1. 02 8月, 2010 7 次提交
  2. 22 5月, 2010 1 次提交
  3. 29 4月, 2010 1 次提交
    • S
      selinux: generalize disabling of execmem for plt-in-heap archs · fcaaade1
      Stephen Smalley 提交于
      On Tue, 2010-04-27 at 11:47 -0700, David Miller wrote:
      > From: "Tom \"spot\" Callaway" <tcallawa@redhat.com>
      > Date: Tue, 27 Apr 2010 14:20:21 -0400
      >
      > > [root@apollo ~]$ cat /proc/2174/maps
      > > 00010000-00014000 r-xp 00000000 fd:00 15466577
      > >  /sbin/mingetty
      > > 00022000-00024000 rwxp 00002000 fd:00 15466577
      > >  /sbin/mingetty
      > > 00024000-00046000 rwxp 00000000 00:00 0
      > >  [heap]
      >
      > SELINUX probably barfs on the executable heap, the PLT is in the HEAP
      > just like powerpc32 and that's why VM_DATA_DEFAULT_FLAGS has to set
      > both executable and writable.
      >
      > You also can't remove the CONFIG_PPC32 ifdefs in selinux, since
      > because of the VM_DATA_DEFAULT_FLAGS setting used still in that arch,
      > the heap will always have executable permission, just like sparc does.
      > You have to support those binaries forever, whether you like it or not.
      >
      > Let's just replace the CONFIG_PPC32 ifdef in SELINUX with CONFIG_PPC32
      > || CONFIG_SPARC as in Tom's original patch and let's be done with
      > this.
      >
      > In fact I would go through all the arch/ header files and check the
      > VM_DATA_DEFAULT_FLAGS settings and add the necessary new ifdefs to the
      > SELINUX code so that other platforms don't have the pain of having to
      > go through this process too.
      
      To avoid maintaining per-arch ifdefs, it seems that we could just
      directly use (VM_DATA_DEFAULT_FLAGS & VM_EXEC) as the basis for deciding
      whether to enable or disable these checks.   VM_DATA_DEFAULT_FLAGS isn't
      constant on some architectures but instead depends on
      current->personality, but we want this applied uniformly.  So we'll just
      use the initial task state to determine whether or not to enable these
      checks.
      Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov>
      Acked-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      fcaaade1
  4. 08 4月, 2010 1 次提交
  5. 08 3月, 2010 1 次提交
  6. 26 2月, 2010 1 次提交
  7. 24 2月, 2010 1 次提交
    • W
      Security: add static to security_ops and default_security_ops variable · 189b3b1c
      wzt.wzt@gmail.com 提交于
      Enhance the security framework to support resetting the active security
      module. This eliminates the need for direct use of the security_ops and
      default_security_ops variables outside of security.c, so make security_ops
      and default_security_ops static. Also remove the secondary_ops variable as
      a cleanup since there is no use for that. secondary_ops was originally used by
      SELinux to call the "secondary" security module (capability or dummy),
      but that was replaced by direct calls to capability and the only
      remaining use is to save and restore the original security ops pointer
      value if SELinux is disabled by early userspace based on /etc/selinux/config.
      Further, if we support this directly in the security framework, then we can
      just use &default_security_ops for this purpose since that is now available.
      Signed-off-by: NZhitong Wang <zhitong.wangzt@alibaba-inc.com>
      Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      189b3b1c
  8. 04 2月, 2010 2 次提交
  9. 04 1月, 2010 1 次提交
  10. 21 11月, 2009 1 次提交
  11. 10 11月, 2009 1 次提交
    • E
      security: report the module name to security_module_request · dd8dbf2e
      Eric Paris 提交于
      For SELinux to do better filtering in userspace we send the name of the
      module along with the AVC denial when a program is denied module_request.
      
      Example output:
      
      type=SYSCALL msg=audit(11/03/2009 10:59:43.510:9) : arch=x86_64 syscall=write success=yes exit=2 a0=3 a1=7fc28c0d56c0 a2=2 a3=7fffca0d7440 items=0 ppid=1727 pid=1729 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpc.nfsd exe=/usr/sbin/rpc.nfsd subj=system_u:system_r:nfsd_t:s0 key=(null)
      type=AVC msg=audit(11/03/2009 10:59:43.510:9) : avc:  denied  { module_request } for  pid=1729 comm=rpc.nfsd kmod="net-pf-10" scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      dd8dbf2e
  12. 07 10月, 2009 1 次提交
    • S
      selinux: drop remapping of netlink classes · 941fc5b2
      Stephen Smalley 提交于
      Drop remapping of netlink classes and bypass of permission checking
      based on netlink message type for policy version < 18.  This removes
      compatibility code introduced when the original single netlink
      security class used for all netlink sockets was split into
      finer-grained netlink classes based on netlink protocol and when
      permission checking was added based on netlink message type in Linux
      2.6.8.  The only known distribution that shipped with SELinux and
      policy < 18 was Fedora Core 2, which was EOL'd on 2005-04-11.
      
      Given that the remapping code was never updated to address the
      addition of newer netlink classes, that the corresponding userland
      support was dropped in 2005, and that the assumptions made by the
      remapping code about the fixed ordering among netlink classes in the
      policy may be violated in the future due to the dynamic class/perm
      discovery support, we should drop this compatibility code now.
      Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      941fc5b2
  13. 30 9月, 2009 1 次提交
    • E
      SELinux: reset the security_ops before flushing the avc cache · af8ff049
      Eric Paris 提交于
      This patch resets the security_ops to the secondary_ops before it flushes
      the avc.  It's still possible that a task on another processor could have
      already passed the security_ops dereference and be executing an selinux hook
      function which would add a new avc entry.  That entry would still not be
      freed.  This should however help to reduce the number of needless avcs the
      kernel has when selinux is disabled at run time.  There is no wasted
      memory if selinux is disabled on the command line or not compiled.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      af8ff049
  14. 24 9月, 2009 1 次提交
  15. 10 9月, 2009 2 次提交
    • D
      sysfs: Add labeling support for sysfs · ddd29ec6
      David P. Quigley 提交于
      This patch adds a setxattr handler to the file, directory, and symlink
      inode_operations structures for sysfs. The patch uses hooks introduced in the
      previous patch to handle the getting and setting of security information for
      the sysfs inodes. As was suggested by Eric Biederman the struct iattr in the
      sysfs_dirent structure has been replaced by a structure which contains the
      iattr, secdata and secdata length to allow the changes to persist in the event
      that the inode representing the sysfs_dirent is evicted. Because sysfs only
      stores this information when a change is made all the optional data is moved
      into one dynamically allocated field.
      
      This patch addresses an issue where SELinux was denying virtd access to the PCI
      configuration entries in sysfs. The lack of setxattr handlers for sysfs
      required that a single label be assigned to all entries in sysfs. Granting virtd
      access to every entry in sysfs is not an acceptable solution so fine grained
      labeling of sysfs is required such that individual entries can be labeled
      appropriately.
      
      [sds:  Fixed compile-time warnings, coding style, and setting of inode security init flags.]
      Signed-off-by: NDavid P. Quigley <dpquigl@tycho.nsa.gov>
      Signed-off-by: NStephen D. Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      ddd29ec6
    • D
      LSM/SELinux: inode_{get,set,notify}secctx hooks to access LSM security context information. · 1ee65e37
      David P. Quigley 提交于
      This patch introduces three new hooks. The inode_getsecctx hook is used to get
      all relevant information from an LSM about an inode. The inode_setsecctx is
      used to set both the in-core and on-disk state for the inode based on a context
      derived from inode_getsecctx.The final hook inode_notifysecctx will notify the
      LSM of a change for the in-core state of the inode in question. These hooks are
      for use in the labeled NFS code and addresses concerns of how to set security
      on an inode in a multi-xattr LSM. For historical reasons Stephen Smalley's
      explanation of the reason for these hooks is pasted below.
      
      Quote Stephen Smalley
      
      inode_setsecctx:  Change the security context of an inode.  Updates the
      in core security context managed by the security module and invokes the
      fs code as needed (via __vfs_setxattr_noperm) to update any backing
      xattrs that represent the context.  Example usage:  NFS server invokes
      this hook to change the security context in its incore inode and on the
      backing file system to a value provided by the client on a SETATTR
      operation.
      
      inode_notifysecctx:  Notify the security module of what the security
      context of an inode should be.  Initializes the incore security context
      managed by the security module for this inode.  Example usage:  NFS
      client invokes this hook to initialize the security context in its
      incore inode to the value provided by the server for the file when the
      server returned the file's attributes to the client.
      Signed-off-by: NDavid P. Quigley <dpquigl@tycho.nsa.gov>
      Acked-by: NSerge Hallyn <serue@us.ibm.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      1ee65e37
  16. 02 9月, 2009 2 次提交
    • D
      KEYS: Add a keyctl to install a process's session keyring on its parent [try #6] · ee18d64c
      David Howells 提交于
      Add a keyctl to install a process's session keyring onto its parent.  This
      replaces the parent's session keyring.  Because the COW credential code does
      not permit one process to change another process's credentials directly, the
      change is deferred until userspace next starts executing again.  Normally this
      will be after a wait*() syscall.
      
      To support this, three new security hooks have been provided:
      cred_alloc_blank() to allocate unset security creds, cred_transfer() to fill in
      the blank security creds and key_session_to_parent() - which asks the LSM if
      the process may replace its parent's session keyring.
      
      The replacement may only happen if the process has the same ownership details
      as its parent, and the process has LINK permission on the session keyring, and
      the session keyring is owned by the process, and the LSM permits it.
      
      Note that this requires alteration to each architecture's notify_resume path.
      This has been done for all arches barring blackfin, m68k* and xtensa, all of
      which need assembly alteration to support TIF_NOTIFY_RESUME.  This allows the
      replacement to be performed at the point the parent process resumes userspace
      execution.
      
      This allows the userspace AFS pioctl emulation to fully emulate newpag() and
      the VIOCSETTOK and VIOCSETTOK2 pioctls, all of which require the ability to
      alter the parent process's PAG membership.  However, since kAFS doesn't use
      PAGs per se, but rather dumps the keys into the session keyring, the session
      keyring of the parent must be replaced if, for example, VIOCSETTOK is passed
      the newpag flag.
      
      This can be tested with the following program:
      
      	#include <stdio.h>
      	#include <stdlib.h>
      	#include <keyutils.h>
      
      	#define KEYCTL_SESSION_TO_PARENT	18
      
      	#define OSERROR(X, S) do { if ((long)(X) == -1) { perror(S); exit(1); } } while(0)
      
      	int main(int argc, char **argv)
      	{
      		key_serial_t keyring, key;
      		long ret;
      
      		keyring = keyctl_join_session_keyring(argv[1]);
      		OSERROR(keyring, "keyctl_join_session_keyring");
      
      		key = add_key("user", "a", "b", 1, keyring);
      		OSERROR(key, "add_key");
      
      		ret = keyctl(KEYCTL_SESSION_TO_PARENT);
      		OSERROR(ret, "KEYCTL_SESSION_TO_PARENT");
      
      		return 0;
      	}
      
      Compiled and linked with -lkeyutils, you should see something like:
      
      	[dhowells@andromeda ~]$ keyctl show
      	Session Keyring
      	       -3 --alswrv   4043  4043  keyring: _ses
      	355907932 --alswrv   4043    -1   \_ keyring: _uid.4043
      	[dhowells@andromeda ~]$ /tmp/newpag
      	[dhowells@andromeda ~]$ keyctl show
      	Session Keyring
      	       -3 --alswrv   4043  4043  keyring: _ses
      	1055658746 --alswrv   4043  4043   \_ user: a
      	[dhowells@andromeda ~]$ /tmp/newpag hello
      	[dhowells@andromeda ~]$ keyctl show
      	Session Keyring
      	       -3 --alswrv   4043  4043  keyring: hello
      	340417692 --alswrv   4043  4043   \_ user: a
      
      Where the test program creates a new session keyring, sticks a user key named
      'a' into it and then installs it on its parent.
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      ee18d64c
    • D
      CRED: Add some configurable debugging [try #6] · e0e81739
      David Howells 提交于
      Add a config option (CONFIG_DEBUG_CREDENTIALS) to turn on some debug checking
      for credential management.  The additional code keeps track of the number of
      pointers from task_structs to any given cred struct, and checks to see that
      this number never exceeds the usage count of the cred struct (which includes
      all references, not just those from task_structs).
      
      Furthermore, if SELinux is enabled, the code also checks that the security
      pointer in the cred struct is never seen to be invalid.
      
      This attempts to catch the bug whereby inode_has_perm() faults in an nfsd
      kernel thread on seeing cred->security be a NULL pointer (it appears that the
      credential struct has been previously released):
      
      	http://www.kerneloops.org/oops.php?number=252883Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      e0e81739
  17. 01 9月, 2009 1 次提交
    • P
      selinux: Support for the new TUN LSM hooks · ed6d76e4
      Paul Moore 提交于
      Add support for the new TUN LSM hooks: security_tun_dev_create(),
      security_tun_dev_post_create() and security_tun_dev_attach().  This includes
      the addition of a new object class, tun_socket, which represents the socks
      associated with TUN devices.  The _tun_dev_create() and _tun_dev_post_create()
      hooks are fairly similar to the standard socket functions but _tun_dev_attach()
      is a bit special.  The _tun_dev_attach() is unique because it involves a
      domain attaching to an existing TUN device and its associated tun_socket
      object, an operation which does not exist with standard sockets and most
      closely resembles a relabel operation.
      Signed-off-by: NPaul Moore <paul.moore@hp.com>
      Acked-by: NEric Paris <eparis@parisplace.org>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      ed6d76e4
  18. 21 8月, 2009 1 次提交
  19. 17 8月, 2009 3 次提交
    • E
      Security/SELinux: seperate lsm specific mmap_min_addr · 788084ab
      Eric Paris 提交于
      Currently SELinux enforcement of controls on the ability to map low memory
      is determined by the mmap_min_addr tunable.  This patch causes SELinux to
      ignore the tunable and instead use a seperate Kconfig option specific to how
      much space the LSM should protect.
      
      The tunable will now only control the need for CAP_SYS_RAWIO and SELinux
      permissions will always protect the amount of low memory designated by
      CONFIG_LSM_MMAP_MIN_ADDR.
      
      This allows users who need to disable the mmap_min_addr controls (usual reason
      being they run WINE as a non-root user) to do so and still have SELinux
      controls preventing confined domains (like a web server) from being able to
      map some area of low memory.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      788084ab
    • E
      SELinux: call cap_file_mmap in selinux_file_mmap · 8cf948e7
      Eric Paris 提交于
      Currently SELinux does not check CAP_SYS_RAWIO in the file_mmap hook.  This
      means there is no DAC check on the ability to mmap low addresses in the
      memory space.  This function adds the DAC check for CAP_SYS_RAWIO while
      maintaining the selinux check on mmap_zero.  This means that processes
      which need to mmap low memory will need CAP_SYS_RAWIO and mmap_zero but will
      NOT need the SELinux sys_rawio capability.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      8cf948e7
    • T
      SELinux: Convert avc_audit to use lsm_audit.h · 2bf49690
      Thomas Liu 提交于
      Convert avc_audit in security/selinux/avc.c to use lsm_audit.h,
      for better maintainability.
      
       - changed selinux to use common_audit_data instead of
          avc_audit_data
       - eliminated code in avc.c and used code from lsm_audit.h instead.
      
      Had to add a LSM_AUDIT_NO_AUDIT to lsm_audit.h so that avc_audit
      can call common_lsm_audit and do the pre and post callbacks without
      doing the actual dump.  This makes it so that the patched version
      behaves the same way as the unpatched version.
      
      Also added a denied field to the selinux_audit_data private space,
      once again to make it so that the patched version behaves like the
      unpatched.
      
      I've tested and confirmed that AVCs look the same before and after
      this patch.
      Signed-off-by: NThomas Liu <tliu@redhat.com>
      Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      2bf49690
  20. 14 8月, 2009 1 次提交
  21. 11 8月, 2009 1 次提交
  22. 06 8月, 2009 2 次提交
    • E
      Security/SELinux: seperate lsm specific mmap_min_addr · a2551df7
      Eric Paris 提交于
      Currently SELinux enforcement of controls on the ability to map low memory
      is determined by the mmap_min_addr tunable.  This patch causes SELinux to
      ignore the tunable and instead use a seperate Kconfig option specific to how
      much space the LSM should protect.
      
      The tunable will now only control the need for CAP_SYS_RAWIO and SELinux
      permissions will always protect the amount of low memory designated by
      CONFIG_LSM_MMAP_MIN_ADDR.
      
      This allows users who need to disable the mmap_min_addr controls (usual reason
      being they run WINE as a non-root user) to do so and still have SELinux
      controls preventing confined domains (like a web server) from being able to
      map some area of low memory.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      a2551df7
    • E
      SELinux: call cap_file_mmap in selinux_file_mmap · 84336d1a
      Eric Paris 提交于
      Currently SELinux does not check CAP_SYS_RAWIO in the file_mmap hook.  This
      means there is no DAC check on the ability to mmap low addresses in the
      memory space.  This function adds the DAC check for CAP_SYS_RAWIO while
      maintaining the selinux check on mmap_zero.  This means that processes
      which need to mmap low memory will need CAP_SYS_RAWIO and mmap_zero but will
      NOT need the SELinux sys_rawio capability.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      84336d1a
  23. 17 7月, 2009 1 次提交
  24. 13 7月, 2009 2 次提交
  25. 25 6月, 2009 1 次提交
  26. 24 6月, 2009 1 次提交
  27. 23 6月, 2009 1 次提交