From c886edb1cddbb583da44f3074eeef1ea95245115 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Wed, 18 Jun 2014 19:41:46 -0700
Subject: [PATCH] 3.10-stable patches

added patches:
evm-prohibit-userspace-writing-security.evm-hmac-value.patch
ima-introduce-ima_kernel_read.patch
---
...pace-writing-security.evm-hmac-value.patch | 46 +++++
.../ima-introduce-ima_kernel_read.patch | 169 ++++++++++++++++++
queue-3.10/series | 2 +
3 files changed, 217 insertions(+)
create mode 100644 queue-3.10/evm-prohibit-userspace-writing-security.evm-hmac-value.patch
create mode 100644 queue-3.10/ima-introduce-ima_kernel_read.patch
diff --git a/queue-3.10/evm-prohibit-userspace-writing-security.evm-hmac-value.patch b/queue-3.10/evm-prohibit-userspace-writing-security.evm-hmac-value.patch
new file mode 100644
index 00000000000..01a4c447136
--- /dev/null
+++ b/queue-3.10/evm-prohibit-userspace-writing-security.evm-hmac-value.patch
@@ -0,0 +1,46 @@
+From 2fb1c9a4f2dbc2f0bd2431c7fa64d0b5483864e4 Mon Sep 17 00:00:00 2001
+From: Mimi Zohar
+Date: Sun, 11 May 2014 00:05:23 -0400
+Subject: evm: prohibit userspace writing 'security.evm' HMAC value
+
+From: Mimi Zohar
+
+commit 2fb1c9a4f2dbc2f0bd2431c7fa64d0b5483864e4 upstream.
+
+Calculating the 'security.evm' HMAC value requires access to the
+EVM encrypted key. Only the kernel should have access to it. This
+patch prevents userspace tools(eg. setfattr, cp --preserve=xattr)
+from setting/modifying the 'security.evm' HMAC value directly.
+
+Signed-off-by: Mimi Zohar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/integrity/evm/evm_main.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/security/integrity/evm/evm_main.c
++++ b/security/integrity/evm/evm_main.c
+@@ -275,12 +275,20 @@ static int evm_protect_xattr(struct dent
+ * @xattr_value: pointer to the new extended attribute value
+ * @xattr_value_len: pointer to the new extended attribute value length
+ *
+- * Updating 'security.evm' requires CAP_SYS_ADMIN privileges and that
+- * the current value is valid.
++ * Before allowing the 'security.evm' protected xattr to be updated,
++ * verify the existing value is valid. As only the kernel should have
++ * access to the EVM encrypted key needed to calculate the HMAC, prevent
++ * userspace from writing HMAC value. Writing 'security.evm' requires
++ * requires CAP_SYS_ADMIN privileges.
+ */
+ int evm_inode_setxattr(struct dentry *dentry, const char *xattr_name,
+ const void *xattr_value, size_t xattr_value_len)
+ {
++ const struct evm_ima_xattr_data *xattr_data = xattr_value;
++
++ if ((strcmp(xattr_name, XATTR_NAME_EVM) == 0)
++ && (xattr_data->type == EVM_XATTR_HMAC))
++ return -EPERM;
+ return evm_protect_xattr(dentry, xattr_name, xattr_value,
+ xattr_value_len);
+ }
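Review bot: The added check in evm_inode_setxattr dereferences `xattr_data->type` without consulting xattr_value_len, so a 'security.evm' set with a zero-length value either reads a byte the caller never supplied or, where the VFS hands down a NULL value pointer for size 0 (the setxattr syscall path does this for an empty value; worth confirming on 3.10), dereferences NULL. This runs before evm_protect_xattr(), which is where the CAP_SYS_ADMIN check mentioned in the comment appears to live, so it looks reachable by an unprivileged local user with write access to the file. Guard the length first: `if (strcmp(xattr_name, XATTR_NAME_EVM) == 0) { if (!xattr_value_len) return -EINVAL; if (xattr_data->type == EVM_XATTR_HMAC) return -EPERM; }`. Consider also inverting the type test into an allow-list of the value types EVM is willing to accept, so any type added later is rejected by default rather than passed through. The rewritten comment also reads 'requires requires' across the line break.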
diff --git a/queue-3.10/ima-introduce-ima_kernel_read.patch b/queue-3.10/ima-introduce-ima_kernel_read.patch
new file mode 100644
index 00000000000..878fa307872
--- /dev/null
+++ b/queue-3.10/ima-introduce-ima_kernel_read.patch
@@ -0,0 +1,169 @@
+From 0430e49b6e7c6b5e076be8fefdee089958c9adad Mon Sep 17 00:00:00 2001
+From: Dmitry Kasatkin
+Date: Thu, 8 May 2014 14:03:22 +0300
+Subject: ima: introduce ima_kernel_read()
+
+From: Dmitry Kasatkin
+
+commit 0430e49b6e7c6b5e076be8fefdee089958c9adad upstream.
+
+Commit 8aac62706 "move exit_task_namespaces() outside of exit_notify"
+introduced the kernel opps since the kernel v3.10, which happens when
+Apparmor and IMA-appraisal are enabled at the same time.
+
+----------------------------------------------------------------------
+[ 106.750167] BUG: unable to handle kernel NULL pointer dereference at
+0000000000000018
+[ 106.750221] IP: [] our_mnt+0x1a/0x30
+[ 106.750241] PGD 0
+[ 106.750254] Oops: 0000 [#1] SMP
+[ 106.750272] Modules linked in: cuse parport_pc ppdev bnep rfcomm
+bluetooth rpcsec_gss_krb5 nfsd auth_rpcgss nfs_acl nfs lockd sunrpc
+fscache dm_crypt intel_rapl x86_pkg_temp_thermal intel_powerclamp
+kvm_intel snd_hda_codec_hdmi kvm crct10dif_pclmul crc32_pclmul
+ghash_clmulni_intel aesni_intel aes_x86_64 glue_helper lrw gf128mul
+ablk_helper cryptd snd_hda_codec_realtek dcdbas snd_hda_intel
+snd_hda_codec snd_hwdep snd_pcm snd_page_alloc snd_seq_midi
+snd_seq_midi_event snd_rawmidi psmouse snd_seq microcode serio_raw
+snd_timer snd_seq_device snd soundcore video lpc_ich coretemp mac_hid lp
+parport mei_me mei nbd hid_generic e1000e usbhid ahci ptp hid libahci
+pps_core
+[ 106.750658] CPU: 6 PID: 1394 Comm: mysqld Not tainted 3.13.0-rc7-kds+ #15
+[ 106.750673] Hardware name: Dell Inc. OptiPlex 9010/0M9KCM, BIOS A08
+09/19/2012
+[ 106.750689] task: ffff8800de804920 ti: ffff880400fca000 task.ti:
+ffff880400fca000
+[ 106.750704] RIP: 0010:[] []
+our_mnt+0x1a/0x30
+[ 106.750725] RSP: 0018:ffff880400fcba60 EFLAGS: 00010286
+[ 106.750738] RAX: 0000000000000000 RBX: 0000000000000100 RCX:
+ffff8800d51523e7
+[ 106.750764] RDX: ffffffffffffffea RSI: ffff880400fcba34 RDI:
+ffff880402d20020
+[ 106.750791] RBP: ffff880400fcbae0 R08: 0000000000000000 R09:
+0000000000000001
+[ 106.750817] R10: 0000000000000000 R11: 0000000000000001 R12:
+ffff8800d5152300
+[ 106.750844] R13: ffff8803eb8df510 R14: ffff880400fcbb28 R15:
+ffff8800d51523e7
+[ 106.750871] FS: 0000000000000000(0000) GS:ffff88040d200000(0000)
+knlGS:0000000000000000
+[ 106.750910] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 106.750935] CR2: 0000000000000018 CR3: 0000000001c0e000 CR4:
+00000000001407e0
+[ 106.750962] Stack:
+[ 106.750981] ffffffff813434eb ffff880400fcbb20 ffff880400fcbb18
+0000000000000000
+[ 106.751037] ffff8800de804920 ffffffff8101b9b9 0001800000000000
+0000000000000100
+[ 106.751093] 0000010000000000 0000000000000002 000000000000000e
+ffff8803eb8df500
+[ 106.751149] Call Trace:
+[ 106.751172] [] ? aa_path_name+0x2ab/0x430
+[ 106.751199] [] ? sched_clock+0x9/0x10
+[ 106.751225] [] aa_path_perm+0x7d/0x170
+[ 106.751250] [] ? native_sched_clock+0x15/0x80
+[ 106.751276] [] aa_file_perm+0x33/0x40
+[ 106.751301] [] common_file_perm+0x8e/0xb0
+[ 106.751327] [] apparmor_file_permission+0x18/0x20
+[ 106.751355] [] security_file_permission+0x23/0xa0
+[ 106.751382] [] rw_verify_area+0x52/0xe0
+[ 106.751407] [] vfs_read+0x6d/0x170
+[ 106.751432] [] kernel_read+0x41/0x60
+[ 106.751457] [] ima_calc_file_hash+0x225/0x280
+[ 106.751483] [] ? ima_calc_file_hash+0x32/0x280
+[ 106.751509] [] ima_collect_measurement+0x9d/0x160
+[ 106.751536] [] ? trace_hardirqs_on+0xd/0x10
+[ 106.751562] [] ? ima_file_free+0x6c/0xd0
+[ 106.751587] [] ima_update_xattr+0x34/0x60
+[ 106.751612] [] ima_file_free+0xc0/0xd0
+[ 106.751637] [] __fput+0xd5/0x300
+[ 106.751662] [] ____fput+0xe/0x10
+[ 106.751687] [] task_work_run+0xc4/0xe0
+[ 106.751712] [] do_exit+0x2bd/0xa90
+[ 106.751738] [] ? retint_swapgs+0x13/0x1b
+[ 106.751763] [] do_group_exit+0x4c/0xc0
+[ 106.751788] [] SyS_exit_group+0x14/0x20
+[ 106.751814] [] system_call_fastpath+0x1a/0x1f
+[ 106.751839] Code: c3 0f 1f 44 00 00 55 48 89 e5 e8 22 fe ff ff 5d c3
+0f 1f 44 00 00 55 65 48 8b 04 25 c0 c9 00 00 48 8b 80 28 06 00 00 48 89
+e5 5d <48> 8b 40 18 48 39 87 c0 00 00 00 0f 94 c0 c3 0f 1f 80 00 00 00
+[ 106.752185] RIP [] our_mnt+0x1a/0x30
+[ 106.752214] RSP
+[ 106.752236] CR2: 0000000000000018
+[ 106.752258] ---[ end trace 3c520748b4732721 ]---
+----------------------------------------------------------------------
+
+The reason for the oops is that IMA-appraisal uses "kernel_read()" when
+file is closed. kernel_read() honors LSM security hook which calls
+Apparmor handler, which uses current->nsproxy->mnt_ns. The 'guilty'
+commit changed the order of cleanup code so that nsproxy->mnt_ns was
+not already available for Apparmor.
+
+Discussion about the issue with Al Viro and Eric W. Biederman suggested
+that kernel_read() is too high-level for IMA. Another issue, except
+security checking, that was identified is mandatory locking. kernel_read
+honors it as well and it might prevent IMA from calculating necessary hash.
+It was suggested to use simplified version of the function without security
+and locking checks.
+
+This patch introduces special version ima_kernel_read(), which skips security
+and mandatory locking checking. It prevents the kernel oops to happen.
+
+Signed-off-by: Dmitry Kasatkin
+Suggested-by: Eric W. Biederman
+Signed-off-by: Mimi Zohar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/integrity/ima/ima_crypto.c | 32 +++++++++++++++++++++++++++++++-
+ 1 file changed, 31 insertions(+), 1 deletion(-)
+
+--- a/security/integrity/ima/ima_crypto.c
++++ b/security/integrity/ima/ima_crypto.c
+@@ -24,6 +24,36 @@
+
+ static struct crypto_shash *ima_shash_tfm;
+
++/**
++ * ima_kernel_read - read file content
++ *
++ * This is a function for reading file content instead of kernel_read().
++ * It does not perform locking checks to ensure it cannot be blocked.
++ * It does not perform security checks because it is irrelevant for IMA.
++ *
++ */
++static int ima_kernel_read(struct file *file, loff_t offset,
++ char *addr, unsigned long count)
++{
++ mm_segment_t old_fs;
++ char __user *buf = addr;
++ ssize_t ret;
++
++ if (!(file->f_mode & FMODE_READ))
++ return -EBADF;
++ if (!file->f_op->read && !file->f_op->aio_read)
++ return -EINVAL;
++
++ old_fs = get_fs();
++ set_fs(get_ds());
++ if (file->f_op->read)
++ ret = file->f_op->read(file, buf, count, &offset);
++ else
++ ret = do_sync_read(file, buf, count, &offset);
++ set_fs(old_fs);
++ return ret;
++}
++
+ int ima_init_crypto(void)
+ {
+ long rc;
+@@ -70,7 +100,7 @@ int ima_calc_file_hash(struct file *file
+ while (offset < i_size) {
+ int rbuf_len;
+
+- rbuf_len = kernel_read(file, offset, rbuf, PAGE_SIZE);
++ rbuf_len = ima_kernel_read(file, offset, rbuf, PAGE_SIZE);
+ if (rbuf_len < 0) {
+ rc = rbuf_len;
+ break;
diff --git a/queue-3.10/series b/queue-3.10/series
index ee3f1c2bf4d..97bd0e9a40b 100644
--- a/queue-3.10/series
+++ b/queue-3.10/series
@@ -1,2 +1,4 @@
 rtc-rtc-at91rm9200-fix-infinite-wait-for-ackupd-irq.patch
 iscsi-target-reject-mutual-authentication-with-reflected-chap_c.patch
+ima-introduce-ima_kernel_read.patch
+evm-prohibit-userspace-writing-security.evm-hmac-value.patch
--
2.47.3
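Review bot: The kernel-doc block on ima_kernel_read() documents none of its four parameters and no return value, and its two rationale sentences ('to ensure it cannot be blocked', 'irrelevant for IMA') do not say what is actually bypassed or why that is safe for a helper that reads file data on the kernel's own authority. Reword it to state plainly that the function intentionally skips security_file_permission() (so no LSM hook runs from __fput() during task exit, where the commit message says nsproxy is already torn down) and mandatory locking, that it widens the address limit with set_fs(get_ds()) around ->read and therefore must only ever be handed a kernel buffer, that offset is a by-value copy so the file position is not advanced, and that the result is the byte count from ->read or a negative errno, narrowed to int. Because it deliberately sidesteps access control, the comment should also say it exists for IMA's own measurement reads only; keeping it static, as the hunk does, is what enforces that, and that property should not be loosened later. The replaced kernel_read() also ran rw_verify_area(), whose range checks are gone here; the surrounding loop in ima_calc_file_hash bounds offset by i_size and reads PAGE_SIZE at a time, which looks sufficient, but that loop starts and ends outside the hunk.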