1. 19 Jul, 2011 1 commit
  2. 25 Apr, 2011 4 commits
  3. 22 Apr, 2011 1 commit
  4. 31 Mar, 2011 1 commit
  5. 09 Feb, 2011 2 commits
  6. 01 Feb, 2011 1 commit
    • Eric Paris's avatar
      fs/vfs/security: pass last path component to LSM on inode creation · 2a7dba39
      Eric Paris authored
      SELinux would like to implement a new labeling behavior of newly created
      inodes.  We currently label new inodes based on the parent and the creating
      process.  This new behavior would also take into account the name of the
      new object when deciding the new label.  This is not the (supposed) full path,
      just the last component of the path.
      This is very useful because creating /etc/shadow is different than creating
      /etc/passwd but the kernel hooks are unable to differentiate these
      operations.  We currently require that userspace realize it is doing some
      difficult operation like that and than userspace jumps through SELinux hoops
      to get things set up correctly.  This patch does not implement new
      behavior, that is obviously contained in a seperate SELinux patch, but it
      does pass the needed name down to the correct LSM hook.  If no such name
      exists it is fine to pass NULL.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
  7. 17 Jan, 2011 1 commit
    • Casey Schaufler's avatar
      Subject: [PATCH] Smack: mmap controls for library containment · 7898e1f8
      Casey Schaufler authored
        In the embedded world there are often situations
        where libraries are updated from a variety of sources,
        for a variety of reasons, and with any number of
        security characteristics. These differences
        might include privilege required for a given library
        provided interface to function properly, as occurs
        from time to time in graphics libraries. There are
        also cases where it is important to limit use of
        libraries based on the provider of the library and
        the security aware application may make choices
        based on that criteria.
        These issues are addressed by providing an additional
        Smack label that may optionally be assigned to an object,
        the SMACK64MMAP attribute. An mmap operation is allowed
        if there is no such attribute.
        If there is a SMACK64MMAP attribute the mmap is permitted
        only if a subject with that label has all of the access
        permitted a subject with the current task label.
        Security aware applications may from time to time
        wish to reduce their "privilege" to avoid accidental use
        of privilege. One case where this arises is the
        environment in which multiple sources provide libraries
        to perform the same functions. An application may know
        that it should eschew services made available from a
        particular vendor, or of a particular version.
        In support of this a secondary list of Smack rules has
        been added that is local to the task. This list is
        consulted only in the case where the global list has
        approved access. It can only further restrict access.
        Unlike the global last, if no entry is found on the
        local list access is granted. An application can add
        entries to its own list by writing to /smack/load-self.
        The changes appear large as they involve refactoring
        the list handling to accomodate there being more
        than one rule list.
      Signed-off-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
  8. 05 Jan, 2011 1 commit
  9. 07 Dec, 2010 1 commit
    • Jarkko Sakkinen's avatar
      Smack: Transmute labels on specified directories · 5c6d1125
      Jarkko Sakkinen authored
      In a situation where Smack access rules allow processes
      with multiple labels to write to a directory it is easy
      to get into a situation where the directory gets cluttered
      with files that the owner can't deal with because while
      they could be written to the directory a process at the
      label of the directory can't write them. This is generally
      the desired behavior, but when it isn't it is a real
      This patch introduces a new attribute SMACK64TRANSMUTE that
      instructs Smack to create the file with the label of the directory
      under certain circumstances.
      A new access mode, "t" for transmute, is made available to
      Smack access rules, which are expanded from "rwxa" to "rwxat".
      If a file is created in a directory marked as transmutable
      and if access was granted to perform the operation by a rule
      that included the transmute mode, then the file gets the
      Smack label of the directory instead of the Smack label of the
      creating process.
      Note that this is equivalent to creating an empty file at the
      label of the directory and then having the other process write
      to it. The transmute scheme requires that both the access rule
      allows transmutation and that the directory be explicitly marked.
      Signed-off-by: default avatarJarkko Sakkinen <ext-jarkko.2.sakkinen@nokia.com>
      Signed-off-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
  10. 02 Dec, 2010 1 commit
    • Casey Schaufler's avatar
      This patch adds a new security attribute to Smack called · 676dac4b
      Casey Schaufler authored
      SMACK64EXEC. It defines label that is used while task is
      Exception: in smack_task_wait() child task is checked
      for write access to parent task using label inherited
      from the task that forked it.
      Fixed issues from previous submit:
      - SMACK64EXEC was not read when SMACK64 was not set.
      - inode security blob was not updated after setting
      - inode security blob was not updated when removing
  11. 28 Nov, 2010 1 commit
    • Casey Schaufler's avatar
      Smack: UDS revision · b4e0d5f0
      Casey Schaufler authored
      This patch addresses a number of long standing issues
          with the way Smack treats UNIX domain sockets.
          All access control was being done based on the label of
          the file system object. This is inconsistant with the
          internet domain, in which access is done based on the
          IPIN and IPOUT attributes of the socket. As a result
          of the inode label policy it was not possible to use
          a UDS socket for label cognizant services, including
          dbus and the X11 server.
          Support for SCM_PEERSEC on UDS sockets is also provided.
      Signed-off-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
  12. 15 Nov, 2010 1 commit
  13. 20 Oct, 2010 2 commits
  14. 01 Aug, 2010 2 commits
  15. 16 Jun, 2010 1 commit
  16. 26 Apr, 2010 1 commit
  17. 07 Apr, 2010 1 commit
  18. 30 Mar, 2010 1 commit
    • Tejun Heo's avatar
      include cleanup: Update gfp.h and slab.h includes to prepare for breaking... · 5a0e3ad6
      Tejun Heo authored
      include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
      percpu.h is included by sched.h and module.h and thus ends up being
      included when building most .c files.  percpu.h includes slab.h which
      in turn includes gfp.h making everything defined by the two files
      universally available and complicating inclusion dependencies.
      percpu.h -> slab.h dependency is about to be removed.  Prepare for
      this change by updating users of gfp and slab facilities include those
      headers directly instead of assuming availability.  As this conversion
      needs to touch large number of source files, the following script is
      used as the basis of conversion.
      The script does the followings.
      * Scan files for gfp and slab usages and update includes such that
        only the necessary includes are there.  ie. if only gfp is used,
        gfp.h, if slab is used, slab.h.
      * When the script inserts a new include, it looks at the include
        blocks and try to put the new include such that its order conforms
        to its surrounding.  It's put in the include block which contains
        core kernel includes, in the same order that the rest are ordered -
        alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
        doesn't seem to be any matching order.
      * If the script can't find a place to put a new include (mostly
        because the file doesn't have fitting include block), it prints out
        an error message indicating which .h file needs to be added to the
      The conversion was done in the following steps.
      1. The initial automatic conversion of all .c files updated slightly
         over 4000 files, deleting around 700 includes and adding ~480 gfp.h
         and ~3000 slab.h inclusions.  The script emitted errors for ~400
      2. Each error was manually checked.  Some didn't need the inclusion,
         some needed manual addition while adding it to implementation .h or
         embedding .c file was more appropriate for others.  This step added
         inclusions to around 150 files.
      3. The script was run again and the output was compared to the edits
         from #2 to make sure no file was left behind.
      4. Several build tests were done and a couple of problems were fixed.
         e.g. lib/decompress_*.c used malloc/free() wrappers around slab
         APIs requiring slab.h to be added manually.
      5. The script was run on all .h files but without automatically
         editing them as sprinkling gfp.h and slab.h inclusions around .h
         files could easily lead to inclusion dependency hell.  Most gfp.h
         inclusion directives were ignored as stuff from gfp.h was usually
         wildly available and often used in preprocessor macros.  Each
         slab.h inclusion directive was examined and added manually as
      6. percpu.h was updated not to include slab.h.
      7. Build test were done on the following configurations and failures
         were fixed.  CONFIG_GCOV_KERNEL was turned off for all tests (as my
         distributed build env didn't work with gcov compiles) and a few
         more options had to be turned off depending on archs to make things
         build (like ipr on powerpc/64 which failed due to missing writeq).
         * x86 and x86_64 UP and SMP allmodconfig and a custom test config.
         * powerpc and powerpc64 SMP allmodconfig
         * sparc and sparc64 SMP allmodconfig
         * ia64 SMP allmodconfig
         * s390 SMP allmodconfig
         * alpha SMP allmodconfig
         * um on x86_64 SMP allmodconfig
      8. percpu.h modifications were reverted so that it could be applied as
         a separate patch and serve as bisection point.
      Given the fact that I had only a couple of failures from tests on step
      6, I'm fairly confident about the coverage of this conversion patch.
      If there is a breakage, it's likely to be something in one of the arch
      headers which should be easily discoverable easily on most builds of
      the specific arch.
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Guess-its-ok-by: default avatarChristoph Lameter <cl@linux-foundation.org>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
  19. 03 Mar, 2010 1 commit
    • Al Viro's avatar
      fix mnt_mountpoint abuse in smack · de27a5bf
      Al Viro authored
      (mnt,mnt_mountpoint) pair is conceptually wrong; if you want
      to use it for generating pathname and for nothing else *and*
      if you know that vfsmount tree is unchanging, you can get
      away with that, but the right solution for that is (mnt,mnt_root).
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
  20. 03 Feb, 2010 1 commit
  21. 20 Nov, 2009 1 commit
  22. 23 Sep, 2009 1 commit
  23. 09 Sep, 2009 2 commits
    • David P. Quigley's avatar
      sysfs: Add labeling support for sysfs · ddd29ec6
      David P. Quigley authored
      This patch adds a setxattr handler to the file, directory, and symlink
      inode_operations structures for sysfs. The patch uses hooks introduced in the
      previous patch to handle the getting and setting of security information for
      the sysfs inodes. As was suggested by Eric Biederman the struct iattr in the
      sysfs_dirent structure has been replaced by a structure which contains the
      iattr, secdata and secdata length to allow the changes to persist in the event
      that the inode representing the sysfs_dirent is evicted. Because sysfs only
      stores this information when a change is made all the optional data is moved
      into one dynamically allocated field.
      This patch addresses an issue where SELinux was denying virtd access to the PCI
      configuration entries in sysfs. The lack of setxattr handlers for sysfs
      required that a single label be assigned to all entries in sysfs. Granting virtd
      access to every entry in sysfs is not an acceptable solution so fine grained
      labeling of sysfs is required such that individual entries can be labeled
      [sds:  Fixed compile-time warnings, coding style, and setting of inode security init flags.]
      Signed-off-by: default avatarDavid P. Quigley <dpquigl@tycho.nsa.gov>
      Signed-off-by: default avatarStephen D. Smalley <sds@tycho.nsa.gov>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
    • David P. Quigley's avatar
      LSM/SELinux: inode_{get,set,notify}secctx hooks to access LSM security context information. · 1ee65e37
      David P. Quigley authored
      This patch introduces three new hooks. The inode_getsecctx hook is used to get
      all relevant information from an LSM about an inode. The inode_setsecctx is
      used to set both the in-core and on-disk state for the inode based on a context
      derived from inode_getsecctx.The final hook inode_notifysecctx will notify the
      LSM of a change for the in-core state of the inode in question. These hooks are
      for use in the labeled NFS code and addresses concerns of how to set security
      on an inode in a multi-xattr LSM. For historical reasons Stephen Smalley's
      explanation of the reason for these hooks is pasted below.
      Quote Stephen Smalley
      inode_setsecctx:  Change the security context of an inode.  Updates the
      in core security context managed by the security module and invokes the
      fs code as needed (via __vfs_setxattr_noperm) to update any backing
      xattrs that represent the context.  Example usage:  NFS server invokes
      this hook to change the security context in its incore inode and on the
      backing file system to a value provided by the client on a SETATTR
      inode_notifysecctx:  Notify the security module of what the security
      context of an inode should be.  Initializes the incore security context
      managed by the security module for this inode.  Example usage:  NFS
      client invokes this hook to initialize the security context in its
      incore inode to the value provided by the server for the file when the
      server returned the file's attributes to the client.
      Signed-off-by: default avatarDavid P. Quigley <dpquigl@tycho.nsa.gov>
      Acked-by: default avatarSerge Hallyn <serue@us.ibm.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
  24. 02 Sep, 2009 1 commit
    • David Howells's avatar
      KEYS: Add a keyctl to install a process's session keyring on its parent [try #6] · ee18d64c
      David Howells authored
      Add a keyctl to install a process's session keyring onto its parent.  This
      replaces the parent's session keyring.  Because the COW credential code does
      not permit one process to change another process's credentials directly, the
      change is deferred until userspace next starts executing again.  Normally this
      will be after a wait*() syscall.
      To support this, three new security hooks have been provided:
      cred_alloc_blank() to allocate unset security creds, cred_transfer() to fill in
      the blank security creds and key_session_to_parent() - which asks the LSM if
      the process may replace its parent's session keyring.
      The replacement may only happen if the process has the same ownership details
      as its parent, and the process has LINK permission on the session keyring, and
      the session keyring is owned by the process, and the LSM permits it.
      Note that this requires alteration to each architecture's notify_resume path.
      This has been done for all arches barring blackfin, m68k* and xtensa, all of
      which need assembly alteration to support TIF_NOTIFY_RESUME.  This allows the
      replacement to be performed at the point the parent process resumes userspace
      This allows the userspace AFS pioctl emulation to fully emulate newpag() and
      the VIOCSETTOK and VIOCSETTOK2 pioctls, all of which require the ability to
      alter the parent process's PAG membership.  However, since kAFS doesn't use
      PAGs per se, but rather dumps the keys into the session keyring, the session
      keyring of the parent must be replaced if, for example, VIOCSETTOK is passed
      the newpag flag.
      This can be tested with the following program:
      	#include <stdio.h>
      	#include <stdlib.h>
      	#include <keyutils.h>
      	#define KEYCTL_SESSION_TO_PARENT	18
      	#define OSERROR(X, S) do { if ((long)(X) == -1) { perror(S); exit(1); } } while(0)
      	int main(int argc, char **argv)
      		key_serial_t keyring, key;
      		long ret;
      		keyring = keyctl_join_session_keyring(argv[1]);
      		OSERROR(keyring, "keyctl_join_session_keyring");
      		key = add_key("user", "a", "b", 1, keyring);
      		OSERROR(key, "add_key");
      		ret = keyctl(KEYCTL_SESSION_TO_PARENT);
      		return 0;
      Compiled and linked with -lkeyutils, you should see something like:
      	[dhowells@andromeda ~]$ keyctl show
      	Session Keyring
      	       -3 --alswrv   4043  4043  keyring: _ses
      	355907932 --alswrv   4043    -1   \_ keyring: _uid.4043
      	[dhowells@andromeda ~]$ /tmp/newpag
      	[dhowells@andromeda ~]$ keyctl show
      	Session Keyring
      	       -3 --alswrv   4043  4043  keyring: _ses
      	1055658746 --alswrv   4043  4043   \_ user: a
      	[dhowells@andromeda ~]$ /tmp/newpag hello
      	[dhowells@andromeda ~]$ keyctl show
      	Session Keyring
      	       -3 --alswrv   4043  4043  keyring: hello
      	340417692 --alswrv   4043  4043   \_ user: a
      Where the test program creates a new session keyring, sticks a user key named
      'a' into it and then installs it on its parent.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
  25. 05 Aug, 2009 1 commit
  26. 24 Jun, 2009 1 commit
  27. 27 May, 2009 1 commit
  28. 17 Apr, 2009 1 commit
  29. 13 Apr, 2009 1 commit
  30. 27 Mar, 2009 3 commits
    • Etienne Basset's avatar
      smack: Add a new '-CIPSO' option to the network address label configuration · 4303154e
      Etienne Basset authored
      This patch adds a new special option '-CIPSO' to the Smack subsystem. When used
      in the netlabel list, it means "use CIPSO networking". A use case is when your
      local network speaks CIPSO and you want also to connect to the unlabeled
      Internet. This patch also add some documentation describing that. The patch
      also corrects an oops when setting a '' SMACK64 xattr to a file.
      Signed-off-by: default avatarEtienne Basset <etienne.basset@numericable.fr>
      Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
      Acked-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
    • Paul Moore's avatar
      netlabel: Cleanup the Smack/NetLabel code to fix incoming TCP connections · 07feee8f
      Paul Moore authored
      This patch cleans up a lot of the Smack network access control code.  The
      largest changes are to fix the labeling of incoming TCP connections in a
      manner similar to the recent SELinux changes which use the
      security_inet_conn_request() hook to label the request_sock and let the label
      move to the child socket via the normal network stack mechanisms.  In addition
      to the incoming TCP connection fixes this patch also removes the smk_labled
      field from the socket_smack struct as the minor optimization advantage was
      outweighed by the difficulty in maintaining it's proper state.
      Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
      Acked-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
    • Paul Moore's avatar
      netlabel: Label incoming TCP connections correctly in SELinux · 389fb800
      Paul Moore authored
      The current NetLabel/SELinux behavior for incoming TCP connections works but
      only through a series of happy coincidences that rely on the limited nature of
      standard CIPSO (only able to convey MLS attributes) and the write equality
      imposed by the SELinux MLS constraints.  The problem is that network sockets
      created as the result of an incoming TCP connection were not on-the-wire
      labeled based on the security attributes of the parent socket but rather based
      on the wire label of the remote peer.  The issue had to do with how IP options
      were managed as part of the network stack and where the LSM hooks were in
      relation to the code which set the IP options on these newly created child
      sockets.  While NetLabel/SELinux did correctly set the socket's on-the-wire
      label it was promptly cleared by the network stack and reset based on the IP
      options of the remote peer.
      This patch, in conjunction with a prior patch that adjusted the LSM hook
      locations, works to set the correct on-the-wire label format for new incoming
      connections through the security_inet_conn_request() hook.  Besides the
      correct behavior there are many advantages to this change, the most significant
      is that all of the NetLabel socket labeling code in SELinux now lives in hooks
      which can return error codes to the core stack which allows us to finally get
      ride of the selinux_netlbl_inode_permission() logic which greatly simplfies
      the NetLabel/SELinux glue code.  In the process of developing this patch I
      also ran into a small handful of AF_INET6 cleanliness issues that have been
      fixed which should make the code safer and easier to extend in the future.
      Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
      Acked-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
  31. 25 Mar, 2009 1 commit