<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/security/integrity/ima, branch v3.16.52</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>ima: accept previously set IMA_NEW_FILE</title>
<updated>2017-08-26T01:14:23+00:00</updated>
<author>
<name>Daniel Glöckner</name>
<email>dg@emlix.com</email>
</author>
<published>2017-02-24T14:05:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b297f0a2297c79a72ea456ac6aa291c6245d6746'/>
<id>b297f0a2297c79a72ea456ac6aa291c6245d6746</id>
<content type='text'>
commit 1ac202e978e18f045006d75bd549612620c6ec3a upstream.

Modifying the attributes of a file makes ima_inode_post_setattr reset
the IMA cache flags. So if the file, which has just been created,
is opened a second time before the first file descriptor is closed,
verification fails since the security.ima xattr has not been written
yet. We therefore have to look at the IMA_NEW_FILE even if the file
already existed.

With this patch there should no longer be an error when cat tries to
open testfile:

$ rm -f testfile
$ ( echo test &gt;&amp;3 ; touch testfile ; cat testfile ) 3&gt;testfile

A file being new is no reason to accept that it is missing a digital
signature demanded by the policy.

Signed-off-by: Daniel Glöckner &lt;dg@emlix.com&gt;
Signed-off-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 1ac202e978e18f045006d75bd549612620c6ec3a upstream.

Modifying the attributes of a file makes ima_inode_post_setattr reset
the IMA cache flags. So if the file, which has just been created,
is opened a second time before the first file descriptor is closed,
verification fails since the security.ima xattr has not been written
yet. We therefore have to look at the IMA_NEW_FILE even if the file
already existed.

With this patch there should no longer be an error when cat tries to
open testfile:

$ rm -f testfile
$ ( echo test &gt;&amp;3 ; touch testfile ; cat testfile ) 3&gt;testfile

A file being new is no reason to accept that it is missing a digital
signature demanded by the policy.

Signed-off-by: Daniel Glöckner &lt;dg@emlix.com&gt;
Signed-off-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ima: pass 'opened' flag to identify newly created files</title>
<updated>2017-08-26T01:14:23+00:00</updated>
<author>
<name>Dmitry Kasatkin</name>
<email>d.kasatkin@samsung.com</email>
</author>
<published>2014-06-27T15:15:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ad4b000f037c80628e1ecfcc8b782eb2bdec49ca'/>
<id>ad4b000f037c80628e1ecfcc8b782eb2bdec49ca</id>
<content type='text'>
commit 3034a146820c26fe6da66a45f6340fe87fe0983a upstream.

Empty files and missing xattrs do not guarantee that a file was
just created.  This patch passes FILE_CREATED flag to IMA to
reliably identify new files.

Signed-off-by: Dmitry Kasatkin &lt;d.kasatkin@samsung.com&gt;
Signed-off-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;
[bwh: Backported to 3.16: drop change to ima_fw_from_file()]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 3034a146820c26fe6da66a45f6340fe87fe0983a upstream.

Empty files and missing xattrs do not guarantee that a file was
just created.  This patch passes FILE_CREATED flag to IMA to
reliably identify new files.

Signed-off-by: Dmitry Kasatkin &lt;d.kasatkin@samsung.com&gt;
Signed-off-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;
[bwh: Backported to 3.16: drop change to ima_fw_from_file()]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ima: extend "mask" policy matching support</title>
<updated>2015-08-27T14:06:54+00:00</updated>
<author>
<name>Mimi Zohar</name>
<email>zohar@linux.vnet.ibm.com</email>
</author>
<published>2014-11-05T12:53:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c510d7f8f118095abea42b5ff4255abed50c0f50'/>
<id>c510d7f8f118095abea42b5ff4255abed50c0f50</id>
<content type='text'>
commit 4351c294b8c1028077280f761e158d167b592974 upstream.

The current "mask" policy option matches files opened as MAY_READ,
MAY_WRITE, MAY_APPEND or MAY_EXEC.  This patch extends the "mask"
option to match files opened containing one of these modes.  For
example, "mask=^MAY_READ" would match files opened read-write.

Signed-off-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;
Signed-off-by: Dr. Greg Wettstein &lt;gw@idfusion.org&gt;
Signed-off-by: Luis Henriques &lt;luis.henriques@canonical.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 4351c294b8c1028077280f761e158d167b592974 upstream.

The current "mask" policy option matches files opened as MAY_READ,
MAY_WRITE, MAY_APPEND or MAY_EXEC.  This patch extends the "mask"
option to match files opened containing one of these modes.  For
example, "mask=^MAY_READ" would match files opened read-write.

Signed-off-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;
Signed-off-by: Dr. Greg Wettstein &lt;gw@idfusion.org&gt;
Signed-off-by: Luis Henriques &lt;luis.henriques@canonical.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ima: add support for new "euid" policy condition</title>
<updated>2015-08-27T14:04:16+00:00</updated>
<author>
<name>Mimi Zohar</name>
<email>zohar@linux.vnet.ibm.com</email>
</author>
<published>2014-11-05T12:48:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=aced8cce2e008fb49fc95016d2401f529a380ece'/>
<id>aced8cce2e008fb49fc95016d2401f529a380ece</id>
<content type='text'>
commit 139069eff7388407f19794384c42a534d618ccd7 upstream.

The new "euid" policy condition measures files with the specified
effective uid (euid).  In addition, for CAP_SETUID files it measures
files with the specified uid or suid.

Changelog:
- fixed checkpatch.pl warnings
- fixed avc denied {setuid} messages - based on Roberto's feedback

Signed-off-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;
Signed-off-by: Dr. Greg Wettstein &lt;gw@idfusion.org&gt;
Signed-off-by: Luis Henriques &lt;luis.henriques@canonical.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 139069eff7388407f19794384c42a534d618ccd7 upstream.

The new "euid" policy condition measures files with the specified
effective uid (euid).  In addition, for CAP_SETUID files it measures
files with the specified uid or suid.

Changelog:
- fixed checkpatch.pl warnings
- fixed avc denied {setuid} messages - based on Roberto's feedback

Signed-off-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;
Signed-off-by: Dr. Greg Wettstein &lt;gw@idfusion.org&gt;
Signed-off-by: Luis Henriques &lt;luis.henriques@canonical.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ima: fix ima_show_template_data_ascii()</title>
<updated>2015-07-15T09:00:38+00:00</updated>
<author>
<name>Mimi Zohar</name>
<email>zohar@linux.vnet.ibm.com</email>
</author>
<published>2015-06-11T15:54:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=3ff73f91203af1a861a92f73b9342402120c8fc2'/>
<id>3ff73f91203af1a861a92f73b9342402120c8fc2</id>
<content type='text'>
commit 45b26133b97871896b8c5241d59f4ff7839db7b2 upstream.

This patch fixes a bug introduced in "4d7aeee ima: define new template
ima-ng and template fields d-ng and n-ng".

Changelog:
- change int to uint32 (Roberto Sassu's suggestion)

Signed-off-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;
Signed-off-by: Roberto Sassu &lt;rsassu@suse.de&gt;
Signed-off-by: Luis Henriques &lt;luis.henriques@canonical.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 45b26133b97871896b8c5241d59f4ff7839db7b2 upstream.

This patch fixes a bug introduced in "4d7aeee ima: define new template
ima-ng and template fields d-ng and n-ng".

Changelog:
- change int to uint32 (Roberto Sassu's suggestion)

Signed-off-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;
Signed-off-by: Roberto Sassu &lt;rsassu@suse.de&gt;
Signed-off-by: Luis Henriques &lt;luis.henriques@canonical.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ima: check xattr value length and type in the ima_inode_setxattr()</title>
<updated>2014-11-13T11:48:50+00:00</updated>
<author>
<name>Dmitry Kasatkin</name>
<email>d.kasatkin@samsung.com</email>
</author>
<published>2014-10-28T11:31:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2b94fbb8a5cc34e4ad8a6b547a31b23a7d88aa48'/>
<id>2b94fbb8a5cc34e4ad8a6b547a31b23a7d88aa48</id>
<content type='text'>
commit a48fda9de94500a3152a56b723d0a64ae236547c upstream.

ima_inode_setxattr() can be called with no value. Function does not
check the length so that following command can be used to produce
kernel oops: setfattr -n security.ima FOO. This patch fixes it.

Changes in v3:
* for stable reverted "allow setting hash only in fix or log mode"
  It will be a separate patch.

Changes in v2:
* testing validity of xattr type
* allow setting hash only in fix or log mode (Mimi)

[  261.562522] BUG: unable to handle kernel NULL pointer dereference at           (null)
[  261.564109] IP: [&lt;ffffffff812af272&gt;] ima_inode_setxattr+0x3e/0x5a
[  261.564109] PGD 3112f067 PUD 42965067 PMD 0
[  261.564109] Oops: 0000 [#1] SMP
[  261.564109] Modules linked in: bridge stp llc evdev serio_raw i2c_piix4 button fuse
[  261.564109] CPU: 0 PID: 3299 Comm: setxattr Not tainted 3.16.0-kds+ #2924
[  261.564109] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[  261.564109] task: ffff8800428c2430 ti: ffff880042be0000 task.ti: ffff880042be0000
[  261.564109] RIP: 0010:[&lt;ffffffff812af272&gt;]  [&lt;ffffffff812af272&gt;] ima_inode_setxattr+0x3e/0x5a
[  261.564109] RSP: 0018:ffff880042be3d50  EFLAGS: 00010246
[  261.564109] RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000000015
[  261.564109] RDX: 0000001500000000 RSI: 0000000000000000 RDI: ffff8800375cc600
[  261.564109] RBP: ffff880042be3d68 R08: 0000000000000000 R09: 00000000004d6256
[  261.564109] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88002149ba00
[  261.564109] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  261.564109] FS:  00007f6c1e219740(0000) GS:ffff88005da00000(0000) knlGS:0000000000000000
[  261.564109] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  261.564109] CR2: 0000000000000000 CR3: 000000003b35a000 CR4: 00000000000006f0
[  261.564109] Stack:
[  261.564109]  ffff88002149ba00 ffff880042be3df8 0000000000000000 ffff880042be3d98
[  261.564109]  ffffffff812a101b ffff88002149ba00 ffff880042be3df8 0000000000000000
[  261.564109]  0000000000000000 ffff880042be3de0 ffffffff8116d08a ffff880042be3dc8
[  261.564109] Call Trace:
[  261.564109]  [&lt;ffffffff812a101b&gt;] security_inode_setxattr+0x48/0x6a
[  261.564109]  [&lt;ffffffff8116d08a&gt;] vfs_setxattr+0x6b/0x9f
[  261.564109]  [&lt;ffffffff8116d1e0&gt;] setxattr+0x122/0x16c
[  261.564109]  [&lt;ffffffff811687e8&gt;] ? mnt_want_write+0x21/0x45
[  261.564109]  [&lt;ffffffff8114d011&gt;] ? __sb_start_write+0x10f/0x143
[  261.564109]  [&lt;ffffffff811687e8&gt;] ? mnt_want_write+0x21/0x45
[  261.564109]  [&lt;ffffffff811687c0&gt;] ? __mnt_want_write+0x48/0x4f
[  261.564109]  [&lt;ffffffff8116d3e6&gt;] SyS_setxattr+0x6e/0xb0
[  261.564109]  [&lt;ffffffff81529da9&gt;] system_call_fastpath+0x16/0x1b
[  261.564109] Code: 48 89 f7 48 c7 c6 58 36 81 81 53 31 db e8 73 27 04 00 85 c0 75 28 bf 15 00 00 00 e8 8a a5 d9 ff 84 c0 75 05 83 cb ff eb 15 31 f6 &lt;41&gt; 80 7d 00 03 49 8b 7c 24 68 40 0f 94 c6 e8 e1 f9 ff ff 89 d8
[  261.564109] RIP  [&lt;ffffffff812af272&gt;] ima_inode_setxattr+0x3e/0x5a
[  261.564109]  RSP &lt;ffff880042be3d50&gt;
[  261.564109] CR2: 0000000000000000
[  261.599998] ---[ end trace 39a89a3fc267e652 ]---

Reported-by: Jan Kara &lt;jack@suse.cz&gt;
Signed-off-by: Dmitry Kasatkin &lt;d.kasatkin@samsung.com&gt;
Signed-off-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;
Signed-off-by: Luis Henriques &lt;luis.henriques@canonical.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit a48fda9de94500a3152a56b723d0a64ae236547c upstream.

ima_inode_setxattr() can be called with no value. Function does not
check the length so that following command can be used to produce
kernel oops: setfattr -n security.ima FOO. This patch fixes it.

Changes in v3:
* for stable reverted "allow setting hash only in fix or log mode"
  It will be a separate patch.

Changes in v2:
* testing validity of xattr type
* allow setting hash only in fix or log mode (Mimi)

[  261.562522] BUG: unable to handle kernel NULL pointer dereference at           (null)
[  261.564109] IP: [&lt;ffffffff812af272&gt;] ima_inode_setxattr+0x3e/0x5a
[  261.564109] PGD 3112f067 PUD 42965067 PMD 0
[  261.564109] Oops: 0000 [#1] SMP
[  261.564109] Modules linked in: bridge stp llc evdev serio_raw i2c_piix4 button fuse
[  261.564109] CPU: 0 PID: 3299 Comm: setxattr Not tainted 3.16.0-kds+ #2924
[  261.564109] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[  261.564109] task: ffff8800428c2430 ti: ffff880042be0000 task.ti: ffff880042be0000
[  261.564109] RIP: 0010:[&lt;ffffffff812af272&gt;]  [&lt;ffffffff812af272&gt;] ima_inode_setxattr+0x3e/0x5a
[  261.564109] RSP: 0018:ffff880042be3d50  EFLAGS: 00010246
[  261.564109] RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000000015
[  261.564109] RDX: 0000001500000000 RSI: 0000000000000000 RDI: ffff8800375cc600
[  261.564109] RBP: ffff880042be3d68 R08: 0000000000000000 R09: 00000000004d6256
[  261.564109] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88002149ba00
[  261.564109] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  261.564109] FS:  00007f6c1e219740(0000) GS:ffff88005da00000(0000) knlGS:0000000000000000
[  261.564109] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  261.564109] CR2: 0000000000000000 CR3: 000000003b35a000 CR4: 00000000000006f0
[  261.564109] Stack:
[  261.564109]  ffff88002149ba00 ffff880042be3df8 0000000000000000 ffff880042be3d98
[  261.564109]  ffffffff812a101b ffff88002149ba00 ffff880042be3df8 0000000000000000
[  261.564109]  0000000000000000 ffff880042be3de0 ffffffff8116d08a ffff880042be3dc8
[  261.564109] Call Trace:
[  261.564109]  [&lt;ffffffff812a101b&gt;] security_inode_setxattr+0x48/0x6a
[  261.564109]  [&lt;ffffffff8116d08a&gt;] vfs_setxattr+0x6b/0x9f
[  261.564109]  [&lt;ffffffff8116d1e0&gt;] setxattr+0x122/0x16c
[  261.564109]  [&lt;ffffffff811687e8&gt;] ? mnt_want_write+0x21/0x45
[  261.564109]  [&lt;ffffffff8114d011&gt;] ? __sb_start_write+0x10f/0x143
[  261.564109]  [&lt;ffffffff811687e8&gt;] ? mnt_want_write+0x21/0x45
[  261.564109]  [&lt;ffffffff811687c0&gt;] ? __mnt_want_write+0x48/0x4f
[  261.564109]  [&lt;ffffffff8116d3e6&gt;] SyS_setxattr+0x6e/0xb0
[  261.564109]  [&lt;ffffffff81529da9&gt;] system_call_fastpath+0x16/0x1b
[  261.564109] Code: 48 89 f7 48 c7 c6 58 36 81 81 53 31 db e8 73 27 04 00 85 c0 75 28 bf 15 00 00 00 e8 8a a5 d9 ff 84 c0 75 05 83 cb ff eb 15 31 f6 &lt;41&gt; 80 7d 00 03 49 8b 7c 24 68 40 0f 94 c6 e8 e1 f9 ff ff 89 d8
[  261.564109] RIP  [&lt;ffffffff812af272&gt;] ima_inode_setxattr+0x3e/0x5a
[  261.564109]  RSP &lt;ffff880042be3d50&gt;
[  261.564109] CR2: 0000000000000000
[  261.599998] ---[ end trace 39a89a3fc267e652 ]---

Reported-by: Jan Kara &lt;jack@suse.cz&gt;
Signed-off-by: Dmitry Kasatkin &lt;d.kasatkin@samsung.com&gt;
Signed-off-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;
Signed-off-by: Luis Henriques &lt;luis.henriques@canonical.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ima: provide flag to identify new empty files</title>
<updated>2014-10-30T16:40:16+00:00</updated>
<author>
<name>Dmitry Kasatkin</name>
<email>d.kasatkin@samsung.com</email>
</author>
<published>2014-06-27T15:04:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=88a111df23ba853ff85592dbc512a5aa8a348c50'/>
<id>88a111df23ba853ff85592dbc512a5aa8a348c50</id>
<content type='text'>
commit b151d6b00bbb798c58f2f21305e7d43fa763f34f upstream.

On ima_file_free(), newly created empty files are not labeled with
an initial security.ima value, because the iversion did not change.
Commit dff6efc "fs: fix iversion handling" introduced a change in
iversion behavior.  To verify this change use the shell command:

  $ (exec &gt;foo)
  $ getfattr -h -e hex -d -m security foo

This patch defines the IMA_NEW_FILE flag.  The flag is initially
set, when IMA detects that a new file is created, and subsequently
checked on the ima_file_free() hook to set the initial security.ima
value.

Signed-off-by: Dmitry Kasatkin &lt;d.kasatkin@samsung.com&gt;
Signed-off-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit b151d6b00bbb798c58f2f21305e7d43fa763f34f upstream.

On ima_file_free(), newly created empty files are not labeled with
an initial security.ima value, because the iversion did not change.
Commit dff6efc "fs: fix iversion handling" introduced a change in
iversion behavior.  To verify this change use the shell command:

  $ (exec &gt;foo)
  $ getfattr -h -e hex -d -m security foo

This patch defines the IMA_NEW_FILE flag.  The flag is initially
set, when IMA detects that a new file is created, and subsequently
checked on the ima_file_free() hook to set the initial security.ima
value.

Signed-off-by: Dmitry Kasatkin &lt;d.kasatkin@samsung.com&gt;
Signed-off-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>ima: fix fallback to use new_sync_read()</title>
<updated>2014-10-30T16:40:16+00:00</updated>
<author>
<name>Dmitry Kasatkin</name>
<email>d.kasatkin@samsung.com</email>
</author>
<published>2014-06-23T17:32:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b6f9e215ccef639113fae18fc652d201e85aabc0'/>
<id>b6f9e215ccef639113fae18fc652d201e85aabc0</id>
<content type='text'>
commit 27cd1fc3ae5374a4a86662c67033f15ef27b2461 upstream.

3.16 commit aad4f8bb42af06371aa0e85bf0cd9d52c0494985
'switch simple generic_file_aio_read() users to -&gt;read_iter()'
replaced -&gt;aio_read with -&gt;read_iter in most of the file systems
and introduced new_sync_read() as a replacement for do_sync_read().

Most of file systems set '-&gt;read' and ima_kernel_read is not affected.
When -&gt;read is not set, this patch adopts fallback call changes from the
vfs_read.

Signed-off-by: Dmitry Kasatkin &lt;d.kasatkin@samsung.com&gt;
Signed-off-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 27cd1fc3ae5374a4a86662c67033f15ef27b2461 upstream.

3.16 commit aad4f8bb42af06371aa0e85bf0cd9d52c0494985
'switch simple generic_file_aio_read() users to -&gt;read_iter()'
replaced -&gt;aio_read with -&gt;read_iter in most of the file systems
and introduced new_sync_read() as a replacement for do_sync_read().

Most of file systems set '-&gt;read' and ima_kernel_read is not affected.
When -&gt;read is not set, this patch adopts fallback call changes from the
vfs_read.

Signed-off-by: Dmitry Kasatkin &lt;d.kasatkin@samsung.com&gt;
Signed-off-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>ima: introduce ima_kernel_read()</title>
<updated>2014-06-12T21:58:08+00:00</updated>
<author>
<name>Dmitry Kasatkin</name>
<email>d.kasatkin@samsung.com</email>
</author>
<published>2014-05-08T11:03:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=0430e49b6e7c6b5e076be8fefdee089958c9adad'/>
<id>0430e49b6e7c6b5e076be8fefdee089958c9adad</id>
<content type='text'>
Commit 8aac62706 "move exit_task_namespaces() outside of exit_notify"
introduced the kernel opps since the kernel v3.10, which happens when
Apparmor and IMA-appraisal are enabled at the same time.

----------------------------------------------------------------------
[  106.750167] BUG: unable to handle kernel NULL pointer dereference at
0000000000000018
[  106.750221] IP: [&lt;ffffffff811ec7da&gt;] our_mnt+0x1a/0x30
[  106.750241] PGD 0
[  106.750254] Oops: 0000 [#1] SMP
[  106.750272] Modules linked in: cuse parport_pc ppdev bnep rfcomm
bluetooth rpcsec_gss_krb5 nfsd auth_rpcgss nfs_acl nfs lockd sunrpc
fscache dm_crypt intel_rapl x86_pkg_temp_thermal intel_powerclamp
kvm_intel snd_hda_codec_hdmi kvm crct10dif_pclmul crc32_pclmul
ghash_clmulni_intel aesni_intel aes_x86_64 glue_helper lrw gf128mul
ablk_helper cryptd snd_hda_codec_realtek dcdbas snd_hda_intel
snd_hda_codec snd_hwdep snd_pcm snd_page_alloc snd_seq_midi
snd_seq_midi_event snd_rawmidi psmouse snd_seq microcode serio_raw
snd_timer snd_seq_device snd soundcore video lpc_ich coretemp mac_hid lp
parport mei_me mei nbd hid_generic e1000e usbhid ahci ptp hid libahci
pps_core
[  106.750658] CPU: 6 PID: 1394 Comm: mysqld Not tainted 3.13.0-rc7-kds+ #15
[  106.750673] Hardware name: Dell Inc. OptiPlex 9010/0M9KCM, BIOS A08
09/19/2012
[  106.750689] task: ffff8800de804920 ti: ffff880400fca000 task.ti:
ffff880400fca000
[  106.750704] RIP: 0010:[&lt;ffffffff811ec7da&gt;]  [&lt;ffffffff811ec7da&gt;]
our_mnt+0x1a/0x30
[  106.750725] RSP: 0018:ffff880400fcba60  EFLAGS: 00010286
[  106.750738] RAX: 0000000000000000 RBX: 0000000000000100 RCX:
ffff8800d51523e7
[  106.750764] RDX: ffffffffffffffea RSI: ffff880400fcba34 RDI:
ffff880402d20020
[  106.750791] RBP: ffff880400fcbae0 R08: 0000000000000000 R09:
0000000000000001
[  106.750817] R10: 0000000000000000 R11: 0000000000000001 R12:
ffff8800d5152300
[  106.750844] R13: ffff8803eb8df510 R14: ffff880400fcbb28 R15:
ffff8800d51523e7
[  106.750871] FS:  0000000000000000(0000) GS:ffff88040d200000(0000)
knlGS:0000000000000000
[  106.750910] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  106.750935] CR2: 0000000000000018 CR3: 0000000001c0e000 CR4:
00000000001407e0
[  106.750962] Stack:
[  106.750981]  ffffffff813434eb ffff880400fcbb20 ffff880400fcbb18
0000000000000000
[  106.751037]  ffff8800de804920 ffffffff8101b9b9 0001800000000000
0000000000000100
[  106.751093]  0000010000000000 0000000000000002 000000000000000e
ffff8803eb8df500
[  106.751149] Call Trace:
[  106.751172]  [&lt;ffffffff813434eb&gt;] ? aa_path_name+0x2ab/0x430
[  106.751199]  [&lt;ffffffff8101b9b9&gt;] ? sched_clock+0x9/0x10
[  106.751225]  [&lt;ffffffff8134a68d&gt;] aa_path_perm+0x7d/0x170
[  106.751250]  [&lt;ffffffff8101b945&gt;] ? native_sched_clock+0x15/0x80
[  106.751276]  [&lt;ffffffff8134aa73&gt;] aa_file_perm+0x33/0x40
[  106.751301]  [&lt;ffffffff81348c5e&gt;] common_file_perm+0x8e/0xb0
[  106.751327]  [&lt;ffffffff81348d78&gt;] apparmor_file_permission+0x18/0x20
[  106.751355]  [&lt;ffffffff8130c853&gt;] security_file_permission+0x23/0xa0
[  106.751382]  [&lt;ffffffff811c77a2&gt;] rw_verify_area+0x52/0xe0
[  106.751407]  [&lt;ffffffff811c789d&gt;] vfs_read+0x6d/0x170
[  106.751432]  [&lt;ffffffff811cda31&gt;] kernel_read+0x41/0x60
[  106.751457]  [&lt;ffffffff8134fd45&gt;] ima_calc_file_hash+0x225/0x280
[  106.751483]  [&lt;ffffffff8134fb52&gt;] ? ima_calc_file_hash+0x32/0x280
[  106.751509]  [&lt;ffffffff8135022d&gt;] ima_collect_measurement+0x9d/0x160
[  106.751536]  [&lt;ffffffff810b552d&gt;] ? trace_hardirqs_on+0xd/0x10
[  106.751562]  [&lt;ffffffff8134f07c&gt;] ? ima_file_free+0x6c/0xd0
[  106.751587]  [&lt;ffffffff81352824&gt;] ima_update_xattr+0x34/0x60
[  106.751612]  [&lt;ffffffff8134f0d0&gt;] ima_file_free+0xc0/0xd0
[  106.751637]  [&lt;ffffffff811c9635&gt;] __fput+0xd5/0x300
[  106.751662]  [&lt;ffffffff811c98ae&gt;] ____fput+0xe/0x10
[  106.751687]  [&lt;ffffffff81086774&gt;] task_work_run+0xc4/0xe0
[  106.751712]  [&lt;ffffffff81066fad&gt;] do_exit+0x2bd/0xa90
[  106.751738]  [&lt;ffffffff8173c958&gt;] ? retint_swapgs+0x13/0x1b
[  106.751763]  [&lt;ffffffff8106780c&gt;] do_group_exit+0x4c/0xc0
[  106.751788]  [&lt;ffffffff81067894&gt;] SyS_exit_group+0x14/0x20
[  106.751814]  [&lt;ffffffff8174522d&gt;] system_call_fastpath+0x1a/0x1f
[  106.751839] Code: c3 0f 1f 44 00 00 55 48 89 e5 e8 22 fe ff ff 5d c3
0f 1f 44 00 00 55 65 48 8b 04 25 c0 c9 00 00 48 8b 80 28 06 00 00 48 89
e5 5d &lt;48&gt; 8b 40 18 48 39 87 c0 00 00 00 0f 94 c0 c3 0f 1f 80 00 00 00
[  106.752185] RIP  [&lt;ffffffff811ec7da&gt;] our_mnt+0x1a/0x30
[  106.752214]  RSP &lt;ffff880400fcba60&gt;
[  106.752236] CR2: 0000000000000018
[  106.752258] ---[ end trace 3c520748b4732721 ]---
----------------------------------------------------------------------

The reason for the oops is that IMA-appraisal uses "kernel_read()" when
file is closed. kernel_read() honors LSM security hook which calls
Apparmor handler, which uses current-&gt;nsproxy-&gt;mnt_ns. The 'guilty'
commit changed the order of cleanup code so that nsproxy-&gt;mnt_ns was
not already available for Apparmor.

Discussion about the issue with Al Viro and Eric W. Biederman suggested
that kernel_read() is too high-level for IMA. Another issue, except
security checking, that was identified is mandatory locking. kernel_read
honors it as well and it might prevent IMA from calculating necessary hash.
It was suggested to use simplified version of the function without security
and locking checks.

This patch introduces special version ima_kernel_read(), which skips security
and mandatory locking checking. It prevents the kernel oops to happen.

Signed-off-by: Dmitry Kasatkin &lt;d.kasatkin@samsung.com&gt;
Suggested-by: Eric W. Biederman &lt;ebiederm@xmission.com&gt;
Signed-off-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;
Cc: &lt;stable@vger.kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Commit 8aac62706 "move exit_task_namespaces() outside of exit_notify"
introduced the kernel opps since the kernel v3.10, which happens when
Apparmor and IMA-appraisal are enabled at the same time.

----------------------------------------------------------------------
[  106.750167] BUG: unable to handle kernel NULL pointer dereference at
0000000000000018
[  106.750221] IP: [&lt;ffffffff811ec7da&gt;] our_mnt+0x1a/0x30
[  106.750241] PGD 0
[  106.750254] Oops: 0000 [#1] SMP
[  106.750272] Modules linked in: cuse parport_pc ppdev bnep rfcomm
bluetooth rpcsec_gss_krb5 nfsd auth_rpcgss nfs_acl nfs lockd sunrpc
fscache dm_crypt intel_rapl x86_pkg_temp_thermal intel_powerclamp
kvm_intel snd_hda_codec_hdmi kvm crct10dif_pclmul crc32_pclmul
ghash_clmulni_intel aesni_intel aes_x86_64 glue_helper lrw gf128mul
ablk_helper cryptd snd_hda_codec_realtek dcdbas snd_hda_intel
snd_hda_codec snd_hwdep snd_pcm snd_page_alloc snd_seq_midi
snd_seq_midi_event snd_rawmidi psmouse snd_seq microcode serio_raw
snd_timer snd_seq_device snd soundcore video lpc_ich coretemp mac_hid lp
parport mei_me mei nbd hid_generic e1000e usbhid ahci ptp hid libahci
pps_core
[  106.750658] CPU: 6 PID: 1394 Comm: mysqld Not tainted 3.13.0-rc7-kds+ #15
[  106.750673] Hardware name: Dell Inc. OptiPlex 9010/0M9KCM, BIOS A08
09/19/2012
[  106.750689] task: ffff8800de804920 ti: ffff880400fca000 task.ti:
ffff880400fca000
[  106.750704] RIP: 0010:[&lt;ffffffff811ec7da&gt;]  [&lt;ffffffff811ec7da&gt;]
our_mnt+0x1a/0x30
[  106.750725] RSP: 0018:ffff880400fcba60  EFLAGS: 00010286
[  106.750738] RAX: 0000000000000000 RBX: 0000000000000100 RCX:
ffff8800d51523e7
[  106.750764] RDX: ffffffffffffffea RSI: ffff880400fcba34 RDI:
ffff880402d20020
[  106.750791] RBP: ffff880400fcbae0 R08: 0000000000000000 R09:
0000000000000001
[  106.750817] R10: 0000000000000000 R11: 0000000000000001 R12:
ffff8800d5152300
[  106.750844] R13: ffff8803eb8df510 R14: ffff880400fcbb28 R15:
ffff8800d51523e7
[  106.750871] FS:  0000000000000000(0000) GS:ffff88040d200000(0000)
knlGS:0000000000000000
[  106.750910] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  106.750935] CR2: 0000000000000018 CR3: 0000000001c0e000 CR4:
00000000001407e0
[  106.750962] Stack:
[  106.750981]  ffffffff813434eb ffff880400fcbb20 ffff880400fcbb18
0000000000000000
[  106.751037]  ffff8800de804920 ffffffff8101b9b9 0001800000000000
0000000000000100
[  106.751093]  0000010000000000 0000000000000002 000000000000000e
ffff8803eb8df500
[  106.751149] Call Trace:
[  106.751172]  [&lt;ffffffff813434eb&gt;] ? aa_path_name+0x2ab/0x430
[  106.751199]  [&lt;ffffffff8101b9b9&gt;] ? sched_clock+0x9/0x10
[  106.751225]  [&lt;ffffffff8134a68d&gt;] aa_path_perm+0x7d/0x170
[  106.751250]  [&lt;ffffffff8101b945&gt;] ? native_sched_clock+0x15/0x80
[  106.751276]  [&lt;ffffffff8134aa73&gt;] aa_file_perm+0x33/0x40
[  106.751301]  [&lt;ffffffff81348c5e&gt;] common_file_perm+0x8e/0xb0
[  106.751327]  [&lt;ffffffff81348d78&gt;] apparmor_file_permission+0x18/0x20
[  106.751355]  [&lt;ffffffff8130c853&gt;] security_file_permission+0x23/0xa0
[  106.751382]  [&lt;ffffffff811c77a2&gt;] rw_verify_area+0x52/0xe0
[  106.751407]  [&lt;ffffffff811c789d&gt;] vfs_read+0x6d/0x170
[  106.751432]  [&lt;ffffffff811cda31&gt;] kernel_read+0x41/0x60
[  106.751457]  [&lt;ffffffff8134fd45&gt;] ima_calc_file_hash+0x225/0x280
[  106.751483]  [&lt;ffffffff8134fb52&gt;] ? ima_calc_file_hash+0x32/0x280
[  106.751509]  [&lt;ffffffff8135022d&gt;] ima_collect_measurement+0x9d/0x160
[  106.751536]  [&lt;ffffffff810b552d&gt;] ? trace_hardirqs_on+0xd/0x10
[  106.751562]  [&lt;ffffffff8134f07c&gt;] ? ima_file_free+0x6c/0xd0
[  106.751587]  [&lt;ffffffff81352824&gt;] ima_update_xattr+0x34/0x60
[  106.751612]  [&lt;ffffffff8134f0d0&gt;] ima_file_free+0xc0/0xd0
[  106.751637]  [&lt;ffffffff811c9635&gt;] __fput+0xd5/0x300
[  106.751662]  [&lt;ffffffff811c98ae&gt;] ____fput+0xe/0x10
[  106.751687]  [&lt;ffffffff81086774&gt;] task_work_run+0xc4/0xe0
[  106.751712]  [&lt;ffffffff81066fad&gt;] do_exit+0x2bd/0xa90
[  106.751738]  [&lt;ffffffff8173c958&gt;] ? retint_swapgs+0x13/0x1b
[  106.751763]  [&lt;ffffffff8106780c&gt;] do_group_exit+0x4c/0xc0
[  106.751788]  [&lt;ffffffff81067894&gt;] SyS_exit_group+0x14/0x20
[  106.751814]  [&lt;ffffffff8174522d&gt;] system_call_fastpath+0x1a/0x1f
[  106.751839] Code: c3 0f 1f 44 00 00 55 48 89 e5 e8 22 fe ff ff 5d c3
0f 1f 44 00 00 55 65 48 8b 04 25 c0 c9 00 00 48 8b 80 28 06 00 00 48 89
e5 5d &lt;48&gt; 8b 40 18 48 39 87 c0 00 00 00 0f 94 c0 c3 0f 1f 80 00 00 00
[  106.752185] RIP  [&lt;ffffffff811ec7da&gt;] our_mnt+0x1a/0x30
[  106.752214]  RSP &lt;ffff880400fcba60&gt;
[  106.752236] CR2: 0000000000000018
[  106.752258] ---[ end trace 3c520748b4732721 ]---
----------------------------------------------------------------------

The reason for the oops is that IMA-appraisal uses "kernel_read()" when
file is closed. kernel_read() honors LSM security hook which calls
Apparmor handler, which uses current-&gt;nsproxy-&gt;mnt_ns. The 'guilty'
commit changed the order of cleanup code so that nsproxy-&gt;mnt_ns was
not already available for Apparmor.

Discussion about the issue with Al Viro and Eric W. Biederman suggested
that kernel_read() is too high-level for IMA. Another issue, except
security checking, that was identified is mandatory locking. kernel_read
honors it as well and it might prevent IMA from calculating necessary hash.
It was suggested to use simplified version of the function without security
and locking checks.

This patch introduces special version ima_kernel_read(), which skips security
and mandatory locking checking. It prevents the kernel oops to happen.

Signed-off-by: Dmitry Kasatkin &lt;d.kasatkin@samsung.com&gt;
Suggested-by: Eric W. Biederman &lt;ebiederm@xmission.com&gt;
Signed-off-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;
Cc: &lt;stable@vger.kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ima: check inode integrity cache in violation check</title>
<updated>2014-06-12T21:58:07+00:00</updated>
<author>
<name>Dmitry Kasatkin</name>
<email>d.kasatkin@samsung.com</email>
</author>
<published>2014-03-27T08:29:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=14503eb99414ceffe348b82982d5770b745f6626'/>
<id>14503eb99414ceffe348b82982d5770b745f6626</id>
<content type='text'>
When IMA did not support ima-appraisal, existance of the S_IMA flag
clearly indicated that the file was measured. With IMA appraisal S_IMA
flag indicates that file was measured and/or appraised. Because of
this, when measurement is not enabled by the policy, violations are
still reported.

To differentiate between measurement and appraisal policies this
patch checks the inode integrity cache flags.  The IMA_MEASURED
flag indicates whether the file was actually measured, while the
IMA_MEASURE flag indicates whether the file should be measured.
Unfortunately, the IMA_MEASURED flag is reset to indicate the file
needs to be re-measured.  Thus, this patch checks the IMA_MEASURE
flag.

This patch limits the false positive violation reports, but does
not fix it entirely.  The IMA_MEASURE/IMA_MEASURED flags are
indications that, at some point in time, the file opened for read
was in policy, but might not be in policy now (eg. different uid).
Other changes would be needed to further limit false positive
violation reports.

Changelog:
- expanded patch description based on conversation with Roberto (Mimi)

Signed-off-by: Dmitry Kasatkin &lt;d.kasatkin@samsung.com&gt;
Signed-off-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When IMA did not support ima-appraisal, existance of the S_IMA flag
clearly indicated that the file was measured. With IMA appraisal S_IMA
flag indicates that file was measured and/or appraised. Because of
this, when measurement is not enabled by the policy, violations are
still reported.

To differentiate between measurement and appraisal policies this
patch checks the inode integrity cache flags.  The IMA_MEASURED
flag indicates whether the file was actually measured, while the
IMA_MEASURE flag indicates whether the file should be measured.
Unfortunately, the IMA_MEASURED flag is reset to indicate the file
needs to be re-measured.  Thus, this patch checks the IMA_MEASURE
flag.

This patch limits the false positive violation reports, but does
not fix it entirely.  The IMA_MEASURE/IMA_MEASURED flags are
indications that, at some point in time, the file opened for read
was in policy, but might not be in policy now (eg. different uid).
Other changes would be needed to further limit false positive
violation reports.

Changelog:
- expanded patch description based on conversation with Roberto (Mimi)

Signed-off-by: Dmitry Kasatkin &lt;d.kasatkin@samsung.com&gt;
Signed-off-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
