diff --git a/drivers/hck/vendor_hooks.c b/drivers/hck/vendor_hooks.c
index 7bea8ddcaaa8bac1809c83c5775586d2fd8024d3..5ac7abbcac83ecf4b62a645e8cc4440abd73b4c5 100644
--- a/drivers/hck/vendor_hooks.c
+++ b/drivers/hck/vendor_hooks.c
@@ -11,3 +11,4 @@
 #include
 #include
 #include
+#include
diff --git a/fs/Kconfig b/fs/Kconfig
index efc725d7c628e7a0e864bcc02e40422466a1f374..0b0cf3e09f30200841534f4714e4b29487476bb9 100644
--- a/fs/Kconfig
+++ b/fs/Kconfig
@@ -115,6 +115,8 @@ config MANDATORY_FILE_LOCKING
 
 source "fs/crypto/Kconfig"
 
+source "fs/code_sign/Kconfig"
+
 source "fs/verity/Kconfig"
 
 source "fs/notify/Kconfig"
diff --git a/fs/Makefile b/fs/Makefile
index 74989c30c3fb240cee76863f008b5ce9ecc198c0..ff1ad0366d9da24fd5b5c3c0a766edfd8b0d5d92 100644
--- a/fs/Makefile
+++ b/fs/Makefile
@@ -4,7 +4,7 @@
 #
 # 14 Sep 2000, Christoph Hellwig
 # Rewritten to use lists instead of if-statements.
-#
+#
 
 obj-y := open.o read_write.o file_table.o super.o \
	char_dev.o stat.o exec.o pipe.o namei.o fcntl.o \
@@ -34,6 +34,7 @@ obj-$(CONFIG_USERFAULTFD) += userfaultfd.o
 obj-$(CONFIG_AIO) += aio.o
 obj-$(CONFIG_FS_DAX) += dax.o
 obj-$(CONFIG_FS_ENCRYPTION) += crypto/
+obj-$(CONFIG_SECURITY_CODE_SIGN) += code_sign/
 obj-$(CONFIG_FS_VERITY) += verity/
 obj-$(CONFIG_FILE_LOCKING) += locks.o
 obj-$(CONFIG_BINFMT_AOUT) += binfmt_aout.o
@@ -64,7 +65,7 @@ obj-y += devpts/
 obj-$(CONFIG_PROFILING) += dcookies.o
 obj-$(CONFIG_DLM) += dlm/
-
+
 # Do not add any filesystems before this line
 obj-$(CONFIG_FSCACHE) += fscache/
 obj-$(CONFIG_REISERFS_FS) += reiserfs/
diff --git a/fs/verity/signature.c b/fs/verity/signature.c
index b14ed96387ece05635780ef34e267729fe27ccb5..23109a7ba1480fe9791a80537c7df886ea7615cb 100644
--- a/fs/verity/signature.c
+++ b/fs/verity/signature.c
@@ -11,6 +11,7 @@
 #include
 #include
 #include
+#include
 
 /*
  * /proc/sys/fs/verity/require_signatures
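Review bot: The `obj-$(CONFIG_SECURITY_CODE_SIGN) += code_sign/` line keys on a Kconfig symbol that is not defined anywhere in this diff; the fs/Kconfig hunk sources `fs/code_sign/Kconfig`, so the symbol presumably lives there, but its dependencies cannot be checked from here and are worth confirming, in particular whether it depends on or selects CONFIG_HCK, because the hook that the new include/linux/hck/lite_hck_code_sign.h adds to fs/verity/signature.c expands to nothing when CONFIG_HCK is unset. The @@ -4 and @@ -64 hunks in this file change only whitespace and are unrelated to the feature; dropping them keeps the commit to its purpose and avoids needless merge conflicts.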
@@ -45,7 +46,7 @@ int fsverity_verify_signature(const struct fsverity_info *vi,
 	const struct fsverity_hash_alg *hash_alg = vi->tree_params.hash_alg;
 	const u32 sig_size = le32_to_cpu(desc->sig_size);
 	struct fsverity_signed_digest *d;
-	int err;
+	int err, ret = 0;
 
 	if (sig_size == 0) {
 		if (fsverity_require_signatures) {
@@ -69,6 +70,14 @@ int fsverity_verify_signature(const struct fsverity_info *vi,
 	d->digest_size = cpu_to_le16(hash_alg->digest_size);
 	memcpy(d->digest, vi->measurement, hash_alg->digest_size);
 
+	CALL_HCK_LITE_HOOK(fsverity_verity_certchain_lhck, desc->signature, sig_size, &ret);
+	if (!ret) {
+		pr_debug("verify cert chain succ\n");
+	} else {
+		fsverity_err(inode, "verify cert chain failed, ret = %d", ret);
+		return -EPERM;
+	}
+
 	err = verify_pkcs7_signature(d, sizeof(*d) + hash_alg->digest_size,
 				     desc->signature, sig_size, fsverity_keyring,
diff --git a/include/linux/hck/lite_hck_code_sign.h b/include/linux/hck/lite_hck_code_sign.h
new file mode 100644
index 0000000000000000000000000000000000000000..b03f9a2a1fb5b3d2d184b488d08a56c56f2db735
--- /dev/null
+++ b/include/linux/hck/lite_hck_code_sign.h
@@ -0,0 +1,27 @@
+//SPDX-License-Identifier: GPL-2.0-only
+/*lite_hck_sample.h
+ *
+*OpenHarmony Common Kernel Vendor Hook Smaple
+ *
+ */
+
+#ifndef LITE_HCK_CODE_SIGN_H
+#define LITE_HCK_CODE_SIGN_H
+
+#include
+
+#ifndef CONFIG_HCK
+
+#define CALL_HCK_LITE_HOOK(name, args...)
+#define REGISTER_HCK_LITE_HOOK(name, probe)
+#define REGISTER_HCK_LITE_DATA_HOOK(name, probe, data)
+
+#else
+
+DECLARE_HCK_LITE_HOOK(fsverity_verity_certchain_lhck,
+	TP_PROTO(const void *raw_pkcs7, size_t pkcs7_len, int *ret),
+	TP_ARGS(raw_pkcs7, pkcs7_len, ret));
+
+#endif /* CONFIG_HCK */
+
+#endif /* LITE_HCK_CODE_SIGN_H */
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 1c6c59b92ab5c79c73352c7246bce957c01e60dd..2702e1df32a2f3c2e14df8444e2a92a7dc9f3a36 100644
--- a/security/selinux/include/classmap.h
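Review bot: `ret` is initialised to 0 and only the hook can change it, so the new certificate-chain check passes silently whenever the hook does not run: certainly when CONFIG_HCK is unset, where the new header expands `CALL_HCK_LITE_HOOK` to nothing, and presumably also when no vendor probe is registered. If the chain check is meant to be enforced rather than best-effort, seed `ret` with a failure value and let the probe clear it; if fail-open is intended, say so where `ret` is declared, e.g. `/* ret stays 0 (pass) when no cert-chain verifier is hooked in; the keyring check below still applies */`. The hook hands `desc->signature` and `sig_size` straight from the on-disk descriptor to vendor code before `verify_pkcs7_signature` has looked at them, so that parser now runs on untrusted input and must be as robust as the in-kernel PKCS#7 parser, and the bounding of `sig_size` relies on descriptor validation done before this function, outside the hunk. The success branch carries only a `pr_debug`, so `if (ret) { fsverity_err(...); return -EPERM; }` followed by the `pr_debug` reads better than the inverted if/else, and returning `-EPERM` here while the existing pkcs7 failure path appears to propagate `err` (outside the hunk) gives callers two different codes for "signature not trusted". fsverity_verify_signature begins and ends outside this hunk.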
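Review bot: The file comment is copied from the sample hook header (`/*lite_hck_sample.h`, `Vendor Hook Smaple`) and describes nothing about this file; replace it with `/* lite_hck_code_sign.h - lite vendor hook for fs-verity certificate-chain verification */`, and as this is a header the SPDX tag belongs in the `/* SPDX-License-Identifier: GPL-2.0-only */` form rather than `//`. The `DECLARE_HCK_LITE_HOOK` prototype carries no contract for the `int *ret` out-parameter; a comment above it should state that the probe sets `*ret` to 0 when the PKCS#7 certificate chain is trusted and to a non-zero value otherwise, and that `*ret` is presumably left untouched when no probe runs, which is what the `ret = 0` initialisation in fs/verity/signature.c relies on. The `#ifndef CONFIG_HCK` fallbacks define the generic `CALL_HCK_LITE_HOOK`/`REGISTER_HCK_LITE_HOOK`/`REGISTER_HCK_LITE_DATA_HOOK` names in a per-hook header; if other lite_hck headers carry the same fallbacks, any divergence in their replacement text becomes a redefinition warning, so they belong in the shared hck header instead.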
+++ b/security/selinux/include/classmap.h
@@ -252,6 +252,8 @@ struct security_class_mapping secclass_map[] = {
 	  { "integrity", "confidentiality", NULL } },
 	{ "xpm",
 	  { "exec_no_sign", "exec_anon_mem", NULL } },
+	{ "code_sign",
+	  { "access_cert_chain", NULL } },
 	{ NULL }
 };
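Review bot: Nothing in this diff checks the new `code_sign` class or its `access_cert_chain` permission, so from what is shown the entry is unreachable; presumably the caller lives under the `fs/code_sign/` directory the Kconfig and Makefile hunks reference, which is worth confirming before the class is added. A class present in the kernel map but absent from the loaded policy is reported at policy load and handled according to the policy's `handle_unknown` setting, so the matching policy-side class and access-vector definitions should land together with this change. A short comment above the entry naming where the permission is checked, e.g. `/* code_sign: access to the fs-verity certificate chain */`, would tell the next reader what the class guards. The secclass_map initialiser begins outside this hunk.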