integ/kernel/kernel-rt/centos/patches/US101216-IMA-support-in-Titanium-kernel.patch
Robin Lu 0656fa94dc Update kernel-rt patches for kernel upgrade to version 1062.1.2
This upgrade fixes the CVEs listed below.  We refresh the patches
against the new rt-kernel source.
rcu-Don-t-wake-rcuc-X-kthreads-on-NOCB-CPUs.patch is deleted
because upstream has fixed this bug, and it is no longer needed.

CVE bug: CVE-2019-11810:kernel: a NULL pointer dereference in
drivers/scsi/megaraid/megaraid_sas_base.c leading to DoS
CVE bug: CVE-2019-11811: kernel: use-after-free in IPMI Edit
CVE bug: CVE-2019-14835: kernel: vhost-net: guest to host kernel
escape during migration

Closes-Bug: 1849206
Closes-Bug: 1849209
Closes-Bug: 1847817

Change-Id: Iaf5eae5d64b621f44f8faad51d22f9439431911f
Depends-On: https://review.opendev.org/#/c/695355/
Signed-off-by: Robin Lu <bin1.lu@intel.com>
2019-11-27 12:52:43 +08:00

376 lines
11 KiB
Diff

From 7e592781c3f5635f8b455cfcc2daaca572c633da Mon Sep 17 00:00:00 2001
Message-Id: <7e592781c3f5635f8b455cfcc2daaca572c633da.1528226387.git.Jim.Somerville@windriver.com>
In-Reply-To: <c8270e79f6b7008fde44b8d5aa6314d8cf89d3ed.1528226387.git.Jim.Somerville@windriver.com>
References: <c8270e79f6b7008fde44b8d5aa6314d8cf89d3ed.1528226387.git.Jim.Somerville@windriver.com>
From: Kam Nasim <kam.nasim@windriver.com>
Date: Wed, 23 Aug 2017 17:58:12 -0400
Subject: [PATCH 25/32] US101216: IMA support in Titanium kernel
facilitate building the IMA subsytem out-of-the-kernel tree as a Kernel
module (for which CONFIG_IMA and CONFIG_INTEGRITY will be undefined) by:
- exporting certain function symbols which will be linked to the kernel
module. This includes redefining the export symbols for kernel
functions such that when the kernel module loads, it dynamically points
to those new function definations and reverts to Kernel default
definitions on module deinit
- enabling inode readcount
- modification to ima_file_check to pass in file OPEN status
Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
Signed-off-by: Robin Lu <bin1.lu@intel.com>
---
fs/namei.c | 2 +-
fs/nfsd/vfs.c | 2 +-
fs/xattr.c | 1 +
include/linux/fs.h | 15 +------
include/linux/ima.h | 77 +++++++-------------------------
include/linux/integrity.h | 22 ++++-----
security/security.c | 111 +++++++++++++++++++++++++++++++++++++++++++++-
7 files changed, 140 insertions(+), 90 deletions(-)
diff --git a/fs/namei.c b/fs/namei.c
index 9f90b63..bf91ea0 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -3243,7 +3243,7 @@ opened:
error = open_check_o_direct(file);
if (error)
goto exit_fput;
- error = ima_file_check(file, op->acc_mode);
+ error = ima_file_check(file, op->acc_mode, *opened);
if (error)
goto exit_fput;
diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
index 00e98c3..cb9250e 100644
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -898,7 +898,7 @@ nfsd_open(struct svc_rqst *rqstp, struct svc_fh *fhp, umode_t type,
goto out_nfserr;
}
- host_err = ima_file_check(file, may_flags);
+ host_err = ima_file_check(file, may_flags, 0);
if (host_err) {
fput(file);
goto out_nfserr;
diff --git a/fs/xattr.c b/fs/xattr.c
index e540aca..cc307ec 100644
--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -208,6 +208,7 @@ vfs_getxattr_alloc(struct dentry *dentry, const char *name, char **xattr_value,
*xattr_value = value;
return error;
}
+EXPORT_SYMBOL_GPL(vfs_getxattr_alloc);
/* Compare an extended attribute value with the given value */
int vfs_xattr_cmp(struct dentry *dentry, const char *xattr_name,
diff --git a/include/linux/fs.h b/include/linux/fs.h
index eb6f994..2dbaf80 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -681,9 +681,8 @@ struct inode {
struct fsnotify_mark_connector __rcu *i_fsnotify_marks)
#endif
-#if defined(CONFIG_IMA) && defined(CONFIG_X86_64)
atomic_t i_readcount; /* struct files open RO */
-#endif
+
void *i_private; /* fs or device private pointer */
};
@@ -2852,7 +2851,6 @@ static inline bool inode_is_open_for_write(const struct inode *inode)
return atomic_read(&inode->i_writecount) > 0;
}
-#ifdef CONFIG_IMA
static inline void i_readcount_dec(struct inode *inode)
{
BUG_ON(!atomic_read(&inode->i_readcount));
@@ -2862,16 +2860,7 @@ static inline void i_readcount_inc(struct inode *inode)
{
atomic_inc(&inode->i_readcount);
}
-#else
-static inline void i_readcount_dec(struct inode *inode)
-{
- return;
-}
-static inline void i_readcount_inc(struct inode *inode)
-{
- return;
-}
-#endif
+
extern int do_pipe_flags(int *, int);
extern int kernel_read(struct file *, loff_t, char *, unsigned long);
diff --git a/include/linux/ima.h b/include/linux/ima.h
index 1b7f268..9fee45c 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -13,64 +13,21 @@
#include <linux/fs.h>
struct linux_binprm;
-#ifdef CONFIG_IMA
-extern int ima_bprm_check(struct linux_binprm *bprm);
-extern int ima_file_check(struct file *file, int mask);
-extern void ima_file_free(struct file *file);
-extern int ima_file_mmap(struct file *file, unsigned long prot);
-extern int ima_module_check(struct file *file);
-
-#else
-static inline int ima_bprm_check(struct linux_binprm *bprm)
-{
- return 0;
-}
-
-static inline int ima_file_check(struct file *file, int mask)
-{
- return 0;
-}
-
-static inline void ima_file_free(struct file *file)
-{
- return;
-}
-
-static inline int ima_file_mmap(struct file *file, unsigned long prot)
-{
- return 0;
-}
-
-static inline int ima_module_check(struct file *file)
-{
- return 0;
-}
-
-#endif /* CONFIG_IMA */
-
-#ifdef CONFIG_IMA_APPRAISE
-extern void ima_inode_post_setattr(struct dentry *dentry);
-extern int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
+/*
+ * The IMA Kernel module has to redefine these symbols so that
+ * the kernel module can link a dynamic function, as a hook into
+ * the Kernel FS calls (which use these)
+ */
+/* ifdef CONFIG_IMA */
+extern int (*ima_bprm_check)(struct linux_binprm *bprm);
+extern int (*ima_file_check)(struct file *file, int mask, int opened);
+extern void (*ima_file_free)(struct file *file);
+extern int (*ima_file_mmap)(struct file *file, unsigned long prot);
+extern int (*ima_module_check)(struct file *file);
+
+/* ifdef CONFIG_IMA_APPRAISE */
+extern void (*ima_inode_post_setattr)(struct dentry *dentry);
+extern int (*ima_inode_setxattr)(struct dentry *dentry, const char *xattr_name,
const void *xattr_value, size_t xattr_value_len);
-extern int ima_inode_removexattr(struct dentry *dentry, const char *xattr_name);
-#else
-static inline void ima_inode_post_setattr(struct dentry *dentry)
-{
- return;
-}
-
-static inline int ima_inode_setxattr(struct dentry *dentry,
- const char *xattr_name,
- const void *xattr_value,
- size_t xattr_value_len)
-{
- return 0;
-}
-
-static inline int ima_inode_removexattr(struct dentry *dentry,
- const char *xattr_name)
-{
- return 0;
-}
-#endif /* CONFIG_IMA_APPRAISE */
-#endif /* _LINUX_IMA_H */
+extern int (*ima_inode_removexattr)(struct dentry *dentry, const char *xattr_name);
+#endif
diff --git a/include/linux/integrity.h b/include/linux/integrity.h
index 83222ce..a5040b6 100644
--- a/include/linux/integrity.h
+++ b/include/linux/integrity.h
@@ -21,20 +21,14 @@ enum integrity_status {
};
/* List of EVM protected security xattrs */
-#ifdef CONFIG_INTEGRITY
-extern struct integrity_iint_cache *integrity_inode_get(struct inode *inode);
-extern void integrity_inode_free(struct inode *inode);
+/*
+ * The Integrity Kernel module has to redefine these symbols so that
+ * the kernel module can link a dynamic function, as a hook into
+ * the Kernel Security subsystem (which use these)
+ */
-#else
-static inline struct integrity_iint_cache *
- integrity_inode_get(struct inode *inode)
-{
- return NULL;
-}
+/* #ifdef CONFIG_INTEGRITY */
+extern struct integrity_iint_cache *(*integrity_inode_get)(struct inode *inode);
+extern void (*integrity_inode_free)(struct inode *inode);
-static inline void integrity_inode_free(struct inode *inode)
-{
- return;
-}
-#endif /* CONFIG_INTEGRITY */
#endif /* _LINUX_INTEGRITY_H */
diff --git a/security/security.c b/security/security.c
index f069482..646a0e3 100644
--- a/security/security.c
+++ b/security/security.c
@@ -161,6 +161,110 @@ EXPORT_SYMBOL(unregister_lsm_notifier);
/* Security operations */
+/*
+ * Export these symbols since the IMA and Integrity
+ * modules will redefine it. We do this EXPORT in
+ * the security endpoint as this is the last Kernel
+ * hook into the Integrity / IMA modules
+ */
+#ifndef CONFIG_INTEGRITY
+static struct integrity_iint_cache* integrity_inode_get_kmod(struct inode *inode)
+{
+ return NULL;
+}
+
+static void integrity_inode_free_kmod(struct inode *inode)
+{
+ return;
+}
+
+struct integrity_iint_cache *
+ (*integrity_inode_get)(struct inode *) = &integrity_inode_get_kmod;
+void
+ (*integrity_inode_free)(struct inode*) = &integrity_inode_free_kmod;
+
+EXPORT_SYMBOL_GPL(integrity_inode_get);
+EXPORT_SYMBOL_GPL(integrity_inode_free);
+#endif
+
+#ifndef CONFIG_IMA
+static int ima_bprm_check_kmod(struct linux_binprm *bprm)
+{
+ return 0;
+}
+
+static int ima_file_check_kmod(struct file *file, int mask, int opened)
+{
+ return 0;
+}
+
+static void ima_file_free_kmod(struct file *file)
+{
+ return;
+}
+
+static int ima_file_mmap_kmod(struct file *file, unsigned long prot)
+{
+ return 0;
+}
+
+static int ima_module_check_kmod(struct file *file)
+{
+ return 0;
+}
+
+int
+ (*ima_bprm_check)(struct linux_binprm *) = &ima_bprm_check_kmod;
+int
+ (*ima_file_check)(struct file *, int, int) = &ima_file_check_kmod;
+void
+ (*ima_file_free)(struct file *) = &ima_file_free_kmod;
+int
+ (*ima_file_mmap)(struct file*, unsigned long) = &ima_file_mmap_kmod;
+int
+ (*ima_module_check)(struct file *) = &ima_module_check_kmod;
+
+EXPORT_SYMBOL_GPL(ima_bprm_check);
+EXPORT_SYMBOL_GPL(ima_file_check);
+EXPORT_SYMBOL_GPL(ima_file_free);
+EXPORT_SYMBOL_GPL(ima_file_mmap);
+EXPORT_SYMBOL_GPL(ima_module_check);
+#endif
+
+#ifndef CONFIG_IMA_APPRAISE
+static void ima_inode_post_setattr_kmod(struct dentry *dentry)
+{
+ return;
+}
+
+static int ima_inode_setxattr_kmod(struct dentry *dentry,
+ const char *xattr_name,
+ const void *xattr_value,
+ size_t xattr_value_len)
+{
+ return 0;
+}
+
+static int ima_inode_removexattr_kmod(struct dentry *dentry,
+ const char *xattr_name)
+{
+ return 0;
+}
+
+void
+ (*ima_inode_post_setattr)(struct dentry *) = &ima_inode_post_setattr_kmod;
+int
+ (*ima_inode_setxattr)(struct dentry *, const char *,
+ const void *, size_t) = &ima_inode_setxattr_kmod;
+int
+ (*ima_inode_removexattr)(struct dentry *,
+ const char *) = &ima_inode_removexattr_kmod;
+
+EXPORT_SYMBOL_GPL(ima_inode_post_setattr);
+EXPORT_SYMBOL_GPL(ima_inode_setxattr);
+EXPORT_SYMBOL_GPL(ima_inode_removexattr);
+#endif
+
int security_ptrace_access_check(struct task_struct *child, unsigned int mode)
{
#ifdef CONFIG_SECURITY_YAMA_STACKED
@@ -718,8 +822,11 @@ EXPORT_SYMBOL(security_inode_listsecurity);
void security_inode_getsecid(struct inode *inode, u32 *secid)
{
- security_ops->inode_getsecid(inode, secid);
+ if (unlikely(IS_PRIVATE(inode)))
+ return;
+ security_ops->inode_getsecid(inode, secid);
}
+EXPORT_SYMBOL_GPL(security_inode_getsecid);
int security_inode_copy_up(struct dentry *src, struct cred **new)
{
@@ -1528,6 +1635,7 @@ int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule)
{
return security_ops->audit_rule_init(field, op, rulestr, lsmrule);
}
+EXPORT_SYMBOL_GPL(security_audit_rule_init);
int security_audit_rule_known(struct audit_krule *krule)
{
@@ -1544,6 +1652,7 @@ int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule,
{
return security_ops->audit_rule_match(secid, field, op, lsmrule, actx);
}
+EXPORT_SYMBOL_GPL(security_audit_rule_match);
#endif /* CONFIG_AUDIT */
--
1.8.3.1