From: Greg Kroah-Hartman Date: Thu, 30 Jul 2015 19:53:16 +0000 (-0700) Subject: 4.1-stable patches X-Git-Tag: v4.1.4~27 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=368808adae5f9531604eb300614fb4572efb8349;p=thirdparty%2Fkernel%2Fstable-queue.git 4.1-stable patches added patches: evm-labeling-pseudo-filesystems-exception.patch ima-add-support-for-new-euid-policy-condition.patch ima-cleanup-ima_init_policy-a-little.patch ima-do-not-measure-or-appraise-the-nsfs-filesystem.patch ima-extend-mask-policy-matching-support.patch ima-fix-ima_show_template_data_ascii.patch ima-skip-measurement-of-cgroupfs-files-and-update-documentation.patch ima-update-builtin-policies.patch keys-ensure-we-free-the-assoc-array-edit-if-edit-is-valid.patch keys-fix-ca_keys-partial-key-matching.patch
---
diff --git a/queue-4.1/evm-labeling-pseudo-filesystems-exception.patch b/queue-4.1/evm-labeling-pseudo-filesystems-exception.patch
new file mode 100644
index 00000000000..69d3a1b7f36
--- /dev/null
+++ b/queue-4.1/evm-labeling-pseudo-filesystems-exception.patch
@@ -0,0 +1,44 @@
+From 5101a1850bb7ccbf107929dee9af0cd2f400940f Mon Sep 17 00:00:00 2001
+From: Mimi Zohar
+Date: Tue, 21 Apr 2015 13:59:31 -0400
+Subject: evm: labeling pseudo filesystems exception
+
+From: Mimi Zohar
+
+commit 5101a1850bb7ccbf107929dee9af0cd2f400940f upstream.
+
+To prevent offline stripping of existing file xattrs and relabeling of
+them at runtime, EVM allows only newly created files to be labeled. As
+pseudo filesystems are not persistent, stripping of xattrs is not a
+concern.
+
+Some LSMs defer file labeling on pseudo filesystems. This patch
+permits the labeling of existing files on pseudo files systems.
+
+Signed-off-by: Mimi Zohar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/integrity/evm/evm_main.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/security/integrity/evm/evm_main.c
++++ b/security/integrity/evm/evm_main.c
+@@ -296,6 +296,17 @@ static int evm_protect_xattr(struct dent
+ iint = integrity_iint_find(d_backing_inode(dentry));
+ if (iint && (iint->flags & IMA_NEW_FILE))
+ return 0;
++
++ /* exception for pseudo filesystems */
++ if (dentry->d_inode->i_sb->s_magic == TMPFS_MAGIC
++ || dentry->d_inode->i_sb->s_magic == SYSFS_MAGIC)
++ return 0;
++
++ integrity_audit_msg(AUDIT_INTEGRITY_METADATA,
++ dentry->d_inode, dentry->d_name.name,
++ "update_metadata",
++ integrity_status_msg[evm_status],
++ -EPERM, 0);
+ }
+ out:
+ if (evm_status != INTEGRITY_PASS)
diff --git a/queue-4.1/ima-add-support-for-new-euid-policy-condition.patch b/queue-4.1/ima-add-support-for-new-euid-policy-condition.patch
new file mode 100644
index 00000000000..bb1029012b1
--- /dev/null
+++ b/queue-4.1/ima-add-support-for-new-euid-policy-condition.patch
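Review bot: The new pseudo-filesystem exception reads `dentry->d_inode->i_sb->s_magic` while the line directly above it looks the iint up through `d_backing_inode(dentry)`; that helper exists so the two inodes may diverge on stacked filesystems, so the exception can end up testing a different superblock than the one whose iint was just checked. Take `struct inode *inode = d_backing_inode(dentry);` once and use `inode->i_sb->s_magic` in both comparisons and `inode` in the `integrity_audit_msg()` call that follows. The comment `/* exception for pseudo filesystems */` would be more useful if it gave the reason from the commit text, e.g. `/* non-persistent filesystems: offline xattr stripping is not a concern, so allow relabeling */`, since the early return also skips the audit record emitted below it. evm_protect_xattr() begins and ends outside this hunk.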
@@ -0,0 +1,118 @@ +From 139069eff7388407f19794384c42a534d618ccd7 Mon Sep 17 00:00:00 2001 +From: Mimi Zohar +Date: Wed, 5 Nov 2014 07:48:36 -0500 +Subject: ima: add support for new "euid" policy condition + +From: Mimi Zohar + +commit 139069eff7388407f19794384c42a534d618ccd7 upstream. + +The new "euid" policy condition measures files with the specified +effective uid (euid). In addition, for CAP_SETUID files it measures +files with the specified uid or suid. + +Changelog: +- fixed checkpatch.pl warnings +- fixed avc denied {setuid} messages - based on Roberto's feedback + +Signed-off-by: Mimi Zohar +Signed-off-by: Dr. Greg Wettstein +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/ABI/testing/ima_policy | 3 ++- + security/integrity/ima/ima_policy.c | 27 +++++++++++++++++++++++---- + 2 files changed, 25 insertions(+), 5 deletions(-) + +--- a/Documentation/ABI/testing/ima_policy ++++ b/Documentation/ABI/testing/ima_policy +@@ -20,7 +20,7 @@ Description: + action: measure | dont_measure | appraise | dont_appraise | audit + condition:= base | lsm [option] + base: [[func=] [mask=] [fsmagic=] [fsuuid=] [uid=] +- [fowner]] ++ [euid=] [fowner=]] + lsm: [[subj_user=] [subj_role=] [subj_type=] + [obj_user=] [obj_role=] [obj_type=]] + option: [[appraise_type=]] [permit_directio] +@@ -31,6 +31,7 @@ Description: + fsmagic:= hex value + fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6) + uid:= decimal value ++ euid:= decimal value + fowner:=decimal value + lsm: are LSM specific + option: appraise_type:= [imasig] +--- a/security/integrity/ima/ima_policy.c ++++ b/security/integrity/ima/ima_policy.c +@@ -27,6 +27,7 @@ + #define IMA_UID 0x0008 + #define IMA_FOWNER 0x0010 + #define IMA_FSUUID 0x0020 ++#define IMA_EUID 0x0080 + + #define UNKNOWN 0 + #define MEASURE 0x0001 /* same as IMA_MEASURE */ +@@ -194,6 +195,16 @@ static bool ima_match_rules(struct ima_r + return false; + if ((rule->flags & IMA_UID) && !uid_eq(rule->uid, cred->uid)) + return false; ++ 
if (rule->flags & IMA_EUID) { ++ if (has_capability_noaudit(current, CAP_SETUID)) { ++ if (!uid_eq(rule->uid, cred->euid) ++ && !uid_eq(rule->uid, cred->suid) ++ && !uid_eq(rule->uid, cred->uid)) ++ return false; ++ } else if (!uid_eq(rule->uid, cred->euid)) ++ return false; ++ } ++ + if ((rule->flags & IMA_FOWNER) && !uid_eq(rule->fowner, inode->i_uid)) + return false; + for (i = 0; i < MAX_LSM_RULES; i++) { +@@ -373,7 +384,8 @@ enum { + Opt_audit, + Opt_obj_user, Opt_obj_role, Opt_obj_type, + Opt_subj_user, Opt_subj_role, Opt_subj_type, +- Opt_func, Opt_mask, Opt_fsmagic, Opt_uid, Opt_fowner, ++ Opt_func, Opt_mask, Opt_fsmagic, ++ Opt_uid, Opt_euid, Opt_fowner, + Opt_appraise_type, Opt_fsuuid, Opt_permit_directio + }; + +@@ -394,6 +406,7 @@ static match_table_t policy_tokens = { + {Opt_fsmagic, "fsmagic=%s"}, + {Opt_fsuuid, "fsuuid=%s"}, + {Opt_uid, "uid=%s"}, ++ {Opt_euid, "euid=%s"}, + {Opt_fowner, "fowner=%s"}, + {Opt_appraise_type, "appraise_type=%s"}, + {Opt_permit_directio, "permit_directio"}, +@@ -566,6 +579,9 @@ static int ima_parse_rule(char *rule, st + break; + case Opt_uid: + ima_log_string(ab, "uid", args[0].from); ++ case Opt_euid: ++ if (token == Opt_euid) ++ ima_log_string(ab, "euid", args[0].from); + + if (uid_valid(entry->uid)) { + result = -EINVAL; +@@ -574,11 +590,14 @@ static int ima_parse_rule(char *rule, st + + result = kstrtoul(args[0].from, 10, &lnum); + if (!result) { +- entry->uid = make_kuid(current_user_ns(), (uid_t)lnum); +- if (!uid_valid(entry->uid) || (((uid_t)lnum) != lnum)) ++ entry->uid = make_kuid(current_user_ns(), ++ (uid_t) lnum); ++ if (!uid_valid(entry->uid) || ++ (uid_t)lnum != lnum) + result = -EINVAL; + else +- entry->flags |= IMA_UID; ++ entry->flags |= (token == Opt_uid) ++ ? IMA_UID : IMA_EUID; + } + break; + case Opt_fowner: diff --git a/queue-4.1/ima-cleanup-ima_init_policy-a-little.patch b/queue-4.1/ima-cleanup-ima_init_policy-a-little.patch new file mode 100644 index 00000000000..4300d81e77c --- /dev/null 
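Review bot: In ima_parse_rule() the new `case Opt_euid:` label is reached by fall-through from `case Opt_uid:`, whose `ima_log_string(ab, "uid", args[0].from);` has no `break` after it, and the fall-through is unmarked; the `if (token == Opt_euid)` guard shows it is deliberate, so add `/* fallthrough */` between the two labels so neither -Wimplicit-fallthrough nor the next reader mistakes it for a bug. On the matching side in ima_match_rules(), when the task holds CAP_SETUID the rule passes if `rule->uid` equals the euid, the suid or the uid, so a rule written as `euid=N` can also match a process whose effective uid is not N; the ABI line added here (`euid:= decimal value`) should mention that widening. Both functions start and end outside this hunk.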
+++ b/queue-4.1/ima-cleanup-ima_init_policy-a-little.patch
@@ -0,0 +1,43 @@
+From 5577857f8e26e9027271f10daf96361640907300 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Tue, 7 Apr 2015 12:22:11 +0300
+Subject: ima: cleanup ima_init_policy() a little
+
+From: Dan Carpenter
+
+commit 5577857f8e26e9027271f10daf96361640907300 upstream.
+
+It's a bit easier to read this if we split it up into two for loops.
+
+Signed-off-by: Dan Carpenter
+Signed-off-by: Mimi Zohar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/integrity/ima/ima_policy.c | 14 +++++--------
+ 1 file changed, 5 insertions(+), 9 deletions(-)
+
+--- a/security/integrity/ima/ima_policy.c
++++ b/security/integrity/ima/ima_policy.c
+@@ -340,16 +340,12 @@ void __init ima_init_policy(void)
+ appraise_entries = ima_use_appraise_tcb ?
+ ARRAY_SIZE(default_appraise_rules) : 0;
+
+- for (i = 0; i < measure_entries + appraise_entries; i++) {
+- if (i < measure_entries)
+- list_add_tail(&default_rules[i].list,
+- &ima_default_rules);
+- else {
+- int j = i - measure_entries;
++ for (i = 0; i < measure_entries; i++)
++ list_add_tail(&default_rules[i].list, &ima_default_rules);
+
+- list_add_tail(&default_appraise_rules[j].list,
+- &ima_default_rules);
+- }
++ for (i = 0; i < appraise_entries; i++) {
++ list_add_tail(&default_appraise_rules[i].list,
++ &ima_default_rules);
+ }
+
+ ima_rules = &ima_default_rules;
diff --git a/queue-4.1/ima-do-not-measure-or-appraise-the-nsfs-filesystem.patch b/queue-4.1/ima-do-not-measure-or-appraise-the-nsfs-filesystem.patch
new file mode 100644
index 00000000000..64f86657f42
--- /dev/null
+++ b/queue-4.1/ima-do-not-measure-or-appraise-the-nsfs-filesystem.patch
@@ -0,0 +1,53 @@ +From cd025f7f94108995383edddfb61fc8afea6c66a9 Mon Sep 17 00:00:00 2001 +From: Mimi Zohar +Date: Tue, 21 Apr 2015 16:54:24 -0400 +Subject: ima: do not measure or appraise the NSFS filesystem + +From: Mimi Zohar + +commit cd025f7f94108995383edddfb61fc8afea6c66a9 upstream. + +Include don't appraise or measure rules for the NSFS filesystem +in the builtin ima_tcb and ima_appraise_tcb policies. + +Changelog: +- Update documentation + +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/ABI/testing/ima_policy | 3 +++ + security/integrity/ima/ima_policy.c | 2 ++ + 2 files changed, 5 insertions(+) + +--- a/Documentation/ABI/testing/ima_policy ++++ b/Documentation/ABI/testing/ima_policy +@@ -65,6 +65,9 @@ Description: + # CGROUP_SUPER_MAGIC + dont_measure fsmagic=0x27e0eb + dont_appraise fsmagic=0x27e0eb ++ # NSFS_MAGIC ++ dont_measure fsmagic=0x6e736673 ++ dont_appraise fsmagic=0x6e736673 + + measure func=BPRM_CHECK + measure func=FILE_MMAP mask=MAY_EXEC +--- a/security/integrity/ima/ima_policy.c ++++ b/security/integrity/ima/ima_policy.c +@@ -81,6 +81,7 @@ static struct ima_rule_entry default_rul + {.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC}, + {.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC, + .flags = IMA_FSMAGIC}, ++ {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}, + {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC, + .flags = IMA_FUNC | IMA_MASK}, + {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC, +@@ -101,6 +102,7 @@ static struct ima_rule_entry default_app + {.action = DONT_APPRAISE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC}, + {.action = DONT_APPRAISE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC}, + {.action = DONT_APPRAISE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC}, ++ {.action = DONT_APPRAISE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}, + {.action = DONT_APPRAISE, .fsmagic = CGROUP_SUPER_MAGIC, .flags = IMA_FSMAGIC}, + 
#ifndef CONFIG_IMA_APPRAISE_SIGNED_INIT + {.action = APPRAISE, .fowner = GLOBAL_ROOT_UID, .flags = IMA_FOWNER}, diff --git a/queue-4.1/ima-extend-mask-policy-matching-support.patch b/queue-4.1/ima-extend-mask-policy-matching-support.patch new file mode 100644 index 00000000000..5febcb4d44d --- /dev/null +++ b/queue-4.1/ima-extend-mask-policy-matching-support.patch 
@@ -0,0 +1,92 @@ +From 4351c294b8c1028077280f761e158d167b592974 Mon Sep 17 00:00:00 2001 +From: Mimi Zohar +Date: Wed, 5 Nov 2014 07:53:55 -0500 +Subject: ima: extend "mask" policy matching support + +From: Mimi Zohar + +commit 4351c294b8c1028077280f761e158d167b592974 upstream. + +The current "mask" policy option matches files opened as MAY_READ, +MAY_WRITE, MAY_APPEND or MAY_EXEC. This patch extends the "mask" +option to match files opened containing one of these modes. For +example, "mask=^MAY_READ" would match files opened read-write. + +Signed-off-by: Mimi Zohar +Signed-off-by: Dr. Greg Wettstein +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/ABI/testing/ima_policy | 3 ++- + security/integrity/ima/ima_policy.c | 20 +++++++++++++++----- + 2 files changed, 17 insertions(+), 6 deletions(-) + +--- a/Documentation/ABI/testing/ima_policy ++++ b/Documentation/ABI/testing/ima_policy +@@ -27,7 +27,8 @@ Description: + + base: func:= [BPRM_CHECK][MMAP_CHECK][FILE_CHECK][MODULE_CHECK] + [FIRMWARE_CHECK] +- mask:= [MAY_READ] [MAY_WRITE] [MAY_APPEND] [MAY_EXEC] ++ mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND] ++ [[^]MAY_EXEC] + fsmagic:= hex value + fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6) + uid:= decimal value +--- a/security/integrity/ima/ima_policy.c ++++ b/security/integrity/ima/ima_policy.c +@@ -27,6 +27,7 @@ + #define IMA_UID 0x0008 + #define IMA_FOWNER 0x0010 + #define IMA_FSUUID 0x0020 ++#define IMA_INMASK 0x0040 + #define IMA_EUID 0x0080 + + #define UNKNOWN 0 +@@ -187,6 +188,9 @@ static bool ima_match_rules(struct ima_r + if ((rule->flags & IMA_MASK) && + (rule->mask != mask && func != POST_SETATTR)) + return false; ++ if ((rule->flags & IMA_INMASK) && ++ (!(rule->mask & mask) && func != POST_SETATTR)) ++ return false; + if ((rule->flags & IMA_FSMAGIC) + && rule->fsmagic != inode->i_sb->s_magic) + return false; +@@ -448,6 +452,7 @@ static void ima_log_string(struct audit_ + static int ima_parse_rule(char *rule, struct 
ima_rule_entry *entry) + { + struct audit_buffer *ab; ++ char *from; + char *p; + int result = 0; + +@@ -538,18 +543,23 @@ static int ima_parse_rule(char *rule, st + if (entry->mask) + result = -EINVAL; + +- if ((strcmp(args[0].from, "MAY_EXEC")) == 0) ++ from = args[0].from; ++ if (*from == '^') ++ from++; ++ ++ if ((strcmp(from, "MAY_EXEC")) == 0) + entry->mask = MAY_EXEC; +- else if (strcmp(args[0].from, "MAY_WRITE") == 0) ++ else if (strcmp(from, "MAY_WRITE") == 0) + entry->mask = MAY_WRITE; +- else if (strcmp(args[0].from, "MAY_READ") == 0) ++ else if (strcmp(from, "MAY_READ") == 0) + entry->mask = MAY_READ; +- else if (strcmp(args[0].from, "MAY_APPEND") == 0) ++ else if (strcmp(from, "MAY_APPEND") == 0) + entry->mask = MAY_APPEND; + else + result = -EINVAL; + if (!result) +- entry->flags |= IMA_MASK; ++ entry->flags |= (*args[0].from == '^') ++ ? IMA_INMASK : IMA_MASK; + break; + case Opt_fsmagic: + ima_log_string(ab, "fsmagic", args[0].from); diff --git a/queue-4.1/ima-fix-ima_show_template_data_ascii.patch b/queue-4.1/ima-fix-ima_show_template_data_ascii.patch new file mode 100644 index 00000000000..ee372eceea9 --- /dev/null +++ b/queue-4.1/ima-fix-ima_show_template_data_ascii.patch 
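Review bot: The `^` prefix is tested twice in the Opt_mask branch of ima_parse_rule() — once to advance `from` past it and again as `*args[0].from == '^'` when choosing between `IMA_INMASK` and `IMA_MASK`; computing `bool inmask = (*args[0].from == '^');` once and using it for both the skip and the flag keeps the two decisions from drifting apart. The ABI hunk only changes the grammar to `[[^]MAY_READ]` without saying what `^` means; a one-line explanation such as the commit text's "`^` matches files opened with this mode bit set, e.g. mask=^MAY_READ also matches read-write opens" belongs in Documentation/ABI/testing/ima_policy. The matching side mirrors the existing IMA_MASK test, including the `func != POST_SETATTR` exclusion, which looks right. ima_parse_rule() ends outside this hunk.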
@@ -0,0 +1,62 @@ +From 45b26133b97871896b8c5241d59f4ff7839db7b2 Mon Sep 17 00:00:00 2001 +From: Mimi Zohar +Date: Thu, 11 Jun 2015 11:54:42 -0400 +Subject: ima: fix ima_show_template_data_ascii() + +From: Mimi Zohar + +commit 45b26133b97871896b8c5241d59f4ff7839db7b2 upstream. + +This patch fixes a bug introduced in "4d7aeee ima: define new template +ima-ng and template fields d-ng and n-ng". + +Changelog: +- change int to uint32 (Roberto Sassu's suggestion) + +Signed-off-by: Mimi Zohar +Signed-off-by: Roberto Sassu +Signed-off-by: Greg Kroah-Hartman + +--- + security/integrity/ima/ima.h | 2 +- + security/integrity/ima/ima_fs.c | 4 ++-- + security/integrity/ima/ima_template_lib.c | 3 ++- + 3 files changed, 5 insertions(+), 4 deletions(-) + +--- a/security/integrity/ima/ima.h ++++ b/security/integrity/ima/ima.h +@@ -106,7 +106,7 @@ void ima_add_violation(struct file *file + const char *op, const char *cause); + int ima_init_crypto(void); + void ima_putc(struct seq_file *m, void *data, int datalen); +-void ima_print_digest(struct seq_file *m, u8 *digest, int size); ++void ima_print_digest(struct seq_file *m, u8 *digest, u32 size); + struct ima_template_desc *ima_template_desc_current(void); + int ima_init_template(void); + +--- a/security/integrity/ima/ima_fs.c ++++ b/security/integrity/ima/ima_fs.c +@@ -190,9 +190,9 @@ static const struct file_operations ima_ + .release = seq_release, + }; + +-void ima_print_digest(struct seq_file *m, u8 *digest, int size) ++void ima_print_digest(struct seq_file *m, u8 *digest, u32 size) + { +- int i; ++ u32 i; + + for (i = 0; i < size; i++) + seq_printf(m, "%02x", *(digest + i)); +--- a/security/integrity/ima/ima_template_lib.c ++++ b/security/integrity/ima/ima_template_lib.c +@@ -70,7 +70,8 @@ static void ima_show_template_data_ascii + enum data_formats datafmt, + struct ima_field_data *field_data) + { +- u8 *buf_ptr = field_data->data, buflen = field_data->len; ++ u8 *buf_ptr = field_data->data; ++ u32 buflen = field_data->len; + 
+ switch (datafmt) { + case DATA_FMT_DIGEST_WITH_ALGO: diff --git a/queue-4.1/ima-skip-measurement-of-cgroupfs-files-and-update-documentation.patch b/queue-4.1/ima-skip-measurement-of-cgroupfs-files-and-update-documentation.patch new file mode 100644 index 00000000000..9471d31331c --- /dev/null +++ b/queue-4.1/ima-skip-measurement-of-cgroupfs-files-and-update-documentation.patch 
@@ -0,0 +1,75 @@ +From 6438de9f3fb5180d78a0422695d0b88c687757d3 Mon Sep 17 00:00:00 2001 +From: Roberto Sassu +Date: Sat, 11 Apr 2015 17:13:06 +0200 +Subject: ima: skip measurement of cgroupfs files and update documentation + +From: Roberto Sassu + +commit 6438de9f3fb5180d78a0422695d0b88c687757d3 upstream. + +This patch adds a rule in the default measurement policy to skip inodes +in the cgroupfs filesystem. Measurements for this filesystem can be +avoided, as all the digests collected have the same value of the digest of +an empty file. + +Furthermore, this patch updates the documentation of IMA policies in +Documentation/ABI/testing/ima_policy to make it consistent with +the policies set in security/integrity/ima/ima_policy.c. + +Signed-off-by: Roberto Sassu +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/ABI/testing/ima_policy | 17 ++++++++++++----- + security/integrity/ima/ima_policy.c | 2 ++ + 2 files changed, 14 insertions(+), 5 deletions(-) + +--- a/Documentation/ABI/testing/ima_policy ++++ b/Documentation/ABI/testing/ima_policy +@@ -49,11 +49,22 @@ Description: + dont_measure fsmagic=0x01021994 + dont_appraise fsmagic=0x01021994 + # RAMFS_MAGIC +- dont_measure fsmagic=0x858458f6 + dont_appraise fsmagic=0x858458f6 ++ # DEVPTS_SUPER_MAGIC ++ dont_measure fsmagic=0x1cd1 ++ dont_appraise fsmagic=0x1cd1 ++ # BINFMTFS_MAGIC ++ dont_measure fsmagic=0x42494e4d ++ dont_appraise fsmagic=0x42494e4d + # SECURITYFS_MAGIC + dont_measure fsmagic=0x73636673 + dont_appraise fsmagic=0x73636673 ++ # SELINUX_MAGIC ++ dont_measure fsmagic=0xf97cff8c ++ dont_appraise fsmagic=0xf97cff8c ++ # CGROUP_SUPER_MAGIC ++ dont_measure fsmagic=0x27e0eb ++ dont_appraise fsmagic=0x27e0eb + + measure func=BPRM_CHECK + measure func=FILE_MMAP mask=MAY_EXEC +@@ -70,10 +81,6 @@ Description: + Examples of LSM specific definitions: + + SELinux: +- # SELINUX_MAGIC +- dont_measure fsmagic=0xf97cff8c +- dont_appraise fsmagic=0xf97cff8c +- + dont_measure 
obj_type=var_log_t + dont_appraise obj_type=var_log_t + dont_measure obj_type=auditd_log_t +--- a/security/integrity/ima/ima_policy.c ++++ b/security/integrity/ima/ima_policy.c +@@ -79,6 +79,8 @@ static struct ima_rule_entry default_rul + {.action = DONT_MEASURE, .fsmagic = BINFMTFS_MAGIC, .flags = IMA_FSMAGIC}, + {.action = DONT_MEASURE, .fsmagic = SECURITYFS_MAGIC, .flags = IMA_FSMAGIC}, + {.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC}, ++ {.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC, ++ .flags = IMA_FSMAGIC}, + {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC, + .flags = IMA_FUNC | IMA_MASK}, + {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC, diff --git a/queue-4.1/ima-update-builtin-policies.patch b/queue-4.1/ima-update-builtin-policies.patch new file mode 100644 index 00000000000..2a2e58df587 --- /dev/null +++ b/queue-4.1/ima-update-builtin-policies.patch 
@@ -0,0 +1,167 @@ +From 24fd03c87695a76f0517df42a37e51b1597d2c8a Mon Sep 17 00:00:00 2001 +From: Mimi Zohar +Date: Thu, 11 Jun 2015 20:48:33 -0400 +Subject: ima: update builtin policies + +From: Mimi Zohar + +commit 24fd03c87695a76f0517df42a37e51b1597d2c8a upstream. + +This patch defines a builtin measurement policy "tcb", similar to the +existing "ima_tcb", but with additional rules to also measure files +based on the effective uid and to measure files opened with the "read" +mode bit set (eg. read, read-write). + +Changing the builtin "ima_tcb" policy could potentially break existing +users. Instead of defining a new separate boot command line option each +time the builtin measurement policy is modified, this patch defines a +single generic boot command line option "ima_policy=" to specify the +builtin policy and deprecates the use of the builtin ima_tcb policy. + +[The "ima_policy=" boot command line option is based on Roberto Sassu's +"ima: added new policy type exec" patch.] + +Signed-off-by: Mimi Zohar +Signed-off-by: Dr. Greg Wettstein +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/kernel-parameters.txt | 10 ++++- + security/integrity/ima/ima_policy.c | 65 +++++++++++++++++++++++++++++++----- + 2 files changed, 65 insertions(+), 10 deletions(-) + +--- a/Documentation/kernel-parameters.txt ++++ b/Documentation/kernel-parameters.txt +@@ -1398,7 +1398,15 @@ bytes respectively. Such letter suffixes + The list of supported hash algorithms is defined + in crypto/hash_info.h. + +- ima_tcb [IMA] ++ ima_policy= [IMA] ++ The builtin measurement policy to load during IMA ++ setup. Specyfing "tcb" as the value, measures all ++ programs exec'd, files mmap'd for exec, and all files ++ opened with the read mode bit set by either the ++ effective uid (euid=0) or uid=0. ++ Format: "tcb" ++ ++ ima_tcb [IMA] Deprecated. Use ima_policy= instead. + Load a policy which meets the needs of the Trusted + Computing Base. 
This means IMA will measure all + programs exec'd, files mmap'd for exec, and all files +--- a/security/integrity/ima/ima_policy.c ++++ b/security/integrity/ima/ima_policy.c +@@ -44,6 +44,8 @@ enum lsm_rule_types { LSM_OBJ_USER, LSM_ + LSM_SUBJ_USER, LSM_SUBJ_ROLE, LSM_SUBJ_TYPE + }; + ++enum policy_types { ORIGINAL_TCB = 1, DEFAULT_TCB }; ++ + struct ima_rule_entry { + struct list_head list; + int action; +@@ -72,7 +74,7 @@ struct ima_rule_entry { + * normal users can easily run the machine out of memory simply building + * and running executables. + */ +-static struct ima_rule_entry default_rules[] = { ++static struct ima_rule_entry dont_measure_rules[] = { + {.action = DONT_MEASURE, .fsmagic = PROC_SUPER_MAGIC, .flags = IMA_FSMAGIC}, + {.action = DONT_MEASURE, .fsmagic = SYSFS_MAGIC, .flags = IMA_FSMAGIC}, + {.action = DONT_MEASURE, .fsmagic = DEBUGFS_MAGIC, .flags = IMA_FSMAGIC}, +@@ -83,13 +85,29 @@ static struct ima_rule_entry default_rul + {.action = DONT_MEASURE, .fsmagic = SELINUX_MAGIC, .flags = IMA_FSMAGIC}, + {.action = DONT_MEASURE, .fsmagic = CGROUP_SUPER_MAGIC, + .flags = IMA_FSMAGIC}, +- {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC}, ++ {.action = DONT_MEASURE, .fsmagic = NSFS_MAGIC, .flags = IMA_FSMAGIC} ++}; ++ ++static struct ima_rule_entry original_measurement_rules[] = { ++ {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC, ++ .flags = IMA_FUNC | IMA_MASK}, ++ {.action = MEASURE, .func = BPRM_CHECK, .mask = MAY_EXEC, ++ .flags = IMA_FUNC | IMA_MASK}, ++ {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, ++ .uid = GLOBAL_ROOT_UID, .flags = IMA_FUNC | IMA_MASK | IMA_UID}, ++ {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC}, ++ {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC}, ++}; ++ ++static struct ima_rule_entry default_measurement_rules[] = { + {.action = MEASURE, .func = MMAP_CHECK, .mask = MAY_EXEC, + .flags = IMA_FUNC | IMA_MASK}, + {.action = MEASURE, .func = BPRM_CHECK, .mask 
= MAY_EXEC, + .flags = IMA_FUNC | IMA_MASK}, +- {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, .uid = GLOBAL_ROOT_UID, +- .flags = IMA_FUNC | IMA_MASK | IMA_UID}, ++ {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, ++ .uid = GLOBAL_ROOT_UID, .flags = IMA_FUNC | IMA_INMASK | IMA_EUID}, ++ {.action = MEASURE, .func = FILE_CHECK, .mask = MAY_READ, ++ .uid = GLOBAL_ROOT_UID, .flags = IMA_FUNC | IMA_INMASK | IMA_UID}, + {.action = MEASURE, .func = MODULE_CHECK, .flags = IMA_FUNC}, + {.action = MEASURE, .func = FIRMWARE_CHECK, .flags = IMA_FUNC}, + }; +@@ -121,14 +139,29 @@ static struct list_head *ima_rules; + + static DEFINE_MUTEX(ima_rules_mutex); + +-static bool ima_use_tcb __initdata; ++static int ima_policy __initdata; + static int __init default_measure_policy_setup(char *str) + { +- ima_use_tcb = 1; ++ if (ima_policy) ++ return 1; ++ ++ ima_policy = ORIGINAL_TCB; + return 1; + } + __setup("ima_tcb", default_measure_policy_setup); + ++static int __init policy_setup(char *str) ++{ ++ if (ima_policy) ++ return 1; ++ ++ if (strcmp(str, "tcb") == 0) ++ ima_policy = DEFAULT_TCB; ++ ++ return 1; ++} ++__setup("ima_policy=", policy_setup); ++ + static bool ima_use_appraise_tcb __initdata; + static int __init default_appraise_policy_setup(char *str) + { +@@ -352,13 +385,27 @@ void __init ima_init_policy(void) + { + int i, measure_entries, appraise_entries; + +- /* if !ima_use_tcb set entries = 0 so we load NO default rules */ +- measure_entries = ima_use_tcb ? ARRAY_SIZE(default_rules) : 0; ++ /* if !ima_policy set entries = 0 so we load NO default rules */ ++ measure_entries = ima_policy ? ARRAY_SIZE(dont_measure_rules) : 0; + appraise_entries = ima_use_appraise_tcb ? 
+ ARRAY_SIZE(default_appraise_rules) : 0; + + for (i = 0; i < measure_entries; i++) +- list_add_tail(&default_rules[i].list, &ima_default_rules); ++ list_add_tail(&dont_measure_rules[i].list, &ima_default_rules); ++ ++ switch (ima_policy) { ++ case ORIGINAL_TCB: ++ for (i = 0; i < ARRAY_SIZE(original_measurement_rules); i++) ++ list_add_tail(&original_measurement_rules[i].list, ++ &ima_default_rules); ++ break; ++ case DEFAULT_TCB: ++ for (i = 0; i < ARRAY_SIZE(default_measurement_rules); i++) ++ list_add_tail(&default_measurement_rules[i].list, ++ &ima_default_rules); ++ default: ++ break; ++ } + + for (i = 0; i < appraise_entries; i++) { + list_add_tail(&default_appraise_rules[i].list, diff --git a/queue-4.1/keys-ensure-we-free-the-assoc-array-edit-if-edit-is-valid.patch b/queue-4.1/keys-ensure-we-free-the-assoc-array-edit-if-edit-is-valid.patch new file mode 100644 index 00000000000..b7bcd002649 --- /dev/null +++ b/queue-4.1/keys-ensure-we-free-the-assoc-array-edit-if-edit-is-valid.patch 
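Review bot: In the new `switch (ima_policy)` in ima_init_policy() the `case DEFAULT_TCB:` arm has no `break` and falls into `default: break;` unmarked; harmless today, but any arm added below it later would also run for DEFAULT_TCB, so put `break;` after its loop. The two __setup handlers are first-wins (`if (ima_policy) return 1;` in both), so with `ima_tcb` and `ima_policy=tcb` both on the command line whichever appears first decides, and an unrecognised `ima_policy=` value is silently dropped — kernel-parameters.txt should state that precedence, and policy_setup() could report the unknown value rather than ignore it. The same hunk's documentation text also has a typo, "Specyfing" for "Specifying". Finally, `int i` is compared against `ARRAY_SIZE()` in the two new loops, which -Wsign-compare flags; the counts could be taken as the existing `measure_entries` style locals.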
@@ -0,0 +1,47 @@
+From ca4da5dd1f99fe9c59f1709fb43e818b18ad20e0 Mon Sep 17 00:00:00 2001
+From: Colin Ian King
+Date: Mon, 27 Jul 2015 15:23:43 +0100
+Subject: KEYS: ensure we free the assoc array edit if edit is valid
+
+From: Colin Ian King
+
+commit ca4da5dd1f99fe9c59f1709fb43e818b18ad20e0 upstream.
+
+__key_link_end is not freeing the associated array edit structure
+and this leads to a 512 byte memory leak each time an identical
+existing key is added with add_key().
+
+The reason the add_key() system call returns okay is that
+key_create_or_update() calls __key_link_begin() before checking to see
+whether it can update a key directly rather than adding/replacing - which
+it turns out it can. Thus __key_link() is not called through
+__key_instantiate_and_link() and __key_link_end() must cancel the edit.
+
+CVE-2015-1333
+
+Signed-off-by: Colin Ian King
+Signed-off-by: David Howells
+Signed-off-by: James Morris
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/keys/keyring.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/security/keys/keyring.c
++++ b/security/keys/keyring.c
+@@ -1181,9 +1181,11 @@ void __key_link_end(struct key *keyring,
+ if (index_key->type == &key_type_keyring)
+ up_write(&keyring_serialise_link_sem);
+
+- if (edit && !edit->dead_leaf) {
+- key_payload_reserve(keyring,
+- keyring->datalen - KEYQUOTA_LINK_BYTES);
++ if (edit) {
++ if (!edit->dead_leaf) {
++ key_payload_reserve(keyring,
++ keyring->datalen - KEYQUOTA_LINK_BYTES);
++ }
+ assoc_array_cancel_edit(edit);
+ }
+ up_write(&keyring->sem);
diff --git a/queue-4.1/keys-fix-ca_keys-partial-key-matching.patch b/queue-4.1/keys-fix-ca_keys-partial-key-matching.patch
new file mode 100644
index 00000000000..3cd25952148
--- /dev/null
+++ b/queue-4.1/keys-fix-ca_keys-partial-key-matching.patch
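Review bot: The new `if (edit)` block now calls `assoc_array_cancel_edit(edit)` whenever the caller still holds an edit, so correctness rests on every path that applied the edit (the `__key_link()` path the commit text describes) having cleared the caller's pointer before reaching __key_link_end(); if some caller passed an already-applied edit, this would cancel it instead of just releasing the leaked nodes. That contract is worth stating at the top of the block, e.g. `/* a non-NULL edit here was never applied; cancel it so its preallocated nodes are freed (CVE-2015-1333) */`. The quota release is still limited to the `!edit->dead_leaf` case, which matches the condition being replaced. __key_link_end() begins and ends outside this hunk.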
@@ -0,0 +1,130 @@ +From f2b3dee484f9cee967a54ef05a66866282337519 Mon Sep 17 00:00:00 2001 +From: Mimi Zohar +Date: Wed, 11 Feb 2015 07:33:34 -0500 +Subject: KEYS: fix "ca_keys=" partial key matching + +From: Mimi Zohar + +commit f2b3dee484f9cee967a54ef05a66866282337519 upstream. + +The call to asymmetric_key_hex_to_key_id() from ca_keys_setup() +silently fails with -ENOMEM. Instead of dynamically allocating +memory from a __setup function, this patch defines a variable +and calls __asymmetric_key_hex_to_key_id(), a new helper function, +directly. + +This bug was introduced by 'commit 46963b774d44 ("KEYS: Overhaul +key identification when searching for asymmetric keys")'. + +Changelog: +- for clarification, rename hexlen to asciihexlen in + asymmetric_key_hex_to_key_id() +- add size argument to __asymmetric_key_hex_to_key_id() - David Howells +- inline __asymmetric_key_hex_to_key_id() - David Howells +- remove duplicate strlen() calls + +Acked-by: David Howells +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/asymmetric_keys/asymmetric_keys.h | 3 +++ + crypto/asymmetric_keys/asymmetric_type.c | 20 ++++++++++++++------ + crypto/asymmetric_keys/x509_public_key.c | 23 ++++++++++++++++++----- + 3 files changed, 35 insertions(+), 11 deletions(-) + +--- a/crypto/asymmetric_keys/asymmetric_keys.h ++++ b/crypto/asymmetric_keys/asymmetric_keys.h +@@ -11,6 +11,9 @@ + + extern struct asymmetric_key_id *asymmetric_key_hex_to_key_id(const char *id); + ++extern int __asymmetric_key_hex_to_key_id(const char *id, ++ struct asymmetric_key_id *match_id, ++ size_t hexlen); + static inline + const struct asymmetric_key_ids *asymmetric_key_ids(const struct key *key) + { +--- a/crypto/asymmetric_keys/asymmetric_type.c ++++ b/crypto/asymmetric_keys/asymmetric_type.c +@@ -104,6 +104,15 @@ static bool asymmetric_match_key_ids( + return false; + } + ++/* helper function can be called directly with pre-allocated memory */ ++inline int 
__asymmetric_key_hex_to_key_id(const char *id, ++ struct asymmetric_key_id *match_id, ++ size_t hexlen) ++{ ++ match_id->len = hexlen; ++ return hex2bin(match_id->data, id, hexlen); ++} ++ + /** + * asymmetric_key_hex_to_key_id - Convert a hex string into a key ID. + * @id: The ID as a hex string. +@@ -111,21 +120,20 @@ static bool asymmetric_match_key_ids( + struct asymmetric_key_id *asymmetric_key_hex_to_key_id(const char *id) + { + struct asymmetric_key_id *match_id; +- size_t hexlen; ++ size_t asciihexlen; + int ret; + + if (!*id) + return ERR_PTR(-EINVAL); +- hexlen = strlen(id); +- if (hexlen & 1) ++ asciihexlen = strlen(id); ++ if (asciihexlen & 1) + return ERR_PTR(-EINVAL); + +- match_id = kmalloc(sizeof(struct asymmetric_key_id) + hexlen / 2, ++ match_id = kmalloc(sizeof(struct asymmetric_key_id) + asciihexlen / 2, + GFP_KERNEL); + if (!match_id) + return ERR_PTR(-ENOMEM); +- match_id->len = hexlen / 2; +- ret = hex2bin(match_id->data, id, hexlen / 2); ++ ret = __asymmetric_key_hex_to_key_id(id, match_id, asciihexlen / 2); + if (ret < 0) { + kfree(match_id); + return ERR_PTR(-EINVAL); +--- a/crypto/asymmetric_keys/x509_public_key.c ++++ b/crypto/asymmetric_keys/x509_public_key.c +@@ -28,17 +28,30 @@ static bool use_builtin_keys; + static struct asymmetric_key_id *ca_keyid; + + #ifndef MODULE ++static struct { ++ struct asymmetric_key_id id; ++ unsigned char data[10]; ++} cakey; ++ + static int __init ca_keys_setup(char *str) + { + if (!str) /* default system keyring */ + return 1; + + if (strncmp(str, "id:", 3) == 0) { +- struct asymmetric_key_id *p; +- p = asymmetric_key_hex_to_key_id(str + 3); +- if (p == ERR_PTR(-EINVAL)) +- pr_err("Unparsable hex string in ca_keys\n"); +- else if (!IS_ERR(p)) ++ struct asymmetric_key_id *p = &cakey.id; ++ size_t hexlen = (strlen(str) - 3) / 2; ++ int ret; ++ ++ if (hexlen == 0 || hexlen > sizeof(cakey.data)) { ++ pr_err("Missing or invalid ca_keys id\n"); ++ return 1; ++ } ++ ++ ret = __asymmetric_key_hex_to_key_id(str 
+ 3, p, hexlen); ++ if (ret < 0) ++ pr_err("Unparsable ca_keys id hex string\n"); ++ else + ca_keyid = p; /* owner key 'id:xxxxxx' */ + } else if (strcmp(str, "builtin") == 0) { + use_builtin_keys = true; diff --git a/queue-4.1/series b/queue-4.1/series index dc8bffa20bf..98bdfd264b1 100644 --- a/queue-4.1/series +++ b/queue-4.1/series @@ -169,3 +169,13 @@ tpm-tpm_crb-fix-le64_to_cpu-conversions-in-crb_acpi_add.patch vtpm-set-virtual-device-before-passing-to-ibmvtpm_reset_crq.patch tpm-fix-initialization-of-the-cdev.patch tpm-tpm_crb-fail-when-tpm2-acpi-table-contents-look-corrupted.patch +keys-fix-ca_keys-partial-key-matching.patch +keys-ensure-we-free-the-assoc-array-edit-if-edit-is-valid.patch +ima-skip-measurement-of-cgroupfs-files-and-update-documentation.patch +ima-cleanup-ima_init_policy-a-little.patch +ima-do-not-measure-or-appraise-the-nsfs-filesystem.patch +evm-labeling-pseudo-filesystems-exception.patch +ima-fix-ima_show_template_data_ascii.patch +ima-add-support-for-new-euid-policy-condition.patch +ima-extend-mask-policy-matching-support.patch +ima-update-builtin-policies.patch
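Review bot: `size_t hexlen = (strlen(str) - 3) / 2;` in ca_keys_setup() silently drops a trailing odd nibble, whereas the path it replaces rejects an odd-length string (this same patch keeps `if (asciihexlen & 1) return ERR_PTR(-EINVAL);` in asymmetric_key_hex_to_key_id()), so an `id:` value with an odd number of hex digits is now accepted with a truncated key id rather than reported. Validate the raw length before halving: `size_t asciihexlen = strlen(str) - 3;` and `if (asciihexlen == 0 || (asciihexlen & 1) || asciihexlen / 2 > sizeof(cakey.data))` in place of the current `hexlen == 0 || hexlen > sizeof(cakey.data)` test, then pass `asciihexlen / 2` to the helper. A short comment on the new static `cakey` object saying it exists because a __setup handler cannot allocate (the reason given in the commit text) would spare the next reader the archaeology, and `unsigned char data[10]` deserves a note that only 10-byte ids can be matched here. ca_keys_setup() ends outside this hunk.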