From 496971b9b9d72c4075383bc4e59bbe0b047d9404 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 6 Mar 2023 18:55:20 +0100 Subject: [PATCH] 4.19-stable patches added patches: ima-align-ima_file_mmap-parameters-with-mmap_file-lsm-hook.patch --- ...p-parameters-with-mmap_file-lsm-hook.patch | 107 ++++++++++++++++++ queue-4.19/series | 1 + 2 files changed, 108 insertions(+) create mode 100644 queue-4.19/ima-align-ima_file_mmap-parameters-with-mmap_file-lsm-hook.patch diff --git a/queue-4.19/ima-align-ima_file_mmap-parameters-with-mmap_file-lsm-hook.patch b/queue-4.19/ima-align-ima_file_mmap-parameters-with-mmap_file-lsm-hook.patch new file mode 100644 index 00000000000..f354a660372 --- /dev/null +++ b/queue-4.19/ima-align-ima_file_mmap-parameters-with-mmap_file-lsm-hook.patch @@ -0,0 +1,107 @@ +From 4971c268b85e1c7a734a61622fc0813c86e2362e Mon Sep 17 00:00:00 2001 +From: Roberto Sassu +Date: Tue, 31 Jan 2023 18:42:43 +0100 +Subject: ima: Align ima_file_mmap() parameters with mmap_file LSM hook + +From: Roberto Sassu + +commit 4971c268b85e1c7a734a61622fc0813c86e2362e upstream. + +Commit 98de59bfe4b2f ("take calculation of final prot in +security_mmap_file() into a helper") moved the code to update prot, to be +the actual protections applied to the kernel, to a new helper called +mmap_prot(). + +However, while without the helper ima_file_mmap() was getting the updated +prot, with the helper ima_file_mmap() gets the original prot, which +contains the protections requested by the application. + +A possible consequence of this change is that, if an application calls +mmap() with only PROT_READ, and the kernel applies PROT_EXEC in addition, +that application would have access to executable memory without having this +event recorded in the IMA measurement list. This situation would occur for +example if the application, before mmap(), calls the personality() system +call with READ_IMPLIES_EXEC as the first argument. + +Align ima_file_mmap() parameters with those of the mmap_file LSM hook, so +that IMA can receive both the requested prot and the final prot. Since the +requested protections are stored in a new variable, and the final +protections are stored in the existing variable, this effectively restores +the original behavior of the MMAP_CHECK hook. + +Cc: stable@vger.kernel.org +Fixes: 98de59bfe4b2 ("take calculation of final prot in security_mmap_file() into a helper") +Signed-off-by: Roberto Sassu +Reviewed-by: Stefan Berger +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/ima.h | 6 ++++-- + security/integrity/ima/ima_main.c | 7 +++++-- + security/security.c | 7 ++++--- + 3 files changed, 13 insertions(+), 7 deletions(-) + +--- a/include/linux/ima.h ++++ b/include/linux/ima.h +@@ -19,7 +19,8 @@ struct linux_binprm; + extern int ima_bprm_check(struct linux_binprm *bprm); + extern int ima_file_check(struct file *file, int mask); + extern void ima_file_free(struct file *file); +-extern int ima_file_mmap(struct file *file, unsigned long prot); ++extern int ima_file_mmap(struct file *file, unsigned long reqprot, ++ unsigned long prot, unsigned long flags); + extern int ima_load_data(enum kernel_load_data_id id); + extern int ima_read_file(struct file *file, enum kernel_read_file_id id); + extern int ima_post_read_file(struct file *file, void *buf, loff_t size, +@@ -46,7 +47,8 @@ static inline void ima_file_free(struct + return; + } + +-static inline int ima_file_mmap(struct file *file, unsigned long prot) ++static inline int ima_file_mmap(struct file *file, unsigned long reqprot, ++ unsigned long prot, unsigned long flags) + { + return 0; + } +--- a/security/integrity/ima/ima_main.c ++++ b/security/integrity/ima/ima_main.c +@@ -323,7 +323,9 @@ out: + /** + * ima_file_mmap - based on policy, collect/store measurement. + * @file: pointer to the file to be measured (May be NULL) +- * @prot: contains the protection that will be applied by the kernel. ++ * @reqprot: protection requested by the application ++ * @prot: protection that will be applied by the kernel ++ * @flags: operational flags + * + * Measure files being mmapped executable based on the ima_must_measure() + * policy decision. +@@ -331,7 +333,8 @@ out: + * On success return 0. On integrity appraisal error, assuming the file + * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. + */ +-int ima_file_mmap(struct file *file, unsigned long prot) ++int ima_file_mmap(struct file *file, unsigned long reqprot, ++ unsigned long prot, unsigned long flags) + { + u32 secid; + +--- a/security/security.c ++++ b/security/security.c +@@ -926,12 +926,13 @@ static inline unsigned long mmap_prot(st + int security_mmap_file(struct file *file, unsigned long prot, + unsigned long flags) + { ++ unsigned long prot_adj = mmap_prot(file, prot); + int ret; +- ret = call_int_hook(mmap_file, 0, file, prot, +- mmap_prot(file, prot), flags); ++ ++ ret = call_int_hook(mmap_file, 0, file, prot, prot_adj, flags); + if (ret) + return ret; +- return ima_file_mmap(file, prot); ++ return ima_file_mmap(file, prot, prot_adj, flags); + } + + int security_mmap_addr(unsigned long addr) diff --git a/queue-4.19/series b/queue-4.19/series index 71576367de1..688a9151fe9 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -165,3 +165,4 @@ x86-microcode-amd-add-a-cpu-parameter-to-the-reloading-functions.patch x86-microcode-amd-fix-mixed-steppings-support.patch x86-speculation-allow-enabling-stibp-with-legacy-ibrs.patch documentation-hw-vuln-document-the-interaction-between-ibrs-and-stibp.patch +ima-align-ima_file_mmap-parameters-with-mmap_file-lsm-hook.patch -- 2.47.3