Eric Lee / smarc-fsl-linux-kernel

26 Oct, 2020

1 commit

05 Oct, 2020

3 commits

  • 2039bda1f   LSM: Add "contents" flag to kernel_read_file hook ... Browse Code »

    As with the kernel_load_data LSM hook, add a "contents" flag to the
    kernel_read_file LSM hook that indicates whether the LSM can expect
    a matching call to the kernel_post_read_file LSM hook with the full
    contents of the file. With the coming addition of partial file read
    support for kernel_read_file*() API, the LSM will no longer be able
    to always see the entire contents of a file during the read calls.

    For cases where the LSM must read examine the complete file contents,
    it will need to do so on its own every time the kernel_read_file
    hook is called with contents=false (or reject such cases). Adjust all
    existing LSMs to retain existing behavior.

    Signed-off-by: Kees Cook
    Reviewed-by: Mimi Zohar
    Link: https://lore.kernel.org/r/20201002173828.2099543-12-keescook@chromium.org
    Signed-off-by: Greg Kroah-Hartman

    Kees Cook
     
  • b64fcae74   LSM: Introduce kernel_post_load_data() hook ... Browse Code »

    There are a few places in the kernel where LSMs would like to have
    visibility into the contents of a kernel buffer that has been loaded or
    read. While security_kernel_post_read_file() (which includes the
    buffer) exists as a pairing for security_kernel_read_file(), no such
    hook exists to pair with security_kernel_load_data().

    Earlier proposals for just using security_kernel_post_read_file() with a
    NULL file argument were rejected (i.e. "file" should always be valid for
    the security_..._file hooks, but it appears at least one case was
    left in the kernel during earlier refactoring. (This will be fixed in
    a subsequent patch.)

    Since not all cases of security_kernel_load_data() can have a single
    contiguous buffer made available to the LSM hook (e.g. kexec image
    segments are separately loaded), there needs to be a way for the LSM to
    reason about its expectations of the hook coverage. In order to handle
    this, add a "contents" argument to the "kernel_load_data" hook that
    indicates if the newly added "kernel_post_load_data" hook will be called
    with the full contents once loaded. That way, LSMs requiring full contents
    can choose to unilaterally reject "kernel_load_data" with contents=false
    (which is effectively the existing hook coverage), but when contents=true
    they can allow it and later evaluate the "kernel_post_load_data" hook
    once the buffer is loaded.

    With this change, LSMs can gain coverage over non-file-backed data loads
    (e.g. init_module(2) and firmware userspace helper), which will happen
    in subsequent patches.

    Additionally prepare IMA to start processing these cases.

    Signed-off-by: Kees Cook
    Reviewed-by: KP Singh
    Link: https://lore.kernel.org/r/20201002173828.2099543-9-keescook@chromium.org
    Signed-off-by: Greg Kroah-Hartman

    Kees Cook
     
  • b89999d00   fs/kernel_read_file: Split into separate include file ... Browse Code »

    Move kernel_read_file* out of linux/fs.h to its own linux/kernel_read_file.h
    include file. That header gets pulled in just about everywhere
    and doesn't really need functions not related to the general fs interface.

    Suggested-by: Christoph Hellwig
    Signed-off-by: Scott Branden
    Signed-off-by: Kees Cook
    Reviewed-by: Christoph Hellwig
    Reviewed-by: Mimi Zohar
    Reviewed-by: Luis Chamberlain
    Acked-by: Greg Kroah-Hartman
    Acked-by: James Morris
    Link: https://lore.kernel.org/r/20200706232309.12010-2-scott.branden@broadcom.com
    Link: https://lore.kernel.org/r/20201002173828.2099543-4-keescook@chromium.org
    Signed-off-by: Greg Kroah-Hartman

    Scott Branden
     

06 Jul, 2020

1 commit

25 Jun, 2020

1 commit

24 Jun, 2020

3 commits

15 Jun, 2020

2 commits

  • 4a87b197c   Merge tag 'LSM-add-setgid-hook-5.8-author-fix' of git://github.com/micah-morton/linux ... Browse Code »

    Pull SafeSetID update from Micah Morton:
    "Add additional LSM hooks for SafeSetID

    SafeSetID is capable of making allow/deny decisions for set*uid calls
    on a system, and we want to add similar functionality for set*gid
    calls.

    The work to do that is not yet complete, so probably won't make it in
    for v5.8, but we are looking to get this simple patch in for v5.8
    since we have it ready.

    We are planning on the rest of the work for extending the SafeSetID
    LSM being merged during the v5.9 merge window"

    * tag 'LSM-add-setgid-hook-5.8-author-fix' of git://github.com/micah-morton/linux:
    security: Add LSM hooks to set*gid syscalls

    Linus Torvalds
     
  • 39030e135   security: Add LSM hooks to set*gid syscalls ... Browse Code »

    The SafeSetID LSM uses the security_task_fix_setuid hook to filter
    set*uid() syscalls according to its configured security policy. In
    preparation for adding analagous support in the LSM for set*gid()
    syscalls, we add the requisite hook here. Tested by putting print
    statements in the security_task_fix_setgid hook and seeing them get hit
    during kernel boot.

    Signed-off-by: Thomas Cedeno
    Signed-off-by: Micah Morton

    Thomas Cedeno
     

14 Jun, 2020

1 commit

  • 6c3297841   Merge tag 'notifications-20200601' of git://git.kernel.org/pub/scm/linux/kernel/… ... Browse Code »

    …git/dhowells/linux-fs

    Pull notification queue from David Howells:
    "This adds a general notification queue concept and adds an event
    source for keys/keyrings, such as linking and unlinking keys and
    changing their attributes.

    Thanks to Debarshi Ray, we do have a pull request to use this to fix a
    problem with gnome-online-accounts - as mentioned last time:

    https://gitlab.gnome.org/GNOME/gnome-online-accounts/merge_requests/47

    Without this, g-o-a has to constantly poll a keyring-based kerberos
    cache to find out if kinit has changed anything.

    [ There are other notification pending: mount/sb fsinfo notifications
    for libmount that Karel Zak and Ian Kent have been working on, and
    Christian Brauner would like to use them in lxc, but let's see how
    this one works first ]

    LSM hooks are included:

    - A set of hooks are provided that allow an LSM to rule on whether or
    not a watch may be set. Each of these hooks takes a different
    "watched object" parameter, so they're not really shareable. The
    LSM should use current's credentials. [Wanted by SELinux & Smack]

    - A hook is provided to allow an LSM to rule on whether or not a
    particular message may be posted to a particular queue. This is
    given the credentials from the event generator (which may be the
    system) and the watch setter. [Wanted by Smack]

    I've provided SELinux and Smack with implementations of some of these
    hooks.

    WHY
    ===

    Key/keyring notifications are desirable because if you have your
    kerberos tickets in a file/directory, your Gnome desktop will monitor
    that using something like fanotify and tell you if your credentials
    cache changes.

    However, we also have the ability to cache your kerberos tickets in
    the session, user or persistent keyring so that it isn't left around
    on disk across a reboot or logout. Keyrings, however, cannot currently
    be monitored asynchronously, so the desktop has to poll for it - not
    so good on a laptop. This facility will allow the desktop to avoid the
    need to poll.

    DESIGN DECISIONS
    ================

    - The notification queue is built on top of a standard pipe. Messages
    are effectively spliced in. The pipe is opened with a special flag:

    pipe2(fds, O_NOTIFICATION_PIPE);

    The special flag has the same value as O_EXCL (which doesn't seem
    like it will ever be applicable in this context)[?]. It is given up
    front to make it a lot easier to prohibit splice&co from accessing
    the pipe.

    [?] Should this be done some other way? I'd rather not use up a new
    O_* flag if I can avoid it - should I add a pipe3() system call
    instead?

    The pipe is then configured::

    ioctl(fds[1], IOC_WATCH_QUEUE_SET_SIZE, queue_depth);
    ioctl(fds[1], IOC_WATCH_QUEUE_SET_FILTER, &filter);

    Messages are then read out of the pipe using read().

    - It should be possible to allow write() to insert data into the
    notification pipes too, but this is currently disabled as the
    kernel has to be able to insert messages into the pipe *without*
    holding pipe->mutex and the code to make this work needs careful
    auditing.

    - sendfile(), splice() and vmsplice() are disabled on notification
    pipes because of the pipe->mutex issue and also because they
    sometimes want to revert what they just did - but one or more
    notification messages might've been interleaved in the ring.

    - The kernel inserts messages with the wait queue spinlock held. This
    means that pipe_read() and pipe_write() have to take the spinlock
    to update the queue pointers.

    - Records in the buffer are binary, typed and have a length so that
    they can be of varying size.

    This allows multiple heterogeneous sources to share a common
    buffer; there are 16 million types available, of which I've used
    just a few, so there is scope for others to be used. Tags may be
    specified when a watchpoint is created to help distinguish the
    sources.

    - Records are filterable as types have up to 256 subtypes that can be
    individually filtered. Other filtration is also available.

    - Notification pipes don't interfere with each other; each may be
    bound to a different set of watches. Any particular notification
    will be copied to all the queues that are currently watching for it
    - and only those that are watching for it.

    - When recording a notification, the kernel will not sleep, but will
    rather mark a queue as having lost a message if there's
    insufficient space. read() will fabricate a loss notification
    message at an appropriate point later.

    - The notification pipe is created and then watchpoints are attached
    to it, using one of:

    keyctl_watch_key(KEY_SPEC_SESSION_KEYRING, fds[1], 0x01);
    watch_mount(AT_FDCWD, "/", 0, fd, 0x02);
    watch_sb(AT_FDCWD, "/mnt", 0, fd, 0x03);

    where in both cases, fd indicates the queue and the number after is
    a tag between 0 and 255.

    - Watches are removed if either the notification pipe is destroyed or
    the watched object is destroyed. In the latter case, a message will
    be generated indicating the enforced watch removal.

    Things I want to avoid:

    - Introducing features that make the core VFS dependent on the
    network stack or networking namespaces (ie. usage of netlink).

    - Dumping all this stuff into dmesg and having a daemon that sits
    there parsing the output and distributing it as this then puts the
    responsibility for security into userspace and makes handling
    namespaces tricky. Further, dmesg might not exist or might be
    inaccessible inside a container.

    - Letting users see events they shouldn't be able to see.

    TESTING AND MANPAGES
    ====================

    - The keyutils tree has a pipe-watch branch that has keyctl commands
    for making use of notifications. Proposed manual pages can also be
    found on this branch, though a couple of them really need to go to
    the main manpages repository instead.

    If the kernel supports the watching of keys, then running "make
    test" on that branch will cause the testing infrastructure to spawn
    a monitoring process on the side that monitors a notifications pipe
    for all the key/keyring changes induced by the tests and they'll
    all be checked off to make sure they happened.

    https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/keyutils.git/log/?h=pipe-watch

    - A test program is provided (samples/watch_queue/watch_test) that
    can be used to monitor for keyrings, mount and superblock events.
    Information on the notifications is simply logged to stdout"

    * tag 'notifications-20200601' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs:
    smack: Implement the watch_key and post_notification hooks
    selinux: Implement the watch_key security hook
    keys: Make the KEY_NEED_* perms an enum rather than a mask
    pipe: Add notification lossage handling
    pipe: Allow buffers to be marked read-whole-or-error for notifications
    Add sample notification program
    watch_queue: Add a key/keyring notification facility
    security: Add hooks to rule on setting a watch
    pipe: Add general notification queue support
    pipe: Add O_NOTIFICATION_PIPE
    security: Add a hook for the point of notification insertion
    uapi: General notification queue definitions

    Linus Torvalds
     

10 Jun, 2020

1 commit

  • 52435c86b   Merge tag 'ovl-update-5.8' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs ... Browse Code »

    Pull overlayfs updates from Miklos Szeredi:
    "Fixes:

    - Resolve mount option conflicts consistently

    - Sync before remount R/O

    - Fix file handle encoding corner cases

    - Fix metacopy related issues

    - Fix an unintialized return value

    - Add missing permission checks for underlying layers

    Optimizations:

    - Allow multipe whiteouts to share an inode

    - Optimize small writes by inheriting SB_NOSEC from upper layer

    - Do not call ->syncfs() multiple times for sync(2)

    - Do not cache negative lookups on upper layer

    - Make private internal mounts longterm"

    * tag 'ovl-update-5.8' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs: (27 commits)
    ovl: remove unnecessary lock check
    ovl: make oip->index bool
    ovl: only pass ->ki_flags to ovl_iocb_to_rwf()
    ovl: make private mounts longterm
    ovl: get rid of redundant members in struct ovl_fs
    ovl: add accessor for ofs->upper_mnt
    ovl: initialize error in ovl_copy_xattr
    ovl: drop negative dentry in upper layer
    ovl: check permission to open real file
    ovl: call secutiry hook in ovl_real_ioctl()
    ovl: verify permissions in ovl_path_open()
    ovl: switch to mounter creds in readdir
    ovl: pass correct flags for opening real directory
    ovl: fix redirect traversal on metacopy dentries
    ovl: initialize OVL_UPPERDATA in ovl_lookup()
    ovl: use only uppermetacopy state in ovl_lookup()
    ovl: simplify setting of origin for index lookup
    ovl: fix out of bounds access warning in ovl_check_fb_len()
    ovl: return required buffer size for file handles
    ovl: sync dirty data when remounting to ro mode
    ...

    Linus Torvalds
     

07 Jun, 2020

1 commit

  • 3c0ad98c2   Merge tag 'integrity-v5.8' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity ... Browse Code »

    Pull integrity updates from Mimi Zohar:
    "The main changes are extending the TPM 2.0 PCR banks with bank
    specific file hashes, calculating the "boot_aggregate" based on other
    TPM PCR banks, using the default IMA hash algorithm, instead of SHA1,
    as the basis for the cache hash table key, and preventing the mprotect
    syscall to circumvent an IMA mmap appraise policy rule.

    - In preparation for extending TPM 2.0 PCR banks with bank specific
    digests, commit 0b6cf6b97b7e ("tpm: pass an array of
    tpm_extend_digest structures to tpm_pcr_extend()") modified
    tpm_pcr_extend(). The original SHA1 file digests were
    padded/truncated, before being extended into the other TPM PCR
    banks. This pull request calculates and extends the TPM PCR banks
    with bank specific file hashes completing the above change.

    - The "boot_aggregate", the first IMA measurement list record, is the
    "trusted boot" link between the pre-boot environment and the
    running OS. With TPM 2.0, the "boot_aggregate" record is not
    limited to being based on the SHA1 TPM PCR bank, but can be
    calculated based on any enabled bank, assuming the hash algorithm
    is also enabled in the kernel.

    Other changes include the following and five other bug fixes/code
    clean up:

    - supporting both a SHA1 and a larger "boot_aggregate" digest in a
    custom template format containing both the the SHA1 ('d') and
    larger digests ('d-ng') fields.

    - Initial hash table key fix, but additional changes would be good"

    * tag 'integrity-v5.8' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
    ima: Directly free *entry in ima_alloc_init_template() if digests is NULL
    ima: Call ima_calc_boot_aggregate() in ima_eventdigest_init()
    ima: Directly assign the ima_default_policy pointer to ima_rules
    ima: verify mprotect change is consistent with mmap policy
    evm: Fix possible memory leak in evm_calc_hmac_or_hash()
    ima: Set again build_ima_appraise variable
    ima: Remove redundant policy rule set in add_rules()
    ima: Fix ima digest hash table key calculation
    ima: Use ima_hash_algo for collision detection in the measurement list
    ima: Calculate and extend PCR with digests in ima_template_entry
    ima: Allocate and initialize tfm for each PCR bank
    ima: Switch to dynamically allocated buffer for template digests
    ima: Store template digest directly in ima_template_entry
    ima: Evaluate error in init_ima()
    ima: Switch to ima_hash_algo for boot aggregate

    Linus Torvalds
     

05 Jun, 2020

1 commit

  • 15a2bc4db   Merge branch 'exec-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace ... Browse Code »

    Pull execve updates from Eric Biederman:
    "Last cycle for the Nth time I ran into bugs and quality of
    implementation issues related to exec that could not be easily be
    fixed because of the way exec is implemented. So I have been digging
    into exec and cleanup up what I can.

    I don't think I have exec sorted out enough to fix the issues I
    started with but I have made some headway this cycle with 4 sets of
    changes.

    - promised cleanups after introducing exec_update_mutex

    - trivial cleanups for exec

    - control flow simplifications

    - remove the recomputation of bprm->cred

    The net result is code that is a bit easier to understand and work
    with and a decrease in the number of lines of code (if you don't count
    the added tests)"

    * 'exec-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace: (24 commits)
    exec: Compute file based creds only once
    exec: Add a per bprm->file version of per_clear
    binfmt_elf_fdpic: fix execfd build regression
    selftests/exec: Add binfmt_script regression test
    exec: Remove recursion from search_binary_handler
    exec: Generic execfd support
    exec/binfmt_script: Don't modify bprm->buf and then return -ENOEXEC
    exec: Move the call of prepare_binprm into search_binary_handler
    exec: Allow load_misc_binary to call prepare_binprm unconditionally
    exec: Convert security_bprm_set_creds into security_bprm_repopulate_creds
    exec: Factor security_bprm_creds_for_exec out of security_bprm_set_creds
    exec: Teach prepare_exec_creds how exec treats uids & gids
    exec: Set the point of no return sooner
    exec: Move handling of the point of no return to the top level
    exec: Run sync_mm_rss before taking exec_update_mutex
    exec: Fix spelling of search_binary_handler in a comment
    exec: Move the comment from above de_thread to above unshare_sighand
    exec: Rename flush_old_exec begin_new_exec
    exec: Move most of setup_new_exec into flush_old_exec
    exec: In setup_new_exec cache current in the local variable me
    ...

    Linus Torvalds
     

03 Jun, 2020

1 commit

30 May, 2020

1 commit

  • 56305aa9b   exec: Compute file based creds only once ... Browse Code »

    Move the computation of creds from prepare_binfmt into begin_new_exec
    so that the creds need only be computed once. This is just code
    reorganization no semantic changes of any kind are made.

    Moving the computation is safe. I have looked through the kernel and
    verified none of the binfmts look at bprm->cred directly, and that
    there are no helpers that look at bprm->cred indirectly. Which means
    that it is not a problem to compute the bprm->cred later in the
    execution flow as it is not used until it becomes current->cred.

    A new function bprm_creds_from_file is added to contain the work that
    needs to be done. bprm_creds_from_file first computes which file
    bprm->executable or most likely bprm->file that the bprm->creds
    will be computed from.

    The funciton bprm_fill_uid is updated to receive the file instead of
    accessing bprm->file. The now unnecessary work needed to reset the
    bprm->cred->euid, and bprm->cred->egid is removed from brpm_fill_uid.
    A small comment to document that bprm_fill_uid now only deals with the
    work to handle suid and sgid files. The default case is already
    heandled by prepare_exec_creds.

    The function security_bprm_repopulate_creds is renamed
    security_bprm_creds_from_file and now is explicitly passed the file
    from which to compute the creds. The documentation of the
    bprm_creds_from_file security hook is updated to explain when the hook
    is called and what it needs to do. The file is passed from
    cap_bprm_creds_from_file into get_file_caps so that the caps are
    computed for the appropriate file. The now unnecessary work in
    cap_bprm_creds_from_file to reset the ambient capabilites has been
    removed. A small comment to document that the work of
    cap_bprm_creds_from_file is to read capabilities from the files
    secureity attribute and derive capabilities from the fact the
    user had uid 0 has been added.

    Reviewed-by: Kees Cook
    Signed-off-by: "Eric W. Biederman"

    Eric W. Biederman
     

29 May, 2020

1 commit

25 May, 2020

1 commit

23 May, 2020

1 commit

  • 8eb613c0b   ima: verify mprotect change is consistent with mmap policy ... Browse Code »

    Files can be mmap'ed read/write and later changed to execute to circumvent
    IMA's mmap appraise policy rules. Due to locking issues (mmap semaphore
    would be taken prior to i_mutex), files can not be measured or appraised at
    this point. Eliminate this integrity gap, by denying the mprotect
    PROT_EXECUTE change, if an mmap appraise policy rule exists.

    On mprotect change success, return 0. On failure, return -EACESS.

    Reviewed-by: Lakshmi Ramasubramanian
    Signed-off-by: Mimi Zohar

    Mimi Zohar
     

21 May, 2020

3 commits

  • 112b71475   exec: Convert security_bprm_set_creds into security_bprm_repopulate_creds ... Browse Code »

    Rename bprm->cap_elevated to bprm->active_secureexec and initialize it
    in prepare_binprm instead of in cap_bprm_set_creds. Initializing
    bprm->active_secureexec in prepare_binprm allows multiple
    implementations of security_bprm_repopulate_creds to play nicely with
    each other.

    Rename security_bprm_set_creds to security_bprm_reopulate_creds to
    emphasize that this path recomputes part of bprm->cred. This
    recomputation avoids the time of check vs time of use problems that
    are inherent in unix #! interpreters.

    In short two renames and a move in the location of initializing
    bprm->active_secureexec.

    Link: https://lkml.kernel.org/r/87o8qkzrxp.fsf_-_@x220.int.ebiederm.org
    Acked-by: Linus Torvalds
    Reviewed-by: Kees Cook
    Signed-off-by: "Eric W. Biederman"

    Eric W. Biederman
     
  • 0550cfe8c   security: Fix hook iteration for secid_to_secctx ... Browse Code »

    secid_to_secctx is not stackable, and since the BPF LSM registers this
    hook by default, the call_int_hook logic is not suitable which
    "bails-on-fail" and casues issues when other LSMs register this hook and
    eventually breaks Audit.

    In order to fix this, directly iterate over the security hooks instead
    of using call_int_hook as suggested in:

    https: //lore.kernel.org/bpf/9d0eb6c6-803a-ff3a-5603-9ad6d9edfc00@schaufler-ca.com/#t

    Fixes: 98e828a0650f ("security: Refactor declaration of LSM hooks")
    Fixes: 625236ba3832 ("security: Fix the default value of secid_to_secctx hook")
    Reported-by: Alexei Starovoitov
    Signed-off-by: KP Singh
    Signed-off-by: Alexei Starovoitov
    Acked-by: James Morris
    Link: https://lore.kernel.org/bpf/20200520125616.193765-1-kpsingh@chromium.org

    KP Singh
     
  • b8bff5992   exec: Factor security_bprm_creds_for_exec out of security_bprm_set_creds ... Browse Code »

    Today security_bprm_set_creds has several implementations:
    apparmor_bprm_set_creds, cap_bprm_set_creds, selinux_bprm_set_creds,
    smack_bprm_set_creds, and tomoyo_bprm_set_creds.

    Except for cap_bprm_set_creds they all test bprm->called_set_creds and
    return immediately if it is true. The function cap_bprm_set_creds
    ignores bprm->calld_sed_creds entirely.

    Create a new LSM hook security_bprm_creds_for_exec that is called just
    before prepare_binprm in __do_execve_file, resulting in a LSM hook
    that is called exactly once for the entire of exec. Modify the bits
    of security_bprm_set_creds that only want to be called once per exec
    into security_bprm_creds_for_exec, leaving only cap_bprm_set_creds
    behind.

    Remove bprm->called_set_creds all of it's former users have been moved
    to security_bprm_creds_for_exec.

    Add or upate comments a appropriate to bring them up to date and
    to reflect this change.

    Link: https://lkml.kernel.org/r/87v9kszrzh.fsf_-_@x220.int.ebiederm.org
    Acked-by: Linus Torvalds
    Acked-by: Casey Schaufler # For the LSM and Smack bits
    Reviewed-by: Kees Cook
    Signed-off-by: "Eric W. Biederman"

    Eric W. Biederman
     

19 May, 2020

3 commits

  • 8c0637e95   keys: Make the KEY_NEED_* perms an enum rather than a mask ... Browse Code »

    Since the meaning of combining the KEY_NEED_* constants is undefined, make
    it so that you can't do that by turning them into an enum.

    The enum is also given some extra values to represent special
    circumstances, such as:

    (1) The '0' value is reserved and causes a warning to trap the parameter
    being unset.

    (2) The key is to be unlinked and we require no permissions on it, only
    the keyring, (this replaces the KEY_LOOKUP_FOR_UNLINK flag).

    (3) An override due to CAP_SYS_ADMIN.

    (4) An override due to an instantiation token being present.

    (5) The permissions check is being deferred to later key_permission()
    calls.

    The extra values give the opportunity for LSMs to audit these situations.

    [Note: This really needs overhauling so that lookup_user_key() tells
    key_task_permission() and the LSM what operation is being done and leaves
    it to those functions to decide how to map that onto the available
    permits. However, I don't really want to make these change in the middle
    of the notifications patchset.]

    Signed-off-by: David Howells
    cc: Jarkko Sakkinen
    cc: Paul Moore
    cc: Stephen Smalley
    cc: Casey Schaufler
    cc: keyrings@vger.kernel.org
    cc: selinux@vger.kernel.org

    David Howells
     
  • 998f50407   security: Add hooks to rule on setting a watch ... Browse Code »

    Add security hooks that will allow an LSM to rule on whether or not a watch
    may be set. More than one hook is required as the watches watch different
    types of object.

    Signed-off-by: David Howells
    Acked-by: James Morris
    cc: Casey Schaufler
    cc: Stephen Smalley
    cc: linux-security-module@vger.kernel.org

    David Howells
     
  • 344fa64ef   security: Add a hook for the point of notification insertion ... Browse Code »

    Add a security hook that allows an LSM to rule on whether a notification
    message is allowed to be inserted into a particular watch queue.

    The hook is given the following information:

    (1) The credentials of the triggerer (which may be init_cred for a system
    notification, eg. a hardware error).

    (2) The credentials of the whoever set the watch.

    (3) The notification message.

    Signed-off-by: David Howells
    Acked-by: James Morris
    cc: Casey Schaufler
    cc: Stephen Smalley
    cc: linux-security-module@vger.kernel.org

    David Howells
     

30 Apr, 2020

1 commit

  • 43fd3e30c   ANDROID: sdcardfs: fix export symbol type ... Browse Code »

    In commit c0dbfed5ff9f ("ANDROID: sdcardfs: Enable modular sdcardfs") a
    new symbol was exported, but it should have been set as a _GPL symbol.

    Fix this up by properly changing the export type.

    Bug: 35142419
    Cc: Daniel Rosenberg
    Cc: Guenter Roeck
    Cc: Alistair Strachan
    Cc: Yongqin Liu
    Signed-off-by: Greg Kroah-Hartman
    Change-Id: Iab657f0c901496cf2eb59a5ee3087d76d7c14ea3

    Greg Kroah-Hartman
     

04 Apr, 2020

1 commit

30 Mar, 2020

1 commit

  • 98e828a06   security: Refactor declaration of LSM hooks ... Browse Code »

    The information about the different types of LSM hooks is scattered
    in two locations i.e. union security_list_options and
    struct security_hook_heads. Rather than duplicating this information
    even further for BPF_PROG_TYPE_LSM, define all the hooks with the
    LSM_HOOK macro in lsm_hook_defs.h which is then used to generate all
    the data structures required by the LSM framework.

    The LSM hooks are defined as:

    LSM_HOOK(, , , args...)

    with acccessible in security.c as:

    LSM_RET_DEFAULT()

    Signed-off-by: KP Singh
    Signed-off-by: Daniel Borkmann
    Reviewed-by: Brendan Jackman
    Reviewed-by: Florent Revest
    Reviewed-by: Kees Cook
    Reviewed-by: Casey Schaufler
    Acked-by: James Morris
    Link: https://lore.kernel.org/bpf/20200329004356.27286-3-kpsingh@chromium.org

    KP Singh
     

04 Feb, 2020

1 commit

03 Feb, 2020

1 commit

30 Jan, 2020

1 commit

29 Jan, 2020

1 commit

28 Jan, 2020

1 commit

10 Dec, 2019

1 commit

  • 59438b464   security,lockdown,selinux: implement SELinux lockdown ... Browse Code »

    Implement a SELinux hook for lockdown. If the lockdown module is also
    enabled, then a denial by the lockdown module will take precedence over
    SELinux, so SELinux can only further restrict lockdown decisions.
    The SELinux hook only distinguishes at the granularity of integrity
    versus confidentiality similar to the lockdown module, but includes the
    full lockdown reason as part of the audit record as a hint in diagnosing
    what triggered the denial. To support this auditing, move the
    lockdown_reasons[] string array from being private to the lockdown
    module to the security framework so that it can be used by the lsm audit
    code and so that it is always available even when the lockdown module
    is disabled.

    Note that the SELinux implementation allows the integrity and
    confidentiality reasons to be controlled independently from one another.
    Thus, in an SELinux policy, one could allow operations that specify
    an integrity reason while blocking operations that specify a
    confidentiality reason. The SELinux hook implementation is
    stricter than the lockdown module in validating the provided reason value.

    Sample AVC audit output from denials:
    avc: denied { integrity } for pid=3402 comm="fwupd"
    lockdown_reason="/dev/mem,kmem,port" scontext=system_u:system_r:fwupd_t:s0
    tcontext=system_u:system_r:fwupd_t:s0 tclass=lockdown permissive=0

    avc: denied { confidentiality } for pid=4628 comm="cp"
    lockdown_reason="/proc/kcore access"
    scontext=unconfined_u:unconfined_r:test_lockdown_integrity_t:s0-s0:c0.c1023
    tcontext=unconfined_u:unconfined_r:test_lockdown_integrity_t:s0-s0:c0.c1023
    tclass=lockdown permissive=0

    Signed-off-by: Stephen Smalley
    Reviewed-by: James Morris
    [PM: some merge fuzz do the the perf hooks]
    Signed-off-by: Paul Moore

    Stephen Smalley
     

09 Dec, 2019

1 commit

18 Oct, 2019

1 commit

  • da97e1845   perf_event: Add support for LSM and SELinux checks ... Browse Code »

    In current mainline, the degree of access to perf_event_open(2) system
    call depends on the perf_event_paranoid sysctl. This has a number of
    limitations:

    1. The sysctl is only a single value. Many types of accesses are controlled
    based on the single value thus making the control very limited and
    coarse grained.
    2. The sysctl is global, so if the sysctl is changed, then that means
    all processes get access to perf_event_open(2) opening the door to
    security issues.

    This patch adds LSM and SELinux access checking which will be used in
    Android to access perf_event_open(2) for the purposes of attaching BPF
    programs to tracepoints, perf profiling and other operations from
    userspace. These operations are intended for production systems.

    5 new LSM hooks are added:
    1. perf_event_open: This controls access during the perf_event_open(2)
    syscall itself. The hook is called from all the places that the
    perf_event_paranoid sysctl is checked to keep it consistent with the
    systctl. The hook gets passed a 'type' argument which controls CPU,
    kernel and tracepoint accesses (in this context, CPU, kernel and
    tracepoint have the same semantics as the perf_event_paranoid sysctl).
    Additionally, I added an 'open' type which is similar to
    perf_event_paranoid sysctl == 3 patch carried in Android and several other
    distros but was rejected in mainline [1] in 2016.

    2. perf_event_alloc: This allocates a new security object for the event
    which stores the current SID within the event. It will be useful when
    the perf event's FD is passed through IPC to another process which may
    try to read the FD. Appropriate security checks will limit access.

    3. perf_event_free: Called when the event is closed.

    4. perf_event_read: Called from the read(2) and mmap(2) syscalls for the event.

    5. perf_event_write: Called from the ioctl(2) syscalls for the event.

    [1] https://lwn.net/Articles/696240/

    Since Peter had suggest LSM hooks in 2016 [1], I am adding his
    Suggested-by tag below.

    To use this patch, we set the perf_event_paranoid sysctl to -1 and then
    apply selinux checking as appropriate (default deny everything, and then
    add policy rules to give access to domains that need it). In the future
    we can remove the perf_event_paranoid sysctl altogether.

    Suggested-by: Peter Zijlstra
    Co-developed-by: Peter Zijlstra
    Signed-off-by: Joel Fernandes (Google)
    Signed-off-by: Peter Zijlstra (Intel)
    Acked-by: James Morris
    Cc: Arnaldo Carvalho de Melo
    Cc: rostedt@goodmis.org
    Cc: Yonghong Song
    Cc: Kees Cook
    Cc: Ingo Molnar
    Cc: Alexei Starovoitov
    Cc: jeffv@google.com
    Cc: Jiri Olsa
    Cc: Daniel Borkmann
    Cc: primiano@google.com
    Cc: Song Liu
    Cc: rsavitski@google.com
    Cc: Namhyung Kim
    Cc: Matthew Garrett
    Link: https://lkml.kernel.org/r/20191014170308.70668-1-joel@joelfernandes.org

    Joel Fernandes (Google)
     

03 Oct, 2019

1 commit

02 Oct, 2019

1 commit

28 Sep, 2019

1 commit

  • aefcf2f4b   Merge branch 'next-lockdown' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security ... Browse Code »

    Pull kernel lockdown mode from James Morris:
    "This is the latest iteration of the kernel lockdown patchset, from
    Matthew Garrett, David Howells and others.

    From the original description:

    This patchset introduces an optional kernel lockdown feature,
    intended to strengthen the boundary between UID 0 and the kernel.
    When enabled, various pieces of kernel functionality are restricted.
    Applications that rely on low-level access to either hardware or the
    kernel may cease working as a result - therefore this should not be
    enabled without appropriate evaluation beforehand.

    The majority of mainstream distributions have been carrying variants
    of this patchset for many years now, so there's value in providing a
    doesn't meet every distribution requirement, but gets us much closer
    to not requiring external patches.

    There are two major changes since this was last proposed for mainline:

    - Separating lockdown from EFI secure boot. Background discussion is
    covered here: https://lwn.net/Articles/751061/

    - Implementation as an LSM, with a default stackable lockdown LSM
    module. This allows the lockdown feature to be policy-driven,
    rather than encoding an implicit policy within the mechanism.

    The new locked_down LSM hook is provided to allow LSMs to make a
    policy decision around whether kernel functionality that would allow
    tampering with or examining the runtime state of the kernel should be
    permitted.

    The included lockdown LSM provides an implementation with a simple
    policy intended for general purpose use. This policy provides a coarse
    level of granularity, controllable via the kernel command line:

    lockdown={integrity|confidentiality}

    Enable the kernel lockdown feature. If set to integrity, kernel features
    that allow userland to modify the running kernel are disabled. If set to
    confidentiality, kernel features that allow userland to extract
    confidential information from the kernel are also disabled.

    This may also be controlled via /sys/kernel/security/lockdown and
    overriden by kernel configuration.

    New or existing LSMs may implement finer-grained controls of the
    lockdown features. Refer to the lockdown_reason documentation in
    include/linux/security.h for details.

    The lockdown feature has had signficant design feedback and review
    across many subsystems. This code has been in linux-next for some
    weeks, with a few fixes applied along the way.

    Stephen Rothwell noted that commit 9d1f8be5cf42 ("bpf: Restrict bpf
    when kernel lockdown is in confidentiality mode") is missing a
    Signed-off-by from its author. Matthew responded that he is providing
    this under category (c) of the DCO"

    * 'next-lockdown' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (31 commits)
    kexec: Fix file verification on S390
    security: constify some arrays in lockdown LSM
    lockdown: Print current->comm in restriction messages
    efi: Restrict efivar_ssdt_load when the kernel is locked down
    tracefs: Restrict tracefs when the kernel is locked down
    debugfs: Restrict debugfs when the kernel is locked down
    kexec: Allow kexec_file() with appropriate IMA policy when locked down
    lockdown: Lock down perf when in confidentiality mode
    bpf: Restrict bpf when kernel lockdown is in confidentiality mode
    lockdown: Lock down tracing and perf kprobes when in confidentiality mode
    lockdown: Lock down /proc/kcore
    x86/mmiotrace: Lock down the testmmiotrace module
    lockdown: Lock down module params that specify hardware parameters (eg. ioport)
    lockdown: Lock down TIOCSSERIAL
    lockdown: Prohibit PCMCIA CIS storage when the kernel is locked down
    acpi: Disable ACPI table override if the kernel is locked down
    acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down
    ACPI: Limit access to custom_method when the kernel is locked down
    x86/msr: Restrict MSR access when the kernel is locked down
    x86: Lock down IO port access when the kernel is locked down
    ...

    Linus Torvalds