1. 18 4月, 2008 6 次提交
  2. 10 4月, 2008 1 次提交
  3. 08 4月, 2008 1 次提交
  4. 04 4月, 2008 1 次提交
  5. 02 4月, 2008 1 次提交
  6. 18 3月, 2008 1 次提交
  7. 06 3月, 2008 1 次提交
  8. 15 2月, 2008 2 次提交
  9. 11 2月, 2008 1 次提交
  10. 06 2月, 2008 1 次提交
  11. 30 1月, 2008 10 次提交
  12. 29 1月, 2008 1 次提交
  13. 25 1月, 2008 2 次提交
    • D
      security: add a secctx_to_secid() hook · 63cb3449
      David Howells 提交于
      Add a secctx_to_secid() LSM hook to go along with the existing
      secid_to_secctx() LSM hook.  This patch also includes the SELinux
      implementation for this hook.
      Signed-off-by: NPaul Moore <paul.moore@hp.com>
      Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      63cb3449
    • E
      Security: add get, set, and cloning of superblock security information · c9180a57
      Eric Paris 提交于
      Adds security_get_sb_mnt_opts, security_set_sb_mnt_opts, and
      security_clont_sb_mnt_opts to the LSM and to SELinux.  This will allow
      filesystems to directly own and control all of their mount options if they
      so choose.  This interface deals only with option identifiers and strings so
      it should generic enough for any LSM which may come in the future.
      
      Filesystems which pass text mount data around in the kernel (almost all of
      them) need not currently make use of this interface when dealing with
      SELinux since it will still parse those strings as it always has.  I assume
      future LSM's would do the same.  NFS is the primary FS which does not use
      text mount data and thus must make use of this interface.
      
      An LSM would need to implement these functions only if they had mount time
      options, such as selinux has context= or fscontext=.  If the LSM has no
      mount time options they could simply not implement and let the dummy ops
      take care of things.
      
      An LSM other than SELinux would need to define new option numbers in
      security.h and any FS which decides to own there own security options would
      need to be patched to use this new interface for every possible LSM.  This
      is because it was stated to me very clearly that LSM's should not attempt to
      understand FS mount data and the burdon to understand security should be in
      the FS which owns the options.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Acked-by: NStephen D. Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      c9180a57
  14. 23 10月, 2007 1 次提交
    • E
      SELinux: always check SIGCHLD in selinux_task_wait · 8a535140
      Eric Paris 提交于
      When checking if we can wait on a child we were looking at
      p->exit_signal and trying to make the decision based on if the signal
      would eventually be allowed.  One big flaw is that p->exit_signal is -1
      for NPTL threads and so aignal_to_av was not actually checking SIGCHLD
      which is what would have been sent.  Even is exit_signal was set to
      something strange it wouldn't change the fact that the child was there
      and needed to be waited on.  This patch just assumes wait is based on
      SIGCHLD.  Specific permission checks are made when the child actually
      attempts to send a signal.
      
      This resolves the problem of things like using GDB on confined domains
      such as in RH BZ 232371.  The confined domain did not have permission to
      send a generic signal (exit_signal == -1) back to the unconfined GDB.
      With this patch the GDB wait works and since the actual signal sent is
      allowed everything functions as it should.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      8a535140
  15. 17 10月, 2007 4 次提交
    • A
      security/ cleanups · cbfee345
      Adrian Bunk 提交于
      This patch contains the following cleanups that are now possible:
      - remove the unused security_operations->inode_xattr_getsuffix
      - remove the no longer used security_operations->unregister_security
      - remove some no longer required exit code
      - remove a bunch of no longer used exports
      Signed-off-by: NAdrian Bunk <bunk@kernel.org>
      Acked-by: NJames Morris <jmorris@namei.org>
      Cc: Chris Wright <chrisw@sous-sol.org>
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Cc: Serge Hallyn <serue@us.ibm.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      cbfee345
    • S
      Implement file posix capabilities · b5376771
      Serge E. Hallyn 提交于
      Implement file posix capabilities.  This allows programs to be given a
      subset of root's powers regardless of who runs them, without having to use
      setuid and giving the binary all of root's powers.
      
      This version works with Kaigai Kohei's userspace tools, found at
      http://www.kaigai.gr.jp/index.php.  For more information on how to use this
      patch, Chris Friedhoff has posted a nice page at
      http://www.friedhoff.org/fscaps.html.
      
      Changelog:
      	Nov 27:
      	Incorporate fixes from Andrew Morton
      	(security-introduce-file-caps-tweaks and
      	security-introduce-file-caps-warning-fix)
      	Fix Kconfig dependency.
      	Fix change signaling behavior when file caps are not compiled in.
      
      	Nov 13:
      	Integrate comments from Alexey: Remove CONFIG_ ifdef from
      	capability.h, and use %zd for printing a size_t.
      
      	Nov 13:
      	Fix endianness warnings by sparse as suggested by Alexey
      	Dobriyan.
      
      	Nov 09:
      	Address warnings of unused variables at cap_bprm_set_security
      	when file capabilities are disabled, and simultaneously clean
      	up the code a little, by pulling the new code into a helper
      	function.
      
      	Nov 08:
      	For pointers to required userspace tools and how to use
      	them, see http://www.friedhoff.org/fscaps.html.
      
      	Nov 07:
      	Fix the calculation of the highest bit checked in
      	check_cap_sanity().
      
      	Nov 07:
      	Allow file caps to be enabled without CONFIG_SECURITY, since
      	capabilities are the default.
      	Hook cap_task_setscheduler when !CONFIG_SECURITY.
      	Move capable(TASK_KILL) to end of cap_task_kill to reduce
      	audit messages.
      
      	Nov 05:
      	Add secondary calls in selinux/hooks.c to task_setioprio and
      	task_setscheduler so that selinux and capabilities with file
      	cap support can be stacked.
      
      	Sep 05:
      	As Seth Arnold points out, uid checks are out of place
      	for capability code.
      
      	Sep 01:
      	Define task_setscheduler, task_setioprio, cap_task_kill, and
      	task_setnice to make sure a user cannot affect a process in which
      	they called a program with some fscaps.
      
      	One remaining question is the note under task_setscheduler: are we
      	ok with CAP_SYS_NICE being sufficient to confine a process to a
      	cpuset?
      
      	It is a semantic change, as without fsccaps, attach_task doesn't
      	allow CAP_SYS_NICE to override the uid equivalence check.  But since
      	it uses security_task_setscheduler, which elsewhere is used where
      	CAP_SYS_NICE can be used to override the uid equivalence check,
      	fixing it might be tough.
      
      	     task_setscheduler
      		 note: this also controls cpuset:attach_task.  Are we ok with
      		     CAP_SYS_NICE being used to confine to a cpuset?
      	     task_setioprio
      	     task_setnice
      		 sys_setpriority uses this (through set_one_prio) for another
      		 process.  Need same checks as setrlimit
      
      	Aug 21:
      	Updated secureexec implementation to reflect the fact that
      	euid and uid might be the same and nonzero, but the process
      	might still have elevated caps.
      
      	Aug 15:
      	Handle endianness of xattrs.
      	Enforce capability version match between kernel and disk.
      	Enforce that no bits beyond the known max capability are
      	set, else return -EPERM.
      	With this extra processing, it may be worth reconsidering
      	doing all the work at bprm_set_security rather than
      	d_instantiate.
      
      	Aug 10:
      	Always call getxattr at bprm_set_security, rather than
      	caching it at d_instantiate.
      
      [morgan@kernel.org: file-caps clean up for linux/capability.h]
      [bunk@kernel.org: unexport cap_inode_killpriv]
      Signed-off-by: NSerge E. Hallyn <serue@us.ibm.com>
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Cc: James Morris <jmorris@namei.org>
      Cc: Chris Wright <chrisw@sous-sol.org>
      Cc: Andrew Morgan <morgan@kernel.org>
      Signed-off-by: NAndrew Morgan <morgan@kernel.org>
      Signed-off-by: NAdrian Bunk <bunk@kernel.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      b5376771
    • J
      security: Convert LSM into a static interface · 20510f2f
      James Morris 提交于
      Convert LSM into a static interface, as the ability to unload a security
      module is not required by in-tree users and potentially complicates the
      overall security architecture.
      
      Needlessly exported LSM symbols have been unexported, to help reduce API
      abuse.
      
      Parameters for the capability and root_plug modules are now specified
      at boot.
      
      The SECURITY_FRAMEWORK_VERSION macro has also been removed.
      
      In a nutshell, there is no safe way to unload an LSM.  The modular interface
      is thus unecessary and broken infrastructure.  It is used only by out-of-tree
      modules, which are often binary-only, illegal, abusive of the API and
      dangerous, e.g.  silently re-vectoring SELinux.
      
      [akpm@linux-foundation.org: cleanups]
      [akpm@linux-foundation.org: USB Kconfig fix]
      [randy.dunlap@oracle.com: fix LSM kernel-doc]
      Signed-off-by: NJames Morris <jmorris@namei.org>
      Acked-by: NChris Wright <chrisw@sous-sol.org>
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Cc: "Serge E. Hallyn" <serue@us.ibm.com>
      Acked-by: NArjan van de Ven <arjan@infradead.org>
      Signed-off-by: NRandy Dunlap <randy.dunlap@oracle.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      20510f2f
    • Y
      SELinux: Improve read/write performance · 788e7dd4
      Yuichi Nakamura 提交于
      It reduces the selinux overhead on read/write by only revalidating
      permissions in selinux_file_permission if the task or inode labels have
      changed or the policy has changed since the open-time check.  A new LSM
      hook, security_dentry_open, is added to capture the necessary state at open
      time to allow this optimization.
      
      (see http://marc.info/?l=selinux&m=118972995207740&w=2)
      
      Signed-off-by: Yuichi Nakamura<ynakam@hitachisoft.jp>
      Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      788e7dd4
  16. 16 10月, 2007 1 次提交
  17. 11 10月, 2007 1 次提交
  18. 20 9月, 2007 1 次提交
  19. 31 8月, 2007 1 次提交
  20. 23 8月, 2007 1 次提交
    • A
      fix NULL pointer dereference in __vm_enough_memory() · 34b4e4aa
      Alan Cox 提交于
      The new exec code inserts an accounted vma into an mm struct which is not
      current->mm.  The existing memory check code has a hard coded assumption
      that this does not happen as does the security code.
      
      As the correct mm is known we pass the mm to the security method and the
      helper function.  A new security test is added for the case where we need
      to pass the mm and the existing one is modified to pass current->mm to
      avoid the need to change large amounts of code.
      
      (Thanks to Tobias for fixing rejects and testing)
      Signed-off-by: NAlan Cox <alan@redhat.com>
      Cc: WU Fengguang <wfg@mail.ustc.edu.cn>
      Cc: James Morris <jmorris@redhat.com>
      Cc: Tobias Diedrich <ranma+kernel@tdiedrich.de>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      34b4e4aa
  21. 02 8月, 2007 1 次提交