07 Sep, 2009
1 commit
-
- As ima_counts_put() may be called after the inode has been freed,
verify that the inode is not NULL, before dereferencing it.
- Maintain the IMA file counters in may_open() properly, decrementing
any counter increments on subsequent errors.
Reported-by: Ciprian Docan
Reported-by: J.R. Okajima
Signed-off-by: Mimi Zohar
Acked-by: Eric Paris
27 Aug, 2009
2 commits
-
…s/security-testing-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6:
IMA: iint put in ima_counts_get and put -
ima_counts_get() calls ima_iint_find_insert_get() which takes a reference
to the iint in question, but does not put that reference at the end of the
function. This can lead to a nasty memory leak. Easy enough to reproduce:

#include <stdio.h>
#include <sys/mman.h>

int main (void)
{
	int i;
	void *ptr;

	/* Each mmap/munmap pair takes an iint reference that the buggy kernel never drops. */
	for (i=0; i < 100000; i++) {
		ptr = mmap(NULL, 4096, PROT_READ|PROT_WRITE,
			   MAP_SHARED|MAP_ANONYMOUS, -1, 0);
		if (ptr == MAP_FAILED)
			return 2;
		munmap(ptr, 4096);
	}
	return 0;
}

Signed-off-by: Eric Paris
Signed-off-by: James Morris
24 Aug, 2009
1 commit
-
Hashing files larger than INT_MAX causes process to loop.
Dependent on redefining kernel_read() offset type to loff_t.
(http://bugzilla.kernel.org/show_bug.cgi?id=13909)
Cc: stable@kernel.org
Signed-off-by: Mimi Zohar
Signed-off-by: James Morris
19 Aug, 2009
2 commits
-
Fix prompt for LSM_MMAP_MIN_ADDR.
(Verbs are cool!)
Signed-off-by: Andreas Schwab
Acked-by: Eric Paris
Signed-off-by: James Morris -
Commit 788084aba2ab7348257597496befcbccabdc98a3 added the LSM_MMAP_MIN_ADDR
option, whose help text states "For most ia64, ppc64 and x86 users with lots
of address space a value of 65536 is reasonable and should cause no problems."
Which implies that its default setting was typoed.
Signed-off-by: Dave Jones
Acked-by: Eric Paris
Signed-off-by: James Morris
17 Aug, 2009
3 commits
-
Currently SELinux enforcement of controls on the ability to map low memory
is determined by the mmap_min_addr tunable. This patch causes SELinux to
ignore the tunable and instead use a separate Kconfig option specific to how
much space the LSM should protect.

The tunable will now only control the need for CAP_SYS_RAWIO and SELinux
permissions will always protect the amount of low memory designated by
CONFIG_LSM_MMAP_MIN_ADDR.

This allows users who need to disable the mmap_min_addr controls (usual reason
being they run WINE as a non-root user) to do so and still have SELinux
controls preventing confined domains (like a web server) from being able to
map some area of low memory.
Signed-off-by: Eric Paris
Signed-off-by: James Morris -
Currently SELinux does not check CAP_SYS_RAWIO in the file_mmap hook. This
means there is no DAC check on the ability to mmap low addresses in the
memory space. This function adds the DAC check for CAP_SYS_RAWIO while
maintaining the selinux check on mmap_zero. This means that processes
which need to mmap low memory will need CAP_SYS_RAWIO and mmap_zero but will
NOT need the SELinux sys_rawio capability.
Signed-off-by: Eric Paris
Signed-off-by: James Morris -
Currently we duplicate the mmap_min_addr test in cap_file_mmap and in
security_file_mmap if !CONFIG_SECURITY. This patch moves cap_file_mmap
into commoncap.c and then calls that function directly from
security_file_mmap ifndef CONFIG_SECURITY like all of the other capability
checks are done.
Signed-off-by: Eric Paris
Acked-by: Serge Hallyn
Signed-off-by: James Morris
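As an added illustration (not kernel code and not part of these commits), the following C model combines the two checks the three commits above describe: the DAC check, where the vm.mmap_min_addr tunable only decides whether CAP_SYS_RAWIO is required, and the SELinux check, which ignores the tunable and always protects CONFIG_LSM_MMAP_MIN_ADDR unless the domain holds mmap_zero. The struct mapper, the function names and the knob values 4096 and 65536 are constructed for this example.

```c
#include <errno.h>
#include <stdbool.h>

/* Constructed knob values for this illustration (not read from a real system). */
#define MMAP_MIN_ADDR_DEFAULT  4096UL   /* vm.mmap_min_addr tunable default */
#define LSM_MMAP_MIN_ADDR      65536UL  /* CONFIG_LSM_MMAP_MIN_ADDR, SELinux-only floor */

/* Hypothetical stand-in for the caller's credentials and SELinux domain rights. */
struct mapper {
	bool cap_sys_rawio;      /* POSIX capability consulted by the DAC path */
	bool selinux_mmap_zero;  /* SELinux mmap_zero permission on the domain */
};

/*
 * DAC check (the role cap_file_mmap plays after these commits): the tunable
 * only decides whether CAP_SYS_RAWIO is needed for the requested address.
 */
static int dac_check(unsigned long addr, unsigned long tunable, const struct mapper *m)
{
	if (addr >= tunable || m->cap_sys_rawio)
		return 0;
	return -EPERM;
}

/*
 * SELinux check: ignores the tunable and always protects the region below
 * CONFIG_LSM_MMAP_MIN_ADDR; a domain needs mmap_zero to map there.
 */
static int selinux_check(unsigned long addr, const struct mapper *m)
{
	if (addr >= LSM_MMAP_MIN_ADDR || m->selinux_mmap_zero)
		return 0;
	return -EACCES;
}

/* Model of the file_mmap hook: both checks must pass; 0 on success, negative errno on denial. */
int may_mmap_at(unsigned long addr, unsigned long tunable, const struct mapper *m)
{
	int rc = dac_check(addr, tunable, m);

	if (rc)
		return rc;
	return selinux_check(addr, m);
}
```

Setting the tunable to 0 (the WINE case) only removes the CAP_SYS_RAWIO requirement; a confined domain without mmap_zero is still refused below 65536.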
11 Aug, 2009
1 commit
-
Fix memory leakage in /security/selinux/hooks.c
The buffer always needs to be freed here; we either error
out or allocate more memory.
Reported-by: iceberg
Signed-off-by: James Morris
Acked-by: Stephen Smalley
29 Jun, 2009
2 commits
-
This patch fixes an imbalance message as reported by J.R. Okajima.
The IMA file counters are incremented in ima_path_check. If the
actual open fails, such as ETXTBSY, decrement the counters to
prevent unnecessary imbalance messages.
Reported-by: J.R. Okajima
Signed-off-by: Mimi Zohar
Signed-off-by: James Morris -
Audit the file name, not the template name.
Signed-off-by: Mimi Zohar
Signed-off-by: James Morris
19 Jun, 2009
1 commit
-
While walking through the whitelist, if the DEV_ALL item is found, no more
check is needed.
Signed-off-by: Li Zefan
Acked-by: Serge Hallyn
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
15 Jun, 2009
1 commit
-
Conflicts:
Documentation/feature-removal-schedule.txt
drivers/scsi/fcoe/fcoe.c
net/core/drop_monitor.c
net/core/net-traces.c
12 Jun, 2009
1 commit
-
…s/security-testing-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: (44 commits)
nommu: Provide mmap_min_addr definition.
TOMOYO: Add description of lists and structures.
TOMOYO: Remove unused field.
integrity: ima audit dentry_open failure
TOMOYO: Remove unused parameter.
security: use mmap_min_addr independently of security models
TOMOYO: Simplify policy reader.
TOMOYO: Remove redundant markers.
SELinux: define audit permissions for audit tree netlink messages
TOMOYO: Remove unused mutex.
tomoyo: avoid get+put of task_struct
smack: Remove redundant initialization.
integrity: nfsd imbalance bug fix
rootplug: Remove redundant initialization.
smack: do not beyond ARRAY_SIZE of data
integrity: move ima_counts_get
integrity: path_check update
IMA: Add __init notation to ima functions
IMA: Minimal IMA policy and boot param for TCB IMA policy
selinux: remove obsolete read buffer limit from sel_read_bool
...
11 Jun, 2009
1 commit
-
* 'rcu-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
rcu: rcu_sched_grace_period(): kill the bogus flush_signals()
rculist: use list_entry_rcu in places where it's appropriate
rculist.h: introduce list_entry_rcu() and list_first_entry_rcu()
rcu: Update RCU tracing documentation for __rcu_pending
rcu: Add __rcu_pending tracing to hierarchical RCU
RCU: make treercu be default
09 Jun, 2009
3 commits
-
This patch adds some descriptions of lists and structures.
This patch contains no code changes.
Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
TOMOYO 2.2.0 is not using total_len field of "struct tomoyo_path_info".
Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris
05 Jun, 2009
1 commit
-
Until we start appraising measurements, the ima_path_check()
return code should always be 0.
- Update the ima_path_check() return code comment
- Instead of the pr_info, audit the dentry_open failure
Signed-off-by: Mimi Zohar
Acked-by: Eric Paris
Signed-off-by: James Morris
04 Jun, 2009
2 commits
-
TOMOYO 2.2.0 does not check argv[] and envp[] upon execve().
We don't need to pass "struct tomoyo_page_buffer".
Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
This patch removes the dependency of mmap_min_addr on CONFIG_SECURITY.
It also sets a default mmap_min_addr of 4096.

mmapping of addresses below 4096 will only be possible for processes
with CAP_SYS_RAWIO.
Signed-off-by: Christoph Lameter
Acked-by: Eric Paris
Looks-ok-by: Linus Torvalds
Signed-off-by: James Morris
03 Jun, 2009
4 commits
-
Define three accessors to get/set dst attached to a skb
struct dst_entry *skb_dst(const struct sk_buff *skb)
void skb_dst_set(struct sk_buff *skb, struct dst_entry *dst)
void skb_dst_drop(struct sk_buff *skb)
This one should replace occurrences of :
dst_release(skb->dst)
skb->dst = NULL;

Delete skb->dst field
Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller -
We can directly assign the result of tomoyo_io_printf() to done flag.
Signed-off-by: Kentaro Takeda
Signed-off-by: Tetsuo Handa
Signed-off-by: Toshiharu Harada
Signed-off-by: James Morris -
Remove '/***** START/STOP *****/' markers.
Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
Audit trees defined 2 new netlink messages but the netlink mapping tables for
selinux permissions were not set up. This patch maps these 2 new operations
to AUDIT_WRITE.
Signed-off-by: Eric Paris
Signed-off-by: James Morris
02 Jun, 2009
2 commits
-
I forgot to remove on TOMOYO's 15th posting.
Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
Use task_cred_xxx(task, security) in tomoyo_real_domain() to
avoid a get+put of the target cred.
Signed-off-by: Serge E. Hallyn
Acked-by: Tetsuo Handa
Signed-off-by: James Morris
28 May, 2009
1 commit
-
We don't need to explicitly initialize to cap_* because
it will be filled by security_fixup_ops().
Signed-off-by: Tetsuo Handa
Acked-by: Serge Hallyn
Acked-by: Casey Schaufler
Signed-off-by: James Morris
27 May, 2009
2 commits
-
We don't need to explicitly initialize to cap_* because
it will be filled by security_fixup_ops().
Signed-off-by: Tetsuo Handa
Acked-by: Serge Hallyn
Signed-off-by: James Morris -
cap_bprm_set_creds() has to be called from security_bprm_set_creds().
TOMOYO forgot to call cap_bprm_set_creds() from tomoyo_bprm_set_creds()
and suid executables were not working.

Make sure we call cap_bprm_set_creds() with TOMOYO, to set credentials
properly inside tomoyo_bprm_set_creds().
Signed-off-by: Herton Ronaldo Krzesinski
Acked-by: Tetsuo Handa
Signed-off-by: James Morris
22 May, 2009
5 commits
-
Conflicts:
fs/exec.c

Removed IMA changes (the IMA checks are now performed via may_open()).
Signed-off-by: James Morris
-
Do not go beyond ARRAY_SIZE of data
Signed-off-by: Roel Kluin
Acked-by: Casey Schaufler
Signed-off-by: James Morris -
- Add support in ima_path_check() for integrity checking without
incrementing the counts. (Required for nfsd.)
- rename and export opencount_get to ima_counts_get
- replace ima_shm_check calls with ima_counts_get
- export ima_path_check
Signed-off-by: Mimi Zohar
Signed-off-by: James Morris -
A number of IMA functions only used during init are not marked with __init.
Add those notations so they are freed automatically.
Signed-off-by: Eric Paris
Acked-by: Mimi Zohar
Signed-off-by: James Morris -
The IMA TCB policy is dangerous. A normal user can use all of a system's
memory (which cannot be freed) simply by building and running lots of
executables. The TCB policy is also nearly useless because logging in as root
often causes a policy violation when dealing with utmp, thus rendering the
measurements meaningless.

There is no good fix for this in the kernel. A full TCB policy would need to
be loaded in userspace using LSM rule matching to get both a protected and
useful system. But, if too little is measured before userspace can load a real
policy one again ends up with a meaningless set of measurements. One option
would be to put the policy load inside the initrd in order to get it early
enough in the boot sequence to be useful, but this runs into trouble with the
LSM. For IMA to measure the LSM policy and the LSM policy loading mechanism
it needs rules to do so, but we already talked about problems with defaulting
to such broad rules....

IMA also depends on the files being measured to be on an FS which implements
and supports i_version. Since the only FS with this support (ext4) doesn't
even use it by default it seems silly to have any IMA rules by default.

This should reduce the performance overhead of IMA to near 0 while still
letting users who choose to configure their machine as such to include the
ima_tcb kernel parameter and get measurements during boot before they can
load a customized, reasonable policy in userspace.
Signed-off-by: Eric Paris
Acked-by: Mimi Zohar
Signed-off-by: James Morris
19 May, 2009
2 commits
-
On Tue, 2009-05-19 at 00:05 -0400, Eamon Walsh wrote:
> Recent versions of coreutils have bumped the read buffer size from 4K to
> 32K in several of the utilities.
>
> This means that "cat /selinux/booleans/xserver_object_manager" no longer
> works, it returns "Invalid argument" on F11. getsebool works fine.
>
> sel_read_bool has a check for "count > PAGE_SIZE" that doesn't seem to
> be present in the other read functions. Maybe it could be removed?

Yes, that check is obsoleted by the conversion of those functions to
using simple_read_from_buffer(), which will reduce count if necessary to
what is available in the buffer.
Signed-off-by: Stephen Smalley
Signed-off-by: James Morris -
The selinuxfs superblock magic is used inside the IMA code, but is being
defined in two places and could someday get out of sync. This patch moves the
declaration into magic.h so it is only done once.
Signed-off-by: Eric Paris
Signed-off-by: James Morris
15 May, 2009
2 commits
-
The IMA default policy measures every single file opened by root. This is
terrible for most users. Consider a system (like mine) with virtual machine
images. When those images are touched (which happens at boot for me) those
images are measured. This is just way too much for the default case.
Signed-off-by: Eric Paris
Acked-by: Mimi Zohar
Signed-off-by: James Morris -
The IMA policy file does not implement read. Trying to just open/read/close
the file will load a blank policy and you cannot then change the policy
without a reboot. This removes the read permission from the file so one must
at least be attempting to write...
Signed-off-by: Eric Paris
Acked-by: Mimi Zohar
Signed-off-by: James Morris