This patch provides a general mechanism for passing flags to the
security_capable LSM hook. It replaces the specific 'audit' flag that is
used to tell security_capable whether it should log an audit message for
the given capability check. The reason for generalizing this flag
passing is so we can add an additional flag that signifies whether
security_capable is being called by a setid syscall (which is needed by
the proposed SafeSetID LSM).
Change-Id: I4ff373b2041e13808422201744f2aac23ec5b4c2
Signed-off-by: Micah Morton <mortonm@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: James Morris <james.morris@microsoft.com>
Signed-off-by: Naveen <133593113+elohim-etz@users.noreply.github.com>
commit f1bb47a31dff6d4b34fb14e99850860ee74bb003 upstream.
Some ioctl commands do not require ioctl permission, but are routed to
other permissions such as FILE_GETATTR or FILE_SETATTR. This routing is
done by comparing the ioctl cmd to a set of 64-bit flags (FS_IOC_*).
However, if a 32-bit process is running on a 64-bit kernel, it emits
32-bit flags (FS_IOC32_*) for certain ioctl operations. These flags are
being checked erroneously, which leads to these ioctl operations being
routed to the ioctl permission, rather than the correct file
permissions.
This was also noted in a RED-PEN finding from a while back -
"/* RED-PEN how should LSM module know it's handling 32bit? */".
This patch introduces a new hook, security_file_ioctl_compat(), that is
called from the compat ioctl syscall. All current LSMs have been changed
to support this hook.
Reviewing the three places where we are currently using
security_file_ioctl(), it appears that only SELinux needs a dedicated
compat change; TOMOYO and SMACK appear to be functional without any
change.
Cc: stable@vger.kernel.org
Fixes: 0b24dcb7f2 ("Revert "selinux: simplify ioctl checking"")
Signed-off-by: Alfred Piccioni <alpic@google.com>
Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com>
[PM: subject tweak, line length fixes, and alignment corrections]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit f8f51085b4be6132762ce0d8940071ccdcce2504)
[vegard: fix conflict due to missing commit
df0ce17331e2501dbffc060041dfc6c5f85227b5 ("security: convert security
hooks to use hlist")]
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Changes in 4.14.308
ARM: dts: rockchip: add power-domains property to dp node on rk3288
btrfs: send: limit number of clones and allocated memory size
IB/hfi1: Assign npages earlier
net: Remove WARN_ON_ONCE(sk->sk_forward_alloc) from sk_stream_kill_queues().
bpf: Do not use ax register in interpreter on div/mod
bpf: fix subprog verifier bypass by div/mod by 0 exception
bpf: Fix 32 bit src register truncation on div/mod
bpf: Fix truncation handling for mod32 dst reg wrt zero
dmaengine: sh: rcar-dmac: Check for error num after dma_set_max_seg_size
USB: serial: option: add support for VW/Skoda "Carstick LTE"
USB: core: Don't hold device lock while reading the "descriptors" sysfs file
HID: asus: Remove check for same LED brightness on set
HID: asus: use spinlock to protect concurrent accesses
HID: asus: use spinlock to safely schedule workers
ARM: OMAP2+: Fix memory leak in realtime_counter_init()
ARM: zynq: Fix refcount leak in zynq_early_slcr_init
arm64: dts: meson-gx: Fix Ethernet MAC address unit name
arm64: dts: meson-gx: Fix the SCPI DVFS node name and unit address
ARM: OMAP1: call platform_device_put() in error case in omap1_dm_timer_init()
ARM: dts: exynos: correct wr-active property in Exynos3250 Rinato
arm64: dts: amlogic: meson-gx: fix SCPI clock dvfs node name
arm64: dts: amlogic: meson-gx: add missing unit address to rng node name
arm64: dts: amlogic: meson-gxl: add missing unit address to eth-phy-mux node name
block: bio-integrity: Copy flags when bio_integrity_payload is cloned
wifi: libertas: fix memory leak in lbs_init_adapter()
wifi: rtl8xxxu: don't call dev_kfree_skb() under spin_lock_irqsave()
wifi: ipw2200: fix memory leak in ipw_wdev_init()
wifi: brcmfmac: fix potential memory leak in brcmf_netdev_start_xmit()
wifi: brcmfmac: unmap dma buffer in brcmf_msgbuf_alloc_pktid()
wifi: libertas: main: don't call kfree_skb() under spin_lock_irqsave()
wifi: libertas: cmdresp: don't call kfree_skb() under spin_lock_irqsave()
wifi: wl3501_cs: don't call kfree_skb() under spin_lock_irqsave()
genirq: Fix the return type of kstat_cpu_irqs_sum()
lib/mpi: Fix buffer overrun when SG is too long
ACPICA: nsrepair: handle cases without a return value correctly
wifi: orinoco: check return value of hermes_write_wordrec()
wifi: ath9k: htc_hst: free skb in ath9k_htc_rx_msg() if there is no callback function
wifi: ath9k: Fix potential stack-out-of-bounds write in ath9k_wmi_rsp_callback()
ACPI: battery: Fix missing NUL-termination with large strings
crypto: seqiv - Handle EBUSY correctly
net/mlx5: Enhance debug print in page allocation failure
irqchip/alpine-msi: Fix refcount leak in alpine_msix_init_domains
irqchip/irq-mvebu-gicp: Fix refcount leak in mvebu_gicp_probe
cpufreq: davinci: Fix clk use after free
Bluetooth: L2CAP: Fix potential user-after-free
crypto: rsa-pkcs1pad - Use akcipher_request_complete
m68k: /proc/hardware should depend on PROC_FS
wifi: mwifiex: fix loop iterator in mwifiex_update_ampdu_txwinsize()
can: esd_usb: Move mislocated storage of SJA1000_ECC_SEG bits in case of a bus error
irqchip/irq-bcm7120-l2: Set IRQ_LEVEL for level triggered interrupts
drm: mxsfb: DRM_MXSFB should depend on ARCH_MXS || ARCH_MXC
drm/bridge: megachips: Fix error handling in i2c_register_driver()
gpu: ipu-v3: common: Add of_node_put() for reference returned by of_graph_get_port_by_id()
drm/msm/hdmi: Add missing check for alloc_ordered_workqueue
pinctrl: rockchip: Fix refcount leak in rockchip_pinctrl_parse_groups
ALSA: hda/ca0132: minor fix for allocation size
drm/mipi-dsi: Fix byte order of 16-bit DCS set/get brightness
drm/mediatek: Drop unbalanced obj unref
ASoC: soc-compress.c: fixup private_data on snd_soc_new_compress()
gpio: vf610: connect GPIO label to dev name
hwmon: (ltc2945) Handle error case in ltc2945_value_store
scsi: aic94xx: Add missing check for dma_map_single()
dm: remove flush_scheduled_work() during local_exit()
mfd: pcf50633-adc: Fix potential memleak in pcf50633_adc_async_read()
mtd: rawnand: sunxi: Fix the size of the last OOB region
Input: ads7846 - don't report pressure for ads7845
Input: ads7846 - don't check penirq immediately for 7845
powerpc/powernv/ioda: Skip unallocated resources when mapping to PE
powerpc/pseries/lparcfg: add missing RTAS retry status handling
MIPS: vpe-mt: drop physical_memsize
media: platform: ti: Add missing check for devm_regulator_get
media: rc: Fix use-after-free bugs caused by ene_tx_irqsim()
media: usb: siano: Fix use after free bugs caused by do_submit_urb
rpmsg: glink: Avoid infinite loop on intent for missing channel
udf: Define EFSCORRUPTED error code
ARM: dts: exynos: Use Exynos5420 compatible for the MIPI video phy
wifi: brcmfmac: Fix potential stack-out-of-bounds in brcmf_c_preinit_dcmds()
rcu: Suppress smp_processor_id() complaint in synchronize_rcu_expedited_wait()
thermal: intel: Fix unsigned comparison with less than zero
timers: Prevent union confusion from unexpected restart_syscall()
x86/bugs: Reset speculation control settings on init
inet: fix fast path in __inet_hash_connect()
ACPI: Don't build ACPICA with '-Os'
net: bcmgenet: Add a check for oversized packets
m68k: Check syscall_trace_enter() return code
ACPI: video: Fix Lenovo Ideapad Z570 DMI match
drm/radeon: free iio for atombios when driver shutdown
drm/msm/dsi: Add missing check for alloc_ordered_workqueue
docs/scripts/gdb: add necessary make scripts_gdb step
ASoC: kirkwood: Iterate over array indexes instead of using pointer math
regulator: max77802: Bounds check regulator id against opmode
regulator: s5m8767: Bounds check id indexing into arrays
pinctrl: at91: use devm_kasprintf() to avoid potential leaks
dm thin: add cond_resched() to various workqueue loops
dm cache: add cond_resched() to various workqueue loops
spi: bcm63xx-hsspi: Fix multi-bit mode setting
wifi: rtl8xxxu: fixing transmisison failure for rtl8192eu
rtc: pm8xxx: fix set-alarm race
s390/kprobes: fix irq mask clobbering on kprobe reenter from post_handler
s390/kprobes: fix current_kprobe never cleared after kprobes reenter
hfs: fix missing hfs_bnode_get() in __hfs_bnode_create
fs: hfsplus: fix UAF issue in hfsplus_put_super
f2fs: fix information leak in f2fs_move_inline_dirents()
ocfs2: fix defrag path triggering jbd2 ASSERT
ocfs2: fix non-auto defrag path not working issue
udf: Truncate added extents on failed expansion
udf: Do not bother merging very long extents
udf: Do not update file length for failed writes to inline files
udf: Fix file corruption when appending just after end of preallocated extent
x86/virt: Force GIF=1 prior to disabling SVM (for reboot flows)
x86/crash: Disable virt in core NMI crash handler to avoid double shootdown
x86/reboot: Disable virtualization in an emergency if SVM is supported
x86/reboot: Disable SVM, not just VMX, when stopping CPUs
x86/kprobes: Fix __recover_optprobed_insn check optimizing logic
x86/kprobes: Fix arch_check_optimized_kprobe check within optimized_kprobe range
x86/microcode/amd: Remove load_microcode_amd()'s bsp parameter
x86/microcode/AMD: Add a @cpu parameter to the reloading functions
x86/microcode/AMD: Fix mixed steppings support
x86/speculation: Allow enabling STIBP with legacy IBRS
Documentation/hw-vuln: Document the interaction between IBRS and STIBP
ima: Align ima_file_mmap() parameters with mmap_file LSM hook
irqdomain: Fix association race
irqdomain: Fix disassociation race
irqdomain: Drop bogus fwspec-mapping error handling
ALSA: ice1712: Do not left ice->gpio_mutex locked in aureon_add_controls()
ext4: optimize ea_inode block expansion
ext4: refuse to create ea block when umounted
wifi: rtl8xxxu: Use a longer retry limit of 48
wifi: cfg80211: Fix use after free for wext
dm flakey: fix logic when corrupting a bio
dm flakey: don't corrupt the zero page
ARM: dts: exynos: correct TMU phandle in Exynos4
ARM: dts: exynos: correct TMU phandle in Odroid XU
rbd: avoid use-after-free in do_rbd_add() when rbd_dev_create() fails
alpha: fix FEN fault handling
mips: fix syscall_get_nr
ktest.pl: Fix missing "end_monitor" when machine check fails
scsi: qla2xxx: Fix link failure in NPIV environment
scsi: qla2xxx: Fix erroneous link down
scsi: ses: Don't attach if enclosure has no components
scsi: ses: Fix slab-out-of-bounds in ses_enclosure_data_process()
scsi: ses: Fix possible addl_desc_ptr out-of-bounds accesses
scsi: ses: Fix possible desc_ptr out-of-bounds accesses
scsi: ses: Fix slab-out-of-bounds in ses_intf_remove()
PCI: Avoid FLR for AMD FCH AHCI adapters
drm/radeon: Fix eDP for single-display iMac11,2
kbuild: Port silent mode detection to future gnu make.
net/sched: Retire tcindex classifier
fs/jfs: fix shift exponent db_agl2size negative
pwm: stm32-lp: fix the check on arr and cmp registers update
ubi: ensure that VID header offset + VID header size <= alloc, size
ubifs: Rectify space budget for ubifs_xrename()
ubifs: Fix wrong dirty space budget for dirty inode
ubifs: Reserve one leb for each journal head while doing budget
ubi: Fix use-after-free when volume resizing failed
ubi: Fix unreferenced object reported by kmemleak in ubi_resize_volume()
ubi: Fix possible null-ptr-deref in ubi_free_volume()
ubifs: Re-statistic cleaned znode count if commit failed
ubifs: dirty_cow_znode: Fix memleak in error handling path
ubifs: ubifs_writepage: Mark page dirty after writing inode failed
ubi: Fix UAF wear-leveling entry in eraseblk_count_seq_show()
ubi: ubi_wl_put_peb: Fix infinite loop when wear-leveling work failed
x86: um: vdso: Add '%rcx' and '%r11' to the syscall clobber list
watchdog: at91sam9_wdt: use devm_request_irq to avoid missing free_irq() in error path
watchdog: Fix kmemleak in watchdog_cdev_register
watchdog: pcwd_usb: Fix attempting to access uninitialized memory
netfilter: ctnetlink: fix possible refcount leak in ctnetlink_create_conntrack()
net: fix __dev_kfree_skb_any() vs drop monitor
9p/xen: fix version parsing
9p/xen: fix connection sequence
nfc: fix memory leak of se_io context in nfc_genl_se_io
ARM: dts: spear320-hmi: correct STMPE GPIO compatible
tcp: tcp_check_req() can be called from process context
scsi: ipr: Work around fortify-string warning
thermal: intel: quark_dts: fix error pointer dereference
tracing: Add NULL checks for buffer in ring_buffer_free_read_page()
firmware/efi sysfb_efi: Add quirk for Lenovo IdeaPad Duet 3
media: uvcvideo: Handle cameras with invalid descriptors
tty: fix out-of-bounds access in tty_driver_lookup_tty()
tty: serial: fsl_lpuart: disable the CTS when send break signal
tools/iio/iio_utils:fix memory leak
iio: accel: mma9551_core: Prevent uninitialized variable in mma9551_read_status_word()
iio: accel: mma9551_core: Prevent uninitialized variable in mma9551_read_config_word()
usb: host: xhci: mvebu: Iterate over array indexes instead of using pointer math
USB: ene_usb6250: Allocate enough memory for full object
usb: uvc: Enumerate valid values for color matching
phy: rockchip-typec: Fix unsigned comparison with less than zero
Bluetooth: hci_sock: purge socket queues in the destruct() callback
s390/maccess: add no DAT mode to kernel_write
s390/setup: init jump labels before command line parsing
tcp: Fix listen() regression in 4.14.303.
thermal: intel: powerclamp: Fix cur_state for multi package system
Linux 4.14.308
Change-Id: Iad2a41de33ff004df8050f949aa00955604b4cf6
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit 4971c268b85e1c7a734a61622fc0813c86e2362e upstream.
Commit 98de59bfe4 ("take calculation of final prot in
security_mmap_file() into a helper") moved the code to update prot, to be
the actual protections applied to the kernel, to a new helper called
mmap_prot().
However, while without the helper ima_file_mmap() was getting the updated
prot, with the helper ima_file_mmap() gets the original prot, which
contains the protections requested by the application.
A possible consequence of this change is that, if an application calls
mmap() with only PROT_READ, and the kernel applies PROT_EXEC in addition,
that application would have access to executable memory without having this
event recorded in the IMA measurement list. This situation would occur for
example if the application, before mmap(), calls the personality() system
call with READ_IMPLIES_EXEC as the first argument.
Align ima_file_mmap() parameters with those of the mmap_file LSM hook, so
that IMA can receive both the requested prot and the final prot. Since the
requested protections are stored in a new variable, and the final
protections are stored in the existing variable, this effectively restores
the original behavior of the MMAP_CHECK hook.
Cc: stable@vger.kernel.org
Fixes: 98de59bfe4 ("take calculation of final prot in security_mmap_file() into a helper")
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 52f88693378a58094c538662ba652aff0253c4fe upstream.
Since binder was integrated with selinux, it has passed
'struct task_struct' associated with the binder_proc
to represent the source and target of transactions.
The conversion of task to SID was then done in the hook
implementations. It turns out that there are race conditions
which can result in an incorrect security context being used.
Fix by using the 'struct cred' saved during binder_open and pass
it to the selinux subsystem.
Cc: stable@vger.kernel.org # 5.14 (need backport for earlier stables)
Fixes: 79af73079d ("Add security hooks to binder and implement the hooks for SELinux.")
Suggested-by: Jann Horn <jannh@google.com>
Signed-off-by: Todd Kjos <tkjos@google.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 52f88693378a58094c538662ba652aff0253c4fe upstream.
Since binder was integrated with selinux, it has passed
'struct task_struct' associated with the binder_proc
to represent the source and target of transactions.
The conversion of task to SID was then done in the hook
implementations. It turns out that there are race conditions
which can result in an incorrect security context being used.
Fix by using the 'struct cred' saved during binder_open and pass
it to the selinux subsystem.
Cc: stable@vger.kernel.org # 5.14 (need backport for earlier stables)
Fixes: 79af73079d ("Add security hooks to binder and implement the hooks for SELinux.")
Suggested-by: Jann Horn <jannh@google.com>
Signed-off-by: Todd Kjos <tkjos@google.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Change-Id: Id7157515d2b08f11683aeb8ad9b8f1da075d34e7
Bug: 200688826
[ tkjos@ fixed minor conflict ]
Signed-off-by: Todd Kjos <tkjos@google.com>
In current mainline, the degree of access to perf_event_open(2) system
call depends on the perf_event_paranoid sysctl. This has a number of
limitations:
1. The sysctl is only a single value. Many types of accesses are controlled
based on the single value thus making the control very limited and
coarse grained.
2. The sysctl is global, so if the sysctl is changed, then that means
all processes get access to perf_event_open(2) opening the door to
security issues.
This patch adds LSM and SELinux access checking which will be used in
Android to access perf_event_open(2) for the purposes of attaching BPF
programs to tracepoints, perf profiling and other operations from
userspace. These operations are intended for production systems.
5 new LSM hooks are added:
1. perf_event_open: This controls access during the perf_event_open(2)
syscall itself. The hook is called from all the places that the
perf_event_paranoid sysctl is checked to keep it consistent with the
systctl. The hook gets passed a 'type' argument which controls CPU,
kernel and tracepoint accesses (in this context, CPU, kernel and
tracepoint have the same semantics as the perf_event_paranoid sysctl).
Additionally, I added an 'open' type which is similar to
perf_event_paranoid sysctl == 3 patch carried in Android and several other
distros but was rejected in mainline [1] in 2016.
2. perf_event_alloc: This allocates a new security object for the event
which stores the current SID within the event. It will be useful when
the perf event's FD is passed through IPC to another process which may
try to read the FD. Appropriate security checks will limit access.
3. perf_event_free: Called when the event is closed.
4. perf_event_read: Called from the read(2) and mmap(2) syscalls for the event.
5. perf_event_write: Called from the ioctl(2) syscalls for the event.
[1] https://lwn.net/Articles/696240/
Since Peter had suggest LSM hooks in 2016 [1], I am adding his
Suggested-by tag below.
To use this patch, we set the perf_event_paranoid sysctl to -1 and then
apply selinux checking as appropriate (default deny everything, and then
add policy rules to give access to domains that need it). In the future
we can remove the perf_event_paranoid sysctl altogether.
Suggested-by: Peter Zijlstra <peterz@infradead.org>
Co-developed-by: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Joel Fernandes (Google) <joel@joelfernandes.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: James Morris <jmorris@namei.org>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: rostedt@goodmis.org
Cc: Yonghong Song <yhs@fb.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: jeffv@google.com
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: primiano@google.com
Cc: Song Liu <songliubraving@fb.com>
Cc: rsavitski@google.com
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Matthew Garrett <matthewgarrett@google.com>
Link: https://lkml.kernel.org/r/20191014170308.70668-1-joel@joelfernandes.org
(cherry picked from commit da97e18458fb42d7c00fac5fd1c56a3896ec666e)
[ Ryan Savitski: adapted for older APIs, and folded in upstream
ae79d5588a04 (perf/core: Fix !CONFIG_PERF_EVENTS build warnings and
failures). This should fix the build errors from the previous backport
attempt, where certain configurations would end up with functions
referring to the perf_event struct prior to its declaration (and
therefore declaring it with a different scope). ]
Bug: 137092007
Change-Id: Iece194b3519dc5016ccbe127fc4e5c425ee7c442
Signed-off-by: Ryan Savitski <rsavitski@google.com>
This reverts commit f81151cd3a.
Reason for revert: collides with aosp/1137243 and breaks build
Change-Id: I6d0216ccaa1a759fb1732c07601f5877b81a5f03
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
In current mainline, the degree of access to perf_event_open(2) system
call depends on the perf_event_paranoid sysctl. This has a number of
limitations:
1. The sysctl is only a single value. Many types of accesses are controlled
based on the single value thus making the control very limited and
coarse grained.
2. The sysctl is global, so if the sysctl is changed, then that means
all processes get access to perf_event_open(2) opening the door to
security issues.
This patch adds LSM and SELinux access checking which will be used in
Android to access perf_event_open(2) for the purposes of attaching BPF
programs to tracepoints, perf profiling and other operations from
userspace. These operations are intended for production systems.
5 new LSM hooks are added:
1. perf_event_open: This controls access during the perf_event_open(2)
syscall itself. The hook is called from all the places that the
perf_event_paranoid sysctl is checked to keep it consistent with the
systctl. The hook gets passed a 'type' argument which controls CPU,
kernel and tracepoint accesses (in this context, CPU, kernel and
tracepoint have the same semantics as the perf_event_paranoid sysctl).
Additionally, I added an 'open' type which is similar to
perf_event_paranoid sysctl == 3 patch carried in Android and several other
distros but was rejected in mainline [1] in 2016.
2. perf_event_alloc: This allocates a new security object for the event
which stores the current SID within the event. It will be useful when
the perf event's FD is passed through IPC to another process which may
try to read the FD. Appropriate security checks will limit access.
3. perf_event_free: Called when the event is closed.
4. perf_event_read: Called from the read(2) and mmap(2) syscalls for the event.
5. perf_event_write: Called from the ioctl(2) syscalls for the event.
[1] https://lwn.net/Articles/696240/
Since Peter had suggest LSM hooks in 2016 [1], I am adding his
Suggested-by tag below.
To use this patch, we set the perf_event_paranoid sysctl to -1 and then
apply selinux checking as appropriate (default deny everything, and then
add policy rules to give access to domains that need it). In the future
we can remove the perf_event_paranoid sysctl altogether.
Suggested-by: Peter Zijlstra <peterz@infradead.org>
Co-developed-by: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Joel Fernandes (Google) <joel@joelfernandes.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: James Morris <jmorris@namei.org>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: rostedt@goodmis.org
Cc: Yonghong Song <yhs@fb.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: jeffv@google.com
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: primiano@google.com
Cc: Song Liu <songliubraving@fb.com>
Cc: rsavitski@google.com
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Matthew Garrett <matthewgarrett@google.com>
Link: https://lkml.kernel.org/r/20191014170308.70668-1-joel@joelfernandes.org
Bug: 137092007
Change-Id: Ibb356813b0b2f0cedab7806ee21ce4c00469be32
(cherry picked from commit da97e18458fb42d7c00fac5fd1c56a3896ec666e)
[ Ryan Savitski:
Adapted for older APIs, e.g. hlist -> list, removed refs to
selinux_state. No new functionality. ]
Signed-off-by: Ryan Savitski <rsavitski@google.com>
Changes in 4.14.95
tty/ldsem: Wake up readers after timed out down_write()
tty: Hold tty_ldisc_lock() during tty_reopen()
tty: Simplify tty->count math in tty_reopen()
tty: Don't hold ldisc lock in tty_reopen() if ldisc present
can: gw: ensure DLC boundaries after CAN frame modification
mmc: sdhci-msm: Disable CDR function on TX
media: em28xx: Fix misplaced reset of dev->v4l::field_count
sched/fair: Fix bandwidth timer clock drift condition
Revert "scsi: target: iscsi: cxgbit: fix csk leak"
scsi: target: iscsi: cxgbit: fix csk leak
arm64/kvm: consistently handle host HCR_EL2 flags
arm64: Don't trap host pointer auth use to EL2
ipv6: fix kernel-infoleak in ipv6_local_error()
net: bridge: fix a bug on using a neighbour cache entry without checking its state
packet: Do not leak dev refcounts on error exit
bonding: update nest level on unlink
ip: on queued skb use skb_header_pointer instead of pskb_may_pull
crypto: caam - fix zero-length buffer DMA mapping
crypto: authencesn - Avoid twice completion call in decrypt path
crypto: bcm - convert to use crypto_authenc_extractkeys()
crypto: authenc - fix parsing key with misaligned rta_len
Revert "btrfs: balance dirty metadata pages in btrfs_finish_ordered_io"
btrfs: wait on ordered extents on abort cleanup
Yama: Check for pid death before checking ancestry
scsi: core: Synchronize request queue PM status only on successful resume
scsi: sd: Fix cache_type_store()
crypto: talitos - reorder code in talitos_edesc_alloc()
crypto: talitos - fix ablkcipher for CONFIG_VMAP_STACK
mips: fix n32 compat_ipc_parse_version
MIPS: lantiq: Fix IPI interrupt handling
OF: properties: add missing of_node_put
mfd: tps6586x: Handle interrupts on suspend
media: v4l: ioctl: Validate num_planes for debug messages
pstore/ram: Avoid allocation and leak of platform data
arm64: kaslr: ensure randomized quantities are clean to the PoC
Disable MSI also when pcie-octeon.pcie_disable on
omap2fb: Fix stack memory disclosure
media: vivid: fix error handling of kthread_run
media: vivid: set min width/height to a value > 0
bpf: in __bpf_redirect_no_mac pull mac only if present
LSM: Check for NULL cred-security on free
media: vb2: vb2_mmap: move lock up
sunrpc: handle ENOMEM in rpcb_getport_async
netfilter: ebtables: account ebt_table_info to kmemcg
selinux: fix GPF on invalid policy
blockdev: Fix livelocks on loop device
sctp: allocate sctp_sockaddr_entry with kzalloc
tipc: fix uninit-value in tipc_nl_compat_link_reset_stats
tipc: fix uninit-value in tipc_nl_compat_bearer_enable
tipc: fix uninit-value in tipc_nl_compat_link_set
tipc: fix uninit-value in tipc_nl_compat_name_table_dump
tipc: fix uninit-value in tipc_nl_compat_doit
block/loop: Don't grab "struct file" for vfs_getattr() operation.
block/loop: Use global lock for ioctl() operation.
loop: Fold __loop_release into loop_release
loop: Get rid of loop_index_mutex
loop: Fix double mutex_unlock(&loop_ctl_mutex) in loop_control_ioctl()
loop: drop caches if offset or block_size are changed
drm/fb-helper: Ignore the value of fb_var_screeninfo.pixclock
media: vb2: be sure to unlock mutex on errors
nbd: Use set_blocksize() to set device blocksize
Linux 4.14.95
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Changes in 4.14.72
be2net: Fix memory leak in be_cmd_get_profile_config()
net/mlx5: Fix use-after-free in self-healing flow
net: qca_spi: Fix race condition in spi transfers
rds: fix two RCU related problems
net/mlx5: Check for error in mlx5_attach_interface
net/mlx5: Fix debugfs cleanup in the device init/remove flow
net/mlx5: E-Switch, Fix memory leak when creating switchdev mode FDB tables
net/tls: Set count of SG entries if sk_alloc_sg returns -ENOSPC
erspan: fix error handling for erspan tunnel
erspan: return PACKET_REJECT when the appropriate tunnel is not found
tcp: really ignore MSG_ZEROCOPY if no SO_ZEROCOPY
hv/netvsc: Fix NULL dereference at single queue mode fallback
usb: dwc3: change stream event enable bit back to 13
iommu/arm-smmu-v3: sync the OVACKFLG to PRIQ consumer register
iommu/io-pgtable-arm-v7s: Abort allocation when table address overflows the PTE
ALSA: msnd: Fix the default sample sizes
ALSA: usb-audio: Fix multiple definitions in AU0828_DEVICE() macro
xfrm: fix 'passing zero to ERR_PTR()' warning
amd-xgbe: use dma_mapping_error to check map errors
gfs2: Special-case rindex for gfs2_grow
clk: imx6ul: fix missing of_node_put()
clk: core: Potentially free connection id
clk: clk-fixed-factor: Clear OF_POPULATED flag in case of failure
kbuild: add .DELETE_ON_ERROR special target
media: tw686x: Fix oops on buffer alloc failure
dmaengine: pl330: fix irq race with terminate_all
MIPS: ath79: fix system restart
media: videobuf2-core: check for q->error in vb2_core_qbuf()
IB/rxe: Drop QP0 silently
block: allow max_discard_segments to be stacked
IB/ipoib: Fix error return code in ipoib_dev_init()
mtd/maps: fix solutionengine.c printk format warnings
media: ov5645: Supported external clock is 24MHz
perf test: Fix subtest number when showing results
gfs2: Don't reject a supposedly full bitmap if we have blocks reserved
perf tools: Synthesize GROUP_DESC feature in pipe mode
fbdev: omapfb: off by one in omapfb_register_client()
perf tools: Fix struct comm_str removal crash
video: goldfishfb: fix memory leak on driver remove
fbdev/via: fix defined but not used warning
perf powerpc: Fix callchain ip filtering when return address is in a register
video: fbdev: pxafb: clear allocated memory for video modes
fbdev: Distinguish between interlaced and progressive modes
ARM: exynos: Clear global variable on init error path
perf powerpc: Fix callchain ip filtering
nvme-rdma: unquiesce queues when deleting the controller
KVM: arm/arm64: vgic: Fix possible spectre-v1 write in vgic_mmio_write_apr()
powerpc/powernv: opal_put_chars partial write fix
staging: bcm2835-camera: fix timeout handling in wait_for_completion_timeout
staging: bcm2835-camera: handle wait_for_completion_timeout return properly
ASoC: rt5514: Fix the issue of the delay volume applied
MIPS: jz4740: Bump zload address
mac80211: restrict delayed tailroom needed decrement
Smack: Fix handling of IPv4 traffic received by PF_INET6 sockets
wan/fsl_ucc_hdlc: use IS_ERR_VALUE() to check return value of qe_muram_alloc
arm64: fix possible spectre-v1 write in ptrace_hbp_set_event()
reset: imx7: Fix always writing bits as 0
efi/arm: preserve early mapping of UEFI memory map longer for BGRT
nfp: avoid buffer leak when FW communication fails
xen-netfront: fix queue name setting
arm64: dts: qcom: db410c: Fix Bluetooth LED trigger
ARM: dts: qcom: msm8974-hammerhead: increase load on l20 for sdhci
s390/qeth: fix race in used-buffer accounting
s390/qeth: reset layer2 attribute on layer switch
platform/x86: toshiba_acpi: Fix defined but not used build warnings
KVM: arm/arm64: Fix vgic init race
drivers/base: stop new probing during shutdown
i2c: aspeed: Fix initial values of master and slave state
dmaengine: mv_xor_v2: kill the tasklets upon exit
crypto: sharah - Unregister correct algorithms for SAHARA 3
x86/pti: Check the return value of pti_user_pagetable_walk_p4d()
x86/pti: Check the return value of pti_user_pagetable_walk_pmd()
x86/mm/pti: Add an overflow check to pti_clone_pmds()
xen-netfront: fix warn message as irq device name has '/'
RDMA/cma: Protect cma dev list with lock
pstore: Fix incorrect persistent ram buffer mapping
xen/netfront: fix waiting for xenbus state change
IB/ipoib: Avoid a race condition between start_xmit and cm_rep_handler
s390/crypto: Fix return code checking in cbc_paes_crypt()
mmc: omap_hsmmc: fix wakeirq handling on removal
ipmi: Fix I2C client removal in the SSIF driver
Tools: hv: Fix a bug in the key delete code
misc: hmc6352: fix potential Spectre v1
xhci: Fix use after free for URB cancellation on a reallocated endpoint
usb: Don't die twice if PCI xhci host is not responding in resume
mei: ignore not found client in the enumeration
mei: bus: need to unlink client before freeing
USB: Add quirk to support DJI CineSSD
usb: uas: add support for more quirk flags
usb: Avoid use-after-free by flushing endpoints early in usb_set_interface()
usb: host: u132-hcd: Fix a sleep-in-atomic-context bug in u132_get_frame()
USB: add quirk for WORLDE Controller KS49 or Prodipe MIDI 49C USB controller
usb: gadget: udc: renesas_usb3: fix maxpacket size of ep0
USB: net2280: Fix erroneous synchronization change
USB: serial: io_ti: fix array underflow in completion handler
usb: misc: uss720: Fix two sleep-in-atomic-context bugs
USB: serial: ti_usb_3410_5052: fix array underflow in completion handler
USB: yurex: Fix buffer over-read in yurex_write()
usb: cdc-wdm: Fix a sleep-in-atomic-context bug in service_outstanding_interrupt()
Revert "cdc-acm: implement put_char() and flush_chars()"
cifs: prevent integer overflow in nxt_dir_entry()
CIFS: fix wrapping bugs in num_entries()
xtensa: ISS: don't allocate memory in platform_setup
perf/core: Force USER_DS when recording user stack data
x86/EISA: Don't probe EISA bus for Xen PV guests
NFSv4.1 fix infinite loop on I/O.
binfmt_elf: Respect error return from `regset->active'
net/mlx5: Add missing SET_DRIVER_VERSION command translation
arm64: dts: uniphier: Add missing cooling device properties for CPUs
audit: fix use-after-free in audit_add_watch
mtdchar: fix overflows in adjustment of `count`
vfs: fix freeze protection in mnt_want_write_file() for overlayfs
Bluetooth: Use lock_sock_nested in bt_accept_enqueue
evm: Don't deadlock if a crypto algorithm is unavailable
KVM: PPC: Book3S HV: Add of_node_put() in success path
security: check for kstrdup() failure in lsm_append()
MIPS: loongson64: cs5536: Fix PCI_OHCI_INT_REG reads
configfs: fix registered group removal
pinctrl: rza1: Fix selector use for groups and functions
sched/core: Use smp_mb() in wake_woken_function()
efi/esrt: Only call efi_mem_reserve() for boot services memory
ARM: hisi: handle of_iomap and fix missing of_node_put
ARM: hisi: fix error handling and missing of_node_put
ARM: hisi: check of_iomap and fix missing of_node_put
liquidio: fix hang when re-binding VF host drv after running DPDK VF driver
gpu: ipu-v3: csi: pass back mbus_code_to_bus_cfg error codes
tty: fix termios input-speed encoding when using BOTHER
tty: fix termios input-speed encoding
mmc: sdhci-of-esdhc: set proper dma mask for ls104x chips
mmc: tegra: prevent HS200 on Tegra 3
mmc: sdhci: do not try to use 3.3V signaling if not supported
drm/nouveau: Fix runtime PM leak in drm_open()
drm/nouveau/debugfs: Wake up GPU before doing any reclocking
drm/nouveau: tegra: Detach from ARM DMA/IOMMU mapping
parport: sunbpp: fix error return code
sched/fair: Fix util_avg of new tasks for asymmetric systems
coresight: Handle errors in finding input/output ports
coresight: tpiu: Fix disabling timeouts
coresight: ETM: Add support for Arm Cortex-A73 and Cortex-A35
staging: bcm2835-audio: Don't leak workqueue if open fails
gpio: pxa: Fix potential NULL dereference
gpiolib: Mark gpio_suffixes array with __maybe_unused
mfd: 88pm860x-i2c: switch to i2c_lock_bus(..., I2C_LOCK_SEGMENT)
input: rohm_bu21023: switch to i2c_lock_bus(..., I2C_LOCK_SEGMENT)
drm/amdkfd: Fix error codes in kfd_get_process
rtc: bq4802: add error handling for devm_ioremap
ALSA: pcm: Fix snd_interval_refine first/last with open min/max
scsi: libfc: fixup 'sleeping function called from invalid context'
selftest: timers: Tweak raw_skew to SKIP when ADJ_OFFSET/other clock adjustments are in progress
drm/panel: type promotion bug in s6e8aa0_read_mtp_id()
blk-mq: only attempt to merge bio if there is rq in sw queue
blk-mq: avoid to synchronize rcu inside blk_cleanup_queue()
pinctrl: msm: Fix msm_config_group_get() to be compliant
pinctrl: qcom: spmi-gpio: Fix pmic_gpio_config_get() to be compliant
clk: tegra: bpmp: Don't crash when a clock fails to register
mei: bus: type promotion bug in mei_nfc_if_version()
earlycon: Initialize port->uartclk based on clock-frequency property
earlycon: Remove hardcoded port->uartclk initialization in of_setup_earlycon
ASoC: samsung: i2s: Fix error handling path in i2s_set_sysclk()
ASoC: samsung: Fix invalid argument when devm_gpiod_get is called
drm/i915: Apply the GTT write flush for all !llc machines
net/ipv6: prevent use after free in ip6_route_mpath_notify
e1000e: Remove Other from EIAC
Partial revert "e1000e: Avoid receiver overrun interrupt bursts"
e1000e: Fix queue interrupt re-raising in Other interrupt
e1000e: Avoid missed interrupts following ICR read
Revert "e1000e: Separate signaling for link check/link up"
e1000e: Fix link check race condition
e1000e: Fix check_for_link return value with autoneg off
Linux 4.14.72
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Introduce several LSM hooks for the syscalls that will allow the
userspace to access to eBPF object such as eBPF programs and eBPF maps.
The security check is aimed to enforce a per object security protection
for eBPF object so only processes with the right priviliges can
read/write to a specific map or use a specific eBPF program. Besides
that, a general security hook is added before the multiplexer of bpf
syscall to check the cmd and the attribute used for the command. The
actual security module can decide which command need to be checked and
how the cmd should be checked.
Signed-off-by: Chenbo Feng <fengc@google.com>
Acked-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Bug: 30950746
Change-Id: Ieb3ac74392f531735fc7c949b83346a5f587a77b
(cherry picked from commit afdb09c720b62b8090584c11151d856df330e57d)
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Pull selinux updates from Paul Moore:
"A relatively quiet period for SELinux, 11 patches with only two/three
having any substantive changes.
These noteworthy changes include another tweak to the NNP/nosuid
handling, per-file labeling for cgroups, and an object class fix for
AF_UNIX/SOCK_RAW sockets; the rest of the changes are minor tweaks or
administrative updates (Stephen's email update explains the file
explosion in the diffstat).
Everything passes the selinux-testsuite"
[ Also a couple of small patches from the security tree from Tetsuo
Handa for Tomoyo and LSM cleanup. The separation of security policy
updates wasn't all that clean - Linus ]
* tag 'selinux-pr-20170831' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
selinux: constify nf_hook_ops
selinux: allow per-file labeling for cgroupfs
lsm_audit: update my email address
selinux: update my email address
MAINTAINERS: update the NetLabel and Labeled Networking information
selinux: use GFP_NOWAIT in the AVC kmem_caches
selinux: Generalize support for NNP/nosuid SELinux domain transitions
selinux: genheaders should fail if too many permissions are defined
selinux: update the selinux info in MAINTAINERS
credits: update Paul Moore's info
selinux: Assign proper class to PF_UNIX/SOCK_RAW sockets
tomoyo: Update URLs in Documentation/admin-guide/LSM/tomoyo.rst
LSM: Remove security_task_create() hook.
When an NFSv4 client performs a mount operation, it first mounts the
NFSv4 root and then does path walk to the exported path and performs a
submount on that, cloning the security mount options from the root's
superblock to the submount's superblock in the process.
Unless the NFS server has an explicit fsid=0 export with the
"security_label" option, the NFSv4 root superblock will not have
SBLABEL_MNT set, and neither will the submount superblock after cloning
the security mount options. As a result, setxattr's of security labels
over NFSv4.2 will fail. In a similar fashion, NFSv4.2 mounts mounted
with the context= mount option will not show the correct labels because
the nfs_server->caps flags of the cloned superblock will still have
NFS_CAP_SECURITY_LABEL set.
Allowing the NFSv4 client to enable or disable SECURITY_LSM_NATIVE_LABELS
behavior will ensure that the SBLABEL_MNT flag has the correct value
when the client traverses from an exported path without the
"security_label" option to one with the "security_label" option and
vice versa. Similarly, checking to see if SECURITY_LSM_NATIVE_LABELS is
set upon return from security_sb_clone_mnt_opts() and clearing
NFS_CAP_SECURITY_LABEL if necessary will allow the correct labels to
be displayed for NFSv4.2 mounts mounted with the context= mount option.
Resolves: https://github.com/SELinuxProject/selinux-kernel/issues/35
Signed-off-by: Scott Mayhew <smayhew@redhat.com>
Reviewed-by: Stephen Smalley <sds@tycho.nsa.gov>
Tested-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Allocate and free a security context when creating and destroying a MAD
agent. This context is used for controlling access to PKeys and sending
and receiving SMPs.
When sending or receiving a MAD check that the agent has permission to
access the PKey for the Subnet Prefix of the port.
During MAD and snoop agent registration for SMI QPs check that the
calling process has permission to access the manage the subnet and
register a callback with the LSM to be notified of policy changes. When
notificaiton of a policy change occurs recheck permission and set a flag
indicating sending and receiving SMPs is allowed.
When sending and receiving MADs check that the agent has access to the
SMI if it's on an SMI QP. Because security policy can change it's
possible permission was allowed when creating the agent, but no longer
is.
Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
Acked-by: Doug Ledford <dledford@redhat.com>
[PM: remove the LSM hook init code]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Add a generic notificaiton mechanism in the LSM. Interested consumers
can register a callback with the LSM and security modules can produce
events.
Because access to Infiniband QPs are enforced in the setup phase of a
connection security should be enforced again if the policy changes.
Register infiniband devices for policy change notification and check all
QPs on that device when the notification is received.
Add a call to the notification mechanism from SELinux when the AVC
cache changes or setenforce is cleared.
Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
Acked-by: James Morris <james.l.morris@oracle.com>
Acked-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Add new LSM hooks to allocate and free security contexts and check for
permission to access a PKey.
Allocate and free a security context when creating and destroying a QP.
This context is used for controlling access to PKeys.
When a request is made to modify a QP that changes the port, PKey index,
or alternate path, check that the QP has permission for the PKey in the
PKey table index on the subnet prefix of the port. If the QP is shared
make sure all handles to the QP also have access.
Store which port and PKey index a QP is using. After the reset to init
transition the user can modify the port, PKey index and alternate path
independently. So port and PKey settings changes can be a merge of the
previous settings and the new ones.
In order to maintain access control if there are PKey table or subnet
prefix change keep a list of all QPs are using each PKey index on
each port. If a change occurs all QPs using that device and port must
have access enforced for the new cache settings.
These changes add a transaction to the QP modify process. Association
with the old port and PKey index must be maintained if the modify fails,
and must be removed if it succeeds. Association with the new port and
PKey index must be established prior to the modify and removed if the
modify fails.
1. When a QP is modified to a particular Port, PKey index or alternate
path insert that QP into the appropriate lists.
2. Check permission to access the new settings.
3. If step 2 grants access attempt to modify the QP.
4a. If steps 2 and 3 succeed remove any prior associations.
4b. If ether fails remove the new setting associations.
If a PKey table or subnet prefix changes walk the list of QPs and
check that they have permission. If not send the QP to the error state
and raise a fatal error event. If it's a shared QP make sure all the
QPs that share the real_qp have permission as well. If the QP that
owns a security structure is denied access the security structure is
marked as such and the QP is added to an error_list. Once the moving
the QP to error is complete the security structure mark is cleared.
Maintaining the lists correctly turns QP destroy into a transaction.
The hardware driver for the device frees the ib_qp structure, so while
the destroy is in progress the ib_qp pointer in the ib_qp_security
struct is undefined. When the destroy process begins the ib_qp_security
structure is marked as destroying. This prevents any action from being
taken on the QP pointer. After the QP is destroyed successfully it
could still listed on an error_list wait for it to be processed by that
flow before cleaning up the structure.
If the destroy fails the QPs port and PKey settings are reinserted into
the appropriate lists, the destroying flag is cleared, and access control
is enforced, in case there were any cache changes during the destroy
flow.
To keep the security changes isolated a new file is used to hold security
related functionality.
Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
Acked-by: Doug Ledford <dledford@redhat.com>
[PM: merge fixup in ib_verbs.h and uverbs_cmd.c]
Signed-off-by: Paul Moore <paul@paul-moore.com>
The commit d69dece5f5 ("LSM: Add /sys/kernel/security/lsm") extend
security_add_hooks() with a new parameter to register the LSM name,
which may be useful to make the list of currently loaded LSM available
to userspace. However, there is no clean way for an LSM to split its
hook declarations into multiple files, which may reduce the mess with
all the included files (needed for LSM hook argument types) and make the
source code easier to review and maintain.
This change allows an LSM to register multiple times its hook while
keeping a consistent list of LSM names as described in
Documentation/security/LSM.txt . The list reflects the order in which
checks are made. This patch only check for the last registered LSM. If
an LSM register multiple times its hooks, interleaved with other LSM
registrations (which should not happen), its name will still appear in
the same order that the hooks are called, hence multiple times.
To sum up, "capability,selinux,foo,foo" will be replaced with
"capability,selinux,foo", however "capability,foo,selinux,foo" will
remain as is.
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Pull security subsystem updates from James Morris:
"Highlights:
IMA:
- provide ">" and "<" operators for fowner/uid/euid rules
KEYS:
- add a system blacklist keyring
- add KEYCTL_RESTRICT_KEYRING, exposes keyring link restriction
functionality to userland via keyctl()
LSM:
- harden LSM API with __ro_after_init
- add prlmit security hook, implement for SELinux
- revive security_task_alloc hook
TPM:
- implement contextual TPM command 'spaces'"
* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (98 commits)
tpm: Fix reference count to main device
tpm_tis: convert to using locality callbacks
tpm: fix handling of the TPM 2.0 event logs
tpm_crb: remove a cruft constant
keys: select CONFIG_CRYPTO when selecting DH / KDF
apparmor: Make path_max parameter readonly
apparmor: fix parameters so that the permission test is bypassed at boot
apparmor: fix invalid reference to index variable of iterator line 836
apparmor: use SHASH_DESC_ON_STACK
security/apparmor/lsm.c: set debug messages
apparmor: fix boolreturn.cocci warnings
Smack: Use GFP_KERNEL for smk_netlbl_mls().
smack: fix double free in smack_parse_opts_str()
KEYS: add SP800-56A KDF support for DH
KEYS: Keyring asymmetric key restrict method with chaining
KEYS: Restrict asymmetric key linkage using a specific keychain
KEYS: Add a lookup_restriction function for the asymmetric key type
KEYS: Add KEYCTL_RESTRICT_KEYRING
KEYS: Consistent ordering for __key_link_begin and restrict check
KEYS: Add an optional lookup_restriction hook to key_type
...
We switched from "struct task_struct"->security to "struct cred"->security
in Linux 2.6.29. But not all LSM modules were happy with that change.
TOMOYO LSM module is an example which want to use per "struct task_struct"
security blob, for TOMOYO's security context is defined based on "struct
task_struct" rather than "struct cred". AppArmor LSM module is another
example which want to use it, for AppArmor is currently abusing the cred
a little bit to store the change_hat and setexeccon info. Although
security_task_free() hook was revived in Linux 3.4 because Yama LSM module
wanted to release per "struct task_struct" security blob,
security_task_alloc() hook and "struct task_struct"->security field were
not revived. Nowadays, we are getting proposals of lightweight LSM modules
which want to use per "struct task_struct" security blob.
We are already allowing multiple concurrent LSM modules (up to one fully
armored module which uses "struct cred"->security field or exclusive hooks
like security_xfrm_state_pol_flow_match(), plus unlimited number of
lightweight modules which do not use "struct cred"->security nor exclusive
hooks) as long as they are built into the kernel. But this patch does not
implement variable length "struct task_struct"->security field which will
become needed when multiple LSM modules want to use "struct task_struct"->
security field. Although it won't be difficult to implement variable length
"struct task_struct"->security field, let's think about it after we merged
this patch.
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Tested-by: Djalal Harouni <tixxdz@gmail.com>
Acked-by: José Bollo <jobol@nonadev.net>
Cc: Paul Moore <paul@paul-moore.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Eric Paris <eparis@parisplace.org>
Cc: Kees Cook <keescook@chromium.org>
Cc: James Morris <james.l.morris@oracle.com>
Cc: José Bollo <jobol@nonadev.net>
Signed-off-by: James Morris <james.l.morris@oracle.com>
When SELinux was first added to the kernel, a process could only get
and set its own resource limits via getrlimit(2) and setrlimit(2), so no
MAC checks were required for those operations, and thus no security hooks
were defined for them. Later, SELinux introduced a hook for setlimit(2)
with a check if the hard limit was being changed in order to be able to
rely on the hard limit value as a safe reset point upon context
transitions.
Later on, when prlimit(2) was added to the kernel with the ability to get
or set resource limits (hard or soft) of another process, LSM/SELinux was
not updated other than to pass the target process to the setrlimit hook.
This resulted in incomplete control over both getting and setting the
resource limits of another process.
Add a new security_task_prlimit() hook to the check_prlimit_permission()
function to provide complete mediation. The hook is only called when
acting on another task, and only if the existing DAC/capability checks
would allow access. Pass flags down to the hook to indicate whether the
prlimit(2) call will read, write, or both read and write the resource
limits of the target process.
The existing security_task_setrlimit() hook is left alone; it continues
to serve a purpose in supporting the ability to make decisions based on
the old and/or new resource limit values when setting limits. This
is consistent with the DAC/capability logic, where
check_prlimit_permission() performs generic DAC/capability checks for
acting on another task, while do_prlimit() performs a capability check
based on a comparison of the old and new resource limits. Fix the
inline documentation for the hook to match the code.
Implement the new hook for SELinux. For setting resource limits, we
reuse the existing setrlimit permission. Note that this does overload
the setrlimit permission to mean the ability to set the resource limit
(soft or hard) of another process or the ability to change one's own
hard limit. For getting resource limits, a new getrlimit permission
is defined. This was not originally defined since getrlimit(2) could
only be used to obtain a process' own limits.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <james.l.morris@oracle.com>
I am still tired of having to find indirect ways to determine
what security modules are active on a system. I have added
/sys/kernel/security/lsm, which contains a comma separated
list of the active security modules. No more groping around
in /proc/filesystems or other clever hacks.
Unchanged from previous versions except for being updated
to the latest security next branch.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: James Morris <james.l.morris@oracle.com>
As reported by yangshukui, a permission denial from security_task_wait()
can lead to a soft lockup in zap_pid_ns_processes() since it only expects
sys_wait4() to return 0 or -ECHILD. Further, security_task_wait() can
in general lead to zombies; in the absence of some way to automatically
reparent a child process upon a denial, the hook is not useful. Remove
the security hook and its implementations in SELinux and Smack. Smack
already removed its check from its hook.
Reported-by: yangshukui <yangshukui@huawei.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Processes can only alter their own security attributes via
/proc/pid/attr nodes. This is presently enforced by each individual
security module and is also imposed by the Linux credentials
implementation, which only allows a task to alter its own credentials.
Move the check enforcing this restriction from the individual
security modules to proc_pid_attr_write() before calling the security hook,
and drop the unnecessary task argument to the security hook since it can
only ever be the current task.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
During a new file creation we need to make sure new file is created with the
right label. New file is created in upper/ so effectively file should get
label as if task had created file in upper/.
We switched to mounter's creds for actual file creation. Also if there is a
whiteout present, then file will be created in work/ dir first and then
renamed in upper. In none of the cases file will be labeled as we want it to
be.
This patch introduces a new hook dentry_create_files_as(), which determines
the label/context dentry will get if it had been created by task in upper
and modify passed set of creds appropriately. Caller makes use of these new
creds for file creation.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
[PM: fix whitespace issues found with checkpatch.pl]
[PM: changes to use stat->mode in ovl_create_or_link()]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Provide a security hook which is called when xattrs of a file are being
copied up. This hook is called once for each xattr and LSM can return
0 if the security module wants the xattr to be copied up, 1 if the
security module wants the xattr to be discarded on the copy, -EOPNOTSUPP
if the security module does not handle/manage the xattr, or a -errno
upon an error.
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
[PM: whitespace cleanup for checkpatch.pl]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Provide a security hook to label new file correctly when a file is copied
up from lower layer to upper layer of a overlay/union mount.
This hook can prepare a new set of creds which are suitable for new file
creation during copy up. Caller will use new creds to create file and then
revert back to old creds and release new creds.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
[PM: whitespace cleanup to appease checkpatch.pl]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Pull qstr constification updates from Al Viro:
"Fairly self-contained bunch - surprising lot of places passes struct
qstr * as an argument when const struct qstr * would suffice; it
complicates analysis for no good reason.
I'd prefer to feed that separately from the assorted fixes (those are
in #for-linus and with somewhat trickier topology)"
* 'work.const-qstr' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
qstr: constify instances in adfs
qstr: constify instances in lustre
qstr: constify instances in f2fs
qstr: constify instances in ext2
qstr: constify instances in vfat
qstr: constify instances in procfs
qstr: constify instances in fuse
qstr constify instances in fs/dcache.c
qstr: constify instances in nfs
qstr: constify instances in ocfs2
qstr: constify instances in autofs4
qstr: constify instances in hfs
qstr: constify instances in hfsplus
qstr: constify instances in logfs
qstr: constify dentry_init_security
Serge Hallyn pointed out that the current implementation of
security_inode_getsecurity() works if there is only one hook
provided for it, but will fail if there is more than one and
the attribute requested isn't supplied by the first module.
This isn't a problem today, since only SELinux and Smack
provide this hook and there is (currently) no way to enable
both of those modules at the same time. Serge, however, wants
to introduce a capability attribute and an inode_getsecurity
hook in the capability security module to handle it. This
addresses that upcoming problem, will be required for "extreme
stacking" and is just a better implementation.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Pull security subsystem updates from James Morris:
"Highlights:
- A new LSM, "LoadPin", from Kees Cook is added, which allows forcing
of modules and firmware to be loaded from a specific device (this
is from ChromeOS, where the device as a whole is verified
cryptographically via dm-verity).
This is disabled by default but can be configured to be enabled by
default (don't do this if you don't know what you're doing).
- Keys: allow authentication data to be stored in an asymmetric key.
Lots of general fixes and updates.
- SELinux: add restrictions for loading of kernel modules via
finit_module(). Distinguish non-init user namespace capability
checks. Apply execstack check on thread stacks"
* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (48 commits)
LSM: LoadPin: provide enablement CONFIG
Yama: use atomic allocations when reporting
seccomp: Fix comment typo
ima: add support for creating files using the mknodat syscall
ima: fix ima_inode_post_setattr
vfs: forbid write access when reading a file into memory
fs: fix over-zealous use of "const"
selinux: apply execstack check on thread stacks
selinux: distinguish non-init user namespace capability checks
LSM: LoadPin for kernel file loading restrictions
fs: define a string representation of the kernel_read_file_id enumeration
Yama: consolidate error reporting
string_helpers: add kstrdup_quotable_file
string_helpers: add kstrdup_quotable_cmdline
string_helpers: add kstrdup_quotable
selinux: check ss_initialized before revalidating an inode label
selinux: delay inode label lookup as long as possible
selinux: don't revalidate an inode's label when explicitly setting it
selinux: Change bool variable name to index.
KEYS: Add KEYCTL_DH_COMPUTE command
...
Pull 'struct path' constification update from Al Viro:
"'struct path' is passed by reference to a bunch of Linux security
methods; in theory, there's nothing to stop them from modifying the
damn thing and LSM community being what it is, sooner or later some
enterprising soul is going to decide that it's a good idea.
Let's remove the temptation and constify all of those..."
* 'work.const-path' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
constify ima_d_path()
constify security_sb_pivotroot()
constify security_path_chroot()
constify security_path_{link,rename}
apparmor: remove useless checks for NULL ->mnt
constify security_path_{mkdir,mknod,symlink}
constify security_path_{unlink,rmdir}
apparmor: constify common_perm_...()
apparmor: constify aa_path_link()
apparmor: new helper - common_path_perm()
constify chmod_common/security_path_chmod
constify security_sb_mount()
constify chown_common/security_path_chown
tomoyo: constify assorted struct path *
apparmor_path_truncate(): path->mnt is never NULL
constify vfs_truncate()
constify security_path_truncate()
[apparmor] constify struct path * in a bunch of helpers
security_settime() uses a timespec, which is not year 2038 safe
on 32bit systems. Thus this patch introduces the security_settime64()
function with timespec64 type. We also convert the cap_settime() helper
function to use the 64bit types.
This patch then moves security_settime() to the header file as an
inline helper function so that existing users can be iteratively
converted.
None of the existing hooks is using the timespec argument and therefor
the patch is not making any functional changes.
Cc: Serge Hallyn <serge.hallyn@canonical.com>,
Cc: James Morris <james.l.morris@oracle.com>,
Cc: "Serge E. Hallyn" <serge@hallyn.com>,
Cc: Paul Moore <pmoore@redhat.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Kees Cook <keescook@chromium.org>
Cc: Prarit Bhargava <prarit@redhat.com>
Cc: Richard Cochran <richardcochran@gmail.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@kernel.org>
Reviewed-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Baolin Wang <baolin.wang@linaro.org>
[jstultz: Reworded commit message]
Signed-off-by: John Stultz <john.stultz@linaro.org>
This LSM enforces that kernel-loaded files (modules, firmware, etc)
must all come from the same filesystem, with the expectation that
such a filesystem is backed by a read-only device such as dm-verity
or CDROM. This allows systems that have a verified and/or unchangeable
filesystem to enforce module and firmware loading restrictions without
needing to sign the files individually.
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
The skb_owned_by hook was added with the commit ca10b9e9a8
("selinux: add a skb_owned_by() hook") and later removed
when said commit was reverted.
Later on, when switching to list of hooks, a field named
'skb_owned_by' was included into the security_hook_head struct,
but without any users nor caller.
This commit removes the said left-over field.
Fixes: b1d9e6b064 ("LSM: Switch to lists of hooks")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Acked-by: Paul Moore <pmoore@paul-moore.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
