From 75c09c7444e0912d60a7fed84a65fd195ff3f39e Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Fri, 19 Jun 2020 00:11:07 -0400
Subject: [PATCH] Fixes for 5.7
Signed-off-by: Sasha Levin
---
 ...dundant-policy-rule-set-in-add_rules.patch | 40 ++++++++++++++
 ...et-again-build_ima_appraise-variable.patch | 54 +++++++++++++++++++
 queue-5.7/series | 2 +
 3 files changed, 96 insertions(+)
 create mode 100644 queue-5.7/ima-remove-redundant-policy-rule-set-in-add_rules.patch
 create mode 100644 queue-5.7/ima-set-again-build_ima_appraise-variable.patch
diff --git a/queue-5.7/ima-remove-redundant-policy-rule-set-in-add_rules.patch b/queue-5.7/ima-remove-redundant-policy-rule-set-in-add_rules.patch
new file mode 100644
index 00000000000..58de8275641
--- /dev/null
+++ b/queue-5.7/ima-remove-redundant-policy-rule-set-in-add_rules.patch
@@ -0,0 +1,40 @@
+From 553d5822ea3e1447a23d7e832c51607cc6ff5af5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 27 Apr 2020 12:28:58 +0200
+Subject: ima: Remove redundant policy rule set in add_rules()
+
+From: Krzysztof Struczynski
+
+[ Upstream commit 6ee28442a465ab4c4be45e3b15015af24b1ba906 ]
+
+Function ima_appraise_flag() returns the flag to be set in
+temp_ima_appraise depending on the hook identifier passed as an argument.
+It is not necessary to set the flag again for the POLICY_CHECK hook.
+
+Signed-off-by: Krzysztof Struczynski
+Signed-off-by: Mimi Zohar
+Signed-off-by: Sasha Levin
+---
+ security/integrity/ima/ima_policy.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
+index 1c78cbbd27d8..7414443c19bf 100644
+--- a/security/integrity/ima/ima_policy.c
++++ b/security/integrity/ima/ima_policy.c
+@@ -643,11 +643,8 @@ static void add_rules(struct ima_rule_entry *entries, int count,
+ 
+ list_add_tail(&entry->list, &ima_policy_rules);
+ }
+- if (entries[i].action == APPRAISE) {
++ if (entries[i].action == APPRAISE)
+ temp_ima_appraise |= ima_appraise_flag(entries[i].func);
+- if (entries[i].func == POLICY_CHECK)
+- temp_ima_appraise |= IMA_APPRAISE_POLICY;
+- }
+ }
+ }
+ 
+--
+2.25.1
+
diff --git a/queue-5.7/ima-set-again-build_ima_appraise-variable.patch b/queue-5.7/ima-set-again-build_ima_appraise-variable.patch
new file mode 100644
index 00000000000..99627b754a1
--- /dev/null
+++ b/queue-5.7/ima-set-again-build_ima_appraise-variable.patch
@@ -0,0 +1,54 @@
+From 0aa33cae67e47c5b8724abde312a38672155fffd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 27 Apr 2020 12:28:59 +0200
+Subject: ima: Set again build_ima_appraise variable
+
+From: Krzysztof Struczynski
+
+[ Upstream commit b59fda449cf07f2db3be3a67142e6c000f5e8d79 ]
+
+After adding the new add_rule() function in commit c52657d93b05
+("ima: refactor ima_init_policy()"), all appraisal flags are added to the
+temp_ima_appraise variable. Revert to the previous behavior instead of
+removing build_ima_appraise, to benefit from the protection offered by
+__ro_after_init.
+
+The mentioned commit introduced a bug, as it makes all the flags
+modifiable, while build_ima_appraise flags can be protected with
+__ro_after_init.
+
+Cc: stable@vger.kernel.org # 5.0.x
+Fixes: c52657d93b05 ("ima: refactor ima_init_policy()")
+Co-developed-by: Roberto Sassu
+Signed-off-by: Roberto Sassu
+Signed-off-by: Krzysztof Struczynski
+Signed-off-by: Mimi Zohar
+Signed-off-by: Sasha Levin
+---
+ security/integrity/ima/ima_policy.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
+index 7414443c19bf..e493063a3c34 100644
+--- a/security/integrity/ima/ima_policy.c
++++ b/security/integrity/ima/ima_policy.c
+@@ -643,8 +643,14 @@ static void add_rules(struct ima_rule_entry *entries, int count,
+ 
+ list_add_tail(&entry->list, &ima_policy_rules);
+ }
+- if (entries[i].action == APPRAISE)
+- temp_ima_appraise |= ima_appraise_flag(entries[i].func);
++ if (entries[i].action == APPRAISE) {
++ if (entries != build_appraise_rules)
++ temp_ima_appraise |=
++ ima_appraise_flag(entries[i].func);
++ else
++ build_ima_appraise |=
++ ima_appraise_flag(entries[i].func);
++ }
+ }
+ }
+ 
+--
+2.25.1
+
diff --git a/queue-5.7/series b/queue-5.7/series
index 29dbdd721f5..ad5a3aeddff 100644
--- a/queue-5.7/series
+++ b/queue-5.7/series
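Review bot: The new `else` branch writes `build_ima_appraise`, which the commit message says is `__ro_after_init`, so this path is only safe while add_rules() is still running from init; nothing in the hunk records that constraint, and a post-init caller passing build_appraise_rules would presumably fault on the write-protected variable rather than update it. A short comment above the new `if (entries[i].action == APPRAISE) {` would pin it: `/* Flags for build_appraise_rules go to build_ima_appraise (__ro_after_init): only reachable from ima_init_policy(), and unlike temp_ima_appraise they cannot be cleared by a later policy update */`. Selecting the target variable by pointer identity against build_appraise_rules is brittle if the array is ever copied or reached through a different entry point, though this mirrors the upstream commit. Minor style: `ima_appraise_flag(entries[i].func)` is evaluated in both arms and could be hoisted into a local before the branch. add_rules() starts and ends outside the hunk, and the preceding ima-remove-redundant patch in this series is its prerequisite context.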
@@ -287,3 +287,5 @@ pci-avoid-flr-for-amd-starship-usb-3.0.patch
 pci-add-acs-quirk-for-intel-root-complex-integrated-.patch
 serial-8250_pci-move-pericom-ids-to-pci_ids.h.patch
 x86-amd_nb-add-amd-family-17h-model-60h-pci-ids.patch
+ima-remove-redundant-policy-rule-set-in-add_rules.patch
+ima-set-again-build_ima_appraise-variable.patch
--
2.47.3