- 07 12月, 2014 2 次提交
-
-
由 Michael Ellerman 提交于
On powerpc we can end up with IMA=y and PPC_PSERIES=n which leads to: warning: (IMA) selects TCG_IBMVTPM which has unmet direct dependencies (TCG_TPM && PPC_PSERIES) tpm_ibmvtpm.c:(.text+0x14f3e8): undefined reference to `.plpar_hcall_norets' I'm not sure why IMA needs to select those user-visible symbols, but if it must then the simplest fix is to just express the proper dependencies on the select. Tested-by: NHon Ching (Vicky) Lo <lo1@us.ibm.com> Signed-off-by: NMichael Ellerman <mpe@ellerman.id.au> Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
-
由 Takashi Iwai 提交于
When loading encrypted-keys module, if the last check of aes_get_sizes() in init_encrypted() fails, the driver just returns an error without unregistering its key type. This results in the stale entry in the list. In addition to memory leaks, this leads to a kernel crash when registering a new key type later. This patch fixes the problem by swapping the calls of aes_get_sizes() and register_key_type(), and releasing resources properly at the error paths. Bugzilla: https://bugzilla.opensuse.org/show_bug.cgi?id=908163 Cc: <stable@vger.kernel.org> Signed-off-by: NTakashi Iwai <tiwai@suse.de> Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
-
- 02 12月, 2014 4 次提交
-
-
由 David Howells 提交于
Since the keyring facility can be viewed as a cache (at least in some applications), the local expiration time on the key should probably be viewed as a 'needs updating after this time' property rather than an absolute 'anyone now wanting to use this object is out of luck' property. Since request_key() is the main interface for the usage of keys, this should update or replace an expired key rather than issuing EKEYEXPIRED if the local expiration has been reached (ie. it should refresh the cache). For absolute conditions where refreshing the cache probably doesn't help, the key can be negatively instantiated using KEYCTL_REJECT_KEY with EKEYEXPIRED given as the error to issue. This will still cause request_key() to return EKEYEXPIRED as that was explicitly set. In the future, if the key type has an update op available, we might want to upcall with the expired key and allow the upcall to update it. We would pass a different operation name (the first column in /etc/request-key.conf) to the request-key program. request_key() returning EKEYEXPIRED is causing an NFS problem which Chuck Lever describes thusly: After about 10 minutes, my NFSv4 functional tests fail because the ownership of the test files goes to "-2". Looking at /proc/keys shows that the id_resolv keys that map to my test user ID have expired. The ownership problem persists until the expired keys are purged from the keyring, and fresh keys are obtained. I bisected the problem to 3.13 commit b2a4df20 ("KEYS: Expand the capacity of a keyring"). This commit inadvertantly changes the API contract of the internal function keyring_search_aux(). The root cause appears to be that b2a4df20 made "no state check" the default behavior. "No state check" means the keyring search iterator function skips checking the key's expiry timeout, and returns expired keys. request_key_and_link() depends on getting an -EAGAIN result code to know when to perform an upcall to refresh an expired key. This patch can be tested directly by: keyctl request2 user debug:fred a @s keyctl timeout %user:debug:fred 3 sleep 4 keyctl request2 user debug:fred a @s Without the patch, the last command gives error EKEYEXPIRED, but with the command it gives a new key. Reported-by: NCarl Hetherington <cth@carlh.net> Reported-by: NChuck Lever <chuck.lever@oracle.com> Signed-off-by: NDavid Howells <dhowells@redhat.com> Tested-by: NChuck Lever <chuck.lever@oracle.com>
-
由 David Howells 提交于
Simplify KEYRING_SEARCH_{NO,DO}_STATE_CHECK flags to be two variations of the same flag. They are effectively mutually exclusive and one or the other should be provided, but not both. Keyring cycle detection and key possession determination are the only things that set NO_STATE_CHECK, except that neither flag really does anything there because neither purpose makes use of the keyring_search_iterator() function, but rather provides their own. For cycle detection we definitely want to check inside of expired keyrings, just so that we don't create a cycle we can't get rid of. Revoked keyrings are cleared at revocation time and can't then be reused, so shouldn't be a problem either way. For possession determination, we *might* want to validate each keyring before searching it: do you possess a key that's hidden behind an expired or just plain inaccessible keyring? Currently, the answer is yes. Note that you cannot, however, possess a key behind a revoked keyring because they are cleared on revocation. keyring_search() sets DO_STATE_CHECK, which is correct. request_key_and_link() currently doesn't specify whether to check the key state or not - but it should set DO_STATE_CHECK. key_get_instantiation_authkey() also currently doesn't specify whether to check the key state or not - but it probably should also set DO_STATE_CHECK. Signed-off-by: NDavid Howells <dhowells@redhat.com> Tested-by: NChuck Lever <chuck.lever@oracle.com>
-
由 David Howells 提交于
When a key description argument is imported into the kernel from userspace, as happens in add_key(), request_key(), KEYCTL_JOIN_SESSION_KEYRING, KEYCTL_SEARCH, the description is copied into a buffer up to PAGE_SIZE in size. PAGE_SIZE, however, is a variable quantity, depending on the arch. Fix this at 4096 instead (ie. 4095 plus a NUL termination) and define a constant (KEY_MAX_DESC_SIZE) to this end. When reading the description back with KEYCTL_DESCRIBE, a PAGE_SIZE internal buffer is allocated into which the information and description will be rendered. This means that the description will get truncated if an extremely long description it has to be crammed into the buffer with the stringified information. There is no particular need to copy the description into the buffer, so just copy it directly to userspace in a separate operation. Reported-by: NChristian Kastner <debian@kvr.at> Signed-off-by: NDavid Howells <dhowells@redhat.com> Tested-by: NChristian Kastner <debian@kvr.at>
-
由 Yao Dongdong 提交于
security_ops is not used in this file. Signed-off-by: NYao Dongdong <yaodongdong@huawei.com> Signed-off-by: NPaul Moore <pmoore@redhat.com>
-
- 22 11月, 2014 1 次提交
-
-
由 Andrey Ryabinin 提交于
Setting smack label on file (e.g. 'attr -S -s SMACK64 -V "test" test') triggered following spew on the kernel with KASan applied: ================================================================== BUG: AddressSanitizer: out of bounds access in strncpy+0x28/0x60 at addr ffff8800059ad064 ============================================================================= BUG kmalloc-8 (Not tainted): kasan error ----------------------------------------------------------------------------- Disabling lock debugging due to kernel taint INFO: Slab 0xffffea0000166b40 objects=128 used=7 fp=0xffff8800059ad080 flags=0x4000000000000080 INFO: Object 0xffff8800059ad060 @offset=96 fp=0xffff8800059ad080 Bytes b4 ffff8800059ad050: a0 df 9a 05 00 88 ff ff 5a 5a 5a 5a 5a 5a 5a 5a ........ZZZZZZZZ Object ffff8800059ad060: 74 65 73 74 6b 6b 6b a5 testkkk. Redzone ffff8800059ad068: cc cc cc cc cc cc cc cc ........ Padding ffff8800059ad078: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ CPU: 0 PID: 528 Comm: attr Tainted: G B 3.18.0-rc1-mm1+ #5 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 0000000000000000 ffff8800059ad064 ffffffff81534cf2 ffff880005a5bc40 ffffffff8112fe1a 0000000100800006 0000000f059ad060 ffff880006000f90 0000000000000296 ffffea0000166b40 ffffffff8107ca97 ffff880005891060 Call Trace: ? dump_stack (lib/dump_stack.c:52) ? kasan_report_error (mm/kasan/report.c:102 mm/kasan/report.c:178) ? preempt_count_sub (kernel/sched/core.c:2651) ? __asan_load1 (mm/kasan/kasan.h:50 mm/kasan/kasan.c:248 mm/kasan/kasan.c:358) ? strncpy (lib/string.c:121) ? strncpy (lib/string.c:121) ? smk_parse_smack (security/smack/smack_access.c:457) ? setxattr (fs/xattr.c:343) ? smk_import_entry (security/smack/smack_access.c:514) ? smack_inode_setxattr (security/smack/smack_lsm.c:1093 (discriminator 1)) ? security_inode_setxattr (security/security.c:602) ? vfs_setxattr (fs/xattr.c:134) ? setxattr (fs/xattr.c:343) ? setxattr (fs/xattr.c:360) ? get_parent_ip (kernel/sched/core.c:2606) ? preempt_count_sub (kernel/sched/core.c:2651) ? __percpu_counter_add (arch/x86/include/asm/preempt.h:98 lib/percpu_counter.c:90) ? get_parent_ip (kernel/sched/core.c:2606) ? preempt_count_sub (kernel/sched/core.c:2651) ? __mnt_want_write (arch/x86/include/asm/preempt.h:98 fs/namespace.c:359) ? path_setxattr (fs/xattr.c:380) ? SyS_lsetxattr (fs/xattr.c:397) ? system_call_fastpath (arch/x86/kernel/entry_64.S:423) Read of size 1 by task attr: Memory state around the buggy address: ffff8800059ace80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8800059acf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8800059acf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff8800059ad000: 00 fc fc fc 00 fc fc fc 05 fc fc fc 04 fc fc fc ^ ffff8800059ad080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8800059ad100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8800059ad180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== strncpy() copies one byte more than the source string has. Fix this by passing the correct length to strncpy(). Now we can remove initialization of the last byte in 'smack' string because kzalloc() already did this for us. Signed-off-by: NAndrey Ryabinin <a.ryabinin@samsung.com>
-
- 20 11月, 2014 2 次提交
-
-
由 Al Viro 提交于
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
-
由 Al Viro 提交于
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
-
- 18 11月, 2014 6 次提交
-
-
由 Dmitry Kasatkin 提交于
integrity_kernel_read() duplicates the file read operations code in vfs_read(). This patch refactors vfs_read() code creating a helper function __vfs_read(). It is used by both vfs_read() and integrity_kernel_read(). Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
-
由 Dmitry Kasatkin 提交于
This patch provides CONFIG_IMA_APPRAISE_SIGNED_INIT kernel configuration option to force IMA appraisal using signatures. This is useful, when EVM key is not initialized yet and we want securely initialize integrity or any other functionality. It forces embedded policy to require signature. Signed initialization script can initialize EVM key, update the IMA policy and change further requirement of everything to be signed. Changes in v3: * kernel parameter fixed to configuration option in the patch description Changes in v2: * policy change of this patch separated from the key loading patch Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
-
由 Dmitry Kasatkin 提交于
Keys can only be loaded once the rootfs is mounted. Initcalls are not suitable for that. This patch defines a special hook to load the x509 public keys onto the IMA keyring, before attempting to access any file. The keys are required for verifying the file's signature. The hook is called after the root filesystem is mounted and before the kernel calls 'init'. Changes in v3: * added more explanation to the patch description (Mimi) Changes in v2: * Hook renamed as 'integrity_load_keys()' to handle both IMA and EVM keys by integrity subsystem. * Hook patch moved after defining loading functions Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
-
由 Dmitry Kasatkin 提交于
Define configuration option to load X509 certificate into the IMA trusted kernel keyring. It implements ima_load_x509() hook to load X509 certificate into the .ima trusted kernel keyring from the root filesystem. Changes in v3: * use ima_policy_flag in ima_get_action() ima_load_x509 temporarily clears ima_policy_flag to disable appraisal to load key. Use it to skip appraisal rules. * Key directory path changed to /etc/keys (Mimi) * Expand IMA_LOAD_X509 Kconfig help Changes in v2: * added '__init' * use ima_policy_flag to disable appraisal to load keys Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
-
由 Dmitry Kasatkin 提交于
Provide the function to load x509 certificates from the kernel into the integrity kernel keyring. Changes in v2: * configuration option removed * function declared as '__init' Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
-
由 Dmitry Kasatkin 提交于
This patch defines a new function called integrity_read_file() to read file from the kernel into a buffer. Subsequent patches will read a file containing the public keys and load them onto the IMA keyring. This patch moves and renames ima_kernel_read(), the non-security checking version of kernel_read(), to integrity_kernel_read(). Changes in v3: * Patch descriptions improved (Mimi) * Add missing cast (kbuild test robot) Changes in v2: * configuration option removed * function declared as '__init' Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
-
- 13 11月, 2014 1 次提交
-
-
由 Richard Guy Briggs 提交于
Convert WARN_ONCE() to printk() in selinux_nlmsg_perm(). After conversion from audit_log() in commit e173fb26, WARN_ONCE() was deemed too alarmist, so switch it to printk(). Signed-off-by: NRichard Guy Briggs <rgb@redhat.com> [PM: Changed to printk(WARNING) so we catch all of the different invalid netlink messages. In Richard's defense, he brought this point up earlier, but I didn't understand his point at the time.] Signed-off-by: NPaul Moore <pmoore@redhat.com>
-
- 04 11月, 2014 1 次提交
-
-
由 Al Viro 提交于
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
-
- 01 11月, 2014 1 次提交
-
-
由 Rohit 提交于
The patch use kmem_cache to allocate/free inode_smack since they are alloced in high volumes making it a perfect case for kmem_cache. As per analysis, 24 bytes of memory is wasted per allocation due to internal fragmentation. With kmem_cache, this can be avoided. Accounting of memory allocation is below : total slack net count-alloc/free caller Before (with kzalloc) 1919872 719952 1919872 29998/0 new_inode_smack+0x14 After (with kmem_cache) 1201680 0 1201680 30042/0 new_inode_smack+0x18 >From above data, we found that 719952 bytes(~700 KB) of memory is saved on allocation of 29998 smack inodes. Signed-off-by: NRohit <rohit.kr@samsung.com>
-
- 28 10月, 2014 3 次提交
-
-
由 Casey Schaufler 提交于
The lock access mode allows setting a read lock on a file for with the process has only read access. The floor label is defined to make it easy to have the basic system installed such that everyone can read it. Once there's a desire to read lock (rationally or otherwise) a floor file a rule needs to get set. This happens all the time, so make the floor label a little bit more special and allow everyone lock access, too. By implication, give processes with the hat label (hat can read everything) lock access as well. This reduces clutter in the Smack rule set. Signed-off-by: NCasey Schaufler <casey@schaufler-ca.com>
-
由 Dmitry Kasatkin 提交于
evm_inode_setxattr() can be called with no value. The function does not check the length so that following command can be used to produce the kernel oops: setfattr -n security.evm FOO. This patch fixes it. Changes in v3: * there is no reason to return different error codes for EVM_XATTR_HMAC and non EVM_XATTR_HMAC. Remove unnecessary test then. Changes in v2: * testing for validity of xattr type [ 1106.396921] BUG: unable to handle kernel NULL pointer dereference at (null) [ 1106.398192] IP: [<ffffffff812af7b8>] evm_inode_setxattr+0x2a/0x48 [ 1106.399244] PGD 29048067 PUD 290d7067 PMD 0 [ 1106.399953] Oops: 0000 [#1] SMP [ 1106.400020] Modules linked in: bridge stp llc evdev serio_raw i2c_piix4 button fuse [ 1106.400020] CPU: 0 PID: 3635 Comm: setxattr Not tainted 3.16.0-kds+ #2936 [ 1106.400020] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 1106.400020] task: ffff8800291a0000 ti: ffff88002917c000 task.ti: ffff88002917c000 [ 1106.400020] RIP: 0010:[<ffffffff812af7b8>] [<ffffffff812af7b8>] evm_inode_setxattr+0x2a/0x48 [ 1106.400020] RSP: 0018:ffff88002917fd50 EFLAGS: 00010246 [ 1106.400020] RAX: 0000000000000000 RBX: ffff88002917fdf8 RCX: 0000000000000000 [ 1106.400020] RDX: 0000000000000000 RSI: ffffffff818136d3 RDI: ffff88002917fdf8 [ 1106.400020] RBP: ffff88002917fd68 R08: 0000000000000000 R09: 00000000003ec1df [ 1106.400020] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8800438a0a00 [ 1106.400020] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 1106.400020] FS: 00007f7dfa7d7740(0000) GS:ffff88005da00000(0000) knlGS:0000000000000000 [ 1106.400020] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1106.400020] CR2: 0000000000000000 CR3: 000000003763e000 CR4: 00000000000006f0 [ 1106.400020] Stack: [ 1106.400020] ffff8800438a0a00 ffff88002917fdf8 0000000000000000 ffff88002917fd98 [ 1106.400020] ffffffff812a1030 ffff8800438a0a00 ffff88002917fdf8 0000000000000000 [ 1106.400020] 0000000000000000 ffff88002917fde0 ffffffff8116d08a ffff88002917fdc8 [ 1106.400020] Call Trace: [ 1106.400020] [<ffffffff812a1030>] security_inode_setxattr+0x5d/0x6a [ 1106.400020] [<ffffffff8116d08a>] vfs_setxattr+0x6b/0x9f [ 1106.400020] [<ffffffff8116d1e0>] setxattr+0x122/0x16c [ 1106.400020] [<ffffffff811687e8>] ? mnt_want_write+0x21/0x45 [ 1106.400020] [<ffffffff8114d011>] ? __sb_start_write+0x10f/0x143 [ 1106.400020] [<ffffffff811687e8>] ? mnt_want_write+0x21/0x45 [ 1106.400020] [<ffffffff811687c0>] ? __mnt_want_write+0x48/0x4f [ 1106.400020] [<ffffffff8116d3e6>] SyS_setxattr+0x6e/0xb0 [ 1106.400020] [<ffffffff81529da9>] system_call_fastpath+0x16/0x1b [ 1106.400020] Code: c3 0f 1f 44 00 00 55 48 89 e5 41 55 49 89 d5 41 54 49 89 fc 53 48 89 f3 48 c7 c6 d3 36 81 81 48 89 df e8 18 22 04 00 85 c0 75 07 <41> 80 7d 00 02 74 0d 48 89 de 4c 89 e7 e8 5a fe ff ff eb 03 83 [ 1106.400020] RIP [<ffffffff812af7b8>] evm_inode_setxattr+0x2a/0x48 [ 1106.400020] RSP <ffff88002917fd50> [ 1106.400020] CR2: 0000000000000000 [ 1106.428061] ---[ end trace ae08331628ba3050 ]--- Reported-by: NJan Kara <jack@suse.cz> Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com> Cc: stable@vger.kernel.org Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
-
由 Dmitry Kasatkin 提交于
ima_inode_setxattr() can be called with no value. Function does not check the length so that following command can be used to produce kernel oops: setfattr -n security.ima FOO. This patch fixes it. Changes in v3: * for stable reverted "allow setting hash only in fix or log mode" It will be a separate patch. Changes in v2: * testing validity of xattr type * allow setting hash only in fix or log mode (Mimi) [ 261.562522] BUG: unable to handle kernel NULL pointer dereference at (null) [ 261.564109] IP: [<ffffffff812af272>] ima_inode_setxattr+0x3e/0x5a [ 261.564109] PGD 3112f067 PUD 42965067 PMD 0 [ 261.564109] Oops: 0000 [#1] SMP [ 261.564109] Modules linked in: bridge stp llc evdev serio_raw i2c_piix4 button fuse [ 261.564109] CPU: 0 PID: 3299 Comm: setxattr Not tainted 3.16.0-kds+ #2924 [ 261.564109] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 261.564109] task: ffff8800428c2430 ti: ffff880042be0000 task.ti: ffff880042be0000 [ 261.564109] RIP: 0010:[<ffffffff812af272>] [<ffffffff812af272>] ima_inode_setxattr+0x3e/0x5a [ 261.564109] RSP: 0018:ffff880042be3d50 EFLAGS: 00010246 [ 261.564109] RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000000015 [ 261.564109] RDX: 0000001500000000 RSI: 0000000000000000 RDI: ffff8800375cc600 [ 261.564109] RBP: ffff880042be3d68 R08: 0000000000000000 R09: 00000000004d6256 [ 261.564109] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88002149ba00 [ 261.564109] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 261.564109] FS: 00007f6c1e219740(0000) GS:ffff88005da00000(0000) knlGS:0000000000000000 [ 261.564109] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 261.564109] CR2: 0000000000000000 CR3: 000000003b35a000 CR4: 00000000000006f0 [ 261.564109] Stack: [ 261.564109] ffff88002149ba00 ffff880042be3df8 0000000000000000 ffff880042be3d98 [ 261.564109] ffffffff812a101b ffff88002149ba00 ffff880042be3df8 0000000000000000 [ 261.564109] 0000000000000000 ffff880042be3de0 ffffffff8116d08a ffff880042be3dc8 [ 261.564109] Call Trace: [ 261.564109] [<ffffffff812a101b>] security_inode_setxattr+0x48/0x6a [ 261.564109] [<ffffffff8116d08a>] vfs_setxattr+0x6b/0x9f [ 261.564109] [<ffffffff8116d1e0>] setxattr+0x122/0x16c [ 261.564109] [<ffffffff811687e8>] ? mnt_want_write+0x21/0x45 [ 261.564109] [<ffffffff8114d011>] ? __sb_start_write+0x10f/0x143 [ 261.564109] [<ffffffff811687e8>] ? mnt_want_write+0x21/0x45 [ 261.564109] [<ffffffff811687c0>] ? __mnt_want_write+0x48/0x4f [ 261.564109] [<ffffffff8116d3e6>] SyS_setxattr+0x6e/0xb0 [ 261.564109] [<ffffffff81529da9>] system_call_fastpath+0x16/0x1b [ 261.564109] Code: 48 89 f7 48 c7 c6 58 36 81 81 53 31 db e8 73 27 04 00 85 c0 75 28 bf 15 00 00 00 e8 8a a5 d9 ff 84 c0 75 05 83 cb ff eb 15 31 f6 <41> 80 7d 00 03 49 8b 7c 24 68 40 0f 94 c6 e8 e1 f9 ff ff 89 d8 [ 261.564109] RIP [<ffffffff812af272>] ima_inode_setxattr+0x3e/0x5a [ 261.564109] RSP <ffff880042be3d50> [ 261.564109] CR2: 0000000000000000 [ 261.599998] ---[ end trace 39a89a3fc267e652 ]--- Reported-by: NJan Kara <jack@suse.cz> Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com> Cc: stable@vger.kernel.org Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
-
- 15 10月, 2014 1 次提交
-
-
由 Stephen Smalley 提交于
sb_finish_set_opts() can race with inode_free_security() when initializing inode security structures for inodes created prior to initial policy load or by the filesystem during ->mount(). This appears to have always been a possible race, but commit 3dc91d43 ("SELinux: Fix possible NULL pointer dereference in selinux_inode_permission()") made it more evident by immediately reusing the unioned list/rcu element of the inode security structure for call_rcu() upon an inode_free_security(). But the underlying issue was already present before that commit as a possible use-after-free of isec. Shivnandan Kumar reported the list corruption and proposed a patch to split the list and rcu elements out of the union as separate fields of the inode_security_struct so that setting the rcu element would not affect the list element. However, this would merely hide the issue and not truly fix the code. This patch instead moves up the deletion of the list entry prior to dropping the sbsec->isec_lock initially. Then, if the inode is dropped subsequently, there will be no further references to the isec. Reported-by: NShivnandan Kumar <shivnandan.k@samsung.com> Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov> Cc: stable@vger.kernel.org Signed-off-by: NPaul Moore <pmoore@redhat.com>
-
- 14 10月, 2014 1 次提交
-
-
由 Behan Webster 提交于
Replaced the use of a Variable Length Array In Struct (VLAIS) with a C99 compliant equivalent. This patch allocates the appropriate amount of memory using a char array using the SHASH_DESC_ON_STACK macro. The new code can be compiled with both gcc and clang. Signed-off-by: NBehan Webster <behanw@converseincode.com> Reviewed-by: NMark Charlebois <charlebm@gmail.com> Reviewed-by: NJan-Simon Möller <dl9pf@gmx.de> Acked-by: NHerbert Xu <herbert@gondor.apana.org.au> Acked-by: NDmitry Kasatkin <d.kasatkin@samsung.com> Cc: tglx@linutronix.de
-
- 13 10月, 2014 5 次提交
-
-
由 Roberto Sassu 提交于
This patch allows users to provide a custom template format through the new kernel command line parameter 'ima_template_fmt'. If the supplied format is not valid, IMA uses the default template descriptor. Changelog: - v3: - added check for 'fields' and 'num_fields' in template_desc_init_fields() (suggested by Mimi Zohar) - v2: - using template_desc_init_fields() to validate a format string (Roberto Sassu) - updated documentation by stating that only the chosen template descriptor is initialized (Roberto Sassu) - v1: - simplified code of ima_template_fmt_setup() (Roberto Sassu, suggested by Mimi Zohar) Signed-off-by: NRoberto Sassu <roberto.sassu@polito.it> Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
-
由 Roberto Sassu 提交于
The allocation of a field pointers array is moved at the end of template_desc_init_fields() and done only if the value of the 'fields' and 'num_fields' parameters is not NULL. For just validating a template format string, retrieved template field pointers are placed in a temporary array. Changelog: - v3: - do not check in this patch if 'fields' and 'num_fields' are NULL (suggested by Mimi Zohar) Signed-off-by: NRoberto Sassu <roberto.sassu@polito.it> Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
-
由 Roberto Sassu 提交于
This patch removes the allocation of a copy of 'template_fmt', needed for iterating over all fields in the passed template format string. The removal was possible by replacing strcspn(), which modifies the passed string, with strchrnul(). The currently processed template field is copied in a temporary variable. The purpose of this change is use template_desc_init_fields() in two ways: for just validating a template format string (the function should work if called by a setup function, when memory cannot be allocated), and for actually initializing a template descriptor. The implementation of this feature will be complete with the next patch. Changelog: - v3: - added 'goto out' in template_desc_init_fields() to free allocated memory if a template field length is not valid (suggested by Mimi Zohar) Signed-off-by: NRoberto Sassu <roberto.sassu@polito.it> Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
-
由 Roberto Sassu 提交于
With the introduction of the 'ima_template_fmt' kernel cmdline parameter, a user can define a new template descriptor with custom format. However, in this case, userspace tools will be unable to parse the measurements list because the new template is unknown. For this reason, this patch modifies the current IMA behavior to display in the list the template format instead of the name (only if the length of the latter is zero) so that a tool can extract needed information if it can handle listed fields. This patch also correctly displays the error log message in ima_init_template() if the selected template cannot be initialized. Changelog: - v3: - check the first byte of 'e->template_desc->name' instead of using strlen() in ima_fs.c (suggested by Mimi Zohar) - v2: - print the template format in ima_init_template(), if the selected template is custom (Roberto Sassu) - v1: - fixed patch description (Roberto Sassu, suggested by Mimi Zohar) - set 'template_name' variable in ima_fs.c only once (Roberto Sassu, suggested by Mimi Zohar) Signed-off-by: NRoberto Sassu <roberto.sassu@polito.it> Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
-
由 Roberto Sassu 提交于
This patch adds some error messages to inform users about the following events: template descriptor not found, invalid template descriptor, template field not found and template initialization failed. Changelog: - v2: - display an error message if the format string contains too many fields (Roberto Sassu) Signed-off-by: NRoberto Sassu <roberto.sassu@polito.it> Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
-
- 12 10月, 2014 4 次提交
-
-
由 Dmitry Kasatkin 提交于
The current implementation uses an atomic counter to provide exclusive access to the sysfs 'policy' entry to update the IMA policy. While it is highly unlikely, the usage of a counter might potentially allow another process to overflow the counter, open the interface and insert additional rules into the policy being loaded. This patch replaces using an atomic counter with atomic bit operations which is more reliable and a widely used method to provide exclusive access. As bit operation keep the interface locked after successful update, it makes it unnecessary to verify if the default policy was set or not during parsing and interface closing. This patch also removes that code. Changes in v3: * move audit log message to ima_relead_policy() to report successful and unsuccessful result * unnecessary comment removed Changes in v2: * keep interface locked after successful policy load as in original design * remove sysfs entry as in original design Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
-
由 Dmitry Kasatkin 提交于
Empty policy lines cause parsing failures which is, especially for new users, hard to spot. This patch prevents it. Changes in v2: * strip leading blanks and tabs in rules to prevent parsing failures Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
-
由 Dmitry Kasatkin 提交于
If a rule is a comment, there is no need to allocate an entry. Move the checking for comments before allocating the entry. Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
-
由 Dmitry Kasatkin 提交于
Audit messages are rate limited, often causing the policy update info to not be visible. Report policy loading status also using pr_info. Changes in v2: * reporting moved to ima_release_policy to notice parsing errors * reporting both completed and failed status Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
-
- 08 10月, 2014 4 次提交
-
-
由 Dmitry Kasatkin 提交于
__getname() uses slab allocation which is faster than kmalloc. Make use of it. Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
-
由 Dmitry Kasatkin 提交于
If filesystem is mounted read-only or file is immutable, updating xattr will fail. This is a usual case during early boot until filesystem is remount read-write. This patch verifies conditions to skip unnecessary attempt to calculate HMAC and set xattr. Changes in v2: * indention changed according to Lindent (requested by Mimi) Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
-
由 Dmitry Kasatkin 提交于
integrity_init_keyring() is used only from kernel '__init' functions. Add it there as well. Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
-
由 Dmitry Kasatkin 提交于
This patch completes the switching to the 'ima_policy_flag' variable in the checks at the beginning of IMA functions, starting with the commit a756024e. Checking 'iint_initialized' is completely unnecessary, because S_IMA flag is unset if iint was not allocated. At the same time the integrity cache is allocated with SLAB_PANIC and the kernel will panic if the allocation fails during kernel initialization. So on a running system iint_initialized is always true and can be removed. Changes in v3: * not limiting test to IMA_APPRAISE (spotted by Roberto Sassu) Changes in v2: * 'iint_initialized' removal patch merged to this patch (requested by Mimi) Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com> Acked-by: NRoberto Sassu <roberto.sassu@polito.it>
-
- 07 10月, 2014 1 次提交
-
-
由 Dmitry Kasatkin 提交于
Latest KEYS code return error if hexadecimal string length id odd. Fix it. Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: NDavid Howells <dhowells@redhat.com>
-
- 23 9月, 2014 2 次提交
-
-
由 Richard Guy Briggs 提交于
Restructure to keyword=value pairs without spaces. Drop superfluous words in text. Make invalid_context a keyword. Change result= keyword to seresult=. Signed-off-by: NRichard Guy Briggs <rgb@redhat.com> [Minor rewrite to the patch subject line] Signed-off-by: NPaul Moore <pmoore@redhat.com>
-
由 Richard Guy Briggs 提交于
Convert audit_log() call to WARN_ONCE(). Rename "type=" to nlmsg_type=" to avoid confusion with the audit record type. Added "protocol=" to help track down which protocol (NETLINK_AUDIT?) was used within the netlink protocol family. Signed-off-by: NRichard Guy Briggs <rgb@redhat.com> [Rewrote the patch subject line] Signed-off-by: NPaul Moore <pmoore@redhat.com>
-
- 18 9月, 2014 1 次提交
-
-
由 Roberto Sassu 提交于
This patch fixes the detection of the 'open_writers' violation for mmaped files. before) an 'open_writers' violation is detected if the policy contains a rule with the criteria: func=FILE_CHECK mask=MAY_READ after) an 'open_writers' violation is detected if the current event matches one of the policy rules. With the old behaviour, the 'open_writers' violation is not detected in the following case: policy: measure func=FILE_MMAP mask=MAY_EXEC steps: 1) open a shared library for writing 2) execute a binary that links that shared library 3) during the binary execution, modify the shared library and save the change result: the 'open_writers' violation measurement is not present in the IMA list. Only binaries executed are protected from writes. For libraries mapped in memory there is the flag MAP_DENYWRITE for this purpose, but according to the output of 'man mmap', the mmap flag is ignored. Since ima_rdwr_violation_check() is now called by process_measurement() the information about if the inode must be measured is already provided by ima_get_action(). Thus the unnecessary function ima_must_measure() has been removed. Changes in v3 (Dmitry Kasatkin): - Violation for MMAP_CHECK function are verified since this patch - Changed patch description a bit Signed-off-by: NRoberto Sassu <roberto.sassu@polito.it> Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
-