  8. 12 Oct, 2011 9 commits
    • Smack: fix for /smack/access output, use string instead of byte · f8859d98
      Jarkko Sakkinen authored
      Small fix for the output of access SmackFS file. Use string
      instead of byte. Makes it easier to extend API if it is
      needed.
      Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@intel.com>
    • Smack: domain transition protections (v3) · 84088ba2
      Jarkko Sakkinen authored
      Protections for domain transition:
      
      - BPRM unsafe flags
      - Secureexec
      - Clear unsafe personality bits.
      - Clear parent death signal
      Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@intel.com>
    • Smack: Provide information for UDS getsockopt(SO_PEERCRED) · 975d5e55
      Casey Schaufler authored
      This patch is targeted for the smack-next tree.
      
      This patch takes advantage of the recent changes for performance
      and points the packet labels on UDS connect at the output label of
      the far side. This makes getsockopt(...SO_PEERCRED...) function
      properly. Without this change the getsockopt does not provide any
      information.
      Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
    • Smack: Clean up comments · ce8a4321
      Casey Schaufler authored
      There are a number of comments in the Smack code that
      are either malformed or include code. This patch cleans
      them up.
      Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
    • Smack: Repair processing of fcntl · 531f1d45
      Casey Schaufler authored
      Al Viro pointed out that the processing of fcntl done
      by Smack appeared poorly designed. He was right. There
      are three things that required change. Most obviously,
      the list of commands that really imply writing is limited
      to those involving file locking and signal handling.
      The initialization of the file security blob was
      incomplete, requiring use of a heretofore unused LSM hook.
      Finally, the audit information coming from a helper
      masked the identity of the LSM hook. This patch corrects
      all three of these defects.
      
      This is targeted for the smack-next tree pending comments.
      Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
    • Smack: Rule list lookup performance · 272cd7a8
      Casey Schaufler authored
      This patch is targeted for the smack-next tree.
      
      Smack access checks suffer from two significant performance
      issues. In cases where there are large numbers of rules the
      search of the single list of rules is wasteful. Comparing the
      string values of the smack labels is less efficient than a
      numeric comparison would be.
      
      These changes take advantage of the Smack label list, which
      maintains the mapping of Smack labels to secids and optional
      CIPSO labels. Because the labels are kept perpetually, an
      access check can be done strictly based on the address of the
      label in the list without ever looking at the label itself.
      Rather than keeping one global list of rules the rules with
      a particular subject label can be based off of that label
      list entry. The access check need never look at entries that
      do not use the current subject label.
      
      This requires that packets coming off the network with
      CIPSO direct Smack labels that have never been seen before
      be treated carefully. The only case where they could be
      delivered is where the receiving socket has an IPIN star
      label, so that case is explicitly addressed.
      
      On a system with 39,800 rules (200 labels in all permutations)
      a system with this patch runs an access speed test in 5% of
      the time of the old version. That should be a best case
      improvement. If all of the rules are associated with the
      same subject label and all of the accesses are for processes
      with that label (unlikely) the improvement is about 30%.
      Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
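A user-space model of the lookup this commit describes, added here as an illustration and not the kernel's code: labels are interned once in a label list, each subject entry carries its own rules, and the access check compares entries by identity rather than by string. The same-label and star-label behaviour it applies is Smack's documented label semantics; the sample rule set and label names are constructed.

```python
class SmackLabel:
    """One entry of the label list: the label string plus the rules
    whose subject is this label (a per-subject list, not a global one)."""
    def __init__(self, name):
        self.name = name
        self.rules = {}   # object SmackLabel -> set of allowed access chars

LABEL_LIST = {}           # name -> SmackLabel; entries are never removed

def smk_import(name):
    """Return the unique entry for name, creating it on first use."""
    if name not in LABEL_LIST:
        LABEL_LIST[name] = SmackLabel(name)
    return LABEL_LIST[name]

def smk_find(name):
    """Lookup without creating: a None result models a label that has
    never been seen before (e.g. a new CIPSO label off the network)."""
    return LABEL_LIST.get(name)

def add_rule(subject, obj, access):
    """Hang the rule off the subject label's own entry."""
    s, o = smk_import(subject), smk_import(obj)
    s.rules[o] = set(access)

def smk_access(subject, obj, access):
    """True if every requested access char is permitted. Subject and
    object may be label names or already-resolved SmackLabel entries."""
    s = subject if isinstance(subject, SmackLabel) else smk_find(subject)
    o = obj if isinstance(obj, SmackLabel) else smk_find(obj)
    if s is not None and s is o:            # identity compare, no strcmp
        return True                         # same label: always allowed
    if o is not None and o.name == "*":     # star object: any access allowed
        return True
    if s is None or s.name == "*":          # unknown or star subject: denied
        return False
    allowed = s.rules.get(o)                # only this subject's rules examined
    return allowed is not None and set(access) <= allowed

def load_sample_rules():
    """Constructed rule set for demonstration; returns the label count."""
    smk_import("*")
    add_rule("Apache", "HR", "r")
    add_rule("HR", "Apache", "rw")
    return len(LABEL_LIST)
```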
    • Smack: check permissions from user space (v2) · 828716c2
      Jarkko Sakkinen authored
      Adds a new file into SmackFS called 'access'. Wanted
      Smack permission is written into /smack/access.
      After that result can be read from the opened file.
      If access applies result contains 1 and otherwise
      0. File access is protected from race conditions
      by using simple_transaction_get()/set() API.
      
      Fixes from the previous version:
      - Removed smack.h changes, refactoring left-over
      from previous version.
      - Removed #include <linux/smack.h>, refactoring
      left-over from previous version.
      Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@intel.com>
      Signed-off-by: Casey Schaufler <cschaufler@cschaufler-intel.(none)>
    • TOMOYO: Fix quota and garbage collector. · 545a7260
      Tetsuo Handa authored
      Commit 059d84db "TOMOYO: Add socket operation restriction support" and
      commit 731d37aa "TOMOYO: Allow domain transition without execve()." forgot to
      update tomoyo_domain_quota_is_ok() and tomoyo_del_acl() which results in
      incorrect quota counting and memory leak.
      Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Signed-off-by: James Morris <jmorris@namei.org>
    • TOMOYO: Remove redundant tasklist_lock. · e2b8b25a
      Tetsuo Handa authored
      rcu_read_lock() is sufficient for calling find_task_by_pid_ns()/find_task_by_vpid().
      Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Signed-off-by: James Morris <jmorris@namei.org>
  12. 19 Sep, 2011 1 commit
    • TOMOYO: Allow specifying domain transition preference. · 6bce98ed
      Tetsuo Handa authored
      I got an opinion that it is difficult to use exception policy's domain
      transition control directives because they need to match the pathname specified
      to "file execute" directives. For example, if "file execute /bin/\*\-ls\-cat"
      is given, corresponding domain transition control directive needs to be like
      "no_keep_domain /bin/\*\-ls\-cat from any".
      
      If we can specify like below, it will become more convenient.
      
        file execute /bin/ls keep exec.realpath="/bin/ls" exec.argv[0]="ls"
        file execute /bin/cat keep exec.realpath="/bin/cat" exec.argv[0]="cat"
        file execute /bin/\*\-ls\-cat child
        file execute /usr/sbin/httpd <apache> exec.realpath="/usr/sbin/httpd" exec.argv[0]="/usr/sbin/httpd"
      
      In the above examples, "keep" works as if keep_domain is specified, "child" works
      as if "no_reset_domain" and "no_initialize_domain" and "no_keep_domain" are
      specified, "<apache>" causes domain transition to <apache> domain upon
      successful execve() operation.
      
      Moreover, we can also allow transition to different domains based on conditions
      like the example below.
      
        <kernel> /usr/sbin/sshd
        file execute /bin/bash <kernel> /usr/sbin/sshd //batch-session exec.argc=2 exec.argv[1]="-c"
        file execute /bin/bash <kernel> /usr/sbin/sshd //root-session task.uid=0
        file execute /bin/bash <kernel> /usr/sbin/sshd //nonroot-session task.uid!=0
      Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Signed-off-by: James Morris <jmorris@namei.org>
  15. 13 Sep, 2011 2 commits
    • TOMOYO: Avoid race when retrying "file execute" permission check. · a8f76409
      Tetsuo Handa authored
      There was a race window that the pathname which is subjected to "file execute"
      permission check when retrying via supervisor's decision because the pathname
      was recalculated upon retry. Though, there is an inevitable race window even
      without supervisor, for we have to calculate the symbolic link's pathname from
      "struct linux_binprm"->filename rather than from "struct linux_binprm"->file
      because we cannot back calculate the symbolic link's pathname from the
      dereferenced pathname.
      Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Signed-off-by: James Morris <jmorris@namei.org>
    • TOMOYO: Allow domain transition without execve(). · 731d37aa
      Tetsuo Handa authored
      To be able to split permissions for Apache's CGI programs which are executed
      without execve(), add special domain transition which is performed by writing
      a TOMOYO's domainname to /sys/kernel/security/tomoyo/self_domain interface.
      
      This is an API for TOMOYO-aware userland applications. However, since I expect
      TOMOYO and other LSM modules to run in parallel, this patch does not use
      /proc/self/attr/ interface in order to avoid conflicts with other LSM modules
      when it became possible to run multiple LSM modules in parallel.
      Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Signed-off-by: James Morris <jmorris@namei.org>