integrity-v5-17-fix
-----BEGIN PGP SIGNATURE----- iIoEABYIADIWIQQdXVVFGN5XqKr1Hj7LwZzRsCrn5QUCYgBPohQcem9oYXJAbGlu dXguaWJtLmNvbQAKCRDLwZzRsCrn5d5oAP99Iuskwx22LvkTsq/wtpncbpOq7PCn m2by5qy3oSbLagD/YRDLh3ilgcvBbf152JBAOl4SRkph7bX/MGF14UZ0Zwg= =OFwx -----END PGP SIGNATURE----- Merge tag 'integrity-v5.17-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity Pull integrity fixes from Mimi Zohar: "Fixes for recently found bugs. One was found/noticed while reviewing IMA support for fsverity digests and signatures. Two of them were found/noticed while working on IMA namespacing. Plus two other bugs. All of them are for previous kernel releases" * tag 'integrity-v5.17-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity: ima: Do not print policy rule with inactive LSM labels ima: Allow template selection with ima_template[_fmt]= after ima_hash= ima: Remove ima_policy file before directory integrity: check the return value of audit_log_start() ima: fix reference leak in asymmetric_verify()
c8ba56b7e8
@ -109,22 +109,25 @@ int asymmetric_verify(struct key *keyring, const char *sig,
|
||||
|
||||
pk = asymmetric_key_public_key(key);
|
||||
pks.pkey_algo = pk->pkey_algo;
|
||||
if (!strcmp(pk->pkey_algo, "rsa"))
|
||||
if (!strcmp(pk->pkey_algo, "rsa")) {
|
||||
pks.encoding = "pkcs1";
|
||||
else if (!strncmp(pk->pkey_algo, "ecdsa-", 6))
|
||||
} else if (!strncmp(pk->pkey_algo, "ecdsa-", 6)) {
|
||||
/* edcsa-nist-p192 etc. */
|
||||
pks.encoding = "x962";
|
||||
else if (!strcmp(pk->pkey_algo, "ecrdsa") ||
|
||||
!strcmp(pk->pkey_algo, "sm2"))
|
||||
} else if (!strcmp(pk->pkey_algo, "ecrdsa") ||
|
||||
!strcmp(pk->pkey_algo, "sm2")) {
|
||||
pks.encoding = "raw";
|
||||
else
|
||||
return -ENOPKG;
|
||||
} else {
|
||||
ret = -ENOPKG;
|
||||
goto out;
|
||||
}
|
||||
|
||||
pks.digest = (u8 *)data;
|
||||
pks.digest_size = datalen;
|
||||
pks.s = hdr->sig;
|
||||
pks.s_size = siglen;
|
||||
ret = verify_signature(key, &pks);
|
||||
out:
|
||||
key_put(key);
|
||||
pr_debug("%s() = %d\n", __func__, ret);
|
||||
return ret;
|
||||
|
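Review bot: The context comment `/* edcsa-nist-p192 etc. */` sitting above `pks.encoding = "x962";` misspells the algorithm name and should read `/* ecdsa-nist-p192 etc. */`; it is on the new side of this hunk even though the commit does not touch it. The `goto out` conversion itself looks right: every branch of the encoding selection now reaches `key_put(key)`, and the existing `pr_debug()` at `out:` reports the -ENOPKG result along with the others. The opening of asymmetric_verify(), including where `ret` and `pks` are initialised, and its closing brace are outside the hunk.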
@ -496,12 +496,12 @@ int __init ima_fs_init(void)
|
||||
|
||||
return 0;
|
||||
out:
|
||||
securityfs_remove(ima_policy);
|
||||
securityfs_remove(violations);
|
||||
securityfs_remove(runtime_measurements_count);
|
||||
securityfs_remove(ascii_runtime_measurements);
|
||||
securityfs_remove(binary_runtime_measurements);
|
||||
securityfs_remove(ima_symlink);
|
||||
securityfs_remove(ima_dir);
|
||||
securityfs_remove(ima_policy);
|
||||
return -1;
|
||||
}
|
||||
|
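Review bot: The reordered error path in ima_fs_init() still ends in a bare `return -1;` rather than an `-errno`; if the failing `securityfs_create_*()` calls return ERR_PTR values (the creation sequence is above the hunk and not visible), propagating `PTR_ERR()` from the first failure would tell the caller why setup failed instead of a generic -1. Removing `ima_policy` before `ima_dir` is the right order if, as the commit subject implies, securityfs_remove() of a directory expects it to be empty; a short comment such as `/* tear down in reverse creation order: files first, then the directory */` would make the ordering constraint explicit for the next person who appends a file. The function's body begins before this hunk.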
@ -1967,6 +1967,14 @@ int ima_policy_show(struct seq_file *m, void *v)
|
||||
|
||||
rcu_read_lock();
|
||||
|
||||
/* Do not print rules with inactive LSM labels */
|
||||
for (i = 0; i < MAX_LSM_RULES; i++) {
|
||||
if (entry->lsm[i].args_p && !entry->lsm[i].rule) {
|
||||
rcu_read_unlock();
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
if (entry->action & MEASURE)
|
||||
seq_puts(m, pt(Opt_measure));
|
||||
if (entry->action & DONT_MEASURE)
|
||||
|
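Review bot: The new early return in ima_policy_show() hides a rule without saying why, and `/* Do not print rules with inactive LSM labels */` restates the code rather than the reason; a comment along the lines of `/* args_p set but rule NULL: the LSM label could not be compiled, so this rule cannot match and listing it would misrepresent the enforced policy */` would carry the rationale, assuming that is indeed what "inactive" means here, which the hunk does not show. The `rcu_read_unlock()` before `return 0` correctly pairs with the `rcu_read_lock()` above it, so no lock is leaked on the skip path. ima_policy_show() begins before this hunk and continues after it.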
@ -29,6 +29,7 @@ static struct ima_template_desc builtin_templates[] = {
|
||||
|
||||
static LIST_HEAD(defined_templates);
|
||||
static DEFINE_SPINLOCK(template_list);
|
||||
static int template_setup_done;
|
||||
|
||||
static const struct ima_template_field supported_fields[] = {
|
||||
{.field_id = "d", .field_init = ima_eventdigest_init,
|
||||
@ -101,10 +102,11 @@ static int __init ima_template_setup(char *str)
|
||||
struct ima_template_desc *template_desc;
|
||||
int template_len = strlen(str);
|
||||
|
||||
if (ima_template)
|
||||
if (template_setup_done)
|
||||
return 1;
|
||||
|
||||
ima_init_template_list();
|
||||
if (!ima_template)
|
||||
ima_init_template_list();
|
||||
|
||||
/*
|
||||
* Verify that a template with the supplied name exists.
|
||||
@ -128,6 +130,7 @@ static int __init ima_template_setup(char *str)
|
||||
}
|
||||
|
||||
ima_template = template_desc;
|
||||
template_setup_done = 1;
|
||||
return 1;
|
||||
}
|
||||
__setup("ima_template=", ima_template_setup);
|
||||
@ -136,7 +139,7 @@ static int __init ima_template_fmt_setup(char *str)
|
||||
{
|
||||
int num_templates = ARRAY_SIZE(builtin_templates);
|
||||
|
||||
if (ima_template)
|
||||
if (template_setup_done)
|
||||
return 1;
|
||||
|
||||
if (template_desc_init_fields(str, NULL, NULL) < 0) {
|
||||
@ -147,6 +150,7 @@ static int __init ima_template_fmt_setup(char *str)
|
||||
|
||||
builtin_templates[num_templates - 1].fmt = str;
|
||||
ima_template = builtin_templates + num_templates - 1;
|
||||
template_setup_done = 1;
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
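Review bot: The `static int template_setup_done;` introduced here is only ever tested for truth and assigned 1, so it is a boolean in disguise; `static bool template_setup_done;` with `template_setup_done = true;` in both ima_template_setup() and ima_template_fmt_setup() is the kernel-idiomatic spelling. A one-line comment on the declaration, e.g. `/* set once ima_template= or ima_template_fmt= has chosen the template; later occurrences are ignored */`, would explain why this flag exists separately from `ima_template`, which per the commit subject can also be set as a side effect of `ima_hash=`. Both setup functions start outside their respective hunks, so the return-value convention of the `__setup` handlers is not visible here.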
@ -45,6 +45,8 @@ void integrity_audit_message(int audit_msgno, struct inode *inode,
|
||||
return;
|
||||
|
||||
ab = audit_log_start(audit_context(), GFP_KERNEL, audit_msgno);
|
||||
if (!ab)
|
||||
return;
|
||||
audit_log_format(ab, "pid=%d uid=%u auid=%u ses=%u",
|
||||
task_pid_nr(current),
|
||||
from_kuid(&init_user_ns, current_uid()),
|
||||
|
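Review bot: The added `if (!ab) return;` in integrity_audit_message() silently drops the audit record; audit_log_start() returns NULL when auditing is disabled and, as far as I recall, also when it cannot allocate a buffer, and the two cases are indistinguishable at this point. Since the function is `void` there is no way to report the loss to the caller, so a brief comment documenting the intent would help, e.g. `/* audit disabled or no buffer available: the record is dropped */`. integrity_audit_message() starts before this hunk and the remaining audit_log_format() calls follow it.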