Linux v5.0.1 rebase

author: Laura Abbott <labbott@redhat.com> 2019-03-11 13:35:25 -0700
committer: Laura Abbott <labbott@redhat.com> 2019-03-11 13:59:25 -0700
commit: 2d62e0d70f99987e98fedec648a10a286000eab0 (patch)
tree: b7c04f62e6915fe7865db2fafadd0ade3a323981 /efi-lockdown.patch
parent: 4c7c358c38e94d1ccbc1f848e6cb98711fa9284c (diff)
download: kernel-2d62e0d70f99987e98fedec648a10a286000eab0.tar.gz
kernel-2d62e0d70f99987e98fedec648a10a286000eab0.tar.xz
kernel-2d62e0d70f99987e98fedec648a10a286000eab0.zip
1 files changed, 6 insertions, 239 deletions
diff --git a/efi-lockdown.patch b/efi-lockdown.patch
index 2fbc40e63..a4b602b2a 100644
--- a/efi-lockdown.patch
+++ b/efi-lockdown.patch
@@ -136,9 +136,9 @@ index c4302067a3ad..a68e5bdebad5 100644
 +	  Makes the lockdown non-negotiable.  It is always on and cannot be
 +	  disabled.
 +
- source security/selinux/Kconfig
- source security/smack/Kconfig
- source security/tomoyo/Kconfig
+ source "security/selinux/Kconfig"
+ source "security/smack/Kconfig"
+ source "security/tomoyo/Kconfig"
 @@ -278,4 +300,3 @@ config DEFAULT_SECURITY
  	default "" if DEFAULT_SECURITY_DAC
 
@@ -447,9 +447,9 @@ index a68e5bdebad5..46967ee77dfd 100644
 +	  combination on a wired keyboard.  On x86, this is SysRq+x.
 +
 +
- source security/selinux/Kconfig
- source security/smack/Kconfig
- source security/tomoyo/Kconfig
+ source "security/selinux/Kconfig"
+ source "security/smack/Kconfig"
+ source "security/tomoyo/Kconfig"
 diff --git a/security/lock_down.c b/security/lock_down.c
 index f35ffdd096ad..2615669dbf03 100644
 --- a/security/lock_down.c
@@ -518,239 +518,6 @@ index f35ffdd096ad..2615669dbf03 100644
 -- 
 2.14.3
 
-From 2d534703537af95f601d3bdab11ee6ba8b3bc2dc Mon Sep 17 00:00:00 2001
-From: Mimi Zohar <zohar@linux.vnet.ibm.com>
-Date: Mon, 9 Apr 2018 09:52:45 +0100
-Subject: [PATCH 03/24] ima: require secure_boot rules in lockdown mode
-
-Require the "secure_boot" rules, whether or not it is specified
-on the boot command line, for both the builtin and custom policies
-in secure boot lockdown mode.
-
-Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
-Signed-off-by: David Howells <dhowells@redhat.com>
----
- security/integrity/ima/ima_policy.c | 34 +++++++++++++++++++++++------
- 1 file changed, 27 insertions(+), 7 deletions(-)
-
-diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
-index 8c9499867c91..f8428f579924 100644
---- a/security/integrity/ima/ima_policy.c
-+++ b/security/integrity/ima/ima_policy.c
-@@ -481,14 +481,21 @@ static int ima_appraise_flag(enum ima_hooks func)
-  */
- void __init ima_init_policy(void)
- {
--	int i, measure_entries, appraise_entries, secure_boot_entries;
-+	int i;
-+	int measure_entries = 0;
-+	int appraise_entries = 0;
-+	int secure_boot_entries = 0;
-+	bool kernel_locked_down = __kernel_is_locked_down(NULL, false);
- 
- 	/* if !ima_policy set entries = 0 so we load NO default rules */
--	measure_entries = ima_policy ? ARRAY_SIZE(dont_measure_rules) : 0;
--	appraise_entries = ima_use_appraise_tcb ?
--			 ARRAY_SIZE(default_appraise_rules) : 0;
--	secure_boot_entries = ima_use_secure_boot ?
--			ARRAY_SIZE(secure_boot_rules) : 0;
-+	if (ima_policy)
-+		measure_entries = ARRAY_SIZE(dont_measure_rules);
-+
-+	if (ima_use_appraise_tcb)
-+		appraise_entries = ARRAY_SIZE(default_appraise_rules);
-+
-+	if (ima_use_secure_boot || kernel_locked_down)
-+		secure_boot_entries = ARRAY_SIZE(secure_boot_rules);
- 
- 	for (i = 0; i < measure_entries; i++)
- 		list_add_tail(&dont_measure_rules[i].list, &ima_default_rules);
-@@ -509,12 +516,25 @@ void __init ima_init_policy(void)
- 
- 	/*
- 	 * Insert the builtin "secure_boot" policy rules requiring file
--	 * signatures, prior to any other appraise rules.
-+	 * signatures, prior to any other appraise rules.  In secure boot
-+	 * lock-down mode, also require these appraise rules for custom
-+	 * policies.
- 	 */
- 	for (i = 0; i < secure_boot_entries; i++) {
-+		struct ima_rule_entry *entry;
-+
-+		/* Include for builtin policies */
- 		list_add_tail(&secure_boot_rules[i].list, &ima_default_rules);
- 		temp_ima_appraise |=
- 		    ima_appraise_flag(secure_boot_rules[i].func);
-+
-+		/* Include for custom policies */
-+		if (kernel_locked_down) {
-+			entry = kmemdup(&secure_boot_rules[i], sizeof(*entry),
-+					GFP_KERNEL);
-+			if (entry)
-+				list_add_tail(&entry->list, &ima_policy_rules);
-+		}
- 	}
- 
- 	/*
--- 
-2.17.1
-
-From 980a380dc973c5a7745e4833aba368637a99df2e Mon Sep 17 00:00:00 2001
-From: David Howells <dhowells@redhat.com>
-Date: Mon, 9 Apr 2018 09:52:46 +0100
-Subject: [PATCH] Enforce module signatures if the kernel is locked down
-
-If the kernel is locked down, require that all modules have valid
-signatures that we can verify or that IMA can validate the file.
-
-I have adjusted the errors generated:
-
- (1) If there's no signature (ENODATA) or we can't check it (ENOPKG,
-     ENOKEY), then:
-
-     (a) If signatures are enforced then EKEYREJECTED is returned.
-
-     (b) If IMA will have validated the image, return 0 (okay).
-
-     (c) If there's no signature or we can't check it, but the kernel is
-	 locked down then EPERM is returned (this is then consistent with
-	 other lockdown cases).
-
- (2) If the signature is unparseable (EBADMSG, EINVAL), the signature fails
-     the check (EKEYREJECTED) or a system error occurs (eg. ENOMEM), we
-     return the error we got.
-
-Note that the X.509 code doesn't check for key expiry as the RTC might not
-be valid or might not have been transferred to the kernel's clock yet.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
-Reviewed-by: Jiri Bohac <jbohac@suse.cz>
-cc: "Lee, Chun-Yi" <jlee@suse.com>
-cc: James Morris <james.l.morris@oracle.com>
----
- kernel/module.c | 56 +++++++++++++++++++++++++++++++++++++------------
- 1 file changed, 43 insertions(+), 13 deletions(-)
-
-diff --git a/kernel/module.c b/kernel/module.c
-index b046a32520d8..3bb0722c106e 100644
---- a/kernel/module.c
-+++ b/kernel/module.c
-@@ -64,6 +64,7 @@
- #include <linux/bsearch.h>
- #include <linux/dynamic_debug.h>
- #include <linux/audit.h>
-+#include <linux/ima.h>
- #include <uapi/linux/module.h>
- #include "module-internal.h"
- 
-@@ -2741,10 +2742,12 @@ static inline void kmemleak_load_module(const struct module *mod,
- #endif
- 
- #ifdef CONFIG_MODULE_SIG
--static int module_sig_check(struct load_info *info, int flags)
-+static int module_sig_check(struct load_info *info, int flags,
-+			    bool can_do_ima_check)
- {
--	int err = -ENOKEY;
-+	int err = -ENODATA;
- 	const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
-+	const char *reason;
- 	const void *mod = info->hdr;
- 
- 	/*
-@@ -2759,19 +2762,46 @@ static int module_sig_check(struct load_info *info, int flags)
- 		err = mod_verify_sig(mod, info);
- 	}
- 
--	if (!err) {
-+	switch (err) {
-+	case 0:
- 		info->sig_ok = true;
- 		return 0;
--	}
- 
--	/* Not having a signature is only an error if we're strict. */
--	if (err == -ENOKEY && !is_module_sig_enforced())
--		err = 0;
-+		/* We don't permit modules to be loaded into trusted kernels
-+		 * without a valid signature on them, but if we're not
-+		 * enforcing, certain errors are non-fatal.
-+		 */
-+	case -ENODATA:
-+		reason = "Loading of unsigned module";
-+		goto decide;
-+	case -ENOPKG:
-+		reason = "Loading of module with unsupported crypto";
-+		goto decide;
-+	case -ENOKEY:
-+		reason = "Loading of module with unavailable key";
-+	decide:
-+		if (sig_enforce) {
-+			pr_notice("%s is rejected\n", reason);
-+			return -EKEYREJECTED;
-+		}
- 
--	return err;
-+		if (can_do_ima_check && is_ima_appraise_enabled())
-+			return 0;
-+		if (kernel_is_locked_down(reason))
-+			return -EPERM;
-+		return 0;
-+
-+		/* All other errors are fatal, including nomem, unparseable
-+		 * signatures and signature check failures - even if signatures
-+		 * aren't required.
-+		 */
-+	default:
-+		return err;
-+	}
- }
- #else /* !CONFIG_MODULE_SIG */
--static int module_sig_check(struct load_info *info, int flags)
-+static int module_sig_check(struct load_info *info, int flags,
-+			    bool can_do_ima_check)
- {
- 	return 0;
- }
-@@ -3620,7 +3650,7 @@ static int unknown_module_param_cb(char *param, char *val, const char *modname,
- /* Allocate and load the module: note that size of section 0 is always
-    zero, and we rely on this for optional sections. */
- static int load_module(struct load_info *info, const char __user *uargs,
--		       int flags)
-+		       int flags, bool can_do_ima_check)
- {
- 	struct module *mod;
- 	long err = 0;
-@@ -3639,7 +3669,7 @@ static int load_module(struct load_info *info, const char __user *uargs,
- 		goto free_copy;
- 	}
- 
--	err = module_sig_check(info, flags);
-+	err = module_sig_check(info, flags, can_do_ima_check);
- 	if (err)
- 		goto free_copy;
- 
-@@ -3834,7 +3864,7 @@ SYSCALL_DEFINE3(init_module, void __user *, umod,
- 	if (err)
- 		return err;
- 
--	return load_module(&info, uargs, 0);
-+	return load_module(&info, uargs, 0, false);
- }
- 
- SYSCALL_DEFINE3(finit_module, int, fd, const char __user *, uargs, int, flags)
-@@ -3861,7 +3891,7 @@ SYSCALL_DEFINE3(finit_module, int, fd, const char __user *, uargs, int, flags)
- 	info.hdr = hdr;
- 	info.len = size;
- 
--	return load_module(&info, uargs, flags);
-+	return load_module(&info, uargs, flags, true);
- }
- 
- static inline int within(unsigned long addr, void *start, unsigned long size)
--- 
-2.17.1
-
 From 7948946e19294e7560c81b177b2788d21ed79f59 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <mjg59@srcf.ucam.org>
 Date: Mon, 9 Apr 2018 09:52:46 +0100
author	Laura Abbott <labbott@redhat.com>	2019-03-11 13:35:25 -0700
committer	Laura Abbott <labbott@redhat.com>	2019-03-11 13:59:25 -0700
commit	2d62e0d70f99987e98fedec648a10a286000eab0 (patch)
tree	b7c04f62e6915fe7865db2fafadd0ade3a323981 /efi-lockdown.patch
parent	4c7c358c38e94d1ccbc1f848e6cb98711fa9284c (diff)
download	kernel-2d62e0d70f99987e98fedec648a10a286000eab0.tar.gz kernel-2d62e0d70f99987e98fedec648a10a286000eab0.tar.xz kernel-2d62e0d70f99987e98fedec648a10a286000eab0.zip