- 11 Apr, 2014 4 commits
-
-
Lukasz Pawelczyk authored
This allows to limit ptrace beyond the regular smack access rules. It adds a smackfs/ptrace interface that allows smack to be configured to require equal smack labels for PTRACE_MODE_ATTACH access. See the changes in Documentation/security/Smack.txt below for details. Signed-off-by:
Lukasz Pawelczyk <l.pawelczyk@partner.samsung.com> Signed-off-by:
Rafal Krypa <r.krypa@samsung.com>
-
Lukasz Pawelczyk authored
The decision whether we can trace a process is made in the following functions: smack_ptrace_traceme() smack_ptrace_access_check() smack_bprm_set_creds() (in case the proces is traced) This patch unifies all those decisions by introducing one function that checks whether ptrace is allowed: smk_ptrace_rule_check(). This makes possible to actually trace with TRACEME where first the TRACEME itself must be allowed and then exec() on a traced process. Additional bugs fixed: - The decision is made according to the mode parameter that is now correctly translated from PTRACE_MODE_* to MAY_* instead of being treated 1:1. PTRACE_MODE_READ requires MAY_READ. PTRACE_MODE_ATTACH requires MAY_READWRITE. - Add a smack audit log in case of exec() refused by bprm_set_creds(). - Honor the PTRACE_MODE_NOAUDIT flag and don't put smack audit info in case this flag is set. Signed-off-by:
-
Lukasz Pawelczyk authored
The order of subject/object is currently reversed in smack_ptrace_traceme(). It is currently checked if the tracee has a capability to trace tracer and according to this rule a decision is made whether the tracer will be allowed to trace tracee. Signed-off-by:
-
José Bollo authored
Fix a possible memory access fault when transmute is true and isp is NULL. Signed-off-by:José Bollo <jose.bollo@open.eurogiciel.org>
-
- 19 Mar, 2014 3 commits
-
-
Paul Moore authored
This patch is based on an earlier patch by Eric Paris, he describes the problem below: "If an inode is accessed before policy load it will get placed on a list of inodes to be initialized after policy load. After policy load we call inode_doinit() which calls inode_doinit_with_dentry() on all inodes accessed before policy load. In the case of inodes in procfs that means we'll end up at the bottom where it does: /* Default to the fs superblock SID. */ isec->sid = sbsec->sid; if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) { if (opt_dentry) { isec->sclass = inode_mode_to_security_class(...) rc = selinux_proc_get_sid(opt_dentry, isec->sclass, &sid); if (rc) goto out_unlock; isec->sid = sid; } } Since opt_dentry is null, we'll never call selinux_proc_get_sid() and will leave the inode labeled with the label on the superblock. I believe a fix would be to mimic the behavior of xattrs. Look for an alias of the inode. If it can't be found, just leave the inode uninitialized (and pick it up later) if it can be found, we should be able to call selinux_proc_get_sid() ..." On a system exhibiting this problem, you will notice a lot of files in /proc with the generic "proc_t" type (at least the ones that were accessed early in the boot), for example: # ls -Z /proc/sys/kernel/shmmax | awk '{ print $4 " " $5 }' system_u:object_r:proc_t:s0 /proc/sys/kernel/shmmax However, with this patch in place we see the expected result: # ls -Z /proc/sys/kernel/shmmax | awk '{ print $4 " " $5 }' system_u:object_r:sysctl_kernel_t:s0 /proc/sys/kernel/shmmax Cc: Eric Paris <eparis@redhat.com> Signed-off-by:Paul Moore <pmoore@redhat.com> Acked-by:
Eric Paris <eparis@redhat.com>
-
Paul Moore authored
It turns out that doing the SELinux MAC checks for mmap() before the DAC checks was causing users and the SELinux policy folks headaches as users were seeing a lot of SELinux AVC denials for the memprotect:mmap_zero permission that would have also been denied by the normal DAC capability checks (CAP_SYS_RAWIO). Example: # cat mmap_test.c #include <stdlib.h> #include <stdio.h> #include <errno.h> #include <sys/mman.h> int main(int argc, char *argv[]) { int rc; void *mem; mem = mmap(0x0, 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0); if (mem == MAP_FAILED) return errno; printf("mem = %p\n", mem); munmap(mem, 4096); return 0; } # gcc -g -O0 -o mmap_test mmap_test.c # ./mmap_test mem = (nil) # ausearch -m AVC | grep mmap_zero type=AVC msg=audit(...): avc: denied { mmap_zero } for pid=1025 comm="mmap_test" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect This patch corrects things so that when the above example is run by a user without CAP_SYS_RAWIO the SELinux AVC is no longer generated as the DAC capability check fails before the SELinux permission check. Signed-off-by:Stephen Smalley <sds@tycho.nsa.gov>
-
Paul Moore authored
Correctly tag the SELinux mailing list as moderated for non-subscribers and do some shuffling of the SELinux maintainers to try and make things more clear when the scripts/get_maintainer.pl script is used. # ./scripts/get_maintainer.pl -f security/selinux Paul Moore <paul@paul-moore.com> (supporter:SELINUX SECURITY...) Stephen Smalley <sds@tycho.nsa.gov> (supporter:SELINUX SECURITY...) Eric Paris <eparis@parisplace.org> (supporter:SELINUX SECURITY...) James Morris <james.l.morris@oracle.com> (supporter:SECURITY SUBSYSTEM) selinux@tycho.nsa.gov (moderated list:SELINUX SECURITY...) linux-security-module@vger.kernel.org (open list:SECURITY SUBSYSTEM) linux-kernel@vger.kernel.org (open list) Cc: Stephen Smalley <sds@tycho.nsa.gov> Cc: Eric Paris <eparis@parisplace.org> Cc: James Morris <james.l.morris@oracle.com> Signed-off-by:
-
- 12 Mar, 2014 1 commit
-
-
James Morris authored
Merge branch 'next-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity into next
-
- 07 Mar, 2014 14 commits
-
-
Dmitry Kasatkin authored
If keys are not enabled, EVM is not visible in the configuration menu. It may be difficult to figure out what to do unless you really know. Other subsystems as NFS, CIFS select keys automatically. This patch does the same. This patch also removes '(TRUSTED_KEYS=y || TRUSTED_KEYS=n)' dependency, which is unnecessary. EVM does not depend on trusted keys, but on encrypted keys. evm.h provides compile time dependency. Signed-off-by:
Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by:
Mimi Zohar <zohar@linux.vnet.ibm.com>
-
Dmitry Kasatkin authored
Memory allocation is unnecessary for empty files. This patch calculates the hash without memory allocation. Signed-off-by:
-
Dmitry Kasatkin authored
EVM does not use MD5 HMAC. Selection of CRYPTO_MD5 can be safely removed. Signed-off-by:
-
Dmitry Kasatkin authored
This is a small refactoring so ima_d_path() returns dentry name if path reconstruction fails. It simplifies callers actions and removes code duplication. Signed-off-by:
-
Dmitry Kasatkin authored
Between checkpatch changes (eg. sizeof) and inconsistencies between Lindent and checkpatch, unfixed checkpatch errors make it difficult to see new errors. This patch fixes them. Some lines with over 80 chars remained unchanged to improve code readability. The "extern" keyword is removed from internal evm.h to make it consistent with internal ima.h. Signed-off-by:
-
Dmitry Kasatkin authored
ima_inode_post_setattr() calls ima_must_appraise() to check if the file needs to be appraised. If it does not then it removes security.ima xattr. With original policy matching code it might happen that even file needs to be appraised with FILE_CHECK hook, it might not be for POST_SETATTR hook. 'security.ima' might be erronously removed. This patch treats POST_SETATTR as special wildcard function and will cause ima_must_appraise() to be true if any of the hooks rules matches. security.ima will not be removed if any of the hooks would require appraisal. Signed-off-by:
-
Joe Perches authored
Convert printks to pr_<level>. Add pr_fmt. Remove embedded prefixes. Signed-off-by:
Joe Perches <joe@perches.com> Signed-off-by:
-
Mimi Zohar authored
Changes for Trusted/Encrypted keys, EVM, and IMA. Signed-off-by: -
Roberto Sassu authored
Before this change, to correctly calculate the template digest for the 'ima' template, the event name field (id: 'n') length was set to the fixed size of 256 bytes. This patch reduces the length of the event name field to the string length incremented of one (to make room for the termination character '\0') and handles the specific case of the digest calculation for the 'ima' template directly in ima_calc_field_array_hash_tfm(). Signed-off-by:
Roberto Sassu <roberto.sassu@polito.it> Signed-off-by:
-
Roberto Sassu authored
With the new template mechanism introduced in IMA since kernel 3.13, the format of data sent through the binary_runtime_measurements interface is slightly changed. Now, for a generic measurement, the format of template data (after the template name) is: template_len | field1_len | field1 | ... | fieldN_len | fieldN In addition, fields containing a string now include the '\0' termination character. Instead, the format for the 'ima' template should be: SHA1 digest | event name length | event name It must be noted that while in the IMA 3.13 code 'event name length' is 'IMA_EVENT_NAME_LEN_MAX + 1' (256 bytes), so that the template digest is calculated correctly, and 'event name' contains '\0', in the pre 3.13 code 'event name length' is exactly the string length and 'event name' does not contain the termination character. The patch restores the behavior of the IMA code pre 3.13 for the 'ima' template so that legacy userspace tools obtain a consistent behavior when receiving data from the binary_runtime_measurements interface regardless of which kernel version is used. Signed-off-by:
-
Tetsuo Handa authored
When we pass task->comm to audit_log_untrustedstring(), we need to pass it via get_task_comm() because task->comm can be changed to contain untrusted string by other threads after audit_log_untrustedstring() confirmed that task->comm does not contain untrusted string. Signed-off-by:
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by:
-
Mimi Zohar authored
On a 64-bit system, a hole exists in the 'inode' structure after i_writecount. This patch moves i_readcount to fill this hole. Reported-by:
David Howells <dhowells@redhat.com> Signed-off-by:
-
Mimi Zohar authored
A const char pointer allocates memory for a pointer as well as for a string, This patch replaces a number of the const char pointers throughout IMA, with a static const char array. Suggested-by:
-
Jeff Layton authored
Currently, cap_dentry_init_security returns 0 without actually initializing the security label. This confuses its only caller (nfs4_label_init_security) which expects an error in that situation, and causes it to end up sending out junk onto the wire instead of simply suppressing the label in the attributes sent. When CONFIG_SECURITY is disabled, security_dentry_init_security returns -EOPNOTSUPP. Have cap_dentry_init_security do the same. Signed-off-by:
Jeff Layton <jlayton@redhat.com> Acked-by:
Serge E. Hallyn <serge.hallyn@ubuntu.com> Signed-off-by:
James Morris <james.l.morris@oracle.com>
-
- 04 Mar, 2014 1 commit
-
-
Libo Chen authored
Replace "file->f_dentry->d_inode" with the new file_inode() helper function. Signed-off-by:
Libo Chen <clbchenlibo.chen@huawei.com> Signed-off-by:
-
- 28 Feb, 2014 1 commit
-
-
Rashika Kheria authored
Mark function as static in kernel/seccomp.c because it is not used outside this file. This eliminates the following warning in kernel/seccomp.c: kernel/seccomp.c:296:6: warning: no previous prototype for ?seccomp_attach_user_filter? [-Wmissing-prototypes] Signed-off-by:
Rashika Kheria <rashika.kheria@gmail.com> Reviewed-by:
Josh Triplett <josh@joshtriplett.org> Acked-by:
Kees Cook <keescook@chromium.org> Acked-by:
Will Drewry <wad@chromium.org> Signed-off-by:
-
- 24 Feb, 2014 1 commit
-
-
Joe Perches authored
Prefix logging output with "capability: " via pr_fmt. Convert printks to pr_<level>. Use pr_<level>_once instead of guard flags. Coalesce formats. Signed-off-by:
-
- 17 Feb, 2014 1 commit
-
-
Sam Ravnborg authored
The Makefiles in security/ uses a non-standard way to specify sub-directories for building. Fix it up so the normal (and documented) approach is used. Signed-off-by:
Sam Ravnborg <sam@ravnborg.org> Cc: Michal Marek <mmarek@suse.cz> Signed-off-by:
-
- 06 Feb, 2014 2 commits
-
-
Paul Moore authored
Correctly tag the SELinux mailing list as moderated for non-subscribers and do some shuffling of the SELinux maintainers to try and make things more clear when the scripts/get_maintainer.pl script is used. # ./scripts/get_maintainer.pl -f security/selinux Paul Moore <paul@paul-moore.com> (supporter:SELINUX SECURITY...) Stephen Smalley <sds@tycho.nsa.gov> (supporter:SELINUX SECURITY...) Eric Paris <eparis@parisplace.org> (supporter:SELINUX SECURITY...) James Morris <james.l.morris@oracle.com> (supporter:SECURITY SUBSYSTEM) selinux@tycho.nsa.gov (moderated list:SELINUX SECURITY...) linux-security-module@vger.kernel.org (open list:SECURITY SUBSYSTEM) linux-kernel@vger.kernel.org (open list) Cc: Eric Paris <eparis@parisplace.org> Acked-by:
-
Jingoo Han authored
The usage of strict_strto*() is not preferred, because strict_strto*() is obsolete. Thus, kstrto*() should be used. Signed-off-by:
Jingoo Han <jg1.han@samsung.com> Signed-off-by:
-
- 08 Jan, 2014 1 commit
-
-
- 07 Jan, 2014 1 commit
-
-
Tetsuo Handa authored
Hello. I got below leak with linux-3.10.0-54.0.1.el7.x86_64 . [ 681.903890] kmemleak: 5538 new suspected memory leaks (see /sys/kernel/debug/kmemleak) Below is a patch, but I don't know whether we need special handing for undoing ebitmap_set_bit() call. ---------- >>From fe97527a90fe95e2239dfbaa7558f0ed559c0992 Mon Sep 17 00:00:00 2001 From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Date: Mon, 6 Jan 2014 16:30:21 +0900 Subject: [PATCH] SELinux: Fix memory leak upon loading policy Commit 2463c26d "SELinux: put name based create rules in a hashtable" did not check return value from hashtab_insert() in filename_trans_read(). It leaks memory if hashtab_insert() returns error. unreferenced object 0xffff88005c9160d0 (size 8): comm "systemd", pid 1, jiffies 4294688674 (age 235.265s) hex dump (first 8 bytes): 57 0b 00 00 6b 6b 6b a5 W...kkk. backtrace: [<ffffffff816604ae>] kmemleak_alloc+0x4e/0xb0 [<ffffffff811cba5e>] kmem_cache_alloc_trace+0x12e/0x360 [<ffffffff812aec5d>] policydb_read+0xd1d/0xf70 [<ffffffff812b345c>] security_load_policy+0x6c/0x500 [<ffffffff812a623c>] sel_write_load+0xac/0x750 [<ffffffff811eb680>] vfs_write+0xc0/0x1f0 [<ffffffff811ec08c>] SyS_write+0x4c/0xa0 [<ffffffff81690419>] system_call_fastpath+0x16/0x1b [<ffffffffffffffff>] 0xffffffffffffffff However, we should not return EEXIST error to the caller, or the systemd will show below message and the boot sequence freezes. systemd[1]: Failed to load SELinux policy. Freezing. Signed-off-by:
-
- 06 Jan, 2014 10 commits
-
-
git://git.infradead.org/users/pcmoore/selinuxJames Morris authored
Conflicts: security/selinux/hooks.c Resolved using request struct. Signed-off-by: -
Fengguang Wu authored
so we make it static CC: Jason Gunthorpe <jgunthorpe@obsidianresearch.com> CC: Peter Huewe <peterhuewe@gmx.de> Signed-off-by:
Fengguang Wu <fengguang.wu@intel.com> Signed-off-by:
Peter Huewe <peterhuewe@gmx.de>
-
Jason Gunthorpe authored
If CONFIG_PM_SLEEP=n, CONFIG_PNP=y we get this warning: drivers/char/tpm/tpm_tis.c:706:13: warning: 'tpm_tis_reenable_interrupts' defined but not used [-Wunused-function] This seems to have been introduced in a2fa3fb0 'tpm: convert tpm_tis driver to use dev_pm_ops from legacy pm_ops' Also, unpon reviewing, the #ifdefs around tpm_tis_pm are not right, the first reference is protected, the second is not. tpm_tis_pm is always defined so we can drop the #ifdef. Signed-off-by:
Jason Gunthorpe <jgunthorpe@obsidianresearch.com> Signed-off-by:
-
Jason Gunthorpe authored
This consolidates everything that is only used within tpm-dev.c into tpm-dev.c and out of the publicly visible struct tpm_chip. The per-file allocation lays the ground work for someday fixing the strange forced O_EXCL behaviour of the current code. Signed-off-by:
Joel Schopp <jschopp@linux.vnet.ibm.com> Reviewed-by:
Ashley Lai <adlai@linux.vnet.ibm.com> Signed-off-by:
-
Jason Gunthorpe authored
This builds on the last commit to use the ops structure in the core and reduce the size of tpm_vendor_specific. Signed-off-by:
-
Jason Gunthorpe authored
This replaces the static initialization of a tpm_vendor_specific structure in the drivers with the standard Linux idiom of providing a const structure of function pointers. Signed-off-by:
-
Jason Gunthorpe authored
The tpm core now sets up and controls all sysfs attributes, instead of having each driver have a unique take on it. All drivers now now have a uniform set of attributes, and no sysfs related entry points are exported from the tpm core module. This also uses the new method used to declare sysfs attributes with DEVICE_ATTR_RO and 'struct attribute *' Signed-off-by:
-
Jason Gunthorpe authored
CLASS-sysfs.c is a common idiom for linux subsystems. This is the first step to pulling all the sysfs support code from the drivers into tpm-sysfs. This is a plain text copy from tpm-interface with support changes to make it compile. _tpm_pcr_read is made non-static and is called tpm_pcr_read_dev. Signed-off-by:
-
Jason Gunthorpe authored
CLASS-dev.c is a common idiom for Linux subsystems This pulls all the code related to the miscdev into tpm-dev.c and makes it static. The identical file_operation structs in the drivers are purged and the tpm common code unconditionally creates the miscdev. Signed-off-by:
-
Michal Nazarewicz authored
“wait” wait queue is defined but never used in the function, thus it can be removed. Signed-off-by:
Michal Nazarewicz <mina86@mina86.com> Acked-by:
-
