From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C0F33C43334 for ; Thu, 16 Jun 2022 13:30:53 +0000 (UTC) Subject: [4.4.y] cred_getsecid hook To: cip-dev@lists.cip-project.org From: theflamefire89@gmail.com X-Originating-Location: Dresden, Saxony, DE (217.254.145.221) X-Originating-Platform: Linux Firefox 101 User-Agent: GROUPS.IO Web Poster MIME-Version: 1.0 Date: Thu, 16 Jun 2022 06:30:50 -0700 Message-ID: Content-Type: multipart/alternative; boundary="uNCFNBrcJuaZfiAqDTUJ" List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 16 Jun 2022 13:30:53 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/8571 --uNCFNBrcJuaZfiAqDTUJ Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable While working on backporting the fix for CVE-2021-39686 in the Android-"ver= sion" of the 4.4.y kernel I noticed the missing cred_getsecid hook introduc= ed in e.g. 4.19.y by 3ec30113264a7bcd389f51d1738e42da0f41bb5a ( https://git= .kernel.org/pub/scm/linux/kernel/git/cip/linux-cip.git/commit/?h=3Dlinux-4.= 19.y&id=3D3ec30113264a7bcd389f51d1738e42da0f41bb5a ) It seems the LSM security_* hooks haven't received updates for a while in t= his kernel. E.g. a source of error due to missed list HEAD init is due to 0= 302e28dee643932ee7b3c112ebccdbb9f8ec32c ( https://git.kernel.org/pub/scm/li= nux/kernel/git/cip/linux-cip.git/commit/?h=3Dlinux-4.19.y&id=3D0302e28dee64= 3932ee7b3c112ebccdbb9f8ec32c ) merging in 3dfc9b02864b19f4dab376f14479ee4ad= 1de6c9e ( https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip.git= /commit/security/security.c?h=3Dlinux-4.19.y&id=3D3dfc9b02864b19f4dab376f14= 479ee4ad1de6c9e ) which makes the HEAD initialization shorter and more reli= able but trying to get that commit in results in quite a bit of merge confl= icts as hooks have been added/removed in 4.19 which is not yet in 4.4. Anyway: Are there any plans to synchronize the hooks in 4.4 with those in m= ore recent kernels? Regards, Alexander --uNCFNBrcJuaZfiAqDTUJ Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: quoted-printable

While working on backporting the fix for CVE-2021-39686 in the Android-"= version" of the 4.4.y kernel I noticed the missing cred_getsecid hook intro= duced in e.g. 4.19.y by 3ec30113264a7= bcd389f51d1738e42da0f41bb5a

It seems the LSM security_* hook= s haven't received updates for a while in this kernel. E.g. a source of err= or due to missed list HEAD init is due to 0302e28dee643932ee7b3c112ebccdbb9f8ec32c merging in 3dfc9b02864b19f4dab376f14479ee4a= d1de6c9e which makes the HEAD initialization shorter and more reliable = but trying to get that commit in results in quite a bit of merge conflicts = as hooks have been added/removed in 4.19 which is not yet in 4.4.

Anyway: Are there any plans to synchronize the hooks in 4.4 with those in= more recent kernels?

Regards,
Alexander

--uNCFNBrcJuaZfiAqDTUJ-- From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 79E78C43334 for ; Wed, 22 Jun 2022 12:06:42 +0000 (UTC) Received: from jabberwock.ucw.cz (jabberwock.ucw.cz [46.255.230.98]) by mx.groups.io with SMTP id smtpd.web10.6374.1655899596430066862 for ; Wed, 22 Jun 2022 05:06:37 -0700 Authentication-Results: mx.groups.io; dkim=missing; spf=neutral (domain: denx.de, ip: 46.255.230.98, mailfrom: pavel@denx.de) Received: by jabberwock.ucw.cz (Postfix, from userid 1017) id 379431C0B9B; Wed, 22 Jun 2022 14:06:34 +0200 (CEST) Date: Wed, 22 Jun 2022 14:06:33 +0200 From: Pavel Machek To: cip-dev@lists.cip-project.org Subject: Re: [cip-dev] [4.4.y] cred_getsecid hook Message-ID: <20220622120633.GB7458@duo.ucw.cz> References: MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="PmA2V3Z32TCmWXqI" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 22 Jun 2022 12:06:42 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/8582 --PmA2V3Z32TCmWXqI Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hi! > While working on backporting the fix for CVE-2021-39686 in the >Android-"version" of the 4.4.y kernel I noticed the missing >cred_getsecid hook introduced in e.g. 4.19.y by >3ec30113264a7bcd389f51d1738e42da0f41bb5a ( >https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip.git/commit/?= h=3Dlinux-4.19.y&id=3D3ec30113264a7bcd389f51d1738e42da0f41bb5a >) =2E.. > Anyway: Are there any plans to synchronize the hooks in 4.4 with those in= more recent kernels? > Let me see. 4.19 has that commit; it was merged during merge window. 4.9 does not have that commit. If CVE-2021-39686 is important to you, right way forward would be to backport neccessary changes to 4.9, first. We would rather not have changes in 4.4-st that are not present in 4.9.X. I don't think we have any plans to work in this area. commit 3ec30113264a7bcd389f51d1738e42da0f41bb5a Author: Matthew Garrett Date: Mon Jan 8 13:36:19 2018 -0800 security: Add a cred_getsecid hook =20 For IMA purposes, we want to be able to obtain the prepared secid in the bprm structure before the credentials are committed. Add a cred_getsecid hook that makes this possible. Best regards, Pavel --=20 DENX Software Engineering GmbH, Managing Director: Wolfgang Denk HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany --PmA2V3Z32TCmWXqI Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iF0EABECAB0WIQRPfPO7r0eAhk010v0w5/Bqldv68gUCYrMFyQAKCRAw5/Bqldv6 8tzbAJ9S2HNUXaaV+kNNfWrMPBT4Fyzq4ACffoaqxGJAbOuX+DfMv6xd0X6H480= =usq7 -----END PGP SIGNATURE----- --PmA2V3Z32TCmWXqI-- From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1D0EAC43334 for ; Wed, 29 Jun 2022 15:44:35 +0000 (UTC) Subject: Re: [4.4.y] cred_getsecid hook To: cip-dev@lists.cip-project.org From: theflamefire89@gmail.com X-Originating-Location: Dresden, Saxony, DE (217.254.152.199) X-Originating-Platform: Linux Firefox 101 User-Agent: GROUPS.IO Web Poster MIME-Version: 1.0 Date: Wed, 29 Jun 2022 08:44:31 -0700 References: <20220622120633.GB7458@duo.ucw.cz> In-Reply-To: <20220622120633.GB7458@duo.ucw.cz> Message-ID: <7356.1656517471464294518@lists.cip-project.org> Content-Type: multipart/alternative; boundary="wmR45h1ZFtWLT1mXdjw8" List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 29 Jun 2022 15:44:35 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/8624 --wmR45h1ZFtWLT1mXdjw8 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable >=20 > If CVE-2021-39686 is important to you, right way forward would be to > backport neccessary changes to 4.9, first. We would rather not have > changes in 4.4-st that are not present in 4.9.X. Hi Pavel, thanks for the reply. I'm happy to contribute what I have back to 4.9. Can you give me some guida= nce on how I'd do that? I've never contributed to the upstream kernel before but am confident in C/= C++ and git and am maintaining an Android kernel fork. In this case it should be pretty straight forward. All commits are from Goo= gles android-mainline branch, backported where required, but mostly unchang= ed and I have the upstream discussions from the kernel ML for reference. If= you are curious the 38 commits I want to backport to reduce the divergence= and then fix that CVE can be found at https://github.com/Flamefire/android= _kernel_sony_msm8998/pull/24. It will likely be easy enough to port them to the 4.9 branch but I'd need t= o know how to have them applied and/or who to contact. Best Regards, Alex PS: Greetings from Dresden, Germany --wmR45h1ZFtWLT1mXdjw8 Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: quoted-printable

If CVE-2021-39686 is important to you, right way forward would = be to backport neccessary changes to 4.9, first. We would rather not have c= hanges in 4.4-st that are not present in 4.9.X.

Hi Pavel, thanks for the reply.

I'm happy to contribute what I have back to 4.9. Can you give me some gu= idance on how I'd do that?
I've never contributed to the upstream kern= el before but am confident in C/C++ and git and am maintaining an Android k= ernel fork.
In this case it should be pretty straight forward. All com= mits are from Googles android-mainline branch, backported where required, b= ut mostly unchanged and I have the upstream discussions from the kernel ML = for reference. If you are curious the 38 commits I want to backport to redu= ce the divergence and then fix that CVE can be found at https://github.com/Flamefire/android_kernel_sony_msm8998/= pull/24.

It will likely be easy enough to port them to the 4.9 branch but I'd nee= d to know how to have them applied and/or who to contact.

Best R= egards,
Alex

PS: Greetings from Dresden, Germany

--wmR45h1ZFtWLT1mXdjw8-- From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 01EE0C43334 for ; Wed, 29 Jun 2022 18:27:56 +0000 (UTC) Received: from jabberwock.ucw.cz (jabberwock.ucw.cz [46.255.230.98]) by mx.groups.io with SMTP id smtpd.web09.15386.1656527271157124252 for ; Wed, 29 Jun 2022 11:27:52 -0700 Authentication-Results: mx.groups.io; dkim=missing; spf=neutral (domain: denx.de, ip: 46.255.230.98, mailfrom: pavel@denx.de) Received: by jabberwock.ucw.cz (Postfix, from userid 1017) id 2F47C1C0BCB; Wed, 29 Jun 2022 20:27:48 +0200 (CEST) Date: Wed, 29 Jun 2022 20:27:47 +0200 From: Pavel Machek To: cip-dev@lists.cip-project.org Subject: Re: [cip-dev] [4.4.y] cred_getsecid hook Message-ID: <20220629182747.GA8730@duo.ucw.cz> References: <20220622120633.GB7458@duo.ucw.cz> <7356.1656517471464294518@lists.cip-project.org> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="/9DWx/yDrRhgMJTb" Content-Disposition: inline In-Reply-To: <7356.1656517471464294518@lists.cip-project.org> User-Agent: Mutt/1.10.1 (2018-07-13) List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 29 Jun 2022 18:27:55 -0000 X-Groupsio-URL: https://lists.cip-project.org/g/cip-dev/message/8627 --/9DWx/yDrRhgMJTb Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hi! > > If CVE-2021-39686 is important to you, right way forward would be to > > backport neccessary changes to 4.9, first. We would rather not have > > changes in 4.4-st that are not present in 4.9.X. >=20 > Hi Pavel, thanks for the reply. >=20 > I'm happy to contribute what I have back to 4.9. Can you give me some gui= dance on how I'd do that? > I've never contributed to the upstream kernel before but am confident in = C/C++ and git and am maintaining an Android kernel fork. > In this case it should be pretty straight forward. All commits are from G= oogles android-mainline branch, backported where required, but mostly uncha= nged and I have the upstream discussions from the kernel ML for reference. = If you are curious the 38 commits I want to backport to reduce the divergen= ce and then fix that CVE can be found at https://github.com/Flamefire/andro= id_kernel_sony_msm8998/pull/24. >=20 > It will likely be easy enough to port them to the 4.9 branch but I'd need= to know how to have them applied and/or who to contact. > It should be enough to send them to stable@ mailing list, as described in Documentation/process/stable-kernel-rules.rst . Greg KH (see maintainers) is the person to talk to, but mailing list should be enough. > PS: Greetings from Dresden, Germany Nice to meet you, Alex! Best regards, Pavel --=20 DENX Software Engineering GmbH, Managing Director: Wolfgang Denk HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany --/9DWx/yDrRhgMJTb Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iF0EABECAB0WIQRPfPO7r0eAhk010v0w5/Bqldv68gUCYryZowAKCRAw5/Bqldv6 8sBVAJ4+Mu2wHU2/xr5OIcyeDpRiYsmM0gCeM3JtTs2g9O72q93wo258Q9snxDc= =TDoo -----END PGP SIGNATURE----- --/9DWx/yDrRhgMJTb--