1 files changed, 64 insertions, 0 deletions
diff --git a/extras/recipes-kernel/linux/linux-omap/linus/0061-ima-fix-add-LSM-rule-bug.patch b/extras/recipes-kernel/linux/linux-omap/linus/0061-ima-fix-add-LSM-rule-bug.patch
new file mode 100644
index 00000000..5c37ce35
--- /dev/null
+++ b/extras/recipes-kernel/linux/linux-omap/linus/0061-ima-fix-add-LSM-rule-bug.patch
@@ -0,0 +1,64 @@
+From 497d2c1cfa523a66bfea594791d8f2a50e5bb0aa Mon Sep 17 00:00:00 2001
+From: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Date: Mon, 3 Jan 2011 14:59:10 -0800
+Subject: [PATCH 61/65] ima: fix add LSM rule bug
+If security_filter_rule_init() doesn't return a rule, then not everything
+is as fine as the return code implies.
+This bug only occurs when the LSM (eg. SELinux) is disabled at runtime.
+Adding an empty LSM rule causes ima_match_rules() to always succeed,
+ignoring any remaining rules.
+ default IMA TCB policy:
+  # PROC_SUPER_MAGIC
+  dont_measure fsmagic=0x9fa0
+  # SYSFS_MAGIC
+  dont_measure fsmagic=0x62656572
+  # DEBUGFS_MAGIC
+  dont_measure fsmagic=0x64626720
+  # TMPFS_MAGIC
+  dont_measure fsmagic=0x01021994
+  # SECURITYFS_MAGIC
+  dont_measure fsmagic=0x73636673
+  < LSM specific rule >
+  dont_measure obj_type=var_log_t
+  measure func=BPRM_CHECK
+  measure func=FILE_MMAP mask=MAY_EXEC
+  measure func=FILE_CHECK mask=MAY_READ uid=0
+Thus without the patch, with the boot parameters 'tcb selinux=0', adding
+the above 'dont_measure obj_type=var_log_t' rule to the default IMA TCB
+measurement policy, would result in nothing being measured.  The patch
+prevents the default TCB policy from being replaced.
+Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
+Cc: James Morris <jmorris@namei.org>
+Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
+Cc: David Safford <safford@watson.ibm.com>
+Cc: <stable@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+ security/integrity/ima/ima_policy.c |    2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
+index aef8c0a..d661afb 100644
+--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
+@@ -253,6 +253,8 @@ static int ima_lsm_rule_init(struct ima_measure_rule_entry *entry,
+        result = security_filter_rule_init(entry->lsm[lsm_rule].type,
+                                           Audit_equal, args,
+                                           &entry->lsm[lsm_rule].rule);
+       if (!entry->lsm[lsm_rule].rule)
+               return -EINVAL;
+        return result;
+ }
+ 
+-- 
+1.6.6.1

diff --git a/extras/recipes-kernel/linux/linux-omap/linus/0061-ima-fix-add-LSM-rule-bug.patch b/extras/recipes-kernel/linux/linux-omap/linus/0061-ima-fix-add-LSM-rule-bug.patch new file mode 100644 index 00000000..5c37ce35 --- /dev/null +++ b/extras/recipes-kernel/linux/linux-omap/linus/0061-ima-fix-add-LSM-rule-bug.patch
@@ -0,0 +1,64 @@
	1	From 497d2c1cfa523a66bfea594791d8f2a50e5bb0aa Mon Sep 17 00:00:00 2001
	2	From: Mimi Zohar <zohar@linux.vnet.ibm.com>
	3	Date: Mon, 3 Jan 2011 14:59:10 -0800
	4	Subject: [PATCH 61/65] ima: fix add LSM rule bug
	5
	6	If security_filter_rule_init() doesn't return a rule, then not everything
	7	is as fine as the return code implies.
	8
	9	This bug only occurs when the LSM (eg. SELinux) is disabled at runtime.
	10
	11	Adding an empty LSM rule causes ima_match_rules() to always succeed,
	12	ignoring any remaining rules.
	13
	14	default IMA TCB policy:
	15	# PROC_SUPER_MAGIC
	16	dont_measure fsmagic=0x9fa0
	17	# SYSFS_MAGIC
	18	dont_measure fsmagic=0x62656572
	19	# DEBUGFS_MAGIC
	20	dont_measure fsmagic=0x64626720
	21	# TMPFS_MAGIC
	22	dont_measure fsmagic=0x01021994
	23	# SECURITYFS_MAGIC
	24	dont_measure fsmagic=0x73636673
	25
	26	< LSM specific rule >
	27	dont_measure obj_type=var_log_t
	28
	29	measure func=BPRM_CHECK
	30	measure func=FILE_MMAP mask=MAY_EXEC
	31	measure func=FILE_CHECK mask=MAY_READ uid=0
	32
	33	Thus without the patch, with the boot parameters 'tcb selinux=0', adding
	34	the above 'dont_measure obj_type=var_log_t' rule to the default IMA TCB
	35	measurement policy, would result in nothing being measured. The patch
	36	prevents the default TCB policy from being replaced.
	37
	38	Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
	39	Cc: James Morris <jmorris@namei.org>
	40	Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
	41	Cc: David Safford <safford@watson.ibm.com>
	42	Cc: <stable@kernel.org>
	43	Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
	44	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
	45	---
	46	security/integrity/ima/ima_policy.c \| 2 ++
	47	1 files changed, 2 insertions(+), 0 deletions(-)
	48
	49	diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
	50	index aef8c0a..d661afb 100644
	51	--- a/security/integrity/ima/ima_policy.c
	52	+++ b/security/integrity/ima/ima_policy.c
	53	@@ -253,6 +253,8 @@ static int ima_lsm_rule_init(struct ima_measure_rule_entry *entry,
	54	result = security_filter_rule_init(entry->lsm[lsm_rule].type,
	55	Audit_equal, args,
	56	&entry->lsm[lsm_rule].rule);
	57	+ if (!entry->lsm[lsm_rule].rule)
	58	+ return -EINVAL;
	59	return result;
	60	}
	61
	62	--
	63	1.6.6.1
	64