1. 16 Oct, 2016 1 commit
  2. 22 Sep, 2016 1 commit
  3. 07 Sep, 2016 1 commit
  4. 19 Aug, 2016 1 commit
    • Make the hardened user-copy code depend on having a hardened allocator · 6040e576
      Linus Torvalds authored
      The kernel test robot reported a usercopy failure in the new hardened
      sanity checks, due to a page-crossing copy of the FPU state into the
      task structure.
      
      This happened because the kernel test robot was testing with SLOB, which
      doesn't actually do the required book-keeping for slab allocations, and
      as a result the hardening code didn't realize that the task struct
      allocation was one single allocation - and the sanity checks fail.
      
      Since SLOB doesn't even claim to support hardening (and you really
      shouldn't use it), the straightforward solution is to just make the
      usercopy hardening code depend on the allocator supporting it.

      Reported-by: kernel test robot <xiaolong.ye@intel.com>
      Cc: Kees Cook <keescook@chromium.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  5. 27 Jul, 2016 1 commit
    • apparmor: fix SECURITY_APPARMOR_HASH_DEFAULT parameter handling · 7616ac70
      Arnd Bergmann authored
      The newly added Kconfig option could never work and just causes a build error
      when disabled:
      
      security/apparmor/lsm.c:675:25: error: 'CONFIG_SECURITY_APPARMOR_HASH_DEFAULT' undeclared here (not in a function)
       bool aa_g_hash_policy = CONFIG_SECURITY_APPARMOR_HASH_DEFAULT;
      
      The problem is that the macro is undefined in this case, and we need to use the IS_ENABLED()
      helper to turn it into a boolean constant.
      
      Another minor problem with the original patch is that the option is even offered
      in sysfs when SECURITY_APPARMOR_HASH is not enabled, so this also hides the option
      in that case.

      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Fixes: 6059f71f ("apparmor: add parameter to control whether policy hashing is used")
      Signed-off-by: John Johansen <john.johansen@canonical.com>
      Signed-off-by: James Morris <james.l.morris@oracle.com>
  6. 26 Jul, 2016 1 commit
    • mm: Hardened usercopy · f5509cc1
      Kees Cook authored
      This is the start of porting PAX_USERCOPY into the mainline kernel. This
      is the first set of features, controlled by CONFIG_HARDENED_USERCOPY. The
      work is based on code by PaX Team and Brad Spengler, and an earlier port
      from Casey Schaufler. Additional non-slab page tests are from Rik van Riel.
      
      This patch contains the logic for validating several conditions when
      performing copy_to_user() and copy_from_user() on the kernel object
      being copied to/from:
      - address range doesn't wrap around
      - address range isn't NULL or zero-allocated (with a non-zero copy size)
      - if on the slab allocator:
        - object size must be less than or equal to copy size (when check is
          implemented in the allocator, which appear in subsequent patches)
      - otherwise, object must not span page allocations (excepting Reserved
        and CMA ranges)
      - if on the stack
        - object must not extend before/after the current process stack
        - object must be contained by a valid stack frame (when there is
          arch/build support for identifying stack frames)
      - object must not overlap with kernel text

      Signed-off-by: Kees Cook <keescook@chromium.org>
      Tested-by: Valdis Kletnieks <valdis.kletnieks@vt.edu>
      Tested-by: Michael Ellerman <mpe@ellerman.id.au>
  7. 20 Jul, 2016 1 commit
  8. 12 Jul, 2016 24 commits
  9. 07 Jul, 2016 1 commit
    • apparmor: fix oops, validate buffer size in apparmor_setprocattr() · 30a46a46
      Vegard Nossum authored
      When proc_pid_attr_write() was changed to use memdup_user, apparmor's
      (interface violating) assumption that the setprocattr buffer was always
      a single page was violated.
      
      The size test is not strictly speaking needed as proc_pid_attr_write()
      will reject anything larger, but for the sake of robustness we can keep
      it in.
      
      SMACK and SELinux look safe to me, but somebody else should probably
      have a look just in case.
      
      Based on original patch from Vegard Nossum <vegard.nossum@oracle.com>
      modified for the case that apparmor provides null termination.
      
      Fixes: bb646cdb
      Reported-by: Vegard Nossum <vegard.nossum@oracle.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: John Johansen <john.johansen@canonical.com>
      Cc: Paul Moore <paul@paul-moore.com>
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Cc: Eric Paris <eparis@parisplace.org>
      Cc: Casey Schaufler <casey@schaufler-ca.com>
      Cc: stable@kernel.org
      Signed-off-by: John Johansen <john.johansen@canonical.com>
      Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
      Signed-off-by: James Morris <james.l.morris@oracle.com>
  10. 05 Jul, 2016 1 commit
  11. 29 Jun, 2016 7 commits