Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.7.3 2024-02-01T00:21:00+00:00 2024-02-01T00:21:00+00:00 Alfred Piccioni alpic@google.com 2023-12-19T09:09:09+00:00 urn:sha1:1818ee771c3afcff013fe25043b0ffa2017ecfb9 commit f1bb47a31dff6d4b34fb14e99850860ee74bb003 upstream. Some ioctl commands do not require ioctl permission, but are routed to other permissions such as FILE_GETATTR or FILE_SETATTR. This routing is done by comparing the ioctl cmd to a set of 64-bit flags (FS_IOC_*). However, if a 32-bit process is running on a 64-bit kernel, it emits 32-bit flags (FS_IOC32_*) for certain ioctl operations. These flags are being checked erroneously, which leads to these ioctl operations being routed to the ioctl permission, rather than the correct file permissions. This was also noted in a RED-PEN finding from a while back - "/* RED-PEN how should LSM module know it's handling 32bit? */". This patch introduces a new hook, security_file_ioctl_compat(), that is called from the compat ioctl syscall. All current LSMs have been changed to support this hook. Reviewing the three places where we are currently using security_file_ioctl(), it appears that only SELinux needs a dedicated compat change; TOMOYO and SMACK appear to be functional without any change. Cc: stable@vger.kernel.org Fixes: 0b24dcb7f2f7 ("Revert "selinux: simplify ioctl checking"") Signed-off-by: Alfred Piccioni <alpic@google.com> Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com> [PM: subject tweak, line length fixes, and alignment corrections] Signed-off-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2024-01-25T23:45:31+00:00 Mimi Zohar zohar@linux.ibm.com 2024-01-24T19:21:44+00:00 urn:sha1:b5beb861861c7d63fec0f96387fbedef566c099c commit 1ed4b563100230ea68821a2b25a3d9f25388a3e6 upstream. This reverts commit b4af096b5df5dd131ab796c79cedc7069d8f4882. New encrypted keys are created either from kernel-generated random numbers or user-provided decrypted data. Revert the change requiring user-provided decrypted data. Reported-by: Vishal Verma <vishal.l.verma@intel.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2024-01-25T23:45:25+00:00 Gaosheng Cui cuigaosheng1@huawei.com 2024-01-05T02:01:26+00:00 urn:sha1:a5745b111005bc8928845628a13b2bee252887b6 [ Upstream commit 8ead196be219adade3bd0d4115cc9b8506643121 ] The aa_put_pdb(rules->file) should be called when rules->file is reassigned, otherwise there may be a memory leak. This was found via kmemleak: unreferenced object 0xffff986c17056600 (size 192): comm "apparmor_parser", pid 875, jiffies 4294893488 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 89 14 04 6c 98 ff ff ............l... 00 00 8c 11 6c 98 ff ff bc 0c 00 00 00 00 00 00 ....l........... backtrace (crc e28c80c4): [<ffffffffba25087f>] kmemleak_alloc+0x4f/0x90 [<ffffffffb95ecd42>] kmalloc_trace+0x2d2/0x340 [<ffffffffb98a7b3d>] aa_alloc_pdb+0x4d/0x90 [<ffffffffb98ab3b8>] unpack_pdb+0x48/0x660 [<ffffffffb98ac073>] unpack_profile+0x693/0x1090 [<ffffffffb98acf5a>] aa_unpack+0x10a/0x6e0 [<ffffffffb98a93e3>] aa_replace_profiles+0xa3/0x1210 [<ffffffffb989a183>] policy_update+0x163/0x2a0 [<ffffffffb989a381>] profile_replace+0xb1/0x130 [<ffffffffb966cb64>] vfs_write+0xd4/0x3d0 [<ffffffffb966d05b>] ksys_write+0x6b/0xf0 [<ffffffffb966d10e>] __x64_sys_write+0x1e/0x30 [<ffffffffba242316>] do_syscall_64+0x76/0x120 [<ffffffffba4000e5>] entry_SYSCALL_64_after_hwframe+0x6c/0x74 So add aa_put_pdb(rules->file) to fix it when rules->file is reassigned. Fixes: 98b824ff8984 ("apparmor: refcount the pdb") Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2024-01-25T23:45:24+00:00 Fedor Pchelkin pchelkin@ispras.ru 2023-12-28T16:07:43+00:00 urn:sha1:77ab09b92f16c8439a948d1af489196953dc4a0e [ Upstream commit 55a8210c9e7d21ff2644809699765796d4bfb200 ] When processing a packed profile in unpack_profile() described like "profile :ns::samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd {...}" a string ":samba-dcerpcd" is unpacked as a fully-qualified name and then passed to aa_splitn_fqname(). aa_splitn_fqname() treats ":samba-dcerpcd" as only containing a namespace. Thus it returns NULL for tmpname, meanwhile tmpns is non-NULL. Later aa_alloc_profile() crashes as the new profile name is NULL now. general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 6 PID: 1657 Comm: apparmor_parser Not tainted 6.7.0-rc2-dirty #16 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014 RIP: 0010:strlen+0x1e/0xa0 Call Trace: <TASK> ? strlen+0x1e/0xa0 aa_policy_init+0x1bb/0x230 aa_alloc_profile+0xb1/0x480 unpack_profile+0x3bc/0x4960 aa_unpack+0x309/0x15e0 aa_replace_profiles+0x213/0x33c0 policy_update+0x261/0x370 profile_replace+0x20e/0x2a0 vfs_write+0x2af/0xe00 ksys_write+0x126/0x250 do_syscall_64+0x46/0xf0 entry_SYSCALL_64_after_hwframe+0x6e/0x76 </TASK> ---[ end trace 0000000000000000 ]--- RIP: 0010:strlen+0x1e/0xa0 It seems such behaviour of aa_splitn_fqname() is expected and checked in other places where it is called (e.g. aa_remove_profiles). Well, there is an explicit comment "a ns name without a following profile is allowed" inside. AFAICS, nothing can prevent unpacked "name" to be in form like ":samba-dcerpcd" - it is passed from userspace. Deny the whole profile set replacement in such case and inform user with EPROTO and an explaining message. Found by Linux Verification Center (linuxtesting.org). Fixes: 04dc715e24d0 ("apparmor: audit policy ns specified in policy load") Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2024-01-25T23:45:24+00:00 Fedor Pchelkin pchelkin@ispras.ru 2023-12-04T18:19:44+00:00 urn:sha1:c6bdba19ba5472b046c5a717325bb80d27264162 [ Upstream commit 1342ad786073e96fa813ad943c19f586157ae297 ] If we fail to unpack the transition table then the table elements which have been already allocated are not freed on error path. unreferenced object 0xffff88802539e000 (size 128): comm "apparmor_parser", pid 903, jiffies 4294914938 (age 35.085s) hex dump (first 32 bytes): 20 73 6f 6d 65 20 6e 61 73 74 79 20 73 74 72 69 some nasty stri 6e 67 20 73 6f 6d 65 20 6e 61 73 74 79 20 73 74 ng some nasty st backtrace: [<ffffffff81ddb312>] __kmem_cache_alloc_node+0x1e2/0x2d0 [<ffffffff81c47194>] __kmalloc_node_track_caller+0x54/0x170 [<ffffffff81c225b9>] kmemdup+0x29/0x60 [<ffffffff83e1ee65>] aa_unpack_strdup+0xe5/0x1b0 [<ffffffff83e20808>] unpack_pdb+0xeb8/0x2700 [<ffffffff83e23567>] unpack_profile+0x1507/0x4a30 [<ffffffff83e27bfa>] aa_unpack+0x36a/0x1560 [<ffffffff83e194c3>] aa_replace_profiles+0x213/0x33c0 [<ffffffff83de9461>] policy_update+0x261/0x370 [<ffffffff83de978e>] profile_replace+0x20e/0x2a0 [<ffffffff81eac8bf>] vfs_write+0x2af/0xe00 [<ffffffff81eaddd6>] ksys_write+0x126/0x250 [<ffffffff88f34fb6>] do_syscall_64+0x46/0xf0 [<ffffffff890000ea>] entry_SYSCALL_64_after_hwframe+0x6e/0x76 Call aa_free_str_table() on error path as was done before the blamed commit. It implements all necessary checks, frees str_table if it is available and nullifies the pointers. Found by Linux Verification Center (linuxtesting.org). Fixes: a0792e2ceddc ("apparmor: make transition table unpack generic so it can be reused") Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2024-01-25T23:45:24+00:00 Fedor Pchelkin pchelkin@ispras.ru 2023-11-27T17:59:04+00:00 urn:sha1:bcb9321b63e9355bfdf99d93d46ff02d6f61c68b [ Upstream commit 1af5aa82c976753e93eb52b72784e586a7d2844b ] policy_db objects are allocated with kzalloc() inside aa_alloc_pdb() and are not cleared in the corresponding aa_free_pdb() function causing leak: unreferenced object 0xffff88801f0a1400 (size 192): comm "apparmor_parser", pid 1247, jiffies 4295122827 (age 2306.399s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<ffffffff81ddc612>] __kmem_cache_alloc_node+0x1e2/0x2d0 [<ffffffff81c47c55>] kmalloc_trace+0x25/0xc0 [<ffffffff83eb9a12>] aa_alloc_pdb+0x82/0x140 [<ffffffff83ec4077>] unpack_pdb+0xc7/0x2700 [<ffffffff83ec6b10>] unpack_profile+0x450/0x4960 [<ffffffff83ecc129>] aa_unpack+0x309/0x15e0 [<ffffffff83ebdb23>] aa_replace_profiles+0x213/0x33c0 [<ffffffff83e8d341>] policy_update+0x261/0x370 [<ffffffff83e8d66e>] profile_replace+0x20e/0x2a0 [<ffffffff81eadfaf>] vfs_write+0x2af/0xe00 [<ffffffff81eaf4c6>] ksys_write+0x126/0x250 [<ffffffff890fa0b6>] do_syscall_64+0x46/0xf0 [<ffffffff892000ea>] entry_SYSCALL_64_after_hwframe+0x6e/0x76 Free the pdbs inside aa_free_pdb(). While at it, rename the variable representing an aa_policydb object to make the function more unified with aa_pdb_free_kref() and aa_alloc_pdb(). Found by Linux Verification Center (linuxtesting.org). Fixes: 98b824ff8984 ("apparmor: refcount the pdb") Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2024-01-25T23:45:23+00:00 John Johansen john.johansen@canonical.com 2023-12-29T14:54:41+00:00 urn:sha1:4c546abf22de9a31c2753e5a9753df12e5792237 [ Upstream commit 2cb54a19ac7153b9a26a72098c495187f64c2276 ] apparmor_task_kill was not putting the task_cred reference tc, or the cred_label reference tc when dealing with a passed in cred, fix this by using a single fn exit. Fixes: 90c436a64a6e ("apparmor: pass cred through to audit info.") Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2024-01-25T23:44:40+00:00 Mickaël Salaün mic@digikod.net 2024-01-03T16:34:15+00:00 urn:sha1:7f25cd51aa71711438a6c11fa638ba5aba61ed95 [ Upstream commit bbf5a1d0e5d0fb3bdf90205aa872636122692a50 ] The IPv6 network stack first checks the sockaddr length (-EINVAL error) before checking the family (-EAFNOSUPPORT error). This was discovered thanks to commit a549d055a22e ("selftests/landlock: Add network tests"). Cc: Eric Paris <eparis@parisplace.org> Cc: Konstantin Meskhidze <konstantin.meskhidze@huawei.com> Cc: Paul Moore <paul@paul-moore.com> Cc: Stephen Smalley <stephen.smalley.work@gmail.com> Reported-by: Muhammad Usama Anjum <usama.anjum@collabora.com> Closes: https://lore.kernel.org/r/0584f91c-537c-4188-9e4f-04f192565667@collabora.com Fixes: 0f8db8cc73df ("selinux: add AF_UNSPEC and INADDR_ANY checks to selinux_socket_bind()") Signed-off-by: Mickaël Salaün <mic@digikod.net> Tested-by: Muhammad Usama Anjum <usama.anjum@collabora.com> Signed-off-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2024-01-25T23:44:39+00:00 Chen Ni nichen@iscas.ac.cn 2023-11-08T07:36:27+00:00 urn:sha1:cd06de9800b3a7742fe7f6d772ff72b966085850 [ Upstream commit b4af096b5df5dd131ab796c79cedc7069d8f4882 ] Add check for strsep() in order to transfer the error. Fixes: cd3bc044af48 ("KEYS: encrypted: Instantiate key with user-provided decrypted data") Signed-off-by: Chen Ni <nichen@iscas.ac.cn> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2024-01-03T20:10:29+00:00 John Johansen john.johansen@canonical.com 2023-12-18T09:10:03+00:00 urn:sha1:8026e40608b4d552216d2a818ca7080a4264bb44 Prevent move_mount from applying the attach_disconnected flag to move_mount(). This prevents detached mounts from appearing as / when applying mount mediation, which is not only incorrect but could result in bad policy being generated. Basic mount rules like allow mount, allow mount options=(move) -> /target/, will allow detached mounts, allowing older policy to continue to function. New policy gains the ability to specify `detached` as a source option allow mount detached -> /target/, In addition make sure support of move_mount is advertised as a feature to userspace so that applications that generate policy can respond to the addition. Note: this fixes mediation of move_mount when a detached mount is used, it does not fix the broader regression of apparmor mediation of mounts under the new mount api. Link: https://lore.kernel.org/all/68c166b8-5b4d-4612-8042-1dee3334385b@leemhuis.info/T/#mb35fdde37f999f08f0b02d58dc1bf4e6b65b8da2 Fixes: 157a3537d6bc ("apparmor: Fix regression in mount mediation") Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>