Eric Lee / smarc-ti-linux-kernel

05 Apr, 2014

1 commit

  • f7789dc0d   Merge branch 'locks-3.15' of git://git.samba.org/jlayton/linux ... Browse Code »

    Pull file locking updates from Jeff Layton:
    "Highlights:

    - maintainership change for fs/locks.c. Willy's not interested in
    maintaining it these days, and is OK with Bruce and I taking it.
    - fix for open vs setlease race that Al ID'ed
    - cleanup and consolidation of file locking code
    - eliminate unneeded BUG() call
    - merge of file-private lock implementation"

    * 'locks-3.15' of git://git.samba.org/jlayton/linux:
    locks: make locks_mandatory_area check for file-private locks
    locks: fix locks_mandatory_locked to respect file-private locks
    locks: require that flock->l_pid be set to 0 for file-private locks
    locks: add new fcntl cmd values for handling file private locks
    locks: skip deadlock detection on FL_FILE_PVT locks
    locks: pass the cmd value to fcntl_getlk/getlk64
    locks: report l_pid as -1 for FL_FILE_PVT locks
    locks: make /proc/locks show IS_FILE_PVT locks as type "FLPVT"
    locks: rename locks_remove_flock to locks_remove_file
    locks: consolidate checks for compatible filp->f_mode values in setlk handlers
    locks: fix posix lock range overflow handling
    locks: eliminate BUG() call when there's an unexpected lock on file close
    locks: add __acquires and __releases annotations to locks_start and locks_stop
    locks: remove "inline" qualifier from fl_link manipulation functions
    locks: clean up comment typo
    locks: close potential race between setlease and open
    MAINTAINERS: update entry for fs/locks.c

    Linus Torvalds
     

04 Apr, 2014

1 commit

  • bea803183   Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security ... Browse Code »

    Pull security subsystem updates from James Morris:
    "Apart from reordering the SELinux mmap code to ensure DAC is called
    before MAC, these are minor maintenance updates"

    * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (23 commits)
    selinux: correctly label /proc inodes in use before the policy is loaded
    selinux: put the mmap() DAC controls before the MAC controls
    selinux: fix the output of ./scripts/get_maintainer.pl for SELinux
    evm: enable key retention service automatically
    ima: skip memory allocation for empty files
    evm: EVM does not use MD5
    ima: return d_name.name if d_path fails
    integrity: fix checkpatch errors
    ima: fix erroneous removal of security.ima xattr
    security: integrity: Use a more current logging style
    MAINTAINERS: email updates and other misc. changes
    ima: reduce memory usage when a template containing the n field is used
    ima: restore the original behavior for sending data with ima template
    Integrity: Pass commname via get_task_comm()
    fs: move i_readcount
    ima: use static const char array definitions
    security: have cap_dentry_init_security return error
    ima: new helper: file_inode(file)
    kernel: Mark function as static in kernel/seccomp.c
    capability: Use current logging styles
    ...

    Linus Torvalds
     

31 Mar, 2014

1 commit

  • 5d50ffd7c   locks: add new fcntl cmd values for handling file private locks ... Browse Code »

    Due to some unfortunate history, POSIX locks have very strange and
    unhelpful semantics. The thing that usually catches people by surprise
    is that they are dropped whenever the process closes any file descriptor
    associated with the inode.

    This is extremely problematic for people developing file servers that
    need to implement byte-range locks. Developers often need a "lock
    management" facility to ensure that file descriptors are not closed
    until all of the locks associated with the inode are finished.

    Additionally, "classic" POSIX locks are owned by the process. Locks
    taken between threads within the same process won't conflict with one
    another, which renders them useless for synchronization between threads.

    This patchset adds a new type of lock that attempts to address these
    issues. These locks conflict with classic POSIX read/write locks, but
    have semantics that are more like BSD locks with respect to inheritance
    and behavior on close.

    This is implemented primarily by changing how fl_owner field is set for
    these locks. Instead of having them owned by the files_struct of the
    process, they are instead owned by the filp on which they were acquired.
    Thus, they are inherited across fork() and are only released when the
    last reference to a filp is put.

    These new semantics prevent them from being merged with classic POSIX
    locks, even if they are acquired by the same process. These locks will
    also conflict with classic POSIX locks even if they are acquired by
    the same process or on the same file descriptor.

    The new locks are managed using a new set of cmd values to the fcntl()
    syscall. The initial implementation of this converts these values to
    "classic" cmd values at a fairly high level, and the details are not
    exposed to the underlying filesystem. We may eventually want to push
    this handing out to the lower filesystem code but for now I don't
    see any need for it.

    Also, note that with this implementation the new cmd values are only
    available via fcntl64() on 32-bit arches. There's little need to
    add support for legacy apps on a new interface like this.

    Signed-off-by: Jeff Layton

    Jeff Layton
     

20 Mar, 2014

2 commits

  • f64410ec6   selinux: correctly label /proc inodes in use before the policy is loaded ... Browse Code »
    5

    This patch is based on an earlier patch by Eric Paris, he describes
    the problem below:

    "If an inode is accessed before policy load it will get placed on a
    list of inodes to be initialized after policy load. After policy
    load we call inode_doinit() which calls inode_doinit_with_dentry()
    on all inodes accessed before policy load. In the case of inodes
    in procfs that means we'll end up at the bottom where it does:

    /* Default to the fs superblock SID. */
    isec->sid = sbsec->sid;

    if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
    if (opt_dentry) {
    isec->sclass = inode_mode_to_security_class(...)
    rc = selinux_proc_get_sid(opt_dentry,
    isec->sclass,
    &sid);
    if (rc)
    goto out_unlock;
    isec->sid = sid;
    }
    }

    Since opt_dentry is null, we'll never call selinux_proc_get_sid()
    and will leave the inode labeled with the label on the superblock.
    I believe a fix would be to mimic the behavior of xattrs. Look
    for an alias of the inode. If it can't be found, just leave the
    inode uninitialized (and pick it up later) if it can be found, we
    should be able to call selinux_proc_get_sid() ..."

    On a system exhibiting this problem, you will notice a lot of files in
    /proc with the generic "proc_t" type (at least the ones that were
    accessed early in the boot), for example:

    # ls -Z /proc/sys/kernel/shmmax | awk '{ print $4 " " $5 }'
    system_u:object_r:proc_t:s0 /proc/sys/kernel/shmmax

    However, with this patch in place we see the expected result:

    # ls -Z /proc/sys/kernel/shmmax | awk '{ print $4 " " $5 }'
    system_u:object_r:sysctl_kernel_t:s0 /proc/sys/kernel/shmmax

    Cc: Eric Paris
    Signed-off-by: Paul Moore
    Acked-by: Eric Paris

    Paul Moore
     
  • 98883bfd9   selinux: put the mmap() DAC controls before the MAC controls ... Browse Code »

    It turns out that doing the SELinux MAC checks for mmap() before the
    DAC checks was causing users and the SELinux policy folks headaches
    as users were seeing a lot of SELinux AVC denials for the
    memprotect:mmap_zero permission that would have also been denied by
    the normal DAC capability checks (CAP_SYS_RAWIO).

    Example:

    # cat mmap_test.c
    #include
    #include
    #include
    #include

    int main(int argc, char *argv[])
    {
    int rc;
    void *mem;

    mem = mmap(0x0, 4096,
    PROT_READ | PROT_WRITE,
    MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (mem == MAP_FAILED)
    return errno;
    printf("mem = %p\n", mem);
    munmap(mem, 4096);

    return 0;
    }
    # gcc -g -O0 -o mmap_test mmap_test.c
    # ./mmap_test
    mem = (nil)
    # ausearch -m AVC | grep mmap_zero
    type=AVC msg=audit(...): avc: denied { mmap_zero }
    for pid=1025 comm="mmap_test"
    scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    tclass=memprotect

    This patch corrects things so that when the above example is run by a
    user without CAP_SYS_RAWIO the SELinux AVC is no longer generated as
    the DAC capability check fails before the SELinux permission check.

    Signed-off-by: Paul Moore
    Acked-by: Stephen Smalley

    Paul Moore
     

10 Mar, 2014

1 commit

  • 52a4c6404   selinux: add gfp argument to security_xfrm_policy_alloc and fix callers ... Browse Code »

    security_xfrm_policy_alloc can be called in atomic context so the
    allocation should be done with GFP_ATOMIC. Add an argument to let the
    callers choose the appropriate way. In order to do so a gfp argument
    needs to be added to the method xfrm_policy_alloc_security in struct
    security_operations and to the internal function
    selinux_xfrm_alloc_user. After that switch to GFP_ATOMIC in the atomic
    callers and leave GFP_KERNEL as before for the rest.
    The path that needed the gfp argument addition is:
    security_xfrm_policy_alloc -> security_ops.xfrm_policy_alloc_security ->
    all users of xfrm_policy_alloc_security (e.g. selinux_xfrm_policy_alloc) ->
    selinux_xfrm_alloc_user (here the allocation used to be GFP_KERNEL only)

    Now adding a gfp argument to selinux_xfrm_alloc_user requires us to also
    add it to security_context_to_sid which is used inside and prior to this
    patch did only GFP_KERNEL allocation. So add gfp argument to
    security_context_to_sid and adjust all of its callers as well.

    CC: Paul Moore
    CC: Dave Jones
    CC: Steffen Klassert
    CC: Fan Du
    CC: David S. Miller
    CC: LSM list
    CC: SELinux list

    Signed-off-by: Nikolay Aleksandrov
    Acked-by: Paul Moore
    Signed-off-by: Steffen Klassert

    Nikolay Aleksandrov
     

06 Feb, 2014

1 commit

22 Jan, 2014

1 commit

  • fb2e2c853   Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security ... Browse Code »

    Pull security layer updates from James Morris:
    "Changes for this kernel include maintenance updates for Smack, SELinux
    (and several networking fixes), IMA and TPM"

    * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (39 commits)
    SELinux: Fix memory leak upon loading policy
    tpm/tpm-sysfs: active_show() can be static
    tpm: tpm_tis: Fix compile problems with CONFIG_PM_SLEEP/CONFIG_PNP
    tpm: Make tpm-dev allocate a per-file structure
    tpm: Use the ops structure instead of a copy in tpm_vendor_specific
    tpm: Create a tpm_class_ops structure and use it in the drivers
    tpm: Pull all driver sysfs code into tpm-sysfs.c
    tpm: Move sysfs functions from tpm-interface to tpm-sysfs
    tpm: Pull everything related to /dev/tpmX into tpm-dev.c
    char: tpm: nuvoton: remove unused variable
    tpm: MAINTAINERS: Cleanup TPM Maintainers file
    tpm/tpm_i2c_atmel: fix coccinelle warnings
    tpm/tpm_ibmvtpm: fix unreachable code warning (smatch warning)
    tpm/tpm_i2c_stm_st33: Check return code of get_burstcount
    tpm/tpm_ppi: Check return value of acpi_get_name
    tpm/tpm_ppi: Do not compare strcmp(a,b) == -1
    ima: remove unneeded size_limit argument from ima_eventdigest_init_common()
    ima: update IMA-templates.txt documentation
    ima: pass HASH_ALGO__LAST as hash algo in ima_eventdigest_init()
    ima: change the default hash algorithm to SHA1 in ima_eventdigest_ng_init()
    ...

    Linus Torvalds
     

12 Jan, 2014

1 commit

  • 3dc91d433   SELinux: Fix possible NULL pointer dereference in selinux_inode_permission() ... Browse Code »
    18

    While running stress tests on adding and deleting ftrace instances I hit
    this bug:

    BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
    IP: selinux_inode_permission+0x85/0x160
    PGD 63681067 PUD 7ddbe067 PMD 0
    Oops: 0000 [#1] PREEMPT
    CPU: 0 PID: 5634 Comm: ftrace-test-mki Not tainted 3.13.0-rc4-test-00033-gd2a6dde-dirty #20
    Hardware name: /DG965MQ, BIOS MQ96510J.86A.0372.2006.0605.1717 06/05/2006
    task: ffff880078375800 ti: ffff88007ddb0000 task.ti: ffff88007ddb0000
    RIP: 0010:[] [] selinux_inode_permission+0x85/0x160
    RSP: 0018:ffff88007ddb1c48 EFLAGS: 00010246
    RAX: 0000000000000000 RBX: 0000000000800000 RCX: ffff88006dd43840
    RDX: 0000000000000001 RSI: 0000000000000081 RDI: ffff88006ee46000
    RBP: ffff88007ddb1c88 R08: 0000000000000000 R09: ffff88007ddb1c54
    R10: 6e6576652f6f6f66 R11: 0000000000000003 R12: 0000000000000000
    R13: 0000000000000081 R14: ffff88006ee46000 R15: 0000000000000000
    FS: 00007f217b5b6700(0000) GS:ffffffff81e21000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033^M
    CR2: 0000000000000020 CR3: 000000006a0fe000 CR4: 00000000000007f0
    Call Trace:
    security_inode_permission+0x1c/0x30
    __inode_permission+0x41/0xa0
    inode_permission+0x18/0x50
    link_path_walk+0x66/0x920
    path_openat+0xa6/0x6c0
    do_filp_open+0x43/0xa0
    do_sys_open+0x146/0x240
    SyS_open+0x1e/0x20
    system_call_fastpath+0x16/0x1b
    Code: 84 a1 00 00 00 81 e3 00 20 00 00 89 d8 83 c8 02 40 f6 c6 04 0f 45 d8 40 f6 c6 08 74 71 80 cf 02 49 8b 46 38 4c 8d 4d cc 45 31 c0 b7 50 20 8b 70 1c 48 8b 41 70 89 d9 8b 78 04 e8 36 cf ff ff
    RIP selinux_inode_permission+0x85/0x160
    CR2: 0000000000000020

    Investigating, I found that the inode->i_security was NULL, and the
    dereference of it caused the oops.

    in selinux_inode_permission():

    isec = inode->i_security;

    rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd);

    Note, the crash came from stressing the deletion and reading of debugfs
    files. I was not able to recreate this via normal files. But I'm not
    sure they are safe. It may just be that the race window is much harder
    to hit.

    What seems to have happened (and what I have traced), is the file is
    being opened at the same time the file or directory is being deleted.
    As the dentry and inode locks are not held during the path walk, nor is
    the inodes ref counts being incremented, there is nothing saving these
    structures from being discarded except for an rcu_read_lock().

    The rcu_read_lock() protects against freeing of the inode, but it does
    not protect freeing of the inode_security_struct. Now if the freeing of
    the i_security happens with a call_rcu(), and the i_security field of
    the inode is not changed (it gets freed as the inode gets freed) then
    there will be no issue here. (Linus Torvalds suggested not setting the
    field to NULL such that we do not need to check if it is NULL in the
    permission check).

    Note, this is a hack, but it fixes the problem at hand. A real fix is
    to restructure the destroy_inode() to call all the destructor handlers
    from the RCU callback. But that is a major job to do, and requires a
    lot of work. For now, we just band-aid this bug with this fix (it
    works), and work on a more maintainable solution in the future.

    Link: http://lkml.kernel.org/r/20140109101932.0508dec7@gandalf.local.home
    Link: http://lkml.kernel.org/r/20140109182756.17abaaa8@gandalf.local.home

    Cc: stable@vger.kernel.org
    Signed-off-by: Steven Rostedt
    Signed-off-by: Linus Torvalds

    Steven Rostedt
     

06 Jan, 2014

1 commit

24 Dec, 2013

2 commits

  • c0c143954   selinux: selinux_setprocattr()->ptrace_parent() needs rcu_read_lock() ... Browse Code »
    2

    selinux_setprocattr() does ptrace_parent(p) under task_lock(p),
    but task_struct->alloc_lock doesn't pin ->parent or ->ptrace,
    this looks confusing and triggers the "suspicious RCU usage"
    warning because ptrace_parent() does rcu_dereference_check().

    And in theory this is wrong, spin_lock()->preempt_disable()
    doesn't necessarily imply rcu_read_lock() we need to access
    the ->parent.

    Reported-by: Evan McNabb
    Signed-off-by: Oleg Nesterov
    Cc: stable@vger.kernel.org
    Signed-off-by: Paul Moore

    Oleg Nesterov
     
  • 46d01d632   selinux: fix broken peer recv check ... Browse Code »
    2

    Fix a broken networking check. Return an error if peer recv fails. If
    secmark is active and the packet recv succeeds the peer recv error is
    ignored.

    Signed-off-by: Chad Hanson
    Cc: stable@vger.kernel.org
    Signed-off-by: Paul Moore

    Chad Hanson
     

17 Dec, 2013

2 commits

16 Dec, 2013

2 commits

  • b5745c596   Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security ... Browse Code »

    Pull SELinux fixes from James Morris.

    * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
    selinux: process labeled IPsec TCP SYN-ACK packets properly in selinux_ip_postroute()
    selinux: look for IPsec labels on both inbound and outbound packets
    selinux: handle TCP SYN-ACK packets correctly in selinux_ip_postroute()
    selinux: handle TCP SYN-ACK packets correctly in selinux_ip_output()
    selinux: fix possible memory leak

    Linus Torvalds
     
  • 29b1deb2a   Revert "selinux: consider filesystem subtype in policies" ... Browse Code »

    This reverts commit 102aefdda4d8275ce7d7100bc16c88c74272b260.

    Tom London reports that it causes sync() to hang on Fedora rawhide:

    https://bugzilla.redhat.com/show_bug.cgi?id=1033965

    and Josh Boyer bisected it down to this commit. Reverting the commit in
    the rawhide kernel fixes the problem.

    Eric Paris root-caused it to incorrect subtype matching in that commit
    breaking fuse, and has a tentative patch, but by now we're better off
    retrying this in 3.14 rather than playing with it any more.

    Reported-by: Tom London
    Bisected-by: Josh Boyer
    Acked-by: Eric Paris
    Cc: James Morris
    Cc: Anand Avati
    Cc: Paul Moore
    Signed-off-by: Linus Torvalds

    Linus Torvalds
     

14 Dec, 2013

1 commit

  • 4d546f817   selinux: revert 102aefdda4d8275ce7d7100bc16c88c74272b260 ... Browse Code »

    Revert "selinux: consider filesystem subtype in policies"

    This reverts commit 102aefdda4d8275ce7d7100bc16c88c74272b260.

    Explanation from Eric Paris:

    SELinux policy can specify if it should use a filesystem's
    xattrs or not. In current policy we have a specification that
    fuse should not use xattrs but fuse.glusterfs should use
    xattrs. This patch has a bug in which non-glusterfs
    filesystems would match the rule saying fuse.glusterfs should
    use xattrs. If both fuse and the particular filesystem in
    question are not written to handle xattr calls during the mount
    command, they will deadlock.

    I have fixed the bug to do proper matching, however I believe a
    revert is still the correct solution. The reason I believe
    that is because the code still does not work. The s_subtype is
    not set until after the SELinux hook which attempts to match on
    the ".gluster" portion of the rule. So we cannot match on the
    rule in question. The code is useless.

    Signed-off-by: Paul Moore

    Paul Moore
     

13 Dec, 2013

5 commits

  • d93aca605   Merge branch 'master' of git://git.infradead.org/users/pcmoore/selinux_fixes into for-linus Browse Code »
    James Morris
     
  • c0828e504   selinux: process labeled IPsec TCP SYN-ACK packets properly in selinux_ip_postroute() ... Browse Code »
    13

    Due to difficulty in arriving at the proper security label for
    TCP SYN-ACK packets in selinux_ip_postroute(), we need to check packets
    while/before they are undergoing XFRM transforms instead of waiting
    until afterwards so that we can determine the correct security label.

    Reported-by: Janak Desai
    Cc: stable@vger.kernel.org
    Signed-off-by: Paul Moore

    Paul Moore
     
  • 817eff718   selinux: look for IPsec labels on both inbound and outbound packets ... Browse Code »

    Previously selinux_skb_peerlbl_sid() would only check for labeled
    IPsec security labels on inbound packets, this patch enables it to
    check both inbound and outbound traffic for labeled IPsec security
    labels.

    Reported-by: Janak Desai
    Cc: stable@vger.kernel.org
    Signed-off-by: Paul Moore

    Paul Moore
     
  • 446b80243   selinux: handle TCP SYN-ACK packets correctly in selinux_ip_postroute() ... Browse Code »
    2

    In selinux_ip_postroute() we perform access checks based on the
    packet's security label. For locally generated traffic we get the
    packet's security label from the associated socket; this works in all
    cases except for TCP SYN-ACK packets. In the case of SYN-ACK packet's
    the correct security label is stored in the connection's request_sock,
    not the server's socket. Unfortunately, at the point in time when
    selinux_ip_postroute() is called we can't query the request_sock
    directly, we need to recreate the label using the same logic that
    originally labeled the associated request_sock.

    See the inline comments for more explanation.

    Reported-by: Janak Desai
    Tested-by: Janak Desai
    Cc: stable@vger.kernel.org
    Signed-off-by: Paul Moore

    Paul Moore
     
  • 471800682   selinux: handle TCP SYN-ACK packets correctly in selinux_ip_output() ... Browse Code »
    2

    In selinux_ip_output() we always label packets based on the parent
    socket. While this approach works in almost all cases, it doesn't
    work in the case of TCP SYN-ACK packets when the correct label is not
    the label of the parent socket, but rather the label of the larval
    socket represented by the request_sock struct.

    Unfortunately, since the request_sock isn't queued on the parent
    socket until *after* the SYN-ACK packet is sent, we can't lookup the
    request_sock to determine the correct label for the packet; at this
    point in time the best we can do is simply pass/NF_ACCEPT the packet.
    It must be said that simply passing the packet without any explicit
    labeling action, while far from ideal, is not terrible as the SYN-ACK
    packet will inherit any IP option based labeling from the initial
    connection request so the label *should* be correct and all our
    access controls remain in place so we shouldn't have to worry about
    information leaks.

    Reported-by: Janak Desai
    Tested-by: Janak Desai
    Cc: stable@vger.kernel.org
    Signed-off-by: Paul Moore

    Paul Moore
     

12 Dec, 2013

1 commit

11 Dec, 2013

1 commit

10 Dec, 2013

1 commit

05 Dec, 2013

3 commits

  • 0b1f24e6d   selinux: pull address family directly from the request_sock struct ... Browse Code »

    We don't need to inspect the packet to determine if the packet is an
    IPv4 packet arriving on an IPv6 socket when we can query the
    request_sock directly.

    Signed-off-by: Paul Moore

    Paul Moore
     
  • 7f721643d   selinux: handle TCP SYN-ACK packets correctly in selinux_ip_postroute() ... Browse Code »

    In selinux_ip_postroute() we perform access checks based on the
    packet's security label. For locally generated traffic we get the
    packet's security label from the associated socket; this works in all
    cases except for TCP SYN-ACK packets. In the case of SYN-ACK packet's
    the correct security label is stored in the connection's request_sock,
    not the server's socket. Unfortunately, at the point in time when
    selinux_ip_postroute() is called we can't query the request_sock
    directly, we need to recreate the label using the same logic that
    originally labeled the associated request_sock.

    See the inline comments for more explanation.

    Reported-by: Janak Desai
    Tested-by: Janak Desai
    Cc: stable@vger.kernel.org
    Signed-off-by: Paul Moore

    Paul Moore
     
  • da2ea0d05   selinux: handle TCP SYN-ACK packets correctly in selinux_ip_output() ... Browse Code »

    In selinux_ip_output() we always label packets based on the parent
    socket. While this approach works in almost all cases, it doesn't
    work in the case of TCP SYN-ACK packets when the correct label is not
    the label of the parent socket, but rather the label of the larval
    socket represented by the request_sock struct.

    Unfortunately, since the request_sock isn't queued on the parent
    socket until *after* the SYN-ACK packet is sent, we can't lookup the
    request_sock to determine the correct label for the packet; at this
    point in time the best we can do is simply pass/NF_ACCEPT the packet.
    It must be said that simply passing the packet without any explicit
    labeling action, while far from ideal, is not terrible as the SYN-ACK
    packet will inherit any IP option based labeling from the initial
    connection request so the label *should* be correct and all our
    access controls remain in place so we shouldn't have to worry about
    information leaks.

    Reported-by: Janak Desai
    Tested-by: Janak Desai
    Cc: stable@vger.kernel.org
    Signed-off-by: Paul Moore

    Paul Moore
     

27 Nov, 2013

1 commit

22 Nov, 2013

1 commit

  • 78dc53c42   Merge branch 'for-linus2' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security ... Browse Code »

    Pull security subsystem updates from James Morris:
    "In this patchset, we finally get an SELinux update, with Paul Moore
    taking over as maintainer of that code.

    Also a significant update for the Keys subsystem, as well as
    maintenance updates to Smack, IMA, TPM, and Apparmor"

    and since I wanted to know more about the updates to key handling,
    here's the explanation from David Howells on that:

    "Okay. There are a number of separate bits. I'll go over the big bits
    and the odd important other bit, most of the smaller bits are just
    fixes and cleanups. If you want the small bits accounting for, I can
    do that too.

    (1) Keyring capacity expansion.

    KEYS: Consolidate the concept of an 'index key' for key access
    KEYS: Introduce a search context structure
    KEYS: Search for auth-key by name rather than target key ID
    Add a generic associative array implementation.
    KEYS: Expand the capacity of a keyring

    Several of the patches are providing an expansion of the capacity of a
    keyring. Currently, the maximum size of a keyring payload is one page.
    Subtract a small header and then divide up into pointers, that only gives
    you ~500 pointers on an x86_64 box. However, since the NFS idmapper uses
    a keyring to store ID mapping data, that has proven to be insufficient to
    the cause.

    Whatever data structure I use to handle the keyring payload, it can only
    store pointers to keys, not the keys themselves because several keyrings
    may point to a single key. This precludes inserting, say, and rb_node
    struct into the key struct for this purpose.

    I could make an rbtree of records such that each record has an rb_node
    and a key pointer, but that would use four words of space per key stored
    in the keyring. It would, however, be able to use much existing code.

    I selected instead a non-rebalancing radix-tree type approach as that
    could have a better space-used/key-pointer ratio. I could have used the
    radix tree implementation that we already have and insert keys into it by
    their serial numbers, but that means any sort of search must iterate over
    the whole radix tree. Further, its nodes are a bit on the capacious side
    for what I want - especially given that key serial numbers are randomly
    allocated, thus leaving a lot of empty space in the tree.

    So what I have is an associative array that internally is a radix-tree
    with 16 pointers per node where the index key is constructed from the key
    type pointer and the key description. This means that an exact lookup by
    type+description is very fast as this tells us how to navigate directly to
    the target key.

    I made the data structure general in lib/assoc_array.c as far as it is
    concerned, its index key is just a sequence of bits that leads to a
    pointer. It's possible that someone else will be able to make use of it
    also. FS-Cache might, for example.

    (2) Mark keys as 'trusted' and keyrings as 'trusted only'.

    KEYS: verify a certificate is signed by a 'trusted' key
    KEYS: Make the system 'trusted' keyring viewable by userspace
    KEYS: Add a 'trusted' flag and a 'trusted only' flag
    KEYS: Separate the kernel signature checking keyring from module signing

    These patches allow keys carrying asymmetric public keys to be marked as
    being 'trusted' and allow keyrings to be marked as only permitting the
    addition or linkage of trusted keys.

    Keys loaded from hardware during kernel boot or compiled into the kernel
    during build are marked as being trusted automatically. New keys can be
    loaded at runtime with add_key(). They are checked against the system
    keyring contents and if their signatures can be validated with keys that
    are already marked trusted, then they are marked trusted also and can
    thus be added into the master keyring.

    Patches from Mimi Zohar make this usable with the IMA keyrings also.

    (3) Remove the date checks on the key used to validate a module signature.

    X.509: Remove certificate date checks

    It's not reasonable to reject a signature just because the key that it was
    generated with is no longer valid datewise - especially if the kernel
    hasn't yet managed to set the system clock when the first module is
    loaded - so just remove those checks.

    (4) Make it simpler to deal with additional X.509 being loaded into the kernel.

    KEYS: Load *.x509 files into kernel keyring
    KEYS: Have make canonicalise the paths of the X.509 certs better to deduplicate

    The builder of the kernel now just places files with the extension ".x509"
    into the kernel source or build trees and they're concatenated by the
    kernel build and stuffed into the appropriate section.

    (5) Add support for userspace kerberos to use keyrings.

    KEYS: Add per-user_namespace registers for persistent per-UID kerberos caches
    KEYS: Implement a big key type that can save to tmpfs

    Fedora went to, by default, storing kerberos tickets and tokens in tmpfs.
    We looked at storing it in keyrings instead as that confers certain
    advantages such as tickets being automatically deleted after a certain
    amount of time and the ability for the kernel to get at these tokens more
    easily.

    To make this work, two things were needed:

    (a) A way for the tickets to persist beyond the lifetime of all a user's
    sessions so that cron-driven processes can still use them.

    The problem is that a user's session keyrings are deleted when the
    session that spawned them logs out and the user's user keyring is
    deleted when the UID is deleted (typically when the last log out
    happens), so neither of these places is suitable.

    I've added a system keyring into which a 'persistent' keyring is
    created for each UID on request. Each time a user requests their
    persistent keyring, the expiry time on it is set anew. If the user
    doesn't ask for it for, say, three days, the keyring is automatically
    expired and garbage collected using the existing gc. All the kerberos
    tokens it held are then also gc'd.

    (b) A key type that can hold really big tickets (up to 1MB in size).

    The problem is that Active Directory can return huge tickets with lots
    of auxiliary data attached. We don't, however, want to eat up huge
    tracts of unswappable kernel space for this, so if the ticket is
    greater than a certain size, we create a swappable shmem file and dump
    the contents in there and just live with the fact we then have an
    inode and a dentry overhead. If the ticket is smaller than that, we
    slap it in a kmalloc()'d buffer"

    * 'for-linus2' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (121 commits)
    KEYS: Fix keyring content gc scanner
    KEYS: Fix error handling in big_key instantiation
    KEYS: Fix UID check in keyctl_get_persistent()
    KEYS: The RSA public key algorithm needs to select MPILIB
    ima: define '_ima' as a builtin 'trusted' keyring
    ima: extend the measurement list to include the file signature
    kernel/system_certificate.S: use real contents instead of macro GLOBAL()
    KEYS: fix error return code in big_key_instantiate()
    KEYS: Fix keyring quota misaccounting on key replacement and unlink
    KEYS: Fix a race between negating a key and reading the error set
    KEYS: Make BIG_KEYS boolean
    apparmor: remove the "task" arg from may_change_ptraced_domain()
    apparmor: remove parent task info from audit logging
    apparmor: remove tsk field from the apparmor_audit_struct
    apparmor: fix capability to not use the current task, during reporting
    Smack: Ptrace access check mode
    ima: provide hash algo info in the xattr
    ima: enable support for larger default filedata hash algorithms
    ima: define kernel parameter 'ima_template=' to change configured default
    ima: add Kconfig default measurement list template
    ...

    Linus Torvalds
     

09 Nov, 2013

1 commit

24 Oct, 2013

1 commit

22 Oct, 2013

1 commit

14 Oct, 2013

1 commit

05 Oct, 2013

2 commits

01 Oct, 2013

1 commit

  • 0bbf87d85   net ipv4: Convert ipv4.ip_local_port_range to be per netns v3 ... Browse Code »

    - Move sysctl_local_ports from a global variable into struct netns_ipv4.
    - Modify inet_get_local_port_range to take a struct net, and update all
    of the callers.
    - Move the initialization of sysctl_local_ports into
    sysctl_net_ipv4.c:ipv4_sysctl_init_net from inet_connection_sock.c

    v2:
    - Ensure indentation used tabs
    - Fixed ip.h so it applies cleanly to todays net-next

    v3:
    - Compile fixes of strange callers of inet_get_local_port_range.
    This patch now successfully passes an allmodconfig build.
    Removed manual inlining of inet_get_local_port_range in ipv4_local_port_range

    Originally-by: Samya
    Acked-by: Nicolas Dichtel
    Signed-off-by: "Eric W. Biederman"
    Signed-off-by: David S. Miller

    Eric W. Biederman
     

19 Sep, 2013

1 commit

  • 98f700f31   Merge git://git.infradead.org/users/eparis/selinux ... Browse Code »

    Conflicts:
    security/selinux/hooks.c

    Pull Eric's existing SELinux tree as there are a number of patches in
    there that are not yet upstream. There was some minor fixup needed to
    resolve a conflict in security/selinux/hooks.c:selinux_set_mnt_opts()
    between the labeled NFS patches and Eric's security_fs_use()
    simplification patch.

    Paul Moore
     

29 Aug, 2013

2 commits

  • 0b4bdb357   Revert "SELinux: do not handle seclabel as a special flag" ... Browse Code »

    This reverts commit 308ab70c465d97cf7e3168961dfd365535de21a6.

    It breaks my FC6 test box. /dev/pts is not mounted. dmesg says

    SELinux: mount invalid. Same superblock, different security settings
    for (dev devpts, type devpts)

    Cc: Peter Hurley
    Cc: Greg KH
    Signed-off-by: Andrew Morton
    Signed-off-by: Eric Paris

    Eric Paris
     
  • 102aefdda   selinux: consider filesystem subtype in policies ... Browse Code »

    Not considering sub filesystem has the following limitation. Support
    for SELinux in FUSE is dependent on the particular userspace
    filesystem, which is identified by the subtype. For e.g, GlusterFS,
    a FUSE based filesystem supports SELinux (by mounting and processing
    FUSE requests in different threads, avoiding the mount time
    deadlock), whereas other FUSE based filesystems (identified by a
    different subtype) have the mount time deadlock.

    By considering the subtype of the filesytem in the SELinux policies,
    allows us to specify a filesystem subtype, in the following way:

    fs_use_xattr fuse.glusterfs gen_context(system_u:object_r:fs_t,s0);

    This way not all FUSE filesystems are put in the same bucket and
    subjected to the limitations of the other subtypes.

    Signed-off-by: Anand Avati
    Signed-off-by: Eric Paris

    Anand Avati