Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ https://git.shady.money/linux/atom?h=v5.1 2019-05-05T16:28:45Z 2019-05-05T16:28:45Z Linus Torvalds torvalds@linux-foundation.org 2019-05-05T16:28:45Z urn:sha1:51987affd626b8e4ce9f4c65e1950cb9159f0f58 Pull vfs fixes from Al Viro: - a couple of ->i_link use-after-free fixes - regression fix for wrong errno on absent device name in mount(2) (this cycle stuff) - ancient UFS braino in large GID handling on Solaris UFS images (bogus cut'n'paste from large UID handling; wrong field checked to decide whether we should look at old (16bit) or new (32bit) field) * 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: ufs: fix braino in ufs_get_inode_gid() for solaris UFS flavour Abort file_remove_privs() for non-reg. files [fix] get rid of checking for absent device name in vfs_get_tree() apparmorfs: fix use-after-free on symlink traversal securityfs: fix use-after-free on symlink traversal 2019-04-10T18:04:34Z Al Viro viro@zeniv.linux.org.uk 2019-04-10T18:04:34Z urn:sha1:f51dcd0f621caac5380ce90fbbeafc32ce4517ae symlink body shouldn't be freed without an RCU delay. Switch apparmorfs to ->destroy_inode() and use of call_rcu(); free both the inode and symlink body in the callback. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2019-04-10T11:24:48Z Kees Cook keescook@chromium.org 2019-04-08T16:07:06Z urn:sha1:e33c1b9923775d17ad246946fe67fcb9be288677 Before commit c5459b829b71 ("LSM: Plumb visibility into optional "enabled" state"), /sys/module/apparmor/parameters/enabled would show "Y" or "N" since it was using the "bool" handler. After being changed to "int", this switched to "1" or "0", breaking the userspace AppArmor detection of dbus-broker. This restores the Y/N output while keeping the LSM infrastructure happy. Before: $ cat /sys/module/apparmor/parameters/enabled 1 After: $ cat /sys/module/apparmor/parameters/enabled Y Reported-by: David Rheinsberg <david.rheinsberg@gmail.com> Reviewed-by: David Rheinsberg <david.rheinsberg@gmail.com> Link: https://lkml.kernel.org/r/CADyDSO6k8vYb1eryT4g6+EHrLCvb68GAbHVWuULkYjcZcYNhhw@mail.gmail.com Fixes: c5459b829b71 ("LSM: Plumb visibility into optional "enabled" state") Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: John Johansen <john.johansen@canonical.com> 2019-03-13T18:07:36Z Linus Torvalds torvalds@linux-foundation.org 2019-03-13T18:07:36Z urn:sha1:8636b1dbce854363cd98922b3e4b49a603c4d5fd Pull apparmor fixes from John Johansen: - fix double when failing to unpack secmark rules in policy - fix leak of dentry when profile is removed * tag 'apparmor-pr-2019-03-12' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor: apparmor: fix double free when unpack of secmark rules fails apparmor: delete the dentry in aafs_remove() to avoid a leak apparmor: Fix warning about unused function apparmor_ipv6_postroute 2019-03-12T10:48:02Z John Johansen john.johansen@canonical.com 2019-02-12T11:35:40Z urn:sha1:d8dbb581d4f86a2ac669c056fc71a28ebeb367f4 if secmark rules fail to unpack a double free happens resulting in the following oops [ 1295.584074] audit: type=1400 audit(1549970525.256:51): apparmor="STATUS" info="failed to unpack profile secmark rules" error=-71 profile="unconfined" name="/root/test" pid=29882 comm="apparmor_parser" name="/root/test" offset=120 [ 1374.042334] ------------[ cut here ]------------ [ 1374.042336] kernel BUG at mm/slub.c:294! [ 1374.042404] invalid opcode: 0000 [#1] SMP PTI [ 1374.042436] CPU: 0 PID: 29921 Comm: apparmor_parser Not tainted 4.20.7-042007-generic #201902061234 [ 1374.042461] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 [ 1374.042489] RIP: 0010:kfree+0x164/0x180 [ 1374.042502] Code: 74 05 41 0f b6 72 51 4c 89 d7 e8 37 cd f8 ff eb 8b 41 b8 01 00 00 00 48 89 d9 48 89 da 4c 89 d6 e8 11 f6 ff ff e9 72 ff ff ff <0f> 0b 49 8b 42 08 a8 01 75 c2 0f 0b 48 8b 3d a9 f4 19 01 e9 c5 fe [ 1374.042552] RSP: 0018:ffffaf7b812d7b90 EFLAGS: 00010246 [ 1374.042568] RAX: ffff91e437679200 RBX: ffff91e437679200 RCX: ffff91e437679200 [ 1374.042589] RDX: 00000000000088b6 RSI: ffff91e43da27060 RDI: ffff91e43d401a80 [ 1374.042609] RBP: ffffaf7b812d7ba8 R08: 0000000000027080 R09: ffffffffa6627a6d [ 1374.042629] R10: ffffd3af41dd9e40 R11: ffff91e43a1740dc R12: ffff91e3f52e8000 [ 1374.042650] R13: ffffffffa6627a6d R14: ffffffffffffffb9 R15: 0000000000000001 [ 1374.042675] FS: 00007f928df77740(0000) GS:ffff91e43da00000(0000) knlGS:0000000000000000 [ 1374.042697] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1374.042714] CR2: 000055a0c3ab6b50 CR3: 0000000079ed8004 CR4: 0000000000360ef0 [ 1374.042737] Call Trace: [ 1374.042750] kzfree+0x2d/0x40 [ 1374.042763] aa_free_profile+0x12b/0x270 [ 1374.042776] unpack_profile+0xc1/0xf10 [ 1374.042790] aa_unpack+0x115/0x4e0 [ 1374.042802] aa_replace_profiles+0x8e/0xcc0 [ 1374.042817] ? kvmalloc_node+0x6d/0x80 [ 1374.042831] ? __check_object_size+0x166/0x192 [ 1374.042845] policy_update+0xcf/0x1b0 [ 1374.042858] profile_load+0x7d/0xa0 [ 1374.042871] __vfs_write+0x3a/0x190 [ 1374.042883] ? apparmor_file_permission+0x1a/0x20 [ 1374.042899] ? security_file_permission+0x31/0xc0 [ 1374.042918] ? _cond_resched+0x19/0x30 [ 1374.042931] vfs_write+0xab/0x1b0 [ 1374.042963] ksys_write+0x55/0xc0 [ 1374.043004] __x64_sys_write+0x1a/0x20 [ 1374.043046] do_syscall_64+0x5a/0x110 [ 1374.043087] entry_SYSCALL_64_after_hwframe+0x44/0xa9 Fixes: 9caafbe2b4cf ("apparmor: Parse secmark policy") Reported-by: Alex Murray <alex.murray@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> 2019-03-12T10:48:02Z Chris Coulson chris.coulson@canonical.com 2019-02-04T10:21:23Z urn:sha1:201218e4d3dfa1346e30997f48725acce3f26d01 Although the apparmorfs dentries are always dropped from the dentry cache when the usage count drops to zero, there is no guarantee that this will happen in aafs_remove(), as another thread might still be using it. In this scenario, this means that the dentry will temporarily continue to appear in the results of lookups, even after the call to aafs_remove(). In the case of removal of a profile - it also causes simple_rmdir() on the profile directory to fail, as the directory won't be empty until the usage counts of all child dentries have decreased to zero. This results in the dentry for the profile directory leaking and appearing empty in the file system tree forever. Signed-off-by: Chris Coulson <chris.coulson@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> 2019-03-07T20:20:11Z Linus Torvalds torvalds@linux-foundation.org 2019-03-07T20:20:11Z urn:sha1:be37f21a08ce65c7632c7f45e1755a4b07f278a0 Pull audit updates from Paul Moore: "A lucky 13 audit patches for v5.1. Despite the rather large diffstat, most of the changes are from two bug fix patches that move code from one Kconfig option to another. Beyond that bit of churn, the remaining changes are largely cleanups and bug-fixes as we slowly march towards container auditing. It isn't all boring though, we do have a couple of new things: file capabilities v3 support, and expanded support for filtering on filesystems to solve problems with remote filesystems. All changes pass the audit-testsuite. Please merge for v5.1" * tag 'audit-pr-20190305' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit: audit: mark expected switch fall-through audit: hide auditsc_get_stamp and audit_serial prototypes audit: join tty records to their syscall audit: remove audit_context when CONFIG_ AUDIT and not AUDITSYSCALL audit: remove unused actx param from audit_rule_match audit: ignore fcaps on umount audit: clean up AUDITSYSCALL prototypes and stubs audit: more filter PATH records keyed on filesystem magic audit: add support for fcaps v3 audit: move loginuid and sessionid from CONFIG_AUDITSYSCALL to CONFIG_AUDIT audit: add syscall information to CONFIG_CHANGE records audit: hand taken context to audit_kill_trees for syscall logging audit: give a clue what CONFIG_CHANGE op was involved 2019-03-07T19:44:01Z Linus Torvalds torvalds@linux-foundation.org 2019-03-07T19:44:01Z urn:sha1:ae5906ceee038ea29ff5162d1bcd18fb50af8b94 Pull security subsystem updates from James Morris: - Extend LSM stacking to allow sharing of cred, file, ipc, inode, and task blobs. This paves the way for more full-featured LSMs to be merged, and is specifically aimed at LandLock and SARA LSMs. This work is from Casey and Kees. - There's a new LSM from Micah Morton: "SafeSetID gates the setid family of syscalls to restrict UID/GID transitions from a given UID/GID to only those approved by a system-wide whitelist." This feature is currently shipping in ChromeOS. * 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (62 commits) keys: fix missing __user in KEYCTL_PKEY_QUERY LSM: Update list of SECURITYFS users in Kconfig LSM: Ignore "security=" when "lsm=" is specified LSM: Update function documentation for cap_capable security: mark expected switch fall-throughs and add a missing break tomoyo: Bump version. LSM: fix return value check in safesetid_init_securityfs() LSM: SafeSetID: add selftest LSM: SafeSetID: remove unused include LSM: SafeSetID: 'depend' on CONFIG_SECURITY LSM: Add 'name' field for SafeSetID in DEFINE_LSM LSM: add SafeSetID module that gates setid calls LSM: add SafeSetID module that gates setid calls tomoyo: Allow multiple use_group lines. tomoyo: Coding style fix. tomoyo: Swicth from cred->security to task_struct->security. security: keys: annotate implicit fall throughs security: keys: annotate implicit fall throughs security: keys: annotate implicit fall through capabilities:: annotate implicit fall through ... 2019-02-22T17:56:09Z Gustavo A. R. Silva gustavo@embeddedor.com 2019-02-08T20:54:53Z urn:sha1:09186e503486da4a17f16f2f7c679e6e3e2a32f4 In preparation to enabling -Wimplicit-fallthrough, mark switch cases where we are expecting to fall through. This patch fixes the following warnings: security/integrity/ima/ima_template_lib.c:85:10: warning: this statement may fall through [-Wimplicit-fallthrough=] security/integrity/ima/ima_policy.c:940:18: warning: this statement may fall through [-Wimplicit-fallthrough=] security/integrity/ima/ima_policy.c:943:7: warning: this statement may fall through [-Wimplicit-fallthrough=] security/integrity/ima/ima_policy.c:972:21: warning: this statement may fall through [-Wimplicit-fallthrough=] security/integrity/ima/ima_policy.c:974:7: warning: this statement may fall through [-Wimplicit-fallthrough=] security/smack/smack_lsm.c:3391:9: warning: this statement may fall through [-Wimplicit-fallthrough=] security/apparmor/domain.c:569:6: warning: this statement may fall through [-Wimplicit-fallthrough=] Warning level 3 was used: -Wimplicit-fallthrough=3 Also, add a missing break statement to fix the following warning: security/integrity/ima/ima_appraise.c:116:26: warning: this statement may fall through [-Wimplicit-fallthrough=] Acked-by: John Johansen <john.johansen@canonical.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> Acked-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: James Morris <james.morris@microsoft.com> 2019-02-01T16:01:39Z John Johansen john.johansen@canonical.com 2019-01-24T21:53:05Z urn:sha1:d6d478aee003e19ef90321176552a8ad2929a47f aa_label_merge() can return NULL for memory allocations failures make sure to handle and set the correct error in this case. Reported-by: Peng Hao <peng.hao2@zte.com.cn> Signed-off-by: John Johansen <john.johansen@canonical.com>