diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2012-03-21 16:25:04 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2012-03-21 16:25:04 -0400 |
| commit | 3556485f1595e3964ba539e39ea682acbb835cee (patch) | |
| tree | 7f5ee254f425b1427ac0059b5f347a307f8538a1 | |
| parent | b8716614a7cc2fc15ea2a518edd04755fb08d922 (diff) | |
| parent | 09f61cdbb32a9d812c618d3922db533542736bb0 (diff) | |
Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull security subsystem updates for 3.4 from James Morris:
"The main addition here is the new Yama security module from Kees Cook,
which was discussed at the Linux Security Summit last year. Its
purpose is to collect miscellaneous DAC security enhancements in one
place. This also marks a departure in policy for LSM modules, which
were previously limited to being standalone access control systems.
Chromium OS is using Yama, and I believe there are plans for Ubuntu,
at least.
This patchset also includes maintenance updates for AppArmor, TOMOYO
and others."
Fix trivial conflict in <net/sock.h> due to the jumo_label->static_key
rename.
* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (38 commits)
AppArmor: Fix location of const qualifier on generated string tables
TOMOYO: Return error if fails to delete a domain
AppArmor: add const qualifiers to string arrays
AppArmor: Add ability to load extended policy
TOMOYO: Return appropriate value to poll().
AppArmor: Move path failure information into aa_get_name and rename
AppArmor: Update dfa matching routines.
AppArmor: Minor cleanup of d_namespace_path to consolidate error handling
AppArmor: Retrieve the dentry_path for error reporting when path lookup fails
AppArmor: Add const qualifiers to generated string tables
AppArmor: Fix oops in policy unpack auditing
AppArmor: Fix error returned when a path lookup is disconnected
KEYS: testing wrong bit for KEY_FLAG_REVOKED
TOMOYO: Fix mount flags checking order.
security: fix ima kconfig warning
AppArmor: Fix the error case for chroot relative path name lookup
AppArmor: fix mapping of META_READ to audit and quiet flags
AppArmor: Fix underflow in xindex calculation
AppArmor: Fix dropping of allowed operations that are force audited
AppArmor: Add mising end of structure test to caps unpacking
...
71 files changed, 1034 insertions, 250 deletions
diff --git a/Documentation/networking/dns_resolver.txt b/Documentation/networking/dns_resolver.txt index 7f531ad83285..d86adcdae420 100644 --- a/Documentation/networking/dns_resolver.txt +++ b/Documentation/networking/dns_resolver.txt | |||
| @@ -102,6 +102,10 @@ implemented in the module can be called after doing: | |||
| 102 | If _expiry is non-NULL, the expiry time (TTL) of the result will be | 102 | If _expiry is non-NULL, the expiry time (TTL) of the result will be |
| 103 | returned also. | 103 | returned also. |
| 104 | 104 | ||
| 105 | The kernel maintains an internal keyring in which it caches looked up keys. | ||
| 106 | This can be cleared by any process that has the CAP_SYS_ADMIN capability by | ||
| 107 | the use of KEYCTL_KEYRING_CLEAR on the keyring ID. | ||
| 108 | |||
| 105 | 109 | ||
| 106 | =============================== | 110 | =============================== |
| 107 | READING DNS KEYS FROM USERSPACE | 111 | READING DNS KEYS FROM USERSPACE |
diff --git a/Documentation/security/00-INDEX b/Documentation/security/00-INDEX index 99b85d39751c..eeed1de546d4 100644 --- a/Documentation/security/00-INDEX +++ b/Documentation/security/00-INDEX | |||
| @@ -6,6 +6,8 @@ SELinux.txt | |||
| 6 | - how to get started with the SELinux security enhancement. | 6 | - how to get started with the SELinux security enhancement. |
| 7 | Smack.txt | 7 | Smack.txt |
| 8 | - documentation on the Smack Linux Security Module. | 8 | - documentation on the Smack Linux Security Module. |
| 9 | Yama.txt | ||
| 10 | - documentation on the Yama Linux Security Module. | ||
| 9 | apparmor.txt | 11 | apparmor.txt |
| 10 | - documentation on the AppArmor security extension. | 12 | - documentation on the AppArmor security extension. |
| 11 | credentials.txt | 13 | credentials.txt |
diff --git a/Documentation/security/Yama.txt b/Documentation/security/Yama.txt new file mode 100644 index 000000000000..a9511f179069 --- /dev/null +++ b/Documentation/security/Yama.txt | |||
| @@ -0,0 +1,65 @@ | |||
| 1 | Yama is a Linux Security Module that collects a number of system-wide DAC | ||
| 2 | security protections that are not handled by the core kernel itself. To | ||
| 3 | select it at boot time, specify "security=yama" (though this will disable | ||
| 4 | any other LSM). | ||
| 5 | |||
| 6 | Yama is controlled through sysctl in /proc/sys/kernel/yama: | ||
| 7 | |||
| 8 | - ptrace_scope | ||
| 9 | |||
| 10 | ============================================================== | ||
| 11 | |||
| 12 | ptrace_scope: | ||
| 13 | |||
| 14 | As Linux grows in popularity, it will become a larger target for | ||
| 15 | malware. One particularly troubling weakness of the Linux process | ||
| 16 | interfaces is that a single user is able to examine the memory and | ||
| 17 | running state of any of their processes. For example, if one application | ||
| 18 | (e.g. Pidgin) was compromised, it would be possible for an attacker to | ||
| 19 | attach to other running processes (e.g. Firefox, SSH sessions, GPG agent, | ||
| 20 | etc) to extract additional credentials and continue to expand the scope | ||
| 21 | of their attack without resorting to user-assisted phishing. | ||
| 22 | |||
| 23 | This is not a theoretical problem. SSH session hijacking | ||
| 24 | (http://www.storm.net.nz/projects/7) and arbitrary code injection | ||
| 25 | (http://c-skills.blogspot.com/2007/05/injectso.html) attacks already | ||
| 26 | exist and remain possible if ptrace is allowed to operate as before. | ||
| 27 | Since ptrace is not commonly used by non-developers and non-admins, system | ||
| 28 | builders should be allowed the option to disable this debugging system. | ||
| 29 | |||
| 30 | For a solution, some applications use prctl(PR_SET_DUMPABLE, ...) to | ||
| 31 | specifically disallow such ptrace attachment (e.g. ssh-agent), but many | ||
| 32 | do not. A more general solution is to only allow ptrace directly from a | ||
| 33 | parent to a child process (i.e. direct "gdb EXE" and "strace EXE" still | ||
| 34 | work), or with CAP_SYS_PTRACE (i.e. "gdb --pid=PID", and "strace -p PID" | ||
| 35 | still work as root). | ||
| 36 | |||
| 37 | For software that has defined application-specific relationships | ||
| 38 | between a debugging process and its inferior (crash handlers, etc), | ||
| 39 | prctl(PR_SET_PTRACER, pid, ...) can be used. An inferior can declare which | ||
| 40 | other process (and its descendents) are allowed to call PTRACE_ATTACH | ||
| 41 | against it. Only one such declared debugging process can exists for | ||
| 42 | each inferior at a time. For example, this is used by KDE, Chromium, and | ||
