1. 06 May 2009, 3 commits
  2. 01 May 2009, 1 commit
    • do_wait: do take security_task_wait() into account · 78a3d9d5
      Committed by Oleg Nesterov
      I was never able to understand what should we actually do when
      security_task_wait() fails, but the current code doesn't look right.
      
      If ->task_wait() returns the error, we update *notask_error correctly.
      But then we either reap the child (despite the fact this was forbidden)
      or clear *notask_error (and hide the security policy problems).
      
      This patch assumes that "stolen by ptrace" doesn't matter. If selinux
      denies the child we should ignore it but make sure we report -EACCESS
      instead of -ECHLD if there are no other eligible children.
      Signed-off-by: Oleg Nesterov <oleg@redhat.com>
      Acked-by: Roland McGrath <roland@redhat.com>
      Signed-off-by: James Morris <jmorris@namei.org>
  3. 30 April 2009, 3 commits
  4. 15 April 2009, 1 commit
    • modules: Fix up build when CONFIG_MODULE_UNLOAD=n. · 19e4529e
      Committed by Stephen Rothwell
      Commit 3d43321b ("modules: sysctl to
      block module loading") introduces a modules_disabled variable that is
      only defined if CONFIG_MODULE_UNLOAD is enabled, despite being used in
      other places. This moves it up and fixes up the build.
      
        CC      kernel/module.o
      kernel/module.c: In function 'sys_init_module':
      kernel/module.c:2401: error: 'modules_disabled' undeclared (first use in this function)
      kernel/module.c:2401: error: (Each undeclared identifier is reported only once
      kernel/module.c:2401: error: for each function it appears in.)
      make[1]: *** [kernel/module.o] Error 1
      make: *** [kernel/module.o] Error 2
      Signed-off-by: Paul Mundt <lethal@linux-sh.org>
      Signed-off-by: James Morris <jmorris@namei.org>
  5. 14 April 2009, 2 commits
  6. 07 April 2009, 1 commit
  7. 03 April 2009, 2 commits
    • don't raise all privs on setuid-root file with fE set (v2) · b5f22a59
      Committed by Serge E. Hallyn
      Distributions face a backward compatibility problem with starting to use
      file capabilities.  For instance, removing setuid root from ping and
      doing setcap cap_net_raw=pe means that booting with an older kernel
      or one compiled without file capabilities means ping won't work for
      non-root users.
      
      In order to replace the setuid root bit on a capability-unaware
      program, one has to set the effective, or legacy, file capability,
      which makes the capability effective immediately.  This patch
      uses the legacy bit as a cue to not automatically add full
      privilege to a setuid-root program.
      
      So, with this patch, an ordinary setuid-root program will run with
      privilege.  But if /bin/ping has both setuid-root and cap_net_raw in
      fP and fE, then ping (when run by non-root user) will not run
      with only cap_net_raw.
      
      Changelog:
      	Apr 2 2009: Print a message once when such a binary is loaded,
      		as per James Morris' suggestion.
      	Apr 2 2009: Fix the condition to only catch uid!=0 && euid==0.
      Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
      Acked-by: Casey Schaufler <casey@schaufler-ca.com>
      Signed-off-by: James Morris <jmorris@namei.org>
    • modules: sysctl to block module loading · 3d43321b
      Committed by Kees Cook
      Implement a sysctl file that disables module-loading system-wide since
      there is no longer a viable way to remove CAP_SYS_MODULE after the system
      bounding capability set was removed in 2.6.25.
      
      Value can only be set to "1", and is tested only if standard capability
      checks allow CAP_SYS_MODULE.  Given existing /dev/mem protections, this
      should allow administrators a one-way method to block module loading
      after initial boot-time module loading has finished.
      Signed-off-by: Kees Cook <kees.cook@canonical.com>
      Acked-by: Serge Hallyn <serue@us.ibm.com>
      Signed-off-by: James Morris <jmorris@namei.org>
  8. 02 April 2009, 1 commit
    • Permissive domain in userspace object manager · 8a6f83af
      Committed by KaiGai Kohei
      This patch enables applications to handle permissive domain correctly.
      
      Since the v2.6.26 kernel, SELinux has supported the idea of a permissive
      domain, which allows certain processes to work as if in permissive mode,
      even if the global setting is enforcing mode.
      However, we don't have an application program interface to report
      which domains are permissive ones and which domains are not.
      It means applications focusing on SELinux (XACE/SELinux, SE-PostgreSQL
      and so on) cannot handle permissive domains correctly.
      
      This patch adds a sixth field (flags) to the reply of the /selinux/access
      interface, which is used to make an access control decision from userspace.
      If the first bit of the flags field is set, it means the required
      access control decision is on a permissive domain, so the application should
      allow any required actions, as the kernel does.
      
      This patch also has a side benefit. The av_decision.flags is set at
      context_struct_compute_av(). It enables checking required permissions
      without read_lock(&policy_rwlock).
      Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
      Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
      Acked-by: Eric Paris <eparis@redhat.com>
      --
       security/selinux/avc.c              |    2 +-
       security/selinux/include/security.h |    4 +++-
       security/selinux/selinuxfs.c        |    4 ++--
       security/selinux/ss/services.c      |   30 +++++-------------------------
       4 files changed, 11 insertions(+), 29 deletions(-)
      Signed-off-by: James Morris <jmorris@namei.org>
  9. 29 March 2009, 26 commits