4.7-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 9 Sep 2016 13:47:52 +0000 (15:47 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 9 Sep 2016 13:47:52 +0000 (15:47 +0200)
added patches:
apparmor-fix-refcount-race-when-finding-a-child-profile.patch
cred-reject-inodes-with-invalid-ids-in-set_create_file_as.patch
fs-check-for-invalid-i_uid-in-may_follow_link.patch
kernel-add-noaudit-variant-of-ns_capable.patch
net-use-ns_capable_noaudit-when-determining-net-sysctl-permissions.patch

queue-4.7/apparmor-fix-refcount-race-when-finding-a-child-profile.patch [new file with mode: 0644]
queue-4.7/cred-reject-inodes-with-invalid-ids-in-set_create_file_as.patch [new file with mode: 0644]
queue-4.7/fs-check-for-invalid-i_uid-in-may_follow_link.patch [new file with mode: 0644]
queue-4.7/kernel-add-noaudit-variant-of-ns_capable.patch [new file with mode: 0644]
queue-4.7/net-use-ns_capable_noaudit-when-determining-net-sysctl-permissions.patch [new file with mode: 0644]
queue-4.7/series

diff --git a/queue-4.7/apparmor-fix-refcount-race-when-finding-a-child-profile.patch b/queue-4.7/apparmor-fix-refcount-race-when-finding-a-child-profile.patch
new file mode 100644 (file)
index 0000000..4a95a5e
--- /dev/null
@@ -0,0 +1,37 @@
+From de7c4cc947f9f56f61520ee7edaf380434a98c8d Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Wed, 16 Dec 2015 18:09:10 -0800
+Subject: apparmor: fix refcount race when finding a child profile
+
+From: John Johansen <john.johansen@canonical.com>
+
+commit de7c4cc947f9f56f61520ee7edaf380434a98c8d upstream.
+
+When finding a child profile via an rcu critical section, the profile
+may be put and scheduled for deletion after the child is found but
+before its refcount is incremented.
+
+Protect against this by repeating the lookup if the profiles refcount
+is 0 and is one its way to deletion.
+
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Acked-by: Seth Arnold <seth.arnold@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/apparmor/policy.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/security/apparmor/policy.c
++++ b/security/apparmor/policy.c
+@@ -766,7 +766,9 @@ struct aa_profile *aa_find_child(struct
+       struct aa_profile *profile;
+       rcu_read_lock();
+-      profile = aa_get_profile(__find_child(&parent->base.profiles, name));
++      do {
++              profile = __find_child(&parent->base.profiles, name);
++      } while (profile && !aa_get_profile_not0(profile));
+       rcu_read_unlock();
+       /* refcount released by caller */
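Review bot: The retry loop `do { profile = __find_child(...); } while (profile && !aa_get_profile_not0(profile));` carries no comment explaining why a child that was just found may have to be looked up again; the reason lives only in the commit message. I would add above the `do`: `/* __find_child() runs under RCU only: the profile it returns may already have dropped to refcount 0 and be queued for freeing; retry until we find nothing or manage to take a reference */`. The loop also relies on aa_get_profile_not0() returning a false value whenever the reference could not be taken, a contract not visible in this hunk and worth confirming against its definition. aa_find_child() begins before and ends after the lines shown.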
diff --git a/queue-4.7/cred-reject-inodes-with-invalid-ids-in-set_create_file_as.patch b/queue-4.7/cred-reject-inodes-with-invalid-ids-in-set_create_file_as.patch
new file mode 100644 (file)
index 0000000..cf429d1
--- /dev/null
@@ -0,0 +1,33 @@
+From 5f65e5ca286126a60f62c8421b77c2018a482b8a Mon Sep 17 00:00:00 2001
+From: Seth Forshee <seth.forshee@canonical.com>
+Date: Tue, 26 Apr 2016 14:36:24 -0500
+Subject: cred: Reject inodes with invalid ids in set_create_file_as()
+
+From: Seth Forshee <seth.forshee@canonical.com>
+
+commit 5f65e5ca286126a60f62c8421b77c2018a482b8a upstream.
+
+Using INVALID_[UG]ID for the LSM file creation context doesn't
+make sense, so return an error if the inode passed to
+set_create_file_as() has an invalid id.
+
+Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
+Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
+Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/cred.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/cred.c
++++ b/kernel/cred.c
+@@ -689,6 +689,8 @@ EXPORT_SYMBOL(set_security_override_from
+  */
+ int set_create_files_as(struct cred *new, struct inode *inode)
+ {
++      if (!uid_valid(inode->i_uid) || !gid_valid(inode->i_gid))
++              return -EINVAL;
+       new->fsuid = inode->i_uid;
+       new->fsgid = inode->i_gid;
+       return security_kernel_create_files_as(new, inode);
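Review bot: The new `return -EINVAL;` path in set_create_files_as() is not reflected in the kernel-doc block that ends at the ` */` line just above the function, which presumably still describes only the previous always-assign behaviour. I would add there `Returns -EINVAL if the inode's uid or gid is not a valid kernel id; otherwise the result of security_kernel_create_files_as().`, and put a short why-comment on the guard itself: `/* INVALID_[UG]ID cannot form a meaningful file-creation context */`. Callers of set_create_files_as() are outside this patch; any that previously ignored its return value now silently skip the error, so they are worth auditing in a follow-up. The function's kernel-doc header starts outside the hunk.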
diff --git a/queue-4.7/fs-check-for-invalid-i_uid-in-may_follow_link.patch b/queue-4.7/fs-check-for-invalid-i_uid-in-may_follow_link.patch
new file mode 100644 (file)
index 0000000..ae68493
--- /dev/null
@@ -0,0 +1,45 @@
+From 2d7f9e2ad35e4e7a3086231f19bfab33c6a8a64a Mon Sep 17 00:00:00 2001
+From: Seth Forshee <seth.forshee@canonical.com>
+Date: Tue, 26 Apr 2016 14:36:23 -0500
+Subject: fs: Check for invalid i_uid in may_follow_link()
+
+From: Seth Forshee <seth.forshee@canonical.com>
+
+commit 2d7f9e2ad35e4e7a3086231f19bfab33c6a8a64a upstream.
+
+Filesystem uids which don't map into a user namespace may result
+in inode->i_uid being INVALID_UID. A symlink and its parent
+could have different owners in the filesystem can both get
+mapped to INVALID_UID, which may result in following a symlink
+when this would not have otherwise been permitted when protected
+symlinks are enabled.
+
+Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
+Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
+Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/namei.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -901,6 +901,7 @@ static inline int may_follow_link(struct
+ {
+       const struct inode *inode;
+       const struct inode *parent;
++      kuid_t puid;
+       if (!sysctl_protected_symlinks)
+               return 0;
+@@ -916,7 +917,8 @@ static inline int may_follow_link(struct
+               return 0;
+       /* Allowed if parent directory and link owner match. */
+-      if (uid_eq(parent->i_uid, inode->i_uid))
++      puid = parent->i_uid;
++      if (uid_valid(puid) && uid_eq(puid, inode->i_uid))
+               return 0;
+       if (nd->flags & LOOKUP_RCU)
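Review bot: The comment `/* Allowed if parent directory and link owner match. */` is now incomplete, because the line below it additionally requires the parent's uid to be valid; I would change it to `/* Allowed if parent directory and link owner match (and the parent owner is a valid, mapped uid). */`. The rationale from the commit message — two unmapped owners both collapsing to INVALID_UID and satisfying uid_eq() — belongs at the check, e.g. `/* uid_eq() matches two INVALID_UIDs, so an unmapped parent owner must never pass this rule */`. The first hunk only adds the `kuid_t puid;` declaration, so this is the hunk worth reviewing. may_follow_link() begins before the first hunk and continues after the second, so the remaining exit paths cannot be judged here.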
diff --git a/queue-4.7/kernel-add-noaudit-variant-of-ns_capable.patch b/queue-4.7/kernel-add-noaudit-variant-of-ns_capable.patch
new file mode 100644 (file)
index 0000000..d37de6b
--- /dev/null
@@ -0,0 +1,115 @@
+From 98f368e9e2630a3ce3e80fb10fb2e02038cf9578 Mon Sep 17 00:00:00 2001
+From: Tyler Hicks <tyhicks@canonical.com>
+Date: Thu, 2 Jun 2016 23:43:21 -0500
+Subject: kernel: Add noaudit variant of ns_capable()
+
+From: Tyler Hicks <tyhicks@canonical.com>
+
+commit 98f368e9e2630a3ce3e80fb10fb2e02038cf9578 upstream.
+
+When checking the current cred for a capability in a specific user
+namespace, it isn't always desirable to have the LSMs audit the check.
+This patch adds a noaudit variant of ns_capable() for when those
+situations arise.
+
+The common logic between ns_capable() and the new ns_capable_noaudit()
+is moved into a single, shared function to keep duplicated code to a
+minimum and ease maintainability.
+
+Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
+Signed-off-by: James Morris <james.l.morris@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/capability.h |    5 ++++
+ kernel/capability.c        |   46 +++++++++++++++++++++++++++++++++++----------
+ 2 files changed, 41 insertions(+), 10 deletions(-)
+
+--- a/include/linux/capability.h
++++ b/include/linux/capability.h
+@@ -206,6 +206,7 @@ extern bool has_ns_capability_noaudit(st
+                                     struct user_namespace *ns, int cap);
+ extern bool capable(int cap);
+ extern bool ns_capable(struct user_namespace *ns, int cap);
++extern bool ns_capable_noaudit(struct user_namespace *ns, int cap);
+ #else
+ static inline bool has_capability(struct task_struct *t, int cap)
+ {
+@@ -233,6 +234,10 @@ static inline bool ns_capable(struct use
+ {
+       return true;
+ }
++static inline bool ns_capable_noaudit(struct user_namespace *ns, int cap)
++{
++      return true;
++}
+ #endif /* CONFIG_MULTIUSER */
+ extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap);
+ extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap);
+--- a/kernel/capability.c
++++ b/kernel/capability.c
+@@ -361,6 +361,24 @@ bool has_capability_noaudit(struct task_
+       return has_ns_capability_noaudit(t, &init_user_ns, cap);
+ }
++static bool ns_capable_common(struct user_namespace *ns, int cap, bool audit)
++{
++      int capable;
++
++      if (unlikely(!cap_valid(cap))) {
++              pr_crit("capable() called with invalid cap=%u\n", cap);
++              BUG();
++      }
++
++      capable = audit ? security_capable(current_cred(), ns, cap) :
++                        security_capable_noaudit(current_cred(), ns, cap);
++      if (capable == 0) {
++              current->flags |= PF_SUPERPRIV;
++              return true;
++      }
++      return false;
++}
++
+ /**
+  * ns_capable - Determine if the current task has a superior capability in effect
+  * @ns:  The usernamespace we want the capability in
+@@ -374,19 +392,27 @@ bool has_capability_noaudit(struct task_
+  */
+ bool ns_capable(struct user_namespace *ns, int cap)
+ {
+-      if (unlikely(!cap_valid(cap))) {
+-              pr_crit("capable() called with invalid cap=%u\n", cap);
+-              BUG();
+-      }
+-
+-      if (security_capable(current_cred(), ns, cap) == 0) {
+-              current->flags |= PF_SUPERPRIV;
+-              return true;
+-      }
+-      return false;
++      return ns_capable_common(ns, cap, true);
+ }
+ EXPORT_SYMBOL(ns_capable);
++/**
++ * ns_capable_noaudit - Determine if the current task has a superior capability
++ * (unaudited) in effect
++ * @ns:  The usernamespace we want the capability in
++ * @cap: The capability to be tested for
++ *
++ * Return true if the current task has the given superior capability currently
++ * available for use, false if not.
++ *
++ * This sets PF_SUPERPRIV on the task if the capability is available on the
++ * assumption that it's about to be used.
++ */
++bool ns_capable_noaudit(struct user_namespace *ns, int cap)
++{
++      return ns_capable_common(ns, cap, false);
++}
++EXPORT_SYMBOL(ns_capable_noaudit);
+ /**
+  * capable - Determine if the current task has a superior capability in effect
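Review bot: In ns_capable_common() the local `int capable;` shadows the function `capable(int cap)` declared in include/linux/capability.h (visible in this same patch as `extern bool capable(int cap);`), which -Wshadow would flag and which makes `if (capable == 0)` read as a call test; I would rename it: `int ret;` … `ret = audit ? security_capable(current_cred(), ns, cap) :` `security_capable_noaudit(current_cred(), ns, cap);` and `if (ret == 0) {`. The kernel-doc added for ns_capable_noaudit() mentions the difference only as "(unaudited)" in its title; because choosing this variant removes LSM audit visibility for denials, I would add a sentence to that block stating that a denial is not reported to the LSM audit path, so it is intended for checks whose failure is not a policy violation (such as permission probing), with ns_capable() remaining the default. The header block also documents that PF_SUPERPRIV is still set on success, which matches ns_capable_common() and is worth keeping.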
diff --git a/queue-4.7/net-use-ns_capable_noaudit-when-determining-net-sysctl-permissions.patch b/queue-4.7/net-use-ns_capable_noaudit-when-determining-net-sysctl-permissions.patch
new file mode 100644 (file)
index 0000000..40ae227
--- /dev/null
@@ -0,0 +1,42 @@
+From d6e0d306449bcb5fa3c80e7a3edf11d45abf9ae9 Mon Sep 17 00:00:00 2001
+From: Tyler Hicks <tyhicks@canonical.com>
+Date: Thu, 2 Jun 2016 23:43:22 -0500
+Subject: net: Use ns_capable_noaudit() when determining net sysctl permissions
+
+From: Tyler Hicks <tyhicks@canonical.com>
+
+commit d6e0d306449bcb5fa3c80e7a3edf11d45abf9ae9 upstream.
+
+The capability check should not be audited since it is only being used
+to determine the inode permissions. A failed check does not indicate a
+violation of security policy but, when an LSM is enabled, a denial audit
+message was being generated.
+
+The denial audit message caused confusion for some application authors
+because root-running Go applications always triggered the denial. To
+prevent this confusion, the capability check in net_ctl_permissions() is
+switched to the noaudit variant.
+
+BugLink: https://launchpad.net/bugs/1465724
+
+Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
+Signed-off-by: James Morris <james.l.morris@oracle.com>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sysctl_net.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sysctl_net.c
++++ b/net/sysctl_net.c
+@@ -46,7 +46,7 @@ static int net_ctl_permissions(struct ct
+       kgid_t root_gid = make_kgid(net->user_ns, 0);
+       /* Allow network administrator to have same access as root. */
+-      if (ns_capable(net->user_ns, CAP_NET_ADMIN) ||
++      if (ns_capable_noaudit(net->user_ns, CAP_NET_ADMIN) ||
+           uid_eq(root_uid, current_euid())) {
+               int mode = (table->mode >> 6) & 7;
+               return (mode << 6) | (mode << 3) | mode;
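Review bot: The switch to `ns_capable_noaudit()` leaves no trace in net_ctl_permissions() of why this particular check must not be audited; the rationale exists only in the commit message, and the next reader may "correct" it back to ns_capable(). I would extend the existing comment: `/* Allow network administrator to have same access as root. This only computes permission bits, so a failed check is not a policy violation and must not be audited. */`. Going by the sibling patch in this series, the noaudit variant still sets PF_SUPERPRIV on success, so this probe is not entirely side-effect free — worth confirming that is acceptable for a permission query. net_ctl_permissions() begins before and ends after the lines shown.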
index fd01cc0b1730999c51845e9473ae10f2883346bd..43d702ba9800ad1e9a99784757d17a5a12f8e162 100644 (file)
@@ -1 +1,6 @@
 revert-floppy-refactor-open-flags-handling.patch
+apparmor-fix-refcount-race-when-finding-a-child-profile.patch
+kernel-add-noaudit-variant-of-ns_capable.patch
+net-use-ns_capable_noaudit-when-determining-net-sysctl-permissions.patch
+fs-check-for-invalid-i_uid-in-may_follow_link.patch
+cred-reject-inodes-with-invalid-ids-in-set_create_file_as.patch