[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20181129140113.878468514@linuxfoundation.org>
Date: Thu, 29 Nov 2018 15:12:57 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-kernel@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
stable@...r.kernel.org, Seth Forshee <seth.forshee@...onical.com>,
"Eric W. Biederman" <ebiederm@...ssion.com>,
Aditya Kali <adityakali@...gle.com>
Subject: [PATCH 4.9 88/92] Revert "evm: Translate user/group ids relative to s_user_ns when computing HMAC"
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric W. Biederman <ebiederm@...ssion.com>
commit 19339c251607a3defc7f089511ce8561936fee45 upstream.
This reverts commit 0b3c9761d1e405514a551ed24d3ea89aea26ce14.
Seth Forshee <seth.forshee@...onical.com> writes:
> All right, I think 0b3c9761d1e405514a551ed24d3ea89aea26ce14 should be
> reverted then. EVM is a machine-local integrity mechanism, and so it
> makes sense that the signature would be based on the kernel's notion of
> the uid and not the filesystem's.
I added a commment explaining why the EVM hmac needs to be in the
kernel's notion of uid and gid, not the filesystems to prevent
remounting the filesystem and gaining unwaranted trust in files.
Acked-by: Seth Forshee <seth.forshee@...onical.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@...ssion.com>
Cc: Aditya Kali <adityakali@...gle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
---
security/integrity/evm/evm_crypto.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
--- a/security/integrity/evm/evm_crypto.c
+++ b/security/integrity/evm/evm_crypto.c
@@ -152,8 +152,16 @@ static void hmac_add_misc(struct shash_d
memset(&hmac_misc, 0, sizeof(hmac_misc));
hmac_misc.ino = inode->i_ino;
hmac_misc.generation = inode->i_generation;
- hmac_misc.uid = from_kuid(inode->i_sb->s_user_ns, inode->i_uid);
- hmac_misc.gid = from_kgid(inode->i_sb->s_user_ns, inode->i_gid);
+ /* The hmac uid and gid must be encoded in the initial user
+ * namespace (not the filesystems user namespace) as encoding
+ * them in the filesystems user namespace allows an attack
+ * where first they are written in an unprivileged fuse mount
+ * of a filesystem and then the system is tricked to mount the
+ * filesystem for real on next boot and trust it because
+ * everything is signed.
+ */
+ hmac_misc.uid = from_kuid(&init_user_ns, inode->i_uid);
+ hmac_misc.gid = from_kgid(&init_user_ns, inode->i_gid);
hmac_misc.mode = inode->i_mode;
crypto_shash_update(desc, (const u8 *)&hmac_misc, sizeof(hmac_misc));
if (evm_hmac_attrs & EVM_ATTR_FSUUID)
Powered by blists - more mailing lists