29 Jun, 2011

15 commits

  • To be able to start using enforcing mode from the early stage of boot sequence,
    this patch adds support for activating access control without calling external
    policy loader program. This will be useful for systems where operations which
    can lead to the hijacking of the boot sequence are needed before loading the
    policy. For example, you can activate immediately after loading the fixed part
    of policy which will allow only operations needed for mounting a partition
    which contains the variant part of policy and verifying (e.g. running GPG
    check) and loading the variant part of policy. Since you can start using
    enforcing mode from the beginning, you can reduce the possibility of hijacking
    the boot sequence.

    This patch makes several variables configurable at build time. This patch also
    adds TOMOYO_loader= and TOMOYO_trigger= kernel command line options to boot the
    same kernel in two different init systems (BSD-style init and systemd).

    Signed-off-by: Tetsuo Handa
    Signed-off-by: James Morris

    Tetsuo Handa
     
  • To be able to start using enforcing mode from the early stage of boot sequence,
    this patch adds support for built-in policy configuration (and next patch adds
    support for activating access control without calling external policy loader
    program).

    Signed-off-by: Tetsuo Handa
    Signed-off-by: James Morris

    Tetsuo Handa
     
  • Show statistics such as last policy update time and last policy violation time
    in addition to memory usage.

    Signed-off-by: Tetsuo Handa
    Signed-off-by: James Morris

    Tetsuo Handa
     
  • Gather string constants to one file in order to make the object size smaller.
    Use unsigned type where appropriate.
    read()/write() returns ssize_t.

    Signed-off-by: Tetsuo Handa
    Signed-off-by: James Morris

    Tetsuo Handa
     
  • Currently TOMOYO holds SRCU lock upon open() and releases it upon close()
    because list elements stored in the "struct tomoyo_io_buffer" instances are
    accessed until close() is called. However, such SRCU usage causes lockdep to
    complain about leaving the kernel with SRCU lock held.

    This patch solves the warning by holding/releasing SRCU upon each
    read()/write(). This patch is doing something similar to calling kfree()
    without calling synchronize_srcu(), by selectively deferring kfree() by keeping
    track of the "struct tomoyo_io_buffer" instances.

    Signed-off-by: Tetsuo Handa
    Signed-off-by: James Morris

    Tetsuo Handa
     
  • TOMOYO wants to use /proc/self/ rather than /proc/$PID/ if $PID matches the current
    thread's process ID in order to prevent the current thread from accessing other
    processes' information unless needed.

    But since procfs can be mounted on various locations (e.g. /proc/ /proc2/ /p/
    /tmp/foo/100/p/ ), TOMOYO cannot tell whether the numeric part in the
    string returned by __d_path() represents a process ID or not.

    Therefore, to be able to convert from $PID to self no matter where procfs is
    mounted, this patch changes pathname representations for filesystems which do
    not support rename() operation (e.g. proc, sysfs, securityfs).

    Examples:
    /proc/self/mounts => proc:/self/mounts
    /sys/kernel/security/ => sys:/kernel/security/
    /dev/pts/0 => devpts:/0

    Signed-off-by: Tetsuo Handa
    Signed-off-by: James Morris

    Tetsuo Handa
     
  • Mauras Olivier reported that it is difficult to use TOMOYO in LXC environments,
    for TOMOYO cannot distinguish between environments outside the container and
    environments inside the container since LXC environments are created using
    pivot_root(). To address this problem, this patch introduces policy namespace.

    Each policy namespace has its own set of domain policy, exception policy and
    profiles, which are all independent of other namespaces. This independence
    allows users to develop policy without worrying about interference among namespaces.

    Signed-off-by: Tetsuo Handa
    Signed-off-by: James Morris

    Tetsuo Handa
     
  • ACL group allows the administrator to globally grant not only "file read"
    permission but also other permissions.

    Signed-off-by: Tetsuo Handa
    Signed-off-by: James Morris

    Tetsuo Handa
     
  • Add /sys/kernel/security/tomoyo/audit interface. This interface generates audit
    logs in the form of domain policy so that /usr/sbin/tomoyo-auditd can reuse
    audit logs for appending to /sys/kernel/security/tomoyo/domain_policy
    interface.

    Signed-off-by: Tetsuo Handa
    Signed-off-by: James Morris

    Tetsuo Handa
     
  • Remove global preference from profile structure in order to make code simpler.

    Due to this structure change, printk() warnings upon policy violation are
    temporarily disabled. They will be replaced by
    /sys/kernel/security/tomoyo/audit by next patch.

    Signed-off-by: Tetsuo Handa
    Signed-off-by: James Morris

    Tetsuo Handa
     
  • Convert "allow_..." style directives to "file ..." style directives.
    By converting to the latter style, we can pack policy like
    "file read/write/execute /path/to/file".

    Signed-off-by: Tetsuo Handa
    Signed-off-by: James Morris

    Tetsuo Handa
     
  • Use structure for passing ACL line, in preparation for supporting policy
    namespace and conditional parameters.

    Signed-off-by: Tetsuo Handa
    Signed-off-by: James Morris

    Tetsuo Handa
     
  • Use common structure for ACL with "struct list_head" + "atomic_t".
    Use array/struct where possible.
    Remove is_group from "struct tomoyo_name_union"/"struct tomoyo_number_union".
    Pass "struct file"->private_data rather than "struct file".
    Update some of comments.
    Bring tomoyo_same_acl_head() from common.h to domain.c .
    Bring tomoyo_invalid()/tomoyo_valid() from common.h to util.c .

    Signed-off-by: Tetsuo Handa
    Signed-off-by: James Morris

    Tetsuo Handa
     
  • Update (or temporarily remove) comments.
    Remove or replace some of #define lines.

    Signed-off-by: Tetsuo Handa
    Signed-off-by: James Morris

    Tetsuo Handa
     
  • In order to synchronize with TOMOYO 1.8's syntax,

    (1) Remove special handling for allow_read/write permission.
    (2) Replace deny_rewrite/allow_rewrite permission with allow_append permission.
    (3) Remove file_pattern keyword.
    (4) Remove allow_read permission from exception policy.
    (5) Allow creating domains in enforcing mode without calling supervisor.
    (6) Add permission check for opening directory for reading.
    (7) Add permission check for stat() operation.
    (8) Make "cat < /sys/kernel/security/tomoyo/self_domain" behave as if
    "cat /sys/kernel/security/tomoyo/self_domain".

    Signed-off-by: Tetsuo Handa
    Signed-off-by: James Morris

    Tetsuo Handa
     

27 Jun, 2011

7 commits

  • The function ecryptfs_keyring_auth_tok_for_sig() has been modified in order
    to search keys of both 'user' and 'encrypted' types.

    Signed-off-by: Roberto Sassu
    Acked-by: Gianluca Ramunno
    Acked-by: Tyler Hicks
    Signed-off-by: Mimi Zohar

    Roberto Sassu
     
  • The 'encrypted' key type defines its own payload format which contains a
    randomly generated symmetric key that cannot be used directly to mount
    an eCryptfs filesystem, because it expects an authentication token
    structure.

    This patch introduces the new format 'ecryptfs' that allows storing an
    authentication token structure inside the encrypted key payload containing
    a randomly generated symmetric key, as for the format 'default'.

    More details about the usage of encrypted keys with the eCryptfs
    filesystem can be found in the file 'Documentation/keys-ecryptfs.txt'.

    Signed-off-by: Roberto Sassu
    Acked-by: Gianluca Ramunno
    Acked-by: Tyler Hicks
    Signed-off-by: Mimi Zohar

    Roberto Sassu
     
  • Some eCryptfs specific definitions, such as the current version and the
    authentication token structure, are moved to the new include file
    'include/linux/ecryptfs.h', in order to be available for all kernel
    subsystems.

    Signed-off-by: Roberto Sassu
    Acked-by: Gianluca Ramunno
    Acked-by: Tyler Hicks
    Acked-by: David Howells
    Signed-off-by: Mimi Zohar

    Roberto Sassu
     
  • This patch introduces a new parameter, called 'format', that defines the
    format of data stored by encrypted keys. The 'default' format identifies
    encrypted keys containing only the symmetric key, while other formats can
    be defined to support additional information. The 'format' parameter is
    written in the datablob produced by commands 'keyctl print' or
    'keyctl pipe' and is integrity protected by the HMAC.

    Signed-off-by: Roberto Sassu
    Acked-by: Gianluca Ramunno
    Acked-by: David Howells
    Signed-off-by: Mimi Zohar

    Roberto Sassu
     
  • Some debug messages have been added in the function datablob_parse() in
    order to better identify errors returned when dealing with 'encrypted'
    keys.

    Changelog from version v4:
    - made the debug messages more understandable

    Signed-off-by: Roberto Sassu
    Acked-by: Gianluca Ramunno
    Signed-off-by: Mimi Zohar

    Roberto Sassu
     
  • Valid key type prefixes for the parameter 'key-type' are: 'trusted' and
    'user'.

    Signed-off-by: Roberto Sassu
    Acked-by: Gianluca Ramunno
    Acked-by: David Howells
    Signed-off-by: Mimi Zohar

    Roberto Sassu
     
  • Do not dump the master key if an error is encountered during the request.

    Signed-off-by: Roberto Sassu
    Acked-by: Gianluca Ramunno
    Signed-off-by: Mimi Zohar

    Roberto Sassu
     

14 Jun, 2011

1 commit


09 Jun, 2011

14 commits

  • We recently found that in some configurations SELinux was blocking the ability
    for cgroupfs to be mounted. The reason for this is because cgroupfs creates
    files and directories during the get_sb() call and also uses lookup_one_len()
    during that same get_sb() call. This is a problem since the security
    subsystem cannot initialize the superblock and the inodes in that filesystem
    until after the get_sb() call returns. Thus we leave the inodes in
    an uninitialized state during get_sb(). For the vast majority of filesystems
    this is not an issue, but since cgroupfs uses lookup_one_len() it does
    search permission checks on the directories in the path it walks. Since the
    inode security state is not set up SELinux does these checks as if the inodes
    were 'unlabeled.'

    Many 'normal' userspace processes do not have permission to interact with
    unlabeled inodes. The solution presented here is to do the permission checks
    of path walk and inode creation as the kernel rather than as the task that
    called mount. Since the kernel has permission to read/write/create
    unlabeled inodes the get_sb() call will complete successfully and the SELinux
    code will be able to initialize the superblock and those inodes created during
    the get_sb() call.

    This appears to be the same solution used by other filesystems such as devtmpfs
    to solve the same issue and should thus have no negative impact on other LSMs
    which currently work.

    Signed-off-by: Eric Paris
    Acked-by: Paul Menage
    Signed-off-by: James Morris

    eparis@redhat
     
  • James Morris
     
  • * 'pm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/suspend-2.6:
    PM / Runtime: Fix loops in pm_runtime_clk_notify()
    PM / Intel IOMMU: Fix init_iommu_pm_ops() for CONFIG_PM unset

    Linus Torvalds
     
  • This tries to make the 'struct inode' accesses denser in the data cache
    by moving a commonly accessed field (i_security) closer to other fields
    that are accessed often.

    It also makes 'i_state' just an 'unsigned int' rather than 'unsigned
    long', since we only use a few bits of that field, and moves it next to
    the existing 'i_flags' so that we potentially get better structure
    layout (although depending on config options, i_flags may already have
    packed in the same word as i_lock, so this improves packing only for the
    case of spinlock debugging)

    Our 'struct inode' is still way too big, and we should probably move
    some other fields around too (the acl fields in particular) for better
    data cache access density. Other fields (like the inode hash) are
    likely to be entirely irrelevant under most loads.

    Signed-off-by: Linus Torvalds

    Linus Torvalds
     
  • This is a rather hot function that is called with a potentially NULL
    "struct common_audit_data" pointer argument. And in that case it has to
    provide and initialize its own dummy common_audit_data structure.

    However, all the _common_ cases already pass it a real audit-data
    structure, so that uncommon NULL case not only creates a silly run-time
    test, more importantly it causes that function to have a big stack frame
    for the dummy variable that isn't even used in the common case!

    So get rid of that stupid run-time behavior, and make the (few)
    functions that currently call with a NULL pointer just call a new helper
    function instead (naturally called inode_has_perm_noapd(), since it has
    no adp argument).

    This makes the run-time test be a static code generation issue instead,
    and allows for a much denser stack since none of the common callers need
    the dummy structure. And a denser stack not only means less stack space
    usage, it means better cache behavior. So we have a win-win-win from
    this simplification: less code executed, smaller stack footprint, and
    better cache behavior.

    Signed-off-by: Linus Torvalds

    Linus Torvalds
     
  • * 'usb-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb-2.6: (28 commits)
    MAINTAINERS: add a maintainer to Gadget Framework
    USB: serial: add another 4N-GALAXY.DE PID to ftdi_sio driver
    Revert "USB: option: add ID for ZTE MF 330"
    drivers/usb/host/ohci-pxa27x.c: add missing clk_put
    USB: CONFIG_USB_GADGET_DUALSPEED is not user-configurable
    USB: dummy-hcd needs the has_tt flag
    usb-storage: redo incorrect reads
    usb/renesas_usbhs: free uep on removal
    usb/s3c-hsudc: fix error path
    usb/pxa25x_udc: cleanup the LUBBOCK err path
    usb/mv_udc_core: fix compile
    usb: gadget: include to fix compiling error
    USB: s3c-hsotg: Tone down debugging
    usb: remove bad dput after dentry_unhash
    USB: core: Tolerate protocol stall during hub and port status read
    musb: fix prefetch build failure
    USB: cdc-acm: Adding second ACM channel support for Nokia E7 and C7
    usb-gadget: unlock data->lock mutex on error path in ep_write()
    USB: option Add blacklist for ZTE K3765-Z (19d2:2002)
    option: add Prolink PH300 modem IDs
    ...

    Linus Torvalds
     
  • I'll be continuing the amazing work Dave has
    done with the Gadget Framework.

    Signed-off-by: Felipe Balbi
    Signed-off-by: Greg Kroah-Hartman

    Felipe Balbi
     
  • * 'spi/merge' of git://git.secretlab.ca/git/linux-2.6:
    spi/rtc-m41t93: Use spi_get_drvdata() for SPI devices
    spi/omap2: fix uninitialized variable

    Linus Torvalds
     
  • * git://git.kernel.org/pub/scm/linux/kernel/git/sfrench/cifs-2.6:
    cifs: trivial: add space in fsc error message
    cifs: silence printk when establishing first session on socket
    CIFS ACL support needs CONFIG_KEYS, so depend on it
    possible memory corruption in cifs_parse_mount_options()
    cifs: make CIFS depend on CRYPTO_ECB
    cifs: fix the kernel release version in the default security warning message

    Linus Torvalds
     
  • This is needed to get the following MAINTAINERS patch to apply properly.

    Signed-off-by: Greg Kroah-Hartman

    Greg Kroah-Hartman
     
  • E.g. newer CAN 2.0 A/B USB 2.0 converters report idProduct=f3c2.

    Signed-off-by: Steffen Sledz
    Cc: stable
    Signed-off-by: Greg Kroah-Hartman

    Steffen Sledz
     
  • One new offender detected by the recently increased type checking in
    platform_get_drvdata():

    drivers/rtc/rtc-m41t93.c: In function ‘m41t93_remove’:
    drivers/rtc/rtc-m41t93.c:192: warning: passing argument 1 of ‘platform_get_drvdata’ from incompatible pointer type

    Use spi_get_drvdata() instead of platform_get_drvdata(), cfr. commit
    42fea15d6dc410e62dac6a764142045280624a5b ("spi/rtc-{ds1390,ds3234,m41t94}:
    Use spi_get_drvdata() for SPI devices")

    Signed-off-by: Geert Uytterhoeven
    Signed-off-by: Grant Likely

    Geert Uytterhoeven
     
  • * 'stable/bug.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen:
    xen: off by one errors in multicalls.c
    xen: use the trigger info we already have to choose the irq handler

    Linus Torvalds
     
  • Signed-off-by: Jeff Layton
    Signed-off-by: Steve French

    Jeff Layton
     

08 Jun, 2011

3 commits

  • …l/git/tip/linux-2.6-tip

    * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
    perf: Fix comments in include/linux/perf_event.h
    perf: Comment /proc/sys/kernel/perf_event_paranoid to be part of user ABI
    perf python: Fix argument name list of read_on_cpu()
    perf evlist: Don't die if sample_{id_all|type} is invalid
    perf python: Use exception to propagate errors
    perf evlist: Remove dependency on debug routines
    perf, cgroups: Fix up for new API

    Linus Torvalds
     
  • * 'gpio/merge' of git://git.secretlab.ca/git/linux-2.6:
    gpio/samsung: make Kconfig options def_bool
    gpio/exynos4: Fix incorrect mapping of gpio pull-up macro to register setting
    GPIO: OMAP: add locking around calls to _set_gpio_triggering
    GPIO: OMAP: fix setting IRQWAKEN bits for OMAP4
    GPIO: OMAP: fix section mismatch warnings
    gpio: Fix gpio-exynos4 build fails in mainline

    Linus Torvalds
     
  • * 'v4l_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-2.6:
    [media] soc_camera: preserve const attribute
    [media] uvc_entity: initialize return value
    [media] media: Fix media device minor registration
    [media] Make nchg variable signed because the code compares this variable against negative values
    [media] omap3isp: fix compiler warning
    [media] v4l: Fix media_entity_to_video_device macro argument name
    [media] ivtv: Internally separate encoder & decoder standard setting
    [media] ivtvfb: Add sanity check to ivtvfb_pan_display()
    [media] ivtvfb: use display information in info not in var for panning
    [media] ivtv: Make two ivtv_msleep_timeout calls uninterruptable
    [media] anysee: return EOPNOTSUPP for unsupported I2C messages
    [media] gspca - ov519: Set the default frame rate to 15 fps
    [media] gspca - stv06xx: Set a lower default value of gain for hdcs sensors
    [media] gspca: Remove coarse_expo_autogain.h
    [media] gspca - ov519: Change the ovfx2 bulk transfer size
    [media] gspca - ov519: Fix a regression for ovfx2 webcams

    Linus Torvalds