1. 30 1月, 2008 2 次提交
  2. 29 1月, 2008 1 次提交
  3. 25 1月, 2008 2 次提交
    • D
      security: add a secctx_to_secid() hook · 63cb3449
      David Howells 提交于
      Add a secctx_to_secid() LSM hook to go along with the existing
      secid_to_secctx() LSM hook.  This patch also includes the SELinux
      implementation for this hook.
      Signed-off-by: NPaul Moore <paul.moore@hp.com>
      Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      63cb3449
    • E
      Security: add get, set, and cloning of superblock security information · c9180a57
      Eric Paris 提交于
      Adds security_get_sb_mnt_opts, security_set_sb_mnt_opts, and
      security_clont_sb_mnt_opts to the LSM and to SELinux.  This will allow
      filesystems to directly own and control all of their mount options if they
      so choose.  This interface deals only with option identifiers and strings so
      it should generic enough for any LSM which may come in the future.
      
      Filesystems which pass text mount data around in the kernel (almost all of
      them) need not currently make use of this interface when dealing with
      SELinux since it will still parse those strings as it always has.  I assume
      future LSM's would do the same.  NFS is the primary FS which does not use
      text mount data and thus must make use of this interface.
      
      An LSM would need to implement these functions only if they had mount time
      options, such as selinux has context= or fscontext=.  If the LSM has no
      mount time options they could simply not implement and let the dummy ops
      take care of things.
      
      An LSM other than SELinux would need to define new option numbers in
      security.h and any FS which decides to own there own security options would
      need to be patched to use this new interface for every possible LSM.  This
      is because it was stated to me very clearly that LSM's should not attempt to
      understand FS mount data and the burdon to understand security should be in
      the FS which owns the options.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Acked-by: NStephen D. Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      c9180a57
  4. 23 10月, 2007 1 次提交
    • E
      SELinux: always check SIGCHLD in selinux_task_wait · 8a535140
      Eric Paris 提交于
      When checking if we can wait on a child we were looking at
      p->exit_signal and trying to make the decision based on if the signal
      would eventually be allowed.  One big flaw is that p->exit_signal is -1
      for NPTL threads and so aignal_to_av was not actually checking SIGCHLD
      which is what would have been sent.  Even is exit_signal was set to
      something strange it wouldn't change the fact that the child was there
      and needed to be waited on.  This patch just assumes wait is based on
      SIGCHLD.  Specific permission checks are made when the child actually
      attempts to send a signal.
      
      This resolves the problem of things like using GDB on confined domains
      such as in RH BZ 232371.  The confined domain did not have permission to
      send a generic signal (exit_signal == -1) back to the unconfined GDB.
      With this patch the GDB wait works and since the actual signal sent is
      allowed everything functions as it should.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      8a535140
  5. 17 10月, 2007 4 次提交
    • A
      security/ cleanups · cbfee345
      Adrian Bunk 提交于
      This patch contains the following cleanups that are now possible:
      - remove the unused security_operations->inode_xattr_getsuffix
      - remove the no longer used security_operations->unregister_security
      - remove some no longer required exit code
      - remove a bunch of no longer used exports
      Signed-off-by: NAdrian Bunk <bunk@kernel.org>
      Acked-by: NJames Morris <jmorris@namei.org>
      Cc: Chris Wright <chrisw@sous-sol.org>
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Cc: Serge Hallyn <serue@us.ibm.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      cbfee345
    • S
      Implement file posix capabilities · b5376771
      Serge E. Hallyn 提交于
      Implement file posix capabilities.  This allows programs to be given a
      subset of root's powers regardless of who runs them, without having to use
      setuid and giving the binary all of root's powers.
      
      This version works with Kaigai Kohei's userspace tools, found at
      http://www.kaigai.gr.jp/index.php.  For more information on how to use this
      patch, Chris Friedhoff has posted a nice page at
      http://www.friedhoff.org/fscaps.html.
      
      Changelog:
      	Nov 27:
      	Incorporate fixes from Andrew Morton
      	(security-introduce-file-caps-tweaks and
      	security-introduce-file-caps-warning-fix)
      	Fix Kconfig dependency.
      	Fix change signaling behavior when file caps are not compiled in.
      
      	Nov 13:
      	Integrate comments from Alexey: Remove CONFIG_ ifdef from
      	capability.h, and use %zd for printing a size_t.
      
      	Nov 13:
      	Fix endianness warnings by sparse as suggested by Alexey
      	Dobriyan.
      
      	Nov 09:
      	Address warnings of unused variables at cap_bprm_set_security
      	when file capabilities are disabled, and simultaneously clean
      	up the code a little, by pulling the new code into a helper
      	function.
      
      	Nov 08:
      	For pointers to required userspace tools and how to use
      	them, see http://www.friedhoff.org/fscaps.html.
      
      	Nov 07:
      	Fix the calculation of the highest bit checked in
      	check_cap_sanity().
      
      	Nov 07:
      	Allow file caps to be enabled without CONFIG_SECURITY, since
      	capabilities are the default.
      	Hook cap_task_setscheduler when !CONFIG_SECURITY.
      	Move capable(TASK_KILL) to end of cap_task_kill to reduce
      	audit messages.
      
      	Nov 05:
      	Add secondary calls in selinux/hooks.c to task_setioprio and
      	task_setscheduler so that selinux and capabilities with file
      	cap support can be stacked.
      
      	Sep 05:
      	As Seth Arnold points out, uid checks are out of place
      	for capability code.
      
      	Sep 01:
      	Define task_setscheduler, task_setioprio, cap_task_kill, and
      	task_setnice to make sure a user cannot affect a process in which
      	they called a program with some fscaps.
      
      	One remaining question is the note under task_setscheduler: are we
      	ok with CAP_SYS_NICE being sufficient to confine a process to a
      	cpuset?
      
      	It is a semantic change, as without fsccaps, attach_task doesn't
      	allow CAP_SYS_NICE to override the uid equivalence check.  But since
      	it uses security_task_setscheduler, which elsewhere is used where
      	CAP_SYS_NICE can be used to override the uid equivalence check,
      	fixing it might be tough.
      
      	     task_setscheduler
      		 note: this also controls cpuset:attach_task.  Are we ok with
      		     CAP_SYS_NICE being used to confine to a cpuset?
      	     task_setioprio
      	     task_setnice
      		 sys_setpriority uses this (through set_one_prio) for another
      		 process.  Need same checks as setrlimit
      
      	Aug 21:
      	Updated secureexec implementation to reflect the fact that
      	euid and uid might be the same and nonzero, but the process
      	might still have elevated caps.
      
      	Aug 15:
      	Handle endianness of xattrs.
      	Enforce capability version match between kernel and disk.
      	Enforce that no bits beyond the known max capability are
      	set, else return -EPERM.
      	With this extra processing, it may be worth reconsidering
      	doing all the work at bprm_set_security rather than
      	d_instantiate.
      
      	Aug 10:
      	Always call getxattr at bprm_set_security, rather than
      	caching it at d_instantiate.
      
      [morgan@kernel.org: file-caps clean up for linux/capability.h]
      [bunk@kernel.org: unexport cap_inode_killpriv]
      Signed-off-by: NSerge E. Hallyn <serue@us.ibm.com>
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Cc: James Morris <jmorris@namei.org>
      Cc: Chris Wright <chrisw@sous-sol.org>
      Cc: Andrew Morgan <morgan@kernel.org>
      Signed-off-by: NAndrew Morgan <morgan@kernel.org>
      Signed-off-by: NAdrian Bunk <bunk@kernel.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      b5376771
    • J
      security: Convert LSM into a static interface · 20510f2f
      James Morris 提交于
      Convert LSM into a static interface, as the ability to unload a security
      module is not required by in-tree users and potentially complicates the
      overall security architecture.
      
      Needlessly exported LSM symbols have been unexported, to help reduce API
      abuse.
      
      Parameters for the capability and root_plug modules are now specified
      at boot.
      
      The SECURITY_FRAMEWORK_VERSION macro has also been removed.
      
      In a nutshell, there is no safe way to unload an LSM.  The modular interface
      is thus unecessary and broken infrastructure.  It is used only by out-of-tree
      modules, which are often binary-only, illegal, abusive of the API and
      dangerous, e.g.  silently re-vectoring SELinux.
      
      [akpm@linux-foundation.org: cleanups]
      [akpm@linux-foundation.org: USB Kconfig fix]
      [randy.dunlap@oracle.com: fix LSM kernel-doc]
      Signed-off-by: NJames Morris <jmorris@namei.org>
      Acked-by: NChris Wright <chrisw@sous-sol.org>
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Cc: "Serge E. Hallyn" <serue@us.ibm.com>
      Acked-by: NArjan van de Ven <arjan@infradead.org>
      Signed-off-by: NRandy Dunlap <randy.dunlap@oracle.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      20510f2f
    • Y
      SELinux: Improve read/write performance · 788e7dd4
      Yuichi Nakamura 提交于
      It reduces the selinux overhead on read/write by only revalidating
      permissions in selinux_file_permission if the task or inode labels have
      changed or the policy has changed since the open-time check.  A new LSM
      hook, security_dentry_open, is added to capture the necessary state at open
      time to allow this optimization.
      
      (see http://marc.info/?l=selinux&m=118972995207740&w=2)
      
      Signed-off-by: Yuichi Nakamura<ynakam@hitachisoft.jp>
      Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      788e7dd4
  6. 16 10月, 2007 1 次提交
  7. 11 10月, 2007 1 次提交
  8. 20 9月, 2007 1 次提交
  9. 31 8月, 2007 1 次提交
  10. 23 8月, 2007 1 次提交
    • A
      fix NULL pointer dereference in __vm_enough_memory() · 34b4e4aa
      Alan Cox 提交于
      The new exec code inserts an accounted vma into an mm struct which is not
      current->mm.  The existing memory check code has a hard coded assumption
      that this does not happen as does the security code.
      
      As the correct mm is known we pass the mm to the security method and the
      helper function.  A new security test is added for the case where we need
      to pass the mm and the existing one is modified to pass current->mm to
      avoid the need to change large amounts of code.
      
      (Thanks to Tobias for fixing rejects and testing)
      Signed-off-by: NAlan Cox <alan@redhat.com>
      Cc: WU Fengguang <wfg@mail.ustc.edu.cn>
      Cc: James Morris <jmorris@redhat.com>
      Cc: Tobias Diedrich <ranma+kernel@tdiedrich.de>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      34b4e4aa
  11. 02 8月, 2007 1 次提交
  12. 20 7月, 2007 1 次提交
    • P
      mm: Remove slab destructors from kmem_cache_create(). · 20c2df83
      Paul Mundt 提交于
      Slab destructors were no longer supported after Christoph's
      c59def9f change. They've been
      BUGs for both slab and slub, and slob never supported them
      either.
      
      This rips out support for the dtor pointer from kmem_cache_create()
      completely and fixes up every single callsite in the kernel (there were
      about 224, not including the slab allocator definitions themselves,
      or the documentation references).
      Signed-off-by: NPaul Mundt <lethal@linux-sh.org>
      20c2df83
  13. 19 7月, 2007 1 次提交
    • P
      SELinux: use SECINITSID_NETMSG instead of SECINITSID_UNLABELED for NetLabel · f36158c4
      Paul Moore 提交于
      These changes will make NetLabel behave like labeled IPsec where there is an
      access check for both labeled and unlabeled packets as well as providing the
      ability to restrict domains to receiving only labeled packets when NetLabel is
      in use.  The changes to the policy are straight forward with the following
      necessary to receive labeled traffic (with SECINITSID_NETMSG defined as
      "netlabel_peer_t"):
      
       allow mydom_t netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
      
      The policy for unlabeled traffic would be:
      
       allow mydom_t unlabeled_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
      
      These policy changes, as well as more general NetLabel support, are included in
      the latest SELinux Reference Policy release 20070629 or later.  Users who make
      use of NetLabel are strongly encouraged to upgrade their policy to avoid
      network problems.  Users who do not make use of NetLabel will not notice any
      difference.
      Signed-off-by: NPaul Moore <paul.moore@hp.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      f36158c4
  14. 18 7月, 2007 1 次提交
    • S
      Introduce is_owner_or_cap() to wrap CAP_FOWNER use with fsuid check · 3bd858ab
      Satyam Sharma 提交于
      Introduce is_owner_or_cap() macro in fs.h, and convert over relevant
      users to it. This is done because we want to avoid bugs in the future
      where we check for only effective fsuid of the current task against a
      file's owning uid, without simultaneously checking for CAP_FOWNER as
      well, thus violating its semantics.
      [ XFS uses special macros and structures, and in general looked ...
      untouchable, so we leave it alone -- but it has been looked over. ]
      
      The (current->fsuid != inode->i_uid) check in generic_permission() and
      exec_permission_lite() is left alone, because those operations are
      covered by CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH. Similarly operations
      falling under the purview of CAP_CHOWN and CAP_LEASE are also left alone.
      Signed-off-by: NSatyam Sharma <ssatyam@cse.iitk.ac.in>
      Cc: Al Viro <viro@ftp.linux.org.uk>
      Acked-by: NSerge E. Hallyn <serge@hallyn.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      3bd858ab
  15. 14 7月, 2007 1 次提交
  16. 12 7月, 2007 3 次提交
    • P
      SELinux: use SECINITSID_NETMSG instead of SECINITSID_UNLABELED for NetLabel · 9faf65fb
      Paul Moore 提交于
      These changes will make NetLabel behave like labeled IPsec where there is an
      access check for both labeled and unlabeled packets as well as providing the
      ability to restrict domains to receiving only labeled packets when NetLabel
      is in use.  The changes to the policy are straight forward with the
      following necessary to receive labeled traffic (with SECINITSID_NETMSG
      defined as "netlabel_peer_t"):
      
       allow mydom_t netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
      
      The policy for unlabeled traffic would be:
      
       allow mydom_t unlabeled_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
      
      These policy changes, as well as more general NetLabel support, are included
      in the SELinux Reference Policy SVN tree, r2352 or later.  Users who enable
      NetLabel support in the kernel are strongly encouraged to upgrade their
      policy to avoid network problems.
      Signed-off-by: NPaul Moore <paul.moore@hp.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      9faf65fb
    • E
      security: Protection for exploiting null dereference using mmap · ed032189
      Eric Paris 提交于
      Add a new security check on mmap operations to see if the user is attempting
      to mmap to low area of the address space.  The amount of space protected is
      indicated by the new proc tunable /proc/sys/vm/mmap_min_addr and defaults to
      0, preserving existing behavior.
      
      This patch uses a new SELinux security class "memprotect."  Policy already
      contains a number of allow rules like a_t self:process * (unconfined_t being
      one of them) which mean that putting this check in the process class (its
      best current fit) would make it useless as all user processes, which we also
      want to protect against, would be allowed. By taking the memprotect name of
      the new class it will also make it possible for us to move some of the other
      memory protect permissions out of 'process' and into the new class next time
      we bump the policy version number (which I also think is a good future idea)
      Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
      Acked-by: NChris Wright <chrisw@sous-sol.org>
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      ed032189
    • S
      SELinux: allow preemption between transition permission checks · 2c3c05db
      Stephen Smalley 提交于
      In security_get_user_sids, move the transition permission checks
      outside of the section holding the policy rdlock, and use the AVC to
      perform the checks, calling cond_resched after each one.  These
      changes should allow preemption between the individual checks and
      enable caching of the results.  It may however increase the overall
      time spent in the function in some cases, particularly in the cache
      miss case.
      
      The long term fix will be to take much of this logic to userspace by
      exporting additional state via selinuxfs, and ultimately deprecating
      and eliminating this interface from the kernel.
      Tested-by: NIngo Molnar <mingo@elte.hu>
      Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      2c3c05db
  17. 09 5月, 2007 2 次提交
  18. 26 4月, 2007 4 次提交
  19. 15 3月, 2007 1 次提交
  20. 27 2月, 2007 1 次提交
    • E
      Reassign printk levels in selinux kernel code · fadcdb45
      Eric Paris 提交于
      Below is a patch which demotes many printk lines to KERN_DEBUG from
      KERN_INFO.  It should help stop the spamming of logs with messages in
      which users are not interested nor is there any action that users should
      take.  It also promotes some KERN_INFO to KERN_ERR such as when there
      are improper attempts to register/unregister security modules.
      
      A similar patch was discussed a while back on list:
      http://marc.theaimsgroup.com/?t=116656343500003&r=1&w=2
      This patch addresses almost all of the issues raised.  I believe the
      only advice not taken was in the demoting of messages related to
      undefined permissions and classes.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
      
       security/selinux/hooks.c       |   20 ++++++++++----------
       security/selinux/ss/avtab.c    |    2 +-
       security/selinux/ss/policydb.c |    6 +++---
       security/selinux/ss/sidtab.c   |    2 +-
       4 files changed, 15 insertions(+), 15 deletions(-)
      Signed-off-by: NJames Morris <jmorris@namei.org>
      fadcdb45
  21. 15 2月, 2007 3 次提交
  22. 12 2月, 2007 2 次提交
  23. 11 12月, 2006 1 次提交
    • V
      [PATCH] fdtable: Make fdarray and fdsets equal in size · bbea9f69
      Vadim Lobanov 提交于
      Currently, each fdtable supports three dynamically-sized arrays of data: the
      fdarray and two fdsets.  The code allows the number of fds supported by the
      fdarray (fdtable->max_fds) to differ from the number of fds supported by each
      of the fdsets (fdtable->max_fdset).
      
      In practice, it is wasteful for these two sizes to differ: whenever we hit a
      limit on the smaller-capacity structure, we will reallocate the entire fdtable
      and all the dynamic arrays within it, so any delta in the memory used by the
      larger-capacity structure will never be touched at all.
      
      Rather than hogging this excess, we shouldn't even allocate it in the first
      place, and keep the capacities of the fdarray and the fdsets equal.  This
      patch removes fdtable->max_fdset.  As an added bonus, most of the supporting
      code becomes simpler.
      Signed-off-by: NVadim Lobanov <vlobanov@speakeasy.net>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Dipankar Sarma <dipankar@in.ibm.com>
      Signed-off-by: NAndrew Morton <akpm@osdl.org>
      Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
      bbea9f69
  24. 09 12月, 2006 2 次提交
    • J
      [PATCH] struct path: convert selinux · 3d5ff529
      Josef Sipek 提交于
      Signed-off-by: NJosef Sipek <jsipek@fsl.cs.sunysb.edu>
      Signed-off-by: NAndrew Morton <akpm@osdl.org>
      Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
      3d5ff529
    • P
      [PATCH] tty: ->signal->tty locking · 24ec839c
      Peter Zijlstra 提交于
      Fix the locking of signal->tty.
      
      Use ->sighand->siglock to protect ->signal->tty; this lock is already used
      by most other members of ->signal/->sighand.  And unless we are 'current'
      or the tasklist_lock is held we need ->siglock to access ->signal anyway.
      
      (NOTE: sys_unshare() is broken wrt ->sighand locking rules)
      
      Note that tty_mutex is held over tty destruction, so while holding
      tty_mutex any tty pointer remains valid.  Otherwise the lifetime of ttys
      are governed by their open file handles.  This leaves some holes for tty
      access from signal->tty (or any other non file related tty access).
      
      It solves the tty SLAB scribbles we were seeing.
      
      (NOTE: the change from group_send_sig_info to __group_send_sig_info needs to
             be examined by someone familiar with the security framework, I think
             it is safe given the SEND_SIG_PRIV from other __group_send_sig_info
             invocations)
      
      [schwidefsky@de.ibm.com: 3270 fix]
      [akpm@osdl.org: various post-viro fixes]
      Signed-off-by: NPeter Zijlstra <a.p.zijlstra@chello.nl>
      Acked-by: NAlan Cox <alan@redhat.com>
      Cc: Oleg Nesterov <oleg@tv-sign.ru>
      Cc: Prarit Bhargava <prarit@redhat.com>
      Cc: Chris Wright <chrisw@sous-sol.org>
      Cc: Roland McGrath <roland@redhat.com>
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Cc: James Morris <jmorris@namei.org>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: Jeff Dike <jdike@addtoit.com>
      Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
      Cc: Jan Kara <jack@ucw.cz>
      Signed-off-by: NMartin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: NAndrew Morton <akpm@osdl.org>
      Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
      24ec839c
  25. 08 12月, 2006 1 次提交