03 Apr, 2013

1 commit


20 Mar, 2013

5 commits

  • This patch fixes kernel Oops because of wrong common_audit_data type
    in smack_inode_unlink() and smack_inode_rmdir().

    When SMACK security module is enabled and SMACK logging is on (/smack/logging
    is not zero) and you try to delete the file which
    1) you cannot delete due to SMACK rules and logging of failures is on
    or
    2) you can delete and logging of success is on,

    you will see following:

    Unable to handle kernel NULL pointer dereference at virtual address 000002d7

    [] (strlen+0x0/0x28)
    [] (audit_log_untrustedstring+0x14/0x28)
    [] (common_lsm_audit+0x108/0x6ac)
    [] (smack_log+0xc4/0xe4)
    [] (smk_curacc+0x80/0x10c)
    [] (smack_inode_unlink+0x74/0x80)
    [] (security_inode_unlink+0x2c/0x30)
    [] (vfs_unlink+0x7c/0x100)
    [] (do_unlinkat+0x144/0x16c)

    The function smack_inode_unlink() (and smack_inode_rmdir()) needs
    to log two structures of different types. First of all it does:

        smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
        smk_ad_setfield_u_fs_path_dentry(&ad, dentry);

    This will set common audit data type to LSM_AUDIT_DATA_DENTRY
    and store dentry for auditing (by function smk_curacc(), which in turn calls
    dump_common_audit_data(), which actually uses the provided data and logs it).

        /*
         * You need write access to the thing you're unlinking
         */
        rc = smk_curacc(smk_of_inode(ip), MAY_WRITE, &ad);
        if (rc == 0) {
                /*
                 * You also need write access to the containing directory
                 */

    Then this function wants to log other data:

                smk_ad_setfield_u_fs_path_dentry(&ad, NULL);
                smk_ad_setfield_u_fs_inode(&ad, dir);

    The function sets inode field, but doesn't change common_audit_data type.

                rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad);
        }

    So the dump_common_audit() function incorrectly interprets inode structure
    as dentry, and Oops will happen.

    This patch reinitializes common_audit_data structures with correct type.
    Also I removed unneeded
    smk_ad_setfield_u_fs_path_dentry(&ad, NULL);
    initialization, because both dentry and inode pointers are stored
    in the same union.

    Signed-off-by: Igor Zhbanov
    Signed-off-by: Kyungmin Park

    Igor Zhbanov
     
  • Rule modifications are enabled via /smack/change-rule. Format is as follows:
    "Subject Object rwaxt rwaxt"

    First two strings are subject and object labels up to 255 characters.
    Third string contains permissions to enable.
    Fourth string contains permissions to disable.

    All unmentioned permissions will be left unchanged.
    If no rule previously existed, it will be created.

    Targeted for git://git.gitorious.org/smack-next/kernel.git

    Signed-off-by: Rafal Krypa

    Rafal Krypa
     
  • SMACK_MAGIC moved to a proper place for easy user space access
    (i.e. libsmack).

    Signed-off-by: Jarkko Sakkinen

    Jarkko Sakkinen
     
  • This fixes audit logs for granting or denial of permissions to show
    information about transmute bit.

    Targeted for git://git.gitorious.org/smack-next/kernel.git

    Signed-off-by: Rafal Krypa

    Rafal Krypa
     
  • Special file /smack/revoke-subject will silently accept labels that are not
    present on the subject label list. Nothing has to be done for such labels,
    as there are no rules for them to revoke.

    Targeted for git://git.gitorious.org/smack-next/kernel.git

    Signed-off-by: Rafal Krypa

    Rafal Krypa
     

23 Feb, 2013

1 commit


17 Dec, 2012

1 commit

  • Pull security subsystem updates from James Morris:
    "A quiet cycle for the security subsystem with just a few maintenance
    updates."

    * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
    Smack: create a sysfs mount point for smackfs
    Smack: use select not depends in Kconfig
    Yama: remove locking from delete path
    Yama: add RCU to drop read locking
    drivers/char/tpm: remove tasklet and cleanup
    KEYS: Use keyring_alloc() to create special keyrings
    KEYS: Reduce initial permissions on keys
    KEYS: Make the session and process keyrings per-thread
    seccomp: Make syscall skipping and nr changes more consistent
    key: Fix resource leak
    keys: Fix unreachable code
    KEYS: Add payload preparsing opportunity prior to key instantiate or update

    Linus Torvalds
     

15 Dec, 2012

2 commits

  • There are a number of "conventions" for where to put LSM filesystems.
    Smack adheres to none of them. Create a mount point at /sys/fs/smackfs
    for mounting smackfs so that Smack can be conventional.

    Targeted for git://git.gitorious.org/smack-next/kernel.git

    Signed-off-by: Casey Schaufler

    Casey Schaufler
     
  • The components NETLABEL and SECURITY_NETWORK are required by
    Smack. Using "depends" in Kconfig hides the Smack option
    if the user hasn't figured out that they need to be enabled
    while using make menuconfig. Using select is a better choice.
    Because select is not recursive, depends on NET and SECURITY
    are added. This reflects similar usage in TOMOYO and AppArmor.

    Targeted for git://git.gitorious.org/smack-next/kernel.git

    Signed-off-by: Casey Schaufler

    Casey Schaufler
     

12 Oct, 2012

1 commit


19 Sep, 2012

3 commits

  • The data structure allocations being done in prepare_creds
    are duplicated in smack_setprocattr. This results in the
    structure allocated in prepare_creds being orphaned and
    never freed. The duplicate code is removed from
    smack_setprocattr.

    Targeted for git://git.gitorious.org/smack-next/kernel.git

    Signed-off-by: Casey Schaufler

    Casey Schaufler
     
  • Add /smack/revoke-subject special file. Writing a SMACK label to this file will
    set the access to '-' for all access rules with that subject label.

    Targeted for git://git.gitorious.org/smack-next/kernel.git

    Signed-off-by: Rafal Krypa

    Rafal Krypa
     
  • On 12/20/2011 11:20 PM, Jarkko Sakkinen wrote:
    > Allow SIGCHLD to be passed to child process without
    > explicit policy. This will help to keep the access
    > control policy simple and easily maintainable with
    > complex applications that require use of multiple
    > security contexts. It will also help to keep them
    > as isolated as possible.
    >
    > Signed-off-by: Jarkko Sakkinen

    I have a slightly different version that applies to the
    current smack-next tree.

    Allow SIGCHLD to be passed to child process without
    explicit policy. This will help to keep the access
    control policy simple and easily maintainable with
    complex applications that require use of multiple
    security contexts. It will also help to keep them
    as isolated as possible.

    Signed-off-by: Casey Schaufler

    security/smack/smack_lsm.c | 37 ++++++++-----------------------------
    1 files changed, 8 insertions(+), 29 deletions(-)

    Casey Schaufler
     

30 Jul, 2012

1 commit

  • Consider the input case of a rule that consists entirely of non space
    symbols followed by a \0. Say 64 + \0

    In this case strlen(data) = 64
    kzalloc of subject and object are 64 byte objects
    sscanf(data, "%s %s %s", subject, ...)

    will put 65 bytes into subject.

    Signed-off-by: Alan Cox
    Acked-by: Casey Schaufler
    Cc: stable@vger.kernel.org
    Signed-off-by: James Morris

    Alan Cox
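
An added example, not code from any of the commits above: a bounded parser for the /smack/change-rule line format "Subject Object rwaxt rwaxt" described in the 20 Mar, 2013 entry, applying the enable/disable merge it specifies, with the explicit token-length check that the unbounded sscanf("%s") in Alan Cox's commit lacked. LABEL_MAX follows the 255-character long-label limit stated on this page; the bit values and helper names are my own assumptions.

```c
/* Added illustration, not Smack's own code: bounded parsing of a /smack/change-rule
 * line "Subject Object rwaxt rwaxt". LABEL_MAX is the 255-character limit on this page. */
#include <string.h>
#define LABEL_MAX 255

/* "rwaxt" in any case, "-" for none, to a bitmask r=1 w=2 x=4 a=8 t=16; -1 if bad. */
static int access_to_mask(const char *s)
{
    static const char chars[] = "rwxat-";           /* bit i <-> chars[i] */
    int mask = 0;
    for (; *s; s++) {
        const char *hit = strchr(chars, *s | 0x20); /* fold to lower case */
        if (!hit)
            return -1;
        mask |= (1 << (hit - chars)) & 0x1f;        /* '-' is bit 5, masked off */
    }
    return mask;
}

/* Copy the next whitespace-delimited token into dst[n]. The len < n test is what an
 * unbounded sscanf("%s") lacks: 64 chars into a 64-byte buffer still writes 65. */
static int next_token(const char **p, char *dst, size_t n)
{
    const char *s = *p + strspn(*p, " \t\n");
    size_t len = strcspn(s, " \t\n");
    if (len == 0 || len >= n)
        return -1;                                  /* absent or too long */
    memcpy(dst, s, len);
    dst[len] = '\0';
    *p = s + len;
    return 0;
}

/* Set the third field's bits in `current`, clear the fourth's, keep the rest. */
static int apply_change_rule(const char *line, int current)
{
    char subj[LABEL_MAX + 1], obj[LABEL_MAX + 1], en[6], dis[6];
    if (next_token(&line, subj, sizeof subj) || next_token(&line, obj, sizeof obj) ||
        next_token(&line, en, sizeof en) || next_token(&line, dis, sizeof dis))
        return -1;
    if (line[strspn(line, " \t\n")] != '\0')
        return -1;                                  /* trailing garbage */
    int enable = access_to_mask(en), disable = access_to_mask(dis);
    return (enable < 0 || disable < 0) ? -1 : ((current | enable) & ~disable);
}

/* Constructed input: an n-character subject (n <= LABEL_MAX + 1) then " Obj rw x". */
static int rule_with_label_len(size_t n, int current)
{
    char line[LABEL_MAX + 32];
    memset(line, 'S', n);
    strcpy(line + n, " Obj rw x");
    return apply_change_rule(line, current);
}
```

A 255-character subject is accepted and a 256-character one refused outright rather than truncated, since a truncated label would silently become a different rule.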
     

14 Jul, 2012

4 commits

  • This patch removes empty rules (i.e. with access set to '-') from the
    rule list presented to user space.

    Smack by design never removes labels nor rules from its lists. Access
    for a rule may be set to '-' to effectively disable it. Such rules would
    show up in the listing generated when /smack/load or /smack/load2 is
    read. This may cause clutter if many rules were disabled.

    As a rule with access set to '-' is equivalent to no rule at all, such
    rules may be safely hidden from the listing.

    Targeted for git://git.gitorious.org/smack-next/kernel.git

    Signed-off-by: Rafal Krypa
    Signed-off-by: Casey Schaufler

    Rafal Krypa
     
  • Some of the bounds checking used on the /smack/access
    interface was lost when support for long labels was
    added. No kernel access checks are affected, however
    this is a case where /smack/access could be used
    incorrectly and fail to detect the error. This patch
    reintroduces the original checks.

    Targeted for git://git.gitorious.org/smack-next/kernel.git

    Signed-off-by: Casey Schaufler

    Casey Schaufler
     
  • Smack is integrated with the POSIX capabilities scheme,
    using the capabilities CAP_MAC_OVERRIDE and CAP_MAC_ADMIN to
    determine if a process is allowed to ignore Smack checks or
    change Smack related data respectively. Smack provides an
    additional restriction that if an onlycap value is set
    by writing to /smack/onlycap only tasks with that Smack
    label are allowed to use CAP_MAC_OVERRIDE.

    This change adds CAP_MAC_ADMIN as a capability that is affected
    by the onlycap mechanism.

    Targeted for git://git.gitorious.org/smack-next/kernel.git

    Signed-off-by: Casey Schaufler

    Casey Schaufler
     
  • In January of 2012 Al Viro pointed out three bits of code that
    he titled "new_inode_smack bogosities". This patch repairs these
    errors.

    1. smack_sb_kern_mount() included a NULL check that is impossible.
    The check and NULL case are removed.
    2. smack_kb_kern_mount() included pointless locking. The locking is
    removed. Since this is the only place that lock was used the lock
    is removed from the superblock_smack structure.
    3. smk_fill_super() incorrectly and unnecessarily set the Smack label
    for the smackfs root inode. The assignment has been removed.

    Targeted for git://gitorious.org/smack-next/kernel.git

    Signed-off-by: Casey Schaufler

    Casey Schaufler
     

01 Jun, 2012

2 commits


22 May, 2012

1 commit


15 May, 2012

3 commits

  • V4 updated to current linux-security#next
    Targeted for git://gitorious.org/smack-next/kernel.git

    Modern application runtime environments like to use
    naming schemes that are structured and generated without
    human intervention. Even though the Smack limit of 23
    characters for a label name is perfectly rational for
    human use there have been complaints that the limit is
    a problem in environments where names are composed from
    a set of sources, including vendor, author, distribution
    channel and application name. Names like

    softwarehouse-pgwodehouse-coolappstore-mellowmuskrats

    are becoming harder to avoid. This patch introduces long
    label support in Smack. Labels are now limited to 255
    characters instead of the old 23.

    The primary reason for limiting the labels to 23 characters
    was so they could be directly contained in CIPSO category sets.
    This is still done where possible, but for labels that are too
    large a mapping is required. This is perfectly safe for communication
    that stays "on the box" and doesn't require much coordination
    between boxes beyond what would have been required to keep label
    names consistent.

    The bulk of this patch is in smackfs, adding and updating
    administrative interfaces. Because existing APIs can't be
    changed new ones that do much the same things as old ones
    have been introduced.

    The Smack specific CIPSO data representation has been removed
    and replaced with the data format used by netlabel. The CIPSO
    header is now computed when a label is imported rather than
    on use. This results in improved IP performance. The smack
    label is now allocated separately from the containing structure,
    allowing for larger strings.

    Four new /smack interfaces have been introduced as four
    of the old interfaces strictly required labels be specified
    in fixed length arrays.

    The access interface is supplemented with the check interface:
    access "Subject Object rwxat"
    access2 "Subject Object rwaxt"

    The load interface is supplemented with the rules interface:
    load "Subject Object rwxat"
    load2 "Subject Object rwaxt"

    The load-self interface is supplemented with the self-rules interface:
    load-self "Subject Object rwxat"
    load-self2 "Subject Object rwaxt"

    The cipso interface is supplemented with the wire interface:
    cipso "Subject lvl cnt c1 c2 ..."
    cipso2 "Subject lvl cnt c1 c2 ..."

    The old interfaces are maintained for compatibility.

    Signed-off-by: Casey Schaufler

    Casey Schaufler
     
  • Dave Chinner wrote:
    > Yes, because you have no idea what the calling context is except
    > for the fact that is from somewhere inside filesystem code and the
    > filesystem could be holding locks. Therefore, GFP_NOFS is really the
    > only really safe way to allocate memory here.

    I see. Thank you.

    I'm not sure, but can call trace happen where somewhere inside network
    filesystem or stackable filesystem code with locks held invokes operations that
    involves GFP_KERNEL memory allocation outside that filesystem?
    ----------
    [PATCH] SMACK: Fix incorrect GFP_KERNEL usage.

    new_inode_smack() which can be called from smack_inode_alloc_security() needs
    to use GFP_NOFS like SELinux's inode_alloc_security() does, for
    security_inode_alloc() is called from inode_init_always() and
    inode_init_always() is called from xfs_inode_alloc() which is using GFP_NOFS.

    smack_inode_init_security() needs to use GFP_NOFS like
    selinux_inode_init_security() does, for initxattrs() callback function (e.g.
    btrfs_initxattrs()) which is called from security_inode_init_security() is
    using GFP_NOFS.

    smack_audit_rule_match() needs to use GFP_ATOMIC, for
    security_audit_rule_match() can be called from audit_filter_user_rules() and
    audit_filter_user_rules() is called from audit_filter_user() with RCU read lock
    held.

    Signed-off-by: Tetsuo Handa
    Signed-off-by: Casey Schaufler

    Tetsuo Handa
     
  • The transmuting directory feature of Smack requires that
    the transmuting attribute be explicitly set in all cases.
    It seems the users of this facility would expect that the
    transmuting attribute be inherited by subdirectories that
    are created in a transmuting directory. This does not seem
    to add any additional complexity to the understanding of
    how the system works.

    Signed-off-by: Casey Schaufler

    Casey Schaufler
     

18 Apr, 2012

1 commit

  • A kernel with Smack enabled will fail if tmpfs has xattr support.

    Move the initialization of predefined Smack label
    list entries to the LSM initialization from the
    smackfs setup. This became an issue when tmpfs
    acquired xattr support, but was never correct.

    Signed-off-by: Casey Schaufler
    Signed-off-by: James Morris

    Casey Schaufler
     

11 Apr, 2012

1 commit

  • This fixes builds where CONFIG_AUDIT is not defined and
    CONFIG_SECURITY_SMACK=y.

    This got introduced by the stack-usage reduction commit 48c62af68a40
    ("LSM: shrink the common_audit_data data union").

    Signed-off-by: Kees Cook
    Acked-by: Eric Paris
    Signed-off-by: Linus Torvalds

    Kees Cook
     

10 Apr, 2012

2 commits


04 Apr, 2012

3 commits

  • It just bloats the audit data structure for no good reason, since the
    only time those fields are filled is just before calling the
    common_lsm_audit() function, which is also the only user of those
    fields.

    So just make them be the arguments to common_lsm_audit(), rather than
    bloating that structure that is passed around everywhere, and is
    initialized in hot paths.

    Signed-off-by: Linus Torvalds

    Linus Torvalds
     
  • After shrinking the common_audit_data stack usage for private LSM data I'm
    not going to shrink the data union. To do this I'm going to move anything
    larger than 2 void * ptrs to its own structure and require it to be declared
    separately on the calling stack. Thus hot paths which don't need more than
    a couple of pointers don't have to declare space to hold large unneeded
    structures. I could get this down to one void * by dealing with the key
    struct and the struct path. We'll see if that is helpful after taking care of
    networking.

    Signed-off-by: Eric Paris
    Signed-off-by: Linus Torvalds

    Eric Paris
     
  • Linus found that the gigantic size of the common audit data caused a big
    perf hit on something as simple as running stat() in a loop. This patch
    requires LSMs to declare the LSM specific portion separately rather than
    doing it in a union. Thus each LSM can be responsible for shrinking their
    portion and don't have to pay a penalty just because other LSMs have a
    bigger space requirement.

    Signed-off-by: Eric Paris
    Signed-off-by: Linus Torvalds

    Eric Paris
     

14 Feb, 2012

1 commit


07 Jan, 2012

1 commit


12 Nov, 2011

1 commit

  • Commit 272cd7a8c67dd40a31ecff76a503bbb84707f757 introduced
    a change to the way rule lists are handled and reported in
    the smackfs filesystem. One of the issues addressed had to
    do with the termination of read requests on /smack/load.
    This change introduced a error in /smack/cipso, which shares
    some of the same list processing code.

    This patch updates all the file access list handling in
    smackfs to use the code introduced for /smack/load.

    Signed-off-by: Casey Schaufler

    Casey Schaufler
     

21 Oct, 2011

1 commit


19 Oct, 2011

1 commit


14 Oct, 2011

1 commit

  • On some build configurations PER_CLEAR_ON_SETID symbol was not
    found when compiling smack_lsm.c. This patch fixes the issue by
    explicitly doing #include .

    Signed-off-by: Jarkko Sakkinen
    Signed-off-by: Casey Schaufler

    Jarkko Sakkinen
     

13 Oct, 2011

2 commits