- 26 Sep, 2011 4 commits
-
-
-
Tetsuo Handa authored
tomoyo_policy_lock mutex already protects it. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
-
Tetsuo Handa authored
When TOMOYO started using garbage collector at commit 847b173e "TOMOYO: Add garbage collector.", we waited for close() before kfree(). Thus, elements to be kfree()d were queued up using tomoyo_gc_list list. But it turned out that tomoyo_element_linked_by_gc() tends to choke garbage collector when certain pattern of entries are queued. Since garbage collector is no longer waiting for close() since commit 2e503bbb "TOMOYO: Fix lockdep warning.", we can remove tomoyo_gc_list list and tomoyo_element_linked_by_gc() by doing sequential processing. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
-
Tetsuo Handa authored
Commit efe836ab "TOMOYO: Add built-in policy support." introduced tomoyo_load_builtin_policy() but was by error called from nowhere. Commit b22b8b9f "TOMOYO: Rename meminfo to stat and show more statistics." introduced tomoyo_update_stat() but was by error not called from tomoyo_assign_domain(). Also, mark tomoyo_io_printf() and tomoyo_path_permission() static functions, as reported by "make namespacecheck". Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
-
- 21 Sep, 2011 4 commits
-
-
Mimi Zohar authored
Now that hex2bin does error checking, on error add debugging error msg. Changelog v1 (update): - fixed definition of 'ret' - hex2bin now returns an int Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Acked-by: Andy Shevchenko <andy.shevchenko@gmail.com>
-
Mimi Zohar authored
For each hex2bin call in encrypted keys, check that the ascii hex string is valid. On failure, return -EINVAL. Changelog v1: - hex2bin now returns an int Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Acked-by: Andy Shevchenko <andy.shevchenko@gmail.com>
-
Mimi Zohar authored
For each hex2bin call in trusted keys, check that the ascii hex string is valid. On failure, return -EINVAL. Changelog v1: - hex2bin now returns an int Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Acked-by: Andy Shevchenko <andy.shevchenko@gmail.com>
-
Mimi Zohar authored
hex2bin converts a hexadecimal string to its binary representation. The original version of hex2bin did not do any error checking. This patch adds error checking and returns the result. Changelog v1: - removed unpack_hex_byte() - changed return code from boolean to int Changelog: - use the new unpack_hex_byte() - add __must_check compiler option (Andy Shevchenko's suggestion) - change function API to return error checking result (based on Tetsuo Handa's initial patch) Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Acked-by: Andy Shevchenko <andy.shevchenko@gmail.com>
-
- 19 Sep, 2011 1 commit
-
-
Tetsuo Handa authored
I got an opinion that it is difficult to use exception policy's domain transition control directives because they need to match the pathname specified to "file execute" directives. For example, if "file execute /bin/\*\-ls\-cat" is given, corresponding domain transition control directive needs to be like "no_keep_domain /bin/\*\-ls\-cat from any". If we can specify like below, it will become more convenient. file execute /bin/ls keep exec.realpath="/bin/ls" exec.argv[0]="ls" file execute /bin/cat keep exec.realpath="/bin/cat" exec.argv[0]="cat" file execute /bin/\*\-ls\-cat child file execute /usr/sbin/httpd <apache> exec.realpath="/usr/sbin/httpd" exec.argv[0]="/usr/sbin/httpd" In above examples, "keep" works as if keep_domain is specified, "child" works as if "no_reset_domain" and "no_initialize_domain" and "no_keep_domain" are specified, "<apache>" causes domain transition to <apache> domain upon successful execve() operation. Moreover, we can also allow transition to different domains based on conditions like below example. <kernel> /usr/sbin/sshd file execute /bin/bash <kernel> /usr/sbin/sshd //batch-session exec.argc=2 exec.argv[1]="-c" file execute /bin/bash <kernel> /usr/sbin/sshd //root-session task.uid=0 file execute /bin/bash <kernel> /usr/sbin/sshd //nonroot-session task.uid!=0 Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
-
- 15 Sep, 2011 1 commit
-
-
Stephen Rothwell authored
Fixes this build error: security/keys/encrypted-keys/masterkey_trusted.c: In function 'request_trusted_key': security/keys/encrypted-keys/masterkey_trusted.c:35:2: error: implicit declaration of function 'IS_ERR' Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au> Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
-
- 14 Sep, 2011 10 commits
-
-
-
Tetsuo Handa authored
Tell userland tools that this is TOMOYO 2.5. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
-
Dmitry Kasatkin authored
When allocating from slab, initialization is done the first time in init_once() and subsequently on free. Because evm_status was not re-initialized on free, evm_verify_hmac() skipped verifications. This patch re-initializes evm_status. Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com> Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
-
Mimi Zohar authored
Before permitting 'security.evm' to be updated, 'security.evm' must exist and be valid. In the case that there are no existing EVM protected xattrs, it is safe for posix acls to update the mode bits. To differentiate between no 'security.evm' xattr and no xattrs used to calculate 'security.evm', this patch defines INTEGRITY_NOXATTR. Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
-
Mimi Zohar authored
The posix xattr acls are 'system' prefixed, which normally would not affect security.evm. An interesting side affect of writing posix xattr acls is their modifying of the i_mode, which is included in security.evm. This patch updates security.evm when posix xattr acls are written. Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
-
Mimi Zohar authored
evm_protect_xattr unnecessarily validates the current security.evm integrity, before updating non-evm protected extended attributes and other file metadata. This patch limits validating the current security.evm integrity to evm protected metadata. Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
-
Mimi Zohar authored
security_inode_init_security previously returned -EOPNOTSUPP, for S_PRIVATE inodes, and relied on the callers to change it to 0. As the callers do not change the return code anymore, return 0, intead of -EOPNOTSUPP. Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
-
Mimi Zohar authored
All tristates selected by EVM(boolean) are forced to be builtin, except in the TCG_TPM(tristate) dependency case. Arnaud Lacombe summarizes the Kconfig bug as, "So it would seem direct dependency state influence the state of reverse dependencies.." For a detailed explanation, refer to Arnaud Lacombe's posting http://lkml.org/lkml/2011/8/23/498. With the "encrypted-keys: remove trusted-keys dependency" patch, EVM can now be built without a dependency on TCG_TPM. The trusted-keys dependency requires trusted-keys to either be builtin or not selected. This dependency will prevent the boolean/tristate mismatch from occuring. Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>, Randy Dunlap <rdunlap@xenotimenet> Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
-
Mimi Zohar authored
Encrypted keys are decrypted/encrypted using either a trusted-key or, for those systems without a TPM, a user-defined key. This patch removes the trusted-keys and TCG_TPM dependencies. Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
-
Mimi Zohar authored
Move all files associated with encrypted keys to keys/encrypted-keys. Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
-
- 13 Sep, 2011 5 commits
-
-
Tetsuo Handa authored
There was a race window that the pathname which is subjected to "file execute" permission check when retrying via supervisor's decision because the pathname was recalculated upon retry. Though, there is an inevitable race window even without supervisor, for we have to calculate the symbolic link's pathname from "struct linux_binprm"->filename rather than from "struct linux_binprm"->file because we cannot back calculate the symbolic link's pathname from the dereferenced pathname. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
-
Tetsuo Handa authored
To be able to split permissions for Apache's CGI programs which are executed without execve(), add special domain transition which is performed by writing a TOMOYO's domainname to /sys/kernel/security/tomoyo/self_domain interface. This is an API for TOMOYO-aware userland applications. However, since I expect TOMOYO and other LSM modules to run in parallel, this patch does not use /proc/self/attr/ interface in order to avoid conflicts with other LSM modules when it became possible to run multiple LSM modules in parallel. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
-
Tetsuo Handa authored
Add per-entry flag which controls generation of grant logs because Xen and KVM issues ioctl requests so frequently. For example, file ioctl /dev/null 0x5401 grant_log=no will suppress /sys/kernel/security/tomoyo/audit even if preference says grant_log=yes . Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
-
Tetsuo Handa authored
This patch adds support for permission checks for PF_INET/PF_INET6/PF_UNIX socket's bind()/listen()/connect()/send() operations. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
-
Tetsuo Handa authored
This patch adds support for checking environment variable's names. Although TOMOYO already provides ability to check argv[]/envp[] passed to execve() requests, file execute /bin/sh exec.envp["LD_LIBRARY_PATH"]="bar" will reject execution of /bin/sh if environment variable LD_LIBRARY_PATH is not defined. To grant execution of /bin/sh if LD_LIBRARY_PATH is not defined, administrators have to specify like file execute /bin/sh exec.envp["LD_LIBRARY_PATH"]="/system/lib" file execute /bin/sh exec.envp["LD_LIBRARY_PATH"]=NULL . Since there are many environment variables whereas conditional checks are applied as "&&", it is difficult to cover all combinations. Therefore, this patch supports conditional checks that are applied as "||", by specifying like file execute /bin/sh misc env LD_LIBRARY_PATH exec.envp["LD_LIBRARY_PATH"]="/system/lib" which means "grant execution of /bin/sh if environment variable is not defined or is defined and its value is /system/lib". Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
-
- 09 Sep, 2011 15 commits
-
-
James Morris authored
Fix sparse warning by moving declaraion to global header. Signed-off-by: James Morris <jmorris@namei.org>
-
James Morris authored
Fix several sparse warnings in the SELinux security server code. Signed-off-by: James Morris <jmorris@namei.org>
-
James Morris authored
Fix warning: security/selinux/exports.c:18:6: warning: symbol 'selinux_is_enabled' was not declared. Should it be static? Signed-off-by: James Morris <jmorris@namei.org>
-
James Morris authored
Fix sparse warnings in SELinux Netlink code. Signed-off-by: James Morris <jmorris@namei.org>
-
James Morris authored
Fixes several sparse warnings for selinuxfs.c Signed-off-by: James Morris <jmorris@namei.org>
-
James Morris authored
Fixes sparse warnings: security/integrity/ima/ima_main.c:105:6: warning: symbol 'ima_file_free' was not declared. Should it be static? security/integrity/ima/ima_main.c:167:5: warning: symbol 'ima_file_mmap' was not declared. Should it be static? security/integrity/ima/ima_main.c:192:5: warning: symbol 'ima_bprm_check' was not declared. Should it be static? security/integrity/ima/ima_main.c:211:5: warning: symbol 'ima_file_check' was not declared. Should it be static? Signed-off-by: James Morris <jmorris@namei.org>
-
James Morris authored
Fixes sparse warning: security/integrity/ima/ima_fs.c:290:5: warning: symbol 'ima_open_policy' was not declared. Should it be static? Signed-off-by: James Morris <jmorris@namei.org>
-
James Morris authored
Fix sparse warnings: security/apparmor/procattr.c:35:5: warning: symbol 'aa_getprocattr' was not declared. Should it be static? security/apparmor/procattr.c:113:5: warning: symbol 'aa_setprocattr_changehat' was not declared. Should it be static? security/apparmor/procattr.c:158:5: warning: symbol 'aa_setprocattr_changeprofile' was not declared. Should it be static? security/apparmor/procattr.c:166:5: warning: symbol 'aa_setprocattr_permipc' was not declared. Should it be static? Signed-off-by: James Morris <jmorris@namei.org> Acked-by: John Johansen <john.johansen@canonical.com>
-
James Morris authored
Fix the following warnings: security/apparmor/policy_unpack.c:384:35: warning: symbol 'size' shadows an earlier one security/apparmor/policy_unpack.c:370:24: originally declared here security/apparmor/policy_unpack.c:443:29: warning: symbol 'tmp' shadows an earlier one security/apparmor/policy_unpack.c:434:21: originally declared here Signed-off-by: James Morris <jmorris@namei.org> Acked-by: John Johansen <john.johansen@canonical.com>
-
James Morris authored
Fix the following sparse warnings: security/apparmor/lib.c:37:6: warning: symbol 'aa_split_fqname' was not declared. Should it be static? security/apparmor/lib.c:63:6: warning: symbol 'aa_info_message' was not declared. Should it be static? security/apparmor/lib.c:83:6: warning: symbol 'kvmalloc' was not declared. Should it be static? security/apparmor/lib.c:123:6: warning: symbol 'kvfree' was not declared. Should it be static? Signed-off-by: James Morris <jmorris@namei.org>
-
James Morris authored
Include ipc.h to eliminate sparse warnings. security/apparmor/ipc.c:61:5: warning: symbol 'aa_may_ptrace' was not declared. Should it be static? security/apparmor/ipc.c:83:5: warning: symbol 'aa_ptrace' was not declared. Should it be static Signed-off-by: James Morris <jmorris@namei.org> Acked-by: John Johansen <john.johansen@canonical.com>
-
James Morris authored
Sparse fix: declare selinux_disable() in security.h Signed-off-by: James Morris <jmorris@namei.org>
-
James Morris authored
Sparse fix: move selinux_complete_init Signed-off-by: James Morris <jmorris@namei.org>
-
James Morris authored
Sparse fix: make selinux_secmark_refcount static. Signed-off-by: James Morris <jmorris@namei.org>
-
James Morris authored
Sparse fix: make aa_create_aafs static. Signed-off-by: James Morris <jmorris@namei.org> Acked-by: John Johansen <john.johansen@canonical.com>
-