| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Signed-off-by: Al Viro <[email protected]>
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup
Pull cgroup changes from Tejun Heo:
"Out of the 8 commits, one fixes a long-standing locking issue around
tasklist walking and others are cleanups."
* 'for-3.4' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup:
cgroup: Walk task list under tasklist_lock in cgroup_enable_task_cg_list
cgroup: Remove wrong comment on cgroup_enable_task_cg_list()
cgroup: remove cgroup_subsys argument from callbacks
cgroup: remove extra calls to find_existing_css_set
cgroup: replace tasklist_lock with rcu_read_lock
cgroup: simplify double-check locking in cgroup_attach_proc
cgroup: move struct cgroup_pidlist out from the header file
cgroup: remove cgroup_attach_task_current_cg()
|
|
Acked-by: Tetsuo Handa <[email protected]>
Signed-off-by: Cong Wang <[email protected]>
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor into next
|
|
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: John Johansen <[email protected]>
|
|
Call sequence:
tomoyo_write_domain() --> tomoyo_delete_domain()
In 'tomoyo_delete_domain', return -EINTR if locking attempt is
interrupted by signal.
At present it returns success to its caller 'tomoyo_write_domain()'
even though domain is not deleted. 'tomoyo_write_domain()' assumes
domain is deleted and returns success to its caller. This is wrong behaviour.
'tomoyo_write_domain' should return error from tomoyo_delete_domain() to its
caller.
Signed-off-by: Santosh Nayak <[email protected]>
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor into next
|
|
Signed-off-by: Jan Engelhardt <[email protected]>
Signed-off-by: John Johansen <[email protected]>
|
|
Add the base support for the new policy extensions. This does not bring
any additional functionality, or change current semantics.
Signed-off-by: John Johansen <[email protected]>
Acked-by: Kees Cook <[email protected]>
|
|
"struct file_operations"->poll() expects "unsigned int" return value.
All files in /sys/kernel/security/tomoyo/ directory other than
/sys/kernel/security/tomoyo/query and /sys/kernel/security/tomoyo/audit should
return POLLIN | POLLRDNORM | POLLOUT | POLLWRNORM rather than -ENOSYS.
Also, /sys/kernel/security/tomoyo/query and /sys/kernel/security/tomoyo/audit
should return POLLOUT | POLLWRNORM rather than 0 when there is no data to read.
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
Move the path name lookup failure messages into the main path name lookup
routine, as the information is useful in more than just aa_path_perm.
Also rename aa_get_name to aa_path_name as it is not getting a reference
counted object with a corresponding put fn.
Signed-off-by: John Johansen <[email protected]>
Acked-by: Kees Cook <[email protected]>
|
|
Update aa_dfa_match so that it doesn't result in an input string being
walked twice (once to get its length and another time to match)
Add a single step functions
aa_dfa_next
Signed-off-by: John Johansen <[email protected]>
Acked-by: Kees Cook <[email protected]>
|
|
Signed-off-by: John Johansen <[email protected]>
Acked-by: Kees Cook <[email protected]>
|
|
When __d_path and d_absolute_path fail due to the name being outside of
the current namespace no name is reported. Use dentry_path to provide
some hint as to which file was being accessed.
Signed-off-by: John Johansen <[email protected]>
Acked-by: Kees Cook <[email protected]>
|
|
Signed-off-by: John Johansen <[email protected]>
|
|
Post unpacking of policy a verification pass is made on x transition
indexes. When this fails a call to audit_iface is made resulting in an
oops, because audit_iface is expecting a valid buffer position but
since the failure comes from post unpack verification there is none.
Make the position argument optional so that audit_iface can be called
from post unpack verification.
Signed-off-by: John Johansen <[email protected]>
|
|
The returning of -ESATLE when a path lookup fails as disconnected is wrong.
Since AppArmor is rejecting the access return -EACCES instead.
This also fixes a bug in complain (learning) mode where disconnected paths
are denied because -ESTALE errors are not ignored causing failures that
can change application behavior.
Signed-off-by: John Johansen <[email protected]>
|
|
The test for "if (cred->request_key_auth->flags & KEY_FLAG_REVOKED) {"
should actually testing that the (1 << KEY_FLAG_REVOKED) bit is set.
The current code actually checks for KEY_FLAG_DEAD.
Signed-off-by: Dan Carpenter <[email protected]>
Signed-off-by: David Howells <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
The keyctl_set_timeout function isn't exported to other parts of the
kernel, but I want to use it for the NFS idmapper. I already have the
key, but I wanted a generic way to set the timeout.
Signed-off-by: Bryan Schumaker <[email protected]>
Acked-by: David Howells <[email protected]>
Signed-off-by: Trond Myklebust <[email protected]>
|
|
Userspace can pass in arbitrary combinations of MS_* flags to mount().
If both MS_BIND and one of MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE are
passed, device name which should be checked for MS_BIND was not checked because
MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE had higher priority than MS_BIND.
If both one of MS_BIND/MS_MOVE and MS_REMOUNT are passed, device name which
should not be checked for MS_REMOUNT was checked because MS_BIND/MS_MOVE had
higher priority than MS_REMOUNT.
Fix these bugs by changing priority to MS_REMOUNT -> MS_BIND ->
MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE -> MS_MOVE as with do_mount() does.
Also, unconditionally return -EINVAL if more than one of
MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE is passed so that TOMOYO will not
generate inaccurate audit logs, for commit 7a2e8a8f "VFS: Sanity check mount
flags passed to change_mnt_propagation()" clarified that these flags must be
exclusively passed.
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
Fix IMA kconfig warning on non-X86 architectures:
warning: (IMA) selects TCG_TIS which has unmet direct dependencies
(TCG_TPM && X86)
Signed-off-by: Randy Dunlap <[email protected]>
Reported-by: Geert Uytterhoeven <[email protected]>
Acked-by: Rajiv Andrade <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
When a chroot relative pathname lookup fails it is falling through to
do a d_absolute_path lookup. This is incorrect as d_absolute_path should
only be used to lookup names for namespace absolute paths.
Signed-off-by: John Johansen <[email protected]>
Acked-by: Kees Cook <[email protected]>
|
|
The mapping of AA_MAY_META_READ for the allow mask was also being mapped
to the audit and quiet masks. This would result in some operations being
audited when the should not.
This flaw was hidden by the previous audit bug which would drop some
messages that where supposed to be audited.
Signed-off-by: John Johansen <[email protected]>
Acked-by: Kees Cook <[email protected]>
|
|
If the xindex value stored in the accept tables is 0, the extraction of
that value will result in an underflow (0 - 4).
In properly compiled policy this should not happen for file rules but
it may be possible for other rule types in the future.
To exploit this underflow a user would have to be able to load a corrupt
policy, which requires CAP_MAC_ADMIN, overwrite system policy in kernel
memory or know of a compiler error resulting in the flaw being present
for loaded policy (no such flaw is known at this time).
Signed-off-by: John Johansen <[email protected]>
Acked-by: Kees Cook <[email protected]>
|
|
The audit permission flag, that specifies an audit message should be
provided when an operation is allowed, was being ignored in some cases.
This is because the auto audit mode (which determines the audit mode from
system flags) was incorrectly assigned the same value as audit mode. The
shared value would result in messages that should be audited going through
a second evaluation as to whether they should be audited based on the
auto audit, resulting in some messages being dropped.
Signed-off-by: John Johansen <[email protected]>
Acked-by: Kees Cook <[email protected]>
|
|
The unpacking of struct capsx is missing a check for the end of the
caps structure. This can lead to unpack failures depending on what else
is packed into the policy file being unpacked.
Signed-off-by: John Johansen <[email protected]>
Acked-by: Kees Cook <[email protected]>
|
|
Since the parser needs to know which rlimits are known to the kernel,
export the list via a mask file in the "rlimit" subdirectory in the
securityfs "features" directory.
Signed-off-by: Kees Cook <[email protected]>
Signed-off-by: John Johansen <[email protected]>
|
|
Create the "file" directory in the securityfs for tracking features
related to files.
Signed-off-by: Kees Cook <[email protected]>
Signed-off-by: John Johansen <[email protected]>
|
|
This adds the "features" subdirectory to the AppArmor securityfs
to display boolean features flags and the known capability mask.
Signed-off-by: Kees Cook <[email protected]>
Signed-off-by: John Johansen <[email protected]>
|
|
Use a file tree structure to represent the AppArmor securityfs.
Signed-off-by: Kees Cook <[email protected]>
Signed-off-by: John Johansen <[email protected]>
|
|
Replace the fd_sets in struct fdtable with an array of unsigned longs and then
use the standard non-atomic bit operations rather than the FD_* macros.
This:
(1) Removes the abuses of struct fd_set:
(a) Since we don't want to allocate a full fd_set the vast majority of the
time, we actually, in effect, just allocate a just-big-enough array of
unsigned longs and cast it to an fd_set type - so why bother with the
fd_set at all?
(b) Some places outside of the core fdtable handling code (such as
SELinux) want to look inside the array of unsigned longs hidden inside
the fd_set struct for more efficient iteration over the entire set.
(2) Eliminates the use of FD_*() macros in the kernel completely.
(3) Permits the __FD_*() macros to be deleted entirely where not exposed to
userspace.
Signed-off-by: David Howells <[email protected]>
Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: H. Peter Anvin <[email protected]>
Cc: Al Viro <[email protected]>
|
|
The audit res field ususally indicates success with a 1 and 0 for a
failure. So make IMA do it the same way.
Signed-off-by: Eric Paris <[email protected]>
Signed-off-by: Mimi Zohar <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
For a process to entirely disable Yama ptrace restrictions, it can use
the special PR_SET_PTRACER_ANY pid to indicate that any otherwise allowed
process may ptrace it. This is stronger than calling PR_SET_PTRACER with
pid "1" because it includes processes in external pid namespaces. This is
currently needed by the Chrome renderer, since its crash handler (Breakpad)
runs external to the renderer's pid namespace.
Signed-off-by: Kees Cook <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
Trim security.h
Signed-off-by: Al Viro <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
Collapse security_vm_enough_memory() variants into a single function.
Signed-off-by: Al Viro <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
This adds the Yama Linux Security Module to collect DAC security
improvements (specifically just ptrace restrictions for now) that have
existed in various forms over the years and have been carried outside the
mainline kernel by other Linux distributions like Openwall and grsecurity.
Signed-off-by: Kees Cook <[email protected]>
Acked-by: John Johansen <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
The current LSM interface to cred_free is not sufficient for allowing
an LSM to track the life and death of a task. This patch adds the
task_free hook so that an LSM can clean up resources on task death.
Signed-off-by: Kees Cook <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
|
|
The argument is not used at all, and it's not necessary, because
a specific callback handler of course knows which subsys it
belongs to.
Now only ->pupulate() takes this argument, because the handlers of
this callback always call cgroup_add_file()/cgroup_add_files().
So we reduce a few lines of code, though the shrinking of object size
is minimal.
16 files changed, 113 insertions(+), 162 deletions(-)
text data bss dec hex filename
5486240 656987 7039960 13183187 c928d3 vmlinux.o.orig
5486170 656987 7039960 13183117 c9288d vmlinux.o
Signed-off-by: Li Zefan <[email protected]>
Signed-off-by: Tejun Heo <[email protected]>
|
|
* git://git.samba.org/sfrench/cifs-2.6:
CIFS: Rename *UCS* functions to *UTF16*
[CIFS] ACL and FSCACHE support no longer EXPERIMENTAL
[CIFS] Fix build break with multiuser patch when LANMAN disabled
cifs: warn about impending deprecation of legacy MultiuserMount code
cifs: fetch credentials out of keyring for non-krb5 auth multiuser mounts
cifs: sanitize username handling
keys: add a "logon" key type
cifs: lower default wsize when unix extensions are not used
cifs: better instrumentation for coalesce_t2
cifs: integer overflow in parse_dacl()
cifs: Fix sparse warning when calling cifs_strtoUCS
CIFS: Add descriptions to the brlock cache functions
|
|
Don't measure ramfs files.
Signed-off-by: Dmitry Kasatkin <[email protected]>
Signed-off-by: Mimi Zohar <[email protected]>
|
|
Fix the following build warning:
warning: (IMA) selects TCG_TPM which has unmet direct dependencies
(HAS_IOMEM && EXPERIMENTAL)
Suggested-by: Rajiv Andrade <[email protected]>
Signed-off-by: Fabio Estevam <[email protected]>
Signed-off-by: Rajiv Andrade <[email protected]>
Cc: <[email protected]>
Signed-off-by: Mimi Zohar <[email protected]>
|
|
Replace the rcu_assign_pointer() calls with rcu_assign_keypointer().
Signed-off-by: Mimi Zohar <[email protected]>
Signed-off-by: David Howells <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
Fix ima_policy.c sparse "warning: dereference of noderef expression"
message, by accessing cred->uid using current_cred().
Changelog v1:
- Change __cred to just cred (based on David Howell's comment)
Signed-off-by: Mimi Zohar <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
The kernel contains some special internal keyrings, for instance the DNS
resolver keyring :
2a93faf1 I----- 1 perm 1f030000 0 0 keyring .dns_resolver: empty
It would occasionally be useful to allow the contents of such keyrings to be
flushed by root (cache invalidation).
Allow a flag to be set on a keyring to mark that someone possessing the
sysadmin capability can clear the keyring, even without normal write access to
the keyring.
Set this flag on the special keyrings created by the DNS resolver, the NFS
identity mapper and the CIFS identity mapper.
Signed-off-by: David Howells <[email protected]>
Acked-by: Jeff Layton <[email protected]>
Acked-by: Steve Dickson <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
For CIFS, we want to be able to store NTLM credentials (aka username
and password) in the keyring. We do not, however want to allow users
to fetch those keys back out of the keyring since that would be a
security risk.
Unfortunately, due to the nuances of key permission bits, it's not
possible to do this. We need to grant search permissions so the kernel
can find these keys, but that also implies permissions to read the
payload.
Resolve this by adding a new key_type. This key type is essentially
the same as key_type_user, but does not define a .read op. This
prevents the payload from ever being visible from userspace. This
key type also vets the description to ensure that it's "qualified"
by checking to ensure that it has a ':' in it that is preceded by
other characters.
Acked-by: David Howells <[email protected]>
Signed-off-by: Jeff Layton <[email protected]>
Signed-off-by: Steve French <[email protected]>
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
integrity: digital signature config option name change
lib: Removed MPILIB, MPILIB_EXTRA, and SIGNATURE prompts
lib: MPILIB Kconfig description update
lib: digital signature dependency fix
lib: digital signature config option name change
encrypted-keys: fix rcu and sparse messages
keys: fix trusted/encrypted keys sparse rcu_assign_pointer messages
KEYS: Add missing smp_rmb() primitives to the keyring search code
TOMOYO: Accept \000 as a valid character.
security: update MAINTAINERS file with new git repo
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit: (29 commits)
audit: no leading space in audit_log_d_path prefix
audit: treat s_id as an untrusted string
audit: fix signedness bug in audit_log_execve_info()
audit: comparison on interprocess fields
audit: implement all object interfield comparisons
audit: allow interfield comparison between gid and ogid
audit: complex interfield comparison helper
audit: allow interfield comparison in audit rules
Kernel: Audit Support For The ARM Platform
audit: do not call audit_getname on error
audit: only allow tasks to set their loginuid if it is -1
audit: remove task argument to audit_set_loginuid
audit: allow audit matching on inode gid
audit: allow matching on obj_uid
audit: remove audit_finish_fork as it can't be called
audit: reject entry,always rules
audit: inline audit_free to simplify the look of generic code
audit: drop audit_set_macxattr as it doesn't do anything
audit: inline checks for not needing to collect aux records
audit: drop some potentially inadvisable likely notations
...
Use evil merge to fix up grammar mistakes in Kconfig file.
Bad speling and horrible grammar (and copious swearing) is to be
expected, but let's keep it to commit messages and comments, rather than
expose it to users in config help texts or printouts.
|
|
Similar to SIGNATURE, rename INTEGRITY_DIGSIG to INTEGRITY_SIGNATURE.
Signed-off-by: Dmitry Kasatkin <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
It was reported that DIGSIG is confusing name for digital signature
module. It was suggested to rename DIGSIG to SIGNATURE.
Requested-by: Linus Torvalds <[email protected]>
Suggested-by: Pavel Machek <[email protected]>
Signed-off-by: Dmitry Kasatkin <[email protected]>
Signed-off-by: James Morris <[email protected]>
|