1. 15 Apr, 2015 1 commit
    • lsm: copy comm before calling audit_log to avoid race in string printing · 5deeb5ce
      Richard Guy Briggs authored
      When task->comm is passed directly to audit_log_untrustedstring() without
      getting a copy or using the task_lock, there is a race that could happen that
      would output a NULL (\0) in the middle of the output string that would
      effectively truncate the rest of the report text after the comm= field in the
      audit log message, losing fields.
      
      Using get_task_comm() to get a copy while acquiring the task_lock to prevent
      this and to prevent the result from being a mixture of old and new values of
      comm would incur potentially unacceptable overhead, considering that the value
      can be influenced by userspace and therefore untrusted anyways.
      
      Copying the value before passing it to audit_log_untrustedstring() ensures that a
      local copy is used to calculate the length *and* subsequently printed.  Even if
      this value contains a mix of old and new values, it will only calculate and
      copy up to the first NULL, preventing the rest of the audit log message being
      truncated.
      
      Use a second local copy of comm to avoid a race between the first and second
      calls to audit_log_untrustedstring() with comm.
      Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
      Signed-off-by: James Morris <james.l.morris@oracle.com>
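
The race described in the commit message above, modelled in user space as an added example (not code from the commit or the kernel). `task_comm`, `racing_rename()`, `log_quoted()` and `build_record()` are hypothetical names, and the rename is forced between the logger's two reads so the outcome is deterministic.

```c
#include <stdio.h>
#include <string.h>
#define TASK_COMM_LEN 16
static char task_comm[TASK_COMM_LEN];   /* stands in for task->comm */
/* Constructed: a concurrent rename landing between the logger's two reads. */
static void racing_rename(void)
{
    memset(task_comm, 0, sizeof(task_comm));
    strcpy(task_comm, "sh");
}

/* Simplified logger: measure the string, then copy that many bytes. */
static size_t log_quoted(char *rec, size_t pos, const char *s)
{
    size_t len = strlen(s);      /* read 1: length */
    racing_rename();
    rec[pos++] = '"';
    memcpy(rec + pos, s, len);   /* read 2: bytes, possibly with early NULs */
    pos += len;
    rec[pos++] = '"';
    return pos;
}

/* Writes comm="..." pid=1 into rec; returns the number of bytes logged. */
static size_t build_record(char *rec, int snapshot)
{
    char copy[TASK_COMM_LEN];
    size_t pos;
    strcpy(task_comm, "long_task_name");
    memcpy(rec, "comm=", 5);
    if (snapshot) {              /* fix: log from a private, terminated copy */
        memcpy(copy, task_comm, sizeof(copy));
        copy[sizeof(copy) - 1] = '\0';
        pos = log_quoted(rec, 5, copy);
    } else {                     /* bug: logger reads the live buffer twice */
        pos = log_quoted(rec, 5, task_comm);
    }
    memcpy(rec + pos, " pid=1", 7);   /* 6 characters plus terminator */
    return pos + 6;
}

int main(void)
{
    char rec[64];
    for (int snap = 0; snap <= 1; snap++)
        printf("snapshot=%d logged=%zu visible=[%s]\n",
               snap, build_record(rec, snap), rec);
    return 0;
}
```

In the direct case the record is the same number of bytes long, but an embedded NUL ends the visible string inside the comm field, so the trailing field is lost.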
  2. 13 Apr, 2015 1 commit
  3. 07 Apr, 2015 8 commits
  4. 02 Apr, 2015 1 commit
  5. 31 Mar, 2015 1 commit
  6. 27 Mar, 2015 2 commits
  7. 23 Mar, 2015 4 commits
    • smack: Fix gcc warning from unused smack_syslog_lock mutex in smackfs.c · f43b65ba
      Paul Gortmaker authored
      In commit 00f84f3f ("Smack: Make the
      syslog control configurable") this mutex was added, but the rest of
      the final commit never actually made use of it, resulting in:
      
       In file included from include/linux/mutex.h:29:0,
                        from include/linux/notifier.h:13,
                        from include/linux/memory_hotplug.h:6,
                        from include/linux/mmzone.h:821,
                        from include/linux/gfp.h:5,
                        from include/linux/slab.h:14,
                        from include/linux/security.h:27,
                        from security/smack/smackfs.c:21:
       security/smack/smackfs.c:63:21: warning: ‘smack_syslog_lock’ defined but not used [-Wunused-variable]
        static DEFINE_MUTEX(smack_syslog_lock);
                            ^
      
      A git grep shows no other instances/references to smack_syslog_lock.
      Delete it, assuming that the mutex addition was just a leftover from
      an earlier work in progress version of the change.
      Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
    • Smack: Allow an unconfined label in bringup mode · bf4b2fee
      Casey Schaufler authored
      I have vehemently opposed adding a "permissive" mode to Smack
      for the simple reasons that it would be subject to massive abuse
      and that developers refuse to turn it off come product release.
      I still believe that this is true, and still refuse to add a
      general "permissive mode". So don't ask again.
      
      Bumjin Im suggested an approach that addresses most of the concerns,
      and I have implemented it here. I still believe that we'd be better
      off without this sort of thing, but it looks like this minimizes the
      abuse potential.
      
      Firstly, you have to configure Smack Bringup Mode. That allows
      for "release" software to be immune from abuse. Second, only one
      label gets to be "permissive" at a time. You can use it for
      debugging, but that's about it.
      
      A label written to smackfs/unconfined is treated specially.
      If either the subject or object label of an access check
      matches the "unconfined" label, and the access would not
      have been allowed otherwise, an audit record and a console
      message are generated. The audit record "request" string is
      marked with either "(US)" or "(UO)", to indicate that the
      request was granted because of an unconfined label. The
      fact that an inode was accessed by an unconfined label is
      remembered, and subsequent accesses to that "impure"
      object are noted in the log. The impurity is not stored in
      the filesystem, so a file mislabeled as a side effect of
      using an unconfined label may still cause concern after
      a reboot.
      
      So, it's there, it's dangerous, but so many application
      developers seem incapable of living without it I have
      given in. I've tried to make it as safe as I can, but
      in the end it's still a chain saw.
      Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
    • Smack: getting the Smack security context of keys · 7fc5f36e
      José Bollo authored
      With this commit, the LSM Smack implements the LSM
      side part of the system call keyctl with the action
      code KEYCTL_GET_SECURITY.
      
      It is now possible to get the context of, for example,
      the user session key using the command "keyctl security @s".
      
      The original patch has been modified for merge.
      Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
      Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
    • Smack: Assign smack_known_web as default smk_in label for kernel thread's socket · 7412301b
      Marcin Lis authored
      This change fixes the bug associated with sockets owned by kernel threads. These
      sockets, created usually by network devices' drivers tasks, received smk_in
      label from the task that created them - the "floor" label in most cases. The
      result was that they were not able to receive data packets because of missing
      smack rules. The main reason for the access denial is that the socket smk_in label
      is placed as the object during smk check, kernel thread's capabilities are
      omitted.
      Signed-off-by: Marcin Lis <m.lis@samsung.com>
  8. 18 Mar, 2015 8 commits
  9. 05 Mar, 2015 2 commits
    • tpm: fix call order in tpm-chip.c · d972b052
      Jarkko Sakkinen authored
      - tpm_dev_add_device(): cdev_add() must be done before uevent is
        propagated in order to avoid races.
      - tpm_chip_register(): tpm_dev_add_device() must be done as the
        last step before exposing device to the user space in order to
        avoid races.
      
      In addition clarified description in tpm_chip_register().
      
      Fixes: 313d21ee ("tpm: device class for tpm")
      Fixes: afb5abc2 ("tpm: two-phase chip management functions")
      Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Reviewed-by: Peter Huewe <peterhuewe@gmx.de>
      Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
    • tpm/ibmvtpm: Additional LE support for tpm_ibmvtpm_send · 6da2517d
      jmlatten@linux.vnet.ibm.com authored
      Problem: When IMA and VTPM are both enabled in kernel config,
      kernel hangs during bootup on LE OS.
      
      Why?: IMA calls tpm_pcr_read() which results in tpm_ibmvtpm_send
      and tpm_ibmtpm_recv getting called. A trace showed that
      tpm_ibmtpm_recv was hanging.
      
      Resolution: tpm_ibmtpm_recv was hanging because tpm_ibmvtpm_send
      was sending CRQ message that probably did not make much sense
      to phype because of Endianness. The fix below sends correctly
      converted CRQ for LE. This was not caught before because it
      seems IMA is not enabled by default in kernel config and
      IMA exercises this particular code path in vtpm.
      
      Tested with IMA and VTPM enabled in kernel config and VTPM
      enabled on both a BE OS and a LE OS ppc64 lpar. This exercised
      CRQ and TPM command code paths in vtpm.
      Patch is against Peter's tpmdd tree on github which included
      Vicky's previous vtpm le patches.
      Signed-off-by: Joy Latten <jmlatten@linux.vnet.ibm.com>
      Cc: <stable@vger.kernel.org> # eb71f8a5: "Added Little Endian support to vtpm module"
      Cc: <stable@vger.kernel.org>
      Reviewed-by: Ashley Lai <ashley@ahsleylai.com>
      Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
  10. 03 Mar, 2015 1 commit
  11. 28 Feb, 2015 2 commits
  12. 23 Feb, 2015 3 commits
    • Linux 4.0-rc1 · c517d838
      Linus Torvalds authored
      .. after extensive statistical analysis of my G+ polling, I've come to
      the inescapable conclusion that internet polls are bad.
      
      Big surprise.
      
      But "Hurr durr I'ma sheep" trounced "I like online polls" by a 62-to-38%
      margin, in a poll that people weren't even supposed to participate in.
      Who can argue with solid numbers like that? 5,796 votes from people who
      can't even follow the most basic directions?
      
      In contrast, "v4.0" beat out "v3.20" by a slimmer margin of 56-to-44%,
      but with a total of 29,110 votes right now.
      
      Now, arguably, that vote spread is only about 3,200 votes, which is less
      than the almost six thousand votes that the "please ignore" poll got, so
      it could be considered noise.
      
      But hey, I asked, so I'll honor the votes.
    • Merge tag 'ext4_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 · feaf2229
      Linus Torvalds authored
      Pull ext4 fixes from Ted Ts'o:
       "Ext4 bug fixes.
      
        We also reserved code points for encryption and read-only images (for
        which the implementation is mostly just the reserved code point for a
        read-only feature :-)"
      
      * tag 'ext4_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4:
        ext4: fix indirect punch hole corruption
        ext4: ignore journal checksum on remount; don't fail
        ext4: remove duplicate remount check for JOURNAL_CHECKSUM change
        ext4: fix mmap data corruption in nodelalloc mode when blocksize < pagesize
        ext4: support read-only images
        ext4: change to use setup_timer() instead of init_timer()
        ext4: reserve codepoints used by the ext4 encryption feature
        jbd2: complain about descriptor block checksum errors
    • Merge branch 'for-linus-2' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · be5e6616
      Linus Torvalds authored
      Pull more vfs updates from Al Viro:
       "Assorted stuff from this cycle.  The big ones here are multilayer
        overlayfs from Miklos and beginning of sorting ->d_inode accesses out
        from David"
      
      * 'for-linus-2' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (51 commits)
        autofs4 copy_dev_ioctl(): keep the value of ->size we'd used for allocation
        procfs: fix race between symlink removals and traversals
        debugfs: leave freeing a symlink body until inode eviction
        Documentation/filesystems/Locking: ->get_sb() is long gone
        trylock_super(): replacement for grab_super_passive()
        fanotify: Fix up scripted S_ISDIR/S_ISREG/S_ISLNK conversions
        Cachefiles: Fix up scripted S_ISDIR/S_ISREG/S_ISLNK conversions
        VFS: (Scripted) Convert S_ISLNK/DIR/REG(dentry->d_inode) to d_is_*(dentry)
        SELinux: Use d_is_positive() rather than testing dentry->d_inode
        Smack: Use d_is_positive() rather than testing dentry->d_inode
        TOMOYO: Use d_is_dir() rather than d_inode and S_ISDIR()
        Apparmor: Use d_is_positive/negative() rather than testing dentry->d_inode
        Apparmor: mediated_filesystem() should use dentry->d_sb not inode->i_sb
        VFS: Split DCACHE_FILE_TYPE into regular and special types
        VFS: Add a fallthrough flag for marking virtual dentries
        VFS: Add a whiteout dentry type
        VFS: Introduce inode-getting helpers for layered/unioned fs environments
        Infiniband: Fix potential NULL d_inode dereference
        posix_acl: fix reference leaks in posix_acl_create
        autofs4: Wrong format for printing dentry
        ...
  13. 22 Feb, 2015 6 commits