Commit d643a990 authored by Linus Torvalds's avatar Linus Torvalds
Pull IMA updates from Mimi Zohar:
 "New is IMA support for measuring kernel critical data, as per usual
  based on policy. The first example measures the in memory SELinux
  policy. The second example measures the kernel version.

  In addition are four bug fixes to address memory leaks and a missing
  'static' function declaration"

* tag 'integrity-v5.12' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
  integrity: Make function integrity_add_key() static
  ima: Free IMA measurement buffer after kexec syscall
  ima: Free IMA measurement buffer on error
  IMA: Measure kernel version in early boot
  selinux: include a consumer of the new IMA critical data hook
  IMA: define a builtin critical data measurement policy
  IMA: extend critical data hook to limit the measurement based on a label
  IMA: limit critical data measurement based on a label
  IMA: add policy rule to measure critical data
  IMA: define a hook to measure kernel integrity critical data
  IMA: add support to measure buffer data hash
  IMA: generalize keyring specific measurement constructs
  evm: Fix memleak in init_desc
parents 23b6ba45 f6692213
+4 −1
@@ -32,7 +32,7 @@ Description:
			func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK]MODULE_CHECK]
			        [FIRMWARE_CHECK]
				[KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
				[KEXEC_CMDLINE] [KEY_CHECK]
				[KEXEC_CMDLINE] [KEY_CHECK] [CRITICAL_DATA]
			mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
			       [[^]MAY_EXEC]
			fsmagic:= hex value
@@ -52,6 +52,9 @@ Description:
			template:= name of a defined IMA template type
			(eg, ima-ng). Only valid when action is "measure".
			pcr:= decimal value
			label:= [selinux]|[kernel_info]|[data_label]
			data_label:= a unique string used for grouping and limiting critical data.
			For example, "selinux" to measure critical data for SELinux.

		  default policy:
			# PROC_SUPER_MAGIC
+4 −1
@@ -1747,7 +1747,7 @@
	ima_policy=	[IMA]
			The builtin policies to load during IMA setup.
			Format: "tcb | appraise_tcb | secure_boot |
				 fail_securely"
				 fail_securely | critical_data"

			The "tcb" policy measures all programs exec'd, files
			mmap'd for exec, and all files opened with the read
@@ -1766,6 +1766,9 @@
			filesystems with the SB_I_UNVERIFIABLE_SIGNATURE
			flag.

			The "critical_data" policy measures kernel integrity
			critical data.

	ima_tcb		[IMA] Deprecated.  Use ima_policy= instead.
			Load a policy which meets the needs of the Trusted
			Computing Base.  This means IMA will measure all
+10 −0
@@ -31,6 +31,10 @@ extern void ima_post_path_mknod(struct dentry *dentry);
extern int ima_file_hash(struct file *file, char *buf, size_t buf_size);
extern int ima_inode_hash(struct inode *inode, char *buf, size_t buf_size);
extern void ima_kexec_cmdline(int kernel_fd, const void *buf, int size);
extern void ima_measure_critical_data(const char *event_label,
				      const char *event_name,
				      const void *buf, size_t buf_len,
				      bool hash);

#ifdef CONFIG_IMA_APPRAISE_BOOTPARAM
extern void ima_appraise_parse_cmdline(void);
@@ -128,6 +132,12 @@ static inline int ima_inode_hash(struct inode *inode, char *buf, size_t buf_size
}

static inline void ima_kexec_cmdline(int kernel_fd, const void *buf, int size) {}

static inline void ima_measure_critical_data(const char *event_label,
					     const char *event_name,
					     const void *buf, size_t buf_len,
					     bool hash) {}

#endif /* CONFIG_IMA */

#ifndef CONFIG_IMA_KEXEC
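Review bot: The new `ima_measure_critical_data()` prototype in the first hunk carries no kernel-doc, so a caller reading the header cannot tell what `event_label` must match or what the `hash` flag selects. Since the policy rules added by this series gate the measurement on the label (the ABI text in this same commit lists `label:= [selinux]|[kernel_info]|[data_label]`), the label is effectively part of the security contract and is worth stating at the declaration rather than leaving to the implementation. I would add a kernel-doc block above the `extern` describing `event_label` as the policy label the measurement is limited by, `event_name` as the per-event name recorded in the measurement list, `buf`/`buf_len` as the data being measured, and `hash` as — presumably — whether the buffer's hash rather than the raw data is recorded, the last point to be confirmed against the implementation, which is not in this page. The `!CONFIG_IMA` stub in the second hunk is a correct no-op and needs nothing further.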
+5 −0
@@ -300,6 +300,11 @@ struct kimage {
	/* Information for loading purgatory */
	struct purgatory_info purgatory_info;
#endif

#ifdef CONFIG_IMA_KEXEC
	/* Virtual address of IMA measurement buffer for kexec syscall */
	void *ima_buffer;
#endif
};

/* kexec interface functions */
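Review bot: The comment on the new `ima_buffer` field says what the pointer is but not who owns it, and ownership is the detail a reader of `struct kimage` actually needs: the matching release is the `vfree()` added to `kimage_file_post_load_cleanup()` in the kexec_file.c hunk of this same commit, while the allocation happens on the IMA side and is not visible here. I would extend the comment to `/* IMA measurement buffer for kexec syscall (vmalloc'd); freed by kimage_file_post_load_cleanup() */` so the lifetime is evident without tracing the call path. The `struct kimage` definition starts before this hunk.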
+5 −0
@@ -166,6 +166,11 @@ void kimage_file_post_load_cleanup(struct kimage *image)
	vfree(pi->sechdrs);
	pi->sechdrs = NULL;

#ifdef CONFIG_IMA_KEXEC
	vfree(image->ima_buffer);
	image->ima_buffer = NULL;
#endif /* CONFIG_IMA_KEXEC */

	/* See if architecture has anything to cleanup post load */
	arch_kimage_file_post_load_cleanup(image);
