From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Seth Forshee, "Eric W. Biederman", Aditya Kali
Subject: [PATCH 4.9 88/92] Revert "evm: Translate user/group ids relative to s_user_ns when computing HMAC"
Date: Thu, 29 Nov 2018 15:12:57 +0100
Message-Id: <20181129140113.878468514@linuxfoundation.org>
X-Mailer: git-send-email 2.19.2
In-Reply-To: <20181129140106.520639693@linuxfoundation.org>
References: <20181129140106.520639693@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric W. Biederman

commit 19339c251607a3defc7f089511ce8561936fee45 upstream.

This reverts commit 0b3c9761d1e405514a551ed24d3ea89aea26ce14.

Seth Forshee writes:
> All right, I think 0b3c9761d1e405514a551ed24d3ea89aea26ce14 should be
> reverted then. EVM is a machine-local integrity mechanism, and so it
> makes sense that the signature would be based on the kernel's notion of
> the uid and not the filesystem's.

I added a comment explaining why the EVM hmac needs to be in the
kernel's notion of uid and gid, not the filesystem's, to prevent
remounting the filesystem and gaining unwarranted trust in files.

Acked-by: Seth Forshee
Signed-off-by: "Eric W. Biederman"
Cc: Aditya Kali
Signed-off-by: Greg Kroah-Hartman
---
 security/integrity/evm/evm_crypto.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

--- a/security/integrity/evm/evm_crypto.c +++ b/security/integrity/evm/evm_crypto.c 
@@ -152,8 +152,16 @@ static void hmac_add_misc(struct shash_d memset(&hmac_misc, 0, sizeof(hmac_misc)); hmac_misc.ino = inode->i_ino; hmac_misc.generation = inode->i_generation; - hmac_misc.uid = from_kuid(inode->i_sb->s_user_ns, inode->i_uid); - hmac_misc.gid = from_kgid(inode->i_sb->s_user_ns, inode->i_gid); + /* The hmac uid and gid must be encoded in the initial user + * namespace (not the filesystems user namespace) as encoding + * them in the filesystems user namespace allows an attack + * where first they are written in an unprivileged fuse mount + * of a filesystem and then the system is tricked to mount the + * filesystem for real on next boot and trust it because + * everything is signed. + */ + hmac_misc.uid = from_kuid(&init_user_ns, inode->i_uid); + hmac_misc.gid = from_kgid(&init_user_ns, inode->i_gid); hmac_misc.mode = inode->i_mode; crypto_shash_update(desc, (const u8 *)&hmac_misc, sizeof(hmac_misc)); if (evm_hmac_attrs & EVM_ATTR_FSUUID)
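
Review bot: The changelog and the new comment in hmac_add_misc() do not mention the compatibility effect of switching hmac_misc.uid and hmac_misc.gid from inode->i_sb->s_user_ns to &init_user_ns. For a superblock whose s_user_ns is not the initial namespace, the two encodings can yield different values, so an HMAC computed with the s_user_ns encoding will not match one recomputed after this change. A sentence in the changelog saying whether such files are expected to exist on 4.9, and that they need relabelling if so, would help stable users. Two style points on the comment itself: "filesystems user namespace" should read "filesystem's user namespace" in both places, and the usual multi-line comment layout outside net/ puts the opening "/*" on a line by itself.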