Diffstat (limited to 'recipes/linux/linux-omap-2.6.37/linus/0061-ima-fix-add-LSM-rule-bug.patch')
-rw-r--r-- | recipes/linux/linux-omap-2.6.37/linus/0061-ima-fix-add-LSM-rule-bug.patch | 64 |
1 files changed, 64 insertions, 0 deletions
diff --git a/recipes/linux/linux-omap-2.6.37/linus/0061-ima-fix-add-LSM-rule-bug.patch b/recipes/linux/linux-omap-2.6.37/linus/0061-ima-fix-add-LSM-rule-bug.patch
new file mode 100644
index 0000000000..5c37ce3514
--- /dev/null
+++ b/recipes/linux/linux-omap-2.6.37/linus/0061-ima-fix-add-LSM-rule-bug.patch
@@ -0,0 +1,64 @@
+From 497d2c1cfa523a66bfea594791d8f2a50e5bb0aa Mon Sep 17 00:00:00 2001
+From: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Date: Mon, 3 Jan 2011 14:59:10 -0800
+Subject: [PATCH 61/65] ima: fix add LSM rule bug
+
+If security_filter_rule_init() doesn't return a rule, then not everything
+is as fine as the return code implies.
+
+This bug only occurs when the LSM (eg. SELinux) is disabled at runtime.
+
+Adding an empty LSM rule causes ima_match_rules() to always succeed,
+ignoring any remaining rules.
+
+ default IMA TCB policy:
+ # PROC_SUPER_MAGIC
+ dont_measure fsmagic=0x9fa0
+ # SYSFS_MAGIC
+ dont_measure fsmagic=0x62656572
+ # DEBUGFS_MAGIC
+ dont_measure fsmagic=0x64626720
+ # TMPFS_MAGIC
+ dont_measure fsmagic=0x01021994
+ # SECURITYFS_MAGIC
+ dont_measure fsmagic=0x73636673
+
+ < LSM specific rule >
+ dont_measure obj_type=var_log_t
+
+ measure func=BPRM_CHECK
+ measure func=FILE_MMAP mask=MAY_EXEC
+ measure func=FILE_CHECK mask=MAY_READ uid=0
+
+Thus without the patch, with the boot parameters 'tcb selinux=0', adding
+the above 'dont_measure obj_type=var_log_t' rule to the default IMA TCB
+measurement policy, would result in nothing being measured. The patch
+prevents the default TCB policy from being replaced.
+
+Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
+Cc: James Morris <jmorris@namei.org>
+Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
+Cc: David Safford <safford@watson.ibm.com>
+Cc: <stable@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+ security/integrity/ima/ima_policy.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
+index aef8c0a..d661afb 100644
+--- a/security/integrity/ima/ima_policy.c
++++ b/security/integrity/ima/ima_policy.c
+@@ -253,6 +253,8 @@ static int ima_lsm_rule_init(struct ima_measure_rule_entry *entry,
+ result = security_filter_rule_init(entry->lsm[lsm_rule].type,
+ Audit_equal, args,
+ &entry->lsm[lsm_rule].rule);
++ if (!entry->lsm[lsm_rule].rule)
++ return -EINVAL;
+ return result;
+ }
+
+--
+1.6.6.1
+ |
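Review bot: The new guard on `entry->lsm[lsm_rule].rule` returns -EINVAL unconditionally, so a non-zero `result` that security_filter_rule_init() may have produced alongside a NULL rule is overwritten before the caller sees it; if the LSM hook can fail that way, `return result ? result : -EINVAL;` keeps the real error while still rejecting the empty rule. The security reason for treating a zero return with no rule object as an error is only in the commit message, so the check deserves a comment, e.g. `/* LSM disabled at runtime: no rule object was produced; reject the rule rather than install one that matches everything */`. Rejecting the rule is the fail-closed choice here — per the description the default TCB policy then stays in force instead of an always-matching dont_measure rule silencing all measurement — which is the right outcome for a measurement policy; whether the caller logs the rejected rule is outside the hunk. ima_lsm_rule_init() begins before this hunk, and the claim that the hook returns 0 with a NULL rule when the LSM is disabled is taken from the description rather than from visible code.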