Revision tags: openbmc-20160713-1, v4.4.15, v4.6.4, v4.6.3, v4.4.14, v4.6.2, v4.4.13, openbmc-20160606-1, v4.6.1, v4.4.12

# 2885c1e3 | 31-May-2016 | Casey Schaufler <casey@schaufler-ca.com>
LSM: Fix for security_inode_getsecurity and -EOPNOTSUPP
Serge Hallyn pointed out that the current implementation of security_inode_getsecurity() works if there is only one hook provided for it, but will fail if there is more than one and the attribute requested isn't supplied by the first module. This isn't a problem today, since only SELinux and Smack provide this hook and there is (currently) no way to enable both of those modules at the same time. Serge, however, wants to introduce a capability attribute and an inode_getsecurity hook in the capability security module to handle it. This addresses that upcoming problem, will be required for "extreme stacking" and is just a better implementation.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Acked-by: Serge Hallyn <serge@hallyn.com> Signed-off-by: James Morris <james.l.morris@oracle.com>
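The hook-walk semantics the commit above describes, as an added user-space model (not the commit's code and not kernel code): two constructed modules each own one attribute name and answer -EOPNOTSUPP for anything else. getsecurity_stop_on_first_error() models a walk that ends at the first non-zero return, which is the failure mode the message describes for an attribute the first module does not supply; getsecurity_skip_unsupported() treats -EOPNOTSUPP as "ask the next module" and returns the first definitive answer. Module names, attribute names and values are constructed.

```c
/*
 * Added illustration, not kernel code: a user-space model of how
 * security_inode_getsecurity() walks a list of LSM hooks.  The modules,
 * attribute names and values below are constructed.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hook signature modelled on the LSM one, minus the inode and alloc flag. */
typedef int (*getsecurity_hook)(const char *name, const char **value);

/* Constructed "first" module: knows only the attribute "selinux". */
static int mod_a_getsecurity(const char *name, const char **value)
{
	if (strcmp(name, "selinux") == 0) {
		*value = "system_u:object_r:etc_t:s0";
		return 0;
	}
	return -EOPNOTSUPP;	/* not my attribute */
}

/* Constructed "second" module: knows only the attribute "capability". */
static int mod_b_getsecurity(const char *name, const char **value)
{
	if (strcmp(name, "capability") == 0) {
		*value = "cap_net_bind_service+ep";
		return 0;
	}
	return -EOPNOTSUPP;
}

static const getsecurity_hook hooks[] = { mod_a_getsecurity, mod_b_getsecurity };
#define NHOOKS (sizeof(hooks) / sizeof(hooks[0]))

/*
 * Modelled pre-fix walk: stop at the first non-zero return.  Module A's
 * -EOPNOTSUPP for "capability" ends the walk before module B is asked.
 */
int getsecurity_stop_on_first_error(const char *name, const char **value)
{
	int rc = -EOPNOTSUPP;
	for (size_t i = 0; i < NHOOKS; i++) {
		rc = hooks[i](name, value);
		if (rc != 0)
			return rc;
	}
	return rc;
}

/*
 * Modelled post-fix walk: -EOPNOTSUPP means "not mine, try the next module";
 * any other value (0 or a real error) is the answer.  Only one module is
 * expected to own a given attribute name.
 */
int getsecurity_skip_unsupported(const char *name, const char **value)
{
	for (size_t i = 0; i < NHOOKS; i++) {
		int rc = hooks[i](name, value);
		if (rc != -EOPNOTSUPP)
			return rc;
	}
	return -EOPNOTSUPP;
}

int main(void)
{
	const char *v = NULL;
	printf("stop-on-error: capability -> %d\n",
	       getsecurity_stop_on_first_error("capability", &v));
	printf("skip-unsupported: capability -> %d (%s)\n",
	       getsecurity_skip_unsupported("capability", &v), v);
	printf("skip-unsupported: bogus -> %d\n",
	       getsecurity_skip_unsupported("bogus", &v));
	return 0;
}
```

The check a reviewer wants from a stacked getsecurity path is the last case: when no module owns the name, the caller must still see -EOPNOTSUPP rather than a stale value or 0.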

Revision tags: openbmc-20160521-1, v4.4.11, openbmc-20160518-1, v4.6, v4.4.10, openbmc-20160511-1, openbmc-20160505-1, v4.4.9, v4.4.8, v4.4.7

# 457db29b | 08-Apr-2016 | Baolin Wang <baolin.wang@linaro.org>
security: Introduce security_settime64()
security_settime() uses a timespec, which is not year 2038 safe on 32bit systems. Thus this patch introduces the security_settime64() function with timespec64 type. We also convert the cap_settime() helper function to use the 64bit types.
This patch then moves security_settime() to the header file as an inline helper function so that existing users can be iteratively converted.
None of the existing hooks is using the timespec argument and therefore the patch is not making any functional changes.
Cc: Serge Hallyn <serge.hallyn@canonical.com>, Cc: James Morris <james.l.morris@oracle.com>, Cc: "Serge E. Hallyn" <serge@hallyn.com>, Cc: Paul Moore <pmoore@redhat.com> Cc: Stephen Smalley <sds@tycho.nsa.gov> Cc: Kees Cook <keescook@chromium.org> Cc: Prarit Bhargava <prarit@redhat.com> Cc: Richard Cochran <richardcochran@gmail.com> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Ingo Molnar <mingo@kernel.org> Reviewed-by: James Morris <james.l.morris@oracle.com> Signed-off-by: Baolin Wang <baolin.wang@linaro.org> [jstultz: Reworded commit message] Signed-off-by: John Stultz <john.stultz@linaro.org>

# 9b091556 | 20-Apr-2016 | Kees Cook <keescook@chromium.org>
LSM: LoadPin for kernel file loading restrictions
This LSM enforces that kernel-loaded files (modules, firmware, etc) must all come from the same filesystem, with the expectation that such a filesystem is backed by a read-only device such as dm-verity or CDROM. This allows systems that have a verified and/or unchangeable filesystem to enforce module and firmware loading restrictions without needing to sign the files individually.
Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: James Morris <james.l.morris@oracle.com>
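The pinning policy the commit describes, as an added user-space model that is not LoadPin's own code: the first filesystem a kernel-loaded file comes from becomes the pin, and every later load from a different filesystem is refused. The model also carries the caveat that matters in practice: pinning to a writable filesystem gives no guarantee, so in that case mismatches are only reported. The filesystems, their read-only flags and the report format are constructed; a real LoadPin pins a superblock and asks the block layer whether the backing device is read-only.

```c
/*
 * Added illustration, not LoadPin's code: a user-space model of "pin all
 * kernel-loaded files to the first filesystem seen".  The filesystems and
 * their read-only flags are constructed.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for the superblock a kernel-loaded file is read from. */
struct fs {
	const char *name;
	bool read_only;	/* backed by dm-verity, a CDROM, etc. */
};

const struct fs ROOT_RO  = { "rootfs (dm-verity)", true };
const struct fs ROOT_RW  = { "rootfs (writable)",  false };
const struct fs TMPFS_RW = { "tmpfs",              false };

static const struct fs *pinned_root;	/* first filesystem a kernel file came from */
static bool enforcing = true;		/* cleared if that filesystem is writable */

static void report(const char *what, const struct fs *src, const char *verdict)
{
	printf("loadpin: %s from %s: %s\n", what, src->name, verdict);
}

/*
 * Decision taken when the kernel is about to read a module or firmware
 * file.  Pin to the first filesystem seen, then refuse every other one.
 * Pinning to a writable filesystem proves nothing, so in that case later
 * mismatches are reported but allowed.
 */
int loadpin_read_file(const char *what, const struct fs *src)
{
	if (!pinned_root) {
		pinned_root = src;
		if (src->read_only) {
			report(what, src, "pinned");
		} else {
			enforcing = false;
			report(what, src, "pinned to a writable filesystem; enforcement disabled");
		}
	}
	if (src != pinned_root) {
		if (!enforcing) {
			report(what, src, "pinning ignored");
			return 0;
		}
		report(what, src, "denied");
		return -EPERM;
	}
	return 0;
}

/* Start over so several boots can be simulated in one process. */
static void loadpin_reset(void)
{
	pinned_root = NULL;
	enforcing = true;
}

/* Boot from a read-only root: a later module load from tmpfs is refused. */
int scenario_readonly_root(void)
{
	loadpin_reset();
	loadpin_read_file("module", &ROOT_RO);
	loadpin_read_file("firmware", &ROOT_RO);
	return loadpin_read_file("module", &TMPFS_RW);
}

/* Boot from a writable root: the same load is reported but allowed. */
int scenario_writable_root(void)
{
	loadpin_reset();
	loadpin_read_file("module", &ROOT_RW);
	return loadpin_read_file("module", &TMPFS_RW);
}

int main(void)
{
	printf("read-only root -> %d\n", scenario_readonly_root());
	printf("writable root  -> %d\n", scenario_writable_root());
	return 0;
}
```

The second scenario is the one to watch on a deployed system: a LoadPin that reports "pinning ignored" at boot is telling you the root filesystem is not actually immutable, and the module/firmware restriction is not in force.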

# 3c9d6296 | 08-Apr-2016 | Paolo Abeni <pabeni@redhat.com>
security: drop the unused hook skb_owned_by
The skb_owned_by hook was added with the commit ca10b9e9a8ca ("selinux: add a skb_owned_by() hook") and later removed when said commit was reverted.
Later on, when switching to list of hooks, a field named 'skb_owned_by' was included into the security_hook_head struct, but without any users or callers.
This commit removes the said left-over field.
Fixes: b1d9e6b0646d ("LSM: Switch to lists of hooks") Signed-off-by: Paolo Abeni <pabeni@redhat.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com> Acked-by: Paul Moore <pmoore@paul-moore.com> Signed-off-by: James Morris <james.l.morris@oracle.com>

Revision tags: openbmc-20160329-2, openbmc-20160329-1

# 3b73b68c | 25-Mar-2016 | Al Viro <viro@zeniv.linux.org.uk>
constify security_sb_pivotroot()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

# 77b286c0 | 25-Mar-2016 | Al Viro <viro@zeniv.linux.org.uk>
constify security_path_chroot()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

# 3ccee46a | 25-Mar-2016 | Al Viro <viro@zeniv.linux.org.uk>
constify security_path_{link,rename}
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

# d3607752 | 25-Mar-2016 | Al Viro <viro@zeniv.linux.org.uk>
constify security_path_{mkdir,mknod,symlink}
... as well as unix_mknod() and may_o_create()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

# 989f74e0 | 25-Mar-2016 | Al Viro <viro@zeniv.linux.org.uk>
constify security_path_{unlink,rmdir}
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

# be01f9f2 | 25-Mar-2016 | Al Viro <viro@zeniv.linux.org.uk>
constify chmod_common/security_path_chmod
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

# 8a04c43b | 25-Mar-2016 | Al Viro <viro@zeniv.linux.org.uk>
constify security_sb_mount()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

# 7fd25dac | 25-Mar-2016 | Al Viro <viro@zeniv.linux.org.uk>
constify chown_common/security_path_chown
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

# 81f4c506 | 25-Mar-2016 | Al Viro <viro@zeniv.linux.org.uk>
constify security_path_truncate()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

Revision tags: openbmc-20160321-1, v4.4.6, v4.5, v4.4.5, v4.4.4, v4.4.3, openbmc-20160222-1, v4.4.2, openbmc-20160212-1, openbmc-20160210-1, openbmc-20160202-2, openbmc-20160202-1, v4.4.1, openbmc-20160127-1, openbmc-20160120-1, v4.4

# a1db7420 | 30-Dec-2015 | Mimi Zohar <zohar@linux.vnet.ibm.com>
module: replace copy_module_from_fd with kernel version
Replace copy_module_from_fd() with kernel_read_file_from_fd().
Although none of the upstreamed LSMs define a kernel_module_from_file hook, IMA is called, based on policy, to prevent unsigned kernel modules from being loaded by the original kernel module syscall and to measure/appraise signed kernel modules.
The security function security_kernel_module_from_file() was called prior to reading a kernel module. Preventing unsigned kernel modules from being loaded by the original kernel module syscall remains on the pre-read kernel_read_file() security hook. Instead of reading the kernel module twice, once for measuring/appraising and again for loading the kernel module, the signature validation is moved to the kernel_post_read_file() security hook.
This patch removes the security_kernel_module_from_file() hook and security call.
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Acked-by: Kees Cook <keescook@chromium.org> Acked-by: Luis R. Rodriguez <mcgrof@kernel.org> Cc: Rusty Russell <rusty@rustcorp.com.au>

# 39eeb4fb | 30-Jan-2016 | Mimi Zohar <zohar@linux.vnet.ibm.com>
security: define kernel_read_file hook
The kernel_read_file security hook is called prior to reading the file into memory.
Changelog v4+: - export security_kernel_read_file()
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Acked-by: Kees Cook <keescook@chromium.org> Acked-by: Luis R. Rodriguez <mcgrof@kernel.org> Acked-by: Casey Schaufler <casey@schaufler-ca.com>

Revision tags: openbmc-20151217-1, openbmc-20151210-1, openbmc-20151202-1, openbmc-20151123-1

# e40ba6d5 | 19-Nov-2015 | Mimi Zohar <zohar@linux.vnet.ibm.com>
firmware: replace call to fw_read_file_contents() with kernel version
Replace the fw_read_file_contents with kernel_file_read_from_path().
Although none of the upstreamed LSMs define a kernel_fw_from_file hook, IMA is called by the security function to prevent unsigned firmware from being loaded and to measure/appraise signed firmware, based on policy.
Instead of reading the firmware twice, once for measuring/appraising the firmware and again for reading the firmware contents into memory, the kernel_post_read_file() security hook calculates the file hash based on the in memory file buffer. The firmware is read once.
This patch removes the LSM kernel_fw_from_file() hook and security call.
Changelog
v4+:
- revert dropped buf->size assignment - reported by Sergey Senozhatsky
v3:
- remove kernel_fw_from_file hook
- use kernel_file_read_from_path() - requested by Luis
v2:
- reordered and squashed firmware patches
- fix MAX firmware size (Kees Cook)
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Acked-by: Kees Cook <keescook@chromium.org> Acked-by: Luis R. Rodriguez <mcgrof@kernel.org>

# cf222217 | 14-Jan-2016 | Mimi Zohar <zohar@linux.vnet.ibm.com>
ima: define a new hook to measure and appraise a file already in memory
This patch defines a new IMA hook ima_post_read_file() for measuring and appraising files read by the kernel. The caller loads the file into memory before calling this function, which calculates the hash followed by the normal IMA policy based processing.
Changelog
v5:
- fail ima_post_read_file() if either file or buf is NULL
v3:
- rename ima_hash_and_process_file() to ima_post_read_file()
v1:
- split patch
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Acked-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com>

# bc8ca5b9 | 24-Jan-2016 | Mimi Zohar <zohar@linux.vnet.ibm.com>
vfs: define kernel_read_file_id enumeration
To differentiate between the kernel_read_file() callers, this patch defines a new enumeration named kernel_read_file_id and includes the caller identifier as an argument.
Subsequent patches define READING_KEXEC_IMAGE, READING_KEXEC_INITRAMFS, READING_FIRMWARE, READING_MODULE, and READING_POLICY.
Changelog v3: - Replace the IMA specific enumeration with a generic one.
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Acked-by: Kees Cook <keescook@chromium.org> Acked-by: Luis R. Rodriguez <mcgrof@kernel.org> Cc: Al Viro <viro@zeniv.linux.org.uk>

# b44a7dfc | 28-Dec-2015 | Mimi Zohar <zohar@linux.vnet.ibm.com>
vfs: define a generic function to read a file from the kernel
For a while it was looked down upon to directly read files from Linux. These days there exist a few mechanisms in the kernel that do just this, though, to load a file into a local buffer. There are minor but important differences in the checks on each. This patch set is the first attempt at resolving some of these differences.
This patch introduces a common function for reading files from the kernel with the corresponding security post-read hook and function.
Changelog
v4+:
- export security_kernel_post_read_file() - Fengguang Wu
v3:
- additional bounds checking - Luis
v2:
- To simplify patch review, re-ordered patches
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Reviewed-by: Luis R. Rodriguez <mcgrof@suse.com> Acked-by: Kees Cook <keescook@chromium.org> Cc: Al Viro <viro@zeniv.linux.org.uk>
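The read-once flow that this series builds (the pre-read kernel_read_file hook, the kernel_read_file_id caller tag, a single copy into memory, then the post-read hook measuring and appraising that copy, as described in the commits for kernel_read_file, kernel_post_read_file, ima_post_read_file and the firmware and module conversions above), as an added user-space model that is none of those commits' code and not kernel code. The in-memory "files", the FNV-1a hash standing in for the IMA file hash, the reference-image allow-list standing in for IMA appraisal, and the "unknown caller is refused" rule in the pre-read hook are all constructed for the example.

```c
/*
 * Added illustration, not kernel code: a user-space model of the
 * kernel_read_file() flow.  File contents, the FNV-1a "measurement" and
 * the reference allow-list are constructed stand-ins for the real file,
 * the IMA hash and IMA appraisal policy.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Caller identifiers, after the kernel_read_file_id enumeration. */
enum read_file_id {
	READING_UNKNOWN, READING_FIRMWARE, READING_MODULE,
	READING_KEXEC_IMAGE, READING_KEXEC_INITRAMFS, READING_POLICY
};

/* Constructed in-memory stand-in for a file on disk. */
struct fake_file { const char *path; const uint8_t *data; size_t size; };

static const uint8_t fw_ok[]  = "constructed firmware image, version 1";
static const uint8_t fw_bad[] = "constructed firmware image, version 1!";	/* one byte appended */
static const uint8_t mod_ok[] = "constructed kernel module image";

const struct fake_file FW_GOOD     = { "/lib/firmware/demo.bin", fw_ok,  sizeof fw_ok  - 1 };
const struct fake_file FW_TAMPERED = { "/lib/firmware/demo.bin", fw_bad, sizeof fw_bad - 1 };
const struct fake_file MOD_GOOD    = { "/lib/modules/demo.ko",   mod_ok, sizeof mod_ok - 1 };

/* Reference images whose hashes play the role of IMA's expected values. */
static const struct fake_file *const trusted[] = { &FW_GOOD, &MOD_GOOD };

/* FNV-1a over a buffer: a cheap stand-in for the real file hash. */
static uint64_t fnv1a(const uint8_t *p, size_t n)
{
	uint64_t h = 0xcbf29ce484222325ULL;
	for (size_t i = 0; i < n; i++) {
		h ^= p[i];
		h *= 0x100000001b3ULL;
	}
	return h;
}

/* Pre-read hook: runs before any bytes are read, so it can only judge who is asking. */
static int kernel_read_file_hook(const struct fake_file *f, enum read_file_id id)
{
	(void)f;
	return id == READING_UNKNOWN ? -EPERM : 0;	/* modelled policy: unknown callers refused */
}

/* Post-read hook: measure and appraise the copy already in memory; no second read. */
static int kernel_post_read_file_hook(const struct fake_file *f, const uint8_t *buf,
				      size_t size, enum read_file_id id)
{
	uint64_t h = fnv1a(buf, size);
	printf("measure: id=%d %s hash=%016llx\n", id, f->path, (unsigned long long)h);
	for (size_t i = 0; i < sizeof trusted / sizeof trusted[0]; i++)
		if (fnv1a(trusted[i]->data, trusted[i]->size) == h)
			return 0;
	return -EACCES;	/* appraisal failed: content matches no reference image */
}

/*
 * The generic reader: pre-read hook, size bound, one copy into memory,
 * post-read hook on that copy.  On failure nothing is handed back.
 */
int kernel_read_file_model(const struct fake_file *f, uint8_t **buf, size_t *size,
			   size_t max_size, enum read_file_id id)
{
	int rc = kernel_read_file_hook(f, id);
	if (rc)
		return rc;
	if (max_size && f->size > max_size)
		return -EFBIG;
	*buf = malloc(f->size);
	if (!*buf)
		return -ENOMEM;
	memcpy(*buf, f->data, f->size);
	*size = f->size;
	rc = kernel_post_read_file_hook(f, *buf, *size, id);
	if (rc) {
		free(*buf);
		*buf = NULL;
		*size = 0;
	}
	return rc;
}

/* Convenience for the demo: read, discard the buffer, return the verdict. */
int load_verdict(const struct fake_file *f, size_t max_size, enum read_file_id id)
{
	uint8_t *buf = NULL;
	size_t n = 0;
	int rc = kernel_read_file_model(f, &buf, &n, max_size, id);
	free(buf);
	return rc;
}

int main(void)
{
	printf("good firmware:     %d\n", load_verdict(&FW_GOOD, 0, READING_FIRMWARE));
	printf("tampered firmware: %d\n", load_verdict(&FW_TAMPERED, 0, READING_FIRMWARE));
	printf("unknown caller:    %d\n", load_verdict(&FW_GOOD, 0, READING_UNKNOWN));
	printf("over size cap:     %d\n", load_verdict(&MOD_GOOD, 8, READING_MODULE));
	return 0;
}
```

The point of hashing the in-memory copy rather than re-reading the path is visible in the tampered case: the bytes that were appraised are exactly the bytes the caller receives, so a file that changes on disk between check and use cannot slip through. The size bound is applied before the allocation, which is the order the bounds-checking changelog entry above is about.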

# 6f3be9f5 | 24-Dec-2015 | Andreas Gruenbacher <agruenba@redhat.com>
security: Add hook to invalidate inode security labels
Add a hook to invalidate an inode's security label when the cached information becomes invalid.
Add the new hook in selinux: set a flag when a security label becomes invalid.
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com> Reviewed-by: James Morris <james.l.morris@oracle.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <pmoore@redhat.com>

# d6335d77 | 24-Dec-2015 | Andreas Gruenbacher <agruenba@redhat.com>
security: Make inode argument of inode_getsecid non-const
Make the inode argument of the inode_getsecid hook non-const so that we can use it to revalidate invalid security labels.
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <pmoore@redhat.com>

# ea861dfd | 24-Dec-2015 | Andreas Gruenbacher <agruenba@redhat.com>
security: Make inode argument of inode_getsecurity non-const
Make the inode argument of the inode_getsecurity hook non-const so that we can use it to revalidate invalid security labels.
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <pmoore@redhat.com>

Revision tags: openbmc-20151118-1, openbmc-20151104-1, v4.3, openbmc-20151102-1, openbmc-20151028-1, v4.3-rc1, v4.2

# e308fd3b | 24-Aug-2015 | Jan Beulich <JBeulich@suse.com>
LSM: restore certain default error codes
While in most cases commit b1d9e6b064 ("LSM: Switch to lists of hooks") retained previous error returns, in three cases it altered them without any explanation in the commit message. Restore all of them - in the security_old_inode_init_security() case this led to reiserfs using uninitialized data, sooner or later crashing the system (the only other user of this function - ocfs2 - was unaffected afaict, since it passes pre-initialized structures).
Signed-off-by: Jan Beulich <jbeulich@suse.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: James Morris <james.l.morris@oracle.com>

Revision tags: v4.2-rc8, v4.2-rc7, v4.2-rc6, v4.2-rc5, v4.2-rc4

# 730daa16 | 23-Jul-2015 | Kees Cook <keescook@chromium.org>
Yama: remove needless CONFIG_SECURITY_YAMA_STACKED
Now that minor LSMs can cleanly stack with major LSMs, remove the unneeded config for Yama to be made to explicitly stack. Just selecting the main Yama CONFIG will allow it to work, regardless of the major LSM. Since distros using Yama are already forcing it to stack, this is effectively a no-op change.
Additionally add MAINTAINERS entry.
Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: James Morris <james.l.morris@oracle.com>

Revision tags: v4.2-rc3, v4.2-rc2, v4.2-rc1

# 90f8572b | 29-Jun-2015 | Eric W. Biederman <ebiederm@xmission.com>
vfs: Commit to never having executables on proc and sysfs.
Today proc and sysfs do not contain any executable files. Several applications today mount proc or sysfs without noexec and nosuid and then depend on there being no executable files on proc or sysfs. Having any executable files show on proc or sysfs would cause a user space visible regression, and most likely security problems.
Therefore commit to never allowing executables on proc and sysfs by adding a new flag to mark them as filesystems without executables and enforce that flag.
Test the flag where MNT_NOEXEC is tested today, so that the only user visible effect will be that executables will be treated as if the execute bit is cleared.
The filesystems proc and sysfs do not currently incorporate any executable files so this does not result in any user visible effects.
This makes it unnecessary to vet changes to proc and sysfs tightly for adding executable files or changes to chattr that would modify existing files, as no matter what the individual files say they will not be treated as executable files by the vfs.
Not having to vet changes too closely is important as without this we are only one proc_create call (or another goof up in the implementation of notify_change) from having problematic executables on proc. Those mistakes are all too easy to make and would create a situation where there are security issues or the assumptions of some program having to be broken (and cause userspace regressions).
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>