1. 09 Aug, 2016 3 commits
  2. 21 Jul, 2016 1 commit
  3. 06 Jun, 2016 1 commit
    • Casey Schaufler's avatar
      LSM: Fix for security_inode_getsecurity and -EOPNOTSUPP · 2885c1e3
      Casey Schaufler authored
      Serge Hallyn pointed out that the current implementation of
      security_inode_getsecurity() works if there is only one hook
      provided for it, but will fail if there is more than one and
      the attribute requested isn't supplied by the first module.
      This isn't a problem today, since only SELinux and Smack
      provide this hook and there is (currently) no way to enable
      both of those modules at the same time. Serge, however, wants
      to introduce a capability attribute and an inode_getsecurity
      hook in the capability security module to handle it. This
      addresses that upcoming problem, will be required for "extreme
      stacking" and is just a better implementation.
      Signed-off-by: default avatarCasey Schaufler <[email protected]>
      Acked-by: Serge Hallyn's avatarSerge Hallyn <[email protected]>
      Signed-off-by: default avatarJames Morris <[email protected]>
  4. 22 Apr, 2016 1 commit
  5. 21 Apr, 2016 1 commit
  6. 11 Apr, 2016 1 commit
  7. 28 Mar, 2016 9 commits
  8. 21 Feb, 2016 4 commits
    • Mimi Zohar's avatar
      module: replace copy_module_from_fd with kernel version · a1db7420
      Mimi Zohar authored
      Replace copy_module_from_fd() with kernel_read_file_from_fd().
      Although none of the upstreamed LSMs define a kernel_module_from_file
      hook, IMA is called, based on policy, to prevent unsigned kernel modules
      from being loaded by the original kernel module syscall and to
      measure/appraise signed kernel modules.
      The security function security_kernel_module_from_file() was called prior
      to reading a kernel module.  Preventing unsigned kernel modules from being
      loaded by the original kernel module syscall remains on the pre-read
      kernel_read_file() security hook.  Instead of reading the kernel module
      twice, once for measuring/appraising and again for loading the kernel
      module, the signature validation is moved to the kernel_post_read_file()
      security hook.
      This patch removes the security_kernel_module_from_file() hook and security
      Signed-off-by: default avatarMimi Zohar <[email protected]>
      Acked-by: default avatarKees Cook <[email protected]>
      Acked-by: default avatarLuis R. Rodriguez <[email protected]>
      Cc: Rusty Russell <[email protected]>
    • Mimi Zohar's avatar
      security: define kernel_read_file hook · 39eeb4fb
      Mimi Zohar authored
      The kernel_read_file security hook is called prior to reading the file
      into memory.
      Changelog v4+:
      - export security_kernel_read_file()
      Signed-off-by: default avatarMimi Zohar <[email protected]>
      Acked-by: default avatarKees Cook <[email protected]>
      Acked-by: default avatarLuis R. Rodriguez <[email protected]>
      Acked-by: default avatarCasey Schaufler <[email protected]>
    • Mimi Zohar's avatar
      firmware: replace call to fw_read_file_contents() with kernel version · e40ba6d5
      Mimi Zohar authored
      Replace the fw_read_file_contents with kernel_file_read_from_path().
      Although none of the upstreamed LSMs define a kernel_fw_from_file hook,
      IMA is called by the security function to prevent unsigned firmware from
      being loaded and to measure/appraise signed firmware, based on policy.
      Instead of reading the firmware twice, once for measuring/appraising the
      firmware and again for reading the firmware contents into memory, the
      kernel_post_read_file() security hook calculates the file hash based on
      the in memory file buffer.  The firmware is read once.
      This patch removes the LSM kernel_fw_from_file() hook and security call.
      Changelog v4+:
      - revert dropped buf->size assignment - reported by Sergey Senozhatsky
      - remove kernel_fw_from_file hook
      - use kernel_file_read_from_path() - requested by Luis
      - reordered and squashed firmware patches
      - fix MAX firmware size (Kees Cook)
      Signed-off-by: default avatarMimi Zohar <[email protected]>
      Acked-by: default avatarKees Cook <[email protected]>
      Acked-by: default avatarLuis R. Rodriguez <[email protected]>
    • Mimi Zohar's avatar
      ima: define a new hook to measure and appraise a file already in memory · cf222217
      Mimi Zohar authored
      This patch defines a new IMA hook ima_post_read_file() for measuring
      and appraising files read by the kernel. The caller loads the file into
      memory before calling this function, which calculates the hash followed by
      the normal IMA policy based processing.
      Changelog v5:
      - fail ima_post_read_file() if either file or buf is NULL
      - rename ima_hash_and_process_file() to ima_post_read_file()
      - split patch
      Signed-off-by: default avatarMimi Zohar <[email protected]>
      Acked-by: default avatarDmitry Kasatkin <[email protected]>
  9. 18 Feb, 2016 2 commits
  10. 24 Dec, 2015 3 commits
  11. 25 Aug, 2015 1 commit
  12. 28 Jul, 2015 1 commit
  13. 10 Jul, 2015 1 commit
    • Eric W. Biederman's avatar
      vfs: Commit to never having exectuables on proc and sysfs. · 90f8572b
      Eric W. Biederman authored
      Today proc and sysfs do not contain any executable files.  Several
      applications today mount proc or sysfs without noexec and nosuid and
      then depend on there being no exectuables files on proc or sysfs.
      Having any executable files show on proc or sysfs would cause
      a user space visible regression, and most likely security problems.
      Therefore commit to never allowing executables on proc and sysfs by
      adding a new flag to mark them as filesystems without executables and
      enforce that flag.
      Test the flag where MNT_NOEXEC is tested today, so that the only user
      visible effect will be that exectuables will be treated as if the
      execute bit is cleared.
      The filesystems proc and sysfs do not currently incoporate any
      executable files so this does not result in any user visible effects.
      This makes it unnecessary to vet changes to proc and sysfs tightly for
      adding exectuable files or changes to chattr that would modify
      existing files, as no matter what the individual file say they will
      not be treated as exectuable files by the vfs.
      Not having to vet changes to closely is important as without this we
      are only one proc_create call (or another goof up in the
      implementation of notify_change) from having problematic executables
      on proc.  Those mistakes are all too easy to make and would create
      a situation where there are security issues or the assumptions of
      some program having to be broken (and cause userspace regressions).
      Signed-off-by: default avatar"Eric W. Biederman" <[email protected]>
  14. 12 May, 2015 3 commits
  15. 11 May, 2015 2 commits
    • NeilBrown's avatar
      security: make inode_follow_link RCU-walk aware · bda0be7a
      NeilBrown authored
      inode_follow_link now takes an inode and rcu flag as well as the
      inode is used in preference to d_backing_inode(dentry), particularly
      in RCU-walk mode.
      selinux_inode_follow_link() gets dentry_has_perm() and
      inode_has_perm() open-coded into it so that it can call
      avc_has_perm_flags() in way that is safe if LOOKUP_RCU is set.
      Calling avc_has_perm_flags() with rcu_read_lock() held means
      that when avc_has_perm_noaudit calls avc_compute_av(), the attempt
      to rcu_read_unlock() before calling security_compute_av() will not
      actually drop the RCU read-lock.
      However as security_compute_av() is completely in a read_lock()ed
      region, it should be safe with the RCU read-lock held.
      Signed-off-by: default avatarNeilBrown <[email protected]>
      Signed-off-by: default avatarAl Viro <[email protected]>
    • NeilBrown's avatar
      SECURITY: remove nameidata arg from inode_follow_link. · 37882db0
      NeilBrown authored
      No ->inode_follow_link() methods use the nameidata arg, and
      it is about to become private to namei.c.
      So remove from all inode_follow_link() functions.
      Signed-off-by: default avatarNeilBrown <[email protected]>
      Signed-off-by: default avatarAl Viro <[email protected]>
  16. 15 Apr, 2015 1 commit
  17. 12 Apr, 2015 1 commit
  18. 21 Mar, 2015 1 commit
  19. 25 Jan, 2015 1 commit
    • Stephen Smalley's avatar
      Add security hooks to binder and implement the hooks for SELinux. · 79af7307
      Stephen Smalley authored
      Add security hooks to the binder and implement the hooks for SELinux.
      The security hooks enable security modules such as SELinux to implement
      controls over binder IPC.  The security hooks include support for
      controlling what process can become the binder context manager
      (binder_set_context_mgr), controlling the ability of a process
      to invoke a binder transaction/IPC to another process (binder_transaction),
      controlling the ability of a process to transfer a binder reference to
      another process (binder_transfer_binder), and controlling the ability
      of a process to transfer an open file to another process (binder_transfer_file).
      These hooks have been included in the Android kernel trees since Android 4.3.
      (Updated to reflect upstream relocation and changes to the binder driver,
      changes to the LSM audit data structures, coding style cleanups, and
      to add inline documentation for the hooks).
      Signed-off-by: Stephen Smalley's avatarStephen Smalley <[email protected]>
      Acked-by: Nick Kralevich's avatarNick Kralevich <[email protected]>
      Acked-by: default avatarJeffrey Vander Stoep <[email protected]>
      Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
  20. 20 Jan, 2015 1 commit
  21. 09 Sep, 2014 1 commit