{
  "log": [
    {
      "commit": "a7f2a366f62319dfebf8d4dfe8b211f631c78457",
      "tree": "67e502cd2da52cc6c75d1fa9dcaed27fd05b86e2",
      "parents": [
        "a49f0d1ea3ec94fc7cf33a7c36a16343b74bd565"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Fri Dec 21 08:34:21 2012 -0500"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Dec 24 09:35:48 2012 -0500"
      },
      "message": "ima: fallback to MODULE_SIG_ENFORCE for existing kernel module syscall\n\nThe new kernel module syscall appraises kernel modules based\non policy.  If the IMA policy requires kernel module checking,\nfall back to module signature enforcing for the existing syscall.\nWithout CONFIG_MODULE_SIG_FORCE enabled, the kernel module\u0027s\nintegrity is unknown; return -EACCES.\n\nChangelog v1:\n- Fix ima_module_check() return result (Tetsuo Handa)\n\nReported-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nReviewed-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n"
    },
    {
      "commit": "fdf90729e57812cb12d7938e2dee7c71e875fb08",
      "tree": "0ec17c765406dedc37ac278823d50587d53d1525",
      "parents": [
        "1625cee56f8e6193b5a0809a414dfa395bd9cf1e"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Tue Oct 16 12:40:08 2012 +1030"
      },
      "committer": {
        "name": "Rusty Russell",
        "email": "rusty@rustcorp.com.au",
        "time": "Fri Dec 14 13:05:26 2012 +1030"
      },
      "message": "ima: support new kernel module syscall\n\nWith the addition of the new kernel module syscall, which defines two\narguments - a file descriptor to the kernel module and a pointer to a NULL\nterminated string of module arguments - it is now possible to measure and\nappraise kernel modules like any other file on the file system.\n\nThis patch adds support to measure and appraise kernel modules in an\nextensible and consistent manner.\n\nTo support filesystems without extended attribute support, additional\npatches could pass the signature as the first parameter.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: Rusty Russell \u003crusty@rustcorp.com.au\u003e\n"
    },
    {
      "commit": "d26e1936227b538a1691b978566ef269aef10853",
      "tree": "c1b803d6177f6c39932a159c7bdb2c557497e16f",
      "parents": [
        "ecefbd94b834fa32559d854646d777c56749ef1c"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Thu Sep 27 18:26:53 2012 +0300"
      },
      "committer": {
        "name": "James Morris",
        "email": "james.l.morris@oracle.com",
        "time": "Fri Oct 05 22:32:16 2012 +1000"
      },
      "message": "ima: fix bug in argument order\n\nmask argument goes first, then func, like ima_must_measure\nand ima_get_action. ima_inode_post_setattr() assumes that.\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: James Morris \u003cjames.l.morris@oracle.com\u003e\n"
    },
    {
      "commit": "88265322c14cce39f7afbc416726ef4fac413298",
      "tree": "e4956f905ef617971f87788d8f8a09dbb66b70a3",
      "parents": [
        "65b99c74fdd325d1ffa2e5663295888704712604",
        "bf5308344527d015ac9a6d2bda4ad4d40fd7d943"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Oct 02 21:38:48 2012 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Oct 02 21:38:48 2012 -0700"
      },
      "message": "Merge branch \u0027next\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security\n\nPull security subsystem updates from James Morris:\n \"Highlights:\n\n   - Integrity: add local fs integrity verification to detect offline\n     attacks\n   - Integrity: add digital signature verification\n   - Simple stacking of Yama with other LSMs (per LSS discussions)\n   - IBM vTPM support on ppc64\n   - Add new driver for Infineon I2C TIS TPM\n   - Smack: add rule revocation for subject labels\"\n\nFixed conflicts with the user namespace support in kernel/auditsc.c and\nsecurity/integrity/ima/ima_policy.c.\n\n* \u0027next\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (39 commits)\n  Documentation: Update git repository URL for Smack userland tools\n  ima: change flags container data type\n  Smack: setprocattr memory leak fix\n  Smack: implement revoking all rules for a subject label\n  Smack: remove task_wait() hook.\n  ima: audit log hashes\n  ima: generic IMA action flag handling\n  ima: rename ima_must_appraise_or_measure\n  audit: export audit_log_task_info\n  tpm: fix tpm_acpi sparse warning on different address spaces\n  samples/seccomp: fix 31 bit build on s390\n  ima: digital signature verification support\n  ima: add support for different security.ima data types\n  ima: add ima_inode_setxattr/removexattr function and calls\n  ima: add inode_post_setattr call\n  ima: replace iint spinblock with rwlock/read_lock\n  ima: allocating iint improvements\n  ima: add appraise action keywords and default rules\n  ima: integrity appraisal extension\n  vfs: move ima_file_free before releasing the file\n  ...\n"
    },
    {
      "commit": "8b94eea4bfb8df693c5b35d08b74f13cfb92f3de",
      "tree": "908ffbf4f0bb117ca47346712dc0e57f6434cda1",
      "parents": [
        "cf9c93526f4517581a9e8f1c0d9093a4c7748ec6"
      ],
      "author": {
        "name": "Eric W. Biederman",
        "email": "ebiederm@xmission.com",
        "time": "Fri May 25 18:24:12 2012 -0600"
      },
      "committer": {
        "name": "Eric W. Biederman",
        "email": "ebiederm@xmission.com",
        "time": "Fri Sep 21 03:13:24 2012 -0700"
      },
      "message": "userns: Add user namespace support to IMA\n\nUse kuids in the IMA rules.\n\nWhen reporting the current uid in audit logs, use from_kuid\nto get a usable value.\n\nCc: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: Serge Hallyn \u003cserge.hallyn@canonical.com\u003e\nSigned-off-by: Eric W. Biederman \u003cebiederm@xmission.com\u003e\n"
    },
    {
      "commit": "cf9c93526f4517581a9e8f1c0d9093a4c7748ec6",
      "tree": "9e9eba640d957fe83e081602f7c227480fb413b5",
      "parents": [
        "29f82ae56e8798f7907d60145e0186082800d130"
      ],
      "author": {
        "name": "Eric W. Biederman",
        "email": "ebiederm@xmission.com",
        "time": "Fri May 25 18:22:35 2012 -0600"
      },
      "committer": {
        "name": "Eric W. Biederman",
        "email": "ebiederm@xmission.com",
        "time": "Fri Sep 21 03:13:24 2012 -0700"
      },
      "message": "userns: Convert EVM to deal with kuids and kgids in its hmac computation\n\nCc: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: Serge Hallyn \u003cserge.hallyn@canonical.com\u003e\nSigned-off-by: Eric W. Biederman \u003cebiederm@xmission.com\u003e\n"
    },
    {
      "commit": "0a72ba7aff26fb6e918cee6d2bbfd289069f10ae",
      "tree": "4263886ae20b6875153c20513b607e6208e8a3f6",
      "parents": [
        "46a2f3b9e99353cc63e15563e8abee71162330f7"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Wed Sep 19 15:32:49 2012 +0300"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Wed Sep 19 08:55:20 2012 -0400"
      },
      "message": "ima: change flags container data type\n\nThe IMA audit hashes patches introduced new IMA flags and the required\nspace went beyond 8 bits. Currently the only flag is IMA_DIGSIG.\nThis patch uses a 16 bit short instead of an 8 bit char.\nWithout this fix the IMA signature will be replaced with a hash, which\nshould not happen.\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n"
    },
    {
      "commit": "e7c568e0fd0cf6d9c8ab8ea537ba8f3a3ae7c3d8",
      "tree": "f920b77b98c38e28dd2974564db102160e59f3e9",
      "parents": [
        "45e2472e67bf66f794d507b52e82af92e0614e49"
      ],
      "author": {
        "name": "Peter Moody",
        "email": "pmoody@google.com",
        "time": "Thu Jun 14 10:04:36 2012 -0700"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Thu Sep 13 14:48:44 2012 -0400"
      },
      "message": "ima: audit log hashes\n\nThis adds an \u0027audit\u0027 policy action which audit logs file measurements.\n\nChangelog v6:\n - use new action flag handling (Dmitry Kasatkin).\n - removed whitespace (Mimi)\n\nChangelog v5:\n - use audit_log_untrustedstring.\n\nChangelog v4:\n - cleanup digest -\u003e hash conversion.\n - use filename rather than d_path in ima_audit_measurement.\n\nChangelog v3:\n - Use newly exported audit_log_task_info for logging pid/ppid/uid/etc.\n - Update the ima_policy ABI documentation.\n\nChangelog v2:\n - Use \u0027audit\u0027 action rather than \u0027measure_and_audit\u0027 to permit\n auditing in the absence of measuring.\n\nChangelog v1:\n - Initial posting.\n\nSigned-off-by: Peter Moody \u003cpmoody@google.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n"
    },
    {
      "commit": "45e2472e67bf66f794d507b52e82af92e0614e49",
      "tree": "4b3ba557d4f9da9bca14ce85bee965e4a9fcd6ac",
      "parents": [
        "d9d300cdb6f233c4c591348919c758062198a4f4"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Wed Sep 12 20:51:32 2012 +0300"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Thu Sep 13 14:23:57 2012 -0400"
      },
      "message": "ima: generic IMA action flag handling\n\nMake the IMA action flag handling generic in order to support\nadditional new actions, without requiring changes to the base\nimplementation.  New actions, like audit logging, will only\nneed to modify the define statements.\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n"
    },
    {
      "commit": "d9d300cdb6f233c4c591348919c758062198a4f4",
      "tree": "2a00e8e9100b1d799e5b779008ad0081e7fe5264",
      "parents": [
        "e23eb920b0f3978687c497de2ac3eb9e281dab32"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Wed Jun 27 11:26:14 2012 +0300"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Wed Sep 12 07:28:05 2012 -0400"
      },
      "message": "ima: rename ima_must_appraise_or_measure\n\nWhen AUDIT action support is added to the IMA,\nima_must_appraise_or_measure() does not reflect the real meaning anymore.\nRename it to ima_get_action().\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n"
    },
    {
      "commit": "8606404fa555c2ee691376fcc640ab89fe752035",
      "tree": "4b2d2e43b7ad196b46757faff10d04803381a543",
      "parents": [
        "5a44b41207174e1882ce0c24a752f4cfb65dab07"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Wed Aug 31 14:07:06 2011 +0300"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Fri Sep 07 14:57:48 2012 -0400"
      },
      "message": "ima: digital signature verification support\n\nThis patch adds support for digital signature based integrity appraisal.\nWith this patch, \u0027security.ima\u0027 contains either the file data hash or\na digital signature of the file data hash. The file data hash provides\nthe security attribute of file integrity. In addition to file integrity,\na digital signature provides the security attribute of authenticity.\n\nUnlike EVM, where the digital signature is replaced with an HMAC when\nthe file metadata changes, modification of the file data does not cause the\n\u0027security.ima\u0027 digital signature to be replaced with a hash. As a\nresult, after any modification, subsequent file integrity appraisals\nwould fail.\n\nAlthough digitally signed files can be modified, by not updating\n\u0027security.ima\u0027 to reflect these modifications, digitally signed files\ncould in essence be considered \u0027immutable\u0027.\n\nIMA uses a different keyring than EVM. While the EVM keyring should not\nbe updated after initialization and locked, the IMA keyring should allow\nupdating or adding new keys when upgrading or installing packages.\n\nChangelog v4:\n- Change IMA_DIGSIG to hex equivalent\nChangelog v3:\n- Permit files without any \u0027security.ima\u0027 xattr to be labeled properly.\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n"
    },
    {
      "commit": "5a44b41207174e1882ce0c24a752f4cfb65dab07",
      "tree": "a5426be63a4f165f3ce15d1e61d8fd10f37fd8c3",
      "parents": [
        "42c63330f2b05aa6077c1bfc2798c04afe54f6b2"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Jan 09 22:59:36 2012 -0500"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Fri Sep 07 14:57:47 2012 -0400"
      },
      "message": "ima: add support for different security.ima data types\n\nIMA-appraisal currently verifies the integrity of a file based on a\nknown \u0027good\u0027 measurement value.  This patch reserves the first byte\nof \u0027security.ima\u0027 as a place holder for the type of method used for\nverifying file data integrity.\n\nChangelog v1:\n- Use the newly defined \u0027struct evm_ima_xattr_data\u0027\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@nokia.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n"
    },
    {
      "commit": "42c63330f2b05aa6077c1bfc2798c04afe54f6b2",
      "tree": "bbd7d212ba9c686b2b649718b8b919bdd2eecea4",
      "parents": [
        "9957a5043e7b0b7361cdf48eea22b2900293e63a"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Thu Mar 10 18:54:15 2011 -0500"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Fri Sep 07 14:57:47 2012 -0400"
      },
      "message": "ima: add ima_inode_setxattr/removexattr function and calls\n\nBased on xattr_permission comments, the restriction to modify \u0027security\u0027\nxattr is left up to the underlying fs or lsm. Ensure that not just anyone\ncan modify or remove \u0027security.ima\u0027.\n\nChangelog v1:\n- Unless IMA-APPRAISE is configured, use stub ima_inode_removexattr()/setxattr()\n  functions.  (Moved ima_inode_removexattr()/setxattr() to ima_appraise.c)\n\nChangelog:\n  - take i_mutex to fix locking (Dmitry Kasatkin)\n  - ima_reset_appraise_flags should only be called when modifying or\n    removing the \u0027security.ima\u0027 xattr. Requires CAP_SYS_ADMIN privilege.\n    (Incorporated fix from Roberto Sassu)\n  - Even if allowed to update security.ima, reset the appraisal flags,\n    forcing re-appraisal.\n  - Replace CAP_MAC_ADMIN with CAP_SYS_ADMIN\n  - static inline ima_inode_setxattr()/ima_inode_removexattr() stubs\n  - ima_protect_xattr should be static\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\n"
    },
    {
      "commit": "a10bf26b2f53242836e9362c6c9c857b627b82a9",
      "tree": "98c7b83684f1df42571013af4c0572c7eeea8e76",
      "parents": [
        "bf2276d10ce58ff44ab8857266a6718024496af6"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Wed Feb 08 14:15:42 2012 -0500"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Fri Sep 07 14:57:46 2012 -0400"
      },
      "message": "ima: replace iint spinlock with rwlock/read_lock\n\nFor performance, replace the iint spinlock with rwlock/read_lock.\n\nEric Paris questioned this change, from spinlocks to rwlocks, saying\n\"rwlocks have been shown to actually be slower on multi processor\nsystems in a number of cases due to the cache line bouncing required.\"\n\nBased on performance measurements compiling the kernel on a cold\nboot with multiple jobs with/without this patch, Dmitry Kasatkin\nand I found that rwlocks performed better than spinlocks, but very\ninsignificantly.  For example with total compilation time around 6\nminutes, with rwlocks time was 1 - 3 seconds shorter... but always\nlike that.\n\nChangelog v2:\n- new patch taken from the \u0027allocating iint improvements\u0027 patch\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n"
    },
    {
      "commit": "bf2276d10ce58ff44ab8857266a6718024496af6",
      "tree": "7be39c026fd30856248f68c964d0f1e2ae703c25",
      "parents": [
        "07f6a79415d7d502ee0c7d02ace6594a7be7429a"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Wed Oct 19 12:04:40 2011 +0300"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Fri Sep 07 14:57:45 2012 -0400"
      },
      "message": "ima: allocating iint improvements\n\nWith IMA-appraisal\u0027s removal of the iint mutex and taking the i_mutex\ninstead, allocating the iint becomes a lot simpler, as we don\u0027t need\nto be concerned with two processes racing to allocate the iint. This\npatch cleans up and improves performance for allocating the iint.\n\n- removed redundant double i_mutex locking\n- combined iint allocation with tree search\n\nChangelog v2:\n- removed the rwlock/read_lock changes from this patch\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n"
    },
    {
      "commit": "07f6a79415d7d502ee0c7d02ace6594a7be7429a",
      "tree": "af2a9b3bb84ab621cbf11ab609dd8cc3566f2b12",
      "parents": [
        "2fe5d6def1672ae6635dd71867bf36dcfaa7434b"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Wed Mar 09 22:25:48 2011 -0500"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Fri Sep 07 14:57:45 2012 -0400"
      },
      "message": "ima: add appraise action keywords and default rules\n\nUnlike the IMA measurement policy, the appraise policy can not be dependent\non runtime process information, such as the task uid, as the \u0027security.ima\u0027\nxattr is written on file close and must be updated each time the file changes,\nregardless of the current task uid.\n\nThis patch extends the policy language with \u0027fowner\u0027, defines an appraise\npolicy, which appraises all files owned by root, and defines \u0027ima_appraise_tcb\u0027,\na new boot command line option, to enable the appraise policy.\n\nChangelog v3:\n- separate the measure from the appraise rules in order to support measuring\n  without appraising and appraising without measuring.\n- change appraisal default for filesystems without xattr support to fail\n- update default appraise policy for cgroups\n\nChangelog v1:\n- don\u0027t appraise RAMFS (Dmitry Kasatkin)\n- merged rest of \"ima: ima_must_appraise_or_measure API change\" commit\n  (Dmitry Kasatkin)\n\n  ima_must_appraise_or_measure() called ima_match_policy twice, which\n  searched the policy for a matching rule.  Once for a matching measurement\n  rule and subsequently for an appraisal rule. Searching the policy twice\n  is unnecessary overhead, which could be noticeable with a large policy.\n\n  The new version of ima_must_appraise_or_measure() does everything in a\n  single iteration using a new version of ima_match_policy().  It returns\n  IMA_MEASURE, IMA_APPRAISE mask.\n\n  With the use of action mask only one efficient matching function\n  is enough.  Removed other specific versions of matching functions.\n\nChangelog:\n- change \u0027owner\u0027 to \u0027fowner\u0027 to conform to the new LSM conditions posted by\n  Roberto Sassu.\n- fix calls to ima_log_string()\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\n"
    },
    {
      "commit": "2fe5d6def1672ae6635dd71867bf36dcfaa7434b",
      "tree": "f83878d309605440b5bc2d2d43a16ccece64c645",
      "parents": [
        "4199d35cbc90c15db447d115bd96ffa5f1d60d3a"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Feb 13 10:15:05 2012 -0500"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Fri Sep 07 14:57:44 2012 -0400"
      },
      "message": "ima: integrity appraisal extension\n\nIMA currently maintains an integrity measurement list used to assert the\nintegrity of the running system to a third party.  The IMA-appraisal\nextension adds local integrity validation and enforcement of the\nmeasurement against a \"good\" value stored as an extended attribute\n\u0027security.ima\u0027.  The initial methods for validating \u0027security.ima\u0027 are\nhash based, which provides file data integrity, and digital signature\nbased, which in addition to providing file data integrity, provides\nauthenticity.\n\nThis patch creates and maintains the \u0027security.ima\u0027 xattr, containing\nthe file data hash measurement.  Protection of the xattr is provided by\nEVM, if enabled and configured.\n\nBased on policy, IMA calls evm_verifyxattr() to verify a file\u0027s metadata\nintegrity and, assuming success, compares the file\u0027s current hash value\nwith the one stored as an extended attribute in \u0027security.ima\u0027.\n\nChangelog v4:\n- changed iint cache flags to hex values\n\nChangelog v3:\n- change appraisal default for filesystems without xattr support to fail\n\nChangelog v2:\n- fix audit msg \u0027res\u0027 value\n- removed unused \u0027ima_appraise\u003d\u0027 values\n\nChangelog v1:\n- removed unused iint mutex (Dmitry Kasatkin)\n- setattr hook must not reset appraised (Dmitry Kasatkin)\n- evm_verifyxattr() now differentiates between no \u0027security.evm\u0027 xattr\n  (INTEGRITY_NOLABEL) and no EVM \u0027protected\u0027 xattrs included in the\n  \u0027security.evm\u0027 (INTEGRITY_NOXATTRS).\n- replace hash_status with ima_status (Dmitry Kasatkin)\n- re-initialize slab element ima_status on free (Dmitry Kasatkin)\n- include \u0027security.ima\u0027 in EVM if CONFIG_IMA_APPRAISE, not CONFIG_IMA\n- merged half \"ima: ima_must_appraise_or_measure API change\" (Dmitry Kasatkin)\n- removed unnecessary error variable in process_measurement() (Dmitry Kasatkin)\n- use ima_inode_post_setattr() stub function, if IMA_APPRAISE not configured\n  (moved ima_inode_post_setattr() to ima_appraise.c)\n- make sure ima_collect_measurement() can read file\n\nChangelog:\n- add \u0027iint\u0027 to evm_verifyxattr() call (Dmitry Kasatkin)\n- fix the race condition between chmod, which takes the i_mutex and then\n  iint-\u003emutex, and ima_file_free() and process_measurement(), which take\n  the locks in the reverse order, by eliminating iint-\u003emutex. (Dmitry Kasatkin)\n- cleanup of ima_appraise_measurement() (Dmitry Kasatkin)\n- changes as a result of the iint not allocated for all regular files, but\n  only for those measured/appraised.\n- don\u0027t try to appraise new/empty files\n- expanded ima_appraisal description in ima/Kconfig\n- IMA appraise definitions required even if IMA_APPRAISE not enabled\n- add return value to ima_must_appraise() stub\n- unconditionally set status \u003d INTEGRITY_PASS *after* testing status,\n  not before.  (Found by Joe Perches)\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\n"
    },
    {
      "commit": "20328b56cdf8fcc79f28c6c50ad8190fc0779e80",
      "tree": "e8c38d27456bda5b112f0edccf63757e7098d997",
      "parents": [
        "c5df39262dd59dbbffb1017fca0f1661408ac9d5"
      ],
      "author": {
        "name": "Kent Yoder",
        "email": "key@linux.vnet.ibm.com",
        "time": "Wed Aug 22 15:01:47 2012 -0500"
      },
      "committer": {
        "name": "Kent Yoder",
        "email": "key@linux.vnet.ibm.com",
        "time": "Wed Aug 22 16:23:23 2012 -0500"
      },
      "message": "ima: enable the IBM vTPM as the default TPM in the PPC64 case\n\nEnable tpm_ibmvtpm driver by default when IMA is enabled on PPC64\n\nSigned-off-by: Kent Yoder \u003ckey@linux.vnet.ibm.com\u003e\n"
    },
    {
      "commit": "417c6c8ee2eb6975f357d8975af94ba5fbeaf82d",
      "tree": "02af1e4363f415bfaa45c50a530cee78ecdf87b8",
      "parents": [
        "7ff2267af595e642f1009198ab49e86a239148fa"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Mon Jun 25 12:18:21 2012 +0300"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Thu Jul 05 16:43:59 2012 -0400"
      },
      "message": "ima: audit is compiled only when enabled\n\nIMA auditing code was compiled even when CONFIG_AUDIT was not enabled.\nThis patch compiles auditing code only when possible and enabled.\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n"
    },
    {
      "commit": "7ff2267af595e642f1009198ab49e86a239148fa",
      "tree": "bd9187795ee24b4a339593caff40ea677e706e17",
      "parents": [
        "8445d64dd761440fb5c73a2abba25009f4bf0e4c"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Mon Jun 25 12:18:11 2012 +0300"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Thu Jul 05 16:43:57 2012 -0400"
      },
      "message": "ima: ima_initialized is set only if successful\n\nSet ima_initialized only if initialization was successful.\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n"
    },
    {
      "commit": "8445d64dd761440fb5c73a2abba25009f4bf0e4c",
      "tree": "1529319b3b3fed827a02b5b8fafcd367045d540c",
      "parents": [
        "c7de7adc18241a0eb10a6e1fed7cb1e01f53c85a"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Mon Jun 25 12:18:09 2012 +0300"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Thu Jul 05 16:42:33 2012 -0400"
      },
      "message": "ima: add policy for pseudo fs\n\nExclude DEVPTS and BINFMT filesystems from the measurement policy.\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n"
    },
    {
      "commit": "c7de7adc18241a0eb10a6e1fed7cb1e01f53c85a",
      "tree": "2b79a44399e29c7d20397ec5188b42528f8c90d5",
      "parents": [
        "0ea4f8ae416a9e8d15f4e20680879358f620e8b8"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Mon Jun 25 12:18:10 2012 +0300"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Jul 02 16:43:30 2012 -0400"
      },
      "message": "ima: remove unused cleanup functions\n\nIMA cannot be used as module and does not need __exit functions.\nRemoved them.\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n"
    },
    {
      "commit": "0ea4f8ae416a9e8d15f4e20680879358f620e8b8",
      "tree": "68c03378249e4d3c543f5c6bf3833774a3c58adb",
      "parents": [
        "08e1b76ae399a010c0d0916b125d75aed6961d16"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Sun Jan 29 19:19:08 2012 -0500"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Jul 02 16:43:30 2012 -0400"
      },
      "message": "ima: free securityfs violations file\n\nOn ima_fs_init() error, free securityfs violations file.\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n"
    },
    {
      "commit": "08e1b76ae399a010c0d0916b125d75aed6961d16",
      "tree": "88806da1802a75d3edbb46436bb509150177eb76",
      "parents": [
        "659b5e76521c10331495cbd9acb7217e38ff9750"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Wed Jun 20 09:32:55 2012 -0400"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Jul 02 16:43:29 2012 -0400"
      },
      "message": "ima: use full pathnames in measurement list\n\nThe IMA measurement list contains filename hints, which can be\nambiguous without the full pathname.  This patch replaces the\nfilename hint with the full pathname, simplifying for userspace\nthe correlating of file hash measurements with files.\n\nChangelog v1:\n- Revert to short filenames, when full pathname is longer than IMA\n  measurement buffer size. (Based on Dmitry\u0027s review)\n\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n"
    },
    {
      "commit": "fbbb456347b21279a379b42eeb31151c33d8dd49",
      "tree": "d1d5debe01e000fd38f2af8232d342a054b754a4",
      "parents": [
        "12fa8a2732e6d0bb42c311f76250f7871d042df8"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@us.ibm.com",
        "time": "Mon May 14 21:50:11 2012 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "james.l.morris@oracle.com",
        "time": "Wed May 16 10:36:41 2012 +1000"
      },
      "message": "ima: fix filename hint to reflect script interpreter name\n\nWhen IMA was first upstreamed, the bprm filename and interp were\nalways the same.  Currently, the bprm-\u003efilename and bprm-\u003einterp\nare the same, except for when only bprm-\u003einterp contains the\ninterpreter name.  So instead of using the bprm-\u003efilename as\nthe IMA filename hint in the measurement list, we could replace\nit with bprm-\u003einterp, but this feels too fragile.\n\nThe following patch is not much better, but at least there is some\nindication that sometimes we\u0027re passing the filename and other times\nthe interpreter name.\n\nReported-by: Andrew Lunn \u003candrew@lunn.ch\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: James Morris \u003cjames.l.morris@oracle.com\u003e\n"
    },
    {
      "commit": "a69f15890292b5449f9056b4bb322b044e6ce0c6",
      "tree": "7a37f3826e958787ca7d78603c9031d29558f43f",
      "parents": [
        "28042fabf43b9a8ccfaa38f8c8187cc525e53fd3"
      ],
      "author": {
        "name": "Randy Dunlap",
        "email": "rdunlap@xenotime.net",
        "time": "Fri Feb 24 11:28:05 2012 -0800"
      },
      "committer": {
        "name": "James Morris",
        "email": "james.l.morris@oracle.com",
        "time": "Tue Feb 28 11:01:15 2012 +1100"
      },
      "message": "security: fix ima kconfig warning\n\nFix IMA kconfig warning on non-X86 architectures:\n\nwarning: (IMA) selects TCG_TIS which has unmet direct dependencies\n(TCG_TPM \u0026\u0026 X86)\n\nSigned-off-by: Randy Dunlap \u003crdunlap@xenotime.net\u003e\nReported-by: Geert Uytterhoeven \u003cgeert@linux-m68k.org\u003e\nAcked-by: Rajiv Andrade \u003csrajiv@linux.vnet.ibm.com\u003e\nSigned-off-by: James Morris \u003cjames.l.morris@oracle.com\u003e\n"
    },
    {
      "commit": "b0d5de4d58803bbcce2b8175a8dd21c559a3abc1",
      "tree": "08213154dd13ab28eac64e9a87b3a8b7e5660381",
      "parents": [
        "bf06189e4d14641c0148bea16e9dd24943862215"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Tue Feb 14 17:11:07 2012 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Feb 16 12:01:42 2012 +1100"
      },
      "message": "IMA: fix audit res field to indicate 1 for success and 0 for failure\n\nThe audit res field usually indicates success with a 1 and 0 for a\nfailure.  So make IMA do it the same way.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "9e3ff38647a316e4f92d59b14c8f0eb13b33bb2c",
      "tree": "2750d9fc94b8fb78d9982ea4a62d586e7f0a7862",
      "parents": [
        "2eb6038c51034bf7f9335b15ce9238a028fdd2d6",
        "4c2c392763a682354fac65b6a569adec4e4b5387"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Feb 09 17:02:34 2012 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Feb 09 17:02:34 2012 +1100"
      },
      "message": "Merge branch \u0027next-queue\u0027 into next\n"
    },
    {
      "commit": "4c2c392763a682354fac65b6a569adec4e4b5387",
      "tree": "490b840399ed1e010561f4b97018f3c0a3caf8b6",
      "parents": [
        "f4a0391dfa91155bd961673b31eb42d9d45c799d"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Tue Oct 18 14:16:28 2011 +0300"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Thu Jan 19 21:30:21 2012 -0500"
      },
      "message": "ima: policy for RAMFS\n\nDon\u0027t measure ramfs files.\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n"
    },
    {
      "commit": "f4a0391dfa91155bd961673b31eb42d9d45c799d",
      "tree": "21186b7a48986afa47115cefaf9d385fb9f8dcf7",
      "parents": [
        "700920eb5ba4de5417b446c9a8bb008df2b973e0"
      ],
      "author": {
        "name": "Fabio Estevam",
        "email": "festevam@gmail.com",
        "time": "Thu Jan 05 12:49:54 2012 -0200"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Thu Jan 19 21:30:09 2012 -0500"
      },
      "message": "ima: fix Kconfig dependencies\n\nFix the following build warning:\nwarning: (IMA) selects TCG_TPM which has unmet direct dependencies\n(HAS_IOMEM \u0026\u0026 EXPERIMENTAL)\n\nSuggested-by: Rajiv Andrade \u003csrajiv@linux.vnet.ibm.com\u003e\nSigned-off-by: Fabio Estevam \u003cfabio.estevam@freescale.com\u003e\nSigned-off-by: Rajiv Andrade \u003csrajiv@linux.vnet.ibm.com\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n"
    },
    {
      "commit": "3db59dd93309710c40aaf1571c607cb0feef3ecb",
      "tree": "6a224a855aad0e5207abae573456b2d2ec381f7c",
      "parents": [
        "4bf1924c008dffdc154f82507b4052e49263a6f4"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Tue Jan 17 22:11:28 2012 -0500"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Jan 19 15:59:11 2012 +1100"
      },
      "message": "ima: fix cred sparse warning\n\nFix ima_policy.c sparse \"warning: dereference of noderef expression\"\nmessage, by accessing cred-\u003euid using current_cred().\n\nChangelog v1:\n- Change __cred to just cred (based on David Howell\u0027s comment)\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "a25a2b84098eb5e001cb8086603d692aa95bf2ec",
      "tree": "02c01b36251f7b0afb1a98093e14efb17d015910",
      "parents": [
        "f429ee3b808118591d1f3cdf3c0d0793911a5677",
        "f1be242c95257b199d8b679bc952ca33487c9af6"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Jan 17 16:43:39 2012 -0800"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Jan 17 16:43:39 2012 -0800"
      },
      "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:\n  integrity: digital signature config option name change\n  lib: Removed MPILIB, MPILIB_EXTRA, and SIGNATURE prompts\n  lib: MPILIB Kconfig description update\n  lib: digital signature dependency fix\n  lib: digital signature config option name change\n  encrypted-keys: fix rcu and sparse messages\n  keys: fix trusted/encrypted keys sparse rcu_assign_pointer messages\n  KEYS: Add missing smp_rmb() primitives to the keyring search code\n  TOMOYO: Accept \\000 as a valid character.\n  security: update MAINTAINERS file with new git repo\n"
    },
    {
      "commit": "f1be242c95257b199d8b679bc952ca33487c9af6",
      "tree": "fa3a1057bbd9caedca959c1fa3811413bf101d7d",
      "parents": [
        "2e5f094b9dbf9463ab93f86351cd1a8dc88942cc"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Tue Jan 17 17:12:07 2012 +0200"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Jan 18 10:46:27 2012 +1100"
      },
      "message": "integrity: digital signature config option name change\n\nSimilar to SIGNATURE, rename INTEGRITY_DIGSIG to INTEGRITY_SIGNATURE.\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "5e8898e97a5db4125d944070922164d1d09a2689",
      "tree": "a5319fcc60499e63fecc7a08d923a1de8f9c7622",
      "parents": [
        "6ac6172a935d1faf7ef259802267657bc0007a62"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Tue Jan 17 17:12:03 2012 +0200"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Jan 18 10:46:21 2012 +1100"
      },
      "message": "lib: digital signature config option name change\n\nIt was reported that DIGSIG is confusing name for digital signature\nmodule. It was suggested to rename DIGSIG to SIGNATURE.\n\nRequested-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSuggested-by: Pavel Machek \u003cpavel@ucw.cz\u003e\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "41fdc3054e23e3229edea27053522fe052d02ec2",
      "tree": "00bb62aef2288df07eae059f344d11d32b004f69",
      "parents": [
        "5afb8a3f96573f7ea018abb768f5b6ebe1a6c1a4"
      ],
      "author": {
        "name": "Kees Cook",
        "email": "keescook@chromium.org",
        "time": "Sat Jan 07 10:41:04 2012 -0800"
      },
      "committer": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Tue Jan 17 16:17:03 2012 -0500"
      },
      "message": "audit: treat s_id as an untrusted string\n\nThe use of s_id should go through the untrusted string path, just to be\nextra careful.\n\nSigned-off-by: Kees Cook \u003ckeescook@chromium.org\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n"
    },
    {
      "commit": "8fcc99549522fc7a0bbaeb5755855ab0d9a59ce8",
      "tree": "a118eaef15d4ba22247f45ee01537ecc906cd161",
      "parents": [
        "805a6af8dba5dfdd35ec35dc52ec0122400b2610",
        "7b7e5916aa2f46e57f8bd8cb89c34620ebfda5da"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jan 09 12:16:48 2012 +1100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Jan 09 12:16:48 2012 +1100"
      },
      "message": "Merge branch \u0027next\u0027 into for-linus\n\nConflicts:\n\tsecurity/integrity/evm/evm_crypto.c\n\nResolved upstream fix vs. next conflict manually.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "97426f985729573cea06e82e271cc3929f1f5f8e",
      "tree": "4aafe725018a95dc5c76ede5199d24aea524b060",
      "parents": [
        "d21b59451886cb82448302f8d6f9ac87c3bd56cf"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Mon Dec 05 13:17:42 2011 +0200"
      },
      "committer": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Tue Dec 20 17:50:08 2011 +0200"
      },
      "message": "evm: prevent racing during tfm allocation\n\nThere is a small chance of racing during tfm allocation.\nThis patch fixes it.\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "d21b59451886cb82448302f8d6f9ac87c3bd56cf",
      "tree": "f2842dca9ee3c2c3febbe2f6984bb2c5e2a34c28",
      "parents": [
        "511585a28e5b5fd1cac61e601e42efc4c5dd64b5"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Mon Dec 05 13:17:41 2011 +0200"
      },
      "committer": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Tue Dec 20 17:45:45 2011 +0200"
      },
      "message": "evm: key must be set once during initialization\n\nOn multi-core systems, setting of the key before every calculation\ncauses invalid HMAC calculation for other tfm users, because internal\nstate (ipad, opad) can be invalid before set key call returns.\nIt needs to be set only once during initialization.\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "7b7e5916aa2f46e57f8bd8cb89c34620ebfda5da",
      "tree": "af324024e68047b9fff7ddf49c3e8f8e6024792e",
      "parents": [
        "45fae7493970d7c45626ccd96d4a74f5f1eea5a9"
      ],
      "author": {
        "name": "Roberto Sassu",
        "email": "roberto.sassu@polito.it",
        "time": "Mon Dec 19 15:57:28 2011 +0100"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Dec 19 22:07:54 2011 -0500"
      },
      "message": "ima: fix invalid memory reference\n\nDon\u0027t free a valid measurement entry on TPM PCR extend failure.\n\nSigned-off-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nCc: stable@vger.kernel.org\n"
    },
    {
      "commit": "45fae7493970d7c45626ccd96d4a74f5f1eea5a9",
      "tree": "0c7bdd82bfcb4bd921a64abb441ca5c20c82a3df",
      "parents": [
        "114d6e9c103736487c967060d0a7aec9a7fce967"
      ],
      "author": {
        "name": "Roberto Sassu",
        "email": "roberto.sassu@polito.it",
        "time": "Mon Dec 19 15:57:27 2011 +0100"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Dec 19 22:04:32 2011 -0500"
      },
      "message": "ima: free duplicate measurement memory\n\nInfo about new measurements are cached in the iint for performance.  When\nthe inode is flushed from cache, the associated iint is flushed as well.\nSubsequent access to the inode will cause the inode to be re-measured and\nwill attempt to add a duplicate entry to the measurement list.\n\nThis patch frees the duplicate measurement memory, fixing a memory leak.\n\nSigned-off-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nCc: stable@vger.kernel.org\n"
    },
    {
      "commit": "143b01d33221e4937d3930e6bb2b63d70b7c7a65",
      "tree": "5cae452fecfd8b1fb6b0ae1f159929ada81d8b1f",
      "parents": [
        "88d7ed35085184f15a2af3d9e88d775059b2f307"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Mon Dec 05 13:17:42 2011 +0200"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Dec 08 10:06:12 2011 +1100"
      },
      "message": "evm: prevent racing during tfm allocation\n\nThere is a small chance of racing during tfm allocation.\nThis patch fixes it.\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "88d7ed35085184f15a2af3d9e88d775059b2f307",
      "tree": "f02d2530e0f665fea4c5b240404f7767d39f47bf",
      "parents": [
        "fe0e94c5a7e5335ba0d200e7d3e26e9f80cda4b1"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Mon Dec 05 13:17:41 2011 +0200"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Dec 08 10:06:09 2011 +1100"
      },
      "message": "evm: key must be set once during initialization\n\nOn multi-core systems, setting of the key before every calculation\ncauses invalid HMAC calculation for other tfm users, because internal\nstate (ipad, opad) can be invalid before set key call returns.\nIt needs to be set only once during initialization.\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "de353533753e048b5c4658f0a42365937527ac45",
      "tree": "376ea9cb73de3691d4f907ad98f13f838742395e",
      "parents": [
        "4e2c5b28f8086cd2f678ade0ea21d8c3cc058c53"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Mon Nov 21 17:31:15 2011 +0200"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Nov 22 10:02:32 2011 +1100"
      },
      "message": "digsig: build dependency fix\n\nFix build errors by adding Kconfig dependency on KEYS.\nCRYPTO dependency removed.\n\n  CC      security/integrity/digsig.o\nsecurity/integrity/digsig.c: In function \u0027integrity_digsig_verify\u0027:\nsecurity/integrity/digsig.c:38:4: error: implicit declaration of function \u0027request_key\u0027\nsecurity/integrity/digsig.c:38:17: error: \u0027key_type_keyring\u0027 undeclared (first use in this function)\nsecurity/integrity/digsig.c:38:17: note: each undeclared identifier is reported only once for each function it appears in\nmake[2]: *** [security/integrity/digsig.o] Error 1\n\nReported-by: Randy Dunlap \u003crdunlap@xenotime.net\u003e\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "15647eb3985ef30dfd657038924dc85c03026733",
      "tree": "5d4629ef3b687ff56a446f42a8ee5aa35ec9322b",
      "parents": [
        "8607c501478432b23654739c7321bc7456053cb6"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Thu Sep 01 14:41:40 2011 +0300"
      },
      "committer": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Wed Nov 09 16:51:14 2011 +0200"
      },
      "message": "evm: digital signature verification support\n\nThis patch adds support for digital signature verification to EVM.\nWith this feature file metadata can be protected using digital\nsignature instead of an HMAC. When building an image,\nwhich has to be flashed to different devices, an HMAC cannot\nbe used to sign file metadata, because the HMAC key should be\ndifferent on every device.\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n"
    },
    {
      "commit": "8607c501478432b23654739c7321bc7456053cb6",
      "tree": "598ef1649a261954cb1cafc05189ddedb3bd3ff8",
      "parents": [
        "051dbb918c7fb7da8e64a2cd0d804ba73399709f"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Wed Oct 05 11:54:46 2011 +0300"
      },
      "committer": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Wed Nov 09 16:51:09 2011 +0200"
      },
      "message": "integrity: digital signature verification using multiple keyrings\n\nDefine separate keyrings for each of the different use cases - evm, ima,\nand modules. Using different keyrings improves search performance, and also\nallows \"locking\" specific keyring to prevent adding new keys.\nThis is useful for evm and module keyrings, when keys are usually only\nadded from initramfs.\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\n"
    },
    {
      "commit": "de0a5345a55b8dd5a4695181275df0e691176830",
      "tree": "17530e824f7f46ce0b1757657179fb5957a6add5",
      "parents": [
        "994c0e992522c123298b4a91b72f5e67ba2d1123",
        "8535639810e578960233ad39def3ac2157b0c3ec"
      ],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Wed Nov 02 09:45:39 2011 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Wed Nov 02 09:45:39 2011 -0700"
      },
      "message": "Merge branch \u0027for-linus\u0027 of git://github.com/richardweinberger/linux\n\n* \u0027for-linus\u0027 of git://github.com/richardweinberger/linux: (90 commits)\n  um: fix ubd cow size\n  um: Fix kmalloc argument order in um/vdso/vma.c\n  um: switch to use of drivers/Kconfig\n  UserModeLinux-HOWTO.txt: fix a typo\n  UserModeLinux-HOWTO.txt: remove ^H characters\n  um: we need sys/user.h only on i386\n  um: merge delay_{32,64}.c\n  um: distribute exports to where exported stuff is defined\n  um: kill system-um.h\n  um: generic ftrace.h will do...\n  um: segment.h is x86-only and needed only there\n  um: asm/pda.h is not needed anymore\n  um: hw_irq.h can go generic as well\n  um: switch to generic-y\n  um: clean Kconfig up a bit\n  um: a couple of missing dependencies...\n  um: kill useless argument of free_chan() and free_one_chan()\n  um: unify ptrace_user.h\n  um: unify KSTK_...\n  um: fix gcov build breakage\n  ...\n"
    },
    {
      "commit": "3369465ed1a6a9aa9b885a6d7d8e074ecbd782da",
      "tree": "ac60be76e1d363caab63156c1390f1ab0c4ee96c",
      "parents": [
        "c039aff672a540f8976770e74599d350de1805cb"
      ],
      "author": {
        "name": "Al Viro",
        "email": "viro@ftp.linux.org.uk",
        "time": "Thu Aug 18 20:11:59 2011 +0100"
      },
      "committer": {
        "name": "Richard Weinberger",
        "email": "richard@nod.at",
        "time": "Wed Nov 02 14:15:41 2011 +0100"
      },
      "message": "um: switch to use of drivers/Kconfig\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: Richard Weinberger \u003crichard@nod.at\u003e\n"
    },
    {
      "commit": "fb788d8b981fa55603873416882f8dcf835e7924",
      "tree": "023d8410571f27e8d10bf6fc0a4a088cb9368df6",
      "parents": [
        "566be59ab86c0e030b980645a580d683a015a483"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@intel.com",
        "time": "Mon Aug 15 15:30:11 2011 +0300"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Wed Sep 14 15:24:52 2011 -0400"
      },
      "message": "evm: clean verification status\n\nWhen allocating from slab, initialization is done the first time in\ninit_once() and subsequently on free.  Because evm_status was not\nre-initialized on free, evm_verify_hmac() skipped verifications.\n\nThis patch re-initializes evm_status.\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@intel.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n"
    },
    {
      "commit": "566be59ab86c0e030b980645a580d683a015a483",
      "tree": "c5d29c7db2f8ef93e970cb405621f59c57d01b94",
      "parents": [
        "bf6d0f5dcda17df3cc5577e203d0f8ea1c2ad6aa"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Aug 22 09:14:18 2011 -0400"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Wed Sep 14 15:24:52 2011 -0400"
      },
      "message": "evm: permit mode bits to be updated\n\nBefore permitting \u0027security.evm\u0027 to be updated, \u0027security.evm\u0027 must\nexist and be valid.  In the case that there are no existing EVM protected\nxattrs, it is safe for posix acls to update the mode bits.\n\nTo differentiate between no \u0027security.evm\u0027 xattr and no xattrs used to\ncalculate \u0027security.evm\u0027, this patch defines INTEGRITY_NOXATTR.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n"
    },
    {
      "commit": "bf6d0f5dcda17df3cc5577e203d0f8ea1c2ad6aa",
      "tree": "c6c5f39d43fe0d27bc1d3aedbd2f9b3ba2f8f537",
      "parents": [
        "a924ce0b35875ef9512135b46a32f4150fd700b2"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Thu Aug 18 18:07:44 2011 -0400"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Wed Sep 14 15:24:51 2011 -0400"
      },
      "message": "evm: posix acls modify i_mode\n\nThe posix xattr acls are \u0027system\u0027 prefixed, which normally would not\naffect security.evm.  An interesting side effect of writing posix xattr\nacls is their modifying of the i_mode, which is included in security.evm.\n\nThis patch updates security.evm when posix xattr acls are written.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n"
    },
    {
      "commit": "a924ce0b35875ef9512135b46a32f4150fd700b2",
      "tree": "0e01ac679790fe96c03b341b2670a2ed9c56a122",
      "parents": [
        "fb88c2b6cbb1265a8bef60694699b37f5cd4ba76"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Thu Aug 11 01:22:30 2011 -0400"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Wed Sep 14 15:24:51 2011 -0400"
      },
      "message": "evm: limit verifying current security.evm integrity\n\nevm_protect_xattr unnecessarily validates the current security.evm\nintegrity, before updating non-evm protected extended attributes\nand other file metadata. This patch limits validating the current\nsecurity.evm integrity to evm protected metadata.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n"
    },
    {
      "commit": "1d714057ef8f6348eba7b28ace6d307513e57cef",
      "tree": "a848b86df6257b347b6929f9ad09666105996003",
      "parents": [
        "982e617a313b57abee3bcfa53381c356d00fd64a"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Sun Aug 28 08:57:11 2011 -0400"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Wed Sep 14 15:24:49 2011 -0400"
      },
      "message": "evm: remove TCG_TPM dependency\n\nAll tristates selected by EVM(boolean) are forced to be builtin, except\nin the TCG_TPM(tristate) dependency case. Arnaud Lacombe summarizes the\nKconfig bug as, \"So it would seem direct dependency state influence the\nstate of reverse dependencies..\"  For a detailed explanation, refer to\nArnaud Lacombe\u0027s posting http://lkml.org/lkml/2011/8/23/498.\n\nWith the \"encrypted-keys: remove trusted-keys dependency\" patch, EVM\ncan now be built without a dependency on TCG_TPM.  The trusted-keys\ndependency requires trusted-keys to either be builtin or not selected.\nThis dependency will prevent the boolean/tristate mismatch from\noccurring.\n\nReported-by: Stephen Rothwell \u003csfr@canb.auug.org.au\u003e,\n             Randy Dunlap \u003crdunlap@xenotimenet\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n"
    },
    {
      "commit": "d5813a571876c72766f125b1c6e63414f6822c28",
      "tree": "fe688a7aa64fa890741e5a87800a3f95ddcaaee6",
      "parents": [
        "b97e14520207dccb5cdf93f322e571bf907df104"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Aug 30 10:19:50 2011 +1000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Sep 09 16:56:30 2011 -0700"
      },
      "message": "ima: sparse fix: include linux/ima.h in ima_main.c\n\nFixes sparse warnings:\nsecurity/integrity/ima/ima_main.c:105:6: warning: symbol \u0027ima_file_free\u0027 was not declared. Should it be static?\nsecurity/integrity/ima/ima_main.c:167:5: warning: symbol \u0027ima_file_mmap\u0027 was not declared. Should it be static?\nsecurity/integrity/ima/ima_main.c:192:5: warning: symbol \u0027ima_bprm_check\u0027 was not declared. Should it be static?\nsecurity/integrity/ima/ima_main.c:211:5: warning: symbol \u0027ima_file_check\u0027 was not declared. Should it be static?\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "b97e14520207dccb5cdf93f322e571bf907df104",
      "tree": "1757e5541378136752d608ecde87e1c7251afbb0",
      "parents": [
        "cc7db09952faefc86187c67c4adf5cbdb6fe2c1b"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Aug 30 10:18:30 2011 +1000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Sep 09 16:56:29 2011 -0700"
      },
      "message": "ima: sparse fix: make ima_open_policy static\n\nFixes sparse warning:\nsecurity/integrity/ima/ima_fs.c:290:5: warning: symbol \u0027ima_open_policy\u0027 was not declared. Should it be static?\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "4892722e06694fda1928bac4aa5af5505bd26a4c",
      "tree": "eaeeb90d98ad1ad35bf32c75a579d28a70b722e2",
      "parents": [
        "fc9ff9b7e3eaff3f49bc0fbbddfc1416212e888a"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Aug 17 10:34:33 2011 +1000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Sep 09 16:56:24 2011 -0700"
      },
      "message": "integrity: sparse fix: move iint_initialized to integrity.h\n\nSparse fix: move iint_initialized to integrity.h\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "dbe5ad17ec62fbd3be7789f9a5ab71d23da8acf0",
      "tree": "60e4ae2f8b5d66faac484f5774d22290a51c21e4",
      "parents": [
        "09f464bf0961aba3cd917d4939597bafb269fb95"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Wed Aug 17 18:51:36 2011 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Aug 18 12:58:12 2011 +1000"
      },
      "message": "evm: add Kconfig TCG_TPM dependency\n\nAlthough the EVM encrypted-key should be encrypted/decrypted using a\ntrusted-key, a user-defined key could be used instead. When using a user-\ndefined key, a TCG_TPM dependency should not be required.  Unfortunately,\nthe encrypted-key code needs to be refactored a bit in order to remove\nthis dependency.\n\nThis patch adds the TCG_TPM dependency.\n\nReported-by: Stephen Rothwell \u003csfr@canb.auug.org.au\u003e,\n\t     Randy Dunlap \u003crdunlap@xenotimenet\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "5a4730ba9517cf2793175991243436a24b1db18f",
      "tree": "2c9c26d4662a31c851aed525d4d032d08e54e297",
      "parents": [
        "e1c9b23adbe86c725738402857397d7a29f9d6ef"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Thu Aug 11 00:22:52 2011 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu Aug 11 17:42:41 2011 +1000"
      },
      "message": "evm: fix evm_inode_init_security return code\n\nevm_inode_init_security() should return 0, when EVM is not enabled.\n(Returning an error is a remnant of evm_inode_post_init_security.)\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "0b024d2446474c6a7c47573af5a35db83f557ce3",
      "tree": "56d1d380cd4f87581a0e276ee80cc52e438738b8",
      "parents": [
        "5a2f3a02aea164f4f59c0c3497772090a411b462"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Aug 09 11:33:36 2011 +1000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Aug 09 11:33:36 2011 +1000"
      },
      "message": "EVM: ensure trusted and encrypted key symbols are available to EVM\n\nSelect trusted and encrypted keys if EVM is selected, to ensure\nthe requisite symbols are available.  Otherwise, these can be\nselected as modules while EVM is static, leading to a kernel\nbuild failure.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "5a2f3a02aea164f4f59c0c3497772090a411b462",
      "tree": "d3ebe03d4f97575290087843960baa01de3acd0a",
      "parents": [
        "1d568ab068c021672d6cd7f50f92a3695a921ffb",
        "817b54aa45db03437c6d09a7693fc6926eb8e822"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Aug 09 10:31:03 2011 +1000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Aug 09 10:31:03 2011 +1000"
      },
      "message": "Merge branch \u0027next-evm\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/ima-2.6 into next\n\nConflicts:\n\tfs/attr.c\n\nResolve conflict manually.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "4b2a2c67415f1ab128f1d0b340fe6d13363335e5",
      "tree": "4553a90b12550980ac1dc40288458865e3eb186f",
      "parents": [
        "ed476418394f12d47f27a75424c237a94d244f10"
      ],
      "author": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Tue Jul 26 04:30:35 2011 -0400"
      },
      "committer": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Tue Jul 26 13:04:32 2011 -0400"
      },
      "message": "ima: fmode_t misspelled as mode_t...\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n"
    },
    {
      "commit": "817b54aa45db03437c6d09a7693fc6926eb8e822",
      "tree": "03d43f3abfbd8670e3a30a33ef868ec7705ef2c4",
      "parents": [
        "7102ebcd65c1cdb5d5a87c7c5cf7a46f5afb0cac"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Fri May 13 12:53:38 2011 -0400"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Jul 18 12:29:50 2011 -0400"
      },
      "message": "evm: add evm_inode_setattr to prevent updating an invalid security.evm\n\nPermit changing of security.evm only when valid, unless in fixmode.\n\nReported-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n"
    },
    {
      "commit": "7102ebcd65c1cdb5d5a87c7c5cf7a46f5afb0cac",
      "tree": "1de4ac95b25e6bebab103e4377047c8f76038dac",
      "parents": [
        "24e0198efe0df50034ec1c14b2d7b5bb0f66d54a"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Thu May 12 18:33:20 2011 -0400"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Jul 18 12:29:49 2011 -0400"
      },
      "message": "evm: permit only valid security.evm xattrs to be updated\n\nIn addition to requiring CAP_SYS_ADMIN permission to modify/delete\nsecurity.evm, prohibit invalid security.evm xattrs from changing,\nunless in fixmode. This patch prevents inadvertent \u0027fixing\u0027 of\nsecurity.evm to reflect offline modifications.\n\nChangelog v7:\n- rename boot parameter \u0027evm_mode\u0027 to \u0027evm\u0027\n\nReported-by: Roberto Sassu \u003croberto.sassu@polito.it\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n"
    },
    {
      "commit": "24e0198efe0df50034ec1c14b2d7b5bb0f66d54a",
      "tree": "64f7d23cd7b07dabe826c2a6ed37f7c1842816b2",
      "parents": [
        "6d38ca01c0c2d6c2e46ec1984db9ada6bad6ca26"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@nokia.com",
        "time": "Fri May 06 11:34:17 2011 +0300"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Jul 18 12:29:48 2011 -0400"
      },
      "message": "evm: replace hmac_status with evm_status\n\nWe will use digital signatures in addition to hmac.\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@nokia.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n"
    },
    {
      "commit": "6d38ca01c0c2d6c2e46ec1984db9ada6bad6ca26",
      "tree": "6084a84cd87d18c261d62dc816d48335ce602447",
      "parents": [
        "2960e6cb5f7c662b8edb6b0d2edc72095b4f5672"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@nokia.com",
        "time": "Fri May 06 11:34:14 2011 +0300"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Jul 18 12:29:48 2011 -0400"
      },
      "message": "evm: evm_verify_hmac must not return INTEGRITY_UNKNOWN\n\nIf EVM is not supported or enabled, evm_verify_hmac() returns\nINTEGRITY_UNKNOWN, which ima_appraise_measurement() ignores and sets\nthe appraisal status based solely on the security.ima verification.\n\nevm_verify_hmac() also returns INTEGRITY_UNKNOWN for other failures, such\nas temporary failures like -ENOMEM, resulting in possible attack vectors.\nThis patch changes the default return code for temporary/unexpected\nfailures, like -ENOMEM, from INTEGRITY_UNKNOWN to INTEGRITY_FAIL, making\nevm_verify_hmac() fail safe.\n\nAs a result, failures need to be re-evaluated in order to catch both\ntemporary errors, such as the -ENOMEM, as well as errors that have been\nresolved in fix mode.\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@nokia.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n"
    },
    {
      "commit": "2960e6cb5f7c662b8edb6b0d2edc72095b4f5672",
      "tree": "84e8c3378312243087089a669e4209f43d531b37",
      "parents": [
        "d46eb3699502ba221e81e88e6c6594e2a7818532"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@nokia.com",
        "time": "Fri May 06 11:34:13 2011 +0300"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Jul 18 12:29:47 2011 -0400"
      },
      "message": "evm: additional parameter to pass integrity cache entry \u0027iint\u0027\n\nAdditional iint parameter allows to skip lookup in the cache.\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@nokia.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n"
    },
    {
      "commit": "d46eb3699502ba221e81e88e6c6594e2a7818532",
      "tree": "4761b63f12ded9ad53e3019c33d62d173b4b07da",
      "parents": [
        "823eb1ccd0b310449e99c822412ea8208334d14c"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@nokia.com",
        "time": "Wed Mar 09 15:07:36 2011 -0500"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Jul 18 12:29:46 2011 -0400"
      },
      "message": "evm: crypto hash replaced by shash\n\nUsing shash is more efficient, because the algorithm is allocated only\nonce. Only the descriptor to store the hash state needs to be allocated\nfor every operation.\n\nChangelog v6:\n- check for crypto_shash_setkey failure\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@nokia.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\n"
    },
    {
      "commit": "cb72318069d5e92eb74840118732c66eb38c812f",
      "tree": "eb4e9a6c923567e01ddd1340f9430eb3c43f4aeb",
      "parents": [
        "975d294373d8c1c913ad2bf4eb93966d4c7ca38f"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Wed Mar 09 14:40:44 2011 -0500"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Jul 18 12:29:45 2011 -0400"
      },
      "message": "evm: add evm_inode_init_security to initialize new files\n\nInitialize \u0027security.evm\u0027 for new files.\n\nChangelog v7:\n- renamed evm_inode_post_init_security to evm_inode_init_security\n- moved struct xattr definition to earlier patch\n- allocate xattr name\nChangelog v6:\n- Use \u0027struct evm_ima_xattr_data\u0027\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\n"
    },
    {
      "commit": "3e1be52d6c6b21d9080dd886c0e609e009831562",
      "tree": "2947250698b89eed0149af2d69a33b303c4d6be4",
      "parents": [
        "6be5cc5246f807fd8ede9f5f1bb2826f2c598658"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Wed Mar 09 14:38:26 2011 -0500"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Jul 18 12:29:42 2011 -0400"
      },
      "message": "security: imbed evm calls in security hooks\n\nImbed the evm calls evm_inode_setxattr(), evm_inode_post_setxattr(),\nevm_inode_removexattr() in the security hooks.  evm_inode_setxattr()\nprotects security.evm xattr.  evm_inode_post_setxattr() and\nevm_inode_removexattr() update the hmac associated with an inode.\n\n(Assumes an LSM module protects the setting/removing of xattr.)\n\nChangelog:\n  - Don\u0027t define evm_verifyxattr(), unless CONFIG_INTEGRITY is enabled.\n  - xattr_name is a \u0027const\u0027, value is \u0027void *\u0027\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: Serge Hallyn \u003cserge.hallyn@ubuntu.com\u003e\n"
    },
    {
      "commit": "6be5cc5246f807fd8ede9f5f1bb2826f2c598658",
      "tree": "00fc342eb91fb50df4e8eddfe2a7294b27df8117",
      "parents": [
        "66dbc325afcef909043c30e90930a36823fc734c"
      ],
      "author": {
        "name": "Dmitry Kasatkin",
        "email": "dmitry.kasatkin@nokia.com",
        "time": "Wed Mar 09 14:28:20 2011 -0500"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Jul 18 12:29:41 2011 -0400"
      },
      "message": "evm: add support for different security.evm data types\n\nEVM protects a file\u0027s security extended attributes(xattrs) against integrity\nattacks. The current patchset maintains an HMAC-sha1 value across the security\nxattrs, storing the value as the extended attribute \u0027security.evm\u0027. We\nanticipate other methods for protecting the security extended attributes.\nThis patch reserves the first byte of \u0027security.evm\u0027 as a place holder for\nthe type of method.\n\nChangelog v6:\n- move evm_ima_xattr_type definition to security/integrity/integrity.h\n- defined a structure for the EVM xattr called evm_ima_xattr_data\n  (based on Serge Hallyn\u0027s suggestion)\n- removed unnecessary memset\n\nSigned-off-by: Dmitry Kasatkin \u003cdmitry.kasatkin@nokia.com\u003e\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: Serge Hallyn \u003cserge.hallyn@canonical.com\u003e\n"
    },
    {
      "commit": "66dbc325afcef909043c30e90930a36823fc734c",
      "tree": "5c8a7fe063a058f4266c6db5e48229e8c04dd00e",
      "parents": [
        "1601fbad2b14e0b8d4dbb55e749bfe31e972818a"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Tue Mar 15 16:12:09 2011 -0400"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Jul 18 12:29:40 2011 -0400"
      },
      "message": "evm: re-release\n\nEVM protects a file\u0027s security extended attributes(xattrs) against integrity\nattacks.  This patchset provides the framework and an initial method.  The\ninitial method maintains an HMAC-sha1 value across the security extended\nattributes, storing the HMAC value as the extended attribute \u0027security.evm\u0027.\nOther methods of validating the integrity of a file\u0027s metadata will be posted\nseparately (eg. EVM-digital-signatures).\n\nWhile this patchset does authenticate the security xattrs, and\ncryptographically binds them to the inode, coming extensions will bind other\ndirectory and inode metadata for more complete protection.  To help simplify\nthe review and upstreaming process, each extension will be posted separately\n(eg. IMA-appraisal, IMA-appraisal-directory).  For a general overview of the\nproposed Linux integrity subsystem, refer to Dave Safford\u0027s whitepaper:\nhttp://downloads.sf.net/project/linux-ima/linux-ima/Integrity_overview.pdf.\n\nEVM depends on the Kernel Key Retention System to provide it with a\ntrusted/encrypted key for the HMAC-sha1 operation. The key is loaded onto the\nroot\u0027s keyring using keyctl.  Until EVM receives notification that the key has\nbeen successfully loaded onto the keyring (echo 1 \u003e \u003csecurityfs\u003e/evm), EVM can\nnot create or validate the \u0027security.evm\u0027 xattr, but returns INTEGRITY_UNKNOWN.\nLoading the key and signaling EVM should be done as early as possible. Normally\nthis is done in the initramfs, which has already been measured as part of the\ntrusted boot.  For more information on creating and loading existing\ntrusted/encrypted keys, refer to Documentation/keys-trusted-encrypted.txt.  A\nsample dracut patch, which loads the trusted/encrypted key and enables EVM, is\navailable from http://linux-ima.sourceforge.net/#EVM.\n\nBased on the LSMs enabled, the set of EVM protected security xattrs is defined\nat compile.  EVM adds the following three calls to the existing security hooks:\nevm_inode_setxattr(), evm_inode_post_setxattr(), and evm_inode_removexattr.  To\ninitialize and update the \u0027security.evm\u0027 extended attribute, EVM defines three\ncalls: evm_inode_post_init(), evm_inode_post_setattr() and\nevm_inode_post_removexattr() hooks.  To verify the integrity of a security\nxattr, EVM exports evm_verifyxattr().\n\nChangelog v7:\n- Fixed URL in EVM ABI documentation\n\nChangelog v6: (based on Serge Hallyn\u0027s review)\n- fix URL in patch description\n- remove evm_hmac_size definition\n- use SHA1_DIGEST_SIZE (removed both MAX_DIGEST_SIZE and evm_hmac_size)\n- moved linux include before other includes\n- test for crypto_hash_setkey failure\n- fail earlier for invalid key\n- clear entire encrypted key, even on failure\n- check xattr name length before comparing xattr names\n\nChangelog:\n- locking based on i_mutex, remove evm_mutex\n- using trusted/encrypted keys for storing the EVM key used in the HMAC-sha1\n  operation.\n- replaced crypto hash with shash (Dmitry Kasatkin)\n- support for additional methods of verifying the security xattrs\n  (Dmitry Kasatkin)\n- iint not allocated for all regular files, but only for those appraised\n- Use cap_sys_admin in lieu of cap_mac_admin\n- Use __vfs_setxattr_noperm(), without permission checks, from EVM\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: Serge Hallyn \u003cserge.hallyn@canonical.com\u003e\n"
    },
    {
      "commit": "f381c272224f5f158f5cff64f8f3481fa0eee8b3",
      "tree": "a003dc4c6635c9d2fa90f31577ba5e7ea7bc71b1",
      "parents": [
        "9d8f13ba3f4833219e50767b022b82cd0da930eb"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Wed Mar 09 14:13:22 2011 -0500"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Jul 18 12:29:38 2011 -0400"
      },
      "message": "integrity: move ima inode integrity data management\n\nMove the inode integrity data(iint) management up to the integrity directory\nin order to share the iint among the different integrity models.\n\nChangelog:\n- don\u0027t define MAX_DIGEST_SIZE\n- rename several globally visible \u0027ima_\u0027 prefixed functions, structs,\n  locks, etc to \u0027integrity_\u0027\n- replace \u002720\u0027 with SHA1_DIGEST_SIZE\n- reflect location change in appropriate Kconfig and Makefiles\n- remove unnecessary initialization of iint_initialized to 0\n- rebased on current ima_iint.c\n- define integrity_iint_store/lock as static\n\nThere should be no other functional changes.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: Serge Hallyn \u003cserge.hallyn@ubuntu.com\u003e\n"
    },
    {
      "commit": "1adace9bb04a5f4a4dea9e642089102661bb0ceb",
      "tree": "2396099935c50d838899a01da1438b8a441619de",
      "parents": [
        "854fdd55bfdd56cfc61bd30f2062a9268fcebba6"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Tue Feb 22 10:19:43 2011 -0500"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Wed Feb 23 16:38:52 2011 -0500"
      },
      "message": "ima: remove unnecessary call to ima_must_measure\n\nThe original ima_must_measure() function based its results on cached\niint information, which required an iint be allocated for all files.\nCurrently, an iint is allocated only for files in policy.  As a result,\nfor those files in policy, ima_must_measure() is now called twice: once\nto determine if the inode is in the measurement policy and, the second\ntime, to determine if it needs to be measured/re-measured.\n\nThe second call to ima_must_measure() unnecessarily checks to see if\nthe file is in policy. As we already know the file is in policy, this\npatch removes the second unnecessary call to ima_must_measure(), removes\nthe vestige iint parameter, and just checks the iint directly to determine\nif the inode has been measured or needs to be measured/re-measured.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\n"
    },
    {
      "commit": "854fdd55bfdd56cfc61bd30f2062a9268fcebba6",
      "tree": "139af793bf7395002e6e68978b603d47f28f7dc2",
      "parents": [
        "890275b5eb79e9933d12290473eab9ac38da0051"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Tue Nov 02 10:14:22 2010 -0400"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Thu Feb 10 07:51:44 2011 -0500"
      },
      "message": "IMA: remove IMA imbalance checking\n\nNow that i_readcount is maintained by the VFS layer, remove the\nimbalance checking in IMA. Cleans up the IMA code nicely.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\n"
    },
    {
      "commit": "890275b5eb79e9933d12290473eab9ac38da0051",
      "tree": "8fa529a6fdfa7647ed4e14287658b71df8636ddd",
      "parents": [
        "a5c96ebf1d71df0c5fb77ab58c9aeb307cf02372"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Tue Nov 02 10:13:07 2010 -0400"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Thu Feb 10 07:51:44 2011 -0500"
      },
      "message": "IMA: maintain i_readcount in the VFS layer\n\nima_counts_get() updated the readcount and invalidated the PCR,\nas necessary. Only update the i_readcount in the VFS layer.\nMove the PCR invalidation checks to ima_file_check(), where it\nbelongs.\n\nMaintaining the i_readcount in the VFS layer, will allow other\nsubsystems to use i_readcount.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\n"
    },
    {
      "commit": "a68a27b6f2354273bacc39c3dd06456edb202230",
      "tree": "d73396dab134842ecd1e86d665718e75012e7e78",
      "parents": [
        "75a25637bf8a1b8fbed2368c0a3ec15c66a534f1"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Tue Nov 02 10:10:56 2010 -0400"
      },
      "committer": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Thu Feb 10 07:51:43 2011 -0500"
      },
      "message": "IMA: convert i_readcount to atomic\n\nConvert the inode\u0027s i_readcount from an unsigned int to atomic.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\n"
    },
    {
      "commit": "867c20265459d30a01b021a9c1e81fb4c5832aa9",
      "tree": "7873555d6a0e100fb1faa90da6e6366a430c3403",
      "parents": [
        "03ed6a3aa600c48593c3984812fda2d5945ddb46"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Mon Jan 03 14:59:10 2011 -0800"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Mon Jan 03 16:36:33 2011 -0800"
      },
      "message": "ima: fix add LSM rule bug\n\nIf security_filter_rule_init() doesn\u0027t return a rule, then not everything\nis as fine as the return code implies.\n\nThis bug only occurs when the LSM (eg. SELinux) is disabled at runtime.\n\nAdding an empty LSM rule causes ima_match_rules() to always succeed,\nignoring any remaining rules.\n\n default IMA TCB policy:\n  # PROC_SUPER_MAGIC\n  dont_measure fsmagic\u003d0x9fa0\n  # SYSFS_MAGIC\n  dont_measure fsmagic\u003d0x62656572\n  # DEBUGFS_MAGIC\n  dont_measure fsmagic\u003d0x64626720\n  # TMPFS_MAGIC\n  dont_measure fsmagic\u003d0x01021994\n  # SECURITYFS_MAGIC\n  dont_measure fsmagic\u003d0x73636673\n\n  \u003c LSM specific rule \u003e\n  dont_measure obj_type\u003dvar_log_t\n\n  measure func\u003dBPRM_CHECK\n  measure func\u003dFILE_MMAP mask\u003dMAY_EXEC\n  measure func\u003dFILE_CHECK mask\u003dMAY_READ uid\u003d0\n\nThus without the patch, with the boot parameters \u0027tcb selinux\u003d0\u0027, adding\nthe above \u0027dont_measure obj_type\u003dvar_log_t\u0027 rule to the default IMA TCB\nmeasurement policy, would result in nothing being measured.  The patch\nprevents the default TCB policy from being replaced.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nAcked-by: Serge Hallyn \u003cserge.hallyn@canonical.com\u003e\nCc: David Safford \u003csafford@watson.ibm.com\u003e\nCc: \u003cstable@kernel.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "bade72d607c4eb1b1d6c7852c493b75f065a56b5",
      "tree": "95aafb198d9a8a08e6b7813de0403658e6a1b04a",
      "parents": [
        "196f518128d2ee6e0028b50e6fec0313640db142"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Oct 25 14:42:25 2010 -0400"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Oct 26 11:37:19 2010 -0700"
      },
      "message": "IMA: fix the ToMToU logic\n\nCurrent logic looks like this:\n\n        rc \u003d ima_must_measure(NULL, inode, MAY_READ, FILE_CHECK);\n        if (rc \u003c 0)\n                goto out;\n\n        if (mode \u0026 FMODE_WRITE) {\n                if (inode-\u003ei_readcount)\n                        send_tomtou \u003d true;\n                goto out;\n        }\n\n        if (atomic_read(\u0026inode-\u003ei_writecount) \u003e 0)\n                send_writers \u003d true;\n\nLet\u0027s assume we have a policy which states that all files opened for read\nby root must be measured.\n\nLet\u0027s assume the file has permissions 777.\n\nLet\u0027s assume that root has the given file open for read.\n\nLet\u0027s assume that a non-root process opens the file write.\n\nThe non-root process will get to ima_counts_get() and will check the\nima_must_measure().  Since it is not supposed to measure it will goto\nout.\n\nWe should check the i_readcount no matter what since we might be causing\na ToMToU violation!\n\nThis is close to correct, but still not quite perfect.  The situation\ncould have been that root, which was interested in the measurement opened\nand closed the file and another process which is not interested in the\nmeasurement is the one holding the i_readcount ATM.  This is just overly\nstrict on ToMToU violations, which is better than not strict enough...\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "196f518128d2ee6e0028b50e6fec0313640db142",
      "tree": "43a1d76bee477dbaa682233979e86f58a98369f0",
      "parents": [
        "64c62f06bef8314a64d3189cb9c78062d54169b3"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Oct 25 14:42:19 2010 -0400"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Oct 26 11:37:19 2010 -0700"
      },
      "message": "IMA: explicit IMA i_flag to remove global lock on inode_delete\n\nCurrently for every removed inode IMA must take a global lock and search\nthe IMA rbtree looking for an associated integrity structure.  Instead\nwe explicitly mark an inode when we add an integrity structure so we\nonly have to take the global lock and do the removal if it exists.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "64c62f06bef8314a64d3189cb9c78062d54169b3",
      "tree": "63f542bf6a0de4eb2c9742376f7c314ac78e65ec",
      "parents": [
        "bc7d2a3e66b40477270c3cbe3b89b47093276e7a"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Oct 25 14:42:12 2010 -0400"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Oct 26 11:37:19 2010 -0700"
      },
      "message": "IMA: drop refcnt from ima_iint_cache since it isn\u0027t needed\n\nSince finding a struct ima_iint_cache requires a valid struct inode, and\nthe struct ima_iint_cache is supposed to have the same lifetime as a\nstruct inode (technically they die together but don\u0027t need to be created\nat the same time) we don\u0027t have to worry about the ima_iint_cache\noutliving or dying before the inode.  So the refcnt isn\u0027t useful.  Just\nget rid of it and free the structure when the inode is freed.\n\nSigned-off-by: Eric Paris \u003ceapris@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "bc7d2a3e66b40477270c3cbe3b89b47093276e7a",
      "tree": "8f0198b8ad455fde11b24e32a2e32c008a5ececb",
      "parents": [
        "a178d2027d3198b0a04517d764326ab71cd73da2"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Oct 25 14:42:05 2010 -0400"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Oct 26 11:37:18 2010 -0700"
      },
      "message": "IMA: only allocate iint when needed\n\nIMA always allocates an integrity structure to hold information about\nevery inode, but only needed this structure to track the number of\nreaders and writers currently accessing a given inode.  Since that\ninformation was moved into struct inode instead of the integrity struct\nthis patch stops allocating the integrity structure until it is needed.\nThus greatly reducing memory usage.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "a178d2027d3198b0a04517d764326ab71cd73da2",
      "tree": "d81b9336328ba1741231b318a6f8187f627581fd",
      "parents": [
        "b9593d309d17c57e9ddc3934d641902533896ca9"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Oct 25 14:41:59 2010 -0400"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Oct 26 11:37:18 2010 -0700"
      },
      "message": "IMA: move read counter into struct inode\n\nIMA currently allocates an inode integrity structure for every inode in\ncore.  This structure is about 120 bytes long.  Most files however\n(especially on a system which doesn\u0027t make use of IMA) will never need\nany of this space.  The problem is that if IMA is enabled we need to\nknow information about the number of readers and the number of writers\nfor every inode on the box.  At the moment we collect that information\nin the per inode iint structure and waste the rest of the space.  This\npatch moves those counters into the struct inode so we can eventually\nstop allocating an IMA integrity structure except when absolutely\nneeded.\n\nThis patch does the minimum needed to move the location of the data.\nFurther cleanups, especially the location of counter updates, may still\nbe possible.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "b9593d309d17c57e9ddc3934d641902533896ca9",
      "tree": "fa7fd9ced4a79f102e653ee4a5dc348aa1a41c21",
      "parents": [
        "ad16ad00c34d3f320a5876b3d711ef6bc81362e1"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Oct 25 14:41:52 2010 -0400"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Oct 26 11:37:18 2010 -0700"
      },
      "message": "IMA: use i_writecount rather than a private counter\n\nIMA tracks the number of struct files which are holding a given inode\nreadonly and the number which are holding the inode write or r/w.  It\nneeds this information so when a new reader or writer comes in it can\ntell if this new file will be able to invalidate results it already made\nabout existing files.\n\naka if a task is holding a struct file open RO, IMA measured the file\nand recorded those measurements and then a task opens the file RW IMA\nneeds to note in the logs that the old measurement may not be correct.\nIt\u0027s called a \"Time of Measure Time of Use\" (ToMToU) issue.  The same is\ntrue if a RO file is opened to an inode which has an open writer.  We\ncannot, with any validity, measure the file in question since it could\nbe changing.\n\nThis patch attempts to use the i_writecount field to track writers.  The\ni_writecount field actually embeds more information in its value than\nIMA needs but it should work for our purposes and allow us to shrink the\nstruct inode even more.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "ad16ad00c34d3f320a5876b3d711ef6bc81362e1",
      "tree": "7cf3b755567fde2850d2ea7f4a186a0dcea6b80f",
      "parents": [
        "15aac676778f206b42c4d7782b08f89246680485"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Oct 25 14:41:45 2010 -0400"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Oct 26 11:37:18 2010 -0700"
      },
      "message": "IMA: use inode-\u003ei_lock to protect read and write counters\n\nCurrently IMA used the iint-\u003emutex to protect the i_readcount and\ni_writecount.  This patch uses the inode-\u003ei_lock since we are going to\nstart using in inode objects and that is the most appropriate lock.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "15aac676778f206b42c4d7782b08f89246680485",
      "tree": "d4d2625139f8a52ffa7bd0cb1848a446518652ec",
      "parents": [
        "497f32337073a2da102c49a53779097b5394711b"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Oct 25 14:41:39 2010 -0400"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Oct 26 11:37:18 2010 -0700"
      },
      "message": "IMA: convert internal flags from long to char\n\nThe IMA flags is an unsigned long but there is only 1 flag defined.\nLets save a little space and make it a char.  This packs nicely next to\nthe array of u8\u0027s.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "497f32337073a2da102c49a53779097b5394711b",
      "tree": "203cbcd3f9462737d872e24fb2c847ce9a69de45",
      "parents": [
        "b575156dafef208415ff0842c392733d16d4ccf1"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Oct 25 14:41:32 2010 -0400"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Oct 26 11:37:18 2010 -0700"
      },
      "message": "IMA: use unsigned int instead of long for counters\n\nCurrently IMA uses 2 longs in struct inode.  To save space (and as it\nseems impossible to overflow 32 bits) we switch these to unsigned int.\nThe switch to unsigned does require slightly different checks for\nunderflow, but it isn\u0027t complex.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "b575156dafef208415ff0842c392733d16d4ccf1",
      "tree": "52e4afd6a1969a975bd9e4b882d97d5ab659fa20",
      "parents": [
        "8549164143a5431f9d9ea846acaa35a862410d9c"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Oct 25 14:41:26 2010 -0400"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Oct 26 11:37:17 2010 -0700"
      },
      "message": "IMA: drop the inode opencount since it isn\u0027t needed for operation\n\nThe opencount was used to help debugging to make sure that everything\nwhich created a struct file also correctly made the IMA calls.  Since we\nmoved all of that into the VFS this isn\u0027t as necessary.  We should be\nable to get the same amount of debugging out of just the reader and\nwrite count.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "8549164143a5431f9d9ea846acaa35a862410d9c",
      "tree": "79b0d2aeb2674f221854866cb067947dc47f2203",
      "parents": [
        "f6f94e2ab1b33f0082ac22d71f66385a60d8157f"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Mon Oct 25 14:41:18 2010 -0400"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Oct 26 11:37:17 2010 -0700"
      },
      "message": "IMA: use rbtree instead of radix tree for inode information cache\n\nThe IMA code needs to store the number of tasks which have an open fd\ngranting permission to write a file even when IMA is not in use.  It\nneeds this information in order to be enabled at a later point in time\nwithout losing its integrity guarantees.\n\nAt the moment that means we store a little bit of data about every inode\nin a cache.  We use a radix tree key\u0027d on the inode\u0027s memory address.\nDave Chinner pointed out that a radix tree is a terrible data structure\nfor such a sparse key space.  This patch switches to using an rbtree\nwhich should be more efficient.\n\nBug report from Dave:\n\n \"I just noticed that slabtop was reporting an awfully high usage of\n  radix tree nodes:\n\n   OBJS ACTIVE  USE OBJ SIZE  SLABS OBJ/SLAB CACHE SIZE NAME\n  4200331 2778082  66%    0.55K 144839       29   2317424K radix_tree_node\n  2321500 2060290  88%    1.00K  72581       32   2322592K xfs_inode\n  2235648 2069791  92%    0.12K  69864       32    279456K iint_cache\n\n  That is, 2.7M radix tree nodes are allocated, and the cache itself is\n  consuming 2.3GB of RAM.  I know that the XFS inode caches are indexed\n  by radix tree node, but for 2 million cached inodes that would mean a\n  density of 1 inode per radix tree node, which for a system with 16M\n  inodes in the filesystems is an impossibly low density.  The worst I\u0027ve\n  seen in a production system like kernel.org is about 20-25% density,\n  which would mean about 150-200k radix tree nodes for that many inodes.\n  So it\u0027s not the inode cache.\n\n  So I looked up what the iint_cache was.  It appears to be used for\n  storing per-inode IMA information, and uses a radix tree for indexing.\n  It uses the *address* of the struct inode as the indexing key.  That\n  means the key space is extremely sparse - for XFS the struct inode\n  addresses are approximately 1000 bytes apart, which means the closest\n  the radix tree index keys get is ~1000.  Which means that there is a\n  single entry per radix tree leaf node, so the radix tree is using\n  roughly 550 bytes for every 120byte structure being cached.  For the\n  above example, it\u0027s probably wasting close to 1GB of RAM....\"\n\nReported-by: Dave Chinner \u003cdavid@fromorbit.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "e950598d43dce8d97e7d5270808393425d1e5cbd",
      "tree": "916c8a6c5dc63cd3486aa7200964269ea31b4d42",
      "parents": [
        "999b4f0aa2314b76857775334cb94bafa053db64"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Tue Aug 31 09:38:51 2010 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Sep 08 09:51:41 2010 +1000"
      },
      "message": "ima: always maintain counters\n\ncommit 8262bb85da allocated the inode integrity struct (iint) before any\ninodes were created. Only after IMA was initialized in late_initcall were\nthe counters updated. This patch updates the counters, whether or not IMA\nhas been initialized, to resolve \u0027imbalance\u0027 messages.\n\nThis patch fixes the bug as reported in bugzilla: 15673.  When the i915\nis builtin, the ring_buffer is initialized before IMA, causing the\nimbalance message on suspend.\n\nReported-by: Thomas Meyer \u003cthomas@m3y3r.de\u003e\nSigned-off-by: Mimi Zohar \u003czohar@linux.vnet.ibm.com\u003e\nTested-by: Thomas Meyer \u003cthomas@m3y3r.de\u003e\nTested-by: David Safford\u003csafford@watson.ibm.com\u003e\nCc: Stable Kernel \u003cstable@kernel.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "cdcd90f9e450d4edb5fab0490119f9540874e882",
      "tree": "5b1a5b5d00d19d6fa9ba13261ff22ffb0b8aa154",
      "parents": [
        "7e2deb7ce8f662bce877dbfd3b0053e9559c25a3"
      ],
      "author": {
        "name": "Arnd Bergmann",
        "email": "arnd@arndb.de",
        "time": "Wed Jul 07 23:40:15 2010 +0200"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon Aug 02 15:34:58 2010 +1000"
      },
      "message": "ima: use generic_file_llseek for securityfs\n\nThe default for llseek will change to no_llseek,\nso securityfs users need to add explicit .llseek\nassignments. Since we\u0027re dealing with regular\nfiles from a VFS perspective, use generic_file_llseek.\n\nSigned-off-by: Arnd Bergmann \u003carnd@arndb.de\u003e\nCc: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "db1afffab0b5d9f6d31f8f4bea44c9cb3bc59351",
      "tree": "5ba8fd7a5018c0772d999b8c3aa945c0efb929e0",
      "parents": [
        "dd336c554d8926c3348a2d5f2a5ef5597f6d1a06"
      ],
      "author": {
        "name": "NeilBrown",
        "email": "neilb@suse.de",
        "time": "Tue Mar 16 15:14:51 2010 +1100"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@suse.de",
        "time": "Fri May 21 09:37:29 2010 -0700"
      },
      "message": "kref: remove kref_set\n\nOf the three uses of kref_set in the kernel:\n\n One really should be kref_put as the code is letting go of a\n    reference,\n Two really should be kref_init because the kref is being\n    initialised.\n\nThis suggests that making kref_set available encourages bad code.\nSo fix the three uses and remove kref_set completely.\n\nSigned-off-by: NeilBrown \u003cneilb@suse.de\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@suse.de\u003e\n\n"
    },
    {
      "commit": "ba0c1709f4946a5ca1a678f4318ed72c0d409b3c",
      "tree": "22c60e909f1dccf1fa6f0c0b51b9e3163d66cfc1",
      "parents": [
        "7f2ab000c6f2ae46070807a3bf645c45d8639460"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Tue May 04 18:16:30 2010 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Mon May 17 09:21:58 2010 +1000"
      },
      "message": "ima: remove ACPI dependency\n\nThe ACPI dependency moved to the TPM, where it belongs.  Although\nIMA per-se does not require access to the bios measurement log,\nverifying the IMA boot aggregate does, which requires ACPI.\n\nThis patch prereq\u0027s \u0027TPM: ACPI/PNP dependency removal\u0027\nhttp://lkml.org/lkml/2010/5/4/378.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nReported-by: Jean-Christophe Dubois \u003cjcd@tribudubois.net\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nTested-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "83c36ccfe4d849f482ea0a62402c7624f4e59f0e",
      "tree": "381c005c107bc5cf8db594308c5a3b0ec2bd1d34",
      "parents": [
        "ec4a162af388a2716c5314c4aff7029071d09f57"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri May 07 09:20:03 2010 +1000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri May 07 09:20:03 2010 +1000"
      },
      "message": "Revert \"ima: remove ACPI dependency\"\n\nThis reverts commit a674fa46c79ffa37995bd1c8e4daa2b3be5a95ae.\n\nPrevious revert was a prereq.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "0ffbe2699cda6afbe08501098dff8a8c2fe6ae09",
      "tree": "81b1a2305d16c873371b65c5a863c0268036cefe",
      "parents": [
        "4e5d6f7ec3833c0da9cf34fa5c53c6058c5908b6",
        "7ebd467551ed6ae200d7835a84bbda0dcadaa511"
      ],
      "author": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu May 06 10:56:07 2010 +1000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Thu May 06 10:56:07 2010 +1000"
      },
      "message": "Merge branch \u0027master\u0027 into next\n"
    },
    {
      "commit": "a674fa46c79ffa37995bd1c8e4daa2b3be5a95ae",
      "tree": "4f2b0d0b89310cc93e9ae9377cdbba80b0554814",
      "parents": [
        "b89e66e1e396f7b5436af154e58209320cc08aed"
      ],
      "author": {
        "name": "Mimi Zohar",
        "email": "zohar@linux.vnet.ibm.com",
        "time": "Tue May 04 18:16:30 2010 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed May 05 10:00:06 2010 +1000"
      },
      "message": "ima: remove ACPI dependency\n\nThe ACPI dependency moved to the TPM, where it belongs.  Although\nIMA per-se does not require access to the bios measurement log,\nverifying the IMA boot aggregate does, which requires ACPI.\n\nThis patch prereq\u0027s \u0027TPM: ACPI/PNP dependency removal\u0027\nhttp://lkml.org/lkml/2010/5/4/378.\n\nSigned-off-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nReported-by: Jean-Christophe Dubois \u003cjcd@tribudubois.net\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nTested-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "eb8dae9607901fd3fc181325ff3f30dce8f574c5",
      "tree": "1b6a0af7a1cd6b32a8cbb1512d91232895733bc5",
      "parents": [
        "34c111f626e91adb23f90a91d2c7cd4dac9fa4b1"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Thu Apr 22 10:49:36 2010 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Fri Apr 23 08:47:53 2010 +1000"
      },
      "message": "IMA: include the word IMA in printk messages\n\nAs an example IMA emits a warning when it can\u0027t find a TPM chip:\n\n\"No TPM chip found, activating TPM-bypass!\"\n\nThis patch prefaces that message with IMA so we know what subsystem is\nbypassing the TPM.  Do this for all pr_info and pr_err messages.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "34c111f626e91adb23f90a91d2c7cd4dac9fa4b1",
      "tree": "3ca16731ab7e9b6cc1848dd28852503506dd97e1",
      "parents": [
        "2f1506cd82e0725ba00c7146a9a9b47824a5edcf"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Tue Apr 20 10:21:36 2010 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Apr 21 09:58:18 2010 +1000"
      },
      "message": "IMA: drop the word integrity in the audit message\n\nintegrity_audit_msg() uses \"integrity:\" in the audit message.  This\nviolates the (loosely defined) audit system requirements that everything be\na key\u003dvalue pair and it doesn\u0027t provide additional information.  This can\nbe obviously gleaned from the message type.  Just drop it.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "2f1506cd82e0725ba00c7146a9a9b47824a5edcf",
      "tree": "ac92c983ab10842e82e229c00b697566c6f20028",
      "parents": [
        "7233e3ee22b1506723411fe437bcf69f678e8cdd"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Tue Apr 20 10:21:30 2010 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Apr 21 09:58:17 2010 +1000"
      },
      "message": "IMA: use audit_log_untrusted_string rather than %s\n\nConvert all of the places IMA calls audit_log_format with %s into\naudit_log_untrusted_string().  This is going to cause them all to get\nquoted, but it should make audit log injection harder.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "7233e3ee22b1506723411fe437bcf69f678e8cdd",
      "tree": "3d84d037890a9918ed02b89fde875fd6e6cd3b10",
      "parents": [
        "28ef4002ec7b4be27f1110b83e255df8159c786a"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Tue Apr 20 10:21:24 2010 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Apr 21 09:58:16 2010 +1000"
      },
      "message": "IMA: handle comments in policy\n\nIMA policy load parser will reject any policies with a comment.  This patch\nwill allow the parser to just ignore lines which start with a #.  This is not\nvery robust.  # can ONLY be used at the very beginning of a line.  Inline\ncomments are not allowed.\n\nSigned-off-by: Eric Paris\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "28ef4002ec7b4be27f1110b83e255df8159c786a",
      "tree": "e7b32aeb36ecf2d76235aa7d436a7578738a98cc",
      "parents": [
        "e9d393bf8660fbbbe00617015224342bac3ea6fc"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Tue Apr 20 10:21:18 2010 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Apr 21 09:58:16 2010 +1000"
      },
      "message": "IMA: handle whitespace better\n\nIMA parser will fail if whitespace is used in any way other than a single\nspace.  Using a tab or even using 2 spaces in a row will result in a policy\nbeing rejected.  This patch makes the kernel ignore whitespace a bit better.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "e9d393bf8660fbbbe00617015224342bac3ea6fc",
      "tree": "b127189c4b598774ef467b599bd8bfe08b3c71d4",
      "parents": [
        "b9035b1fd7933c11e68dbbf49b530cc43bf1da65"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Tue Apr 20 10:21:13 2010 -0400"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Apr 21 09:58:15 2010 +1000"
      },
      "message": "IMA: reject policies with unknown entries\n\nCurrently the ima policy load code will print what it doesn\u0027t understand\nbut really I think it should reject any policy it doesn\u0027t understand.  This\npatch makes it so!\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Mimi Zohar \u003czohar@us.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    }
  ],
  "next": "b9035b1fd7933c11e68dbbf49b530cc43bf1da65"
}
