1. 13 Jul, 2015 2 commits
    • selinux: extended permissions for ioctls · fa1aa143
      Jeff Vander Stoep authored
      Add extended permissions logic to selinux. Extended permissions
      provides additional permissions in 256 bit increments. Extend the
      generic ioctl permission check to use the extended permissions for
      per-command filtering. Source/target/class sets including the ioctl
      permission may additionally include a set of commands. Example:
      
      allowxperm <source> <target>:<class> ioctl unpriv_app_socket_cmds
      auditallowxperm <source> <target>:<class> ioctl priv_gpu_cmds
      
      Where unpriv_app_socket_cmds and priv_gpu_cmds are macros
      representing commonly granted sets of ioctl commands.
      
      When ioctl commands are omitted only the permissions are checked.
      This feature is intended to provide finer granularity for the ioctl
      permission that may be too imprecise. For example, the same driver
      may use ioctls to provide important and benign functionality such as
      driver version or socket type as well as dangerous capabilities such
      as debugging features, read/write/execute to physical memory or
      access to sensitive data. Per-command filtering provides a mechanism
      to reduce the attack surface of the kernel, and limit applications
      to the subset of commands required.
      
      The format of the policy binary has been modified to include ioctl
      commands, and the policy version number has been incremented to
      POLICYDB_VERSION_XPERMS_IOCTL=30 to account for the format
      change.
      
      The extended permissions logic is deliberately generic to allow
      components to be reused e.g. netlink filters
      Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
      Acked-by: Nick Kralevich <nnk@google.com>
      Signed-off-by: Paul Moore <pmoore@redhat.com>
    • security: add ioctl specific auditing to lsm_audit · 671a2781
      Jeff Vander Stoep authored
      Add information about ioctl calls to the LSM audit data. Log the
      file path and command number.
      Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
      Acked-by: Nick Kralevich <nnk@google.com>
      [PM: subject line tweak]
      Signed-off-by: Paul Moore <pmoore@redhat.com>
  2. 10 Jul, 2015 1 commit
    • selinux: fix mprotect PROT_EXEC regression caused by mm change · 892e8cac
      Stephen Smalley authored
      commit 66fc1303 ("mm: shmem_zero_setup
      skip security check and lockdep conflict with XFS") caused a regression
      for SELinux by disabling any SELinux checking of mprotect PROT_EXEC on
      shared anonymous mappings.  However, even before that regression, the
      checking on such mprotect PROT_EXEC calls was inconsistent with the
      checking on a mmap PROT_EXEC call for a shared anonymous mapping.  On a
      mmap, the security hook is passed a NULL file and knows it is dealing
      with an anonymous mapping and therefore applies an execmem check and no
      file checks.  On a mprotect, the security hook is passed a vma with a
      non-NULL vm_file (as this was set from the internally-created shmem
      file during mmap) and therefore applies the file-based execute check
      and no execmem check.  Since the aforementioned commit now marks the
      shmem zero inode with the S_PRIVATE flag, the file checks are disabled
      and we have no checking at all on mprotect PROT_EXEC.  Add a test to
      the mprotect hook logic for such private inodes, and apply an execmem
      check in that case.  This makes the mmap and mprotect checking
      consistent for shared anonymous mappings, as well as for /dev/zero and
      ashmem.
      
      Cc: <stable@vger.kernel.org> # 4.1.x
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: Paul Moore <pmoore@redhat.com>
  3. 09 Jul, 2015 1 commit
    • selinux: don't waste ebitmap space when importing NetLabel categories · 33246035
      Paul Moore authored
      At present we don't create efficient ebitmaps when importing NetLabel
      category bitmaps.  This can present a problem when comparing ebitmaps
      since ebitmap_cmp() is very strict about these things and considers
      these wasteful ebitmaps not equal when compared to their more
      efficient counterparts, even if their values are the same.  This isn't
      likely to cause problems on 64-bit systems due to a bit of luck on
      how NetLabel/CIPSO works and the default ebitmap size, but it can be
      a problem on 32-bit systems.
      
      This patch fixes this problem by being a bit more intelligent when
      importing NetLabel category bitmaps by skipping over empty sections
      which should result in a nice, efficient ebitmap.
      
      Cc: stable@vger.kernel.org # 3.17
      Signed-off-by: Paul Moore <pmoore@redhat.com>
  4. 05 Jun, 2015 1 commit
    • selinux: fix setting of security labels on NFS · 9fc2b4b4
      J. Bruce Fields authored
      Before calling into the filesystem, vfs_setxattr calls
      security_inode_setxattr, which ends up calling selinux_inode_setxattr in
      our case.  That returns -EOPNOTSUPP whenever SBLABEL_MNT is not set.
      SBLABEL_MNT was supposed to be set by sb_finish_set_opts, which sets it
      only if selinux_is_sblabel_mnt returns true.
      
      The selinux_is_sblabel_mnt logic was broken by eadcabc6 "SELinux: do
      all flags twiddling in one place", which didn't take into account
      the SECURITY_FS_USE_NATIVE behavior that had been introduced for nfs
      with eb9ae686 "SELinux: Add new labeling type native labels".
      
      This caused setxattr's of security labels over NFSv4.2 to fail.
      
      Cc: stable@kernel.org # 3.13
      Cc: Eric Paris <eparis@redhat.com>
      Cc: David Quigley <dpquigl@davequigley.com>
      Reported-by: Richard Chan <rc556677@outlook.com>
      Signed-off-by: J. Bruce Fields <bfields@redhat.com>
      Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
      [PM: added the stable dependency]
      Signed-off-by: Paul Moore <pmoore@redhat.com>
  5. 04 Jun, 2015 6 commits
    • selinux: Remove unused permission definitions · 42a9699a
      Stephen Smalley authored
      Remove unused permission definitions from SELinux.
      Many of these were only ever used in pre-mainline
      versions of SELinux, prior to Linux 2.6.0.  Some of them
      were used in the legacy network or compat_net=1 checks
      that were disabled by default in Linux 2.6.18 and
      fully removed in Linux 2.6.30.
      
      Permissions never used in mainline Linux:
      file swapon
      filesystem transition
      tcp_socket { connectto newconn acceptfrom }
      node enforce_dest
      unix_stream_socket { newconn acceptfrom }
      
      Legacy network checks, removed in 2.6.30:
      socket { recv_msg send_msg }
      node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
      netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: Paul Moore <pmoore@redhat.com>
    • selinux: enable genfscon labeling for sysfs and pstore files · 8e014720
      Stephen Smalley authored
      Support per-file labeling of sysfs and pstore files based on
      genfscon policy entries.  This is safe because the sysfs
      and pstore directory tree cannot be manipulated by userspace,
      except to unlink pstore entries.
      This provides an alternative method of assigning per-file labeling
      to sysfs or pstore files without needing to set the labels from
      userspace on each boot.  The advantages of this approach are that
      the labels are assigned as soon as the dentry is first instantiated
      and userspace does not need to walk the sysfs or pstore tree and
      set the labels on each boot.  The limitations of this approach are
      that the labels can only be assigned based on pathname prefix matching.
      You can initially assign labels using this mechanism and then change
      them at runtime via setxattr if allowed to do so by policy.
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
      Suggested-by: Dominick Grift <dac.override@gmail.com>
      Acked-by: Jeff Vander Stoep <jeffv@google.com>
      Signed-off-by: Paul Moore <pmoore@redhat.com>
    • selinux: enable per-file labeling for debugfs files. · 134509d5
      Stephen Smalley authored
      Add support for per-file labeling of debugfs files so that
      we can distinguish them in policy.  This is particularly
      important in Android where certain debugfs files have to be writable
      by apps and therefore the debugfs directory tree can be read and
      searched by all.
      
      Since debugfs is entirely kernel-generated, the directory tree is
      immutable by userspace, and the inodes are pinned in memory, we can
      simply use the same approach as with proc and label the inodes from
      policy based on pathname from the root of the debugfs filesystem.
      Generalize the existing labeling support used for proc and reuse it
      for debugfs too.
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: Paul Moore <pmoore@redhat.com>
    • selinux: update netlink socket classes · 6c6d2e9b
      Stephen Smalley authored
      Update the set of SELinux netlink socket class definitions to match
      the set of netlink protocols implemented by the kernel.  The
      ip_queue implementation for the NETLINK_FIREWALL and NETLINK_IP6_FW protocols
      was removed in d16cf20e, so we can remove
      the corresponding class definitions as this is dead code.  Add new
      classes for NETLINK_ISCSI, NETLINK_FIB_LOOKUP, NETLINK_CONNECTOR,
      NETLINK_NETFILTER, NETLINK_GENERIC, NETLINK_SCSITRANSPORT, NETLINK_RDMA,
      and NETLINK_CRYPTO so that we can distinguish among sockets created
      for each of these protocols.  This change does not define the finer-grained
      nlsmsg_read/write permissions or map specific nlmsg_type values to those
      permissions in the SELinux nlmsgtab; if finer-grained control of these
      sockets is desired/required, that can be added as a follow-on change.
      We do not define a SELinux class for NETLINK_ECRYPTFS as the implementation
      was removed in 624ae528.
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: Paul Moore <pmoore@redhat.com>
    • signals: don't abuse __flush_signals() in selinux_bprm_committed_creds() · 9e7c8f8c
      Oleg Nesterov authored
      selinux_bprm_committed_creds()->__flush_signals() is not right, we
      shouldn't clear TIF_SIGPENDING unconditionally. There can be other
      reasons for signal_pending(): freezing(), JOBCTL_PENDING_MASK, and
      potentially more.
      
      Also change this code to check fatal_signal_pending() rather than
      SIGNAL_GROUP_EXIT, it looks a bit better.
      
      Now we can kill __flush_signals() before it finds another buggy user.
      
      Note: this code looks racy, we can flush a signal which was sent after
      the task SID has been updated.
      Signed-off-by: Oleg Nesterov <oleg@redhat.com>
      Signed-off-by: Paul Moore <pmoore@redhat.com>
    • selinux: Print 'sclass' as string when unrecognized netlink message occurs · cded3fff
      Marek Milkovic authored
      This prints the 'sclass' field as string instead of index in unrecognized netlink message.
      The textual representation makes it easier to distinguish the right class.
      Signed-off-by: Marek Milkovic <mmilkovi@redhat.com>
      Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
      [PM: 80-char width fixes]
      Signed-off-by: Paul Moore <pmoore@redhat.com>
  6. 03 Jun, 2015 1 commit
  7. 02 Jun, 2015 2 commits
    • Smack: allow multiple labels in onlycap · c0d77c88
      Rafal Krypa authored
      Smack onlycap allows limiting of CAP_MAC_ADMIN and CAP_MAC_OVERRIDE to
      processes running with the configured label. But having a single privileged
      label is not enough in some real use cases. On a complex system like Tizen,
      there may be a few programs that need to configure Smack policy in run-time
      and running them all with a single label is not always practical.
      This patch extends onlycap feature for multiple labels. They are configured
      in the same smackfs "onlycap" interface, separated by spaces.
      Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
    • Smack: fix seq operations in smackfs · 01fa8474
      Rafal Krypa authored
      Use proper RCU functions and read locking in smackfs seq_operations.
      
      Smack gets away with not using proper RCU functions in smackfs, because
      it never removes entries from these lists. But now one list will be
      needed (with interface in smackfs) that will have both elements added and
      removed to it.
      This change will also help any future changes implementing removal of
      unneeded entries from other Smack lists.
      
      The patch also fixes handling of pos argument in smk_seq_start and
      smk_seq_next. This fixes a bug in case when smackfs is read with a small
      buffer:
      
      Kernel panic - not syncing: Kernel mode fault at addr 0xfa0000011b
      CPU: 0 PID: 1292 Comm: dd Not tainted 4.1.0-rc1-00012-g98179b8 #13
      Stack:
       00000003 0000000d 7ff39e48 7f69fd00
       7ff39ce0 601ae4b0 7ff39d50 600e587b
       00000010 6039f690 7f69fd40 00612003
      Call Trace:
       [<601ae4b0>] load2_seq_show+0x19/0x1d
       [<600e587b>] seq_read+0x168/0x331
       [<600c5943>] __vfs_read+0x21/0x101
       [<601a595e>] ? security_file_permission+0xf8/0x105
       [<600c5ec6>] ? rw_verify_area+0x86/0xe2
       [<600c5fc3>] vfs_read+0xa1/0x14c
       [<600c68e2>] SyS_read+0x57/0xa0
       [<6001da60>] handle_syscall+0x60/0x80
       [<6003087d>] userspace+0x442/0x548
       [<6001aa77>] ? interrupt_end+0x0/0x80
       [<6001daae>] ? copy_chunk_to_user+0x0/0x2b
       [<6002cb6b>] ? save_registers+0x1f/0x39
       [<60032ef7>] ? arch_prctl+0xf5/0x170
       [<6001a92d>] fork_handler+0x85/0x87
      Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
  8. 21 May, 2015 10 commits
  9. 15 May, 2015 2 commits
    • smack: pass error code through pointers · e774ad68
      Lukasz Pawelczyk authored
      This patch makes the following functions use ERR_PTR() and related
      macros to pass the appropriate error code through returned pointers:
      
      smk_parse_smack()
      smk_import_entry()
      smk_fetch()
      
      It also makes all the other functions that use them handle the
      error cases properly. This way, correct error codes from the places
      where they happened can be propagated to user space if necessary.
      
      Doing this fixes a bug in onlycap and unconfined files
      handling. Previously their content was cleared on any error from
      smk_import_entry/smk_parse_smack, be it EINVAL (as originally intended)
      or ENOMEM. Right now it only reacts to EINVAL, passing other codes
      properly to userspace.
      
      Comments have been updated accordingly.
      Signed-off-by: Lukasz Pawelczyk <l.pawelczyk@samsung.com>
    • Smack: ignore private inode for smack_file_receive · 9777582e
      Seung-Woo Kim authored
      The dmabuf fd can be shared between processes via unix domain
      socket. The file of dmabuf fd comes from anon_inode. The inode
      has no set and get xattr operations, so it cannot be shared
      between processes with smack. This patch fixes this by just ignoring
      private inodes, including anon_inode, in smack_file_receive.
      Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
  10. 13 May, 2015 2 commits
  11. 12 May, 2015 7 commits
  12. 27 Apr, 2015 5 commits
    • Linux 4.1-rc1 · b787f68c
      Linus Torvalds authored
    • x86_64, asm: Work around AMD SYSRET SS descriptor attribute issue · 61f01dd9
      Andy Lutomirski authored
      AMD CPUs don't reinitialize the SS descriptor on SYSRET, so SYSRET with
      SS == 0 results in an invalid usermode state in which SS is apparently
      equal to __USER_DS but causes #SS if used.
      
      Work around the issue by setting SS to __KERNEL_DS in __switch_to, thus
      ensuring that SYSRET never happens with SS set to NULL.
      
      This was exposed by a recent vDSO cleanup.
      
      Fixes: e7d6eefa x86/vdso32/syscall.S: Do not load __USER32_DS to %ss
      Signed-off-by: Andy Lutomirski <luto@kernel.org>
      Cc: Peter Anvin <hpa@zytor.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Denys Vlasenko <vda.linux@googlemail.com>
      Cc: Brian Gerst <brgerst@gmail.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux · 1190944f
      Linus Torvalds authored
      Pull intel drm fixes from Dave Airlie.
      
      * 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
        drm/i915: vlv: fix save/restore of GFX_MAX_REQ_COUNT reg
        drm/i915: Workaround to avoid lite restore with HEAD==TAIL
        drm/i915: cope with large i2c transfers
    • Merge git://git.infradead.org/intel-iommu · 9f86262d
      Linus Torvalds authored
      Pull intel iommu updates from David Woodhouse:
       "This lays a little of the groundwork for upcoming Shared Virtual
        Memory support — fixing some bogus #defines for capability bits and
        adding the new ones, and starting to use the new wider page tables
        where we can, in anticipation of actually filling in the new fields
        therein.
      
        It also allows graphics devices to be assigned to VM guests again.
        This got broken in 3.17 by disallowing assignment of RMRR-afflicted
        devices.  Like USB, we do understand why there's an RMRR for graphics
        devices — and unlike USB, it's actually sane.  So we can make an
        exception for graphics devices, just as we do USB controllers.
      
        Finally, tone down the warning about the X2APIC_OPT_OUT bit, due to
        persistent requests.  X2APIC_OPT_OUT was added to the spec as a nasty
        hack to allow broken BIOSes to forbid us from using X2APIC when they
        do stupid and invasive things and would break if we did.
      
        Someone noticed that since Windows doesn't have full IOMMU support for
        DMA protection, setting the X2APIC_OPT_OUT bit made Windows avoid
        initialising the IOMMU on the graphics unit altogether.
      
        This means that it would be available for use in "driver mode", where
        the IOMMU registers are made available through a BAR of the graphics
        device and the graphics driver can do SVM all for itself.
      
        So they started setting the X2APIC_OPT_OUT bit on *all* platforms with
        SVM capabilities.  And even the platforms which *might*, if the
        planets had been aligned correctly, possibly have had SVM capability
        but which in practice actually don't"
      
      * git://git.infradead.org/intel-iommu:
        iommu/vt-d: support extended root and context entries
        iommu/vt-d: Add new extended capabilities from v2.3 VT-d specification
        iommu/vt-d: Allow RMRR on graphics devices too
        iommu/vt-d: Print x2apic opt out info instead of printing a warning
        iommu/vt-d: kill bogus ecap_niotlb_iunits()
    • Merge branch 'i2c/for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · 85f2901b
      Linus Torvalds authored
      Pull i2c fixes from Wolfram Sang:
       "This has a mixture of merge window cleanups and bugfixes"
      
      * 'i2c/for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
        i2c: st: add include for pinctrl
        i2c: mux: use proper dev when removing "channel-X" symlinks
        i2c: digicolor: remove duplicate include
        i2c: Mark adapter devices with pm_runtime_no_callbacks
        i2c: pca-platform: fix broken email address
        i2c: mxs: fix broken email address
        i2c: rk3x: report number of messages transmitted