aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2012-05-21 23:27:36 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2012-05-21 23:27:36 -0400
commitcb60e3e65c1b96a4d6444a7a13dc7dd48bc15a2b (patch)
tree4322be35db678f6299348a76ad60a2023954af7d
parent99262a3dafa3290866512ddfb32609198f8973e9 (diff)
parentff2bb047c4bce9742e94911eeb44b4d6ff4734ab (diff)
Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull security subsystem updates from James Morris: "New notable features: - The seccomp work from Will Drewry - PR_{GET,SET}_NO_NEW_PRIVS from Andy Lutomirski - Longer security labels for Smack from Casey Schaufler - Additional ptrace restriction modes for Yama by Kees Cook" Fix up trivial context conflicts in arch/x86/Kconfig and include/linux/filter.h * 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (65 commits) apparmor: fix long path failure due to disconnected path apparmor: fix profile lookup for unconfined ima: fix filename hint to reflect script interpreter name KEYS: Don't check for NULL key pointer in key_validate() Smack: allow for significantly longer Smack labels v4 gfp flags for security_inode_alloc()? Smack: recursive tramsmute Yama: replace capable() with ns_capable() TOMOYO: Accept manager programs which do not start with / . KEYS: Add invalidation support KEYS: Do LRU discard in full keyrings KEYS: Permit in-place link replacement in keyring list KEYS: Perform RCU synchronisation on keys prior to key destruction KEYS: Announce key type (un)registration KEYS: Reorganise keys Makefile KEYS: Move the key config into security/keys/Kconfig KEYS: Use the compat keyctl() syscall wrapper on Sparc64 for Sparc32 compat Yama: remove an unused variable samples/seccomp: fix dependencies on arch macros Yama: add additional ptrace scopes ...
-rw-r--r--Documentation/prctl/seccomp_filter.txt163
-rw-r--r--Documentation/security/Smack.txt204
-rw-r--r--Documentation/security/Yama.txt10
-rw-r--r--Documentation/security/keys.txt17
-rw-r--r--MAINTAINERS3
-rw-r--r--arch/Kconfig23
-rw-r--r--arch/microblaze/kernel/ptrace.c2
-rw-r--r--arch/mips/kernel/ptrace.c2
-rw-r--r--arch/powerpc/kernel/ptrace.c2
-rw-r--r--arch/s390/kernel/ptrace.c2
-rw-r--r--arch/sh/kernel/ptrace_32.c2
-rw-r--r--arch/sh/kernel/ptrace_64.c2
-rw-r--r--arch/sparc/Kconfig3
-rw-r--r--arch/sparc/kernel/ptrace_64.c2
-rw-r--r--arch/sparc/kernel/systbls_64.S2
-rw-r--r--arch/x86/Kconfig1
-rw-r--r--arch/x86/ia32/ia32_signal.c4
-rw-r--r--arch/x86/include/asm/ia32.h6
-rw-r--r--arch/x86/include/asm/syscall.h27
-rw-r--r--arch/x86/kernel/ptrace.c7
-rw-r--r--fs/exec.c10
-rw-r--r--fs/open.c2
-rw-r--r--include/asm-generic/siginfo.h22
-rw-r--r--include/asm-generic/syscall.h14
-rw-r--r--include/keys/keyring-type.h2
-rw-r--r--include/linux/Kbuild1
-rw-r--r--include/linux/audit.h8
-rw-r--r--include/linux/filter.h12
-rw-r--r--include/linux/key.h11
-rw-r--r--include/linux/keyctl.h1
-rw-r--r--include/linux/lsm_audit.h6
-rw-r--r--include/linux/prctl.h15
-rw-r--r--include/linux/ptrace.h5
-rw-r--r--include/linux/sched.h4
-rw-r--r--include/linux/seccomp.h107
-rw-r--r--include/linux/security.h14
-rw-r--r--kernel/auditsc.c8
-rw-r--r--kernel/fork.c3
-rw-r--r--kernel/seccomp.c458
-rw-r--r--kernel/signal.c9
-rw-r--r--kernel/sys.c12
-rw-r--r--net/compat.c8
-rw-r--r--net/core/filter.c6
-rw-r--r--net/dns_resolver/dns_key.c5
-rw-r--r--net/xfrm/xfrm_policy.c1
-rw-r--r--samples/Makefile2
-rw-r--r--samples/seccomp/Makefile32
-rw-r--r--samples/seccomp/bpf-direct.c190
-rw-r--r--samples/seccomp/bpf-fancy.c102
-rw-r--r--samples/seccomp/bpf-helper.c89
-rw-r--r--samples/seccomp/bpf-helper.h238
-rw-r--r--samples/seccomp/dropper.c68
-rw-r--r--security/Kconfig68
-rw-r--r--security/apparmor/audit.c11
-rw-r--r--security/apparmor/capability.c4
-rw-r--r--security/apparmor/domain.c35
-rw-r--r--security/apparmor/file.c2
-rw-r--r--security/apparmor/include/audit.h1
-rw-r--r--security/apparmor/ipc.c2
-rw-r--r--security/apparmor/lib.c2
-rw-r--r--security/apparmor/lsm.c6
-rw-r--r--security/apparmor/path.c2
-rw-r--r--security/apparmor/policy.c6
-rw-r--r--security/apparmor/policy_unpack.c2
-rw-r--r--security/apparmor/resource.c2
-rw-r--r--security/capability.c4
-rw-r--r--security/commoncap.c7
-rw-r--r--security/integrity/ima/ima_main.c4
-rw-r--r--security/keys/Kconfig71
-rw-r--r--security/keys/Makefile12
-rw-r--r--security/keys/compat.c3
-rw-r--r--security/keys/gc.c94
-rw-r--r--security/keys/internal.h15
-rw-r--r--security/keys/key.c25
-rw-r--r--security/keys/keyctl.c34
-rw-r--r--security/keys/keyring.c167
-rw-r--r--security/keys/permission.c43
-rw-r--r--security/keys/proc.c3
-rw-r--r--security/keys/process_keys.c2
-rw-r--r--security/lsm_audit.c15
-rw-r--r--security/security.c4
-rw-r--r--security/selinux/avc.c130
-rw-r--r--security/selinux/hooks.c268
-rw-r--r--security/selinux/include/avc.h100
-rw-r--r--security/selinux/include/security.h4
-rw-r--r--security/selinux/netif.c6
-rw-r--r--security/selinux/netnode.c6
-rw-r--r--security/selinux/netport.c6
-rw-r--r--security/selinux/selinuxfs.c11
-rw-r--r--security/selinux/ss/context.h20
-rw-r--r--security/selinux/ss/mls.c24
-rw-r--r--security/selinux/ss/policydb.c44
-rw-r--r--security/selinux/ss/policydb.h14
-rw-r--r--security/selinux/ss/services.c56
-rw-r--r--security/smack/smack.h59
-rw-r--r--security/smack/smack_access.c233
-rw-r--r--security/smack/smack_lsm.c243
-rw-r--r--security/smack/smackfs.c993
-rw-r--r--security/tomoyo/common.c26
-rw-r--r--security/tomoyo/common.h1
-rw-r--r--security/tomoyo/tomoyo.c6
-rw-r--r--security/yama/yama_lsm.c63
102 files changed, 3678 insertions, 1230 deletions
diff --git a/Documentation/prctl/seccomp_filter.txt b/Documentation/prctl/seccomp_filter.txt
new file mode 100644
index 00000000000..597c3c58137
--- /dev/null
+++ b/Documentation/prctl/seccomp_filter.txt
@@ -0,0 +1,163 @@
1 SECure COMPuting with filters
2 =============================
3
4Introduction
5------------
6
7A large number of system calls are exposed to every userland process
8with many of them going unused for the entire lifetime of the process.
9As system calls change and mature, bugs are found and eradicated. A
10certain subset of userland applications benefit by having a reduced set
11of available system calls. The resulting set reduces the total kernel
12surface exposed to the application. System call filtering is meant for
13use with those applications.
14
15Seccomp filtering provides a means for a process to specify a filter for
16incoming system calls. The filter is expressed as a Berkeley Packet
17Filter (BPF) program, as with socket filters, except that the data
18operated on is related to the system call being made: system call
19number and the system call arguments. This allows for expressive
20filtering of system calls using a filter program language with a long
21history of being exposed to userland and a straightforward data set.
22
23Additionally, BPF makes it impossible for users of seccomp to fall prey
24to time-of-check-time-of-use (TOCTOU) attacks that are common in system
25call interposition frameworks. BPF programs may not dereference
26pointers which constrains all filters to solely evaluating the system
27call arguments directly.
28
29What it isn't
30-------------
31
32System call filtering isn't a sandbox. It provides a clearly defined
33mechanism for minimizing the exposed kernel surface. It is meant to be
34a tool for sandbox developers to use. Beyond that, policy for logical
35behavior and information flow should be managed with a combination of
36other system hardening techniques and, potentially, an LSM of your
37choosing. Expressive, dynamic filters provide further options down this
38path (avoiding pathological sizes or selecting which of the multiplexed
39system calls in socketcall() is allowed, for instance) which could be
40construed, incorrectly, as a more complete sandboxing solution.
41
42Usage
43-----