Revision tags: v3.9-rc5, v3.9-rc4, v3.9-rc3, v3.9-rc2, v3.9-rc1, v3.8, v3.8-rc7, v3.8-rc6, v3.8-rc5, v3.8-rc4 |
|
#
5dbbaf2d |
| 14-Jan-2013 |
Paul Moore <pmoore@redhat.com> |
tun: fix LSM/SELinux labeling of tun/tap devices
This patch corrects some problems with LSM/SELinux that were introduced with the multiqueue patchset. The problem stems from the fact that the multi
tun: fix LSM/SELinux labeling of tun/tap devices
This patch corrects some problems with LSM/SELinux that were introduced with the multiqueue patchset. The problem stems from the fact that the multiqueue work changed the relationship between the tun device and its associated socket; before the socket persisted for the life of the device, however after the multiqueue changes the socket only persisted for the life of the userspace connection (fd open). For non-persistent devices this is not an issue, but for persistent devices this can cause the tun device to lose its SELinux label.
We correct this problem by adding an opaque LSM security blob to the tun device struct which allows us to have the LSM security state, e.g. SELinux labeling information, persist for the lifetime of the tun device. In the process we tweak the LSM hooks to work with this new approach to TUN device/socket labeling and introduce a new LSM hook, security_tun_dev_attach_queue(), to approve requests to attach to a TUN queue via TUNSETQUEUE.
The SELinux code has been adjusted to match the new LSM hooks, the other LSMs do not make use of the LSM TUN controls. This patch makes use of the recently added "tun_socket:attach_queue" permission to restrict access to the TUNSETQUEUE operation. On older SELinux policies which do not define the "tun_socket:attach_queue" permission the access control decision for TUNSETQUEUE will be handled according to the SELinux policy's unknown permission setting.
Signed-off-by: Paul Moore <pmoore@redhat.com> Acked-by: Eric Paris <eparis@parisplace.org> Tested-by: Jason Wang <jasowang@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
show more ...
|
Revision tags: v3.8-rc3, v3.8-rc2, v3.8-rc1, v3.7, v3.7-rc8, v3.7-rc7, v3.7-rc6, v3.7-rc5, v3.7-rc4, v3.7-rc3, v3.7-rc2 |
|
#
fdf90729 |
| 15-Oct-2012 |
Mimi Zohar <zohar@linux.vnet.ibm.com> |
ima: support new kernel module syscall
With the addition of the new kernel module syscall, which defines two arguments - a file descriptor to the kernel module and a pointer to a NULL terminated str
ima: support new kernel module syscall
With the addition of the new kernel module syscall, which defines two arguments - a file descriptor to the kernel module and a pointer to a NULL terminated string of module arguments - it is now possible to measure and appraise kernel modules like any other file on the file system.
This patch adds support to measure and appraise kernel modules in an extensible and consistent manner.
To support filesystems without extended attribute support, additional patches could pass the signature as the first parameter.
Signed-off-by: Mimi Zohar <zohar@us.ibm.com> Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
show more ...
|
#
2e72d51b |
| 15-Oct-2012 |
Kees Cook <keescook@chromium.org> |
security: introduce kernel_module_from_file hook
Now that kernel module origins can be reasoned about, provide a hook to the LSMs to make policy decisions about the module file. This will let Chrome
security: introduce kernel_module_from_file hook
Now that kernel module origins can be reasoned about, provide a hook to the LSMs to make policy decisions about the module file. This will let Chrome OS enforce that loadable kernel modules can only come from its read-only hash-verified root filesystem. Other LSMs can, for example, read extended attributes for signatures, etc.
Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: Serge E. Hallyn <serge.hallyn@canonical.com> Acked-by: Eric Paris <eparis@redhat.com> Acked-by: Mimi Zohar <zohar@us.ibm.com> Acked-by: James Morris <james.l.morris@oracle.com> Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
show more ...
|
Revision tags: v3.7-rc1 |
|
#
808d4e3c |
| 11-Oct-2012 |
Al Viro <viro@zeniv.linux.org.uk> |
consitify do_mount() arguments
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
Revision tags: v3.6, v3.6-rc7, v3.6-rc6, v3.6-rc5, v3.6-rc4, v3.6-rc3, v3.6-rc2, v3.6-rc1, v3.5, v3.5-rc7, v3.5-rc6, v3.5-rc5, v3.5-rc4, v3.5-rc3, v3.5-rc2, v3.5-rc1 |
|
#
d2b31ca6 |
| 01-Jun-2012 |
Eric W. Biederman <ebiederm@xmission.com> |
userns: Teach security_path_chown to take kuids and kgids
Don't make the security modules deal with raw user space uid and gids instead pass in a kuid_t and a kgid_t so that security modules only ha
userns: Teach security_path_chown to take kuids and kgids
Don't make the security modules deal with raw user space uid and gids instead pass in a kuid_t and a kgid_t so that security modules only have to deal with internal kernel uids and gids.
Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: James Morris <james.l.morris@oracle.com> Cc: John Johansen <john.johansen@canonical.com> Cc: Kentaro Takeda <takedakn@nttdata.co.jp> Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
show more ...
|
Revision tags: v3.4, v3.4-rc7, v3.4-rc6, v3.4-rc5, v3.4-rc4, v3.4-rc3, v3.4-rc2, v3.4-rc1, v3.3, v3.3-rc7, v3.3-rc6, v3.3-rc5, v3.3-rc4, v3.3-rc3, v3.3-rc2, v3.3-rc1, v3.2, v3.2-rc7, v3.2-rc6, v3.2-rc5, v3.2-rc4, v3.2-rc3, v3.2-rc2, v3.2-rc1, v3.1, v3.1-rc10, v3.1-rc9, v3.1-rc8, v3.1-rc7, v3.1-rc6, v3.1-rc5, v3.1-rc4, v3.1-rc3, v3.1-rc2, v3.1-rc1, v3.0, v3.0-rc7, v3.0-rc6, v3.0-rc5, v3.0-rc4, v3.0-rc3, v3.0-rc2, v3.0-rc1, v2.6.39, v2.6.39-rc7, v2.6.39-rc6, v2.6.39-rc5, v2.6.39-rc4, v2.6.39-rc3, v2.6.39-rc2, v2.6.39-rc1, v2.6.38 |
|
#
42c63330 |
| 10-Mar-2011 |
Mimi Zohar <zohar@linux.vnet.ibm.com> |
ima: add ima_inode_setxattr/removexattr function and calls
Based on xattr_permission comments, the restriction to modify 'security' xattr is left up to the underlying fs or lsm. Ensure that not just
ima: add ima_inode_setxattr/removexattr function and calls
Based on xattr_permission comments, the restriction to modify 'security' xattr is left up to the underlying fs or lsm. Ensure that not just anyone can modify or remove 'security.ima'.
Changelog v1: - Unless IMA-APPRAISE is configured, use stub ima_inode_removexattr()/setxattr() functions. (Moved ima_inode_removexattr()/setxattr() to ima_appraise.c)
Changelog: - take i_mutex to fix locking (Dmitry Kasatkin) - ima_reset_appraise_flags should only be called when modifying or removing the 'security.ima' xattr. Requires CAP_SYS_ADMIN privilege. (Incorporated fix from Roberto Sassu) - Even if allowed to update security.ima, reset the appraisal flags, forcing re-appraisal. - Replace CAP_MAC_ADMIN with CAP_SYS_ADMIN - static inline ima_inode_setxattr()/ima_inode_removexattr() stubs - ima_protect_xattr should be static
Signed-off-by: Mimi Zohar <zohar@us.ibm.com> Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
show more ...
|
#
c6993e4a |
| 04-Sep-2012 |
Kees Cook <keescook@chromium.org> |
security: allow Yama to be unconditionally stacked
Unconditionally call Yama when CONFIG_SECURITY_YAMA_STACKED is selected, no matter what LSM module is primary.
Ubuntu and Chrome OS already carry
security: allow Yama to be unconditionally stacked
Unconditionally call Yama when CONFIG_SECURITY_YAMA_STACKED is selected, no matter what LSM module is primary.
Ubuntu and Chrome OS already carry patches to do this, and Fedora has voiced interest in doing this as well. Instead of having multiple distributions (or LSM authors) carrying these patches, just allow Yama to be called unconditionally when selected by the new CONFIG.
Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: Serge E. Hallyn <serge.hallyn@canonical.com> Acked-by: Eric Paris <eparis@redhat.com> Acked-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <james.l.morris@oracle.com>
show more ...
|
#
75331a59 |
| 02-Jul-2012 |
Paul Mundt <lethal@linux-sh.org> |
security: Fix nommu build.
The security + nommu configuration presently blows up with an undefined reference to BDI_CAP_EXEC_MAP:
security/security.c: In function 'mmap_prot': security/security.c:6
security: Fix nommu build.
The security + nommu configuration presently blows up with an undefined reference to BDI_CAP_EXEC_MAP:
security/security.c: In function 'mmap_prot': security/security.c:687:36: error: dereferencing pointer to incomplete type security/security.c:688:16: error: 'BDI_CAP_EXEC_MAP' undeclared (first use in this function) security/security.c:688:16: note: each undeclared identifier is reported only once for each function it appears in
include backing-dev.h directly to fix it up.
Signed-off-by: Paul Mundt <lethal@linux-sh.org> Signed-off-by: James Morris <james.l.morris@oracle.com>
show more ...
|
#
659b5e76 |
| 02-Jul-2012 |
Paul Mundt <lethal@linux-sh.org> |
security: Fix nommu build.
The security + nommu configuration presently blows up with an undefined reference to BDI_CAP_EXEC_MAP:
security/security.c: In function 'mmap_prot': security/security.c:6
security: Fix nommu build.
The security + nommu configuration presently blows up with an undefined reference to BDI_CAP_EXEC_MAP:
security/security.c: In function 'mmap_prot': security/security.c:687:36: error: dereferencing pointer to incomplete type security/security.c:688:16: error: 'BDI_CAP_EXEC_MAP' undeclared (first use in this function) security/security.c:688:16: note: each undeclared identifier is reported only once for each function it appears in
include backing-dev.h directly to fix it up.
Signed-off-by: Paul Mundt <lethal@linux-sh.org> Signed-off-by: James Morris <james.l.morris@oracle.com>
show more ...
|
#
98de59bf |
| 30-May-2012 |
Al Viro <viro@zeniv.linux.org.uk> |
take calculation of final prot in security_mmap_file() into a helper
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
#
8b3ec681 |
| 30-May-2012 |
Al Viro <viro@zeniv.linux.org.uk> |
take security_mmap_file() outside of ->mmap_sem
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
#
e5467859 |
| 30-May-2012 |
Al Viro <viro@zeniv.linux.org.uk> |
split ->file_mmap() into ->mmap_addr()/->mmap_file()
... i.e. file-dependent and address-dependent checks.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
#
83d49856 |
| 04-Apr-2012 |
Eric Paris <eparis@redhat.com> |
SELinux: rename dentry_open to file_open
dentry_open takes a file, rename it to file_open
Signed-off-by: Eric Paris <eparis@redhat.com>
|
#
40401530 |
| 12-Feb-2012 |
Al Viro <viro@ftp.linux.org.uk> |
security: trim security.h
Trim security.h
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: James Morris <jmorris@namei.org>
|
#
191c5424 |
| 12-Feb-2012 |
Al Viro <viro@ftp.linux.org.uk> |
mm: collapse security_vm_enough_memory() variants into a single function
Collapse security_vm_enough_memory() variants into a single function.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signe
mm: collapse security_vm_enough_memory() variants into a single function
Collapse security_vm_enough_memory() variants into a single function.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: James Morris <jmorris@namei.org>
show more ...
|
#
1a2a4d06 |
| 21-Dec-2011 |
Kees Cook <keescook@chromium.org> |
security: create task_free security callback
The current LSM interface to cred_free is not sufficient for allowing an LSM to track the life and death of a task. This patch adds the task_free hook so
security: create task_free security callback
The current LSM interface to cred_free is not sufficient for allowing an LSM to track the life and death of a task. This patch adds the task_free hook so that an LSM can clean up resources on task death.
Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: James Morris <jmorris@namei.org>
show more ...
|
#
cdcf116d |
| 08-Dec-2011 |
Al Viro <viro@zeniv.linux.org.uk> |
switch security_path_chmod() to struct path *
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
#
fd778461 |
| 03-Jan-2012 |
Eric Paris <eparis@redhat.com> |
security: remove the security_netlink_recv hook as it is equivalent to capable()
Once upon a time netlink was not sync and we had to get the effective capabilities from the skb that was being receiv
security: remove the security_netlink_recv hook as it is equivalent to capable()
Once upon a time netlink was not sync and we had to get the effective capabilities from the skb that was being received. Today we instead get the capabilities from the current task. This has rendered the entire purpose of the hook moot as it is now functionally equivalent to the capable() call.
Signed-off-by: Eric Paris <eparis@redhat.com>
show more ...
|
#
2920a840 |
| 03-Jan-2012 |
Eric Paris <eparis@redhat.com> |
capabilities: remove all _real_ interfaces
The name security_real_capable and security_real_capable_noaudit just don't make much sense to me. Convert them to use security_capable and security_capab
capabilities: remove all _real_ interfaces
The name security_real_capable and security_real_capable_noaudit just don't make much sense to me. Convert them to use security_capable and security_capable_noaudit.
Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Serge E. Hallyn <serge.hallyn@canonical.com>
show more ...
|
#
c7eba4a9 |
| 03-Jan-2012 |
Eric Paris <eparis@redhat.com> |
capabilities: introduce security_capable_noaudit
Exactly like security_capable except don't audit any denials. This is for places where the kernel may make decisions about what to do if a task has
capabilities: introduce security_capable_noaudit
Exactly like security_capable except don't audit any denials. This is for places where the kernel may make decisions about what to do if a task has a given capability, but which failing that capability is not a sign of a security policy violation. An example is checking if a task has CAP_SYS_ADMIN to lower it's likelyhood of being killed by the oom killer. This check is not a security violation if it is denied.
Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Serge E. Hallyn <serge.hallyn@canonical.com>
show more ...
|
#
b7e724d3 |
| 03-Jan-2012 |
Eric Paris <eparis@redhat.com> |
capabilities: reverse arguments to security_capable
security_capable takes ns, cred, cap. But the LSM capable() hook takes cred, ns, cap. The capability helper functions also take cred, ns, cap. R
capabilities: reverse arguments to security_capable
security_capable takes ns, cred, cap. But the LSM capable() hook takes cred, ns, cap. The capability helper functions also take cred, ns, cap. Rather than flip argument order just to flip it back, leave them alone. Heck, this should be a little faster since argument will be in the right place!
Signed-off-by: Eric Paris <eparis@redhat.com>
show more ...
|
#
6a9de491 |
| 03-Jan-2012 |
Eric Paris <eparis@redhat.com> |
capabilities: remove the task from capable LSM hook entirely
The capabilities framework is based around credentials, not necessarily the current task. Yet we still passed the current task down into
capabilities: remove the task from capable LSM hook entirely
The capabilities framework is based around credentials, not necessarily the current task. Yet we still passed the current task down into LSMs from the security_capable() LSM hook as if it was a meaningful portion of the security decision. This patch removes the 'generic' passing of current and instead forces individual LSMs to use current explicitly if they think it is appropriate. In our case those LSMs are SELinux and AppArmor.
I believe the AppArmor use of current is incorrect, but that is wholely unrelated to this patch. This patch does not change what AppArmor does, it just makes it clear in the AppArmor code that it is doing it.
The SELinux code still uses current in it's audit message, which may also be wrong and needs further investigation. Again this is NOT a change, it may have always been wrong, this patch just makes it clear what is happening.
Signed-off-by: Eric Paris <eparis@redhat.com>
show more ...
|
#
04fc66e7 |
| 21-Nov-2011 |
Al Viro <viro@zeniv.linux.org.uk> |
switch ->path_mknod() to umode_t
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
#
4572befe |
| 21-Nov-2011 |
Al Viro <viro@zeniv.linux.org.uk> |
switch ->path_mkdir() to umode_t
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
#
910f4ece |
| 26-Jul-2011 |
Al Viro <viro@zeniv.linux.org.uk> |
switch security_path_chmod() to umode_t
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|