1. 23 8月, 2007 1 次提交
    • A
      fix NULL pointer dereference in __vm_enough_memory() · 34b4e4aa
      Alan Cox 提交于
      The new exec code inserts an accounted vma into an mm struct which is not
      current->mm.  The existing memory check code has a hard coded assumption
      that this does not happen as does the security code.
      
      As the correct mm is known we pass the mm to the security method and the
      helper function.  A new security test is added for the case where we need
      to pass the mm and the existing one is modified to pass current->mm to
      avoid the need to change large amounts of code.
      
      (Thanks to Tobias for fixing rejects and testing)
      Signed-off-by: NAlan Cox <alan@redhat.com>
      Cc: WU Fengguang <wfg@mail.ustc.edu.cn>
      Cc: James Morris <jmorris@redhat.com>
      Cc: Tobias Diedrich <ranma+kernel@tdiedrich.de>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      34b4e4aa
  2. 16 8月, 2007 1 次提交
  3. 02 8月, 2007 2 次提交
  4. 01 8月, 2007 1 次提交
  5. 26 7月, 2007 1 次提交
  6. 23 7月, 2007 1 次提交
  7. 22 7月, 2007 1 次提交
    • A
      [PATCH] get rid of AVC_PATH postponed treatment · 4259fa01
      Al Viro 提交于
              Selinux folks had been complaining about the lack of AVC_PATH
      records when audit is disabled.  I must admit my stupidity - I assumed
      that avc_audit() really couldn't use audit_log_d_path() because of
      deadlocks (== could be called with dcache_lock or vfsmount_lock held).
      Shouldn't have made that assumption - it never gets called that way.
      It _is_ called under spinlocks, but not those.
      
              Since audit_log_d_path() uses ab->gfp_mask for allocations,
      kmalloc() in there is not a problem.  IOW, the simple fix is sufficient:
      let's rip AUDIT_AVC_PATH out and simply generate pathname as part of main
      record.  It's trivial to do.
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      Acked-by: NJames Morris <jmorris@namei.org>
      4259fa01
  8. 20 7月, 2007 2 次提交
  9. 19 7月, 2007 2 次提交
    • P
      SELinux: use SECINITSID_NETMSG instead of SECINITSID_UNLABELED for NetLabel · f36158c4
      Paul Moore 提交于
      These changes will make NetLabel behave like labeled IPsec where there is an
      access check for both labeled and unlabeled packets as well as providing the
      ability to restrict domains to receiving only labeled packets when NetLabel is
      in use.  The changes to the policy are straight forward with the following
      necessary to receive labeled traffic (with SECINITSID_NETMSG defined as
      "netlabel_peer_t"):
      
       allow mydom_t netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
      
      The policy for unlabeled traffic would be:
      
       allow mydom_t unlabeled_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
      
      These policy changes, as well as more general NetLabel support, are included in
      the latest SELinux Reference Policy release 20070629 or later.  Users who make
      use of NetLabel are strongly encouraged to upgrade their policy to avoid
      network problems.  Users who do not make use of NetLabel will not notice any
      difference.
      Signed-off-by: NPaul Moore <paul.moore@hp.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      f36158c4
    • P
      SELinux: enable dynamic activation/deactivation of NetLabel/SELinux enforcement · 23bcdc1a
      Paul Moore 提交于
      Create a new NetLabel KAPI interface, netlbl_enabled(), which reports on the
      current runtime status of NetLabel based on the existing configuration.  LSMs
      that make use of NetLabel, i.e. SELinux, can use this new function to determine
      if they should perform NetLabel access checks.  This patch changes the
      NetLabel/SELinux glue code such that SELinux only enforces NetLabel related
      access checks when netlbl_enabled() returns true.
      
      At present NetLabel is considered to be enabled when there is at least one
      labeled protocol configuration present.  The result is that by default NetLabel
      is considered to be disabled, however, as soon as an administrator configured
      a CIPSO DOI definition NetLabel is enabled and SELinux starts enforcing
      NetLabel related access controls - including unlabeled packet controls.
      
      This patch also tries to consolidate the multiple "#ifdef CONFIG_NETLABEL"
      blocks into a single block to ease future review as recommended by Linus.
      Signed-off-by: NPaul Moore <paul.moore@hp.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      23bcdc1a
  10. 18 7月, 2007 2 次提交
    • J
      usermodehelper: Tidy up waiting · 86313c48
      Jeremy Fitzhardinge 提交于
      Rather than using a tri-state integer for the wait flag in
      call_usermodehelper_exec, define a proper enum, and use that.  I've
      preserved the integer values so that any callers I've missed should
      still work OK.
      Signed-off-by: NJeremy Fitzhardinge <jeremy@xensource.com>
      Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
      Cc: Randy Dunlap <randy.dunlap@oracle.com>
      Cc: Christoph Hellwig <hch@infradead.org>
      Cc: Andi Kleen <ak@suse.de>
      Cc: Paul Mackerras <paulus@samba.org>
      Cc: Johannes Berg <johannes@sipsolutions.net>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: Bjorn Helgaas <bjorn.helgaas@hp.com>
      Cc: Joel Becker <joel.becker@oracle.com>
      Cc: Tony Luck <tony.luck@intel.com>
      Cc: Kay Sievers <kay.sievers@vrfy.org>
      Cc: Srivatsa Vaddagiri <vatsa@in.ibm.com>
      Cc: Oleg Nesterov <oleg@tv-sign.ru>
      Cc: David Howells <dhowells@redhat.com>
      86313c48
    • S
      Introduce is_owner_or_cap() to wrap CAP_FOWNER use with fsuid check · 3bd858ab
      Satyam Sharma 提交于
      Introduce is_owner_or_cap() macro in fs.h, and convert over relevant
      users to it. This is done because we want to avoid bugs in the future
      where we check for only effective fsuid of the current task against a
      file's owning uid, without simultaneously checking for CAP_FOWNER as
      well, thus violating its semantics.
      [ XFS uses special macros and structures, and in general looked ...
      untouchable, so we leave it alone -- but it has been looked over. ]
      
      The (current->fsuid != inode->i_uid) check in generic_permission() and
      exec_permission_lite() is left alone, because those operations are
      covered by CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH. Similarly operations
      falling under the purview of CAP_CHOWN and CAP_LEASE are also left alone.
      Signed-off-by: NSatyam Sharma <ssatyam@cse.iitk.ac.in>
      Cc: Al Viro <viro@ftp.linux.org.uk>
      Acked-by: NSerge E. Hallyn <serge@hallyn.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      3bd858ab
  11. 17 7月, 2007 1 次提交
    • M
      Audit: add TTY input auditing · 522ed776
      Miloslav Trmac 提交于
      Add TTY input auditing, used to audit system administrator's actions.  This is
      required by various security standards such as DCID 6/3 and PCI to provide
      non-repudiation of administrator's actions and to allow a review of past
      actions if the administrator seems to overstep their duties or if the system
      becomes misconfigured for unknown reasons.  These requirements do not make it
      necessary to audit TTY output as well.
      
      Compared to an user-space keylogger, this approach records TTY input using the
      audit subsystem, correlated with other audit events, and it is completely
      transparent to the user-space application (e.g.  the console ioctls still
      work).
      
      TTY input auditing works on a higher level than auditing all system calls
      within the session, which would produce an overwhelming amount of mostly
      useless audit events.
      
      Add an "audit_tty" attribute, inherited across fork ().  Data read from TTYs
      by process with the attribute is sent to the audit subsystem by the kernel.
      The audit netlink interface is extended to allow modifying the audit_tty
      attribute, and to allow sending explanatory audit events from user-space (for
      example, a shell might send an event containing the final command, after the
      interactive command-line editing and history expansion is performed, which
      might be difficult to decipher from the TTY input alone).
      
      Because the "audit_tty" attribute is inherited across fork (), it would be set
      e.g.  for sshd restarted within an audited session.  To prevent this, the
      audit_tty attribute is cleared when a process with no open TTY file
      descriptors (e.g.  after daemon startup) opens a TTY.
      
      See https://www.redhat.com/archives/linux-audit/2007-June/msg00000.html for a
      more detailed rationale document for an older version of this patch.
      
      [akpm@linux-foundation.org: build fix]
      Signed-off-by: NMiloslav Trmac <mitr@redhat.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
      Cc: Paul Fulghum <paulkf@microgate.com>
      Cc: Casey Schaufler <casey@schaufler-ca.com>
      Cc: Steve Grubb <sgrubb@redhat.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      522ed776
  12. 14 7月, 2007 1 次提交
  13. 12 7月, 2007 10 次提交
  14. 09 6月, 2007 1 次提交
  15. 09 5月, 2007 3 次提交
  16. 03 5月, 2007 1 次提交
  17. 27 4月, 2007 1 次提交
  18. 26 4月, 2007 8 次提交