1. 18 6月, 2006 2 次提交
    • C
      [SELINUX]: add security class for appletalk sockets · 3e3ff15e
      Christopher J. PeBenito 提交于
      Add a security class for appletalk sockets so that they can be
      distinguished in SELinux policy.  Please apply.
      Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov>
      Acked-by: NJames Morris <jmorris@namei.org>
      Signed-off-by: NAndrew Morton <akpm@osdl.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      3e3ff15e
    • C
      [LSM-IPsec]: SELinux Authorize · c8c05a8e
      Catherine Zhang 提交于
      This patch contains a fix for the previous patch that adds security
      contexts to IPsec policies and security associations.  In the previous
      patch, no authorization (besides the check for write permissions to
      SAD and SPD) is required to delete IPsec policies and security
      assocations with security contexts.  Thus a user authorized to change
      SAD and SPD can bypass the IPsec policy authorization by simply
      deleteing policies with security contexts.  To fix this security hole,
      an additional authorization check is added for removing security
      policies and security associations with security contexts.
      
      Note that if no security context is supplied on add or present on
      policy to be deleted, the SELinux module allows the change
      unconditionally.  The hook is called on deletion when no context is
      present, which we may want to change.  At present, I left it up to the
      module.
      
      LSM changes:
      
      The patch adds two new LSM hooks: xfrm_policy_delete and
      xfrm_state_delete.  The new hooks are necessary to authorize deletion
      of IPsec policies that have security contexts.  The existing hooks
      xfrm_policy_free and xfrm_state_free lack the context to do the
      authorization, so I decided to split authorization of deletion and
      memory management of security data, as is typical in the LSM
      interface.
      
      Use:
      
      The new delete hooks are checked when xfrm_policy or xfrm_state are
      deleted by either the xfrm_user interface (xfrm_get_policy,
      xfrm_del_sa) or the pfkey interface (pfkey_spddelete, pfkey_delete).
      
      SELinux changes:
      
      The new policy_delete and state_delete functions are added.
      Signed-off-by: NCatherine Zhang <cxzhang@watson.ibm.com>
      Signed-off-by: NTrent Jaeger <tjaeger@cse.psu.edu>
      Acked-by: NJames Morris <jmorris@namei.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c8c05a8e
  2. 06 6月, 2006 1 次提交
  3. 22 5月, 2006 1 次提交
  4. 16 5月, 2006 1 次提交
  5. 04 5月, 2006 1 次提交
  6. 01 5月, 2006 4 次提交
  7. 20 4月, 2006 1 次提交
  8. 11 4月, 2006 2 次提交
    • D
      [PATCH] Keys: Improve usage of memory barriers and remove IRQ disablement · 1a26feb9
      David Howells 提交于
      Remove an unnecessary memory barrier (implicit in rcu_dereference()) from
      install_session_keyring().
      
      install_session_keyring() is also rearranged a little to make it slightly
      more efficient.
      
      As install_*_keyring() may schedule (in synchronize_rcu() or
      keyring_alloc()), they may not be entered with interrupts disabled - and so
      there's no point saving the interrupt disablement state over the critical
      section.
      
      exec_keys() will also be invoked with interrupts enabled, and so that doesn't
      need to save the interrupt state either.
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NAndrew Morton <akpm@osdl.org>
      Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
      1a26feb9
    • D
      [Security] Keys: Fix oops when adding key to non-keyring · c3a9d654
      David Howells 提交于
      This fixes the problem of an oops occuring when a user attempts to add a
      key to a non-keyring key [CVE-2006-1522].
      
      The problem is that __keyring_search_one() doesn't check that the
      keyring it's been given is actually a keyring.
      
      I've fixed this problem by:
      
       (1) declaring that caller of __keyring_search_one() must guarantee that
           the keyring is a keyring; and
      
       (2) making key_create_or_update() check that the keyring is a keyring,
           and return -ENOTDIR if it isn't.
      
      This can be tested by:
      
      	keyctl add user b b `keyctl add user a a @s`
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
      c3a9d654
  9. 10 4月, 2006 1 次提交
  10. 26 3月, 2006 4 次提交
  11. 24 3月, 2006 1 次提交
  12. 23 3月, 2006 1 次提交
    • D
      [PATCH] Bug fixes and cleanup for the BSD Secure Levels LSM · 6bb08da4
      Davi Arnaut 提交于
      This patch address several issues in the current BSD Secure Levels code:
      
      o plaintext_to_sha1: Missing check for a NULL return from __get_free_page
      
      o passwd_write_file: A page is leaked if the password is wrong.
      
      o fix securityfs registration order
      
      o seclvl_init is a mess and can't properly tolerate failures, failure
        path is upside down (deldif and delf should be switched)
      
      Cleanups:
      
      o plaintext_to_sha1: Use buffers passed in
      o passwd_write_file: Use kmalloc() instead of get_zeroed_page()
      o passwd_write_file: hashedPassword comparison is just memcmp
      o s/ENOSYS/EINVAL/
      o misc
      
      (akpm: after some discussion it appears that the BSD secure levels feature
      should be scheduled for removal.  But for now, let's fix these problems up).
      Signed-off-by: NDavi Arnaut <davi.arnaut@gmail.com>
      Cc: Michael Halcrow <mhalcrow@us.ibm.com>
      Cc: Chris Wright <chrisw@sous-sol.org>
      Cc: Stephen Smalley <sds@epoch.ncsc.mil>
      Cc: James Morris <jmorris@namei.org>
      Cc: Serge Hallyn <serue@us.ibm.com>
      Signed-off-by: NAndrew Morton <akpm@osdl.org>
      Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
      6bb08da4
  13. 22 3月, 2006 11 次提交
  14. 21 3月, 2006 9 次提交
    • C
    • A
      [SECURITY] getpeersec: Fix build breakage · c841aa03
      Arnaldo Carvalho de Melo 提交于
      A recent changeset removes dummy_socket_getpeersec, replacing it with
      two new functions, but still references the removed function in the
      security_fixup_ops table, fix it by doing the replacement operation in
      the fixup table too.
      Signed-off-by: NArnaldo Carvalho de Melo <acme@mandriva.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c841aa03
    • C
      [SECURITY]: TCP/UDP getpeersec · 2c7946a7
      Catherine Zhang 提交于
      This patch implements an application of the LSM-IPSec networking
      controls whereby an application can determine the label of the
      security association its TCP or UDP sockets are currently connected to
      via getsockopt and the auxiliary data mechanism of recvmsg.
      
      Patch purpose:
      
      This patch enables a security-aware application to retrieve the
      security context of an IPSec security association a particular TCP or
      UDP socket is using.  The application can then use this security
      context to determine the security context for processing on behalf of
      the peer at the other end of this connection.  In the case of UDP, the
      security context is for each individual packet.  An example
      application is the inetd daemon, which could be modified to start
      daemons running at security contexts dependent on the remote client.
      
      Patch design approach:
      
      - Design for TCP
      The patch enables the SELinux LSM to set the peer security context for
      a socket based on the security context of the IPSec security
      association.  The application may retrieve this context using
      getsockopt.  When called, the kernel determines if the socket is a
      connected (TCP_ESTABLISHED) TCP socket and, if so, uses the dst_entry
      cache on the socket to retrieve the security associations.  If a
      security association has a security context, the context string is
      returned, as for UNIX domain sockets.
      
      - Design for UDP
      Unlike TCP, UDP is connectionless.  This requires a somewhat different
      API to retrieve the peer security context.  With TCP, the peer
      security context stays the same throughout the connection, thus it can
      be retrieved at any time between when the connection is established
      and when it is torn down.  With UDP, each read/write can have
      different peer and thus the security context might change every time.
      As a result the security context retrieval must be done TOGETHER with
      the packet retrieval.
      
      The solution is to build upon the existing Unix domain socket API for
      retrieving user credentials.  Linux offers the API for obtaining user
      credentials via ancillary messages (i.e., out of band/control messages
      that are bundled together with a normal message).
      
      Patch implementation details:
      
      - Implementation for TCP
      The security context can be retrieved by applications using getsockopt
      with the existing SO_PEERSEC flag.  As an example (ignoring error
      checking):
      
      getsockopt(sockfd, SOL_SOCKET, SO_PEERSEC, optbuf, &optlen);
      printf("Socket peer context is: %s\n", optbuf);
      
      The SELinux function, selinux_socket_getpeersec, is extended to check
      for labeled security associations for connected (TCP_ESTABLISHED ==
      sk->sk_state) TCP sockets only.  If so, the socket has a dst_cache of
      struct dst_entry values that may refer to security associations.  If
      these have security associations with security contexts, the security
      context is returned.
      
      getsockopt returns a buffer that contains a security context string or
      the buffer is unmodified.
      
      - Implementation for UDP
      To retrieve the security context, the application first indicates to
      the kernel such desire by setting the IP_PASSSEC option via
      getsockopt.  Then the application retrieves the security context using
      the auxiliary data mechanism.
      
      An example server application for UDP should look like this:
      
      toggle = 1;
      toggle_len = sizeof(toggle);
      
      setsockopt(sockfd, SOL_IP, IP_PASSSEC, &toggle, &toggle_len);
      recvmsg(sockfd, &msg_hdr, 0);
      if (msg_hdr.msg_controllen > sizeof(struct cmsghdr)) {
          cmsg_hdr = CMSG_FIRSTHDR(&msg_hdr);
          if (cmsg_hdr->cmsg_len <= CMSG_LEN(sizeof(scontext)) &&
              cmsg_hdr->cmsg_level == SOL_IP &&
              cmsg_hdr->cmsg_type == SCM_SECURITY) {
              memcpy(&scontext, CMSG_DATA(cmsg_hdr), sizeof(scontext));
          }
      }
      
      ip_setsockopt is enhanced with a new socket option IP_PASSSEC to allow
      a server socket to receive security context of the peer.  A new
      ancillary message type SCM_SECURITY.
      
      When the packet is received we get the security context from the
      sec_path pointer which is contained in the sk_buff, and copy it to the
      ancillary message space.  An additional LSM hook,
      selinux_socket_getpeersec_udp, is defined to retrieve the security
      context from the SELinux space.  The existing function,
      selinux_socket_getpeersec does not suit our purpose, because the
      security context is copied directly to user space, rather than to
      kernel space.
      
      Testing:
      
      We have tested the patch by setting up TCP and UDP connections between
      applications on two machines using the IPSec policies that result in
      labeled security associations being built.  For TCP, we can then
      extract the peer security context using getsockopt on either end.  For
      UDP, the receiving end can retrieve the security context using the
      auxiliary data mechanism of recvmsg.
      Signed-off-by: NCatherine Zhang <cxzhang@watson.ibm.com>
      Acked-by: NJames Morris <jmorris@namei.org>
      Acked-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      2c7946a7
    • J
      [IPSEC]: Sync series - update selinux · 8c29bfe1
      Jamal Hadi Salim 提交于
      Add new netlink messages to selinux framework
      Signed-off-by: NJamal Hadi Salim <hadi@cyberus.ca>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      8c29bfe1
    • A
      [PATCH] audit string fields interface + consumer · 93315ed6
      Amy Griffis 提交于
      Updated patch to dynamically allocate audit rule fields in kernel's
      internal representation.  Added unlikely() calls for testing memory
      allocation result.
      
      Amy Griffis wrote:     [Wed Jan 11 2006, 02:02:31PM EST]
      > Modify audit's kernel-userspace interface to allow the specification
      > of string fields in audit rules.
      >
      > Signed-off-by: Amy Griffis <amy.griffis@hp.com>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      (cherry picked from 5ffc4a863f92351b720fe3e9c5cd647accff9e03 commit)
      93315ed6
    • S
      [PATCH] SE Linux audit events · af601e46
      Steve Grubb 提交于
      Attached is a patch that hardwires important SE Linux events to the audit
      system. Please Apply.
      Signed-off-by: NSteve Grubb <sgrubb@redhat.com>
      Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>
      af601e46
    • D
      [PATCH] Miscellaneous bug and warning fixes · 7306a0b9
      Dustin Kirkland 提交于
      This patch fixes a couple of bugs revealed in new features recently
      added to -mm1:
      * fixes warnings due to inconsistent use of const struct inode *inode
      * fixes bug that prevent a kernel from booting with audit on, and SELinux off
        due to a missing function in security/dummy.c
      * fixes a bug that throws spurious audit_panic() messages due to a missing
        return just before an error_path label
      * some reasonable house cleaning in audit_ipc_context(),
        audit_inode_context(), and audit_log_task_context()
      Signed-off-by: NDustin Kirkland <dustin.kirkland@us.ibm.com>
      Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>
      7306a0b9
    • D
      [PATCH] Capture selinux subject/object context information. · 8c8570fb
      Dustin Kirkland 提交于
      This patch extends existing audit records with subject/object context
      information. Audit records associated with filesystem inodes, ipc, and
      tasks now contain SELinux label information in the field "subj" if the
      item is performing the action, or in "obj" if the item is the receiver
      of an action.
      
      These labels are collected via hooks in SELinux and appended to the
      appropriate record in the audit code.
      
      This additional information is required for Common Criteria Labeled
      Security Protection Profile (LSPP).
      
      [AV: fixed kmalloc flags use]
      [folded leak fixes]
      [folded cleanup from akpm (kfree(NULL)]
      [folded audit_inode_context() leak fix]
      [folded akpm's fix for audit_ipc_perm() definition in case of !CONFIG_AUDIT]
      Signed-off-by: NDustin Kirkland <dustin.kirkland@us.ibm.com>
      Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>
      Signed-off-by: NAndrew Morton <akpm@osdl.org>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      8c8570fb
    • S
      [PATCH] Define new range of userspace messages. · 90d526c0
      Steve Grubb 提交于
      The attached patch updates various items for the new user space
      messages. Please apply.
      Signed-off-by: NSteve Grubb <sgrubb@redhat.com>
      Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>
      90d526c0