1. 14 May, 2017 1 commit
    • Mickaël Salaün's avatar
      LSM: Enable multiple calls to security_add_hooks() for the same LSM · 3bb857e4
      Mickaël Salaün authored
      The commit d69dece5 ("LSM: Add /sys/kernel/security/lsm") extend
      security_add_hooks() with a new parameter to register the LSM name,
      which may be useful to make the list of currently loaded LSM available
      to userspace. However, there is no clean way for an LSM to split its
      hook declarations into multiple files, which may reduce the mess with
      all the included files (needed for LSM hook argument types) and make the
      source code easier to review and maintain.
      
      This change allows an LSM to register multiple times its hook while
      keeping a consistent list of LSM names as described in
      Documentation/security/LSM.txt . The list reflects the order in which
      checks are made. This patch only check for the last registered LSM. If
      an LSM register multiple times its hooks, interleaved with other LSM
      registrations (which should not happen), its name will still appear in
      the same order that the hooks are called, hence multiple times.
      
      To sum up, "capability,selinux,foo,foo" will be replaced with
      "capability,selinux,foo", however "capability,foo,selinux,foo" will
      remain as is.
      Signed-off-by: default avatarMickaël Salaün <mic@digikod.net>
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      Acked-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
      3bb857e4
  2. 24 Apr, 2017 4 commits
  3. 19 Apr, 2017 1 commit
  4. 18 Apr, 2017 2 commits
  5. 17 Apr, 2017 1 commit
  6. 11 Apr, 2017 1 commit
  7. 06 Apr, 2017 6 commits
    • John Johansen's avatar
      apparmor: Make path_max parameter readonly · 622f6e32
      John Johansen authored
      The path_max parameter determines the max size of buffers allocated
      but it should  not be setable at run time. If can be used to cause an
      oops
      
      root@ubuntu:~# echo 16777216 > /sys/module/apparmor/parameters/path_max
      root@ubuntu:~# cat /sys/module/apparmor/parameters/path_max
      Killed
      
      [  122.141911] BUG: unable to handle kernel paging request at ffff880080945fff
      [  122.143497] IP: [<ffffffff81228844>] d_absolute_path+0x44/0xa0
      [  122.144742] PGD 220c067 PUD 0
      [  122.145453] Oops: 0002 [#1] SMP
      [  122.146204] Modules linked in: vmw_vsock_vmci_transport vsock ppdev vmw_balloon snd_ens1371 btusb snd_ac97_codec gameport snd_rawmidi btrtl snd_seq_device ac97_bus btbcm btintel snd_pcm input_leds bluetooth snd_timer snd joydev soundcore serio_raw coretemp shpchp nfit parport_pc i2c_piix4 8250_fintek vmw_vmci parport mac_hid ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear hid_generic usbhid hid crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd vmwgfx psmouse mptspi ttm mptscsih drm_kms_helper mptbase syscopyarea scsi_transport_spi sysfillrect
      [  122.163365]  ahci sysimgblt e1000 fb_sys_fops libahci drm pata_acpi fjes
      [  122.164747] CPU: 3 PID: 1501 Comm: bash Not tainted 4.4.0-59-generic #80-Ubuntu
      [  122.166250] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
      [  122.168611] task: ffff88003496aa00 ti: ffff880076474000 task.ti: ffff880076474000
      [  122.170018] RIP: 0010:[<ffffffff81228844>]  [<ffffffff81228844>] d_absolute_path+0x44/0xa0
      [  122.171525] RSP: 0018:ffff880076477b90  EFLAGS: 00010206
      [  122.172462] RAX: ffff880080945fff RBX: 0000000000000000 RCX: 0000000001000000
      [  122.173709] RDX: 0000000000ffffff RSI: ffff880080946000 RDI: ffff8800348a1010
      [  122.174978] RBP: ffff880076477bb8 R08: ffff880076477c80 R09: 0000000000000000
      [  122.176227] R10: 00007ffffffff000 R11: ffff88007f946000 R12: ffff88007f946000
      [  122.177496] R13: ffff880076477c80 R14: ffff8800348a1010 R15: ffff8800348a2400
      [  122.178745] FS:  00007fd459eb4700(0000) GS:ffff88007b6c0000(0000) knlGS:0000000000000000
      [  122.180176] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  122.181186] CR2: ffff880080945fff CR3: 0000000073422000 CR4: 00000000001406e0
      [  122.182469] Stack:
      [  122.182843]  00ffffff00000001 ffff880080946000 0000000000000000 0000000000000000
      [  122.184409]  00000000570f789c ffff880076477c30 ffffffff81385671 ffff88007a2e7a58
      [  122.185810]  0000000000000000 ffff880076477c88 01000000008a1000 0000000000000000
      [  122.187231] Call Trace:
      [  122.187680]  [<ffffffff81385671>] aa_path_name+0x81/0x370
      [  122.188637]  [<ffffffff813875dd>] profile_transition+0xbd/0xb80
      [  122.190181]  [<ffffffff811af9bc>] ? zone_statistics+0x7c/0xa0
      [  122.191674]  [<ffffffff81389b20>] apparmor_bprm_set_creds+0x9b0/0xac0
      [  122.193288]  [<ffffffff812e1971>] ? ext4_xattr_get+0x81/0x220
      [  122.194793]  [<ffffffff812e800c>] ? ext4_xattr_security_get+0x1c/0x30
      [  122.196392]  [<ffffffff813449b9>] ? get_vfs_caps_from_disk+0x69/0x110
      [  122.198004]  [<ffffffff81232d4f>] ? mnt_may_suid+0x3f/0x50
      [  122.199737]  [<ffffffff81344b03>] ? cap_bprm_set_creds+0xa3/0x600
      [  122.201377]  [<ffffffff81346e53>] security_bprm_set_creds+0x33/0x50
      [  122.203024]  [<ffffffff81214ce5>] prepare_binprm+0x85/0x190
      [  122.204515]  [<ffffffff81216545>] do_execveat_common.isra.33+0x485/0x710
      [  122.206200]  [<ffffffff81216a6a>] SyS_execve+0x3a/0x50
      [  122.207615]  [<ffffffff81838795>] stub_execve+0x5/0x5
      [  122.208978]  [<ffffffff818384f2>] ? entry_SYSCALL_64_fastpath+0x16/0x71
      [  122.210615] Code: f8 31 c0 48 63 c2 83 ea 01 48 c7 45 e8 00 00 00 00 48 01 c6 85 d2 48 c7 45 f0 00 00 00 00 48 89 75 e0 89 55 dc 78 0c 48 8d 46 ff <c6> 46 ff 00 48 89 45 e0 48 8d 55 e0 48 8d 4d dc 48 8d 75 e8 e8
      [  122.217320] RIP  [<ffffffff81228844>] d_absolute_path+0x44/0xa0
      [  122.218860]  RSP <ffff880076477b90>
      [  122.219919] CR2: ffff880080945fff
      [  122.220936] ---[ end trace 506cdbd85eb6c55e ]---
      Reported-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
      Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
      622f6e32
    • John Johansen's avatar
      apparmor: fix parameters so that the permission test is bypassed at boot · 545de8fe
      John Johansen authored
      Boot parameters are written before apparmor is ready to answer whether
      the user is policy_view_capable(). Setting the parameters at boot results
      in an oops and failure to boot. Setting the parameters at boot is
      obviously allowed so skip the permission check when apparmor is not
      initialized.
      
      While we are at it move the more complicated check to last.
      Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
      Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
      545de8fe
    • John Johansen's avatar
      apparmor: fix invalid reference to index variable of iterator line 836 · b9b144bc
      John Johansen authored
      Once the loop on lines 836-853 is complete and exits normally, ent is a
      pointer to the dummy list head value.  The derefernces accessible from eg
      the goto fail on line 860 or the various goto fail_lock's afterwards thus
      seem incorrect.
      Reported-by: default avatarJulia Lawall <julia.lawall@lip6.fr>
      Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
      Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
      b9b144bc
    • Nicolas Iooss's avatar
      apparmor: use SHASH_DESC_ON_STACK · 9814448d
      Nicolas Iooss authored
      When building the kernel with clang, the compiler fails to build
      security/apparmor/crypto.c with the following error:
      
          security/apparmor/crypto.c:36:8: error: fields must have a constant
          size: 'variable length array in structure' extension will never be
          supported
                          char ctx[crypto_shash_descsize(apparmor_tfm)];
                               ^
      
      Since commit a0a77af1 ("crypto: LLVMLinux: Add macro to remove use
      of VLAIS in crypto code"), include/crypto/hash.h defines
      SHASH_DESC_ON_STACK to work around this issue. Use it in aa_calc_hash()
      and aa_calc_profile_hash().
      Signed-off-by: default avatarNicolas Iooss <nicolas.iooss_linux@m4x.org>
      Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
      Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
      9814448d
    • Valentin Rothberg's avatar
      security/apparmor/lsm.c: set debug messages · eea7a05f
      Valentin Rothberg authored
      Add the _APPARMOR substring to reference the intended Kconfig option.
      Signed-off-by: default avatarValentin Rothberg <valentinrothberg@gmail.com>
      Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
      Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
      eea7a05f
    • kbuild test robot's avatar
      apparmor: fix boolreturn.cocci warnings · b9c42ac7
      kbuild test robot authored
      security/apparmor/lib.c:132:9-10: WARNING: return of 0/1 in function 'aa_policy_init' with return type bool
      
       Return statements in functions returning bool should use
       true/false instead of 1/0.
      Generated by: scripts/coccinelle/misc/boolreturn.cocci
      Signed-off-by: default avatarFengguang Wu <fengguang.wu@intel.com>
      Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
      Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
      b9c42ac7
  8. 04 Apr, 2017 11 commits
    • Tetsuo Handa's avatar
      Smack: Use GFP_KERNEL for smk_netlbl_mls(). · af96f0d6
      Tetsuo Handa authored
      Since all callers of smk_netlbl_mls() are GFP_KERNEL context
      (smk_set_cipso() calls memdup_user_nul(), init_smk_fs() calls
      __kernfs_new_node(), smk_import_entry() calls kzalloc(GFP_KERNEL)),
      it is safe to use GFP_KERNEL from netlbl_catmap_setbit().
      Signed-off-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Signed-off-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      af96f0d6
    • Tetsuo Handa's avatar
      smack: fix double free in smack_parse_opts_str() · c3c8dc9f
      Tetsuo Handa authored
      smack_parse_opts_str() calls kfree(opts->mnt_opts) when kcalloc() for
      opts->mnt_opts_flags failed. But it should not have called it because
      security_free_mnt_opts() will call kfree(opts->mnt_opts).
      Signed-off-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Signed-off-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      fixes: 3bf2789c ("smack: allow mount opts setting over filesystems with binary mount data")
      Cc: Vivek Trivedi <t.vivek@samsung.com>
      Cc: Amit Sahrawat <a.sahrawat@samsung.com>
      Cc: Casey Schaufler <casey@schaufler-ca.com>
      c3c8dc9f
    • Stephan Mueller's avatar
      KEYS: add SP800-56A KDF support for DH · f1c316a3
      Stephan Mueller authored
      SP800-56A defines the use of DH with key derivation function based on a
      counter. The input to the KDF is defined as (DH shared secret || other
      information). The value for the "other information" is to be provided by
      the caller.
      
      The KDF is implemented using the hash support from the kernel crypto API.
      The implementation uses the symmetric hash support as the input to the
      hash operation is usually very small. The caller is allowed to specify
      the hash name that he wants to use to derive the key material allowing
      the use of all supported hashes provided with the kernel crypto API.
      
      As the KDF implements the proper truncation of the DH shared secret to
      the requested size, this patch fills the caller buffer up to its size.
      
      The patch is tested with a new test added to the keyutils user space
      code which uses a CAVS test vector testing the compliance with
      SP800-56A.
      Signed-off-by: default avatarStephan Mueller <smueller@chronox.de>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      f1c316a3
    • David Howells's avatar
      Merge branch 'keyctl-restrict' of... · f0df90cd
      David Howells authored
      Merge branch 'keyctl-restrict' of git://git.kernel.org/pub/scm/linux/kernel/git/martineau/linux into keys-next
      
      To quote Mat Martineau:
      
      """
      Keyrings recently acquired the ability to validate keys before they are
      linked using kernel internal APIs. This patch set enables configuration
      of restricted keyrings from userspace.
      
      These patches apply to linux-fs/keys-misc and are also available here:
      
          https://git.kernel.org/cgit/linux/kernel/git/martineau/linux.git/log/?h=keyctl-restrict
      
      v13: Detect and avoid cycles in restriction references, and change
      restrictions to store a single key pointer rather than arbitrary data.
      
      v12: Rework the KEYCTL_RESTRICT_KEYRING command to take an additional
      parameter, renamed some functions based on feedback, and dropped an
      unnecessary locking change (patch 1 in previous set).
      
      v11: Configure restrictions using KEYCTL_RESTRICT_KEYRING instead of
      using a keyring payload at creation time. Make the garbage collector
      aware of restrictions.
      
      v10: Fixups from maintainer feedback. Added some missing documentation.
      
      v9: Rebased on linux-fs/keys-misc (v4.9-rc5)
      
      v8: Add option to look for signing keys within the destination keyring.
      Fix a consistency issue with keyring locking and restriction checks.
      
      v7: Rework key restriction payload syntax. Move key-type-specific payload
      parsing to the key-type. Attach more restriction information to keyrings
      (restriction function, data, and data free) so future restrictions are not
      limited to storing a key ID to use for key validation. Validate key before
      using it to verify another key. Modify key type locking model to allow key
      type lookup during keyring creation.
      
      v6: Return error if only restrict_key is supplied, address misc. review
      comments.
      
      v5: Fixed signature bypass problem in patch 3/6
      
      v4: Added userspace restriction options based on builtin keyrings.
      restrict_link_by_signature implementation is no longer modified. Split
      up v3's patch 2/5 to isolate the change to key.h.
      
      v3: Updated commit message for patch 2/5 (restrict_link_by_signature_indirect)
      
      v2: Payload is now preparsed
      """
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      f0df90cd
    • Mat Martineau's avatar
      KEYS: Keyring asymmetric key restrict method with chaining · 8e323a02
      Mat Martineau authored
      Add a restrict_link_by_key_or_keyring_chain link restriction that
      searches for signing keys in the destination keyring in addition to the
      signing key or keyring designated when the destination keyring was
      created. Userspace enables this behavior by including the "chain" option
      in the keyring restriction:
      
        keyctl(KEYCTL_RESTRICT_KEYRING, keyring, "asymmetric",
               "key_or_keyring:<signing key>:chain");
      Signed-off-by: default avatarMat Martineau <mathew.j.martineau@linux.intel.com>
      8e323a02
    • Mat Martineau's avatar
      KEYS: Restrict asymmetric key linkage using a specific keychain · 7e3c4d22
      Mat Martineau authored
      Adds restrict_link_by_signature_keyring(), which uses the restrict_key
      member of the provided destination_keyring data structure as the
      key or keyring to search for signing keys.
      Signed-off-by: default avatarMat Martineau <mathew.j.martineau@linux.intel.com>
      7e3c4d22
    • Mat Martineau's avatar
      KEYS: Add a lookup_restriction function for the asymmetric key type · 97d3aa0f
      Mat Martineau authored
      Look up asymmetric keyring restriction information using the key-type
      lookup_restrict hook.
      Signed-off-by: default avatarMat Martineau <mathew.j.martineau@linux.intel.com>
      97d3aa0f
    • Mat Martineau's avatar
      KEYS: Add KEYCTL_RESTRICT_KEYRING · 6563c91f
      Mat Martineau authored
      Keyrings recently gained restrict_link capabilities that allow
      individual keys to be validated prior to linking.  This functionality
      was only available using internal kernel APIs.
      
      With the KEYCTL_RESTRICT_KEYRING command existing keyrings can be
      configured to check the content of keys before they are linked, and
      then allow or disallow linkage of that key to the keyring.
      
      To restrict a keyring, call:
      
        keyctl(KEYCTL_RESTRICT_KEYRING, key_serial_t keyring, const char *type,
               const char *restriction)
      
      where 'type' is the name of a registered key type and 'restriction' is a
      string describing how key linkage is to be restricted. The restriction
      option syntax is specific to each key type.
      Signed-off-by: default avatarMat Martineau <mathew.j.martineau@linux.intel.com>
      6563c91f
    • Mat Martineau's avatar
      KEYS: Consistent ordering for __key_link_begin and restrict check · 4a420896
      Mat Martineau authored
      The keyring restrict callback was sometimes called before
      __key_link_begin and sometimes after, which meant that the keyring
      semaphores were not always held during the restrict callback.
      
      If the semaphores are consistently acquired before checking link
      restrictions, keyring contents cannot be changed after the restrict
      check is complete but before the evaluated key is linked to the keyring.
      Signed-off-by: default avatarMat Martineau <mathew.j.martineau@linux.intel.com>
      4a420896
    • Mat Martineau's avatar
      KEYS: Add an optional lookup_restriction hook to key_type · efba797b
      Mat Martineau authored
      The restrict_link functions used to validate keys as they are linked
      to a keyring can be associated with specific key types.  Each key type
      may be loaded (or not) at runtime, so lookup of restrict_link
      functions needs to be part of the key type implementation to ensure
      that the requested keys can be examined.
      Signed-off-by: default avatarMat Martineau <mathew.j.martineau@linux.intel.com>
      efba797b
    • Mat Martineau's avatar
      KEYS: Use structure to capture key restriction function and data · 2b6aa412
      Mat Martineau authored
      Replace struct key's restrict_link function pointer with a pointer to
      the new struct key_restriction. The structure contains pointers to the
      restriction function as well as relevant data for evaluating the
      restriction.
      
      The garbage collector checks restrict_link->keytype when key types are
      unregistered. Restrictions involving a removed key type are converted
      to use restrict_link_reject so that restrictions cannot be removed by
      unregistering key types.
      Signed-off-by: default avatarMat Martineau <mathew.j.martineau@linux.intel.com>
      2b6aa412
  9. 03 Apr, 2017 13 commits