1. 05 3月, 2009 1 次提交
    • E
      smack: fixes for unlabeled host support · 211a40c0
      etienne 提交于
      The following patch (against 2.6.29rc5) fixes a few issues in the
      smack/netlabel "unlabeled host support" functionnality that was added in
      2.6.29rc.  It should go in before -final.
      
      1) smack_host_label disregard a "0.0.0.0/0 @" rule (or other label),
      preventing 'tagged' tasks to access Internet (many systems drop packets with
      IP options)
      
      2) netmasks were not handled correctly, they were stored in a way _not
      equivalent_ to conversion to be32 (it was equivalent for /0, /8, /16, /24,
      /32 masks but not other masks)
      
      3) smack_netlbladdr prefixes (IP/mask) were not consistent (mask&IP was not
      done), so there could have been different list entries for the same IP
      prefix; if those entries had different labels, well ...
      
      4) they were not sorted
      
      1) 2) 3) are bugs, 4) is a more cosmetic issue.
      The patch :
      
      -creates a new helper smk_netlbladdr_insert to insert a smk_netlbladdr,
      -sorted by netmask length
      
      -use the new sorted nature of  smack_netlbladdrs list to simplify
       smack_host_label : the first match _will_ be the more specific
      
      -corrects endianness issues in smk_write_netlbladdr &  netlbladdr_seq_show
      
      Signed-off-by: <etienne.basset@numericable.fr>
      Acked-by: NCasey Schaufler <casey@schaufler-ca.com>
      Reviewed-by: NPaul Moore <paul.moore@hp.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      211a40c0
  2. 02 3月, 2009 1 次提交
  3. 23 2月, 2009 1 次提交
    • P
      selinux: Fix the NetLabel glue code for setsockopt() · 09c50b4a
      Paul Moore 提交于
      At some point we (okay, I) managed to break the ability for users to use the
      setsockopt() syscall to set IPv4 options when NetLabel was not active on the
      socket in question.  The problem was noticed by someone trying to use the
      "-R" (record route) option of ping:
      
       # ping -R 10.0.0.1
       ping: record route: No message of desired type
      
      The solution is relatively simple, we catch the unlabeled socket case and
      clear the error code, allowing the operation to succeed.  Please note that we
      still deny users the ability to override IPv4 options on socket's which have
      NetLabel labeling active; this is done to ensure the labeling remains intact.
      Signed-off-by: NPaul Moore <paul.moore@hp.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      09c50b4a
  4. 28 1月, 2009 1 次提交
  5. 18 1月, 2009 1 次提交
  6. 14 1月, 2009 2 次提交
  7. 09 1月, 2009 3 次提交
  8. 07 1月, 2009 2 次提交
    • D
      CRED: Fix regression in cap_capable() as shown up by sys_faccessat() [ver #3] · 3699c53c
      David Howells 提交于
      Fix a regression in cap_capable() due to:
      
      	commit 3b11a1de
      	Author: David Howells <dhowells@redhat.com>
      	Date:   Fri Nov 14 10:39:26 2008 +1100
      
      	    CRED: Differentiate objective and effective subjective credentials on a task
      
      The problem is that the above patch allows a process to have two sets of
      credentials, and for the most part uses the subjective credentials when
      accessing current's creds.
      
      There is, however, one exception: cap_capable(), and thus capable(), uses the
      real/objective credentials of the target task, whether or not it is the current
      task.
      
      Ordinarily this doesn't matter, since usually the two cred pointers in current
      point to the same set of creds.  However, sys_faccessat() makes use of this
      facility to override the credentials of the calling process to make its test,
      without affecting the creds as seen from other processes.
      
      One of the things sys_faccessat() does is to make an adjustment to the
      effective capabilities mask, which cap_capable(), as it stands, then ignores.
      
      The affected capability check is in generic_permission():
      
      	if (!(mask & MAY_EXEC) || execute_ok(inode))
      		if (capable(CAP_DAC_OVERRIDE))
      			return 0;
      
      This change passes the set of credentials to be tested down into the commoncap
      and SELinux code.  The security functions called by capable() and
      has_capability() select the appropriate set of credentials from the process
      being checked.
      
      This can be tested by compiling the following program from the XFS testsuite:
      
      /*
       *  t_access_root.c - trivial test program to show permission bug.
       *
       *  Written by Michael Kerrisk - copyright ownership not pursued.
       *  Sourced from: http://linux.derkeiler.com/Mailing-Lists/Kernel/2003-10/6030.html
       */
      #include <limits.h>
      #include <unistd.h>
      #include <stdio.h>
      #include <stdlib.h>
      #include <fcntl.h>
      #include <sys/stat.h>
      
      #define UID 500
      #define GID 100
      #define PERM 0
      #define TESTPATH "/tmp/t_access"
      
      static void
      errExit(char *msg)
      {
          perror(msg);
          exit(EXIT_FAILURE);
      } /* errExit */
      
      static void
      accessTest(char *file, int mask, char *mstr)
      {
          printf("access(%s, %s) returns %d\n", file, mstr, access(file, mask));
      } /* accessTest */
      
      int
      main(int argc, char *argv[])
      {
          int fd, perm, uid, gid;
          char *testpath;
          char cmd[PATH_MAX + 20];
      
          testpath = (argc > 1) ? argv[1] : TESTPATH;
          perm = (argc > 2) ? strtoul(argv[2], NULL, 8) : PERM;
          uid = (argc > 3) ? atoi(argv[3]) : UID;
          gid = (argc > 4) ? atoi(argv[4]) : GID;
      
          unlink(testpath);
      
          fd = open(testpath, O_RDWR | O_CREAT, 0);
          if (fd == -1) errExit("open");
      
          if (fchown(fd, uid, gid) == -1) errExit("fchown");
          if (fchmod(fd, perm) == -1) errExit("fchmod");
          close(fd);
      
          snprintf(cmd, sizeof(cmd), "ls -l %s", testpath);
          system(cmd);
      
          if (seteuid(uid) == -1) errExit("seteuid");
      
          accessTest(testpath, 0, "0");
          accessTest(testpath, R_OK, "R_OK");
          accessTest(testpath, W_OK, "W_OK");
          accessTest(testpath, X_OK, "X_OK");
          accessTest(testpath, R_OK | W_OK, "R_OK | W_OK");
          accessTest(testpath, R_OK | X_OK, "R_OK | X_OK");
          accessTest(testpath, W_OK | X_OK, "W_OK | X_OK");
          accessTest(testpath, R_OK | W_OK | X_OK, "R_OK | W_OK | X_OK");
      
          exit(EXIT_SUCCESS);
      } /* main */
      
      This can be run against an Ext3 filesystem as well as against an XFS
      filesystem.  If successful, it will show:
      
      	[root@andromeda src]# ./t_access_root /tmp/xxx 0 4043 4043
      	---------- 1 dhowells dhowells 0 2008-12-31 03:00 /tmp/xxx
      	access(/tmp/xxx, 0) returns 0
      	access(/tmp/xxx, R_OK) returns 0
      	access(/tmp/xxx, W_OK) returns 0
      	access(/tmp/xxx, X_OK) returns -1
      	access(/tmp/xxx, R_OK | W_OK) returns 0
      	access(/tmp/xxx, R_OK | X_OK) returns -1
      	access(/tmp/xxx, W_OK | X_OK) returns -1
      	access(/tmp/xxx, R_OK | W_OK | X_OK) returns -1
      
      If unsuccessful, it will show:
      
      	[root@andromeda src]# ./t_access_root /tmp/xxx 0 4043 4043
      	---------- 1 dhowells dhowells 0 2008-12-31 02:56 /tmp/xxx
      	access(/tmp/xxx, 0) returns 0
      	access(/tmp/xxx, R_OK) returns -1
      	access(/tmp/xxx, W_OK) returns -1
      	access(/tmp/xxx, X_OK) returns -1
      	access(/tmp/xxx, R_OK | W_OK) returns -1
      	access(/tmp/xxx, R_OK | X_OK) returns -1
      	access(/tmp/xxx, W_OK | X_OK) returns -1
      	access(/tmp/xxx, R_OK | W_OK | X_OK) returns -1
      
      I've also tested the fix with the SELinux and syscalls LTP testsuites.
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Tested-by: NJ. Bruce Fields <bfields@citi.umich.edu>
      Acked-by: NSerge Hallyn <serue@us.ibm.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      3699c53c
    • J
      Revert "CRED: Fix regression in cap_capable() as shown up by sys_faccessat() [ver #2]" · 29881c45
      James Morris 提交于
      This reverts commit 14eaddc9.
      
      David has a better version to come.
      29881c45
  9. 06 1月, 2009 2 次提交
    • A
      zero i_uid/i_gid on inode allocation · 56ff5efa
      Al Viro 提交于
      ... and don't bother in callers.  Don't bother with zeroing i_blocks,
      while we are at it - it's already been zeroed.
      
      i_mode is not worth the effort; it has no common default value.
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      56ff5efa
    • A
      inode->i_op is never NULL · acfa4380
      Al Viro 提交于
      We used to have rather schizophrenic set of checks for NULL ->i_op even
      though it had been eliminated years ago.  You'd need to go out of your
      way to set it to NULL explicitly _and_ a bunch of code would die on
      such inodes anyway.  After killing two remaining places that still
      did that bogosity, all that crap can go away.
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      acfa4380
  10. 05 1月, 2009 3 次提交
    • E
      SELinux: shrink sizeof av_inhert selinux_class_perm and context · 76f7ba35
      Eric Paris 提交于
      I started playing with pahole today and decided to put it against the
      selinux structures.  Found we could save a little bit of space on x86_64
      (and no harm on i686) just reorganizing some structs.
      
      Object size changes:
      av_inherit: 24 -> 16
      selinux_class_perm: 48 -> 40
      context: 80 -> 72
      
      Admittedly there aren't many of av_inherit or selinux_class_perm's in
      the kernel (33 and 1 respectively) But the change to the size of struct
      context reverberate out a bit.  I can get some hard number if they are
      needed, but I don't see why they would be.  We do change which cacheline
      context->len and context->str would be on, but I don't see that as a
      problem since we are clearly going to have to load both if the context
      is to be of any value.  I've run with the patch and don't seem to be
      having any problems.
      
      An example of what's going on using struct av_inherit would be:
      
      form: to:
      struct av_inherit {			struct av_inherit {
      	u16 tclass;				const char **common_pts;
      	const char **common_pts;		u32 common_base;
      	u32 common_base;			u16 tclass;
      };
      
      (notice all I did was move u16 tclass to the end of the struct instead
      of the beginning)
      
      Memory layout before the change:
      struct av_inherit {
      	u16 tclass; /* 2 */
      	/* 6 bytes hole */
      	const char** common_pts; /* 8 */
      	u32 common_base; /* 4 */
      	/* 4 byes padding */
      
      	/* size: 24, cachelines: 1 */
      	/* sum members: 14, holes: 1, sum holes: 6 */
      	/* padding: 4 */
      };
      
      Memory layout after the change:
      struct av_inherit {
      	const char ** common_pts; /* 8 */
      	u32 common_base; /* 4 */
      	u16 tclass; /* 2 */
      	/* 2 bytes padding */
      
      	/* size: 16, cachelines: 1 */
      	/* sum members: 14, holes: 0, sum holes: 0 */
      	/* padding: 2 */
      };
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      76f7ba35
    • D
      CRED: Fix regression in cap_capable() as shown up by sys_faccessat() [ver #2] · 14eaddc9
      David Howells 提交于
      Fix a regression in cap_capable() due to:
      
      	commit 5ff7711e635b32f0a1e558227d030c7e45b4a465
      	Author: David Howells <dhowells@redhat.com>
      	Date:   Wed Dec 31 02:52:28 2008 +0000
      
      	    CRED: Differentiate objective and effective subjective credentials on a task
      
      The problem is that the above patch allows a process to have two sets of
      credentials, and for the most part uses the subjective credentials when
      accessing current's creds.
      
      There is, however, one exception: cap_capable(), and thus capable(), uses the
      real/objective credentials of the target task, whether or not it is the current
      task.
      
      Ordinarily this doesn't matter, since usually the two cred pointers in current
      point to the same set of creds.  However, sys_faccessat() makes use of this
      facility to override the credentials of the calling process to make its test,
      without affecting the creds as seen from other processes.
      
      One of the things sys_faccessat() does is to make an adjustment to the
      effective capabilities mask, which cap_capable(), as it stands, then ignores.
      
      The affected capability check is in generic_permission():
      
      	if (!(mask & MAY_EXEC) || execute_ok(inode))
      		if (capable(CAP_DAC_OVERRIDE))
      			return 0;
      
      This change splits capable() from has_capability() down into the commoncap and
      SELinux code.  The capable() security op now only deals with the current
      process, and uses the current process's subjective creds.  A new security op -
      task_capable() - is introduced that can check any task's objective creds.
      
      strictly the capable() security op is superfluous with the presence of the
      task_capable() op, however it should be faster to call the capable() op since
      two fewer arguments need be passed down through the various layers.
      
      This can be tested by compiling the following program from the XFS testsuite:
      
      /*
       *  t_access_root.c - trivial test program to show permission bug.
       *
       *  Written by Michael Kerrisk - copyright ownership not pursued.
       *  Sourced from: http://linux.derkeiler.com/Mailing-Lists/Kernel/2003-10/6030.html
       */
      #include <limits.h>
      #include <unistd.h>
      #include <stdio.h>
      #include <stdlib.h>
      #include <fcntl.h>
      #include <sys/stat.h>
      
      #define UID 500
      #define GID 100
      #define PERM 0
      #define TESTPATH "/tmp/t_access"
      
      static void
      errExit(char *msg)
      {
          perror(msg);
          exit(EXIT_FAILURE);
      } /* errExit */
      
      static void
      accessTest(char *file, int mask, char *mstr)
      {
          printf("access(%s, %s) returns %d\n", file, mstr, access(file, mask));
      } /* accessTest */
      
      int
      main(int argc, char *argv[])
      {
          int fd, perm, uid, gid;
          char *testpath;
          char cmd[PATH_MAX + 20];
      
          testpath = (argc > 1) ? argv[1] : TESTPATH;
          perm = (argc > 2) ? strtoul(argv[2], NULL, 8) : PERM;
          uid = (argc > 3) ? atoi(argv[3]) : UID;
          gid = (argc > 4) ? atoi(argv[4]) : GID;
      
          unlink(testpath);
      
          fd = open(testpath, O_RDWR | O_CREAT, 0);
          if (fd == -1) errExit("open");
      
          if (fchown(fd, uid, gid) == -1) errExit("fchown");
          if (fchmod(fd, perm) == -1) errExit("fchmod");
          close(fd);
      
          snprintf(cmd, sizeof(cmd), "ls -l %s", testpath);
          system(cmd);
      
          if (seteuid(uid) == -1) errExit("seteuid");
      
          accessTest(testpath, 0, "0");
          accessTest(testpath, R_OK, "R_OK");
          accessTest(testpath, W_OK, "W_OK");
          accessTest(testpath, X_OK, "X_OK");
          accessTest(testpath, R_OK | W_OK, "R_OK | W_OK");
          accessTest(testpath, R_OK | X_OK, "R_OK | X_OK");
          accessTest(testpath, W_OK | X_OK, "W_OK | X_OK");
          accessTest(testpath, R_OK | W_OK | X_OK, "R_OK | W_OK | X_OK");
      
          exit(EXIT_SUCCESS);
      } /* main */
      
      This can be run against an Ext3 filesystem as well as against an XFS
      filesystem.  If successful, it will show:
      
      	[root@andromeda src]# ./t_access_root /tmp/xxx 0 4043 4043
      	---------- 1 dhowells dhowells 0 2008-12-31 03:00 /tmp/xxx
      	access(/tmp/xxx, 0) returns 0
      	access(/tmp/xxx, R_OK) returns 0
      	access(/tmp/xxx, W_OK) returns 0
      	access(/tmp/xxx, X_OK) returns -1
      	access(/tmp/xxx, R_OK | W_OK) returns 0
      	access(/tmp/xxx, R_OK | X_OK) returns -1
      	access(/tmp/xxx, W_OK | X_OK) returns -1
      	access(/tmp/xxx, R_OK | W_OK | X_OK) returns -1
      
      If unsuccessful, it will show:
      
      	[root@andromeda src]# ./t_access_root /tmp/xxx 0 4043 4043
      	---------- 1 dhowells dhowells 0 2008-12-31 02:56 /tmp/xxx
      	access(/tmp/xxx, 0) returns 0
      	access(/tmp/xxx, R_OK) returns -1
      	access(/tmp/xxx, W_OK) returns -1
      	access(/tmp/xxx, X_OK) returns -1
      	access(/tmp/xxx, R_OK | W_OK) returns -1
      	access(/tmp/xxx, R_OK | X_OK) returns -1
      	access(/tmp/xxx, W_OK | X_OK) returns -1
      	access(/tmp/xxx, R_OK | W_OK | X_OK) returns -1
      
      I've also tested the fix with the SELinux and syscalls LTP testsuites.
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      14eaddc9
    • A
      audit: validate comparison operations, store them in sane form · 5af75d8d
      Al Viro 提交于
      Don't store the field->op in the messy (and very inconvenient for e.g.
      audit_comparator()) form; translate to dense set of values and do full
      validation of userland-submitted value while we are at it.
      
      ->audit_init_rule() and ->audit_match_rule() get new values now; in-tree
      instances updated.
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      5af75d8d
  11. 01 1月, 2009 6 次提交
    • R
      cpumask: prepare for iterators to only go to nr_cpu_ids/nr_cpumask_bits.: core · 4f4b6c1a
      Rusty Russell 提交于
      Impact: cleanup
      
      In future, all cpumask ops will only be valid (in general) for bit
      numbers < nr_cpu_ids.  So use that instead of NR_CPUS in iterators
      and other comparisons.
      
      This is always safe: no cpu number can be >= nr_cpu_ids, and
      nr_cpu_ids is initialized to NR_CPUS at boot.
      Signed-off-by: NRusty Russell <rusty@rustcorp.com.au>
      Signed-off-by: NMike Travis <travis@sgi.com>
      Acked-by: NIngo Molnar <mingo@elte.hu>
      Acked-by: NJames Morris <jmorris@namei.org>
      Cc: Eric Biederman <ebiederm@xmission.com>
      4f4b6c1a
    • J
      keys: fix sparse warning by adding __user annotation to cast · 90bd49ab
      James Morris 提交于
      Fix the following sparse warning:
      
            CC      security/keys/key.o
          security/keys/keyctl.c:1297:10: warning: incorrect type in argument 2 (different address spaces)
          security/keys/keyctl.c:1297:10:    expected char [noderef] <asn:1>*buffer
          security/keys/keyctl.c:1297:10:    got char *<noident>
      
      which appears to be caused by lack of __user annotation to the cast of
      a syscall argument.
      Signed-off-by: NJames Morris <jmorris@namei.org>
      Acked-by: NDavid Howells <dhowells@redhat.com>
      90bd49ab
    • K
      introduce new LSM hooks where vfsmount is available. · be6d3e56
      Kentaro Takeda 提交于
      Add new LSM hooks for path-based checks.  Call them on directory-modifying
      operations at the points where we still know the vfsmount involved.
      Signed-off-by: NKentaro Takeda <takedakn@nttdata.co.jp>
      Signed-off-by: NTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Signed-off-by: NToshiharu Harada <haradats@nttdata.co.jp>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      be6d3e56
    • C
      smack: Add support for unlabeled network hosts and networks · 6d3dc07c
      Casey Schaufler 提交于
      Add support for unlabeled network hosts and networks.
      Relies heavily on Paul Moore's netlabel support.
      
      Creates a new entry in /smack called netlabel. Writes to /smack/netlabel
      take the form:
      
          A.B.C.D LABEL
      or
          A.B.C.D/N LABEL
      
      where A.B.C.D is a network address, N is an integer between 0-32,
      and LABEL is the Smack label to be used. If /N is omitted /32 is
      assumed. N designates the netmask for the address. Entries are
      matched by the most specific address/mask pair. 0.0.0.0/0 will
      match everything, while 192.168.1.117/32 will match exactly one
      host.
      
      A new system label "@", pronounced "web", is defined. Processes
      can not be assigned the web label. An address assigned the web
      label can be written to by any process, and packets coming from
      a web address can be written to any socket. Use of the web label
      is a violation of any strict MAC policy, but the web label has
      been requested many times.
      
      The nltype entry has been removed from /smack. It did not work right
      and the netlabel interface can be used to specify that all hosts
      be treated as unlabeled.
      
      CIPSO labels on incoming packets will be honored, even from designated
      single label hosts. Single label hosts can only be written to by
      processes with labels that can write to the label of the host.
      Packets sent to single label hosts will always be unlabeled.
      
      Once added a single label designation cannot be removed, however
      the label may be changed.
      
      The behavior of the ambient label remains unchanged.
      Signed-off-by: NCasey Schaufler <casey@schaufler-ca.com>
      Signed-off-by: NPaul Moore <paul.moore@hp.com>
      6d3dc07c
    • P
      selinux: Deprecate and schedule the removal of the the compat_net functionality · 277d342f
      Paul Moore 提交于
      This patch is the first step towards removing the old "compat_net" code from
      the kernel.  Secmark, the "compat_net" replacement was first introduced in
      2.6.18 (September 2006) and the major Linux distributions with SELinux support
      have transitioned to Secmark so it is time to start deprecating the "compat_net"
      mechanism.  Testing a patched version of 2.6.28-rc6 with the initial release of
      Fedora Core 5 did not show any problems when running in enforcing mode.
      
      This patch adds an entry to the feature-removal-schedule.txt file and removes
      the SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT configuration option, forcing
      Secmark on by default although it can still be disabled at runtime.  The patch
      also makes the Secmark permission checks "dynamic" in the sense that they are
      only executed when Secmark is configured; this should help prevent problems
      with older distributions that have not yet migrated to Secmark.
      Signed-off-by: NPaul Moore <paul.moore@hp.com>
      Acked-by: NJames Morris <jmorris@namei.org>
      277d342f
    • P
      netlabel: Update kernel configuration API · 6c2e8ac0
      Paul Moore 提交于
      Update the NetLabel kernel API to expose the new features added in kernel
      releases 2.6.25 and 2.6.28: the static/fallback label functionality and network
      address based selectors.
      Signed-off-by: NPaul Moore <paul.moore@hp.com>
      6c2e8ac0
  12. 29 12月, 2008 1 次提交
    • D
      KEYS: Fix variable uninitialisation warnings · eca1bf5b
      David Howells 提交于
      Fix variable uninitialisation warnings introduced in:
      
      	commit 8bbf4976
      	Author: David Howells <dhowells@redhat.com>
      	Date:   Fri Nov 14 10:39:14 2008 +1100
      
      	KEYS: Alter use of key instantiation link-to-keyring argument
      
      As:
      
        security/keys/keyctl.c: In function 'keyctl_negate_key':
        security/keys/keyctl.c:976: warning: 'dest_keyring' may be used uninitialized in this function
        security/keys/keyctl.c: In function 'keyctl_instantiate_key':
        security/keys/keyctl.c:898: warning: 'dest_keyring' may be used uninitialized in this function
      
      Some versions of gcc notice that get_instantiation_key() doesn't always set
      *_dest_keyring, but fail to observe that if this happens then *_dest_keyring
      will not be read by the caller.
      Reported-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      eca1bf5b
  13. 25 12月, 2008 1 次提交
    • S
      smackfs: check for allocation failures in smk_set_access() · 81ea714b
      Sergio Luis 提交于
      smackfs: check for allocation failures in smk_set_access()
      
       While adding a new subject/object pair to smack_list, smk_set_access()
       didn't check the return of kzalloc().
      
       This patch changes smk_set_access() to return 0 or -ENOMEM, based on
       kzalloc()'s return. It also updates its caller, smk_write_load(), to
       check for smk_set_access()'s return, given it is no longer a void
       return function.
      Signed-off-by: NSergio Luis <sergio@larces.uece.br>
       To: Casey Schaufler <casey@schaufler-ca.com>
       Cc: Ahmed S. Darwish <darwish.07@gmail.com>
       Cc: LSM <linux-security-module@vger.kernel.org>
       Cc: LKLM <linux-kernel@vger.kernel.org>
      Acked-by: NCasey Schaufler <casey@schaufler-ca.com>
      81ea714b
  14. 20 12月, 2008 3 次提交
  15. 25 11月, 2008 1 次提交
  16. 15 11月, 2008 1 次提交
  17. 14 11月, 2008 10 次提交
    • D
      CRED: Allow kernel services to override LSM settings for task actions · 3a3b7ce9
      David Howells 提交于
      Allow kernel services to override LSM settings appropriate to the actions
      performed by a task by duplicating a set of credentials, modifying it and then
      using task_struct::cred to point to it when performing operations on behalf of
      a task.
      
      This is used, for example, by CacheFiles which has to transparently access the
      cache on behalf of a process that thinks it is doing, say, NFS accesses with a
      potentially inappropriate (with respect to accessing the cache) set of
      credentials.
      
      This patch provides two LSM hooks for modifying a task security record:
      
       (*) security_kernel_act_as() which allows modification of the security datum
           with which a task acts on other objects (most notably files).
      
       (*) security_kernel_create_files_as() which allows modification of the
           security datum that is used to initialise the security data on a file that
           a task creates.
      
      The patch also provides four new credentials handling functions, which wrap the
      LSM functions:
      
       (1) prepare_kernel_cred()
      
           Prepare a set of credentials for a kernel service to use, based either on
           a daemon's credentials or on init_cred.  All the keyrings are cleared.
      
       (2) set_security_override()
      
           Set the LSM security ID in a set of credentials to a specific security
           context, assuming permission from the LSM policy.
      
       (3) set_security_override_from_ctx()
      
           As (2), but takes the security context as a string.
      
       (4) set_create_files_as()
      
           Set the file creation LSM security ID in a set of credentials to be the
           same as that on a particular inode.
      
      Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> [Smack changes]
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      3a3b7ce9
    • D
      CRED: Add a kernel_service object class to SELinux · 1bfdc75a
      David Howells 提交于
      Add a 'kernel_service' object class to SELinux and give this object class two
      access vectors: 'use_as_override' and 'create_files_as'.
      
      The first vector is used to grant a process the right to nominate an alternate
      process security ID for the kernel to use as an override for the SELinux
      subjective security when accessing stuff on behalf of another process.
      
      For example, CacheFiles when accessing the cache on behalf on a process
      accessing an NFS file needs to use a subjective security ID appropriate to the
      cache rather then the one the calling process is using.  The cachefilesd
      daemon will nominate the security ID to be used.
      
      The second vector is used to grant a process the right to nominate a file
      creation label for a kernel service to use.
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      1bfdc75a
    • D
      CRED: Differentiate objective and effective subjective credentials on a task · 3b11a1de
      David Howells 提交于
      Differentiate the objective and real subjective credentials from the effective
      subjective credentials on a task by introducing a second credentials pointer
      into the task_struct.
      
      task_struct::real_cred then refers to the objective and apparent real
      subjective credentials of a task, as perceived by the other tasks in the
      system.
      
      task_struct::cred then refers to the effective subjective credentials of a
      task, as used by that task when it's actually running.  These are not visible
      to the other tasks in the system.
      
      __task_cred(task) then refers to the objective/real credentials of the task in
      question.
      
      current_cred() refers to the effective subjective credentials of the current
      task.
      
      prepare_creds() uses the objective creds as a base and commit_creds() changes
      both pointers in the task_struct (indeed commit_creds() requires them to be the
      same).
      
      override_creds() and revert_creds() change the subjective creds pointer only,
      and the former returns the old subjective creds.  These are used by NFSD,
      faccessat() and do_coredump(), and will by used by CacheFiles.
      
      In SELinux, current_has_perm() is provided as an alternative to
      task_has_perm().  This uses the effective subjective context of current,
      whereas task_has_perm() uses the objective/real context of the subject.
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      3b11a1de
    • D
      CRED: Prettify commoncap.c · 1d045980
      David Howells 提交于
      Prettify commoncap.c.
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Acked-by: NSerge Hallyn <serue@us.ibm.com>
      Reviewed-by: NJames Morris <jmorris@namei.org>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      1d045980
    • D
      CRED: Make execve() take advantage of copy-on-write credentials · a6f76f23
      David Howells 提交于
      Make execve() take advantage of copy-on-write credentials, allowing it to set
      up the credentials in advance, and then commit the whole lot after the point
      of no return.
      
      This patch and the preceding patches have been tested with the LTP SELinux
      testsuite.
      
      This patch makes several logical sets of alteration:
      
       (1) execve().
      
           The credential bits from struct linux_binprm are, for the most part,
           replaced with a single credentials pointer (bprm->cred).  This means that
           all the creds can be calculated in advance and then applied at the point
           of no return with no possibility of failure.
      
           I would like to replace bprm->cap_effective with:
      
      	cap_isclear(bprm->cap_effective)
      
           but this seems impossible due to special behaviour for processes of pid 1
           (they always retain their parent's capability masks where normally they'd
           be changed - see cap_bprm_set_creds()).
      
           The following sequence of events now happens:
      
           (a) At the start of do_execve, the current task's cred_exec_mutex is
           	 locked to prevent PTRACE_ATTACH from obsoleting the calculation of
           	 creds that we make.
      
           (a) prepare_exec_creds() is then called to make a copy of the current
           	 task's credentials and prepare it.  This copy is then assigned to
           	 bprm->cred.
      
        	 This renders security_bprm_alloc() and security_bprm_free()
           	 unnecessary, and so they've been removed.
      
           (b) The determination of unsafe execution is now performed immediately
           	 after (a) rather than later on in the code.  The result is stored in
           	 bprm->unsafe for future reference.
      
           (c) prepare_binprm() is called, possibly multiple times.
      
           	 (i) This applies the result of set[ug]id binaries to the new creds
           	     attached to bprm->cred.  Personality bit clearance is recorded,
           	     but now deferred on the basis that the exec procedure may yet
           	     fail.
      
               (ii) This then calls the new security_bprm_set_creds().  This should
      	     calculate the new LSM and capability credentials into *bprm->cred.
      
      	     This folds together security_bprm_set() and parts of
      	     security_bprm_apply_creds() (these two have been removed).
      	     Anything that might fail must be done at this point.
      
               (iii) bprm->cred_prepared is set to 1.
      
      	     bprm->cred_prepared is 0 on the first pass of the security
      	     calculations, and 1 on all subsequent passes.  This allows SELinux
      	     in (ii) to base its calculations only on the initial script and
      	     not on the interpreter.
      
           (d) flush_old_exec() is called to commit the task to execution.  This
           	 performs the following steps with regard to credentials:
      
      	 (i) Clear pdeath_signal and set dumpable on certain circumstances that
      	     may not be covered by commit_creds().
      
               (ii) Clear any bits in current->personality that were deferred from
                   (c.i).
      
           (e) install_exec_creds() [compute_creds() as was] is called to install the
           	 new credentials.  This performs the following steps with regard to
           	 credentials:
      
               (i) Calls security_bprm_committing_creds() to apply any security
                   requirements, such as flushing unauthorised files in SELinux, that
                   must be done before the credentials are changed.
      
      	     This is made up of bits of security_bprm_apply_creds() and
      	     security_bprm_post_apply_creds(), both of which have been removed.
      	     This function is not allowed to fail; anything that might fail
      	     must have been done in (c.ii).
      
               (ii) Calls commit_creds() to apply the new credentials in a single
                   assignment (more or less).  Possibly pdeath_signal and dumpable
                   should be part of struct creds.
      
      	 (iii) Unlocks the task's cred_replace_mutex, thus allowing
      	     PTRACE_ATTACH to take place.
      
               (iv) Clears The bprm->cred pointer as the credentials it was holding
                   are now immutable.
      
               (v) Calls security_bprm_committed_creds() to apply any security
                   alterations that must be done after the creds have been changed.
                   SELinux uses this to flush signals and signal handlers.
      
           (f) If an error occurs before (d.i), bprm_free() will call abort_creds()
           	 to destroy the proposed new credentials and will then unlock
           	 cred_replace_mutex.  No changes to the credentials will have been
           	 made.
      
       (2) LSM interface.
      
           A number of functions have been changed, added or removed:
      
           (*) security_bprm_alloc(), ->bprm_alloc_security()
           (*) security_bprm_free(), ->bprm_free_security()
      
           	 Removed in favour of preparing new credentials and modifying those.
      
           (*) security_bprm_apply_creds(), ->bprm_apply_creds()
           (*) security_bprm_post_apply_creds(), ->bprm_post_apply_creds()
      
           	 Removed; split between security_bprm_set_creds(),
           	 security_bprm_committing_creds() and security_bprm_committed_creds().
      
           (*) security_bprm_set(), ->bprm_set_security()
      
           	 Removed; folded into security_bprm_set_creds().
      
           (*) security_bprm_set_creds(), ->bprm_set_creds()
      
           	 New.  The new credentials in bprm->creds should be checked and set up
           	 as appropriate.  bprm->cred_prepared is 0 on the first call, 1 on the
           	 second and subsequent calls.
      
           (*) security_bprm_committing_creds(), ->bprm_committing_creds()
           (*) security_bprm_committed_creds(), ->bprm_committed_creds()
      
           	 New.  Apply the security effects of the new credentials.  This
           	 includes closing unauthorised files in SELinux.  This function may not
           	 fail.  When the former is called, the creds haven't yet been applied
           	 to the process; when the latter is called, they have.
      
       	 The former may access bprm->cred, the latter may not.
      
       (3) SELinux.
      
           SELinux has a number of changes, in addition to those to support the LSM
           interface changes mentioned above:
      
           (a) The bprm_security_struct struct has been removed in favour of using
           	 the credentials-under-construction approach.
      
           (c) flush_unauthorized_files() now takes a cred pointer and passes it on
           	 to inode_has_perm(), file_has_perm() and dentry_open().
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Acked-by: NJames Morris <jmorris@namei.org>
      Acked-by: NSerge Hallyn <serue@us.ibm.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      a6f76f23
    • D
      CRED: Inaugurate COW credentials · d84f4f99
      David Howells 提交于
      Inaugurate copy-on-write credentials management.  This uses RCU to manage the
      credentials pointer in the task_struct with respect to accesses by other tasks.
      A process may only modify its own credentials, and so does not need locking to
      access or modify its own credentials.
      
      A mutex (cred_replace_mutex) is added to the task_struct to control the effect
      of PTRACE_ATTACHED on credential calculations, particularly with respect to
      execve().
      
      With this patch, the contents of an active credentials struct may not be
      changed directly; rather a new set of credentials must be prepared, modified
      and committed using something like the following sequence of events:
      
      	struct cred *new = prepare_creds();
      	int ret = blah(new);
      	if (ret < 0) {
      		abort_creds(new);
      		return ret;
      	}
      	return commit_creds(new);
      
      There are some exceptions to this rule: the keyrings pointed to by the active
      credentials may be instantiated - keyrings violate the COW rule as managing
      COW keyrings is tricky, given that it is possible for a task to directly alter
      the keys in a keyring in use by another task.
      
      To help enforce this, various pointers to sets of credentials, such as those in
      the task_struct, are declared const.  The purpose of this is compile-time
      discouragement of altering credentials through those pointers.  Once a set of
      credentials has been made public through one of these pointers, it may not be
      modified, except under special circumstances:
      
        (1) Its reference count may incremented and decremented.
      
        (2) The keyrings to which it points may be modified, but not replaced.
      
      The only safe way to modify anything else is to create a replacement and commit
      using the functions described in Documentation/credentials.txt (which will be
      added by a later patch).
      
      This patch and the preceding patches have been tested with the LTP SELinux
      testsuite.
      
      This patch makes several logical sets of alteration:
      
       (1) execve().
      
           This now prepares and commits credentials in various places in the
           security code rather than altering the current creds directly.
      
       (2) Temporary credential overrides.
      
           do_coredump() and sys_faccessat() now prepare their own credentials and
           temporarily override the ones currently on the acting thread, whilst
           preventing interference from other threads by holding cred_replace_mutex
           on the thread being dumped.
      
           This will be replaced in a future patch by something that hands down the
           credentials directly to the functions being called, rather than altering
           the task's objective credentials.
      
       (3) LSM interface.
      
           A number of functions have been changed, added or removed:
      
           (*) security_capset_check(), ->capset_check()
           (*) security_capset_set(), ->capset_set()
      
           	 Removed in favour of security_capset().
      
           (*) security_capset(), ->capset()
      
           	 New.  This is passed a pointer to the new creds, a pointer to the old
           	 creds and the proposed capability sets.  It should fill in the new
           	 creds or return an error.  All pointers, barring the pointer to the
           	 new creds, are now const.
      
           (*) security_bprm_apply_creds(), ->bprm_apply_creds()
      
           	 Changed; now returns a value, which will cause the process to be
           	 killed if it's an error.
      
           (*) security_task_alloc(), ->task_alloc_security()
      
           	 Removed in favour of security_prepare_creds().
      
           (*) security_cred_free(), ->cred_free()
      
           	 New.  Free security data attached to cred->security.
      
           (*) security_prepare_creds(), ->cred_prepare()
      
           	 New. Duplicate any security data attached to cred->security.
      
           (*) security_commit_creds(), ->cred_commit()
      
           	 New. Apply any security effects for the upcoming installation of new
           	 security by commit_creds().
      
           (*) security_task_post_setuid(), ->task_post_setuid()
      
           	 Removed in favour of security_task_fix_setuid().
      
           (*) security_task_fix_setuid(), ->task_fix_setuid()
      
           	 Fix up the proposed new credentials for setuid().  This is used by
           	 cap_set_fix_setuid() to implicitly adjust capabilities in line with
           	 setuid() changes.  Changes are made to the new credentials, rather
           	 than the task itself as in security_task_post_setuid().
      
           (*) security_task_reparent_to_init(), ->task_reparent_to_init()
      
           	 Removed.  Instead the task being reparented to init is referred
           	 directly to init's credentials.
      
      	 NOTE!  This results in the loss of some state: SELinux's osid no
      	 longer records the sid of the thread that forked it.
      
           (*) security_key_alloc(), ->key_alloc()
           (*) security_key_permission(), ->key_permission()
      
           	 Changed.  These now take cred pointers rather than task pointers to
           	 refer to the security context.
      
       (4) sys_capset().
      
           This has been simplified and uses less locking.  The LSM functions it
           calls have been merged.
      
       (5) reparent_to_kthreadd().
      
           This gives the current thread the same credentials as init by simply using
           commit_thread() to point that way.
      
       (6) __sigqueue_alloc() and switch_uid()
      
           __sigqueue_alloc() can't stop the target task from changing its creds
           beneath it, so this function gets a reference to the currently applicable
           user_struct which it then passes into the sigqueue struct it returns if
           successful.
      
           switch_uid() is now called from commit_creds(), and possibly should be
           folded into that.  commit_creds() should take care of protecting
           __sigqueue_alloc().
      
       (7) [sg]et[ug]id() and co and [sg]et_current_groups.
      
           The set functions now all use prepare_creds(), commit_creds() and
           abort_creds() to build and check a new set of credentials before applying
           it.
      
           security_task_set[ug]id() is called inside the prepared section.  This
           guarantees that nothing else will affect the creds until we've finished.
      
           The calling of set_dumpable() has been moved into commit_creds().
      
           Much of the functionality of set_user() has been moved into
           commit_creds().
      
           The get functions all simply access the data directly.
      
       (8) security_task_prctl() and cap_task_prctl().
      
           security_task_prctl() has been modified to return -ENOSYS if it doesn't
           want to handle a function, or otherwise return the return value directly
           rather than through an argument.
      
           Additionally, cap_task_prctl() now prepares a new set of credentials, even
           if it doesn't end up using it.
      
       (9) Keyrings.
      
           A number of changes have been made to the keyrings code:
      
           (a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
           	 all been dropped and built in to the credentials functions directly.
           	 They may want separating out again later.
      
           (b) key_alloc() and search_process_keyrings() now take a cred pointer
           	 rather than a task pointer to specify the security context.
      
           (c) copy_creds() gives a new thread within the same thread group a new
           	 thread keyring if its parent had one, otherwise it discards the thread
           	 keyring.
      
           (d) The authorisation key now points directly to the credentials to extend
           	 the search into rather pointing to the task that carries them.
      
           (e) Installing thread, process or session keyrings causes a new set of
           	 credentials to be created, even though it's not strictly necessary for
           	 process or session keyrings (they're shared).
      
      (10) Usermode helper.
      
           The usermode helper code now carries a cred struct pointer in its
           subprocess_info struct instead of a new session keyring pointer.  This set
           of credentials is derived from init_cred and installed on the new process
           after it has been cloned.
      
           call_usermodehelper_setup() allocates the new credentials and
           call_usermodehelper_freeinfo() discards them if they haven't been used.  A
           special cred function (prepare_usermodeinfo_creds()) is provided
           specifically for call_usermodehelper_setup() to call.
      
           call_usermodehelper_setkeys() adjusts the credentials to sport the
           supplied keyring as the new session keyring.
      
      (11) SELinux.
      
           SELinux has a number of changes, in addition to those to support the LSM
           interface changes mentioned above:
      
           (a) selinux_setprocattr() no longer does its check for whether the
           	 current ptracer can access processes with the new SID inside the lock
           	 that covers getting the ptracer's SID.  Whilst this lock ensures that
           	 the check is done with the ptracer pinned, the result is only valid
           	 until the lock is released, so there's no point doing it inside the
           	 lock.
      
      (12) is_single_threaded().
      
           This function has been extracted from selinux_setprocattr() and put into
           a file of its own in the lib/ directory as join_session_keyring() now
           wants to use it too.
      
           The code in SELinux just checked to see whether a task shared mm_structs
           with other tasks (CLONE_VM), but that isn't good enough.  We really want
           to know if they're part of the same thread group (CLONE_THREAD).
      
      (13) nfsd.
      
           The NFS server daemon now has to use the COW credentials to set the
           credentials it is going to use.  It really needs to pass the credentials
           down to the functions it calls, but it can't do that until other patches
           in this series have been applied.
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Acked-by: NJames Morris <jmorris@namei.org>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      d84f4f99
    • D
      CRED: Pass credentials through dentry_open() · 745ca247
      David Howells 提交于
      Pass credentials through dentry_open() so that the COW creds patch can have
      SELinux's flush_unauthorized_files() pass the appropriate creds back to itself
      when it opens its null chardev.
      
      The security_dentry_open() call also now takes a creds pointer, as does the
      dentry_open hook in struct security_operations.
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Acked-by: NJames Morris <jmorris@namei.org>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      745ca247
    • D
      CRED: Make inode_has_perm() and file_has_perm() take a cred pointer · 88e67f3b
      David Howells 提交于
      Make inode_has_perm() and file_has_perm() take a cred pointer rather than a
      task pointer.
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Acked-by: NJames Morris <jmorris@namei.org>
      Acked-by: NSerge Hallyn <serue@us.ibm.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      88e67f3b
    • D
      CRED: Separate per-task-group keyrings from signal_struct · bb952bb9
      David Howells 提交于
      Separate per-task-group keyrings from signal_struct and dangle their anchor
      from the cred struct rather than the signal_struct.
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Reviewed-by: NJames Morris <jmorris@namei.org>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      bb952bb9
    • D
      CRED: Wrap access to SELinux's task SID · 275bb41e
      David Howells 提交于
      Wrap access to SELinux's task SID, using task_sid() and current_sid() as
      appropriate.
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Acked-by: NJames Morris <jmorris@namei.org>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      275bb41e