From: Linus Torvalds
Date: Wed, 15 Aug 2018 17:25:26 +0000 (-0700)
Subject: Merge branch 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris...
X-Git-Tag: v4.19~419
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=92d4a03674b8c399c2f547580fa509db78226170;p=platform%2Fkernel%2Flinux-rpi.git

Merge branch 'next-general' of git://git./linux/kernel/git/jmorris/linux-security

Pull security subsystem updates from James Morris:

 - kstrdup() return value fix from Eric Biggers

 - Add new security_load_data hook to differentiate security checking
   of kernel-loaded binaries in the case of there being no associated
   file descriptor, from Mimi Zohar.

 - Add ability to IMA to specify a policy at build-time, rather than
   just via command line params or by loading a custom policy, from
   Mimi.

 - Allow IMA and LSMs to prevent sysfs firmware load fallback (e.g. if
   using signed firmware), from Mimi.

 - Allow IMA to deny loading of kexec kernel images, as they cannot be
   measured by IMA, from Mimi.

* 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  security: check for kstrdup() failure in lsm_append()
  security: export security_kernel_load_data function
  ima: based on policy warn about loading firmware (pre-allocated buffer)
  module: replace the existing LSM hook in init_module
  ima: add build time policy
  ima: based on policy require signed firmware (sysfs fallback)
  firmware: add call to LSM hook before firmware sysfs fallback
  ima: based on policy require signed kexec kernel images
  kexec: add call to LSM hook in original kexec_load syscall
  security: define new LSM hook named security_kernel_load_data
  MAINTAINERS: remove the outdated "LINUX SECURITY MODULE (LSM) FRAMEWORK" entry

--- 92d4a03674b8c399c2f547580fa509db78226170 diff --cc MAINTAINERS index f7a8faf,3119bba..a95a7e6 --- a/MAINTAINERS +++ b/MAINTAINERS @@@ -8336,17 -8315,8 +8336,12 @@@ L: linux-arch@vger.kernel.or S: Supported T: git git://git.kernel.org/pub/scm/linux/kernel/git/paulmck/linux-rcu.git F: tools/memory-model/ +F: Documentation/atomic_bitops.txt +F: Documentation/atomic_t.txt +F: Documentation/core-api/atomic_ops.rst +F: Documentation/core-api/refcount-vs-atomic.rst F: Documentation/memory-barriers.txt - LINUX SECURITY MODULE (LSM) FRAMEWORK - M: Chris Wright - L: linux-security-module@vger.kernel.org - S: Supported - LIS3LV02D ACCELEROMETER DRIVER M: Eric Piel S: Maintained diff --cc include/linux/ima.h index d9ba3fc,84806b5..97914a2 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@@ -16,9 -17,10 +17,10 @@@ struct linux_binprm #ifdef CONFIG_IMA extern int ima_bprm_check(struct linux_binprm *bprm); -extern int ima_file_check(struct file *file, int mask, int opened); +extern int ima_file_check(struct file *file, int mask); extern void ima_file_free(struct file *file); extern int ima_file_mmap(struct file *file, unsigned long prot); + extern int ima_load_data(enum kernel_load_data_id id); extern int ima_read_file(struct file *file, enum 
kernel_read_file_id id); extern int ima_post_read_file(struct file *file, void *buf, loff_t size, enum kernel_read_file_id id); diff --cc security/integrity/ima/ima_main.c index b286f37,dce0a8a..2d31921 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@@ -493,9 -490,52 +490,52 @@@ int ima_post_read_file(struct file *fil func = read_idmap[read_id] ?: FILE_CHECK; security_task_getsecid(current, &secid); return process_measurement(file, current_cred(), secid, buf, size, - MAY_READ, func, 0); + MAY_READ, func); } + /** + * ima_load_data - appraise decision based on policy + * @id: kernel load data caller identifier + * + * Callers of this LSM hook can not measure, appraise, or audit the + * data provided by userspace. Enforce policy rules requring a file + * signature (eg. kexec'ed kernel image). + * + * For permission return 0, otherwise return -EACCES. + */ + int ima_load_data(enum kernel_load_data_id id) + { + bool sig_enforce; + + if ((ima_appraise & IMA_APPRAISE_ENFORCE) != IMA_APPRAISE_ENFORCE) + return 0; + + switch (id) { + case LOADING_KEXEC_IMAGE: + if (ima_appraise & IMA_APPRAISE_KEXEC) { + pr_err("impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.\n"); + return -EACCES; /* INTEGRITY_UNKNOWN */ + } + break; + case LOADING_FIRMWARE: + if (ima_appraise & IMA_APPRAISE_FIRMWARE) { + pr_err("Prevent firmware sysfs fallback loading.\n"); + return -EACCES; /* INTEGRITY_UNKNOWN */ + } + break; + case LOADING_MODULE: + sig_enforce = is_module_sig_enforced(); + + if (!sig_enforce && (ima_appraise & IMA_APPRAISE_MODULES)) { + pr_err("impossible to appraise a module without a file descriptor. sig_enforce kernel parameter might help\n"); + return -EACCES; /* INTEGRITY_UNKNOWN */ + } + default: + break; + } + return 0; + } + static int __init init_ima(void) { int error;
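
Review bot: In the include/linux/ima.h hunk, ima_load_data() is declared only inside the `#ifdef CONFIG_IMA` block, and the visible lines show no counterpart for builds without CONFIG_IMA. If the header's `#else` branch (outside this hunk) does not gain a `static inline int ima_load_data(enum kernel_load_data_id id)` stub returning 0, callers will fail to build with IMA disabled; please confirm the stub is part of the change. The same hunk drops the `opened` argument from ima_file_check(), so every caller has to be converted in the same merge.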
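
Review bot: In ima_load_data() in the security/integrity/ima/ima_main.c hunk, `case LOADING_MODULE:` has no `break` and runs on into `default:`. The result is the same today because `default:` only breaks, but a case inserted between the two later would silently be entered from the module path; add an explicit `break;` after the `if` block. Two smaller points in the same hunk: the kernel-doc comment has a typo ("requring"), and every denial is logged with a plain pr_err(), so consider pr_err_ratelimited() given that the comment describes the rejected data as provided by userspace.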