aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2012-03-21 16:25:04 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2012-03-21 16:25:04 -0400
commit3556485f1595e3964ba539e39ea682acbb835cee (patch)
tree7f5ee254f425b1427ac0059b5f347a307f8538a1
parentb8716614a7cc2fc15ea2a518edd04755fb08d922 (diff)
parent09f61cdbb32a9d812c618d3922db533542736bb0 (diff)
Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull security subsystem updates for 3.4 from James Morris: "The main addition here is the new Yama security module from Kees Cook, which was discussed at the Linux Security Summit last year. Its purpose is to collect miscellaneous DAC security enhancements in one place. This also marks a departure in policy for LSM modules, which were previously limited to being standalone access control systems. Chromium OS is using Yama, and I believe there are plans for Ubuntu, at least. This patchset also includes maintenance updates for AppArmor, TOMOYO and others." Fix trivial conflict in <net/sock.h> due to the jumo_label->static_key rename. * 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (38 commits) AppArmor: Fix location of const qualifier on generated string tables TOMOYO: Return error if fails to delete a domain AppArmor: add const qualifiers to string arrays AppArmor: Add ability to load extended policy TOMOYO: Return appropriate value to poll(). AppArmor: Move path failure information into aa_get_name and rename AppArmor: Update dfa matching routines. AppArmor: Minor cleanup of d_namespace_path to consolidate error handling AppArmor: Retrieve the dentry_path for error reporting when path lookup fails AppArmor: Add const qualifiers to generated string tables AppArmor: Fix oops in policy unpack auditing AppArmor: Fix error returned when a path lookup is disconnected KEYS: testing wrong bit for KEY_FLAG_REVOKED TOMOYO: Fix mount flags checking order. security: fix ima kconfig warning AppArmor: Fix the error case for chroot relative path name lookup AppArmor: fix mapping of META_READ to audit and quiet flags AppArmor: Fix underflow in xindex calculation AppArmor: Fix dropping of allowed operations that are force audited AppArmor: Add mising end of structure test to caps unpacking ...
-rw-r--r--Documentation/networking/dns_resolver.txt4
-rw-r--r--Documentation/security/00-INDEX2
-rw-r--r--Documentation/security/Yama.txt65
-rw-r--r--Documentation/security/keys.txt4
-rw-r--r--drivers/char/tpm/Kconfig1
-rw-r--r--drivers/char/tpm/tpm.c3
-rw-r--r--drivers/char/tpm/tpm.h2
-rw-r--r--drivers/char/tpm/tpm_tis.c17
-rw-r--r--drivers/net/macvtap.c1
-rw-r--r--drivers/target/iscsi/iscsi_target.c1
-rw-r--r--drivers/target/iscsi/iscsi_target_login.c1
-rw-r--r--fs/cifs/cifsacl.c1
-rw-r--r--fs/nfs/client.c1
-rw-r--r--fs/nfs/idmap.c1
-rw-r--r--fs/proc/proc_sysctl.c2
-rw-r--r--fs/quota/dquot.c1
-rw-r--r--fs/super.c1
-rw-r--r--include/linux/key.h1
-rw-r--r--include/linux/prctl.h7
-rw-r--r--include/linux/security.h80
-rw-r--r--include/net/sock.h2
-rw-r--r--ipc/msgutil.c2
-rw-r--r--kernel/cred.c1
-rw-r--r--kernel/exit.c1
-rw-r--r--kernel/fork.c3
-rw-r--r--kernel/sched/core.c1
-rw-r--r--kernel/sysctl.c1
-rw-r--r--mm/mmap.c17
-rw-r--r--mm/mprotect.c2
-rw-r--r--mm/mremap.c2
-rw-r--r--mm/shmem.c4
-rw-r--r--mm/swapfile.c4
-rw-r--r--net/dns_resolver/dns_key.c1
-rw-r--r--security/Kconfig6
-rw-r--r--security/Makefile2
-rw-r--r--security/apparmor/Makefile27
-rw-r--r--security/apparmor/apparmorfs.c195
-rw-r--r--security/apparmor/audit.c7
-rw-r--r--security/apparmor/domain.c5
-rw-r--r--security/apparmor/file.c21
-rw-r--r--security/apparmor/include/apparmor.h15
-rw-r--r--security/apparmor/include/apparmorfs.h44
-rw-r--r--security/apparmor/include/audit.h9
-rw-r--r--security/apparmor/include/file.h2
-rw-r--r--security/apparmor/include/match.h3
-rw-r--r--security/apparmor/include/path.h3
-rw-r--r--security/apparmor/include/policy.h15
-rw-r--r--security/apparmor/include/resource.h4
-rw-r--r--security/apparmor/match.c80
-rw-r--r--security/apparmor/path.c56
-rw-r--r--security/apparmor/policy.c3
-rw-r--r--security/apparmor/policy_unpack.c31
-rw-r--r--security/apparmor/resource.c5
-rw-r--r--security/capability.c5
-rw-r--r--security/commoncap.c1
-rw-r--r--security/integrity/ima/Kconfig4
-rw-r--r--security/integrity/ima/ima_audit.c2
-rw-r--r--security/integrity/ima/ima_policy.c3
-rw-r--r--security/keys/keyctl.c15
-rw-r--r--security/keys/process_keys.c3
-rw-r--r--security/security.c21
-rw-r--r--security/selinux/hooks.c2
-rw-r--r--security/smack/smack_lsm.c3
-rw-r--r--security/tomoyo/audit.c4
-rw-r--r--security/tomoyo/common.c63
-rw-r--r--security/tomoyo/common.h6
-rw-r--r--security/tomoyo/mount.c38
-rw-r--r--security/tomoyo/securityfs_if.c5
-rw-r--r--security/yama/Kconfig13
-rw-r--r--security/yama/Makefile3
-rw-r--r--security/yama/yama_lsm.c323
71 files changed, 1034 insertions, 250 deletions
diff --git a/Documentation/networking/dns_resolver.txt b/Documentation/networking/dns_resolver.txt
index 7f531ad83285..d86adcdae420 100644
--- a/Documentation/networking/dns_resolver.txt
+++ b/Documentation/networking/dns_resolver.txt
@@ -102,6 +102,10 @@ implemented in the module can be called after doing:
102 If _expiry is non-NULL, the expiry time (TTL) of the result will be 102 If _expiry is non-NULL, the expiry time (TTL) of the result will be
103 returned also. 103 returned also.
104 104
105The kernel maintains an internal keyring in which it caches looked up keys.
106This can be cleared by any process that has the CAP_SYS_ADMIN capability by
107the use of KEYCTL_KEYRING_CLEAR on the keyring ID.
108
105 109
106=============================== 110===============================
107READING DNS KEYS FROM USERSPACE 111READING DNS KEYS FROM USERSPACE
diff --git a/Documentation/security/00-INDEX b/Documentation/security/00-INDEX
index 99b85d39751c..eeed1de546d4 100644
--- a/Documentation/security/00-INDEX
+++ b/Documentation/security/00-INDEX
@@ -6,6 +6,8 @@ SELinux.txt
6 - how to get started with the SELinux security enhancement. 6 - how to get started with the SELinux security enhancement.
7Smack.txt 7Smack.txt
8 - documentation on the Smack Linux Security Module. 8 - documentation on the Smack Linux Security Module.
9Yama.txt
10 - documentation on the Yama Linux Security Module.
9apparmor.txt 11apparmor.txt
10 - documentation on the AppArmor security extension. 12 - documentation on the AppArmor security extension.
11credentials.txt 13credentials.txt
diff --git a/Documentation/security/Yama.txt b/Documentation/security/Yama.txt
new file mode 100644
index 000000000000..a9511f179069
--- /dev/null
+++ b/Documentation/security/Yama.txt
@@ -0,0 +1,65 @@
1Yama is a Linux Security Module that collects a number of system-wide DAC
2security protections that are not handled by the core kernel itself. To
3select it at boot time, specify "security=yama" (though this will disable
4any other LSM).
5
6Yama is controlled through sysctl in /proc/sys/kernel/yama:
7
8- ptrace_scope
9
10==============================================================
11
12ptrace_scope:
13
14As Linux grows in popularity, it will become a larger target for
15malware. One particularly troubling weakness of the Linux process
16interfaces is that a single user is able to examine the memory and
17running state of any of their processes. For example, if one application
18(e.g. Pidgin) was compromised, it would be possible for an attacker to
19attach to other running processes (e.g. Firefox, SSH sessions, GPG agent,
20etc) to extract additional credentials and continue to expand the scope
21of their attack without resorting to user-assisted phishing.
22
23This is not a theoretical problem. SSH session hijacking
24(http://www.storm.net.nz/projects/7) and arbitrary code injection
25(http://c-skills.blogspot.com/2007/05/injectso.html) attacks already
26exist and remain possible if ptrace is allowed to operate as before.
27Since ptrace is not commonly used by non-developers and non-admins, system
28builders should be allowed the option to disable this debugging system.
29
30For a solution, some applications use prctl(PR_SET_DUMPABLE, ...) to
31specifically disallow such ptrace attachment (e.g. ssh-agent), but many
32do not. A more general solution is to only allow ptrace directly from a
33parent to a child process (i.e. direct "gdb EXE" and "strace EXE" still
34work), or with CAP_SYS_PTRACE (i.e. "gdb --pid=PID", and "strace -p PID"
35still work as root).
36
37For software that has defined application-specific relationships
38between a debugging process and its inferior (crash handlers, etc),
39prctl(PR_SET_PTRACER, pid, ...) can be used. An inferior can declare which
40other process (and its descendents) are allowed to call PTRACE_ATTACH
41against it. Only one such declared debugging process can exists for
42each inferior at a time. For example, this is used by KDE, Chromium, and