1. 02 9月, 2009 2 次提交
    • D
      KEYS: Add a keyctl to install a process's session keyring on its parent [try #6] · ee18d64c
      David Howells 提交于
      Add a keyctl to install a process's session keyring onto its parent.  This
      replaces the parent's session keyring.  Because the COW credential code does
      not permit one process to change another process's credentials directly, the
      change is deferred until userspace next starts executing again.  Normally this
      will be after a wait*() syscall.
      
      To support this, three new security hooks have been provided:
      cred_alloc_blank() to allocate unset security creds, cred_transfer() to fill in
      the blank security creds and key_session_to_parent() - which asks the LSM if
      the process may replace its parent's session keyring.
      
      The replacement may only happen if the process has the same ownership details
      as its parent, and the process has LINK permission on the session keyring, and
      the session keyring is owned by the process, and the LSM permits it.
      
      Note that this requires alteration to each architecture's notify_resume path.
      This has been done for all arches barring blackfin, m68k* and xtensa, all of
      which need assembly alteration to support TIF_NOTIFY_RESUME.  This allows the
      replacement to be performed at the point the parent process resumes userspace
      execution.
      
      This allows the userspace AFS pioctl emulation to fully emulate newpag() and
      the VIOCSETTOK and VIOCSETTOK2 pioctls, all of which require the ability to
      alter the parent process's PAG membership.  However, since kAFS doesn't use
      PAGs per se, but rather dumps the keys into the session keyring, the session
      keyring of the parent must be replaced if, for example, VIOCSETTOK is passed
      the newpag flag.
      
      This can be tested with the following program:
      
      	#include <stdio.h>
      	#include <stdlib.h>
      	#include <keyutils.h>
      
      	#define KEYCTL_SESSION_TO_PARENT	18
      
      	#define OSERROR(X, S) do { if ((long)(X) == -1) { perror(S); exit(1); } } while(0)
      
      	int main(int argc, char **argv)
      	{
      		key_serial_t keyring, key;
      		long ret;
      
      		keyring = keyctl_join_session_keyring(argv[1]);
      		OSERROR(keyring, "keyctl_join_session_keyring");
      
      		key = add_key("user", "a", "b", 1, keyring);
      		OSERROR(key, "add_key");
      
      		ret = keyctl(KEYCTL_SESSION_TO_PARENT);
      		OSERROR(ret, "KEYCTL_SESSION_TO_PARENT");
      
      		return 0;
      	}
      
      Compiled and linked with -lkeyutils, you should see something like:
      
      	[dhowells@andromeda ~]$ keyctl show
      	Session Keyring
      	       -3 --alswrv   4043  4043  keyring: _ses
      	355907932 --alswrv   4043    -1   \_ keyring: _uid.4043
      	[dhowells@andromeda ~]$ /tmp/newpag
      	[dhowells@andromeda ~]$ keyctl show
      	Session Keyring
      	       -3 --alswrv   4043  4043  keyring: _ses
      	1055658746 --alswrv   4043  4043   \_ user: a
      	[dhowells@andromeda ~]$ /tmp/newpag hello
      	[dhowells@andromeda ~]$ keyctl show
      	Session Keyring
      	       -3 --alswrv   4043  4043  keyring: hello
      	340417692 --alswrv   4043  4043   \_ user: a
      
      Where the test program creates a new session keyring, sticks a user key named
      'a' into it and then installs it on its parent.
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      ee18d64c
    • D
      CRED: Add some configurable debugging [try #6] · e0e81739
      David Howells 提交于
      Add a config option (CONFIG_DEBUG_CREDENTIALS) to turn on some debug checking
      for credential management.  The additional code keeps track of the number of
      pointers from task_structs to any given cred struct, and checks to see that
      this number never exceeds the usage count of the cred struct (which includes
      all references, not just those from task_structs).
      
      Furthermore, if SELinux is enabled, the code also checks that the security
      pointer in the cred struct is never seen to be invalid.
      
      This attempts to catch the bug whereby inode_has_perm() faults in an nfsd
      kernel thread on seeing cred->security be a NULL pointer (it appears that the
      credential struct has been previously released):
      
      	http://www.kerneloops.org/oops.php?number=252883Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      e0e81739
  2. 01 9月, 2009 1 次提交
    • P
      selinux: Support for the new TUN LSM hooks · ed6d76e4
      Paul Moore 提交于
      Add support for the new TUN LSM hooks: security_tun_dev_create(),
      security_tun_dev_post_create() and security_tun_dev_attach().  This includes
      the addition of a new object class, tun_socket, which represents the socks
      associated with TUN devices.  The _tun_dev_create() and _tun_dev_post_create()
      hooks are fairly similar to the standard socket functions but _tun_dev_attach()
      is a bit special.  The _tun_dev_attach() is unique because it involves a
      domain attaching to an existing TUN device and its associated tun_socket
      object, an operation which does not exist with standard sockets and most
      closely resembles a relabel operation.
      Signed-off-by: NPaul Moore <paul.moore@hp.com>
      Acked-by: NEric Paris <eparis@parisplace.org>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      ed6d76e4
  3. 21 8月, 2009 1 次提交
  4. 17 8月, 2009 3 次提交
    • E
      Security/SELinux: seperate lsm specific mmap_min_addr · 788084ab
      Eric Paris 提交于
      Currently SELinux enforcement of controls on the ability to map low memory
      is determined by the mmap_min_addr tunable.  This patch causes SELinux to
      ignore the tunable and instead use a seperate Kconfig option specific to how
      much space the LSM should protect.
      
      The tunable will now only control the need for CAP_SYS_RAWIO and SELinux
      permissions will always protect the amount of low memory designated by
      CONFIG_LSM_MMAP_MIN_ADDR.
      
      This allows users who need to disable the mmap_min_addr controls (usual reason
      being they run WINE as a non-root user) to do so and still have SELinux
      controls preventing confined domains (like a web server) from being able to
      map some area of low memory.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      788084ab
    • E
      SELinux: call cap_file_mmap in selinux_file_mmap · 8cf948e7
      Eric Paris 提交于
      Currently SELinux does not check CAP_SYS_RAWIO in the file_mmap hook.  This
      means there is no DAC check on the ability to mmap low addresses in the
      memory space.  This function adds the DAC check for CAP_SYS_RAWIO while
      maintaining the selinux check on mmap_zero.  This means that processes
      which need to mmap low memory will need CAP_SYS_RAWIO and mmap_zero but will
      NOT need the SELinux sys_rawio capability.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      8cf948e7
    • T
      SELinux: Convert avc_audit to use lsm_audit.h · 2bf49690
      Thomas Liu 提交于
      Convert avc_audit in security/selinux/avc.c to use lsm_audit.h,
      for better maintainability.
      
       - changed selinux to use common_audit_data instead of
          avc_audit_data
       - eliminated code in avc.c and used code from lsm_audit.h instead.
      
      Had to add a LSM_AUDIT_NO_AUDIT to lsm_audit.h so that avc_audit
      can call common_lsm_audit and do the pre and post callbacks without
      doing the actual dump.  This makes it so that the patched version
      behaves the same way as the unpatched version.
      
      Also added a denied field to the selinux_audit_data private space,
      once again to make it so that the patched version behaves like the
      unpatched.
      
      I've tested and confirmed that AVCs look the same before and after
      this patch.
      Signed-off-by: NThomas Liu <tliu@redhat.com>
      Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      2bf49690
  5. 14 8月, 2009 1 次提交
  6. 11 8月, 2009 1 次提交
  7. 06 8月, 2009 2 次提交
    • E
      Security/SELinux: seperate lsm specific mmap_min_addr · a2551df7
      Eric Paris 提交于
      Currently SELinux enforcement of controls on the ability to map low memory
      is determined by the mmap_min_addr tunable.  This patch causes SELinux to
      ignore the tunable and instead use a seperate Kconfig option specific to how
      much space the LSM should protect.
      
      The tunable will now only control the need for CAP_SYS_RAWIO and SELinux
      permissions will always protect the amount of low memory designated by
      CONFIG_LSM_MMAP_MIN_ADDR.
      
      This allows users who need to disable the mmap_min_addr controls (usual reason
      being they run WINE as a non-root user) to do so and still have SELinux
      controls preventing confined domains (like a web server) from being able to
      map some area of low memory.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      a2551df7
    • E
      SELinux: call cap_file_mmap in selinux_file_mmap · 84336d1a
      Eric Paris 提交于
      Currently SELinux does not check CAP_SYS_RAWIO in the file_mmap hook.  This
      means there is no DAC check on the ability to mmap low addresses in the
      memory space.  This function adds the DAC check for CAP_SYS_RAWIO while
      maintaining the selinux check on mmap_zero.  This means that processes
      which need to mmap low memory will need CAP_SYS_RAWIO and mmap_zero but will
      NOT need the SELinux sys_rawio capability.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      84336d1a
  8. 17 7月, 2009 1 次提交
  9. 13 7月, 2009 2 次提交
  10. 25 6月, 2009 1 次提交
  11. 24 6月, 2009 1 次提交
  12. 23 6月, 2009 1 次提交
  13. 18 6月, 2009 2 次提交
    • K
      Add audit messages on type boundary violations · 44c2d9bd
      KaiGai Kohei 提交于
      The attached patch adds support to generate audit messages on two cases.
      
      The first one is a case when a multi-thread process tries to switch its
      performing security context using setcon(3), but new security context is
      not bounded by the old one.
      
        type=SELINUX_ERR msg=audit(1245311998.599:17):        \
            op=security_bounded_transition result=denied      \
            oldcontext=system_u:system_r:httpd_t:s0           \
            newcontext=system_u:system_r:guest_webapp_t:s0
      
      The other one is a case when security_compute_av() masked any permissions
      due to the type boundary violation.
      
        type=SELINUX_ERR msg=audit(1245312836.035:32):	\
            op=security_compute_av reason=bounds              \
            scontext=system_u:object_r:user_webapp_t:s0       \
            tcontext=system_u:object_r:shadow_t:s0:c0         \
            tclass=file perms=getattr,open
      Signed-off-by: NKaiGai Kohei <kaigai@ak.jp.nec.com>
      Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      44c2d9bd
    • K
      cleanup in ss/services.c · caabbdc0
      KaiGai Kohei 提交于
      It is a cleanup patch to cut down a line within 80 columns.
      Signed-off-by: NKaiGai Kohei <kaigai@ak.jp.nec.com>
      --
       security/selinux/ss/services.c |    6 +++---
       1 files changed, 3 insertions(+), 3 deletions(-)
      Signed-off-by: NJames Morris <jmorris@namei.org>
      caabbdc0
  14. 03 6月, 2009 2 次提交
  15. 19 5月, 2009 2 次提交
    • S
      selinux: remove obsolete read buffer limit from sel_read_bool · c5642f4b
      Stephen Smalley 提交于
      On Tue, 2009-05-19 at 00:05 -0400, Eamon Walsh wrote:
      > Recent versions of coreutils have bumped the read buffer size from 4K to
      > 32K in several of the utilities.
      >
      > This means that "cat /selinux/booleans/xserver_object_manager" no longer
      > works, it returns "Invalid argument" on F11.  getsebool works fine.
      >
      > sel_read_bool has a check for "count > PAGE_SIZE" that doesn't seem to
      > be present in the other read functions.  Maybe it could be removed?
      
      Yes, that check is obsoleted by the conversion of those functions to
      using simple_read_from_buffer(), which will reduce count if necessary to
      what is available in the buffer.
      Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      c5642f4b
    • E
      SELinux: move SELINUX_MAGIC into magic.h · 75834fc3
      Eric Paris 提交于
      The selinuxfs superblock magic is used inside the IMA code, but is being
      defined in two places and could someday get out of sync.  This patch moves the
      declaration into magic.h so it is only done once.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      75834fc3
  16. 05 5月, 2009 1 次提交
  17. 30 4月, 2009 3 次提交
  18. 02 4月, 2009 1 次提交
    • K
      Permissive domain in userspace object manager · 8a6f83af
      KaiGai Kohei 提交于
      This patch enables applications to handle permissive domain correctly.
      
      Since the v2.6.26 kernel, SELinux has supported an idea of permissive
      domain which allows certain processes to work as if permissive mode,
      even if the global setting is enforcing mode.
      However, we don't have an application program interface to inform
      what domains are permissive one, and what domains are not.
      It means applications focuses on SELinux (XACE/SELinux, SE-PostgreSQL
      and so on) cannot handle permissive domain correctly.
      
      This patch add the sixth field (flags) on the reply of the /selinux/access
      interface which is used to make an access control decision from userspace.
      If the first bit of the flags field is positive, it means the required
      access control decision is on permissive domain, so application should
      allow any required actions, as the kernel doing.
      
      This patch also has a side benefit. The av_decision.flags is set at
      context_struct_compute_av(). It enables to check required permissions
      without read_lock(&policy_rwlock).
      Signed-off-by: NKaiGai Kohei <kaigai@ak.jp.nec.com>
      Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
      Acked-by: NEric Paris <eparis@redhat.com>
      --
       security/selinux/avc.c              |    2 +-
       security/selinux/include/security.h |    4 +++-
       security/selinux/selinuxfs.c        |    4 ++--
       security/selinux/ss/services.c      |   30 +++++-------------------------
       4 files changed, 11 insertions(+), 29 deletions(-)
      Signed-off-by: NJames Morris <jmorris@namei.org>
      8a6f83af
  19. 28 3月, 2009 2 次提交
    • P
      selinux: Remove the "compat_net" compatibility code · 58bfbb51
      Paul Moore 提交于
      The SELinux "compat_net" is marked as deprecated, the time has come to
      finally remove it from the kernel.  Further code simplifications are
      likely in the future, but this patch was intended to be a simple,
      straight-up removal of the compat_net code.
      Signed-off-by: NPaul Moore <paul.moore@hp.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      58bfbb51
    • P
      netlabel: Label incoming TCP connections correctly in SELinux · 389fb800
      Paul Moore 提交于
      The current NetLabel/SELinux behavior for incoming TCP connections works but
      only through a series of happy coincidences that rely on the limited nature of
      standard CIPSO (only able to convey MLS attributes) and the write equality
      imposed by the SELinux MLS constraints.  The problem is that network sockets
      created as the result of an incoming TCP connection were not on-the-wire
      labeled based on the security attributes of the parent socket but rather based
      on the wire label of the remote peer.  The issue had to do with how IP options
      were managed as part of the network stack and where the LSM hooks were in
      relation to the code which set the IP options on these newly created child
      sockets.  While NetLabel/SELinux did correctly set the socket's on-the-wire
      label it was promptly cleared by the network stack and reset based on the IP
      options of the remote peer.
      
      This patch, in conjunction with a prior patch that adjusted the LSM hook
      locations, works to set the correct on-the-wire label format for new incoming
      connections through the security_inet_conn_request() hook.  Besides the
      correct behavior there are many advantages to this change, the most significant
      is that all of the NetLabel socket labeling code in SELinux now lives in hooks
      which can return error codes to the core stack which allows us to finally get
      ride of the selinux_netlbl_inode_permission() logic which greatly simplfies
      the NetLabel/SELinux glue code.  In the process of developing this patch I
      also ran into a small handful of AF_INET6 cleanliness issues that have been
      fixed which should make the code safer and easier to extend in the future.
      Signed-off-by: NPaul Moore <paul.moore@hp.com>
      Acked-by: NCasey Schaufler <casey@schaufler-ca.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      389fb800
  20. 10 3月, 2009 1 次提交
  21. 06 3月, 2009 2 次提交
  22. 02 3月, 2009 1 次提交
  23. 23 2月, 2009 1 次提交
    • P
      selinux: Fix the NetLabel glue code for setsockopt() · 09c50b4a
      Paul Moore 提交于
      At some point we (okay, I) managed to break the ability for users to use the
      setsockopt() syscall to set IPv4 options when NetLabel was not active on the
      socket in question.  The problem was noticed by someone trying to use the
      "-R" (record route) option of ping:
      
       # ping -R 10.0.0.1
       ping: record route: No message of desired type
      
      The solution is relatively simple, we catch the unlabeled socket case and
      clear the error code, allowing the operation to succeed.  Please note that we
      still deny users the ability to override IPv4 options on socket's which have
      NetLabel labeling active; this is done to ensure the labeling remains intact.
      Signed-off-by: NPaul Moore <paul.moore@hp.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      09c50b4a
  24. 14 2月, 2009 5 次提交