Message ID | 1328088957-27506-2-git-send-email-apw@canonical.com |
---|---|
State | New |
On 01.02.2012 10:35, Andy Whitcroft wrote:
> From: Mimi Zohar <zohar@linux.vnet.ibm.com>
>
> If security_filter_rule_init() doesn't return a rule, then not everything
> is as fine as the return code implies.
>
> This bug only occurs when the LSM (eg. SELinux) is disabled at runtime.
>
> Adding an empty LSM rule causes ima_match_rules() to always succeed,
> ignoring any remaining rules.
>
> default IMA TCB policy:
> # PROC_SUPER_MAGIC
> dont_measure fsmagic=0x9fa0
> # SYSFS_MAGIC
> dont_measure fsmagic=0x62656572
> # DEBUGFS_MAGIC
> dont_measure fsmagic=0x64626720
> # TMPFS_MAGIC
> dont_measure fsmagic=0x01021994
> # SECURITYFS_MAGIC
> dont_measure fsmagic=0x73636673
>
> < LSM specific rule >
> dont_measure obj_type=var_log_t
>
> measure func=BPRM_CHECK
> measure func=FILE_MMAP mask=MAY_EXEC
> measure func=FILE_CHECK mask=MAY_READ uid=0
>
> Thus without the patch, with the boot parameters 'tcb selinux=0', adding
> the above 'dont_measure obj_type=var_log_t' rule to the default IMA TCB
> measurement policy, would result in nothing being measured. The patch
> prevents the default TCB policy from being replaced.
>
> Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
> Cc: James Morris <jmorris@namei.org>
> Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
> Cc: David Safford <safford@watson.ibm.com>
> Cc: <stable@kernel.org>
> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
>
> (cherry picked from commit 867c20265459d30a01b021a9c1e81fb4c5832aa9)
> CVE-2011-0006
> BugLink: http://bugs.launchpad.net/bugs/917808
> Signed-off-by: Andy Whitcroft <apw@canonical.com>
> ---
> security/integrity/ima/ima_policy.c | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index aef8c0a..d661afb 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -253,6 +253,8 @@ static int ima_lsm_rule_init(struct ima_measure_rule_entry *entry, > result = security_filter_rule_init(entry->lsm[lsm_rule].type, > Audit_equal, args, > &entry->lsm[lsm_rule].rule); > + if (!entry->lsm[lsm_rule].rule) > + return -EINVAL; > return result; > } > Checking something exists sounds like a good idea. Acked-by: Stefan Bader <stefan.bader@canonical.com>
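As an added illustration of the failure mode the commit message walks through (constructed for this page; not code from the patch, the kernel tree, or the Ubuntu branch), the C model below evaluates a trimmed-down tcb policy against three file accesses with and without the two-line check. The rule and policy structs, the `lsm_rule_entry()`/`build_policy()`/`measured_files()` helpers, the three sample accesses with their SELinux types, and the 0xef53 ext4 magic are all assumptions made for the example; the stand-in for `security_filter_rule_init()` follows the commit message in reporting success without producing a rule when the LSM is disabled, and the mask/uid conditions on the measure rules are left out.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum { F_FSMAGIC = 1, F_FUNC = 2, F_OBJ_TYPE = 4 };	/* which conditions a rule carries */
enum action { DONT_MEASURE, MEASURE };

struct lsm_rule { const char *label; };	/* stands in for the audit filter rule */

struct ima_rule {
	enum action action; unsigned int flags;
	unsigned long fsmagic; const char *func;
	struct lsm_rule *obj_type;	/* NULL: the LSM returned no rule */
};
struct policy { struct ima_rule rules[8]; int n; };
struct file_ctx { unsigned long fsmagic; const char *func; const char *obj_type; };

/* ima_lsm_rule_init() with (fixed) or without the two-line check.  The
 * inlined stand-in for security_filter_rule_init() mimics an LSM disabled
 * at runtime (selinux=0): it reports success but produces no rule (assumed). */
static int lsm_rule_entry(struct ima_rule *r, bool lsm_enabled, bool fixed,
			  struct lsm_rule *storage, const char *label)
{
	r->flags |= F_OBJ_TYPE;
	storage->label = label;
	r->obj_type = lsm_enabled ? storage : NULL;
	return (fixed && !r->obj_type) ? -EINVAL : 0;
}

static bool rule_matches(const struct ima_rule *r, const struct file_ctx *f)
{
	if ((r->flags & F_FSMAGIC) && r->fsmagic != f->fsmagic)
		return false;
	if ((r->flags & F_FUNC) && strcmp(r->func, f->func) != 0)
		return false;
	/* No rule object means nothing to compare: an empty rule matches every file. */
	if ((r->flags & F_OBJ_TYPE) && r->obj_type &&
	    strcmp(r->obj_type->label, f->obj_type) != 0)
		return false;
	return true;
}

/* First matching rule decides, as ima_match_policy() does. */
static bool should_measure(const struct policy *p, const struct file_ctx *f)
{
	for (int i = 0; i < p->n; i++)
		if (rule_matches(&p->rules[i], f))
			return p->rules[i].action == MEASURE;
	return false;
}

/* Trimmed tcb policy; with_lsm_rule puts 'dont_measure obj_type=var_log_t'
 * ahead of the measure rules.  A rule that fails to parse aborts the load and
 * leaves *p untouched, which is how the fix keeps the default policy in place. */
static int build_policy(struct policy *p, bool with_lsm_rule,
			bool lsm_enabled, bool fixed, struct lsm_rule *storage)
{
	struct ima_rule lsm = { .action = DONT_MEASURE };
	if (with_lsm_rule &&
	    lsm_rule_entry(&lsm, lsm_enabled, fixed, storage, "var_log_t"))
		return -EINVAL;
	p->n = 0;
	p->rules[p->n++] = (struct ima_rule){ .action = DONT_MEASURE,
		.flags = F_FSMAGIC, .fsmagic = 0x9fa0 };	/* PROC_SUPER_MAGIC */
	if (with_lsm_rule)
		p->rules[p->n++] = lsm;
	p->rules[p->n++] = (struct ima_rule){ .action = MEASURE, .flags = F_FUNC, .func = "BPRM_CHECK" };
	p->rules[p->n++] = (struct ima_rule){ .action = MEASURE, .flags = F_FUNC, .func = "FILE_CHECK" };
	return 0;
}

/* How many of three constructed accesses get measured once 'tcb' is loaded
 * and the LSM rule is then added under the given kernel state. */
int measured_files(bool lsm_enabled, bool fixed)
{
	static struct lsm_rule storage;
	const struct file_ctx files[] = {	/* constructed sample accesses */
		{ 0xef53, "BPRM_CHECK", "bin_t" },	/* exec of /bin/ls on ext4 */
		{ 0xef53, "FILE_CHECK", "var_log_t" },	/* root reads /var/log/syslog */
		{ 0x9fa0, "FILE_CHECK", "proc_t" },	/* read of /proc/cpuinfo */
	};
	struct policy p;
	int count = 0;
	build_policy(&p, false, lsm_enabled, fixed, &storage);	/* default tcb */
	build_policy(&p, true, lsm_enabled, fixed, &storage);	/* then the LSM rule */
	for (size_t i = 0; i < sizeof files / sizeof files[0]; i++)
		count += should_measure(&p, &files[i]);
	return count;
}

int main(void)
{
	printf("selinux on          : %d measured\n", measured_files(true, false));
	printf("selinux=0, unpatched: %d measured\n", measured_files(false, false));
	printf("selinux=0, patched  : %d measured\n", measured_files(false, true));
	return 0;
}
```

With SELinux enabled only the /bin/ls exec is measured (the var_log_t read is excluded by the LSM rule, /proc by fsmagic). With selinux=0 on the unpatched logic the empty obj_type rule swallows everything the fsmagic rule did not already exclude and nothing is measured; with the check in place the rule is rejected, the default policy survives, and both the exec and the /var/log read are measured.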
On Wed, Feb 01, 2012 at 09:35:57AM +0000, Andy Whitcroft wrote:
> From: Mimi Zohar <zohar@linux.vnet.ibm.com>
>
> If security_filter_rule_init() doesn't return a rule, then not everything
> is as fine as the return code implies.
>
> This bug only occurs when the LSM (eg. SELinux) is disabled at runtime.
>
> Adding an empty LSM rule causes ima_match_rules() to always succeed,
> ignoring any remaining rules.
>
> default IMA TCB policy:
> # PROC_SUPER_MAGIC
> dont_measure fsmagic=0x9fa0
> # SYSFS_MAGIC
> dont_measure fsmagic=0x62656572
> # DEBUGFS_MAGIC
> dont_measure fsmagic=0x64626720
> # TMPFS_MAGIC
> dont_measure fsmagic=0x01021994
> # SECURITYFS_MAGIC
> dont_measure fsmagic=0x73636673
>
> < LSM specific rule >
> dont_measure obj_type=var_log_t
>
> measure func=BPRM_CHECK
> measure func=FILE_MMAP mask=MAY_EXEC
> measure func=FILE_CHECK mask=MAY_READ uid=0
>
> Thus without the patch, with the boot parameters 'tcb selinux=0', adding
> the above 'dont_measure obj_type=var_log_t' rule to the default IMA TCB
> measurement policy, would result in nothing being measured. The patch
> prevents the default TCB policy from being replaced.
>
> Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
> Cc: James Morris <jmorris@namei.org>
> Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
> Cc: David Safford <safford@watson.ibm.com>
> Cc: <stable@kernel.org>
> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
>
> (cherry picked from commit 867c20265459d30a01b021a9c1e81fb4c5832aa9)
> CVE-2011-0006
> BugLink: http://bugs.launchpad.net/bugs/917808
> Signed-off-by: Andy Whitcroft <apw@canonical.com>
> ---
> security/integrity/ima/ima_policy.c | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index aef8c0a..d661afb 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -253,6 +253,8 @@ static int ima_lsm_rule_init(struct ima_measure_rule_entry *entry, > result = security_filter_rule_init(entry->lsm[lsm_rule].type, > Audit_equal, args, > &entry->lsm[lsm_rule].rule); > + if (!entry->lsm[lsm_rule].rule) > + return -EINVAL; > return result; > } > > -- > 1.7.5.4 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team >
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index aef8c0a..d661afb 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -253,6 +253,8 @@ static int ima_lsm_rule_init(struct ima_measure_rule_entry *entry, result = security_filter_rule_init(entry->lsm[lsm_rule].type, Audit_equal, args, &entry->lsm[lsm_rule].rule); + if (!entry->lsm[lsm_rule].rule) + return -EINVAL; return result; }
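Review bot: the new NULL check in ima_lsm_rule_init() runs before `result` is looked at, so when security_filter_rule_init() fails and leaves the rule unset the caller sees -EINVAL instead of the error the LSM actually reported. Testing the return code first keeps that errno intact and still catches the success-without-a-rule case: `if (result) return result;` followed by `if (!entry->lsm[lsm_rule].rule) return -EINVAL;`. A one-line comment next to the check noting that a zero return with no rule is what a runtime-disabled LSM produces would also spare the next reader a trip to the commit log, since nothing in the hunk itself says why a NULL rule is an error.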