1. 29 Aug, 2014 2 commits
  2. 28 Aug, 2014 1 commit
    • Casey Schaufler's avatar
      Smack: Bring-up access mode · d166c802
      Casey Schaufler authored
      People keep asking me for permissive mode, and I keep saying "no".
      
      Permissive mode is wrong for more reasons than I can enumerate,
      but the compelling one is that it's once on, never off.
      
      Nonetheless, there is an argument to be made for running a
      process with lots of permissions, logging which are required,
      and then locking the process down. There wasn't a way to do
      that with Smack, but this provides it.
      
      The notion is that you start out by giving the process an
      appropriate Smack label, such as "ATBirds". You create rules
      with a wide range of access and the "b" mode. On Tizen it
      might be:
      
      	ATBirds	System	rwxalb
      	ATBirds	User	rwxalb
      	ATBirds	_	rwxalb
      	User	ATBirds	wb
      	System	ATBirds	wb
      
      Accesses that fail will generate audit records. Accesses
      that succeed because of rules marked with a "b" generate
      log messages identifying the rule, the program and as much
      object information as is convenient.
      
      When the system is properly configured and the programs
      brought in line with the labeling scheme the "b" mode can
      be removed from the rules. When the system is ready for
      production the facility can be configured out.
      
      This provides the developer the convenience of permissive
      mode without creating a system that looks like it is
      enforcing a policy while it is not.
      Signed-off-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      d166c802
  3. 25 Aug, 2014 1 commit
  4. 08 Aug, 2014 3 commits
    • Konstantin Khlebnikov's avatar
      Smack: remove unneeded NULL-termination from securtity label · da1b6356
      Konstantin Khlebnikov authored
      Values of extended attributes are stored as binary blobs. NULL-termination
      of them isn't required. It just wastes disk space and confuses command-line
      tools like getfattr because they have to print that zero byte at the end.
      
      This patch removes terminating zero byte from initial security label in
      smack_inode_init_security and cuts it out in function smack_inode_getsecurity
      which is used by syscall getxattr. This change seems completely safe, because
      function smk_parse_smack ignores everything after first zero byte.
      Signed-off-by: default avatarKonstantin Khlebnikov <k.khlebnikov@samsung.com>
      da1b6356
    • Konstantin Khlebnikov's avatar
      Smack: handle zero-length security labels without panic · b862e561
      Konstantin Khlebnikov authored
      Zero-length security labels are invalid but kernel should handle them.
      
      This patch fixes kernel panic after setting zero-length security labels:
      # attr -S -s "SMACK64" -V "" file
      
      And after writing zero-length string into smackfs files syslog and onlycp:
      # python -c 'import os; os.write(1, "")' > /smack/syslog
      
      The problem is caused by brain-damaged logic in function smk_parse_smack()
      which takes pointer to buffer and its length but if length below or equal zero
      it thinks that the buffer is zero-terminated. Unfortunately callers of this
      function are widely used and proper fix requires serious refactoring.
      Signed-off-by: default avatarKonstantin Khlebnikov <k.khlebnikov@samsung.com>
      b862e561
    • Konstantin Khlebnikov's avatar
      Smack: fix behavior of smack_inode_listsecurity · fd5c9d23
      Konstantin Khlebnikov authored
      Security operation ->inode_listsecurity is used for generating list of
      available extended attributes for syscall listxattr. Currently it's used
      only in nfs4 or if filesystem doesn't provide i_op->listxattr.
      
      The list is the set of NULL-terminated names, one after the other.
      This method must include zero byte at the and into result.
      
      Also this function must return length even if string does not fit into
      output buffer or it is NULL, see similar method in selinux and man listxattr.
      Signed-off-by: default avatarKonstantin Khlebnikov <k.khlebnikov@samsung.com>
      fd5c9d23
  5. 05 Aug, 2014 1 commit
  6. 03 Aug, 2014 1 commit
  7. 02 Aug, 2014 1 commit
  8. 01 Aug, 2014 4 commits
    • Paul Moore's avatar
      netlabel: shorter names for the NetLabel catmap funcs/structs · 4fbe63d1
      Paul Moore authored
      Historically the NetLabel LSM secattr catmap functions and data
      structures have had very long names which makes a mess of the NetLabel
      code and anyone who uses NetLabel.  This patch renames the catmap
      functions and structures from "*_secattr_catmap_*" to just "*_catmap_*"
      which improves things greatly.
      
      There are no substantial code or logic changes in this patch.
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      Tested-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      4fbe63d1
    • Paul Moore's avatar
      netlabel: fix the catmap walking functions · d960a618
      Paul Moore authored
      The two NetLabel LSM secattr catmap walk functions didn't handle
      certain edge conditions correctly, causing incorrect security labels
      to be generated in some cases.  This patch corrects these problems and
      converts the functions to use the new _netlbl_secattr_catmap_getnode()
      function in order to reduce the amount of repeated code.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      Tested-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      d960a618
    • Paul Moore's avatar
      netlabel: fix the horribly broken catmap functions · 4b8feff2
      Paul Moore authored
      The NetLabel secattr catmap functions, and the SELinux import/export
      glue routines, were broken in many horrible ways and the SELinux glue
      code fiddled with the NetLabel catmap structures in ways that we
      probably shouldn't allow.  At some point this "worked", but that was
      likely due to a bit of dumb luck and sub-par testing (both inflicted
      by yours truly).  This patch corrects these problems by basically
      gutting the code in favor of something less obtuse and restoring the
      NetLabel abstractions in the SELinux catmap glue code.
      
      Everything is working now, and if it decides to break itself in the
      future this code will be much easier to debug than the code it
      replaces.
      
      One noteworthy side effect of the changes is that it is no longer
      necessary to allocate a NetLabel catmap before calling one of the
      NetLabel APIs to set a bit in the catmap.  NetLabel will automatically
      allocate the catmap nodes when needed, resulting in less allocations
      when the lowest bit is greater than 255 and less code in the LSMs.
      
      Cc: stable@vger.kernel.org
      Reported-by: default avatarChristian Evans <frodox@zoho.com>
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      Tested-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      4b8feff2
    • Paul Moore's avatar
      netlabel: fix a problem when setting bits below the previously lowest bit · 41c3bd20
      Paul Moore authored
      The NetLabel category (catmap) functions have a problem in that they
      assume categories will be set in an increasing manner, e.g. the next
      category set will always be larger than the last.  Unfortunately, this
      is not a valid assumption and could result in problems when attempting
      to set categories less than the startbit in the lowest catmap node.
      In some cases kernel panics and other nasties can result.
      
      This patch corrects the problem by checking for this and allocating a
      new catmap node instance and placing it at the front of the list.
      
      Cc: stable@vger.kernel.org
      Reported-by: default avatarChristian Evans <frodox@zoho.com>
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      Tested-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      41c3bd20
  9. 31 Jul, 2014 1 commit
  10. 29 Jul, 2014 7 commits
  11. 28 Jul, 2014 4 commits
  12. 26 Jul, 2014 2 commits
  13. 25 Jul, 2014 4 commits
  14. 24 Jul, 2014 3 commits
    • Eric Paris's avatar
      CAPABILITIES: remove undefined caps from all processes · 7d8b6c63
      Eric Paris authored
      This is effectively a revert of 7b9a7ec5
      plus fixing it a different way...
      
      We found, when trying to run an application from an application which
      had dropped privs that the kernel does security checks on undefined
      capability bits.  This was ESPECIALLY difficult to debug as those
      undefined bits are hidden from /proc/$PID/status.
      
      Consider a root application which drops all capabilities from ALL 4
      capability sets.  We assume, since the application is going to set
      eff/perm/inh from an array that it will clear not only the defined caps
      less than CAP_LAST_CAP, but also the higher 28ish bits which are
      undefined future capabilities.
      
      The BSET gets cleared differently.  Instead it is cleared one bit at a
      time.  The problem here is that in security/commoncap.c::cap_task_prctl()
      we actually check the validity of a capability being read.  So any task
      which attempts to 'read all things set in bset' followed by 'unset all
      things set in bset' will not even attempt to unset the undefined bits
      higher than CAP_LAST_CAP.
      
      So the 'parent' will look something like:
      CapInh:	0000000000000000
      CapPrm:	0000000000000000
      CapEff:	0000000000000000
      CapBnd:	ffffffc000000000
      
      All of this 'should' be fine.  Given that these are undefined bits that
      aren't supposed to have anything to do with permissions.  But they do...
      
      So lets now consider a task which cleared the eff/perm/inh completely
      and cleared all of the valid caps in the bset (but not the invalid caps
      it couldn't read out of the kernel).  We know that this is exactly what
      the libcap-ng library does and what the go capabilities library does.
      They both leave you in that above situation if you try to clear all of
      you capapabilities from all 4 sets.  If that root task calls execve()
      the child task will pick up all caps not blocked by the bset.  The bset
      however does not block bits higher than CAP_LAST_CAP.  So now the child
      task has bits in eff which are not in the parent.  These are
      'meaningless' undefined bits, but still bits which the parent doesn't
      have.
      
      The problem is now in cred_cap_issubset() (or any operation which does a
      subset test) as the child, while a subset for valid cap bits, is not a
      subset for invalid cap bits!  So now we set durring commit creds that
      the child is not dumpable.  Given it is 'more priv' than its parent.  It
      also means the parent cannot ptrace the child and other stupidity.
      
      The solution here:
      1) stop hiding capability bits in status
      	This makes debugging easier!
      
      2) stop giving any task undefined capability bits.  it's simple, it you
      don't put those invalid bits in CAP_FULL_SET you won't get them in init
      and you won't get them in any other task either.
      	This fixes the cap_issubset() tests and resulting fallout (which
      	made the init task in a docker container untraceable among other
      	things)
      
      3) mask out undefined bits when sys_capset() is called as it might use
      ~0, ~0 to denote 'all capabilities' for backward/forward compatibility.
      	This lets 'capsh --caps="all=eip" -- -c /bin/bash' run.
      
      4) mask out undefined bit when we read a file capability off of disk as
      again likely all bits are set in the xattr for forward/backward
      compatibility.
      	This lets 'setcap all+pe /bin/bash; /bin/bash' run
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Reviewed-by: default avatarKees Cook <keescook@chromium.org>
      Cc: Andrew Vagin <avagin@openvz.org>
      Cc: Andrew G. Morgan <morgan@kernel.org>
      Cc: Serge E. Hallyn <serge.hallyn@canonical.com>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Steve Grubb <sgrubb@redhat.com>
      Cc: Dan Walsh <dwalsh@redhat.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
      7d8b6c63
    • James Morris's avatar
      Merge tag 'keys-next-20140722' of... · 4ca332e1
      James Morris authored
      Merge tag 'keys-next-20140722' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs into next
      4ca332e1
    • Tetsuo Handa's avatar
      commoncap: don't alloc the credential unless needed in cap_task_prctl · 6d6f3328
      Tetsuo Handa authored
      In function cap_task_prctl(), we would allocate a credential
      unconditionally and then check if we support the requested function.
      If not we would release this credential with abort_creds() by using
      RCU method. But on some archs such as powerpc, the sys_prctl is heavily
      used to get/set the floating point exception mode. So the unnecessary
      allocating/releasing of credential not only introduce runtime overhead
      but also do cause OOM due to the RCU implementation.
      
      This patch removes abort_creds() from cap_task_prctl() by calling
      prepare_creds() only when we need to modify it.
      Reported-by: default avatarKevin Hao <haokexin@gmail.com>
      Signed-off-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Reviewed-by: default avatarPaul Moore <paul@paul-moore.com>
      Acked-by: default avatarSerge E. Hallyn <serge.hallyn@ubuntu.com>
      Reviewed-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
      6d6f3328
  15. 22 Jul, 2014 5 commits
    • David Howells's avatar
      633706a2
    • David Howells's avatar
    • David Howells's avatar
      Merge tag 'keys-pefile-20140709' into keys-next · 6204e002
      David Howells authored
      Here's a set of changes that implement a PE file signature checker.
      
      This provides the following facility:
      
       (1) Extract the signature from the PE file.  This is a PKCS#7 message
           containing, as its data, a hash of the signed parts of the file.
      
       (2) Digest the signed parts of the file.
      
       (3) Compare the digest with the one from the PKCS#7 message.
      
       (4) Validate the signatures on the PKCS#7 message and indicate
           whether it was matched by a trusted key.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      6204e002
    • David Howells's avatar
      Merge tag 'keys-pkcs7-20140708' into keys-next · 1ca72c96
      David Howells authored
      Here's a set of changes that implement a PKCS#7 message parser in the kernel.
      
      The PKCS#7 message parsing will then be used to limit kexec to authenticated
      kernels only if so configured.
      
      The changes provide the following facilities:
      
       (1) Parse an ASN.1 PKCS#7 message and pick out useful bits such as the data
           content and the X.509 certificates used to sign it and all the data
           signatures.
      
       (2) Verify all the data signatures against the set of X.509 certificates
           available in the message.
      
       (3) Follow the certificate chains and verify that:
      
           (a) for every self-signed X.509 certificate, check that it validly signed
           	 itself, and:
      
           (b) for every non-self-signed certificate, if we have a 'parent'
           	 certificate, the former is validly signed by the latter.
      
       (4) Look for intersections between the certificate chains and the trusted
           keyring, if any intersections are found, verify that the trusted
           certificates signed the intersection point in the chain.
      
       (5) For testing purposes, a key type can be made available that will take a
           PKCS#7 message, check that the message is trustworthy, and if so, add its
           data content into the key.
      
      Note that (5) has to be altered to take account of the preparsing patches
      already committed to this branch.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      1ca72c96
    • David Howells's avatar
      Merge tag 'keys-preparse-1-20140722' into keys-next · a19e3c22
      David Howells authored
      Here are a set of changes that make all but encrypted and trusted keys use
      preparsing.  Unfortunately, encrypted and trusted keys incorrectly use the
      update op to alter a key, so other changes will need to be made for them.
      
      These changes permit payload parsing when instantiating or updating a key to be
      done before locks are taken and to determine the amount of quota that will be
      required in advance.  The latter will make it possible to do LRU discard before
      any locks are taken.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      a19e3c22