Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.4.4 2023-07-19T14:36:53+00:00 2023-07-19T14:36:53+00:00 Tianjia Zhang tianjia.zhang@linux.alibaba.com 2023-06-01T06:42:44+00:00 urn:sha1:fd768cc263f3983e7abb40530b3026ada9a37250 commit 9df6a4870dc371136e90330cfbbc51464ee66993 upstream. When integrity_inode_get() is querying and inserting the cache, there is a conditional race in the concurrent environment. The race condition is the result of not properly implementing "double-checked locking". In this case, it first checks to see if the iint cache record exists before taking the lock, but doesn't check again after taking the integrity_iint_lock. Fixes: bf2276d10ce5 ("ima: allocating iint improvements") Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com> Cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com> Cc: <stable@vger.kernel.org> # v3.10+ Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2023-07-19T14:36:49+00:00 John Johansen john.johansen@canonical.com 2023-04-17T09:57:55+00:00 urn:sha1:346b1ac789fa8e666d1b564d9b9fa8880644faa0 [ Upstream commit 6f442d42c0d89876994a4a135eadf82b0e6ff6e4 ] The transition table size was not being set by compat mappings resulting in the profile verification code not being run. Unfortunately the checks were also buggy not being correctly updated from the old accept perms, to the new layout. Also indicate to userspace that the kernel has the permstable verification fixes. BugLink: http://bugs.launchpad.net/bugs/2017903 Fixes: 670f31774ab6 ("apparmor: verify permission table indexes") Signed-off-by: John Johansen <john.johansen@canonical.com> Reviewed-by: Jon Tourville <jontourville@me.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2023-07-19T14:36:49+00:00 John Johansen john.johansen@canonical.com 2023-03-10T23:59:45+00:00 urn:sha1:6108e25cfe4336de0583872d402884178b6ef8f1 [ Upstream commit 0bac2002b397fda7c9ea81ee0b06a02242958107 ] If the extended permission table is present we should not be attempting to do a compat_permission remap as the compat_permissions are not stored in the dfa accept states. Fixes: fd1b2b95a211 ("apparmor: add the ability for policy to specify a permission table") Signed-off-by: John Johansen <john.johansen@canonical.com> Reviewed-by: Jon Tourville <jontourville@me.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2023-07-19T14:36:49+00:00 John Johansen john.johansen@canonical.com 2023-04-14T07:24:47+00:00 urn:sha1:33b1fe578f7d3cf6cdf0765ef9376644b1905c68 [ Upstream commit 6600e9f692e36e265ef0828f08337fa294bb330f ] Add check for failure to allocate the permission table. Fixes: caa9f579ca72 ("apparmor: isolate policy backwards compatibility to its own file") Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2023-07-19T14:36:49+00:00 Danila Chernetsov listdansp@mail.ru 2023-04-04T19:05:49+00:00 urn:sha1:543731db0173252a835b9b43ca4c7c1203a1f41e [ Upstream commit 000518bc5aef25d3f703592a0296d578c98b1517 ] rhashtable_insert_fast() could return err value when memory allocation is failed. but unpack_profile() do not check values and this always returns success value. This patch just adds error check code. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: e025be0f26d5 ("apparmor: support querying extended trusted helper extra data") Signed-off-by: Danila Chernetsov <listdansp@mail.ru> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2023-07-19T14:36:21+00:00 John Johansen john.johansen@canonical.com 2023-04-15T07:50:32+00:00 urn:sha1:ca456dfa515c13989ba25458bc170a56678c879f commit ec6851ae0ab4587e610e260ddda75f92f3389f91 upstream. Currently the permstables of the shared dfas are not shared, and need to be allocated and copied. In the future this should be addressed with a larger rework on dfa and pdb ref counts and structure sharing. BugLink: http://bugs.launchpad.net/bugs/2017903 Fixes: 217af7e2f4de ("apparmor: refactor profile rules and attachments") Cc: stable@vger.kernel.org Signed-off-by: John Johansen <john.johansen@canonical.com> Reviewed-by: Jon Tourville <jontourville@me.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2023-07-19T14:35:20+00:00 Roberto Sassu roberto.sassu@huawei.com 2023-06-06T07:41:13+00:00 urn:sha1:b02c26ccf6aafc427c11631f8836cc337c1aa37c [ Upstream commit 95526d13038c2bbddd567a4d8e39fac42484e182 ] Fix build warnings (function parameters description) for ima_collect_modsig(), ima_match_policy() and ima_parse_add_rule(). Fixes: 15588227e086 ("ima: Collect modsig") # v5.4+ Fixes: 2fe5d6def167 ("ima: integrity appraisal extension") # v5.14+ Fixes: 4af4662fa4a9 ("integrity: IMA policy") # v3.2+ Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2023-07-19T14:35:19+00:00 Roberto Sassu roberto.sassu@huawei.com 2023-06-06T07:41:12+00:00 urn:sha1:d19eecffa4a1d628c8b6c0b833efe6c7b7434b9b [ Upstream commit 996e0a97ebd7b11cb785794e2a83c20c1add9d92 ] Fix build warnings (function parameters description) for evm_read_protected_xattrs(), evm_set_key() and evm_verifyxattr(). Fixes: 7626676320f3 ("evm: provide a function to set the EVM key from the kernel") # v4.5+ Fixes: 8314b6732ae4 ("ima: Define new template fields xattrnames, xattrlengths and xattrvalues") # v5.14+ Fixes: 2960e6cb5f7c ("evm: additional parameter to pass integrity cache entry 'iint'") # v3.2+ Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2023-07-19T14:35:19+00:00 Roberto Sassu roberto.sassu@huawei.com 2023-03-06T10:40:36+00:00 urn:sha1:f9d43d2bf3eb1d00c4a508be018669062b87d0a8 [ Upstream commit b1de86d4248b273cb12c4cd7d20c08d459519f7d ] Add the description for missing parameters of evm_inode_setattr() to avoid the warning arising with W=n compile option. Fixes: 817b54aa45db ("evm: add evm_inode_setattr to prevent updating an invalid security.evm") # v3.2+ Fixes: c1632a0f1120 ("fs: port ->setattr() to pass mnt_idmap") # v6.3+ Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2023-06-01T17:56:13+00:00 Paul Moore paul@paul-moore.com 2023-06-01T14:21:21+00:00 urn:sha1:42c4e97e06a839b07d834f640a10911ad84ec8b3 The Linux Kernel currently only requires make v3.82 while the grouped target functionality requires make v4.3. Removed the grouped target introduced in 4ce1f694eb5d ("selinux: ensure av_permissions.h is built when needed") as well as the multiple header file targets in the make rule. This effectively reverts the problem commit. We will revisit this change when make >= 4.3 is required by the rest of the kernel. Cc: stable@vger.kernel.org Fixes: 4ce1f694eb5d ("selinux: ensure av_permissions.h is built when needed") Reported-by: Erwan Velu <e.velu@criteo.com> Reported-by: Luiz Capitulino <luizcap@amazon.com> Tested-by: Luiz Capitulino <luizcap@amazon.com> Signed-off-by: Paul Moore <paul@paul-moore.com>