avoid this.
Signed-off-by: Thomas Schneider <qsx@qsx.re>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Dan Carpenter [Tue, 23 May 2017 14:33:46 +0000 (17:33 +0300)]
apparmor: Fix error cod in __aa_fs_profile_mkdir()
We can either return PTR_ERR(NULL) or a PTR_ERR(a valid pointer) here.
Returning NULL is probably not good, but since this happens at boot
then we are probably already toasted if we were to hit this bug in real
life. In other words, it seems like a very low severity bug to me.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Markus Elfring [Sun, 7 May 2017 11:50:28 +0000 (13:50 +0200)]
apparmorfs: Use seq_putc() in two functions
Two single characters (line breaks) should be put into a sequence.
Thus use the corresponding function "seq_putc".
This issue was detected by using the Coccinelle software.
Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Markus Elfring [Sun, 7 May 2017 11:43:50 +0000 (13:43 +0200)]
apparmorfs: Combine two function calls into one in aa_fs_seq_raw_abi_show()
A bit of data was put into a sequence by two separate function calls.
Print the same data by a single function call instead.
Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Casey Schaufler [Wed, 31 May 2017 20:23:41 +0000 (13:23 -0700)]
Smack: Use cap_capable in privilege check
Use cap_capable() rather than capable() in the Smack privilege
check as the former does not invoke other security module
privilege check, while the later does. This becomes important
when stacking. It may be a problem even with minor modules.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Casey Schaufler [Wed, 31 May 2017 15:53:42 +0000 (08:53 -0700)]
Smack: Safer check for a socket in file_receive
The check of S_ISSOCK() in smack_file_receive() is not
appropriate if the passed descriptor is a socket.
Reported-by: Stephen Smalley <sds@tyco.nsa.gov>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Florian Westphal [Fri, 21 Apr 2017 09:49:08 +0000 (11:49 +0200)]
smack: use pernet operations for hook registration
It will allow us to remove the old netfilter hook api in the near future.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>