1. 10 6月, 2017 1 次提交
  2. 02 6月, 2017 1 次提交
  3. 24 5月, 2017 8 次提交
    • D
      selinux: Add a cache for quicker retreival of PKey SIDs · 409dcf31
      Daniel Jurgens 提交于
      It is likely that the SID for the same PKey will be requested many
      times. To reduce the time to modify QPs and process MADs use a cache to
      store PKey SIDs.
      
      This code is heavily based on the "netif" and "netport" concept
      originally developed by James Morris <jmorris@redhat.com> and Paul Moore
      <paul@paul-moore.com> (see security/selinux/netif.c and
      security/selinux/netport.c for more information)
      Signed-off-by: NDaniel Jurgens <danielj@mellanox.com>
      Acked-by: NDoug Ledford <dledford@redhat.com>
      Signed-off-by: NPaul Moore <paul@paul-moore.com>
      409dcf31
    • D
      selinux: Add IB Port SMP access vector · ab861dfc
      Daniel Jurgens 提交于
      Add a type for Infiniband ports and an access vector for subnet
      management packets. Implement the ib_port_smp hook to check that the
      caller has permission to send and receive SMPs on the end port specified
      by the device name and port. Add interface to query the SID for a IB
      port, which walks the IB_PORT ocontexts to find an entry for the
      given name and port.
      Signed-off-by: NDaniel Jurgens <danielj@mellanox.com>
      Reviewed-by: NJames Morris <james.l.morris@oracle.com>
      Acked-by: NDoug Ledford <dledford@redhat.com>
      Signed-off-by: NPaul Moore <paul@paul-moore.com>
      ab861dfc
    • D
      selinux: Implement Infiniband PKey "Access" access vector · cfc4d882
      Daniel Jurgens 提交于
      Add a type and access vector for PKeys. Implement the ib_pkey_access
      hook to check that the caller has permission to access the PKey on the
      given subnet prefix. Add an interface to get the PKey SID. Walk the PKey
      ocontexts to find an entry for the given subnet prefix and pkey.
      Signed-off-by: NDaniel Jurgens <danielj@mellanox.com>
      Reviewed-by: NJames Morris <james.l.morris@oracle.com>
      Acked-by: NDoug Ledford <dledford@redhat.com>
      Signed-off-by: NPaul Moore <paul@paul-moore.com>
      cfc4d882
    • D
      selinux: Allocate and free infiniband security hooks · 3a976fa6
      Daniel Jurgens 提交于
      Implement and attach hooks to allocate and free Infiniband object
      security structures.
      Signed-off-by: NDaniel Jurgens <danielj@mellanox.com>
      Reviewed-by: NJames Morris <james.l.morris@oracle.com>
      Acked-by: NDoug Ledford <dledford@redhat.com>
      Signed-off-by: NPaul Moore <paul@paul-moore.com>
      3a976fa6
    • D
      selinux: Create policydb version for Infiniband support · a806f7a1
      Daniel Jurgens 提交于
      Support for Infiniband requires the addition of two new object contexts,
      one for infiniband PKeys and another IB Ports. Added handlers to read
      and write the new ocontext types when reading or writing a binary policy
      representation.
      Signed-off-by: NDaniel Jurgens <danielj@mellanox.com>
      Reviewed-by: NEli Cohen <eli@mellanox.com>
      Reviewed-by: NJames Morris <james.l.morris@oracle.com>
      Acked-by: NDoug Ledford <dledford@redhat.com>
      Signed-off-by: NPaul Moore <paul@paul-moore.com>
      a806f7a1
    • D
      IB/core: Enforce security on management datagrams · 47a2b338
      Daniel Jurgens 提交于
      Allocate and free a security context when creating and destroying a MAD
      agent.  This context is used for controlling access to PKeys and sending
      and receiving SMPs.
      
      When sending or receiving a MAD check that the agent has permission to
      access the PKey for the Subnet Prefix of the port.
      
      During MAD and snoop agent registration for SMI QPs check that the
      calling process has permission to access the manage the subnet  and
      register a callback with the LSM to be notified of policy changes. When
      notificaiton of a policy change occurs recheck permission and set a flag
      indicating sending and receiving SMPs is allowed.
      
      When sending and receiving MADs check that the agent has access to the
      SMI if it's on an SMI QP.  Because security policy can change it's
      possible permission was allowed when creating the agent, but no longer
      is.
      Signed-off-by: NDaniel Jurgens <danielj@mellanox.com>
      Acked-by: NDoug Ledford <dledford@redhat.com>
      [PM: remove the LSM hook init code]
      Signed-off-by: NPaul Moore <paul@paul-moore.com>
      47a2b338
    • D
      selinux lsm IB/core: Implement LSM notification system · 8f408ab6
      Daniel Jurgens 提交于
      Add a generic notificaiton mechanism in the LSM. Interested consumers
      can register a callback with the LSM and security modules can produce
      events.
      
      Because access to Infiniband QPs are enforced in the setup phase of a
      connection security should be enforced again if the policy changes.
      Register infiniband devices for policy change notification and check all
      QPs on that device when the notification is received.
      
      Add a call to the notification mechanism from SELinux when the AVC
      cache changes or setenforce is cleared.
      Signed-off-by: NDaniel Jurgens <danielj@mellanox.com>
      Acked-by: NJames Morris <james.l.morris@oracle.com>
      Acked-by: NDoug Ledford <dledford@redhat.com>
      Signed-off-by: NPaul Moore <paul@paul-moore.com>
      8f408ab6
    • D
      IB/core: Enforce PKey security on QPs · d291f1a6
      Daniel Jurgens 提交于
      Add new LSM hooks to allocate and free security contexts and check for
      permission to access a PKey.
      
      Allocate and free a security context when creating and destroying a QP.
      This context is used for controlling access to PKeys.
      
      When a request is made to modify a QP that changes the port, PKey index,
      or alternate path, check that the QP has permission for the PKey in the
      PKey table index on the subnet prefix of the port. If the QP is shared
      make sure all handles to the QP also have access.
      
      Store which port and PKey index a QP is using. After the reset to init
      transition the user can modify the port, PKey index and alternate path
      independently. So port and PKey settings changes can be a merge of the
      previous settings and the new ones.
      
      In order to maintain access control if there are PKey table or subnet
      prefix change keep a list of all QPs are using each PKey index on
      each port. If a change occurs all QPs using that device and port must
      have access enforced for the new cache settings.
      
      These changes add a transaction to the QP modify process. Association
      with the old port and PKey index must be maintained if the modify fails,
      and must be removed if it succeeds. Association with the new port and
      PKey index must be established prior to the modify and removed if the
      modify fails.
      
      1. When a QP is modified to a particular Port, PKey index or alternate
         path insert that QP into the appropriate lists.
      
      2. Check permission to access the new settings.
      
      3. If step 2 grants access attempt to modify the QP.
      
      4a. If steps 2 and 3 succeed remove any prior associations.
      
      4b. If ether fails remove the new setting associations.
      
      If a PKey table or subnet prefix changes walk the list of QPs and
      check that they have permission. If not send the QP to the error state
      and raise a fatal error event. If it's a shared QP make sure all the
      QPs that share the real_qp have permission as well. If the QP that
      owns a security structure is denied access the security structure is
      marked as such and the QP is added to an error_list. Once the moving
      the QP to error is complete the security structure mark is cleared.
      
      Maintaining the lists correctly turns QP destroy into a transaction.
      The hardware driver for the device frees the ib_qp structure, so while
      the destroy is in progress the ib_qp pointer in the ib_qp_security
      struct is undefined. When the destroy process begins the ib_qp_security
      structure is marked as destroying. This prevents any action from being
      taken on the QP pointer. After the QP is destroyed successfully it
      could still listed on an error_list wait for it to be processed by that
      flow before cleaning up the structure.
      
      If the destroy fails the QPs port and PKey settings are reinserted into
      the appropriate lists, the destroying flag is cleared, and access control
      is enforced, in case there were any cache changes during the destroy
      flow.
      
      To keep the security changes isolated a new file is used to hold security
      related functionality.
      Signed-off-by: NDaniel Jurgens <danielj@mellanox.com>
      Acked-by: NDoug Ledford <dledford@redhat.com>
      [PM: merge fixup in ib_verbs.h and uverbs_cmd.c]
      Signed-off-by: NPaul Moore <paul@paul-moore.com>
      d291f1a6
  4. 23 5月, 2017 9 次提交
  5. 22 5月, 2017 9 次提交
    • J
      d68c51e0
    • L
      Linux 4.12-rc2 · 08332893
      Linus Torvalds 提交于
      08332893
    • L
      x86: fix 32-bit case of __get_user_asm_u64() · 33c9e972
      Linus Torvalds 提交于
      The code to fetch a 64-bit value from user space was entirely buggered,
      and has been since the code was merged in early 2016 in commit
      b2f68038 ("x86/mm/32: Add support for 64-bit __get_user() on 32-bit
      kernels").
      
      Happily the buggered routine is almost certainly entirely unused, since
      the normal way to access user space memory is just with the non-inlined
      "get_user()", and the inlined version didn't even historically exist.
      
      The normal "get_user()" case is handled by external hand-written asm in
      arch/x86/lib/getuser.S that doesn't have either of these issues.
      
      There were two independent bugs in __get_user_asm_u64():
      
       - it still did the STAC/CLAC user space access marking, even though
         that is now done by the wrapper macros, see commit 11f1a4b9
         ("x86: reorganize SMAP handling in user space accesses").
      
         This didn't result in a semantic error, it just means that the
         inlined optimized version was hugely less efficient than the
         allegedly slower standard version, since the CLAC/STAC overhead is
         quite high on modern Intel CPU's.
      
       - the double register %eax/%edx was marked as an output, but the %eax
         part of it was touched early in the asm, and could thus clobber other
         inputs to the asm that gcc didn't expect it to touch.
      
         In particular, that meant that the generated code could look like
         this:
      
              mov    (%eax),%eax
              mov    0x4(%eax),%edx
      
         where the load of %edx obviously was _supposed_ to be from the 32-bit
         word that followed the source of %eax, but because %eax was
         overwritten by the first instruction, the source of %edx was
         basically random garbage.
      
      The fixes are trivial: remove the extraneous STAC/CLAC entries, and mark
      the 64-bit output as early-clobber to let gcc know that no inputs should
      alias with the output register.
      
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Benjamin LaHaise <bcrl@kvack.org>
      Cc: Ingo Molnar <mingo@kernel.org>
      Cc: stable@kernel.org   # v4.8+
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      33c9e972
    • L
      Clean up x86 unsafe_get/put_user() type handling · 334a023e
      Linus Torvalds 提交于
      Al noticed that unsafe_put_user() had type problems, and fixed them in
      commit a7cc722f ("fix unsafe_put_user()"), which made me look more
      at those functions.
      
      It turns out that unsafe_get_user() had a type issue too: it limited the
      largest size of the type it could handle to "unsigned long".  Which is
      fine with the current users, but doesn't match our existing normal
      get_user() semantics, which can also handle "u64" even when that does
      not fit in a long.
      
      While at it, also clean up the type cast in unsafe_put_user().  We
      actually want to just make it an assignment to the expected type of the
      pointer, because we actually do want warnings from types that don't
      convert silently.  And it makes the code more readable by not having
      that one very long and complex line.
      
      [ This patch might become stable material if we ever end up back-porting
        any new users of the unsafe uaccess code, but as things stand now this
        doesn't matter for any current existing uses. ]
      
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      334a023e
    • L
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · f3926e4c
      Linus Torvalds 提交于
      Pull misc uaccess fixes from Al Viro:
       "Fix for unsafe_put_user() (no callers currently in mainline, but
        anyone starting to use it will step into that) + alpha osf_wait4()
        infoleak fix"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        osf_wait4(): fix infoleak
        fix unsafe_put_user()
      f3926e4c
    • L
      Merge branch 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 970c305a
      Linus Torvalds 提交于
      Pull scheduler fix from Thomas Gleixner:
       "A single scheduler fix:
      
        Prevent idle task from ever being preempted. That makes sure that
        synchronize_rcu_tasks() which is ignoring idle task does not pretend
        that no task is stuck in preempted state. If that happens and idle was
        preempted on a ftrace trampoline the machine crashes due to
        inconsistent state"
      
      * 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        sched/core: Call __schedule() from do_idle() without enabling preemption
      970c305a
    • L
      Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · e7a3d627
      Linus Torvalds 提交于
      Pull irq fixes from Thomas Gleixner:
       "A set of small fixes for the irq subsystem:
      
         - Cure a data ordering problem with chained interrupts
      
         - Three small fixlets for the mbigen irq chip"
      
      * 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        genirq: Fix chained interrupt data ordering
        irqchip/mbigen: Fix the clear register offset calculation
        irqchip/mbigen: Fix potential NULL dereferencing
        irqchip/mbigen: Fix memory mapping code
      e7a3d627
    • A
      osf_wait4(): fix infoleak · a8c39544
      Al Viro 提交于
      failing sys_wait4() won't fill struct rusage...
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      a8c39544
    • A
      fix unsafe_put_user() · a7cc722f
      Al Viro 提交于
      __put_user_size() relies upon its first argument having the same type as what
      the second one points to; the only other user makes sure of that and
      unsafe_put_user() should do the same.
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      a7cc722f
  6. 21 5月, 2017 9 次提交
  7. 20 5月, 2017 3 次提交
    • L
      Merge tag 'usb-4.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · 32026293
      Linus Torvalds 提交于
      Pull USB fixes from Greg KH:
       "Here are a number of small USB fixes for 4.12-rc2
      
        Most of them come from Johan, in his valiant quest to fix up all
        drivers that could be affected by "malicious" USB devices. There's
        also some fixes for more "obscure" drivers to handle some of the
        vmalloc stack fallout (which for USB drivers, was always the case, but
        very few people actually ran those systems...)
      
        Other than that, the normal set of xhci and gadget and musb driver
        fixes as well.
      
        All have been in linux-next with no reported issues"
      
      * tag 'usb-4.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (42 commits)
        usb: musb: tusb6010_omap: Do not reset the other direction's packet size
        usb: musb: Fix trying to suspend while active for OTG configurations
        usb: host: xhci-plat: propagate return value of platform_get_irq()
        xhci: Fix command ring stop regression in 4.11
        xhci: remove GFP_DMA flag from allocation
        USB: xhci: fix lock-inversion problem
        usb: host: xhci-ring: don't need to clear interrupt pending for MSI enabled hcd
        usb: host: xhci-mem: allocate zeroed Scratchpad Buffer
        xhci: apply PME_STUCK_QUIRK and MISSING_CAS quirk for Denverton
        usb: xhci: trace URB before giving it back instead of after
        USB: serial: qcserial: add more Lenovo EM74xx device IDs
        USB: host: xhci: use max-port define
        USB: hub: fix SS max number of ports
        USB: hub: fix non-SS hub-descriptor handling
        USB: hub: fix SS hub-descriptor handling
        USB: usbip: fix nonconforming hub descriptor
        USB: gadget: dummy_hcd: fix hub-descriptor removable fields
        doc-rst: fixed kernel-doc directives in usb/typec.rst
        USB: core: of: document reference taken by companion helper
        USB: ehci-platform: fix companion-device leak
        ...
      32026293
    • L
      Merge tag 'char-misc-4.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc · 331da109
      Linus Torvalds 提交于
      Pull char/misc driver fixes from Greg KH:
       "Here are five small bugfixes for reported issues with 4.12-rc1 and
        earlier kernels. Nothing huge here, just a lp, mem, vpd, and uio
        driver fix, along with a Kconfig fixup for one of the misc drivers.
      
        All of these have been in linux-next with no reported issues"
      
      * tag 'char-misc-4.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
        firmware: Google VPD: Fix memory allocation error handling
        drivers: char: mem: Check for address space wraparound with mmap()
        uio: fix incorrect memory leak cleanup
        misc: pci_endpoint_test: select CRC32
        char: lp: fix possible integer overflow in lp_setup()
      331da109
    • L
      Merge git://www.linux-watchdog.org/linux-watchdog · ec53c027
      Linus Torvalds 提交于
      Pull watchdog fixes from Wim Van Sebroeck:
       - orion_wdt compile-test dependencies
       - sama5d4_wdt: WDDIS handling and a race confition
       - pcwd_usb: fix NULL-deref at probe
       - cadence_wdt: fix timeout setting
       - wdt_pci: fix build error if SOFTWARE_REBOOT is defined
       - iTCO_wdt: all versions count down twice
       - zx2967: remove redundant dev_err call in zx2967_wdt_probe()
       - bcm281xx: Fix use of uninitialized spinlock
      
      * git://www.linux-watchdog.org/linux-watchdog:
        watchdog: bcm281xx: Fix use of uninitialized spinlock.
        watchdog: zx2967: remove redundant dev_err call in zx2967_wdt_probe()
        iTCO_wdt: all versions count down twice
        watchdog: wdt_pci: fix build error if define SOFTWARE_REBOOT
        watchdog: cadence_wdt: fix timeout setting
        watchdog: pcwd_usb: fix NULL-deref at probe
        watchdog: sama5d4: fix race condition
        watchdog: sama5d4: fix WDDIS handling
        watchdog: orion: fix compile-test dependencies
      ec53c027