1. 16 Jun, 2015 4 commits
    • Mimi Zohar's avatar
      ima: update builtin policies · 24fd03c8
      Mimi Zohar authored
      This patch defines a builtin measurement policy "tcb", similar to the
      existing "ima_tcb", but with additional rules to also measure files
      based on the effective uid and to measure files opened with the "read"
      mode bit set (eg. read, read-write).
      
      Changing the builtin "ima_tcb" policy could potentially break existing
      users.  Instead of defining a new separate boot command line option each
      time the builtin measurement policy is modified, this patch defines a
      single generic boot command line option "ima_policy=" to specify the
      builtin policy and deprecates the use of the builtin ima_tcb policy.
      
      [The "ima_policy=" boot command line option is based on Roberto Sassu's
      "ima: added new policy type exec" patch.]
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      Signed-off-by: default avatarDr. Greg Wettstein <gw@idfusion.org>
      Cc: stable@vger.kernel.org
      24fd03c8
    • Mimi Zohar's avatar
      ima: extend "mask" policy matching support · 4351c294
      Mimi Zohar authored
      The current "mask" policy option matches files opened as MAY_READ,
      MAY_WRITE, MAY_APPEND or MAY_EXEC.  This patch extends the "mask"
      option to match files opened containing one of these modes.  For
      example, "mask=^MAY_READ" would match files opened read-write.
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      Signed-off-by: default avatarDr. Greg Wettstein <gw@idfusion.org>
      Cc: stable@vger.kernel.org
      4351c294
    • Mimi Zohar's avatar
      ima: add support for new "euid" policy condition · 139069ef
      Mimi Zohar authored
      The new "euid" policy condition measures files with the specified
      effective uid (euid).  In addition, for CAP_SETUID files it measures
      files with the specified uid or suid.
      
      Changelog:
      - fixed checkpatch.pl warnings
      - fixed avc denied {setuid} messages - based on Roberto's feedback
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      Signed-off-by: default avatarDr. Greg Wettstein <gw@idfusion.org>
      Cc: stable@vger.kernel.org
      139069ef
    • Mimi Zohar's avatar
      ima: fix ima_show_template_data_ascii() · 45b26133
      Mimi Zohar authored
      This patch fixes a bug introduced in "4d7aeee ima: define new template
      ima-ng and template fields d-ng and n-ng".
      
      Changelog:
      - change int to uint32 (Roberto Sassu's suggestion)
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      Signed-off-by: default avatarRoberto Sassu <rsassu@suse.de>
      Cc: stable@vger.kernel.org # 3.13
      45b26133
  2. 12 Jun, 2015 2 commits
  3. 05 Jun, 2015 1 commit
    • J. Bruce Fields's avatar
      selinux: fix setting of security labels on NFS · 9fc2b4b4
      J. Bruce Fields authored
      Before calling into the filesystem, vfs_setxattr calls
      security_inode_setxattr, which ends up calling selinux_inode_setxattr in
      our case.  That returns -EOPNOTSUPP whenever SBLABEL_MNT is not set.
      SBLABEL_MNT was supposed to be set by sb_finish_set_opts, which sets it
      only if selinux_is_sblabel_mnt returns true.
      
      The selinux_is_sblabel_mnt logic was broken by eadcabc6 "SELinux: do
      all flags twiddling in one place", which didn't take into the account
      the SECURITY_FS_USE_NATIVE behavior that had been introduced for nfs
      with eb9ae686 "SELinux: Add new labeling type native labels".
      
      This caused setxattr's of security labels over NFSv4.2 to fail.
      
      Cc: stable@kernel.org # 3.13
      Cc: Eric Paris <eparis@redhat.com>
      Cc: David Quigley <dpquigl@davequigley.com>
      Reported-by: default avatarRichard Chan <rc556677@outlook.com>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      Acked-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      [PM: added the stable dependency]
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      9fc2b4b4
  4. 04 Jun, 2015 6 commits
    • Stephen Smalley's avatar
      selinux: Remove unused permission definitions · 42a9699a
      Stephen Smalley authored
      Remove unused permission definitions from SELinux.
      Many of these were only ever used in pre-mainline
      versions of SELinux, prior to Linux 2.6.0.  Some of them
      were used in the legacy network or compat_net=1 checks
      that were disabled by default in Linux 2.6.18 and
      fully removed in Linux 2.6.30.
      
      Permissions never used in mainline Linux:
      file swapon
      filesystem transition
      tcp_socket { connectto newconn acceptfrom }
      node enforce_dest
      unix_stream_socket { newconn acceptfrom }
      
      Legacy network checks, removed in 2.6.30:
      socket { recv_msg send_msg }
      node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
      netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
      Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      42a9699a
    • Stephen Smalley's avatar
      selinux: enable genfscon labeling for sysfs and pstore files · 8e014720
      Stephen Smalley authored
      Support per-file labeling of sysfs and pstore files based on
      genfscon policy entries.  This is safe because the sysfs
      and pstore directory tree cannot be manipulated by userspace,
      except to unlink pstore entries.
      This provides an alternative method of assigning per-file labeling
      to sysfs or pstore files without needing to set the labels from
      userspace on each boot.  The advantages of this approach are that
      the labels are assigned as soon as the dentry is first instantiated
      and userspace does not need to walk the sysfs or pstore tree and
      set the labels on each boot.  The limitations of this approach are
      that the labels can only be assigned based on pathname prefix matching.
      You can initially assign labels using this mechanism and then change
      them at runtime via setxattr if allowed to do so by policy.
      Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Suggested-by: default avatarDominick Grift <dac.override@gmail.com>
      Acked-by: default avatarJeff Vander Stoep <jeffv@google.com>
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      8e014720
    • Stephen Smalley's avatar
      selinux: enable per-file labeling for debugfs files. · 134509d5
      Stephen Smalley authored
      Add support for per-file labeling of debugfs files so that
      we can distinguish them in policy.  This is particularly
      important in Android where certain debugfs files have to be writable
      by apps and therefore the debugfs directory tree can be read and
      searched by all.
      
      Since debugfs is entirely kernel-generated, the directory tree is
      immutable by userspace, and the inodes are pinned in memory, we can
      simply use the same approach as with proc and label the inodes from
      policy based on pathname from the root of the debugfs filesystem.
      Generalize the existing labeling support used for proc and reuse it
      for debugfs too.
      Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      134509d5
    • Stephen Smalley's avatar
      selinux: update netlink socket classes · 6c6d2e9b
      Stephen Smalley authored
      Update the set of SELinux netlink socket class definitions to match
      the set of netlink protocols implemented by the kernel.  The
      ip_queue implementation for the NETLINK_FIREWALL and NETLINK_IP6_FW protocols
      was removed in d16cf20e, so we can remove
      the corresponding class definitions as this is dead code.  Add new
      classes for NETLINK_ISCSI, NETLINK_FIB_LOOKUP, NETLINK_CONNECTOR,
      NETLINK_NETFILTER, NETLINK_GENERIC, NETLINK_SCSITRANSPORT, NETLINK_RDMA,
      and NETLINK_CRYPTO so that we can distinguish among sockets created
      for each of these protocols.  This change does not define the finer-grained
      nlsmsg_read/write permissions or map specific nlmsg_type values to those
      permissions in the SELinux nlmsgtab; if finer-grained control of these
      sockets is desired/required, that can be added as a follow-on change.
      We do not define a SELinux class for NETLINK_ECRYPTFS as the implementation
      was removed in 624ae528.
      Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      6c6d2e9b
    • Oleg Nesterov's avatar
      signals: don't abuse __flush_signals() in selinux_bprm_committed_creds() · 9e7c8f8c
      Oleg Nesterov authored
      selinux_bprm_committed_creds()->__flush_signals() is not right, we
      shouldn't clear TIF_SIGPENDING unconditionally. There can be other
      reasons for signal_pending(): freezing(), JOBCTL_PENDING_MASK, and
      potentially more.
      
      Also change this code to check fatal_signal_pending() rather than
      SIGNAL_GROUP_EXIT, it looks a bit better.
      
      Now we can kill __flush_signals() before it finds another buggy user.
      
      Note: this code looks racy, we can flush a signal which was sent after
      the task SID has been updated.
      Signed-off-by: default avatarOleg Nesterov <oleg@redhat.com>
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      9e7c8f8c
    • Marek Milkovic's avatar
      selinux: Print 'sclass' as string when unrecognized netlink message occurs · cded3fff
      Marek Milkovic authored
      This prints the 'sclass' field as string instead of index in unrecognized netlink message.
      The textual representation makes it easier to distinguish the right class.
      Signed-off-by: default avatarMarek Milkovic <mmilkovi@redhat.com>
      Acked-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      [PM: 80-char width fixes]
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      cded3fff
  5. 03 Jun, 2015 1 commit
  6. 02 Jun, 2015 2 commits
    • Rafal Krypa's avatar
      Smack: allow multiple labels in onlycap · c0d77c88
      Rafal Krypa authored
      Smack onlycap allows limiting of CAP_MAC_ADMIN and CAP_MAC_OVERRIDE to
      processes running with the configured label. But having single privileged
      label is not enough in some real use cases. On a complex system like Tizen,
      there maybe few programs that need to configure Smack policy in run-time
      and running them all with a single label is not always practical.
      This patch extends onlycap feature for multiple labels. They are configured
      in the same smackfs "onlycap" interface, separated by spaces.
      Signed-off-by: default avatarRafal Krypa <r.krypa@samsung.com>
      c0d77c88
    • Rafal Krypa's avatar
      Smack: fix seq operations in smackfs · 01fa8474
      Rafal Krypa authored
      Use proper RCU functions and read locking in smackfs seq_operations.
      
      Smack gets away with not using proper RCU functions in smackfs, because
      it never removes entries from these lists. But now one list will be
      needed (with interface in smackfs) that will have both elements added and
      removed to it.
      This change will also help any future changes implementing removal of
      unneeded entries from other Smack lists.
      
      The patch also fixes handling of pos argument in smk_seq_start and
      smk_seq_next. This fixes a bug in case when smackfs is read with a small
      buffer:
      
      Kernel panic - not syncing: Kernel mode fault at addr 0xfa0000011b
      CPU: 0 PID: 1292 Comm: dd Not tainted 4.1.0-rc1-00012-g98179b8 #13
      Stack:
       00000003 0000000d 7ff39e48 7f69fd00
       7ff39ce0 601ae4b0 7ff39d50 600e587b
       00000010 6039f690 7f69fd40 00612003
      Call Trace:
       [<601ae4b0>] load2_seq_show+0x19/0x1d
       [<600e587b>] seq_read+0x168/0x331
       [<600c5943>] __vfs_read+0x21/0x101
       [<601a595e>] ? security_file_permission+0xf8/0x105
       [<600c5ec6>] ? rw_verify_area+0x86/0xe2
       [<600c5fc3>] vfs_read+0xa1/0x14c
       [<600c68e2>] SyS_read+0x57/0xa0
       [<6001da60>] handle_syscall+0x60/0x80
       [<6003087d>] userspace+0x442/0x548
       [<6001aa77>] ? interrupt_end+0x0/0x80
       [<6001daae>] ? copy_chunk_to_user+0x0/0x2b
       [<6002cb6b>] ? save_registers+0x1f/0x39
       [<60032ef7>] ? arch_prctl+0xf5/0x170
       [<6001a92d>] fork_handler+0x85/0x87
      Signed-off-by: default avatarRafal Krypa <r.krypa@samsung.com>
      01fa8474
  7. 21 May, 2015 10 commits
  8. 15 May, 2015 2 commits
    • Lukasz Pawelczyk's avatar
      smack: pass error code through pointers · e774ad68
      Lukasz Pawelczyk authored
      This patch makes the following functions to use ERR_PTR() and related
      macros to pass the appropriate error code through returned pointers:
      
      smk_parse_smack()
      smk_import_entry()
      smk_fetch()
      
      It also makes all the other functions that use them to handle the
      error cases properly. This ways correct error codes from places
      where they happened can be propagated to the user space if necessary.
      
      Doing this it fixes a bug in onlycap and unconfined files
      handling. Previously their content was cleared on any error from
      smk_import_entry/smk_parse_smack, be it EINVAL (as originally intended)
      or ENOMEM. Right now it only reacts on EINVAL passing other codes
      properly to userspace.
      
      Comments have been updated accordingly.
      Signed-off-by: default avatarLukasz Pawelczyk <l.pawelczyk@samsung.com>
      e774ad68
    • Seung-Woo Kim's avatar
      Smack: ignore private inode for smack_file_receive · 9777582e
      Seung-Woo Kim authored
      The dmabuf fd can be shared between processes via unix domain
      socket. The file of dmabuf fd is came from anon_inode. The inode
      has no set and get xattr operations, so it can not be shared
      between processes with smack. This patch fixes just to ignore
      private inode including anon_inode for smack_file_receive.
      Signed-off-by: default avatarSeung-Woo Kim <sw0312.kim@samsung.com>
      9777582e
  9. 13 May, 2015 2 commits
  10. 12 May, 2015 7 commits
  11. 27 Apr, 2015 3 commits