5c37ce3514f1bb5ec091bb1d82ee397fa027f467
glsdk/meta-ti-glsdk.git: recipes-bsp/linux/linux-omap/linus/0061-ima-fix-add-LSM-rule-bug.patch
From 497d2c1cfa523a66bfea594791d8f2a50e5bb0aa Mon Sep 17 00:00:00 2001
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
Date: Mon, 3 Jan 2011 14:59:10 -0800
Subject: [PATCH 61/65] ima: fix add LSM rule bug

If security_filter_rule_init() doesn't return a rule, then not everything
is as fine as the return code implies.

This bug only occurs when the LSM (e.g. SELinux) is disabled at runtime.

Adding an empty LSM rule causes ima_match_rules() to always succeed,
ignoring any remaining rules.

default IMA TCB policy:
# PROC_SUPER_MAGIC
dont_measure fsmagic=0x9fa0
# SYSFS_MAGIC
dont_measure fsmagic=0x62656572
# DEBUGFS_MAGIC
dont_measure fsmagic=0x64626720
# TMPFS_MAGIC
dont_measure fsmagic=0x01021994
# SECURITYFS_MAGIC
dont_measure fsmagic=0x73636673

< LSM specific rule >
dont_measure obj_type=var_log_t

measure func=BPRM_CHECK
measure func=FILE_MMAP mask=MAY_EXEC
measure func=FILE_CHECK mask=MAY_READ uid=0

Thus without the patch, with the boot parameters 'tcb selinux=0', adding
the above 'dont_measure obj_type=var_log_t' rule to the default IMA TCB
measurement policy, would result in nothing being measured. The patch
prevents the default TCB policy from being replaced.

Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Cc: James Morris <jmorris@namei.org>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Cc: David Safford <safford@watson.ibm.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
 security/integrity/ima/ima_policy.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index aef8c0a..d661afb 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
53 @@ -253,6 +253,8 @@ static int ima_lsm_rule_init(struct ima_measure_rule_entry *entry,
54 result = security_filter_rule_init(entry->lsm[lsm_rule].type,
55 Audit_equal, args,
56 &entry->lsm[lsm_rule].rule);
57 + if (!entry->lsm[lsm_rule].rule)
58 + return -EINVAL;
59 return result;
60 }
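Review bot: the new `if (!entry->lsm[lsm_rule].rule) return -EINVAL;` is evaluated before `return result;`, so if security_filter_rule_init() fails with its own error code (e.g. an allocation failure) and, as would be usual, leaves the rule pointer NULL, that code is discarded and the caller sees -EINVAL instead. Checking `result` first keeps the original error and still catches the LSM-disabled case the commit message targets, where the call returns 0 without producing a rule: `if (result) return result; if (!entry->lsm[lsm_rule].rule) return -EINVAL;`. A one-line comment above the check would also help, since without it the condition reads as redundant with the return code and someone may later "simplify" it away.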
--
1.6.6.1
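The failure mode the commit message describes, as an added standalone model (not kernel code and not part of this patch): it builds the policy from the message, runs it through a match routine that skips an LSM condition whose rule pointer is NULL, and compares the unpatched and patched ima_lsm_rule_init() logic. The struct layouts, the sim_filter_rule_init() stand-in for security_filter_rule_init(), the SELinux labels and the sample inodes are assumptions made for the example.

```c
/* Model of the failure the commit message describes: a "dont_measure
 * obj_type=..." rule whose LSM rule pointer is NULL matches every file. Added
 * illustration, not kernel code; struct layouts and sample inodes are assumed. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { IMA_FUNC = 1, IMA_MASK = 2, IMA_FSMAGIC = 4, IMA_UID = 8, MAY_EXEC = 1, MAY_READ = 4 };
enum action { MEASURE, DONT_MEASURE };
enum func { BPRM_CHECK, FILE_MMAP, FILE_CHECK };
struct lsm_rule { const char *label; };     /* stand-in for the audit filter rule */
struct rule {
    enum action action; unsigned flags; enum func func; int mask; unsigned long fsmagic;
    unsigned uid; struct lsm_rule *lsm;     /* lsm == NULL: no usable LSM condition */
};
struct inode { unsigned long fsmagic; const char *label; };
static int lsm_enabled = 1;

/* Models security_filter_rule_init(): with the LSM disabled at runtime it
 * reports success yet hands back no rule, which is the root cause. */
static int sim_filter_rule_init(const char *label, struct lsm_rule **rulep)
{
    *rulep = NULL;
    if (!lsm_enabled) return 0;             /* "success", but no rule */
    if (!(*rulep = malloc(sizeof **rulep))) return -ENOMEM;
    (*rulep)->label = label;
    return 0;
}

/* Unpatched ima_lsm_rule_init(): trusts the return code alone. */
static int lsm_rule_init_old(struct rule *e, const char *label)
{
    return sim_filter_rule_init(label, &e->lsm);
}

/* Patched variant: a missing rule is an error whatever the return code. */
static int lsm_rule_init_new(struct rule *e, const char *label)
{
    int result = sim_filter_rule_init(label, &e->lsm);
    return e->lsm ? result : -EINVAL;
}

/* Models ima_match_rules(): every condition present must hold. An LSM
 * condition with a NULL rule is skipped, so such a rule matches everything. */
static int match_rules(const struct rule *r, const struct inode *in,
                       enum func func, int mask, unsigned uid)
{
    if ((r->flags & IMA_FUNC) && r->func != func) return 0;
    if ((r->flags & IMA_MASK) && r->mask != mask) return 0;
    if ((r->flags & IMA_FSMAGIC) && r->fsmagic != in->fsmagic) return 0;
    if ((r->flags & IMA_UID) && r->uid != uid) return 0;
    if (r->lsm && strcmp(r->lsm->label, in->label) != 0) return 0;
    return 1;
}

/* First matching rule decides; with no match nothing is measured. */
static int should_measure(const struct rule *rules, int n, const struct inode *in,
                          enum func func, int mask, unsigned uid)
{
    for (int i = 0; i < n; i++)
        if (match_rules(&rules[i], in, func, mask, uid)) return rules[i].action == MEASURE;
    return 0;
}

/* Default TCB policy from the commit message with the var_log_t rule spliced in.
 * A rule whose init fails is dropped here; the kernel keeps the old policy instead. */
static int build_policy(struct rule *rules, int (*lsm_init)(struct rule *, const char *))
{
    static const unsigned long magics[] = { 0x9fa0, 0x62656572, 0x64626720, 0x01021994, 0x73636673 };
    struct rule lsm = { DONT_MEASURE, 0 };
    int n = 0;
    for (size_t i = 0; i < sizeof magics / sizeof magics[0]; i++)
        rules[n++] = (struct rule){ DONT_MEASURE, IMA_FSMAGIC, .fsmagic = magics[i] };
    if (lsm_init(&lsm, "var_log_t") == 0) rules[n++] = lsm;
    rules[n++] = (struct rule){ MEASURE, IMA_FUNC, .func = BPRM_CHECK };
    rules[n++] = (struct rule){ MEASURE, IMA_FUNC | IMA_MASK, .func = FILE_MMAP, .mask = MAY_EXEC };
    rules[n++] = (struct rule){ MEASURE, IMA_FUNC | IMA_MASK | IMA_UID, .func = FILE_CHECK, .mask = MAY_READ, .uid = 0 };
    return n;
}

/* Counts measured accesses among five constructed samples for a policy built
 * with the LSM enabled/disabled and the unpatched/patched init routine. */
int count_measured(int enabled, int fixed)
{
    struct rule rules[16];
    const struct inode bin = { 0xEF53, "bin_t" }, vlog = { 0xEF53, "var_log_t" },
                       sysfs = { 0x62656572, "sysfs_t" };   /* constructed samples */
    int measured = 0, n;
    lsm_enabled = enabled;
    n = build_policy(rules, fixed ? lsm_rule_init_new : lsm_rule_init_old);
    measured += should_measure(rules, n, &bin, BPRM_CHECK, MAY_EXEC, 1000);
    measured += should_measure(rules, n, &bin, FILE_MMAP, MAY_EXEC, 1000);
    measured += should_measure(rules, n, &bin, FILE_CHECK, MAY_READ, 0);
    measured += should_measure(rules, n, &vlog, FILE_CHECK, MAY_READ, 0);
    measured += should_measure(rules, n, &sysfs, FILE_CHECK, MAY_READ, 0);
    for (int i = 0; i < n; i++) free(rules[i].lsm);
    return measured;
}

int main(void)
{
    printf("measured: LSM on %d, selinux=0 unpatched %d, selinux=0 patched %d\n",
           count_measured(1, 0), count_measured(0, 0), count_measured(0, 1));
    return 0;
}
```

With the LSM enabled the var_log_t file is excluded and the three executable and root-read accesses are measured. With the LSM disabled, the unpatched routine accepts the rule with a NULL LSM pointer, that rule matches every inode before the measure rules are reached, and nothing at all is measured; the patched routine rejects the rule, so the TCB measure rules stay in force (and, with no obj_type exclusion possible, the var_log_t file is measured too).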