Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v6.0-rc2 2022-08-02T22:12:13Z 2022-08-02T22:12:13Z Linus Torvalds torvalds@linux-foundation.org 2022-08-02T22:12:13Z urn:sha1:87fe1adb66a514fa3abbe8bdb4278a5b2f421d8b Pull SafeSetID updates from Micah Morton: "This contains one commit that touches common kernel code, one that adds functionality internal to the SafeSetID LSM code, and a few other commits that only modify the SafeSetID LSM selftest. The commit that touches common kernel code simply adds an LSM hook in the setgroups() syscall that mirrors what is done for the existing LSM hooks in the setuid() and setgid() syscalls. This commit combined with the SafeSetID-specific one allow the LSM to filter setgroups() calls according to configured rule sets in the same way that is already done for setuid() and setgid()" * tag 'safesetid-6.0' of https://github.com/micah-morton/linux: LSM: SafeSetID: add setgroups() testing to selftest LSM: SafeSetID: Add setgroups() security policy handling security: Add LSM hook to setgroups() syscall LSM: SafeSetID: add GID testing to selftest LSM: SafeSetID: selftest cleanup and prepare for GIDs LSM: SafeSetID: fix userns bug in selftest 2022-07-15T18:21:49Z Micah Morton mortonm@chromium.org 2022-06-08T20:57:11Z urn:sha1:fcfe0ac2fcfae7d5fcad3d0375cb8ff38caf8aba Give the LSM framework the ability to filter setgroups() syscalls. There are already analagous hooks for the set*uid() and set*gid() syscalls. The SafeSetID LSM will use this new hook to ensure setgroups() calls are allowed by the installed security policy. Tested by putting print statement in security_task_fix_setgroups() hook and confirming that it gets hit when userspace does a setgroups() syscall. Acked-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: Serge Hallyn <serge@hallyn.com> Signed-off-by: Micah Morton <mortonm@chromium.org> 2022-06-26T16:18:56Z Christian Brauner brauner@kernel.org 2022-06-21T14:14:53Z urn:sha1:0e363cf3fa598c69340794da068d4d9cbc869322 Before this change we used to take a shortcut and place the actual values that would be written to inode->i_{g,u}id into struct iattr. This had the advantage that we moved idmappings mostly out of the picture early on but it made reasoning about changes more difficult than it should be. The filesystem was never explicitly told that it dealt with an idmapped mount. The transition to the value that needed to be stored in inode->i_{g,u}id appeared way too early and increased the probability of bugs in various codepaths. We know place the same value in struct iattr no matter if this is an idmapped mount or not. The vfs will only deal with type safe vfs{g,u}id_t. This makes it massively safer to perform permission checks as the type will tell us what checks we need to perform and what helpers we need to use. Adapt the security_inode_setattr() helper to pass down the mount's idmapping to account for that change. Link: https://lore.kernel.org/r/20220621141454.2914719-8-brauner@kernel.org Cc: Seth Forshee <sforshee@digitalocean.com> Cc: Christoph Hellwig <hch@lst.de> Cc: Aleksa Sarai <cyphar@cyphar.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Al Viro <viro@zeniv.linux.org.uk> CC: linux-fsdevel@vger.kernel.org Reviewed-by: Seth Forshee <sforshee@digitalocean.com> Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org> 2022-05-24T20:09:13Z Linus Torvalds torvalds@linux-foundation.org 2022-05-24T20:09:13Z urn:sha1:cb44e4f061e16be65b8a16505e121490c66d30d0 Pull Landlock updates from Mickaël Salaün: - improve the path_rename LSM hook implementations for RENAME_EXCHANGE; - fix a too-restrictive filesystem control for a rare corner case; - set the nested sandbox limitation to 16 layers; - add a new LANDLOCK_ACCESS_FS_REFER access right to properly handle file reparenting (i.e. full rename and link support); - add new tests and documentation; - format code with clang-format to make it easier to maintain and contribute. * tag 'landlock-5.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux: (30 commits) landlock: Explain how to support Landlock landlock: Add design choices documentation for filesystem access rights landlock: Document good practices about filesystem policies landlock: Document LANDLOCK_ACCESS_FS_REFER and ABI versioning samples/landlock: Add support for file reparenting selftests/landlock: Add 11 new test suites dedicated to file reparenting landlock: Add support for file reparenting with LANDLOCK_ACCESS_FS_REFER LSM: Remove double path_rename hook calls for RENAME_EXCHANGE landlock: Move filesystem helpers and add a new one landlock: Fix same-layer rule unions landlock: Create find_rule() from unmask_layers() landlock: Reduce the maximum number of layers to 16 landlock: Define access_mask_t to enforce a consistent access mask size selftests/landlock: Test landlock_create_ruleset(2) argument check ordering landlock: Change landlock_restrict_self(2) check ordering landlock: Change landlock_add_rule(2) argument check ordering selftests/landlock: Add tests for O_PATH selftests/landlock: Fully test file rename with "remove" access selftests/landlock: Extend access right tests to directories selftests/landlock: Add tests for unknown access rights ... 2022-05-24T20:06:32Z Linus Torvalds torvalds@linux-foundation.org 2022-05-24T20:06:32Z urn:sha1:efd1df1982e9203b4f56cb0d5946a24885260ce5 Pull selinux updates from Paul Moore: "We've got twelve patches queued for v5.19, with most being fairly minor. The highlights are below: - The checkreqprot and runtime disable knobs have been deprecated for some time with no active users that we can find. In an effort to move things along we are adding a pause when the knobs are used to help make the deprecation more noticeable in case anyone is still using these hacks in the shadows. - We've added the anonymous inode class name to the AVC audit records when anonymous inodes are involved. This should make writing policy easier when anonymous inodes are involved. - More constification work. This is fairly straightforward and the source of most of the diffstat. - The usual minor cleanups: remove unnecessary assignments, assorted style/checkpatch fixes, kdoc fixes, macro while-loop encapsulations, #include tweaks, etc" * tag 'selinux-pr-20220523' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux: security: declare member holding string literal const selinux: log anon inode class name selinux: declare data arrays const selinux: fix indentation level of mls_ops block selinux: include necessary headers in headers selinux: avoid extra semicolon selinux: update parameter documentation selinux: resolve checkpatch errors selinux: don't sleep when CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE is true selinux: checkreqprot is deprecated, add some ssleep() discomfort selinux: runtime disable is deprecated, add some ssleep() discomfort selinux: Remove redundant assignments 2022-05-24T19:27:09Z Linus Torvalds torvalds@linux-foundation.org 2022-05-24T19:27:09Z urn:sha1:0bf13a84362e750a90008af259b098d7c0e0755b Pull kernel hardening updates from Kees Cook: - usercopy hardening expanded to check other allocation types (Matthew Wilcox, Yuanzheng Song) - arm64 stackleak behavioral improvements (Mark Rutland) - arm64 CFI code gen improvement (Sami Tolvanen) - LoadPin LSM block dev API adjustment (Christoph Hellwig) - Clang randstruct support (Bill Wendling, Kees Cook) * tag 'kernel-hardening-v5.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: (34 commits) loadpin: stop using bdevname mm: usercopy: move the virt_addr_valid() below the is_vmalloc_addr() gcc-plugins: randstruct: Remove cast exception handling af_unix: Silence randstruct GCC plugin warning niu: Silence randstruct warnings big_keys: Use struct for internal payload gcc-plugins: Change all version strings match kernel randomize_kstack: Improve docs on requirements/rationale lkdtm/stackleak: fix CONFIG_GCC_PLUGIN_STACKLEAK=n arm64: entry: use stackleak_erase_on_task_stack() stackleak: add on/off stack variants lkdtm/stackleak: check stack boundaries lkdtm/stackleak: prevent unexpected stack usage lkdtm/stackleak: rework boundary management lkdtm/stackleak: avoid spurious failure stackleak: rework poison scanning stackleak: rework stack high bound handling stackleak: clarify variable names stackleak: rework stack low bound handling stackleak: remove redundant check ... 2022-05-24T18:29:34Z Daniel Thompson daniel.thompson@linaro.org 2022-05-23T18:11:02Z urn:sha1:eadb2f47a3ced5c64b23b90fd2a3463f63726066 KGDB and KDB allow read and write access to kernel memory, and thus should be restricted during lockdown. An attacker with access to a serial port (for example, via a hypervisor console, which some cloud vendors provide over the network) could trigger the debugger so it is important that the debugger respect the lockdown mode when/if it is triggered. Fix this by integrating lockdown into kdb's existing permissions mechanism. Unfortunately kgdb does not have any permissions mechanism (although it certainly could be added later) so, for now, kgdb is simply and brutally disabled by immediately exiting the gdb stub without taking any action. For lockdowns established early in the boot (e.g. the normal case) then this should be fine but on systems where kgdb has set breakpoints before the lockdown is enacted than "bad things" will happen. CVE: CVE-2022-21499 Co-developed-by: Stephen Brennan <stephen.s.brennan@oracle.com> Signed-off-by: Stephen Brennan <stephen.s.brennan@oracle.com> Reviewed-by: Douglas Anderson <dianders@chromium.org> Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2022-05-23T11:27:58Z Mickaël Salaün mic@digikod.net 2022-05-06T16:10:56Z urn:sha1:100f59d964050020285f0c8264ce520f0c406c13 In order to be able to identify a file exchange with renameat2(2) and RENAME_EXCHANGE, which will be useful for Landlock [1], propagate the rename flags to LSMs. This may also improve performance because of the switch from two set of LSM hook calls to only one, and because LSMs using this hook may optimize the double check (e.g. only one lock, reduce the number of path walks). AppArmor, Landlock and Tomoyo are updated to leverage this change. This should not change the current behavior (same check order), except (different level of) speed boosts. [1] https://lore.kernel.org/r/20220221212522.320243-1-mic@digikod.net Cc: James Morris <jmorris@namei.org> Cc: Kentaro Takeda <takedakn@nttdata.co.jp> Cc: Serge E. Hallyn <serge@hallyn.com> Acked-by: John Johansen <john.johansen@canonical.com> Acked-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Reviewed-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Mickaël Salaün <mic@digikod.net> Link: https://lore.kernel.org/r/20220506161102.525323-7-mic@digikod.net 2022-05-13T18:51:06Z Christian Göttsche cgzones@googlemail.com 2022-02-17T14:18:57Z urn:sha1:1af0e4a0233fea7e8226cb977d379dc20f9bbe11 The struct security_hook_list member lsm is assigned in security_add_hooks() with string literals passed from the individual security modules. Declare the function parameter and the struct member const to signal their immutability. Reported by Clang [-Wwrite-strings]: security/selinux/hooks.c:7388:63: error: passing 'const char [8]' to parameter of type 'char *' discards qualifiers [-Werror,-Wincompatible-pointer-types-discards-qualifiers] security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), selinux); ^~~~~~~~~ ./include/linux/lsm_hooks.h:1629:11: note: passing argument to parameter 'lsm' here char *lsm); ^ Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Reviewed-by: Paul Moore <paul@paul-moore.com> Reviewed-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: Paul Moore <paul@paul-moore.com> 2022-04-13T19:15:53Z Bill Wendling morbo@google.com 2022-04-07T17:59:30Z urn:sha1:75c1182e18f4a66bbd2c91511b6b629dac6a27dc The initialization of "security_hook_heads" is done by casting it to another structure pointer type, and treating it as an array of "struct hlist_head" objects. This requires an exception be made in "randstruct", because otherwise it will emit an error, reducing the effectiveness of the hardening technique. Instead of using a cast, initialize the individual struct hlist_head elements in security_hook_heads explicitly. This removes the need for the cast and randstruct exception. Signed-off-by: Bill Wendling <morbo@google.com> Cc: Kees Cook <keescook@chromium.org> Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/20220407175930.471870-1-morbo@google.com