#
d8c6e854 |
| 22-Mar-2018 |
Eric W. Biederman <ebiederm@xmission.com> |
msg/security: Pass kern_ipc_perm not msg_queue into the msg_queue security hooks
All of the implementations of security hooks that take msg_queue only access q_perm the struct kern_ipc_perm member.
msg/security: Pass kern_ipc_perm not msg_queue into the msg_queue security hooks
All of the implementations of security hooks that take msg_queue only access q_perm the struct kern_ipc_perm member. This means the dependencies of the msg_queue security hooks can be simplified by passing the kern_ipc_perm member of msg_queue.
Making this change will allow struct msg_queue to become private to ipc/msg.c.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
show more ...
|
#
7191adff |
| 22-Mar-2018 |
Eric W. Biederman <ebiederm@xmission.com> |
shm/security: Pass kern_ipc_perm not shmid_kernel into the shm security hooks
All of the implementations of security hooks that take shmid_kernel only access shm_perm the struct kern_ipc_perm member
shm/security: Pass kern_ipc_perm not shmid_kernel into the shm security hooks
All of the implementations of security hooks that take shmid_kernel only access shm_perm the struct kern_ipc_perm member. This means the dependencies of the shm security hooks can be simplified by passing the kern_ipc_perm member of shmid_kernel..
Making this change will allow struct shmid_kernel to become private to ipc/shm.c.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
show more ...
|
#
aefad959 |
| 22-Mar-2018 |
Eric W. Biederman <ebiederm@xmission.com> |
sem/security: Pass kern_ipc_perm not sem_array into the sem security hooks
All of the implementations of security hooks that take sem_array only access sem_perm the struct kern_ipc_perm member. Thi
sem/security: Pass kern_ipc_perm not sem_array into the sem security hooks
All of the implementations of security hooks that take sem_array only access sem_perm the struct kern_ipc_perm member. This means the dependencies of the sem security hooks can be simplified by passing the kern_ipc_perm member of sem_array.
Making this change will allow struct sem and struct sem_array to become private to ipc/sem.c.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
show more ...
|
Revision tags: v4.13.16, v4.14, v4.13.5 |
|
#
6b4f3d01 |
| 08-Sep-2017 |
Stephen Smalley <sds@tycho.nsa.gov> |
usb, signal, security: only pass the cred, not the secid, to kill_pid_info_as_cred and security_task_kill
commit d178bc3a708f39cbfefc3fab37032d3f2511b4ec ("user namespace: usb: make usb urbs user n
usb, signal, security: only pass the cred, not the secid, to kill_pid_info_as_cred and security_task_kill
commit d178bc3a708f39cbfefc3fab37032d3f2511b4ec ("user namespace: usb: make usb urbs user namespace aware (v2)") changed kill_pid_info_as_uid to kill_pid_info_as_cred, saving and passing a cred structure instead of uids. Since the secid can be obtained from the cred, drop the secid fields from the usb_dev_state and async structures, and drop the secid argument to kill_pid_info_as_cred. Replace the secid argument to security_task_kill with the cred. Update SELinux, Smack, and AppArmor to use the cred, which avoids the need for Smack and AppArmor to use a secid at all in this hook. Further changes to Smack might still be required to take full advantage of this change, since it should now be possible to perform capability checking based on the supplied cred. The changes to Smack and AppArmor have only been compile-tested.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: Paul Moore <paul@paul-moore.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com> Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Acked-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <james.morris@microsoft.com>
show more ...
|
#
72e89f50 |
| 13-Feb-2018 |
Richard Haines <richard_c_haines@btinternet.com> |
security: Add support for SCTP security hooks
The SCTP security hooks are explained in: Documentation/security/LSM-sctp.rst
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com> Signed-of
security: Add support for SCTP security hooks
The SCTP security hooks are explained in: Documentation/security/LSM-sctp.rst
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
show more ...
|
#
afdb09c7 |
| 18-Oct-2017 |
Chenbo Feng <fengc@google.com> |
security: bpf: Add LSM hooks for bpf object related syscall
Introduce several LSM hooks for the syscalls that will allow the userspace to access to eBPF object such as eBPF programs and eBPF maps. T
security: bpf: Add LSM hooks for bpf object related syscall
Introduce several LSM hooks for the syscalls that will allow the userspace to access to eBPF object such as eBPF programs and eBPF maps. The security check is aimed to enforce a per object security protection for eBPF object so only processes with the right priviliges can read/write to a specific map or use a specific eBPF program. Besides that, a general security hook is added before the multiplexer of bpf syscall to check the cmd and the attribute used for the command. The actual security module can decide which command need to be checked and how the cmd should be checked.
Signed-off-by: Chenbo Feng <fengc@google.com> Acked-by: James Morris <james.l.morris@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
show more ...
|
Revision tags: v4.13 |
|
#
2af62280 |
| 18-Jul-2017 |
Kees Cook <keescook@chromium.org> |
LSM: drop bprm_secureexec hook
This removes the bprm_secureexec hook since the logic has been folded into the bprm_set_creds hook for all LSMs now.
Cc: Eric W. Biederman <ebiederm@xmission.com> Sig
LSM: drop bprm_secureexec hook
This removes the bprm_secureexec hook since the logic has been folded into the bprm_set_creds hook for all LSMs now.
Cc: Eric W. Biederman <ebiederm@xmission.com> Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: John Johansen <john.johansen@canonical.com> Acked-by: James Morris <james.l.morris@oracle.com> Acked-by: Serge Hallyn <serge@hallyn.com>
show more ...
|
#
3cf29931 |
| 14-Jul-2017 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
LSM: Remove security_task_create() hook.
Since commit a79be238600d1a03 ("selinux: Use task_alloc hook rather than task_create hook") changed to use task_alloc hook, task_create hook is no longer use
LSM: Remove security_task_create() hook.
Since commit a79be238600d1a03 ("selinux: Use task_alloc hook rather than task_create hook") changed to use task_alloc hook, task_create hook is no longer used.
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <james.l.morris@oracle.com>
show more ...
|
Revision tags: v4.12 |
|
#
0b4d3452 |
| 05-Jun-2017 |
Scott Mayhew <smayhew@redhat.com> |
security/selinux: allow security_sb_clone_mnt_opts to enable/disable native labeling behavior
When an NFSv4 client performs a mount operation, it first mounts the NFSv4 root and then does path walk
security/selinux: allow security_sb_clone_mnt_opts to enable/disable native labeling behavior
When an NFSv4 client performs a mount operation, it first mounts the NFSv4 root and then does path walk to the exported path and performs a submount on that, cloning the security mount options from the root's superblock to the submount's superblock in the process.
Unless the NFS server has an explicit fsid=0 export with the "security_label" option, the NFSv4 root superblock will not have SBLABEL_MNT set, and neither will the submount superblock after cloning the security mount options. As a result, setxattr's of security labels over NFSv4.2 will fail. In a similar fashion, NFSv4.2 mounts mounted with the context= mount option will not show the correct labels because the nfs_server->caps flags of the cloned superblock will still have NFS_CAP_SECURITY_LABEL set.
Allowing the NFSv4 client to enable or disable SECURITY_LSM_NATIVE_LABELS behavior will ensure that the SBLABEL_MNT flag has the correct value when the client traverses from an exported path without the "security_label" option to one with the "security_label" option and vice versa. Similarly, checking to see if SECURITY_LSM_NATIVE_LABELS is set upon return from security_sb_clone_mnt_opts() and clearing NFS_CAP_SECURITY_LABEL if necessary will allow the correct labels to be displayed for NFSv4.2 mounts mounted with the context= mount option.
Resolves: https://github.com/SELinuxProject/selinux-kernel/issues/35
Signed-off-by: Scott Mayhew <smayhew@redhat.com> Reviewed-by: Stephen Smalley <sds@tycho.nsa.gov> Tested-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <paul@paul-moore.com>
show more ...
|
Revision tags: v4.10.17 |
|
#
47a2b338 |
| 19-May-2017 |
Daniel Jurgens <danielj@mellanox.com> |
IB/core: Enforce security on management datagrams
Allocate and free a security context when creating and destroying a MAD agent. This context is used for controlling access to PKeys and sending and
IB/core: Enforce security on management datagrams
Allocate and free a security context when creating and destroying a MAD agent. This context is used for controlling access to PKeys and sending and receiving SMPs.
When sending or receiving a MAD check that the agent has permission to access the PKey for the Subnet Prefix of the port.
During MAD and snoop agent registration for SMI QPs check that the calling process has permission to access the manage the subnet and register a callback with the LSM to be notified of policy changes. When notificaiton of a policy change occurs recheck permission and set a flag indicating sending and receiving SMPs is allowed.
When sending and receiving MADs check that the agent has access to the SMI if it's on an SMI QP. Because security policy can change it's possible permission was allowed when creating the agent, but no longer is.
Signed-off-by: Daniel Jurgens <danielj@mellanox.com> Acked-by: Doug Ledford <dledford@redhat.com> [PM: remove the LSM hook init code] Signed-off-by: Paul Moore <paul@paul-moore.com>
show more ...
|
#
8f408ab6 |
| 19-May-2017 |
Daniel Jurgens <danielj@mellanox.com> |
selinux lsm IB/core: Implement LSM notification system
Add a generic notificaiton mechanism in the LSM. Interested consumers can register a callback with the LSM and security modules can produce eve
selinux lsm IB/core: Implement LSM notification system
Add a generic notificaiton mechanism in the LSM. Interested consumers can register a callback with the LSM and security modules can produce events.
Because access to Infiniband QPs are enforced in the setup phase of a connection security should be enforced again if the policy changes. Register infiniband devices for policy change notification and check all QPs on that device when the notification is received.
Add a call to the notification mechanism from SELinux when the AVC cache changes or setenforce is cleared.
Signed-off-by: Daniel Jurgens <danielj@mellanox.com> Acked-by: James Morris <james.l.morris@oracle.com> Acked-by: Doug Ledford <dledford@redhat.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
show more ...
|
#
d291f1a6 |
| 19-May-2017 |
Daniel Jurgens <danielj@mellanox.com> |
IB/core: Enforce PKey security on QPs
Add new LSM hooks to allocate and free security contexts and check for permission to access a PKey.
Allocate and free a security context when creating and dest
IB/core: Enforce PKey security on QPs
Add new LSM hooks to allocate and free security contexts and check for permission to access a PKey.
Allocate and free a security context when creating and destroying a QP. This context is used for controlling access to PKeys.
When a request is made to modify a QP that changes the port, PKey index, or alternate path, check that the QP has permission for the PKey in the PKey table index on the subnet prefix of the port. If the QP is shared make sure all handles to the QP also have access.
Store which port and PKey index a QP is using. After the reset to init transition the user can modify the port, PKey index and alternate path independently. So port and PKey settings changes can be a merge of the previous settings and the new ones.
In order to maintain access control if there are PKey table or subnet prefix change keep a list of all QPs are using each PKey index on each port. If a change occurs all QPs using that device and port must have access enforced for the new cache settings.
These changes add a transaction to the QP modify process. Association with the old port and PKey index must be maintained if the modify fails, and must be removed if it succeeds. Association with the new port and PKey index must be established prior to the modify and removed if the modify fails.
1. When a QP is modified to a particular Port, PKey index or alternate path insert that QP into the appropriate lists.
2. Check permission to access the new settings.
3. If step 2 grants access attempt to modify the QP.
4a. If steps 2 and 3 succeed remove any prior associations.
4b. If ether fails remove the new setting associations.
If a PKey table or subnet prefix changes walk the list of QPs and check that they have permission. If not send the QP to the error state and raise a fatal error event. If it's a shared QP make sure all the QPs that share the real_qp have permission as well. If the QP that owns a security structure is denied access the security structure is marked as such and the QP is added to an error_list. Once the moving the QP to error is complete the security structure mark is cleared.
Maintaining the lists correctly turns QP destroy into a transaction. The hardware driver for the device frees the ib_qp structure, so while the destroy is in progress the ib_qp pointer in the ib_qp_security struct is undefined. When the destroy process begins the ib_qp_security structure is marked as destroying. This prevents any action from being taken on the QP pointer. After the QP is destroyed successfully it could still listed on an error_list wait for it to be processed by that flow before cleaning up the structure.
If the destroy fails the QPs port and PKey settings are reinserted into the appropriate lists, the destroying flag is cleared, and access control is enforced, in case there were any cache changes during the destroy flow.
To keep the security changes isolated a new file is used to hold security related functionality.
Signed-off-by: Daniel Jurgens <danielj@mellanox.com> Acked-by: Doug Ledford <dledford@redhat.com> [PM: merge fixup in ib_verbs.h and uverbs_cmd.c] Signed-off-by: Paul Moore <paul@paul-moore.com>
show more ...
|
Revision tags: v4.10.16 |
|
#
3bb857e4 |
| 10-May-2017 |
Mickaël Salaün <mic@digikod.net> |
LSM: Enable multiple calls to security_add_hooks() for the same LSM
The commit d69dece5f5b6 ("LSM: Add /sys/kernel/security/lsm") extend security_add_hooks() with a new parameter to register the LSM
LSM: Enable multiple calls to security_add_hooks() for the same LSM
The commit d69dece5f5b6 ("LSM: Add /sys/kernel/security/lsm") extend security_add_hooks() with a new parameter to register the LSM name, which may be useful to make the list of currently loaded LSM available to userspace. However, there is no clean way for an LSM to split its hook declarations into multiple files, which may reduce the mess with all the included files (needed for LSM hook argument types) and make the source code easier to review and maintain.
This change allows an LSM to register multiple times its hook while keeping a consistent list of LSM names as described in Documentation/security/LSM.txt . The list reflects the order in which checks are made. This patch only check for the last registered LSM. If an LSM register multiple times its hooks, interleaved with other LSM registrations (which should not happen), its name will still appear in the same order that the hooks are called, hence multiple times.
To sum up, "capability,selinux,foo,foo" will be replaced with "capability,selinux,foo", however "capability,foo,selinux,foo" will remain as is.
Signed-off-by: Mickaël Salaün <mic@digikod.net> Acked-by: Kees Cook <keescook@chromium.org> Acked-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: James Morris <james.l.morris@oracle.com>
show more ...
|
Revision tags: v4.10.15, v4.10.14, v4.10.13, v4.10.12, v4.10.11, v4.10.10, v4.10.9, v4.10.8 |
|
#
0e056eb5 |
| 30-Mar-2017 |
mchehab@s-opensource.com <mchehab@s-opensource.com> |
kernel-api.rst: fix a series of errors when parsing C files
./lib/string.c:134: WARNING: Inline emphasis start-string without end-string. ./mm/filemap.c:522: WARNING: Inline interpreted text or phra
kernel-api.rst: fix a series of errors when parsing C files
./lib/string.c:134: WARNING: Inline emphasis start-string without end-string. ./mm/filemap.c:522: WARNING: Inline interpreted text or phrase reference start-string without end-string. ./mm/filemap.c:1283: ERROR: Unexpected indentation. ./mm/filemap.c:3003: WARNING: Inline interpreted text or phrase reference start-string without end-string. ./mm/vmalloc.c:1544: WARNING: Inline emphasis start-string without end-string. ./mm/page_alloc.c:4245: ERROR: Unexpected indentation. ./ipc/util.c:676: ERROR: Unexpected indentation. ./drivers/pci/irq.c:35: WARNING: Block quote ends without a blank line; unexpected unindent. ./security/security.c:109: ERROR: Unexpected indentation. ./security/security.c:110: WARNING: Definition list ends without a blank line; unexpected unindent. ./block/genhd.c:275: WARNING: Inline strong start-string without end-string. ./block/genhd.c:283: WARNING: Inline strong start-string without end-string. ./include/linux/clk.h:134: WARNING: Inline emphasis start-string without end-string. ./include/linux/clk.h:134: WARNING: Inline emphasis start-string without end-string. ./ipc/util.c:477: ERROR: Unknown target name: "s".
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com> Acked-by: Bjorn Helgaas <bhelgaas@google.com> Signed-off-by: Jonathan Corbet <corbet@lwn.net>
show more ...
|
Revision tags: v4.10.7, v4.10.6 |
|
#
e4e55b47 |
| 24-Mar-2017 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
LSM: Revive security_task_alloc() hook and per "struct task_struct" security blob.
We switched from "struct task_struct"->security to "struct cred"->security in Linux 2.6.29. But not all LSM modules
LSM: Revive security_task_alloc() hook and per "struct task_struct" security blob.
We switched from "struct task_struct"->security to "struct cred"->security in Linux 2.6.29. But not all LSM modules were happy with that change. TOMOYO LSM module is an example which want to use per "struct task_struct" security blob, for TOMOYO's security context is defined based on "struct task_struct" rather than "struct cred". AppArmor LSM module is another example which want to use it, for AppArmor is currently abusing the cred a little bit to store the change_hat and setexeccon info. Although security_task_free() hook was revived in Linux 3.4 because Yama LSM module wanted to release per "struct task_struct" security blob, security_task_alloc() hook and "struct task_struct"->security field were not revived. Nowadays, we are getting proposals of lightweight LSM modules which want to use per "struct task_struct" security blob.
We are already allowing multiple concurrent LSM modules (up to one fully armored module which uses "struct cred"->security field or exclusive hooks like security_xfrm_state_pol_flow_match(), plus unlimited number of lightweight modules which do not use "struct cred"->security nor exclusive hooks) as long as they are built into the kernel. But this patch does not implement variable length "struct task_struct"->security field which will become needed when multiple LSM modules want to use "struct task_struct"-> security field. Although it won't be difficult to implement variable length "struct task_struct"->security field, let's think about it after we merged this patch.
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Acked-by: John Johansen <john.johansen@canonical.com> Acked-by: Serge Hallyn <serge@hallyn.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com> Tested-by: Djalal Harouni <tixxdz@gmail.com> Acked-by: José Bollo <jobol@nonadev.net> Cc: Paul Moore <paul@paul-moore.com> Cc: Stephen Smalley <sds@tycho.nsa.gov> Cc: Eric Paris <eparis@parisplace.org> Cc: Kees Cook <keescook@chromium.org> Cc: James Morris <james.l.morris@oracle.com> Cc: José Bollo <jobol@nonadev.net> Signed-off-by: James Morris <james.l.morris@oracle.com>
show more ...
|
Revision tags: v4.10.5 |
|
#
3dfc9b02 |
| 22-Mar-2017 |
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
LSM: Initialize security_hook_heads upon registration.
"struct security_hook_heads" is an array of "struct list_head" where elements can be initialized just before registration.
There is no need to
LSM: Initialize security_hook_heads upon registration.
"struct security_hook_heads" is an array of "struct list_head" where elements can be initialized just before registration.
There is no need to waste 350+ lines for initialization. Let's initialize "struct security_hook_heads" just before registration.
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Acked-by: Kees Cook <keescook@chromium.org> Cc: John Johansen <john.johansen@canonical.com> Cc: Kees Cook <keescook@chromium.org> Cc: Paul Moore <paul@paul-moore.com> Cc: Stephen Smalley <sds@tycho.nsa.gov> Cc: Casey Schaufler <casey@schaufler-ca.com> Cc: James Morris <james.l.morris@oracle.com> Signed-off-by: James Morris <james.l.morris@oracle.com>
show more ...
|
Revision tags: v4.10.4, v4.10.3, v4.10.2, v4.10.1, v4.10 |
|
#
ca97d939 |
| 14-Feb-2017 |
James Morris <jmorris@namei.org> |
security: mark LSM hooks as __ro_after_init
Mark all of the registration hooks as __ro_after_init (via the __lsm_ro_after_init macro).
Signed-off-by: James Morris <james.l.morris@oracle.com> Acked-
security: mark LSM hooks as __ro_after_init
Mark all of the registration hooks as __ro_after_init (via the __lsm_ro_after_init macro).
Signed-off-by: James Morris <james.l.morris@oracle.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: Kees Cook <keescook@chromium.org>
show more ...
|
#
791ec491 |
| 17-Feb-2017 |
Stephen Smalley <sds@tycho.nsa.gov> |
prlimit,security,selinux: add a security hook for prlimit
When SELinux was first added to the kernel, a process could only get and set its own resource limits via getrlimit(2) and setrlimit(2), so n
prlimit,security,selinux: add a security hook for prlimit
When SELinux was first added to the kernel, a process could only get and set its own resource limits via getrlimit(2) and setrlimit(2), so no MAC checks were required for those operations, and thus no security hooks were defined for them. Later, SELinux introduced a hook for setlimit(2) with a check if the hard limit was being changed in order to be able to rely on the hard limit value as a safe reset point upon context transitions.
Later on, when prlimit(2) was added to the kernel with the ability to get or set resource limits (hard or soft) of another process, LSM/SELinux was not updated other than to pass the target process to the setrlimit hook. This resulted in incomplete control over both getting and setting the resource limits of another process.
Add a new security_task_prlimit() hook to the check_prlimit_permission() function to provide complete mediation. The hook is only called when acting on another task, and only if the existing DAC/capability checks would allow access. Pass flags down to the hook to indicate whether the prlimit(2) call will read, write, or both read and write the resource limits of the target process.
The existing security_task_setrlimit() hook is left alone; it continues to serve a purpose in supporting the ability to make decisions based on the old and/or new resource limit values when setting limits. This is consistent with the DAC/capability logic, where check_prlimit_permission() performs generic DAC/capability checks for acting on another task, while do_prlimit() performs a capability check based on a comparison of the old and new resource limits. Fix the inline documentation for the hook to match the code.
Implement the new hook for SELinux. For setting resource limits, we reuse the existing setrlimit permission. Note that this does overload the setrlimit permission to mean the ability to set the resource limit (soft or hard) of another process or the ability to change one's own hard limit. For getting resource limits, a new getrlimit permission is defined. This was not originally defined since getrlimit(2) could only be used to obtain a process' own limits.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <james.l.morris@oracle.com>
show more ...
|
#
d69dece5 |
| 18-Jan-2017 |
Casey Schaufler <casey@schaufler-ca.com> |
LSM: Add /sys/kernel/security/lsm
I am still tired of having to find indirect ways to determine what security modules are active on a system. I have added /sys/kernel/security/lsm, which contains a
LSM: Add /sys/kernel/security/lsm
I am still tired of having to find indirect ways to determine what security modules are active on a system. I have added /sys/kernel/security/lsm, which contains a comma separated list of the active security modules. No more groping around in /proc/filesystems or other clever hacks.
Unchanged from previous versions except for being updated to the latest security next branch.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Acked-by: John Johansen <john.johansen@canonical.com> Acked-by: Paul Moore <paul@paul-moore.com> Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: James Morris <james.l.morris@oracle.com>
show more ...
|
#
3a2f5a59 |
| 10-Jan-2017 |
Stephen Smalley <sds@tycho.nsa.gov> |
security,selinux,smack: kill security_task_wait hook
As reported by yangshukui, a permission denial from security_task_wait() can lead to a soft lockup in zap_pid_ns_processes() since it only expect
security,selinux,smack: kill security_task_wait hook
As reported by yangshukui, a permission denial from security_task_wait() can lead to a soft lockup in zap_pid_ns_processes() since it only expects sys_wait4() to return 0 or -ECHILD. Further, security_task_wait() can in general lead to zombies; in the absence of some way to automatically reparent a child process upon a denial, the hook is not useful. Remove the security hook and its implementations in SELinux and Smack. Smack already removed its check from its hook.
Reported-by: yangshukui <yangshukui@huawei.com> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: Casey Schaufler <casey@schaufler-ca.com> Acked-by: Oleg Nesterov <oleg@redhat.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
show more ...
|
#
b21507e2 |
| 09-Jan-2017 |
Stephen Smalley <sds@tycho.nsa.gov> |
proc,security: move restriction on writing /proc/pid/attr nodes to proc
Processes can only alter their own security attributes via /proc/pid/attr nodes. This is presently enforced by each individua
proc,security: move restriction on writing /proc/pid/attr nodes to proc
Processes can only alter their own security attributes via /proc/pid/attr nodes. This is presently enforced by each individual security module and is also imposed by the Linux credentials implementation, which only allows a task to alter its own credentials. Move the check enforcing this restriction from the individual security modules to proc_pid_attr_write() before calling the security hook, and drop the unnecessary task argument to the security hook since it can only ever be the current task.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: Casey Schaufler <casey@schaufler-ca.com> Acked-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
show more ...
|
Revision tags: v4.9, openbmc-4.4-20161121-1, v4.4.33, v4.4.32, v4.4.31, v4.4.30, v4.4.29, v4.4.28, v4.4.27, v4.7.10, openbmc-4.4-20161021-1, v4.7.9, v4.4.26, v4.7.8, v4.4.25, v4.4.24, v4.7.7, v4.8, v4.4.23, v4.7.6, v4.7.5, v4.4.22, v4.4.21, v4.7.4, v4.7.3, v4.4.20, v4.7.2, v4.4.19, openbmc-4.4-20160819-1, v4.7.1, v4.4.18, v4.4.17, openbmc-4.4-20160804-1, v4.4.16, v4.7, openbmc-4.4-20160722-1, openbmc-20160722-1 |
|
#
2602625b |
| 13-Jul-2016 |
Vivek Goyal <vgoyal@redhat.com> |
security, overlayfs: Provide hook to correctly label newly created files
During a new file creation we need to make sure new file is created with the right label. New file is created in upper/ so ef
security, overlayfs: Provide hook to correctly label newly created files
During a new file creation we need to make sure new file is created with the right label. New file is created in upper/ so effectively file should get label as if task had created file in upper/.
We switched to mounter's creds for actual file creation. Also if there is a whiteout present, then file will be created in work/ dir first and then renamed in upper. In none of the cases file will be labeled as we want it to be.
This patch introduces a new hook dentry_create_files_as(), which determines the label/context dentry will get if it had been created by task in upper and modify passed set of creds appropriately. Caller makes use of these new creds for file creation.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> [PM: fix whitespace issues found with checkpatch.pl] [PM: changes to use stat->mode in ovl_create_or_link()] Signed-off-by: Paul Moore <paul@paul-moore.com>
show more ...
|
#
121ab822 |
| 13-Jul-2016 |
Vivek Goyal <vgoyal@redhat.com> |
security,overlayfs: Provide security hook for copy up of xattrs for overlay file
Provide a security hook which is called when xattrs of a file are being copied up. This hook is called once for each
security,overlayfs: Provide security hook for copy up of xattrs for overlay file
Provide a security hook which is called when xattrs of a file are being copied up. This hook is called once for each xattr and LSM can return 0 if the security module wants the xattr to be copied up, 1 if the security module wants the xattr to be discarded on the copy, -EOPNOTSUPP if the security module does not handle/manage the xattr, or a -errno upon an error.
Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Vivek Goyal <vgoyal@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> [PM: whitespace cleanup for checkpatch.pl] Signed-off-by: Paul Moore <paul@paul-moore.com>
show more ...
|
#
d8ad8b49 |
| 13-Jul-2016 |
Vivek Goyal <vgoyal@redhat.com> |
security, overlayfs: provide copy up security hook for unioned files
Provide a security hook to label new file correctly when a file is copied up from lower layer to upper layer of a overlay/union m
security, overlayfs: provide copy up security hook for unioned files
Provide a security hook to label new file correctly when a file is copied up from lower layer to upper layer of a overlay/union mount.
This hook can prepare a new set of creds which are suitable for new file creation during copy up. Caller will use new creds to create file and then revert back to old creds and release new creds.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> [PM: whitespace cleanup to appease checkpatch.pl] Signed-off-by: Paul Moore <paul@paul-moore.com>
show more ...
|
#
4f3ccd76 |
| 20-Jul-2016 |
Al Viro <viro@zeniv.linux.org.uk> |
qstr: constify dentry_init_security
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|