1. 02 Mar, 2017 6 commits
  2. 01 Mar, 2017 2 commits
    • Stephen Smalley's avatar
      selinux: wrap cgroup seclabel support with its own policy capability · 2651225b
      Stephen Smalley authored
      commit 1ea0ce40 ("selinux: allow
      changing labels for cgroupfs") broke the Android init program,
      which looks up security contexts whenever creating directories
      and attempts to assign them via setfscreatecon().
      When creating subdirectories in cgroup mounts, this would previously
      be ignored since cgroup did not support userspace setting of security
      contexts.  However, after the commit, SELinux would attempt to honor
      the requested context on cgroup directories and fail due to permission
      denial.  Avoid breaking existing userspace/policy by wrapping this change
      with a conditional on a new cgroup_seclabel policy capability.  This
      preserves existing behavior until/unless a new policy explicitly enables
      this capability.
      Reported-by: default avatarJohn Stultz <john.stultz@linaro.org>
      Signed-off-by: Stephen Smalley's avatarStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
      Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
      2651225b
    • David Howells's avatar
      KEYS: Differentiate uses of rcu_dereference_key() and user_key_payload() · 0837e49a
      David Howells authored
      rcu_dereference_key() and user_key_payload() are currently being used in
      two different, incompatible ways:
      
       (1) As a wrapper to rcu_dereference() - when only the RCU read lock used
           to protect the key.
      
       (2) As a wrapper to rcu_dereference_protected() - when the key semaphor is
           used to protect the key and the may be being modified.
      
      Fix this by splitting both of the key wrappers to produce:
      
       (1) RCU accessors for keys when caller has the key semaphore locked:
      
      	dereference_key_locked()
      	user_key_payload_locked()
      
       (2) RCU accessors for keys when caller holds the RCU read lock:
      
      	dereference_key_rcu()
      	user_key_payload_rcu()
      
      This should fix following warning in the NFS idmapper
      
        ===============================
        [ INFO: suspicious RCU usage. ]
        4.10.0 #1 Tainted: G        W
        -------------------------------
        ./include/keys/user-type.h:53 suspicious rcu_dereference_protected() usage!
        other info that might help us debug this:
        rcu_scheduler_active = 2, debug_locks = 0
        1 lock held by mount.nfs/5987:
          #0:  (rcu_read_lock){......}, at: [<d000000002527abc>] nfs_idmap_get_key+0x15c/0x420 [nfsv4]
        stack backtrace:
        CPU: 1 PID: 5987 Comm: mount.nfs Tainted: G        W       4.10.0 #1
        Call Trace:
          dump_stack+0xe8/0x154 (unreliable)
          lockdep_rcu_suspicious+0x140/0x190
          nfs_idmap_get_key+0x380/0x420 [nfsv4]
          nfs_map_name_to_uid+0x2a0/0x3b0 [nfsv4]
          decode_getfattr_attrs+0xfac/0x16b0 [nfsv4]
          decode_getfattr_generic.constprop.106+0xbc/0x150 [nfsv4]
          nfs4_xdr_dec_lookup_root+0xac/0xb0 [nfsv4]
          rpcauth_unwrap_resp+0xe8/0x140 [sunrpc]
          call_decode+0x29c/0x910 [sunrpc]
          __rpc_execute+0x140/0x8f0 [sunrpc]
          rpc_run_task+0x170/0x200 [sunrpc]
          nfs4_call_sync_sequence+0x68/0xa0 [nfsv4]
          _nfs4_lookup_root.isra.44+0xd0/0xf0 [nfsv4]
          nfs4_lookup_root+0xe0/0x350 [nfsv4]
          nfs4_lookup_root_sec+0x70/0xa0 [nfsv4]
          nfs4_find_root_sec+0xc4/0x100 [nfsv4]
          nfs4_proc_get_rootfh+0x5c/0xf0 [nfsv4]
          nfs4_get_rootfh+0x6c/0x190 [nfsv4]
          nfs4_server_common_setup+0xc4/0x260 [nfsv4]
          nfs4_create_server+0x278/0x3c0 [nfsv4]
          nfs4_remote_mount+0x50/0xb0 [nfsv4]
          mount_fs+0x74/0x210
          vfs_kern_mount+0x78/0x220
          nfs_do_root_mount+0xb0/0x140 [nfsv4]
          nfs4_try_mount+0x60/0x100 [nfsv4]
          nfs_fs_mount+0x5ec/0xda0 [nfs]
          mount_fs+0x74/0x210
          vfs_kern_mount+0x78/0x220
          do_mount+0x254/0xf70
          SyS_mount+0x94/0x100
          system_call+0x38/0xe0
      Reported-by: Jan Stancek's avatarJan Stancek <jstancek@redhat.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Tested-by: Jan Stancek's avatarJan Stancek <jstancek@redhat.com>
      Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
      0837e49a
  3. 28 Feb, 2017 1 commit
  4. 25 Feb, 2017 1 commit
  5. 10 Feb, 2017 2 commits
  6. 08 Feb, 2017 2 commits
    • Stephen Smalley's avatar
      selinux: fix off-by-one in setprocattr · 0c461cb7
      Stephen Smalley authored
      SELinux tries to support setting/clearing of /proc/pid/attr attributes
      from the shell by ignoring terminating newlines and treating an
      attribute value that begins with a NUL or newline as an attempt to
      clear the attribute.  However, the test for clearing attributes has
      always been wrong; it has an off-by-one error, and this could further
      lead to reading past the end of the allocated buffer since commit
      bb646cdb ("proc_pid_attr_write():
      switch to memdup_user()").  Fix the off-by-one error.
      
      Even with this fix, setting and clearing /proc/pid/attr attributes
      from the shell is not straightforward since the interface does not
      support multiple write() calls (so shells that write the value and
      newline separately will set and then immediately clear the attribute,
      requiring use of echo -n to set the attribute), whereas trying to use
      echo -n "" to clear the attribute causes the shell to skip the
      write() call altogether since POSIX says that a zero-length write
      causes no side effects. Thus, one must use echo -n to set and echo
      without -n to clear, as in the following example:
      $ echo -n unconfined_u:object_r:user_home_t:s0 > /proc/$$/attr/fscreate
      $ cat /proc/$$/attr/fscreate
      unconfined_u:object_r:user_home_t:s0
      $ echo "" > /proc/$$/attr/fscreate
      $ cat /proc/$$/attr/fscreate
      
      Note the use of /proc/$$ rather than /proc/self, as otherwise
      the cat command will read its own attribute value, not that of the shell.
      
      There are no users of this facility to my knowledge; possibly we
      should just get rid of it.
      
      UPDATE: Upon further investigation it appears that a local process
      with the process:setfscreate permission can cause a kernel panic as a
      result of this bug.  This patch fixes CVE-2017-2618.
      Signed-off-by: Stephen Smalley's avatarStephen Smalley <sds@tycho.nsa.gov>
      [PM: added the update about CVE-2017-2618 to the commit description]
      Cc: stable@vger.kernel.org # 3.5: d6ea83ecSigned-off-by: default avatarPaul Moore <paul@paul-moore.com>
      Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
      0c461cb7
    • Antonio Murdaca's avatar
      selinux: allow changing labels for cgroupfs · 1ea0ce40
      Antonio Murdaca authored
      This patch allows changing labels for cgroup mounts. Previously, running
      chcon on cgroupfs would throw an "Operation not supported". This patch
      specifically whitelist cgroupfs.
      
      The patch could also allow containers to write only to the systemd cgroup
      for instance, while the other cgroups are kept with cgroup_t label.
      Signed-off-by: default avatarAntonio Murdaca <runcom@redhat.com>
      Acked-by: Stephen Smalley's avatarStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
      1ea0ce40
  7. 07 Feb, 2017 1 commit
    • Stephen Smalley's avatar
      selinux: fix off-by-one in setprocattr · a050a570
      Stephen Smalley authored
      SELinux tries to support setting/clearing of /proc/pid/attr attributes
      from the shell by ignoring terminating newlines and treating an
      attribute value that begins with a NUL or newline as an attempt to
      clear the attribute.  However, the test for clearing attributes has
      always been wrong; it has an off-by-one error, and this could further
      lead to reading past the end of the allocated buffer since commit
      bb646cdb ("proc_pid_attr_write():
      switch to memdup_user()").  Fix the off-by-one error.
      
      Even with this fix, setting and clearing /proc/pid/attr attributes
      from the shell is not straightforward since the interface does not
      support multiple write() calls (so shells that write the value and
      newline separately will set and then immediately clear the attribute,
      requiring use of echo -n to set the attribute), whereas trying to use
      echo -n "" to clear the attribute causes the shell to skip the
      write() call altogether since POSIX says that a zero-length write
      causes no side effects. Thus, one must use echo -n to set and echo
      without -n to clear, as in the following example:
      $ echo -n unconfined_u:object_r:user_home_t:s0 > /proc/$$/attr/fscreate
      $ cat /proc/$$/attr/fscreate
      unconfined_u:object_r:user_home_t:s0
      $ echo "" > /proc/$$/attr/fscreate
      $ cat /proc/$$/attr/fscreate
      
      Note the use of /proc/$$ rather than /proc/self, as otherwise
      the cat command will read its own attribute value, not that of the shell.
      
      There are no users of this facility to my knowledge; possibly we
      should just get rid of it.
      
      UPDATE: Upon further investigation it appears that a local process
      with the process:setfscreate permission can cause a kernel panic as a
      result of this bug.  This patch fixes CVE-2017-2618.
      Signed-off-by: Stephen Smalley's avatarStephen Smalley <sds@tycho.nsa.gov>
      [PM: added the update about CVE-2017-2618 to the commit description]
      Cc: stable@vger.kernel.org # 3.5: d6ea83ecSigned-off-by: default avatarPaul Moore <paul@paul-moore.com>
      a050a570
  8. 27 Jan, 2017 2 commits
  9. 24 Jan, 2017 1 commit
    • Krister Johansen's avatar
      Introduce a sysctl that modifies the value of PROT_SOCK. · 4548b683
      Krister Johansen authored
      Add net.ipv4.ip_unprivileged_port_start, which is a per namespace sysctl
      that denotes the first unprivileged inet port in the namespace.  To
      disable all privileged ports set this to zero.  It also checks for
      overlap with the local port range.  The privileged and local range may
      not overlap.
      
      The use case for this change is to allow containerized processes to bind
      to priviliged ports, but prevent them from ever being allowed to modify
      their container's network configuration.  The latter is accomplished by
      ensuring that the network namespace is not a child of the user
      namespace.  This modification was needed to allow the container manager
      to disable a namespace's priviliged port restrictions without exposing
      control of the network namespace to processes in the user namespace.
      Signed-off-by: default avatarKrister Johansen <kjlx@templeofstupid.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4548b683
  10. 23 Jan, 2017 3 commits
  11. 19 Jan, 2017 3 commits
    • Greg Kroah-Hartman's avatar
      Introduce STATIC_USERMODEHELPER to mediate call_usermodehelper() · 64e90a8a
      Greg Kroah-Hartman authored
      Some usermode helper applications are defined at kernel build time, while
      others can be changed at runtime.  To provide a sane way to filter these, add a
      new kernel option "STATIC_USERMODEHELPER".  This option routes all
      call_usermodehelper() calls through this binary, no matter what the caller
      wishes to have called.
      
      The new binary (by default set to /sbin/usermode-helper, but can be changed
      through the STATIC_USERMODEHELPER_PATH option) can properly filter the
      requested programs to be run by the kernel by looking at the first argument
      that is passed to it.  All other options should then be passed onto the proper
      program if so desired.
      
      To disable all call_usermodehelper() calls by the kernel, set
      STATIC_USERMODEHELPER_PATH to an empty string.
      
      Thanks to Neil Brown for the idea of this feature.
      
      Cc: NeilBrown <neilb@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      64e90a8a
    • Greg Kroah-Hartman's avatar
      Make static usermode helper binaries constant · 377e7a27
      Greg Kroah-Hartman authored
      There are a number of usermode helper binaries that are "hard coded" in
      the kernel today, so mark them as "const" to make it harder for someone
      to change where the variables point to.
      
      Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
      Cc: Thomas Sailer <t.sailer@alumni.ethz.ch>
      Cc: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
      Cc: Johan Hovold <johan@kernel.org>
      Cc: Alex Elder <elder@kernel.org>
      Cc: "J. Bruce Fields" <bfields@fieldses.org>
      Cc: Jeff Layton <jlayton@poochiereds.net>
      Cc: David Howells <dhowells@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      377e7a27
    • Casey Schaufler's avatar
      LSM: Add /sys/kernel/security/lsm · d69dece5
      Casey Schaufler authored
      I am still tired of having to find indirect ways to determine
      what security modules are active on a system. I have added
      /sys/kernel/security/lsm, which contains a comma separated
      list of the active security modules. No more groping around
      in /proc/filesystems or other clever hacks.
      
      Unchanged from previous versions except for being updated
      to the latest security next branch.
      Signed-off-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      Acked-by: default avatarJohn Johansen <john.johansen@canonical.com>
      Acked-by: default avatarPaul Moore <paul@paul-moore.com>
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
      d69dece5
  12. 16 Jan, 2017 16 commits