Eric Lee / smarc-fsl-linux-kernel

21 Oct, 2011

1 commit

13 Oct, 2011

2 commits

  • ce8a43219   Smack: Clean up comments ... Browse Code »

    There are a number of comments in the Smack code that
    are either malformed or include code. This patch cleans
    them up.

    Signed-off-by: Casey Schaufler

    Casey Schaufler
     
  • 272cd7a8c   Smack: Rule list lookup performance ... Browse Code »

    This patch is targeted for the smack-next tree.

    Smack access checks suffer from two significant performance
    issues. In cases where there are large numbers of rules the
    search of the single list of rules is wasteful. Comparing the
    string values of the smack labels is less efficient than a
    numeric comparison would.

    These changes take advantage of the Smack label list, which
    maintains the mapping of Smack labels to secids and optional
    CIPSO labels. Because the labels are kept perpetually, an
    access check can be done strictly based on the address of the
    label in the list without ever looking at the label itself.
    Rather than keeping one global list of rules the rules with
    a particular subject label can be based off of that label
    list entry. The access check need never look at entries that
    do not use the current subject label.

    This requires that packets coming off the network with
    CIPSO direct Smack labels that have never been seen before
    be treated carefully. The only case where they could be
    delivered is where the receiving socket has an IPIN star
    label, so that case is explicitly addressed.

    On a system with 39,800 rules (200 labels in all permutations)
    a system with this patch runs an access speed test in 5% of
    the time of the old version. That should be a best case
    improvement. If all of the rules are associated with the
    same subject label and all of the accesses are for processes
    with that label (unlikely) the improvement is about 30%.

    Signed-off-by: Casey Schaufler

    Casey Schaufler
     

26 Apr, 2011

2 commits

10 Feb, 2011

1 commit

18 Jan, 2011

1 commit

  • 7898e1f8e   Subject: [PATCH] Smack: mmap controls for library containment ... Browse Code »

    In the embedded world there are often situations
    where libraries are updated from a variety of sources,
    for a variety of reasons, and with any number of
    security characteristics. These differences
    might include privilege required for a given library
    provided interface to function properly, as occurs
    from time to time in graphics libraries. There are
    also cases where it is important to limit use of
    libraries based on the provider of the library and
    the security aware application may make choices
    based on that criteria.

    These issues are addressed by providing an additional
    Smack label that may optionally be assigned to an object,
    the SMACK64MMAP attribute. An mmap operation is allowed
    if there is no such attribute.

    If there is a SMACK64MMAP attribute the mmap is permitted
    only if a subject with that label has all of the access
    permitted a subject with the current task label.

    Security aware applications may from time to time
    wish to reduce their "privilege" to avoid accidental use
    of privilege. One case where this arises is the
    environment in which multiple sources provide libraries
    to perform the same functions. An application may know
    that it should eschew services made available from a
    particular vendor, or of a particular version.

    In support of this a secondary list of Smack rules has
    been added that is local to the task. This list is
    consulted only in the case where the global list has
    approved access. It can only further restrict access.
    Unlike the global last, if no entry is found on the
    local list access is granted. An application can add
    entries to its own list by writing to /smack/load-self.

    The changes appear large as they involve refactoring
    the list handling to accomodate there being more
    than one rule list.

    Signed-off-by: Casey Schaufler

    Casey Schaufler
     

08 Dec, 2010

1 commit

  • 5c6d1125f   Smack: Transmute labels on specified directories ... Browse Code »

    In a situation where Smack access rules allow processes
    with multiple labels to write to a directory it is easy
    to get into a situation where the directory gets cluttered
    with files that the owner can't deal with because while
    they could be written to the directory a process at the
    label of the directory can't write them. This is generally
    the desired behavior, but when it isn't it is a real
    issue.

    This patch introduces a new attribute SMACK64TRANSMUTE that
    instructs Smack to create the file with the label of the directory
    under certain circumstances.

    A new access mode, "t" for transmute, is made available to
    Smack access rules, which are expanded from "rwxa" to "rwxat".
    If a file is created in a directory marked as transmutable
    and if access was granted to perform the operation by a rule
    that included the transmute mode, then the file gets the
    Smack label of the directory instead of the Smack label of the
    creating process.

    Note that this is equivalent to creating an empty file at the
    label of the directory and then having the other process write
    to it. The transmute scheme requires that both the access rule
    allows transmutation and that the directory be explicitly marked.

    Signed-off-by: Jarkko Sakkinen
    Signed-off-by: Casey Schaufler

    Jarkko Sakkinen
     

02 Dec, 2010

1 commit

  • 676dac4b1   This patch adds a new security attribute to Smack called ... Browse Code »

    SMACK64EXEC. It defines label that is used while task is
    running.

    Exception: in smack_task_wait() child task is checked
    for write access to parent task using label inherited
    from the task that forked it.

    Fixed issues from previous submit:
    - SMACK64EXEC was not read when SMACK64 was not set.
    - inode security blob was not updated after setting
    SMACK64EXEC
    - inode security blob was not updated when removing
    SMACK64EXEC

    Casey Schaufler
     

02 Aug, 2010

1 commit

10 Jul, 2009

2 commits

14 Apr, 2009

1 commit

  • ecfcc53fe   smack: implement logging V3 ... Browse Code »

    the following patch, add logging of Smack security decisions.
    This is of course very useful to understand what your current smack policy does.
    As suggested by Casey, it also now forbids labels with ', " or \

    It introduces a '/smack/logging' switch :
    0: no logging
    1: log denied (default)
    2: log accepted
    3: log denied&accepted

    Signed-off-by: Etienne Basset
    Acked-by: Casey Schaufler
    Acked-by: Eric Paris
    Signed-off-by: James Morris

    Etienne Basset
     

28 Mar, 2009

2 commits

  • 4303154e8   smack: Add a new '-CIPSO' option to the network address label configuration ... Browse Code »

    This patch adds a new special option '-CIPSO' to the Smack subsystem. When used
    in the netlabel list, it means "use CIPSO networking". A use case is when your
    local network speaks CIPSO and you want also to connect to the unlabeled
    Internet. This patch also add some documentation describing that. The patch
    also corrects an oops when setting a '' SMACK64 xattr to a file.

    Signed-off-by: Etienne Basset
    Signed-off-by: Paul Moore
    Acked-by: Casey Schaufler
    Signed-off-by: James Morris

    Etienne Basset
     
  • 07feee8f8   netlabel: Cleanup the Smack/NetLabel code to fix incoming TCP connections ... Browse Code »

    This patch cleans up a lot of the Smack network access control code. The
    largest changes are to fix the labeling of incoming TCP connections in a
    manner similar to the recent SELinux changes which use the
    security_inet_conn_request() hook to label the request_sock and let the label
    move to the child socket via the normal network stack mechanisms. In addition
    to the incoming TCP connection fixes this patch also removes the smk_labled
    field from the socket_smack struct as the minor optimization advantage was
    outweighed by the difficulty in maintaining it's proper state.

    Signed-off-by: Paul Moore
    Acked-by: Casey Schaufler
    Signed-off-by: James Morris

    Paul Moore
     

26 Mar, 2009

1 commit

01 Jan, 2009

1 commit

  • 6d3dc07cb   smack: Add support for unlabeled network hosts and networks ... Browse Code »

    Add support for unlabeled network hosts and networks.
    Relies heavily on Paul Moore's netlabel support.

    Creates a new entry in /smack called netlabel. Writes to /smack/netlabel
    take the form:

    A.B.C.D LABEL
    or
    A.B.C.D/N LABEL

    where A.B.C.D is a network address, N is an integer between 0-32,
    and LABEL is the Smack label to be used. If /N is omitted /32 is
    assumed. N designates the netmask for the address. Entries are
    matched by the most specific address/mask pair. 0.0.0.0/0 will
    match everything, while 192.168.1.117/32 will match exactly one
    host.

    A new system label "@", pronounced "web", is defined. Processes
    can not be assigned the web label. An address assigned the web
    label can be written to by any process, and packets coming from
    a web address can be written to any socket. Use of the web label
    is a violation of any strict MAC policy, but the web label has
    been requested many times.

    The nltype entry has been removed from /smack. It did not work right
    and the netlabel interface can be used to specify that all hosts
    be treated as unlabeled.

    CIPSO labels on incoming packets will be honored, even from designated
    single label hosts. Single label hosts can only be written to by
    processes with labels that can write to the label of the host.
    Packets sent to single label hosts will always be unlabeled.

    Once added a single label designation cannot be removed, however
    the label may be changed.

    The behavior of the ambient label remains unchanged.

    Signed-off-by: Casey Schaufler
    Signed-off-by: Paul Moore

    Casey Schaufler
     

05 Aug, 2008

1 commit

  • 154462353   smack: limit privilege by label ... Browse Code »

    There have been a number of requests to make the Smack LSM
    enforce MAC even in the face of privilege, either capability
    based or superuser based. This is not universally desired,
    however, so it seems desirable to make it optional. Further,
    at least one legacy OS implemented a scheme whereby only
    processes running with one particular label could be exempt
    from MAC. This patch supports these three cases.

    If /smack/onlycap is empty (unset or null-string) privilege
    is enforced in the normal way.

    If /smack/onlycap contains a label only processes running with
    that label may be MAC exempt.

    If the label in /smack/onlycap is the star label ("*") the
    semantics of the star label combine with the privilege
    restrictions to prevent any violations of MAC, even in the
    presence of privilege.

    Again, this will be independent of the privilege scheme.

    Signed-off-by: Casey Schaufler
    Reviewed-by: James Morris

    Casey Schaufler
     

19 Apr, 2008

1 commit

  • 076c54c5b   Security: Introduce security= boot parameter ... Browse Code »

    Add the security= boot parameter. This is done to avoid LSM
    registration clashes in case of more than one bult-in module.

    User can choose a security module to enable at boot. If no
    security= boot parameter is specified, only the first LSM
    asking for registration will be loaded. An invalid security
    module name will be treated as if no module has been chosen.

    LSM modules must check now if they are allowed to register
    by calling security_module_enable(ops) first. Modify SELinux
    and SMACK to do so.

    Do not let SMACK register smackfs if it was not chosen on
    boot. Smackfs assumes that smack hooks are registered and
    the initial task security setup (swapper->security) is done.

    Signed-off-by: Ahmed S. Darwish
    Acked-by: James Morris

    Ahmed S. Darwish
     

14 Mar, 2008

1 commit

  • b500ce8d2   smackfs: do not trust `count' in inodes write()s ... Browse Code »

    Smackfs write() implementation does not put a higher bound on the number of
    bytes to copy from user-space. This may lead to a DOS attack if a malicious
    `count' field is given.

    Assure that given `count' is exactly the length needed for a /smack/load rule.
    In case of /smack/cipso where the length is relative, assure that `count'
    does not exceed the size needed for a buffer representing maximum possible
    number of CIPSO 2.2 categories.

    Signed-off-by: Ahmed S. Darwish
    Acked-by: Casey Schaufler
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Ahmed S. Darwish
     

06 Feb, 2008

1 commit

  • e114e4737   Smack: Simplified Mandatory Access Control Kernel ... Browse Code »

    Smack is the Simplified Mandatory Access Control Kernel.

    Smack implements mandatory access control (MAC) using labels
    attached to tasks and data containers, including files, SVIPC,
    and other tasks. Smack is a kernel based scheme that requires
    an absolute minimum of application support and a very small
    amount of configuration data.

    Smack uses extended attributes and
    provides a set of general mount options, borrowing technics used
    elsewhere. Smack uses netlabel for CIPSO labeling. Smack provides
    a pseudo-filesystem smackfs that is used for manipulation of
    system Smack attributes.

    The patch, patches for ls and sshd, a README, a startup script,
    and x86 binaries for ls and sshd are also available on

    http://www.schaufler-ca.com

    Development has been done using Fedora Core 7 in a virtual machine
    environment and on an old Sony laptop.

    Smack provides mandatory access controls based on the label attached
    to a task and the label attached to the object it is attempting to
    access. Smack labels are deliberately short (1-23 characters) text
    strings. Single character labels using special characters are reserved
    for system use. The only operation applied to Smack labels is equality
    comparison. No wildcards or expressions, regular or otherwise, are
    used. Smack labels are composed of printable characters and may not
    include "/".

    A file always gets the Smack label of the task that created it.

    Smack defines and uses these labels:

    "*" - pronounced "star"
    "_" - pronounced "floor"
    "^" - pronounced "hat"
    "?" - pronounced "huh"

    The access rules enforced by Smack are, in order:

    1. Any access requested by a task labeled "*" is denied.
    2. A read or execute access requested by a task labeled "^"
    is permitted.
    3. A read or execute access requested on an object labeled "_"
    is permitted.
    4. Any access requested on an object labeled "*" is permitted.
    5. Any access requested by a task on an object with the same
    label is permitted.
    6. Any access requested that is explicitly defined in the loaded
    rule set is permitted.
    7. Any other access is denied.

    Rules may be explicitly defined by writing subject,object,access
    triples to /smack/load.

    Smack rule sets can be easily defined that describe Bell&LaPadula
    sensitivity, Biba integrity, and a variety of interesting
    configurations. Smack rule sets can be modified on the fly to
    accommodate changes in the operating environment or even the time
    of day.

    Some practical use cases:

    Hierarchical levels. The less common of the two usual uses
    for MLS systems is to define hierarchical levels, often
    unclassified, confidential, secret, and so on. To set up smack
    to support this, these rules could be defined:

    C Unclass rx
    S C rx
    S Unclass rx
    TS S rx
    TS C rx
    TS Unclass rx

    A TS process can read S, C, and Unclass data, but cannot write it.
    An S process can read C and Unclass. Note that specifying that
    TS can read S and S can read C does not imply TS can read C, it
    has to be explicitly stated.

    Non-hierarchical categories. This is the more common of the
    usual uses for an MLS system. Since the default rule is that a
    subject cannot access an object with a different label no
    access rules are required to implement compartmentalization.

    A case that the Bell & LaPadula policy does not allow is demonstrated
    with this Smack access rule:

    A case that Bell&LaPadula does not allow that Smack does:

    ESPN ABC r
    ABC ESPN r

    On my portable video device I have two applications, one that
    shows ABC programming and the other ESPN programming. ESPN wants
    to show me sport stories that show up as news, and ABC will
    only provide minimal information about a sports story if ESPN
    is covering it. Each side can look at the other's info, neither
    can change the other. Neither can see what FOX is up to, which
    is just as well all things considered.

    Another case that I especially like:

    SatData Guard w
    Guard Publish w

    A program running with the Guard label opens a UDP socket and
    accepts messages sent by a program running with a SatData label.
    The Guard program inspects the message to ensure it is wholesome
    and if it is sends it to a program running with the Publish label.
    This program then puts the information passed in an appropriate
    place. Note that the Guard program cannot write to a Publish
    file system object because file system semanitic require read as
    well as write.

    The four cases (categories, levels, mutual read, guardbox) here
    are all quite real, and problems I've been asked to solve over
    the years. The first two are easy to do with traditonal MLS systems
    while the last two you can't without invoking privilege, at least
    for a while.

    Signed-off-by: Casey Schaufler
    Cc: Joshua Brindle
    Cc: Paul Moore
    Cc: Stephen Smalley
    Cc: Chris Wright
    Cc: James Morris
    Cc: "Ahmed S. Darwish"
    Cc: Andrew G. Morgan
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Casey Schaufler