1. 26 8月, 2014 1 次提交
  2. 09 8月, 2014 3 次提交
    • K
      Smack: remove unneeded NULL-termination from securtity label · da1b6356
      Konstantin Khlebnikov 提交于
      Values of extended attributes are stored as binary blobs. NULL-termination
      of them isn't required. It just wastes disk space and confuses command-line
      tools like getfattr because they have to print that zero byte at the end.
      
      This patch removes terminating zero byte from initial security label in
      smack_inode_init_security and cuts it out in function smack_inode_getsecurity
      which is used by syscall getxattr. This change seems completely safe, because
      function smk_parse_smack ignores everything after first zero byte.
      Signed-off-by: NKonstantin Khlebnikov <k.khlebnikov@samsung.com>
      da1b6356
    • K
      Smack: handle zero-length security labels without panic · b862e561
      Konstantin Khlebnikov 提交于
      Zero-length security labels are invalid but kernel should handle them.
      
      This patch fixes kernel panic after setting zero-length security labels:
      # attr -S -s "SMACK64" -V "" file
      
      And after writing zero-length string into smackfs files syslog and onlycp:
      # python -c 'import os; os.write(1, "")' > /smack/syslog
      
      The problem is caused by brain-damaged logic in function smk_parse_smack()
      which takes pointer to buffer and its length but if length below or equal zero
      it thinks that the buffer is zero-terminated. Unfortunately callers of this
      function are widely used and proper fix requires serious refactoring.
      Signed-off-by: NKonstantin Khlebnikov <k.khlebnikov@samsung.com>
      b862e561
    • K
      Smack: fix behavior of smack_inode_listsecurity · fd5c9d23
      Konstantin Khlebnikov 提交于
      Security operation ->inode_listsecurity is used for generating list of
      available extended attributes for syscall listxattr. Currently it's used
      only in nfs4 or if filesystem doesn't provide i_op->listxattr.
      
      The list is the set of NULL-terminated names, one after the other.
      This method must include zero byte at the and into result.
      
      Also this function must return length even if string does not fit into
      output buffer or it is NULL, see similar method in selinux and man listxattr.
      Signed-off-by: NKonstantin Khlebnikov <k.khlebnikov@samsung.com>
      fd5c9d23
  3. 05 8月, 2014 1 次提交
  4. 03 8月, 2014 1 次提交
  5. 02 8月, 2014 1 次提交
  6. 01 8月, 2014 4 次提交
    • P
      netlabel: shorter names for the NetLabel catmap funcs/structs · 4fbe63d1
      Paul Moore 提交于
      Historically the NetLabel LSM secattr catmap functions and data
      structures have had very long names which makes a mess of the NetLabel
      code and anyone who uses NetLabel.  This patch renames the catmap
      functions and structures from "*_secattr_catmap_*" to just "*_catmap_*"
      which improves things greatly.
      
      There are no substantial code or logic changes in this patch.
      Signed-off-by: NPaul Moore <pmoore@redhat.com>
      Tested-by: NCasey Schaufler <casey@schaufler-ca.com>
      4fbe63d1
    • P
      netlabel: fix the catmap walking functions · d960a618
      Paul Moore 提交于
      The two NetLabel LSM secattr catmap walk functions didn't handle
      certain edge conditions correctly, causing incorrect security labels
      to be generated in some cases.  This patch corrects these problems and
      converts the functions to use the new _netlbl_secattr_catmap_getnode()
      function in order to reduce the amount of repeated code.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NPaul Moore <pmoore@redhat.com>
      Tested-by: NCasey Schaufler <casey@schaufler-ca.com>
      d960a618
    • P
      netlabel: fix the horribly broken catmap functions · 4b8feff2
      Paul Moore 提交于
      The NetLabel secattr catmap functions, and the SELinux import/export
      glue routines, were broken in many horrible ways and the SELinux glue
      code fiddled with the NetLabel catmap structures in ways that we
      probably shouldn't allow.  At some point this "worked", but that was
      likely due to a bit of dumb luck and sub-par testing (both inflicted
      by yours truly).  This patch corrects these problems by basically
      gutting the code in favor of something less obtuse and restoring the
      NetLabel abstractions in the SELinux catmap glue code.
      
      Everything is working now, and if it decides to break itself in the
      future this code will be much easier to debug than the code it
      replaces.
      
      One noteworthy side effect of the changes is that it is no longer
      necessary to allocate a NetLabel catmap before calling one of the
      NetLabel APIs to set a bit in the catmap.  NetLabel will automatically
      allocate the catmap nodes when needed, resulting in less allocations
      when the lowest bit is greater than 255 and less code in the LSMs.
      
      Cc: stable@vger.kernel.org
      Reported-by: NChristian Evans <frodox@zoho.com>
      Signed-off-by: NPaul Moore <pmoore@redhat.com>
      Tested-by: NCasey Schaufler <casey@schaufler-ca.com>
      4b8feff2
    • P
      netlabel: fix a problem when setting bits below the previously lowest bit · 41c3bd20
      Paul Moore 提交于
      The NetLabel category (catmap) functions have a problem in that they
      assume categories will be set in an increasing manner, e.g. the next
      category set will always be larger than the last.  Unfortunately, this
      is not a valid assumption and could result in problems when attempting
      to set categories less than the startbit in the lowest catmap node.
      In some cases kernel panics and other nasties can result.
      
      This patch corrects the problem by checking for this and allocating a
      new catmap node instance and placing it at the front of the list.
      
      Cc: stable@vger.kernel.org
      Reported-by: NChristian Evans <frodox@zoho.com>
      Signed-off-by: NPaul Moore <pmoore@redhat.com>
      Tested-by: NCasey Schaufler <casey@schaufler-ca.com>
      41c3bd20
  7. 31 7月, 2014 1 次提交
  8. 30 7月, 2014 5 次提交
  9. 29 7月, 2014 2 次提交
  10. 28 7月, 2014 4 次提交
  11. 26 7月, 2014 5 次提交
  12. 25 7月, 2014 1 次提交
  13. 24 7月, 2014 3 次提交
    • E
      CAPABILITIES: remove undefined caps from all processes · 7d8b6c63
      Eric Paris 提交于
      This is effectively a revert of 7b9a7ec5
      plus fixing it a different way...
      
      We found, when trying to run an application from an application which
      had dropped privs that the kernel does security checks on undefined
      capability bits.  This was ESPECIALLY difficult to debug as those
      undefined bits are hidden from /proc/$PID/status.
      
      Consider a root application which drops all capabilities from ALL 4
      capability sets.  We assume, since the application is going to set
      eff/perm/inh from an array that it will clear not only the defined caps
      less than CAP_LAST_CAP, but also the higher 28ish bits which are
      undefined future capabilities.
      
      The BSET gets cleared differently.  Instead it is cleared one bit at a
      time.  The problem here is that in security/commoncap.c::cap_task_prctl()
      we actually check the validity of a capability being read.  So any task
      which attempts to 'read all things set in bset' followed by 'unset all
      things set in bset' will not even attempt to unset the undefined bits
      higher than CAP_LAST_CAP.
      
      So the 'parent' will look something like:
      CapInh:	0000000000000000
      CapPrm:	0000000000000000
      CapEff:	0000000000000000
      CapBnd:	ffffffc000000000
      
      All of this 'should' be fine.  Given that these are undefined bits that
      aren't supposed to have anything to do with permissions.  But they do...
      
      So lets now consider a task which cleared the eff/perm/inh completely
      and cleared all of the valid caps in the bset (but not the invalid caps
      it couldn't read out of the kernel).  We know that this is exactly what
      the libcap-ng library does and what the go capabilities library does.
      They both leave you in that above situation if you try to clear all of
      you capapabilities from all 4 sets.  If that root task calls execve()
      the child task will pick up all caps not blocked by the bset.  The bset
      however does not block bits higher than CAP_LAST_CAP.  So now the child
      task has bits in eff which are not in the parent.  These are
      'meaningless' undefined bits, but still bits which the parent doesn't
      have.
      
      The problem is now in cred_cap_issubset() (or any operation which does a
      subset test) as the child, while a subset for valid cap bits, is not a
      subset for invalid cap bits!  So now we set durring commit creds that
      the child is not dumpable.  Given it is 'more priv' than its parent.  It
      also means the parent cannot ptrace the child and other stupidity.
      
      The solution here:
      1) stop hiding capability bits in status
      	This makes debugging easier!
      
      2) stop giving any task undefined capability bits.  it's simple, it you
      don't put those invalid bits in CAP_FULL_SET you won't get them in init
      and you won't get them in any other task either.
      	This fixes the cap_issubset() tests and resulting fallout (which
      	made the init task in a docker container untraceable among other
      	things)
      
      3) mask out undefined bits when sys_capset() is called as it might use
      ~0, ~0 to denote 'all capabilities' for backward/forward compatibility.
      	This lets 'capsh --caps="all=eip" -- -c /bin/bash' run.
      
      4) mask out undefined bit when we read a file capability off of disk as
      again likely all bits are set in the xattr for forward/backward
      compatibility.
      	This lets 'setcap all+pe /bin/bash; /bin/bash' run
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Reviewed-by: NKees Cook <keescook@chromium.org>
      Cc: Andrew Vagin <avagin@openvz.org>
      Cc: Andrew G. Morgan <morgan@kernel.org>
      Cc: Serge E. Hallyn <serge.hallyn@canonical.com>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Steve Grubb <sgrubb@redhat.com>
      Cc: Dan Walsh <dwalsh@redhat.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: NJames Morris <james.l.morris@oracle.com>
      7d8b6c63
    • J
      Merge tag 'keys-next-20140722' of... · 4ca332e1
      James Morris 提交于
      Merge tag 'keys-next-20140722' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs into next
      4ca332e1
    • T
      commoncap: don't alloc the credential unless needed in cap_task_prctl · 6d6f3328
      Tetsuo Handa 提交于
      In function cap_task_prctl(), we would allocate a credential
      unconditionally and then check if we support the requested function.
      If not we would release this credential with abort_creds() by using
      RCU method. But on some archs such as powerpc, the sys_prctl is heavily
      used to get/set the floating point exception mode. So the unnecessary
      allocating/releasing of credential not only introduce runtime overhead
      but also do cause OOM due to the RCU implementation.
      
      This patch removes abort_creds() from cap_task_prctl() by calling
      prepare_creds() only when we need to modify it.
      Reported-by: NKevin Hao <haokexin@gmail.com>
      Signed-off-by: NTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Reviewed-by: NPaul Moore <paul@paul-moore.com>
      Acked-by: NSerge E. Hallyn <serge.hallyn@ubuntu.com>
      Reviewed-by: NKees Cook <keescook@chromium.org>
      Signed-off-by: NJames Morris <james.l.morris@oracle.com>
      6d6f3328
  14. 23 7月, 2014 8 次提交