| Commit message (Collapse) | Author | Age |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
BugLink: http://bugs.launchpad.net/bugs/1008697
commit 154c50ca4eb9ae472f50b6a481213e21ead4457d upstream.
We reset the bool names and values array to NULL, but do not reset the
number of entries in these arrays to 0. If we error out and then get back
into this function we will walk these NULL pointers based on the belief
that they are non-zero length.
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Herton Ronaldo Krzesinski <herton.krzesinski@canonical.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
BugLink: http://bugs.launchpad.net/bugs/987283
commit 51b79bee627d526199b2f6a6bef8ee0c0739b6d1 upstream.
Add missing "personality.h"
security/commoncap.c: In function 'cap_bprm_set_creds':
security/commoncap.c:510: error: 'PER_CLEAR_ON_SETID' undeclared (first use in this function)
security/commoncap.c:510: error: (Each undeclared identifier is reported only once
security/commoncap.c:510: error: for each function it appears in.)
Signed-off-by: Jonghwan Choi <jhbird.choi@samsung.com>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Cc: Eric Paris <eparis@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
BugLink: http://bugs.launchpad.net/bugs/987283
commit d52fc5dde171f030170a6cb78034d166b13c9445 upstream.
If a process increases permissions using fcaps all of the dangerous
personality flags which are cleared for suid apps should also be cleared.
Thus programs given priviledge with fcaps will continue to have address space
randomization enabled even if the parent tried to disable it to make it
easier to attack.
Signed-off-by: Eric Paris <eparis@redhat.com>
Reviewed-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
BugLink: http://bugs.launchpad.net/bugs/983326
commit df91e49477a9be15921cb2854e1d12a3bdb5e425 upstream.
Userspace can pass in arbitrary combinations of MS_* flags to mount().
If both MS_BIND and one of MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE are
passed, device name which should be checked for MS_BIND was not checked because
MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE had higher priority than MS_BIND.
If both one of MS_BIND/MS_MOVE and MS_REMOUNT are passed, device name which
should not be checked for MS_REMOUNT was checked because MS_BIND/MS_MOVE had
higher priority than MS_REMOUNT.
Fix these bugs by changing priority to MS_REMOUNT -> MS_BIND ->
MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE -> MS_MOVE as with do_mount() does.
Also, unconditionally return -EINVAL if more than one of
MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE is passed so that TOMOYO will not
generate inaccurate audit logs, for commit 7a2e8a8f "VFS: Sanity check mount
flags passed to change_mnt_propagation()" clarified that these flags must be
exclusively passed.
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
BugLink: http://bugs.launchpad.net/bugs/963685
No functional changes. It is not sane to use UMH_KILLABLE with enum
umh_wait, but obviously we do not want another argument in
call_usermodehelper_* helpers. Kill this enum, use the plain int.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: Tejun Heo <tj@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 9d944ef32e83405a07376f112e9f02161d3e9731)
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Andy Whitcroft <andy.whitcroft@canonical.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
BugLink: http://bugs.launchpad.net/bugs/963685
A few call_usermodehelper() callers use the hardcoded constant instead of
the proper UMH_WAIT_PROC, fix them.
Reported-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Cc: Lars Ellenberg <drbd-dev@lists.linbit.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Michal Januszewski <spock@gentoo.org>
Cc: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
Cc: Kentaro Takeda <takedakn@nttdata.co.jp>
Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: James Morris <jmorris@namei.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(back ported from commit 70834d3070c3f3015ab5c05176d54bd4a0100546)
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Andy Whitcroft <andy.whitcroft@canonical.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
BugLink: http://bugs.launchpad.net/bugs/922799
commit 7b7e5916aa2f46e57f8bd8cb89c34620ebfda5da upstream.
Don't free a valid measurement entry on TPM PCR extend failure.
Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
BugLink: http://bugs.launchpad.net/bugs/922799
commit 45fae7493970d7c45626ccd96d4a74f5f1eea5a9 upstream.
Info about new measurements are cached in the iint for performance. When
the inode is flushed from cache, the associated iint is flushed as well.
Subsequent access to the inode will cause the inode to be re-measured and
will attempt to add a duplicate entry to the measurement list.
This patch frees the duplicate measurement memory, fixing a memory leak.
Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
BugLink: http://bugs.launchpad.net/bugs/913373
commit 50345f1ea9cda4618d9c26e590a97ecd4bc7ac75 upstream.
Fix the following bug in sel_netport_insert() where rcu_dereference() should
be rcu_dereference_protected() as sel_netport_lock is held.
===================================================
[ INFO: suspicious rcu_dereference_check() usage. ]
---------------------------------------------------
security/selinux/netport.c:127 invoked rcu_dereference_check() without protection!
other info that might help us debug this:
rcu_scheduler_active = 1, debug_locks = 0
1 lock held by ossec-rootcheck/3323:
#0: (sel_netport_lock){+.....}, at: [<ffffffff8117d775>] sel_netport_sid+0xbb/0x226
stack backtrace:
Pid: 3323, comm: ossec-rootcheck Not tainted 3.1.0-rc8-fsdevel+ #1095
Call Trace:
[<ffffffff8105cfb7>] lockdep_rcu_dereference+0xa7/0xb0
[<ffffffff8117d871>] sel_netport_sid+0x1b7/0x226
[<ffffffff8117d6ba>] ? sel_netport_avc_callback+0xbc/0xbc
[<ffffffff8117556c>] selinux_socket_bind+0x115/0x230
[<ffffffff810a5388>] ? might_fault+0x4e/0x9e
[<ffffffff810a53d1>] ? might_fault+0x97/0x9e
[<ffffffff81171cf4>] security_socket_bind+0x11/0x13
[<ffffffff812ba967>] sys_bind+0x56/0x95
[<ffffffff81380dac>] ? sysret_check+0x27/0x62
[<ffffffff8105b767>] ? trace_hardirqs_on_caller+0x11e/0x155
[<ffffffff81076fcd>] ? audit_syscall_entry+0x17b/0x1ae
[<ffffffff811b5eae>] ? trace_hardirqs_on_thunk+0x3a/0x3f
[<ffffffff81380d7b>] system_call_fastpath+0x16/0x1b
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: James Morris <jmorris@namei.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Brad Figg <brad.figg@canonical.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
BugLink: http://bugs.launchpad.net/bugs/907778
commit 02125a826459a6ad142f8d91c5b6357562f96615 upstream.
__d_path() API is asking for trouble and in case of apparmor d_namespace_path()
getting just that. The root cause is that when __d_path() misses the root
it had been told to look for, it stores the location of the most remote ancestor
in *root. Without grabbing references. Sure, at the moment of call it had
been pinned down by what we have in *path. And if we raced with umount -l, we
could have very well stopped at vfsmount/dentry that got freed as soon as
prepend_path() dropped vfsmount_lock.
It is safe to compare these pointers with pre-existing (and known to be still
alive) vfsmount and dentry, as long as all we are asking is "is it the same
address?". Dereferencing is not safe and apparmor ended up stepping into
that. d_namespace_path() really wants to examine the place where we stopped,
even if it's not connected to our namespace. As the result, it looked
at ->d_sb->s_magic of a dentry that might've been already freed by that point.
All other callers had been careful enough to avoid that, but it's really
a bad interface - it invites that kind of trouble.
The fix is fairly straightforward, even though it's bigger than I'd like:
* prepend_path() root argument becomes const.
* __d_path() is never called with NULL/NULL root. It was a kludge
to start with. Instead, we have an explicit function - d_absolute_root().
Same as __d_path(), except that it doesn't get root passed and stops where
it stops. apparmor and tomoyo are using it.
* __d_path() returns NULL on path outside of root. The main
caller is show_mountinfo() and that's precisely what we pass root for - to
skip those outside chroot jail. Those who don't want that can (and do)
use d_path().
* __d_path() root argument becomes const. Everyone agrees, I hope.
* apparmor does *NOT* try to use __d_path() or any of its variants
when it sees that path->mnt is an internal vfsmount. In that case it's
definitely not mounted anywhere and dentry_path() is exactly what we want
there. Handling of sysctl()-triggered weirdness is moved to that place.
* if apparmor is asked to do pathname relative to chroot jail
and __d_path() tells it we it's not in that jail, the sucker just calls
d_absolute_path() instead. That's the other remaining caller of __d_path(),
BTW.
* seq_path_root() does _NOT_ return -ENAMETOOLONG (it's stupid anyway -
the normal seq_file logics will take care of growing the buffer and redoing
the call of ->show() just fine). However, if it gets path not reachable
from root, it returns SEQ_SKIP. The only caller adjusted (i.e. stopped
ignoring the return value as it used to do).
Reviewed-by: John Johansen <john.johansen@canonical.com>
ACKed-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Brad Figg <brad.figg@canonical.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
BugLink: http://bugs.launchpad.net/bugs/893741
commit 9f35a33b8d06263a165efe3541d9aa0cdbd70b3b upstream.
Fix a NULL pointer deref in the user-defined key type whereby updating a
negative key into a fully instantiated key will cause an oops to occur
when the code attempts to free the non-existent old payload.
This results in an oops that looks something like the following:
BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
IP: [<ffffffff81085fa1>] __call_rcu+0x11/0x13e
PGD 3391d067 PUD 3894a067 PMD 0
Oops: 0002 [#1] SMP
CPU 1
Pid: 4354, comm: keyctl Not tainted 3.1.0-fsdevel+ #1140 /DG965RY
RIP: 0010:[<ffffffff81085fa1>] [<ffffffff81085fa1>] __call_rcu+0x11/0x13e
RSP: 0018:ffff88003d591df8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000006e
RDX: ffffffff8161d0c0 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff88003d591e18 R08: 0000000000000000 R09: ffffffff8152fa6c
R10: 0000000000000000 R11: 0000000000000300 R12: ffff88003b8f9538
R13: ffffffff8161d0c0 R14: ffff88003b8f9d50 R15: ffff88003c69f908
FS: 00007f97eb18c720(0000) GS:ffff88003bd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000008 CR3: 000000003d47a000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process keyctl (pid: 4354, threadinfo ffff88003d590000, task ffff88003c78a040)
Stack:
ffff88003e0ffde0 ffff88003b8f9538 0000000000000001 ffff88003b8f9d50
ffff88003d591e28 ffffffff810860f0 ffff88003d591e68 ffffffff8117bfea
ffff88003d591e68 ffffffff00000000 ffff88003e0ffde1 ffff88003e0ffde0
Call Trace:
[<ffffffff810860f0>] call_rcu_sched+0x10/0x12
[<ffffffff8117bfea>] user_update+0x8d/0xa2
[<ffffffff8117723a>] key_create_or_update+0x236/0x270
[<ffffffff811789b1>] sys_add_key+0x123/0x17e
[<ffffffff813b84bb>] system_call_fastpath+0x16/0x1b
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Jeff Layton <jlayton@redhat.com>
Acked-by: Neil Horman <nhorman@redhat.com>
Acked-by: Steve Dickson <steved@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This change adds a new seccomp mode which specifies the allowed system
calls dynamically. When in the new mode (13), all system calls are
checked against process-defined filters - first by system call number,
then by a filter string. If an entry exists for a given system call and
all filter predicates evaluate to true, then the task may proceed.
Otherwise, the task is killed.
Filter string parsing and evaluation is handled by the ftrace filter
engine. Related patches tweak to the perf filter trace and free
allowing the calls to be shared. Filters inherit their understanding of
types and arguments for each system call from the CONFIG_FTRACE_SYSCALLS
subsystem which already populates this information in syscall_metadata
associated enter_event (and exit_event) structures. If
CONFIG_FTRACE_SYSCALLS is not compiled in, only filter strings of "1"
will be allowed.
The net result is a process may have its system calls filtered using the
ftrace filter engine's inherent understanding of systems calls. The set
of filters is specified through the PR_SET_SECCOMP_FILTER argument in
prctl(). For example, a filterset for a process, like pdftotext, that
should only process read-only input could (roughly) look like:
sprintf(rdonly, "flags == %u", O_RDONLY|O_LARGEFILE);
type = PR_SECCOMP_FILTER_SYSCALL;
prctl(PR_SET_SECCOMP_FILTER, type, __NR_open, rdonly);
prctl(PR_SET_SECCOMP_FILTER, type, __NR__llseek, "1");
prctl(PR_SET_SECCOMP_FILTER, type, __NR_brk, "1");
prctl(PR_SET_SECCOMP_FILTER, type, __NR_close, "1");
prctl(PR_SET_SECCOMP_FILTER, type, __NR_exit_group, "1");
prctl(PR_SET_SECCOMP_FILTER, type, __NR_fstat64, "1");
prctl(PR_SET_SECCOMP_FILTER, type, __NR_mmap2, "1");
prctl(PR_SET_SECCOMP_FILTER, type, __NR_munmap, "1");
prctl(PR_SET_SECCOMP_FILTER, type, __NR_read, "1");
prctl(PR_SET_SECCOMP_FILTER, type, __NR_write, "fd == 1 || fd == 2");
prctl(PR_SET_SECCOMP, 13);
Subsequent calls to PR_SET_SECCOMP_FILTER for the same system call will
be &&'d together to ensure that attack surface may only be reduced:
prctl(PR_SET_SECCOMP_FILTER, __NR_write, "fd != 2");
With the earlier example, the active filter becomes:
"(fd == 1 || fd == 2) && (fd != 2)"
The patch also adds PR_CLEAR_SECCOMP_FILTER and PR_GET_SECCOMP_FILTER.
The latter returns the current filter for a system call to userspace:
prctl(PR_GET_SECCOMP_FILTER, type, __NR_write, buf, bufsize);
while the former clears any filters for a given system call changing it
back to a defaulty deny:
prctl(PR_CLEAR_SECCOMP_FILTER, type, __NR_write);
Note, type may be either PR_SECCOMP_FILTER_EVENT or
PR_SECCOMP_FILTER_SYSCALL. This allows for ftrace event ids to be used
in lieu of system call numbers. At present, only syscalls:sys_enter_*
event id are supported, but this allows for potential future extension
of the backend.
v11: - Use mode "13" to avoid future overlap; with comment update
- Use kref; extra memset; other clean up from msb@chromium.org
- Cleaned up Makefile object merging since locally shared symbols are gone
v10: - Note that PERF_EVENTS are also needed for ftrace filter engine support.
- Removed dependency on ftrace code changes for event_filters
(wrapping with perf_events and violating opaqueness for the filter str)
- pulled in all the hacks to get access to syscall_metadata and build
call objects for filter evaluation.
v9: - rebase on to de505e709ffb09a7382ca8e0d8c7dbb171ba5
- disallow PR_SECCOMP_FILTER_EVENT when a compat task is calling
as ftrace has no compat_syscalls awareness yet.
- return -ENOSYS when filter engine strings are used on a compat call
as there are no compat_syscalls events to reference yet.
v8: - expand parenthical use during SET_SECCOMP_FILTER to avoid operator
precedence undermining attack surface reduction (caught by
segoon@openwall.com). Opted to waste bytes on () than reparse to
avoid OP_OR precedence overriding extend_filter's intentions.
- remove more lingering references to @state
- fix incorrect compat mismatch check (anyone up for a Tested-By?)
v7: - disallow seccomp_filter inheritance across fork except when seccomp
is active. This avoids filters leaking across processes when they
are not actively in use but ensure an allowed fork/clone doesn't drop
filters.
- remove the Mode: print from show as it reflected current and not the
filters holder.
v6: - clean up minor unnecessary changes (empty lines, ordering, etc)
- fix one overly long line
- add refcount overflow BUG_ON
v5: - drop mutex usage when the task_struct is safe to access directly
v4: - move off of RCU to a read/write guarding mutex after
paulmck@linux.vnet.ibm.com's feedback (mem leak, rcu fail)
- stopped inc/dec refcounts in mutex guard sections
- added required changes to init the mutex in INIT_TASK and safely
lock around fork inheritance.
- added id_type support to the prctl interface to support using
ftrace event ids as an alternative to syscall numbers. Behavior
is identical otherwise (as per discussion with mingo@elte.hu)
v3: - always block execve calls (as per torvalds@linux-foundation.org)
- add __NR_seccomp_execve(_32) to seccomp-supporting arches
- ensure compat tasks can't reach ftrace:syscalls
- dropped new defines for seccomp modes.
- two level array instead of hlists (sugg. by olofj@chromium.org)
- added generic Kconfig entry that is not connected.
- dropped internal seccomp.h
- move prctl helpers to seccomp_filter
- killed seccomp_t typedef (as per checkpatch)
v2: - changed to use the existing syscall number ABI.
- prctl changes to minimize parsing in the kernel:
prctl(PR_SET_SECCOMP, {0 | 1 | 2 }, { 0 | ON_EXEC });
prctl(PR_SET_SECCOMP_FILTER, __NR_read, "fd == 5");
prctl(PR_CLEAR_SECCOMP_FILTER, __NR_read);
prctl(PR_GET_SECCOMP_FILTER, __NR_read, buf, bufsize);
- defined PR_SECCOMP_MODE_STRICT and ..._FILTER
- added flags
- provide a default fail syscall_nr_to_meta in ftrace
- provides fallback for unhooked system calls
- use -ENOSYS and ERR_PTR(-ENOSYS) for stubbed functionality
- added kernel/seccomp.h to share seccomp.c/seccomp_filter.c
- moved to a hlist and 4 bit hash of linked lists
- added support to operate without CONFIG_FTRACE_SYSCALLS
- moved Kconfig support next to SECCOMP
- made Kconfig entries dependent on EXPERIMENTAL
- added macros to avoid ifdefs from kernel/fork.c
- added compat task/filter matching
- drop seccomp.h inclusion in sched.h and drop seccomp_t
- added Filtering to "show" output
- added on_exec state dup'ing when enabling after a fast-path accept.
Signed-off-by: Will Drewry <wad@chromium.org>
BUG=chromium-os:14496
TEST=built in x86-alex. Out of tree commandline helper test confirms functionality works. Will check in a test into the minijail repo which can be used from autotest.
Change-Id: I901595e3399914783739d113a058d83550ddf8e2
Reviewed-on: http://gerrit.chromium.org/gerrit/4814
Reviewed-by: Sonny Rao <sonnyrao@chromium.org>
Tested-by: Will Drewry <wad@chromium.org>
Signed-off-by: Kees Cook <kees.cook@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
use it
When we are checking permissions on hardlinks we use generic_permissions()
to work out if the user actually has read/write permissions and only
then allow the link. However where the underlying filesystem supplies
a permissions() op there is no guarentee that the inode ownership is
actually valid and we must use that op instead.
Add a new function mirroring the core fragment from inode_permission
using the filesystem specific permissions() op falling back to
generic_permissions() when it is not present.
With this in place links in overlayfs behave as expected.
Signed-off-by: Andy Whitcroft <apw@canonical.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
yama_ptracer_del can be called in softirq context, so
ptracer_relations_lock may be held in softirq context.
This patch replaces spin_[un]lock with spin_[un]lock_bh for
&ptracer_relations_lock to fix reported lockdep warning and
avoid possible dealock.
BugLink: http://bugs.launchpad.net/bugs/791019
Signed-off-by: Ming Lei <ming.lei@canonical.com>
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix build error:
ERROR: "__devcgroup_inode_permission" [ubuntu/aufs/aufs.ko] undefined!
Result of upstream commit:
commit 482e0cd3dbaa70f2a2bead4b5f2c0d203ef654ba
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Sun Jun 19 13:01:04 2011 -0400
devcgroup_inode_permission: take "is it a device node" checks to inlined wrapper
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
|
| |
|
|
|
|
|
|
| |
This patch forces the LSM to always chain through the Yama LSM
regardless of which LSM is selected as the primary LSM.
Signed-off-by: Kees Cook <kees.cook@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some application suites have external crash handlers that depend
on being able to use ptrace to generate crash reports (KDE, Wine,
Chromium, Firefox, etc). Since the inferior process has a defined
application-specific relationship with the debugger, allow the inferior
to express that relationship by declaring who can call PTRACE_ATTACH
against it. The inferior can use prctl() with PR_SET_PTRACER to allow a
specific PID and its descendants to perform the ptrace instead of only
a direct ancestor.
Signed-off-by: Kees Cook <kees.cook@canonical.com>
---
v2:
- kmalloc, spinlock init, and doc typo corrections from Tetsuo Handa.
- make sure to replace if possible on add, thanks to Eric Paris.
v3:
- make sure to use thread group leader when searching for exceptions.
v4:
- make sure to use thread group leader when creating exceptions.
v5:
- make sure to use thread group leader when deleting exceptions.
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
|
| |
|
|
|
|
|
|
|
| |
The current LSM interface to cred_free is not sufficient for allowing
an LSM to track the life and death of a task. This patch adds the
task_free hook so that an LSM can clean up resources on task death.
Signed-off-by: Kees Cook <kees.cook@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds the Yama Linux Security Module to collect several security
features (symlink, hardlink, and ptrace restrictions) that have existed
in various forms over the years and have been carried outside the mainline
kernel by other Linux distributions like Openwall and grsecurity.
Signed-off-by: Kees Cook <kees.cook@canonical.com>
---
v2:
- add rcu locking, thanks to Tetsuo Handa.
- add Documentation/Yama.txt for summary of features.
v3:
- drop needless cap_ callbacks.
- fix usage of get_task_comm.
- drop CONFIG_ of sysctl defaults, as recommended by Andi Kleen.
- require SYSCTL.
v4:
- drop accidentally included fs/exec.c chunk.
v5:
- resend, with ptrace relationship interface
v6:
- merge with 2.6.39, thanks to Andy Whitcroft
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
|
| |
|
|
| |
Signed-off-by: Andy Whitcroft <apw@canonical.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The unpacking of network rules, unpacks 1 more rule than it should. It
should drop all rules with network types AF_MAX or greater.
Fix suggested by Tetsuo Handa in
https://lists.ubuntu.com/archives/kernel-team/2010-November/013327.html
Reported-by: Tetsuo Handa <from-ubuntu@I-love.SAKURA.ne.jp>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
|
| |
|
|
|
| |
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
|
| |
|
|
|
|
|
| |
Add compatibility for v5 network rules.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Allow broken Lucid userspace tools to load policy, on Maverick kernel.
The fix for http://launchpad.net/bugs/581525 blocks Lucid tools from
loading policy, this provides compatibility with Lucid tools without
reintroducing the bug.
The apparmor_parser when compiling policy could generate invalid dfas
that did not have sufficient padding to avoid invalid references, when
used by the kernel. The kernels check to verify the next/check table
size was broken meaning invalid dfas were being created by userspace
and not caught.
To remain compatible with old tools that are not fixed, pad the loaded
dfas next/check table. The dfa's themselves are valid except for the
high padding for potentially invalid transitions (high bounds error),
which have a maximimum is 256 entries. So just allocate an extra null filled
256 entries for the next/check tables. This will guarentee all bounds
are good and invalid transitions go to the null (0) state.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
commit 25e75dff519bcce2cb35023105e7df51d7b9e691 upstream.
AppArmor is masking the capabilities returned by capget against the
capabilities mask in the profile. This is wrong, in complain mode the
profile has effectively all capabilities, as the profile restrictions are
not being enforced, merely tested against to determine if an access is
known by the profile.
This can result in the wrong behavior of security conscience applications
like sshd which examine their capability set, and change their behavior
accordingly. In this case because of the masked capability set being
returned sshd fails due to DAC checks, even when the profile is in complain
mode.
Kernels affected: 2.6.36 - 3.0.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
commit 04fdc099f9c80c7775dbac388fc97e156d4d47e7 upstream.
The pointer returned from tracehook_tracer_task() is only valid inside
the rcu_read_lock. However the tracer pointer obtained is being passed
to aa_may_ptrace outside of the rcu_read_lock critical section.
Mover the aa_may_ptrace test into the rcu_read_lock critical section, to
fix this.
Kernels affected: 2.6.36 - 3.0
Reported-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|