1. 05 Feb, 2009 4 commits
  2. 02 Feb, 2009 3 commits
  3. 01 Feb, 2009 1 commit
  4. 29 Jan, 2009 18 commits
  5. 18 Jan, 2009 3 commits
  6. 07 Jan, 2009 1 commit
  7. 06 Jan, 2009 2 commits
    • David Howells's avatar
      CRED: Fix regression in cap_capable() as shown up by sys_faccessat() [ver #3] · 3699c53c
      David Howells authored
      Fix a regression in cap_capable() due to:
      
      	commit 3b11a1de
      	Author: David Howells <dhowells@redhat.com>
      	Date:   Fri Nov 14 10:39:26 2008 +1100
      
      	    CRED: Differentiate objective and effective subjective credentials on a task
      
      The problem is that the above patch allows a process to have two sets of
      credentials, and for the most part uses the subjective credentials when
      accessing current's creds.
      
      There is, however, one exception: cap_capable(), and thus capable(), uses the
      real/objective credentials of the target task, whether or not it is the current
      task.
      
      Ordinarily this doesn't matter, since usually the two cred pointers in current
      point to the same set of creds.  However, sys_faccessat() makes use of this
      facility to override the credentials of the calling process to make its test,
      without affecting the creds as seen from other processes.
      
      One of the things sys_faccessat() does is to make an adjustment to the
      effective capabilities mask, which cap_capable(), as it stands, then ignores.
      
      The affected capability check is in generic_permission():
      
      	if (!(mask & MAY_EXEC) || execute_ok(inode))
      		if (capable(CAP_DAC_OVERRIDE))
      			return 0;
      
      This change passes the set of credentials to be tested down into the commoncap
      and SELinux code.  The security functions called by capable() and
      has_capability() select the appropriate set of credentials from the process
      being checked.
      
      This can be tested by compiling the following program from the XFS testsuite:
      
      /*
       *  t_access_root.c - trivial test program to show permission bug.
       *
       *  Written by Michael Kerrisk - copyright ownership not pursued.
       *  Sourced from: http://linux.derkeiler.com/Mailing-Lists/Kernel/2003-10/6030.html
      
      
       */
      #include <limits.h>
      #include <unistd.h>
      #include <stdio.h>
      #include <stdlib.h>
      #include <fcntl.h>
      #include <sys/stat.h>
      
      #define UID 500
      #define GID 100
      #define PERM 0
      #define TESTPATH "/tmp/t_access"
      
      static void
      errExit(char *msg)
      {
          perror(msg);
          exit(EXIT_FAILURE);
      } /* errExit */
      
      static void
      accessTest(char *file, int mask, char *mstr)
      {
          printf("access(%s, %s) returns %d\n", file, mstr, access(file, mask));
      } /* accessTest */
      
      int
      main(int argc, char *argv[])
      {
          int fd, perm, uid, gid;
          char *testpath;
          char cmd[PATH_MAX + 20];
      
          testpath = (argc > 1) ? argv[1] : TESTPATH;
          perm = (argc > 2) ? strtoul(argv[2], NULL, 8) : PERM;
          uid = (argc > 3) ? atoi(argv[3]) : UID;
          gid = (argc > 4) ? atoi(argv[4]) : GID;
      
          unlink(testpath);
      
          fd = open(testpath, O_RDWR | O_CREAT, 0);
          if (fd == -1) errExit("open");
      
          if (fchown(fd, uid, gid) == -1) errExit("fchown");
          if (fchmod(fd, perm) == -1) errExit("fchmod");
          close(fd);
      
          snprintf(cmd, sizeof(cmd), "ls -l %s", testpath);
          system(cmd);
      
          if (seteuid(uid) == -1) errExit("seteuid");
      
          accessTest(testpath, 0, "0");
          accessTest(testpath, R_OK, "R_OK");
          accessTest(testpath, W_OK, "W_OK");
          accessTest(testpath, X_OK, "X_OK");
          accessTest(testpath, R_OK | W_OK, "R_OK | W_OK");
          accessTest(testpath, R_OK | X_OK, "R_OK | X_OK");
          accessTest(testpath, W_OK | X_OK, "W_OK | X_OK");
          accessTest(testpath, R_OK | W_OK | X_OK, "R_OK | W_OK | X_OK");
      
          exit(EXIT_SUCCESS);
      } /* main */
      
      This can be run against an Ext3 filesystem as well as against an XFS
      filesystem.  If successful, it will show:
      
      	[root@andromeda src]# ./t_access_root /tmp/xxx 0 4043 4043
      	---------- 1 dhowells dhowells 0 2008-12-31 03:00 /tmp/xxx
      	access(/tmp/xxx, 0) returns 0
      	access(/tmp/xxx, R_OK) returns 0
      	access(/tmp/xxx, W_OK) returns 0
      	access(/tmp/xxx, X_OK) returns -1
      	access(/tmp/xxx, R_OK | W_OK) returns 0
      	access(/tmp/xxx, R_OK | X_OK) returns -1
      	access(/tmp/xxx, W_OK | X_OK) returns -1
      	access(/tmp/xxx, R_OK | W_OK | X_OK) returns -1
      
      If unsuccessful, it will show:
      
      	[root@andromeda src]# ./t_access_root /tmp/xxx 0 4043 4043
      	---------- 1 dhowells dhowells 0 2008-12-31 02:56 /tmp/xxx
      	access(/tmp/xxx, 0) returns 0
      	access(/tmp/xxx, R_OK) returns -1
      	access(/tmp/xxx, W_OK) returns -1
      	access(/tmp/xxx, X_OK) returns -1
      	access(/tmp/xxx, R_OK | W_OK) returns -1
      	access(/tmp/xxx, R_OK | X_OK) returns -1
      	access(/tmp/xxx, W_OK | X_OK) returns -1
      	access(/tmp/xxx, R_OK | W_OK | X_OK) returns -1
      
      I've also tested the fix with the SELinux and syscalls LTP testsuites.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Tested-by: default avatarJ. Bruce Fields <bfields@citi.umich.edu>
      Acked-by: default avatarSerge Hallyn <serue@us.ibm.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      3699c53c
    • James Morris's avatar
      Revert "CRED: Fix regression in cap_capable() as shown up by sys_faccessat() [ver #2]" · 29881c45
      James Morris authored
      This reverts commit 14eaddc9.
      
      David has a better version to come.
      29881c45
  8. 05 Jan, 2009 1 commit
    • Eric Paris's avatar
      SELinux: shrink sizeof av_inhert selinux_class_perm and context · 76f7ba35
      Eric Paris authored
      
      
      I started playing with pahole today and decided to put it against the
      selinux structures.  Found we could save a little bit of space on x86_64
      (and no harm on i686) just reorganizing some structs.
      
      Object size changes:
      av_inherit: 24 -> 16
      selinux_class_perm: 48 -> 40
      context: 80 -> 72
      
      Admittedly there aren't many of av_inherit or selinux_class_perm's in
      the kernel (33 and 1 respectively) But the change to the size of struct
      context reverberate out a bit.  I can get some hard number if they are
      needed, but I don't see why they would be.  We do change which cacheline
      context->len and context->str would be on, but I don't see that as a
      problem since we are clearly going to have to load both if the context
      is to be of any value.  I've run with the patch and don't seem to be
      having any problems.
      
      An example of what's going on using struct av_inherit would be:
      
      form: to:
      struct av_inherit {			struct av_inherit {
      	u16 tclass;				const char **common_pts;
      	const char **common_pts;		u32 common_base;
      	u32 common_base;			u16 tclass;
      };
      
      (notice all I did was move u16 tclass to the end of the struct instead
      of the beginning)
      
      Memory layout before the change:
      struct av_inherit {
      	u16 tclass; /* 2 */
      	/* 6 bytes hole */
      	const char** common_pts; /* 8 */
      	u32 common_base; /* 4 */
      	/* 4 byes padding */
      
      	/* size: 24, cachelines: 1 */
      	/* sum members: 14, holes: 1, sum holes: 6 */
      	/* padding: 4 */
      };
      
      Memory layout after the change:
      struct av_inherit {
      	const char ** common_pts; /* 8 */
      	u32 common_base; /* 4 */
      	u16 tclass; /* 2 */
      	/* 2 bytes padding */
      
      	/* size: 16, cachelines: 1 */
      	/* sum members: 14, holes: 0, sum holes: 0 */
      	/* padding: 2 */
      };
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      76f7ba35
  9. 04 Jan, 2009 2 commits
    • David Howells's avatar
      CRED: Fix regression in cap_capable() as shown up by sys_faccessat() [ver #2] · 14eaddc9
      David Howells authored
      Fix a regression in cap_capable() due to:
      
      	commit 5ff7711e635b32f0a1e558227d030c7e45b4a465
      	Author: David Howells <dhowells@redhat.com>
      	Date:   Wed Dec 31 02:52:28 2008 +0000
      
      	    CRED: Differentiate objective and effective subjective credentials on a task
      
      The problem is that the above patch allows a process to have two sets of
      credentials, and for the most part uses the subjective credentials when
      accessing current's creds.
      
      There is, however, one exception: cap_capable(), and thus capable(), uses the
      real/objective credentials of the target task, whether or not it is the current
      task.
      
      Ordinarily this doesn't matter, since usually the two cred pointers in current
      point to the same set of creds.  However, sys_faccessat() makes use of this
      facility to override the credentials of the calling process to make its test,
      without affecting the creds as seen from other processes.
      
      One of the things sys_faccessat() does is to make an adjustment to the
      effective capabilities mask, which cap_capable(), as it stands, then ignores.
      
      The affected capability check is in generic_permission():
      
      	if (!(mask & MAY_EXEC) || execute_ok(inode))
      		if (capable(CAP_DAC_OVERRIDE))
      			return 0;
      
      This change splits capable() from has_capability() down into the commoncap and
      SELinux code.  The capable() security op now only deals with the current
      process, and uses the current process's subjective creds.  A new security op -
      task_capable() - is introduced that can check any task's objective creds.
      
      strictly the capable() security op is superfluous with the presence of the
      task_capable() op, however it should be faster to call the capable() op since
      two fewer arguments need be passed down through the various layers.
      
      This can be tested by compiling the following program from the XFS testsuite:
      
      /*
       *  t_access_root.c - trivial test program to show permission bug.
       *
       *  Written by Michael Kerrisk - copyright ownership not pursued.
       *  Sourced from: http://linux.derkeiler.com/Mailing-Lists/Kernel/2003-10/6030.html
      
      
       */
      #include <limits.h>
      #include <unistd.h>
      #include <stdio.h>
      #include <stdlib.h>
      #include <fcntl.h>
      #include <sys/stat.h>
      
      #define UID 500
      #define GID 100
      #define PERM 0
      #define TESTPATH "/tmp/t_access"
      
      static void
      errExit(char *msg)
      {
          perror(msg);
          exit(EXIT_FAILURE);
      } /* errExit */
      
      static void
      accessTest(char *file, int mask, char *mstr)
      {
          printf("access(%s, %s) returns %d\n", file, mstr, access(file, mask));
      } /* accessTest */
      
      int
      main(int argc, char *argv[])
      {
          int fd, perm, uid, gid;
          char *testpath;
          char cmd[PATH_MAX + 20];
      
          testpath = (argc > 1) ? argv[1] : TESTPATH;
          perm = (argc > 2) ? strtoul(argv[2], NULL, 8) : PERM;
          uid = (argc > 3) ? atoi(argv[3]) : UID;
          gid = (argc > 4) ? atoi(argv[4]) : GID;
      
          unlink(testpath);
      
          fd = open(testpath, O_RDWR | O_CREAT, 0);
          if (fd == -1) errExit("open");
      
          if (fchown(fd, uid, gid) == -1) errExit("fchown");
          if (fchmod(fd, perm) == -1) errExit("fchmod");
          close(fd);
      
          snprintf(cmd, sizeof(cmd), "ls -l %s", testpath);
          system(cmd);
      
          if (seteuid(uid) == -1) errExit("seteuid");
      
          accessTest(testpath, 0, "0");
          accessTest(testpath, R_OK, "R_OK");
          accessTest(testpath, W_OK, "W_OK");
          accessTest(testpath, X_OK, "X_OK");
          accessTest(testpath, R_OK | W_OK, "R_OK | W_OK");
          accessTest(testpath, R_OK | X_OK, "R_OK | X_OK");
          accessTest(testpath, W_OK | X_OK, "W_OK | X_OK");
          accessTest(testpath, R_OK | W_OK | X_OK, "R_OK | W_OK | X_OK");
      
          exit(EXIT_SUCCESS);
      } /* main */
      
      This can be run against an Ext3 filesystem as well as against an XFS
      filesystem.  If successful, it will show:
      
      	[root@andromeda src]# ./t_access_root /tmp/xxx 0 4043 4043
      	---------- 1 dhowells dhowells 0 2008-12-31 03:00 /tmp/xxx
      	access(/tmp/xxx, 0) returns 0
      	access(/tmp/xxx, R_OK) returns 0
      	access(/tmp/xxx, W_OK) returns 0
      	access(/tmp/xxx, X_OK) returns -1
      	access(/tmp/xxx, R_OK | W_OK) returns 0
      	access(/tmp/xxx, R_OK | X_OK) returns -1
      	access(/tmp/xxx, W_OK | X_OK) returns -1
      	access(/tmp/xxx, R_OK | W_OK | X_OK) returns -1
      
      If unsuccessful, it will show:
      
      	[root@andromeda src]# ./t_access_root /tmp/xxx 0 4043 4043
      	---------- 1 dhowells dhowells 0 2008-12-31 02:56 /tmp/xxx
      	access(/tmp/xxx, 0) returns 0
      	access(/tmp/xxx, R_OK) returns -1
      	access(/tmp/xxx, W_OK) returns -1
      	access(/tmp/xxx, X_OK) returns -1
      	access(/tmp/xxx, R_OK | W_OK) returns -1
      	access(/tmp/xxx, R_OK | X_OK) returns -1
      	access(/tmp/xxx, W_OK | X_OK) returns -1
      	access(/tmp/xxx, R_OK | W_OK | X_OK) returns -1
      
      I've also tested the fix with the SELinux and syscalls LTP testsuites.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      14eaddc9
    • James Morris's avatar
  10. 31 Dec, 2008 4 commits
    • James Morris's avatar
      keys: fix sparse warning by adding __user annotation to cast · 90bd49ab
      James Morris authored
      
      
      Fix the following sparse warning:
      
            CC      security/keys/key.o
          security/keys/keyctl.c:1297:10: warning: incorrect type in argument 2 (different address spaces)
          security/keys/keyctl.c:1297:10:    expected char [noderef] <asn:1>*buffer
          security/keys/keyctl.c:1297:10:    got char *<noident>
      
      which appears to be caused by lack of __user annotation to the cast of
      a syscall argument.
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      Acked-by: default avatarDavid Howells <dhowells@redhat.com>
      90bd49ab
    • Casey Schaufler's avatar
      smack: Add support for unlabeled network hosts and networks · 6d3dc07c
      Casey Schaufler authored
      
      
      Add support for unlabeled network hosts and networks.
      Relies heavily on Paul Moore's netlabel support.
      
      Creates a new entry in /smack called netlabel. Writes to /smack/netlabel
      take the form:
      
          A.B.C.D LABEL
      or
          A.B.C.D/N LABEL
      
      where A.B.C.D is a network address, N is an integer between 0-32,
      and LABEL is the Smack label to be used. If /N is omitted /32 is
      assumed. N designates the netmask for the address. Entries are
      matched by the most specific address/mask pair. 0.0.0.0/0 will
      match everything, while 192.168.1.117/32 will match exactly one
      host.
      
      A new system label "@", pronounced "web", is defined. Processes
      can not be assigned the web label. An address assigned the web
      label can be written to by any process, and packets coming from
      a web address can be written to any socket. Use of the web label
      is a violation of any strict MAC policy, but the web label has
      been requested many times.
      
      The nltype entry has been removed from /smack. It did not work right
      and the netlabel interface can be used to specify that all hosts
      be treated as unlabeled.
      
      CIPSO labels on incoming packets will be honored, even from designated
      single label hosts. Single label hosts can only be written to by
      processes with labels that can write to the label of the host.
      Packets sent to single label hosts will always be unlabeled.
      
      Once added a single label designation cannot be removed, however
      the label may be changed.
      
      The behavior of the ambient label remains unchanged.
      Signed-off-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
      6d3dc07c
    • Paul Moore's avatar
      selinux: Deprecate and schedule the removal of the the compat_net functionality · 277d342f
      Paul Moore authored
      
      
      This patch is the first step towards removing the old "compat_net" code from
      the kernel.  Secmark, the "compat_net" replacement was first introduced in
      2.6.18 (September 2006) and the major Linux distributions with SELinux support
      have transitioned to Secmark so it is time to start deprecating the "compat_net"
      mechanism.  Testing a patched version of 2.6.28-rc6 with the initial release of
      Fedora Core 5 did not show any problems when running in enforcing mode.
      
      This patch adds an entry to the feature-removal-schedule.txt file and removes
      the SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT configuration option, forcing
      Secmark on by default although it can still be disabled at runtime.  The patch
      also makes the Secmark permission checks "dynamic" in the sense that they are
      only executed when Secmark is configured; this should help prevent problems
      with older distributions that have not yet migrated to Secmark.
      Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
      Acked-by: default avatarJames Morris <jmorris@namei.org>
      277d342f
    • Paul Moore's avatar
      netlabel: Update kernel configuration API · 6c2e8ac0
      Paul Moore authored
      
      
      Update the NetLabel kernel API to expose the new features added in kernel
      releases 2.6.25 and 2.6.28: the static/fallback label functionality and network
      address based selectors.
      Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
      6c2e8ac0
  11. 30 Dec, 2008 1 commit
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://oss.sgi.com/xfs/xfs · 6a94cb73
      Linus Torvalds authored
      * 'for-linus' of git://oss.sgi.com/xfs/xfs: (184 commits)
        [XFS] Fix race in xfs_write() between direct and buffered I/O with DMAPI
        [XFS] handle unaligned data in xfs_bmbt_disk_get_all
        [XFS] avoid memory allocations in xfs_fs_vcmn_err
        [XFS] Fix speculative allocation beyond eof
        [XFS] Remove XFS_BUF_SHUT() and friends
        [XFS] Use the incore inode size in xfs_file_readdir()
        [XFS] set b_error from bio error in xfs_buf_bio_end_io
        [XFS] use inode_change_ok for setattr permission checking
        [XFS] add a FMODE flag to make XFS invisible I/O less hacky
        [XFS] resync headers with libxfs
        [XFS] simplify projid check in xfs_rename
        [XFS] replace b_fspriv with b_mount
        [XFS] Remove unused tracing code
        [XFS] Remove unnecessary assertion
        [XFS] Remove unused variable in ktrace_free()
        [XFS] Check return value of xfs_buf_get_noaddr()
        [XFS] Fix hang after disallowed rename across directory quota domains
        [XFS] Fix compile with CONFIG_COMPAT enabled
        move inode tracing out of xfs_vnode.
        move vn_iowait / vn_iowake into xfs_aops.c
        ...
      6a94cb73