path: root/security
Age | Commit message | Author | Files | Lines
2010-08-02 | selinux: fix error codes in cond_read_node() | Dan Carpenter | 1 | -8/+12
Originally cond_read_node() returned -1 (-EPERM) on errors, which was incorrect. Now it either propagates the error codes from the lower level functions next_entry() or cond_read_av_list(), or it returns -ENOMEM or -EINVAL. next_entry() returns -EINVAL. cond_read_av_list() returns -EINVAL or -ENOMEM.
Signed-off-by: Dan Carpenter <[email protected]>
Acked-by: Stephen D. Smalley <[email protected]>
Signed-off-by: James Morris <[email protected]>
2010-08-02 | selinux: fix error codes in cond_read_av_list() | Dan Carpenter | 1 | -6/+8
After this patch cond_read_av_list() no longer returns -1 for any errors. It just propagates the error code back from lower levels. Those can be either -EINVAL or -ENOMEM. I also modified cond_insertf() since cond_read_av_list() passes that as a function pointer to avtab_read_item(). It isn't used anywhere else.
Signed-off-by: Dan Carpenter <[email protected]>
Acked-by: Stephen D. Smalley <[email protected]>
Signed-off-by: James Morris <[email protected]>
2010-08-02 | selinux: propagate error codes in cond_read_list() | Dan Carpenter | 1 | -4/+6
These are passed back when the security module gets loaded. The original code always returned -1 (-EPERM) on error, but after this patch it can return -EINVAL or -ENOMEM, or propagate the error code from cond_read_node(). cond_read_node() still returns -1 all the time, but I fix that in a later patch.
Signed-off-by: Dan Carpenter <[email protected]>
Acked-by: Stephen D. Smalley <[email protected]>
Signed-off-by: James Morris <[email protected]>
2010-08-02 | selinux: cleanup return codes in avtab_read_item() | Dan Carpenter | 1 | -20/+19
The avtab_read_item() function tends to return -1 as a default error code, which is wrong (-1 means -EPERM). I modified it to return appropriate error codes, which is -EINVAL or the error code from next_entry() or insertf(). next_entry() returns -EINVAL. insertf() is a function pointer to either avtab_insert() or cond_insertf(). avtab_insert() returns -EINVAL, -ENOMEM, and -EEXIST. cond_insertf() currently returns -1, but I will fix it in a later patch. There is code in avtab_read() which translates the -1 returns from avtab_read_item() to -EINVAL. The translation is no longer needed, so I removed it.
Signed-off-by: Dan Carpenter <[email protected]>
Acked-by: Stephen D. Smalley <[email protected]>
Signed-off-by: James Morris <[email protected]>
2010-08-02 | Security: capability: code style issue | Chihau Chau | 1 | -1/+1
This fixes a little code style issue by deleting a space between a function name and an open parenthesis.
Signed-off-by: Chihau Chau <[email protected]>
Acked-by: Andrew G. Morgan <[email protected]>
Signed-off-by: James Morris <[email protected]>
2010-08-02 | securityfs: Drop dentry reference count when mknod fails | Tvrtko Ursulin | 1 | -1/+3
lookup_one_len increments the dentry reference count, which is not decremented when the create operation fails. This can cause a kernel BUG at fs/dcache.c:676 at unmount time. Also the error code returned when new_inode() fails was replaced with the more appropriate -ENOMEM.
Signed-off-by: Tvrtko Ursulin <[email protected]>
Acked-by: Serge E. Hallyn <[email protected]>
Acked-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: James Morris <[email protected]>
2010-08-02 | selinux: use generic_file_llseek | Arnd Bergmann | 1 | -0/+16
The default for llseek will change to no_llseek, so selinuxfs needs to add explicit .llseek assignments. Since we're dealing with regular files from a VFS perspective, use generic_file_llseek.
Signed-off-by: Arnd Bergmann <[email protected]>
Cc: Stephen Smalley <[email protected]>
Cc: Eric Paris <[email protected]>
Signed-off-by: James Morris <[email protected]>
2010-08-02 | ima: use generic_file_llseek for securityfs | Arnd Bergmann | 1 | -3/+6
The default for llseek will change to no_llseek, so securityfs users need to add explicit .llseek assignments. Since we're dealing with regular files from a VFS perspective, use generic_file_llseek.
Signed-off-by: Arnd Bergmann <[email protected]>
Cc: Mimi Zohar <[email protected]>
Signed-off-by: James Morris <[email protected]>
2010-08-02 | TOMOYO: Explicitly set file_operations->llseek pointer. | Tetsuo Handa | 1 | -0/+1
TOMOYO does not deal with the offset pointer. Thus the seek operation makes no sense. Changing the default seek operation from default_llseek() to no_llseek() might break some applications. Thus, explicitly set noop_llseek().
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
2010-08-02 | security: move LSM xattrnames to xattr.h | Mimi Zohar | 2 | -13/+0
Make the security extended attribute names global. Updated to move the remaining Smack xattrs.
Signed-off-by: Mimi Zohar <[email protected]>
Acked-by: Serge Hallyn <[email protected]>
Signed-off-by: James Morris <[email protected]>
2010-08-02 | KEYS: Reinstate lost passing of process keyring ID in call_sbin_request_key() | Justin P. Mattock | 1 | -0/+1
In commit bb952bb98a7e479262c7eb25d5592545a3af147d there was the accidental deletion of a statement from call_sbin_request_key() to render the process keyring ID to a text string so that it can be passed to /sbin/request-key. With gcc 4.6.0 this causes the following warning:

  CC      security/keys/request_key.o
  security/keys/request_key.c: In function 'call_sbin_request_key':
  security/keys/request_key.c:102:15: warning: variable 'prkey' set but not used

This patch reinstates that statement. Without this statement, /sbin/request-key will get some random rubbish from the stack as that parameter.
Signed-off-by: Justin P. Mattock <[email protected]>
Signed-off-by: David Howells <[email protected]>
Signed-off-by: James Morris <[email protected]>
2010-08-02 | KEYS: Use the variable 'key' in keyctl_describe_key() | David Howells | 1 | -7/+5
keyctl_describe_key() turns the key reference it gets into a usable key pointer and assigns that to a variable called 'key', which it then ignores in favour of recomputing the key pointer each time it needs it. Make it use the precomputed pointer instead. Without this patch, gcc 4.6 reports that the variable key is set but not used: building with gcc 4.6 I'm getting a warning message:

  CC      security/keys/keyctl.o
  security/keys/keyctl.c: In function 'keyctl_describe_key':
  security/keys/keyctl.c:472:14: warning: variable 'key' set but not used

Reported-by: Justin P. Mattock <[email protected]>
Signed-off-by: David Howells <[email protected]>
Signed-off-by: James Morris <[email protected]>
2010-08-02 | TOMOYO: Add missing poll() hook. | Tetsuo Handa | 3 | -0/+33
Commit 1dae08c "TOMOYO: Add interactive enforcing mode." forgot to register the poll() hook. As a result, /usr/sbin/tomoyo-queryd was doing a busy loop.
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
2010-08-02 | TOMOYO: Rename symbols. | Tetsuo Handa | 8 | -240/+199
Use shorter names in order to make it easier to fit the 80 column limit.
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
2010-08-02 | TOMOYO: Small cleanup. | Tetsuo Handa | 1 | -74/+121
Split tomoyo_write_profile() into several functions.
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
2010-08-02 | TOMOYO: Copy directly to userspace buffer. | Tetsuo Handa | 3 | -459/+499
When a userspace program reads policy from the /sys/kernel/security/tomoyo/ interface, TOMOYO uses line buffered mode. A line has at least one word. Commit 006dacc "TOMOYO: Support longer pathname." changed a word's max length from 4000 bytes to the max kmalloc()able bytes. By that commit, a line's max length changed from 8192 bytes to more than the max kmalloc()able bytes. The max number of words in a line remains finite. This patch changes the way of buffering so that all words in a line are first directly copied to the userspace buffer as much as possible and are then queued for the next read request. Words queued are guaranteed to be valid until the /sys/kernel/security/tomoyo/ interface is close()d.
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
2010-08-02 | TOMOYO: Use common code for policy reading. | Tetsuo Handa | 1 | -178/+82
tomoyo_print_..._acl() are similar. Merge them.
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
2010-08-02 | TOMOYO: Allow reading only execute permission. | Tetsuo Handa | 2 | -0/+10
The policy editor needs to know allow_execute entries in order to build the domain transition tree. Reading all entries is slow. Thus, allow reading only allow_execute entries.
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
2010-08-02 | TOMOYO: Change list iterator. | Tetsuo Handa | 2 | -57/+34
Change list_for_each_cookie to
(1) start from the current position rather than the next position,
(2) remove the temporary cursor,
(3) check that srcu_read_lock() is held.
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
2010-08-02 | TOMOYO: Use common code for domain transition control. | Tetsuo Handa | 6 | -305/+159
Use common code for the "initialize_domain"/"no_initialize_domain"/"keep_domain"/"no_keep_domain" keywords.
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
2010-08-02 | TOMOYO: Remove alias keyword. | Tetsuo Handa | 5 | -164/+8
Some programs behave differently depending on the argv[0] passed to execve(). TOMOYO has the "alias" keyword in order to allow administrators to define different domains if the requested pathname passed to execve() is a symlink. But the "alias" keyword is incomplete because this keyword assumes that the requested pathname and argv[0] are identical. Thus, remove the "alias" keyword (by this patch) and add syntax for checking argv[0] (by future patches).
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
2010-08-02 | TOMOYO: Merge path_group and number_group. | Tetsuo Handa | 9 | -282/+199
Use common code for "path_group" and "number_group".
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
2010-08-02 | TOMOYO: Aggregate reader functions. | Tetsuo Handa | 6 | -384/+200
Now lists are accessible via array index. Aggregate reader functions using the index.
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
2010-08-02 | TOMOYO: Use array of "struct list_head". | Tetsuo Handa | 8 | -383/+98
Assign a list id and make the lists an array of "struct list_head".
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
2010-08-02 | TOMOYO: Merge tomoyo_path_group and tomoyo_number_group | Tetsuo Handa | 5 | -84/+59
"struct tomoyo_path_group" and "struct tomoyo_number_group" are identical. Rename tomoyo_path_group/tomoyo_number_group to tomoyo_group, tomoyo_path_group_member to tomoyo_path_group, and tomoyo_number_group_member to tomoyo_number_group.
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
2010-08-02 | selinux: Use current_security() when possible | Paul Moore | 1 | -11/+6
There were a number of places using the following code pattern:

  struct cred *cred = current_cred();
  struct task_security_struct *tsec = cred->security;
  ...

which were simplified to the following:

  struct task_security_struct *tsec = current_security();

Signed-off-by: Paul Moore <[email protected]>
Acked-by: Eric Paris <[email protected]>
Signed-off-by: James Morris <[email protected]>
2010-08-02 | selinux: Convert socket related access controls to use socket labels | Paul Moore | 1 | -74/+45
At present, the socket related access controls use a mix of inode and socket labels; while there should be no practical difference (they _should_ always be the same), it makes the code more confusing. This patch attempts to convert all of the socket related access control points (with the exception of some of the inode/fd based controls) to use the socket's own label. In the process, I also converted the socket_has_perm() function to take a 'sock' argument instead of a 'socket' since that was adding a bit more overhead in some cases.
Signed-off-by: Paul Moore <[email protected]>
Acked-by: Eric Paris <[email protected]>
Signed-off-by: James Morris <[email protected]>
2010-08-02 | selinux: Shuffle the sk_security_struct alloc and free routines | Paul Moore | 1 | -28/+17
The sk_alloc_security() and sk_free_security() functions were only being called by the selinux_sk_alloc_security() and selinux_sk_free_security() functions, so we just move the guts of the alloc/free routines to the callers and eliminate a layer of indirection.
Signed-off-by: Paul Moore <[email protected]>
Acked-by: Eric Paris <[email protected]>
Signed-off-by: James Morris <[email protected]>
2010-08-02 | selinux: Consolidate sockcreate_sid logic | Paul Moore | 1 | -20/+12
Consolidate the basic sockcreate_sid logic into a single helper function, which allows us to do some cleanups in the related code.
Signed-off-by: Paul Moore <[email protected]>
Acked-by: Eric Paris <[email protected]>
Signed-off-by: James Morris <[email protected]>
2010-08-02 | selinux: Set the peer label correctly on connected UNIX domain sockets | Paul Moore | 1 | -16/+14
Correct a problem where we weren't setting the peer label correctly on the client end of a pair of connected UNIX sockets.
Signed-off-by: Paul Moore <[email protected]>
Acked-by: Eric Paris <[email protected]>
Signed-off-by: James Morris <[email protected]>
2010-08-02 | TOMOYO: Pass "struct list_head" rather than "void *". | Tetsuo Handa | 1 | -58/+72
Pass "struct list_head" to tomoyo_add_to_gc() and bring list_del_rcu() into tomoyo_add_to_gc().
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
2010-08-02 | TOMOYO: Make read function to void. | Tetsuo Handa | 3 | -42/+20
Read functions do not fail. Change them from int to void.
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
2010-08-02 | TOMOYO: Merge functions. | Tetsuo Handa | 1 | -41/+9
Embed tomoyo_path_number_perm2() into tomoyo_path_number_perm().
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
2010-08-02 | TOMOYO: Remove wrapper function for reading keyword. | Tetsuo Handa | 3 | -70/+14
Keyword strings are read-only. We can directly access them to reduce code size.
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
2010-08-02 | TOMOYO: Loosen parameter check for mount operation. | Tetsuo Handa | 1 | -91/+33
If an invalid combination of mount flags is given, it will be rejected later. Thus, there is no need for TOMOYO to reject invalid combinations of mount flags.
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
2010-08-02 | TOMOYO: Rename symbols. | Tetsuo Handa | 10 | -157/+157
Use shorter names in order to make it easier to fit the 80 column limit.
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
2010-08-02 | TOMOYO: Use callback for permission check. | Tetsuo Handa | 4 | -258/+230
We can use a callback function since parameters are passed via "const struct tomoyo_request_info".
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
2010-08-02 | TOMOYO: Pass parameters via structure. | Tetsuo Handa | 3 | -1/+58
To make it possible to use a callback function, pass parameters via "struct tomoyo_request_info".
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
2010-08-02 | TOMOYO: Use common code for open and mkdir etc. | Tetsuo Handa | 3 | -84/+22
tomoyo_file_perm() and tomoyo_path_permission() are similar. We can embed tomoyo_file_perm() into tomoyo_path_permission().
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
2010-08-02 | SELinux: separate range transition rules to a separate function | Eric Paris | 1 | -64/+75
Move the range transition rule to a separate function, range_read(), rather than doing it all in policydb_read().
Signed-off-by: Eric Paris <[email protected]>
Acked-by: Stephen Smalley <[email protected]>
Signed-off-by: James Morris <[email protected]>
2010-08-02 | TOMOYO: Use common code for garbage collection. | Tetsuo Handa | 1 | -146/+66
Use common code for elements using the "struct list_head" + "bool" structure.
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
2010-08-02 | TOMOYO: Use callback for updating entries. | Tetsuo Handa | 6 | -252/+190
Use common code for elements using the "struct list_head" + "bool" structure.
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
2010-08-02 | TOMOYO: Use common structure for list element. | Tetsuo Handa | 7 | -164/+167
Use the common "struct list_head" + "bool" structure.
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
2010-08-02 | TOMOYO: Use callback for updating entries. | Tetsuo Handa | 7 | -312/+253
Use the common "struct list_head" + "bool" + "u8" structure and use common code for elements using that structure.
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
2010-08-02 | KEYS: Make /proc/keys check to see if a key is possessed before security check | David Howells | 3 | -23/+66
Make /proc/keys check to see if the calling process possesses each key before performing the security check. The possession check can be skipped if the key doesn't have the possessor-view permission bit set. This causes the keys a process possesses to show up in /proc/keys, even if they don't have matching user/group/other view permissions.
Signed-off-by: David Howells <[email protected]>
Signed-off-by: James Morris <[email protected]>
2010-08-02 | KEYS: Authorise keyctl_set_timeout() on a key if we have its authorisation key | David Howells | 1 | -1/+16
Authorise a process to perform keyctl_set_timeout() on an uninstantiated key if that process has the authorisation key for it. This allows the instantiator to set the timeout on a key it is instantiating, provided it does it before instantiating the key. For instance, the test upcall script provided with the keyutils package could be modified to set the expiry to an hour hence before instantiating the key:

  [/usr/share/keyutils/request-key-debug.sh]
   if [ "$3" != "neg" ]
   then
  +    keyctl timeout $1 3600
       keyctl instantiate $1 "Debug $3" $4 || exit 1
   else

Signed-off-by: David Howells <[email protected]>
Signed-off-by: James Morris <[email protected]>
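Review bot: the added `keyctl timeout $1 3600` line in the request-key-debug.sh snippet does not check its exit status, while the following `keyctl instantiate $1 "Debug $3" $4 || exit 1` does; if setting the timeout fails (for example because the caller does not hold the authorisation key this change requires), the script still instantiates a key with no expiry. Consider `keyctl timeout $1 3600 || exit 1` so the ordering constraint the message describes (timeout must be set before instantiation) is enforced rather than silently skipped.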
2010-08-02 | TOMOYO: Update profile structure. | Tetsuo Handa | 6 | -248/+486
This patch allows users to change the access control mode on a per-operation basis. This feature comes from the non-LSM version of TOMOYO, which is designed for permitting users to use SELinux and TOMOYO at the same time. SELinux does not care about the filename in a directory whereas TOMOYO does. A change of filename can change how the file is used. For example, renaming index.txt to .htaccess will change how the file is used. Thus, letting SELinux enforce read()/write()/mmap() etc. restrictions and letting TOMOYO enforce rename() restrictions is an example usage of this feature. What is unfortunate for me is that currently LSM does not allow users to use SELinux and the LSM version of TOMOYO at the same time...
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
2010-08-02 | TOMOYO: Add pathname aggregation support. | Tetsuo Handa | 4 | -0/+204
This patch allows users to aggregate programs which provide similar functionality (e.g. /usr/bin/vi and /usr/bin/emacs).
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
2010-08-02 | TOMOYO: Allow wildcard for execute permission. | Tetsuo Handa | 7 | -151/+90
Some applications create and execute programs dynamically. We need to accept wildcards for execute permission because such programs contain a random suffix in their filenames. This patch loosens up the regulation of string parameters.
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
2010-08-02 | TOMOYO: Support longer pathname. | Tetsuo Handa | 6 | -318/+208
Allow pathnames longer than 4000 bytes.
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>