Diffstat (limited to 'meta-agl-core/recipes-kernel/linux/linux-4.14')
-rw-r--r--meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Handle-CGROUP2-in-the-same-way-that-CGROUP.patch40
-rw-r--r--meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Privilege-check-on-key-operations.patch109
-rw-r--r--meta-agl-core/recipes-kernel/linux/linux-4.14/net-sch_generic-add-if_afp.h-header-to-get-ARPHRD_CA.patch25
3 files changed, 174 insertions, 0 deletions
diff --git a/meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Handle-CGROUP2-in-the-same-way-that-CGROUP.patch b/meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Handle-CGROUP2-in-the-same-way-that-CGROUP.patch
new file mode 100644
index 000000000..c595dfdf5
--- /dev/null
+++ b/meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Handle-CGROUP2-in-the-same-way-that-CGROUP.patch
@@ -0,0 +1,40 @@
+From 63f5acdf097b7baca8d0f7056a037f8811b48aaa Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Tue, 27 Feb 2018 17:06:21 +0100
+Subject: [PATCH] Smack: Handle CGROUP2 in the same way that CGROUP
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The new file system CGROUP2 isn't actually handled
+by smack. This changes makes Smack treat equally
+CGROUP and CGROUP2 items.
+
+Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+---
+ security/smack/smack_lsm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index 03fdecba93bb..5d77ed04422c 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -3431,6 +3431,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
+ if (opt_dentry->d_parent == opt_dentry) {
+ switch (sbp->s_magic) {
+ case CGROUP_SUPER_MAGIC:
++ case CGROUP2_SUPER_MAGIC:
+ /*
+ * The cgroup filesystem is never mounted,
+ * so there's no opportunity to set the mount
+@@ -3474,6 +3475,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
+ switch (sbp->s_magic) {
+ case SMACK_MAGIC:
+ case CGROUP_SUPER_MAGIC:
++ case CGROUP2_SUPER_MAGIC:
+ /*
+ * Casey says that it's a little embarrassing
+ * that the smack file system doesn't do
+--
+2.14.3
+
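Review bot: The patch file carries no `Upstream-Status:` tag, which the OpenEmbedded patch guidelines require so a maintainer of this kernel bbappend can tell whether the change is a backport or a local carry; the `From 63f5acdf…` header suggests a cherry-pick, so add `Upstream-Status: Backport [<mainline commit id>]` after the Subject block (or `Submitted` with the list URL if it had not landed at the time). The code change itself is consistent in the two visible hunks of smack_d_instantiate: `CGROUP2_SUPER_MAGIC` is added to both switch statements so cgroup v2 inodes take the same labeling branch as cgroup v1 instead of whatever the default branch did before, which is outside the hunk. The comment block under the second case label is cut off here; if it still only names cgroupfs, extending it to say that cgroup2 is handled identically would make the intent obvious to the next reader.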
diff --git a/meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Privilege-check-on-key-operations.patch b/meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Privilege-check-on-key-operations.patch
new file mode 100644
index 000000000..4100bb8fd
--- /dev/null
+++ b/meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Privilege-check-on-key-operations.patch
@@ -0,0 +1,109 @@
+Smack: Privilege check on key operations
+
+Operations on key objects are subjected to Smack policy
+even if the process is privileged. This is inconsistent
+with the general behavior of Smack and may cause issues
+with authentication by privileged daemons. This patch
+allows processes with CAP_MAC_OVERRIDE to access keys
+even if the Smack rules indicate otherwise.
+
+Reported-by: Jose Bollo <jobol@nonadev.net>
+Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+---
+ security/smack/smack.h | 1 +
+ security/smack/smack_access.c | 40 +++++++++++++++++++++++++++++-----------
+ security/smack/smack_lsm.c | 4 ++++
+ 3 files changed, 34 insertions(+), 11 deletions(-)
+
+diff --git a/security/smack/smack.h b/security/smack/smack.h
+index 6a71fc7..f7db791 100644
+--- a/security/smack/smack.h
++++ b/security/smack/smack.h
+@@ -321,6 +321,7 @@ struct smack_known *smk_import_entry(const char *, int);
+ void smk_insert_entry(struct smack_known *skp);
+ struct smack_known *smk_find_entry(const char *);
+ bool smack_privileged(int cap);
++bool smack_privileged_cred(int cap, const struct cred *cred);
+ void smk_destroy_label_list(struct list_head *list);
+
+ /*
+diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
+index 1a30041..141ffac 100644
+--- a/security/smack/smack_access.c
++++ b/security/smack/smack_access.c
+@@ -623,26 +623,24 @@ struct smack_known *smack_from_secid(const u32 secid)
+ LIST_HEAD(smack_onlycap_list);
+ DEFINE_MUTEX(smack_onlycap_lock);
+
+-/*
++/**
++ * smack_privileged_cred - are all privilege requirements met by cred
++ * @cap: The requested capability
++ * @cred: the credential to use
++ *
+ * Is the task privileged and allowed to be privileged
+ * by the onlycap rule.
+ *
+ * Returns true if the task is allowed to be privileged, false if it's not.
+ */
+-bool smack_privileged(int cap)
++bool smack_privileged_cred(int cap, const struct cred *cred)
+ {
+- struct smack_known *skp = smk_of_current();
++ struct task_smack *tsp = cred->security;
++ struct smack_known *skp = tsp->smk_task;
+ struct smack_known_list_elem *sklep;
+ int rc;
+
+- /*
+- * All kernel tasks are privileged
+- */
+- if (unlikely(current->flags & PF_KTHREAD))
+- return true;
+-
+- rc = cap_capable(current_cred(), &init_user_ns, cap,
+- SECURITY_CAP_AUDIT);
++ rc = cap_capable(cred, &init_user_ns, cap, SECURITY_CAP_AUDIT);
+ if (rc)
+ return false;
+
+@@ -662,3 +660,23 @@ bool smack_privileged(int cap)
+
+ return false;
+ }
++
++/**
++ * smack_privileged - are all privilege requirements met
++ * @cap: The requested capability
++ *
++ * Is the task privileged and allowed to be privileged
++ * by the onlycap rule.
++ *
++ * Returns true if the task is allowed to be privileged, false if it's not.
++ */
++bool smack_privileged(int cap)
++{
++ /*
++ * All kernel tasks are privileged
++ */
++ if (unlikely(current->flags & PF_KTHREAD))
++ return true;
++
++ return smack_privileged_cred(cap, current_cred());
++}
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index 30f2c3d..03fdecb 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -4369,6 +4369,10 @@ static int smack_key_permission(key_ref_t key_ref,
+ */
+ if (tkp == NULL)
+ return -EACCES;
++
++ if (smack_privileged_cred(CAP_MAC_OVERRIDE, cred))
++ return 0;
++
+ #ifdef CONFIG_AUDIT
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY);
+ ad.a.u.key_struct.key = keyp->serial;
+
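Review bot: The new `if (smack_privileged_cred(CAP_MAC_OVERRIDE, cred)) return 0;` in smack_key_permission returns before `smk_ad_init()` is reached, so a privileged override of key access leaves no Smack audit record even though the rest of the function (which continues outside the hunk) sets up audit data before deciding; if the audit trail matters on this product, consider applying the override after the access check in the form `if (rc != 0 && smack_privileged_cred(CAP_MAC_OVERRIDE, cred)) rc = 0;` ahead of the logging call so the overridden decision is still recorded, or at least state in the description that overrides are unaudited. The check also short-circuits for any credential holding CAP_MAC_OVERRIDE (subject to the onlycap list walked in smack_privileged_cred), so daemons granted that capability for unrelated reasons now bypass key policy entirely, which deserves a sentence in the description. Unlike the other two patches this one has no `From:` commit header and no `Upstream-Status:` tag; for a change that widens a policy bypass, add `Upstream-Status: Backport` with the mainline commit id (or Submitted with the list URL) so provenance can be verified. Splitting the PF_KTHREAD shortcut out into smack_privileged() and keeping smack_privileged_cred() purely cred-based looks right, since the kthread flag belongs to current and not to an arbitrary cred.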
diff --git a/meta-agl-core/recipes-kernel/linux/linux-4.14/net-sch_generic-add-if_afp.h-header-to-get-ARPHRD_CA.patch b/meta-agl-core/recipes-kernel/linux/linux-4.14/net-sch_generic-add-if_afp.h-header-to-get-ARPHRD_CA.patch
new file mode 100644
index 000000000..7c34fb306
--- /dev/null
+++ b/meta-agl-core/recipes-kernel/linux/linux-4.14/net-sch_generic-add-if_afp.h-header-to-get-ARPHRD_CA.patch
@@ -0,0 +1,25 @@
+From 17d0075d95b5087d5df553444cca390fa479bad9 Mon Sep 17 00:00:00 2001
+From: Matt Ranostay <matt.ranostay@konsulko.com>
+Date: Tue, 10 Mar 2020 22:27:28 -0700
+Subject: [PATCH] net: sch_generic: add if_afp.h header to get ARPHRD_CAN macro
+
+Signed-off-by: Matt Ranostay <matt.ranostay@konsulko.com>
+---
+ net/sched/sch_generic.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c
+index bf8c81e07c70..1845ef8c7dbd 100644
+--- a/net/sched/sch_generic.c
++++ b/net/sched/sch_generic.c
+@@ -25,6 +25,7 @@
+ #include <linux/rcupdate.h>
+ #include <linux/list.h>
+ #include <linux/slab.h>
++#include <linux/if_arp.h>
+ #include <linux/if_vlan.h>
+ #include <net/sch_generic.h>
+ #include <net/pkt_sched.h>
+--
+2.25.0
+
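Review bot: The Subject line and the patch filename say `if_afp.h` while the line actually added is `#include <linux/if_arp.h>`; fix the subject and rename the file to `net-sch_generic-add-if_arp.h-header-to-get-ARPHRD_CA.patch` (the recipe's SRC_URI entry, not in this diff, would need the same rename) so the patch can be found by the header it touches. The commit message has no body and no `Upstream-Status:` tag; a sentence naming the build error this include fixes on the 4.14 tree (presumably ARPHRD_CAN being used in sch_generic.c without the header in scope) plus `Upstream-Status: Inappropriate [4.14 backport dependency]` or whatever the real status is would tell the next maintainer why this one-line include exists.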