11 Aug, 2010
2 commits
-
* 'writable_limits' of git://decibel.fi.muni.cz/~xslaby/linux:
unistd: add __NR_prlimit64 syscall numbers
rlimits: implement prlimit64 syscall
rlimits: switch more rlimit syscalls to do_prlimit
rlimits: redo do_setrlimit to more generic do_prlimit
rlimits: add rlimit64 structure
rlimits: do security check under task_lock
rlimits: allow setrlimit to non-current tasks
rlimits: split sys_setrlimit
rlimits: selinux, do rlimits changes under task_lock
rlimits: make sure ->rlim_max never grows in sys_setrlimit
rlimits: add task_struct to update_rlimit_cpu
rlimits: security, add task_struct to setrlimit
Fix up various system call number conflicts. We not only added fanotify
system calls in the meantime, but asm-generic/unistd.h added a wait4
along with a range of reserved per-architecture system calls.
-
* 'for-linus' of git://git.infradead.org/users/eparis/notify: (132 commits)
fanotify: use both marks when possible
fsnotify: pass both the vfsmount mark and inode mark
fsnotify: walk the inode and vfsmount lists simultaneously
fsnotify: rework ignored mark flushing
fsnotify: remove global fsnotify groups lists
fsnotify: remove group->mask
fsnotify: remove the global masks
fsnotify: cleanup should_send_event
fanotify: use the mark in handler functions
audit: use the mark in handler functions
dnotify: use the mark in handler functions
inotify: use the mark in handler functions
fsnotify: send fsnotify_mark to groups in event handling functions
fsnotify: Exchange list heads instead of moving elements
fsnotify: srcu to protect read side of inode and vfsmount locks
fsnotify: use an explicit flag to indicate fsnotify_destroy_mark has been called
fsnotify: use _rcu functions for mark list traversal
fsnotify: place marks on object in order of group memory address
vfs/fsnotify: fsnotify_close can delay the final work in fput
fsnotify: store struct file not struct path
...
Fix up trivial delete/modify conflict in fs/notify/inotify/inotify.c.
02 Aug, 2010
1 commit
-
When commit be6d3e56a6b9b3a4ee44a0685e39e595073c6f0d "introduce new LSM hooks
where vfsmount is available." was proposed, regarding security_path_truncate(),
only the "struct file *" argument (which AppArmor wanted to use) was removed.
But the length and time_attrs arguments are not used by TOMOYO nor AppArmor.
Thus, let's remove these arguments.
Signed-off-by: Tetsuo Handa
Acked-by: Nick Piggin
Signed-off-by: James Morris
28 Jul, 2010
1 commit
-
Introduce a new fsnotify hook, fsnotify_perm(), which is called from the
security code. This hook is used to allow fsnotify groups to make access
control decisions about events on the system. We also must change the
generic fsnotify function to return an error code if we intend these hooks
to be in any way useful.
Signed-off-by: Eric Paris
16 Jul, 2010
1 commit
-
Add task_struct to task_setrlimit of security_operations to be able to set
rlimit of task other than current.
Signed-off-by: Jiri Slaby
Acked-by: Eric Paris
Acked-by: James Morris
17 May, 2010
1 commit
-
register_security() became an __init function.
So do verify() and security_fixup_ops().
Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris
12 Apr, 2010
13 commits
-
Unused hook. Remove.
Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
Unused hook. Remove.
Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
Unused hook. Remove.
Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
Unused hook. Remove.
Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
Unused hook. Remove.
Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
Unused hook. Remove.
Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
Unused hook. Remove.
Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
Unused hook. Remove.
Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
Unused hook. Remove.
Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
Unused hook. Remove.
Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
Unused hook. Remove.
Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
Unused hook. Remove.
Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
Unused hook. Remove it.
Signed-off-by: Eric Paris
Signed-off-by: James Morris
09 Mar, 2010
1 commit
03 Mar, 2010
1 commit
-
The LSM framework doesn't allow loading a security module at runtime; it must be loaded at boot time.
But in security/security.c:
int register_security(struct security_operations *ops)
{
	...
	if (security_ops != &default_security_ops)
		return -EAGAIN;
	...
}
If security_ops == &default_security_ops, it can register a security module. If SELinux is enabled,
other security modules can't register, but if SELinux is disabled at boot time, security_ops is set to
default_security_ops, and LSM allows other kernel modules to use register_security() to register an untrusted
security module. For example: disable SELinux at boot time (selinux=0).
#include
#include
#include
#include
#include
#include
#include

MODULE_LICENSE("GPL");
MODULE_AUTHOR("wzt");

extern int register_security(struct security_operations *ops);
int (*new_register_security)(struct security_operations *ops);

int rootkit_bprm_check_security(struct linux_binprm *bprm)
{
	return 0;
}

struct security_operations rootkit_ops = {
	.bprm_check_security = rootkit_bprm_check_security,
};

static int rootkit_init(void)
{
	printk("Load LSM rootkit module.\n");

	/* cat /proc/kallsyms | grep register_security */
	new_register_security = 0xc0756689;
	if (new_register_security(&rootkit_ops)) {
		printk("Can't register rootkit module.\n");
		return 0;
	}
	printk("Register rootkit module ok.\n");

	return 0;
}

static void rootkit_exit(void)
{
	printk("Unload LSM rootkit module.\n");
}

module_init(rootkit_init);
module_exit(rootkit_exit);
Signed-off-by: Zhitong Wang
Signed-off-by: James Morris
01 Mar, 2010
1 commit
24 Feb, 2010
1 commit
-
Enhance the security framework to support resetting the active security
module. This eliminates the need for direct use of the security_ops and
default_security_ops variables outside of security.c, so make security_ops
and default_security_ops static. Also remove the secondary_ops variable as
a cleanup since there is no use for that. secondary_ops was originally used by
SELinux to call the "secondary" security module (capability or dummy),
but that was replaced by direct calls to capability and the only
remaining use is to save and restore the original security ops pointer
value if SELinux is disabled by early userspace based on /etc/selinux/config.
Further, if we support this directly in the security framework, then we can
just use &default_security_ops for this purpose since that is now available.
Signed-off-by: Zhitong Wang
Acked-by: Stephen Smalley
Signed-off-by: James Morris
07 Feb, 2010
1 commit
-
Hooks: Just Say No.
Signed-off-by: Al Viro
04 Feb, 2010
1 commit
-
This allows the LSM to distinguish between syslog functions originating
from /proc/kmsg access and direct syscalls. By default, the commoncaps
will now no longer require CAP_SYS_ADMIN to read an opened /proc/kmsg
file descriptor. For example the kernel syslog reader can now drop
privileges after opening /proc/kmsg, instead of staying privileged with
CAP_SYS_ADMIN. MAC systems that implement security_syslog have unchanged
behavior.
Signed-off-by: Kees Cook
Acked-by: Serge Hallyn
Acked-by: John Johansen
Signed-off-by: James Morris
15 Jan, 2010
1 commit
-
Currently, the getsecurity and setsecurity operations return zero for
kernel private inodes, where xattrs are not available directly to
userspace.
This confuses some applications, and does not conform to the
man page for getxattr(2) etc., which state that these syscalls
should return ENOTSUP if xattrs are not supported or disabled.
Note that in the listsecurity case, we still need to return zero
as we don't know which other xattr handlers may be active.
For discussion of userland confusion, see:
http://www.mail-archive.com/bug-coreutils@gnu.org/msg17988.html
This patch corrects the error returns so that ENOTSUP is reported
to userspace as required.
Signed-off-by: James Morris
Acked-by: Stephen Smalley
Acked-by: Serge Hallyn
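As an added example (not part of the commit above), here is how a userspace consumer of security.* attributes should tell the three outcomes apart, which is exactly the distinction the zero return was blurring: a value is present, the name is unset (ENODATA), or the inode does not support xattrs at all (ENOTSUP). Before this change a caller would have received an empty value for a kernel-private inode and taken it for a present but empty label. The sample paths and labels are constructed, and a small fake getxattr stands in for os.getxattr so the logic runs on any platform.

```python
"""Read a security.* xattr the way getxattr(2) callers are expected to,
distinguishing a present label, an unset name (ENODATA) and an inode whose
filesystem has no xattr support (ENOTSUP).

Added example; not code from the kernel commit. The getxattr parameter is an
injectable stand-in for os.getxattr so constructed errors can be exercised.
"""
import errno
import os

UNSUPPORTED = "unsupported"   # inode/filesystem has no xattr support (ENOTSUP)
UNSET = "unset"               # xattrs work, but this name carries no value (ENODATA)


def security_label(path, name="security.selinux", getxattr=None):
    """Return the decoded label, UNSET or UNSUPPORTED; other errors propagate."""
    if getxattr is None:
        getxattr = getattr(os, "getxattr", None)   # Linux only
        if getxattr is None:
            raise OSError(errno.ENOTSUP, "xattrs not available on this platform")
    try:
        value = getxattr(path, name)
    except OSError as e:
        if e.errno in (errno.ENOTSUP, errno.EOPNOTSUPP):
            return UNSUPPORTED
        if e.errno == errno.ENODATA:
            return UNSET
        raise                                       # ENOENT, EACCES, ... are real errors
    # Security labels are stored NUL-terminated; strip it before decoding.
    return value.rstrip(b"\0").decode()


def fake_fs(entries):
    """Build a getxattr stand-in from constructed data: path -> {name: bytes},
    or path -> None for an inode whose filesystem has no xattr support."""
    def getxattr(path, name):
        if path not in entries:
            raise FileNotFoundError(errno.ENOENT, os.strerror(errno.ENOENT), path)
        attrs = entries[path]
        if attrs is None:
            raise OSError(errno.ENOTSUP, os.strerror(errno.ENOTSUP), path)
        if name not in attrs:
            raise OSError(errno.ENODATA, os.strerror(errno.ENODATA), path)
        return attrs[name]
    return getxattr


# Constructed sample view: a labelled file, a file with no security label, and a
# placeholder path standing for a kernel-private inode (the case this commit fixes).
SAMPLE_FS = fake_fs({
    "/etc/passwd": {"security.selinux": b"system_u:object_r:passwd_file_t:s0\0"},
    "/tmp/scratch": {"user.note": b"x"},
    "/kernel-private-inode": None,
})

SAMPLE_PATHS = ("/etc/passwd", "/tmp/scratch", "/kernel-private-inode")


def demo(getxattr=SAMPLE_FS):
    """Classify every sample path; returns {path: label | UNSET | UNSUPPORTED}."""
    return {p: security_label(p, getxattr=getxattr) for p in SAMPLE_PATHS}


if __name__ == "__main__":
    for path, result in demo().items():
        print(f"{path:24s} -> {result}")
```

Pass `getxattr=None` (the default) to run the same classifier against the live kernel with os.getxattr; the fake is only there so the three branches can be shown without a particular filesystem or LSM being present.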
08 Dec, 2009
1 commit
-
include/linux/security.h and security/capability.c are using "struct path *dir"
but security/security.c was using "struct path *path" by error.
This patch renames "struct path *path" to "struct path *dir".
Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris
10 Nov, 2009
1 commit
-
For SELinux to do better filtering in userspace we send the name of the
module along with the AVC denial when a program is denied module_request.
Example output:
type=SYSCALL msg=audit(11/03/2009 10:59:43.510:9) : arch=x86_64 syscall=write success=yes exit=2 a0=3 a1=7fc28c0d56c0 a2=2 a3=7fffca0d7440 items=0 ppid=1727 pid=1729 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpc.nfsd exe=/usr/sbin/rpc.nfsd subj=system_u:system_r:nfsd_t:s0 key=(null)
type=AVC msg=audit(11/03/2009 10:59:43.510:9) : avc: denied { module_request } for pid=1729 comm=rpc.nfsd kmod="net-pf-10" scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
Signed-off-by: Eric Paris
Signed-off-by: James Morris
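An added example (not part of the commit or the kernel tree) of the userspace filtering this record format enables: a small Python parser that splits ausearch-style records into fields, joins each AVC record with the SYSCALL record sharing its serial number, and pulls out denied module_request events together with the kmod= value. The two sample records are the ones quoted in the commit message; the field names are as they appear there.

```python
"""Correlate SELinux module_request denials with their SYSCALL records.

Added example; not part of the kernel commit. Input is interpreted audit
output (ausearch -i style), one record per line. The kmod= field the commit
adds names the module alias the caller asked for, e.g. net-pf-10 is the
alias for protocol family 10 (AF_INET6).
"""
import re
from collections import defaultdict

# The two records quoted in the commit message, used here as sample input.
SAMPLE_RECORDS = [
    "type=SYSCALL msg=audit(11/03/2009 10:59:43.510:9) : arch=x86_64 syscall=write "
    "success=yes exit=2 a0=3 a1=7fc28c0d56c0 a2=2 a3=7fffca0d7440 items=0 ppid=1727 "
    "pid=1729 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root "
    "sgid=root fsgid=root tty=(none) ses=unset comm=rpc.nfsd exe=/usr/sbin/rpc.nfsd "
    "subj=system_u:system_r:nfsd_t:s0 key=(null)",
    "type=AVC msg=audit(11/03/2009 10:59:43.510:9) : avc: denied { module_request } "
    "for pid=1729 comm=rpc.nfsd kmod=\"net-pf-10\" scontext=system_u:system_r:nfsd_t:s0 "
    "tcontext=system_u:system_r:kernel_t:s0 tclass=system",
]

# type=..., msg=audit(<timestamp>:<serial>) : <body>; the timestamp itself
# contains colons, so the serial is anchored as the last ":digits" before ")".
_HEADER = re.compile(
    r"^type=(?P<type>\w+)\s+msg=audit\((?P<ts>.+?):(?P<serial>\d+)\)\s*:?\s*(?P<body>.*)$")
# avc: denied { perm perm ... } for key=value ...
_AVC = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")
# key=value tokens; values may be double-quoted (kmod="net-pf-10") or bare.
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(text):
    """Turn 'k=v k="v v"' text into a dict, stripping the quotes."""
    return {k: v.strip('"') for k, v in _FIELD.findall(text)}


def parse_record(line):
    """Parse one audit record; returns None for lines that are not records."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "timestamp": m["ts"], "serial": int(m["serial"])}
    body = m["body"]
    if rec["type"] == "AVC":
        a = _AVC.match(body)
        if not a:
            return None
        rec["result"] = a["result"]
        rec["perms"] = set(a["perms"].split())
        body = a["rest"]
    rec["fields"] = parse_fields(body)
    return rec


def correlate(lines):
    """Group records by serial: {serial: {"syscall": rec|None, "avc": [rec, ...]}}."""
    events = defaultdict(lambda: {"syscall": None, "avc": []})
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events[rec["serial"]]
        if rec["type"] == "SYSCALL":
            ev["syscall"] = rec
        elif rec["type"] == "AVC":
            ev["avc"].append(rec)
    return dict(events)


def module_request_denials(lines):
    """One summary per denied module_request, joined with its SYSCALL record."""
    out = []
    for serial, ev in sorted(correlate(lines).items()):
        sc = ev["syscall"]["fields"] if ev["syscall"] else {}
        for avc in ev["avc"]:
            if avc["result"] != "denied" or "module_request" not in avc["perms"]:
                continue
            f = avc["fields"]
            out.append({
                "serial": serial,
                "kmod": f.get("kmod"),           # the field this commit adds
                "pid": int(f["pid"]) if "pid" in f else None,
                "comm": f.get("comm"),
                "exe": sc.get("exe"),            # only the SYSCALL record has exe=
                "scontext": f.get("scontext"),
                "tcontext": f.get("tcontext"),
            })
    return out


if __name__ == "__main__":
    for d in module_request_denials(SAMPLE_RECORDS):
        print(f"{d['scontext']} ({d['exe']}, pid {d['pid']}) asked for module {d['kmod']!r}")
```

Feeding the output of `ausearch -i -m AVC,SYSCALL` through `module_request_denials` gives the (scontext, kmod) pairs a policy author needs to decide whether a domain should be allowed to trigger that module load or whether the request is itself the anomaly.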
09 Nov, 2009
1 commit
-
The LSM currently requires setting a kernel parameter at boot to select
a specific LSM. This adds a config option that allows specifying a default
LSM that is used unless overridden with the security= kernel parameter.
If the config option is not set the current behavior of first LSM
to register is used.
Signed-off-by: John Johansen
Acked-by: Serge Hallyn
Signed-off-by: James Morris
25 Oct, 2009
1 commit
-
Based on discussions on LKML and LSM, where there are consecutive
security_ and ima_ calls in the vfs layer, move the ima_ calls to
the existing security_ hooks.
Signed-off-by: Mimi Zohar
Signed-off-by: James Morris
12 Oct, 2009
2 commits
-
This patch allows pathname based LSM modules to check chroot() operations.
This hook is used by TOMOYO.
Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris
-
This patch allows pathname based LSM modules to check chmod()/chown()
operations. Since notify_change() does not receive "struct vfsmount *",
we add security_path_chmod() and security_path_chown() to the caller of
notify_change().
These hooks are used by TOMOYO.
Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris
10 Sep, 2009
1 commit
-
This patch introduces three new hooks. The inode_getsecctx hook is used to get
all relevant information from an LSM about an inode. The inode_setsecctx is
used to set both the in-core and on-disk state for the inode based on a context
derived from inode_getsecctx. The final hook inode_notifysecctx will notify the
LSM of a change for the in-core state of the inode in question. These hooks are
for use in the labeled NFS code and address concerns of how to set security
on an inode in a multi-xattr LSM. For historical reasons Stephen Smalley's
explanation of the reason for these hooks is pasted below.
Quote Stephen Smalley
inode_setsecctx: Change the security context of an inode. Updates the
in core security context managed by the security module and invokes the
fs code as needed (via __vfs_setxattr_noperm) to update any backing
xattrs that represent the context. Example usage: NFS server invokes
this hook to change the security context in its incore inode and on the
backing file system to a value provided by the client on a SETATTR
operation.
inode_notifysecctx: Notify the security module of what the security
context of an inode should be. Initializes the incore security context
managed by the security module for this inode. Example usage: NFS
client invokes this hook to initialize the security context in its
incore inode to the value provided by the server for the file when the
server returned the file's attributes to the client.
Signed-off-by: David P. Quigley
Acked-by: Serge Hallyn
Signed-off-by: James Morris
02 Sep, 2009
1 commit
-
Add a keyctl to install a process's session keyring onto its parent. This
replaces the parent's session keyring. Because the COW credential code does
not permit one process to change another process's credentials directly, the
change is deferred until userspace next starts executing again. Normally this
will be after a wait*() syscall.
To support this, three new security hooks have been provided:
cred_alloc_blank() to allocate unset security creds, cred_transfer() to fill in
the blank security creds and key_session_to_parent() - which asks the LSM if
the process may replace its parent's session keyring.
The replacement may only happen if the process has the same ownership details
as its parent, and the process has LINK permission on the session keyring, and
the session keyring is owned by the process, and the LSM permits it.
Note that this requires alteration to each architecture's notify_resume path.
This has been done for all arches barring blackfin, m68k* and xtensa, all of
which need assembly alteration to support TIF_NOTIFY_RESUME. This allows the
replacement to be performed at the point the parent process resumes userspace
execution.
This allows the userspace AFS pioctl emulation to fully emulate newpag() and
the VIOCSETTOK and VIOCSETTOK2 pioctls, all of which require the ability to
alter the parent process's PAG membership. However, since kAFS doesn't use
PAGs per se, but rather dumps the keys into the session keyring, the session
keyring of the parent must be replaced if, for example, VIOCSETTOK is passed
the newpag flag.
This can be tested with the following program:
#include <stdio.h>
#include <stdlib.h>
#include <keyutils.h>

#define KEYCTL_SESSION_TO_PARENT 18
#define OSERROR(X, S) do { if ((long)(X) == -1) { perror(S); exit(1); } } while(0)

int main(int argc, char **argv)
{
	key_serial_t keyring, key;
	long ret;

	/* join (or create) the session keyring named by argv[1]; NULL gives an anonymous one */
	keyring = keyctl_join_session_keyring(argv[1]);
	OSERROR(keyring, "keyctl_join_session_keyring");

	key = add_key("user", "a", "b", 1, keyring);
	OSERROR(key, "add_key");

	ret = keyctl(KEYCTL_SESSION_TO_PARENT);
	OSERROR(ret, "KEYCTL_SESSION_TO_PARENT");
	return 0;
}
Compiled and linked with -lkeyutils, you should see something like:
[dhowells@andromeda ~]$ keyctl show
Session Keyring
-3 --alswrv 4043 4043 keyring: _ses
355907932 --alswrv 4043 -1 \_ keyring: _uid.4043
[dhowells@andromeda ~]$ /tmp/newpag
[dhowells@andromeda ~]$ keyctl show
Session Keyring
-3 --alswrv 4043 4043 keyring: _ses
1055658746 --alswrv 4043 4043 \_ user: a
[dhowells@andromeda ~]$ /tmp/newpag hello
[dhowells@andromeda ~]$ keyctl show
Session Keyring
-3 --alswrv 4043 4043 keyring: hello
340417692 --alswrv 4043 4043 \_ user: a
Where the test program creates a new session keyring, sticks a user key named
'a' into it and then installs it on its parent.
Signed-off-by: David Howells
Signed-off-by: James Morris
01 Sep, 2009
1 commit
-
The TUN driver lacks any LSM hooks which makes it difficult for LSM modules,
such as SELinux, to enforce access controls on network traffic generated by
TUN users; this is particularly problematic for virtualization apps such as
QEMU and KVM. This patch adds three new LSM hooks designed to control the
creation and attachment of TUN devices, the hooks are:
* security_tun_dev_create()
  Provides access control for the creation of new TUN devices
* security_tun_dev_post_create()
  Provides the ability to create the necessary socket LSM state for newly
  created TUN devices
* security_tun_dev_attach()
  Provides access control for attaching to existing, persistent TUN devices
  and the ability to update the TUN device's socket LSM state as necessary
Signed-off-by: Paul Moore
Acked-by: Eric Paris
Acked-by: Serge Hallyn
Acked-by: David S. Miller
Signed-off-by: James Morris
14 Aug, 2009
1 commit
-
Calling request_module() will trigger a userspace upcall which will load a
new module into the kernel. This can be a dangerous event if the process
able to trigger request_module() is able to control either the modprobe
binary or the module binary. This patch adds a new security hook to
request_module() which can be used by an LSM to control a process's ability
to call request_module().
Signed-off-by: Eric Paris
Acked-by: Serge Hallyn
Signed-off-by: James Morris
24 Jun, 2009
1 commit
-
The ->ptrace_may_access() methods are named confusingly - the real
ptrace_may_access() returns a bool, while these security checks have
a retval convention.
Rename it to ptrace_access_check, to reduce the confusion factor.
[ Impact: cleanup, no code changed ]
Signed-off-by: Ingo Molnar
Signed-off-by: James Morris
04 Jun, 2009
1 commit
-
This patch removes the dependency of mmap_min_addr on CONFIG_SECURITY.
It also sets a default mmap_min_addr of 4096.
mmapping of addresses below 4096 will only be possible for processes
with CAP_SYS_RAWIO.
Signed-off-by: Christoph Lameter
Acked-by: Eric Paris
Looks-ok-by: Linus Torvalds
Signed-off-by: James Morris
03 Apr, 2009
1 commit
-
Export a number of functions for CacheFiles's use.
Signed-off-by: David Howells
Acked-by: Steve Dickson
Acked-by: Trond Myklebust
Acked-by: Rik van Riel
Acked-by: Al Viro
Tested-by: Daire Byrne
28 Mar, 2009
1 commit
-
The socket_post_accept() hook is not currently used by any in-tree modules
and its existence continues to cause problems by confusing people about
what can be safely accomplished using this hook. If a legitimate need for
this hook arises in the future it can always be reintroduced.
Signed-off-by: Paul Moore
Signed-off-by: James Morris