20 Jan, 2021

2 commits

  • This is the 5.10.9 stable release

    * tag 'v5.10.9': (153 commits)
    Linux 5.10.9
    netfilter: nf_nat: Fix memleak in nf_nat_init
    netfilter: conntrack: fix reading nf_conntrack_buckets
    ...

    Signed-off-by: Jason Liu

    Jason Liu
     
  • commit d36a1dd9f77ae1e72da48f4123ed35627848507d upstream.

    We are not guaranteed the locking environment that would prevent
    dentry getting renamed right under us. And it's possible for
    old long name to be freed after rename, leading to UAF here.

    Cc: stable@kernel.org # v2.6.2+
    Signed-off-by: Al Viro
    Signed-off-by: Greg Kroah-Hartman

    Al Viro
     

04 Jan, 2021

1 commit

  • This is the 5.10.4 stable release

    * tag 'v5.10.4': (717 commits)
    Linux 5.10.4
    x86/CPU/AMD: Save AMD NodeId as cpu_die_id
    drm/edid: fix objtool warning in drm_cvt_modes()
    ...

    Signed-off-by: Jason Liu

    Conflicts:
    drivers/gpu/drm/imx/dcss/dcss-plane.c
    drivers/media/i2c/ov5640.c

    Jason Liu
     

30 Dec, 2020

4 commits

  • commit 207cdd565dfc95a0a5185263a567817b7ebf5467 upstream.

    Commit a408e4a86b36b ("ima: open a new file instance if no read
    permissions") already introduced a second open to measure a file when the
    original file descriptor does not allow it. However, it didn't remove the
    existing method of changing the mode of the original file descriptor, which
    is still necessary if the current process does not have enough privileges
    to open a new one.

    Changing the mode isn't really an option, as the filesystem might need to
    do preliminary steps to make the read possible. Thus, this patch removes
    the code and keeps the second open as the only option to measure a file
    when it is unreadable with the original file descriptor.

    Cc: # 4.20.x: 0014cc04e8ec0 ima: Set file->f_mode
    Fixes: 2fe5d6def1672 ("ima: integrity appraisal extension")
    Signed-off-by: Roberto Sassu
    Reviewed-by: Christoph Hellwig
    Signed-off-by: Mimi Zohar
    Signed-off-by: Greg Kroah-Hartman

    Roberto Sassu
     
  • [ Upstream commit 942cb357ae7d9249088e3687ee6a00ed2745a0c7 ]

    Smack assumes that kernel threads are privileged for smackfs
    operations. This was necessary because the credential of the
    kernel thread was not related to a user operation. With io_uring
    the credential does reflect a user's rights and can be used.

    Suggested-by: Jens Axboe
    Acked-by: Jens Axboe
    Acked-by: Eric W. Biederman
    Signed-off-by: Casey Schaufler
    Signed-off-by: Sasha Levin

    Casey Schaufler
     
  • [ Upstream commit 200ea5a2292dc444a818b096ae6a32ba3caa51b9 ]

    A previous fix, commit 83370b31a915 ("selinux: fix error initialization
    in inode_doinit_with_dentry()"), changed how failures were handled
    before a SELinux policy was loaded. Unfortunately that patch was
    potentially problematic for two reasons: it set the isec->initialized
    state without holding a lock, and it didn't set the inode's SELinux
    label to the "default" for the particular filesystem. The latter can
    be a problem if/when a later attempt to revalidate the inode fails
    and SELinux reverts to the existing inode label.

    This patch should restore the default inode labeling that existed
    before the original fix, without affecting the LABEL_INVALID marking
    such that revalidation will still be attempted in the future.

    Fixes: 83370b31a915 ("selinux: fix error initialization in inode_doinit_with_dentry()")
    Reported-by: Sven Schnelle
    Tested-by: Sven Schnelle
    Reviewed-by: Ondrej Mosnacek
    Signed-off-by: Paul Moore
    Signed-off-by: Sasha Levin

    Paul Moore
     
  • [ Upstream commit 83370b31a915493231e5b9addc72e4bef69f8d31 ]

    Mark the inode security label as invalid if we cannot find
    a dentry so that we will retry later rather than marking it
    initialized with the unlabeled SID.

    Fixes: 9287aed2ad1f ("selinux: Convert isec->lock into a spinlock")
    Signed-off-by: Tianyue Ren
    [PM: minor comment tweaks]
    Signed-off-by: Paul Moore
    Signed-off-by: Sasha Levin

    Tianyue Ren
     

14 Dec, 2020

4 commits


15 Nov, 2020

1 commit


13 Nov, 2020

1 commit

  • Fix to return a negative error code from the error handling case
    instead of 0 in function sel_ib_pkey_sid_slow(), as done elsewhere
    in this function.

    Cc: stable@vger.kernel.org
    Fixes: 409dcf31538a ("selinux: Add a cache for quicker retreival of PKey SIDs")
    Reported-by: Hulk Robot
    Signed-off-by: Chen Zhou
    Signed-off-by: Paul Moore

    Chen Zhou
     

30 Oct, 2020

1 commit

  • There is a regular need in the kernel to provide a way to declare having a
    dynamically sized set of trailing elements in a structure. Kernel code should
    always use “flexible array members”[1] for these cases. The older style of
    one-element or zero-length arrays should no longer be used[2].

    [1] https://en.wikipedia.org/wiki/Flexible_array_member
    [2] https://www.kernel.org/doc/html/v5.9-rc1/process/deprecated.html#zero-length-and-one-element-arrays

    Signed-off-by: Gustavo A. R. Silva

    Gustavo A. R. Silva
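The pattern the commit above asks for, as an added example written for this page (it is not code from the kernel or from the commit): a struct whose trailing element list is a C99 flexible array member, with the allocation size computed under an overflow check. The kernel's own helper for that computation is struct_size(); the check is re-implemented inline here, which is an assumption made so the example builds on its own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A variable-length record declared with a flexible array member instead of
 * the deprecated ids[1] / ids[0] idioms. sizeof(struct id_list) covers the
 * fixed header only; the ids follow it in the same allocation. */
struct id_list {
	uint32_t count;
	uint32_t ids[];          /* flexible array member: must be last */
};

/* Bytes needed for a header plus n ids, or 0 when the multiplication or the
 * addition would wrap around. Stands in for the kernel's struct_size()
 * (assumption: re-implemented here to keep the example self-contained). */
size_t id_list_bytes_for(size_t n)
{
	if (n > SIZE_MAX / sizeof(uint32_t))
		return 0;
	if (n * sizeof(uint32_t) > SIZE_MAX - sizeof(struct id_list))
		return 0;
	return sizeof(struct id_list) + n * sizeof(uint32_t);
}

/* Allocate and populate a list from n ids; NULL on overflow or allocation
 * failure. The copy is bounded by the size computed above. */
struct id_list *id_list_new(const uint32_t *src, size_t n)
{
	size_t bytes = id_list_bytes_for(n);
	struct id_list *l;

	if (bytes == 0 || n > UINT32_MAX)
		return NULL;
	l = malloc(bytes);
	if (!l)
		return NULL;
	l->count = (uint32_t)n;
	memcpy(l->ids, src, n * sizeof(uint32_t));
	return l;
}

/* Sum the ids, walking only as far as the stored count says. */
uint64_t id_list_sum(const struct id_list *l)
{
	uint64_t total = 0;

	for (uint32_t i = 0; i < l->count; i++)
		total += l->ids[i];
	return total;
}

/* Demo on constructed input {1, 2, 3}: returns 6. */
uint64_t demo_id_list_sum(void)
{
	const uint32_t sample[] = { 1, 2, 3 };   /* constructed sample data */
	struct id_list *l = id_list_new(sample, 3);
	uint64_t s;

	if (!l)
		return 0;
	s = id_list_sum(l);
	free(l);
	return s;
}

int main(void)
{
	printf("header %zu bytes, 3 ids need %zu bytes, sum %llu\n",
	       sizeof(struct id_list), id_list_bytes_for(3),
	       (unsigned long long)demo_id_list_sum());
	return 0;
}
```

With a flexible array member the header size reported by sizeof() is exactly the fixed part, so the allocation formula has no hidden extra element to account for, which is the ambiguity the one-element idiom introduces.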
     

26 Oct, 2020

1 commit

  • Pull SafeSetID updates from Micah Morton:
    "The changes are mostly contained to within the SafeSetID LSM, with the
    exception of a few 1-line changes to change some ns_capable() calls to
    ns_capable_setid() -- causing a flag (CAP_OPT_INSETID) to be set that
    is examined by SafeSetID code and nothing else in the kernel.

    The changes to SafeSetID internally allow for setting up GID
    transition security policies, as already existed for UIDs"

    * tag 'safesetid-5.10' of git://github.com/micah-morton/linux:
    LSM: SafeSetID: Fix warnings reported by test bot
    LSM: SafeSetID: Add GID security policy handling
    LSM: Signal to SafeSetID when setting group IDs

    Linus Torvalds
     

18 Oct, 2020

1 commit

  • A previous commit changed the notification mode from true/false to an
    int, allowing notify-no, notify-yes, or signal-notify. This was
    backwards compatible in the sense that any existing true/false user
    would translate to either 0 (on notification sent) or 1, the latter
    which mapped to TWA_RESUME. TWA_SIGNAL was assigned a value of 2.

    Clean this up properly, and define a proper enum for the notification
    mode. Now we have:

    - TWA_NONE. This is 0, same as before the original change, meaning no
    notification requested.
    - TWA_RESUME. This is 1, same as before the original change, meaning
    that we use TIF_NOTIFY_RESUME.
    - TWA_SIGNAL. This uses TIF_SIGPENDING/JOBCTL_TASK_WORK for the
    notification.

    Clean up all the callers, switching their 0/1/false/true to using the
    appropriate TWA_* mode for notifications.

    Fixes: e91b48162332 ("task_work: teach task_work_add() to do signal_wake_up()")
    Reviewed-by: Thomas Gleixner
    Signed-off-by: Jens Axboe

    Jens Axboe
     

16 Oct, 2020

3 commits

  • Pull networking updates from Jakub Kicinski:

    - Add redirect_neigh() BPF packet redirect helper, allowing to limit
    stack traversal in common container configs and improving TCP
    back-pressure.

    Daniel reports ~10Gbps => ~15Gbps single stream TCP performance gain.

    - Expand netlink policy support and improve policy export to user
    space. (Ge)netlink core performs request validation according to
    declared policies. Expand the expressiveness of those policies
    (min/max length and bitmasks). Allow dumping policies for particular
    commands. This is used for feature discovery by user space (instead
    of kernel version parsing or trial and error).

    - Support IGMPv3/MLDv2 multicast listener discovery protocols in
    bridge.

    - Allow more than 255 IPv4 multicast interfaces.

    - Add support for Type of Service (ToS) reflection in SYN/SYN-ACK
    packets of TCPv6.

    - In Multi-path TCP (MPTCP) support concurrent transmission of data on
    multiple subflows in a load balancing scenario. Enhance advertising
    addresses via the RM_ADDR/ADD_ADDR options.

    - Support SMC-Dv2 version of SMC, which enables multi-subnet
    deployments.

    - Allow more calls to same peer in RxRPC.

    - Support two new Controller Area Network (CAN) protocols - CAN-FD and
    ISO 15765-2:2016.

    - Add xfrm/IPsec compat layer, solving the 32bit user space on 64bit
    kernel problem.

    - Add TC actions for implementing MPLS L2 VPNs.

    - Improve nexthop code - e.g. handle various corner cases when nexthop
    objects are removed from groups better, skip unnecessary
    notifications and make it easier to offload nexthops into HW by
    converting to a blocking notifier.

    - Support adding and consuming TCP header options by BPF programs,
    opening the doors for easy experimental and deployment-specific TCP
    option use.

    - Reorganize TCP congestion control (CC) initialization to simplify
    life of TCP CC implemented in BPF.

    - Add support for shipping BPF programs with the kernel and loading
    them early on boot via the User Mode Driver mechanism, hence reusing
    all the user space infra we have.

    - Support sleepable BPF programs, initially targeting LSM and tracing.

    - Add bpf_d_path() helper for returning full path for given 'struct
    path'.

    - Make bpf_tail_call compatible with bpf-to-bpf calls.

    - Allow BPF programs to call map_update_elem on sockmaps.

    - Add BPF Type Format (BTF) support for type and enum discovery, as
    well as support for using BTF within the kernel itself (current use
    is for pretty printing structures).

    - Support listing and getting information about bpf_links via the bpf
    syscall.

    - Enhance kernel interfaces around NIC firmware update. Allow
    specifying overwrite mask to control if settings etc. are reset
    during update; report expected max time operation may take to users;
    support firmware activation without machine reboot incl. limits of
    how much impact reset may have (e.g. dropping link or not).

    - Extend ethtool configuration interface to report IEEE-standard
    counters, to limit the need for per-vendor logic in user space.

    - Adopt or extend devlink use for debug, monitoring, fw update in many
    drivers (dsa loop, ice, ionic, sja1105, qed, mlxsw, mv88e6xxx,
    dpaa2-eth).

    - In mlxsw expose critical and emergency SFP module temperature alarms.
    Refactor port buffer handling to make the defaults more suitable and
    support setting these values explicitly via the DCBNL interface.

    - Add XDP support for Intel's igb driver.

    - Support offloading TC flower classification and filtering rules to
    mscc_ocelot switches.

    - Add PTP support for Marvell Octeontx2 and PP2.2 hardware, as well as
    fixed interval period pulse generator and one-step timestamping in
    dpaa-eth.

    - Add support for various auth offloads in WiFi APs, e.g. SAE (WPA3)
    offload.

    - Add Lynx PHY/PCS MDIO module, and convert various drivers which have
    this HW to use it. Convert mvpp2 to split PCS.

    - Support Marvell Prestera 98DX3255 24-port switch ASICs, as well as
    7-port Mediatek MT7531 IP.

    - Add initial support for QCA6390 and IPQ6018 in ath11k WiFi driver,
    and wcn3680 support in wcn36xx.

    - Improve performance for packets which don't require much offloads on
    recent Mellanox NICs by 20% by making multiple packets share a
    descriptor entry.

    - Move chelsio inline crypto drivers (for TLS and IPsec) from the
    crypto subtree to drivers/net. Move MDIO drivers out of the phy
    directory.

    - Clean up a lot of W=1 warnings, reportedly the actively developed
    subsections of networking drivers should now build W=1 warning free.

    - Make sure drivers don't use in_interrupt() to dynamically adapt their
    code. Convert tasklets to use new tasklet_setup API (sadly this
    conversion is not yet complete).

    * tag 'net-next-5.10' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next: (2583 commits)
    Revert "bpfilter: Fix build error with CONFIG_BPFILTER_UMH"
    net, sockmap: Don't call bpf_prog_put() on NULL pointer
    bpf, selftest: Fix flaky tcp_hdr_options test when adding addr to lo
    bpf, sockmap: Add locking annotations to iterator
    netfilter: nftables: allow re-computing sctp CRC-32C in 'payload' statements
    net: fix pos incrementment in ipv6_route_seq_next
    net/smc: fix invalid return code in smcd_new_buf_create()
    net/smc: fix valid DMBE buffer sizes
    net/smc: fix use-after-free of delayed events
    bpfilter: Fix build error with CONFIG_BPFILTER_UMH
    cxgb4/ch_ipsec: Replace the module name to ch_ipsec from chcr
    net: sched: Fix suspicious RCU usage while accessing tcf_tunnel_info
    bpf: Fix register equivalence tracking.
    rxrpc: Fix loss of final ack on shutdown
    rxrpc: Fix bundle counting for exclusive connections
    netfilter: restore NF_INET_NUMHOOKS
    ibmveth: Identify ingress large send packets.
    ibmveth: Switch order of ibmveth_helper calls.
    cxgb4: handle 4-tuple PEDIT to NAT mode translation
    selftests: Add VRF route leaking tests
    ...

    Linus Torvalds
     
  • Pull integrity updates from Mimi Zohar:
    "Continuing IMA policy rule cleanup and validation in particular for
    measuring keys, adding/removing/updating informational and error
    messages (e.g. "ima_appraise" boot command line option), and other bug
    fixes (e.g. minimal data size validation before use, return code and
    NULL pointer checking)"

    * tag 'integrity-v5.10' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
    ima: Fix NULL pointer dereference in ima_file_hash
    evm: Check size of security.evm before using it
    ima: Remove semicolon at the end of ima_get_binary_runtime_size()
    ima: Don't ignore errors from crypto_shash_update()
    ima: Use kmemdup rather than kmalloc+memcpy
    integrity: include keyring name for unknown key request
    ima: limit secure boot feedback scope for appraise
    integrity: invalid kernel parameters feedback
    ima: add check for enforced appraise option
    integrity: Use current_uid() in integrity_audit_message()
    ima: Fail rule parsing when asymmetric key measurement isn't supportable
    ima: Pre-parse the list of keyrings in a KEY_CHECK rule

    Linus Torvalds
     
  • Pull char/misc driver updates from Greg KH:
    "Here is the big set of char, misc, and other assorted driver subsystem
    patches for 5.10-rc1.

    There's a lot of different things in here, all over the drivers/
    directory. Some summaries:

    - soundwire driver updates

    - habanalabs driver updates

    - extcon driver updates

    - nitro_enclaves new driver

    - fsl-mc driver and core updates

    - mhi core and bus updates

    - nvmem driver updates

    - eeprom driver updates

    - binder driver updates and fixes

    - vbox minor bugfixes

    - fsi driver updates

    - w1 driver updates

    - coresight driver updates

    - interconnect driver updates

    - misc driver updates

    - other minor driver updates

    All of these have been in linux-next for a while with no reported
    issues"

    * tag 'char-misc-5.10-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: (396 commits)
    binder: fix UAF when releasing todo list
    docs: w1: w1_therm: Fix broken xref, mistakes, clarify text
    misc: Kconfig: fix a HISI_HIKEY_USB dependency
    LSM: Fix type of id parameter in kernel_post_load_data prototype
    misc: Kconfig: add a new dependency for HISI_HIKEY_USB
    firmware_loader: fix a kernel-doc markup
    w1: w1_therm: make w1_poll_completion static
    binder: simplify the return expression of binder_mmap
    test_firmware: Test partial read support
    firmware: Add request_partial_firmware_into_buf()
    firmware: Store opt_flags in fw_priv
    fs/kernel_file_read: Add "offset" arg for partial reads
    IMA: Add support for file reads without contents
    LSM: Add "contents" flag to kernel_read_file hook
    module: Call security_kernel_post_load_data()
    firmware_loader: Use security_post_load_data()
    LSM: Introduce kernel_post_load_data() hook
    fs/kernel_read_file: Add file_size output argument
    fs/kernel_read_file: Switch buffer size arg to size_t
    fs/kernel_read_file: Remove redundant size argument
    ...

    Linus Torvalds
     

14 Oct, 2020

5 commits

  • Pull selinux updates from Paul Moore:
    "A decent number of SELinux patches for v5.10, twenty two in total. The
    highlights are listed below, but all of the patches pass our test
    suite and merge cleanly.

    - A number of changes to how the SELinux policy is loaded and managed
    inside the kernel with the goal of improving the atomicity of a
    SELinux policy load operation.

    These changes account for the bulk of the diffstat as well as the
    patch count. A special thanks to everyone who contributed patches
    and fixes for this work.

    - Convert the SELinux policy read-write lock to RCU.

    - A tracepoint was added for audited SELinux access control events;
    this should help provide a more unified backtrace across kernel and
    userspace.

    - Allow the removal of security.selinux xattrs when a SELinux policy
    is not loaded.

    - Enable policy capabilities in SELinux policies created with the
    scripts/selinux/mdp tool.

    - Provide some "no sooner than" dates for the SELinux checkreqprot
    sysfs deprecation"

    * tag 'selinux-pr-20201012' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux: (22 commits)
    selinux: provide a "no sooner than" date for the checkreqprot removal
    selinux: Add helper functions to get and set checkreqprot
    selinux: access policycaps with READ_ONCE/WRITE_ONCE
    selinux: simplify away security_policydb_len()
    selinux: move policy mutex to selinux_state, use in lockdep checks
    selinux: fix error handling bugs in security_load_policy()
    selinux: convert policy read-write lock to RCU
    selinux: delete repeated words in comments
    selinux: add basic filtering for audit trace events
    selinux: add tracepoint on audited events
    selinux: Create new booleans and class dirs out of tree
    selinux: Standardize string literal usage for selinuxfs directory names
    selinux: Refactor selinuxfs directory populating functions
    selinux: Create function for selinuxfs directory cleanup
    selinux: permit removing security.selinux xattr before policy load
    selinux: fix memdup.cocci warnings
    selinux: avoid dereferencing the policy prior to initialization
    selinux: fix allocation failure check on newpolicy->sidtab
    selinux: refactor changing booleans
    selinux: move policy commit after updating selinuxfs
    ...

    Linus Torvalds
     
  • Pull smack updates from Casey Schaufler:
    "Two minor fixes and one performance enhancement to Smack. The
    performance improvement is significant and the new code is more like
    its counterpart in SELinux.

    - Two kernel test robot suggested clean-ups.

    - Teach Smack to use the IPv4 netlabel cache. This results in a
    12-14% improvement on TCP benchmarks"

    * tag 'Smack-for-5.10' of git://github.com/cschaufler/smack-next:
    Smack: Remove unnecessary variable initialization
    Smack: Fix build when NETWORK_SECMARK is not set
    Smack: Use the netlabel cache
    Smack: Set socket labels only once
    Smack: Consolidate uses of secmark into a function

    Linus Torvalds
     
  • Pull tomoyo fix from Tetsuo Handa:
    "One patch to make it possible to execute usermode-driver's path"

    * tag 'tomoyo-pr-20201012' of git://git.osdn.net/gitroot/tomoyo/tomoyo-test1:
    tomoyo: Loosen pathname/domainname validation.

    Linus Torvalds
     
  • Fix multiple cast-to-union warnings related to casting kuid_t and kgid_t
    types to kid_t union type. Also fix incompatible type warning that
    arises from accidental omission of "__rcu" qualifier on the struct
    setid_ruleset pointer in the argument list for safesetid_file_read().

    Reported-by: kernel test robot
    Signed-off-by: Thomas Cedeno
    Signed-off-by: Micah Morton

    Thomas Cedeno
     
  • The SafeSetID LSM has functionality for restricting setuid() calls based
    on its configured security policies. This patch adds the analogous
    functionality for setgid() calls. This is mostly a copy-and-paste change
    with some code deduplication, plus slight modifications/name changes to
    the policy-rule-related structs (now contain GID rules in addition to
    the UID ones) and some type generalization since SafeSetID now needs to
    deal with kgid_t and kuid_t types.

    Signed-off-by: Thomas Cedeno
    Signed-off-by: Micah Morton

    Thomas Cedeno
     

13 Oct, 2020

3 commits

  • Pull crypto updates from Herbert Xu:
    "API:
    - Allow DRBG testing through user-space af_alg
    - Add tcrypt speed testing support for keyed hashes
    - Add type-safe init/exit hooks for ahash

    Algorithms:
    - Mark arc4 as obsolete and pending for future removal
    - Mark anubis, khazad, seed and tea as obsolete
    - Improve boot-time xor benchmark
    - Add OSCCA SM2 asymmetric cipher algorithm and use it for integrity

    Drivers:
    - Fixes and enhancement for XTS in caam
    - Add support for XIP8001B hwrng in xiphera-trng
    - Add RNG and hash support in sun8i-ce/sun8i-ss
    - Allow imx-rngc to be used by kernel entropy pool
    - Use crypto engine in omap-sham
    - Add support for Ingenic X1830 with ingenic"

    * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (205 commits)
    X.509: Fix modular build of public_key_sm2
    crypto: xor - Remove unused variable count in do_xor_speed
    X.509: fix error return value on the failed path
    crypto: bcm - Verify GCM/CCM key length in setkey
    crypto: qat - drop input parameter from adf_enable_aer()
    crypto: qat - fix function parameters descriptions
    crypto: atmel-tdes - use semicolons rather than commas to separate statements
    crypto: drivers - use semicolons rather than commas to separate statements
    hwrng: mxc-rnga - use semicolons rather than commas to separate statements
    hwrng: iproc-rng200 - use semicolons rather than commas to separate statements
    hwrng: stm32 - use semicolons rather than commas to separate statements
    crypto: xor - use ktime for template benchmarking
    crypto: xor - defer load time benchmark to a later time
    crypto: hisilicon/zip - fix the uninitalized 'curr_qm_qp_num'
    crypto: hisilicon/zip - fix the return value when device is busy
    crypto: hisilicon/zip - fix zero length input in GZIP decompress
    crypto: hisilicon/zip - fix the uncleared debug registers
    lib/mpi: Fix unused variable warnings
    crypto: x86/poly1305 - Remove assignments with no effect
    hwrng: npcm - modify readl to readb
    ...

    Linus Torvalds
     
  • Pull compat iovec cleanups from Al Viro:
    "Christoph's series around import_iovec() and compat variant thereof"

    * 'work.iov_iter' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
    security/keys: remove compat_keyctl_instantiate_key_iov
    mm: remove compat_process_vm_{readv,writev}
    fs: remove compat_sys_vmsplice
    fs: remove the compat readv/writev syscalls
    fs: remove various compat readv/writev helpers
    iov_iter: transparently handle compat iovecs in import_iovec
    iov_iter: refactor rw_copy_check_uvector and import_iovec
    iov_iter: move rw_copy_check_uvector() into lib/iov_iter.c
    compat.h: fix a spelling error in

    Linus Torvalds
     
  • Pull EFI changes from Ingo Molnar:

    - Preliminary RISC-V enablement - the bulk of it will arrive via the
    RISCV tree.

    - Relax decompressed image placement rules for 32-bit ARM

    - Add support for passing MOK certificate table contents via a config
    table rather than a EFI variable.

    - Add support for 18 bit DIMM row IDs in the CPER records.

    - Work around broken Dell firmware that passes the entire Boot####
    variable contents as the command line

    - Add definition of the EFI_MEMORY_CPU_CRYPTO memory attribute so we
    can identify it in the memory map listings.

    - Don't abort the boot on arm64 if the EFI RNG protocol is available
    but returns with an error

    - Replace slashes with exclamation marks in efivarfs file names

    - Split efi-pstore from the deprecated efivars sysfs code, so we can
    disable the latter on !x86.

    - Misc fixes, cleanups and updates.

    * tag 'efi-core-2020-10-12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (26 commits)
    efi: mokvar: add missing include of asm/early_ioremap.h
    efi: efivars: limit availability to X86 builds
    efi: remove some false dependencies on CONFIG_EFI_VARS
    efi: gsmi: fix false dependency on CONFIG_EFI_VARS
    efi: efivars: un-export efivars_sysfs_init()
    efi: pstore: move workqueue handling out of efivars
    efi: pstore: disentangle from deprecated efivars module
    efi: mokvar-table: fix some issues in new code
    efi/arm64: libstub: Deal gracefully with EFI_RNG_PROTOCOL failure
    efivarfs: Replace invalid slashes with exclamation marks in dentries.
    efi: Delete deprecated parameter comments
    efi/libstub: Fix missing-prototypes in string.c
    efi: Add definition of EFI_MEMORY_CPU_CRYPTO and ability to report it
    cper,edac,efi: Memory Error Record: bank group/address and chip id
    edac,ghes,cper: Add Row Extension to Memory Error Record
    efi/x86: Add a quirk to support command line arguments on Dell EFI firmware
    efi/libstub: Add efi_warn and *_once logging helpers
    integrity: Load certs from the EFI MOK config table
    integrity: Move import of MokListRT certs to a separate routine
    efi: Support for MOK variable config table
    ...

    Linus Torvalds
     

12 Oct, 2020

1 commit

  • Since commit e2dc9bf3f5275ca3 ("umd: Transform fork_usermode_blob into
    fork_usermode_driver") started calling execve() on a program written in
    a local mount which is not connected to mount tree,
    tomoyo_realpath_from_path() started returning a pathname in
    "$fsname:/$pathname" format which violates TOMOYO's domainname rule that
    it must start with "<kernel>" followed by zero or more repetitions of
    pathnames which start with '/'.

    Since $fsname must not contain '.' since commit 79c0b2df79eb56fc ("add
    filesystem subtype support"), tomoyo_correct_path() can recognize a token
    which appears '/' before '.' appears (e.g. proc:/self/exe ) as a pathname
    while rejecting a token which appears '.' before '/' appears (e.g.
    exec.realpath="/bin/bash" ) as a condition parameter.

    Therefore, accept domainnames which contain pathnames which do not start
    with '/' but contain '/' before '.' (e.g. tmpfs:/bpfilter_umh ).

    Signed-off-by: Tetsuo Handa

    Tetsuo Handa
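The token rule the commit above describes, as an added example for this page rather than TOMOYO's own tomoyo_correct_path() or tomoyo_correct_domain() (which also handle escaping and other details omitted here). It assumes the domain name prefix is the literal token `<kernel>`, and it carries a `loosened` flag so the pre-fix rule (a pathname must start with '/') can be compared with the loosened one (a '/' must appear before any '.').

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A token is a pathname when a '/' occurs before any '.':
 *   "proc:/self/exe", "tmpfs:/bpfilter_umh", "/bin/bash"  -> pathname
 *   exec.realpath="/bin/bash"                            -> condition
 * With loosened == false the older rule applies: must begin with '/'. */
bool token_is_pathname(const char *tok, bool loosened)
{
	const char *slash = strchr(tok, '/');
	const char *dot = strchr(tok, '.');

	if (!loosened)
		return tok[0] == '/';
	if (!slash)
		return false;
	return dot == NULL || slash < dot;
}

/* A domain name is "<kernel>" (assumed prefix) followed by zero or more
 * single-space-separated pathname tokens. Returns true when every token
 * passes token_is_pathname() under the chosen rule. */
bool domainname_is_correct(const char *dom, bool loosened)
{
	static const char prefix[] = "<kernel>";
	const size_t plen = sizeof prefix - 1;
	const char *p;
	char tokbuf[256];

	if (strncmp(dom, prefix, plen) != 0)
		return false;
	p = dom + plen;
	while (*p == ' ') {
		const char *end;
		size_t len;

		p++;
		end = strchr(p, ' ');
		len = end ? (size_t)(end - p) : strlen(p);
		if (len == 0 || len >= sizeof tokbuf)
			return false;        /* empty token or oversized */
		memcpy(tokbuf, p, len);
		tokbuf[len] = '\0';
		if (!token_is_pathname(tokbuf, loosened))
			return false;
		p += len;
	}
	return *p == '\0';       /* nothing but tokens after the prefix */
}

int main(void)
{
	const char *samples[] = {        /* constructed sample domain names */
		"<kernel> /usr/sbin/sshd /bin/bash",
		"<kernel> tmpfs:/bpfilter_umh",
		"<kernel> exec.realpath=\"/bin/bash\"",
	};
	for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
		printf("%-45s strict=%d loosened=%d\n", samples[i],
		       domainname_is_correct(samples[i], false),
		       domainname_is_correct(samples[i], true));
	return 0;
}
```

The second sample is the case the commit fixes: a usermode driver executed from a detached tmpfs mount yields "tmpfs:/bpfilter_umh", which the strict rule rejects and the loosened rule accepts, while the condition parameter in the third sample is still rejected by both because its '.' comes first.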
     

06 Oct, 2020

1 commit


05 Oct, 2020

10 commits

  • To perform partial reads, callers of kernel_read_file*() must have a
    non-NULL file_size argument and a preallocated buffer. The new "offset"
    argument can then be used to seek to specific locations in the file to
    fill the buffer to, at most, "buf_size" per call.

    Where possible, the LSM hooks can report whether a full file has been
    read or not so that the contents can be reasoned about.

    Signed-off-by: Kees Cook
    Link: https://lore.kernel.org/r/20201002173828.2099543-14-keescook@chromium.org
    Signed-off-by: Greg Kroah-Hartman

    Kees Cook
     
  • When the kernel_read_file LSM hook is called with contents=false, IMA
    can appraise the file directly, without requiring a filled buffer. When
    such a buffer is available, though, IMA can continue to use it instead
    of forcing a double read here.

    Signed-off-by: Scott Branden
    Link: https://lore.kernel.org/lkml/20200706232309.12010-10-scott.branden@broadcom.com/
    Signed-off-by: Kees Cook
    Reviewed-by: Mimi Zohar
    Link: https://lore.kernel.org/r/20201002173828.2099543-13-keescook@chromium.org
    Signed-off-by: Greg Kroah-Hartman

    Scott Branden
     
  • As with the kernel_load_data LSM hook, add a "contents" flag to the
    kernel_read_file LSM hook that indicates whether the LSM can expect
    a matching call to the kernel_post_read_file LSM hook with the full
    contents of the file. With the coming addition of partial file read
    support for kernel_read_file*() API, the LSM will no longer be able
    to always see the entire contents of a file during the read calls.

    For cases where the LSM must examine the complete file contents,
    it will need to do so on its own every time the kernel_read_file
    hook is called with contents=false (or reject such cases). Adjust all
    existing LSMs to retain existing behavior.

    Signed-off-by: Kees Cook
    Reviewed-by: Mimi Zohar
    Link: https://lore.kernel.org/r/20201002173828.2099543-12-keescook@chromium.org
    Signed-off-by: Greg Kroah-Hartman

    Kees Cook
     
  • Now that security_post_load_data() is wired up, use it instead
    of the NULL file argument style of security_post_read_file(),
    and update the security_kernel_load_data() call to indicate that a
    security_kernel_post_load_data() call is expected.

    Wire up the IMA check to match earlier logic. Perhaps a generalized
    change to ima_post_load_data() might look something like this:

    return process_buffer_measurement(buf, size,
                                      kernel_load_data_id_str(load_id),
                                      read_idmap[load_id] ?: FILE_CHECK,
                                      0, NULL);

    Signed-off-by: Kees Cook
    Reviewed-by: Mimi Zohar
    Link: https://lore.kernel.org/r/20201002173828.2099543-10-keescook@chromium.org
    Signed-off-by: Greg Kroah-Hartman

    Kees Cook
     
  • There are a few places in the kernel where LSMs would like to have
    visibility into the contents of a kernel buffer that has been loaded or
    read. While security_kernel_post_read_file() (which includes the
    buffer) exists as a pairing for security_kernel_read_file(), no such
    hook exists to pair with security_kernel_load_data().

    Earlier proposals for just using security_kernel_post_read_file() with a
    NULL file argument were rejected (i.e. "file" should always be valid for
    the security_..._file hooks), but it appears at least one case was
    left in the kernel during earlier refactoring. (This will be fixed in
    a subsequent patch.)

    Since not all cases of security_kernel_load_data() can have a single
    contiguous buffer made available to the LSM hook (e.g. kexec image
    segments are separately loaded), there needs to be a way for the LSM to
    reason about its expectations of the hook coverage. In order to handle
    this, add a "contents" argument to the "kernel_load_data" hook that
    indicates if the newly added "kernel_post_load_data" hook will be called
    with the full contents once loaded. That way, LSMs requiring full contents
    can choose to unilaterally reject "kernel_load_data" with contents=false
    (which is effectively the existing hook coverage), but when contents=true
    they can allow it and later evaluate the "kernel_post_load_data" hook
    once the buffer is loaded.

    With this change, LSMs can gain coverage over non-file-backed data loads
    (e.g. init_module(2) and firmware userspace helper), which will happen
    in subsequent patches.

    Additionally prepare IMA to start processing these cases.

    Signed-off-by: Kees Cook
    Reviewed-by: KP Singh
    Link: https://lore.kernel.org/r/20201002173828.2099543-9-keescook@chromium.org
    Signed-off-by: Greg Kroah-Hartman

    Kees Cook
     
  • In preparation for adding partial read support, add an optional output
    argument to kernel_read_file*() that reports the file size so callers
    can reason more easily about their reading progress.

    Signed-off-by: Kees Cook
    Reviewed-by: Mimi Zohar
    Reviewed-by: Luis Chamberlain
    Reviewed-by: James Morris
    Acked-by: Scott Branden
    Link: https://lore.kernel.org/r/20201002173828.2099543-8-keescook@chromium.org
    Signed-off-by: Greg Kroah-Hartman

    Kees Cook
     
  • In preparation for further refactoring of kernel_read_file*(), rename
    the "max_size" argument to the more accurate "buf_size", and correct
    its type to size_t. Add kerndoc to explain the specifics of how the
    arguments will be used. Note that with buf_size now size_t, it can no
    longer be negative (and was never called with a negative value). Adjust
    callers to use it as a "maximum size" when *buf is NULL.

    Signed-off-by: Kees Cook
    Reviewed-by: Mimi Zohar
    Reviewed-by: Luis Chamberlain
    Reviewed-by: James Morris
    Acked-by: Scott Branden
    Link: https://lore.kernel.org/r/20201002173828.2099543-7-keescook@chromium.org
    Signed-off-by: Greg Kroah-Hartman

    Kees Cook
     
  • In preparation for refactoring kernel_read_file*(), remove the redundant
    "size" argument which is not needed: it can be included in the return
    code, with callers adjusted. (VFS reads already cannot be larger than
    INT_MAX.)

    Signed-off-by: Kees Cook
    Reviewed-by: Mimi Zohar
    Reviewed-by: Luis Chamberlain
    Reviewed-by: James Morris
    Acked-by: Scott Branden
    Link: https://lore.kernel.org/r/20201002173828.2099543-6-keescook@chromium.org
    Signed-off-by: Greg Kroah-Hartman

    Kees Cook
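The kernel_read_file*() series above (the "offset" argument for partial reads, the "contents" flag on the LSM hook, the file_size output argument, the buf_size rename and the byte count moved into the return value) describes one contract. As an added userspace model for this page, not the kernel function and not code from the series, the block below implements that contract with pread(2): a caller supplies a preallocated buffer, a bound, an offset and a non-NULL file_size pointer, gets back the bytes copied or a negative errno, and can decide whether a single call observed the whole file. The temp-file helper and the 20-byte payload are constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Userspace model of the partial-read contract (assumption: mirrors the
 * described semantics, not the kernel's kernel_read_file()): copy at most
 * buf_size bytes starting at offset, report the whole file's size through
 * *file_size, return the bytes copied or -errno. Both buf and file_size are
 * mandatory for partial reads, as the series requires. */
ssize_t read_file_part(int fd, void *buf, size_t buf_size,
		       off_t offset, size_t *file_size)
{
	struct stat st;
	ssize_t got;

	if (!buf || !file_size || offset < 0)
		return -EINVAL;
	if (fstat(fd, &st) < 0)
		return -errno;
	*file_size = (size_t)st.st_size;
	if ((size_t)offset >= *file_size)
		return 0;
	got = pread(fd, buf, buf_size, offset);
	return got < 0 ? -errno : got;
}

/* True when one call observed the entire file from offset 0: the condition
 * under which an LSM could be given full contents. Otherwise the hook would
 * run with contents=false and a content-checking LSM must re-read itself. */
bool read_saw_full_contents(off_t offset, ssize_t got, size_t file_size)
{
	return offset == 0 && got >= 0 && (size_t)got == file_size;
}

/* Constructed temp file holding len bytes of data, unlinked immediately. */
static int make_temp_file(const char *data, size_t len)
{
	char tmpl[] = "/tmp/krf-demo-XXXXXX";
	char alt[] = "krf-demo-XXXXXX";
	int fd = mkstemp(tmpl);

	if (fd < 0) {
		fd = mkstemp(alt);	/* fall back to the working directory */
		if (fd < 0)
			return -1;
		unlink(alt);
	} else {
		unlink(tmpl);
	}
	if (write(fd, data, len) != (ssize_t)len) {
		close(fd);
		return -1;
	}
	return fd;
}

/* Read a constructed 20-byte file back in pieces of `chunk` bytes, verify
 * each piece, and return how many calls were needed (-1 on any error). */
int demo_chunked_read(size_t chunk)
{
	const char payload[] = "FIRMWARE-BLOB-DEMO!!";	/* constructed, 20 bytes */
	char buf[64];
	size_t file_size = 0, done = 0;
	int fd, pieces = 0;

	if (chunk == 0 || chunk > sizeof buf)
		return -1;
	fd = make_temp_file(payload, sizeof payload - 1);
	if (fd < 0)
		return -1;
	for (;;) {
		ssize_t got = read_file_part(fd, buf, chunk, (off_t)done, &file_size);

		if (got < 0 || (got > 0 && memcmp(buf, payload + done, (size_t)got) != 0)) {
			close(fd);
			return -1;
		}
		if (got == 0)
			break;
		done += (size_t)got;
		pieces++;
	}
	close(fd);
	return done == file_size ? pieces : -1;
}

int main(void)
{
	printf("8-byte chunks: %d calls; 32-byte chunk: %d call\n",
	       demo_chunked_read(8), demo_chunked_read(32));
	return 0;
}
```

With an 8-byte buffer the 20-byte file takes three calls, and only the single 32-byte call from offset 0 satisfies read_saw_full_contents(); that distinction is what the "contents" flag carries to the LSM so it does not assume it has seen data it never received.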
     
  • Move kernel_read_file* out of linux/fs.h to its own linux/kernel_read_file.h
    include file. That header gets pulled in just about everywhere
    and doesn't really need functions not related to the general fs interface.

    Suggested-by: Christoph Hellwig
    Signed-off-by: Scott Branden
    Signed-off-by: Kees Cook
    Reviewed-by: Christoph Hellwig
    Reviewed-by: Mimi Zohar
    Reviewed-by: Luis Chamberlain
    Acked-by: Greg Kroah-Hartman
    Acked-by: James Morris
    Link: https://lore.kernel.org/r/20200706232309.12010-2-scott.branden@broadcom.com
    Link: https://lore.kernel.org/r/20201002173828.2099543-4-keescook@chromium.org
    Signed-off-by: Greg Kroah-Hartman

    Scott Branden
     
  • FIRMWARE_PREALLOC_BUFFER is a "how", not a "what", and confuses the LSMs
    that are interested in filtering between types of things. The "how"
    should be an internal detail made uninteresting to the LSMs.

    Fixes: a098ecd2fa7d ("firmware: support loading into a pre-allocated buffer")
    Fixes: fd90bc559bfb ("ima: based on policy verify firmware signatures (pre-allocated buffer)")
    Fixes: 4f0496d8ffa3 ("ima: based on policy warn about loading firmware (pre-allocated buffer)")
    Signed-off-by: Kees Cook
    Reviewed-by: Mimi Zohar
    Reviewed-by: Luis Chamberlain
    Acked-by: Scott Branden
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/20201002173828.2099543-2-keescook@chromium.org
    Signed-off-by: Greg Kroah-Hartman

    Kees Cook
     

03 Oct, 2020

1 commit