Relocate integrity to stx-integ/kernel/kernel-modules/integrity
Move content from stx-gplv2 into stx-integ

Packages will be relocated to stx-integ:

base/
    bash
    cgcs-users
    cluster-resource-agents
    dpkg
    haproxy
    libfdt
    netpbm
    rpm
database/
    mariadb
filesystem/
    iscsi-initiator-utils
filesystem/drbd/
    drbd-tools
kernel/kernel-modules/
    drbd
    integrity
    intel-e1000e
    intel-i40e
    intel-i40evf
    intel-ixgbe
    intel-ixgbevf
    qat17
    tpmdd
ldap/
    ldapscripts
networking/
    iptables
    net-tools

Change-Id: I4e55b27d93294c5287eb965b3d946618f54e211b
Story: 2002801
Task: 22687
Signed-off-by: Scott Little <scott.little@windriver.com>
This commit is contained in:
parent
53c06b0c98
commit
d7e9b8e15f
|
@ -10,7 +10,6 @@ iscsi-initiator-utils
|
||||||
ldapscripts
|
ldapscripts
|
||||||
netpbm
|
netpbm
|
||||||
net-tools
|
net-tools
|
||||||
integrity
|
|
||||||
drbd
|
drbd
|
||||||
drbd-tools
|
drbd-tools
|
||||||
mariadb
|
mariadb
|
||||||
|
|
|
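Review bot: merging this removal ahead of its stx-integ counterpart silently drops the integrity kmod from the build, because only the `integrity` deletion is in this change and the matching addition to the stx-integ package list is elsewhere. Reference the stx-integ change (review number or Change-Id) in the commit message and merge the pair together, or land the stx-integ side first. The unchanged context entries here (`drbd`, `drbd-tools`, `mariadb`, `ldapscripts`, `netpbm`, `net-tools`) are all named in the commit body as packages to be relocated, so a sentence in the body saying this change covers `integrity` only, as the title already does, would stop a reader expecting them to disappear in this hunk too.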
@ -1,2 +1 @@
|
||||||
drbd
|
drbd
|
||||||
integrity
|
|
||||||
|
|
|
@ -1,5 +0,0 @@
|
||||||
COPY_LIST=" \
|
|
||||||
$FILES_BASE/* \
|
|
||||||
$PATCHES_BASE/* \
|
|
||||||
$STX_BASE/downloads/integrity-kmod-e6aef069.tar.gz"
|
|
||||||
TIS_PATCH_VER=5
|
|
|
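Review bot: the tarball named in `COPY_LIST`, `$STX_BASE/downloads/integrity-kmod-e6aef069.tar.gz`, does not line up with the README removed in this same change: its Rebasing Guidelines prescribe the name `tpm-kmod-<gitHEAD>`, and its Change Sets section records `Sync Head: 668a827057187403999b7ecfcf86b59979c8c3b2`, of which `e6aef069` is not a prefix. Either the recorded sync head is stale or the tarball was cut from a different commit; reconcile the two in the relocated copy so the module source is traceable to one upstream commit. Because the archive lives under `$STX_BASE/downloads/` rather than in this tree, consider declaring a checksum for it wherever its download is listed, so a swapped archive fails the build instead of being compiled into a kernel module. `TIS_PATCH_VER=5` should carry over unchanged so the relocated package does not appear to regress.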
@ -1,344 +0,0 @@
|
||||||
|
|
||||||
"This software program is licensed subject to the GNU General Public License
|
|
||||||
(GPL). Version 2, June 1991, available at
|
|
||||||
<http://www.gnu.org/licenses/gpl-2.0.html>"
|
|
||||||
|
|
||||||
GNU GENERAL PUBLIC LICENSE
|
|
||||||
Version 2, June 1991
|
|
||||||
|
|
||||||
Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
|
|
||||||
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
|
|
||||||
Everyone is permitted to copy and distribute verbatim copies
|
|
||||||
of this license document, but changing it is not allowed.
|
|
||||||
|
|
||||||
Preamble
|
|
||||||
|
|
||||||
The licenses for most software are designed to take away your
|
|
||||||
freedom to share and change it. By contrast, the GNU General Public
|
|
||||||
License is intended to guarantee your freedom to share and change free
|
|
||||||
software--to make sure the software is free for all its users. This
|
|
||||||
General Public License applies to most of the Free Software
|
|
||||||
Foundation's software and to any other program whose authors commit to
|
|
||||||
using it. (Some other Free Software Foundation software is covered by
|
|
||||||
the GNU Lesser General Public License instead.) You can apply it to
|
|
||||||
your programs, too.
|
|
||||||
|
|
||||||
When we speak of free software, we are referring to freedom, not
|
|
||||||
price. Our General Public Licenses are designed to make sure that you
|
|
||||||
have the freedom to distribute copies of free software (and charge for
|
|
||||||
this service if you wish), that you receive source code or can get it
|
|
||||||
if you want it, that you can change the software or use pieces of it
|
|
||||||
in new free programs; and that you know you can do these things.
|
|
||||||
|
|
||||||
To protect your rights, we need to make restrictions that forbid
|
|
||||||
anyone to deny you these rights or to ask you to surrender the rights.
|
|
||||||
These restrictions translate to certain responsibilities for you if you
|
|
||||||
distribute copies of the software, or if you modify it.
|
|
||||||
|
|
||||||
For example, if you distribute copies of such a program, whether
|
|
||||||
gratis or for a fee, you must give the recipients all the rights that
|
|
||||||
you have. You must make sure that they, too, receive or can get the
|
|
||||||
source code. And you must show them these terms so they know their
|
|
||||||
rights.
|
|
||||||
|
|
||||||
We protect your rights with two steps: (1) copyright the software, and
|
|
||||||
(2) offer you this license which gives you legal permission to copy,
|
|
||||||
distribute and/or modify the software.
|
|
||||||
|
|
||||||
Also, for each author's protection and ours, we want to make certain
|
|
||||||
that everyone understands that there is no warranty for this free
|
|
||||||
software. If the software is modified by someone else and passed on, we
|
|
||||||
want its recipients to know that what they have is not the original, so
|
|
||||||
that any problems introduced by others will not reflect on the original
|
|
||||||
authors' reputations.
|
|
||||||
|
|
||||||
Finally, any free program is threatened constantly by software
|
|
||||||
patents. We wish to avoid the danger that redistributors of a free
|
|
||||||
program will individually obtain patent licenses, in effect making the
|
|
||||||
program proprietary. To prevent this, we have made it clear that any
|
|
||||||
patent must be licensed for everyone's free use or not licensed at all.
|
|
||||||
|
|
||||||
The precise terms and conditions for copying, distribution and
|
|
||||||
modification follow.
|
|
||||||
|
|
||||||
GNU GENERAL PUBLIC LICENSE
|
|
||||||
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
|
|
||||||
|
|
||||||
0. This License applies to any program or other work which contains
|
|
||||||
a notice placed by the copyright holder saying it may be distributed
|
|
||||||
under the terms of this General Public License. The "Program", below,
|
|
||||||
refers to any such program or work, and a "work based on the Program"
|
|
||||||
means either the Program or any derivative work under copyright law:
|
|
||||||
that is to say, a work containing the Program or a portion of it,
|
|
||||||
either verbatim or with modifications and/or translated into another
|
|
||||||
language. (Hereinafter, translation is included without limitation in
|
|
||||||
the term "modification".) Each licensee is addressed as "you".
|
|
||||||
|
|
||||||
Activities other than copying, distribution and modification are not
|
|
||||||
covered by this License; they are outside its scope. The act of
|
|
||||||
running the Program is not restricted, and the output from the Program
|
|
||||||
is covered only if its contents constitute a work based on the
|
|
||||||
Program (independent of having been made by running the Program).
|
|
||||||
Whether that is true depends on what the Program does.
|
|
||||||
|
|
||||||
1. You may copy and distribute verbatim copies of the Program's
|
|
||||||
source code as you receive it, in any medium, provided that you
|
|
||||||
conspicuously and appropriately publish on each copy an appropriate
|
|
||||||
copyright notice and disclaimer of warranty; keep intact all the
|
|
||||||
notices that refer to this License and to the absence of any warranty;
|
|
||||||
and give any other recipients of the Program a copy of this License
|
|
||||||
along with the Program.
|
|
||||||
|
|
||||||
You may charge a fee for the physical act of transferring a copy, and
|
|
||||||
you may at your option offer warranty protection in exchange for a fee.
|
|
||||||
|
|
||||||
2. You may modify your copy or copies of the Program or any portion
|
|
||||||
of it, thus forming a work based on the Program, and copy and
|
|
||||||
distribute such modifications or work under the terms of Section 1
|
|
||||||
above, provided that you also meet all of these conditions:
|
|
||||||
|
|
||||||
a) You must cause the modified files to carry prominent notices
|
|
||||||
stating that you changed the files and the date of any change.
|
|
||||||
|
|
||||||
b) You must cause any work that you distribute or publish, that in
|
|
||||||
whole or in part contains or is derived from the Program or any
|
|
||||||
part thereof, to be licensed as a whole at no charge to all third
|
|
||||||
parties under the terms of this License.
|
|
||||||
|
|
||||||
c) If the modified program normally reads commands interactively
|
|
||||||
when run, you must cause it, when started running for such
|
|
||||||
interactive use in the most ordinary way, to print or display an
|
|
||||||
announcement including an appropriate copyright notice and a
|
|
||||||
notice that there is no warranty (or else, saying that you provide
|
|
||||||
a warranty) and that users may redistribute the program under
|
|
||||||
these conditions, and telling the user how to view a copy of this
|
|
||||||
License. (Exception: if the Program itself is interactive but
|
|
||||||
does not normally print such an announcement, your work based on
|
|
||||||
the Program is not required to print an announcement.)
|
|
||||||
|
|
||||||
These requirements apply to the modified work as a whole. If
|
|
||||||
identifiable sections of that work are not derived from the Program,
|
|
||||||
and can be reasonably considered independent and separate works in
|
|
||||||
themselves, then this License, and its terms, do not apply to those
|
|
||||||
sections when you distribute them as separate works. But when you
|
|
||||||
distribute the same sections as part of a whole which is a work based
|
|
||||||
on the Program, the distribution of the whole must be on the terms of
|
|
||||||
this License, whose permissions for other licensees extend to the
|
|
||||||
entire whole, and thus to each and every part regardless of who wrote it.
|
|
||||||
|
|
||||||
Thus, it is not the intent of this section to claim rights or contest
|
|
||||||
your rights to work written entirely by you; rather, the intent is to
|
|
||||||
exercise the right to control the distribution of derivative or
|
|
||||||
collective works based on the Program.
|
|
||||||
|
|
||||||
In addition, mere aggregation of another work not based on the Program
|
|
||||||
with the Program (or with a work based on the Program) on a volume of
|
|
||||||
a storage or distribution medium does not bring the other work under
|
|
||||||
the scope of this License.
|
|
||||||
|
|
||||||
3. You may copy and distribute the Program (or a work based on it,
|
|
||||||
under Section 2) in object code or executable form under the terms of
|
|
||||||
Sections 1 and 2 above provided that you also do one of the following:
|
|
||||||
|
|
||||||
a) Accompany it with the complete corresponding machine-readable
|
|
||||||
source code, which must be distributed under the terms of Sections
|
|
||||||
1 and 2 above on a medium customarily used for software interchange; or,
|
|
||||||
|
|
||||||
b) Accompany it with a written offer, valid for at least three
|
|
||||||
years, to give any third party, for a charge no more than your
|
|
||||||
cost of physically performing source distribution, a complete
|
|
||||||
machine-readable copy of the corresponding source code, to be
|
|
||||||
distributed under the terms of Sections 1 and 2 above on a medium
|
|
||||||
customarily used for software interchange; or,
|
|
||||||
|
|
||||||
c) Accompany it with the information you received as to the offer
|
|
||||||
to distribute corresponding source code. (This alternative is
|
|
||||||
allowed only for noncommercial distribution and only if you
|
|
||||||
received the program in object code or executable form with such
|
|
||||||
an offer, in accord with Subsection b above.)
|
|
||||||
|
|
||||||
The source code for a work means the preferred form of the work for
|
|
||||||
making modifications to it. For an executable work, complete source
|
|
||||||
code means all the source code for all modules it contains, plus any
|
|
||||||
associated interface definition files, plus the scripts used to
|
|
||||||
control compilation and installation of the executable. However, as a
|
|
||||||
special exception, the source code distributed need not include
|
|
||||||
anything that is normally distributed (in either source or binary
|
|
||||||
form) with the major components (compiler, kernel, and so on) of the
|
|
||||||
operating system on which the executable runs, unless that component
|
|
||||||
itself accompanies the executable.
|
|
||||||
|
|
||||||
If distribution of executable or object code is made by offering
|
|
||||||
access to copy from a designated place, then offering equivalent
|
|
||||||
access to copy the source code from the same place counts as
|
|
||||||
distribution of the source code, even though third parties are not
|
|
||||||
compelled to copy the source along with the object code.
|
|
||||||
|
|
||||||
4. You may not copy, modify, sublicense, or distribute the Program
|
|
||||||
except as expressly provided under this License. Any attempt
|
|
||||||
otherwise to copy, modify, sublicense or distribute the Program is
|
|
||||||
void, and will automatically terminate your rights under this License.
|
|
||||||
However, parties who have received copies, or rights, from you under
|
|
||||||
this License will not have their licenses terminated so long as such
|
|
||||||
parties remain in full compliance.
|
|
||||||
|
|
||||||
5. You are not required to accept this License, since you have not
|
|
||||||
signed it. However, nothing else grants you permission to modify or
|
|
||||||
distribute the Program or its derivative works. These actions are
|
|
||||||
prohibited by law if you do not accept this License. Therefore, by
|
|
||||||
modifying or distributing the Program (or any work based on the
|
|
||||||
Program), you indicate your acceptance of this License to do so, and
|
|
||||||
all its terms and conditions for copying, distributing or modifying
|
|
||||||
the Program or works based on it.
|
|
||||||
|
|
||||||
6. Each time you redistribute the Program (or any work based on the
|
|
||||||
Program), the recipient automatically receives a license from the
|
|
||||||
original licensor to copy, distribute or modify the Program subject to
|
|
||||||
these terms and conditions. You may not impose any further
|
|
||||||
restrictions on the recipients' exercise of the rights granted herein.
|
|
||||||
You are not responsible for enforcing compliance by third parties to
|
|
||||||
this License.
|
|
||||||
|
|
||||||
7. If, as a consequence of a court judgment or allegation of patent
|
|
||||||
infringement or for any other reason (not limited to patent issues),
|
|
||||||
conditions are imposed on you (whether by court order, agreement or
|
|
||||||
otherwise) that contradict the conditions of this License, they do not
|
|
||||||
excuse you from the conditions of this License. If you cannot
|
|
||||||
distribute so as to satisfy simultaneously your obligations under this
|
|
||||||
License and any other pertinent obligations, then as a consequence you
|
|
||||||
may not distribute the Program at all. For example, if a patent
|
|
||||||
license would not permit royalty-free redistribution of the Program by
|
|
||||||
all those who receive copies directly or indirectly through you, then
|
|
||||||
the only way you could satisfy both it and this License would be to
|
|
||||||
refrain entirely from distribution of the Program.
|
|
||||||
|
|
||||||
If any portion of this section is held invalid or unenforceable under
|
|
||||||
any particular circumstance, the balance of the section is intended to
|
|
||||||
apply and the section as a whole is intended to apply in other
|
|
||||||
circumstances.
|
|
||||||
|
|
||||||
It is not the purpose of this section to induce you to infringe any
|
|
||||||
patents or other property right claims or to contest validity of any
|
|
||||||
such claims; this section has the sole purpose of protecting the
|
|
||||||
integrity of the free software distribution system, which is
|
|
||||||
implemented by public license practices. Many people have made
|
|
||||||
generous contributions to the wide range of software distributed
|
|
||||||
through that system in reliance on consistent application of that
|
|
||||||
system; it is up to the author/donor to decide if he or she is willing
|
|
||||||
to distribute software through any other system and a licensee cannot
|
|
||||||
impose that choice.
|
|
||||||
|
|
||||||
This section is intended to make thoroughly clear what is believed to
|
|
||||||
be a consequence of the rest of this License.
|
|
||||||
|
|
||||||
8. If the distribution and/or use of the Program is restricted in
|
|
||||||
certain countries either by patents or by copyrighted interfaces, the
|
|
||||||
original copyright holder who places the Program under this License
|
|
||||||
may add an explicit geographical distribution limitation excluding
|
|
||||||
those countries, so that distribution is permitted only in or among
|
|
||||||
countries not thus excluded. In such case, this License incorporates
|
|
||||||
the limitation as if written in the body of this License.
|
|
||||||
|
|
||||||
9. The Free Software Foundation may publish revised and/or new versions
|
|
||||||
of the General Public License from time to time. Such new versions will
|
|
||||||
be similar in spirit to the present version, but may differ in detail to
|
|
||||||
address new problems or concerns.
|
|
||||||
|
|
||||||
Each version is given a distinguishing version number. If the Program
|
|
||||||
specifies a version number of this License which applies to it and "any
|
|
||||||
later version", you have the option of following the terms and conditions
|
|
||||||
either of that version or of any later version published by the Free
|
|
||||||
Software Foundation. If the Program does not specify a version number of
|
|
||||||
this License, you may choose any version ever published by the Free Software
|
|
||||||
Foundation.
|
|
||||||
|
|
||||||
10. If you wish to incorporate parts of the Program into other free
|
|
||||||
programs whose distribution conditions are different, write to the author
|
|
||||||
to ask for permission. For software which is copyrighted by the Free
|
|
||||||
Software Foundation, write to the Free Software Foundation; we sometimes
|
|
||||||
make exceptions for this. Our decision will be guided by the two goals
|
|
||||||
of preserving the free status of all derivatives of our free software and
|
|
||||||
of promoting the sharing and reuse of software generally.
|
|
||||||
|
|
||||||
NO WARRANTY
|
|
||||||
|
|
||||||
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
|
|
||||||
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
|
|
||||||
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
|
|
||||||
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
|
|
||||||
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
|
|
||||||
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
|
|
||||||
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
|
|
||||||
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
|
|
||||||
REPAIR OR CORRECTION.
|
|
||||||
|
|
||||||
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
|
|
||||||
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
|
|
||||||
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
|
|
||||||
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
|
|
||||||
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
|
|
||||||
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
|
|
||||||
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
|
|
||||||
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
|
|
||||||
POSSIBILITY OF SUCH DAMAGES.
|
|
||||||
|
|
||||||
END OF TERMS AND CONDITIONS
|
|
||||||
|
|
||||||
How to Apply These Terms to Your New Programs
|
|
||||||
|
|
||||||
If you develop a new program, and you want it to be of the greatest
|
|
||||||
possible use to the public, the best way to achieve this is to make it
|
|
||||||
free software which everyone can redistribute and change under these terms.
|
|
||||||
|
|
||||||
To do so, attach the following notices to the program. It is safest
|
|
||||||
to attach them to the start of each source file to most effectively
|
|
||||||
convey the exclusion of warranty; and each file should have at least
|
|
||||||
the "copyright" line and a pointer to where the full notice is found.
|
|
||||||
|
|
||||||
<one line to give the program's name and a brief idea of what it does.>
|
|
||||||
Copyright (C) <year> <name of author>
|
|
||||||
|
|
||||||
This program is free software; you can redistribute it and/or modify
|
|
||||||
it under the terms of the GNU General Public License as published by
|
|
||||||
the Free Software Foundation; either version 2 of the License, or
|
|
||||||
(at your option) any later version.
|
|
||||||
|
|
||||||
This program is distributed in the hope that it will be useful,
|
|
||||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
GNU General Public License for more details.
|
|
||||||
|
|
||||||
You should have received a copy of the GNU General Public License along
|
|
||||||
with this program; if not, write to the Free Software Foundation, Inc.,
|
|
||||||
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
||||||
|
|
||||||
Also add information on how to contact you by electronic and paper mail.
|
|
||||||
|
|
||||||
If the program is interactive, make it output a short notice like this
|
|
||||||
when it starts in an interactive mode:
|
|
||||||
|
|
||||||
Gnomovision version 69, Copyright (C) year name of author
|
|
||||||
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
|
|
||||||
This is free software, and you are welcome to redistribute it
|
|
||||||
under certain conditions; type `show c' for details.
|
|
||||||
|
|
||||||
The hypothetical commands `show w' and `show c' should show the appropriate
|
|
||||||
parts of the General Public License. Of course, the commands you use may
|
|
||||||
be called something other than `show w' and `show c'; they could even be
|
|
||||||
mouse-clicks or menu items--whatever suits your program.
|
|
||||||
|
|
||||||
You should also get your employer (if you work as a programmer) or your
|
|
||||||
school, if any, to sign a "copyright disclaimer" for the program, if
|
|
||||||
necessary. Here is a sample; alter the names:
|
|
||||||
|
|
||||||
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
|
|
||||||
`Gnomovision' (which makes passes at compilers) written by James Hacker.
|
|
||||||
|
|
||||||
<signature of Ty Coon>, 1 April 1989
|
|
||||||
Ty Coon, President of Vice
|
|
||||||
|
|
||||||
This General Public License does not permit incorporating your program into
|
|
||||||
proprietary programs. If your program is a subroutine library, you may
|
|
||||||
consider it more useful to permit linking proprietary applications with the
|
|
||||||
library. If this is what you want to do, use the GNU Lesser General
|
|
||||||
Public License instead of this License.
|
|
|
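Review bot: the license metadata disagrees between the files in this change and should be settled when they land in stx-integ. This COPYING states that the program is "licensed subject to the GNU General Public License (GPL). Version 2, June 1991", while the README in the same directory carries `SPDX-License-Identifier: Apache-2.0` under a Wind River copyright. The code the README describes is a fork of in-kernel integrity/IMA sources, which are GPLv2, so the Apache-2.0 identifier can at most apply to the README text itself; either scope it explicitly to the README or drop it, and check that the package spec's License field matches COPYING.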
@ -1,231 +0,0 @@
|
||||||
|
|
||||||
Integrity and IMA Modules for CentOS 7 (Linux version 3.10)
|
|
||||||
===============================================================================
|
|
||||||
|
|
||||||
===============================================================================
|
|
||||||
|
|
||||||
Kam Nasim <kam.nasim@windriver.com>
|
|
||||||
Copyright (c) 2017 Wind River Systems, Inc.
|
|
||||||
|
|
||||||
SPDX-License-Identifier: Apache-2.0
|
|
||||||
|
|
||||||
|
|
||||||
August, 2017
|
|
||||||
|
|
||||||
===============================================================================
|
|
||||||
|
|
||||||
Contents
|
|
||||||
--------
|
|
||||||
|
|
||||||
- Overview
|
|
||||||
- Rebasing Guidelines
|
|
||||||
- Changesets
|
|
||||||
|
|
||||||
================================================================================
|
|
||||||
|
|
||||||
|
|
||||||
Important Notes
|
|
||||||
---------------
|
|
||||||
|
|
||||||
No support for APPENDING IMA policies
|
|
||||||
----------------------------------------------
|
|
||||||
|
|
||||||
A provision was introduced in April 2014 to allow multiple IMA policies to be
|
|
||||||
appended.This change involved setting up inode hooks which could not be
|
|
||||||
backported in the 3.10 Kernel. Therefore we do not allow the following operation
|
|
||||||
types:
|
|
||||||
echo /etc/ima/ima_policy > /sys/kernel/security/ima/policy
|
|
||||||
|
|
||||||
only an overwrite is possible:
|
|
||||||
cat policy-file > <securityfs>/ima/policy
|
|
||||||
|
|
||||||
EVM support disabled in Kernel
|
|
||||||
------------------------------------------------
|
|
||||||
|
|
||||||
The EVM Kernel Configuration option was mutually exclusive to the CONFIG_INTEGRITY
|
|
||||||
Kernel configuration option. Since Integrity is being disabled in the Kernel, EVM
|
|
||||||
would also need to be built out-of-tree as a Kernel module and would require some
|
|
||||||
refactoring if it is to be used with this module pack.
|
|
||||||
|
|
||||||
|
|
||||||
IMA Keyring allocated inside the Kernel
|
|
||||||
-----------------------------------------
|
|
||||||
|
|
||||||
Normally, the _ima Keyring is allocated from user space, but this has the
|
|
||||||
added disadvantage of persisting the public key on the file system. Corruption
|
|
||||||
of this public key may cripple the system by triggering APPRAISAL failures if
|
|
||||||
ima 'Enforcement' is enabled. To prevent this, the IMA public key is compiled
|
|
||||||
into the Kernel and is placed in the Kernel SOURCE (ima_signing_key.pub)
|
|
||||||
|
|
||||||
|
|
||||||
Overview
|
|
||||||
--------
|
|
||||||
|
|
||||||
This module pack builds Integrity and IMA kernel modules for the 3.10 kernel version.
|
|
||||||
If newer kernel version are to be supported in the future then the COMPAT
|
|
||||||
layer (kcompat.h) will need to be adjusted to address kernel-driver compatibility
|
|
||||||
issues. As well as certain LINUX_VERSION_CODE <= KERNEL_VERSION(3,10,0) ifdefs
|
|
||||||
|
|
||||||
It supports Linux supported x86_64 systems.
|
|
||||||
|
|
||||||
These drivers are only supported as a loadable module at this time.
|
|
||||||
|
|
||||||
|
|
||||||
Rebasing Guidelines
|
|
||||||
--------------------
|
|
||||||
|
|
||||||
On rebasing TiC software heed the following:
|
|
||||||
- always rebase the Kernel first before rebasing this package
|
|
||||||
- get the HEAD from the tpmdd repo and generate a tarball, the tarball
|
|
||||||
should follow the naming convention: tpm-kmod-<gitHEAD>; use the short-hand
|
|
||||||
form of the git commit ID (8 characters)
|
|
||||||
- update the integrity-kmod spec to Source the new tarball
|
|
||||||
- apply all existing patches against the new tarball, and adjust the kcompat
|
|
||||||
layer (LINUX_VERSION_CODE ifdefs, kcompat.h and common.mk) accordingly
|
|
||||||
|
|
||||||
IMA Signing Key Generation Guidelines
|
|
||||||
--------------------------------------
|
|
||||||
|
|
||||||
The following may be used to generate an IMA key pair:
|
|
||||||
openssl req -newkey rsa:2048 -nodes -days 10950 -x509 -outform DER -out ima_signing_key.pub -keyout ima_signing_key.priv
|
|
||||||
|
|
||||||
The "ima_signing_key.pub" MUST be placed in the Kernel source (files/) so that the
|
|
||||||
Kernel build can pick it up and compile it in.
|
|
||||||
|
|
||||||
|
|
||||||
================================================================================
|
|
||||||
|
|
||||||
|
|
||||||
Change Sets
|
|
||||||
-------------------------
|
|
||||||
|
|
||||||
This driver is a fork from the tpmdd repo:
|
|
||||||
https://sourceforge.net/projects/tpmdd/
|
|
||||||
http://git.infradead.org/users/jjs/linux-tpmdd.git/
|
|
||||||
|
|
||||||
Sync Head: 668a827057187403999b7ecfcf86b59979c8c3b2
|
|
||||||
|
|
||||||
COMPAT NOTES:
|
|
||||||
|
|
||||||
1. In newer kernels, VFS layer read operations have been refactored:
|
|
||||||
VFS: refactor vfs_read()
|
|
||||||
|
|
||||||
integrity_kernel_read() duplicates the file read operations code
|
|
||||||
in vfs_read(). This patch refactors vfs_read() code creating a
|
|
||||||
helper function __vfs_read(). It is used by both vfs_read() and
|
|
||||||
integrity_kernel_read().
|
|
||||||
|
|
||||||
Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
|
|
||||||
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
|
|
||||||
|
|
||||||
The compat layer therefore needs to redefine the integrity vfs code to use
|
|
||||||
the original implementation
|
|
||||||
|
|
||||||
|
|
||||||
2. In newer kernels, a wrapper has been developed around inode mutex un/lock
|
|
||||||
|
|
||||||
commit 5955102c9984fa081b2d570cfac75c97eecf8f3b
|
|
||||||
Author: Al Viro <viro@zeniv.linux.org.uk>
|
|
||||||
Date: Fri Jan 22 15:40:57 2016 -0500
|
|
||||||
|
|
||||||
wrappers for ->i_mutex access
|
|
||||||
|
|
||||||
parallel to mutex_{lock,unlock,trylock,is_locked,lock_nested},
|
|
||||||
inode_foo(inode) being mutex_foo(&inode->i_mutex).
|
|
||||||
|
|
||||||
Please, use those for access to ->i_mutex; over the coming cycle
|
|
||||||
->i_mutex will become rwsem, with ->lookup() done with it held
|
|
||||||
only shared.
|
|
||||||
|
|
||||||
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
|
||||||
|
|
||||||
The compat layer needs to replace all instances of inode locking
|
|
||||||
with the underlying mutex locking/unlocking calls
|
|
||||||
|
|
||||||
|
|
||||||
3. In newer kernels, security PRE and POST Hooks are defined which
|
|
||||||
have their seperate appraisal calls
|
|
||||||
|
|
||||||
commit 39eeb4fb97f60dbdfc823c1a673a8844b9226b60
|
|
||||||
Author: Mimi Zohar <zohar@linux.vnet.ibm.com>
|
|
||||||
Date: Sat Jan 30 22:23:26 2016 -0500
|
|
||||||
|
|
||||||
security: define kernel_read_file hook
|
|
||||||
|
|
||||||
The kernel_read_file security hook is called prior to reading the file
|
|
||||||
into memory.
|
|
||||||
|
|
||||||
Changelog v4+:
|
|
||||||
- export security_kernel_read_file()
|
|
||||||
|
|
||||||
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
|
|
||||||
Acked-by: Kees Cook <keescook@chromium.org>
|
|
||||||
Acked-by: Luis R. Rodriguez <mcgrof@kernel.org>
|
|
||||||
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
|
|
||||||
|
|
||||||
The compat layer needs to ignore all PRE and POST File hooks and
cannot support such PRE and POST appraisals

4. In newer kernels, IMA policies can be applied by path as opposed to
content allowing multiple policies to be appended

commit 7429b092811fb20c6a5b261c2c116a6a90cb9a29
Author: Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
Date: Fri Apr 11 17:47:01 2014 +0300

ima: load policy using path

We currently cannot do appraisal or signature vetting of IMA policies
since we currently can only load IMA policies by writing the contents
of the policy directly in, as follows:

cat policy-file > <securityfs>/ima/policy

If we provide the kernel the path to the IMA policy so it can load
the policy itself it'd be able to later appraise or vet the file
signature if it has one. This patch adds support to load the IMA
policy with a given path as follows:

echo /etc/ima/ima_policy > /sys/kernel/security/ima/policy

Changelog v4+:
- moved kernel_read_file_from_path() error messages to callers
v3:
- moved kernel_read_file_from_path() to a separate patch
v2:
- after re-ordering the patches, replace calling integrity_kernel_read()
to read the file with kernel_read_file_from_path() (Mimi)
- Patch description re-written by Luis R. Rodriguez

Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com>

This feature was removed from the IMA modules since it required extensive
backporting to the INODE and VFS layers inthe base kernel

5. In newer kernels, IMA allows measurement lists to be preserved over
Kernel reinstalls or kexecs

commit d9ddf077bb85b54200dfcb5f2edec4f0d6a7c2ca
Author: Mimi Zohar <zohar@linux.vnet.ibm.com>
Date: Thu Jan 14 20:59:14 2016 -0500

ima: support for kexec image and initramfs

Add IMA policy support for measuring/appraising the kexec image and
initramfs. Two new IMA policy identifiers KEXEC_KERNEL_CHECK and
KEXEC_INITRAMFS_CHECK are defined.

Example policy rules:
measure func=KEXEC_KERNEL_CHECK
appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig
measure func=KEXEC_INITRAMFS_CHECK
appraise func=KEXEC_INITRAMFS_CHECK appraise_type=imasig

Moving the enumeration to the vfs layer simplified the patches, allowing
the IMA changes, for the most part, to be separated from the other
changes. Unfortunately, passing either a kernel_read_file_id or a
ima_hooks enumeration within IMA is messy.

This feature was removed from the IMA modules since it required defining a
new Kexec cache in the base Kernel which was an extensive backporting effort
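Review bot: items 4 and 5 each end with "this feature was removed" but never say what the operator loses, and that is the part a reader of this README needs. For item 4 the consequence is that the policy can only be loaded by writing its contents into securityfs (the `cat policy-file > <securityfs>/ima/policy` form quoted above), so the policy file is itself never appraised or signature-checked; the only protection it gets is the root-only 0400 install mode the spec gives /etc/ima.policy, and that should be stated here. For item 5 the consequence is that the measurement list does not survive a kexec, so a verifier has to treat a kexec'd node as starting from an empty log. One sentence per item would do.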
@ -1 +0,0 @@
options ima ima_appraise_param="log" ima_use_tpm=0
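Review bot: with `ima_appraise_param="log"` and `ima_use_tpm=0` the shipped default neither enforces appraisal nor anchors measurements in hardware: signature failures are only logged, and because the TPM probe is skipped the boot_aggregate and the measurement list are never extended into a PCR, so they cannot be used for remote attestation. If that is the intended posture for the relocated package, say so in the README; if enforcement is expected in production, document that switching to `enforce` requires a reboot, since the 0002 patch registers the parameter read-only (0444).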
@ -1,4 +0,0 @@
# EXT4_SUPER_MAGIC
measure func=FILE_CHECK uid=0 fsmagic=0xEF53
appraise func=FILE_MMAP mask=MAY_EXEC uid=0 appraise_type=imasig fsmagic=0xEF53
appraise func=BPRM_CHECK mask=MAY_EXEC uid=0 appraise_type=imasig fsmagic=0xEF53
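Review bot: every rule carries `uid=0`, which matches the uid of the process doing the open, mmap or exec, not the owner of the file; so only root's executions on ext4 (fsmagic=0xEF53) are appraised, and a binary run by any unprivileged or service account is never checked against its security.ima signature. If that is deliberate (to cap the measurement log), put a comment in the policy saying so; if the intent is "all executables on the rootfs must be signed", drop `uid=0` from the two appraise rules and keep it only on the measure rule.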
@ -1 +0,0 @@
options integrity integrity_audit=0
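Review bot: a comment on this line would help: `integrity_audit=0` only suppresses the informational audit records, appraisal failures are still reported, so an operator who toggles it to 1 gets more noise, not more detection. The 0002 patch exposes the same switch as a 0644 module parameter, so the file should also mention that it can be flipped at runtime under /sys/module/integrity/parameters/.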
@ -1,3 +0,0 @@
tpm_tis
integrity
ima
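Review bot: tpm_tis is loaded ahead of integrity and ima so the chip is available when ima_init() probes it, but ima.conf in this same package sets `ima_use_tpm=0`, which makes ima_init() skip the probe entirely. Loading the TPM driver here while disabling its use in modprobe.d invites the assumption that measurements are being extended into PCR 10 when they are not; either drop tpm_tis from this list or flip the default, and document whichever is chosen.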
@ -1,138 +0,0 @@
%if "%{?_tis_build_type}" == "rt"
%define bt_ext -rt
%else
%undefine bt_ext
%endif

# Define the kmod package name here.
%define kmod_name integrity

Name: %{kmod_name}-kmod%{?bt_ext}
# the version is the Kernel version from which
# this driver is extracted
Version: 4.12
Release: 0%{?_tis_dist}.%{tis_patch_ver}
Group: System Environment/Kernel
License: GPLv2
Summary: %{kmod_name}%{?bt_ext} kernel module(s)

BuildRequires: kernel%{?bt_ext}-devel, redhat-rpm-config, perl, tpm-kmod%{?bt_ext}-symbols, openssl
ExclusiveArch: x86_64

# Sources.
# the integrity is available as a tarball, with
# the git commit Id referenced in the name
Source0: %{kmod_name}-kmod-e6aef069.tar.gz
Source1: modules-load.conf
Source2: COPYING
Source3: README
Source4: integrity.conf
Source5: ima.conf
Source6: ima.policy

# Patches
Patch01: 0001-integrity-kcompat-support.patch
Patch02: 0002-integrity-expose-module-params.patch
Patch03: 0003-integrity-restrict-by-iversion.patch
Patch04: 0004-integrity-disable-set-xattr-on-imasig.patch
Patch05: Changes-for-CentOS-7.4-support.patch

%define kversion %(rpm -q kernel%{?bt_ext}-devel | sort --version-sort | tail -1 | sed 's/kernel%{?bt_ext}-devel-//')

%package -n kmod-integrity%{?bt_ext}
Summary: Integrity kernel module(s) and driver
Group: System Environment/Kernel
%global _use_internal_dependency_generator 0
Provides: kernel-modules >= %{kversion}
Provides: integrity-kmod = %{?epoch:%{epoch}:}%{version}-%{release}
Requires(post): /usr/sbin/depmod
Requires(postun): /usr/sbin/depmod

%description -n kmod-integrity%{?bt_ext}
This package provides the %{version} Integrity / IMA kernel module(s) and drivers built
for the Linux kernel using the %{_target_cpu} family of processors.

%post -n kmod-integrity%{?bt_ext}
echo "Working. This may take some time ..."
if [ -e "/boot/System.map-%{kversion}" ]; then
/usr/sbin/depmod -aeF "/boot/System.map-%{kversion}" "%{kversion}" > /dev/null || :
fi
modules=( $(find /lib/modules/%{kversion}/kernel/security/integrity/ | grep '\.ko$') )
if [ -x "/sbin/weak-modules" ]; then
printf '%s\n' "${modules[@]}" | /sbin/weak-modules --add-modules
fi
echo "Done."

%preun -n kmod-integrity%{?bt_ext}
rpm -ql kmod-integrity%{?bt_ext}-%{version}-%{release}.x86_64 | grep '\.ko$' > /var/run/rpm-kmod-integrity%{?bt_ext}-modules

%postun -n kmod-integrity%{?bt_ext}
echo "Working. This may take some time ..."
if [ -e "/boot/System.map-%{kversion}" ]; then
/usr/sbin/depmod -aeF "/boot/System.map-%{kversion}" "%{kversion}" > /dev/null || :
fi
modules=( $(cat /var/run/rpm-kmod-integrity%{?bt_ext}-modules) )
rm /var/run/rpm-kmod-integrity%{?bt_ext}-modules
if [ -x "/sbin/weak-modules" ]; then
printf '%s\n' "${modules[@]}" | /sbin/weak-modules --remove-modules
fi
echo "Done."

%files -n kmod-integrity%{?bt_ext}
%defattr(-,root,root,-)
/lib/modules/%{kversion}/
%doc /usr/share/doc/kmod-integrity/
%{_sysconfdir}/modules-load.d/ima.conf
%config(noreplace) %{_sysconfdir}/modprobe.d/integrity.conf
%config(noreplace) %{_sysconfdir}/modprobe.d/ima.conf
%{_sysconfdir}/ima.policy

# Disable the building of the debug package(s).
%define debug_package %{nil}

%description
This package provides the %{kmod_name} kernel module(s).
It is built to depend upon the specific ABI provided by a range of releases
of the same variant of the Linux kernel and not on any one specific build.

%prep
%autosetup -p 1 -n %{kmod_name}

%build
# build out all the Integrity / IMA kernel modules
%{__make} KSRC=%{_usrsrc}/kernels/%{kversion} KBUILD_EXTRA_SYMBOLS=%{_usrsrc}/debug/tpm/Module.symvers

%install
%{__install} -d %{buildroot}/lib/modules/%{kversion}/kernel/security/%{kmod_name}/
%{__install} *.ko %{buildroot}/lib/modules/%{kversion}/kernel/security/%{kmod_name}/
%{__install} -d %{buildroot}/lib/modules/%{kversion}/kernel/security/%{kmod_name}/ima/
%{__install} ima/*.ko %{buildroot}/lib/modules/%{kversion}/kernel/security/%{kmod_name}/ima/
%{__install} -d %{buildroot}%{_sysconfdir}/modules-load.d
%{__install} -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/modules-load.d/ima.conf
%{__install} -d %{buildroot}%{_sysconfdir}/modprobe.d
%{__install} -p -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/modprobe.d/integrity.conf
%{__install} -p -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/modprobe.d/ima.conf
%{__install} -p -m 0400 %{SOURCE6} %{buildroot}%{_sysconfdir}/ima.policy
%{__install} -d %{buildroot}%{_defaultdocdir}/kmod-%{kmod_name}/
%{__install} %{SOURCE2} %{buildroot}%{_defaultdocdir}/kmod-%{kmod_name}/
%{__install} %{SOURCE3} %{buildroot}%{_defaultdocdir}/kmod-%{kmod_name}/

# Strip the modules(s).
find %{buildroot} -type f -name \*.ko -exec %{__strip} --strip-debug \{\} \;

# Always Sign the modules(s).
# If the module signing keys are not defined, define them here.
%{!?privkey: %define privkey /usr/src/kernels/%{kversion}/signing_key.priv}
%{!?pubkey: %define pubkey /usr/src/kernels/%{kversion}/signing_key.x509}
for module in $(find %{buildroot} -type f -name \*.ko);
do %{__perl} /usr/src/kernels/%{kversion}/scripts/sign-file \
sha256 %{privkey} %{pubkey} $module;
done

%clean
%{__rm} -rf %{buildroot}

%changelog
* Mon Aug 21 2017 Kam Nasim <kam.nasim@windriver.com> 4.12
- Initial RPM package.
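Review bot: `%{_sysconfdir}/ima.policy` in %files is not marked `%config(noreplace)` while the two modprobe.d files are, so an operator-tuned policy is silently overwritten on every upgrade of the kmod package; mark it `%config(noreplace)` (the 0400 install mode can stay). Two smaller points in the same file: the signing step falls back to `/usr/src/kernels/%{kversion}/signing_key.priv`, a private key living inside the kernel-devel tree of the build host, which is acceptable for a throwaway build key but must be overridden via %privkey/%pubkey for any release signing, and the spec does not fail loudly if neither is present; and `Version: 4.12` is a fixed string while `%kversion` is computed from whatever kernel-devel is installed, so the package version does not record the kernel it was actually built and signed for.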
File diff suppressed because it is too large
@ -1,156 +0,0 @@
From 6d0d8278d37b3874e0b272a6d01663fbfc91cdcb Mon Sep 17 00:00:00 2001
From: Kam Nasim <kam.nasim@windriver.com>
Date: Fri, 22 Sep 2017 14:19:39 -0400
Subject: [PATCH] US103091: IMA: System Configuration

Expose integrity_audit and ima_appraise (which were only available
as boot parameters), as Module parameters since it is perceived that
customers would want to tune these at runtime. The integrity_audit
parameter can be toggled at runtime, however the ima_appraise modparam
will require a node reboot inorder to change appraise type.

In addition we introduce a new module param to disable IMA-TPM
interactions. Ths is tunable at runtime.
---
ima/ima_appraise.c | 47 +++++++++++++++++++++++++++++++++++++++++++++--
ima/ima_init.c | 18 ++++++++++++------
integrity_audit.c | 2 ++
kcompat.h | 4 ++++
4 files changed, 63 insertions(+), 8 deletions(-)

diff --git a/ima/ima_appraise.c b/ima/ima_appraise.c
index b0d4286..88b5091 100644
--- a/ima/ima_appraise.c
+++ b/ima/ima_appraise.c
@@ -21,7 +21,21 @@

#include "ima.h"

-static int __init default_appraise_setup(char *str)
+static char *ima_appraise_param = "log";
+static int ima_appraise_param_set(const char *,
+ const struct kernel_param *);
+static struct kernel_param_ops ima_appraise_param_ops = {
+ .set = ima_appraise_param_set,
+ .get = param_get_charp,
+};
+module_param_cb(ima_appraise_param, &ima_appraise_param_ops,
+ &ima_appraise_param, 0444);
+MODULE_PARM_DESC(ima_appraise_param,
+ "IMA appraise type " \
+ "{ \"off\" | \"enforce\" | \"fix\" | \"log\" }" \
+ "(default: log).");
+
+static int default_appraise_setup(char *str)
{
if (strncmp(str, "off", 3) == 0)
ima_appraise = 0;
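Review bot: `ima_appraise_param_set` is declared here with a `const char *val`, but its body (next hunk) does `strstrip((char *)val)`, casting the const away and writing into the buffer the parameter core handed in; copy the value into a local buffer before stripping it. Dropping `__init` from default_appraise_setup is right now that it is reachable from the set callback, and registering the parameter 0444 is consistent with the commit message's "requires a reboot", but the MODULE_PARM_DESC should say that too so `/sys/module/ima/parameters/ima_appraise_param` being read-only is not mistaken for a bug.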
@@ -29,11 +43,40 @@ static int __init default_appraise_setup(char *str)
ima_appraise = IMA_APPRAISE_LOG;
else if (strncmp(str, "fix", 3) == 0)
ima_appraise = IMA_APPRAISE_FIX;
- return 1;
+ else if (strncmp(str, "enforce", 7) == 0)
+ ima_appraise = IMA_APPRAISE_ENFORCE;
+ else {
+ return -1;
+ }
+ return 1;
}

__setup("ima_appraise=", default_appraise_setup);

+
+static int ima_appraise_param_set(const char *val,
+ const struct kernel_param *kp)
+{
+ char *ima_appraise_type = strstrip((char *)val);
+
+ /* no change required */
+ if (!strcmp(ima_appraise_type, *(char **)kp->arg))
+ return 0;
+
+ /* set the ima_appraise mode and only
+ * update the kernel parameter if the parameter
+ * was successfully set */
+ int ret;
+ ret = default_appraise_setup(ima_appraise_type);
+ if (ret == -1) {
+ pr_err("Undefined value for ima_appraise_param: %s\n",
+ ima_appraise_type);
+ return -EINVAL;
+ }
+
+ return param_set_charp(ima_appraise_type, kp);
+}
+
/*
* ima_must_appraise - set appraise flag
*
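Review bot: `+ int ret;` is a declaration after a statement (the early `return 0;` above it), which the kernel build flags with -Wdeclaration-after-statement; move it to the top of the function. Also, the `strncmp(str, ..., 3)` tests only compare a prefix, so "offline" or "fixed" are silently accepted as "off" and "fix" (pre-existing upstream behaviour, but now reachable from modprobe options rather than only the boot line), and the rejected-value path leaves `ima_appraise` untouched only because every branch is an else-if; a `strcmp` against the full token would make the `-EINVAL` path honest.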
diff --git a/ima/ima_init.c b/ima/ima_init.c
index 0759c8c..a7362e8 100644
--- a/ima/ima_init.c
+++ b/ima/ima_init.c
@@ -26,7 +26,11 @@

/* name for boot aggregate entry */
static const char *boot_aggregate_name = "boot_aggregate";
-int ima_used_chip;
+int ima_used_chip = -1;
+module_param_named(ima_use_tpm, ima_used_chip, int, 0644);
+MODULE_PARM_DESC(ima_use_tpm,
+ "Enable TPM interaction for storing measurement aggregate " \
+ " { 0(disable) | 1(enable) }(default: 0).");

/* Add the boot aggregate to the IMA measurement list and extend
* the PCR register.
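Review bot: the parameter is registered 0644, so `ima_used_chip` can be rewritten from /sys/module/ima/parameters/ima_use_tpm at any time, but the only place that validates it against a real chip is the probe in ima_init() (next hunk), which runs once at load. A later write of 1 marks the chip as present without any tpm_pcr_read having succeeded, and subsequent measurements will call into the TPM layer on a chip that was never probed; a later write of 0 silently stops PCR extension mid-run, leaving a log that no longer matches the PCR. Either register it 0444 like ima_appraise_param or give it a set callback that re-runs the probe. The description also says `(default: 0)` while the initialiser is -1 (auto-detect); make the two agree.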
@@ -108,11 +112,13 @@ int __init ima_init(void)
{
u8 pcr_i[TPM_DIGEST_SIZE];
int rc;
-
- ima_used_chip = 0;
- rc = tpm_pcr_read(TPM_ANY_NUM, 0, pcr_i);
- if (rc == 0)
- ima_used_chip = 1;
+
+ if (ima_used_chip != 0) {
+ ima_used_chip = 0;
+ rc = tpm_pcr_read(TPM_ANY_NUM, 0, pcr_i);
+ if (rc == 0)
+ ima_used_chip = 1;
+ }

if (!ima_used_chip)
pr_info("No TPM chip found, activating TPM-bypass! (rc=%d)\n",
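Review bot: with the probe now skipped when `ima_use_tpm=0`, the unchanged `pr_info("No TPM chip found, activating TPM-bypass! (rc=%d)\n", ...)` below fires for a deliberately disabled TPM as well as for a missing or failed one, and `rc` is uninitialised on that path. Print a distinct message for the configured-bypass case (and initialise `rc`) so that a node whose TPM has silently stopped responding cannot be confused with one where the operator turned it off.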
diff --git a/integrity_audit.c b/integrity_audit.c
index ba5e532..da29f91 100644
--- a/integrity_audit.c
+++ b/integrity_audit.c
@@ -17,6 +17,8 @@
#include "integrity.h"

static int integrity_audit_info;
+module_param_named(integrity_audit, integrity_audit_info, uint, 0644);
+MODULE_PARM_DESC(integrity_audit, "Enable debug integrity auditing.");

/* ima_audit_setup - enable informational auditing messages */
static int __init integrity_audit_setup(char *str)
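Review bot: `integrity_audit_info` is declared `static int` but registered with the `uint` parameter type; the module_param macros type-check the pointer they are given, so this produces an incompatible-pointer warning or a build failure depending on the kernel, and the getter would render a negative int as a large unsigned value. Use `int` here, or change the variable to `unsigned int`. The MODULE_PARM_DESC should also say that this only enables the informational audit records, since failures are reported regardless.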
diff --git a/kcompat.h b/kcompat.h
index 936b76c..a5445aa 100644
--- a/kcompat.h
+++ b/kcompat.h
@@ -9,6 +9,10 @@

#if ( LINUX_VERSION_CODE <= KERNEL_VERSION(3,10,0) )

+#include <linux/string.h>
+#include <linux/moduleparam.h>
+#include <linux/module.h>
+
/* kcompat definitions */
#define CONFIG_TCG_TPM_MODULE 1

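Review bot: the three `#include` lines land inside the `#if ( LINUX_VERSION_CODE <= KERNEL_VERSION(3,10,0) )` block, but the module_param_cb()/module_param_named() and strstrip() uses this patch adds to ima_appraise.c, ima_init.c and integrity_audit.c need <linux/moduleparam.h> and <linux/string.h> on every kernel, not only on 3.10 and older; move them above the version guard. Note also that the CentOS 7.4 kernel still reports 3.10.0 while carrying much later backports, which is exactly why the separate "Changes for CentOS 7.4 support" patch has to keep trimming this block.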
--
1.8.3.1

@ -1,54 +0,0 @@
From 0c83c892509e592692e5002d855ce1f3001149e5 Mon Sep 17 00:00:00 2001
From: Kam Nasim <kam.nasim@windriver.com>
Date: Fri, 22 Sep 2017 16:47:36 -0400
Subject: [PATCH] US103091: IMA: System Configuration

Since IMA does measurements on all EXT4 file systems (as per IMA
policy), we end up with a large number of measurements for log files and
the DRBD fs. Therefore we restrict IMA to only do measurements &
appraisals on file systems that have i_version set, which is only the
rootfs.
---
ima/ima_main.c | 6 +++++-
kcompat.h | 1 +
2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/ima/ima_main.c b/ima/ima_main.c
index 5d6ba23..ea3ace3 100644
--- a/ima/ima_main.c
+++ b/ima/ima_main.c
@@ -22,6 +22,7 @@

#include <linux/module.h>
#include <linux/file.h>
+#include <linux/fs.h>
#include <linux/binfmts.h>
#include <linux/mount.h>
#include <linux/mman.h>
@@ -178,7 +179,10 @@ static int process_measurement(struct file *file, char *buf, loff_t size,
bool violation_check;
enum hash_algo hash_algo;

- if (!ima_policy_flag || !S_ISREG(inode->i_mode))
+ /* WRS: Only do measurements & appraisals
+ * on inodes that have i_version set (i.e the rootfs)
+ */
+ if (!ima_policy_flag || !S_ISREG(inode->i_mode) || !IS_I_VERSION(inode))
return 0;

/* Return an IMA_MEASURE, IMA_APPRAISE, IMA_AUDIT action
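Review bot: the `!IS_I_VERSION(inode)` short-circuit returns 0 before any policy lookup, so a file on any filesystem mounted without the `iversion` option is neither measured nor appraised whatever ima.policy says. The commit message assumes that set is "only the rootfs", but it is really whatever the current mount options are: a binary executed from another ext4 mount, or from the rootfs after a remount that drops `iversion`, silently bypasses the imasig appraise rules. Express the restriction in the policy instead (for example an `fsuuid=` qualifier on the rootfs rules, or `dont_measure`/`dont_appraise` rules for the DRBD and log filesystems), or at minimum log once when a file matching an appraise rule is skipped for this reason.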
diff --git a/kcompat.h b/kcompat.h
index a5445aa..59e32a8 100644
--- a/kcompat.h
+++ b/kcompat.h
@@ -19,6 +19,7 @@
#define CONFIG_IMA 1
#define CONFIG_IMA_APPRAISE_SIGNED_INIT 1
#define CONFIG_IMA_APPRAISE 1
+#define CONFIG_IMA_LSM_RULES 1
#define CONFIG_IMA_DEFAULT_HASH "sha256"
#define CONFIG_IMA_MEASURE_PCR_IDX 10
#define CONFIG_IMA_DEFAULT_TEMPLATE "ima-sig"
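Review bot: `#define CONFIG_IMA_LSM_RULES 1` has nothing to do with the i_version restriction this patch describes and is not mentioned in the commit message; it switches on the LSM-backed rule matching (obj_user=, obj_role= and friends) in the policy parser, which is a behaviour change in its own right. Split it into its own patch with a one-line justification, and note whether the CentOS kernel it is built against actually provides the LSM hooks that code path calls.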
--
1.8.3.1

@ -1,120 +0,0 @@
From 928f2de735ab38802984938618aa051dd55f536c Mon Sep 17 00:00:00 2001
From: Kam Nasim <kam.nasim@windriver.com>
Date: Wed, 4 Oct 2017 14:23:13 -0400
Subject: [PATCH] US103091: IMA: System Configuration

When appraise_type="imasig" is set in the IMA policy then don't allow
IMA to put a hash value for the security.ima xattr, if the extended
attribute is missing. This is a fool's errand, as there is already a
check in the driver which will give an appraisal failure if it detects
that the security.ima xattr is a Hash and NOT a Signature, so appraisal
would fail again next time that file is executed.

The advantage of this fix is that it improves driver performance as we
are not collecting a measurement on appraisal failure

By virtue of the same, we will not remove the security.ima xattr if we
detect that imasig is set on that iint
---
ima/ima_appraise.c | 33 +++++++++++++++++++++++++++++----
ima/ima_main.c | 2 --
2 files changed, 29 insertions(+), 6 deletions(-)

diff --git a/ima/ima_appraise.c b/ima/ima_appraise.c
index 88b5091..cff2ad2 100644
--- a/ima/ima_appraise.c
+++ b/ima/ima_appraise.c
@@ -205,7 +208,11 @@ int ima_appraise_measurement(enum ima_hooks func,
if (rc && rc != -ENODATA)
goto out;

- cause = "missing-hash";
+ if (iint->flags & IMA_DIGSIG_REQUIRED)
+ cause = "missing-signature";
+ else
+ cause = "missing-hash";
+
status = INTEGRITY_NOLABEL;
if (opened & FILE_CREATED)
iint->flags |= IMA_NEW_FILE;
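Review bot: the new `cause = "missing-signature"` string ends up in the integrity audit record, so any detection rule or log parser keyed on cause=missing-hash for files under an imasig rule stops matching once this is deployed. That is a useful distinction, but it is a user-visible interface change and should be called out in the patch description and in the README's list of local deviations from upstream.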
@@ -352,7 +355,8 @@ void ima_update_xattr(struct integrity_iint_cache *iint, struct file *file)
int rc = 0;

/* do not collect and update hash for digital signatures */
- if (iint->flags & IMA_DIGSIG)
+ /* WRS: Don't do it if appraise_type is set to imasig */
+ if ((iint->flags & IMA_DIGSIG) || (iint->flags & IMA_DIGSIG_REQUIRED))
return;

rc = ima_collect_measurement(iint, file, NULL, 0, ima_hash_algo);
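Review bot: `(iint->flags & IMA_DIGSIG) || (iint->flags & IMA_DIGSIG_REQUIRED)` reads more clearly as `iint->flags & (IMA_DIGSIG | IMA_DIGSIG_REQUIRED)`. Worth spelling out in the comment what this changes for the operator: after a file under an imasig rule is written, the stale signature is left in security.ima instead of being replaced by a hash, so the next exec fails with an invalid signature rather than missing-hash, which is the behaviour the commit message wants.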
@@ -376,6 +380,7 @@ void __ima_inode_post_setattr(struct dentry *dentry)
struct inode *inode = d_backing_inode(dentry);
struct integrity_iint_cache *iint;
int must_appraise, rc;
+ int imasig = 0;

if (!(ima_policy_flag & IMA_APPRAISE) || !S_ISREG(inode->i_mode)
|| !inode->i_op->removexattr)
@@ -384,11 +389,20 @@ void __ima_inode_post_setattr(struct dentry *dentry)
must_appraise = ima_must_appraise(inode, MAY_ACCESS, POST_SETATTR);
iint = integrity_iint_find(inode);
if (iint) {
+ /* WRS: Before we clear all the ACTION RULE FLAGS, check if
+ * imasig was set on this iint, which implies that we are
+ * expecting a signature for the security.ima xattr
+ */
+ if (iint->flags & IMA_DIGSIG_REQUIRED)
+ imasig = 1;
iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED |
IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK |
IMA_ACTION_RULE_FLAGS);
- if (must_appraise)
+ if (must_appraise) {
iint->flags |= IMA_APPRAISE;
+ if (imasig)
+ iint->flags |= IMA_DIGSIG_REQUIRED;
+ }
}
if (!must_appraise)
rc = inode->i_op->removexattr(dentry, XATTR_NAME_IMA);
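Review bot: the `imasig` local exists only so that IMA_DIGSIG_REQUIRED survives the `iint->flags &= ~(... IMA_ACTION_RULE_FLAGS)` clear two lines below; simpler and harder to get wrong is to exclude the bit from the mask being cleared rather than save and restore it, which also removes the `int imasig = 0;` added in the previous hunk. Either way, add a comment stating that the preserved bit is a cached decision from the last policy match and will be recomputed on the next measurement, so a policy change is not defeated by this carry-over.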
@@ -450,6 +464,17 @@ int __ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
int __ima_inode_removexattr(struct dentry *dentry, const char *xattr_name)
{
int result;
+
+ /* WRS: If this security.ima xattr is a digital signature
+ * then we will not allow it to be removed (only if we
+ * have a cached iint entry for it)
+ */
+ struct inode *inode = d_backing_inode(dentry);
+ struct integrity_iint_cache *iint = integrity_iint_find(inode);
+ if (iint) {
+ if (iint->flags & IMA_DIGSIG_REQUIRED)
+ return -EPERM;
+ }

result = ima_protect_xattr(dentry, xattr_name, NULL, 0);
if (result == 1) {
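Review bot: the new `return -EPERM` sits before the `ima_protect_xattr(dentry, xattr_name, ...)` call that checks which xattr is being removed, so it refuses removal of every extended attribute on the inode (user.*, security.selinux, anything), not just security.ima, and does so regardless of the caller's capabilities. Move the check after `ima_protect_xattr()` returns 1 for XATTR_NAME_IMA, or compare `xattr_name` explicitly. The comment's caveat is also worth stressing: the refusal depends on a cached iint, so once the inode is evicted (or after a reboot before the file is next appraised) the signature is removable again, which makes this a convenience, not a guarantee.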
diff --git a/ima/ima_main.c b/ima/ima_main.c
index ea3ace3..15ac6a7 100644
--- a/ima/ima_main.c
+++ b/ima/ima_main.c
@@ -129,7 +129,6 @@ static void ima_check_last_writer(struct integrity_iint_cache *iint,
if (!(mode & FMODE_WRITE))
return;

- inode_lock(inode);
if (atomic_read(&inode->i_writecount) == 1) {
if ((iint->version != inode->i_version) ||
(iint->flags & IMA_NEW_FILE)) {
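Review bot: dropping `inode_lock(inode)` here (and the matching `inode_unlock` in the next hunk) is not mentioned anywhere in the commit message and has nothing to do with imasig handling. Without the lock, the `i_writecount`/`i_version` check and the `ima_update_xattr()` call run unserialised against concurrent writers and against the post_setattr path changed earlier in this patch. If the lock was removed to avoid a deadlock on the CentOS kernel, name the call path in the message and carry the change as its own patch; if it was removed only because the kcompat macro went away, the 7.4 patch should have kept the macro instead.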
@@ -139,7 +138,6 @@ static void ima_check_last_writer(struct integrity_iint_cache *iint,
ima_update_xattr(iint, file);
}
}
- inode_unlock(inode);
}

/**
--
1.8.3.1

@ -1,28 +0,0 @@
From cf5d8b554d6fdacf3ad3d18333bd00f8b937ff54 Mon Sep 17 00:00:00 2001
Message-Id: <cf5d8b554d6fdacf3ad3d18333bd00f8b937ff54.1507754332.git.Jim.Somerville@windriver.com>
From: Jim Somerville <Jim.Somerville@windriver.com>
Date: Wed, 11 Oct 2017 16:38:36 -0400
Subject: [PATCH 1/1] Changes for CentOS 7.4 support

Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
---
kcompat.h | 4 ----
1 file changed, 4 deletions(-)

diff --git a/kcompat.h b/kcompat.h
index 59e32a8..3d4e8f6 100644
--- a/kcompat.h
+++ b/kcompat.h
@@ -31,9 +31,5 @@

#define __GFP_RECLAIM __GFP_WAIT

-#define inode_lock(_node) mutex_lock(&_node->i_mutex)
-#define inode_unlock(_node) mutex_unlock(&_node->i_mutex)
-
-
#endif
#endif
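Review bot: the commit message is empty apart from the sign-off, so it is not recorded which 7.4 kernel change motivated removing the `inode_lock`/`inode_unlock` compat macros (presumably the 7.4 kernel now defines them itself). Since the 0004 patch deleted the only callers in ima_main.c, this hunk now only removes dead definitions; say so, and say whether a pre-7.4 build is still expected to work, otherwise the next rebase cannot tell whether the macros need to come back.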
--
1.8.3.1

@ -1,3 +0,0 @@
0001-integrity-kcompat-support.patch
0002-integrity-expose-module-params.patch
0003-integrity-restrict-by-iversion.patch