- 03 2月, 2009 1 次提交
-
-
由 Serge E. Hallyn 提交于
If there is an error creating a file through securityfs_create_file, NULL is not returned, rather the error is propagated. Signed-off-by: NSerge E. Hallyn <serue@us.ibm.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
- 02 2月, 2009 1 次提交
-
-
由 James Morris 提交于
Remove SELinux hooks which do nothing except defer to the capabilites hooks (or in one case, replicates the function). Signed-off-by: NJames Morris <jmorris@namei.org> Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
-
- 30 1月, 2009 18 次提交
-
-
由 James Morris 提交于
Remove secondary ops call to shm_shmat, which is a noop in capabilities. Acked-by: NSerge Hallyn <serue@us.ibm.com> Acked-by: NEric Paris <eparis@redhat.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 James Morris 提交于
Remove secondary ops call to unix_stream_connect, which is a noop in capabilities. Acked-by: NSerge Hallyn <serue@us.ibm.com> Acked-by: NEric Paris <eparis@redhat.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 James Morris 提交于
Remove secondary ops call to task_kill, which is a noop in capabilities. Acked-by: NSerge Hallyn <serue@us.ibm.com> Acked-by: NEric Paris <eparis@redhat.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 James Morris 提交于
Remove secondary ops call to task_setrlimit, which is a noop in capabilities. Acked-by: NSerge Hallyn <serue@us.ibm.com> Acked-by: NEric Paris <eparis@redhat.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 James Morris 提交于
Remove unused cred_commit hook from SELinux. This currently calls into the capabilities hook, which is a noop. Acked-by: NSerge Hallyn <serue@us.ibm.com> Acked-by: NEric Paris <eparis@redhat.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 James Morris 提交于
Remove secondary ops call to task_create, which is a noop in capabilities. Acked-by: NSerge Hallyn <serue@us.ibm.com> Acked-by: NEric Paris <eparis@redhat.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 James Morris 提交于
Remove secondary ops call to file_mprotect, which is a noop in capabilities. Acked-by: NSerge Hallyn <serue@us.ibm.com> Acked-by: NEric Paris <eparis@redhat.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 James Morris 提交于
Remove secondary ops call to inode_setattr, which is a noop in capabilities. Acked-by: NSerge Hallyn <serue@us.ibm.com> Acked-by: NEric Paris <eparis@redhat.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 James Morris 提交于
Remove secondary ops call to inode_permission, which is a noop in capabilities. Acked-by: NSerge Hallyn <serue@us.ibm.com> Acked-by: NEric Paris <eparis@redhat.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 James Morris 提交于
Remove secondary ops call to inode_follow_link, which is a noop in capabilities. Acked-by: NSerge Hallyn <serue@us.ibm.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 James Morris 提交于
Remove secondary ops call to inode_mknod, which is a noop in capabilities. Acked-by: NSerge Hallyn <serue@us.ibm.com> Acked-by: NEric Paris <eparis@redhat.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 James Morris 提交于
Remove secondary ops call to inode_unlink, which is a noop in capabilities. Acked-by: NSerge Hallyn <serue@us.ibm.com> Acked-by: NEric Paris <eparis@redhat.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 James Morris 提交于
Remove secondary ops call to inode_link, which is a noop in capabilities. Acked-by: NSerge Hallyn <serue@us.ibm.com> Acked-by: NEric Paris <eparis@redhat.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 James Morris 提交于
Remove secondary ops call to sb_umount, which is a noop in capabilities. Acked-by: NSerge Hallyn <serue@us.ibm.com> Acked-by: NEric Paris <eparis@redhat.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 James Morris 提交于
Remove secondary ops call to sb_mount, which is a noop in capabilities. Acked-by: NSerge Hallyn <serue@us.ibm.com> Acked-by: NEric Paris <eparis@redhat.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 James Morris 提交于
Remove secondary ops call to bprm_committed_creds, which is a noop in capabilities. Acked-by: NSerge Hallyn <serue@us.ibm.com> Acked-by: NEric Paris <eparis@redhat.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 James Morris 提交于
Remove secondary ops call to bprm_committing_creds, which is a noop in capabilities. Acked-by: NSerge Hallyn <serue@us.ibm.com> Acked-by: NEric Paris <eparis@redhat.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 James Morris 提交于
Remove unused bprm_check_security hook from SELinux. This currently calls into the capabilities hook, which is a noop. Acked-by: NEric Paris <eparis@redhat.com> Acked-by: NSerge Hallyn <serue@us.ibm.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
- 19 1月, 2009 3 次提交
-
-
由 David P. Quigley 提交于
Context mounts and genfs labeled file systems behave differently with respect to setting file system labels. This patch brings genfs labeled file systems in line with context mounts in that setxattr calls to them should return EOPNOTSUPP and fscreate calls will be ignored. Signed-off-by: NDavid P. Quigley <dpquigl@tycho.nsa.gov> Acked-by: NEric Paris <eparis@redhat.com> Signed-off-by: NJames Morris <jmorris@macbook.localdomain>
-
由 David P. Quigley 提交于
There is no easy way to tell if a file system supports SELinux security labeling. Because of this a new flag is being added to the super block security structure to indicate that the particular super block supports labeling. This flag is set for file systems using the xattr, task, and transition labeling methods unless that behavior is overridden by context mounts. Signed-off-by: NDavid P. Quigley <dpquigl@tycho.nsa.gov> Acked-by: NEric Paris <eparis@redhat.com> Signed-off-by: NJames Morris <jmorris@macbook.localdomain>
-
由 David P. Quigley 提交于
The super block security structure currently has three fields for what are essentially flags. The flags field is used for mount options while two other char fields are used for initialization and proc flags. These latter two fields are essentially bit fields since the only used values are 0 and 1. These fields have been collapsed into the flags field and new bit masks have been added for them. The code is also fixed to work with these new flags. Signed-off-by: NDavid P. Quigley <dpquigl@tycho.nsa.gov> Acked-by: NEric Paris <eparis@redhat.com> Signed-off-by: NJames Morris <jmorris@macbook.localdomain>
-
- 07 1月, 2009 2 次提交
-
-
由 David Howells 提交于
Fix a regression in cap_capable() due to: commit 3b11a1de Author: David Howells <dhowells@redhat.com> Date: Fri Nov 14 10:39:26 2008 +1100 CRED: Differentiate objective and effective subjective credentials on a task The problem is that the above patch allows a process to have two sets of credentials, and for the most part uses the subjective credentials when accessing current's creds. There is, however, one exception: cap_capable(), and thus capable(), uses the real/objective credentials of the target task, whether or not it is the current task. Ordinarily this doesn't matter, since usually the two cred pointers in current point to the same set of creds. However, sys_faccessat() makes use of this facility to override the credentials of the calling process to make its test, without affecting the creds as seen from other processes. One of the things sys_faccessat() does is to make an adjustment to the effective capabilities mask, which cap_capable(), as it stands, then ignores. The affected capability check is in generic_permission(): if (!(mask & MAY_EXEC) || execute_ok(inode)) if (capable(CAP_DAC_OVERRIDE)) return 0; This change passes the set of credentials to be tested down into the commoncap and SELinux code. The security functions called by capable() and has_capability() select the appropriate set of credentials from the process being checked. This can be tested by compiling the following program from the XFS testsuite: /* * t_access_root.c - trivial test program to show permission bug. * * Written by Michael Kerrisk - copyright ownership not pursued. * Sourced from: http://linux.derkeiler.com/Mailing-Lists/Kernel/2003-10/6030.html */ #include <limits.h> #include <unistd.h> #include <stdio.h> #include <stdlib.h> #include <fcntl.h> #include <sys/stat.h> #define UID 500 #define GID 100 #define PERM 0 #define TESTPATH "/tmp/t_access" static void errExit(char *msg) { perror(msg); exit(EXIT_FAILURE); } /* errExit */ static void accessTest(char *file, int mask, char *mstr) { printf("access(%s, %s) returns %d\n", file, mstr, access(file, mask)); } /* accessTest */ int main(int argc, char *argv[]) { int fd, perm, uid, gid; char *testpath; char cmd[PATH_MAX + 20]; testpath = (argc > 1) ? argv[1] : TESTPATH; perm = (argc > 2) ? strtoul(argv[2], NULL, 8) : PERM; uid = (argc > 3) ? atoi(argv[3]) : UID; gid = (argc > 4) ? atoi(argv[4]) : GID; unlink(testpath); fd = open(testpath, O_RDWR | O_CREAT, 0); if (fd == -1) errExit("open"); if (fchown(fd, uid, gid) == -1) errExit("fchown"); if (fchmod(fd, perm) == -1) errExit("fchmod"); close(fd); snprintf(cmd, sizeof(cmd), "ls -l %s", testpath); system(cmd); if (seteuid(uid) == -1) errExit("seteuid"); accessTest(testpath, 0, "0"); accessTest(testpath, R_OK, "R_OK"); accessTest(testpath, W_OK, "W_OK"); accessTest(testpath, X_OK, "X_OK"); accessTest(testpath, R_OK | W_OK, "R_OK | W_OK"); accessTest(testpath, R_OK | X_OK, "R_OK | X_OK"); accessTest(testpath, W_OK | X_OK, "W_OK | X_OK"); accessTest(testpath, R_OK | W_OK | X_OK, "R_OK | W_OK | X_OK"); exit(EXIT_SUCCESS); } /* main */ This can be run against an Ext3 filesystem as well as against an XFS filesystem. If successful, it will show: [root@andromeda src]# ./t_access_root /tmp/xxx 0 4043 4043 ---------- 1 dhowells dhowells 0 2008-12-31 03:00 /tmp/xxx access(/tmp/xxx, 0) returns 0 access(/tmp/xxx, R_OK) returns 0 access(/tmp/xxx, W_OK) returns 0 access(/tmp/xxx, X_OK) returns -1 access(/tmp/xxx, R_OK | W_OK) returns 0 access(/tmp/xxx, R_OK | X_OK) returns -1 access(/tmp/xxx, W_OK | X_OK) returns -1 access(/tmp/xxx, R_OK | W_OK | X_OK) returns -1 If unsuccessful, it will show: [root@andromeda src]# ./t_access_root /tmp/xxx 0 4043 4043 ---------- 1 dhowells dhowells 0 2008-12-31 02:56 /tmp/xxx access(/tmp/xxx, 0) returns 0 access(/tmp/xxx, R_OK) returns -1 access(/tmp/xxx, W_OK) returns -1 access(/tmp/xxx, X_OK) returns -1 access(/tmp/xxx, R_OK | W_OK) returns -1 access(/tmp/xxx, R_OK | X_OK) returns -1 access(/tmp/xxx, W_OK | X_OK) returns -1 access(/tmp/xxx, R_OK | W_OK | X_OK) returns -1 I've also tested the fix with the SELinux and syscalls LTP testsuites. Signed-off-by: NDavid Howells <dhowells@redhat.com> Tested-by: NJ. Bruce Fields <bfields@citi.umich.edu> Acked-by: NSerge Hallyn <serue@us.ibm.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 James Morris 提交于
This reverts commit 14eaddc9. David has a better version to come.
-
- 05 1月, 2009 2 次提交
-
-
由 Eric Paris 提交于
I started playing with pahole today and decided to put it against the selinux structures. Found we could save a little bit of space on x86_64 (and no harm on i686) just reorganizing some structs. Object size changes: av_inherit: 24 -> 16 selinux_class_perm: 48 -> 40 context: 80 -> 72 Admittedly there aren't many of av_inherit or selinux_class_perm's in the kernel (33 and 1 respectively) But the change to the size of struct context reverberate out a bit. I can get some hard number if they are needed, but I don't see why they would be. We do change which cacheline context->len and context->str would be on, but I don't see that as a problem since we are clearly going to have to load both if the context is to be of any value. I've run with the patch and don't seem to be having any problems. An example of what's going on using struct av_inherit would be: form: to: struct av_inherit { struct av_inherit { u16 tclass; const char **common_pts; const char **common_pts; u32 common_base; u32 common_base; u16 tclass; }; (notice all I did was move u16 tclass to the end of the struct instead of the beginning) Memory layout before the change: struct av_inherit { u16 tclass; /* 2 */ /* 6 bytes hole */ const char** common_pts; /* 8 */ u32 common_base; /* 4 */ /* 4 byes padding */ /* size: 24, cachelines: 1 */ /* sum members: 14, holes: 1, sum holes: 6 */ /* padding: 4 */ }; Memory layout after the change: struct av_inherit { const char ** common_pts; /* 8 */ u32 common_base; /* 4 */ u16 tclass; /* 2 */ /* 2 bytes padding */ /* size: 16, cachelines: 1 */ /* sum members: 14, holes: 0, sum holes: 0 */ /* padding: 2 */ }; Signed-off-by: NEric Paris <eparis@redhat.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 David Howells 提交于
Fix a regression in cap_capable() due to: commit 5ff7711e635b32f0a1e558227d030c7e45b4a465 Author: David Howells <dhowells@redhat.com> Date: Wed Dec 31 02:52:28 2008 +0000 CRED: Differentiate objective and effective subjective credentials on a task The problem is that the above patch allows a process to have two sets of credentials, and for the most part uses the subjective credentials when accessing current's creds. There is, however, one exception: cap_capable(), and thus capable(), uses the real/objective credentials of the target task, whether or not it is the current task. Ordinarily this doesn't matter, since usually the two cred pointers in current point to the same set of creds. However, sys_faccessat() makes use of this facility to override the credentials of the calling process to make its test, without affecting the creds as seen from other processes. One of the things sys_faccessat() does is to make an adjustment to the effective capabilities mask, which cap_capable(), as it stands, then ignores. The affected capability check is in generic_permission(): if (!(mask & MAY_EXEC) || execute_ok(inode)) if (capable(CAP_DAC_OVERRIDE)) return 0; This change splits capable() from has_capability() down into the commoncap and SELinux code. The capable() security op now only deals with the current process, and uses the current process's subjective creds. A new security op - task_capable() - is introduced that can check any task's objective creds. strictly the capable() security op is superfluous with the presence of the task_capable() op, however it should be faster to call the capable() op since two fewer arguments need be passed down through the various layers. This can be tested by compiling the following program from the XFS testsuite: /* * t_access_root.c - trivial test program to show permission bug. * * Written by Michael Kerrisk - copyright ownership not pursued. * Sourced from: http://linux.derkeiler.com/Mailing-Lists/Kernel/2003-10/6030.html */ #include <limits.h> #include <unistd.h> #include <stdio.h> #include <stdlib.h> #include <fcntl.h> #include <sys/stat.h> #define UID 500 #define GID 100 #define PERM 0 #define TESTPATH "/tmp/t_access" static void errExit(char *msg) { perror(msg); exit(EXIT_FAILURE); } /* errExit */ static void accessTest(char *file, int mask, char *mstr) { printf("access(%s, %s) returns %d\n", file, mstr, access(file, mask)); } /* accessTest */ int main(int argc, char *argv[]) { int fd, perm, uid, gid; char *testpath; char cmd[PATH_MAX + 20]; testpath = (argc > 1) ? argv[1] : TESTPATH; perm = (argc > 2) ? strtoul(argv[2], NULL, 8) : PERM; uid = (argc > 3) ? atoi(argv[3]) : UID; gid = (argc > 4) ? atoi(argv[4]) : GID; unlink(testpath); fd = open(testpath, O_RDWR | O_CREAT, 0); if (fd == -1) errExit("open"); if (fchown(fd, uid, gid) == -1) errExit("fchown"); if (fchmod(fd, perm) == -1) errExit("fchmod"); close(fd); snprintf(cmd, sizeof(cmd), "ls -l %s", testpath); system(cmd); if (seteuid(uid) == -1) errExit("seteuid"); accessTest(testpath, 0, "0"); accessTest(testpath, R_OK, "R_OK"); accessTest(testpath, W_OK, "W_OK"); accessTest(testpath, X_OK, "X_OK"); accessTest(testpath, R_OK | W_OK, "R_OK | W_OK"); accessTest(testpath, R_OK | X_OK, "R_OK | X_OK"); accessTest(testpath, W_OK | X_OK, "W_OK | X_OK"); accessTest(testpath, R_OK | W_OK | X_OK, "R_OK | W_OK | X_OK"); exit(EXIT_SUCCESS); } /* main */ This can be run against an Ext3 filesystem as well as against an XFS filesystem. If successful, it will show: [root@andromeda src]# ./t_access_root /tmp/xxx 0 4043 4043 ---------- 1 dhowells dhowells 0 2008-12-31 03:00 /tmp/xxx access(/tmp/xxx, 0) returns 0 access(/tmp/xxx, R_OK) returns 0 access(/tmp/xxx, W_OK) returns 0 access(/tmp/xxx, X_OK) returns -1 access(/tmp/xxx, R_OK | W_OK) returns 0 access(/tmp/xxx, R_OK | X_OK) returns -1 access(/tmp/xxx, W_OK | X_OK) returns -1 access(/tmp/xxx, R_OK | W_OK | X_OK) returns -1 If unsuccessful, it will show: [root@andromeda src]# ./t_access_root /tmp/xxx 0 4043 4043 ---------- 1 dhowells dhowells 0 2008-12-31 02:56 /tmp/xxx access(/tmp/xxx, 0) returns 0 access(/tmp/xxx, R_OK) returns -1 access(/tmp/xxx, W_OK) returns -1 access(/tmp/xxx, X_OK) returns -1 access(/tmp/xxx, R_OK | W_OK) returns -1 access(/tmp/xxx, R_OK | X_OK) returns -1 access(/tmp/xxx, W_OK | X_OK) returns -1 access(/tmp/xxx, R_OK | W_OK | X_OK) returns -1 I've also tested the fix with the SELinux and syscalls LTP testsuites. Signed-off-by: NDavid Howells <dhowells@redhat.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
- 01 1月, 2009 4 次提交
-
-
由 James Morris 提交于
Fix the following sparse warning: CC security/keys/key.o security/keys/keyctl.c:1297:10: warning: incorrect type in argument 2 (different address spaces) security/keys/keyctl.c:1297:10: expected char [noderef] <asn:1>*buffer security/keys/keyctl.c:1297:10: got char *<noident> which appears to be caused by lack of __user annotation to the cast of a syscall argument. Signed-off-by: NJames Morris <jmorris@namei.org> Acked-by: NDavid Howells <dhowells@redhat.com>
-
由 Casey Schaufler 提交于
Add support for unlabeled network hosts and networks. Relies heavily on Paul Moore's netlabel support. Creates a new entry in /smack called netlabel. Writes to /smack/netlabel take the form: A.B.C.D LABEL or A.B.C.D/N LABEL where A.B.C.D is a network address, N is an integer between 0-32, and LABEL is the Smack label to be used. If /N is omitted /32 is assumed. N designates the netmask for the address. Entries are matched by the most specific address/mask pair. 0.0.0.0/0 will match everything, while 192.168.1.117/32 will match exactly one host. A new system label "@", pronounced "web", is defined. Processes can not be assigned the web label. An address assigned the web label can be written to by any process, and packets coming from a web address can be written to any socket. Use of the web label is a violation of any strict MAC policy, but the web label has been requested many times. The nltype entry has been removed from /smack. It did not work right and the netlabel interface can be used to specify that all hosts be treated as unlabeled. CIPSO labels on incoming packets will be honored, even from designated single label hosts. Single label hosts can only be written to by processes with labels that can write to the label of the host. Packets sent to single label hosts will always be unlabeled. Once added a single label designation cannot be removed, however the label may be changed. The behavior of the ambient label remains unchanged. Signed-off-by: NCasey Schaufler <casey@schaufler-ca.com> Signed-off-by: NPaul Moore <paul.moore@hp.com>
-
由 Paul Moore 提交于
This patch is the first step towards removing the old "compat_net" code from the kernel. Secmark, the "compat_net" replacement was first introduced in 2.6.18 (September 2006) and the major Linux distributions with SELinux support have transitioned to Secmark so it is time to start deprecating the "compat_net" mechanism. Testing a patched version of 2.6.28-rc6 with the initial release of Fedora Core 5 did not show any problems when running in enforcing mode. This patch adds an entry to the feature-removal-schedule.txt file and removes the SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT configuration option, forcing Secmark on by default although it can still be disabled at runtime. The patch also makes the Secmark permission checks "dynamic" in the sense that they are only executed when Secmark is configured; this should help prevent problems with older distributions that have not yet migrated to Secmark. Signed-off-by: NPaul Moore <paul.moore@hp.com> Acked-by: NJames Morris <jmorris@namei.org>
-
由 Paul Moore 提交于
Update the NetLabel kernel API to expose the new features added in kernel releases 2.6.25 and 2.6.28: the static/fallback label functionality and network address based selectors. Signed-off-by: NPaul Moore <paul.moore@hp.com>
-
- 29 12月, 2008 1 次提交
-
-
由 David Howells 提交于
Fix variable uninitialisation warnings introduced in: commit 8bbf4976 Author: David Howells <dhowells@redhat.com> Date: Fri Nov 14 10:39:14 2008 +1100 KEYS: Alter use of key instantiation link-to-keyring argument As: security/keys/keyctl.c: In function 'keyctl_negate_key': security/keys/keyctl.c:976: warning: 'dest_keyring' may be used uninitialized in this function security/keys/keyctl.c: In function 'keyctl_instantiate_key': security/keys/keyctl.c:898: warning: 'dest_keyring' may be used uninitialized in this function Some versions of gcc notice that get_instantiation_key() doesn't always set *_dest_keyring, but fail to observe that if this happens then *_dest_keyring will not be read by the caller. Reported-by: NLinus Torvalds <torvalds@linux-foundation.org> Signed-off-by: NDavid Howells <dhowells@redhat.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
- 25 12月, 2008 1 次提交
-
-
由 Sergio Luis 提交于
smackfs: check for allocation failures in smk_set_access() While adding a new subject/object pair to smack_list, smk_set_access() didn't check the return of kzalloc(). This patch changes smk_set_access() to return 0 or -ENOMEM, based on kzalloc()'s return. It also updates its caller, smk_write_load(), to check for smk_set_access()'s return, given it is no longer a void return function. Signed-off-by: NSergio Luis <sergio@larces.uece.br> To: Casey Schaufler <casey@schaufler-ca.com> Cc: Ahmed S. Darwish <darwish.07@gmail.com> Cc: LSM <linux-security-module@vger.kernel.org> Cc: LKLM <linux-kernel@vger.kernel.org> Acked-by: NCasey Schaufler <casey@schaufler-ca.com>
-
- 20 12月, 2008 3 次提交
-
-
由 James Morris 提交于
Don't bother checking permissions when the kernel performs an internal mount, as this should always be allowed. Signed-off-by: NJames Morris <jmorris@namei.org> Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
-
由 James Morris 提交于
Pass mount flags to security_sb_kern_mount(), so security modules can determine if a mount operation is being performed by the kernel. Signed-off-by: NJames Morris <jmorris@namei.org> Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
-
由 Stephen Smalley 提交于
Map all of these proc/ filesystem types to "proc" for the policy lookup at filesystem mount time. Signed-off-by: NJames Morris <jmorris@namei.org>
-
- 25 11月, 2008 1 次提交
-
-
由 Hannes Eder 提交于
Impact: fix sparse warnings Fix the following sparse warnings: security/security.c:228:2: warning: returning void-valued expression security/security.c:233:2: warning: returning void-valued expression security/security.c:616:2: warning: returning void-valued expression Signed-off-by: NHannes Eder <hannes@hanneseder.net> Signed-off-by: NJames Morris <jmorris@namei.org>
-
- 15 11月, 2008 1 次提交
-
-
由 Eric Paris 提交于
When CONFIG_SECURITY_FILE_CAPABILITIES is not set the audit system may try to call into the capabilities function vfs_cap_from_file. This patch defines that function so kernels can build and work. Signed-off-by: NEric Paris <eparis@redhat.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
- 14 11月, 2008 2 次提交
-
-
由 David Howells 提交于
Allow kernel services to override LSM settings appropriate to the actions performed by a task by duplicating a set of credentials, modifying it and then using task_struct::cred to point to it when performing operations on behalf of a task. This is used, for example, by CacheFiles which has to transparently access the cache on behalf of a process that thinks it is doing, say, NFS accesses with a potentially inappropriate (with respect to accessing the cache) set of credentials. This patch provides two LSM hooks for modifying a task security record: (*) security_kernel_act_as() which allows modification of the security datum with which a task acts on other objects (most notably files). (*) security_kernel_create_files_as() which allows modification of the security datum that is used to initialise the security data on a file that a task creates. The patch also provides four new credentials handling functions, which wrap the LSM functions: (1) prepare_kernel_cred() Prepare a set of credentials for a kernel service to use, based either on a daemon's credentials or on init_cred. All the keyrings are cleared. (2) set_security_override() Set the LSM security ID in a set of credentials to a specific security context, assuming permission from the LSM policy. (3) set_security_override_from_ctx() As (2), but takes the security context as a string. (4) set_create_files_as() Set the file creation LSM security ID in a set of credentials to be the same as that on a particular inode. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> [Smack changes] Signed-off-by: NDavid Howells <dhowells@redhat.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 David Howells 提交于
Add a 'kernel_service' object class to SELinux and give this object class two access vectors: 'use_as_override' and 'create_files_as'. The first vector is used to grant a process the right to nominate an alternate process security ID for the kernel to use as an override for the SELinux subjective security when accessing stuff on behalf of another process. For example, CacheFiles when accessing the cache on behalf on a process accessing an NFS file needs to use a subjective security ID appropriate to the cache rather then the one the calling process is using. The cachefilesd daemon will nominate the security ID to be used. The second vector is used to grant a process the right to nominate a file creation label for a kernel service to use. Signed-off-by: NDavid Howells <dhowells@redhat.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-