ima: Fix the IMA kernel feature

Fix the IMA kernel feature. Remove outdated patches and add ima.cfg holding kernel configuration options for IMA and EVM. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Stefan Berger <stefanb@linux.ibm.com> 2023-04-28 08:23:11 -0400
committer: Armin Kuster <akuster808@gmail.com> 2023-05-06 07:54:09 -0400
commit: f4f7624d2e50e19249e7a2a3798c1120e5183424 (patch)
tree: 2c3a5b997857d1a7431f94a5cc1882a4ab4a5d41
parent: cb8f26d82a35ba56f3bd40cd6ba105de03602a4b (diff)
download: meta-security-f4f7624d2e50e19249e7a2a3798c1120e5183424.tar.gz
7 files changed, 63 insertions, 251 deletions
diff --git a/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-integrity/classes/ima-evm-rootfs.bbclass
index 57de2f6..3cb0d07 100644
--- a/meta-integrity/classes/ima-evm-rootfs.bbclass
+++ b/meta-integrity/classes/ima-evm-rootfs.bbclass
@@ -17,7 +17,7 @@ IMA_EVM_X509 ?= "${IMA_EVM_KEY_DIR}/x509_ima.der"
 # with a .x509 suffix. See linux-%.bbappend for details.
 #
 # ima-local-ca.x509 is what ima-gen-local-ca.sh creates.
-IMA_EVM_ROOT_CA ?= ""
+IMA_EVM_ROOT_CA ?= "${IMA_EVM_KEY_DIR}/ima-local-ca.pem"
 # Sign all regular files by default.
 IMA_EVM_ROOTFS_SIGNED ?= ". -type f"
@@ -31,6 +31,9 @@ IMA_EVM_ROOTFS_IVERSION ?= ""
 # Avoid re-generating fstab when ima is enabled.
 WIC_CREATE_EXTRA_ARGS:append = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' --no-fstab-update', '', d)}"
+# Add necessary tools (e.g., keyctl) to image
+IMAGE_INSTALL:append = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' ima-evm-utils', '', d)}"
 ima_evm_sign_rootfs () {
    cd ${IMAGE_ROOTFS}
diff --git a/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch b/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch
deleted file mode 100644
index 64016dd..0000000
--- a/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 45ea681ebc0dd44aaec5d3cc4143b9722070d3ac Mon Sep 17 00:00:00 2001
-From: Mimi Zohar <zohar@linux.vnet.ibm.com>
-Date: Tue, 8 Mar 2016 16:43:55 -0500
-Subject: [PATCH] ima: fix ima_inode_post_setattr
-Changing file metadata (eg. uid, guid) could result in having to
-re-appraise a file's integrity, but does not change the "new file"
-status nor the security.ima xattr.  The IMA_PERMIT_DIRECTIO and
-IMA_DIGSIG_REQUIRED flags are policy rule specific.  This patch
-only resets these flags, not the IMA_NEW_FILE or IMA_DIGSIG flags.
-With this patch, changing the file timestamp will not remove the
-file signature on new files.
-Upstream-Status: Accepted [https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_appraise.c?id=42a4c603198f0d45b7aa936d3ac6ba1b8bd14a1b]
-Reported-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
-Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
---
- security/integrity/ima/ima_appraise.c | 2 +-
- security/integrity/integrity.h        | 1 +
- 2 files changed, 2 insertions(+), 1 deletion(-)
-diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
-index 4df493e..a384ba1 100644
--- a/security/integrity/ima/ima_appraise.c
-+++ b/security/integrity/ima/ima_appraise.c
-@@ -327,7 +327,7 @@ void ima_inode_post_setattr(struct dentry *dentry)
-        if (iint) {
-                iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED |
-                                 IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK |
-                                IMA_ACTION_FLAGS);
-+                                IMA_ACTION_RULE_FLAGS);
-                if (must_appraise)
-                        iint->flags |= IMA_APPRAISE;
-        }
-diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
-index 0fc9519..f9decae 100644
--- a/security/integrity/integrity.h
-+++ b/security/integrity/integrity.h
-@@ -28,6 +28,7 @@
- 
- /* iint cache flags */
- #define IMA_ACTION_FLAGS       0xff000000
-+#define IMA_ACTION_RULE_FLAGS  0x06000000
- #define IMA_DIGSIG             0x01000000
- #define IMA_DIGSIG_REQUIRED    0x02000000
- #define IMA_PERMIT_DIRECTIO    0x04000000
-- 
-2.5.0
diff --git a/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch b/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch
deleted file mode 100644
index 6ab7ce2..0000000
--- a/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch
+++ /dev/null
@@ -1,138 +0,0 @@
-From baaec960e9e7be0b526eaf831b079ddfe5c15124 Mon Sep 17 00:00:00 2001
-From: Mimi Zohar <zohar@linux.vnet.ibm.com>
-Date: Thu, 10 Mar 2016 18:19:20 +0200
-Subject: [PATCH] ima: add support for creating files using the mknodat
- syscall
-Commit 3034a14 "ima: pass 'opened' flag to identify newly created files"
-stopped identifying empty files as new files.  However new empty files
-can be created using the mknodat syscall.  On systems with IMA-appraisal
-enabled, these empty files are not labeled with security.ima extended
-attributes properly, preventing them from subsequently being opened in
-order to write the file data contents.  This patch marks these empty
-files, created using mknodat, as new in order to allow the file data
-contents to be written.
-Files with security.ima xattrs containing a file signature are considered
-"immutable" and can not be modified.  The file contents need to be
-written, before signing the file.  This patch relaxes this requirement
-for new files, allowing the file signature to be written before the file
-contents.
-Upstream-Status: Accepted [https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_appraise.c?id=05d1a717ec0430c916a749b94eb90ab74bbfa356]
-Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
---
- fs/namei.c                            |  2 ++
- include/linux/ima.h                   |  7 ++++++-
- security/integrity/ima/ima_appraise.c |  3 +++
- security/integrity/ima/ima_main.c     | 32 +++++++++++++++++++++++++++++++-
- 4 files changed, 42 insertions(+), 2 deletions(-)
-diff --git a/fs/namei.c b/fs/namei.c
-index ccd7f98..19502da 100644
--- a/fs/namei.c
-+++ b/fs/namei.c
-@@ -3526,6 +3526,8 @@ retry:
-        switch (mode & S_IFMT) {
-                case 0: case S_IFREG:
-                        error = vfs_create(path.dentry->d_inode,dentry,mode,true);
-+                       if (!error)
-+                               ima_post_path_mknod(dentry);
-                        break;
-                case S_IFCHR: case S_IFBLK:
-                        error = vfs_mknod(path.dentry->d_inode,dentry,mode,
-diff --git a/include/linux/ima.h b/include/linux/ima.h
-index 120ccc5..7f51971 100644
--- a/include/linux/ima.h
-+++ b/include/linux/ima.h
-@@ -20,7 +20,7 @@ extern void ima_file_free(struct file *file);
- extern int ima_file_mmap(struct file *file, unsigned long prot);
- extern int ima_module_check(struct file *file);
- extern int ima_fw_from_file(struct file *file, char *buf, size_t size);
-
-+extern void ima_post_path_mknod(struct dentry *dentry);
- #else
- static inline int ima_bprm_check(struct linux_binprm *bprm)
- {
-@@ -52,6 +52,11 @@ static inline int ima_fw_from_file(struct file *file, char *buf, size_t size)
-        return 0;
- }
- 
-+static inline void ima_post_path_mknod(struct dentry *dentry)
-+{
-+       return;
-+}
-+
- #endif /* CONFIG_IMA */
- 
- #ifdef CONFIG_IMA_APPRAISE
-diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
-index 4df493e..20806ea 100644
--- a/security/integrity/ima/ima_appraise.c
-+++ b/security/integrity/ima/ima_appraise.c
-@@ -274,6 +274,11 @@ out:
-                     xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
-                        if (!ima_fix_xattr(dentry, iint))
-                                status = INTEGRITY_PASS;
-+               } else if ((inode->i_size == 0) &&
-+                          (iint->flags & IMA_NEW_FILE) &&
-+                          (xattr_value &&
-+                           xattr_value->type == EVM_IMA_XATTR_DIGSIG)) {
-+                       status = INTEGRITY_PASS;
-                }
-                integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
-                                    op, cause, rc, 0);
-diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
-index eeee00dc..705bf78 100644
--- a/security/integrity/ima/ima_main.c
-+++ b/security/integrity/ima/ima_main.c
-@@ -242,7 +242,8 @@ static int process_measurement(struct file *file, int mask, int function,
-                ima_audit_measurement(iint, pathname);
- 
- out_digsig:
-       if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG))
-+       if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG) &&
-+            !(iint->flags & IMA_NEW_FILE))
-                rc = -EACCES;
-        kfree(xattr_value);
- out_free:
-@@ -310,6 +311,35 @@ int ima_file_check(struct file *file, int mask, int opened)
- EXPORT_SYMBOL_GPL(ima_file_check);
- 
- /**
-+ * ima_post_path_mknod - mark as a new inode
-+ * @dentry: newly created dentry
-+ *
-+ * Mark files created via the mknodat syscall as new, so that the
-+ * file data can be written later.
-+ */
-+void ima_post_path_mknod(struct dentry *dentry)
-+{
-+       struct integrity_iint_cache *iint;
-+       struct inode *inode;
-+       int must_appraise;
-+
-+       if (!dentry || !dentry->d_inode)
-+               return;
-+
-+       inode = dentry->d_inode;
-+       if (inode->i_size != 0)
-+               return;
-+
-+       must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK);
-+       if (!must_appraise)
-+               return;
-+
-+       iint = integrity_inode_get(inode);
-+       if (iint)
-+               iint->flags |= IMA_NEW_FILE;
-+}
-+
-+/**
-  * ima_module_check - based on policy, collect/store/appraise measurement.
-  * @file: pointer to the file to be measured/appraised
-  *
-- 
-2.5.0
diff --git a/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch b/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch
deleted file mode 100644
index 157c007..0000000
--- a/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From a34d61850b680c152e1dcc958ee83c3ab3261c3d Mon Sep 17 00:00:00 2001
-From: Patrick Ohly <patrick.ohly@intel.com>
-Date: Tue, 15 Nov 2016 10:10:23 +0100
-Subject: [PATCH] Revert "ima: limit file hash setting by user to fix and log
- modes"
-This reverts commit c68ed80c97d9720f51ef31fe91560fdd1e121533.
-The original motivation was security hardening ("File hashes are
-automatically set and updated and should not be manually set.")
-However, that hardening ignores and breaks some valid use cases:
- File hashes might not be set because the file is currently
-  outside of the policy and therefore have to be set by the
-  creator. Examples:
-  - Booting into an initramfs with an IMA-enabled kernel but
-    without setting an IMA policy, then installing
-    the OS onto the target partition by unpacking a rootfs archive
-    which has the file hashes pre-computed.
-  - Unpacking a file into a staging area with meta data (like owner)
-    that leaves the file outside of the current policy, then changing
-    the meta data such that it becomes part of the current policy.
- "should not be set manually" implies that the creator is aware
-  of IMA semantic, the current system's configuration, and then
-  skips setting file hashes in security.ima if (and only if) the
-  kernel would prevent it. That's not the case for standard, unmodified
-  tools. Example: unpacking an archive with security.ima xattrs with
-  bsdtar or GNU tar.
-Upstream-Status: Submitted [https://sourceforge.net/p/linux-ima/mailman/message/35492824/]
-Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
---
- security/integrity/ima/ima_appraise.c | 8 ++------
- 1 file changed, 2 insertions(+), 6 deletions(-)
-diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
-index 4b9b4a4..b8b2dd9 100644
--- a/security/integrity/ima/ima_appraise.c
-+++ b/security/integrity/ima/ima_appraise.c
-@@ -385,14 +385,10 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
-        result = ima_protect_xattr(dentry, xattr_name, xattr_value,
-                                   xattr_value_len);
-        if (result == 1) {
-               bool digsig;
-
-                if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
-                        return -EINVAL;
-               digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG);
-               if (!digsig && (ima_appraise & IMA_APPRAISE_ENFORCE))
-                       return -EPERM;
-               ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
-+               ima_reset_appraise_flags(d_backing_inode(dentry),
-+                        (xvalue->type == EVM_IMA_XATTR_DIGSIG) ? 1 : 0);
-                result = 0;
-        }
-        return result;
-- 
-2.1.4
diff --git a/meta-integrity/recipes-kernel/linux/linux/ima.cfg b/meta-integrity/recipes-kernel/linux/linux/ima.cfg
new file mode 100644
index 0000000..86fb3aa
--- /dev/null
+++ b/meta-integrity/recipes-kernel/linux/linux/ima.cfg
@@ -0,0 +1,46 @@
+CONFIG_SQUASHFS_XATTR=y
+CONFIG_KEYS=y
+CONFIG_ASYMMETRIC_KEY_TYPE=y
+CONFIG_SYSTEM_TRUSTED_KEYRING=y
+CONFIG_SYSTEM_TRUSTED_KEYS="${IMA_EVM_ROOT_CA}"
+CONFIG_SECONDARY_TRUSTED_KEYRING=y
+CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
+CONFIG_X509_CERTIFICATE_PARSER=y
+CONFIG_PKCS8_PRIVATE_KEY_PARSER=y
+CONFIG_CRYPTO_ECDSA=y
+CONFIG_SECURITY=y
+CONFIG_SECURITYFS=y
+CONFIG_INTEGRITY=y
+CONFIG_INTEGRITY_SIGNATURE=y
+CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
+CONFIG_INTEGRITY_TRUSTED_KEYRING=y
+CONFIG_IMA=y
+CONFIG_IMA_MEASURE_PCR_IDX=10
+CONFIG_IMA_LSM_RULES=y
+# CONFIG_IMA_TEMPLATE is not set
+# CONFIG_IMA_NG_TEMPLATE is not set
+CONFIG_IMA_SIG_TEMPLATE=y
+CONFIG_IMA_DEFAULT_TEMPLATE="ima-sig"
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
+# CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
+CONFIG_IMA_DEFAULT_HASH="sha256"
+CONFIG_IMA_WRITE_POLICY=y
+CONFIG_IMA_READ_POLICY=y
+CONFIG_IMA_APPRAISE=y
+CONFIG_IMA_ARCH_POLICY=y
+CONFIG_IMA_APPRAISE_BUILD_POLICY=y
+CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS=y
+# CONFIG_IMA_APPRAISE_BOOTPARAM is not set
+# CONFIG_IMA_APPRAISE_MODSIG is not set
+CONFIG_IMA_TRUSTED_KEYRING=y
+CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
+# CONFIG_IMA_BLACKLIST_KEYRING is not set
+# CONFIG_IMA_LOAD_X509 is not set
+CONFIG_IMA_APPRAISE_SIGNED_INIT=y
+CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
+CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
+CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
+# CONFIG_IMA_DISABLE_HTABLE is not set
+CONFIG_EVM=y
+# CONFIG_EVM_LOAD_X509 is not set
diff --git a/meta-integrity/recipes-kernel/linux/linux/ima.scc b/meta-integrity/recipes-kernel/linux/linux/ima.scc
new file mode 100644
index 0000000..6eb84b0
--- /dev/null
+++ b/meta-integrity/recipes-kernel/linux/linux/ima.scc
@@ -0,0 +1,4 @@
+define KFEATURE_DESCRIPTION "Enable IMA"
+kconf non-hardware ima.cfg
diff --git a/meta-integrity/recipes-kernel/linux/linux_ima.inc b/meta-integrity/recipes-kernel/linux/linux_ima.inc
index 3ab53e5..0b6f530 100644
--- a/meta-integrity/recipes-kernel/linux/linux_ima.inc
+++ b/meta-integrity/recipes-kernel/linux/linux_ima.inc
@@ -1,4 +1,12 @@
-KERNEL_FEATURES:append = " ${@bb.utils.contains("DISTRO_FEATURES", "ima", " features/ima/ima.scc", "" ,d)}"
+FILESEXTRAPATHS:append := "${THISDIR}/linux:"
+SRC_URI += " \
+    ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'file://ima.scc', '', d)} \
+"
+do_configure() {
+    sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"|" .config
+}
 KERNEL_FEATURES:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' features/ima/modsign.scc', '', d)}"
author	Stefan Berger <stefanb@linux.ibm.com>	2023-04-28 08:23:11 -0400
committer	Armin Kuster <akuster808@gmail.com>	2023-05-06 07:54:09 -0400
commit	f4f7624d2e50e19249e7a2a3798c1120e5183424 (patch)
tree	2c3a5b997857d1a7431f94a5cc1882a4ab4a5d41
parent	cb8f26d82a35ba56f3bd40cd6ba105de03602a4b (diff)
download	meta-security-f4f7624d2e50e19249e7a2a3798c1120e5183424.tar.gz

diff --git a/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-integrity/classes/ima-evm-rootfs.bbclass index 57de2f6..3cb0d07 100644 --- a/meta-integrity/classes/ima-evm-rootfs.bbclass +++ b/meta-integrity/classes/ima-evm-rootfs.bbclass
@@ -17,7 +17,7 @@ IMA_EVM_X509 ?= "${IMA_EVM_KEY_DIR}/x509_ima.der"
17	# with a .x509 suffix. See linux-%.bbappend for details.	17	# with a .x509 suffix. See linux-%.bbappend for details.
18	#	18	#
19	# ima-local-ca.x509 is what ima-gen-local-ca.sh creates.	19	# ima-local-ca.x509 is what ima-gen-local-ca.sh creates.
20	IMA_EVM_ROOT_CA ?= ""	20	IMA_EVM_ROOT_CA ?= "${IMA_EVM_KEY_DIR}/ima-local-ca.pem"
21		21
22	# Sign all regular files by default.	22	# Sign all regular files by default.
23	IMA_EVM_ROOTFS_SIGNED ?= ". -type f"	23	IMA_EVM_ROOTFS_SIGNED ?= ". -type f"
@@ -31,6 +31,9 @@ IMA_EVM_ROOTFS_IVERSION ?= ""
31	# Avoid re-generating fstab when ima is enabled.	31	# Avoid re-generating fstab when ima is enabled.
32	WIC_CREATE_EXTRA_ARGS:append = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' --no-fstab-update', '', d)}"	32	WIC_CREATE_EXTRA_ARGS:append = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' --no-fstab-update', '', d)}"
33		33
		34	# Add necessary tools (e.g., keyctl) to image
		35	IMAGE_INSTALL:append = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' ima-evm-utils', '', d)}"
		36
34	ima_evm_sign_rootfs () {	37	ima_evm_sign_rootfs () {
35	cd ${IMAGE_ROOTFS}	38	cd ${IMAGE_ROOTFS}
36		39


diff --git a/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch b/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch deleted file mode 100644 index 64016dd..0000000 --- a/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch +++ /dev/null
@@ -1,51 +0,0 @@
1	From 45ea681ebc0dd44aaec5d3cc4143b9722070d3ac Mon Sep 17 00:00:00 2001
2	From: Mimi Zohar <zohar@linux.vnet.ibm.com>
3	Date: Tue, 8 Mar 2016 16:43:55 -0500
4	Subject: [PATCH] ima: fix ima_inode_post_setattr
5
6	Changing file metadata (eg. uid, guid) could result in having to
7	re-appraise a file's integrity, but does not change the "new file"
8	status nor the security.ima xattr. The IMA_PERMIT_DIRECTIO and
9	IMA_DIGSIG_REQUIRED flags are policy rule specific. This patch
10	only resets these flags, not the IMA_NEW_FILE or IMA_DIGSIG flags.
11
12	With this patch, changing the file timestamp will not remove the
13	file signature on new files.
14
15	Upstream-Status: Accepted [https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_appraise.c?id=42a4c603198f0d45b7aa936d3ac6ba1b8bd14a1b]
16
17	Reported-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
18	Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
19	---
20	security/integrity/ima/ima_appraise.c \| 2 +-
21	security/integrity/integrity.h \| 1 +
22	2 files changed, 2 insertions(+), 1 deletion(-)
23
24	diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
25	index 4df493e..a384ba1 100644
26	--- a/security/integrity/ima/ima_appraise.c
27	+++ b/security/integrity/ima/ima_appraise.c
28	@@ -327,7 +327,7 @@ void ima_inode_post_setattr(struct dentry *dentry)
29	if (iint) {
30	iint->flags &= ~(IMA_APPRAISE \| IMA_APPRAISED \|
31	IMA_APPRAISE_SUBMASK \| IMA_APPRAISED_SUBMASK \|
32	- IMA_ACTION_FLAGS);
33	+ IMA_ACTION_RULE_FLAGS);
34	if (must_appraise)
35	iint->flags \|= IMA_APPRAISE;
36	}
37	diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
38	index 0fc9519..f9decae 100644
39	--- a/security/integrity/integrity.h
40	+++ b/security/integrity/integrity.h
41	@@ -28,6 +28,7 @@
42
43	/* iint cache flags */
44	#define IMA_ACTION_FLAGS 0xff000000
45	+#define IMA_ACTION_RULE_FLAGS 0x06000000
46	#define IMA_DIGSIG 0x01000000
47	#define IMA_DIGSIG_REQUIRED 0x02000000
48	#define IMA_PERMIT_DIRECTIO 0x04000000
49	--
50	2.5.0
51


diff --git a/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch b/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch deleted file mode 100644 index 6ab7ce2..0000000 --- a/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch +++ /dev/null
@@ -1,138 +0,0 @@
1	From baaec960e9e7be0b526eaf831b079ddfe5c15124 Mon Sep 17 00:00:00 2001
2	From: Mimi Zohar <zohar@linux.vnet.ibm.com>
3	Date: Thu, 10 Mar 2016 18:19:20 +0200
4	Subject: [PATCH] ima: add support for creating files using the mknodat
5	syscall
6
7	Commit 3034a14 "ima: pass 'opened' flag to identify newly created files"
8	stopped identifying empty files as new files. However new empty files
9	can be created using the mknodat syscall. On systems with IMA-appraisal
10	enabled, these empty files are not labeled with security.ima extended
11	attributes properly, preventing them from subsequently being opened in
12	order to write the file data contents. This patch marks these empty
13	files, created using mknodat, as new in order to allow the file data
14	contents to be written.
15
16	Files with security.ima xattrs containing a file signature are considered
17	"immutable" and can not be modified. The file contents need to be
18	written, before signing the file. This patch relaxes this requirement
19	for new files, allowing the file signature to be written before the file
20	contents.
21
22	Upstream-Status: Accepted [https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_appraise.c?id=05d1a717ec0430c916a749b94eb90ab74bbfa356]
23
24	Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
25	---
26	fs/namei.c \| 2 ++
27	include/linux/ima.h \| 7 ++++++-
28	security/integrity/ima/ima_appraise.c \| 3 +++
29	security/integrity/ima/ima_main.c \| 32 +++++++++++++++++++++++++++++++-
30	4 files changed, 42 insertions(+), 2 deletions(-)
31
32	diff --git a/fs/namei.c b/fs/namei.c
33	index ccd7f98..19502da 100644
34	--- a/fs/namei.c
35	+++ b/fs/namei.c
36	@@ -3526,6 +3526,8 @@ retry:
37	switch (mode & S_IFMT) {
38	case 0: case S_IFREG:
39	error = vfs_create(path.dentry->d_inode,dentry,mode,true);
40	+ if (!error)
41	+ ima_post_path_mknod(dentry);
42	break;
43	case S_IFCHR: case S_IFBLK:
44	error = vfs_mknod(path.dentry->d_inode,dentry,mode,
45	diff --git a/include/linux/ima.h b/include/linux/ima.h
46	index 120ccc5..7f51971 100644
47	--- a/include/linux/ima.h
48	+++ b/include/linux/ima.h
49	@@ -20,7 +20,7 @@ extern void ima_file_free(struct file *file);
50	extern int ima_file_mmap(struct file *file, unsigned long prot);
51	extern int ima_module_check(struct file *file);
52	extern int ima_fw_from_file(struct file file, char buf, size_t size);
53	-
54	+extern void ima_post_path_mknod(struct dentry *dentry);
55	#else
56	static inline int ima_bprm_check(struct linux_binprm *bprm)
57	{
58	@@ -52,6 +52,11 @@ static inline int ima_fw_from_file(struct file file, char buf, size_t size)
59	return 0;
60	}
61
62	+static inline void ima_post_path_mknod(struct dentry *dentry)
63	+{
64	+ return;
65	+}
66	+
67	#endif /* CONFIG_IMA */
68
69	#ifdef CONFIG_IMA_APPRAISE
70	diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
71	index 4df493e..20806ea 100644
72	--- a/security/integrity/ima/ima_appraise.c
73	+++ b/security/integrity/ima/ima_appraise.c
74	@@ -274,6 +274,11 @@ out:
75	xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
76	if (!ima_fix_xattr(dentry, iint))
77	status = INTEGRITY_PASS;
78	+ } else if ((inode->i_size == 0) &&
79	+ (iint->flags & IMA_NEW_FILE) &&
80	+ (xattr_value &&
81	+ xattr_value->type == EVM_IMA_XATTR_DIGSIG)) {
82	+ status = INTEGRITY_PASS;
83	}
84	integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
85	op, cause, rc, 0);
86	diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
87	index eeee00dc..705bf78 100644
88	--- a/security/integrity/ima/ima_main.c
89	+++ b/security/integrity/ima/ima_main.c
90	@@ -242,7 +242,8 @@ static int process_measurement(struct file *file, int mask, int function,
91	ima_audit_measurement(iint, pathname);
92
93	out_digsig:
94	- if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG))
95	+ if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG) &&
96	+ !(iint->flags & IMA_NEW_FILE))
97	rc = -EACCES;
98	kfree(xattr_value);
99	out_free:
100	@@ -310,6 +311,35 @@ int ima_file_check(struct file *file, int mask, int opened)
101	EXPORT_SYMBOL_GPL(ima_file_check);
102
103	/**
104	+ * ima_post_path_mknod - mark as a new inode
105	+ * @dentry: newly created dentry
106	+ *
107	+ * Mark files created via the mknodat syscall as new, so that the
108	+ * file data can be written later.
109	+ */
110	+void ima_post_path_mknod(struct dentry *dentry)
111	+{
112	+ struct integrity_iint_cache *iint;
113	+ struct inode *inode;
114	+ int must_appraise;
115	+
116	+ if (!dentry \|\| !dentry->d_inode)
117	+ return;
118	+
119	+ inode = dentry->d_inode;
120	+ if (inode->i_size != 0)
121	+ return;
122	+
123	+ must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK);
124	+ if (!must_appraise)
125	+ return;
126	+
127	+ iint = integrity_inode_get(inode);
128	+ if (iint)
129	+ iint->flags \|= IMA_NEW_FILE;
130	+}
131	+
132	+/**
133	* ima_module_check - based on policy, collect/store/appraise measurement.
134	* @file: pointer to the file to be measured/appraised
135	*
136	--
137	2.5.0
138


diff --git a/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch b/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch deleted file mode 100644 index 157c007..0000000 --- a/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch +++ /dev/null
@@ -1,60 +0,0 @@
1	From a34d61850b680c152e1dcc958ee83c3ab3261c3d Mon Sep 17 00:00:00 2001
2	From: Patrick Ohly <patrick.ohly@intel.com>
3	Date: Tue, 15 Nov 2016 10:10:23 +0100
4	Subject: [PATCH] Revert "ima: limit file hash setting by user to fix and log
5	modes"
6
7	This reverts commit c68ed80c97d9720f51ef31fe91560fdd1e121533.
8
9	The original motivation was security hardening ("File hashes are
10	automatically set and updated and should not be manually set.")
11
12	However, that hardening ignores and breaks some valid use cases:
13	- File hashes might not be set because the file is currently
14	outside of the policy and therefore have to be set by the
15	creator. Examples:
16	- Booting into an initramfs with an IMA-enabled kernel but
17	without setting an IMA policy, then installing
18	the OS onto the target partition by unpacking a rootfs archive
19	which has the file hashes pre-computed.
20	- Unpacking a file into a staging area with meta data (like owner)
21	that leaves the file outside of the current policy, then changing
22	the meta data such that it becomes part of the current policy.
23	- "should not be set manually" implies that the creator is aware
24	of IMA semantic, the current system's configuration, and then
25	skips setting file hashes in security.ima if (and only if) the
26	kernel would prevent it. That's not the case for standard, unmodified
27	tools. Example: unpacking an archive with security.ima xattrs with
28	bsdtar or GNU tar.
29
30	Upstream-Status: Submitted [https://sourceforge.net/p/linux-ima/mailman/message/35492824/]
31
32	Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
33	---
34	security/integrity/ima/ima_appraise.c \| 8 ++------
35	1 file changed, 2 insertions(+), 6 deletions(-)
36
37	diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
38	index 4b9b4a4..b8b2dd9 100644
39	--- a/security/integrity/ima/ima_appraise.c
40	+++ b/security/integrity/ima/ima_appraise.c
41	@@ -385,14 +385,10 @@ int ima_inode_setxattr(struct dentry dentry, const char xattr_name,
42	result = ima_protect_xattr(dentry, xattr_name, xattr_value,
43	xattr_value_len);
44	if (result == 1) {
45	- bool digsig;
46	-
47	if (!xattr_value_len \|\| (xvalue->type >= IMA_XATTR_LAST))
48	return -EINVAL;
49	- digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG);
50	- if (!digsig && (ima_appraise & IMA_APPRAISE_ENFORCE))
51	- return -EPERM;
52	- ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
53	+ ima_reset_appraise_flags(d_backing_inode(dentry),
54	+ (xvalue->type == EVM_IMA_XATTR_DIGSIG) ? 1 : 0);
55	result = 0;
56	}
57	return result;
58	--
59	2.1.4
60


diff --git a/meta-integrity/recipes-kernel/linux/linux/ima.cfg b/meta-integrity/recipes-kernel/linux/linux/ima.cfg new file mode 100644 index 0000000..86fb3aa --- /dev/null +++ b/meta-integrity/recipes-kernel/linux/linux/ima.cfg
@@ -0,0 +1,46 @@
		1	CONFIG_SQUASHFS_XATTR=y
		2	CONFIG_KEYS=y
		3	CONFIG_ASYMMETRIC_KEY_TYPE=y
		4	CONFIG_SYSTEM_TRUSTED_KEYRING=y
		5	CONFIG_SYSTEM_TRUSTED_KEYS="${IMA_EVM_ROOT_CA}"
		6	CONFIG_SECONDARY_TRUSTED_KEYRING=y
		7	CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
		8	CONFIG_X509_CERTIFICATE_PARSER=y
		9	CONFIG_PKCS8_PRIVATE_KEY_PARSER=y
		10	CONFIG_CRYPTO_ECDSA=y
		11	CONFIG_SECURITY=y
		12	CONFIG_SECURITYFS=y
		13	CONFIG_INTEGRITY=y
		14	CONFIG_INTEGRITY_SIGNATURE=y
		15	CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
		16	CONFIG_INTEGRITY_TRUSTED_KEYRING=y
		17	CONFIG_IMA=y
		18	CONFIG_IMA_MEASURE_PCR_IDX=10
		19	CONFIG_IMA_LSM_RULES=y
		20	# CONFIG_IMA_TEMPLATE is not set
		21	# CONFIG_IMA_NG_TEMPLATE is not set
		22	CONFIG_IMA_SIG_TEMPLATE=y
		23	CONFIG_IMA_DEFAULT_TEMPLATE="ima-sig"
		24	# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
		25	CONFIG_IMA_DEFAULT_HASH_SHA256=y
		26	# CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
		27	CONFIG_IMA_DEFAULT_HASH="sha256"
		28	CONFIG_IMA_WRITE_POLICY=y
		29	CONFIG_IMA_READ_POLICY=y
		30	CONFIG_IMA_APPRAISE=y
		31	CONFIG_IMA_ARCH_POLICY=y
		32	CONFIG_IMA_APPRAISE_BUILD_POLICY=y
		33	CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS=y
		34	# CONFIG_IMA_APPRAISE_BOOTPARAM is not set
		35	# CONFIG_IMA_APPRAISE_MODSIG is not set
		36	CONFIG_IMA_TRUSTED_KEYRING=y
		37	CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
		38	# CONFIG_IMA_BLACKLIST_KEYRING is not set
		39	# CONFIG_IMA_LOAD_X509 is not set
		40	CONFIG_IMA_APPRAISE_SIGNED_INIT=y
		41	CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
		42	CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
		43	CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
		44	# CONFIG_IMA_DISABLE_HTABLE is not set
		45	CONFIG_EVM=y
		46	# CONFIG_EVM_LOAD_X509 is not set


diff --git a/meta-integrity/recipes-kernel/linux/linux/ima.scc b/meta-integrity/recipes-kernel/linux/linux/ima.scc new file mode 100644 index 0000000..6eb84b0 --- /dev/null +++ b/meta-integrity/recipes-kernel/linux/linux/ima.scc
@@ -0,0 +1,4 @@
		1	define KFEATURE_DESCRIPTION "Enable IMA"
		2
		3	kconf non-hardware ima.cfg
		4


diff --git a/meta-integrity/recipes-kernel/linux/linux_ima.inc b/meta-integrity/recipes-kernel/linux/linux_ima.inc index 3ab53e5..0b6f530 100644 --- a/meta-integrity/recipes-kernel/linux/linux_ima.inc +++ b/meta-integrity/recipes-kernel/linux/linux_ima.inc
@@ -1,4 +1,12 @@
1	KERNEL_FEATURES:append = " ${@bb.utils.contains("DISTRO_FEATURES", "ima", " features/ima/ima.scc", "" ,d)}"	1	FILESEXTRAPATHS:append := "${THISDIR}/linux:"
		2
		3	SRC_URI += " \
		4	${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'file://ima.scc', '', d)} \
		5	"
		6
		7	do_configure() {
		8	sed -i "s\|^CONFIG_SYSTEM_TRUSTED_KEYS=.*\|CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"\|" .config
		9	}
2		10
3	KERNEL_FEATURES:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' features/ima/modsign.scc', '', d)}"	11	KERNEL_FEATURES:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' features/ima/modsign.scc', '', d)}"
4		12