1. 12 Feb, 2019 1 commit
    • smack: fix access permissions for keyring · ea2e6a09
      Zoran Markovic authored
      [ Upstream commit 5b841bfa ]
      
      Function smack_key_permission() only issues smack requests for the
      following operations:
       - KEY_NEED_READ (issues MAY_READ)
       - KEY_NEED_WRITE (issues MAY_WRITE)
       - KEY_NEED_LINK (issues MAY_WRITE)
       - KEY_NEED_SETATTR (issues MAY_WRITE)
      A blank smack request is issued in all other cases, resulting in
      smack access being granted if there is any rule defined between
      subject and object, or denied with -EACCES otherwise.
      
      Request MAY_READ access for KEY_NEED_SEARCH and KEY_NEED_VIEW.
      Fix the logic in the unlikely case when both MAY_READ and
      MAY_WRITE are needed. Validate access permission field for valid
      contents.
      Signed-off-by: Zoran Markovic <zmarkovic@sierrawireless.com>
      Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
      Cc: Casey Schaufler <casey@schaufler-ca.com>
      Cc: James Morris <jmorris@namei.org>
      Cc: "Serge E. Hallyn" <serge@hallyn.com>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
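The before/after mapping the commit message describes, as an added stand-alone C model (not kernel code): the KEY_NEED_* and MAY_* bit values mirror the kernel headers, while smack_access_model, NO_RULE and the rule values used in main are constructed for the demonstration.

```c
#include <errno.h>
#include <stdio.h>

/* Bit values mirror the kernel's KEY_NEED_* and MAY_* constants and are
 * defined locally so this runs stand-alone; NO_RULE is constructed. */
#define KEY_NEED_VIEW     0x01
#define KEY_NEED_READ     0x02
#define KEY_NEED_WRITE    0x04
#define KEY_NEED_SEARCH   0x08
#define KEY_NEED_LINK     0x10
#define KEY_NEED_SETATTR  0x20
#define KEY_NEED_ALL      0x3f
#define MAY_WRITE         0x2
#define MAY_READ          0x4
#define NO_RULE           (-1)

/* Constructed model of the Smack decision for one subject/object pair:
 * grant when every requested bit is in the rule.  A blank request (0) is
 * therefore granted by ANY rule, the case the commit message describes. */
static int smack_access_model(int rule_may, int request)
{
	if (rule_may == NO_RULE)
		return -EACCES;
	return (request & ~rule_may) ? -EACCES : 0;
}

/* Before the fix (reconstructed from the description, not kernel code):
 * SEARCH/VIEW produce no request, and assignment drops MAY_READ for READ+WRITE. */
static int key_permission_before(int perm, int rule_may)
{
	int request = 0;
	if (perm & KEY_NEED_READ)
		request = MAY_READ;
	if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETATTR))
		request = MAY_WRITE;
	return smack_access_model(rule_may, request);
}

/* After the fix: reject unknown bits, map SEARCH and VIEW to MAY_READ,
 * and OR the bits so READ+WRITE asks for both. */
static int key_permission_after(int perm, int rule_may)
{
	int request = 0;
	if (perm & ~KEY_NEED_ALL)
		return -EINVAL;
	if (perm & (KEY_NEED_READ | KEY_NEED_SEARCH | KEY_NEED_VIEW))
		request |= MAY_READ;
	if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETATTR))
		request |= MAY_WRITE;
	return smack_access_model(rule_may, request);
}

int main(void)
{
	/* Constructed rule: the subject holds only a write rule on the key. */
	printf("VIEW: before=%d after=%d\n",
	       key_permission_before(KEY_NEED_VIEW, MAY_WRITE),
	       key_permission_after(KEY_NEED_VIEW, MAY_WRITE));
	return 0;
}
```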
  2. 26 Jan, 2019 1 commit
    • selinux: always allow mounting submounts · cf635148
      Ondrej Mosnáček authored
      [ Upstream commit 2cbdcb88 ]
      
      If a superblock has the MS_SUBMOUNT flag set, we should always allow
      mounting it. These mounts are done automatically by the kernel either as
      part of mounting some parent mount (e.g. debugfs always mounts tracefs
      under "tracing" for compatibility) or they are mounted automatically as
      needed on subdirectory accesses (e.g. NFS crossmnt mounts). Since such
      automounts are either an implicit consequence of the parent mount (which
      is already checked) or they can happen during regular accesses (where it
      doesn't make sense to check against the current task's context), the
      mount permission check should be skipped for them.
      
      Without this patch, attempts to access contents of an automounted
      directory can cause unexpected SELinux denials.
      
      In the current kernel tree, the MS_SUBMOUNT flag is set only via
      vfs_submount(), which is called only from the following places:
       - AFS, when automounting special "symlinks" referencing other cells
       - CIFS, when automounting "referrals"
       - NFS, when automounting subtrees
       - debugfs, when automounting tracefs
      
      In all cases the submounts are meant to be transparent to the user and
      it makes sense that if mounting the master is allowed, then so should be
      the automounts. Note that CAP_SYS_ADMIN capability checking is already
      skipped for (SB_KERNMOUNT|SB_SUBMOUNT) in:
       - sget_userns() in fs/super.c:
      	if (!(flags & (SB_KERNMOUNT|SB_SUBMOUNT)) &&
      	    !(type->fs_flags & FS_USERNS_MOUNT) &&
      	    !capable(CAP_SYS_ADMIN))
      		return ERR_PTR(-EPERM);
       - sget() in fs/super.c:
              /* Ensure the requestor has permissions over the target filesystem */
              if (!(flags & (SB_KERNMOUNT|SB_SUBMOUNT)) && !ns_capable(user_ns, CAP_SYS_ADMIN))
                      return ERR_PTR(-EPERM);
      
      Verified internally on patched RHEL 7.6 with a reproducer using
      NFS+httpd and selinux-testsuite.
      
      Fixes: 93faccbb ("fs: Better permission checking for submounts")
      Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
      Signed-off-by: Paul Moore <paul@paul-moore.com>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
  3. 22 Jan, 2019 3 commits
  4. 13 Jan, 2019 1 commit
    • selinux: policydb - fix byte order and alignment issues · 33068413
      Ondrej Mosnáček authored
      commit 5df275cd upstream.
      
      Do the LE conversions before doing the Infiniband-related range checks.
      The incorrect checks are otherwise causing a failure to load any policy
      with an ibendportcon rule on BE systems. This can be reproduced by
      running (on e.g. ppc64):
      
      cat >my_module.cil <<EOF
      (type test_ibendport_t)
      (roletype object_r test_ibendport_t)
      (ibendportcon mlx4_0 1 (system_u object_r test_ibendport_t ((s0) (s0))))
      EOF
      semodule -i my_module.cil
      
      Also, fix loading/storing the 64-bit subnet prefix for OCON_IBPKEY to
      use a correctly aligned buffer.
      
      Finally, do not use the 'nodebuf' (u32) buffer where 'buf' (__le32)
      should be used instead.
      
      Tested internally on a ppc64 machine with a RHEL 7 kernel with this
      patch applied.
      
      Cc: Daniel Jurgens <danielj@mellanox.com>
      Cc: Eli Cohen <eli@mellanox.com>
      Cc: James Morris <jmorris@namei.org>
      Cc: Doug Ledford <dledford@redhat.com>
      Cc: <stable@vger.kernel.org> # 4.13+
      Fixes: a806f7a1 ("selinux: Create policydb version for Infiniband support")
      Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
      Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: Paul Moore <paul@paul-moore.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  5. 09 Jan, 2019 1 commit
  6. 18 Dec, 2018 2 commits
    • ima: cleanup the match_token policy code · 1a9430db
      Mimi Zohar authored
      Start the policy_tokens and the associated enumeration from zero,
      simplifying the pt macro.
      Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • security: don't use a negative Opt_err token index · 94c13f66
      Linus Torvalds authored
      The code uses a bitmap to check for duplicate tokens during parsing, and
      that doesn't work at all for the negative Opt_err token case.
      
      There is absolutely no reason to make Opt_err be negative, and in fact
      it only confuses things, since some of the affected functions actually
      return a positive Opt_xyz enum _or_ a regular negative error code (eg
      -EINVAL), and using -1 for Opt_err makes no sense.
      
      There are similar problems in ima_policy.c and key encryption, but they
      don't have the immediate bug wrt bitmap handling, and ima_policy.c in
      particular needs a different patch to make the enum values match the
      token array index.  Mimi is sending that separately.
      
      Reported-by: syzbot+a22e0dc07567662c50bc@syzkaller.appspotmail.com
      Reported-by: Eric Biggers <ebiggers@kernel.org>
      Fixes: 5208cc83 ("keys, trusted: fix: *do not* allow duplicate key options")
      Fixes: 00d60fd3 ("KEYS: Provide keyctls to drive the new key type ops for asymmetric keys [ver #2]")
      Cc: James Morris <jmorris@namei.org>
      Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
      Cc: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Cc: Peter Huewe <peterhuewe@gmx.de>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  7. 29 Nov, 2018 1 commit
  8. 14 Nov, 2018 1 commit
  9. 13 Nov, 2018 2 commits
  10. 02 Nov, 2018 2 commits
  11. 26 Oct, 2018 3 commits
    • KEYS: trusted: Expose common functionality [ver #2] · e1ea9f86
      Denis Kenzior authored
      This patch exposes some common functionality needed to send TPM commands.
      Several functions from keys/trusted.c are exposed for use by the new tpm
      key subtype and a module dependency is introduced.
      
      In the future, common functionality between the trusted key type and the
      asym_tpm subtype should be factored out into a common utility library.
      Signed-off-by: Denis Kenzior <denkenz@gmail.com>
      Signed-off-by: David Howells <dhowells@redhat.com>
      Tested-by: Marcel Holtmann <marcel@holtmann.org>
      Reviewed-by: Marcel Holtmann <marcel@holtmann.org>
      Signed-off-by: James Morris <james.morris@microsoft.com>
    • KEYS: Provide keyctls to drive the new key type ops for asymmetric keys [ver #2] · 00d60fd3
      David Howells authored
      Provide five keyctl functions that permit userspace to make use of the new
      key type ops for accessing and driving asymmetric keys.
      
       (*) Query an asymmetric key.
      
      	long keyctl(KEYCTL_PKEY_QUERY,
      		    key_serial_t key, unsigned long reserved,
      		    struct keyctl_pkey_query *info);
      
           Get information about an asymmetric key.  The information is returned
           in the keyctl_pkey_query struct:
      
      	__u32	supported_ops;
      
           A bit mask of flags indicating which ops are supported.  This is
           constructed from a bitwise-OR of:
      
      	KEYCTL_SUPPORTS_{ENCRYPT,DECRYPT,SIGN,VERIFY}
      
      	__u32	key_size;
      
           The size in bits of the key.
      
      	__u16	max_data_size;
      	__u16	max_sig_size;
      	__u16	max_enc_size;
      	__u16	max_dec_size;
      
           The maximum sizes in bytes of a blob of data to be signed, a signature
           blob, a blob to be encrypted and a blob to be decrypted.
      
           reserved must be set to 0.  This is intended for future use to hand
           over one or more passphrases needed to unlock a key.
      
           If successful, 0 is returned.  If the key is not an asymmetric key,
           EOPNOTSUPP is returned.
      
       (*) Encrypt, decrypt, sign or verify a blob using an asymmetric key.
      
      	long keyctl(KEYCTL_PKEY_ENCRYPT,
      		    const struct keyctl_pkey_params *params,
      		    const char *info,
      		    const void *in,
      		    void *out);
      
      	long keyctl(KEYCTL_PKEY_DECRYPT,
      		    const struct keyctl_pkey_params *params,
      		    const char *info,
      		    const void *in,
      		    void *out);
      
      	long keyctl(KEYCTL_PKEY_SIGN,
      		    const struct keyctl_pkey_params *params,
      		    const char *info,
      		    const void *in,
      		    void *out);
      
      	long keyctl(KEYCTL_PKEY_VERIFY,
      		    const struct keyctl_pkey_params *params,
      		    const char *info,
      		    const void *in,
      		    const void *in2);
      
           Use an asymmetric key to perform a public-key cryptographic operation
           on a blob of data.
      
           The parameter block pointed to by params contains a number of integer
           values:
      
      	__s32		key_id;
      	__u32		in_len;
      	__u32		out_len;
      	__u32		in2_len;
      
           For a given operation, the in and out buffers are used as follows:
      
      	Operation ID		in,in_len	out,out_len	in2,in2_len
      	=======================	===============	===============	===========
      	KEYCTL_PKEY_ENCRYPT	Raw data	Encrypted data	-
      	KEYCTL_PKEY_DECRYPT	Encrypted data	Raw data	-
      	KEYCTL_PKEY_SIGN	Raw data	Signature	-
      	KEYCTL_PKEY_VERIFY	Raw data	-		Signature
      
           info is a string of key=value pairs that supply supplementary
           information.
      
           The __spare space in the parameter block must be set to 0.  This is
           intended, amongst other things, to allow the passing of passphrases
           required to unlock a key.
      
           If successful, encrypt, decrypt and sign all return the amount of data
           written into the output buffer.  Verification returns 0 on success.
      Signed-off-by: David Howells <dhowells@redhat.com>
      Tested-by: Marcel Holtmann <marcel@holtmann.org>
      Reviewed-by: Marcel Holtmann <marcel@holtmann.org>
      Reviewed-by: Denis Kenzior <denkenz@gmail.com>
      Tested-by: Denis Kenzior <denkenz@gmail.com>
      Signed-off-by: James Morris <james.morris@microsoft.com>
  12. 18 Oct, 2018 2 commits
  13. 13 Oct, 2018 1 commit
    • apparmor: add #ifdef checks for secmark filtering · e1af4779
      Arnd Bergmann authored
      The newly added code fails to build when either SECMARK or
      NETFILTER are disabled:
      
      security/apparmor/lsm.c: In function 'apparmor_socket_sock_rcv_skb':
      security/apparmor/lsm.c:1138:12: error: 'struct sk_buff' has no member named 'secmark'; did you mean 'mark'?
      
      security/apparmor/lsm.c:1671:21: error: 'struct nf_hook_state' declared inside parameter list will not be visible outside of this definition or declaration [-Werror]
      
      Add a set of #ifdef checks around it to only enable the code that
      we can compile and that makes sense in that configuration.
      
      Fixes: ab9f2115 ("apparmor: Allow filtering based on secmark policy")
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Signed-off-by: John Johansen <john.johansen@canonical.com>
  14. 11 Oct, 2018 8 commits
  15. 10 Oct, 2018 4 commits
  16. 03 Oct, 2018 7 commits
    • signal: Distinguish between kernel_siginfo and siginfo · ae7795bc
      Eric W. Biederman authored
      Linus recently observed that if we did not worry about the padding
      member in struct siginfo it is only about 48 bytes, and 48 bytes is
      much nicer than 128 bytes for allocating on the stack and copying
      around in the kernel.
      
      The obvious thing of only adding the padding when userspace is
      including siginfo.h won't work as there are sigframe definitions in
      the kernel that embed struct siginfo.
      
      So split siginfo in two; kernel_siginfo and siginfo.  Keeping the
      traditional name for the userspace definition.  While the version that
      is used internally to the kernel and ultimately will not be padded to
      128 bytes is called kernel_siginfo.
      
      The definition of struct kernel_siginfo I have put in include/signal_types.h
      
      A set of buildtime checks has been added to verify the two structures have
      the same field offsets.
      
      To make it easy to verify the change kernel_siginfo retains the same
      size as siginfo.  The reduction in size comes in a following change.
      Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
    • apparmor: Fix uninitialized value in aa_split_fqname · 250f2da4
      Zubin Mithra authored
      Syzkaller reported an OOB-read with the stacktrace below. This occurs
      inside __aa_lookupn_ns as `n` is not initialized. `n` is obtained from
      aa_splitn_fqname. In cases where `name` is invalid, aa_splitn_fqname
      returns without initializing `ns_name` and `ns_len`.
      
      Fix this by always initializing `ns_name` and `ns_len`.
      
      	__dump_stack lib/dump_stack.c:77 [inline]
      	dump_stack+0x1c4/0x2b4 lib/dump_stack.c:113
      	print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256
      	kasan_report_error mm/kasan/report.c:354 [inline]
      	kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412
      	__asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
      	memcmp+0xe3/0x160 lib/string.c:861
      	strnstr+0x4b/0x70 lib/string.c:934
      	__aa_lookupn_ns+0xc1/0x570 security/apparmor/policy_ns.c:209
      	aa_lookupn_ns+0x88/0x1e0 security/apparmor/policy_ns.c:240
      	aa_fqlookupn_profile+0x1b9/0x1010 security/apparmor/policy.c:468
      	fqlookupn_profile+0x80/0xc0 security/apparmor/label.c:1844
      	aa_label_strn_parse+0xa3a/0x1230 security/apparmor/label.c:1908
      	aa_label_parse+0x42/0x50 security/apparmor/label.c:1943
      	aa_change_profile+0x513/0x3510 security/apparmor/domain.c:1362
      	apparmor_setprocattr+0xaa4/0x1150 security/apparmor/lsm.c:658
      	security_setprocattr+0x66/0xc0 security/security.c:1298
      	proc_pid_attr_write+0x301/0x540 fs/proc/base.c:2555
      	__vfs_write+0x119/0x9f0 fs/read_write.c:485
      	vfs_write+0x1fc/0x560 fs/read_write.c:549
      	ksys_write+0x101/0x260 fs/read_write.c:598
      	__do_sys_write fs/read_write.c:610 [inline]
      	__se_sys_write fs/read_write.c:607 [inline]
      	__x64_sys_write+0x73/0xb0 fs/read_write.c:607
      	do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
      	entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Fixes: 3b0aaf58 ("apparmor: add lib fn to find the "split" for fqnames")
      Reported-by: syzbot+61e4b490d9d2da591b50@syzkaller.appspotmail.com
      Signed-off-by: Zubin Mithra <zsm@chromium.org>
      Reviewed-by: Kees Cook <keescook@chromium.org>
      Signed-off-by: John Johansen <john.johansen@canonical.com>
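An added C model of the out-parameter bug described above, not the kernel's aa_splitn_fqname: split_fqname_buggy, split_fqname_fixed and ns_len_seen_by_caller are hypothetical, and the ":ns:" / ":ns://" prefix syntax and the 0xdead sentinel are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical split of an AppArmor fully-qualified name (not the kernel's
 * aa_splitn_fqname).  Assumed syntax: an optional ":ns:" or ":ns://" prefix
 * before the profile name; n is the number of valid bytes at name.  Returns
 * the profile part, or NULL when the namespace prefix is unterminated. */

/* Pre-fix shape: the invalid path returns before touching the out-params,
 * so the caller keeps whatever ns_name/ns_len held before the call. */
static const char *split_fqname_buggy(const char *name, size_t n,
				      const char **ns_name, size_t *ns_len)
{
	const char *end;
	if (n == 0 || name[0] != ':')
		return name;
	end = memchr(name + 1, ':', n - 1);
	if (!end)
		return NULL;		/* ns_len left undefined */
	*ns_name = name + 1;
	*ns_len = (size_t)(end - *ns_name);
	end++;
	if ((size_t)(end - name) + 2 <= n && end[0] == '/' && end[1] == '/')
		end += 2;
	return end;
}

/* Fixed shape: out-params are defined on every path, including the early
 * returns, which is the change the commit message describes. */
static const char *split_fqname_fixed(const char *name, size_t n,
				      const char **ns_name, size_t *ns_len)
{
	const char *end;
	*ns_name = NULL;
	*ns_len = 0;
	if (n == 0 || name[0] != ':')
		return name;
	end = memchr(name + 1, ':', n - 1);
	if (!end)
		return NULL;
	*ns_name = name + 1;
	*ns_len = (size_t)(end - *ns_name);
	end++;
	if ((size_t)(end - name) + 2 <= n && end[0] == '/' && end[1] == '/')
		end += 2;
	return end;
}

typedef const char *(*split_fn)(const char *, size_t, const char **, size_t *);

/* Models a caller such as __aa_lookupn_ns that bounds a later strnstr()
 * by ns_len; the sentinel stands in for stack garbage. */
static size_t ns_len_seen_by_caller(split_fn split, const char *name)
{
	const char *ns = NULL;
	size_t len = (size_t)0xdead;	/* constructed stale value */

	split(name, strlen(name), &ns, &len);
	return len;
}
```

With the buggy splitter the caller goes on with the stale 0xdead length; with the fixed one it sees 0.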
    • apparmor: don't try to replace stale label in ptraceme check · ca3fde52
      Jann Horn authored
      begin_current_label_crit_section() must run in sleepable context because
      when label_is_stale() is true, aa_replace_current_label() runs, which uses
      prepare_creds(), which can sleep.
      
      Until now, the ptraceme access check (which runs with tasklist_lock held)
      violated this rule.
      
      Fixes: b2d09ae4 ("apparmor: move ptrace checks to using labels")
      Reported-by: Cyrill Gorcunov <gorcunov@gmail.com>
      Reported-by: kernel test robot <rong.a.chen@intel.com>
      Signed-off-by: Jann Horn <jannh@google.com>
      Signed-off-by: John Johansen <john.johansen@canonical.com>
    • apparmor: Replace spin_is_locked() with lockdep · 0fb871cc
      Lance Roy authored
      lockdep_assert_held() is better suited to checking locking requirements,
      since it won't get confused when someone else holds the lock. This is
      also a step towards possibly removing spin_is_locked().
      Signed-off-by: Lance Roy <ldr709@gmail.com>
      Cc: John Johansen <john.johansen@canonical.com>
      Cc: James Morris <jmorris@namei.org>
      Cc: "Serge E. Hallyn" <serge@hallyn.com>
      Cc: <linux-security-module@vger.kernel.org>
      Signed-off-by: John Johansen <john.johansen@canonical.com>
    • apparmor: Allow filtering based on secmark policy · ab9f2115
      Matthew Garrett authored
      Add support for dropping or accepting packets based on their secmark
      tags.
      Signed-off-by: Matthew Garrett <mjg59@google.com>
      Signed-off-by: John Johansen <john.johansen@canonical.com>
    • apparmor: Parse secmark policy · 9caafbe2
      Matthew Garrett authored
      Add support for parsing secmark policy provided by userspace, and
      store that in the overall policy.
      Signed-off-by: Matthew Garrett <mjg59@google.com>
      Signed-off-by: John Johansen <john.johansen@canonical.com>
    • apparmor: Add a wildcard secid · 617a629c
      Matthew Garrett authored
      Reserve a secid value that we can use as a wildcard, allowing us to
      define policy that's expected to match against all secids.
      Signed-off-by: Matthew Garrett <mjg59@google.com>
      Signed-off-by: John Johansen <john.johansen@canonical.com>