1. 19 Mar, 2021 3 commits
    • Ondrej Mosnacek's avatar
      selinuxfs: unify policy load error reporting · ee5de60a
      Ondrej Mosnacek authored
      Let's drop the pr_err()s from sel_make_policy_nodes() and just add one
      pr_warn_ratelimited() call to the sel_make_policy_nodes() error path in
      sel_write_load().
      
      Changing from error to warning makes sense, since after 02a52c5c
      ("selinux: move policy commit after updating selinuxfs"), this error
      path no longer leads to a broken selinuxfs tree (it's just kept in the
      original state and policy load is aborted).
      
      I also added _ratelimited to be consistent with the other prtin in the
      same function (it's probably not necessary, but can't really hurt...
      there are likely more important error messages to be printed when
      filesystem entry creation starts erroring out).
      Suggested-by: default avatarPaul Moore <paul@paul-moore.com>
      Signed-off-by: default avatarOndrej Mosnacek <omosnace@redhat.com>
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
      ee5de60a
    • Ondrej Mosnacek's avatar
      selinux: fix variable scope issue in live sidtab conversion · 6406887a
      Ondrej Mosnacek authored
      Commit 02a52c5c ("selinux: move policy commit after updating
      selinuxfs") moved the selinux_policy_commit() call out of
      security_load_policy() into sel_write_load(), which caused a subtle yet
      rather serious bug.
      
      The problem is that security_load_policy() passes a reference to the
      convert_params local variable to sidtab_convert(), which stores it in
      the sidtab, where it may be accessed until the policy is swapped over
      and RCU synchronized. Before 02a52c5c, selinux_policy_commit() was
      called directly from security_load_policy(), so the convert_params
      pointer remained valid all the way until the old sidtab was destroyed,
      but now that's no longer the case and calls to sidtab_context_to_sid()
      on the old sidtab after security_load_policy() returns may cause invalid
      memory accesses.
      
      This can be easily triggered using the stress test from commit
      ee1a84fd ("selinux: overhaul sidtab to fix bug and improve
      performance"):
      ```
      function rand_cat() {
      	echo $(( $RANDOM % 1024 ))
      }
      
      function do_work() {
      	while true; do
      		echo -n "system_u:system_r:kernel_t:s0:c$(rand_cat),c$(rand_cat)" \
      			>/sys/fs/selinux/context 2>/dev/null || true
      	done
      }
      
      do_work >/dev/null &
      do_work >/dev/null &
      do_work >/dev/null &
      
      while load_policy; do echo -n .; sleep 0.1; done
      
      kill %1
      kill %2
      kill %3
      ```
      
      Fix this by allocating the temporary sidtab convert structures
      dynamically and passing them among the
      selinux_policy_{load,cancel,commit} functions.
      
      Fixes: 02a52c5c ("selinux: move policy commit after updating selinuxfs")
      Cc: stable@vger.kernel.org
      Tested-by: default avatarTyler Hicks <tyhicks@linux.microsoft.com>
      Reviewed-by: default avatarTyler Hicks <tyhicks@linux.microsoft.com>
      Signed-off-by: default avatarOndrej Mosnacek <omosnace@redhat.com>
      [PM: merge fuzz in security.h and services.c]
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
      6406887a
    • Ondrej Mosnacek's avatar
      selinux: don't log MAC_POLICY_LOAD record on failed policy load · 519dad3b
      Ondrej Mosnacek authored
      If sel_make_policy_nodes() fails, we should jump to 'out', not 'out1',
      as the latter would incorrectly log an MAC_POLICY_LOAD audit record,
      even though the policy hasn't actually been reloaded. The 'out1' jump
      label now becomes unused and can be removed.
      
      Fixes: 02a52c5c ("selinux: move policy commit after updating selinuxfs")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarOndrej Mosnacek <omosnace@redhat.com>
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
      519dad3b
  2. 15 Jan, 2021 1 commit
  3. 14 Jan, 2021 4 commits
    • Daniel Colascione's avatar
      userfaultfd: use secure anon inodes for userfaultfd · b537900f
      Daniel Colascione authored
      This change gives userfaultfd file descriptors a real security
      context, allowing policy to act on them.
      Signed-off-by: default avatarDaniel Colascione <dancol@google.com>
      [LG: Remove owner inode from userfaultfd_ctx]
      [LG: Use anon_inode_getfd_secure() in userfaultfd syscall]
      [LG: Use inode of file in userfaultfd_read() in resolve_userfault_fork()]
      Signed-off-by: default avatarLokesh Gidra <lokeshgidra@google.com>
      Reviewed-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
      b537900f
    • Daniel Colascione's avatar
      selinux: teach SELinux about anonymous inodes · 29cd6591
      Daniel Colascione authored
      This change uses the anon_inodes and LSM infrastructure introduced in
      the previous patches to give SELinux the ability to control
      anonymous-inode files that are created using the new
      anon_inode_getfd_secure() function.
      
      A SELinux policy author detects and controls these anonymous inodes by
      adding a name-based type_transition rule that assigns a new security
      type to anonymous-inode files created in some domain. The name used
      for the name-based transition is the name associated with the
      anonymous inode for file listings --- e.g., "[userfaultfd]" or
      "[perf_event]".
      
      Example:
      
      type uffd_t;
      type_transition sysadm_t sysadm_t : anon_inode uffd_t "[userfaultfd]";
      allow sysadm_t uffd_t:anon_inode { create };
      
      (The next patch in this series is necessary for making userfaultfd
      support this new interface.  The example above is just
      for exposition.)
      Signed-off-by: default avatarDaniel Colascione <dancol@google.com>
      Signed-off-by: default avatarLokesh Gidra <lokeshgidra@google.com>
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
      29cd6591
    • Daniel Colascione's avatar
      fs: add LSM-supporting anon-inode interface · e7e832ce
      Daniel Colascione authored
      This change adds a new function, anon_inode_getfd_secure, that creates
      anonymous-node file with individual non-S_PRIVATE inode to which security
      modules can apply policy. Existing callers continue using the original
      singleton-inode kind of anonymous-inode file. We can transition anonymous
      inode users to the new kind of anonymous inode in individual patches for
      the sake of bisection and review.
      
      The new function accepts an optional context_inode parameter that callers
      can use to provide additional contextual information to security modules.
      For example, in case of userfaultfd, the created inode is a 'logical child'
      of the context_inode (userfaultfd inode of the parent process) in the sense
      that it provides the security context required during creation of the child
      process' userfaultfd inode.
      Signed-off-by: default avatarDaniel Colascione <dancol@google.com>
      [LG: Delete obsolete comments to alloc_anon_inode()]
      [LG: Add context_inode description in comments to anon_inode_getfd_secure()]
      [LG: Remove definition of anon_inode_getfile_secure() as there are no callers]
      [LG: Make __anon_inode_getfile() static]
      [LG: Use correct error cast in __anon_inode_getfile()]
      [LG: Fix error handling in __anon_inode_getfile()]
      Signed-off-by: default avatarLokesh Gidra <lokeshgidra@google.com>
      Reviewed-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
      e7e832ce
    • Lokesh Gidra's avatar
      security: add inode_init_security_anon() LSM hook · 215b674b
      Lokesh Gidra authored
      This change adds a new LSM hook, inode_init_security_anon(), that will
      be used while creating secure anonymous inodes. The hook allows/denies
      its creation and assigns a security context to the inode.
      
      The new hook accepts an optional context_inode parameter that callers
      can use to provide additional contextual information to security modules
      for granting/denying permission to create an anon-inode of the same type.
      This context_inode's security_context can also be used to initialize the
      newly created anon-inode's security_context.
      Signed-off-by: default avatarLokesh Gidra <lokeshgidra@google.com>
      Reviewed-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
      215b674b
  4. 13 Jan, 2021 1 commit
  5. 12 Jan, 2021 5 commits
  6. 05 Jan, 2021 2 commits
  7. 03 Jan, 2021 1 commit
  8. 02 Jan, 2021 3 commits
    • Linus Torvalds's avatar
      Merge tag 's390-5.11-3' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · 3516bd72
      Linus Torvalds authored
      Pull s390 cleanups from Vasily Gorbik:
       "Update defconfigs and sort config select list"
      
      * tag 's390-5.11-3' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390/Kconfig: sort config S390 select list once again
        s390: update defconfigs
      3516bd72
    • Linus Torvalds's avatar
      Merge tag 'pm-5.11-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · d9296a7b
      Linus Torvalds authored
      Pull power management fixes from Rafael Wysocki:
       "These fix a crash in intel_pstate during resume from suspend-to-RAM
        that may occur after recent changes and two resource leaks in error
        paths in the operating performance points (OPP) framework, add a new
        C-states table to intel_idle and update the cpuidle MAINTAINERS entry
        to cover the governors too.
      
        Specifics:
      
         - Fix recently introduced crash in the intel_pstate driver that
           occurs if scale-invariance is disabled during resume from
           suspend-to-RAM due to inconsistent changes of APERF or MPERF MSR
           values made by the platform firmware (Rafael Wysocki).
      
         - Fix a memory leak and add a missing clk_put() in error paths in the
           OPP framework (Quanyang Wang, Viresh Kumar).
      
         - Add new C-states table for SnowRidge processors to the intel_idle
           driver (Artem Bityutskiy).
      
         - Update the MAINTAINERS entry for cpuidle to make it clear that the
           governors are covered by it too (Lukas Bulwahn)"
      
      * tag 'pm-5.11-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        intel_idle: add SnowRidge C-state table
        cpufreq: intel_pstate: Fix fast-switch fallback path
        opp: Call the missing clk_put() on error
        opp: fix memory leak in _allocate_opp_table
        MAINTAINERS: include governors into CPU IDLE TIME MANAGEMENT FRAMEWORK
      d9296a7b
    • Rafael J. Wysocki's avatar
      Merge branches 'pm-cpufreq' and 'pm-cpuidle' · 89ecf09e
      Rafael J. Wysocki authored
      * pm-cpufreq:
        cpufreq: intel_pstate: Fix fast-switch fallback path
      
      * pm-cpuidle:
        intel_idle: add SnowRidge C-state table
        MAINTAINERS: include governors into CPU IDLE TIME MANAGEMENT FRAMEWORK
      89ecf09e
  9. 01 Jan, 2021 4 commits
    • Linus Torvalds's avatar
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · eda809ae
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "This is a load of driver fixes (12 ufs, 1 mpt3sas, 1 cxgbi).
      
        The big core two fixes are for power management ("block: Do not accept
        any requests while suspended" and "block: Fix a race in the runtime
        power management code") which finally sorts out the resume problems
        we've occasionally been having.
      
        To make the resume fix, there are seven necessary precursors which
        effectively renames REQ_PREEMPT to REQ_PM, so every "special" request
        in block is automatically a power management exempt one.
      
        All of the non-PM preempt cases are removed except for the one in the
        SCSI Parallel Interface (spi) domain validation which is a genuine
        case where we have to run requests at high priority to validate the
        bus so this becomes an autopm get/put protected request"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: (22 commits)
        scsi: cxgb4i: Fix TLS dependency
        scsi: ufs: Un-inline ufshcd_vops_device_reset function
        scsi: ufs: Re-enable WriteBooster after device reset
        scsi: ufs-mediatek: Use correct path to fix compile error
        scsi: mpt3sas: Signedness bug in _base_get_diag_triggers()
        scsi: block: Do not accept any requests while suspended
        scsi: block: Remove RQF_PREEMPT and BLK_MQ_REQ_PREEMPT
        scsi: core: Only process PM requests if rpm_status != RPM_ACTIVE
        scsi: scsi_transport_spi: Set RQF_PM for domain validation commands
        scsi: ide: Mark power management requests with RQF_PM instead of RQF_PREEMPT
        scsi: ide: Do not set the RQF_PREEMPT flag for sense requests
        scsi: block: Introduce BLK_MQ_REQ_PM
        scsi: block: Fix a race in the runtime power management code
        scsi: ufs-pci: Enable UFSHCD_CAP_RPM_AUTOSUSPEND for Intel controllers
        scsi: ufs-pci: Fix recovery from hibernate exit errors for Intel controllers
        scsi: ufs-pci: Ensure UFS device is in PowerDown mode for suspend-to-disk ->poweroff()
        scsi: ufs-pci: Fix restore from S4 for Intel controllers
        scsi: ufs-mediatek: Keep VCC always-on for specific devices
        scsi: ufs: Allow regulators being always-on
        scsi: ufs: Clear UAC for RPMB after ufshcd resets
        ...
      eda809ae
    • Linus Torvalds's avatar
      Merge tag 'block-5.11-2021-01-01' of git://git.kernel.dk/linux-block · 8b4805c6
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
       "Two minor block fixes from this last week that should go into 5.11:
      
         - Add missing NOWAIT debugfs definition (Andres)
      
         - Fix kerneldoc warning introduced this merge window (Randy)"
      
      * tag 'block-5.11-2021-01-01' of git://git.kernel.dk/linux-block:
        block: add debugfs stanza for QUEUE_FLAG_NOWAIT
        fs: block_dev.c: fix kernel-doc warnings from struct block_device changes
      8b4805c6
    • Linus Torvalds's avatar
      Merge tag 'io_uring-5.11-2021-01-01' of git://git.kernel.dk/linux-block · dc3e24b2
      Linus Torvalds authored
      Pull io_uring fixes from Jens Axboe:
       "A few fixes that should go into 5.11, all marked for stable as well:
      
         - Fix issue around identity COW'ing and users that share a ring
           across processes
      
         - Fix a hang associated with unregistering fixed files (Pavel)
      
         - Move the 'process is exiting' cancelation a bit earlier, so
           task_works aren't affected by it (Pavel)"
      
      * tag 'io_uring-5.11-2021-01-01' of git://git.kernel.dk/linux-block:
        kernel/io_uring: cancel io_uring before task works
        io_uring: fix io_sqe_files_unregister() hangs
        io_uring: add a helper for setting a ref node
        io_uring: don't assume mm is constant across submits
      dc3e24b2
    • Linus Torvalds's avatar
      depmod: handle the case of /sbin/depmod without /sbin in PATH · cedd1862
      Linus Torvalds authored
      Commit 436e980e ("kbuild: don't hardcode depmod path") stopped
      hard-coding the path of depmod, but in the process caused trouble for
      distributions that had that /sbin location, but didn't have it in the
      PATH (generally because /sbin is limited to the super-user path).
      
      Work around it for now by just adding /sbin to the end of PATH in the
      depmod.sh script.
      Reported-and-tested-by: default avatarSedat Dilek <sedat.dilek@gmail.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      cedd1862
  10. 31 Dec, 2020 3 commits
  11. 30 Dec, 2020 6 commits
  12. 29 Dec, 2020 7 commits