summaryrefslogtreecommitdiffstats
path: root/security
Commit message (Collapse)AuthorAgeFilesLines
* Security: Introduce security= boot parameterAhmed S. Darwish2008-04-196-4/+65
| | | | | | | | | | | | | | | | | | | | | Add the security= boot parameter. This is done to avoid LSM registration clashes in case of more than one bult-in module. User can choose a security module to enable at boot. If no security= boot parameter is specified, only the first LSM asking for registration will be loaded. An invalid security module name will be treated as if no module has been chosen. LSM modules must check now if they are allowed to register by calling security_module_enable(ops) first. Modify SELinux and SMACK to do so. Do not let SMACK register smackfs if it was not chosen on boot. Smackfs assumes that smack hooks are registered and the initial task security setup (swapper->security) is done. Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com> Acked-by: James Morris <jmorris@namei.org>
* Audit: Final renamings and cleanupAhmed S. Darwish2008-04-191-0/+65
| | | | | | | | | Rename the se_str and se_rule audit fields elements to lsm_str and lsm_rule to avoid confusion. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com> Acked-by: James Morris <jmorris@namei.org>
* SELinux: use new audit hooks, remove redundant exportsAhmed S. Darwish2008-04-192-11/+42
| | | | | | | | | | | | | Setup the new Audit LSM hooks for SELinux. Remove the now redundant exported SELinux Audit interface. Audit: Export 'audit_krule' and 'audit_field' to the public since their internals are needed by the implementation of the new LSM hook 'audit_rule_known'. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com> Acked-by: James Morris <jmorris@namei.org>
* LSM/Audit: Introduce generic Audit LSM hooksAhmed S. Darwish2008-04-192-1/+55
| | | | | | | | | | | | | | | | | Introduce a generic Audit interface for security modules by adding the following new LSM hooks: audit_rule_init(field, op, rulestr, lsmrule) audit_rule_known(krule) audit_rule_match(secid, field, op, rule, actx) audit_rule_free(rule) Those hooks are only available if CONFIG_AUDIT is enabled. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com> Acked-by: James Morris <jmorris@namei.org> Reviewed-by: Paul Moore <paul.moore@hp.com>
* SELinux: remove redundant exportsAhmed S. Darwish2008-04-191-42/+0
| | | | | | | | | | | | | | | | | | | | Remove the following exported SELinux interfaces: selinux_get_inode_sid(inode, sid) selinux_get_ipc_sid(ipcp, sid) selinux_get_task_sid(tsk, sid) selinux_sid_to_string(sid, ctx, len) They can be substitued with the following generic equivalents respectively: new LSM hook, inode_getsecid(inode, secid) new LSM hook, ipc_getsecid*(ipcp, secid) LSM hook, task_getsecid(tsk, secid) LSM hook, sid_to_secctx(sid, ctx, len) Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com> Acked-by: James Morris <jmorris@namei.org> Reviewed-by: Paul Moore <paul.moore@hp.com>
* SELinux: setup new inode/ipc getsecid hooksAhmed S. Darwish2008-04-191-2/+17
| | | | | | | | | | Setup the new inode_getsecid and ipc_getsecid() LSM hooks for SELinux. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com> Acked-by: James Morris <jmorris@namei.org> Reviewed-by: Paul Moore <paul.moore@hp.com>
* LSM: Introduce inode_getsecid and ipc_getsecid hooksAhmed S. Darwish2008-04-192-1/+25
| | | | | | | | | | | | | | | | Introduce inode_getsecid(inode, secid) and ipc_getsecid(ipcp, secid) LSM hooks. These hooks will be used instead of similar exported SELinux interfaces. Let {inode,ipc,task}_getsecid hooks set the secid to 0 by default if CONFIG_SECURITY is not defined or if the hook is set to NULL (dummy). This is done to notify the caller that no valid secid exists. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com> Acked-by: James Morris <jmorris@namei.org> Reviewed-by: Paul Moore <paul.moore@hp.com>
* security: enhance DEFAULT_MMAP_MIN_ADDR descriptionmaximilian attems2008-04-181-4/+6
| | | | | | | | | | | | | | | | | Got burned by setting the proposed default of 65536 across all Debian archs. Thus proposing to be more specific on which archs you may set this. Also propose a value for arm and friends that doesn't break sshd. Reword to mention working archs ia64 and ppc64 too. Signed-off-by: maximilian attems <max@stro.at> Cc: Martin Michlmayr <tbm@cyrius.com> Cc: Gordon Farquharson <gordonfarquharson@gmail.com> Acked-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
* SELinux: add netport.[ch]James Morris2008-04-182-0/+317
| | | | | | Thank you, git. Signed-off-by: James Morris <jmorris@namei.org>
* SELinux: Add network port SID cachePaul Moore2008-04-185-21/+17
| | | | | | | | | | | | | | Much like we added a network node cache, this patch adds a network port cache. The design is taken almost completely from the network node cache which in turn was taken from the network interface cache. The basic idea is to cache entries in a hash table based on protocol/port information. The hash function only takes the port number into account since the number of different protocols in use at any one time is expected to be relatively small. Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
* SELinux: turn mount options strings into definesEric Paris2008-04-182-8/+13
| | | | | | | | | Convert the strings used for mount options into #defines rather than retyping the string throughout the SELinux code. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
* selinux/ss/services.c should #include <linux/selinux.h>Adrian Bunk2008-04-181-0/+1
| | | | | | | | Every file should include the headers containing the externs for its global code. Signed-off-by: Adrian Bunk <bunk@kernel.org> Signed-off-by: James Morris <jmorris@namei.org>
* selinux: introduce permissive typesEric Paris2008-04-186-6/+48
| | | | | | | | | | | | | Introduce the concept of a permissive type. A new ebitmap is introduced to the policy database which indicates if a given type has the permissive bit set or not. This bit is tested for the scontext of any denial. The bit is meaningless on types which only appear as the target of a decision and never the source. A domain running with a permissive type will be allowed to perform any action similarly to when the system is globally set permissive. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
* selinux: remove ptrace_sidRoland McGrath2008-04-182-25/+47
| | | | | | | | | | | This changes checks related to ptrace to get rid of the ptrace_sid tracking. It's good to disentangle the security model from the ptrace implementation internals. It's sufficient to check against the SID of the ptracer at the time a tracee attempts a transition. Signed-off-by: Roland McGrath <roland@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
* SELinux: requesting no permissions in avc_has_perm_noaudit is a BUG()Eric Paris2008-04-181-1/+3
| | | | | | | | | | | | | This patch turns the case where we have a call into avc_has_perm with no requested permissions into a BUG_ON. All callers to this should be in the kernel and thus should be a function we need to fix if we ever hit this. The /selinux/access permission checking it done directly in the security server and not through the avc, so those requests which we cannot control from userspace should not be able to trigger this BUG_ON. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen D. Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
* security: code cleanupAndrew Morton2008-04-181-1/+1
| | | | | | | | | | | | | | | | | | | | ERROR: "(foo*)" should be "(foo *)" #168: FILE: security/selinux/hooks.c:2656: + "%s, rc=%d\n", __func__, (char*)value, -rc); total: 1 errors, 0 warnings, 195 lines checked ./patches/security-replace-remaining-__function__-occurences.patch has style problems, please review. If any of these errors are false positives report them to the maintainer, see CHECKPATCH in MAINTAINERS. Please run checkpatch prior to sending patches Cc: Harvey Harrison <harvey.harrison@gmail.com> Cc: James Morris <jmorris@namei.org> Cc: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: James Morris <jmorris@namei.org>
* security: replace remaining __FUNCTION__ occurrencesHarvey Harrison2008-04-188-26/+26
| | | | | | | | | | __FUNCTION__ is gcc-specific, use __func__ Signed-off-by: Harvey Harrison <harvey.harrison@gmail.com> Cc: James Morris <jmorris@namei.org> Cc: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: James Morris <jmorris@namei.org>
* SELinux: create new open permissionEric Paris2008-04-186-2/+47
| | | | | | | | | | | | | | | Adds a new open permission inside SELinux when 'opening' a file. The idea is that opening a file and reading/writing to that file are not the same thing. Its different if a program had its stdout redirected to /tmp/output than if the program tried to directly open /tmp/output. This should allow policy writers to more liberally give read/write permissions across the policy while still blocking many design and programing flaws SELinux is so good at catching today. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Reviewed-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
* selinux: selinux/netlabel.c should #include "netlabel.h"Adrian Bunk2008-04-181-0/+1
| | | | | | | | | Every file should include the headers containing the externs for its global code. Signed-off-by: Adrian Bunk <bunk@kernel.org> Acked-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
* SELinux: unify printk messagesJames Morris2008-04-185-76/+76
| | | | | | | | Replace "security:" prefixes in printk messages with "SELinux" to help users identify the source of the messages. Also fix a couple of minor formatting issues. Signed-off-by: James Morris <jmorris@namei.org>
* SELinux: remove unused backpointers from security objectsJames Morris2008-04-182-14/+0
| | | | | | Remove unused backpoiters from security objects. Signed-off-by: James Morris <jmorris@namei.org>
* SELinux: Correct the NetLabel locking for the sk_security_structPaul Moore2008-04-184-87/+15
| | | | | | | | | | | | The RCU/spinlock locking approach for the nlbl_state in the sk_security_struct was almost certainly overkill. This patch removes both the RCU and spinlock locking, relying on the existing socket locks to handle the case of multiple writers. This change also makes several code reductions possible. Less locking, less code - it's a Good Thing. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
* SELinux: don't BUG if fs reuses a superblockEric Paris2008-04-101-4/+4
| | | | | | | | | | | | | I (wrongly) assumed that nfs_xdev_get_sb() would not ever share a superblock and so cloning mount options would always be correct. Turns out that isn't the case and we could fall over a BUG_ON() that wasn't a BUG at all. Since there is little we can do to reconcile different mount options this patch just leaves the sb alone and the first set of options wins. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: Trond Myklebust <trond.myklebust@fys.uio.no> Signed-off-by: James Morris <jmorris@namei.org>
* SELinux: more GFP_NOFS fixups to prevent selinux from re-entering the fs codeStephen Smalley2008-04-083-9/+13
| | | | | | | | More cases where SELinux must not re-enter the fs code. Called from the d_instantiate security hook. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
* selinux: prevent rentry into the FSJosef Bacik2008-04-041-2/+2
| | | | | | | | | | | BUG fix. Keep us from re-entering the fs when we aren't supposed to. See discussion at http://marc.info/?t=120716967100004&r=1&w=2 Signed-off-by: Josef Bacik <jbacik@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
* selinux: handle files opened with flags 3 by checking ioctl permissionStephen Smalley2008-04-021-0/+6
| | | | | | | | | | | | | Handle files opened with flags 3 by checking ioctl permission. Default to returning FILE__IOCTL from file_to_av() if the f_mode has neither FMODE_READ nor FMODE_WRITE, and thus check ioctl permission on exec or transfer, thereby validating such descriptors early as with normal r/w descriptors and catching leaks of them prior to attempted usage. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
* smackfs: remove redundant lock, fix open(,O_RDWR)Ahmed S. Darwish2008-03-241-33/+2
| | | | | | | | | | | | | | | | Older smackfs was parsing MAC rules by characters, thus a need of locking write sessions on open() was needed. This lock is no longer useful now since each rule is handled by a single write() call. This is also a bugfix since seq_open() was not called if an open() O_RDWR flag was given, leading to a seq_read() without an initialized seq_file, thus an Oops. Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com> Reported-by: Jonathan Corbet <corbet@lwn.net> Acked-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* file capabilities: remove cap_task_kill()Serge Hallyn2008-03-203-46/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | The original justification for cap_task_kill() was as follows: check_kill_permission() does appropriate uid equivalence checks. However with file capabilities it becomes possible for an unprivileged user to execute a file with file capabilities resulting in a more privileged task with the same uid. However now that cap_task_kill() always returns 0 (permission granted) when p->uid==current->uid, the whole hook is worthless, and only likely to create more subtle problems in the corner cases where it might still be called but return -EPERM. Those cases are basically when uids are different but euid/suid is equivalent as per the check in check_kill_permission(). One example of a still-broken application is 'at' for non-root users. This patch removes cap_task_kill(). Signed-off-by: Serge Hallyn <serge@hallyn.com> Acked-by: Andrew G. Morgan <morgan@kernel.org> Earlier-version-tested-by: Luiz Fernando N. Capitulino <lcapitulino@mandriva.com.br> Acked-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* smack: do not dereference NULL ipc objectAhmed S. Darwish2008-03-191-3/+6
| | | | | | | | | | | | | | In the SYSV ipc msgctl(),semctl(),shmctl() family, if the user passed *_INFO as the desired operation, no specific object is meant to be controlled and only system-wide information is returned. This leads to a NULL IPC object in the LSM hooks if the _INFO flag is given. Avoid dereferencing this NULL pointer in Smack ipc *ctl() methods. Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* make selinux_parse_opts_str() staticAdrian Bunk2008-03-181-1/+2
| | | | | | | | This patch makes the needlessly global selinux_parse_opts_str() static. Signed-off-by: Adrian Bunk <bunk@kernel.org> Acked-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
* smackfs: do not trust `count' in inodes write()sAhmed S. Darwish2008-03-132-19/+20
| | | | | | | | | | | | | | | | Smackfs write() implementation does not put a higher bound on the number of bytes to copy from user-space. This may lead to a DOS attack if a malicious `count' field is given. Assure that given `count' is exactly the length needed for a /smack/load rule. In case of /smack/cipso where the length is relative, assure that `count' does not exceed the size needed for a buffer representing maximum possible number of CIPSO 2.2 categories. Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* LSM/SELinux: Interfaces to allow FS to control mount optionsEric Paris2008-03-065-107/+128
| | | | | | | | | | | | | | | | | | Introduce new LSM interfaces to allow an FS to deal with their own mount options. This includes a new string parsing function exported from the LSM that an FS can use to get a security data blob and a new security data blob. This is particularly useful for an FS which uses binary mount data, like NFS, which does not pass strings into the vfs to be handled by the loaded LSM. Also fix a BUG() in both SELinux and SMACK when dealing with binary mount data. If the binary mount data is less than one page the copy_page() in security_sb_copy_data() can cause an illegal page fault and boom. Remove all NFSisms from the SELinux code since they were broken by past NFS changes. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: James Morris <jmorris@namei.org>
* Smack: update for file capabilitiesCasey Schaufler2008-02-231-13/+74
| | | | | | | | | | | | | | Update the Smack LSM to allow the registration of the capability "module" as a secondary LSM. Integrate the new hooks required for file based capabilities. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Cc: Serge Hallyn <serue@us.ibm.com> Cc: Stephen Smalley <sds@tycho.nsa.gov> Cc: Paul Moore <paul.moore@hp.com> Cc: James Morris <jmorris@namei.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* file capabilities: simplify signal checkSerge E. Hallyn2008-02-231-1/+1
| | | | | | | | | | | | | Simplify the uid equivalence check in cap_task_kill(). Anyone can kill a process owned by the same uid. Without this patch wireshark is reported to fail. Signed-off-by: Serge E. Hallyn <serue@us.ibm.com> Signed-off-by: Andrew G. Morgan <morgan@kernel.org> Cc: <stable@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* Smack: unlabeled outgoing ambient packetsCasey Schaufler2008-02-192-23/+74
| | | | | | | | | | | | | | | | | | | | | Smack uses CIPSO labeling, but allows for unlabeled packets by specifying an "ambient" label that is applied to incoming unlabeled packets. Because the other end of the connection may dislike IP options, and ssh is one know application that behaves thus, it is prudent to respond in kind. This patch changes the network labeling behavior such that an outgoing packet that would be given a CIPSO label that matches the ambient label is left unlabeled. An "unlbl" domain is added and the netlabel defaulting mechanism invoked rather than assuming that everything is CIPSO. Locking has been added around changes to the ambient label as the mechanisms used to do so are more involved. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Acked-by: Paul Moore <paul.moore@hp.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* d_path: Use struct path in struct avc_audit_dataJan Blunck2008-02-143-25/+24
| | | | | | | | | | | | | | | | | audit_log_d_path() is a d_path() wrapper that is used by the audit code. To use a struct path in audit_log_d_path() I need to embed it into struct avc_audit_data. [akpm@linux-foundation.org: coding-style fixes] Signed-off-by: Jan Blunck <jblunck@suse.de> Acked-by: Christoph Hellwig <hch@infradead.org> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: "J. Bruce Fields" <bfields@fieldses.org> Cc: Neil Brown <neilb@suse.de> Cc: Stephen Smalley <sds@tycho.nsa.gov> Cc: James Morris <jmorris@namei.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* Embed a struct path into struct nameidata instead of nd->{dentry,mnt}Jan Blunck2008-02-142-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This is the central patch of a cleanup series. In most cases there is no good reason why someone would want to use a dentry for itself. This series reflects that fact and embeds a struct path into nameidata. Together with the other patches of this series - it enforced the correct order of getting/releasing the reference count on <dentry,vfsmount> pairs - it prepares the VFS for stacking support since it is essential to have a struct path in every place where the stack can be traversed - it reduces the overall code size: without patch series: text data bss dec hex filename 5321639 858418 715768 6895825 6938d1 vmlinux with patch series: text data bss dec hex filename 5320026 858418 715768 6894212 693284 vmlinux This patch: Switch from nd->{dentry,mnt} to nd->path.{dentry,mnt} everywhere. [akpm@linux-foundation.org: coding-style fixes] [akpm@linux-foundation.org: fix cifs] [akpm@linux-foundation.org: fix smack] Signed-off-by: Jan Blunck <jblunck@suse.de> Signed-off-by: Andreas Gruenbacher <agruen@suse.de> Acked-by: Christoph Hellwig <hch@lst.de> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* Smack: check for 'struct socket' with NULL skAhmed S. Darwish2008-02-131-4/+5
| | | | | | | | | | | | | | There's a small problem with smack and NFS. A similar report was also sent here: http://lkml.org/lkml/2007/10/27/85 I've also added similar checks in inode_{get/set}security(). Cheating from SELinux post_create_socket(), it does the same. [akpm@linux-foundation.org: remove uneeded BUG_ON()] Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com> Acked-by: Casey Schaufler <casey@schuafler-ca.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* selinux: support 64-bit capabilitiesStephen Smalley2008-02-115-2/+27
| | | | | | | | | Fix SELinux to handle 64-bit capabilities correctly, and to catch future extensions of capabilities beyond 64 bits to ensure that SELinux is properly updated. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
* Convert ERR_PTR(PTR_ERR(p)) instances to ERR_CAST(p)David Howells2008-02-074-4/+4
| | | | | | | | | | Convert instances of ERR_PTR(PTR_ERR(p)) to ERR_CAST(p) using: perl -spi -e 's/ERR_PTR[(]PTR_ERR[(](.*)[)][)]/ERR_CAST(\1)/' `grep -rl 'ERR_PTR[(]*PTR_ERR' fs crypto net security` Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* SELinux: Remove security_get_policycaps()Paul Moore2008-02-062-34/+0
| | | | | | | | | The security_get_policycaps() functions has a couple of bugs in it and it isn't currently used by any in-tree code, so get rid of it and all of it's bugginess. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@localhost.localdomain>
* security: allow Kconfig to set default mmap_min_addr protectionEric Paris2008-02-062-1/+21
| | | | | | | | | | | | | Since it was decided that low memory protection from userspace couldn't be turned on by default add a Kconfig option to allow users/distros to set a default at compile time. This value is still tunable after boot in /proc/sys/vm/mmap_min_addr Discussion: http://www.mail-archive.com/linux-security-module@vger.kernel.org/msg02543.html Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
* Smack: Simplified Mandatory Access Control KernelCasey Schaufler2008-02-058-0/+4095
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Smack is the Simplified Mandatory Access Control Kernel. Smack implements mandatory access control (MAC) using labels attached to tasks and data containers, including files, SVIPC, and other tasks. Smack is a kernel based scheme that requires an absolute minimum of application support and a very small amount of configuration data. Smack uses extended attributes and provides a set of general mount options, borrowing technics used elsewhere. Smack uses netlabel for CIPSO labeling. Smack provides a pseudo-filesystem smackfs that is used for manipulation of system Smack attributes. The patch, patches for ls and sshd, a README, a startup script, and x86 binaries for ls and sshd are also available on http://www.schaufler-ca.com Development has been done using Fedora Core 7 in a virtual machine environment and on an old Sony laptop. Smack provides mandatory access controls based on the label attached to a task and the label attached to the object it is attempting to access. Smack labels are deliberately short (1-23 characters) text strings. Single character labels using special characters are reserved for system use. The only operation applied to Smack labels is equality comparison. No wildcards or expressions, regular or otherwise, are used. Smack labels are composed of printable characters and may not include "/". A file always gets the Smack label of the task that created it. Smack defines and uses these labels: "*" - pronounced "star" "_" - pronounced "floor" "^" - pronounced "hat" "?" - pronounced "huh" The access rules enforced by Smack are, in order: 1. Any access requested by a task labeled "*" is denied. 2. A read or execute access requested by a task labeled "^" is permitted. 3. A read or execute access requested on an object labeled "_" is permitted. 4. Any access requested on an object labeled "*" is permitted. 5. Any access requested by a task on an object with the same label is permitted. 6. Any access requested that is explicitly defined in the loaded rule set is permitted. 7. Any other access is denied. Rules may be explicitly defined by writing subject,object,access triples to /smack/load. Smack rule sets can be easily defined that describe Bell&LaPadula sensitivity, Biba integrity, and a variety of interesting configurations. Smack rule sets can be modified on the fly to accommodate changes in the operating environment or even the time of day. Some practical use cases: Hierarchical levels. The less common of the two usual uses for MLS systems is to define hierarchical levels, often unclassified, confidential, secret, and so on. To set up smack to support this, these rules could be defined: C Unclass rx S C rx S Unclass rx TS S rx TS C rx TS Unclass rx A TS process can read S, C, and Unclass data, but cannot write it. An S process can read C and Unclass. Note that specifying that TS can read S and S can read C does not imply TS can read C, it has to be explicitly stated. Non-hierarchical categories. This is the more common of the usual uses for an MLS system. Since the default rule is that a subject cannot access an object with a different label no access rules are required to implement compartmentalization. A case that the Bell & LaPadula policy does not allow is demonstrated with this Smack access rule: A case that Bell&LaPadula does not allow that Smack does: ESPN ABC r ABC ESPN r On my portable video device I have two applications, one that shows ABC programming and the other ESPN programming. ESPN wants to show me sport stories that show up as news, and ABC will only provide minimal information about a sports story if ESPN is covering it. Each side can look at the other's info, neither can change the other. Neither can see what FOX is up to, which is just as well all things considered. Another case that I especially like: SatData Guard w Guard Publish w A program running with the Guard label opens a UDP socket and accepts messages sent by a program running with a SatData label. The Guard program inspects the message to ensure it is wholesome and if it is sends it to a program running with the Publish label. This program then puts the information passed in an appropriate place. Note that the Guard program cannot write to a Publish file system object because file system semanitic require read as well as write. The four cases (categories, levels, mutual read, guardbox) here are all quite real, and problems I've been asked to solve over the years. The first two are easy to do with traditonal MLS systems while the last two you can't without invoking privilege, at least for a while. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Cc: Joshua Brindle <method@manicmethod.com> Cc: Paul Moore <paul.moore@hp.com> Cc: Stephen Smalley <sds@tycho.nsa.gov> Cc: Chris Wright <chrisw@sous-sol.org> Cc: James Morris <jmorris@namei.org> Cc: "Ahmed S. Darwish" <darwish.07@gmail.com> Cc: Andrew G. Morgan <morgan@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* capabilities: introduce per-process capability bounding setSerge E. Hallyn2008-02-051-17/+27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The capability bounding set is a set beyond which capabilities cannot grow. Currently cap_bset is per-system. It can be manipulated through sysctl, but only init can add capabilities. Root can remove capabilities. By default it includes all caps except CAP_SETPCAP. This patch makes the bounding set per-process when file capabilities are enabled. It is inherited at fork from parent. Noone can add elements, CAP_SETPCAP is required to remove them. One example use of this is to start a safer container. For instance, until device namespaces or per-container device whitelists are introduced, it is best to take CAP_MKNOD away from a container. The bounding set will not affect pP and pE immediately. It will only affect pP' and pE' after subsequent exec()s. It also does not affect pI, and exec() does not constrain pI'. So to really start a shell with no way of regain CAP_MKNOD, you would do prctl(PR_CAPBSET_DROP, CAP_MKNOD); cap_t cap = cap_get_proc(); cap_value_t caparray[1]; caparray[0] = CAP_MKNOD; cap_set_flag(cap, CAP_INHERITABLE, 1, caparray, CAP_DROP); cap_set_proc(cap); cap_free(cap); The following test program will get and set the bounding set (but not pI). For instance ./bset get (lists capabilities in bset) ./bset drop cap_net_raw (starts shell with new bset) (use capset, setuid binary, or binary with file capabilities to try to increase caps) ************************************************************ cap_bound.c ************************************************************ #include <sys/prctl.h> #include <linux/capability.h> #include <sys/types.h> #include <unistd.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #ifndef PR_CAPBSET_READ #define PR_CAPBSET_READ 23 #endif #ifndef PR_CAPBSET_DROP #define PR_CAPBSET_DROP 24 #endif int usage(char *me) { printf("Usage: %s get\n", me); printf(" %s drop <capability>\n", me); return 1; } #define numcaps 32 char *captable[numcaps] = { "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner", "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap", "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast", "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner", "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace", "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice", "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod", "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap" }; int getbcap(void) { int comma=0; unsigned long i; int ret; printf("i know of %d capabilities\n", numcaps); printf("capability bounding set:"); for (i=0; i<numcaps; i++) { ret = prctl(PR_CAPBSET_READ, i); if (ret < 0) perror("prctl"); else if (ret==1) printf("%s%s", (comma++) ? ", " : " ", captable[i]); } printf("\n"); return 0; } int capdrop(char *str) { unsigned long i; int found=0; for (i=0; i<numcaps; i++) { if (strcmp(captable[i], str) == 0) { found=1; break; } } if (!found) return 1; if (prctl(PR_CAPBSET_DROP, i)) { perror("prctl"); return 1; } return 0; } int main(int argc, char *argv[]) { if (argc<2) return usage(argv[0]); if (strcmp(argv[1], "get")==0) return getbcap(); if (strcmp(argv[1], "drop")!=0 || argc<3) return usage(argv[0]); if (capdrop(argv[2])) { printf("unknown capability\n"); return 1; } return execl("/bin/bash", "/bin/bash", NULL); } ************************************************************ [serue@us.ibm.com: fix typo] Signed-off-by: Serge E. Hallyn <serue@us.ibm.com> Signed-off-by: Andrew G. Morgan <morgan@kernel.org> Cc: Stephen Smalley <sds@tycho.nsa.gov> Cc: James Morris <jmorris@namei.org> Cc: Chris Wright <chrisw@sous-sol.org> Cc: Casey Schaufler <casey@schaufler-ca.com>a Signed-off-by: "Serge E. Hallyn" <serue@us.ibm.com> Tested-by: Jiri Slaby <jirislaby@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* Add 64-bit capability support to the kernelAndrew Morgan2008-02-052-36/+68
| | | | | | | | | | | | | | | | | | | | | | | | | | | The patch supports legacy (32-bit) capability userspace, and where possible translates 32-bit capabilities to/from userspace and the VFS to 64-bit kernel space capabilities. If a capability set cannot be compressed into 32-bits for consumption by user space, the system call fails, with -ERANGE. FWIW libcap-2.00 supports this change (and earlier capability formats) http://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.6/ [akpm@linux-foundation.org: coding-syle fixes] [akpm@linux-foundation.org: use get_task_comm()] [ezk@cs.sunysb.edu: build fix] [akpm@linux-foundation.org: do not initialise statics to 0 or NULL] [akpm@linux-foundation.org: unused var] [serue@us.ibm.com: export __cap_ symbols] Signed-off-by: Andrew G. Morgan <morgan@kernel.org> Cc: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: Serge Hallyn <serue@us.ibm.com> Cc: Chris Wright <chrisw@sous-sol.org> Cc: James Morris <jmorris@namei.org> Cc: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: Erez Zadok <ezk@cs.sunysb.edu> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* revert "capabilities: clean up file capability reading"Andrew Morton2008-02-051-15/+8
| | | | | | | | | | | | | | | | | | | | | | | Revert b68680e4731abbd78863063aaa0dca2a6d8cc723 to make way for the next patch: "Add 64-bit capability support to the kernel". We want to keep the vfs_cap_data.data[] structure, using two 'data's for 64-bit caps (and later three for 96-bit caps), whereas b68680e4731abbd78863063aaa0dca2a6d8cc723 had gotten rid of the 'data' struct made its members inline. The 64-bit caps patch keeps the stack abuse fix at get_file_caps(), which was the more important part of that patch. [akpm@linux-foundation.org: coding-style fixes] Cc: Stephen Smalley <sds@tycho.nsa.gov> Cc: Serge Hallyn <serue@us.ibm.com> Cc: Chris Wright <chrisw@sous-sol.org> Cc: James Morris <jmorris@namei.org> Cc: Casey Schaufler <casey@schaufler-ca.com> Cc: Andrew Morgan <morgan@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* VFS/Security: Rework inode_getsecurity and callers to return resulting bufferDavid P. Quigley2008-02-053-31/+18
| | | | | | | | | | | | | | | | | | | | | | | | | | This patch modifies the interface to inode_getsecurity to have the function return a buffer containing the security blob and its length via parameters instead of relying on the calling function to give it an appropriately sized buffer. Security blobs obtained with this function should be freed using the release_secctx LSM hook. This alleviates the problem of the caller having to guess a length and preallocate a buffer for this function allowing it to be used elsewhere for Labeled NFS. The patch also removed the unused err parameter. The conversion is similar to the one performed by Al Viro for the security_getprocattr hook. Signed-off-by: David P. Quigley <dpquigl@tycho.nsa.gov> Cc: Stephen Smalley <sds@tycho.nsa.gov> Cc: Chris Wright <chrisw@sous-sol.org> Acked-by: James Morris <jmorris@namei.org> Acked-by: Serge Hallyn <serue@us.ibm.com> Cc: Casey Schaufler <casey@schaufler-ca.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Christoph Hellwig <hch@lst.de> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* [AUDIT] add session id to audit messagesEric Paris2008-02-012-9/+13
| | | | | | | | | In order to correlate audit records to an individual login add a session id. This is incremented every time a user logs in and is included in almost all messages which currently output the auid. The field is labeled ses= or oses= Signed-off-by: Eric Paris <eparis@redhat.com>
* [PATCH] switch audit_get_loginuid() to task_struct *Al Viro2008-02-012-4/+4
| | | | | | all callers pass something->audit_context Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* [SELinux]: Fix double free in selinux_netlbl_sock_setsid()Paul Moore2008-01-311-1/+0
| | | | | | | | | | | | As pointed out by Adrian Bunk, commit 45c950e0f839fded922ebc0bfd59b1081cc71b70 ("fix memory leak in netlabel code") caused a double-free when security_netlbl_sid_to_secattr() fails. This patch fixes this by removing the netlbl_secattr_destroy() call from that function since we are already releasing the secattr memory in selinux_netlbl_sock_setsid(). Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
OpenPOWER on IntegriCloud