diff options
| author | Andrey Zhizhikin <andrey.zhizhikin@leica-geosystems.com> | 2020-08-11 21:52:36 +0000 |
|---|---|---|
| committer | Andrey Zhizhikin <andrey.zhizhikin@leica-geosystems.com> | 2020-08-11 21:52:36 +0000 |
| commit | 16c4a925ad2d57aad04edd9fccbab86b1c3f911e (patch) | |
| tree | 2fceb08ff3aee79f8b5e25933f71660a563b7550 /security | |
| parent | e6a09845bc48cc3f957a1d5a6a75975498446cee (diff) | |
| parent | cad17feaf0d05e60f7fe3c29908f9e2d07fbb7ee (diff) | |
Merge tag 'v5.4.58' into 5.4-2.1.x-imx
This is the 5.4.58 stable release
Signed-off-by: Andrey Zhizhikin <andrey.zhizhikin@leica-geosystems.com>
Diffstat (limited to 'security')
| -rw-r--r-- | security/integrity/ima/Kconfig | 2 | ||||
| -rw-r--r-- | security/integrity/ima/ima_appraise.c | 6 | ||||
| -rw-r--r-- | security/smack/smackfs.c | 13 |
3 files changed, 18 insertions, 3 deletions
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index 838476d780e5..d2054bec4909 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig @@ -227,7 +227,7 @@ config IMA_APPRAISE_REQUIRE_POLICY_SIGS config IMA_APPRAISE_BOOTPARAM bool "ima_appraise boot parameter" - depends on IMA_APPRAISE && !IMA_ARCH_POLICY + depends on IMA_APPRAISE default y help This option enables the different "ima_appraise=" modes diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index 136ae4e0ee92..23b04c6521b2 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -18,6 +18,12 @@ static int __init default_appraise_setup(char *str) { #ifdef CONFIG_IMA_APPRAISE_BOOTPARAM + if (arch_ima_get_secureboot()) { + pr_info("Secure boot enabled: ignoring ima_appraise=%s boot parameter option", + str); + return 1; + } + if (strncmp(str, "off", 3) == 0) ima_appraise = 0; else if (strncmp(str, "log", 3) == 0) diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index c21b656b3263..840a192e9337 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c @@ -2720,7 +2720,6 @@ static int smk_open_relabel_self(struct inode *inode, struct file *file) static ssize_t smk_write_relabel_self(struct file *file, const char __user *buf, size_t count, loff_t *ppos) { - struct task_smack *tsp = smack_cred(current_cred()); char *data; int rc; LIST_HEAD(list_tmp); @@ -2745,11 +2744,21 @@ static ssize_t smk_write_relabel_self(struct file *file, const char __user *buf, kfree(data); if (!rc || (rc == -EINVAL && list_empty(&list_tmp))) { + struct cred *new; + struct task_smack *tsp; + + new = prepare_creds(); + if (!new) { + rc = -ENOMEM; + goto out; + } + tsp = smack_cred(new); smk_destroy_label_list(&tsp->smk_relabel); list_splice(&list_tmp, &tsp->smk_relabel); + commit_creds(new); return count; } - +out: smk_destroy_label_list(&list_tmp); return rc; } |