17 Mar, 2011

2 commits

  • * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6: (1480 commits)
    bonding: enable netpoll without checking link status
    xfrm: Refcount destination entry on xfrm_lookup
    net: introduce rx_handler results and logic around that
    bonding: get rid of IFF_SLAVE_INACTIVE netdev->priv_flag
    bonding: wrap slave state work
    net: get rid of multiple bond-related netdevice->priv_flags
    bonding: register slave pointer for rx_handler
    be2net: Bump up the version number
    be2net: Copyright notice change. Update to Emulex instead of ServerEngines
    e1000e: fix kconfig for crc32 dependency
    netfilter ebtables: fix xt_AUDIT to work with ebtables
    xen network backend driver
    bonding: Improve syslog message at device creation time
    bonding: Call netif_carrier_off after register_netdevice
    bonding: Incorrect TX queue offset
    net_sched: fix ip_tos2prio
    xfrm: fix __xfrm_route_forward()
    be2net: Fix UDP packet detected status in RX compl
    Phonet: fix aligned-mode pipe socket buffer header reserve
    netxen: support for GbE port settings
    ...

    Fix up conflicts in drivers/staging/brcm80211/brcmsmac/wl_mac80211.c
    with the staging updates.

    Linus Torvalds
     
  • …s/security-testing-2.6

    * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: (33 commits)
    AppArmor: kill unused macros in lsm.c
    AppArmor: cleanup generated files correctly
    KEYS: Add an iovec version of KEYCTL_INSTANTIATE
    KEYS: Add a new keyctl op to reject a key with a specified error code
    KEYS: Add a key type op to permit the key description to be vetted
    KEYS: Add an RCU payload dereference macro
    AppArmor: Cleanup make file to remove cruft and make it easier to read
    SELinux: implement the new sb_remount LSM hook
    LSM: Pass -o remount options to the LSM
    SELinux: Compute SID for the newly created socket
    SELinux: Socket retains creator role and MLS attribute
    SELinux: Auto-generate security_is_socket_class
    TOMOYO: Fix memory leak upon file open.
    Revert "selinux: simplify ioctl checking"
    selinux: drop unused packet flow permissions
    selinux: Fix packet forwarding checks on postrouting
    selinux: Fix wrong checks for selinux_policycap_netpeer
    selinux: Fix check for xfrm selinux context algorithm
    ima: remove unnecessary call to ima_must_measure
    IMA: remove IMA imbalance checking
    ...

    Linus Torvalds
     

16 Mar, 2011

1 commit

  • …l/git/tip/linux-2.6-tip

    * 'timers-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip: (62 commits)
    posix-clocks: Check write permissions in posix syscalls
    hrtimer: Remove empty hrtimer_init_hres_timer()
    hrtimer: Update hrtimer->state documentation
    hrtimer: Update base[CLOCK_BOOTTIME].offset correctly
    timers: Export CLOCK_BOOTTIME via the posix timers interface
    timers: Add CLOCK_BOOTTIME hrtimer base
    time: Extend get_xtime_and_monotonic_offset() to also return sleep
    time: Introduce get_monotonic_boottime and ktime_get_boottime
    hrtimers: extend hrtimer base code to handle more then 2 clockids
    ntp: Remove redundant and incorrect parameter check
    mn10300: Switch do_timer() to xtimer_update()
    posix clocks: Introduce dynamic clocks
    posix-timers: Cleanup namespace
    posix-timers: Add support for fd based clocks
    x86: Add clock_adjtime for x86
    posix-timers: Introduce a syscall for clock tuning.
    time: Splitout compat timex accessors
    ntp: Add ADJ_SETOFFSET mode bit
    time: Introduce timekeeping_inject_offset
    posix-timer: Update comment
    ...

    Fix up new system-call-related conflicts in
    arch/x86/ia32/ia32entry.S
    arch/x86/include/asm/unistd_32.h
    arch/x86/include/asm/unistd_64.h
    arch/x86/kernel/syscall_table_32.S
    (name_to_handle_at()/open_by_handle_at() vs clock_adjtime()), and some
    due to movement of get_jiffies_64() in:
    kernel/time.c

    Linus Torvalds
     

13 Mar, 2011

1 commit


09 Mar, 2011

3 commits


08 Mar, 2011

6 commits


05 Mar, 2011

1 commit


04 Mar, 2011

7 commits

  • Netlink message processing in the kernel is synchronous these days,
    capabilities can be checked directly in security_netlink_recv() from
    the current process.

    Signed-off-by: Patrick McHardy
    Reviewed-by: James Morris
    [chrisw: update to include pohmelfs and uvesafb]
    Signed-off-by: Chris Wright
    Signed-off-by: David S. Miller

    Patrick McHardy
     
  • For SELinux we do not allow security information to change during a remount
    operation. Thus this hook simply strips the security module options from
    the data and verifies that those are the same options as exist on the
    current superblock.

    Signed-off-by: Eric Paris
    Reviewed-by: James Morris

    Eric Paris
     
  • The VFS mount code passes the mount options to the LSM. The LSM will remove
    options it understands from the data and the VFS will then pass the remaining
    options onto the underlying filesystem. This is how options like the
    SELinux context= work. The problem comes in that -o remount never calls
    into LSM code. So if you include an LSM specific option it will get passed
    to the filesystem and will cause the remount to fail. An example of where
    this is a problem is the 'seclabel' option. The SELinux LSM hook will
    print this word in /proc/mounts if the filesystem is being labeled using
    xattrs. If you pass this word on mount it will be silently stripped and
    ignored. But if you pass this word on remount the LSM never gets called
    and it will be passed to the FS. The FS doesn't know what seclabel means
    and thus should fail the mount. For example an ext3 fs mounted over loop

    # mount -o loop /tmp/fs /mnt/tmp
    # cat /proc/mounts | grep /mnt/tmp
    /dev/loop0 /mnt/tmp ext3 rw,seclabel,relatime,errors=continue,barrier=0,data=ordered 0 0
    # mount -o remount /mnt/tmp
    mount: /mnt/tmp not mounted already, or bad option
    # dmesg
    EXT3-fs (loop0): error: unrecognized mount option "seclabel" or missing value

    This patch passes the remount mount options to an new LSM hook.

    Signed-off-by: Eric Paris
    Reviewed-by: James Morris

    Eric Paris
     
  • The security context for the newly created socket shares the same
    user, role and MLS attribute as its creator but may have a different
    type, which could be specified by a type_transition rule in the relevant
    policy package.

    Signed-off-by: Harry Ciao
    [fix call to security_transition_sid to include qstr, Eric Paris]
    Signed-off-by: Eric Paris
    Acked-by: Stephen Smalley

    Harry Ciao
     
  • The socket SID would be computed on creation and no longer inherit
    its creator's SID by default. Socket may have a different type but
    needs to retain the creator's role and MLS attribute in order not
    to break labeled networking and network access control.

    The kernel value for a class would be used to determine if the class
    if one of socket classes. If security_compute_sid is called from
    userspace the policy value for a class would be mapped to the relevant
    kernel value first.

    Signed-off-by: Harry Ciao
    Signed-off-by: Eric Paris
    Acked-by: Stephen Smalley

    Harry Ciao
     
  • The security_is_socket_class() is auto-generated by genheaders based
    on classmap.h to reduce maintenance effort when a new class is defined
    in SELinux kernel. The name for any socket class should be suffixed by
    "socket" and doesn't contain more than one substr of "socket".

    Signed-off-by: Harry Ciao
    Signed-off-by: Eric Paris
    Acked-by: Stephen Smalley

    Harry Ciao
     
  • Netlink message processing in the kernel is synchronous these days, the
    session information can be collected when needed.

    Signed-off-by: Patrick McHardy
    Signed-off-by: David S. Miller

    Patrick McHardy
     

03 Mar, 2011

1 commit

  • In tomoyo_check_open_permission() since 2.6.36, TOMOYO was by error
    recalculating already calculated pathname when checking allow_rewrite
    permission. As a result, memory will leak whenever a file is opened for writing
    without O_APPEND flag. Also, performance will degrade because TOMOYO is
    calculating pathname regardless of profile configuration.
    This patch fixes the leak and performance degrade.

    Signed-off-by: Tetsuo Handa
    Signed-off-by: James Morris

    Tetsuo Handa
     

26 Feb, 2011

5 commits

  • This reverts commit 242631c49d4cf39642741d6627750151b058233b.

    Conflicts:

    security/selinux/hooks.c

    SELinux used to recognize certain individual ioctls and check
    permissions based on the knowledge of the individual ioctl. In commit
    242631c49d4cf396 the SELinux code stopped trying to understand
    individual ioctls and to instead looked at the ioctl access bits to
    determine in we should check read or write for that operation. This
    same suggestion was made to SMACK (and I believe copied into TOMOYO).
    But this suggestion is total rubbish. The ioctl access bits are
    actually the access requirements for the structure being passed into the
    ioctl, and are completely unrelated to the operation of the ioctl or the
    object the ioctl is being performed upon.

    Take FS_IOC_FIEMAP as an example. FS_IOC_FIEMAP is defined as:

    FS_IOC_FIEMAP _IOWR('f', 11, struct fiemap)

    So it has access bits R and W. What this really means is that the
    kernel is going to both read and write to the struct fiemap. It has
    nothing at all to do with the operations that this ioctl might perform
    on the file itself!

    Signed-off-by: Eric Paris
    Acked-by: Stephen Smalley

    Eric Paris
     
  • These permissions are not used and can be dropped in the kernel
    definitions.

    Suggested-by: Stephen Smalley
    Signed-off-by: Eric Paris
    Acked-by: Stephen Smalley

    Eric Paris
     
  • The IPSKB_FORWARDED and IP6SKB_FORWARDED flags are used only in the
    multicast forwarding case to indicate that a packet looped back after
    forward. So these flags are not a good indicator for packet forwarding.
    A better indicator is the incoming interface. If we have no socket context,
    but an incoming interface and we see the packet in the ip postroute hook,
    the packet is going to be forwarded.

    With this patch we use the incoming interface as an indicator on packet
    forwarding.

    Signed-off-by: Steffen Klassert
    Acked-by: Paul Moore
    Signed-off-by: Eric Paris

    Steffen Klassert
     
  • selinux_sock_rcv_skb_compat and selinux_ip_postroute_compat are just
    called if selinux_policycap_netpeer is not set. However in these
    functions we check if selinux_policycap_netpeer is set. This leads
    to some dead code and to the fact that selinux_xfrm_postroute_last
    is never executed. This patch removes the dead code and the checks
    for selinux_policycap_netpeer in the compatibility functions.

    Signed-off-by: Steffen Klassert
    Acked-by: Paul Moore
    Signed-off-by: Eric Paris

    Steffen Klassert
     
  • selinux_xfrm_sec_ctx_alloc accidentally checks the xfrm domain of
    interpretation against the selinux context algorithm. This patch
    fixes this by checking ctx_alg against the selinux context algorithm.

    Signed-off-by: Steffen Klassert
    Acked-by: Paul Moore
    Signed-off-by: Eric Paris

    Steffen Klassert
     

24 Feb, 2011

1 commit

  • The original ima_must_measure() function based its results on cached
    iint information, which required an iint be allocated for all files.
    Currently, an iint is allocated only for files in policy. As a result,
    for those files in policy, ima_must_measure() is now called twice: once
    to determine if the inode is in the measurement policy and, the second
    time, to determine if it needs to be measured/re-measured.

    The second call to ima_must_measure() unnecessarily checks to see if
    the file is in policy. As we already know the file is in policy, this
    patch removes the second unnecessary call to ima_must_measure(), removes
    the vestige iint parameter, and just checks the iint directly to determine
    if the inode has been measured or needs to be measured/re-measured.

    Signed-off-by: Mimi Zohar
    Acked-by: Eric Paris

    Mimi Zohar
     

23 Feb, 2011

1 commit


11 Feb, 2011

1 commit


10 Feb, 2011

5 commits


09 Feb, 2011

1 commit

  • The mmap policy enforcement was not properly handling the
    interaction between the global and local rule lists.
    Instead of going through one and then the other, which
    missed the important case where a rule specified that
    there should be no access, combine the access limitations
    where there is a rule in each list.

    Signed-off-by: Casey Schaufler
    Signed-off-by: James Morris

    Casey Schaufler
     

08 Feb, 2011

1 commit

  • In cred_alloc_blank() since 2.6.32, abort_creds(new) is called with
    new->security == NULL and new->magic == 0 when security_cred_alloc_blank()
    returns an error. As a result, BUG() will be triggered if SELinux is enabled
    or CONFIG_DEBUG_CREDENTIALS=y.

    If CONFIG_DEBUG_CREDENTIALS=y, BUG() is called from __invalid_creds() because
    cred->magic == 0. Failing that, BUG() is called from selinux_cred_free()
    because selinux_cred_free() is not expecting cred->security == NULL. This does
    not affect smack_cred_free(), tomoyo_cred_free() or apparmor_cred_free().

    Fix these bugs by

    (1) Set new->magic before calling security_cred_alloc_blank().

    (2) Handle null cred->security in creds_are_invalid() and selinux_cred_free().

    Signed-off-by: Tetsuo Handa
    Signed-off-by: David Howells
    Signed-off-by: Linus Torvalds

    Tetsuo Handa
     

02 Feb, 2011

3 commits

  • Both settimeofday() and clock_settime() promise with a 'const'
    attribute not to alter the arguments passed in. This patch adds the
    missing 'const' attribute into the various kernel functions
    implementing these calls.

    Signed-off-by: Richard Cochran
    Acked-by: John Stultz
    LKML-Reference:
    Signed-off-by: Thomas Gleixner

    Richard Cochran
     
  • The only user for this hook was selinux. sysctl routes every call
    through /proc/sys/. Selinux and other security modules use the file
    system checks for sysctl too, so no need for this hook any more.

    Signed-off-by: Lucian Adrian Grijincu
    Signed-off-by: Eric Paris

    Lucian Adrian Grijincu
     
  • This fixes an old (2007) selinux regression: filesystem labeling for
    /proc/sys returned
    -r--r--r-- unknown /proc/sys/fs/file-nr
    instead of
    -r--r--r-- system_u:object_r:sysctl_fs_t:s0 /proc/sys/fs/file-nr

    Events that lead to breaking of /proc/sys/ selinux labeling:

    1) sysctl was reimplemented to route all calls through /proc/sys/

    commit 77b14db502cb85a031fe8fde6c85d52f3e0acb63
    [PATCH] sysctl: reimplement the sysctl proc support

    2) proc_dir_entry was removed from ctl_table:

    commit 3fbfa98112fc3962c416452a0baf2214381030e6
    [PATCH] sysctl: remove the proc_dir_entry member for the sysctl tables

    3) selinux still walked the proc_dir_entry tree to apply
    labeling. Because ctl_tables don't have a proc_dir_entry, we did
    not label /proc/sys/ inodes any more. To achieve this the /proc/sys/
    inodes were marked private and private inodes were ignored by
    selinux.

    commit bbaca6c2e7ef0f663bc31be4dad7cf530f6c4962
    [PATCH] selinux: enhance selinux to always ignore private inodes

    commit 86a71dbd3e81e8870d0f0e56b87875f57e58222b
    [PATCH] sysctl: hide the sysctl proc inodes from selinux

    Access control checks have been done by means of a special sysctl hook
    that was called for read/write accesses to any /proc/sys/ entry.

    We don't have to do this because, instead of walking the
    proc_dir_entry tree we can walk the dentry tree (as done in this
    patch). With this patch:
    * we don't mark /proc/sys/ inodes as private
    * we don't need the sysclt security hook
    * we walk the dentry tree to find the path to the inode.

    We have to strip the PID in /proc/PID/ entries that have a
    proc_dir_entry because selinux does not know how to label paths like
    '/1/net/rpc/nfsd.fh' (and defaults to 'proc_t' labeling). Selinux does
    know of '/net/rpc/nfsd.fh' (and applies the 'sysctl_rpc_t' label).

    PID stripping from the path was done implicitly in the previous code
    because the proc_dir_entry tree had the root in '/net' in the example
    from above. The dentry tree has the root in '/1'.

    Signed-off-by: Eric W. Biederman
    Signed-off-by: Lucian Adrian Grijincu
    Signed-off-by: Eric Paris

    Lucian Adrian Grijincu