Rebase to v4.19.0

1 files changed, 48 insertions, 45 deletions

diff --git a/efi-lockdown.patch b/efi-lockdown.patch
index f11505b9e..4f84f4715 100644
--- a/efi-lockdown.patch
+++ b/efi-lockdown.patch
@@ -530,14 +530,14 @@ in secure boot lockdown mode.
 Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
 Signed-off-by: David Howells <dhowells@redhat.com>
 ---
- security/integrity/ima/ima_policy.c | 39 +++++++++++++++++++++++++++----------
- 1 file changed, 29 insertions(+), 10 deletions(-)
+ security/integrity/ima/ima_policy.c | 34 +++++++++++++++++++++++------
+ 1 file changed, 27 insertions(+), 7 deletions(-)
 
 diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
-index d89bebf85421..da6f55c96a61 100644
+index 8c9499867c91..f8428f579924 100644
 --- a/security/integrity/ima/ima_policy.c
 +++ b/security/integrity/ima/ima_policy.c
-@@ -443,14 +443,21 @@ void ima_update_policy_flag(void)
+@@ -481,14 +481,21 @@ static int ima_appraise_flag(enum ima_hooks func)
   */
  void __init ima_init_policy(void)
  {
@@ -547,7 +547,7 @@ index d89bebf85421..da6f55c96a61 100644
 +	int appraise_entries = 0;
 +	int secure_boot_entries = 0;
 +	bool kernel_locked_down = __kernel_is_locked_down(NULL, false);
-
+ 
  	/* if !ima_policy set entries = 0 so we load NO default rules */
 -	measure_entries = ima_policy ? ARRAY_SIZE(dont_measure_rules) : 0;
 -	appraise_entries = ima_use_appraise_tcb ?
@@ -562,16 +562,17 @@ index d89bebf85421..da6f55c96a61 100644
 +
 +	if (ima_use_secure_boot || kernel_locked_down)
 +		secure_boot_entries = ARRAY_SIZE(secure_boot_rules);
-
+ 
  	for (i = 0; i < measure_entries; i++)
  		list_add_tail(&dont_measure_rules[i].list, &ima_default_rules);
-@@ -487,12 +494,24 @@ void __init ima_init_policy(void)
+@@ -509,12 +516,25 @@ void __init ima_init_policy(void)
  
  	/*
- 	 * Insert the appraise rules requiring file signatures, prior to
--	 * any other appraise rules.
-+	 * any other appraise rules.  In secure boot lock-down mode, also
-+	 * require these appraise rules for custom policies.
+ 	 * Insert the builtin "secure_boot" policy rules requiring file
+-	 * signatures, prior to any other appraise rules.
++	 * signatures, prior to any other appraise rules.  In secure boot
++	 * lock-down mode, also require these appraise rules for custom
++	 * policies.
  	 */
  	for (i = 0; i < secure_boot_entries; i++) {
 +		struct ima_rule_entry *entry;
@@ -590,14 +591,14 @@ index d89bebf85421..da6f55c96a61 100644
 +		}
  	}
  
- 	for (i = 0; i < appraise_entries; i++) {
+ 	/*
 -- 
-2.14.3
+2.17.1
 
-From 64b01ecc309c8ae79209e00dd8b95a549e5050b7 Mon Sep 17 00:00:00 2001
+From 980a380dc973c5a7745e4833aba368637a99df2e Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Mon, 9 Apr 2018 09:52:46 +0100
-Subject: [PATCH 04/24] Enforce module signatures if the kernel is locked down
+Subject: [PATCH] Enforce module signatures if the kernel is locked down
 
 If the kernel is locked down, require that all modules have valid
 signatures that we can verify or that IMA can validate the file.
@@ -627,11 +628,11 @@ Reviewed-by: Jiri Bohac <jbohac@suse.cz>
 cc: "Lee, Chun-Yi" <jlee@suse.com>
 cc: James Morris <james.l.morris@oracle.com>
 ---
- kernel/module.c | 56 +++++++++++++++++++++++++++++++++++++++++++-------------
+ kernel/module.c | 56 +++++++++++++++++++++++++++++++++++++------------
  1 file changed, 43 insertions(+), 13 deletions(-)
 
 diff --git a/kernel/module.c b/kernel/module.c
-index a6e43a5806a1..9c1709a05037 100644
+index b046a32520d8..3bb0722c106e 100644
 --- a/kernel/module.c
 +++ b/kernel/module.c
 @@ -64,6 +64,7 @@
@@ -641,10 +642,10 @@ index a6e43a5806a1..9c1709a05037 100644
 +#include <linux/ima.h>
  #include <uapi/linux/module.h>
  #include "module-internal.h"
-
-@@ -2761,10 +2762,12 @@ static inline void kmemleak_load_module(const struct module *mod,
+ 
+@@ -2741,10 +2742,12 @@ static inline void kmemleak_load_module(const struct module *mod,
  #endif
-
+ 
  #ifdef CONFIG_MODULE_SIG
 -static int module_sig_check(struct load_info *info, int flags)
 +static int module_sig_check(struct load_info *info, int flags,
@@ -655,19 +656,19 @@ index a6e43a5806a1..9c1709a05037 100644
  	const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
 +	const char *reason;
  	const void *mod = info->hdr;
-
+ 
  	/*
-@@ -2779,19 +2782,46 @@ static int module_sig_check(struct load_info *info, int flags)
- 		err = mod_verify_sig(mod, &info->len);
+@@ -2759,19 +2762,46 @@ static int module_sig_check(struct load_info *info, int flags)
+ 		err = mod_verify_sig(mod, info);
  	}
-
+ 
 -	if (!err) {
 +	switch (err) {
 +	case 0:
  		info->sig_ok = true;
  		return 0;
 -	}
-
+ 
 -	/* Not having a signature is only an error if we're strict. */
 -	if (err == -ENOKEY && !is_module_sig_enforced())
 -		err = 0;
@@ -688,7 +689,7 @@ index a6e43a5806a1..9c1709a05037 100644
 +			pr_notice("%s is rejected\n", reason);
 +			return -EKEYREJECTED;
 +		}
-
+ 
 -	return err;
 +		if (can_do_ima_check && is_ima_appraise_enabled())
 +			return 0;
@@ -711,7 +712,7 @@ index a6e43a5806a1..9c1709a05037 100644
  {
  	return 0;
  }
-@@ -3651,13 +3681,13 @@ static int unknown_module_param_cb(char *param, char *val, const char *modname,
+@@ -3620,7 +3650,7 @@ static int unknown_module_param_cb(char *param, char *val, const char *modname,
  /* Allocate and load the module: note that size of section 0 is always
     zero, and we rely on this for optional sections. */
  static int load_module(struct load_info *info, const char __user *uargs,
@@ -719,34 +720,36 @@ index a6e43a5806a1..9c1709a05037 100644
 +		       int flags, bool can_do_ima_check)
  {
  	struct module *mod;
- 	long err;
- 	char *after_dashes;
-
+ 	long err = 0;
+@@ -3639,7 +3669,7 @@ static int load_module(struct load_info *info, const char __user *uargs,
+ 		goto free_copy;
+ 	}
+ 
 -	err = module_sig_check(info, flags);
 +	err = module_sig_check(info, flags, can_do_ima_check);
  	if (err)
  		goto free_copy;
-
-@@ -3846,7 +3876,7 @@ SYSCALL_DEFINE3(init_module, void __user *, umod,
+ 
+@@ -3834,7 +3864,7 @@ SYSCALL_DEFINE3(init_module, void __user *, umod,
  	if (err)
  		return err;
-
+ 
 -	return load_module(&info, uargs, 0);
 +	return load_module(&info, uargs, 0, false);
  }
-
+ 
  SYSCALL_DEFINE3(finit_module, int, fd, const char __user *, uargs, int, flags)
-@@ -3873,7 +3903,7 @@ SYSCALL_DEFINE3(finit_module, int, fd, const char __user *, uargs, int, flags)
+@@ -3861,7 +3891,7 @@ SYSCALL_DEFINE3(finit_module, int, fd, const char __user *, uargs, int, flags)
  	info.hdr = hdr;
  	info.len = size;
-
+ 
 -	return load_module(&info, uargs, flags);
 +	return load_module(&info, uargs, flags, true);
  }
-
+ 
  static inline int within(unsigned long addr, void *start, unsigned long size)
 -- 
-2.14.3
+2.17.1
 
 From 7948946e19294e7560c81b177b2788d21ed79f59 Mon Sep 17 00:00:00 2001
 From: Matthew Garrett <mjg59@srcf.ucam.org>
@@ -811,13 +814,13 @@ cc: kexec@lists.infradead.org
  1 file changed, 7 insertions(+)
 
 diff --git a/kernel/kexec.c b/kernel/kexec.c
-index aed8fb2564b3..1553ac765e73 100644
+index 68559808fdfa..041d505070e1 100644
 --- a/kernel/kexec.c
 +++ b/kernel/kexec.c
-@@ -199,6 +199,13 @@ static inline int kexec_load_check(unsigned long nr_segments,
+@@ -202,6 +202,13 @@ static inline int kexec_load_check(unsigned long nr_segments,
  	if (!capable(CAP_SYS_BOOT) || kexec_load_disabled)
  		return -EPERM;
-
+ 
 +	/*
 +	 * kexec can be used to circumvent module loading restrictions, so
 +	 * prevent loading in that case
@@ -825,11 +828,11 @@ index aed8fb2564b3..1553ac765e73 100644
 +	if (kernel_is_locked_down("kexec of unsigned images"))
 +		return -EPERM;
 +
- 	/*
- 	 * Verify we have a legal set of flags
- 	 * This leaves us room for future extensions.
+ 	/* Permit LSMs and IMA to fail the kexec */
+ 	result = security_kernel_load_data(LOADING_KEXEC_IMAGE);
+ 	if (result < 0)
 -- 
-2.14.3
+2.17.1
 
 From aed8ee965258e3926be6aaeb57aef8a9a03c9989 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>