You need to sign in or sign up before continuing.
- 25 4月, 2011 3 次提交
-
-
由 Andi Kleen 提交于
Right now all RCU walks fall back to reference walk when CONFIG_SECURITY is enabled, even though just the standard capability module is active. This is because security_inode_exec_permission unconditionally fails RCU walks. Move this decision to the low level security module. This requires passing the RCU flags down the security hook. This way at least the capability module and a few easy cases in selinux/smack work with RCU walks with CONFIG_SECURITY=y Signed-off-by: NAndi Kleen <ak@linux.intel.com> Signed-off-by: NEric Paris <eparis@redhat.com>
-
由 Eric Paris 提交于
The len should be an size_t but is a ssize_t. Easy enough fix to silence build warnings. We have no need for signed-ness. Signed-off-by: NEric Paris <eparis@redhat.com> Reviewed-by: NJames Morris <jmorris@namei.org>
-
由 Eric Paris 提交于
If one builds a kernel without CONFIG_BUG there are a number of 'may be used uninitialized' warnings. Silence these by returning after the BUG(). Signed-off-by: NEric Paris <eparis@redhat.com> Reviewed-by: NJames Morris <jmorris@namei.org>
-
- 20 4月, 2011 1 次提交
-
-
由 Eric Paris 提交于
The filename_trans rule processing has some printk(KERN_ERR ) messages which were intended as debug aids in creating the code but weren't removed before it was submitted. Remove them. Signed-off-by: NEric Paris <eparis@redhat.com>
-
- 08 4月, 2011 2 次提交
-
-
由 Harry Ciao 提交于
Initialize policydb.process_class once all symtabs read from policy image, so that it could be used to setup the role_trans.tclass field when a lower version policy.X is loaded. Signed-off-by: NHarry Ciao <qingtao.cao@windriver.com> Signed-off-by: NEric Paris <eparis@redhat.com>
-
由 Stephen Smalley 提交于
Commit 6f5317e7 introduced a bug in the handling of userspace object classes that is causing breakage for Xorg when XSELinux is enabled. Fix the bug by changing map_class() to return SECCLASS_NULL when the class cannot be mapped to a kernel object class. Reported-by: N"Justin P. Mattock" <justinmattock@gmail.com> Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov> Signed-off-by: NJames Morris <jmorris@namei.org>
-
- 02 4月, 2011 1 次提交
-
-
由 Kohei Kaigai 提交于
The attached patch allows /selinux/create takes optional 4th argument to support TYPE_TRANSITION with name extension for userspace object managers. If 4th argument is not supplied, it shall perform as existing kernel. In fact, the regression test of SE-PostgreSQL works well on the patched kernel. Thanks, Signed-off-by: NKaiGai Kohei <kohei.kaigai@eu.nec.com> [manually verify fuzz was not an issue, and it wasn't: eparis] Signed-off-by: NEric Paris <eparis@redhat.com>
-
- 29 3月, 2011 3 次提交
-
-
由 Harry Ciao 提交于
If kernel policy version is >= 26, then write the class field of the role_trans structure into the binary reprensentation. Signed-off-by: NHarry Ciao <qingtao.cao@windriver.com> Acked-by: NStephen Smalley <sds@tycho.nsa.gov> Signed-off-by: NEric Paris <eparis@redhat.com>
-
由 Harry Ciao 提交于
Apply role_transition rules for all kinds of classes. Signed-off-by: NHarry Ciao <qingtao.cao@windriver.com> Acked-by: NStephen Smalley <sds@tycho.nsa.gov> Signed-off-by: NEric Paris <eparis@redhat.com>
-
由 Harry Ciao 提交于
If kernel policy version is >= 26, then the binary representation of the role_trans structure supports specifying the class for the current subject or the newly created object. If kernel policy version is < 26, then the class field would be default to the process class. Signed-off-by: NHarry Ciao <qingtao.cao@windriver.com> Acked-by: NStephen Smalley <sds@tycho.nsa.gov> Signed-off-by: NEric Paris <eparis@redhat.com>
-
- 08 3月, 2011 4 次提交
-
-
由 David Howells 提交于
Add a keyctl op (KEYCTL_INSTANTIATE_IOV) that is like KEYCTL_INSTANTIATE, but takes an iovec array and concatenates the data in-kernel into one buffer. Since the KEYCTL_INSTANTIATE copies the data anyway, this isn't too much of a problem. Signed-off-by: NDavid Howells <dhowells@redhat.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 David Howells 提交于
Add a new keyctl op to reject a key with a specified error code. This works much the same as negating a key, and so keyctl_negate_key() is made a special case of keyctl_reject_key(). The difference is that keyctl_negate_key() selects ENOKEY as the error to be reported. Typically the key would be rejected with EKEYEXPIRED, EKEYREVOKED or EKEYREJECTED, but this is not mandatory. Signed-off-by: NDavid Howells <dhowells@redhat.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 David Howells 提交于
Add a key type operation to permit the key type to vet the description of a new key that key_alloc() is about to allocate. The operation may reject the description if it wishes with an error of its choosing. If it does this, the key will not be allocated. Signed-off-by: NDavid Howells <dhowells@redhat.com> Reviewed-by: NMimi Zohar <zohar@us.ibm.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 David Howells 提交于
Add an RCU payload dereference macro as this seems to be a common piece of code amongst key types that use RCU referenced payloads. Signed-off-by: NDavid Howells <dhowells@redhat.com> Signed-off-by: NMimi Zohar <zohar@us.ibm.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
- 04 3月, 2011 5 次提交
-
-
由 Eric Paris 提交于
For SELinux we do not allow security information to change during a remount operation. Thus this hook simply strips the security module options from the data and verifies that those are the same options as exist on the current superblock. Signed-off-by: NEric Paris <eparis@redhat.com> Reviewed-by: NJames Morris <jmorris@namei.org>
-
由 Eric Paris 提交于
The VFS mount code passes the mount options to the LSM. The LSM will remove options it understands from the data and the VFS will then pass the remaining options onto the underlying filesystem. This is how options like the SELinux context= work. The problem comes in that -o remount never calls into LSM code. So if you include an LSM specific option it will get passed to the filesystem and will cause the remount to fail. An example of where this is a problem is the 'seclabel' option. The SELinux LSM hook will print this word in /proc/mounts if the filesystem is being labeled using xattrs. If you pass this word on mount it will be silently stripped and ignored. But if you pass this word on remount the LSM never gets called and it will be passed to the FS. The FS doesn't know what seclabel means and thus should fail the mount. For example an ext3 fs mounted over loop # mount -o loop /tmp/fs /mnt/tmp # cat /proc/mounts | grep /mnt/tmp /dev/loop0 /mnt/tmp ext3 rw,seclabel,relatime,errors=continue,barrier=0,data=ordered 0 0 # mount -o remount /mnt/tmp mount: /mnt/tmp not mounted already, or bad option # dmesg EXT3-fs (loop0): error: unrecognized mount option "seclabel" or missing value This patch passes the remount mount options to an new LSM hook. Signed-off-by: NEric Paris <eparis@redhat.com> Reviewed-by: NJames Morris <jmorris@namei.org>
-
由 Harry Ciao 提交于
The security context for the newly created socket shares the same user, role and MLS attribute as its creator but may have a different type, which could be specified by a type_transition rule in the relevant policy package. Signed-off-by: NHarry Ciao <qingtao.cao@windriver.com> [fix call to security_transition_sid to include qstr, Eric Paris] Signed-off-by: NEric Paris <eparis@redhat.com> Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
-
由 Harry Ciao 提交于
The socket SID would be computed on creation and no longer inherit its creator's SID by default. Socket may have a different type but needs to retain the creator's role and MLS attribute in order not to break labeled networking and network access control. The kernel value for a class would be used to determine if the class if one of socket classes. If security_compute_sid is called from userspace the policy value for a class would be mapped to the relevant kernel value first. Signed-off-by: NHarry Ciao <qingtao.cao@windriver.com> Signed-off-by: NEric Paris <eparis@redhat.com> Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
-
由 Harry Ciao 提交于
The security_is_socket_class() is auto-generated by genheaders based on classmap.h to reduce maintenance effort when a new class is defined in SELinux kernel. The name for any socket class should be suffixed by "socket" and doesn't contain more than one substr of "socket". Signed-off-by: NHarry Ciao <qingtao.cao@windriver.com> Signed-off-by: NEric Paris <eparis@redhat.com> Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
-
- 03 3月, 2011 1 次提交
-
-
由 Tetsuo Handa 提交于
In tomoyo_check_open_permission() since 2.6.36, TOMOYO was by error recalculating already calculated pathname when checking allow_rewrite permission. As a result, memory will leak whenever a file is opened for writing without O_APPEND flag. Also, performance will degrade because TOMOYO is calculating pathname regardless of profile configuration. This patch fixes the leak and performance degrade. Signed-off-by: NTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: NJames Morris <jmorris@namei.org>
-
- 26 2月, 2011 5 次提交
-
-
由 Eric Paris 提交于
This reverts commit 242631c4. Conflicts: security/selinux/hooks.c SELinux used to recognize certain individual ioctls and check permissions based on the knowledge of the individual ioctl. In commit 242631c4 the SELinux code stopped trying to understand individual ioctls and to instead looked at the ioctl access bits to determine in we should check read or write for that operation. This same suggestion was made to SMACK (and I believe copied into TOMOYO). But this suggestion is total rubbish. The ioctl access bits are actually the access requirements for the structure being passed into the ioctl, and are completely unrelated to the operation of the ioctl or the object the ioctl is being performed upon. Take FS_IOC_FIEMAP as an example. FS_IOC_FIEMAP is defined as: FS_IOC_FIEMAP _IOWR('f', 11, struct fiemap) So it has access bits R and W. What this really means is that the kernel is going to both read and write to the struct fiemap. It has nothing at all to do with the operations that this ioctl might perform on the file itself! Signed-off-by: NEric Paris <eparis@redhat.com> Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
-
由 Eric Paris 提交于
These permissions are not used and can be dropped in the kernel definitions. Suggested-by: NStephen Smalley <sds@tycho.nsa.gov> Signed-off-by: NEric Paris <eparis@redhat.com> Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
-
由 Steffen Klassert 提交于
The IPSKB_FORWARDED and IP6SKB_FORWARDED flags are used only in the multicast forwarding case to indicate that a packet looped back after forward. So these flags are not a good indicator for packet forwarding. A better indicator is the incoming interface. If we have no socket context, but an incoming interface and we see the packet in the ip postroute hook, the packet is going to be forwarded. With this patch we use the incoming interface as an indicator on packet forwarding. Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com> Acked-by: NPaul Moore <paul.moore@hp.com> Signed-off-by: NEric Paris <eparis@redhat.com>
-
由 Steffen Klassert 提交于
selinux_sock_rcv_skb_compat and selinux_ip_postroute_compat are just called if selinux_policycap_netpeer is not set. However in these functions we check if selinux_policycap_netpeer is set. This leads to some dead code and to the fact that selinux_xfrm_postroute_last is never executed. This patch removes the dead code and the checks for selinux_policycap_netpeer in the compatibility functions. Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com> Acked-by: NPaul Moore <paul.moore@hp.com> Signed-off-by: NEric Paris <eparis@redhat.com>
-
由 Steffen Klassert 提交于
selinux_xfrm_sec_ctx_alloc accidentally checks the xfrm domain of interpretation against the selinux context algorithm. This patch fixes this by checking ctx_alg against the selinux context algorithm. Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com> Acked-by: NPaul Moore <paul.moore@hp.com> Signed-off-by: NEric Paris <eparis@redhat.com>
-
- 24 2月, 2011 1 次提交
-
-
由 Mimi Zohar 提交于
The original ima_must_measure() function based its results on cached iint information, which required an iint be allocated for all files. Currently, an iint is allocated only for files in policy. As a result, for those files in policy, ima_must_measure() is now called twice: once to determine if the inode is in the measurement policy and, the second time, to determine if it needs to be measured/re-measured. The second call to ima_must_measure() unnecessarily checks to see if the file is in policy. As we already know the file is in policy, this patch removes the second unnecessary call to ima_must_measure(), removes the vestige iint parameter, and just checks the iint directly to determine if the inode has been measured or needs to be measured/re-measured. Signed-off-by: NMimi Zohar <zohar@us.ibm.com> Acked-by: NEric Paris <eparis@redhat.com>
-
- 11 2月, 2011 1 次提交
-
-
由 Chris Wright 提交于
Expand security_capable() to include cred, so that it can be usable in a wider range of call sites. Signed-off-by: NChris Wright <chrisw@sous-sol.org> Acked-by: NSerge Hallyn <serge.hallyn@canonical.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
- 10 2月, 2011 5 次提交
-
-
由 Mimi Zohar 提交于
Now that i_readcount is maintained by the VFS layer, remove the imbalance checking in IMA. Cleans up the IMA code nicely. Signed-off-by: NMimi Zohar <zohar@us.ibm.com> Acked-by: NEric Paris <eparis@redhat.com>
-
由 Mimi Zohar 提交于
ima_counts_get() updated the readcount and invalidated the PCR, as necessary. Only update the i_readcount in the VFS layer. Move the PCR invalidation checks to ima_file_check(), where it belongs. Maintaining the i_readcount in the VFS layer, will allow other subsystems to use i_readcount. Signed-off-by: NMimi Zohar <zohar@us.ibm.com> Acked-by: NEric Paris <eparis@redhat.com>
-
由 Mimi Zohar 提交于
Convert the inode's i_readcount from an unsigned int to atomic. Signed-off-by: NMimi Zohar <zohar@us.ibm.com> Acked-by: NEric Paris <eparis@redhat.com>
-
由 Casey Schaufler 提交于
The mmap policy enforcement checks the access of the SMACK64MMAP subject against the current subject incorrectly. The check as written works correctly only if the access rules involved have the same access. This is the common case, so initial testing did not find a problem. Signed-off-by: NCasey Schaufler <casey@schaufler-ca.com>
-
由 Shan Wei 提交于
Kill unused macros of SMACK_LIST_MAX, MAY_ANY and MAY_ANYWRITE. v2: As Casey Schaufler's advice, also remove MAY_ANY. Signed-off-by: NShan Wei <shanwei@cn.fujitsu.com> Signed-off-by: NCasey Schaufler <casey@schaufler-ca.com>
-
- 09 2月, 2011 1 次提交
-
-
由 Casey Schaufler 提交于
The mmap policy enforcement was not properly handling the interaction between the global and local rule lists. Instead of going through one and then the other, which missed the important case where a rule specified that there should be no access, combine the access limitations where there is a rule in each list. Signed-off-by: NCasey Schaufler <casey@schaufler-ca.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
- 08 2月, 2011 1 次提交
-
-
由 Tetsuo Handa 提交于
In cred_alloc_blank() since 2.6.32, abort_creds(new) is called with new->security == NULL and new->magic == 0 when security_cred_alloc_blank() returns an error. As a result, BUG() will be triggered if SELinux is enabled or CONFIG_DEBUG_CREDENTIALS=y. If CONFIG_DEBUG_CREDENTIALS=y, BUG() is called from __invalid_creds() because cred->magic == 0. Failing that, BUG() is called from selinux_cred_free() because selinux_cred_free() is not expecting cred->security == NULL. This does not affect smack_cred_free(), tomoyo_cred_free() or apparmor_cred_free(). Fix these bugs by (1) Set new->magic before calling security_cred_alloc_blank(). (2) Handle null cred->security in creds_are_invalid() and selinux_cred_free(). Signed-off-by: NTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: NDavid Howells <dhowells@redhat.com> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
- 02 2月, 2011 4 次提交
-
-
由 Lucian Adrian Grijincu 提交于
The only user for this hook was selinux. sysctl routes every call through /proc/sys/. Selinux and other security modules use the file system checks for sysctl too, so no need for this hook any more. Signed-off-by: NLucian Adrian Grijincu <lucian.grijincu@gmail.com> Signed-off-by: NEric Paris <eparis@redhat.com>
-
由 Lucian Adrian Grijincu 提交于
This fixes an old (2007) selinux regression: filesystem labeling for /proc/sys returned -r--r--r-- unknown /proc/sys/fs/file-nr instead of -r--r--r-- system_u:object_r:sysctl_fs_t:s0 /proc/sys/fs/file-nr Events that lead to breaking of /proc/sys/ selinux labeling: 1) sysctl was reimplemented to route all calls through /proc/sys/ commit 77b14db5 [PATCH] sysctl: reimplement the sysctl proc support 2) proc_dir_entry was removed from ctl_table: commit 3fbfa981 [PATCH] sysctl: remove the proc_dir_entry member for the sysctl tables 3) selinux still walked the proc_dir_entry tree to apply labeling. Because ctl_tables don't have a proc_dir_entry, we did not label /proc/sys/ inodes any more. To achieve this the /proc/sys/ inodes were marked private and private inodes were ignored by selinux. commit bbaca6c2 [PATCH] selinux: enhance selinux to always ignore private inodes commit 86a71dbd [PATCH] sysctl: hide the sysctl proc inodes from selinux Access control checks have been done by means of a special sysctl hook that was called for read/write accesses to any /proc/sys/ entry. We don't have to do this because, instead of walking the proc_dir_entry tree we can walk the dentry tree (as done in this patch). With this patch: * we don't mark /proc/sys/ inodes as private * we don't need the sysclt security hook * we walk the dentry tree to find the path to the inode. We have to strip the PID in /proc/PID/ entries that have a proc_dir_entry because selinux does not know how to label paths like '/1/net/rpc/nfsd.fh' (and defaults to 'proc_t' labeling). Selinux does know of '/net/rpc/nfsd.fh' (and applies the 'sysctl_rpc_t' label). PID stripping from the path was done implicitly in the previous code because the proc_dir_entry tree had the root in '/net' in the example from above. The dentry tree has the root in '/1'. Signed-off-by: NEric W. Biederman <ebiederm@xmission.com> Signed-off-by: NLucian Adrian Grijincu <lucian.grijincu@gmail.com> Signed-off-by: NEric Paris <eparis@redhat.com>
-
由 Eric Paris 提交于
Currently SELinux has rules which label new objects according to 3 criteria. The label of the process creating the object, the label of the parent directory, and the type of object (reg, dir, char, block, etc.) This patch adds a 4th criteria, the dentry name, thus we can distinguish between creating a file in an etc_t directory called shadow and one called motd. There is no file globbing, regex parsing, or anything mystical. Either the policy exactly (strcmp) matches the dentry name of the object or it doesn't. This patch has no changes from today if policy does not implement the new rules. Signed-off-by: NEric Paris <eparis@redhat.com>
-
由 Eric Paris 提交于
SELinux would like to implement a new labeling behavior of newly created inodes. We currently label new inodes based on the parent and the creating process. This new behavior would also take into account the name of the new object when deciding the new label. This is not the (supposed) full path, just the last component of the path. This is very useful because creating /etc/shadow is different than creating /etc/passwd but the kernel hooks are unable to differentiate these operations. We currently require that userspace realize it is doing some difficult operation like that and than userspace jumps through SELinux hoops to get things set up correctly. This patch does not implement new behavior, that is obviously contained in a seperate SELinux patch, but it does pass the needed name down to the correct LSM hook. If no such name exists it is fine to pass NULL. Signed-off-by: NEric Paris <eparis@redhat.com>
-
- 26 1月, 2011 1 次提交
-
-
由 David Howells 提交于
Fix __key_link_end()'s attempt to fix up the quota if an error occurs. There are two erroneous cases: Firstly, we always decrease the quota if the preallocated replacement keyring needs cleaning up, irrespective of whether or not we should (we may have replaced a pointer rather than adding another pointer). Secondly, we never clean up the quota if we added a pointer without the keyring storage being extended (we allocate multiple pointers at a time, even if we're not going to use them all immediately). We handle this by setting the bottom bit of the preallocation pointer in __key_link_begin() to indicate that the quota needs fixing up, which is then passed to __key_link() (which clears the whole thing) and __key_link_end(). Signed-off-by: NDavid Howells <dhowells@redhat.com> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
- 24 1月, 2011 1 次提交
-
-
由 Davidlohr Bueso 提交于
Return -ENOMEM when memory allocation fails in cond_init_bool_indexes, correctly propagating error code to caller. Signed-off-by: NDavidlohr Bueso <dave@gnu.org> Signed-off-by: NJames Morris <jmorris@namei.org>
-