From: Sasha Levin Date: Fri, 19 Jun 2020 04:11:08 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v4.4.228~36 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7531b0399bde0429711e613beb5e69106f1dfa2d;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/ima-remove-redundant-policy-rule-set-in-add_rules.patch b/queue-5.4/ima-remove-redundant-policy-rule-set-in-add_rules.patch new file mode 100644 index 00000000000..17b4f5f3638 --- /dev/null +++ b/queue-5.4/ima-remove-redundant-policy-rule-set-in-add_rules.patch @@ -0,0 +1,40 @@ +From e057d62e819dc22367b91849634c99bba21624bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Apr 2020 12:28:58 +0200 +Subject: ima: Remove redundant policy rule set in add_rules() + +From: Krzysztof Struczynski + +[ Upstream commit 6ee28442a465ab4c4be45e3b15015af24b1ba906 ] + +Function ima_appraise_flag() returns the flag to be set in +temp_ima_appraise depending on the hook identifier passed as an argument. +It is not necessary to set the flag again for the POLICY_CHECK hook. + +Signed-off-by: Krzysztof Struczynski +Signed-off-by: Mimi Zohar +Signed-off-by: Sasha Levin +--- + security/integrity/ima/ima_policy.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c +index 99d357e84ee9..86624b1331ef 100644 +--- a/security/integrity/ima/ima_policy.c ++++ b/security/integrity/ima/ima_policy.c +@@ -590,11 +590,8 @@ static void add_rules(struct ima_rule_entry *entries, int count, + + list_add_tail(&entry->list, &ima_policy_rules); + } +- if (entries[i].action == APPRAISE) { ++ if (entries[i].action == APPRAISE) + temp_ima_appraise |= ima_appraise_flag(entries[i].func); +- if (entries[i].func == POLICY_CHECK) +- temp_ima_appraise |= IMA_APPRAISE_POLICY; +- } + } + } + +-- +2.25.1 + 
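Review bot: dropping the `if (entries[i].func == POLICY_CHECK) temp_ima_appraise |= IMA_APPRAISE_POLICY;` branch in add_rules() is only behaviour-preserving if ima_appraise_flag(POLICY_CHECK) itself returns IMA_APPRAISE_POLICY, and that function is not part of the hunk; the commit message asserts it, but a backport reviewer should confirm it against the 5.4 copy of ima_appraise_flag() before queuing, since on a tree where the mapping differs the policy-appraisal flag would silently stop being set. Removing the braces around the now single-statement body is fine. This patch carries no Fixes: tag; it is queued because the next patch's pre-image (index 86624b1331ef) is this patch's post-image, so the two must stay adjacent and in this order in the series file.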
diff --git a/queue-5.4/ima-set-again-build_ima_appraise-variable.patch b/queue-5.4/ima-set-again-build_ima_appraise-variable.patch new file mode 100644 index 00000000000..4b6a66d5010 --- /dev/null +++ b/queue-5.4/ima-set-again-build_ima_appraise-variable.patch 
@@ -0,0 +1,54 @@ +From b4001462a35a736ae9775784796ae0be700db254 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Apr 2020 12:28:59 +0200 +Subject: ima: Set again build_ima_appraise variable + +From: Krzysztof Struczynski + +[ Upstream commit b59fda449cf07f2db3be3a67142e6c000f5e8d79 ] + +After adding the new add_rule() function in commit c52657d93b05 +("ima: refactor ima_init_policy()"), all appraisal flags are added to the +temp_ima_appraise variable. Revert to the previous behavior instead of +removing build_ima_appraise, to benefit from the protection offered by +__ro_after_init. + +The mentioned commit introduced a bug, as it makes all the flags +modifiable, while build_ima_appraise flags can be protected with +__ro_after_init. + +Cc: stable@vger.kernel.org # 5.0.x +Fixes: c52657d93b05 ("ima: refactor ima_init_policy()") +Co-developed-by: Roberto Sassu +Signed-off-by: Roberto Sassu +Signed-off-by: Krzysztof Struczynski +Signed-off-by: Mimi Zohar +Signed-off-by: Sasha Levin +--- + security/integrity/ima/ima_policy.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c +index 86624b1331ef..558a7607bf93 100644 +--- a/security/integrity/ima/ima_policy.c ++++ b/security/integrity/ima/ima_policy.c +@@ -590,8 +590,14 @@ static void add_rules(struct ima_rule_entry *entries, int count, + + list_add_tail(&entry->list, &ima_policy_rules); + } +- if (entries[i].action == APPRAISE) +- temp_ima_appraise |= ima_appraise_flag(entries[i].func); ++ if (entries[i].action == APPRAISE) { ++ if (entries != build_appraise_rules) ++ temp_ima_appraise |= ++ ima_appraise_flag(entries[i].func); ++ else ++ build_ima_appraise |= ++ ima_appraise_flag(entries[i].func); ++ } + } + } + +-- +2.25.1 + diff --git a/queue-5.4/series b/queue-5.4/series index 2bebb9e0655..01dd8afbbe7 100644 --- a/queue-5.4/series +++ b/queue-5.4/series 
@@ -190,3 +190,5 @@ x86-amd_nb-add-family-19h-pci-ids.patch pci-add-loongson-vendor-id.patch serial-8250_pci-move-pericom-ids-to-pci_ids.h.patch x86-amd_nb-add-amd-family-17h-model-60h-pci-ids.patch +ima-remove-redundant-policy-rule-set-in-add_rules.patch +ima-set-again-build_ima_appraise-variable.patch
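Review bot: in the add_rules() hunk of ima-set-again-build_ima_appraise-variable.patch, the routing decision `if (entries != build_appraise_rules)` is a comparison on the array pointer the caller passes in, so it only does the right thing when callers hand over the head of build_appraise_rules rather than a sub-range of it; a short comment on that assumption next to the `if` would help, because a future caller passing a sub-slice would silently accumulate built-in flags into the runtime-modifiable temp_ima_appraise and undo the __ro_after_init protection this patch restores. The security point is also worth one explicit sentence in the message: keeping every flag in temp_ima_appraise made the build-time appraise flags modifiable after init, which is what the Fixes: c52657d93b05 tag refers to. The series hunk appends both ima patches in dependency order after the preceding backport, so nothing to change there.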