Diffstat (limited to 'patch-5.13.0-redhat.patch')
-rw-r--r-- | patch-5.13.0-redhat.patch | 124 |
1 files changed, 29 insertions, 95 deletions
diff --git a/patch-5.13.0-redhat.patch b/patch-5.13.0-redhat.patch index 41fefb0dd..24f398a19 100644 --- a/patch-5.13.0-redhat.patch +++ b/patch-5.13.0-redhat.patch @@ -1,5 +1,5 @@ Documentation/admin-guide/kdump/kdump.rst | 11 + - Documentation/admin-guide/kernel-parameters.txt | 8 + + Documentation/admin-guide/kernel-parameters.txt | 9 + Kconfig | 2 + Kconfig.redhat | 17 ++ Makefile | 13 +- @@ -55,12 +55,13 @@ include/linux/rmi.h | 1 + include/linux/security.h | 5 + kernel/Makefile | 1 + - kernel/bpf/syscall.c | 27 ++ + kernel/bpf/syscall.c | 24 ++ kernel/crash_core.c | 28 +- kernel/module.c | 2 + kernel/module_signing.c | 9 +- kernel/panic.c | 14 + kernel/rh_taint.c | 93 +++++++ + kernel/sysctl.c | 5 + mm/cma.c | 10 + scripts/mod/modpost.c | 8 + scripts/tags.sh | 2 + @@ -68,7 +69,7 @@ security/lockdown/Kconfig | 13 + security/lockdown/lockdown.c | 1 + security/security.c | 6 + - 70 files changed, 1211 insertions(+), 188 deletions(-) + 71 files changed, 1214 insertions(+), 188 deletions(-) diff --git a/Documentation/admin-guide/kdump/kdump.rst b/Documentation/admin-guide/kdump/kdump.rst index 75a9dd98e76e..3ff3291551f9 100644 @@ -93,20 +94,21 @@ index 75a9dd98e76e..3ff3291551f9 100644 Boot into System Kernel diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt -index cb89dbdedc46..3d033c0b69f9 100644 +index cb89dbdedc46..e4c7b7002d58 100644 --- a/Documentation/admin-guide/kernel-parameters.txt 
+++ b/Documentation/admin-guide/kernel-parameters.txt -@@ -5764,6 +5764,14 @@ +@@ -5764,6 +5764,15 @@ unknown_nmi_panic [X86] Cause panic on unknown NMI. + unprivileged_bpf_disabled= -+ Format: { "0" | "1" } ++ Format: { "0" | "1" | "2" } + Sets the initial value of + kernel.unprivileged_bpf_disabled sysctl knob. + 0 - unprivileged bpf() syscall access is enabled. -+ 1 - unprivileged bpf() syscall access is disabled. -+ Default value is 1. ++ 1 - unprivileged bpf() syscall access is disabled permanently. ++ 2 - unprivileged bpf() syscall access is disabled. ++ Default value is 2. + usbcore.authorized_default= [USB] Default USB device authorization: @@ -2349,7 +2351,7 @@ index 4df609be42d0..4ef0c0f6a8f4 100644 obj-$(CONFIG_MODULES) += kmod.o obj-$(CONFIG_MULTIUSER) += groups.o diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c -index ea04b0deb5ce..88925c1887b7 100644 +index ea04b0deb5ce..cb37c3f119cf 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c @@ -24,6 +24,7 @@ @@ -2360,13 +2362,10 @@ index ea04b0deb5ce..88925c1887b7 100644 #include <uapi/linux/btf.h> #include <linux/pgtable.h> #include <linux/bpf_lsm.h> -@@ -50,6 +51,26 @@ static DEFINE_SPINLOCK(map_idr_lock); +@@ -50,6 +51,23 @@ static DEFINE_SPINLOCK(map_idr_lock); static DEFINE_IDR(link_idr); static DEFINE_SPINLOCK(link_idr_lock); -+/* RHEL-only: default to 1 */ -+int sysctl_unprivileged_bpf_disabled __read_mostly = 1; -+ +static int __init unprivileged_bpf_setup(char *str) +{ + unsigned long disabled; @@ -2387,7 +2386,7 @@ index ea04b0deb5ce..88925c1887b7 100644 int sysctl_unprivileged_bpf_disabled __read_mostly = IS_BUILTIN(CONFIG_BPF_UNPRIV_DEFAULT_OFF) ? 2 : 0; -@@ -4369,11 +4390,17 @@ static int bpf_prog_bind_map(union bpf_attr *attr) +@@ -4369,11 +4387,17 @@ static int bpf_prog_bind_map(union bpf_attr *attr) SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, size) { union bpf_attr attr; 
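Review bot: With the RHEL-only `int sysctl_unprivileged_bpf_disabled __read_mostly = 1;` dropped in the kernel/bpf/syscall.c hunk, the only definition left is the upstream `IS_BUILTIN(CONFIG_BPF_UNPRIV_DEFAULT_OFF) ? 2 : 0`, so the "Default value is 2" that the kernel-parameters.txt hunk documents holds only while that Kconfig option is built in; a config that loses the option silently re-enables unprivileged bpf() at boot with no warning or taint. I would pin that dependency with a comment above the remaining definition, `/* RHEL: the disabled-by-default (2) posture relies on CONFIG_BPF_UNPRIV_DEFAULT_OFF in the shipped config */`, or enforce it from Kconfig.redhat if that is where other RHEL defaults live. `unprivileged_bpf_setup` begins in this hunk but its body continues outside it, so it is not visible whether the parser accepts the newly documented value 2 or whether a boot-time `unprivileged_bpf_disabled=0` taints the kernel the way the sysctl write path does; both are worth confirming so the two enable paths stay consistent.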
@@ -2635,6 +2634,22 @@ index 000000000000..4050b6dead75 + name ? name : "kernel"); +} +EXPORT_SYMBOL(mark_driver_unsupported); +diff --git a/kernel/sysctl.c b/kernel/sysctl.c +index d4a78e08f6d8..cfb0ff48394d 100644 +--- a/kernel/sysctl.c ++++ b/kernel/sysctl.c +@@ -241,6 +241,11 @@ static int bpf_unpriv_handler(struct ctl_table *table, int write, + if (write && !ret) { + if (locked_state && unpriv_enable != 1) + return -EPERM; ++ if (!unpriv_enable) { ++ pr_warn("Unprivileged BPF has been enabled, " ++ "tainting the kernel"); ++ add_taint(TAINT_UNPRIVILEGED_BPF, LOCKDEP_STILL_OK); ++ } + *(int *)table->data = unpriv_enable; + } + return ret; diff --git a/mm/cma.c b/mm/cma.c index 995e15480937..588f7e7885cf 100644 --- a/mm/cma.c 
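Review bot: The `pr_warn` added in the kernel/sysctl.c hunk has no trailing newline, so the message is left unterminated and the next printk can be appended to it in the log; the literal should end with `\n`, e.g. `pr_warn("Unprivileged BPF has been enabled, tainting the kernel\n");` as a single string. The warning and `add_taint` also run on every successful write of 0, including when the knob is already 0, so repeated writes re-log; if that is unwanted, compare `unpriv_enable` against `*(int *)table->data` before warning. `bpf_unpriv_handler` starts outside the hunk, so how `unpriv_enable` and `locked_state` are derived is not visible here.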
@@ -2786,84 +2801,3 @@ index b38155b2de83..b0a6711b4825 100644 #ifdef CONFIG_PERF_EVENTS int security_perf_event_open(struct perf_event_attr *attr, int type) { -From d9b1c2752249db9fabd95de4b3656d66f348b671 Mon Sep 17 00:00:00 2001 -From: Jiri Olsa <jolsa@kernel.org> -Date: Tue, 1 Jun 2021 14:15:11 +0200 -Subject: [PATCH] bpf: Fix unprivileged_bpf_disabled setup - -There's recent change [1] that adds new config option and sets -unprivileged_bpf_disabled to 2 if the option is enabled -(CONFIG_BPF_UNPRIV_DEFAULT_OFF). - -The current RHEL specific behaviour is to set unprivileged_bpf_disabled -to 1 by default and add boot command line argument to enable -unpriv bpf. - -The config option is enabled in previous patch, adding the taint -for proc/sysctl unprivileged_bpf_disabled setup. - -[1] 08389d888287 ("bpf: Add kconfig knob for disabling unpriv bpf by default") -[2] 607f0e89af7e ("bpf: set unprivileged_bpf_disabled to 1 by default, add a boot parameter") - -Fixes: 607f0e89af7e ("bpf: set unprivileged_bpf_disabled to 1 by default, add a boot parameter") -Signed-off-by: Jiri Olsa <jolsa@redhat.com> ---- - Documentation/admin-guide/kernel-parameters.txt | 7 ++++--- - kernel/bpf/syscall.c | 3 --- - kernel/sysctl.c | 5 +++++ - 3 files changed, 9 insertions(+), 6 deletions(-) - -diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt -index 3d033c0b69f9..e4c7b7002d58 100644 ---- a/Documentation/admin-guide/kernel-parameters.txt -+++ b/Documentation/admin-guide/kernel-parameters.txt -@@ -5765,12 +5765,13 @@ - [X86] Cause panic on unknown NMI. - - unprivileged_bpf_disabled= -- Format: { "0" | "1" } -+ Format: { "0" | "1" | "2" } - Sets the initial value of - kernel.unprivileged_bpf_disabled sysctl knob. - 0 - unprivileged bpf() syscall access is enabled. -- 1 - unprivileged bpf() syscall access is disabled. -- Default value is 1. -+ 1 - unprivileged bpf() syscall access is disabled permanently. 
-+ 2 - unprivileged bpf() syscall access is disabled. -+ Default value is 2. - - usbcore.authorized_default= - [USB] Default USB device authorization: -diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c -index 88925c1887b7..cb37c3f119cf 100644 ---- a/kernel/bpf/syscall.c -+++ b/kernel/bpf/syscall.c -@@ -51,9 +51,6 @@ static DEFINE_SPINLOCK(map_idr_lock); - static DEFINE_IDR(link_idr); - static DEFINE_SPINLOCK(link_idr_lock); - --/* RHEL-only: default to 1 */ --int sysctl_unprivileged_bpf_disabled __read_mostly = 1; -- - static int __init unprivileged_bpf_setup(char *str) - { - unsigned long disabled; -diff --git a/kernel/sysctl.c b/kernel/sysctl.c -index d4a78e08f6d8..cfb0ff48394d 100644 ---- a/kernel/sysctl.c -+++ b/kernel/sysctl.c -@@ -241,6 +241,11 @@ static int bpf_unpriv_handler(struct ctl_table *table, int write, - if (write && !ret) { - if (locked_state && unpriv_enable != 1) - return -EPERM; -+ if (!unpriv_enable) { -+ pr_warn("Unprivileged BPF has been enabled, " -+ "tainting the kernel"); -+ add_taint(TAINT_UNPRIVILEGED_BPF, LOCKDEP_STILL_OK); -+ } - *(int *)table->data = unpriv_enable; - } - return ret; --- -GitLab - |