| Age | Commit message | Author | Files | Lines |
|
The builtin "ima_appraise_tcb" policy should require file signatures for
at least a few of the hooks (eg. kernel modules, firmware, and the kexec
kernel image), but changing it would break the existing userspace/kernel
ABI.
This patch defines a new builtin policy named "secure_boot", which
can be specified on the "ima_policy=" boot command line, independently
or in conjunction with the "ima_appraise_tcb" policy, by specifying
ima_policy="appraise_tcb | secure_boot". The new appraisal rules
requiring file signatures will be added prior to the "ima_appraise_tcb"
rules.
Signed-off-by: Mimi Zohar <[email protected]>
Changelog:
- Reference secure boot in the new builtin policy name. (Thiago Bauermann)
|
|
Add support for providing multiple builtin policies on the "ima_policy="
boot command line. Use "|" as the delimiter separating the policy names.
Signed-off-by: Mimi Zohar <[email protected]>
|
|
New NEWCACHEREPORT message type to be used for cache reports sent
via Netlink, effectively allowing splitting cache report reception from
mroute programming.
Suggested-by: Ryan Halbrook <[email protected]>
Signed-off-by: Julien Gomes <[email protected]>
Reviewed-by: Nikolay Aleksandrov <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
|
|
In kernel version 4.1, tracefs was separated from debugfs into its
own filesystem. Prior to this split, files in
/sys/kernel/debug/tracing could be labeled during filesystem
creation using genfscon or later from userspace using setxattr. This
change re-enables support for genfscon labeling.
Signed-off-by: Jeff Vander Stoep <[email protected]>
Acked-by: Stephen Smalley <[email protected]>
Signed-off-by: Paul Moore <[email protected]>
|
|
<linux/wait_bit.h>
The wait_bit*() types and APIs are mixed into wait.h, but they
are a pretty orthogonal extension of wait-queues.
Furthermore, only about 50 kernel files use these APIs, while
over 1000 use the regular wait-queue functionality.
So clean up the main wait.h by moving the wait-bit functionality
out of it, into a separate .h and .c file:
include/linux/wait_bit.h for types and APIs
kernel/sched/wait_bit.c for the implementation
Update all header dependencies.
This reduces the size of wait.h rather significantly, by about 30%.
Cc: Linus Torvalds <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Cc: [email protected]
Signed-off-by: Ingo Molnar <[email protected]>
|
|
This patch is based on a discussion generated by an earlier patch
from Tetsuo Handa:
* https://marc.info/?t=149035659300001&r=1&w=2
The double free problem involves the mnt_opts field of the
security_mnt_opts struct, selinux_parse_opts_str() frees the memory
on error, but doesn't set the field to NULL so if the caller later
attempts to call security_free_mnt_opts() we trigger the problem.
In order to play it safe we change selinux_parse_opts_str() to call
security_free_mnt_opts() on error instead of freeing the memory
directly. This should ensure that everything is handled correctly,
regardless of what the caller may do.
Fixes: e0007529893c1c06 ("LSM/SELinux: Interfaces to allow FS to control mount options")
Cc: [email protected]
Cc: Tetsuo Handa <[email protected]>
Reported-by: Dmitry Vyukov <[email protected]>
Signed-off-by: Paul Moore <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
Allow userspace to detect that basic profile policy namespaces are
available.
Signed-off-by: John Johansen <[email protected]>
|
|
Update the user interface to support the stacked change_profile transition.
Signed-off-by: John Johansen <[email protected]>
|
|
Now that the domain label transition is complete advertise it to
userspace.
Signed-off-by: John Johansen <[email protected]>
|
|
Signed-off-by: John Johansen <[email protected]>
|
|
Signed-off-by: John Johansen <[email protected]>
|
|
Signed-off-by: John Johansen <[email protected]>
|
|
Signed-off-by: John Johansen <[email protected]>
|
|
Signed-off-by: John Johansen <[email protected]>
|
|
This is a temporary step, towards using the file->ctx for delegation,
and also helps speed up file queries, until the permission lookup
cache is introduced.
Signed-off-by: John Johansen <[email protected]>
|
|
Signed-off-by: John Johansen <[email protected]>
|
|
Signed-off-by: John Johansen <[email protected]>
|
|
Signed-off-by: John Johansen <[email protected]>
|
|
Signed-off-by: John Johansen <[email protected]>
|
|
Signed-off-by: John Johansen <[email protected]>
|
|
Signed-off-by: John Johansen <[email protected]>
|
|
The cross check permission helper macros will help simplify code
that does cross task permission checks like ptrace.
Signed-off-by: John Johansen <[email protected]>
|
|
Signed-off-by: John Johansen <[email protected]>
|
|
Signed-off-by: John Johansen <[email protected]>
|
|
Signed-off-by: John Johansen <[email protected]>
|
|
Signed-off-by: John Johansen <[email protected]>
|
|
Begin the actual switch to using domain labels by storing them on
the context and converting the label to a singular profile where
possible.
Signed-off-by: John Johansen <[email protected]>
|
|
Begin moving apparmor to using broader domain labels, that will allow
run time computation of domain type splitting via "stacking" of
profiles into a domain label vec.
Signed-off-by: John Johansen <[email protected]>
|
|
Instead of running file revalidation lazily when read/write are called
copy selinux and revalidate the file table on exec. This avoids
extra mediation overhead in read/write and also prevents file handles
being passed through to a grand child unchecked.
Signed-off-by: John Johansen <[email protected]>
|
|
Signed-off-by: John Johansen <[email protected]>
|
|
Instead of passing multiple booleans consolidate on a single flags
field.
Signed-off-by: John Johansen <[email protected]>
|
|
Remove the partially implemented code, until this can be properly
implemented.
Signed-off-by: John Johansen <[email protected]>
|
|
Signed-off-by: John Johansen <[email protected]>
|
|
The profile names are the same, leverage this.
Signed-off-by: John Johansen <[email protected]>
|
|
There are still a few places where profile replacement fails to update
and a stale profile is used for mediation. Fix this by moving to
accessing the current label through a critical section that will
always ensure mediation is using the current label regardless of
whether the task's cred has been updated or not.
Signed-off-by: John Johansen <[email protected]>
|
|
There is no reason to have the small stubs that don't use domain
private functions in domain.c, instead move them to lsm.c and make
them static.
Signed-off-by: John Johansen <[email protected]>
|
|
The ns name being displayed should go through an ns view lookup.
Signed-off-by: John Johansen <[email protected]>
|
|
The data being queried isn't always the current profile and a lookup
relative to the current profile should be done.
Signed-off-by: John Johansen <[email protected]>
|
|
The namespace being passed into the replace/remove profiles fns() is
not the view, but the namespace specified by the inode from the
file hook (if present) or the loading task's ns, if accessing the
top level virtualized load/replace file interface.
Signed-off-by: John Johansen <[email protected]>
|
|
Currently lookups are restricted to a single ns component in the
path. However when namespaces are allowed to have separate views, and
scopes this will not be sufficient, as it will be possible to have
a multiple component ns path in scope.
Add some ns lookup fns() to allow this and use them.
Signed-off-by: John Johansen <[email protected]>
|
|
Signed-off-by: John Johansen <[email protected]>
|
|
Signed-off-by: John Johansen <[email protected]>
|
|
Allow userspace to query a profile about permissions, through the
transaction interface that is already used to allow userspace to
query about key,value data.
Signed-off-by: John Johansen <[email protected]>
|
|
Signed-off-by: John Johansen <[email protected]>
|
|
Signed-off-by: John Johansen <[email protected]>
|
|
Signed-off-by: John Johansen <[email protected]>
|
|
The simple_transaction interface is slow. It requires 4 syscalls
(open, write, read, close) per query and shares a single lock for each
query.
So replace its use with a compatible in multi_transaction interface.
It allows for a faster 2 syscall pattern per query. After an initial
open, an arbitrary number of writes and reads can be issued. Each
write will reset the query with new data that can be read. Reads do
not clear the data, and can be issued multiple times, and used with
seek, until a new write is performed which will reset the data
available and the seek position.
Note: this keeps the single lock design, if needed moving to a per
file lock will have to come later.
Signed-off-by: John Johansen <[email protected]>
|
|
gsettings mediation needs to be able to determine if apparmor supports
label data queries. A label data query can be done to test for support
but its failure is indistinguishable from other failures, making it an
unreliable indicator.
Fix by making support of label data queries available as a flag in the
apparmorfs features dir tree.
Signed-off-by: John Johansen <[email protected]>
|
|
When setting up namespaces for containers it's easier for them to use
an fs interface to create the namespace for the container's
policy. Allow mkdir/rmdir under the policy/namespaces/ dir to be used
to create and remove namespaces.
BugLink: http://bugs.launchpad.net/bugs/1611078
Signed-off-by: John Johansen <[email protected]>
|