aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2012-12-16 18:40:50 -0500
committerLinus Torvalds <torvalds@linux-foundation.org>2012-12-16 18:40:50 -0500
commit2a74dbb9a86e8102dcd07d284135b4530a84826e (patch)
treea54403e312b6062dfb57bd904ba8b8ce3b11e720
parent770b6cb4d21fb3e3df2a7a51e186a3c14db1ec30 (diff)
parente93072374112db9dc86635934ee761249be28370 (diff)
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull security subsystem updates from James Morris: "A quiet cycle for the security subsystem with just a few maintenance updates." * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: Smack: create a sysfs mount point for smackfs Smack: use select not depends in Kconfig Yama: remove locking from delete path Yama: add RCU to drop read locking drivers/char/tpm: remove tasklet and cleanup KEYS: Use keyring_alloc() to create special keyrings KEYS: Reduce initial permissions on keys KEYS: Make the session and process keyrings per-thread seccomp: Make syscall skipping and nr changes more consistent key: Fix resource leak keys: Fix unreachable code KEYS: Add payload preparsing opportunity prior to key instantiate or update
-rw-r--r--Documentation/prctl/seccomp_filter.txt74
-rw-r--r--Documentation/security/keys.txt17
-rw-r--r--arch/x86/kernel/vsyscall_64.c110
-rw-r--r--drivers/char/tpm/tpm_ibmvtpm.c81
-rw-r--r--drivers/char/tpm/tpm_ibmvtpm.h5
-rw-r--r--fs/cifs/cifsacl.c12
-rw-r--r--fs/nfs/idmap.c12
-rw-r--r--include/linux/cred.h17
-rw-r--r--include/linux/key.h1
-rw-r--r--kernel/cred.c127
-rw-r--r--kernel/seccomp.c13
-rw-r--r--net/dns_resolver/dns_key.c15
-rw-r--r--security/keys/key.c6
-rw-r--r--security/keys/keyctl.c15
-rw-r--r--security/keys/keyring.c10
-rw-r--r--security/keys/process_keys.c92
-rw-r--r--security/keys/request_key.c21
-rw-r--r--security/smack/Kconfig6
-rw-r--r--security/smack/smackfs.c17
-rw-r--r--security/yama/yama_lsm.c88
20 files changed, 369 insertions, 370 deletions
diff --git a/Documentation/prctl/seccomp_filter.txt b/Documentation/prctl/seccomp_filter.txt
index 597c3c581375..1e469ef75778 100644
--- a/Documentation/prctl/seccomp_filter.txt
+++ b/Documentation/prctl/seccomp_filter.txt
@@ -95,12 +95,15 @@ SECCOMP_RET_KILL:
95 95
96SECCOMP_RET_TRAP: 96SECCOMP_RET_TRAP:
97 Results in the kernel sending a SIGSYS signal to the triggering 97 Results in the kernel sending a SIGSYS signal to the triggering
98 task without executing the system call. The kernel will 98 task without executing the system call. siginfo->si_call_addr
99 rollback the register state to just before the system call 99 will show the address of the system call instruction, and
100 entry such that a signal handler in the task will be able to 100 siginfo->si_syscall and siginfo->si_arch will indicate which
101 inspect the ucontext_t->uc_mcontext registers and emulate 101 syscall was attempted. The program counter will be as though
102 system call success or failure upon return from the signal 102 the syscall happened (i.e. it will not point to the syscall
103 handler. 103 instruction). The return value register will contain an arch-
104 dependent value -- if resuming execution, set it to something
105 sensible. (The architecture dependency is because replacing
106 it with -ENOSYS could overwrite some useful information.)
104 107
105 The SECCOMP_RET_DATA portion of the return value will be passed 108 The SECCOMP_RET_DATA portion of the return value will be passed
106 as si_errno. 109 as si_errno.
@@ -123,6 +126,18 @@ SECCOMP_RET_TRACE:
123 the BPF program return value will be available to the tracer 126 the BPF program return value will be available to the tracer
124 via PTRACE_GETEVENTMSG. 127 via PTRACE_GETEVENTMSG.
125 128
129 The tracer can skip the system call by changing the syscall number
130 to -1. Alternatively, the tracer can change the system call
131 requested by changing the system call to a valid syscall number. If
132 the tracer asks to skip the system call, then the system call will
133 appear to return the value that the tracer puts in the return value
134 register.
135
136 The seccomp check will not be run again after the tracer is
137 notified. (This means that seccomp-based sandboxes MUST NOT
138 allow use of ptrace, even of other sandboxed processes, without
139 extreme care; ptracers can use this mechanism to escape.)
140
126SECCOMP_RET_ALLOW: 141SECCOMP_RET_ALLOW:
127 Results in the system call being executed. 142 Results in the system call being executed.
128 143
@@ -161,3 +176,50 @@ architecture supports both ptrace_event and seccomp, it will be able to
161support seccomp filter with minor fixup: SIGSYS support and seccomp return 176support seccomp filter with minor fixup: SIGSYS support and seccomp return
162value checking. Then it must just add CONFIG_HAVE_ARCH_SECCOMP_FILTER 177value checking. Then it must just add CONFIG_HAVE_ARCH_SECCOMP_FILTER
163to its arch-specific Kconfig. 178to its arch-specific Kconfig.
179
180
181
182Caveats
183-------
184
185The vDSO can cause some system calls to run entirely in userspace,
186leading to surprises when you run programs on different machines that
187fall back to real syscalls. To minimize these surprises on x86, make
188sure you test with
189/sys/devices/system/clocksource/clocksource0/current_clocksource set to
190something like acpi_pm.
191
192On x86-64, vsyscall emulation is enabled by default. (vsyscalls are
193legacy variants on vDSO calls.) Currently, emulated vsyscalls will honor seccomp, with a few oddities:
194
195- A return value of SECCOMP_RET_TRAP will set a si_call_addr pointing to
196 the vsyscall entry for the given call and not the address after the
197 'syscall' instruction. Any code which wants to restart the call
198 should be aware that (a) a ret instruction has been emulated and (b)
199 trying to resume the syscall will again trigger the standard vsyscall
200 emulation security checks, making resuming the syscall mostly
201 pointless.
202
203- A return value of SECCOMP_RET_TRACE will signal the tracer as usual,
204 but the syscall may not be changed to another system call using the
205 orig_rax register. It may only be changed to -1 order to skip the
206 currently emulated call. Any other change MAY terminate the process.
207 The rip value seen by the tracer will be the syscall entry address;
208 this is different from normal behavior. The tracer MUST NOT modify
209 rip or rsp. (Do not rely on other changes terminating the process.
210 They might work. For example, on some kernels, choosing a syscall
211 that only exists in future kernels will be correctly emulated (by
212 returning -ENOSYS).
213
214To detect this quirky behavior, check for addr & ~0x0C00 ==
2150xFFFFFFFFFF600000. (For SECCOMP_RET_TRACE, use rip. For
216SECCOMP_RET_TRAP, use siginfo->si_call_addr.) Do not check any other
217condition: future kernels may improve vsyscall emulation and current
218kernels in vsyscall=native mode will behave differently, but the
219instructions at 0xF...F600{0,4,8,C}00 will not be system calls in these
220cases.
221
222Note that modern systems are unlikely to use vsyscalls at all -- they
223are a legacy feature and they are considerably slower than standard
224syscalls. New code will use the vDSO, and vDSO-issued system calls
225are indistinguishable from normal system calls.
diff --git a/Documentation/security/keys.txt b/Documentation/security/keys.txt
index 7d9ca92022d8..7b4145d00452 100644
--- a/Documentation/security/keys.txt
+++ b/Documentation/security/keys.txt
@@ -994,6 +994,23 @@ payload contents" for more information.
994 reference pointer if successful. 994 reference pointer if successful.
995 995
996 996
997(*) A keyring can be created by:
998
999 struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid,
1000 const struct cred *cred,
1001 key_perm_t perm,
1002 unsigned long flags,
1003 struct key *dest);
1004
1005 This creates a keyring with the given attributes and returns it. If dest
1006 is not NULL, the new keyring will be linked into the keyring to which it
1007 points. No permission checks are made upon the destination keyring.
1008
1009 Error EDQUOT can be returned if the keyring would overload the quota (pass
1010 KEY_ALLOC_NOT_IN_QUOTA in flags if the keyring shouldn't be accounted
1011 towards the user's quota). Error ENOMEM can also be returned.
1012
1013
997(*) To check the validity of a key, this function can be called: 1014(*) To check the validity of a key, this function can be called:
998 1015
999 int validate_key(struct key *key); 1016 int validate_key(struct key *key);
diff --git a/arch/x86/kernel/vsyscall_64.c b/arch/x86/kernel/vsyscall_64.c
index 3a3e8c9e280d..9a907a67be8f 100644
--- a/arch/x86/kernel/vsyscall_64.c
+++ b/arch/x86/kernel/vsyscall_64.c
@@ -145,19 +145,6 @@ static int addr_to_vsyscall_nr(unsigned long addr)
145 return nr; 145 return nr;
146} 146}
147 147
148#ifdef CONFIG_SECCOMP
149static int vsyscall_seccomp(struct task_struct *tsk, int syscall_nr)
150{
151 if (!seccomp_mode(&tsk->seccomp))
152 return 0;
153 task_pt_regs(tsk)->orig_ax = syscall_nr;
154 task_pt_regs(tsk)->ax = syscall_nr;
155 return __secure_computing(syscall_nr);
156}
157#else
158#define vsyscall_seccomp(_tsk, _nr) 0
159#endif
160
161static bool write_ok_or_segv(unsigned long ptr, size_t size) 148static bool write_ok_or_segv(unsigned long ptr, size_t size)
162{ 149{
163 /* 150 /*
@@ -190,10 +177,9 @@ bool emulate_vsyscall(struct pt_regs *regs, unsigned long address)
190{ 177{<