0656fa94dc
This upgrade fixes the CVEs listed below. We refresh the patches against the new rt-kernel source. rcu-Don-t-wake-rcuc-X-kthreads-on-NOCB-CPUs.patch is deleted because upstream has fixed this bug, and it is no longer needed. CVE bug: CVE-2019-11810:kernel: a NULL pointer dereference in drivers/scsi/megaraid/megaraid_sas_base.c leading to DoS CVE bug: CVE-2019-11811: kernel: use-after-free in IPMI Edit CVE bug: CVE-2019-14835: kernel: vhost-net: guest to host kernel escape during migration Closes-Bug: 1849206 Closes-Bug: 1849209 Closes-Bug: 1847817 Change-Id: Iaf5eae5d64b621f44f8faad51d22f9439431911f Depends-On: https://review.opendev.org/#/c/695355/ Signed-off-by: Robin Lu <bin1.lu@intel.com>
376 lines
11 KiB
Diff
376 lines
11 KiB
Diff
From 7e592781c3f5635f8b455cfcc2daaca572c633da Mon Sep 17 00:00:00 2001
|
|
Message-Id: <7e592781c3f5635f8b455cfcc2daaca572c633da.1528226387.git.Jim.Somerville@windriver.com>
|
|
In-Reply-To: <c8270e79f6b7008fde44b8d5aa6314d8cf89d3ed.1528226387.git.Jim.Somerville@windriver.com>
|
|
References: <c8270e79f6b7008fde44b8d5aa6314d8cf89d3ed.1528226387.git.Jim.Somerville@windriver.com>
|
|
From: Kam Nasim <kam.nasim@windriver.com>
|
|
Date: Wed, 23 Aug 2017 17:58:12 -0400
|
|
Subject: [PATCH 25/32] US101216: IMA support in Titanium kernel
|
|
|
|
facilitate building the IMA subsytem out-of-the-kernel tree as a Kernel
|
|
module (for which CONFIG_IMA and CONFIG_INTEGRITY will be undefined) by:
|
|
- exporting certain function symbols which will be linked to the kernel
|
|
module. This includes redefining the export symbols for kernel
|
|
functions such that when the kernel module loads, it dynamically points
|
|
to those new function definations and reverts to Kernel default
|
|
definitions on module deinit
|
|
- enabling inode readcount
|
|
- modification to ima_file_check to pass in file OPEN status
|
|
|
|
Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
|
|
Signed-off-by: Robin Lu <bin1.lu@intel.com>
|
|
---
|
|
fs/namei.c | 2 +-
|
|
fs/nfsd/vfs.c | 2 +-
|
|
fs/xattr.c | 1 +
|
|
include/linux/fs.h | 15 +------
|
|
include/linux/ima.h | 77 +++++++-------------------------
|
|
include/linux/integrity.h | 22 ++++-----
|
|
security/security.c | 111 +++++++++++++++++++++++++++++++++++++++++++++-
|
|
7 files changed, 140 insertions(+), 90 deletions(-)
|
|
|
|
diff --git a/fs/namei.c b/fs/namei.c
|
|
index 9f90b63..bf91ea0 100644
|
|
--- a/fs/namei.c
|
|
+++ b/fs/namei.c
|
|
@@ -3243,7 +3243,7 @@ opened:
|
|
error = open_check_o_direct(file);
|
|
if (error)
|
|
goto exit_fput;
|
|
- error = ima_file_check(file, op->acc_mode);
|
|
+ error = ima_file_check(file, op->acc_mode, *opened);
|
|
if (error)
|
|
goto exit_fput;
|
|
|
|
diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
|
|
index 00e98c3..cb9250e 100644
|
|
--- a/fs/nfsd/vfs.c
|
|
+++ b/fs/nfsd/vfs.c
|
|
@@ -898,7 +898,7 @@ nfsd_open(struct svc_rqst *rqstp, struct svc_fh *fhp, umode_t type,
|
|
goto out_nfserr;
|
|
}
|
|
|
|
- host_err = ima_file_check(file, may_flags);
|
|
+ host_err = ima_file_check(file, may_flags, 0);
|
|
if (host_err) {
|
|
fput(file);
|
|
goto out_nfserr;
|
|
diff --git a/fs/xattr.c b/fs/xattr.c
|
|
index e540aca..cc307ec 100644
|
|
--- a/fs/xattr.c
|
|
+++ b/fs/xattr.c
|
|
@@ -208,6 +208,7 @@ vfs_getxattr_alloc(struct dentry *dentry, const char *name, char **xattr_value,
|
|
*xattr_value = value;
|
|
return error;
|
|
}
|
|
+EXPORT_SYMBOL_GPL(vfs_getxattr_alloc);
|
|
|
|
/* Compare an extended attribute value with the given value */
|
|
int vfs_xattr_cmp(struct dentry *dentry, const char *xattr_name,
|
|
diff --git a/include/linux/fs.h b/include/linux/fs.h
|
|
index eb6f994..2dbaf80 100644
|
|
--- a/include/linux/fs.h
|
|
+++ b/include/linux/fs.h
|
|
@@ -681,9 +681,8 @@ struct inode {
|
|
struct fsnotify_mark_connector __rcu *i_fsnotify_marks)
|
|
#endif
|
|
|
|
-#if defined(CONFIG_IMA) && defined(CONFIG_X86_64)
|
|
atomic_t i_readcount; /* struct files open RO */
|
|
-#endif
|
|
+
|
|
void *i_private; /* fs or device private pointer */
|
|
};
|
|
|
|
@@ -2852,7 +2851,6 @@ static inline bool inode_is_open_for_write(const struct inode *inode)
|
|
return atomic_read(&inode->i_writecount) > 0;
|
|
}
|
|
|
|
-#ifdef CONFIG_IMA
|
|
static inline void i_readcount_dec(struct inode *inode)
|
|
{
|
|
BUG_ON(!atomic_read(&inode->i_readcount));
|
|
@@ -2862,16 +2860,7 @@ static inline void i_readcount_inc(struct inode *inode)
|
|
{
|
|
atomic_inc(&inode->i_readcount);
|
|
}
|
|
-#else
|
|
-static inline void i_readcount_dec(struct inode *inode)
|
|
-{
|
|
- return;
|
|
-}
|
|
-static inline void i_readcount_inc(struct inode *inode)
|
|
-{
|
|
- return;
|
|
-}
|
|
-#endif
|
|
+
|
|
extern int do_pipe_flags(int *, int);
|
|
|
|
extern int kernel_read(struct file *, loff_t, char *, unsigned long);
|
|
diff --git a/include/linux/ima.h b/include/linux/ima.h
|
|
index 1b7f268..9fee45c 100644
|
|
--- a/include/linux/ima.h
|
|
+++ b/include/linux/ima.h
|
|
@@ -13,64 +13,21 @@
|
|
#include <linux/fs.h>
|
|
struct linux_binprm;
|
|
|
|
-#ifdef CONFIG_IMA
|
|
-extern int ima_bprm_check(struct linux_binprm *bprm);
|
|
-extern int ima_file_check(struct file *file, int mask);
|
|
-extern void ima_file_free(struct file *file);
|
|
-extern int ima_file_mmap(struct file *file, unsigned long prot);
|
|
-extern int ima_module_check(struct file *file);
|
|
-
|
|
-#else
|
|
-static inline int ima_bprm_check(struct linux_binprm *bprm)
|
|
-{
|
|
- return 0;
|
|
-}
|
|
-
|
|
-static inline int ima_file_check(struct file *file, int mask)
|
|
-{
|
|
- return 0;
|
|
-}
|
|
-
|
|
-static inline void ima_file_free(struct file *file)
|
|
-{
|
|
- return;
|
|
-}
|
|
-
|
|
-static inline int ima_file_mmap(struct file *file, unsigned long prot)
|
|
-{
|
|
- return 0;
|
|
-}
|
|
-
|
|
-static inline int ima_module_check(struct file *file)
|
|
-{
|
|
- return 0;
|
|
-}
|
|
-
|
|
-#endif /* CONFIG_IMA */
|
|
-
|
|
-#ifdef CONFIG_IMA_APPRAISE
|
|
-extern void ima_inode_post_setattr(struct dentry *dentry);
|
|
-extern int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
|
|
+/*
|
|
+ * The IMA Kernel module has to redefine these symbols so that
|
|
+ * the kernel module can link a dynamic function, as a hook into
|
|
+ * the Kernel FS calls (which use these)
|
|
+ */
|
|
+/* ifdef CONFIG_IMA */
|
|
+extern int (*ima_bprm_check)(struct linux_binprm *bprm);
|
|
+extern int (*ima_file_check)(struct file *file, int mask, int opened);
|
|
+extern void (*ima_file_free)(struct file *file);
|
|
+extern int (*ima_file_mmap)(struct file *file, unsigned long prot);
|
|
+extern int (*ima_module_check)(struct file *file);
|
|
+
|
|
+/* ifdef CONFIG_IMA_APPRAISE */
|
|
+extern void (*ima_inode_post_setattr)(struct dentry *dentry);
|
|
+extern int (*ima_inode_setxattr)(struct dentry *dentry, const char *xattr_name,
|
|
const void *xattr_value, size_t xattr_value_len);
|
|
-extern int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name);
|
|
-#else
|
|
-static inline void ima_inode_post_setattr(struct dentry *dentry)
|
|
-{
|
|
- return;
|
|
-}
|
|
-
|
|
-static inline int ima_inode_setxattr(struct dentry *dentry,
|
|
- const char *xattr_name,
|
|
- const void *xattr_value,
|
|
- size_t xattr_value_len)
|
|
-{
|
|
- return 0;
|
|
-}
|
|
-
|
|
-static inline int ima_inode_removexattr(struct dentry *dentry,
|
|
- const char *xattr_name)
|
|
-{
|
|
- return 0;
|
|
-}
|
|
-#endif /* CONFIG_IMA_APPRAISE */
|
|
-#endif /* _LINUX_IMA_H */
|
|
+extern int (*ima_inode_removexattr)(struct dentry *dentry, const char *xattr_name);
|
|
+#endif
|
|
diff --git a/include/linux/integrity.h b/include/linux/integrity.h
|
|
index 83222ce..a5040b6 100644
|
|
--- a/include/linux/integrity.h
|
|
+++ b/include/linux/integrity.h
|
|
@@ -21,20 +21,14 @@ enum integrity_status {
|
|
};
|
|
|
|
/* List of EVM protected security xattrs */
|
|
-#ifdef CONFIG_INTEGRITY
|
|
-extern struct integrity_iint_cache *integrity_inode_get(struct inode *inode);
|
|
-extern void integrity_inode_free(struct inode *inode);
|
|
+/*
|
|
+ * The Integrity Kernel module has to redefine these symbols so that
|
|
+ * the kernel module can link a dynamic function, as a hook into
|
|
+ * the Kernel Security subsystem (which use these)
|
|
+ */
|
|
|
|
-#else
|
|
-static inline struct integrity_iint_cache *
|
|
- integrity_inode_get(struct inode *inode)
|
|
-{
|
|
- return NULL;
|
|
-}
|
|
+/* #ifdef CONFIG_INTEGRITY */
|
|
+extern struct integrity_iint_cache *(*integrity_inode_get)(struct inode *inode);
|
|
+extern void (*integrity_inode_free)(struct inode *inode);
|
|
|
|
-static inline void integrity_inode_free(struct inode *inode)
|
|
-{
|
|
- return;
|
|
-}
|
|
-#endif /* CONFIG_INTEGRITY */
|
|
#endif /* _LINUX_INTEGRITY_H */
|
|
diff --git a/security/security.c b/security/security.c
|
|
index f069482..646a0e3 100644
|
|
--- a/security/security.c
|
|
+++ b/security/security.c
|
|
@@ -161,6 +161,110 @@ EXPORT_SYMBOL(unregister_lsm_notifier);
|
|
|
|
/* Security operations */
|
|
|
|
+/*
|
|
+ * Export these symbols since the IMA and Integrity
|
|
+ * modules will redefine it. We do this EXPORT in
|
|
+ * the security endpoint as this is the last Kernel
|
|
+ * hook into the Integrity / IMA modules
|
|
+ */
|
|
+#ifndef CONFIG_INTEGRITY
|
|
+static struct integrity_iint_cache* integrity_inode_get_kmod(struct inode *inode)
|
|
+{
|
|
+ return NULL;
|
|
+}
|
|
+
|
|
+static void integrity_inode_free_kmod(struct inode *inode)
|
|
+{
|
|
+ return;
|
|
+}
|
|
+
|
|
+struct integrity_iint_cache *
|
|
+ (*integrity_inode_get)(struct inode *) = &integrity_inode_get_kmod;
|
|
+void
|
|
+ (*integrity_inode_free)(struct inode*) = &integrity_inode_free_kmod;
|
|
+
|
|
+EXPORT_SYMBOL_GPL(integrity_inode_get);
|
|
+EXPORT_SYMBOL_GPL(integrity_inode_free);
|
|
+#endif
|
|
+
|
|
+#ifndef CONFIG_IMA
|
|
+static int ima_bprm_check_kmod(struct linux_binprm *bprm)
|
|
+{
|
|
+ return 0;
|
|
+}
|
|
+
|
|
+static int ima_file_check_kmod(struct file *file, int mask, int opened)
|
|
+{
|
|
+ return 0;
|
|
+}
|
|
+
|
|
+static void ima_file_free_kmod(struct file *file)
|
|
+{
|
|
+ return;
|
|
+}
|
|
+
|
|
+static int ima_file_mmap_kmod(struct file *file, unsigned long prot)
|
|
+{
|
|
+ return 0;
|
|
+}
|
|
+
|
|
+static int ima_module_check_kmod(struct file *file)
|
|
+{
|
|
+ return 0;
|
|
+}
|
|
+
|
|
+int
|
|
+ (*ima_bprm_check)(struct linux_binprm *) = &ima_bprm_check_kmod;
|
|
+int
|
|
+ (*ima_file_check)(struct file *, int, int) = &ima_file_check_kmod;
|
|
+void
|
|
+ (*ima_file_free)(struct file *) = &ima_file_free_kmod;
|
|
+int
|
|
+ (*ima_file_mmap)(struct file*, unsigned long) = &ima_file_mmap_kmod;
|
|
+int
|
|
+ (*ima_module_check)(struct file *) = &ima_module_check_kmod;
|
|
+
|
|
+EXPORT_SYMBOL_GPL(ima_bprm_check);
|
|
+EXPORT_SYMBOL_GPL(ima_file_check);
|
|
+EXPORT_SYMBOL_GPL(ima_file_free);
|
|
+EXPORT_SYMBOL_GPL(ima_file_mmap);
|
|
+EXPORT_SYMBOL_GPL(ima_module_check);
|
|
+#endif
|
|
+
|
|
+#ifndef CONFIG_IMA_APPRAISE
|
|
+static void ima_inode_post_setattr_kmod(struct dentry *dentry)
|
|
+{
|
|
+ return;
|
|
+}
|
|
+
|
|
+static int ima_inode_setxattr_kmod(struct dentry *dentry,
|
|
+ const char *xattr_name,
|
|
+ const void *xattr_value,
|
|
+ size_t xattr_value_len)
|
|
+{
|
|
+ return 0;
|
|
+}
|
|
+
|
|
+static int ima_inode_removexattr_kmod(struct dentry *dentry,
|
|
+ const char *xattr_name)
|
|
+{
|
|
+ return 0;
|
|
+}
|
|
+
|
|
+void
|
|
+ (*ima_inode_post_setattr)(struct dentry *) = &ima_inode_post_setattr_kmod;
|
|
+int
|
|
+ (*ima_inode_setxattr)(struct dentry *, const char *,
|
|
+ const void *, size_t) = &ima_inode_setxattr_kmod;
|
|
+int
|
|
+ (*ima_inode_removexattr)(struct dentry *,
|
|
+ const char *) = &ima_inode_removexattr_kmod;
|
|
+
|
|
+EXPORT_SYMBOL_GPL(ima_inode_post_setattr);
|
|
+EXPORT_SYMBOL_GPL(ima_inode_setxattr);
|
|
+EXPORT_SYMBOL_GPL(ima_inode_removexattr);
|
|
+#endif
|
|
+
|
|
int security_ptrace_access_check(struct task_struct *child, unsigned int mode)
|
|
{
|
|
#ifdef CONFIG_SECURITY_YAMA_STACKED
|
|
@@ -718,8 +822,11 @@ EXPORT_SYMBOL(security_inode_listsecurity);
|
|
|
|
void security_inode_getsecid(struct inode *inode, u32 *secid)
|
|
{
|
|
- security_ops->inode_getsecid(inode, secid);
|
|
+ if (unlikely(IS_PRIVATE(inode)))
|
|
+ return;
|
|
+ security_ops->inode_getsecid(inode, secid);
|
|
}
|
|
+EXPORT_SYMBOL_GPL(security_inode_getsecid);
|
|
|
|
int security_inode_copy_up(struct dentry *src, struct cred **new)
|
|
{
|
|
@@ -1528,6 +1635,7 @@ int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule)
|
|
{
|
|
return security_ops->audit_rule_init(field, op, rulestr, lsmrule);
|
|
}
|
|
+EXPORT_SYMBOL_GPL(security_audit_rule_init);
|
|
|
|
int security_audit_rule_known(struct audit_krule *krule)
|
|
{
|
|
@@ -1544,6 +1652,7 @@ int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule,
|
|
{
|
|
return security_ops->audit_rule_match(secid, field, op, lsmrule, actx);
|
|
}
|
|
+EXPORT_SYMBOL_GPL(security_audit_rule_match);
|
|
|
|
#endif /* CONFIG_AUDIT */
|
|
|
|
--
|
|
1.8.3.1
|
|
|