1. 19 8月, 2009 2 次提交
  2. 17 8月, 2009 1 次提交
    • E
      Security/SELinux: seperate lsm specific mmap_min_addr · 788084ab
      Eric Paris 提交于
      Currently SELinux enforcement of controls on the ability to map low memory
      is determined by the mmap_min_addr tunable.  This patch causes SELinux to
      ignore the tunable and instead use a seperate Kconfig option specific to how
      much space the LSM should protect.
      
      The tunable will now only control the need for CAP_SYS_RAWIO and SELinux
      permissions will always protect the amount of low memory designated by
      CONFIG_LSM_MMAP_MIN_ADDR.
      
      This allows users who need to disable the mmap_min_addr controls (usual reason
      being they run WINE as a non-root user) to do so and still have SELinux
      controls preventing confined domains (like a web server) from being able to
      map some area of low memory.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      788084ab
  3. 04 6月, 2009 1 次提交
  4. 12 2月, 2009 1 次提交
  5. 06 2月, 2009 1 次提交
    • M
      integrity: IMA as an integrity service provider · 3323eec9
      Mimi Zohar 提交于
      IMA provides hardware (TPM) based measurement and attestation for
      file measurements. As the Trusted Computing (TPM) model requires,
      IMA measures all files before they are accessed in any way (on the
      integrity_bprm_check, integrity_path_check and integrity_file_mmap
      hooks), and commits the measurements to the TPM. Once added to the
      TPM, measurements can not be removed.
      
      In addition, IMA maintains a list of these file measurements, which
      can be used to validate the aggregate value stored in the TPM.  The
      TPM can sign these measurements, and thus the system can prove, to
      itself and to a third party, the system's integrity in a way that
      cannot be circumvented by malicious or compromised software.
      
      - alloc ima_template_entry before calling ima_store_template()
      - log ima_add_boot_aggregate() failure
      - removed unused IMA_TEMPLATE_NAME_LEN
      - replaced hard coded string length with #define name
      Signed-off-by: NMimi Zohar <zohar@us.ibm.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      3323eec9
  6. 01 1月, 2009 1 次提交
  7. 28 8月, 2008 1 次提交
  8. 25 7月, 2008 1 次提交
  9. 14 7月, 2008 2 次提交
  10. 18 4月, 2008 1 次提交
  11. 06 2月, 2008 2 次提交
    • E
      security: allow Kconfig to set default mmap_min_addr protection · a5ecbcb8
      Eric Paris 提交于
      Since it was decided that low memory protection from userspace couldn't
      be turned on by default add a Kconfig option to allow users/distros to
      set a default at compile time.  This value is still tunable after boot
      in /proc/sys/vm/mmap_min_addr
      
      Discussion:
      http://www.mail-archive.com/linux-security-module@vger.kernel.org/msg02543.htmlSigned-off-by: NEric Paris <eparis@redhat.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      a5ecbcb8
    • C
      Smack: Simplified Mandatory Access Control Kernel · e114e473
      Casey Schaufler 提交于
      Smack is the Simplified Mandatory Access Control Kernel.
      
      Smack implements mandatory access control (MAC) using labels
      attached to tasks and data containers, including files, SVIPC,
      and other tasks. Smack is a kernel based scheme that requires
      an absolute minimum of application support and a very small
      amount of configuration data.
      
      Smack uses extended attributes and
      provides a set of general mount options, borrowing technics used
      elsewhere. Smack uses netlabel for CIPSO labeling. Smack provides
      a pseudo-filesystem smackfs that is used for manipulation of
      system Smack attributes.
      
      The patch, patches for ls and sshd, a README, a startup script,
      and x86 binaries for ls and sshd are also available on
      
          http://www.schaufler-ca.com
      
      Development has been done using Fedora Core 7 in a virtual machine
      environment and on an old Sony laptop.
      
      Smack provides mandatory access controls based on the label attached
      to a task and the label attached to the object it is attempting to
      access. Smack labels are deliberately short (1-23 characters) text
      strings. Single character labels using special characters are reserved
      for system use. The only operation applied to Smack labels is equality
      comparison. No wildcards or expressions, regular or otherwise, are
      used. Smack labels are composed of printable characters and may not
      include "/".
      
      A file always gets the Smack label of the task that created it.
      
      Smack defines and uses these labels:
      
          "*" - pronounced "star"
          "_" - pronounced "floor"
          "^" - pronounced "hat"
          "?" - pronounced "huh"
      
      The access rules enforced by Smack are, in order:
      
      1. Any access requested by a task labeled "*" is denied.
      2. A read or execute access requested by a task labeled "^"
         is permitted.
      3. A read or execute access requested on an object labeled "_"
         is permitted.
      4. Any access requested on an object labeled "*" is permitted.
      5. Any access requested by a task on an object with the same
         label is permitted.
      6. Any access requested that is explicitly defined in the loaded
         rule set is permitted.
      7. Any other access is denied.
      
      Rules may be explicitly defined by writing subject,object,access
      triples to /smack/load.
      
      Smack rule sets can be easily defined that describe Bell&LaPadula
      sensitivity, Biba integrity, and a variety of interesting
      configurations. Smack rule sets can be modified on the fly to
      accommodate changes in the operating environment or even the time
      of day.
      
      Some practical use cases:
      
      Hierarchical levels. The less common of the two usual uses
      for MLS systems is to define hierarchical levels, often
      unclassified, confidential, secret, and so on. To set up smack
      to support this, these rules could be defined:
      
         C        Unclass rx
         S        C       rx
         S        Unclass rx
         TS       S       rx
         TS       C       rx
         TS       Unclass rx
      
      A TS process can read S, C, and Unclass data, but cannot write it.
      An S process can read C and Unclass. Note that specifying that
      TS can read S and S can read C does not imply TS can read C, it
      has to be explicitly stated.
      
      Non-hierarchical categories. This is the more common of the
      usual uses for an MLS system. Since the default rule is that a
      subject cannot access an object with a different label no
      access rules are required to implement compartmentalization.
      
      A case that the Bell & LaPadula policy does not allow is demonstrated
      with this Smack access rule:
      
      A case that Bell&LaPadula does not allow that Smack does:
      
          ESPN    ABC   r
          ABC     ESPN  r
      
      On my portable video device I have two applications, one that
      shows ABC programming and the other ESPN programming. ESPN wants
      to show me sport stories that show up as news, and ABC will
      only provide minimal information about a sports story if ESPN
      is covering it. Each side can look at the other's info, neither
      can change the other. Neither can see what FOX is up to, which
      is just as well all things considered.
      
      Another case that I especially like:
      
          SatData Guard   w
          Guard   Publish w
      
      A program running with the Guard label opens a UDP socket and
      accepts messages sent by a program running with a SatData label.
      The Guard program inspects the message to ensure it is wholesome
      and if it is sends it to a program running with the Publish label.
      This program then puts the information passed in an appropriate
      place. Note that the Guard program cannot write to a Publish
      file system object because file system semanitic require read as
      well as write.
      
      The four cases (categories, levels, mutual read, guardbox) here
      are all quite real, and problems I've been asked to solve over
      the years. The first two are easy to do with traditonal MLS systems
      while the last two you can't without invoking privilege, at least
      for a while.
      Signed-off-by: NCasey Schaufler <casey@schaufler-ca.com>
      Cc: Joshua Brindle <method@manicmethod.com>
      Cc: Paul Moore <paul.moore@hp.com>
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Cc: Chris Wright <chrisw@sous-sol.org>
      Cc: James Morris <jmorris@namei.org>
      Cc: "Ahmed S. Darwish" <darwish.07@gmail.com>
      Cc: Andrew G. Morgan <morgan@kernel.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      e114e473
  12. 30 1月, 2008 1 次提交
  13. 17 10月, 2007 2 次提交
    • S
      Implement file posix capabilities · b5376771
      Serge E. Hallyn 提交于
      Implement file posix capabilities.  This allows programs to be given a
      subset of root's powers regardless of who runs them, without having to use
      setuid and giving the binary all of root's powers.
      
      This version works with Kaigai Kohei's userspace tools, found at
      http://www.kaigai.gr.jp/index.php.  For more information on how to use this
      patch, Chris Friedhoff has posted a nice page at
      http://www.friedhoff.org/fscaps.html.
      
      Changelog:
      	Nov 27:
      	Incorporate fixes from Andrew Morton
      	(security-introduce-file-caps-tweaks and
      	security-introduce-file-caps-warning-fix)
      	Fix Kconfig dependency.
      	Fix change signaling behavior when file caps are not compiled in.
      
      	Nov 13:
      	Integrate comments from Alexey: Remove CONFIG_ ifdef from
      	capability.h, and use %zd for printing a size_t.
      
      	Nov 13:
      	Fix endianness warnings by sparse as suggested by Alexey
      	Dobriyan.
      
      	Nov 09:
      	Address warnings of unused variables at cap_bprm_set_security
      	when file capabilities are disabled, and simultaneously clean
      	up the code a little, by pulling the new code into a helper
      	function.
      
      	Nov 08:
      	For pointers to required userspace tools and how to use
      	them, see http://www.friedhoff.org/fscaps.html.
      
      	Nov 07:
      	Fix the calculation of the highest bit checked in
      	check_cap_sanity().
      
      	Nov 07:
      	Allow file caps to be enabled without CONFIG_SECURITY, since
      	capabilities are the default.
      	Hook cap_task_setscheduler when !CONFIG_SECURITY.
      	Move capable(TASK_KILL) to end of cap_task_kill to reduce
      	audit messages.
      
      	Nov 05:
      	Add secondary calls in selinux/hooks.c to task_setioprio and
      	task_setscheduler so that selinux and capabilities with file
      	cap support can be stacked.
      
      	Sep 05:
      	As Seth Arnold points out, uid checks are out of place
      	for capability code.
      
      	Sep 01:
      	Define task_setscheduler, task_setioprio, cap_task_kill, and
      	task_setnice to make sure a user cannot affect a process in which
      	they called a program with some fscaps.
      
      	One remaining question is the note under task_setscheduler: are we
      	ok with CAP_SYS_NICE being sufficient to confine a process to a
      	cpuset?
      
      	It is a semantic change, as without fsccaps, attach_task doesn't
      	allow CAP_SYS_NICE to override the uid equivalence check.  But since
      	it uses security_task_setscheduler, which elsewhere is used where
      	CAP_SYS_NICE can be used to override the uid equivalence check,
      	fixing it might be tough.
      
      	     task_setscheduler
      		 note: this also controls cpuset:attach_task.  Are we ok with
      		     CAP_SYS_NICE being used to confine to a cpuset?
      	     task_setioprio
      	     task_setnice
      		 sys_setpriority uses this (through set_one_prio) for another
      		 process.  Need same checks as setrlimit
      
      	Aug 21:
      	Updated secureexec implementation to reflect the fact that
      	euid and uid might be the same and nonzero, but the process
      	might still have elevated caps.
      
      	Aug 15:
      	Handle endianness of xattrs.
      	Enforce capability version match between kernel and disk.
      	Enforce that no bits beyond the known max capability are
      	set, else return -EPERM.
      	With this extra processing, it may be worth reconsidering
      	doing all the work at bprm_set_security rather than
      	d_instantiate.
      
      	Aug 10:
      	Always call getxattr at bprm_set_security, rather than
      	caching it at d_instantiate.
      
      [morgan@kernel.org: file-caps clean up for linux/capability.h]
      [bunk@kernel.org: unexport cap_inode_killpriv]
      Signed-off-by: NSerge E. Hallyn <serue@us.ibm.com>
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Cc: James Morris <jmorris@namei.org>
      Cc: Chris Wright <chrisw@sous-sol.org>
      Cc: Andrew Morgan <morgan@kernel.org>
      Signed-off-by: NAndrew Morgan <morgan@kernel.org>
      Signed-off-by: NAdrian Bunk <bunk@kernel.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      b5376771
    • J
      security: Convert LSM into a static interface · 20510f2f
      James Morris 提交于
      Convert LSM into a static interface, as the ability to unload a security
      module is not required by in-tree users and potentially complicates the
      overall security architecture.
      
      Needlessly exported LSM symbols have been unexported, to help reduce API
      abuse.
      
      Parameters for the capability and root_plug modules are now specified
      at boot.
      
      The SECURITY_FRAMEWORK_VERSION macro has also been removed.
      
      In a nutshell, there is no safe way to unload an LSM.  The modular interface
      is thus unecessary and broken infrastructure.  It is used only by out-of-tree
      modules, which are often binary-only, illegal, abusive of the API and
      dangerous, e.g.  silently re-vectoring SELinux.
      
      [akpm@linux-foundation.org: cleanups]
      [akpm@linux-foundation.org: USB Kconfig fix]
      [randy.dunlap@oracle.com: fix LSM kernel-doc]
      Signed-off-by: NJames Morris <jmorris@namei.org>
      Acked-by: NChris Wright <chrisw@sous-sol.org>
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Cc: "Serge E. Hallyn" <serue@us.ibm.com>
      Acked-by: NArjan van de Ven <arjan@infradead.org>
      Signed-off-by: NRandy Dunlap <randy.dunlap@oracle.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      20510f2f
  14. 30 9月, 2006 1 次提交
  15. 27 6月, 2006 1 次提交
  16. 04 1月, 2006 1 次提交
    • T
      [LSM-IPSec]: Security association restriction. · df71837d
      Trent Jaeger 提交于
      This patch series implements per packet access control via the
      extension of the Linux Security Modules (LSM) interface by hooks in
      the XFRM and pfkey subsystems that leverage IPSec security
      associations to label packets.  Extensions to the SELinux LSM are
      included that leverage the patch for this purpose.
      
      This patch implements the changes necessary to the XFRM subsystem,
      pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
      socket to use only authorized security associations (or no security
      association) to send/receive network packets.
      
      Patch purpose:
      
      The patch is designed to enable access control per packets based on
      the strongly authenticated IPSec security association.  Such access
      controls augment the existing ones based on network interface and IP
      address.  The former are very coarse-grained, and the latter can be
      spoofed.  By using IPSec, the system can control access to remote
      hosts based on cryptographic keys generated using the IPSec mechanism.
      This enables access control on a per-machine basis or per-application
      if the remote machine is running the same mechanism and trusted to
      enforce the access control policy.
      
      Patch design approach:
      
      The overall approach is that policy (xfrm_policy) entries set by
      user-level programs (e.g., setkey for ipsec-tools) are extended with a
      security context that is used at policy selection time in the XFRM
      subsystem to restrict the sockets that can send/receive packets via
      security associations (xfrm_states) that are built from those
      policies.
      
      A presentation available at
      www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
      from the SELinux symposium describes the overall approach.
      
      Patch implementation details:
      
      On output, the policy retrieved (via xfrm_policy_lookup or
      xfrm_sk_policy_lookup) must be authorized for the security context of
      the socket and the same security context is required for resultant
      security association (retrieved or negotiated via racoon in
      ipsec-tools).  This is enforced in xfrm_state_find.
      
      On input, the policy retrieved must also be authorized for the socket
      (at __xfrm_policy_check), and the security context of the policy must
      also match the security association being used.
      
      The patch has virtually no impact on packets that do not use IPSec.
      The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
      before.
      
      Also, if IPSec is used without security contexts, the impact is
      minimal.  The LSM must allow such policies to be selected for the
      combination of socket and remote machine, but subsequent IPSec
      processing proceeds as in the original case.
      
      Testing:
      
      The pfkey interface is tested using the ipsec-tools.  ipsec-tools have
      been modified (a separate ipsec-tools patch is available for version
      0.5) that supports assignment of xfrm_policy entries and security
      associations with security contexts via setkey and the negotiation
      using the security contexts via racoon.
      
      The xfrm_user interface is tested via ad hoc programs that set
      security contexts.  These programs are also available from me, and
      contain programs for setting, getting, and deleting policy for testing
      this interface.  Testing of sa functions was done by tracing kernel
      behavior.
      Signed-off-by: NTrent Jaeger <tjaeger@cse.psu.edu>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      df71837d
  17. 23 8月, 2005 1 次提交
  18. 17 4月, 2005 1 次提交
    • L
      Linux-2.6.12-rc2 · 1da177e4
      Linus Torvalds 提交于
      Initial git repository build. I'm not bothering with the full history,
      even though we have it. We can create a separate "historical" git
      archive of that later if we want to, and in the meantime it's about
      3.2GB when imported into git - space that would just make the early
      git days unnecessarily complicated, when we don't have a lot of good
      infrastructure for it.
      
      Let it rip!
      1da177e4