24 Dec, 2013
2 commits
-
selinux_setprocattr() does ptrace_parent(p) under task_lock(p),
but task_struct->alloc_lock doesn't pin ->parent or ->ptrace,
this looks confusing and triggers the "suspicious RCU usage"
warning because ptrace_parent() does rcu_dereference_check().And in theory this is wrong, spin_lock()->preempt_disable()
doesn't necessarily imply rcu_read_lock() we need to access
the ->parent.Reported-by: Evan McNabb
Signed-off-by: Oleg Nesterov
Cc: stable@vger.kernel.org
Signed-off-by: Paul Moore -
Fix a broken networking check. Return an error if peer recv fails. If
secmark is active and the packet recv succeeds the peer recv error is
ignored.Signed-off-by: Chad Hanson
Cc: stable@vger.kernel.org
Signed-off-by: Paul Moore
16 Dec, 2013
2 commits
-
Pull SELinux fixes from James Morris.
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
selinux: process labeled IPsec TCP SYN-ACK packets properly in selinux_ip_postroute()
selinux: look for IPsec labels on both inbound and outbound packets
selinux: handle TCP SYN-ACK packets correctly in selinux_ip_postroute()
selinux: handle TCP SYN-ACK packets correctly in selinux_ip_output()
selinux: fix possible memory leak -
This reverts commit 102aefdda4d8275ce7d7100bc16c88c74272b260.
Tom London reports that it causes sync() to hang on Fedora rawhide:
https://bugzilla.redhat.com/show_bug.cgi?id=1033965
and Josh Boyer bisected it down to this commit. Reverting the commit in
the rawhide kernel fixes the problem.Eric Paris root-caused it to incorrect subtype matching in that commit
breaking fuse, and has a tentative patch, but by now we're better off
retrying this in 3.14 rather than playing with it any more.Reported-by: Tom London
Bisected-by: Josh Boyer
Acked-by: Eric Paris
Cc: James Morris
Cc: Anand Avati
Cc: Paul Moore
Signed-off-by: Linus Torvalds
13 Dec, 2013
6 commits
-
Due to difficulty in arriving at the proper security label for
TCP SYN-ACK packets in selinux_ip_postroute(), we need to check packets
while/before they are undergoing XFRM transforms instead of waiting
until afterwards so that we can determine the correct security label.Reported-by: Janak Desai
Cc: stable@vger.kernel.org
Signed-off-by: Paul Moore -
Previously selinux_skb_peerlbl_sid() would only check for labeled
IPsec security labels on inbound packets, this patch enables it to
check both inbound and outbound traffic for labeled IPsec security
labels.Reported-by: Janak Desai
Cc: stable@vger.kernel.org
Signed-off-by: Paul Moore -
In selinux_ip_postroute() we perform access checks based on the
packet's security label. For locally generated traffic we get the
packet's security label from the associated socket; this works in all
cases except for TCP SYN-ACK packets. In the case of SYN-ACK packet's
the correct security label is stored in the connection's request_sock,
not the server's socket. Unfortunately, at the point in time when
selinux_ip_postroute() is called we can't query the request_sock
directly, we need to recreate the label using the same logic that
originally labeled the associated request_sock.See the inline comments for more explanation.
Reported-by: Janak Desai
Tested-by: Janak Desai
Cc: stable@vger.kernel.org
Signed-off-by: Paul Moore -
In selinux_ip_output() we always label packets based on the parent
socket. While this approach works in almost all cases, it doesn't
work in the case of TCP SYN-ACK packets when the correct label is not
the label of the parent socket, but rather the label of the larval
socket represented by the request_sock struct.Unfortunately, since the request_sock isn't queued on the parent
socket until *after* the SYN-ACK packet is sent, we can't lookup the
request_sock to determine the correct label for the packet; at this
point in time the best we can do is simply pass/NF_ACCEPT the packet.
It must be said that simply passing the packet without any explicit
labeling action, while far from ideal, is not terrible as the SYN-ACK
packet will inherit any IP option based labeling from the initial
connection request so the label *should* be correct and all our
access controls remain in place so we shouldn't have to worry about
information leaks.Reported-by: Janak Desai
Tested-by: Janak Desai
Cc: stable@vger.kernel.org
Signed-off-by: Paul Moore -
Pull misc keyrings fixes from David Howells:
"These break down into five sets:- A patch to error handling in the big_key type for huge payloads.
If the payload is larger than the "low limit" and the backing store
allocation fails, then big_key_instantiate() doesn't clear the
payload pointers in the key, assuming them to have been previously
cleared - but only one of them is.Unfortunately, the garbage collector still calls big_key_destroy()
when sees one of the pointers with a weird value in it (and not
NULL) which it then tries to clean up.- Three patches to fix the keyring type:
* A patch to fix the hash function to correctly divide keyrings off
from keys in the topology of the tree inside the associative
array. This is only a problem if searching through nested
keyrings - and only if the hash function incorrectly puts the a
keyring outside of the 0 branch of the root node.* A patch to fix keyrings' use of the associative array. The
__key_link_begin() function initially passes a NULL key pointer
to assoc_array_insert() on the basis that it's holding a place in
the tree whilst it does more allocation and stuff.This is only a problem when a node contains 16 keys that match at
that level and we want to add an also matching 17th. This should
easily be manufactured with a keyring full of keyrings (without
chucking any other sort of key into the mix) - except for (a)
above which makes it on average adding the 65th keyring.* A patch to fix searching down through nested keyrings, where any
keyring in the set has more than 16 keyrings and none of the
first keyrings we look through has a match (before the tree
iteration needs to step to a more distal node).Test in keyutils test suite:
http://git.kernel.org/cgit/linux/kernel/git/dhowells/keyutils.git/commit/?id=8b4ae963ed92523aea18dfbb8cab3f4979e13bd1
- A patch to fix the big_key type's use of a shmem file as its
backing store causing audit messages and LSM check failures. This
is done by setting S_PRIVATE on the file to avoid LSM checks on the
file (access to the shmem file goes through the keyctl() interface
and so is gated by the LSM that way).This isn't normally a problem if a key is used by the context that
generated it - and it's currently only used by libkrb5.Test in keyutils test suite:
http://git.kernel.org/cgit/linux/kernel/git/dhowells/keyutils.git/commit/?id=d9a53cbab42c293962f2f78f7190253fc73bd32e
- A patch to add a generated file to .gitignore.
- A patch to fix the alignment of the system certificate data such
that it it works on s390. As I understand it, on the S390 arch,
symbols must be 2-byte aligned because loading the address discards
the least-significant bit"* tag 'keys-devel-20131210' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs:
KEYS: correct alignment of system_certificate_list content in assembly file
Ignore generated file kernel/x509_certificate_list
security: shmem: implement kernel private shmem inodes
KEYS: Fix searching of nested keyrings
KEYS: Fix multiple key add into associative array
KEYS: Fix the keyring hash function
KEYS: Pre-clear struct key on allocation
05 Dec, 2013
1 commit
-
Free 'ctx_str' when necessary.
Signed-off-by: Geyslan G. Bem
Signed-off-by: Paul Moore
03 Dec, 2013
2 commits
-
The new templates management mechanism records information associated
to an event into an array of 'ima_field_data' structures and makes it
available through the 'template_data' field of the 'ima_template_entry'
structure (the element of the measurements list created by IMA).Since 'ima_field_data' contains dynamically allocated data (which length
varies depending on the data associated to a selected template field),
it is not enough to just free the memory reserved for a
'ima_template_entry' structure if something goes wrong.This patch creates the new function ima_free_template_entry() which
walks the array of 'ima_field_data' structures, frees the memory
referenced by the 'data' pointer and finally the space reserved for
the 'ima_template_entry' structure. Further, it replaces existing kfree()
that have a pointer to an 'ima_template_entry' structure as argument
with calls to the new function.Fixes: a71dc65: ima: switch to new template management mechanism
Signed-off-by: Roberto Sassu
Signed-off-by: Mimi Zohar -
7bc5f447ce9d0 (ima: define new function ima_alloc_init_template() to
API) moved the initialization of 'entry' in ima_add_boot_aggregate() a
bit more below, after the if (ima_used_chip).So, 'entry' is not initialized while being inside this if-block. So, we
should not attempt to free it.Found by Coverity (CID: 1131971)
Fixes: 7bc5f447ce9d0 (ima: define new function ima_alloc_init_template() to API)
Signed-off-by: Christoph Paasch
Signed-off-by: Mimi Zohar
02 Dec, 2013
5 commits
-
We have a problem where the big_key key storage implementation uses a
shmem backed inode to hold the key contents. Because of this detail of
implementation LSM checks are being done between processes trying to
read the keys and the tmpfs backed inode. The LSM checks are already
being handled on the key interface level and should not be enforced at
the inode level (since the inode is an implementation detail, not a
part of the security model)This patch implements a new function shmem_kernel_file_setup() which
returns the equivalent to shmem_file_setup() only the underlying inode
has S_PRIVATE set. This means that all LSM checks for the inode in
question are skipped. It should only be used for kernel internal
operations where the inode is not exposed to userspace without proper
LSM checking. It is possible that some other users of
shmem_file_setup() should use the new interface, but this has not been
explored.Reproducing this bug is a little bit difficult. The steps I used on
Fedora are:(1) Turn off selinux enforcing:
setenforce 0
(2) Create a huge key
k=`dd if=/dev/zero bs=8192 count=1 | keyctl padd big_key test-key @s`
(3) Access the key in another context:
runcon system_u:system_r:httpd_t:s0-s0:c0.c1023 keyctl print $k >/dev/null
(4) Examine the audit logs:
ausearch -m AVC -i --subject httpd_t | audit2allow
If the last command's output includes a line that looks like:
allow httpd_t user_tmpfs_t:file { open read };
There was an inode check between httpd and the tmpfs filesystem. With
this patch no such denial will be seen. (NOTE! you should clear your
audit log if you have tested for this previously)(Please return you box to enforcing)
Signed-off-by: Eric Paris
Signed-off-by: David Howells
cc: Hugh Dickins
cc: linux-mm@kvack.org -
If a keyring contains more than 16 keyrings (the capacity of a single node in
the associative array) then those keyrings are split over multiple nodes
arranged as a tree.If search_nested_keyrings() is called to search the keyring then it will
attempt to manually walk over just the 0 branch of the associative array tree
where all the keyring links are stored. This works provided the key is found
before the algorithm steps from one node containing keyrings to a child node
or if there are sufficiently few keyring links that the keyrings are all in
one node.However, if the algorithm does need to step from a node to a child node, it
doesn't change the node pointer unless a shortcut also gets transited. This
means that the algorithm will keep scanning the same node over and over again
without terminating and without returning.To fix this, move the internal-pointer-to-node translation from inside the
shortcut transit handler so that it applies it to node arrival as well.This can be tested by:
r=`keyctl newring sandbox @s`
for ((i=0; i
Tested-by: Stephen Gallagher -
If sufficient keys (or keyrings) are added into a keyring such that a node in
the associative array's tree overflows (each node has a capacity N, currently
16) and such that all N+1 keys have the same index key segment for that level
of the tree (the level'th nibble of the index key), then assoc_array_insert()
calls ops->diff_objects() to indicate at which bit position the two index keys
vary.However, __key_link_begin() passes a NULL object to assoc_array_insert() with
the intention of supplying the correct pointer later before we commit the
change. This means that keyring_diff_objects() is given a NULL pointer as one
of its arguments which it does not expect. This results in an oops like the
attached.With the previous patch to fix the keyring hash function, this can be forced
much more easily by creating a keyring and only adding keyrings to it. Add any
other sort of key and a different insertion path is taken - all 16+1 objects
must want to cluster in the same node slot.This can be tested by:
r=`keyctl newring sandbox @s`
for ((i=0; idiff_objects() is always called with the first pointer pointing to
the object to be inserted (ie. the NULL pointer), we can fix the problem by
changing the to-be-inserted object pointer to point to the index key passed
into assoc_array_insert() instead.Whilst we're at it, we also switch the arguments so that they are the same as
for ->compare_object().BUG: unable to handle kernel NULL pointer dereference at 0000000000000088
IP: [] hash_key_type_and_desc+0x18/0xb0
...
RIP: 0010:[] hash_key_type_and_desc+0x18/0xb0
...
Call Trace:
[] keyring_diff_objects+0x21/0xd2
[] assoc_array_insert+0x3b6/0x908
[] __key_link_begin+0x78/0xe5
[] key_create_or_update+0x17d/0x36a
[] SyS_add_key+0x123/0x183
[] tracesys+0xdd/0xe2Signed-off-by: David Howells
Tested-by: Stephen Gallagher -
The keyring hash function (used by the associative array) is supposed to clear
the bottommost nibble of the index key (where the hash value resides) for
keyrings and make sure it is non-zero for non-keyrings. This is done to make
keyrings cluster together on one branch of the tree separately to other keys.Unfortunately, the wrong mask is used, so only the bottom two bits are
examined and cleared and not the whole bottom nibble. This means that keys
and keyrings can still be successfully searched for under most circumstances
as the hash is consistent in its miscalculation, but if a keyring's
associative array bottom node gets filled up then approx 75% of the keyrings
will not be put into the 0 branch.The consequence of this is that a key in a keyring linked to by another
keyring, ie.keyring A -> keyring B -> key
may not be found if the search starts at keyring A and then descends into
keyring B because search_nested_keyrings() only searches up the 0 branch (as it
"knows" all keyrings must be there and not elsewhere in the tree).The fix is to use the right mask.
This can be tested with:
r=`keyctl newring sandbox @s`
for ((i=0; i
Signed-off-by: David Howells
Tested-by: Stephen Gallagher -
The second word of key->payload does not get initialised in key_alloc(), but
the big_key type is relying on it having been cleared. The problem comes when
big_key fails to instantiate a large key and doesn't then set the payload. The
big_key_destroy() op is called from the garbage collector and this assumes that
the dentry pointer stored in the second word will be NULL if instantiation did
not complete.Therefore just pre-clear the entire struct key on allocation rather than trying
to be clever and only initialising to 0 only those bits that aren't otherwise
initialised.The lack of initialisation can lead to a bug report like the following if
big_key failed to initialise its file:general protection fault: 0000 [#1] SMP
Modules linked in: ...
CPU: 0 PID: 51 Comm: kworker/0:1 Not tainted 3.10.0-53.el7.x86_64 #1
Hardware name: Dell Inc. PowerEdge 1955/0HC513, BIOS 1.4.4 12/09/2008
Workqueue: events key_garbage_collector
task: ffff8801294f5680 ti: ffff8801296e2000 task.ti: ffff8801296e2000
RIP: 0010:[] dput+0x21/0x2d0
...
Call Trace:
[] path_put+0x16/0x30
[] big_key_destroy+0x44/0x60
[] key_gc_unused_keys.constprop.2+0x5b/0xe0
[] key_garbage_collector+0x1df/0x3c0
[] process_one_work+0x17b/0x460
[] worker_thread+0x11b/0x400
[] ? rescuer_thread+0x3e0/0x3e0
[] kthread+0xc0/0xd0
[] ? kthread_create_on_node+0x110/0x110
[] ret_from_fork+0x7c/0xb0
[] ? kthread_create_on_node+0x110/0x110Reported-by: Patrik Kis
Signed-off-by: David Howells
Reviewed-by: Stephen Gallagher
30 Nov, 2013
1 commit
-
This patch stores the address of the 'template_fmt_copy' variable in a new
variable, called 'template_fmt_ptr', so that the latter is passed as an
argument of strsep() instead of the former. This modification is needed
in order to correctly free the memory area referenced by
'template_fmt_copy' (strsep() modifies the pointer of the passed string).Signed-off-by: Roberto Sassu
Reported-by: Sebastian Ott
Signed-off-by: Mimi Zohar
Signed-off-by: James Morris
27 Nov, 2013
1 commit
-
Linux 3.12
26 Nov, 2013
1 commit
-
This patch makes a copy of the 'template_fmt' function argument so that
the latter will not be modified by strsep(), which does the splitting by
replacing the given separator with '\0'.IMA: No TPM chip found, activating TPM-bypass!
Unable to handle kernel pointer dereference at virtual kernel address 0000000000842000
Oops: 0004 [#1] SMP
Modules linked in:
CPU: 3 PID: 1 Comm: swapper/0 Not tainted 3.12.0-rc2-00098-g3ce1217d6cd5 #17
task: 000000003ffa0000 ti: 000000003ff84000 task.ti: 000000003ff84000
Krnl PSW : 0704e00180000000 000000000044bf88 (strsep+0x7c/0xa0)
R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 EA:3
Krnl GPRS: 000000000000007c 000000000000007c 000000003ff87d90 0000000000821fd8
0000000000000000 000000000000007c 0000000000aa37e0 0000000000aa9008
0000000000000051 0000000000a114d8 0000000100000002 0000000000842bde
0000000000842bdf 00000000006f97f0 000000000040062c 000000003ff87cf0
Krnl Code: 000000000044bf7c: a7f4000a brc 15,44bf90
000000000044bf80: b90200cc ltgr %r12,%r12
#000000000044bf84: a7840006 brc 8,44bf90
>000000000044bf88: 9200c000 mvi 0(%r12),0
000000000044bf8c: 41c0c001 la %r12,1(%r12)
000000000044bf90: e3c020000024 stg %r12,0(%r2)
000000000044bf96: b904002b lgr %r2,%r11
000000000044bf9a: ebbcf0700004 lmg %r11,%r12,112(%r15)
Call Trace:
([] ima_init_template+0xa2/0x1bc)
[] ima_init+0x7a/0xa8
[] init_ima+0x24/0x40
[] do_one_initcall+0x68/0x128
[] kernel_init_freeable+0x20a/0x2b4
[] kernel_init+0x30/0x178
[] kernel_thread_starter+0x6/0xc
[] kernel_thread_starter+0x0/0xc
Last Breaking-Event-Address:
[] strsep+0x36/0xa0Fixes commit: adf53a7 ima: new templates management mechanism
Changelog v1:
- make template_fmt 'const char *' (reported-by James Morris)
- fix kstrdup memory leak (reported-by James Morris)Reported-by: Heiko Carstens
Signed-off-by: Roberto Sassu
Signed-off-by: Mimi Zohar
Tested-by: Heiko Carstens
25 Nov, 2013
2 commits
-
This patch defines a new value for the 'ima_show_type' enumerator
(IMA_SHOW_BINARY_NO_FIELD_LEN) to prevent that the field length
is transmitted through the 'binary_runtime_measurements' interface
for the digest field of the 'ima' template.Fixes commit: 3ce1217 ima: define template fields library and new helpers
Signed-off-by: Roberto Sassu
Signed-off-by: Mimi Zohar -
To maintain compatibility with userspace tools, the field length must not
be included in the template digest calculation for the 'ima' template.Fixes commit: a71dc65 ima: switch to new template management mechanism
Signed-off-by: Roberto Sassu
Signed-off-by: Mimi Zohar
24 Nov, 2013
1 commit
-
This reverts commit 217091dd7a7a1bdac027ddb7c5a25f6ac0b8e241, which
caused the following build error:security/integrity/digsig.c:70:5: error: redefinition of ‘integrity_init_keyring’
security/integrity/integrity.h:149:12: note: previous definition of ‘integrity_init_keyring’ w
security/integrity/integrity.h:149:12: warning: ‘integrity_init_keyring’ defined but not usedreported by Krzysztof Kolasa. Mimi says:
"I made the classic mistake of requesting this patch to be upstreamed
at the last second, rather than waiting until the next open window.At this point, the best course would probably be to revert the two
commits and fix them for the next open window"Reported-by: Krzysztof Kolasa
Acked-by: Mimi Zohar
Signed-off-by: Linus Torvalds
22 Nov, 2013
2 commits
-
Pull security subsystem updates from James Morris:
"In this patchset, we finally get an SELinux update, with Paul Moore
taking over as maintainer of that code.Also a significant update for the Keys subsystem, as well as
maintenance updates to Smack, IMA, TPM, and Apparmor"and since I wanted to know more about the updates to key handling,
here's the explanation from David Howells on that:"Okay. There are a number of separate bits. I'll go over the big bits
and the odd important other bit, most of the smaller bits are just
fixes and cleanups. If you want the small bits accounting for, I can
do that too.(1) Keyring capacity expansion.
KEYS: Consolidate the concept of an 'index key' for key access
KEYS: Introduce a search context structure
KEYS: Search for auth-key by name rather than target key ID
Add a generic associative array implementation.
KEYS: Expand the capacity of a keyringSeveral of the patches are providing an expansion of the capacity of a
keyring. Currently, the maximum size of a keyring payload is one page.
Subtract a small header and then divide up into pointers, that only gives
you ~500 pointers on an x86_64 box. However, since the NFS idmapper uses
a keyring to store ID mapping data, that has proven to be insufficient to
the cause.Whatever data structure I use to handle the keyring payload, it can only
store pointers to keys, not the keys themselves because several keyrings
may point to a single key. This precludes inserting, say, and rb_node
struct into the key struct for this purpose.I could make an rbtree of records such that each record has an rb_node
and a key pointer, but that would use four words of space per key stored
in the keyring. It would, however, be able to use much existing code.I selected instead a non-rebalancing radix-tree type approach as that
could have a better space-used/key-pointer ratio. I could have used the
radix tree implementation that we already have and insert keys into it by
their serial numbers, but that means any sort of search must iterate over
the whole radix tree. Further, its nodes are a bit on the capacious side
for what I want - especially given that key serial numbers are randomly
allocated, thus leaving a lot of empty space in the tree.So what I have is an associative array that internally is a radix-tree
with 16 pointers per node where the index key is constructed from the key
type pointer and the key description. This means that an exact lookup by
type+description is very fast as this tells us how to navigate directly to
the target key.I made the data structure general in lib/assoc_array.c as far as it is
concerned, its index key is just a sequence of bits that leads to a
pointer. It's possible that someone else will be able to make use of it
also. FS-Cache might, for example.(2) Mark keys as 'trusted' and keyrings as 'trusted only'.
KEYS: verify a certificate is signed by a 'trusted' key
KEYS: Make the system 'trusted' keyring viewable by userspace
KEYS: Add a 'trusted' flag and a 'trusted only' flag
KEYS: Separate the kernel signature checking keyring from module signingThese patches allow keys carrying asymmetric public keys to be marked as
being 'trusted' and allow keyrings to be marked as only permitting the
addition or linkage of trusted keys.Keys loaded from hardware during kernel boot or compiled into the kernel
during build are marked as being trusted automatically. New keys can be
loaded at runtime with add_key(). They are checked against the system
keyring contents and if their signatures can be validated with keys that
are already marked trusted, then they are marked trusted also and can
thus be added into the master keyring.Patches from Mimi Zohar make this usable with the IMA keyrings also.
(3) Remove the date checks on the key used to validate a module signature.
X.509: Remove certificate date checks
It's not reasonable to reject a signature just because the key that it was
generated with is no longer valid datewise - especially if the kernel
hasn't yet managed to set the system clock when the first module is
loaded - so just remove those checks.(4) Make it simpler to deal with additional X.509 being loaded into the kernel.
KEYS: Load *.x509 files into kernel keyring
KEYS: Have make canonicalise the paths of the X.509 certs better to deduplicateThe builder of the kernel now just places files with the extension ".x509"
into the kernel source or build trees and they're concatenated by the
kernel build and stuffed into the appropriate section.(5) Add support for userspace kerberos to use keyrings.
KEYS: Add per-user_namespace registers for persistent per-UID kerberos caches
KEYS: Implement a big key type that can save to tmpfsFedora went to, by default, storing kerberos tickets and tokens in tmpfs.
We looked at storing it in keyrings instead as that confers certain
advantages such as tickets being automatically deleted after a certain
amount of time and the ability for the kernel to get at these tokens more
easily.To make this work, two things were needed:
(a) A way for the tickets to persist beyond the lifetime of all a user's
sessions so that cron-driven processes can still use them.The problem is that a user's session keyrings are deleted when the
session that spawned them logs out and the user's user keyring is
deleted when the UID is deleted (typically when the last log out
happens), so neither of these places is suitable.I've added a system keyring into which a 'persistent' keyring is
created for each UID on request. Each time a user requests their
persistent keyring, the expiry time on it is set anew. If the user
doesn't ask for it for, say, three days, the keyring is automatically
expired and garbage collected using the existing gc. All the kerberos
tokens it held are then also gc'd.(b) A key type that can hold really big tickets (up to 1MB in size).
The problem is that Active Directory can return huge tickets with lots
of auxiliary data attached. We don't, however, want to eat up huge
tracts of unswappable kernel space for this, so if the ticket is
greater than a certain size, we create a swappable shmem file and dump
the contents in there and just live with the fact we then have an
inode and a dentry overhead. If the ticket is smaller than that, we
slap it in a kmalloc()'d buffer"* 'for-linus2' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (121 commits)
KEYS: Fix keyring content gc scanner
KEYS: Fix error handling in big_key instantiation
KEYS: Fix UID check in keyctl_get_persistent()
KEYS: The RSA public key algorithm needs to select MPILIB
ima: define '_ima' as a builtin 'trusted' keyring
ima: extend the measurement list to include the file signature
kernel/system_certificate.S: use real contents instead of macro GLOBAL()
KEYS: fix error return code in big_key_instantiate()
KEYS: Fix keyring quota misaccounting on key replacement and unlink
KEYS: Fix a race between negating a key and reading the error set
KEYS: Make BIG_KEYS boolean
apparmor: remove the "task" arg from may_change_ptraced_domain()
apparmor: remove parent task info from audit logging
apparmor: remove tsk field from the apparmor_audit_struct
apparmor: fix capability to not use the current task, during reporting
Smack: Ptrace access check mode
ima: provide hash algo info in the xattr
ima: enable support for larger default filedata hash algorithms
ima: define kernel parameter 'ima_template=' to change configured default
ima: add Kconfig default measurement list template
... -
Pull audit updates from Eric Paris:
"Nothing amazing. Formatting, small bug fixes, couple of fixes where
we didn't get records due to some old VFS changes, and a change to how
we collect execve info..."Fixed conflict in fs/exec.c as per Eric and linux-next.
* git://git.infradead.org/users/eparis/audit: (28 commits)
audit: fix type of sessionid in audit_set_loginuid()
audit: call audit_bprm() only once to add AUDIT_EXECVE information
audit: move audit_aux_data_execve contents into audit_context union
audit: remove unused envc member of audit_aux_data_execve
audit: Kill the unused struct audit_aux_data_capset
audit: do not reject all AUDIT_INODE filter types
audit: suppress stock memalloc failure warnings since already managed
audit: log the audit_names record type
audit: add child record before the create to handle case where create fails
audit: use given values in tty_audit enable api
audit: use nlmsg_len() to get message payload length
audit: use memset instead of trying to initialize field by field
audit: fix info leak in AUDIT_GET requests
audit: update AUDIT_INODE filter rule to comparator function
audit: audit feature to set loginuid immutable
audit: audit feature to only allow unsetting the loginuid
audit: allow unsetting the loginuid (with priv)
audit: remove CONFIG_AUDIT_LOGINUID_IMMUTABLE
audit: loginuid functions coding style
selinux: apply selinux checks on new audit message types
...
14 Nov, 2013
2 commits
-
Key pointers stored in the keyring are marked in bit 1 to indicate if they
point to a keyring. We need to strip off this bit before using the pointer
when iterating over the keyring for the purpose of looking for links to garbage
collect.This means that expirable keyrings aren't correctly expiring because the
checker is seeing their key pointer with 2 added to it.Since the fix for this involves knowing about the internals of the keyring,
key_gc_keyring() is moved to keyring.c and merged into keyring_gc().This can be tested by:
echo 2 >/proc/sys/kernel/keys/gc_delay
keyctl timeout `keyctl add keyring qwerty "" @s` 2
cat /proc/keys
sleep 5; cat /proc/keyswhich should see a keyring called "qwerty" appear in the session keyring and
then disappear after it expires, and:echo 2 >/proc/sys/kernel/keys/gc_delay
a=`keyctl get_persistent @s`
b=`keyctl add keyring 0 "" $a`
keyctl add user a a $b
keyctl timeout $b 2
cat /proc/keys
sleep 5; cat /proc/keyswhich should see a keyring called "0" with a key called "a" in it appear in the
user's persistent keyring (which will be attached to the session keyring) and
then both the "0" keyring and the "a" key should disappear when the "0" keyring
expires.Signed-off-by: David Howells
Acked-by: Simo Sorce -
In the big_key_instantiate() function we return 0 if kernel_write() returns us
an error rather than returning an error. This can potentially lead to
dentry_open() giving a BUG when called from big_key_read() with an unset
tmpfile path.------------[ cut here ]------------
kernel BUG at fs/open.c:798!
...
RIP: 0010:[] dentry_open+0xd1/0xe0
...
Call Trace:
[] big_key_read+0x55/0x100
[] keyctl_read_key+0xb4/0xe0
[] SyS_keyctl+0xf8/0x1d0
[] system_call_fastpath+0x16/0x1bSigned-off-by: David Howells
Reviewed-by: Stephen Gallagher
13 Nov, 2013
2 commits
-
Pull networking updates from David Miller:
1) The addition of nftables. No longer will we need protocol aware
firewall filtering modules, it can all live in userspace.At the core of nftables is a, for lack of a better term, virtual
machine that executes byte codes to inspect packet or metadata
(arriving interface index, etc.) and make verdict decisions.Besides support for loading packet contents and comparing them, the
interpreter supports lookups in various datastructures as
fundamental operations. For example sets are supports, and
therefore one could create a set of whitelist IP address entries
which have ACCEPT verdicts attached to them, and use the appropriate
byte codes to do such lookups.Since the interpreted code is composed in userspace, userspace can
do things like optimize things before giving it to the kernel.Another major improvement is the capability of atomically updating
portions of the ruleset. In the existing netfilter implementation,
one has to update the entire rule set in order to make a change and
this is very expensive.Userspace tools exist to create nftables rules using existing
netfilter rule sets, but both kernel implementations will need to
co-exist for quite some time as we transition from the old to the
new stuff.Kudos to Patrick McHardy, Pablo Neira Ayuso, and others who have
worked so hard on this.2) Daniel Borkmann and Hannes Frederic Sowa made several improvements
to our pseudo-random number generator, mostly used for things like
UDP port randomization and netfitler, amongst other things.In particular the taus88 generater is updated to taus113, and test
cases are added.3) Support 64-bit rates in HTB and TBF schedulers, from Eric Dumazet
and Yang Yingliang.4) Add support for new 577xx tigon3 chips to tg3 driver, from Nithin
Sujir.5) Fix two fatal flaws in TCP dynamic right sizing, from Eric Dumazet,
Neal Cardwell, and Yuchung Cheng.6) Allow IP_TOS and IP_TTL to be specified in sendmsg() ancillary
control message data, much like other socket option attributes.
From Francesco Fusco.7) Allow applications to specify a cap on the rate computed
automatically by the kernel for pacing flows, via a new
SO_MAX_PACING_RATE socket option. From Eric Dumazet.8) Make the initial autotuned send buffer sizing in TCP more closely
reflect actual needs, from Eric Dumazet.9) Currently early socket demux only happens for TCP sockets, but we
can do it for connected UDP sockets too. Implementation from Shawn
Bohrer.10) Refactor inet socket demux with the goal of improving hash demux
performance for listening sockets. With the main goals being able
to use RCU lookups on even request sockets, and eliminating the
listening lock contention. From Eric Dumazet.11) The bonding layer has many demuxes in it's fast path, and an RCU
conversion was started back in 3.11, several changes here extend the
RCU usage to even more locations. From Ding Tianhong and Wang
Yufen, based upon suggestions by Nikolay Aleksandrov and Veaceslav
Falico.12) Allow stackability of segmentation offloads to, in particular, allow
segmentation offloading over tunnels. From Eric Dumazet.13) Significantly improve the handling of secret keys we input into the
various hash functions in the inet hashtables, TCP fast open, as
well as syncookies. From Hannes Frederic Sowa. The key fundamental
operation is "net_get_random_once()" which uses static keys.Hannes even extended this to ipv4/ipv6 fragmentation handling and
our generic flow dissector.14) The generic driver layer takes care now to set the driver data to
NULL on device removal, so it's no longer necessary for drivers to
explicitly set it to NULL any more. Many drivers have been cleaned
up in this way, from Jingoo Han.15) Add a BPF based packet scheduler classifier, from Daniel Borkmann.
16) Improve CRC32 interfaces and generic SKB checksum iterators so that
SCTP's checksumming can more cleanly be handled. Also from Daniel
Borkmann.17) Add a new PMTU discovery mode, IP_PMTUDISC_INTERFACE, which forces
using the interface MTU value. This helps avoid PMTU attacks,
particularly on DNS servers. From Hannes Frederic Sowa.18) Use generic XPS for transmit queue steering rather than internal
(re-)implementation in virtio-net. From Jason Wang.* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next: (1622 commits)
random32: add test cases for taus113 implementation
random32: upgrade taus88 generator to taus113 from errata paper
random32: move rnd_state to linux/random.h
random32: add prandom_reseed_late() and call when nonblocking pool becomes initialized
random32: add periodic reseeding
random32: fix off-by-one in seeding requirement
PHY: Add RTL8201CP phy_driver to realtek
xtsonic: add missing platform_set_drvdata() in xtsonic_probe()
macmace: add missing platform_set_drvdata() in mace_probe()
ethernet/arc/arc_emac: add missing platform_set_drvdata() in arc_emac_probe()
ipv6: protect for_each_sk_fl_rcu in mem_check with rcu_read_lock_bh
vlan: Implement vlan_dev_get_egress_qos_mask as an inline.
ixgbe: add warning when max_vfs is out of range.
igb: Update link modes display in ethtool
netfilter: push reasm skb through instead of original frag skbs
ip6_output: fragment outgoing reassembled skb properly
MAINTAINERS: mv643xx_eth: take over maintainership from Lennart
net_sched: tbf: support of 64bit rates
ixgbe: deleting dfwd stations out of order can cause null ptr deref
ixgbe: fix build err, num_rx_queues is only available with CONFIG_RPS
... -
Pull cgroup changes from Tejun Heo:
"Not too much activity this time around. css_id is finally killed and
a minor update to device_cgroup"* 'for-3.13' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup:
device_cgroup: remove can_attach
cgroup: kill css_id
memcg: stop using css id
memcg: fail to create cgroup if the cgroup id is too big
memcg: convert to use cgroup id
memcg: convert to use cgroup_is_descendant()
06 Nov, 2013
3 commits
-
If the UID is specified by userspace when calling the KEYCTL_GET_PERSISTENT
function and the process does not have the CAP_SETUID capability, then the
function will return -EPERM if the current process's uid, suid, euid and fsuid
all match the requested UID. This is incorrect.Fix it such that when a non-privileged caller requests a persistent keyring by
a specific UID they can only request their own (ie. the specified UID matches
either then process's UID or the process's EUID).This can be tested by logging in as the user and doing:
keyctl get_persistent @p
keyctl get_persistent @p `id -u`
keyctl get_persistent @p 0The first two should successfully print the same key ID. The third should do
the same if called by UID 0 or indicate Operation Not Permitted otherwise.Signed-off-by: David Howells
Acked-by: Stephen Gallagher -
Supress the stock memory allocation failure warnings for audit buffers
since audit alreay takes care of memory allocation failure warnings, including
rate-limiting, in audit_log_start().Signed-off-by: Richard Guy Briggs
Signed-off-by: Eric Paris -
We use the read check to get the feature set (like AUDIT_GET) and the
write check to set the features (like AUDIT_SET).Signed-off-by: Eric Paris
Signed-off-by: Richard Guy Briggs
Signed-off-by: Eric Paris
01 Nov, 2013
2 commits
-
Require all keys added to the IMA keyring be signed by an
existing trusted key on the system trusted keyring.Changelog:
- define stub integrity_init_keyring() function (reported-by Fengguang Wu)
- differentiate between regular and trusted keyring names.
- replace printk with pr_info (D. Kasatkin)Signed-off-by: Mimi Zohar
-
This patch defines a new template called 'ima-sig', which includes
the file signature in the template data, in addition to the file's
digest and pathname.A template is composed of a set of fields. Associated with each
field is an initialization and display function. This patch defines
a new template field called 'sig', the initialization function
ima_eventsig_init(), and the display function ima_show_template_sig().This patch modifies the .field_init() function definition to include
the 'security.ima' extended attribute and length.Changelog:
- remove unused code (Dmitry Kasatkin)
- avoid calling ima_write_template_field_data() unnecesarily (Roberto Sassu)
- rename DATA_FMT_SIG to DATA_FMT_HEX
- cleanup ima_eventsig_init() based on Roberto's commentsSigned-off-by: Mimi Zohar
Signed-off-by: Dmitry Kasatkin
Signed-off-by: Roberto Sassu
31 Oct, 2013
1 commit
-
…lls/linux-fs into ra-next
30 Oct, 2013
4 commits
-
Fix to return a negative error code from the error handling
case instead of 0, as done elsewhere in this function.Signed-off-by: Wei Yongjun
Signed-off-by: David Howells -
If a key is displaced from a keyring by a matching one, then four more bytes
of quota are allocated to the keyring - despite the fact that the keyring does
not change in size.Further, when a key is unlinked from a keyring, the four bytes of quota
allocated the link isn't recovered and returned to the user's pool.The first can be tested by repeating:
keyctl add big_key a fred @s
cat /proc/key-users(Don't put it in a shell loop otherwise the garbage collector won't have time
to clear the displaced keys, thus affecting the result).This was causing the kerberos keyring to run out of room fairly quickly.
The second can be tested by:
cat /proc/key-users
a=`keyctl add user a a @s`
cat /proc/key-users
keyctl unlink $a
sleep 1 # Give RCU a chance to delete the key
cat /proc/key-usersassuming no system activity that otherwise adds/removes keys, the amount of
key data allocated should go up (say 40/20000 -> 47/20000) and then return to
the original value at the end.Reported-by: Stephen Gallagher
Signed-off-by: David Howells -
key_reject_and_link() marking a key as negative and setting the error with
which it was negated races with keyring searches and other things that read
that error.The fix is to switch the order in which the assignments are done in
key_reject_and_link() and to use memory barriers.Kudos to Dave Wysochanski and Scott Mayhew
for tracking this down.This may be the cause of:
BUG: unable to handle kernel NULL pointer dereference at 0000000000000070
IP: [] wait_for_key_construction+0x31/0x80
PGD c6b2c3067 PUD c59879067 PMD 0
Oops: 0000 [#1] SMP
last sysfs file: /sys/devices/system/cpu/cpu3/cache/index2/shared_cpu_map
CPU 0
Modules linked in: ...Pid: 13359, comm: amqzxma0 Not tainted 2.6.32-358.20.1.el6.x86_64 #1 IBM System x3650 M3 -[7945PSJ]-/00J6159
RIP: 0010:[] wait_for_key_construction+0x31/0x80
RSP: 0018:ffff880c6ab33758 EFLAGS: 00010246
RAX: ffffffff81219080 RBX: 0000000000000000 RCX: 0000000000000002
RDX: ffffffff81219060 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff880c6ab33768 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffff880adfcbce40
R13: ffffffffa03afb84 R14: ffff880adfcbce40 R15: ffff880adfcbce43
FS: 00007f29b8042700(0000) GS:ffff880028200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000070 CR3: 0000000c613dc000 CR4: 00000000000007f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process amqzxma0 (pid: 13359, threadinfo ffff880c6ab32000, task ffff880c610deae0)
Stack:
ffff880adfcbce40 0000000000000000 ffff880c6ab337b8 ffffffff81219695
0000000000000000 ffff880a000000d0 ffff880c6ab337a8 000000000000000f
ffffffffa03afb93 000000000000000f ffff88186c7882c0 0000000000000014
Call Trace:
[] request_key+0x65/0xa0
[] nfs_idmap_request_key+0xc5/0x170 [nfs]
[] nfs_idmap_lookup_id+0x34/0x80 [nfs]
[] nfs_map_group_to_gid+0x75/0xa0 [nfs]
[] decode_getfattr_attrs+0xbdd/0xfb0 [nfs]
[] ? __dequeue_entity+0x30/0x50
[] ? __switch_to+0x26e/0x320
[] decode_getfattr+0x83/0xe0 [nfs]
[] ? nfs4_xdr_dec_getattr+0x0/0xa0 [nfs]
[] nfs4_xdr_dec_getattr+0x8f/0xa0 [nfs]
[] rpcauth_unwrap_resp+0x84/0xb0 [sunrpc]
[] ? nfs4_xdr_dec_getattr+0x0/0xa0 [nfs]
[] call_decode+0x1b3/0x800 [sunrpc]
[] ? wake_bit_function+0x0/0x50
[] ? call_decode+0x0/0x800 [sunrpc]
[] __rpc_execute+0x77/0x350 [sunrpc]
[] ? bit_waitqueue+0x17/0xd0
[] rpc_execute+0x61/0xa0 [sunrpc]
[] rpc_run_task+0x75/0x90 [sunrpc]
[] rpc_call_sync+0x42/0x70 [sunrpc]
[] _nfs4_call_sync+0x30/0x40 [nfs]
[] _nfs4_proc_getattr+0xac/0xc0 [nfs]
[] ? futex_wait+0x227/0x380
[] nfs4_proc_getattr+0x56/0x80 [nfs]
[] __nfs_revalidate_inode+0xe3/0x220 [nfs]
[] nfs_revalidate_mapping+0x4e/0x170 [nfs]
[] nfs_file_read+0x77/0x130 [nfs]
[] do_sync_read+0xfa/0x140
[] ? autoremove_wake_function+0x0/0x40
[] ? apic_timer_interrupt+0xe/0x20
[] ? common_interrupt+0xe/0x13
[] ? selinux_file_permission+0xfb/0x150
[] ? security_file_permission+0x16/0x20
[] vfs_read+0xb5/0x1a0
[] sys_read+0x51/0x90
[] ? __audit_syscall_exit+0x265/0x290
[] system_call_fastpath+0x16/0x1bSigned-off-by: David Howells
cc: Dave Wysochanski
cc: Scott Mayhew -
Having the big_keys functionality as a module is very marginally useful.
The userspace code that would use this functionality will get odd error
messages from the keys layer if the module isn't loaded. The code itself
is fairly small, so just have this as a boolean option and not a tristate.Signed-off-by: Josh Boyer
Signed-off-by: David Howells
