01 Jun, 2012
2 commits
-
... i.e. file-dependent and address-dependent checks.
Signed-off-by: Al Viro
-
... switch callers.
Signed-off-by: Al Viro
22 May, 2012
1 commit
-
Per pull request, for 3.5.
19 May, 2012
2 commits
-
BugLink: http://bugs.launchpad.net/bugs/955892
All failures from __d_path where being treated as disconnected paths,
however __d_path can also fail when the generated pathname is too long.The initial ENAMETOOLONG error was being lost, and ENAMETOOLONG was only
returned if the subsequent dentry_path call resulted in that error. Other
wise if the path was split across a mount point such that the dentry_path
fit within the buffer when the __d_path did not the failure was treated
as a disconnected path.Signed-off-by: John Johansen
-
BugLink: http://bugs.launchpad.net/bugs/978038
also affects apparmor portion of
BugLink: http://bugs.launchpad.net/bugs/987371The unconfined profile is not stored in the regular profile list, but
change_profile and exec transitions may want access to it when setting
up specialized transitions like switch to the unconfined profile of a
new policy namespace.Signed-off-by: John Johansen
14 Apr, 2012
2 commits
-
Add support for AppArmor to explicitly fail requested domain transitions
if NO_NEW_PRIVS is set and the task is not unconfined.Transitions from unconfined are still allowed because this always results
in a reduction of privileges.Acked-by: Eric Paris
Signed-off-by: Will Drewry
Signed-off-by: John Johansen
Signed-off-by: Andy Lutomirskiv18: new acked-by, new description
Signed-off-by: James Morris -
With this change, calling
prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)
disables privilege granting operations at execve-time. For example, a
process will not be able to execute a setuid binary to change their uid
or gid if this bit is set. The same is true for file capabilities.Additionally, LSM_UNSAFE_NO_NEW_PRIVS is defined to ensure that
LSMs respect the requested behavior.To determine if the NO_NEW_PRIVS bit is set, a task may call
prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
It returns 1 if set and 0 if it is not set. If any of the arguments are
non-zero, it will return -1 and set errno to -EINVAL.
(PR_SET_NO_NEW_PRIVS behaves similarly.)This functionality is desired for the proposed seccomp filter patch
series. By using PR_SET_NO_NEW_PRIVS, it allows a task to modify the
system call behavior for itself and its child tasks without being
able to impact the behavior of a more privileged task.Another potential use is making certain privileged operations
unprivileged. For example, chroot may be considered "safe" if it cannot
affect privileged tasks.Note, this patch causes execve to fail when PR_SET_NO_NEW_PRIVS is
set and AppArmor is in use. It is fixed in a subsequent patch.Signed-off-by: Andy Lutomirski
Signed-off-by: Will Drewry
Acked-by: Eric Paris
Acked-by: Kees Cookv18: updated change desc
v17: using new define values as per 3.4
Signed-off-by: James Morris
10 Apr, 2012
4 commits
-
It isn't needed. If you don't set the type of the data associated with
that type it is a pretty obvious programming bug. So why waste the cycles?Signed-off-by: Eric Paris
-
apparmor is the only LSM that uses the common_audit_data tsk field.
Instead of making all LSMs pay for the stack space move the aa usage into
the apparmor_audit_data.Signed-off-by: Eric Paris
-
Just open code it so grep on the source code works better.
Signed-off-by: Eric Paris
-
dentry_open takes a file, rename it to file_open
Signed-off-by: Eric Paris
04 Apr, 2012
2 commits
-
It just bloats the audit data structure for no good reason, since the
only time those fields are filled are just before calling the
common_lsm_audit() function, which is also the only user of those
fields.So just make them be the arguments to common_lsm_audit(), rather than
bloating that structure that is passed around everywhere, and is
initialized in hot paths.Signed-off-by: Linus Torvalds
-
Linus found that the gigantic size of the common audit data caused a big
perf hit on something as simple as running stat() in a loop. This patch
requires LSMs to declare the LSM specific portion separately rather than
doing it in a union. Thus each LSM can be responsible for shrinking their
portion and don't have to pay a penalty just because other LSMs have a
bigger space requirement.Signed-off-by: Eric Paris
Signed-off-by: Linus Torvalds
27 Mar, 2012
1 commit
-
Fix failure in aa_change_onexec api when the request is made from a confined
task. This failure was caused by two problemsThe AA_MAY_ONEXEC perm was not being mapped correctly for this case.
The executable name was being checked as second time instead of using the
requested onexec profile name, which may not be the same as the exec
profile name. This mistake can not be exploited to grant extra permission
because of the above flaw where the ONEXEC permission was not being mapped
so it will not be granted.BugLink: http://bugs.launchpad.net/bugs/963756
Signed-off-by: John Johansen
Signed-off-by: James Morris
20 Mar, 2012
1 commit
-
Signed-off-by: Tetsuo Handa
Signed-off-by: John Johansen
15 Mar, 2012
2 commits
-
Signed-off-by: Jan Engelhardt
Signed-off-by: John Johansen -
Add the base support for the new policy extensions. This does not bring
any additional functionality, or change current semantics.Signed-off-by: John Johansen
Acked-by: Kees Cook
14 Mar, 2012
7 commits
-
Move the path name lookup failure messages into the main path name lookup
routine, as the information is useful in more than just aa_path_perm.Also rename aa_get_name to aa_path_name as it is not getting a reference
counted object with a corresponding put fn.Signed-off-by: John Johansen
Acked-by: Kees Cook -
Update aa_dfa_match so that it doesn't result in an input string being
walked twice (once to get its length and another time to match)Add a single step functions
aa_dfa_nextSigned-off-by: John Johansen
Acked-by: Kees Cook -
Signed-off-by: John Johansen
Acked-by: Kees Cook -
When __d_path and d_absolute_path fail due to the name being outside of
the current namespace no name is reported. Use dentry_path to provide
some hint as to which file was being accessed.Signed-off-by: John Johansen
Acked-by: Kees Cook -
Signed-off-by: John Johansen
-
Post unpacking of policy a verification pass is made on x transition
indexes. When this fails a call to audit_iface is made resulting in an
oops, because audit_iface is expecting a valid buffer position but
since the failure comes from post unpack verification there is none.Make the position argument optional so that audit_iface can be called
from post unpack verification.Signed-off-by: John Johansen
-
The returning of -ESATLE when a path lookup fails as disconnected is wrong.
Since AppArmor is rejecting the access return -EACCES instead.This also fixes a bug in complain (learning) mode where disconnected paths
are denied because -ESTALE errors are not ignored causing failures that
can change application behavior.Signed-off-by: John Johansen
28 Feb, 2012
9 commits
-
When a chroot relative pathname lookup fails it is falling through to
do a d_absolute_path lookup. This is incorrect as d_absolute_path should
only be used to lookup names for namespace absolute paths.Signed-off-by: John Johansen
Acked-by: Kees Cook -
The mapping of AA_MAY_META_READ for the allow mask was also being mapped
to the audit and quiet masks. This would result in some operations being
audited when the should not.This flaw was hidden by the previous audit bug which would drop some
messages that where supposed to be audited.Signed-off-by: John Johansen
Acked-by: Kees Cook -
If the xindex value stored in the accept tables is 0, the extraction of
that value will result in an underflow (0 - 4).In properly compiled policy this should not happen for file rules but
it may be possible for other rule types in the future.To exploit this underflow a user would have to be able to load a corrupt
policy, which requires CAP_MAC_ADMIN, overwrite system policy in kernel
memory or know of a compiler error resulting in the flaw being present
for loaded policy (no such flaw is known at this time).Signed-off-by: John Johansen
Acked-by: Kees Cook -
The audit permission flag, that specifies an audit message should be
provided when an operation is allowed, was being ignored in some cases.This is because the auto audit mode (which determines the audit mode from
system flags) was incorrectly assigned the same value as audit mode. The
shared value would result in messages that should be audited going through
a second evaluation as to whether they should be audited based on the
auto audit, resulting in some messages being dropped.Signed-off-by: John Johansen
Acked-by: Kees Cook -
The unpacking of struct capsx is missing a check for the end of the
caps structure. This can lead to unpack failures depending on what else
is packed into the policy file being unpacked.Signed-off-by: John Johansen
Acked-by: Kees Cook -
Since the parser needs to know which rlimits are known to the kernel,
export the list via a mask file in the "rlimit" subdirectory in the
securityfs "features" directory.Signed-off-by: Kees Cook
Signed-off-by: John Johansen -
Create the "file" directory in the securityfs for tracking features
related to files.Signed-off-by: Kees Cook
Signed-off-by: John Johansen -
This adds the "features" subdirectory to the AppArmor securityfs
to display boolean features flags and the known capability mask.Signed-off-by: Kees Cook
Signed-off-by: John Johansen -
Use a file tree structure to represent the AppArmor securityfs.
Signed-off-by: Kees Cook
Signed-off-by: John Johansen
15 Jan, 2012
1 commit
-
* 'for-linus' of git://selinuxproject.org/~jmorris/linux-security:
capabilities: remove __cap_full_set definition
security: remove the security_netlink_recv hook as it is equivalent to capable()
ptrace: do not audit capability check when outputing /proc/pid/stat
capabilities: remove task_ns_* functions
capabitlies: ns_capable can use the cap helpers rather than lsm call
capabilities: style only - move capable below ns_capable
capabilites: introduce new has_ns_capabilities_noaudit
capabilities: call has_ns_capability from has_capability
capabilities: remove all _real_ interfaces
capabilities: introduce security_capable_noaudit
capabilities: reverse arguments to security_capable
capabilities: remove the task from capable LSM hook entirely
selinux: sparse fix: fix several warnings in the security server cod
selinux: sparse fix: fix warnings in netlink code
selinux: sparse fix: eliminate warnings for selinuxfs
selinux: sparse fix: declare selinux_disable() in security.h
selinux: sparse fix: move selinux_complete_init
selinux: sparse fix: make selinux_secmark_refcount static
SELinux: Fix RCU deref check warning in sel_netport_insert()Manually fix up a semantic mis-merge wrt security_netlink_recv():
- the interface was removed in commit fd7784615248 ("security: remove
the security_netlink_recv hook as it is equivalent to capable()")- a new user of it appeared in commit a38f7907b926 ("crypto: Add
userspace configuration API")causing no automatic merge conflict, but Eric Paris pointed out the
issue.
13 Jan, 2012
1 commit
-
module_param(bool) used to counter-intuitively take an int. In
fddd5201 (mid-2009) we allowed bool or int/unsigned int using a messy
trick.It's time to remove the int/unsigned int option. For this version
it'll simply give a warning, but it'll break next kernel version.Acked-by: Mauro Carvalho Chehab
Signed-off-by: Rusty Russell
11 Jan, 2012
1 commit
-
* 'for-linus' of git://selinuxproject.org/~jmorris/linux-security: (32 commits)
ima: fix invalid memory reference
ima: free duplicate measurement memory
security: update security_file_mmap() docs
selinux: Casting (void *) value returned by kmalloc is useless
apparmor: fix module parameter handling
Security: tomoyo: add .gitignore file
tomoyo: add missing rcu_dereference()
apparmor: add missing rcu_dereference()
evm: prevent racing during tfm allocation
evm: key must be set once during initialization
mpi/mpi-mpow: NULL dereference on allocation failure
digsig: build dependency fix
KEYS: Give key types their own lockdep class for key->sem
TPM: fix transmit_cmd error logic
TPM: NSC and TIS drivers X86 dependency fix
TPM: Export wait_for_stat for other vendor specific drivers
TPM: Use vendor specific function for status probe
tpm_tis: add delay after aborting command
tpm_tis: Check return code from getting timeouts/durations
tpm: Introduce function to poll for result of self test
...Fix up trivial conflict in lib/Makefile due to addition of CONFIG_MPI
and SIGSIG next to CONFIG_DQL addition.
09 Jan, 2012
1 commit
-
Conflicts:
security/integrity/evm/evm_crypto.cResolved upstream fix vs. next conflict manually.
Signed-off-by: James Morris
07 Jan, 2012
1 commit
-
Signed-off-by: Al Viro
06 Jan, 2012
1 commit
-
The capabilities framework is based around credentials, not necessarily the
current task. Yet we still passed the current task down into LSMs from the
security_capable() LSM hook as if it was a meaningful portion of the security
decision. This patch removes the 'generic' passing of current and instead
forces individual LSMs to use current explicitly if they think it is
appropriate. In our case those LSMs are SELinux and AppArmor.I believe the AppArmor use of current is incorrect, but that is wholely
unrelated to this patch. This patch does not change what AppArmor does, it
just makes it clear in the AppArmor code that it is doing it.The SELinux code still uses current in it's audit message, which may also be
wrong and needs further investigation. Again this is NOT a change, it may
have always been wrong, this patch just makes it clear what is happening.Signed-off-by: Eric Paris
04 Jan, 2012
1 commit
-
Signed-off-by: Al Viro