| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
Holding tasklist_lock is no longer sufficient for find_task_by_vpid().
Explicit rcu_read_lock() is required.
Signed-off-by: Tetsuo Handa <[email protected]>
--
security/tomoyo/common.c | 4 ++++
1 file changed, 4 insertions(+)
Signed-off-by: James Morris <[email protected]>
|
|
__func__ is used for only debug printk(). We can remove it.
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
tomoyo_path_perm() tomoyo_path2_perm() and tomoyo_check_rewrite_permission()
always receive tomoyo_domain(). We can move it from caller to callee.
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
Use shorter name to reduce newlines needed for 80 columns limit.
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
Use enum to declare index numbers.
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
This patch adds garbage collector support to TOMOYO.
Elements are protected by "struct srcu_struct tomoyo_ss".
Signed-off-by: Tetsuo Handa <[email protected]>
Acked-by: Serge Hallyn <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
Add refcounter to "struct tomoyo_domain_info" since garbage collector needs to
determine whether this struct is referred by "struct cred"->security or not.
Signed-off-by: Tetsuo Handa <[email protected]>
Acked-by: Serge Hallyn <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
Gather structures and constants scattered around security/tomoyo/ directory.
This is for preparation for adding garbage collector since garbage collector
needs to know structures and constants which TOMOYO uses.
Signed-off-by: Tetsuo Handa <[email protected]>
Acked-by: Serge Hallyn <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
Add refcounter to "struct tomoyo_name_entry" and replace tomoyo_save_name()
with tomoyo_get_name()/tomoyo_put_name() pair so that we can kfree() when
garbage collector is added.
Signed-off-by: Tetsuo Handa <[email protected]>
Acked-by: Serge Hallyn <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
Since the codes for adding an entry and removing an entry are similar, we can
save some lines by using "if (is_delete) { ... } else { ... }" branches.
Signed-off-by: Tetsuo Handa <[email protected]>
Acked-by: Serge Hallyn <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
Since list elements are rounded up to kmalloc() size rather than sizeof(int),
saving one byte by using bitfields is no longer helpful.
Signed-off-by: Tetsuo Handa <[email protected]>
Acked-by: Serge Hallyn <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
TOMOYO was using own memory usage counter for detecting memory leak.
But as kernel 2.6.31 introduced memory leak detection mechanism
( CONFIG_DEBUG_KMEMLEAK ), we no longer need to have own counter.
We remove usage counter for memory used for permission checks, but we keep
usage counter for memory used for policy so that we can apply quota.
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
|
|
commit 5300990c0370e804e49d9a59d928c5d53fb73487 had stepped on a rather
nasty mess: definitions of ACC_MODE used to be different. Fixed the
resulting breakage, converting them to variant that takes O_... value;
all callers have that and it actually simplifies life (see tomoyo part
of changes).
Signed-off-by: Al Viro <[email protected]>
|
|
Currently, TOMOYO allocates memory for list elements from memory pool allocated
by kmalloc(PAGE_SIZE). But that makes it difficult to kfree() when garbage
collector is added. Thus, remove memory pool and use kmalloc(sizeof()).
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
Currently, TOMOYO allocates memory for string data from memory pool allocated
by kmalloc(PAGE_SIZE). But that makes it difficult to kfree() when garbage
collector is added. Thus, remove memory pool and use kmalloc(strlen()).
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
Since readers no longer use down_read(), writers no longer
need to use rw_semaphore. Replace individual rw_semaphore by
single mutex.
Signed-off-by: Tetsuo Handa <[email protected]>
Acked-by: Serge Hallyn <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
* pull ACC_MODE to fs.h; we have several copies all over the place
* nightmarish expression calculating f_mode by f_flags deserves a helper
too (OPEN_FMODE(flags))
Signed-off-by: Al Viro <[email protected]>
|
|
Replace list operation with RCU primitives and replace
down_read()/up_read() with srcu_read_lock()/srcu_read_unlock().
Signed-off-by: Tetsuo Handa <[email protected]>
Acked-by: Serge Hallyn <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
Please apply below one after merging 1557d33007f63dd96e5d15f33af389378e5f2e54
(Merge git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/sysctl-2.6).
----------
[PATCH for 2.6.33] TOMOYO: Compare filesystem by magic number rather than by name.
We can use magic number for checking whether the filesystem is procfs or not.
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
|
|
* git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/sysctl-2.6: (43 commits)
security/tomoyo: Remove now unnecessary handling of security_sysctl.
security/tomoyo: Add a special case to handle accesses through the internal proc mount.
sysctl: Drop & in front of every proc_handler.
sysctl: Remove CTL_NONE and CTL_UNNUMBERED
sysctl: kill dead ctl_handler definitions.
sysctl: Remove the last of the generic binary sysctl support
sysctl net: Remove unused binary sysctl code
sysctl security/tomoyo: Don't look at ctl_name
sysctl arm: Remove binary sysctl support
sysctl x86: Remove dead binary sysctl support
sysctl sh: Remove dead binary sysctl support
sysctl powerpc: Remove dead binary sysctl support
sysctl ia64: Remove dead binary sysctl support
sysctl s390: Remove dead sysctl binary support
sysctl frv: Remove dead binary sysctl support
sysctl mips/lasat: Remove dead binary sysctl support
sysctl drivers: Remove dead binary sysctl support
sysctl crypto: Remove dead binary sysctl support
sysctl security/keys: Remove dead binary sysctl support
sysctl kernel: Remove binary sysctl logic
...
|
|
LSM hooks for chmod()/chown()/chroot() are now ready.
This patch utilizes these hooks.
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
TOMOYO 1.7.1 has recursive directory matching operator support.
I want to add it to TOMOYO for Linux 2.6.33 .
----------
[PATCH] TOMOYO: Add recursive directory matching operator support.
This patch introduces new operator /\{dir\}/ which matches
'/' + 'One or more repetitions of dir/' (e.g. /dir/ /dir/dir/ /dir/dir/dir/ ).
Signed-off-by: Tetsuo Handa <[email protected]>
Acked-by: John Johansen <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
Now that sys_sysctl is an emulation on top of proc sys all sysctl
operations look like normal filesystem operations and we don't need
to use the special sysctl hook to authenticate them.
Acked-by: Tetsuo Handa <[email protected]>
Signed-off-by: Eric W. Biederman <[email protected]>
|
|
proc mount.
With the change of sys_sysctl going through the internal proc mount we no
longer need to handle security_sysctl in tomoyo as we have valid pathnames
for all sysctl accesses. There is one slight caveat to that in that
all of the paths from the internal mount look like
"/sys/net/ipv4/ip_local_port_range" instead of
"/proc/sys/net/ipv4/ip_local_port_range" so tomoyo needs to add the
"/proc" portion manually when resolving to full path names to get what it expects.
This change teaches tomoyo perform that modification.
Acked-by: Tetsuo Handa <[email protected]>
Acked-by: John Johansen <[email protected]>
Signed-off-by: Eric W. Biederman <[email protected]>
|
|
ctl_name field was removed. Always use procname field.
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: Eric W. Biederman <[email protected]>
|
|
When examining the network device name hash, it was discovered that
the low order bits of full_name_hash() are not very well dispersed
across the possible values. When used by filesystem code, this is handled
by folding with the function hash_long().
The only other non-filesystem usage of full_name_hash() at this time
appears to be in TOMOYO. This patch should fix that.
I do not use TOMOYO at this time, so this patch is build tested only.
Signed-off-by: Stephen Hemminger <[email protected]>
Acked-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
Add a keyctl to install a process's session keyring onto its parent. This
replaces the parent's session keyring. Because the COW credential code does
not permit one process to change another process's credentials directly, the
change is deferred until userspace next starts executing again. Normally this
will be after a wait*() syscall.
To support this, three new security hooks have been provided:
cred_alloc_blank() to allocate unset security creds, cred_transfer() to fill in
the blank security creds and key_session_to_parent() - which asks the LSM if
the process may replace its parent's session keyring.
The replacement may only happen if the process has the same ownership details
as its parent, and the process has LINK permission on the session keyring, and
the session keyring is owned by the process, and the LSM permits it.
Note that this requires alteration to each architecture's notify_resume path.
This has been done for all arches barring blackfin, m68k* and xtensa, all of
which need assembly alteration to support TIF_NOTIFY_RESUME. This allows the
replacement to be performed at the point the parent process resumes userspace
execution.
This allows the userspace AFS pioctl emulation to fully emulate newpag() and
the VIOCSETTOK and VIOCSETTOK2 pioctls, all of which require the ability to
alter the parent process's PAG membership. However, since kAFS doesn't use
PAGs per se, but rather dumps the keys into the session keyring, the session
keyring of the parent must be replaced if, for example, VIOCSETTOK is passed
the newpag flag.
This can be tested with the following program:
#include <stdio.h>
#include <stdlib.h>
#include <keyutils.h>
#define KEYCTL_SESSION_TO_PARENT 18
#define OSERROR(X, S) do { if ((long)(X) == -1) { perror(S); exit(1); } } while(0)
int main(int argc, char **argv)
{
key_serial_t keyring, key;
long ret;
keyring = keyctl_join_session_keyring(argv[1]);
OSERROR(keyring, "keyctl_join_session_keyring");
key = add_key("user", "a", "b", 1, keyring);
OSERROR(key, "add_key");
ret = keyctl(KEYCTL_SESSION_TO_PARENT);
OSERROR(ret, "KEYCTL_SESSION_TO_PARENT");
return 0;
}
Compiled and linked with -lkeyutils, you should see something like:
[dhowells@andromeda ~]$ keyctl show
Session Keyring
-3 --alswrv 4043 4043 keyring: _ses
355907932 --alswrv 4043 -1 \_ keyring: _uid.4043
[dhowells@andromeda ~]$ /tmp/newpag
[dhowells@andromeda ~]$ keyctl show
Session Keyring
-3 --alswrv 4043 4043 keyring: _ses
1055658746 --alswrv 4043 4043 \_ user: a
[dhowells@andromeda ~]$ /tmp/newpag hello
[dhowells@andromeda ~]$ keyctl show
Session Keyring
-3 --alswrv 4043 4043 keyring: hello
340417692 --alswrv 4043 4043 \_ user: a
Where the test program creates a new session keyring, sticks a user key named
'a' into it and then installs it on its parent.
Signed-off-by: David Howells <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
We can update bprm->cred->security inside tomoyo_find_next_domain().
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
We can mark tomoyo_delete_domain() as a "static" function
by moving it from domain.c to common.c .
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
This patch adds some descriptions of lists and structures.
This patch contains no code changes.
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
TOMOYO 2.2.0 is not using total_len field of "struct tomoyo_path_info".
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
|
|
TOMOYO 2.2.0 does not check argv[] and envp[] upon execve().
We don't need to pass "struct tomoyo_page_buffer".
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
We can directly assign the result of tomoyo_io_printf() to done flag.
Signed-off-by: Kentaro Takeda <[email protected]>
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: Toshiharu Harada <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
Remove '/***** START/STOP *****/' markers.
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
I forgot to remove on TOMOYO's 15th posting.
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
Use task_cred_xxx(task, security) in tomoyo_real_domain() to
avoid a get+put of the target cred.
Signed-off-by: Serge E. Hallyn <[email protected]>
Acked-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
cap_bprm_set_creds() has to be called from security_bprm_set_creds().
TOMOYO forgot to call cap_bprm_set_creds() from tomoyo_bprm_set_creds()
and suid executables were not being working.
Make sure we call cap_bprm_set_creds() with TOMOYO, to set credentials
properly inside tomoyo_bprm_set_creds().
Signed-off-by: Herton Ronaldo Krzesinski <[email protected]>
Acked-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
... use kern_path() where possible
[folded a fix from rdd]
Signed-off-by: Al Viro <[email protected]>
|
|
Signed-off-by: Kentaro Takeda <[email protected]>
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: Toshiharu Harada <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
Since TOMOYO's policy management tools does not use the "undelete domain"
command, we decided to remove that command.
Signed-off-by: Kentaro Takeda <[email protected]>
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: Toshiharu Harada <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
Don't pull it in sched.h; very few files actually need it and those
can include directly. sched.h itself only needs forward declaration
of struct fs_struct;
Signed-off-by: Al Viro <[email protected]>
|
|
Fix a typo.
Reported-by: Pavel Machek <[email protected]>
Signed-off-by: Kentaro Takeda <[email protected]>
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: Toshiharu Harada <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
tomoyo_realpath_init() is unconditionally called by security_initcall().
But nobody will use realpath related functions if TOMOYO is not registered.
So, let tomoyo_init() call tomoyo_realpath_init().
This patch saves 4KB of memory allocation if TOMOYO is not registered.
Signed-off-by: Kentaro Takeda <[email protected]>
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: Toshiharu Harada <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
TOMOYO should not create /sys/kernel/security/tomoyo/ interface unless
TOMOYO is registered.
Signed-off-by: Kentaro Takeda <[email protected]>
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: Toshiharu Harada <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
Due to wrong initialization, "cat /sys/kernel/security/tomoyo/exception_policy"
returned nothing.
Signed-off-by: Kentaro Takeda <[email protected]>
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: Toshiharu Harada <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
Fix sparse warning.
$ make C=2 SUBDIRS=security/tomoyo CF="-D__cold__="
CHECK security/tomoyo/common.c
CHECK security/tomoyo/realpath.c
CHECK security/tomoyo/tomoyo.c
security/tomoyo/tomoyo.c:110:8: warning: symbol 'buf' shadows an earlier one
security/tomoyo/tomoyo.c:100:7: originally declared here
Signed-off-by: Kentaro Takeda <[email protected]>
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: Toshiharu Harada <[email protected]>
Signed-off-by: James Morris <[email protected]>
|