From: Greg Kroah-Hartman Date: Tue, 11 Aug 2015 00:03:35 +0000 (-0700) Subject: 3.14-stable patches X-Git-Tag: v3.10.87~42 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d7f95eb0b0fb690c8ce4ca64b12186dd14312b78;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: ima-add-support-for-new-euid-policy-condition.patch ima-extend-mask-policy-matching-support.patch
---
diff --git a/queue-3.14/ima-add-support-for-new-euid-policy-condition.patch b/queue-3.14/ima-add-support-for-new-euid-policy-condition.patch
new file mode 100644
index 00000000000..816a3231cad
--- /dev/null
+++ b/queue-3.14/ima-add-support-for-new-euid-policy-condition.patch
@@ -0,0 +1,118 @@
+From 139069eff7388407f19794384c42a534d618ccd7 Mon Sep 17 00:00:00 2001
+From: Mimi Zohar
+Date: Wed, 5 Nov 2014 07:48:36 -0500
+Subject: ima: add support for new "euid" policy condition
+
+From: Mimi Zohar
+
+commit 139069eff7388407f19794384c42a534d618ccd7 upstream.
+
+The new "euid" policy condition measures files with the specified
+effective uid (euid). In addition, for CAP_SETUID files it measures
+files with the specified uid or suid.
+
+Changelog:
+- fixed checkpatch.pl warnings
+- fixed avc denied {setuid} messages - based on Roberto's feedback
+
+Signed-off-by: Mimi Zohar
+Signed-off-by: Dr. Greg Wettstein
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ Documentation/ABI/testing/ima_policy | 3 ++-
+ security/integrity/ima/ima_policy.c | 27 +++++++++++++++++++++++----
+ 2 files changed, 25 insertions(+), 5 deletions(-)
+
+--- a/Documentation/ABI/testing/ima_policy
++++ b/Documentation/ABI/testing/ima_policy
+@@ -20,7 +20,7 @@ Description:
+ action: measure | dont_measure | appraise | dont_appraise | audit
+ condition:= base | lsm [option]
+ base: [[func=] [mask=] [fsmagic=] [fsuuid=] [uid=]
+- [fowner]]
++ [euid=] [fowner=]]
+ lsm: [[subj_user=] [subj_role=] [subj_type=]
+ [obj_user=] [obj_role=] [obj_type=]]
+ option: [[appraise_type=]] [permit_directio]
+@@ -30,6 +30,7 @@ Description:
+ fsmagic:= hex value
+ fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6)
+ uid:= decimal value
++ euid:= decimal value
+ fowner:=decimal value
+ lsm: are LSM specific
+ option: appraise_type:= [imasig]
+--- a/security/integrity/ima/ima_policy.c
++++ b/security/integrity/ima/ima_policy.c
+@@ -27,6 +27,7 @@
+ #define IMA_UID 0x0008
+ #define IMA_FOWNER 0x0010
+ #define IMA_FSUUID 0x0020
++#define IMA_EUID 0x0080
+
+ #define UNKNOWN 0
+ #define MEASURE 0x0001 /* same as IMA_MEASURE */
+@@ -179,6 +180,16 @@ static bool ima_match_rules(struct ima_r
+ return false;
+ if ((rule->flags & IMA_UID) && !uid_eq(rule->uid, cred->uid))
+ return false;
++
if (rule->flags & IMA_EUID) {
++ if (has_capability_noaudit(current, CAP_SETUID)) {
++ if (!uid_eq(rule->uid, cred->euid)
++ && !uid_eq(rule->uid, cred->suid)
++ && !uid_eq(rule->uid, cred->uid))
++ return false;
++ } else if (!uid_eq(rule->uid, cred->euid))
++ return false;
++ }
++
+ if ((rule->flags & IMA_FOWNER) && !uid_eq(rule->fowner, inode->i_uid))
+ return false;
+ for (i = 0; i < MAX_LSM_RULES; i++) {
+@@ -350,7 +361,8 @@ enum {
+ Opt_audit,
+ Opt_obj_user, Opt_obj_role, Opt_obj_type,
+ Opt_subj_user, Opt_subj_role, Opt_subj_type,
+- Opt_func, Opt_mask, Opt_fsmagic, Opt_uid, Opt_fowner,
++ Opt_func, Opt_mask, Opt_fsmagic,
++ Opt_uid, Opt_euid, Opt_fowner,
+ Opt_appraise_type, Opt_fsuuid, Opt_permit_directio
+ };
+
+@@ -371,6 +383,7 @@ static match_table_t policy_tokens = {
+ {Opt_fsmagic, "fsmagic=%s"},
+ {Opt_fsuuid, "fsuuid=%s"},
+ {Opt_uid, "uid=%s"},
++ {Opt_euid, "euid=%s"},
+ {Opt_fowner, "fowner=%s"},
+ {Opt_appraise_type, "appraise_type=%s"},
+ {Opt_permit_directio, "permit_directio"},
+@@ -542,6 +555,9 @@ static int ima_parse_rule(char *rule, st
+ break;
+ case Opt_uid:
+ ima_log_string(ab, "uid", args[0].from);
++ case Opt_euid:
++ if (token == Opt_euid)
++ ima_log_string(ab, "euid", args[0].from);
+
+ if (uid_valid(entry->uid)) {
+ result = -EINVAL;
+@@ -550,11 +566,14 @@ static int ima_parse_rule(char *rule, st
+
+ result = strict_strtoul(args[0].from, 10, &lnum);
+ if (!result) {
+- entry->uid = make_kuid(current_user_ns(), (uid_t)lnum);
+- if (!uid_valid(entry->uid) || (((uid_t)lnum) != lnum))
++ entry->uid = make_kuid(current_user_ns(),
++ (uid_t) lnum);
++ if (!uid_valid(entry->uid) ||
++ (uid_t)lnum != lnum)
+ result = -EINVAL;
+ else
+- entry->flags |= IMA_UID;
++ entry->flags |= (token == Opt_uid)
++ ? IMA_UID : IMA_EUID;
+ }
+ break;
+ case Opt_fowner:
diff --git a/queue-3.14/ima-extend-mask-policy-matching-support.patch b/queue-3.14/ima-extend-mask-policy-matching-support.patch
new file mode 100644
index 00000000000..19bc544ace8
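Review bot: In ima_parse_rule the existing `case Opt_uid:` now falls through into the added `case Opt_euid:` without any annotation; the `if (token == Opt_euid)` guard shows the fall-through is intended, so mark it with `/* fall through: uid= and euid= share the parsing below */` right after `ima_log_string(ab, "uid", args[0].from);`. Both options store into the same `entry->uid`, and the context line `if (uid_valid(entry->uid))` returning `-EINVAL` means a single rule cannot carry both `uid=` and `euid=`; that restriction is not mentioned in Documentation/ABI/testing/ima_policy and deserves a sentence beside the new `euid:= decimal value` line. In ima_match_rules the CAP_SETUID branch accepts a match on uid, euid or suid with no comment explaining the wider match, so the rationale given in the commit message should be repeated there. Both ima_parse_rule and ima_match_rules start and end outside the quoted inner hunks.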
--- /dev/null
+++ b/queue-3.14/ima-extend-mask-policy-matching-support.patch
@@ -0,0 +1,92 @@
+From 4351c294b8c1028077280f761e158d167b592974 Mon Sep 17 00:00:00 2001
+From: Mimi Zohar
+Date: Wed, 5 Nov 2014 07:53:55 -0500
+Subject: ima: extend "mask" policy matching support
+
+From: Mimi Zohar
+
+commit 4351c294b8c1028077280f761e158d167b592974 upstream.
+
+The current "mask" policy option matches files opened as MAY_READ,
+MAY_WRITE, MAY_APPEND or MAY_EXEC. This patch extends the "mask"
+option to match files opened containing one of these modes. For
+example, "mask=^MAY_READ" would match files opened read-write.
+
+Signed-off-by: Mimi Zohar
+Signed-off-by: Dr. Greg Wettstein
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ Documentation/ABI/testing/ima_policy | 3 ++-
+ security/integrity/ima/ima_policy.c | 20 +++++++++++++++-----
+ 2 files changed, 17 insertions(+), 6 deletions(-)
+
+--- a/Documentation/ABI/testing/ima_policy
++++ b/Documentation/ABI/testing/ima_policy
+@@ -26,7 +26,8 @@ Description:
+ option: [[appraise_type=]] [permit_directio]
+
+ base: func:= [BPRM_CHECK][MMAP_CHECK][FILE_CHECK][MODULE_CHECK]
+- mask:= [MAY_READ] [MAY_WRITE] [MAY_APPEND] [MAY_EXEC]
++ mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
++ [[^]MAY_EXEC]
+ fsmagic:= hex value
+ fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6)
+ uid:= decimal value
+--- a/security/integrity/ima/ima_policy.c
++++ b/security/integrity/ima/ima_policy.c
+@@ -27,6 +27,7 @@
+ #define IMA_UID 0x0008
+ #define IMA_FOWNER 0x0010
+ #define IMA_FSUUID 0x0020
++#define IMA_INMASK 0x0040
+ #define IMA_EUID 0x0080
+
+ #define UNKNOWN 0
+@@ -172,6 +173,9 @@ static bool ima_match_rules(struct ima_r
+ return false;
+ if ((rule->flags & IMA_MASK) && rule->mask != mask)
+ return false;
++ if ((rule->flags & IMA_INMASK) &&
++ (!(rule->mask & mask) && func != POST_SETATTR))
++ return false;
+ if ((rule->flags & IMA_FSMAGIC)
+ && rule->fsmagic != inode->i_sb->s_magic)
+ return false;
+@@ -425,6 +429,7 @@ static void ima_log_string(struct audit_
+ static int ima_parse_rule(char
*rule, struct ima_rule_entry *entry)
+ {
+ struct audit_buffer *ab;
++ char *from;
+ char *p;
+ int result = 0;
+
+@@ -513,18 +518,23 @@ static int ima_parse_rule(char *rule, st
+ if (entry->mask)
+ result = -EINVAL;
+
+- if ((strcmp(args[0].from, "MAY_EXEC")) == 0)
++ from = args[0].from;
++ if (*from == '^')
++ from++;
++
++ if ((strcmp(from, "MAY_EXEC")) == 0)
+ entry->mask = MAY_EXEC;
+- else if (strcmp(args[0].from, "MAY_WRITE") == 0)
++ else if (strcmp(from, "MAY_WRITE") == 0)
+ entry->mask = MAY_WRITE;
+- else if (strcmp(args[0].from, "MAY_READ") == 0)
++ else if (strcmp(from, "MAY_READ") == 0)
+ entry->mask = MAY_READ;
+- else if (strcmp(args[0].from, "MAY_APPEND") == 0)
++ else if (strcmp(from, "MAY_APPEND") == 0)
+ entry->mask = MAY_APPEND;
+ else
+ result = -EINVAL;
+ if (!result)
+- entry->flags |= IMA_MASK;
++ entry->flags |= (*args[0].from == '^')
++ ? IMA_INMASK : IMA_MASK;
+ break;
+ case Opt_fsmagic:
+ ima_log_string(ab, "fsmagic", args[0].from);
diff --git a/queue-3.14/series b/queue-3.14/series
index 356b8dd09d2..bb8a42a2f36 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
@@ -9,3 +9,5 @@ ipr-fix-incorrect-trace-indexing.patch
 ipr-fix-invalid-array-indexing-for-hrrq.patch
 xhci-fix-off-by-one-error-in-trb-dma-address-boundary-check.patch
 usb-sierra-add-1199-68ab-device-id.patch
+ima-add-support-for-new-euid-policy-condition.patch
+ima-extend-mask-policy-matching-support.patch
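Review bot: The added IMA_INMASK test in ima_match_rules exempts `func != POST_SETATTR`, while the IMA_MASK test directly above it has no such exemption and nothing explains the difference; add a comment on the new line, e.g. `/* "^" rules match any listed mode; POST_SETATTR is not filtered on mask */`, and confirm against the POST_SETATTR caller whether that hook really carries no open mode before stating that as the reason. The ABI text now shows `[[^]MAY_READ]` and friends but never says what the leading `^` means; the commit message's explanation (a `^` rule matches opens that contain the mode, so `mask=^MAY_READ` matches a read-write open) should go into Documentation/ABI/testing/ima_policy next to the new line. In ima_parse_rule the `^` is stripped into `from` for the strcmp calls but the flag is then chosen by re-reading `*args[0].from`; that works, yet a single `bool inmask = (*args[0].from == '^');` evaluated once would make the intent plain. Both ima_match_rules and ima_parse_rule start and end outside the quoted inner hunks.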