1. 08 Nov, 2009 1 commit
  2. 03 Nov, 2009 1 commit
  3. 01 Nov, 2009 1 commit
  4. 29 Oct, 2009 3 commits
    • Serge E. Hallyn's avatar
      define convenient securebits masks for prctl users (v2) · 5975c725
      Serge E. Hallyn authored
      Hi James, would you mind taking the following into
      security-testing?
      
      The securebits are used by passing them to prctl with the
      PR_{S,G}ET_SECUREBITS commands.  But the defines must be
      shifted to be used in prctl, which begs to be confused and
      misused by userspace.  So define some more convenient
      values for userspace to specify.  This way userspace does
      
      	prctl(PR_SET_SECUREBITS, SECBIT_NOROOT);
      
      instead of
      
      	prctl(PR_SET_SECUREBITS, 1 << SECURE_NOROOT);
      
      (Thanks to Michael for the idea)
      
      This patch also adds include/linux/securebits to the installed headers.
      Then perhaps it can be included by glibc's sys/prctl.h.
      
      Changelog:
      	Oct 29: Stephen Rothwell points out that issecure can
      		be under __KERNEL__.
      	Oct 14: (Suggestions by Michael Kerrisk):
      		1. spell out SETUID in SECBIT_NO_SETUID*
      		2. SECBIT_X_LOCKED does not imply SECBIT_X
      		3. add definitions for keepcaps
              Oct 14: As suggested by Michael Kerrisk, don't
      		use SB_* as that convention is already in
      		use.  Use SECBIT_ prefix instead.
      Signed-off-by: default avatarSerge E. Hallyn <serue@us.ibm.com>
      Acked-by: default avatarAndrew G. Morgan <morgan@kernel.org>
      Acked-by: default avatarMichael Kerrisk <mtk.manpages@gmail.com>
      Cc: Ulrich Drepper <drepper@redhat.com>
      Cc: James Morris <jmorris@namei.org>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      5975c725
    • Randy Dunlap's avatar
      tpm: fix header for modular build · ff76ec18
      Randy Dunlap authored
      Fix build for TCG_TPM=m.  Header file doesn't handle this
      and incorrectly builds stubs.
      
      drivers/char/tpm/tpm.c:720: error: redefinition of 'tpm_pcr_read'
      include/linux/tpm.h:35: error:previous definition of 'tpm_pcr_read' was here
      drivers/char/tpm/tpm.c:752: error: redefinition of 'tpm_pcr_extend'
      include/linux/tpm.h:38: error:previous definition of 'tpm_pcr_extend' was here
      
      Repairs linux-next's
      
      commit d6ba4521
      Author: Mimi Zohar <zohar@linux.vnet.ibm.com>
      Date:   Mon Oct 26 09:26:18 2009 -0400
      
          tpm add default function definitions
      Signed-off-by: default avatarRandy Dunlap <randy.dunlap@oracle.com>
      Cc: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
      Cc: Mimi Zohar <zohar@us.ibm.com>
      Cc: James Morris <jmorris@namei.org>
      Cc: Eric Paris <eparis@redhat.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      ff76ec18
    • Stephen Hemminger's avatar
      tomoyo: improve hash bucket dispersion · 024e1a49
      Stephen Hemminger authored
      When examining the network device name hash, it was discovered that
      the low order bits of full_name_hash() are not very well dispersed
      across the possible values. When used by filesystem code, this is handled
      by folding with the function hash_long().
      
      The only other non-filesystem usage of full_name_hash() at this time
      appears to be in TOMOYO. This patch should fix that.
      
      I do not use TOMOYO at this time, so this patch is build tested only.
      Signed-off-by: default avatarStephen Hemminger <shemminger@vyatta.com>
      Acked-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      024e1a49
  5. 27 Oct, 2009 1 commit
  6. 25 Oct, 2009 1 commit
  7. 24 Oct, 2009 1 commit
  8. 20 Oct, 2009 2 commits
  9. 13 Oct, 2009 1 commit
  10. 11 Oct, 2009 3 commits
  11. 07 Oct, 2009 3 commits
    • Stephen Smalley's avatar
      selinux: drop remapping of netlink classes · 941fc5b2
      Stephen Smalley authored
      Drop remapping of netlink classes and bypass of permission checking
      based on netlink message type for policy version < 18.  This removes
      compatibility code introduced when the original single netlink
      security class used for all netlink sockets was split into
      finer-grained netlink classes based on netlink protocol and when
      permission checking was added based on netlink message type in Linux
      2.6.8.  The only known distribution that shipped with SELinux and
      policy < 18 was Fedora Core 2, which was EOL'd on 2005-04-11.
      
      Given that the remapping code was never updated to address the
      addition of newer netlink classes, that the corresponding userland
      support was dropped in 2005, and that the assumptions made by the
      remapping code about the fixed ordering among netlink classes in the
      policy may be violated in the future due to the dynamic class/perm
      discovery support, we should drop this compatibility code now.
      Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      941fc5b2
    • Stephen Smalley's avatar
      selinux: generate flask headers during kernel build · 8753f6be
      Stephen Smalley authored
      Add a simple utility (scripts/selinux/genheaders) and invoke it to
      generate the kernel-private class and permission indices in flask.h
      and av_permissions.h automatically during the kernel build from the
      security class mapping definitions in classmap.h.  Adding new kernel
      classes and permissions can then be done just by adding them to classmap.h.
      Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      8753f6be
    • Stephen Smalley's avatar
      selinux: dynamic class/perm discovery · c6d3aaa4
      Stephen Smalley authored
      Modify SELinux to dynamically discover class and permission values
      upon policy load, based on the dynamic object class/perm discovery
      logic from libselinux.  A mapping is created between kernel-private
      class and permission indices used outside the security server and the
      policy values used within the security server.
      
      The mappings are only applied upon kernel-internal computations;
      similar mappings for the private indices of userspace object managers
      is handled on a per-object manager basis by the userspace AVC.  The
      interfaces for compute_av and transition_sid are split for kernel
      vs. userspace; the userspace functions are distinguished by a _user
      suffix.
      
      The kernel-private class indices are no longer tied to the policy
      values and thus do not need to skip indices for userspace classes;
      thus the kernel class index values are compressed.  The flask.h
      definitions were regenerated by deleting the userspace classes from
      refpolicy's definitions and then regenerating the headers.  Going
      forward, we can just maintain the flask.h, av_permissions.h, and
      classmap.h definitions separately from policy as they are no longer
      tied to the policy values.  The next patch introduces a utility to
      automate generation of flask.h and av_permissions.h from the
      classmap.h definitions.
      
      The older kernel class and permission string tables are removed and
      replaced by a single security class mapping table that is walked at
      policy load to generate the mapping.  The old kernel class validation
      logic is completely replaced by the mapping logic.
      
      The handle unknown logic is reworked.  reject_unknown=1 is handled
      when the mappings are computed at policy load time, similar to the old
      handling by the class validation logic.  allow_unknown=1 is handled
      when computing and mapping decisions - if the permission was not able
      to be mapped (i.e. undefined, mapped to zero), then it is
      automatically added to the allowed vector.  If the class was not able
      to be mapped (i.e. undefined, mapped to zero), then all permissions
      are allowed for it if allow_unknown=1.
      
      avc_audit leverages the new security class mapping table to lookup the
      class and permission names from the kernel-private indices.
      
      The mdp program is updated to use the new table when generating the
      class definitions and allow rules for a minimal boot policy for the
      kernel.  It should be noted that this policy will not include any
      userspace classes, nor will its policy index values for the kernel
      classes correspond with the ones in refpolicy (they will instead match
      the kernel-private indices).
      Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      c6d3aaa4
  12. 30 Sep, 2009 2 commits
  13. 29 Sep, 2009 1 commit
  14. 27 Sep, 2009 14 commits
  15. 26 Sep, 2009 5 commits