1. 24 5月, 2017 1 次提交
  2. 23 5月, 2017 1 次提交
    • S
      selinux: log policy capability state when a policy is loaded · 4dc2fce3
      Stephen Smalley 提交于
      Log the state of SELinux policy capabilities when a policy is loaded.
      For each policy capability known to the kernel, log the policy capability
      name and the value set in the policy.  For policy capabilities that are
      set in the loaded policy but unknown to the kernel, log the policy
      capability index, since this is the only information presently available
      in the policy.
      
      Sample output with a policy created with a new capability defined
      that is not known to the kernel:
      SELinux:  policy capability network_peer_controls=1
      SELinux:  policy capability open_perms=1
      SELinux:  policy capability extended_socket_class=1
      SELinux:  policy capability always_check_network=0
      SELinux:  policy capability cgroup_seclabel=0
      SELinux:  unknown policy capability 5
      
      Resolves: https://github.com/SELinuxProject/selinux-kernel/issues/32Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NPaul Moore <paul@paul-moore.com>
      4dc2fce3
  3. 27 4月, 2017 1 次提交
  4. 29 3月, 2017 1 次提交
  5. 02 3月, 2017 1 次提交
  6. 25 2月, 2017 1 次提交
  7. 09 1月, 2017 4 次提交
    • G
      selinux: default to security isid in sel_make_bools() if no sid is found · 900fde06
      Gary Tierney 提交于
      Use SECINITSID_SECURITY as the default SID for booleans which don't have
      a matching SID returned from security_genfs_sid(), also update the
      error message to a warning which matches this.
      
      This prevents the policy failing to load (and consequently the system
      failing to boot) when there is no default genfscon statement matched for
      the selinuxfs in the new policy.
      Signed-off-by: NGary Tierney <gary.tierney@gmx.com>
      Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NPaul Moore <paul@paul-moore.com>
      900fde06
    • G
      selinux: log errors when loading new policy · 4262fb51
      Gary Tierney 提交于
      Adds error logging to the code paths which can fail when loading a new
      policy in sel_write_load().  If the policy fails to be loaded from
      userspace then a warning message is printed, whereas if a failure occurs
      after loading policy from userspace an error message will be printed
      with details on where policy loading failed (recreating one of /classes/,
      /policy_capabilities/, /booleans/ in the SELinux fs).
      
      Also, if sel_make_bools() fails to obtain an SID for an entry in
      /booleans/* an error will be printed indicating the path of the
      boolean.
      Signed-off-by: NGary Tierney <gary.tierney@gmx.com>
      Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NPaul Moore <paul@paul-moore.com>
      4262fb51
    • S
      selinux: clean up cred usage and simplify · be0554c9
      Stephen Smalley 提交于
      SELinux was sometimes using the task "objective" credentials when
      it could/should use the "subjective" credentials.  This was sometimes
      hidden by the fact that we were unnecessarily passing around pointers
      to the current task, making it appear as if the task could be something
      other than current, so eliminate all such passing of current.  Inline
      various permission checking helper functions that can be reduced to a
      single avc_has_perm() call.
      
      Since the credentials infrastructure only allows a task to alter
      its own credentials, we can always assume that current must be the same
      as the target task in selinux_setprocattr after the check. We likely
      should move this check from selinux_setprocattr() to proc_pid_attr_write()
      and drop the task argument to the security hook altogether; it can only
      serve to confuse things.
      Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NPaul Moore <paul@paul-moore.com>
      be0554c9
    • S
      selinux: support distinctions among all network address families · da69a530
      Stephen Smalley 提交于
      Extend SELinux to support distinctions among all network address families
      implemented by the kernel by defining new socket security classes
      and mapping to them. Otherwise, many sockets are mapped to the generic
      socket class and are indistinguishable in policy.  This has come up
      previously with regard to selectively allowing access to bluetooth sockets,
      and more recently with regard to selectively allowing access to AF_ALG
      sockets.  Guido Trentalancia submitted a patch that took a similar approach
      to add only support for distinguishing AF_ALG sockets, but this generalizes
      his approach to handle all address families implemented by the kernel.
      Socket security classes are also added for ICMP and SCTP sockets.
      Socket security classes were not defined for AF_* values that are reserved
      but unimplemented in the kernel, e.g. AF_NETBEUI, AF_SECURITY, AF_ASH,
      AF_ECONET, AF_SNA, AF_WANPIPE.
      
      Backward compatibility is provided by only enabling the finer-grained
      socket classes if a new policy capability is set in the policy; older
      policies will behave as before.  The legacy redhat1 policy capability
      that was only ever used in testing within Fedora for ptrace_child
      is reclaimed for this purpose; as far as I can tell, this policy
      capability is not enabled in any supported distro policy.
      
      Add a pair of conditional compilation guards to detect when new AF_* values
      are added so that we can update SELinux accordingly rather than having to
      belatedly update it long after new address families are introduced.
      Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NPaul Moore <paul@paul-moore.com>
      da69a530
  8. 21 11月, 2016 1 次提交
    • S
      selinux: normalize input to /sys/fs/selinux/enforce · ea49d10e
      Stephen Smalley 提交于
      At present, one can write any signed integer value to
      /sys/fs/selinux/enforce and it will be stored,
      e.g. echo -1 > /sys/fs/selinux/enforce or echo 2 >
      /sys/fs/selinux/enforce. This makes no real difference
      to the kernel, since it only ever cares if it is zero or non-zero,
      but some userspace code compares it with 1 to decide if SELinux
      is enforcing, and this could confuse it. Only a process that is
      already root and is allowed the setenforce permission in SELinux
      policy can write to /sys/fs/selinux/enforce, so this is not considered
      to be a security issue, but it should be fixed.
      Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NPaul Moore <paul@paul-moore.com>
      ea49d10e
  9. 15 11月, 2016 1 次提交
  10. 28 9月, 2016 1 次提交
  11. 16 6月, 2016 1 次提交
  12. 23 1月, 2016 1 次提交
    • A
      wrappers for ->i_mutex access · 5955102c
      Al Viro 提交于
      parallel to mutex_{lock,unlock,trylock,is_locked,lock_nested},
      inode_foo(inode) being mutex_foo(&inode->i_mutex).
      
      Please, use those for access to ->i_mutex; over the coming cycle
      ->i_mutex will become rwsem, with ->lookup() done with it held
      only shared.
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      5955102c
  13. 04 1月, 2016 1 次提交
    • A
      selinuxfs: switch to memdup_user_nul() · 8365a719
      Al Viro 提交于
      Nothing in there gives a damn about the buffer alignment - it
      just parses its contents.  So the use of get_zeroed_page()
      doesn't buy us anything - might as well had been kmalloc(),
      which makes that code equivalent to open-coded memdup_user_nul()
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      8365a719
  14. 25 12月, 2015 1 次提交
  15. 22 10月, 2015 1 次提交
  16. 11 9月, 2015 1 次提交
  17. 01 7月, 2015 1 次提交
  18. 16 4月, 2015 1 次提交
  19. 26 3月, 2015 1 次提交
  20. 26 1月, 2015 1 次提交
  21. 04 11月, 2014 1 次提交
  22. 10 3月, 2014 1 次提交
    • N
      selinux: add gfp argument to security_xfrm_policy_alloc and fix callers · 52a4c640
      Nikolay Aleksandrov 提交于
      security_xfrm_policy_alloc can be called in atomic context so the
      allocation should be done with GFP_ATOMIC. Add an argument to let the
      callers choose the appropriate way. In order to do so a gfp argument
      needs to be added to the method xfrm_policy_alloc_security in struct
      security_operations and to the internal function
      selinux_xfrm_alloc_user. After that switch to GFP_ATOMIC in the atomic
      callers and leave GFP_KERNEL as before for the rest.
      The path that needed the gfp argument addition is:
      security_xfrm_policy_alloc -> security_ops.xfrm_policy_alloc_security ->
      all users of xfrm_policy_alloc_security (e.g. selinux_xfrm_policy_alloc) ->
      selinux_xfrm_alloc_user (here the allocation used to be GFP_KERNEL only)
      
      Now adding a gfp argument to selinux_xfrm_alloc_user requires us to also
      add it to security_context_to_sid which is used inside and prior to this
      patch did only GFP_KERNEL allocation. So add gfp argument to
      security_context_to_sid and adjust all of its callers as well.
      
      CC: Paul Moore <paul@paul-moore.com>
      CC: Dave Jones <davej@redhat.com>
      CC: Steffen Klassert <steffen.klassert@secunet.com>
      CC: Fan Du <fan.du@windriver.com>
      CC: David S. Miller <davem@davemloft.net>
      CC: LSM list <linux-security-module@vger.kernel.org>
      CC: SELinux list <selinux@tycho.nsa.gov>
      Signed-off-by: NNikolay Aleksandrov <nikolay@redhat.com>
      Acked-by: NPaul Moore <paul@paul-moore.com>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      52a4c640
  23. 06 2月, 2014 1 次提交
  24. 26 7月, 2013 1 次提交
    • C
      Add SELinux policy capability for always checking packet and peer classes. · 2be4d74f
      Chris PeBenito 提交于
      Currently the packet class in SELinux is not checked if there are no
      SECMARK rules in the security or mangle netfilter tables.  Some systems
      prefer that packets are always checked, for example, to protect the system
      should the netfilter rules fail to load or if the nefilter rules
      were maliciously flushed.
      
      Add the always_check_network policy capability which, when enabled, treats
      SECMARK as enabled, even if there are no netfilter SECMARK rules and
      treats peer labeling as enabled, even if there is no Netlabel or
      labeled IPSEC configuration.
      
      Includes definition of "redhat1" SELinux policy capability, which
      exists in the SELinux userpace library, to keep ordering correct.
      
      The SELinux userpace portion of this was merged last year, but this kernel
      change fell on the floor.
      Signed-off-by: NChris PeBenito <cpebenito@tresys.com>
      Signed-off-by: NEric Paris <eparis@redhat.com>
      2be4d74f
  25. 23 2月, 2013 1 次提交
  26. 09 10月, 2012 1 次提交
    • K
      mm: kill vma flag VM_RESERVED and mm->reserved_vm counter · 314e51b9
      Konstantin Khlebnikov 提交于
      A long time ago, in v2.4, VM_RESERVED kept swapout process off VMA,
      currently it lost original meaning but still has some effects:
      
       | effect                 | alternative flags
      -+------------------------+---------------------------------------------
      1| account as reserved_vm | VM_IO
      2| skip in core dump      | VM_IO, VM_DONTDUMP
      3| do not merge or expand | VM_IO, VM_DONTEXPAND, VM_HUGETLB, VM_PFNMAP
      4| do not mlock           | VM_IO, VM_DONTEXPAND, VM_HUGETLB, VM_PFNMAP
      
      This patch removes reserved_vm counter from mm_struct.  Seems like nobody
      cares about it, it does not exported into userspace directly, it only
      reduces total_vm showed in proc.
      
      Thus VM_RESERVED can be replaced with VM_IO or pair VM_DONTEXPAND | VM_DONTDUMP.
      
      remap_pfn_range() and io_remap_pfn_range() set VM_IO|VM_DONTEXPAND|VM_DONTDUMP.
      remap_vmalloc_range() set VM_DONTEXPAND | VM_DONTDUMP.
      
      [akpm@linux-foundation.org: drivers/vfio/pci/vfio_pci.c fixup]
      Signed-off-by: NKonstantin Khlebnikov <khlebnikov@openvz.org>
      Cc: Alexander Viro <viro@zeniv.linux.org.uk>
      Cc: Carsten Otte <cotte@de.ibm.com>
      Cc: Chris Metcalf <cmetcalf@tilera.com>
      Cc: Cyrill Gorcunov <gorcunov@openvz.org>
      Cc: Eric Paris <eparis@redhat.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Hugh Dickins <hughd@google.com>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: James Morris <james.l.morris@oracle.com>
      Cc: Jason Baron <jbaron@redhat.com>
      Cc: Kentaro Takeda <takedakn@nttdata.co.jp>
      Cc: Matt Helsley <matthltc@us.ibm.com>
      Cc: Nick Piggin <npiggin@kernel.dk>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
      Cc: Robert Richter <robert.richter@amd.com>
      Cc: Suresh Siddha <suresh.b.siddha@intel.com>
      Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Cc: Venkatesh Pallipadi <venki@google.com>
      Acked-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      314e51b9
  27. 21 9月, 2012 1 次提交
  28. 23 7月, 2012 1 次提交
  29. 30 5月, 2012 1 次提交
  30. 10 4月, 2012 4 次提交
    • E
      SELinux: if sel_make_bools errors don't leave inconsistent state · 154c50ca
      Eric Paris 提交于
      We reset the bool names and values array to NULL, but do not reset the
      number of entries in these arrays to 0.  If we error out and then get back
      into this function we will walk these NULL pointers based on the belief
      that they are non-zero length.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      cc: stable@kernel.org
      154c50ca
    • E
      SELinux: remove needless sel_div function · 92ae9e82
      Eric Paris 提交于
      I'm not really sure what the idea behind the sel_div function is, but it's
      useless.  Since a and b are both unsigned, it's impossible for a % b < 0.
      That means that part of the function never does anything.  Thus it's just a
      normal /.  Just do that instead.  I don't even understand what that operation
      was supposed to mean in the signed case however....
      
      If it was signed:
      sel_div(-2, 4) == ((-2 / 4) - ((-2 % 4) < 0))
      		  ((0)      - ((-2)     < 0))
      		  ((0)      - (1))
      		  (-1)
      
      What actually happens:
      sel_div(-2, 4) == ((18446744073709551614 / 4) - ((18446744073709551614 % 4) < 0))
      		  ((4611686018427387903)      - ((2 < 0))
      		  (4611686018427387903        - 0)
      		  ((unsigned int)4611686018427387903)
      		  (4294967295)
      
      Neither makes a whole ton of sense to me.  So I'm getting rid of the
      function entirely.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      92ae9e82
    • E
      SELinux: loosen DAC perms on reading policy · 72e8c859
      Eric Paris 提交于
      There is no reason the DAC perms on reading the policy file need to be root
      only.  There are selinux checks which should control this access.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      72e8c859
    • E
      SELinux: allow seek operations on the file exposing policy · 47a93a5b
      Eric Paris 提交于
      sesearch uses:
      lseek(3, 0, SEEK_SET)                   = -1 ESPIPE (Illegal seek)
      
      Make that work.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      47a93a5b
  31. 01 4月, 2012 1 次提交
  32. 06 1月, 2012 3 次提交