Eric Lee / smarc-fsl-linux-kernel

20 Jul, 2011

1 commit

23 Apr, 2011

1 commit

  • 8c9e80ed2   SECURITY: Move exec_permission RCU checks into security modules ... Browse Code »

    Right now all RCU walks fall back to reference walk when CONFIG_SECURITY
    is enabled, even though just the standard capability module is active.
    This is because security_inode_exec_permission unconditionally fails
    RCU walks.

    Move this decision to the low level security module. This requires
    passing the RCU flags down the security hook. This way at least
    the capability module and a few easy cases in selinux/smack work
    with RCU walks with CONFIG_SECURITY=y

    Signed-off-by: Andi Kleen
    Acked-by: Eric Paris
    Signed-off-by: Linus Torvalds

    Andi Kleen
     

17 Mar, 2011

1 commit

  • 7a6362800   Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 ... Browse Code »

    * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6: (1480 commits)
    bonding: enable netpoll without checking link status
    xfrm: Refcount destination entry on xfrm_lookup
    net: introduce rx_handler results and logic around that
    bonding: get rid of IFF_SLAVE_INACTIVE netdev->priv_flag
    bonding: wrap slave state work
    net: get rid of multiple bond-related netdevice->priv_flags
    bonding: register slave pointer for rx_handler
    be2net: Bump up the version number
    be2net: Copyright notice change. Update to Emulex instead of ServerEngines
    e1000e: fix kconfig for crc32 dependency
    netfilter ebtables: fix xt_AUDIT to work with ebtables
    xen network backend driver
    bonding: Improve syslog message at device creation time
    bonding: Call netif_carrier_off after register_netdevice
    bonding: Incorrect TX queue offset
    net_sched: fix ip_tos2prio
    xfrm: fix __xfrm_route_forward()
    be2net: Fix UDP packet detected status in RX compl
    Phonet: fix aligned-mode pipe socket buffer header reserve
    netxen: support for GbE port settings
    ...

    Fix up conflicts in drivers/staging/brcm80211/brcmsmac/wl_mac80211.c
    with the staging updates.

    Linus Torvalds
     

04 Mar, 2011

1 commit

  • ff36fe2c8   LSM: Pass -o remount options to the LSM ... Browse Code »

    The VFS mount code passes the mount options to the LSM. The LSM will remove
    options it understands from the data and the VFS will then pass the remaining
    options onto the underlying filesystem. This is how options like the
    SELinux context= work. The problem comes in that -o remount never calls
    into LSM code. So if you include an LSM specific option it will get passed
    to the filesystem and will cause the remount to fail. An example of where
    this is a problem is the 'seclabel' option. The SELinux LSM hook will
    print this word in /proc/mounts if the filesystem is being labeled using
    xattrs. If you pass this word on mount it will be silently stripped and
    ignored. But if you pass this word on remount the LSM never gets called
    and it will be passed to the FS. The FS doesn't know what seclabel means
    and thus should fail the mount. For example an ext3 fs mounted over loop

    # mount -o loop /tmp/fs /mnt/tmp
    # cat /proc/mounts | grep /mnt/tmp
    /dev/loop0 /mnt/tmp ext3 rw,seclabel,relatime,errors=continue,barrier=0,data=ordered 0 0
    # mount -o remount /mnt/tmp
    mount: /mnt/tmp not mounted already, or bad option
    # dmesg
    EXT3-fs (loop0): error: unrecognized mount option "seclabel" or missing value

    This patch passes the remount mount options to an new LSM hook.

    Signed-off-by: Eric Paris
    Reviewed-by: James Morris

    Eric Paris
     

23 Feb, 2011

1 commit

02 Feb, 2011

2 commits

  • 4916ca401   security: remove unused security_sysctl hook ... Browse Code »

    The only user for this hook was selinux. sysctl routes every call
    through /proc/sys/. Selinux and other security modules use the file
    system checks for sysctl too, so no need for this hook any more.

    Signed-off-by: Lucian Adrian Grijincu
    Signed-off-by: Eric Paris

    Lucian Adrian Grijincu
     
  • 2a7dba391   fs/vfs/security: pass last path component to LSM on inode creation ... Browse Code »

    SELinux would like to implement a new labeling behavior of newly created
    inodes. We currently label new inodes based on the parent and the creating
    process. This new behavior would also take into account the name of the
    new object when deciding the new label. This is not the (supposed) full path,
    just the last component of the path.

    This is very useful because creating /etc/shadow is different than creating
    /etc/passwd but the kernel hooks are unable to differentiate these
    operations. We currently require that userspace realize it is doing some
    difficult operation like that and than userspace jumps through SELinux hoops
    to get things set up correctly. This patch does not implement new
    behavior, that is obviously contained in a seperate SELinux patch, but it
    does pass the needed name down to the correct LSM hook. If no such name
    exists it is fine to pass NULL.

    Signed-off-by: Eric Paris

    Eric Paris
     

06 Jan, 2011

1 commit

  • 3610cda53   af_unix: Avoid socket->sk NULL OOPS in stream connect security hooks. ... Browse Code »

    unix_release() can asynchornously set socket->sk to NULL, and
    it does so without holding the unix_state_lock() on "other"
    during stream connects.

    However, the reverse mapping, sk->sk_socket, is only transitioned
    to NULL under the unix_state_lock().

    Therefore make the security hooks follow the reverse mapping instead
    of the forward mapping.

    Reported-by: Jeremy Fitzhardinge
    Reported-by: Linus Torvalds
    Signed-off-by: David S. Miller

    David S. Miller
     

16 Nov, 2010

1 commit

  • 12b3052c3   capabilities/syslog: open code cap_syslog logic to fix build failure ... Browse Code »

    The addition of CONFIG_SECURITY_DMESG_RESTRICT resulted in a build
    failure when CONFIG_PRINTK=n. This is because the capabilities code
    which used the new option was built even though the variable in question
    didn't exist.

    The patch here fixes this by moving the capabilities checks out of the
    LSM and into the caller. All (known) LSMs should have been calling the
    capabilities hook already so it actually makes the code organization
    better to eliminate the hook altogether.

    Signed-off-by: Eric Paris
    Acked-by: James Morris
    Signed-off-by: Linus Torvalds

    Eric Paris
     

21 Oct, 2010

1 commit

  • 2606fd1fa   secmark: make secmark object handling generic ... Browse Code »

    Right now secmark has lots of direct selinux calls. Use all LSM calls and
    remove all SELinux specific knowledge. The only SELinux specific knowledge
    we leave is the mode. The only point is to make sure that other LSMs at
    least test this generic code before they assume it works. (They may also
    have to make changes if they do not represent labels as strings)

    Signed-off-by: Eric Paris
    Acked-by: Paul Moore
    Acked-by: Patrick McHardy
    Signed-off-by: James Morris

    Eric Paris
     

11 Aug, 2010

1 commit

  • b34d8915c   Merge branch 'writable_limits' of git://decibel.fi.muni.cz/~xslaby/linux ... Browse Code »

    * 'writable_limits' of git://decibel.fi.muni.cz/~xslaby/linux:
    unistd: add __NR_prlimit64 syscall numbers
    rlimits: implement prlimit64 syscall
    rlimits: switch more rlimit syscalls to do_prlimit
    rlimits: redo do_setrlimit to more generic do_prlimit
    rlimits: add rlimit64 structure
    rlimits: do security check under task_lock
    rlimits: allow setrlimit to non-current tasks
    rlimits: split sys_setrlimit
    rlimits: selinux, do rlimits changes under task_lock
    rlimits: make sure ->rlim_max never grows in sys_setrlimit
    rlimits: add task_struct to update_rlimit_cpu
    rlimits: security, add task_struct to setrlimit

    Fix up various system call number conflicts. We not only added fanotify
    system calls in the meantime, but asm-generic/unistd.h added a wait4
    along with a range of reserved per-architecture system calls.

    Linus Torvalds
     

02 Aug, 2010

2 commits

  • dce3a3d2e   Security: capability: code style issue ... Browse Code »

    This fix a little code style issue deleting a space between a function
    name and a open parenthesis.

    Signed-off-by: Chihau Chau
    Acked-by: Andrew G. Morgan
    Signed-off-by: James Morris

    Chihau Chau
     
  • ea0d3ab23   LSM: Remove unused arguments from security_path_truncate(). ... Browse Code »

    When commit be6d3e56a6b9b3a4ee44a0685e39e595073c6f0d "introduce new LSM hooks
    where vfsmount is available." was proposed, regarding security_path_truncate(),
    only "struct file *" argument (which AppArmor wanted to use) was removed.
    But length and time_attrs arguments are not used by TOMOYO nor AppArmor.
    Thus, let's remove these arguments.

    Signed-off-by: Tetsuo Handa
    Acked-by: Nick Piggin
    Signed-off-by: James Morris

    Tetsuo Handa
     

16 Jul, 2010

1 commit

17 May, 2010

1 commit

12 Apr, 2010

13 commits

24 Feb, 2010

1 commit

  • 189b3b1c8   Security: add static to security_ops and default_security_ops variable ... Browse Code »

    Enhance the security framework to support resetting the active security
    module. This eliminates the need for direct use of the security_ops and
    default_security_ops variables outside of security.c, so make security_ops
    and default_security_ops static. Also remove the secondary_ops variable as
    a cleanup since there is no use for that. secondary_ops was originally used by
    SELinux to call the "secondary" security module (capability or dummy),
    but that was replaced by direct calls to capability and the only
    remaining use is to save and restore the original security ops pointer
    value if SELinux is disabled by early userspace based on /etc/selinux/config.
    Further, if we support this directly in the security framework, then we can
    just use &default_security_ops for this purpose since that is now available.

    Signed-off-by: Zhitong Wang
    Acked-by: Stephen Smalley
    Signed-off-by: James Morris

    wzt.wzt@gmail.com
     

10 Nov, 2009

1 commit

  • dd8dbf2e6   security: report the module name to security_module_request ... Browse Code »

    For SELinux to do better filtering in userspace we send the name of the
    module along with the AVC denial when a program is denied module_request.

    Example output:

    type=SYSCALL msg=audit(11/03/2009 10:59:43.510:9) : arch=x86_64 syscall=write success=yes exit=2 a0=3 a1=7fc28c0d56c0 a2=2 a3=7fffca0d7440 items=0 ppid=1727 pid=1729 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpc.nfsd exe=/usr/sbin/rpc.nfsd subj=system_u:system_r:nfsd_t:s0 key=(null)
    type=AVC msg=audit(11/03/2009 10:59:43.510:9) : avc: denied { module_request } for pid=1729 comm=rpc.nfsd kmod="net-pf-10" scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system

    Signed-off-by: Eric Paris
    Signed-off-by: James Morris

    Eric Paris
     

12 Oct, 2009

2 commits

10 Sep, 2009

1 commit

  • 1ee65e37e   LSM/SELinux: inode_{get,set,notify}secctx hooks to access LSM security context information. ... Browse Code »

    This patch introduces three new hooks. The inode_getsecctx hook is used to get
    all relevant information from an LSM about an inode. The inode_setsecctx is
    used to set both the in-core and on-disk state for the inode based on a context
    derived from inode_getsecctx.The final hook inode_notifysecctx will notify the
    LSM of a change for the in-core state of the inode in question. These hooks are
    for use in the labeled NFS code and addresses concerns of how to set security
    on an inode in a multi-xattr LSM. For historical reasons Stephen Smalley's
    explanation of the reason for these hooks is pasted below.

    Quote Stephen Smalley

    inode_setsecctx: Change the security context of an inode. Updates the
    in core security context managed by the security module and invokes the
    fs code as needed (via __vfs_setxattr_noperm) to update any backing
    xattrs that represent the context. Example usage: NFS server invokes
    this hook to change the security context in its incore inode and on the
    backing file system to a value provided by the client on a SETATTR
    operation.

    inode_notifysecctx: Notify the security module of what the security
    context of an inode should be. Initializes the incore security context
    managed by the security module for this inode. Example usage: NFS
    client invokes this hook to initialize the security context in its
    incore inode to the value provided by the server for the file when the
    server returned the file's attributes to the client.

    Signed-off-by: David P. Quigley
    Acked-by: Serge Hallyn
    Signed-off-by: James Morris

    David P. Quigley
     

02 Sep, 2009

1 commit

  • ee18d64c1   KEYS: Add a keyctl to install a process's session keyring on its parent [try #6] ... Browse Code »

    Add a keyctl to install a process's session keyring onto its parent. This
    replaces the parent's session keyring. Because the COW credential code does
    not permit one process to change another process's credentials directly, the
    change is deferred until userspace next starts executing again. Normally this
    will be after a wait*() syscall.

    To support this, three new security hooks have been provided:
    cred_alloc_blank() to allocate unset security creds, cred_transfer() to fill in
    the blank security creds and key_session_to_parent() - which asks the LSM if
    the process may replace its parent's session keyring.

    The replacement may only happen if the process has the same ownership details
    as its parent, and the process has LINK permission on the session keyring, and
    the session keyring is owned by the process, and the LSM permits it.

    Note that this requires alteration to each architecture's notify_resume path.
    This has been done for all arches barring blackfin, m68k* and xtensa, all of
    which need assembly alteration to support TIF_NOTIFY_RESUME. This allows the
    replacement to be performed at the point the parent process resumes userspace
    execution.

    This allows the userspace AFS pioctl emulation to fully emulate newpag() and
    the VIOCSETTOK and VIOCSETTOK2 pioctls, all of which require the ability to
    alter the parent process's PAG membership. However, since kAFS doesn't use
    PAGs per se, but rather dumps the keys into the session keyring, the session
    keyring of the parent must be replaced if, for example, VIOCSETTOK is passed
    the newpag flag.

    This can be tested with the following program:

    #include
    #include
    #include

    #define KEYCTL_SESSION_TO_PARENT 18

    #define OSERROR(X, S) do { if ((long)(X) == -1) { perror(S); exit(1); } } while(0)

    int main(int argc, char **argv)
    {
    key_serial_t keyring, key;
    long ret;

    keyring = keyctl_join_session_keyring(argv[1]);
    OSERROR(keyring, "keyctl_join_session_keyring");

    key = add_key("user", "a", "b", 1, keyring);
    OSERROR(key, "add_key");

    ret = keyctl(KEYCTL_SESSION_TO_PARENT);
    OSERROR(ret, "KEYCTL_SESSION_TO_PARENT");

    return 0;
    }

    Compiled and linked with -lkeyutils, you should see something like:

    [dhowells@andromeda ~]$ keyctl show
    Session Keyring
    -3 --alswrv 4043 4043 keyring: _ses
    355907932 --alswrv 4043 -1 \_ keyring: _uid.4043
    [dhowells@andromeda ~]$ /tmp/newpag
    [dhowells@andromeda ~]$ keyctl show
    Session Keyring
    -3 --alswrv 4043 4043 keyring: _ses
    1055658746 --alswrv 4043 4043 \_ user: a
    [dhowells@andromeda ~]$ /tmp/newpag hello
    [dhowells@andromeda ~]$ keyctl show
    Session Keyring
    -3 --alswrv 4043 4043 keyring: hello
    340417692 --alswrv 4043 4043 \_ user: a

    Where the test program creates a new session keyring, sticks a user key named
    'a' into it and then installs it on its parent.

    Signed-off-by: David Howells
    Signed-off-by: James Morris

    David Howells
     

01 Sep, 2009

1 commit

  • 2b980dbd7   lsm: Add hooks to the TUN driver ... Browse Code »

    The TUN driver lacks any LSM hooks which makes it difficult for LSM modules,
    such as SELinux, to enforce access controls on network traffic generated by
    TUN users; this is particularly problematic for virtualization apps such as
    QEMU and KVM. This patch adds three new LSM hooks designed to control the
    creation and attachment of TUN devices, the hooks are:

    * security_tun_dev_create()
    Provides access control for the creation of new TUN devices

    * security_tun_dev_post_create()
    Provides the ability to create the necessary socket LSM state for newly
    created TUN devices

    * security_tun_dev_attach()
    Provides access control for attaching to existing, persistent TUN devices
    and the ability to update the TUN device's socket LSM state as necessary

    Signed-off-by: Paul Moore
    Acked-by: Eric Paris
    Acked-by: Serge Hallyn
    Acked-by: David S. Miller
    Signed-off-by: James Morris

    Paul Moore
     

14 Aug, 2009

1 commit

  • 9188499cd   security: introducing security_request_module ... Browse Code »

    Calling request_module() will trigger a userspace upcall which will load a
    new module into the kernel. This can be a dangerous event if the process
    able to trigger request_module() is able to control either the modprobe
    binary or the module binary. This patch adds a new security hook to
    request_module() which can be used by an LSM to control a processes ability
    to call request_module().

    Signed-off-by: Eric Paris
    Acked-by: Serge Hallyn
    Signed-off-by: James Morris

    Eric Paris
     

06 Aug, 2009

1 commit

  • 7c73875e7   Capabilities: move cap_file_mmap to commoncap.c ... Browse Code »

    Currently we duplicate the mmap_min_addr test in cap_file_mmap and in
    security_file_mmap if !CONFIG_SECURITY. This patch moves cap_file_mmap
    into commoncap.c and then calls that function directly from
    security_file_mmap ifndef CONFIG_SECURITY like all of the other capability
    checks are done.

    Signed-off-by: Eric Paris
    Acked-by: Serge Hallyn
    Signed-off-by: James Morris

    Eric Paris
     

24 Jun, 2009

1 commit

  • 9e48858f7   security: rename ptrace_may_access => ptrace_access_check ... Browse Code »

    The ->ptrace_may_access() methods are named confusingly - the real
    ptrace_may_access() returns a bool, while these security checks have
    a retval convention.

    Rename it to ptrace_access_check, to reduce the confusion factor.

    [ Impact: cleanup, no code changed ]

    Signed-off-by: Ingo Molnar
    Signed-off-by: James Morris

    Ingo Molnar
     

28 Mar, 2009

1 commit

  • 8651d5c0b   lsm: Remove the socket_post_accept() hook ... Browse Code »

    The socket_post_accept() hook is not currently used by any in-tree modules
    and its existence continues to cause problems by confusing people about
    what can be safely accomplished using this hook. If a legitimate need for
    this hook arises in the future it can always be reintroduced.

    Signed-off-by: Paul Moore
    Signed-off-by: James Morris

    Paul Moore
     

01 Jan, 2009

1 commit