From: Linus Torvalds
Date: Wed, 22 Feb 2023 20:36:25 +0000 (-0800)
Subject: Merge tag 'integrity-v6.3' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar...
X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=67e2dcff8b21923d48f5ca835773b2f005389e69;p=linux.git
Merge tag 'integrity-v6.3' of git://git./linux/kernel/git/zohar/linux-integrity
Pull integrity update from Mimi Zohar:
"One doc and one code cleanup, and two bug fixes"
* tag 'integrity-v6.3' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
ima: Introduce MMAP_CHECK_REQPROT hook
ima: Align ima_file_mmap() parameters with mmap_file LSM hook
evm: call dump_security_xattr() in all cases to remove code duplication
ima: fix ima_delete_rules() kernel-doc warning
ima: return IMA digest value only when IMA_COLLECTED flag is set
ima: fix error handling logic when file measurement failed
---
67e2dcff8b21923d48f5ca835773b2f005389e69
diff --cc include/linux/ima.h
index 172b113a98642,d79fee67235ee..86b57757c7b10
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@@ -18,10 -18,11 +18,11 @@@ struct linux_binprm
extern enum hash_algo ima_get_current_hash_algo(void);
extern int ima_bprm_check(struct linux_binprm *bprm);
extern int ima_file_check(struct file *file, int mask);
-extern void ima_post_create_tmpfile(struct user_namespace *mnt_userns,
+extern void ima_post_create_tmpfile(struct mnt_idmap *idmap,
struct inode *inode);
extern void ima_file_free(struct file *file);
- extern int ima_file_mmap(struct file *file, unsigned long prot);
+ extern int ima_file_mmap(struct file *file, unsigned long reqprot,
+ unsigned long prot, unsigned long flags);
extern int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot);
extern int ima_load_data(enum kernel_load_data_id id, bool contents);
extern int ima_post_load_data(char *buf, loff_t size,
diff --cc security/integrity/evm/evm_crypto.c
index 52b811da6989c,0fe6c9cd8eab4..033804f5a5f20
--- a/security/integrity/evm/evm_crypto.c
+++ 
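Review bot: The new four-argument ima_file_mmap() prototype is declared without any note on what distinguishes `reqprot` from `prot`, and a bare extern gives a caller no hint which one a check should be based on. A one-line comment above the declaration, `/* reqprot: protection requested by the caller; prot: protection the kernel will apply — same meaning as in the mmap_file LSM hook */`, would settle that. The CONFIG_IMA=n inline stub for ima_file_mmap() in this header lies outside the hunk; presumably the merge updated it to the same signature, but it is worth confirming, since a stale stub would only break builds without IMA.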
b/security/integrity/evm/evm_crypto.c
@@@ -254,18 -264,12 +264,12 @@@ static int evm_calc_hmac_or_hash(struc
if (is_ima)
ima_present = true;
- if (req_xattr_value_len < 64)
- pr_debug("%s: (%zu) [%*phN]\n", req_xattr_name,
- req_xattr_value_len,
- (int)req_xattr_value_len,
- req_xattr_value);
- else
- dump_security_xattr(req_xattr_name,
- req_xattr_value,
- req_xattr_value_len);
+ dump_security_xattr(req_xattr_name,
+ req_xattr_value,
+ req_xattr_value_len);
continue;
}
- size = vfs_getxattr_alloc(&init_user_ns, dentry, xattr->name,
+ size = vfs_getxattr_alloc(&nop_mnt_idmap, dentry, xattr->name,
&xattr_value, xattr_size, GFP_NOFS);
if (size == -ENOMEM) {
error = -ENOMEM;
diff --cc security/integrity/ima/ima_main.c
index 358578267feaa,31ab86f7e4d30..d66a0a36415e8
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@@ -224,10 -225,11 +225,11 @@@ static int process_measurement(struct f
* bitmask based on the appraise/audit/measurement policy.
* Included is the appraise submask.
*/
- action = ima_get_action(file_mnt_user_ns(file), inode, cred, secid,
+ action = ima_get_action(file_mnt_idmap(file), inode, cred, secid,
mask, func, &pcr, &template_desc, NULL,
&allowed_algos);
- violation_check = ((func == FILE_CHECK || func == MMAP_CHECK) &&
+ violation_check = ((func == FILE_CHECK || func == MMAP_CHECK ||
+ func == MMAP_CHECK_REQPROT) &&
(ima_policy_flag & IMA_MEASURE));
if (!action && !violation_check)
return 0;
@@@ -451,9 -467,13 +467,13 @@@ int ima_file_mprotect(struct vm_area_st
security_current_getsecid_subj(&secid);
inode = file_inode(vma->vm_file);
- action = ima_get_action(file_mnt_user_ns(vma->vm_file), inode,
+ action = ima_get_action(file_mnt_idmap(vma->vm_file), inode,
current_cred(), secid, MAY_EXEC, MMAP_CHECK,
&pcr, &template, NULL, NULL);
- action |= ima_get_action(file_mnt_user_ns(vma->vm_file), inode,
++ action |= ima_get_action(file_mnt_idmap(vma->vm_file), inode,
+ current_cred(), secid, MAY_EXEC,
+ MMAP_CHECK_REQPROT, &pcr, &template, NULL,
+ NULL);
/* Is the mmap'ed file in policy? */
if (!(action & (IMA_MEASURE | IMA_APPRAISE_SUBMASK)))
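Review bot: MMAP_CHECK_REQPROT is folded into `violation_check` next to MMAP_CHECK, which makes the two hooks equivalent for the open-writers/ToMToU violation path, but nothing on the changed lines says why the pairing is intended. Any other `func == MMAP_CHECK` comparison in the IMA code (policy matching and the rest of process_measurement() are outside this hunk) would need the same treatment or the REQPROT path silently skips that logic; worth confirming. A short comment on the changed line, `/* MMAP_CHECK_REQPROT is subject to the same violation checks as MMAP_CHECK */`, would make the intent explicit. process_measurement() starts and ends outside the hunk.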