- 24 8月, 2016 1 次提交
-
-
由 Markus Elfring 提交于
Reuse existing functionality from memdup_user() instead of keeping duplicate source code. This issue was detected by using the Coccinelle software. Signed-off-by: NMarkus Elfring <elfring@users.sourceforge.net> Acked-by: NCasey Schaufler <casey@schaufler-ca.com>
-
- 04 1月, 2016 1 次提交
-
-
由 Al Viro 提交于
A _lot_ of ->write() instances were open-coding it; some are converted to memdup_user_nul(), a lot more remain... Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
-
- 20 10月, 2015 1 次提交
-
-
由 Zbigniew Jasinski 提交于
This feature introduces new kernel interface: - <smack_fs>/relabel-self - for setting transition labels list This list is used to control smack label transition mechanism. List is set by, and per process. Process can transit to new label only if label is on the list. Only process with CAP_MAC_ADMIN capability can add labels to this list. With this list, process can change it's label without CAP_MAC_ADMIN but only once. After label changing, list is unset. Changes in v2: * use list_for_each_entry instead of _rcu during label write * added missing description in security/Smack.txt Changes in v3: * squashed into one commit Changes in v4: * switch from global list to per-task list * since the per-task list is accessed only by the task itself there is no need to use synchronization mechanisms on it Changes in v5: * change smackfs interface of relabel-self to the one used for onlycap multiple labels are accepted, separated by space, which replace the previous list upon write Signed-off-by: NZbigniew Jasinski <z.jasinski@samsung.com> Signed-off-by: NRafal Krypa <r.krypa@samsung.com> Acked-by: NCasey Schaufler <casey@schaufler-ca.com>
-
- 10 10月, 2015 2 次提交
-
-
由 José Bollo 提交于
This change has two goals: - delay the setting of 'smack_enabled' until it will be really effective - ensure that smackfs is valid only if 'smack_enabled' is set (it is already the case in smack_netfilter.c) Signed-off-by: NJosé Bollo <jose.bollo@iot.bzh> Acked-by: NCasey Schaufler <casey@schaufler-ca.com>
-
由 Lukasz Pawelczyk 提交于
'commit e774ad68 ("smack: pass error code through pointers")' made this function return proper error codes instead of NULL. Reflect that. This is a fix for a NULL dereference introduced in 'commit 21abb1ec ("Smack: IPv6 host labeling")' echo "$SOME_IPV6_ADDR \"test" > /smack/ipv6host (this should return EINVAL, it doesn't) cat /smack/ipv6host (derefences 0x000a) Signed-off-by: NLukasz Pawelczyk <l.pawelczyk@samsung.com> Acked-by: NCasey Schaufler <casey@schaufler-ca.com>
-
- 01 8月, 2015 1 次提交
-
-
由 Casey Schaufler 提交于
The kbuild test robot reported a couple of these, and the third showed up by inspection. Making the symbols static is proper. Reported-by: NFengguang Wu <fengguang.wu@intel.com> Signed-off-by: NCasey Schaufler <casey@schaufler-ca.com>
-
- 28 7月, 2015 1 次提交
-
-
由 Casey Schaufler 提交于
IPv6 appears to be (finally) coming of age with the influx of autonomous devices. In support of this, add the ability to associate a Smack label with IPv6 addresses. This patch also cleans up some of the conditional compilation associated with the introduction of secmark processing. It's now more obvious which bit of code goes with which feature. Signed-off-by: NCasey Schaufler <casey@schaufler-ca.com>
-
- 23 7月, 2015 1 次提交
-
-
由 kbuild test robot 提交于
security/smack/smackfs.c:2251:1-4: WARNING: end returns can be simpified and declaration on line 2250 can be dropped Simplify a trivial if-return sequence. Possibly combine with a preceding function call. Generated by: scripts/coccinelle/misc/simple_return.cocci Signed-off-by: NFengguang Wu <fengguang.wu@intel.com> Acked-by: NSerge Hallyn <serge.hallyn@canonical.com> Acked-by: NCasey Schaufler <casey@schaufler-ca.com>
-
- 01 7月, 2015 1 次提交
-
-
由 Eric W. Biederman 提交于
This allows for better documentation in the code and it allows for a simpler and fully correct version of fs_fully_visible to be written. The mount points converted and their filesystems are: /sys/hypervisor/s390/ s390_hypfs /sys/kernel/config/ configfs /sys/kernel/debug/ debugfs /sys/firmware/efi/efivars/ efivarfs /sys/fs/fuse/connections/ fusectl /sys/fs/pstore/ pstore /sys/kernel/tracing/ tracefs /sys/fs/cgroup/ cgroup /sys/kernel/security/ securityfs /sys/fs/selinux/ selinuxfs /sys/fs/smackfs/ smackfs Cc: stable@vger.kernel.org Acked-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N"Eric W. Biederman" <ebiederm@xmission.com>
-
- 13 6月, 2015 1 次提交
-
-
由 Dan Carpenter 提交于
This code used to rely on the fact that kfree(NULL) was a no-op, but then we changed smk_parse_smack() to return error pointers on failure instead of NULL. Calling kfree() on an error pointer will oops. I have re-arranged things a bit so that we only free things if they have been allocated. Fixes: e774ad68 ('smack: pass error code through pointers') Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
-
- 03 6月, 2015 2 次提交
-
-
由 Rafal Krypa 提交于
Smack onlycap allows limiting of CAP_MAC_ADMIN and CAP_MAC_OVERRIDE to processes running with the configured label. But having single privileged label is not enough in some real use cases. On a complex system like Tizen, there maybe few programs that need to configure Smack policy in run-time and running them all with a single label is not always practical. This patch extends onlycap feature for multiple labels. They are configured in the same smackfs "onlycap" interface, separated by spaces. Signed-off-by: NRafal Krypa <r.krypa@samsung.com>
-
由 Rafal Krypa 提交于
Use proper RCU functions and read locking in smackfs seq_operations. Smack gets away with not using proper RCU functions in smackfs, because it never removes entries from these lists. But now one list will be needed (with interface in smackfs) that will have both elements added and removed to it. This change will also help any future changes implementing removal of unneeded entries from other Smack lists. The patch also fixes handling of pos argument in smk_seq_start and smk_seq_next. This fixes a bug in case when smackfs is read with a small buffer: Kernel panic - not syncing: Kernel mode fault at addr 0xfa0000011b CPU: 0 PID: 1292 Comm: dd Not tainted 4.1.0-rc1-00012-g98179b8 #13 Stack: 00000003 0000000d 7ff39e48 7f69fd00 7ff39ce0 601ae4b0 7ff39d50 600e587b 00000010 6039f690 7f69fd40 00612003 Call Trace: [<601ae4b0>] load2_seq_show+0x19/0x1d [<600e587b>] seq_read+0x168/0x331 [<600c5943>] __vfs_read+0x21/0x101 [<601a595e>] ? security_file_permission+0xf8/0x105 [<600c5ec6>] ? rw_verify_area+0x86/0xe2 [<600c5fc3>] vfs_read+0xa1/0x14c [<600c68e2>] SyS_read+0x57/0xa0 [<6001da60>] handle_syscall+0x60/0x80 [<6003087d>] userspace+0x442/0x548 [<6001aa77>] ? interrupt_end+0x0/0x80 [<6001daae>] ? copy_chunk_to_user+0x0/0x2b [<6002cb6b>] ? save_registers+0x1f/0x39 [<60032ef7>] ? arch_prctl+0xf5/0x170 [<6001a92d>] fork_handler+0x85/0x87 Signed-off-by: NRafal Krypa <r.krypa@samsung.com>
-
- 15 5月, 2015 1 次提交
-
-
由 Lukasz Pawelczyk 提交于
This patch makes the following functions to use ERR_PTR() and related macros to pass the appropriate error code through returned pointers: smk_parse_smack() smk_import_entry() smk_fetch() It also makes all the other functions that use them to handle the error cases properly. This ways correct error codes from places where they happened can be propagated to the user space if necessary. Doing this it fixes a bug in onlycap and unconfined files handling. Previously their content was cleared on any error from smk_import_entry/smk_parse_smack, be it EINVAL (as originally intended) or ENOMEM. Right now it only reacts on EINVAL passing other codes properly to userspace. Comments have been updated accordingly. Signed-off-by: NLukasz Pawelczyk <l.pawelczyk@samsung.com>
-
- 12 5月, 2015 1 次提交
-
-
由 Casey Schaufler 提交于
Instead of using a vector of security operations with explicit, special case stacking of the capability and yama hooks use lists of hooks with capability and yama hooks included as appropriate. The security_operations structure is no longer required. Instead, there is a union of the function pointers that allows all the hooks lists to use a common mechanism for list management while retaining typing. Each module supplies an array describing the hooks it provides instead of a sparsely populated security_operations structure. The description includes the element that gets put on the hook list, avoiding the issues surrounding individual element allocation. The method for registering security modules is changed to reflect the information available. The method for removing a module, currently only used by SELinux, has also changed. It should be generic now, however if there are potential race conditions based on ordering of hook removal that needs to be addressed by the calling module. The security hooks are called from the lists and the first failure is returned. Signed-off-by: NCasey Schaufler <casey@schaufler-ca.com> Acked-by: NJohn Johansen <john.johansen@canonical.com> Acked-by: NKees Cook <keescook@chromium.org> Acked-by: NPaul Moore <paul@paul-moore.com> Acked-by: NStephen Smalley <sds@tycho.nsa.gov> Acked-by: NTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: NJames Morris <james.l.morris@oracle.com>
-
- 16 4月, 2015 1 次提交
-
-
由 David Howells 提交于
... except where that code acts as a filesystem driver, rather than working with dentries given to it. Signed-off-by: NDavid Howells <dhowells@redhat.com> Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
-
- 24 3月, 2015 2 次提交
-
-
由 Paul Gortmaker 提交于
In commit 00f84f3f ("Smack: Make the syslog control configurable") this mutex was added, but the rest of the final commit never actually made use of it, resulting in: In file included from include/linux/mutex.h:29:0, from include/linux/notifier.h:13, from include/linux/memory_hotplug.h:6, from include/linux/mmzone.h:821, from include/linux/gfp.h:5, from include/linux/slab.h:14, from include/linux/security.h:27, from security/smack/smackfs.c:21: security/smack/smackfs.c:63:21: warning: ‘smack_syslog_lock’ defined but not used [-Wunused-variable] static DEFINE_MUTEX(smack_syslog_lock); ^ A git grep shows no other instances/references to smack_syslog_lock. Delete it, assuming that the mutex addition was just a leftover from an earlier work in progress version of the change. Signed-off-by: NPaul Gortmaker <paul.gortmaker@windriver.com>
-
由 Casey Schaufler 提交于
I have vehemently opposed adding a "permissive" mode to Smack for the simple reasons that it would be subject to massive abuse and that developers refuse to turn it off come product release. I still believe that this is true, and still refuse to add a general "permissive mode". So don't ask again. Bumjin Im suggested an approach that addresses most of the concerns, and I have implemented it here. I still believe that we'd be better off without this sort of thing, but it looks like this minimizes the abuse potential. Firstly, you have to configure Smack Bringup Mode. That allows for "release" software to be ammune from abuse. Second, only one label gets to be "permissive" at a time. You can use it for debugging, but that's about it. A label written to smackfs/unconfined is treated specially. If either the subject or object label of an access check matches the "unconfined" label, and the access would not have been allowed otherwise an audit record and a console message are generated. The audit record "request" string is marked with either "(US)" or "(UO)", to indicate that the request was granted because of an unconfined label. The fact that an inode was accessed by an unconfined label is remembered, and subsequent accesses to that "impure" object are noted in the log. The impurity is not stored in the filesystem, so a file mislabled as a side effect of using an unconfined label may still cause concern after a reboot. So, it's there, it's dangerous, but so many application developers seem incapable of living without it I have given in. I've tried to make it as safe as I can, but in the end it's still a chain saw. Signed-off-by: NCasey Schaufler <casey@schaufler-ca.com>
-
- 30 8月, 2014 1 次提交
-
-
由 Lukasz Pawelczyk 提交于
Smack used to use a mix of smack_known struct and char* throughout its APIs and implementation. This patch unifies the behaviour and makes it store and operate exclusively on smack_known struct pointers when managing labels. Signed-off-by: NLukasz Pawelczyk <l.pawelczyk@samsung.com> Conflicts: security/smack/smack_access.c security/smack/smack_lsm.c
-
- 29 8月, 2014 1 次提交
-
-
由 Casey Schaufler 提交于
People keep asking me for permissive mode, and I keep saying "no". Permissive mode is wrong for more reasons than I can enumerate, but the compelling one is that it's once on, never off. Nonetheless, there is an argument to be made for running a process with lots of permissions, logging which are required, and then locking the process down. There wasn't a way to do that with Smack, but this provides it. The notion is that you start out by giving the process an appropriate Smack label, such as "ATBirds". You create rules with a wide range of access and the "b" mode. On Tizen it might be: ATBirds System rwxalb ATBirds User rwxalb ATBirds _ rwxalb User ATBirds wb System ATBirds wb Accesses that fail will generate audit records. Accesses that succeed because of rules marked with a "b" generate log messages identifying the rule, the program and as much object information as is convenient. When the system is properly configured and the programs brought in line with the labeling scheme the "b" mode can be removed from the rules. When the system is ready for production the facility can be configured out. This provides the developer the convenience of permissive mode without creating a system that looks like it is enforcing a policy while it is not. Signed-off-by: NCasey Schaufler <casey@schaufler-ca.com>
-
- 09 8月, 2014 1 次提交
-
-
由 Konstantin Khlebnikov 提交于
Zero-length security labels are invalid but kernel should handle them. This patch fixes kernel panic after setting zero-length security labels: # attr -S -s "SMACK64" -V "" file And after writing zero-length string into smackfs files syslog and onlycp: # python -c 'import os; os.write(1, "")' > /smack/syslog The problem is caused by brain-damaged logic in function smk_parse_smack() which takes pointer to buffer and its length but if length below or equal zero it thinks that the buffer is zero-terminated. Unfortunately callers of this function are widely used and proper fix requires serious refactoring. Signed-off-by: NKonstantin Khlebnikov <k.khlebnikov@samsung.com>
-
- 01 8月, 2014 1 次提交
-
-
由 Paul Moore 提交于
Historically the NetLabel LSM secattr catmap functions and data structures have had very long names which makes a mess of the NetLabel code and anyone who uses NetLabel. This patch renames the catmap functions and structures from "*_secattr_catmap_*" to just "*_catmap_*" which improves things greatly. There are no substantial code or logic changes in this patch. Signed-off-by: NPaul Moore <pmoore@redhat.com> Tested-by: NCasey Schaufler <casey@schaufler-ca.com>
-
- 07 5月, 2014 1 次提交
-
-
由 Toralf Förster 提交于
This fixes a warning about the mismatch of types between the declared unsigned and integer. Signed-off-by: NToralf Förster <toralf.foerster@gmx.de>
-
- 12 4月, 2014 1 次提交
-
-
由 Lukasz Pawelczyk 提交于
This allows to limit ptrace beyond the regular smack access rules. It adds a smackfs/ptrace interface that allows smack to be configured to require equal smack labels for PTRACE_MODE_ATTACH access. See the changes in Documentation/security/Smack.txt below for details. Signed-off-by: NLukasz Pawelczyk <l.pawelczyk@partner.samsung.com> Signed-off-by: NRafal Krypa <r.krypa@samsung.com>
-
- 24 12月, 2013 2 次提交
-
-
由 Casey Schaufler 提交于
smk_write_change_rule() is calling capable rather than the more correct smack_privileged(). This allows for setting rules in violation of the onlycap facility. This is the simple repair. Targeted for git://git.gitorious.org/smack-next/kernel.gitSigned-off-by: NCasey Schaufler <casey@schaufler-ca.com>
-
由 Casey Schaufler 提交于
The syslog control requires that the calling proccess have the floor ("_") Smack label. Tizen does not run any processes except for kernel helpers with the floor label. This changes allows the admin to configure a specific label for syslog. The default value is the star ("*") label, effectively removing the restriction. The value can be set using smackfs/syslog for anyone who wants a more restrictive behavior. Targeted for git://git.gitorious.org/smack-next/kernel.gitSigned-off-by: NCasey Schaufler <casey@schaufler-ca.com>
-
- 12 12月, 2013 1 次提交
-
-
由 Jarkko Sakkinen 提交于
This is a regression caused by f7112e6c. When either subject or object is not found the answer for access should be no. This patch fixes the situation. '0' is written back instead of failing with -EINVAL. v2: cosmetic style fixes Signed-off-by: NJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
-
- 19 10月, 2013 1 次提交
-
-
由 Casey Schaufler 提交于
Linux file locking does not follow the same rules as other mechanisms. Even though it is a write operation a process can set a read lock on files which it has open only for read access. Two programs with read access to a file can use read locks to communicate. This is not acceptable in a Mandatory Access Control environment. Smack treats setting a read lock as the write operation that it is. Unfortunately, many programs assume that setting a read lock is a read operation. These programs are unhappy in the Smack environment. This patch introduces a new access mode (lock) to address this problem. A process with lock access to a file can set a read lock. A process with write access to a file can set a read lock or a write lock. This prevents a situation where processes are granted write access just so they can set read locks. Targeted for git://git.gitorious.org/smack-next/kernel.gitSigned-off-by: NCasey Schaufler <casey@schaufler-ca.com>
-
- 13 8月, 2013 1 次提交
-
-
由 Rafal Krypa 提交于
Smack interface for loading rules has always parsed only single rule from data written to it. This requires user program to call one write() per each rule it wants to load. This change makes it possible to write multiple rules, separated by new line character. Smack will load at most PAGE_SIZE-1 characters and properly return number of processed bytes. In case when user buffer is larger, it will be additionally truncated. All characters after last \n will not get parsed to avoid partial rule near input buffer boundary. Signed-off-by: NRafal Krypa <r.krypa@samsung.com>
-
- 02 8月, 2013 2 次提交
-
-
由 Casey Schaufler 提交于
The Smack code that matches incoming CIPSO tags with Smack labels reaches through the NetLabel interfaces and compares the network data with the CIPSO header associated with a Smack label. This was done in a ill advised attempt to optimize performance. It works so long as the categories fit in a single capset, but this isn't always the case. This patch changes the Smack code to use the appropriate NetLabel interfaces to compare the incoming CIPSO header with the CIPSO header associated with a label. It will always match the CIPSO headers correctly. Targeted for git://git.gitorious.org/smack-next/kernel.gitSigned-off-by: NCasey Schaufler <casey@schaufler-ca.com>
-
由 Tomasz Stanislawski 提交于
The smack_parsed_rule structure is allocated. If a rule is successfully installed then the last reference to the object is lost. This patch fixes this leak. Moreover smack_parsed_rule is allocated on stack because it no longer needed ofter smk_write_rules_list() is finished. Signed-off-by: NTomasz Stanislawski <t.stanislaws@samsung.com>
-
- 04 6月, 2013 1 次提交
-
-
由 Passion,Zhao 提交于
Bug report: https://tizendev.org/bugs/browse/TDIS-3891 The reason is userspace libsmack only use "smackfs/cipso2" long-label interface, but the code's logical is still for orginal fixed length label. Now update smack_cipso_apply() to support flexible label (<=256 including tailing '\0') There is also a bug in kernel/security/smack/smackfs.c: When smk_set_cipso() parsing the CIPSO setting from userspace, the offset of CIPSO level should be "strlen(label)+1" instead of "strlen(label)" Signed-off-by: NPassion,Zhao <passion.zhao@intel.com>
-
- 29 5月, 2013 1 次提交
-
-
由 Casey Schaufler 提交于
Each Smack label that the kernel has seen is added to a list of labels. The list of access rules for a given subject label hangs off of the label list entry for the label. This patch changes the structures that contain subject labels to point at the label list entry rather that the label itself. Doing so removes a label list lookup in smk_access() that was accounting for the largest single chunk of Smack overhead. Targeted for git://git.gitorious.org/smack-next/kernel.gitSigned-off-by: NCasey Schaufler <casey@schaufler-ca.com>
-
- 03 4月, 2013 1 次提交
-
-
由 Casey Schaufler 提交于
As reported for linux-next: Tree for Apr 2 (smack) Add the required include for smackfs.c Signed-off-by: NCasey Schaufler <casey@schaufler-ca.com> Reported-by: NRandy Dunlap <rdunlap@infradead.org> Acked-by: NRandy Dunlap <rdunlap@infradead.org> Signed-off-by: NJames Morris <james.l.morris@oracle.com>
-
- 20 3月, 2013 2 次提交
-
-
由 Rafal Krypa 提交于
Rule modifications are enabled via /smack/change-rule. Format is as follows: "Subject Object rwaxt rwaxt" First two strings are subject and object labels up to 255 characters. Third string contains permissions to enable. Fourth string contains permissions to disable. All unmentioned permissions will be left unchanged. If no rule previously existed, it will be created. Targeted for git://git.gitorious.org/smack-next/kernel.gitSigned-off-by: NRafal Krypa <r.krypa@samsung.com>
-
由 Rafal Krypa 提交于
Special file /smack/revoke-subject will silently accept labels that are not present on the subject label list. Nothing has to be done for such labels, as there are no rules for them to revoke. Targeted for git://git.gitorious.org/smack-next/kernel.gitSigned-off-by: NRafal Krypa <r.krypa@samsung.com>
-
- 15 12月, 2012 1 次提交
-
-
由 Casey Schaufler 提交于
There are a number of "conventions" for where to put LSM filesystems. Smack adheres to none of them. Create a mount point at /sys/fs/smackfs for mounting smackfs so that Smack can be conventional. Targeted for git://git.gitorious.org/smack-next/kernel.gitSigned-off-by: NCasey Schaufler <casey@schaufler-ca.com>
-
- 19 9月, 2012 1 次提交
-
-
由 Rafal Krypa 提交于
Add /smack/revoke-subject special file. Writing a SMACK label to this file will set the access to '-' for all access rules with that subject label. Targeted for git://git.gitorious.org/smack-next/kernel.gitSigned-off-by: NRafal Krypa <r.krypa@samsung.com>
-
- 30 7月, 2012 1 次提交
-
-
由 Alan Cox 提交于
Consider the input case of a rule that consists entirely of non space symbols followed by a \0. Say 64 + \0 In this case strlen(data) = 64 kzalloc of subject and object are 64 byte objects sscanfdata, "%s %s %s", subject, ...) will put 65 bytes into subject. Signed-off-by: NAlan Cox <alan@linux.intel.com> Acked-by: NCasey Schaufler <casey@schaufler-ca.com> Cc: stable@vger.kernel.org Signed-off-by: NJames Morris <james.l.morris@oracle.com>
-
- 14 7月, 2012 2 次提交
-
-
由 Rafal Krypa 提交于
This patch removes empty rules (i.e. with access set to '-') from the rule list presented to user space. Smack by design never removes labels nor rules from its lists. Access for a rule may be set to '-' to effectively disable it. Such rules would show up in the listing generated when /smack/load or /smack/load2 is read. This may cause clutter if many rules were disabled. As a rule with access set to '-' is equivalent to no rule at all, they may be safely hidden from the listing. Targeted for git://git.gitorious.org/smack-next/kernel.gitSigned-off-by: NRafal Krypa <r.krypa@samsung.com> Signed-off-by: NCasey Schaufler <casey@schaufler-ca.com>
-
由 Casey Schaufler 提交于
Some of the bounds checking used on the /smack/access interface was lost when support for long labels was added. No kernel access checks are affected, however this is a case where /smack/access could be used incorrectly and fail to detect the error. This patch reintroduces the original checks. Targeted for git://git.gitorious.org/smack-next/kernel.gitSigned-off-by: NCasey Schaufler <casey@schaufler-ca.com>
-