From 3b14f98896f7cde9ed4c787d69eebbf1f37fb432 Mon Sep 17 00:00:00 2001 From: Jeremy Cline Date: Nov 02 2017 16:30:30 +0000 Subject: Linux v4.13.11 --- diff --git a/kernel.spec b/kernel.spec index 94df3d2..dab1d1d 100644 --- a/kernel.spec +++ b/kernel.spec @@ -54,7 +54,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 10 +%define stable_update 11 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -705,6 +705,9 @@ Patch632: 0001-staging-vboxvideo-Fix-reporting-invalid-suggested-of.patch # http://patchwork.ozlabs.org/patch/831938/ Patch633: net-mlxsw-reg-Add-high-and-low-temperature-thresholds.patch +# Included in 4.14, backport requested on kernel@ +Patch634: selinux-Generalize-support-for-NNP-nosuid-SELinux-do.patch + # END OF PATCH DEFINITIONS %endif @@ -2259,6 +2262,12 @@ fi # # %changelog +* Thu Nov 02 2017 Jeremy Cline - 4.13.11-300 +- Linux v4.13.11 +- Fix CVE-2017-12193 (rhbz 1501215 1508717) +- SMB3: Validate negotiate request must always be signed (rhbz 1502606) +- Backport new SELinux NNP/nosuid patch to resolve interactions with systemd + * Wed Nov 01 2017 Laura Abbott - Add fix for potential mlxsw firmware incompatibility diff --git a/selinux-Generalize-support-for-NNP-nosuid-SELinux-do.patch b/selinux-Generalize-support-for-NNP-nosuid-SELinux-do.patch new file mode 100644 index 0000000..797566c --- /dev/null +++ b/selinux-Generalize-support-for-NNP-nosuid-SELinux-do.patch @@ -0,0 +1,220 @@ +From af63f4193f9fbbbac50fc766417d74735afd87ef Mon Sep 17 00:00:00 2001 +From: Stephen Smalley +Date: Mon, 31 Jul 2017 10:12:46 -0400 +Subject: [PATCH] selinux: Generalize support for NNP/nosuid SELinux domain + transitions + +As systemd ramps up enabling NNP (NoNewPrivileges) for system services, +it is increasingly breaking SELinux domain transitions for those services +and their descendants. systemd enables NNP not only for services whose +unit files explicitly specify NoNewPrivileges=yes but also for services +whose unit files specify any of the following options in combination with +running without CAP_SYS_ADMIN (e.g. specifying User= or a +CapabilityBoundingSet= without CAP_SYS_ADMIN): SystemCallFilter=, +SystemCallArchitectures=, RestrictAddressFamilies=, RestrictNamespaces=, +PrivateDevices=, ProtectKernelTunables=, ProtectKernelModules=, +MemoryDenyWriteExecute=, or RestrictRealtime= as per the systemd.exec(5) +man page. + +The end result is bad for the security of both SELinux-disabled and +SELinux-enabled systems. Packagers have to turn off these +options in the unit files to preserve SELinux domain transitions. For +users who choose to disable SELinux, this means that they miss out on +at least having the systemd-supported protections. For users who keep +SELinux enabled, they may still be missing out on some protections +because it isn't necessarily guaranteed that the SELinux policy for +that service provides the same protections in all cases. + +commit 7b0d0b40cd78 ("selinux: Permit bounded transitions under +NO_NEW_PRIVS or NOSUID.") allowed bounded transitions under NNP in +order to support limited usage for sandboxing programs. However, +defining typebounds for all of the affected service domains +is impractical to implement in policy, since typebounds requires us +to ensure that each domain is allowed everything all of its descendant +domains are allowed, and this has to be repeated for the entire chain +of domain transitions. There is no way to clone all allow rules from +descendants to their ancestors in policy currently, and doing so would +be undesirable even if it were practical, as it requires leaking +permissions to objects and operations into ancestor domains that could +weaken their own security in order to allow them to the descendants +(e.g. if a descendant requires execmem permission, then so do all of +its ancestors; if a descendant requires execute permission to a file, +then so do all of its ancestors; if a descendant requires read to a +symbolic link or temporary file, then so do all of its ancestors...). +SELinux domains are intentionally not hierarchical / bounded in this +manner normally, and making them so would undermine their protections +and least privilege. + +We have long had a similar tension with SELinux transitions and nosuid +mounts, albeit not as severe. Users often have had to choose between +retaining nosuid on a mount and allowing SELinux domain transitions on +files within those mounts. This likewise leads to unfortunate tradeoffs +in security. + +Decouple NNP/nosuid from SELinux transitions, so that we don't have to +make a choice between them. Introduce a nnp_nosuid_transition policy +capability that enables transitions under NNP/nosuid to be based on +a permission (nnp_transition for NNP; nosuid_transition for nosuid) +between the old and new contexts in addition to the current support +for bounded transitions. Domain transitions can then be allowed in +policy without requiring the parent to be a strict superset of all of +its children. + +With this change, systemd unit files can be left unmodified from upstream. +SELinux-disabled and SELinux-enabled users will benefit from retaining any +of the systemd-provided protections. SELinux policy will only need to +be adapted to enable the new policy capability and to allow the +new permissions between domain pairs as appropriate. + +NB: Allowing nnp_transition between two contexts opens up the potential +for the old context to subvert the new context by installing seccomp +filters before the execve. Allowing nosuid_transition between two contexts +opens up the potential for a context transition to occur on a file from +an untrusted filesystem (e.g. removable media or remote filesystem). Use +with care. + +Signed-off-by: Stephen Smalley +Signed-off-by: Paul Moore +--- + security/selinux/hooks.c | 47 +++++++++++++++++++++++++------------ + security/selinux/include/classmap.h | 2 ++ + security/selinux/include/security.h | 2 ++ + security/selinux/ss/services.c | 7 +++++- + 4 files changed, 42 insertions(+), 16 deletions(-) + +diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c +index 00ad46e166f6..04b8e1082c9a 100644 +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -2318,6 +2318,7 @@ static int check_nnp_nosuid(const struct linux_binprm *bprm, + int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS); + int nosuid = !mnt_may_suid(bprm->file->f_path.mnt); + int rc; ++ u32 av; + + if (!nnp && !nosuid) + return 0; /* neither NNP nor nosuid */ +@@ -2326,24 +2327,40 @@ static int check_nnp_nosuid(const struct linux_binprm *bprm, + return 0; /* No change in credentials */ + + /* +- * The only transitions we permit under NNP or nosuid +- * are transitions to bounded SIDs, i.e. SIDs that are +- * guaranteed to only be allowed a subset of the permissions +- * of the current SID. ++ * If the policy enables the nnp_nosuid_transition policy capability, ++ * then we permit transitions under NNP or nosuid if the ++ * policy allows the corresponding permission between ++ * the old and new contexts. + */ +- rc = security_bounded_transition(old_tsec->sid, new_tsec->sid); +- if (rc) { +- /* +- * On failure, preserve the errno values for NNP vs nosuid. +- * NNP: Operation not permitted for caller. +- * nosuid: Permission denied to file. +- */ ++ if (selinux_policycap_nnp_nosuid_transition) { ++ av = 0; + if (nnp) +- return -EPERM; +- else +- return -EACCES; ++ av |= PROCESS2__NNP_TRANSITION; ++ if (nosuid) ++ av |= PROCESS2__NOSUID_TRANSITION; ++ rc = avc_has_perm(old_tsec->sid, new_tsec->sid, ++ SECCLASS_PROCESS2, av, NULL); ++ if (!rc) ++ return 0; + } +- return 0; ++ ++ /* ++ * We also permit NNP or nosuid transitions to bounded SIDs, ++ * i.e. SIDs that are guaranteed to only be allowed a subset ++ * of the permissions of the current SID. ++ */ ++ rc = security_bounded_transition(old_tsec->sid, new_tsec->sid); ++ if (!rc) ++ return 0; ++ ++ /* ++ * On failure, preserve the errno values for NNP vs nosuid. ++ * NNP: Operation not permitted for caller. ++ * nosuid: Permission denied to file. ++ */ ++ if (nnp) ++ return -EPERM; ++ return -EACCES; + } + + static int selinux_bprm_set_creds(struct linux_binprm *bprm) +diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h +index b9fe3434b036..35ffb29a69cb 100644 +--- a/security/selinux/include/classmap.h ++++ b/security/selinux/include/classmap.h +@@ -48,6 +48,8 @@ struct security_class_mapping secclass_map[] = { + "setrlimit", "rlimitinh", "dyntransition", "setcurrent", + "execmem", "execstack", "execheap", "setkeycreate", + "setsockcreate", "getrlimit", NULL } }, ++ { "process2", ++ { "nnp_transition", "nosuid_transition", NULL } }, + { "system", + { "ipc_info", "syslog_read", "syslog_mod", + "syslog_console", "module_request", "module_load", NULL } }, +diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h +index e91f08c16c0b..3e323179159a 100644 +--- a/security/selinux/include/security.h ++++ b/security/selinux/include/security.h +@@ -73,6 +73,7 @@ enum { + POLICYDB_CAPABILITY_EXTSOCKCLASS, + POLICYDB_CAPABILITY_ALWAYSNETWORK, + POLICYDB_CAPABILITY_CGROUPSECLABEL, ++ POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION, + __POLICYDB_CAPABILITY_MAX + }; + #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1) +@@ -84,6 +85,7 @@ extern int selinux_policycap_openperm; + extern int selinux_policycap_extsockclass; + extern int selinux_policycap_alwaysnetwork; + extern int selinux_policycap_cgroupseclabel; ++extern int selinux_policycap_nnp_nosuid_transition; + + /* + * type_datum properties +diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c +index 2f02fa67ec2e..16c55de21b9f 100644 +--- a/security/selinux/ss/services.c ++++ b/security/selinux/ss/services.c +@@ -76,7 +76,8 @@ char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX] = { + "open_perms", + "extended_socket_class", + "always_check_network", +- "cgroup_seclabel" ++ "cgroup_seclabel", ++ "nnp_nosuid_transition" + }; + + int selinux_policycap_netpeer; +@@ -84,6 +85,7 @@ int selinux_policycap_openperm; + int selinux_policycap_extsockclass; + int selinux_policycap_alwaysnetwork; + int selinux_policycap_cgroupseclabel; ++int selinux_policycap_nnp_nosuid_transition; + + static DEFINE_RWLOCK(policy_rwlock); + +@@ -2009,6 +2011,9 @@ static void security_load_policycaps(void) + selinux_policycap_cgroupseclabel = + ebitmap_get_bit(&policydb.policycaps, + POLICYDB_CAPABILITY_CGROUPSECLABEL); ++ selinux_policycap_nnp_nosuid_transition = ++ ebitmap_get_bit(&policydb.policycaps, ++ POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION); + + for (i = 0; i < ARRAY_SIZE(selinux_policycap_names); i++) + pr_info("SELinux: policy capability %s=%d\n", +-- +2.14.3 + diff --git a/sources b/sources index 8fadb3c..5567d2f 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ SHA512 (linux-4.13.tar.xz) = a557c2f0303ae618910b7106ff63d9978afddf470f03cb72aa748213e099a0ecd5f3119aea6cbd7b61df30ca6ef3ec57044d524b7babbaabddf8b08b8bafa7d2 SHA512 (perf-man-4.13.tar.gz) = 9bcc2cd8e56ec583ed2d8e0b0c88e7a94035a1915e40b3177bb02d6c0f10ddd4df9b097b1f5af59efc624226b613e240ddba8ddc2156f3682f992d5455fc5c03 -SHA512 (patch-4.13.10.xz) = 634d81ea509aac5555d8d11631babe9bb04ea771c873f084cea7067313a566d5cad291b0c311002ae8d1d6dd498a93a9a43517923aa449eebb405fb4c1e34753 +SHA512 (patch-4.13.11.xz) = ad38845a4c05fcaace68563ffa005cf537d3564448b28750b2c872788cbc0c2495dbc9fdf98817d21aef41863614d8b707acdfb05d8f07845d921c909b5f1d22