07 Jan, 2012
1 commit
-
Signed-off-by: Al Viro
04 Jan, 2012
6 commits
-
Signed-off-by: Al Viro
-
Signed-off-by: Al Viro
-
Signed-off-by: Al Viro
-
Signed-off-by: Al Viro
-
vfs_create() ignores everything outside of 16bit subset of its
mode argument; switching it to umode_t is obviously equivalent
and it's the only caller of the method

Signed-off-by: Al Viro
-
vfs_mkdir() gets int, but immediately drops everything that might not
fit into umode_t and that's the only caller of ->mkdir()...

Signed-off-by: Al Viro
20 Jul, 2011
1 commit
-
pass that via mask instead.
Signed-off-by: Al Viro
23 Apr, 2011
1 commit
-
Right now all RCU walks fall back to reference walk when CONFIG_SECURITY
is enabled, even though just the standard capability module is active.
This is because security_inode_exec_permission unconditionally fails
RCU walks.

Move this decision to the low level security module. This requires
passing the RCU flags down the security hook. This way at least
the capability module and a few easy cases in selinux/smack work
with RCU walks with CONFIG_SECURITY=y

Signed-off-by: Andi Kleen
Acked-by: Eric Paris
Signed-off-by: Linus Torvalds
17 Mar, 2011
1 commit
-
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6: (1480 commits)
bonding: enable netpoll without checking link status
xfrm: Refcount destination entry on xfrm_lookup
net: introduce rx_handler results and logic around that
bonding: get rid of IFF_SLAVE_INACTIVE netdev->priv_flag
bonding: wrap slave state work
net: get rid of multiple bond-related netdevice->priv_flags
bonding: register slave pointer for rx_handler
be2net: Bump up the version number
be2net: Copyright notice change. Update to Emulex instead of ServerEngines
e1000e: fix kconfig for crc32 dependency
netfilter ebtables: fix xt_AUDIT to work with ebtables
xen network backend driver
bonding: Improve syslog message at device creation time
bonding: Call netif_carrier_off after register_netdevice
bonding: Incorrect TX queue offset
net_sched: fix ip_tos2prio
xfrm: fix __xfrm_route_forward()
be2net: Fix UDP packet detected status in RX compl
Phonet: fix aligned-mode pipe socket buffer header reserve
netxen: support for GbE port settings
...

Fix up conflicts in drivers/staging/brcm80211/brcmsmac/wl_mac80211.c
with the staging updates.
04 Mar, 2011
1 commit
-
The VFS mount code passes the mount options to the LSM. The LSM will remove
options it understands from the data and the VFS will then pass the remaining
options onto the underlying filesystem. This is how options like the
SELinux context= work. The problem comes in that -o remount never calls
into LSM code. So if you include an LSM specific option it will get passed
to the filesystem and will cause the remount to fail. An example of where
this is a problem is the 'seclabel' option. The SELinux LSM hook will
print this word in /proc/mounts if the filesystem is being labeled using
xattrs. If you pass this word on mount it will be silently stripped and
ignored. But if you pass this word on remount the LSM never gets called
and it will be passed to the FS. The FS doesn't know what seclabel means
and thus should fail the mount. For example an ext3 fs mounted over loop

# mount -o loop /tmp/fs /mnt/tmp
# cat /proc/mounts | grep /mnt/tmp
/dev/loop0 /mnt/tmp ext3 rw,seclabel,relatime,errors=continue,barrier=0,data=ordered 0 0
# mount -o remount /mnt/tmp
mount: /mnt/tmp not mounted already, or bad option
# dmesg
EXT3-fs (loop0): error: unrecognized mount option "seclabel" or missing value

This patch passes the remount mount options to a new LSM hook.
Signed-off-by: Eric Paris
Reviewed-by: James Morris
23 Feb, 2011
1 commit
-
Signed-off-by: David S. Miller
02 Feb, 2011
2 commits
-
The only user for this hook was selinux. sysctl routes every call
through /proc/sys/. Selinux and other security modules use the file
system checks for sysctl too, so no need for this hook any more.

Signed-off-by: Lucian Adrian Grijincu
Signed-off-by: Eric Paris
-
SELinux would like to implement a new labeling behavior of newly created
inodes. We currently label new inodes based on the parent and the creating
process. This new behavior would also take into account the name of the
new object when deciding the new label. This is not the (supposed) full path,
just the last component of the path.

This is very useful because creating /etc/shadow is different than creating
/etc/passwd but the kernel hooks are unable to differentiate these
operations. We currently require that userspace realize it is doing some
difficult operation like that and then userspace jumps through SELinux hoops
to get things set up correctly. This patch does not implement new
behavior, that is obviously contained in a separate SELinux patch, but it
does pass the needed name down to the correct LSM hook. If no such name
exists it is fine to pass NULL.

Signed-off-by: Eric Paris
06 Jan, 2011
1 commit
-
unix_release() can asynchronously set socket->sk to NULL, and
it does so without holding the unix_state_lock() on "other"
during stream connects.

However, the reverse mapping, sk->sk_socket, is only transitioned
to NULL under the unix_state_lock().

Therefore make the security hooks follow the reverse mapping instead
of the forward mapping.

Reported-by: Jeremy Fitzhardinge
Reported-by: Linus Torvalds
Signed-off-by: David S. Miller
16 Nov, 2010
1 commit
-
The addition of CONFIG_SECURITY_DMESG_RESTRICT resulted in a build
failure when CONFIG_PRINTK=n. This is because the capabilities code
which used the new option was built even though the variable in question
didn't exist.

The patch here fixes this by moving the capabilities checks out of the
LSM and into the caller. All (known) LSMs should have been calling the
capabilities hook already so it actually makes the code organization
better to eliminate the hook altogether.

Signed-off-by: Eric Paris
Acked-by: James Morris
Signed-off-by: Linus Torvalds
21 Oct, 2010
1 commit
-
Right now secmark has lots of direct selinux calls. Use all LSM calls and
remove all SELinux specific knowledge. The only SELinux specific knowledge
we leave is the mode. The only point is to make sure that other LSMs at
least test this generic code before they assume it works. (They may also
have to make changes if they do not represent labels as strings)

Signed-off-by: Eric Paris
Acked-by: Paul Moore
Acked-by: Patrick McHardy
Signed-off-by: James Morris
11 Aug, 2010
1 commit
-
* 'writable_limits' of git://decibel.fi.muni.cz/~xslaby/linux:
unistd: add __NR_prlimit64 syscall numbers
rlimits: implement prlimit64 syscall
rlimits: switch more rlimit syscalls to do_prlimit
rlimits: redo do_setrlimit to more generic do_prlimit
rlimits: add rlimit64 structure
rlimits: do security check under task_lock
rlimits: allow setrlimit to non-current tasks
rlimits: split sys_setrlimit
rlimits: selinux, do rlimits changes under task_lock
rlimits: make sure ->rlim_max never grows in sys_setrlimit
rlimits: add task_struct to update_rlimit_cpu
rlimits: security, add task_struct to setrlimit

Fix up various system call number conflicts. We not only added fanotify
system calls in the meantime, but asm-generic/unistd.h added a wait4
along with a range of reserved per-architecture system calls.
02 Aug, 2010
2 commits
-
This fixes a little code style issue, deleting a space between a function
name and an open parenthesis.

Signed-off-by: Chihau Chau
Acked-by: Andrew G. Morgan
Signed-off-by: James Morris
-
When commit be6d3e56a6b9b3a4ee44a0685e39e595073c6f0d "introduce new LSM hooks
where vfsmount is available." was proposed, regarding security_path_truncate(),
only "struct file *" argument (which AppArmor wanted to use) was removed.
But length and time_attrs arguments are not used by TOMOYO nor AppArmor.
Thus, let's remove these arguments.

Signed-off-by: Tetsuo Handa
Acked-by: Nick Piggin
Signed-off-by: James Morris
16 Jul, 2010
1 commit
-
Add task_struct to task_setrlimit of security_operations to be able to set
rlimit of task other than current.

Signed-off-by: Jiri Slaby
Acked-by: Eric Paris
Acked-by: James Morris
17 May, 2010
1 commit
-
register_security() became __init function.
So do verify() and security_fixup_ops().

Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris
12 Apr, 2010
13 commits
-
Unused hook. Remove.
Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
Unused hook. Remove.
Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
Unused hook. Remove.
Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
Unused hook. Remove.
Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
Unused hook. Remove.
Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
Unused hook. Remove.
Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
Unused hook. Remove.
Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
Unused hook. Remove.
Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
Unused hook. Remove.
Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
Unused hook. Remove.
Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
Unused hook. Remove.
Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
Unused hook. Remove.
Signed-off-by: Eric Paris
Signed-off-by: James Morris
-
Unused hook. Remove it.
Signed-off-by: Eric Paris
Signed-off-by: James Morris
24 Feb, 2010
1 commit
-
Enhance the security framework to support resetting the active security
module. This eliminates the need for direct use of the security_ops and
default_security_ops variables outside of security.c, so make security_ops
and default_security_ops static. Also remove the secondary_ops variable as
a cleanup since there is no use for that. secondary_ops was originally used by
SELinux to call the "secondary" security module (capability or dummy),
but that was replaced by direct calls to capability and the only
remaining use is to save and restore the original security ops pointer
value if SELinux is disabled by early userspace based on /etc/selinux/config.
Further, if we support this directly in the security framework, then we can
just use &default_security_ops for this purpose since that is now available.

Signed-off-by: Zhitong Wang
Acked-by: Stephen Smalley
Signed-off-by: James Morris
10 Nov, 2009
1 commit
-
For SELinux to do better filtering in userspace we send the name of the
module along with the AVC denial when a program is denied module_request.

Example output:
type=SYSCALL msg=audit(11/03/2009 10:59:43.510:9) : arch=x86_64 syscall=write success=yes exit=2 a0=3 a1=7fc28c0d56c0 a2=2 a3=7fffca0d7440 items=0 ppid=1727 pid=1729 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpc.nfsd exe=/usr/sbin/rpc.nfsd subj=system_u:system_r:nfsd_t:s0 key=(null)
type=AVC msg=audit(11/03/2009 10:59:43.510:9) : avc: denied { module_request } for pid=1729 comm=rpc.nfsd kmod="net-pf-10" scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system

Signed-off-by: Eric Paris
Signed-off-by: James Morris
12 Oct, 2009
2 commits
-
This patch allows pathname based LSM modules to check chroot() operations.
This hook is used by TOMOYO.
Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris
-
This patch allows pathname based LSM modules to check chmod()/chown()
operations. Since notify_change() does not receive "struct vfsmount *",
we add security_path_chmod() and security_path_chown() to the caller of
notify_change().

These hooks are used by TOMOYO.
Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris
10 Sep, 2009
1 commit
-
This patch introduces three new hooks. The inode_getsecctx hook is used to get
all relevant information from an LSM about an inode. The inode_setsecctx is
used to set both the in-core and on-disk state for the inode based on a context
derived from inode_getsecctx. The final hook inode_notifysecctx will notify the
LSM of a change for the in-core state of the inode in question. These hooks are
for use in the labeled NFS code and address concerns of how to set security
on an inode in a multi-xattr LSM. For historical reasons Stephen Smalley's
explanation of the reason for these hooks is pasted below.

Quote Stephen Smalley

inode_setsecctx: Change the security context of an inode. Updates the
in core security context managed by the security module and invokes the
fs code as needed (via __vfs_setxattr_noperm) to update any backing
xattrs that represent the context. Example usage: NFS server invokes
this hook to change the security context in its incore inode and on the
backing file system to a value provided by the client on a SETATTR
operation.

inode_notifysecctx: Notify the security module of what the security
context of an inode should be. Initializes the incore security context
managed by the security module for this inode. Example usage: NFS
client invokes this hook to initialize the security context in its
incore inode to the value provided by the server for the file when the
server returned the file's attributes to the client.

Signed-off-by: David P. Quigley
Acked-by: Serge Hallyn
Signed-off-by: James Morris