11 Nov, 2015

1 commit

  • Pull networking fixes from David Miller:

    1) Fix null deref in xt_TEE netfilter module, from Eric Dumazet.

    2) Several spots need to get to the original listener for SYN-ACK
    packets, most spots got this ok but some were not. Whilst covering
    the remaining cases, create a helper to do this. From Eric Dumazet.

    3) Missing check of return value from alloc_netdev() in CAIF SPI code,
    from Rasmus Villemoes.

    4) Don't sleep while != TASK_RUNNING in macvtap, from Vlad Yasevich.

    5) Use after free in mvneta driver, from Justin Maggard.

    6) Fix race on dst->flags access in dst_release(), from Eric Dumazet.

    7) Add missing ZLIB_INFLATE dependency for new qed driver. From Arnd
    Bergmann.

    8) Fix multicast getsockopt deadlock, from WANG Cong.

    9) Fix deadlock in btusb, from Kuba Pawlak.

    10) Some ipv6_add_dev() failure paths were not cleaning up the SNMP6
    counter state. From Sabrina Dubroca.

    11) Fix packet_bind() race, which can cause lost notifications, from
    Francesco Ruggeri.

    12) Fix MAC restoration in qlcnic driver during bonding mode changes,
    from Jarod Wilson.

    13) Revert bridging forward delay change which broke libvirt and other
    userspace things, from Vlad Yasevich.

    * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (65 commits)
    Revert "bridge: Allow forward delay to be cfgd when STP enabled"
    bpf_trace: Make dependent on PERF_EVENTS
    qed: select ZLIB_INFLATE
    net: fix a race in dst_release()
    net: mvneta: Fix memory use after free.
    net: Documentation: Fix default value tcp_limit_output_bytes
    macvtap: Resolve possible __might_sleep warning in macvtap_do_read()
    mvneta: add FIXED_PHY dependency
    net: caif: check return value of alloc_netdev
    net: hisilicon: NET_VENDOR_HISILICON should depend on HAS_DMA
    drivers: net: xgene: fix RGMII 10/100Mb mode
    netfilter: nft_meta: use skb_to_full_sk() helper
    net_sched: em_meta: use skb_to_full_sk() helper
    sched: cls_flow: use skb_to_full_sk() helper
    netfilter: xt_owner: use skb_to_full_sk() helper
    smack: use skb_to_full_sk() helper
    net: add skb_to_full_sk() helper and use it in selinux_netlbl_skbuff_setsid()
    bpf: doc: correct arch list for supported eBPF JIT
    dwc_eth_qos: Delete an unnecessary check before the function call "of_node_put"
    bonding: fix panic on non-ARPHRD_ETHER enslave failure
    ...

    Linus Torvalds
     

09 Nov, 2015

2 commits


07 Nov, 2015

1 commit

  • __GFP_WAIT was used to signal that the caller was in atomic context and
    could not sleep. Now it is possible to distinguish between true atomic
    context and callers that are not willing to sleep. The latter should
    clear __GFP_DIRECT_RECLAIM so kswapd will still wake. As clearing
    __GFP_WAIT behaves differently, there is a risk that people will clear the
    wrong flags. This patch renames __GFP_WAIT to __GFP_RECLAIM to clearly
    indicate what it does -- setting it allows all reclaim activity, clearing
    them prevents it.

    [akpm@linux-foundation.org: fix build]
    [akpm@linux-foundation.org: coding-style fixes]
    Signed-off-by: Mel Gorman
    Acked-by: Michal Hocko
    Acked-by: Vlastimil Babka
    Acked-by: Johannes Weiner
    Cc: Christoph Lameter
    Acked-by: David Rientjes
    Cc: Vitaly Wool
    Cc: Rik van Riel
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Mel Gorman
     

06 Nov, 2015

2 commits

  • Pull security subsystem update from James Morris:
    "This is mostly maintenance updates across the subsystem, with a
    notable update for TPM 2.0, and addition of Jarkko Sakkinen as a
    maintainer of that"

    * 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (40 commits)
    apparmor: clarify CRYPTO dependency
    selinux: Use a kmem_cache for allocation struct file_security_struct
    selinux: ioctl_has_perm should be static
    selinux: use sprintf return value
    selinux: use kstrdup() in security_get_bools()
    selinux: use kmemdup in security_sid_to_context_core()
    selinux: remove pointless cast in selinux_inode_setsecurity()
    selinux: introduce security_context_str_to_sid
    selinux: do not check open perm on ftruncate call
    selinux: change CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE default
    KEYS: Merge the type-specific data with the payload data
    KEYS: Provide a script to extract a module signature
    KEYS: Provide a script to extract the sys cert list from a vmlinux file
    keys: Be more consistent in selection of union members used
    certs: add .gitignore to stop git nagging about x509_certificate_list
    KEYS: use kvfree() in add_key
    Smack: limited capability for changing process label
    TPM: remove unnecessary little endian conversion
    vTPM: support little endian guests
    char: Drop owner assignment from i2c_driver
    ...

    Linus Torvalds
     
  • In commit e446f9dfe17b ("net: synack packets can be attached to request
    sockets"), I missed one remaining case of invalid skb->sk->sk_security
    access.

    Dmitry Vyukov got a KASan report pointing to it.

    Add selinux_skb_sk() helper that is responsible to get back to the
    listener if skb is attached to a request socket, instead of
    duplicating the logic.

    Fixes: ca6fb0651883 ("tcp: attach SYNACK messages to request sockets instead of listener")
    Signed-off-by: Eric Dumazet
    Reported-by: Dmitry Vyukov
    Cc: Paul Moore
    Signed-off-by: David S. Miller

    Eric Dumazet
     

01 Nov, 2015

1 commit


23 Oct, 2015

1 commit


22 Oct, 2015

11 commits

  • James Morris
     
  • The crypto framework can be built as a loadable module, but the
    apparmor hash code can only be built-in, which then causes a
    link error:

    security/built-in.o: In function `aa_calc_profile_hash':
    integrity_audit.c:(.text+0x21610): undefined reference to `crypto_shash_update'
    security/built-in.o: In function `init_profile_hash':
    integrity_audit.c:(.init.text+0xb4c): undefined reference to `crypto_alloc_shash'

    This changes Apparmor to use 'select CRYPTO' like a lot of other
    subsystems do.

    Signed-off-by: Arnd Bergmann
    Acked-by: John Johansen
    Signed-off-by: James Morris

    Arnd Bergmann
     
  • The size of struct file_security_struct is 16 bytes in my setup.
    But the real allocation size for each file_security_struct
    is 64 bytes in my setup, since the kmalloc min size is 64 bytes
    because ARCH_DMA_MINALIGN is 64.

    This allocation is made every time at file allocation (alloc_file()).
    So the total slack memory size (allocated size - request size)
    is increased exponentially.

    E.g.) Min Kmalloc Size: 64 bytes, Unit: bytes
    Allocated Size | Request Size | Slack Size | Allocation Count
    ---------------------------------------------------------------
    770048 | 192512 | 577536 | 12032

    As a result, this change reduces memory usage by 42 bytes per
    file_security_struct.

    Signed-off-by: Sangwoo
    Acked-by: Stephen Smalley
    [PM: removed extra subject prefix]
    Signed-off-by: Paul Moore

    Sangwoo
     
  • Fixes the following sparse warning:

    security/selinux/hooks.c:3242:5: warning: symbol 'ioctl_has_perm' was
    not declared. Should it be static?

    Signed-off-by: Geliang Tang
    Acked-by: Jeff Vander Stoep
    Acked-by: Stephen Smalley
    Signed-off-by: Paul Moore

    Geliang Tang
     
  • sprintf returns the number of characters printed (excluding '\0'), so
    we can use that and avoid duplicating the length computation.

    Signed-off-by: Rasmus Villemoes
    Acked-by: Stephen Smalley
    Signed-off-by: Paul Moore

    Rasmus Villemoes
     
  • This is much simpler.

    Signed-off-by: Rasmus Villemoes
    Acked-by: Stephen Smalley
    Signed-off-by: Paul Moore

    Rasmus Villemoes
     
  • Signed-off-by: Rasmus Villemoes
    Acked-by: Stephen Smalley
    Signed-off-by: Paul Moore

    Rasmus Villemoes
     
  • security_context_to_sid() expects a const char* argument, so there's
    no point in casting away the const qualifier of value.

    Signed-off-by: Rasmus Villemoes
    Acked-by: Stephen Smalley
    Signed-off-by: Paul Moore

    Rasmus Villemoes
     
  • There seems to be a little confusion as to whether the scontext_len
    parameter of security_context_to_sid() includes the nul-byte or
    not. Reading security_context_to_sid_core(), it seems that the
    expectation is that it does not (both the string copying and the test
    for scontext_len being zero hint at that).

    Introduce the helper security_context_str_to_sid() to do the strlen()
    call and fix all callers.

    Signed-off-by: Rasmus Villemoes
    Acked-by: Stephen Smalley
    Signed-off-by: Paul Moore

    Rasmus Villemoes
     
  • Use the ATTR_FILE attribute to distinguish between truncate()
    and ftruncate() system calls. The two other cases where
    do_truncate is called with a filp (and therefore ATTR_FILE is set)
    are for coredump files and for open(O_TRUNC). In both of those cases
    the open permission has already been checked during file open and
    therefore does not need to be repeated.

    Commit 95dbf739313f ("SELinux: check OPEN on truncate calls")
    fixed a major issue where domains were allowed to truncate files
    without the open permission. However, it introduced a new bug where
    a domain with the write permission can no longer ftruncate files
    without the open permission, even when they receive an already open
    file.

    Signed-off-by: Jeff Vander Stoep
    Acked-by: Stephen Smalley
    Signed-off-by: Paul Moore

    Jeff Vander Stoep
     
  • Change the SELinux checkreqprot default value to 0 so that SELinux
    performs access control checking on the actual memory protections
    used by the kernel and not those requested by the application.

    Signed-off-by: Paul Moore

    Paul Moore
     

21 Oct, 2015

4 commits


20 Oct, 2015

2 commits

  • James Morris
     
  • This feature introduces a new kernel interface:

    - /relabel-self - for setting the transition labels list

    This list is used to control the Smack label transition mechanism.
    The list is set by, and per, process. A process can transit to a new label only if
    the label is on the list. Only a process with the CAP_MAC_ADMIN capability can add
    labels to this list. With this list, a process can change its label without
    CAP_MAC_ADMIN, but only once. After changing the label, the list is unset.

    Changes in v2:
    * use list_for_each_entry instead of _rcu during label write
    * added missing description in security/Smack.txt

    Changes in v3:
    * squashed into one commit

    Changes in v4:
    * switch from global list to per-task list
    * since the per-task list is accessed only by the task itself
    there is no need to use synchronization mechanisms on it

    Changes in v5:
    * change smackfs interface of relabel-self to the one used for onlycap
    multiple labels are accepted, separated by space, which
    replace the previous list upon write

    Signed-off-by: Zbigniew Jasinski
    Signed-off-by: Rafal Krypa
    Acked-by: Casey Schaufler

    Zbigniew Jasinski
     

19 Oct, 2015

3 commits

  • If request_key() is used to find a keyring, only do the search part - don't
    do the construction part if the keyring was not found by the search. We
    don't really want keyrings in the negative instantiated state since the
    rejected/negative instantiation error value in the payload is unioned with
    keyring metadata.

    Now the kernel gives an error:

    request_key("keyring", "#selinux,bdekeyring", "keyring", KEY_SPEC_USER_SESSION_KEYRING) = -1 EPERM (Operation not permitted)

    Signed-off-by: David Howells

    David Howells
     
  • Call tpm_seal_trusted() and tpm_unseal_trusted() for TPM 2.0 chips.
    We require an explicit 'keyhandle=' option because there's no fixed
    storage root key inside TPM2 chips.

    Signed-off-by: Jarkko Sakkinen
    Reviewed-by: Andreas Fuchs
    Tested-by: Mimi Zohar (on TPM 1.2)
    Tested-by: Chris J Arges
    Tested-by: Colin Ian King
    Tested-by: Kevin Strasser
    Signed-off-by: Peter Huewe

    Jarkko Sakkinen
     
  • Moved struct trusted_key_options to trusted-type.h so that the fields
    can be accessed from drivers/char/tpm.

    Signed-off-by: Jarkko Sakkinen
    Signed-off-by: Peter Huewe

    Jarkko Sakkinen
     

17 Oct, 2015

2 commits


16 Oct, 2015

1 commit

  • The following sequence of commands:

    i=`keyctl add user a a @s`
    keyctl request2 keyring foo bar @t
    keyctl unlink $i @s

    tries to invoke an upcall to instantiate a keyring if one doesn't already
    exist by that name within the user's keyring set. However, if the upcall
    fails, the code sets keyring->type_data.reject_error to -ENOKEY or some
    other error code. When the key is garbage collected, the key destroy
    function is called unconditionally and keyring_destroy() uses list_empty()
    on keyring->type_data.link - which is in a union with reject_error.
    Subsequently, the kernel tries to unlink the keyring from the keyring names
    list - which oopses like this:

    BUG: unable to handle kernel paging request at 00000000ffffff8a
    IP: [] keyring_destroy+0x3d/0x88
    ...
    Workqueue: events key_garbage_collector
    ...
    RIP: 0010:[] keyring_destroy+0x3d/0x88
    RSP: 0018:ffff88003e2f3d30 EFLAGS: 00010203
    RAX: 00000000ffffff82 RBX: ffff88003bf1a900 RCX: 0000000000000000
    RDX: 0000000000000000 RSI: 000000003bfc6901 RDI: ffffffff81a73a40
    RBP: ffff88003e2f3d38 R08: 0000000000000152 R09: 0000000000000000
    R10: ffff88003e2f3c18 R11: 000000000000865b R12: ffff88003bf1a900
    R13: 0000000000000000 R14: ffff88003bf1a908 R15: ffff88003e2f4000
    ...
    CR2: 00000000ffffff8a CR3: 000000003e3ec000 CR4: 00000000000006f0
    ...
    Call Trace:
    [] key_gc_unused_keys.constprop.1+0x5d/0x10f
    [] key_garbage_collector+0x1fa/0x351
    [] process_one_work+0x28e/0x547
    [] worker_thread+0x26e/0x361
    [] ? rescuer_thread+0x2a8/0x2a8
    [] kthread+0xf3/0xfb
    [] ? kthread_create_on_node+0x1c2/0x1c2
    [] ret_from_fork+0x3f/0x70
    [] ? kthread_create_on_node+0x1c2/0x1c2

    Note the value in RAX. This is a 32-bit representation of -ENOKEY.

    The solution is to only call ->destroy() if the key was successfully
    instantiated.

    Reported-by: Dmitry Vyukov
    Signed-off-by: David Howells
    Tested-by: Dmitry Vyukov

    David Howells
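The crash above comes from reading one union member (type_data.link) after a different one (type_data.reject_error) was written. The following toy model, added here and not part of the commit or the kernel's own code, reproduces that mechanism in userspace: a failed instantiation stores a negative errno in the union, an unconditional destroy path then asks list_empty() on the overlapping list_head and is told the key is linked, while the fixed path consults an instantiated flag first. The struct, list helpers and the ENOKEY value (126, as on Linux) are assumptions of the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Toy model of the aliasing described in the commit message. Added example
 * code, not the kernel's struct key or list implementation; field names
 * mirror the ones the message quotes (type_data.link / type_data.reject_error).
 * ENOKEY is assumed to be 126, its value on Linux. */
#define ENOKEY 126

struct list_head { struct list_head *next, *prev; };

static void list_init(struct list_head *l) { l->next = l->prev = l; }
static bool list_empty(const struct list_head *l) { return l->next == l; }

static void list_add(struct list_head *n, struct list_head *head)
{
    n->next = head->next;
    n->prev = head;
    head->next->prev = n;
    head->next = n;
}

static void list_del(struct list_head *n)
{
    n->prev->next = n->next;
    n->next->prev = n->prev;
    n->next = n->prev = n;
}

struct toy_key {
    bool instantiated;            /* true only after a successful instantiation */
    union {
        struct list_head link;    /* membership in the keyring names list */
        int reject_error;         /* negative errno of a failed/negative key */
    } type_data;
};

/* Toy equivalent of the keyring names list that keyring_destroy() unlinks from. */
static struct list_head names_list = { &names_list, &names_list };

/* Upcall succeeded: the key is linked into the names list. */
static void instantiate_ok(struct toy_key *k)
{
    memset(k, 0, sizeof *k);
    list_init(&k->type_data.link);
    list_add(&k->type_data.link, &names_list);
    k->instantiated = true;
}

/* Upcall failed: the error code lands in the bytes that link.next occupies. */
static void instantiate_fail(struct toy_key *k, int err)
{
    memset(k, 0, sizeof *k);
    k->type_data.reject_error = err;
    k->instantiated = false;
}

/* The leading bytes of the union read back as an int: the stored errno,
 * which is what a destroy path would otherwise treat as a list pointer. */
static int aliased_error(const struct toy_key *k)
{
    int v;
    memcpy(&v, &k->type_data, sizeof v);
    return v;
}

/* Pre-fix behaviour: destroy runs unconditionally and asks list_empty(),
 * which only compares link.next with the node's own address. A stored errno
 * never equals that address, so the list looks non-empty and the code would
 * go on to dereference the bogus pointer (the oops quoted above). */
static bool buggy_destroy_would_unlink(const struct toy_key *k)
{
    return !list_empty(&k->type_data.link);
}

/* Fixed behaviour: only touch the list member when the key was
 * instantiated, i.e. when link (not reject_error) is the live member. */
static bool safe_destroy(struct toy_key *k)
{
    if (!k->instantiated)
        return false;             /* nothing was ever linked */
    list_del(&k->type_data.link);
    return true;
}
```

The general lesson is the one the fix encodes: when a union carries state that depends on an object's lifecycle, every reader must check the lifecycle flag (here, whether the key was instantiated) before interpreting the bytes, because a sentinel-based test such as list_empty() cannot tell a pointer from an error code.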
     

11 Oct, 2015

1 commit

  • selinux needs a few changes to accommodate the fact that SYNACK messages
    can be attached to a request socket, lacking an sk_security pointer.

    (Only syncookies are still attached to a TCP_LISTEN socket.)

    Adds a new sk_listener() helper, and uses it in selinux and sch_fq.

    Fixes: ca6fb0651883 ("tcp: attach SYNACK messages to request sockets instead of listener")
    Signed-off-by: Eric Dumazet
    Reported-by: kernel test robot
    Cc: Paul Moore
    Cc: Stephen Smalley
    Cc: Eric Paris
    Acked-by: Paul Moore
    Signed-off-by: David S. Miller

    Eric Dumazet
     

10 Oct, 2015

5 commits

  • This fix writes the task label when smack_d_instantiate is called,
    before the label of the superblock was written on the pipe's inode.

    Signed-off-by: Roman Kubiak
    Acked-by: Casey Schaufler

    Roman Kubiak
     
  • This change has two goals:
    - delay the setting of 'smack_enabled' until
    it will be really effective
    - ensure that smackfs is valid only if 'smack_enabled'
    is set (it is already the case in smack_netfilter.c)

    Signed-off-by: José Bollo
    Acked-by: Casey Schaufler

    José Bollo
     
  • Fixes the following sparse warning:

    security/smack/smack_lsm.c:55:1: warning: symbol 'smk_ipv6_port_list'
    was not declared. Should it be static?

    Signed-off-by: Geliang Tang
    Acked-by: Casey Schaufler

    Geliang Tang
     
  • 'commit e774ad683f42 ("smack: pass error code through pointers")'
    made this function return proper error codes instead of NULL. Reflect that.

    This is a fix for a NULL dereference introduced in
    'commit 21abb1ec414c ("Smack: IPv6 host labeling")'

    echo "$SOME_IPV6_ADDR \"test" > /smack/ipv6host
    (this should return EINVAL, it doesn't)
    cat /smack/ipv6host
    (dereferences 0x000a)

    Signed-off-by: Lukasz Pawelczyk
    Acked-by: Casey Schaufler

    Lukasz Pawelczyk
     
  • If IMA_LOAD_X509 is enabled, either directly or indirectly via
    IMA_APPRAISE_SIGNED_INIT, certificates are loaded onto the IMA
    trusted keyring by the kernel via key_create_or_update(). When
    the KEY_ALLOC_TRUSTED flag is provided, certificates are loaded
    without first verifying the certificate is properly signed by a
    trusted key on the system keyring. This patch removes the
    KEY_ALLOC_TRUSTED flag.

    Signed-off-by: Dmitry Kasatkin
    Cc: # 3.19+
    Signed-off-by: Mimi Zohar

    Dmitry Kasatkin
     

02 Oct, 2015

1 commit


27 Sep, 2015

1 commit


25 Sep, 2015

1 commit

  • There appears to be a race between:

    (1) key_gc_unused_keys() which frees key->security and then calls
    keyring_destroy() to unlink the name from the name list

    (2) find_keyring_by_name() which calls key_permission(), thus accessing
    key->security, on a key before checking to see whether the key usage is 0
    (ie. the key is dead and might be cleaned up).

    Fix this by calling ->destroy() before cleaning up the core key data -
    including key->security.

    Reported-by: Petr Matousek
    Signed-off-by: David Howells

    David Howells