27 Mar, 2013

1 commit


18 Dec, 2012

1 commit

  • Pull user namespace changes from Eric Biederman:
    "While small this set of changes is very significant with respect to
    containers in general and user namespaces in particular. The user
    space interface is now complete.

    This set of changes adds support for unprivileged users to create user
    namespaces and as a user namespace root to create other namespaces.
    The tyranny of supporting suid root preventing unprivileged users from
    using cool new kernel features is broken.

    This set of changes completes the work on setns, adding support for
    the pid, user, mount namespaces.

    This set of changes includes a bunch of basic pid namespace
    cleanups/simplifications. Of particular significance is the rework of
    the pid namespace cleanup so it no longer requires sending out
    tendrils into all kinds of unexpected cleanup paths for operation. At
    least one case of broken error handling is fixed by this cleanup.

    The files under /proc//ns/ have been converted from regular files
    to magic symlinks which prevents incorrect caching by the VFS,
    ensuring the files always refer to the namespace the process is
    currently using and ensuring that the ptrace_mayaccess permission
    checks are always applied.

    The files under /proc//ns/ have been given stable inode numbers
    so it is now possible to see if different processes share the same
    namespaces.

    Through the David Miller's net tree are changes to relax many of the
    permission checks in the networking stack to allowing the user
    namespace root to usefully use the networking stack. Similar changes
    for the mount namespace and the pid namespace are coming through my
    tree.

    Two small changes to add user namespace support were committed here and
    in David Miller's -net tree so that I could complete the work on the
    /proc//ns/ files in this tree.

    Work remains to make it safe to build user namespaces and 9p, afs,
    ceph, cifs, coda, gfs2, ncpfs, nfs, nfsd, ocfs2, and xfs so the
    Kconfig guard remains in place preventing that user namespaces from
    being built when any of those filesystems are enabled.

    Future design work remains to allow root users outside of the initial
    user namespace to mount more than just /proc and /sys."

    * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace: (38 commits)
    proc: Usable inode numbers for the namespace file descriptors.
    proc: Fix the namespace inode permission checks.
    proc: Generalize proc inode allocation
    userns: Allow unprivilged mounts of proc and sysfs
    userns: For /proc/self/{uid,gid}_map derive the lower userns from the struct file
    procfs: Print task uids and gids in the userns that opened the proc file
    userns: Implement unshare of the user namespace
    userns: Implent proc namespace operations
    userns: Kill task_user_ns
    userns: Make create_new_namespaces take a user_ns parameter
    userns: Allow unprivileged use of setns.
    userns: Allow unprivileged users to create new namespaces
    userns: Allow setting a userns mapping to your current uid.
    userns: Allow chown and setgid preservation
    userns: Allow unprivileged users to create user namespaces.
    userns: Ignore suid and sgid on binaries if the uid or gid can not be mapped
    userns: fix return value on mntns_install() failure
    vfs: Allow unprivileged manipulation of the mount namespace.
    vfs: Only support slave subtrees across different user namespaces
    vfs: Add a user namespace reference from struct mnt_namespace
    ...

    Linus Torvalds
     
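An added example, not part of the kernel tree or of the merge above: a small C program that exercises the two user-facing pieces of the merge message, an unprivileged unshare(CLONE_NEWUSER) with uid_map/gid_map written from inside the new namespace, and namespace identity compared through the stable (st_dev, st_ino) of the /proc/<pid>/ns/<type> files. It assumes a Linux kernel of 3.8 or later with CONFIG_USER_NS and /proc mounted; the write to /proc/self/setgroups is a later (3.19+) requirement and is marked as such in the code. The function names (ns_identity, same_namespace, demo_unshare_userns) are mine.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallbacks in case sched.h was included without _GNU_SOURCE in effect;
 * the value and prototype are the Linux ABI ones. */
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
int unshare(int flags);

struct ns_id { dev_t dev; ino_t ino; };

/* Identify a namespace by the (st_dev, st_ino) of its /proc/<pid>/ns/<type>
 * file: stat() follows the magic symlink, so the kernel's ptrace_may_access
 * check runs and the inode is the namespace's stable one. 0 ok, -1 error. */
int ns_identity(const char *path, struct ns_id *out)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    out->dev = st.st_dev;
    out->ino = st.st_ino;
    return 0;
}

/* 1 if both paths name the same namespace, 0 if not, -1 if a stat failed.
 * This is the "do these two processes share a namespace?" check the merge
 * message says the stable inode numbers make possible. */
int same_namespace(const char *a, const char *b)
{
    struct ns_id ia, ib;
    if (ns_identity(a, &ia) != 0 || ns_identity(b, &ib) != 0)
        return -1;
    return (ia.dev == ib.dev && ia.ino == ib.ino) ? 1 : 0;
}

/* Write one line to a /proc/self/* file. 0 on success, -errno otherwise. */
static int write_proc(const char *path, const char *line)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -errno;
    ssize_t len = (ssize_t)strlen(line);
    int rc = write(fd, line, len) == len ? 0 : -errno;
    close(fd);
    return rc;
}

/* Fork a child that unshares a user namespace, maps uid/gid 0 inside it to
 * our outer ids, and verifies it now sits in a different user namespace.
 * 1: new namespace created and distinct from the parent's;
 * 0: the unprivileged unshare was refused (EPERM from a distro knob or a
 *    seccomp filter, EINVAL when the kernel lacks CONFIG_USER_NS);
 * -1: unexpected failure. */
int demo_unshare_userns(void)
{
    struct ns_id parent;
    if (ns_identity("/proc/self/ns/user", &parent) != 0)
        return -1;
    char uid_line[64], gid_line[64];
    snprintf(uid_line, sizeof uid_line, "0 %u 1\n", (unsigned)geteuid());
    snprintf(gid_line, sizeof gid_line, "0 %u 1\n", (unsigned)getegid());

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (unshare(CLONE_NEWUSER) != 0)
            _exit(10);
        /* Kernels >= 3.19 want "deny" in /proc/self/setgroups before an
         * unprivileged gid_map write; on 3.8-era kernels the file is
         * absent and the failed open is harmless. */
        write_proc("/proc/self/setgroups", "deny");
        int mapped = write_proc("/proc/self/uid_map", uid_line) == 0 &&
                     write_proc("/proc/self/gid_map", gid_line) == 0;
        struct ns_id child;
        if (ns_identity("/proc/self/ns/user", &child) != 0)
            _exit(11);
        int distinct = child.dev != parent.dev || child.ino != parent.ino;
        /* Once mapped we are uid 0 here, but only inside this namespace. */
        _exit(distinct && (!mapped || geteuid() == 0) ? 0 : 11);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : WEXITSTATUS(status) == 10 ? 0 : -1;
}

int main(void)
{
    printf("user ns == mnt ns? %d\n",
           same_namespace("/proc/self/ns/user", "/proc/self/ns/mnt"));
    printf("unprivileged CLONE_NEWUSER: %d\n", demo_unshare_userns());
    return 0;
}
```

On a kernel built without CONFIG_USER_NS, or on a distribution that gates unprivileged user namespaces behind a sysctl or a seccomp/AppArmor policy, demo_unshare_userns() reports 0 instead of failing, so the inode comparison can still be exercised; same_namespace() on two different namespace types of the same process returns 0, which is the quickest check that the stable inode numbers are in effect.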

21 Nov, 2012

2 commits


20 Nov, 2012

1 commit

  • The task_user_ns function hides the fact that it is getting the user
    namespace from struct cred on the task. struct cred may go away as
    soon as the rcu lock is released. This leads to a race where we
    can dereference a stale user namespace pointer.

    To make it obvious a struct cred is involved kill task_user_ns.

    To kill the race modify the users of task_user_ns to only
    reference the user namespace while the rcu lock is held.

    Cc: Kees Cook
    Cc: James Morris
    Acked-by: Kees Cook
    Acked-by: Serge Hallyn
    Signed-off-by: "Eric W. Biederman"

    Eric W. Biederman
     

28 Sep, 2012

1 commit


07 Sep, 2012

1 commit

  • When running a 64-bit kernel and receiving prctls from a 32-bit
    userspace, the "-1" used as an unsigned long will end up being
    misdetected. The kernel is looking for 0xffffffffffffffff instead of
    0xffffffff. Since prctl lacks a distinct compat interface, Yama needs
    to handle this translation itself. As such, support either value as
    meaning PR_SET_PTRACER_ANY, to avoid breaking the ABI for 64-bit.

    Signed-off-by: Kees Cook
    Acked-by: John Johansen
    Cc: stable@vger.kernel.org
    Signed-off-by: James Morris

    Kees Cook
     

06 Sep, 2012

1 commit

  • Unconditionally call Yama when CONFIG_SECURITY_YAMA_STACKED is selected,
    no matter what LSM module is primary.

    Ubuntu and Chrome OS already carry patches to do this, and Fedora
    has voiced interest in doing this as well. Instead of having multiple
    distributions (or LSM authors) carrying these patches, just allow Yama
    to be called unconditionally when selected by the new CONFIG.

    Signed-off-by: Kees Cook
    Acked-by: Serge E. Hallyn
    Acked-by: Eric Paris
    Acked-by: John Johansen
    Signed-off-by: James Morris

    Kees Cook
     

17 Aug, 2012

1 commit

  • The core ptrace access checking routine holds a task lock, and when
    reporting a failure, Yama takes a separate task lock. To avoid a
    potential deadlock with two ptracers taking the opposite locks, do not
    use get_task_comm() and just use ->comm directly since accuracy is not
    important for the report.

    Reported-by: Fengguang Wu
    Suggested-by: Oleg Nesterov
    CC: stable@vger.kernel.org
    Signed-off-by: Kees Cook
    Acked-by: John Johansen
    Signed-off-by: James Morris

    Kees Cook
     

10 Aug, 2012

1 commit

  • The higher ptrace restriction levels should be blocking even
    PTRACE_TRACEME requests. The comments in the LSM documentation are
    misleading about when the checks happen (the parent does not go through
    security_ptrace_access_check() on a PTRACE_TRACEME call).

    Signed-off-by: Kees Cook
    Cc: stable@vger.kernel.org # 3.5.x and later
    Signed-off-by: James Morris

    Kees Cook
     

15 May, 2012

1 commit


23 Apr, 2012

1 commit

  • GCC complains that we don't use "one" any more after 389da25f93 "Yama:
    add additional ptrace scopes".

    security/yama/yama_lsm.c:322:12: warning: 'one' defined but not used
    [-Wunused-variable]

    Signed-off-by: Dan Carpenter
    Acked-by: Kees Cook
    Signed-off-by: James Morris

    Dan Carpenter
     

19 Apr, 2012

1 commit

  • This expands the available Yama ptrace restrictions to include two more
    modes. Mode 2 requires CAP_SYS_PTRACE for PTRACE_ATTACH, and mode 3
    completely disables PTRACE_ATTACH (and locks the sysctl).

    Signed-off-by: Kees Cook
    Signed-off-by: James Morris

    Kees Cook
     

16 Feb, 2012

1 commit

  • For a process to entirely disable Yama ptrace restrictions, it can use
    the special PR_SET_PTRACER_ANY pid to indicate that any otherwise allowed
    process may ptrace it. This is stronger than calling PR_SET_PTRACER with
    pid "1" because it includes processes in external pid namespaces. This is
    currently needed by the Chrome renderer, since its crash handler (Breakpad)
    runs external to the renderer's pid namespace.

    Signed-off-by: Kees Cook
    Signed-off-by: James Morris

    Kees Cook
     
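An added example covering the Yama commits above (the ptrace_scope modes of 19 Apr 2012, the PR_SET_PTRACER_ANY opt-out of 16 Feb 2012 and the PTRACE_TRACEME blocking of 10 Aug 2012); it is my code, not anything from the kernel tree. It reads the current scope from /proc/sys/kernel/yama/ptrace_scope, then runs two live probes: a child calling PTRACE_TRACEME, and a sibling process (same uid, not an ancestor) trying PTRACE_ATTACH on a target that either did or did not call prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY). PR_SET_PTRACER_ANY is ((unsigned long)-1), which is the value the 07 Sep 2012 compat fix concerns for 32-bit callers. It assumes Linux with Yama built in; the helper names (yama_scope, traceme_allowed, sibling_attach, yama_policy_consistent) are mine.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

/* From include/uapi/linux/prctl.h, for libc headers that predate Yama. */
#ifndef PR_SET_PTRACER
#define PR_SET_PTRACER 0x59616d61             /* 'Yama' */
#endif
#ifndef PR_SET_PTRACER_ANY
#define PR_SET_PTRACER_ANY ((unsigned long)-1)
#endif

/* Current kernel.yama.ptrace_scope: 0..3, or -1 if the sysctl is absent. */
int yama_scope(void)
{
    int scope = -1;
    FILE *f = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
    if (f) {
        if (fscanf(f, "%d", &scope) != 1)
            scope = -1;
        fclose(f);
    }
    return scope;
}

/* Probe children exit 0 when ptrace was allowed, 1 on EPERM, 2 otherwise;
 * map that to 1 / 0 / -1 for the caller. */
static int result_from_status(int status)
{
    if (!WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : WEXITSTATUS(status) == 1 ? 0 : -1;
}

/* Is PTRACE_TRACEME allowed? Scope 2 requires CAP_SYS_PTRACE in the
 * parent and scope 3 refuses it outright (the 10 Aug 2012 fix). */
int traceme_allowed(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == 0)
            _exit(0);
        _exit(errno == EPERM ? 1 : 2);
    }
    int status;
    return waitpid(pid, &status, 0) == pid ? result_from_status(status) : -1;
}

/* Can a sibling (same uid, not an ancestor) PTRACE_ATTACH to a target?
 * With opt_in the target first calls prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY),
 * so scope 1 should then allow what it otherwise refuses. */
int sibling_attach(int opt_in)
{
    int ready[2];
    if (pipe(ready) != 0)
        return -1;
    pid_t target = fork();
    if (target < 0)
        return -1;
    if (target == 0) {
        close(ready[0]);
        if (opt_in)
            prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY, 0, 0, 0);
        close(ready[1]);                 /* EOF: policy is in place */
        for (;;)
            pause();
    }
    close(ready[1]);
    char c;
    while (read(ready[0], &c, 1) > 0)    /* wait for the target's EOF */
        ;
    close(ready[0]);

    pid_t tracer = fork();
    int status = 0;
    if (tracer == 0) {
        if (ptrace(PTRACE_ATTACH, target, NULL, NULL) == 0) {
            waitpid(target, NULL, 0);    /* tracee stops on attach */
            ptrace(PTRACE_DETACH, target, NULL, NULL);
            _exit(0);
        }
        _exit(errno == EPERM ? 1 : 2);
    }
    if (tracer > 0)
        waitpid(tracer, &status, 0);
    kill(target, SIGKILL);
    waitpid(target, NULL, 0);
    return tracer > 0 ? result_from_status(status) : -1;
}

/* Sanity check of the live results against the scope semantics: opting in
 * can only widen access, and scope 3 must refuse everything. 1 if so. */
int yama_policy_consistent(void)
{
    int s = yama_scope(), t = traceme_allowed();
    int a0 = sibling_attach(0), a1 = sibling_attach(1);
    if (a0 == 1 && a1 != 1)
        return 0;
    if (s == 3 && (t == 1 || a0 == 1 || a1 == 1))
        return 0;
    return 1;
}
```

On a default Ubuntu install (scope 1) run as an ordinary user, sibling_attach(0) returns 0 and sibling_attach(1) returns 1, which is exactly the behaviour Breakpad relies on; with CAP_SYS_PTRACE scope 1 and 2 both allow the attach, and at scope 3 every probe returns 0 and the sysctl can no longer be lowered. A sandbox that filters ptrace with seccomp makes the probes return 0 or -1 regardless of the scope, so read the scope first before interpreting a refusal.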

10 Feb, 2012

1 commit

  • This adds the Yama Linux Security Module to collect DAC security
    improvements (specifically just ptrace restrictions for now) that have
    existed in various forms over the years and have been carried outside the
    mainline kernel by other Linux distributions like Openwall and grsecurity.

    Signed-off-by: Kees Cook
    Acked-by: John Johansen
    Signed-off-by: James Morris

    Kees Cook