| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
We can use callback function since parameters are passed via
"const struct tomoyo_request_info".
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
To make it possible to use callback function, pass parameters via
"struct tomoyo_request_info".
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
tomoyo_file_perm() and tomoyo_path_permission() are similar.
We can embed tomoyo_file_perm() into tomoyo_path_permission().
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
Move the range transition rule to a separate function, range_read(), rather
than doing it all in policydb_read()
Signed-off-by: Eric Paris <[email protected]>
Acked-by: Stephen Smalley <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
Use common code for elements using "struct list_head" + "bool" structure.
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
Use common code for elements using "struct list_head" + "bool" structure.
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
Use common "struct list_head" + "bool" structure.
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
Use common "struct list_head" + "bool" + "u8" structure and
use common code for elements using that structure.
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
Make /proc/keys check to see if the calling process possesses each key before
performing the security check. The possession check can be skipped if the key
doesn't have the possessor-view permission bit set.
This causes the keys a process possesses to show up in /proc/keys, even if they
don't have matching user/group/other view permissions.
Signed-off-by: David Howells <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
Authorise a process to perform keyctl_set_timeout() on an uninstantiated key if
that process has the authorisation key for it.
This allows the instantiator to set the timeout on a key it is instantiating -
provided it does it before instantiating the key.
For instance, the test upcall script provided with the keyutils package could
be modified to set the expiry to an hour hence before instantiating the key:
[/usr/share/keyutils/request-key-debug.sh]
if [ "$3" != "neg" ]
then
+ keyctl timeout $1 3600
keyctl instantiate $1 "Debug $3" $4 || exit 1
else
Signed-off-by: David Howells <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
This patch allows users to change access control mode for per-operation basis.
This feature comes from non LSM version of TOMOYO which is designed for
permitting users to use SELinux and TOMOYO at the same time.
SELinux does not care filename in a directory whereas TOMOYO does. Change of
filename can change how the file is used. For example, renaming index.txt to
.htaccess will change how the file is used. Thus, letting SELinux to enforce
read()/write()/mmap() etc. restriction and letting TOMOYO to enforce rename()
restriction is an example usage of this feature.
What is unfortunate for me is that currently LSM does not allow users to use
SELinux and LSM version of TOMOYO at the same time...
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
This patch allows users to aggregate programs which provide similar
functionality (e.g. /usr/bin/vi and /usr/bin/emacs ).
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
Some applications create and execute programs dynamically. We need to accept
wildcard for execute permission because such programs contain random suffix
in their filenames. This patch loosens up regulation of string parameters.
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
Allow pathnames longer than 4000 bytes.
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
When commit be6d3e56a6b9b3a4ee44a0685e39e595073c6f0d "introduce new LSM hooks
where vfsmount is available." was proposed, regarding security_path_truncate(),
only "struct file *" argument (which AppArmor wanted to use) was removed.
But length and time_attrs arguments are not used by TOMOYO nor AppArmor.
Thus, let's remove these arguments.
Signed-off-by: Tetsuo Handa <[email protected]>
Acked-by: Nick Piggin <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
This patch removes some unneeded code for if opt_dentry is null because
that can never happen.
The function dereferences "opt_dentry" earlier when it checks
"if (opt_dentry->d_parent == opt_dentry) {". That code was added in
2008.
This function called from security_d_instantiate(). I checked all the
places which call security_d_instantiate() and dentry is always non-null.
I also checked the selinux version of this hook and there is a comment
which says that dentry should be non-null if called from
d_instantiate().
Signed-off-by: Dan Carpenter <[email protected]>
Acked-by: Casey Schaufler <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
security/tomoyo/common.c became too large to read.
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
Since the behavior of the system is restricted by policy, we may need to update
policy when you update packages.
We need to update policy in the following cases.
* The pathname of files has changed.
* The dependency of files has changed.
* The access permissions required has increased.
The ideal way to update policy is to rebuild from the scratch using learning
mode. But it is not desirable to change from enforcing mode to other mode if
the system has once entered in production state. Suppose MAC could support
per-application enforcing mode, the MAC becomes useless if an application that
is not running in enforcing mode was cracked. For example, the whole system
becomes vulnerable if only HTTP server application is running in learning mode
to rebuild policy for the application. So, in TOMOYO Linux, updating policy is
done while the system is running in enforcing mode.
This patch implements "interactive enforcing mode" which allows administrators
to judge whether to accept policy violation in enforcing mode or not.
A demo movie is available at http://www.youtube.com/watch?v=b9q1Jo25LPA .
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
mount(2) has three string and one numeric parameters.
Split mount restriction code from security/tomoyo/file.c .
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
Check numeric parameters for operations that deal them
(e.g. chmod/chown/ioctl).
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
Use "struct tomoyo_request_info" instead of passing individual arguments.
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
This patch adds numeric values grouping support, which is useful for grouping
numeric values such as file's UID, DAC's mode, ioctl()'s cmd number.
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
Remove all rcu head inits. We don't care about the RCU head state before passing
it to call_rcu() anyway. Only leave the "on_stack" variants so debugobjects can
keep track of objects on stack.
Signed-off-by: Mathieu Desnoyers <[email protected]>
Signed-off-by: Paul E. McKenney <[email protected]>
Cc: Stephen Smalley <[email protected]>
Reviewed-by: James Morris <[email protected]>
Cc: Eric Paris <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
introduce a new fsnotify hook, fsnotify_perm(), which is called from the
security code. This hook is used to allow fsnotify groups to make access
control decisions about events on the system. We also must change the
generic fsnotify function to return an error code if we intend these hooks
to be in any way useful.
Signed-off-by: Eric Paris <[email protected]>
|
|
When doing an exec, selinux updates rlimits in its code of current
process depending on current max. Make sure max or cur doesn't change
in the meantime by grabbing task_lock which do_prlimit needs for
changing limits too.
While at it, use rlimit helper for accessing CPU rlimit a line below.
To have a volatile access too.
Signed-off-by: Jiri Slaby <[email protected]>
Cc: Oleg Nesterov <[email protected]>
|
|
Add task_struct as a parameter to update_rlimit_cpu to be able to set
rlimit_cpu of different task than current.
Signed-off-by: Jiri Slaby <[email protected]>
Acked-by: James Morris <[email protected]>
|
|
Add task_struct to task_setrlimit of security_operations to be able to set
rlimit of task other than current.
Signed-off-by: Jiri Slaby <[email protected]>
Acked-by: Eric Paris <[email protected]>
Acked-by: James Morris <[email protected]>
|
|
This is from a Smatch check I'm writing.
strncpy_from_user() returns -EFAULT on error so the first change just
silences a warning but doesn't change how the code works.
The other change is a bug fix because install_thread_keyring_to_cred()
can return a variety of errors such as -EINVAL, -EEXIST, -ENOMEM or
-EKEYREVOKED.
Signed-off-by: Dan Carpenter <[email protected]>
Signed-off-by: David Howells <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
|
|
|
|
Signed-off-by: Uwe Kleine-König <[email protected]>
Signed-off-by: Jiri Kosina <[email protected]>
|
|
No functional changes.
keyctl_session_to_parent() is the only user of signal->count which needs
the correct value. Change it to use thread_group_empty() instead, this
must be strictly equivalent under tasklist, and imho looks better.
Signed-off-by: Oleg Nesterov <[email protected]>
Acked-by: David Howells <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Acked-by: Roland McGrath <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
|
|
call_usermodehelper_keys() uses call_usermodehelper_setkeys() to change
subprocess_info->cred in advance. Now that we have info->init() we can
change this code to set tgcred->session_keyring in context of execing
kernel thread.
Note: since currently call_usermodehelper_keys() is never called with
UMH_NO_WAIT, call_usermodehelper_keys()->key_get() and umh_keys_cleanup()
are not really needed, we could rely on install_session_keyring_to_cred()
which does key_get() on success.
Signed-off-by: Oleg Nesterov <[email protected]>
Acked-by: Neil Horman <[email protected]>
Acked-by: David Howells <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
|
|
SHRT_MAX and SHRT_MIN
- C99 knows about USHRT_MAX/SHRT_MAX/SHRT_MIN, not
USHORT_MAX/SHORT_MAX/SHORT_MIN.
- Make SHRT_MIN of type s16, not int, for consistency.
[[email protected]: fix drivers/dma/timb_dma.c]
[[email protected]: fix security/keys/keyring.c]
Signed-off-by: Alexey Dobriyan <[email protected]>
Acked-by: WANG Cong <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
|
|
... kill their private list, while we are at it
Signed-off-by: Al Viro <[email protected]>
|
|
Of the three uses of kref_set in the kernel:
One really should be kref_put as the code is letting go of a
reference,
Two really should be kref_init because the kref is being
initialised.
This suggests that making kref_set available encourages bad code.
So fix the three uses and remove kref_set completely.
Signed-off-by: NeilBrown <[email protected]>
Acked-by: Mimi Zohar <[email protected]>
Acked-by: Serge Hallyn <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
|
|
We were using the wrong variable here so the error codes weren't being returned
properly. The original code returns -ENOKEY.
Signed-off-by: Dan Carpenter <[email protected]>
Signed-off-by: David Howells <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
register_security() became __init function.
So do verify() and security_fixup_ops().
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
This patch adds pathname grouping support, which is useful for grouping
pathnames that cannot be represented using /\{dir\}/ pattern.
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
The ACPI dependency moved to the TPM, where it belongs. Although
IMA per-se does not require access to the bios measurement log,
verifying the IMA boot aggregate does, which requires ACPI.
This patch prereq's 'TPM: ACPI/PNP dependency removal'
http://lkml.org/lkml/2010/5/4/378.
Signed-off-by: Mimi Zohar <[email protected]>
Reported-by: Jean-Christophe Dubois <[email protected]>
Acked-by: Serge Hallyn <[email protected]>
Tested-by: Serge Hallyn <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
Use kstrdup when the goal of an allocation is copy a string into the
allocated region.
The semantic patch that makes this change is as follows:
(http://coccinelle.lip6.fr/)
// <smpl>
@@
expression from,to;
expression flag,E1,E2;
statement S;
@@
- to = kmalloc(strlen(from) + 1,flag);
+ to = kstrdup(from, flag);
... when != \(from = E1 \| to = E1 \)
if (to==NULL || ...) S
... when != \(from = E2 \| to = E2 \)
- strcpy(to, from);
// </smpl>
Signed-off-by: Julia Lawall <[email protected]>
Acked-by: Eric Paris <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
Use stack memory for pending entry to reduce kmalloc() which will be kfree()d.
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
This reverts commit a674fa46c79ffa37995bd1c8e4daa2b3be5a95ae.
Previous revert was a prereq.
Signed-off-by: James Morris <[email protected]>
|
|
Do preallocation for __key_link() so that the various callers in request_key.c
can deal with any errors from this source before attempting to construct a key.
This allows them to assume that the actual linkage step is guaranteed to be
successful.
Signed-off-by: David Howells <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
Conflicts:
security/keys/keyring.c
Resolved conflict with whitespace fix in find_keyring_by_name()
Signed-off-by: James Morris <[email protected]>
|
|
Some of TOMOYO's functions may sleep after mutex_lock(). If OOM-killer selected
a process which is waiting at mutex_lock(), the to-be-killed process can't be
killed. Thus, replace mutex_lock() with mutex_lock_interruptible() so that the
to-be-killed process can immediately return from TOMOYO's functions.
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
Errors from construct_alloc_key() shouldn't just be ignored in the way they are
by construct_key_and_link(). The only error that can be ignored so is
EINPROGRESS as that is used to indicate that we've found a key and don't need
to construct one.
We don't, however, handle ENOMEM, EDQUOT or EACCES to indicate allocation
failures of one sort or another.
Reported-by: Vegard Nossum <[email protected]>
Signed-off-by: David Howells <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
keyring_serialise_link_sem is only needed for keyring->keyring links as it's
used to prevent cycle detection from being avoided by parallel keyring
additions.
Signed-off-by: David Howells <[email protected]>
Signed-off-by: James Morris <[email protected]>
|
|
|
|
In Ubuntu, security_path_*() hooks are exported to Unionfs. Thus, prepare for
being called from inside VFS functions because I'm not sure whether it is safe
to use GFP_KERNEL or not.
Signed-off-by: Tetsuo Handa <[email protected]>
Signed-off-by: James Morris <[email protected]>
|