01 Feb, 2008

1 commit

  • As pointed out by Adrian Bunk, commit
    45c950e0f839fded922ebc0bfd59b1081cc71b70 ("fix memory leak in netlabel
    code") caused a double-free when security_netlbl_sid_to_secattr()
    fails. This patch fixes this by removing the netlbl_secattr_destroy()
    call from that function since we are already releasing the secattr
    memory in selinux_netlbl_sock_setsid().

    Signed-off-by: Paul Moore
    Signed-off-by: David S. Miller

    Paul Moore
     

30 Jan, 2008

14 commits

  • Capabilities have long been the default when CONFIG_SECURITY=n,
    and its help text suggests turning it on when CONFIG_SECURITY=y.
    But it is set to default n.

    Default it to y instead.

    Signed-off-by: Serge Hallyn
    Acked-by: Matt LaPlante
    Signed-off-by: James Morris

    sergeh@us.ibm.com
     
  • selinux_set_mnt_opts() can become static.

    Signed-off-by: Adrian Bunk
    Signed-off-by: James Morris

    Adrian Bunk
     
  • Currently network traffic can be silently dropped due to non-avc errors which
    can lead to much confusion when trying to debug the problem. This patch adds
    warning messages so that when these events occur there is a user visible
    notification.

    Signed-off-by: Paul Moore
    Signed-off-by: James Morris

    Paul Moore
     
  • This patch implements packet ingress/egress controls for SELinux which allow
    SELinux security policy to control the flow of all IPv4 and IPv6 packets into
    and out of the system. Currently SELinux does not have proper control over
    forwarded packets and this patch corrects this problem.

    Special thanks to Venkat Yekkirala whose earlier
    work on this topic eventually led to this patch.

    Signed-off-by: Paul Moore
    Signed-off-by: James Morris

    Paul Moore
     
  • Now that the SELinux NetLabel "base SID" is always the netmsg initial SID we
    can do a big optimization - caching the SID and not just the MLS attributes.
    This not only saves a lot of per-packet memory allocations and copies but it
    has a nice side effect of removing a chunk of code.

    Signed-off-by: Paul Moore
    Signed-off-by: James Morris

    Paul Moore
     
  • This patch introduces a mechanism for checking when labeled IPsec or SECMARK
    are in use by introducing a configuration reference counter for each
    subsystem. In the case of labeled IPsec, whenever a labeled SA or SPD entry
    is created the labeled IPsec/XFRM reference count is increased and when the
    entry is removed it is decreased. In the case of SECMARK, when a SECMARK
    target is created the reference count is increased and later decreased when the
    target is removed. These reference counters allow SELinux to quickly determine
    if either of these subsystems are enabled.

    NetLabel already has a similar mechanism which provides the netlbl_enabled()
    function.

    This patch also renames the selinux_relabel_packet_permission() function to
    selinux_secmark_relabel_packet_permission() as the original name and
    description were misleading in that they referenced a single packet label which
    is not the case.

    Signed-off-by: Paul Moore
    Signed-off-by: James Morris

    Paul Moore
     
  • Rework the handling of network peer labels so that the different peer labeling
    subsystems work better together. This includes moving both subsystems to a
    single "peer" object class which involves not only changes to the permission
    checks but an improved method of consolidating multiple packet peer labels.
    As part of this work the inbound packet permission check code has been heavily
    modified to handle both the old and new behavior in as sane a fashion as
    possible.

    Signed-off-by: Paul Moore
    Signed-off-by: James Morris

    Paul Moore
     
  • Add additional Flask definitions to support the new "peer" object class and
    additional permissions to the netif, node, and packet object classes. Also,
    bring the kernel Flask definitions up to date with the Fedora SELinux policies
    by adding the "flow_in" and "flow_out" permissions to the "packet" class.

    Signed-off-by: Paul Moore
    Signed-off-by: James Morris

    Paul Moore
     
  • Add a new policy capabilities bitmap to SELinux policy version 22. This bitmap
    will enable the security server to query the policy to determine which features
    it supports.

    Signed-off-by: Paul Moore
    Signed-off-by: James Morris

    Paul Moore
     
  • This patch adds a SELinux IP address/node SID caching mechanism similar to the
    sel_netif_*() functions. The node SID queries in the SELinux hooks files are
    also modified to take advantage of this new functionality. In addition, remove
    the address length information from the sk_buff parsing routines as it is
    redundant since we already have the address family.

    Signed-off-by: Paul Moore
    Signed-off-by: James Morris

    Paul Moore
     
  • Instead of storing the packet's network interface name store the ifindex. This
    allows us to defer the need to lookup the net_device structure until the audit
    record is generated meaning that in the majority of cases we never need to
    bother with this at all.

    Signed-off-by: Paul Moore
    Signed-off-by: James Morris

    Paul Moore
     
  • The current SELinux netif code requires the caller have a valid net_device
    struct pointer to lookup network interface information. However, we don't
    always have a valid net_device pointer so convert the netif code to use
    the ifindex values we always have as part of the sk_buff. This patch also
    removes the default message SID from the network interface record, it is
    not being used and therefore is "dead code".

    Signed-off-by: Paul Moore
    Signed-off-by: James Morris

    Paul Moore
     
  • In order to do any sort of IP header inspection of incoming packets we need to
    know which address family, AF_INET/AF_INET6/etc., it belongs to and since the
    sk_buff structure does not store this information we need to pass along the
    address family separate from the packet itself.

    Signed-off-by: Paul Moore
    Signed-off-by: James Morris

    Paul Moore
     
  • This patch adds support to the NetLabel LSM secattr struct for a secid token
    and a type field, paving the way for full LSM/SELinux context support and
    "static" or "fallback" labels. In addition, this patch adds a fair amount
    of documentation to the core NetLabel structures used as part of the
    NetLabel kernel API.

    Signed-off-by: Paul Moore
    Signed-off-by: James Morris

    Paul Moore
     

29 Jan, 2008

1 commit

  • The IPv4 and IPv6 hook values are identical, yet some code tries to figure
    out the "correct" value by looking at the address family. Introduce NF_INET_*
    values for both IPv4 and IPv6. The old values are kept in a #ifndef __KERNEL__
    section for userspace compatibility.

    Signed-off-by: Patrick McHardy
    Acked-by: Herbert Xu
    Signed-off-by: David S. Miller

    Patrick McHardy
     

26 Jan, 2008

2 commits

  • The proc net rewrite had a side effect on selinux, leading it to mislabel
    the /proc/net inodes, thereby leading to incorrect denials. Fix
    security_genfs_sid to ignore extra leading / characters in the path supplied
    by selinux_proc_get_sid since we now get "//net/..." rather than "/net/...".

    Signed-off-by: Stephen Smalley
    Signed-off-by: James Morris

    Stephen Smalley
     
  • * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6:
    selinux: make mls_compute_sid always polyinstantiate
    security/selinux: constify function pointer tables and fields
    security: add a secctx_to_secid() hook
    security: call security_file_permission from rw_verify_area
    security: remove security_sb_post_mountroot hook
    Security: remove security.h include from mm.h
    Security: remove security_file_mmap hook sparse-warnings (NULL as 0).
    Security: add get, set, and cloning of superblock security information
    security/selinux: Add missing "space"

    Linus Torvalds
     

25 Jan, 2008

11 commits

  • There is no need for kobject_unregister() anymore, thanks to Kay's
    kobject cleanup changes, so replace all instances of it with
    kobject_put().

    Cc: Kay Sievers
    Signed-off-by: Greg Kroah-Hartman

    Greg Kroah-Hartman
     
  • kernel_kset does not need to be a kset, but a much simpler kobject now
    that we have kobj_attributes.

    We also rename kernel_kset to kernel_kobj to catch all users of this
    symbol with a build error instead of an easy-to-ignore build warning.

    Cc: Kay Sievers
    Signed-off-by: Greg Kroah-Hartman

    Greg Kroah-Hartman
     
  • Dynamically create the kset instead of declaring it statically. We also
    rename kernel_subsys to kernel_kset to catch all users of this symbol
    with a build error instead of an easy-to-ignore build warning.

    Cc: Kay Sievers
    Signed-off-by: Greg Kroah-Hartman

    Greg Kroah-Hartman
     
  • We don't need a kset here, a simple kobject will do just fine, so
    dynamically create the kobject and use it.

    Cc: Kay Sievers
    Acked-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

    Greg Kroah-Hartman
     
  • We don't need a "default" ktype for a kset. We should set this
    explicitly every time for each kset. This change is needed so that we
    can make ksets dynamic, and cleans up one of the odd, undocumented
    assumptions that the kset/kobject/ktype model has.

    This patch is based on a lot of help from Kay Sievers.

    Nasty bug in the block code was found by Dave Young

    Cc: Kay Sievers
    Cc: Dave Young
    Signed-off-by: Greg Kroah-Hartman

    Greg Kroah-Hartman
     
  • This patch removes the requirement that the new and related object types
    differ in order to polyinstantiate by MLS level. This allows MLS
    polyinstantiation to occur in the absence of explicit type_member rules or
    when the type has not changed.

    Potential users of this support include pam_namespace.so (directory
    polyinstantiation) and the SELinux X support (property polyinstantiation).

    Signed-off-by: Eamon Walsh
    Acked-by: Stephen Smalley
    Signed-off-by: James Morris

    Eamon Walsh
     
  • Constify function pointer tables and fields.

    Signed-off-by: Jan Engelhardt
    Signed-off-by: James Morris

    Jan Engelhardt
     
  • Add a secctx_to_secid() LSM hook to go along with the existing
    secid_to_secctx() LSM hook. This patch also includes the SELinux
    implementation for this hook.

    Signed-off-by: Paul Moore
    Acked-by: Stephen Smalley
    Signed-off-by: James Morris

    David Howells
     
  • The security_sb_post_mountroot() hook is long-since obsolete, and is
    fundamentally broken: it is never invoked if someone uses initramfs.
    This is particularly damaging, because the existence of this hook has
    been used as motivation for not using initramfs.

    Stephen Smalley confirmed on 2007-07-19 that this hook was originally
    used by SELinux but can now be safely removed:

    http://marc.info/?l=linux-kernel&m=118485683612916&w=2

    Cc: Stephen Smalley
    Cc: James Morris
    Cc: Eric Paris
    Cc: Chris Wright
    Signed-off-by: H. Peter Anvin
    Signed-off-by: James Morris

    H. Peter Anvin
     
  • Adds security_get_sb_mnt_opts, security_set_sb_mnt_opts, and
    security_clont_sb_mnt_opts to the LSM and to SELinux. This will allow
    filesystems to directly own and control all of their mount options if they
    so choose. This interface deals only with option identifiers and strings so
    it should be generic enough for any LSM which may come in the future.

    Filesystems which pass text mount data around in the kernel (almost all of
    them) need not currently make use of this interface when dealing with
    SELinux since it will still parse those strings as it always has. I assume
    future LSM's would do the same. NFS is the primary FS which does not use
    text mount data and thus must make use of this interface.

    An LSM would need to implement these functions only if they had mount time
    options, such as selinux has context= or fscontext=. If the LSM has no
    mount time options they could simply not implement and let the dummy ops
    take care of things.

    An LSM other than SELinux would need to define new option numbers in
    security.h and any FS which decides to own their own security options would
    need to be patched to use this new interface for every possible LSM. This
    is because it was stated to me very clearly that LSM's should not attempt to
    understand FS mount data and the burden to understand security should be in
    the FS which owns the options.

    Signed-off-by: Eric Paris
    Acked-by: Stephen D. Smalley
    Signed-off-by: James Morris

    Eric Paris
     
  • Add missing space.

    Signed-off-by: Joe Perches
    Signed-off-by: James Morris

    Joe Perches
     

22 Jan, 2008

3 commits


05 Dec, 2007

3 commits

  • On a kernel with CONFIG_SECURITY but without an LSM which implements
    security_file_mmap it is impossible for an application to mmap addresses
    lower than mmap_min_addr. Based on a suggestion from a developer in the
    openwall community this patch adds a check for CAP_SYS_RAWIO. It is
    assumed that any process with this capability can harm the system a lot
    more easily than writing some stuff on the zero page and then trying to
    get the kernel to trip over itself. It also means that programs like X
    on i686 which use vm86 emulation can work even with mmap_min_addr set.

    Signed-off-by: Eric Paris
    Signed-off-by: James Morris

    Eric Paris
     
  • Instead of using f_op to detect dead booleans, check the inode index
    against the number of booleans and check the dentry name against the
    boolean name for that index on reads and writes. This prevents
    incorrect use of a boolean file opened prior to a policy reload while
    allowing valid use of it as long as it still corresponds to the same
    boolean in the policy.

    Signed-off-by: Stephen Smalley
    Signed-off-by: James Morris

    Stephen Smalley
     
  • Do not clear f_op when removing entries since it isn't safe to do.

    Signed-off-by: Stephen Smalley
    Signed-off-by: James Morris

    Stephen Smalley
     

30 Nov, 2007

1 commit

  • An unprivileged process must be able to kill a setuid root program started
    by the same user. This is legacy behavior needed for instance for xinit to
    kill X when the window manager exits.

    When an unprivileged user runs a setuid root program in !SECURE_NOROOT
    mode, fP, fI, and fE are set full on, so pP' and pE' are full on. Then
    cap_task_kill() prevents the user from signaling the setuid root task.
    This is a change in behavior compared to when
    !CONFIG_SECURITY_FILE_CAPABILITIES.

    This patch introduces a special check into cap_task_kill() just to check
    whether a non-root user is signaling a setuid root program started by the
    same user. If so, then signal is allowed.

    Signed-off-by: Serge E. Hallyn
    Cc: Andrew Morgan
    Cc: Stephen Smalley
    Cc: Chris Wright
    Cc: James Morris
    Cc: Casey Schaufler
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Serge E. Hallyn
     

15 Nov, 2007

1 commit

  • Fix http://bugzilla.kernel.org/show_bug.cgi?id=9247

    Allow sigcont to be sent to a process with greater capabilities if it is in
    the same session. Otherwise, a shell from which I've started a root shell
    and done 'suspend' can't be restarted by the parent shell.

    Also don't do file-capabilities signaling checks when uids for the
    processes don't match, since the standard check_kill_permission will have
    done those checks.

    [akpm@linux-foundation.org: coding-style cleanups]
    Signed-off-by: Serge E. Hallyn
    Acked-by: Andrew Morgan
    Cc: Chris Wright
    Tested-by: "Theodore Ts'o"
    Cc: Stephen Smalley
    Cc: "Rafael J. Wysocki"
    Cc: Chris Wright
    Cc: James Morris
    Cc: Stephen Smalley
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Serge E. Hallyn
     

08 Nov, 2007

3 commits