Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v4.1.6 2015-08-03T16:29:14Z 2015-08-03T16:29:14Z Stephen Smalley sds@tycho.nsa.gov 2015-07-10T13:40:59Z urn:sha1:872d2790a36047dd0f032666550951b4fb865fb4 commit 892e8cac99a71f6254f84fc662068d912e1943bf upstream. commit 66fc13039422ba7df2d01a8ee0873e4ef965b50b ("mm: shmem_zero_setup skip security check and lockdep conflict with XFS") caused a regression for SELinux by disabling any SELinux checking of mprotect PROT_EXEC on shared anonymous mappings. However, even before that regression, the checking on such mprotect PROT_EXEC calls was inconsistent with the checking on a mmap PROT_EXEC call for a shared anonymous mapping. On a mmap, the security hook is passed a NULL file and knows it is dealing with an anonymous mapping and therefore applies an execmem check and no file checks. On a mprotect, the security hook is passed a vma with a non-NULL vm_file (as this was set from the internally-created shmem file during mmap) and therefore applies the file-based execute check and no execmem check. Since the aforementioned commit now marks the shmem zero inode with the S_PRIVATE flag, the file checks are disabled and we have no checking at all on mprotect PROT_EXEC. Add a test to the mprotect hook logic for such private inodes, and apply an execmem check in that case. This makes the mmap and mprotect checking consistent for shared anonymous mappings, as well as for /dev/zero and ashmem. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <pmoore@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2015-08-03T16:29:14Z Paul Moore pmoore@redhat.com 2015-07-09T18:20:36Z urn:sha1:9d680e03989324f000596be4862728a7c30f22c1 commit 3324603524925c7727207027d1c15e597412d15e upstream. At present we don't create efficient ebitmaps when importing NetLabel category bitmaps. This can present a problem when comparing ebitmaps since ebitmap_cmp() is very strict about these things and considers these wasteful ebitmaps not equal when compared to their more efficient counterparts, even if their values are the same. This isn't likely to cause problems on 64-bit systems due to a bit of luck on how NetLabel/CIPSO works and the default ebitmap size, but it can be a problem on 32-bit systems. This patch fixes this problem by being a bit more intelligent when importing NetLabel category bitmaps by skipping over empty sections which should result in a nice, efficient ebitmap. Signed-off-by: Paul Moore <pmoore@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2015-08-03T16:29:12Z Mimi Zohar zohar@linux.vnet.ibm.com 2015-06-12T00:48:33Z urn:sha1:66963999a2b2f589e108c786bfcb2e2b560d920e commit 24fd03c87695a76f0517df42a37e51b1597d2c8a upstream. This patch defines a builtin measurement policy "tcb", similar to the existing "ima_tcb", but with additional rules to also measure files based on the effective uid and to measure files opened with the "read" mode bit set (eg. read, read-write). Changing the builtin "ima_tcb" policy could potentially break existing users. Instead of defining a new separate boot command line option each time the builtin measurement policy is modified, this patch defines a single generic boot command line option "ima_policy=" to specify the builtin policy and deprecates the use of the builtin ima_tcb policy. [The "ima_policy=" boot command line option is based on Roberto Sassu's "ima: added new policy type exec" patch.] Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: Dr. Greg Wettstein <gw@idfusion.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2015-08-03T16:29:12Z Mimi Zohar zohar@linux.vnet.ibm.com 2014-11-05T12:53:55Z urn:sha1:bf609547cdb2f274fb5bd978affc8649022b5d3a commit 4351c294b8c1028077280f761e158d167b592974 upstream. The current "mask" policy option matches files opened as MAY_READ, MAY_WRITE, MAY_APPEND or MAY_EXEC. This patch extends the "mask" option to match files opened containing one of these modes. For example, "mask=^MAY_READ" would match files opened read-write. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: Dr. Greg Wettstein <gw@idfusion.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2015-08-03T16:29:12Z Mimi Zohar zohar@linux.vnet.ibm.com 2014-11-05T12:48:36Z urn:sha1:9428e8a37303a363bc4a8ac08501045f2195c02d commit 139069eff7388407f19794384c42a534d618ccd7 upstream. The new "euid" policy condition measures files with the specified effective uid (euid). In addition, for CAP_SETUID files it measures files with the specified uid or suid. Changelog: - fixed checkpatch.pl warnings - fixed avc denied {setuid} messages - based on Roberto's feedback Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: Dr. Greg Wettstein <gw@idfusion.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2015-08-03T16:29:12Z Mimi Zohar zohar@linux.vnet.ibm.com 2015-06-11T15:54:42Z urn:sha1:2b92ad967d2884fed41469c0c37f3cd14937fad6 commit 45b26133b97871896b8c5241d59f4ff7839db7b2 upstream. This patch fixes a bug introduced in "4d7aeee ima: define new template ima-ng and template fields d-ng and n-ng". Changelog: - change int to uint32 (Roberto Sassu's suggestion) Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: Roberto Sassu <rsassu@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2015-08-03T16:29:12Z Mimi Zohar zohar@linux.vnet.ibm.com 2015-04-21T17:59:31Z urn:sha1:60e2874ce4570fa546d9c173a5a5cf7b9e966070 commit 5101a1850bb7ccbf107929dee9af0cd2f400940f upstream. To prevent offline stripping of existing file xattrs and relabeling of them at runtime, EVM allows only newly created files to be labeled. As pseudo filesystems are not persistent, stripping of xattrs is not a concern. Some LSMs defer file labeling on pseudo filesystems. This patch permits the labeling of existing files on pseudo files systems. Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2015-08-03T16:29:12Z Mimi Zohar zohar@linux.vnet.ibm.com 2015-04-21T20:54:24Z urn:sha1:0ecc8ea6de19f41bf1332ef9dd472412b9ce4fa3 commit cd025f7f94108995383edddfb61fc8afea6c66a9 upstream. Include don't appraise or measure rules for the NSFS filesystem in the builtin ima_tcb and ima_appraise_tcb policies. Changelog: - Update documentation Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2015-08-03T16:29:11Z Dan Carpenter dan.carpenter@oracle.com 2015-04-07T09:22:11Z urn:sha1:7869fa6047fe7c5076e70b57a83fb351b42c34c6 commit 5577857f8e26e9027271f10daf96361640907300 upstream. It's a bit easier to read this if we split it up into two for loops. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2015-08-03T16:29:11Z Roberto Sassu rsassu@suse.de 2015-04-11T15:13:06Z urn:sha1:73cc530acfebd856d803d3f153350a2892715da8 commit 6438de9f3fb5180d78a0422695d0b88c687757d3 upstream. This patch adds a rule in the default measurement policy to skip inodes in the cgroupfs filesystem. Measurements for this filesystem can be avoided, as all the digests collected have the same value of the digest of an empty file. Furthermore, this patch updates the documentation of IMA policies in Documentation/ABI/testing/ima_policy to make it consistent with the policies set in security/integrity/ima/ima_policy.c. Signed-off-by: Roberto Sassu <rsassu@suse.de> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>