- 03 8月, 2017 1 次提交
-
-
由 Stephen Smalley 提交于
As systemd ramps up enabling NNP (NoNewPrivileges) for system services, it is increasingly breaking SELinux domain transitions for those services and their descendants. systemd enables NNP not only for services whose unit files explicitly specify NoNewPrivileges=yes but also for services whose unit files specify any of the following options in combination with running without CAP_SYS_ADMIN (e.g. specifying User= or a CapabilityBoundingSet= without CAP_SYS_ADMIN): SystemCallFilter=, SystemCallArchitectures=, RestrictAddressFamilies=, RestrictNamespaces=, PrivateDevices=, ProtectKernelTunables=, ProtectKernelModules=, MemoryDenyWriteExecute=, or RestrictRealtime= as per the systemd.exec(5) man page. The end result is bad for the security of both SELinux-disabled and SELinux-enabled systems. Packagers have to turn off these options in the unit files to preserve SELinux domain transitions. For users who choose to disable SELinux, this means that they miss out on at least having the systemd-supported protections. For users who keep SELinux enabled, they may still be missing out on some protections because it isn't necessarily guaranteed that the SELinux policy for that service provides the same protections in all cases. commit 7b0d0b40 ("selinux: Permit bounded transitions under NO_NEW_PRIVS or NOSUID.") allowed bounded transitions under NNP in order to support limited usage for sandboxing programs. However, defining typebounds for all of the affected service domains is impractical to implement in policy, since typebounds requires us to ensure that each domain is allowed everything all of its descendant domains are allowed, and this has to be repeated for the entire chain of domain transitions. There is no way to clone all allow rules from descendants to their ancestors in policy currently, and doing so would be undesirable even if it were practical, as it requires leaking permissions to objects and operations into ancestor domains that could weaken their own security in order to allow them to the descendants (e.g. if a descendant requires execmem permission, then so do all of its ancestors; if a descendant requires execute permission to a file, then so do all of its ancestors; if a descendant requires read to a symbolic link or temporary file, then so do all of its ancestors...). SELinux domains are intentionally not hierarchical / bounded in this manner normally, and making them so would undermine their protections and least privilege. We have long had a similar tension with SELinux transitions and nosuid mounts, albeit not as severe. Users often have had to choose between retaining nosuid on a mount and allowing SELinux domain transitions on files within those mounts. This likewise leads to unfortunate tradeoffs in security. Decouple NNP/nosuid from SELinux transitions, so that we don't have to make a choice between them. Introduce a nnp_nosuid_transition policy capability that enables transitions under NNP/nosuid to be based on a permission (nnp_transition for NNP; nosuid_transition for nosuid) between the old and new contexts in addition to the current support for bounded transitions. Domain transitions can then be allowed in policy without requiring the parent to be a strict superset of all of its children. With this change, systemd unit files can be left unmodified from upstream. SELinux-disabled and SELinux-enabled users will benefit from retaining any of the systemd-provided protections. SELinux policy will only need to be adapted to enable the new policy capability and to allow the new permissions between domain pairs as appropriate. NB: Allowing nnp_transition between two contexts opens up the potential for the old context to subvert the new context by installing seccomp filters before the execve. Allowing nosuid_transition between two contexts opens up the potential for a context transition to occur on a file from an untrusted filesystem (e.g. removable media or remote filesystem). Use with care. Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov> Signed-off-by: NPaul Moore <paul@paul-moore.com>
-
- 26 7月, 2017 1 次提交
-
-
由 Luis Ressel 提交于
For PF_UNIX, SOCK_RAW is synonymous with SOCK_DGRAM (cf. net/unix/af_unix.c). This is a tad obscure, but libpcap uses it. Signed-off-by: NLuis Ressel <aranea@aixah.de> Acked-by: NStephen Smalley <sds@tycho.nsa.gov> Signed-off-by: NPaul Moore <paul@paul-moore.com>
-
- 21 6月, 2017 2 次提交
-
-
由 Julien Gomes 提交于
New NEWCACHEREPORT message type to be used for cache reports sent via Netlink, effectively allowing splitting cache report reception from mroute programming. Suggested-by: NRyan Halbrook <halbrook@arista.com> Signed-off-by: NJulien Gomes <julien@arista.com> Reviewed-by: NNikolay Aleksandrov <nikolay@cumulusnetworks.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Jeff Vander Stoep 提交于
In kernel version 4.1, tracefs was separated from debugfs into its own filesystem. Prior to this split, files in /sys/kernel/debug/tracing could be labeled during filesystem creation using genfscon or later from userspace using setxattr. This change re-enables support for genfscon labeling. Signed-off-by: NJeff Vander Stoep <jeffv@google.com> Acked-by: NStephen Smalley <sds@tycho.nsa.gov> Signed-off-by: NPaul Moore <paul@paul-moore.com>
-
- 13 6月, 2017 1 次提交
-
-
由 Paul Moore 提交于
This patch is based on a discussion generated by an earlier patch from Tetsuo Handa: * https://marc.info/?t=149035659300001&r=1&w=2 The double free problem involves the mnt_opts field of the security_mnt_opts struct, selinux_parse_opts_str() frees the memory on error, but doesn't set the field to NULL so if the caller later attempts to call security_free_mnt_opts() we trigger the problem. In order to play it safe we change selinux_parse_opts_str() to call security_free_mnt_opts() on error instead of free'ing the memory directly. This should ensure that everything is handled correctly, regardless of what the caller may do. Fixes: e0007529 ("LSM/SELinux: Interfaces to allow FS to control mount options") Cc: stable@vger.kernel.org Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Reported-by: NDmitry Vyukov <dvyukov@google.com> Signed-off-by: NPaul Moore <paul@paul-moore.com> Signed-off-by: NJames Morris <james.l.morris@oracle.com>
-
- 10 6月, 2017 2 次提交
-
-
由 Scott Mayhew 提交于
When an NFSv4 client performs a mount operation, it first mounts the NFSv4 root and then does path walk to the exported path and performs a submount on that, cloning the security mount options from the root's superblock to the submount's superblock in the process. Unless the NFS server has an explicit fsid=0 export with the "security_label" option, the NFSv4 root superblock will not have SBLABEL_MNT set, and neither will the submount superblock after cloning the security mount options. As a result, setxattr's of security labels over NFSv4.2 will fail. In a similar fashion, NFSv4.2 mounts mounted with the context= mount option will not show the correct labels because the nfs_server->caps flags of the cloned superblock will still have NFS_CAP_SECURITY_LABEL set. Allowing the NFSv4 client to enable or disable SECURITY_LSM_NATIVE_LABELS behavior will ensure that the SBLABEL_MNT flag has the correct value when the client traverses from an exported path without the "security_label" option to one with the "security_label" option and vice versa. Similarly, checking to see if SECURITY_LSM_NATIVE_LABELS is set upon return from security_sb_clone_mnt_opts() and clearing NFS_CAP_SECURITY_LABEL if necessary will allow the correct labels to be displayed for NFSv4.2 mounts mounted with the context= mount option. Resolves: https://github.com/SELinuxProject/selinux-kernel/issues/35Signed-off-by: NScott Mayhew <smayhew@redhat.com> Reviewed-by: NStephen Smalley <sds@tycho.nsa.gov> Tested-by: NStephen Smalley <sds@tycho.nsa.gov> Signed-off-by: NPaul Moore <paul@paul-moore.com>
-
由 Junil Lee 提交于
The allocated size for each ebitmap_node is 192byte by kzalloc(). Then, ebitmap_node size is fixed, so it's possible to use only 144byte for each object by kmem_cache_zalloc(). It can reduce some dynamic allocation size. Signed-off-by: NJunil Lee <junil0814.lee@lge.com> Signed-off-by: NPaul Moore <paul@paul-moore.com>
-
- 02 6月, 2017 1 次提交
-
-
由 Florian Westphal 提交于
It will allow us to remove the old netfilter hook api in the near future. Signed-off-by: NFlorian Westphal <fw@strlen.de> Signed-off-by: NPaul Moore <paul@paul-moore.com>
-
- 26 5月, 2017 1 次提交
-
-
由 Al Viro 提交于
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
-
- 24 5月, 2017 6 次提交
-
-
由 Daniel Jurgens 提交于
It is likely that the SID for the same PKey will be requested many times. To reduce the time to modify QPs and process MADs use a cache to store PKey SIDs. This code is heavily based on the "netif" and "netport" concept originally developed by James Morris <jmorris@redhat.com> and Paul Moore <paul@paul-moore.com> (see security/selinux/netif.c and security/selinux/netport.c for more information) Signed-off-by: NDaniel Jurgens <danielj@mellanox.com> Acked-by: NDoug Ledford <dledford@redhat.com> Signed-off-by: NPaul Moore <paul@paul-moore.com>
-
由 Daniel Jurgens 提交于
Add a type for Infiniband ports and an access vector for subnet management packets. Implement the ib_port_smp hook to check that the caller has permission to send and receive SMPs on the end port specified by the device name and port. Add interface to query the SID for a IB port, which walks the IB_PORT ocontexts to find an entry for the given name and port. Signed-off-by: NDaniel Jurgens <danielj@mellanox.com> Reviewed-by: NJames Morris <james.l.morris@oracle.com> Acked-by: NDoug Ledford <dledford@redhat.com> Signed-off-by: NPaul Moore <paul@paul-moore.com>
-
由 Daniel Jurgens 提交于
Add a type and access vector for PKeys. Implement the ib_pkey_access hook to check that the caller has permission to access the PKey on the given subnet prefix. Add an interface to get the PKey SID. Walk the PKey ocontexts to find an entry for the given subnet prefix and pkey. Signed-off-by: NDaniel Jurgens <danielj@mellanox.com> Reviewed-by: NJames Morris <james.l.morris@oracle.com> Acked-by: NDoug Ledford <dledford@redhat.com> Signed-off-by: NPaul Moore <paul@paul-moore.com>
-
由 Daniel Jurgens 提交于
Implement and attach hooks to allocate and free Infiniband object security structures. Signed-off-by: NDaniel Jurgens <danielj@mellanox.com> Reviewed-by: NJames Morris <james.l.morris@oracle.com> Acked-by: NDoug Ledford <dledford@redhat.com> Signed-off-by: NPaul Moore <paul@paul-moore.com>
-
由 Daniel Jurgens 提交于
Support for Infiniband requires the addition of two new object contexts, one for infiniband PKeys and another IB Ports. Added handlers to read and write the new ocontext types when reading or writing a binary policy representation. Signed-off-by: NDaniel Jurgens <danielj@mellanox.com> Reviewed-by: NEli Cohen <eli@mellanox.com> Reviewed-by: NJames Morris <james.l.morris@oracle.com> Acked-by: NDoug Ledford <dledford@redhat.com> Signed-off-by: NPaul Moore <paul@paul-moore.com>
-
由 Daniel Jurgens 提交于
Add a generic notificaiton mechanism in the LSM. Interested consumers can register a callback with the LSM and security modules can produce events. Because access to Infiniband QPs are enforced in the setup phase of a connection security should be enforced again if the policy changes. Register infiniband devices for policy change notification and check all QPs on that device when the notification is received. Add a call to the notification mechanism from SELinux when the AVC cache changes or setenforce is cleared. Signed-off-by: NDaniel Jurgens <danielj@mellanox.com> Acked-by: NJames Morris <james.l.morris@oracle.com> Acked-by: NDoug Ledford <dledford@redhat.com> Signed-off-by: NPaul Moore <paul@paul-moore.com>
-
- 23 5月, 2017 8 次提交
-
-
由 Matthias Kaehlcke 提交于
The check is already performed in ocontext_read() when the policy is loaded. Removing the array also fixes the following warning when building with clang: security/selinux/hooks.c:338:20: error: variable 'labeling_behaviors' is not needed and will not be emitted [-Werror,-Wunneeded-internal-declaration] Signed-off-by: NMatthias Kaehlcke <mka@chromium.org> Acked-by: NStephen Smalley <sds@tycho.nsa.gov> Signed-off-by: NPaul Moore <paul@paul-moore.com>
-
由 Stephen Smalley 提交于
Log the state of SELinux policy capabilities when a policy is loaded. For each policy capability known to the kernel, log the policy capability name and the value set in the policy. For policy capabilities that are set in the loaded policy but unknown to the kernel, log the policy capability index, since this is the only information presently available in the policy. Sample output with a policy created with a new capability defined that is not known to the kernel: SELinux: policy capability network_peer_controls=1 SELinux: policy capability open_perms=1 SELinux: policy capability extended_socket_class=1 SELinux: policy capability always_check_network=0 SELinux: policy capability cgroup_seclabel=0 SELinux: unknown policy capability 5 Resolves: https://github.com/SELinuxProject/selinux-kernel/issues/32Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov> Signed-off-by: NPaul Moore <paul@paul-moore.com>
-
由 Stephen Smalley 提交于
open permission is currently only defined for files in the kernel (COMMON_FILE_PERMS rather than COMMON_FILE_SOCK_PERMS). Construction of an artificial test case that tries to open a socket via /proc/pid/fd will generate a recvfrom avc denial because recvfrom and open happen to map to the same permission bit in socket vs file classes. open of a socket via /proc/pid/fd is not supported by the kernel regardless and will ultimately return ENXIO. But we hit the permission check first and can thus produce these odd/misleading denials. Omit the open check when operating on a socket. Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov> Signed-off-by: NPaul Moore <paul@paul-moore.com>
-
由 Stephen Smalley 提交于
Add a map permission check on mmap so that we can distinguish memory mapped access (since it has different implications for revocation). When a file is opened and then read or written via syscalls like read(2)/write(2), we revalidate access on each read/write operation via selinux_file_permission() and therefore can revoke access if the process context, the file context, or the policy changes in such a manner that access is no longer allowed. When a file is opened and then memory mapped via mmap(2) and then subsequently read or written directly in memory, we presently have no way to revalidate or revoke access. The purpose of a separate map permission check on mmap(2) is to permit policy to prohibit memory mapping of specific files for which we need to ensure that every access is revalidated, particularly useful for scenarios where we expect the file to be relabeled at runtime in order to reflect state changes (e.g. cross-domain solution, assured pipeline without data copying). Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov> Signed-off-by: NPaul Moore <paul@paul-moore.com>
-
由 Stephen Smalley 提交于
SELinux uses CAP_MAC_ADMIN to control the ability to get or set a raw, uninterpreted security context unknown to the currently loaded security policy. When performing these checks, we only want to perform a base capabilities check and a SELinux permission check. If any other modules that implement a capable hook are stacked with SELinux, we do not want to require them to also have to authorize CAP_MAC_ADMIN, since it may have different implications for their security model. Rework the CAP_MAC_ADMIN checks within SELinux to only invoke the capabilities module and the SELinux permission checking. Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov> Signed-off-by: NPaul Moore <paul@paul-moore.com>
-
由 Markus Elfring 提交于
* Return an error code without storing it in an intermediate variable. * Delete the local variable "rc" and the jump label "out" which became unnecessary with this refactoring. Signed-off-by: NMarkus Elfring <elfring@users.sourceforge.net> Signed-off-by: NPaul Moore <paul@paul-moore.com>
-
由 Markus Elfring 提交于
Replace five goto statements (and previous variable assignments) by direct returns after a memory allocation failure in this function. Signed-off-by: NMarkus Elfring <elfring@users.sourceforge.net> Signed-off-by: NPaul Moore <paul@paul-moore.com>
-
由 Tetsuo Handa 提交于
This patch is a preparation for getting rid of task_create hook because task_alloc hook which can do what task_create hook can do was revived. Creating a new thread is unlikely prohibited by security policy, for fork()/execve()/exit() is fundamental of how processes are managed in Unix. If a program is known to create a new thread, it is likely that permission to create a new thread is given to that program. Therefore, a situation where security_task_create() returns an error is likely that the program was exploited and lost control. Even if SELinux failed to check permission to create a thread at security_task_create(), SELinux can later check it at security_task_alloc(). Since the new thread is not yet visible from the rest of the system, nobody can do bad things using the new thread. What we waste will be limited to some initialization steps such as dup_task_struct(), copy_creds() and audit_alloc() in copy_process(). We can tolerate these overhead for unlikely situation. Therefore, this patch changes SELinux to use task_alloc hook rather than task_create hook so that we can remove task_create hook. Signed-off-by: NTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Acked-by: NStephen Smalley <sds@tycho.nsa.gov> Signed-off-by: NPaul Moore <paul@paul-moore.com>
-
- 27 4月, 2017 1 次提交
-
-
由 Eric Biggers 提交于
simple_fill_super() is passed an array of tree_descr structures which describe the files to create in the filesystem's root directory. Since these arrays are never modified intentionally, they should be 'const' so that they are placed in .rodata and benefit from memory protection. This patch updates the function signature and all users, and also constifies tree_descr.name. Signed-off-by: NEric Biggers <ebiggers@google.com> Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
-
- 01 4月, 2017 1 次提交
-
-
由 Dan Carpenter 提交于
We removed this initialization as a cleanup but it is probably required. The concern is that "nel" can be zero. I'm not an expert on SELinux code but I think it looks possible to write an SELinux policy which triggers this bug. GCC doesn't catch this, but my static checker does. Fixes: 9c312e79 ("selinux: Delete an unnecessary variable initialisation in range_read()") Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com> Acked-by: NStephen Smalley <sds@tycho.nsa.gov> Signed-off-by: NPaul Moore <paul@paul-moore.com>
-
- 30 3月, 2017 1 次提交
-
-
由 Matthias Kaehlcke 提交于
'perms' will never be NULL since it isn't a plain pointer but an array of u32 values. This fixes the following warning when building with clang: security/selinux/ss/services.c:158:16: error: address of array 'p_in->perms' will always evaluate to 'true' [-Werror,-Wpointer-bool-conversion] while (p_in->perms && p_in->perms[k]) { Signed-off-by: NMatthias Kaehlcke <mka@chromium.org> Signed-off-by: NPaul Moore <paul@paul-moore.com>
-
- 29 3月, 2017 14 次提交
-
-
由 Markus Elfring 提交于
A string which did not contain data format specifications should be put into a sequence. Thus use the corresponding function "seq_puts". This issue was detected by using the Coccinelle software. Signed-off-by: NMarkus Elfring <elfring@users.sourceforge.net> Signed-off-by: NPaul Moore <paul@paul-moore.com>
-
由 Markus Elfring 提交于
The script "checkpatch.pl" pointed information out like the following. Comparison to NULL could be written !… Thus fix affected source code places. Signed-off-by: NMarkus Elfring <elfring@users.sourceforge.net> Signed-off-by: NPaul Moore <paul@paul-moore.com>
-
由 Markus Elfring 提交于
A multiplication for the size determination of a memory allocation indicated that an array data structure should be processed. Thus use the corresponding function "kmalloc_array". This issue was detected by using the Coccinelle software. Signed-off-by: NMarkus Elfring <elfring@users.sourceforge.net> Signed-off-by: NPaul Moore <paul@paul-moore.com>
-
由 Markus Elfring 提交于
Return directly after a call of the function "kzalloc" failed at the beginning. Signed-off-by: NMarkus Elfring <elfring@users.sourceforge.net> Signed-off-by: NPaul Moore <paul@paul-moore.com>
-
由 Markus Elfring 提交于
Return directly after a call of the function "kzalloc" failed at the beginning. Signed-off-by: NMarkus Elfring <elfring@users.sourceforge.net> Signed-off-by: NPaul Moore <paul@paul-moore.com>
-
由 Markus Elfring 提交于
Return directly after a call of the function "kzalloc" failed at the beginning. Signed-off-by: NMarkus Elfring <elfring@users.sourceforge.net> Signed-off-by: NPaul Moore <paul@paul-moore.com>
-
由 Markus Elfring 提交于
Return directly after a call of the function "kzalloc" failed at the beginning. Signed-off-by: NMarkus Elfring <elfring@users.sourceforge.net> Signed-off-by: NPaul Moore <paul@paul-moore.com>
-
由 Markus Elfring 提交于
Return directly after a call of the function "kzalloc" failed at the beginning. Signed-off-by: NMarkus Elfring <elfring@users.sourceforge.net> Signed-off-by: NPaul Moore <paul@paul-moore.com>
-
由 Markus Elfring 提交于
Return directly after a call of the function "kzalloc" failed at the beginning. Signed-off-by: NMarkus Elfring <elfring@users.sourceforge.net> Signed-off-by: NPaul Moore <paul@paul-moore.com>
-
由 Markus Elfring 提交于
Return directly after a call of the function "kzalloc" failed at the beginning. Signed-off-by: NMarkus Elfring <elfring@users.sourceforge.net> Signed-off-by: NPaul Moore <paul@paul-moore.com>
-
由 Markus Elfring 提交于
Replace the specification of a data type by a pointer dereference as the parameter for the operator "sizeof" to make the corresponding size determination a bit safer according to the Linux coding style convention. Signed-off-by: NMarkus Elfring <elfring@users.sourceforge.net> Signed-off-by: NPaul Moore <paul@paul-moore.com>
-
由 Markus Elfring 提交于
Return directly after a call of the function "kzalloc" failed at the beginning. Signed-off-by: NMarkus Elfring <elfring@users.sourceforge.net> Signed-off-by: NPaul Moore <paul@paul-moore.com>
-
由 Markus Elfring 提交于
Return directly after a call of the function "kzalloc" failed at the beginning. Signed-off-by: NMarkus Elfring <elfring@users.sourceforge.net> Signed-off-by: NPaul Moore <paul@paul-moore.com>
-
由 David Ahern 提交于
Signed-off-by: NDavid Ahern <dsa@cumulusnetworks.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-