From: Greg Kroah-Hartman Date: Wed, 5 May 2021 11:21:57 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v4.19.190~8 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9ffbbe43af7e95b81d4812d9b57d12d698b87ec6;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: perf-core-fix-unconditional-security_locked_down-call.patch --- diff --git a/queue-5.4/perf-core-fix-unconditional-security_locked_down-call.patch b/queue-5.4/perf-core-fix-unconditional-security_locked_down-call.patch new file mode 100644 index 00000000000..034e2fc31e7 --- /dev/null +++ b/queue-5.4/perf-core-fix-unconditional-security_locked_down-call.patch @@ -0,0 +1,54 @@ +From 08ef1af4de5fe7de9c6d69f1e22e51b66e385d9b Mon Sep 17 00:00:00 2001 +From: Ondrej Mosnacek +Date: Wed, 24 Feb 2021 22:56:28 +0100 +Subject: perf/core: Fix unconditional security_locked_down() call + +From: Ondrej Mosnacek + +commit 08ef1af4de5fe7de9c6d69f1e22e51b66e385d9b upstream. + +Currently, the lockdown state is queried unconditionally, even though +its result is used only if the PERF_SAMPLE_REGS_INTR bit is set in +attr.sample_type. While that doesn't matter in case of the Lockdown LSM, +it causes trouble with the SELinux's lockdown hook implementation. + +SELinux implements the locked_down hook with a check whether the current +task's type has the corresponding "lockdown" class permission +("integrity" or "confidentiality") allowed in the policy. This means +that calling the hook when the access control decision would be ignored +generates a bogus permission check and audit record. + +Fix this by checking sample_type first and only calling the hook when +its result would be honored. + +Fixes: b0c8fdc7fdb7 ("lockdown: Lock down perf when in confidentiality mode") +Signed-off-by: Ondrej Mosnacek +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Paul Moore +Link: https://lkml.kernel.org/r/20210224215628.192519-1-omosnace@redhat.com +Signed-off-by: Greg Kroah-Hartman +--- + kernel/events/core.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -10953,12 +10953,12 @@ SYSCALL_DEFINE5(perf_event_open, + perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN)) + return -EACCES; + +- err = security_locked_down(LOCKDOWN_PERF); +- if (err && (attr.sample_type & PERF_SAMPLE_REGS_INTR)) +- /* REGS_INTR can leak data, lockdown must prevent this */ +- return err; +- +- err = 0; ++ /* REGS_INTR can leak data, lockdown must prevent this */ ++ if (attr.sample_type & PERF_SAMPLE_REGS_INTR) { ++ err = security_locked_down(LOCKDOWN_PERF); ++ if (err) ++ return err; ++ } + + /* + * In cgroup mode, the pid argument is used to pass the fd diff --git a/queue-5.4/series b/queue-5.4/series index fb208529bf7..73c2907268a 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -18,3 +18,4 @@ asoc-ak5558-add-module_device_table.patch platform-x86-thinkpad_acpi-correct-thermal-sensor-allocation.patch scsi-ufs-unlock-on-a-couple-error-paths.patch ovl-allow-upperdir-inside-lowerdir.patch +perf-core-fix-unconditional-security_locked_down-call.patch