1. 02 Apr, 2009 1 commit
    • Kees Cook's avatar
      modules: sysctl to block module loading · 3d43321b
      Kees Cook authored
      
      
      Implement a sysctl file that disables module-loading system-wide since
      there is no longer a viable way to remove CAP_SYS_MODULE after the system
      bounding capability set was removed in 2.6.25.
      
      Value can only be set to "1", and is tested only if standard capability
      checks allow CAP_SYS_MODULE.  Given existing /dev/mem protections, this
      should allow administrators a one-way method to block module loading
      after initial boot-time module loading has finished.
      Signed-off-by: default avatarKees Cook <kees.cook@canonical.com>
      Acked-by: default avatarSerge Hallyn <serue@us.ibm.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      3d43321b
  2. 01 Apr, 2009 1 commit
    • KaiGai Kohei's avatar
      Permissive domain in userspace object manager · 8a6f83af
      KaiGai Kohei authored
      
      
      This patch enables applications to handle permissive domain correctly.
      
      Since the v2.6.26 kernel, SELinux has supported an idea of permissive
      domain which allows certain processes to work as if permissive mode,
      even if the global setting is enforcing mode.
      However, we don't have an application program interface to inform
      what domains are permissive one, and what domains are not.
      It means applications focuses on SELinux (XACE/SELinux, SE-PostgreSQL
      and so on) cannot handle permissive domain correctly.
      
      This patch add the sixth field (flags) on the reply of the /selinux/access
      interface which is used to make an access control decision from userspace.
      If the first bit of the flags field is positive, it means the required
      access control decision is on permissive domain, so application should
      allow any required actions, as the kernel doing.
      
      This patch also has a side benefit. The av_decision.flags is set at
      context_struct_compute_av(). It enables to check required permissions
      without read_lock(&policy_rwlock).
      Signed-off-by: default avatarKaiGai Kohei <kaigai@ak.jp.nec.com>
      Acked-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Acked-by: default avatarEric Paris <eparis@redhat.com>
      --
       security/selinux/avc.c              |    2 +-
       security/selinux/include/security.h |    4 +++-
       security/selinux/selinuxfs.c        |    4 ++--
       security/selinux/ss/services.c      |   30 +++++-------------------------
       4 files changed, 11 insertions(+), 29 deletions(-)
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      8a6f83af
  3. 28 Mar, 2009 38 commits