1. 26 Apr, 2011 1 commit
    • SELINUX: Make selinux cache VFS RCU walks safe · 0dc1ba24
      Eric Paris committed
      Now that the security modules can decide whether they support the
      dcache RCU walk or not it's possible to make selinux a bit more
      RCU friendly.  The SELinux AVC and security server access decision
      code is RCU safe.  A specific piece of the LSM audit code may not
      be RCU safe.
      
      This patch makes the VFS RCU walk retry if it would hit the non RCU
      safe chunk of code.  It will normally just work under RCU.  This is
      done simply by passing the VFS RCU state as a flag down into the
      avc_audit() code and returning ECHILD there if it would have an issue.
      Based-on-patch-by: Andi Kleen <ak@linux.intel.com>
      Signed-off-by: Eric Paris <eparis@redhat.com>
  2. 11 Jan, 2011 1 commit
  3. 17 Aug, 2009 1 commit
    • SELinux: Convert avc_audit to use lsm_audit.h · 2bf49690
      Thomas Liu committed
      Convert avc_audit in security/selinux/avc.c to use lsm_audit.h,
      for better maintainability.
      
       - changed selinux to use common_audit_data instead of
          avc_audit_data
       - eliminated code in avc.c and used code from lsm_audit.h instead.
      
      Had to add a LSM_AUDIT_NO_AUDIT to lsm_audit.h so that avc_audit
      can call common_lsm_audit and do the pre and post callbacks without
      doing the actual dump.  This makes it so that the patched version
      behaves the same way as the unpatched version.
      
      Also added a denied field to the selinux_audit_data private space,
      once again to make it so that the patched version behaves like the
      unpatched.
      
      I've tested and confirmed that AVCs look the same before and after
      this patch.
      Signed-off-by: Thomas Liu <tliu@redhat.com>
      Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: James Morris <jmorris@namei.org>
  4. 13 Jul, 2009 2 commits
  5. 25 Jun, 2009 1 commit
  6. 18 Jun, 2009 1 commit
    • Add audit messages on type boundary violations · 44c2d9bd
      KaiGai Kohei committed
      The attached patch adds support to generate audit messages on two cases.
      
      The first one is a case when a multi-thread process tries to switch its
      performing security context using setcon(3), but new security context is
      not bounded by the old one.
      
        type=SELINUX_ERR msg=audit(1245311998.599:17):        \
            op=security_bounded_transition result=denied      \
            oldcontext=system_u:system_r:httpd_t:s0           \
            newcontext=system_u:system_r:guest_webapp_t:s0
      
      The other one is a case when security_compute_av() masked any permissions
      due to the type boundary violation.
      
        type=SELINUX_ERR msg=audit(1245312836.035:32):        \
            op=security_compute_av reason=bounds              \
            scontext=system_u:object_r:user_webapp_t:s0       \
            tcontext=system_u:object_r:shadow_t:s0:c0         \
            tclass=file perms=getattr,open
      Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
      Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: James Morris <jmorris@namei.org>
  7. 28 Aug, 2008 1 commit
    • SELinux: add boundary support and thread context assignment · d9250dea
      KaiGai Kohei committed
      The purpose of this patch is to assign per-thread security context
      under a constraint. It enables multi-threaded server application
      to kick a request handler with its fair security context, and
      helps some of userspace object managers to handle user's request.
      
      When we assign a per-thread security context, it must not have wider
      permissions than the original one. Because a multi-threaded process
      shares a single local memory, an arbitrary per-thread security context
      also means another thread can easily refer violated information.
      
      The constraint on a per-thread security context requires a new domain
      has to be equal or weaker than its original one, when it tries to assign
      a per-thread security context.
      
      Bounds relationship between two types is a way to ensure a domain can
      never have wider permission than its bounds. We can define it in two
      explicit or implicit ways.
      
      The first way is using new TYPEBOUNDS statement. It enables to define
      a boundary of types explicitly. The other one expands the concept of
      existing named based hierarchy. If we define a type with "." separated
      name like "httpd_t.php", toolchain implicitly set its bounds on "httpd_t".
      
      This feature requires a new policy version.
      The 24th version (POLICYDB_VERSION_BOUNDARY) enables to ship them into
      kernel space, and the following patch enables to handle it.
      Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
      Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: James Morris <jmorris@namei.org>
  8. 14 Jul, 2008 1 commit
  9. 15 Feb, 2008 1 commit
  10. 30 Jan, 2008 1 commit
  11. 17 Oct, 2007 1 commit
  12. 12 Jul, 2007 1 commit
    • SELinux: allow preemption between transition permission checks · 2c3c05db
      Stephen Smalley committed
      In security_get_user_sids, move the transition permission checks
      outside of the section holding the policy rdlock, and use the AVC to
      perform the checks, calling cond_resched after each one.  These
      changes should allow preemption between the individual checks and
      enable caching of the results.  It may however increase the overall
      time spent in the function in some cases, particularly in the cache
      miss case.
      
      The long term fix will be to take much of this logic to userspace by
      exporting additional state via selinuxfs, and ultimately deprecating
      and eliminating this interface from the kernel.
      Tested-by: Ingo Molnar <mingo@elte.hu>
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: James Morris <jmorris@namei.org>
  13. 05 Dec, 2006 1 commit
  14. 17 Apr, 2005 1 commit
    • Linux-2.6.12-rc2 · 1da177e4
      Linus Torvalds committed
      Initial git repository build. I'm not bothering with the full history,
      even though we have it. We can create a separate "historical" git
      archive of that later if we want to, and in the meantime it's about
      3.2GB when imported into git - space that would just make the early
      git days unnecessarily complicated, when we don't have a lot of good
      infrastructure for it.
      
      Let it rip!