1. 07 Dec, 2010 1 commit
    • Smack: Transmute labels on specified directories · 5c6d1125
      Jarkko Sakkinen authored
      In a situation where Smack access rules allow processes
      with multiple labels to write to a directory it is easy
      to get into a situation where the directory gets cluttered
      with files that the owner can't deal with because while
      they could be written to the directory a process at the
      label of the directory can't write them. This is generally
      the desired behavior, but when it isn't it is a real
      issue.
      
      This patch introduces a new attribute SMACK64TRANSMUTE that
      instructs Smack to create the file with the label of the directory
      under certain circumstances.
      
      A new access mode, "t" for transmute, is made available to
      Smack access rules, which are expanded from "rwxa" to "rwxat".
      If a file is created in a directory marked as transmutable
      and if access was granted to perform the operation by a rule
      that included the transmute mode, then the file gets the
      Smack label of the directory instead of the Smack label of the
      creating process.
      
      Note that this is equivalent to creating an empty file at the
      label of the directory and then having the other process write
      to it. The transmute scheme requires that both the access rule
      allows transmutation and that the directory be explicitly marked.
      Signed-off-by: Jarkko Sakkinen <ext-jarkko.2.sakkinen@nokia.com>
      Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
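As an added example (not code from the kernel or from this patch), the decision the commit message describes, modelled in user-space C: a rule check over "rwxat" mode strings and the label chosen for a file created in a directory. The rule table, the labels "App", "Guest" and "Shared", and all function names are assumptions for illustration; Smack's built-in rules are not modelled beyond the same-label case.

```c
/*
 * Added example (not kernel code): a user-space model of the Smack rule
 * check and the transmute decision described in the commit message.
 * Rule table, label names and function names are assumptions made for
 * illustration; Smack's built-in rules (e.g. the "*" and "_" labels) are
 * omitted, only the same-label shortcut is modelled.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAY_READ      0x01
#define MAY_WRITE     0x02
#define MAY_EXEC      0x04
#define MAY_APPEND    0x08
#define MAY_TRANSMUTE 0x10   /* the new "t" mode */

struct smack_rule {
    const char *subject;
    const char *object;
    const char *modes;   /* rule access string, e.g. "rwt" */
};

/* Parse a mode string drawn from "rwxat" into a bitmask; -1 on an unknown char. */
int smack_parse_access(const char *s)
{
    int mask = 0;
    for (; *s; s++) {
        switch (*s) {
        case 'r': case 'R': mask |= MAY_READ;      break;
        case 'w': case 'W': mask |= MAY_WRITE;     break;
        case 'x': case 'X': mask |= MAY_EXEC;      break;
        case 'a': case 'A': mask |= MAY_APPEND;    break;
        case 't': case 'T': mask |= MAY_TRANSMUTE; break;
        case '-': break;   /* placeholder meaning "no access" */
        default:  return -1;
        }
    }
    return mask;
}

/* Access granted from subject label to object label: the same label is
 * always fully allowed; otherwise the first matching rule decides; no
 * rule means no access. */
int smack_rule_access(const struct smack_rule *rules, size_t n,
                      const char *subject, const char *object)
{
    if (strcmp(subject, object) == 0)
        return MAY_READ | MAY_WRITE | MAY_EXEC | MAY_APPEND;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(rules[i].subject, subject) == 0 &&
            strcmp(rules[i].object, object) == 0) {
            int mask = smack_parse_access(rules[i].modes);
            return mask < 0 ? 0 : mask;
        }
    }
    return 0;
}

/* Label given to a file created by a process labelled proc_label inside a
 * directory labelled dir_label. NULL means creation is denied (no write
 * access to the directory). The file takes the directory's label only when
 * BOTH hold: the granting rule carries "t" and the directory is marked with
 * SMACK64TRANSMUTE. */
const char *smack_label_for_new_file(const struct smack_rule *rules, size_t n,
                                     const char *proc_label, const char *dir_label,
                                     bool dir_transmute)
{
    int access = smack_rule_access(rules, n, proc_label, dir_label);
    if (!(access & MAY_WRITE))
        return NULL;
    if (dir_transmute && (access & MAY_TRANSMUTE))
        return dir_label;
    return proc_label;
}

/* Constructed sample policy: "App" may write to and transmute in "Shared";
 * "Guest" may write but its rule has no "t". */
static const struct smack_rule sample_rules[] = {
    { "App",   "Shared", "rwt" },
    { "Guest", "Shared", "rw"  },
};
#define SAMPLE_RULE_COUNT (sizeof(sample_rules) / sizeof(sample_rules[0]))

int main(void)
{
    const char *subjects[] = { "App", "Guest", "Nobody" };
    for (size_t i = 0; i < 3; i++) {
        for (int t = 0; t < 2; t++) {
            const char *label = smack_label_for_new_file(sample_rules, SAMPLE_RULE_COUNT,
                                                         subjects[i], "Shared", t == 1);
            printf("%-6s creates in Shared (transmute=%d): %s\n",
                   subjects[i], t, label ? label : "DENIED");
        }
    }
    return 0;
}
```

The "Guest" rows are the ones worth looking at: marking a directory transmutable changes nothing for a subject whose rule lacks "t", and a "t" in the rule changes nothing for an unmarked directory, which is exactly the two-sided requirement the commit message states.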
  2. 02 Dec, 2010 2 commits
    • Merge branch 'smack-next-master' into next · fe27d4b0
      James Morris authored
    • This patch adds a new security attribute to Smack called · 676dac4b
      Casey Schaufler authored
      SMACK64EXEC. It defines the label that is used while the task is
      running.
      
      Exception: in smack_task_wait() child task is checked
      for write access to parent task using label inherited
      from the task that forked it.
      
      Fixed issues from previous submit:
      - SMACK64EXEC was not read when SMACK64 was not set.
      - inode security blob was not updated after setting
        SMACK64EXEC
      - inode security blob was not updated when removing
        SMACK64EXEC
  3. 30 Nov, 2010 1 commit
  4. 29 Nov, 2010 1 commit
  5. 28 Nov, 2010 8 commits
    • Smack: UDS revision · b4e0d5f0
      Casey Schaufler authored
      This patch addresses a number of long standing issues
      with the way Smack treats UNIX domain sockets.
      
      All access control was being done based on the label of
      the file system object. This is inconsistent with the
      internet domain, in which access is done based on the
      IPIN and IPOUT attributes of the socket. As a result
      of the inode label policy it was not possible to use
      a UDS socket for label cognizant services, including
      dbus and the X11 server.
      
      Support for SCM_PEERSEC on UDS sockets is also provided.
      Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
      Signed-off-by: James Morris <jmorris@namei.org>
    • keys: add new key-type encrypted · 7e70cb49
      Mimi Zohar authored
      Define a new kernel key-type called 'encrypted'. Encrypted keys are kernel
      generated random numbers, which are encrypted/decrypted with a 'trusted'
      symmetric key. Encrypted keys are created/encrypted/decrypted in the kernel.
      Userspace only ever sees/stores encrypted blobs.
      
      Changelog:
      - bug fix: replaced master-key rcu based locking with semaphore
        (reported by David Howells)
      - Removed memset of crypto_shash_digest() digest output
      - Replaced verification of 'key-type:key-desc' using strcspn(), with
        one based on string constants.
      - Moved documentation to Documentation/keys-trusted-encrypted.txt
      - Replace hash with shash (based on comments by David Howells)
      - Make lengths/counts size_t where possible (based on comments by David Howells)
        Could not convert most lengths, as crypto expects 'unsigned int'
        (size_t: on 32 bit is defined as unsigned int, but on 64 bit is unsigned long)
      - Add 'const' where possible (based on comments by David Howells)
      - allocate derived_buf dynamically to support arbitrary length master key
        (fixed by Roberto Sassu)
      - wait until late_initcall for crypto libraries to be registered
      - cleanup security/Kconfig
      - Add missing 'update' keyword (reported/fixed by Roberto Sassu)
      - Free epayload on failure to create key (reported/fixed by Roberto Sassu)
      - Increase the data size limit (requested by Roberto Sassu)
      - Crypto return codes are always 0 on success and negative on failure,
        remove unnecessary tests.
      - Replaced kzalloc() with kmalloc()
      Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
      Signed-off-by: David Safford <safford@watson.ibm.com>
      Reviewed-by: Roberto Sassu <roberto.sassu@polito.it>
      Signed-off-by: James Morris <jmorris@namei.org>
    • keys: add new trusted key-type · d00a1c72
      Mimi Zohar authored
      Define a new kernel key-type called 'trusted'.  Trusted keys are random
      number symmetric keys, generated and RSA-sealed by the TPM.  The TPM
      only unseals the keys, if the boot PCRs and other criteria match.
      Userspace can only ever see encrypted blobs.
      
      Based on suggestions by Jason Gunthorpe, several new options have been
      added to support additional usages.
      
      The new options are:
      migratable=  designates that the key may/may not ever be updated
                   (resealed under a new key, new pcrinfo or new auth.)
      
      pcrlock=n    extends the designated PCR 'n' with a random value,
                   so that a key sealed to that PCR may not be unsealed
                   again until after a reboot.
      
      keyhandle=   specifies the sealing/unsealing key handle.
      
      keyauth=     specifies the sealing/unsealing key auth.
      
      blobauth=    specifies the sealed data auth.
      
      Implementation of a kernel reserved locality for trusted keys will be
      investigated for a possible future extension.
      
      Changelog:
      - Updated and added examples to Documentation/keys-trusted-encrypted.txt
      - Moved generic TPM constants to include/linux/tpm_command.h
        (David Howell's suggestion.)
      - trusted_defined.c: replaced kzalloc with kmalloc, added pcrlock failure
        error handling, added const qualifiers where appropriate.
      - moved to late_initcall
      - updated from hash to shash (suggestion by David Howells)
      - reduced worst stack usage (tpm_seal) from 530 to 312 bytes
      - moved documentation to Documentation directory (suggestion by David Howells)
      - all the other code cleanups suggested by David Howells
      - Add pcrlock CAP_SYS_ADMIN dependency (based on comment by Jason Gunthorpe)
      - New options: migratable, pcrlock, keyhandle, keyauth, blobauth (based on
        discussions with Jason Gunthorpe)
      - Free payload on failure to create key(reported/fixed by Roberto Sassu)
      - Updated Kconfig and other descriptions (based on Serge Hallyn's suggestion)
      - Replaced kzalloc() with kmalloc() (reported by Serge Hallyn)
      Signed-off-by: David Safford <safford@watson.ibm.com>
      Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
      Signed-off-by: James Morris <jmorris@namei.org>
    • key: add tpm_send command · c749ba91
      Mimi Zohar authored
      Add internal kernel tpm_send() command used to seal/unseal keys.
      
      Changelog:
      - replaced module_put in tpm_send() with new tpm_chip_put() wrapper
        (suggested by David Howells)
      - Make tpm_send() cmd argument a 'void *' (suggested by David Howells)
      Signed-off-by: David Safford <safford@watson.ibm.com>
      Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
      Acked-by: David Howells <dhowells@redhat.com>
      Acked-by: Serge E. Hallyn <serge.hallyn@canonical.com>
      Signed-off-by: James Morris <jmorris@namei.org>
    • tpm: add module_put wrapper · a0e39349
      Mimi Zohar authored
      For readability, define a tpm_chip_put() wrapper to call module_put().
      Replace existing module_put() calls with the wrapper.
      
      (Change based on trusted/encrypted patchset review by David Howells.)
      Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
      Signed-off-by: David Safford <safford@watson.ibm.com>
      Acked-by: David Howells <dhowells@redhat.com>
      Acked-by: Serge E. Hallyn <serge.hallyn@canonical.com>
      Signed-off-by: James Morris <jmorris@namei.org>
    • lib: hex2bin converts ascii hexadecimal string to binary · dc88e460
      Mimi Zohar authored
      Similar to the kgdb_hex2mem() code, hex2bin converts a string
      to binary using the hex_to_bin() library call.
      
      Changelog:
      - Replace parameter names with src/dst (based on David Howell's comment)
      - Add 'const' where needed (based on David Howell's comment)
      - Replace int with size_t (based on David Howell's comment)
      Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
      Acked-by: Serge E. Hallyn <serge@hallyn.com>
      Acked-by: David Howells <dhowells@redhat.com>
      Signed-off-by: James Morris <jmorris@namei.org>
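An added example, not the kernel's own lib code from this commit: a user-space hex2bin in the same spirit, built on a hex_to_bin()-style single-digit mapper, together with a length-checking wrapper. The function names (hex_to_bin_c, hex2bin_example, hex2bin_strict) and the demo buffer are mine. It returns an error on a non-hex character instead of silently emitting bytes, and the wrapper rejects odd-length and oversized input; those are the checks a caller decoding user-supplied key material must not skip.

```c
/*
 * Added example (not the kernel's lib/hexdump.c): decode an ASCII hex
 * string into bytes. Names are illustrative, not the kernel's.
 */
#include <stddef.h>
#include <string.h>

/* Map one ASCII hex digit to 0..15, or -1 if it is not a hex digit. */
int hex_to_bin_c(char ch)
{
    if (ch >= '0' && ch <= '9')
        return ch - '0';
    ch |= 0x20;                     /* fold A-F to a-f */
    if (ch >= 'a' && ch <= 'f')
        return ch - 'a' + 10;
    return -1;
}

/* Decode 2*count hex characters from src into count bytes at dst.
 * Returns 0 on success, -1 on the first non-hex character (including a
 * premature NUL); dst may then be partially written. The high digit is
 * checked before the low one is read so a NUL is never stepped over. */
int hex2bin_example(unsigned char *dst, const char *src, size_t count)
{
    while (count--) {
        int hi = hex_to_bin_c(src[0]);
        if (hi < 0)
            return -1;
        int lo = hex_to_bin_c(src[1]);
        if (lo < 0)
            return -1;
        *dst++ = (unsigned char)((hi << 4) | lo);
        src += 2;
    }
    return 0;
}

/* Wrapper for NUL-terminated input of unknown length: rejects odd-length
 * strings and anything that would overflow dst. Returns the number of
 * bytes written, or -1. */
int hex2bin_strict(unsigned char *dst, size_t dstlen, const char *src)
{
    size_t len = strlen(src);
    if (len % 2 != 0 || len / 2 > dstlen)
        return -1;
    if (hex2bin_example(dst, src, len / 2) < 0)
        return -1;
    return (int)(len / 2);
}

/* Scratch buffer for the demo; constructed, not part of any real API. */
static unsigned char demo_buf[32];

int main(void)
{
    /* Constructed inputs: mixed case, a bad digit, odd length. */
    const char *inputs[] = { "deadBEEF", "0a0b0c", "zz", "abc" };
    for (size_t i = 0; i < 4; i++) {
        int n = hex2bin_strict(demo_buf, sizeof demo_buf, inputs[i]);
        if (n < 0) {
            /* rejected */
            continue;
        }
        /* n bytes now in demo_buf */
    }
    return 0;
}
```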
    • security: Define CAP_SYSLOG · ce6ada35
      Serge E. Hallyn authored
      Privileged syslog operations currently require CAP_SYS_ADMIN.  Split
      this off into a new CAP_SYSLOG privilege which we can sanely take away
      from a container through the capability bounding set.
      
      With this patch, an lxc container can be prevented from messing with
      the host's syslog (i.e. dmesg -c).
      
      Changelog: mar 12 2010: add selinux capability2:cap_syslog perm
      Changelog: nov 22 2010:
      	. port to new kernel
      	. add a WARN_ONCE if userspace isn't using CAP_SYSLOG
      Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
      Acked-by: Andrew G. Morgan <morgan@kernel.org>
      Acked-By: Kees Cook <kees.cook@canonical.com>
      Cc: James Morris <jmorris@namei.org>
      Cc: Michael Kerrisk <mtk.manpages@gmail.com>
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Cc: "Christopher J. PeBenito" <cpebenito@tresys.com>
      Cc: Eric Paris <eparis@parisplace.org>
      Signed-off-by: James Morris <jmorris@namei.org>
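An added example (not from the patch): the check a container operator would want after this change, in user-space C. It parses the Cap* lines of a /proc/<pid>/status dump, tests bit 34 (the number assigned to CAP_SYSLOG) in the bounding set, and classifies a task's effective set into "has CAP_SYSLOG", "only CAP_SYS_ADMIN" (the case the commit's WARN_ONCE targets) or "neither". The status text is constructed inline; the function names are mine.

```c
/*
 * Added example (not kernel code): audit a task's capability masks for
 * CAP_SYSLOG. The status text below is constructed; the function names
 * are illustrative.
 */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define CAP_SYS_ADMIN 21
#define CAP_SYSLOG    34   /* capability number introduced by this patch */

/* Constructed /proc/<pid>/status fragments: a host task holding every
 * capability up to CAP_SYSLOG (bits 0..34), and a container task whose
 * bounding, permitted and effective sets had bit 34 removed. */
static const char host_status[] =
    "Name:\tbash\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000007ffffffff\n"
    "CapEff:\t00000007ffffffff\n"
    "CapBnd:\t00000007ffffffff\n";

static const char container_status[] =
    "Name:\tbash\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000003ffffffff\n"
    "CapEff:\t00000003ffffffff\n"
    "CapBnd:\t00000003ffffffff\n";

/* Find "<field>:" at the start of a line and parse its hex mask.
 * Returns false if the field is absent or carries no hex digits. */
bool cap_mask_from_status(const char *status, const char *field,
                          unsigned long long *mask)
{
    size_t flen = strlen(field);
    const char *line = status;
    while (line && *line) {
        if (strncmp(line, field, flen) == 0 && line[flen] == ':') {
            const char *start = line + flen + 1;   /* strtoull skips the tab */
            char *end;
            *mask = strtoull(start, &end, 16);
            return end != start;
        }
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return false;
}

bool cap_in_mask(unsigned long long mask, int cap)
{
    return cap >= 0 && cap < 64 && ((mask >> cap) & 1ULL);
}

/* Can any task descended from this one ever hold CAP_SYSLOG? Only if the
 * bit is still in the bounding set. If the dump cannot be parsed, report
 * "reachable" so the auditor looks rather than assumes. */
bool syslog_reachable(const char *status)
{
    unsigned long long bnd;
    if (!cap_mask_from_status(status, "CapBnd", &bnd))
        return true;
    return cap_in_mask(bnd, CAP_SYSLOG);
}

enum syslog_verdict {
    SYSLOG_DENIED,               /* neither capability */
    SYSLOG_VIA_CAP_SYSLOG,       /* the intended privilege */
    SYSLOG_VIA_SYS_ADMIN_ONLY    /* legacy case the patch warns about */
};

/* Classify an effective set for the syslog check. */
enum syslog_verdict classify_syslog_priv(unsigned long long eff)
{
    if (cap_in_mask(eff, CAP_SYSLOG))
        return SYSLOG_VIA_CAP_SYSLOG;
    if (cap_in_mask(eff, CAP_SYS_ADMIN))
        return SYSLOG_VIA_SYS_ADMIN_ONLY;
    return SYSLOG_DENIED;
}

int main(void)
{
    /* host: reachable; container: not reachable, and its effective set
     * still holds CAP_SYS_ADMIN, so it is the WARN_ONCE case. */
    return syslog_reachable(host_status) && !syslog_reachable(container_status) ? 0 : 1;
}
```

To run it against a live task, read /proc/<pid>/status into a buffer and pass that in place of the sample. The container case is the one this commit makes possible: CAP_SYS_ADMIN is still present, yet with bit 34 gone from the bounding set no execve inside the container can bring CAP_SYSLOG back.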
    • Merge branch 'master' into next · 1d6d7568
      James Morris authored
  6. 27 Nov, 2010 1 commit
    • Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6 · 0f639a3c
      Linus Torvalds authored
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6: (30 commits)
        ALSA: hda - Use ALC_INIT_DEFAULT for really default initialization
        ASoC: Fix resource reclaim for osk5912
        ASoC: tlv320aic3x - fix variable may be used uninitialized warning
        ASoC: davinci-vcif - fix a memory leak
        ASoC: phycore-ac97: fix resource leak
        ASoC: imx-ssi: fix resource leak
        ASoC: simone: fix resource leak in simone_init error path
        ASoC: sam9g20_wm8731: fix resource leak in at91sam9g20ek_init error path
        ASoC: snd-soc-afeb9260: remove unneeded platform_device_del in error path
        ASoC: pcm030-audio-fabric: fix resource leak in pcm030_fabric_init error path
        ASoC: efika-audio-fabric: fix resource leak in efika_fabric_init error path
        ASoC: Call snd_soc_unregister_dais instead of snd_soc_unregister_dai in sh4_soc_dai_remove
        ASoC: fix SND_PXA2XX_LIB Kconfig warning
        ALSA: hda - Fix ALC660-VD/ALC861-VD capture/playback mixers
        ALSA: HDA: Add an extra DAC for Realtek ALC887-VD
        ASoC: nuc900-ac97: fix a memory leak
        ASoC: Return proper error for omap3pandora_soc_init
        ASoC: wm8961 - clear WM8961_MCLKDIV bit for freq <= 16500000
        ASoC: wm8961 - clear WM8961_DACSLOPE bit for normal mode
        ALSA: hda - Fix Acer 7730G support
        ...
  7. 26 Nov, 2010 15 commits
  8. 25 Nov, 2010 11 commits