Recreate integrity patches using a new kernel revision

Before these patches were open-sourced, a kernel revision different
from the one available upstream was used. This change recreates
the patches to use a valid revision.

Story: 2002964
Task: 22967

Change-Id: I424e928571ded42d2b768e1dbb1f87e8fb9aa847
Required-By: https://review.openstack.org/#/c/583016/
Signed-off-by: Erich Cordoba <erich.cordoba.malibran@intel.com>
Erich Cordoba 2018-07-16 13:43:21 -05:00
parent 67202ded0a
commit 5e66170a09
4 changed files with 97 additions and 59 deletions


@ -1,5 +1,5 @@
COPY_LIST=" \ COPY_LIST=" \
$FILES_BASE/* \ $FILES_BASE/* \
$PATCHES_BASE/* \ $PATCHES_BASE/* \
$STX_BASE/downloads/integrity-kmod-668a8270.tar.gz" $STX_BASE/downloads/integrity-kmod-e6aef069.tar.gz"
TIS_PATCH_VER=5 TIS_PATCH_VER=5


@ -22,7 +22,7 @@ ExclusiveArch: x86_64
# Sources. # Sources.
# the integrity is available as a tarball, with # the integrity is available as a tarball, with
# the git commit Id referenced in the name # the git commit Id referenced in the name
Source0: %{kmod_name}-kmod-668a8270.tar.gz Source0: %{kmod_name}-kmod-e6aef069.tar.gz
Source1: modules-load.conf Source1: modules-load.conf
Source2: COPYING Source2: COPYING
Source3: README Source3: README


@ -497,7 +497,7 @@ index 106e855..f850ef7 100644
#endif #endif
#ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY #ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
@@ -77,32 +77,43 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, @@ -77,39 +77,43 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
return -EOPNOTSUPP; return -EOPNOTSUPP;
} }
@ -507,6 +507,7 @@ index 106e855..f850ef7 100644
+int integrity_init_keyring(const unsigned int id) +int integrity_init_keyring(const unsigned int id)
{ {
const struct cred *cred = current_cred(); const struct cred *cred = current_cred();
- struct key_restriction *restriction;
int err = 0; int err = 0;
- if (!init_keyring) - if (!init_keyring)
@ -515,27 +516,29 @@ index 106e855..f850ef7 100644
+ * the Kernel as a trusted keyring for which + * the Kernel as a trusted keyring for which
+ * a search reference is available + * a search reference is available
+ */ + */
+ keyring[id] = ima_keyring; + keyring[id] = ima_keyring;
return 0; return 0;
-
- restriction = kzalloc(sizeof(struct key_restriction), GFP_KERNEL);
- if (!restriction)
- return -ENOMEM;
-
- restriction->check = restrict_link_to_ima;
+ } + }
keyring[id] = keyring_alloc(keyring_name[id], KUIDT_INIT(0), keyring[id] = keyring_alloc(keyring_name[id], KUIDT_INIT(0),
- KGIDT_INIT(0), cred, KGIDT_INIT(0), cred,
- ((KEY_POS_ALL & ~KEY_POS_SETATTR) | ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
- KEY_USR_VIEW | KEY_USR_READ | KEY_USR_VIEW | KEY_USR_READ |
- KEY_USR_WRITE | KEY_USR_SEARCH), KEY_USR_WRITE | KEY_USR_SEARCH),
- KEY_ALLOC_NOT_IN_QUOTA, - KEY_ALLOC_NOT_IN_QUOTA,
- restrict_link_to_ima, NULL); - restriction, NULL);
- if (IS_ERR(keyring[id])) { - if (IS_ERR(keyring[id])) {
+ KGIDT_INIT(0), cred, + KEY_ALLOC_NOT_IN_QUOTA, NULL);
+ ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
+ KEY_USR_VIEW | KEY_USR_READ |
+ KEY_USR_WRITE | KEY_USR_SEARCH),
+ KEY_ALLOC_NOT_IN_QUOTA, NULL);
+ +
+ if (!IS_ERR(keyring[id])) + if (!IS_ERR(keyring[id])) {
+ set_bit(KEY_FLAG_TRUSTED_ONLY, &keyring[id]->flags); + set_bit(KEY_FLAG_TRUSTED_ONLY, &keyring[id]->flags);
+ else { + } else {
err = PTR_ERR(keyring[id]); err = PTR_ERR(keyring[id]);
pr_info("Can't allocate %s keyring (%d)\n", pr_info("Can't allocate %s keyring (%d)\n",
keyring_name[id], err); keyring_name[id], err);
@ -1096,21 +1099,48 @@ diff --git a/ima/ima_policy.c b/ima/ima_policy.c
index aed47b7..dd52d98 100644 index aed47b7..dd52d98 100644
--- a/ima/ima_policy.c --- a/ima/ima_policy.c
+++ b/ima/ima_policy.c +++ b/ima/ima_policy.c
@@ -92,9 +92,11 @@ static struct ima_rule_entry dont_measure_rules[] = { @@ -85,7 +85,7 @@ struct ima_rule_entry {
{.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC}, * normal users can easily run the machine out of memory simply building
{.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC}, * and running executables.
*/
-static struct ima_rule_entry dont_measure_rules[] __ro_after_init = {
+static struct ima_rule_entry dont_measure_rules[] = {
{.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
{.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
{.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
@@ -96,10 +96,12 @@ static struct ima_rule_entry dont_measure_rules[] __ro_after_init = {
{.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC}, {.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
+#if ( LINUX_VERSION_CODE > KERNEL_VERSION(3,10,0) )
+ {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC},
+#endif
{.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC, {.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC,
- .flags = IMA_FSMAGIC}, .flags = IMA_FSMAGIC},
- {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC} +#if ( LINUX_VERSION_CODE > KERNEL_VERSION(3,10,0) )
+ .flags = IMA_FSMAGIC} {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}
+#endif
}; };
static struct ima_rule_entry original_measurement_rules[] = { -static struct ima_rule_entry original_measurement_rules[] __ro_after_init = {
@@ -132,7 +134,9 @@ static struct ima_rule_entry default_appraise_rules[] = { +static struct ima_rule_entry original_measurement_rules[] = {
{.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
.flags = IMA_FUNC | IMA_MASK},
{.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
@@ -111,7 +113,7 @@ static struct ima_rule_entry original_measurement_rules[] __ro_after_init = {
{.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
};
-static struct ima_rule_entry default_measurement_rules[] __ro_after_init = {
+static struct ima_rule_entry default_measurement_rules[] = {
{.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
.flags = IMA_FUNC | IMA_MASK},
{.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
@@ -127,7 +129,7 @@ static struct ima_rule_entry default_measurement_rules[] __ro_after_init = {
{.action = MEASURE, .func = POLICY_CHECK, .flags = IMA_FUNC},
};
-static struct ima_rule_entry default_appraise_rules[] __ro_after_init = {
+static struct ima_rule_entry default_appraise_rules[] = {
{.action = DONT_APPRAISE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
{.action = DONT_APPRAISE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
{.action = DONT_APPRAISE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
@@ -137,7 +139,9 @@ static struct ima_rule_entry default_appraise_rules[] __ro_after_init = {
{.action = DONT_APPRAISE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC}, {.action = DONT_APPRAISE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
{.action = DONT_APPRAISE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC}, {.action = DONT_APPRAISE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
{.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC}, {.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
@ -1120,8 +1150,8 @@ index aed47b7..dd52d98 100644
{.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC}, {.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC},
#ifdef CONFIG_IMA_WRITE_POLICY #ifdef CONFIG_IMA_WRITE_POLICY
{.action = APPRAISE, .func = POLICY_CHECK, {.action = APPRAISE, .func = POLICY_CHECK,
@@ -243,7 +247,11 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode, @@ -249,7 +253,11 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
if ((rule->flags & IMA_UID) && !uid_eq(rule->uid, cred->uid)) if ((rule->flags & IMA_UID) && !rule->uid_op(cred->uid, rule->uid))
return false; return false;
if (rule->flags & IMA_EUID) { if (rule->flags & IMA_EUID) {
+#if ( LINUX_VERSION_CODE > KERNEL_VERSION(3,10,0) ) +#if ( LINUX_VERSION_CODE > KERNEL_VERSION(3,10,0) )
@ -1129,38 +1159,51 @@ index aed47b7..dd52d98 100644
+#else +#else
+ if (capable_wrt_inode_uidgid(inode, CAP_SETUID) || capable(CAP_SETUID)) { + if (capable_wrt_inode_uidgid(inode, CAP_SETUID) || capable(CAP_SETUID)) {
+#endif +#endif
if (!uid_eq(rule->uid, cred->euid) if (!rule->uid_op(cred->euid, rule->uid)
&& !uid_eq(rule->uid, cred->suid) && !rule->uid_op(cred->suid, rule->uid)
&& !uid_eq(rule->uid, cred->uid)) && !rule->uid_op(cred->uid, rule->uid))
@@ -541,10 +549,26 @@ static int ima_lsm_rule_init(struct ima_rule_entry *entry, @@ -556,16 +564,34 @@ static int ima_lsm_rule_init(struct ima_rule_entry *entry,
return result; return result;
} }
+static int ima_string_contains_hex(const char *string, size_t len) +static int ima_string_contains_hex(const char *string, size_t len)
+{ +{
+ const unsigned char *p; + const unsigned char *p;
+ for (p = string; p < (const unsigned char *)string + len; p++) { + for (p = string; p < (const unsigned char *)string + len; p++) {
+ if (*p == '"' || *p < 0x21 || *p > 0x7e) + if (*p == '"' || *p < 0x21 || *p > 0x7e)
+ return 1; + return 1;
+ } + }
+ return 0; + return 0;
+} +}
+ +
+ static void ima_log_string_op(struct audit_buffer *ab, char *key, char *value,
static void ima_log_string(struct audit_buffer *ab, char *key, char *value) bool (*rule_operator)(kuid_t, kuid_t))
{ {
- audit_log_format(ab, "%s=", key); - if (rule_operator == &uid_gt)
- audit_log_format(ab, "%s>", key);
- else if (rule_operator == &uid_lt)
- audit_log_format(ab, "%s<", key);
- else
- audit_log_format(ab, "%s=", key);
- audit_log_untrustedstring(ab, value); - audit_log_untrustedstring(ab, value);
+ if (ima_string_contains_hex(value, strlen(value))) { + if (ima_string_contains_hex(value, strlen(value))) {
+ // value string contains hex. Convert to hex instead + if (rule_operator == &uid_gt)
+ audit_log_format(ab, "%s=(contains hex)%s", key, value); + audit_log_format(ab, "%s>(contains hex)%s", key, value);
+ } + else if (rule_operator == &uid_lt)
+ else { + audit_log_format(ab, "%s<(contains hex)%s", key, value);
+ audit_log_format(ab, "%s=%s", key, value); + else
+ audit_log_format(ab, "%s=(contains hex)%s", key, value);
+ } else {
+ if (rule_operator == &uid_gt)
+ audit_log_format(ab, "%s>", key);
+ else if (rule_operator == &uid_lt)
+ audit_log_format(ab, "%s<", key);
+ else
+ audit_log_format(ab, "%s=", key);
+ } + }
audit_log_format(ab, " "); audit_log_format(ab, " ");
} }
static void ima_log_string(struct audit_buffer *ab, char *key, char *value)
diff --git a/integrity.h b/integrity.h diff --git a/integrity.h b/integrity.h
index 24520b4..c13e61d 100644 index 24520b4..c13e61d 100644
--- a/integrity.h --- a/integrity.h
@ -1183,11 +1226,7 @@ index 24520b4..c13e61d 100644
uint32_t keyid; /* IMA key identifier - not X509/PGP specific */ uint32_t keyid; /* IMA key identifier - not X509/PGP specific */
uint16_t sig_size; /* signature size */ uint16_t sig_size; /* signature size */
uint8_t sig[0]; /* signature payload */ uint8_t sig[0]; /* signature payload */
@@ -127,12 +129,11 @@ int __init integrity_read_file(const char *path, char **data); @@ -131,8 +133,8 @@ int __init integrity_read_file(const char *path, char **data);
#define INTEGRITY_KEYRING_MAX 3
#ifdef CONFIG_INTEGRITY_SIGNATURE
-
int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
const char *digest, int digestlen); const char *digest, int digestlen);
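Review bot: In the new `ima_log_string_op` (right column of the `@@ -556,16 +564,34 @@` hunk), every branch after the `ima_string_contains_hex` check hands `value` straight to `audit_log_format(ab, "%s=(contains hex)%s", key, value)`, so a value containing a quote, whitespace, a newline or a non-ASCII byte lands in the audit record unescaped — precisely the case `audit_log_untrustedstring()`, which the hunk deletes, exists to hex-encode, and an unescaped value can break the key=value structure of the record for audit consumers. If readable output was the intent, keep the operator-prefix logic and replace the embedded `value` with `audit_log_untrustedstring(ab, value);` after the prefix; as far as I recall it only hex-encodes when the string actually needs it, so the helper and the "(contains hex)" marker become unnecessary. Separately, `const unsigned char *p; for (p = string; ...)` assigns a `const char *` to a `const unsigned char *` without the cast used in the loop bound, which trips -Wpointer-sign; initialize it as `p = (const unsigned char *)string`. The helper's name also overstates what it checks (a quote or a non-printable-ASCII byte, not hex digits); a comment such as `/* nonzero if value needs hex-encoding for the audit log */` would make the intent clear.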


@ -24,19 +24,18 @@ diff --git a/ima/ima_appraise.c b/ima/ima_appraise.c
index 88b5091..cff2ad2 100644 index 88b5091..cff2ad2 100644
--- a/ima/ima_appraise.c --- a/ima/ima_appraise.c
+++ b/ima/ima_appraise.c +++ b/ima/ima_appraise.c
@@ -250,8 +250,11 @@ int ima_appraise_measurement(enum ima_hooks func, @@ -205,7 +208,11 @@ int ima_appraise_measurement(enum ima_hooks func,
if (rc <= 0) {
if (rc && rc != -ENODATA) if (rc && rc != -ENODATA)
goto out; goto out;
-
- cause = "missing-hash"; - cause = "missing-hash";
+
+ if (iint->flags & IMA_DIGSIG_REQUIRED) + if (iint->flags & IMA_DIGSIG_REQUIRED)
+ cause = "missing-signature"; + cause = "missing-signature";
+ else + else
+ cause = "missing-hash"; + cause = "missing-hash";
+
status = INTEGRITY_NOLABEL; status = INTEGRITY_NOLABEL;
if (opened & FILE_CREATED) { if (opened & FILE_CREATED)
iint->flags |= IMA_NEW_FILE; iint->flags |= IMA_NEW_FILE;
@@ -352,7 +355,8 @@ void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file) @@ -352,7 +355,8 @@ void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file)
int rc = 0; int rc = 0;