BugLink: https://bugs.launchpad.net/bugs/1921632
The soundwire audio driver in the kernel could work on some Dell cml
machines, so enable the machine driver and some needed codec driver.
Signed-off-by: Hui Wang <hui.wang@canonical.com> Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
Andrea Righi [Mon, 31 May 2021 10:02:50 +0000 (12:02 +0200)]
UBUNTU: [Config] set CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
This option will disable uprivileged BPF by default. It can be reenabled,
though, as it uses the new value 2 for the kernel.unprivileged_bpf_disabled
sysctl. That value disables it, but allows the sysctl knob to be set back
to 0.
This allows sysadmins to enable unprivileged BPF back by using sysctl
config files.
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com> Acked-by: Andrea Righi <andrea.righi@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Seth Forshee [Wed, 19 May 2021 15:21:20 +0000 (10:21 -0500)]
UBUNTU: [Config] Temporarily disable signing for ppc64el and s390x
We're awaiting testing of lockdown under secureboot on these
architectures. Disable signing in the meantime to allow putting
linux-unstable into -proposed.
UBUNTU: SAUCE: integrity: add informational messages when revoking certs
integrity_load_cert() prints messages of the source and cert details
when adding certs as trusted. Mirror those messages in
uefi_revocation_list_x509() when adding certs as revoked.
UBUNTU: SAUCE: integrity: Load mokx certs from the EFI MOK config table
Refactor load_moklist_certs() to load either MokListRT into db, or
MokListXRT into dbx. Call load_moklist_certs() twice - first to load
mokx certs into dbx, then mok certs into db.
This thus now attempts to load mokx certs via the EFI MOKvar config
table first, and if that fails, via the EFI variable. Previously mokx
certs were only loaded via the EFI variable. Which fails when
MokListXRT is large. Instead of large MokListXRT variable, only
MokListXRT{1,2,3} are available which are not loaded. This is the case
with Ubuntu's 15.4 based shim. This patch is required to address
CVE-2020-26541 when certificates are revoked via MokListXRT.
Fixes: ebd9c2ae369a ("integrity: Load mokx variables into the blacklist keyring") BugLink: https://bugs.launchpad.net/bugs/1928679 Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com> Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Juerg Haefliger [Mon, 3 May 2021 08:47:07 +0000 (10:47 +0200)]
UBUNTU: [Packaging] Drop the processing of perm-blacklist
perm-blacklist lists modules and/or symbols that are permanently excluded
from the ABI check. AFAICT this hasn't been used in ages and with the
previous commit it would move up one level which puts it outside of the
ABI directory. That in itelf is not problematic just not pretty. Take this
opportunity to get rid of the whole (unsued) concept. We can always add it
back later should the need arise (and then should probably rename it to
abi.perm-blacklist to make it clear that it's a file related to the ABI).
Signed-off-by: Juerg Haefliger <juergh@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Juerg Haefliger [Mon, 3 May 2021 08:47:06 +0000 (10:47 +0200)]
UBUNTU: [Packaging] Move the ABI files up by one directory level
The current ABI root directory name is <DEBIAN/abi/previous/. This commit
drops the 'previous' path component and moves the ABI up one level. We
still need a temporary directory for downloading the current ABIs which now
has to reside outside of the ABI tree. For that, use <DEBIAN>/__abi.current/
which should clearly indicate that it's a temporary directory.
Signed-off-by: Juerg Haefliger <juergh@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Andrea Righi [Tue, 11 May 2021 07:30:51 +0000 (09:30 +0200)]
UBUNTU: SAUCE: make ASYNCB_INITIALIZED available for the kernel
The flag ASYNCB_INITIALIZED is required by our driver
ubuntu/xr-usb-serial. Make it available to kernel code to prevent the
following build failure:
./build/ubuntu/xr-usb-serial/xr_usb_serial_common.c:1613:15: error: 'ASYNCB_INITIALIZED' undeclared (first use in this function); did you mean 'RCU_INITIALIZER'?
1613 | if (test_bit(ASYNCB_INITIALIZED, &xr_usb_serial->port.flags))
| ^~~~~~~~~~~~~~~~~~
| RCU_INITIALIZER
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
shiftfs expects copy_to_user() to return a negative error code on
failure, when it actually returns the amount of uncopied data. Fix all
code using copy_to_user() to handle the return values correctly.
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
CVE-2021-3492 Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
UBUNTU: SAUCE: shiftfs: free allocated memory in shiftfs_btrfs_ioctl_fd_replace() error paths
Many error paths in shiftfs_btrfs_ioctl_fd_replace() do not free memory
allocated near the top of the function. Fix up these error paths to free
the memory.
Additionally, the addresses for the allocated memory are assigned to
return parameters early in the function, before we know whether or not
the function as a whole will return success. Wait to assign these values
until we know the function was successful, and for good measure
initialize the return parameters to NULL at the start.
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
CVE-2021-3492 Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Colin Ian King [Mon, 29 Mar 2021 09:26:15 +0000 (10:26 +0100)]
UBUNTU: SAUCE: apparmor: Fix build error, make sk parameter const
Make the sk parameter const to fix a build error with clang:
security/apparmor/net.c:143:35: error: passing 'const struct sock *' to
parameter of type 'struct sock *' discards qualifiers
[-Werror,-Wincompatible-pointer-types-discards-qualifiers]
audit_unix_sk_addr(ab, "addr", sa->u.net->sk);
^~~~~~~~~~~~~
/home/ubuntu/hirsute/security/apparmor/net.c:98:24: note: passing argument
to parameter 'sk' here
struct sock *sk)
^
Fixes: 2775e0786896 ("UBUNTU: SAUCE: apparmor: af_unix mediation") Signed-off-by: Colin Ian King <colin.king@canonical.com> Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com> Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
Daniel Axtens [Thu, 2 Apr 2020 05:16:32 +0000 (16:16 +1100)]
UBUNTU: SAUCE: (lockdown) powerpc: lock down kernel in secure boot mode
BugLink: https://bugs.launchpad.net/bugs/1855668
PowerNV has recently gained Secure Boot support. If it's enabled through
the firmware and bootloader stack, then lock down the kernel.
Signed-off-by: Daniel Axtens <dja@axtens.net> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
(cherry picked from commit d4f3f12e040caf3ec669726efb67b27550a4713f) Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
Seth Forshee [Thu, 10 Oct 2019 16:19:32 +0000 (11:19 -0500)]
UBUNTU: SAUCE: (lockdown) security: lockdown: Make CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT more generic
s390 supports secure boot which is not based on EFI. Change the
config option to be more generic, and allow it to be enabled on
s390.
Signed-off-by: Seth Forshee <seth.forshee@canonical.com> Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
(cherry picked from commit dd9548a9eb3f2a34ee7c60abce157f8e2868e7c7) Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
Seth Forshee [Thu, 10 Oct 2019 15:57:25 +0000 (10:57 -0500)]
UBUNTU: SAUCE: (lockdown) arm64: Allow locking down the kernel under EFI secure boot
Add support to arm64 for the CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
option. When enabled the lockdown LSM will be enabled with
maximum confidentiality when booted under EFI secure boot.
Based on an earlier patch by Linn Crosetto.
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
[v2: ported to 5.7-rc1 and adapted to the new fdt parsing mechanism] Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
(cherry picked from commit fb9c9645d977e23e9b494ce008d31507d872ffef) Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
Robert Holmes [Tue, 23 Apr 2019 07:39:29 +0000 (07:39 +0000)]
UBUNTU: SAUCE: (lockdown) KEYS: Make use of platform keyring for module signature verify
This patch completes commit 278311e417be ("kexec, KEYS: Make use of
platform keyring for signature verify") which, while adding the
platform keyring for bzImage verification, neglected to also add
this keyring for module verification.
As such, kernel modules signed with keys from the MokList variable
were not successfully verified.
Signed-off-by: Robert Holmes <robeholmes@gmail.com> Signed-off-by: Jeremy Cline <jcline@redhat.com>
(cherry picked from commit b697ff5e26974fee8fcd31a1e221e9dd41515efc
from https://gitlab.com/cki-project/kernel-ark) Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
Jeremy Cline [Wed, 30 Oct 2019 14:37:49 +0000 (14:37 +0000)]
UBUNTU: SAUCE: (lockdown) s390: Lock down the kernel when the IPL secure flag is set
Automatically lock down the kernel to LOCKDOWN_CONFIDENTIALITY_MAX if
the IPL secure flag is set.
Upstream Status: RHEL only Suggested-by: Philipp Rudo <prudo@redhat.com> Signed-off-by: Jeremy Cline <jcline@redhat.com>
(cherry picked from commit 2384646bf71d8c282cf49bb20321fdf802c61cce
https://gitlab.com/cki-project/kernel-ark) Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
David Howells [Mon, 30 Sep 2019 21:28:16 +0000 (21:28 +0000)]
UBUNTU: SAUCE: (lockdown) efi: Lock down the kernel if booted in secure boot mode
UEFI Secure Boot provides a mechanism for ensuring that the firmware
will only load signed bootloaders and kernels. Certain use cases may
also require that all kernel modules also be signed. Add a
configuration option that to lock down the kernel - which includes
requiring validly signed modules - if the kernel is secure-booted.
Upstream Status: RHEL only Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Jeremy Cline <jcline@redhat.com>
(cherry picked from commit 5850c93175b9d2e1081873f4bbe08dead202cb08
from https://gitlab.com/cki-project/kernel-ark) Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
David Howells [Tue, 27 Feb 2018 10:04:55 +0000 (10:04 +0000)]
UBUNTU: SAUCE: (lockdown) efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode
UEFI machines can be booted in Secure Boot mode. Add an EFI_SECURE_BOOT
flag that can be passed to efi_enabled() to find out whether secure boot is
enabled.
Move the switch-statement in x86's setup_arch() that inteprets the
secure_boot boot parameter to generic code and set the bit there.
Upstream Status: RHEL only Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
cc: linux-efi@vger.kernel.org
[Rebased for context; efi_is_table_address was moved to arch/x86] Signed-off-by: Jeremy Cline <jcline@redhat.com>
(cherry picked from commit 53250b991f841be025fa4d264850dadc0fae2861
from https://gitlab.com/cki-project/kernel-ark) Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
Jeremy Cline [Mon, 30 Sep 2019 21:22:47 +0000 (21:22 +0000)]
UBUNTU: SAUCE: (lockdown) security: lockdown: expose a hook to lock the kernel down
In order to automatically lock down kernels running on UEFI machines
booted in Secure Boot mode, expose the lock_kernel_down() hook.
Upstream Status: RHEL only Signed-off-by: Jeremy Cline <jcline@redhat.com>
(cherry picked from commit 72223fd1241cc5c70b96a491db14d54c83beadd8
from https://gitlab.com/cki-project/kernel-ark)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
Peter Jones [Mon, 2 Oct 2017 22:18:30 +0000 (18:18 -0400)]
UBUNTU: SAUCE: (lockdown) Make get_cert_list() use efi_status_to_str() to print error messages.
Upstream Status: RHEL only Signed-off-by: Peter Jones <pjones@redhat.com> Signed-off-by: Jeremy Cline <jcline@redhat.com>
(cherry picked from commit 7ba28f03674fa9346610c3fea7fc93bc58f06d2a
from https://gitlab.com/cki-project/kernel-ark) Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
Peter Jones [Mon, 2 Oct 2017 22:22:13 +0000 (18:22 -0400)]
UBUNTU: SAUCE: (lockdown) Add efi_status_to_str() and rework efi_status_to_err().
This adds efi_status_to_str() for use when printing efi_status_t
messages, and reworks efi_status_to_err() so that the two use a common
list of errors.
Upstream Status: RHEL only Signed-off-by: Peter Jones <pjones@redhat.com>
(cherry picked from commit 2ae9082db0b54d831a9b3782c049d9917e37d89f
from https://gitlab.com/cki-project/kernel-ark) Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
Greentime Hu [Tue, 16 Mar 2021 21:31:11 +0000 (21:31 +0000)]
clk: sifive: Use reset-simple in prci driver for PCIe driver
We use reset-simple in this patch so that pcie driver can use
devm_reset_control_get() to get this reset data structure and use
reset_control_deassert() to deassert pcie_power_up_rst_n.
Signed-off-by: Greentime Hu <greentime.hu@sifive.com> Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com> Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
Vincent Chen [Tue, 16 Mar 2021 21:31:07 +0000 (21:31 +0000)]
riscv: Get CPU manufacturer information
Issue 3 SBI calls to get the vendor ID, architecture ID and implementation
ID early in boot so we only need to take the SBI call overhead once.
Signed-off-by: Vincent Chen <vincent.chen@sifive.com> Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com> Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
Signed-off-by: David Abdurachmanov <david.abdurachmanov@sifive.com> Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com> Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
riscv: sifive: fu740: cpu{1, 2, 3, 4} set compatible to sifive, u74-mc
Signed-off-by: David Abdurachmanov <david.abdurachmanov@sifive.com> Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com> Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
Kai-Heng Feng [Tue, 16 Mar 2021 13:13:28 +0000 (21:13 +0800)]
UBUNTU: SAUCE: PCI: Serialize TGL e1000e PM ops
BugLink: https://bugs.launchpad.net/bugs/1919321
On TGL systems, PCI_COMMAND may randomly flip to 0 on system resume.
This is devastating to drivers that use pci_set_master(), like NVMe and
xHCI, to enable DMA in their resume routine, as pci_set_master() can
inadvertently disable PCI_COMMAND_IO and PCI_COMMAND_MEMORY, making
resources inaccessible.
The issue is reproducible on all kernel releases, but obviously the
situation is exacerbated by commit 6cecf02e77ab ('Revert "e1000e:
disable s0ix entry and exit flows for ME systems"').
Seems like ME is out to lunch until it's finally out of ULP polling. So
ensure e1000e PM ops are serialized by enforcing device links to
workaround the issue. This is another hacky hackish hack that we can't
upstream :)
Of course this will make suspend and resume a bit slower, but at least
we protect other PCI devices by keeping ME from going full basket case.
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=212039 Link: https://lore.kernel.org/linux-pci/20210303172223.GA634698@bjorn-Precision-5520/ Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com> Acked-by: Tim Gardner <tim.gardner@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com> Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
BugLink: https://bugs.launchpad.net/bugs/1919123
On some platforms, the EC doesn't support the register reading sequence
for sentelic[1], and then make the EC can't respond commands for a while
when probing. It leads to the keyboard non-responsive for around 10
seconds while waking up from s2idle.
A DMI quirk to mark this platform doesn't have aux device could avoid those
commands to be sent. And the system could still using i2c interface to
communicate with the touchpad.
Signed-off-by: Chia-Lin Kao (AceLan) <acelan.kao@canonical.com>
(cherry picked from https://lkml.org/lkml/2021/3/15/126) Signed-off-by: Chia-Lin Kao (AceLan) <acelan.kao@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Paolo Pisati [Thu, 18 Feb 2021 14:58:21 +0000 (15:58 +0100)]
UBUNTU: SAUCE: selftests: memory-hotplug: bump timeout to 10min
$ sudo make -C tools/testing/selftests/memory-hotplug run_tests
TAP version 13
1..1
...
15:11:09 DEBUG| [stdout] not ok 1 selftests: memory-hotplug: mem-on-off-test.sh # TIMEOUT 45 seconds
The memory-hotplug selftest can take up to several minutes, depending on memory
size and cpu speed of the testbench, so bump timeout to 10 minutes.
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Andrea Righi [Thu, 14 Jan 2021 11:06:12 +0000 (12:06 +0100)]
UBUNTU: SAUCE: x86/entry: build thunk_$(BITS) only if CONFIG_PREEMPTION=y
With CONFIG_PREEMPTION disabled, arch/x86/entry/thunk_64.o is just an
empty object file.
With the newer binutils (tested with 2.35.90.20210113-1ubuntu1) the GNU
assembler doesn't generate a symbol table for empty object files and
objtool fails with the following error when a valid symbol table cannot
be found:
arch/x86/entry/thunk_64.o: warning: objtool: missing symbol table
To prevent this from happening, build thunk_$(BITS).o only if
CONFIG_PREEMPTION is enabled.
BugLink: https://bugs.launchpad.net/bugs/1911359 Fixes: 320100a5ffe5 ("x86/entry: Remove the TRACE_IRQS cruft") Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
BugLink: https://bugs.launchpad.net/bugs/1865402
ODM asks us to use get_display_mode command to confirm the scalar's
behavior, and Windows use this command, too.
To align the behavior with Windows, remove get_scalar_status command and
replace it with get_display_mode.
Signed-off-by: Chia-Lin Kao (AceLan) <acelan.kao@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
BugLink: https://bugs.launchpad.net/bugs/1910965
By default no functions are assigned to LEDs. It's up to user/distribution
to provide udev rules to configure them.
Signed-off-by: David Abdurachmanov <david.abdurachmanov@sifive.com>
(backported from https://github.com/sifive/meta-sifive/blob/2020.11/recipes-kernel/linux/files/freedom-u540/0007-Add-PWM-LEDs-D1-D2-D3-D4.patch) Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Signed-off-by: Atish Patra <atish.patra@wdc.com> Signed-off-by: Alistair Francis <alistair.francis@wdc.com> Signed-off-by: David Abdurachmanov <david.abdurachmanov@sifive.com>
Upstream-Status: Inappropriate [enable feature]
(backported from https://github.com/sifive/meta-sifive/blob/2020.11/recipes-kernel/linux/files/freedom-u540/0002-Microsemi-PCIe-expansion-board-DT-entry.patch) Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
BugLink: https://bugs.launchpad.net/bugs/1896801
Since upstream has removed python3-venv, update our build dependencies and let
linux-doc build outside a virtualenv.
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com> Acked-by: Colin Ian King <colin.king@canonical.com> Acked-by: Andrea Righi <andrea.righi@canonical.com> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
UBUNTU: SAUCE: dccp: avoid double free of ccid on child socket
When a dccp socket is cloned, the pointers to dccps_hc_rx_ccid and
dccps_hc_tx_ccid are copied. When CCID features are activated on the child
socket, the CCID objects are freed, leaving the parent socket with dangling
pointers.
During cloning, set dccps_hc_rx_ccid and dccps_hc_tx_ccid to NULL so the
parent objects are not freed.
Reported-by: Hadar Manor
CVE-2020-16119 Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> Acked-by: Juerg Haefliger <juerg.haefliger@canonical.com> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
UBUNTU: SAUCE: AppArmor: Remove the exclusive flag
With the inclusion of the "display" process attribute
mechanism AppArmor no longer needs to be treated as an
"exclusive" security module. Remove the flag that indicates
it is exclusive. Remove the stub getpeersec_dgram AppArmor
hook as it has no effect in the single LSM case and
interferes in the multiple LSM case.
Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Reviewed-by: Kees Cook <keescook@chromium.org> Reviewed-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Andrea Righi <andrea.righi@canonical.com> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Casey Schaufler [Fri, 21 Aug 2020 22:27:38 +0000 (15:27 -0700)]
UBUNTU: SAUCE: LSM: Add /proc attr entry for full LSM context
Add an entry /proc/.../attr/context which displays the full
process security "context" in compound format:
lsm1\0value\0lsm2\0value\0...
This entry is not writable.
A security module may decide that its policy does not allow
this information to be displayed. In this case none of the
information will be displayed.
Casey Schaufler [Fri, 21 Aug 2020 21:59:03 +0000 (14:59 -0700)]
UBUNTU: SAUCE: Audit: Add a new record for multiple object LSM
attributes
Create a new audit record type to contain the object information
when there are multiple security modules that require such data.
This record is emitted before the other records for the event, but
is linked with the same timestamp and serial number.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Cc: linux-audit@redhat.com Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Andrea Righi <andrea.righi@canonical.com> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Casey Schaufler [Fri, 21 Aug 2020 21:29:19 +0000 (14:29 -0700)]
UBUNTU: SAUCE: Audit: Add new record for multiple process LSM attributes
Create a new audit record type to contain the subject information
when there are multiple security modules that require such data.
This record is linked with the same timestamp and serial number.
The record is produced only in cases where there is more than one
security module with a process "context".
Before this change the only audit events that required multiple
records were syscall events. Several non-syscall events include
subject contexts, so the use of audit_context data has been expanded
as necessary.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Cc: linux-audit@redhat.com Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Andrea Righi <andrea.righi@canonical.com> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Casey Schaufler [Fri, 21 Aug 2020 17:54:15 +0000 (10:54 -0700)]
UBUNTU: SAUCE: NET: Store LSM netlabel data in a lsmblob
Netlabel uses LSM interfaces requiring an lsmblob and
the internal storage is used to pass information between
these interfaces, so change the internal data from a secid
to a lsmblob. Update the netlabel interfaces and their
callers to accommodate the change. This requires that the
modules using netlabel use the lsm_id.slot to access the
correct secid when using netlabel.
Reviewed-by: Kees Cook <keescook@chromium.org> Reviewed-by: John Johansen <john.johansen@canonical.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Cc: netdev@vger.kernel.org Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Andrea Righi <andrea.righi@canonical.com> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Casey Schaufler [Thu, 20 Aug 2020 23:25:25 +0000 (16:25 -0700)]
UBUNTU: SAUCE: LSM: Use lsmcontext in security_inode_getsecctx
Change the security_inode_getsecctx() interface to fill
a lsmcontext structure instead of data and length pointers.
This provides the information about which LSM created the
context so that security_release_secctx() can use the
correct hook.
Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Andrea Righi <andrea.righi@canonical.com> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Casey Schaufler [Thu, 20 Aug 2020 22:19:52 +0000 (15:19 -0700)]
UBUNTU: SAUCE: LSM: Use lsmcontext in security_secid_to_secctx
Replace the (secctx,seclen) pointer pair with a single
lsmcontext pointer to allow return of the LSM identifier
along with the context and context length. This allows
security_release_secctx() to know how to release the
context. Callers have been modified to use or save the
returned data from the new structure.
Reviewed-by: Kees Cook <keescook@chromium.org> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Cc: netdev@vger.kernel.org Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Andrea Righi <andrea.righi@canonical.com> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Casey Schaufler [Thu, 20 Aug 2020 18:47:01 +0000 (11:47 -0700)]
UBUNTU: SAUCE: LSM: Ensure the correct LSM context releaser
Add a new lsmcontext data structure to hold all the information
about a "security context", including the string, its size and
which LSM allocated the string. The allocation information is
necessary because LSMs have different policies regarding the
lifecycle of these strings. SELinux allocates and destroys
them on each use, whereas Smack provides a pointer to an entry
in a list that never goes away.
Reviewed-by: Kees Cook <keescook@chromium.org> Reviewed-by: John Johansen <john.johansen@canonical.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Cc: linux-integrity@vger.kernel.org Cc: netdev@vger.kernel.org Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Andrea Righi <andrea.righi@canonical.com> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Casey Schaufler [Thu, 20 Aug 2020 17:40:08 +0000 (10:40 -0700)]
UBUNTU: SAUCE: LSM: Specify which LSM to display
Create a new entry "display" in the procfs attr directory for
controlling which LSM security information is displayed for a
process. A process can only read or write its own display value.
The name of an active LSM that supplies hooks for
human readable data may be written to "display" to set the
value. The name of the LSM currently in use can be read from
"display". At this point there can only be one LSM capable
of display active. A helper function lsm_task_display() is
provided to get the display slot for a task_struct.
Setting the "display" requires that all security modules using
setprocattr hooks allow the action. Each security module is
responsible for defining its policy.
AppArmor hook provided by John Johansen <john.johansen@canonical.com>
SELinux hook provided by Stephen Smalley <sds@tycho.nsa.gov>
Reviewed-by: Kees Cook <keescook@chromium.org> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Andrea Righi <andrea.righi@canonical.com> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Casey Schaufler [Thu, 20 Aug 2020 16:24:21 +0000 (09:24 -0700)]
UBUNTU: SAUCE: IMA: Change internal interfaces to use lsmblobs
The IMA interfaces ima_get_action() and ima_match_policy()
call LSM functions that use lsmblobs. Change the IMA functions
to pass the lsmblob to be compatible with the LSM functions.
Reviewed-by: Kees Cook <keescook@chromium.org> Reviewed-by: John Johansen <john.johansen@canonical.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
cc: linux-integrity@vger.kernel.org Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Andrea Righi <andrea.righi@canonical.com>
[ saf: resolve conflicts ] Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Casey Schaufler [Thu, 20 Aug 2020 15:43:21 +0000 (08:43 -0700)]
UBUNTU: SAUCE: LSM: Use lsmblob in security_cred_getsecid
Change the security_cred_getsecid() interface to fill in a
lsmblob instead of a u32 secid. The associated data elements
in the audit sub-system are changed from a secid to a lsmblob
to accommodate multiple possible LSM audit users.
Reviewed-by: Kees Cook <keescook@chromium.org> Reviewed-by: John Johansen <john.johansen@canonical.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
cc: linux-integrity@vger.kernel.org Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Andrea Righi <andrea.righi@canonical.com> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Casey Schaufler [Thu, 20 Aug 2020 00:28:57 +0000 (17:28 -0700)]
UBUNTU: SAUCE: LSM: Use lsmblob in security_inode_getsecid
Change the security_inode_getsecid() interface to fill in a
lsmblob structure instead of a u32 secid. This allows for its
callers to gather data from all registered LSMs. Data is provided
for IMA and audit.
Reviewed-by: Kees Cook <keescook@chromium.org> Reviewed-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
cc: linux-integrity@vger.kernel.org Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Andrea Righi <andrea.righi@canonical.com>
[ saf: resolve conflicts ] Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Casey Schaufler [Wed, 19 Aug 2020 23:06:37 +0000 (16:06 -0700)]
UBUNTU: SAUCE: LSM: Use lsmblob in security_task_getsecid
Change the security_task_getsecid() interface to fill in
a lsmblob structure instead of a u32 secid in support of
LSM stacking. Audit interfaces will need to collect all
possible secids for possible reporting.
Reviewed-by: Kees Cook <keescook@chromium.org> Reviewed-by: John Johansen <john.johansen@canonical.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
cc: linux-integrity@vger.kernel.org Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Andrea Righi <andrea.righi@canonical.com>
[ saf: resolve conflicts ] Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Casey Schaufler [Thu, 19 Mar 2020 16:40:29 +0000 (09:40 -0700)]
UBUNTU: SAUCE: LSM: Use lsmblob in security_ipc_getsecid
There may be more than one LSM that provides IPC data
for auditing. Change security_ipc_getsecid() to fill in
a lsmblob structure instead of the u32 secid. The
audit data structure containing the secid will be updated
later, so there is a bit of scaffolding here.
Reviewed-by: Kees Cook <keescook@chromium.org> Reviewed-by: John Johansen <john.johansen@canonical.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Andrea Righi <andrea.righi@canonical.com> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Casey Schaufler [Wed, 19 Aug 2020 16:32:48 +0000 (09:32 -0700)]
UBUNTU: SAUCE: LSM: Use lsmblob in security_secid_to_secctx
Change security_secid_to_secctx() to take a lsmblob as input
instead of a u32 secid. It will then call the LSM hooks
using the lsmblob element allocated for that module. The
callers have been updated as well. This allows for the
possibility that more than one module may be called upon
to translate a secid to a string, as can occur in the
audit code.
Reviewed-by: Kees Cook <keescook@chromium.org> Reviewed-by: John Johansen <john.johansen@canonical.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Andrea Righi <andrea.righi@canonical.com> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
UBUNTU: SAUCE: LSM: Use lsmblob in security_secctx_to_secid
Change security_secctx_to_secid() to fill in a lsmblob instead
of a u32 secid. Multiple LSMs may be able to interpret the
string, and this allows for setting whichever secid is
appropriate. Change security_secmark_relabel_packet() to use a
lsmblob instead of a u32 secid. In some other cases there is
scaffolding where interfaces have yet to be converted.
UBUNTU: SAUCE: net: Prepare UDS for security module stacking
Change the data used in UDS SO_PEERSEC processing from a
secid to a more general struct lsmblob. Update the
security_socket_getpeersec_dgram() interface to use the
lsmblob. There is a small amount of scaffolding code
that will come out when the security_secid_to_secctx()
code is brought in line with the lsmblob.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Andrea Righi <andrea.righi@canonical.com> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Casey Schaufler [Tue, 18 Aug 2020 17:12:56 +0000 (10:12 -0700)]
UBUNTU: SAUCE: LSM: Use lsmblob in security_kernel_act_as
Change the security_kernel_act_as interface to use a lsmblob
structure in place of the single u32 secid in support of
module stacking. Change its only caller, set_security_override,
to do the same. Change that one's only caller,
set_security_override_from_ctx, to call it with the new
parameter type.
The security module hook is unchanged, still taking a secid.
The infrastructure passes the correct entry from the lsmblob.
lsmblob_init() is used to fill the lsmblob structure, however
this will be removed later in the series when security_secctx_to_secid()
is undated to provide a lsmblob instead of a secid.
Reviewed-by: Kees Cook <keescook@chromium.org> Reviewed-by: John Johansen <john.johansen@canonical.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Andrea Righi <andrea.righi@canonical.com> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Casey Schaufler [Tue, 18 Aug 2020 00:15:27 +0000 (17:15 -0700)]
UBUNTU: SAUCE: LSM: Use lsmblob in security_audit_rule_match
Change the secid parameter of security_audit_rule_match
to a lsmblob structure pointer. Pass the entry from the
lsmblob structure for the approprite slot to the LSM hook.
Change the users of security_audit_rule_match to use the
lsmblob instead of a u32. The scaffolding function lsmblob_init()
fills the blob with the value of the old secid, ensuring that
it is available to the appropriate module hook. The sources of
the secid, security_task_getsecid() and security_inode_getsecid(),
will be converted to use the blob structure later in the series.
At the point the use of lsmblob_init() is dropped.
Reviewed-by: Kees Cook <keescook@chromium.org> Reviewed-by: John Johansen <john.johansen@canonical.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Andrea Righi <andrea.righi@canonical.com>
[ saf: resolve conflicts ] Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Casey Schaufler [Mon, 17 Aug 2020 23:02:56 +0000 (16:02 -0700)]
UBUNTU: SAUCE: LSM: Create and manage the lsmblob data structure.
When more than one security module is exporting data to
audit and networking sub-systems a single 32 bit integer
is no longer sufficient to represent the data. Add a
structure to be used instead.
The lsmblob structure is currently an array of
u32 "secids". There is an entry for each of the
security modules built into the system that would
use secids if active. The system assigns the module
a "slot" when it registers hooks. If modules are
compiled in but not registered there will be unused
slots.
A new lsm_id structure, which contains the name
of the LSM and its slot number, is created. There
is an instance for each LSM, which assigns the name
and passes it to the infrastructure to set the slot.
The audit rules data is expanded to use an array of
security module data rather than a single instance.
Because IMA uses the audit rule functions it is
affected as well.
Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Andrea Righi <andrea.righi@canonical.com>
[ saf: resolve conflicts ] Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
[ update to support landlock ] Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
UBUNTU: SAUCE: LSM: Infrastructure management of the sock security
Move management of the sock->sk_security blob out
of the individual security modules and into the security
infrastructure. Instead of allocating the blobs from within
the modules the modules tell the infrastructure how much
space is required, and the space is allocated there.
Acked-by: Paul Moore <paul@paul-moore.com> Reviewed-by: Kees Cook <keescook@chromium.org> Reviewed-by: John Johansen <john.johansen@canonical.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Andrea Righi <andrea.righi@canonical.com> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
John Johansen [Tue, 6 Oct 2020 21:29:39 +0000 (14:29 -0700)]
UBUNTU: SAUCE: apparmor: LSM stacking: switch from SK_CTX() to aa_sock()
LSM: Infrastructure management of the sock security
changes apparmor to use aa_sock() instead of SK_CTX() but doesn't
update the apparmor unix mediation because that code is not upstream.
So make the change here instead of modifying the LSM patch.
Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Andrea Righi <andrea.righi@canonical.com> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
John Johansen [Tue, 6 Oct 2020 21:01:04 +0000 (14:01 -0700)]
UBUNTU: SAUCE: apparmor: rename aa_sock() to aa_unix_sk()
The LSM stacking patches introduce and use a macro aa_sock
which conflicts with the apparmor unix mediation patches. Rename
aa_sock() in apparmor to avoid a conflict.
Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Andrea Righi <andrea.righi@canonical.com> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
John Johansen [Tue, 6 Oct 2020 21:43:16 +0000 (14:43 -0700)]
UBUNTU: SAUCE: apparmor: disable showing the mode as part of a secid to secctx
Displaying the mode as part of the seectx takes up unnecessary memory,
makes it so we can't use refcounted secctx so we need to alloc/free on
every conversion from secid to secctx and introduces a space that
could be potentially mishandled by tooling.
Eg. In an audit record we get
subj_type=firefix (enforce)
Having the mode reported is not necessary, and might even be confusing
eg. when writing an audit rule to match the above record field you
would use
-F subj_type=firefox
ie. the mode is not included. AppArmor provides ways to find the mode
without reporting as part of the secctx. So disable this by default
before its use is wide spread and we can't. For now we add a sysctl
to control the behavior as we can't guarentee no one is using this.
Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Andrea Righi <andrea.righi@canonical.com> Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
ubuntu-host is a module for providing data to containers via proc.
Initially it is populated with a single file, esm-token, for
supplying ESM access tokens.
This patch only papers over the symptom, as we don't really know the
root cause of the issue. The most possible culprit is Intel ME, which
may do its own things that conflict with software.
Intel ethernet devs are aware of this issue, though they think this is
not the right solution. However, instead of papering over the cracks,
they don't have any solution either because they don't support ME under
Linux :)
Full discussion can be found here:
https://lore.kernel.org/lkml/20200923074751.10527-1-kai.heng.feng@canonical.com/