26 Sep, 2017

2 commits

  • This started out as just replacing the use of crypto/rng with
    get_random_bytes_wait, so that we wouldn't use bad randomness at boot
    time. But, upon looking further, it appears that there were even deeper
    underlying cryptographic problems, and that this seems to have been
    committed with very little crypto review. So, I rewrote the whole thing,
    trying to keep to the conventions introduced by the previous author, to
    fix these cryptographic flaws.

    It makes no sense to seed crypto/rng at boot time and then keep
    using it like this, when in fact there's already get_random_bytes_wait,
    which can ensure there's enough entropy and be a much more standard way
    of generating keys. Since this sensitive material is being stored
    untrusted, using ECB and no authentication is simply not okay at all. I
    find it surprising and a bit horrifying that this code even made it past
    basic crypto review, which perhaps points to some larger issues. This
    patch moves from using AES-ECB to using AES-GCM. Since keys are uniquely
    generated each time, we can set the nonce to zero. There was also a race
    condition in which the same key would be reused at the same time in
    different threads. A mutex fixes this issue now.

    So, to summarize, this commit fixes the following vulnerabilities:

    * Low entropy key generation, allowing an attacker to potentially
    guess or predict keys.
    * Unauthenticated encryption, allowing an attacker to modify the
    cipher text in particular ways in order to manipulate the plaintext,
    which is even more frightening considering the next point.
    * Use of ECB mode, allowing an attacker to trivially swap blocks or
    compare identical plaintext blocks.
    * Key re-use.
    * Faulty memory zeroing.

    Signed-off-by: Jason A. Donenfeld
    Reviewed-by: Eric Biggers
    Signed-off-by: David Howells
    Cc: Herbert Xu
    Cc: Kirill Marinushkin
    Cc: security@kernel.org
    Cc: stable@vger.kernel.org

    Jason A. Donenfeld
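The ECB-versus-GCM point made in the commit message above, as an added example that is not part of this commit or of the kernel's code (the kernel uses its own crypto API; Go's standard library stands in for it here). It shows that under ECB a swapped ciphertext block decrypts silently into swapped plaintext, while AES-GCM with the zero-nonce, one-key-per-message arrangement the commit describes rejects the same rearrangement. The two-block sample plaintext and the per-run AES-256 key are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

const blockSize = aes.BlockSize // 16 bytes

// Constructed two-block sample payload (2 x 16 bytes) standing in for the
// sensitive material the commit says is stored on untrusted storage.
var samplePlaintext = []byte("block-A:01234567block-B:89abcdef")

// newKey returns a fresh random AES-256 key, used for exactly one message.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// ecbCrypt runs the block cipher over each 16-byte block independently, with
// no chaining and no integrity tag: the construction the patch removes.
// in must be a whole number of blocks.
func ecbCrypt(key, in []byte, decrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	op := block.Encrypt
	if decrypt {
		op = block.Decrypt
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += blockSize {
		op(out[i:i+blockSize], in[i:i+blockSize])
	}
	return out, nil
}

// swapBlocks returns a copy of buf with 16-byte blocks i and j exchanged.
func swapBlocks(buf []byte, i, j int) []byte {
	out := append([]byte(nil), buf...)
	copy(out[i*blockSize:(i+1)*blockSize], buf[j*blockSize:(j+1)*blockSize])
	copy(out[j*blockSize:(j+1)*blockSize], buf[i*blockSize:(i+1)*blockSize])
	return out
}

// EcbBlockSwapGoesUnnoticed encrypts the sample with ECB, swaps the two
// ciphertext blocks and decrypts again. It returns true when decryption
// "succeeds" and yields the plaintext with its blocks swapped.
func EcbBlockSwapGoesUnnoticed() (bool, error) {
	key, err := newKey()
	if err != nil {
		return false, err
	}
	ct, err := ecbCrypt(key, samplePlaintext, false)
	if err != nil {
		return false, err
	}
	pt, err := ecbCrypt(key, swapBlocks(ct, 0, 1), true)
	if err != nil {
		return false, err
	}
	return bytes.Equal(pt, swapBlocks(samplePlaintext, 0, 1)), nil
}

// GcmRoundTripAndReject seals the sample with AES-GCM under an all-zero nonce,
// as the patched code does; that is only safe because each key encrypts one
// message. It reports whether the intact ciphertext opens to the original and
// whether the same block swap is rejected because the tag no longer verifies.
func GcmRoundTripAndReject() (intactOK, tamperRejected bool, err error) {
	key, err := newKey()
	if err != nil {
		return false, false, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return false, false, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return false, false, err
	}
	nonce := make([]byte, aead.NonceSize()) // all zero: key is single-use
	ct := aead.Seal(nil, nonce, samplePlaintext, nil)
	pt, err := aead.Open(nil, nonce, ct, nil)
	intactOK = err == nil && bytes.Equal(pt, samplePlaintext)
	_, err = aead.Open(nil, nonce, swapBlocks(ct, 0, 1), nil)
	return intactOK, err != nil, nil
}
```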
     
  • Error paths forgot to zero out sensitive material, so this patch changes
    some kfrees into kzfrees.

    Signed-off-by: Jason A. Donenfeld
    Signed-off-by: David Howells
    Reviewed-by: Eric Biggers
    Cc: Herbert Xu
    Cc: Kirill Marinushkin
    Cc: security@kernel.org
    Cc: stable@vger.kernel.org

    Jason A. Donenfeld
     

25 Sep, 2017

11 commits

  • kmemdup() is preferred to kmalloc() followed by memcpy().

    Signed-off-by: Eric Biggers
    Signed-off-by: David Howells

    Eric Biggers
     
  • When checking for permission to view keys whilst reading from
    /proc/keys, we should use the credentials with which the /proc/keys file
    was opened. This is because, in a classic type of exploit, it can be
    possible to bypass checks for the *current* credentials by passing the
    file descriptor to a suid program.

    Following commit 34dbbcdbf633 ("Make file credentials available to the
    seqfile interfaces") we can finally fix it. So let's do it.

    Signed-off-by: Eric Biggers
    Signed-off-by: David Howells

    Eric Biggers
     
  • In key_user_lookup(), if there is no key_user for the given uid, we drop
    key_user_lock, allocate a new key_user, and search the tree again. But
    we failed to set 'parent' to NULL at the beginning of the second search.
    If the tree were to be empty for the second search, the insertion would
    be done with an invalid 'parent', scribbling over freed memory.

    Fortunately this can't actually happen currently because the tree always
    contains at least the root_key_user. But it still should be fixed to
    make the code more robust.

    Signed-off-by: Eric Biggers
    Signed-off-by: David Howells

    Eric Biggers
     
  • Because keyctl_read_key() looks up the key with no permissions
    requested, it may find a negatively instantiated key. If the key is
    also possessed, we went ahead and called ->read() on the key. But the
    key payload will actually contain the ->reject_error rather than the
    normal payload. Thus, the kernel oopses trying to read the
    user_key_payload from memory address (int)-ENOKEY = 0x00000000ffffff82.

    Fortunately the payload data is stored inline, so it shouldn't be
    possible to abuse this as an arbitrary memory read primitive...

    Reproducer:
    keyctl new_session
    keyctl request2 user desc '' @s
    keyctl read $(keyctl show | awk '/user: desc/ {print $1}')

    It causes a crash like the following:
    BUG: unable to handle kernel paging request at 00000000ffffff92
    IP: user_read+0x33/0xa0
    PGD 36a54067 P4D 36a54067 PUD 0
    Oops: 0000 [#1] SMP
    CPU: 0 PID: 211 Comm: keyctl Not tainted 4.14.0-rc1 #337
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-20170228_101828-anatol 04/01/2014
    task: ffff90aa3b74c3c0 task.stack: ffff9878c0478000
    RIP: 0010:user_read+0x33/0xa0
    RSP: 0018:ffff9878c047bee8 EFLAGS: 00010246
    RAX: 0000000000000001 RBX: ffff90aa3d7da340 RCX: 0000000000000017
    RDX: 0000000000000000 RSI: 00000000ffffff82 RDI: ffff90aa3d7da340
    RBP: ffff9878c047bf00 R08: 00000024f95da94f R09: 0000000000000000
    R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
    R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
    FS: 00007f58ece69740(0000) GS:ffff90aa3e200000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00000000ffffff92 CR3: 0000000036adc001 CR4: 00000000003606f0
    Call Trace:
    keyctl_read_key+0xac/0xe0
    SyS_keyctl+0x99/0x120
    entry_SYSCALL_64_fastpath+0x1f/0xbe
    RIP: 0033:0x7f58ec787bb9
    RSP: 002b:00007ffc8d401678 EFLAGS: 00000206 ORIG_RAX: 00000000000000fa
    RAX: ffffffffffffffda RBX: 00007ffc8d402800 RCX: 00007f58ec787bb9
    RDX: 0000000000000000 RSI: 00000000174a63ac RDI: 000000000000000b
    RBP: 0000000000000004 R08: 00007ffc8d402809 R09: 0000000000000020
    R10: 0000000000000000 R11: 0000000000000206 R12: 00007ffc8d402800
    R13: 00007ffc8d4016e0 R14: 0000000000000000 R15: 0000000000000000
    Code: e5 41 55 49 89 f5 41 54 49 89 d4 53 48 89 fb e8 a4 b4 ad ff 85 c0 74 09 80 3d b9 4c 96 00 00 74 43 48 8b b3 20 01 00 00 4d 85 ed b7 5e 10 74 29 4d 85 e4 74 24 4c 39 e3 4c 89 e2 4c 89 ef 48
    RIP: user_read+0x33/0xa0 RSP: ffff9878c047bee8
    CR2: 00000000ffffff92

    Fixes: 61ea0c0ba904 ("KEYS: Skip key state checks when checking for possession")
    Cc: [v3.13+]
    Signed-off-by: Eric Biggers
    Signed-off-by: David Howells

    Eric Biggers
     
  • It was possible for an unprivileged user to create the user and user
    session keyrings for another user. For example:

    sudo -u '#3000' sh -c 'keyctl add keyring _uid.4000 "" @u
    keyctl add keyring _uid_ses.4000 "" @u
    sleep 15' &
    sleep 1
    sudo -u '#4000' keyctl describe @u
    sudo -u '#4000' keyctl describe @us

    This is problematic because these "fake" keyrings won't have the right
    permissions. In particular, the user who created them first will own
    them and will have full access to them via the possessor permissions,
    which can be used to compromise the security of a user's keys:

    -4: alswrv-----v------------ 3000 0 keyring: _uid.4000
    -5: alswrv-----v------------ 3000 0 keyring: _uid_ses.4000

    Fix it by marking user and user session keyrings with a flag
    KEY_FLAG_UID_KEYRING. Then, when searching for a user or user session
    keyring by name, skip all keyrings that don't have the flag set.

    Fixes: 69664cf16af4 ("keys: don't generate user and user session keyrings unless they're accessed")
    Cc: [v2.6.26+]
    Signed-off-by: Eric Biggers
    Signed-off-by: David Howells

    Eric Biggers
     
  • Userspace can call keyctl_read() on a keyring to get the list of IDs of
    keys in the keyring. But if the user-supplied buffer is too small, the
    kernel would write the full list anyway --- which will corrupt whatever
    userspace memory happened to be past the end of the buffer. Fix it by
    only filling the space that is available.

    Fixes: b2a4df200d57 ("KEYS: Expand the capacity of a keyring")
    Cc: [v3.13+]
    Signed-off-by: Eric Biggers
    Signed-off-by: David Howells

    Eric Biggers
     
  • In keyctl_read_key(), if key_permission() were to return an error code
    other than EACCES, we would leak the reference to the key. This can't
    actually happen currently because key_permission() can only return an
    error code other than EACCES if security_key_permission() does, only
    SELinux and Smack implement that hook, and neither can return an error
    code other than EACCES. But it should still be fixed, as it is a bug
    waiting to happen.

    Fixes: 29db91906340 ("[PATCH] Keys: Add LSM hooks for key management [try #3]")
    Signed-off-by: Eric Biggers
    Signed-off-by: David Howells

    Eric Biggers
     
  • In keyctl_assume_authority(), if keyctl_change_reqkey_auth() were to
    fail, we would leak the reference to the 'authkey'. Currently this can
    only happen if prepare_creds() fails to allocate memory. But it still
    should be fixed, as it is a more severe bug waiting to happen.

    This patch also moves the read of 'authkey->serial' to before the
    reference to the authkey is dropped. Doing the read after dropping the
    reference is very fragile because it assumes we still hold another
    reference to the key. (Which we do, in current->cred->request_key_auth,
    but there's no reason not to write it in the "obviously correct" way.)

    Fixes: d84f4f992cbd ("CRED: Inaugurate COW credentials")
    Signed-off-by: Eric Biggers
    Signed-off-by: David Howells

    Eric Biggers
     
  • If key_instantiate_and_link() were to fail (which fortunately isn't
    possible currently), the call to key_revoke(authkey) would crash with a
    NULL pointer dereference in request_key_auth_revoke() because the key
    has not yet been instantiated.

    Fix this by removing the call to key_revoke(). key_put() is sufficient,
    as it's not possible for an uninstantiated authkey to have been used for
    anything yet.

    Fixes: b5f545c880a2 ("[PATCH] keys: Permit running process to instantiate keys")
    Signed-off-by: Eric Biggers
    Signed-off-by: David Howells

    Eric Biggers
     
  • In request_key_auth_new(), if key_alloc() or key_instantiate_and_link()
    were to fail, we would leak a reference to the 'struct cred'. Currently
    this can only happen if key_alloc() fails to allocate memory. But it
    still should be fixed, as it is a more severe bug waiting to happen.

    Fix it by cleaning things up to use a helper function which frees a
    'struct request_key_auth' correctly.

    Fixes: d84f4f992cbd ("CRED: Inaugurate COW credentials")
    Signed-off-by: Eric Biggers
    Signed-off-by: David Howells

    Eric Biggers
     
  • Pull misc security layer update from James Morris:
    "This is the remaining 'general' change in the security tree for v4.14,
    following the direct merging of SELinux (+ TOMOYO), AppArmor, and
    seccomp.

    That's everything now for the security tree except IMA, which will
    follow shortly (I've been traveling for the past week with patchy
    internet)"

    * 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
    security: fix description of values returned by cap_inode_need_killpriv

    Linus Torvalds
     

23 Sep, 2017

18 commits

  • …git/jj/linux-apparmor

    Pull apparmor updates from John Johansen:
    "This is the apparmor pull request, similar to SELinux and seccomp.

    It's the same series that I sent to James' security tree + one
    regression fix that was found after the series was sent to James and
    would have been sent for v4.14-rc2.

    Features:
    - in preparation for secid mapping add support for absolute root view
    based labels
    - add base infrastructure for socket mediation
    - add mount mediation
    - add signal mediation

    minor cleanups and changes:
    - be defensive, ensure unconfined profiles have dfas initialized
    - add more debug asserts to apparmorfs
    - enable policy unpacking to audit different reasons for failure
    - cleanup conditional check for label in label_print
    - Redundant condition: prev_ns. in [label.c:1498]

    Bug Fixes:
    - fix regression in apparmorfs DAC access permissions
    - fix build failure on sparc caused by undeclared signals
    - fix sparse report of incorrect type assignment when freeing label proxies
    - fix race condition in null profile creation
    - Fix an error code in aafs_create()
    - Fix logical error in verify_header()
    - Fix shadowed local variable in unpack_trans_table()"

    * tag 'apparmor-pr-2017-09-22' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor:
    apparmor: fix apparmorfs DAC access permissions
    apparmor: fix build failure on sparc caused by undeclared signals
    apparmor: fix incorrect type assignment when freeing proxies
    apparmor: ensure unconfined profiles have dfas initialized
    apparmor: fix race condition in null profile creation
    apparmor: move new_null_profile to after profile lookup fns()
    apparmor: add base infrastructure for socket mediation
    apparmor: add more debug asserts to apparmorfs
    apparmor: make policy_unpack able to audit different info messages
    apparmor: add support for absolute root view based labels
    apparmor: cleanup conditional check for label in label_print
    apparmor: add mount mediation
    apparmor: add the ability to mediate signals
    apparmor: Redundant condition: prev_ns. in [label.c:1498]
    apparmor: Fix an error code in aafs_create()
    apparmor: Fix logical error in verify_header()
    apparmor: Fix shadowed local variable in unpack_trans_table()

    Linus Torvalds
     
  • The DAC access permissions for several apparmorfs files are wrong.

    .access - needs to be writable by all tasks to perform queries
    the others in the set only provide a read fn so should be read only.

    With policy namespace virtualization all apparmor needs to control
    the permission and visibility checks directly which means DAC
    access has to be allowed for all user, group, and other.

    BugLink: http://bugs.launchpad.net/bugs/1713103
    Fixes: c97204baf840b ("apparmor: rename apparmor file fns and data to indicate use")
    Signed-off-by: John Johansen

    John Johansen
     
  • In file included from security/apparmor/ipc.c:23:0:
    security/apparmor/include/sig_names.h:26:3: error: 'SIGSTKFLT' undeclared here (not in a function)
    [SIGSTKFLT] = 16, /* -, 16, - */
    ^
    security/apparmor/include/sig_names.h:26:3: error: array index in initializer not of integer type
    security/apparmor/include/sig_names.h:26:3: note: (near initialization for 'sig_map')
    security/apparmor/include/sig_names.h:51:3: error: 'SIGUNUSED' undeclared here (not in a function)
    [SIGUNUSED] = 34, /* -, 31, - */
    ^
    security/apparmor/include/sig_names.h:51:3: error: array index in initializer not of integer type
    security/apparmor/include/sig_names.h:51:3: note: (near initialization for 'sig_map')

    Reported-by: Stephen Rothwell
    Fixes: c6bf1adaecaa ("apparmor: add the ability to mediate signals")
    Signed-off-by: John Johansen

    John Johansen
     
  • sparse reports

    poisoning the proxy->label before freeing the struct is resulting in
    a sparse build warning.
    ../security/apparmor/label.c:52:30: warning: incorrect type in assignment (different address spaces)
    ../security/apparmor/label.c:52:30: expected struct aa_label [noderef] *label
    ../security/apparmor/label.c:52:30: got struct aa_label *

    fix with RCU_INIT_POINTER as this is one of those cases where
    rcu_assign_pointer() is not needed.

    Signed-off-by: John Johansen

    John Johansen
     
  • Generally unconfined has early bailout tests and does not need the
    dfas initialized, however if an early bailout test is ever missed
    it will result in an oops.

    Be defensive and initialize the unconfined profile to have null dfas
    (no permission) so if an early bailout test is missed we fail
    closed (no perms granted) instead of oopsing.

    Signed-off-by: John Johansen

    John Johansen
     
  • There is a race when a null-profile is being created between the
    initial lookup/creation of the profile and lock/addition of the
    profile. This could result in multiple versions of a profile being
    added to the list which need to be removed/replaced.

    Since these are learning profiles there is no effect on mediation.

    Signed-off-by: John Johansen

    John Johansen
     
  • new_null_profile will need to use some of the profile lookup fns()
    so move it instead of doing forward fn declarations.

    Signed-off-by: John Johansen

    John Johansen
     
  • Provide a basic mediation of sockets. This is not a full net mediation
    but just whether a specific family of socket can be used by an
    application, along with setting up some basic infrastructure for
    network mediation to follow.

    The user space rule has the basic form of
    NETWORK RULE = [ QUALIFIERS ] 'network' [ DOMAIN ]
    [ TYPE | PROTOCOL ]

    DOMAIN = ( 'inet' | 'ax25' | 'ipx' | 'appletalk' | 'netrom' |
    'bridge' | 'atmpvc' | 'x25' | 'inet6' | 'rose' |
    'netbeui' | 'security' | 'key' | 'packet' | 'ash' |
    'econet' | 'atmsvc' | 'sna' | 'irda' | 'pppox' |
    'wanpipe' | 'bluetooth' | 'netlink' | 'unix' | 'rds' |
    'llc' | 'can' | 'tipc' | 'iucv' | 'rxrpc' | 'isdn' |
    'phonet' | 'ieee802154' | 'caif' | 'alg' | 'nfc' |
    'vsock' | 'mpls' | 'ib' | 'kcm' ) ','

    TYPE = ( 'stream' | 'dgram' | 'seqpacket' | 'rdm' | 'raw' |
    'packet' )

    PROTOCOL = ( 'tcp' | 'udp' | 'icmp' )

    eg.
    network,
    network inet,

    Signed-off-by: John Johansen
    Acked-by: Seth Arnold

    John Johansen
     
  • Signed-off-by: John Johansen
    Acked-by: Seth Arnold

    John Johansen
     
  • Switch unpack auditing to using the generic name field in the audit
    struct and make it so we can start adding new info messages about
    why an unpack failed.

    Signed-off-by: John Johansen
    Acked-by: Seth Arnold

    John Johansen
     
  • With apparmor policy virtualization based on policy namespace views
    we don't generally want/need absolute root based views, however there
    are cases like debugging and some secid based conversions where
    using a root based view is important.

    Signed-off-by: John Johansen
    Acked-by: Seth Arnold

    John Johansen
     
  • Signed-off-by: John Johansen
    Acked-by: Seth Arnold

    John Johansen
     
  • Add basic mount mediation. That allows controlling based on basic
    mount parameters. It does not include special mount parameters for
    apparmor, super block labeling, or any triggers for apparmor namespace
    parameter modifications on pivot root.

    default userspace policy rules have the form of
    MOUNT RULE = ( MOUNT | REMOUNT | UMOUNT )

    MOUNT = [ QUALIFIERS ] 'mount' [ MOUNT CONDITIONS ] [ SOURCE FILEGLOB ]
    [ '->' MOUNTPOINT FILEGLOB ]

    REMOUNT = [ QUALIFIERS ] 'remount' [ MOUNT CONDITIONS ]
    MOUNTPOINT FILEGLOB

    UMOUNT = [ QUALIFIERS ] 'umount' [ MOUNT CONDITIONS ] MOUNTPOINT FILEGLOB

    MOUNT CONDITIONS = [ ( 'fstype' | 'vfstype' ) ( '=' | 'in' )
    MOUNT FSTYPE EXPRESSION ]
    [ 'options' ( '=' | 'in' ) MOUNT FLAGS EXPRESSION ]

    MOUNT FSTYPE EXPRESSION = ( MOUNT FSTYPE LIST | MOUNT EXPRESSION )

    MOUNT FSTYPE LIST = Comma separated list of valid filesystem and
    virtual filesystem types (eg ext4, debugfs, etc)

    MOUNT FLAGS EXPRESSION = ( MOUNT FLAGS LIST | MOUNT EXPRESSION )

    MOUNT FLAGS LIST = Comma separated list of MOUNT FLAGS.

    MOUNT FLAGS = ( 'ro' | 'rw' | 'nosuid' | 'suid' | 'nodev' | 'dev' |
    'noexec' | 'exec' | 'sync' | 'async' | 'remount' |
    'mand' | 'nomand' | 'dirsync' | 'noatime' | 'atime' |
    'nodiratime' | 'diratime' | 'bind' | 'rbind' | 'move' |
    'verbose' | 'silent' | 'loud' | 'acl' | 'noacl' |
    'unbindable' | 'runbindable' | 'private' | 'rprivate' |
    'slave' | 'rslave' | 'shared' | 'rshared' |
    'relatime' | 'norelatime' | 'iversion' | 'noiversion' |
    'strictatime' | 'nouser' | 'user' )

    MOUNT EXPRESSION = ( ALPHANUMERIC | AARE ) ...

    PIVOT ROOT RULE = [ QUALIFIERS ] pivot_root [ oldroot=OLD PUT FILEGLOB ]
    [ NEW ROOT FILEGLOB ]

    SOURCE FILEGLOB = FILEGLOB

    MOUNTPOINT FILEGLOB = FILEGLOB

    eg.
    mount,
    mount /dev/foo,
    mount options=ro /dev/foo -> /mnt/,
    mount options in (ro,atime) /dev/foo -> /mnt/,
    mount options=ro options=atime,

    Signed-off-by: John Johansen
    Acked-by: Seth Arnold

    John Johansen
     
  • Add signal mediation where the signal can be mediated based on the
    signal, direction, or the label of the peer/target. The signal perms
    are verified on a cross check to ensure policy consistency in the case
    of incremental policy load/replacement.

    The optimization of skipping the cross check when policy is guaranteed
    to be consistent (single compile unit) remains to be done.

    policy rules have the form of
    SIGNAL_RULE = [ QUALIFIERS ] 'signal' [ SIGNAL ACCESS PERMISSIONS ]
    [ SIGNAL SET ] [ SIGNAL PEER ]

    SIGNAL ACCESS PERMISSIONS = SIGNAL ACCESS | SIGNAL ACCESS LIST

    SIGNAL ACCESS LIST = '(' Comma or space separated list of SIGNAL
    ACCESS ')'

    SIGNAL ACCESS = ( 'r' | 'w' | 'rw' | 'read' | 'write' | 'send' |
    'receive' )

    SIGNAL SET = 'set' '=' '(' SIGNAL LIST ')'

    SIGNAL LIST = Comma or space separated list of SIGNALS

    SIGNALS = ( 'hup' | 'int' | 'quit' | 'ill' | 'trap' | 'abrt' |
    'bus' | 'fpe' | 'kill' | 'usr1' | 'segv' | 'usr2' |
    'pipe' | 'alrm' | 'term' | 'stkflt' | 'chld' | 'cont' |
    'stop' | 'stp' | 'ttin' | 'ttou' | 'urg' | 'xcpu' |
    'xfsz' | 'vtalrm' | 'prof' | 'winch' | 'io' | 'pwr' |
    'sys' | 'emt' | 'exists' | 'rtmin+0' ... 'rtmin+32'
    )

    SIGNAL PEER = 'peer' '=' AARE

    eg.
    signal, # allow all signals
    signal send set=(hup, kill) peer=foo,

    Signed-off-by: John Johansen
    Acked-by: Seth Arnold

    John Johansen
     
  • Reported-by: David Binderman
    Signed-off-by: John Johansen

    John Johansen
     
  • We accidentally forgot to set the error code on this path. It means we
    return NULL instead of an error pointer. I looked through a bunch of
    callers and I don't think it really causes a big issue, but the
    documentation says we're supposed to return error pointers here.

    Signed-off-by: Dan Carpenter
    Acked-by: Serge Hallyn
    Signed-off-by: John Johansen

    Dan Carpenter
     
  • verify_header() is currently checking whether interface version is less
    than 5 *and* greater than 7, which always evaluates to false. Instead it
    should check whether it is less than 5 *or* greater than 7.

    Signed-off-by: Christos Gkekas
    Signed-off-by: John Johansen

    Christos Gkekas
     
  • with W=2:

    security/apparmor/policy_unpack.c: In function ‘unpack_trans_table’:
    security/apparmor/policy_unpack.c:469: warning: declaration of ‘pos’ shadows a previous local
    security/apparmor/policy_unpack.c:451: warning: shadowed declaration is here

    Rename the old "pos" to "saved_pos" to fix this.

    Fixes: 5379a3312024a8be ("apparmor: support v7 transition format compatible with label_parse")
    Signed-off-by: Geert Uytterhoeven
    Reviewed-by: Serge Hallyn
    Signed-off-by: John Johansen

    Geert Uytterhoeven
     

15 Sep, 2017

1 commit

  • Pull more set_fs removal from Al Viro:
    "Christoph's 'use kernel_read and friends rather than open-coding
    set_fs()' series"

    * 'work.set_fs' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
    fs: unexport vfs_readv and vfs_writev
    fs: unexport vfs_read and vfs_write
    fs: unexport __vfs_read/__vfs_write
    lustre: switch to kernel_write
    gadget/f_mass_storage: stop messing with the address limit
    mconsole: switch to kernel_read
    btrfs: switch write_buf to kernel_write
    net/9p: switch p9_fd_read to kernel_write
    mm/nommu: switch do_mmap_private to kernel_read
    serial2002: switch serial2002_tty_write to kernel_{read/write}
    fs: make the buf argument to __kernel_write a void pointer
    fs: fix kernel_write prototype
    fs: fix kernel_read prototype
    fs: move kernel_read to fs/read_write.c
    fs: move kernel_write to fs/read_write.c
    autofs4: switch autofs4_write to __kernel_write
    ashmem: switch to ->read_iter

    Linus Torvalds
     

13 Sep, 2017

1 commit

  • Pull selinux updates from Paul Moore:
    "A relatively quiet period for SELinux, 11 patches with only two/three
    having any substantive changes.

    These noteworthy changes include another tweak to the NNP/nosuid
    handling, per-file labeling for cgroups, and an object class fix for
    AF_UNIX/SOCK_RAW sockets; the rest of the changes are minor tweaks or
    administrative updates (Stephen's email update explains the file
    explosion in the diffstat).

    Everything passes the selinux-testsuite"

    [ Also a couple of small patches from the security tree from Tetsuo
    Handa for Tomoyo and LSM cleanup. The separation of security policy
    updates wasn't all that clean - Linus ]

    * tag 'selinux-pr-20170831' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
    selinux: constify nf_hook_ops
    selinux: allow per-file labeling for cgroupfs
    lsm_audit: update my email address
    selinux: update my email address
    MAINTAINERS: update the NetLabel and Labeled Networking information
    selinux: use GFP_NOWAIT in the AVC kmem_caches
    selinux: Generalize support for NNP/nosuid SELinux domain transitions
    selinux: genheaders should fail if too many permissions are defined
    selinux: update the selinux info in MAINTAINERS
    credits: update Paul Moore's info
    selinux: Assign proper class to PF_UNIX/SOCK_RAW sockets
    tomoyo: Update URLs in Documentation/admin-guide/LSM/tomoyo.rst
    LSM: Remove security_task_create() hook.

    Linus Torvalds
     

12 Sep, 2017

1 commit

  • Pull namespace updates from Eric Biederman:
    "Life has been busy and I have not gotten half as much done this round
    as I would have liked. I delayed it so that a minor conflict
    resolution with the mips tree could spend a little time in linux-next
    before I sent this pull request.

    This includes two long delayed user namespace changes from Kirill
    Tkhai. It also includes a very useful change from Serge Hallyn that
    allows the security capability attribute to be used inside of user
    namespaces. The practical effect of this is people can now untar
    tarballs and install rpms in user namespaces. It had been suggested to
    generalize this and encode some of the namespace information in the
    xattr name. Upon close inspection that makes the things that should be
    hard easy and the things that should be easy more expensive.

    Then there is my bugfix/cleanup for signal injection that removes the
    magic encoding of the siginfo union member from the kernel internal
    si_code. The mips folks reported that the case where I had used
    FPE_FIXME is impossible, so I have removed FPE_FIXME from mips, while
    at the same time including a return statement in that case to keep gcc
    from complaining about uninitialized variables.

    I almost finished the work to make copy_siginfo_to_user a trivial
    copy to user. The code is available at:

    git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace.git neuter-copy_siginfo_to_user-v3

    But I did not have time/energy to get the code posted and reviewed
    before the merge window opened.

    I was able to see that the security excuse for just copying fields
    that we know are initialized doesn't work in practice: there are buggy
    initializations that don't initialize the proper fields in siginfo. So
    we still sometimes copy uninitialized data to userspace"

    * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace:
    Introduce v3 namespaced file capabilities
    mips/signal: In force_fcr31_sig return in the impossible case
    signal: Remove kernel internal si_code magic
    fcntl: Don't use ambiguous SIG_POLL si_codes
    prctl: Allow local CAP_SYS_ADMIN changing exe_file
    security: Use user_namespace::level to avoid redundant iterations in cap_capable()
    userns,pidns: Verify the userns for new pid namespaces
    signal/testing: Don't look for __SI_FAULT in userspace
    signal/mips: Document a conflict with SI_USER with SIGFPE
    signal/sparc: Document a conflict with SI_USER with SIGFPE
    signal/ia64: Document a conflict with SI_USER with SIGFPE
    signal/alpha: Document a conflict with SI_USER for SIGTRAP

    Linus Torvalds
     

08 Sep, 2017

2 commits

  • Pull audit updates from Paul Moore:
    "A small pull request for audit this time, only four patches and only
    two with any real code changes.

    Those two changes are the removal of a pointless SELinux AVC
    initialization audit event and a fix to improve the audit timestamp
    overhead.

    The other two patches are comment cleanup and administrative updates,
    nothing very exciting.

    Everything passes our tests"

    * tag 'audit-pr-20170907' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit:
    audit: update the function comments
    selinux: remove AVC init audit log message
    audit: update the audit info in MAINTAINERS
    audit: Reduce overhead using a coarse clock

    Linus Torvalds
     
  • Pull secureexec update from Kees Cook:
    "This series has the ultimate goal of providing a sane stack rlimit
    when running set*id processes.

    To do this, the bprm_secureexec LSM hook is collapsed into the
    bprm_set_creds hook so the secureexec-ness of an exec can be
    determined early enough to make decisions about rlimits and the
    resulting memory layouts. Other logic acting on the secureexec-ness of
    an exec is similarly consolidated. Capabilities needed some special
    handling, but the refactoring removed other special handling, so that
    was a wash"

    * tag 'secureexec-v4.14-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
    exec: Consolidate pdeath_signal clearing
    exec: Use sane stack rlimit under secureexec
    exec: Consolidate dumpability logic
    smack: Remove redundant pdeath_signal clearing
    exec: Use secureexec for clearing pdeath_signal
    exec: Use secureexec for setting dumpability
    LSM: drop bprm_secureexec hook
    commoncap: Move cap_elevated calculation into bprm_set_creds
    commoncap: Refactor to remove bprm_secureexec hook
    smack: Refactor to remove bprm_secureexec hook
    selinux: Refactor to remove bprm_secureexec hook
    apparmor: Refactor to remove bprm_secureexec hook
    binfmt: Introduce secureexec flag
    exec: Correct comments about "point of no return"
    exec: Rename bprm->cred_prepared to called_set_creds

    Linus Torvalds
     

05 Sep, 2017

2 commits

  • In the process of normalizing audit log messages, it was noticed that the AVC
    initialization code registered an audit log KERNEL record that didn't fit the
    standard format. In the process of attempting to normalize it, it was
    determined that this record was not even necessary. Remove it.

    Ref: http://marc.info/?l=selinux&m=149614868525826&w=2
    See: https://github.com/linux-audit/audit-kernel/issues/48
    Signed-off-by: Richard Guy Briggs
    Acked-by: Stephen Smalley
    Acked-by: Steve Grubb
    Signed-off-by: Paul Moore

    Richard Guy Briggs
     
  • Make the position an in/out argument like all the other read/write
    helpers and make the buf argument a void pointer.

    Signed-off-by: Christoph Hellwig
    Signed-off-by: Al Viro

    Christoph Hellwig