1. 13 7月, 2009 2 次提交
  2. 25 6月, 2009 1 次提交
  3. 18 6月, 2009 1 次提交
    • K
      Add audit messages on type boundary violations · 44c2d9bd
      KaiGai Kohei 提交于
      The attached patch adds support to generate audit messages on two cases.
      
      The first one is a case when a multi-thread process tries to switch its
      performing security context using setcon(3), but new security context is
      not bounded by the old one.
      
        type=SELINUX_ERR msg=audit(1245311998.599:17):        \
            op=security_bounded_transition result=denied      \
            oldcontext=system_u:system_r:httpd_t:s0           \
            newcontext=system_u:system_r:guest_webapp_t:s0
      
      The other one is a case when security_compute_av() masked any permissions
      due to the type boundary violation.
      
        type=SELINUX_ERR msg=audit(1245312836.035:32):	\
            op=security_compute_av reason=bounds              \
            scontext=system_u:object_r:user_webapp_t:s0       \
            tcontext=system_u:object_r:shadow_t:s0:c0         \
            tclass=file perms=getattr,open
      Signed-off-by: NKaiGai Kohei <kaigai@ak.jp.nec.com>
      Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      44c2d9bd
  4. 02 4月, 2009 1 次提交
    • K
      Permissive domain in userspace object manager · 8a6f83af
      KaiGai Kohei 提交于
      This patch enables applications to handle permissive domain correctly.
      
      Since the v2.6.26 kernel, SELinux has supported an idea of permissive
      domain which allows certain processes to work as if permissive mode,
      even if the global setting is enforcing mode.
      However, we don't have an application program interface to inform
      what domains are permissive one, and what domains are not.
      It means applications focuses on SELinux (XACE/SELinux, SE-PostgreSQL
      and so on) cannot handle permissive domain correctly.
      
      This patch add the sixth field (flags) on the reply of the /selinux/access
      interface which is used to make an access control decision from userspace.
      If the first bit of the flags field is positive, it means the required
      access control decision is on permissive domain, so application should
      allow any required actions, as the kernel doing.
      
      This patch also has a side benefit. The av_decision.flags is set at
      context_struct_compute_av(). It enables to check required permissions
      without read_lock(&policy_rwlock).
      Signed-off-by: NKaiGai Kohei <kaigai@ak.jp.nec.com>
      Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
      Acked-by: NEric Paris <eparis@redhat.com>
      --
       security/selinux/avc.c              |    2 +-
       security/selinux/include/security.h |    4 +++-
       security/selinux/selinuxfs.c        |    4 ++--
       security/selinux/ss/services.c      |   30 +++++-------------------------
       4 files changed, 11 insertions(+), 29 deletions(-)
      Signed-off-by: NJames Morris <jmorris@namei.org>
      8a6f83af
  5. 14 2月, 2009 6 次提交
  6. 05 1月, 2009 1 次提交
    • E
      SELinux: shrink sizeof av_inhert selinux_class_perm and context · 76f7ba35
      Eric Paris 提交于
      I started playing with pahole today and decided to put it against the
      selinux structures.  Found we could save a little bit of space on x86_64
      (and no harm on i686) just reorganizing some structs.
      
      Object size changes:
      av_inherit: 24 -> 16
      selinux_class_perm: 48 -> 40
      context: 80 -> 72
      
      Admittedly there aren't many of av_inherit or selinux_class_perm's in
      the kernel (33 and 1 respectively) But the change to the size of struct
      context reverberate out a bit.  I can get some hard number if they are
      needed, but I don't see why they would be.  We do change which cacheline
      context->len and context->str would be on, but I don't see that as a
      problem since we are clearly going to have to load both if the context
      is to be of any value.  I've run with the patch and don't seem to be
      having any problems.
      
      An example of what's going on using struct av_inherit would be:
      
      form: to:
      struct av_inherit {			struct av_inherit {
      	u16 tclass;				const char **common_pts;
      	const char **common_pts;		u32 common_base;
      	u32 common_base;			u16 tclass;
      };
      
      (notice all I did was move u16 tclass to the end of the struct instead
      of the beginning)
      
      Memory layout before the change:
      struct av_inherit {
      	u16 tclass; /* 2 */
      	/* 6 bytes hole */
      	const char** common_pts; /* 8 */
      	u32 common_base; /* 4 */
      	/* 4 byes padding */
      
      	/* size: 24, cachelines: 1 */
      	/* sum members: 14, holes: 1, sum holes: 6 */
      	/* padding: 4 */
      };
      
      Memory layout after the change:
      struct av_inherit {
      	const char ** common_pts; /* 8 */
      	u32 common_base; /* 4 */
      	u16 tclass; /* 2 */
      	/* 2 bytes padding */
      
      	/* size: 16, cachelines: 1 */
      	/* sum members: 14, holes: 0, sum holes: 0 */
      	/* padding: 2 */
      };
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      76f7ba35
  7. 31 10月, 2008 1 次提交
  8. 30 10月, 2008 1 次提交
  9. 29 10月, 2008 1 次提交
  10. 28 8月, 2008 1 次提交
    • K
      SELinux: add boundary support and thread context assignment · d9250dea
      KaiGai Kohei 提交于
      The purpose of this patch is to assign per-thread security context
      under a constraint. It enables multi-threaded server application
      to kick a request handler with its fair security context, and
      helps some of userspace object managers to handle user's request.
      
      When we assign a per-thread security context, it must not have wider
      permissions than the original one. Because a multi-threaded process
      shares a single local memory, an arbitary per-thread security context
      also means another thread can easily refer violated information.
      
      The constraint on a per-thread security context requires a new domain
      has to be equal or weaker than its original one, when it tries to assign
      a per-thread security context.
      
      Bounds relationship between two types is a way to ensure a domain can
      never have wider permission than its bounds. We can define it in two
      explicit or implicit ways.
      
      The first way is using new TYPEBOUNDS statement. It enables to define
      a boundary of types explicitly. The other one expand the concept of
      existing named based hierarchy. If we defines a type with "." separated
      name like "httpd_t.php", toolchain implicitly set its bounds on "httpd_t".
      
      This feature requires a new policy version.
      The 24th version (POLICYDB_VERSION_BOUNDARY) enables to ship them into
      kernel space, and the following patch enables to handle it.
      Signed-off-by: NKaiGai Kohei <kaigai@ak.jp.nec.com>
      Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      d9250dea
  11. 28 4月, 2008 1 次提交
    • E
      Audit: standardize string audit interfaces · b556f8ad
      Eric Paris 提交于
      This patch standardized the string auditing interfaces.  No userspace
      changes will be visible and this is all just cleanup and consistancy
      work.  We have the following string audit interfaces to use:
      
      void audit_log_n_hex(struct audit_buffer *ab, const unsigned char *buf, size_t len);
      
      void audit_log_n_string(struct audit_buffer *ab, const char *buf, size_t n);
      void audit_log_string(struct audit_buffer *ab, const char *buf);
      
      void audit_log_n_untrustedstring(struct audit_buffer *ab, const char *string, size_t n);
      void audit_log_untrustedstring(struct audit_buffer *ab, const char *string);
      
      This may be the first step to possibly fixing some of the issues that
      people have with the string output from the kernel audit system.  But we
      still don't have an agreed upon solution to that problem.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      b556f8ad
  12. 22 4月, 2008 1 次提交
  13. 21 4月, 2008 2 次提交
  14. 18 4月, 2008 2 次提交
  15. 15 2月, 2008 1 次提交
  16. 30 1月, 2008 1 次提交
  17. 17 10月, 2007 1 次提交
  18. 22 7月, 2007 1 次提交
    • A
      [PATCH] get rid of AVC_PATH postponed treatment · 4259fa01
      Al Viro 提交于
              Selinux folks had been complaining about the lack of AVC_PATH
      records when audit is disabled.  I must admit my stupidity - I assumed
      that avc_audit() really couldn't use audit_log_d_path() because of
      deadlocks (== could be called with dcache_lock or vfsmount_lock held).
      Shouldn't have made that assumption - it never gets called that way.
      It _is_ called under spinlocks, but not those.
      
              Since audit_log_d_path() uses ab->gfp_mask for allocations,
      kmalloc() in there is not a problem.  IOW, the simple fix is sufficient:
      let's rip AUDIT_AVC_PATH out and simply generate pathname as part of main
      record.  It's trivial to do.
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      Acked-by: NJames Morris <jmorris@namei.org>
      4259fa01
  19. 20 7月, 2007 1 次提交
    • P
      mm: Remove slab destructors from kmem_cache_create(). · 20c2df83
      Paul Mundt 提交于
      Slab destructors were no longer supported after Christoph's
      c59def9f change. They've been
      BUGs for both slab and slub, and slob never supported them
      either.
      
      This rips out support for the dtor pointer from kmem_cache_create()
      completely and fixes up every single callsite in the kernel (there were
      about 224, not including the slab allocator definitions themselves,
      or the documentation references).
      Signed-off-by: NPaul Mundt <lethal@linux-sh.org>
      20c2df83
  20. 12 7月, 2007 2 次提交
  21. 26 4月, 2007 1 次提交
  22. 12 2月, 2007 1 次提交
  23. 08 12月, 2006 2 次提交
  24. 05 12月, 2006 1 次提交
  25. 29 11月, 2006 1 次提交
  26. 01 5月, 2006 1 次提交
    • D
      [PATCH] support for context based audit filtering · 376bd9cb
      Darrel Goeddel 提交于
      The following patch provides selinux interfaces that will allow the audit
      system to perform filtering based on the process context (user, role, type,
      sensitivity, and clearance).  These interfaces will allow the selinux
      module to perform efficient matches based on lower level selinux constructs,
      rather than relying on context retrievals and string comparisons within
      the audit module.  It also allows for dominance checks on the mls portion
      of the contexts that are impossible with only string comparisons.
      Signed-off-by: NDarrel Goeddel <dgoeddel@trustedcs.com>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      376bd9cb
  27. 08 2月, 2006 1 次提交
  28. 14 1月, 2006 1 次提交
    • J
      [NET]: Use NIP6_FMT in kernel.h · 46b86a2d
      Joe Perches 提交于
      There are errors and inconsistency in the display of NIP6 strings.
      	ie: net/ipv6/ip6_flowlabel.c
      
      There are errors and inconsistency in the display of NIPQUAD strings too.
      	ie: net/netfilter/nf_conntrack_ftp.c
      
      This patch:
      	adds NIP6_FMT to kernel.h
      	changes all code to use NIP6_FMT
      	fixes net/ipv6/ip6_flowlabel.c
      	adds NIPQUAD_FMT to kernel.h
      	fixes net/netfilter/nf_conntrack_ftp.c
      	changes a few uses of "%u.%u.%u.%u" to NIPQUAD_FMT for symmetry to NIP6_FMT
      Signed-off-by: NJoe Perches <joe@perches.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      46b86a2d
  29. 05 9月, 2005 1 次提交
  30. 22 6月, 2005 1 次提交
    • D
      AUDIT: Wait for backlog to clear when generating messages. · 9ad9ad38
      David Woodhouse 提交于
      Add a gfp_mask to audit_log_start() and audit_log(), to reduce the
      amount of GFP_ATOMIC allocation -- most of it doesn't need to be 
      GFP_ATOMIC. Also if the mask includes __GFP_WAIT, then wait up to
      60 seconds for the auditd backlog to clear instead of immediately 
      abandoning the message. 
      
      The timeout should probably be made configurable, but for now it'll 
      suffice that it only happens if auditd is actually running.
      Signed-off-by: NDavid Woodhouse <dwmw2@infradead.org>
      9ad9ad38