14 Jan, 2006
1 commit
-
There are errors and inconsistency in the display of NIP6 strings.
ie: net/ipv6/ip6_flowlabel.cThere are errors and inconsistency in the display of NIPQUAD strings too.
ie: net/netfilter/nf_conntrack_ftp.cThis patch:
adds NIP6_FMT to kernel.h
changes all code to use NIP6_FMT
fixes net/ipv6/ip6_flowlabel.c
adds NIPQUAD_FMT to kernel.h
fixes net/netfilter/nf_conntrack_ftp.c
changes a few uses of "%u.%u.%u.%u" to NIPQUAD_FMT for symmetry to NIP6_FMTSigned-off-by: Joe Perches
Signed-off-by: David S. Miller
12 Jan, 2006
1 commit
-
- Move capable() from sched.h to capability.h;
- Use where capable() is used
(in include/, block/, ipc/, kernel/, a few drivers/,
mm/, security/, & sound/;
many more drivers/ to go)Signed-off-by: Randy Dunlap
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
11 Jan, 2006
1 commit
-
Remove redundant casts of k*alloc() return values in
security/selinux/ss/services.cSigned-off-by: Jesper Juhl
Acked-by: Stephen Smalley
Cc: James Morris
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
10 Jan, 2006
1 commit
-
This patch converts the inode semaphore to a mutex. I have tested it on
XFS and compiled as much as one can consider on an ia64. Anyway your
luck with it might be different.Modified-by: Ingo Molnar
(finished the conversion)
Signed-off-by: Jes Sorensen
Signed-off-by: Ingo Molnar
09 Jan, 2006
5 commits
-
Some long time ago, dentry struct was carefully tuned so that on 32 bits
UP, sizeof(struct dentry) was exactly 128, ie a power of 2, and a multiple
of memory cache lines.Then RCU was added and dentry struct enlarged by two pointers, with nice
results for SMP, but not so good on UP, because breaking the above tuning
(128 + 8 = 136 bytes)This patch reverts this unwanted side effect, by using an union (d_u),
where d_rcu and d_child are placed so that these two fields can share their
memory needs.At the time d_free() is called (and d_rcu is really used), d_child is known
to be empty and not touched by the dentry freeing.Lockless lookups only access d_name, d_parent, d_lock, d_op, d_flags (so
the previous content of d_child is not needed if said dentry was unhashed
but still accessed by a CPU because of RCU constraints)As dentry cache easily contains millions of entries, a size reduction is
worth the extra complexity of the ugly C union.Signed-off-by: Eric Dumazet
Cc: Dipankar Sarma
Cc: Maneesh Soni
Cc: Miklos Szeredi
Cc: "Paul E. McKenney"
Cc: Ian Kent
Cc: Paul Jackson
Cc: Al Viro
Cc: Christoph Hellwig
Cc: Trond Myklebust
Cc: Neil Brown
Cc: James Morris
Cc: Stephen Smalley
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
Make it possible for a running process (such as gssapid) to be able to
instantiate a key, as was requested by Trond Myklebust for NFS4.The patch makes the following changes:
(1) A new, optional key type method has been added. This permits a key type
to intercept requests at the point /sbin/request-key is about to be
spawned and do something else with them - passing them over the
rpc_pipefs files or netlink sockets for instance.The uninstantiated key, the authorisation key and the intended operation
name are passed to the method.(2) The callout_info is no longer passed as an argument to /sbin/request-key
to prevent unauthorised viewing of this data using ps or by looking in
/proc/pid/cmdline.This means that the old /sbin/request-key program will not work with the
patched kernel as it will expect to see an extra argument that is no
longer there.A revised keyutils package will be made available tomorrow.
(3) The callout_info is now attached to the authorisation key. Reading this
key will retrieve the information.(4) A new field has been added to the task_struct. This holds the
authorisation key currently active for a thread. Searches now look here
for the caller's set of keys rather than looking for an auth key in the
lowest level of the session keyring.This permits a thread to be servicing multiple requests at once and to
switch between them. Note that this is per-thread, not per-process, and
so is usable in multithreaded programs.The setting of this field is inherited across fork and exec.
(5) A new keyctl function (KEYCTL_ASSUME_AUTHORITY) has been added that
permits a thread to assume the authority to deal with an uninstantiated
key. Assumption is only permitted if the authorisation key associated
with the uninstantiated key is somewhere in the thread's keyrings.This function can also clear the assumption.
(6) A new magic key specifier has been added to refer to the currently
assumed authorisation key (KEY_SPEC_REQKEY_AUTH_KEY).(7) Instantiation will only proceed if the appropriate authorisation key is
assumed first. The assumed authorisation key is discarded if
instantiation is successful.(8) key_validate() is moved from the file of request_key functions to the
file of permissions functions.(9) The documentation is updated.
From:
Build fix.
Signed-off-by: David Howells
Cc: Trond Myklebust
Cc: Alexander Zangerl
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
Cause any links within a keyring to keys that match a key to be linked into
that keyring to be discarded as a link to the new key is added. The match is
contingent on the type and description strings being the same.This permits requests, adds and searches to displace negative, expired,
revoked and dead keys easily. After some discussion it was concluded that
duplicate valid keys should probably be discarded also as they would otherwise
hide the new key.Since request_key() is intended to be the primary method by which keys are
added to a keyring, duplicate valid keys wouldn't be an issue there as that
function would return an existing match in preference to creating a new key.Signed-off-by: David Howells
Cc: Trond Myklebust
Cc: Alexander Zangerl
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
Add a new keyctl function that allows the expiry time to be set on a key or
removed from a key, provided the caller has attribute modification access.Signed-off-by: David Howells
Cc: Trond Myklebust
Cc: Alexander Zangerl
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
Use atomic_inc_not_zero for rcu files instead of special case rcuref.
Signed-off-by: Nick Piggin
Cc: "Paul E. McKenney"
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
08 Jan, 2006
1 commit
-
security/selinux/xfrm.c:155:10: warning: Using plain integer as NULL pointer
Signed-off-by: Luiz Capitulino
Signed-off-by: Andrew Morton
Signed-off-by: David S. Miller
07 Jan, 2006
8 commits
-
This patch contains two corrections to the LSM-IPsec Nethooks patches
previously applied.(1) free a security context on a failed insert via xfrm_user
interface in xfrm_add_policy. Memory leak.(2) change the authorization of the allocation of a security context
in a xfrm_policy or xfrm_state from both relabelfrom and relabelto
to setcontext.Signed-off-by: Trent Jaeger
Signed-off-by: David S. Miller -
Now when kbuild passes KBUILD_MODNAME with "" do not __stringify it when
used. Remove __stringnify for all users.
This also fixes the output of:$ ls -l /sys/module/
drwxr-xr-x 4 root root 0 2006-01-05 14:24 pcmcia
drwxr-xr-x 4 root root 0 2006-01-05 14:24 pcmcia_core
drwxr-xr-x 3 root root 0 2006-01-05 14:24 "processor"
drwxr-xr-x 3 root root 0 2006-01-05 14:24 "psmouse"The quoting of the module names will be gone again.
Thanks to GregKH + Kay Sievers for reproting this.Signed-off-by: Sam Ravnborg
-
make needlessly global code static
Signed-off-by: Adrian Bunk
Cc: David Howells
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
Remove the key duplication stuff since there's nothing that uses it, no way
to get at it and it's awkward to deal with for LSM purposes.Signed-off-by: David Howells
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
Further ARRAY_SIZE cleanups under security/selinux.
Signed-off-by: Tobias Klauser
Signed-off-by: Stephen Smalley
Acked-by: James Morris
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
Use ARRAY_SIZE macro instead of sizeof(x)/sizeof(x[0]).
Signed-off-by: Nicolas Kaiser
Signed-off-by: Stephen Smalley
Acked-by: James Morris
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
04 Jan, 2006
2 commits
-
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.This patch implements the changes necessary to the SELinux LSM to
create, deallocate, and use security contexts for policies
(xfrm_policy) and security associations (xfrm_state) that enable
control of a socket's ability to send and receive packets.Patch purpose:
The patch is designed to enable the SELinux LSM to implement access
control on individual packets based on the strongly authenticated
IPSec security association. Such access controls augment the existing
ones in SELinux based on network interface and IP address. The former
are very coarse-grained, and the latter can be spoofed. By using
IPSec, the SELinux can control access to remote hosts based on
cryptographic keys generated using the IPSec mechanism. This enables
access control on a per-machine basis or per-application if the remote
machine is running the same mechanism and trusted to enforce the
access control policy.Patch design approach:
The patch's main function is to authorize a socket's access to a IPSec
policy based on their security contexts. Since the communication is
implemented by a security association, the patch ensures that the
security association's negotiated and used have the same security
context. The patch enables allocation and deallocation of such
security contexts for policies and security associations. It also
enables copying of the security context when policies are cloned.
Lastly, the patch ensures that packets that are sent without using a
IPSec security assocation with a security context are allowed to be
sent in that manner.A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.Patch implementation details:
The function which authorizes a socket to perform a requested
operation (send/receive) on a IPSec policy (xfrm_policy) is
selinux_xfrm_policy_lookup. The Netfilter and rcv_skb hooks ensure
that if a IPSec SA with a securit y association has not been used,
then the socket is allowed to send or receive the packet,
respectively.The patch implements SELinux function for allocating security contexts
when policies (xfrm_policy) are created via the pfkey or xfrm_user
interfaces via selinux_xfrm_policy_alloc. When a security association
is built, SELinux allocates the security context designated by the
XFRM subsystem which is based on that of the authorized policy via
selinux_xfrm_state_alloc.When a xfrm_policy is cloned, the security context of that policy, if
any, is copied to the clone via selinux_xfrm_policy_clone.When a xfrm_policy or xfrm_state is freed, its security context, if
any is also freed at selinux_xfrm_policy_free or
selinux_xfrm_state_free.Testing:
The SELinux authorization function is tested using ipsec-tools. We
created policies and security associations with particular security
contexts and added SELinux access control policy entries to verify the
authorization decision. We also made sure that packets for which no
security context was supplied (which either did or did not use
security associations) were authorized using an unlabelled context.Signed-off-by: Trent Jaeger
Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller -
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.Signed-off-by: Trent Jaeger
Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
02 Dec, 2005
1 commit
-
Permit add_key() to once again update a matching key rather than adding a
new one if a matching key already exists in the target keyring.This bug causes add_key() to always add a new key, displacing the old from
the target keyring.Signed-off-by: David Howells
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
09 Nov, 2005
3 commits
-
This patch extends the selinuxfs context interface to allow return the
canonical form of the context to userspace.Signed-off-by: Stephen Smalley
Signed-off-by: James Morris
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
This patch disables the setting of SELinux xattrs on files created in
filesystems labeled via mountpoint labeling (mounted with the context=
option). selinux_inode_setxattr already prevents explicit setxattr from
userspace on such filesystems, so this provides consistent behavior for
file creation.Signed-off-by: Stephen Smalley
Signed-off-by: James Morris
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
This patch enables files created on a MLS-enabled SELinux system to be
accessible on a non-MLS SELinux system, by skipping the MLS component of
the security context in the non-MLS case.Signed-off-by: Stephen Smalley
Signed-off-by: James Morris
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
07 Nov, 2005
2 commits
-
This is the security/ part of the big kfree cleanup patch.
Remove pointless checks for NULL prior to calling kfree() in security/.
Signed-off-by: Jesper Juhl
Acked-by: James Morris
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
The attached patch removes a couple of incorrect and obsolete '!' operators
left over from the conversion of the key permission functions from
true/false returns to zero/error returns.Signed-Off-By: David Howells
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
31 Oct, 2005
9 commits
-
This patch simplifies some checks for magic siginfo values. It should not
change the behaviour in any way.Signed-off-by: Oleg Nesterov
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
This patch replaces hardcoded SEND_SIG_xxx constants with
their symbolic names.No changes in affected .o files.
Signed-off-by: Oleg Nesterov
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
The attached patch adds LSM hooks for key management facilities. The notable
changes are:(1) The key struct now supports a security pointer for the use of security
modules. This will permit key labelling and restrictions on which
programs may access a key.(2) Security modules get a chance to note (or abort) the allocation of a key.
(3) The key permission checking can now be enhanced by the security modules;
the permissions check consults LSM if all other checks bear out.(4) The key permissions checking functions now return an error code rather
than a boolean value.(5) An extra permission has been added to govern the modification of
attributes (UID, GID, permissions).Note that there isn't an LSM hook specifically for each keyctl() operation,
but rather the permissions hook allows control of individual operations based
on the permission request bits.Key management access control through LSM is enabled by automatically if both
CONFIG_KEYS and CONFIG_SECURITY are enabled.This should be applied on top of the patch ensubjected:
[PATCH] Keys: Possessor permissions should be additive
Signed-Off-By: David Howells
Signed-off-by: Chris Wright
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
Export user-defined key operations so that those who wish to define their
own key type based on the user-defined key operations may do so (as has
been requested).The header file created has been placed into include/keys/user-type.h, thus
creating a directory where other key types may also be placed. Any
objections to doing this?Signed-Off-By: David Howells
Signed-Off-By: Arjan van de Ven
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
Now that RCU applied on 'struct file' seems stable, we can place f_rcuhead
in a memory location that is not anymore used at call_rcu(&f->f_rcuhead,
file_free_rcu) time, to reduce the size of this critical kernel object.The trick I used is to move f_rcuhead and f_list in an union called f_u
The callers are changed so that f_rcuhead becomes f_u.fu_rcuhead and f_list
becomes f_u.f_listSigned-off-by: Eric Dumazet
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
This patch removes a bunch of unecessary checks for (size_t < 0) in
selinuxfs.Signed-off-by: James Morris
Acked-by: Stephen Smalley
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
security/selinux/hooks.c: In function `selinux_inode_getxattr':
security/selinux/hooks.c:2193: warning: unused variable `sbsec'Cc: James Morris
Cc: Stephen Smalley
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
This patch allows SELinux to canonicalize the value returned from
getxattr() via the security_inode_getsecurity() hook, which is called after
the fs level getxattr() function.The purpose of this is to allow the in-core security context for an inode
to override the on-disk value. This could happen in cases such as
upgrading a system to a different labeling form (e.g. standard SELinux to
MLS) without needing to do a full relabel of the filesystem.In such cases, we want getxattr() to return the canonical security context
that the kernel is using rather than what is stored on disk.The implementation hooks into the inode_getsecurity(), adding another
parameter to indicate the result of the preceding fs-level getxattr() call,
so that SELinux knows whether to compare a value obtained from disk with
the kernel value.We also now allow getxattr() to work for mountpoint labeled filesystems
(i.e. mount with option context=foo_t), as we are able to return the
kernel value to the user.Signed-off-by: James Morris
Signed-off-by: Stephen Smalley
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
This patch converts SELinux code from kmalloc/memset to the new kazalloc
unction. On i386, this results in a text saving of over 1K.Before:
text data bss dec hex filename
86319 4642 15236 106197 19ed5 security/selinux/built-in.oAfter:
text data bss dec hex filename
85278 4642 15236 105156 19ac4 security/selinux/built-in.oSigned-off-by: James Morris
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
28 Oct, 2005
1 commit
-
Signed-off-by: Al Viro
Signed-off-by: Linus Torvalds
24 Oct, 2005
2 commits
-
This patch fixes error handling in sel_make_bools(), where currently we'd
get a memory leak via security_get_bools() and try to kfree() the wrong
pointer if called again.Signed-off-by: James Morris
Acked-by: Stephen Smalley
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
This patch fixes a possible NULL dereference in policydb_destroy, where
p->type_attr_map can be NULL if policydb_destroy is called to clean up a
partially loaded policy upon an error during policy load. Please apply.Signed-off-by: Stephen Smalley
Acked-by: James Morris
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
09 Oct, 2005
2 commits
-
This patch makes the possessor permissions on a key additive with
user/group/other permissions on the same key.This permits extra rights to be granted to the possessor of a key without
taking away any rights conferred by them owning the key or having common group
membership.Signed-Off-By: David Howells
Signed-off-by: Linus Torvalds -
The attached patch splits key permissions checking out of key-ui.h and
moves it into a .c file. It's quite large and called quite a lot, and
it's about to get bigger with the addition of LSM support for keys...key_any_permission() is also discarded as it's no longer used.
Signed-Off-By: David Howells
Signed-off-by: Linus Torvalds