26 Sep, 2006
2 commits
-
Change NetLabel to use the 'recvfrom' socket permission and the
SECINITSID_NETMSG SELinux SID as the NetLabel base SID for incoming packets.
This patch effectively makes the old, and currently unused, SELinux NETMSG
permissions NetLabel permissions.Signed-of-by: Paul Moore
Signed-off-by: David S. Miller -
Fix a problem where NetLabel would always set the value of
sk_security_struct->peer_sid in selinux_netlbl_sock_graft() to the context of
the socket, causing problems when users would query the context of the
connection. This patch fixes this so that the value in
sk_security_struct->peer_sid is only set when the connection is NetLabel based,
otherwise the value is untouched.Signed-off-by: Paul Moore
Signed-off-by: David S. Miller
23 Sep, 2006
16 commits
-
The following fixes a bug where random mem is being tampered with in the
non-mls case; encountered by Jashua Brindle on a gentoo box.Signed-off-by: Venkat Yekkirala
Acked-by: Stephen Smalley
Signed-off-by: James Morris -
Add some missing include files to the NetLabel related header files.
Signed-off-by: Paul Moore
Signed-off-by: David S. Miller -
Uninline the selinux_netlbl_inode_permission() at the request of
Andrew Morton.Signed-off-by: Paul Moore
Signed-off-by: David S. Miller -
Rewrite ebitmap_import() so it is a bit cleaner and easier to read.
Signed-off-by: Paul Moore
Signed-off-by: David S. Miller -
Fix some incorrect comments.
Signed-off-by: Paul Moore
Signed-off-by: David S. Miller -
Fix a problem where the NetLabel specific fields of the sk_security_struct
structure were not being initialized early enough in some cases.Signed-off-by: Paul Moore
Signed-off-by: David S. Miller -
This patch makes four needlessly global functions static.
Signed-off-by: Adrian Bunk
Acked-by: James Morris
Signed-off-by: Andrew Morton
Signed-off-by: David S. Miller -
Add NetLabel support to the SELinux LSM and modify the
socket_post_create() LSM hook to return an error code. The most
significant part of this patch is the addition of NetLabel hooks into
the following SELinux LSM hooks:* selinux_file_permission()
* selinux_socket_sendmsg()
* selinux_socket_post_create()
* selinux_socket_sock_rcv_skb()
* selinux_socket_getpeersec_stream()
* selinux_socket_getpeersec_dgram()
* selinux_sock_graft()
* selinux_inet_conn_request()The basic reasoning behind this patch is that outgoing packets are
"NetLabel'd" by labeling their socket and the NetLabel security
attributes are checked via the additional hook in
selinux_socket_sock_rcv_skb(). NetLabel itself is only a labeling
mechanism, similar to filesystem extended attributes, it is up to the
SELinux enforcement mechanism to perform the actual access checks.In addition to the changes outlined above this patch also includes
some changes to the extended bitmap (ebitmap) and multi-level security
(mls) code to import and export SELinux TE/MLS attributes into and out
of NetLabel.Signed-off-by: Paul Moore
Signed-off-by: David S. Miller -
The following patch will fix the build problem (encountered by Andrew
Morton) when SECURITY_NETWORK_XFRM is not enabled.As compared to git-net-selinux_xfrm_decode_session-build-fix.patch in
-mm, this patch sets the return parameter sid to SECSID_NULL in
selinux_xfrm_decode_session() and handles this value in the caller
selinux_inet_conn_request() appropriately.Signed-off-by: Venkat Yekkirala
Acked-by: James Morris
Signed-off-by: David S. Miller -
This automatically labels the TCP, Unix stream, and dccp child sockets
as well as openreqs to be at the same MLS level as the peer. This will
result in the selection of appropriately labeled IPSec Security
Associations.This also uses the sock's sid (as opposed to the isec sid) in SELinux
enforcement of secmark in rcv_skb and postroute_last hooks.Signed-off-by: Venkat Yekkirala
Signed-off-by: David S. Miller -
This defaults the label of socket-specific IPSec policies to be the
same as the socket they are set on.Signed-off-by: Venkat Yekkirala
Signed-off-by: David S. Miller -
This labels the flows that could utilize IPSec xfrms at the points the
flows are defined so that IPSec policy and SAs at the right label can
be used.The following protos are currently not handled, but they should
continue to be able to use single-labeled IPSec like they currently
do.ipmr
ip_gre
ipip
igmp
sit
sctp
ip6_tunnel (IPv6 over IPv6 tunnel device)
decnetSigned-off-by: Venkat Yekkirala
Signed-off-by: David S. Miller -
This implements a seemless mechanism for xfrm policy selection and
state matching based on the flow sid. This also includes the necessary
SELinux enforcement pieces.Signed-off-by: Venkat Yekkirala
Signed-off-by: David S. Miller -
This adds security for IP sockets at the sock level. Security at the
sock level is needed to enforce the SELinux security policy for
security associations even when a sock is orphaned (such as in the TCP
LAST_ACK state).This will also be used to enforce SELinux controls over data arriving
at or leaving a child socket while it's still waiting to be accepted.Signed-off-by: Venkat Yekkirala
Signed-off-by: David S. Miller -
This defines a routine that combines the Type Enforcement portion of
one sid with the MLS portion from the other sid to arrive at a new
sid. This would be used to define a sid for a security association
that is to be negotiated by IKE as well as for determing the sid for
open requests and connection-oriented child sockets.Signed-off-by: Venkat Yekkirala
Signed-off-by: David S. Miller -
The current approach to labeling Security Associations for SELinux
purposes uses a one-to-one mapping between xfrm policy rules and
security associations.This doesn't address the needs of real world MLS (Multi-level System,
traditional Bell-LaPadula) environments where a single xfrm policy
rule (pertaining to a range, classified to secret for example) might
need to map to multiple Security Associations (one each for
classified, secret, top secret and all the compartments applicable to
these security levels).This patch set addresses the above problem by allowing for the mapping
of a single xfrm policy rule to multiple security associations, with
each association used in the security context it is defined for. It
also includes the security context to be used in IKE negotiation in
the acquire messages sent to the IKE daemon so that a unique SA can be
negotiated for each unique security context. A couple of bug fixes are
also included; checks to make sure the SAs used by a packet match
policy (security context-wise) on the inbound and also that the bundle
used for the outbound matches the security context of the flow. This
patch set also makes the use of the SELinux sid in flow cache lookups
seemless by including the sid in the flow key itself. Also, open
requests as well as connection-oriented child sockets are labeled
automatically to be at the same level as the peer to allow for use of
appropriately labeled IPSec associations.Description of changes:
A "sid" member has been added to the flow cache key resulting in the
sid being available at all needed locations and the flow cache lookups
automatically using the sid. The flow sid is derived from the socket
on the outbound and the SAs (unlabeled where an SA was not used) on
the inbound.Outbound case:
1. Find policy for the socket.2. OLD: Find an SA that matches the policy.
NEW: Find an SA that matches BOTH the policy and the flow/socket.
This is necessary since not every SA that matches the policy
can be used for the flow/socket. Consider policy range Secret-TS,
and SAs each for Secret and TS. We don't want a TS socket to
use the Secret SA. Hence the additional check for the SA Vs. flow/socket.3. NEW: When looking thru bundles for a policy, make sure the
flow/socket can use the bundle. If a bundle is not found,
create one, calling for IKE if necessary. If using IKE,
include the security context in the acquire message to the IKE
daemon.Inbound case:
1. OLD: Find policy for the socket.
NEW: Find policy for the incoming packet based on the sid of the
SA(s) it used or the unlabeled sid if no SAs were
used. (Consider a case where a socket is "authorized" for two
policies (unclassified-confidential, secret-top_secret). If the
packet has come in using a secret SA, we really ought to be
using the latter policy (secret-top_secret).)2. OLD: BUG: No check to see if the SAs used by the packet agree with
the policy sec_ctx-wise.(It was indicated in selinux_xfrm_sock_rcv_skb() that
this was being accomplished by
(x->id.spi == tmpl->id.spi || !tmpl->id.spi) in xfrm_state_ok,
but it turns out tmpl->id.spi
would normally be zero (unless xfrm policy rules specify one
at the template level, which they usually don't).
NEW: The socket is checked for access to the SAs used (based on the
sid of the SAs) in selinux_xfrm_sock_rcv_skb().Forward case:
This would be Step 1 from the Inbound case, followed by Steps 2 and 3
from the Outbound case.Outstanding items/issues:
- Timewait acknowledgements and such are generated in the
current/upstream implementation using a NULL socket resulting in the
any_socket sid (SYSTEM_HIGH) to be used. This problem is not addressed
by this patch set.This patch: Add new flask definitions to SELinux
Adds a new avperm "polmatch" to arbitrate flow/state access to a xfrm
policy rule.Signed-off-by: Venkat Yekkirala
Signed-off-by: David S. Miller
21 Sep, 2006
1 commit
-
This patch converts all remaining crypto_digest users to use the new
crypto_hash interface.Signed-off-by: Herbert Xu
03 Aug, 2006
1 commit
-
From: Catherine Zhang
This patch implements a cleaner fix for the memory leak problem of the
original unix datagram getpeersec patch. Instead of creating a
security context each time a unix datagram is sent, we only create the
security context when the receiver requests it.This new design requires modification of the current
unix_getsecpeer_dgram LSM hook and addition of two new hooks, namely,
secid_to_secctx and release_secctx. The former retrieves the security
context and the latter releases it. A hook is required for releasing
the security context because it is up to the security module to decide
how that's done. In the case of Selinux, it's a simple kfree
operation.Acked-by: Stephen Smalley
Signed-off-by: David S. Miller
01 Aug, 2006
2 commits
-
Initializes newcontext sooner to allow for its destruction in all cases.
Signed-off-by: Venkat Yekkirala
Signed-off-by: Stephen Smalley
Acked-by: James Morris
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
This patch fixes a memory leak when a policydb structure is destroyed.
Signed-off-by: Darrel Goeddel
Signed-off-by: Stephen Smalley
Acked-by: James Morris
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
15 Jul, 2006
1 commit
-
After some discussion on the actual meaning of the filesystem class
security check in try context mount it was determined that the checks for
the context= mount options were not correct if fscontext mount option had
already been used.When labeling the superblock we should be checking relabel_from and
relabel_to. But if the superblock has already been labeled (with
fscontext) then context= is actually labeling the inodes, and so we should
be checking relabel_from and associate. This patch fixes which checks are
called depending on the mount options.Signed-off-by: Eric Paris
Acked-by: Stephen Smalley
Acked-by: James Morris
Cc: Chris Wright
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
11 Jul, 2006
2 commits
-
Introduce a new rootcontext= option to FS mounting. This option will allow
you to explicitly label the root inode of an FS being mounted before that
FS or inode because visible to userspace. This was found to be useful for
things like stateless linux, see
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=190001Signed-off-by: Eric Paris
Acked-by: Stephen Smalley
Signed-off-by: James Morris
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
Remove the conflict between fscontext and context mount options. If
context= is specified without fscontext it will operate just as before, if
both are specified we will use mount point labeling and all inodes will get
the label specified by context=. The superblock will be labeled with the
label of fscontext=, thus affecting operations which check the superblock
security context, such as associate permissions.Signed-off-by: Eric Paris
Acked-by: Stephen Smalley
Signed-off-by: James Morris
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
01 Jul, 2006
6 commits
-
This patch introduces object audit filters based on the elements
of the SELinux context.Signed-off-by: Darrel Goeddel
Acked-by: Stephen Smalleykernel/auditfilter.c | 25 +++++++++++++++++++++++++
kernel/auditsc.c | 40 ++++++++++++++++++++++++++++++++++++++++
security/selinux/ss/services.c | 18 +++++++++++++++++-
3 files changed, 82 insertions(+), 1 deletion(-)
Signed-off-by: Al Viro -
This patch renames some audit constant definitions and adds
additional definitions used by the following patch. The renaming
avoids ambiguity with respect to the new definitions.Signed-off-by: Darrel Goeddel
include/linux/audit.h | 15 ++++++++----
kernel/auditfilter.c | 50 ++++++++++++++++++++---------------------
kernel/auditsc.c | 10 ++++----
security/selinux/ss/services.c | 32 +++++++++++++-------------
4 files changed, 56 insertions(+), 51 deletions(-)
Signed-off-by: Al Viro -
* git://git.kernel.org/pub/scm/linux/kernel/git/bunk/trivial:
Remove obsolete #include
remove obsolete swsusp_encrypt
arch/arm26/Kconfig typos
Documentation/IPMI typos
Kconfig: Typos in net/sched/Kconfig
v9fs: do not include linux/version.h
Documentation/DocBook/mtdnand.tmpl: typo fixes
typo fixes: specfic -> specific
typo fixes in Documentation/networking/pktgen.txt
typo fixes: occuring -> occurring
typo fixes: infomation -> information
typo fixes: disadvantadge -> disadvantage
typo fixes: aquire -> acquire
typo fixes: mecanism -> mechanism
typo fixes: bandwith -> bandwidth
fix a typo in the RTC_CLASS help text
smb is no longer maintainedManually merged trivial conflict in arch/um/kernel/vmlinux.lds.S
-
Add a new security hook definition for the sys_ioprio_get operation. At
present, the SELinux hook function implementation for this hook is
identical to the getscheduler implementation but a separate hook is
introduced to allow this check to be specialized in the future if
necessary.This patch also creates a helper function get_task_ioprio which handles the
access check in addition to retrieving the ioprio value for the task.Signed-off-by: David Quigley
Acked-by: Stephen Smalley
Signed-off-by: James Morris
Cc: Jens Axboe
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
This patch extends the security_task_kill hook to handle signals sent by AIO
completion. In this case, the secid of the task responsible for the signal
needs to be obtained and saved earlier, so a security_task_getsecid() hook is
added, and then this saved value is passed subsequently to the extended
task_kill hook for use in checking.Signed-off-by: David Quigley
Signed-off-by: James Morris
Cc: Stephen Smalley
Cc: Chris Wright
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
Signed-off-by: Jörn Engel
Signed-off-by: Adrian Bunk
30 Jun, 2006
3 commits
-
This patch implements an API whereby an application can determine the
label of its peer's Unix datagram sockets via the auxiliary data mechanism of
recvmsg.Patch purpose:
This patch enables a security-aware application to retrieve the
security context of the peer of a Unix datagram socket. The application
can then use this security context to determine the security context for
processing on behalf of the peer who sent the packet.Patch design and implementation:
The design and implementation is very similar to the UDP case for INET
sockets. Basically we build upon the existing Unix domain socket API for
retrieving user credentials. Linux offers the API for obtaining user
credentials via ancillary messages (i.e., out of band/control messages
that are bundled together with a normal message). To retrieve the security
context, the application first indicates to the kernel such desire by
setting the SO_PASSSEC option via getsockopt. Then the application
retrieves the security context using the auxiliary data mechanism.An example server application for Unix datagram socket should look like this:
toggle = 1;
toggle_len = sizeof(toggle);setsockopt(sockfd, SOL_SOCKET, SO_PASSSEC, &toggle, &toggle_len);
recvmsg(sockfd, &msg_hdr, 0);
if (msg_hdr.msg_controllen > sizeof(struct cmsghdr)) {
cmsg_hdr = CMSG_FIRSTHDR(&msg_hdr);
if (cmsg_hdr->cmsg_len cmsg_level == SOL_SOCKET &&
cmsg_hdr->cmsg_type == SCM_SECURITY) {
memcpy(&scontext, CMSG_DATA(cmsg_hdr), sizeof(scontext));
}
}sock_setsockopt is enhanced with a new socket option SOCK_PASSSEC to allow
a server socket to receive security context of the peer.Testing:
We have tested the patch by setting up Unix datagram client and server
applications. We verified that the server can retrieve the security context
using the auxiliary data mechanism of recvmsg.Signed-off-by: Catherine Zhang
Acked-by: Acked-by: James Morris
Signed-off-by: David S. Miller -
This patch encapsulates the usage of eff_cap (in netlink_skb_params) within
the security framework by extending security_netlink_recv to include a required
capability parameter and converting all direct usage of eff_caps outside
of the lsm modules to use the interface. It also updates the SELinux
implementation of the security_netlink_send and security_netlink_recv
hooks to take advantage of the sid in the netlink_skb_params struct.
This also enables SELinux to perform auditing of netlink capability checks.
Please apply, for 2.6.18 if possible.Signed-off-by: Darrel Goeddel
Signed-off-by: Stephen Smalley
Acked-by: James Morris
Signed-off-by: David S. Miller -
The proposed NFS key type uses its own method of passing key requests to
userspace (upcalling) rather than invoking /sbin/request-key. This is
because the responsible userspace daemon should already be running and will
be contacted through rpc_pipefs.This patch permits the NFS filesystem to pass auxiliary data to the upcall
operation (struct key_type::request_key) so that the upcaller can use a
pre-existing communications channel more easily.Signed-off-by: David Howells
Acked-By: Kevin Coffman
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
28 Jun, 2006
2 commits
-
Add more poison values to include/linux/poison.h. It's not clear to me
whether some others should be added or not, so I haven't added any of
these:./include/linux/libata.h:#define ATA_TAG_POISON 0xfafbfcfdU
./arch/ppc/8260_io/fcc_enet.c:1918: memset((char *)(&(immap->im_dprambase[(mem_addr+64)])), 0x88, 32);
./drivers/usb/mon/mon_text.c:429: memset(mem, 0xe5, sizeof(struct mon_event_text));
./drivers/char/ftape/lowlevel/ftape-ctl.c:738: memset(ft_buffer[i]->address, 0xAA, FT_BUFF_SIZE);
./drivers/block/sx8.c:/* 0xf is just arbitrary, non-zero noise; this is sorta like poisoning */Signed-off-by: Randy Dunlap
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
Update SELinux to cause the keycreate process attribute held in
/proc/self/attr/keycreate to be inherited across a fork and reset upon
execve. This is consistent with the handling of the other process
attributes provided by SELinux and also makes it simpler to adapt logon
programs to properly handle the keycreate attribute.Signed-off-by: Michael LeMay
Signed-off-by: David Howells
Acked-by: Stephen Smalley
Acked-by: James Morris
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
27 Jun, 2006
4 commits
-
Below is a patch to add a new /proc/self/attr/sockcreate A process may write a
context into this interface and all subsequent sockets created will be labeled
with that context. This is the same idea as the fscreate interface where a
process can specify the label of a file about to be created. At this time one
envisioned user of this will be xinetd. It will be able to better label
sockets for the actual services. At this time all sockets take the label of
the creating process, so all xinitd sockets would just be labeled the same.I tested this by creating a tcp sender and listener. The sender was able to
write to this new proc file and then create sockets with the specified label.
I am able to be sure the new label was used since the avc denial messages
kicked out by the kernel included both the new security permission
setsockcreate and all the socket denials were for the new label, not the label
of the running process.Signed-off-by: Eric Paris
Signed-off-by: James Morris
Cc: Chris Wright
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
Add a /proc//attr/keycreate entry that stores the appropriate context for
newly-created keys. Modify the selinux_key_alloc hook to make use of the new
entry. Update the flask headers to include a new "setkeycreate" permission
for processes. Update the flask headers to include a new "create" permission
for keys. Use the create permission to restrict which SIDs each task can
assign to newly-created keys. Add a new parameter to the security hook
"security_key_alloc" to indicate whether it is being invoked by the kernel, or
from userspace. If it is being invoked by the kernel, the security hook
should never fail. Update the documentation to reflect these changes.Signed-off-by: Michael LeMay
Signed-off-by: James Morris
Signed-off-by: David Howells
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
Restrict /proc/keys such that only those keys to which the current task is
granted View permission are presented.The documentation is also updated to reflect these changes.
Signed-off-by: Michael LeMay
Signed-off-by: James Morris
Signed-off-by: David Howells
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
Cause key_alloc_serial() to generate key serial numbers randomly rather than
in linear sequence.Using an linear sequence permits a covert communication channel to be
established, in which one process can communicate with another by creating or
not creating new keys within a certain timeframe. The second process can
probe for the expected next key serial number and judge its existence by the
error returned.This is a problem as the serial number namespace is globally shared between
all tasks, regardless of their context.For more information on this topic, this old TCSEC guide is recommended:
http://www.radium.ncsc.mil/tpep/library/rainbow/NCSC-TG-030.html
Signed-off-by: Michael LeMay
Signed-off-by: James Morris
Signed-off-by: David Howells
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
