From: Greg Kroah-Hartman Date: Fri, 9 Sep 2016 13:47:52 +0000 (+0200) Subject: 4.7-stable patches X-Git-Tag: v3.14.79~15 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=004e9798dd47b79d953fd5ce4a92d968bc1fe784;p=thirdparty%2Fkernel%2Fstable-queue.git 4.7-stable patches added patches: apparmor-fix-refcount-race-when-finding-a-child-profile.patch cred-reject-inodes-with-invalid-ids-in-set_create_file_as.patch fs-check-for-invalid-i_uid-in-may_follow_link.patch kernel-add-noaudit-variant-of-ns_capable.patch net-use-ns_capable_noaudit-when-determining-net-sysctl-permissions.patch --- diff --git a/queue-4.7/apparmor-fix-refcount-race-when-finding-a-child-profile.patch b/queue-4.7/apparmor-fix-refcount-race-when-finding-a-child-profile.patch new file mode 100644 index 00000000000..4a95a5e7bb5 --- /dev/null +++ b/queue-4.7/apparmor-fix-refcount-race-when-finding-a-child-profile.patch 
@@ -0,0 +1,37 @@ +From de7c4cc947f9f56f61520ee7edaf380434a98c8d Mon Sep 17 00:00:00 2001 +From: John Johansen +Date: Wed, 16 Dec 2015 18:09:10 -0800 +Subject: apparmor: fix refcount race when finding a child profile + +From: John Johansen + +commit de7c4cc947f9f56f61520ee7edaf380434a98c8d upstream. + +When finding a child profile via an rcu critical section, the profile +may be put and scheduled for deletion after the child is found but +before its refcount is incremented. + +Protect against this by repeating the lookup if the profiles refcount +is 0 and is one its way to deletion. + +Signed-off-by: John Johansen +Acked-by: Seth Arnold +Signed-off-by: Greg Kroah-Hartman + +--- + security/apparmor/policy.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/security/apparmor/policy.c ++++ b/security/apparmor/policy.c +@@ -766,7 +766,9 @@ struct aa_profile *aa_find_child(struct + struct aa_profile *profile; + + rcu_read_lock(); +- profile = aa_get_profile(__find_child(&parent->base.profiles, name)); ++ do { ++ profile = __find_child(&parent->base.profiles, name); ++ } while (profile && !aa_get_profile_not0(profile)); + rcu_read_unlock(); + + /* refcount released by caller */ diff --git a/queue-4.7/cred-reject-inodes-with-invalid-ids-in-set_create_file_as.patch b/queue-4.7/cred-reject-inodes-with-invalid-ids-in-set_create_file_as.patch new file mode 100644 index 00000000000..cf429d1bcb6 --- /dev/null +++ b/queue-4.7/cred-reject-inodes-with-invalid-ids-in-set_create_file_as.patch 
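Review bot: The new `do { } while (profile && !aa_get_profile_not0(profile))` loop in aa_find_child has no comment saying why a second lookup is needed or what bounds it; add `/* A child found under RCU may already have dropped to refcount 0 and be queued for deletion; re-walk the list until we either take a reference or the name is gone. */` above the `do`. Termination appears to rely on `__find_child()` no longer returning a profile whose count has reached zero on the next traversal (i.e. the list reference being dropped only after the entry is unlinked); if that ordering does not hold the loop spins under rcu_read_lock(), so it is worth stating that assumption in the comment. The prologue and return of aa_find_child lie outside the hunk.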
@@ -0,0 +1,33 @@ +From 5f65e5ca286126a60f62c8421b77c2018a482b8a Mon Sep 17 00:00:00 2001 +From: Seth Forshee +Date: Tue, 26 Apr 2016 14:36:24 -0500 +Subject: cred: Reject inodes with invalid ids in set_create_file_as() + +From: Seth Forshee + +commit 5f65e5ca286126a60f62c8421b77c2018a482b8a upstream. + +Using INVALID_[UG]ID for the LSM file creation context doesn't +make sense, so return an error if the inode passed to +set_create_file_as() has an invalid id. + +Signed-off-by: Seth Forshee +Acked-by: Serge Hallyn +Signed-off-by: Eric W. Biederman +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/cred.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/kernel/cred.c ++++ b/kernel/cred.c +@@ -689,6 +689,8 @@ EXPORT_SYMBOL(set_security_override_from + */ + int set_create_files_as(struct cred *new, struct inode *inode) + { ++ if (!uid_valid(inode->i_uid) || !gid_valid(inode->i_gid)) ++ return -EINVAL; + new->fsuid = inode->i_uid; + new->fsgid = inode->i_gid; + return security_kernel_create_files_as(new, inode); diff --git a/queue-4.7/fs-check-for-invalid-i_uid-in-may_follow_link.patch b/queue-4.7/fs-check-for-invalid-i_uid-in-may_follow_link.patch new file mode 100644 index 00000000000..ae6849370eb --- /dev/null +++ b/queue-4.7/fs-check-for-invalid-i_uid-in-may_follow_link.patch 
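Review bot: The kernel-doc block that closes with the ` */` at the top of the hunk does not describe the new failure mode of set_create_files_as(), so callers cannot see from the documentation that the function can now fail before touching `new`; add a line such as `* Returns 0 on success or -EINVAL if the inode carries an invalid (unmapped) uid or gid.` to that comment. Because the assignment to `new->fsuid`/`new->fsgid` was previously unconditional, every caller now needs to check the return value; those callers are not on this page and should be confirmed separately.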
@@ -0,0 +1,45 @@ +From 2d7f9e2ad35e4e7a3086231f19bfab33c6a8a64a Mon Sep 17 00:00:00 2001 +From: Seth Forshee +Date: Tue, 26 Apr 2016 14:36:23 -0500 +Subject: fs: Check for invalid i_uid in may_follow_link() + +From: Seth Forshee + +commit 2d7f9e2ad35e4e7a3086231f19bfab33c6a8a64a upstream. + +Filesystem uids which don't map into a user namespace may result +in inode->i_uid being INVALID_UID. A symlink and its parent +could have different owners in the filesystem can both get +mapped to INVALID_UID, which may result in following a symlink +when this would not have otherwise been permitted when protected +symlinks are enabled. + +Signed-off-by: Seth Forshee +Acked-by: Serge Hallyn +Signed-off-by: Eric W. Biederman +Signed-off-by: Greg Kroah-Hartman + +--- + fs/namei.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -901,6 +901,7 @@ static inline int may_follow_link(struct + { + const struct inode *inode; + const struct inode *parent; ++ kuid_t puid; + + if (!sysctl_protected_symlinks) + return 0; +@@ -916,7 +917,8 @@ static inline int may_follow_link(struct + return 0; + + /* Allowed if parent directory and link owner match. */ +- if (uid_eq(parent->i_uid, inode->i_uid)) ++ puid = parent->i_uid; ++ if (uid_valid(puid) && uid_eq(puid, inode->i_uid)) + return 0; + + if (nd->flags & LOOKUP_RCU) diff --git a/queue-4.7/kernel-add-noaudit-variant-of-ns_capable.patch b/queue-4.7/kernel-add-noaudit-variant-of-ns_capable.patch new file mode 100644 index 00000000000..d37de6b3979 --- /dev/null +++ b/queue-4.7/kernel-add-noaudit-variant-of-ns_capable.patch 
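Review bot: The comment `/* Allowed if parent directory and link owner match. */` no longer explains the whole condition, since the new code also rejects a parent whose owner is INVALID_UID; extend it to `/* Allowed if parent directory and link owner match; an unmapped (INVALID_UID) owner is never treated as a match, otherwise two unmapped owners would compare equal. */`. The `puid` local is only read twice, so `if (uid_valid(parent->i_uid) && uid_eq(parent->i_uid, inode->i_uid))` would avoid the new declaration, though either form is fine. may_follow_link begins and ends outside the hunk, so the other owner/follower comparisons in it could not be reviewed here.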
@@ -0,0 +1,115 @@ +From 98f368e9e2630a3ce3e80fb10fb2e02038cf9578 Mon Sep 17 00:00:00 2001 +From: Tyler Hicks +Date: Thu, 2 Jun 2016 23:43:21 -0500 +Subject: kernel: Add noaudit variant of ns_capable() + +From: Tyler Hicks + +commit 98f368e9e2630a3ce3e80fb10fb2e02038cf9578 upstream. + +When checking the current cred for a capability in a specific user +namespace, it isn't always desirable to have the LSMs audit the check. +This patch adds a noaudit variant of ns_capable() for when those +situations arise. + +The common logic between ns_capable() and the new ns_capable_noaudit() +is moved into a single, shared function to keep duplicated code to a +minimum and ease maintainability. + +Signed-off-by: Tyler Hicks +Acked-by: Serge E. Hallyn +Signed-off-by: James Morris +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/capability.h | 5 ++++ + kernel/capability.c | 46 +++++++++++++++++++++++++++++++++++---------- + 2 files changed, 41 insertions(+), 10 deletions(-) + +--- a/include/linux/capability.h ++++ b/include/linux/capability.h +@@ -206,6 +206,7 @@ extern bool has_ns_capability_noaudit(st + struct user_namespace *ns, int cap); + extern bool capable(int cap); + extern bool ns_capable(struct user_namespace *ns, int cap); ++extern bool ns_capable_noaudit(struct user_namespace *ns, int cap); + #else + static inline bool has_capability(struct task_struct *t, int cap) + { +@@ -233,6 +234,10 @@ static inline bool ns_capable(struct use + { + return true; + } ++static inline bool ns_capable_noaudit(struct user_namespace *ns, int cap) ++{ ++ return true; ++} + #endif /* CONFIG_MULTIUSER */ + extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap); + extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap); +--- a/kernel/capability.c ++++ b/kernel/capability.c +@@ -361,6 +361,24 @@ bool has_capability_noaudit(struct task_ + return has_ns_capability_noaudit(t, &init_user_ns, cap); + } + 
++static bool ns_capable_common(struct user_namespace *ns, int cap, bool audit) ++{ ++ int capable; ++ ++ if (unlikely(!cap_valid(cap))) { ++ pr_crit("capable() called with invalid cap=%u\n", cap); ++ BUG(); ++ } ++ ++ capable = audit ? security_capable(current_cred(), ns, cap) : ++ security_capable_noaudit(current_cred(), ns, cap); ++ if (capable == 0) { ++ current->flags |= PF_SUPERPRIV; ++ return true; ++ } ++ return false; ++} ++ + /** + * ns_capable - Determine if the current task has a superior capability in effect + * @ns: The usernamespace we want the capability in +@@ -374,19 +392,27 @@ bool has_capability_noaudit(struct task_ + */ + bool ns_capable(struct user_namespace *ns, int cap) + { +- if (unlikely(!cap_valid(cap))) { +- pr_crit("capable() called with invalid cap=%u\n", cap); +- BUG(); +- } +- +- if (security_capable(current_cred(), ns, cap) == 0) { +- current->flags |= PF_SUPERPRIV; +- return true; +- } +- return false; ++ return ns_capable_common(ns, cap, true); + } + EXPORT_SYMBOL(ns_capable); + ++/** ++ * ns_capable_noaudit - Determine if the current task has a superior capability ++ * (unaudited) in effect ++ * @ns: The usernamespace we want the capability in ++ * @cap: The capability to be tested for ++ * ++ * Return true if the current task has the given superior capability currently ++ * available for use, false if not. ++ * ++ * This sets PF_SUPERPRIV on the task if the capability is available on the ++ * assumption that it's about to be used. ++ */ ++bool ns_capable_noaudit(struct user_namespace *ns, int cap) ++{ ++ return ns_capable_common(ns, cap, false); ++} ++EXPORT_SYMBOL(ns_capable_noaudit); + + /** + * capable - Determine if the current task has a superior capability in effect diff --git a/queue-4.7/net-use-ns_capable_noaudit-when-determining-net-sysctl-permissions.patch b/queue-4.7/net-use-ns_capable_noaudit-when-determining-net-sysctl-permissions.patch new file mode 100644 index 00000000000..40ae2277517 --- /dev/null 
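Review bot: In the new ns_capable_common() the local `int capable;` shadows the `capable()` function that the same series declares in include/linux/capability.h (`extern bool capable(int cap);` in the header hunk), which compiles but trips -Wshadow and reads oddly next to the `capable - Determine if ...` kernel-doc a few lines below; rename it, e.g. `int ret;`, `ret = audit ? security_capable(current_cred(), ns, cap) : security_capable_noaudit(current_cred(), ns, cap);`, `if (ret == 0) {`. The helper also has no comment for its third argument; a one-liner such as `/* @audit: false to skip LSM audit logging of a denied check */` above the function would make the two public wrappers self-explanatory. The `pr_crit()` message and its `%u` for an `int` are carried over from the old ns_capable body rather than introduced here, but the message now names `capable()` for calls that originate in ns_capable() and ns_capable_noaudit().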
+++ b/queue-4.7/net-use-ns_capable_noaudit-when-determining-net-sysctl-permissions.patch @@ -0,0 +1,42 @@ +From d6e0d306449bcb5fa3c80e7a3edf11d45abf9ae9 Mon Sep 17 00:00:00 2001 +From: Tyler Hicks +Date: Thu, 2 Jun 2016 23:43:22 -0500 +Subject: net: Use ns_capable_noaudit() when determining net sysctl permissions + +From: Tyler Hicks + +commit d6e0d306449bcb5fa3c80e7a3edf11d45abf9ae9 upstream. + +The capability check should not be audited since it is only being used +to determine the inode permissions. A failed check does not indicate a +violation of security policy but, when an LSM is enabled, a denial audit +message was being generated. + +The denial audit message caused confusion for some application authors +because root-running Go applications always triggered the denial. To +prevent this confusion, the capability check in net_ctl_permissions() is +switched to the noaudit variant. + +BugLink: https://launchpad.net/bugs/1465724 + +Signed-off-by: Tyler Hicks +Acked-by: Serge E. Hallyn +Signed-off-by: James Morris +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman + +--- + net/sysctl_net.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sysctl_net.c ++++ b/net/sysctl_net.c +@@ -46,7 +46,7 @@ static int net_ctl_permissions(struct ct + kgid_t root_gid = make_kgid(net->user_ns, 0); + + /* Allow network administrator to have same access as root. */ +- if (ns_capable(net->user_ns, CAP_NET_ADMIN) || ++ if (ns_capable_noaudit(net->user_ns, CAP_NET_ADMIN) || + uid_eq(root_uid, current_euid())) { + int mode = (table->mode >> 6) & 7; + return (mode << 6) | (mode << 3) | mode; diff --git a/queue-4.7/series b/queue-4.7/series index fd01cc0b173..43d702ba980 100644 --- a/queue-4.7/series +++ b/queue-4.7/series 
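Review bot: The reason for using the unaudited check lives only in the commit message; the code comment `/* Allow network administrator to have same access as root. */` should say why no audit record is wanted, e.g. `/* Allow network administrator to have same access as root. This only computes permission bits, so a failed check is not a policy violation and is not audited. */`. Note that ns_capable_noaudit() as added in the sibling patch still sets PF_SUPERPRIV on success, so switching variants changes only the LSM audit path and not the task flag side effect, which matches the previous ns_capable() behaviour. net_ctl_permissions starts and ends outside the hunk.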
@@ -1 +1,6 @@
 revert-floppy-refactor-open-flags-handling.patch
+apparmor-fix-refcount-race-when-finding-a-child-profile.patch
+kernel-add-noaudit-variant-of-ns_capable.patch
+net-use-ns_capable_noaudit-when-determining-net-sysctl-permissions.patch
+fs-check-for-invalid-i_uid-in-may_follow_link.patch
+cred-reject-inodes-with-invalid-ids-in-set_create_file_as.patch