Eric Lee / smarc-fsl-linux-kernel

13 Oct, 2011

1 commit

  • 828716c28   Smack: check permissions from user space (v2) ... Browse Code »

    Adds a new file into SmackFS called 'access'. Wanted
    Smack permission is written into /smack/access.
    After that result can be read from the opened file.
    If access applies result contains 1 and otherwise
    0. File access is protected from race conditions
    by using simple_transaction_get()/set() API.

    Fixes from the previous version:
    - Removed smack.h changes, refactoring left-over
    from previous version.
    - Removed #include , refactoring
    left-over from previous version.

    Signed-off-by: Jarkko Sakkinen
    Signed-off-by: Casey Schaufler

    Jarkko Sakkinen
     

12 Oct, 2011

2 commits

28 Sep, 2011

1 commit

  • e00fb3f7a   TOMOYO: Fix domain transition failure warning. ... Browse Code »

    Commit bd03a3e4 "TOMOYO: Add policy namespace support." introduced policy
    namespace. But as of /sbin/modprobe is executed from initramfs/initrd, profiles
    for target domain's namespace is not defined because /sbin/tomoyo-init is not
    yet called.

    Reported-by: Jamie Nguyen
    Signed-off-by: Tetsuo Handa
    Signed-off-by: James Morris

    Tetsuo Handa
     

27 Sep, 2011

1 commit

26 Sep, 2011

3 commits

  • a427fd14d   TOMOYO: Remove tomoyo_policy_memory_lock spinlock. ... Browse Code »

    tomoyo_policy_lock mutex already protects it.

    Signed-off-by: Tetsuo Handa
    Signed-off-by: James Morris

    Tetsuo Handa
     
  • f9732ea14   TOMOYO: Simplify garbage collector. ... Browse Code »

    When TOMOYO started using garbage collector at commit 847b173e "TOMOYO: Add
    garbage collector.", we waited for close() before kfree(). Thus, elements to be
    kfree()d were queued up using tomoyo_gc_list list.

    But it turned out that tomoyo_element_linked_by_gc() tends to choke garbage
    collector when certain pattern of entries are queued.

    Since garbage collector is no longer waiting for close() since commit 2e503bbb
    "TOMOYO: Fix lockdep warning.", we can remove tomoyo_gc_list list and
    tomoyo_element_linked_by_gc() by doing sequential processing.

    Signed-off-by: Tetsuo Handa
    Signed-off-by: James Morris

    Tetsuo Handa
     
  • 778c4a4d6   TOMOYO: Fix make namespacecheck warnings. ... Browse Code »

    Commit efe836ab "TOMOYO: Add built-in policy support." introduced
    tomoyo_load_builtin_policy() but was by error called from nowhere.

    Commit b22b8b9f "TOMOYO: Rename meminfo to stat and show more statistics."
    introduced tomoyo_update_stat() but was by error not called from
    tomoyo_assign_domain().

    Also, mark tomoyo_io_printf() and tomoyo_path_permission() static functions,
    as reported by "make namespacecheck".

    Signed-off-by: Tetsuo Handa
    Signed-off-by: James Morris

    Tetsuo Handa
     

21 Sep, 2011

4 commits

  • 8c35ad202   target: check hex2bin result ... Browse Code »

    Now that hex2bin does error checking, on error add debugging error msg.

    Changelog v1 (update):
    - fixed definition of 'ret'
    - hex2bin now returns an int

    Signed-off-by: Mimi Zohar
    Acked-by: Andy Shevchenko

    Mimi Zohar
     
  • 2b3ff6319   encrypted-keys: check hex2bin result ... Browse Code »

    For each hex2bin call in encrypted keys, check that the ascii hex string
    is valid. On failure, return -EINVAL.

    Changelog v1:
    - hex2bin now returns an int

    Signed-off-by: Mimi Zohar
    Acked-by: Andy Shevchenko

    Mimi Zohar
     
  • 2684bf7f2   trusted-keys: check hex2bin result ... Browse Code »

    For each hex2bin call in trusted keys, check that the ascii hex string is
    valid. On failure, return -EINVAL.

    Changelog v1:
    - hex2bin now returns an int

    Signed-off-by: Mimi Zohar
    Acked-by: Andy Shevchenko

    Mimi Zohar
     
  • b78049831   lib: add error checking to hex2bin ... Browse Code »

    hex2bin converts a hexadecimal string to its binary representation.
    The original version of hex2bin did not do any error checking. This
    patch adds error checking and returns the result.

    Changelog v1:
    - removed unpack_hex_byte()
    - changed return code from boolean to int

    Changelog:
    - use the new unpack_hex_byte()
    - add __must_check compiler option (Andy Shevchenko's suggestion)
    - change function API to return error checking result
    (based on Tetsuo Handa's initial patch)

    Signed-off-by: Mimi Zohar
    Acked-by: Andy Shevchenko

    Mimi Zohar
     

19 Sep, 2011

1 commit

  • 6bce98edc   TOMOYO: Allow specifying domain transition preference. ... Browse Code »

    I got an opinion that it is difficult to use exception policy's domain
    transition control directives because they need to match the pathname specified
    to "file execute" directives. For example, if "file execute /bin/\*\-ls\-cat"
    is given, corresponding domain transition control directive needs to be like
    "no_keep_domain /bin/\*\-ls\-cat from any".

    If we can specify like below, it will become more convenient.

    file execute /bin/ls keep exec.realpath="/bin/ls" exec.argv[0]="ls"
    file execute /bin/cat keep exec.realpath="/bin/cat" exec.argv[0]="cat"
    file execute /bin/\*\-ls\-cat child
    file execute /usr/sbin/httpd exec.realpath="/usr/sbin/httpd" exec.argv[0]="/usr/sbin/httpd"

    In above examples, "keep" works as if keep_domain is specified, "child" works
    as if "no_reset_domain" and "no_initialize_domain" and "no_keep_domain" are
    specified, "" causes domain transition to domain upon
    successful execve() operation.

    Moreover, we can also allow transition to different domains based on conditions
    like below example.

    /usr/sbin/sshd
    file execute /bin/bash /usr/sbin/sshd //batch-session exec.argc=2 exec.argv[1]="-c"
    file execute /bin/bash /usr/sbin/sshd //root-session task.uid=0
    file execute /bin/bash /usr/sbin/sshd //nonroot-session task.uid!=0

    Signed-off-by: Tetsuo Handa
    Signed-off-by: James Morris

    Tetsuo Handa
     

16 Sep, 2011

1 commit

  • cc100551b   encrypted-keys: IS_ERR need include/err.h ... Browse Code »

    Fixes this build error:

    security/keys/encrypted-keys/masterkey_trusted.c: In function 'request_trusted_key':
    security/keys/encrypted-keys/masterkey_trusted.c:35:2: error: implicit declaration of function 'IS_ERR'

    Signed-off-by: Stephen Rothwell
    Signed-off-by: Mimi Zohar

    Stephen Rothwell
     

15 Sep, 2011

10 commits

  • 8de6ac7f5   Merge branch 'next-evm' of git://github.com/mzohar/linux-evm into next Browse Code »
    James Morris
     
  • 843d183cd   TOMOYO: Bump version. ... Browse Code »

    Tell userland tools that this is TOMOYO 2.5.

    Signed-off-by: Tetsuo Handa
    Signed-off-by: James Morris

    Tetsuo Handa
     
  • fb788d8b9   evm: clean verification status ... Browse Code »

    When allocating from slab, initialization is done the first time in
    init_once() and subsequently on free. Because evm_status was not
    re-initialized on free, evm_verify_hmac() skipped verifications.

    This patch re-initializes evm_status.

    Signed-off-by: Dmitry Kasatkin
    Signed-off-by: Mimi Zohar

    Dmitry Kasatkin
     
  • 566be59ab   evm: permit mode bits to be updated ... Browse Code »

    Before permitting 'security.evm' to be updated, 'security.evm' must
    exist and be valid. In the case that there are no existing EVM protected
    xattrs, it is safe for posix acls to update the mode bits.

    To differentiate between no 'security.evm' xattr and no xattrs used to
    calculate 'security.evm', this patch defines INTEGRITY_NOXATTR.

    Signed-off-by: Mimi Zohar

    Mimi Zohar
     
  • bf6d0f5dc   evm: posix acls modify i_mode ... Browse Code »

    The posix xattr acls are 'system' prefixed, which normally would not
    affect security.evm. An interesting side affect of writing posix xattr
    acls is their modifying of the i_mode, which is included in security.evm.

    This patch updates security.evm when posix xattr acls are written.

    Signed-off-by: Mimi Zohar

    Mimi Zohar
     
  • a924ce0b3   evm: limit verifying current security.evm integrity ... Browse Code »

    evm_protect_xattr unnecessarily validates the current security.evm
    integrity, before updating non-evm protected extended attributes
    and other file metadata. This patch limits validating the current
    security.evm integrity to evm protected metadata.

    Signed-off-by: Mimi Zohar

    Mimi Zohar
     
  • fb88c2b6c   evm: fix security/security_old_init_security return code ... Browse Code »

    security_inode_init_security previously returned -EOPNOTSUPP, for S_PRIVATE
    inodes, and relied on the callers to change it to 0. As the callers do not
    change the return code anymore, return 0, intead of -EOPNOTSUPP.

    Signed-off-by: Mimi Zohar

    Mimi Zohar
     
  • 1d714057e   evm: remove TCG_TPM dependency ... Browse Code »

    All tristates selected by EVM(boolean) are forced to be builtin, except
    in the TCG_TPM(tristate) dependency case. Arnaud Lacombe summarizes the
    Kconfig bug as, "So it would seem direct dependency state influence the
    state of reverse dependencies.." For a detailed explanation, refer to
    Arnaud Lacombe's posting http://lkml.org/lkml/2011/8/23/498.

    With the "encrypted-keys: remove trusted-keys dependency" patch, EVM
    can now be built without a dependency on TCG_TPM. The trusted-keys
    dependency requires trusted-keys to either be builtin or not selected.
    This dependency will prevent the boolean/tristate mismatch from
    occuring.

    Reported-by: Stephen Rothwell ,
    Randy Dunlap
    Signed-off-by: Mimi Zohar

    Mimi Zohar
     
  • 982e617a3   encrypted-keys: remove trusted-keys dependency ... Browse Code »

    Encrypted keys are decrypted/encrypted using either a trusted-key or,
    for those systems without a TPM, a user-defined key. This patch
    removes the trusted-keys and TCG_TPM dependencies.

    Signed-off-by: Mimi Zohar

    Mimi Zohar
     
  • 61cf45d01   encrypted-keys: create encrypted-keys directory ... Browse Code »

    Move all files associated with encrypted keys to keys/encrypted-keys.

    Signed-off-by: Mimi Zohar

    Mimi Zohar
     

14 Sep, 2011

5 commits

  • a8f764096   TOMOYO: Avoid race when retrying "file execute" permission check. ... Browse Code »

    There was a race window that the pathname which is subjected to "file execute"
    permission check when retrying via supervisor's decision because the pathname
    was recalculated upon retry. Though, there is an inevitable race window even
    without supervisor, for we have to calculate the symbolic link's pathname from
    "struct linux_binprm"->filename rather than from "struct linux_binprm"->file
    because we cannot back calculate the symbolic link's pathname from the
    dereferenced pathname.

    Signed-off-by: Tetsuo Handa
    Signed-off-by: James Morris

    Tetsuo Handa
     
  • 731d37aa7   TOMOYO: Allow domain transition without execve(). ... Browse Code »

    To be able to split permissions for Apache's CGI programs which are executed
    without execve(), add special domain transition which is performed by writing
    a TOMOYO's domainname to /sys/kernel/security/tomoyo/self_domain interface.

    This is an API for TOMOYO-aware userland applications. However, since I expect
    TOMOYO and other LSM modules to run in parallel, this patch does not use
    /proc/self/attr/ interface in order to avoid conflicts with other LSM modules
    when it became possible to run multiple LSM modules in parallel.

    Signed-off-by: Tetsuo Handa
    Signed-off-by: James Morris

    Tetsuo Handa
     
  • 1f067a682   TOMOYO: Allow controlling generation of access granted logs for per an entry basis. ... Browse Code »

    Add per-entry flag which controls generation of grant logs because Xen and KVM
    issues ioctl requests so frequently. For example,

    file ioctl /dev/null 0x5401 grant_log=no

    will suppress /sys/kernel/security/tomoyo/audit even if preference says
    grant_log=yes .

    Signed-off-by: Tetsuo Handa
    Signed-off-by: James Morris

    Tetsuo Handa
     
  • 059d84dbb   TOMOYO: Add socket operation restriction support. ... Browse Code »

    This patch adds support for permission checks for PF_INET/PF_INET6/PF_UNIX
    socket's bind()/listen()/connect()/send() operations.

    Signed-off-by: Tetsuo Handa
    Signed-off-by: James Morris

    Tetsuo Handa
     
  • d58e0da85   TOMOYO: Add environment variable name restriction support. ... Browse Code »

    This patch adds support for checking environment variable's names.
    Although TOMOYO already provides ability to check argv[]/envp[] passed to
    execve() requests,

    file execute /bin/sh exec.envp["LD_LIBRARY_PATH"]="bar"

    will reject execution of /bin/sh if environment variable LD_LIBRARY_PATH is not
    defined. To grant execution of /bin/sh if LD_LIBRARY_PATH is not defined,
    administrators have to specify like

    file execute /bin/sh exec.envp["LD_LIBRARY_PATH"]="/system/lib"
    file execute /bin/sh exec.envp["LD_LIBRARY_PATH"]=NULL

    . Since there are many environment variables whereas conditional checks are
    applied as "&&", it is difficult to cover all combinations. Therefore, this
    patch supports conditional checks that are applied as "||", by specifying like

    file execute /bin/sh
    misc env LD_LIBRARY_PATH exec.envp["LD_LIBRARY_PATH"]="/system/lib"

    which means "grant execution of /bin/sh if environment variable is not defined
    or is defined and its value is /system/lib".

    Signed-off-by: Tetsuo Handa
    Signed-off-by: James Morris

    Tetsuo Handa
     

10 Sep, 2011

11 commits