Revision tags: v6.6.26, v6.6.25, v6.6.24

477ed678 | 28-Mar-2024 | Christian Göttsche <cgzones@googlemail.com>
selinux: avoid dereference of garbage after mount failure
commit 37801a36b4d68892ce807264f784d818f8d0d39b upstream.
In case kern_mount() fails and returns an error pointer return in the error branch instead of continuing and dereferencing the error pointer.
While on it drop the never read static variable selinuxfs_mount.
Cc: stable@vger.kernel.org
Fixes: 0619f0f5e36f ("selinux: wrap selinuxfs state")
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Revision tags: v6.6.23, v6.6.16, v6.6.15, v6.6.14, v6.6.13, v6.6.12, v6.6.11, v6.6.10, v6.6.9, v6.6.8, v6.6.7, v6.6.6, v6.6.5, v6.6.4, v6.6.3, v6.6.2, v6.5.11, v6.6.1, v6.5.10, v6.6, v6.5.9, v6.5.8, v6.5.7, v6.5.6, v6.5.5, v6.5.4, v6.5.3, v6.5.2, v6.1.51, v6.5.1, v6.1.50, v6.5, v6.1.49, v6.1.48, v6.1.46, v6.1.45, v6.1.44

97842c56 | 07-Aug-2023 | Christian Göttsche <cgzones@googlemail.com>
selinux: avoid implicit conversions in selinuxfs code
Use umode_t as parameter type for sel_make_inode(), which assigns the value to the member i_mode of struct inode.
Use identical and unsigned types for loop iterators.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Revision tags: v6.1.43

c50e125d | 28-Jul-2023 | Christian Göttsche <cgzones@googlemail.com>
selinux: avoid implicit conversions in services code
Use u32 as the output parameter type in security_get_classes() and security_get_permissions(), based on the type of the symtab nprim member.
Declare the read-only class string parameter of security_get_permissions() const.
Avoid several implicit conversions by using the identical type for the destination.
Use the type identical to the source for local variables.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
[PM: cleanup extra whitespace in subject]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Revision tags: v6.1.42, v6.1.41, v6.1.40, v6.1.39

4c1698d3 | 05-Jul-2023 | Jeff Layton <jlayton@kernel.org>
selinux: convert to ctime accessor functions
In later patches, we're going to change how the inode's ctime field is used. Switch to using accessor functions instead of raw accesses of inode->i_ctime.
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Reviewed-by: Jan Kara <jack@suse.cz>
Message-Id: <20230705190309.579783-89-jlayton@kernel.org>
Signed-off-by: Christian Brauner <brauner@kernel.org>
c867248c | 06-Jul-2023 | Christian Göttsche <cgzones@googlemail.com>
selinux: avoid implicit conversions regarding enforcing status
Use the type bool as parameter type in selinux_status_update_setenforce(). The related function enforcing_enabled() returns the type bool, while the struct selinux_kernel_status member enforcing uses an u32.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
[PM: subject line tweaks]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Revision tags: v6.1.38, v6.1.37, v6.1.36, v6.4, v6.1.35, v6.1.34, v6.1.33, v6.1.32, v6.1.31, v6.1.30, v6.1.29, v6.1.28, v6.1.27, v6.1.26, v6.3

4158cb60 | 20-Apr-2023 | Christian Göttsche <cgzones@googlemail.com>
selinux: declare read-only data arrays const
The array of mount tokens is only used in match_opt_prefix() and never modified.
The array of symtab names is never modified and only used in the DEBUG_HASHES configuration as output.
The array of files for the SELinux filesystem sub-directory `ss` is similar to the other `struct tree_descr` usages only read from to construct the containing entries.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
3d9047a0 | 20-Apr-2023 | Christian Göttsche <cgzones@googlemail.com>
selinux: adjust typos in comments
Found by codespell(1)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Revision tags: v6.1.25, v6.1.24, v6.1.23, v6.1.22, v6.1.21

f22f9aaf | 17-Mar-2023 | Paul Moore <paul@paul-moore.com>
selinux: remove the runtime disable functionality
After working with the larger SELinux-based distros for several years, we're finally at a place where we can disable the SELinux runtime disable functionality. The existing kernel deprecation notice explains the functionality and why we want to remove it:
The selinuxfs "disable" node allows SELinux to be disabled at runtime prior to a policy being loaded into the kernel. If disabled via this mechanism, SELinux will remain disabled until the system is rebooted.
The preferred method of disabling SELinux is via the "selinux=0" boot parameter, but the selinuxfs "disable" node was created to make it easier for systems with primitive bootloaders that did not allow for easy modification of the kernel command line. Unfortunately, allowing for SELinux to be disabled at runtime makes it difficult to secure the kernel's LSM hooks using the "__ro_after_init" feature.
It is that last sentence, mentioning the '__ro_after_init' hardening, which is the real motivation for this change, and if you look at the diffstat you'll see that the impact of this patch reaches across all the different LSMs, helping prevent tampering at the LSM hook level.
From a SELinux perspective, it is important to note that if you continue to disable SELinux via "/etc/selinux/config" it may appear that SELinux is disabled, but it is simply in an uninitialized state. If you load a policy with `load_policy -i`, you will see SELinux come alive just as if you had loaded the policy during early-boot.
It is also worth noting that the "/sys/fs/selinux/disable" file is always writable now, regardless of the Kconfig settings, but writing to the file has no effect on the system, other than to display an error on the console if a non-zero/true value is written.
Finally, in the several years where we have been working on deprecating this functionality, there has only been one instance of someone mentioning any user visible breakage. In this particular case it was an individual's kernel test system, and the workaround documented in the deprecation notice ("selinux=0" on the kernel command line) resolved the issue without problem.
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Revision tags: v6.1.20

a7e4676e | 16-Mar-2023 | Paul Moore <paul@paul-moore.com>
selinux: remove the 'checkreqprot' functionality
We originally promised that the SELinux 'checkreqprot' functionality would be removed no sooner than June 2021, and now that it is March 2023 it seems like it is a good time to do the final removal. The deprecation notice in the kernel provides plenty of detail on why 'checkreqprot' is not desirable, with the key point repeated below:
This was a compatibility mechanism for legacy userspace and for the READ_IMPLIES_EXEC personality flag. However, if set to 1, it weakens security by allowing mappings to be made executable without authorization by policy. The default value of checkreqprot at boot was changed starting in Linux v4.4 to 0 (i.e. check the actual protection), and Android and Linux distributions have been explicitly writing a "0" to /sys/fs/selinux/checkreqprot during initialization for some time.
Along with the official deprecation notice, we have been discussing this on-list and directly with several of the larger SELinux-based distros and everyone is happy to see this feature finally removed. In an attempt to catch all of the smaller, and DIY, Linux systems we have been writing a deprecation notice URL into the kernel log, along with a growing ssleep() penalty, when admins enabled checkreqprot at runtime or via the kernel command line. We have yet to have anyone come to us and raise an objection to the deprecation or planned removal.
It is worth noting that while this patch removes the checkreqprot functionality, it leaves the user visible interfaces (kernel command line and selinuxfs file) intact, just inert. This should help prevent breakages with existing userspace tools that correctly, but unnecessarily, disable checkreqprot at boot or runtime. Admins that attempt to enable checkreqprot will be met with a removal message in the kernel log.
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Revision tags: v6.1.19, v6.1.18, v6.1.17, v6.1.16

e67b7985 | 09-Mar-2023 | Stephen Smalley <stephen.smalley.work@gmail.com>
selinux: stop passing selinux_state pointers and their offspring
Linus observed that the pervasive passing of selinux_state pointers introduced by me in commit aa8e712cee93 ("selinux: wrap global selinux state") adds overhead and complexity without providing any benefit. The original idea was to pave the way for SELinux namespaces but those have not yet been implemented and there isn't currently a concrete plan to do so. Remove the passing of the selinux_state pointers, reverting to direct use of the single global selinux_state, and likewise remove passing of child pointers like the selinux_avc. The selinux_policy pointer remains as it is needed for atomic switching of policies.
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Reported-by: kernel test robot <lkp@intel.com>
Link: https://lore.kernel.org/oe-kbuild-all/202303101057.mZ3Gv5fK-lkp@intel.com/
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Revision tags: v6.1.15, v6.1.14, v6.1.13, v6.2, v6.1.12, v6.1.11, v6.1.10, v6.1.9

1c71222e | 26-Jan-2023 | Suren Baghdasaryan <surenb@google.com>
mm: replace vma->vm_flags direct modifications with modifier calls
Replace direct modifications to vma->vm_flags with calls to modifier functions to be able to track flag changes and to keep vma locking correctness.
[akpm@linux-foundation.org: fix drivers/misc/open-dice.c, per Hyeonggon Yoo]
Link: https://lkml.kernel.org/r/20230126193752.297968-5-surenb@google.com
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Acked-by: Mel Gorman <mgorman@techsingularity.net>
Acked-by: Mike Rapoport (IBM) <rppt@kernel.org>
Acked-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Reviewed-by: Liam R. Howlett <Liam.Howlett@Oracle.com>
Reviewed-by: Hyeonggon Yoo <42.hyeyoo@gmail.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Arjun Roy <arjunroy@google.com>
Cc: Axel Rasmussen <axelrasmussen@google.com>
Cc: David Hildenbrand <david@redhat.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: David Rientjes <rientjes@google.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Greg Thelen <gthelen@google.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jann Horn <jannh@google.com>
Cc: Joel Fernandes <joelaf@google.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Kent Overstreet <kent.overstreet@linux.dev>
Cc: Laurent Dufour <ldufour@linux.ibm.com>
Cc: Lorenzo Stoakes <lstoakes@gmail.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Minchan Kim <minchan@google.com>
Cc: Paul E. McKenney <paulmck@kernel.org>
Cc: Peter Oskolkov <posk@google.com>
Cc: Peter Xu <peterx@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Punit Agrawal <punit.agrawal@bytedance.com>
Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Cc: Shakeel Butt <shakeelb@google.com>
Cc: Soheil Hassas Yeganeh <soheil@google.com>
Cc: Song Liu <songliubraving@fb.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Will Deacon <will@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Revision tags: v6.1.8, v6.1.7, v6.1.6, v6.1.5, v6.0.19, v6.0.18, v6.1.4, v6.1.3, v6.0.17, v6.1.2, v6.0.16, v6.1.1, v6.0.15, v6.0.14, v6.0.13, v6.1, v6.0.12, v6.0.11, v6.0.10, v5.15.80, v6.0.9, v5.15.79, v6.0.8, v5.15.78, v6.0.7, v5.15.77, v5.15.76, v6.0.6, v6.0.5, v5.15.75, v6.0.4, v6.0.3, v6.0.2, v5.15.74, v5.15.73, v6.0.1, v5.15.72, v6.0, v5.15.71, v5.15.70

e0d82593 | 22-Sep-2022 | Paul Moore <paul@paul-moore.com>
selinux: increase the deprecation sleep for checkreqprot and runtime disable
Further the checkreqprot and runtime disable deprecation efforts by increasing the sleep time from 5 to 15 seconds to help make this more noticeable for any users who are still using these knobs.
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Revision tags: v5.15.69, v5.15.68, v5.15.67, v5.15.66, v5.15.65, v5.15.64

c3fae2b2 | 30-Aug-2022 | Christian Göttsche <cgzones@googlemail.com>
selinux: use int arrays for boolean values
Do not cast pointers of signed integers to pointers of unsigned integers and vice versa.
It should currently not be an issue since they hold SELinux boolean values which should only contain either 0's or 1's, which should have the same representation.
Reported by sparse:
```
.../selinuxfs.c:1485:30: warning: incorrect type in assignment (different signedness)
.../selinuxfs.c:1485:30:    expected unsigned int *
.../selinuxfs.c:1485:30:    got int *[addressable] values
.../selinuxfs.c:1402:48: warning: incorrect type in argument 3 (different signedness)
.../selinuxfs.c:1402:48:    expected int *values
.../selinuxfs.c:1402:48:    got unsigned int *bool_pending_values
```
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
[PM: minor whitespace fixes, sparse output cleanup]
Signed-off-by: Paul Moore <paul@paul-moore.com>
5698f081 | 30-Aug-2022 | ye xingchen <ye.xingchen@zte.com.cn>
selinux: remove an unneeded variable in sel_make_class_dir_entries()
Return the value sel_make_perm_files() directly instead of storing it in another redundant variable.
Reported-by: Zeal Robot <zealci@zte.com.cn>
Signed-off-by: ye xingchen <ye.xingchen@zte.com.cn>
[PM: subject line tweak]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Revision tags: v5.15.63, v5.15.62, v5.15.61, v5.15.60, v5.15.59, v5.19, v5.15.58, v5.15.57, v5.15.56, v5.15.55, v5.15.54, v5.15.53, v5.15.52, v5.15.51, v5.15.50, v5.15.49, v5.15.48, v5.15.47, v5.15.46, v5.15.45, v5.15.44, v5.15.43, v5.15.42, v5.18, v5.15.41, v5.15.40, v5.15.39, v5.15.38, v5.15.37, v5.15.36, v5.15.35

6a9e261c | 14-Apr-2022 | Paul Moore <paul@paul-moore.com>
selinux: don't sleep when CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE is true
Unfortunately commit 81200b0265b1 ("selinux: checkreqprot is deprecated, add some ssleep() discomfort") added a five second sleep during early kernel boot, e.g. start_kernel(), which could cause a "scheduling while atomic" panic. This patch fixes this problem by moving the sleep out of checkreqprot_set() and into sel_write_checkreqprot() so that we only sleep when the checkreqprot setting is set during runtime, after the kernel has booted. The error message remains the same in both cases.
Fixes: 81200b0265b1 ("selinux: checkreqprot is deprecated, add some ssleep() discomfort")
Reported-by: J. Bruce Fields <bfields@fieldses.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Revision tags: v5.15.34, v5.15.33, v5.15.32, v5.15.31, v5.17, v5.15.30, v5.15.29, v5.15.28

81200b02 | 08-Mar-2022 | Paul Moore <paul@paul-moore.com>
selinux: checkreqprot is deprecated, add some ssleep() discomfort
The checkreqprot functionality was disabled by default back in Linux v4.4 (2015) with commit 2a35d196c160e3 ("selinux: change CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE default") and it was officially marked as deprecated in Linux v5.7. It was always a bit of a hack to workaround very old userspace and to the best of our knowledge, the checkreqprot functionality has been disabled by Linux distributions for quite some time.
This patch moves the deprecation messages from KERN_WARNING to KERN_ERR and adds a five second sleep to anyone using it to help draw their attention to the deprecation and provide a URL which helps explain things in more detail.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Revision tags: v5.15.27, v5.15.26

43b66662 | 01-Mar-2022 | Paul Moore <paul@paul-moore.com>
selinux: runtime disable is deprecated, add some ssleep() discomfort
We deprecated the SELinux runtime disable functionality in Linux v5.6, and it is time to get a bit more serious about removing it. Add a five second sleep to anyone using it to help draw their attention to the deprecation and provide a URL which helps explain things in more detail, including how to add kernel command line parameters to some of the more popular Linux distributions.
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
cdbec3ed | 01-Mar-2022 | Paul Moore <paul@paul-moore.com>
selinux: shorten the policy capability enum names
The SELinux policy capability enum names are rather long and follow the "POLICYDB_CAPABILITY_XXX format". While the "POLICYDB_" prefix is helpful in tying the enums to other SELinux policy constants, macros, etc. there is no reason why we need to spell out "CAPABILITY" completely. Shorten "CAPABILITY" to "CAP" in order to make things a bit shorter and cleaner.
Moving forward, the SELinux policy capability enum names should follow the "POLICYDB_CAP_XXX" format.
Signed-off-by: Paul Moore <paul@paul-moore.com>
Revision tags: v5.15.25, v5.15.24, v5.15.23, v5.15.22, v5.15.21, v5.15.20, v5.15.19, v5.15.18, v5.15.17

bcb62828 | 25-Jan-2022 | Christian Göttsche <cgzones@googlemail.com>
selinux: check return value of sel_make_avc_files
sel_make_avc_files() might fail and return a negative errno value on memory allocation failures. Re-add the check of the return value, dropped in 66f8e2f03c02 ("selinux: sidtab reverse lookup hash table").
Reported by clang-analyzer:
```
security/selinux/selinuxfs.c:2129:2: warning: Value stored to 'ret' is never read [deadcode.DeadStores]
        ret = sel_make_avc_files(dentry);
        ^     ~~~~~~~~~~~~~~~~~~~~~~~~~~
```
Fixes: 66f8e2f03c02 ("selinux: sidtab reverse lookup hash table")
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
[PM: description line wrapping, added proper commit ref]
Signed-off-by: Paul Moore <paul@paul-moore.com>
01d50841 | 25-Jan-2022 | Christian Göttsche <cgzones@googlemail.com>
selinux: check return value of sel_make_avc_files
[ Upstream commit bcb62828e3e8c813b6613db6eb7fd9657db248fc ]
sel_make_avc_files() might fail and return a negative errno value on memory allocation failures. Re-add the check of the return value, dropped in 66f8e2f03c02 ("selinux: sidtab reverse lookup hash table").
Reported by clang-analyzer:
```
security/selinux/selinuxfs.c:2129:2: warning: Value stored to 'ret' is never read [deadcode.DeadStores]
        ret = sel_make_avc_files(dentry);
        ^     ~~~~~~~~~~~~~~~~~~~~~~~~~~
```
Fixes: 66f8e2f03c02 ("selinux: sidtab reverse lookup hash table")
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
[PM: description line wrapping, added proper commit ref]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Revision tags: v5.4.173, v5.15.16, v5.15.15, v5.16, v5.15.10, v5.15.9, v5.15.8, v5.15.7, v5.15.6, v5.15.5, v5.15.4, v5.15.3, v5.15.2, v5.15.1, v5.15, v5.14.14, v5.14.13, v5.14.12, v5.14.11, v5.14.10, v5.14.9, v5.14.8, v5.14.7, v5.14.6, v5.10.67, v5.10.66, v5.14.5, v5.14.4, v5.10.65, v5.14.3, v5.10.64, v5.14.2, v5.10.63, v5.14.1, v5.10.62, v5.14, v5.10.61, v5.10.60, v5.10.53, v5.10.52, v5.10.51, v5.10.50, v5.10.49, v5.13, v5.10.46, v5.10.43, v5.10.42, v5.10.41, v5.10.40, v5.10.39, v5.4.119, v5.10.36, v5.10.35, v5.10.34, v5.4.116, v5.10.33, v5.12, v5.10.32, v5.10.31, v5.10.30, v5.10.27, v5.10.26, v5.10.25

ee5de60a | 18-Mar-2021 | Ondrej Mosnacek <omosnace@redhat.com>
selinuxfs: unify policy load error reporting
Let's drop the pr_err()s from sel_make_policy_nodes() and just add one pr_warn_ratelimited() call to the sel_make_policy_nodes() error path in sel_write_load().
Changing from error to warning makes sense, since after 02a52c5c8c3b ("selinux: move policy commit after updating selinuxfs"), this error path no longer leads to a broken selinuxfs tree (it's just kept in the original state and policy load is aborted).
I also added _ratelimited to be consistent with the other print in the same function (it's probably not necessary, but can't really hurt... there are likely more important error messages to be printed when filesystem entry creation starts erroring out).
Suggested-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
6406887a | 18-Mar-2021 | Ondrej Mosnacek <omosnace@redhat.com>
selinux: fix variable scope issue in live sidtab conversion
Commit 02a52c5c8c3b ("selinux: move policy commit after updating selinuxfs") moved the selinux_policy_commit() call out of security_load_policy() into sel_write_load(), which caused a subtle yet rather serious bug.
The problem is that security_load_policy() passes a reference to the convert_params local variable to sidtab_convert(), which stores it in the sidtab, where it may be accessed until the policy is swapped over and RCU synchronized. Before 02a52c5c8c3b, selinux_policy_commit() was called directly from security_load_policy(), so the convert_params pointer remained valid all the way until the old sidtab was destroyed, but now that's no longer the case and calls to sidtab_context_to_sid() on the old sidtab after security_load_policy() returns may cause invalid memory accesses.
This can be easily triggered using the stress test from commit ee1a84fdfeed ("selinux: overhaul sidtab to fix bug and improve performance"):
```
function rand_cat() {
	echo $(( $RANDOM % 1024 ))
}

function do_work() {
	while true; do
		echo -n "system_u:system_r:kernel_t:s0:c$(rand_cat),c$(rand_cat)" \
			>/sys/fs/selinux/context 2>/dev/null || true
	done
}

do_work >/dev/null &
do_work >/dev/null &
do_work >/dev/null &

while load_policy; do echo -n .; sleep 0.1; done

kill %1
kill %2
kill %3
```
Fix this by allocating the temporary sidtab convert structures dynamically and passing them among the selinux_policy_{load,cancel,commit} functions.
Fixes: 02a52c5c8c3b ("selinux: move policy commit after updating selinuxfs")
Cc: stable@vger.kernel.org
Tested-by: Tyler Hicks <tyhicks@linux.microsoft.com>
Reviewed-by: Tyler Hicks <tyhicks@linux.microsoft.com>
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
[PM: merge fuzz in security.h and services.c]
Signed-off-by: Paul Moore <paul@paul-moore.com>
519dad3b | 18-Mar-2021 | Ondrej Mosnacek <omosnace@redhat.com>
selinux: don't log MAC_POLICY_LOAD record on failed policy load
If sel_make_policy_nodes() fails, we should jump to 'out', not 'out1', as the latter would incorrectly log an MAC_POLICY_LOAD audit record, even though the policy hasn't actually been reloaded. The 'out1' jump label now becomes unused and can be removed.
Fixes: 02a52c5c8c3b ("selinux: move policy commit after updating selinuxfs")
Cc: stable@vger.kernel.org
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Revision tags: v5.10.24, v5.10.23, v5.10.22, v5.10.21, v5.10.20, v5.10.19, v5.4.101, v5.10.18, v5.10.17, v5.11, v5.10.16

2554a48f | 12-Feb-2021 | Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
selinux: measure state and policy capabilities
SELinux stores the configuration state and the policy capabilities in kernel memory. Changes to this data at runtime would have an impact on the security guarantees provided by SELinux. Measuring this data through IMA subsystem provides a tamper-resistant way for an attestation service to remotely validate it at runtime.
Measure the configuration state and policy capabilities by calling the IMA hook ima_measure_critical_data().
To enable SELinux data measurement, the following steps are required:
1. Add "ima_policy=critical_data" to the kernel command line arguments to enable measuring SELinux data at boot time. For example:
   BOOT_IMAGE=/boot/vmlinuz-5.11.0-rc3+ root=UUID=fd643309-a5d2-4ed3-b10d-3c579a5fab2f ro nomodeset security=selinux ima_policy=critical_data
2. Add the following rule to /etc/ima/ima-policy:
   measure func=CRITICAL_DATA label=selinux
Sample measurement of SELinux state and policy capabilities:
10 2122...65d8 ima-buf sha256:13c2...1292 selinux-state 696e...303b
Execute the following command to extract the measured data from the IMA's runtime measurements list:
grep "selinux-state" /sys/kernel/security/integrity/ima/ascii_runtime_measurements | tail -1 | cut -d' ' -f 6 | xxd -r -p
The output should be a list of key-value pairs. For example, initialized=1;enforcing=0;checkreqprot=1;network_peer_controls=1;open_perms=1;extended_socket_class=1;always_check_network=0;cgroup_seclabel=1;nnp_nosuid_transition=1;genfs_seclabel_symlinks=0;
To verify the measurement is consistent with the current SELinux state reported on the system, compare the integer values in the following files with those set in the IMA measurement (using the following commands):
- cat /sys/fs/selinux/enforce
- cat /sys/fs/selinux/checkreqprot
- cat /sys/fs/selinux/policy_capabilities/[capability_file]
Note that the actual verification would be against an expected state and done on a separate system (likely an attestation server) requiring "initialized=1;enforcing=1;checkreqprot=0;" for a secure state and then whatever policy capabilities are actually set in the expected policy (which can be extracted from the policy itself via seinfo, for example).
Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
Suggested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Suggested-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
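The extraction and comparison described in the commit message above, as an added example that is not part of the kernel or of the commit: it decodes the `selinux-state` ima-buf entry into key=value pairs, checks the core fields against the "secure state" the message names, and compares the measured values with what selinuxfs reports locally. The measurement line is constructed here with placeholder hashes; the selinuxfs reader is injectable so the check can run against captured values offline.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample of the key=value buffer carried by the selinux-state
# measurement, in the format shown in the commit message.
SAMPLE_STATE = (
    "initialized=1;enforcing=0;checkreqprot=1;network_peer_controls=1;"
    "open_perms=1;extended_socket_class=1;always_check_network=0;"
    "cgroup_seclabel=1;nnp_nosuid_transition=1;genfs_seclabel_symlinks=0;"
)

# Constructed ascii_runtime_measurements line: PCR, template hash, template
# name, data hash, event name, hex-encoded buffer. The hashes are zero
# placeholders, not real digests.
SAMPLE_LINE = (
    "10 " + "00" * 20 + " ima-buf sha256:" + "00" * 32
    + " selinux-state " + SAMPLE_STATE.encode().hex()
)

# The commit message's "secure state" for the core fields; the policy
# capabilities are compared against whatever the expected policy sets.
EXPECTED_CORE = {"initialized": 1, "enforcing": 1, "checkreqprot": 0}

SELINUXFS = "/sys/fs/selinux"


def parse_measurement_line(line: str) -> Tuple[str, bytes]:
    """Return (event_name, raw_buffer) from one ima-buf measurement line."""
    fields = line.split()
    if len(fields) != 6 or fields[2] != "ima-buf":
        raise ValueError("not an ima-buf measurement line")
    return fields[4], bytes.fromhex(fields[5])


def parse_selinux_state(buf: bytes) -> Dict[str, int]:
    """Parse the 'key=value;' list into a dict of ints."""
    state: Dict[str, int] = {}
    for item in buf.decode("ascii").split(";"):
        if not item:
            continue  # trailing ';' leaves an empty element
        key, _, value = item.partition("=")
        state[key] = int(value)
    return state


def find_latest_selinux_state(lines: List[str]) -> Dict[str, int]:
    """Same selection as the grep | tail -1 | cut -f6 | xxd -r -p pipeline:
    decode the last selinux-state entry in the measurement list."""
    latest: Optional[bytes] = None
    for line in lines:
        if " selinux-state " not in line:
            continue
        name, buf = parse_measurement_line(line)
        if name == "selinux-state":
            latest = buf
    if latest is None:
        raise LookupError("no selinux-state measurement found")
    return parse_selinux_state(latest)


def check_state(measured: Dict[str, int], expected_core: Dict[str, int],
                expected_caps: Dict[str, int]) -> List[Tuple[str, object, int]]:
    """Return (key, measured, expected) for every field that differs;
    a key missing from the measurement is reported with measured=None."""
    mismatches = []
    for key, want in list(expected_core.items()) + list(expected_caps.items()):
        got = measured.get(key)
        if got != want:
            mismatches.append((key, got, want))
    return mismatches


def selinuxfs_path(key: str) -> str:
    """Map a measured key to the selinuxfs file that reports it."""
    if key == "enforcing":
        return f"{SELINUXFS}/enforce"
    if key == "checkreqprot":
        return f"{SELINUXFS}/checkreqprot"
    return f"{SELINUXFS}/policy_capabilities/{key}"


def compare_with_selinuxfs(measured: Dict[str, int],
                           read_file: Optional[Callable[[str], str]] = None
                           ) -> List[Tuple[str, int, int]]:
    """Compare measured values with the local selinuxfs files.
    read_file(path) -> str defaults to reading the real files."""
    if read_file is None:
        read_file = lambda p: open(p).read()
    mismatches = []
    for key, val in measured.items():
        if key == "initialized":
            continue  # has no selinuxfs counterpart
        local = int(read_file(selinuxfs_path(key)).strip())
        if local != val:
            mismatches.append((key, val, local))
    return mismatches
```

On a real system pass `open("/sys/kernel/security/integrity/ima/ascii_runtime_measurements").readlines()` to `find_latest_selinux_state` and leave `read_file` unset; the constructed sample deliberately fails the core check on `enforcing` and `checkreqprot`.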
Revision tags: v5.10.15, v5.10.14

cd2bb4cb | 06-Jan-2021 | Ondrej Mosnacek <omosnace@redhat.com>
selinux: mark some global variables __ro_after_init
All of these are never modified outside initcalls, so they can be __ro_after_init.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>