1. 28 Apr, 2013 20 commits
  2. 20 Apr, 2013 1 commit
  3. 18 Apr, 2013 1 commit
  4. 17 Apr, 2013 1 commit
    • TPM: Retry SaveState command in suspend path · 32d33b29
      Duncan Laurie authored
      If the TPM has already been sent a SaveState command before the driver
      is loaded it may have problems sending that same command again later.
      
      This issue is seen with the Chromebook Pixel due to a firmware bug in
      the legacy mode boot path which is sending the SaveState command
      before booting the kernel.  More information is available at
      http://crbug.com/203524
      
      This change introduces a retry of the SaveState command in the suspend
      path in order to work around this issue.  A future firmware update
      should fix this but this is also a trivial workaround in the driver
      that has no effect on systems that do not show this problem.
      
      When this does happen the TPM responds with a non-fatal TPM_RETRY code
      that is defined in the specification:
      
        The TPM is too busy to respond to the command immediately, but the
        command could be resubmitted at a later time.  The TPM MAY return
        TPM_RETRY for any command at any time.
      
      It can take several seconds before the TPM will respond again.  I
      measured a typical time between 3 and 4 seconds and the timeout is set
      at a safe 5 seconds.
      
      It is also possible to reproduce this with commands via /dev/tpm0.
      The bug linked above has a python script attached which can be used to
      test for this problem.  I tested a variety of TPMs from Infineon,
      Nuvoton, Atmel, and STMicro but was only able to reproduce this with
      LPC and I2C TPMs from Infineon.
      
      The TPM specification only loosely defines this behavior:
      
        TPM Main Level 2 Part 3 v1.2 r116, section 3.3. TPM_SaveState:
        The TPM MAY declare all preserved values invalid in response to any
        command other than TPM_Init.
      
        TCG PC Client BIOS Spec 1.21 section 8.3.1.
        After issuing a TPM_SaveState command, the OS SHOULD NOT issue TPM
        commands before transitioning to S3 without issuing another
        TPM_SaveState command.
      
        TCG PC Client TIS 1.21, section 4. Power Management:
        The TPM_SaveState command allows a Static OS to indicate to the TPM
        that the platform may enter a low power state where the TPM will be
        required to enter into the D3 power state.  The use of the term "may"
        is significant in that there is no requirement for the platform to
        actually enter the low power state after sending the TPM_SaveState
        command.  The software may, in fact, send subsequent commands after
        sending the TPM_SaveState command.
      
      Change-Id: I52b41e826412688e5b6c8ddd3bb16409939704e9
      Signed-off-by: Duncan Laurie <dlaurie@chromium.org>
      Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
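The retry loop the commit describes, written out as an added example in plain C (not the kernel driver's code): a SaveState command is resent while the TPM answers with the non-fatal TPM_RETRY code, polling at a fixed interval, and gives up once the 5 second budget is spent. The TPM_RETRY value (0x800, TPM_NON_FATAL) and the TPM_SaveState ordinal (0x98) come from the TPM 1.2 specification; the simulated TPM, its busy window, the poll interval and all function names are assumptions made for this example, and a simulated clock stands in for the driver's msleep() so the example runs instantly.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* TPM 1.2 return codes (TPM Main Part 2): TPM_SUCCESS, the fatal TPM_FAIL and
 * the non-fatal TPM_RETRY that the commit message quotes from the spec. */
#define TPM_SUCCESS        0x000u
#define TPM_FAIL           0x009u
#define TPM_NON_FATAL      0x800u
#define TPM_RETRY          (TPM_NON_FATAL + 0u)
#define TPM_ORD_SaveState  0x98u

/* Simulated TPM (constructed for this example). After firmware has already
 * sent SaveState, a real part answered TPM_RETRY for 3-4 s; here that window
 * is `busy_until_ms` on a simulated clock `now_ms`. `fatal_rc` lets the
 * simulation return a non-retryable error instead. */
struct sim_tpm {
    uint32_t busy_until_ms;  /* simulated time at which SaveState starts succeeding */
    uint32_t now_ms;         /* simulated clock, advanced by the retry loop */
    uint32_t fatal_rc;       /* if non-zero, returned for every command */
    int commands_seen;       /* how many commands the TPM received */
};

static uint32_t sim_tpm_transmit(struct sim_tpm *tpm, uint32_t ordinal)
{
    tpm->commands_seen++;
    if (tpm->fatal_rc)
        return tpm->fatal_rc;
    if (ordinal == TPM_ORD_SaveState && tpm->now_ms < tpm->busy_until_ms)
        return TPM_RETRY;
    return TPM_SUCCESS;
}

/* Send SaveState and resend it while the TPM answers TPM_RETRY.
 * Returns 0 on success, -ETIMEDOUT when `timeout_ms` is exhausted, and
 * -EIO for any other TPM error (those are not retried). */
int tpm_save_state_with_retry(struct sim_tpm *tpm, uint32_t timeout_ms,
                              uint32_t poll_ms)
{
    uint32_t deadline = tpm->now_ms + timeout_ms;

    for (;;) {
        uint32_t rc = sim_tpm_transmit(tpm, TPM_ORD_SaveState);

        if (rc == TPM_SUCCESS)
            return 0;
        if (rc != TPM_RETRY)
            return -EIO;                 /* fatal code: do not loop on it */
        if (tpm->now_ms + poll_ms > deadline)
            return -ETIMEDOUT;           /* budget spent, give up */
        tpm->now_ms += poll_ms;          /* the driver would msleep() here */
    }
}

int main(void)
{
    /* TPM that stays busy for 3.5 s, the typical value measured in the commit. */
    struct sim_tpm tpm = { .busy_until_ms = 3500, .now_ms = 0,
                           .fatal_rc = 0, .commands_seen = 0 };
    int rc = tpm_save_state_with_retry(&tpm, 5000, 50);

    printf("SaveState rc=%d after %d commands, %u ms\n",
           rc, tpm.commands_seen, tpm.now_ms);
    return rc ? 1 : 0;
}
```

The two branches that matter for a driver are kept apart: a TPM_RETRY answer is polled again until the deadline, while any other non-success code is reported immediately, so a genuinely failing TPM does not stall the suspend path for the full timeout.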
  5. 12 Apr, 2013 7 commits
  6. 03 Apr, 2013 1 commit
  7. 02 Apr, 2013 1 commit
    • selinux: make security_sb_clone_mnt_opts return an error on context mismatch · 094f7b69
      Jeff Layton authored
      I had the following problem reported a while back. If you mount the
      same filesystem twice using NFSv4 with different contexts, then the
      second context= option is ignored. For instance:
      
          # mount server:/export /mnt/test1
          # mount server:/export /mnt/test2 -o context=system_u:object_r:tmp_t:s0
          # ls -dZ /mnt/test1
          drwxrwxrwt. root root system_u:object_r:nfs_t:s0       /mnt/test1
          # ls -dZ /mnt/test2
          drwxrwxrwt. root root system_u:object_r:nfs_t:s0       /mnt/test2
      
      When we call into SELinux to set the context of a "cloned" superblock,
      it will currently just bail out when it notices that we're reusing an
      existing superblock. Since the existing superblock is already set up and
      presumably in use, we can't go overwriting its context with the one from
      the "original" sb. Because of this, the second context= option in this
      case cannot take effect.
      
      This patch fixes this by turning security_sb_clone_mnt_opts into an int
      return operation. When it finds that the "new" superblock that it has
      been handed is already set up, it checks to see whether the contexts on
      the old superblock match it. If it does, then it will just return
      success, otherwise it'll return -EBUSY and emit a printk to tell the
      admin why the second mount failed.
      
      Note that this patch may cause casualties. The NFSv4 code relies on
      being able to walk down to an export from the pseudoroot. If you mount
      filesystems that are nested within one another with different contexts,
      then this patch will make those mounts fail in new and "exciting" ways.
      
      For instance, suppose that /export is a separate filesystem on the
      server:
      
          # mount server:/ /mnt/test1
          # mount salusa:/export /mnt/test2 -o context=system_u:object_r:tmp_t:s0
          mount.nfs: an incorrect mount option was specified
      
      ...with the printk in the ring buffer. Because we *might* eventually
      walk down to /mnt/test1/export, the mount is denied due to this patch.
      The second mount needs the pseudoroot superblock, but that's already
      present with the wrong context.
      
      OTOH, if we mount these in the reverse order, then both mounts work,
      because the pseudoroot superblock created when mounting /export is
      discarded once that mount is done. If we then however try to walk into
      that directory, the automount fails for similar reasons:
      
          # cd /mnt/test1/scratch/
          -bash: cd: /mnt/test1/scratch: Device or resource busy
      
      The story I've gotten from the SELinux folks that I've talked to is that
      this is desirable behavior. In SELinux-land, mounting the same data
      under different contexts is wrong -- there can be only one.
      
      Cc: Steve Dickson <steved@redhat.com>
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: Jeff Layton <jlayton@redhat.com>
      Acked-by: Eric Paris <eparis@redhat.com>
      Signed-off-by: James Morris <james.l.morris@oracle.com>
  8. 01 Apr, 2013 1 commit
  9. 26 Mar, 2013 1 commit
  10. 19 Mar, 2013 5 commits
    • Fix NULL pointer dereference in smack_inode_unlink() and smack_inode_rmdir() · cdb56b60
      Igor Zhbanov authored
      This patch fixes kernel Oops because of wrong common_audit_data type
      in smack_inode_unlink() and smack_inode_rmdir().
      
      When SMACK security module is enabled and SMACK logging is on (/smack/logging
      is not zero) and you try to delete the file which
      1) you cannot delete due to SMACK rules and logging of failures is on
      or
      2) you can delete and logging of success is on,
      
      you will see the following:
      
      	Unable to handle kernel NULL pointer dereference at virtual address 000002d7
      
      	[<...>] (strlen+0x0/0x28)
      	[<...>] (audit_log_untrustedstring+0x14/0x28)
      	[<...>] (common_lsm_audit+0x108/0x6ac)
      	[<...>] (smack_log+0xc4/0xe4)
      	[<...>] (smk_curacc+0x80/0x10c)
      	[<...>] (smack_inode_unlink+0x74/0x80)
      	[<...>] (security_inode_unlink+0x2c/0x30)
      	[<...>] (vfs_unlink+0x7c/0x100)
      	[<...>] (do_unlinkat+0x144/0x16c)
      
      The function smack_inode_unlink() (and smack_inode_rmdir()) needs
      to log two structures of different types. First of all it does:
      
      	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
      	smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
      
      This will set the common audit data type to LSM_AUDIT_DATA_DENTRY
      and store the dentry for auditing (by function smk_curacc(), which in turn calls
      dump_common_audit_data(), which actually uses the provided data and logs it).
      
      	/*
      	 * You need write access to the thing you're unlinking
      	 */
      	rc = smk_curacc(smk_of_inode(ip), MAY_WRITE, &ad);
      	if (rc == 0) {
      		/*
      		 * You also need write access to the containing directory
      		 */
      
      Then this function wants to log another data:
      
      		smk_ad_setfield_u_fs_path_dentry(&ad, NULL);
      		smk_ad_setfield_u_fs_inode(&ad, dir);
      
      The function sets the inode field, but does not change the common_audit_data type.
      
      		rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad);
      	}
      
      So the dump_common_audit() function incorrectly interprets the inode structure
      as a dentry, and an Oops will happen.
      
      This patch reinitializes common_audit_data structures with correct type.
      Also I removed unneeded
      	smk_ad_setfield_u_fs_path_dentry(&ad, NULL);
      initialization, because both dentry and inode pointers are stored
      in the same union.
      Signed-off-by: Igor Zhbanov <i.zhbanov@samsung.com>
      Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com>
    • Smack: add support for modification of existing rules · e05b6f98
      Rafal Krypa authored
      Rule modifications are enabled via /smack/change-rule. Format is as follows:
      "Subject Object rwaxt rwaxt"
      
      First two strings are subject and object labels up to 255 characters.
      Third string contains permissions to enable.
      Fourth string contains permissions to disable.
      
      All unmentioned permissions will be left unchanged.
      If no rule previously existed, it will be created.
      
      Targeted for git://git.gitorious.org/smack-next/kernel.git
      Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
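A parser for the /smack/change-rule line format described in this commit, added here as an example in user-space C; it is not the kernel's implementation. It splits "Subject Object rwaxt rwaxt" into two labels of at most 255 characters plus an enable and a disable permission string, then applies them to a rule table so that unmentioned permissions are kept, and a missing rule is created. The MAY_* bit values, the rule table, its size and the function names are assumptions for this example; '-' is accepted as an empty permission string.

```c
#include <stdio.h>
#include <string.h>

#define SMK_LABELLEN 255   /* maximum label length stated in the commit message */
#define MAX_RULES    16    /* size of the toy rule table (assumption) */

/* Permission bits. Assumed values for this example, not Smack's own. */
#define MAY_READ      0x01
#define MAY_WRITE     0x02
#define MAY_EXEC      0x04
#define MAY_APPEND    0x08
#define MAY_TRANSMUTE 0x10

struct smack_rule {
    char subject[SMK_LABELLEN + 1];
    char object[SMK_LABELLEN + 1];
    int access;
};

struct rule_table {
    struct smack_rule rules[MAX_RULES];
    int count;
};

/* Parse an "rwaxt" string into a bitmask. '-' means "nothing"; any other
 * character rejects the whole line so a typo cannot silently grant less or
 * more than intended. Returns 0 on success, -1 on a bad character. */
static int perm_from_str(const char *s, int *out)
{
    int perm = 0;

    for (; *s; s++) {
        switch (*s) {
        case 'r': case 'R': perm |= MAY_READ;      break;
        case 'w': case 'W': perm |= MAY_WRITE;     break;
        case 'x': case 'X': perm |= MAY_EXEC;      break;
        case 'a': case 'A': perm |= MAY_APPEND;    break;
        case 't': case 'T': perm |= MAY_TRANSMUTE; break;
        case '-':                                  break;
        default:            return -1;
        }
    }
    *out = perm;
    return 0;
}

static struct smack_rule *find_rule(struct rule_table *t,
                                    const char *subj, const char *obj)
{
    for (int i = 0; i < t->count; i++)
        if (!strcmp(t->rules[i].subject, subj) && !strcmp(t->rules[i].object, obj))
            return &t->rules[i];
    return NULL;
}

/* Apply one change-rule line: "Subject Object enable disable".
 * Unmentioned permissions are left as they were; a rule that does not exist
 * yet starts empty. Returns 0 on success, -1 on a malformed line or full table. */
int smack_change_rule(struct rule_table *t, const char *line)
{
    char subj[SMK_LABELLEN + 1], obj[SMK_LABELLEN + 1], en[8], dis[8];
    int enable, disable;
    struct smack_rule *r;

    /* Field widths keep sscanf inside the buffers; a label longer than 255
     * characters splits into extra tokens and fails the count check. */
    if (sscanf(line, "%255s %255s %7s %7s", subj, obj, en, dis) != 4)
        return -1;
    if (perm_from_str(en, &enable) || perm_from_str(dis, &disable))
        return -1;

    r = find_rule(t, subj, obj);
    if (!r) {
        if (t->count == MAX_RULES)
            return -1;
        r = &t->rules[t->count++];
        strcpy(r->subject, subj);
        strcpy(r->object, obj);
        r->access = 0;
    }
    r->access = (r->access | enable) & ~disable;
    return 0;
}

/* Effective access for a subject/object pair, or -1 if no rule exists. */
int smack_rule_access(struct rule_table *t, const char *subj, const char *obj)
{
    struct smack_rule *r = find_rule(t, subj, obj);
    return r ? r->access : -1;
}

int main(void)
{
    struct rule_table t = { .count = 0 };   /* constructed sample rules */

    smack_change_rule(&t, "App Data rw -");  /* creates App->Data with rw */
    smack_change_rule(&t, "App Data a w");   /* enables a, disables w: ra */
    printf("App->Data access bits: 0x%02x\n", smack_rule_access(&t, "App", "Data"));
    return 0;
}
```

The order of operations in the last line of smack_change_rule matters: enable is applied first and disable last, so a permission listed in both strings ends up disabled, which is the conservative reading of an ambiguous request.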
    • smack: SMACK_MAGIC to include/uapi/linux/magic.h · cee7e443
      Jarkko Sakkinen authored
      SMACK_MAGIC moved to a proper place for easy user space access
      (i.e. libsmack).
      Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@iki.fi>
    • Smack: add missing support for transmute bit in smack_str_from_perm() · a87d79ad
      Rafal Krypa authored
      This fixes audit logs for granting or denial of permissions to show
      information about transmute bit.
      
      Targeted for git://git.gitorious.org/smack-next/kernel.git
      Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
    • Smack: prevent revoke-subject from failing when unseen label is written to it · d15d9fad
      Rafal Krypa authored
      Special file /smack/revoke-subject will silently accept labels that are not
      present on the subject label list. Nothing has to be done for such labels,
      as there are no rules for them to revoke.
      
      Targeted for git://git.gitorious.org/smack-next/kernel.git
      Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
  11. 18 Mar, 2013 1 commit