When a key is being garbage collected, it's key->user would get put before
the ->destroy() callback is called, where the key is removed from it's
respective tracking structures.

This leaves a key hanging in a semi-invalid state which leaves a window open
for a different task to try an access key->user. An example is
find_keyring_by_name() which would dereference key->user for a key that is
in the process of being garbage collected (where key->user was freed but
->destroy() wasn't called yet - so it's still present in the linked list).

This would cause either a panic, or corrupt memory.

Fixes CVE-2014-9529.
Signed-off-by: NSasha Levin <sasha.levin@oracle.com>
Signed-off-by: NDavid Howells <dhowells@redhat.com>

We already checked if "desc" was NULL at the beginning of the function
and we've dereferenced it so this causes a static checker warning.
Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: NDavid Howells <dhowells@redhat.com>
Signed-off-by: NJames Morris <james.l.morris@oracle.com>

On powerpc we can end up with IMA=y and PPC_PSERIES=n which leads to:

 warning: (IMA) selects TCG_IBMVTPM which has unmet direct dependencies (TCG_TPM && PPC_PSERIES)
  tpm_ibmvtpm.c:(.text+0x14f3e8): undefined reference to `.plpar_hcall_norets'

I'm not sure why IMA needs to select those user-visible symbols, but if
it must then the simplest fix is to just express the proper dependencies
on the select.
Tested-by: NHon Ching (Vicky) Lo <lo1@us.ibm.com>
Signed-off-by: NMichael Ellerman <mpe@ellerman.id.au>
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>

When loading encrypted-keys module, if the last check of
aes_get_sizes() in init_encrypted() fails, the driver just returns an
error without unregistering its key type.  This results in the stale
entry in the list.  In addition to memory leaks, this leads to a kernel
crash when registering a new key type later.

This patch fixes the problem by swapping the calls of aes_get_sizes()
and register_key_type(), and releasing resources properly at the error
paths.

Bugzilla: https://bugzilla.opensuse.org/show_bug.cgi?id=908163
Cc: <stable@vger.kernel.org>
Signed-off-by: NTakashi Iwai <tiwai@suse.de>
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>

Since the keyring facility can be viewed as a cache (at least in some
applications), the local expiration time on the key should probably be viewed
as a 'needs updating after this time' property rather than an absolute 'anyone
now wanting to use this object is out of luck' property.

Since request_key() is the main interface for the usage of keys, this should
update or replace an expired key rather than issuing EKEYEXPIRED if the local
expiration has been reached (ie. it should refresh the cache).

For absolute conditions where refreshing the cache probably doesn't help, the
key can be negatively instantiated using KEYCTL_REJECT_KEY with EKEYEXPIRED
given as the error to issue.  This will still cause request_key() to return
EKEYEXPIRED as that was explicitly set.

In the future, if the key type has an update op available, we might want to
upcall with the expired key and allow the upcall to update it.  We would pass
a different operation name (the first column in /etc/request-key.conf) to the
request-key program.

request_key() returning EKEYEXPIRED is causing an NFS problem which Chuck
Lever describes thusly:

	After about 10 minutes, my NFSv4 functional tests fail because the
	ownership of the test files goes to "-2". Looking at /proc/keys
	shows that the id_resolv keys that map to my test user ID have
	expired. The ownership problem persists until the expired keys are
	purged from the keyring, and fresh keys are obtained.

	I bisected the problem to 3.13 commit b2a4df20 ("KEYS: Expand
	the capacity of a keyring"). This commit inadvertantly changes the
	API contract of the internal function keyring_search_aux().

	The root cause appears to be that b2a4df20 made "no state check"
	the default behavior. "No state check" means the keyring search
	iterator function skips checking the key's expiry timeout, and
	returns expired keys.  request_key_and_link() depends on getting
	an -EAGAIN result code to know when to perform an upcall to refresh
	an expired key.

This patch can be tested directly by:

	keyctl request2 user debug:fred a @s
	keyctl timeout %user:debug:fred 3
	sleep 4
	keyctl request2 user debug:fred a @s

Without the patch, the last command gives error EKEYEXPIRED, but with the
command it gives a new key.
Reported-by: NCarl Hetherington <cth@carlh.net>
Reported-by: NChuck Lever <chuck.lever@oracle.com>
Signed-off-by: NDavid Howells <dhowells@redhat.com>
Tested-by: NChuck Lever <chuck.lever@oracle.com>

Simplify KEYRING_SEARCH_{NO,DO}_STATE_CHECK flags to be two variations of the
same flag.  They are effectively mutually exclusive and one or the other
should be provided, but not both.

Keyring cycle detection and key possession determination are the only things
that set NO_STATE_CHECK, except that neither flag really does anything there
because neither purpose makes use of the keyring_search_iterator() function,
but rather provides their own.

For cycle detection we definitely want to check inside of expired keyrings,
just so that we don't create a cycle we can't get rid of.  Revoked keyrings
are cleared at revocation time and can't then be reused, so shouldn't be a
problem either way.

For possession determination, we *might* want to validate each keyring before
searching it: do you possess a key that's hidden behind an expired or just
plain inaccessible keyring?  Currently, the answer is yes.  Note that you
cannot, however, possess a key behind a revoked keyring because they are
cleared on revocation.

keyring_search() sets DO_STATE_CHECK, which is correct.

request_key_and_link() currently doesn't specify whether to check the key
state or not - but it should set DO_STATE_CHECK.

key_get_instantiation_authkey() also currently doesn't specify whether to
check the key state or not - but it probably should also set DO_STATE_CHECK.
Signed-off-by: NDavid Howells <dhowells@redhat.com>
Tested-by: NChuck Lever <chuck.lever@oracle.com>

When a key description argument is imported into the kernel from userspace, as
happens in add_key(), request_key(), KEYCTL_JOIN_SESSION_KEYRING,
KEYCTL_SEARCH, the description is copied into a buffer up to PAGE_SIZE in size.
PAGE_SIZE, however, is a variable quantity, depending on the arch.  Fix this at
4096 instead (ie. 4095 plus a NUL termination) and define a constant
(KEY_MAX_DESC_SIZE) to this end.

When reading the description back with KEYCTL_DESCRIBE, a PAGE_SIZE internal
buffer is allocated into which the information and description will be
rendered.  This means that the description will get truncated if an extremely
long description it has to be crammed into the buffer with the stringified
information.  There is no particular need to copy the description into the
buffer, so just copy it directly to userspace in a separate operation.
Reported-by: NChristian Kastner <debian@kvr.at>
Signed-off-by: NDavid Howells <dhowells@redhat.com>
Tested-by: NChristian Kastner <debian@kvr.at>

security_ops is not used in this file.
Signed-off-by: NYao Dongdong <yaodongdong@huawei.com>
Signed-off-by: NPaul Moore <pmoore@redhat.com>

Setting smack label on file (e.g. 'attr -S -s SMACK64 -V "test" test')
triggered following spew on the kernel with KASan applied:
    ==================================================================
    BUG: AddressSanitizer: out of bounds access in strncpy+0x28/0x60 at addr ffff8800059ad064
    =============================================================================
    BUG kmalloc-8 (Not tainted): kasan error
    -----------------------------------------------------------------------------

    Disabling lock debugging due to kernel taint
    INFO: Slab 0xffffea0000166b40 objects=128 used=7 fp=0xffff8800059ad080 flags=0x4000000000000080
    INFO: Object 0xffff8800059ad060 @offset=96 fp=0xffff8800059ad080

    Bytes b4 ffff8800059ad050: a0 df 9a 05 00 88 ff ff 5a 5a 5a 5a 5a 5a 5a 5a  ........ZZZZZZZZ
    Object ffff8800059ad060: 74 65 73 74 6b 6b 6b a5                          testkkk.
    Redzone ffff8800059ad068: cc cc cc cc cc cc cc cc                          ........
    Padding ffff8800059ad078: 5a 5a 5a 5a 5a 5a 5a 5a                          ZZZZZZZZ
    CPU: 0 PID: 528 Comm: attr Tainted: G    B          3.18.0-rc1-mm1+ #5
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
     0000000000000000 ffff8800059ad064 ffffffff81534cf2 ffff880005a5bc40
     ffffffff8112fe1a 0000000100800006 0000000f059ad060 ffff880006000f90
     0000000000000296 ffffea0000166b40 ffffffff8107ca97 ffff880005891060
    Call Trace:
    ? dump_stack (lib/dump_stack.c:52)
    ? kasan_report_error (mm/kasan/report.c:102 mm/kasan/report.c:178)
    ? preempt_count_sub (kernel/sched/core.c:2651)
    ? __asan_load1 (mm/kasan/kasan.h:50 mm/kasan/kasan.c:248 mm/kasan/kasan.c:358)
    ? strncpy (lib/string.c:121)
    ? strncpy (lib/string.c:121)
    ? smk_parse_smack (security/smack/smack_access.c:457)
    ? setxattr (fs/xattr.c:343)
    ? smk_import_entry (security/smack/smack_access.c:514)
    ? smack_inode_setxattr (security/smack/smack_lsm.c:1093 (discriminator 1))
    ? security_inode_setxattr (security/security.c:602)
    ? vfs_setxattr (fs/xattr.c:134)
    ? setxattr (fs/xattr.c:343)
    ? setxattr (fs/xattr.c:360)
    ? get_parent_ip (kernel/sched/core.c:2606)
    ? preempt_count_sub (kernel/sched/core.c:2651)
    ? __percpu_counter_add (arch/x86/include/asm/preempt.h:98 lib/percpu_counter.c:90)
    ? get_parent_ip (kernel/sched/core.c:2606)
    ? preempt_count_sub (kernel/sched/core.c:2651)
    ? __mnt_want_write (arch/x86/include/asm/preempt.h:98 fs/namespace.c:359)
    ? path_setxattr (fs/xattr.c:380)
    ? SyS_lsetxattr (fs/xattr.c:397)
    ? system_call_fastpath (arch/x86/kernel/entry_64.S:423)
    Read of size 1 by task attr:
    Memory state around the buggy address:
     ffff8800059ace80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     ffff8800059acf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     ffff8800059acf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    >ffff8800059ad000: 00 fc fc fc 00 fc fc fc 05 fc fc fc 04 fc fc fc
                                                           ^
     ffff8800059ad080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
     ffff8800059ad100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
     ffff8800059ad180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    ==================================================================

strncpy() copies one byte more than the source string has.
Fix this by passing the correct length to strncpy().

Now we can remove initialization of the last byte in 'smack' string
because kzalloc() already did this for us.
Signed-off-by: NAndrey Ryabinin <a.ryabinin@samsung.com>

Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

integrity_kernel_read() duplicates the file read operations code
in vfs_read(). This patch refactors vfs_read() code creating a
helper function __vfs_read(). It is used by both vfs_read() and
integrity_kernel_read().
Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>

This patch provides CONFIG_IMA_APPRAISE_SIGNED_INIT kernel configuration
option to force IMA appraisal using signatures. This is useful, when EVM
key is not initialized yet and we want securely initialize integrity or
any other functionality.

It forces embedded policy to require signature. Signed initialization
script can initialize EVM key, update the IMA policy and change further
requirement of everything to be signed.

Changes in v3:
* kernel parameter fixed to configuration option in the patch description

Changes in v2:
* policy change of this patch separated from the key loading patch
Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>

Keys can only be loaded once the rootfs is mounted. Initcalls
are not suitable for that. This patch defines a special hook
to load the x509 public keys onto the IMA keyring, before
attempting to access any file. The keys are required for
verifying the file's signature. The hook is called after the
root filesystem is mounted and before the kernel calls 'init'.

Changes in v3:
* added more explanation to the patch description (Mimi)

Changes in v2:
* Hook renamed as 'integrity_load_keys()' to handle both IMA and EVM
  keys by integrity subsystem.
* Hook patch moved after defining loading functions
Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>

Define configuration option to load X509 certificate into the
IMA trusted kernel keyring. It implements ima_load_x509() hook
to load X509 certificate into the .ima trusted kernel keyring
from the root filesystem.

Changes in v3:
* use ima_policy_flag in ima_get_action()
  ima_load_x509 temporarily clears ima_policy_flag to disable
  appraisal to load key. Use it to skip appraisal rules.
* Key directory path changed to /etc/keys (Mimi)
* Expand IMA_LOAD_X509 Kconfig help

Changes in v2:
* added '__init'
* use ima_policy_flag to disable appraisal to load keys
Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>

Provide the function to load x509 certificates from the kernel into the
integrity kernel keyring.

Changes in v2:
* configuration option removed
* function declared as '__init'
Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>

This patch defines a new function called integrity_read_file()
to read file from the kernel into a buffer. Subsequent patches
will read a file containing the public keys and load them onto
the IMA keyring.

This patch moves and renames ima_kernel_read(), the non-security
checking version of kernel_read(), to integrity_kernel_read().

Changes in v3:
* Patch descriptions improved (Mimi)
* Add missing cast (kbuild test robot)

Changes in v2:
* configuration option removed
* function declared as '__init'
Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>

Convert WARN_ONCE() to printk() in selinux_nlmsg_perm().

After conversion from audit_log() in commit e173fb26, WARN_ONCE() was
deemed too alarmist, so switch it to printk().
Signed-off-by: NRichard Guy Briggs <rgb@redhat.com>
[PM: Changed to printk(WARNING) so we catch all of the different
 invalid netlink messages.  In Richard's defense, he brought this
 point up earlier, but I didn't understand his point at the time.]
Signed-off-by: NPaul Moore <pmoore@redhat.com>

Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>

The patch use kmem_cache to allocate/free inode_smack since they are
alloced in high volumes making it a perfect case for kmem_cache.

As per analysis, 24 bytes of memory is wasted per allocation due
to internal fragmentation. With kmem_cache, this can be avoided.

Accounting of memory allocation is below :
 total       slack            net      count-alloc/free        caller
Before (with kzalloc)
1919872      719952          1919872      29998/0          new_inode_smack+0x14

After (with kmem_cache)
1201680          0           1201680      30042/0          new_inode_smack+0x18

>From above data, we found that 719952 bytes(~700 KB) of memory is
saved on allocation of 29998 smack inodes.
Signed-off-by: NRohit <rohit.kr@samsung.com>

The lock access mode allows setting a read lock on a file
for with the process has only read access. The floor label is
defined to make it easy to have the basic system installed such
that everyone can read it. Once there's a desire to read lock
(rationally or otherwise) a floor file a rule needs to get set.
This happens all the time, so make the floor label a little bit
more special and allow everyone lock access, too. By implication,
give processes with the hat label (hat can read everything)
lock access as well. This reduces clutter in the Smack rule set.
Signed-off-by: NCasey Schaufler <casey@schaufler-ca.com>

evm_inode_setxattr() can be called with no value. The function does not
check the length so that following command can be used to produce the
kernel oops: setfattr -n security.evm FOO. This patch fixes it.

Changes in v3:
* there is no reason to return different error codes for EVM_XATTR_HMAC
  and non EVM_XATTR_HMAC. Remove unnecessary test then.

Changes in v2:
* testing for validity of xattr type

[ 1106.396921] BUG: unable to handle kernel NULL pointer dereference at           (null)
[ 1106.398192] IP: [<ffffffff812af7b8>] evm_inode_setxattr+0x2a/0x48
[ 1106.399244] PGD 29048067 PUD 290d7067 PMD 0
[ 1106.399953] Oops: 0000 [#1] SMP
[ 1106.400020] Modules linked in: bridge stp llc evdev serio_raw i2c_piix4 button fuse
[ 1106.400020] CPU: 0 PID: 3635 Comm: setxattr Not tainted 3.16.0-kds+ #2936
[ 1106.400020] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 1106.400020] task: ffff8800291a0000 ti: ffff88002917c000 task.ti: ffff88002917c000
[ 1106.400020] RIP: 0010:[<ffffffff812af7b8>]  [<ffffffff812af7b8>] evm_inode_setxattr+0x2a/0x48
[ 1106.400020] RSP: 0018:ffff88002917fd50  EFLAGS: 00010246
[ 1106.400020] RAX: 0000000000000000 RBX: ffff88002917fdf8 RCX: 0000000000000000
[ 1106.400020] RDX: 0000000000000000 RSI: ffffffff818136d3 RDI: ffff88002917fdf8
[ 1106.400020] RBP: ffff88002917fd68 R08: 0000000000000000 R09: 00000000003ec1df
[ 1106.400020] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8800438a0a00
[ 1106.400020] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 1106.400020] FS:  00007f7dfa7d7740(0000) GS:ffff88005da00000(0000) knlGS:0000000000000000
[ 1106.400020] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1106.400020] CR2: 0000000000000000 CR3: 000000003763e000 CR4: 00000000000006f0
[ 1106.400020] Stack:
[ 1106.400020]  ffff8800438a0a00 ffff88002917fdf8 0000000000000000 ffff88002917fd98
[ 1106.400020]  ffffffff812a1030 ffff8800438a0a00 ffff88002917fdf8 0000000000000000
[ 1106.400020]  0000000000000000 ffff88002917fde0 ffffffff8116d08a ffff88002917fdc8
[ 1106.400020] Call Trace:
[ 1106.400020]  [<ffffffff812a1030>] security_inode_setxattr+0x5d/0x6a
[ 1106.400020]  [<ffffffff8116d08a>] vfs_setxattr+0x6b/0x9f
[ 1106.400020]  [<ffffffff8116d1e0>] setxattr+0x122/0x16c
[ 1106.400020]  [<ffffffff811687e8>] ? mnt_want_write+0x21/0x45
[ 1106.400020]  [<ffffffff8114d011>] ? __sb_start_write+0x10f/0x143
[ 1106.400020]  [<ffffffff811687e8>] ? mnt_want_write+0x21/0x45
[ 1106.400020]  [<ffffffff811687c0>] ? __mnt_want_write+0x48/0x4f
[ 1106.400020]  [<ffffffff8116d3e6>] SyS_setxattr+0x6e/0xb0
[ 1106.400020]  [<ffffffff81529da9>] system_call_fastpath+0x16/0x1b
[ 1106.400020] Code: c3 0f 1f 44 00 00 55 48 89 e5 41 55 49 89 d5 41 54 49 89 fc 53 48 89 f3 48 c7 c6 d3 36 81 81 48 89 df e8 18 22 04 00 85 c0 75 07 <41> 80 7d 00 02 74 0d 48 89 de 4c 89 e7 e8 5a fe ff ff eb 03 83
[ 1106.400020] RIP  [<ffffffff812af7b8>] evm_inode_setxattr+0x2a/0x48
[ 1106.400020]  RSP <ffff88002917fd50>
[ 1106.400020] CR2: 0000000000000000
[ 1106.428061] ---[ end trace ae08331628ba3050 ]---
Reported-by: NJan Kara <jack@suse.cz>
Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
Cc: stable@vger.kernel.org
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>

ima_inode_setxattr() can be called with no value. Function does not
check the length so that following command can be used to produce
kernel oops: setfattr -n security.ima FOO. This patch fixes it.

Changes in v3:
* for stable reverted "allow setting hash only in fix or log mode"
  It will be a separate patch.

Changes in v2:
* testing validity of xattr type
* allow setting hash only in fix or log mode (Mimi)

[  261.562522] BUG: unable to handle kernel NULL pointer dereference at           (null)
[  261.564109] IP: [<ffffffff812af272>] ima_inode_setxattr+0x3e/0x5a
[  261.564109] PGD 3112f067 PUD 42965067 PMD 0
[  261.564109] Oops: 0000 [#1] SMP
[  261.564109] Modules linked in: bridge stp llc evdev serio_raw i2c_piix4 button fuse
[  261.564109] CPU: 0 PID: 3299 Comm: setxattr Not tainted 3.16.0-kds+ #2924
[  261.564109] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[  261.564109] task: ffff8800428c2430 ti: ffff880042be0000 task.ti: ffff880042be0000
[  261.564109] RIP: 0010:[<ffffffff812af272>]  [<ffffffff812af272>] ima_inode_setxattr+0x3e/0x5a
[  261.564109] RSP: 0018:ffff880042be3d50  EFLAGS: 00010246
[  261.564109] RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000000015
[  261.564109] RDX: 0000001500000000 RSI: 0000000000000000 RDI: ffff8800375cc600
[  261.564109] RBP: ffff880042be3d68 R08: 0000000000000000 R09: 00000000004d6256
[  261.564109] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88002149ba00
[  261.564109] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  261.564109] FS:  00007f6c1e219740(0000) GS:ffff88005da00000(0000) knlGS:0000000000000000
[  261.564109] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  261.564109] CR2: 0000000000000000 CR3: 000000003b35a000 CR4: 00000000000006f0
[  261.564109] Stack:
[  261.564109]  ffff88002149ba00 ffff880042be3df8 0000000000000000 ffff880042be3d98
[  261.564109]  ffffffff812a101b ffff88002149ba00 ffff880042be3df8 0000000000000000
[  261.564109]  0000000000000000 ffff880042be3de0 ffffffff8116d08a ffff880042be3dc8
[  261.564109] Call Trace:
[  261.564109]  [<ffffffff812a101b>] security_inode_setxattr+0x48/0x6a
[  261.564109]  [<ffffffff8116d08a>] vfs_setxattr+0x6b/0x9f
[  261.564109]  [<ffffffff8116d1e0>] setxattr+0x122/0x16c
[  261.564109]  [<ffffffff811687e8>] ? mnt_want_write+0x21/0x45
[  261.564109]  [<ffffffff8114d011>] ? __sb_start_write+0x10f/0x143
[  261.564109]  [<ffffffff811687e8>] ? mnt_want_write+0x21/0x45
[  261.564109]  [<ffffffff811687c0>] ? __mnt_want_write+0x48/0x4f
[  261.564109]  [<ffffffff8116d3e6>] SyS_setxattr+0x6e/0xb0
[  261.564109]  [<ffffffff81529da9>] system_call_fastpath+0x16/0x1b
[  261.564109] Code: 48 89 f7 48 c7 c6 58 36 81 81 53 31 db e8 73 27 04 00 85 c0 75 28 bf 15 00 00 00 e8 8a a5 d9 ff 84 c0 75 05 83 cb ff eb 15 31 f6 <41> 80 7d 00 03 49 8b 7c 24 68 40 0f 94 c6 e8 e1 f9 ff ff 89 d8
[  261.564109] RIP  [<ffffffff812af272>] ima_inode_setxattr+0x3e/0x5a
[  261.564109]  RSP <ffff880042be3d50>
[  261.564109] CR2: 0000000000000000
[  261.599998] ---[ end trace 39a89a3fc267e652 ]---
Reported-by: NJan Kara <jack@suse.cz>
Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
Cc: stable@vger.kernel.org
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>

sb_finish_set_opts() can race with inode_free_security()
when initializing inode security structures for inodes
created prior to initial policy load or by the filesystem
during ->mount().   This appears to have always been
a possible race, but commit 3dc91d43 ("SELinux:  Fix possible
NULL pointer dereference in selinux_inode_permission()")
made it more evident by immediately reusing the unioned
list/rcu element  of the inode security structure for call_rcu()
upon an inode_free_security().  But the underlying issue
was already present before that commit as a possible use-after-free
of isec.

Shivnandan Kumar reported the list corruption and proposed
a patch to split the list and rcu elements out of the union
as separate fields of the inode_security_struct so that setting
the rcu element would not affect the list element.  However,
this would merely hide the issue and not truly fix the code.

This patch instead moves up the deletion of the list entry
prior to dropping the sbsec->isec_lock initially.  Then,
if the inode is dropped subsequently, there will be no further
references to the isec.
Reported-by: NShivnandan Kumar <shivnandan.k@samsung.com>
Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov>
Cc: stable@vger.kernel.org
Signed-off-by: NPaul Moore <pmoore@redhat.com>

Replaced the use of a Variable Length Array In Struct (VLAIS) with a C99
compliant equivalent. This patch allocates the appropriate amount of memory
using a char array using the SHASH_DESC_ON_STACK macro.

The new code can be compiled with both gcc and clang.
Signed-off-by: NBehan Webster <behanw@converseincode.com>
Reviewed-by: NMark Charlebois <charlebm@gmail.com>
Reviewed-by: NJan-Simon Möller <dl9pf@gmx.de>
Acked-by: NHerbert Xu <herbert@gondor.apana.org.au>
Acked-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
Cc: tglx@linutronix.de

This patch allows users to provide a custom template format through the
new kernel command line parameter 'ima_template_fmt'. If the supplied
format is not valid, IMA uses the default template descriptor.

Changelog:
 - v3:
   - added check for 'fields' and 'num_fields' in
     template_desc_init_fields() (suggested by Mimi Zohar)

 - v2:
   - using template_desc_init_fields() to validate a format string
     (Roberto Sassu)
   - updated documentation by stating that only the chosen template
     descriptor is initialized (Roberto Sassu)

 - v1:
   - simplified code of ima_template_fmt_setup()
     (Roberto Sassu, suggested by Mimi Zohar)
Signed-off-by: NRoberto Sassu <roberto.sassu@polito.it>
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>

The allocation of a field pointers array is moved at the end of
template_desc_init_fields() and done only if the value of the 'fields'
and 'num_fields' parameters is not NULL. For just validating a template
format string, retrieved template field pointers are placed in a temporary
array.

Changelog:
 - v3:
   - do not check in this patch if 'fields' and 'num_fields' are NULL
     (suggested by Mimi Zohar)
Signed-off-by: NRoberto Sassu <roberto.sassu@polito.it>
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>

This patch removes the allocation of a copy of 'template_fmt', needed for
iterating over all fields in the passed template format string. The removal
was possible by replacing strcspn(), which modifies the passed string,
with strchrnul(). The currently processed template field is copied in
a temporary variable.

The purpose of this change is use template_desc_init_fields() in two ways:
for just validating a template format string (the function should work
if called by a setup function, when memory cannot be allocated), and for
actually initializing a template descriptor. The implementation of this
feature will be complete with the next patch.

Changelog:
 - v3:
   - added 'goto out' in template_desc_init_fields() to free allocated
     memory if a template field length is not valid (suggested by
     Mimi Zohar)
Signed-off-by: NRoberto Sassu <roberto.sassu@polito.it>
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>

With the introduction of the 'ima_template_fmt' kernel cmdline parameter,
a user can define a new template descriptor with custom format. However,
in this case, userspace tools will be unable to parse the measurements
list because the new template is unknown. For this reason, this patch
modifies the current IMA behavior to display in the list the template
format instead of the name (only if the length of the latter is zero)
so that a tool can extract needed information if it can handle listed
fields.

This patch also correctly displays the error log message in
ima_init_template() if the selected template cannot be initialized.

Changelog:
 - v3:
   - check the first byte of 'e->template_desc->name' instead of using
     strlen() in ima_fs.c (suggested by Mimi Zohar)

 - v2:
   - print the template format in ima_init_template(), if the selected
     template is custom (Roberto Sassu)

 - v1:
   - fixed patch description (Roberto Sassu, suggested by Mimi Zohar)
   - set 'template_name' variable in ima_fs.c only once
     (Roberto Sassu, suggested by Mimi Zohar)
Signed-off-by: NRoberto Sassu <roberto.sassu@polito.it>
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>

This patch adds some error messages to inform users about the following
events: template descriptor not found, invalid template descriptor,
template field not found and template initialization failed.

Changelog:
 - v2:
   - display an error message if the format string contains too many
     fields (Roberto Sassu)
Signed-off-by: NRoberto Sassu <roberto.sassu@polito.it>
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>

The current implementation uses an atomic counter to provide exclusive
access to the sysfs 'policy' entry to update the IMA policy. While it is
highly unlikely, the usage of a counter might potentially allow another
process to overflow the counter, open the interface and insert additional
rules into the policy being loaded.

This patch replaces using an atomic counter with atomic bit operations
which is more reliable and a widely used method to provide exclusive access.

As bit operation keep the interface locked after successful update, it makes
it unnecessary to verify if the default policy was set or not during parsing
and interface closing. This patch also removes that code.

Changes in v3:
* move audit log message to ima_relead_policy() to report successful and
  unsuccessful result
* unnecessary comment removed

Changes in v2:
* keep interface locked after successful policy load as in original design
* remove sysfs entry as in original design
Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>

Empty policy lines cause parsing failures which is, especially
for new users, hard to spot. This patch prevents it.

Changes in v2:
* strip leading blanks and tabs in rules to prevent parsing failures
Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>

If a rule is a comment, there is no need to allocate an entry.
Move the checking for comments before allocating the entry.
Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>

Audit messages are rate limited, often causing the policy update
info to not be visible.  Report policy loading status also using
pr_info.

Changes in v2:
* reporting moved to ima_release_policy to notice parsing errors
* reporting both completed and failed status
Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>

__getname() uses slab allocation which is faster than kmalloc.
Make use of it.
Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>

If filesystem is mounted read-only or file is immutable, updating
xattr will fail. This is a usual case during early boot until
filesystem is remount read-write. This patch verifies conditions
to skip unnecessary attempt to calculate HMAC and set xattr.

Changes in v2:
* indention changed according to Lindent (requested by Mimi)
Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>

integrity_init_keyring() is used only from kernel '__init'
functions. Add it there as well.
Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>

This patch completes the switching to the 'ima_policy_flag' variable
in the checks at the beginning of IMA functions, starting with the
commit a756024e.

Checking 'iint_initialized' is completely unnecessary, because
S_IMA flag is unset if iint was not allocated. At the same time
the integrity cache is allocated with SLAB_PANIC and the kernel will
panic if the allocation fails during kernel initialization. So on
a running system iint_initialized is always true and can be removed.

Changes in v3:
* not limiting test to IMA_APPRAISE (spotted by Roberto Sassu)

Changes in v2:
* 'iint_initialized' removal patch merged to this patch (requested
   by Mimi)
Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
Acked-by: NRoberto Sassu <roberto.sassu@polito.it>

Latest KEYS code return error if hexadecimal string length id odd.
Fix it.
Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: NDavid Howells <dhowells@redhat.com>

Restructure to keyword=value pairs without spaces.  Drop superfluous words in
text.  Make invalid_context a keyword.  Change result= keyword to seresult=.
Signed-off-by: NRichard Guy Briggs <rgb@redhat.com>
[Minor rewrite to the patch subject line]
Signed-off-by: NPaul Moore <pmoore@redhat.com>