16 Nov, 2011

3 commits


29 Oct, 2011

1 commit

  • Commit 17fcfbd9 "TOMOYO: Add interactive enforcing mode." introduced ability
    to query access decision using userspace programs. It was using global PID for
    reaching policy configuration of the process. However, use of PID returns stale
    policy configuration when the process's subjective credentials and objective
    credentials differ. Fix this problem by allowing reaching policy configuration
    via query id.

    Signed-off-by: Tetsuo Handa
    Signed-off-by: James Morris

    Tetsuo Handa
     

23 Oct, 2011

2 commits

  • James Morris
     
  • Commit f23571e8 "TOMOYO: Copy directly to userspace buffer." introduced
    tomoyo_flush() that flushes data to be read as soon as possible.
    tomoyo_select_domain() (which is called by write()) enqueues data which meant
    to be read by next read(), but previous read()'s read buffer's size was not
    cleared. As a result, since 2.6.36, sequence like

    char *cp = "select global-pid=1\n";
    read(fd, buf1, sizeof(buf1));
    write(fd, cp, strlen(cp));
    read(fd, buf2, sizeof(buf2));

    causes enqueued data to be flushed to buf1 rather than buf2.
    Fix this bug by clearing read buffer's size upon write() request.

    Signed-off-by: Tetsuo Handa
    Signed-off-by: James Morris

    Tetsuo Handa
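A userspace model of the read()/write()/read() interaction described in the commit above, added here as an illustration; it is not TOMOYO's code. The structure names, the "# select ..." reply text and the buffer sizes are assumptions made for the model, and the flag fix_applied toggles between the pre-fix behaviour (stale read-buffer size kept across a write) and the fixed behaviour (size cleared on write).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed shape of the per-open-file state: a queue of pending output plus
 * the user buffer of the most recent read() and how much of it is still free. */
struct io_buffer {
    char *read_user_buf;        /* buffer handed in by the last read()        */
    size_t read_user_buf_avail; /* bytes of that buffer not yet filled        */
    char queue[128];            /* output enqueued by write() handlers        */
    size_t queued;
    int fix_applied;            /* 1: clear read_user_buf_avail on write()    */
};

/* Model of tomoyo_flush(): push queued bytes into whatever buffer is registered. */
static size_t model_flush(struct io_buffer *h)
{
    size_t n = h->queued < h->read_user_buf_avail ? h->queued : h->read_user_buf_avail;
    if (n == 0)
        return 0;
    memcpy(h->read_user_buf, h->queue, n);
    h->read_user_buf += n;
    h->read_user_buf_avail -= n;
    memmove(h->queue, h->queue + n, h->queued - n);
    h->queued -= n;
    return n;
}

/* read(): register the caller's buffer, then deliver whatever is pending. */
size_t model_read(struct io_buffer *h, char *buf, size_t len)
{
    h->read_user_buf = buf;
    h->read_user_buf_avail = len;
    return model_flush(h);
}

/* write(): a "select ..." command enqueues a reply meant for the *next* read()
 * and flushes immediately, as the commit describes. */
void model_write(struct io_buffer *h, const char *cmd)
{
    int n;
    if (h->fix_applied)
        h->read_user_buf_avail = 0;     /* the fix: forget the previous read() */
    n = snprintf(h->queue + h->queued, sizeof h->queue - h->queued, "# select %s", cmd);
    if (n > 0)
        h->queued += (size_t)n < sizeof h->queue - h->queued ? (size_t)n
                                                             : sizeof h->queue - h->queued - 1;
    model_flush(h);
}

/* Run the sequence from the commit message. Returns 1 if the reply ended up in
 * buf1 (the stale buffer), 2 if it ended up in buf2, 0 if in neither. */
int where_reply_landed(int fix_applied)
{
    struct io_buffer h = { .fix_applied = fix_applied };
    char buf1[64] = "", buf2[64] = "";
    const char *cp = "select global-pid=1\n";

    model_read(&h, buf1, sizeof buf1);   /* nothing queued yet, returns 0   */
    model_write(&h, cp);
    model_read(&h, buf2, sizeof buf2);

    if (buf1[0] != '\0')
        return 1;
    if (buf2[0] != '\0')
        return 2;
    return 0;
}

int main(void)
{
    printf("without fix: reply landed in buf%d\n", where_reply_landed(0));
    printf("with fix:    reply landed in buf%d\n", where_reply_landed(1));
    return 0;
}
```

Without the fix, the first read() leaves buf1 registered with its full size still available, so the write()'s flush copies the reply there; clearing the available size on write() makes the reply wait for the next read().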
     

21 Oct, 2011

1 commit


19 Oct, 2011

2 commits


14 Oct, 2011

1 commit

  • On some build configurations PER_CLEAR_ON_SETID symbol was not
    found when compiling smack_lsm.c. This patch fixes the issue by
    explicitly doing #include .

    Signed-off-by: Jarkko Sakkinen
    Signed-off-by: Casey Schaufler

    Jarkko Sakkinen
     

13 Oct, 2011

7 commits

  • Small fix for the output of access SmackFS file. Use string
    instead of byte. Makes it easier to extend API if it is
    needed.

    Signed-off-by: Jarkko Sakkinen

    Jarkko Sakkinen
     
  • Protections for domain transition:

    - BPRM unsafe flags
    - Secureexec
    - Clear unsafe personality bits.
    - Clear parent death signal

    Signed-off-by: Jarkko Sakkinen

    Jarkko Sakkinen
     
  • This patch is targeted for the smack-next tree.

    This patch takes advantage of the recent changes for performance
    and points the packet labels on UDS connect at the output label of
    the far side. This makes getsockopt(...SO_PEERCRED...) function
    properly. Without this change the getsockopt does not provide any
    information.

    Signed-off-by: Casey Schaufler

    Casey Schaufler
     
  • There are a number of comments in the Smack code that
    are either malformed or include code. This patch cleans
    them up.

    Signed-off-by: Casey Schaufler

    Casey Schaufler
     
  • Al Viro pointed out that the processing of fcntl done
    by Smack appeared poorly designed. He was right. There
    are three things that required change. Most obviously,
    the list of commands that really imply writing is limited
    to those involving file locking and signal handling.
    The initialization of the file security blob was
    incomplete, requiring use of a heretofore unused LSM hook.
    Finally, the audit information coming from a helper
    masked the identity of the LSM hook. This patch corrects
    all three of these defects.

    This is targeted for the smack-next tree pending comments.

    Signed-off-by: Casey Schaufler

    Casey Schaufler
     
  • This patch is targeted for the smack-next tree.

    Smack access checks suffer from two significant performance
    issues. In cases where there are large numbers of rules the
    search of the single list of rules is wasteful. Comparing the
    string values of the smack labels is less efficient than a
    numeric comparison would be.

    These changes take advantage of the Smack label list, which
    maintains the mapping of Smack labels to secids and optional
    CIPSO labels. Because the labels are kept perpetually, an
    access check can be done strictly based on the address of the
    label in the list without ever looking at the label itself.
    Rather than keeping one global list of rules the rules with
    a particular subject label can be based off of that label
    list entry. The access check need never look at entries that
    do not use the current subject label.

    This requires that packets coming off the network with
    CIPSO direct Smack labels that have never been seen before
    be treated carefully. The only case where they could be
    delivered is where the receiving socket has an IPIN star
    label, so that case is explicitly addressed.

    On a system with 39,800 rules (200 labels in all permutations)
    a system with this patch runs an access speed test in 5% of
    the time of the old version. That should be a best case
    improvement. If all of the rules are associated with the
    same subject label and all of the accesses are for processes
    with that label (unlikely) the improvement is about 30%.

    Signed-off-by: Casey Schaufler

    Casey Schaufler
     
  • Adds a new file into SmackFS called 'access'. Wanted
    Smack permission is written into /smack/access.
    After that result can be read from the opened file.
    If access applies result contains 1 and otherwise
    0. File access is protected from race conditions
    by using simple_transaction_get()/set() API.

    Fixes from the previous version:
    - Removed smack.h changes, refactoring left-over
    from previous version.
    - Removed #include , refactoring
    left-over from previous version.

    Signed-off-by: Jarkko Sakkinen
    Signed-off-by: Casey Schaufler

    Jarkko Sakkinen
     

12 Oct, 2011

2 commits


28 Sep, 2011

1 commit

  • Commit bd03a3e4 "TOMOYO: Add policy namespace support." introduced policy
    namespace. But as /sbin/modprobe is executed from initramfs/initrd, profiles
    for the target domain's namespace are not defined because /sbin/tomoyo-init is not
    yet called.

    Reported-by: Jamie Nguyen
    Signed-off-by: Tetsuo Handa
    Signed-off-by: James Morris

    Tetsuo Handa
     

27 Sep, 2011

1 commit


26 Sep, 2011

3 commits

  • tomoyo_policy_lock mutex already protects it.

    Signed-off-by: Tetsuo Handa
    Signed-off-by: James Morris

    Tetsuo Handa
     
  • When TOMOYO started using garbage collector at commit 847b173e "TOMOYO: Add
    garbage collector.", we waited for close() before kfree(). Thus, elements to be
    kfree()d were queued up using tomoyo_gc_list list.

    But it turned out that tomoyo_element_linked_by_gc() tends to choke garbage
    collector when certain pattern of entries are queued.

    Since garbage collector is no longer waiting for close() since commit 2e503bbb
    "TOMOYO: Fix lockdep warning.", we can remove tomoyo_gc_list list and
    tomoyo_element_linked_by_gc() by doing sequential processing.

    Signed-off-by: Tetsuo Handa
    Signed-off-by: James Morris

    Tetsuo Handa
     
  • Commit efe836ab "TOMOYO: Add built-in policy support." introduced
    tomoyo_load_builtin_policy() but was by error called from nowhere.

    Commit b22b8b9f "TOMOYO: Rename meminfo to stat and show more statistics."
    introduced tomoyo_update_stat() but was by error not called from
    tomoyo_assign_domain().

    Also, mark tomoyo_io_printf() and tomoyo_path_permission() static functions,
    as reported by "make namespacecheck".

    Signed-off-by: Tetsuo Handa
    Signed-off-by: James Morris

    Tetsuo Handa
     

21 Sep, 2011

4 commits

  • Now that hex2bin does error checking, on error add debugging error msg.

    Changelog v1 (update):
    - fixed definition of 'ret'
    - hex2bin now returns an int

    Signed-off-by: Mimi Zohar
    Acked-by: Andy Shevchenko

    Mimi Zohar
     
  • For each hex2bin call in encrypted keys, check that the ascii hex string
    is valid. On failure, return -EINVAL.

    Changelog v1:
    - hex2bin now returns an int

    Signed-off-by: Mimi Zohar
    Acked-by: Andy Shevchenko

    Mimi Zohar
     
  • For each hex2bin call in trusted keys, check that the ascii hex string is
    valid. On failure, return -EINVAL.

    Changelog v1:
    - hex2bin now returns an int

    Signed-off-by: Mimi Zohar
    Acked-by: Andy Shevchenko

    Mimi Zohar
     
  • hex2bin converts a hexadecimal string to its binary representation.
    The original version of hex2bin did not do any error checking. This
    patch adds error checking and returns the result.

    Changelog v1:
    - removed unpack_hex_byte()
    - changed return code from boolean to int

    Changelog:
    - use the new unpack_hex_byte()
    - add __must_check compiler option (Andy Shevchenko's suggestion)
    - change function API to return error checking result
    (based on Tetsuo Handa's initial patch)

    Signed-off-by: Mimi Zohar
    Acked-by: Andy Shevchenko

    Mimi Zohar
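The four commits above are one change: make hex2bin report invalid input, then have the trusted-keys and encrypted-keys callers turn that into -EINVAL. The following userspace version is added here as an illustration and is not the kernel's lib/hexdump.c; the -1 error return, the hex2bin_u32 helper and the parse_key_hex caller are assumptions made for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* hex_to_bin: value of one hex digit, or -1 if the character is not one. */
int hex_to_bin(char ch)
{
    if (ch >= '0' && ch <= '9')
        return ch - '0';
    ch |= 0x20;                          /* fold A-F onto a-f */
    if (ch >= 'a' && ch <= 'f')
        return ch - 'a' + 10;
    return -1;
}

/* hex2bin: decode 2*count hex characters into count bytes.
 * Returns 0 on success and -1 as soon as a non-hex character is seen, so a
 * short or corrupt string cannot silently produce a key. */
int hex2bin(uint8_t *dst, const char *src, size_t count)
{
    while (count--) {
        int hi = hex_to_bin(*src++);
        if (hi < 0)
            return -1;
        int lo = hex_to_bin(*src++);     /* only read after hi was valid */
        if (lo < 0)
            return -1;
        *dst++ = (uint8_t)((hi << 4) | lo);
    }
    return 0;
}

/* parse_key_hex: the caller pattern from the key-type fixes. A string of the
 * wrong length or with bad digits yields -EINVAL and the key is not used. */
int parse_key_hex(const char *hex, uint8_t *key, size_t keylen)
{
    if (strlen(hex) != 2 * keylen)
        return -EINVAL;
    if (hex2bin(key, hex, keylen) < 0)
        return -EINVAL;
    return 0;
}

/* hex2bin_u32: decode exactly eight hex characters as a big-endian 32-bit
 * value, or return -1; a small helper so results can be checked as one number. */
long long hex2bin_u32(const char *hex)
{
    uint8_t b[4];
    if (strlen(hex) != 8 || hex2bin(b, hex, 4) < 0)
        return -1;
    return ((long long)b[0] << 24) | ((long long)b[1] << 16) |
           ((long long)b[2] << 8) | b[3];
}
```

The length check in parse_key_hex matters as much as the digit check: without it a too-long string is accepted with its tail ignored, and a too-short one makes hex2bin read past the terminator.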
     

19 Sep, 2011

1 commit

  • I got an opinion that it is difficult to use exception policy's domain
    transition control directives because they need to match the pathname specified
    to "file execute" directives. For example, if "file execute /bin/\*\-ls\-cat"
    is given, corresponding domain transition control directive needs to be like
    "no_keep_domain /bin/\*\-ls\-cat from any".

    If we can specify like below, it will become more convenient.

    file execute /bin/ls keep exec.realpath="/bin/ls" exec.argv[0]="ls"
    file execute /bin/cat keep exec.realpath="/bin/cat" exec.argv[0]="cat"
    file execute /bin/\*\-ls\-cat child
    file execute /usr/sbin/httpd exec.realpath="/usr/sbin/httpd" exec.argv[0]="/usr/sbin/httpd"

    In above examples, "keep" works as if keep_domain is specified, "child" works
    as if "no_reset_domain" and "no_initialize_domain" and "no_keep_domain" are
    specified, "" causes domain transition to domain upon
    successful execve() operation.

    Moreover, we can also allow transition to different domains based on conditions
    like below example.

    /usr/sbin/sshd
    file execute /bin/bash /usr/sbin/sshd //batch-session exec.argc=2 exec.argv[1]="-c"
    file execute /bin/bash /usr/sbin/sshd //root-session task.uid=0
    file execute /bin/bash /usr/sbin/sshd //nonroot-session task.uid!=0

    Signed-off-by: Tetsuo Handa
    Signed-off-by: James Morris

    Tetsuo Handa
     

16 Sep, 2011

1 commit

  • Fixes this build error:

    security/keys/encrypted-keys/masterkey_trusted.c: In function 'request_trusted_key':
    security/keys/encrypted-keys/masterkey_trusted.c:35:2: error: implicit declaration of function 'IS_ERR'

    Signed-off-by: Stephen Rothwell
    Signed-off-by: Mimi Zohar

    Stephen Rothwell
     

15 Sep, 2011

10 commits

  • James Morris
     
  • Tell userland tools that this is TOMOYO 2.5.

    Signed-off-by: Tetsuo Handa
    Signed-off-by: James Morris

    Tetsuo Handa
     
  • When allocating from slab, initialization is done the first time in
    init_once() and subsequently on free. Because evm_status was not
    re-initialized on free, evm_verify_hmac() skipped verifications.

    This patch re-initializes evm_status.

    Signed-off-by: Dmitry Kasatkin
    Signed-off-by: Mimi Zohar

    Dmitry Kasatkin
     
  • Before permitting 'security.evm' to be updated, 'security.evm' must
    exist and be valid. In the case that there are no existing EVM protected
    xattrs, it is safe for posix acls to update the mode bits.

    To differentiate between no 'security.evm' xattr and no xattrs used to
    calculate 'security.evm', this patch defines INTEGRITY_NOXATTR.

    Signed-off-by: Mimi Zohar

    Mimi Zohar
     
  • The posix xattr acls are 'system' prefixed, which normally would not
    affect security.evm. An interesting side effect of writing posix xattr
    acls is their modifying of the i_mode, which is included in security.evm.

    This patch updates security.evm when posix xattr acls are written.

    Signed-off-by: Mimi Zohar

    Mimi Zohar
     
  • evm_protect_xattr unnecessarily validates the current security.evm
    integrity, before updating non-evm protected extended attributes
    and other file metadata. This patch limits validating the current
    security.evm integrity to evm protected metadata.

    Signed-off-by: Mimi Zohar

    Mimi Zohar
     
  • security_inode_init_security previously returned -EOPNOTSUPP, for S_PRIVATE
    inodes, and relied on the callers to change it to 0. As the callers do not
    change the return code anymore, return 0, instead of -EOPNOTSUPP.

    Signed-off-by: Mimi Zohar

    Mimi Zohar
     
  • All tristates selected by EVM(boolean) are forced to be builtin, except
    in the TCG_TPM(tristate) dependency case. Arnaud Lacombe summarizes the
    Kconfig bug as, "So it would seem direct dependency state influence the
    state of reverse dependencies.." For a detailed explanation, refer to
    Arnaud Lacombe's posting http://lkml.org/lkml/2011/8/23/498.

    With the "encrypted-keys: remove trusted-keys dependency" patch, EVM
    can now be built without a dependency on TCG_TPM. The trusted-keys
    dependency requires trusted-keys to either be builtin or not selected.
    This dependency will prevent the boolean/tristate mismatch from
    occurring.

    Reported-by: Stephen Rothwell, Randy Dunlap
    Signed-off-by: Mimi Zohar

    Mimi Zohar
     
  • Encrypted keys are decrypted/encrypted using either a trusted-key or,
    for those systems without a TPM, a user-defined key. This patch
    removes the trusted-keys and TCG_TPM dependencies.

    Signed-off-by: Mimi Zohar

    Mimi Zohar
     
  • Move all files associated with encrypted keys to keys/encrypted-keys.

    Signed-off-by: Mimi Zohar

    Mimi Zohar