02 Aug, 2010
23 commits
-
Current selinux policy can have over 3000 types. The type_attr_map in
policy is an array sized by the number of types times sizeof(struct ebitmap)
(12 on x86_64). Basic math tells us the array is going to be of length
3000 x 12 = 36,000 bytes. The largest 'safe' allocation on a long running
system is 16k. Most of the time a 32k allocation will work. But on long
running systems a 64k allocation (what we need) can fail quite regularly.
In order to deal with this I am converting the type_attr_map to use
flex_arrays. Let the library code deal with breaking this into PAGE_SIZE
pieces.-v2
rework some of the if(!obj) BUG() to be BUG_ON(!obj)
drop flex_array_put() calls and just use a _get() object directly-v3
make apply to James' tree (drop the policydb_write changes)Signed-off-by: Eric Paris
Acked-by: Stephen D. Smalley
Signed-off-by: James Morris -
execmod "could" show up on non regular files and non chr files. The current
implementation would actually make these checks against non-existant bits
since the code assumes the execmod permission is same for all file types.
To make this line up for chr files we had to define execute_no_trans and
entrypoint permissions. These permissions are unreachable and only existed
to to make FILE__EXECMOD and CHR_FILE__EXECMOD the same. This patch drops
those needless perms as well.Signed-off-by: Eric Paris
Acked-by: Stephen D. Smalley
Signed-off-by: James Morris -
kernel can dynamically remap perms. Drop the open lookup table and put open
in the common file perms.Signed-off-by: Eric Paris
Acked-by: Stephen D. Smalley
Signed-off-by: James Morris -
Currently there are a number of applications (nautilus being the main one) which
calls access() on files in order to determine how they should be displayed. It
is normal and expected that nautilus will want to see if files are executable
or if they are really read/write-able. access() should return the real
permission. SELinux policy checks are done in access() and can result in lots
of AVC denials as policy denies RWX on files which DAC allows. Currently
SELinux must dontaudit actual attempts to read/write/execute a file in
order to silence these messages (and not flood the logs.) But dontaudit rules
like that can hide real attacks. This patch addes a new common file
permission audit_access. This permission is special in that it is meaningless
and should never show up in an allow rule. Instead the only place this
permission has meaning is in a dontaudit rule like so:dontaudit nautilus_t sbin_t:file audit_access
With such a rule if nautilus just checks access() we will still get denied and
thus userspace will still get the correct answer but we will not log the denial.
If nautilus attempted to actually perform one of the forbidden actions
(rather than just querying access(2) about it) we would still log a denial.
This type of dontaudit rule should be used sparingly, as it could be a
method for an attacker to probe the system permissions without detection.Signed-off-by: Eric Paris
Acked-by: Stephen D. Smalley
Signed-off-by: James Morris -
SELinux needs to pass the MAY_ACCESS flag so it can handle auditting
correctly. Presently the masking of MAY_* flags is done in the VFS. In
order to allow LSMs to decide what flags they care about and what flags
they don't just pass them all and the each LSM mask off what they don't
need. This patch should contain no functional changes to either the VFS or
any LSM.Signed-off-by: Eric Paris
Acked-by: Stephen D. Smalley
Signed-off-by: James Morris -
Move the reading of ocontext type data out of policydb_read() in a separate
function ocontext_read()Signed-off-by: Eric Paris
Acked-by: Stephen D. Smalley
Signed-off-by: James Morris -
move genfs read functionality out of policydb_read() and into a new
function called genfs_read()Signed-off-by: Eric Paris
Acked-by: Stephen D. Smalley
Signed-off-by: James Morris -
hashtab_create() only returns NULL on allocation failures to -ENOMEM is
appropriate here.Signed-off-by: Dan Carpenter
Acked-by: Eric Paris
Acked-by: Stephen D. Smalley
Signed-off-by: James Morris -
The original code always returned -1 (-EPERM) on error. The new code
returns either -ENOMEM, or -EINVAL or it propagates the error codes from
lower level functions next_entry() or hashtab_insert().next_entry() returns -EINVAL.
hashtab_insert() returns -EINVAL, -EEXIST, or -ENOMEM.Signed-off-by: Dan Carpenter
Acked-by: Stephen D. Smalley
Signed-off-by: James Morris -
It's better to propagate the error code from avtab_init() instead of
returning -1 (-EPERM). It turns out that avtab_init() never fails so
this patch doesn't change how the code runs but it's still a clean up.Signed-off-by: Dan Carpenter
Acked-by: Stephen D. Smalley
Signed-off-by: James Morris -
Originally cond_read_node() returned -1 (-EPERM) on errors which was
incorrect. Now it either propagates the error codes from lower level
functions next_entry() or cond_read_av_list() or it returns -ENOMEM or
-EINVAL.next_entry() returns -EINVAL.
cond_read_av_list() returns -EINVAL or -ENOMEM.Signed-off-by: Dan Carpenter
Acked-by: Stephen D. Smalley
Signed-off-by: James Morris -
After this patch cond_read_av_list() no longer returns -1 for any
errors. It just propagates error code back from lower levels. Those can
either be -EINVAL or -ENOMEM.I also modified cond_insertf() since cond_read_av_list() passes that as a
function pointer to avtab_read_item(). It isn't used anywhere else.Signed-off-by: Dan Carpenter
Acked-by: Stephen D. Smalley
Signed-off-by: James Morris -
These are passed back when the security module gets loaded.
The original code always returned -1 (-EPERM) on error but after this
patch it can return -EINVAL, or -ENOMEM or propagate the error code from
cond_read_node(). cond_read_node() still returns -1 all the time, but I
fix that in a later patch.Signed-off-by: Dan Carpenter
Acked-by: Stephen D. Smalley
Signed-off-by: James Morris -
The avtab_read_item() function tends to return -1 as a default error
code which is wrong (-1 means -EPERM). I modified it to return
appropriate error codes which is -EINVAL or the error code from
next_entry() or insertf().next_entry() returns -EINVAL.
insertf() is a function pointer to either avtab_insert() or
cond_insertf().
avtab_insert() returns -EINVAL, -ENOMEM, and -EEXIST.
cond_insertf() currently returns -1, but I will fix it in a later patch.There is code in avtab_read() which translates the -1 returns from
avtab_read_item() to -EINVAL. The translation is no longer needed, so I
removed it.Signed-off-by: Dan Carpenter
Acked-by: Stephen D. Smalley
Signed-off-by: James Morris -
The default for llseek will change to no_llseek,
so selinuxfs needs to add explicit .llseek
assignments. Since we're dealing with regular
files from a VFS perspective, use generic_file_llseek.Signed-off-by: Arnd Bergmann
Cc: Stephen Smalley
Cc: Eric Paris
Signed-off-by: James Morris -
Make the security extended attributes names global. Updated to move
the remaining Smack xattrs.Signed-off-by: Mimi Zohar
Acked-by: Serge Hallyn
Signed-off-by: James Morris -
There were a number of places using the following code pattern:
struct cred *cred = current_cred();
struct task_security_struct *tsec = cred->security;... which were simplified to the following:
struct task_security_struct *tsec = current_security();
Signed-off-by: Paul Moore
Acked-by: Eric Paris
Signed-off-by: James Morris -
At present, the socket related access controls use a mix of inode and
socket labels; while there should be no practical difference (they
_should_ always be the same), it makes the code more confusing. This
patch attempts to convert all of the socket related access control
points (with the exception of some of the inode/fd based controls) to
use the socket's own label. In the process, I also converted the
socket_has_perm() function to take a 'sock' argument instead of a
'socket' since that was adding a bit more overhead in some cases.Signed-off-by: Paul Moore
Acked-by: Eric Paris
Signed-off-by: James Morris -
The sk_alloc_security() and sk_free_security() functions were only being
called by the selinux_sk_alloc_security() and selinux_sk_free_security()
functions so we just move the guts of the alloc/free routines to the
callers and eliminate a layer of indirection.Signed-off-by: Paul Moore
Acked-by: Eric Paris
Signed-off-by: James Morris -
Consolidate the basic sockcreate_sid logic into a single helper function
which allows us to do some cleanups in the related code.Signed-off-by: Paul Moore
Acked-by: Eric Paris
Signed-off-by: James Morris -
Correct a problem where we weren't setting the peer label correctly on
the client end of a pair of connected UNIX sockets.Signed-off-by: Paul Moore
Acked-by: Eric Paris
Signed-off-by: James Morris -
Move the range transition rule to a separate function, range_read(), rather
than doing it all in policydb_read()Signed-off-by: Eric Paris
Acked-by: Stephen Smalley
Signed-off-by: James Morris -
Remove all rcu head inits. We don't care about the RCU head state before passing
it to call_rcu() anyway. Only leave the "on_stack" variants so debugobjects can
keep track of objects on stack.Signed-off-by: Mathieu Desnoyers
Signed-off-by: Paul E. McKenney
Cc: Stephen Smalley
Reviewed-by: James Morris
Cc: Eric Paris
Signed-off-by: James Morris
22 May, 2010
1 commit
-
... kill their private list, while we are at it
Signed-off-by: Al Viro
17 May, 2010
1 commit
-
Use kstrdup when the goal of an allocation is copy a string into the
allocated region.The semantic patch that makes this change is as follows:
(http://coccinelle.lip6.fr/)//
@@
expression from,to;
expression flag,E1,E2;
statement S;
@@- to = kmalloc(strlen(from) + 1,flag);
+ to = kstrdup(from, flag);
... when != \(from = E1 \| to = E1 \)
if (to==NULL || ...) S
... when != \(from = E2 \| to = E2 \)
- strcpy(to, from);
//Signed-off-by: Julia Lawall
Acked-by: Eric Paris
Signed-off-by: James Morris
06 May, 2010
1 commit
29 Apr, 2010
1 commit
-
On Tue, 2010-04-27 at 11:47 -0700, David Miller wrote:
> From: "Tom \"spot\" Callaway"
> Date: Tue, 27 Apr 2010 14:20:21 -0400
>
> > [root@apollo ~]$ cat /proc/2174/maps
> > 00010000-00014000 r-xp 00000000 fd:00 15466577
> > /sbin/mingetty
> > 00022000-00024000 rwxp 00002000 fd:00 15466577
> > /sbin/mingetty
> > 00024000-00046000 rwxp 00000000 00:00 0
> > [heap]
>
> SELINUX probably barfs on the executable heap, the PLT is in the HEAP
> just like powerpc32 and that's why VM_DATA_DEFAULT_FLAGS has to set
> both executable and writable.
>
> You also can't remove the CONFIG_PPC32 ifdefs in selinux, since
> because of the VM_DATA_DEFAULT_FLAGS setting used still in that arch,
> the heap will always have executable permission, just like sparc does.
> You have to support those binaries forever, whether you like it or not.
>
> Let's just replace the CONFIG_PPC32 ifdef in SELINUX with CONFIG_PPC32
> || CONFIG_SPARC as in Tom's original patch and let's be done with
> this.
>
> In fact I would go through all the arch/ header files and check the
> VM_DATA_DEFAULT_FLAGS settings and add the necessary new ifdefs to the
> SELINUX code so that other platforms don't have the pain of having to
> go through this process too.To avoid maintaining per-arch ifdefs, it seems that we could just
directly use (VM_DATA_DEFAULT_FLAGS & VM_EXEC) as the basis for deciding
whether to enable or disable these checks. VM_DATA_DEFAULT_FLAGS isn't
constant on some architectures but instead depends on
current->personality, but we want this applied uniformly. So we'll just
use the initial task state to determine whether or not to enable these
checks.Signed-off-by: Stephen Smalley
Acked-by: David S. Miller
Signed-off-by: James Morris
28 Apr, 2010
1 commit
-
Most of the LSM common audit work uses LSM_AUDIT_DATA_* for the naming.
This was not so for LSM_AUDIT_NO_AUDIT which means the generic initializer
cannot be used. This patch just renames the flag so the generic
initializer can be used.Signed-off-by: Eric Paris
Signed-off-by: James Morris
21 Apr, 2010
1 commit
-
policy load failure always return EINVAL even if the failure was for some
other reason (usually ENOMEM). This patch passes error codes back up the
stack where they will make their way to userspace. This might help in
debugging future problems with policy load.Signed-off-by: Eric Paris
Acked-by: Stephen Smalley
Signed-off-by: James Morris
15 Apr, 2010
1 commit
-
Reduce MAX_AVTAB_HASH_BITS so that the avtab allocation is an order 2
allocation rather than an order 4 allocation on x86_64. This
addresses reports of page allocation failures:
http://marc.info/?l=selinux&m=126757230625867&w=2
https://bugzilla.redhat.com/show_bug.cgi?id=570433Reported-by: Russell Coker
Signed-off-by: Stephen D. Smalley
Acked-by: Eric Paris
Signed-off-by: James Morris
09 Apr, 2010
1 commit
-
Fix coding style in security/
Signed-off-by: Zhitong Wang
Signed-off-by: James Morris
08 Apr, 2010
1 commit
-
trying to grep everything that messes with a sk_security_struct isn't easy
since we don't always call it sksec. Just rename everything sksec.Signed-off-by: Eric Paris
Signed-off-by: James Morris
31 Mar, 2010
1 commit
30 Mar, 2010
1 commit
-
…it slab.h inclusion from percpu.h
percpu.h is included by sched.h and module.h and thus ends up being
included when building most .c files. percpu.h includes slab.h which
in turn includes gfp.h making everything defined by the two files
universally available and complicating inclusion dependencies.percpu.h -> slab.h dependency is about to be removed. Prepare for
this change by updating users of gfp and slab facilities include those
headers directly instead of assuming availability. As this conversion
needs to touch large number of source files, the following script is
used as the basis of conversion.http://userweb.kernel.org/~tj/misc/slabh-sweep.py
The script does the followings.
* Scan files for gfp and slab usages and update includes such that
only the necessary includes are there. ie. if only gfp is used,
gfp.h, if slab is used, slab.h.* When the script inserts a new include, it looks at the include
blocks and try to put the new include such that its order conforms
to its surrounding. It's put in the include block which contains
core kernel includes, in the same order that the rest are ordered -
alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
doesn't seem to be any matching order.* If the script can't find a place to put a new include (mostly
because the file doesn't have fitting include block), it prints out
an error message indicating which .h file needs to be added to the
file.The conversion was done in the following steps.
1. The initial automatic conversion of all .c files updated slightly
over 4000 files, deleting around 700 includes and adding ~480 gfp.h
and ~3000 slab.h inclusions. The script emitted errors for ~400
files.2. Each error was manually checked. Some didn't need the inclusion,
some needed manual addition while adding it to implementation .h or
embedding .c file was more appropriate for others. This step added
inclusions to around 150 files.3. The script was run again and the output was compared to the edits
from #2 to make sure no file was left behind.4. Several build tests were done and a couple of problems were fixed.
e.g. lib/decompress_*.c used malloc/free() wrappers around slab
APIs requiring slab.h to be added manually.5. The script was run on all .h files but without automatically
editing them as sprinkling gfp.h and slab.h inclusions around .h
files could easily lead to inclusion dependency hell. Most gfp.h
inclusion directives were ignored as stuff from gfp.h was usually
wildly available and often used in preprocessor macros. Each
slab.h inclusion directive was examined and added manually as
necessary.6. percpu.h was updated not to include slab.h.
7. Build test were done on the following configurations and failures
were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my
distributed build env didn't work with gcov compiles) and a few
more options had to be turned off depending on archs to make things
build (like ipr on powerpc/64 which failed due to missing writeq).* x86 and x86_64 UP and SMP allmodconfig and a custom test config.
* powerpc and powerpc64 SMP allmodconfig
* sparc and sparc64 SMP allmodconfig
* ia64 SMP allmodconfig
* s390 SMP allmodconfig
* alpha SMP allmodconfig
* um on x86_64 SMP allmodconfig8. percpu.h modifications were reverted so that it could be applied as
a separate patch and serve as bisection point.Given the fact that I had only a couple of failures from tests on step
6, I'm fairly confident about the coverage of this conversion patch.
If there is a breakage, it's likely to be something in one of the arch
headers which should be easily discoverable easily on most builds of
the specific arch.Signed-off-by: Tejun Heo <tj@kernel.org>
Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
16 Mar, 2010
1 commit
-
Reduce MAX_AVTAB_HASH_BITS so that the avtab allocation is an order 2
allocation rather than an order 4 allocation on x86_64. This
addresses reports of page allocation failures:
http://marc.info/?l=selinux&m=126757230625867&w=2
https://bugzilla.redhat.com/show_bug.cgi?id=570433Reported-by: Russell Coker
Signed-off-by: Stephen D. Smalley
Acked-by: Eric Paris
Signed-off-by: James Morris
09 Mar, 2010
1 commit
08 Mar, 2010
2 commits
-
Conflicts:
Documentation/filesystems/proc.txt
arch/arm/mach-u300/include/mach/debug-macro.S
drivers/net/qlge/qlge_ethtool.c
drivers/net/qlge/qlge_main.c
drivers/net/typhoon.c -
Several places strings tables are used that should be declared
const.Signed-off-by: Stephen Hemminger
Signed-off-by: James Morris
04 Mar, 2010
1 commit
-
skbuff.h is already included by netlink.h, so remove it.
Signed-off-by: Zhitong Wang
Signed-off-by: James Morris
03 Mar, 2010
1 commit
-
slab.h is unused in symtab.c, so remove it.
Signed-off-by: Zhitong Wang
Signed-off-by: James Morris