1. 13 6月, 2008 1 次提交
  2. 30 4月, 2008 2 次提交
  3. 29 4月, 2008 2 次提交
  4. 28 4月, 2008 1 次提交
    • A
      capabilities: implement per-process securebits · 3898b1b4
      Andrew G. Morgan 提交于
      Filesystem capability support makes it possible to do away with (set)uid-0
      based privilege and use capabilities instead.  That is, with filesystem
      support for capabilities but without this present patch, it is (conceptually)
      possible to manage a system with capabilities alone and never need to obtain
      privilege via (set)uid-0.
      
      Of course, conceptually isn't quite the same as currently possible since few
      user applications, certainly not enough to run a viable system, are currently
      prepared to leverage capabilities to exercise privilege.  Further, many
      applications exist that may never get upgraded in this way, and the kernel
      will continue to want to support their setuid-0 base privilege needs.
      
      Where pure-capability applications evolve and replace setuid-0 binaries, it is
      desirable that there be a mechanisms by which they can contain their
      privilege.  In addition to leveraging the per-process bounding and inheritable
      sets, this should include suppressing the privilege of the uid-0 superuser
      from the process' tree of children.
      
      The feature added by this patch can be leveraged to suppress the privilege
      associated with (set)uid-0.  This suppression requires CAP_SETPCAP to
      initiate, and only immediately affects the 'current' process (it is inherited
      through fork()/exec()).  This reimplementation differs significantly from the
      historical support for securebits which was system-wide, unwieldy and which
      has ultimately withered to a dead relic in the source of the modern kernel.
      
      With this patch applied a process, that is capable(CAP_SETPCAP), can now drop
      all legacy privilege (through uid=0) for itself and all subsequently
      fork()'d/exec()'d children with:
      
        prctl(PR_SET_SECUREBITS, 0x2f);
      
      This patch represents a no-op unless CONFIG_SECURITY_FILE_CAPABILITIES is
      enabled at configure time.
      
      [akpm@linux-foundation.org: fix uninitialised var warning]
      [serue@us.ibm.com: capabilities: use cap_task_prctl when !CONFIG_SECURITY]
      Signed-off-by: NAndrew G. Morgan <morgan@kernel.org>
      Acked-by: NSerge Hallyn <serue@us.ibm.com>
      Reviewed-by: NJames Morris <jmorris@namei.org>
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Cc: Paul Moore <paul.moore@hp.com>
      Signed-off-by: NSerge E. Hallyn <serue@us.ibm.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      3898b1b4
  5. 22 4月, 2008 1 次提交
  6. 19 4月, 2008 3 次提交
  7. 13 4月, 2008 1 次提交
  8. 06 3月, 2008 1 次提交
  9. 06 2月, 2008 2 次提交
  10. 25 1月, 2008 3 次提交
    • D
      security: add a secctx_to_secid() hook · 63cb3449
      David Howells 提交于
      Add a secctx_to_secid() LSM hook to go along with the existing
      secid_to_secctx() LSM hook.  This patch also includes the SELinux
      implementation for this hook.
      Signed-off-by: NPaul Moore <paul.moore@hp.com>
      Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      63cb3449
    • H
      security: remove security_sb_post_mountroot hook · bced9528
      H. Peter Anvin 提交于
      The security_sb_post_mountroot() hook is long-since obsolete, and is
      fundamentally broken: it is never invoked if someone uses initramfs.
      This is particularly damaging, because the existence of this hook has
      been used as motivation for not using initramfs.
      
      Stephen Smalley confirmed on 2007-07-19 that this hook was originally
      used by SELinux but can now be safely removed:
      
           http://marc.info/?l=linux-kernel&m=118485683612916&w=2
      
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Cc: James Morris <jmorris@namei.org>
      Cc: Eric Paris <eparis@parisplace.org>
      Cc: Chris Wright <chrisw@sous-sol.org>
      Signed-off-by: NH. Peter Anvin <hpa@zytor.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      bced9528
    • E
      Security: add get, set, and cloning of superblock security information · c9180a57
      Eric Paris 提交于
      Adds security_get_sb_mnt_opts, security_set_sb_mnt_opts, and
      security_clont_sb_mnt_opts to the LSM and to SELinux.  This will allow
      filesystems to directly own and control all of their mount options if they
      so choose.  This interface deals only with option identifiers and strings so
      it should generic enough for any LSM which may come in the future.
      
      Filesystems which pass text mount data around in the kernel (almost all of
      them) need not currently make use of this interface when dealing with
      SELinux since it will still parse those strings as it always has.  I assume
      future LSM's would do the same.  NFS is the primary FS which does not use
      text mount data and thus must make use of this interface.
      
      An LSM would need to implement these functions only if they had mount time
      options, such as selinux has context= or fscontext=.  If the LSM has no
      mount time options they could simply not implement and let the dummy ops
      take care of things.
      
      An LSM other than SELinux would need to define new option numbers in
      security.h and any FS which decides to own there own security options would
      need to be patched to use this new interface for every possible LSM.  This
      is because it was stated to me very clearly that LSM's should not attempt to
      understand FS mount data and the burdon to understand security should be in
      the FS which owns the options.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Acked-by: NStephen D. Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      c9180a57
  11. 05 12月, 2007 1 次提交
    • E
      Security: allow capable check to permit mmap or low vm space · ab5a91a8
      Eric Paris 提交于
      On a kernel with CONFIG_SECURITY but without an LSM which implements
      security_file_mmap it is impossible for an application to mmap addresses
      lower than mmap_min_addr.  Based on a suggestion from a developer in the
      openwall community this patch adds a check for CAP_SYS_RAWIO.  It is
      assumed that any process with this capability can harm the system a lot
      more easily than writing some stuff on the zero page and then trying to
      get the kernel to trip over itself.  It also means that programs like X
      on i686 which use vm86 emulation can work even with mmap_min_addr set.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      ab5a91a8
  12. 19 10月, 2007 1 次提交
    • A
      V3 file capabilities: alter behavior of cap_setpcap · 72c2d582
      Andrew Morgan 提交于
      The non-filesystem capability meaning of CAP_SETPCAP is that a process, p1,
      can change the capabilities of another process, p2.  This is not the
      meaning that was intended for this capability at all, and this
      implementation came about purely because, without filesystem capabilities,
      there was no way to use capabilities without one process bestowing them on
      another.
      
      Since we now have a filesystem support for capabilities we can fix the
      implementation of CAP_SETPCAP.
      
      The most significant thing about this change is that, with it in effect, no
      process can set the capabilities of another process.
      
      The capabilities of a program are set via the capability convolution
      rules:
      
         pI(post-exec) = pI(pre-exec)
         pP(post-exec) = (X(aka cap_bset) & fP) | (pI(post-exec) & fI)
         pE(post-exec) = fE ? pP(post-exec) : 0
      
      at exec() time.  As such, the only influence the pre-exec() program can
      have on the post-exec() program's capabilities are through the pI
      capability set.
      
      The correct implementation for CAP_SETPCAP (and that enabled by this patch)
      is that it can be used to add extra pI capabilities to the current process
      - to be picked up by subsequent exec()s when the above convolution rules
      are applied.
      
      Here is how it works:
      
      Let's say we have a process, p. It has capability sets, pE, pP and pI.
      Generally, p, can change the value of its own pI to pI' where
      
         (pI' & ~pI) & ~pP = 0.
      
      That is, the only new things in pI' that were not present in pI need to
      be present in pP.
      
      The role of CAP_SETPCAP is basically to permit changes to pI beyond
      the above:
      
         if (pE & CAP_SETPCAP) {
            pI' = anything; /* ie., even (pI' & ~pI) & ~pP != 0  */
         }
      
      This capability is useful for things like login, which (say, via
      pam_cap) might want to raise certain inheritable capabilities for use
      by the children of the logged-in user's shell, but those capabilities
      are not useful to or needed by the login program itself.
      
      One such use might be to limit who can run ping. You set the
      capabilities of the 'ping' program to be "= cap_net_raw+i", and then
      only shells that have (pI & CAP_NET_RAW) will be able to run
      it. Without CAP_SETPCAP implemented as described above, login(pam_cap)
      would have to also have (pP & CAP_NET_RAW) in order to raise this
      capability and pass it on through the inheritable set.
      Signed-off-by: NAndrew Morgan <morgan@kernel.org>
      Signed-off-by: NSerge E. Hallyn <serue@us.ibm.com>
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Cc: James Morris <jmorris@namei.org>
      Cc: Casey Schaufler <casey@schaufler-ca.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      72c2d582
  13. 17 10月, 2007 4 次提交
    • A
      security/ cleanups · cbfee345
      Adrian Bunk 提交于
      This patch contains the following cleanups that are now possible:
      - remove the unused security_operations->inode_xattr_getsuffix
      - remove the no longer used security_operations->unregister_security
      - remove some no longer required exit code
      - remove a bunch of no longer used exports
      Signed-off-by: NAdrian Bunk <bunk@kernel.org>
      Acked-by: NJames Morris <jmorris@namei.org>
      Cc: Chris Wright <chrisw@sous-sol.org>
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Cc: Serge Hallyn <serue@us.ibm.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      cbfee345
    • S
      Implement file posix capabilities · b5376771
      Serge E. Hallyn 提交于
      Implement file posix capabilities.  This allows programs to be given a
      subset of root's powers regardless of who runs them, without having to use
      setuid and giving the binary all of root's powers.
      
      This version works with Kaigai Kohei's userspace tools, found at
      http://www.kaigai.gr.jp/index.php.  For more information on how to use this
      patch, Chris Friedhoff has posted a nice page at
      http://www.friedhoff.org/fscaps.html.
      
      Changelog:
      	Nov 27:
      	Incorporate fixes from Andrew Morton
      	(security-introduce-file-caps-tweaks and
      	security-introduce-file-caps-warning-fix)
      	Fix Kconfig dependency.
      	Fix change signaling behavior when file caps are not compiled in.
      
      	Nov 13:
      	Integrate comments from Alexey: Remove CONFIG_ ifdef from
      	capability.h, and use %zd for printing a size_t.
      
      	Nov 13:
      	Fix endianness warnings by sparse as suggested by Alexey
      	Dobriyan.
      
      	Nov 09:
      	Address warnings of unused variables at cap_bprm_set_security
      	when file capabilities are disabled, and simultaneously clean
      	up the code a little, by pulling the new code into a helper
      	function.
      
      	Nov 08:
      	For pointers to required userspace tools and how to use
      	them, see http://www.friedhoff.org/fscaps.html.
      
      	Nov 07:
      	Fix the calculation of the highest bit checked in
      	check_cap_sanity().
      
      	Nov 07:
      	Allow file caps to be enabled without CONFIG_SECURITY, since
      	capabilities are the default.
      	Hook cap_task_setscheduler when !CONFIG_SECURITY.
      	Move capable(TASK_KILL) to end of cap_task_kill to reduce
      	audit messages.
      
      	Nov 05:
      	Add secondary calls in selinux/hooks.c to task_setioprio and
      	task_setscheduler so that selinux and capabilities with file
      	cap support can be stacked.
      
      	Sep 05:
      	As Seth Arnold points out, uid checks are out of place
      	for capability code.
      
      	Sep 01:
      	Define task_setscheduler, task_setioprio, cap_task_kill, and
      	task_setnice to make sure a user cannot affect a process in which
      	they called a program with some fscaps.
      
      	One remaining question is the note under task_setscheduler: are we
      	ok with CAP_SYS_NICE being sufficient to confine a process to a
      	cpuset?
      
      	It is a semantic change, as without fsccaps, attach_task doesn't
      	allow CAP_SYS_NICE to override the uid equivalence check.  But since
      	it uses security_task_setscheduler, which elsewhere is used where
      	CAP_SYS_NICE can be used to override the uid equivalence check,
      	fixing it might be tough.
      
      	     task_setscheduler
      		 note: this also controls cpuset:attach_task.  Are we ok with
      		     CAP_SYS_NICE being used to confine to a cpuset?
      	     task_setioprio
      	     task_setnice
      		 sys_setpriority uses this (through set_one_prio) for another
      		 process.  Need same checks as setrlimit
      
      	Aug 21:
      	Updated secureexec implementation to reflect the fact that
      	euid and uid might be the same and nonzero, but the process
      	might still have elevated caps.
      
      	Aug 15:
      	Handle endianness of xattrs.
      	Enforce capability version match between kernel and disk.
      	Enforce that no bits beyond the known max capability are
      	set, else return -EPERM.
      	With this extra processing, it may be worth reconsidering
      	doing all the work at bprm_set_security rather than
      	d_instantiate.
      
      	Aug 10:
      	Always call getxattr at bprm_set_security, rather than
      	caching it at d_instantiate.
      
      [morgan@kernel.org: file-caps clean up for linux/capability.h]
      [bunk@kernel.org: unexport cap_inode_killpriv]
      Signed-off-by: NSerge E. Hallyn <serue@us.ibm.com>
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Cc: James Morris <jmorris@namei.org>
      Cc: Chris Wright <chrisw@sous-sol.org>
      Cc: Andrew Morgan <morgan@kernel.org>
      Signed-off-by: NAndrew Morgan <morgan@kernel.org>
      Signed-off-by: NAdrian Bunk <bunk@kernel.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      b5376771
    • J
      security: Convert LSM into a static interface · 20510f2f
      James Morris 提交于
      Convert LSM into a static interface, as the ability to unload a security
      module is not required by in-tree users and potentially complicates the
      overall security architecture.
      
      Needlessly exported LSM symbols have been unexported, to help reduce API
      abuse.
      
      Parameters for the capability and root_plug modules are now specified
      at boot.
      
      The SECURITY_FRAMEWORK_VERSION macro has also been removed.
      
      In a nutshell, there is no safe way to unload an LSM.  The modular interface
      is thus unecessary and broken infrastructure.  It is used only by out-of-tree
      modules, which are often binary-only, illegal, abusive of the API and
      dangerous, e.g.  silently re-vectoring SELinux.
      
      [akpm@linux-foundation.org: cleanups]
      [akpm@linux-foundation.org: USB Kconfig fix]
      [randy.dunlap@oracle.com: fix LSM kernel-doc]
      Signed-off-by: NJames Morris <jmorris@namei.org>
      Acked-by: NChris Wright <chrisw@sous-sol.org>
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Cc: "Serge E. Hallyn" <serue@us.ibm.com>
      Acked-by: NArjan van de Ven <arjan@infradead.org>
      Signed-off-by: NRandy Dunlap <randy.dunlap@oracle.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      20510f2f
    • Y
      SELinux: Improve read/write performance · 788e7dd4
      Yuichi Nakamura 提交于
      It reduces the selinux overhead on read/write by only revalidating
      permissions in selinux_file_permission if the task or inode labels have
      changed or the policy has changed since the open-time check.  A new LSM
      hook, security_dentry_open, is added to capture the necessary state at open
      time to allow this optimization.
      
      (see http://marc.info/?l=selinux&m=118972995207740&w=2)
      
      Signed-off-by: Yuichi Nakamura<ynakam@hitachisoft.jp>
      Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      788e7dd4
  14. 23 8月, 2007 1 次提交
    • A
      fix NULL pointer dereference in __vm_enough_memory() · 34b4e4aa
      Alan Cox 提交于
      The new exec code inserts an accounted vma into an mm struct which is not
      current->mm.  The existing memory check code has a hard coded assumption
      that this does not happen as does the security code.
      
      As the correct mm is known we pass the mm to the security method and the
      helper function.  A new security test is added for the case where we need
      to pass the mm and the existing one is modified to pass current->mm to
      avoid the need to change large amounts of code.
      
      (Thanks to Tobias for fixing rejects and testing)
      Signed-off-by: NAlan Cox <alan@redhat.com>
      Cc: WU Fengguang <wfg@mail.ustc.edu.cn>
      Cc: James Morris <jmorris@redhat.com>
      Cc: Tobias Diedrich <ranma+kernel@tdiedrich.de>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      34b4e4aa
  15. 20 7月, 2007 1 次提交
  16. 12 7月, 2007 1 次提交
    • E
      security: Protection for exploiting null dereference using mmap · ed032189
      Eric Paris 提交于
      Add a new security check on mmap operations to see if the user is attempting
      to mmap to low area of the address space.  The amount of space protected is
      indicated by the new proc tunable /proc/sys/vm/mmap_min_addr and defaults to
      0, preserving existing behavior.
      
      This patch uses a new SELinux security class "memprotect."  Policy already
      contains a number of allow rules like a_t self:process * (unconfined_t being
      one of them) which mean that putting this check in the process class (its
      best current fit) would make it useless as all user processes, which we also
      want to protect against, would be allowed. By taking the memprotect name of
      the new class it will also make it possible for us to move some of the other
      memory protect permissions out of 'process' and into the new class next time
      we bump the policy version number (which I also think is a good future idea)
      Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
      Acked-by: NChris Wright <chrisw@sous-sol.org>
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      ed032189
  17. 15 3月, 2007 1 次提交
  18. 03 12月, 2006 3 次提交
    • V
      SELinux: Fix SA selection semantics · 67f83cbf
      Venkat Yekkirala 提交于
      Fix the selection of an SA for an outgoing packet to be at the same
      context as the originating socket/flow. This eliminates the SELinux
      policy's ability to use/sendto SAs with contexts other than the socket's.
      
      With this patch applied, the SELinux policy will require one or more of the
      following for a socket to be able to communicate with/without SAs:
      
      1. To enable a socket to communicate without using labeled-IPSec SAs:
      
      allow socket_t unlabeled_t:association { sendto recvfrom }
      
      2. To enable a socket to communicate with labeled-IPSec SAs:
      
      allow socket_t self:association { sendto };
      allow socket_t peer_sa_t:association { recvfrom };
      Signed-off-by: NVenkat Yekkirala <vyekkirala@TrustedCS.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      67f83cbf
    • V
      SELinux: Return correct context for SO_PEERSEC · 6b877699
      Venkat Yekkirala 提交于
      Fix SO_PEERSEC for tcp sockets to return the security context of
      the peer (as represented by the SA from the peer) as opposed to the
      SA used by the local/source socket.
      Signed-off-by: NVenkat Yekkirala <vyekkirala@TrustedCS.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      6b877699
    • V
      SELinux: Various xfrm labeling fixes · c1a856c9
      Venkat Yekkirala 提交于
      Since the upstreaming of the mlsxfrm modification a few months back,
      testing has resulted in the identification of the following issues/bugs that
      are resolved in this patch set.
      
      1. Fix the security context used in the IKE negotiation to be the context
         of the socket as opposed to the context of the SPD rule.
      
      2. Fix SO_PEERSEC for tcp sockets to return the security context of
         the peer as opposed to the source.
      
      3. Fix the selection of an SA for an outgoing packet to be at the same
         context as the originating socket/flow.
      
      The following would be the result of applying this patchset:
      
      - SO_PEERSEC will now correctly return the peer's context.
      
      - IKE deamons will receive the context of the source socket/flow
        as opposed to the SPD rule's context so that the negotiated SA
        will be at the same context as the source socket/flow.
      
      - The SELinux policy will require one or more of the
        following for a socket to be able to communicate with/without SAs:
      
        1. To enable a socket to communicate without using labeled-IPSec SAs:
      
           allow socket_t unlabeled_t:association { sendto recvfrom }
      
        2. To enable a socket to communicate with labeled-IPSec SAs:
      
           allow socket_t self:association { sendto };
           allow socket_t peer_sa_t:association { recvfrom };
      
      This Patch: Pass correct security context to IKE for use in negotiation
      
      Fix the security context passed to IKE for use in negotiation to be the
      context of the socket as opposed to the context of the SPD rule so that
      the SA carries the label of the originating socket/flow.
      Signed-off-by: NVenkat Yekkirala <vyekkirala@TrustedCS.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      c1a856c9
  19. 12 10月, 2006 1 次提交
    • V
      IPsec: correct semantics for SELinux policy matching · 5b368e61
      Venkat Yekkirala 提交于
      Currently when an IPSec policy rule doesn't specify a security
      context, it is assumed to be "unlabeled" by SELinux, and so
      the IPSec policy rule fails to match to a flow that it would
      otherwise match to, unless one has explicitly added an SELinux
      policy rule allowing the flow to "polmatch" to the "unlabeled"
      IPSec policy rules. In the absence of such an explicitly added
      SELinux policy rule, the IPSec policy rule fails to match and
      so the packet(s) flow in clear text without the otherwise applicable
      xfrm(s) applied.
      
      The above SELinux behavior violates the SELinux security notion of
      "deny by default" which should actually translate to "encrypt by
      default" in the above case.
      
      This was first reported by Evgeniy Polyakov and the way James Morris
      was seeing the problem was when connecting via IPsec to a
      confined service on an SELinux box (vsftpd), which did not have the
      appropriate SELinux policy permissions to send packets via IPsec.
      
      With this patch applied, SELinux "polmatching" of flows Vs. IPSec
      policy rules will only come into play when there's a explicit context
      specified for the IPSec policy rule (which also means there's corresponding
      SELinux policy allowing appropriate domains/flows to polmatch to this context).
      
      Secondly, when a security module is loaded (in this case, SELinux), the
      security_xfrm_policy_lookup() hook can return errors other than access denied,
      such as -EINVAL.  We were not handling that correctly, and in fact
      inverting the return logic and propagating a false "ok" back up to
      xfrm_lookup(), which then allowed packets to pass as if they were not
      associated with an xfrm policy.
      
      The solution for this is to first ensure that errno values are
      correctly propagated all the way back up through the various call chains
      from security_xfrm_policy_lookup(), and handled correctly.
      
      Then, flow_cache_lookup() is modified, so that if the policy resolver
      fails (typically a permission denied via the security module), the flow
      cache entry is killed rather than having a null policy assigned (which
      indicates that the packet can pass freely).  This also forces any future
      lookups for the same flow to consult the security module (e.g. SELinux)
      for current security policy (rather than, say, caching the error on the
      flow cache entry).
      
      This patch: Fix the selinux side of things.
      
      This makes sure SELinux polmatching of flow contexts to IPSec policy
      rules comes into play only when an explicit context is associated
      with the IPSec policy rule.
      
      Also, this no longer defaults the context of a socket policy to
      the context of the socket since the "no explicit context" case
      is now handled properly.
      Signed-off-by: NVenkat Yekkirala <vyekkirala@TrustedCS.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      5b368e61
  20. 23 9月, 2006 6 次提交
  21. 03 8月, 2006 1 次提交
    • C
      [AF_UNIX]: Kernel memory leak fix for af_unix datagram getpeersec patch · dc49c1f9
      Catherine Zhang 提交于
      From: Catherine Zhang <cxzhang@watson.ibm.com>
      
      This patch implements a cleaner fix for the memory leak problem of the
      original unix datagram getpeersec patch.  Instead of creating a
      security context each time a unix datagram is sent, we only create the
      security context when the receiver requests it.
      
      This new design requires modification of the current
      unix_getsecpeer_dgram LSM hook and addition of two new hooks, namely,
      secid_to_secctx and release_secctx.  The former retrieves the security
      context and the latter releases it.  A hook is required for releasing
      the security context because it is up to the security module to decide
      how that's done.  In the case of Selinux, it's a simple kfree
      operation.
      Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      dc49c1f9
  22. 01 7月, 2006 2 次提交