Re: [PATCH 1/2] security/keys/secure_key: Adds the secure key support based on CAAM.

2018-07-24 Thread Mimi Zohar
On Tue, 2018-07-24 at 12:31 +, Udit Agarwal wrote: > Yes the secure keys and CAAM are correlated. Secure keys depend on > NXP CAAM crypto HW accelerator.  Secure key is a random data of > length X (passed using keyctl command) & derived using CAAM. Blob of > this data is also created using

Re: [PATCH 1/2] security/keys/secure_key: Adds the secure key support based on CAAM.

2018-07-22 Thread Mimi Zohar
On Fri, 2018-07-20 at 11:16 +0530, Udit Agarwal wrote: > Secure keys are derived using CAAM crypto block. > > Secure keys derived are the random number symmetric keys from CAAM. > Blobs corresponding to the key are formed using CAAM. User space > will only be able to view the blob of the key.

Re: [PATCH] security: export security_kernel_load_data to fix firmware_loader build

2018-07-19 Thread Mimi Zohar
Thanks, Randy. On Thu, 2018-07-19 at 13:15 -0700, Randy Dunlap wrote: > From: Randy Dunlap > > Fix build error when CONFIG_FW_LOADER=m, CONFIG_FW_LOADER_USER_HELPER=y, > CONFIG_FW_LOADER_USER_HELPER_FALLBACK=y, and CONFIG_SECURITY=y: > > ERROR: "security_kernel_load_data" >

Re: linux-next: build failure after merge of the integrity tree

2018-07-17 Thread Mimi Zohar
On Tue, 2018-07-17 at 14:40 +1000, Stephen Rothwell wrote: > Hi all, > > After merging the integrity tree, today's linux-next build (x86_64 > allmodconfig) failed like this: > > security/integrity/ima/ima_main.c:549:5: error: redefinition of > 'ima_load_data' > int ima_load_data(enum

Re: [PATCH v6 7/8] module: replace the existing LSM hook in init_module

2018-07-16 Thread Mimi Zohar
On Sat, 2018-07-14 at 19:30 -0700, Kees Cook wrote: > On Fri, Jul 13, 2018 at 11:06 AM, Mimi Zohar wrote: > > Both the init_module and finit_module syscalls call either directly > > or indirectly the security_kernel_read_file LSM hook. This patch > > replaces the direc

Re: [PATCH v5 7/8] ima: based on policy warn about loading firmware (pre-allocated buffer)

2018-07-10 Thread Mimi Zohar
On Tue, 2018-07-10 at 08:56 +0200, Ard Biesheuvel wrote: > On 10 July 2018 at 08:51, Ard Biesheuvel wrote: > > On 9 July 2018 at 21:41, Mimi Zohar wrote: > >> On Mon, 2018-07-02 at 17:30 +0200, Ard Biesheuvel wrote: > >>> On 2 July 2018 at 16:38, Mimi Zoha

Re: [PATCH] ima: Use tpm_default_chip() and call TPM functions with a tpm_chip

2018-07-04 Thread Mimi Zohar
On Tue, 2018-07-03 at 19:32 +0300, Jarkko Sakkinen wrote: > On Mon, 2018-07-02 at 13:00 -0400, Mimi Zohar wrote: > > On Mon, 2018-07-02 at 11:24 -0400, Stefan Berger wrote: > > > Rather than accessing the TPM functions by passing a NULL pointer for > > > the tpm_

Re: [PATCH] ima: Remove unused is_ima_appraise_enabled() function.

2018-07-03 Thread Mimi Zohar
On Tue, 2018-07-03 at 07:19 -0400, Stefan Berger wrote: > Remove the unused is_ima_appraise_enabled() function. is_ima_appraise_enabled() was introduced to coordinate between IMA and the lockdown patch set.  Before removing it, let's wait and see if it is still needed by the lockdown patches.

Re: [PATCH] ima: Use tpm_default_chip() and call TPM functions with a tpm_chip

2018-07-02 Thread Mimi Zohar
o get rid of > the ima_used_chip variable and use the new ima_tpm_chip variable instead > for determining whether to call TPM functions. > > Signed-off-by: Stefan Berger > Acked-by: Jarkko Sakkinen Signed-off-by: Mimi Zohar Jarkko, would you mind staging this patch with the rest of the patch set?

Re: [PATCH v7 5/5] ima: Get rid of ima_used_chip and use ima_tpm_chip != NULL instead

2018-07-02 Thread Mimi Zohar
Hi Stefan, On Tue, 2018-06-26 at 15:09 -0400, Stefan Berger wrote: > Get rid of ima_used_chip and use ima_tpm_chip variable instead for > determining whether to use the TPM chip. I don't see a need for separating this change from the previous patch. Could you squash this patch with the previous

Re: [PATCH v7 0/5] Have IMA find and use a tpm_chip until system shutdown

2018-06-29 Thread Mimi Zohar
On Fri, 2018-06-29 at 15:13 +0300, Jarkko Sakkinen wrote: > On Tue, 2018-06-26 at 15:09 -0400, Stefan Berger wrote: > > This series of patches converts IMA's usage of the tpm_chip to find a TPM > > chip initially and use it until the machine is shut down. To do this we need > > to introduce a kref

Re: [PATCH v2 3/4] ima: Use tpm_chip_find() and access TPM functions using it

2018-06-21 Thread Mimi Zohar
On Wed, 2018-06-20 at 16:42 -0400, Stefan Berger wrote: > Rather than accessing the TPM functions using a NULL pointer, which > causes a lookup for a suitable chip every time, get a hold of a tpm_chip > and access the TPM functions using this chip. We call the tpm_chip > ima_tpm_chip and protect

Re: [PATCH] integrity: add error handling for kmem_cache_create

2018-06-13 Thread Mimi Zohar
On Tue, 2018-06-12 at 12:27 +0800, Zhouyang Jia wrote: > When kmem_cache_create fails, the lack of error-handling code may > cause unexpected results. > > This patch adds error-handling code after calling kmem_cache_create. The slab is being created during __init.  Under what circumstances do you

Re: [PATCH v2 13/21] ima: use match_string() helper

2018-05-31 Thread Mimi Zohar
On Thu, 2018-05-31 at 19:11 +0800, Yisheng Xie wrote: > match_string() returns the index of an array for a matching string, > which can be used instead of open coded variant. > > Reviewed-by: Mimi Zohar > Reviewed-by: Andy Shevchenko > Cc: Mimi Zohar > Cc: Dmitry Kasatki

Re: [PATCH][next] EVM: fix memory leak of temporary buffer 'temp'

2018-05-31 Thread Mimi Zohar
On Sun, 2018-05-27 at 23:15 +0100, Colin King wrote: > From: Colin Ian King > > The allocation of 'temp' is not kfree'd and hence there is a memory > leak on each call of evm_read_xattrs. Fix this by kfree'ing it > after copying data from it back to the user space buffer 'buf'. > > Detected by

[PATCH v4 4/8] firmware: add call to LSM hook before firmware sysfs fallback

2018-05-29 Thread Mimi Zohar
Add an LSM hook prior to allowing firmware sysfs fallback loading. Signed-off-by: Mimi Zohar Cc: Luis R. Rodriguez Cc: David Howells Cc: Kees Cook Changelog v4: - call new LSM security_kernel_arg hook Changelog v2: - call security_kernel_read_blob() - rename the READING_FIRMWARE_FALLBACK

Re: [PATCH] EVM: Fix null dereference on xattr when xattr fails to allocate

2018-05-29 Thread Mimi Zohar
Hi Dan, On Tue, 2018-05-29 at 12:05 +0300, Dan Carpenter wrote: > Not really related to this patch except I was looking at the function: > > security/integrity/evm/evm_secfs.c >191 ab = audit_log_start(NULL, GFP_KERNEL, > AUDIT_INTEGRITY_EVM_XATTR); >192 if

Re: [PATCH] EVM: Fix null dereference on xattr when xattr fails to allocate

2018-05-29 Thread Mimi Zohar
Hi Colin, On Sun, 2018-05-27 at 23:55 +0100, Colin King wrote: > From: Colin Ian King > > In the case where the allocation of xattr fails and xattr is NULL, the > error exit return path via label 'out' will dereference xattr when > kfree'ing xattr-name. Fix this by only kfree'ing xattr->name

Re: [PATCH v3 1/7] security: rename security_kernel_read_file() hook

2018-05-25 Thread Mimi Zohar
On Thu, 2018-05-24 at 15:49 -0500, Eric W. Biederman wrote: Thank you for the sample code below.  It needs to be broken up into proper patches, with some changes, but it is a good start. Mimi  > diff --git a/drivers/base/firmware_loader/fallback.c > b/drivers/base/firmware_loader/fallback.c >

Re: [PATCH v3 1/7] security: rename security_kernel_read_file() hook

2018-05-24 Thread Mimi Zohar
On Thu, 2018-05-24 at 15:49 -0500, Eric W. Biederman wrote: > I already nacked this approach because the two cases don't > share a bit of code. When I looked closer it was even crazier. It hasn't been clear what you meant by "the two cases don't share a bit of code".  The first attempt called

[PATCH v3 1/7] security: rename security_kernel_read_file() hook

2018-05-24 Thread Mimi Zohar
the hook (eg. loadpin, init_module, IMA). Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com> Cc: Eric Biederman <ebied...@xmission.com> Cc: Luis R. Rodriguez <mcg...@kernel.org> Cc: Kees Cook <keesc...@chromium.org> Cc: David Howells <dhowe...@redhat.com>

[PATCH v3 1/7] security: rename security_kernel_read_file() hook

2018-05-24 Thread Mimi Zohar
the hook (eg. loadpin, init_module, IMA). Signed-off-by: Mimi Zohar Cc: Eric Biederman Cc: Luis R. Rodriguez Cc: Kees Cook Cc: David Howells Cc: Casey Schaufler Changelog v3: - Rename security_kernel_read_file to security_kernel_read_data(). Changelog v2: - Define a generic

[PATCH v3 0/7] kexec/firmware: support system wide policy requiring signatures

2018-05-24 Thread Mimi Zohar
d by Luis. - removed the CONFIG_CFG80211_REQUIRE_SIGNED_REGDB ifdef. If both REGDB and an IMA-appraisal policy require signed firmware, for now require both signatures. Subsequent patches might change this. - Still unclear if the pre-allocated firmware buffer can be accessed Mimi Zohar (7)

[PATCH v3 6/7] ima: add build time policy

2018-05-24 Thread Mimi Zohar
signatures. This build time policy is automatically enabled at runtime. The build time policy rules persist after loading a custom policy. Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com> --- security/integrity/ima/Kconfig | 58 + security/integri

[PATCH v3 2/7] kexec: add call to LSM hook in original kexec_load syscall

2018-05-24 Thread Mimi Zohar
In order for LSMs and IMA-appraisal to differentiate between the original and new syscalls, both the original and new syscalls must call an LSM hook. This patch adds a call to security_kernel_read_data() in the original kexec syscall. Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com> Cc

[PATCH v3 5/7] ima: based on policy require signed firmware (sysfs fallback)

2018-05-24 Thread Mimi Zohar
With an IMA policy requiring signed firmware, this patch prevents the sysfs fallback method of loading firmware. Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com> Cc: Luis R. Rodriguez <mcg...@suse.com> Cc: David Howells <dhowe...@redhat.com> Cc: Matthew Garrett

[PATCH v3 6/7] ima: add build time policy

2018-05-24 Thread Mimi Zohar
signatures. This build time policy is automatically enabled at runtime. The build time policy rules persist after loading a custom policy. Signed-off-by: Mimi Zohar --- security/integrity/ima/Kconfig | 58 + security/integrity/ima/ima_policy.c | 46

[PATCH v3 2/7] kexec: add call to LSM hook in original kexec_load syscall

2018-05-24 Thread Mimi Zohar
In order for LSMs and IMA-appraisal to differentiate between the original and new syscalls, both the original and new syscalls must call an LSM hook. This patch adds a call to security_kernel_read_data() in the original kexec syscall. Signed-off-by: Mimi Zohar Cc: Eric Biederman Cc: Luis R

[PATCH v3 5/7] ima: based on policy require signed firmware (sysfs fallback)

2018-05-24 Thread Mimi Zohar
With an IMA policy requiring signed firmware, this patch prevents the sysfs fallback method of loading firmware. Signed-off-by: Mimi Zohar Cc: Luis R. Rodriguez Cc: David Howells Cc: Matthew Garrett --- security/integrity/ima/ima_main.c | 7 +++ 1 file changed, 7 insertions(+) diff

[PATCH v3 3/7] ima: based on policy require signed kexec kernel images

2018-05-24 Thread Mimi Zohar
The original kexec_load syscall can not verify file signatures. This patch differentiates between the kexec_load and kexec_file_load syscalls. Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com> Cc: Eric Biederman <ebied...@xmission.com> Cc: Luis R. Rodriguez <mcg...@kernel.org

[PATCH v3 3/7] ima: based on policy require signed kexec kernel images

2018-05-24 Thread Mimi Zohar
The original kexec_load syscall can not verify file signatures. This patch differentiates between the kexec_load and kexec_file_load syscalls. Signed-off-by: Mimi Zohar Cc: Eric Biederman Cc: Luis R. Rodriguez Cc: Kees Cook Cc: David Howells Changelog v3: - use switch/case --- security

[RFC PATCH v3 7/7] ima: based on policy prevent loading firmware (pre-allocated buffer)

2018-05-24 Thread Mimi Zohar
signature? Is it dependent on the type of buffer allocated (eg. DMA)? For example, qcom_mdt_load() -> qcom_scm_pas_init_image() -> dma_alloc_coherent(). With an IMA policy requiring signed firmware, this patch would prevent loading firmware into a pre-allocated buffer. Signed-off-by: Mimi Zoh

[PATCH v3 4/7] firmware: add call to LSM hook before firmware sysfs fallback

2018-05-24 Thread Mimi Zohar
Add an LSM hook prior to allowing firmware sysfs fallback loading. Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com> Cc: Luis R. Rodriguez <mcg...@suse.com> Cc: David Howells <dhowe...@redhat.com> Cc: Kees Cook <keesc...@chromium.org> Changelog: - call security_ker

[PATCH v3 4/7] firmware: add call to LSM hook before firmware sysfs fallback

2018-05-24 Thread Mimi Zohar
Add an LSM hook prior to allowing firmware sysfs fallback loading. Signed-off-by: Mimi Zohar Cc: Luis R. Rodriguez Cc: David Howells Cc: Kees Cook Changelog: - call security_kernel_read_blob() - rename the READING_FIRMWARE_FALLBACK kernel_read_file_id enumeration

Re: [PATCH 25/33] ima: use match_string() helper

2018-05-23 Thread Mimi Zohar
On Mon, 2018-05-21 at 19:58 +0800, Yisheng Xie wrote: > match_string() returns the index of an array for a matching string, > which can be used instead of open coded variant. > > Cc: Mimi Zohar <zo...@linux.vnet.ibm.com> > Cc: Dmitry Kasatkin <dmitry.kasat...@gmail.com>

Re: [PATCH 25/33] ima: use match_string() helper

2018-05-23 Thread Mimi Zohar
On Mon, 2018-05-21 at 19:58 +0800, Yisheng Xie wrote: > match_string() returns the index of an array for a matching string, > which can be used instead of open coded variant. > > Cc: Mimi Zohar > Cc: Dmitry Kasatkin > Cc: James Morris > Cc: "Serge E. H

Re: [PATCH v2 3/9] security: define security_kernel_read_blob() wrapper

2018-05-18 Thread Mimi Zohar
On Sat, 2018-05-19 at 03:13 +1000, James Morris wrote: > On Thu, 17 May 2018, Eric W. Biederman wrote: > > > Nacked-by: "Eric W. Biederman" > > > > Nack on this sharing nonsense. These two interfaces do not share any > > code in their implementations other than the if

Re: [PATCH v2 3/9] security: define security_kernel_read_blob() wrapper

2018-05-18 Thread Mimi Zohar
On Sat, 2018-05-19 at 03:13 +1000, James Morris wrote: > On Thu, 17 May 2018, Eric W. Biederman wrote: > > > Nacked-by: "Eric W. Biederman" > > > > Nack on this sharing nonsense. These two interfaces do not share any > > code in their implementations other than the if statement to distinguish

Re: [PATCH] audit: add containerid support for IMA-audit

2018-05-18 Thread Mimi Zohar
On Fri, 2018-05-18 at 11:56 -0400, Richard Guy Briggs wrote: > On 2018-05-18 10:39, Mimi Zohar wrote: > > On Fri, 2018-05-18 at 09:54 -0400, Stefan Berger wrote: > > > On 05/18/2018 08:53 AM, Mimi Zohar wrote: > > > > [..] > > > > > >>>>

Re: [PATCH v2 3/9] security: define security_kernel_read_blob() wrapper

2018-05-18 Thread Mimi Zohar
On Fri, 2018-05-18 at 07:58 -0700, Casey Schaufler wrote: > On 5/18/2018 4:30 AM, Mimi Zohar wrote: > > Having to define a separate LSM hook for each of the original, non > > kernel_read_file(), buffer based method callers, kind of makes sense, > > as the callers th

Re: [PATCH] audit: add containerid support for IMA-audit

2018-05-18 Thread Mimi Zohar
On Fri, 2018-05-18 at 09:54 -0400, Stefan Berger wrote: > On 05/18/2018 08:53 AM, Mimi Zohar wrote: [..] > >>>> If so, which ones? We could probably refactor the current > >>>> integrity_audit_message() and have ima_parse_rule() call into it to get > >>

Re: [PATCH] audit: add containerid support for IMA-audit

2018-05-18 Thread Mimi Zohar
On Fri, 2018-05-18 at 07:49 -0400, Stefan Berger wrote: > On 05/17/2018 05:30 PM, Richard Guy Briggs wrote: [...] > >>> auxiliary record either by being converted to a syscall auxiliary record > >>> by using current->audit_context rather than NULL when calling > >>> audit_log_start(), or

Re: [PATCH v2 3/9] security: define security_kernel_read_blob() wrapper

2018-05-18 Thread Mimi Zohar
On Thu, 2018-05-17 at 22:37 -0500, Eric W. Biederman wrote: > Casey Schaufler <ca...@schaufler-ca.com> writes: > > > On 5/17/2018 7:48 AM, Mimi Zohar wrote: > >> In order for LSMs and IMA-appraisal to differentiate between the original > >> and new syscalls

Re: [PATCH v2 3/9] security: define security_kernel_read_blob() wrapper

2018-05-18 Thread Mimi Zohar
On Thu, 2018-05-17 at 22:37 -0500, Eric W. Biederman wrote: > Casey Schaufler writes: > > > On 5/17/2018 7:48 AM, Mimi Zohar wrote: > >> In order for LSMs and IMA-appraisal to differentiate between the original > >> and new syscalls (eg. kexec, kernel modules

[PATCH v2 5/9] ima: based on policy require signed kexec kernel images

2018-05-17 Thread Mimi Zohar
The original kexec_load syscall can not verify file signatures. This patch differentiates between the kexec_load and kexec_file_load syscalls. Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com> Cc: Eric Biederman <ebied...@xmission.com> Cc: Luis R. Rodriguez <mcg...@kernel.org

[PATCH v2 5/9] ima: based on policy require signed kexec kernel images

2018-05-17 Thread Mimi Zohar
The original kexec_load syscall can not verify file signatures. This patch differentiates between the kexec_load and kexec_file_load syscalls. Signed-off-by: Mimi Zohar Cc: Eric Biederman Cc: Luis R. Rodriguez Cc: Kees Cook Cc: David Howells --- security/integrity/ima/ima.h| 1

[PATCH v2 2/9] ima: fix updating the ima_appraise flag

2018-05-17 Thread Mimi Zohar
ef8e2e ("ima: define a set of appraisal rules requiring file signatures") Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com> --- security/integrity/ima/ima_policy.c | 28 +++- 1 file changed, 19 insertions(+), 9 deletions(-) diff --git a/security/in

[PATCH v2 2/9] ima: fix updating the ima_appraise flag

2018-05-17 Thread Mimi Zohar
ef8e2e ("ima: define a set of appraisal rules requiring file signatures") Signed-off-by: Mimi Zohar --- security/integrity/ima/ima_policy.c | 28 +++- 1 file changed, 19 insertions(+), 9 deletions(-) diff --git a/security/integrity/ima/ima_policy.c b/security/in

[PATCH v2 1/9] ima: based on policy verify firmware signatures (pre-allocated buffer)

2018-05-17 Thread Mimi Zohar
Don't differentiate between kernel_read_file_id READING_FIRMWARE and READING_FIRMWARE_PREALLOC_BUFFER enumerations. Fixes: a098ecd firmware: support loading into a pre-allocated buffer (since 4.8) Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com> Cc: Luis R. Rodriguez <mcg...@sus

[PATCH v2 1/9] ima: based on policy verify firmware signatures (pre-allocated buffer)

2018-05-17 Thread Mimi Zohar
Don't differentiate between kernel_read_file_id READING_FIRMWARE and READING_FIRMWARE_PREALLOC_BUFFER enumerations. Fixes: a098ecd firmware: support loading into a pre-allocated buffer (since 4.8) Signed-off-by: Mimi Zohar Cc: Luis R. Rodriguez Cc: David Howells Cc: Kees Cook Cc: Serge E

[PATCH v2 3/9] security: define security_kernel_read_blob() wrapper

2018-05-17 Thread Mimi Zohar
the security hook name is inappropriate. Instead of defining a new LSM hook, this patch defines security_kernel_read_blob() as a wrapper for the existing LSM security_kernel_file_read() hook. Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com> Cc: Eric Biederman <ebied...@xmission.com>

[PATCH v2 3/9] security: define security_kernel_read_blob() wrapper

2018-05-17 Thread Mimi Zohar
the security hook name is inappropriate. Instead of defining a new LSM hook, this patch defines security_kernel_read_blob() as a wrapper for the existing LSM security_kernel_file_read() hook. Signed-off-by: Mimi Zohar Cc: Eric Biederman Cc: Luis R. Rodriguez Cc: Kees Cook Cc: David How

[PATCH v2 4/9] kexec: add call to LSM hook in original kexec_load syscall

2018-05-17 Thread Mimi Zohar
In order for LSMs and IMA-appraisal to differentiate between the original and new syscalls, both the original and new syscalls must call an LSM hook. This patch adds a call to security_kernel_read_blob() in the original kexec syscall. Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com> Cc

[PATCH v2 4/9] kexec: add call to LSM hook in original kexec_load syscall

2018-05-17 Thread Mimi Zohar
In order for LSMs and IMA-appraisal to differentiate between the original and new syscalls, both the original and new syscalls must call an LSM hook. This patch adds a call to security_kernel_read_blob() in the original kexec syscall. Signed-off-by: Mimi Zohar Cc: Eric Biederman Cc: Luis R

[PATCH v2 9/9] ima: based on policy prevent loading firmware (pre-allocated buffer)

2018-05-17 Thread Mimi Zohar
of buffer allocated (eg. DMA)? For example, qcom_mdt_load() -> qcom_scm_pas_init_image() -> dma_alloc_coherent(). With an IMA policy requiring signed firmware, this patch would prevent loading firmware into a pre-allocated buffer. Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com>

[PATCH v2 9/9] ima: based on policy prevent loading firmware (pre-allocated buffer)

2018-05-17 Thread Mimi Zohar
of buffer allocated (eg. DMA)? For example, qcom_mdt_load() -> qcom_scm_pas_init_image() -> dma_alloc_coherent(). With an IMA policy requiring signed firmware, this patch would prevent loading firmware into a pre-allocated buffer. Signed-off-by: Mimi Zohar Cc: Luis R. Rodriguez Cc: David Howel

[PATCH v2 8/9] ima: add build time policy

2018-05-17 Thread Mimi Zohar
signatures. This build time policy is automatically enabled at runtime. The build time policy rules persist after loading a custom policy. Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com> --- security/integrity/ima/Kconfig | 58 + security/integri

[PATCH v2 6/9] firmware: add call to LSM hook before firmware sysfs fallback

2018-05-17 Thread Mimi Zohar
Add an LSM hook prior to allowing firmware sysfs fallback loading. Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com> Cc: Luis R. Rodriguez <mcg...@suse.com> Cc: David Howells <dhowe...@redhat.com> Cc: Kees Cook <keesc...@chromium.org> Changelog: - call security_ker

[PATCH v2 8/9] ima: add build time policy

2018-05-17 Thread Mimi Zohar
signatures. This build time policy is automatically enabled at runtime. The build time policy rules persist after loading a custom policy. Signed-off-by: Mimi Zohar --- security/integrity/ima/Kconfig | 58 + security/integrity/ima/ima_policy.c | 46

[PATCH v2 6/9] firmware: add call to LSM hook before firmware sysfs fallback

2018-05-17 Thread Mimi Zohar
Add an LSM hook prior to allowing firmware sysfs fallback loading. Signed-off-by: Mimi Zohar Cc: Luis R. Rodriguez Cc: David Howells Cc: Kees Cook Changelog: - call security_kernel_read_blob() - rename the READING_FIRMWARE_FALLBACK kernel_read_file_id enumeration

[PATCH v2 7/9] ima: based on policy require signed firmware (sysfs fallback)

2018-05-17 Thread Mimi Zohar
With an IMA policy requiring signed firmware, this patch prevents the sysfs fallback method of loading firmware. Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com> Cc: Luis R. Rodriguez <mcg...@suse.com> Cc: David Howells <dhowe...@redhat.com> Cc: Matthew Garrett

[PATCH v2 7/9] ima: based on policy require signed firmware (sysfs fallback)

2018-05-17 Thread Mimi Zohar
With an IMA policy requiring signed firmware, this patch prevents the sysfs fallback method of loading firmware. Signed-off-by: Mimi Zohar Cc: Luis R. Rodriguez Cc: David Howells Cc: Matthew Garrett --- security/integrity/ima/ima_main.c | 10 ++ 1 file changed, 10 insertions(+) diff

[PATCH v2 0/9] kexec/firmware: support system wide policy requiring signatures

2018-05-17 Thread Mimi Zohar
equent patches might change this. - Still unclear if the pre-allocated firmware buffer can be accessed prior to the signature verification completes. Mimi Zohar (9): ima: based on policy verify firmware signatures (pre-allocated buffer) ima: fix updating the ima_appraise fla

Re: [PATCH] ima: Fix pr_fmt() redefinition

2018-05-17 Thread Mimi Zohar
Hi Petr, On Thu, 2018-05-17 at 12:47 +0200, Petr Vorel wrote: > Previous definition was too late and caused problems in powerpc allyesconfig: > security/integrity/ima/ima_kexec.c:18:0: warning: "pr_fmt" redefined > #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt > > In file included from

Re: [RFC PATCH v4 3/5] ima: differentiate auditing policy rules from "audit" actions

2018-05-16 Thread Mimi Zohar
On Wed, 2018-05-16 at 16:28 -0400, Stefan Berger wrote: > On 05/15/2018 09:40 AM, Mimi Zohar wrote: > > Hi Stefan, > > > > On Fri, 2018-05-11 at 10:42 -0400, Stefan Berger wrote: > >> From: Mimi Zohar <zo...@linux.vnet.ibm.com> > >> > >> Th

Re: [RFC PATCH v4 3/5] ima: differentiate auditing policy rules from "audit" actions

2018-05-16 Thread Mimi Zohar
On Wed, 2018-05-16 at 16:28 -0400, Stefan Berger wrote: > On 05/15/2018 09:40 AM, Mimi Zohar wrote: > > Hi Stefan, > > > > On Fri, 2018-05-11 at 10:42 -0400, Stefan Berger wrote: > >> From: Mimi Zohar > >> > >> The AUDIT_INTEGRITY_RULE is used for a

Re: [RFC PATCH v4 3/5] ima: differentiate auditing policy rules from "audit" actions

2018-05-15 Thread Mimi Zohar
Hi Stefan, On Fri, 2018-05-11 at 10:42 -0400, Stefan Berger wrote: > From: Mimi Zohar <zo...@linux.vnet.ibm.com> > > The AUDIT_INTEGRITY_RULE is used for auditing IMA policy rules and > the IMA "audit" policy action. This patch defines AUDIT_INTEGRITY_POLICY >

Re: [RFC PATCH v4 3/5] ima: differentiate auditing policy rules from "audit" actions

2018-05-15 Thread Mimi Zohar
Hi Stefan, On Fri, 2018-05-11 at 10:42 -0400, Stefan Berger wrote: > From: Mimi Zohar > > The AUDIT_INTEGRITY_RULE is used for auditing IMA policy rules and > the IMA "audit" policy action. This patch defines AUDIT_INTEGRITY_POLICY > to reflect the IMA policy rules.

Re: [PATCH 3/6] firmware: differentiate between signed regulatory.db and other firmware

2018-05-15 Thread Mimi Zohar
On Tue, 2018-05-15 at 08:32 -0400, Josh Boyer wrote: > One aspect that was always a concern to some is whether the firmware files > were modified directly to have the signature attached to them. That may > run afoul of the "no modification" license that most blobs are shipped > under. Does IMA

Re: [PATCH 3/6] firmware: differentiate between signed regulatory.db and other firmware

2018-05-14 Thread Mimi Zohar
On Mon, 2018-05-14 at 19:28 +, Luis R. Rodriguez wrote: [...] > > At runtime, in the case > > that regdb is enabled and a custom policy requires IMA-appraisal > > firmware signature verification, then both signature verification > > methods will verify the signatures.  If either fails, then
