ima: Fail rule parsing when buffer hook functions have an invalid action
Tyler Hicks authored
[ Upstream commit 71218343 ]

Buffer based hook functions, such as KEXEC_CMDLINE and KEY_CHECK, can
only measure. The process_buffer_measurement() function quietly ignores
all actions except measure so make this behavior clear at the time of
policy load.

The parsing of the keyrings conditional had a check to ensure that it
was only specified with measure actions but the check should be on the
hook function and not the keyrings conditional since
"appraise func=KEY_CHECK" is not a valid rule.

Fixes: b0935123 ("IMA: Define a new hook to measure the kexec boot command line arguments")
Fixes: 5808611c ("IMA: Add KEY_CHECK func to measure keys")
Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
8e07cdb1
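The commit message above describes a policy-load-time check: buffer-based hook functions are measure-only, and the rejection must key on the `func=` value rather than on the `keyrings=` conditional. The following is an added, self-contained illustration of that distinction in Python; it is not the kernel's ima_policy.c code. The rule grammar it parses (an action word followed by `key=value` conditions), the action set and the two buffer hooks named in the commit are taken from the IMA policy format; the function names and the constructed sample policy are assumptions for the example.

```python
"""Illustrative IMA policy-rule validator (added example, not kernel code).

Contrasts the check as the commit describes it *before* the fix (tied to the
keyrings= conditional) with the check *after* the fix (tied to the hook
function), so a rule such as "appraise func=KEY_CHECK" is refused at policy
load instead of being quietly ignored later by process_buffer_measurement().
"""

# Actions an IMA policy rule may begin with.
ACTIONS = {"measure", "dont_measure", "appraise", "dont_appraise",
           "audit", "hash", "dont_hash"}

# Hook functions that hand a buffer (not a file) to the measurement path.
# These are the two named in the commit; both are measure-only.
BUFFER_HOOKS = {"KEXEC_CMDLINE", "KEY_CHECK"}


def parse_rule(line: str) -> dict:
    """Parse one rule line into {'action': str, 'conditions': {key: value}}."""
    tokens = line.split()
    if not tokens:
        raise ValueError("empty rule")
    action, conds = tokens[0], tokens[1:]
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    conditions = {}
    for tok in conds:
        if "=" not in tok:
            raise ValueError(f"malformed condition {tok!r}")
        key, value = tok.split("=", 1)
        if key in conditions:
            raise ValueError(f"duplicate condition {key!r}")
        conditions[key] = value
    return {"action": action, "conditions": conditions}


def validate_before_fix(rule: dict):
    """Pre-fix behaviour as described: only the keyrings= conditional was
    checked against the action, so 'appraise func=KEY_CHECK' slipped through.
    Returns None if accepted, otherwise a reason string."""
    if "keyrings" in rule["conditions"] and rule["action"] != "measure":
        return "keyrings= is only valid with the measure action"
    return None


def validate_after_fix(rule: dict):
    """Post-fix behaviour: any buffer hook paired with a non-measure action is
    rejected, regardless of whether keyrings= is present."""
    func = rule["conditions"].get("func")
    if func in BUFFER_HOOKS and rule["action"] != "measure":
        return f"func={func} only supports the measure action, got {rule['action']!r}"
    return None


def find_invalid_rules(policy_text: str, validator) -> list:
    """Run a validator over every non-comment line; return [(lineno, reason)]."""
    problems = []
    for lineno, raw in enumerate(policy_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            reason = validator(parse_rule(line))
        except ValueError as exc:
            reason = str(exc)
        if reason is not None:
            problems.append((lineno, reason))
    return problems


# Constructed sample policy: lines 3 and 4 are the cases the commit calls out.
SAMPLE_POLICY = """\
# measure-only buffer hooks used correctly
measure func=KEXEC_CMDLINE
measure func=KEY_CHECK keyrings=.ima
appraise func=KEY_CHECK
appraise func=KEXEC_CMDLINE
appraise func=BPRM_CHECK
"""

if __name__ == "__main__":
    for name, validator in (("before fix", validate_before_fix),
                            ("after fix", validate_after_fix)):
        print(name, find_invalid_rules(SAMPLE_POLICY, validator))
```

Running the block shows the pre-fix validator accepting every line of the sample (no `keyrings=` is paired with a non-measure action), while the post-fix validator flags lines 4 and 5, which is the behaviour the commit introduces at policy load.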
Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.