#
15a2460e |
| 13-Nov-2008 |
David Howells <dhowells@redhat.com> |
CRED: Constify the kernel_cap_t arguments to the capset LSM hooks
Constify the kernel_cap_t arguments to the capset LSM hooks.
Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Serge Hal
CRED: Constify the kernel_cap_t arguments to the capset LSM hooks
Constify the kernel_cap_t arguments to the capset LSM hooks.
Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Serge Hallyn <serue@us.ibm.com> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: James Morris <jmorris@namei.org>
show more ...
|
#
1cdcbec1 |
| 13-Nov-2008 |
David Howells <dhowells@redhat.com> |
CRED: Neuter sys_capset()
Take away the ability for sys_capset() to affect processes other than current.
This means that current will not need to lock its own credentials when reading them against
CRED: Neuter sys_capset()
Take away the ability for sys_capset() to affect processes other than current.
This means that current will not need to lock its own credentials when reading them against interference by other processes.
This has effectively been the case for a while anyway, since:
(1) Without LSM enabled, sys_capset() is disallowed.
(2) With file-based capabilities, sys_capset() is neutered.
Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Serge Hallyn <serue@us.ibm.com> Acked-by: Andrew G. Morgan <morgan@kernel.org> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: James Morris <jmorris@namei.org>
show more ...
|
#
06112163 |
| 11-Nov-2008 |
Eric Paris <eparis@redhat.com> |
Add a new capable interface that will be used by systems that use audit to make an A or B type decision instead of a security decision. Currently this is the case at least for filesystems when decid
Add a new capable interface that will be used by systems that use audit to make an A or B type decision instead of a security decision. Currently this is the case at least for filesystems when deciding if a process can use the reserved 'root' blocks and for the case of things like the oom algorithm determining if processes are root processes and should be less likely to be killed. These types of security system requests should not be audited or logged since they are not really security decisions. It would be possible to solve this problem like the vm_enough_memory security check did by creating a new LSM interface and moving all of the policy into that interface but proves the needlessly bloat the LSM and provide complex indirection.
This merely allows those decisions to be made where they belong and to not flood logs or printk with denials for thing that are not security decisions.
Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
show more ...
|
#
731572d3 |
| 29-Oct-2008 |
Alan Cox <alan@redhat.com> |
nfsd: fix vm overcommit crash
Junjiro R. Okajima reported a problem where knfsd crashes if you are using it to export shmemfs objects and run strict overcommit. In this situation the current->mm b
nfsd: fix vm overcommit crash
Junjiro R. Okajima reported a problem where knfsd crashes if you are using it to export shmemfs objects and run strict overcommit. In this situation the current->mm based modifier to the overcommit goes through a NULL pointer.
We could simply check for NULL and skip the modifier but we've caught other real bugs in the past from mm being NULL here - cases where we did need a valid mm set up (eg the exec bug about a year ago).
To preserve the checks and get the logic we want shuffle the checking around and add a new helper to the vm_ security wrappers
Also fix a current->mm reference in nommu that should use the passed mm
[akpm@linux-foundation.org: coding-style fixes] [akpm@linux-foundation.org: fix build] Reported-by: Junjiro R. Okajima <hooanon05@yahoo.co.jp> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: Alan Cox <alan@redhat.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
show more ...
|
#
3f23d815 |
| 17-Aug-2008 |
Randy Dunlap <randy.dunlap@oracle.com> |
security: add/fix security kernel-doc
Add security/inode.c functions to the kernel-api docbook. Use '%' on constants in kernel-doc notation. Fix several typos/spellos in security function descriptio
security: add/fix security kernel-doc
Add security/inode.c functions to the kernel-api docbook. Use '%' on constants in kernel-doc notation. Fix several typos/spellos in security function descriptions.
Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: James Morris <jmorris@namei.org>
show more ...
|
#
5cd9c58f |
| 14-Aug-2008 |
David Howells <dhowells@redhat.com> |
security: Fix setting of PF_SUPERPRIV by __capable()
Fix the setting of PF_SUPERPRIV by __capable() as it could corrupt the flags the target process if that is not the current process and it is tryi
security: Fix setting of PF_SUPERPRIV by __capable()
Fix the setting of PF_SUPERPRIV by __capable() as it could corrupt the flags the target process if that is not the current process and it is trying to change its own flags in a different way at the same time.
__capable() is using neither atomic ops nor locking to protect t->flags. This patch removes __capable() and introduces has_capability() that doesn't set PF_SUPERPRIV on the process being queried.
This patch further splits security_ptrace() in two:
(1) security_ptrace_may_access(). This passes judgement on whether one process may access another only (PTRACE_MODE_ATTACH for ptrace() and PTRACE_MODE_READ for /proc), and takes a pointer to the child process. current is the parent.
(2) security_ptrace_traceme(). This passes judgement on PTRACE_TRACEME only, and takes only a pointer to the parent process. current is the child.
In Smack and commoncap, this uses has_capability() to determine whether the parent will be permitted to use PTRACE_ATTACH if normal checks fail. This does not set PF_SUPERPRIV.
Two of the instances of __capable() actually only act on current, and so have been changed to calls to capable().
Of the places that were using __capable():
(1) The OOM killer calls __capable() thrice when weighing the killability of a process. All of these now use has_capability().
(2) cap_ptrace() and smack_ptrace() were using __capable() to check to see whether the parent was allowed to trace any process. As mentioned above, these have been split. For PTRACE_ATTACH and /proc, capable() is now used, and for PTRACE_TRACEME, has_capability() is used.
(3) cap_safe_nice() only ever saw current, so now uses capable().
(4) smack_setprocattr() rejected accesses to tasks other than current just after calling __capable(), so the order of these two tests have been switched and capable() is used instead.
(5) In smack_file_send_sigiotask(), we need to allow privileged processes to receive SIGIO on files they're manipulating.
(6) In smack_task_wait(), we let a process wait for a privileged process, whether or not the process doing the waiting is privileged.
I've tested this with the LTP SELinux and syscalls testscripts.
Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Serge Hallyn <serue@us.ibm.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com> Acked-by: Andrew G. Morgan <morgan@kernel.org> Acked-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: James Morris <jmorris@namei.org>
show more ...
|
#
b1da47e2 |
| 01-Jul-2008 |
Miklos Szeredi <mszeredi@suse.cz> |
[patch 3/4] fat: dont call notify_change
The FAT_IOCTL_SET_ATTRIBUTES ioctl() calls notify_change() to change the file mode before changing the inode attributes. Replace with explicit calls to secu
[patch 3/4] fat: dont call notify_change
The FAT_IOCTL_SET_ATTRIBUTES ioctl() calls notify_change() to change the file mode before changing the inode attributes. Replace with explicit calls to security_inode_setattr(), fat_setattr() and fsnotify_change().
This is equivalent to the original. The reason it is needed, is that later in the series we move the immutable check into notify_change(). That would break the FAT_IOCTL_SET_ATTRIBUTES ioctl, as it needs to perform the mode change regardless of the immutability of the file.
[Fix error if fat is built as a module. Thanks to OGAWA Hirofumi for noticing.]
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz> Acked-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
show more ...
|
#
b77b0646 |
| 17-Jul-2008 |
Al Viro <viro@zeniv.linux.org.uk> |
[PATCH] pass MAY_OPEN to vfs_permission() explicitly
... and get rid of the last "let's deduce mask from nameidata->flags" bit.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
#
6f0f0fd4 |
| 10-Jul-2008 |
James Morris <jmorris@namei.org> |
security: remove register_security hook
The register security hook is no longer required, as the capability module is always registered. LSMs wishing to stack capability as a secondary module shoul
security: remove register_security hook
The register security hook is no longer required, as the capability module is always registered. LSMs wishing to stack capability as a secondary module should do so explicitly.
Signed-off-by: James Morris <jmorris@namei.org> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: Greg Kroah-Hartman <gregkh@suse.de>
show more ...
|
#
5915eb53 |
| 03-Jul-2008 |
Miklos Szeredi <mszeredi@suse.cz> |
security: remove dummy module
Remove the dummy module and make the "capability" module the default.
Compile and boot tested.
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz> Acked-by: Serge Hallyn
security: remove dummy module
Remove the dummy module and make the "capability" module the default.
Compile and boot tested.
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz> Acked-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
show more ...
|
#
b478a9f9 |
| 03-Jul-2008 |
Miklos Szeredi <mszeredi@suse.cz> |
security: remove unused sb_get_mnt_opts hook
The sb_get_mnt_opts() hook is unused, and is superseded by the sb_show_options() hook.
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz> Acked-by: James
security: remove unused sb_get_mnt_opts hook
The sb_get_mnt_opts() hook is unused, and is superseded by the sb_show_options() hook.
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz> Acked-by: James Morris <jmorris@namei.org>
show more ...
|
#
2069f457 |
| 03-Jul-2008 |
Eric Paris <eparis@redhat.com> |
LSM/SELinux: show LSM mount options in /proc/mounts
This patch causes SELinux mount options to show up in /proc/mounts. As with other code in the area seq_put errors are ignored. Other LSM's will
LSM/SELinux: show LSM mount options in /proc/mounts
This patch causes SELinux mount options to show up in /proc/mounts. As with other code in the area seq_put errors are ignored. Other LSM's will not have their mount options displayed until they fill in their own security_sb_show_options() function.
Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: Miklos Szeredi <mszeredi@suse.cz> Signed-off-by: James Morris <jmorris@namei.org>
show more ...
|
#
65fc7668 |
| 11-Jun-2008 |
James Morris <jmorris@namei.org> |
security: fix return of void-valued expressions
Fix several warnings generated by sparse of the form "returning void-valued expression".
Signed-off-by: James Morris <jmorris@namei.org> Acked-by: Ca
security: fix return of void-valued expressions
Fix several warnings generated by sparse of the form "returning void-valued expression".
Signed-off-by: James Morris <jmorris@namei.org> Acked-by: Casey Schaufler <casey@schaufler-ca.com> Acked-by: Serge Hallyn <serue@us.ibm.com>
show more ...
|
#
006ebb40 |
| 19-May-2008 |
Stephen Smalley <sds@tycho.nsa.gov> |
Security: split proc ptrace checking into read vs. attach
Enable security modules to distinguish reading of process state via proc from full ptrace access by renaming ptrace_may_attach to ptrace_may
Security: split proc ptrace checking into read vs. attach
Enable security modules to distinguish reading of process state via proc from full ptrace access by renaming ptrace_may_attach to ptrace_may_access and adding a mode argument indicating whether only read access or full attach access is requested. This allows security modules to permit access to reading process state without granting full ptrace access. The base DAC/capability checking remains unchanged.
Read access to /proc/pid/mem continues to apply a full ptrace attach check since check_mem_permission() already requires the current task to already be ptracing the target. The other ptrace checks within proc for elements like environ, maps, and fds are changed to pass the read mode instead of attach.
In the SELinux case, we model such reading of process state as a reading of a proc file labeled with the target process' label. This enables SELinux policy to permit such reading of process state without permitting control or manipulation of the target process, as there are a number of cases where programs probe for such information via proc but do not need to be able to control the target (e.g. procps, lsof, PolicyKit, ConsoleKit). At present we have to choose between allowing full ptrace in policy (more permissive than required/desired) or breaking functionality (or in some cases just silencing the denials via dontaudit rules but this can hide genuine attacks).
This version of the patch incorporates comments from Casey Schaufler (change/replace existing ptrace_may_attach interface, pass access mode), and Chris Wright (provide greater consistency in the checking).
Note that like their predecessors __ptrace_may_attach and ptrace_may_attach, the __ptrace_may_access and ptrace_may_access interfaces use different return value conventions from each other (0 or -errno vs. 1 or 0). I retained this difference to avoid any changes to the caller logic but made the difference clearer by changing the latter interface to return a bool rather than an int and by adding a comment about it to ptrace.h for any future callers.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: Chris Wright <chrisw@sous-sol.org> Signed-off-by: James Morris <jmorris@namei.org>
show more ...
|
#
7bf570dc |
| 29-Apr-2008 |
David Howells <dhowells@redhat.com> |
Security: Make secctx_to_secid() take const secdata
Make secctx_to_secid() take constant secdata.
Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-fo
Security: Make secctx_to_secid() take const secdata
Make secctx_to_secid() take constant secdata.
Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
show more ...
|
#
70a5bb72 |
| 29-Apr-2008 |
David Howells <dhowells@redhat.com> |
keys: add keyctl function to get a security label
Add a keyctl() function to get the security label of a key.
The following is added to Documentation/keys.txt:
(*) Get the LSM security context at
keys: add keyctl function to get a security label
Add a keyctl() function to get the security label of a key.
The following is added to Documentation/keys.txt:
(*) Get the LSM security context attached to a key.
long keyctl(KEYCTL_GET_SECURITY, key_serial_t key, char *buffer, size_t buflen)
This function returns a string that represents the LSM security context attached to a key in the buffer provided.
Unless there's an error, it always returns the amount of data it could produce, even if that's too big for the buffer, but it won't copy more than requested to userspace. If the buffer pointer is NULL then no copy will take place.
A NUL character is included at the end of the string if the buffer is sufficiently big. This is included in the returned count. If no LSM is in force then an empty string will be returned.
A process must have view permission on the key for this function to be successful.
[akpm@linux-foundation.org: declare keyctl_get_security()] Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Cc: Paul Moore <paul.moore@hp.com> Cc: Chris Wright <chrisw@sous-sol.org> Cc: James Morris <jmorris@namei.org> Cc: Kevin Coffman <kwc@citi.umich.edu> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
show more ...
|
#
8f0cfa52 |
| 29-Apr-2008 |
David Howells <dhowells@redhat.com> |
xattr: add missing consts to function arguments
Add missing consts to xattr function arguments.
Signed-off-by: David Howells <dhowells@redhat.com> Cc: Andreas Gruenbacher <agruen@suse.de> Signed-of
xattr: add missing consts to function arguments
Add missing consts to xattr function arguments.
Signed-off-by: David Howells <dhowells@redhat.com> Cc: Andreas Gruenbacher <agruen@suse.de> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
show more ...
|
#
3898b1b4 |
| 28-Apr-2008 |
Andrew G. Morgan <morgan@kernel.org> |
capabilities: implement per-process securebits
Filesystem capability support makes it possible to do away with (set)uid-0 based privilege and use capabilities instead. That is, with filesystem supp
capabilities: implement per-process securebits
Filesystem capability support makes it possible to do away with (set)uid-0 based privilege and use capabilities instead. That is, with filesystem support for capabilities but without this present patch, it is (conceptually) possible to manage a system with capabilities alone and never need to obtain privilege via (set)uid-0.
Of course, conceptually isn't quite the same as currently possible since few user applications, certainly not enough to run a viable system, are currently prepared to leverage capabilities to exercise privilege. Further, many applications exist that may never get upgraded in this way, and the kernel will continue to want to support their setuid-0 base privilege needs.
Where pure-capability applications evolve and replace setuid-0 binaries, it is desirable that there be a mechanisms by which they can contain their privilege. In addition to leveraging the per-process bounding and inheritable sets, this should include suppressing the privilege of the uid-0 superuser from the process' tree of children.
The feature added by this patch can be leveraged to suppress the privilege associated with (set)uid-0. This suppression requires CAP_SETPCAP to initiate, and only immediately affects the 'current' process (it is inherited through fork()/exec()). This reimplementation differs significantly from the historical support for securebits which was system-wide, unwieldy and which has ultimately withered to a dead relic in the source of the modern kernel.
With this patch applied a process, that is capable(CAP_SETPCAP), can now drop all legacy privilege (through uid=0) for itself and all subsequently fork()'d/exec()'d children with:
prctl(PR_SET_SECUREBITS, 0x2f);
This patch represents a no-op unless CONFIG_SECURITY_FILE_CAPABILITIES is enabled at configure time.
[akpm@linux-foundation.org: fix uninitialised var warning] [serue@us.ibm.com: capabilities: use cap_task_prctl when !CONFIG_SECURITY] Signed-off-by: Andrew G. Morgan <morgan@kernel.org> Acked-by: Serge Hallyn <serue@us.ibm.com> Reviewed-by: James Morris <jmorris@namei.org> Cc: Stephen Smalley <sds@tycho.nsa.gov> Cc: Paul Moore <paul.moore@hp.com> Signed-off-by: Serge E. Hallyn <serue@us.ibm.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
show more ...
|
#
b5266eb4 |
| 22-Mar-2008 |
Al Viro <viro@zeniv.linux.org.uk> |
[PATCH] switch a bunch of LSM hooks from nameidata to path
Namely, ones from namespace.c
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
#
7cea51be |
| 06-Mar-2008 |
James Morris <jmorris@namei.org> |
security: fix up documentation for security_module_enable
security_module_enable() can only be called during kernel init.
Signed-off-by: James Morris <jmorris@namei.org>
|
#
076c54c5 |
| 06-Mar-2008 |
Ahmed S. Darwish <darwish.07@gmail.com> |
Security: Introduce security= boot parameter
Add the security= boot parameter. This is done to avoid LSM registration clashes in case of more than one bult-in module.
User can choose a security mod
Security: Introduce security= boot parameter
Add the security= boot parameter. This is done to avoid LSM registration clashes in case of more than one bult-in module.
User can choose a security module to enable at boot. If no security= boot parameter is specified, only the first LSM asking for registration will be loaded. An invalid security module name will be treated as if no module has been chosen.
LSM modules must check now if they are allowed to register by calling security_module_enable(ops) first. Modify SELinux and SMACK to do so.
Do not let SMACK register smackfs if it was not chosen on boot. Smackfs assumes that smack hooks are registered and the initial task security setup (swapper->security) is done.
Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com> Acked-by: James Morris <jmorris@namei.org>
show more ...
|
#
03d37d25 |
| 01-Mar-2008 |
Ahmed S. Darwish <darwish.07@gmail.com> |
LSM/Audit: Introduce generic Audit LSM hooks
Introduce a generic Audit interface for security modules by adding the following new LSM hooks:
audit_rule_init(field, op, rulestr, lsmrule) audit_rule_
LSM/Audit: Introduce generic Audit LSM hooks
Introduce a generic Audit interface for security modules by adding the following new LSM hooks:
audit_rule_init(field, op, rulestr, lsmrule) audit_rule_known(krule) audit_rule_match(secid, field, op, rule, actx) audit_rule_free(rule)
Those hooks are only available if CONFIG_AUDIT is enabled.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com> Acked-by: James Morris <jmorris@namei.org> Reviewed-by: Paul Moore <paul.moore@hp.com>
show more ...
|
#
8a076191 |
| 01-Mar-2008 |
Ahmed S. Darwish <darwish.07@gmail.com> |
LSM: Introduce inode_getsecid and ipc_getsecid hooks
Introduce inode_getsecid(inode, secid) and ipc_getsecid(ipcp, secid) LSM hooks. These hooks will be used instead of similar exported SELinux inte
LSM: Introduce inode_getsecid and ipc_getsecid hooks
Introduce inode_getsecid(inode, secid) and ipc_getsecid(ipcp, secid) LSM hooks. These hooks will be used instead of similar exported SELinux interfaces.
Let {inode,ipc,task}_getsecid hooks set the secid to 0 by default if CONFIG_SECURITY is not defined or if the hook is set to NULL (dummy). This is done to notify the caller that no valid secid exists.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com> Acked-by: James Morris <jmorris@namei.org> Reviewed-by: Paul Moore <paul.moore@hp.com>
show more ...
|
#
dd6f953a |
| 05-Mar-2008 |
Harvey Harrison <harvey.harrison@gmail.com> |
security: replace remaining __FUNCTION__ occurrences
__FUNCTION__ is gcc-specific, use __func__
Signed-off-by: Harvey Harrison <harvey.harrison@gmail.com> Cc: James Morris <jmorris@namei.org> Cc: S
security: replace remaining __FUNCTION__ occurrences
__FUNCTION__ is gcc-specific, use __func__
Signed-off-by: Harvey Harrison <harvey.harrison@gmail.com> Cc: James Morris <jmorris@namei.org> Cc: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: James Morris <jmorris@namei.org>
show more ...
|
#
03e1ad7b |
| 12-Apr-2008 |
Paul Moore <paul.moore@hp.com> |
LSM: Make the Labeled IPsec hooks more stack friendly
The xfrm_get_policy() and xfrm_add_pol_expire() put some rather large structs on the stack to work around the LSM API. This patch attempts to f
LSM: Make the Labeled IPsec hooks more stack friendly
The xfrm_get_policy() and xfrm_add_pol_expire() put some rather large structs on the stack to work around the LSM API. This patch attempts to fix that problem by changing the LSM API to require only the relevant "security" pointers instead of the entire SPD entry; we do this for all of the security_xfrm_policy*() functions to keep things consistent.
Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net>
show more ...
|