Recreate integrity patches using a new kernel revision

Before open-sourcing these patches, a kernel revision different
from the one available upstream was used. This change recreates
the patches to use a valid revision.

Story: 2002964
Task: 22967

Change-Id: I424e928571ded42d2b768e1dbb1f87e8fb9aa847
Required-By: https://review.openstack.org/#/c/583016/
Signed-off-by: Erich Cordoba <erich.cordoba.malibran@intel.com>
Erich Cordoba 2018-07-16 13:43:21 -05:00
parent 67202ded0a
commit 5e66170a09
4 changed files with 97 additions and 59 deletions


@ -1,5 +1,5 @@
COPY_LIST=" \
$FILES_BASE/* \
$PATCHES_BASE/* \
$STX_BASE/downloads/integrity-kmod-668a8270.tar.gz"
$STX_BASE/downloads/integrity-kmod-e6aef069.tar.gz"
TIS_PATCH_VER=5


@ -22,7 +22,7 @@ ExclusiveArch: x86_64
# Sources.
# the integrity is available as a tarball, with
# the git commit Id referenced in the name
Source0: %{kmod_name}-kmod-668a8270.tar.gz
Source0: %{kmod_name}-kmod-e6aef069.tar.gz
Source1: modules-load.conf
Source2: COPYING
Source3: README


@ -497,7 +497,7 @@ index 106e855..f850ef7 100644
#endif
#ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
@@ -77,32 +77,43 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
@@ -77,39 +77,43 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
return -EOPNOTSUPP;
}
@ -507,6 +507,7 @@ index 106e855..f850ef7 100644
+int integrity_init_keyring(const unsigned int id)
{
const struct cred *cred = current_cred();
- struct key_restriction *restriction;
int err = 0;
- if (!init_keyring)
@ -515,27 +516,29 @@ index 106e855..f850ef7 100644
+ * the Kernel as a trusted keyring for which
+ * a search reference is available
+ */
+ keyring[id] = ima_keyring;
+ keyring[id] = ima_keyring;
return 0;
-
- restriction = kzalloc(sizeof(struct key_restriction), GFP_KERNEL);
- if (!restriction)
- return -ENOMEM;
-
- restriction->check = restrict_link_to_ima;
+ }
keyring[id] = keyring_alloc(keyring_name[id], KUIDT_INIT(0),
- KGIDT_INIT(0), cred,
- ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
- KEY_USR_VIEW | KEY_USR_READ |
- KEY_USR_WRITE | KEY_USR_SEARCH),
KGIDT_INIT(0), cred,
((KEY_POS_ALL & ~KEY_POS_SETATTR) |
KEY_USR_VIEW | KEY_USR_READ |
KEY_USR_WRITE | KEY_USR_SEARCH),
- KEY_ALLOC_NOT_IN_QUOTA,
- restrict_link_to_ima, NULL);
- restriction, NULL);
- if (IS_ERR(keyring[id])) {
+ KGIDT_INIT(0), cred,
+ ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
+ KEY_USR_VIEW | KEY_USR_READ |
+ KEY_USR_WRITE | KEY_USR_SEARCH),
+ KEY_ALLOC_NOT_IN_QUOTA, NULL);
+ KEY_ALLOC_NOT_IN_QUOTA, NULL);
+
+ if (!IS_ERR(keyring[id]))
+ if (!IS_ERR(keyring[id])) {
+ set_bit(KEY_FLAG_TRUSTED_ONLY, &keyring[id]->flags);
+ else {
+ } else {
err = PTR_ERR(keyring[id]);
pr_info("Can't allocate %s keyring (%d)\n",
keyring_name[id], err);
@ -1096,21 +1099,48 @@ diff --git a/ima/ima_policy.c b/ima/ima_policy.c
index aed47b7..dd52d98 100644
--- a/ima/ima_policy.c
+++ b/ima/ima_policy.c
@@ -92,9 +92,11 @@ static struct ima_rule_entry dont_measure_rules[] = {
{.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
{.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
@@ -85,7 +85,7 @@ struct ima_rule_entry {
* normal users can easily run the machine out of memory simply building
* and running executables.
*/
-static struct ima_rule_entry dont_measure_rules[] __ro_after_init = {
+static struct ima_rule_entry dont_measure_rules[] = {
{.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
{.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
{.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
@@ -96,10 +96,12 @@ static struct ima_rule_entry dont_measure_rules[] __ro_after_init = {
{.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
+#if ( LINUX_VERSION_CODE > KERNEL_VERSION(3,10,0) )
+ {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC},
+#endif
{.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC,
- .flags = IMA_FSMAGIC},
- {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}
+ .flags = IMA_FSMAGIC}
.flags = IMA_FSMAGIC},
+#if ( LINUX_VERSION_CODE > KERNEL_VERSION(3,10,0) )
{.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}
+#endif
};
static struct ima_rule_entry original_measurement_rules[] = {
@@ -132,7 +134,9 @@ static struct ima_rule_entry default_appraise_rules[] = {
-static struct ima_rule_entry original_measurement_rules[] __ro_after_init = {
+static struct ima_rule_entry original_measurement_rules[] = {
{.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
.flags = IMA_FUNC | IMA_MASK},
{.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
@@ -111,7 +113,7 @@ static struct ima_rule_entry original_measurement_rules[] __ro_after_init = {
{.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
};
-static struct ima_rule_entry default_measurement_rules[] __ro_after_init = {
+static struct ima_rule_entry default_measurement_rules[] = {
{.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
.flags = IMA_FUNC | IMA_MASK},
{.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
@@ -127,7 +129,7 @@ static struct ima_rule_entry default_measurement_rules[] __ro_after_init = {
{.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC},
};
-static struct ima_rule_entry default_appraise_rules[] __ro_after_init = {
+static struct ima_rule_entry default_appraise_rules[] = {
{.action = DONT_APPRAISE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
{.action = DONT_APPRAISE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
{.action = DONT_APPRAISE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
@@ -137,7 +139,9 @@ static struct ima_rule_entry default_appraise_rules[] __ro_after_init = {
{.action = DONT_APPRAISE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
{.action = DONT_APPRAISE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
{.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
@ -1120,8 +1150,8 @@ index aed47b7..dd52d98 100644
{.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC},
#ifdef CONFIG_IMA_WRITE_POLICY
{.action = APPRAISE, .func = POLICY_CHECK,
@@ -243,7 +247,11 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
if ((rule->flags & IMA_UID) && !uid_eq(rule->uid, cred->uid))
@@ -249,7 +253,11 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid))
return false;
if (rule->flags & IMA_EUID) {
+#if ( LINUX_VERSION_CODE > KERNEL_VERSION(3,10,0) )
@ -1129,38 +1159,51 @@ index aed47b7..dd52d98 100644
+#else
+ if (capable_wrt_inode_uidgid(inode, CAP_SETUID) || capable(CAP_SETUID)) {
+#endif
if (!uid_eq(rule->uid, cred->euid)
&& !uid_eq(rule->uid, cred->suid)
&& !uid_eq(rule->uid, cred->uid))
@@ -541,10 +549,26 @@ static int ima_lsm_rule_init(struct ima_rule_entry *entry,
if (!rule->uid_op(cred->euid, rule->uid)
&& !rule->uid_op(cred->suid, rule->uid)
&& !rule->uid_op(cred->uid, rule->uid))
@@ -556,16 +564,34 @@ static int ima_lsm_rule_init(struct ima_rule_entry *entry,
return result;
}
+static int ima_string_contains_hex(const char *string, size_t len)
+{
+ const unsigned char *p;
+ for (p = string; p < (const unsigned char *)string + len; p++) {
+ if (*p == '"' || *p < 0x21 || *p > 0x7e)
+ return 1;
+ }
+ return 0;
+ const unsigned char *p;
+ for (p = string; p < (const unsigned char *)string + len; p++) {
+ if (*p == '"' || *p < 0x21 || *p > 0x7e)
+ return 1;
+ }
+ return 0;
+}
+
+
static void ima_log_string(struct audit_buffer *ab, char *key, char *value)
static void ima_log_string_op(struct audit_buffer *ab, char *key, char *value,
bool (*rule_operator)(kuid_t, kuid_t))
{
- audit_log_format(ab, "%s=", key);
- if (rule_operator == &uid_gt)
- audit_log_format(ab, "%s>", key);
- else if (rule_operator == &uid_lt)
- audit_log_format(ab, "%s<", key);
- else
- audit_log_format(ab, "%s=", key);
- audit_log_untrustedstring(ab, value);
+ if (ima_string_contains_hex(value, strlen(value))) {
+ // value string contains hex. Convert to hex instead
+ audit_log_format(ab, "%s=(contains hex)%s", key, value);
+ }
+ else {
+ audit_log_format(ab, "%s=%s", key, value);
+ if (rule_operator == &uid_gt)
+ audit_log_format(ab, "%s>(contains hex)%s", key, value);
+ else if (rule_operator == &uid_lt)
+ audit_log_format(ab, "%s<(contains hex)%s", key, value);
+ else
+ audit_log_format(ab, "%s=(contains hex)%s", key, value);
+ } else {
+ if (rule_operator == &uid_gt)
+ audit_log_format(ab, "%s>", key);
+ else if (rule_operator == &uid_lt)
+ audit_log_format(ab, "%s<", key);
+ else
+ audit_log_format(ab, "%s=", key);
+ }
audit_log_format(ab, " ");
}
static void ima_log_string(struct audit_buffer *ab, char *key, char *value)
diff --git a/integrity.h b/integrity.h
index 24520b4..c13e61d 100644
--- a/integrity.h
@ -1183,11 +1226,7 @@ index 24520b4..c13e61d 100644
uint32_t keyid; /* IMA key identifier - not X509/PGP specific */
uint16_t sig_size; /* signature size */
uint8_t sig[0]; /* signature payload */
@@ -127,12 +129,11 @@ int __init integrity_read_file(const char *path, char **data);
#define INTEGRITY_KEYRING_MAX 3
#ifdef CONFIG_INTEGRITY_SIGNATURE
-
@@ -131,8 +133,8 @@ int __init integrity_read_file(const char *path, char **data);
int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
const char *digest, int digestlen);
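Review bot: In the reworked `ima_log_string_op` body (the `ima_policy.c` hunk of this section, lines following `} else {`), the non-hex branch emits only the key and operator (`"%s>"`, `"%s<"`, `"%s="`) and never logs `value`, whereas the earlier variant wrote `"%s=%s"` and upstream wrote `audit_log_untrustedstring(ab, value)`; if the old/new pairing I am reading off this rendered page is right, every clean rule value disappears from the audit record. The three calls in that branch should carry the value, e.g. `audit_log_format(ab, "%s=%s", key, value);` and the matching `"%s>%s"` / `"%s<%s"` forms. Separately, the `ima_string_contains_hex` path only prefixes `(contains hex)` and still prints the raw bytes through `%s`, so quotes and control characters reach the audit log unescaped, which is precisely what upstream's `audit_log_untrustedstring` hex-encoding prevents; keeping that call instead of the prefix would preserve audit-record integrity. Minor: in `ima_string_contains_hex`, `p = string` assigns a `const char *` to a `const unsigned char *` without the cast that the loop bound already uses.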


@ -24,19 +24,18 @@ diff --git a/ima/ima_appraise.c b/ima/ima_appraise.c
index 88b5091..cff2ad2 100644
--- a/ima/ima_appraise.c
+++ b/ima/ima_appraise.c
@@ -250,8 +250,11 @@ int ima_appraise_measurement(enum ima_hooks func,
if (rc <= 0) {
@@ -205,7 +208,11 @@ int ima_appraise_measurement(enum ima_hooks func,
if (rc && rc != -ENODATA)
goto out;
-
- cause = "missing-hash";
+
+ if (iint->flags & IMA_DIGSIG_REQUIRED)
+ cause = "missing-signature";
+ cause = "missing-signature";
+ else
+ cause = "missing-hash";
+
status = INTEGRITY_NOLABEL;
if (opened & FILE_CREATED) {
if (opened & FILE_CREATED)
iint->flags |= IMA_NEW_FILE;
@@ -352,7 +355,8 @@ void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file)
int rc = 0;