--- /dev/null
+From 5101a1850bb7ccbf107929dee9af0cd2f400940f Mon Sep 17 00:00:00 2001
+From: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Date: Tue, 21 Apr 2015 13:59:31 -0400
+Subject: evm: labeling pseudo filesystems exception
+
+From: Mimi Zohar <zohar@linux.vnet.ibm.com>
+
+commit 5101a1850bb7ccbf107929dee9af0cd2f400940f upstream.
+
+To prevent offline stripping of existing file xattrs and relabeling of
+them at runtime, EVM allows only newly created files to be labeled. As
+pseudo filesystems are not persistent, stripping of xattrs is not a
+concern.
+
+Some LSMs defer file labeling on pseudo filesystems. This patch
+permits the labeling of existing files on pseudo files systems.
+
+Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/integrity/evm/evm_main.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/security/integrity/evm/evm_main.c
++++ b/security/integrity/evm/evm_main.c
+@@ -296,6 +296,17 @@ static int evm_protect_xattr(struct dent
+ iint = integrity_iint_find(d_backing_inode(dentry));
+ if (iint && (iint->flags & IMA_NEW_FILE))
+ return 0;
++
++ /* exception for pseudo filesystems */
++ if (dentry->d_inode->i_sb->s_magic == TMPFS_MAGIC
++ || dentry->d_inode->i_sb->s_magic == SYSFS_MAGIC)
++ return 0;
++
++ integrity_audit_msg(AUDIT_INTEGRITY_METADATA,
++ dentry->d_inode, dentry->d_name.name,
++ "update_metadata",
++ integrity_status_msg[evm_status],
++ -EPERM, 0);
+ }
+ out:
+ if (evm_status != INTEGRITY_PASS)
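Review bot: The new pseudo-filesystem test reads `dentry->d_inode` while the line just above it resolves the inode with `d_backing_inode(dentry)`, so the two checks may look at different inodes wherever d_backing_inode() does not simply return d_inode; use one accessor for both, e.g. `struct inode *inode = d_backing_inode(dentry);` and compare `inode->i_sb->s_magic`. The same `dentry->d_inode` is passed twice more in the integrity_audit_msg() arguments that follow. The comment `/* exception for pseudo filesystems */` says what but not why; the commit message has the reason and it fits on one line: `/* pseudo filesystems are not persistent, so offline xattr stripping is not a concern */`. evm_protect_xattr() starts and ends outside the hunk.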
--- /dev/null
+From 139069eff7388407f19794384c42a534d618ccd7 Mon Sep 17 00:00:00 2001
+From: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Date: Wed, 5 Nov 2014 07:48:36 -0500
+Subject: ima: add support for new "euid" policy condition
+
+From: Mimi Zohar <zohar@linux.vnet.ibm.com>
+
+commit 139069eff7388407f19794384c42a534d618ccd7 upstream.
+
+The new "euid" policy condition measures files with the specified
+effective uid (euid). In addition, for CAP_SETUID files it measures
+files with the specified uid or suid.
+
+Changelog:
+- fixed checkpatch.pl warnings
+- fixed avc denied {setuid} messages - based on Roberto's feedback
+
+Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Signed-off-by: Dr. Greg Wettstein <gw@idfusion.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/ABI/testing/ima_policy | 3 ++-
+ security/integrity/ima/ima_policy.c | 27 +++++++++++++++++++++++----
+ 2 files changed, 25 insertions(+), 5 deletions(-)
+
+--- a/Documentation/ABI/testing/ima_policy
++++ b/Documentation/ABI/testing/ima_policy
+@@ -20,7 +20,7 @@ Description:
+ action: measure | dont_measure | appraise | dont_appraise | audit
+ condition:= base | lsm [option]
+ base: [[func=] [mask=] [fsmagic=] [fsuuid=] [uid=]
+- [fowner]]
++ [euid=] [fowner=]]
+ lsm: [[subj_user=] [subj_role=] [subj_type=]
+ [obj_user=] [obj_role=] [obj_type=]]
+ option: [[appraise_type=]] [permit_directio]
+@@ -31,6 +31,7 @@ Description:
+ fsmagic:= hex value
+ fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6)
+ uid:= decimal value
++ euid:= decimal value
+ fowner:=decimal value
+ lsm: are LSM specific
+ option: appraise_type:= [imasig]
+--- a/security/integrity/ima/ima_policy.c
++++ b/security/integrity/ima/ima_policy.c
+@@ -27,6 +27,7 @@
+ #define IMA_UID 0x0008
+ #define IMA_FOWNER 0x0010
+ #define IMA_FSUUID 0x0020
++#define IMA_EUID 0x0080
+
+ #define UNKNOWN 0
+ #define MEASURE 0x0001 /* same as IMA_MEASURE */
+@@ -194,6 +195,16 @@ static bool ima_match_rules(struct ima_r
+ return false;
+ if ((rule->flags & IMA_UID) && !uid_eq(rule->uid, cred->uid))
+ return false;
++ if (rule->flags & IMA_EUID) {
++ if (has_capability_noaudit(current, CAP_SETUID)) {
++ if (!uid_eq(rule->uid, cred->euid)
++ && !uid_eq(rule->uid, cred->suid)
++ && !uid_eq(rule->uid, cred->uid))
++ return false;
++ } else if (!uid_eq(rule->uid, cred->euid))
++ return false;
++ }
++
+ if ((rule->flags & IMA_FOWNER) && !uid_eq(rule->fowner, inode->i_uid))
+ return false;
+ for (i = 0; i < MAX_LSM_RULES; i++) {
+@@ -373,7 +384,8 @@ enum {
+ Opt_audit,
+ Opt_obj_user, Opt_obj_role, Opt_obj_type,
+ Opt_subj_user, Opt_subj_role, Opt_subj_type,
+- Opt_func, Opt_mask, Opt_fsmagic, Opt_uid, Opt_fowner,
++ Opt_func, Opt_mask, Opt_fsmagic,
++ Opt_uid, Opt_euid, Opt_fowner,
+ Opt_appraise_type, Opt_fsuuid, Opt_permit_directio
+ };
+
+@@ -394,6 +406,7 @@ static match_table_t policy_tokens = {
+ {Opt_fsmagic, "fsmagic=%s"},
+ {Opt_fsuuid, "fsuuid=%s"},
+ {Opt_uid, "uid=%s"},
++ {Opt_euid, "euid=%s"},
+ {Opt_fowner, "fowner=%s"},
+ {Opt_appraise_type, "appraise_type=%s"},
+ {Opt_permit_directio, "permit_directio"},
+@@ -566,6 +579,9 @@ static int ima_parse_rule(char *rule, st
+ break;
+ case Opt_uid:
+ ima_log_string(ab, "uid", args[0].from);
++ case Opt_euid:
++ if (token == Opt_euid)
++ ima_log_string(ab, "euid", args[0].from);
+
+ if (uid_valid(entry->uid)) {
+ result = -EINVAL;
+@@ -574,11 +590,14 @@ static int ima_parse_rule(char *rule, st
+
+ result = kstrtoul(args[0].from, 10, &lnum);
+ if (!result) {
+- entry->uid = make_kuid(current_user_ns(), (uid_t)lnum);
+- if (!uid_valid(entry->uid) || (((uid_t)lnum) != lnum))
++ entry->uid = make_kuid(current_user_ns(),
++ (uid_t) lnum);
++ if (!uid_valid(entry->uid) ||
++ (uid_t)lnum != lnum)
+ result = -EINVAL;
+ else
+- entry->flags |= IMA_UID;
++ entry->flags |= (token == Opt_uid)
++ ? IMA_UID : IMA_EUID;
+ }
+ break;
+ case Opt_fowner:
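Review bot: `case Opt_uid:` now falls through into the new `case Opt_euid:` right after `ima_log_string(ab, "uid", args[0].from);` with no marker; add `/* fall through */` there so the shared parsing is visibly intentional and does not trip -Wimplicit-fallthrough. Because both tokens store into `entry->uid`, a single rule cannot carry `uid=` and `euid=` together (the existing `uid_valid(entry->uid)` test rejects the second), and neither the ima_policy ABI text nor the code says so; a comment such as `/* uid= and euid= share entry->uid and are mutually exclusive within a rule */` would record it. The IMA_EUID block added to ima_match_rules() likewise gives no reason for matching CAP_SETUID tasks on uid and suid as well; one sentence from the commit message above the `has_capability_noaudit()` call would do. ima_parse_rule() and ima_match_rules() both start and end outside these hunks.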
--- /dev/null
+From 5577857f8e26e9027271f10daf96361640907300 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 7 Apr 2015 12:22:11 +0300
+Subject: ima: cleanup ima_init_policy() a little
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 5577857f8e26e9027271f10daf96361640907300 upstream.
+
+It's a bit easier to read this if we split it up into two for loops.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/integrity/ima/ima_policy.c | 14 +++++---------
+ 1 file changed, 5 insertions(+), 9 deletions(-)
+
+--- a/security/integrity/ima/ima_policy.c
++++ b/security/integrity/ima/ima_policy.c
+@@ -340,16 +340,12 @@ void __init ima_init_policy(void)
+ appraise_entries = ima_use_appraise_tcb ?
+ ARRAY_SIZE(default_appraise_rules) : 0;
+
+- for (i = 0; i < measure_entries + appraise_entries; i++) {
+- if (i < measure_entries)
+- list_add_tail(&default_rules[i].list,
+- &ima_default_rules);
+- else {
+- int j = i - measure_entries;
++ for (i = 0; i < measure_entries; i++)
++ list_add_tail(&default_rules[i].list, &ima_default_rules);
+
+- list_add_tail(&default_appraise_rules[j].list,
+- &ima_default_rules);
+- }
++ for (i = 0; i < appraise_entries; i++) {
++ list_add_tail(&default_appraise_rules[i].list,
++ &ima_default_rules);
+ }
+
+ ima_rules = &ima_default_rules;
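Review bot: The two replacement loops are written in different styles: `for (i = 0; i < measure_entries; i++)` has an unbraced one-line body, while the appraise loop braces a body that is also a single (wrapped) call. Pick one form for both, either bracing the first loop or rewrapping the second call so the braces can go, so the function reads as one author's code. ima_init_policy() starts and ends outside the hunk.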
--- /dev/null
+From cd025f7f94108995383edddfb61fc8afea6c66a9 Mon Sep 17 00:00:00 2001
+From: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Date: Tue, 21 Apr 2015 16:54:24 -0400
+Subject: ima: do not measure or appraise the NSFS filesystem
+
+From: Mimi Zohar <zohar@linux.vnet.ibm.com>
+
+commit cd025f7f94108995383edddfb61fc8afea6c66a9 upstream.
+
+Include don't appraise or measure rules for the NSFS filesystem
+in the builtin ima_tcb and ima_appraise_tcb policies.
+
+Changelog:
+- Update documentation
+
+Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/ABI/testing/ima_policy | 3 +++
+ security/integrity/ima/ima_policy.c | 2 ++
+ 2 files changed, 5 insertions(+)
+
+--- a/Documentation/ABI/testing/ima_policy
++++ b/Documentation/ABI/testing/ima_policy
+@@ -65,6 +65,9 @@ Description:
+ # CGROUP_SUPER_MAGIC
+ dont_measure fsmagic=0x27e0eb
+ dont_appraise fsmagic=0x27e0eb
++ # NSFS_MAGIC
++ dont_measure fsmagic=0x6e736673
++ dont_appraise fsmagic=0x6e736673
+
+ measure func=BPRM_CHECK
+ measure func=FILE_MMAP mask=MAY_EXEC
+--- a/security/integrity/ima/ima_policy.c
++++ b/security/integrity/ima/ima_policy.c
+@@ -81,6 +81,7 @@ static struct ima_rule_entry default_rul
+ {.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
+ {.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC,
+ .flags = IMA_FSMAGIC},
++ {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC},
+ {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
+ .flags = IMA_FUNC | IMA_MASK},
+ {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
+@@ -101,6 +102,7 @@ static struct ima_rule_entry default_app
+ {.action = DONT_APPRAISE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
+ {.action = DONT_APPRAISE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
+ {.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
++ {.action = DONT_APPRAISE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC},
+ {.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC},
+ #ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT
+ {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .flags = IMA_FOWNER},
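Review bot: The NSFS_MAGIC entry is inserted after CGROUP_SUPER_MAGIC in default_rules[] but before it in default_appraise_rules[], so the two tables no longer list the pseudo filesystems in the same order. Moving the `DONT_APPRAISE` line below the CGROUP_SUPER_MAGIC entry would keep the tables parallel with each other and with the ima_policy ABI text this commit updates, which lists NSFS last. Both tables start and end outside the hunks.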
--- /dev/null
+From 4351c294b8c1028077280f761e158d167b592974 Mon Sep 17 00:00:00 2001
+From: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Date: Wed, 5 Nov 2014 07:53:55 -0500
+Subject: ima: extend "mask" policy matching support
+
+From: Mimi Zohar <zohar@linux.vnet.ibm.com>
+
+commit 4351c294b8c1028077280f761e158d167b592974 upstream.
+
+The current "mask" policy option matches files opened as MAY_READ,
+MAY_WRITE, MAY_APPEND or MAY_EXEC. This patch extends the "mask"
+option to match files opened containing one of these modes. For
+example, "mask=^MAY_READ" would match files opened read-write.
+
+Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Signed-off-by: Dr. Greg Wettstein <gw@idfusion.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/ABI/testing/ima_policy | 3 ++-
+ security/integrity/ima/ima_policy.c | 20 +++++++++++++++-----
+ 2 files changed, 17 insertions(+), 6 deletions(-)
+
+--- a/Documentation/ABI/testing/ima_policy
++++ b/Documentation/ABI/testing/ima_policy
+@@ -27,7 +27,8 @@ Description:
+
+ base: func:= [BPRM_CHECK][MMAP_CHECK][FILE_CHECK][MODULE_CHECK]
+ [FIRMWARE_CHECK]
+- mask:= [MAY_READ] [MAY_WRITE] [MAY_APPEND] [MAY_EXEC]
++ mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
++ [[^]MAY_EXEC]
+ fsmagic:= hex value
+ fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6)
+ uid:= decimal value
+--- a/security/integrity/ima/ima_policy.c
++++ b/security/integrity/ima/ima_policy.c
+@@ -27,6 +27,7 @@
+ #define IMA_UID 0x0008
+ #define IMA_FOWNER 0x0010
+ #define IMA_FSUUID 0x0020
++#define IMA_INMASK 0x0040
+ #define IMA_EUID 0x0080
+
+ #define UNKNOWN 0
+@@ -187,6 +188,9 @@ static bool ima_match_rules(struct ima_r
+ if ((rule->flags & IMA_MASK) &&
+ (rule->mask != mask && func != POST_SETATTR))
+ return false;
++ if ((rule->flags & IMA_INMASK) &&
++ (!(rule->mask & mask) && func != POST_SETATTR))
++ return false;
+ if ((rule->flags & IMA_FSMAGIC)
+ && rule->fsmagic != inode->i_sb->s_magic)
+ return false;
+@@ -448,6 +452,7 @@ static void ima_log_string(struct audit_
+ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
+ {
+ struct audit_buffer *ab;
++ char *from;
+ char *p;
+ int result = 0;
+
+@@ -538,18 +543,23 @@ static int ima_parse_rule(char *rule, st
+ if (entry->mask)
+ result = -EINVAL;
+
+- if ((strcmp(args[0].from, "MAY_EXEC")) == 0)
++ from = args[0].from;
++ if (*from == '^')
++ from++;
++
++ if ((strcmp(from, "MAY_EXEC")) == 0)
+ entry->mask = MAY_EXEC;
+- else if (strcmp(args[0].from, "MAY_WRITE") == 0)
++ else if (strcmp(from, "MAY_WRITE") == 0)
+ entry->mask = MAY_WRITE;
+- else if (strcmp(args[0].from, "MAY_READ") == 0)
++ else if (strcmp(from, "MAY_READ") == 0)
+ entry->mask = MAY_READ;
+- else if (strcmp(args[0].from, "MAY_APPEND") == 0)
++ else if (strcmp(from, "MAY_APPEND") == 0)
+ entry->mask = MAY_APPEND;
+ else
+ result = -EINVAL;
+ if (!result)
+- entry->flags |= IMA_MASK;
++ entry->flags |= (*args[0].from == '^')
++ ? IMA_INMASK : IMA_MASK;
+ break;
+ case Opt_fsmagic:
+ ima_log_string(ab, "fsmagic", args[0].from);
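Review bot: `from` is declared at the top of ima_parse_rule() but is only used inside the Opt_mask case, and the flag selection on the last changed lines re-derives the prefix from `*args[0].from == '^'` rather than reusing what the `from++` step already established; declaring `from` in the case and testing `from != args[0].from` (or a local `bool inmask`) would keep the three pieces together. The new prefix handling also has no comment tying it to the flag it selects, e.g. `/* "^" prefix: match any open that includes this mode bit (IMA_INMASK); otherwise require an exact match (IMA_MASK) */`. The IMA_INMASK test added to ima_match_rules() would benefit from the same one-liner. ima_parse_rule() and ima_match_rules() extend beyond these hunks.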
--- /dev/null
+From 45b26133b97871896b8c5241d59f4ff7839db7b2 Mon Sep 17 00:00:00 2001
+From: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Date: Thu, 11 Jun 2015 11:54:42 -0400
+Subject: ima: fix ima_show_template_data_ascii()
+
+From: Mimi Zohar <zohar@linux.vnet.ibm.com>
+
+commit 45b26133b97871896b8c5241d59f4ff7839db7b2 upstream.
+
+This patch fixes a bug introduced in "4d7aeee ima: define new template
+ima-ng and template fields d-ng and n-ng".
+
+Changelog:
+- change int to uint32 (Roberto Sassu's suggestion)
+
+Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Signed-off-by: Roberto Sassu <rsassu@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/integrity/ima/ima.h | 2 +-
+ security/integrity/ima/ima_fs.c | 4 ++--
+ security/integrity/ima/ima_template_lib.c | 3 ++-
+ 3 files changed, 5 insertions(+), 4 deletions(-)
+
+--- a/security/integrity/ima/ima.h
++++ b/security/integrity/ima/ima.h
+@@ -106,7 +106,7 @@ void ima_add_violation(struct file *file
+ const char *op, const char *cause);
+ int ima_init_crypto(void);
+ void ima_putc(struct seq_file *m, void *data, int datalen);
+-void ima_print_digest(struct seq_file *m, u8 *digest, int size);
++void ima_print_digest(struct seq_file *m, u8 *digest, u32 size);
+ struct ima_template_desc *ima_template_desc_current(void);
+ int ima_init_template(void);
+
+--- a/security/integrity/ima/ima_fs.c
++++ b/security/integrity/ima/ima_fs.c
+@@ -190,9 +190,9 @@ static const struct file_operations ima_
+ .release = seq_release,
+ };
+
+-void ima_print_digest(struct seq_file *m, u8 *digest, int size)
++void ima_print_digest(struct seq_file *m, u8 *digest, u32 size)
+ {
+- int i;
++ u32 i;
+
+ for (i = 0; i < size; i++)
+ seq_printf(m, "%02x", *(digest + i));
+--- a/security/integrity/ima/ima_template_lib.c
++++ b/security/integrity/ima/ima_template_lib.c
+@@ -70,7 +70,8 @@ static void ima_show_template_data_ascii
+ enum data_formats datafmt,
+ struct ima_field_data *field_data)
+ {
+- u8 *buf_ptr = field_data->data, buflen = field_data->len;
++ u8 *buf_ptr = field_data->data;
++ u32 buflen = field_data->len;
+
+ switch (datafmt) {
+ case DATA_FMT_DIGEST_WITH_ALGO:
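Review bot: `ima_putc()` on the line above the changed ima_print_digest() prototype still takes `int datalen`, while `buflen` in ima_show_template_data_ascii() is now `u32`; if `buflen` is handed to ima_putc() anywhere (its callers are outside the hunk) the signed/unsigned mismatch this commit removes for ima_print_digest() remains there, so `void ima_putc(struct seq_file *m, void *data, u32 datalen);` would make the three consistent. A short comment on the split declaration would record why it was split, since the old combined `u8 *buf_ptr = ..., buflen = ...;` made buflen a `u8`: `/* u32, not u8: the old shared declarator truncated lengths above 255 */`. The switch in ima_show_template_data_ascii() continues outside the hunk.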
--- /dev/null
+From 6438de9f3fb5180d78a0422695d0b88c687757d3 Mon Sep 17 00:00:00 2001
+From: Roberto Sassu <rsassu@suse.de>
+Date: Sat, 11 Apr 2015 17:13:06 +0200
+Subject: ima: skip measurement of cgroupfs files and update documentation
+
+From: Roberto Sassu <rsassu@suse.de>
+
+commit 6438de9f3fb5180d78a0422695d0b88c687757d3 upstream.
+
+This patch adds a rule in the default measurement policy to skip inodes
+in the cgroupfs filesystem. Measurements for this filesystem can be
+avoided, as all the digests collected have the same value of the digest of
+an empty file.
+
+Furthermore, this patch updates the documentation of IMA policies in
+Documentation/ABI/testing/ima_policy to make it consistent with
+the policies set in security/integrity/ima/ima_policy.c.
+
+Signed-off-by: Roberto Sassu <rsassu@suse.de>
+Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/ABI/testing/ima_policy | 17 ++++++++++++-----
+ security/integrity/ima/ima_policy.c | 2 ++
+ 2 files changed, 14 insertions(+), 5 deletions(-)
+
+--- a/Documentation/ABI/testing/ima_policy
++++ b/Documentation/ABI/testing/ima_policy
+@@ -49,11 +49,22 @@ Description:
+ dont_measure fsmagic=0x01021994
+ dont_appraise fsmagic=0x01021994
+ # RAMFS_MAGIC
+- dont_measure fsmagic=0x858458f6
+ dont_appraise fsmagic=0x858458f6
++ # DEVPTS_SUPER_MAGIC
++ dont_measure fsmagic=0x1cd1
++ dont_appraise fsmagic=0x1cd1
++ # BINFMTFS_MAGIC
++ dont_measure fsmagic=0x42494e4d
++ dont_appraise fsmagic=0x42494e4d
+ # SECURITYFS_MAGIC
+ dont_measure fsmagic=0x73636673
+ dont_appraise fsmagic=0x73636673
++ # SELINUX_MAGIC
++ dont_measure fsmagic=0xf97cff8c
++ dont_appraise fsmagic=0xf97cff8c
++ # CGROUP_SUPER_MAGIC
++ dont_measure fsmagic=0x27e0eb
++ dont_appraise fsmagic=0x27e0eb
+
+ measure func=BPRM_CHECK
+ measure func=FILE_MMAP mask=MAY_EXEC
+@@ -70,10 +81,6 @@ Description:
+ Examples of LSM specific definitions:
+
+ SELinux:
+- # SELINUX_MAGIC
+- dont_measure fsmagic=0xf97cff8c
+- dont_appraise fsmagic=0xf97cff8c
+-
+ dont_measure obj_type=var_log_t
+ dont_appraise obj_type=var_log_t
+ dont_measure obj_type=auditd_log_t
+--- a/security/integrity/ima/ima_policy.c
++++ b/security/integrity/ima/ima_policy.c
+@@ -79,6 +79,8 @@ static struct ima_rule_entry default_rul
+ {.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC},
+ {.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC},
+ {.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
++ {.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC,
++ .flags = IMA_FSMAGIC},
+ {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
+ .flags = IMA_FUNC | IMA_MASK},
+ {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
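Review bot: The reason for the new `DONT_MEASURE ... CGROUP_SUPER_MAGIC` rule exists only in the commit message; a comment on the entry, e.g. `/* cgroupfs: every file hashes to the empty-file digest, so measuring it adds nothing */`, would keep the rationale with the code where the next person editing the table will see it. The entry is also wrapped onto two lines while the neighbouring entries in the same table stay on one, so the table now mixes both layouts. default_rules[] starts and ends outside the hunk.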
--- /dev/null
+From 24fd03c87695a76f0517df42a37e51b1597d2c8a Mon Sep 17 00:00:00 2001
+From: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Date: Thu, 11 Jun 2015 20:48:33 -0400
+Subject: ima: update builtin policies
+
+From: Mimi Zohar <zohar@linux.vnet.ibm.com>
+
+commit 24fd03c87695a76f0517df42a37e51b1597d2c8a upstream.
+
+This patch defines a builtin measurement policy "tcb", similar to the
+existing "ima_tcb", but with additional rules to also measure files
+based on the effective uid and to measure files opened with the "read"
+mode bit set (eg. read, read-write).
+
+Changing the builtin "ima_tcb" policy could potentially break existing
+users. Instead of defining a new separate boot command line option each
+time the builtin measurement policy is modified, this patch defines a
+single generic boot command line option "ima_policy=" to specify the
+builtin policy and deprecates the use of the builtin ima_tcb policy.
+
+[The "ima_policy=" boot command line option is based on Roberto Sassu's
+"ima: added new policy type exec" patch.]
+
+Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Signed-off-by: Dr. Greg Wettstein <gw@idfusion.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/kernel-parameters.txt | 10 ++++-
+ security/integrity/ima/ima_policy.c | 65 +++++++++++++++++++++++++++++++-----
+ 2 files changed, 65 insertions(+), 10 deletions(-)
+
+--- a/Documentation/kernel-parameters.txt
++++ b/Documentation/kernel-parameters.txt
+@@ -1398,7 +1398,15 @@ bytes respectively. Such letter suffixes
+ The list of supported hash algorithms is defined
+ in crypto/hash_info.h.
+
+- ima_tcb [IMA]
++ ima_policy= [IMA]
++ The builtin measurement policy to load during IMA
++ setup. Specyfing "tcb" as the value, measures all
++ programs exec'd, files mmap'd for exec, and all files
++ opened with the read mode bit set by either the
++ effective uid (euid=0) or uid=0.
++ Format: "tcb"
++
++ ima_tcb [IMA] Deprecated. Use ima_policy= instead.
+ Load a policy which meets the needs of the Trusted
+ Computing Base. This means IMA will measure all
+ programs exec'd, files mmap'd for exec, and all files
+--- a/security/integrity/ima/ima_policy.c
++++ b/security/integrity/ima/ima_policy.c
+@@ -44,6 +44,8 @@ enum lsm_rule_types { LSM_OBJ_USER, LSM_
+ LSM_SUBJ_USER, LSM_SUBJ_ROLE, LSM_SUBJ_TYPE
+ };
+
++enum policy_types { ORIGINAL_TCB = 1, DEFAULT_TCB };
++
+ struct ima_rule_entry {
+ struct list_head list;
+ int action;
+@@ -72,7 +74,7 @@ struct ima_rule_entry {
+ * normal users can easily run the machine out of memory simply building
+ * and running executables.
+ */
+-static struct ima_rule_entry default_rules[] = {
++static struct ima_rule_entry dont_measure_rules[] = {
+ {.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
+ {.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
+ {.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
+@@ -83,13 +85,29 @@ static struct ima_rule_entry default_rul
+ {.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC},
+ {.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC,
+ .flags = IMA_FSMAGIC},
+- {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC},
++ {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}
++};
++
++static struct ima_rule_entry original_measurement_rules[] = {
++ {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
++ .flags = IMA_FUNC | IMA_MASK},
++ {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
++ .flags = IMA_FUNC | IMA_MASK},
++ {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
++ .uid = GLOBAL_ROOT_UID, .flags = IMA_FUNC | IMA_MASK | IMA_UID},
++ {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC},
++ {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
++};
++
++static struct ima_rule_entry default_measurement_rules[] = {
+ {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC,
+ .flags = IMA_FUNC | IMA_MASK},
+ {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC,
+ .flags = IMA_FUNC | IMA_MASK},
+- {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, .uid = GLOBAL_ROOT_UID,
+- .flags = IMA_FUNC | IMA_MASK | IMA_UID},
++ {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
++ .uid = GLOBAL_ROOT_UID, .flags = IMA_FUNC | IMA_INMASK | IMA_EUID},
++ {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ,
++ .uid = GLOBAL_ROOT_UID, .flags = IMA_FUNC | IMA_INMASK | IMA_UID},
+ {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC},
+ {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC},
+ };
+@@ -121,14 +139,29 @@ static struct list_head *ima_rules;
+
+ static DEFINE_MUTEX(ima_rules_mutex);
+
+-static bool ima_use_tcb __initdata;
++static int ima_policy __initdata;
+ static int __init default_measure_policy_setup(char *str)
+ {
+- ima_use_tcb = 1;
++ if (ima_policy)
++ return 1;
++
++ ima_policy = ORIGINAL_TCB;
+ return 1;
+ }
+ __setup("ima_tcb", default_measure_policy_setup);
+
++static int __init policy_setup(char *str)
++{
++ if (ima_policy)
++ return 1;
++
++ if (strcmp(str, "tcb") == 0)
++ ima_policy = DEFAULT_TCB;
++
++ return 1;
++}
++__setup("ima_policy=", policy_setup);
++
+ static bool ima_use_appraise_tcb __initdata;
+ static int __init default_appraise_policy_setup(char *str)
+ {
+@@ -352,13 +385,27 @@ void __init ima_init_policy(void)
+ {
+ int i, measure_entries, appraise_entries;
+
+- /* if !ima_use_tcb set entries = 0 so we load NO default rules */
+- measure_entries = ima_use_tcb ? ARRAY_SIZE(default_rules) : 0;
++ /* if !ima_policy set entries = 0 so we load NO default rules */
++ measure_entries = ima_policy ? ARRAY_SIZE(dont_measure_rules) : 0;
+ appraise_entries = ima_use_appraise_tcb ?
+ ARRAY_SIZE(default_appraise_rules) : 0;
+
+ for (i = 0; i < measure_entries; i++)
+- list_add_tail(&default_rules[i].list, &ima_default_rules);
++ list_add_tail(&dont_measure_rules[i].list, &ima_default_rules);
++
++ switch (ima_policy) {
++ case ORIGINAL_TCB:
++ for (i = 0; i < ARRAY_SIZE(original_measurement_rules); i++)
++ list_add_tail(&original_measurement_rules[i].list,
++ &ima_default_rules);
++ break;
++ case DEFAULT_TCB:
++ for (i = 0; i < ARRAY_SIZE(default_measurement_rules); i++)
++ list_add_tail(&default_measurement_rules[i].list,
++ &ima_default_rules);
++ default:
++ break;
++ }
+
+ for (i = 0; i < appraise_entries; i++) {
+ list_add_tail(&default_appraise_rules[i].list,
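Review bot: In the new `switch (ima_policy)` in ima_init_policy(), `case DEFAULT_TCB:` has no `break;` after its loop and runs into `default:`; harmless today, but add `break;` so the case reads as terminated and does not trip -Wimplicit-fallthrough. policy_setup() silently ignores any `ima_policy=` value other than "tcb", so a mistyped option boots with no measurement rules and no diagnostic; an `else pr_err("ima: unknown policy '%s'\n", str);` would surface that. `ima_policy` is declared `int` but is tested as a boolean and assigned `enum policy_types` values; declaring it with the enum type documents the intent. The kernel-parameters text also carries a typo, "Specyfing". ima_init_policy() ends outside the hunk.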
--- /dev/null
+From ca4da5dd1f99fe9c59f1709fb43e818b18ad20e0 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Mon, 27 Jul 2015 15:23:43 +0100
+Subject: KEYS: ensure we free the assoc array edit if edit is valid
+
+From: Colin Ian King <colin.king@canonical.com>
+
+commit ca4da5dd1f99fe9c59f1709fb43e818b18ad20e0 upstream.
+
+__key_link_end is not freeing the associated array edit structure
+and this leads to a 512 byte memory leak each time an identical
+existing key is added with add_key().
+
+The reason the add_key() system call returns okay is that
+key_create_or_update() calls __key_link_begin() before checking to see
+whether it can update a key directly rather than adding/replacing - which
+it turns out it can. Thus __key_link() is not called through
+__key_instantiate_and_link() and __key_link_end() must cancel the edit.
+
+CVE-2015-1333
+
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: James Morris <james.l.morris@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/keys/keyring.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/security/keys/keyring.c
++++ b/security/keys/keyring.c
+@@ -1181,9 +1181,11 @@ void __key_link_end(struct key *keyring,
+ if (index_key->type == &key_type_keyring)
+ up_write(&keyring_serialise_link_sem);
+
+- if (edit && !edit->dead_leaf) {
+- key_payload_reserve(keyring,
+- keyring->datalen - KEYQUOTA_LINK_BYTES);
++ if (edit) {
++ if (!edit->dead_leaf) {
++ key_payload_reserve(keyring,
++ keyring->datalen - KEYQUOTA_LINK_BYTES);
++ }
+ assoc_array_cancel_edit(edit);
+ }
+ up_write(&keyring->sem);
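Review bot: Nothing in the new `if (edit)` block says why the cancel must now run on every path even though the commit message explains it, and the next reader of a 512-byte leak fix will want the reason beside the call; add above `assoc_array_cancel_edit(edit);` a comment such as `/* An edit may still be live here: key_create_or_update() can take the update path after __key_link_begin() without ever calling __key_link(), so cancel it rather than leak it (CVE-2015-1333). */`. The inner `if (!edit->dead_leaf)` braces a single wrapped statement; keeping the payload reserve on one unbraced line and the cancel after it reads more like the surrounding code. __key_link_end() starts outside the hunk.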
--- /dev/null
+From f2b3dee484f9cee967a54ef05a66866282337519 Mon Sep 17 00:00:00 2001
+From: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Date: Wed, 11 Feb 2015 07:33:34 -0500
+Subject: KEYS: fix "ca_keys=" partial key matching
+
+From: Mimi Zohar <zohar@linux.vnet.ibm.com>
+
+commit f2b3dee484f9cee967a54ef05a66866282337519 upstream.
+
+The call to asymmetric_key_hex_to_key_id() from ca_keys_setup()
+silently fails with -ENOMEM. Instead of dynamically allocating
+memory from a __setup function, this patch defines a variable
+and calls __asymmetric_key_hex_to_key_id(), a new helper function,
+directly.
+
+This bug was introduced by 'commit 46963b774d44 ("KEYS: Overhaul
+key identification when searching for asymmetric keys")'.
+
+Changelog:
+- for clarification, rename hexlen to asciihexlen in
+ asymmetric_key_hex_to_key_id()
+- add size argument to __asymmetric_key_hex_to_key_id() - David Howells
+- inline __asymmetric_key_hex_to_key_id() - David Howells
+- remove duplicate strlen() calls
+
+Acked-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/asymmetric_keys/asymmetric_keys.h | 3 +++
+ crypto/asymmetric_keys/asymmetric_type.c | 20 ++++++++++++++------
+ crypto/asymmetric_keys/x509_public_key.c | 23 ++++++++++++++++++-----
+ 3 files changed, 35 insertions(+), 11 deletions(-)
+
+--- a/crypto/asymmetric_keys/asymmetric_keys.h
++++ b/crypto/asymmetric_keys/asymmetric_keys.h
+@@ -11,6 +11,9 @@
+
+ extern struct asymmetric_key_id *asymmetric_key_hex_to_key_id(const char *id);
+
++extern int __asymmetric_key_hex_to_key_id(const char *id,
++ struct asymmetric_key_id *match_id,
++ size_t hexlen);
+ static inline
+ const struct asymmetric_key_ids *asymmetric_key_ids(const struct key *key)
+ {
+--- a/crypto/asymmetric_keys/asymmetric_type.c
++++ b/crypto/asymmetric_keys/asymmetric_type.c
+@@ -104,6 +104,15 @@ static bool asymmetric_match_key_ids(
+ return false;
+ }
+
++/* helper function can be called directly with pre-allocated memory */
++inline int __asymmetric_key_hex_to_key_id(const char *id,
++ struct asymmetric_key_id *match_id,
++ size_t hexlen)
++{
++ match_id->len = hexlen;
++ return hex2bin(match_id->data, id, hexlen);
++}
++
+ /**
+ * asymmetric_key_hex_to_key_id - Convert a hex string into a key ID.
+ * @id: The ID as a hex string.
+@@ -111,21 +120,20 @@ static bool asymmetric_match_key_ids(
+ struct asymmetric_key_id *asymmetric_key_hex_to_key_id(const char *id)
+ {
+ struct asymmetric_key_id *match_id;
+- size_t hexlen;
++ size_t asciihexlen;
+ int ret;
+
+ if (!*id)
+ return ERR_PTR(-EINVAL);
+- hexlen = strlen(id);
+- if (hexlen & 1)
++ asciihexlen = strlen(id);
++ if (asciihexlen & 1)
+ return ERR_PTR(-EINVAL);
+
+- match_id = kmalloc(sizeof(struct asymmetric_key_id) + hexlen / 2,
++ match_id = kmalloc(sizeof(struct asymmetric_key_id) + asciihexlen / 2,
+ GFP_KERNEL);
+ if (!match_id)
+ return ERR_PTR(-ENOMEM);
+- match_id->len = hexlen / 2;
+- ret = hex2bin(match_id->data, id, hexlen / 2);
++ ret = __asymmetric_key_hex_to_key_id(id, match_id, asciihexlen / 2);
+ if (ret < 0) {
+ kfree(match_id);
+ return ERR_PTR(-EINVAL);
+--- a/crypto/asymmetric_keys/x509_public_key.c
++++ b/crypto/asymmetric_keys/x509_public_key.c
+@@ -28,17 +28,30 @@ static bool use_builtin_keys;
+ static struct asymmetric_key_id *ca_keyid;
+
+ #ifndef MODULE
++static struct {
++ struct asymmetric_key_id id;
++ unsigned char data[10];
++} cakey;
++
+ static int __init ca_keys_setup(char *str)
+ {
+ if (!str) /* default system keyring */
+ return 1;
+
+ if (strncmp(str, "id:", 3) == 0) {
+- struct asymmetric_key_id *p;
+- p = asymmetric_key_hex_to_key_id(str + 3);
+- if (p == ERR_PTR(-EINVAL))
+- pr_err("Unparsable hex string in ca_keys\n");
+- else if (!IS_ERR(p))
++ struct asymmetric_key_id *p = &cakey.id;
++ size_t hexlen = (strlen(str) - 3) / 2;
++ int ret;
++
++ if (hexlen == 0 || hexlen > sizeof(cakey.data)) {
++ pr_err("Missing or invalid ca_keys id\n");
++ return 1;
++ }
++
++ ret = __asymmetric_key_hex_to_key_id(str + 3, p, hexlen);
++ if (ret < 0)
++ pr_err("Unparsable ca_keys id hex string\n");
++ else
+ ca_keyid = p; /* owner key 'id:xxxxxx' */
+ } else if (strcmp(str, "builtin") == 0) {
+ use_builtin_keys = true;
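Review bot: `size_t hexlen = (strlen(str) - 3) / 2;` in ca_keys_setup() silently drops a trailing odd nibble, so `id:abc` is accepted as the one-byte id 0xab, whereas asymmetric_key_hex_to_key_id() in the same series rejects odd lengths with its `asciihexlen & 1` test; check the ASCII length before halving: `size_t asciihexlen = strlen(str) - 3;` then `if (asciihexlen == 0 || (asciihexlen & 1) || asciihexlen / 2 > sizeof(cakey.data))` and pass `asciihexlen / 2` to the helper. The helper definition in asymmetric_type.c is written `inline int __asymmetric_key_hex_to_key_id(...)` while the header declares it `extern`; the keyword buys nothing for a two-line function with external linkage and, if a translation unit ever defined it without the extern declaration in scope, would change its linkage under C99 rules, so plain `int` is clearer. The `unsigned char data[10]` backing store limits `ca_keys=id:` to 20 hex digits without saying so; a comment like `/* room for a 10-byte (20 hex digit) key id */` would make the bound visible. ca_keys_setup() ends outside the hunk.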
vtpm-set-virtual-device-before-passing-to-ibmvtpm_reset_crq.patch
tpm-fix-initialization-of-the-cdev.patch
tpm-tpm_crb-fail-when-tpm2-acpi-table-contents-look-corrupted.patch
+keys-fix-ca_keys-partial-key-matching.patch
+keys-ensure-we-free-the-assoc-array-edit-if-edit-is-valid.patch
+ima-skip-measurement-of-cgroupfs-files-and-update-documentation.patch
+ima-cleanup-ima_init_policy-a-little.patch
+ima-do-not-measure-or-appraise-the-nsfs-filesystem.patch
+evm-labeling-pseudo-filesystems-exception.patch
+ima-fix-ima_show_template_data_ascii.patch
+ima-add-support-for-new-euid-policy-condition.patch
+ima-extend-mask-policy-matching-support.patch
+ima-update-builtin-policies.patch