* [PATCH v1 00/11] extend initramfs archive format to support xattrs
From: Mimi Zohar @ 2015-01-20 19:12 UTC (permalink / raw)
To: initramfs
Cc: Mimi Zohar, Al Viro, linux-ima-devel, linux-security-module,
linux-kernel
Many of the Linux security/integrity features are dependent on file
metadata, stored as extended attributes (xattrs), for making decisions.
These features need to be initialized during initcall and enabled as
early as possible for complete security coverage.
The Linux kernel creates the rootfs file system and extracts the contents
of the initramfs, a compressed CPIO archive, onto it. If CONFIG_TMPFS is
enabled (and "root=" is not specified on the boot command line), rootfs
will use tmpfs instead of ramfs by default. Although the tmpfs filesystem
supports xattrs, the CPIO archive specification does not define a method
for including them in the archive. Other archive formats have added xattr
support (e.g. tar).
There are a couple of ways to include and label the rootfs filesystem:
- include a file manifest containing the xattrs in the initramfs
- extend CPIO to support xattrs
- add tar support
This patch set extends the existing newc CPIO archive format to include
xattrs in the initramfs. This change affects usr/gen_init_cpio,
scripts/gen_initramfs_list.sh, and init/initramfs.c. Included in this
patch set are the associated IMA and EVM policy changes.
Changelog v1:
- Patch "init: remove "root=" command line option test for tmpfs decision"
was previously included for testing without userspace application (e.g.
systemd, dracut) changes. The associated userspace changes will be
posted to the relevant mailing lists. Patch dropped.
- replace simple_strtoul with kstrtoul
- add some input data checking
- change size of mtime and file length to 64 bits
- define new gen_initramfs_list.sh "-x" command line option
- define new IMA_APPRAISE_ROOTFS Kconfig option
Mimi
Mimi Zohar (11):
initramfs: separate reading cpio method from header
initramfs: replace simple_strtoul() with kstrtoul()
initramfs: add extended attribute support
initramfs: change size of mtime and file length to 64 bits
gen_init_cpio: replace inline format string with common variable
gen_init_cpio: define new CPIO format to support xattrs
gen_init_cpio: include the file extended attributes
gen_init_cpio: change size of mtime and file length to 64 bits
gen_initramfs_list.sh: include xattrs
evm: make rootfs a special case
ima: include rootfs (tmpfs) in ima_appraise_tcb policy
init/initramfs.c | 130 +++++++++++++++++++++++++----
scripts/gen_initramfs_list.sh | 8 +-
security/integrity/evm/evm_main.c | 12 ++-
security/integrity/ima/Kconfig | 12 +++
security/integrity/ima/ima_policy.c | 8 ++
usr/gen_init_cpio.c | 159 ++++++++++++++++++++++++++++++------
6 files changed, 282 insertions(+), 47 deletions(-)
--
1.8.1.4
* [PATCH v1 01/11] initramfs: separate reading cpio method from header
From: Mimi Zohar @ 2015-01-20 19:12 UTC (permalink / raw)
To: initramfs
Cc: Mimi Zohar, Al Viro, linux-ima-devel, linux-security-module,
linux-kernel
In preparation for adding xattr support, read the CPIO method
separately from the rest of the header.
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
---
init/initramfs.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/init/initramfs.c b/init/initramfs.c
index ad1bd77..bb51b5b 100644
--- a/init/initramfs.c
+++ b/init/initramfs.c
@@ -187,6 +187,7 @@ static void __init parse_header(char *s)
static __initdata enum state {
Start,
+ GotFormat,
Collect,
GotHeader,
SkipIt,
@@ -230,7 +231,7 @@ static __initdata char *header_buf, *symlink_buf, *name_buf;
static int __init do_start(void)
{
- read_into(header_buf, 110, GotHeader);
+ read_into(header_buf, 6, GotFormat);
return 0;
}
@@ -248,7 +249,7 @@ static int __init do_collect(void)
return 0;
}
-static int __init do_header(void)
+static int __init do_format(void)
{
if (memcmp(collected, "070707", 6)==0) {
error("incorrect cpio method used: use -H newc option");
@@ -258,6 +259,12 @@ static int __init do_header(void)
error("no cpio magic");
return 1;
}
+ read_into(header_buf, 104, GotHeader);
+ return 0;
+}
+
+static int __init do_header(void)
+{
parse_header(collected);
next_header = this_header + N_ALIGN(name_len) + body_len;
next_header = (next_header + 3) & ~3;
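Review bot: after this hunk do_header() hands `collected` to parse_header(), but parse_header() still opens its field loop with `s += 6` to step over the magic (see `for (i = 0, s += 6; i < 12; i++, s += 8)` in the next patch's context), while the 104-byte read_into() in do_format() no longer includes the magic; every header field is therefore parsed six bytes too far in until patch 03 drops the `s += 6`. Move that one-line change into this patch so the series stays bisectable.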
@@ -400,6 +407,7 @@ static int __init do_symlink(void)
static __initdata int (*actions[])(void) = {
[Start] = do_start,
+ [GotFormat] = do_format,
[Collect] = do_collect,
[GotHeader] = do_header,
[SkipIt] = do_skip,
--
1.8.1.4
* [PATCH v1 02/11] initramfs: replace simple_strtoul() with kstrtoul()
From: Mimi Zohar @ 2015-01-20 19:12 UTC (permalink / raw)
To: initramfs
Cc: Mimi Zohar, Al Viro, linux-ima-devel, linux-security-module,
linux-kernel
Replace existing obsolete simple_strtoul() call with kstrtoul(),
before making other changes.
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
---
init/initramfs.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/init/initramfs.c b/init/initramfs.c
index bb51b5b..5dd93ca 100644
--- a/init/initramfs.c
+++ b/init/initramfs.c
@@ -163,12 +163,15 @@ static void __init parse_header(char *s)
{
unsigned long parsed[12];
char buf[9];
+ int ret;
int i;
buf[8] = '\0';
for (i = 0, s += 6; i < 12; i++, s += 8) {
memcpy(buf, s, 8);
- parsed[i] = simple_strtoul(buf, NULL, 16);
+ ret = kstrtoul(buf, 16, &parsed[i]);
+ if (ret)
+ pr_err("invalid cpio header field (%d)", ret);
}
ino = parsed[0];
mode = parsed[1];
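Review bot: on a kstrtoul() failure the loop only logs and carries on, and since kstrtoul() does not store a result on error `parsed[i]` is left uninitialized, so stack garbage flows into ino, mode, body_len and friends. Fail the header instead: let parse_header() return the error and have do_header() call error("invalid cpio header") and return 1, the way do_format() already handles a bad magic. The pr_err() format is also missing its trailing "\n".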
--
1.8.1.4
* [PATCH v1 03/11] initramfs: add extended attribute support
From: Mimi Zohar @ 2015-01-20 19:12 UTC (permalink / raw)
To: initramfs
Cc: Mimi Zohar, Al Viro, linux-ima-devel, linux-security-module,
linux-kernel
This patch writes out the extended attributes included in the cpio file.
As the "security.ima" xattr needs to be written after the file data,
this patch separates extracting and setting the xattrs by defining two
new states "GotXattrs" and "SetXattrs".
Changelog:
- "way too trusting of input data" - Rob Landley. Added some checking...
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
---
init/initramfs.c | 97 ++++++++++++++++++++++++++++++++++++++++++++++++++------
1 file changed, 87 insertions(+), 10 deletions(-)
diff --git a/init/initramfs.c b/init/initramfs.c
index 5dd93ca..8917065 100644
--- a/init/initramfs.c
+++ b/init/initramfs.c
@@ -52,6 +52,7 @@ static void __init error(char *x)
/* link hash */
#define N_ALIGN(len) ((((len) + 1) & ~3) + 2)
+#define X_ALIGN(len) ((len + 3) & ~3)
static __initdata struct hash {
int ino, minor, major;
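Review bot: `X_ALIGN(len)` does not parenthesize its argument; write it `#define X_ALIGN(len) (((len) + 3) & ~3)` like N_ALIGN directly above so an expression argument such as `xattr_buflen + 8` aligns as intended.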
@@ -154,20 +155,21 @@ static __initdata time_t mtime;
static __initdata unsigned long ino, major, minor, nlink;
static __initdata umode_t mode;
-static __initdata unsigned long body_len, name_len;
+static __initdata unsigned long body_len, name_len, xattr_buflen;
static __initdata uid_t uid;
static __initdata gid_t gid;
static __initdata unsigned rdev;
+static __initdata int newcx;
static void __init parse_header(char *s)
{
- unsigned long parsed[12];
+ unsigned long parsed[13];
char buf[9];
int ret;
int i;
buf[8] = '\0';
- for (i = 0, s += 6; i < 12; i++, s += 8) {
+ for (i = 0; i < (!newcx ? 12 : 13); i++, s += 8) {
memcpy(buf, s, 8);
ret = kstrtoul(buf, 16, &parsed[i]);
if (ret)
@@ -184,6 +186,7 @@ static void __init parse_header(char *s)
minor = parsed[8];
rdev = new_encode_dev(MKDEV(parsed[9], parsed[10]));
name_len = parsed[11];
+ xattr_buflen = newcx ? parsed[12] : 0;
}
/* FSM */
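Review bot: the new on-disk layout is only implied by the code here (magic 070703, a 13th `parsed[12]` xattrs-size field, the xattr buffer following the name) and is described nowhere in the series; add it to the initramfs buffer-format documentation next to the existing newc description, including the field order, so that archive tools other than gen_init_cpio can produce and verify it.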
@@ -195,7 +198,9 @@ static __initdata enum state {
GotHeader,
SkipIt,
GotName,
+ GotXattrs,
CopyFile,
+ SetXattrs,
GotSymlink,
Reset
} state, next_state;
@@ -212,6 +217,8 @@ static inline void __init eat(unsigned n)
}
static __initdata char *vcollected;
+static __initdata char *ncollected;
+static __initdata u8 *xcollected;
static __initdata char *collected;
static long remains __initdata;
static __initdata char *collect;
@@ -230,7 +237,7 @@ static void __init read_into(char *buf, unsigned size, enum state next)
}
}
-static __initdata char *header_buf, *symlink_buf, *name_buf;
+static __initdata char *header_buf, *symlink_buf, *name_buf, *xattr_buf;
static int __init do_start(void)
{
@@ -254,22 +261,26 @@ static int __init do_collect(void)
static int __init do_format(void)
{
+ newcx = 0;
if (memcmp(collected, "070707", 6)==0) {
error("incorrect cpio method used: use -H newc option");
return 1;
}
- if (memcmp(collected, "070701", 6)) {
+ if (memcmp(collected, "070703", 6) == 0)
+ newcx = 1;
+ else if (memcmp(collected, "070701", 6)) {
error("no cpio magic");
return 1;
}
- read_into(header_buf, 104, GotHeader);
+ read_into(header_buf, !newcx ? 104: 112, GotHeader);
return 0;
}
static int __init do_header(void)
{
parse_header(collected);
- next_header = this_header + N_ALIGN(name_len) + body_len;
+ next_header = this_header + N_ALIGN(name_len) + X_ALIGN(xattr_buflen)
+ + body_len;
next_header = (next_header + 3) & ~3;
state = SkipIt;
if (name_len <= 0 || name_len > PATH_MAX)
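Review bot: `xattr_buflen` comes straight from the archive header and is used for next_header here, then as a read_into() length into the PAGE_SIZE xattr_buf and as a kmalloc() size in do_xattrs(), without any upper bound; a crafted archive with a large value overruns xattr_buf. Reject it next to the name_len check, e.g. `if (xattr_buflen > PAGE_SIZE) return 0;` (state is already SkipIt at that point). With that bound in place X_ALIGN(xattr_buflen) is at most PAGE_SIZE, so the later read_into() fits.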
@@ -331,8 +342,64 @@ static void __init clean_path(char *path, umode_t fmode)
}
}
-static __initdata int wfd;
+static int __init do_xattrs(void)
+{
+ state = next_state;
+ xcollected = kmalloc(xattr_buflen, GFP_KERNEL);
+ if (!xcollected)
+ panic("can't allocate xattr buffer");
+ memcpy(xcollected, collected, xattr_buflen);
+ return 0;
+}
+
+static int __init do_setxattrs(void)
+{
+ char *xattr_name = NULL;
+ int i, offset = 8, num_xattrs = 0;
+ unsigned xattr_value_size;
+ u8 *buf = xcollected;
+ u8 *bufend = buf + xattr_buflen - 1;
+
+ state = SkipIt;
+ next_state = Reset;
+
+ if (!newcx || xattr_buflen == 0 || !buf)
+ return 0;
+
+ *bufend = '\0';
+ sscanf(buf, "%08X", &num_xattrs);
+
+ /* xattr format: name value-len value */
+ for (i = 0; i < num_xattrs || buf + offset > bufend; i++) {
+ u8 *xattr_buf;
+ int ret;
+ xattr_name = buf + offset;
+ offset += (strlen(xattr_name) + 1);
+ if (buf + offset + 8 > bufend) {
+ error("malformed xattrs");
+ break;
+ }
+
+ ret = sscanf(buf + offset, "%08X", &xattr_value_size);
+ xattr_buf = buf + offset + 8;
+ if (ret != 1 || xattr_buf + xattr_value_size > bufend) {
+ error("malformed xattrs");
+ break;
+ }
+
+ ret = sys_setxattr(ncollected, xattr_name, xattr_buf,
+ xattr_value_size, 0);
+ pr_debug("%s: %s size: %u (ret: %d)\n", ncollected, xattr_name,
+ xattr_value_size, ret);
+ offset += (8 + xattr_value_size);
+ }
+ kfree(ncollected);
+ kfree(xcollected);
+ return 0;
+}
+
+static __initdata int wfd;
static int __init do_name(void)
{
state = SkipIt;
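Review bot: the loop condition in do_setxattrs(), `i < num_xattrs || buf + offset > bufend`, is inverted: once offset has run past bufend the right-hand operand becomes true and the loop continues instead of stopping, and `xattr_name = buf + offset` is then read out of bounds because strlen() runs before the `buf + offset + 8 > bufend` check. Use `i < num_xattrs && buf + offset < bufend`, check the return of the first sscanf() (it needs at least 8 bytes, which `xattr_buflen == 0` alone does not guarantee; note also that sscanf("%08X") accepts leading whitespace, a sign and a "0x" prefix, so a strict hex parser is preferable), bound the name scan with strnlen()/memchr() against bufend, and compare lengths rather than pointers (`xattr_value_size > bufend - xattr_buf`) so a large size cannot wrap the pointer arithmetic. The early-return path and the loop's `break` both leave xcollected and ncollected allocated; free them on every exit. Finally, sys_setxattr() is passed whatever name the archive supplies, including security.evm and trusted.* names; acceptable for a trusted initramfs, but worth a comment.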
@@ -373,6 +440,12 @@ static int __init do_name(void)
do_utime(collected, mtime);
}
}
+
+ if (xattr_buflen > 0) {
+ ncollected = kstrdup(collected, GFP_KERNEL);
+ next_state = (state == SkipIt) ? SetXattrs : state;
+ read_into(xattr_buf, X_ALIGN(xattr_buflen), GotXattrs);
+ }
return 0;
}
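Review bot: the kstrdup() result is not checked, so an allocation failure makes do_setxattrs() hand a NULL path to sys_setxattr(); either panic as do_xattrs() does or skip the xattrs for this entry. Also, `state == SkipIt` here covers both "nothing to do" and "open failed" (wfd < 0) for a regular file, so in the latter case do_setxattrs() will try to label a file that was never created; harmless since sys_setxattr() fails, but a comment would avoid the reader wondering.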
@@ -385,7 +458,7 @@ static int __init do_copy(void)
do_utime(vcollected, mtime);
kfree(vcollected);
eat(body_len);
- state = SkipIt;
+ state = (newcx && xattr_buflen > 0)? SetXattrs : SkipIt;
return 0;
} else {
if (xwrite(wfd, victim, byte_count) != byte_count)
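Review bot: style, `> 0)? SetXattrs` should read `> 0) ? SetXattrs`, and the `newcx &&` is redundant because parse_header() forces xattr_buflen to 0 for newc archives; use the same plain `xattr_buflen > 0` test as do_name() so the two paths stay in step.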
@@ -415,7 +488,9 @@ static __initdata int (*actions[])(void) = {
[GotHeader] = do_header,
[SkipIt] = do_skip,
[GotName] = do_name,
+ [GotXattrs] = do_xattrs,
[CopyFile] = do_copy,
+ [SetXattrs] = do_setxattrs,
[GotSymlink] = do_symlink,
[Reset] = do_reset,
};
@@ -464,9 +539,10 @@ static char * __init unpack_to_rootfs(char *buf, unsigned long len)
const char *compress_name;
static __initdata char msg_buf[64];
- header_buf = kmalloc(110, GFP_KERNEL);
+ header_buf = kmalloc(118, GFP_KERNEL);
symlink_buf = kmalloc(PATH_MAX + N_ALIGN(PATH_MAX) + 1, GFP_KERNEL);
name_buf = kmalloc(N_ALIGN(PATH_MAX), GFP_KERNEL);
+ xattr_buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
if (!header_buf || !symlink_buf || !name_buf)
panic("can't allocate buffers");
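Review bot: xattr_buf is allocated but not added to the `if (!header_buf || !symlink_buf || !name_buf)` check, so a failed PAGE_SIZE allocation is dereferenced later by read_into(); add `|| !xattr_buf`.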
@@ -513,6 +589,7 @@ static char * __init unpack_to_rootfs(char *buf, unsigned long len)
len -= my_inptr;
}
dir_utime();
+ kfree(xattr_buf);
kfree(name_buf);
kfree(symlink_buf);
kfree(header_buf);
--
1.8.1.4
* [PATCH v1 04/11] initramfs: change size of mtime and file length to 64 bits
From: Mimi Zohar @ 2015-01-20 19:12 UTC (permalink / raw)
To: initramfs
Cc: Mimi Zohar, Al Viro, linux-ima-devel, linux-security-module,
linux-kernel
Either we keep the current field ordering, making some fields
64 bits, or move the larger fields to the end. This patch keeps
the same field ordering.
Requested-by: Rob Landley <rob@landley.net>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
---
init/initramfs.c | 30 +++++++++++++++++++-----------
1 file changed, 19 insertions(+), 11 deletions(-)
diff --git a/init/initramfs.c b/init/initramfs.c
index 8917065..cec6fe1 100644
--- a/init/initramfs.c
+++ b/init/initramfs.c
@@ -155,7 +155,8 @@ static __initdata time_t mtime;
static __initdata unsigned long ino, major, minor, nlink;
static __initdata umode_t mode;
-static __initdata unsigned long body_len, name_len, xattr_buflen;
+static __initdata uint64_t body_len;
+static __initdata unsigned long name_len, xattr_buflen;
static __initdata uid_t uid;
static __initdata gid_t gid;
static __initdata unsigned rdev;
@@ -164,14 +165,21 @@ static __initdata int newcx;
static void __init parse_header(char *s)
{
unsigned long parsed[13];
- char buf[9];
- int ret;
+ uint64_t parsed64[2];
+ char buf[17];
+ bool ull = 0;
+ int ret = 0;
int i;
- buf[8] = '\0';
- for (i = 0; i < (!newcx ? 12 : 13); i++, s += 8) {
- memcpy(buf, s, 8);
- ret = kstrtoul(buf, 16, &parsed[i]);
+ buf[16] = '\0';
+ for (i = 0; i < (!newcx ? 12 : 13); i++, s += (ull ? 16 : 8)) {
+ ull = newcx && (i == 5 || i == 6);
+
+ buf[8] = '\0';
+ memcpy(buf, s, ull ? 16 : 8);
+
+ ret = ull ? kstrtoull(buf, 16, &parsed64[i - 5]) :
+ kstrtoul(buf, 16, &parsed[i]);
if (ret)
pr_err("invalid cpio header field (%d)", ret);
}
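Review bot: `bool ull = 0;` should be `false`. The `buf[8] = '\0'` reset inside the loop is correct but subtle (the 16-byte copy overwrites it and buf[16] terminates instead), and deserves a one-line comment. The kstrtoull()/kstrtoul() error is still only logged, so the uninitialized-field problem from patch 02 now extends to parsed64[].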
@@ -180,8 +188,8 @@ static void __init parse_header(char *s)
uid = parsed[2];
gid = parsed[3];
nlink = parsed[4];
- mtime = parsed[5];
- body_len = parsed[6];
+ mtime = !newcx ? parsed[5] : parsed64[0] / 1000000;
+ body_len = !newcx ? parsed[6] : parsed64[1];
major = parsed[7];
minor = parsed[8];
rdev = new_encode_dev(MKDEV(parsed[9], parsed[10]));
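Review bot: the unit of the 64-bit mtime field is decided here, `parsed64[0] / 1000000`, i.e. microseconds, but neither the commit message ("64 bits") nor anything else in the series states it; record the unit in the format description, since gen_init_cpio and any other producer must agree with this division. Also mtime is a time_t, so on 32-bit time_t hosts the value is truncated silently.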
@@ -272,7 +280,7 @@ static int __init do_format(void)
error("no cpio magic");
return 1;
}
- read_into(header_buf, !newcx ? 104: 112, GotHeader);
+ read_into(header_buf, !newcx ? 104: 128, GotHeader);
return 0;
}
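Review bot: 128 is 12 x 8 + 2 x 16 bytes after the 6-byte magic, i.e. a 134-byte newcx header; spell that out in the commit message (and ideally a `#define`), because the producer's header-length constants have to match this exactly and nothing else ties the two numbers together.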
@@ -539,7 +547,7 @@ static char * __init unpack_to_rootfs(char *buf, unsigned long len)
const char *compress_name;
static __initdata char msg_buf[64];
- header_buf = kmalloc(118, GFP_KERNEL);
+ header_buf = kmalloc(128, GFP_KERNEL);
symlink_buf = kmalloc(PATH_MAX + N_ALIGN(PATH_MAX) + 1, GFP_KERNEL);
name_buf = kmalloc(N_ALIGN(PATH_MAX), GFP_KERNEL);
xattr_buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
--
1.8.1.4
* [PATCH v1 05/11] gen_init_cpio: replace inline format string with common variable
From: Mimi Zohar @ 2015-01-20 19:12 UTC (permalink / raw)
To: initramfs
Cc: Mimi Zohar, Al Viro, linux-ima-devel, linux-security-module,
linux-kernel
The same printf format string is used in a number of places. This
patch replaces the inline format string with a single common variable
called newcfmt.
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
---
usr/gen_init_cpio.c | 18 ++++++++----------
1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/usr/gen_init_cpio.c b/usr/gen_init_cpio.c
index 225ad24..ee35361 100644
--- a/usr/gen_init_cpio.c
+++ b/usr/gen_init_cpio.c
@@ -20,6 +20,9 @@
#define xstr(s) #s
#define str(s) xstr(s)
+static char *newcfmt = "%s%08X%08X%08lX%08lX%08X%08lX"
+ "%08X%08X%08X%08X%08X%08X%08X";
+
static unsigned int offset;
static unsigned int ino = 721;
static time_t default_mtime;
@@ -74,8 +77,7 @@ static void cpio_trailer(void)
char s[256];
const char name[] = "TRAILER!!!";
- sprintf(s, "%s%08X%08X%08lX%08lX%08X%08lX"
- "%08X%08X%08X%08X%08X%08X%08X",
+ sprintf(s, newcfmt,
"070701", /* magic */
0, /* ino */
0, /* mode */
@@ -106,8 +108,7 @@ static int cpio_mkslink(const char *name, const char *target,
if (name[0] == '/')
name++;
- sprintf(s,"%s%08X%08X%08lX%08lX%08X%08lX"
- "%08X%08X%08X%08X%08X%08X%08X",
+ sprintf(s, newcfmt,
"070701", /* magic */
ino++, /* ino */
S_IFLNK | mode, /* mode */
@@ -155,8 +156,7 @@ static int cpio_mkgeneric(const char *name, unsigned int mode,
if (name[0] == '/')
name++;
- sprintf(s,"%s%08X%08X%08lX%08lX%08X%08lX"
- "%08X%08X%08X%08X%08X%08X%08X",
+ sprintf(s, newcfmt,
"070701", /* magic */
ino++, /* ino */
mode, /* mode */
@@ -249,8 +249,7 @@ static int cpio_mknod(const char *name, unsigned int mode,
if (name[0] == '/')
name++;
- sprintf(s,"%s%08X%08X%08lX%08lX%08X%08lX"
- "%08X%08X%08X%08X%08X%08X%08X",
+ sprintf(s, newcfmt,
"070701", /* magic */
ino++, /* ino */
mode, /* mode */
@@ -339,8 +338,7 @@ static int cpio_mkfile(const char *name, const char *location,
if (name[0] == '/')
name++;
namesize = strlen(name) + 1;
- sprintf(s,"%s%08X%08X%08lX%08lX%08X%08lX"
- "%08lX%08X%08X%08X%08X%08X%08X",
+ sprintf(s, newcfmt,
"070701", /* magic */
ino, /* ino */
mode, /* mode */
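Review bot: the format removed here used `%08lX` for filesize because cpio_mkfile() passes a `long size`, whereas the common newcfmt uses `%08X` in that position; this hunk therefore introduces a long-to-unsigned-int argument mismatch for the filesize field. Cast the argument `(unsigned)size` in cpio_mkfile(), or keep a separate format for it.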
--
1.8.1.4
* [PATCH v1 06/11] gen_init_cpio: define new CPIO format to support xattrs
From: Mimi Zohar @ 2015-01-20 19:12 UTC (permalink / raw)
To: initramfs
Cc: Mimi Zohar, Al Viro, linux-ima-devel, linux-security-module,
linux-kernel
This patch defines a new CPIO method 070703 for including xattrs.
The new format extends the existing NEWC header to include the
buffer size containing the number of xattrs, the xattr(s) name,
data size, and data.
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
---
usr/gen_init_cpio.c | 35 ++++++++++++++++++++++-------------
1 file changed, 22 insertions(+), 13 deletions(-)
diff --git a/usr/gen_init_cpio.c b/usr/gen_init_cpio.c
index ee35361..0d9c6e8 100644
--- a/usr/gen_init_cpio.c
+++ b/usr/gen_init_cpio.c
@@ -21,7 +21,11 @@
#define str(s) xstr(s)
static char *newcfmt = "%s%08X%08X%08lX%08lX%08X%08lX"
- "%08X%08X%08X%08X%08X%08X%08X";
+ "%08X%08X%08X%08X%08X%08X%15$08X";
+static char *newcxfmt = "%s%08X%08X%08lX%08lX%08X%08lX"
+ "%08X%08X%08X%08X%08X%08X%08X%08X";
+
+static int newcx;
static unsigned int offset;
static unsigned int ino = 721;
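Review bot: mixing a numbered conversion (`%15$08X`) with unnumbered ones in newcfmt is undefined behaviour for printf() per POSIX and trips gcc's -Wformat; it is used so that one 15-argument list can serve both formats by skipping the xattrs-size argument. Either number every conversion in newcfmt or add a small helper that takes the header fields and emits the newc or newcx header from two explicit argument lists.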
@@ -58,7 +62,7 @@ static void push_rest(const char *name)
putchar(0);
offset += name_len;
- tmp_ofs = name_len + 110;
+ tmp_ofs = name_len + (newcx ? 118 : 110);
while (tmp_ofs & 3) {
putchar(0);
offset++;
@@ -69,7 +73,7 @@ static void push_rest(const char *name)
static void push_hdr(const char *s)
{
fputs(s, stdout);
- offset += 110;
+ offset += newcx ? 118 : 110;
}
static void cpio_trailer(void)
@@ -77,8 +81,8 @@ static void cpio_trailer(void)
char s[256];
const char name[] = "TRAILER!!!";
- sprintf(s, newcfmt,
- "070701", /* magic */
+ sprintf(s, newcx ? newcxfmt : newcfmt,
+ newcx ? "070703": "070701",/* magic */
0, /* ino */
0, /* mode */
(long) 0, /* uid */
@@ -91,6 +95,7 @@ static void cpio_trailer(void)
0, /* rmajor */
0, /* rminor */
(unsigned)strlen(name)+1, /* namesize */
+ 0, /* xattrs-size */
0); /* chksum */
push_hdr(s);
push_rest(name);
@@ -108,8 +113,8 @@ static int cpio_mkslink(const char *name, const char *target,
if (name[0] == '/')
name++;
- sprintf(s, newcfmt,
- "070701", /* magic */
+ sprintf(s, newcx ? newcxfmt : newcfmt,
+ newcx ? "070703": "070701",/* magic */
ino++, /* ino */
S_IFLNK | mode, /* mode */
(long) uid, /* uid */
@@ -122,6 +127,7 @@ static int cpio_mkslink(const char *name, const char *target,
0, /* rmajor */
0, /* rminor */
(unsigned)strlen(name) + 1,/* namesize */
+ 0, /* xattrs-size */
0); /* chksum */
push_hdr(s);
push_string(name);
@@ -156,8 +162,8 @@ static int cpio_mkgeneric(const char *name, unsigned int mode,
if (name[0] == '/')
name++;
- sprintf(s, newcfmt,
- "070701", /* magic */
+ sprintf(s, newcx ? newcxfmt : newcfmt,
+ newcx ? "070703": "070701",/* magic */
ino++, /* ino */
mode, /* mode */
(long) uid, /* uid */
@@ -170,6 +176,7 @@ static int cpio_mkgeneric(const char *name, unsigned int mode,
0, /* rmajor */
0, /* rminor */
(unsigned)strlen(name) + 1,/* namesize */
+ 0, /* xattrs-size */
0); /* chksum */
push_hdr(s);
push_rest(name);
@@ -249,8 +256,8 @@ static int cpio_mknod(const char *name, unsigned int mode,
if (name[0] == '/')
name++;
- sprintf(s, newcfmt,
- "070701", /* magic */
+ sprintf(s, newcx ? newcxfmt : newcfmt,
+ newcx ? "070703": "070701",/* magic */
ino++, /* ino */
mode, /* mode */
(long) uid, /* uid */
@@ -263,6 +270,7 @@ static int cpio_mknod(const char *name, unsigned int mode,
maj, /* rmajor */
min, /* rminor */
(unsigned)strlen(name) + 1,/* namesize */
+ 0, /* xattrs-size */
0); /* chksum */
push_hdr(s);
push_rest(name);
@@ -338,8 +346,8 @@ static int cpio_mkfile(const char *name, const char *location,
if (name[0] == '/')
name++;
namesize = strlen(name) + 1;
- sprintf(s, newcfmt,
- "070701", /* magic */
+ sprintf(s, newcx ? newcxfmt : newcfmt,
+ newcx ? "070703": "070701",/* magic */
ino, /* ino */
mode, /* mode */
(long) uid, /* uid */
@@ -352,6 +360,7 @@ static int cpio_mkfile(const char *name, const char *location,
0, /* rmajor */
0, /* rminor */
namesize, /* namesize */
+ 0, /* xattrs-size */
0); /* chksum */
push_hdr(s);
push_string(name);
--
1.8.1.4
* [PATCH v1 07/11] gen_init_cpio: include the file extended attributes
From: Mimi Zohar @ 2015-01-20 19:12 UTC (permalink / raw)
To: initramfs
Cc: Mimi Zohar, Al Viro, linux-ima-devel, linux-security-module,
linux-kernel
This patch reads the xattr(s), creating a buffer containing the
number of xattrs, the xattr(s) name, data size, and data. The
resulting buffer size is included in the CPIO header and the
buffer data is written after the file name.
This patch also defines the '-x' option to enable the inclusion
of the xattrs.
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
---
usr/gen_init_cpio.c | 107 ++++++++++++++++++++++++++++++++++++++++++++++++----
1 file changed, 100 insertions(+), 7 deletions(-)
diff --git a/usr/gen_init_cpio.c b/usr/gen_init_cpio.c
index 0d9c6e8..08994d6 100644
--- a/usr/gen_init_cpio.c
+++ b/usr/gen_init_cpio.c
@@ -9,6 +9,7 @@
#include <errno.h>
#include <ctype.h>
#include <limits.h>
+#include <attr/xattr.h>
/*
* Original work by Jeff Garzik
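Review bot: `<attr/xattr.h>` belongs to libattr's development package, which nothing else in the kernel's host tools needs; glibc has provided listxattr()/getxattr() via `<sys/xattr.h>` since 2.3, so include that instead (or make the xattr code conditional) rather than adding an unconditional build dependency to usr/gen_init_cpio.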
@@ -36,6 +37,71 @@ struct file_handler {
int (*handler)(const char *line);
};
+#define MAX_XATTRNAMES_SIZE 500
+static char xattr_names[MAX_XATTRNAMES_SIZE];
+static char xattr_header[8]; /* number xattrs */
+static ssize_t xattr_nameslen;
+static unsigned int xattrs_buflen;
+
+static char xattr_buf[1000];
+static unsigned int get_xattrs(const char *name)
+{
+ char xattr_num[9];
+ char *xname, *buf, *bufend;
+ int xattrsize = 0, num_xattrs = 0;
+
+ xattr_nameslen = listxattr(name, NULL, 0);
+ if (xattr_nameslen <= 0 || xattr_nameslen > MAX_XATTRNAMES_SIZE)
+ return 0;
+
+ xattr_names[xattr_nameslen] = 0;
+ xattr_nameslen = listxattr(name, xattr_names, xattr_nameslen);
+ if (xattr_nameslen <= 0)
+ return 0;
+
+ /* xattr format: name value-len value */
+ buf = xattr_buf + sizeof xattr_header;
+ bufend = xattr_buf + sizeof xattr_buf;
+
+ for (xname = xattr_names; xname < (xattr_names + xattr_nameslen);
+ xname += strlen(xname) + 1) {
+ char sizebuf[9];
+ int offset;
+
+ /* skip security.evm as it is file system specific */
+ if (strcmp(xname, "security.evm") == 0)
+ continue;
+
+ offset = strlen(xname) + 1 + 8;
+ xattrsize = getxattr(name, xname, NULL, 0);
+ if (buf + offset + xattrsize > bufend) {
+ fprintf(stderr, "%s: xattrs too large \n", name);
+ return 0;
+ }
+
+ xattrsize = getxattr(name, xname, buf + offset,
+ bufend - (buf + offset));
+ if (xattrsize <= 0)
+ continue;
+
+ num_xattrs++;
+ fprintf(stderr, "%s: %s %x (%d)\n", name, xname, xattrsize,
+ num_xattrs);
+ strcpy(buf, xname);
+ buf += strlen(xname) + 1;
+ sprintf(sizebuf, "%08X", (int)xattrsize);
+ memcpy(buf, sizebuf, 8);
+ buf += (8 + xattrsize);
+ }
+
+ *buf = 0;
+ buf++;
+ sprintf(xattr_num, "%08X", num_xattrs);
+ memcpy(xattr_buf, xattr_num, 8);
+
+ return buf - xattr_buf;
+}
+
static void push_string(const char *name)
{
unsigned int name_len = strlen(name) + 1;
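Review bot: two off-by-one writes in get_xattrs(): `xattr_nameslen > MAX_XATTRNAMES_SIZE` admits xattr_nameslen == 500 and `xattr_names[xattr_nameslen] = 0` then writes past the 500-byte array (use `>=`); likewise `buf + offset + xattrsize > bufend` lets buf land exactly on bufend, after which `*buf = 0` writes xattr_buf[1000] (use `>=`, or keep one byte back in bufend for the trailing NUL). The size-probing `getxattr(name, xname, NULL, 0)` can return -1 and is not checked before the comparison. Note too that "xattrs too large" returns 0, so an entry whose xattrs exceed the 1000-byte buffer is archived with no xattrs at all and only fails later at IMA appraisal; failing the build there would be safer. The per-xattr fprintf(stderr, "%s: %s %x (%d)\n", ...) is debug output and should go or sit behind a verbose flag.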
@@ -106,11 +172,24 @@ static void cpio_trailer(void)
}
}
+static void include_xattrs(void)
+{
+ if (!xattrs_buflen)
+ return;
+
+ if (fwrite(xattr_buf, xattrs_buflen, 1, stdout) != 1)
+ fprintf(stderr, "writing xattrs failed\n");
+ offset += xattrs_buflen;
+
+ push_pad();
+}
+
static int cpio_mkslink(const char *name, const char *target,
unsigned int mode, uid_t uid, gid_t gid)
{
char s[256];
+ xattrs_buflen = newcx ? get_xattrs(name) : 0;
if (name[0] == '/')
name++;
sprintf(s, newcx ? newcxfmt : newcfmt,
@@ -127,13 +206,15 @@ static int cpio_mkslink(const char *name, const char *target,
0, /* rmajor */
0, /* rminor */
(unsigned)strlen(name) + 1,/* namesize */
- 0, /* xattrs-size */
+ xattrs_buflen, /* xattrs-size */
0); /* chksum */
push_hdr(s);
push_string(name);
push_pad();
push_string(target);
push_pad();
+ if (newcx)
+ include_xattrs();
return 0;
}
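Review bot: cpio_mkslink() (and cpio_mkgeneric() in the next hunk) call get_xattrs(name) with the archive path, before the leading '/' is stripped, rather than with a host path: dir, slink and nod entries in the cpio list have no source location, so this reads the xattrs of whatever happens to exist at that absolute path on the build host (e.g. the host's own /dev or /etc labels), and silently none if nothing does. Either document that the archive path doubles as the host path for these entry types, or give them an explicit source field as `file` entries have.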
@@ -160,6 +241,7 @@ static int cpio_mkgeneric(const char *name, unsigned int mode,
{
char s[256];
+ xattrs_buflen = newcx ? get_xattrs(name) : 0;
if (name[0] == '/')
name++;
sprintf(s, newcx ? newcxfmt : newcfmt,
@@ -176,10 +258,12 @@ static int cpio_mkgeneric(const char *name, unsigned int mode,
0, /* rmajor */
0, /* rminor */
(unsigned)strlen(name) + 1,/* namesize */
- 0, /* xattrs-size */
+ xattrs_buflen, /* xattrs-size */
0); /* chksum */
push_hdr(s);
push_rest(name);
+ if (newcx)
+ include_xattrs();
return 0;
}
@@ -339,9 +423,14 @@ static int cpio_mkfile(const char *name, const char *location,
}
size = 0;
+ xattrs_buflen = 0;
for (i = 1; i <= nlinks; i++) {
/* data goes on last link */
- if (i == nlinks) size = buf.st_size;
+ if (i == nlinks) {
+ size = buf.st_size;
+ if (newcx)
+ xattrs_buflen = get_xattrs(location);
+ }
if (name[0] == '/')
name++;
@@ -360,12 +449,13 @@ static int cpio_mkfile(const char *name, const char *location,
0, /* rmajor */
0, /* rminor */
namesize, /* namesize */
- 0, /* xattrs-size */
+ xattrs_buflen, /* xattrs-size */
0); /* chksum */
push_hdr(s);
push_string(name);
push_pad();
-
+ if (newcx)
+ include_xattrs();
if (size) {
if (fwrite(filebuf, size, 1, stdout) != 1) {
fprintf(stderr, "writing filebuf failed\n");
@@ -458,7 +548,7 @@ static int cpio_mkfile_line(const char *line)
static void usage(const char *prog)
{
fprintf(stderr, "Usage:\n"
- "\t%s [-t <timestamp>] <cpio_list>\n"
+ "\t%s [-t <timestamp>] [-x] <cpio_list>\n"
"\n"
"<cpio_list> is a file containing newline separated entries that\n"
"describe the files to be included in the initramfs archive:\n"
@@ -535,7 +625,7 @@ int main (int argc, char *argv[])
default_mtime = time(NULL);
while (1) {
- int opt = getopt(argc, argv, "t:h");
+ int opt = getopt(argc, argv, "t:h:x");
char *invalid;
if (opt == -1)
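Review bot: the option string changes from "t:h" to "t:h:x", which makes -h take a mandatory argument and breaks `gen_init_cpio -h`; it should be "t:hx".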
@@ -550,6 +640,9 @@ int main (int argc, char *argv[])
exit(1);
}
break;
+ case 'x':
+ newcx = 1;
+ break;
case 'h':
case '?':
usage(argv[0]);
--
1.8.1.4
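The xattr buffer that patch 03 (do_setxattrs) and patch 07 (get_xattrs) pass between gen_init_cpio and the kernel, exercised from both sides in plain userspace C as an added example that is not part of the series: xb_build() lays the buffer out the way get_xattrs() does, and xb_parse() reads it back with the bounds checks and strict hex parsing that do_setxattrs() leaves to sscanf() and strlen(). The xb_ names, the callback signature and the sample xattr values are this example's own assumptions.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * newcx xattr buffer as written by get_xattrs() and read by do_setxattrs():
 *   "%08X" count, then count times: name '\0' "%08X" value-len value, then '\0'
 * xb_parse() treats it as untrusted archive data: every read is checked against
 * the declared length first and sizes are compared as sizes, not as pointers.
 * All xb_ names are this example's own, not identifiers from the patch series.
 */
struct xb_entry { const char *name; const uint8_t *value; size_t value_len; };

/* Exactly 8 hex digits: no sign, "0x" or whitespace, unlike sscanf("%08X"). */
static int xb_hex8(const uint8_t *p, uint32_t *out)
{
	uint32_t v = 0;
	for (int i = 0; i < 8; i++) {
		if (!isxdigit(p[i]))
			return -1;
		v = (v << 4) | (uint32_t)(isdigit(p[i]) ? p[i] - '0' : tolower(p[i]) - 'a' + 10);
	}
	*out = v;
	return 0;
}

/* Producer (gen_init_cpio side): bytes written, or 0 if out is too small. */
size_t xb_build(uint8_t *out, size_t out_len, const struct xb_entry *e, size_t n)
{
	char hex[9];
	size_t off = 8;				/* count field is filled in last */
	if (out_len < 9)
		return 0;
	for (size_t i = 0; i < n; i++) {
		size_t name_len = strlen(e[i].name) + 1;
		if (out_len - off < name_len + 8 + e[i].value_len + 1)
			return 0;
		memcpy(out + off, e[i].name, name_len);
		off += name_len;
		snprintf(hex, sizeof hex, "%08X", (unsigned int)e[i].value_len);
		memcpy(out + off, hex, 8);
		off += 8;
		memcpy(out + off, e[i].value, e[i].value_len);
		off += e[i].value_len;
	}
	out[off++] = '\0';
	snprintf(hex, sizeof hex, "%08X", (unsigned int)n);
	memcpy(out, hex, 8);
	return off;
}

/* Consumer (kernel side): cb per entry; returns the count, or -1 if malformed. */
int xb_parse(const uint8_t *buf, size_t len,
	     void (*cb)(const struct xb_entry *, void *), void *ctx)
{
	uint32_t count, vlen;
	size_t off = 8;
	if (len < 9 || xb_hex8(buf, &count))
		return -1;
	for (uint32_t i = 0; i < count; i++) {
		const uint8_t *name = buf + off;
		const uint8_t *nul = memchr(name, '\0', len - off);	/* bounded, unlike strlen() */
		if (!nul || nul == name)				/* unterminated or empty name */
			return -1;
		off += (size_t)(nul - name) + 1;
		if (len - off < 8 || xb_hex8(buf + off, &vlen))
			return -1;
		off += 8;
		if (vlen > len - off)					/* a huge vlen cannot wrap this */
			return -1;
		struct xb_entry e = { (const char *)name, buf + off, vlen };
		if (cb)
			cb(&e, ctx);
		off += vlen;
	}
	return (int)count;
}

static void xb_count_cb(const struct xb_entry *e, void *ctx) { (void)e; ++*(int *)ctx; }

/* Constructed sample: two xattrs of the kind an IMA/SELinux-labelled file carries. */
int xb_roundtrip(void)
{
	static const uint8_t ima[] = { 0x03, 0x02, 0x04, 0xde, 0xad, 0xbe, 0xef };	/* made-up bytes */
	const char *sectx = "system_u:object_r:bin_t:s0";
	struct xb_entry in[2] = {
		{ "security.ima", ima, sizeof ima },
		{ "security.selinux", (const uint8_t *)sectx, strlen(sectx) },
	};
	uint8_t buf[256];
	int seen = 0;
	size_t n = xb_build(buf, sizeof buf, in, 2);
	return (n && xb_parse(buf, n, xb_count_cb, &seen) == 2) ? seen : -1;
}
```

xb_roundtrip() returns the number of entries the parser delivered for the constructed sample; feeding xb_parse() a buffer whose value-len claims more bytes than remain, or one shorter than the 9-byte minimum, returns -1 before any byte past the declared length is touched. A kernel version of xb_parse() would add the PAGE_SIZE cap on the buffer length from do_header() and call sys_setxattr() from the callback.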
* [PATCH v1 08/11] gen_init_cpio: change size of mtime and file length to 64 bits
From: Mimi Zohar @ 2015-01-20 19:12 UTC (permalink / raw)
To: initramfs
Cc: Mimi Zohar, Al Viro, linux-ima-devel, linux-security-module,
linux-kernel
Either we keep the current field ordering, making some fields
64 bits, or move the larger fields to the end. This patch keeps
the same field ordering.
Requested-by: Rob Landley <rob@landley.net>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
---
usr/gen_init_cpio.c | 25 ++++++++++++++++---------
1 file changed, 16 insertions(+), 9 deletions(-)
diff --git a/usr/gen_init_cpio.c b/usr/gen_init_cpio.c
index 08994d6..55dab65 100644
--- a/usr/gen_init_cpio.c
+++ b/usr/gen_init_cpio.c
@@ -1,5 +1,6 @@
#include <stdio.h>
#include <stdlib.h>
+#include <stdint.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <string.h>
@@ -23,14 +24,15 @@
static char *newcfmt = "%s%08X%08X%08lX%08lX%08X%08lX"
"%08X%08X%08X%08X%08X%08X%15$08X";
-static char *newcxfmt = "%s%08X%08X%08lX%08lX%08X%08lX"
- "%08X%08X%08X%08X%08X%08X%08X%08X";
+static char *newcxfmt = "%s%08X%08X%08lX%08lX%08X%016llX"
+ "%016llX%08X%08X%08X%08X%08X%08X%08X";
static int newcx;
static unsigned int offset;
static unsigned int ino = 721;
static time_t default_mtime;
+static uint64_t default_mtime_usec;
struct file_handler {
const char *type;
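Review bot: the header length this format string produces does not match the 130 that push_rest() and push_hdr() are switched to later in this patch. Counting the conversions in the new newcxfmt gives the 6-character magic (070703) plus twelve 8-digit fields and two 16-digit fields, i.e. 6 + 96 + 32 = 134 bytes, and the old value of 118 did match the old format (6 + 14 * 8). Since the 4-byte alignment padding in push_rest() is derived from that constant, a 4-byte error here would misalign every entry in the archive, so please recheck which of 130 or 134 is intended and tie both to the format string. Separately, %016llX expects unsigned long long while uint64_t is unsigned long on LP64 glibc; "%016" PRIX64 from <inttypes.h> avoids both the -Wformat warning and the ABI dependence.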
@@ -128,7 +130,7 @@ static void push_rest(const char *name)
putchar(0);
offset += name_len;
- tmp_ofs = name_len + (newcx ? 118 : 110);
+ tmp_ofs = name_len + (newcx ? 130 : 110);
while (tmp_ofs & 3) {
putchar(0);
offset++;
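Review bot: 110, 118 and now 130 are bare literals here and again in push_hdr(), so the header length can drift from the format string unnoticed, which is exactly what appears to have happened (the new newcxfmt expands to 134 characters, not 130). Define the two lengths once next to the format strings, e.g. NEWC_HDR_LEN and NEWCX_HDR_LEN, and use them in both functions so any future field-width change updates all users together.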
@@ -139,7 +141,7 @@ static void push_rest(const char *name)
static void push_hdr(const char *s)
{
fputs(s, stdout);
- offset += newcx ? 118 : 110;
+ offset += newcx ? 130 : 110;
}
static void cpio_trailer(void)
@@ -199,7 +201,8 @@ static int cpio_mkslink(const char *name, const char *target,
(long) uid, /* uid */
(long) gid, /* gid */
1, /* nlink */
- (long) default_mtime, /* mtime */
+ newcx ? default_mtime_usec :
+ (long) default_mtime, /* mtime */
(unsigned)strlen(target)+1, /* filesize */
3, /* major */
1, /* minor */
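Review bot: the conditional newcx ? default_mtime_usec : (long) default_mtime has type uint64_t in both branches because of the usual arithmetic conversions, so in the plain newc case an 8-byte argument is passed where newcfmt's %08lX expects an unsigned long. On LP64 hosts that happens to be the same size, but on a 32-bit host every vararg after mtime shifts by four bytes and the header is corrupted. The same expression appears in cpio_mkgeneric() and cpio_mknod() below. Cleaner is to compute the value into a uint64_t first and give both format strings a 64-bit mtime conversion ("%08" PRIX64 for newc, which still prints 8 digits for any pre-2106 timestamp), or select the value and the format string together in two separate sprintf calls.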
@@ -251,7 +254,8 @@ static int cpio_mkgeneric(const char *name, unsigned int mode,
(long) uid, /* uid */
(long) gid, /* gid */
2, /* nlink */
- (long) default_mtime, /* mtime */
+ newcx ? default_mtime_usec :
+ (long) default_mtime, /* mtime */
0, /* filesize */
3, /* major */
1, /* minor */
@@ -347,7 +351,8 @@ static int cpio_mknod(const char *name, unsigned int mode,
(long) uid, /* uid */
(long) gid, /* gid */
1, /* nlink */
- (long) default_mtime, /* mtime */
+ newcx ? default_mtime_usec :
+ (long) default_mtime, /* mtime */
0, /* filesize */
3, /* major */
1, /* minor */
@@ -389,7 +394,7 @@ static int cpio_mkfile(const char *name, const char *location,
char s[256];
char *filebuf = NULL;
struct stat buf;
- long size;
+ uint64_t size;
int file = -1;
int retval;
int rc = -1;
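Review bot: widening size to uint64_t does not by itself let a newc archive carry a large file; newcfmt's filesize conversion is still %08X, i.e. 32 bits on the wire. When !newcx and buf.st_size exceeds what 8 hex digits can represent, cpio_mkfile() should fail with a clear error instead of silently emitting a truncated length that the extractor will then use to mis-read the rest of the archive.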
@@ -442,7 +447,8 @@ static int cpio_mkfile(const char *name, const char *location,
(long) uid, /* uid */
(long) gid, /* gid */
nlinks, /* nlink */
- (long) buf.st_mtime, /* mtime */
+ newcx ? (uint64_t) buf.st_mtime * 1000000 :
+ (long) buf.st_mtime, /* mtime */
size, /* filesize */
3, /* major */
1, /* minor */
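Review bot: in the newc path, size is now a uint64_t passed for newcfmt's %08X filesize conversion, which expects an unsigned int; on x86-64 the low 32 bits happen to land in the right place, but it is undefined behaviour and breaks on 32-bit hosts, so cast to (unsigned) size for the newc case (or split the two sprintf calls, which also resolves the mixed-width mtime conditional on the line above). The (uint64_t) buf.st_mtime * 1000000 cast for the newcx mtime is right; the same cast is missing from the default_mtime_usec computation in main().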
@@ -664,6 +670,7 @@ int main (int argc, char *argv[])
exit(1);
}
+ default_mtime_usec = default_mtime * 1000000;
while (fgets(line, LINE_SIZE, cpio_list)) {
int type_idx;
size_t slen = strlen(line);
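Review bot: default_mtime * 1000000 is evaluated in time_t before being stored in the uint64_t, so on a host where time_t is 32 bits the product overflows (1000000 times any timestamp after 1970-01-01 00:35 exceeds 2^31). Write it as (uint64_t) default_mtime * 1000000, matching the cast already used for buf.st_mtime in cpio_mkfile().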
--
1.8.1.4
* [PATCH v1 09/11] gen_initramfs_list.sh: include xattrs
From: Mimi Zohar @ 2015-01-20 19:12 UTC (permalink / raw)
To: initramfs
Cc: Mimi Zohar, Al Viro, linux-ima-devel, linux-security-module,
linux-kernel
Support the new gen_init_cpio option to include extended attributes.
This patch adds support for the "-x" option and passes it to
gen_init_cpio.
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
---
scripts/gen_initramfs_list.sh | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/scripts/gen_initramfs_list.sh b/scripts/gen_initramfs_list.sh
index 17fa901..8d10b9d 100755
--- a/scripts/gen_initramfs_list.sh
+++ b/scripts/gen_initramfs_list.sh
@@ -24,6 +24,7 @@ $0 [-o <file>] [-u <uid>] [-g <gid>] {-d | <cpio_source>} ...
-g <gid> Group ID to map to group ID 0 (root).
<gid> is only meaningful if <cpio_source> is a
directory. "squash" forces all files to gid 0.
+ -x include file extended attributes in cpio archive.
<cpio_source> File list or directory for cpio archive.
If <cpio_source> is a .cpio file it will be used
as direct input to initramfs.
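Review bot: the help entry for -x is added, but the synopsis shown in this hunk's header, "$0 [-o <file>] [-u <uid>] [-g <gid>] {-d | <cpio_source>} ...", is not updated to list [-x]; add it there as well so the two halves of the usage text agree.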
@@ -223,6 +224,7 @@ root_gid=0
dep_list=
cpio_file=
cpio_list=
+cpio_opts=
output="/dev/stdout"
output_file=""
is_cpio_compressed=
@@ -278,6 +280,9 @@ while [ $# -gt 0 ]; do
default_list="$arg"
${dep_list}default_initramfs
;;
+ "-x") # include extended attributers
+ cpio_opts="-x"
+ ;;
"-h")
usage
exit 0
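Review bot: typo in the new comment, "attributers" should be "attributes". Also, because cpio_opts is a plain assignment, repeating -x is harmless, but the option is accepted regardless of whether the script will ever run gen_init_cpio; see the note on the cpio_tfile hunk below for the case where it is silently dropped.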
@@ -307,7 +312,8 @@ if [ ! -z ${output_file} ]; then
fi
fi
cpio_tfile="$(mktemp ${TMPDIR:-/tmp}/cpiofile.XXXXXX)"
- usr/gen_init_cpio $timestamp ${cpio_list} > ${cpio_tfile}
+ usr/gen_init_cpio $timestamp ${cpio_opts} ${cpio_list} \
+ > ${cpio_tfile}
else
cpio_tfile=${cpio_file}
fi
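Review bot: cpio_opts is only consumed on the gen_init_cpio branch; when <cpio_source> is a prebuilt .cpio file the else branch uses it as-is and -x has no effect, with no warning. Since the whole point of the series is that IMA/EVM policy will rely on the rootfs having been labelled, a user who passes -x together with a .cpio input and gets an unlabelled initramfs will only find out at boot. Print a warning (or fail) when cpio_opts is set and cpio_file is non-empty.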
--
1.8.1.4
* [PATCH v1 10/11] evm: make rootfs a special case
From: Mimi Zohar @ 2015-01-20 19:12 UTC (permalink / raw)
To: initramfs
Cc: Mimi Zohar, Al Viro, linux-ima-devel, linux-security-module,
linux-kernel
Both the EVM HMAC and signature xattr formats are file system
specific and cannot be copied from one filesystem to another.
EVM differentiates files without any xattrs (INTEGRITY_UNKNOWN)
from those having protected xattrs (INTEGRITY_NOLABEL). This
patch treats the rootfs filesystem as a special case, returning
INTEGRITY_UNKNOWN.
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
---
security/integrity/evm/evm_main.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index f589c9a0..9140016 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -19,6 +19,7 @@
#include <linux/module.h>
#include <linux/crypto.h>
#include <linux/audit.h>
+#include <linux/magic.h>
#include <linux/xattr.h>
#include <linux/integrity.h>
#include <linux/evm.h>
@@ -128,11 +129,16 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
if (rc <= 0) {
evm_status = INTEGRITY_FAIL;
if (rc == -ENODATA) {
+ struct super_block *sb = dentry->d_inode->i_sb;
+
rc = evm_find_protected_xattrs(dentry);
- if (rc > 0)
- evm_status = INTEGRITY_NOLABEL;
- else if (rc == 0)
+ if (rc == 0)
evm_status = INTEGRITY_NOXATTRS; /* new file */
+ else if (rc > 0 && sb->s_magic == TMPFS_MAGIC
+ && strcmp(sb->s_id, "rootfs") == 0)
+ evm_status = INTEGRITY_UNKNOWN;
+ else if (rc > 0)
+ evm_status = INTEGRITY_NOLABEL;
} else if (rc == -EOPNOTSUPP) {
evm_status = INTEGRITY_UNKNOWN;
}
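Review bot: the reason for the exemption lives only in the commit message; the code should say it, since a reader of evm_verify_hmac() will otherwise take the TMPFS_MAGIC && s_id == "rootfs" test for an arbitrary carve-out from EVM. A one-line comment such as "rootfs is rebuilt from the initramfs on every boot, so its xattrs cannot carry a filesystem-specific HMAC" would do. Two further points: the identification (TMPFS_MAGIC plus s_id "rootfs") is the same test that ima_policy.c gains in the next patch of this series, so a small shared helper would keep the two from diverging; and it is worth stating explicitly that the special case only downgrades NOLABEL to UNKNOWN for files with protected xattrs but no security.evm at all, while a file on rootfs that does carry a security.evm which fails verification still lands in INTEGRITY_FAIL via the rc <= 0 path above, which is the behaviour one wants.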
--
1.8.1.4
* [PATCH v1 11/11] ima: include rootfs (tmpfs) in ima_appraise_tcb policy
From: Mimi Zohar @ 2015-01-20 19:13 UTC (permalink / raw)
To: initramfs
Cc: Mimi Zohar, Al Viro, linux-ima-devel, linux-security-module,
linux-kernel
When rootfs supports extended attributes and CONFIG_IMA_APPRAISE_ROOTFS
is enabled, appraise the xattrs.
Changelog v1:
- limit appraising tmpfs to rootfs
- define new IMA_APPRAISE_ROOTFS Kconfig option (based on Josh Boyer's
comment).
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
---
security/integrity/ima/Kconfig | 12 ++++++++++++
security/integrity/ima/ima_policy.c | 8 ++++++++
2 files changed, 20 insertions(+)
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 57515bc..fe2fd5f 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -156,3 +156,15 @@ config IMA_APPRAISE_SIGNED_INIT
default n
help
This option requires user-space init to be signed.
+
+config IMA_APPRAISE_ROOTFS
+ bool "Require labeled rootfs"
+ depends on IMA_LOAD_X509
+ default n
+ help
+ This option is dependent on the initramfs including
+ extended attributes(xattrs) in the CPIO file and the
+ rootfs file system for supporting them.
+
+ The new CPIO format (070703) includes xattrs in the
+ initramfs. Use tmpfs as the rootfs.
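Review bot: the help text should tell the user how to satisfy the dependency it describes, i.e. that the initramfs has to be generated with the gen_initramfs_list.sh -x option introduced earlier in this series, and that "Use tmpfs as the rootfs" means rootfs must actually be backed by tmpfs (CONFIG_TMPFS) rather than ramfs, since ramfs does not keep the xattrs and every file would then fail appraisal at boot. Also a missing space in "attributes(xattrs)".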
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index d1eefb9..7748332 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -27,6 +27,7 @@
#define IMA_UID 0x0008
#define IMA_FOWNER 0x0010
#define IMA_FSUUID 0x0020
+#define IMA_SBID 0x0040
#define UNKNOWN 0
#define MEASURE 0x0001 /* same as IMA_MEASURE */
@@ -49,6 +50,7 @@ struct ima_rule_entry {
enum ima_hooks func;
int mask;
unsigned long fsmagic;
+ char sbid[32];
u8 fsuuid[16];
kuid_t uid;
kuid_t fowner;
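Review bot: the 32 in char sbid[32] is a magic number that must stay in step with the size of super_block::s_id, which the matching code compares against with strcmp. Size it from the kernel type instead, e.g. sizeof(((struct super_block *)0)->s_id), or at least add a comment tying it to s_id, so a change to the superblock layout cannot leave an unterminated compare.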
@@ -93,6 +95,10 @@ static struct ima_rule_entry default_appraise_rules[] = {
{.action = DONT_APPRAISE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC},
{.action = DONT_APPRAISE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC},
{.action = DONT_APPRAISE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC},
+#ifdef CONFIG_IMA_APPRAISE_ROOTFS
+ {.action = APPRAISE, .fsmagic = TMPFS_MAGIC, .sbid="rootfs",
+ .flags = IMA_FSMAGIC | IMA_SBID},
+#endif
{.action = DONT_APPRAISE, .fsmagic = TMPFS_MAGIC, .flags = IMA_FSMAGIC},
{.action = DONT_APPRAISE, .fsmagic = RAMFS_MAGIC, .flags = IMA_FSMAGIC},
{.action = DONT_APPRAISE, .fsmagic = DEVPTS_SUPER_MAGIC, .flags = IMA_FSMAGIC},
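Review bot: this rule only works because it sits before the unconditional DONT_APPRAISE TMPFS_MAGIC entry that follows it, and the table is first-match; nothing in the source says so, so add a comment on the new entry that it must precede the generic tmpfs rule. Also note what the rule does: with no .func, .mask or .fowner restriction it appraises every file on rootfs regardless of owner, which is stricter than the owner-limited appraise_tcb rules elsewhere in this table and is presumably intended for an initramfs that is fully labelled, but the Kconfig help should spell out that any unlabelled file on rootfs will then be refused.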
@@ -188,6 +194,8 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
if ((rule->flags & IMA_FSUUID) &&
memcmp(rule->fsuuid, inode->i_sb->s_uuid, sizeof(rule->fsuuid)))
return false;
+ if ((rule->flags & IMA_SBID) && strcmp(rule->sbid, inode->i_sb->s_id))
+ return false;
if ((rule->flags & IMA_UID) && !uid_eq(rule->uid, cred->uid))
return false;
if ((rule->flags & IMA_FOWNER) && !uid_eq(rule->fowner, inode->i_uid))
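Review bot: the match is wired up, but the diffstat shows no change to the policy parser, so a custom policy loaded through securityfs has no "sbid=" token and IMA_SBID can only ever come from the built-in table; if that is deliberate, say so in a comment next to the IMA_SBID define, otherwise extend ima_parse_rule() alongside this hunk. Minor: since both rule->sbid and s_id are fixed 32-byte arrays, strncmp(rule->sbid, inode->i_sb->s_id, sizeof(rule->sbid)) is the safer form should a 32-character id ever be stored unterminated.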
--
1.8.1.4
Thread overview: 12+ messages
2015-01-20 19:12 [PATCH v1 00/11] extend initramfs archive format to support xattrs Mimi Zohar
2015-01-20 19:12 ` [PATCH v1 01/11] initramfs: separate reading cpio method from header Mimi Zohar
2015-01-20 19:12 ` [PATCH v1 02/11] initramfs: replace simple_strtoul() with kstrtoul() Mimi Zohar
2015-01-20 19:12 ` [PATCH v1 03/11] initramfs: add extended attribute support Mimi Zohar
2015-01-20 19:12 ` [PATCH v1 04/11] initramfs: change size of mtime and file length to 64 bits Mimi Zohar
2015-01-20 19:12 ` [PATCH v1 05/11] gen_init_cpio: replace inline format string with common variable Mimi Zohar
2015-01-20 19:12 ` [PATCH v1 06/11] gen_init_cpio: define new CPIO format to support xattrs Mimi Zohar
2015-01-20 19:12 ` [PATCH v1 07/11] gen_init_cpio: include the file extended attributes Mimi Zohar
2015-01-20 19:12 ` [PATCH v1 08/11] gen_init_cpio: change size of mtime and file length to 64 bits Mimi Zohar
2015-01-20 19:12 ` [PATCH v1 09/11] gen_initramfs_list.sh: include xattrs Mimi Zohar
2015-01-20 19:12 ` [PATCH v1 10/11] evm: make rootfs a special case Mimi Zohar
2015-01-20 19:13 ` [PATCH v1 11/11] ima: include rootfs (tmpfs) in ima_appraise_tcb policy Mimi Zohar