18 Apr, 2012
1 commit
-
A kernel with Smack enabled will fail if tmpfs has xattr support.
Move the initialization of predefined Smack label
list entries to the LSM initialization from the
smackfs setup. This became an issue when tmpfs
acquired xattr support, but was never correct.Signed-off-by: Casey Schaufler
Signed-off-by: James Morris
11 Apr, 2012
1 commit
-
This fixes builds where CONFIG_AUDIT is not defined and
CONFIG_SECURITY_SMACK=y.This got introduced by the stack-usage reducation commit 48c62af68a40
("LSM: shrink the common_audit_data data union").Signed-off-by: Kees Cook
Acked-by: Eric Paris
Signed-off-by: Linus Torvalds
04 Apr, 2012
3 commits
-
It just bloats the audit data structure for no good reason, since the
only time those fields are filled are just before calling the
common_lsm_audit() function, which is also the only user of those
fields.So just make them be the arguments to common_lsm_audit(), rather than
bloating that structure that is passed around everywhere, and is
initialized in hot paths.Signed-off-by: Linus Torvalds
-
After shrinking the common_audit_data stack usage for private LSM data I'm
not going to shrink the data union. To do this I'm going to move anything
larger than 2 void * ptrs to it's own structure and require it to be declared
separately on the calling stack. Thus hot paths which don't need more than
a couple pointer don't have to declare space to hold large unneeded
structures. I could get this down to one void * by dealing with the key
struct and the struct path. We'll see if that is helpful after taking care of
networking.Signed-off-by: Eric Paris
Signed-off-by: Linus Torvalds -
Linus found that the gigantic size of the common audit data caused a big
perf hit on something as simple as running stat() in a loop. This patch
requires LSMs to declare the LSM specific portion separately rather than
doing it in a union. Thus each LSM can be responsible for shrinking their
portion and don't have to pay a penalty just because other LSMs have a
bigger space requirement.Signed-off-by: Eric Paris
Signed-off-by: Linus Torvalds
14 Feb, 2012
1 commit
-
Trim security.h
Signed-off-by: Al Viro
Signed-off-by: James Morris
07 Jan, 2012
1 commit
-
Signed-off-by: Al Viro
12 Nov, 2011
1 commit
-
Commit 272cd7a8c67dd40a31ecff76a503bbb84707f757 introduced
a change to the way rule lists are handled and reported in
the smackfs filesystem. One of the issues addressed had to
do with the termination of read requests on /smack/load.
This change introduced a error in /smack/cipso, which shares
some of the same list processing code.This patch updates all the file access list handling in
smackfs to use the code introduced for /smack/load.Signed-off-by: Casey Schaufler
21 Oct, 2011
1 commit
-
Allow query access as a normal user removing the need
for CAP_MAC_ADMIN. Give RW access to /smack/access
for UGO. Do not import smack labels in access check.Signed-off-by: Jarkko Sakkinen
Signed-off-by: Casey Schaufler
19 Oct, 2011
1 commit
-
Forgot to update simple_transaction_set() to take terminator
character into account.Signed-off-by: Jarkko Sakkinen
Signed-off-by: Casey Schaufler
14 Oct, 2011
1 commit
-
On some build configurations PER_CLEAR_ON_SETID symbol was not
found when compiling smack_lsm.c. This patch fixes the issue by
explicitly doing #include .Signed-off-by: Jarkko Sakkinen
Signed-off-by: Casey Schaufler
13 Oct, 2011
7 commits
-
Small fix for the output of access SmackFS file. Use string
is instead of byte. Makes it easier to extend API if it is
needed.Signed-off-by: Jarkko Sakkinen
-
Protections for domain transition:
- BPRM unsafe flags
- Secureexec
- Clear unsafe personality bits.
- Clear parent death signalSigned-off-by: Jarkko Sakkinen
-
This patch is targeted for the smack-next tree.
This patch takes advantage of the recent changes for performance
and points the packet labels on UDS connect at the output label of
the far side. This makes getsockopt(...SO_PEERCRED...) function
properly. Without this change the getsockopt does not provide any
information.Signed-off-by: Casey Schaufler
-
There are a number of comments in the Smack code that
are either malformed or include code. This patch cleans
them up.Signed-off-by: Casey Schaufler
-
Al Viro pointed out that the processing of fcntl done
by Smack appeared poorly designed. He was right. There
are three things that required change. Most obviously,
the list of commands that really imply writing is limited
to those involving file locking and signal handling.
The initialization if the file security blob was
incomplete, requiring use of a heretofore unused LSM hook.
Finally, the audit information coming from a helper
masked the identity of the LSM hook. This patch corrects
all three of these defects.This is targeted for the smack-next tree pending comments.
Signed-off-by: Casey Schaufler
-
This patch is targeted for the smack-next tree.
Smack access checks suffer from two significant performance
issues. In cases where there are large numbers of rules the
search of the single list of rules is wasteful. Comparing the
string values of the smack labels is less efficient than a
numeric comparison would.These changes take advantage of the Smack label list, which
maintains the mapping of Smack labels to secids and optional
CIPSO labels. Because the labels are kept perpetually, an
access check can be done strictly based on the address of the
label in the list without ever looking at the label itself.
Rather than keeping one global list of rules the rules with
a particular subject label can be based off of that label
list entry. The access check need never look at entries that
do not use the current subject label.This requires that packets coming off the network with
CIPSO direct Smack labels that have never been seen before
be treated carefully. The only case where they could be
delivered is where the receiving socket has an IPIN star
label, so that case is explicitly addressed.On a system with 39,800 rules (200 labels in all permutations)
a system with this patch runs an access speed test in 5% of
the time of the old version. That should be a best case
improvement. If all of the rules are associated with the
same subject label and all of the accesses are for processes
with that label (unlikely) the improvement is about 30%.Signed-off-by: Casey Schaufler
-
Adds a new file into SmackFS called 'access'. Wanted
Smack permission is written into /smack/access.
After that result can be read from the opened file.
If access applies result contains 1 and otherwise
0. File access is protected from race conditions
by using simple_transaction_get()/set() API.Fixes from the previous version:
- Removed smack.h changes, refactoring left-over
from previous version.
- Removed #include , refactoring
left-over from previous version.Signed-off-by: Jarkko Sakkinen
Signed-off-by: Casey Schaufler
02 Aug, 2011
1 commit
-
My @hp.com will no longer be valid starting August 5, 2011 so an update is
necessary. My new email address is employer independent so we don't have
to worry about doing this again any time soon.Signed-off-by: Paul Moore
Signed-off-by: Paul Moore
Signed-off-by: David S. Miller
20 Jul, 2011
1 commit
-
pass that via mask instead.
Signed-off-by: Al Viro
24 May, 2011
1 commit
-
Conflicts:
lib/flex_array.c
security/selinux/avc.c
security/selinux/hooks.c
security/selinux/ss/policydb.c
security/smack/smack_lsm.cManually resolve conflicts.
Signed-off-by: James Morris
26 Apr, 2011
3 commits
-
smack_file_lock has a struct path, so use that instead of only the
dentry.Signed-off-by: Eric Paris
Acked-by: Casey Schaufler -
This patch separates and audit message that only contains a dentry from
one that contains a full path. This allows us to make it harder to
misuse the interfaces or for the interfaces to be implemented wrong.Signed-off-by: Eric Paris
Acked-by: Casey Schaufler -
The lsm common audit code has wacky contortions making sure which pieces
of information are set based on if it was given a path, dentry, or
inode. Split this into path and inode to get rid of some of the code
complexity.Signed-off-by: Eric Paris
Acked-by: Casey Schaufler
25 Apr, 2011
1 commit
-
Right now all RCU walks fall back to reference walk when CONFIG_SECURITY
is enabled, even though just the standard capability module is active.
This is because security_inode_exec_permission unconditionally fails
RCU walks.Move this decision to the low level security module. This requires
passing the RCU flags down the security hook. This way at least
the capability module and a few easy cases in selinux/smack work
with RCU walks with CONFIG_SECURITY=ySigned-off-by: Andi Kleen
Signed-off-by: Eric Paris
23 Apr, 2011
1 commit
-
Right now all RCU walks fall back to reference walk when CONFIG_SECURITY
is enabled, even though just the standard capability module is active.
This is because security_inode_exec_permission unconditionally fails
RCU walks.Move this decision to the low level security module. This requires
passing the RCU flags down the security hook. This way at least
the capability module and a few easy cases in selinux/smack work
with RCU walks with CONFIG_SECURITY=ySigned-off-by: Andi Kleen
Acked-by: Eric Paris
Signed-off-by: Linus Torvalds
31 Mar, 2011
1 commit
-
Fixes generated by 'codespell' and manually reviewed.
Signed-off-by: Lucas De Marchi
08 Mar, 2011
1 commit
10 Feb, 2011
2 commits
-
The mmap policy enforcement checks the access of the
SMACK64MMAP subject against the current subject incorrectly.
The check as written works correctly only if the access
rules involved have the same access. This is the common
case, so initial testing did not find a problem.Signed-off-by: Casey Schaufler
-
Kill unused macros of SMACK_LIST_MAX, MAY_ANY and MAY_ANYWRITE.
v2: As Casey Schaufler's advice, also remove MAY_ANY.Signed-off-by: Shan Wei
Signed-off-by: Casey Schaufler
09 Feb, 2011
1 commit
-
The mmap policy enforcement was not properly handling the
interaction between the global and local rule lists.
Instead of going through one and then the other, which
missed the important case where a rule specified that
there should be no access, combine the access limitations
where there is a rule in each list.Signed-off-by: Casey Schaufler
Signed-off-by: James Morris
02 Feb, 2011
1 commit
-
SELinux would like to implement a new labeling behavior of newly created
inodes. We currently label new inodes based on the parent and the creating
process. This new behavior would also take into account the name of the
new object when deciding the new label. This is not the (supposed) full path,
just the last component of the path.This is very useful because creating /etc/shadow is different than creating
/etc/passwd but the kernel hooks are unable to differentiate these
operations. We currently require that userspace realize it is doing some
difficult operation like that and than userspace jumps through SELinux hoops
to get things set up correctly. This patch does not implement new
behavior, that is obviously contained in a seperate SELinux patch, but it
does pass the needed name down to the correct LSM hook. If no such name
exists it is fine to pass NULL.Signed-off-by: Eric Paris
18 Jan, 2011
1 commit
-
In the embedded world there are often situations
where libraries are updated from a variety of sources,
for a variety of reasons, and with any number of
security characteristics. These differences
might include privilege required for a given library
provided interface to function properly, as occurs
from time to time in graphics libraries. There are
also cases where it is important to limit use of
libraries based on the provider of the library and
the security aware application may make choices
based on that criteria.These issues are addressed by providing an additional
Smack label that may optionally be assigned to an object,
the SMACK64MMAP attribute. An mmap operation is allowed
if there is no such attribute.If there is a SMACK64MMAP attribute the mmap is permitted
only if a subject with that label has all of the access
permitted a subject with the current task label.Security aware applications may from time to time
wish to reduce their "privilege" to avoid accidental use
of privilege. One case where this arises is the
environment in which multiple sources provide libraries
to perform the same functions. An application may know
that it should eschew services made available from a
particular vendor, or of a particular version.In support of this a secondary list of Smack rules has
been added that is local to the task. This list is
consulted only in the case where the global list has
approved access. It can only further restrict access.
Unlike the global last, if no entry is found on the
local list access is granted. An application can add
entries to its own list by writing to /smack/load-self.The changes appear large as they involve refactoring
the list handling to accomodate there being more
than one rule list.Signed-off-by: Casey Schaufler
10 Jan, 2011
1 commit
-
Conflicts:
security/smack/smack_lsm.cVerified and added fix by Stephen Rothwell
Ok'd by Casey SchauflerSigned-off-by: James Morris
06 Jan, 2011
1 commit
-
unix_release() can asynchornously set socket->sk to NULL, and
it does so without holding the unix_state_lock() on "other"
during stream connects.However, the reverse mapping, sk->sk_socket, is only transitioned
to NULL under the unix_state_lock().Therefore make the security hooks follow the reverse mapping instead
of the forward mapping.Reported-by: Jeremy Fitzhardinge
Reported-by: Linus Torvalds
Signed-off-by: David S. Miller
08 Dec, 2010
1 commit
-
In a situation where Smack access rules allow processes
with multiple labels to write to a directory it is easy
to get into a situation where the directory gets cluttered
with files that the owner can't deal with because while
they could be written to the directory a process at the
label of the directory can't write them. This is generally
the desired behavior, but when it isn't it is a real
issue.This patch introduces a new attribute SMACK64TRANSMUTE that
instructs Smack to create the file with the label of the directory
under certain circumstances.A new access mode, "t" for transmute, is made available to
Smack access rules, which are expanded from "rwxa" to "rwxat".
If a file is created in a directory marked as transmutable
and if access was granted to perform the operation by a rule
that included the transmute mode, then the file gets the
Smack label of the directory instead of the Smack label of the
creating process.Note that this is equivalent to creating an empty file at the
label of the directory and then having the other process write
to it. The transmute scheme requires that both the access rule
allows transmutation and that the directory be explicitly marked.Signed-off-by: Jarkko Sakkinen
Signed-off-by: Casey Schaufler
02 Dec, 2010
1 commit
-
SMACK64EXEC. It defines label that is used while task is
running.Exception: in smack_task_wait() child task is checked
for write access to parent task using label inherited
from the task that forked it.Fixed issues from previous submit:
- SMACK64EXEC was not read when SMACK64 was not set.
- inode security blob was not updated after setting
SMACK64EXEC
- inode security blob was not updated when removing
SMACK64EXEC
29 Nov, 2010
1 commit
-
This patch addresses a number of long standing issues
with the way Smack treats UNIX domain sockets.All access control was being done based on the label of
the file system object. This is inconsistant with the
internet domain, in which access is done based on the
IPIN and IPOUT attributes of the socket. As a result
of the inode label policy it was not possible to use
a UDS socket for label cognizant services, including
dbus and the X11 server.Support for SCM_PEERSEC on UDS sockets is also provided.
Signed-off-by: Casey Schaufler
Signed-off-by: James Morris
16 Nov, 2010
1 commit
-
The addition of CONFIG_SECURITY_DMESG_RESTRICT resulted in a build
failure when CONFIG_PRINTK=n. This is because the capabilities code
which used the new option was built even though the variable in question
didn't exist.The patch here fixes this by moving the capabilities checks out of the
LSM and into the caller. All (known) LSMs should have been calling the
capabilities hook already so it actually makes the code organization
better to eliminate the hook altogether.Signed-off-by: Eric Paris
Acked-by: James Morris
Signed-off-by: Linus Torvalds
29 Oct, 2010
1 commit
-
Signed-off-by: Al Viro