1. 02 Sep, 2009 9 commits
    • David Howells's avatar
      KEYS: Add a keyctl to install a process's session keyring on its parent [try #6] · ee18d64c
      David Howells authored
      Add a keyctl to install a process's session keyring onto its parent.  This
      replaces the parent's session keyring.  Because the COW credential code does
      not permit one process to change another process's credentials directly, the
      change is deferred until userspace next starts executing again.  Normally this
      will be after a wait*() syscall.
      
      To support this, three new security hooks have been provided:
      cred_alloc_blank() to allocate unset security creds, cred_transfer() to fill in
      the blank security creds and key_session_to_parent() - which asks the LSM if
      the process may replace its parent's session keyring.
      
      The replacement may only happen if the process has the same ownership details
      as its parent, and the process has LINK permission on the session keyring, and
      the session keyring is owned by the process, and the LSM permits it.
      
      Note that this requires alteration to each architecture's notify_resume path.
      This has been done for all arches barring blackfin, m68k* and xtensa, all of
      which need assembly alteration to support TIF_NOTIFY_RESUME.  This allows the
      replacement to be performed at the point the parent process resumes userspace
      execution.
      
      This allows the userspace AFS pioctl emulation to fully emulate newpag() and
      the VIOCSETTOK and VIOCSETTOK2 pioctls, all of which require the ability to
      alter the parent process's PAG membership.  However, since kAFS doesn't use
      PAGs per se, but rather dumps the keys into the session keyring, the session
      keyring of the parent must be replaced if, for example, VIOCSETTOK is passed
      the newpag flag.
      
      This can be tested with the following program:
      
      	#include <stdio.h>
      	#include <stdlib.h>
      	#include <keyutils.h>
      
      	#define KEYCTL_SESSION_TO_PARENT	18
      
      	#define OSERROR(X, S) do { if ((long)(X) == -1) { perror(S); exit(1); } } while(0)
      
      	int main(int argc, char **argv)
      	{
      		key_serial_t keyring, key;
      		long ret;
      
      		keyring = keyctl_join_session_keyring(argv[1]);
      		OSERROR(keyring, "keyctl_join_session_keyring");
      
      		key = add_key("user", "a", "b", 1, keyring);
      		OSERROR(key, "add_key");
      
      		ret = keyctl(KEYCTL_SESSION_TO_PARENT);
      		OSERROR(ret, "KEYCTL_SESSION_TO_PARENT");
      
      		return 0;
      	}
      
      Compiled and linked with -lkeyutils, you should see something like:
      
      	[dhowells@andromeda ~]$ keyctl show
      	Session Keyring
      	       -3 --alswrv   4043  4043  keyring: _ses
      	355907932 --alswrv   4043    -1   \_ keyring: _uid.4043
      	[dhowells@andromeda ~]$ /tmp/newpag
      	[dhowells@andromeda ~]$ keyctl show
      	Session Keyring
      	       -3 --alswrv   4043  4043  keyring: _ses
      	1055658746 --alswrv   4043  4043   \_ user: a
      	[dhowells@andromeda ~]$ /tmp/newpag hello
      	[dhowells@andromeda ~]$ keyctl show
      	Session Keyring
      	       -3 --alswrv   4043  4043  keyring: hello
      	340417692 --alswrv   4043  4043   \_ user: a
      
      Where the test program creates a new session keyring, sticks a user key named
      'a' into it and then installs it on its parent.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      ee18d64c
    • David Howells's avatar
      KEYS: Extend TIF_NOTIFY_RESUME to (almost) all architectures [try #6] · d0420c83
      David Howells authored
      Implement TIF_NOTIFY_RESUME for most of those architectures in which isn't yet
      available, and, whilst we're at it, have it call the appropriate tracehook.
      
      After this patch, blackfin, m68k* and xtensa still lack support and need
      alteration of assembly code to make it work.
      
      Resume notification can then be used (by a later patch) to install a new
      session keyring on the parent of a process.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Acked-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      
      cc: linux-arch@vger.kernel.org
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      d0420c83
    • David Howells's avatar
      KEYS: Do some whitespace cleanups [try #6] · 7b1b9164
      David Howells authored
      Do some whitespace cleanups in the key management code.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Acked-by: default avatarSerge Hallyn <serue@us.ibm.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      7b1b9164
    • Serge E. Hallyn's avatar
      KEYS: Make /proc/keys use keyid not numread as file position [try #6] · ad73a717
      Serge E. Hallyn authored
      Make the file position maintained by /proc/keys represent the ID of the key
      just read rather than the number of keys read.  This should make it faster to
      perform a lookup as we don't have to scan the key ID tree from the beginning to
      find the current position.
      Signed-off-by: default avatarSerge E. Hallyn <serue@us.ibm.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      ad73a717
    • David Howells's avatar
      KEYS: Add garbage collection for dead, revoked and expired keys. [try #6] · 5d135440
      David Howells authored
      Add garbage collection for dead, revoked and expired keys.  This involved
      erasing all links to such keys from keyrings that point to them.  At that
      point, the key will be deleted in the normal manner.
      
      Keyrings from which garbage collection occurs are shrunk and their quota
      consumption reduced as appropriate.
      
      Dead keys (for which the key type has been removed) will be garbage collected
      immediately.
      
      Revoked and expired keys will hang around for a number of seconds, as set in
      /proc/sys/kernel/keys/gc_delay before being automatically removed.  The default
      is 5 minutes.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      5d135440
    • David Howells's avatar
      KEYS: Flag dead keys to induce EKEYREVOKED [try #6] · f041ae2f
      David Howells authored
      Set the KEY_FLAG_DEAD flag on keys for which the type has been removed.  This
      causes the key_permission() function to return EKEYREVOKED in response to
      various commands.  It does not, however, prevent unlinking or clearing of
      keyrings from detaching the key.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Acked-by: default avatarSerge Hallyn <serue@us.ibm.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      f041ae2f
    • David Howells's avatar
      KEYS: Allow keyctl_revoke() on keys that have SETATTR but not WRITE perm [try #6] · 0c2c9a3f
      David Howells authored
      Allow keyctl_revoke() to operate on keys that have SETATTR but not WRITE
      permission, rather than only on keys that have WRITE permission.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Acked-by: default avatarSerge Hallyn <serue@us.ibm.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      0c2c9a3f
    • David Howells's avatar
      KEYS: Deal with dead-type keys appropriately [try #6] · 5593122e
      David Howells authored
      Allow keys for which the key type has been removed to be unlinked.  Currently
      dead-type keys can only be disposed of by completely clearing the keyrings
      that point to them.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Acked-by: default avatarSerge Hallyn <serue@us.ibm.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      5593122e
    • David Howells's avatar
      CRED: Add some configurable debugging [try #6] · e0e81739
      David Howells authored
      Add a config option (CONFIG_DEBUG_CREDENTIALS) to turn on some debug checking
      for credential management.  The additional code keeps track of the number of
      pointers from task_structs to any given cred struct, and checks to see that
      this number never exceeds the usage count of the cred struct (which includes
      all references, not just those from task_structs).
      
      Furthermore, if SELinux is enabled, the code also checks that the security
      pointer in the cred struct is never seen to be invalid.
      
      This attempts to catch the bug whereby inode_has_perm() faults in an nfsd
      kernel thread on seeing cred->security be a NULL pointer (it appears that the
      credential struct has been previously released):
      
      	http://www.kerneloops.org/oops.php?number=252883Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      e0e81739
  2. 31 Aug, 2009 2 commits
    • Paul Moore's avatar
      selinux: Support for the new TUN LSM hooks · ed6d76e4
      Paul Moore authored
      Add support for the new TUN LSM hooks: security_tun_dev_create(),
      security_tun_dev_post_create() and security_tun_dev_attach().  This includes
      the addition of a new object class, tun_socket, which represents the socks
      associated with TUN devices.  The _tun_dev_create() and _tun_dev_post_create()
      hooks are fairly similar to the standard socket functions but _tun_dev_attach()
      is a bit special.  The _tun_dev_attach() is unique because it involves a
      domain attaching to an existing TUN device and its associated tun_socket
      object, an operation which does not exist with standard sockets and most
      closely resembles a relabel operation.
      Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
      Acked-by: default avatarEric Paris <eparis@parisplace.org>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      ed6d76e4
    • Paul Moore's avatar
      lsm: Add hooks to the TUN driver · 2b980dbd
      Paul Moore authored
      The TUN driver lacks any LSM hooks which makes it difficult for LSM modules,
      such as SELinux, to enforce access controls on network traffic generated by
      TUN users; this is particularly problematic for virtualization apps such as
      QEMU and KVM.  This patch adds three new LSM hooks designed to control the
      creation and attachment of TUN devices, the hooks are:
      
       * security_tun_dev_create()
         Provides access control for the creation of new TUN devices
      
       * security_tun_dev_post_create()
         Provides the ability to create the necessary socket LSM state for newly
         created TUN devices
      
       * security_tun_dev_attach()
         Provides access control for attaching to existing, persistent TUN devices
         and the ability to update the TUN device's socket LSM state as necessary
      Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
      Acked-by: default avatarEric Paris <eparis@parisplace.org>
      Acked-by: default avatarSerge Hallyn <serue@us.ibm.com>
      Acked-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      2b980dbd
  3. 24 Aug, 2009 1 commit
  4. 21 Aug, 2009 2 commits
  5. 19 Aug, 2009 12 commits
  6. 18 Aug, 2009 14 commits