From: Greg Kroah-Hartman Date: Wed, 5 May 2021 11:22:48 +0000 (+0200) Subject: 5.12-stable patches X-Git-Tag: v4.19.190~5 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2e4c97650092cce59974fd4c5407b227cc948afa;p=thirdparty%2Fkernel%2Fstable-queue.git 5.12-stable patches added patches: perf-core-fix-unconditional-security_locked_down-call.patch --- diff --git a/queue-5.12/perf-core-fix-unconditional-security_locked_down-call.patch b/queue-5.12/perf-core-fix-unconditional-security_locked_down-call.patch new file mode 100644 index 00000000000..afd9182b815 --- /dev/null +++ b/queue-5.12/perf-core-fix-unconditional-security_locked_down-call.patch @@ -0,0 +1,54 @@ +From 08ef1af4de5fe7de9c6d69f1e22e51b66e385d9b Mon Sep 17 00:00:00 2001 +From: Ondrej Mosnacek +Date: Wed, 24 Feb 2021 22:56:28 +0100 +Subject: perf/core: Fix unconditional security_locked_down() call + +From: Ondrej Mosnacek + +commit 08ef1af4de5fe7de9c6d69f1e22e51b66e385d9b upstream. + +Currently, the lockdown state is queried unconditionally, even though +its result is used only if the PERF_SAMPLE_REGS_INTR bit is set in +attr.sample_type. While that doesn't matter in case of the Lockdown LSM, +it causes trouble with the SELinux's lockdown hook implementation. + +SELinux implements the locked_down hook with a check whether the current +task's type has the corresponding "lockdown" class permission +("integrity" or "confidentiality") allowed in the policy. This means +that calling the hook when the access control decision would be ignored +generates a bogus permission check and audit record. + +Fix this by checking sample_type first and only calling the hook when +its result would be honored. + +Fixes: b0c8fdc7fdb7 ("lockdown: Lock down perf when in confidentiality mode") +Signed-off-by: Ondrej Mosnacek +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Paul Moore +Link: https://lkml.kernel.org/r/20210224215628.192519-1-omosnace@redhat.com +Signed-off-by: Greg Kroah-Hartman +--- + kernel/events/core.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -11829,12 +11829,12 @@ SYSCALL_DEFINE5(perf_event_open, + return err; + } + +- err = security_locked_down(LOCKDOWN_PERF); +- if (err && (attr.sample_type & PERF_SAMPLE_REGS_INTR)) +- /* REGS_INTR can leak data, lockdown must prevent this */ +- return err; +- +- err = 0; ++ /* REGS_INTR can leak data, lockdown must prevent this */ ++ if (attr.sample_type & PERF_SAMPLE_REGS_INTR) { ++ err = security_locked_down(LOCKDOWN_PERF); ++ if (err) ++ return err; ++ } + + /* + * In cgroup mode, the pid argument is used to pass the fd diff --git a/queue-5.12/series b/queue-5.12/series index 8ac3534e709..7cd5dd3f364 100644 --- a/queue-5.12/series +++ b/queue-5.12/series @@ -14,3 +14,4 @@ usb-add-reset-resume-quirk-for-wd19-s-realtek-hub.patch asoc-ak4458-add-module_device_table.patch asoc-ak5558-add-module_device_table.patch platform-x86-thinkpad_acpi-correct-thermal-sensor-allocation.patch +perf-core-fix-unconditional-security_locked_down-call.patch