1. 15 Jul, 2015 3 commits
    • Kees Cook's avatar
      seccomp: swap hard-coded zeros to defined name · 221272f9
      Kees Cook authored
      For clarity, if CONFIG_SECCOMP isn't defined, seccomp_mode() is returning
      "disabled". This makes that more clear, along with another 0-use, and
      results in no operational change.
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      221272f9
    • Tycho Andersen's avatar
      seccomp: add ptrace options for suspend/resume · 13c4a901
      Tycho Andersen authored
      This patch is the first step in enabling checkpoint/restore of processes
      with seccomp enabled.
      
      One of the things CRIU does while dumping tasks is inject code into them
      via ptrace to collect information that is only available to the process
      itself. However, if we are in a seccomp mode where these processes are
      prohibited from making these syscalls, then what CRIU does kills the task.
      
      This patch adds a new ptrace option, PTRACE_O_SUSPEND_SECCOMP, that enables
      a task from the init user namespace which has CAP_SYS_ADMIN and no seccomp
      filters to disable (and re-enable) seccomp filters for another task so that
      they can be successfully dumped (and restored). We restrict the set of
      processes that can disable seccomp through ptrace because although today
      ptrace can be used to bypass seccomp, there is some discussion of closing
      this loophole in the future and we would like this patch to not depend on
      that behavior and be future proofed for when it is removed.
      
      Note that seccomp can be suspended before any filters are actually
      installed; this behavior is useful on criu restore, so that we can suspend
      seccomp, restore the filters, unmap our restore code from the restored
      process' address space, and then resume the task by detaching and have the
      filters resumed as well.
      
      v2 changes:
      
      * require that the tracer have no seccomp filters installed
      * drop TIF_NOTSC manipulation from the patch
      * change from ptrace command to a ptrace option and use this ptrace option
        as the flag to check. This means that as soon as the tracer
        detaches/dies, seccomp is re-enabled and as a corrollary that one can not
        disable seccomp across PTRACE_ATTACHs.
      
      v3 changes:
      
      * get rid of various #ifdefs everywhere
      * report more sensible errors when PTRACE_O_SUSPEND_SECCOMP is incorrectly
        used
      
      v4 changes:
      
      * get rid of may_suspend_seccomp() in favor of a capable() check in ptrace
        directly
      
      v5 changes:
      
      * check that seccomp is not enabled (or suspended) on the tracer
      Signed-off-by: default avatarTycho Andersen <tycho.andersen@canonical.com>
      CC: Will Drewry <wad@chromium.org>
      CC: Roland McGrath <roland@hack.frob.com>
      CC: Pavel Emelyanov <xemul@parallels.com>
      CC: Serge E. Hallyn <serge.hallyn@ubuntu.com>
      Acked-by: default avatarOleg Nesterov <oleg@redhat.com>
      Acked-by: default avatarAndy Lutomirski <luto@amacapital.net>
      [kees: access seccomp.mode through seccomp_mode() instead]
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      13c4a901
    • Pranith Kumar's avatar
      seccomp: Replace smp_read_barrier_depends() with lockless_dereference() · 8225d385
      Pranith Kumar authored
      Recently lockless_dereference() was added which can be used in place of
      hard-coding smp_read_barrier_depends(). The following PATCH makes the change.
      Signed-off-by: default avatarPranith Kumar <bobby.prani@gmail.com>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      8225d385
  2. 18 Jun, 2015 1 commit
  3. 16 Jun, 2015 7 commits
  4. 12 Jun, 2015 2 commits
  5. 05 Jun, 2015 1 commit
    • J. Bruce Fields's avatar
      selinux: fix setting of security labels on NFS · 9fc2b4b4
      J. Bruce Fields authored
      Before calling into the filesystem, vfs_setxattr calls
      security_inode_setxattr, which ends up calling selinux_inode_setxattr in
      our case.  That returns -EOPNOTSUPP whenever SBLABEL_MNT is not set.
      SBLABEL_MNT was supposed to be set by sb_finish_set_opts, which sets it
      only if selinux_is_sblabel_mnt returns true.
      
      The selinux_is_sblabel_mnt logic was broken by eadcabc6 "SELinux: do
      all flags twiddling in one place", which didn't take into the account
      the SECURITY_FS_USE_NATIVE behavior that had been introduced for nfs
      with eb9ae686 "SELinux: Add new labeling type native labels".
      
      This caused setxattr's of security labels over NFSv4.2 to fail.
      
      Cc: stable@kernel.org # 3.13
      Cc: Eric Paris <eparis@redhat.com>
      Cc: David Quigley <dpquigl@davequigley.com>
      Reported-by: default avatarRichard Chan <rc556677@outlook.com>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      Acked-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      [PM: added the stable dependency]
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      9fc2b4b4
  6. 04 Jun, 2015 6 commits
    • Stephen Smalley's avatar
      selinux: Remove unused permission definitions · 42a9699a
      Stephen Smalley authored
      Remove unused permission definitions from SELinux.
      Many of these were only ever used in pre-mainline
      versions of SELinux, prior to Linux 2.6.0.  Some of them
      were used in the legacy network or compat_net=1 checks
      that were disabled by default in Linux 2.6.18 and
      fully removed in Linux 2.6.30.
      
      Permissions never used in mainline Linux:
      file swapon
      filesystem transition
      tcp_socket { connectto newconn acceptfrom }
      node enforce_dest
      unix_stream_socket { newconn acceptfrom }
      
      Legacy network checks, removed in 2.6.30:
      socket { recv_msg send_msg }
      node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
      netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
      Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      42a9699a
    • Stephen Smalley's avatar
      selinux: enable genfscon labeling for sysfs and pstore files · 8e014720
      Stephen Smalley authored
      Support per-file labeling of sysfs and pstore files based on
      genfscon policy entries.  This is safe because the sysfs
      and pstore directory tree cannot be manipulated by userspace,
      except to unlink pstore entries.
      This provides an alternative method of assigning per-file labeling
      to sysfs or pstore files without needing to set the labels from
      userspace on each boot.  The advantages of this approach are that
      the labels are assigned as soon as the dentry is first instantiated
      and userspace does not need to walk the sysfs or pstore tree and
      set the labels on each boot.  The limitations of this approach are
      that the labels can only be assigned based on pathname prefix matching.
      You can initially assign labels using this mechanism and then change
      them at runtime via setxattr if allowed to do so by policy.
      Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Suggested-by: default avatarDominick Grift <dac.override@gmail.com>
      Acked-by: default avatarJeff Vander Stoep <jeffv@google.com>
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      8e014720
    • Stephen Smalley's avatar
      selinux: enable per-file labeling for debugfs files. · 134509d5
      Stephen Smalley authored
      Add support for per-file labeling of debugfs files so that
      we can distinguish them in policy.  This is particularly
      important in Android where certain debugfs files have to be writable
      by apps and therefore the debugfs directory tree can be read and
      searched by all.
      
      Since debugfs is entirely kernel-generated, the directory tree is
      immutable by userspace, and the inodes are pinned in memory, we can
      simply use the same approach as with proc and label the inodes from
      policy based on pathname from the root of the debugfs filesystem.
      Generalize the existing labeling support used for proc and reuse it
      for debugfs too.
      Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      134509d5
    • Stephen Smalley's avatar
      selinux: update netlink socket classes · 6c6d2e9b
      Stephen Smalley authored
      Update the set of SELinux netlink socket class definitions to match
      the set of netlink protocols implemented by the kernel.  The
      ip_queue implementation for the NETLINK_FIREWALL and NETLINK_IP6_FW protocols
      was removed in d16cf20e, so we can remove
      the corresponding class definitions as this is dead code.  Add new
      classes for NETLINK_ISCSI, NETLINK_FIB_LOOKUP, NETLINK_CONNECTOR,
      NETLINK_NETFILTER, NETLINK_GENERIC, NETLINK_SCSITRANSPORT, NETLINK_RDMA,
      and NETLINK_CRYPTO so that we can distinguish among sockets created
      for each of these protocols.  This change does not define the finer-grained
      nlsmsg_read/write permissions or map specific nlmsg_type values to those
      permissions in the SELinux nlmsgtab; if finer-grained control of these
      sockets is desired/required, that can be added as a follow-on change.
      We do not define a SELinux class for NETLINK_ECRYPTFS as the implementation
      was removed in 624ae528.
      Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      6c6d2e9b
    • Oleg Nesterov's avatar
      signals: don't abuse __flush_signals() in selinux_bprm_committed_creds() · 9e7c8f8c
      Oleg Nesterov authored
      selinux_bprm_committed_creds()->__flush_signals() is not right, we
      shouldn't clear TIF_SIGPENDING unconditionally. There can be other
      reasons for signal_pending(): freezing(), JOBCTL_PENDING_MASK, and
      potentially more.
      
      Also change this code to check fatal_signal_pending() rather than
      SIGNAL_GROUP_EXIT, it looks a bit better.
      
      Now we can kill __flush_signals() before it finds another buggy user.
      
      Note: this code looks racy, we can flush a signal which was sent after
      the task SID has been updated.
      Signed-off-by: default avatarOleg Nesterov <oleg@redhat.com>
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      9e7c8f8c
    • Marek Milkovic's avatar
      selinux: Print 'sclass' as string when unrecognized netlink message occurs · cded3fff
      Marek Milkovic authored
      This prints the 'sclass' field as string instead of index in unrecognized netlink message.
      The textual representation makes it easier to distinguish the right class.
      Signed-off-by: default avatarMarek Milkovic <mmilkovi@redhat.com>
      Acked-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      [PM: 80-char width fixes]
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      cded3fff
  7. 03 Jun, 2015 1 commit
  8. 02 Jun, 2015 2 commits
    • Rafal Krypa's avatar
      Smack: allow multiple labels in onlycap · c0d77c88
      Rafal Krypa authored
      Smack onlycap allows limiting of CAP_MAC_ADMIN and CAP_MAC_OVERRIDE to
      processes running with the configured label. But having single privileged
      label is not enough in some real use cases. On a complex system like Tizen,
      there maybe few programs that need to configure Smack policy in run-time
      and running them all with a single label is not always practical.
      This patch extends onlycap feature for multiple labels. They are configured
      in the same smackfs "onlycap" interface, separated by spaces.
      Signed-off-by: default avatarRafal Krypa <r.krypa@samsung.com>
      c0d77c88
    • Rafal Krypa's avatar
      Smack: fix seq operations in smackfs · 01fa8474
      Rafal Krypa authored
      Use proper RCU functions and read locking in smackfs seq_operations.
      
      Smack gets away with not using proper RCU functions in smackfs, because
      it never removes entries from these lists. But now one list will be
      needed (with interface in smackfs) that will have both elements added and
      removed to it.
      This change will also help any future changes implementing removal of
      unneeded entries from other Smack lists.
      
      The patch also fixes handling of pos argument in smk_seq_start and
      smk_seq_next. This fixes a bug in case when smackfs is read with a small
      buffer:
      
      Kernel panic - not syncing: Kernel mode fault at addr 0xfa0000011b
      CPU: 0 PID: 1292 Comm: dd Not tainted 4.1.0-rc1-00012-g98179b8 #13
      Stack:
       00000003 0000000d 7ff39e48 7f69fd00
       7ff39ce0 601ae4b0 7ff39d50 600e587b
       00000010 6039f690 7f69fd40 00612003
      Call Trace:
       [<601ae4b0>] load2_seq_show+0x19/0x1d
       [<600e587b>] seq_read+0x168/0x331
       [<600c5943>] __vfs_read+0x21/0x101
       [<601a595e>] ? security_file_permission+0xf8/0x105
       [<600c5ec6>] ? rw_verify_area+0x86/0xe2
       [<600c5fc3>] vfs_read+0xa1/0x14c
       [<600c68e2>] SyS_read+0x57/0xa0
       [<6001da60>] handle_syscall+0x60/0x80
       [<6003087d>] userspace+0x442/0x548
       [<6001aa77>] ? interrupt_end+0x0/0x80
       [<6001daae>] ? copy_chunk_to_user+0x0/0x2b
       [<6002cb6b>] ? save_registers+0x1f/0x39
       [<60032ef7>] ? arch_prctl+0xf5/0x170
       [<6001a92d>] fork_handler+0x85/0x87
      Signed-off-by: default avatarRafal Krypa <r.krypa@samsung.com>
      01fa8474
  9. 21 May, 2015 10 commits
  10. 15 May, 2015 2 commits
    • Lukasz Pawelczyk's avatar
      smack: pass error code through pointers · e774ad68
      Lukasz Pawelczyk authored
      This patch makes the following functions to use ERR_PTR() and related
      macros to pass the appropriate error code through returned pointers:
      
      smk_parse_smack()
      smk_import_entry()
      smk_fetch()
      
      It also makes all the other functions that use them to handle the
      error cases properly. This ways correct error codes from places
      where they happened can be propagated to the user space if necessary.
      
      Doing this it fixes a bug in onlycap and unconfined files
      handling. Previously their content was cleared on any error from
      smk_import_entry/smk_parse_smack, be it EINVAL (as originally intended)
      or ENOMEM. Right now it only reacts on EINVAL passing other codes
      properly to userspace.
      
      Comments have been updated accordingly.
      Signed-off-by: default avatarLukasz Pawelczyk <l.pawelczyk@samsung.com>
      e774ad68
    • Seung-Woo Kim's avatar
      Smack: ignore private inode for smack_file_receive · 9777582e
      Seung-Woo Kim authored
      The dmabuf fd can be shared between processes via unix domain
      socket. The file of dmabuf fd is came from anon_inode. The inode
      has no set and get xattr operations, so it can not be shared
      between processes with smack. This patch fixes just to ignore
      private inode including anon_inode for smack_file_receive.
      Signed-off-by: default avatarSeung-Woo Kim <sw0312.kim@samsung.com>
      9777582e
  11. 13 May, 2015 2 commits
  12. 12 May, 2015 3 commits