-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl70p5sACgkQONu9yGCS
aT4nRg/9HAG5FdyJgH3OnUY5LtrjtlVpRsD+AgdUnnftpDprZ0m4dZsUuUSF4fJJ
hzEr98/vX41yYqi2ne9mZcPnm4uOw21dEJK9X/2Z5+654i4qOwcv9FfVQSAdSpXC
KEN0rRlZw0MdXwISmU9UbBTwSRqxi0qJNWfSR3rS9DZRiSPhhxElMwbdcYXjpgKR
GZ7Wd/pDb0q371mR2Ar7+13PVxsvBzoEwYUngbeTr3EXtCiWiavBqBzABpJQYH9L
xm5ZfFLwLMsnQSd/gdW7DZGq+6JdLgf6HaY4FOcpkoDo5gSSDc2RNTg8jbzu8dM0
o2Wge54q9aTbuu+sc6k9x5HAaTPdv7uFnORdBvNhYGZWfXv69SZjCFgqwjsmPiww
+wg6D4uYWeh+faIz4tNBHk/bjIIMACnSJifsd131aXUed1cm4GeeQEQgimT8ea99
uOZrKPSTd+tbY3tZJrX2TyixYKgtaegdYTh3GWLx0AmYS8dOTHKfezUMMtFj4F7F
XTbZ3IWyVTSynO/7LRLdEGwAZjA/vWCK3YQS95qVCY1ni7h2vZw4FQb2C9CHyHAq
BIqiu2rOvxAsmIgh6GFcLLYN6cAa+lgIifmOMn2DPYrfF2gcrrGt6iOm1fc0gr5t
QbNYK7OQ/1L70BgvnI1lDAl4qG6lhSKV28SB6Csbzrz5WYzbfnE=
=iU+4
-----END PGP SIGNATURE-----
Merge 4.19.130 into android-4.19-stable
Changes in 4.19.130
power: supply: bq24257_charger: Replace depends on REGMAP_I2C with select
clk: sunxi: Fix incorrect usage of round_down()
ASoC: tegra: tegra_wm8903: Support nvidia, headset property
i2c: piix4: Detect secondary SMBus controller on AMD AM4 chipsets
iio: pressure: bmp280: Tolerate IRQ before registering
remoteproc: Fix IDR initialisation in rproc_alloc()
clk: qcom: msm8916: Fix the address location of pll->config_reg
backlight: lp855x: Ensure regulators are disabled on probe failure
ASoC: davinci-mcasp: Fix dma_chan refcnt leak when getting dma type
ARM: integrator: Add some Kconfig selections
scsi: qedi: Check for buffer overflow in qedi_set_path()
ALSA: hda/realtek - Introduce polarity for micmute LED GPIO
ALSA: isa/wavefront: prevent out of bounds write in ioctl
PCI: Allow pci_resize_resource() for devices on root bus
scsi: qla2xxx: Fix issue with adapter's stopping state
iio: bmp280: fix compensation of humidity
f2fs: report delalloc reserve as non-free in statfs for project quota
i2c: pxa: clear all master action bits in i2c_pxa_stop_message()
clk: samsung: Mark top ISP and CAM clocks on Exynos542x as critical
usblp: poison URBs upon disconnect
serial: 8250: Fix max baud limit in generic 8250 port
dm mpath: switch paths in dm_blk_ioctl() code path
PCI: aardvark: Don't blindly enable ASPM L0s and don't write to read-only register
ps3disk: use the default segment boundary
vfio/pci: fix memory leaks in alloc_perm_bits()
RDMA/mlx5: Add init2init as a modify command
m68k/PCI: Fix a memory leak in an error handling path
gpio: dwapb: Call acpi_gpiochip_free_interrupts() on GPIO chip de-registration
mfd: wm8994: Fix driver operation if loaded as modules
scsi: lpfc: Fix lpfc_nodelist leak when processing unsolicited event
clk: clk-flexgen: fix clock-critical handling
powerpc/perf/hv-24x7: Fix inconsistent output values incase multiple hv-24x7 events run
nfsd: Fix svc_xprt refcnt leak when setup callback client failed
PCI: vmd: Filter resource type bits from shadow register
powerpc/crashkernel: Take "mem=" option into account
pwm: img: Call pm_runtime_put() in pm_runtime_get_sync() failed case
yam: fix possible memory leak in yam_init_driver
NTB: ntb_pingpong: Choose doorbells based on port number
NTB: Fix the default port and peer numbers for legacy drivers
mksysmap: Fix the mismatch of '.L' symbols in System.map
apparmor: fix introspection of of task mode for unconfined tasks
apparmor: check/put label on apparmor_sk_clone_security()
ASoC: meson: add missing free_irq() in error path
scsi: sr: Fix sr_probe() missing deallocate of device minor
scsi: ibmvscsi: Don't send host info in adapter info MAD after LPM
apparmor: fix nnp subset test for unconfined
x86/purgatory: Disable various profiling and sanitizing options
staging: greybus: fix a missing-check bug in gb_lights_light_config()
arm64: dts: mt8173: fix unit name warnings
scsi: qedi: Do not flush offload work if ARP not resolved
ARM: dts: sun8i-h2-plus-bananapi-m2-zero: Fix led polarity
gpio: dwapb: Append MODULE_ALIAS for platform driver
scsi: qedf: Fix crash when MFW calls for protocol stats while function is still probing
pinctrl: rza1: Fix wrong array assignment of rza1l_swio_entries
firmware: qcom_scm: fix bogous abuse of dma-direct internals
staging: gasket: Fix mapping refcnt leak when put attribute fails
staging: gasket: Fix mapping refcnt leak when register/store fails
ALSA: usb-audio: Improve frames size computation
ALSA: usb-audio: Fix racy list management in output queue
s390/qdio: put thinint indicator after early error
tty: hvc: Fix data abort due to race in hvc_open
slimbus: ngd: get drvdata from correct device
thermal/drivers/ti-soc-thermal: Avoid dereferencing ERR_PTR
usb: dwc3: gadget: Properly handle failed kick_transfer
staging: sm750fb: add missing case while setting FB_VISUAL
PCI: v3-semi: Fix a memory leak in v3_pci_probe() error handling paths
i2c: pxa: fix i2c_pxa_scream_blue_murder() debug output
serial: amba-pl011: Make sure we initialize the port.lock spinlock
drivers: base: Fix NULL pointer exception in __platform_driver_probe() if a driver developer is foolish
PCI: rcar: Fix incorrect programming of OB windows
PCI/ASPM: Allow ASPM on links to PCIe-to-PCI/PCI-X Bridges
scsi: qla2xxx: Fix warning after FC target reset
power: supply: lp8788: Fix an error handling path in 'lp8788_charger_probe()'
power: supply: smb347-charger: IRQSTAT_D is volatile
scsi: mpt3sas: Fix double free warnings
pinctrl: rockchip: fix memleak in rockchip_dt_node_to_map
dlm: remove BUG() before panic()
clk: ti: composite: fix memory leak
PCI: Fix pci_register_host_bridge() device_register() error handling
powerpc/64: Don't initialise init_task->thread.regs
tty: n_gsm: Fix SOF skipping
tty: n_gsm: Fix waking up upper tty layer when room available
HID: Add quirks for Trust Panora Graphic Tablet
ipmi: use vzalloc instead of kmalloc for user creation
powerpc/pseries/ras: Fix FWNMI_VALID off by one
powerpc/ps3: Fix kexec shutdown hang
vfio-pci: Mask cap zero
usb/ohci-platform: Fix a warning when hibernating
drm/msm/mdp5: Fix mdp5_init error path for failed mdp5_kms allocation
ASoC: Intel: bytcr_rt5640: Add quirk for Toshiba Encore WT8-A tablet
USB: host: ehci-mxc: Add error handling in ehci_mxc_drv_probe()
tty: n_gsm: Fix bogus i++ in gsm_data_kick
fpga: dfl: afu: Corrected error handling levels
clk: samsung: exynos5433: Add IGNORE_UNUSED flag to sclk_i2s1
scsi: target: tcmu: Userspace must not complete queued commands
arm64: tegra: Fix ethernet phy-mode for Jetson Xavier
powerpc/64s/pgtable: fix an undefined behaviour
dm zoned: return NULL if dmz_get_zone_for_reclaim() fails to find a zone
PCI/PTM: Inherit Switch Downstream Port PTM settings from Upstream Port
PCI: dwc: Fix inner MSI IRQ domain registration
IB/cma: Fix ports memory leak in cma_configfs
watchdog: da9062: No need to ping manually before setting timeout
usb: dwc2: gadget: move gadget resume after the core is in L0 state
USB: gadget: udc: s3c2410_udc: Remove pointless NULL check in s3c2410_udc_nuke
usb: gadget: lpc32xx_udc: don't dereference ep pointer before null check
usb: gadget: fix potential double-free in m66592_probe.
usb: gadget: Fix issue with config_ep_by_speed function
RDMA/iw_cxgb4: cleanup device debugfs entries on ULD remove
x86/apic: Make TSC deadline timer detection message visible
ASoC: fix incomplete error-handling in img_i2s_in_probe.
scsi: target: tcmu: Fix a use after free in tcmu_check_expired_queue_cmd()
clk: bcm2835: Fix return type of bcm2835_register_gate
scsi: ufs-qcom: Fix scheduling while atomic issue
KVM: PPC: Book3S HV: Ignore kmemleak false positives
clk: sprd: return correct type of value for _sprd_pll_recalc_rate
net: sunrpc: Fix off-by-one issues in 'rpc_ntop6'
NFSv4.1 fix rpc_call_done assignment for BIND_CONN_TO_SESSION
of: Fix a refcounting bug in __of_attach_node_sysfs()
powerpc/4xx: Don't unmap NULL mbase
extcon: adc-jack: Fix an error handling path in 'adc_jack_probe()'
ASoC: fsl_asrc_dma: Fix dma_chan leak when config DMA channel failed
vfio/mdev: Fix reference count leak in add_mdev_supported_type
rxrpc: Adjust /proc/net/rxrpc/calls to display call->debug_id not user_ID
openrisc: Fix issue with argument clobbering for clone/fork
gfs2: Allow lock_nolock mount to specify jid=X
scsi: iscsi: Fix reference count leak in iscsi_boot_create_kobj
scsi: ufs: Don't update urgent bkops level when toggling auto bkops
pinctrl: imxl: Fix an error handling path in 'imx1_pinctrl_core_probe()'
pinctrl: freescale: imx: Fix an error handling path in 'imx_pinctrl_probe()'
crypto: omap-sham - add proper load balancing support for multicore
geneve: change from tx_error to tx_dropped on missing metadata
lib/zlib: remove outdated and incorrect pre-increment optimization
include/linux/bitops.h: avoid clang shift-count-overflow warnings
elfnote: mark all .note sections SHF_ALLOC
selftests/vm/pkeys: fix alloc_random_pkey() to make it really random
blktrace: use errno instead of bi_status
blktrace: fix endianness in get_pdu_int()
blktrace: fix endianness for blk_log_remap()
gfs2: fix use-after-free on transaction ail lists
ntb_perf: pass correct struct device to dma_alloc_coherent
ntb_tool: pass correct struct device to dma_alloc_coherent
NTB: ntb_tool: reading the link file should not end in a NULL byte
NTB: Revert the change to use the NTB device dev for DMA allocations
NTB: perf: Don't require one more memory window than number of peers
NTB: perf: Fix support for hardware that doesn't have port numbers
NTB: perf: Fix race condition when run with ntb_test
NTB: ntb_test: Fix bug when counting remote files
drivers/perf: hisi: Fix wrong value for all counters enable
selftests/net: in timestamping, strncpy needs to preserve null byte
afs: Fix memory leak in afs_put_sysnames()
ASoC: core: only convert non DPCM link to DPCM link
ASoC: Intel: bytcr_rt5640: Add quirk for Toshiba Encore WT10-A tablet
ASoC: rt5645: Add platform-data for Asus T101HA
drm/sun4i: hdmi ddc clk: Fix size of m divider
scsi: acornscsi: Fix an error handling path in acornscsi_probe()
x86/idt: Keep spurious entries unset in system_vectors
net/filter: Permit reading NET in load_bytes_relative when MAC not set
xdp: Fix xsk_generic_xmit errno
usb/xhci-plat: Set PM runtime as active on resume
usb: host: ehci-platform: add a quirk to avoid stuck
usb/ehci-platform: Set PM runtime as active on resume
perf report: Fix NULL pointer dereference in hists__fprintf_nr_sample_events()
ext4: stop overwrite the errcode in ext4_setup_super
bcache: fix potential deadlock problem in btree_gc_coalesce
afs: Fix non-setting of mtime when writing into mmap
afs: afs_write_end() should change i_size under the right lock
block: Fix use-after-free in blkdev_get()
arm64: hw_breakpoint: Don't invoke overflow handler on uaccess watchpoints
libata: Use per port sync for detach
drm: encoder_slave: fix refcouting error for modules
drm/dp_mst: Reformat drm_dp_check_act_status() a bit
drm/qxl: Use correct notify port address when creating cursor ring
drm/amdgpu: Replace invalid device ID with a valid device ID
selinux: fix double free
ext4: fix partial cluster initialization when splitting extent
ext4: avoid race conditions when remounting with options that change dax
drm/dp_mst: Increase ACT retry timeout to 3s
x86/boot/compressed: Relax sed symbol type regex for LLVM ld.lld
block: nr_sects_write(): Disable preemption on seqcount write
mtd: rawnand: Pass a nand_chip object to nand_scan()
mtd: rawnand: Pass a nand_chip object to nand_release()
mtd: rawnand: diskonchip: Fix the probe error path
mtd: rawnand: sharpsl: Fix the probe error path
mtd: rawnand: xway: Fix the probe error path
mtd: rawnand: orion: Fix the probe error path
mtd: rawnand: oxnas: Add of_node_put()
mtd: rawnand: oxnas: Fix the probe error path
mtd: rawnand: socrates: Fix the probe error path
mtd: rawnand: plat_nand: Fix the probe error path
mtd: rawnand: mtk: Fix the probe error path
mtd: rawnand: tmio: Fix the probe error path
s390: fix syscall_get_error for compat processes
drm/i915: Whitelist context-local timestamp in the gen9 cmdparser
drm/i915/icl+: Fix hotplug interrupt disabling after storm detection
crypto: algif_skcipher - Cap recv SG list at ctx->used
crypto: algboss - don't wait during notifier callback
kprobes: Fix to protect kick_kprobe_optimizer() by kprobe_mutex
e1000e: Do not wake up the system via WOL if device wakeup is disabled
net: octeon: mgmt: Repair filling of RX ring
kretprobe: Prevent triggering kretprobe from within kprobe_flush_task
sched/rt, net: Use CONFIG_PREEMPTION.patch
net: core: device_rename: Use rwsem instead of a seqcount
Revert "dpaa_eth: fix usage as DSA master, try 3"
md: add feature flag MD_FEATURE_RAID0_LAYOUT
kvm: x86: Move kvm_set_mmio_spte_mask() from x86.c to mmu.c
kvm: x86: Fix reserved bits related calculation errors caused by MKTME
KVM: x86/mmu: Set mmio_value to '0' if reserved #PF can't be generated
Linux 4.19.130
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I8fff23470852b747c3d75461b45f9d77460062d3
commit 65de50969a77509452ae590e9449b70a22b923bb upstream.
Clang's static analysis tool reports these double free memory errors.
security/selinux/ss/services.c:2987:4: warning: Attempt to free released memory [unix.Malloc]
kfree(bnames[i]);
^~~~~~~~~~~~~~~~
security/selinux/ss/services.c:2990:2: warning: Attempt to free released memory [unix.Malloc]
kfree(bvalues);
^~~~~~~~~~~~~~
So improve the security_get_bools error handling by freeing these variables
and setting their return pointers to NULL and the return len to 0
Cc: stable@vger.kernel.org
Signed-off-by: Tom Rix <trix@redhat.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl6yVZMACgkQONu9yGCS
aT7+oBAApTDE7RPVMZ3k1p3fg01Fpa26WUQmmG8QtRYtH9CTjux0BfbA7zFuWOSO
qIm/oCvrfdPmO3CcAwYdwU/fiBiUR/jXFM1VolUvKAtP+jaTKZ48TI4Bz9TjMtZE
2h3XPiMrbtOzKwqWJCcksQPbtGZBxg1PFc2lm4bFatnI+HsZmJMkib2/3g64Jcdy
aZ9hcPvH2WW9+nxig8FtDCAhZ/019P+74ji5E/FzhmUONkMzXg5iRcJLhBjzYMiv
5Y7J+ONPAkxkmm+Zze32lue1FP2iZwruNrlk5BJaCof2zJfmbcW06r65X5OX5bAi
XMkxgEmrnQxxMyEz7TMw8McFQG1vpA728glTWzsW3Y/kNeTy+dt6DfTa+cjGn2Ky
k2EOSZqf+G9bd/LjUldfkkGJa+Tv7a+J7A+IVnrOeg1VvI/6/JgI5pyyQVLlH6t3
DfcyMG32Y85QB0Am08lSobV0CxZ6plNLsIuIN1b1iCbq64y7BHf4oeo48VnaFGFR
F83HeSxOo8fXoxaMZyJ/bVdC8vrn9QNWWEfmdqXnFhLXqdllSIDG8KRPxbgciZWS
ShabaEsXZxtyf+8e0VxpXx0A7THsPWbJ/4REpS6mPpfIWpi0gcHnpsT+k6sbtJ68
8uJrouDLXDei7ll1E5FZWhKbEfwUpBRmFKW+YDjZKeg5R/FuQug=
=giKj
-----END PGP SIGNATURE-----
Merge 4.19.121 into android-4.19
Changes in 4.19.121
drm/edid: Fix off-by-one in DispID DTD pixel clock
drm/qxl: qxl_release leak in qxl_draw_dirty_fb()
drm/qxl: qxl_release leak in qxl_hw_surface_alloc()
drm/qxl: qxl_release use after free
btrfs: fix block group leak when removing fails
ALSA: hda/realtek - Two front mics on a Lenovo ThinkCenter
ALSA: usb-audio: Correct a typo of NuPrime DAC-10 USB ID
ALSA: hda/hdmi: fix without unlocked before return
ALSA: pcm: oss: Place the plugin buffer overflow checks correctly
PM: ACPI: Output correct message on target power state
PM: hibernate: Freeze kernel threads in software_resume()
dm verity fec: fix hash block number in verity_fec_decode
dm writecache: fix data corruption when reloading the target
dm multipath: use updated MPATHF_QUEUE_IO on mapping for bio-based mpath
scsi: qla2xxx: set UNLOADING before waiting for session deletion
scsi: qla2xxx: check UNLOADING before posting async work
RDMA/mlx5: Set GRH fields in query QP on RoCE
RDMA/mlx4: Initialize ib_spec on the stack
RDMA/core: Prevent mixed use of FDs between shared ufiles
RDMA/core: Fix race between destroy and release FD object
vfio: avoid possible overflow in vfio_iommu_type1_pin_pages
vfio/type1: Fix VA->PA translation for PFNMAP VMAs in vaddr_get_pfn()
iommu/qcom: Fix local_base status check
scsi: target/iblock: fix WRITE SAME zeroing
iommu/amd: Fix legacy interrupt remapping for x2APIC-enabled system
ALSA: opti9xx: shut up gcc-10 range warning
nfs: Fix potential posix_acl refcnt leak in nfs3_set_acl
dmaengine: dmatest: Fix iteration non-stop logic
selinux: properly handle multiple messages in selinux_netlink_send()
btrfs: fix partial loss of prealloc extent past i_size after fsync
btrfs: transaction: Avoid deadlock due to bad initialization timing of fs_info::journal_info
mmc: cqhci: Avoid false "cqhci: CQE stuck on" by not open-coding timeout loop
mmc: sdhci-xenon: fix annoying 1.8V regulator warning
mmc: sdhci-pci: Fix eMMC driver strength for BYT-based controllers
mmc: sdhci-msm: Enable host capabilities pertains to R1b response
mmc: meson-mx-sdio: Set MMC_CAP_WAIT_WHILE_BUSY
mmc: meson-mx-sdio: remove the broken ->card_busy() op
Linux 4.19.121
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Iba9e535d8be8646d141c60515e02989eb64397ab
commit fb73974172ffaaf57a7c42f35424d9aece1a5af6 upstream.
Fix the SELinux netlink_send hook to properly handle multiple netlink
messages in a single sk_buff; each message is parsed and subject to
SELinux access control. Prior to this patch, SELinux only inspected
the first message in the sk_buff.
Cc: stable@vger.kernel.org
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl5TfLwACgkQONu9yGCS
aT5wlRAAhZELK39c78NMCTZKHtKGLsGb2os2IiI7zIRbqNNwnvJi+jAc3kgbS9jP
+W+wnhYFtFisDvqdCQ009I6A0NA1p3Nqy166JplW0iIg1e7rgUKKUfabCN9sJmjh
HGK913cJlHwGmkSxq//sBucBwWhYYGaHec28pZ7uCFATjWrTaH3G4VrvLStuicYR
YgS9MH261tWJKJm5+V2MxnOOI0103+Uey+xVqwSnLlV+qmasxwDCMU5ae+SK7e7f
cXIkNZwvDph1zunekHg+jd64GN3GYswXVcRighWP0n7Lr+0tGPN7SY5pvZIjZLv/
sdroyrqAxytTYP32hypIUgsToVvJr7zXD09LGdsgOCKVwFVn8yl1e4zgGKH3L9Xu
OK2krI90v1MVevibyaNndZ4UDKilF75oE2YYDOFW/BU1lorFAIzk4hh15CfKc8s1
KHRjePfcgQREs/SGK8k2BAmf/JwxFN1/Ro5dl7MvKn07ZYqx6QOwUoMhgxspIntN
9TlFw6elu1RSwu2BFts9wvoHO1tr7GZBa1cVkNF8qV1rzaGVY68aLDvvHGdffD6W
JgX+BCfr6vcN7R4izak1RxzAoqDrRxS0vWoC1vVsPqeIIZydSxpYDquaFnbZm+Wc
MRuh5gpQ2PzTXuMLeBB+ig6UnzsAO3x+3yIG/l5ZmmYxJbMFBKU=
=zE/i
-----END PGP SIGNATURE-----
Merge 4.19.106 into android-4.19
Changes in 4.19.106
core: Don't skip generic XDP program execution for cloned SKBs
enic: prevent waking up stopped tx queues over watchdog reset
net/smc: fix leak of kernel memory to user space
net: dsa: tag_qca: Make sure there is headroom for tag
net/sched: matchall: add missing validation of TCA_MATCHALL_FLAGS
net/sched: flower: add missing validation of TCA_FLOWER_FLAGS
Revert "KVM: nVMX: Use correct root level for nested EPT shadow page tables"
Revert "KVM: VMX: Add non-canonical check on writes to RTIT address MSRs"
KVM: nVMX: Use correct root level for nested EPT shadow page tables
drm/gma500: Fixup fbdev stolen size usage evaluation
cpu/hotplug, stop_machine: Fix stop_machine vs hotplug order
brcmfmac: Fix use after free in brcmf_sdio_readframes()
leds: pca963x: Fix open-drain initialization
ext4: fix ext4_dax_read/write inode locking sequence for IOCB_NOWAIT
ALSA: ctl: allow TLV read operation for callback type of element in locked case
gianfar: Fix TX timestamping with a stacked DSA driver
pinctrl: sh-pfc: sh7264: Fix CAN function GPIOs
pxa168fb: Fix the function used to release some memory in an error handling path
media: i2c: mt9v032: fix enum mbus codes and frame sizes
powerpc/powernv/iov: Ensure the pdn for VFs always contains a valid PE number
gpio: gpio-grgpio: fix possible sleep-in-atomic-context bugs in grgpio_irq_map/unmap()
iommu/vt-d: Fix off-by-one in PASID allocation
char/random: silence a lockdep splat with printk()
media: sti: bdisp: fix a possible sleep-in-atomic-context bug in bdisp_device_run()
pinctrl: baytrail: Do not clear IRQ flags on direct-irq enabled pins
efi/x86: Map the entire EFI vendor string before copying it
MIPS: Loongson: Fix potential NULL dereference in loongson3_platform_init()
sparc: Add .exit.data section.
uio: fix a sleep-in-atomic-context bug in uio_dmem_genirq_irqcontrol()
usb: gadget: udc: fix possible sleep-in-atomic-context bugs in gr_probe()
usb: dwc2: Fix IN FIFO allocation
clocksource/drivers/bcm2835_timer: Fix memory leak of timer
kselftest: Minimise dependency of get_size on C library interfaces
jbd2: clear JBD2_ABORT flag before journal_reset to update log tail info when load journal
x86/sysfb: Fix check for bad VRAM size
pwm: omap-dmtimer: Simplify error handling
s390/pci: Fix possible deadlock in recover_store()
powerpc/iov: Move VF pdev fixup into pcibios_fixup_iov()
tracing: Fix tracing_stat return values in error handling paths
tracing: Fix very unlikely race of registering two stat tracers
ARM: 8952/1: Disable kmemleak on XIP kernels
ext4, jbd2: ensure panic when aborting with zero errno
ath10k: Correct the DMA direction for management tx buffers
drm/amd/display: Retrain dongles when SINK_COUNT becomes non-zero
nbd: add a flush_workqueue in nbd_start_device
KVM: s390: ENOTSUPP -> EOPNOTSUPP fixups
kconfig: fix broken dependency in randconfig-generated .config
clk: qcom: rcg2: Don't crash if our parent can't be found; return an error
drm/amdgpu: remove 4 set but not used variable in amdgpu_atombios_get_connector_info_from_object_table
drm/amdgpu: Ensure ret is always initialized when using SOC15_WAIT_ON_RREG
regulator: rk808: Lower log level on optional GPIOs being not available
net/wan/fsl_ucc_hdlc: reject muram offsets above 64K
NFC: port100: Convert cpu_to_le16(le16_to_cpu(E1) + E2) to use le16_add_cpu().
selinux: fall back to ref-walk if audit is required
arm64: dts: allwinner: H6: Add PMU mode
arm: dts: allwinner: H3: Add PMU node
selinux: ensure we cleanup the internal AVC counters on error in avc_insert()
arm64: dts: qcom: msm8996: Disable USB2 PHY suspend by core
ARM: dts: imx6: rdu2: Disable WP for USDHC2 and USDHC3
ARM: dts: imx6: rdu2: Limit USBH1 to Full Speed
PCI: iproc: Apply quirk_paxc_bridge() for module as well as built-in
media: cx23885: Add support for AVerMedia CE310B
PCI: Add generic quirk for increasing D3hot delay
PCI: Increase D3 delay for AMD Ryzen5/7 XHCI controllers
media: v4l2-device.h: Explicitly compare grp{id,mask} to zero in v4l2_device macros
reiserfs: Fix spurious unlock in reiserfs_fill_super() error handling
r8169: check that Realtek PHY driver module is loaded
fore200e: Fix incorrect checks of NULL pointer dereference
netfilter: nft_tunnel: add the missing ERSPAN_VERSION nla_policy
ALSA: usx2y: Adjust indentation in snd_usX2Y_hwdep_dsp_status
b43legacy: Fix -Wcast-function-type
ipw2x00: Fix -Wcast-function-type
iwlegacy: Fix -Wcast-function-type
rtlwifi: rtl_pci: Fix -Wcast-function-type
orinoco: avoid assertion in case of NULL pointer
ACPICA: Disassembler: create buffer fields in ACPI_PARSE_LOAD_PASS1
scsi: ufs: Complete pending requests in host reset and restore path
scsi: aic7xxx: Adjust indentation in ahc_find_syncrate
drm/mediatek: handle events when enabling/disabling crtc
ARM: dts: r8a7779: Add device node for ARM global timer
selinux: ensure we cleanup the internal AVC counters on error in avc_update()
dmaengine: Store module owner in dma_device struct
dmaengine: imx-sdma: Fix memory leak
crypto: chtls - Fixed memory leak
x86/vdso: Provide missing include file
PM / devfreq: rk3399_dmc: Add COMPILE_TEST and HAVE_ARM_SMCCC dependency
pinctrl: sh-pfc: sh7269: Fix CAN function GPIOs
reset: uniphier: Add SCSSI reset control for each channel
RDMA/rxe: Fix error type of mmap_offset
clk: sunxi-ng: add mux and pll notifiers for A64 CPU clock
ALSA: sh: Fix unused variable warnings
clk: uniphier: Add SCSSI clock gate for each channel
ALSA: sh: Fix compile warning wrt const
tools lib api fs: Fix gcc9 stringop-truncation compilation error
ACPI: button: Add DMI quirk for Razer Blade Stealth 13 late 2019 lid switch
mlx5: work around high stack usage with gcc
drm: remove the newline for CRC source name.
ARM: dts: stm32: Add power-supply for DSI panel on stm32f469-disco
usbip: Fix unsafe unaligned pointer usage
udf: Fix free space reporting for metadata and virtual partitions
staging: rtl8188: avoid excessive stack usage
IB/hfi1: Add software counter for ctxt0 seq drop
soc/tegra: fuse: Correct straps' address for older Tegra124 device trees
efi/x86: Don't panic or BUG() on non-critical error conditions
rcu: Use WRITE_ONCE() for assignments to ->pprev for hlist_nulls
Input: edt-ft5x06 - work around first register access error
x86/nmi: Remove irq_work from the long duration NMI handler
wan: ixp4xx_hss: fix compile-testing on 64-bit
ASoC: atmel: fix build error with CONFIG_SND_ATMEL_SOC_DMA=m
tty: synclinkmp: Adjust indentation in several functions
tty: synclink_gt: Adjust indentation in several functions
visorbus: fix uninitialized variable access
driver core: platform: Prevent resouce overflow from causing infinite loops
driver core: Print device when resources present in really_probe()
bpf: Return -EBADRQC for invalid map type in __bpf_tx_xdp_map
vme: bridges: reduce stack usage
drm/nouveau/secboot/gm20b: initialize pointer in gm20b_secboot_new()
drm/nouveau/gr/gk20a,gm200-: add terminators to method lists read from fw
drm/nouveau: Fix copy-paste error in nouveau_fence_wait_uevent_handler
drm/nouveau/drm/ttm: Remove set but not used variable 'mem'
drm/nouveau/fault/gv100-: fix memory leak on module unload
drm/vmwgfx: prevent memory leak in vmw_cmdbuf_res_add
usb: musb: omap2430: Get rid of musb .set_vbus for omap2430 glue
iommu/arm-smmu-v3: Use WRITE_ONCE() when changing validity of an STE
f2fs: set I_LINKABLE early to avoid wrong access by vfs
f2fs: free sysfs kobject
scsi: iscsi: Don't destroy session if there are outstanding connections
arm64: fix alternatives with LLVM's integrated assembler
drm/amd/display: fixup DML dependencies
watchdog/softlockup: Enforce that timestamp is valid on boot
f2fs: fix memleak of kobject
x86/mm: Fix NX bit clearing issue in kernel_map_pages_in_pgd
pwm: omap-dmtimer: Remove PWM chip in .remove before making it unfunctional
cmd64x: potential buffer overflow in cmd64x_program_timings()
ide: serverworks: potential overflow in svwks_set_pio_mode()
pwm: Remove set but not set variable 'pwm'
btrfs: fix possible NULL-pointer dereference in integrity checks
btrfs: safely advance counter when looking up bio csums
btrfs: device stats, log when stats are zeroed
module: avoid setting info->name early in case we can fall back to info->mod->name
remoteproc: Initialize rproc_class before use
irqchip/mbigen: Set driver .suppress_bind_attrs to avoid remove problems
ALSA: hda/hdmi - add retry logic to parse_intel_hdmi()
kbuild: use -S instead of -E for precise cc-option test in Kconfig
x86/decoder: Add TEST opcode to Group3-2
s390: adjust -mpacked-stack support check for clang 10
s390/ftrace: generate traced function stack frame
driver core: platform: fix u32 greater or equal to zero comparison
ALSA: hda - Add docking station support for Lenovo Thinkpad T420s
drm/nouveau/mmu: fix comptag memory leak
powerpc/sriov: Remove VF eeh_dev state when disabling SR-IOV
bcache: cached_dev_free needs to put the sb page
iommu/vt-d: Remove unnecessary WARN_ON_ONCE()
selftests: bpf: Reset global state between reuseport test runs
jbd2: switch to use jbd2_journal_abort() when failed to submit the commit record
jbd2: make sure ESHUTDOWN to be recorded in the journal superblock
ARM: 8951/1: Fix Kexec compilation issue.
hostap: Adjust indentation in prism2_hostapd_add_sta
iwlegacy: ensure loop counter addr does not wrap and cause an infinite loop
cifs: fix NULL dereference in match_prepath
bpf: map_seq_next should always increase position index
ceph: check availability of mds cluster on mount after wait timeout
rbd: work around -Wuninitialized warning
irqchip/gic-v3: Only provision redistributors that are enabled in ACPI
drm/nouveau/disp/nv50-: prevent oops when no channel method map provided
ftrace: fpid_next() should increase position index
trigger_next should increase position index
radeon: insert 10ms sleep in dce5_crtc_load_lut
ocfs2: fix a NULL pointer dereference when call ocfs2_update_inode_fsync_trans()
lib/scatterlist.c: adjust indentation in __sg_alloc_table
reiserfs: prevent NULL pointer dereference in reiserfs_insert_item()
bcache: explicity type cast in bset_bkey_last()
irqchip/gic-v3-its: Reference to its_invall_cmd descriptor when building INVALL
iwlwifi: mvm: Fix thermal zone registration
microblaze: Prevent the overflow of the start
brd: check and limit max_part par
drm/amdgpu/smu10: fix smu10_get_clock_by_type_with_latency
drm/amdgpu/smu10: fix smu10_get_clock_by_type_with_voltage
NFS: Fix memory leaks
help_next should increase position index
cifs: log warning message (once) if out of disk space
virtio_balloon: prevent pfn array overflow
mlxsw: spectrum_dpipe: Add missing error path
drm/amdgpu/display: handle multiple numbers of fclks in dcn_calcs.c (v2)
Linux 4.19.106
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ia1032b50dd82b42e13973120dcbf94ae7b864648
[ Upstream commit 030b995ad9ece9fa2d218af4429c1c78c2342096 ]
In AVC update we don't call avc_node_kill() when avc_xperms_populate()
fails, resulting in the avc->avc_cache.active_nodes counter having a
false value. In last patch this changes was missed , so correcting it.
Fixes: fa1aa143ac ("selinux: extended permissions for ioctls")
Signed-off-by: Jaihind Yadav <jaihindyadav@codeaurora.org>
Signed-off-by: Ravi Kumar Siddojigari <rsiddoji@codeaurora.org>
[PM: merge fuzz, minor description cleanup]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit d8db60cb23e49a92cf8cada3297395c7fa50fdf8 ]
Fix avc_insert() to call avc_node_kill() if we've already allocated
an AVC node and the code fails to insert the node in the cache.
Fixes: fa1aa143ac ("selinux: extended permissions for ioctls")
Reported-by: rsiddoji@codeaurora.org
Suggested-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 0188d5c025ca8fe756ba3193bd7d150139af5a88 ]
commit bda0be7ad9 ("security: make inode_follow_link RCU-walk aware")
passed down the rcu flag to the SELinux AVC, but failed to adjust the
test in slow_avc_audit() to also return -ECHILD on LSM_AUDIT_DATA_DENTRY.
Previously, we only returned -ECHILD if generating an audit record with
LSM_AUDIT_DATA_INODE since this was only relevant from inode_permission.
Move the handling of MAY_NOT_BLOCK to avc_audit() and its inlined
equivalent in selinux_inode_permission() immediately after we determine
that audit is required, and always fall back to ref-walk in this case.
Fixes: bda0be7ad9 ("security: make inode_follow_link RCU-walk aware")
Reported-by: Will Deacon <will@kernel.org>
Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Map the permission gating RTM_GETLINK messages to a new permission so
that it can be distinguished from the other netlink route permissions
in selinux policy.
This is a temporary Android-only patch that will be deprecated in
newer kernels once the long-term solution lands as discusssed on the
mailing list [1]. The maintainer's recommended solution is more
general, much more complex, and likely not suitable for backporting.
This patch provides the minimal change needed for Android including
the userspace settable trigger which ensures that the permission
change is only applied to the newest version of Android which
contains the changes needed for userpace compatibility.
[1]: https://lore.kernel.org/selinux/20200116142653.61738-1-jeffv@google.com/
Bug: 141455849
Bug: 148218425
Test: CtsSelinuxTargetSdkCurrentTestCases
Test: atest bionic-unit-tests-static
Test: atest NetworkInterfaceTest
Test: Connect to Wi-Fi network
Test: Set up hotspot
Test: Cast from device
Test: Pair Bluetooth device
Test: Call getifaddrs() directly from within an app.
Test: Call NetworkInterface#getNetworkInterfaces() from within an app.
Change-Id: I7b44ce60ad98f858c412722d41b9842f8577151f
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
This patch allows genfscon per-file labeling for binderfs.
This is required to have separate permissions to allow
access to binder, hwbinder and vndbinder devices which are
relocating to binderfs.
Acked-by: Jeff Vander Stoep <jeffv@google.com>
Acked-by: Mark Salyzyn <salyzyn@android.com>
Signed-off-by: Hridya Valsaraju <hridya@google.com>
Bug: 136497735
(cherry picked from commit 7a4b51947475a7f67e2bd06c4a4c768e2e64a975
git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
master)
Link: https://lore.kernel.org/patchwork/patch/1175776/
Change-Id: I105cc54b30ddd4120dc23a363bddc2f9d00e4dc4
[ Upstream commit c1a85a00ea66cb6f0bd0f14e47c28c2b0999799f ]
This patch provides a general mechanism for passing flags to the
security_capable LSM hook. It replaces the specific 'audit' flag that is
used to tell security_capable whether it should log an audit message for
the given capability check. The reason for generalizing this flag
passing is so we can add an additional flag that signifies whether
security_capable is being called by a setid syscall (which is needed by
the proposed SafeSetID LSM).
Signed-off-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: James Morris <james.morris@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
In current mainline, the degree of access to perf_event_open(2) system
call depends on the perf_event_paranoid sysctl. This has a number of
limitations:
1. The sysctl is only a single value. Many types of accesses are controlled
based on the single value thus making the control very limited and
coarse grained.
2. The sysctl is global, so if the sysctl is changed, then that means
all processes get access to perf_event_open(2) opening the door to
security issues.
This patch adds LSM and SELinux access checking which will be used in
Android to access perf_event_open(2) for the purposes of attaching BPF
programs to tracepoints, perf profiling and other operations from
userspace. These operations are intended for production systems.
5 new LSM hooks are added:
1. perf_event_open: This controls access during the perf_event_open(2)
syscall itself. The hook is called from all the places that the
perf_event_paranoid sysctl is checked to keep it consistent with the
systctl. The hook gets passed a 'type' argument which controls CPU,
kernel and tracepoint accesses (in this context, CPU, kernel and
tracepoint have the same semantics as the perf_event_paranoid sysctl).
Additionally, I added an 'open' type which is similar to
perf_event_paranoid sysctl == 3 patch carried in Android and several other
distros but was rejected in mainline [1] in 2016.
2. perf_event_alloc: This allocates a new security object for the event
which stores the current SID within the event. It will be useful when
the perf event's FD is passed through IPC to another process which may
try to read the FD. Appropriate security checks will limit access.
3. perf_event_free: Called when the event is closed.
4. perf_event_read: Called from the read(2) and mmap(2) syscalls for the event.
5. perf_event_write: Called from the ioctl(2) syscalls for the event.
[1] https://lwn.net/Articles/696240/
Since Peter had suggest LSM hooks in 2016 [1], I am adding his
Suggested-by tag below.
To use this patch, we set the perf_event_paranoid sysctl to -1 and then
apply selinux checking as appropriate (default deny everything, and then
add policy rules to give access to domains that need it). In the future
we can remove the perf_event_paranoid sysctl altogether.
Suggested-by: Peter Zijlstra <peterz@infradead.org>
Co-developed-by: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Joel Fernandes (Google) <joel@joelfernandes.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: James Morris <jmorris@namei.org>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: rostedt@goodmis.org
Cc: Yonghong Song <yhs@fb.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: jeffv@google.com
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: primiano@google.com
Cc: Song Liu <songliubraving@fb.com>
Cc: rsavitski@google.com
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Matthew Garrett <matthewgarrett@google.com>
Link: https://lkml.kernel.org/r/20191014170308.70668-1-joel@joelfernandes.org
(cherry picked from commit da97e18458fb42d7c00fac5fd1c56a3896ec666e)
[ Ryan Savitski: Resolved conflicts with existing code, and folded in
upstream ae79d5588a04 (perf/core: Fix !CONFIG_PERF_EVENTS build
warnings and failures). This should fix the build errors from the
previous backport attempt, where certain configurations would end up
with functions referring to the perf_event struct prior to its
declaration (and therefore declaring it with a different scope). ]
Bug: 137092007
Signed-off-by: Ryan Savitski <rsavitski@google.com>
Change-Id: Ief8c669083c81f4ea2fa75d5c0d947d19ea741b3
This reverts commit 8af21ac176 as it
breaks the build :(
Cc: Joel Fernandes (Google) <joel@joelfernandes.org>
Cc: Ryan Savitski <rsavitski@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This replaces the reverse table lookup and reverse cache with a
hashtable which improves cache-miss reverse-lookup times from
O(n) to O(1)* and maintains the same performance as a reverse
cache hit.
This reduces the time needed to add a new sidtab entry from ~500us
to 5us on a Pixel 3 when there are ~10,000 sidtab entries.
The implementation uses the kernel's generic hashtable API,
It uses the context's string represtation as the hash source,
and the kernels generic string hashing algorithm full_name_hash()
to reduce the string to a 32 bit value.
This change also maintains the improvement introduced in
commit ee1a84fdfeed ("selinux: overhaul sidtab to fix bug and improve
performance") which removed the need to keep the current sidtab
locked during policy reload. It does however introduce periodic
locking of the target sidtab while converting the hashtable. Sidtab
entries are never modified or removed, so the context struct stored
in the sid_to_context tree can also be used for the context_to_sid
hashtable to reduce memory usage.
This bug was reported by:
- On the selinux bug tracker.
BUG: kernel softlockup due to too many SIDs/contexts #37https://github.com/SELinuxProject/selinux-kernel/issues/37
- Jovana Knezevic on Android's bugtracker.
Bug: 140252993
"During multi-user performance testing, we create and remove users
many times. selinux_android_restorecon_pkgdir goes from 1ms to over
20ms after about 200 user creations and removals. Accumulated over
~280 packages, that adds a significant time to user creation,
making perf benchmarks unreliable."
* Hashtable lookup is only O(1) when n < the number of buckets.
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Reported-by: Stephen Smalley <sds@tycho.nsa.gov>
Reported-by: Jovana Knezevic <jovanak@google.com>
Reviewed-by: Stephen Smalley <sds@tycho.nsa.gov>
Tested-by: Stephen Smalley <sds@tycho.nsa.gov>
[PM: subj tweak, removed changelog from patch description]
Signed-off-by: Paul Moore <paul@paul-moore.com>
(cherry picked from commit 66f8e2f03c02e812002f8e9e465681cc62edda5b)
Bug: 140252993
Change-Id: Iead2a1d90731ae24fefec2a40af5ffdc457ac916
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
As noted in Documentation/atomic_t.txt, if we don't need the RMW atomic
operations, we should only use READ_ONCE()/WRITE_ONCE() +
smp_rmb()/smp_wmb() where necessary (or the combined variants
smp_load_acquire()/smp_store_release()).
This patch converts the sidtab code to use regular u32 for the counter
and reverse lookup cache and use the appropriate operations instead of
atomic_get()/atomic_set(). Note that when reading/updating the reverse
lookup cache we don't need memory barriers as it doesn't need to be
consistent or accurate. We can now also replace some atomic ops with
regular loads (when under spinlock) and stores (for conversion target
fields that are always accessed under the master table's spinlock).
We can now also bump SIDTAB_MAX to U32_MAX as we can use the full u32
range again.
Suggested-by: Jann Horn <jannh@google.com>
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-by: Jann Horn <jannh@google.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
(cherry picked from commit 116f21bb967fcef1fa360fe591a2947481788020)
Change-Id: I15ecafe9be3cc434fc91978d6621333b8a5669cb
Bug: 140252993
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
We need to error out when trying to add an entry above SIDTAB_MAX in
sidtab_reverse_lookup() to avoid overflow on the odd chance that this
happens.
Cc: stable@vger.kernel.org
Fixes: ee1a84fdfeed ("selinux: overhaul sidtab to fix bug and improve performance")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
(cherry picked from commit acbc372e6109c803cbee4733769d02008381740f)
Change-Id: I88e6b5b1626c901e41ecbf1dfdded6f4e7301332
Bug: 140252993
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
string_to_context_struct() may garble the context string, so we need to
copy back the contents again from the old context struct to avoid
storing the corrupted context.
Since string_to_context_struct() tokenizes (and therefore truncates) the
context string and we are later potentially copying it with kstrdup(),
this may eventually cause pieces of uninitialized kernel memory to be
disclosed to userspace (when copying to userspace based on the stored
length and not the null character).
How to reproduce on Fedora and similar:
# dnf install -y memcached
# systemctl start memcached
# semodule -d memcached
# load_policy
# load_policy
# systemctl stop memcached
# ausearch -m AVC
type=AVC msg=audit(1570090572.648:313): avc: denied { signal } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon=73797374656D5F75007400000000000070BE6E847296FFFF726F6D000096FFFF76
Cc: stable@vger.kernel.org
Reported-by: Milos Malik <mmalik@redhat.com>
Fixes: ee1a84fdfeed ("selinux: overhaul sidtab to fix bug and improve performance")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
(cherry picked from commit 2a5243937c700ffe6a28e6557a4562a9ab0a17a4)
Change-Id: I56add9632ba622b956adb00a2b1ecfc608a37c32
Bug: 140252993
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Before this patch, during a policy reload the sidtab would become frozen
and trying to map a new context to SID would be unable to add a new
entry to sidtab and fail with -ENOMEM.
Such failures are usually propagated into userspace, which has no way of
distignuishing them from actual allocation failures and thus doesn't
handle them gracefully. Such situation can be triggered e.g. by the
following reproducer:
while true; do load_policy; echo -n .; sleep 0.1; done &
for (( i = 0; i < 1024; i++ )); do
runcon -l s0:c$i echo -n x || break
# or:
# chcon -l s0:c$i <some_file> || break
done
This patch overhauls the sidtab so it doesn't need to be frozen during
policy reload, thus solving the above problem.
The new SID table leverages the fact that SIDs are allocated
sequentially and are never invalidated and stores them in linear buckets
indexed by a tree structure. This brings several advantages:
1. Fast SID -> context lookup - this lookup can now be done in
logarithmic time complexity (usually in less than 4 array lookups)
and can still be done safely without locking.
2. No need to re-search the whole table on reverse lookup miss - after
acquiring the spinlock only the newly added entries need to be
searched, which means that reverse lookups that end up inserting a
new entry are now about twice as fast.
3. No need to freeze sidtab during policy reload - it is now possible
to handle insertion of new entries even during sidtab conversion.
The tree structure of the new sidtab is able to grow automatically to up
to about 2^31 entries (at which point it should not have more than about
4 tree levels). The old sidtab had a theoretical capacity of almost 2^32
entries, but half of that is still more than enough since by that point
the reverse table lookups would become unusably slow anyway...
The number of entries per tree node is selected automatically so that
each node fits into a single page, which should be the easiest size for
kmalloc() to handle.
Note that the cache for reverse lookup is preserved with equivalent
logic. The only difference is that instead of storing pointers to the
hash table nodes it stores just the indices of the cached entries.
The new cache ensures that the indices are loaded/stored atomically, but
it still has the drawback that concurrent cache updates may mess up the
contents of the cache. Such situation however only reduces its
effectivity, not the correctness of lookups.
Tested by selinux-testsuite and thoroughly tortured by this simple
stress test:
```
function rand_cat() {
echo $(( $RANDOM % 1024 ))
}
function do_work() {
while true; do
echo -n "system_u:system_r:kernel_t:s0:c$(rand_cat),c$(rand_cat)" \
>/sys/fs/selinux/context 2>/dev/null || true
done
}
do_work >/dev/null &
do_work >/dev/null &
do_work >/dev/null &
while load_policy; do echo -n .; sleep 0.1; done
kill %1
kill %2
kill %3
```
Link: https://github.com/SELinuxProject/selinux-kernel/issues/38
Reported-by: Orion Poplawski <orion@nwra.com>
Reported-by: Li Kun <hw.likun@huawei.com>
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-by: Stephen Smalley <sds@tycho.nsa.gov>
[PM: most of sidtab.c merged by hand due to conflicts]
[PM: checkpatch fixes in mls.c, services.c, sidtab.c]
Signed-off-by: Paul Moore <paul@paul-moore.com>
(cherry picked from commit ee1a84fdfeedfd7362e9a8a8f15fedc3482ade2d)
Change-Id: I0c3e122cbbf307ad558eb9283127b30118767a53
Bug: 140252993
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
The intended behavior change for this patch is to reject any MLS strings
that contain (trailing) garbage if p->mls_enabled is true.
As suggested by Paul Moore, change mls_context_to_sid() so that the two
parts of the range are extracted before the rest of the parsing. Because
now we don't have to scan for two different separators simultaneously
everywhere, we can actually switch to strchr() everywhere instead of the
open-coded loops that scan for two separators at once.
mls_context_to_sid() used to signal how much of the input string was parsed
by updating `*scontext`. However, there is actually no case in which
mls_context_to_sid() only parses a subset of the input and still returns
a success (other than the buggy case with a second '-' in which it
incorrectly claims to have consumed the entire string). Turn `scontext`
into a simple pointer argument and stop redundantly checking whether the
entire input was consumed in string_to_context_struct(). This also lets us
remove the `scontext_len` argument from `string_to_context_struct()`.
Signed-off-by: Jann Horn <jannh@google.com>
[PM: minor merge fuzz in convert_context()]
Signed-off-by: Paul Moore <paul@paul-moore.com>
(cherry picked from commit 95ffe194204ae3cef88d0b59be209204bbe9b3be)
Change-Id: I63960c9ef54cc29381f3bade53115cc6ed376045
Bug: 140252993
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
This moves handling of initial SIDs into a separate table. Note that the
SIDs stored in the main table are now shifted by SECINITSID_NUM and
converted to/from the actual SIDs transparently by helper functions.
This change doesn't make much sense on its own, but it simplifies
further sidtab overhaul in a succeeding patch.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-by: Stephen Smalley <sds@tycho.nsa.gov>
[PM: fixed some checkpatch warnings on line length, whitespace]
Signed-off-by: Paul Moore <paul@paul-moore.com>
(cherry picked from commit 24ed7fdae669feda4c5e0dadba2467c4c0d297d3)
Change-Id: I63e5163c6c96f7497303b9a13685d7aa360450c1
Bug: 140252993
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
This is a purely cosmetic change that encapsulates the three-step sidtab
conversion logic (shutdown -> clone -> map) into a single function
defined in sidtab.c (as opposed to services.c).
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
[PM: whitespaces fixes to make checkpatch happy]
Signed-off-by: Paul Moore <paul@paul-moore.com>
(cherry picked from commit 5386e6caa6711407182573e2b0344fe908b0fbcc)
Change-Id: If23e6e40bd0c920cac090c2e9379d148d3ac6ca3
Bug: 140252993
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
In current mainline, the degree of access to perf_event_open(2) system
call depends on the perf_event_paranoid sysctl. This has a number of
limitations:
1. The sysctl is only a single value. Many types of accesses are controlled
based on the single value thus making the control very limited and
coarse grained.
2. The sysctl is global, so if the sysctl is changed, then that means
all processes get access to perf_event_open(2) opening the door to
security issues.
This patch adds LSM and SELinux access checking which will be used in
Android to access perf_event_open(2) for the purposes of attaching BPF
programs to tracepoints, perf profiling and other operations from
userspace. These operations are intended for production systems.
5 new LSM hooks are added:
1. perf_event_open: This controls access during the perf_event_open(2)
syscall itself. The hook is called from all the places that the
perf_event_paranoid sysctl is checked to keep it consistent with the
systctl. The hook gets passed a 'type' argument which controls CPU,
kernel and tracepoint accesses (in this context, CPU, kernel and
tracepoint have the same semantics as the perf_event_paranoid sysctl).
Additionally, I added an 'open' type which is similar to
perf_event_paranoid sysctl == 3 patch carried in Android and several other
distros but was rejected in mainline [1] in 2016.
2. perf_event_alloc: This allocates a new security object for the event
which stores the current SID within the event. It will be useful when
the perf event's FD is passed through IPC to another process which may
try to read the FD. Appropriate security checks will limit access.
3. perf_event_free: Called when the event is closed.
4. perf_event_read: Called from the read(2) and mmap(2) syscalls for the event.
5. perf_event_write: Called from the ioctl(2) syscalls for the event.
[1] https://lwn.net/Articles/696240/
Since Peter had suggest LSM hooks in 2016 [1], I am adding his
Suggested-by tag below.
To use this patch, we set the perf_event_paranoid sysctl to -1 and then
apply selinux checking as appropriate (default deny everything, and then
add policy rules to give access to domains that need it). In the future
we can remove the perf_event_paranoid sysctl altogether.
Suggested-by: Peter Zijlstra <peterz@infradead.org>
Co-developed-by: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Joel Fernandes (Google) <joel@joelfernandes.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: James Morris <jmorris@namei.org>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: rostedt@goodmis.org
Cc: Yonghong Song <yhs@fb.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: jeffv@google.com
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: primiano@google.com
Cc: Song Liu <songliubraving@fb.com>
Cc: rsavitski@google.com
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Matthew Garrett <matthewgarrett@google.com>
Link: https://lkml.kernel.org/r/20191014170308.70668-1-joel@joelfernandes.org
Bug: 137092007
Change-Id: I591c6ad6c82ab9133409e51383d2c9b9f6ae4545
(cherry picked from commit da97e18458fb42d7c00fac5fd1c56a3896ec666e)
[ Ryan Savitski:
Resolved conflicts with existing code, no new functionality ]
Signed-off-by: Ryan Savitski <rsavitski@google.com>
commit 45385237f65aeee73641f1ef737d7273905a233f upstream.
Since roles_init() adds some entries to the role hash table, we need to
destroy also its keys/values on error, otherwise we get a memory leak in
the error path.
Cc: <stable@vger.kernel.org>
Reported-by: syzbot+fee3a14d4cdf92646287@syzkaller.appspotmail.com
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 464c258aa45b09f16aa0f05847ed8895873262d9 ]
When sid == 0 (we are resetting keycreate_sid to the default value), we
should skip the KEY__CREATE check.
Before this patch, doing a zero-sized write to /proc/self/keycreate
would check if the current task can create unlabeled keys (which would
usually fail with -EACCESS and generate an AVC). Now it skips the check
and correctly sets the task's keycreate_sid to 0.
Bug report: https://bugzilla.redhat.com/show_bug.cgi?id=1719067
Tested using the reproducer from the report above.
Fixes: 4eb582cf1f ("[PATCH] keys: add a way to store the appropriate context for newly-created keys")
Reported-by: Kir Kolyshkin <kir@sacred.ru>
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 98bbbb76f2edcfb8fb2b8f4b3ccc7b6e99d64bd8 ]
clang correctly points out a code path that would lead
to an uninitialized variable use:
security/selinux/netlabel.c:310:6: error: variable 'addr' is used uninitialized whenever 'if' condition is false
[-Werror,-Wsometimes-uninitialized]
if (ip_hdr(skb)->version == 4) {
^~~~~~~~~~~~~~~~~~~~~~~~~
security/selinux/netlabel.c:322:40: note: uninitialized use occurs here
rc = netlbl_conn_setattr(ep->base.sk, addr, &secattr);
^~~~
security/selinux/netlabel.c:310:2: note: remove the 'if' if its condition is always true
if (ip_hdr(skb)->version == 4) {
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
security/selinux/netlabel.c:291:23: note: initialize the variable 'addr' to silence this warning
struct sockaddr *addr;
^
= NULL
This is probably harmless since we should not see ipv6 packets
of CONFIG_IPV6 is disabled, but it's better to rearrange the code
so this cannot happen.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
[PM: removed old patchwork link, fixed checkpatch.pl style errors]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit c7e0d6cca86581092cbbf2cd868b3601495554cf ]
calling connect(AF_UNSPEC) on an already connected TCP socket is an
established way to disconnect() such socket. After commit 68741a8ada
("selinux: Fix ltp test connect-syscall failure") it no longer works
and, in the above scenario connect() fails with EAFNOSUPPORT.
Fix the above falling back to the generic/old code when the address family
is not AF_INET{4,6}, but leave the SCTP code path untouched, as it has
specific constraints.
Fixes: 68741a8ada ("selinux: Fix ltp test connect-syscall failure")
Reported-by: Tom Deseyn <tdeseyn@redhat.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit a83d6ddaebe541570291205cb538e35ad4ff94f9 upstream.
In the SECURITY_FS_USE_MNTPOINT case we never want to allow relabeling
files/directories, so we should never set the SBLABEL_MNT flag. The
'special handling' in selinux_is_sblabel_mnt() is only intended for when
the behavior is set to SECURITY_FS_USE_GENFS.
While there, make the logic in selinux_is_sblabel_mnt() more explicit
and add a BUILD_BUG_ON() to make sure that introducing a new
SECURITY_FS_USE_* forces a review of the logic.
Fixes: d5f3a5f6e7 ("selinux: add security in-core xattr support for pstore and debugfs")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 3a28cff3bd4bf43f02be0c4e7933aebf3dc8197e upstream.
commit 0dc1ba24f7 ("SELINUX: Make selinux cache VFS RCU walks safe")
results in no audit messages at all if in permissive mode because the
cache is updated during the rcu walk and thus no denial occurs on
the subsequent ref walk. Fix this by not updating the cache when
performing a non-blocking permission check. This only affects search
and symlink read checks during rcu walk.
Fixes: 0dc1ba24f7 ("SELINUX: Make selinux cache VFS RCU walks safe")
Reported-by: BMK <bmktuwien@gmail.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit dfbd199a7cfe3e3cd8531e1353cdbd7175bfbc5e upstream.
When compiling genheaders and mdp from a newer host kernel, the
following error happens:
In file included from scripts/selinux/genheaders/genheaders.c:18:
./security/selinux/include/classmap.h:238:2: error: #error New
address family defined, please update secclass_map. #error New
address family defined, please update secclass_map. ^~~~~
make[3]: *** [scripts/Makefile.host:107:
scripts/selinux/genheaders/genheaders] Error 1 make[2]: ***
[scripts/Makefile.build:599: scripts/selinux/genheaders] Error 2
make[1]: *** [scripts/Makefile.build:599: scripts/selinux] Error 2
make[1]: *** Waiting for unfinished jobs....
Instead of relying on the host definition, include linux/socket.h in
classmap.h to have PF_MAX.
Cc: stable@vger.kernel.org
Signed-off-by: Paulo Alcantara <paulo@paulo.ac>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
[PM: manually merge in mdp.c, subject line tweaks]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 53e0c2aa9a59a48e3798ef193d573ade85aa80f5 ]
Ignore all selinux_inode_notifysecctx() calls on mounts with SBLABEL_MNT
flag unset. This is achived by returning -EOPNOTSUPP for this case in
selinux_inode_setsecurtity() (because that function should not be called
in such case anyway) and translating this error to 0 in
selinux_inode_notifysecctx().
This fixes behavior of kernfs-based filesystems when mounted with the
'context=' option. Before this patch, if a node's context had been
explicitly set to a non-default value and later the filesystem has been
remounted with the 'context=' option, then this node would show up as
having the manually-set context and not the mount-specified one.
Steps to reproduce:
# mount -t cgroup2 cgroup2 /sys/fs/cgroup/unified
# chcon unconfined_u:object_r:user_home_t:s0 /sys/fs/cgroup/unified/cgroup.stat
# ls -lZ /sys/fs/cgroup/unified
total 0
-r--r--r--. 1 root root system_u:object_r:cgroup_t:s0 0 Dec 13 10:41 cgroup.controllers
-rw-r--r--. 1 root root system_u:object_r:cgroup_t:s0 0 Dec 13 10:41 cgroup.max.depth
-rw-r--r--. 1 root root system_u:object_r:cgroup_t:s0 0 Dec 13 10:41 cgroup.max.descendants
-rw-r--r--. 1 root root system_u:object_r:cgroup_t:s0 0 Dec 13 10:41 cgroup.procs
-r--r--r--. 1 root root unconfined_u:object_r:user_home_t:s0 0 Dec 13 10:41 cgroup.stat
-rw-r--r--. 1 root root system_u:object_r:cgroup_t:s0 0 Dec 13 10:41 cgroup.subtree_control
-rw-r--r--. 1 root root system_u:object_r:cgroup_t:s0 0 Dec 13 10:41 cgroup.threads
# umount /sys/fs/cgroup/unified
# mount -o context=system_u:object_r:tmpfs_t:s0 -t cgroup2 cgroup2 /sys/fs/cgroup/unified
Result before:
# ls -lZ /sys/fs/cgroup/unified
total 0
-r--r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.controllers
-rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.max.depth
-rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.max.descendants
-rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.procs
-r--r--r--. 1 root root unconfined_u:object_r:user_home_t:s0 0 Dec 13 10:41 cgroup.stat
-rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.subtree_control
-rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.threads
Result after:
# ls -lZ /sys/fs/cgroup/unified
total 0
-r--r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.controllers
-rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.max.depth
-rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.max.descendants
-rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.procs
-r--r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.stat
-rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.subtree_control
-rw-r--r--. 1 root root system_u:object_r:tmpfs_t:s0 0 Dec 13 10:41 cgroup.threads
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
commit 3815a245b50124f0865415dcb606a034e97494d4 upstream.
In the case when we're reusing a superblock, selinux_sb_clone_mnt_opts()
fails to set set_kern_flags, with the result that
nfs_clone_sb_security() incorrectly clears NFS_CAP_SECURITY_LABEL.
The result is that if you mount the same NFS filesystem twice, NFS
security labels are turned off, even if they would work fine if you
mounted the filesystem only once.
("fixes" may be not exactly the right tag, it may be more like
"fixed-other-cases-but-missed-this-one".)
Cc: Scott Mayhew <smayhew@redhat.com>
Cc: stable@vger.kernel.org
Fixes: 0b4d3452b8 "security/selinux: allow security_sb_clone_mnt_opts..."
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 292c997a1970f8d1e1dfa354ed770a22f7b5a434 upstream.
As does in __sctp_connect(), when checking addrs in a while loop, after
get the addr len according to sa_family, it's necessary to do the check
walk_size + af->sockaddr_len > addrs_size to make sure it won't access
an out-of-bounds addr.
The same thing is needed in selinux_sctp_bind_connect(), otherwise an
out-of-bounds issue can be triggered:
[14548.772313] BUG: KASAN: slab-out-of-bounds in selinux_sctp_bind_connect+0x1aa/0x1f0
[14548.927083] Call Trace:
[14548.938072] dump_stack+0x9a/0xe9
[14548.953015] print_address_description+0x65/0x22e
[14548.996524] kasan_report.cold.6+0x92/0x1a6
[14549.015335] selinux_sctp_bind_connect+0x1aa/0x1f0
[14549.036947] security_sctp_bind_connect+0x58/0x90
[14549.058142] __sctp_setsockopt_connectx+0x5a/0x150 [sctp]
[14549.081650] sctp_setsockopt.part.24+0x1322/0x3ce0 [sctp]
Cc: stable@vger.kernel.org
Fixes: d452930fd3 ("selinux: Add SCTP support")
Reported-by: Chunyu Hu <chuhu@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 2cbdcb882f97a45f7475c67ac6257bbc16277dfe ]
If a superblock has the MS_SUBMOUNT flag set, we should always allow
mounting it. These mounts are done automatically by the kernel either as
part of mounting some parent mount (e.g. debugfs always mounts tracefs
under "tracing" for compatibility) or they are mounted automatically as
needed on subdirectory accesses (e.g. NFS crossmnt mounts). Since such
automounts are either an implicit consequence of the parent mount (which
is already checked) or they can happen during regular accesses (where it
doesn't make sense to check against the current task's context), the
mount permission check should be skipped for them.
Without this patch, attempts to access contents of an automounted
directory can cause unexpected SELinux denials.
In the current kernel tree, the MS_SUBMOUNT flag is set only via
vfs_submount(), which is called only from the following places:
- AFS, when automounting special "symlinks" referencing other cells
- CIFS, when automounting "referrals"
- NFS, when automounting subtrees
- debugfs, when automounting tracefs
In all cases the submounts are meant to be transparent to the user and
it makes sense that if mounting the master is allowed, then so should be
the automounts. Note that CAP_SYS_ADMIN capability checking is already
skipped for (SB_KERNMOUNT|SB_SUBMOUNT) in:
- sget_userns() in fs/super.c:
if (!(flags & (SB_KERNMOUNT|SB_SUBMOUNT)) &&
!(type->fs_flags & FS_USERNS_MOUNT) &&
!capable(CAP_SYS_ADMIN))
return ERR_PTR(-EPERM);
- sget() in fs/super.c:
/* Ensure the requestor has permissions over the target filesystem */
if (!(flags & (SB_KERNMOUNT|SB_SUBMOUNT)) && !ns_capable(user_ns, CAP_SYS_ADMIN))
return ERR_PTR(-EPERM);
Verified internally on patched RHEL 7.6 with a reproducer using
NFS+httpd and selinux-tesuite.
Fixes: 93faccbbfa ("fs: Better permission checking for submounts")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
commit 5b0e7310a2a33c06edc7eb81ffc521af9b2c5610 upstream.
levdatum->level can be NULL if we encounter an error while loading
the policy during sens_read prior to initializing it. Make sure
sens_destroy handles that case correctly.
Reported-by: syzbot+6664500f0f18f07a5c0e@syzkaller.appspotmail.com
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 5df275cd4cf51c86d49009f1397132f284ba515e upstream.
Do the LE conversions before doing the Infiniband-related range checks.
The incorrect checks are otherwise causing a failure to load any policy
with an ibendportcon rule on BE systems. This can be reproduced by
running (on e.g. ppc64):
cat >my_module.cil <<EOF
(type test_ibendport_t)
(roletype object_r test_ibendport_t)
(ibendportcon mlx4_0 1 (system_u object_r test_ibendport_t ((s0) (s0))))
EOF
semodule -i my_module.cil
Also, fix loading/storing the 64-bit subnet prefix for OCON_IBPKEY to
use a correctly aligned buffer.
Finally, do not use the 'nodebuf' (u32) buffer where 'buf' (__le32)
should be used instead.
Tested internally on a ppc64 machine with a RHEL 7 kernel with this
patch applied.
Cc: Daniel Jurgens <danielj@mellanox.com>
Cc: Eli Cohen <eli@mellanox.com>
Cc: James Morris <jmorris@namei.org>
Cc: Doug Ledford <dledford@redhat.com>
Cc: <stable@vger.kernel.org> # 4.13+
Fixes: a806f7a161 ("selinux: Create policydb version for Infiniband support")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 598e1a42e9626213565d3b22ea948ce78556512a upstream.
Commit 32a4f5ecd7 ("net: sched: introduce chain object to uapi")
added new RTM_* definitions without properly updating SELinux, this
patch adds the necessary SELinux support.
While there was a BUILD_BUG_ON() in the SELinux code to protect from
exactly this case, it was bypassed in the broken commit. In order to
hopefully prevent this from happening in the future, add additional
comments which provide some instructions on how to resolve the
BUILD_BUG_ON() failures.
Fixes: 32a4f5ecd7 ("net: sched: introduce chain object to uapi")
Cc: <stable@vger.kernel.org> # 4.19
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 4458bba09788e70e8fb39ad003f087cd9dfbd6ac upstream.
syzbot is hitting warning at str_read() [1] because len parameter can
become larger than KMALLOC_MAX_SIZE. We don't need to emit warning for
this case.
[1] https://syzkaller.appspot.com/bug?id=7f2f5aad79ea8663c296a2eedb81978401a908f0
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Reported-by: syzbot <syzbot+ac488b9811036cea7ea0@syzkaller.appspotmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit c138325fb8713472d5a0c3c7258b9131bab40725 upstream.
selinux_sctp_bind_connect() must verify if the address buffer has
sufficient length before accessing the 'sa_family' field. See
__sctp_connect() for a similar check.
The length of the whole address ('len') is already checked in the
callees.
Reported-by: Qian Cai <cai@gmx.us>
Fixes: d452930fd3 ("selinux: Add SCTP support")
Cc: <stable@vger.kernel.org> # 4.17+
Cc: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Tested-by: Qian Cai <cai@gmx.us>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 7bb185edb0306bb90029a5fa6b9cff900ffdbf4b upstream.
commit 901ef845fa ("selinux: allow per-file labeling for cgroupfs")
broke mounting of cgroup2 under older SELinux policies which lacked
a genfscon rule for cgroup2. This prevents mounting of cgroup2 even
when SELinux is permissive.
Change the handling when there is no genfscon rule in policy to
just mark the inode unlabeled and not return an error to the caller.
This permits mounting and access if allowed by policy, e.g. to
unconfined domains.
I also considered changing the behavior of security_genfs_sid() to
never return -ENOENT, but the current behavior is relied upon by
other callers to perform caller-specific handling.
Fixes: 901ef845fa ("selinux: allow per-file labeling for cgroupfs")
CC: <stable@vger.kernel.org>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Reported-by: Waiman Long <longman@redhat.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Tested-by: Waiman Long <longman@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Pull networking updates from David Miller:
"Highlights:
- Gustavo A. R. Silva keeps working on the implicit switch fallthru
changes.
- Support 802.11ax High-Efficiency wireless in cfg80211 et al, From
Luca Coelho.
- Re-enable ASPM in r8169, from Kai-Heng Feng.
- Add virtual XFRM interfaces, which avoids all of the limitations of
existing IPSEC tunnels. From Steffen Klassert.
- Convert GRO over to use a hash table, so that when we have many
flows active we don't traverse a long list during accumluation.
- Many new self tests for routing, TC, tunnels, etc. Too many
contributors to mention them all, but I'm really happy to keep
seeing this stuff.
- Hardware timestamping support for dpaa_eth/fsl-fman from Yangbo Lu.
- Lots of cleanups and fixes in L2TP code from Guillaume Nault.
- Add IPSEC offload support to netdevsim, from Shannon Nelson.
- Add support for slotting with non-uniform distribution to netem
packet scheduler, from Yousuk Seung.
- Add UDP GSO support to mlx5e, from Boris Pismenny.
- Support offloading of Team LAG in NFP, from John Hurley.
- Allow to configure TX queue selection based upon RX queue, from
Amritha Nambiar.
- Support ethtool ring size configuration in aquantia, from Anton
Mikaev.
- Support DSCP and flowlabel per-transport in SCTP, from Xin Long.
- Support list based batching and stack traversal of SKBs, this is
very exciting work. From Edward Cree.
- Busyloop optimizations in vhost_net, from Toshiaki Makita.
- Introduce the ETF qdisc, which allows time based transmissions. IGB
can offload this in hardware. From Vinicius Costa Gomes.
- Add parameter support to devlink, from Moshe Shemesh.
- Several multiplication and division optimizations for BPF JIT in
nfp driver, from Jiong Wang.
- Lots of prepatory work to make more of the packet scheduler layer
lockless, when possible, from Vlad Buslov.
- Add ACK filter and NAT awareness to sch_cake packet scheduler, from
Toke Høiland-Jørgensen.
- Support regions and region snapshots in devlink, from Alex Vesker.
- Allow to attach XDP programs to both HW and SW at the same time on
a given device, with initial support in nfp. From Jakub Kicinski.
- Add TLS RX offload and support in mlx5, from Ilya Lesokhin.
- Use PHYLIB in r8169 driver, from Heiner Kallweit.
- All sorts of changes to support Spectrum 2 in mlxsw driver, from
Ido Schimmel.
- PTP support in mv88e6xxx DSA driver, from Andrew Lunn.
- Make TCP_USER_TIMEOUT socket option more accurate, from Jon
Maxwell.
- Support for templates in packet scheduler classifier, from Jiri
Pirko.
- IPV6 support in RDS, from Ka-Cheong Poon.
- Native tproxy support in nf_tables, from Máté Eckl.
- Maintain IP fragment queue in an rbtree, but optimize properly for
in-order frags. From Peter Oskolkov.
- Improvde handling of ACKs on hole repairs, from Yuchung Cheng"
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next: (1996 commits)
bpf: test: fix spelling mistake "REUSEEPORT" -> "REUSEPORT"
hv/netvsc: Fix NULL dereference at single queue mode fallback
net: filter: mark expected switch fall-through
xen-netfront: fix warn message as irq device name has '/'
cxgb4: Add new T5 PCI device ids 0x50af and 0x50b0
net: dsa: mv88e6xxx: missing unlock on error path
rds: fix building with IPV6=m
inet/connection_sock: prefer _THIS_IP_ to current_text_addr
net: dsa: mv88e6xxx: bitwise vs logical bug
net: sock_diag: Fix spectre v1 gadget in __sock_diag_cmd()
ieee802154: hwsim: using right kind of iteration
net: hns3: Add vlan filter setting by ethtool command -K
net: hns3: Set tx ring' tc info when netdev is up
net: hns3: Remove tx ring BD len register in hns3_enet
net: hns3: Fix desc num set to default when setting channel
net: hns3: Fix for phy link issue when using marvell phy driver
net: hns3: Fix for information of phydev lost problem when down/up
net: hns3: Fix for command format parsing error in hclge_is_all_function_id_zero
net: hns3: Add support for serdes loopback selftest
bnxt_en: take coredump_record structure off stack
...
-----BEGIN PGP SIGNATURE-----
iQJIBAABCAAyFiEEcQCq365ubpQNLgrWVeRaWujKfIoFAltzOGIUHHBhdWxAcGF1
bC1tb29yZS5jb20ACgkQVeRaWujKfIrXAA//QSmpUOkxq7o5yIuHuguE9NoHyFV8
xX0oYAfmiWzQBvhqLHTN3k9H3jT08kMtoYuZ+Q7dCjmNuK0kuUnE/lGBDY7wZ7Z/
T/MXDR39yG1fPhsjo0gTfQkDbylKZ+HVtNuBAdFAsEdaVMbkcDg3la4A6RJg9hOq
pKFRtsxVlygPZ54mtqX5E8VMSfsIL3gzfZkaOVhqwdN51pHFDVXAtvgqAICqneSs
GXjt4+48Wss1oNa9jxmUy7EhZHrJSwDk0zOuI/CfCq5Nf9Z8zd+ldoD0Y7Tv8xEc
7XoyKlTVDpjpohZvuigXWT22e0knAKadHjJwEV/AwCMAQ7vFVtvjhLxBDWl7PGWf
VxOAoeHSNnTAD/FTUGxc/b0r4kocUIzmOqAVlVJOSyfHf35ToePoy+ylWJNby8FS
aaYhf9QdYLnC6lqdQsMt7UZLVEU2xLwis3vuFMvv5Le4byw8ForZIo8sLriifhz8
0ZRF62cj+445MCKIgPI8FpHQ8xatbPY5D/CgojnHWrlIAH/FVJU9EzQqDIg7wlQs
4Qnghvm5LtkzKN9aTFUnQozrY+X1WoD0IYvfdK3sYlO2K4N/Hg0QDmmUZkZlFRuS
OQ7G3aML3LZuJkXygadYu2FAxWnW8FIYG32CPXMo7htnczvDfIt4nOl7IhY/TQcz
iXdItwvU0M3RTgA=
=h1Mb
-----END PGP SIGNATURE-----
Merge tag 'selinux-pr-20180814' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux
Pull SELinux updates from Paul Moore:
"There are 16 patches in here but really only one that is of any
significance. That one patch is by nixiaoming and fixes a few places
where we were not properly cleaning up dentry and inode objects in the
selinuxfs error handling code. The rest are either printk->pr_*
conversions, constification tweaks, and a minor tweak to MAINTAINERS.
Everything passes the selinux-testsuite and looks to merge cleanly
against your master branch"
* tag 'selinux-pr-20180814' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
selinux: cleanup dentry and inodes on error in selinuxfs
selinux: constify write_op[]
selinux: Cleanup printk logging in netnode
selinux: Cleanup printk logging in avc
selinux: Cleanup printk logging in netif
selinux: Cleanup printk logging in netport
selinux: Cleanup printk logging in sidtab
selinux: Cleanup printk logging in netlink
selinux: Cleanup printk logging in selinuxfs
selinux: Cleanup printk logging in services
selinux: Cleanup printk logging in avtab
selinux: Cleanup printk logging in hooks
selinux: Cleanup printk logging in policydb
selinux: Cleanup printk logging in ebitmap
selinux: Cleanup printk logging in conditional
MAINTAINERS: update the LSM and SELinux subsystems
Pull security subsystem updates from James Morris:
- kstrdup() return value fix from Eric Biggers
- Add new security_load_data hook to differentiate security checking of
kernel-loaded binaries in the case of there being no associated file
descriptor, from Mimi Zohar.
- Add ability to IMA to specify a policy at build-time, rather than
just via command line params or by loading a custom policy, from
Mimi.
- Allow IMA and LSMs to prevent sysfs firmware load fallback (e.g. if
using signed firmware), from Mimi.
- Allow IMA to deny loading of kexec kernel images, as they cannot be
measured by IMA, from Mimi.
* 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
security: check for kstrdup() failure in lsm_append()
security: export security_kernel_load_data function
ima: based on policy warn about loading firmware (pre-allocated buffer)
module: replace the existing LSM hook in init_module
ima: add build time policy
ima: based on policy require signed firmware (sysfs fallback)
firmware: add call to LSM hook before firmware sysfs fallback
ima: based on policy require signed kexec kernel images
kexec: add call to LSM hook in original kexec_load syscall
security: define new LSM hook named security_kernel_load_data
MAINTAINERS: remove the outdated "LINUX SECURITY MODULE (LSM) FRAMEWORK" entry
Pull vfs open-related updates from Al Viro:
- "do we need fput() or put_filp()" rules are gone - it's always fput()
now. We keep track of that state where it belongs - in ->f_mode.
- int *opened mess killed - in finish_open(), in ->atomic_open()
instances and in fs/namei.c code around do_last()/lookup_open()/atomic_open().
- alloc_file() wrappers with saner calling conventions are introduced
(alloc_file_clone() and alloc_file_pseudo()); callers converted, with
much simplification.
- while we are at it, saner calling conventions for path_init() and
link_path_walk(), simplifying things inside fs/namei.c (both on
open-related paths and elsewhere).
* 'work.open3' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (40 commits)
few more cleanups of link_path_walk() callers
allow link_path_walk() to take ERR_PTR()
make path_init() unconditionally paired with terminate_walk()
document alloc_file() changes
make alloc_file() static
do_shmat(): grab shp->shm_file earlier, switch to alloc_file_clone()
new helper: alloc_file_clone()
create_pipe_files(): switch the first allocation to alloc_file_pseudo()
anon_inode_getfile(): switch to alloc_file_pseudo()
hugetlb_file_setup(): switch to alloc_file_pseudo()
ocxlflash_getfile(): switch to alloc_file_pseudo()
cxl_getfile(): switch to alloc_file_pseudo()
... and switch shmem_file_setup() to alloc_file_pseudo()
__shmem_file_setup(): reorder allocations
new wrapper: alloc_file_pseudo()
kill FILE_{CREATED,OPENED}
switch atomic_open() and lookup_open() to returning 0 in all success cases
document ->atomic_open() changes
->atomic_open(): return 0 in all success cases
get rid of 'opened' in path_openat() and the helpers downstream
...
If the resource requested by d_alloc_name is not added to the linked
list through d_add, then dput needs to be called to release the
subsequent abnormal branch to avoid resource leakage.
Add missing dput to selinuxfs.c
Signed-off-by: nixiaoming <nixiaoming@huawei.com>
[PM: tweak the subject line]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Allow user to create, destroy, get and dump chain objects. Do that by
extending rtnl commands by the chain-specific ones. User will now be
able to explicitly create or destroy chains (so far this was done only
automatically according the filter/act needs and refcounting). Also, the
user will receive notification about any chain creation or destuction.
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Both the init_module and finit_module syscalls call either directly
or indirectly the security_kernel_read_file LSM hook. This patch
replaces the direct call in init_module with a call to the new
security_kernel_load_data hook and makes the corresponding changes
in SELinux, LoadPin, and IMA.
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: Jeff Vander Stoep <jeffv@google.com>
Cc: Casey Schaufler <casey@schaufler-ca.com>
Cc: Kees Cook <keescook@chromium.org>
Acked-by: Jessica Yu <jeyu@kernel.org>
Acked-by: Paul Moore <paul@paul-moore.com>
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: James Morris <james.morris@microsoft.com>
Greg Kroah-Hartman
Tom Rix
Paul Moore
Jaihind Yadav
Stephen Smalley
Jeff Vander Stoep
Hridya Valsaraju
Micah Morton
Joel Fernandes (Google)
Ondrej Mosnacek
Jann Horn
Alexey Dobriyan
Arnd Bergmann
Paolo Abeni
Paulo Alcantara
J. Bruce Fields
Xin Long
Tetsuo Handa
Linus Torvalds
nixiaoming
Jiri Pirko
Eric Biggers
Mimi Zohar
Al Viro