28 Mar, 2016
1 commit
-
Signed-off-by: Al Viro
12 Apr, 2015
2 commits
-
Signed-off-by: Al Viro
-
Signed-off-by: Al Viro
30 Apr, 2013
1 commit
-
Signed-off-by: Al Viro
12 Oct, 2012
1 commit
-
Signed-off-by: Al Viro
21 Sep, 2012
1 commit
-
Acked-by: Tetsuo Handa
Acked-by: Serge Hallyn
Signed-off-by: Eric W. Biederman
15 May, 2012
1 commit
-
The pathname of /usr/sbin/tomoyo-editpolicy seen from Ubuntu 12.04 Live CD is
squashfs:/usr/sbin/tomoyo-editpolicy rather than /usr/sbin/tomoyo-editpolicy .
Therefore, we need to accept manager programs which do not start with / .Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris
15 Mar, 2012
1 commit
-
"struct file_operations"->poll() expects "unsigned int" return value.
All files in /sys/kernel/security/tomoyo/ directory other than
/sys/kernel/security/tomoyo/query and /sys/kernel/security/tomoyo/audit should
return POLLIN | POLLRDNORM | POLLOUT | POLLWRNORM rather than -ENOSYS.
Also, /sys/kernel/security/tomoyo/query and /sys/kernel/security/tomoyo/audit
should return POLLOUT | POLLWRNORM rather than 0 when there is no data to read.Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris
11 Jan, 2012
1 commit
-
* 'for-linus' of git://selinuxproject.org/~jmorris/linux-security: (32 commits)
ima: fix invalid memory reference
ima: free duplicate measurement memory
security: update security_file_mmap() docs
selinux: Casting (void *) value returned by kmalloc is useless
apparmor: fix module parameter handling
Security: tomoyo: add .gitignore file
tomoyo: add missing rcu_dereference()
apparmor: add missing rcu_dereference()
evm: prevent racing during tfm allocation
evm: key must be set once during initialization
mpi/mpi-mpow: NULL dereference on allocation failure
digsig: build dependency fix
KEYS: Give key types their own lockdep class for key->sem
TPM: fix transmit_cmd error logic
TPM: NSC and TIS drivers X86 dependency fix
TPM: Export wait_for_stat for other vendor specific drivers
TPM: Use vendor specific function for status probe
tpm_tis: add delay after aborting command
tpm_tis: Check return code from getting timeouts/durations
tpm: Introduce function to poll for result of self test
...Fix up trivial conflict in lib/Makefile due to addition of CONFIG_MPI
and SIGSIG next to CONFIG_DQL addition.
04 Jan, 2012
1 commit
-
Signed-off-by: Al Viro
12 Dec, 2011
1 commit
-
Adds a missed rcu_dereference() around real_parent.
Signed-off-by: Kees Cook
Acked-by: Tetsuo Handa
Signed-off-by: James Morris
26 Sep, 2011
3 commits
-
tomoyo_policy_lock mutex already protects it.
Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
When TOMOYO started using garbage collector at commit 847b173e "TOMOYO: Add
garbage collector.", we waited for close() before kfree(). Thus, elements to be
kfree()d were queued up using tomoyo_gc_list list.But it turned out that tomoyo_element_linked_by_gc() tends to choke garbage
collector when certain pattern of entries are queued.Since garbage collector is no longer waiting for close() since commit 2e503bbb
"TOMOYO: Fix lockdep warning.", we can remove tomoyo_gc_list list and
tomoyo_element_linked_by_gc() by doing sequential processing.Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
Commit efe836ab "TOMOYO: Add built-in policy support." introduced
tomoyo_load_builtin_policy() but was by error called from nowhere.Commit b22b8b9f "TOMOYO: Rename meminfo to stat and show more statistics."
introduced tomoyo_update_stat() but was by error not called from
tomoyo_assign_domain().Also, mark tomoyo_io_printf() and tomoyo_path_permission() static functions,
as reported by "make namespacecheck".Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris
19 Sep, 2011
1 commit
-
I got an opinion that it is difficult to use exception policy's domain
transition control directives because they need to match the pathname specified
to "file execute" directives. For example, if "file execute /bin/\*\-ls\-cat"
is given, corresponding domain transition control directive needs to be like
"no_keep_domain /bin/\*\-ls\-cat from any".If we can specify like below, it will become more convenient.
file execute /bin/ls keep exec.realpath="/bin/ls" exec.argv[0]="ls"
file execute /bin/cat keep exec.realpath="/bin/cat" exec.argv[0]="cat"
file execute /bin/\*\-ls\-cat child
file execute /usr/sbin/httpd exec.realpath="/usr/sbin/httpd" exec.argv[0]="/usr/sbin/httpd"In above examples, "keep" works as if keep_domain is specified, "child" works
as if "no_reset_domain" and "no_initialize_domain" and "no_keep_domain" are
specified, "" causes domain transition to domain upon
successful execve() operation.Moreover, we can also allow transition to different domains based on conditions
like below example./usr/sbin/sshd
file execute /bin/bash /usr/sbin/sshd //batch-session exec.argc=2 exec.argv[1]="-c"
file execute /bin/bash /usr/sbin/sshd //root-session task.uid=0
file execute /bin/bash /usr/sbin/sshd //nonroot-session task.uid!=0Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris
15 Sep, 2011
1 commit
-
Tell userland tools that this is TOMOYO 2.5.
Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris
14 Sep, 2011
4 commits
-
To be able to split permissions for Apache's CGI programs which are executed
without execve(), add special domain transition which is performed by writing
a TOMOYO's domainname to /sys/kernel/security/tomoyo/self_domain interface.This is an API for TOMOYO-aware userland applications. However, since I expect
TOMOYO and other LSM modules to run in parallel, this patch does not use
/proc/self/attr/ interface in order to avoid conflicts with other LSM modules
when it became possible to run multiple LSM modules in parallel.Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
Add per-entry flag which controls generation of grant logs because Xen and KVM
issues ioctl requests so frequently. For example,file ioctl /dev/null 0x5401 grant_log=no
will suppress /sys/kernel/security/tomoyo/audit even if preference says
grant_log=yes .Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
This patch adds support for permission checks for PF_INET/PF_INET6/PF_UNIX
socket's bind()/listen()/connect()/send() operations.Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
This patch adds support for checking environment variable's names.
Although TOMOYO already provides ability to check argv[]/envp[] passed to
execve() requests,file execute /bin/sh exec.envp["LD_LIBRARY_PATH"]="bar"
will reject execution of /bin/sh if environment variable LD_LIBRARY_PATH is not
defined. To grant execution of /bin/sh if LD_LIBRARY_PATH is not defined,
administrators have to specify likefile execute /bin/sh exec.envp["LD_LIBRARY_PATH"]="/system/lib"
file execute /bin/sh exec.envp["LD_LIBRARY_PATH"]=NULL. Since there are many environment variables whereas conditional checks are
applied as "&&", it is difficult to cover all combinations. Therefore, this
patch supports conditional checks that are applied as "||", by specifying likefile execute /bin/sh
misc env LD_LIBRARY_PATH exec.envp["LD_LIBRARY_PATH"]="/system/lib"which means "grant execution of /bin/sh if environment variable is not defined
or is defined and its value is /system/lib".Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris
11 Jul, 2011
5 commits
-
Enable conditional ACL by passing object's pointers.
Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
This patch adds support for permission checks using argv[]/envp[] of execve()
request. Hooks are in the last patch of this pathset.Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
This patch adds support for permission checks using executable file's realpath
upon execve() and symlink's target upon symlink(). Hooks are in the last patch
of this pathset.Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
This patch adds support for permission checks using file object's DAC
attributes (e.g. owner/group) when checking file's pathnames. Hooks for passing
file object's pointers are in the last patch of this pathset.Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
This patch adds support for permission checks using current thread's UID/GID
etc. in addition to pathnames.Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris
08 Jul, 2011
1 commit
-
/sys/kernel/security/tomoyo/.domain_status can be easily emulated using
/sys/kernel/security/tomoyo/domain_policy . We can remove this interface by
updating /usr/sbin/tomoyo-setprofile utility.Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris
30 Jun, 2011
1 commit
-
Sort by alphabetic order.
Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris
29 Jun, 2011
13 commits
-
To be able to start using enforcing mode from the early stage of boot sequence,
this patch adds support for built-in policy configuration (and next patch adds
support for activating access control without calling external policy loader
program).Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
Show statistics such as last policy update time and last policy violation time
in addition to memory usage.Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
Gather string constants to one file in order to make the object size smaller.
Use unsigned type where appropriate.
read()/write() returns ssize_t.Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
Currently TOMOYO holds SRCU lock upon open() and releases it upon close()
because list elements stored in the "struct tomoyo_io_buffer" instances are
accessed until close() is called. However, such SRCU usage causes lockdep to
complain about leaving the kernel with SRCU lock held.This patch solves the warning by holding/releasing SRCU upon each
read()/write(). This patch is doing something similar to calling kfree()
without calling synchronize_srcu(), by selectively deferring kfree() by keeping
track of the "struct tomoyo_io_buffer" instances.Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
Mauras Olivier reported that it is difficult to use TOMOYO in LXC environments,
for TOMOYO cannot distinguish between environments outside the container and
environments inside the container since LXC environments are created using
pivot_root(). To address this problem, this patch introduces policy namespace.Each policy namespace has its own set of domain policy, exception policy and
profiles, which are all independent of other namespaces. This independency
allows users to develop policy without worrying interference among namespaces.Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
ACL group allows administrator to globally grant not only "file read"
permission but also other permissions.Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
Add /sys/kernel/security/tomoyo/audit interface. This interface generates audit
logs in the form of domain policy so that /usr/sbin/tomoyo-auditd can reuse
audit logs for appending to /sys/kernel/security/tomoyo/domain_policy
interface.Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
Remove global preference from profile structure in order to make code simpler.
Due to this structure change, printk() warnings upon policy violation are
temporarily disabled. They will be replaced by
/sys/kernel/security/tomoyo/audit by next patch.Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
Convert "allow_..." style directives to "file ..." style directives.
By converting to the latter style, we can pack policy like
"file read/write/execute /path/to/file".Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
Use structure for passing ACL line, in preparation for supporting policy
namespace and conditional parameters.Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
Use common structure for ACL with "struct list_head" + "atomic_t".
Use array/struct where possible.
Remove is_group from "struct tomoyo_name_union"/"struct tomoyo_number_union".
Pass "struct file"->private_data rather than "struct file".
Update some of comments.
Bring tomoyo_same_acl_head() from common.h to domain.c .
Bring tomoyo_invalid()/tomoyo_valid() from common.h to util.c .Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
Update (or temporarily remove) comments.
Remove or replace some of #define lines.Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris -
In order to synchronize with TOMOYO 1.8's syntax,
(1) Remove special handling for allow_read/write permission.
(2) Replace deny_rewrite/allow_rewrite permission with allow_append permission.
(3) Remove file_pattern keyword.
(4) Remove allow_read permission from exception policy.
(5) Allow creating domains in enforcing mode without calling supervisor.
(6) Add permission check for opening directory for reading.
(7) Add permission check for stat() operation.
(8) Make "cat < /sys/kernel/security/tomoyo/self_domain" behave as if
"cat /sys/kernel/security/tomoyo/self_domain".Signed-off-by: Tetsuo Handa
Signed-off-by: James Morris