diff options
-rw-r--r-- | efi-lockdown.patch | 52 | ||||
-rw-r--r-- | gitrev | 2 | ||||
-rw-r--r-- | kernel.spec | 5 | ||||
-rw-r--r-- | sources | 2 |
4 files changed, 33 insertions, 28 deletions
diff --git a/efi-lockdown.patch b/efi-lockdown.patch index 307b272f4..4e6ed15c2 100644 --- a/efi-lockdown.patch +++ b/efi-lockdown.patch @@ -595,10 +595,10 @@ index 8c9499867c91..f8428f579924 100644 -- 2.17.1 -From 64b01ecc309c8ae79209e00dd8b95a549e5050b7 Mon Sep 17 00:00:00 2001 +From 980a380dc973c5a7745e4833aba368637a99df2e Mon Sep 17 00:00:00 2001 From: David Howells <dhowells@redhat.com> Date: Mon, 9 Apr 2018 09:52:46 +0100 -Subject: [PATCH 04/24] Enforce module signatures if the kernel is locked down +Subject: [PATCH] Enforce module signatures if the kernel is locked down If the kernel is locked down, require that all modules have valid signatures that we can verify or that IMA can validate the file. @@ -628,11 +628,11 @@ Reviewed-by: Jiri Bohac <jbohac@suse.cz> cc: "Lee, Chun-Yi" <jlee@suse.com> cc: James Morris <james.l.morris@oracle.com> --- - kernel/module.c | 56 +++++++++++++++++++++++++++++++++++++++++++------------- + kernel/module.c | 56 +++++++++++++++++++++++++++++++++++++------------ 1 file changed, 43 insertions(+), 13 deletions(-) diff --git a/kernel/module.c b/kernel/module.c -index a6e43a5806a1..9c1709a05037 100644 +index b046a32520d8..3bb0722c106e 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -64,6 +64,7 @@ @@ -642,10 +642,10 @@ index a6e43a5806a1..9c1709a05037 100644 +#include <linux/ima.h> #include <uapi/linux/module.h> #include "module-internal.h" - -@@ -2761,10 +2762,12 @@ static inline void kmemleak_load_module(const struct module *mod, + +@@ -2741,10 +2742,12 @@ static inline void kmemleak_load_module(const struct module *mod, #endif - + #ifdef CONFIG_MODULE_SIG -static int module_sig_check(struct load_info *info, int flags) +static int module_sig_check(struct load_info *info, int flags, @@ -656,19 +656,19 @@ index a6e43a5806a1..9c1709a05037 100644 const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1; + const char *reason; const void *mod = info->hdr; - + /* -@@ -2779,19 +2782,46 @@ static int module_sig_check(struct load_info *info, int flags) - err = mod_verify_sig(mod, &info->len); +@@ -2759,19 +2762,46 @@ static int module_sig_check(struct load_info *info, int flags) + err = mod_verify_sig(mod, info); } - + - if (!err) { + switch (err) { + case 0: info->sig_ok = true; return 0; - } - + - /* Not having a signature is only an error if we're strict. */ - if (err == -ENOKEY && !is_module_sig_enforced()) - err = 0; @@ -689,7 +689,7 @@ index a6e43a5806a1..9c1709a05037 100644 + pr_notice("%s is rejected\n", reason); + return -EKEYREJECTED; + } - + - return err; + if (can_do_ima_check && is_ima_appraise_enabled()) + return 0; @@ -712,7 +712,7 @@ index a6e43a5806a1..9c1709a05037 100644 { return 0; } -@@ -3651,13 +3681,13 @@ static int unknown_module_param_cb(char *param, char *val, const char *modname, +@@ -3620,7 +3650,7 @@ static int unknown_module_param_cb(char *param, char *val, const char *modname, /* Allocate and load the module: note that size of section 0 is always zero, and we rely on this for optional sections. */ static int load_module(struct load_info *info, const char __user *uargs, @@ -720,34 +720,36 @@ index a6e43a5806a1..9c1709a05037 100644 + int flags, bool can_do_ima_check) { struct module *mod; - long err; - char *after_dashes; - + long err = 0; +@@ -3639,7 +3669,7 @@ static int load_module(struct load_info *info, const char __user *uargs, + goto free_copy; + } + - err = module_sig_check(info, flags); + err = module_sig_check(info, flags, can_do_ima_check); if (err) goto free_copy; - -@@ -3846,7 +3876,7 @@ SYSCALL_DEFINE3(init_module, void __user *, umod, + +@@ -3834,7 +3864,7 @@ SYSCALL_DEFINE3(init_module, void __user *, umod, if (err) return err; - + - return load_module(&info, uargs, 0); + return load_module(&info, uargs, 0, false); } - + SYSCALL_DEFINE3(finit_module, int, fd, const char __user *, uargs, int, flags) -@@ -3873,7 +3903,7 @@ SYSCALL_DEFINE3(finit_module, int, fd, const char __user *, uargs, int, flags) +@@ -3861,7 +3891,7 @@ SYSCALL_DEFINE3(finit_module, int, fd, const char __user *, uargs, int, flags) info.hdr = hdr; info.len = size; - + - return load_module(&info, uargs, flags); + return load_module(&info, uargs, flags, true); } - + static inline int within(unsigned long addr, void *start, unsigned long size) -- -2.14.3 +2.17.1 From 7948946e19294e7560c81b177b2788d21ed79f59 Mon Sep 17 00:00:00 2001 From: Matthew Garrett <mjg59@srcf.ucam.org> @@ -1 +1 @@ -5c60a7389d795e001c8748b458eb76e3a5b6008c +1f7a4c73a739a63b3f108d8eda6f947fdc70dd65 diff --git a/kernel.spec b/kernel.spec index cfca93297..885659822 100644 --- a/kernel.spec +++ b/kernel.spec @@ -69,7 +69,7 @@ Summary: The Linux kernel # The rc snapshot level %global rcrev 0 # The git snapshot level -%define gitrev 4 +%define gitrev 5 # Set rpm version accordingly %define rpmversion 4.%{upstream_sublevel}.0 %endif @@ -1881,6 +1881,9 @@ fi # # %changelog +* Sat Aug 18 2018 Jeremy Cline <jcline@redhat.com> - 4.19.0-0.rc0.git5.1 +- Linux v4.18-8895-g1f7a4c73a739 + * Fri Aug 17 2018 Laura Abbott <labbott@redhat.com> - Enable CONFIG_AF_KCM (rhbz 1613819) @@ -1,2 +1,2 @@ SHA512 (linux-4.18.tar.xz) = 950eb85ac743b291afe9f21cd174d823e25f11883ee62cecfbfff8fe8c5672aae707654b1b8f29a133b1f2e3529e63b9f7fba4c45d6dacccc8000b3a9a9ae038 -SHA512 (patch-4.18-git4.xz) = 9fcca1932f896fca915d7be48c09cbe70fa086eb8fbc63818abcab2be7de1b6710f2c23593a9549feb9a6a62dff50a485e4869209d8d5c7fcbfb1c2a37720a15 +SHA512 (patch-4.18-git5.xz) = 7c251d05f5ed9cdeb4b751c23f28a049c8aa4a72fcb127a934a6bef60c3ea54e47f46f34f73113bbe6cd1c412d78504a3ac9778c534c5d9a61178e0dcf1ac1c7 |