1. 09 January 2019, 8 commits
  2. 22 December 2018, 8 commits
  3. 13 December 2018, 1 commit
    • security: audit and remove any unnecessary uses of module.h · 876979c9
      Paul Gortmaker committed
      Historically a lot of these existed because we did not have
      a distinction between what was modular code and what was providing
      support to modules via EXPORT_SYMBOL and friends.  That changed
      when we forked out support for the latter into the export.h file.
      This means we should be able to reduce the usage of module.h
      in code that is obj-y Makefile or bool Kconfig.
      
      The advantage in removing such instances is that module.h itself
      sources about 15 other headers; adding significantly to what we feed
      cpp, and it can obscure what headers we are effectively using.
      
      Since module.h might have been the implicit source for init.h
      (for __init) and for export.h (for EXPORT_SYMBOL) we consider each
      instance for the presence of either and replace as needed.
      
      Cc: James Morris <jmorris@namei.org>
      Cc: "Serge E. Hallyn" <serge@hallyn.com>
      Cc: John Johansen <john.johansen@canonical.com>
      Cc: Mimi Zohar <zohar@linux.ibm.com>
      Cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
      Cc: David Howells <dhowells@redhat.com>
      Cc: linux-security-module@vger.kernel.org
      Cc: linux-integrity@vger.kernel.org
      Cc: keyrings@vger.kernel.org
      Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
      Signed-off-by: James Morris <james.morris@microsoft.com>
  4. 11 October 2018, 6 commits
  5. 03 October 2018, 1 commit
    • signal: Distinguish between kernel_siginfo and siginfo · ae7795bc
      Eric W. Biederman committed
      Linus recently observed that if we did not worry about the padding
      member in struct siginfo it is only about 48 bytes, and 48 bytes is
      much nicer than 128 bytes for allocating on the stack and copying
      around in the kernel.
      
      The obvious thing of only adding the padding when userspace is
      including siginfo.h won't work as there are sigframe definitions in
      the kernel that embed struct siginfo.
      
      So split siginfo in two: kernel_siginfo and siginfo, keeping the
      traditional name for the userspace definition, while the version that
      is used internally to the kernel and ultimately will not be padded to
      128 bytes is called kernel_siginfo.
      
      The definition of struct kernel_siginfo I have put in include/signal_types.h.
      
      A set of buildtime checks has been added to verify the two structures have
      the same field offsets.
      
      To make it easy to verify the change kernel_siginfo retains the same
      size as siginfo.  The reduction in size comes in a following change.
      Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
  6. 23 August 2018, 1 commit
  7. 18 July 2018, 3 commits
    • integrity: prevent deadlock during digsig verification. · 6eb864c1
      Mikhail Kurinnoi committed
      This patch aimed to prevent deadlock during digsig verification. The point
      of issue is that the user space utility modprobe and/or its dependencies
      (ld-*.so, libz.so.*, libc-*.so and /lib/modules/ files) could be used for
      kernel module loading during digsig verification and could be signed by
      digsig at the same time.
      
      First of all, look at how crypto_alloc_tfm() works:
      crypto_alloc_tfm() will first attempt to locate an already loaded
      algorithm. If that fails and the kernel supports dynamically loadable
      modules, it will then attempt to load a module of the same name or alias.
      If that fails it will send a query to any loaded crypto manager to
      construct an algorithm on the fly.
      
      We have a situation where public_key_verify_signature(), in the case of the
      RSA algorithm, uses alg_name to store internal information in order to
      construct an algorithm on the fly, but crypto_larval_lookup() will try to
      use alg_name in order to load a kernel module with the same name.
      
      1) we can't do anything with the way the crypto module works, since it is
      designed to work exactly in this way;
      2) we can't globally filter module requests for modprobe, since it is
      designed to work with any requests.
      
      In this patch, I propose adding an exception for "crypto-pkcs1pad(rsa,*)"
      module requests only in the case of enabled integrity asymmetric keys support.
      Since we don't have any real "crypto-pkcs1pad(rsa,*)" kernel modules for
      sure, we are safe to fail such module requests from crypto_larval_lookup().
      In this way we prevent modprobe execution during digsig verification and
      avoid a possible deadlock if modprobe and/or its dependencies are also
      signed with digsig.
      
      The requested "crypto-pkcs1pad(rsa,*)" kernel module name is formed by:
      1) "pkcs1pad(rsa,%s)" in public_key_verify_signature();
      2) "crypto-%s" / "crypto-%s-all" in crypto_larval_lookup().
      The "crypto-pkcs1pad(rsa," part of the request is constant and unique and
      could be used as a filter.
      Signed-off-by: Mikhail Kurinnoi <viewizard@viewizard.com>
      Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
      
       include/linux/integrity.h              | 13 +++++++++++++
       security/integrity/digsig_asymmetric.c | 23 +++++++++++++++++++++++
       security/security.c                    |  7 ++++++-
       3 files changed, 42 insertions(+), 1 deletion(-)
    • security: check for kstrdup() failure in lsm_append() · 87ea5843
      Eric Biggers committed
      lsm_append() should return -ENOMEM if memory allocation failed.
      
      Fixes: d69dece5 ("LSM: Add /sys/kernel/security/lsm")
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: James Morris <james.morris@microsoft.com>
    • security: export security_kernel_load_data function · 83a68a06
      Arnd Bergmann committed
      The firmware_loader can be built as a loadable module, which now
      fails when CONFIG_SECURITY is enabled, because a call to the
      security_kernel_load_data() function got added, and this is
      not exported to modules:
      
      ERROR: "security_kernel_load_data" [drivers/base/firmware_loader/firmware_class.ko] undefined!
      
      Add an EXPORT_SYMBOL_GPL() to make it available here.
      
      Fixes: 6e852651 ("firmware: add call to LSM hook before firmware sysfs fallback")
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Signed-off-by: James Morris <james.morris@microsoft.com>
  8. 17 July 2018, 2 commits
  9. 12 July 2018, 2 commits
  10. 05 May 2018, 1 commit
    • security: add hook for socketpair() · aae7cfcb
      David Herrmann committed
      Right now the LSM labels for socketpairs are always uninitialized,
      since there is no security hook for the socketpair() syscall. This
      patch adds the required hooks so LSMs can properly label socketpairs.
      This allows SO_PEERSEC to return useful information on those sockets.
      
      Note that the behavior of socketpair() can be emulated by creating a
      listener socket, connecting to it, and then discarding the initial
      listener socket. With this workaround, SO_PEERSEC would return the
      caller's security context. However, with socketpair(), the uninitialized
      context is returned unconditionally. This is unexpected and makes
      socketpair() less useful in situations where the security context is
      crucial to the application.
      
      With the new socketpair-hook this disparity can be solved by making
      socketpair() return the expected security context.
      Acked-by: Serge Hallyn <serge@hallyn.com>
      Signed-off-by: Tom Gundersen <teg@jklm.no>
      Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
      Signed-off-by: James Morris <james.morris@microsoft.com>
  11. 06 April 2018, 1 commit
  12. 31 March 2018, 1 commit
  13. 23 March 2018, 4 commits
  14. 07 March 2018, 1 commit