1. 30 9月, 2006 1 次提交
    • C
      [PATCH] SELinux: support mls categories for context mounts · 3528a953
      Cory Olmo 提交于
      Allows commas to be embedded into context mount options (i.e.  "-o
      context=some_selinux_context_t"), to better support multiple categories,
      which are separated by commas and confuse mount.
      
      For example, with the current code:
      
        mount -t iso9660 /dev/cdrom /media/cdrom -o \
        ro,context=system_u:object_r:iso9660_t:s0:c1,c3,c4,exec
      
      The context option that will be interpreted by SELinux is
      context=system_u:object_r:iso9660_t:s0:c1
      
      instead of
      context=system_u:object_r:iso9660_t:s0:c1,c3,c4
      
      The options that will be passed on to the file system will be
      ro,c3,c4,exec.
      
      The proposed solution is to allow/require the SELinux context option
      specified to mount to use quotes when the context contains a comma.
      
      This patch modifies the option parsing in parse_opts(), contained in
      mount.c, to take options after finding a comma only if it hasn't seen a
      quote or if the quotes are matched.  It also introduces a new function that
      will strip the quotes from the context option prior to translation.  The
      quotes are replaced after the translation is completed to insure that in
      the event the raw context contains commas the kernel will be able to
      interpret the correct context.
      Signed-off-by: NCory Olmo <colmo@TrustedCS.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NAndrew Morton <akpm@osdl.org>
      Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
      3528a953
  2. 26 9月, 2006 4 次提交
  3. 23 9月, 2006 8 次提交
  4. 03 8月, 2006 1 次提交
    • C
      [AF_UNIX]: Kernel memory leak fix for af_unix datagram getpeersec patch · dc49c1f9
      Catherine Zhang 提交于
      From: Catherine Zhang <cxzhang@watson.ibm.com>
      
      This patch implements a cleaner fix for the memory leak problem of the
      original unix datagram getpeersec patch.  Instead of creating a
      security context each time a unix datagram is sent, we only create the
      security context when the receiver requests it.
      
      This new design requires modification of the current
      unix_getsecpeer_dgram LSM hook and addition of two new hooks, namely,
      secid_to_secctx and release_secctx.  The former retrieves the security
      context and the latter releases it.  A hook is required for releasing
      the security context because it is up to the security module to decide
      how that's done.  In the case of Selinux, it's a simple kfree
      operation.
      Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      dc49c1f9
  5. 15 7月, 2006 1 次提交
  6. 11 7月, 2006 2 次提交
  7. 01 7月, 2006 3 次提交
  8. 30 6月, 2006 2 次提交
    • C
      [AF_UNIX]: Datagram getpeersec · 877ce7c1
      Catherine Zhang 提交于
      This patch implements an API whereby an application can determine the
      label of its peer's Unix datagram sockets via the auxiliary data mechanism of
      recvmsg.
      
      Patch purpose:
      
      This patch enables a security-aware application to retrieve the
      security context of the peer of a Unix datagram socket.  The application
      can then use this security context to determine the security context for
      processing on behalf of the peer who sent the packet.
      
      Patch design and implementation:
      
      The design and implementation is very similar to the UDP case for INET
      sockets.  Basically we build upon the existing Unix domain socket API for
      retrieving user credentials.  Linux offers the API for obtaining user
      credentials via ancillary messages (i.e., out of band/control messages
      that are bundled together with a normal message).  To retrieve the security
      context, the application first indicates to the kernel such desire by
      setting the SO_PASSSEC option via getsockopt.  Then the application
      retrieves the security context using the auxiliary data mechanism.
      
      An example server application for Unix datagram socket should look like this:
      
      toggle = 1;
      toggle_len = sizeof(toggle);
      
      setsockopt(sockfd, SOL_SOCKET, SO_PASSSEC, &toggle, &toggle_len);
      recvmsg(sockfd, &msg_hdr, 0);
      if (msg_hdr.msg_controllen > sizeof(struct cmsghdr)) {
          cmsg_hdr = CMSG_FIRSTHDR(&msg_hdr);
          if (cmsg_hdr->cmsg_len <= CMSG_LEN(sizeof(scontext)) &&
              cmsg_hdr->cmsg_level == SOL_SOCKET &&
              cmsg_hdr->cmsg_type == SCM_SECURITY) {
              memcpy(&scontext, CMSG_DATA(cmsg_hdr), sizeof(scontext));
          }
      }
      
      sock_setsockopt is enhanced with a new socket option SOCK_PASSSEC to allow
      a server socket to receive security context of the peer.
      
      Testing:
      
      We have tested the patch by setting up Unix datagram client and server
      applications.  We verified that the server can retrieve the security context
      using the auxiliary data mechanism of recvmsg.
      Signed-off-by: NCatherine Zhang <cxzhang@watson.ibm.com>
      Acked-by: NAcked-by: James Morris <jmorris@namei.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      877ce7c1
    • D
      [NETLINK]: Encapsulate eff_cap usage within security framework. · c7bdb545
      Darrel Goeddel 提交于
      This patch encapsulates the usage of eff_cap (in netlink_skb_params) within
      the security framework by extending security_netlink_recv to include a required
      capability parameter and converting all direct usage of eff_caps outside
      of the lsm modules to use the interface.  It also updates the SELinux
      implementation of the security_netlink_send and security_netlink_recv
      hooks to take advantage of the sid in the netlink_skb_params struct.
      This also enables SELinux to perform auditing of netlink capability checks.
      Please apply, for 2.6.18 if possible.
      Signed-off-by: NDarrel Goeddel <dgoeddel@trustedcs.com>
      Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov>
      Acked-by: NJames Morris <jmorris@namei.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c7bdb545
  9. 28 6月, 2006 1 次提交
  10. 27 6月, 2006 3 次提交
    • E
      [PATCH] SELinux: Add sockcreate node to procattr API · 42c3e03e
      Eric Paris 提交于
      Below is a patch to add a new /proc/self/attr/sockcreate A process may write a
      context into this interface and all subsequent sockets created will be labeled
      with that context.  This is the same idea as the fscreate interface where a
      process can specify the label of a file about to be created.  At this time one
      envisioned user of this will be xinetd.  It will be able to better label
      sockets for the actual services.  At this time all sockets take the label of
      the creating process, so all xinitd sockets would just be labeled the same.
      
      I tested this by creating a tcp sender and listener.  The sender was able to
      write to this new proc file and then create sockets with the specified label.
      I am able to be sure the new label was used since the avc denial messages
      kicked out by the kernel included both the new security permission
      setsockcreate and all the socket denials were for the new label, not the label
      of the running process.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      Cc: Chris Wright <chrisw@sous-sol.org>
      Signed-off-by: NAndrew Morton <akpm@osdl.org>
      Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
      42c3e03e
    • M
      [PATCH] keys: add a way to store the appropriate context for newly-created keys · 4eb582cf
      Michael LeMay 提交于
      Add a /proc/<pid>/attr/keycreate entry that stores the appropriate context for
      newly-created keys.  Modify the selinux_key_alloc hook to make use of the new
      entry.  Update the flask headers to include a new "setkeycreate" permission
      for processes.  Update the flask headers to include a new "create" permission
      for keys.  Use the create permission to restrict which SIDs each task can
      assign to newly-created keys.  Add a new parameter to the security hook
      "security_key_alloc" to indicate whether it is being invoked by the kernel, or
      from userspace.  If it is being invoked by the kernel, the security hook
      should never fail.  Update the documentation to reflect these changes.
      Signed-off-by: NMichael LeMay <mdlemay@epoch.ncsc.mil>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NAndrew Morton <akpm@osdl.org>
      Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
      4eb582cf
    • D
      [PATCH] keys: sort out key quota system · 7e047ef5
      David Howells 提交于
      Add the ability for key creation to overrun the user's quota in some
      circumstances - notably when a session keyring is created and assigned to a
      process that didn't previously have one.
      
      This means it's still possible to log in, should PAM require the creation of a
      new session keyring, and fix an overburdened key quota.
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NAndrew Morton <akpm@osdl.org>
      Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
      7e047ef5
  11. 23 6月, 2006 4 次提交
  12. 18 6月, 2006 3 次提交
    • J
      [SECMARK]: Add new packet controls to SELinux · 4e5ab4cb
      James Morris 提交于
      Add new per-packet access controls to SELinux, replacing the old
      packet controls.
      
      Packets are labeled with the iptables SECMARK and CONNSECMARK targets,
      then security policy for the packets is enforced with these controls.
      
      To allow for a smooth transition to the new controls, the old code is
      still present, but not active by default.  To restore previous
      behavior, the old controls may be activated at runtime by writing a
      '1' to /selinux/compat_net, and also via the kernel boot parameter
      selinux_compat_net.  Switching between the network control models
      requires the security load_policy permission.  The old controls will
      probably eventually be removed and any continued use is discouraged.
      
      With this patch, the new secmark controls for SElinux are disabled by
      default, so existing behavior is entirely preserved, and the user is
      not affected at all.
      
      It also provides a config option to enable the secmark controls by
      default (which can always be overridden at boot and runtime).  It is
      also noted in the kconfig help that the user will need updated
      userspace if enabling secmark controls for SELinux and that they'll
      probably need the SECMARK and CONNMARK targets, and conntrack protocol
      helpers, although such decisions are beyond the scope of kernel
      configuration.
      Signed-off-by: NJames Morris <jmorris@namei.org>
      Signed-off-by: NAndrew Morton <akpm@osdl.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      4e5ab4cb
    • C
      [SELINUX]: add security class for appletalk sockets · 3e3ff15e
      Christopher J. PeBenito 提交于
      Add a security class for appletalk sockets so that they can be
      distinguished in SELinux policy.  Please apply.
      Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov>
      Acked-by: NJames Morris <jmorris@namei.org>
      Signed-off-by: NAndrew Morton <akpm@osdl.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      3e3ff15e
    • C
      [LSM-IPsec]: SELinux Authorize · c8c05a8e
      Catherine Zhang 提交于
      This patch contains a fix for the previous patch that adds security
      contexts to IPsec policies and security associations.  In the previous
      patch, no authorization (besides the check for write permissions to
      SAD and SPD) is required to delete IPsec policies and security
      assocations with security contexts.  Thus a user authorized to change
      SAD and SPD can bypass the IPsec policy authorization by simply
      deleteing policies with security contexts.  To fix this security hole,
      an additional authorization check is added for removing security
      policies and security associations with security contexts.
      
      Note that if no security context is supplied on add or present on
      policy to be deleted, the SELinux module allows the change
      unconditionally.  The hook is called on deletion when no context is
      present, which we may want to change.  At present, I left it up to the
      module.
      
      LSM changes:
      
      The patch adds two new LSM hooks: xfrm_policy_delete and
      xfrm_state_delete.  The new hooks are necessary to authorize deletion
      of IPsec policies that have security contexts.  The existing hooks
      xfrm_policy_free and xfrm_state_free lack the context to do the
      authorization, so I decided to split authorization of deletion and
      memory management of security data, as is typical in the LSM
      interface.
      
      Use:
      
      The new delete hooks are checked when xfrm_policy or xfrm_state are
      deleted by either the xfrm_user interface (xfrm_get_policy,
      xfrm_del_sa) or the pfkey interface (pfkey_spddelete, pfkey_delete).
      
      SELinux changes:
      
      The new policy_delete and state_delete functions are added.
      Signed-off-by: NCatherine Zhang <cxzhang@watson.ibm.com>
      Signed-off-by: NTrent Jaeger <tjaeger@cse.psu.edu>
      Acked-by: NJames Morris <jmorris@namei.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c8c05a8e
  13. 06 6月, 2006 1 次提交
  14. 22 5月, 2006 1 次提交
  15. 04 5月, 2006 1 次提交
  16. 01 5月, 2006 1 次提交
  17. 22 3月, 2006 3 次提交