#
c1a85a00 |
| 07-Jan-2019 |
Micah Morton <mortonm@chromium.org> |
LSM: generalize flag passing to security_capable
This patch provides a general mechanism for passing flags to the security_capable LSM hook. It replaces the specific 'audit' flag that is used to tel
LSM: generalize flag passing to security_capable
This patch provides a general mechanism for passing flags to the security_capable LSM hook. It replaces the specific 'audit' flag that is used to tell security_capable whether it should log an audit message for the given capability check. The reason for generalizing this flag passing is so we can add an additional flag that signifies whether security_capable is being called by a setid syscall (which is needed by the proposed SafeSetID LSM).
Signed-off-by: Micah Morton <mortonm@chromium.org> Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: James Morris <james.morris@microsoft.com>
show more ...
|
#
ecd5f82e |
| 20-Nov-2018 |
Casey Schaufler <casey@schaufler-ca.com> |
LSM: Infrastructure management of the ipc security blob
Move management of the kern_ipc_perm->security and msg_msg->security blobs out of the individual security modules and into the security infras
LSM: Infrastructure management of the ipc security blob
Move management of the kern_ipc_perm->security and msg_msg->security blobs out of the individual security modules and into the security infrastructure. Instead of allocating the blobs from within the modules the modules tell the infrastructure how much space is required, and the space is allocated there.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: Kees Cook <keescook@chromium.org> [kees: adjusted for ordered init series] Signed-off-by: Kees Cook <keescook@chromium.org>
show more ...
|
Revision tags: v4.19, v4.18.16, v4.18.15, v4.18.14, v4.18.13, v4.18.12, v4.18.11, v4.18.10 |
|
#
f4ad8f2c |
| 21-Sep-2018 |
Casey Schaufler <casey@schaufler-ca.com> |
LSM: Infrastructure management of the task security
Move management of the task_struct->security blob out of the individual security modules and into the security infrastructure. Instead of allocati
LSM: Infrastructure management of the task security
Move management of the task_struct->security blob out of the individual security modules and into the security infrastructure. Instead of allocating the blobs from within the modules the modules tell the infrastructure how much space is required, and the space is allocated there. The only user of this blob is AppArmor. The AppArmor use is abstracted to avoid future conflict.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: Kees Cook <keescook@chromium.org> [kees: adjusted for ordered init series] Signed-off-by: Kees Cook <keescook@chromium.org>
show more ...
|
#
afb1cbe3 |
| 21-Sep-2018 |
Casey Schaufler <casey@schaufler-ca.com> |
LSM: Infrastructure management of the inode security
Move management of the inode->i_security blob out of the individual security modules and into the security infrastructure. Instead of allocating
LSM: Infrastructure management of the inode security
Move management of the inode->i_security blob out of the individual security modules and into the security infrastructure. Instead of allocating the blobs from within the modules the modules tell the infrastructure how much space is required, and the space is allocated there.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: Kees Cook <keescook@chromium.org> [kees: adjusted for ordered init series] Signed-off-by: Kees Cook <keescook@chromium.org>
show more ...
|
#
33bf60ca |
| 12-Nov-2018 |
Casey Schaufler <casey@schaufler-ca.com> |
LSM: Infrastructure management of the file security
Move management of the file->f_security blob out of the individual security modules and into the infrastructure. The modules no longer allocate or
LSM: Infrastructure management of the file security
Move management of the file->f_security blob out of the individual security modules and into the infrastructure. The modules no longer allocate or free the data, instead they tell the infrastructure how much space they require.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: Kees Cook <keescook@chromium.org> [kees: adjusted for ordered init series] Signed-off-by: Kees Cook <keescook@chromium.org>
show more ...
|
#
bbd3662a |
| 12-Nov-2018 |
Casey Schaufler <casey@schaufler-ca.com> |
Infrastructure management of the cred security blob
Move management of the cred security blob out of the security modules and into the security infrastructre. Instead of allocating and freeing space
Infrastructure management of the cred security blob
Move management of the cred security blob out of the security modules and into the security infrastructre. Instead of allocating and freeing space the security modules tell the infrastructure how much space they require.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: Kees Cook <keescook@chromium.org> [kees: adjusted for ordered init series] Signed-off-by: Kees Cook <keescook@chromium.org>
show more ...
|
#
6d9c939d |
| 21-Sep-2018 |
Casey Schaufler <casey@schaufler-ca.com> |
procfs: add smack subdir to attrs
Back in 2007 I made what turned out to be a rather serious mistake in the implementation of the Smack security module. The SELinux module used an interface in /proc
procfs: add smack subdir to attrs
Back in 2007 I made what turned out to be a rather serious mistake in the implementation of the Smack security module. The SELinux module used an interface in /proc to manipulate the security context on processes. Rather than use a similar interface, I used the same interface. The AppArmor team did likewise. Now /proc/.../attr/current will tell you the security "context" of the process, but it will be different depending on the security module you're using.
This patch provides a subdirectory in /proc/.../attr for Smack. Smack user space can use the "current" file in this subdirectory and never have to worry about getting SELinux attributes by mistake. Programs that use the old interface will continue to work (or fail, as the case may be) as before.
The proposed S.A.R.A security module is dependent on the mechanism to create its own attr subdirectory.
The original implementation is by Kees Cook.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: Kees Cook <keescook@chromium.org>
show more ...
|
Revision tags: v4.18.9 |
|
#
d117a154 |
| 14-Sep-2018 |
Kees Cook <keescook@chromium.org> |
capability: Initialize as LSM_ORDER_FIRST
This converts capabilities to use the new LSM_ORDER_FIRST position.
Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: Casey Schaufler <casey@sc
capability: Initialize as LSM_ORDER_FIRST
This converts capabilities to use the new LSM_ORDER_FIRST position.
Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
show more ...
|
#
e2bc445b |
| 19-Sep-2018 |
Kees Cook <keescook@chromium.org> |
LSM: Introduce enum lsm_order
In preparation for distinguishing the "capability" LSM from other LSMs, it must be ordered first. This introduces LSM_ORDER_MUTABLE for the general LSMs and LSM_ORDER_F
LSM: Introduce enum lsm_order
In preparation for distinguishing the "capability" LSM from other LSMs, it must be ordered first. This introduces LSM_ORDER_MUTABLE for the general LSMs and LSM_ORDER_FIRST for capability. In the future LSM_ORDER_LAST for could be added for anything that must run last (e.g. Landlock may use this).
Signed-off-by: Kees Cook <keescook@chromium.org>
show more ...
|
#
d6aed64b |
| 14-Sep-2018 |
Kees Cook <keescook@chromium.org> |
Yama: Initialize as ordered LSM
This converts Yama from being a direct "minor" LSM into an ordered LSM.
Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: Casey Schaufler <casey@schaufle
Yama: Initialize as ordered LSM
This converts Yama from being a direct "minor" LSM into an ordered LSM.
Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
show more ...
|
#
70b62c25 |
| 14-Sep-2018 |
Kees Cook <keescook@chromium.org> |
LoadPin: Initialize as ordered LSM
This converts LoadPin from being a direct "minor" LSM into an ordered LSM.
Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: Casey Schaufler <casey@sc
LoadPin: Initialize as ordered LSM
This converts LoadPin from being a direct "minor" LSM into an ordered LSM.
Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
show more ...
|
#
d8e9bbd4 |
| 10-Oct-2018 |
Kees Cook <keescook@chromium.org> |
LSM: Split LSM preparation from initialization
Since we already have to do a pass through the LSMs to figure out if exclusive LSMs should be disabled after the first one is seen as enabled, this spl
LSM: Split LSM preparation from initialization
Since we already have to do a pass through the LSMs to figure out if exclusive LSMs should be disabled after the first one is seen as enabled, this splits the logic up a bit more cleanly. Now we do a full "prepare" pass through the LSMs (which also allows for later use by the blob-sharing code), before starting the LSM initialization pass.
Signed-off-by: Kees Cook <keescook@chromium.org>
show more ...
|
#
c91d8106 |
| 19-Nov-2018 |
Casey Schaufler <casey@schaufler-ca.com> |
LSM: Add all exclusive LSMs to ordered initialization
This removes CONFIG_DEFAULT_SECURITY in favor of the explicit ordering offered by CONFIG_LSM and adds all the exclusive LSMs to the ordered LSM
LSM: Add all exclusive LSMs to ordered initialization
This removes CONFIG_DEFAULT_SECURITY in favor of the explicit ordering offered by CONFIG_LSM and adds all the exclusive LSMs to the ordered LSM initialization. The old meaning of CONFIG_DEFAULT_SECURITY is now captured by which exclusive LSM is listed first in the LSM order. All LSMs not added to the ordered list are explicitly disabled.
Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
show more ...
|
#
14bd99c8 |
| 19-Sep-2018 |
Kees Cook <keescook@chromium.org> |
LSM: Separate idea of "major" LSM from "exclusive" LSM
In order to both support old "security=" Legacy Major LSM selection, and handling real exclusivity, this creates LSM_FLAG_EXCLUSIVE and updates
LSM: Separate idea of "major" LSM from "exclusive" LSM
In order to both support old "security=" Legacy Major LSM selection, and handling real exclusivity, this creates LSM_FLAG_EXCLUSIVE and updates the selection logic to handle them.
Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
show more ...
|
#
7e611486 |
| 19-Sep-2018 |
Kees Cook <keescook@chromium.org> |
LSM: Refactor "security=" in terms of enable/disable
For what are marked as the Legacy Major LSMs, make them effectively exclusive when selected on the "security=" boot parameter, to handle the futu
LSM: Refactor "security=" in terms of enable/disable
For what are marked as the Legacy Major LSMs, make them effectively exclusive when selected on the "security=" boot parameter, to handle the future case of when a previously major LSMs become non-exclusive (e.g. when TOMOYO starts blob-sharing).
Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
show more ...
|
#
5ef4e419 |
| 19-Sep-2018 |
Kees Cook <keescook@chromium.org> |
LSM: Prepare for reorganizing "security=" logic
This moves the string handling for "security=" boot parameter into a stored pointer instead of a string duplicate. This will allow easier handling of
LSM: Prepare for reorganizing "security=" logic
This moves the string handling for "security=" boot parameter into a stored pointer instead of a string duplicate. This will allow easier handling of the string when switching logic to use the coming enable/disable infrastructure.
Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: John Johansen <john.johansen@canonical.com>
show more ...
|
#
a8027fb0 |
| 09-Oct-2018 |
Kees Cook <keescook@chromium.org> |
LSM: Tie enabling logic to presence in ordered list
Until now, any LSM without an enable storage variable was considered enabled. This inverts the logic and sets defaults to true only if the LSM get
LSM: Tie enabling logic to presence in ordered list
Until now, any LSM without an enable storage variable was considered enabled. This inverts the logic and sets defaults to true only if the LSM gets added to the ordered initialization list. (And an exception continues for the major LSMs until they are integrated into the ordered initialization in a later patch.)
Signed-off-by: Kees Cook <keescook@chromium.org>
show more ...
|
#
79f7865d |
| 19-Sep-2018 |
Kees Cook <keescook@chromium.org> |
LSM: Introduce "lsm=" for boottime LSM selection
Provide a way to explicitly choose LSM initialization order via the new "lsm=" comma-separated list of LSMs.
Signed-off-by: Kees Cook <keescook@chro
LSM: Introduce "lsm=" for boottime LSM selection
Provide a way to explicitly choose LSM initialization order via the new "lsm=" comma-separated list of LSMs.
Signed-off-by: Kees Cook <keescook@chromium.org>
show more ...
|
#
13e735c0 |
| 09-Oct-2018 |
Kees Cook <keescook@chromium.org> |
LSM: Introduce CONFIG_LSM
This provides a way to declare LSM initialization order via the new CONFIG_LSM. Currently only non-major LSMs are recognized. This will be expanded in future patches.
Sign
LSM: Introduce CONFIG_LSM
This provides a way to declare LSM initialization order via the new CONFIG_LSM. Currently only non-major LSMs are recognized. This will be expanded in future patches.
Signed-off-by: Kees Cook <keescook@chromium.org>
show more ...
|
#
2d4d5119 |
| 19-Sep-2018 |
Kees Cook <keescook@chromium.org> |
LSM: Build ordered list of LSMs to initialize
This constructs an ordered list of LSMs to initialize, using a hard-coded list of only "integrity": minor LSMs continue to have direct hook calls, and m
LSM: Build ordered list of LSMs to initialize
This constructs an ordered list of LSMs to initialize, using a hard-coded list of only "integrity": minor LSMs continue to have direct hook calls, and major LSMs continue to initialize separately.
Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
show more ...
|
#
f4941d75 |
| 14-Sep-2018 |
Kees Cook <keescook@chromium.org> |
LSM: Lift LSM selection out of individual LSMs
As a prerequisite to adjusting LSM selection logic in the future, this moves the selection logic up out of the individual major LSMs, making their init
LSM: Lift LSM selection out of individual LSMs
As a prerequisite to adjusting LSM selection logic in the future, this moves the selection logic up out of the individual major LSMs, making their init functions only run when actually enabled. This considers all LSMs enabled by default unless they specified an external "enable" variable.
Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: John Johansen <john.johansen@canonical.com>
show more ...
|
#
657d910b |
| 19-Sep-2018 |
Kees Cook <keescook@chromium.org> |
LSM: Provide separate ordered initialization
This provides a place for ordered LSMs to be initialized, separate from the "major" LSMs. This is mainly a copy/paste from major_lsm_init() to ordered_ls
LSM: Provide separate ordered initialization
This provides a place for ordered LSMs to be initialized, separate from the "major" LSMs. This is mainly a copy/paste from major_lsm_init() to ordered_lsm_init(), but it will change drastically in later patches.
What is not obvious in the patch is that this change moves the integrity LSM from major_lsm_init() into ordered_lsm_init(), since it is not marked with the LSM_FLAG_LEGACY_MAJOR. As it is the only LSM in the "ordered" list, there is no reordering yet created.
Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: John Johansen <john.johansen@canonical.com>
show more ...
|
#
757cbe59 |
| 14-Dec-2018 |
Al Viro <viro@zeniv.linux.org.uk> |
LSM: new method: ->sb_add_mnt_opt()
Adding options to growing mnt_opts. NFS kludge with passing context= down into non-text-options mount switched to it, and with that the last use of ->sb_parse_op
LSM: new method: ->sb_add_mnt_opt()
Adding options to growing mnt_opts. NFS kludge with passing context= down into non-text-options mount switched to it, and with that the last use of ->sb_parse_opts_str() is gone.
Reviewed-by: David Howells <dhowells@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
show more ...
|
#
204cc0cc |
| 13-Dec-2018 |
Al Viro <viro@zeniv.linux.org.uk> |
LSM: hide struct security_mnt_opts from any generic code
Keep void * instead, allocate on demand (in parse_str_opts, at the moment). Eventually both selinux and smack will be better off with privat
LSM: hide struct security_mnt_opts from any generic code
Keep void * instead, allocate on demand (in parse_str_opts, at the moment). Eventually both selinux and smack will be better off with private structures with several strings in those, rather than this "counter and two pointers to dynamically allocated arrays" ugliness. This commit allows to do that at leisure, without disrupting anything outside of given module.
Changes: * instead of struct security_mnt_opt use an opaque pointer initialized to NULL. * security_sb_eat_lsm_opts(), security_sb_parse_opts_str() and security_free_mnt_opts() take it as var argument (i.e. as void **); call sites are unchanged. * security_sb_set_mnt_opts() and security_sb_remount() take it by value (i.e. as void *). * new method: ->sb_free_mnt_opts(). Takes void *, does whatever freeing that needs to be done. * ->sb_set_mnt_opts() and ->sb_remount() might get NULL as mnt_opts argument, meaning "empty".
Reviewed-by: David Howells <dhowells@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
show more ...
|
#
5b400239 |
| 12-Dec-2018 |
Al Viro <viro@zeniv.linux.org.uk> |
LSM: turn sb_eat_lsm_opts() into a method
Kill ->sb_copy_data() - it's used only in combination with immediately following ->sb_parse_opts_str(). Turn that combination into a new method.
This is j
LSM: turn sb_eat_lsm_opts() into a method
Kill ->sb_copy_data() - it's used only in combination with immediately following ->sb_parse_opts_str(). Turn that combination into a new method.
This is just a mechanical move - cleanups will be the next step.
Reviewed-by: David Howells <dhowells@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
show more ...
|