Commit 99d014a4 authored by Luis Henriques's avatar Luis Henriques

Revert "UBUNTU: SAUCE: (namespace) security/integrity: Harden against malformed xattrs"

BugLink: https://bugs.launchpad.net/bugs/1644165

This reverts commit 038b77f6.

The kernel fix for bug #1634964 breaks LXD userspace; in particular, the
following commits are responsible:

ac7f3f73 (namespace) vfs: Don't modify inodes with a uid or gid unknown to the vfs
ca52383a (namespace) vfs: Don't create inodes with a uid or gid unknown to the vfs

LXD 2.0.6 will include changes to support these kernel changes, but it isn't
available yet on xenial, so for now we just revert these commits.
Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
parent 9b8ba0b8
...@@ -36,7 +36,7 @@ static const char *keyring_name[INTEGRITY_KEYRING_MAX] = { ...@@ -36,7 +36,7 @@ static const char *keyring_name[INTEGRITY_KEYRING_MAX] = {
int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
const char *digest, int digestlen) const char *digest, int digestlen)
{ {
if (id >= INTEGRITY_KEYRING_MAX || siglen < 2) if (id >= INTEGRITY_KEYRING_MAX)
return -EINVAL; return -EINVAL;
if (!keyring[id]) { if (!keyring[id]) {
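Review bot: On the new side of this hunk integrity_digsig_verify no longer rejects a signature shorter than two bytes: the `siglen < 2` test is gone from the guard and nothing else in the visible lines checks siglen before the function continues (its body runs past the hunk), so every caller now has to guarantee a minimum length itself. The description motivates the revert by LXD breakage caused by the vfs uid/gid commits, and this length check does not appear to be part of that interaction, so it may be worth keeping `if (id >= INTEGRITY_KEYRING_MAX || siglen < 2) return -EINVAL;` or stating in the description why it has to go along with the rest. The same consideration applies to the dropped xattr_len check in evm_verify_hmac and the HASH_ALGO__LAST bound in ima_get_hash_algo in the two following hunks.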
...@@ -145,10 +145,6 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry, ...@@ -145,10 +145,6 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
/* check value type */ /* check value type */
switch (xattr_data->type) { switch (xattr_data->type) {
case EVM_XATTR_HMAC: case EVM_XATTR_HMAC:
if (xattr_len != sizeof(struct evm_ima_xattr_data)) {
evm_status = INTEGRITY_FAIL;
goto out;
}
rc = evm_calc_hmac(dentry, xattr_name, xattr_value, rc = evm_calc_hmac(dentry, xattr_name, xattr_value,
xattr_value_len, calc.digest); xattr_value_len, calc.digest);
if (rc) if (rc)
...@@ -147,8 +147,6 @@ void ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value, int xattr_len, ...@@ -147,8 +147,6 @@ void ima_get_hash_algo(struct evm_ima_xattr_data *xattr_value, int xattr_len,
break; break;
case IMA_XATTR_DIGEST_NG: case IMA_XATTR_DIGEST_NG:
hash->algo = xattr_value->digest[0]; hash->algo = xattr_value->digest[0];
if (hash->algo >= HASH_ALGO__LAST)
hash->algo = ima_hash_algo;
break; break;
case IMA_XATTR_DIGEST: case IMA_XATTR_DIGEST:
/* this is for backward compatibility */ /* this is for backward compatibility */