1. 21 9月, 2012 1 次提交
  2. 23 7月, 2012 1 次提交
  3. 30 5月, 2012 1 次提交
  4. 10 4月, 2012 4 次提交
    • E
      SELinux: if sel_make_bools errors don't leave inconsistent state · 154c50ca
      Eric Paris 提交于
      We reset the bool names and values array to NULL, but do not reset the
      number of entries in these arrays to 0.  If we error out and then get back
      into this function we will walk these NULL pointers based on the belief
      that they are non-zero length.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      cc: stable@kernel.org
      154c50ca
    • E
      SELinux: remove needless sel_div function · 92ae9e82
      Eric Paris 提交于
      I'm not really sure what the idea behind the sel_div function is, but it's
      useless.  Since a and b are both unsigned, it's impossible for a % b < 0.
      That means that part of the function never does anything.  Thus it's just a
      normal /.  Just do that instead.  I don't even understand what that operation
      was supposed to mean in the signed case however....
      
      If it was signed:
      sel_div(-2, 4) == ((-2 / 4) - ((-2 % 4) < 0))
      		  ((0)      - ((-2)     < 0))
      		  ((0)      - (1))
      		  (-1)
      
      What actually happens:
      sel_div(-2, 4) == ((18446744073709551614 / 4) - ((18446744073709551614 % 4) < 0))
      		  ((4611686018427387903)      - ((2 < 0))
      		  (4611686018427387903        - 0)
      		  ((unsigned int)4611686018427387903)
      		  (4294967295)
      
      Neither makes a whole ton of sense to me.  So I'm getting rid of the
      function entirely.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      92ae9e82
    • E
      SELinux: loosen DAC perms on reading policy · 72e8c859
      Eric Paris 提交于
      There is no reason the DAC perms on reading the policy file need to be root
      only.  There are selinux checks which should control this access.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      72e8c859
    • E
      SELinux: allow seek operations on the file exposing policy · 47a93a5b
      Eric Paris 提交于
      sesearch uses:
      lseek(3, 0, SEEK_SET)                   = -1 ESPIPE (Illegal seek)
      
      Make that work.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      47a93a5b
  5. 01 4月, 2012 1 次提交
  6. 06 1月, 2012 3 次提交
  7. 16 11月, 2011 1 次提交
  8. 10 9月, 2011 3 次提交
  9. 02 8月, 2011 2 次提交
  10. 24 7月, 2011 1 次提交
    • T
      VFS : mount lock scalability for internal mounts · 423e0ab0
      Tim Chen 提交于
      For a number of file systems that don't have a mount point (e.g. sockfs
      and pipefs), they are not marked as long term. Therefore in
      mntput_no_expire, all locks in vfs_mount lock are taken instead of just
      local cpu's lock to aggregate reference counts when we release
      reference to file objects.  In fact, only local lock need to have been
      taken to update ref counts as these file systems are in no danger of
      going away until we are ready to unregister them.
      
      The attached patch marks file systems using kern_mount without
      mount point as long term.  The contentions of vfs_mount lock
      is now eliminated.  Before un-registering such file system,
      kern_unmount should be called to remove the long term flag and
      make the mount point ready to be freed.
      Signed-off-by: NTim Chen <tim.c.chen@linux.intel.com>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      423e0ab0
  11. 27 5月, 2011 1 次提交
    • K
      selinux: fix case of names with whitespace/multibytes on /selinux/create · 0f7e4c33
      Kohei Kaigai 提交于
      I submit the patch again, according to patch submission convension.
      
      This patch enables to accept percent-encoded object names as forth
      argument of /selinux/create interface to avoid possible bugs when we
      give an object name including whitespace or multibutes.
      
      E.g) if and when a userspace object manager tries to create a new object
       named as "resolve.conf but fake", it shall give this name as the forth
       argument of the /selinux/create. But sscanf() logic in kernel space
       fetches only the part earlier than the first whitespace.
       In this case, selinux may unexpectedly answer a default security context
       configured to "resolve.conf", but it is bug.
      
      Although I could not test this patch on named TYPE_TRANSITION rules
      actually, But debug printk() message seems to me the logic works
      correctly.
      I assume the libselinux provides an interface to apply this logic
      transparently, so nothing shall not be changed from the viewpoint of
      application.
      Signed-off-by: NKaiGai Kohei <kohei.kaigai@emea.nec.com>
      Signed-off-by: NEric Paris <eparis@redhat.com>
      0f7e4c33
  12. 20 5月, 2011 1 次提交
  13. 12 5月, 2011 1 次提交
    • G
      SELINUX: add /sys/fs/selinux mount point to put selinuxfs · 7a627e3b
      Greg Kroah-Hartman 提交于
      In the interest of keeping userspace from having to create new root
      filesystems all the time, let's follow the lead of the other in-kernel
      filesystems and provide a proper mount point for it in sysfs.
      
      For selinuxfs, this mount point should be in /sys/fs/selinux/
      
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Cc: James Morris <jmorris@namei.org>
      Cc: Eric Paris <eparis@parisplace.org>
      Cc: Lennart Poettering <mzerqung@0pointer.de>
      Cc: Daniel J Walsh <dwalsh@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>
      [include kobject.h - Eric Paris]
      [use selinuxfs_obj throughout - Eric Paris]
      Signed-off-by: NEric Paris <eparis@redhat.com>
      7a627e3b
  14. 10 4月, 2011 1 次提交
  15. 02 4月, 2011 1 次提交
  16. 07 1月, 2011 3 次提交
    • N
      fs: dcache rationalise dget variants · dc0474be
      Nick Piggin 提交于
      dget_locked was a shortcut to avoid the lazy lru manipulation when we already
      held dcache_lock (lru manipulation was relatively cheap at that point).
      However, how that the lru lock is an innermost one, we never hold it at any
      caller, so the lock cost can now be avoided. We already have well working lazy
      dcache LRU, so it should be fine to defer LRU manipulations to scan time.
      Signed-off-by: NNick Piggin <npiggin@kernel.dk>
      dc0474be
    • N
      fs: dcache remove dcache_lock · b5c84bf6
      Nick Piggin 提交于
      dcache_lock no longer protects anything. remove it.
      Signed-off-by: NNick Piggin <npiggin@kernel.dk>
      b5c84bf6
    • N
      fs: dcache scale subdirs · 2fd6b7f5
      Nick Piggin 提交于
      Protect d_subdirs and d_child with d_lock, except in filesystems that aren't
      using dcache_lock for these anyway (eg. using i_mutex).
      
      Note: if we change the locking rule in future so that ->d_child protection is
      provided only with ->d_parent->d_lock, it may allow us to reduce some locking.
      But it would be an exception to an otherwise regular locking scheme, so we'd
      have to see some good results. Probably not worthwhile.
      Signed-off-by: NNick Piggin <npiggin@kernel.dk>
      2fd6b7f5
  17. 01 12月, 2010 2 次提交
    • E
      SELinux: do not set automatic i_ino in selinuxfs · c9e86a9b
      Eric Paris 提交于
      selinuxfs carefully uses i_ino to figure out what the inode refers to.  The
      VFS used to generically set this value and we would reset it to something
      useable.  After 85fe4025 each filesystem sets this value to a default
      if needed.  Since selinuxfs doesn't use the default value and it can only
      lead to problems (I'd rather have 2 inodes with i_ino == 0 than one
      pointing to the wrong data) lets just stop setting a default.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Acked-by: NJames Morris <jmorris@namei.org>
      c9e86a9b
    • E
      SELinux: standardize return code handling in selinuxfs.c · b77a493b
      Eric Paris 提交于
      selinuxfs.c has lots of different standards on how to handle return paths on
      error.  For the most part transition to
      
      	rc=errno
      	if (failure)
      		goto out;
      [...]
      out:
      	cleanup()
      	return rc;
      
      Instead of doing cleanup mid function, or having multiple returns or other
      options.  This doesn't do that for every function, but most of the complex
      functions which have cleanup routines on error.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      b77a493b
  18. 29 10月, 2010 1 次提交
  19. 26 10月, 2010 1 次提交
    • C
      fs: do not assign default i_ino in new_inode · 85fe4025
      Christoph Hellwig 提交于
      Instead of always assigning an increasing inode number in new_inode
      move the call to assign it into those callers that actually need it.
      For now callers that need it is estimated conservatively, that is
      the call is added to all filesystems that do not assign an i_ino
      by themselves.  For a few more filesystems we can avoid assigning
      any inode number given that they aren't user visible, and for others
      it could be done lazily when an inode number is actually needed,
      but that's left for later patches.
      Signed-off-by: NChristoph Hellwig <hch@lst.de>
      Signed-off-by: NDave Chinner <dchinner@redhat.com>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      85fe4025
  20. 21 10月, 2010 3 次提交
    • E
      selinux: implement mmap on /selinux/policy · 845ca30f
      Eric Paris 提交于
      /selinux/policy allows a user to copy the policy back out of the kernel.
      This patch allows userspace to actually mmap that file and use it directly.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      845ca30f
    • E
      SELinux: allow userspace to read policy back out of the kernel · cee74f47
      Eric Paris 提交于
      There is interest in being able to see what the actual policy is that was
      loaded into the kernel.  The patch creates a new selinuxfs file
      /selinux/policy which can be read by userspace.  The actual policy that is
      loaded into the kernel will be written back out to userspace.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      cee74f47
    • K
      selinux: fast status update interface (/selinux/status) · 11904167
      KaiGai Kohei 提交于
      This patch provides a new /selinux/status entry which allows applications
      read-only mmap(2).
      This region reflects selinux_kernel_status structure in kernel space.
        struct selinux_kernel_status
        {
                u32     length;         /* length of this structure */
                u32     sequence;       /* sequence number of seqlock logic */
                u32     enforcing;      /* current setting of enforcing mode */
                u32     policyload;     /* times of policy reloaded */
                u32     deny_unknown;   /* current setting of deny_unknown */
        };
      
      When userspace object manager caches access control decisions provided
      by SELinux, it needs to invalidate the cache on policy reload and setenforce
      to keep consistency.
      However, the applications need to check the kernel state for each accesses
      on userspace avc, or launch a background worker process.
      In heuristic, frequency of invalidation is much less than frequency of
      making access control decision, so it is annoying to invoke a system call
      to check we don't need to invalidate the userspace cache.
      If we can use a background worker thread, it allows to receive invalidation
      messages from the kernel. But it requires us an invasive coding toward the
      base application in some cases; E.g, when we provide a feature performing
      with SELinux as a plugin module, it is unwelcome manner to launch its own
      worker thread from the module.
      
      If we could map /selinux/status to process memory space, application can
      know updates of selinux status; policy reload or setenforce.
      
      A typical application checks selinux_kernel_status::sequence when it tries
      to reference userspace avc. If it was changed from the last time when it
      checked userspace avc, it means something was updated in the kernel space.
      Then, the application can reset userspace avc or update current enforcing
      mode, without any system call invocations.
      This sequence number is updated according to the seqlock logic, so we need
      to wait for a while if it is odd number.
      Signed-off-by: NKaiGai Kohei <kaigai@ak.jp.nec.com>
      Acked-by: NEric Paris <eparis@redhat.com>
      --
       security/selinux/include/security.h |   21 ++++++
       security/selinux/selinuxfs.c        |   56 +++++++++++++++
       security/selinux/ss/Makefile        |    2 +-
       security/selinux/ss/services.c      |    3 +
       security/selinux/ss/status.c        |  129 +++++++++++++++++++++++++++++++++++
       5 files changed, 210 insertions(+), 1 deletions(-)
      Signed-off-by: NJames Morris <jmorris@namei.org>
      11904167
  21. 02 8月, 2010 1 次提交
  22. 09 4月, 2010 1 次提交
  23. 09 2月, 2010 1 次提交
    • X
      selinux: fix memory leak in sel_make_bools · 8007f102
      Xiaotian Feng 提交于
      In sel_make_bools, kernel allocates memory for bool_pending_names[i]
      with security_get_bools. So if we just free bool_pending_names, those
      memories for bool_pending_names[i] will be leaked.
      
      This patch resolves dozens of following kmemleak report after resuming
      from suspend:
      unreferenced object 0xffff88022e4c7380 (size 32):
        comm "init", pid 1, jiffies 4294677173
        backtrace:
          [<ffffffff810f76b5>] create_object+0x1a2/0x2a9
          [<ffffffff810f78bb>] kmemleak_alloc+0x26/0x4b
          [<ffffffff810ef3eb>] __kmalloc+0x18f/0x1b8
          [<ffffffff811cd511>] security_get_bools+0xd7/0x16f
          [<ffffffff811c48c0>] sel_write_load+0x12e/0x62b
          [<ffffffff810f9a39>] vfs_write+0xae/0x10b
          [<ffffffff810f9b56>] sys_write+0x4a/0x6e
          [<ffffffff81011b82>] system_call_fastpath+0x16/0x1b
          [<ffffffffffffffff>] 0xffffffffffffffff
      Signed-off-by: NXiaotian Feng <dfeng@redhat.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      8007f102
  24. 04 2月, 2010 1 次提交
  25. 18 1月, 2010 1 次提交
    • S
      selinux: change the handling of unknown classes · 19439d05
      Stephen Smalley 提交于
      If allow_unknown==deny, SELinux treats an undefined kernel security
      class as an error condition rather than as a typical permission denial
      and thus does not allow permissions on undefined classes even when in
      permissive mode.  Change the SELinux logic so that this case is handled
      as a typical permission denial, subject to the usual permissive mode and
      permissive domain handling.
      
      Also drop the 'requested' argument from security_compute_av() and
      helpers as it is a legacy of the original security server interface and
      is unused.
      
      Changes:
      - Handle permissive domains consistently by moving up the test for a
      permissive domain.
      - Make security_compute_av_user() consistent with security_compute_av();
      the only difference now is that security_compute_av() performs mapping
      between the kernel-private class and permission indices and the policy
      values.  In the userspace case, this mapping is handled by libselinux.
      - Moved avd_init inside the policy lock.
      
      Based in part on a patch by Paul Moore <paul.moore@hp.com>.
      Reported-by: NAndrew Worsley <amworsley@gmail.com>
      Signed-off-by: NStephen D. Smalley <sds@tycho.nsa.gov>
      Reviewed-by: NPaul Moore <paul.moore@hp.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      19439d05
  26. 07 10月, 2009 1 次提交
    • S
      selinux: dynamic class/perm discovery · c6d3aaa4
      Stephen Smalley 提交于
      Modify SELinux to dynamically discover class and permission values
      upon policy load, based on the dynamic object class/perm discovery
      logic from libselinux.  A mapping is created between kernel-private
      class and permission indices used outside the security server and the
      policy values used within the security server.
      
      The mappings are only applied upon kernel-internal computations;
      similar mappings for the private indices of userspace object managers
      is handled on a per-object manager basis by the userspace AVC.  The
      interfaces for compute_av and transition_sid are split for kernel
      vs. userspace; the userspace functions are distinguished by a _user
      suffix.
      
      The kernel-private class indices are no longer tied to the policy
      values and thus do not need to skip indices for userspace classes;
      thus the kernel class index values are compressed.  The flask.h
      definitions were regenerated by deleting the userspace classes from
      refpolicy's definitions and then regenerating the headers.  Going
      forward, we can just maintain the flask.h, av_permissions.h, and
      classmap.h definitions separately from policy as they are no longer
      tied to the policy values.  The next patch introduces a utility to
      automate generation of flask.h and av_permissions.h from the
      classmap.h definitions.
      
      The older kernel class and permission string tables are removed and
      replaced by a single security class mapping table that is walked at
      policy load to generate the mapping.  The old kernel class validation
      logic is completely replaced by the mapping logic.
      
      The handle unknown logic is reworked.  reject_unknown=1 is handled
      when the mappings are computed at policy load time, similar to the old
      handling by the class validation logic.  allow_unknown=1 is handled
      when computing and mapping decisions - if the permission was not able
      to be mapped (i.e. undefined, mapped to zero), then it is
      automatically added to the allowed vector.  If the class was not able
      to be mapped (i.e. undefined, mapped to zero), then all permissions
      are allowed for it if allow_unknown=1.
      
      avc_audit leverages the new security class mapping table to lookup the
      class and permission names from the kernel-private indices.
      
      The mdp program is updated to use the new table when generating the
      class definitions and allow rules for a minimal boot policy for the
      kernel.  It should be noted that this policy will not include any
      userspace classes, nor will its policy index values for the kernel
      classes correspond with the ones in refpolicy (they will instead match
      the kernel-private indices).
      Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      c6d3aaa4
  27. 19 5月, 2009 1 次提交
    • S
      selinux: remove obsolete read buffer limit from sel_read_bool · c5642f4b
      Stephen Smalley 提交于
      On Tue, 2009-05-19 at 00:05 -0400, Eamon Walsh wrote:
      > Recent versions of coreutils have bumped the read buffer size from 4K to
      > 32K in several of the utilities.
      >
      > This means that "cat /selinux/booleans/xserver_object_manager" no longer
      > works, it returns "Invalid argument" on F11.  getsebool works fine.
      >
      > sel_read_bool has a check for "count > PAGE_SIZE" that doesn't seem to
      > be present in the other read functions.  Maybe it could be removed?
      
      Yes, that check is obsoleted by the conversion of those functions to
      using simple_read_from_buffer(), which will reduce count if necessary to
      what is available in the buffer.
      Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      c5642f4b