15 Jul, 2008

1 commit


14 Jul, 2008

22 commits

  • The register security hook is no longer required, as the capability
    module is always registered. LSMs wishing to stack capability as
    a secondary module should do so explicitly.

    Signed-off-by: James Morris
    Acked-by: Stephen Smalley
    Acked-by: Greg Kroah-Hartman

    James Morris
     
  • The sb_get_mnt_opts() hook is unused, and is superseded by the
    sb_show_options() hook.

    Signed-off-by: Miklos Szeredi
    Acked-by: James Morris

    Miklos Szeredi
     
  • This patch causes SELinux mount options to show up in /proc/mounts. As
    with other code in the area seq_put errors are ignored. Other LSMs
    will not have their mount options displayed until they fill in their own
    security_sb_show_options() function.

    Signed-off-by: Eric Paris
    Signed-off-by: Miklos Szeredi
    Signed-off-by: James Morris

    Eric Paris
     
  • Currently if a FS is mounted for which SELinux policy does not define an
    fs_use_* that FS will either be genfs labeled or not labeled at all.
    This decision is based on the existence of a genfscon rule in policy and
    is irrespective of the capabilities of the filesystem itself. This
    patch allows the kernel to check if the filesystem supports security
    xattrs and if so will use those if there is no fs_use_* rule in policy.
    An fstype with no fs_use_* rule but with a genfs rule will use xattrs
    if available and will follow the genfs rule.

    This can be particularly interesting for things like ecryptfs which
    actually overlays a real underlying FS. If we define ecryptfs in
    policy to use xattrs we will likely get this wrong at times, so with
    this patch we just don't need to define it!

    Overlay ecryptfs on top of NFS with no xattr support:
    SELinux: initialized (dev ecryptfs, type ecryptfs), uses genfs_contexts
    Overlay ecryptfs on top of ext4 with xattr support:
    SELinux: initialized (dev ecryptfs, type ecryptfs), uses xattr

    It is also useful as the kernel adds new FS we don't need to add them in
    policy if they support xattrs and that is how we want to handle them.

    Signed-off-by: Eric Paris
    Acked-by: Stephen Smalley
    Signed-off-by: James Morris

    Eric Paris
     
  • Use do_each_thread as a proper do/while block. Sparse complained.

    Signed-off-by: James Morris
    Acked-by: Stephen Smalley

    James Morris
     
  • Remove unused and shadowed addrlen variable. Picked up by sparse.

    Signed-off-by: James Morris
    Acked-by: Stephen Smalley
    Acked-by: Paul Moore

    James Morris
     
  • I've gotten complaints and reports about people not understanding the
    meaning of the current unknown class/perm handling the kernel emits on
    every policy load. Hopefully this will make it clear to everyone
    the meaning of the message and won't waste a printk the user won't care
    about anyway on systems where the kernel and the policy agree on
    everything.

    Signed-off-by: Eric Paris
    Signed-off-by: James Morris

    Eric Paris
     
  • On Mon, 2008-06-09 at 01:24 -0700, Andrew Morton wrote:
    > Getting a few of these with FC5:
    >
    > SELinux: context_struct_compute_av: unrecognized class 69
    > SELinux: context_struct_compute_av: unrecognized class 69
    >
    > one came out when I logged in.
    >
    > No other symptoms, yet.

    Change handling of invalid classes by SELinux, reporting class values
    unknown to the kernel as errors (w/ ratelimit applied) and handling
    class values unknown to policy as normal denials.

    Signed-off-by: Stephen Smalley
    Acked-by: Eric Paris
    Signed-off-by: James Morris

    Stephen Smalley
     
    We used to protect against races of policy load in security_load_policy
    by using the load_mutex. Since then we have added a new mutex,
    sel_mutex, in sel_write_load(), which is always held across all calls to
    security_load_policy, so we are covered and can safely just drop this one.

    Signed-off-by: Eric Paris
    Acked-by: Stephen Smalley
    Signed-off-by: James Morris

    Eric Paris
     
    The class_to_string array is referenced by tclass. My code mistakenly
    was using tclass - 1. If the preceding class is a userspace class
    rather than kernel class this may cause a denial/EINVAL even if unknown
    handling is set to allow. The bug shouldn't be allowing excess
    privileges since those are given based on the contents of another array
    which should be correctly referenced.

    At this point in time it's pretty unlikely this is going to cause
    problems. The most recently added kernel classes which could be
    affected are association, dccp_socket, and peer. It's pretty unlikely
    any policy with handle_unknown=allow doesn't have association and
    dccp_socket undefined (they've been around longer than unknown handling)
    and peer is conditionalized on a policy cap which should only be defined
    if that class exists in policy.

    Signed-off-by: Eric Paris
    Acked-by: Stephen Smalley
    Signed-off-by: James Morris

    Eric Paris
     
  • Open code sidtab lock to make Andrew Morton happy.

    Signed-off-by: James Morris
    Acked-by: Stephen Smalley

    James Morris
     
  • Open code load_mutex as suggested by Andrew Morton.

    Signed-off-by: James Morris

    James Morris
     
  • Open code policy_rwlock, as suggested by Andrew Morton.

    Signed-off-by: James Morris
    Acked-by: Stephen Smalley

    James Morris
     
  • Fix an endianness bug in the handling of network node addresses by
    SELinux. This yields no change on little endian hardware but fixes
    the incorrect handling on big endian hardware. The network node
    addresses are stored in network order in memory by checkpolicy, not in
    cpu/host order, and thus should not have cpu_to_le32/le32_to_cpu
    conversions applied upon policy write/read unlike other data in the
    policy.

    Bug reported by John Weeks of Sun, who noticed that binary policy
    files built from the same policy source on x86 and sparc differed and
    tracked it down to the ipv4 address handling in checkpolicy.

    Signed-off-by: Stephen Smalley
    Signed-off-by: James Morris

    Stephen Smalley
     
  • Simplify and improve the robustness of the SELinux ioctl checking by
    using the "access mode" bits of the ioctl command to determine the
    permission check rather than dealing with individual command values.
    This removes any knowledge of specific ioctl commands from SELinux
    and follows the same guidance we gave to Smack earlier.

    Signed-off-by: Stephen Smalley
    Signed-off-by: James Morris

    Stephen Smalley
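The access-mode rule this commit describes, written out as an added example that is not code from the patch: the only thing the check looks at is the direction field of the ioctl command number. The command layout used below (nr:8, type:8, size:14, dir:2) follows include/asm-generic/ioctl.h and is an assumption for the demo, since a few architectures encode it differently; the FILE__* values are illustrative bit positions, not the kernel's generated constants.

```c
/*
 * Added example, not code from the patch: decide which SELinux file
 * permission an ioctl needs from the command's direction bits alone.
 * Layout (nr:8, type:8, size:14, dir:2) follows asm-generic/ioctl.h and
 * is an assumption here; FILE__* values are illustrative, not the
 * kernel's generated constants.
 */
#include <stdio.h>
#include <stdint.h>

#define IOC_NRBITS    8
#define IOC_TYPEBITS  8
#define IOC_SIZEBITS  14
#define IOC_DIRBITS   2

#define IOC_NRSHIFT   0
#define IOC_TYPESHIFT (IOC_NRSHIFT + IOC_NRBITS)
#define IOC_SIZESHIFT (IOC_TYPESHIFT + IOC_TYPEBITS)
#define IOC_DIRSHIFT  (IOC_SIZESHIFT + IOC_SIZEBITS)

#define IOC_NONE  0U
#define IOC_WRITE 1U
#define IOC_READ  2U

/* Build a command number the way _IO/_IOR/_IOW/_IOWR do. */
#define IOC(dir, type, nr, size)                                           \
    (((unsigned)(dir) << IOC_DIRSHIFT) | ((unsigned)(type) << IOC_TYPESHIFT) | \
     ((unsigned)(nr) << IOC_NRSHIFT) | ((unsigned)(size) << IOC_SIZESHIFT))
#define IOC_DIR(cmd) (((cmd) >> IOC_DIRSHIFT) & ((1U << IOC_DIRBITS) - 1))

/* Illustrative permission bits (assumption, see above). */
#define FILE__IOCTL 0x01U
#define FILE__READ  0x02U
#define FILE__WRITE 0x04U

/*
 * The post-patch rule: _IOC_WRITE asks for FILE__WRITE, _IOC_READ for
 * FILE__READ, both directions for both, and a command with no direction
 * falls back to the generic FILE__IOCTL permission.
 */
uint32_t ioctl_required_av(unsigned int cmd)
{
    unsigned int dir = IOC_DIR(cmd);
    uint32_t av = 0;

    if (dir & IOC_WRITE)
        av |= FILE__WRITE;
    if (dir & IOC_READ)
        av |= FILE__READ;
    if (!av)
        av = FILE__IOCTL;
    return av;
}

static const char *av_name(uint32_t av)
{
    switch (av) {
    case FILE__IOCTL:              return "ioctl";
    case FILE__READ:               return "read";
    case FILE__WRITE:              return "write";
    case FILE__READ | FILE__WRITE: return "read write";
    default:                       return "?";
    }
}

int main(void)
{
    /* Constructed command numbers in the style of the four _IO* macros. */
    struct { const char *how; unsigned int cmd; } cmds[] = {
        { "_IO",   IOC(IOC_NONE,             'T', 0x01, 0) },
        { "_IOR",  IOC(IOC_READ,             'T', 0x02, sizeof(int)) },
        { "_IOW",  IOC(IOC_WRITE,            'T', 0x03, sizeof(int)) },
        { "_IOWR", IOC(IOC_READ | IOC_WRITE, 'T', 0x04, sizeof(int)) },
    };
    for (size_t i = 0; i < sizeof cmds / sizeof cmds[0]; i++)
        printf("%-5s cmd=0x%08x -> file { %s }\n", cmds[i].how,
               cmds[i].cmd, av_name(ioctl_required_av(cmds[i].cmd)));
    return 0;
}
```

The caveat a policy writer should keep in mind: the check is only as good as the direction bits the driver chose. A legacy command defined with _IO() that nevertheless takes a pointer and writes through it is seen as "no direction" and only needs the generic ioctl permission, so the patch trades per-command knowledge in SELinux for an assumption that drivers encode their commands honestly.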
     
  • Enable processes with CAP_MAC_ADMIN + mac_admin permission in policy
    to get undefined contexts on inodes. This extends the support for
    deferred mapping of security contexts in order to permit restorecon
    and similar programs to see the raw file contexts unknown to the
    system policy in order to check them.

    Signed-off-by: Stephen Smalley
    Signed-off-by: James Morris

    Stephen Smalley
     
  • Enable security modules to distinguish reading of process state via
    proc from full ptrace access by renaming ptrace_may_attach to
    ptrace_may_access and adding a mode argument indicating whether only
    read access or full attach access is requested. This allows security
    modules to permit access to reading process state without granting
    full ptrace access. The base DAC/capability checking remains unchanged.

    Read access to /proc/pid/mem continues to apply a full ptrace attach
    check since check_mem_permission() already requires the current task
    to already be ptracing the target. The other ptrace checks within
    proc for elements like environ, maps, and fds are changed to pass the
    read mode instead of attach.

    In the SELinux case, we model such reading of process state as a
    reading of a proc file labeled with the target process' label. This
    enables SELinux policy to permit such reading of process state without
    permitting control or manipulation of the target process, as there are
    a number of cases where programs probe for such information via proc
    but do not need to be able to control the target (e.g. procps,
    lsof, PolicyKit, ConsoleKit). At present we have to choose between
    allowing full ptrace in policy (more permissive than required/desired)
    or breaking functionality (or in some cases just silencing the denials
    via dontaudit rules but this can hide genuine attacks).

    This version of the patch incorporates comments from Casey Schaufler
    (change/replace existing ptrace_may_attach interface, pass access
    mode), and Chris Wright (provide greater consistency in the checking).

    Note that like their predecessors __ptrace_may_attach and
    ptrace_may_attach, the __ptrace_may_access and ptrace_may_access
    interfaces use different return value conventions from each other (0
    or -errno vs. 1 or 0). I retained this difference to avoid any
    changes to the caller logic but made the difference clearer by
    changing the latter interface to return a bool rather than an int and
    by adding a comment about it to ptrace.h for any future callers.

    Signed-off-by: Stephen Smalley
    Acked-by: Chris Wright
    Signed-off-by: James Morris

    Stephen Smalley
     
  • Remove inherit field from inode_security_struct, per Stephen Smalley:
    "Let's just drop inherit altogether - dead field."

    Signed-off-by: James Morris

    James Morris
     
  • reorder inode_security_struct to remove padding on 64 bit builds

    size reduced from 72 to 64 bytes increasing objects per slab to 64.

    Signed-off-by: Richard Kennedy
    Signed-off-by: James Morris

    Richard Kennedy
     
  • Formatting and syntax changes

    whitespace, tabs to spaces, trailing space
    put open { on same line as struct def
    remove unneeded {} after if statements
    change printk("Lu") to printk("llu")
    convert asm/uaccess.h to linux/uaccess.h includes
    remove unnecessary asm/bug.h includes
    convert all users of simple_strtol to strict_strtol

    Signed-off-by: Eric Paris
    Signed-off-by: James Morris

    Eric Paris
     
  • Fix a sleeping function called from invalid context bug by moving allocation
    to the callers prior to taking the policy rdlock.

    Signed-off-by: Stephen Smalley
    Signed-off-by: James Morris

    Stephen Smalley
     
  • Introduce SELinux support for deferred mapping of security contexts in
    the SID table upon policy reload, and use this support for inode
    security contexts when the context is not yet valid under the current
    policy. Only processes with CAP_MAC_ADMIN + mac_admin permission in
    policy can set undefined security contexts on inodes. Inodes with
    such undefined contexts are treated as having the unlabeled context
    until the context becomes valid upon a policy reload that defines the
    context. Context invalidation upon policy reload also uses this
    support to save the context information in the SID table and later
    recover it upon a subsequent policy reload that defines the context
    again.

    This support is to enable package managers and similar programs to set
    down file contexts unknown to the system policy at the time the file
    is created in order to better support placing loadable policy modules
    in packages and to support build systems that need to create images of
    different distro releases with different policies w/o requiring all of
    the contexts to be defined or legal in the build host policy.

    With this patch applied, the following sequence is possible, although
    in practice it is recommended that this permission only be allowed to
    specific program domains such as the package manager.

    # rmdir baz
    # rm bar
    # touch bar
    # chcon -t foo_exec_t bar # foo_exec_t is not yet defined
    chcon: failed to change context of `bar' to `system_u:object_r:foo_exec_t': Invalid argument
    # mkdir -Z system_u:object_r:foo_exec_t baz
    mkdir: failed to set default file creation context to `system_u:object_r:foo_exec_t': Invalid argument
    # cat setundefined.te
    policy_module(setundefined, 1.0)
    require {
    type unconfined_t;
    type unlabeled_t;
    }
    files_type(unlabeled_t)
    allow unconfined_t self:capability2 mac_admin;
    # make -f /usr/share/selinux/devel/Makefile setundefined.pp
    # semodule -i setundefined.pp
    # chcon -t foo_exec_t bar # foo_exec_t is not yet defined
    # mkdir -Z system_u:object_r:foo_exec_t baz
    # ls -Zd bar baz
    -rw-r--r-- root root system_u:object_r:unlabeled_t bar
    drwxr-xr-x root root system_u:object_r:unlabeled_t baz
    # cat foo.te
    policy_module(foo, 1.0)
    type foo_exec_t;
    files_type(foo_exec_t)
    # make -f /usr/share/selinux/devel/Makefile foo.pp
    # semodule -i foo.pp # defines foo_exec_t
    # ls -Zd bar baz
    -rw-r--r-- root root user_u:object_r:foo_exec_t bar
    drwxr-xr-x root root system_u:object_r:foo_exec_t baz
    # semodule -r foo
    # ls -Zd bar baz
    -rw-r--r-- root root system_u:object_r:unlabeled_t bar
    drwxr-xr-x root root system_u:object_r:unlabeled_t baz
    # semodule -i foo.pp
    # ls -Zd bar baz
    -rw-r--r-- root root user_u:object_r:foo_exec_t bar
    drwxr-xr-x root root system_u:object_r:foo_exec_t baz
    # semodule -r setundefined foo
    # chcon -t foo_exec_t bar # no longer defined and not allowed
    chcon: failed to change context of `bar' to `system_u:object_r:foo_exec_t': Invalid argument
    # rmdir baz
    # mkdir -Z system_u:object_r:foo_exec_t baz
    mkdir: failed to set default file creation context to `system_u:object_r:foo_exec_t': Invalid argument

    Signed-off-by: Stephen Smalley
    Signed-off-by: James Morris

    Stephen Smalley
     

02 May, 2008

1 commit


30 Apr, 2008

3 commits

  • Every implementation of ->task_kill() does nothing when the signal comes from
    the kernel. This is correct, but means that check_kill_permission() should
    call security_task_kill() only for SI_FROMUSER() case, and we can remove the
    same check from ->task_kill() implementations.

    (sadly, check_kill_permission() is the last user of signal->session/__session
    but we can't s/task_session_nr/task_session/ here).

    NOTE: Eric W. Biederman pointed out cap_task_kill() should die, and I think
    he is very right.

    Signed-off-by: Oleg Nesterov
    Cc: "Eric W. Biederman"
    Cc: Serge Hallyn
    Cc: Roland McGrath
    Cc: Casey Schaufler
    Cc: David Quigley
    Cc: Eric Paris
    Cc: Harald Welte
    Cc: Pavel Emelyanov
    Cc: Stephen Smalley
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Oleg Nesterov
     
  • Make secctx_to_secid() take constant secdata.

    Signed-off-by: David Howells
    Signed-off-by: Linus Torvalds

    David Howells
     
  • * 'audit.b50' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current:
    [PATCH] new predicate - AUDIT_FILETYPE
    [patch 2/2] Use find_task_by_vpid in audit code
    [patch 1/2] audit: let userspace fully control TTY input auditing
    [PATCH 2/2] audit: fix sparse shadowed variable warnings
    [PATCH 1/2] audit: move extern declarations to audit.h
    Audit: MAINTAINERS update
    Audit: increase the maximum length of the key field
    Audit: standardize string audit interfaces
    Audit: stop deadlock from signals under load
    Audit: save audit_backlog_limit audit messages in case auditd comes back
    Audit: collect sessionid in netlink messages
    Audit: end printk with newline

    Linus Torvalds
     

29 Apr, 2008

4 commits

  • Don't generate the per-UID user and user session keyrings unless they're
    explicitly accessed. This solves a problem during a login process whereby
    set*uid() is called before the SELinux PAM module, resulting in the per-UID
    keyrings having the wrong security labels.

    This also cures the problem of multiple per-UID keyrings sometimes appearing
    due to PAM modules (including pam_keyinit) setuiding and causing user_structs
    to come into and go out of existence whilst the session keyring pins the user
    keyring. This is achieved by first searching for extant per-UID keyrings
    before inventing new ones.

    The serial bound argument is also dropped from find_keyring_by_name() as it's
    not currently made use of (setting it to 0 disables the feature).

    Signed-off-by: David Howells
    Cc: Stephen Smalley
    Cc: James Morris
    Cc: Chris Wright
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    David Howells
     
  • Add a keyctl() function to get the security label of a key.

    The following is added to Documentation/keys.txt:

    (*) Get the LSM security context attached to a key.

    long keyctl(KEYCTL_GET_SECURITY, key_serial_t key, char *buffer,
    size_t buflen)

    This function returns a string that represents the LSM security context
    attached to a key in the buffer provided.

    Unless there's an error, it always returns the amount of data it could
    produce, even if that's too big for the buffer, but it won't copy more
    than requested to userspace. If the buffer pointer is NULL then no copy
    will take place.

    A NUL character is included at the end of the string if the buffer is
    sufficiently big. This is included in the returned count. If no LSM is
    in force then an empty string will be returned.

    A process must have view permission on the key for this function to be
    successful.

    [akpm@linux-foundation.org: declare keyctl_get_security()]
    Signed-off-by: David Howells
    Acked-by: Stephen Smalley
    Cc: Paul Moore
    Cc: Chris Wright
    Cc: James Morris
    Cc: Kevin Coffman
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    David Howells
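The buffer contract documented above (full length returned even when the buffer is too small, nothing copied for a NULL buffer, the NUL counted only when it fits) is the kind of interface that invites truncation bugs, so here is an added example of a caller that honours it. This is editor-written code, not from the patch or from keyutils; KEYCTL_GET_SECURITY = 17 and KEY_SPEC_SESSION_KEYRING = -3 are taken from the uapi headers as remembered and are assumptions here, and fake_getter()/fake_getter_nolsm() are constructed stand-ins with the same contract so the helper can be exercised without a kernel keyring or an LSM.

```c
/*
 * Added example, not code from the patch or keyutils: read a key's LSM
 * context with the keyctl(KEYCTL_GET_SECURITY) size-probing contract.
 * KEYCTL_GET_SECURITY=17 and KEY_SPEC_SESSION_KEYRING=-3 are assumed
 * values; fake_getter() is a constructed stand-in for the syscall.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __linux__
#include <sys/syscall.h>
#include <unistd.h>
long syscall(long number, ...);   /* libc prototype, stated so the build does not depend on _GNU_SOURCE ordering */
#endif

#ifndef KEYCTL_GET_SECURITY
#define KEYCTL_GET_SECURITY 17
#endif
#ifndef KEY_SPEC_SESSION_KEYRING
#define KEY_SPEC_SESSION_KEYRING (-3)
#endif

typedef int32_t key_serial_t;

/* Anything with keyctl(KEYCTL_GET_SECURITY, key, buffer, buflen) semantics. */
typedef long (*secctx_getter)(key_serial_t key, char *buffer, size_t buflen);

#ifdef __linux__
static long kernel_getter(key_serial_t key, char *buffer, size_t buflen)
{
    return syscall(SYS_keyctl, KEYCTL_GET_SECURITY, key, buffer, buflen);
}
#endif

/* Constructed context string for the stand-in getter (not a real label). */
#define FAKE_CONTEXT "system_u:object_r:example_key_t:s0"

/* Stand-in: returns the full length including the NUL, copies at most buflen. */
long fake_getter(key_serial_t key, char *buffer, size_t buflen)
{
    size_t len = strlen(FAKE_CONTEXT) + 1;
    (void)key;
    if (buffer && buflen > 0)
        memcpy(buffer, FAKE_CONTEXT, len < buflen ? len : buflen);
    return (long)len;
}

/* Stand-in for a kernel with no LSM in force: an empty string, length 0. */
long fake_getter_nolsm(key_serial_t key, char *buffer, size_t buflen)
{
    (void)key; (void)buffer; (void)buflen;
    return 0;
}

/*
 * Two-call pattern: probe with NULL for the size, allocate, fetch, and
 * refuse a result that grew between the two calls (a policy reload can
 * relabel the key in the meantime).  Returns a malloc'd string or NULL
 * with errno set.  buf[need] is written unconditionally so the result
 * is NUL-terminated even for the no-LSM empty string.
 */
char *key_get_security(secctx_getter get, key_serial_t key)
{
    long need = get(key, NULL, 0);
    if (need < 0)
        return NULL;

    char *buf = malloc((size_t)need + 1);
    if (!buf)
        return NULL;

    long got = get(key, buf, (size_t)need + 1);
    if (got < 0) {
        int saved = errno;
        free(buf);
        errno = saved;
        return NULL;
    }
    if (got > need + 1) {           /* context grew: the copy is truncated, caller should retry */
        free(buf);
        errno = ERANGE;
        return NULL;
    }
    buf[need] = '\0';
    return buf;
}

int main(void)
{
    char *ctx = key_get_security(fake_getter, 1);
    printf("stand-in key: \"%s\"\n", ctx ? ctx : "(error)");
    free(ctx);

#ifdef __linux__
    ctx = key_get_security(kernel_getter, KEY_SPEC_SESSION_KEYRING);
    if (ctx) {
        printf("session keyring: \"%s\"\n", ctx);
        free(ctx);
    } else {
        perror("keyctl(KEYCTL_GET_SECURITY)");
    }
#endif
    return 0;
}
```

Two details carry the safety here: the helper never trusts the kernel to NUL-terminate a truncated copy, and it treats a length that grew between the probe and the fetch as an error rather than using a partial string, since a truncated label could compare equal to a shorter, more privileged one in a naive prefix check.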
     
  • Add missing consts to xattr function arguments.

    Signed-off-by: David Howells
    Cc: Andreas Gruenbacher
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    David Howells
     
  • * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6:
    SELinux: Fix a RCU free problem with the netport cache
    SELinux: Made netnode cache adds faster
    SELinux: include/security.h whitespace, syntax, and other cleanups
    SELinux: policydb.h whitespace, syntax, and other cleanups
    SELinux: mls_types.h whitespace, syntax, and other cleanups
    SELinux: mls.h whitespace, syntax, and other cleanups
    SELinux: hashtab.h whitespace, syntax, and other cleanups
    SELinux: context.h whitespace, syntax, and other cleanups
    SELinux: ss/conditional.h whitespace, syntax, and other cleanups
    SELinux: selinux/include/security.h whitespace, syntax, and other cleanups
    SELinux: objsec.h whitespace, syntax, and other cleanups
    SELinux: netlabel.h whitespace, syntax, and other cleanups
    SELinux: avc_ss.h whitespace, syntax, and other cleanups

    Fixed up conflict in include/linux/security.h manually

    Linus Torvalds
     

28 Apr, 2008

9 commits

  • Filesystem capability support makes it possible to do away with (set)uid-0
    based privilege and use capabilities instead. That is, with filesystem
    support for capabilities but without this present patch, it is (conceptually)
    possible to manage a system with capabilities alone and never need to obtain
    privilege via (set)uid-0.

    Of course, conceptually isn't quite the same as currently possible since few
    user applications, certainly not enough to run a viable system, are currently
    prepared to leverage capabilities to exercise privilege. Further, many
    applications exist that may never get upgraded in this way, and the kernel
    will continue to want to support their setuid-0 base privilege needs.

    Where pure-capability applications evolve and replace setuid-0 binaries, it is
    desirable that there be a mechanism by which they can contain their
    privilege. In addition to leveraging the per-process bounding and inheritable
    sets, this should include suppressing the privilege of the uid-0 superuser
    from the process' tree of children.

    The feature added by this patch can be leveraged to suppress the privilege
    associated with (set)uid-0. This suppression requires CAP_SETPCAP to
    initiate, and only immediately affects the 'current' process (it is inherited
    through fork()/exec()). This reimplementation differs significantly from the
    historical support for securebits which was system-wide, unwieldy and which
    has ultimately withered to a dead relic in the source of the modern kernel.

    With this patch applied a process, that is capable(CAP_SETPCAP), can now drop
    all legacy privilege (through uid=0) for itself and all subsequently
    fork()'d/exec()'d children with:

    prctl(PR_SET_SECUREBITS, 0x2f);

    This patch represents a no-op unless CONFIG_SECURITY_FILE_CAPABILITIES is
    enabled at configure time.

    [akpm@linux-foundation.org: fix uninitialised var warning]
    [serue@us.ibm.com: capabilities: use cap_task_prctl when !CONFIG_SECURITY]
    Signed-off-by: Andrew G. Morgan
    Acked-by: Serge Hallyn
    Reviewed-by: James Morris
    Cc: Stephen Smalley
    Cc: Paul Moore
    Signed-off-by: Serge E. Hallyn
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Andrew G. Morgan
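What the prctl(PR_SET_SECUREBITS, 0x2f) line in the commit message actually switches on, and the rule the kernel applies before accepting such a request, as an added model written by the editor rather than the patch's own code. Bit positions follow include/linux/securebits.h; securebits_change_allowed() is the kernel's validity check as the editor reads it, with the CAP_SETPCAP test reduced to a flag, and both are assumptions for the demo. PR_SET_SECUREBITS=28 is a fallback define for headers that lack it.

```c
/*
 * Added example, a model rather than security/commoncap.c: the securebits
 * word, what 0x2f switches on, and the validity rule for PR_SET_SECUREBITS.
 * Bit positions follow include/linux/securebits.h; the check mirrors the
 * kernel logic as understood by the editor (assumption), and CAP_SETPCAP
 * is modelled as a plain flag.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <errno.h>
#include <sys/prctl.h>
#endif
#ifndef PR_SET_SECUREBITS
#define PR_SET_SECUREBITS 28
#endif

#define SECURE_NOROOT                 0
#define SECURE_NOROOT_LOCKED          1
#define SECURE_NO_SETUID_FIXUP        2
#define SECURE_NO_SETUID_FIXUP_LOCKED 3
#define SECURE_KEEP_CAPS              4
#define SECURE_KEEP_CAPS_LOCKED       5

#define issecure_mask(X) (1U << (X))
#define SECURE_ALL_BITS  (issecure_mask(SECURE_NOROOT) |          \
                          issecure_mask(SECURE_NO_SETUID_FIXUP) | \
                          issecure_mask(SECURE_KEEP_CAPS))
#define SECURE_ALL_LOCKS (SECURE_ALL_BITS << 1)

/*
 * Would PR_SET_SECUREBITS(want) succeed for a task whose word is cur?
 *  - only known flag and lock bits may be present;
 *  - a lock that is set can never be cleared;
 *  - a flag whose lock is set cannot change;
 *  - the caller needs CAP_SETPCAP.
 */
bool securebits_change_allowed(unsigned cur, unsigned want, bool has_setpcap)
{
    if (!has_setpcap)
        return false;
    if (want & ~(SECURE_ALL_BITS | SECURE_ALL_LOCKS))
        return false;                                   /* unknown bit */
    if ((cur & SECURE_ALL_LOCKS) & ~want)
        return false;                                   /* clearing a lock */
    if (((cur & SECURE_ALL_LOCKS) >> 1) & (cur ^ want))
        return false;                                   /* locked flag flipped */
    return true;
}

/*
 * Render a securebits word as "name=0|1[(locked)] ..." into out (size n).
 * Returns how many of the three flags have either their flag or lock set.
 */
int securebits_describe(unsigned bits, char *out, size_t n)
{
    static const char *names[] = { "noroot", "no_setuid_fixup", "keep_caps" };
    int count = 0;

    out[0] = '\0';
    for (int i = 0; i < 3; i++) {
        unsigned flag = issecure_mask(2 * i), lock = flag << 1;
        if (!(bits & (flag | lock)))
            continue;
        size_t used = strlen(out);
        snprintf(out + used, n - used, "%s%s=%d%s", used ? " " : "",
                 names[i], !!(bits & flag), (bits & lock) ? "(locked)" : "");
        count++;
    }
    return count;
}

int main(int argc, char **argv)
{
    char desc[128];

    securebits_describe(0x2f, desc, sizeof desc);
    printf("0x2f = %s\n", desc);
    printf("0 -> 0x2f with CAP_SETPCAP: %s\n",
           securebits_change_allowed(0, 0x2f, true) ? "ok" : "EPERM");
    printf("0x2f -> 0x2e (clear locked noroot): %s\n",
           securebits_change_allowed(0x2f, 0x2e, true) ? "ok" : "EPERM");

#ifdef __linux__
    /* Only apply for real when asked: afterwards uid 0 confers nothing on this process tree. */
    if (argc > 1 && strcmp(argv[1], "--apply") == 0) {
        if (prctl(PR_SET_SECUREBITS, 0x2fUL, 0UL, 0UL, 0UL) == -1)
            printf("prctl(PR_SET_SECUREBITS, 0x2f) failed: %s\n", strerror(errno));
        else
            printf("securebits set; legacy root privilege is now suppressed\n");
    }
#else
    (void)argc; (void)argv;
#endif
    return 0;
}
```

Reading 0x2f with the decoder: it is SECURE_ALL_LOCKS (0x2a) plus noroot and no_setuid_fixup, so uid 0 grants nothing, capabilities are not juggled on setuid transitions, and keep_caps is locked at 0 so the process cannot later opt into retaining capabilities across a uid change. Because every lock bit is set, no later prctl in this process or its children can undo any of it, which is the containment property the commit message is after. Note the commit's own caveat: without CONFIG_SECURITY_FILE_CAPABILITIES the call is a no-op.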
     
  • This patch standardized the string auditing interfaces. No userspace
    changes will be visible and this is all just cleanup and consistency
    work. We have the following string audit interfaces to use:

    void audit_log_n_hex(struct audit_buffer *ab, const unsigned char *buf, size_t len);

    void audit_log_n_string(struct audit_buffer *ab, const char *buf, size_t n);
    void audit_log_string(struct audit_buffer *ab, const char *buf);

    void audit_log_n_untrustedstring(struct audit_buffer *ab, const char *string, size_t n);
    void audit_log_untrustedstring(struct audit_buffer *ab, const char *string);

    This may be the first step to possibly fixing some of the issues that
    people have with the string output from the kernel audit system. But we
    still don't have an agreed upon solution to that problem.

    Signed-off-by: Eric Paris
    Signed-off-by: Al Viro

    Eric Paris
     
  • The netport cache doesn't free resources in a manner which is safe or orderly.
    This patch fixes this by adding in a missing call to rcu_dereference() in
    sel_netport_insert() as well as some general cleanup throughout the file.

    Signed-off-by: Paul Moore
    Signed-off-by: James Morris

    Paul Moore
     
  • When adding new entries to the network node cache we would walk the entire
    hash bucket to make sure we didn't cross a threshold (done to bound the
    cache size). This isn't a very quick or elegant solution for something
    which is supposed to be quick-ish so add a counter to each hash bucket to
    track the size of the bucket and eliminate the need to walk the entire
    bucket list on each add.

    Signed-off-by: Paul Moore
    Signed-off-by: James Morris

    Paul Moore
     
  • This patch changes policydb.h to fix whitespace and syntax issues. Things that
    are fixed may include (does not have to include)

    spaces followed by tabs
    spaces used instead of tabs
    location of * in pointer declarations

    Signed-off-by: Eric Paris
    Signed-off-by: James Morris

    Eric Paris
     
  • This patch changes mls_types.h to fix whitespace and syntax issues. Things that
    are fixed may include (does not have to include)

    spaces used instead of tabs

    Signed-off-by: Eric Paris
    Signed-off-by: James Morris

    Eric Paris
     
  • This patch changes mls.h to fix whitespace and syntax issues. Things that
    are fixed may include (does not have to include)

    spaces used instead of tabs

    Signed-off-by: Eric Paris
    Signed-off-by: James Morris

    Eric Paris
     
  • This patch changes hashtab.h to fix whitespace and syntax issues. Things that
    are fixed may include (does not have to include)

    spaces used instead of tabs

    Signed-off-by: Eric Paris
    Signed-off-by: James Morris

    Eric Paris
     
  • This patch changes context.h to fix whitespace and syntax issues. Things that
    are fixed may include (does not have to include)

    include spaces around , in function calls

    Signed-off-by: Eric Paris
    Signed-off-by: James Morris

    Eric Paris