| File | Last commit | Last updated |
|---|---|---|
| | evm: Complete description of evm_inode_setattr() stable inclusion from stable-v5.10.188 commit 16ec59c03ad258b716374946a6b1530921d0faf3 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I8KYFP Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=16ec59c03ad258b716374946a6b1530921d0faf3 -------------------------------- [ Upstream commit b1de86d4248b273cb12c4cd7d20c08d459519f7d ] Add the description for missing parameters of evm_inode_setattr() to avoid the warning arising with W=n compile option. Fixes: 817b54aa45db ("evm: add evm_inode_setattr to prevent updating an invalid security.evm") # v3.2+ Fixes: c1632a0f1120 ("fs: port ->setattr() to pass mnt_idmap") # v6.3+ Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: sanglipeng <sanglipeng1@jd.com> | 2 years ago |
| | ima: Handle error code returned by ima_filter_rule_match() mainline inclusion from mainline-v6.19-rc1 commit 738c9738e690f5cea24a3ad6fd2d9a323cf614f6 category: bugfix bugzilla: https://atomgit.com/openeuler/kernel/issues/7810 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=738c9738e690f5cea24a3ad6fd2d9a323cf614f6 -------------------------------- In ima_match_rules(), if ima_filter_rule_match() returns -ENOENT due to the rule being NULL, the function incorrectly skips the 'if (!rc)' check and sets 'result = true'. The LSM rule is considered a match, causing extra files to be measured by IMA. This issue can be reproduced in the following scenario: After unloading the SELinux policy module via 'semodule -d', if an IMA measurement is triggered before ima_lsm_rules is updated, in ima_match_rules(), the first call to ima_filter_rule_match() returns -ESTALE. This causes the code to enter the 'if (rc == -ESTALE && !rule_reinitialized)' block, perform ima_lsm_copy_rule() and retry. In ima_lsm_copy_rule(), since the SELinux module has been removed, the rule becomes NULL, and the second call to ima_filter_rule_match() returns -ENOENT. This bypasses the 'if (!rc)' check and results in a false match. Call trace: selinux_audit_rule_match+0x310/0x3b8 security_audit_rule_match+0x60/0xa0 ima_match_rules+0x2e4/0x4a0 ima_match_policy+0x9c/0x1e8 ima_get_action+0x48/0x60 process_measurement+0xf8/0xa98 ima_bprm_check+0x98/0xd8 security_bprm_check+0x5c/0x78 search_binary_handler+0x6c/0x318 exec_binprm+0x58/0x1b8 bprm_execve+0xb8/0x130 do_execveat_common.isra.0+0x1a8/0x258 __arm64_sys_execve+0x48/0x68 invoke_syscall+0x50/0x128 el0_svc_common.constprop.0+0xc8/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x44/0x200 el0t_64_sync_handler+0x100/0x130 el0t_64_sync+0x3c8/0x3d0 Fix this by changing 'if (!rc)' to 'if (rc <= 0)' to ensure that error codes like -ENOENT do not bypass the check and accidentally result in a successful match. Fixes: 4af4662fa4a9d ("integrity: IMA policy") Signed-off-by: Zhao Yipeng <zhaoyipeng5@huawei.com> Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Zhao Yipeng <zhaoyipeng5@huawei.com> | 6 months ago |
| | efi: Add iMac Pro 2017 to uefi skip cert quirk stable inclusion from stable-v5.10.163 commit d9f6614a732b012bc34ce3d25ddddd45e64b79a8 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7PJ9N Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=d9f6614a732b012bc34ce3d25ddddd45e64b79a8 ---------------------------------------------------- commit 0be56a116220f9e5731a6609e66a11accfe8d8e2 upstream. The iMac Pro 2017 is also a T2 Mac. Thus add it to the list of uefi skip cert. Cc: stable@vger.kernel.org Fixes: 155ca952c7ca ("efi: Do not import certificates from UEFI Secure Boot for T2 Macs") Link: https://lore.kernel.org/linux-integrity/9D46D92F-1381-4F10-989C-1A12CD2FFDD8@live.com/ Signed-off-by: Aditya Garg <gargaditya08@live.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: zhaoxiaoqiang11 <zhaoxiaoqiang11@jd.com> | 2 years ago |
| | powerpc: Load firmware trusted keys/hashes into kernel keyring The keys used to verify the Host OS kernel are managed by firmware as secure variables. This patch loads the verification keys into the .platform keyring and revocation hashes into .blacklist keyring. This enables verification and loading of the kernels signed by the boot time keys which are trusted by firmware. Signed-off-by: Nayna Jain <nayna@linux.ibm.com> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Eric Richter <erichte@linux.ibm.com> [mpe: Search by compatible in load_powerpc_certs(), not using format] Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Link: https://lore.kernel.org/r/1573441836-3632-5-git-send-email-nayna@linux.ibm.com | 6 years ago |
| | powerpc: Load firmware trusted keys/hashes into kernel keyring The keys used to verify the Host OS kernel are managed by firmware as secure variables. This patch loads the verification keys into the .platform keyring and revocation hashes into .blacklist keyring. This enables verification and loading of the kernels signed by the boot time keys which are trusted by firmware. Signed-off-by: Nayna Jain <nayna@linux.ibm.com> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Eric Richter <erichte@linux.ibm.com> [mpe: Search by compatible in load_powerpc_certs(), not using format] Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Link: https://lore.kernel.org/r/1573441836-3632-5-git-send-email-nayna@linux.ibm.com | 6 years ago |
| | integrity: Fix memory leakage in keyring allocation error path stable inclusion from stable-v5.10.163 commit 3bd737289c26be3cee4b9afaf61ef784a2af9d6e category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7PJ9N Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=3bd737289c26be3cee4b9afaf61ef784a2af9d6e ---------------------------------------------------- [ Upstream commit 39419ef7af0916cc3620ecf1ed42d29659109bf3 ] Key restriction is allocated in integrity_init_keyring(). However, if keyring allocation failed, it is not freed, causing memory leaks. Fixes: 2b6aa412ff23 ("KEYS: Use structure to capture key restriction function and data") Signed-off-by: GUO Zihua <guozihua@huawei.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: zhaoxiaoqiang11 <zhaoxiaoqiang11@jd.com> | 2 years ago |
| | ima: Add macros to isolate the IMA digest list euleros inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I7YT6U -------------------------------- Isolate the IMA digest list code by using macros. changelog v2: Exclude some macros for code that has already been merged into upstream kernel v3: add patch header and fix some simple code warnings v4: merge some duplicate code and add macro comments v5: format the code and update the issue number v6: merge duplicate code instead of isolating the entire function Signed-off-by: Zhou Shuiqing <zhoushuiqing2@huawei.com> | 2 years ago |
| | ima: annotate iint mutex to avoid lockdep false positive warnings stable inclusion from stable-v5.10.203 commit 01fbfcd8105c3ccb5ba51699a3e79182d5705da0 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I9GXII Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=01fbfcd8105c3ccb5ba51699a3e79182d5705da0 -------------------------------- [ Upstream commit e044374a8a0a99e46f4e6d6751d3042b6d9cc12e ] It is not clear that IMA should be nested at all, but as long as it measures files both on overlayfs and on underlying fs, we need to annotate the iint mutex to avoid lockdep false positives related to IMA + overlayfs, same as overlayfs annotates the inode mutex. Reported-and-tested-by: syzbot+b42fe626038981fb7bfa@syzkaller.appspotmail.com Signed-off-by: Amir Goldstein <amir73il@gmail.com> Cc: stable@vger.kernel.org Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: sanglipeng <sanglipeng1@jd.com> | 2 years ago |
| | ima: detect changes to the backing overlay file stable inclusion from stable-v5.10.202 commit cd5a262a07a514912140b6d42bd17a5aaee2a868 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I9DZOS Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=cd5a262a07a514912140b6d42bd17a5aaee2a868 -------------------------------- commit b836c4d29f2744200b2af41e14bf50758dddc818 upstream. Commit 18b44bc5a672 ("ovl: Always reevaluate the file signature for IMA") forced signature re-evaluation on every file access. Instead of always re-evaluating the file's integrity, detect a change to the backing file, by comparing the cached file metadata with the backing file's metadata. Verifying just the i_version has not changed is insufficient. In addition save and compare the i_ino and s_dev as well. Reviewed-by: Amir Goldstein <amir73il@gmail.com> Tested-by: Eric Snowberg <eric.snowberg@oracle.com> Tested-by: Raul E Rangel <rrangel@chromium.org> Cc: stable@vger.kernel.org Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: sanglipeng <sanglipeng1@jd.com> | 2 years ago |
| | integrity: check the return value of audit_log_start() stable inclusion from stable-v5.10.101 commit 7fea2e52000357abe4c2db94e177b72f02b5597f bugzilla: https://gitee.com/openeuler/kernel/issues/I5669Z Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=7fea2e52000357abe4c2db94e177b72f02b5597f -------------------------------- commit 83230351c523b04ff8a029a4bdf97d881ecb96fc upstream. audit_log_start() returns audit_buffer pointer on success or NULL on error, so it is better to check the return value of it. Fixes: 3323eec921ef ("integrity: IMA as an integrity service provider") Signed-off-by: Xiaoke Wang <xkernel.wang@foxmail.com> Cc: <stable@vger.kernel.org> Reviewed-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Yu Liao <liaoyu15@huawei.com> Reviewed-by: Wei Li <liwei391@huawei.com> Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com> | 4 years ago |
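The failure mode described in the "ima: Handle error code returned by ima_filter_rule_match()" entry above, as an added standalone C model. This is not code from the kernel tree this listing belongs to: `struct sim_policy`, `struct sim_lsm_rule` and every `sim_*`/`demo_*` function are constructed stand-ins that keep only the return-code convention of the real functions (positive match, 0 no match, negative error) and the retry control flow the commit message describes. The `fixed` flag switches between the original `if (!rc)` check and the corrected `if (rc <= 0)`.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed simulation state (assumption: not kernel data structures). */
struct sim_policy {
	bool stale;      /* first match attempt reports a stale LSM rule (-ESTALE) */
	bool lsm_gone;   /* LSM module unloaded: re-copying the rule yields NULL */
	bool no_match;   /* a valid rule that simply does not match the file */
};

struct sim_lsm_rule {
	void *rule;      /* opaque LSM rule handle, NULL once the LSM is gone */
	bool args_p;     /* the policy rule carries an LSM condition */
};

/* Stand-in for ima_filter_rule_match(): >0 match, 0 no match, <0 error. */
static int sim_filter_rule_match(struct sim_policy *p, void *rule)
{
	if (!rule)
		return -ENOENT;    /* nothing to evaluate: an error, not a verdict */
	if (p->stale) {
		p->stale = false;  /* only the first attempt sees the stale rule */
		return -ESTALE;
	}
	return p->no_match ? 0 : 1;
}

/* Stand-in for ima_lsm_copy_rule(): rebuilding the rule fails once the LSM is unloaded. */
static void *sim_lsm_copy_rule(struct sim_policy *p, void *old_rule)
{
	return p->lsm_gone ? NULL : old_rule;
}

/*
 * Stand-in for the per-rule part of ima_match_rules(). Returns true when the
 * rule counts as a match (the file would be measured). With fixed == false the
 * check is the original '!rc', with fixed == true it is 'rc <= 0'.
 */
static bool sim_match_rules(struct sim_policy *p, struct sim_lsm_rule *lsm, bool fixed)
{
	bool rule_reinitialized = false;
	void *rule = lsm->rule;
	int rc;

	if (!rule)
		return !lsm->args_p;   /* no LSM condition configured: nothing to fail */

retry:
	rc = sim_filter_rule_match(p, rule);
	if (rc == -ESTALE && !rule_reinitialized) {
		rule = sim_lsm_copy_rule(p, rule);   /* may become NULL */
		rule_reinitialized = true;
		goto retry;
	}
	if (fixed ? (rc <= 0) : (rc == 0))
		return false;   /* explicit non-match, and with the fix any error too */
	return true;        /* original code reaches here on -ENOENT: false match */
}

/* Scenario from the commit: rule went stale and SELinux was unloaded meanwhile. */
bool demo_stale_then_unloaded(bool fixed)
{
	static int handle;
	struct sim_policy p = { .stale = true, .lsm_gone = true, .no_match = false };
	struct sim_lsm_rule lsm = { .rule = &handle, .args_p = true };
	return sim_match_rules(&p, &lsm, fixed);
}

/* Healthy rule that matches: both checks must still report a match. */
bool demo_valid_match(bool fixed)
{
	static int handle;
	struct sim_policy p = { .stale = false, .lsm_gone = false, .no_match = false };
	struct sim_lsm_rule lsm = { .rule = &handle, .args_p = true };
	return sim_match_rules(&p, &lsm, fixed);
}

/* Healthy rule that does not match: both checks must report no match. */
bool demo_valid_no_match(bool fixed)
{
	static int handle;
	struct sim_policy p = { .stale = false, .lsm_gone = false, .no_match = true };
	struct sim_lsm_rule lsm = { .rule = &handle, .args_p = true };
	return sim_match_rules(&p, &lsm, fixed);
}

int main(void)
{
	printf("stale+unloaded, original check: %s\n",
	       demo_stale_then_unloaded(false) ? "MATCH (false positive)" : "no match");
	printf("stale+unloaded, fixed check:    %s\n",
	       demo_stale_then_unloaded(true) ? "MATCH" : "no match (correct)");
	return 0;
}
```

The point the model makes visible is that the retry path changes the meaning of the second return value: a NULL rule is an error (`-ENOENT`), and a check written as `!rc` only recognises the "no match" verdict, so every negative error code falls through to `result = true`. Treating all non-positive values as "not a match" (`rc <= 0`) fails closed for measurement policy, which is the conservative direction for an integrity check.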