From 54a4a6754af49ca512b38df60c88d6fba6d9c241 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 6 Mar 2023 18:55:11 +0100 Subject: [PATCH] 4.14-stable patches added patches: ima-align-ima_file_mmap-parameters-with-mmap_file-lsm-hook.patch --- ...p-parameters-with-mmap_file-lsm-hook.patch | 107 ++++++++++++++++++ queue-4.14/series | 1 + 2 files changed, 108 insertions(+) create mode 100644 queue-4.14/ima-align-ima_file_mmap-parameters-with-mmap_file-lsm-hook.patch diff --git a/queue-4.14/ima-align-ima_file_mmap-parameters-with-mmap_file-lsm-hook.patch b/queue-4.14/ima-align-ima_file_mmap-parameters-with-mmap_file-lsm-hook.patch new file mode 100644 index 00000000000..50505989f0e --- /dev/null +++ b/queue-4.14/ima-align-ima_file_mmap-parameters-with-mmap_file-lsm-hook.patch @@ -0,0 +1,107 @@ +From 4971c268b85e1c7a734a61622fc0813c86e2362e Mon Sep 17 00:00:00 2001 +From: Roberto Sassu +Date: Tue, 31 Jan 2023 18:42:43 +0100 +Subject: ima: Align ima_file_mmap() parameters with mmap_file LSM hook + +From: Roberto Sassu + +commit 4971c268b85e1c7a734a61622fc0813c86e2362e upstream. + +Commit 98de59bfe4b2f ("take calculation of final prot in +security_mmap_file() into a helper") moved the code to update prot, to be +the actual protections applied to the kernel, to a new helper called +mmap_prot(). + +However, while without the helper ima_file_mmap() was getting the updated +prot, with the helper ima_file_mmap() gets the original prot, which +contains the protections requested by the application. + +A possible consequence of this change is that, if an application calls +mmap() with only PROT_READ, and the kernel applies PROT_EXEC in addition, +that application would have access to executable memory without having this +event recorded in the IMA measurement list. This situation would occur for +example if the application, before mmap(), calls the personality() system +call with READ_IMPLIES_EXEC as the first argument. + +Align ima_file_mmap() parameters with those of the mmap_file LSM hook, so +that IMA can receive both the requested prot and the final prot. Since the +requested protections are stored in a new variable, and the final +protections are stored in the existing variable, this effectively restores +the original behavior of the MMAP_CHECK hook. + +Cc: stable@vger.kernel.org +Fixes: 98de59bfe4b2 ("take calculation of final prot in security_mmap_file() into a helper") +Signed-off-by: Roberto Sassu +Reviewed-by: Stefan Berger +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/ima.h | 6 ++++-- + security/integrity/ima/ima_main.c | 7 +++++-- + security/security.c | 7 ++++--- + 3 files changed, 13 insertions(+), 7 deletions(-) + +--- a/include/linux/ima.h ++++ b/include/linux/ima.h +@@ -18,7 +18,8 @@ struct linux_binprm; + extern int ima_bprm_check(struct linux_binprm *bprm); + extern int ima_file_check(struct file *file, int mask, int opened); + extern void ima_file_free(struct file *file); +-extern int ima_file_mmap(struct file *file, unsigned long prot); ++extern int ima_file_mmap(struct file *file, unsigned long reqprot, ++ unsigned long prot, unsigned long flags); + extern int ima_read_file(struct file *file, enum kernel_read_file_id id); + extern int ima_post_read_file(struct file *file, void *buf, loff_t size, + enum kernel_read_file_id id); +@@ -44,7 +45,8 @@ static inline void ima_file_free(struct + return; + } + +-static inline int ima_file_mmap(struct file *file, unsigned long prot) ++static inline int ima_file_mmap(struct file *file, unsigned long reqprot, ++ unsigned long prot, unsigned long flags) + { + return 0; + } +--- a/security/integrity/ima/ima_main.c ++++ b/security/integrity/ima/ima_main.c +@@ -303,7 +303,9 @@ out: + /** + * ima_file_mmap - based on policy, collect/store measurement. + * @file: pointer to the file to be measured (May be NULL) +- * @prot: contains the protection that will be applied by the kernel. ++ * @reqprot: protection requested by the application ++ * @prot: protection that will be applied by the kernel ++ * @flags: operational flags + * + * Measure files being mmapped executable based on the ima_must_measure() + * policy decision. +@@ -311,7 +313,8 @@ out: + * On success return 0. On integrity appraisal error, assuming the file + * is in policy and IMA-appraisal is in enforcing mode, return -EACCES. + */ +-int ima_file_mmap(struct file *file, unsigned long prot) ++int ima_file_mmap(struct file *file, unsigned long reqprot, ++ unsigned long prot, unsigned long flags) + { + if (file && (prot & PROT_EXEC)) + return process_measurement(file, NULL, 0, MAY_EXEC, +--- a/security/security.c ++++ b/security/security.c +@@ -920,12 +920,13 @@ static inline unsigned long mmap_prot(st + int security_mmap_file(struct file *file, unsigned long prot, + unsigned long flags) + { ++ unsigned long prot_adj = mmap_prot(file, prot); + int ret; +- ret = call_int_hook(mmap_file, 0, file, prot, +- mmap_prot(file, prot), flags); ++ ++ ret = call_int_hook(mmap_file, 0, file, prot, prot_adj, flags); + if (ret) + return ret; +- return ima_file_mmap(file, prot); ++ return ima_file_mmap(file, prot, prot_adj, flags); + } + + int security_mmap_addr(unsigned long addr) diff --git a/queue-4.14/series b/queue-4.14/series index e6d09c7e44f..bf0120e9ac1 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -121,3 +121,4 @@ x86-microcode-amd-add-a-cpu-parameter-to-the-reloading-functions.patch x86-microcode-amd-fix-mixed-steppings-support.patch x86-speculation-allow-enabling-stibp-with-legacy-ibrs.patch documentation-hw-vuln-document-the-interaction-between-ibrs-and-stibp.patch +ima-align-ima_file_mmap-parameters-with-mmap_file-lsm-hook.patch -- 2.47.3