1. 16 Jun, 2015 3 commits
  2. 12 Jun, 2015 2 commits
  3. 05 Jun, 2015 1 commit
    • J. Bruce Fields's avatar
      selinux: fix setting of security labels on NFS · 9fc2b4b4
      J. Bruce Fields authored
      Before calling into the filesystem, vfs_setxattr calls
      security_inode_setxattr, which ends up calling selinux_inode_setxattr in
      our case.  That returns -EOPNOTSUPP whenever SBLABEL_MNT is not set.
      SBLABEL_MNT was supposed to be set by sb_finish_set_opts, which sets it
      only if selinux_is_sblabel_mnt returns true.
      
      The selinux_is_sblabel_mnt logic was broken by eadcabc6 "SELinux: do
      all flags twiddling in one place", which didn't take into the account
      the SECURITY_FS_USE_NATIVE behavior that had been introduced for nfs
      with eb9ae686 "SELinux: Add new labeling type native labels".
      
      This caused setxattr's of security labels over NFSv4.2 to fail.
      
      Cc: stable@kernel.org # 3.13
      Cc: Eric Paris <eparis@redhat.com>
      Cc: David Quigley <dpquigl@davequigley.com>
      Reported-by: default avatarRichard Chan <rc556677@outlook.com>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      Acked-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      [PM: added the stable dependency]
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      9fc2b4b4
  4. 04 Jun, 2015 6 commits
    • Stephen Smalley's avatar
      selinux: Remove unused permission definitions · 42a9699a
      Stephen Smalley authored
      Remove unused permission definitions from SELinux.
      Many of these were only ever used in pre-mainline
      versions of SELinux, prior to Linux 2.6.0.  Some of them
      were used in the legacy network or compat_net=1 checks
      that were disabled by default in Linux 2.6.18 and
      fully removed in Linux 2.6.30.
      
      Permissions never used in mainline Linux:
      file swapon
      filesystem transition
      tcp_socket { connectto newconn acceptfrom }
      node enforce_dest
      unix_stream_socket { newconn acceptfrom }
      
      Legacy network checks, removed in 2.6.30:
      socket { recv_msg send_msg }
      node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
      netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
      Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      42a9699a
    • Stephen Smalley's avatar
      selinux: enable genfscon labeling for sysfs and pstore files · 8e014720
      Stephen Smalley authored
      Support per-file labeling of sysfs and pstore files based on
      genfscon policy entries.  This is safe because the sysfs
      and pstore directory tree cannot be manipulated by userspace,
      except to unlink pstore entries.
      This provides an alternative method of assigning per-file labeling
      to sysfs or pstore files without needing to set the labels from
      userspace on each boot.  The advantages of this approach are that
      the labels are assigned as soon as the dentry is first instantiated
      and userspace does not need to walk the sysfs or pstore tree and
      set the labels on each boot.  The limitations of this approach are
      that the labels can only be assigned based on pathname prefix matching.
      You can initially assign labels using this mechanism and then change
      them at runtime via setxattr if allowed to do so by policy.
      Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Suggested-by: default avatarDominick Grift <dac.override@gmail.com>
      Acked-by: default avatarJeff Vander Stoep <jeffv@google.com>
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      8e014720
    • Stephen Smalley's avatar
      selinux: enable per-file labeling for debugfs files. · 134509d5
      Stephen Smalley authored
      Add support for per-file labeling of debugfs files so that
      we can distinguish them in policy.  This is particularly
      important in Android where certain debugfs files have to be writable
      by apps and therefore the debugfs directory tree can be read and
      searched by all.
      
      Since debugfs is entirely kernel-generated, the directory tree is
      immutable by userspace, and the inodes are pinned in memory, we can
      simply use the same approach as with proc and label the inodes from
      policy based on pathname from the root of the debugfs filesystem.
      Generalize the existing labeling support used for proc and reuse it
      for debugfs too.
      Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      134509d5
    • Stephen Smalley's avatar
      selinux: update netlink socket classes · 6c6d2e9b
      Stephen Smalley authored
      Update the set of SELinux netlink socket class definitions to match
      the set of netlink protocols implemented by the kernel.  The
      ip_queue implementation for the NETLINK_FIREWALL and NETLINK_IP6_FW protocols
      was removed in d16cf20e, so we can remove
      the corresponding class definitions as this is dead code.  Add new
      classes for NETLINK_ISCSI, NETLINK_FIB_LOOKUP, NETLINK_CONNECTOR,
      NETLINK_NETFILTER, NETLINK_GENERIC, NETLINK_SCSITRANSPORT, NETLINK_RDMA,
      and NETLINK_CRYPTO so that we can distinguish among sockets created
      for each of these protocols.  This change does not define the finer-grained
      nlsmsg_read/write permissions or map specific nlmsg_type values to those
      permissions in the SELinux nlmsgtab; if finer-grained control of these
      sockets is desired/required, that can be added as a follow-on change.
      We do not define a SELinux class for NETLINK_ECRYPTFS as the implementation
      was removed in 624ae528.
      Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      6c6d2e9b
    • Oleg Nesterov's avatar
      signals: don't abuse __flush_signals() in selinux_bprm_committed_creds() · 9e7c8f8c
      Oleg Nesterov authored
      selinux_bprm_committed_creds()->__flush_signals() is not right, we
      shouldn't clear TIF_SIGPENDING unconditionally. There can be other
      reasons for signal_pending(): freezing(), JOBCTL_PENDING_MASK, and
      potentially more.
      
      Also change this code to check fatal_signal_pending() rather than
      SIGNAL_GROUP_EXIT, it looks a bit better.
      
      Now we can kill __flush_signals() before it finds another buggy user.
      
      Note: this code looks racy, we can flush a signal which was sent after
      the task SID has been updated.
      Signed-off-by: default avatarOleg Nesterov <oleg@redhat.com>
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      9e7c8f8c
    • Marek Milkovic's avatar
      selinux: Print 'sclass' as string when unrecognized netlink message occurs · cded3fff
      Marek Milkovic authored
      This prints the 'sclass' field as string instead of index in unrecognized netlink message.
      The textual representation makes it easier to distinguish the right class.
      Signed-off-by: default avatarMarek Milkovic <mmilkovi@redhat.com>
      Acked-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      [PM: 80-char width fixes]
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      cded3fff
  5. 03 Jun, 2015 1 commit
  6. 02 Jun, 2015 2 commits
    • Rafal Krypa's avatar
      Smack: allow multiple labels in onlycap · c0d77c88
      Rafal Krypa authored
      Smack onlycap allows limiting of CAP_MAC_ADMIN and CAP_MAC_OVERRIDE to
      processes running with the configured label. But having single privileged
      label is not enough in some real use cases. On a complex system like Tizen,
      there maybe few programs that need to configure Smack policy in run-time
      and running them all with a single label is not always practical.
      This patch extends onlycap feature for multiple labels. They are configured
      in the same smackfs "onlycap" interface, separated by spaces.
      Signed-off-by: default avatarRafal Krypa <r.krypa@samsung.com>
      c0d77c88
    • Rafal Krypa's avatar
      Smack: fix seq operations in smackfs · 01fa8474
      Rafal Krypa authored
      Use proper RCU functions and read locking in smackfs seq_operations.
      
      Smack gets away with not using proper RCU functions in smackfs, because
      it never removes entries from these lists. But now one list will be
      needed (with interface in smackfs) that will have both elements added and
      removed to it.
      This change will also help any future changes implementing removal of
      unneeded entries from other Smack lists.
      
      The patch also fixes handling of pos argument in smk_seq_start and
      smk_seq_next. This fixes a bug in case when smackfs is read with a small
      buffer:
      
      Kernel panic - not syncing: Kernel mode fault at addr 0xfa0000011b
      CPU: 0 PID: 1292 Comm: dd Not tainted 4.1.0-rc1-00012-g98179b8 #13
      Stack:
       00000003 0000000d 7ff39e48 7f69fd00
       7ff39ce0 601ae4b0 7ff39d50 600e587b
       00000010 6039f690 7f69fd40 00612003
      Call Trace:
       [<601ae4b0>] load2_seq_show+0x19/0x1d
       [<600e587b>] seq_read+0x168/0x331
       [<600c5943>] __vfs_read+0x21/0x101
       [<601a595e>] ? security_file_permission+0xf8/0x105
       [<600c5ec6>] ? rw_verify_area+0x86/0xe2
       [<600c5fc3>] vfs_read+0xa1/0x14c
       [<600c68e2>] SyS_read+0x57/0xa0
       [<6001da60>] handle_syscall+0x60/0x80
       [<6003087d>] userspace+0x442/0x548
       [<6001aa77>] ? interrupt_end+0x0/0x80
       [<6001daae>] ? copy_chunk_to_user+0x0/0x2b
       [<6002cb6b>] ? save_registers+0x1f/0x39
       [<60032ef7>] ? arch_prctl+0xf5/0x170
       [<6001a92d>] fork_handler+0x85/0x87
      Signed-off-by: default avatarRafal Krypa <r.krypa@samsung.com>
      01fa8474
  7. 21 May, 2015 10 commits
  8. 15 May, 2015 2 commits
    • Lukasz Pawelczyk's avatar
      smack: pass error code through pointers · e774ad68
      Lukasz Pawelczyk authored
      This patch makes the following functions to use ERR_PTR() and related
      macros to pass the appropriate error code through returned pointers:
      
      smk_parse_smack()
      smk_import_entry()
      smk_fetch()
      
      It also makes all the other functions that use them to handle the
      error cases properly. This ways correct error codes from places
      where they happened can be propagated to the user space if necessary.
      
      Doing this it fixes a bug in onlycap and unconfined files
      handling. Previously their content was cleared on any error from
      smk_import_entry/smk_parse_smack, be it EINVAL (as originally intended)
      or ENOMEM. Right now it only reacts on EINVAL passing other codes
      properly to userspace.
      
      Comments have been updated accordingly.
      Signed-off-by: default avatarLukasz Pawelczyk <l.pawelczyk@samsung.com>
      e774ad68
    • Seung-Woo Kim's avatar
      Smack: ignore private inode for smack_file_receive · 9777582e
      Seung-Woo Kim authored
      The dmabuf fd can be shared between processes via unix domain
      socket. The file of dmabuf fd is came from anon_inode. The inode
      has no set and get xattr operations, so it can not be shared
      between processes with smack. This patch fixes just to ignore
      private inode including anon_inode for smack_file_receive.
      Signed-off-by: default avatarSeung-Woo Kim <sw0312.kim@samsung.com>
      9777582e
  9. 13 May, 2015 2 commits
  10. 12 May, 2015 7 commits
  11. 27 Apr, 2015 4 commits
    • Linus Torvalds's avatar
      Linux 4.1-rc1 · b787f68c
      Linus Torvalds authored
      b787f68c
    • Andy Lutomirski's avatar
      x86_64, asm: Work around AMD SYSRET SS descriptor attribute issue · 61f01dd9
      Andy Lutomirski authored
      AMD CPUs don't reinitialize the SS descriptor on SYSRET, so SYSRET with
      SS == 0 results in an invalid usermode state in which SS is apparently
      equal to __USER_DS but causes #SS if used.
      
      Work around the issue by setting SS to __KERNEL_DS __switch_to, thus
      ensuring that SYSRET never happens with SS set to NULL.
      
      This was exposed by a recent vDSO cleanup.
      
      Fixes: e7d6eefa x86/vdso32/syscall.S: Do not load __USER32_DS to %ss
      Signed-off-by: default avatarAndy Lutomirski <luto@kernel.org>
      Cc: Peter Anvin <hpa@zytor.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Denys Vlasenko <vda.linux@googlemail.com>
      Cc: Brian Gerst <brgerst@gmail.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      61f01dd9
    • Linus Torvalds's avatar
      Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux · 1190944f
      Linus Torvalds authored
      Pull intel drm fixes from Dave Airlie.
      
      * 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
        drm/i915: vlv: fix save/restore of GFX_MAX_REQ_COUNT reg
        drm/i915: Workaround to avoid lite restore with HEAD==TAIL
        drm/i915: cope with large i2c transfers
      1190944f
    • Linus Torvalds's avatar
      Merge git://git.infradead.org/intel-iommu · 9f86262d
      Linus Torvalds authored
      Pull intel iommu updates from David Woodhouse:
       "This lays a little of the groundwork for upcoming Shared Virtual
        Memory support — fixing some bogus #defines for capability bits and
        adding the new ones, and starting to use the new wider page tables
        where we can, in anticipation of actually filling in the new fields
        therein.
      
        It also allows graphics devices to be assigned to VM guests again.
        This got broken in 3.17 by disallowing assignment of RMRR-afflicted
        devices.  Like USB, we do understand why there's an RMRR for graphics
        devices — and unlike USB, it's actually sane.  So we can make an
        exception for graphics devices, just as we do USB controllers.
      
        Finally, tone down the warning about the X2APIC_OPT_OUT bit, due to
        persistent requests.  X2APIC_OPT_OUT was added to the spec as a nasty
        hack to allow broken BIOSes to forbid us from using X2APIC when they
        do stupid and invasive things and would break if we did.
      
        Someone noticed that since Windows doesn't have full IOMMU support for
        DMA protection, setting the X2APIC_OPT_OUT bit made Windows avoid
        initialising the IOMMU on the graphics unit altogether.
      
        This means that it would be available for use in "driver mode", where
        the IOMMU registers are made available through a BAR of the graphics
        device and the graphics driver can do SVM all for itself.
      
        So they started setting the X2APIC_OPT_OUT bit on *all* platforms with
        SVM capabilities.  And even the platforms which *might*, if the
        planets had been aligned correctly, possibly have had SVM capability
        but which in practice actually don't"
      
      * git://git.infradead.org/intel-iommu:
        iommu/vt-d: support extended root and context entries
        iommu/vt-d: Add new extended capabilities from v2.3 VT-d specification
        iommu/vt-d: Allow RMRR on graphics devices too
        iommu/vt-d: Print x2apic opt out info instead of printing a warning
        iommu/vt-d: kill bogus ecap_niotlb_iunits()
      9f86262d