02 Nov, 2020

3 commits


30 Oct, 2020

1 commit

  • There is a regular need in the kernel to provide a way to declare having a
    dynamically sized set of trailing elements in a structure. Kernel code should
    always use “flexible array members”[1] for these cases. The older style of
    one-element or zero-length arrays should no longer be used[2].

    [1] https://en.wikipedia.org/wiki/Flexible_array_member
    [2] https://www.kernel.org/doc/html/v5.9-rc1/process/deprecated.html#zero-length-and-one-element-arrays

    Signed-off-by: Gustavo A. R. Silva

    Gustavo A. R. Silva
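The following added example is not part of the commit above or of the kernel tree; it is a userspace model of the two idioms the commit contrasts. The struct names, the `msg_size()` helper (an assumed stand-in for the kernel's `struct_size()` macro) and the sample data are all constructed for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative userspace model; names are assumed, not kernel code. */

/* Deprecated style: one-element array. sizeof() counts the single element
 * (plus padding), so callers historically allocated
 * sizeof(struct) + (n - 1) * elem, an off-by-one trap that also underflows
 * for n == 0, and the compiler cannot bounds-check accesses past [0]. */
struct old_msg {
	uint32_t count;
	uint8_t  data[1];
};

/* Preferred style: C99 flexible array member. sizeof() excludes data[],
 * so the allocation size is exactly header + n * elem. */
struct new_msg {
	uint32_t count;
	uint8_t  data[];
};

/* The historical allocation formula for the one-element idiom. */
static size_t old_style_alloc_size(size_t n)
{
	return sizeof(struct old_msg) + (n - 1) * sizeof(uint8_t);
}

/* Overflow-checked equivalent of struct_size(); returns 0 on overflow.
 * (Assumed reimplementation, not the kernel's macro.) */
static size_t msg_size(size_t count)
{
	if (count > (SIZE_MAX - sizeof(struct new_msg)) / sizeof(uint8_t))
		return 0;
	return sizeof(struct new_msg) + count * sizeof(uint8_t);
}

static struct new_msg *new_msg_alloc(const uint8_t *src, size_t count)
{
	size_t bytes = msg_size(count);
	struct new_msg *m;

	if (bytes == 0)
		return NULL;
	m = malloc(bytes);
	if (!m)
		return NULL;
	m->count = (uint32_t)count;
	memcpy(m->data, src, count);
	return m;
}

static uint32_t new_msg_sum(const struct new_msg *m)
{
	uint32_t s = 0;

	for (uint32_t i = 0; i < m->count; i++)
		s += m->data[i];
	return s;
}

static size_t old_sizeof_header(void) { return sizeof(struct old_msg); }
static size_t new_sizeof_header(void) { return sizeof(struct new_msg); }
```

With the flexible array member the trailing `data[]` has no declared bound, so `-Warray-bounds` and FORTIFY-style checks can treat every index as runtime-bounded by the allocation instead of silently allowing reads past `data[0]`.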
     

29 Oct, 2020

1 commit


27 Oct, 2020

1 commit


26 Oct, 2020

4 commits


25 Oct, 2020

1 commit


23 Oct, 2020

4 commits


21 Oct, 2020

1 commit


18 Oct, 2020

1 commit

  • A previous commit changed the notification mode from true/false to an
    int, allowing notify-no, notify-yes, or signal-notify. This was
    backwards compatible in the sense that any existing true/false user
    would translate to either 0 (no notification sent) or 1, the latter
    which mapped to TWA_RESUME. TWA_SIGNAL was assigned a value of 2.

    Clean this up properly, and define a proper enum for the notification
    mode. Now we have:

    - TWA_NONE. This is 0, same as before the original change, meaning no
    notification requested.
    - TWA_RESUME. This is 1, same as before the original change, meaning
    that we use TIF_NOTIFY_RESUME.
    - TWA_SIGNAL. This uses TIF_SIGPENDING/JOBCTL_TASK_WORK for the
    notification.

    Clean up all the callers, switching their 0/1/false/true to using the
    appropriate TWA_* mode for notifications.

    Fixes: e91b48162332 ("task_work: teach task_work_add() to do signal_wake_up()")
    Reviewed-by: Thomas Gleixner
    Signed-off-by: Jens Axboe

    Jens Axboe
     

16 Oct, 2020

3 commits

  • Pull networking updates from Jakub Kicinski:

    - Add redirect_neigh() BPF packet redirect helper, allowing to limit
    stack traversal in common container configs and improving TCP
    back-pressure.

    Daniel reports ~10Gbps => ~15Gbps single stream TCP performance gain.

    - Expand netlink policy support and improve policy export to user
    space. (Ge)netlink core performs request validation according to
    declared policies. Expand the expressiveness of those policies
    (min/max length and bitmasks). Allow dumping policies for particular
    commands. This is used for feature discovery by user space (instead
    of kernel version parsing or trial and error).

    - Support IGMPv3/MLDv2 multicast listener discovery protocols in
    bridge.

    - Allow more than 255 IPv4 multicast interfaces.

    - Add support for Type of Service (ToS) reflection in SYN/SYN-ACK
    packets of TCPv6.

    - In Multipath TCP (MPTCP) support concurrent transmission of data on
    multiple subflows in a load balancing scenario. Enhance advertising
    addresses via the RM_ADDR/ADD_ADDR options.

    - Support SMC-Dv2 version of SMC, which enables multi-subnet
    deployments.

    - Allow more calls to same peer in RxRPC.

    - Support two new Controller Area Network (CAN) protocols - CAN-FD and
    ISO 15765-2:2016.

    - Add xfrm/IPsec compat layer, solving the 32bit user space on 64bit
    kernel problem.

    - Add TC actions for implementing MPLS L2 VPNs.

    - Improve nexthop code - e.g. handle various corner cases when nexthop
    objects are removed from groups better, skip unnecessary
    notifications and make it easier to offload nexthops into HW by
    converting to a blocking notifier.

    - Support adding and consuming TCP header options by BPF programs,
    opening the doors for easy experimental and deployment-specific TCP
    option use.

    - Reorganize TCP congestion control (CC) initialization to simplify
    life of TCP CC implemented in BPF.

    - Add support for shipping BPF programs with the kernel and loading
    them early on boot via the User Mode Driver mechanism, hence reusing
    all the user space infra we have.

    - Support sleepable BPF programs, initially targeting LSM and tracing.

    - Add bpf_d_path() helper for returning full path for given 'struct
    path'.

    - Make bpf_tail_call compatible with bpf-to-bpf calls.

    - Allow BPF programs to call map_update_elem on sockmaps.

    - Add BPF Type Format (BTF) support for type and enum discovery, as
    well as support for using BTF within the kernel itself (current use
    is for pretty printing structures).

    - Support listing and getting information about bpf_links via the bpf
    syscall.

    - Enhance kernel interfaces around NIC firmware update. Allow
    specifying overwrite mask to control if settings etc. are reset
    during update; report expected max time operation may take to users;
    support firmware activation without machine reboot incl. limits of
    how much impact reset may have (e.g. dropping link or not).

    - Extend ethtool configuration interface to report IEEE-standard
    counters, to limit the need for per-vendor logic in user space.

    - Adopt or extend devlink use for debug, monitoring, fw update in many
    drivers (dsa loop, ice, ionic, sja1105, qed, mlxsw, mv88e6xxx,
    dpaa2-eth).

    - In mlxsw expose critical and emergency SFP module temperature alarms.
    Refactor port buffer handling to make the defaults more suitable and
    support setting these values explicitly via the DCBNL interface.

    - Add XDP support for Intel's igb driver.

    - Support offloading TC flower classification and filtering rules to
    mscc_ocelot switches.

    - Add PTP support for Marvell Octeontx2 and PP2.2 hardware, as well as
    fixed interval period pulse generator and one-step timestamping in
    dpaa-eth.

    - Add support for various auth offloads in WiFi APs, e.g. SAE (WPA3)
    offload.

    - Add Lynx PHY/PCS MDIO module, and convert various drivers which have
    this HW to use it. Convert mvpp2 to split PCS.

    - Support Marvell Prestera 98DX3255 24-port switch ASICs, as well as
    7-port Mediatek MT7531 IP.

    - Add initial support for QCA6390 and IPQ6018 in ath11k WiFi driver,
    and wcn3680 support in wcn36xx.

    - Improve performance for packets which don't require much offloads on
    recent Mellanox NICs by 20% by making multiple packets share a
    descriptor entry.

    - Move chelsio inline crypto drivers (for TLS and IPsec) from the
    crypto subtree to drivers/net. Move MDIO drivers out of the phy
    directory.

    - Clean up a lot of W=1 warnings, reportedly the actively developed
    subsections of networking drivers should now build W=1 warning free.

    - Make sure drivers don't use in_interrupt() to dynamically adapt their
    code. Convert tasklets to use new tasklet_setup API (sadly this
    conversion is not yet complete).

    * tag 'net-next-5.10' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next: (2583 commits)
    Revert "bpfilter: Fix build error with CONFIG_BPFILTER_UMH"
    net, sockmap: Don't call bpf_prog_put() on NULL pointer
    bpf, selftest: Fix flaky tcp_hdr_options test when adding addr to lo
    bpf, sockmap: Add locking annotations to iterator
    netfilter: nftables: allow re-computing sctp CRC-32C in 'payload' statements
    net: fix pos incrementment in ipv6_route_seq_next
    net/smc: fix invalid return code in smcd_new_buf_create()
    net/smc: fix valid DMBE buffer sizes
    net/smc: fix use-after-free of delayed events
    bpfilter: Fix build error with CONFIG_BPFILTER_UMH
    cxgb4/ch_ipsec: Replace the module name to ch_ipsec from chcr
    net: sched: Fix suspicious RCU usage while accessing tcf_tunnel_info
    bpf: Fix register equivalence tracking.
    rxrpc: Fix loss of final ack on shutdown
    rxrpc: Fix bundle counting for exclusive connections
    netfilter: restore NF_INET_NUMHOOKS
    ibmveth: Identify ingress large send packets.
    ibmveth: Switch order of ibmveth_helper calls.
    cxgb4: handle 4-tuple PEDIT to NAT mode translation
    selftests: Add VRF route leaking tests
    ...

    Linus Torvalds
     
  • Pull integrity updates from Mimi Zohar:
    "Continuing IMA policy rule cleanup and validation in particular for
    measuring keys, adding/removing/updating informational and error
    messages (e.g. "ima_appraise" boot command line option), and other bug
    fixes (e.g. minimal data size validation before use, return code and
    NULL pointer checking)"

    * tag 'integrity-v5.10' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
    ima: Fix NULL pointer dereference in ima_file_hash
    evm: Check size of security.evm before using it
    ima: Remove semicolon at the end of ima_get_binary_runtime_size()
    ima: Don't ignore errors from crypto_shash_update()
    ima: Use kmemdup rather than kmalloc+memcpy
    integrity: include keyring name for unknown key request
    ima: limit secure boot feedback scope for appraise
    integrity: invalid kernel parameters feedback
    ima: add check for enforced appraise option
    integrity: Use current_uid() in integrity_audit_message()
    ima: Fail rule parsing when asymmetric key measurement isn't supportable
    ima: Pre-parse the list of keyrings in a KEY_CHECK rule

    Linus Torvalds
     
  • Pull char/misc driver updates from Greg KH:
    "Here is the big set of char, misc, and other assorted driver subsystem
    patches for 5.10-rc1.

    There's a lot of different things in here, all over the drivers/
    directory. Some summaries:

    - soundwire driver updates

    - habanalabs driver updates

    - extcon driver updates

    - nitro_enclaves new driver

    - fsl-mc driver and core updates

    - mhi core and bus updates

    - nvmem driver updates

    - eeprom driver updates

    - binder driver updates and fixes

    - vbox minor bugfixes

    - fsi driver updates

    - w1 driver updates

    - coresight driver updates

    - interconnect driver updates

    - misc driver updates

    - other minor driver updates

    All of these have been in linux-next for a while with no reported
    issues"

    * tag 'char-misc-5.10-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: (396 commits)
    binder: fix UAF when releasing todo list
    docs: w1: w1_therm: Fix broken xref, mistakes, clarify text
    misc: Kconfig: fix a HISI_HIKEY_USB dependency
    LSM: Fix type of id parameter in kernel_post_load_data prototype
    misc: Kconfig: add a new dependency for HISI_HIKEY_USB
    firmware_loader: fix a kernel-doc markup
    w1: w1_therm: make w1_poll_completion static
    binder: simplify the return expression of binder_mmap
    test_firmware: Test partial read support
    firmware: Add request_partial_firmware_into_buf()
    firmware: Store opt_flags in fw_priv
    fs/kernel_file_read: Add "offset" arg for partial reads
    IMA: Add support for file reads without contents
    LSM: Add "contents" flag to kernel_read_file hook
    module: Call security_kernel_post_load_data()
    firmware_loader: Use security_post_load_data()
    LSM: Introduce kernel_post_load_data() hook
    fs/kernel_read_file: Add file_size output argument
    fs/kernel_read_file: Switch buffer size arg to size_t
    fs/kernel_read_file: Remove redundant size argument
    ...

    Linus Torvalds
     

14 Oct, 2020

5 commits

  • Pull selinux updates from Paul Moore:
    "A decent number of SELinux patches for v5.10, twenty two in total. The
    highlights are listed below, but all of the patches pass our test
    suite and merge cleanly.

    - A number of changes to how the SELinux policy is loaded and managed
    inside the kernel with the goal of improving the atomicity of a
    SELinux policy load operation.

    These changes account for the bulk of the diffstat as well as the
    patch count. A special thanks to everyone who contributed patches
    and fixes for this work.

    - Convert the SELinux policy read-write lock to RCU.

    - A tracepoint was added for audited SELinux access control events;
    this should help provide a more unified backtrace across kernel and
    userspace.

    - Allow the removal of security.selinux xattrs when a SELinux policy
    is not loaded.

    - Enable policy capabilities in SELinux policies created with the
    scripts/selinux/mdp tool.

    - Provide some "no sooner than" dates for the SELinux checkreqprot
    sysfs deprecation"

    * tag 'selinux-pr-20201012' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux: (22 commits)
    selinux: provide a "no sooner than" date for the checkreqprot removal
    selinux: Add helper functions to get and set checkreqprot
    selinux: access policycaps with READ_ONCE/WRITE_ONCE
    selinux: simplify away security_policydb_len()
    selinux: move policy mutex to selinux_state, use in lockdep checks
    selinux: fix error handling bugs in security_load_policy()
    selinux: convert policy read-write lock to RCU
    selinux: delete repeated words in comments
    selinux: add basic filtering for audit trace events
    selinux: add tracepoint on audited events
    selinux: Create new booleans and class dirs out of tree
    selinux: Standardize string literal usage for selinuxfs directory names
    selinux: Refactor selinuxfs directory populating functions
    selinux: Create function for selinuxfs directory cleanup
    selinux: permit removing security.selinux xattr before policy load
    selinux: fix memdup.cocci warnings
    selinux: avoid dereferencing the policy prior to initialization
    selinux: fix allocation failure check on newpolicy->sidtab
    selinux: refactor changing booleans
    selinux: move policy commit after updating selinuxfs
    ...

    Linus Torvalds
     
  • Pull smack updates from Casey Schaufler:
    "Two minor fixes and one performance enhancement to Smack. The
    performance improvement is significant and the new code is more like
    its counterpart in SELinux.

    - Two kernel test robot suggested clean-ups.

    - Teach Smack to use the IPv4 netlabel cache. This results in a
    12-14% improvement on TCP benchmarks"

    * tag 'Smack-for-5.10' of git://github.com/cschaufler/smack-next:
    Smack: Remove unnecessary variable initialization
    Smack: Fix build when NETWORK_SECMARK is not set
    Smack: Use the netlabel cache
    Smack: Set socket labels only once
    Smack: Consolidate uses of secmark into a function

    Linus Torvalds
     
  • Pull tomoyo fix from Tetsuo Handa:
    "One patch to make it possible to execute usermode-driver's path"

    * tag 'tomoyo-pr-20201012' of git://git.osdn.net/gitroot/tomoyo/tomoyo-test1:
    tomoyo: Loosen pathname/domainname validation.

    Linus Torvalds
     
  • Fix multiple cast-to-union warnings related to casting kuid_t and kgid_t
    types to kid_t union type. Also fix incompatible type warning that
    arises from accidental omission of "__rcu" qualifier on the struct
    setid_ruleset pointer in the argument list for safesetid_file_read().

    Reported-by: kernel test robot
    Signed-off-by: Thomas Cedeno
    Signed-off-by: Micah Morton

    Thomas Cedeno
     
  • The SafeSetID LSM has functionality for restricting setuid() calls based
    on its configured security policies. This patch adds the analogous
    functionality for setgid() calls. This is mostly a copy-and-paste change
    with some code deduplication, plus slight modifications/name changes to
    the policy-rule-related structs (now contain GID rules in addition to
    the UID ones) and some type generalization since SafeSetID now needs to
    deal with kgid_t and kuid_t types.

    Signed-off-by: Thomas Cedeno
    Signed-off-by: Micah Morton

    Thomas Cedeno
     

13 Oct, 2020

3 commits

  • Pull crypto updates from Herbert Xu:
    "API:
    - Allow DRBG testing through user-space af_alg
    - Add tcrypt speed testing support for keyed hashes
    - Add type-safe init/exit hooks for ahash

    Algorithms:
    - Mark arc4 as obsolete and pending for future removal
    - Mark anubis, khazad, seed and tea as obsolete
    - Improve boot-time xor benchmark
    - Add OSCCA SM2 asymmetric cipher algorithm and use it for integrity

    Drivers:
    - Fixes and enhancement for XTS in caam
    - Add support for XIP8001B hwrng in xiphera-trng
    - Add RNG and hash support in sun8i-ce/sun8i-ss
    - Allow imx-rngc to be used by kernel entropy pool
    - Use crypto engine in omap-sham
    - Add support for Ingenic X1830 with ingenic"

    * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (205 commits)
    X.509: Fix modular build of public_key_sm2
    crypto: xor - Remove unused variable count in do_xor_speed
    X.509: fix error return value on the failed path
    crypto: bcm - Verify GCM/CCM key length in setkey
    crypto: qat - drop input parameter from adf_enable_aer()
    crypto: qat - fix function parameters descriptions
    crypto: atmel-tdes - use semicolons rather than commas to separate statements
    crypto: drivers - use semicolons rather than commas to separate statements
    hwrng: mxc-rnga - use semicolons rather than commas to separate statements
    hwrng: iproc-rng200 - use semicolons rather than commas to separate statements
    hwrng: stm32 - use semicolons rather than commas to separate statements
    crypto: xor - use ktime for template benchmarking
    crypto: xor - defer load time benchmark to a later time
    crypto: hisilicon/zip - fix the uninitalized 'curr_qm_qp_num'
    crypto: hisilicon/zip - fix the return value when device is busy
    crypto: hisilicon/zip - fix zero length input in GZIP decompress
    crypto: hisilicon/zip - fix the uncleared debug registers
    lib/mpi: Fix unused variable warnings
    crypto: x86/poly1305 - Remove assignments with no effect
    hwrng: npcm - modify readl to readb
    ...

    Linus Torvalds
     
  • Pull compat iovec cleanups from Al Viro:
    "Christoph's series around import_iovec() and compat variant thereof"

    * 'work.iov_iter' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
    security/keys: remove compat_keyctl_instantiate_key_iov
    mm: remove compat_process_vm_{readv,writev}
    fs: remove compat_sys_vmsplice
    fs: remove the compat readv/writev syscalls
    fs: remove various compat readv/writev helpers
    iov_iter: transparently handle compat iovecs in import_iovec
    iov_iter: refactor rw_copy_check_uvector and import_iovec
    iov_iter: move rw_copy_check_uvector() into lib/iov_iter.c
    compat.h: fix a spelling error in

    Linus Torvalds
     
  • Pull EFI changes from Ingo Molnar:

    - Preliminary RISC-V enablement - the bulk of it will arrive via the
    RISCV tree.

    - Relax decompressed image placement rules for 32-bit ARM

    - Add support for passing MOK certificate table contents via a config
    table rather than a EFI variable.

    - Add support for 18 bit DIMM row IDs in the CPER records.

    - Work around broken Dell firmware that passes the entire Boot####
    variable contents as the command line

    - Add definition of the EFI_MEMORY_CPU_CRYPTO memory attribute so we
    can identify it in the memory map listings.

    - Don't abort the boot on arm64 if the EFI RNG protocol is available
    but returns with an error

    - Replace slashes with exclamation marks in efivarfs file names

    - Split efi-pstore from the deprecated efivars sysfs code, so we can
    disable the latter on !x86.

    - Misc fixes, cleanups and updates.

    * tag 'efi-core-2020-10-12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (26 commits)
    efi: mokvar: add missing include of asm/early_ioremap.h
    efi: efivars: limit availability to X86 builds
    efi: remove some false dependencies on CONFIG_EFI_VARS
    efi: gsmi: fix false dependency on CONFIG_EFI_VARS
    efi: efivars: un-export efivars_sysfs_init()
    efi: pstore: move workqueue handling out of efivars
    efi: pstore: disentangle from deprecated efivars module
    efi: mokvar-table: fix some issues in new code
    efi/arm64: libstub: Deal gracefully with EFI_RNG_PROTOCOL failure
    efivarfs: Replace invalid slashes with exclamation marks in dentries.
    efi: Delete deprecated parameter comments
    efi/libstub: Fix missing-prototypes in string.c
    efi: Add definition of EFI_MEMORY_CPU_CRYPTO and ability to report it
    cper,edac,efi: Memory Error Record: bank group/address and chip id
    edac,ghes,cper: Add Row Extension to Memory Error Record
    efi/x86: Add a quirk to support command line arguments on Dell EFI firmware
    efi/libstub: Add efi_warn and *_once logging helpers
    integrity: Load certs from the EFI MOK config table
    integrity: Move import of MokListRT certs to a separate routine
    efi: Support for MOK variable config table
    ...

    Linus Torvalds
     

12 Oct, 2020

1 commit

  • Since commit e2dc9bf3f5275ca3 ("umd: Transform fork_usermode_blob into
    fork_usermode_driver") started calling execve() on a program written in
    a local mount which is not connected to mount tree,
    tomoyo_realpath_from_path() started returning a pathname in
    "$fsname:/$pathname" format which violates TOMOYO's domainname rule that
    it must start with "" followed by zero or more repetitions of
    pathnames which start with '/'.

    Since $fsname must not contain '.' since commit 79c0b2df79eb56fc ("add
    filesystem subtype support"), tomoyo_correct_path() can recognize a token
    which appears '/' before '.' appears (e.g. proc:/self/exe ) as a pathname
    while rejecting a token which appears '.' before '/' appears (e.g.
    exec.realpath="/bin/bash" ) as a condition parameter.

    Therefore, accept domainnames which contain pathnames which do not start
    with '/' but contain '/' before '.' (e.g. tmpfs:/bpfilter_umh ).

    Signed-off-by: Tetsuo Handa

    Tetsuo Handa
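The added example below is not TOMOYO's code and not part of the commit; it models the token rule the commit describes in userspace, with assumed function names (TOMOYO's own check is tomoyo_correct_path()). The fixed leading token a domainname must begin with is not modelled; only the trailing list of pathnames is. The sample tokens are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Userspace model of the before/after pathname rule; assumed names. */

/* Before the change: a pathname token had to begin with '/'. */
static bool pathname_ok_strict(const char *tok)
{
	return tok[0] == '/';
}

/* After the change: also accept "$fsname:/..." tokens. A filesystem name
 * cannot contain '.', so a token whose first '/' comes before its first
 * '.' (or that has no '.') is a pathname, e.g. proc:/self/exe or
 * tmpfs:/bpfilter_umh, while a token with '.' before '/' such as
 * exec.realpath="/bin/bash" is a condition parameter, not a pathname. */
static bool pathname_ok_relaxed(const char *tok)
{
	const char *slash = strchr(tok, '/');
	const char *dot = strchr(tok, '.');

	if (!slash)
		return false;
	if (tok[0] == '/')
		return true;
	return dot == NULL || slash < dot;
}

/* Validate the part of a domainname after its fixed leading token: zero or
 * more single-space-separated pathnames. Empty string is valid. */
static bool domain_tail_ok(const char *tail, bool relaxed)
{
	char tok[256];

	while (*tail) {
		size_t n = strcspn(tail, " ");

		if (n == 0 || n >= sizeof(tok))
			return false; /* empty token (double space) or too long */
		memcpy(tok, tail, n);
		tok[n] = '\0';
		if (!(relaxed ? pathname_ok_relaxed(tok) : pathname_ok_strict(tok)))
			return false;
		tail += n;
		if (*tail == ' ')
			tail++;
	}
	return true;
}
```

The relaxed rule still refuses anything that looks like a condition, so loosening the pathname grammar does not let `exec.realpath="..."` style parameters be smuggled into a domainname.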
     

06 Oct, 2020

1 commit


05 Oct, 2020

10 commits

  • To perform partial reads, callers of kernel_read_file*() must have a
    non-NULL file_size argument and a preallocated buffer. The new "offset"
    argument can then be used to seek to specific locations in the file to
    fill the buffer to, at most, "buf_size" per call.

    Where possible, the LSM hooks can report whether a full file has been
    read or not so that the contents can be reasoned about.

    Signed-off-by: Kees Cook
    Link: https://lore.kernel.org/r/20201002173828.2099543-14-keescook@chromium.org
    Signed-off-by: Greg Kroah-Hartman

    Kees Cook
     
  • When the kernel_read_file LSM hook is called with contents=false, IMA
    can appraise the file directly, without requiring a filled buffer. When
    such a buffer is available, though, IMA can continue to use it instead
    of forcing a double read here.

    Signed-off-by: Scott Branden
    Link: https://lore.kernel.org/lkml/20200706232309.12010-10-scott.branden@broadcom.com/
    Signed-off-by: Kees Cook
    Reviewed-by: Mimi Zohar
    Link: https://lore.kernel.org/r/20201002173828.2099543-13-keescook@chromium.org
    Signed-off-by: Greg Kroah-Hartman

    Scott Branden
     
  • As with the kernel_load_data LSM hook, add a "contents" flag to the
    kernel_read_file LSM hook that indicates whether the LSM can expect
    a matching call to the kernel_post_read_file LSM hook with the full
    contents of the file. With the coming addition of partial file read
    support for kernel_read_file*() API, the LSM will no longer be able
    to always see the entire contents of a file during the read calls.

    For cases where the LSM must examine the complete file contents,
    it will need to do so on its own every time the kernel_read_file
    hook is called with contents=false (or reject such cases). Adjust all
    existing LSMs to retain existing behavior.

    Signed-off-by: Kees Cook
    Reviewed-by: Mimi Zohar
    Link: https://lore.kernel.org/r/20201002173828.2099543-12-keescook@chromium.org
    Signed-off-by: Greg Kroah-Hartman

    Kees Cook
     
  • Now that security_post_load_data() is wired up, use it instead
    of the NULL file argument style of security_post_read_file(),
    and update the security_kernel_load_data() call to indicate that a
    security_kernel_post_load_data() call is expected.

    Wire up the IMA check to match earlier logic. Perhaps a generalized
    change to ima_post_load_data() might look something like this:

        return process_buffer_measurement(buf, size,
                                          kernel_load_data_id_str(load_id),
                                          read_idmap[load_id] ?: FILE_CHECK,
                                          0, NULL);

    Signed-off-by: Kees Cook
    Reviewed-by: Mimi Zohar
    Link: https://lore.kernel.org/r/20201002173828.2099543-10-keescook@chromium.org
    Signed-off-by: Greg Kroah-Hartman

    Kees Cook
     
  • There are a few places in the kernel where LSMs would like to have
    visibility into the contents of a kernel buffer that has been loaded or
    read. While security_kernel_post_read_file() (which includes the
    buffer) exists as a pairing for security_kernel_read_file(), no such
    hook exists to pair with security_kernel_load_data().

    Earlier proposals for just using security_kernel_post_read_file() with a
    NULL file argument were rejected (i.e. "file" should always be valid for
    the security_..._file hooks), but it appears at least one case was
    left in the kernel during earlier refactoring. (This will be fixed in
    a subsequent patch.)

    Since not all cases of security_kernel_load_data() can have a single
    contiguous buffer made available to the LSM hook (e.g. kexec image
    segments are separately loaded), there needs to be a way for the LSM to
    reason about its expectations of the hook coverage. In order to handle
    this, add a "contents" argument to the "kernel_load_data" hook that
    indicates if the newly added "kernel_post_load_data" hook will be called
    with the full contents once loaded. That way, LSMs requiring full contents
    can choose to unilaterally reject "kernel_load_data" with contents=false
    (which is effectively the existing hook coverage), but when contents=true
    they can allow it and later evaluate the "kernel_post_load_data" hook
    once the buffer is loaded.

    With this change, LSMs can gain coverage over non-file-backed data loads
    (e.g. init_module(2) and firmware userspace helper), which will happen
    in subsequent patches.

    Additionally prepare IMA to start processing these cases.

    Signed-off-by: Kees Cook
    Reviewed-by: KP Singh
    Link: https://lore.kernel.org/r/20201002173828.2099543-9-keescook@chromium.org
    Signed-off-by: Greg Kroah-Hartman

    Kees Cook
     
  • In preparation for adding partial read support, add an optional output
    argument to kernel_read_file*() that reports the file size so callers
    can reason more easily about their reading progress.

    Signed-off-by: Kees Cook
    Reviewed-by: Mimi Zohar
    Reviewed-by: Luis Chamberlain
    Reviewed-by: James Morris
    Acked-by: Scott Branden
    Link: https://lore.kernel.org/r/20201002173828.2099543-8-keescook@chromium.org
    Signed-off-by: Greg Kroah-Hartman

    Kees Cook
     
  • In preparation for further refactoring of kernel_read_file*(), rename
    the "max_size" argument to the more accurate "buf_size", and correct
    its type to size_t. Add kerndoc to explain the specifics of how the
    arguments will be used. Note that with buf_size now size_t, it can no
    longer be negative (and was never called with a negative value). Adjust
    callers to use it as a "maximum size" when *buf is NULL.

    Signed-off-by: Kees Cook
    Reviewed-by: Mimi Zohar
    Reviewed-by: Luis Chamberlain
    Reviewed-by: James Morris
    Acked-by: Scott Branden
    Link: https://lore.kernel.org/r/20201002173828.2099543-7-keescook@chromium.org
    Signed-off-by: Greg Kroah-Hartman

    Kees Cook
     
  • In preparation for refactoring kernel_read_file*(), remove the redundant
    "size" argument which is not needed: it can be included in the return
    code, with callers adjusted. (VFS reads already cannot be larger than
    INT_MAX.)

    Signed-off-by: Kees Cook
    Reviewed-by: Mimi Zohar
    Reviewed-by: Luis Chamberlain
    Reviewed-by: James Morris
    Acked-by: Scott Branden
    Link: https://lore.kernel.org/r/20201002173828.2099543-6-keescook@chromium.org
    Signed-off-by: Greg Kroah-Hartman

    Kees Cook
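The added example below is not kernel code and not part of any commit above; it is a userspace model of the kernel_read_file*() contract these patches converge on (size_t buf_size, an offset for partial reads, an optional file_size output, bytes read or negative errno as the return) together with the "contents" flag semantics from the LSM hook patches. The in-memory file, the FNV-1a digest standing in for an IMA measurement, and every function name are constructed assumptions.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed in-memory "file" standing in for a file on disk. */
static const uint8_t sample_file[] = "firmware-blob-0123456789abcdef";
#define SAMPLE_FILE_SIZE (sizeof(sample_file) - 1) /* 30 bytes */

/* Model of the refactored read contract (assumed names, not the kernel's):
 * buf_size is the caller's buffer capacity, offset selects where the read
 * starts, *file_size (if non-NULL) receives the total size, and the return
 * is bytes read or a negative errno. */
static int model_read_file(uint8_t *buf, size_t buf_size, size_t *file_size,
			   size_t offset)
{
	size_t avail, n;

	if (!buf || buf_size == 0 || buf_size > INT_MAX)
		return -EINVAL;
	if (file_size)
		*file_size = SAMPLE_FILE_SIZE;
	if (offset > SAMPLE_FILE_SIZE)
		return -EINVAL;
	avail = SAMPLE_FILE_SIZE - offset;
	n = avail < buf_size ? avail : buf_size;
	memcpy(buf, sample_file + offset, n);
	return (int)n;
}

/* Stand-in for a measurement digest (FNV-1a 32-bit), not what IMA uses. */
static uint32_t fnv1a(const uint8_t *p, size_t len)
{
	uint32_t h = 0x811c9dc5u;

	for (size_t i = 0; i < len; i++)
		h = (h ^ p[i]) * 0x01000193u;
	return h;
}

/* Model policy: does this LSM need the whole file before it can decide? */
static bool policy_require_full_contents = true;

/* kernel_read_file hook model: "contents" says whether a post-read call
 * carrying the full buffer will follow. An LSM that must see everything
 * refuses up front when told it will not. */
static int lsm_read_file(bool contents)
{
	if (!contents && policy_require_full_contents)
		return -EACCES;
	return 0;
}

/* kernel_post_read_file hook model: only called with the full contents. */
static int lsm_post_read_file(const uint8_t *buf, size_t len, uint32_t expected)
{
	return fnv1a(buf, len) == expected ? 0 : -EBADMSG;
}

/* Whole-file read in one call, contents=true: the LSM gets the buffer. */
static int load_with_full_contents(uint32_t expected_digest)
{
	uint8_t buf[64];
	size_t file_size = 0;
	int n, rc = lsm_read_file(true);

	if (rc)
		return rc;
	n = model_read_file(buf, sizeof(buf), &file_size, 0);
	if (n < 0)
		return n;
	if ((size_t)n != file_size)
		return -EFBIG; /* buffer too small for "full contents" */
	return lsm_post_read_file(buf, (size_t)n, expected_digest);
}

#define CHUNK 8

/* Partial reads via offset, contents=false: the LSM never sees the whole
 * file, so a full-contents policy must reject before any data is used. */
static int load_in_chunks(size_t *total)
{
	uint8_t buf[CHUNK];
	size_t file_size = 0, off = 0;
	int rc = lsm_read_file(false);

	if (rc)
		return rc;
	*total = 0;
	do {
		int n = model_read_file(buf, sizeof(buf), &file_size, off);

		if (n < 0)
			return n;
		if (n == 0)
			break;
		off += (size_t)n;
		*total += (size_t)n;
	} while (off < file_size);
	return 0;
}
```

The design point the patches make is visible in `load_in_chunks()`: once reads can be partial, the post-read hook cannot be relied on to cover the data, so the decision has to move to the pre-read hook, where the only safe answers for a policy that needs full contents are "reject" or "read it again yourself".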
     
  • Move kernel_read_file* out of linux/fs.h to its own linux/kernel_read_file.h
    include file. That header gets pulled in just about everywhere
    and doesn't really need functions not related to the general fs interface.

    Suggested-by: Christoph Hellwig
    Signed-off-by: Scott Branden
    Signed-off-by: Kees Cook
    Reviewed-by: Christoph Hellwig
    Reviewed-by: Mimi Zohar
    Reviewed-by: Luis Chamberlain
    Acked-by: Greg Kroah-Hartman
    Acked-by: James Morris
    Link: https://lore.kernel.org/r/20200706232309.12010-2-scott.branden@broadcom.com
    Link: https://lore.kernel.org/r/20201002173828.2099543-4-keescook@chromium.org
    Signed-off-by: Greg Kroah-Hartman

    Scott Branden
     
  • FIRMWARE_PREALLOC_BUFFER is a "how", not a "what", and confuses the LSMs
    that are interested in filtering between types of things. The "how"
    should be an internal detail made uninteresting to the LSMs.

    Fixes: a098ecd2fa7d ("firmware: support loading into a pre-allocated buffer")
    Fixes: fd90bc559bfb ("ima: based on policy verify firmware signatures (pre-allocated buffer)")
    Fixes: 4f0496d8ffa3 ("ima: based on policy warn about loading firmware (pre-allocated buffer)")
    Signed-off-by: Kees Cook
    Reviewed-by: Mimi Zohar
    Reviewed-by: Luis Chamberlain
    Acked-by: Scott Branden
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/20201002173828.2099543-2-keescook@chromium.org
    Signed-off-by: Greg Kroah-Hartman

    Kees Cook