diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2012-12-16 18:40:50 -0500 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2012-12-16 18:40:50 -0500 |
| commit | 2a74dbb9a86e8102dcd07d284135b4530a84826e (patch) | |
| tree | a54403e312b6062dfb57bd904ba8b8ce3b11e720 | |
| parent | 770b6cb4d21fb3e3df2a7a51e186a3c14db1ec30 (diff) | |
| parent | e93072374112db9dc86635934ee761249be28370 (diff) | |
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull security subsystem updates from James Morris:
"A quiet cycle for the security subsystem with just a few maintenance
updates."
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
Smack: create a sysfs mount point for smackfs
Smack: use select not depends in Kconfig
Yama: remove locking from delete path
Yama: add RCU to drop read locking
drivers/char/tpm: remove tasklet and cleanup
KEYS: Use keyring_alloc() to create special keyrings
KEYS: Reduce initial permissions on keys
KEYS: Make the session and process keyrings per-thread
seccomp: Make syscall skipping and nr changes more consistent
key: Fix resource leak
keys: Fix unreachable code
KEYS: Add payload preparsing opportunity prior to key instantiate or update
| -rw-r--r-- | Documentation/prctl/seccomp_filter.txt | 74 | ||||
| -rw-r--r-- | Documentation/security/keys.txt | 17 | ||||
| -rw-r--r-- | arch/x86/kernel/vsyscall_64.c | 110 | ||||
| -rw-r--r-- | drivers/char/tpm/tpm_ibmvtpm.c | 81 | ||||
| -rw-r--r-- | drivers/char/tpm/tpm_ibmvtpm.h | 5 | ||||
| -rw-r--r-- | fs/cifs/cifsacl.c | 12 | ||||
| -rw-r--r-- | fs/nfs/idmap.c | 12 | ||||
| -rw-r--r-- | include/linux/cred.h | 17 | ||||
| -rw-r--r-- | include/linux/key.h | 1 | ||||
| -rw-r--r-- | kernel/cred.c | 127 | ||||
| -rw-r--r-- | kernel/seccomp.c | 13 | ||||
| -rw-r--r-- | net/dns_resolver/dns_key.c | 15 | ||||
| -rw-r--r-- | security/keys/key.c | 6 | ||||
| -rw-r--r-- | security/keys/keyctl.c | 15 | ||||
| -rw-r--r-- | security/keys/keyring.c | 10 | ||||
| -rw-r--r-- | security/keys/process_keys.c | 92 | ||||
| -rw-r--r-- | security/keys/request_key.c | 21 | ||||
| -rw-r--r-- | security/smack/Kconfig | 6 | ||||
| -rw-r--r-- | security/smack/smackfs.c | 17 | ||||
| -rw-r--r-- | security/yama/yama_lsm.c | 88 |
20 files changed, 369 insertions, 370 deletions
diff --git a/Documentation/prctl/seccomp_filter.txt b/Documentation/prctl/seccomp_filter.txt index 597c3c581375..1e469ef75778 100644 --- a/Documentation/prctl/seccomp_filter.txt +++ b/Documentation/prctl/seccomp_filter.txt | |||
| @@ -95,12 +95,15 @@ SECCOMP_RET_KILL: | |||
| 95 | 95 | ||
| 96 | SECCOMP_RET_TRAP: | 96 | SECCOMP_RET_TRAP: |
| 97 | Results in the kernel sending a SIGSYS signal to the triggering | 97 | Results in the kernel sending a SIGSYS signal to the triggering |
| 98 | task without executing the system call. The kernel will | 98 | task without executing the system call. siginfo->si_call_addr |
| 99 | rollback the register state to just before the system call | 99 | will show the address of the system call instruction, and |
| 100 | entry such that a signal handler in the task will be able to | 100 | siginfo->si_syscall and siginfo->si_arch will indicate which |
| 101 | inspect the ucontext_t->uc_mcontext registers and emulate | 101 | syscall was attempted. The program counter will be as though |
| 102 | system call success or failure upon return from the signal | 102 | the syscall happened (i.e. it will not point to the syscall |
| 103 | handler. | 103 | instruction). The return value register will contain an arch- |
| 104 | dependent value -- if resuming execution, set it to something | ||
| 105 | sensible. (The architecture dependency is because replacing | ||
| 106 | it with -ENOSYS could overwrite some useful information.) | ||
| 104 | 107 | ||
| 105 | The SECCOMP_RET_DATA portion of the return value will be passed | 108 | The SECCOMP_RET_DATA portion of the return value will be passed |
| 106 | as si_errno. | 109 | as si_errno. |
| @@ -123,6 +126,18 @@ SECCOMP_RET_TRACE: | |||
| 123 | the BPF program return value will be available to the tracer | 126 | the BPF program return value will be available to the tracer |
| 124 | via PTRACE_GETEVENTMSG. | 127 | via PTRACE_GETEVENTMSG. |
| 125 | 128 | ||
| 129 | The tracer can skip the system call by changing the syscall number | ||
| 130 | to -1. Alternatively, the tracer can change the system call | ||
| 131 | requested by changing the system call to a valid syscall number. If | ||
| 132 | the tracer asks to skip the system call, then the system call will | ||
| 133 | appear to return the value that the tracer puts in the return value | ||
| 134 | register. | ||
| 135 | |||
| 136 | The seccomp check will not be run again after the tracer is | ||
| 137 | notified. (This means that seccomp-based sandboxes MUST NOT | ||
| 138 | allow use of ptrace, even of other sandboxed processes, without | ||
| 139 | extreme care; ptracers can use this mechanism to escape.) | ||
| 140 | |||
| 126 | SECCOMP_RET_ALLOW: | 141 | SECCOMP_RET_ALLOW: |
| 127 | Results in the system call being executed. | 142 | Results in the system call being executed. |
| 128 | 143 | ||
| @@ -161,3 +176,50 @@ architecture supports both ptrace_event and seccomp, it will be able to | |||
| 161 | support seccomp filter with minor fixup: SIGSYS support and seccomp return | 176 | support seccomp filter with minor fixup: SIGSYS support and seccomp return |
| 162 | value checking. Then it must just add CONFIG_HAVE_ARCH_SECCOMP_FILTER | 177 | value checking. Then it must just add CONFIG_HAVE_ARCH_SECCOMP_FILTER |
| 163 | to its arch-specific Kconfig. | 178 | to its arch-specific Kconfig. |
| 179 | |||
| 180 | |||
| 181 | |||
| 182 | Caveats | ||
| 183 | ------- | ||
| 184 | |||
| 185 | The vDSO can cause some system calls to run entirely in userspace, | ||
| 186 | leading to surprises when you run programs on different machines that | ||
| 187 | fall back to real syscalls. To minimize these surprises on x86, make | ||
| 188 | sure you test with | ||
| 189 | /sys/devices/system/clocksource/clocksource0/current_clocksource set to | ||
| 190 | something like acpi_pm. | ||
| 191 | |||
| 192 | On x86-64, vsyscall emulation is enabled by default. (vsyscalls are | ||
| 193 | legacy variants on vDSO calls.) Currently, emulated vsyscalls will honor seccomp, with a few oddities: | ||
| 194 | |||
| 195 | - A return value of SECCOMP_RET_TRAP will set a si_call_addr pointing to | ||
| 196 | the vsyscall entry for the given call and not the address after the | ||
| 197 | 'syscall' instruction. Any code which wants to restart the call | ||
| 198 | should be aware that (a) a ret instruction has been emulated and (b) | ||
| 199 | trying to resume the syscall will again trigger the standard vsyscall | ||
| 200 | emulation security checks, making resuming the syscall mostly | ||
| 201 | pointless. | ||
| 202 | |||
| 203 | - A return value of SECCOMP_RET_TRACE will signal the tracer as usual, | ||
| 204 | but the syscall may not be changed to another system call using the | ||
| 205 | orig_rax register. It may only be changed to -1 order to skip the | ||
| 206 | currently emulated call. Any other change MAY terminate the process. | ||
| 207 | The rip value seen by the tracer will be the syscall entry address; | ||
| 208 | this is different from normal behavior. The tracer MUST NOT modify | ||
| 209 | rip or rsp. (Do not rely on other changes terminating the process. | ||
| 210 | They might work. For example, on some kernels, choosing a syscall | ||
| 211 | that only exists in future kernels will be correctly emulated (by | ||
| 212 | returning -ENOSYS). | ||
| 213 | |||
| 214 | To detect this quirky behavior, check for addr & ~0x0C00 == | ||
| 215 | 0xFFFFFFFFFF600000. (For SECCOMP_RET_TRACE, use rip. For | ||
| 216 | SECCOMP_RET_TRAP, use siginfo->si_call_addr.) Do not check any other | ||
| 217 | condition: future kernels may improve vsyscall emulation and current | ||
| 218 | kernels in vsyscall=native mode will behave differently, but the | ||
| 219 | instructions at 0xF...F600{0,4,8,C}00 will not be system calls in these | ||
| 220 | cases. | ||
| 221 | |||
| 222 | Note that modern systems are unlikely to use vsyscalls at all -- they | ||
| 223 | are a legacy feature and they are considerably slower than standard | ||
| 224 | syscalls. New code will use the vDSO, and vDSO-issued system calls | ||
| 225 | are indistinguishable from normal system calls. | ||
diff --git a/Documentation/security/keys.txt b/Documentation/security/keys.txt index 7d9ca92022d8..7b4145d00452 100644 --- a/Documentation/security/keys.txt +++ b/Documentation/security/keys.txt | |||
| @@ -994,6 +994,23 @@ payload contents" for more information. | |||
| 994 | reference pointer if successful. | 994 | reference pointer if successful. |
| 995 | 995 | ||
| 996 | 996 | ||
| 997 | (*) A keyring can be created by: | ||
| 998 | |||
| 999 | struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid, | ||
| 1000 | const struct cred *cred, | ||
| 1001 | key_perm_t perm, | ||
| 1002 | unsigned long flags, | ||
| 1003 | struct key *dest); | ||
| 1004 | |||
| 1005 | This creates a keyring with the given attributes and returns it. If dest | ||
| 1006 | is not NULL, the new keyring will be linked into the keyring to which it | ||
| 1007 | points. No permission checks are made upon the destination keyring. | ||
| 1008 | |||
| 1009 | Error EDQUOT can be returned if the keyring would overload the quota (pass | ||
| 1010 | KEY_ALLOC_NOT_IN_QUOTA in flags if the keyring shouldn't be accounted | ||
| 1011 | towards the user's quota). Error ENOMEM can also be returned. | ||
| 1012 | |||
| 1013 | |||
| 997 | (*) To check the validity of a key, this function can be called: | 1014 | (*) To check the validity of a key, this function can be called: |
| 998 | 1015 | ||
| 999 | int validate_key(struct key *key); | 1016 | int validate_key(struct key *key); |
diff --git a/arch/x86/kernel/vsyscall_64.c b/arch/x86/kernel/vsyscall_64.c index 3a3e8c9e280d..9a907a67be8f 100644 --- a/arch/x86/kernel/vsyscall_64.c +++ b/arch/x86/kernel/vsyscall_64.c | |||
| @@ -145,19 +145,6 @@ static int addr_to_vsyscall_nr(unsigned long addr) | |||
| 145 | return nr; | 145 | return nr; |
| 146 | } | 146 | } |
| 147 | 147 | ||
| 148 | #ifdef CONFIG_SECCOMP | ||
| 149 | static int vsyscall_seccomp(struct task_struct *tsk, int syscall_nr) | ||
| 150 | { | ||
| 151 | if (!seccomp_mode(&tsk->seccomp)) | ||
| 152 | return 0; | ||
| 153 | task_pt_regs(tsk)->orig_ax = syscall_nr; | ||
| 154 | task_pt_regs(tsk)->ax = syscall_nr; | ||
| 155 | return __secure_computing(syscall_nr); | ||
| 156 | } | ||
| 157 | #else | ||
| 158 | #define vsyscall_seccomp(_tsk, _nr) 0 | ||
| 159 | #endif | ||
| 160 | |||
| 161 | static bool write_ok_or_segv(unsigned long ptr, size_t size) | 148 | static bool write_ok_or_segv(unsigned long ptr, size_t size) |
| 162 | { | 149 | { |
| 163 | /* | 150 | /* |
| @@ -190,10 +177,9 @@ bool emulate_vsyscall(struct pt_regs *regs, unsigned long address) | |||
| 190 | { | 177 | {< |
