1. 12 Jun, 2019 2 commits
  2. 11 Jun, 2019 1 commit
  3. 21 May, 2019 1 commit
  4. 29 Apr, 2019 1 commit
  5. 15 Apr, 2019 1 commit
  6. 04 Apr, 2019 1 commit
    •
      kernfs: fix xattr name handling in LSM helpers · 1537ad15
      Ondrej Mosnacek authored
      The implementation of kernfs_security_xattr_*() helpers reuses the
      kernfs_node_xattr_*() functions, which take the suffix of the xattr name
      and extract full xattr name from it using xattr_full_name(). However,
      this function relies on the fact that the suffix passed to xattr
      handlers from VFS is always constructed from the full name by just
      incrementing the pointer. This doesn't necessarily hold for the callers
      of kernfs_security_xattr_*(), so their usage will easily lead to
      out-of-bounds access.
      
      Fix this by moving the xattr name reconstruction to the VFS xattr
      handlers and replacing the kernfs_security_xattr_*() helpers with more
      general kernfs_xattr_*() helpers that take full xattr name and allow
      accessing all kernfs node's xattrs.
      Reported-by: kernel test robot <rong.a.chen@intel.com>
      Fixes: b230d5ab ("LSM: add new hook for kernfs node initialization")
      Fixes: ec882da5 ("selinux: implement the kernfs_init_security hook")
      Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
      Signed-off-by: Paul Moore <paul@paul-moore.com>
      1537ad15
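The pointer-arithmetic hazard the commit above describes, as an added C illustration that is not kernfs or VFS code: reconstructing a full xattr name by stepping a suffix pointer backwards over an assumed prefix is only valid when that suffix was carved out of the full name in the first place, so a helper that accepts a stand-alone suffix must build the full name into its own buffer instead. The prefix constant, the function names and the sample xattr table are all constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration (not kernfs/VFS code) of suffix-to-full-name
 * reconstruction and why it is only safe for VFS-supplied suffixes. */
#define SEC_PREFIX     "security."
#define SEC_PREFIX_LEN (sizeof(SEC_PREFIX) - 1)

/* Constructed per-node xattr table keyed by FULL name. */
struct xattr_entry { const char *name; const char *value; };
static const struct xattr_entry node_xattrs[] = {
	{ "security.selinux",        "system_u:object_r:cgroup_t:s0" },
	{ "trusted.overlay.opaque",  "y" },
};

/* Look up a full xattr name; NULL stands in for -ENODATA. */
static const char *xattr_get(const char *full_name)
{
	size_t i;
	for (i = 0; i < sizeof(node_xattrs) / sizeof(node_xattrs[0]); i++)
		if (strcmp(node_xattrs[i].name, full_name) == 0)
			return node_xattrs[i].value;
	return NULL;
}

/* Suffix-based reconstruction. Valid ONLY when `suffix` is exactly
 * `full + SEC_PREFIX_LEN` for a buffer that starts with the prefix; for any
 * other pointer the subtraction leaves the object and the read that follows
 * is out of bounds. */
static const char *full_name_from_suffix(const char *suffix)
{
	return suffix - SEC_PREFIX_LEN;
}

/* Does `suffix` point exactly at the suffix part of `full`? */
static int suffix_derived_from(const char *full, const char *suffix)
{
	return strncmp(full, SEC_PREFIX, SEC_PREFIX_LEN) == 0 &&
	       suffix == full + SEC_PREFIX_LEN;
}

/* Prefix-independent alternative: build the full name into a caller-owned
 * buffer. Safe for any suffix, whoever produced it.
 * Returns 0 on success, -1 if `out` is too small (ENAMETOOLONG analogue). */
static int build_full_name(char *out, size_t outlen, const char *suffix)
{
	size_t slen = strlen(suffix);
	if (SEC_PREFIX_LEN + slen + 1 > outlen)
		return -1;
	memcpy(out, SEC_PREFIX, SEC_PREFIX_LEN);
	memcpy(out + SEC_PREFIX_LEN, suffix, slen + 1);
	return 0;
}

/* Path 1: VFS-style handler. The suffix was carved out of the full name the
 * VFS holds, so the pointer trick is legitimate; the relationship is still
 * checked before it is relied upon. */
static int vfs_style_lookup(char *out, size_t outlen)
{
	const char full[] = "security.selinux";       /* what VFS holds   */
	const char *suffix = full + SEC_PREFIX_LEN;    /* what handler sees */
	const char *name;

	if (!suffix_derived_from(full, suffix))
		return -1;
	name = full_name_from_suffix(suffix);          /* == full */
	if (strlen(name) + 1 > outlen)
		return -1;
	memcpy(out, name, strlen(name) + 1);
	return 0;
}

/* Path 2: a direct caller (the LSM-helper situation in the commit) passing a
 * stand-alone suffix. No prefix precedes it in memory, so
 * full_name_from_suffix() must not be used; the name is built instead. */
static int direct_lookup(char *out, size_t outlen)
{
	const char *suffix = "selinux";   /* stand-alone literal, no prefix before it */
	return build_full_name(out, outlen, suffix);
}

int main(void)
{
	char name[64];
	if (vfs_style_lookup(name, sizeof name) == 0)
		printf("vfs path   : %s -> %s\n", name, xattr_get(name));
	if (direct_lookup(name, sizeof name) == 0)
		printf("direct path: %s -> %s\n", name, xattr_get(name));
	return 0;
}
```

Both paths end with the same full name and the same table hit; the difference is that only the first one may legitimately derive that name by pointer subtraction, which is why the fix moves reconstruction into the VFS handlers and gives the direct helpers a full-name interface.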
  7. 30 Mar, 2019 1 commit
  8. 25 Mar, 2019 3 commits
  9. 22 Mar, 2019 1 commit
  10. 21 Mar, 2019 7 commits
    •
      kernfs: initialize security of newly created nodes · e19dfdc8
      Ondrej Mosnacek authored
      Use the new security_kernfs_init_security() hook to allow LSMs to
      possibly assign a non-default security context to a newly created kernfs
      node based on the attributes of the new node and also its parent node.
      
      This fixes an issue with cgroupfs under SELinux, where newly created
      cgroup subdirectories/files would not inherit its parent's context if
      it had been set explicitly to a non-default value (other than the genfs
      context specified by the policy). This can be reproduced as follows (on
      Fedora/RHEL):
      
          # mkdir /sys/fs/cgroup/unified/test
          # # Need permissive to change the label under Fedora policy:
          # setenforce 0
          # chcon -t container_file_t /sys/fs/cgroup/unified/test
          # ls -lZ /sys/fs/cgroup/unified
          total 0
          -r--r--r--.  1 root root system_u:object_r:cgroup_t:s0         0 Jan 29 03:06 cgroup.controllers
          -rw-r--r--.  1 root root system_u:object_r:cgroup_t:s0         0 Jan 29 03:06 cgroup.max.depth
          -rw-r--r--.  1 root root system_u:object_r:cgroup_t:s0         0 Jan 29 03:06 cgroup.max.descendants
          -rw-r--r--.  1 root root system_u:object_r:cgroup_t:s0         0 Jan 29 03:06 cgroup.procs
          -r--r--r--.  1 root root system_u:object_r:cgroup_t:s0         0 Jan 29 03:06 cgroup.stat
          -rw-r--r--.  1 root root system_u:object_r:cgroup_t:s0         0 Jan 29 03:06 cgroup.subtree_control
          -rw-r--r--.  1 root root system_u:object_r:cgroup_t:s0         0 Jan 29 03:06 cgroup.threads
          drwxr-xr-x.  2 root root system_u:object_r:cgroup_t:s0         0 Jan 29 03:06 init.scope
          drwxr-xr-x. 26 root root system_u:object_r:cgroup_t:s0         0 Jan 29 03:21 system.slice
          drwxr-xr-x.  3 root root system_u:object_r:container_file_t:s0 0 Jan 29 03:15 test
          drwxr-xr-x.  3 root root system_u:object_r:cgroup_t:s0         0 Jan 29 03:06 user.slice
          # mkdir /sys/fs/cgroup/unified/test/subdir
      
      Actual result:
      
          # ls -ldZ /sys/fs/cgroup/unified/test/subdir
          drwxr-xr-x. 2 root root system_u:object_r:cgroup_t:s0 0 Jan 29 03:15 /sys/fs/cgroup/unified/test/subdir
      
      Expected result:
      
          # ls -ldZ /sys/fs/cgroup/unified/test/subdir
          drwxr-xr-x. 2 root root unconfined_u:object_r:container_file_t:s0 0 Jan 29 03:15 /sys/fs/cgroup/unified/test/subdir
      
      Link: https://github.com/SELinuxProject/selinux-kernel/issues/39
      Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
      Acked-by: Casey Schaufler <casey@schaufler-ca.com>
      Signed-off-by: Paul Moore <paul@paul-moore.com>
      e19dfdc8
    •
      selinux: implement the kernfs_init_security hook · ec882da5
      Ondrej Mosnacek authored
      The hook applies the same logic as selinux_determine_inode_label(), with
      the exception of the super_block handling, which will be enforced on the
      actual inodes later by other hooks.
      Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
      [PM: minor merge fixes]
      Signed-off-by: Paul Moore <paul@paul-moore.com>
      ec882da5
    •
      LSM: add new hook for kernfs node initialization · b230d5ab
      Ondrej Mosnacek authored
      This patch introduces a new security hook that is intended for
      initializing the security data for newly created kernfs nodes, which
      provide a way of storing a non-default security context, but need to
      operate independently from mounts (and therefore may not have an
      associated inode at the moment of creation).
      
      The main motivation is to allow kernfs nodes to inherit the context of
      the parent under SELinux, similar to the behavior of
      security_inode_init_security(). Other LSMs may implement their own logic
      for handling the creation of new nodes.
      
      This patch also adds helper functions to <linux/kernfs.h> for
      getting/setting security xattrs of a kernfs node so that LSMs hooks are
      able to do their job. Other important attributes should be accessible
      directly in the kernfs_node fields (in case there is need for more, then
      new helpers should be added to kernfs.h along with the patch that needs
      them).
      Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
      Acked-by: Casey Schaufler <casey@schaufler-ca.com>
      [PM: more manual merge fixes]
      Signed-off-by: Paul Moore <paul@paul-moore.com>
      b230d5ab
    •
      kernfs: use simple_xattrs for security attributes · 0ac6075a
      Ondrej Mosnacek authored
      Replace the special handling of security xattrs with simple_xattrs, as
      is already done for the trusted xattrs. This simplifies the code and
      allows LSMs to use more than just a single xattr to do their business.
      Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
      Acked-by: Casey Schaufler <casey@schaufler-ca.com>
      [PM: manual merge fixes]
      Signed-off-by: Paul Moore <paul@paul-moore.com>
      0ac6075a
    •
      selinux: try security xattr after genfs for kernfs filesystems · b754026b
      Ondrej Mosnacek authored
      Since kernfs supports the security xattr handlers, we can simply use
      these to determine the inode's context, dropping the need to update it
      from kernfs explicitly using a security_inode_notifysecctx() call.
      
      We achieve this by setting a new sbsec flag SE_SBGENFS_XATTR to all
      mounts that are known to use kernfs under the hood and then fetching the
      xattrs after determining the fallback genfs sid in
      inode_doinit_with_dentry() when this flag is set.
      
      This will allow implementing full security xattr support in kernfs and
      removing the ...notifysecctx() call in a subsequent patch.
      Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
      Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
      Acked-by: Casey Schaufler <casey@schaufler-ca.com>
      [PM: more manual merge fixups]
      Signed-off-by: Paul Moore <paul@paul-moore.com>
      b754026b
    •
      kernfs: do not alloc iattrs in kernfs_xattr_get · d0c9c153
      Ondrej Mosnacek authored
      This is a read-only operation, so we can simply return -ENODATA if
      kn->iattr is NULL.
      Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
      Acked-by: Casey Schaufler <casey@schaufler-ca.com>
      [PM: minor merge fixes]
      Signed-off-by: Paul Moore <paul@paul-moore.com>
      d0c9c153
    •
      kernfs: clean up struct kernfs_iattrs · 05895219
      Ondrej Mosnacek authored
      Right now, kernfs_iattrs embeds the whole struct iattr, even though it
      doesn't really use half of its fields... This both leads to wasting
      space and makes the code look awkward. Let's just list the few fields
      we need directly in struct kernfs_iattrs.
      Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
      Acked-by: Casey Schaufler <casey@schaufler-ca.com>
      [PM: merged a number of chunks manually due to fuzz]
      Signed-off-by: Paul Moore <paul@paul-moore.com>
      05895219
  11. 19 Mar, 2019 1 commit
  12. 18 Mar, 2019 2 commits
    •
      selinux: use kernel linux/socket.h for genheaders and mdp · ff1bf4c0
      Paulo Alcantara authored
      When compiling genheaders and mdp from a newer host kernel, the
      following error happens:
      
          In file included from scripts/selinux/genheaders/genheaders.c:18:
          ./security/selinux/include/classmap.h:238:2: error: #error New
          address family defined, please update secclass_map.  #error New
          address family defined, please update secclass_map.  ^~~~~
          make[3]: *** [scripts/Makefile.host:107:
          scripts/selinux/genheaders/genheaders] Error 1 make[2]: ***
          [scripts/Makefile.build:599: scripts/selinux/genheaders] Error 2
          make[1]: *** [scripts/Makefile.build:599: scripts/selinux] Error 2
          make[1]: *** Waiting for unfinished jobs....
      
      Instead of relying on the host definition, include linux/socket.h in
      classmap.h to have PF_MAX.
      Signed-off-by: Paulo Alcantara <paulo@paulo.ac>
      Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
      [PM: manually merge in mdp.c, subject line tweaks]
      Signed-off-by: Paul Moore <paul@paul-moore.com>
      ff1bf4c0
    •
      scripts/selinux: modernize mdp · e37c1877
      Stephen Smalley authored
      Derived in part from a patch by Dominick Grift.
      
      The MDP example no longer works on modern systems.  Fix it.
      While we are at it, add MLS support and enable it.
      
      NB This still does not work on systems using dbus-daemon instead of
      dbus-broker because dbus-daemon does not yet gracefully handle unknown
      classes/permissions.  This appears to be a deficiency in libselinux's
      selinux_set_mapping() interface and underlying implementation,
      which was never fully updated to deal with unknown classes/permissions
      unlike the kernel.  The same problem also occurs with XSELinux.
      Programs that instead use selinux_check_access() like dbus-broker
      should not have this problem.
      
      Changes to mdp:
      Add support for devtmpfs, required by modern Linux distributions.
      Add MLS support, with sample sensitivities, categories, and constraints.
      Generate fs_use and genfscon rules based on kernel configuration.
      Update list of filesystem types for fs_use and genfscon rules.
      Use object_r for object contexts.
      
      Changes to install_policy.sh:
      Bail immediately on any errors.
      Provide more helpful error messages when unable to find userspace tools.
      Refuse to run if SELinux is already enabled.
      Unconditionally move aside /etc/selinux/config and create a new one.
      Build policy with -U allow so that userspace object managers do not break.
      Build policy with MLS enabled by default.
      Create seusers, failsafe_context, and default_contexts for use by
      pam_selinux / libselinux.
      Create x_contexts for the SELinux X extension.
      Create virtual_domain_context and virtual_image_context for libvirtd.
      Set to permissive mode rather than enforcing to permit initial autorelabel.
      Update the list of filesystem types to be relabeled.
      Write -F to /.autorelabel to cause a forced autorelabel on reboot.
      Drop broken attempt to relabel the /dev mountpoint directory.
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
      Acked-by: Dominick Grift <dominick.grift@defensec.nl>
      Signed-off-by: Paul Moore <paul@paul-moore.com>
      e37c1877
  13. 17 Mar, 2019 14 commits
  14. 16 Mar, 2019 4 commits
    •
      Merge tag 'pidfd-v5.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux · a9dce667
      Linus Torvalds authored
      Pull pidfd system call from Christian Brauner:
       "This introduces the ability to use file descriptors from /proc/<pid>/
        as stable handles on struct pid. Even if a pid is recycled the handle
        will not change. For a start these fds can be used to send signals to
        the processes they refer to.
      
        With the ability to use /proc/<pid> fds as stable handles on struct
        pid we can fix a long-standing issue where after a process has exited
        its pid can be reused by another process. If a caller sends a signal
        to a reused pid it will end up signaling the wrong process.
      
        With this patchset we enable a variety of use cases. One obvious
        example is that we can now safely delegate an important part of
        process management - sending signals - to processes other than the
        parent of a given process by sending file descriptors around via scm
        rights and not fearing that the given process will have been recycled
        in the meantime. It also allows for easy testing whether a given
        process is still alive or not by sending signal 0 to a pidfd which is
        quite handy.
      
        There has been some interest in this feature e.g. from systems
        management (systemd, glibc) and container managers. I have requested
        and gotten comments from glibc to make sure that this syscall is
        suitable for their needs as well. In the future I expect it to take on
        most other pid-based signal syscalls. But such features are left for
        the future once they are needed.
      
        This has been sitting in linux-next for quite a while and has not
        caused any issues. It comes with selftests which verify basic
        functionality and also test that a recycled pid cannot be signaled via
        a pidfd.
      
        Jon has written about a prior version of this patchset. It should
        cover the basic functionality since not a lot has changed since then:
      
            https://lwn.net/Articles/773459/
      
        The commit message for the syscall itself is extensively documenting
        the syscall, including its functionality and extensibility"
      
      * tag 'pidfd-v5.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux:
        selftests: add tests for pidfd_send_signal()
        signal: add pidfd_send_signal() syscall
      a9dce667
    •
      Merge tag 'devdax-for-5.1' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm · f67e3fb4
      Linus Torvalds authored
      Pull device-dax updates from Dan Williams:
       "New device-dax infrastructure to allow persistent memory and other
        "reserved" / performance differentiated memories, to be assigned to
        the core-mm as "System RAM".
      
        Some users want to use persistent memory as additional volatile
        memory. They are willing to cope with potential performance
        differences, for example between DRAM and 3D Xpoint, and want to use
        typical Linux memory management apis rather than a userspace memory
        allocator layered over an mmap() of a dax file. The administration
        model is to decide how much Persistent Memory (pmem) to use as System
        RAM, create a device-dax-mode namespace of that size, and then assign
        it to the core-mm. The rationale for device-dax is that it is a
        generic memory-mapping driver that can be layered over any "special
        purpose" memory, not just pmem. On subsequent boots udev rules can be
        used to restore the memory assignment.
      
        One implication of using pmem as RAM is that mlock() no longer keeps
        data off persistent media. For this reason it is recommended to enable
        NVDIMM Security (previously merged for 5.0) to encrypt pmem contents
        at rest. We considered making this recommendation an actively enforced
        requirement, but in the end decided to leave it as a distribution /
        administrator policy to allow for emulation and test environments that
        lack security capable NVDIMMs.
      
        Summary:
      
         - Replace the /sys/class/dax device model with /sys/bus/dax, and
           include a compat driver so distributions can opt-in to the new ABI.
      
         - Allow for an alternative driver for the device-dax address-range
      
         - Introduce the 'kmem' driver to hotplug / assign a device-dax
           address-range to the core-mm.
      
         - Arrange for the device-dax target-node to be onlined so that the
           newly added memory range can be uniquely referenced by numa apis"
      
      NOTE! I'm not entirely happy with the whole "PMEM as RAM" model because
      we currently have special - and very annoying rules in the kernel about
      accessing PMEM only with the "MC safe" accessors, because machine checks
      inside the regular repeat string copy functions can be fatal in some
      (not described) circumstances.
      
      And apparently the PMEM modules can cause that a lot more than regular
      RAM.  The argument is that this happens because PMEM doesn't necessarily
      get scrubbed at boot like RAM does, but that is planned to be added for
      the user space tooling.
      
      Quoting Dan from another email:
       "The exposure can be reduced in the volatile-RAM case by scanning for
        and clearing errors before it is onlined as RAM. The userspace tooling
        for that can be in place before v5.1-final. There's also runtime
        notifications of errors via acpi_nfit_uc_error_notify() from
        background scrubbers on the DIMM devices. With that mechanism the
        kernel could proactively clear newly discovered poison in the volatile
        case, but that would be additional development more suitable for v5.2.
      
        I understand the concern, and the need to highlight this issue by
        tapping the brakes on feature development, but I don't see PMEM as RAM
        making the situation worse when the exposure is also there via DAX in
        the PMEM case. Volatile-RAM is arguably a safer use case since it's
        possible to repair pages where the persistent case needs active
        application coordination"
      
      * tag 'devdax-for-5.1' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm:
        device-dax: "Hotplug" persistent memory for use like normal RAM
        mm/resource: Let walk_system_ram_range() search child resources
        mm/memory-hotplug: Allow memory resources to be children
        mm/resource: Move HMM pr_debug() deeper into resource code
        mm/resource: Return real error codes from walk failures
        device-dax: Add a 'modalias' attribute to DAX 'bus' devices
        device-dax: Add a 'target_node' attribute
        device-dax: Auto-bind device after successful new_id
        acpi/nfit, device-dax: Identify differentiated memory with a unique numa-node
        device-dax: Add /sys/class/dax backwards compatibility
        device-dax: Add support for a dax override driver
        device-dax: Move resource pinning+mapping into the common driver
        device-dax: Introduce bus + driver model
        device-dax: Start defining a dax bus model
        device-dax: Remove multi-resource infrastructure
        device-dax: Kill dax_region base
        device-dax: Kill dax_region ida
      f67e3fb4
    •
      Merge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 477558d7
      Linus Torvalds authored
      Pull more SCSI updates from James Bottomley:
       "This is the final round of mostly small fixes and performance
        improvements to our initial submit.
      
        The main regression fix is the ia64 simscsi build failure which was
        missed in the serial number elimination conversion"
      
      * tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: (24 commits)
        scsi: ia64: simscsi: use request tag instead of serial_number
        scsi: aacraid: Fix performance issue on logical drives
        scsi: lpfc: Fix error codes in lpfc_sli4_pci_mem_setup()
        scsi: libiscsi: Hold back_lock when calling iscsi_complete_task
        scsi: hisi_sas: Change SERDES_CFG init value to increase reliability of HiLink
        scsi: hisi_sas: Send HARD RESET to clear the previous affiliation of STP target port
        scsi: hisi_sas: Set PHY linkrate when disconnected
        scsi: hisi_sas: print PHY RX errors count for later revision of v3 hw
        scsi: hisi_sas: Fix a timeout race of driver internal and SMP IO
        scsi: hisi_sas: Change return variable type in phy_up_v3_hw()
        scsi: qla2xxx: check for kstrtol() failure
        scsi: lpfc: fix 32-bit format string warning
        scsi: lpfc: fix unused variable warning
        scsi: target: tcmu: Switch to bitmap_zalloc()
        scsi: libiscsi: fall back to sendmsg for slab pages
        scsi: qla2xxx: avoid printf format warning
        scsi: lpfc: resolve static checker warning in lpfc_sli4_hba_unset
        scsi: lpfc: Correct __lpfc_sli_issue_iocb_s4 lockdep check
        scsi: ufs: hisi: fix ufs_hba_variant_ops passing
        scsi: qla2xxx: Fix panic in qla_dfs_tgt_counters_show
        ...
      477558d7
    •
      Merge tag 'for-5.1/block-post-20190315' of git://git.kernel.dk/linux-block · 11efae35
      Linus Torvalds authored
      Pull more block layer changes from Jens Axboe:
       "This is a collection of both stragglers, and fixes that came in after
        I finalized the initial pull. This contains:
      
         - An MD pull request from Song, with a few minor fixes
      
         - Set of NVMe patches via Christoph
      
         - Pull request from Konrad, with a few fixes for xen/blkback
      
         - pblk fix IO calculation fix (Javier)
      
         - Segment calculation fix for pass-through (Ming)
      
         - Fallthrough annotation for blkcg (Mathieu)"
      
      * tag 'for-5.1/block-post-20190315' of git://git.kernel.dk/linux-block: (25 commits)
        blkcg: annotate implicit fall through
        nvme-tcp: support C2HData with SUCCESS flag
        nvmet: ignore EOPNOTSUPP for discard
        nvme: add proper write zeroes setup for the multipath device
        nvme: add proper discard setup for the multipath device
        nvme: remove nvme_ns_config_oncs
        nvme: disable Write Zeroes for qemu controllers
        nvmet-fc: bring Disconnect into compliance with FC-NVME spec
        nvmet-fc: fix issues with targetport assoc_list list walking
        nvme-fc: reject reconnect if io queue count is reduced to zero
        nvme-fc: fix numa_node when dev is null
        nvme-fc: use nr_phys_segments to determine existence of sgl
        nvme-loop: init nvmet_ctrl fatal_err_work when allocate
        nvme: update comment to make the code easier to read
        nvme: put ns_head ref if namespace fails allocation
        nvme-trace: fix cdw10 buffer overrun
        nvme: don't warn on block content change effects
        nvme: add get-feature to admin cmds tracer
        md: Fix failed allocation of md_register_thread
        It's wrong to add len to sector_nr in raid10 reshape twice
        ...
      11efae35