14 Aug, 2008

1 commit

• 5cd9c58fb   security: Fix setting of PF_SUPERPRIV by __capable() ... Browse Code »

  Fix the setting of PF_SUPERPRIV by __capable() as it could corrupt the flags
  the target process if that is not the current process and it is trying to
  change its own flags in a different way at the same time.

  __capable() is using neither atomic ops nor locking to protect t->flags. This
  patch removes __capable() and introduces has_capability() that doesn't set
  PF_SUPERPRIV on the process being queried.

  This patch further splits security_ptrace() in two:

  (1) security_ptrace_may_access(). This passes judgement on whether one
  process may access another only (PTRACE_MODE_ATTACH for ptrace() and
  PTRACE_MODE_READ for /proc), and takes a pointer to the child process.
  current is the parent.

  (2) security_ptrace_traceme(). This passes judgement on PTRACE_TRACEME only,
  and takes only a pointer to the parent process. current is the child.

  In Smack and commoncap, this uses has_capability() to determine whether
  the parent will be permitted to use PTRACE_ATTACH if normal checks fail.
  This does not set PF_SUPERPRIV.

  Two of the instances of __capable() actually only act on current, and so have
  been changed to calls to capable().

  Of the places that were using __capable():

  (1) The OOM killer calls __capable() thrice when weighing the killability of a
  process. All of these now use has_capability().

  (2) cap_ptrace() and smack_ptrace() were using __capable() to check to see
  whether the parent was allowed to trace any process. As mentioned above,
  these have been split. For PTRACE_ATTACH and /proc, capable() is now
  used, and for PTRACE_TRACEME, has_capability() is used.

  (3) cap_safe_nice() only ever saw current, so now uses capable().

  (4) smack_setprocattr() rejected accesses to tasks other than current just
  after calling __capable(), so the order of these two tests have been
  switched and capable() is used instead.

  (5) In smack_file_send_sigiotask(), we need to allow privileged processes to
  receive SIGIO on files they're manipulating.

  (6) In smack_task_wait(), we let a process wait for a privileged process,
  whether or not the process doing the waiting is privileged.

  I've tested this with the LTP SELinux and syscalls testscripts.

  Signed-off-by: David Howells
  Acked-by: Serge Hallyn
  Acked-by: Casey Schaufler
  Acked-by: Andrew G. Morgan
  Acked-by: Al Viro
  Signed-off-by: James Morris

  David Howells

  2008-08-14 20:59:43 +0800  

14 Jul, 2008

1 commit

• 6f0f0fd49   security: remove register_security hook ... Browse Code »

  The register security hook is no longer required, as the capability
  module is always registered. LSMs wishing to stack capability as
  a secondary module should do so explicitly.

  Signed-off-by: James Morris
  Acked-by: Stephen Smalley
  Acked-by: Greg Kroah-Hartman

  James Morris

  2008-07-14 13:04:06 +0800  

28 Apr, 2008

1 commit

• 55d00ccfb   root_plug: use cap_task_prctl ... Browse Code »

  With the introduction of per-process securebits, the capabilities-related
  prctl callbacks were moved into cap_task_prctl(). Have root_plug use
  cap_task_prctl() so that PR_SET_KEEPCAPS is defined.

  Signed-off-by: Serge E. Hallyn
  Acked-by: Greg Kroah-Hartman
  Signed-off-by: Andrew Morton
  Signed-off-by: Linus Torvalds

  Serge E. Hallyn

  2008-04-28 23:58:27 +0800  

18 Apr, 2008

1 commit

• dd6f953ad   security: replace remaining __FUNCTION__ occurrences ... Browse Code »

  __FUNCTION__ is gcc-specific, use __func__

  Signed-off-by: Harvey Harrison
  Cc: James Morris
  Cc: Stephen Smalley
  Signed-off-by: Andrew Morton
  Signed-off-by: James Morris

  Harvey Harrison

  2008-04-18 18:26:07 +0800  

17 Oct, 2007

1 commit

• 20510f2f4   security: Convert LSM into a static interface ... Browse Code »

  Convert LSM into a static interface, as the ability to unload a security
  module is not required by in-tree users and potentially complicates the
  overall security architecture.

  Needlessly exported LSM symbols have been unexported, to help reduce API
  abuse.

  Parameters for the capability and root_plug modules are now specified
  at boot.

  The SECURITY_FRAMEWORK_VERSION macro has also been removed.

  In a nutshell, there is no safe way to unload an LSM. The modular interface
  is thus unecessary and broken infrastructure. It is used only by out-of-tree
  modules, which are often binary-only, illegal, abusive of the API and
  dangerous, e.g. silently re-vectoring SELinux.

  [akpm@linux-foundation.org: cleanups]
  [akpm@linux-foundation.org: USB Kconfig fix]
  [randy.dunlap@oracle.com: fix LSM kernel-doc]
  Signed-off-by: James Morris
  Acked-by: Chris Wright
  Cc: Stephen Smalley
  Cc: "Serge E. Hallyn"
  Acked-by: Arjan van de Ven
  Signed-off-by: Randy Dunlap
  Signed-off-by: Andrew Morton
  Signed-off-by: Linus Torvalds

  James Morris

  2007-10-17 23:43:07 +0800  

01 Jul, 2006

1 commit

• 6ab3d5624   Remove obsolete #include <linux/config.h> ... Browse Code »

  Signed-off-by: Jörn Engel
  Signed-off-by: Adrian Bunk

  Jörn Engel

  2006-07-01 01:25:36 +0800  

17 Apr, 2005

1 commit

• 1da177e4c   Linux-2.6.12-rc2 ... Browse Code »

  Initial git repository build. I'm not bothering with the full history,
  even though we have it. We can create a separate "historical" git
  archive of that later if we want to, and in the meantime it's about
  3.2GB when imported into git - space that would just make the early
  git days unnecessarily complicated, when we don't have a lot of good
  infrastructure for it.

  Let it rip!

  Linus Torvalds

  2005-04-17 06:20:36 +0800