1. 28 Jun, 2011 1 commit
    • TOMOYO: Cleanup part 1. · 7c75964f
      Tetsuo Handa authored
      In order to synchronize with TOMOYO 1.8's syntax,
      
      (1) Remove special handling for allow_read/write permission.
      (2) Replace deny_rewrite/allow_rewrite permission with allow_append permission.
      (3) Remove file_pattern keyword.
      (4) Remove allow_read permission from exception policy.
      (5) Allow creating domains in enforcing mode without calling supervisor.
      (6) Add permission check for opening directory for reading.
      (7) Add permission check for stat() operation.
      (8) Make "cat < /sys/kernel/security/tomoyo/self_domain" behave as if
          "cat /sys/kernel/security/tomoyo/self_domain".
      Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Signed-off-by: James Morris <jmorris@namei.org>
  2. 27 Jun, 2011 7 commits
  3. 14 Jun, 2011 1 commit
  4. 09 Jun, 2011 2 commits
    • cgroupfs: use init_cred when populating new cgroupfs mount · 2ce9738b
      eparis@redhat authored
      We recently found that in some configurations SELinux was blocking the ability
      for cgroupfs to be mounted.  The reason for this is because cgroupfs creates
      files and directories during the get_sb() call and also uses lookup_one_len()
      during that same get_sb() call.  This is a problem since the security
      subsystem cannot initialize the superblock and the inodes in that filesystem
      until after the get_sb() call returns.  Thus we leave the inodes in
      an uninitialized state during get_sb().  For the vast majority of filesystems
      this is not an issue, but since cgroupfs uses lookup_one_len() it does
      search permission checks on the directories in the path it walks.  Since the
      inode security state is not set up SELinux does these checks as if the inodes
      were 'unlabeled.'
      
      Many 'normal' userspace processes do not have permission to interact with
      unlabeled inodes.  The solution presented here is to do the permission checks
      of path walk and inode creation as the kernel rather than as the task that
      called mount.  Since the kernel has permission to read/write/create
      unlabeled inodes the get_sb() call will complete successfully and the SELinux
      code will be able to initialize the superblock and those inodes created during
      the get_sb() call.
      
      This appears to be the same solution used by other filesystems such as devtmpfs
      to solve the same issue and should thus have no negative impact on other LSMs
      which currently work.
      Signed-off-by: Eric Paris <eparis@redhat.com>
      Acked-by: Paul Menage <menage@google.com>
      Signed-off-by: James Morris <jmorris@namei.org>
    • f55cf3c7
  5. 08 Jun, 2011 29 commits