27 May, 2009

1 commit

  • cap_bprm_set_creds() has to be called from security_bprm_set_creds().
    TOMOYO forgot to call cap_bprm_set_creds() from tomoyo_bprm_set_creds()
    and suid executables were not working.

    Make sure we call cap_bprm_set_creds() with TOMOYO, to set credentials
    properly inside tomoyo_bprm_set_creds().

    Signed-off-by: Herton Ronaldo Krzesinski
    Acked-by: Tetsuo Handa
    Signed-off-by: James Morris

    Herton Ronaldo Krzesinski
     

09 May, 2009

1 commit


05 May, 2009

1 commit

  • The CRED patch incorrectly converted the SELinux send_sigiotask hook to
    use the current task SID rather than the target task SID in its
    permission check, yielding the wrong permission check. This fixes the
    hook function. Detected by the ltp selinux testsuite and confirmed to
    correct the test failure.

    Signed-off-by: Stephen Smalley
    Signed-off-by: James Morris

    Stephen Smalley
     

18 Apr, 2009

1 commit


14 Apr, 2009

1 commit


10 Apr, 2009

1 commit

  • When request_key() is called, without there being any standard process
    keyrings on which to fall back if a destination keyring is not specified, an
    oops is liable to occur when construct_alloc_key() calls down_write() on
    dest_keyring's semaphore.

    Due to function inlining this may be seen as an oops in down_write() as called
    from request_key_and_link().

    This situation crops up during boot, where request_key() is called from within
    the kernel (such as in CIFS mounts) where nobody is actually logged in, and so
    PAM has not had a chance to create a session keyring and user keyrings to act
    as the fallback.

    To fix this, make construct_alloc_key() not attempt to cache a key if there is
    no fallback key if no destination keyring is given specifically.

    Signed-off-by: David Howells
    Tested-by: Jeff Layton
    Signed-off-by: Linus Torvalds

    David Howells
     

09 Apr, 2009

1 commit

  • One-liner: capsh --print is broken without this patch.

    In certain cases, cap_prctl returns error > 0 for success. However,
    the 'no_change' label was always setting error to 0. As a result,
    for example, 'prctl(CAP_BSET_READ, N)' would always return 0.
    It should return 1 if a process has N in its bounding set (as
    by default it does).

    I'm keeping the no_change label even though it's now functionally
    the same as 'error'.

    Signed-off-by: Serge Hallyn
    Acked-by: David Howells
    Signed-off-by: James Morris

    Serge E. Hallyn
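As an added illustration of the return-value convention this commit restores (example code written for this page, not part of the kernel, capsh or the patch): a small user-space C program that queries the capability bounding set through prctl(PR_CAPBSET_READ, ...) and relies on the 1-for-present, 0-for-dropped result. The probe limit of 64 is an assumption made here so the loop does not depend on which capability header is installed; the kernel reports EINVAL for any number past its last capability.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>

/* Assumed upper bound for the probe loop; the kernel answers EINVAL for any
 * capability number it does not know, so the loop stops well before this. */
#define CAPBSET_PROBE_LIMIT 64

/* Ask the kernel whether capability 'cap' is in the calling thread's
 * bounding set, the per-capability query that capsh --print performs.
 * Returns 1 if present, 0 if dropped, -1 with errno = EINVAL if 'cap' is
 * not a valid capability number. Before the fix above the kernel's
 * 'no_change' path turned the 1 into 0, so every capability looked dropped. */
int capbset_read(int cap)
{
    return prctl(PR_CAPBSET_READ, (unsigned long)cap, 0UL, 0UL, 0UL);
}

/* Count the capabilities still in the bounding set, probing numbers upward
 * until the kernel reports EINVAL (past its last capability).
 * Returns -1 on any error other than EINVAL. */
int capbset_count(void)
{
    int present = 0;
    for (int cap = 0; cap < CAPBSET_PROBE_LIMIT; cap++) {
        int r = capbset_read(cap);
        if (r == 1) {
            present++;
        } else if (r < 0) {
            if (errno == EINVAL)
                break;          /* no more valid capability numbers */
            return -1;
        }
    }
    return present;
}

int main(void)
{
    /* Capability 0 is CAP_CHOWN; the number is used directly so this does
     * not depend on <linux/capability.h> being present. */
    printf("CAP_CHOWN (0) in bounding set: %d\n", capbset_read(0));
    printf("capabilities remaining in bounding set: %d\n", capbset_count());
    return 0;
}
```

Run it unprivileged: on a default system capability 0 reports 1, while inside a container or sandbox that has dropped capabilities from the bounding set some entries report 0. With the pre-fix kernel every query returned 0, which is exactly the capsh --print breakage the commit describes.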
     

07 Apr, 2009

1 commit


03 Apr, 2009

3 commits

  • Export a number of functions for CacheFiles's use.

    Signed-off-by: David Howells
    Acked-by: Steve Dickson
    Acked-by: Trond Myklebust
    Acked-by: Rik van Riel
    Acked-by: Al Viro
    Tested-by: Daire Byrne

    David Howells
     
  • * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6:
    Remove two unneeded exports and make two symbols static in fs/mpage.c
    Cleanup after commit 585d3bc06f4ca57f975a5a1f698f65a45ea66225
    Trim includes of fdtable.h
    Don't crap into descriptor table in binfmt_som
    Trim includes in binfmt_elf
    Don't mess with descriptor table in load_elf_binary()
    Get rid of indirect include of fs_struct.h
    New helper - current_umask()
    check_unsafe_exec() doesn't care about signal handlers sharing
    New locking/refcounting for fs_struct
    Take fs_struct handling to new file (fs/fs_struct.c)
    Get rid of bumping fs_struct refcount in pivot_root(2)
    Kill unsharing fs_struct in __set_personality()

    Linus Torvalds
     
  • There is nothing special that has to be protected by cgroup_lock,
    so introduce devcgroup_mutex for its own use.

    Signed-off-by: Li Zefan
    Cc: Paul Menage
    Acked-by: Serge Hallyn
    Cc: Balbir Singh
    Cc: KAMEZAWA Hiroyuki
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Li Zefan
     

01 Apr, 2009

1 commit


28 Mar, 2009

5 commits

  • This patch adds a new special option '-CIPSO' to the Smack subsystem. When used
    in the netlabel list, it means "use CIPSO networking". A use case is when your
    local network speaks CIPSO and you want also to connect to the unlabeled
    Internet. This patch also adds some documentation describing that. The patch
    also corrects an oops when setting a '' SMACK64 xattr to a file.

    Signed-off-by: Etienne Basset
    Signed-off-by: Paul Moore
    Acked-by: Casey Schaufler
    Signed-off-by: James Morris

    Etienne Basset
     
  • This patch cleans up a lot of the Smack network access control code. The
    largest changes are to fix the labeling of incoming TCP connections in a
    manner similar to the recent SELinux changes which use the
    security_inet_conn_request() hook to label the request_sock and let the label
    move to the child socket via the normal network stack mechanisms. In addition
    to the incoming TCP connection fixes this patch also removes the smk_labled
    field from the socket_smack struct as the minor optimization advantage was
    outweighed by the difficulty in maintaining its proper state.

    Signed-off-by: Paul Moore
    Acked-by: Casey Schaufler
    Signed-off-by: James Morris

    Paul Moore
     
  • The socket_post_accept() hook is not currently used by any in-tree modules
    and its existence continues to cause problems by confusing people about
    what can be safely accomplished using this hook. If a legitimate need for
    this hook arises in the future it can always be reintroduced.

    Signed-off-by: Paul Moore
    Signed-off-by: James Morris

    Paul Moore
     
  • The SELinux "compat_net" is marked as deprecated, the time has come to
    finally remove it from the kernel. Further code simplifications are
    likely in the future, but this patch was intended to be a simple,
    straight-up removal of the compat_net code.

    Signed-off-by: Paul Moore
    Signed-off-by: James Morris

    Paul Moore
     
  • The current NetLabel/SELinux behavior for incoming TCP connections works but
    only through a series of happy coincidences that rely on the limited nature of
    standard CIPSO (only able to convey MLS attributes) and the write equality
    imposed by the SELinux MLS constraints. The problem is that network sockets
    created as the result of an incoming TCP connection were not on-the-wire
    labeled based on the security attributes of the parent socket but rather based
    on the wire label of the remote peer. The issue had to do with how IP options
    were managed as part of the network stack and where the LSM hooks were in
    relation to the code which set the IP options on these newly created child
    sockets. While NetLabel/SELinux did correctly set the socket's on-the-wire
    label it was promptly cleared by the network stack and reset based on the IP
    options of the remote peer.

    This patch, in conjunction with a prior patch that adjusted the LSM hook
    locations, works to set the correct on-the-wire label format for new incoming
    connections through the security_inet_conn_request() hook. Besides the
    correct behavior there are many advantages to this change, the most significant
    is that all of the NetLabel socket labeling code in SELinux now lives in hooks
    which can return error codes to the core stack which allows us to finally get
    rid of the selinux_netlbl_inode_permission() logic which greatly simplifies
    the NetLabel/SELinux glue code. In the process of developing this patch I
    also ran into a small handful of AF_INET6 cleanliness issues that have been
    fixed which should make the code safer and easier to extend in the future.

    Signed-off-by: Paul Moore
    Acked-by: Casey Schaufler
    Signed-off-by: James Morris

    Paul Moore
     

27 Mar, 2009

1 commit


26 Mar, 2009

1 commit


24 Mar, 2009

1 commit


10 Mar, 2009

1 commit

  • Drop the printk message when an inode is found without an associated
    dentry. This should only happen when userspace can't be accessing those
    inodes and those labels will get set correctly on the next d_instantiate.
    Thus there is no reason to send this message.

    Signed-off-by: Eric Paris
    Signed-off-by: James Morris

    Eric Paris
     

06 Mar, 2009

2 commits

  • New selinux permission to separate the ability to turn on tty auditing from
    the ability to set audit rules.

    Signed-off-by: Eric Paris
    Acked-by: Stephen Smalley
    Signed-off-by: James Morris

    Eric Paris
     
  • When I did open permissions I didn't think any sockets would have an open.
    Turns out AF_UNIX sockets can have an open when they are bound to the
    filesystem namespace. This patch adds a new SOCK_FILE__OPEN permission.
    It's safe to add this as the open perms are already predicated on
    capabilities and capabilities means we have unknown perm handling so
    systems should be as backwards compatible as the policy wants them to
    be.

    https://bugzilla.redhat.com/show_bug.cgi?id=475224

    Signed-off-by: Eric Paris
    Acked-by: Stephen Smalley
    Signed-off-by: James Morris

    Eric Paris
     

05 Mar, 2009

2 commits

  • The following patch (against 2.6.29rc5) fixes a few issues in the
    smack/netlabel "unlabeled host support" functionality that was added in
    2.6.29rc. It should go in before -final.

    1) smack_host_label disregards a "0.0.0.0/0 @" rule (or other label),
    preventing 'tagged' tasks from accessing the Internet (many systems drop packets with
    IP options)

    2) netmasks were not handled correctly, they were stored in a way _not
    equivalent_ to conversion to be32 (it was equivalent for /0, /8, /16, /24,
    /32 masks but not other masks)

    3) smack_netlbladdr prefixes (IP/mask) were not consistent (mask&IP was not
    done), so there could have been different list entries for the same IP
    prefix; if those entries had different labels, well ...

    4) they were not sorted

    1) 2) 3) are bugs, 4) is a more cosmetic issue.
    The patch:

    -creates a new helper smk_netlbladdr_insert to insert a smk_netlbladdr,
    -sorted by netmask length

    -use the new sorted nature of smack_netlbladdrs list to simplify
    smack_host_label : the first match _will_ be the more specific

    -corrects endianness issues in smk_write_netlbladdr & netlbladdr_seq_show

    Signed-off-by:
    Acked-by: Casey Schaufler
    Reviewed-by: Paul Moore
    Signed-off-by: James Morris

    etienne
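The three bugs and the fix above (canonicalise mask & IP, convert prefix lengths to masks correctly for every length, keep the list sorted by netmask length so the first match is the most specific one, and let a trailing 0.0.0.0/0 rule catch everything else) are easy to get wrong in any address-list implementation, so here is a user-space C model of the corrected behaviour. This is an added example written for this page, not code from the kernel's smack_netlbladdrs handling or from this patch; the rule set in nl_sample_list() is constructed for the demonstration and the struct and function names are this example's own.

```c
#include <arpa/inet.h>   /* inet_pton(), ntohl() */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One host/network rule, kept in host byte order with the prefix already
 * canonicalised (addr & mask), so two spellings of the same prefix can
 * never become two list entries carrying different labels. */
struct nl_rule {
    uint32_t addr;       /* canonical prefix, host order */
    uint32_t mask;       /* netmask, host order */
    int plen;            /* prefix length 0..32 */
    const char *label;   /* Smack label; "@" is the unlabeled/Internet label */
    struct nl_rule *next;
};

/* Prefix length to host-order mask. /0 and /32 are handled explicitly
 * because shifting a 32-bit value by 32 is undefined in C; every other
 * length goes through the shift, which is where ad-hoc conversions tend
 * to go wrong for non-octet-aligned lengths such as /20. */
uint32_t plen_to_mask(int plen)
{
    if (plen <= 0)  return 0;
    if (plen >= 32) return 0xffffffffu;
    return 0xffffffffu << (32 - plen);
}

/* Insert a rule keeping the list sorted by prefix length, longest first,
 * so the first hit in nl_lookup() is the most specific rule. A rule for a
 * canonical prefix already in the list replaces that entry's label rather
 * than adding a duplicate. Returns 0 on success, -1 on bad input. */
int nl_insert(struct nl_rule **head, const char *ip, int plen, const char *label)
{
    struct in_addr in;
    if (plen < 0 || plen > 32 || inet_pton(AF_INET, ip, &in) != 1)
        return -1;
    uint32_t mask = plen_to_mask(plen);
    uint32_t addr = ntohl(in.s_addr) & mask;   /* canonicalise: mask & IP */

    struct nl_rule **pp = head;
    for (; *pp; pp = &(*pp)->next) {
        if ((*pp)->plen == plen && (*pp)->addr == addr) {
            (*pp)->label = label;
            return 0;
        }
        if ((*pp)->plen < plen)
            break;    /* first shorter prefix: insert in front of it */
    }
    struct nl_rule *r = malloc(sizeof *r);
    if (!r)
        return -1;
    r->addr = addr; r->mask = mask; r->plen = plen; r->label = label;
    r->next = *pp;
    *pp = r;
    return 0;
}

/* Longest-prefix match: the list is sorted, so the first hit wins, and a
 * trailing 0.0.0.0/0 rule is what lets unmatched hosts be reached with the
 * unlabeled label. Returns NULL when no rule matches. */
const char *nl_lookup(const struct nl_rule *head, const char *ip)
{
    struct in_addr in;
    if (inet_pton(AF_INET, ip, &in) != 1)
        return NULL;
    uint32_t a = ntohl(in.s_addr);
    for (; head; head = head->next)
        if ((a & head->mask) == head->addr)
            return head->label;
    return NULL;
}

int nl_count(const struct nl_rule *head)
{
    int n = 0;
    for (; head; head = head->next) n++;
    return n;
}

void nl_free(struct nl_rule *head)
{
    while (head) { struct nl_rule *n = head->next; free(head); head = n; }
}

/* Constructed sample rule set (not from any real system), inserted out of
 * order, with one non-canonical prefix and one duplicate, to exercise the
 * three fixes. */
struct nl_rule *nl_sample_list(void)
{
    struct nl_rule *head = NULL;
    nl_insert(&head, "0.0.0.0",   0,  "@");       /* default: unlabeled Internet */
    nl_insert(&head, "10.1.2.77", 24, "lab");     /* canonicalises to 10.1.2.0/24 */
    nl_insert(&head, "10.0.0.0",  8,  "corp");
    nl_insert(&head, "10.1.2.0",  24, "lab-v2");  /* same prefix: replaces "lab" */
    return head;
}

int main(void)
{
    struct nl_rule *l = nl_sample_list();
    const char *hosts[] = { "10.1.2.5", "10.9.9.9", "8.8.8.8" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-10s -> %s\n", hosts[i], nl_lookup(l, hosts[i]));
    nl_free(l);
    return 0;
}
```

With the sample rules, 10.1.2.5 resolves to the /24 label, 10.9.9.9 falls through to the /8, and 8.8.8.8 reaches the 0.0.0.0/0 "@" rule instead of being dropped; the list holds three entries, not four, because the non-canonical 10.1.2.77/24 and 10.1.2.0/24 are the same prefix.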
     

02 Mar, 2009

1 commit

  • Rick McNeal from LSI identified a panic in selinux_netlbl_inode_permission()
    caused by a certain sequence of SUNRPC operations. The problem appears to be
    due to the lack of NULL pointer checking in the function; this patch adds the
    pointer checks so the function will exit safely in the cases where the socket
    is not completely initialized.

    Signed-off-by: Paul Moore
    Signed-off-by: James Morris

    Paul Moore
     

27 Feb, 2009

4 commits

  • Restrict the /proc/keys and /proc/key-users output to keys
    belonging to the same user namespace as the reading task.

    We may want to make this more complicated - so that any
    keys in a user-namespace which belongs to the reading
    task are also shown. But let's see if anyone wants that
    first.

    Signed-off-by: Serge E. Hallyn
    Acked-by: David Howells
    Signed-off-by: James Morris

    Serge E. Hallyn
     
  • When listing keys, do not return keys belonging to the
    same uid in another user namespace. Otherwise uid 500
    in another user namespace will return keyrings called
    uid.500 for another user namespace.

    Signed-off-by: Serge E. Hallyn
    Acked-by: David Howells
    Signed-off-by: James Morris

    Serge E. Hallyn
     
  • If a key is owned by another user namespace, then treat the
    key as though it is owned by both another uid and gid.

    Signed-off-by: Serge E. Hallyn
    Acked-by: David Howells
    Signed-off-by: James Morris

    Serge E. Hallyn
     
  • per-uid keys were looked by uid only. Use the user namespace
    to distinguish the same uid in different namespaces.

    This does not address key_permission. So a task can for instance
    try to join a keyring owned by the same uid in another namespace.
    That will be handled by a separate patch.

    Signed-off-by: Serge E. Hallyn
    Acked-by: David Howells
    Signed-off-by: James Morris

    Serge E. Hallyn
     

23 Feb, 2009

3 commits

  • At some point we (okay, I) managed to break the ability for users to use the
    setsockopt() syscall to set IPv4 options when NetLabel was not active on the
    socket in question. The problem was noticed by someone trying to use the
    "-R" (record route) option of ping:

    # ping -R 10.0.0.1
    ping: record route: No message of desired type

    The solution is relatively simple, we catch the unlabeled socket case and
    clear the error code, allowing the operation to succeed. Please note that we
    still deny users the ability to override IPv4 options on sockets which have
    NetLabel labeling active; this is done to ensure the labeling remains intact.

    Signed-off-by: Paul Moore
    Signed-off-by: James Morris

    Paul Moore
     
  • Based on Andrew Morton's comments:
    - add missing locks around radix_tree_lookup in ima_iint_insert()

    Signed-off-by: Mimi Zohar
    Cc: James Morris
    Signed-off-by: Andrew Morton
    Signed-off-by: James Morris

    Mimi Zohar
     
  • tomoyo_realpath_init() is unconditionally called by security_initcall().
    But nobody will use realpath related functions if TOMOYO is not registered.

    So, let tomoyo_init() call tomoyo_realpath_init().

    This patch saves 4KB of memory allocation if TOMOYO is not registered.

    Signed-off-by: Kentaro Takeda
    Signed-off-by: Tetsuo Handa
    Signed-off-by: Toshiharu Harada
    Signed-off-by: James Morris

    Tetsuo Handa
     

20 Feb, 2009

1 commit

  • Based on Alexander Beregalov's post http://lkml.org/lkml/2009/2/19/198

    - replaced sg_set_buf() with sg_init_one()

    kernel BUG at include/linux/scatterlist.h:65!
    invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
    last sysfs file:
    CPU 2
    Modules linked in:
    Pid: 1, comm: swapper Not tainted 2.6.29-rc5-next-20090219 #5 PowerEdge 1950
    RIP: 0010:[] [] ima_calc_hash+0xc0/0x160
    RSP: 0018:ffff88007f46bc40 EFLAGS: 00010286
    RAX: ffffe200032c45e8 RBX: 00000000fffffff4 RCX: 0000000087654321
    RDX: 0000000000000002 RSI: 0000000000000001 RDI: ffff88007cf71048
    RBP: ffff88007f46bcd0 R08: 0000000000000000 R09: 0000000000000163
    R10: ffff88007f4707a8 R11: 0000000000000000 R12: ffff88007cf71048
    R13: 0000000000001000 R14: 0000000000000000 R15: 0000000000009d98
    FS: 0000000000000000(0000) GS:ffff8800051ac000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b
    CR2: 0000000000000000 CR3: 0000000000201000 CR4: 00000000000006e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400

    Signed-off-by: Mimi Zohar
    Tested-by: Alexander Beregalov
    Signed-off-by: James Morris

    Mimi Zohar
     

19 Feb, 2009

1 commit


16 Feb, 2009

1 commit


14 Feb, 2009

4 commits

  • Due to wrong initialization, "cat /sys/kernel/security/tomoyo/exception_policy"
    returned nothing.

    Signed-off-by: Kentaro Takeda
    Signed-off-by: Tetsuo Handa
    Signed-off-by: Toshiharu Harada
    Signed-off-by: James Morris

    Tetsuo Handa
     
  • We do not need O(1) access to the tail of the avc cache lists and so we are
    wasting lots of space using struct list_head instead of struct hlist_head.
    This patch converts the avc cache to use hlists in which there is a single
    pointer from the head which saves us about 4k of global memory.

    Resulted in about a 1.5% decrease in time spent in avc_has_perm_noaudit based
    on oprofile sampling of tbench. Although likely within the noise....

    Signed-off-by: Eric Paris
    Reviewed-by: Paul Moore
    Signed-off-by: James Morris

    Eric Paris
     
  • The code making use of struct avc_cache was not easy to read thanks to liberal
    use of &avc_cache.{slots_lock,slots}[hvalue] throughout. This patch simply
    creates local pointers and uses those instead of the long global names.

    Signed-off-by: Eric Paris
    Signed-off-by: James Morris

    Eric Paris
     
  • It appears there was an intention to have the security server only decide
    certain permissions and leave others for later as some sort of a potential
    performance win. We are currently always deciding all 32 bits of
    permissions and this is a useless couple of branches and wasted space.
    This patch completely drops the av.decided concept.

    This results in a 17% reduction in the time spent in avc_has_perm_noaudit
    based on oprofile sampling of a tbench benchmark.

    Signed-off-by: Eric Paris
    Reviewed-by: Paul Moore
    Acked-by: Stephen Smalley
    Signed-off-by: James Morris

    Eric Paris