Revision tags: v2.6.35-rc6, v2.6.35-rc5

57a62c23 | 07-Jul-2010 | Arnd Bergmann <arnd@arndb.de>
selinux: use generic_file_llseek

The default for llseek will change to no_llseek, so selinuxfs needs to add explicit .llseek assignments. Since we're dealing with regular files from a VFS perspective, use generic_file_llseek.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Eric Paris <eparis@parisplace.org>
Signed-off-by: James Morris <jmorris@namei.org>

Revision tags: v2.6.35-rc4, v2.6.35-rc3, v2.6.35-rc2, v2.6.35-rc1, v2.6.34, v2.6.34-rc7, v2.6.34-rc6, v2.6.34-rc5, v2.6.34-rc4 |
|
#
c1a7368a |
| 09-Apr-2010 |
wzt.wzt@gmail.com <wzt.wzt@gmail.com> |
Security: Fix coding style in security/
Fix coding style in security/
Signed-off-by: Zhitong Wang <zhitong.wangzt@alibaba-inc.com> Signed-off-by: James Morris <jmorris@namei.org>
|
Revision tags: v2.6.34-rc3, v2.6.34-rc2, v2.6.34-rc1, v2.6.33, v2.6.33-rc8

8007f102 | 08-Feb-2010 | Xiaotian Feng <dfeng@redhat.com>
selinux: fix memory leak in sel_make_bools

In sel_make_bools, the kernel allocates memory for bool_pending_names[i] with security_get_bools. So if we just free bool_pending_names, the memory for each bool_pending_names[i] will be leaked.

This patch resolves dozens of the following kmemleak report after resuming from suspend:

unreferenced object 0xffff88022e4c7380 (size 32):
  comm "init", pid 1, jiffies 4294677173
  backtrace:
    [<ffffffff810f76b5>] create_object+0x1a2/0x2a9
    [<ffffffff810f78bb>] kmemleak_alloc+0x26/0x4b
    [<ffffffff810ef3eb>] __kmalloc+0x18f/0x1b8
    [<ffffffff811cd511>] security_get_bools+0xd7/0x16f
    [<ffffffff811c48c0>] sel_write_load+0x12e/0x62b
    [<ffffffff810f9a39>] vfs_write+0xae/0x10b
    [<ffffffff810f9b56>] sys_write+0x4a/0x6e
    [<ffffffff81011b82>] system_call_fastpath+0x16/0x1b
    [<ffffffffffffffff>] 0xffffffffffffffff

Signed-off-by: Xiaotian Feng <dfeng@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>

Revision tags: v2.6.33-rc7

0719aaf5 | 03-Feb-2010 | Guido Trentalancia <guido@trentalancia.com>
selinux: allow MLS->non-MLS and vice versa upon policy reload

Allow runtime switching between different policy types (e.g. from an MLS/MCS policy to a non-MLS/non-MCS policy or vice versa).

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>

Revision tags: v2.6.33-rc6, v2.6.33-rc5

19439d05 | 14-Jan-2010 | Stephen Smalley <sds@tycho.nsa.gov>
selinux: change the handling of unknown classes

If allow_unknown==deny, SELinux treats an undefined kernel security class as an error condition rather than as a typical permission denial and thus does not allow permissions on undefined classes even when in permissive mode. Change the SELinux logic so that this case is handled as a typical permission denial, subject to the usual permissive mode and permissive domain handling.

Also drop the 'requested' argument from security_compute_av() and helpers as it is a legacy of the original security server interface and is unused.

Changes:
- Handle permissive domains consistently by moving up the test for a permissive domain.
- Make security_compute_av_user() consistent with security_compute_av(); the only difference now is that security_compute_av() performs mapping between the kernel-private class and permission indices and the policy values. In the userspace case, this mapping is handled by libselinux.
- Moved avd_init inside the policy lock.

Based in part on a patch by Paul Moore <paul.moore@hp.com>.

Reported-by: Andrew Worsley <amworsley@gmail.com>
Signed-off-by: Stephen D. Smalley <sds@tycho.nsa.gov>
Reviewed-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>

Revision tags: v2.6.33-rc4, v2.6.33-rc3, v2.6.33-rc2, v2.6.33-rc1, v2.6.32, v2.6.32-rc8, v2.6.32-rc7, v2.6.32-rc6, v2.6.32-rc5, v2.6.32-rc4, v2.6.32-rc3

c6d3aaa4 | 30-Sep-2009 | Stephen Smalley <sds@tycho.nsa.gov>
selinux: dynamic class/perm discovery

Modify SELinux to dynamically discover class and permission values upon policy load, based on the dynamic object class/perm discovery logic from libselinux. A mapping is created between kernel-private class and permission indices used outside the security server and the policy values used within the security server.

The mappings are only applied upon kernel-internal computations; similar mappings for the private indices of userspace object managers are handled on a per-object manager basis by the userspace AVC. The interfaces for compute_av and transition_sid are split for kernel vs. userspace; the userspace functions are distinguished by a _user suffix.

The kernel-private class indices are no longer tied to the policy values and thus do not need to skip indices for userspace classes; thus the kernel class index values are compressed. The flask.h definitions were regenerated by deleting the userspace classes from refpolicy's definitions and then regenerating the headers. Going forward, we can just maintain the flask.h, av_permissions.h, and classmap.h definitions separately from policy as they are no longer tied to the policy values. The next patch introduces a utility to automate generation of flask.h and av_permissions.h from the classmap.h definitions.

The older kernel class and permission string tables are removed and replaced by a single security class mapping table that is walked at policy load to generate the mapping. The old kernel class validation logic is completely replaced by the mapping logic.

The handle unknown logic is reworked. reject_unknown=1 is handled when the mappings are computed at policy load time, similar to the old handling by the class validation logic. allow_unknown=1 is handled when computing and mapping decisions - if the permission was not able to be mapped (i.e. undefined, mapped to zero), then it is automatically added to the allowed vector. If the class was not able to be mapped (i.e. undefined, mapped to zero), then all permissions are allowed for it if allow_unknown=1.

avc_audit leverages the new security class mapping table to look up the class and permission names from the kernel-private indices.

The mdp program is updated to use the new table when generating the class definitions and allow rules for a minimal boot policy for the kernel. It should be noted that this policy will not include any userspace classes, nor will its policy index values for the kernel classes correspond with the ones in refpolicy (they will instead match the kernel-private indices).

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>

Revision tags: v2.6.32-rc1, v2.6.32-rc2, v2.6.31, v2.6.31-rc9, v2.6.31-rc8, v2.6.31-rc7, v2.6.31-rc6, v2.6.31-rc5, v2.6.31-rc4, v2.6.31-rc3, v2.6.31-rc2, v2.6.31-rc1, v2.6.30, v2.6.30-rc8, v2.6.30-rc7

c5642f4b | 19-May-2009 | Stephen Smalley <sds@tycho.nsa.gov>
selinux: remove obsolete read buffer limit from sel_read_bool

On Tue, 2009-05-19 at 00:05 -0400, Eamon Walsh wrote:
> Recent versions of coreutils have bumped the read buffer size from 4K to
> 32K in several of the utilities.
>
> This means that "cat /selinux/booleans/xserver_object_manager" no longer
> works, it returns "Invalid argument" on F11. getsebool works fine.
>
> sel_read_bool has a check for "count > PAGE_SIZE" that doesn't seem to
> be present in the other read functions. Maybe it could be removed?

Yes, that check is obsoleted by the conversion of those functions to using simple_read_from_buffer(), which will reduce count if necessary to what is available in the buffer.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>

Revision tags: v2.6.30-rc6, v2.6.30-rc5, v2.6.30-rc4, v2.6.30-rc3, v2.6.30-rc2, v2.6.30-rc1

8a6f83af | 31-Mar-2009 | KaiGai Kohei <kaigai@ak.jp.nec.com>
Permissive domain in userspace object manager

This patch enables applications to handle permissive domains correctly.

Since the v2.6.26 kernel, SELinux has supported the idea of a permissive domain, which allows certain processes to work as if in permissive mode, even if the global setting is enforcing mode. However, we don't have an application program interface to inform which domains are permissive ones and which domains are not. It means applications focused on SELinux (XACE/SELinux, SE-PostgreSQL and so on) cannot handle permissive domains correctly.

This patch adds a sixth field (flags) to the reply of the /selinux/access interface, which is used to make an access control decision from userspace. If the first bit of the flags field is set, it means the required access control decision is on a permissive domain, so the application should allow any required actions, as the kernel does.

This patch also has a side benefit. The av_decision.flags is set at context_struct_compute_av(). It enables checking the required permissions without read_lock(&policy_rwlock).

Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Eric Paris <eparis@redhat.com>
--
 security/selinux/avc.c              |  2 +-
 security/selinux/include/security.h |  4 +++-
 security/selinux/selinuxfs.c        |  4 ++--
 security/selinux/ss/services.c      | 30 +++++-------------------------
 4 files changed, 11 insertions(+), 29 deletions(-)

Signed-off-by: James Morris <jmorris@namei.org>

58bfbb51 | 27-Mar-2009 | Paul Moore <paul.moore@hp.com>
selinux: Remove the "compat_net" compatibility code

The SELinux "compat_net" is marked as deprecated; the time has come to finally remove it from the kernel. Further code simplifications are likely in the future, but this patch was intended to be a simple, straight-up removal of the compat_net code.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>

Revision tags: v2.6.29, v2.6.29-rc8, v2.6.29-rc7, v2.6.29-rc6, v2.6.29-rc5

f1c6381a | 12-Feb-2009 | Eric Paris <eparis@redhat.com>
SELinux: remove unused av.decided field

It appears there was an intention to have the security server only decide certain permissions and leave others for later as some sort of a potential performance win. We are currently always deciding all 32 bits of permissions and this is a useless couple of branches and wasted space. This patch completely drops the av.decided concept.

This is a 17% reduction in the time spent in avc_has_perm_noaudit based on oprofile sampling of a tbench benchmark.

Signed-off-by: Eric Paris <eparis@redhat.com>
Reviewed-by: Paul Moore <paul.moore@hp.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>

Revision tags: v2.6.29-rc4, v2.6.29-rc3, v2.6.29-rc2, v2.6.29-rc1, v2.6.28, v2.6.28-rc9, v2.6.28-rc8

56ff5efa | 09-Dec-2008 | Al Viro <viro@zeniv.linux.org.uk>
zero i_uid/i_gid on inode allocation

... and don't bother in callers. Don't bother with zeroing i_blocks, while we are at it - it's already been zeroed.

i_mode is not worth the effort; it has no common default value.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

4f4b6c1a | 31-Dec-2008 | Rusty Russell <rusty@rustcorp.com.au>
cpumask: prepare for iterators to only go to nr_cpu_ids/nr_cpumask_bits.: core

Impact: cleanup

In future, all cpumask ops will only be valid (in general) for bit numbers < nr_cpu_ids. So use that instead of NR_CPUS in iterators and other comparisons.

This is always safe: no cpu number can be >= nr_cpu_ids, and nr_cpu_ids is initialized to NR_CPUS at boot.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Signed-off-by: Mike Travis <travis@sgi.com>
Acked-by: Ingo Molnar <mingo@elte.hu>
Acked-by: James Morris <jmorris@namei.org>
Cc: Eric Biederman <ebiederm@xmission.com>

277d342f | 31-Dec-2008 | Paul Moore <paul.moore@hp.com>
selinux: Deprecate and schedule the removal of the compat_net functionality

This patch is the first step towards removing the old "compat_net" code from the kernel. Secmark, the "compat_net" replacement, was first introduced in 2.6.18 (September 2006) and the major Linux distributions with SELinux support have transitioned to Secmark, so it is time to start deprecating the "compat_net" mechanism. Testing a patched version of 2.6.28-rc6 with the initial release of Fedora Core 5 did not show any problems when running in enforcing mode.

This patch adds an entry to the feature-removal-schedule.txt file and removes the SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT configuration option, forcing Secmark on by default although it can still be disabled at runtime. The patch also makes the Secmark permission checks "dynamic" in the sense that they are only executed when Secmark is configured; this should help prevent problems with older distributions that have not yet migrated to Secmark.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by: James Morris <jmorris@namei.org>

Revision tags: v2.6.28-rc7, v2.6.28-rc6, v2.6.28-rc5

c69e8d9c | 13-Nov-2008 | David Howells <dhowells@redhat.com>
CRED: Use RCU to access another task's creds and to release a task's own creds

Use RCU to access another task's creds and to release a task's own creds. This means that it will be possible for the credentials of a task to be replaced without another task (a) requiring a full lock to read them, and (b) seeing deallocated memory.

Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>

b6dff3ec | 13-Nov-2008 | David Howells <dhowells@redhat.com>
CRED: Separate task security context from task_struct

Separate the task security context from task_struct. At this point, the security data is temporarily embedded in the task_struct with two pointers pointing to it.

Note that the Alpha arch is altered as it refers to (E)UID and (E)GID in entry.S via asm-offsets.

With comment fixes Signed-off-by: Marc Dionne <marc.c.dionne@gmail.com>

Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>

Revision tags: v2.6.28-rc4, v2.6.28-rc3, v2.6.28-rc2, v2.6.28-rc1, v2.6.27, v2.6.27-rc9, v2.6.27-rc8, v2.6.27-rc7, v2.6.27-rc6, v2.6.27-rc5, v2.6.27-rc4, v2.6.27-rc3, v2.6.27-rc2, v2.6.27-rc1, v2.6.26, v2.6.26-rc9, v2.6.26-rc8, v2.6.26-rc7, v2.6.26-rc6

6cbe2706 | 09-Jun-2008 | Eric Paris <eparis@redhat.com>
SELinux: more user friendly unknown handling printk

I've gotten complaints and reports about people not understanding the meaning of the current unknown class/perm handling message the kernel emits on every policy load. Hopefully this will make it clear to everyone what the message means and won't waste a printk the user won't care about anyway on systems where the kernel and the policy agree on everything.

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>

Revision tags: v2.6.26-rc5, v2.6.26-rc4, v2.6.26-rc3

f5269710 | 14-May-2008 | Eric Paris <eparis@redhat.com>
SELinux: keep the code clean formatting and syntax

Formatting and syntax changes

whitespace, tabs to spaces, trailing space
put open { on same line as struct def
remove unneeded {} after if statements
change printk("Lu") to printk("llu")
convert asm/uaccess.h to linux/uaccess.h includes
remove unnecessary asm/bug.h includes
convert all users of simple_strtol to strict_strtol

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>

Revision tags: v2.6.26-rc2, v2.6.26-rc1

1872981b | 17-Apr-2008 | Eric Paris <eparis@redhat.com>
SELinux: cleanup on isle selinuxfs.c

Why would anyone just clean up white space all day? Because they were out too late last night and don't want to think for a day. So here is a nice clean selinuxfs.c patch.

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>

744ba35e | 17-Apr-2008 | Eric Paris <eparis@redhat.com>
SELinux: clean up printks

Make sure all printk start with KERN_*
Make sure all printk end with \n
Make sure all printk have the word 'selinux' in them
Change "function name" to "%s", __func__ (found 2 wrong)

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>

Revision tags: v2.6.25, v2.6.25-rc9, v2.6.25-rc8, v2.6.25-rc7, v2.6.25-rc6, v2.6.25-rc5, v2.6.25-rc4

d7b1acd3 | 26-Feb-2008 | Matthew Wilcox <matthew@wil.cx>
security: Remove unnecessary inclusions of asm/semaphore.h

None of these files use any of the functionality promised by asm/semaphore.h.

Signed-off-by: Matthew Wilcox <willy@linux.intel.com>

dd6f953a | 05-Mar-2008 | Harvey Harrison <harvey.harrison@gmail.com>
security: replace remaining __FUNCTION__ occurrences

__FUNCTION__ is gcc-specific, use __func__

Signed-off-by: Harvey Harrison <harvey.harrison@gmail.com>
Cc: James Morris <jmorris@namei.org>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: James Morris <jmorris@namei.org>

b0c636b9 | 28-Feb-2008 | Eric Paris <eparis@redhat.com>
SELinux: create new open permission

Adds a new open permission inside SELinux when 'opening' a file. The idea is that opening a file and reading/writing to that file are not the same thing. It's different if a program had its stdout redirected to /tmp/output than if the program tried to directly open /tmp/output. This should allow policy writers to more liberally give read/write permissions across the policy while still blocking many design and programming flaws SELinux is so good at catching today.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Reviewed-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>

Revision tags: v2.6.25-rc3, v2.6.25-rc2, v2.6.25-rc1, v2.6.24, v2.6.24-rc8

4746ec5b | 08-Jan-2008 | Eric Paris <eparis@redhat.com>
[AUDIT] add session id to audit messages

In order to correlate audit records to an individual login, add a session id. This is incremented every time a user logs in and is included in almost all messages which currently output the auid. The field is labeled ses= or oses=

Signed-off-by: Eric Paris <eparis@redhat.com>

0c11b942 | 10-Jan-2008 | Al Viro <viro@zeniv.linux.org.uk>
[PATCH] switch audit_get_loginuid() to task_struct *

all callers pass something->audit_context

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

3bb56b25 | 29-Jan-2008 | Paul Moore <paul.moore@hp.com>
SELinux: Add a capabilities bitmap to SELinux policy version 22

Add a new policy capabilities bitmap to SELinux policy version 22. This bitmap will enable the security server to query the policy to determine which features it supports.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>