03 Nov, 2018

1 commit

  • …git/jj/linux-apparmor

    Pull apparmor updates from John Johansen:
    "Features/Improvements:
    - replace spin_is_locked() with lockdep
    - add base support for secmark labeling and matching

    Cleanups:
    - clean an indentation issue, remove extraneous space
    - remove no-op permission check in policy_unpack
    - fix checkpatch missing spaces error in Parse secmark policy
    - fix network performance issue in aa_label_sk_perm

    Bug fixes:
    - add #ifdef checks for secmark filtering
    - fix an error code in __aa_create_ns()
    - don't try to replace stale label in ptrace checks
    - fix failure to audit context info in build_change_hat
    - check buffer bounds when mapping permissions mask
    - fully initialize aa_perms struct when answering userspace query
    - fix uninitialized value in aa_split_fqname"

    * tag 'apparmor-pr-2018-11-01' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor:
    apparmor: clean an indentation issue, remove extraneous space
    apparmor: fix checkpatch error in Parse secmark policy
    apparmor: add #ifdef checks for secmark filtering
    apparmor: Fix uninitialized value in aa_split_fqname
    apparmor: don't try to replace stale label in ptraceme check
    apparmor: Replace spin_is_locked() with lockdep
    apparmor: Allow filtering based on secmark policy
    apparmor: Parse secmark policy
    apparmor: Add a wildcard secid
    apparmor: don't try to replace stale label in ptrace access check
    apparmor: Fix network performance issue in aa_label_sk_perm

    Linus Torvalds
     

02 Nov, 2018

2 commits


26 Oct, 2018

6 commits

  • Signed-off-by: Denis Kenzior
    Signed-off-by: David Howells
    Tested-by: Marcel Holtmann
    Reviewed-by: Marcel Holtmann
    Signed-off-by: James Morris

    Denis Kenzior
     
  • This patch exposes some common functionality needed to send TPM commands.
    Several functions from keys/trusted.c are exposed for use by the new tpm
    key subtype and a module dependency is introduced.

    In the future, common functionality between the trusted key type and the
    asym_tpm subtype should be factored out into a common utility library.

    Signed-off-by: Denis Kenzior
    Signed-off-by: David Howells
    Tested-by: Marcel Holtmann
    Reviewed-by: Marcel Holtmann
    Signed-off-by: James Morris

    Denis Kenzior
     
  • Provide five keyctl functions that permit userspace to make use of the new
    key type ops for accessing and driving asymmetric keys.

    (*) Query an asymmetric key.

    long keyctl(KEYCTL_PKEY_QUERY,
                key_serial_t key, unsigned long reserved,
                struct keyctl_pkey_query *info);

    Get information about an asymmetric key. The information is returned
    in the keyctl_pkey_query struct:

    __u32 supported_ops;

    A bit mask of flags indicating which ops are supported. This is
    constructed from a bitwise-OR of:

    KEYCTL_SUPPORTS_{ENCRYPT,DECRYPT,SIGN,VERIFY}

    __u32 key_size;

    The size in bits of the key.

    __u16 max_data_size;
    __u16 max_sig_size;
    __u16 max_enc_size;
    __u16 max_dec_size;

    The maximum sizes in bytes of a blob of data to be signed, a signature
    blob, a blob to be encrypted and a blob to be decrypted.

    reserved must be set to 0. This is intended for future use to hand
    over one or more passphrases needed to unlock a key.

    If successful, 0 is returned. If the key is not an asymmetric key,
    EOPNOTSUPP is returned.

    (*) Encrypt, decrypt, sign or verify a blob using an asymmetric key.

    long keyctl(KEYCTL_PKEY_ENCRYPT,
                const struct keyctl_pkey_params *params,
                const char *info,
                const void *in,
                void *out);

    long keyctl(KEYCTL_PKEY_DECRYPT,
                const struct keyctl_pkey_params *params,
                const char *info,
                const void *in,
                void *out);

    long keyctl(KEYCTL_PKEY_SIGN,
                const struct keyctl_pkey_params *params,
                const char *info,
                const void *in,
                void *out);

    long keyctl(KEYCTL_PKEY_VERIFY,
                const struct keyctl_pkey_params *params,
                const char *info,
                const void *in,
                const void *in2);

    Use an asymmetric key to perform a public-key cryptographic operation on
    a blob of data.

    The parameter block pointed to by params contains a number of integer
    values:

    __s32 key_id;
    __u32 in_len;
    __u32 out_len;
    __u32 in2_len;

    For a given operation, the in and out buffers are used as follows:

    Operation ID            in,in_len       out,out_len     in2,in2_len
    ======================= =============== =============== ===========
    KEYCTL_PKEY_ENCRYPT     Raw data        Encrypted data  -
    KEYCTL_PKEY_DECRYPT     Encrypted data  Raw data        -
    KEYCTL_PKEY_SIGN        Raw data        Signature       -
    KEYCTL_PKEY_VERIFY      Raw data        -               Signature

    info is a string of key=value pairs that supply supplementary
    information.

    The __spare space in the parameter block must be set to 0. This is
    intended, amongst other things, to allow the passing of passphrases
    required to unlock a key.

    If successful, encrypt, decrypt and sign all return the amount of data
    written into the output buffer. Verification returns 0 on success.

    Signed-off-by: David Howells
    Tested-by: Marcel Holtmann
    Reviewed-by: Marcel Holtmann
    Reviewed-by: Denis Kenzior
    Tested-by: Denis Kenzior
    Signed-off-by: James Morris

    David Howells
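The following program is an added example of driving these keyctls from userspace; it is not code from the kernel tree or from this patch. Two assumptions beyond the commit message: the info string "enc=pkcs1 hash=sha256" (PKCS#1 v1.5 over SHA-256, so the "in" blob for SIGN/VERIFY is the 32-byte digest and the kernel adds the DigestInfo and padding), and the KEYCTL_PKEY_QUERY form that was merged, which takes the info string as arg4 ahead of the result struct, as keyctl(2) documents, rather than the three-argument prototype quoted above. The constants and structs are mirrored from <linux/keyctl.h> so the file builds against older headers; pkey_check_sizes() is this example's own user-side pre-flight, which applies the max_data_size/max_sig_size limits described above before the syscall is made. Running it end to end needs a kernel with these ops and a loaded asymmetric key whose serial is passed on the command line; without one, query reports the errno it got.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Local mirror of the KEYCTL_PKEY_* UAPI (values and layout as in
 * <linux/keyctl.h>), so this builds even where the installed header is older. */
#ifndef KEYCTL_PKEY_QUERY
#define KEYCTL_PKEY_QUERY 24
#define KEYCTL_PKEY_SIGN 27
#define KEYCTL_PKEY_VERIFY 28
#define KEYCTL_SUPPORTS_SIGN 0x04
#define KEYCTL_SUPPORTS_VERIFY 0x08
struct keyctl_pkey_query { uint32_t supported_ops, key_size;
    uint16_t max_data_size, max_sig_size, max_enc_size, max_dec_size; uint32_t __spare[10]; };
struct keyctl_pkey_params { int32_t key_id; uint32_t in_len;
    union { uint32_t out_len, in2_len; }; uint32_t __spare[7]; };
#endif
typedef int32_t key_serial_t;

/* Assumed info string: PKCS#1 v1.5 over SHA-256. "in" for SIGN/VERIFY is then
 * the 32-byte digest; the kernel adds the DigestInfo and padding. */
static const char INFO[] = "enc=pkcs1 hash=sha256";

/* User-side pre-flight of a SIGN/VERIFY request against the query result,
 * using the limits the query reports; returns 0 or -errno. */
int pkey_check_sizes(const struct keyctl_pkey_query *q, int op,
                     uint32_t in_len, uint32_t other_len)
{
    uint32_t need = op == KEYCTL_PKEY_SIGN ? KEYCTL_SUPPORTS_SIGN :
                    op == KEYCTL_PKEY_VERIFY ? KEYCTL_SUPPORTS_VERIFY : 0;
    if (!need)
        return -EINVAL;                 /* only SIGN/VERIFY handled here */
    if (!(q->supported_ops & need))
        return -EOPNOTSUPP;
    if (in_len > q->max_data_size)
        return -EMSGSIZE;               /* more data than the key can sign */
    if (other_len > q->max_sig_size)
        return -EMSGSIZE;               /* out_len (sign) or in2_len (verify) */
    return 0;
}

/* KEYCTL_PKEY_QUERY; returns 0 or -errno (-EOPNOTSUPP if the key is not asymmetric). */
int pkey_query(key_serial_t key, struct keyctl_pkey_query *q)
{
    memset(q, 0, sizeof(*q));
    if (syscall(__NR_keyctl, KEYCTL_PKEY_QUERY, (long)key, 0UL /* reserved */, INFO, q) < 0)
        return -errno;
    return 0;
}

/* Sign a digest; returns the signature length or -errno. */
long pkey_sign(key_serial_t key, const struct keyctl_pkey_query *q,
               const uint8_t *digest, uint32_t digest_len, uint8_t *sig, uint32_t sig_cap)
{
    /* designated init leaves __spare zeroed, as required */
    struct keyctl_pkey_params p = { .key_id = key, .in_len = digest_len, .out_len = sig_cap };
    int err = pkey_check_sizes(q, KEYCTL_PKEY_SIGN, digest_len, sig_cap);
    if (err)
        return err;
    long n = syscall(__NR_keyctl, KEYCTL_PKEY_SIGN, &p, INFO, digest, sig);
    return n < 0 ? -errno : n;
}

/* Verify; returns 0 if the signature checks out, else -errno. */
int pkey_verify(key_serial_t key, const struct keyctl_pkey_query *q,
                const uint8_t *digest, uint32_t digest_len, const uint8_t *sig, uint32_t sig_len)
{
    struct keyctl_pkey_params p = { .key_id = key, .in_len = digest_len, .in2_len = sig_len };
    int err = pkey_check_sizes(q, KEYCTL_PKEY_VERIFY, digest_len, sig_len);
    if (err)
        return err;
    return syscall(__NR_keyctl, KEYCTL_PKEY_VERIFY, &p, INFO, digest, sig) < 0 ? -errno : 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <asymmetric-key-serial>\n", argv[0]); return 2; }
    key_serial_t key = (key_serial_t)strtol(argv[1], NULL, 0);
    struct keyctl_pkey_query q;
    int err = pkey_query(key, &q);
    if (err) { fprintf(stderr, "KEYCTL_PKEY_QUERY: %s\n", strerror(-err)); return 1; }
    printf("key_size=%u ops=%#x max_data=%u max_sig=%u\n", q.key_size, q.supported_ops,
           (unsigned)q.max_data_size, (unsigned)q.max_sig_size);
    uint8_t digest[32] = { 0 };          /* constructed stand-in for a real SHA-256 digest */
    uint8_t *sig = calloc(q.max_sig_size, 1);
    long n = pkey_sign(key, &q, digest, sizeof digest, sig, q.max_sig_size);
    err = n < 0 ? (int)n : pkey_verify(key, &q, digest, sizeof digest, sig, (uint32_t)n);
    printf("sign/verify: %s\n", err ? strerror(-err) : "ok");
    free(sig);
    return err ? 1 : 0;
}
```

The output buffer for SIGN is sized from max_sig_size returned by the query rather than guessed from the key size, and in2_len for VERIFY is the exact length SIGN returned; passing a larger value in either field is rejected by the pre-flight because a blob longer than max_sig_size cannot be a valid signature.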
     
  • Pull LoadPin updates from James Morris:
    "From Kees: This is a small reporting improvement and the param change
    needed for the ordering series (but since the loadpin change is
    desired and separable, I'm putting it here)"

    * 'next-loadpin' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
    LoadPin: Rename boot param "enabled" to "enforce"
    LoadPin: Report friendly block device name

    Linus Torvalds
     
  • Pull smack updates from James Morris:
    "From Casey: three patches for Smack for 4.20. Two clean up warnings
    and one is a rarely encountered ptrace capability check"

    * 'next-smack' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
    Smack: Mark expected switch fall-through
    Smack: ptrace capability use fixes
    Smack: remove set but not used variable 'root_inode'

    Linus Torvalds
     
  • …morris/linux-security

    Pull integrity updates from James Morris:
    "From Mimi: This contains a couple of bug fixes, including one for a
    recent problem with calculating file hashes on overlayfs, and some
    code cleanup"

    * 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
    MAINTAINERS: add Jarkko as maintainer for trusted keys
    ima: open a new file instance if no read permissions
    ima: fix showing large 'violations' or 'runtime_measurements_count'
    security/integrity: remove unnecessary 'init_keyring' variable
    security/integrity: constify some read-only data
    vfs: require i_size <= SIZE_MAX in kernel_read_file()

    Linus Torvalds
     

24 Oct, 2018

3 commits

  • Pull security subsystem updates from James Morris:
    "In this patchset, there are a couple of minor updates, as well as some
    reworking of the LSM initialization code from Kees Cook (these prepare
    the way for ordered stackable LSMs, but are a valuable cleanup on
    their own)"

    * 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
    LSM: Don't ignore initialization failures
    LSM: Provide init debugging infrastructure
    LSM: Record LSM name in struct lsm_info
    LSM: Convert security_initcall() into DEFINE_LSM()
    vmlinux.lds.h: Move LSM_TABLE into INIT_DATA
    LSM: Convert from initcall to struct lsm_info
    LSM: Remove initcall tracing
    LSM: Rename .security_initcall section to .lsm_info
    vmlinux.lds.h: Avoid copy/paste of security_init section
    LSM: Correctly announce start of LSM initialization
    security: fix LSM description location
    keys: Fix the use of the C++ keyword "private" in uapi/linux/keyctl.h
    seccomp: remove unnecessary unlikely()
    security: tomoyo: Fix obsolete function
    security/capabilities: remove check for -EINVAL

    Linus Torvalds
     
  • Pull SELinux updates from Paul Moore:
    "Three SELinux patches for v4.20, all fall under the bug-fix or
    behave-better category, which is good. All three have pretty good
    descriptions too, which is even better"

    * tag 'selinux-pr-20181022' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
    selinux: Add __GFP_NOWARN to allocation at str_read()
    selinux: refactor mls_context_to_sid() and make it stricter
    selinux: fix mounting of cgroup2 under older policies

    Linus Torvalds
     
  • …iederm/user-namespace

    Pull siginfo updates from Eric Biederman:
    "I have been slowly sorting out siginfo and this is the culmination of
    that work.

    The primary result is in several ways the signal infrastructure has
    been made less error prone. The code has been updated so that manually
    specifying SEND_SIG_FORCED is never necessary. The conversion to the
    new siginfo sending functions is now complete, which makes it
    difficult to send a signal without filling in the proper siginfo
    fields.

    At the tail end of the patchset comes the optimization of decreasing
    the size of struct siginfo in the kernel from 128 bytes to about 48
    bytes on 64bit. The fundamental observation that enables this is by
    definition none of the known ways to use struct siginfo uses the extra
    bytes.

    This comes at the cost of a small user space observable difference.
    For the rare case of siginfo being injected into the kernel only what
    can be copied into kernel_siginfo is delivered to the destination, the
    rest of the bytes are set to 0. For cases where the signal and the
    si_code are known this is safe, because we know those bytes are not
    used. For cases where the signal and si_code combination is unknown
    the bits that won't fit into struct kernel_siginfo are tested to
    verify they are zero, and the send fails if they are not.

    I made an extensive search through userspace code and I could not find
    anything that would break because of the above change. If it turns out
    I did break something it will take just the revert of a single change
    to restore kernel_siginfo to the same size as userspace siginfo.

    Testing did reveal dependencies on preferring the signo passed to
    sigqueueinfo over si->signo, so bit the bullet and added the
    complexity necessary to handle that case.

    Testing also revealed bad things can happen if a negative signal
    number is passed into the system calls. Something no sane application
    will do but something a malicious program or a fuzzer might do. So I
    have fixed the code that performs the bounds checks to ensure negative
    signal numbers are handled"

    * 'siginfo-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace: (80 commits)
    signal: Guard against negative signal numbers in copy_siginfo_from_user32
    signal: Guard against negative signal numbers in copy_siginfo_from_user
    signal: In sigqueueinfo prefer sig not si_signo
    signal: Use a smaller struct siginfo in the kernel
    signal: Distinguish between kernel_siginfo and siginfo
    signal: Introduce copy_siginfo_from_user and use it's return value
    signal: Remove the need for __ARCH_SI_PREABLE_SIZE and SI_PAD_SIZE
    signal: Fail sigqueueinfo if si_signo != sig
    signal/sparc: Move EMT_TAGOVF into the generic siginfo.h
    signal/unicore32: Use force_sig_fault where appropriate
    signal/unicore32: Generate siginfo in ucs32_notify_die
    signal/unicore32: Use send_sig_fault where appropriate
    signal/arc: Use force_sig_fault where appropriate
    signal/arc: Push siginfo generation into unhandled_exception
    signal/ia64: Use force_sig_fault where appropriate
    signal/ia64: Use the force_sig(SIGSEGV,...) in ia64_rt_sigreturn
    signal/ia64: Use the generic force_sigsegv in setup_frame
    signal/arm/kvm: Use send_sig_mceerr
    signal/arm: Use send_sig_fault where appropriate
    signal/arm: Use force_sig_fault where appropriate
    ...

    Linus Torvalds
     

19 Oct, 2018

3 commits


13 Oct, 2018

1 commit

  • The newly added code fails to build when either SECMARK or
    NETFILTER are disabled:

    security/apparmor/lsm.c: In function 'apparmor_socket_sock_rcv_skb':
    security/apparmor/lsm.c:1138:12: error: 'struct sk_buff' has no member named 'secmark'; did you mean 'mark'?

    security/apparmor/lsm.c:1671:21: error: 'struct nf_hook_state' declared inside parameter list will not be visible outside of this definition or declaration [-Werror]

    Add a set of #ifdef checks around it to only enable the code that
    we can compile and that makes sense in that configuration.

    Fixes: ab9f2115081a ("apparmor: Allow filtering based on secmark policy")
    Signed-off-by: Arnd Bergmann
    Signed-off-by: John Johansen

    Arnd Bergmann
     

11 Oct, 2018

12 commits


03 Oct, 2018

7 commits

  • Linus recently observed that if we did not worry about the padding
    member in struct siginfo it is only about 48 bytes, and 48 bytes is
    much nicer than 128 bytes for allocating on the stack and copying
    around in the kernel.

    The obvious thing of only adding the padding when userspace is
    including siginfo.h won't work as there are sigframe definitions in
    the kernel that embed struct siginfo.

    So split siginfo in two; kernel_siginfo and siginfo. Keeping the
    traditional name for the userspace definition. While the version that
    is used internally to the kernel and ultimately will not be padded to
    128 bytes is called kernel_siginfo.

    The definition of struct kernel_siginfo I have put in include/signal_types.h

    A set of buildtime checks has been added to verify the two structures have
    the same field offsets.

    To make it easy to verify the change kernel_siginfo retains the same
    size as siginfo. The reduction in size comes in a following change.

    Signed-off-by: "Eric W. Biederman"

    Eric W. Biederman
     
    Syzkaller reported an OOB-read with the stacktrace below. This occurs
    inside __aa_lookupn_ns as `n` is not initialized. `n` is obtained from
    aa_splitn_fqname. In cases where `name` is invalid, aa_splitn_fqname
    returns without initializing `ns_name` and `ns_len`.

    Fix this by always initializing `ns_name` and `ns_len`.

    __dump_stack lib/dump_stack.c:77 [inline]
    dump_stack+0x1c4/0x2b4 lib/dump_stack.c:113
    print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256
    kasan_report_error mm/kasan/report.c:354 [inline]
    kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412
    __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
    memcmp+0xe3/0x160 lib/string.c:861
    strnstr+0x4b/0x70 lib/string.c:934
    __aa_lookupn_ns+0xc1/0x570 security/apparmor/policy_ns.c:209
    aa_lookupn_ns+0x88/0x1e0 security/apparmor/policy_ns.c:240
    aa_fqlookupn_profile+0x1b9/0x1010 security/apparmor/policy.c:468
    fqlookupn_profile+0x80/0xc0 security/apparmor/label.c:1844
    aa_label_strn_parse+0xa3a/0x1230 security/apparmor/label.c:1908
    aa_label_parse+0x42/0x50 security/apparmor/label.c:1943
    aa_change_profile+0x513/0x3510 security/apparmor/domain.c:1362
    apparmor_setprocattr+0xaa4/0x1150 security/apparmor/lsm.c:658
    security_setprocattr+0x66/0xc0 security/security.c:1298
    proc_pid_attr_write+0x301/0x540 fs/proc/base.c:2555
    __vfs_write+0x119/0x9f0 fs/read_write.c:485
    vfs_write+0x1fc/0x560 fs/read_write.c:549
    ksys_write+0x101/0x260 fs/read_write.c:598
    __do_sys_write fs/read_write.c:610 [inline]
    __se_sys_write fs/read_write.c:607 [inline]
    __x64_sys_write+0x73/0xb0 fs/read_write.c:607
    do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
    entry_SYSCALL_64_after_hwframe+0x49/0xbe

    Fixes: 3b0aaf5866bf ("apparmor: add lib fn to find the "split" for fqnames")
    Reported-by: syzbot+61e4b490d9d2da591b50@syzkaller.appspotmail.com
    Signed-off-by: Zubin Mithra
    Reviewed-by: Kees Cook
    Signed-off-by: John Johansen

    Zubin Mithra
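A simplified model of the bug and its fix, added here as an example; this is not the kernel's aa_splitn_fqname(). The names skipn_spaces, splitn_fqname_buggy, splitn_fqname_fixed, split_leaves_garbage and split_matches are this example's own, and the grammar is reduced to ":ns:profile" or "profile" with leading spaces skipped. The point it shows is the shape of the defect: an out-parameter that is written only on the success path, combined with a caller that consumes it regardless of the return value, so an all-space name hands the caller whatever was on the stack. The fix is to initialize every out-parameter before the first early return.

```c
#include <stddef.h>
#include <string.h>

typedef const char *(*split_fn)(const char *fqname, size_t n,
                                const char **ns_name, size_t *ns_len);

/* Skip leading spaces; NULL if nothing but spaces remains. */
static const char *skipn_spaces(const char *s, size_t n)
{
    while (n && *s == ' ') {
        s++;
        n--;
    }
    return n ? s : NULL;
}

/* Before the fix: the out-params are written only after the name has been
 * validated, so the early return leaves *ns_name and *ns_len untouched. */
const char *splitn_fqname_buggy(const char *fqname, size_t n,
                                const char **ns_name, size_t *ns_len)
{
    const char *end = fqname + n;
    const char *name = skipn_spaces(fqname, n);

    if (!name)
        return NULL;                /* *ns_name / *ns_len still hold garbage */
    *ns_name = NULL;
    *ns_len = 0;
    if (name[0] == ':') {
        const char *split = memchr(name + 1, ':', (size_t)(end - name - 1));
        if (!split)
            return NULL;            /* ":ns" without a closing ':' */
        *ns_name = name + 1;
        *ns_len = (size_t)(split - *ns_name);
        name = split + 1;
    }
    return (name < end && *name) ? name : NULL;
}

/* After the fix: every out-param is initialized before any path can return. */
const char *splitn_fqname_fixed(const char *fqname, size_t n,
                                const char **ns_name, size_t *ns_len)
{
    const char *end = fqname + n;
    const char *name;

    *ns_name = NULL;
    *ns_len = 0;
    name = skipn_spaces(fqname, n);
    if (!name)
        return NULL;                /* caller now sees NULL / 0, not garbage */
    if (name[0] == ':') {
        const char *split = memchr(name + 1, ':', (size_t)(end - name - 1));
        if (!split)
            return NULL;
        *ns_name = name + 1;
        *ns_len = (size_t)(split - *ns_name);
        name = split + 1;
    }
    return (name < end && *name) ? name : NULL;
}

/* Models the caller in the report: it uses (ns_name, ns_len) without looking at
 * the return value. Returns 1 if the splitter left both at their pre-call
 * (stand-in for uninitialized) values, i.e. the caller would read garbage. */
int split_leaves_garbage(split_fn split, const char *fqname)
{
    static const char garbage[] = "uninitialized stack";
    const char *ns_name = garbage;
    size_t ns_len = (size_t)-1;

    (void)split(fqname, strlen(fqname), &ns_name, &ns_len);
    return ns_name == garbage && ns_len == (size_t)-1;
}

/* Returns 1 if split() yields the expected namespace and profile name
 * (NULL for "none"). */
int split_matches(split_fn split, const char *fqname,
                  const char *exp_ns, const char *exp_name)
{
    const char *ns_name = NULL, *name;
    size_t ns_len = 0;

    name = split(fqname, strlen(fqname), &ns_name, &ns_len);
    if (!name != !exp_name || (exp_name && strcmp(name, exp_name) != 0))
        return 0;
    if (!ns_name != !exp_ns)
        return 0;
    if (exp_ns && (ns_len != strlen(exp_ns) || strncmp(ns_name, exp_ns, ns_len) != 0))
        return 0;
    return 1;
}
```

Both versions parse well-formed names identically; they differ only on the invalid input the fuzzer found, which is exactly why the defect survived normal testing and needed KASAN to surface.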
     
  • begin_current_label_crit_section() must run in sleepable context because
    when label_is_stale() is true, aa_replace_current_label() runs, which uses
    prepare_creds(), which can sleep.

    Until now, the ptraceme access check (which runs with tasklist_lock held)
    violated this rule.

    Fixes: b2d09ae449ced ("apparmor: move ptrace checks to using labels")
    Reported-by: Cyrill Gorcunov
    Reported-by: kernel test robot
    Signed-off-by: Jann Horn
    Signed-off-by: John Johansen

    Jann Horn
     
  • lockdep_assert_held() is better suited to checking locking requirements,
    since it won't get confused when someone else holds the lock. This is
    also a step towards possibly removing spin_is_locked().

    Signed-off-by: Lance Roy
    Cc: John Johansen
    Cc: James Morris
    Cc: "Serge E. Hallyn"
    Signed-off-by: John Johansen

    Lance Roy
     
  • Add support for dropping or accepting packets based on their secmark
    tags.

    Signed-off-by: Matthew Garrett
    Signed-off-by: John Johansen

    Matthew Garrett
     
  • Add support for parsing secmark policy provided by userspace, and
    store that in the overall policy.

    Signed-off-by: Matthew Garrett
    Signed-off-by: John Johansen

    Matthew Garrett
     
  • Reserve a secid value that we can use as a wildcard, allowing us to
    define policy that's expected to match against all secids.

    Signed-off-by: Matthew Garrett
    Signed-off-by: John Johansen

    Matthew Garrett
     

25 Sep, 2018

1 commit

  • This changes UAPI, breaking iwd and libell:

    ell/key.c: In function 'kernel_dh_compute':
    ell/key.c:205:38: error: 'struct keyctl_dh_params' has no member named 'private'; did you mean 'dh_private'?
      struct keyctl_dh_params params = { .private = private,
                                          ^~~~~~~
                                          dh_private

    This reverts commit 8a2336e549d385bb0b46880435b411df8d8200e8.

    Fixes: 8a2336e549d3 ("uapi/linux/keyctl.h: don't use C++ reserved keyword as a struct member name")
    Signed-off-by: Lubomir Rintel
    Signed-off-by: David Howells
    cc: Randy Dunlap
    cc: Mat Martineau
    cc: Stephan Mueller
    cc: James Morris
    cc: "Serge E. Hallyn"
    cc: Mat Martineau
    cc: Andrew Morton
    cc: Linus Torvalds
    Signed-off-by: James Morris
    Signed-off-by: Greg Kroah-Hartman

    Lubomir Rintel
     

19 Sep, 2018

3 commits

  • In preparation to enabling -Wimplicit-fallthrough, mark switch cases
    where we are expecting to fall through.

    Notice that in this particular case, I replaced "No break" with a
    proper "Fall through" annotation, which is what GCC is expecting
    to find.

    Warning level 2 was used: -Wimplicit-fallthrough=2

    Addresses-Coverity-ID: 115051 ("Missing break in switch")
    Signed-off-by: Gustavo A. R. Silva
    Signed-off-by: Casey Schaufler

    Gustavo A. R. Silva
     
  • This fixes a pair of problems in the Smack ptrace checks
    related to checking capabilities. In both cases, as reported
    by Lukasz Pawelczyk, the raw capability calls are used rather
    than the Smack wrapper that checks additional restrictions.
    In one case, as reported by Jann Horn, the wrong task is being
    checked for capabilities.

    Signed-off-by: Casey Schaufler

    Casey Schaufler
     
  • Fixes gcc '-Wunused-but-set-variable' warning:

    security/smack/smackfs.c: In function 'smk_fill_super':
    security/smack/smackfs.c:2856:16: warning:
    variable 'root_inode' set but not used [-Wunused-but-set-variable]

    Signed-off-by: YueHaibing
    Signed-off-by: Casey Schaufler

    YueHaibing
     

14 Sep, 2018

1 commit

  • This reverts commit 1f40a46cf47c12d93a5ad9dccd82bd36ff8f956a.

    It turned out that this patch is not sufficient to enable PTI on 32 bit
    systems with legacy 2-level page-tables. In this paging mode the huge-page
    PTEs are in the top-level page-table directory, where also the mirroring to
    the user-space page-table happens. So every huge PTE exists twice, in the
    kernel and in the user page-table.

    That means that accessed/dirty bits need to be fetched from two PTEs in
    this mode to be safe, but this is not trivial to implement because it needs
    changes to generic code just for the sake of enabling PTI with 32-bit
    legacy paging. As all systems that need PTI should support PAE anyway,
    remove support for PTI when 32-bit legacy paging is used.

    Fixes: 7757d607c6b3 ('x86/pti: Allow CONFIG_PAGE_TABLE_ISOLATION for x86_32')
    Reported-by: Meelis Roos
    Signed-off-by: Joerg Roedel
    Signed-off-by: Thomas Gleixner
    Cc: hpa@zytor.com
    Cc: linux-mm@kvack.org
    Cc: Linus Torvalds
    Cc: Andy Lutomirski
    Cc: Dave Hansen
    Cc: Borislav Petkov
    Cc: Andrea Arcangeli
    Link: https://lkml.kernel.org/r/1536922754-31379-1-git-send-email-joro@8bytes.org

    Joerg Roedel