1. 24 8月, 2016 1 次提交
  2. 04 1月, 2016 1 次提交
  3. 20 10月, 2015 1 次提交
    • Z
      Smack: limited capability for changing process label · 38416e53
      Zbigniew Jasinski 提交于
      This feature introduces new kernel interface:
      
      - <smack_fs>/relabel-self - for setting transition labels list
      
      This list is used to control smack label transition mechanism.
      List is set by, and per process. Process can transit to new label only if
      label is on the list. Only process with CAP_MAC_ADMIN capability can add
      labels to this list. With this list, process can change it's label without
      CAP_MAC_ADMIN but only once. After label changing, list is unset.
      
      Changes in v2:
      * use list_for_each_entry instead of _rcu during label write
      * added missing description in security/Smack.txt
      
      Changes in v3:
      * squashed into one commit
      
      Changes in v4:
      * switch from global list to per-task list
      * since the per-task list is accessed only by the task itself
        there is no need to use synchronization mechanisms on it
      
      Changes in v5:
      * change smackfs interface of relabel-self to the one used for onlycap
        multiple labels are accepted, separated by space, which
        replace the previous list upon write
      Signed-off-by: NZbigniew Jasinski <z.jasinski@samsung.com>
      Signed-off-by: NRafal Krypa <r.krypa@samsung.com>
      Acked-by: NCasey Schaufler <casey@schaufler-ca.com>
      38416e53
  4. 10 10月, 2015 2 次提交
  5. 01 8月, 2015 1 次提交
  6. 28 7月, 2015 1 次提交
    • C
      Smack: IPv6 host labeling · 21abb1ec
      Casey Schaufler 提交于
      IPv6 appears to be (finally) coming of age with the
      influx of autonomous devices. In support of this, add
      the ability to associate a Smack label with IPv6 addresses.
      
      This patch also cleans up some of the conditional
      compilation associated with the introduction of
      secmark processing. It's now more obvious which bit
      of code goes with which feature.
      Signed-off-by: NCasey Schaufler <casey@schaufler-ca.com>
      21abb1ec
  7. 23 7月, 2015 1 次提交
  8. 01 7月, 2015 1 次提交
  9. 13 6月, 2015 1 次提交
  10. 03 6月, 2015 2 次提交
    • R
      Smack: allow multiple labels in onlycap · c0d77c88
      Rafal Krypa 提交于
      Smack onlycap allows limiting of CAP_MAC_ADMIN and CAP_MAC_OVERRIDE to
      processes running with the configured label. But having single privileged
      label is not enough in some real use cases. On a complex system like Tizen,
      there maybe few programs that need to configure Smack policy in run-time
      and running them all with a single label is not always practical.
      This patch extends onlycap feature for multiple labels. They are configured
      in the same smackfs "onlycap" interface, separated by spaces.
      Signed-off-by: NRafal Krypa <r.krypa@samsung.com>
      c0d77c88
    • R
      Smack: fix seq operations in smackfs · 01fa8474
      Rafal Krypa 提交于
      Use proper RCU functions and read locking in smackfs seq_operations.
      
      Smack gets away with not using proper RCU functions in smackfs, because
      it never removes entries from these lists. But now one list will be
      needed (with interface in smackfs) that will have both elements added and
      removed to it.
      This change will also help any future changes implementing removal of
      unneeded entries from other Smack lists.
      
      The patch also fixes handling of pos argument in smk_seq_start and
      smk_seq_next. This fixes a bug in case when smackfs is read with a small
      buffer:
      
      Kernel panic - not syncing: Kernel mode fault at addr 0xfa0000011b
      CPU: 0 PID: 1292 Comm: dd Not tainted 4.1.0-rc1-00012-g98179b8 #13
      Stack:
       00000003 0000000d 7ff39e48 7f69fd00
       7ff39ce0 601ae4b0 7ff39d50 600e587b
       00000010 6039f690 7f69fd40 00612003
      Call Trace:
       [<601ae4b0>] load2_seq_show+0x19/0x1d
       [<600e587b>] seq_read+0x168/0x331
       [<600c5943>] __vfs_read+0x21/0x101
       [<601a595e>] ? security_file_permission+0xf8/0x105
       [<600c5ec6>] ? rw_verify_area+0x86/0xe2
       [<600c5fc3>] vfs_read+0xa1/0x14c
       [<600c68e2>] SyS_read+0x57/0xa0
       [<6001da60>] handle_syscall+0x60/0x80
       [<6003087d>] userspace+0x442/0x548
       [<6001aa77>] ? interrupt_end+0x0/0x80
       [<6001daae>] ? copy_chunk_to_user+0x0/0x2b
       [<6002cb6b>] ? save_registers+0x1f/0x39
       [<60032ef7>] ? arch_prctl+0xf5/0x170
       [<6001a92d>] fork_handler+0x85/0x87
      Signed-off-by: NRafal Krypa <r.krypa@samsung.com>
      01fa8474
  11. 15 5月, 2015 1 次提交
    • L
      smack: pass error code through pointers · e774ad68
      Lukasz Pawelczyk 提交于
      This patch makes the following functions to use ERR_PTR() and related
      macros to pass the appropriate error code through returned pointers:
      
      smk_parse_smack()
      smk_import_entry()
      smk_fetch()
      
      It also makes all the other functions that use them to handle the
      error cases properly. This ways correct error codes from places
      where they happened can be propagated to the user space if necessary.
      
      Doing this it fixes a bug in onlycap and unconfined files
      handling. Previously their content was cleared on any error from
      smk_import_entry/smk_parse_smack, be it EINVAL (as originally intended)
      or ENOMEM. Right now it only reacts on EINVAL passing other codes
      properly to userspace.
      
      Comments have been updated accordingly.
      Signed-off-by: NLukasz Pawelczyk <l.pawelczyk@samsung.com>
      e774ad68
  12. 12 5月, 2015 1 次提交
    • C
      LSM: Switch to lists of hooks · b1d9e6b0
      Casey Schaufler 提交于
      Instead of using a vector of security operations
      with explicit, special case stacking of the capability
      and yama hooks use lists of hooks with capability and
      yama hooks included as appropriate.
      
      The security_operations structure is no longer required.
      Instead, there is a union of the function pointers that
      allows all the hooks lists to use a common mechanism for
      list management while retaining typing. Each module
      supplies an array describing the hooks it provides instead
      of a sparsely populated security_operations structure.
      The description includes the element that gets put on
      the hook list, avoiding the issues surrounding individual
      element allocation.
      
      The method for registering security modules is changed to
      reflect the information available. The method for removing
      a module, currently only used by SELinux, has also changed.
      It should be generic now, however if there are potential
      race conditions based on ordering of hook removal that needs
      to be addressed by the calling module.
      
      The security hooks are called from the lists and the first
      failure is returned.
      Signed-off-by: NCasey Schaufler <casey@schaufler-ca.com>
      Acked-by: NJohn Johansen <john.johansen@canonical.com>
      Acked-by: NKees Cook <keescook@chromium.org>
      Acked-by: NPaul Moore <paul@paul-moore.com>
      Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
      Acked-by: NTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Signed-off-by: NJames Morris <james.l.morris@oracle.com>
      b1d9e6b0
  13. 16 4月, 2015 1 次提交
  14. 24 3月, 2015 2 次提交
    • P
      smack: Fix gcc warning from unused smack_syslog_lock mutex in smackfs.c · f43b65ba
      Paul Gortmaker 提交于
      In commit 00f84f3f ("Smack: Make the
      syslog control configurable") this mutex was added, but the rest of
      the final commit never actually made use of it, resulting in:
      
       In file included from include/linux/mutex.h:29:0,
                        from include/linux/notifier.h:13,
                        from include/linux/memory_hotplug.h:6,
                        from include/linux/mmzone.h:821,
                        from include/linux/gfp.h:5,
                        from include/linux/slab.h:14,
                        from include/linux/security.h:27,
                        from security/smack/smackfs.c:21:
       security/smack/smackfs.c:63:21: warning: ‘smack_syslog_lock’ defined but not used [-Wunused-variable]
        static DEFINE_MUTEX(smack_syslog_lock);
                            ^
      
      A git grep shows no other instances/references to smack_syslog_lock.
      Delete it, assuming that the mutex addition was just a leftover from
      an earlier work in progress version of the change.
      Signed-off-by: NPaul Gortmaker <paul.gortmaker@windriver.com>
      f43b65ba
    • C
      Smack: Allow an unconfined label in bringup mode · bf4b2fee
      Casey Schaufler 提交于
      I have vehemently opposed adding a "permissive" mode to Smack
      for the simple reasons that it would be subject to massive abuse
      and that developers refuse to turn it off come product release.
      I still believe that this is true, and still refuse to add a
      general "permissive mode". So don't ask again.
      
      Bumjin Im suggested an approach that addresses most of the concerns,
      and I have implemented it here. I still believe that we'd be better
      off without this sort of thing, but it looks like this minimizes the
      abuse potential.
      
      Firstly, you have to configure Smack Bringup Mode. That allows
      for "release" software to be ammune from abuse. Second, only one
      label gets to be "permissive" at a time. You can use it for
      debugging, but that's about it.
      
      A label written to smackfs/unconfined is treated specially.
      If either the subject or object label of an access check
      matches the "unconfined" label, and the access would not
      have been allowed otherwise an audit record and a console
      message are generated. The audit record "request" string is
      marked with either "(US)" or "(UO)", to indicate that the
      request was granted because of an unconfined label. The
      fact that an inode was accessed by an unconfined label is
      remembered, and subsequent accesses to that "impure"
      object are noted in the log. The impurity is not stored in
      the filesystem, so a file mislabled as a side effect of
      using an unconfined label may still cause concern after
      a reboot.
      
      So, it's there, it's dangerous, but so many application
      developers seem incapable of living without it I have
      given in. I've tried to make it as safe as I can, but
      in the end it's still a chain saw.
      Signed-off-by: NCasey Schaufler <casey@schaufler-ca.com>
      bf4b2fee
  15. 30 8月, 2014 1 次提交
  16. 29 8月, 2014 1 次提交
    • C
      Smack: Bring-up access mode · d166c802
      Casey Schaufler 提交于
      People keep asking me for permissive mode, and I keep saying "no".
      
      Permissive mode is wrong for more reasons than I can enumerate,
      but the compelling one is that it's once on, never off.
      
      Nonetheless, there is an argument to be made for running a
      process with lots of permissions, logging which are required,
      and then locking the process down. There wasn't a way to do
      that with Smack, but this provides it.
      
      The notion is that you start out by giving the process an
      appropriate Smack label, such as "ATBirds". You create rules
      with a wide range of access and the "b" mode. On Tizen it
      might be:
      
      	ATBirds	System	rwxalb
      	ATBirds	User	rwxalb
      	ATBirds	_	rwxalb
      	User	ATBirds	wb
      	System	ATBirds	wb
      
      Accesses that fail will generate audit records. Accesses
      that succeed because of rules marked with a "b" generate
      log messages identifying the rule, the program and as much
      object information as is convenient.
      
      When the system is properly configured and the programs
      brought in line with the labeling scheme the "b" mode can
      be removed from the rules. When the system is ready for
      production the facility can be configured out.
      
      This provides the developer the convenience of permissive
      mode without creating a system that looks like it is
      enforcing a policy while it is not.
      Signed-off-by: NCasey Schaufler <casey@schaufler-ca.com>
      d166c802
  17. 09 8月, 2014 1 次提交
    • K
      Smack: handle zero-length security labels without panic · b862e561
      Konstantin Khlebnikov 提交于
      Zero-length security labels are invalid but kernel should handle them.
      
      This patch fixes kernel panic after setting zero-length security labels:
      # attr -S -s "SMACK64" -V "" file
      
      And after writing zero-length string into smackfs files syslog and onlycp:
      # python -c 'import os; os.write(1, "")' > /smack/syslog
      
      The problem is caused by brain-damaged logic in function smk_parse_smack()
      which takes pointer to buffer and its length but if length below or equal zero
      it thinks that the buffer is zero-terminated. Unfortunately callers of this
      function are widely used and proper fix requires serious refactoring.
      Signed-off-by: NKonstantin Khlebnikov <k.khlebnikov@samsung.com>
      b862e561
  18. 01 8月, 2014 1 次提交
  19. 07 5月, 2014 1 次提交
  20. 12 4月, 2014 1 次提交
  21. 24 12月, 2013 2 次提交
  22. 12 12月, 2013 1 次提交
  23. 19 10月, 2013 1 次提交
    • C
      Smack: Implement lock security mode · c0ab6e56
      Casey Schaufler 提交于
      Linux file locking does not follow the same rules
      as other mechanisms. Even though it is a write operation
      a process can set a read lock on files which it has open
      only for read access. Two programs with read access to
      a file can use read locks to communicate.
      
      This is not acceptable in a Mandatory Access Control
      environment. Smack treats setting a read lock as the
      write operation that it is. Unfortunately, many programs
      assume that setting a read lock is a read operation.
      These programs are unhappy in the Smack environment.
      
      This patch introduces a new access mode (lock) to address
      this problem. A process with lock access to a file can
      set a read lock. A process with write access to a file can
      set a read lock or a write lock. This prevents a situation
      where processes are granted write access just so they can
      set read locks.
      
      Targeted for git://git.gitorious.org/smack-next/kernel.gitSigned-off-by: NCasey Schaufler <casey@schaufler-ca.com>
      c0ab6e56
  24. 13 8月, 2013 1 次提交
    • R
      Smack: parse multiple rules per write to load2, up to PAGE_SIZE-1 bytes · 10289b0f
      Rafal Krypa 提交于
      Smack interface for loading rules has always parsed only single rule from
      data written to it. This requires user program to call one write() per
      each rule it wants to load.
      This change makes it possible to write multiple rules, separated by new
      line character. Smack will load at most PAGE_SIZE-1 characters and properly
      return number of processed bytes. In case when user buffer is larger, it
      will be additionally truncated. All characters after last \n will not get
      parsed to avoid partial rule near input buffer boundary.
      Signed-off-by: NRafal Krypa <r.krypa@samsung.com>
      10289b0f
  25. 02 8月, 2013 2 次提交
  26. 04 6月, 2013 1 次提交
  27. 29 5月, 2013 1 次提交
  28. 03 4月, 2013 1 次提交
  29. 20 3月, 2013 2 次提交
  30. 15 12月, 2012 1 次提交
  31. 19 9月, 2012 1 次提交
  32. 30 7月, 2012 1 次提交
  33. 14 7月, 2012 2 次提交