The current policy management makes it impossible to use IPE
in a general purpose distribution. In such cases the users are not
building the kernel, the distribution is, and access to the private
key included in the trusted keyring is, for obvious reasons, not
available.
This means that users have no way to enable IPE, since there will
be no built-in generic policy, and no access to the key to sign
updates validated by the trusted keyring.
Just as we do for dm-verity, kernel modules and more, allow the
secondary and platform keyrings to also validate policies. This
allows users enrolling their own keys in UEFI db or MOK to also
sign policies, and enroll them. This makes it sensible to enable
IPE in general purpose distributions, as it becomes usable by
any user wishing to do so. Keys in these keyrings can already
load kernels and kernel modules, so there is no security
downgrade.
Add a kconfig each, like dm-verity does, but default to enabled if
the dependencies are available.
Signed-off-by: Luca Boccassi <[email protected]>
Reviewed-by: Serge Hallyn <[email protected]>
[FW: fixed some style issues]
Signed-off-by: Fan Wu <[email protected]>
Currently IPE accepts an update that has the same version as the policy
being updated, but it doesn't make it a no-op nor does it check that the
old and new policies are the same. So it is possible to change the
content of a policy, without changing its version. This is very
confusing from userspace when managing policies.
Instead change the update logic to reject updates that have the same
version with ESTALE, as that is much clearer and intuitive behaviour.
Signed-off-by: Luca Boccassi <[email protected]>
Reviewed-by: Serge Hallyn <[email protected]>
Signed-off-by: Fan Wu <[email protected]>
Add IPE's admin and developer documentation to the kernel tree.
Co-developed-by: Fan Wu <[email protected]>
Signed-off-by: Deven Bowers <[email protected]>
Signed-off-by: Fan Wu <[email protected]>
Signed-off-by: Paul Moore <[email protected]>
The TOMOYO project has moved to SourceForge.net.
Signed-off-by: Tetsuo Handa <[email protected]>
The Loadpin cmdline interface "enabled" was renamed to "enforce"
a long time ago, but the User Description Document was not updated.
(Meaning unchanged)
And kernel_read_file* were moved from linux/fs.h to their own
linux/kernel_read_file.h include file. So update that change here.
Signed-off-by: Jiele zhao <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jonathan Corbet <[email protected]>
As reported by Sphinx 2.4.4:
docs/Documentation/admin-guide/LSM/SafeSetID.rst:110: WARNING: Title underline too short.
Note on GID policies and setgroups()
==================
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Link: https://lore.kernel.org/r/4afa281c170daabd1ce522653d5d5d5078ebd92c.1603791716.git.mchehab+huawei@kernel.org
Signed-off-by: Jonathan Corbet <[email protected]>
The SafeSetID LSM has functionality for restricting setuid() calls based
on its configured security policies. This patch adds the analogous
functionality for setgid() calls. This is mostly a copy-and-paste change
with some code deduplication, plus slight modifications/name changes to
the policy-rule-related structs (now contain GID rules in addition to
the UID ones) and some type generalization since SafeSetID now needs to
deal with kgid_t and kuid_t types.
Signed-off-by: Thomas Cedeno <[email protected]>
Signed-off-by: Micah Morton <[email protected]>
Replace one dead link for the same person's original presentation on the
topic and swap an HTTP URL with HTTPS. While here, linkify the text to
make it more readable when rendered.
Link: https://lore.kernel.org/lkml/[email protected]/
Co-developed-by: Alexander A. Klimov <[email protected]>
Signed-off-by: Alexander A. Klimov <[email protected]>
Signed-off-by: Kees Cook <[email protected]>
Link: https://lore.kernel.org/r/202007091141.C008B89EC@keescook
Signed-off-by: Jonathan Corbet <[email protected]>
Rationale:
Reduces attack surface on kernel devs opening the links for MITM
as HTTPS traffic is much harder to manipulate.
Deterministic algorithm:
  For each file:
    For each line:
      If doesn't contain `\bxmlns\b`:
        For each link, `\bhttp://[^# \t\r\n]*(?:\w|/)`:
          If both the HTTP and HTTPS versions
            return 200 OK and serve the same content:
              Replace HTTP with HTTPS.
Signed-off-by: Alexander A. Klimov <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jonathan Corbet <[email protected]>
It appears that some smart quotes were changed to "???" by even smarter
software; change them to the dumb but legible variety.
Signed-off-by: Christian Kujau <[email protected]>
Signed-off-by: Jonathan Corbet <[email protected]>
The Linux kernel already provides MODULE_SIG and KEXEC_VERIFY_SIG to
make sure loaded kernel modules and kernel images are trusted. This
patch adds a kernel command line option "loadpin.exclude" which
allows excluding specific file types from LoadPin. This is useful
when people want to use different mechanisms to verify modules and
kernel images while still using LoadPin to protect the integrity of
other files the kernel loads.
Signed-off-by: Ke Wu <[email protected]>
Reviewed-by: James Morris <[email protected]>
[kees: fix array size issue reported by Coverity via Colin Ian King]
Signed-off-by: Kees Cook <[email protected]>
SafeSetID gates the setid family of syscalls to restrict UID/GID
transitions from a given UID/GID to only those approved by a
system-wide whitelist. These restrictions also prohibit the given
UIDs/GIDs from obtaining auxiliary privileges associated with
CAP_SET{U/G}ID, such as allowing a user to set up user namespace UID
mappings. For now, only gating the set*uid family of syscalls is
supported, with support for set*gid coming in a future patch set.
Signed-off-by: Micah Morton <[email protected]>
Acked-by: Kees Cook <[email protected]>
Signed-off-by: James Morris <[email protected]>
Back in 2007 I made what turned out to be a rather serious
mistake in the implementation of the Smack security module.
The SELinux module used an interface in /proc to manipulate
the security context on processes. Rather than use a similar
interface, I used the same interface. The AppArmor team did
likewise. Now /proc/.../attr/current will tell you the
security "context" of the process, but it will be different
depending on the security module you're using.
This patch provides a subdirectory in /proc/.../attr for
Smack. Smack user space can use the "current" file in
this subdirectory and never have to worry about getting
SELinux attributes by mistake. Programs that use the
old interface will continue to work (or fail, as the case
may be) as before.
The proposed S.A.R.A security module is dependent on
the mechanism to create its own attr subdirectory.
The original implementation is by Kees Cook.
Signed-off-by: Casey Schaufler <[email protected]>
Reviewed-by: Kees Cook <[email protected]>
Signed-off-by: Kees Cook <[email protected]>
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull smack updates from James Morris:
"Two Smack patches for 4.21.
Jose's patch adds missing documentation and Zoran's fleshes out the
access checks on keyrings"
* 'next-smack' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
Smack: Improve Documentation
smack: fix access permissions for keyring
Add some words about the mount option "smackfstransmute=label".
Signed-off-by: José Bollo <[email protected]>
Signed-off-by: Casey Schaufler <[email protected]>
Signed-off-by: Petr Vorel <[email protected]>
Signed-off-by: Paul Moore <[email protected]>
Current phrasing is ambiguous since it's unclear if attaching to a
child through PTRACE_TRACEME requires CAP_SYS_PTRACE. Rephrase the
sentence to make that clear.
Signed-off-by: Yves-Alexis Perez <[email protected]>
Acked-by: Kees Cook <[email protected]>
Signed-off-by: Jonathan Corbet <[email protected]>
The apparmor information in the apparmor.rst file is out of date.
Update it to the correct git reference for the master apparmor tree.
Update the wiki location to use apparmor.net which forwards to the
current wiki location on gitlab.com. Update user space tools address
to gitlab.com.
Signed-off-by: Jordan Glover <[email protected]>
Signed-off-by: John Johansen <[email protected]>
Fix outdated links.
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
Adjusts for ReST markup and moves under LSM admin guide.
Acked-by: Casey Schaufler <[email protected]>
Signed-off-by: Kees Cook <[email protected]>
Signed-off-by: Jonathan Corbet <[email protected]>
Adjusts for ReST markup and moves under LSM admin guide.
Signed-off-by: Kees Cook <[email protected]>
Signed-off-by: Jonathan Corbet <[email protected]>
Adjusts for ReST markup and moves under LSM admin guide.
Signed-off-by: Kees Cook <[email protected]>
Signed-off-by: Jonathan Corbet <[email protected]>
Adjusts for ReST markup and moves under LSM admin guide.
Cc: Tetsuo Handa <[email protected]>
Signed-off-by: Kees Cook <[email protected]>
Signed-off-by: Jonathan Corbet <[email protected]>
Adjusts for ReST markup and moves under LSM admin guide.
Acked-by: John Johansen <[email protected]>
Signed-off-by: Kees Cook <[email protected]>
Signed-off-by: Jonathan Corbet <[email protected]>
Adjusts for ReST markup and moves under LSM admin guide.
Cc: Paul Moore <[email protected]>
Signed-off-by: Kees Cook <[email protected]>
Signed-off-by: Jonathan Corbet <[email protected]>
The existing LSM.txt file covered both usage and development, so split
this into two files, one under admin-guide and one under kernel
development.
Cc: James Morris <[email protected]>
Signed-off-by: Kees Cook <[email protected]>
Signed-off-by: Jonathan Corbet <[email protected]>