02 May, 2008
1 commit
-
Initial splitoff of the low-level stuff; taken to fdtable.h
Signed-off-by: Al Viro
30 Apr, 2008
4 commits
-
Every implementation of ->task_kill() does nothing when the signal comes from
the kernel. This is correct, but means that check_kill_permission() should
call security_task_kill() only for SI_FROMUSER() case, and we can remove the
same check from ->task_kill() implementations.
(sadly, check_kill_permission() is the last user of signal->session/__session
but we can't s/task_session_nr/task_session/ here).
NOTE: Eric W. Biederman pointed out cap_task_kill() should die, and I think
he is very right.
Signed-off-by: Oleg Nesterov
Cc: "Eric W. Biederman"
Cc: Serge Hallyn
Cc: Roland McGrath
Cc: Casey Schaufler
Cc: David Quigley
Cc: Eric Paris
Cc: Harald Welte
Cc: Pavel Emelyanov
Cc: Stephen Smalley
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
-
Setup the new Audit hooks for Smack. SELinux Audit rule fields are recycled
to avoid `auditd' userspace modifications. Currently only equality testing
is supported on labels acting as a subject (AUDIT_SUBJ_USER) or as an object
(AUDIT_OBJ_USER).
Signed-off-by: Ahmed S. Darwish
Acked-by: Casey Schaufler
-
Make secctx_to_secid() take constant secdata.
Signed-off-by: David Howells
Acked-by: Casey Schaufler
Signed-off-by: James Morris
-
* 'audit.b50' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current:
[PATCH] new predicate - AUDIT_FILETYPE
[patch 2/2] Use find_task_by_vpid in audit code
[patch 1/2] audit: let userspace fully control TTY input auditing
[PATCH 2/2] audit: fix sparse shadowed variable warnings
[PATCH 1/2] audit: move extern declarations to audit.h
Audit: MAINTAINERS update
Audit: increase the maximum length of the key field
Audit: standardize string audit interfaces
Audit: stop deadlock from signals under load
Audit: save audit_backlog_limit audit messages in case auditd comes back
Audit: collect sessionid in netlink messages
Audit: end printk with newline
29 Apr, 2008
13 commits
-
Since these two source files invoke kmalloc(), they should explicitly
include .
Signed-off-by: Robert P. J. Day
Cc: David Howells
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
-
Make the keyring quotas controllable through /proc/sys files:
(*) /proc/sys/kernel/keys/root_maxkeys
/proc/sys/kernel/keys/root_maxbytes
Maximum number of keys that root may have and the maximum total number of
bytes of data that root may have stored in those keys.
(*) /proc/sys/kernel/keys/maxkeys
/proc/sys/kernel/keys/maxbytes
Maximum number of keys that each non-root user may have and the maximum
total number of bytes of data that each of those users may have stored in
their keys.
Also increase the quotas as a number of people have been complaining that it's
not big enough. I'm not sure that it's big enough now either, but on the
other hand, it can now be set in /etc/sysctl.conf.
Signed-off-by: David Howells
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
-
Don't generate the per-UID user and user session keyrings unless they're
explicitly accessed. This solves a problem during a login process whereby
set*uid() is called before the SELinux PAM module, resulting in the per-UID
keyrings having the wrong security labels.
This also cures the problem of multiple per-UID keyrings sometimes appearing
due to PAM modules (including pam_keyinit) setuiding and causing user_structs
to come into and go out of existence whilst the session keyring pins the user
keyring. This is achieved by first searching for extant per-UID keyrings
before inventing new ones.
The serial bound argument is also dropped from find_keyring_by_name() as it's
not currently made use of (setting it to 0 disables the feature).
Signed-off-by: David Howells
Cc: Stephen Smalley
Cc: James Morris
Cc: Chris Wright
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
-
The key_create_or_update() function provided by the keyring code has a default
set of permissions that are always applied to the key when created. This
might not be desirable to all clients.
Here's a patch that adds a "perm" parameter to the function to address this,
which can be set to KEY_PERM_UNDEF to revert to the current behaviour.
Signed-off-by: Arun Raghavan
Signed-off-by: David Howells
Cc: Satyam Sharma
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
-
Signed-off-by: Alexey Dobriyan
Cc: David Howells
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
-
Add a keyctl() function to get the security label of a key.
The following is added to Documentation/keys.txt:
(*) Get the LSM security context attached to a key.
long keyctl(KEYCTL_GET_SECURITY, key_serial_t key, char *buffer,
size_t buflen)
This function returns a string that represents the LSM security context
attached to a key in the buffer provided.
Unless there's an error, it always returns the amount of data it could
produce, even if that's too big for the buffer, but it won't copy more
than requested to userspace. If the buffer pointer is NULL then no copy
will take place.
A NUL character is included at the end of the string if the buffer is
sufficiently big. This is included in the returned count. If no LSM is
in force then an empty string will be returned.
A process must have view permission on the key for this function to be
successful.
[akpm@linux-foundation.org: declare keyctl_get_security()]
Signed-off-by: David Howells
Acked-by: Stephen Smalley
Cc: Paul Moore
Cc: Chris Wright
Cc: James Morris
Cc: Kevin Coffman
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
-
Allow the callout data to be passed as a blob rather than a string for
internal kernel services that call any request_key_*() interface other than
request_key(). request_key() itself still takes a NUL-terminated string.
The functions that change are:
request_key_with_auxdata()
request_key_async()
request_key_async_with_auxdata()
Signed-off-by: David Howells
Cc: Paul Moore
Cc: Chris Wright
Cc: Stephen Smalley
Cc: James Morris
Cc: Kevin Coffman
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
-
Check the starting keyring as part of the search to (a) see if that is what
we're searching for, and (b) to check it is still valid for searching.
The scenario: User in process A does things that cause things to be created in
its process session keyring. The user then does an su to another user and
starts a new process, B. The two processes now share the same process session
keyring.
Process B does an NFS access which results in an upcall to gssd. When gssd
attempts to instantiate the context key (to be linked into the process session
keyring), it is denied access even though it has an authorization key.
The order of calls is:
keyctl_instantiate_key()
lookup_user_key() (the default: case)
search_process_keyrings(current)
search_process_keyrings(rka->context) (recursive call)
keyring_search_aux()
keyring_search_aux() verifies the keys and keyrings underneath the top-level
keyring it is given, but that top-level keyring is neither fully validated nor
checked to see if it is the thing being searched for.
This patch changes keyring_search_aux() to:
1) do more validation on the top keyring it is given and
2) check whether that top-level keyring is the thing being searched for
Signed-off-by: Kevin Coffman
Signed-off-by: David Howells
Cc: Paul Moore
Cc: Chris Wright
Cc: Stephen Smalley
Cc: James Morris
Cc: Kevin Coffman
Cc: Trond Myklebust
Cc: "J. Bruce Fields"
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
-
Increase the size of a payload that can be used to instantiate a key in
add_key() and keyctl_instantiate_key(). This permits huge CIFS SPNEGO blobs
to be passed around. The limit is raised to 1MB. If kmalloc() can't allocate
a buffer of sufficient size, vmalloc() will be tried instead.
Signed-off-by: David Howells
Cc: Paul Moore
Cc: Chris Wright
Cc: Stephen Smalley
Cc: James Morris
Cc: Kevin Coffman
Cc: Steven French
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
-
Introduce a read_seq() helper in cftype, which uses seq_file to print out
lists. Use it in the devices cgroup. Also split devices.allow into two
files, so now devices.deny and devices.allow are the ones to use to manipulate
the whitelist, while devices.list outputs the cgroup's current whitelist.
Signed-off-by: Serge E. Hallyn
Acked-by: Paul Menage
Cc: Balbir Singh
Cc: KAMEZAWA Hiroyuki
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
-
Implement a cgroup to track and enforce open and mknod restrictions on device
files. A device cgroup associates a device access whitelist with each cgroup.
A whitelist entry has 4 fields. 'type' is a (all), c (char), or b (block).
'all' means it applies to all types and all major and minor numbers. Major
and minor are either an integer or * for all. Access is a composition of r
(read), w (write), and m (mknod).
The root device cgroup starts with rwm to 'all'. A child devcg gets a copy of
the parent. Admins can then remove devices from the whitelist or add new
entries. A child cgroup can never receive a device access which is denied its
parent. However when a device access is removed from a parent it will not
also be removed from the child(ren).
An entry is added using devices.allow, and removed using
devices.deny. For instance
echo 'c 1:3 mr' > /cgroups/1/devices.allow
allows cgroup 1 to read and mknod the device usually known as
/dev/null. Doing
echo a > /cgroups/1/devices.deny
will remove the default 'a *:* mrw' entry.
CAP_SYS_ADMIN is needed to change permissions or move another task to a new
cgroup. A cgroup may not be granted more permissions than the cgroup's parent
has. Any task can move itself between cgroups. This won't be sufficient, but
we can decide the best way to adequately restrict movement later.
[akpm@linux-foundation.org: coding-style fixes]
[akpm@linux-foundation.org: fix may-be-used-uninitialized warning]
Signed-off-by: Serge E. Hallyn
Acked-by: James Morris
Looks-good-to: Pavel Emelyanov
Cc: Daniel Hokka Zakrisson
Cc: Li Zefan
Cc: Paul Menage
Cc: Balbir Singh
Cc: KAMEZAWA Hiroyuki
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
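The whitelist rules in the devices cgroup commit above, worked as an added example (not kernel code and not part of the commit): a small Python model that parses "type major:minor access" lines, answers open/mknod checks, refuses a child entry that exceeds what its parent holds, and shows a parent's deny leaving the child's copy untouched. How a partial deny is applied to an existing entry is this model's own assumption.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Entry:                    # one "type major:minor access" whitelist line
    dtype: str                  # 'a' (all), 'c' (char) or 'b' (block)
    major: Optional[int]        # None stands for '*'
    minor: Optional[int]
    access: set                 # subset of {'r', 'w', 'm'}

def parse_entry(text: str) -> Entry:
    """Parse one line as written to devices.allow or devices.deny."""
    parts = text.split()
    if parts == ['a']:                          # bare "a" means 'a *:* rwm'
        return Entry('a', None, None, set('rwm'))
    if len(parts) != 3 or parts[0] not in ('a', 'c', 'b') or set(parts[2]) - set('rwm'):
        raise ValueError(f'bad whitelist entry: {text!r}')
    major, minor = (None if t == '*' else int(t) for t in parts[1].split(':'))
    return Entry(parts[0], major, minor, set(parts[2]))

def covers(p: Entry, e: Entry) -> bool:
    """True if p's type and major:minor are at least as general as e's."""
    return (p.dtype in ('a', e.dtype) and p.major in (None, e.major)
            and p.minor in (None, e.minor))

class DevCgroup:
    def __init__(self, parent: 'Optional[DevCgroup]' = None):
        self.parent = parent    # root starts with rwm to 'all'; child copies parent
        src = parent.whitelist if parent else [Entry('a', None, None, set('rwm'))]
        self.whitelist = [Entry(e.dtype, e.major, e.minor, set(e.access)) for e in src]

    def may_access(self, dtype: str, major: int, minor: int, acc: str) -> bool:
        """open()/mknod() check: one entry must cover the device and all bits."""
        want = Entry(dtype, major, minor, set(acc))
        return any(covers(w, want) and want.access <= w.access for w in self.whitelist)

    def allow(self, text: str) -> bool:
        """Add an entry; refused (False) when it exceeds what the parent holds."""
        e = parse_entry(text)
        if self.parent and not any(covers(p, e) and e.access <= p.access
                                   for p in self.parent.whitelist):
            return False        # a child never gets an access denied to its parent
        self.whitelist.append(e)
        return True

    def deny(self, text: str) -> None:
        # Model assumption: a deny strips its bits from every entry it covers;
        # children hold their own copies, so a parent's deny never reaches them.
        e = parse_entry(text)
        for w in self.whitelist:
            if covers(e, w):
                w.access -= e.access
        self.whitelist = [w for w in self.whitelist if w.access]

def demo() -> dict:
    # Replay the commit message's example: root -> cgroup 1 -> a child of it.
    cg1 = DevCgroup(DevCgroup())
    cg1.deny('a')                            # echo a > devices.deny
    cg1.allow('c 1:3 mr')                    # echo 'c 1:3 mr' > devices.allow
    child = DevCgroup(cg1)
    out = {'null_read': cg1.may_access('c', 1, 3, 'r'),
           'null_write': cg1.may_access('c', 1, 3, 'w'),
           'child_escalated': child.allow('c 1:3 rw')}   # more than parent has
    cg1.deny('c 1:3 r')                      # parent loses 'r', child keeps it
    out['child_keeps_read'] = child.may_access('c', 1, 3, 'r')
    out['parent_lost_read'] = cg1.may_access('c', 1, 3, 'r')
    return out
```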
-
Add missing consts to xattr function arguments.
Signed-off-by: David Howells
Cc: Andreas Gruenbacher
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
-
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6:
SELinux: Fix a RCU free problem with the netport cache
SELinux: Made netnode cache adds faster
SELinux: include/security.h whitespace, syntax, and other cleanups
SELinux: policydb.h whitespace, syntax, and other cleanups
SELinux: mls_types.h whitespace, syntax, and other cleanups
SELinux: mls.h whitespace, syntax, and other cleanups
SELinux: hashtab.h whitespace, syntax, and other cleanups
SELinux: context.h whitespace, syntax, and other cleanups
SELinux: ss/conditional.h whitespace, syntax, and other cleanups
SELinux: selinux/include/security.h whitespace, syntax, and other cleanups
SELinux: objsec.h whitespace, syntax, and other cleanups
SELinux: netlabel.h whitespace, syntax, and other cleanups
SELinux: avc_ss.h whitespace, syntax, and other cleanups
Fixed up conflict in include/linux/security.h manually
28 Apr, 2008
19 commits
-
With the introduction of per-process securebits, the capabilities-related
prctl callbacks were moved into cap_task_prctl(). Have smack use
cap_task_prctl() so that PR_SET_KEEPCAPS is defined.
Signed-off-by: Serge E. Hallyn
Acked-by: Casey Schaufler
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
-
The functions smk_cipso_doi and smk_unlbl_ambient are not used outside
smackfs.c and should hence be static.
Signed-off-by: Casey Schaufler
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
-
With the introduction of per-process securebits, the capabilities-related
prctl callbacks were moved into cap_task_prctl(). Have root_plug use
cap_task_prctl() so that PR_SET_KEEPCAPS is defined.
Signed-off-by: Serge E. Hallyn
Acked-by: Greg Kroah-Hartman
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
-
security/smack/smack_lsm.c:1257:16: warning: Using plain integer as NULL pointer
Signed-off-by: Harvey Harrison
Acked-by: Casey Schaufler
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
-
Filesystem capability support makes it possible to do away with (set)uid-0
based privilege and use capabilities instead. That is, with filesystem
support for capabilities but without this present patch, it is (conceptually)
possible to manage a system with capabilities alone and never need to obtain
privilege via (set)uid-0.
Of course, conceptually isn't quite the same as currently possible since few
user applications, certainly not enough to run a viable system, are currently
prepared to leverage capabilities to exercise privilege. Further, many
applications exist that may never get upgraded in this way, and the kernel
will continue to want to support their setuid-0 base privilege needs.
Where pure-capability applications evolve and replace setuid-0 binaries, it is
desirable that there be a mechanism by which they can contain their
privilege. In addition to leveraging the per-process bounding and inheritable
sets, this should include suppressing the privilege of the uid-0 superuser
from the process' tree of children.
The feature added by this patch can be leveraged to suppress the privilege
associated with (set)uid-0. This suppression requires CAP_SETPCAP to
initiate, and only immediately affects the 'current' process (it is inherited
through fork()/exec()). This reimplementation differs significantly from the
historical support for securebits which was system-wide, unwieldy and which
has ultimately withered to a dead relic in the source of the modern kernel.
With this patch applied a process, that is capable(CAP_SETPCAP), can now drop
all legacy privilege (through uid=0) for itself and all subsequently
fork()'d/exec()'d children with:
prctl(PR_SET_SECUREBITS, 0x2f);
This patch represents a no-op unless CONFIG_SECURITY_FILE_CAPABILITIES is
enabled at configure time.
[akpm@linux-foundation.org: fix uninitialised var warning]
[serue@us.ibm.com: capabilities: use cap_task_prctl when !CONFIG_SECURITY]
Signed-off-by: Andrew G. Morgan
Acked-by: Serge Hallyn
Reviewed-by: James Morris
Cc: Stephen Smalley
Cc: Paul Moore
Signed-off-by: Serge E. Hallyn
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
-
This patch standardized the string auditing interfaces. No userspace
changes will be visible and this is all just cleanup and consistency
work. We have the following string audit interfaces to use:
void audit_log_n_hex(struct audit_buffer *ab, const unsigned char *buf, size_t len);
void audit_log_n_string(struct audit_buffer *ab, const char *buf, size_t n);
void audit_log_string(struct audit_buffer *ab, const char *buf);
void audit_log_n_untrustedstring(struct audit_buffer *ab, const char *string, size_t n);
void audit_log_untrustedstring(struct audit_buffer *ab, const char *string);
This may be the first step to possibly fixing some of the issues that
people have with the string output from the kernel audit system. But we
still don't have an agreed upon solution to that problem.
Signed-off-by: Eric Paris
Signed-off-by: Al Viro
-
Previously I added sessionid output to all audit messages where it was
available but we still didn't know the sessionid of the sender of
netlink messages. This patch adds that information to netlink messages
so we can audit who sent netlink messages.
Signed-off-by: Eric Paris
Signed-off-by: Al Viro
-
The netport cache doesn't free resources in a manner which is safe or orderly.
This patch fixes this by adding in a missing call to rcu_dereference() in
sel_netport_insert() as well as some general cleanup throughout the file.
Signed-off-by: Paul Moore
Signed-off-by: James Morris
-
When adding new entries to the network node cache we would walk the entire
hash bucket to make sure we didn't cross a threshold (done to bound the
cache size). This isn't a very quick or elegant solution for something
which is supposed to be quick-ish so add a counter to each hash bucket to
track the size of the bucket and eliminate the need to walk the entire
bucket list on each add.
Signed-off-by: Paul Moore
Signed-off-by: James Morris
-
This patch changes policydb.h to fix whitespace and syntax issues. Things that
are fixed may include (does not have to include)
spaces followed by tabs
spaces used instead of tabs
location of * in pointer declarations
Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
This patch changes mls_types.h to fix whitespace and syntax issues. Things that
are fixed may include (does not have to include)
spaces used instead of tabs
Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
This patch changes mls.h to fix whitespace and syntax issues. Things that
are fixed may include (does not have to include)
spaces used instead of tabs
Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
This patch changes hashtab.h to fix whitespace and syntax issues. Things that
are fixed may include (does not have to include)
spaces used instead of tabs
Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
This patch changes context.h to fix whitespace and syntax issues. Things that
are fixed may include (does not have to include)
include spaces around , in function calls
Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
This patch changes ss/conditional.h to fix whitespace and syntax issues. Things that
are fixed may include (does not have to include)
location of * in pointer declarations
Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
This patch changes selinux/include/security.h to fix whitespace and syntax issues. Things that
are fixed may include (does not have to include)
whitespace at end of lines
spaces followed by tabs
spaces used instead of tabs
spacing around parenthesis
location of { around structs and else clauses
location of * in pointer declarations
removal of initialization of static data to keep it in the right section
useless {} in if statements
useless checking for NULL before kfree
fixing of the indentation depth of switch statements
no assignments in if statements
and any number of other things I forgot to mention
Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
This patch changes objsec.h to fix whitespace and syntax issues. Things that
are fixed may include (does not have to include)
whitespace at end of lines
spaces followed by tabs
spaces used instead of tabs
spacing around parenthesis
location of { around structs and else clauses
location of * in pointer declarations
removal of initialization of static data to keep it in the right section
useless {} in if statements
useless checking for NULL before kfree
fixing of the indentation depth of switch statements
no assignments in if statements
and any number of other things I forgot to mention
Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
This patch changes netlabel.h to fix whitespace and syntax issues. Things that
are fixed may include (does not have to include)
spaces used instead of tabs
Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
This patch changes avc_ss.h to fix whitespace and syntax issues. Things that
are fixed may include (does not have to include)
whitespace at end of lines
spaces followed by tabs
spaces used instead of tabs
spacing around parenthesis
location of { around structs and else clauses
location of * in pointer declarations
removal of initialization of static data to keep it in the right section
useless {} in if statements
useless checking for NULL before kfree
fixing of the indentation depth of switch statements
no assignments in if statements
and any number of other things I forgot to mention
Signed-off-by: Eric Paris
Signed-off-by: James Morris
23 Apr, 2008
1 commit
-
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6:
[PATCH] get rid of __exit_files(), __exit_fs() and __put_fs_struct()
[PATCH] proc_readfd_common() race fix
[PATCH] double-free of inode on alloc_file() failure exit in create_write_pipe()
[PATCH] teach seq_file to discard entries
[PATCH] umount_tree() will unhash everything itself
[PATCH] get rid of more nameidata passing in namespace.c
[PATCH] switch a bunch of LSM hooks from nameidata to path
[PATCH] lock exclusively in collect_mounts() and drop_collected_mounts()
[PATCH] move a bunch of declarations to fs/internal.h
22 Apr, 2008
2 commits
-
The attached patch needs to move from -rt to mainline given preemptable RCU.
This patch fixes SELinux code that implicitly assumes that disabling
preemption prevents an RCU grace period from completing, an assumption that
is valid for Classic RCU, but not necessarily for preemptable RCU. Explicit
rcu_read_lock() calls are thus added.
Signed-off-by: Paul E. McKenney
Acked-by: Steven Rostedt
Signed-off-by: James Morris
-
Namely, ones from namespace.c
Signed-off-by: Al Viro