gmane.linux.kernel.lsm
http://blog.gmane.org/gmane.linux.kernel.lsm
hourly11901-01-01T00:00+00:00Gmanehttp://gmane.org/img/gmane-25t.png
http://gmane.org
[PATCH] Smack: Maintainer Record
http://comments.gmane.org/gmane.linux.kernel.lsm/16468
<pre>From: Casey Schaufler <casey< at >schaufler-ca.com>
Subject: [PATCH] Smack: Maintainer Record
Add a maintainer record for the Smack LSM.
Targeted for git://git.gitorious.org/smack-next/kernel.git
Signed-off-by: Casey Schaufler <casey< at >schaufler-ca.com>
---
MAINTAINERS | 9 +++++++++
1 files changed, 9 insertions(+), 0 deletions(-)
diff --git a/MAINTAINERS b/MAINTAINERS
index d7ca204..ccc8a14 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
< at >< at > -6133,6 +6133,15 < at >< at > S:Maintained
F:include/linux/sl?b*.h
F:mm/sl?b.c
+SMACK SECURITY MODULE
+M:Casey Schaufler <casey< at >schaufler-ca.com>
+L:linux-security-module< at >vger.kernel.org
+W:http://schaufler-ca.com
+T:git git://git.gitorious.org/smack-next/kernel.git
+S:Maintained
+F:Documentation/security/Smack.txt
+F:security/smack/
+
SMC91x ETHERNET DRIVER
M:Nicolas Pitre <nico< at >fluxnic.net>
S:Odd Fixes
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo< at >vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
</pre>Casey Schaufler2012-05-24T01:34:52[PATCH] Smack: fix smack_new_inode bogosities
http://comments.gmane.org/gmane.linux.kernel.lsm/16467
<pre>From: Casey Schaufler <casey< at >schaufler-ca.com>
Subject: [PATCH] Smack: fix smack_new_inode bogosities
In January of 2012 Al Viro pointed out three bits of code that
he titled "new_inode_smack bogosities". This patch repairs these
errors.
1. smack_sb_kern_mount() included a NULL check that is impossible.
The check and NULL case are removed.
2. smack_kb_kern_mount() included pointless locking. The locking is
removed. Since this is the only place that lock was used the lock
is removed from the superblock_smack structure.
3. smk_fill_super() incorrectly and unnecessarily set the Smack label
for the smackfs root inode. The assignment has been removed.
Targeted for git://gitorious.org/smack-next/kernel.git
Signed-off-by: Casey Schaufler <casey< at >schaufler-ca.com>
---
security/smack/smack.h | 1 -
security/smack/smack_lsm.c | 8 ++------
security/smack/smackfs.c | 1 -
3 files changed, 2 insertions(+), 8 deletions(-)
diff --git a/security/smack/smack.h b/security/smack/smack.h
index cc361b8..76feb31 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
< at >< at > -43,7 +43,6 < at >< at > struct superblock_smack {
char*smk_hat;
char*smk_default;
intsmk_initialized;
-spinlock_tsmk_sblock;/* for initialization */
};
struct socket_smack {
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index d583c05..5a4d52c 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
< at >< at > -251,7 +251,6 < at >< at > static int smack_sb_alloc_security(struct super_block *sb)
sbsp->smk_floor = smack_known_floor.smk_known;
sbsp->smk_hat = smack_known_hat.smk_known;
sbsp->smk_initialized = 0;
-spin_lock_init(&sbsp->smk_sblock);
sb->s_security = sbsp;
< at >< at > -332,13 +331,10 < at >< at > static int smack_sb_kern_mount(struct super_block *sb, int flags, void *data)
char *commap;
char *nsp;
-spin_lock(&sp->smk_sblock);
-if (sp->smk_initialized != 0) {
-spin_unlock(&sp->smk_sblock);
+if (sp->smk_initialized != 0)
return 0;
-}
+
sp->smk_initialized = 1;
-spin_unlock(&sp->smk_sblock);
for (op = data; op != NULL; op = commap) {
commap = strchr(op, ',');
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index 1810c9a..3686db7 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
< at >< at > -2051,7 +2051,6 < at >< at > static int smk_fill_super(struct super_block *sb, void *data, int silent)
}
root_inode = sb->s_root->d_inode;
-root_inode->i_security = new_inode_smack(smack_known_floor.smk_known);
return 0;
}
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo< at >vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
</pre>Casey Schaufler2012-05-24T00:46:58[PATCH 00/23] Crypto keys and module signing
http://comments.gmane.org/gmane.linux.kernel.lsm/16436
<pre>
Okay Rusty,
Here's a set of patches that does module signing attaching the signature in the
way you wanted. I do not agree with doing it this way. However, as you
insisted rather forcefully...
===============
<<< WARNING >>>
===============
Anyone wanting to use the module signing facility contained in these
patches MUST FIRST make sure that modules are not stripped after being
signed. This includes by packaging systems (such as rpmbuild) extracting
debug information and due to size reduction for initramfs composition.
This is likely to require alterations to userspace packages, both on the
build machine and the installed machine.
If the module is passed through strip, but the signature is _not_
discarded, then the module load will be rejected, potentially resulting in
an unbootable machine. If you are in FIPS mode the kernel will panic.
To make the modules more usable from an initramfs (which may have limited
capacity), the module files are maximally stripped (by both strip -x -g and
eu-strip) before being signed. This appears to result in the smallest,
still-viable module possible.
However, all debug information is discarded, along with chunks of the symbol
and string tables that might otherwise be useful. An unstripped, unsigned copy
of the module is left in the build tree (called foo.ko.unsigned) that should be
usable for debugging purposes.
The extended module file format is as follows:
The module signature is appended to the end of the module file, followed by
"< at >mod_size< at >\n< at >sig_size< at >\nThis Is A Crypto Signed Module".
The EOF must follow the magic string directly, so nothing further must be
appended to the file.
mod_size and sig_size are left-aligned decimal numbers, space-padded to 8
characters. mod_size is the size of the module payload part of the file and
sig_size is the size of the signature blob.
Note the first patch is a bugfix to kernel/module.c (look for "Guard check in
module loader against integer overflow").
The patches can also be found here:
http://git.kernel.org/?p=linux/kernel/git/dhowells/linux-modsign.git;a=shortlog;h=refs/heads/modsign-rusty
David
---
Changes made 22/05/2012:
(*) Fixes for the PGP/keys handling parts:
- Fix some checkpatch noise [Thanks to Tetsuo Handa].
- Preclear array on stack [Thanks to Tetsuo Handa].
- Check (sub)packet length [Thanks to Stephan Mueller].
- Decrease (not increase) remnant length in signature parsing.
- Handle new-format 5-octet length encoding.
- Better report encounter of Partial Body Length spec.
- Adjust the error handling.
(*) Completely redo how signature is attached to the module file to comply
with Rusty's specified method. Also pre-strip modules.
(*) Drop the MPILIB extra-exports patch as it's only required for the DSA
algorithm.
Changes made 10/05/2012:
(*) Overhauled the ELF checking code and module signing code.
- Moved into one file.
- Removed a lot of redundant ELF checks, relying a lot on the signature to
catch stuff.
- Rearranged the ELF checker function.
- Commented thoroughly and documented things better in the commit messages.
- Made it possible to exclude REL or RELA relocation handling.
- Rearranged the modsign patch subset to be more logical.
- Massively reduced the code size.
(*) Applied a patch to handle short signatures.
(*) Fixed a potential overflow in a check in the core module code.
Changes made 07/12/2011:
(*) Dropped the DSA algorithm.
Changes made 02/12/2011:
(*) Completely overhauled the architecture.
- Introduced data parsers.
- Reduced subtype to cryptographic data carrier.
- Extracted out the common PGP bits of DSA and RSA algorithms.
- Defined an asymmetric public-key subtype.
- Reduced DSA and RSA algorithms to minimum.
- Rolled verification initiation and key selection together into one.
- Moved verification add_data/finish/cancel op pointers into verification
context.
Changes made 29/11/2011:
(*) Added RSA signature verification.
(*) Stopped signature verification crashing on unsupported hash algorithm.
(*) Fixed ENOMEM handling bug in MPI.
(*) Worked around ccache problems with compilation of PGP public keyring into
kernel (ccache hashes the preprocessor output, but the assembler includes
the binary data, so ccache doesn't see that it changed).
(*) Added a choice in kernel config for hash algorithm to use; forced the
appropriate crypto module to be built directly into the kernel.
(*) Cleaned out some debugging code.
(*) Updated documentation.
---
David Howells (23):
MODSIGN: Panic the kernel if FIPS is enabled upon module signing failure
MODSIGN: Automatically generate module signing keys if missing
MODSIGN: Module signature verification
MODSIGN: Provide module signing public keys to the kernel
MODSIGN: Sign modules during the build process
MODSIGN: Provide Documentation and Kconfig options
MODSIGN: Provide gitignore and make clean rules for extra files
KEYS: Provide a function to load keys from a PGP keyring blob
KEYS: PGP format signature parser
KEYS: PGP-based public key signature verification
KEYS: PGP data parser
PGPLIB: Signature parser
PGPLIB: Basic packet parser
PGPLIB: PGP definitions (RFC 4880)
Fix signature verification for shorter signatures
KEYS: RSA signature verification algorithm
KEYS: Asymmetric public-key algorithm crypto key subtype
KEYS: Add signature verification facility
KEYS: Create a key type that can be used for general cryptographic operations
KEYS: Reorganise keys Makefile
KEYS: Announce key type (un)registration
KEYS: Move the key config into security/keys/Kconfig
Guard check in module loader against integer overflow
.gitignore | 13 +
Documentation/module-signing.txt | 183 +++++++++++
Documentation/security/keys-crypto.txt | 302 ++++++++++++++++++
Makefile | 1
include/keys/crypto-subtype.h | 77 ++++
include/keys/crypto-type.h | 37 ++
include/linux/modsign.h | 27 ++
include/linux/module.h | 3
include/linux/pgp.h | 255 +++++++++++++++
init/Kconfig | 62 ++++
kernel/Makefile | 42 ++
kernel/modsign-pubkey.c | 74 ++++
kernel/module-verify.c | 153 +++++++++
kernel/module-verify.h | 20 +
kernel/module.c | 29 +-
net/dns_resolver/dns_key.c | 5
scripts/Makefile.modpost | 98 ++++++
security/Kconfig | 68 ----
security/keys/Kconfig | 73 ++++
security/keys/Makefile | 13 +
security/keys/crypto/Kconfig | 51 +++
security/keys/crypto/Makefile | 17 +
security/keys/crypto/crypto_keys.h | 28 ++
security/keys/crypto/crypto_rsa.c | 290 +++++++++++++++++
security/keys/crypto/crypto_type.c | 228 +++++++++++++
security/keys/crypto/crypto_verify.c | 111 ++++++
security/keys/crypto/pgp_key_parser.c | 347 ++++++++++++++++++++
security/keys/crypto/pgp_library.c | 550 ++++++++++++++++++++++++++++++++
security/keys/crypto/pgp_parser.h | 35 ++
security/keys/crypto/pgp_preload.c | 90 +++++
security/keys/crypto/pgp_pubkey_sig.c | 324 +++++++++++++++++++
security/keys/crypto/pgp_sig_parser.c | 113 +++++++
security/keys/crypto/public_key.c | 55 +++
security/keys/crypto/public_key.h | 108 ++++++
security/keys/key.c | 3
35 files changed, 3803 insertions(+), 82 deletions(-)
create mode 100644 Documentation/module-signing.txt
create mode 100644 Documentation/security/keys-crypto.txt
create mode 100644 include/keys/crypto-subtype.h
create mode 100644 include/keys/crypto-type.h
create mode 100644 include/linux/modsign.h
create mode 100644 include/linux/pgp.h
create mode 100644 kernel/modsign-pubkey.c
create mode 100644 kernel/module-verify.c
create mode 100644 kernel/module-verify.h
create mode 100644 security/keys/Kconfig
create mode 100644 security/keys/crypto/Kconfig
create mode 100644 security/keys/crypto/Makefile
create mode 100644 security/keys/crypto/crypto_keys.h
create mode 100644 security/keys/crypto/crypto_rsa.c
create mode 100644 security/keys/crypto/crypto_type.c
create mode 100644 security/keys/crypto/crypto_verify.c
create mode 100644 security/keys/crypto/pgp_key_parser.c
create mode 100644 security/keys/crypto/pgp_library.c
create mode 100644 security/keys/crypto/pgp_parser.h
create mode 100644 security/keys/crypto/pgp_preload.c
create mode 100644 security/keys/crypto/pgp_pubkey_sig.c
create mode 100644 security/keys/crypto/pgp_sig_parser.c
create mode 100644 security/keys/crypto/public_key.c
create mode 100644 security/keys/crypto/public_key.h
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo< at >vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
</pre>David Howells2012-05-22T23:02:19[GIT] Security subsystem updates for 3.5
http://comments.gmane.org/gmane.linux.kernel.lsm/16421
<pre>Hi Linus,
New notable features:
- The seccomp work from Will Drewry
- PR_{GET,SET}_NO_NEW_PRIVS from Andy Lutomirski
- Longer security labels for Smack from Casey Schaufler
- Additional ptrace restriction modes for Yama by Kees Cook
Please pull.
The following changes since commit 76e10d158efb6d4516018846f60c2ab5501900bc:
Linus Torvalds (1):
Linux 3.4
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next
Andy Lutomirski (1):
Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs
Casey Schaufler (2):
Smack: recursive tramsmute
Smack: allow for significantly longer Smack labels v4
Dan Carpenter (1):
Yama: remove an unused variable
David Howells (9):
KEYS: Use the compat keyctl() syscall wrapper on Sparc64 for Sparc32 compat
KEYS: Move the key config into security/keys/Kconfig
KEYS: Reorganise keys Makefile
KEYS: Announce key type (un)registration
KEYS: Perform RCU synchronisation on keys prior to key destruction
KEYS: Permit in-place link replacement in keyring list
KEYS: Do LRU discard in full keyrings
KEYS: Add invalidation support
KEYS: Don't check for NULL key pointer in key_validate()
Eric Paris (22):
SELinux: allow seek operations on the file exposing policy
SELinux: loosen DAC perms on reading policy
SELinux: include flow.h where used rather than get it indirectly
SELinux: allow default source/target selectors for user/role/range
SELinux: add default_type statements
SELinux: check OPEN on truncate calls
SELinux: rename dentry_open to file_open
SELinux: audit failed attempts to set invalid labels
SELinux: possible NULL deref in context_struct_to_string
SELinux: remove needless sel_div function
SELinux: if sel_make_bools errors don't leave inconsistent state
SELinux: delay initialization of audit data in selinux_inode_permission
SELinux: remove inode_has_perm_noadp
SELinux: move common_audit_data to a noinline slow path function
LSM: remove the COMMON_AUDIT_DATA_INIT type expansion
apparmor: move task from common_audit_data to apparmor_audit_data
LSM: remove the task field from common_audit_data
LSM: BUILD_BUG_ON if the common_audit_data union ever grows
LSM: do not initialize common_audit_data to 0
SELinux: remove auditdeny from selinux_audit_data
SELinux: unify the selinux_audit_data and selinux_late_audit_data
SELinux: remove unused common_audit_data in flush_unauthorized_files
James Morris (6):
Merge branch 'linus-master'; commit 'v3.4-rc2' into next
maintainers: add kernel/capability.c to capabilities entry
maintainers: update wiki url for the security subsystem
Merge tag 'v3.4-rc5' into next
Merge branch 'for-1205' of http://git.gitorious.org/smack-next/kernel into next
Merge branch 'master' of git://git.infradead.org/users/eparis/selinux into next
John Johansen (3):
Fix execve behavior apparmor for PR_{GET,SET}_NO_NEW_PRIVS
apparmor: fix profile lookup for unconfined
apparmor: fix long path failure due to disconnected path
Kees Cook (3):
seccomp: remove duplicated failure logging
Yama: add additional ptrace scopes
Yama: replace capable() with ns_capable()
Mimi Zohar (1):
ima: fix filename hint to reflect script interpreter name
Stephen Rothwell (1):
seccomp: use a static inline for a function stub
Tetsuo Handa (2):
TOMOYO: Accept manager programs which do not start with / .
gfp flags for security_inode_alloc()?
Wanlong Gao (2):
SELinux: replace weak GFP_ATOMIC to GFP_KERNEL in avc_add_callback
SELinux: avc: remove the useless fields in avc_add_callback
Will Drewry (15):
sk_run_filter: add BPF_S_ANC_SECCOMP_LD_W
net/compat.c,linux/filter.h: share compat_sock_fprog
seccomp: kill the seccomp_t typedef
asm/syscall.h: add syscall_get_arch
arch/x86: add syscall_get_arch to syscall.h
seccomp: add system call filtering using BPF
seccomp: add SECCOMP_RET_ERRNO
signal, x86: add SIGSYS info and make it synchronous.
seccomp: Add SECCOMP_RET_TRAP
ptrace,seccomp: Add PTRACE_SECCOMP support
x86: Enable HAVE_ARCH_SECCOMP_FILTER
Documentation: prctl/seccomp_filter
seccomp: ignore secure_computing return values
seccomp: fix build warnings when there is no CONFIG_SECCOMP_FILTER
samples/seccomp: fix dependencies on arch macros
Documentation/prctl/seccomp_filter.txt | 163 ++++++
Documentation/security/Smack.txt | 204 +++++--
Documentation/security/Yama.txt | 10 +-
Documentation/security/keys.txt | 17 +
MAINTAINERS | 3 +-
arch/Kconfig | 23 +
arch/microblaze/kernel/ptrace.c | 2 +-
arch/mips/kernel/ptrace.c | 2 +-
arch/powerpc/kernel/ptrace.c | 2 +-
arch/s390/kernel/ptrace.c | 2 +-
arch/sh/kernel/ptrace_32.c | 2 +-
arch/sh/kernel/ptrace_64.c | 2 +-
arch/sparc/Kconfig | 3 +
arch/sparc/kernel/ptrace_64.c | 2 +-
arch/sparc/kernel/systbls_64.S | 2 +-
arch/x86/Kconfig | 1 +
arch/x86/ia32/ia32_signal.c | 4 +
arch/x86/include/asm/ia32.h | 6 +
arch/x86/include/asm/syscall.h | 27 +
arch/x86/kernel/ptrace.c | 7 +-
fs/exec.c | 10 +-
fs/open.c | 2 +-
include/asm-generic/siginfo.h | 22 +
include/asm-generic/syscall.h | 14 +
include/keys/keyring-type.h | 2 +-
include/linux/Kbuild | 1 +
include/linux/audit.h | 8 +-
include/linux/filter.h | 12 +
include/linux/key.h | 11 +-
include/linux/keyctl.h | 1 +
include/linux/lsm_audit.h | 6 -
include/linux/prctl.h | 15 +
include/linux/ptrace.h | 5 +-
include/linux/sched.h | 4 +-
include/linux/seccomp.h | 107 +++-
include/linux/security.h | 14 +-
kernel/auditsc.c | 8 +-
kernel/fork.c | 3 +
kernel/seccomp.c | 458 ++++++++++++++-
kernel/signal.c | 9 +-
kernel/sys.c | 12 +-
net/compat.c | 8 -
net/core/filter.c | 6 +
net/dns_resolver/dns_key.c | 5 -
net/xfrm/xfrm_policy.c | 1 +
samples/Makefile | 2 +-
samples/seccomp/Makefile | 32 +
samples/seccomp/bpf-direct.c | 190 ++++++
samples/seccomp/bpf-fancy.c | 102 ++++
samples/seccomp/bpf-helper.c | 89 +++
samples/seccomp/bpf-helper.h | 238 ++++++++
samples/seccomp/dropper.c | 68 +++
security/Kconfig | 68 +--
security/apparmor/audit.c | 11 +-
security/apparmor/capability.c | 4 +-
security/apparmor/domain.c | 35 ++
security/apparmor/file.c | 2 +-
security/apparmor/include/audit.h | 1 +
security/apparmor/ipc.c | 2 +-
security/apparmor/lib.c | 2 +-
security/apparmor/lsm.c | 6 +-
security/apparmor/path.c | 2 +
security/apparmor/policy.c | 6 +-
security/apparmor/policy_unpack.c | 2 +-
security/apparmor/resource.c | 2 +-
security/capability.c | 4 +-
security/commoncap.c | 7 +-
security/integrity/ima/ima_main.c | 4 +-
security/keys/Kconfig | 71 +++
security/keys/Makefile | 12 +-
security/keys/compat.c | 3 +
security/keys/gc.c | 94 +--
security/keys/internal.h | 15 +-
security/keys/key.c | 25 +
security/keys/keyctl.c | 34 ++
security/keys/keyring.c | 167 ++++--
security/keys/permission.c | 43 +-
security/keys/proc.c | 3 +-
security/keys/process_keys.c | 2 +
security/lsm_audit.c | 15 +-
security/security.c | 4 +-
security/selinux/avc.c | 130 +----
security/selinux/hooks.c | 268 ++++-----
security/selinux/include/avc.h | 100 +++-
security/selinux/include/security.h | 4 +-
security/selinux/netif.c | 6 +-
security/selinux/netnode.c | 6 +-
security/selinux/netport.c | 6 +-
security/selinux/selinuxfs.c | 11 +-
security/selinux/ss/context.h | 20 +
security/selinux/ss/mls.c | 24 +
security/selinux/ss/policydb.c | 44 ++
security/selinux/ss/policydb.h | 14 +
security/selinux/ss/services.c | 56 +-
security/smack/smack.h | 59 +-
security/smack/smack_access.c | 233 ++++----
security/smack/smack_lsm.c | 243 +++-----
security/smack/smackfs.c | 993 ++++++++++++++++++++++++--------
security/tomoyo/common.c | 26 +-
security/tomoyo/common.h | 1 -
security/tomoyo/tomoyo.c | 6 +-
security/yama/yama_lsm.c | 63 +-
102 files changed, 3678 insertions(+), 1230 deletions(-)
create mode 100644 Documentation/prctl/seccomp_filter.txt
create mode 100644 samples/seccomp/Makefile
create mode 100644 samples/seccomp/bpf-direct.c
create mode 100644 samples/seccomp/bpf-fancy.c
create mode 100644 samples/seccomp/bpf-helper.c
create mode 100644 samples/seccomp/bpf-helper.h
create mode 100644 samples/seccomp/dropper.c
create mode 100644 security/keys/Kconfig
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo< at >vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
</pre>James Morris2012-05-22T02:24:22[GIT PULL] SELinux changes intended for 3.5
http://comments.gmane.org/gmane.linux.kernel.lsm/16417
<pre>Been in next for a month and a half. Just checked and merge should be clean.
The following changes since commit 0034102808e0dbbf3a2394b82b1bb40b5778de9e:
Linux 3.4-rc2 (2012-04-07 18:30:41 -0700)
are available in the git repository at:
git://git.infradead.org/users/eparis/selinux.git master
Eric Paris (22):
SELinux: allow seek operations on the file exposing policy
SELinux: loosen DAC perms on reading policy
SELinux: include flow.h where used rather than get it indirectly
SELinux: allow default source/target selectors for user/role/range
SELinux: add default_type statements
SELinux: check OPEN on truncate calls
SELinux: rename dentry_open to file_open
SELinux: audit failed attempts to set invalid labels
SELinux: possible NULL deref in context_struct_to_string
SELinux: remove needless sel_div function
SELinux: if sel_make_bools errors don't leave inconsistent state
SELinux: delay initialization of audit data in selinux_inode_permission
SELinux: remove inode_has_perm_noadp
SELinux: move common_audit_data to a noinline slow path function
LSM: remove the COMMON_AUDIT_DATA_INIT type expansion
apparmor: move task from common_audit_data to apparmor_audit_data
LSM: remove the task field from common_audit_data
LSM: BUILD_BUG_ON if the common_audit_data union ever grows
LSM: do not initialize common_audit_data to 0
SELinux: remove auditdeny from selinux_audit_data
SELinux: unify the selinux_audit_data and selinux_late_audit_data
SELinux: remove unused common_audit_data in flush_unauthorized_files
Wanlong Gao (2):
SELinux: replace weak GFP_ATOMIC to GFP_KERNEL in avc_add_callback
SELinux: avc: remove the useless fields in avc_add_callback
fs/open.c | 2 +-
include/linux/lsm_audit.h | 6 -
include/linux/security.h | 13 +-
net/xfrm/xfrm_policy.c | 1 +
security/apparmor/audit.c | 11 ++-
security/apparmor/capability.c | 4 +-
security/apparmor/file.c | 2 +-
security/apparmor/include/audit.h | 1 +
security/apparmor/ipc.c | 2 +-
security/apparmor/lib.c | 2 +-
security/apparmor/lsm.c | 6 +-
security/apparmor/policy.c | 2 +-
security/apparmor/policy_unpack.c | 2 +-
security/apparmor/resource.c | 2 +-
security/capability.c | 4 +-
security/lsm_audit.c | 15 ++-
security/security.c | 4 +-
security/selinux/avc.c | 130 ++++--------------
security/selinux/hooks.c | 258 ++++++++++++++++-------------------
security/selinux/include/avc.h | 100 +++++++++++---
security/selinux/include/security.h | 4 +-
security/selinux/netif.c | 6 +-
security/selinux/netnode.c | 6 +-
security/selinux/netport.c | 6 +-
security/selinux/selinuxfs.c | 11 +-
security/selinux/ss/context.h | 20 +++
security/selinux/ss/mls.c | 24 ++++
security/selinux/ss/policydb.c | 44 ++++++
security/selinux/ss/policydb.h | 14 ++
security/selinux/ss/services.c | 56 ++++++--
security/smack/smack.h | 2 +-
security/smack/smack_lsm.c | 6 +-
security/tomoyo/tomoyo.c | 6 +-
33 files changed, 422 insertions(+), 350 deletions(-)
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo< at >vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
</pre>Eric Paris2012-05-21T20:19:03seccomp and ptrace. what is the correct order?
http://comments.gmane.org/gmane.linux.kernel.lsm/16411
<pre>Viro ask me a question today and I didn't have a good answer.
Lets assume I set a seccomp filter that will allow read and will
deny/kill ioctl. If something else is tracing me I could call read.
The read will pass the seccomp hook and move onto the ptrace hook.
The tracer could then change the syscall number to ioctl and I would
then actually perform an ioctl.
Is that what we want? Do we want to do the permission check based on
what a process ask at syscall enter or do we want to do the permission
check based on what the kernel is actually going to do on behalf of
the process?
Does the question make sense?
-Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo< at >vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
</pre>Eric Paris2012-05-21T18:21:57[PATCH] x86, relocs: build clean fix
http://comments.gmane.org/gmane.linux.kernel.lsm/16410
<pre>relocs was not cleaned up when "make clean" is issued. This
patch fixes the issue.
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen< at >intel.com>
---
arch/x86/Makefile | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/x86/Makefile b/arch/x86/Makefile
index 94e91e4..b1c611e 100644
--- a/arch/x86/Makefile
+++ b/arch/x86/Makefile
< at >< at > -206,6 +206,7 < at >< at > archclean:
$(Q)rm -rf $(objtree)/arch/i386
$(Q)rm -rf $(objtree)/arch/x86_64
$(Q)$(MAKE) $(clean)=$(boot)
+$(Q)$(MAKE) $(clean)=arch/x86/tools
define archhelp
echo '* bzImage - Compressed kernel image (arch/x86/boot/bzImage)'
</pre>Jarkko Sakkinen2012-05-21T17:49:03[PATCH] [RFC] KEYS: Make the session and process keyrings per-thread [ver #2]
http://comments.gmane.org/gmane.linux.kernel.lsm/16409
<pre>Make the session keyring per-thread rather than per-process, but still
inherited from the parent thread to solve a problem with PAM and gdm.
The problem is that join_session_keyring() will reject attempts to change the
session keyring of a multithreaded program but gdm is now multithreaded before
it gets to the point of starting PAM and running pam_keyinit to create the
session keyring. See:
https://bugs.freedesktop.org/show_bug.cgi?id=49211
The reason that join_session_keyring() will only change the session keyring
under a single-threaded environment is that it's hard to alter the other
thread's credentials to effect the change in a multi-threaded program. The
problems are such as:
(1) How to prevent two threads both running join_session_keyring() from
racing.
(2) Another thread's credentials may not be modified directly by this process.
(3) The number of threads is uncertain whilst we're not holding the
appropriate spinlock, making preallocation slightly tricky.
(4) We could use TIF_NOTIFY_RESUME and key_replace_session_keyring() to get
another thread to replace its keyring, but that means preallocating for
each thread.
A reasonable way around this is to make the session keyring per-thread rather
than per-process and just document that if you want a common session keyring,
you must get it before you spawn any threads - which is the current situation
anyway.
Whilst we're at it, we can the process keyring behave in the same way. This
means we can clean up some of the ickyness in the creds code.
Basically, after this patch, the session, process and thread keyrings are about
inheritance rules only and not about sharing changes of keyring.
NOTE: This must be applied after "KEYS: Perform RCU synchronisation on keys
prior to key destruction" as that permits me to assume I don't need to perform
RCU synchronisation prior to doing a key_put().
Signed-off-by: David Howells <dhowells< at >redhat.com>
cc: rstrode< at >redhat.com
cc: grawity< at >gmail.com
---
include/linux/cred.h | 17 +-----
kernel/cred.c | 127 +++++-------------------------------------
security/keys/keyctl.c | 10 ++-
security/keys/process_keys.c | 66 +++++++---------------
security/keys/request_key.c | 10 ++-
5 files changed, 49 insertions(+), 181 deletions(-)
diff --git a/include/linux/cred.h b/include/linux/cred.h
index adadf71..e90b147 100644
--- a/include/linux/cred.h
+++ b/include/linux/cred.h
< at >< at > -76,21 +76,6 < at >< at > extern int in_group_p(gid_t);
extern int in_egroup_p(gid_t);
/*
- * The common credentials for a thread group
- * - shared by CLONE_THREAD
- */
-#ifdef CONFIG_KEYS
-struct thread_group_cred {
-atomic_tusage;
-pid_ttgid;/* thread group process ID */
-spinlock_tlock;
-struct key __rcu *session_keyring;/* keyring inherited over fork */
-struct key*process_keyring;/* keyring private to this process */
-struct rcu_headrcu;/* RCU deletion hook */
-};
-#endif
-
-/*
* The security context of a task
*
* The parts of the context break down into two categories:
< at >< at > -138,6 +123,8 < at >< at > struct cred {
#ifdef CONFIG_KEYS
unsigned charjit_keyring;/* default keyring to attach requested
* keys to */
+struct key __rcu *session_keyring; /* keyring inherited over fork */
+struct key*process_keyring; /* keyring private to this process */
struct key*thread_keyring; /* keyring private to this thread */
struct key*request_key_auth; /* assumed request_key authority */
struct thread_group_cred *tgcred; /* thread-group shared credentials */
diff --git a/kernel/cred.c b/kernel/cred.c
index e70683d..7932075 100644
--- a/kernel/cred.c
+++ b/kernel/cred.c
< at >< at > -30,17 +30,6 < at >< at >
static struct kmem_cache *cred_jar;
/*
- * The common credentials for the initial task's thread group
- */
-#ifdef CONFIG_KEYS
-static struct thread_group_cred init_tgcred = {
-.usage= ATOMIC_INIT(2),
-.tgid= 0,
-.lock= __SPIN_LOCK_UNLOCKED(init_cred.tgcred.lock),
-};
-#endif
-
-/*
* The initial credentials for the initial task
*/
struct cred init_cred = {
< at >< at > -57,9 +46,6 < at >< at > struct cred init_cred = {
.user= INIT_USER,
.user_ns= &init_user_ns,
.group_info= &init_groups,
-#ifdef CONFIG_KEYS
-.tgcred= &init_tgcred,
-#endif
};
static inline void set_cred_subscribers(struct cred *cred, int n)
< at >< at > -88,36 +74,6 < at >< at > static inline void alter_cred_subscribers(const struct cred *_cred, int n)
}
/*
- * Dispose of the shared task group credentials
- */
-#ifdef CONFIG_KEYS
-static void release_tgcred_rcu(struct rcu_head *rcu)
-{
-struct thread_group_cred *tgcred =
-container_of(rcu, struct thread_group_cred, rcu);
-
-BUG_ON(atomic_read(&tgcred->usage) != 0);
-
-key_put(tgcred->session_keyring);
-key_put(tgcred->process_keyring);
-kfree(tgcred);
-}
-#endif
-
-/*
- * Release a set of thread group credentials.
- */
-static void release_tgcred(struct cred *cred)
-{
-#ifdef CONFIG_KEYS
-struct thread_group_cred *tgcred = cred->tgcred;
-
-if (atomic_dec_and_test(&tgcred->usage))
-call_rcu(&tgcred->rcu, release_tgcred_rcu);
-#endif
-}
-
-/*
* The RCU callback to actually dispose of a set of credentials
*/
static void put_cred_rcu(struct rcu_head *rcu)
< at >< at > -142,9 +98,10 < at >< at > static void put_cred_rcu(struct rcu_head *rcu)
#endif
security_cred_free(cred);
+key_put(cred->session_keyring);
+key_put(cred->process_keyring);
key_put(cred->thread_keyring);
key_put(cred->request_key_auth);
-release_tgcred(cred);
if (cred->group_info)
put_group_info(cred->group_info);
free_uid(cred->user);
< at >< at > -244,15 +201,6 < at >< at > struct cred *cred_alloc_blank(void)
if (!new)
return NULL;
-#ifdef CONFIG_KEYS
-new->tgcred = kzalloc(sizeof(*new->tgcred), GFP_KERNEL);
-if (!new->tgcred) {
-kmem_cache_free(cred_jar, new);
-return NULL;
-}
-atomic_set(&new->tgcred->usage, 1);
-#endif
-
atomic_set(&new->usage, 1);
#ifdef CONFIG_DEBUG_CREDENTIALS
new->magic = CRED_MAGIC;
< at >< at > -305,9 +253,10 < at >< at > struct cred *prepare_creds(void)
get_uid(new->user);
#ifdef CONFIG_KEYS
+key_get(new->session_keyring);
+key_get(new->process_keyring);
key_get(new->thread_keyring);
key_get(new->request_key_auth);
-atomic_inc(&new->tgcred->usage);
#endif
#ifdef CONFIG_SECURITY
< at >< at > -331,39 +280,20 < at >< at > EXPORT_SYMBOL(prepare_creds);
*/
struct cred *prepare_exec_creds(void)
{
-struct thread_group_cred *tgcred = NULL;
struct cred *new;
-#ifdef CONFIG_KEYS
-tgcred = kmalloc(sizeof(*tgcred), GFP_KERNEL);
-if (!tgcred)
-return NULL;
-#endif
-
new = prepare_creds();
-if (!new) {
-kfree(tgcred);
+if (!new)
return new;
-}
#ifdef CONFIG_KEYS
/* newly exec'd tasks don't get a thread keyring */
key_put(new->thread_keyring);
new->thread_keyring = NULL;
-/* create a new per-thread-group creds for all this set of threads to
- * share */
-memcpy(tgcred, new->tgcred, sizeof(struct thread_group_cred));
-
-atomic_set(&tgcred->usage, 1);
-spin_lock_init(&tgcred->lock);
-
/* inherit the session keyring; new process keyring */
-key_get(tgcred->session_keyring);
-tgcred->process_keyring = NULL;
-
-release_tgcred(new);
-new->tgcred = tgcred;
+key_put(new->process_keyring);
+new->process_keyring = NULL;
#endif
return new;
< at >< at > -380,9 +310,6 < at >< at > struct cred *prepare_exec_creds(void)
*/
int copy_creds(struct task_struct *p, unsigned long clone_flags)
{
-#ifdef CONFIG_KEYS
-struct thread_group_cred *tgcred;
-#endif
struct cred *new;
int ret;
< at >< at > -429,22 +356,12 < at >< at > int copy_creds(struct task_struct *p, unsigned long clone_flags)
install_thread_keyring_to_cred(new);
}
-/* we share the process and session keyrings between all the threads in
- * a process - this is slightly icky as we violate COW credentials a
- * bit */
+/* The process keyring is only shared between the threads in a process;
+ * anything outside of those threads doesn't inherit.
+ */
if (!(clone_flags & CLONE_THREAD)) {
-tgcred = kmalloc(sizeof(*tgcred), GFP_KERNEL);
-if (!tgcred) {
-ret = -ENOMEM;
-goto error_put;
-}
-atomic_set(&tgcred->usage, 1);
-spin_lock_init(&tgcred->lock);
-tgcred->process_keyring = NULL;
-tgcred->session_keyring = key_get(new->tgcred->session_keyring);
-
-release_tgcred(new);
-new->tgcred = tgcred;
+key_put(new->process_keyring);
+new->process_keyring = NULL;
}
#endif
< at >< at > -647,9 +564,6 < at >< at > void __init cred_init(void)
*/
struct cred *prepare_kernel_cred(struct task_struct *daemon)
{
-#ifdef CONFIG_KEYS
-struct thread_group_cred *tgcred;
-#endif
const struct cred *old;
struct cred *new;
< at >< at > -657,14 +571,6 < at >< at > struct cred *prepare_kernel_cred(struct task_struct *daemon)
if (!new)
return NULL;
-#ifdef CONFIG_KEYS
-tgcred = kmalloc(sizeof(*tgcred), GFP_KERNEL);
-if (!tgcred) {
-kmem_cache_free(cred_jar, new);
-return NULL;
-}
-#endif
-
kdebug("prepare_kernel_cred() alloc %p", new);
if (daemon)
< at >< at > -681,13 +587,10 < at >< at > struct cred *prepare_kernel_cred(struct task_struct *daemon)
get_group_info(new->group_info);
#ifdef CONFIG_KEYS
-atomic_set(&tgcred->usage, 1);
-spin_lock_init(&tgcred->lock);
-tgcred->process_keyring = NULL;
-tgcred->session_keyring = NULL;
-new->tgcred = tgcred;
-new->request_key_auth = NULL;
+new->session_keyring = NULL;
+new->process_keyring = NULL;
new->thread_keyring = NULL;
+new->request_key_auth = NULL;
new->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
#endif
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index b61c063..8cb5ae0 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
< at >< at > -1473,7 +1473,7 < at >< at > long keyctl_session_to_parent(void)
if (!cred)
goto error_keyring;
-cred->tgcred->session_keyring = key_ref_to_ptr(keyring_r);
+cred->session_keyring = key_ref_to_ptr(keyring_r);
keyring_r = NULL;
me = current;
< at >< at > -1496,7 +1496,7 < at >< at > long keyctl_session_to_parent(void)
mycred = current_cred();
pcred = __task_cred(parent);
if (mycred == pcred ||
- mycred->tgcred->session_keyring == pcred->tgcred->session_keyring)
+ mycred->session_keyring == pcred->session_keyring)
goto already_same;
/* the parent must have the same effective ownership and mustn't be
< at >< at > -1510,9 +1510,9 < at >< at > long keyctl_session_to_parent(void)
goto not_permitted;
/* the keyrings must have the same UID */
-if ((pcred->tgcred->session_keyring &&
- pcred->tgcred->session_keyring->uid != mycred->euid) ||
- mycred->tgcred->session_keyring->uid != mycred->euid)
+if ((pcred->session_keyring &&
+ pcred->session_keyring->uid != mycred->euid) ||
+ mycred->session_keyring->uid != mycred->euid)
goto not_permitted;
/* if there's an already pending keyring replacement, then we replace
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
index e137fcd..848bc7c 100644
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
< at >< at > -169,9 +169,8 < at >< at > static int install_thread_keyring(void)
int install_process_keyring_to_cred(struct cred *new)
{
struct key *keyring;
-int ret;
-if (new->tgcred->process_keyring)
+if (new->process_keyring)
return -EEXIST;
keyring = keyring_alloc("_pid", new->uid, new->gid,
< at >< at > -179,17 +178,8 < at >< at > int install_process_keyring_to_cred(struct cred *new)
if (IS_ERR(keyring))
return PTR_ERR(keyring);
-spin_lock_irq(&new->tgcred->lock);
-if (!new->tgcred->process_keyring) {
-new->tgcred->process_keyring = keyring;
-keyring = NULL;
-ret = 0;
-} else {
-ret = -EEXIST;
-}
-spin_unlock_irq(&new->tgcred->lock);
-key_put(keyring);
-return ret;
+new->process_keyring = keyring;
+return 0;
}
/*
< at >< at > -230,7 +220,7 < at >< at > int install_session_keyring_to_cred(struct cred *cred, struct key *keyring)
/* create an empty session keyring */
if (!keyring) {
flags = KEY_ALLOC_QUOTA_OVERRUN;
-if (cred->tgcred->session_keyring)
+if (cred->session_keyring)
flags = KEY_ALLOC_IN_QUOTA;
keyring = keyring_alloc("_ses", cred->uid, cred->gid,
< at >< at > -242,17 +232,11 < at >< at > int install_session_keyring_to_cred(struct cred *cred, struct key *keyring)
}
/* install the keyring */
-spin_lock_irq(&cred->tgcred->lock);
-old = cred->tgcred->session_keyring;
-rcu_assign_pointer(cred->tgcred->session_keyring, keyring);
-spin_unlock_irq(&cred->tgcred->lock);
-
-/* we're using RCU on the pointer, but there's no point synchronising
- * on it if it didn't previously point to anything */
-if (old) {
-synchronize_rcu();
+old = cred->session_keyring;
+rcu_assign_pointer(cred->session_keyring, keyring);
+
+if (old)
key_put(old);
-}
return 0;
}
< at >< at > -369,9 +353,9 < at >< at > key_ref_t search_my_process_keyrings(struct key_type *type,
}
/* search the process keyring second */
-if (cred->tgcred->process_keyring) {
+if (cred->process_keyring) {
key_ref = keyring_search_aux(
-make_key_ref(cred->tgcred->process_keyring, 1),
+make_key_ref(cred->process_keyring, 1),
cred, type, description, match, no_state_check);
if (!IS_ERR(key_ref))
goto found;
< at >< at > -390,12 +374,10 < at >< at > key_ref_t search_my_process_keyrings(struct key_type *type,
}
/* search the session keyring */
-if (cred->tgcred->session_keyring) {
+if (cred->session_keyring) {
rcu_read_lock();
key_ref = keyring_search_aux(
-make_key_ref(rcu_dereference(
- cred->tgcred->session_keyring),
- 1),
+make_key_ref(rcu_dereference(cred->session_keyring), 1),
cred, type, description, match, no_state_check);
rcu_read_unlock();
< at >< at > -565,7 +547,7 < at >< at > try_again:
break;
case KEY_SPEC_PROCESS_KEYRING:
-if (!cred->tgcred->process_keyring) {
+if (!cred->process_keyring) {
if (!(lflags & KEY_LOOKUP_CREATE))
goto error;
< at >< at > -577,13 +559,13 < at >< at > try_again:
goto reget_creds;
}
-key = cred->tgcred->process_keyring;
+key = cred->process_keyring;
atomic_inc(&key->usage);
key_ref = make_key_ref(key, 1);
break;
case KEY_SPEC_SESSION_KEYRING:
-if (!cred->tgcred->session_keyring) {
+if (!cred->session_keyring) {
/* always install a session keyring upon access if one
* doesn't exist yet */
ret = install_user_keyrings();
< at >< at > -598,7 +580,7 < at >< at > try_again:
if (ret < 0)
goto error;
goto reget_creds;
-} else if (cred->tgcred->session_keyring ==
+} else if (cred->session_keyring ==
cred->user->session_keyring &&
lflags & KEY_LOOKUP_CREATE) {
ret = join_session_keyring(NULL);
< at >< at > -608,7 +590,7 < at >< at > try_again:
}
rcu_read_lock();
-key = rcu_dereference(cred->tgcred->session_keyring);
+key = rcu_dereference(cred->session_keyring);
atomic_inc(&key->usage);
rcu_read_unlock();
key_ref = make_key_ref(key, 1);
< at >< at > -768,12 +750,6 < at >< at > long join_session_keyring(const char *name)
struct key *keyring;
long ret, serial;
-/* only permit this if there's a single thread in the thread group -
- * this avoids us having to adjust the creds on all threads and risking
- * ENOMEM */
-if (!current_is_single_threaded())
-return -EMLINK;
-
new = prepare_creds();
if (!new)
return -ENOMEM;
< at >< at > -785,7 +761,7 < at >< at > long join_session_keyring(const char *name)
if (ret < 0)
goto error;
-serial = new->tgcred->session_keyring->serial;
+serial = new->session_keyring->serial;
ret = commit_creds(new);
if (ret == 0)
ret = serial;
< at >< at > -808,6 +784,9 < at >< at > long join_session_keyring(const char *name)
} else if (IS_ERR(keyring)) {
ret = PTR_ERR(keyring);
goto error2;
+} else if (keyring == new->session_keyring) {
+ret = 0;
+goto error2;
}
/* we've got a keyring - now to install it */
< at >< at > -871,8 +850,7 < at >< at > void key_replace_session_keyring(void)
new->jit_keyring= old->jit_keyring;
new->thread_keyring= key_get(old->thread_keyring);
-new->tgcred->tgid= old->tgcred->tgid;
-new->tgcred->process_keyring = key_get(old->tgcred->process_keyring);
+new->process_keyring= key_get(old->process_keyring);
security_transfer_creds(new, old);
diff --git a/security/keys/request_key.c b/security/keys/request_key.c
index cc37903..11b7f31 100644
--- a/security/keys/request_key.c
+++ b/security/keys/request_key.c
< at >< at > -157,12 +157,12 < at >< at > static int call_sbin_request_key(struct key_construction *cons,
cred->thread_keyring ? cred->thread_keyring->serial : 0);
prkey = 0;
-if (cred->tgcred->process_keyring)
-prkey = cred->tgcred->process_keyring->serial;
+if (cred->process_keyring)
+prkey = cred->process_keyring->serial;
sprintf(keyring_str[1], "%d", prkey);
rcu_read_lock();
-session = rcu_dereference(cred->tgcred->session_keyring);
+session = rcu_dereference(cred->session_keyring);
if (!session)
session = cred->user->session_keyring;
sskey = session->serial;
< at >< at > -304,14 +304,14 < at >< at > static void construct_get_dest_keyring(struct key **_dest_keyring)
break;
case KEY_REQKEY_DEFL_PROCESS_KEYRING:
-dest_keyring = key_get(cred->tgcred->process_keyring);
+dest_keyring = key_get(cred->process_keyring);
if (dest_keyring)
break;
case KEY_REQKEY_DEFL_SESSION_KEYRING:
rcu_read_lock();
dest_keyring = key_get(
-rcu_dereference(cred->tgcred->session_keyring));
+rcu_dereference(cred->session_keyring));
rcu_read_unlock();
if (dest_keyring)
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo< at >vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
</pre>David Howells2012-05-21T12:06:18[PATCH] KEYS: Fix some sparse warnings
http://comments.gmane.org/gmane.linux.kernel.lsm/16407
<pre>Fix some sparse warnings in the keyrings code:
(1) compat_keyctl_instantiate_key_iov() should be static.
(2) There were a couple of places where a pointer was being compared against
integer 0 rather than NULL.
(3) keyctl_instantiate_key_common() should not take a __user-labelled iovec
pointer as the caller must have copied the iovec to kernel space.
(4) __key_link_begin() takes and __key_link_end() releases
keyring_serialise_link_sem under some circumstances and so this should be
declared.
Note that adding __acquires() and __releases() for this doesn't help cure
the warnings messages - something only commenting out both helps.
Signed-off-by: David Howells <dhowells< at >redhat.com>
---
security/keys/compat.c | 4 ++--
security/keys/internal.h | 2 +-
security/keys/keyctl.c | 2 +-
security/keys/keyring.c | 2 ++
4 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/security/keys/compat.c b/security/keys/compat.c
index fab4f8d..e35ae1d 100644
--- a/security/keys/compat.c
+++ b/security/keys/compat.c
< at >< at > -24,7 +24,7 < at >< at >
*
* If successful, 0 will be returned.
*/
-long compat_keyctl_instantiate_key_iov(
+static long compat_keyctl_instantiate_key_iov(
key_serial_t id,
const struct compat_iovec __user *_payload_iov,
unsigned ioc,
< at >< at > -33,7 +33,7 < at >< at > long compat_keyctl_instantiate_key_iov(
struct iovec iovstack[UIO_FASTIOV], *iov = iovstack;
long ret;
-if (_payload_iov == 0 || ioc == 0)
+if (!_payload_iov || !ioc)
goto no_payload;
ret = compat_rw_copy_check_uvector(WRITE, _payload_iov, ioc,
diff --git a/security/keys/internal.h b/security/keys/internal.h
index f711b09..f173be2 100644
--- a/security/keys/internal.h
+++ b/security/keys/internal.h
< at >< at > -240,7 +240,7 < at >< at > extern long keyctl_instantiate_key_iov(key_serial_t,
extern long keyctl_invalidate_key(key_serial_t);
extern long keyctl_instantiate_key_common(key_serial_t,
- const struct iovec __user *,
+ const struct iovec *,
unsigned, size_t, key_serial_t);
/*
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index ddb3e05..b61c063 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
< at >< at > -1106,7 +1106,7 < at >< at > long keyctl_instantiate_key_iov(key_serial_t id,
struct iovec iovstack[UIO_FASTIOV], *iov = iovstack;
long ret;
-if (_payload_iov == 0 || ioc == 0)
+if (!_payload_iov || !ioc)
goto no_payload;
ret = rw_copy_check_uvector(WRITE, _payload_iov, ioc,
diff --git a/security/keys/keyring.c b/security/keys/keyring.c
index 7445875..81e7852 100644
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
< at >< at > -751,6 +751,7 < at >< at > static void keyring_unlink_rcu_disposal(struct rcu_head *rcu)
int __key_link_begin(struct key *keyring, const struct key_type *type,
const char *description, unsigned long *_prealloc)
__acquires(&keyring->sem)
+__acquires(&keyring_serialise_link_sem)
{
struct keyring_list *klist, *nklist;
unsigned long prealloc;
< at >< at > -960,6 +961,7 < at >< at > void __key_link(struct key *keyring, struct key *key,
void __key_link_end(struct key *keyring, struct key_type *type,
unsigned long prealloc)
__releases(&keyring->sem)
+__releases(&keyring_serialise_link_sem)
{
BUG_ON(type == NULL);
BUG_ON(type->name == NULL);
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo< at >vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
</pre>David Howells2012-05-21T11:32:13[PATCH] [RFC] KEYS: Make the session and process keyrings per-thread
http://comments.gmane.org/gmane.linux.kernel.lsm/16406
<pre>Make the session keyring per-thread rather than per-process, but still
inherited from the parent thread to solve a problem with PAM and gdm.
The problem is that join_session_keyring() will reject attempts to change the
session keyring of a multithreaded program but gdm is now multithreaded before
it gets to the point of starting PAM and running pam_keyinit to create the
session keyring. See:
https://bugs.freedesktop.org/show_bug.cgi?id=49211
The reason that join_session_keyring() will only change the session keyring
under a single-threaded environment is that it's hard to alter the other
thread's credentials to effect the change in a multi-threaded program. The
problems are such as:
(1) How to prevent two threads both running join_session_keyring() from
racing.
(2) Another thread's credentials may not be modified directly by this process.
(3) The number of threads is uncertain whilst we're not holding the
appropriate spinlock, making preallocation slightly tricky.
(4) We could use TIF_NOTIFY_RESUME and key_replace_session_keyring() to get
another thread to replace its keyring, but that means preallocating for
each thread.
A reasonable way around this is to make the session keyring per-thread rather
than per-process and just document that if you want a common session keyring,
you must get it before you spawn any threads - which is the current situation
anyway.
Whilst we're at it, we can the process keyring behave in the same way. This
means we can clean up some of the ickyness in the creds code.
Basically, after this patch, the session, process and thread keyrings are about
inheritance rules only and not about sharing changes of keyring.
NOTE: This must be applied after "KEYS: Perform RCU synchronisation on keys
prior to key destruction" as that permits me to assume I don't need to perform
RCU synchronisation prior to doing a key_put().
Signed-off-by: David Howells <dhowells< at >redhat.com>
cc: rstrode< at >redhat.com
cc: grawity< at >gmail.com
---
include/linux/cred.h | 17 +-----
kernel/cred.c | 127 +++++-------------------------------------
security/keys/keyctl.c | 10 ++-
security/keys/process_keys.c | 57 ++++++-------------
security/keys/request_key.c | 10 ++-
5 files changed, 46 insertions(+), 175 deletions(-)
diff --git a/include/linux/cred.h b/include/linux/cred.h
index adadf71..e90b147 100644
--- a/include/linux/cred.h
+++ b/include/linux/cred.h
< at >< at > -76,21 +76,6 < at >< at > extern int in_group_p(gid_t);
extern int in_egroup_p(gid_t);
/*
- * The common credentials for a thread group
- * - shared by CLONE_THREAD
- */
-#ifdef CONFIG_KEYS
-struct thread_group_cred {
-atomic_tusage;
-pid_ttgid;/* thread group process ID */
-spinlock_tlock;
-struct key __rcu *session_keyring;/* keyring inherited over fork */
-struct key*process_keyring;/* keyring private to this process */
-struct rcu_headrcu;/* RCU deletion hook */
-};
-#endif
-
-/*
* The security context of a task
*
* The parts of the context break down into two categories:
< at >< at > -138,6 +123,8 < at >< at > struct cred {
#ifdef CONFIG_KEYS
unsigned charjit_keyring;/* default keyring to attach requested
* keys to */
+struct key __rcu *session_keyring; /* keyring inherited over fork */
+struct key*process_keyring; /* keyring private to this process */
struct key*thread_keyring; /* keyring private to this thread */
struct key*request_key_auth; /* assumed request_key authority */
struct thread_group_cred *tgcred; /* thread-group shared credentials */
diff --git a/kernel/cred.c b/kernel/cred.c
index e70683d..7932075 100644
--- a/kernel/cred.c
+++ b/kernel/cred.c
< at >< at > -30,17 +30,6 < at >< at >
static struct kmem_cache *cred_jar;
/*
- * The common credentials for the initial task's thread group
- */
-#ifdef CONFIG_KEYS
-static struct thread_group_cred init_tgcred = {
-.usage= ATOMIC_INIT(2),
-.tgid= 0,
-.lock= __SPIN_LOCK_UNLOCKED(init_cred.tgcred.lock),
-};
-#endif
-
-/*
* The initial credentials for the initial task
*/
struct cred init_cred = {
< at >< at > -57,9 +46,6 < at >< at > struct cred init_cred = {
.user= INIT_USER,
.user_ns= &init_user_ns,
.group_info= &init_groups,
-#ifdef CONFIG_KEYS
-.tgcred= &init_tgcred,
-#endif
};
static inline void set_cred_subscribers(struct cred *cred, int n)
< at >< at > -88,36 +74,6 < at >< at > static inline void alter_cred_subscribers(const struct cred *_cred, int n)
}
/*
- * Dispose of the shared task group credentials
- */
-#ifdef CONFIG_KEYS
-static void release_tgcred_rcu(struct rcu_head *rcu)
-{
-struct thread_group_cred *tgcred =
-container_of(rcu, struct thread_group_cred, rcu);
-
-BUG_ON(atomic_read(&tgcred->usage) != 0);
-
-key_put(tgcred->session_keyring);
-key_put(tgcred->process_keyring);
-kfree(tgcred);
-}
-#endif
-
-/*
- * Release a set of thread group credentials.
- */
-static void release_tgcred(struct cred *cred)
-{
-#ifdef CONFIG_KEYS
-struct thread_group_cred *tgcred = cred->tgcred;
-
-if (atomic_dec_and_test(&tgcred->usage))
-call_rcu(&tgcred->rcu, release_tgcred_rcu);
-#endif
-}
-
-/*
* The RCU callback to actually dispose of a set of credentials
*/
static void put_cred_rcu(struct rcu_head *rcu)
< at >< at > -142,9 +98,10 < at >< at > static void put_cred_rcu(struct rcu_head *rcu)
#endif
security_cred_free(cred);
+key_put(cred->session_keyring);
+key_put(cred->process_keyring);
key_put(cred->thread_keyring);
key_put(cred->request_key_auth);
-release_tgcred(cred);
if (cred->group_info)
put_group_info(cred->group_info);
free_uid(cred->user);
< at >< at > -244,15 +201,6 < at >< at > struct cred *cred_alloc_blank(void)
if (!new)
return NULL;
-#ifdef CONFIG_KEYS
-new->tgcred = kzalloc(sizeof(*new->tgcred), GFP_KERNEL);
-if (!new->tgcred) {
-kmem_cache_free(cred_jar, new);
-return NULL;
-}
-atomic_set(&new->tgcred->usage, 1);
-#endif
-
atomic_set(&new->usage, 1);
#ifdef CONFIG_DEBUG_CREDENTIALS
new->magic = CRED_MAGIC;
< at >< at > -305,9 +253,10 < at >< at > struct cred *prepare_creds(void)
get_uid(new->user);
#ifdef CONFIG_KEYS
+key_get(new->session_keyring);
+key_get(new->process_keyring);
key_get(new->thread_keyring);
key_get(new->request_key_auth);
-atomic_inc(&new->tgcred->usage);
#endif
#ifdef CONFIG_SECURITY
< at >< at > -331,39 +280,20 < at >< at > EXPORT_SYMBOL(prepare_creds);
*/
struct cred *prepare_exec_creds(void)
{
-struct thread_group_cred *tgcred = NULL;
struct cred *new;
-#ifdef CONFIG_KEYS
-tgcred = kmalloc(sizeof(*tgcred), GFP_KERNEL);
-if (!tgcred)
-return NULL;
-#endif
-
new = prepare_creds();
-if (!new) {
-kfree(tgcred);
+if (!new)
return new;
-}
#ifdef CONFIG_KEYS
/* newly exec'd tasks don't get a thread keyring */
key_put(new->thread_keyring);
new->thread_keyring = NULL;
-/* create a new per-thread-group creds for all this set of threads to
- * share */
-memcpy(tgcred, new->tgcred, sizeof(struct thread_group_cred));
-
-atomic_set(&tgcred->usage, 1);
-spin_lock_init(&tgcred->lock);
-
/* inherit the session keyring; new process keyring */
-key_get(tgcred->session_keyring);
-tgcred->process_keyring = NULL;
-
-release_tgcred(new);
-new->tgcred = tgcred;
+key_put(new->process_keyring);
+new->process_keyring = NULL;
#endif
return new;
< at >< at > -380,9 +310,6 < at >< at > struct cred *prepare_exec_creds(void)
*/
int copy_creds(struct task_struct *p, unsigned long clone_flags)
{
-#ifdef CONFIG_KEYS
-struct thread_group_cred *tgcred;
-#endif
struct cred *new;
int ret;
< at >< at > -429,22 +356,12 < at >< at > int copy_creds(struct task_struct *p, unsigned long clone_flags)
install_thread_keyring_to_cred(new);
}
-/* we share the process and session keyrings between all the threads in
- * a process - this is slightly icky as we violate COW credentials a
- * bit */
+/* The process keyring is only shared between the threads in a process;
+ * anything outside of those threads doesn't inherit.
+ */
if (!(clone_flags & CLONE_THREAD)) {
-tgcred = kmalloc(sizeof(*tgcred), GFP_KERNEL);
-if (!tgcred) {
-ret = -ENOMEM;
-goto error_put;
-}
-atomic_set(&tgcred->usage, 1);
-spin_lock_init(&tgcred->lock);
-tgcred->process_keyring = NULL;
-tgcred->session_keyring = key_get(new->tgcred->session_keyring);
-
-release_tgcred(new);
-new->tgcred = tgcred;
+key_put(new->process_keyring);
+new->process_keyring = NULL;
}
#endif
< at >< at > -647,9 +564,6 < at >< at > void __init cred_init(void)
*/
struct cred *prepare_kernel_cred(struct task_struct *daemon)
{
-#ifdef CONFIG_KEYS
-struct thread_group_cred *tgcred;
-#endif
const struct cred *old;
struct cred *new;
< at >< at > -657,14 +571,6 < at >< at > struct cred *prepare_kernel_cred(struct task_struct *daemon)
if (!new)
return NULL;
-#ifdef CONFIG_KEYS
-tgcred = kmalloc(sizeof(*tgcred), GFP_KERNEL);
-if (!tgcred) {
-kmem_cache_free(cred_jar, new);
-return NULL;
-}
-#endif
-
kdebug("prepare_kernel_cred() alloc %p", new);
if (daemon)
< at >< at > -681,13 +587,10 < at >< at > struct cred *prepare_kernel_cred(struct task_struct *daemon)
get_group_info(new->group_info);
#ifdef CONFIG_KEYS
-atomic_set(&tgcred->usage, 1);
-spin_lock_init(&tgcred->lock);
-tgcred->process_keyring = NULL;
-tgcred->session_keyring = NULL;
-new->tgcred = tgcred;
-new->request_key_auth = NULL;
+new->session_keyring = NULL;
+new->process_keyring = NULL;
new->thread_keyring = NULL;
+new->request_key_auth = NULL;
new->jit_keyring = KEY_REQKEY_DEFL_THREAD_KEYRING;
#endif
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index ddb3e05..c906237 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
< at >< at > -1473,7 +1473,7 < at >< at > long keyctl_session_to_parent(void)
if (!cred)
goto error_keyring;
-cred->tgcred->session_keyring = key_ref_to_ptr(keyring_r);
+cred->session_keyring = key_ref_to_ptr(keyring_r);
keyring_r = NULL;
me = current;
< at >< at > -1496,7 +1496,7 < at >< at > long keyctl_session_to_parent(void)
mycred = current_cred();
pcred = __task_cred(parent);
if (mycred == pcred ||
- mycred->tgcred->session_keyring == pcred->tgcred->session_keyring)
+ mycred->session_keyring == pcred->session_keyring)
goto already_same;
/* the parent must have the same effective ownership and mustn't be
< at >< at > -1510,9 +1510,9 < at >< at > long keyctl_session_to_parent(void)
goto not_permitted;
/* the keyrings must have the same UID */
-if ((pcred->tgcred->session_keyring &&
- pcred->tgcred->session_keyring->uid != mycred->euid) ||
- mycred->tgcred->session_keyring->uid != mycred->euid)
+if ((pcred->session_keyring &&
+ pcred->session_keyring->uid != mycred->euid) ||
+ mycred->session_keyring->uid != mycred->euid)
goto not_permitted;
/* if there's an already pending keyring replacement, then we replace
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
index e137fcd..877867d 100644
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
< at >< at > -169,9 +169,8 < at >< at > static int install_thread_keyring(void)
int install_process_keyring_to_cred(struct cred *new)
{
struct key *keyring;
-int ret;
-if (new->tgcred->process_keyring)
+if (new->process_keyring)
return -EEXIST;
keyring = keyring_alloc("_pid", new->uid, new->gid,
< at >< at > -179,17 +178,8 < at >< at > int install_process_keyring_to_cred(struct cred *new)
if (IS_ERR(keyring))
return PTR_ERR(keyring);
-spin_lock_irq(&new->tgcred->lock);
-if (!new->tgcred->process_keyring) {
-new->tgcred->process_keyring = keyring;
-keyring = NULL;
-ret = 0;
-} else {
-ret = -EEXIST;
-}
-spin_unlock_irq(&new->tgcred->lock);
-key_put(keyring);
-return ret;
+new->process_keyring = keyring;
+return 0;
}
/*
< at >< at > -230,7 +220,7 < at >< at > int install_session_keyring_to_cred(struct cred *cred, struct key *keyring)
/* create an empty session keyring */
if (!keyring) {
flags = KEY_ALLOC_QUOTA_OVERRUN;
-if (cred->tgcred->session_keyring)
+if (cred->session_keyring)
flags = KEY_ALLOC_IN_QUOTA;
keyring = keyring_alloc("_ses", cred->uid, cred->gid,
< at >< at > -242,17 +232,11 < at >< at > int install_session_keyring_to_cred(struct cred *cred, struct key *keyring)
}
/* install the keyring */
-spin_lock_irq(&cred->tgcred->lock);
-old = cred->tgcred->session_keyring;
-rcu_assign_pointer(cred->tgcred->session_keyring, keyring);
-spin_unlock_irq(&cred->tgcred->lock);
-
-/* we're using RCU on the pointer, but there's no point synchronising
- * on it if it didn't previously point to anything */
-if (old) {
-synchronize_rcu();
+old = cred->session_keyring;
+rcu_assign_pointer(cred->session_keyring, keyring);
+
+if (old)
key_put(old);
-}
return 0;
}
< at >< at > -369,9 +353,9 < at >< at > key_ref_t search_my_process_keyrings(struct key_type *type,
}
/* search the process keyring second */
-if (cred->tgcred->process_keyring) {
+if (cred->process_keyring) {
key_ref = keyring_search_aux(
-make_key_ref(cred->tgcred->process_keyring, 1),
+make_key_ref(cred->process_keyring, 1),
cred, type, description, match, no_state_check);
if (!IS_ERR(key_ref))
goto found;
< at >< at > -390,12 +374,10 < at >< at > key_ref_t search_my_process_keyrings(struct key_type *type,
}
/* search the session keyring */
-if (cred->tgcred->session_keyring) {
+if (cred->session_keyring) {
rcu_read_lock();
key_ref = keyring_search_aux(
-make_key_ref(rcu_dereference(
- cred->tgcred->session_keyring),
- 1),
+make_key_ref(rcu_dereference(cred->session_keyring), 1),
cred, type, description, match, no_state_check);
rcu_read_unlock();
< at >< at > -565,7 +547,7 < at >< at > try_again:
break;
case KEY_SPEC_PROCESS_KEYRING:
-if (!cred->tgcred->process_keyring) {
+if (!cred->process_keyring) {
if (!(lflags & KEY_LOOKUP_CREATE))
goto error;
< at >< at > -577,13 +559,13 < at >< at > try_again:
goto reget_creds;
}
-key = cred->tgcred->process_keyring;
+key = cred->process_keyring;
atomic_inc(&key->usage);
key_ref = make_key_ref(key, 1);
break;
case KEY_SPEC_SESSION_KEYRING:
-if (!cred->tgcred->session_keyring) {
+if (!cred->session_keyring) {
/* always install a session keyring upon access if one
* doesn't exist yet */
ret = install_user_keyrings();
< at >< at > -598,7 +580,7 < at >< at > try_again:
if (ret < 0)
goto error;
goto reget_creds;
-} else if (cred->tgcred->session_keyring ==
+} else if (cred->session_keyring ==
cred->user->session_keyring &&
lflags & KEY_LOOKUP_CREATE) {
ret = join_session_keyring(NULL);
< at >< at > -608,7 +590,7 < at >< at > try_again:
}
rcu_read_lock();
-key = rcu_dereference(cred->tgcred->session_keyring);
+key = rcu_dereference(cred->session_keyring);
atomic_inc(&key->usage);
rcu_read_unlock();
key_ref = make_key_ref(key, 1);
< at >< at > -785,7 +767,7 < at >< at > long join_session_keyring(const char *name)
if (ret < 0)
goto error;
-serial = new->tgcred->session_keyring->serial;
+serial = new->session_keyring->serial;
ret = commit_creds(new);
if (ret == 0)
ret = serial;
< at >< at > -871,8 +853,7 < at >< at > void key_replace_session_keyring(void)
new->jit_keyring= old->jit_keyring;
new->thread_keyring= key_get(old->thread_keyring);
-new->tgcred->tgid= old->tgcred->tgid;
-new->tgcred->process_keyring = key_get(old->tgcred->process_keyring);
+new->process_keyring= key_get(old->process_keyring);
security_transfer_creds(new, old);
diff --git a/security/keys/request_key.c b/security/keys/request_key.c
index cc37903..11b7f31 100644
--- a/security/keys/request_key.c
+++ b/security/keys/request_key.c
< at >< at > -157,12 +157,12 < at >< at > static int call_sbin_request_key(struct key_construction *cons,
cred->thread_keyring ? cred->thread_keyring->serial : 0);
prkey = 0;
-if (cred->tgcred->process_keyring)
-prkey = cred->tgcred->process_keyring->serial;
+if (cred->process_keyring)
+prkey = cred->process_keyring->serial;
sprintf(keyring_str[1], "%d", prkey);
rcu_read_lock();
-session = rcu_dereference(cred->tgcred->session_keyring);
+session = rcu_dereference(cred->session_keyring);
if (!session)
session = cred->user->session_keyring;
sskey = session->serial;
< at >< at > -304,14 +304,14 < at >< at > static void construct_get_dest_keyring(struct key **_dest_keyring)
break;
case KEY_REQKEY_DEFL_PROCESS_KEYRING:
-dest_keyring = key_get(cred->tgcred->process_keyring);
+dest_keyring = key_get(cred->process_keyring);
if (dest_keyring)
break;
case KEY_REQKEY_DEFL_SESSION_KEYRING:
rcu_read_lock();
dest_keyring = key_get(
-rcu_dereference(cred->tgcred->session_keyring));
+rcu_dereference(cred->session_keyring));
rcu_read_unlock();
if (dest_keyring)
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo< at >vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
</pre>David Howells2012-05-21T10:32:50[PATCH]security:selinux:fixed spacing issues relating to : and ? operators.
http://comments.gmane.org/gmane.linux.kernel.lsm/16400
<pre>Fixed spacing issues of : and ? operators found by
checkpatch.pl in security/selinux/xfrm.c
Signed-off-by: Jeffrin Jose <ahiliation< at >yahoo.co.in>
---
security/selinux/xfrm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index 48665ec..a3cb878 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
< at >< at > -140,7 +140,7 < at >< at > int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy *
rc = avc_has_perm(fl->flowi_secid, state_sid, SECCLASS_ASSOCIATION,
ASSOCIATION__SENDTO,
- NULL)? 0:1;
+ NULL) ? 0 : 1;
/*
* We don't need a separate SA Vs. policy polmatch check
</pre>Jeffrin Jose2012-05-20T18:23:49[RFC] audit logging hashes of exec'd binaries.
http://comments.gmane.org/gmane.linux.kernel.lsm/16388
<pre>For the purposes of tracking malware in an enterprise, I'm interested
in logging the hash of binaries as they are exec'd. The following
patch (mostly) adds this functionality.
When a binary is executed, gih_file_check is called which checks to
see if this inode has been exec'd before. If not, it's sha1 hash is
taken and logged to auditd along with its pid, ppid, uid, euid,
loginuid & path and the inode is stored the list of previously hashed
binaries. Subsequent exec's incur no extra hashing.
There's still some work to be done on this, eg finding a more
efficient way to search exec'd inodes, making sure there are no memory
leaks, etc. In the meantime, I'm interested in knowing if other
people/organizations are interested in this feature and also on my
approach to solving the problem. Are there any obvious issues that I'm
missing because I'm new at this, etc?
If code looks similar to IMA at all, that's because I borrowed a fair
bit of it directly from IMA. Since IMA already does the hashing I've
was looking for, I asked in Feb. if it would be possible to audit log
the calculated hashes. The result was that it didn't seem like
modifying IMA was the right approach.
My very unscientific (*) showed about a 1%-2% performance hit.
(*) the test was running 'make -j 4' of the kernel in a qemu instance
running on my desktop while I was using the desktop for regular
desktop-y stuff.
Cheers,
peter
Signed-off-by: Peter Moody <pmoody< at >google.com>
---
fs/namei.c | 2 +
include/linux/gih.h | 25 +++++
include/linux/sched.h | 8 ++
security/integrity/Kconfig | 1 +
security/integrity/Makefile | 2 +
security/integrity/gih/Kconfig | 6 +
security/integrity/gih/Makefile | 7 ++
security/integrity/gih/gih.h | 18 ++++
security/integrity/gih/gih_crypto.c | 64 ++++++++++++
security/integrity/gih/gih_fs.c | 149 +++++++++++++++++++++++++++
security/integrity/gih/gih_main.c | 189 +++++++++++++++++++++++++++++++++++
11 files changed, 471 insertions(+), 0 deletions(-)
create mode 100644 include/linux/gih.h
create mode 100644 security/integrity/gih/Kconfig
create mode 100644 security/integrity/gih/Makefile
create mode 100644 security/integrity/gih/gih.h
create mode 100644 security/integrity/gih/gih_crypto.c
create mode 100644 security/integrity/gih/gih_fs.c
create mode 100644 security/integrity/gih/gih_main.c
diff --git a/fs/namei.c b/fs/namei.c
index c427919..fc208ef 100644
--- a/fs/namei.c
+++ b/fs/namei.c
< at >< at > -23,6 +23,7 < at >< at >
#include <linux/fsnotify.h>
#include <linux/personality.h>
#include <linux/security.h>
+#include <linux/gih.h>
#include <linux/ima.h>
#include <linux/syscalls.h>
#include <linux/mount.h>
< at >< at > -2336,6 +2337,7 < at >< at > common:
goto exit;
filp = nameidata_to_filp(nd);
if (!IS_ERR(filp)) {
+gih_file_check(filp, op->acc_mode);
error = ima_file_check(filp, op->acc_mode);
if (error) {
fput(filp);
diff --git a/include/linux/gih.h b/include/linux/gih.h
new file mode 100644
index 0000000..5d7120b
--- /dev/null
+++ b/include/linux/gih.h
< at >< at > -0,0 +1,25 < at >< at >
+#ifndef _LINUX_GIH_H
+#define _LINUX_GIH_H
+
+#include <linux/fs.h>
+#include <linux/list.h>
+#include <linux/path.h>
+
+#ifdef CONFIG_GOOGLE_IMAGE_HASH
+
+/* saved hashes keyed on inode */
+struct gih_entry {
+unsigned int ref;
+struct inode *inode;
+struct path path;
+struct list_head cache_entries;
+};
+
+extern void gih_file_check(struct file *file, int mask);
+
+#else
+
+static inline void gih_file_check(struct file *file, int mask) { }
+
+#endif
+#endif
diff --git a/include/linux/sched.h b/include/linux/sched.h
index 81a173c..6f73279 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
< at >< at > -93,6 +93,10 < at >< at > struct sched_param {
#include <asm/processor.h>
+#ifdef CONFIG_GOOGLE_IMAGE_HASH
+#include <crypto/sha.h>
+#endif
+
struct exec_domain;
struct futex_pi_state;
struct robust_list_head;
< at >< at > -1354,6 +1358,10 < at >< at > struct task_struct {
pid_t pid;
pid_t tgid;
+#ifdef CONFIG_GOOGLE_IMAGE_HASH
+/* md5/sha1 hash of the image */
+u8 digest[SHA1_DIGEST_SIZE];
+#endif
#ifdef CONFIG_CC_STACKPROTECTOR
/* Canary value for the -fstack-protector gcc feature */
unsigned long stack_canary;
diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
index 5bd1cc1..481b4a3 100644
--- a/security/integrity/Kconfig
+++ b/security/integrity/Kconfig
< at >< at > -19,3 +19,4 < at >< at > config INTEGRITY_SIGNATURE
source security/integrity/ima/Kconfig
source security/integrity/evm/Kconfig
+source security/integrity/gih/Kconfig
diff --git a/security/integrity/Makefile b/security/integrity/Makefile
index d43799c..16ed8c6 100644
--- a/security/integrity/Makefile
+++ b/security/integrity/Makefile
< at >< at > -11,3 +11,5 < at >< at > subdir-$(CONFIG_IMA)+= ima
obj-$(CONFIG_IMA)+= ima/built-in.o
subdir-$(CONFIG_EVM)+= evm
obj-$(CONFIG_EVM)+= evm/built-in.o
+subdir-$(CONFIG_GOOGLE_IMAGE_HASH) += gih
+obj-$(CONFIG_GOOGLE_IMAGE_HASH) += gih/built-in.o
diff --git a/security/integrity/gih/Kconfig b/security/integrity/gih/Kconfig
new file mode 100644
index 0000000..701c298
--- /dev/null
+++ b/security/integrity/gih/Kconfig
< at >< at > -0,0 +1,6 < at >< at >
+config GOOGLE_IMAGE_HASH
+bool "binary image hashing"
+def_bool y
+depends on SECURITY
+help
+ store sha1 hash of binaries.
diff --git a/security/integrity/gih/Makefile b/security/integrity/gih/Makefile
new file mode 100644
index 0000000..e1fbb2b
--- /dev/null
+++ b/security/integrity/gih/Makefile
< at >< at > -0,0 +1,7 < at >< at >
+#
+# Makefile for building mah own shit.
+#
+
+obj-$(CONFIG_GOOGLE_IMAGE_HASH) += gih.o
+
+gih-y := gih_fs.o gih_crypto.o gih_main.o
diff --git a/security/integrity/gih/gih.h b/security/integrity/gih/gih.h
new file mode 100644
index 0000000..6a981a2
--- /dev/null
+++ b/security/integrity/gih/gih.h
< at >< at > -0,0 +1,18 < at >< at >
+#ifndef _GIH_H
+#define _GIH_H
+
+#include <linux/gih.h>
+#include <linux/audit.h>
+
+#define MAX_GIH_CACHE_ENTRIES 500
+
+extern int gih_enabled;
+extern int gih_initialized;
+extern int gih_cache_size;
+extern int count;
+
+int gih_calc_hash(struct file *, u8 *);
+int gih_init_fs(void);
+void gih_audit_msg(struct gih_entry *, int, const char *);
+
+#endif
diff --git a/security/integrity/gih/gih_crypto.c
b/security/integrity/gih/gih_crypto.c
new file mode 100644
index 0000000..2cc56da
--- /dev/null
+++ b/security/integrity/gih/gih_crypto.c
< at >< at > -0,0 +1,64 < at >< at >
+#include <linux/crypto.h>
+#include <linux/scatterlist.h>
+
+#include "gih.h"
+
+static int init_desc(struct hash_desc *desc)
+{
+int rc;
+desc->tfm = crypto_alloc_hash("sha1", 0, CRYPTO_ALG_ASYNC);
+if (IS_ERR(desc->tfm)) {
+pr_info("image_hash: failed to load sha1 transform: %ld\n",
+PTR_ERR(desc->tfm));
+rc = PTR_ERR(desc->tfm);
+return rc;
+}
+desc->flags = 0;
+rc = crypto_hash_init(desc);
+if (rc)
+crypto_free_hash(desc->tfm);
+return rc;
+}
+
+int gih_calc_hash(struct file *file, u8 *digest)
+{
+struct hash_desc desc;
+struct scatterlist sg[1];
+loff_t i_size, offset = 0;
+char *rbuf;
+int rc;
+
+rc = init_desc(&desc);
+if (rc != 0)
+return rc;
+
+rbuf = kzalloc(PAGE_SIZE, GFP_KERNEL);
+if (!rbuf) {
+rc = -ENOMEM;
+goto out;
+}
+
+i_size = i_size_read(file->f_dentry->d_inode);
+while (offset < i_size) {
+int rbuf_len;
+rbuf_len = kernel_read(file, offset, rbuf, PAGE_SIZE);
+if (rbuf_len < 0) {
+rc = rbuf_len;
+break;
+}
+if (rbuf_len == 0)
+break;
+offset += rbuf_len;
+sg_init_one(sg, rbuf, rbuf_len);
+
+rc = crypto_hash_update(&desc, sg, rbuf_len);
+if (rc)
+break;
+}
+kfree(rbuf);
+if (!rc)
+rc = crypto_hash_final(&desc, digest);
+out:
+crypto_free_hash(desc.tfm);
+return rc;
+}
diff --git a/security/integrity/gih/gih_fs.c b/security/integrity/gih/gih_fs.c
new file mode 100644
index 0000000..b06ca42
--- /dev/null
+++ b/security/integrity/gih/gih_fs.c
< at >< at > -0,0 +1,149 < at >< at >
+#include <linux/fs.h>
+#include <linux/security.h>
+#include <linux/seq_file.h>
+#include <linux/uaccess.h>
+#include <linux/kernel.h>
+
+#include "gih.h"
+
+static struct dentry *gih_dir;
+static struct dentry *on_off_switch_d;
+static struct dentry *cache_size_d;
+int gih_cache_size;
+
+static ssize_t gih_on_off_switch_write(struct file *file, const char
__user *buf,
+ size_t datalen, loff_t *ppos)
+{
+ssize_t result;
+char *data = NULL;
+int val;
+
+if (datalen >= PAGE_SIZE)
+datalen = PAGE_SIZE -1;
+
+result = -EINVAL;
+if (*ppos != 0)
+goto out;
+
+result = -ENOMEM;
+data = (char*)kmalloc(datalen + 1, GFP_KERNEL);
+if (!data)
+goto out;
+
+*(data + datalen) = '\0';
+
+result = -EFAULT;
+if (copy_from_user(data, buf, datalen))
+goto out;
+
+result = datalen;
+val = simple_strtol(data, NULL, 10);
+if (val > 0)
+val = 1;
+else if (val < 0)
+val = 0;
+
+if (val == 1 && gih_enabled == 0) {
+gih_audit_msg(NULL, AUDIT_CONFIG_CHANGE, "enabling gih");
+gih_enabled = 1;
+} else if (val == 0 && gih_enabled == 1) {
+gih_audit_msg(NULL, AUDIT_CONFIG_CHANGE, "disabling gih");
+gih_enabled = 0;
+}
+
+out:
+if (data)
+kfree(data);
+return result;
+}
+
+static int gih_on_off_switch_show(struct seq_file *m, void *v)
+{
+seq_printf(m, "%d\n", gih_enabled);
+return 0;
+}
+
+static int gih_on_off_switch_open(struct inode *inode, struct file *file)
+{
+return single_open(file, gih_on_off_switch_show, inode);
+}
+
+static const struct file_operations gih_on_off_switch_ops = {
+.open = gih_on_off_switch_open,
+.write = gih_on_off_switch_write,
+.read = seq_read,
+.release = single_release,
+.llseek = generic_file_llseek,
+};
+
+static int gih_cache_size_show(struct seq_file *m, void *v)
+{
+seq_printf(m, "%d\n", count);
+return 0;
+}
+
+static ssize_t gih_cache_size_write(struct file *file, const char __user *buf,
+ size_t datalen, loff_t *ppos)
+{
+ssize_t result;
+char *data = NULL;
+int cache_size;
+
+if (datalen >= PAGE_SIZE)
+datalen = PAGE_SIZE -1;
+
+result = -EINVAL;
+if (*ppos != 0)
+goto out;
+
+result = -ENOMEM;
+data = (char*)kmalloc(datalen + 1, GFP_KERNEL);
+if (!data)
+goto out;
+
+*(data + datalen) = '\0';
+
+result = -EFAULT;
+if (copy_from_user(data, buf, datalen))
+goto out;
+
+result = datalen;
+
+cache_size = simple_strtol(data, NULL, 0);
+if (cache_size < MAX_GIH_CACHE_ENTRIES)
+cache_size = MAX_GIH_CACHE_ENTRIES;
+gih_cache_size = cache_size;
+
+out:
+if (data)
+kfree(data);
+return result;
+}
+
+static int gih_cache_size_open(struct inode *inode, struct file *file)
+{
+return single_open(file, gih_cache_size_show, inode);
+}
+
+static const struct file_operations gih_cache_size_ops = {
+.open = gih_cache_size_open,
+.read = seq_read,
+.write = gih_cache_size_write,
+.release = single_release,
+.llseek = generic_file_llseek,
+};
+
+int __init gih_init_fs(void)
+{
+gih_dir = securityfs_create_dir("gih", NULL);
+if (IS_ERR(gih_dir))
+return -1;
+
+on_off_switch_d = securityfs_create_file("toggle", S_IRUSR | S_IRGRP,
+ gih_dir, NULL,
+ &gih_on_off_switch_ops);
+cache_size_d = securityfs_create_file("cache_size", S_IRUSR | S_IRGRP,
+ gih_dir, NULL,
+ &gih_cache_size_ops);
+return 0;
+}
diff --git a/security/integrity/gih/gih_main.c
b/security/integrity/gih/gih_main.c
new file mode 100644
index 0000000..116956b
--- /dev/null
+++ b/security/integrity/gih/gih_main.c
< at >< at > -0,0 +1,189 < at >< at >
+#include <linux/module.h>
+#include <linux/hash.h>
+#include <linux/crypto.h>
+#include <linux/scatterlist.h>
+#include <crypto/sha.h>
+#include <linux/seq_file.h>
+#include <linux/fs.h>
+#include <linux/mm.h>
+#include <linux/pid.h>
+#include <linux/sched.h>
+#include <linux/proc_fs.h>
+#include <linux/slab.h>
+#include <linux/spinlock.h>
+#include <linux/gih.h>
+#include <linux/list.h>
+#include <linux/security.h>
+
+#include "gih.h"
+
+static struct kmem_cache *gih_cache __read_mostly;
+static DEFINE_SPINLOCK(gih_cache_lock);
+static LIST_HEAD(cache_entries);
+
+int gih_initialized;
+int gih_enabled;
+int cache_size;
+int count;
+
+void gih_audit_msg(struct gih_entry *entry, int msgno, const char *msg)
+{
+struct audit_buffer *ab;
+
+if (!current->digest) {
+return;
+} else if (!entry) {
+/* Messages about gih starting/stopping */
+ab = audit_log_start(current->audit_context, GFP_KERNEL, msgno);
+if (!ab)
+return;
+audit_log_format(ab, "%s", msg);
+audit_log_task_context(ab);
+audit_log_end(ab);
+} else {
+char *hash;
+int i;
+hash = (char*)kmalloc(PAGE_SIZE, GFP_TEMPORARY);
+if (!hash)
+goto out;
+memset(hash, 0, PAGE_SIZE);
+
+for (i = 0; i < SHA1_DIGEST_SIZE; i++) {
+snprintf(hash + (i*2), 4, "%02x", current->digest[i]);
+}
+
+ab = audit_log_start(current->audit_context, GFP_KERNEL,
+ AUDIT_INTEGRITY_RULE);
+if (!ab)
+goto out;
+audit_log_format(ab, "pid=%d ppid=%d uid=%d euid=%d loginuid=%d ",
+ current->pid, current->real_parent->pid,
+ current->real_cred->uid, current->cred->uid,
+ current->loginuid);
+audit_log_d_path(ab, "path=", &entry->path);
+audit_log_format(ab, " hash=%s", hash);
+audit_log_task_context(ab);
+audit_log_end(ab);
+out:
+if (hash)
+kfree(hash);
+}
+}
+
+static struct gih_entry *gih_inode_alloc(struct file *file, u8 *digest)
+{
+struct gih_entry *entry;
+
+entry = kmem_cache_alloc(gih_cache, GFP_NOFS);
+if (!entry)
+return NULL;
+__iget(file->f_path.dentry->d_inode);
+entry->inode = file->f_path.dentry->d_inode;
+entry->path = file->f_path;
+entry->ref = 1;
+return entry;
+}
+
+static struct gih_entry *__gih_find_entry(struct inode *inode)
+{
+struct gih_entry *entry = NULL;
+
+list_for_each_entry(entry, &cache_entries, cache_entries)
+if (entry->inode->i_ino == inode->i_ino) {
+return entry;
+}
+return NULL;
+}
+
+static struct gih_entry *gih_find_entry(struct inode *inode)
+{
+struct gih_entry *entry;
+if (count < 1)
+return NULL;
+
+spin_lock(&gih_cache_lock);
+entry = __gih_find_entry(inode);
+spin_unlock(&gih_cache_lock);
+
+return entry;
+}
+
+static void gih_add_entry(struct gih_entry *entry)
+{
+spin_lock(&gih_cache_lock);
+list_add(&(entry->cache_entries), &cache_entries);
+count++;
+spin_unlock(&gih_cache_lock);
+}
+
+void gih_file_check(struct file *file, int mask)
+{
+if (!gih_initialized || !gih_enabled)
+return;
+
+if (mask & MAY_EXEC) {
+struct gih_entry *entry;
+struct inode *inode = file->f_path.dentry->d_inode;
+entry = gih_find_entry(inode);
+if (entry == NULL) {
+u8 *digest;
+
+digest = (u8*)kmalloc(SHA1_DIGEST_SIZE, GFP_TEMPORARY);
+if (!digest)
+return;
+memset(digest, 0, SHA1_DIGEST_SIZE);
+
+gih_calc_hash(file, digest);
+
+entry = gih_inode_alloc(file, digest);
+if (!entry) {
+printk(KERN_ERR "error allocating new entry");
+kfree(digest);
+return;
+}
+
+gih_add_entry(entry);
+memcpy(&current->digest, digest, SHA1_DIGEST_SIZE);
+gih_audit_msg(entry, AUDIT_INTEGRITY_RULE, NULL);
+} else {
+entry->ref++;
+}
+}
+}
+
+EXPORT_SYMBOL_GPL(gih_file_check);
+
+static int __exit cleanup_image_hash(void)
+{
+struct gih_entry *entry = NULL;
+
+spin_lock(&gih_cache_lock);
+list_for_each_entry(entry, &cache_entries, cache_entries) {
+kfree(entry);
+}
+spin_unlock(&gih_cache_lock);
+count = 0;
+gih_enabled = 0;
+gih_initialized = 0;
+
+return 0;
+}
+
+static int __init init_image_hash(void)
+{
+gih_cache = kmem_cache_create("gih_cache", sizeof(struct gih_entry), 0,
+ SLAB_PANIC, NULL);
+count = 0;
+gih_enabled = 1;
+gih_init_fs();
+gih_initialized = 1;
+gih_cache_size = MAX_GIH_CACHE_ENTRIES;
+
+printk(KERN_INFO "gih enabled\n");
+return 0;
+}
+
+__initcall(init_image_hash);
+
+MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("Cryptographic image hashing");
</pre>Peter Moody2012-05-18T22:58:42[PATCH] Trace event for capable().
http://comments.gmane.org/gmane.linux.kernel.lsm/16380
<pre>Add a simple trace event for capable().
There's been a lot of discussion around capable(), and there
are plenty of tools to help reduce capabilities' usage from
userspace. A major gap however is that it's almost impossible
to see or verify which bits are requested from either userspace
or in the kernel.
This patch adds a minimal tracer that will print out which
CAPs are requested and whether the request was granted.
Signed-off-by: Auke Kok <auke-jan.h.kok< at >intel.com>
Cc: linux-security-module< at >vger.kernel.org
Cc: linux-kernel< at >vger.kernel.org
Cc: Serge Hallyn <serge.hallyn< at >canonical.com>
Cc: Eric Paris <eparis< at >redhat.com>
---
include/trace/events/capabilities.h | 33 +++++++++++++++++++++++++++++++++
kernel/capability.c | 5 +++++
2 files changed, 38 insertions(+)
create mode 100644 include/trace/events/capabilities.h
diff --git a/include/trace/events/capabilities.h b/include/trace/events/capabilities.h
new file mode 100644
index 0000000..97997fa
--- /dev/null
+++ b/include/trace/events/capabilities.h
< at >< at > -0,0 +1,33 < at >< at >
+#undef TRACE_SYSTEM
+#define TRACE_SYSTEM capabilities
+
+#if !defined(_TRACE_CAPABILITIES_H) || defined(TRACE_HEADER_MULTI_READ)
+#define _TRACE_CAPABILITIES_H
+
+#include <linux/tracepoint.h>
+
+TRACE_EVENT(capable,
+
+TP_PROTO(pid_t pid, int cap, bool rc),
+
+TP_ARGS(pid, cap, rc),
+
+TP_STRUCT__entry(
+__field(pid_t, pid)
+__field(int, cap)
+__field(bool, rc)
+),
+
+TP_fast_assign(
+__entry->pid = pid;
+__entry->cap = cap;
+__entry->rc = rc;
+),
+
+TP_printk("pid=%d cap=%d rc=%d", __entry->pid, __entry->cap, __entry->rc)
+);
+
+#endif /* _TRACE_CAPABILITIES_H */
+
+/* This part must be outside protection */
+#include <trace/define_trace.h>
diff --git a/kernel/capability.c b/kernel/capability.c
index 3f1adb6..2941f37 100644
--- a/kernel/capability.c
+++ b/kernel/capability.c
< at >< at > -17,6 +17,9 < at >< at >
#include <linux/user_namespace.h>
#include <asm/uaccess.h>
+#define CREATE_TRACE_POINTS
+#include <trace/events/capabilities.h>
+
/*
* Leveraged for setting/resetting capabilities
*/
< at >< at > -386,8 +389,10 < at >< at > bool ns_capable(struct user_namespace *ns, int cap)
if (security_capable(current_cred(), ns, cap) == 0) {
current->flags |= PF_SUPERPRIV;
+trace_capable(current->pid, cap, true);
return true;
}
+trace_capable(current->pid, cap, false);
return false;
}
EXPORT_SYMBOL(ns_capable);
</pre>Auke Kok2012-05-17T19:50:00[PATCH] KEYS: Don't check for NULL key pointer in key_validate()
http://comments.gmane.org/gmane.linux.kernel.lsm/16344
<pre>Don't bother checking for NULL key pointer in key_validate() as all of the
places that call it will crash anyway if the relevant key pointer is NULL by
the time they call key_validate(). Therefore, the checking must be done prior
to calling here.
Whilst we're at it, simplify the key_validate() function a bit and mark its
argument const.
Reported-by: Dan Carpenter <dan.carpenter< at >oracle.com>
Signed-off-by: David Howells <dhowells< at >redhat.com>
cc: Dan Carpenter <dan.carpenter< at >oracle.com>
---
include/linux/key.h | 2 +-
security/keys/permission.c | 40 ++++++++++++++++------------------------
2 files changed, 17 insertions(+), 25 deletions(-)
diff --git a/include/linux/key.h b/include/linux/key.h
index b145b05..52318007 100644
--- a/include/linux/key.h
+++ b/include/linux/key.h
< at >< at > -242,7 +242,7 < at >< at > extern struct key *request_key_async_with_auxdata(struct key_type *type,
extern int wait_for_key_construction(struct key *key, bool intr);
-extern int key_validate(struct key *key);
+extern int key_validate(const struct key *key);
extern key_ref_t key_create_or_update(key_ref_t keyring,
const char *type,
diff --git a/security/keys/permission.c b/security/keys/permission.c
index 5f4c00c..57d9636 100644
--- a/security/keys/permission.c
+++ b/security/keys/permission.c
< at >< at > -91,33 +91,25 < at >< at > EXPORT_SYMBOL(key_task_permission);
* key is invalidated, -EKEYREVOKED if the key's type has been removed or if
* the key has been revoked or -EKEYEXPIRED if the key has expired.
*/
-int key_validate(struct key *key)
+int key_validate(const struct key *key)
{
-struct timespec now;
unsigned long flags = key->flags;
-int ret = 0;
-
-if (key) {
-ret = -ENOKEY;
-if (flags & (1 << KEY_FLAG_INVALIDATED))
-goto error;
-
-/* check it's still accessible */
-ret = -EKEYREVOKED;
-if (flags & ((1 << KEY_FLAG_REVOKED) |
- (1 << KEY_FLAG_DEAD)))
-goto error;
-
-/* check it hasn't expired */
-ret = 0;
-if (key->expiry) {
-now = current_kernel_time();
-if (now.tv_sec >= key->expiry)
-ret = -EKEYEXPIRED;
-}
+
+if (flags & (1 << KEY_FLAG_INVALIDATED))
+return -ENOKEY;
+
+/* check it's still accessible */
+if (flags & ((1 << KEY_FLAG_REVOKED) |
+ (1 << KEY_FLAG_DEAD)))
+return -EKEYREVOKED;
+
+/* check it hasn't expired */
+if (key->expiry) {
+struct timespec now = current_kernel_time();
+if (now.tv_sec >= key->expiry)
+return -EKEYEXPIRED;
}
-error:
-return ret;
+return 0;
}
EXPORT_SYMBOL(key_validate);
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo< at >vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
</pre>David Howells2012-05-15T13:11:11[PULL} Smack: changes for linux 3.5
http://comments.gmane.org/gmane.linux.kernel.lsm/16337
<pre>
Please pull the following changes for the Linux 3.5 merge window.
These changes are available in the git repository:
http://git.gitorious.org/smack-next/kernel.git for-1205
commit 2267b13a7cad1f9dfe0073c1f902d45953f9faff
Author: Casey Schaufler <casey< at >schaufler-ca.com>
Date: Tue Mar 13 19:14:19 2012 -0700
Smack: recursive tramsmute
The transmuting directory feature of Smack requires that
the transmuting attribute be explicitly set in all cases.
It seems the users of this facility would expect that the
transmuting attribute be inherited by subdirectories that
are created in a transmuting directory. This does not seem
to add any additional complexity to the understanding of
how the system works.
Signed-off-by: Casey Schaufler <casey< at >schaufler-ca.com>
commit ceffec5541cc22486d3ff492e3d76a33a68fbfa3
Author: Tetsuo Handa <penguin-kernel< at >I-love.SAKURA.ne.jp>
Date: Thu Mar 29 16:19:05 2012 +0900
gfp flags for security_inode_alloc()?
Dave Chinner wrote:
> Yes, because you have no idea what the calling context is except
> for the fact that is from somewhere inside filesystem code and the
> filesystem could be holding locks. Therefore, GFP_NOFS is really the
> only really safe way to allocate memory here.
I see. Thank you.
I'm not sure, but can call trace happen where somewhere inside network
filesystem or stackable filesystem code with locks held invokes operations that
involves GFP_KENREL memory allocation outside that filesystem?
----------
[PATCH] SMACK: Fix incorrect GFP_KERNEL usage.
new_inode_smack() which can be called from smack_inode_alloc_security() needs
to use GFP_NOFS like SELinux's inode_alloc_security() does, for
security_inode_alloc() is called from inode_init_always() and
inode_init_always() is called from xfs_inode_alloc() which is using GFP_NOFS.
smack_inode_init_security() needs to use GFP_NOFS like
selinux_inode_init_security() does, for initxattrs() callback function (e.g.
btrfs_initxattrs()) which is called from security_inode_init_security() is
using GFP_NOFS.
smack_audit_rule_match() needs to use GFP_ATOMIC, for
security_audit_rule_match() can be called from audit_filter_user_rules() and
audit_filter_user_rules() is called from audit_filter_user() with RCU read lock
held.
Signed-off-by: Tetsuo Handa <penguin-kernel< at >I-love.SAKURA.ne.jp>
Signed-off-by: Casey Schaufler <cschaufler< at >cschaufler-intel.(none)>
commit f7112e6c9abf1c70f001dcf097c1d6e218a93f5c
Author: Casey Schaufler <casey< at >schaufler-ca.com>
Date: Sun May 6 15:22:02 2012 -0700
Smack: allow for significantly longer Smack labels v4
V4 updated to current linux-security#next
Targeted for git://gitorious.org/smack-next/kernel.git
Modern application runtime environments like to use
naming schemes that are structured and generated without
human intervention. Even though the Smack limit of 23
characters for a label name is perfectly rational for
human use there have been complaints that the limit is
a problem in environments where names are composed from
a set or sources, including vendor, author, distribution
channel and application name. Names like
softwarehouse-pgwodehouse-coolappstore-mellowmuskrats
are becoming harder to avoid. This patch introduces long
label support in Smack. Labels are now limited to 255
characters instead of the old 23.
The primary reason for limiting the labels to 23 characters
was so they could be directly contained in CIPSO category sets.
This is still done were possible, but for labels that are too
large a mapping is required. This is perfectly safe for communication
that stays "on the box" and doesn't require much coordination
between boxes beyond what would have been required to keep label
names consistent.
The bulk of this patch is in smackfs, adding and updating
administrative interfaces. Because existing APIs can't be
changed new ones that do much the same things as old ones
have been introduced.
The Smack specific CIPSO data representation has been removed
and replaced with the data format used by netlabel. The CIPSO
header is now computed when a label is imported rather than
on use. This results in improved IP performance. The smack
label is now allocated separately from the containing structure,
allowing for larger strings.
Four new /smack interfaces have been introduced as four
of the old interfaces strictly required labels be specified
in fixed length arrays.
The access interface is supplemented with the check interface:
access "Subject Object rwxat"
access2 "Subject Object rwaxt"
The load interface is supplemented with the rules interface:
load "Subject Object rwxat"
load2 "Subject Object rwaxt"
The load-self interface is supplemented with the self-rules interface:
load-self "Subject Object rwxat"
load-self2 "Subject Object rwaxt"
The cipso interface is supplemented with the wire interface:
cipso "Subject lvl cnt c1 c2 ..."
cipso2 "Subject lvl cnt c1 c2 ..."
The old interfaces are maintained for compatibility.
Signed-off-by: Casey Schaufler <casey< at >schaufler-ca.com>
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo< at >vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
</pre>Casey Schaufler2012-05-15T05:37:02[PATCH] ima: fix filename hint to reflect script interpreter name
http://comments.gmane.org/gmane.linux.kernel.lsm/16336
<pre>From: Mimi Zohar <zohar< at >us.ibm.com>
When IMA was first upstreamed, the bprm filename and interp were
always the same. Currently, the bprm->filename and bprm->interp
are the same, except for when only bprm->interp contains the
interpreter name. So instead of using the bprm->filename as
the IMA filename hint in the measurement list, we could replace
it with bprm->interp, but this feels too fragil.
The following patch is not much better, but at least there is some
indication that sometimes we're passing the filename and other times
the interpreter name.
Reported-by: Andrew Lunn <andrew< at >lunn.ch>
Signed-off-by: Mimi Zohar <zohar< at >linux.vnet.ibm.com>
---
security/integrity/ima/ima_main.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 1eff5cb..b17be79 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
< at >< at > -194,7 +194,9 < at >< at > int ima_bprm_check(struct linux_binprm *bprm)
{
int rc;
-rc = process_measurement(bprm->file, bprm->filename,
+rc = process_measurement(bprm->file,
+ (strcmp(bprm->filename, bprm->interp) == 0) ?
+ bprm->filename : bprm->interp,
MAY_EXEC, BPRM_CHECK);
return 0;
}
</pre>Mimi Zohar2012-05-15T01:50:11[PATCH] Yama: replace capable() with ns_capable()
http://comments.gmane.org/gmane.linux.kernel.lsm/16330
<pre>When checking capabilities, the question we want to be asking is "does
current() have the capability in the child's namespace?"
Signed-off-by: Kees Cook <keescook< at >chromium.org>
---
security/yama/yama_lsm.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
index afb04cb..7ba673b 100644
--- a/security/yama/yama_lsm.c
+++ b/security/yama/yama_lsm.c
< at >< at > -264,11 +264,11 < at >< at > static int yama_ptrace_access_check(struct task_struct *child,
case YAMA_SCOPE_RELATIONAL:
if (!task_is_descendant(current, child) &&
!ptracer_exception_found(current, child) &&
- !capable(CAP_SYS_PTRACE))
+ !ns_capable(task_user_ns(child), CAP_SYS_PTRACE))
rc = -EPERM;
break;
case YAMA_SCOPE_CAPABILITY:
-if (!capable(CAP_SYS_PTRACE))
+if (!ns_capable(task_user_ns(child), CAP_SYS_PTRACE))
rc = -EPERM;
break;
case YAMA_SCOPE_NO_ATTACH:
</pre>Kees Cook2012-05-14T17:19:28[PATCH] vfs: fix IMA lockdep circular locking dependency
http://comments.gmane.org/gmane.linux.kernel.lsm/16325
<pre>From: Mimi Zohar <zohar< at >linux.vnet.ibm.com>
This patch has been updated to move the ima_file_mmap() call from
security_file_mmap() to the new vm_mmap() function.
---
The circular lockdep is caused by allocating the 'iint' for mmapped
files. Originally when an 'iint' was allocated for every inode
in inode_alloc_security(), before the inode was accessible, no
locking was necessary. Commits bc7d2a3e and 196f518 changed this
behavior and allocated the 'iint' on a per need basis, resulting in
the mmap_sem being taken before the i_mutex for mmapped files.
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&mm->mmap_sem);
lock(&sb->s_type->i_mutex_key);
lock(&mm->mmap_sem);
lock(&sb->s_type->i_mutex_key);
The existing security_file_mmap() hook is after the mmap_sem is taken.
This patch moves the ima_file_mmap() call from security_file_mmap() to
prior to the mmap_sem being taken.
Changelog v2:
- With commit "6be5ceb VM: add "vm_mmap()" helper function", moving the
ima_file_mmap() call is simplified. This patch moves the ima_file_mmap()
call to vm_mmap(), and to binfmt_elf.c: elf_map().
Changelog v1:
- Instead of just pre-allocating the iint in a new hook, do ALL of the
work in the new/moved ima_file_mmap() hook. (Based on Eric Paris' suggestion.)
- Removed do_mmap_with_sem() helper function.
- export ima_file_mmap()
Signed-off-by: Mimi Zohar <zohar< at >us.ibm.com>
Acked-by: Eric Paris <eparis< at >redhat.com>
---
fs/binfmt_elf.c | 6 ++++++
mm/mmap.c | 11 +++++++++++
mm/nommu.c | 11 +++++++++++
security/integrity/ima/ima_main.c | 1 +
security/security.c | 7 +------
5 files changed, 30 insertions(+), 6 deletions(-)
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index 16f7354..0d0514f 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
< at >< at > -28,6 +28,7 < at >< at >
#include <linux/highmem.h>
#include <linux/pagemap.h>
#include <linux/security.h>
+#include <linux/ima.h>
#include <linux/random.h>
#include <linux/elf.h>
#include <linux/utsname.h>
< at >< at > -321,6 +322,7 < at >< at > static unsigned long elf_map(struct file *filep, unsigned long addr,
unsigned long map_addr;
unsigned long size = eppnt->p_filesz + ELF_PAGEOFFSET(eppnt->p_vaddr);
unsigned long off = eppnt->p_offset - ELF_PAGEOFFSET(eppnt->p_vaddr);
+unsigned long ret;
addr = ELF_PAGESTART(addr);
size = ELF_PAGEALIGN(size);
< at >< at > -329,6 +331,10 < at >< at > static unsigned long elf_map(struct file *filep, unsigned long addr,
if (!size)
return addr;
+ret = ima_file_mmap(filep, prot);
+if (ret < 0)
+return ret;
+
down_write(&current->mm->mmap_sem);
/*
* total_size is the size of the ELF (interpreter) image.
diff --git a/mm/mmap.c b/mm/mmap.c
index 848ef52..87e6948 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
< at >< at > -20,6 +20,7 < at >< at >
#include <linux/fs.h>
#include <linux/personality.h>
#include <linux/security.h>
+#include <linux/ima.h>
#include <linux/hugetlb.h>
#include <linux/profile.h>
#include <linux/export.h>
< at >< at > -1109,9 +1110,14 < at >< at > unsigned long vm_mmap(struct file *file, unsigned long addr,
unsigned long ret;
struct mm_struct *mm = current->mm;
+ret = ima_file_mmap(file, prot);
+if (ret < 0)
+goto err;
+
down_write(&mm->mmap_sem);
ret = do_mmap(file, addr, len, prot, flag, offset);
up_write(&mm->mmap_sem);
+err:
return ret;
}
EXPORT_SYMBOL(vm_mmap);
< at >< at > -1147,10 +1153,15 < at >< at > SYSCALL_DEFINE6(mmap_pgoff, unsigned long, addr, unsigned long, len,
flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+retval = ima_file_mmap(file, prot);
+if (retval < 0)
+goto err_out;
+
down_write(&current->mm->mmap_sem);
retval = do_mmap_pgoff(file, addr, len, prot, flags, pgoff);
up_write(&current->mm->mmap_sem);
+err_out:
if (file)
fput(file);
out:
diff --git a/mm/nommu.c b/mm/nommu.c
index bb8f4f0..2b13bd3 100644
--- a/mm/nommu.c
+++ b/mm/nommu.c
< at >< at > -27,6 +27,7 < at >< at >
#include <linux/mount.h>
#include <linux/personality.h>
#include <linux/security.h>
+#include <linux/ima.h>
#include <linux/syscalls.h>
#include <linux/audit.h>
< at >< at > -1490,9 +1491,14 < at >< at > unsigned long vm_mmap(struct file *file, unsigned long addr,
unsigned long ret;
struct mm_struct *mm = current->mm;
+ret = ima_file_mmap(file, prot);
+if (ret < 0)
+goto err;
+
down_write(&mm->mmap_sem);
ret = do_mmap(file, addr, len, prot, flag, offset);
up_write(&mm->mmap_sem);
+err:
return ret;
}
EXPORT_SYMBOL(vm_mmap);
< at >< at > -1513,10 +1519,15 < at >< at > SYSCALL_DEFINE6(mmap_pgoff, unsigned long, addr, unsigned long, len,
flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
+retval = ima_file_mmap(file, prot);
+if (retval < 0)
+goto err_out;
+
down_write(&current->mm->mmap_sem);
retval = do_mmap_pgoff(file, addr, len, prot, flags, pgoff);
up_write(&current->mm->mmap_sem);
+err_out:
if (file)
fput(file);
out:
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index b17be79..91eda7f 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
< at >< at > -176,6 +176,7 < at >< at > int ima_file_mmap(struct file *file, unsigned long prot)
MAY_EXEC, FILE_MMAP);
return 0;
}
+EXPORT_SYMBOL_GPL(ima_file_mmap);
/**
* ima_bprm_check - based on policy, collect/store measurement.
diff --git a/security/security.c b/security/security.c
index bf619ff..e50bbf4 100644
--- a/security/security.c
+++ b/security/security.c
< at >< at > -661,12 +661,7 < at >< at > int security_file_mmap(struct file *file, unsigned long reqprot,
unsigned long prot, unsigned long flags,
unsigned long addr, unsigned long addr_only)
{
-int ret;
-
-ret = security_ops->file_mmap(file, reqprot, prot, flags, addr, addr_only);
-if (ret)
-return ret;
-return ima_file_mmap(file, prot);
+return security_ops->file_mmap(file, reqprot, prot, flags, addr, addr_only);
}
int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
</pre>Mimi Zohar2012-05-14T02:47:11Smack Updates for security-testing
http://comments.gmane.org/gmane.linux.kernel.lsm/16321
<pre>
The next branch of security-testing has:
$ git status
# On branch next
# Changes not staged for commit:
# (use "git add <file>..." to update what will be committed)
# (use "git checkout -- <file>..." to discard changes in working
directory)
#
# modified: include/linux/netfilter/xt_CONNMARK.h
# modified: include/linux/netfilter/xt_DSCP.h
# modified: include/linux/netfilter/xt_MARK.h
# modified: include/linux/netfilter/xt_RATEEST.h
# modified: include/linux/netfilter/xt_TCPMSS.h
# modified: include/linux/netfilter_ipv4/ipt_ECN.h
# modified: include/linux/netfilter_ipv4/ipt_TTL.h
# modified: include/linux/netfilter_ipv6/ip6t_HL.h
# modified: net/netfilter/xt_DSCP.c
# modified: net/netfilter/xt_HL.c
# modified: net/netfilter/xt_RATEEST.c
# modified: net/netfilter/xt_TCPMSS.c
#
no changes added to commit (use "git add" and/or "git commit -a")
I think that this needs to get resolved before I can sync up
the branch I want you to pull.
Thank you
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo< at >vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
</pre>Casey Schaufler2012-05-13T21:55:06[PATCH v4] Add security.* XATTR support for the UBIFS
http://comments.gmane.org/gmane.linux.kernel.lsm/16319
<pre>From: Subodh Nijsure <snijsure< at >grid-net.com>
Also fix couple of bugs in UBIFS extended attribute length calculation.
Changes in v4:
Fix lock issues introduced in v3.
Tested with CONFIG_SECURITY enabled & disabled.
Changes in v3:
Remove #ifdef CONFIG_UBIFS_FS_XATTR
Changes in v2:
Instead of just handling security.selinux extended attribute handle
all security.* attributes.
TESTING: Tested on MX28 based platforms using Micron MT29F2G08ABAEAH4 NAND
With these change we are able to label UBIFS filesystem with
security.selinux and run system with selinux enabled.
This change also allows one to set other security.* extended
attributes, such as security.smack security.evm, security.ima
Ran integck test on UBI filesystem.
This patch set has been tested with CONFIG_LOCKDEP=y and other options
suggested in Submitchecklist
Signed-off-by: Subodh Nijsure <snijsure< at >grid-net.com>
---
fs/ubifs/dir.c | 29 ++++++++-
fs/ubifs/file.c | 4 +
fs/ubifs/journal.c | 12 +++-
fs/ubifs/super.c | 1 +
fs/ubifs/ubifs.h | 8 +++
fs/ubifs/xattr.c | 164 ++++++++++++++++++++++++++++++++++++++++++++++------
6 files changed, 193 insertions(+), 25 deletions(-)
diff --git a/fs/ubifs/dir.c b/fs/ubifs/dir.c
index ad6e550..0781d3a 100644
--- a/fs/ubifs/dir.c
+++ b/fs/ubifs/dir.c
< at >< at > -288,8 +288,14 < at >< at > static int ubifs_create(struct inode *dir, struct dentry *dentry, umode_t mode,
err = ubifs_jnl_update(c, dir, &dentry->d_name, inode, 0, 0);
if (err)
goto out_cancel;
-mutex_unlock(&dir_ui->ui_mutex);
+err = ubifs_init_security(dir, inode, &dentry->d_name);
+if (err) {
+ubifs_err("cannot initialize extended attribute, error %d",
+ err);
+goto out_cancel;
+}
+mutex_unlock(&dir_ui->ui_mutex);
ubifs_release_budget(c, &req);
insert_inode_hash(inode);
d_instantiate(dentry, inode);
< at >< at > -750,8 +756,13 < at >< at > static int ubifs_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode)
ubifs_err("cannot create directory, error %d", err);
goto out_cancel;
}
+err = ubifs_init_security(dir, inode, &dentry->d_name);
+if (err) {
+ubifs_err("cannot initialize extended attribute, error %d",
+ err);
+goto out_cancel;
+}
mutex_unlock(&dir_ui->ui_mutex);
-
ubifs_release_budget(c, &req);
d_instantiate(dentry, inode);
return 0;
< at >< at > -826,8 +837,13 < at >< at > static int ubifs_mknod(struct inode *dir, struct dentry *dentry,
err = ubifs_jnl_update(c, dir, &dentry->d_name, inode, 0, 0);
if (err)
goto out_cancel;
+err = ubifs_init_security(dir, inode, &dentry->d_name);
+if (err) {
+ubifs_err("cannot initialize extended attribute, error %d",
+ err);
+goto out_cancel;
+}
mutex_unlock(&dir_ui->ui_mutex);
-
ubifs_release_budget(c, &req);
insert_inode_hash(inode);
d_instantiate(dentry, inode);
< at >< at > -902,8 +918,13 < at >< at > static int ubifs_symlink(struct inode *dir, struct dentry *dentry,
err = ubifs_jnl_update(c, dir, &dentry->d_name, inode, 0, 0);
if (err)
goto out_cancel;
+err = ubifs_init_security(dir, inode, &dentry->d_name);
+if (err) {
+ubifs_err("cannot initialize extended attribute, error %d",
+ err);
+goto out_cancel;
+}
mutex_unlock(&dir_ui->ui_mutex);
-
ubifs_release_budget(c, &req);
insert_inode_hash(inode);
d_instantiate(dentry, inode);
diff --git a/fs/ubifs/file.c b/fs/ubifs/file.c
index 0fe640c..8629da0 100644
--- a/fs/ubifs/file.c
+++ b/fs/ubifs/file.c
< at >< at > -1573,6 +1573,10 < at >< at > const struct inode_operations ubifs_symlink_inode_operations = {
.follow_link = ubifs_follow_link,
.setattr = ubifs_setattr,
.getattr = ubifs_getattr,
+.setxattr = ubifs_symlink_setxattr,
+.getxattr = ubifs_symlink_getxattr,
+.listxattr = ubifs_listxattr,
+.removexattr = ubifs_removexattr,
};
const struct file_operations ubifs_file_operations = {
diff --git a/fs/ubifs/journal.c b/fs/ubifs/journal.c
index bc75e9d..5086823 100644
--- a/fs/ubifs/journal.c
+++ b/fs/ubifs/journal.c
< at >< at > -553,7 +553,8 < at >< at > int ubifs_jnl_update(struct ubifs_info *c, const struct inode *dir,
dbg_jnl("ino %lu, dent '%.*s', data len %d in dir ino %lu",
inode->i_ino, nm->len, nm->name, ui->data_len, dir->i_ino);
-ubifs_assert(dir_ui->data_len == 0);
+if (!xent)
+ubifs_assert(dir_ui->data_len == 0);
ubifs_assert(mutex_is_locked(&dir_ui->ui_mutex));
dlen = UBIFS_DENT_NODE_SZ + nm->len + 1;
< at >< at > -572,7 +573,11 < at >< at > int ubifs_jnl_update(struct ubifs_info *c, const struct inode *dir,
aligned_dlen = ALIGN(dlen, 8);
aligned_ilen = ALIGN(ilen, 8);
-len = aligned_dlen + aligned_ilen + UBIFS_INO_NODE_SZ;
+/* Make sure to account for dir_ui+data_len in length calculation
+ * in case there is extended attribute.
+ */
+len = aligned_dlen + aligned_ilen +
+ UBIFS_INO_NODE_SZ + dir_ui->data_len;
dent = kmalloc(len, GFP_NOFS);
if (!dent)
return -ENOMEM;
< at >< at > -649,7 +654,8 < at >< at > int ubifs_jnl_update(struct ubifs_info *c, const struct inode *dir,
ino_key_init(c, &ino_key, dir->i_ino);
ino_offs += aligned_ilen;
-err = ubifs_tnc_add(c, &ino_key, lnum, ino_offs, UBIFS_INO_NODE_SZ);
+err = ubifs_tnc_add(c, &ino_key, lnum, ino_offs,
+ UBIFS_INO_NODE_SZ + dir_ui->data_len);
if (err)
goto out_ro;
diff --git a/fs/ubifs/super.c b/fs/ubifs/super.c
index 76e4e05..228c69d 100644
--- a/fs/ubifs/super.c
+++ b/fs/ubifs/super.c
< at >< at > -2061,6 +2061,7 < at >< at > static int ubifs_fill_super(struct super_block *sb, void *data, int silent)
if (c->max_inode_sz > MAX_LFS_FILESIZE)
sb->s_maxbytes = c->max_inode_sz = MAX_LFS_FILESIZE;
sb->s_op = &ubifs_super_operations;
+sb->s_xattr = ubifs_xattr_handlers;
mutex_lock(&c->umount_mutex);
err = mount_ubifs(c);
diff --git a/fs/ubifs/ubifs.h b/fs/ubifs/ubifs.h
index 93d59ac..a486c87 100644
--- a/fs/ubifs/ubifs.h
+++ b/fs/ubifs/ubifs.h
< at >< at > -36,6 +36,7 < at >< at >
#include <linux/mtd/ubi.h>
#include <linux/pagemap.h>
#include <linux/backing-dev.h>
+#include <linux/security.h>
#include "ubifs-media.h"
/* Version of this UBIFS implementation */
< at >< at > -1454,6 +1455,7 < at >< at > extern spinlock_t ubifs_infos_lock;
extern atomic_long_t ubifs_clean_zn_cnt;
extern struct kmem_cache *ubifs_inode_slab;
extern const struct super_operations ubifs_super_operations;
+extern const struct xattr_handler *ubifs_xattr_handlers[];
extern const struct address_space_operations ubifs_file_address_operations;
extern const struct file_operations ubifs_file_operations;
extern const struct inode_operations ubifs_file_inode_operations;
< at >< at > -1738,8 +1740,14 < at >< at > int ubifs_getattr(struct vfsmount *mnt, struct dentry *dentry,
/* xattr.c */
int ubifs_setxattr(struct dentry *dentry, const char *name,
const void *value, size_t size, int flags);
+int ubifs_init_security(struct inode *dentry, struct inode *inode,
+const struct qstr *qstr);
+int ubifs_symlink_setxattr(struct dentry *dentry, const char *name,
+ const void *value, size_t size, int flags);
ssize_t ubifs_getxattr(struct dentry *dentry, const char *name, void *buf,
size_t size);
+ssize_t ubifs_symlink_getxattr(struct dentry *dentry, const char *name,
+ void *buf, size_t size);
ssize_t ubifs_listxattr(struct dentry *dentry, char *buffer, size_t size);
int ubifs_removexattr(struct dentry *dentry, const char *name);
diff --git a/fs/ubifs/xattr.c b/fs/ubifs/xattr.c
index 85b2722..a1f289b 100644
--- a/fs/ubifs/xattr.c
+++ b/fs/ubifs/xattr.c
< at >< at > -107,8 +107,12 < at >< at > static int create_xattr(struct ubifs_info *c, struct inode *host,
.new_ino_d = ALIGN(size, 8), .dirtied_ino = 1,
.dirtied_ino_d = ALIGN(host_ui->data_len, 8) };
-if (host_ui->xattr_cnt >= MAX_XATTRS_PER_INODE)
+ubifs_assert(mutex_is_locked(&host_ui->ui_mutex));
+if (host_ui->xattr_cnt >= MAX_XATTRS_PER_INODE) {
+ubifs_err("ubifs xattr_cnt %d exceeds MAX_XATTR_PER_NODE (%d)",
+ host_ui->xattr_cnt, MAX_XATTRS_PER_INODE);
return -ENOSPC;
+}
/*
* Linux limits the maximum size of the extended attribute names list
* to %XATTR_LIST_MAX. This means we should not allow creating more
< at >< at > -116,8 +120,13 < at >< at > static int create_xattr(struct ubifs_info *c, struct inode *host,
* is artificial for UBIFS, though.
*/
if (host_ui->xattr_names + host_ui->xattr_cnt +
-nm->len + 1 > XATTR_LIST_MAX)
+nm->len + 1 > XATTR_LIST_MAX) {
+ubifs_err("xattr name list too large %d > %d",
+ host_ui->xattr_names + host_ui->xattr_cnt +
+ nm->len + 1,
+ XATTR_LIST_MAX);
return -ENOSPC;
+}
err = ubifs_budget_space(c, &req);
if (err)
< at >< at > -146,18 +155,14 < at >< at > static int create_xattr(struct ubifs_info *c, struct inode *host,
inode->i_size = ui->ui_size = size;
ui->data_len = size;
-mutex_lock(&host_ui->ui_mutex);
host->i_ctime = ubifs_current_time(host);
host_ui->xattr_cnt += 1;
host_ui->xattr_size += CALC_DENT_SIZE(nm->len);
host_ui->xattr_size += CALC_XATTR_BYTES(size);
host_ui->xattr_names += nm->len;
-
err = ubifs_jnl_update(c, host, nm, inode, 0, 1);
if (err)
goto out_cancel;
-mutex_unlock(&host_ui->ui_mutex);
-
ubifs_release_budget(c, &req);
insert_inode_hash(inode);
iput(inode);
< at >< at > -167,7 +172,6 < at >< at > out_cancel:
host_ui->xattr_cnt -= 1;
host_ui->xattr_size -= CALC_DENT_SIZE(nm->len);
host_ui->xattr_size -= CALC_XATTR_BYTES(size);
-mutex_unlock(&host_ui->ui_mutex);
out_free:
make_bad_inode(inode);
iput(inode);
< at >< at > -209,11 +213,11 < at >< at > static int change_xattr(struct ubifs_info *c, struct inode *host,
goto out_free;
}
inode->i_size = ui->ui_size = size;
-ui->data_len = size;
mutex_lock(&host_ui->ui_mutex);
host->i_ctime = ubifs_current_time(host);
host_ui->xattr_size -= CALC_XATTR_BYTES(ui->data_len);
+ui->data_len = size;
host_ui->xattr_size += CALC_XATTR_BYTES(size);
/*
< at >< at > -293,18 +297,16 < at >< at > static struct inode *iget_xattr(struct ubifs_info *c, ino_t inum)
return ERR_PTR(-EINVAL);
}
-int ubifs_setxattr(struct dentry *dentry, const char *name,
- const void *value, size_t size, int flags)
+static int __ubifs_setxattr(struct inode *host, const char *name,
+ const void *value, size_t size, int flags)
{
-struct inode *inode, *host = dentry->d_inode;
+struct inode *inode;
struct ubifs_info *c = host->i_sb->s_fs_info;
struct qstr nm = { .name = name, .len = strlen(name) };
struct ubifs_dent_node *xent;
union ubifs_key key;
int err, type;
-dbg_gen("xattr '%s', host ino %lu ('%.*s'), size %zd", name,
-host->i_ino, dentry->d_name.len, dentry->d_name.name, size);
ubifs_assert(mutex_is_locked(&host->i_mutex));
if (size > UBIFS_MAX_INO_DATA)
< at >< at > -356,10 +358,29 < at >< at > out_free:
return err;
}
-ssize_t ubifs_getxattr(struct dentry *dentry, const char *name, void *buf,
- size_t size)
+int ubifs_symlink_setxattr(struct dentry *dentry, const char *name,
+ const void *value, size_t size, int flags)
{
-struct inode *inode, *host = dentry->d_inode;
+struct inode *host = dentry->d_inode;
+dbg_gen("xattr '%s', host ino %lu ('%.*s'), size %zd", name,
+host->i_ino, dentry->d_name.len, dentry->d_name.name, size);
+return __ubifs_setxattr(host, name, value, size, flags);
+}
+
+int ubifs_setxattr(struct dentry *dentry, const char *name,
+ const void *value, size_t size, int flags)
+{
+struct inode *host = dentry->d_inode;
+dbg_gen("xattr '%s', host ino %lu ('%.*s'), size %zd", name,
+host->i_ino, dentry->d_name.len, dentry->d_name.name, size);
+return __ubifs_setxattr(host, name, value, size, flags);
+}
+
+static
+ssize_t __ubifs_getxattr(struct inode *host, const char *name, void *buf,
+ size_t size)
+{
+struct inode *inode;
struct ubifs_info *c = host->i_sb->s_fs_info;
struct qstr nm = { .name = name, .len = strlen(name) };
struct ubifs_inode *ui;
< at >< at > -367,8 +388,8 < at >< at > ssize_t ubifs_getxattr(struct dentry *dentry, const char *name, void *buf,
union ubifs_key key;
int err;
-dbg_gen("xattr '%s', ino %lu ('%.*s'), buf size %zd", name,
-host->i_ino, dentry->d_name.len, dentry->d_name.name, size);
+dbg_gen("xattr '%s', ino %lu buf size %zd", name,
+host->i_ino, size);
err = check_namespace(&nm);
if (err < 0)
< at >< at > -416,6 +437,25 < at >< at > out_unlock:
return err;
}
+ssize_t ubifs_symlink_getxattr(struct dentry *dentry, const char *name,
+ void *buf, size_t size)
+{
+struct inode *host = dentry->d_inode;
+dbg_gen("xattr '%s', ino %lu ('%.*s'), buf size %zd", name,
+host->i_ino, dentry->d_name.len, dentry->d_name.name, size);
+return __ubifs_getxattr(host, name, buf, size);
+}
+
+ssize_t ubifs_getxattr(struct dentry *dentry, const char *name, void *buf,
+ size_t size)
+{
+struct inode *host = dentry->d_inode;
+dbg_gen("xattr '%s', ino %lu ('%.*s'), buf size %zd", name,
+host->i_ino, dentry->d_name.len, dentry->d_name.name, size);
+return __ubifs_getxattr(host, name, buf, size);
+}
+
+
ssize_t ubifs_listxattr(struct dentry *dentry, char *buffer, size_t size)
{
union ubifs_key key;
< at >< at > -568,3 +608,91 < at >< at > out_free:
kfree(xent);
return err;
}
+
+size_t
+ubifs_security_listxattr(struct dentry *d, char *list, size_t list_size,
+ const char *name, size_t name_len, int flags)
+{
+const int prefix_len = XATTR_SECURITY_PREFIX_LEN;
+const size_t total_len = prefix_len + name_len + 1;
+if (list && total_len <= list_size) {
+memcpy(list, XATTR_SECURITY_PREFIX, prefix_len);
+memcpy(list+prefix_len, name, name_len);
+list[prefix_len + name_len] = '\0';
+}
+return total_len;
+}
+
+
+int ubifs_security_getxattr(struct dentry *d, const char *name,
+ void *buffer, size_t size, int flags)
+{
+if (strcmp(name, "") == 0)
+return -EINVAL;
+return __ubifs_getxattr(d->d_inode, name, buffer, size);
+}
+
+
+int ubifs_security_setxattr(struct dentry *d, const char *name,
+ const void *value, size_t size,
+ int flags, int handler_flags)
+{
+if (strcmp(name, "") == 0)
+return -EINVAL;
+return __ubifs_setxattr(d->d_inode, name, value,
+size, flags);
+}
+
+struct xattr_handler ubifs_xattr_security_handler = {
+.prefix = XATTR_SECURITY_PREFIX,
+.list = ubifs_security_listxattr,
+.get = ubifs_security_getxattr,
+.set = ubifs_security_setxattr,
+};
+
+const struct xattr_handler *ubifs_xattr_handlers[] = {
+&ubifs_xattr_security_handler,
+NULL
+};
+
+static int ubifs_initxattrs(struct inode *inode,
+ const struct xattr *xattr_array, void *fs_info)
+{
+const struct xattr *xattr;
+char *name;
+int err = 0;
+
+for (xattr = xattr_array; xattr->name != NULL; xattr++) {
+name = kmalloc(XATTR_SECURITY_PREFIX_LEN +
+ strlen(xattr->name) + 1, GFP_NOFS);
+if (!name) {
+err = -ENOMEM;
+break;
+}
+strcpy(name, XATTR_SECURITY_PREFIX);
+strcpy(name + XATTR_SECURITY_PREFIX_LEN, xattr->name);
+err = __ubifs_setxattr(inode, name, xattr->value,
+ xattr->value_len, 0);
+kfree(name);
+if (err < 0)
+break;
+}
+return err;
+}
+
+int
+ubifs_init_security(struct inode *dentry, struct inode *inode,
+ const struct qstr *qstr)
+{
+struct ubifs_inode *dir_ui = ubifs_inode(inode);
+int err = 0;
+
+mutex_lock(&inode->i_mutex);
+mutex_lock(&dir_ui->ui_mutex);
+
+err = security_inode_init_security(inode, dentry, qstr,
+ &ubifs_initxattrs, 0);
+mutex_unlock(&inode->i_mutex);
+mutex_unlock(&dir_ui->ui_mutex);
+return err;
+}
</pre>snijsure< at >grid-net.com2012-05-13T13:24:48haalloo,
http://comments.gmane.org/gmane.linux.kernel.lsm/16317
<pre>haalloo,
how are you doing,i hope you are fine,my name is miss abi okom i got your
contact and want us to be a good friend,
please try and write back to me so that i will give you my pictures and tell
you more about me,
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo< at >vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
</pre>abi2012-05-12T17:06:25Search EngineSearch the mailing list at Gmanequery
http://search.gmane.org/?group=$group=gmane.linux.kernel.lsm