linux-toradex.git/include/uapi/linux/audit.h, branch v5.1-rc1 Linux kernel for Apalis and Colibri modules Fix a handful of audit-related issue 2019-01-07T16:45:47+00:00 Palmer Dabbelt palmer@sifive.com 2019-01-07T16:45:47+00:00 801009424e05cf110f016d7fac7fcf20ef94941a This is sort of a mix between a new feature and a bug fix. I've managed to screw up merging this patch set a handful of times but I think it's OK this time around. The main new feature here is audit support for RISC-V, with some fixes to audit-related bugs that cropped up along the way: * The addition of NR_syscalls into unistd.h, which is necessary for CONFIG_FTRACE_SYSCALLS. * The definition of CREATE_TRACE_POINTS so __tracepoint_sys_{enter,exit} get defined. * A fix for trace_sys_exit() so we can enable CONFIG_HAVE_SYSCALL_TRACEPOINTS. 
This is sort of a mix between a new feature and a bug fix.  I've managed
to screw up merging this patch set a handful of times but I think it's
OK this time around.  The main new feature here is audit support for
RISC-V, with some fixes to audit-related bugs that cropped up along the
way:

* The addition of NR_syscalls into unistd.h, which is necessary for
  CONFIG_FTRACE_SYSCALLS.
* The definition of CREATE_TRACE_POINTS so
  __tracepoint_sys_{enter,exit} get defined.
* A fix for trace_sys_exit() so we can enable
  CONFIG_HAVE_SYSCALL_TRACEPOINTS.
riscv: add audit support 2019-01-07T16:22:39+00:00 David Abdurachmanov david.abdurachmanov@gmail.com 2018-10-29T10:48:53+00:00 efe75c494f57890900caf6c8a0667db35bfaf56a On RISC-V (riscv) audit is supported through generic lib/audit.c. The patch adds required arch specific definitions. Signed-off-by: David Abdurachmanov <david.abdurachmanov@gmail.com> Signed-off-by: Palmer Dabbelt <palmer@sifive.com> 
On RISC-V (riscv) audit is supported through generic lib/audit.c.
The patch adds required arch specific definitions.

Signed-off-by: David Abdurachmanov <david.abdurachmanov@gmail.com>
Signed-off-by: Palmer Dabbelt <palmer@sifive.com>
Merge tag 'csky-for-linus-4.21' of git://github.com/c-sky/csky-linux 2019-01-05T17:50:07+00:00 Linus Torvalds torvalds@linux-foundation.org 2019-01-05T17:50:07+00:00 9ee3b3f4a5eb523ef27675ac2fcd2269b9d68767 Pull arch/csky updates from Guo Ren: "Here are three main features (cpu_hotplug, basic ftrace, basic perf) and some bugfixes: Features: - Add CPU-hotplug support for SMP - Add ftrace with function trace and function graph trace - Add Perf support - Add EM_CSKY_OLD 39 - optimize kernel panic print. - remove syscall_exit_work Bugfixes: - fix abiv2 mmap(... O_SYNC) failure - fix gdb coredump error - remove vdsp implement for kernel - fix qemu failure to bootup sometimes - fix ftrace call-graph panic - fix device tree node reference leak - remove meaningless header-y - fix save hi,lo,dspcr regs in switch_stack - remove unused members in processor.h" * tag 'csky-for-linus-4.21' of git://github.com/c-sky/csky-linux: csky: Add perf support for C-SKY csky: Add EM_CSKY_OLD 39 clocksource/drivers/c-sky: fixup ftrace call-graph panic csky: ftrace call graph supported. csky: basic ftrace supported csky: remove unused members in processor.h csky: optimize kernel panic print. csky: stacktrace supported. csky: CPU-hotplug supported for SMP clocksource/drivers/c-sky: fixup qemu fail to bootup sometimes. csky: fixup save hi,lo,dspcr regs in switch_stack. csky: remove syscall_exit_work csky: fixup remove vdsp implement for kernel. csky: bugfix gdb coredump error. csky: fixup abiv2 mmap(... O_SYNC) failed. csky: define syscall_get_arch() elf-em.h: add EM_CSKY csky: remove meaningless header-y csky: Don't leak device tree node reference 
Pull arch/csky updates from Guo Ren:
 "Here are three main features (cpu_hotplug, basic ftrace, basic perf)
  and some bugfixes:

  Features:
   - Add CPU-hotplug support for SMP
   - Add ftrace with function trace and function graph trace
   - Add Perf support
   - Add EM_CSKY_OLD 39
   - optimize kernel panic print.
   - remove syscall_exit_work

  Bugfixes:
   - fix abiv2 mmap(... O_SYNC) failure
   - fix gdb coredump error
   - remove vdsp implement for kernel
   - fix qemu failure to bootup sometimes
   - fix ftrace call-graph panic
   - fix device tree node reference leak
   - remove meaningless header-y
   - fix save hi,lo,dspcr regs in switch_stack
   - remove unused members in processor.h"

* tag 'csky-for-linus-4.21' of git://github.com/c-sky/csky-linux:
  csky: Add perf support for C-SKY
  csky: Add EM_CSKY_OLD 39
  clocksource/drivers/c-sky: fixup ftrace call-graph panic
  csky: ftrace call graph supported.
  csky: basic ftrace supported
  csky: remove unused members in processor.h
  csky: optimize kernel panic print.
  csky: stacktrace supported.
  csky: CPU-hotplug supported for SMP
  clocksource/drivers/c-sky: fixup qemu fail to bootup sometimes.
  csky: fixup save hi,lo,dspcr regs in switch_stack.
  csky: remove syscall_exit_work
  csky: fixup remove vdsp implement for kernel.
  csky: bugfix gdb coredump error.
  csky: fixup abiv2 mmap(... O_SYNC) failed.
  csky: define syscall_get_arch()
  elf-em.h: add EM_CSKY
  csky: remove meaningless header-y
  csky: Don't leak device tree node reference
csky: define syscall_get_arch() 2018-12-30T13:21:24+00:00 Dmitry V. Levin ldv@altlinux.org 2018-12-13T17:22:07+00:00 d770b25653447b4c57303859e2ac04ebe9318f8e syscall_get_arch() is required to be implemented on all architectures in order to extend the generic ptrace API with PTRACE_GET_SYSCALL_INFO request. Cc: Guo Ren <guoren@kernel.org> Cc: Paul Moore <paul@paul-moore.com> Cc: Eric Paris <eparis@redhat.com> Cc: Oleg Nesterov <oleg@redhat.com> Cc: Andy Lutomirski <luto@kernel.org> Cc: Elvira Khabirova <lineprinter@altlinux.org> Cc: Eugene Syromyatnikov <esyr@redhat.com> Cc: linux-audit@redhat.com Signed-off-by: Dmitry V. Levin <ldv@altlinux.org> Signed-off-by: Guo Ren <guoren@kernel.org> arch/csky/include/asm/syscall.h | 7 +++++++ include/uapi/linux/audit.h | 1 + 2 files changed, 8 insertions(+) 
syscall_get_arch() is required to be implemented on all architectures
in order to extend the generic ptrace API with PTRACE_GET_SYSCALL_INFO
request.

Cc: Guo Ren <guoren@kernel.org>
Cc: Paul Moore <paul@paul-moore.com>
Cc: Eric Paris <eparis@redhat.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Elvira Khabirova <lineprinter@altlinux.org>
Cc: Eugene Syromyatnikov <esyr@redhat.com>
Cc: linux-audit@redhat.com
Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
Signed-off-by: Guo Ren <guoren@kernel.org>

 arch/csky/include/asm/syscall.h | 7 +++++++
 include/uapi/linux/audit.h      | 1 +
 2 files changed, 8 insertions(+)
xtensa: define syscall_get_arch() 2018-12-17T21:47:25+00:00 Dmitry V. Levin ldv@altlinux.org 2018-11-20T00:17:01+00:00 98c3115a4ec56f03056efd9295e0fcb4c5c57a85 syscall_get_arch() is required to be implemented on all architectures in order to extend the generic ptrace API with PTRACE_GET_SYSCALL_INFO request. Signed-off-by: Dmitry V. Levin <ldv@altlinux.org> Acked-by: Max Filippov <jcmvbkbc@gmail.com> Signed-off-by: Max Filippov <jcmvbkbc@gmail.com> 
syscall_get_arch() is required to be implemented on all architectures
in order to extend the generic ptrace API with PTRACE_GET_SYSCALL_INFO
request.

Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
Acked-by: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Merge branch 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2018-08-16T05:54:12+00:00 Linus Torvalds torvalds@linux-foundation.org 2018-08-16T05:54:12+00:00 f91e654474d413201ae578820fb63f8a811f6c4e Pull integrity updates from James Morris: "This adds support for EVM signatures based on larger digests, contains a new audit record AUDIT_INTEGRITY_POLICY_RULE to differentiate the IMA policy rules from the IMA-audit messages, addresses two deadlocks due to either loading or searching for crypto algorithms, and cleans up the audit messages" * 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: EVM: fix return value check in evm_write_xattrs() integrity: prevent deadlock during digsig verification. evm: Allow non-SHA1 digital signatures evm: Don't deadlock if a crypto algorithm is unavailable integrity: silence warning when CONFIG_SECURITYFS is not enabled ima: Differentiate auditing policy rules from "audit" actions ima: Do not audit if CONFIG_INTEGRITY_AUDIT is not set ima: Use audit_log_format() rather than audit_log_string() ima: Call audit_log_string() rather than logging it untrusted 
Pull integrity updates from James Morris:
 "This adds support for EVM signatures based on larger digests, contains
  a new audit record AUDIT_INTEGRITY_POLICY_RULE to differentiate the
  IMA policy rules from the IMA-audit messages, addresses two deadlocks
  due to either loading or searching for crypto algorithms, and cleans
  up the audit messages"

* 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  EVM: fix return value check in evm_write_xattrs()
  integrity: prevent deadlock during digsig verification.
  evm: Allow non-SHA1 digital signatures
  evm: Don't deadlock if a crypto algorithm is unavailable
  integrity: silence warning when CONFIG_SECURITYFS is not enabled
  ima: Differentiate auditing policy rules from "audit" actions
  ima: Do not audit if CONFIG_INTEGRITY_AUDIT is not set
  ima: Use audit_log_format() rather than audit_log_string()
  ima: Call audit_log_string() rather than logging it untrusted
ima: Differentiate auditing policy rules from "audit" actions 2018-07-18T11:27:22+00:00 Stefan Berger stefanb@linux.vnet.ibm.com 2018-06-04T20:54:55+00:00 dba31ee759417ef1a952e929524b0cca1751c036 The AUDIT_INTEGRITY_RULE is used for auditing IMA policy rules and the IMA "audit" policy action. This patch defines AUDIT_INTEGRITY_POLICY_RULE to reflect the IMA policy rules. Since we defined a new message type we can now also pass the audit_context and get an associated SYSCALL record. This now produces the following records when parsing IMA policy's rules: type=UNKNOWN[1807] msg=audit(1527888965.738:320): action=audit \ func=MMAP_CHECK mask=MAY_EXEC res=1 type=UNKNOWN[1807] msg=audit(1527888965.738:320): action=audit \ func=FILE_CHECK mask=MAY_READ res=1 type=SYSCALL msg=audit(1527888965.738:320): arch=c000003e syscall=1 \ success=yes exit=17 a0=1 a1=55bcfcca9030 a2=11 a3=7fcc1b55fb38 \ items=0 ppid=1567 pid=1601 auid=0 uid=0 gid=0 euid=0 suid=0 \ fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=2 comm="echo" \ exe="/usr/bin/echo" \ subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Acked-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> 
The AUDIT_INTEGRITY_RULE is used for auditing IMA policy rules and
the IMA "audit" policy action.  This patch defines
AUDIT_INTEGRITY_POLICY_RULE to reflect the IMA policy rules.

Since we defined a new message type we can now also pass the
audit_context and get an associated SYSCALL record. This now produces
the following records when parsing IMA policy's rules:

type=UNKNOWN[1807] msg=audit(1527888965.738:320): action=audit \
  func=MMAP_CHECK mask=MAY_EXEC res=1
type=UNKNOWN[1807] msg=audit(1527888965.738:320): action=audit \
  func=FILE_CHECK mask=MAY_READ res=1
type=SYSCALL msg=audit(1527888965.738:320): arch=c000003e syscall=1 \
  success=yes exit=17 a0=1 a1=55bcfcca9030 a2=11 a3=7fcc1b55fb38 \
  items=0 ppid=1567 pid=1601 auid=0 uid=0 gid=0 euid=0 suid=0 \
  fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=2 comm="echo" \
  exe="/usr/bin/echo" \
  subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
audit: rename FILTER_TYPE to FILTER_EXCLUDE 2018-06-19T14:39:54+00:00 Richard Guy Briggs rgb@redhat.com 2018-06-05T15:45:07+00:00 d904ac0320d3c4ff4e9d80e4294ca5dde803696f The AUDIT_FILTER_TYPE name is vague and misleading due to not describing where or when the filter is applied and obsolete due to its available filter fields having been expanded. Userspace has already renamed it from AUDIT_FILTER_TYPE to AUDIT_FILTER_EXCLUDE without checking if it already exists. The userspace maintainer assures that as long as it is set to the same value it will not be a problem since the userspace code does not treat compiler warnings as errors. If this policy changes then checks if it already exists can be added at the same time. See: https://github.com/linux-audit/audit-kernel/issues/89 Signed-off-by: Richard Guy Briggs <rgb@redhat.com> Signed-off-by: Paul Moore <paul@paul-moore.com> 
The AUDIT_FILTER_TYPE name is vague and misleading due to not describing
where or when the filter is applied and obsolete due to its available
filter fields having been expanded.

Userspace has already renamed it from AUDIT_FILTER_TYPE to
AUDIT_FILTER_EXCLUDE without checking if it already exists.  The
userspace maintainer assures that as long as it is set to the same value
it will not be a problem since the userspace code does not treat
compiler warnings as errors.  If this policy changes then checks if it
already exists can be added at the same time.

See: https://github.com/linux-audit/audit-kernel/issues/89

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Merge branch 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2018-06-07T22:40:37+00:00 Linus Torvalds torvalds@linux-foundation.org 2018-06-07T22:40:37+00:00 00d535a386c071a06e111fd846f6beda445126a5 Pull integrity updates from James Morris: "From Mimi: - add run time support for specifying additional security xattrs included in the security.evm HMAC/signature - some code clean up and bug fixes" * 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: EVM: unlock on error path in evm_read_xattrs() EVM: prevent array underflow in evm_write_xattrs() EVM: Fix null dereference on xattr when xattr fails to allocate EVM: fix memory leak of temporary buffer 'temp' IMA: use list_splice_tail_init_rcu() instead of its open coded variant ima: use match_string() helper ima: fix updating the ima_appraise flag ima: based on policy verify firmware signatures (pre-allocated buffer) ima: define a new policy condition based on the filesystem name EVM: Allow runtime modification of the set of verified xattrs EVM: turn evm_config_xattrnames into a list integrity: Add an integrity directory in securityfs ima: Remove unused variable ima_initialized ima: Unify logging ima: Reflect correct permissions for policy 
Pull integrity updates from James Morris:
 "From Mimi:

   - add run time support for specifying additional security xattrs
     included in the security.evm HMAC/signature

   - some code clean up and bug fixes"

* 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  EVM: unlock on error path in evm_read_xattrs()
  EVM: prevent array underflow in evm_write_xattrs()
  EVM: Fix null dereference on xattr when xattr fails to allocate
  EVM: fix memory leak of temporary buffer 'temp'
  IMA: use list_splice_tail_init_rcu() instead of its open coded variant
  ima: use match_string() helper
  ima: fix updating the ima_appraise flag
  ima: based on policy verify firmware signatures (pre-allocated buffer)
  ima: define a new policy condition based on the filesystem name
  EVM: Allow runtime modification of the set of verified xattrs
  EVM: turn evm_config_xattrnames into a list
  integrity: Add an integrity directory in securityfs
  ima: Remove unused variable ima_initialized
  ima: Unify logging
  ima: Reflect correct permissions for policy
EVM: Allow runtime modification of the set of verified xattrs 2018-05-18T19:34:45+00:00 Matthew Garrett mjg59@google.com 2018-05-15T17:38:26+00:00 fa516b66a1bfce1d72f1620c54bdfebc493000d1 Sites may wish to provide additional metadata alongside files in order to make more fine-grained security decisions[1]. The security of this is enhanced if this metadata is protected, something that EVM makes possible. However, the kernel cannot know about the set of extended attributes that local admins may wish to protect, and hardcoding this policy in the kernel makes it difficult to change over time and less convenient for distributions to enable. This patch adds a new /sys/kernel/security/integrity/evm/evm_xattrs node, which can be read to obtain the current set of EVM-protected extended attributes or written to in order to add new entries. Extending this list will not change the validity of any existing signatures provided that the file in question does not have any of the additional extended attributes - missing xattrs are skipped when calculating the EVM hash. [1] For instance, a package manager could install information about the package uploader in an additional extended attribute. Local LSM policy could then be associated with that extended attribute in order to restrict the privileges available to packages from less trusted uploaders. Signed-off-by: Matthew Garrett <mjg59@google.com> Reviewed-by: James Morris <james.morris@microsoft.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> 
Sites may wish to provide additional metadata alongside files in order
to make more fine-grained security decisions[1]. The security of this is
enhanced if this metadata is protected, something that EVM makes
possible. However, the kernel cannot know about the set of extended
attributes that local admins may wish to protect, and hardcoding this
policy in the kernel makes it difficult to change over time and less
convenient for distributions to enable.

This patch adds a new /sys/kernel/security/integrity/evm/evm_xattrs node,
which can be read to obtain the current set of EVM-protected extended
attributes or written to in order to add new entries. Extending this list
will not change the validity of any existing signatures provided that the
file in question does not have any of the additional extended attributes -
missing xattrs are skipped when calculating the EVM hash.

[1] For instance, a package manager could install information about the
package uploader in an additional extended attribute. Local LSM policy
could then be associated with that extended attribute in order to
restrict the privileges available to packages from less trusted
uploaders.

Signed-off-by: Matthew Garrett <mjg59@google.com>
Reviewed-by: James Morris <james.morris@microsoft.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>