26 Feb, 2016

1 commit


20 Feb, 2016

1 commit

  • The inode_getsecid hook is called from contexts in which sleeping is not
    allowed, so we cannot revalidate inode security labels from there. Use
    the non-validating version of inode_security() instead.

    Reported-by: Benjamin Coddington
    Signed-off-by: Andreas Gruenbacher
    Acked-by: Stephen Smalley
    Signed-off-by: Paul Moore

    Andreas Gruenbacher
     

12 Feb, 2016

1 commit

  • This patch fixes vulnerability CVE-2016-2085. The problem exists
    because the vm_verify_hmac() function includes a use of memcmp().
    Unfortunately, this allows timing side channel attacks; specifically
    a MAC forgery complexity drop from 2^128 to 2^12. This patch changes
    the memcmp() to the cryptographically safe crypto_memneq().

    Reported-by: Xiaofei Rex Guo
    Signed-off-by: Ryan Ware
    Cc: stable@vger.kernel.org
    Signed-off-by: Mimi Zohar
    Signed-off-by: James Morris

    Ryan Ware
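    The commit above replaces memcmp() with crypto_memneq() because an early-exit comparison leaks, through its run time, how many leading bytes of a candidate MAC matched. The following is an added userland illustration of that idea, not the kernel's code or anything from this commit: ct_memneq() is a hypothetical rewrite in the spirit of crypto_memneq(), early_exit_steps() models a byte-wise early-exit compare, and TAG/FORGED are constructed sample tags rather than real EVM values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constant-time inequality test in the spirit of the kernel's crypto_memneq():
 * XOR every byte pair and OR the differences together, so the loop always
 * runs over all n bytes and the result does not depend on where the first
 * mismatch sits. Returns 0 when equal, 1 otherwise. (Hypothetical userland
 * rewrite for illustration; it is not the kernel's implementation.) */
int ct_memneq(const void *a, const void *b, size_t n)
{
    const volatile uint8_t *pa = (const volatile uint8_t *)a;
    const volatile uint8_t *pb = (const volatile uint8_t *)b;
    uint8_t diff = 0;
    size_t i;

    for (i = 0; i < n; i++)
        diff |= pa[i] ^ pb[i];

    /* Fold any non-zero byte down to 1 without a data-dependent branch:
     * for diff in 1..255, either diff or (uint8_t)-diff has bit 7 set. */
    return (diff | (uint8_t)-diff) >> 7;
}

/* Model of a byte-wise early-exit compare (what a naive memcmp() may do):
 * returns how many loop iterations ran before it gave up. That count, and
 * therefore the run time, grows with the length of the matching prefix,
 * which is the side channel the commit closes. */
size_t early_exit_steps(const uint8_t *a, const uint8_t *b, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (a[i] != b[i])
            return i + 1;
    return n;
}

/* Before: memcmp()-based tag check; timing depends on the candidate tag. */
int hmac_matches_unsafe(const uint8_t *expected, const uint8_t *candidate, size_t n)
{
    return memcmp(expected, candidate, n) == 0;
}

/* After: constant-time tag check; timing is independent of the candidate. */
int hmac_matches_ct(const uint8_t *expected, const uint8_t *candidate, size_t n)
{
    return ct_memneq(expected, candidate, n) == 0;
}

/* Constructed sample tags (not real EVM HMAC values). FORGED matches TAG in
 * its first five bytes and differs from byte 5 onward. */
const uint8_t TAG[16] = {
    0x1f, 0x8b, 0x42, 0xd3, 0x09, 0x77, 0xa1, 0x5e,
    0xc4, 0x12, 0x9d, 0x63, 0xee, 0x08, 0xb5, 0x2a
};
const uint8_t FORGED[16] = {
    0x1f, 0x8b, 0x42, 0xd3, 0x09, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};

int main(void)
{
    printf("early-exit compare stopped after %zu of %d bytes\n",
           early_exit_steps(TAG, FORGED, 16), 16);
    printf("unsafe check: %d, constant-time check: %d\n",
           hmac_matches_unsafe(TAG, FORGED, 16),
           hmac_matches_ct(TAG, FORGED, 16));
    return 0;
}
```

    Both checks return the same verdict; the difference is only that ct_memneq() always touches all 16 bytes, so an observer measuring the comparison learns nothing about how long the matching prefix was.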
     

09 Feb, 2016

1 commit


28 Jan, 2016

1 commit

  • KEY_FLAG_KEEP should only be applied to a key if the keyring it is being
    linked into has KEY_FLAG_KEEP set.

    To this end, partially revert the following patch:

    commit 1d6d167c2efcfe9539d9cffb1a1be9c92e39c2c0
    Author: Mimi Zohar
    Date: Thu Jan 7 07:46:36 2016 -0500
    KEYS: refcount bug fix

    to undo the change that made it unconditional (Mimi got it right the first
    time).

    Without undoing this change, it becomes impossible to delete, revoke or
    invalidate keys added to keyrings through __key_instantiate_and_link()
    where the keyring has itself been linked to. To test this, run the
    following command sequence:

    keyctl newring foo @s
    keyctl add user a a %:foo
    keyctl unlink %user:a %:foo
    keyctl clear %:foo

    With the commit mentioned above the third and fourth commands fail with
    EPERM when they should succeed.

    Reported-by: Stephen Gallagher
    Signed-off-by: David Howells
    Acked-by: Mimi Zohar
    cc: Mimi Zohar
    cc: keyrings@vger.kernel.org
    cc: stable@vger.kernel.org
    Signed-off-by: James Morris

    David Howells
     

23 Jan, 2016

1 commit

  • parallel to mutex_{lock,unlock,trylock,is_locked,lock_nested},
    inode_foo(inode) being mutex_foo(&inode->i_mutex).

    Please, use those for access to ->i_mutex; over the coming cycle
    ->i_mutex will become rwsem, with ->lookup() done with it held
    only shared.

    Signed-off-by: Al Viro

    Al Viro
     

21 Jan, 2016

2 commits

  • By checking the effective credentials instead of the real UID / permitted
    capabilities, ensure that the calling process actually intended to use its
    credentials.

    To ensure that all ptrace checks use the correct caller credentials (e.g.
    in case out-of-tree code or newly added code omits the PTRACE_MODE_*CREDS
    flag), use two new flags and require one of them to be set.

    The problem was that when a privileged task had temporarily dropped its
    privileges, e.g. by calling setreuid(0, user_uid), with the intent to
    perform following syscalls with the credentials of a user, it still passed
    ptrace access checks that the user would not be able to pass.

    While an attacker should not be able to convince the privileged task to
    perform a ptrace() syscall, this is a problem because the ptrace access
    check is reused for things in procfs.

    In particular, the following somewhat interesting procfs entries only rely
    on ptrace access checks:

    /proc/$pid/stat - uses the check for determining whether pointers
      should be visible, useful for bypassing ASLR
    /proc/$pid/maps - also useful for bypassing ASLR
    /proc/$pid/cwd - useful for gaining access to restricted
      directories that contain files with lax permissions, e.g. in
      this scenario:
        lrwxrwxrwx root root /proc/13020/cwd -> /root/foobar
        drwx------ root root /root
        drwxr-xr-x root root /root/foobar
        -rw-r--r-- root root /root/foobar/secret

    Therefore, on a system where a root-owned mode 6755 binary changes its
    effective credentials as described and then dumps a user-specified file,
    this could be used by an attacker to reveal the memory layout of root's
    processes or reveal the contents of files he is not allowed to access
    (through /proc/$pid/cwd).

    [akpm@linux-foundation.org: fix warning]
    Signed-off-by: Jann Horn
    Acked-by: Kees Cook
    Cc: Casey Schaufler
    Cc: Oleg Nesterov
    Cc: Ingo Molnar
    Cc: James Morris
    Cc: "Serge E. Hallyn"
    Cc: Andy Shevchenko
    Cc: Andy Lutomirski
    Cc: Al Viro
    Cc: "Eric W. Biederman"
    Cc: Willy Tarreau
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Jann Horn
     
  • It looks like smack and yama weren't aware that the ptrace mode
    can have flags ORed into it - PTRACE_MODE_NOAUDIT until now, but
    only for /proc/$pid/stat, and with the PTRACE_MODE_*CREDS patch,
    all modes have flags ORed into them.

    Signed-off-by: Jann Horn
    Acked-by: Kees Cook
    Acked-by: Casey Schaufler
    Cc: Oleg Nesterov
    Cc: Ingo Molnar
    Cc: James Morris
    Cc: "Serge E. Hallyn"
    Cc: Andy Shevchenko
    Cc: Andy Lutomirski
    Cc: Al Viro
    Cc: "Eric W. Biederman"
    Cc: Willy Tarreau
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Jann Horn
     

20 Jan, 2016

1 commit

  • This fixes CVE-2016-0728.

    If a thread is asked to join as a session keyring the keyring that's already
    set as its session, we leak a keyring reference.

    This can be tested with the following program:

    #include <stdio.h>
    #include <keyutils.h>

    int main(int argc, const char *argv[])
    {
        int i = 0;
        key_serial_t serial;

        serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
                        "leaked-keyring");
        if (serial < 0) {
            perror("keyctl");
            return -1;
        }

        if (keyctl(KEYCTL_SETPERM, serial,
                   KEY_POS_ALL | KEY_USR_ALL) < 0) {
            perror("keyctl");
            return -1;
        }

        for (i = 0; i < 100; i++) {
            serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
                            "leaked-keyring");
            if (serial < 0) {
                perror("keyctl");
                return -1;
            }
        }

        return 0;
    }

    If, after the program has run, there is something like the following line in
    /proc/keys:

    3f3d898f I--Q--- 100 perm 3f3f0000 0 0 keyring leaked-keyring: empty

    with a usage count of 100 * the number of times the program has been run,
    then the kernel is malfunctioning. If leaked-keyring has zero usages or
    has been garbage collected, then the problem is fixed.

    Reported-by: Yevgeny Pats
    Signed-off-by: David Howells
    Acked-by: Don Zickus
    Acked-by: Prarit Bhargava
    Acked-by: Jarod Wilson
    Signed-off-by: James Morris

    Yevgeny Pats
     

18 Jan, 2016

1 commit

  • Pull security subsystem updates from James Morris:

    - EVM gains support for loading an x509 cert from the kernel
    (EVM_LOAD_X509), into the EVM trusted kernel keyring.

    - Smack implements 'file receive' process-based permission checking for
    sockets, rather than just depending on inode checks.

    - Misc enhancments for TPM & TPM2.

    - Cleanups and bugfixes for SELinux, Keys, and IMA.

    * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (41 commits)
    selinux: Inode label revalidation performance fix
    KEYS: refcount bug fix
    ima: ima_write_policy() limit locking
    IMA: policy can be updated zero times
    selinux: rate-limit netlink message warnings in selinux_nlmsg_perm()
    selinux: export validatetrans decisions
    gfs2: Invalid security labels of inodes when they go invalid
    selinux: Revalidate invalid inode security labels
    security: Add hook to invalidate inode security labels
    selinux: Add accessor functions for inode->i_security
    security: Make inode argument of inode_getsecid non-const
    security: Make inode argument of inode_getsecurity non-const
    selinux: Remove unused variable in selinux_inode_init_security
    keys, trusted: seal with a TPM2 authorization policy
    keys, trusted: select hash algorithm for TPM2 chips
    keys, trusted: fix: *do not* allow duplicate key options
    tpm_ibmvtpm: properly handle interrupted packet receptions
    tpm_tis: Tighten IRQ auto-probing
    tpm_tis: Refactor the interrupt setup
    tpm_tis: Get rid of the duplicate IRQ probing code
    ...

    Linus Torvalds
     

14 Jan, 2016

1 commit


13 Jan, 2016

1 commit

  • Pull misc vfs updates from Al Viro:
    "All kinds of stuff. That probably should've been 5 or 6 separate
    branches, but by the time I'd realized how large and mixed that bag
    had become it had been too close to -final to play with rebasing.

    Some fs/namei.c cleanups there, memdup_user_nul() introduction and
    switching open-coded instances, burying long-dead code, whack-a-mole
    of various kinds, several new helpers for ->llseek(), assorted
    cleanups and fixes from various people, etc.

    One piece probably deserves special mention - Neil's
    lookup_one_len_unlocked(). Similar to lookup_one_len(), but gets
    called without ->i_mutex and tries to avoid ever taking it. That, of
    course, means that it's not useful for any directory modifications,
    but things like getting inode attributes in nfsd readdirplus are fine
    with that. I really should've asked for moratorium on lookup-related
    changes this cycle, but since I hadn't done that early enough... I
    *am* asking for that for the coming cycle, though - I'm going to try
    and get conversion of i_mutex to rwsem with ->lookup() done under lock
    taken shared.

    There will be a patch closer to the end of the window, along the lines
    of the one Linus had posted last May - mechanical conversion of
    ->i_mutex accesses to inode_lock()/inode_unlock()/inode_trylock()/
    inode_is_locked()/inode_lock_nested(). To quote Linus back then:

    -----
    | This is an automated patch using
    |
    | sed 's/mutex_lock(&\(.*\)->i_mutex)/inode_lock(\1)/'
    | sed 's/mutex_unlock(&\(.*\)->i_mutex)/inode_unlock(\1)/'
    | sed 's/mutex_lock_nested(&\(.*\)->i_mutex,[ ]*I_MUTEX_\([A-Z0-9_]*\))/inode_lock_nested(\1, I_MUTEX_\2)/'
    | sed 's/mutex_is_locked(&\(.*\)->i_mutex)/inode_is_locked(\1)/'
    | sed 's/mutex_trylock(&\(.*\)->i_mutex)/inode_trylock(\1)/'
    |
    | with a very few manual fixups
    -----

    I'm going to send that once the ->i_mutex-affecting stuff in -next
    gets mostly merged (or when Linus says he's about to stop taking
    merges)"

    * 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (63 commits)
    nfsd: don't hold i_mutex over userspace upcalls
    fs:affs:Replace time_t with time64_t
    fs/9p: use fscache mutex rather than spinlock
    proc: add a reschedule point in proc_readfd_common()
    logfs: constify logfs_block_ops structures
    fcntl: allow to set O_DIRECT flag on pipe
    fs: __generic_file_splice_read retry lookup on AOP_TRUNCATED_PAGE
    fs: xattr: Use kvfree()
    [s390] page_to_phys() always returns a multiple of PAGE_SIZE
    nbd: use ->compat_ioctl()
    fs: use block_device name vsprintf helper
    lib/vsprintf: add %*pg format specifier
    fs: use gendisk->disk_name where possible
    poll: plug an unused argument to do_poll
    amdkfd: don't open-code memdup_user()
    cdrom: don't open-code memdup_user()
    rsxx: don't open-code memdup_user()
    mtip32xx: don't open-code memdup_user()
    [um] mconsole: don't open-code memdup_user_nul()
    [um] hostaudio: don't open-code memdup_user()
    ...

    Linus Torvalds
     

12 Jan, 2016

1 commit

  • Pull vfs xattr updates from Al Viro:
    "Andreas' xattr cleanup series.

    It's a followup to his xattr work that went in last cycle; -0.5KLoC"

    * 'work.xattr' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
    xattr handlers: Simplify list operation
    ocfs2: Replace list xattr handler operations
    nfs: Move call to security_inode_listsecurity into nfs_listxattr
    xfs: Change how listxattr generates synthetic attributes
    tmpfs: listxattr should include POSIX ACL xattrs
    tmpfs: Use xattr handler infrastructure
    btrfs: Use xattr handler infrastructure
    vfs: Distinguish between full xattr names and proper prefixes
    posix acls: Remove duplicate xattr name definitions
    gfs2: Remove gfs2_xattr_acl_chmod
    vfs: Remove vfs_xattr_cmp

    Linus Torvalds
     

10 Jan, 2016

1 commit


09 Jan, 2016

2 commits


08 Jan, 2016

1 commit

  • This patch fixes the key_ref leak, removes the unnecessary KEY_FLAG_KEEP
    test before setting the flag, and cleans up the if/then brackets style
    introduced in commit:
    d3600bc KEYS: prevent keys from being removed from specified keyrings

    Reported-by: David Howells
    Signed-off-by: Mimi Zohar
    Acked-by: David Howells

    Mimi Zohar
     

04 Jan, 2016

4 commits



25 Dec, 2015

9 commits


20 Dec, 2015

3 commits

  • TPM2 supports authorization policies, which are essentially
    combinational logic statements representing the conditions where the data
    can be unsealed based on the TPM state. This patch enables the use of
    authorization policies to seal trusted keys.

    The following two new options have been added for trusted keys:

    * 'policydigest=': provide an auth policy digest for sealing.
    * 'policyhandle=': provide a policy session handle for unsealing.

    If the 'hash=' option is supplied after the 'policydigest=' option, this
    will result in an error because the state of the options would become
    mixed.

    Signed-off-by: Jarkko Sakkinen
    Tested-by: Colin Ian King
    Reviewed-by: Mimi Zohar
    Acked-by: Peter Huewe

    Jarkko Sakkinen
     
  • Added 'hash=' option for selecting the hash algorithm for add_key()
    syscall and documentation for it.

    Added entry for sm3-256 to the following tables in order to support
    TPM_ALG_SM3_256:

    * hash_algo_name
    * hash_digest_size

    Includes support for the following hash algorithms:

    * sha1
    * sha256
    * sha384
    * sha512
    * sm3-256

    Signed-off-by: Jarkko Sakkinen
    Tested-by: Colin Ian King
    Reviewed-by: James Morris
    Reviewed-by: Mimi Zohar
    Acked-by: Peter Huewe

    Jarkko Sakkinen
     
  • The trusted keys option parsing allows specifying the same option
    multiple times. The last option value specified is used.

    This is problematic because:

    * No gain.
    * This makes it complicated to specify options that are dependent on other
    options.

    This patch changes the behavior so that an option can be specified
    only once.

    Reported-by: James Morris
    Reviewed-by: Mimi Zohar
    Signed-off-by: Jarkko Sakkinen
    Acked-by: Peter Huewe

    Jarkko Sakkinen
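    The three trusted-key commits above describe two parsing rules: an option may appear only once, and 'hash=' after 'policydigest=' is an error because the digest already supplied was computed for some hash. The following is an added, stand-alone userland parser written to illustrate those rules; it is not the kernel's trusted-key option parser. It knows only the three options and five hash names these commit messages list, the hex/handle validation is a constructed choice for the example, and the sample option strings in main() are made up.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Option bits, one per trusted-key option named in the commits above. */
enum {
    OPT_HASH         = 1u << 0,
    OPT_POLICYDIGEST = 1u << 1,
    OPT_POLICYHANDLE = 1u << 2
};

/* Hash algorithms the 'hash=' option accepts, per the commit message. */
static const char *const hash_names[] = {
    "sha1", "sha256", "sha384", "sha512", "sm3-256"
};

struct trusted_opts {
    unsigned seen;              /* which options have already appeared */
    const char *hash;           /* NULL when 'hash=' was not given */
    char policydigest[129];     /* hex digest exactly as supplied */
    unsigned long policyhandle;
};

static const char *lookup_hash(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof hash_names / sizeof hash_names[0]; i++)
        if (!strcmp(name, hash_names[i]))
            return hash_names[i];
    return NULL;
}

static int is_hex(const char *s)
{
    if (!*s)
        return 0;
    for (; *s; s++)
        if (!isxdigit((unsigned char)*s))
            return 0;
    return 1;
}

/* Parses a space-separated "key=value ..." option string. Returns 0 on
 * success and -EINVAL for an unknown option, a value that does not parse,
 * an option given twice, or 'hash=' appearing after 'policydigest='. */
int parse_trusted_opts(const char *spec, struct trusted_opts *o)
{
    char buf[256];
    char *tok;

    if (strlen(spec) >= sizeof buf)
        return -EINVAL;
    strcpy(buf, spec);
    memset(o, 0, sizeof *o);

    for (tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        char *val = strchr(tok, '=');
        unsigned bit;

        if (!val)
            return -EINVAL;
        *val++ = '\0';

        if (!strcmp(tok, "hash"))              bit = OPT_HASH;
        else if (!strcmp(tok, "policydigest")) bit = OPT_POLICYDIGEST;
        else if (!strcmp(tok, "policyhandle")) bit = OPT_POLICYHANDLE;
        else                                   return -EINVAL;

        if (o->seen & bit)
            return -EINVAL;             /* same option specified twice */

        switch (bit) {
        case OPT_HASH:
            /* a digest already supplied was computed for some hash, so
             * changing the hash afterwards would leave the state mixed */
            if (o->seen & OPT_POLICYDIGEST)
                return -EINVAL;
            o->hash = lookup_hash(val);
            if (!o->hash)
                return -EINVAL;
            break;
        case OPT_POLICYDIGEST:
            if (!is_hex(val) || strlen(val) >= sizeof o->policydigest)
                return -EINVAL;
            strcpy(o->policydigest, val);
            break;
        case OPT_POLICYHANDLE: {
            char *end;
            o->policyhandle = strtoul(val, &end, 16);
            if (end == val || *end)
                return -EINVAL;
            break;
        }
        }
        o->seen |= bit;
    }
    return 0;
}

/* Convenience wrapper returning only the status code. */
int parse_rc(const char *spec)
{
    struct trusted_opts o;
    return parse_trusted_opts(spec, &o);
}

int main(void)
{
    printf("%d\n", parse_rc("hash=sha256 policydigest=0123abcd")); /* 0 */
    printf("%d\n", parse_rc("policydigest=0123abcd hash=sha256")); /* -EINVAL */
    printf("%d\n", parse_rc("hash=sha256 hash=sha1"));             /* -EINVAL */
    return 0;
}
```

    Tracking a seen-bitmask as options are consumed is what makes both rules cheap to enforce: a duplicate is a bit already set, and the ordering rule is a check of one bit at the moment another is about to be set.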
     

19 Dec, 2015

1 commit

  • This fixes CVE-2015-7550.

    There's a race between keyctl_read() and keyctl_revoke(). If the revoke
    happens between keyctl_read() checking the validity of a key and the key's
    semaphore being taken, then the key type read method will see a revoked key.

    This causes a problem for the user-defined key type because it assumes in
    its read method that there will always be a payload in a non-revoked key
    and doesn't check for a NULL pointer.

    Fix this by making keyctl_read() check the validity of a key after taking
    semaphore instead of before.

    I think the bug was introduced with the original keyrings code.

    This was discovered by a multithreaded test program generated by syzkaller
    (http://github.com/google/syzkaller). Here's a cleaned up version:

    #include <keyutils.h>
    #include <pthread.h>

    void *thr0(void *arg)
    {
        key_serial_t key = (unsigned long)arg;
        keyctl_revoke(key);
        return 0;
    }

    void *thr1(void *arg)
    {
        key_serial_t key = (unsigned long)arg;
        char buffer[16];
        keyctl_read(key, buffer, 16);
        return 0;
    }

    int main()
    {
        key_serial_t key = add_key("user", "%", "foo", 3, KEY_SPEC_USER_KEYRING);
        pthread_t th[5];
        pthread_create(&th[0], 0, thr0, (void *)(unsigned long)key);
        pthread_create(&th[1], 0, thr1, (void *)(unsigned long)key);
        pthread_create(&th[2], 0, thr0, (void *)(unsigned long)key);
        pthread_create(&th[3], 0, thr1, (void *)(unsigned long)key);
        pthread_join(th[0], 0);
        pthread_join(th[1], 0);
        pthread_join(th[2], 0);
        pthread_join(th[3], 0);
        return 0;
    }

    Build as:

    cc -o keyctl-race keyctl-race.c -lkeyutils -lpthread

    Run as:

    while keyctl-race; do :; done

    as it may need several iterations to crash the kernel. The crash can be
    summarised as:

    BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
    IP: [] user_read+0x56/0xa3
    ...
    Call Trace:
    [] keyctl_read_key+0xb6/0xd7
    [] SyS_keyctl+0x83/0xe0
    [] entry_SYSCALL_64_fastpath+0x12/0x6f

    Reported-by: Dmitry Vyukov
    Signed-off-by: David Howells
    Tested-by: Dmitry Vyukov
    Cc: stable@vger.kernel.org
    Signed-off-by: James Morris

    David Howells
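    The fix above is an ordering change: check the key's validity after taking its semaphore, not before, so a revoke cannot land in the gap. The following is an added userland model of that check-then-lock versus lock-then-check difference; it is not the kernel's keyctl_read() or user_read() code. struct model_key, model_user_read(), model_revoke(), the race_hook_t callback that deterministically plays the part of the racing revoke, and the WOULD_OOPS sentinel standing in for the NULL dereference are all constructed for this illustration.

```c
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <string.h>

#ifndef EKEYREVOKED
#define EKEYREVOKED 128   /* Linux value; defined here only if errno.h lacks it */
#endif

/* Sentinel standing in for the NULL pointer dereference the real user_read()
 * hits on a revoked key; the demo must not actually crash. */
#define WOULD_OOPS (-1000L)

/* Constructed userland model of a key (not the kernel's struct key): a mutex
 * playing the role of the key semaphore, a revoked flag and a payload that
 * revocation drops. */
struct model_key {
    pthread_mutex_t sem;
    int revoked;
    const char *payload;
    size_t datalen;
};

void model_key_init(struct model_key *k, const char *payload)
{
    pthread_mutex_init(&k->sem, NULL);
    k->revoked = 0;
    k->payload = payload;
    k->datalen = strlen(payload);
}

/* Type-specific read method, modelled on the commit's description of
 * user_read(): it assumes a non-revoked key always carries a payload. */
static long model_user_read(struct model_key *k, char *buf, size_t n)
{
    size_t len;
    if (!k->payload)
        return WOULD_OOPS;
    len = k->datalen < n ? k->datalen : n;
    memcpy(buf, k->payload, len);
    return (long)len;
}

/* keyctl_revoke() counterpart: mark revoked and drop the payload under lock. */
void model_revoke(struct model_key *k)
{
    pthread_mutex_lock(&k->sem);
    k->revoked = 1;
    k->payload = NULL;
    k->datalen = 0;
    pthread_mutex_unlock(&k->sem);
}

typedef void (*race_hook_t)(struct model_key *);

/* Pre-fix ordering: validity checked BEFORE the semaphore is taken. The hook
 * is a deterministic stand-in for a revoke landing in that gap (a test aid
 * for this example only; the kernel has nothing like it). */
long read_check_then_lock(struct model_key *k, char *buf, size_t n,
                          race_hook_t in_window)
{
    long ret;
    if (k->revoked)
        return -EKEYREVOKED;
    if (in_window)
        in_window(k);             /* revoke slips in here */
    pthread_mutex_lock(&k->sem);
    ret = model_user_read(k, buf, n);
    pthread_mutex_unlock(&k->sem);
    return ret;
}

/* Post-fix ordering: take the semaphore first, then check validity, so a
 * revoke either completes before the check or waits until the read is done. */
long read_lock_then_check(struct model_key *k, char *buf, size_t n,
                          race_hook_t concurrent)
{
    long ret;
    if (concurrent)
        concurrent(k);            /* the racing revoke, now observed under lock */
    pthread_mutex_lock(&k->sem);
    if (k->revoked)
        ret = -EKEYREVOKED;
    else
        ret = model_user_read(k, buf, n);
    pthread_mutex_unlock(&k->sem);
    return ret;
}

/* Runs one scenario from a fresh key and returns the reader's result. */
long run_scenario(int fixed, int revoke_races)
{
    struct model_key k;
    char buf[16];
    race_hook_t hook = revoke_races ? model_revoke : NULL;
    model_key_init(&k, "foo");
    return fixed ? read_lock_then_check(&k, buf, sizeof buf, hook)
                 : read_check_then_lock(&k, buf, sizeof buf, hook);
}

int main(void)
{
    printf("pre-fix,  no race: %ld\n", run_scenario(0, 0));
    printf("pre-fix,  race:    %ld (sentinel for the NULL dereference)\n", run_scenario(0, 1));
    printf("post-fix, race:    %ld (-EKEYREVOKED)\n", run_scenario(1, 1));
    return 0;
}
```

    With the revoke racing, the pre-fix ordering reaches the read method with a NULL payload (the oops in the trace above), while the post-fix ordering sees the revoked flag under the lock and returns -EKEYREVOKED; the hook makes the interleaving deterministic, which the real multithreaded reproducer cannot, hence its retry loop.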
     

18 Dec, 2015

1 commit

  • The Smack security handler for the sendmsg() syscall
    is vulnerable to a type confusion issue that
    can allow privilege escalation to root
    or cause a denial of service.

    A malicious attacker can create a socket of one
    type, for example AF_UNIX, and pass it into the
    sendmsg() function, ensuring that this is an
    AF_INET socket.

    Remedy
    Do not trust user supplied data.
    Proposed fix below.

    Signed-off-by: Roman Kubiak
    Signed-off-by: Mateusz Fruba
    Acked-by: Casey Schaufler

    Roman Kubiak
     

15 Dec, 2015

2 commits

  • The Kconfig currently controlling compilation of this code is:

    ima/Kconfig:config IMA_MOK_KEYRING
    ima/Kconfig: bool "Create IMA machine owner keys (MOK) and blacklist keyrings"

    ...meaning that it currently is not being built as a module by anyone.

    Let's remove the couple of traces of modularity so that when reading the
    driver there is no doubt it really is builtin-only.

    Since module_init translates to device_initcall in the non-modular
    case, the init ordering remains unchanged with this commit.

    Cc: Mimi Zohar
    Cc: Dmitry Kasatkin
    Cc: James Morris
    Cc: "Serge E. Hallyn"
    Cc: linux-ima-devel@lists.sourceforge.net
    Cc: linux-ima-user@lists.sourceforge.net
    Cc: linux-security-module@vger.kernel.org
    Signed-off-by: Paul Gortmaker
    Signed-off-by: Mimi Zohar

    Paul Gortmaker
     
  • While creating a temporary list of new rules, the ima_appraise flag is
    updated, but not reverted on failure to append the new rules to the
    existing policy. This patch defines temp_ima_appraise flag. Only when
    the new rules are appended to the policy is the flag updated.

    Signed-off-by: Mimi Zohar
    Acked-by: Petko Manolov

    Mimi Zohar