- 21 10月, 2010 13 次提交
-
-
由 Eric Paris 提交于
Right now secmark has lots of direct selinux calls. Use all LSM calls and remove all SELinux specific knowledge. The only SELinux specific knowledge we leave is the mode. The only point is to make sure that other LSMs at least test this generic code before they assume it works. (They may also have to make changes if they do not represent labels as strings) Signed-off-by: NEric Paris <eparis@redhat.com> Acked-by: NPaul Moore <paul.moore@hp.com> Acked-by: NPatrick McHardy <kaber@trash.net> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 John Johansen 提交于
Actually I think in this case the appropriate thing to do is to BUG as there is currently a case (remove) where the alloc_size needs to be larger than the copy_size, and if copy_size is ever greater than alloc_size there is a mistake in the caller code. Signed-off-by: NJohn Johansen <john.johansen@canonical.com> Acked-by: NKees Cook <kees.cook@canonical.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 Tetsuo Handa 提交于
Configuration files for TOMOYO 2.3 are not compatible with TOMOYO 2.2. But current panic() message is too unfriendly and is confusing users. Signed-off-by: NTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Reviewed-by: NKOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 KOSAKI Motohiro 提交于
All security modules shouldn't change sched_param parameter of security_task_setscheduler(). This is not only meaningless, but also make a harmful result if caller pass a static variable. This patch remove policy and sched_param parameter from security_task_setscheduler() becuase none of security module is using it. Cc: James Morris <jmorris@namei.org> Signed-off-by: NKOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 KaiGai Kohei 提交于
This patch fixes up coding-style problem at this commit: 4f27a7d49789b04404eca26ccde5f527231d01d5 selinux: fast status update interface (/selinux/status) Signed-off-by: NKaiGai Kohei <kaigai@ak.jp.nec.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 matt mooney 提交于
Replace EXTRA_CFLAGS with ccflags-y. Signed-off-by: Nmatt mooney <mfm@muteddisk.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 Paul Gortmaker 提交于
While the previous change to the selinux Makefile reduced the window significantly for this failure, it is still possible to see a compile failure where cpp starts processing selinux files before the auto generated flask.h file is completed. This is easily reproduced by adding the following temporary change to expose the issue everytime: - cmd_flask = scripts/selinux/genheaders/genheaders ... + cmd_flask = sleep 30 ; scripts/selinux/genheaders/genheaders ... This failure happens because the creation of the object files in the ss subdir also depends on flask.h. So simply incorporate them into the parent Makefile, as the ss/Makefile really doesn't do anything unique. With this change, compiling of all selinux files is dependent on completion of the header file generation, and this test case with the "sleep 30" now confirms it is functioning as expected. Signed-off-by: NPaul Gortmaker <paul.gortmaker@windriver.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 Paul Gortmaker 提交于
Selinux has an autogenerated file, "flask.h" which is included by two other selinux files. The current makefile has a single dependency on the first object file in the selinux-y list, assuming that will get flask.h generated before anyone looks for it, but that assumption breaks down in a "make -jN" situation and you get: selinux/selinuxfs.c:35: fatal error: flask.h: No such file or directory compilation terminated. remake[9]: *** [security/selinux/selinuxfs.o] Error 1 Since flask.h is included by security.h which in turn is included nearly everywhere, make the dependency apply to all of the selinux-y list of objs. Signed-off-by: NPaul Gortmaker <paul.gortmaker@windriver.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 KaiGai Kohei 提交于
This patch provides a new /selinux/status entry which allows applications read-only mmap(2). This region reflects selinux_kernel_status structure in kernel space. struct selinux_kernel_status { u32 length; /* length of this structure */ u32 sequence; /* sequence number of seqlock logic */ u32 enforcing; /* current setting of enforcing mode */ u32 policyload; /* times of policy reloaded */ u32 deny_unknown; /* current setting of deny_unknown */ }; When userspace object manager caches access control decisions provided by SELinux, it needs to invalidate the cache on policy reload and setenforce to keep consistency. However, the applications need to check the kernel state for each accesses on userspace avc, or launch a background worker process. In heuristic, frequency of invalidation is much less than frequency of making access control decision, so it is annoying to invoke a system call to check we don't need to invalidate the userspace cache. If we can use a background worker thread, it allows to receive invalidation messages from the kernel. But it requires us an invasive coding toward the base application in some cases; E.g, when we provide a feature performing with SELinux as a plugin module, it is unwelcome manner to launch its own worker thread from the module. If we could map /selinux/status to process memory space, application can know updates of selinux status; policy reload or setenforce. A typical application checks selinux_kernel_status::sequence when it tries to reference userspace avc. If it was changed from the last time when it checked userspace avc, it means something was updated in the kernel space. Then, the application can reset userspace avc or update current enforcing mode, without any system call invocations. This sequence number is updated according to the seqlock logic, so we need to wait for a while if it is odd number. Signed-off-by: NKaiGai Kohei <kaigai@ak.jp.nec.com> Acked-by: NEric Paris <eparis@redhat.com> -- security/selinux/include/security.h | 21 ++++++ security/selinux/selinuxfs.c | 56 +++++++++++++++ security/selinux/ss/Makefile | 2 +- security/selinux/ss/services.c | 3 + security/selinux/ss/status.c | 129 +++++++++++++++++++++++++++++++++++ 5 files changed, 210 insertions(+), 1 deletions(-) Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 Yong Zhang 提交于
Signed-off-by: NYong Zhang <yong.zhang0@gmail.com> Signed-off-by: NJohn Johansen <john.johansen@canonical.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 Tetsuo Handa 提交于
We can set default LSM module to DAC (which means "enable no LSM module"). If default LSM module was set to DAC, security_module_enable() must return 0 unless overridden via boot time parameter. Signed-off-by: NTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Acked-by: NSerge E. Hallyn <serge@hallyn.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 Eric Paris 提交于
type is not used at all, stop declaring and assigning it. Signed-off-by: NEric Paris <eparis@redhat.com> Acked-by: NStephen Smalley <sds@tycho.nsa.gov> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 Dan Carpenter 提交于
If domain is NULL then &domain->list is a bogus address. Let's leave head->r.domain NULL instead of saving an unusable pointer. This is just a cleanup. The current code always checks head->r.eof before dereferencing head->r.domain. Signed-off-by: NDan Carpenter <error27@gmail.com> Acked-by: NTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
-
- 27 9月, 2010 1 次提交
-
-
由 Ben Hutchings 提交于
System call entry functions sys_*() are never to be called from general kernel code. The fact that they aren't declared in header files should have been a clue. These functions also don't exist on Alpha since it has sys_getxpid() instead. Signed-off-by: NBen Hutchings <ben@decadent.org.uk> Acked-by: NTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: NJames Morris <jmorris@namei.org>
-
- 10 9月, 2010 2 次提交
-
-
由 David Howells 提交于
Fix a bug in keyctl_session_to_parent() whereby it tries to check the ownership of the parent process's session keyring whether or not the parent has a session keyring [CVE-2010-2960]. This results in the following oops: BUG: unable to handle kernel NULL pointer dereference at 00000000000000a0 IP: [<ffffffff811ae4dd>] keyctl_session_to_parent+0x251/0x443 ... Call Trace: [<ffffffff811ae2f3>] ? keyctl_session_to_parent+0x67/0x443 [<ffffffff8109d286>] ? __do_fault+0x24b/0x3d0 [<ffffffff811af98c>] sys_keyctl+0xb4/0xb8 [<ffffffff81001eab>] system_call_fastpath+0x16/0x1b if the parent process has no session keyring. If the system is using pam_keyinit then it mostly protected against this as all processes derived from a login will have inherited the session keyring created by pam_keyinit during the log in procedure. To test this, pam_keyinit calls need to be commented out in /etc/pam.d/. Reported-by: NTavis Ormandy <taviso@cmpxchg8b.com> Signed-off-by: NDavid Howells <dhowells@redhat.com> Acked-by: NTavis Ormandy <taviso@cmpxchg8b.com> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
由 David Howells 提交于
There's an protected access to the parent process's credentials in the middle of keyctl_session_to_parent(). This results in the following RCU warning: =================================================== [ INFO: suspicious rcu_dereference_check() usage. ] --------------------------------------------------- security/keys/keyctl.c:1291 invoked rcu_dereference_check() without protection! other info that might help us debug this: rcu_scheduler_active = 1, debug_locks = 0 1 lock held by keyctl-session-/2137: #0: (tasklist_lock){.+.+..}, at: [<ffffffff811ae2ec>] keyctl_session_to_parent+0x60/0x236 stack backtrace: Pid: 2137, comm: keyctl-session- Not tainted 2.6.36-rc2-cachefs+ #1 Call Trace: [<ffffffff8105606a>] lockdep_rcu_dereference+0xaa/0xb3 [<ffffffff811ae379>] keyctl_session_to_parent+0xed/0x236 [<ffffffff811af77e>] sys_keyctl+0xb4/0xb6 [<ffffffff81001eab>] system_call_fastpath+0x16/0x1b The code should take the RCU read lock to make sure the parents credentials don't go away, even though it's holding a spinlock and has IRQ disabled. Signed-off-by: NDavid Howells <dhowells@redhat.com> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
- 08 9月, 2010 5 次提交
-
-
由 Mimi Zohar 提交于
commit 8262bb85da allocated the inode integrity struct (iint) before any inodes were created. Only after IMA was initialized in late_initcall were the counters updated. This patch updates the counters, whether or not IMA has been initialized, to resolve 'imbalance' messages. This patch fixes the bug as reported in bugzilla: 15673. When the i915 is builtin, the ring_buffer is initialized before IMA, causing the imbalance message on suspend. Reported-by: NThomas Meyer <thomas@m3y3r.de> Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com> Tested-by: NThomas Meyer <thomas@m3y3r.de> Tested-by: David Safford<safford@watson.ibm.com> Cc: Stable Kernel <stable@kernel.org> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 John Johansen 提交于
The locking for profile namespace removal is wrong, when removing a profile namespace, it needs to be removed from its parent's list. Lock the parent of namespace list instead of the namespace being removed. Signed-off-by: NJohn Johansen <john.johansen@canonical.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 John Johansen 提交于
As per Dan Carpenter <error27@gmail.com> If we have a ns name without a following profile then in the original code it did "*ns_name = &name[1];". "name" is NULL so "*ns_name" is 0x1. That isn't useful and could cause an oops when this function is called from aa_remove_profiles(). Beyond this the assignment of the namespace name was wrong in the case where the profile name was provided as it was being set to &name[1] after name = skip_spaces(split + 1); Move the ns_name assignment before updating name for the split and also add skip_spaces, making the interface more robust. Signed-off-by: NJohn Johansen <john.johansen@canonical.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 John Johansen 提交于
2.6.36 introduced the abilitiy to specify the task that is having its rlimits set. Update mediation to ensure that confined tasks can only set their own group_leader as expected by current policy. Add TODO note about extending policy to support setting other tasks rlimits. Signed-off-by: NJohn Johansen <john.johansen@canonical.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 John Johansen 提交于
The 2.6.36 kernel has refactored __d_path() so that it no longer appends " (deleted)" to unlinked paths. So drop the hack that was used to detect and remove the appended string. Signed-off-by: NJohn Johansen <john.johansen@canonical.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
- 18 8月, 2010 4 次提交
-
-
由 Nick Piggin 提交于
tty: fix fu_list abuse tty code abuses fu_list, which causes a bug in remount,ro handling. If a tty device node is opened on a filesystem, then the last link to the inode removed, the filesystem will be allowed to be remounted readonly. This is because fs_may_remount_ro does not find the 0 link tty inode on the file sb list (because the tty code incorrectly removed it to use for its own purpose). This can result in a filesystem with errors after it is marked "clean". Taking idea from Christoph's initial patch, allocate a tty private struct at file->private_data and put our required list fields in there, linking file and tty. This makes tty nodes behave the same way as other device nodes and avoid meddling with the vfs, and avoids this bug. The error handling is not trivial in the tty code, so for this bugfix, I take the simple approach of using __GFP_NOFAIL and don't worry about memory errors. This is not a problem because our allocator doesn't fail small allocs as a rule anyway. So proper error handling is left as an exercise for tty hackers. [ Arguably filesystem's device inode would ideally be divorced from the driver's pseudo inode when it is opened, but in practice it's not clear whether that will ever be worth implementing. ] Cc: linux-kernel@vger.kernel.org Cc: Christoph Hellwig <hch@infradead.org> Cc: Alan Cox <alan@lxorguk.ukuu.org.uk> Cc: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: NNick Piggin <npiggin@kernel.dk> Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
-
由 Nick Piggin 提交于
fs: cleanup files_lock locking Lock tty_files with a new spinlock, tty_files_lock; provide helpers to manipulate the per-sb files list; unexport the files_lock spinlock. Cc: linux-kernel@vger.kernel.org Cc: Christoph Hellwig <hch@infradead.org> Cc: Alan Cox <alan@lxorguk.ukuu.org.uk> Acked-by: NAndi Kleen <ak@linux.intel.com> Acked-by: NGreg Kroah-Hartman <gregkh@suse.de> Signed-off-by: NNick Piggin <npiggin@kernel.dk> Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
-
由 Nick Piggin 提交于
apparmor: use task path helpers Signed-off-by: NNick Piggin <npiggin@kernel.dk> Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
-
由 David Howells 提交于
Make do_execve() take a const filename pointer so that kernel_execve() compiles correctly on ARM: arch/arm/kernel/sys_arm.c:88: warning: passing argument 1 of 'do_execve' discards qualifiers from pointer target type This also requires the argv and envp arguments to be consted twice, once for the pointer array and once for the strings the array points to. This is because do_execve() passes a pointer to the filename (now const) to copy_strings_kernel(). A simpler alternative would be to cast the filename pointer in do_execve() when it's passed to copy_strings_kernel(). do_execve() may not change any of the strings it is passed as part of the argv or envp lists as they are some of them in .rodata, so marking these strings as const should be fine. Further kernel_execve() and sys_execve() need to be changed to match. This has been test built on x86_64, frv, arm and mips. Signed-off-by: NDavid Howells <dhowells@redhat.com> Tested-by: NRalf Baechle <ralf@linux-mips.org> Acked-by: NRussell King <rmk+kernel@arm.linux.org.uk> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
- 17 8月, 2010 1 次提交
-
-
由 Jiri Slaby 提交于
After rlimits tree was merged we get the following errors: security/apparmor/lsm.c:663:2: warning: initialization from incompatible pointer type It is because AppArmor was merged in the meantime, but uses the old prototype. So fix it by adding struct task_struct as a first parameter of apparmor_task_setrlimit. NOTE that this is ONLY a compilation warning fix (and crashes caused by that). It needs proper handling in AppArmor depending on who is the 'task'. Signed-off-by: NJiri Slaby <jslaby@suse.cz> Signed-off-by: NJohn Johansen <john.johansen@canonical.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
- 13 8月, 2010 1 次提交
-
-
由 David Howells 提交于
Add a dummy printk function for the maintenance of unused printks through gcc format checking, and also so that side-effect checking is maintained too. Signed-off-by: NDavid Howells <dhowells@redhat.com> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
- 11 8月, 2010 1 次提交
-
-
由 Stephen Rothwell 提交于
Fixes these build errors: security/apparmor/lsm.c:701: error: 'param_ops_aabool' undeclared here (not in a function) security/apparmor/lsm.c:721: error: 'param_ops_aalockpolicy' undeclared here (not in a function) security/apparmor/lsm.c:729: error: 'param_ops_aauint' undeclared here (not in a function) Signed-off-by: NStephen Rothwell <sfr@canb.auug.org.au> Signed-off-by: NJohn Johansen <john.johansen@canonical.com> Signed-off-by: NRusty Russell <rusty@rustcorp.com.au>
-
- 07 8月, 2010 2 次提交
-
-
由 Ralf Baechle 提交于
Fix build error caused by a stale security/selinux/av_permissions.h in the $(src) directory which will override a more recent version in $(obj) that is it appears to strike only when building with a separate object directory. Signed-off-by: NRalf Baechle <ralf@linux-mips.org> Acked-by: NEric Paris <eparis@redhat.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 David Howells 提交于
request_key() should return -ENOKEY if the key it constructs has been negatively instantiated. Without this, request_key() can return an unusable key to its caller, and if the caller then does key_validate() that won't catch the problem. Signed-off-by: NDavid Howells <dhowells@redhat.com> Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
-
- 05 8月, 2010 1 次提交
-
-
由 Randy Dunlap 提交于
SECURITY_APPARMOR should depend on NET since AUDIT needs (depends on) NET. Fixes 70-80 errors that occur when CONFIG_NET is not enabled, but APPARMOR selects AUDIT without qualification. E.g.: audit.c:(.text+0x33361): undefined reference to `netlink_unicast' (.text+0x333df): undefined reference to `netlink_unicast' audit.c:(.text+0x3341d): undefined reference to `skb_queue_tail' audit.c:(.text+0x33424): undefined reference to `kfree_skb' audit.c:(.text+0x334cb): undefined reference to `kfree_skb' audit.c:(.text+0x33597): undefined reference to `skb_put' audit.c:(.text+0x3369b): undefined reference to `__alloc_skb' audit.c:(.text+0x336d7): undefined reference to `kfree_skb' (.text+0x3374c): undefined reference to `__alloc_skb' auditfilter.c:(.text+0x35305): undefined reference to `skb_queue_tail' lsm_audit.c:(.text+0x2873): undefined reference to `init_net' lsm_audit.c:(.text+0x2878): undefined reference to `dev_get_by_index' Signed-off-by: NRandy Dunlap <randy.dunlap@oracle.com> Signed-off-by: NJohn Johansen <john.johansen@canonical.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
- 02 8月, 2010 9 次提交
-
-
由 James Morris 提交于
Fix build warnings for non-const use of get_task_cred. Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 Eric Paris 提交于
Current selinux policy can have over 3000 types. The type_attr_map in policy is an array sized by the number of types times sizeof(struct ebitmap) (12 on x86_64). Basic math tells us the array is going to be of length 3000 x 12 = 36,000 bytes. The largest 'safe' allocation on a long running system is 16k. Most of the time a 32k allocation will work. But on long running systems a 64k allocation (what we need) can fail quite regularly. In order to deal with this I am converting the type_attr_map to use flex_arrays. Let the library code deal with breaking this into PAGE_SIZE pieces. -v2 rework some of the if(!obj) BUG() to be BUG_ON(!obj) drop flex_array_put() calls and just use a _get() object directly -v3 make apply to James' tree (drop the policydb_write changes) Signed-off-by: NEric Paris <eparis@redhat.com> Acked-by: NStephen D. Smalley <sds@tycho.nsa.gov> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 John Johansen 提交于
Kconfig and Makefiles to enable configuration and building of AppArmor. Signed-off-by: NJohn Johansen <john.johansen@canonical.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 Tetsuo Handa 提交于
Commit c9e69318 "TOMOYO: Allow wildcard for execute permission." changed execute permission and domainname to accept wildcards. But tomoyo_find_next_domain() was using pathname passed to execve() rather than pathname specified by the execute permission. As a result, processes were not able to transit to domains which contain wildcards in their domainnames. This patch passes pathname specified by the execute permission back to tomoyo_find_next_domain() so that processes can transit to domains which contain wildcards in their domainnames. Signed-off-by: NTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 James Morris 提交于
Remove extraneous path_truncate arguments from the AppArmor hook, as they've been removed from the LSM API. Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 John Johansen 提交于
The basic routines and defines for AppArmor policy. AppArmor policy is defined by a few basic components. profiles - the basic unit of confinement contain all the information to enforce policy on a task Profiles tend to be named after an executable that they will attach to but this is not required. namespaces - a container for a set of profiles that will be used during attachment and transitions between profiles. sids - which provide a unique id for each profile Signed-off-by: NJohn Johansen <john.johansen@canonical.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 John Johansen 提交于
AppArmor policy is loaded in a platform independent flattened binary stream. Verify and unpack the data converting it to the internal format needed for enforcement. Signed-off-by: NJohn Johansen <john.johansen@canonical.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 John Johansen 提交于
ipc: AppArmor ipc is currently limited to mediation done by file mediation and basic ptrace tests. Improved mediation is a wip. rlimits: AppArmor provides basic abilities to set and control rlimits at a per profile level. Only resources specified in a profile are controled or set. AppArmor rules set the hard limit to a value <= to the current hard limit (ie. they can not currently raise hard limits), and if necessary will lower the soft limit to the new hard limit value. AppArmor does not track resource limits to reset them when a profile is left so that children processes inherit the limits set by the parent even if they are not confined by the same profile. Capabilities: AppArmor provides a per profile mask of capabilities, that will further restrict. Signed-off-by: NJohn Johansen <john.johansen@canonical.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-
由 John Johansen 提交于
AppArmor hooks to interface with the LSM, module parameters and module initialization. Signed-off-by: NJohn Johansen <john.johansen@canonical.com> Signed-off-by: NJames Morris <jmorris@namei.org>
-