21 Jun, 2006

2 commits

  • * 'audit.b21' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current: (25 commits)
    [PATCH] make set_loginuid obey audit_enabled
    [PATCH] log more info for directory entry change events
    [PATCH] fix AUDIT_FILTER_PREPEND handling
    [PATCH] validate rule fields' types
    [PATCH] audit: path-based rules
    [PATCH] Audit of POSIX Message Queue Syscalls v.2
    [PATCH] fix se_sen audit filter
    [PATCH] deprecate AUDIT_POSSBILE
    [PATCH] inline more audit helpers
    [PATCH] proc_loginuid_write() uses simple_strtoul() on non-terminated array
    [PATCH] update of IPC audit record cleanup
    [PATCH] minor audit updates
    [PATCH] fix audit_krule_to_{rule,data} return values
    [PATCH] add filtering by ppid
    [PATCH] log ppid
    [PATCH] collect sid of those who send signals to auditd
    [PATCH] execve argument logging
    [PATCH] fix deadlocks in AUDIT_LIST/AUDIT_LIST_RULES
    [PATCH] audit_panic() is audit-internal
    [PATCH] inotify (5/5): update kernel documentation
    ...

    Manual fixup of conflict in include/linux/inotify.h

    Linus Torvalds
     
  • * git://git.infradead.org/~dwmw2/rbtree-2.6:
    [RBTREE] Switch rb_colour() et al to en_US spelling of 'color' for consistency
    Update UML kernel/physmem.c to use rb_parent() accessor macro
    [RBTREE] Update hrtimers to use rb_parent() accessor macro.
    [RBTREE] Add explicit alignment to sizeof(long) for struct rb_node.
    [RBTREE] Merge colour and parent fields of struct rb_node.
    [RBTREE] Remove dead code in rb_erase()
    [RBTREE] Update JFFS2 to use rb_parent() accessor macro.
    [RBTREE] Update eventpoll.c to use rb_parent() accessor macro.
    [RBTREE] Update key.c to use rb_parent() accessor macro.
    [RBTREE] Update ext3 to use rb_parent() accessor macro.
    [RBTREE] Change rbtree off-tree marking in I/O schedulers.
    [RBTREE] Add accessor macros for colour and parent fields of rb_node

    Linus Torvalds
     

20 Jun, 2006

1 commit


18 Jun, 2006

5 commits

  • Add new per-packet access controls to SELinux, replacing the old
    packet controls.

    Packets are labeled with the iptables SECMARK and CONNSECMARK targets,
    then security policy for the packets is enforced with these controls.

    To allow for a smooth transition to the new controls, the old code is
    still present, but not active by default. To restore previous
    behavior, the old controls may be activated at runtime by writing a
    '1' to /selinux/compat_net, and also via the kernel boot parameter
    selinux_compat_net. Switching between the network control models
    requires the security load_policy permission. The old controls will
    probably eventually be removed and any continued use is discouraged.

    With this patch, the new secmark controls for SELinux are disabled by
    default, so existing behavior is entirely preserved, and the user is
    not affected at all.

    It also provides a config option to enable the secmark controls by
    default (which can always be overridden at boot and runtime). It is
    also noted in the kconfig help that the user will need updated
    userspace if enabling secmark controls for SELinux and that they'll
    probably need the SECMARK and CONNMARK targets, and conntrack protocol
    helpers, although such decisions are beyond the scope of kernel
    configuration.

    Signed-off-by: James Morris
    Signed-off-by: Andrew Morton
    Signed-off-by: David S. Miller

    James Morris
     
  • Add and export new functions to the in-kernel SELinux API in support of the
    new secmark-based packet controls.

    Signed-off-by: James Morris
    Signed-off-by: Andrew Morton
    Signed-off-by: David S. Miller

    James Morris
     
  • Secmark implements a new scheme for adding security markings to
    packets via iptables, as well as changes to SELinux to use these
    markings for security policy enforcement. The rationale for this
    scheme is explained and discussed in detail in the original threads:

    http://thread.gmane.org/gmane.linux.network/34927/
    http://thread.gmane.org/gmane.linux.network/35244/

    Examples of policy and rulesets, as well as a full archive of patches
    for iptables and SELinux userland, may be found at:

    http://people.redhat.com/jmorris/selinux/secmark/

    The code has been tested with various compilation options and in
    several scenarios, including with 'complicated' protocols such as FTP
    and also with the new generic conntrack code with IPv6 connection
    tracking.

    This patch:

    Add support for a new object class ('packet'), and associated
    permissions ('send', 'recv', 'relabelto'). These are used to enforce
    security policy for network packets labeled with SECMARK, and for
    adding labeling rules.

    Signed-off-by: James Morris
    Signed-off-by: Andrew Morton
    Signed-off-by: David S. Miller

    James Morris
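    The ruleset and policy the two secmark commits above describe (the
    SECMARK/CONNSECMARK labelling one and this 'packet' class one), as an
    added example constructed here; it is not code from the kernel commits
    or from the rulesets on the linked page. The domain and type names
    httpd_t, iptables_t, http_server_packet_t, http_client_packet_t and the
    attribute packet_type are assumptions. Without an argument the script is
    a dry run that prints the rules; 'apply' installs them and selects the
    new model via compat_net, 'policy' prints the policy fragment.

```shell
#!/bin/sh
# Added example, not code from the kernel commits above or from the
# linked secmark page: an iptables ruleset that labels HTTP traffic with
# SECMARK/CONNSECMARK, and the matching SELinux policy for the 'packet'
# class.  The names httpd_t, iptables_t, http_server_packet_t,
# http_client_packet_t and the attribute packet_type are assumptions.
set -e

# IPT="echo iptables" turns the script into a dry run that prints the
# rules instead of installing them (the default unless 'apply' is given).
IPT=${IPT:-iptables}
SERVER_PKT=system_u:object_r:http_server_packet_t:s0
CLIENT_PKT=system_u:object_r:http_client_packet_t:s0

secmark_rules() {
    # Start from an empty mangle table so re-running is idempotent.
    $IPT -t mangle -F
    # Packets of an already labelled connection inherit the label that
    # CONNSECMARK --save stored in the conntrack entry.
    $IPT -t mangle -A INPUT  -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
    $IPT -t mangle -A OUTPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
    # First packet of a new inbound HTTP connection: label it, then copy
    # the label into conntrack so the reply direction is labelled too.
    $IPT -t mangle -A INPUT -p tcp --dport 80 -m state --state NEW -j SECMARK --selctx "$SERVER_PKT"
    $IPT -t mangle -A INPUT -p tcp --dport 80 -m state --state NEW -j CONNSECMARK --save
    # Outbound HTTP from this host (e.g. a proxy fetching upstream).
    $IPT -t mangle -A OUTPUT -p tcp --dport 80 -m state --state NEW -j SECMARK --selctx "$CLIENT_PKT"
    $IPT -t mangle -A OUTPUT -p tcp --dport 80 -m state --state NEW -j CONNSECMARK --save
}

# Policy side.  'send'/'recv' are checked between the socket owner's domain
# and the packet's label; 'relabelto' is what the domain loading the
# iptables rules needs for each label it assigns with --selctx.
secmark_policy() {
    cat <<'EOF'
attribute packet_type;
type http_server_packet_t, packet_type;
type http_client_packet_t, packet_type;

allow httpd_t http_server_packet_t:packet { send recv };
allow httpd_t http_client_packet_t:packet { send recv };
allow iptables_t packet_type:packet relabelto;
EOF
}

# The new controls are off by default; compat_net=1 keeps the old per-socket
# checks, 0 selects the secmark model.  Writing it needs security:load_policy.
select_secmark_model() {
    if [ -w /selinux/compat_net ]; then
        echo 0 > /selinux/compat_net
    fi
}

case "${1:-}" in
    apply)  select_secmark_model; secmark_rules ;;
    policy) secmark_policy ;;
    *)      IPT="echo iptables"; secmark_rules ;;
esac
```

    Note that only the HTTP flows get a label here; whatever other traffic
    the host carries needs its own SECMARK rules and packet types once the
    secmark model is selected, since the commits above provide no labelling
    of their own.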
     
  • Add a security class for appletalk sockets so that they can be
    distinguished in SELinux policy. Please apply.

    Signed-off-by: Stephen Smalley
    Acked-by: James Morris
    Signed-off-by: Andrew Morton
    Signed-off-by: David S. Miller

    Christopher J. PeBenito
     
  • This patch contains a fix for the previous patch that adds security
    contexts to IPsec policies and security associations. In the previous
    patch, no authorization (besides the check for write permissions to
    SAD and SPD) is required to delete IPsec policies and security
    associations with security contexts. Thus a user authorized to change
    SAD and SPD can bypass the IPsec policy authorization by simply
    deleting policies with security contexts. To fix this security hole,
    an additional authorization check is added for removing security
    policies and security associations with security contexts.

    Note that if no security context is supplied on add or present on
    policy to be deleted, the SELinux module allows the change
    unconditionally. The hook is called on deletion when no context is
    present, which we may want to change. At present, I left it up to the
    module.

    LSM changes:

    The patch adds two new LSM hooks: xfrm_policy_delete and
    xfrm_state_delete. The new hooks are necessary to authorize deletion
    of IPsec policies that have security contexts. The existing hooks
    xfrm_policy_free and xfrm_state_free lack the context to do the
    authorization, so I decided to split authorization of deletion and
    memory management of security data, as is typical in the LSM
    interface.

    Use:

    The new delete hooks are checked when xfrm_policy or xfrm_state are
    deleted by either the xfrm_user interface (xfrm_get_policy,
    xfrm_del_sa) or the pfkey interface (pfkey_spddelete, pfkey_delete).

    SELinux changes:

    The new policy_delete and state_delete functions are added.

    Signed-off-by: Catherine Zhang
    Signed-off-by: Trent Jaeger
    Acked-by: James Morris
    Signed-off-by: David S. Miller

    Catherine Zhang
     

06 Jun, 2006

1 commit


22 May, 2006

1 commit


16 May, 2006

1 commit


04 May, 2006

1 commit


01 May, 2006

4 commits

  • The below patch should be applied after the inode and ipc sid patches.
    This patch is a reworking of Tim's patch that has been updated to match
    the inode and ipc patches since it's similar.

    [updated:
    > Stephen Smalley also wanted to change a variable from isec to tsec in the
    > user sid patch. ]

    Signed-off-by: Steve Grubb
    Signed-off-by: Al Viro

    Steve Grubb
     
  • Hi,

    The patch below converts IPC auditing to collect sids and convert to context
    string only if it needs to output an audit record. This patch depends on the
    inode audit change patch already being applied.

    Signed-off-by: Steve Grubb

    Signed-off-by: Al Viro

    Steve Grubb
     
  • Previously, we were gathering the context instead of the sid. Now in this patch,
    we gather just the sid and convert to context only if an audit event is being
    output.

    This patch brings the performance hit from 146% down to 23%

    Signed-off-by: Al Viro

    Steve Grubb
     
  • The following patch provides selinux interfaces that will allow the audit
    system to perform filtering based on the process context (user, role, type,
    sensitivity, and clearance). These interfaces will allow the selinux
    module to perform efficient matches based on lower level selinux constructs,
    rather than relying on context retrievals and string comparisons within
    the audit module. It also allows for dominance checks on the mls portion
    of the contexts that are impossible with only string comparisons.

    Signed-off-by: Darrel Goeddel
    Signed-off-by: Al Viro

    Darrel Goeddel
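    The filtering these interfaces make possible, as an added example
    constructed here (not code from this commit, from the audit merges listed
    above, or from the audit userspace): a shell script that loads auditctl
    rules keyed on the subject's SELinux context through the subj_user,
    subj_role, subj_type, subj_sen and subj_clr fields. The domain and role
    names httpd_t and sysadm_r, and the comparison-operator syntax in the
    last rule, are assumptions. Without an argument the script prints the
    rules instead of loading them.

```shell
#!/bin/sh
# Added example, not from the kernel commits above or from the audit
# userspace: auditctl rules that use the SELinux subject-context filters
# (subj_user/subj_role/subj_type/subj_sen/subj_clr) which the selinux
# interfaces described above back in the kernel.  The domain and role
# names httpd_t and sysadm_r are assumptions.
set -e

# AUDITCTL="echo auditctl" prints the rules instead of loading them
# (the default unless 'apply' is given).
AUDITCTL=${AUDITCTL:-auditctl}

audit_selinux_rules() {
    # Flush existing rules so the set below is exactly what is loaded.
    $AUDITCTL -D
    # Failed opens by the web server domain, keyed for ausearch -k.
    $AUDITCTL -a exit,always -S open -F subj_type=httpd_t -F success=0 -k httpd-denied
    # Every execve by a process in the sysadm role, whatever its Linux uid.
    $AUDITCTL -a exit,always -S execve -F subj_role=sysadm_r -k sysadm-exec
    # Subjects whose sensitivity is anything other than s0 ...
    $AUDITCTL -a exit,always -S open -F 'subj_sen!=s0' -k mls-open
    # ... or whose clearance dominates s1.  The kernel evaluates this as an
    # MLS dominance check, not a string comparison.  (That auditctl accepts
    # the >= operator for this field is an assumption; quoting keeps the
    # shell from treating '>' as a redirection.)
    $AUDITCTL -a exit,always -S open -F 'subj_clr>=s1' -k mls-high-clr
}

case "${1:-}" in
    apply) audit_selinux_rules ;;
    *)     AUDITCTL="echo auditctl"; audit_selinux_rules ;;
esac
```

    Because the match is done on sids inside the SELinux module, the rules
    cost one sid lookup per event rather than a context-string conversion
    per rule, which is the point of the sid-collection commits above.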
     

21 Apr, 2006

1 commit


20 Apr, 2006

1 commit

  • Fix an off-by-one error in the MLS compatibility code that was causing
    contexts with a MLS suffix to be rejected, preventing sharing partitions
    between FC4 and FC5. Bug reported in

    https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188068

    Signed-off-by: Stephen Smalley
    Acked-by: James Morris
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Ron Yorston
     

11 Apr, 2006

2 commits

  • Remove an unnecessary memory barrier (implicit in rcu_dereference()) from
    install_session_keyring().

    install_session_keyring() is also rearranged a little to make it slightly
    more efficient.

    As install_*_keyring() may schedule (in synchronize_rcu() or
    keyring_alloc()), they may not be entered with interrupts disabled - and so
    there's no point saving the interrupt disablement state over the critical
    section.

    exec_keys() will also be invoked with interrupts enabled, and so that doesn't
    need to save the interrupt state either.

    Signed-off-by: David Howells
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    David Howells
     
  • This fixes the problem of an oops occurring when a user attempts to add a
    key to a non-keyring key [CVE-2006-1522].

    The problem is that __keyring_search_one() doesn't check that the
    keyring it's been given is actually a keyring.

    I've fixed this problem by:

    (1) declaring that caller of __keyring_search_one() must guarantee that
    the keyring is a keyring; and

    (2) making key_create_or_update() check that the keyring is a keyring,
    and return -ENOTDIR if it isn't.

    This can be tested by:

    keyctl add user b b `keyctl add user a a @s`

    Signed-off-by: David Howells
    Signed-off-by: Linus Torvalds

    David Howells
     

10 Apr, 2006

1 commit

  • security/selinux/xfrm.c: In function 'selinux_socket_getpeer_dgram':
    security/selinux/xfrm.c:284: error: 'struct sec_path' has no member named 'x'
    security/selinux/xfrm.c: In function 'selinux_xfrm_sock_rcv_skb':
    security/selinux/xfrm.c:317: error: 'struct sec_path' has no member named 'x'

    Signed-off-by: Dave Jones
    Signed-off-by: David S. Miller
    Signed-off-by: Linus Torvalds

    Dave Jones
     

26 Mar, 2006

5 commits

  • * 'audit.b3' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current: (22 commits)
    [PATCH] fix audit_init failure path
    [PATCH] EXPORT_SYMBOL patch for audit_log, audit_log_start, audit_log_end and audit_format
    [PATCH] sem2mutex: audit_netlink_sem
    [PATCH] simplify audit_free() locking
    [PATCH] Fix audit operators
    [PATCH] promiscuous mode
    [PATCH] Add tty to syscall audit records
    [PATCH] add/remove rule update
    [PATCH] audit string fields interface + consumer
    [PATCH] SE Linux audit events
    [PATCH] Minor cosmetic cleanups to the code moved into auditfilter.c
    [PATCH] Fix audit record filtering with !CONFIG_AUDITSYSCALL
    [PATCH] Fix IA64 success/failure indication in syscall auditing.
    [PATCH] Miscellaneous bug and warning fixes
    [PATCH] Capture selinux subject/object context information.
    [PATCH] Exclude messages by message type
    [PATCH] Collect more inode information during syscall processing.
    [PATCH] Pass dentry, not just name, in fsnotify creation hooks.
    [PATCH] Define new range of userspace messages.
    [PATCH] Filter rule comparators
    ...

    Fixed trivial conflict in security/selinux/hooks.c

    Linus Torvalds
     
  • PTRACE_TRACEME doesn't have proper capabilities validation when parent is
    less privileged than child. Issue pointed out by Ram Gupta.

    Note: I haven't identified a strong security issue, and it's a small ABI
    change that could break apps that rely on existing behaviour (which allows
    parent that is less privileged than child to ptrace when child does
    PTRACE_TRACEME).

    Signed-off-by: Chris Wright
    Cc: Ram Gupta
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Chris Wright
     
  • Move capable() to kernel/capability.c and eliminate duplicate
    implementations. Add __capable() function which can be used to check for
    capability of any process.

    Signed-off-by: Chris Wright
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Chris Wright
     
  • Cause an attempt to add a duplicate non-updateable key (such as a keyring) to
    a keyring to discard the extant copy in favour of the new one rather than
    failing with EEXIST:

    # do the test in an empty session
    keyctl session
    # create a new keyring called "a" and attach to session
    keyctl newring a @s
    # create another new keyring called "a" and attach to session,
    # displacing the keyring added by the second command:
    keyctl newring a @s

    Without this patch, the third command will fail.

    For updateable keys (such as those of "user" type), the update method will
    still be called rather than a new key being created.

    Signed-off-by: David Howells
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    David Howells
     
  • Make key quota detection generate an error if either quota is exceeded rather
    than only if both quotas are exceeded.

    Signed-off-by: David Howells
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    David Howells
     

24 Mar, 2006

1 commit

  • Copies user-space string with strndup_user() and moves the type string
    duplication code to a function (thus fixing a wrong check on the length of the
    type.)

    Signed-off-by: Davi Arnaut
    Cc: David Howells
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Davi Arnaut
     

23 Mar, 2006

1 commit

  • This patch addresses several issues in the current BSD Secure Levels code:

    o plaintext_to_sha1: Missing check for a NULL return from __get_free_page

    o passwd_write_file: A page is leaked if the password is wrong.

    o fix securityfs registration order

    o seclvl_init is a mess and can't properly tolerate failures, failure
    path is upside down (deldif and delf should be switched)

    Cleanups:

    o plaintext_to_sha1: Use buffers passed in
    o passwd_write_file: Use kmalloc() instead of get_zeroed_page()
    o passwd_write_file: hashedPassword comparison is just memcmp
    o s/ENOSYS/EINVAL/
    o misc

    (akpm: after some discussion it appears that the BSD secure levels feature
    should be scheduled for removal. But for now, let's fix these problems up).

    Signed-off-by: Davi Arnaut
    Cc: Michael Halcrow
    Cc: Chris Wright
    Cc: Stephen Smalley
    Cc: James Morris
    Cc: Serge Hallyn
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Davi Arnaut
     

22 Mar, 2006

11 commits

  • Add a slab cache for the SELinux inode security struct, one of which is
    allocated for every inode instantiated by the system.

    The memory savings are considerable.

    On 64-bit, instead of the size-128 cache, we have a slab object of 96
    bytes, saving 32 bytes per object. After booting, I see about 4000 of
    these and then about 17,000 after a kernel compile. With this patch, we
    save around 530KB of kernel memory in the latter case. On 32-bit, the
    savings are about half of this.

    Signed-off-by: James Morris
    Acked-by: Stephen Smalley
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    James Morris
     
  • Remove an unneeded pointer variable in selinux_inode_init_security().

    Signed-off-by: James Morris
    Acked-by: Stephen Smalley
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    James Morris
     
  • A further fix is needed for selinuxfs link count management, to ensure that
    the count is correct for the parent directory when a subdirectory is
    created. This is only required for the root directory currently, but the
    code has been updated for the general case.

    Signed-off-by: James Morris
    Acked-by: Stephen Smalley
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    James Morris
     
  • Fix copy & paste error in sel_make_avc_files(), removing a spurious call to
    d_genocide() in the error path. All of this will be cleaned up by
    kill_litter_super().

    Signed-off-by: James Morris
    Acked-by: Stephen Smalley
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    James Morris
     
  • Remove the call to sel_make_bools() from sel_fill_super(), as policy needs to
    be loaded before the boolean files can be created. Policy will never be
    loaded during sel_fill_super() as selinuxfs is kernel mounted during init and
    the only means to load policy is via selinuxfs.

    Also, the call to d_genocide() on the error path of sel_make_bools() is
    incorrect and replaced with sel_remove_bools().

    Signed-off-by: James Morris
    Acked-by: Stephen Smalley
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    James Morris
     
  • Unify the error path of sel_fill_super() so that all errors pass through the
    same point and generate an error message. Also, removes a spurious dput() in
    the error path which breaks the refcounting for the filesystem
    (litter_kill_super() will correctly clean things up itself on error).

    Signed-off-by: James Morris
    Acked-by: Stephen Smalley
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    James Morris
     
  • Use existing sel_make_dir() helper to create booleans directory rather than
    duplicating the logic.

    Signed-off-by: James Morris
    Acked-by: Stephen Smalley
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    James Morris
     
  • Fix the hard link count for selinuxfs directories, which are currently one
    short.

    Signed-off-by: James Morris
    Acked-by: Stephen Smalley
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    James Morris
     
  • Simplify sel_read_bool to use the simple_read_from_buffer helper, like the
    other selinuxfs functions.

    Signed-off-by: Stephen Smalley
    Acked-by: James Morris
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Stephen Smalley
     
  • Semaphore to mutex conversion.

    The conversion was generated via scripts, and the result was validated
    automatically via a script as well.

    Signed-off-by: Ingo Molnar
    Cc: Stephen Smalley
    Cc: James Morris
    Cc: David Howells
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Ingo Molnar
     
  • This patch disables the automatic labeling of new inodes on disk
    when no policy is loaded.

    Discussion is here:
    https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=180296

    In short, we're changing the behavior so that when no policy is loaded,
    SELinux does not label files at all. Currently it does add an 'unlabeled'
    label in this case, which we've found causes problems later.

    SELinux always maintains a safe internal label if there is none, so with this
    patch, we just stick with that and wait until a policy is loaded before adding
    a persistent label on disk.

    The effect is simply that if you boot with SELinux enabled but no policy
    loaded and create a file in that state, SELinux won't try to set a security
    extended attribute on the new inode on the disk. This is the only sane
    behavior for SELinux in that state, as it cannot determine the right label to
    assign in the absence of a policy. That state usually doesn't occur, but the
    rawhide installer seemed to be misbehaving temporarily so it happened to show
    up on a test install.

    Signed-off-by: Stephen Smalley
    Acked-by: James Morris
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Stephen Smalley
     

21 Mar, 2006

1 commit