21 Dec, 2019
1 commit
-
In AVC update we don't call avc_node_kill() when avc_xperms_populate()
fails, resulting in the avc->avc_cache.active_nodes counter having a
false value. In the last patch this change was missed, so correcting it.
Fixes: fa1aa143ac4a ("selinux: extended permissions for ioctls")
Signed-off-by: Jaihind Yadav
Signed-off-by: Ravi Kumar Siddojigari
[PM: merge fuzz, minor description cleanup]
Signed-off-by: Paul Moore
11 Dec, 2019
1 commit
-
Fix avc_insert() to call avc_node_kill() if we've already allocated
an AVC node and the code fails to insert the node in the cache.
Fixes: fa1aa143ac4a ("selinux: extended permissions for ioctls")
Reported-by: rsiddoji@codeaurora.org
Suggested-by: Stephen Smalley
Acked-by: Stephen Smalley
Signed-off-by: Paul Moore
10 Dec, 2019
2 commits
-
commit bda0be7ad994 ("security: make inode_follow_link RCU-walk aware")
passed down the rcu flag to the SELinux AVC, but failed to adjust the
test in slow_avc_audit() to also return -ECHILD on LSM_AUDIT_DATA_DENTRY.
Previously, we only returned -ECHILD if generating an audit record with
LSM_AUDIT_DATA_INODE since this was only relevant from inode_permission.
Move the handling of MAY_NOT_BLOCK to avc_audit() and its inlined
equivalent in selinux_inode_permission() immediately after we determine
that audit is required, and always fall back to ref-walk in this case.
Fixes: bda0be7ad994 ("security: make inode_follow_link RCU-walk aware")
Reported-by: Will Deacon
Suggested-by: Al Viro
Signed-off-by: Stephen Smalley
Signed-off-by: Paul Moore
-
This reverts commit e46e01eebbbc ("selinux: stop passing MAY_NOT_BLOCK
to the AVC upon follow_link"). The correct fix is to instead fall
back to ref-walk if audit is required irrespective of the specific
audit data type. This is done in the next commit.
Fixes: e46e01eebbbc ("selinux: stop passing MAY_NOT_BLOCK to the AVC upon follow_link")
Reported-by: Will Deacon
Signed-off-by: Stephen Smalley
Signed-off-by: Paul Moore
19 Jun, 2019
1 commit
-
Based on 2 normalized pattern(s):
this program is free software you can redistribute it and or modify
it under the terms of the gnu general public license version 2 as
published by the free software foundation
this program is free software you can redistribute it and or modify
it under the terms of the gnu general public license version 2 as
published by the free software foundation #
extracted by the scancode license scanner the SPDX license identifier
GPL-2.0-only
has been chosen to replace the boilerplate/reference in 4122 file(s).
Signed-off-by: Thomas Gleixner
Reviewed-by: Enrico Weigelt
Reviewed-by: Kate Stewart
Reviewed-by: Allison Randal
Cc: linux-spdx@vger.kernel.org
Link: https://lkml.kernel.org/r/20190604081206.933168790@linutronix.de
Signed-off-by: Greg Kroah-Hartman
12 Jun, 2019
1 commit
-
These strings may come from untrusted sources (e.g. file xattrs) so they
need to be properly escaped.
Reproducer:
# setenforce 0
# touch /tmp/test
# setfattr -n security.selinux -v 'kuřecí řízek' /tmp/test
# runcon system_u:system_r:sshd_t:s0 cat /tmp/test
(look at the generated AVCs)
Actual result:
type=AVC [...] trawcon=kuřecí řízek
Expected result:
type=AVC [...] trawcon=6B75C5996563C3AD20C599C3AD7A656B
Fixes: fede148324c3 ("selinux: log invalid contexts in AVCs")
Cc: stable@vger.kernel.org # v5.1+
Signed-off-by: Ondrej Mosnacek
Acked-by: Richard Guy Briggs
Signed-off-by: Paul Moore
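As an added illustration of the escaping this commit calls for (example code written for this page, not the kernel's own audit_log_untrustedstring()), the function below applies the rule assumed here: a string is logged verbatim only when every byte is printable ASCII other than space and double quote, otherwise it is emitted as uppercase hex, which reproduces the expected trawcon= value from the reproducer above and keeps an attacker-chosen xattr from injecting spaces, quotes or control bytes into a one-line audit record.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed rule (modelled on the audit subsystem's treatment of untrusted
 * strings): anything that is not printable ASCII, plus space and double
 * quote, forces the whole string to be hex-encoded. */
static bool needs_hex_encoding(const unsigned char *s, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (s[i] == '"' || s[i] < 0x21 || s[i] > 0x7e)
            return true;
    }
    return false;
}

/* Copy s into out either verbatim or as uppercase hex (the form shown in
 * the commit's expected trawcon= value). Returns the number of characters
 * written, not counting the terminating NUL, or -1 if out is too small. */
int audit_escape_untrusted(const char *s, char *out, size_t outlen)
{
    const unsigned char *u = (const unsigned char *)s;
    size_t len = strlen(s);

    if (!needs_hex_encoding(u, len)) {
        if (len + 1 > outlen)
            return -1;
        memcpy(out, s, len + 1);
        return (int)len;
    }
    if (len * 2 + 1 > outlen)
        return -1;
    for (size_t i = 0; i < len; i++)
        snprintf(out + 2 * i, 3, "%02X", u[i]);
    return (int)(len * 2);
}

/* Stand-alone demo over two constructed inputs: the UTF-8 xattr value from
 * the reproducer ("kuřecí řízek", written as byte escapes) and a well-formed
 * but unknown context of the kind the trawcon= field was added for. */
int main(void)
{
    const char *inputs[] = {
        "ku\xc5\x99" "ec\xc3\xad" " \xc5\x99\xc3\xad" "zek",
        "system_u:object_r:banana_t:s0",
    };
    char buf[128];

    for (size_t i = 0; i < 2; i++) {
        if (audit_escape_untrusted(inputs[i], buf, sizeof buf) < 0)
            return 1;
        printf("type=AVC [...] trawcon=%s\n", buf);
    }
    return 0;
}
```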
06 Feb, 2019
1 commit
-
commit a2c513835bb6c6 ("selinux: inline some AVC functions used only once")
introduced usage of audit_log_string() in place of audit_log_format()
for fixed strings. However, audit_log_string() quotes the string.
This breaks the avc audit message format and userspace audit parsers.
Switch back to using audit_log_format().
Fixes: a2c513835bb6c6 ("selinux: inline some AVC functions used only once")
Signed-off-by: Stephen Smalley
Signed-off-by: Paul Moore
29 Jan, 2019
1 commit
-
These checks are only guarding against programming errors that could
silently grant too many permissions. These cases are better handled with
WARN_ON(), since it doesn't really help much to crash the machine in
this case.
Signed-off-by: Ondrej Mosnacek
Reviewed-by: Stephen Smalley
Signed-off-by: Paul Moore
26 Jan, 2019
3 commits
-
In case a file has an invalid context set, in an AVC record generated
upon access to such file, the target context is always reported as
unlabeled. This patch adds new optional fields to the AVC record
(srawcon and trawcon) that report the actual context string if it
differs from the one reported in scontext/tcontext. This is useful for
diagnosing SELinux denials involving invalid contexts.
To trigger an AVC that illustrates this situation:
# setenforce 0
# touch /tmp/testfile
# setfattr -n security.selinux -v system_u:object_r:banana_t:s0 /tmp/testfile
# runcon system_u:system_r:sshd_t:s0 cat /tmp/testfile
AVC before:
type=AVC msg=audit(1547801083.248:11): avc: denied { open } for pid=1149 comm="cat" path="/tmp/testfile" dev="tmpfs" ino=6608 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file permissive=1
AVC after:
type=AVC msg=audit(1547801083.248:11): avc: denied { open } for pid=1149 comm="cat" path="/tmp/testfile" dev="tmpfs" ino=6608 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unlabeled_t:s15:c0.c1023 tclass=file permissive=1 trawcon=system_u:object_r:banana_t:s0
Note that it is also possible to encounter this situation with the
'scontext' field - e.g. when a new policy is loaded while a process is
running, whose context is not valid in the new policy.
Link: https://bugzilla.redhat.com/show_bug.cgi?id=1135683
Cc: Daniel Walsh
Signed-off-by: Ondrej Mosnacek
Reviewed-by: Stephen Smalley
Signed-off-by: Paul Moore
-
We don't need to crash the machine in these cases. Let's just detect the
buggy state early and error out with a warning.
Signed-off-by: Ondrej Mosnacek
Reviewed-by: Stephen Smalley
Signed-off-by: Paul Moore
-
avc_dump_av() and avc_dump_query() are each used only in one place. Get
rid of them and open code their contents in the call sites.
Signed-off-by: Ondrej Mosnacek
Reviewed-by: Stephen Smalley
Signed-off-by: Paul Moore
11 Jan, 2019
2 commits
-
commit bda0be7ad9948 ("security: make inode_follow_link RCU-walk aware")
switched selinux_inode_follow_link() to use avc_has_perm_flags() and
pass down the MAY_NOT_BLOCK flag if called during RCU walk. However,
the only test of MAY_NOT_BLOCK occurs during slow_avc_audit()
and only if passing an inode as audit data (LSM_AUDIT_DATA_INODE). Since
selinux_inode_follow_link() passes a dentry directly, passing MAY_NOT_BLOCK
here serves no purpose. Switch selinux_inode_follow_link() to use
avc_has_perm() and drop avc_has_perm_flags() since there are no other
users.
Signed-off-by: Stephen Smalley
Signed-off-by: Paul Moore
-
commit 0dc1ba24f7fff6 ("SELINUX: Make selinux cache VFS RCU walks safe")
results in no audit messages at all if in permissive mode because the
cache is updated during the rcu walk and thus no denial occurs on
the subsequent ref walk. Fix this by not updating the cache when
performing a non-blocking permission check. This only affects search
and symlink read checks during rcu walk.
Fixes: 0dc1ba24f7fff6 ("SELINUX: Make selinux cache VFS RCU walks safe")
Reported-by: BMK
Signed-off-by: Stephen Smalley
Signed-off-by: Paul Moore
20 Jun, 2018
1 commit
-
Replace printk with pr_* to avoid checkpatch warnings.
Signed-off-by: Peter Enderborg
Signed-off-by: Paul Moore
21 Mar, 2018
1 commit
-
Wrap the AVC state within the selinux_state structure and
pass it explicitly to all AVC functions. The AVC private state
is encapsulated in a selinux_avc structure that is referenced
from the selinux_state.
This change should have no effect on SELinux behavior or
APIs (userspace or LSM).
Signed-off-by: Stephen Smalley
Reviewed-by: James Morris
Signed-off-by: Paul Moore
03 Mar, 2018
1 commit
-
Rename is_enforcing() to enforcing_enabled() and
enforcing_set() to set_enforcing().
Signed-off-by: Paul Moore
02 Mar, 2018
1 commit
-
Define a selinux state structure (struct selinux_state) for
global SELinux state and pass it explicitly to all security server
functions. The public portion of the structure contains state
that is used throughout the SELinux code, such as the enforcing mode.
The structure also contains a pointer to a selinux_ss structure whose
definition is private to the security server and contains security
server specific state such as the policy database and SID table.
This change should have no effect on SELinux behavior or APIs
(userspace or LSM). It merely wraps SELinux state and passes it
explicitly as needed.
Signed-off-by: Stephen Smalley
[PM: minor fixups needed due to collisions with the SCTP patches]
Signed-off-by: Paul Moore
13 Sep, 2017
1 commit
-
Pull selinux updates from Paul Moore:
"A relatively quiet period for SELinux, 11 patches with only two/three
having any substantive changes.
These noteworthy changes include another tweak to the NNP/nosuid
handling, per-file labeling for cgroups, and an object class fix for
AF_UNIX/SOCK_RAW sockets; the rest of the changes are minor tweaks or
administrative updates (Stephen's email update explains the file
explosion in the diffstat).
Everything passes the selinux-testsuite"
[ Also a couple of small patches from the security tree from Tetsuo
Handa for Tomoyo and LSM cleanup. The separation of security policy
updates wasn't all that clean - Linus ]
* tag 'selinux-pr-20170831' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
selinux: constify nf_hook_ops
selinux: allow per-file labeling for cgroupfs
lsm_audit: update my email address
selinux: update my email address
MAINTAINERS: update the NetLabel and Labeled Networking information
selinux: use GFP_NOWAIT in the AVC kmem_caches
selinux: Generalize support for NNP/nosuid SELinux domain transitions
selinux: genheaders should fail if too many permissions are defined
selinux: update the selinux info in MAINTAINERS
credits: update Paul Moore's info
selinux: Assign proper class to PF_UNIX/SOCK_RAW sockets
tomoyo: Update URLs in Documentation/admin-guide/LSM/tomoyo.rst
LSM: Remove security_task_create() hook.
05 Sep, 2017
1 commit
-
In the process of normalizing audit log messages, it was noticed that the AVC
initialization code registered an audit log KERNEL record that didn't fit the
standard format. In the process of attempting to normalize it it was
determined that this record was not even necessary. Remove it.
Ref: http://marc.info/?l=selinux&m=149614868525826&w=2
See: https://github.com/linux-audit/audit-kernel/issues/48
Signed-off-by: Richard Guy Briggs
Acked-by: Stephen Smalley
Acked-by: Steve Grubb
Signed-off-by: Paul Moore
18 Aug, 2017
1 commit
-
Update my email address since epoch.ncsc.mil no longer exists.
MAINTAINERS and CREDITS are already correct.
Signed-off-by: Stephen Smalley
Signed-off-by: Paul Moore
08 Aug, 2017
1 commit
-
There is a strange __GFP_NOMEMALLOC usage pattern in SELinux,
specifically GFP_ATOMIC | __GFP_NOMEMALLOC which doesn't make much
sense. GFP_ATOMIC on its own allows to access memory reserves while
__GFP_NOMEMALLOC dictates we cannot use memory reserves. Replace this
with the much more sane GFP_NOWAIT in the AVC code as we can tolerate
memory allocation failures in that code.
Signed-off-by: Michal Hocko
Acked-by: Mel Gorman
Signed-off-by: Paul Moore
15 Aug, 2015
1 commit
14 Jul, 2015
2 commits
-
Ensure that we catch any cases where tclass == 0.
Signed-off-by: Stephen Smalley
Signed-off-by: Paul Moore
-
Add extended permissions logic to selinux. Extended permissions
provide additional permissions in 256 bit increments. Extend the
generic ioctl permission check to use the extended permissions for
per-command filtering. Source/target/class sets including the ioctl
permission may additionally include a set of commands. Example:
allowxperm : ioctl unpriv_app_socket_cmds
auditallowxperm : ioctl priv_gpu_cmds
Where unpriv_app_socket_cmds and priv_gpu_cmds are macros
representing commonly granted sets of ioctl commands.
When ioctl commands are omitted only the permissions are checked.
This feature is intended to provide finer granularity for the ioctl
permission that may be too imprecise. For example, the same driver
may use ioctls to provide important and benign functionality such as
driver version or socket type as well as dangerous capabilities such
as debugging features, read/write/execute to physical memory or
access to sensitive data. Per-command filtering provides a mechanism
to reduce the attack surface of the kernel, and limit applications
to the subset of commands required.
The format of the policy binary has been modified to include ioctl
commands, and the policy version number has been incremented to
POLICYDB_VERSION_XPERMS_IOCTL=30 to account for the format
change.
The extended permissions logic is deliberately generic to allow
components to be reused e.g. netlink filters
Signed-off-by: Jeff Vander Stoep
Acked-by: Nick Kralevich
Signed-off-by: Paul Moore
11 May, 2015
1 commit
-
This allows MAY_NOT_BLOCK to be passed, in RCU-walk mode, through
the new avc_has_perm_flags() to avc_audit() and thence the slow_avc_audit.
Signed-off-by: NeilBrown
Signed-off-by: Al Viro
07 Apr, 2015
1 commit
-
Commit f01e1af445fa ("selinux: don't pass in NULL avd to avc_has_perm_noaudit")
made this pointer reassignment unnecessary. Avd should continue to reference
the stack-based copy.
Signed-off-by: Jeff Vander Stoep
Acked-by: Stephen Smalley
[PM: tweaked subject line]
Signed-off-by: Paul Moore
05 Feb, 2015
1 commit
-
Remove the function avc_sidcmp() that is not used anywhere.
This was partially found by using a static code analysis program called cppcheck.
Signed-off-by: Rickard Strandqvist
[PM: rewrite the patch subject line]
Signed-off-by: Paul Moore
04 Jun, 2014
1 commit
-
We cannot presently tell from an avc: denied message whether access was in
fact denied or was allowed due to global or per-domain permissive mode.
Add a permissive= field to the avc message to reflect this information.
Signed-off-by: Stephen Smalley
Acked-by: Eric Paris
Signed-off-by: Paul Moore
05 Oct, 2013
2 commits
-
Now avc_audit() has no more users with that parameter. Remove it.
Signed-off-by: Linus Torvalds
-
.. so get rid of it. The only indirect users were all the
avc_has_perm() callers which just expanded to have a zero flags
argument.
Signed-off-by: Linus Torvalds
28 Feb, 2013
1 commit
-
I'm not sure why, but the hlist for each entry iterators were conceived
list_for_each_entry(pos, head, member)
The hlist ones were greedy and wanted an extra parameter:
hlist_for_each_entry(tpos, pos, head, member)
Why did they need an extra pos parameter? I'm not quite sure. Not only
they don't really need it, it also prevents the iterator from looking
exactly like the list iterator, which is unfortunate.
Besides the semantic patch, there was some manual work required:
- Fix up the actual hlist iterators in linux/list.h
- Fix up the declaration of other iterators based on the hlist ones.
- A very small amount of places were using the 'node' parameter, this
was modified to use 'obj->member' instead.
- Coccinelle didn't handle the hlist_for_each_entry_safe iterator
properly, so those had to be fixed up manually.
The semantic patch which is mostly the work of Peter Senna Tschudin is here:
@@
iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;
type T;
expression a,c,d,e;
identifier b;
statement S;
@@
-T b;
[akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
[akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
[akpm@linux-foundation.org: checkpatch fixes]
[akpm@linux-foundation.org: fix warnings]
[akpm@linux-foudnation.org: redo intrusive kvm changes]
Tested-by: Peter Senna Tschudin
Acked-by: Paul E. McKenney
Signed-off-by: Sasha Levin
Cc: Wu Fengguang
Cc: Marcelo Tosatti
Cc: Gleb Natapov
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
01 Aug, 2012
1 commit
-
Failing to allocate a cache entry will only harm performance not
correctness. Do not consume valuable reserve pages for something like
that.
Signed-off-by: Peter Zijlstra
Signed-off-by: Mel Gorman
Acked-by: Eric Paris
Acked-by: Rik van Riel
Cc: James Morris
Cc: Christoph Hellwig
Cc: David S. Miller
Cc: Eric B Munson
Cc: Mel Gorman
Cc: Mike Christie
Cc: Neil Brown
Cc: Sebastian Andrzej Siewior
Cc: Trond Myklebust
Cc: Xiaotian Feng
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
10 Apr, 2012
6 commits
-
avc_add_callback is now just used for registering reset functions
in initcalls, and the callback functions just did reset operations.
So, reducing the arguments to only one event is enough now.
Signed-off-by: Wanlong Gao
Signed-off-by: Eric Paris
-
avc_add_callback is now only called from initcalls, so replace the
weak GFP_ATOMIC with GFP_KERNEL, and mark this function __init
to make a warning when it is not called from initcalls.
Signed-off-by: Wanlong Gao
Signed-off-by: Eric Paris
-
We no longer need the distinction. We only need data after we decide to do an
audit. So turn the "late" audit data into just "data" and remove what we
currently have as "data".
Signed-off-by: Eric Paris
-
It isn't needed. If you don't set the type of the data associated with
that type it is a pretty obvious programming bug. So why waste the cycles?
Signed-off-by: Eric Paris
-
Just open code it so grep on the source code works better.
Signed-off-by: Eric Paris
-
We pay a rather large overhead initializing the common_audit_data.
Since we only need this information if we actually emit an audit
message there is little need to set it up in the hot path. This patch
splits the functionality of avc_has_perm() into avc_has_perm_noaudit(),
avc_audit_required() and slow_avc_audit(). But we take care of setting
up to audit between required() and the actual audit call. Thus saving
measurable time in a hot path.
Signed-off-by: Stephen Smalley
Signed-off-by: Eric Paris
04 Apr, 2012
2 commits
-
It just bloats the audit data structure for no good reason, since the
only time those fields are filled are just before calling the
common_lsm_audit() function, which is also the only user of those
fields.
So just make them be the arguments to common_lsm_audit(), rather than
bloating that structure that is passed around everywhere, and is
initialized in hot paths.
Signed-off-by: Linus Torvalds
-
Instead of declaring the entire selinux_audit_data on the stack when we
start an operation, only declare it on the stack if we are going to use it.
We know its usefulness at the end of the security decision and can declare
it there.
Signed-off-by: Eric Paris
Signed-off-by: Linus Torvalds