1. 21 Sep, 2016 1 commit
  2. 19 Sep, 2016 2 commits
      lsm,audit,selinux: Introduce a new audit data type LSM_AUDIT_DATA_FILE · 43af5de7
      Vivek Goyal authored
      Right now the LSM_AUDIT_DATA_PATH type contains "struct path" in union "u"
      of common_audit_data. This information is used to print the path of the file;
      at the same time it is also used to get to the dentry and inode, and this
      inode information is used to get to the superblock and device and print
      device information.
      
      This does not work well for layered filesystems like overlay, where the dentry
      contained in the path is the overlay dentry and not the real dentry of the
      underlying file system. That means the inode retrieved from the dentry is also
      the overlay inode and not the real inode.
      
      SELinux helpers like file_path_has_perm() are doing checks on the inode
      retrieved from file_inode(). This returns the real inode and not the
      overlay inode. That means we are doing the check on the real inode, but for
      audit purposes we are printing details of the overlay inode, and that can be
      confusing while debugging.
      
      Hence, introduce a new type LSM_AUDIT_DATA_FILE which carries file
      information, and the inode retrieved is the real inode, using file_inode().
      That way the right avc denied information is given to the user.
      
      For example, the following is one example avc before the patch.
      
        type=AVC msg=audit(1473360868.399:214): avc:  denied  { read open } for
          pid=1765 comm="cat"
          path="/root/.../overlay/container1/merged/readfile"
          dev="overlay" ino=21443
          scontext=unconfined_u:unconfined_r:test_overlay_client_t:s0:c10,c20
          tcontext=unconfined_u:object_r:test_overlay_files_ro_t:s0
          tclass=file permissive=0
      
      It looks as follows after the patch.
      
        type=AVC msg=audit(1473360017.388:282): avc:  denied  { read open } for
          pid=2530 comm="cat"
          path="/root/.../overlay/container1/merged/readfile"
          dev="dm-0" ino=2377915
          scontext=unconfined_u:unconfined_r:test_overlay_client_t:s0:c10,c20
          tcontext=unconfined_u:object_r:test_overlay_files_ro_t:s0
          tclass=file permissive=0
      
      Notice that now the dev information points to the "dm-0" device instead of
      the "overlay" device. This makes it clear that the check failed on the
      underlying inode and not on the overlay inode.
      Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
      [PM: slight tweaks to the description to make checkpatch.pl happy]
      Signed-off-by: Paul Moore <paul@paul-moore.com>
      43af5de7
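The two AVC records quoted in the commit message differ only in their dev=/ino= pair, and that pair is what an analyst uses to work out which inode a denial is really about. The following is an added example, not kernel code and not part of the commit: a small parser for AVC records that extracts the fields, converts pid/ino/permissive to integers, and flags records whose dev= names the "overlay" superblock rather than a backing block device (the pre-patch LSM_AUDIT_DATA_PATH behaviour). The two sample lines are the records from the commit message re-joined onto one line each; the set of superblock names treated as "layered" is an assumption limited to what the page shows.

```python
"""Parse SELinux AVC audit records and say whether dev=/ino= identify the
overlay inode or the real inode on the backing filesystem."""
import re
from dataclasses import dataclass

# Constructed sample input: the two denials quoted in the commit message above,
# re-joined onto one line each as auditd writes them to audit.log.
AVC_BEFORE_PATCH = (
    "type=AVC msg=audit(1473360868.399:214): avc:  denied  { read open } for "
    'pid=1765 comm="cat" path="/root/.../overlay/container1/merged/readfile" '
    'dev="overlay" ino=21443 '
    "scontext=unconfined_u:unconfined_r:test_overlay_client_t:s0:c10,c20 "
    "tcontext=unconfined_u:object_r:test_overlay_files_ro_t:s0 "
    "tclass=file permissive=0"
)
AVC_AFTER_PATCH = (
    "type=AVC msg=audit(1473360017.388:282): avc:  denied  { read open } for "
    'pid=2530 comm="cat" path="/root/.../overlay/container1/merged/readfile" '
    'dev="dm-0" ino=2377915 '
    "scontext=unconfined_u:unconfined_r:test_overlay_client_t:s0:c10,c20 "
    "tcontext=unconfined_u:object_r:test_overlay_files_ro_t:s0 "
    "tclass=file permissive=0"
)

# "type=AVC msg=audit(<secs>.<usecs>:<serial>): avc:  <result>  { <perms> } for <fields>"
_HEADER = re.compile(
    r"^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<result>granted|denied)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; path, comm and dev are double-quoted, the rest are bare tokens.
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_INT_FIELDS = ("pid", "ino", "permissive")
# Superblock names that are not block devices. "overlay" is the case the commit
# describes: the record then identifies the union inode, not the lower/upper
# inode the permission check actually ran on. This set is an assumption.
_LAYERED_DEVS = frozenset({"overlay"})


@dataclass(frozen=True)
class AvcRecord:
    timestamp: float
    serial: int
    result: str          # "denied" or "granted"
    perms: frozenset     # e.g. {"read", "open"}
    fields: dict         # pid, comm, path, dev, ino, scontext, tcontext, tclass, permissive


def is_avc_record(line: str) -> bool:
    return _HEADER.match(line.strip()) is not None


def parse_avc(line: str) -> AvcRecord:
    m = _HEADER.match(line.strip())
    if m is None:
        raise ValueError("not an AVC record: %r" % line)
    fields = {}
    for key, quoted, bare in _FIELD.findall(m.group("rest")):
        value = bare if bare != "" else quoted
        fields[key] = int(value) if key in _INT_FIELDS else value
    return AvcRecord(
        timestamp=float(m.group("ts")),
        serial=int(m.group("serial")),
        result=m.group("result"),
        perms=frozenset(m.group("perms").split()),
        fields=fields,
    )


def audited_inode_is_overlay(rec: AvcRecord) -> bool:
    """True when dev= names the overlay superblock, i.e. the record describes
    the overlay inode rather than the real inode the check ran on."""
    return rec.fields.get("dev") in _LAYERED_DEVS


def same_path_different_inode(a: AvcRecord, b: AvcRecord) -> bool:
    """True when two records name the same path but different (dev, ino),
    which is exactly the before/after difference the patch produces."""
    return (a.fields.get("path") == b.fields.get("path")
            and (a.fields.get("dev"), a.fields.get("ino"))
            != (b.fields.get("dev"), b.fields.get("ino")))


def summarize(rec: AvcRecord) -> str:
    which = "overlay inode" if audited_inode_is_overlay(rec) else "real inode"
    return "%s { %s } %s=%s (%s, dev=%s ino=%d) pid=%d comm=%s" % (
        rec.result, " ".join(sorted(rec.perms)), rec.fields.get("tclass"),
        rec.fields.get("path"), which, rec.fields.get("dev"), rec.fields.get("ino"),
        rec.fields.get("pid"), rec.fields.get("comm"))


if __name__ == "__main__":
    for line in (AVC_BEFORE_PATCH, AVC_AFTER_PATCH):
        print(summarize(parse_avc(line)))
```

When triaging a denial on a container rootfs, a dev="overlay" record means the path and the audited inode do not belong to the filesystem whose label SELinux actually evaluated; with the patched kernel the dev/ino can be fed straight to `find /mountpoint -inum` on the backing device.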
  3. 16 Sep, 2016 4 commits
  4. 15 Sep, 2016 19 commits
  5. 13 Sep, 2016 1 commit
  6. 08 Sep, 2016 1 commit
      Smack: Signal delivery as an append operation · c60b9066
      Casey Schaufler authored
      Under a strict subject/object security policy, delivering a
      signal or delivering network IPC could be considered either
      a write or an append operation. The original choice to make
      both write operations leads to an issue where IPC delivery
      is desired under policy, but delivery of signals is not.
      This patch provides the option of making signal delivery
      an append operation, allowing Smack rules that deny signal
      delivery while allowing IPC. This was requested for Tizen.
      Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
      c60b9066
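To see why mapping signal delivery to append rather than write changes what a Smack rule set can express, the following added example (not Smack's own code) evaluates rules of the form "subject object access" with a simplified version of the kernel's access check: equal labels always pass, the "*" subject never does, the "*" object is open to everyone, and otherwise every requested access letter must appear in the explicit rule. The other built-in labels and the build-time option itself are modelled only by the `append_signals` flag, which is an assumption of this example; the policy text is constructed.

```python
"""Toy Smack rule evaluator: why signal delivery as 'a' (append) instead of
'w' (write) lets a rule permit IPC to a task while denying signals to it.
Added illustration, not the kernel's Smack implementation."""

ACCESS_LETTERS = "rwxatlb"  # read write execute append transmute lock bringup
STAR = "*"                  # '*' as subject may access nothing; as object, anyone may access it


def parse_rules(text: str) -> dict:
    """Parse 'subject object access' lines, the format written to smackfs 'load2'.
    A '-' access string grants nothing."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        subject, obj, access = line.split()
        letters = "" if access == "-" else access
        unknown = set(letters) - set(ACCESS_LETTERS)
        if unknown:
            raise ValueError("bad access letters %s in rule %r" % (sorted(unknown), line))
        rules[(subject, obj)] = frozenset(letters)
    return rules


def smack_access(rules: dict, subject: str, obj: str, requested: str) -> bool:
    """Simplified smk_access(): hard-coded '*' and equal-label cases first,
    then an explicit rule must cover every requested letter."""
    if subject == STAR:
        return False
    if obj == STAR or subject == obj:
        return True
    return set(requested) <= rules.get((subject, obj), frozenset())


def signal_access(append_signals: bool) -> str:
    """Access the sender needs on the target to deliver a signal: 'w' with the
    original behaviour, 'a' when signals are treated as append."""
    return "a" if append_signals else "w"


IPC_ACCESS = "w"  # IPC delivery (sockets, message queues) is checked as a write


def may_deliver_ipc(rules: dict, sender: str, receiver: str) -> bool:
    return smack_access(rules, sender, receiver, IPC_ACCESS)


def may_deliver_signal(rules: dict, sender: str, target: str, append_signals: bool) -> bool:
    return smack_access(rules, sender, target, signal_access(append_signals))


# Constructed policy: the client may talk to the service over IPC but must not
# be able to signal it; the service may write back and signal the client.
POLICY = """
client service w
service client wa
"""


def demo() -> dict:
    rules = parse_rules(POLICY)
    return {
        "client_ipc_to_service": may_deliver_ipc(rules, "client", "service"),
        "client_signal_as_write": may_deliver_signal(rules, "client", "service", False),
        "client_signal_as_append": may_deliver_signal(rules, "client", "service", True),
        "service_signal_as_append": may_deliver_signal(rules, "service", "client", True),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print("%-26s %s" % (name, "allowed" if allowed else "denied"))
```

With signals checked as write, the single rule "client service w" that is needed for IPC also lets the client kill the service; with signals checked as append, the same rule keeps IPC working and denies the signal unless the policy author adds an "a" explicitly.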
  7. 30 Aug, 2016 1 commit
  8. 29 Aug, 2016 2 commits
  9. 23 Aug, 2016 1 commit
  10. 19 Aug, 2016 1 commit
  11. 10 Aug, 2016 1 commit
  12. 09 Aug, 2016 6 commits