aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux
Commit message (Collapse)AuthorAge
* Merge branch 'master' of /home/davem/src/GIT/linux-2.6/David S. Miller2009-12-05
|\ | | | | | | | | | | | | | | Conflicts: drivers/net/pcmcia/fmvj18x_cs.c drivers/net/pcmcia/nmclan_cs.c drivers/net/pcmcia/xirc2ps_cs.c drivers/net/wireless/ray_cs.c
| * SELinux: print denials for buggy kernel with unknown permsEric Paris2009-11-23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Historically we've seen cases where permissions are requested for classes where they do not exist. In particular we have seen CIFS forget to set i_mode to indicate it is a directory so when we later check something like remove_name we have problems since it wasn't defined in tclass file. This used to result in a avc which included the permission 0x2000 or something. Currently the kernel will deny the operations (good thing) but will not print ANY information (bad thing). First the auditdeny field is no extended to include unknown permissions. After that is fixed the logic in avc_dump_query to output this information isn't right since it will remove the permission from the av and print the phrase "<NULL>". This takes us back to the behavior before the classmap rewrite. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
| * security: report the module name to security_module_requestEric Paris2009-11-09
| | | | | | | | | | | | | | | | | | | | | | | | | | For SELinux to do better filtering in userspace we send the name of the module along with the AVC denial when a program is denied module_request. Example output: type=SYSCALL msg=audit(11/03/2009 10:59:43.510:9) : arch=x86_64 syscall=write success=yes exit=2 a0=3 a1=7fc28c0d56c0 a2=2 a3=7fffca0d7440 items=0 ppid=1727 pid=1729 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpc.nfsd exe=/usr/sbin/rpc.nfsd subj=system_u:system_r:nfsd_t:s0 key=(null) type=AVC msg=audit(11/03/2009 10:59:43.510:9) : avc: denied { module_request } for pid=1729 comm=rpc.nfsd kmod="net-pf-10" scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
| * SELinux: add .gitignore files for dynamic classesEric Paris2009-10-23
| | | | | | | | | | | | | | | | | | | | The SELinux dynamic class work in c6d3aaa4e35c71a32a86ececacd4eea7ecfc316c creates a number of dynamic header files and scripts. Add .gitignore files so git doesn't complain about these. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen D. Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
| * SELinux: fix locking issue introduced with c6d3aaa4e35c71a3Stephen Smalley2009-10-19
| | | | | | | | | | | | | | | | Ensure that we release the policy read lock on all exit paths from security_compute_av. Signed-off-by: Stephen D. Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
| * selinux: drop remapping of netlink classesStephen Smalley2009-10-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Drop remapping of netlink classes and bypass of permission checking based on netlink message type for policy version < 18. This removes compatibility code introduced when the original single netlink security class used for all netlink sockets was split into finer-grained netlink classes based on netlink protocol and when permission checking was added based on netlink message type in Linux 2.6.8. The only known distribution that shipped with SELinux and policy < 18 was Fedora Core 2, which was EOL'd on 2005-04-11. Given that the remapping code was never updated to address the addition of newer netlink classes, that the corresponding userland support was dropped in 2005, and that the assumptions made by the remapping code about the fixed ordering among netlink classes in the policy may be violated in the future due to the dynamic class/perm discovery support, we should drop this compatibility code now. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
| * selinux: generate flask headers during kernel buildStephen Smalley2009-10-07
| | | | | | | | | | | | | | | | | | | | | | Add a simple utility (scripts/selinux/genheaders) and invoke it to generate the kernel-private class and permission indices in flask.h and av_permissions.h automatically during the kernel build from the security class mapping definitions in classmap.h. Adding new kernel classes and permissions can then be done just by adding them to classmap.h. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
| * selinux: dynamic class/perm discoveryStephen Smalley2009-10-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Modify SELinux to dynamically discover class and permission values upon policy load, based on the dynamic object class/perm discovery logic from libselinux. A mapping is created between kernel-private class and permission indices used outside the security server and the policy values used within the security server. The mappings are only applied upon kernel-internal computations; similar mappings for the private indices of userspace object managers is handled on a per-object manager basis by the userspace AVC. The interfaces for compute_av and transition_sid are split for kernel vs. userspace; the userspace functions are distinguished by a _user suffix. The kernel-private class indices are no longer tied to the policy values and thus do not need to skip indices for userspace classes; thus the kernel class index values are compressed. The flask.h definitions were regenerated by deleting the userspace classes from refpolicy's definitions and then regenerating the headers. Going forward, we can just maintain the flask.h, av_permissions.h, and classmap.h definitions separately from policy as they are no longer tied to the policy values. The next patch introduces a utility to automate generation of flask.h and av_permissions.h from the classmap.h definitions. The older kernel class and permission string tables are removed and replaced by a single security class mapping table that is walked at policy load to generate the mapping. The old kernel class validation logic is completely replaced by the mapping logic. The handle unknown logic is reworked. reject_unknown=1 is handled when the mappings are computed at policy load time, similar to the old handling by the class validation logic. allow_unknown=1 is handled when computing and mapping decisions - if the permission was not able to be mapped (i.e. undefined, mapped to zero), then it is automatically added to the allowed vector. If the class was not able to be mapped (i.e. undefined, mapped to zero), then all permissions are allowed for it if allow_unknown=1. avc_audit leverages the new security class mapping table to lookup the class and permission names from the kernel-private indices. The mdp program is updated to use the new table when generating the class definitions and allow rules for a minimal boot policy for the kernel. It should be noted that this policy will not include any userspace classes, nor will its policy index values for the kernel classes correspond with the ones in refpolicy (they will instead match the kernel-private indices). Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
| * SELinux: reset the security_ops before flushing the avc cacheEric Paris2009-09-30
| | | | | | | | | | | | | | | | | | | | | | | | | | This patch resets the security_ops to the secondary_ops before it flushes the avc. It's still possible that a task on another processor could have already passed the security_ops dereference and be executing an selinux hook function which would add a new avc entry. That entry would still not be freed. This should however help to reduce the number of needless avcs the kernel has when selinux is disabled at run time. There is no wasted memory if selinux is disabled on the command line or not compiled. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
* | net: rename skb->iif to skb->skb_iifEric Dumazet2009-11-20
|/ | | | | | | To help grep games, rename iif to skb_iif Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* do_wait() wakeup optimization: change __wake_up_parent() to use filtered wakeupOleg Nesterov2009-09-24
| | | | | | | | | | | | | | | | | | | | | | | | Ratan Nalumasu reported that in a process with many threads doing unnecessary wakeups. Every waiting thread in the process wakes up to loop through the children and see that the only ones it cares about are still not ready. Now that we have struct wait_opts we can change do_wait/__wake_up_parent to use filtered wakeups. We can make child_wait_callback() more clever later, right now it only checks eligible_child(). Signed-off-by: Oleg Nesterov <oleg@redhat.com> Acked-by: Roland McGrath <roland@redhat.com> Cc: Ingo Molnar <mingo@elte.hu> Cc: Ratan Nalumasu <rnalumasu@gmail.com> Cc: Vitaly Mayatskikh <vmayatsk@redhat.com> Acked-by: James Morris <jmorris@namei.org> Tested-by: Valdis Kletnieks <valdis.kletnieks@vt.edu> Acked-by: David Howells <dhowells@redhat.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* SELinux: do not destroy the avc_cache_nodepEric Paris2009-09-23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The security_ops reset done when SELinux is disabled at run time is done after the avc cache is freed and after the kmem_cache for the avc is also freed. This means that between the time the selinux disable code destroys the avc_node_cachep another process could make a security request and could try to allocate from the cache. We are just going to leave the cachep around, like we always have. SELinux: Disabled at runtime. BUG: unable to handle kernel NULL pointer dereference at (null) IP: [<ffffffff81122537>] kmem_cache_alloc+0x9a/0x185 PGD 0 Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC last sysfs file: CPU 1 Modules linked in: Pid: 12, comm: khelper Not tainted 2.6.31-tip-05525-g0eeacc6-dirty #14819 System Product Name RIP: 0010:[<ffffffff81122537>] [<ffffffff81122537>] kmem_cache_alloc+0x9a/0x185 RSP: 0018:ffff88003f9258b0 EFLAGS: 00010086 RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000078c0129e RDX: 0000000000000000 RSI: ffffffff8130b626 RDI: ffffffff81122528 RBP: ffff88003f925900 R08: 0000000078c0129e R09: 0000000000000001 R10: 0000000000000000 R11: 0000000078c0129e R12: 0000000000000246 R13: 0000000000008020 R14: ffff88003f8586d8 R15: 0000000000000001 FS: 0000000000000000(0000) GS:ffff880002b00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b CR2: 0000000000000000 CR3: 0000000001001000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: ffffffff827bd420 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process khelper (pid: 12, threadinfo ffff88003f924000, task ffff88003f928000) Stack: 0000000000000246 0000802000000246 ffffffff8130b626 0000000000000001 <0> 0000000078c0129e 0000000000000000 ffff88003f925a70 0000000000000002 <0> 0000000000000001 0000000000000001 ffff88003f925960 ffffffff8130b626 Call Trace: [<ffffffff8130b626>] ? avc_alloc_node+0x36/0x273 [<ffffffff8130b626>] avc_alloc_node+0x36/0x273 [<ffffffff8130b545>] ? avc_latest_notif_update+0x7d/0x9e [<ffffffff8130b8b4>] avc_insert+0x51/0x18d [<ffffffff8130bcce>] avc_has_perm_noaudit+0x9d/0x128 [<ffffffff8130bf20>] avc_has_perm+0x45/0x88 [<ffffffff8130f99d>] current_has_perm+0x52/0x6d [<ffffffff8130fbb2>] selinux_task_create+0x2f/0x45 [<ffffffff81303bf7>] security_task_create+0x29/0x3f [<ffffffff8105c6ba>] copy_process+0x82/0xdf0 [<ffffffff81091578>] ? register_lock_class+0x2f/0x36c [<ffffffff81091a13>] ? mark_lock+0x2e/0x1e1 [<ffffffff8105d596>] do_fork+0x16e/0x382 [<ffffffff81091578>] ? register_lock_class+0x2f/0x36c [<ffffffff810d9166>] ? probe_workqueue_execution+0x57/0xf9 [<ffffffff81091a13>] ? mark_lock+0x2e/0x1e1 [<ffffffff810d9166>] ? probe_workqueue_execution+0x57/0xf9 [<ffffffff8100cdb2>] kernel_thread+0x82/0xe0 [<ffffffff81078b1f>] ? ____call_usermodehelper+0x0/0x139 [<ffffffff8100ce10>] ? child_rip+0x0/0x20 [<ffffffff81078aea>] ? __call_usermodehelper+0x65/0x9a [<ffffffff8107a5c7>] run_workqueue+0x171/0x27e [<ffffffff8107a573>] ? run_workqueue+0x11d/0x27e [<ffffffff81078a85>] ? __call_usermodehelper+0x0/0x9a [<ffffffff8107a7bc>] worker_thread+0xe8/0x10f [<ffffffff810808e2>] ? autoremove_wake_function+0x0/0x63 [<ffffffff8107a6d4>] ? worker_thread+0x0/0x10f [<ffffffff8108042e>] kthread+0x91/0x99 [<ffffffff8100ce1a>] child_rip+0xa/0x20 [<ffffffff8100c754>] ? restore_args+0x0/0x30 [<ffffffff8108039d>] ? kthread+0x0/0x99 [<ffffffff8100ce10>] ? child_rip+0x0/0x20 Code: 0f 85 99 00 00 00 9c 58 66 66 90 66 90 49 89 c4 fa 66 66 90 66 66 90 e8 83 34 fb ff e8 d7 e9 26 00 48 98 49 8b 94 c6 10 01 00 00 <48> 8b 1a 44 8b 7a 18 48 85 db 74 0f 8b 42 14 48 8b 04 c3 ff 42 RIP [<ffffffff81122537>] kmem_cache_alloc+0x9a/0x185 RSP <ffff88003f9258b0> CR2: 0000000000000000 ---[ end trace 42f41a982344e606 ]--- Reported-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
* SELinux: flush the avc before disabling SELinuxEric Paris2009-09-13
| | | | | | | | Before SELinux is disabled at boot it can create AVC entries. This patch will flush those entries before disabling SELinux. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
* SELinux: seperate avc_cache flushingEric Paris2009-09-13
| | | | | | | | Move the avc_cache flushing into it's own function so it can be reused when disabling SELinux. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
* Creds: creds->security can be NULL is selinux is disabledEric Paris2009-09-13
| | | | | | | | __validate_process_creds should check if selinux is actually enabled before running tests on the selinux portion of the credentials struct. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
* sysfs: Add labeling support for sysfsDavid P. Quigley2009-09-09
| | | | | | | | | | | | | | | | | | | | | | | | | This patch adds a setxattr handler to the file, directory, and symlink inode_operations structures for sysfs. The patch uses hooks introduced in the previous patch to handle the getting and setting of security information for the sysfs inodes. As was suggested by Eric Biederman the struct iattr in the sysfs_dirent structure has been replaced by a structure which contains the iattr, secdata and secdata length to allow the changes to persist in the event that the inode representing the sysfs_dirent is evicted. Because sysfs only stores this information when a change is made all the optional data is moved into one dynamically allocated field. This patch addresses an issue where SELinux was denying virtd access to the PCI configuration entries in sysfs. The lack of setxattr handlers for sysfs required that a single label be assigned to all entries in sysfs. Granting virtd access to every entry in sysfs is not an acceptable solution so fine grained labeling of sysfs is required such that individual entries can be labeled appropriately. [sds: Fixed compile-time warnings, coding style, and setting of inode security init flags.] Signed-off-by: David P. Quigley <dpquigl@tycho.nsa.gov> Signed-off-by: Stephen D. Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
* LSM/SELinux: inode_{get,set,notify}secctx hooks to access LSM security ↵David P. Quigley2009-09-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | context information. This patch introduces three new hooks. The inode_getsecctx hook is used to get all relevant information from an LSM about an inode. The inode_setsecctx is used to set both the in-core and on-disk state for the inode based on a context derived from inode_getsecctx.The final hook inode_notifysecctx will notify the LSM of a change for the in-core state of the inode in question. These hooks are for use in the labeled NFS code and addresses concerns of how to set security on an inode in a multi-xattr LSM. For historical reasons Stephen Smalley's explanation of the reason for these hooks is pasted below. Quote Stephen Smalley inode_setsecctx: Change the security context of an inode. Updates the in core security context managed by the security module and invokes the fs code as needed (via __vfs_setxattr_noperm) to update any backing xattrs that represent the context. Example usage: NFS server invokes this hook to change the security context in its incore inode and on the backing file system to a value provided by the client on a SETATTR operation. inode_notifysecctx: Notify the security module of what the security context of an inode should be. Initializes the incore security context managed by the security module for this inode. Example usage: NFS client invokes this hook to initialize the security context in its incore inode to the value provided by the server for the file when the server returned the file's attributes to the client. Signed-off-by: David P. Quigley <dpquigl@tycho.nsa.gov> Acked-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
* KEYS: Add a keyctl to install a process's session keyring on its parent [try #6]David Howells2009-09-02
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add a keyctl to install a process's session keyring onto its parent. This replaces the parent's session keyring. Because the COW credential code does not permit one process to change another process's credentials directly, the change is deferred until userspace next starts executing again. Normally this will be after a wait*() syscall. To support this, three new security hooks have been provided: cred_alloc_blank() to allocate unset security creds, cred_transfer() to fill in the blank security creds and key_session_to_parent() - which asks the LSM if the process may replace its parent's session keyring. The replacement may only happen if the process has the same ownership details as its parent, and the process has LINK permission on the session keyring, and the session keyring is owned by the process, and the LSM permits it. Note that this requires alteration to each architecture's notify_resume path. This has been done for all arches barring blackfin, m68k* and xtensa, all of which need assembly alteration to support TIF_NOTIFY_RESUME. This allows the replacement to be performed at the point the parent process resumes userspace execution. This allows the userspace AFS pioctl emulation to fully emulate newpag() and the VIOCSETTOK and VIOCSETTOK2 pioctls, all of which require the ability to alter the parent process's PAG membership. However, since kAFS doesn't use PAGs per se, but rather dumps the keys into the session keyring, the session keyring of the parent must be replaced if, for example, VIOCSETTOK is passed the newpag flag. This can be tested with the following program: #include <stdio.h> #include <stdlib.h> #include <keyutils.h> #define KEYCTL_SESSION_TO_PARENT 18 #define OSERROR(X, S) do { if ((long)(X) == -1) { perror(S); exit(1); } } while(0) int main(int argc, char **argv) { key_serial_t keyring, key; long ret; keyring = keyctl_join_session_keyring(argv[1]); OSERROR(keyring, "keyctl_join_session_keyring"); key = add_key("user", "a", "b", 1, keyring); OSERROR(key, "add_key"); ret = keyctl(KEYCTL_SESSION_TO_PARENT); OSERROR(ret, "KEYCTL_SESSION_TO_PARENT"); return 0; } Compiled and linked with -lkeyutils, you should see something like: [dhowells@andromeda ~]$ keyctl show Session Keyring -3 --alswrv 4043 4043 keyring: _ses 355907932 --alswrv 4043 -1 \_ keyring: _uid.4043 [dhowells@andromeda ~]$ /tmp/newpag [dhowells@andromeda ~]$ keyctl show Session Keyring -3 --alswrv 4043 4043 keyring: _ses 1055658746 --alswrv 4043 4043 \_ user: a [dhowells@andromeda ~]$ /tmp/newpag hello [dhowells@andromeda ~]$ keyctl show Session Keyring -3 --alswrv 4043 4043 keyring: hello 340417692 --alswrv 4043 4043 \_ user: a Where the test program creates a new session keyring, sticks a user key named 'a' into it and then installs it on its parent. Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
* CRED: Add some configurable debugging [try #6]David Howells2009-09-02
| | | | | | | | | | | | | | | | | | | | Add a config option (CONFIG_DEBUG_CREDENTIALS) to turn on some debug checking for credential management. The additional code keeps track of the number of pointers from task_structs to any given cred struct, and checks to see that this number never exceeds the usage count of the cred struct (which includes all references, not just those from task_structs). Furthermore, if SELinux is enabled, the code also checks that the security pointer in the cred struct is never seen to be invalid. This attempts to catch the bug whereby inode_has_perm() faults in an nfsd kernel thread on seeing cred->security be a NULL pointer (it appears that the credential struct has been previously released): http://www.kerneloops.org/oops.php?number=252883 Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
* selinux: Support for the new TUN LSM hooksPaul Moore2009-08-31
| | | | | | | | | | | | | | | | Add support for the new TUN LSM hooks: security_tun_dev_create(), security_tun_dev_post_create() and security_tun_dev_attach(). This includes the addition of a new object class, tun_socket, which represents the socks associated with TUN devices. The _tun_dev_create() and _tun_dev_post_create() hooks are fairly similar to the standard socket functions but _tun_dev_attach() is a bit special. The _tun_dev_attach() is unique because it involves a domain attaching to an existing TUN device and its associated tun_socket object, an operation which does not exist with standard sockets and most closely resembles a relabel operation. Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: Eric Paris <eparis@parisplace.org> Signed-off-by: James Morris <jmorris@namei.org>
* selinux: adjust rules for ATTR_FORCEAmerigo Wang2009-08-21
| | | | | | | | | | | | | | | | | | | As suggested by OGAWA Hirofumi in thread: http://lkml.org/lkml/2009/8/7/132, we should let selinux_inode_setattr() to match our ATTR_* rules. ATTR_FORCE should not force things like ATTR_SIZE. [hirofumi@mail.parknet.co.jp: tweaks] Signed-off-by: WANG Cong <amwang@redhat.com> Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: Eric Paris <eparis@redhat.com> Cc: Eugene Teo <eteo@redhat.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Christoph Hellwig <hch@lst.de> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: James Morris <jmorris@namei.org>
* Merge branch 'master' into nextJames Morris2009-08-19
|\ | | | | | | | | | | | | | | | | Conflicts: security/Kconfig Manual fix. Signed-off-by: James Morris <jmorris@namei.org>
| * Security/SELinux: seperate lsm specific mmap_min_addrEric Paris2009-08-17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently SELinux enforcement of controls on the ability to map low memory is determined by the mmap_min_addr tunable. This patch causes SELinux to ignore the tunable and instead use a seperate Kconfig option specific to how much space the LSM should protect. The tunable will now only control the need for CAP_SYS_RAWIO and SELinux permissions will always protect the amount of low memory designated by CONFIG_LSM_MMAP_MIN_ADDR. This allows users who need to disable the mmap_min_addr controls (usual reason being they run WINE as a non-root user) to do so and still have SELinux controls preventing confined domains (like a web server) from being able to map some area of low memory. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
| * SELinux: call cap_file_mmap in selinux_file_mmapEric Paris2009-08-17
| | | | | | | | | | | | | | | | | | | | | | | | Currently SELinux does not check CAP_SYS_RAWIO in the file_mmap hook. This means there is no DAC check on the ability to mmap low addresses in the memory space. This function adds the DAC check for CAP_SYS_RAWIO while maintaining the selinux check on mmap_zero. This means that processes which need to mmap low memory will need CAP_SYS_RAWIO and mmap_zero but will NOT need the SELinux sys_rawio capability. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
| * SELinux: fix memory leakage in /security/selinux/hooks.cJames Morris2009-08-10
| | | | | | | | | | | | | | | | | | | | | | Fix memory leakage in /security/selinux/hooks.c The buffer always needs to be freed here; we either error out or allocate more memory. Reported-by: iceberg <strakh@ispras.ru> Signed-off-by: James Morris <jmorris@namei.org> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
* | SELinux: Convert avc_audit to use lsm_audit.hThomas Liu2009-08-16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Convert avc_audit in security/selinux/avc.c to use lsm_audit.h, for better maintainability. - changed selinux to use common_audit_data instead of avc_audit_data - eliminated code in avc.c and used code from lsm_audit.h instead. Had to add a LSM_AUDIT_NO_AUDIT to lsm_audit.h so that avc_audit can call common_lsm_audit and do the pre and post callbacks without doing the actual dump. This makes it so that the patched version behaves the same way as the unpatched version. Also added a denied field to the selinux_audit_data private space, once again to make it so that the patched version behaves like the unpatched. I've tested and confirmed that AVCs look the same before and after this patch. Signed-off-by: Thomas Liu <tliu@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
* | SELinux: add selinux_kernel_module_requestEric Paris2009-08-13
| | | | | | | | | | | | | | | | | | | | | | This patch adds a new selinux hook so SELinux can arbitrate if a given process should be allowed to trigger a request for the kernel to try to load a module. This is a different operation than a process trying to load a module itself, which is already protected by CAP_SYS_MODULE. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
* | Security/SELinux: seperate lsm specific mmap_min_addrEric Paris2009-08-05
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently SELinux enforcement of controls on the ability to map low memory is determined by the mmap_min_addr tunable. This patch causes SELinux to ignore the tunable and instead use a seperate Kconfig option specific to how much space the LSM should protect. The tunable will now only control the need for CAP_SYS_RAWIO and SELinux permissions will always protect the amount of low memory designated by CONFIG_LSM_MMAP_MIN_ADDR. This allows users who need to disable the mmap_min_addr controls (usual reason being they run WINE as a non-root user) to do so and still have SELinux controls preventing confined domains (like a web server) from being able to map some area of low memory. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
* | SELinux: call cap_file_mmap in selinux_file_mmapEric Paris2009-08-05
| | | | | | | | | | | | | | | | | | | | | | | | Currently SELinux does not check CAP_SYS_RAWIO in the file_mmap hook. This means there is no DAC check on the ability to mmap low addresses in the memory space. This function adds the DAC check for CAP_SYS_RAWIO while maintaining the selinux check on mmap_zero. This means that processes which need to mmap low memory will need CAP_SYS_RAWIO and mmap_zero but will NOT need the SELinux sys_rawio capability. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
* | kernel: rename is_single_threaded(task) to current_is_single_threaded(void)Oleg Nesterov2009-07-16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | - is_single_threaded(task) is not safe unless task == current, we can't use task->signal or task->mm. - it doesn't make sense unless task == current, the task can fork right after the check. Rename it to current_is_single_threaded() and kill the argument. Signed-off-by: Oleg Nesterov <oleg@redhat.com> Acked-by: David Howells <dhowells@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
* | Revert "SELinux: Convert avc_audit to use lsm_audit.h"James Morris2009-07-12
| | | | | | | | | | | | | | | | This reverts commit 8113a8d80f4c6a3dc3724b39b470f3fee9c426b6. The patch causes a stack overflow on my system during boot. Signed-off-by: James Morris <jmorris@namei.org>
* | SELinux: Convert avc_audit to use lsm_audit.hThomas Liu2009-07-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Convert avc_audit in security/selinux/avc.c to use lsm_audit.h, for better maintainability and for less code duplication. - changed selinux to use common_audit_data instead of avc_audit_data - eliminated code in avc.c and used code from lsm_audit.h instead. I have tested to make sure that the avcs look the same before and after this patch. Signed-off-by: Thomas Liu <tliu@redhat.com> Acked-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
* | selinux: clean up avc node cache when disabling selinuxThomas Liu2009-06-24
| | | | | | | | | | | | | | | | | | | | Added a call to free the avc_node_cache when inside selinux_disable because it should not waste resources allocated during avc_init if SELinux is disabled and the cache will never be used. Signed-off-by: Thomas Liu <tliu@redhat.com> Acked-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
* | security: rename ptrace_may_access => ptrace_access_checkIngo Molnar2009-06-24
| | | | | | | | | | | | | | | | | | | | | | | | | | The ->ptrace_may_access() methods are named confusingly - the real ptrace_may_access() returns a bool, while these security checks have a retval convention. Rename it to ptrace_access_check, to reduce the confusion factor. [ Impact: cleanup, no code changed ] Signed-off-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: James Morris <jmorris@namei.org>
* | selinux: restore optimization to selinux_file_permissionStephen Smalley2009-06-22
| | | | | | | | | | | | | | | | | | | | | | Restore the optimization to skip revalidation in selinux_file_permission if nothing has changed since the dentry_open checks, accidentally removed by 389fb800. Also remove redundant test from selinux_revalidate_file_permission. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Reviewed-by: Paul Moore <paul.moore@hp.com> Acked-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
* | Merge branch 'master' into nextJames Morris2009-06-18
|\|
| * Merge branch 'master' of ↵David S. Miller2009-06-15
| |\ | | | | | | | | | | | | | | | | | | | | | | | | | | | master.kernel.org:/pub/scm/linux/kernel/git/torvalds/linux-2.6 Conflicts: Documentation/feature-removal-schedule.txt drivers/scsi/fcoe/fcoe.c net/core/drop_monitor.c net/core/net-traces.c
| | * SELinux: define audit permissions for audit tree netlink messagesEric Paris2009-06-02
| | | | | | | | | | | | | | | | | | | | | | | | | | | Audit trees defined 2 new netlink messages but the netlink mapping tables for selinux permissions were not set up. This patch maps these 2 new operations to AUDIT_WRITE. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
| | * selinux: remove obsolete read buffer limit from sel_read_boolStephen Smalley2009-05-19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | On Tue, 2009-05-19 at 00:05 -0400, Eamon Walsh wrote: > Recent versions of coreutils have bumped the read buffer size from 4K to > 32K in several of the utilities. > > This means that "cat /selinux/booleans/xserver_object_manager" no longer > works, it returns "Invalid argument" on F11. getsebool works fine. > > sel_read_bool has a check for "count > PAGE_SIZE" that doesn't seem to > be present in the other read functions. Maybe it could be removed? Yes, that check is obsoleted by the conversion of those functions to using simple_read_from_buffer(), which will reduce count if necessary to what is available in the buffer. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
| | * SELinux: move SELINUX_MAGIC into magic.hEric Paris2009-05-18
| | | | | | | | | | | | | | | | | | | | | | | | | | | The selinuxfs superblock magic is used inside the IMA code, but is being defined in two places and could someday get out of sync. This patch moves the declaration into magic.h so it is only done once. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
| | * Merge branch 'master' into nextJames Morris2009-05-08
| | |\
| | * | selinux: selinux_bprm_committed_creds() should wake up ->real_parent, not ↵Oleg Nesterov2009-04-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ->parent. We shouldn't worry about the tracer if current is ptraced, exec() must not succeed if the tracer has no rights to trace this task after cred changing. But we should notify ->real_parent which is, well, real parent. Also, we don't need _irq to take tasklist, and we don't need parent's ->siglock to wake_up_interruptible(real_parent->signal->wait_chldexit). Since we hold tasklist, real_parent->signal must be stable. Otherwise spin_lock(siglock) is not safe too and can't help anyway. Signed-off-by: Oleg Nesterov <oleg@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
| | * | SELinux: Don't flush inherited SIGKILL during execve()David Howells2009-04-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Don't flush inherited SIGKILL during execve() in SELinux's post cred commit hook. This isn't really a security problem: if the SIGKILL came before the credentials were changed, then we were right to receive it at the time, and should honour it; if it came after the creds were changed, then we definitely should honour it; and in any case, all that will happen is that the process will be scrapped before it ever returns to userspace. Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Oleg Nesterov <oleg@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
| | * | SELinux: drop secondary_ops->sysctlEric Paris2009-04-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We are still calling secondary_ops->sysctl even though the capabilities module does not define a sysctl operation. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
| | * | Permissive domain in userspace object managerKaiGai Kohei2009-04-01
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch enables applications to handle permissive domain correctly. Since the v2.6.26 kernel, SELinux has supported an idea of permissive domain which allows certain processes to work as if permissive mode, even if the global setting is enforcing mode. However, we don't have an application program interface to inform what domains are permissive one, and what domains are not. It means applications focuses on SELinux (XACE/SELinux, SE-PostgreSQL and so on) cannot handle permissive domain correctly. This patch add the sixth field (flags) on the reply of the /selinux/access interface which is used to make an access control decision from userspace. If the first bit of the flags field is positive, it means the required access control decision is on permissive domain, so application should allow any required actions, as the kernel doing. This patch also has a side benefit. The av_decision.flags is set at context_struct_compute_av(). It enables to check required permissions without read_lock(&policy_rwlock). Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: Eric Paris <eparis@redhat.com> -- security/selinux/avc.c | 2 +- security/selinux/include/security.h | 4 +++- security/selinux/selinuxfs.c | 4 ++-- security/selinux/ss/services.c | 30 +++++------------------------- 4 files changed, 11 insertions(+), 29 deletions(-) Signed-off-by: James Morris <jmorris@namei.org>
| * | | net: skb->dst accessorsEric Dumazet2009-06-03
| | |/ | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Define three accessors to get/set dst attached to a skb struct dst_entry *skb_dst(const struct sk_buff *skb) void skb_dst_set(struct sk_buff *skb, struct dst_entry *dst) void skb_dst_drop(struct sk_buff *skb) This one should replace occurrences of : dst_release(skb->dst) skb->dst = NULL; Delete skb->dst field Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | Add audit messages on type boundary violationsKaiGai Kohei2009-06-18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The attached patch adds support to generate audit messages on two cases. The first one is a case when a multi-thread process tries to switch its performing security context using setcon(3), but new security context is not bounded by the old one. type=SELINUX_ERR msg=audit(1245311998.599:17): \ op=security_bounded_transition result=denied \ oldcontext=system_u:system_r:httpd_t:s0 \ newcontext=system_u:system_r:guest_webapp_t:s0 The other one is a case when security_compute_av() masked any permissions due to the type boundary violation. type=SELINUX_ERR msg=audit(1245312836.035:32): \ op=security_compute_av reason=bounds \ scontext=system_u:object_r:user_webapp_t:s0 \ tcontext=system_u:object_r:shadow_t:s0:c0 \ tclass=file perms=getattr,open Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
* | | cleanup in ss/services.cKaiGai Kohei2009-06-18
|/ / | | | | | | | | | | | | | | | | | | It is a cleanup patch to cut down a line within 80 columns. Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com> -- security/selinux/ss/services.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) Signed-off-by: James Morris <jmorris@namei.org>
* / selinux: Fix send_sigiotask hookStephen Smalley2009-05-04
|/ | | | | | | | | | | The CRED patch incorrectly converted the SELinux send_sigiotask hook to use the current task SID rather than the target task SID in its permission check, yielding the wrong permission check. This fixes the hook function. Detected by the ltp selinux testsuite and confirmed to correct the test failure. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
* selinux: Remove the "compat_net" compatibility codePaul Moore2009-03-28
| | | | | | | | | | The SELinux "compat_net" is marked as deprecated, the time has come to finally remove it from the kernel. Further code simplifications are likely in the future, but this patch was intended to be a simple, straight-up removal of the compat_net code. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>