1. 14 Jan, 2015 1 commit
  2. 04 Dec, 2014 1 commit
  3. 01 Dec, 2014 1 commit
  4. 26 Nov, 2014 1 commit
  5. 21 Nov, 2014 1 commit
    • Andrey Ryabinin's avatar
      security: smack: fix out-of-bounds access in smk_parse_smack() · 5c1b6624
      Andrey Ryabinin authored
      Setting smack label on file (e.g. 'attr -S -s SMACK64 -V "test" test')
      triggered following spew on the kernel with KASan applied:
          ==================================================================
          BUG: AddressSanitizer: out of bounds access in strncpy+0x28/0x60 at addr ffff8800059ad064
          =============================================================================
          BUG kmalloc-8 (Not tainted): kasan error
          -----------------------------------------------------------------------------
      
          Disabling lock debugging due to kernel taint
          INFO: Slab 0xffffea0000166b40 objects=128 used=7 fp=0xffff8800059ad080 flags=0x4000000000000080
          INFO: Object 0xffff8800059ad060 @offset=96 fp=0xffff8800059ad080
      
          Bytes b4 ffff8800059ad050: a0 df 9a 05 00 88 ff ff 5a 5a 5a 5a 5a 5a 5a 5a  ........ZZZZZZZZ
          Object ffff8800059ad060: 74 65 73 74 6b 6b 6b a5                          testkkk.
          Redzone ffff8800059ad068: cc cc cc cc cc cc cc cc                          ........
          Padding ffff8800059ad078: 5a 5a 5a 5a 5a 5a 5a 5a                          ZZZZZZZZ
          CPU: 0 PID: 528 Comm: attr Tainted: G    B          3.18.0-rc1-mm1+ #5
          Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
           0000000000000000 ffff8800059ad064 ffffffff81534cf2 ffff880005a5bc40
           ffffffff8112fe1a 0000000100800006 0000000f059ad060 ffff880006000f90
           0000000000000296 ffffea0000166b40 ffffffff8107ca97 ffff880005891060
          Call Trace:
          ? dump_stack (lib/dump_stack.c:52)
          ? kasan_report_error (mm/kasan/report.c:102 mm/kasan/report.c:178)
          ? preempt_count_sub (kernel/sched/core.c:2651)
          ? __asan_load1 (mm/kasan/kasan.h:50 mm/kasan/kasan.c:248 mm/kasan/kasan.c:358)
          ? strncpy (lib/string.c:121)
          ? strncpy (lib/string.c:121)
          ? smk_parse_smack (security/smack/smack_access.c:457)
          ? setxattr (fs/xattr.c:343)
          ? smk_import_entry (security/smack/smack_access.c:514)
          ? smack_inode_setxattr (security/smack/smack_lsm.c:1093 (discriminator 1))
          ? security_inode_setxattr (security/security.c:602)
          ? vfs_setxattr (fs/xattr.c:134)
          ? setxattr (fs/xattr.c:343)
          ? setxattr (fs/xattr.c:360)
          ? get_parent_ip (kernel/sched/core.c:2606)
          ? preempt_count_sub (kernel/sched/core.c:2651)
          ? __percpu_counter_add (arch/x86/include/asm/preempt.h:98 lib/percpu_counter.c:90)
          ? get_parent_ip (kernel/sched/core.c:2606)
          ? preempt_count_sub (kernel/sched/core.c:2651)
          ? __mnt_want_write (arch/x86/include/asm/preempt.h:98 fs/namespace.c:359)
          ? path_setxattr (fs/xattr.c:380)
          ? SyS_lsetxattr (fs/xattr.c:397)
          ? system_call_fastpath (arch/x86/kernel/entry_64.S:423)
          Read of size 1 by task attr:
          Memory state around the buggy address:
           ffff8800059ace80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
           ffff8800059acf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
           ffff8800059acf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
          >ffff8800059ad000: 00 fc fc fc 00 fc fc fc 05 fc fc fc 04 fc fc fc
                                                                 ^
           ffff8800059ad080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
           ffff8800059ad100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
           ffff8800059ad180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
          ==================================================================
      
      strncpy() copies one byte more than the source string has.
      Fix this by passing the correct length to strncpy().
      
      Now we can remove initialization of the last byte in 'smack' string
      because kzalloc() already did this for us.
      Signed-off-by: default avatarAndrey Ryabinin <a.ryabinin@samsung.com>
      5c1b6624
  6. 19 Nov, 2014 2 commits
  7. 18 Nov, 2014 6 commits
  8. 12 Nov, 2014 1 commit
  9. 31 Oct, 2014 1 commit
    • Rohit's avatar
      Security: smack: replace kzalloc with kmem_cache for inode_smack · 1a5b472b
      Rohit authored
      The patch use kmem_cache to allocate/free inode_smack since they are
      alloced in high volumes making it a perfect case for kmem_cache.
      
      As per analysis, 24 bytes of memory is wasted per allocation due
      to internal fragmentation. With kmem_cache, this can be avoided.
      
      Accounting of memory allocation is below :
       total       slack            net      count-alloc/free        caller
      Before (with kzalloc)
      1919872      719952          1919872      29998/0          new_inode_smack+0x14
      
      After (with kmem_cache)
      1201680          0           1201680      30042/0          new_inode_smack+0x18
      
      >From above data, we found that 719952 bytes(~700 KB) of memory is
      saved on allocation of 29998 smack inodes.
      Signed-off-by: default avatarRohit <rohit.kr@samsung.com>
      1a5b472b
  10. 28 Oct, 2014 1 commit
    • Casey Schaufler's avatar
      Smack: Lock mode for the floor and hat labels · 6c892df2
      Casey Schaufler authored
      The lock access mode allows setting a read lock on a file
      for with the process has only read access. The floor label is
      defined to make it easy to have the basic system installed such
      that everyone can read it. Once there's a desire to read lock
      (rationally or otherwise) a floor file a rule needs to get set.
      This happens all the time, so make the floor label a little bit
      more special and allow everyone lock access, too. By implication,
      give processes with the hat label (hat can read everything)
      lock access as well. This reduces clutter in the Smack rule set.
      Signed-off-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      6c892df2
  11. 15 Oct, 2014 1 commit
    • Stephen Smalley's avatar
      selinux: fix inode security list corruption · 923190d3
      Stephen Smalley authored
      sb_finish_set_opts() can race with inode_free_security()
      when initializing inode security structures for inodes
      created prior to initial policy load or by the filesystem
      during ->mount().   This appears to have always been
      a possible race, but commit 3dc91d43 ("SELinux:  Fix possible
      NULL pointer dereference in selinux_inode_permission()")
      made it more evident by immediately reusing the unioned
      list/rcu element  of the inode security structure for call_rcu()
      upon an inode_free_security().  But the underlying issue
      was already present before that commit as a possible use-after-free
      of isec.
      
      Shivnandan Kumar reported the list corruption and proposed
      a patch to split the list and rcu elements out of the union
      as separate fields of the inode_security_struct so that setting
      the rcu element would not affect the list element.  However,
      this would merely hide the issue and not truly fix the code.
      
      This patch instead moves up the deletion of the list entry
      prior to dropping the sbsec->isec_lock initially.  Then,
      if the inode is dropped subsequently, there will be no further
      references to the isec.
      Reported-by: default avatarShivnandan Kumar <shivnandan.k@samsung.com>
      Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      923190d3
  12. 13 Oct, 2014 5 commits
    • Roberto Sassu's avatar
      ima: added support for new kernel cmdline parameter ima_template_fmt · c2426d2a
      Roberto Sassu authored
      This patch allows users to provide a custom template format through the
      new kernel command line parameter 'ima_template_fmt'. If the supplied
      format is not valid, IMA uses the default template descriptor.
      
      Changelog:
       - v3:
         - added check for 'fields' and 'num_fields' in
           template_desc_init_fields() (suggested by Mimi Zohar)
      
       - v2:
         - using template_desc_init_fields() to validate a format string
           (Roberto Sassu)
         - updated documentation by stating that only the chosen template
           descriptor is initialized (Roberto Sassu)
      
       - v1:
         - simplified code of ima_template_fmt_setup()
           (Roberto Sassu, suggested by Mimi Zohar)
      Signed-off-by: default avatarRoberto Sassu <roberto.sassu@polito.it>
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      c2426d2a
    • Roberto Sassu's avatar
      ima: allocate field pointers array on demand in template_desc_init_fields() · 1bd7face
      Roberto Sassu authored
      The allocation of a field pointers array is moved at the end of
      template_desc_init_fields() and done only if the value of the 'fields'
      and 'num_fields' parameters is not NULL. For just validating a template
      format string, retrieved template field pointers are placed in a temporary
      array.
      
      Changelog:
       - v3:
         - do not check in this patch if 'fields' and 'num_fields' are NULL
           (suggested by Mimi Zohar)
      Signed-off-by: default avatarRoberto Sassu <roberto.sassu@polito.it>
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      1bd7face
    • Roberto Sassu's avatar
      ima: don't allocate a copy of template_fmt in template_desc_init_fields() · 9f3166b8
      Roberto Sassu authored
      This patch removes the allocation of a copy of 'template_fmt', needed for
      iterating over all fields in the passed template format string. The removal
      was possible by replacing strcspn(), which modifies the passed string,
      with strchrnul(). The currently processed template field is copied in
      a temporary variable.
      
      The purpose of this change is use template_desc_init_fields() in two ways:
      for just validating a template format string (the function should work
      if called by a setup function, when memory cannot be allocated), and for
      actually initializing a template descriptor. The implementation of this
      feature will be complete with the next patch.
      
      Changelog:
       - v3:
         - added 'goto out' in template_desc_init_fields() to free allocated
           memory if a template field length is not valid (suggested by
           Mimi Zohar)
      Signed-off-by: default avatarRoberto Sassu <roberto.sassu@polito.it>
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      9f3166b8
    • Roberto Sassu's avatar
      ima: display template format in meas. list if template name length is zero · 7dbdb420
      Roberto Sassu authored
      With the introduction of the 'ima_template_fmt' kernel cmdline parameter,
      a user can define a new template descriptor with custom format. However,
      in this case, userspace tools will be unable to parse the measurements
      list because the new template is unknown. For this reason, this patch
      modifies the current IMA behavior to display in the list the template
      format instead of the name (only if the length of the latter is zero)
      so that a tool can extract needed information if it can handle listed
      fields.
      
      This patch also correctly displays the error log message in
      ima_init_template() if the selected template cannot be initialized.
      
      Changelog:
       - v3:
         - check the first byte of 'e->template_desc->name' instead of using
           strlen() in ima_fs.c (suggested by Mimi Zohar)
      
       - v2:
         - print the template format in ima_init_template(), if the selected
           template is custom (Roberto Sassu)
      
       - v1:
         - fixed patch description (Roberto Sassu, suggested by Mimi Zohar)
         - set 'template_name' variable in ima_fs.c only once
           (Roberto Sassu, suggested by Mimi Zohar)
      Signed-off-by: default avatarRoberto Sassu <roberto.sassu@polito.it>
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      7dbdb420
    • Roberto Sassu's avatar
      ima: added error messages to template-related functions · 71fed2ee
      Roberto Sassu authored
      This patch adds some error messages to inform users about the following
      events: template descriptor not found, invalid template descriptor,
      template field not found and template initialization failed.
      
      Changelog:
       - v2:
         - display an error message if the format string contains too many
           fields (Roberto Sassu)
      Signed-off-by: default avatarRoberto Sassu <roberto.sassu@polito.it>
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      71fed2ee
  13. 12 Oct, 2014 4 commits
  14. 07 Oct, 2014 4 commits
  15. 06 Oct, 2014 5 commits
  16. 05 Oct, 2014 2 commits
  17. 04 Oct, 2014 1 commit
  18. 03 Oct, 2014 2 commits