Eric Lee / smarc-fsl-linux-kernel

15 Jan, 2012

1 commit

  • c49c41a41   Merge branch 'for-linus' of git://selinuxproject.org/~jmorris/linux-security ... Browse Code »

    * 'for-linus' of git://selinuxproject.org/~jmorris/linux-security:
    capabilities: remove __cap_full_set definition
    security: remove the security_netlink_recv hook as it is equivalent to capable()
    ptrace: do not audit capability check when outputing /proc/pid/stat
    capabilities: remove task_ns_* functions
    capabitlies: ns_capable can use the cap helpers rather than lsm call
    capabilities: style only - move capable below ns_capable
    capabilites: introduce new has_ns_capabilities_noaudit
    capabilities: call has_ns_capability from has_capability
    capabilities: remove all _real_ interfaces
    capabilities: introduce security_capable_noaudit
    capabilities: reverse arguments to security_capable
    capabilities: remove the task from capable LSM hook entirely
    selinux: sparse fix: fix several warnings in the security server cod
    selinux: sparse fix: fix warnings in netlink code
    selinux: sparse fix: eliminate warnings for selinuxfs
    selinux: sparse fix: declare selinux_disable() in security.h
    selinux: sparse fix: move selinux_complete_init
    selinux: sparse fix: make selinux_secmark_refcount static
    SELinux: Fix RCU deref check warning in sel_netport_insert()

    Manually fix up a semantic mis-merge wrt security_netlink_recv():

    - the interface was removed in commit fd7784615248 ("security: remove
    the security_netlink_recv hook as it is equivalent to capable()")

    - a new user of it appeared in commit a38f7907b926 ("crypto: Add
    userspace configuration API")

    causing no automatic merge conflict, but Eric Paris pointed out the
    issue.

    Linus Torvalds
     

13 Jan, 2012

1 commit

11 Jan, 2012

1 commit

  • e7691a1ce   Merge branch 'for-linus' of git://selinuxproject.org/~jmorris/linux-security ... Browse Code »

    * 'for-linus' of git://selinuxproject.org/~jmorris/linux-security: (32 commits)
    ima: fix invalid memory reference
    ima: free duplicate measurement memory
    security: update security_file_mmap() docs
    selinux: Casting (void *) value returned by kmalloc is useless
    apparmor: fix module parameter handling
    Security: tomoyo: add .gitignore file
    tomoyo: add missing rcu_dereference()
    apparmor: add missing rcu_dereference()
    evm: prevent racing during tfm allocation
    evm: key must be set once during initialization
    mpi/mpi-mpow: NULL dereference on allocation failure
    digsig: build dependency fix
    KEYS: Give key types their own lockdep class for key->sem
    TPM: fix transmit_cmd error logic
    TPM: NSC and TIS drivers X86 dependency fix
    TPM: Export wait_for_stat for other vendor specific drivers
    TPM: Use vendor specific function for status probe
    tpm_tis: add delay after aborting command
    tpm_tis: Check return code from getting timeouts/durations
    tpm: Introduce function to poll for result of self test
    ...

    Fix up trivial conflict in lib/Makefile due to addition of CONFIG_MPI
    and SIGSIG next to CONFIG_DQL addition.

    Linus Torvalds
     

07 Jan, 2012

1 commit

06 Jan, 2012

1 commit

  • 6a9de4911   capabilities: remove the task from capable LSM hook entirely ... Browse Code »

    The capabilities framework is based around credentials, not necessarily the
    current task. Yet we still passed the current task down into LSMs from the
    security_capable() LSM hook as if it was a meaningful portion of the security
    decision. This patch removes the 'generic' passing of current and instead
    forces individual LSMs to use current explicitly if they think it is
    appropriate. In our case those LSMs are SELinux and AppArmor.

    I believe the AppArmor use of current is incorrect, but that is wholely
    unrelated to this patch. This patch does not change what AppArmor does, it
    just makes it clear in the AppArmor code that it is doing it.

    The SELinux code still uses current in it's audit message, which may also be
    wrong and needs further investigation. Again this is NOT a change, it may
    have always been wrong, this patch just makes it clear what is happening.

    Signed-off-by: Eric Paris

    Eric Paris
     

04 Jan, 2012

3 commits

16 Dec, 2011

1 commit

  • b8aa09fd8   apparmor: fix module parameter handling ... Browse Code »

    The 'aabool' wrappers actually pass off to the 'bool' parse functions,
    so you should use the same check function. Similarly for aauint and
    uint.

    (Note that 'bool' module parameters also allow 'int', which is why you
    got away with this, but that's changing very soon.)

    Cc: linux-security-module@vger.kernel.org
    Signed-off-by: Rusty Russell
    Acked-by: John Johansen
    Signed-off-by: James Morris

    Rusty Russell
     

29 Jun, 2011

1 commit

  • 25e75dff5   AppArmor: Fix masking of capabilities in complain mode ... Browse Code »
    1

    AppArmor is masking the capabilities returned by capget against the
    capabilities mask in the profile. This is wrong, in complain mode the
    profile has effectively all capabilities, as the profile restrictions are
    not being enforced, merely tested against to determine if an access is
    known by the profile.

    This can result in the wrong behavior of security conscience applications
    like sshd which examine their capability set, and change their behavior
    accordingly. In this case because of the masked capability set being
    returned sshd fails due to DAC checks, even when the profile is in complain
    mode.

    Kernels affected: 2.6.36 - 3.0.

    Signed-off-by: John Johansen

    John Johansen
     

09 Jun, 2011

1 commit

  • 1780f2d38   AppArmor: Fix sleep in invalid context from task_setrlimit ... Browse Code »

    Affected kernels 2.6.36 - 3.0

    AppArmor may do a GFP_KERNEL memory allocation with task_lock(tsk->group_leader);
    held when called from security_task_setrlimit. This will only occur when the
    task's current policy has been replaced, and the task's creds have not been
    updated before entering the LSM security_task_setrlimit() hook.

    BUG: sleeping function called from invalid context at mm/slub.c:847
    in_atomic(): 1, irqs_disabled(): 0, pid: 1583, name: cupsd
    2 locks held by cupsd/1583:
    #0: (tasklist_lock){.+.+.+}, at: [] do_prlimit+0x61/0x189
    #1: (&(&p->alloc_lock)->rlock){+.+.+.}, at: []
    do_prlimit+0x94/0x189
    Pid: 1583, comm: cupsd Not tainted 3.0.0-rc2-git1 #7
    Call Trace:
    [] __might_sleep+0x10d/0x112
    [] slab_pre_alloc_hook.isra.49+0x2d/0x33
    [] kmem_cache_alloc+0x22/0x132
    [] prepare_creds+0x35/0xe4
    [] aa_replace_current_profile+0x35/0xb2
    [] aa_current_profile+0x45/0x4c
    [] apparmor_task_setrlimit+0x19/0x3a
    [] security_task_setrlimit+0x11/0x13
    [] do_prlimit+0xd2/0x189
    [] sys_setrlimit+0x3b/0x48
    [] system_call_fastpath+0x16/0x1b

    Signed-off-by: John Johansen
    Reported-by: Miles Lane
    Cc: stable@kernel.org
    Signed-off-by: James Morris

    John Johansen
     

01 Jun, 2011

1 commit

  • a5b2c5b2a   AppArmor: fix oops in apparmor_setprocattr ... Browse Code »

    When invalid parameters are passed to apparmor_setprocattr a NULL deref
    oops occurs when it tries to record an audit message. This is because
    it is passing NULL for the profile parameter for aa_audit. But aa_audit
    now requires that the profile passed is not NULL.

    Fix this by passing the current profile on the task that is trying to
    setprocattr.

    Signed-off-by: Kees Cook
    Signed-off-by: John Johansen
    Cc: stable@kernel.org
    Signed-off-by: James Morris

    Kees Cook
     

24 Mar, 2011

1 commit

  • 3486740a4   userns: security: make capabilities relative to the user namespace ... Browse Code »

    - Introduce ns_capable to test for a capability in a non-default
    user namespace.
    - Teach cap_capable to handle capabilities in a non-default
    user namespace.

    The motivation is to get to the unprivileged creation of new
    namespaces. It looks like this gets us 90% of the way there, with
    only potential uid confusion issues left.

    I still need to handle getting all caps after creation but otherwise I
    think I have a good starter patch that achieves all of your goals.

    Changelog:
    11/05/2010: [serge] add apparmor
    12/14/2010: [serge] fix capabilities to created user namespaces
    Without this, if user serge creates a user_ns, he won't have
    capabilities to the user_ns he created. THis is because we
    were first checking whether his effective caps had the caps
    he needed and returning -EPERM if not, and THEN checking whether
    he was the creator. Reverse those checks.
    12/16/2010: [serge] security_real_capable needs ns argument in !security case
    01/11/2011: [serge] add task_ns_capable helper
    01/11/2011: [serge] add nsown_capable() helper per Bastian Blank suggestion
    02/16/2011: [serge] fix a logic bug: the root user is always creator of
    init_user_ns, but should not always have capabilities to
    it! Fix the check in cap_capable().
    02/21/2011: Add the required user_ns parameter to security_capable,
    fixing a compile failure.
    02/23/2011: Convert some macros to functions as per akpm comments. Some
    couldn't be converted because we can't easily forward-declare
    them (they are inline if !SECURITY, extern if SECURITY). Add
    a current_user_ns function so we can use it in capability.h
    without #including cred.h. Move all forward declarations
    together to the top of the #ifdef __KERNEL__ section, and use
    kernel-doc format.
    02/23/2011: Per dhowells, clean up comment in cap_capable().
    02/23/2011: Per akpm, remove unreachable 'return -EPERM' in cap_capable.

    (Original written and signed off by Eric; latest, modified version
    acked by him)

    [akpm@linux-foundation.org: fix build]
    [akpm@linux-foundation.org: export current_user_ns() for ecryptfs]
    [serge.hallyn@canonical.com: remove unneeded extra argument in selinux's task_has_capability]
    Signed-off-by: Eric W. Biederman
    Signed-off-by: Serge E. Hallyn
    Acked-by: "Eric W. Biederman"
    Acked-by: Daniel Lezcano
    Acked-by: David Howells
    Cc: James Morris
    Signed-off-by: Serge E. Hallyn
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Serge E. Hallyn
     

09 Mar, 2011

1 commit

11 Nov, 2010

1 commit

08 Sep, 2010

1 commit

17 Aug, 2010

1 commit

  • 7cb4dc9fc   AppArmor: fix task_setrlimit prototype ... Browse Code »

    After rlimits tree was merged we get the following errors:
    security/apparmor/lsm.c:663:2: warning: initialization from incompatible pointer type

    It is because AppArmor was merged in the meantime, but uses the old
    prototype. So fix it by adding struct task_struct as a first parameter
    of apparmor_task_setrlimit.

    NOTE that this is ONLY a compilation warning fix (and crashes caused
    by that). It needs proper handling in AppArmor depending on who is the
    'task'.

    Signed-off-by: Jiri Slaby
    Signed-off-by: John Johansen
    Signed-off-by: James Morris

    Jiri Slaby
     

11 Aug, 2010

1 commit

  • 101d6c826   AppArmor: update for module_param_named API change ... Browse Code »

    Fixes these build errors:
    security/apparmor/lsm.c:701: error: 'param_ops_aabool' undeclared here (not in a function)
    security/apparmor/lsm.c:721: error: 'param_ops_aalockpolicy' undeclared here (not in a function)
    security/apparmor/lsm.c:729: error: 'param_ops_aauint' undeclared here (not in a function)

    Signed-off-by: Stephen Rothwell
    Signed-off-by: John Johansen
    Signed-off-by: Rusty Russell

    Stephen Rothwell
     

02 Aug, 2010

2 commits