1. 14 May, 2018 1 commit
  2. 17 Aug, 2017 1 commit
  3. 23 May, 2017 2 commits
  4. 19 Sep, 2016 1 commit
    • Vivek Goyal's avatar
      lsm,audit,selinux: Introduce a new audit data type LSM_AUDIT_DATA_FILE · 43af5de7
      Vivek Goyal authored
      Right now LSM_AUDIT_DATA_PATH type contains "struct path" in union "u"
      of common_audit_data. This information is used to print path of file
      at the same time it is also used to get to dentry and inode. And this
      inode information is used to get to superblock and device and print
      device information.
      This does not work well for layered filesystems like overlay where dentry
      contained in path is overlay dentry and not the real dentry of underlying
      file system. That means inode retrieved from dentry is also overlay
      inode and not the real inode.
      SELinux helpers like file_path_has_perm() are doing checks on inode
      retrieved from file_inode(). This returns the real inode and not the
      overlay inode. That means we are doing check on real inode but for audit
      purposes we are printing details of overlay inode and that can be
      confusing while debugging.
      Hence, introduce a new type LSM_AUDIT_DATA_FILE which carries file
      information and inode retrieved is real inode using file_inode(). That
      way right avc denied information is given to user.
      For example, following is one example avc before the patch.
        type=AVC msg=audit(1473360868.399:214): avc:  denied  { read open } for
          pid=1765 comm="cat"
          dev="overlay" ino=21443
          tclass=file permissive=0
      It looks as follows after the patch.
        type=AVC msg=audit(1473360017.388:282): avc:  denied  { read open } for
          pid=2530 comm="cat"
          dev="dm-0" ino=2377915
          tclass=file permissive=0
      Notice that now dev information points to "dm-0" device instead of
      "overlay" device. This makes it clear that check failed on underlying
      inode and not on the overlay inode.
      Signed-off-by: default avatarVivek Goyal <vgoyal@redhat.com>
      [PM: slight tweaks to the description to make checkpatch.pl happy]
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
  5. 30 Aug, 2016 1 commit
  6. 08 Aug, 2016 2 commits
  7. 13 Jul, 2015 1 commit
  8. 29 May, 2015 1 commit
  9. 15 Apr, 2015 2 commits
    • David Howells's avatar
      VFS: security/: d_backing_inode() annotations · c6f493d6
      David Howells authored
      most of the ->d_inode uses there refer to the same inode IO would
      go to, i.e. d_backing_inode()
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
    • Richard Guy Briggs's avatar
      lsm: copy comm before calling audit_log to avoid race in string printing · 5deeb5ce
      Richard Guy Briggs authored
      When task->comm is passed directly to audit_log_untrustedstring() without
      getting a copy or using the task_lock, there is a race that could happen that
      would output a NULL (\0) in the middle of the output string that would
      effectively truncate the rest of the report text after the comm= field in the
      audit log message, losing fields.
      Using get_task_comm() to get a copy while acquiring the task_lock to prevent
      this and to prevent the result from being a mixture of old and new values of
      comm would incur potentially unacceptable overhead, considering that the value
      can be influenced by userspace and therefore untrusted anyways.
      Copy the value before passing it to audit_log_untrustedstring() ensures that a
      local copy is used to calculate the length *and* subsequently printed.  Even if
      this value contains a mix of old and new values, it will only calculate and
      copy up to the first NULL, preventing the rest of the audit log message being
      Use a second local copy of comm to avoid a race between the first and second
      calls to audit_log_untrustedstring() with comm.
      Reported-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Signed-off-by: default avatarRichard Guy Briggs <rgb@redhat.com>
      Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
  10. 20 Mar, 2014 1 commit
  11. 05 Nov, 2013 1 commit
  12. 09 Oct, 2013 2 commits
    • Eric Dumazet's avatar
      net: fix build errors if ipv6 is disabled · c2bb06db
      Eric Dumazet authored
      CONFIG_IPV6=n is still a valid choice ;)
      It appears we can remove dead code.
      Reported-by: default avatarWu Fengguang <fengguang.wu@intel.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    • Eric Dumazet's avatar
      ipv6: make lookups simpler and faster · efe4208f
      Eric Dumazet authored
      TCP listener refactoring, part 4 :
      To speed up inet lookups, we moved IPv4 addresses from inet to struct
      Now is time to do the same for IPv6, because it permits us to have fast
      lookups for all kind of sockets, including upcoming SYN_RECV.
      Getting IPv6 addresses in TCP lookups currently requires two extra cache
      lines, plus a dereference (and memory stall).
      inet6_sk(sk) does the dereference of inet_sk(__sk)->pinet6
      This patch is way bigger than its IPv4 counter part, because for IPv4,
      we could add aliases (inet_daddr, inet_rcv_saddr), while on IPv6,
      it's not doable easily.
      inet6_sk(sk)->daddr becomes sk->sk_v6_daddr
      inet6_sk(sk)->rcv_saddr becomes sk->sk_v6_rcv_saddr
      And timewait socket also have tw->tw_v6_daddr & tw->tw_v6_rcv_saddr
      at the same offset.
      We get rid of INET6_TW_MATCH() as INET6_MATCH() is now the generic
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
  13. 09 Apr, 2012 2 commits
  14. 03 Apr, 2012 2 commits
  15. 21 Mar, 2012 1 commit
  16. 17 Jan, 2012 2 commits
  17. 03 Dec, 2011 1 commit
  18. 22 Nov, 2011 1 commit
  19. 25 Apr, 2011 2 commits
  20. 27 Apr, 2010 1 commit
  21. 30 Mar, 2010 1 commit
    • Tejun Heo's avatar
      include cleanup: Update gfp.h and slab.h includes to prepare for breaking... · 5a0e3ad6
      Tejun Heo authored
      include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
      percpu.h is included by sched.h and module.h and thus ends up being
      included when building most .c files.  percpu.h includes slab.h which
      in turn includes gfp.h making everything defined by the two files
      universally available and complicating inclusion dependencies.
      percpu.h -> slab.h dependency is about to be removed.  Prepare for
      this change by updating users of gfp and slab facilities include those
      headers directly instead of assuming availability.  As this conversion
      needs to touch large number of source files, the following script is
      used as the basis of conversion.
      The script does the followings.
      * Scan files for gfp and slab usages and update includes such that
        only the necessary includes are there.  ie. if only gfp is used,
        gfp.h, if slab is used, slab.h.
      * When the script inserts a new include, it looks at the include
        blocks and try to put the new include such that its order conforms
        to its surrounding.  It's put in the include block which contains
        core kernel includes, in the same order that the rest are ordered -
        alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
        doesn't seem to be any matching order.
      * If the script can't find a place to put a new include (mostly
        because the file doesn't have fitting include block), it prints out
        an error message indicating which .h file needs to be added to the
      The conversion was done in the following steps.
      1. The initial automatic conversion of all .c files updated slightly
         over 4000 files, deleting around 700 includes and adding ~480 gfp.h
         and ~3000 slab.h inclusions.  The script emitted errors for ~400
      2. Each error was manually checked.  Some didn't need the inclusion,
         some needed manual addition while adding it to implementation .h or
         embedding .c file was more appropriate for others.  This step added
         inclusions to around 150 files.
      3. The script was run again and the output was compared to the edits
         from #2 to make sure no file was left behind.
      4. Several build tests were done and a couple of problems were fixed.
         e.g. lib/decompress_*.c used malloc/free() wrappers around slab
         APIs requiring slab.h to be added manually.
      5. The script was run on all .h files but without automatically
         editing them as sprinkling gfp.h and slab.h inclusions around .h
         files could easily lead to inclusion dependency hell.  Most gfp.h
         inclusion directives were ignored as stuff from gfp.h was usually
         wildly available and often used in preprocessor macros.  Each
         slab.h inclusion directive was examined and added manually as
      6. percpu.h was updated not to include slab.h.
      7. Build test were done on the following configurations and failures
         were fixed.  CONFIG_GCOV_KERNEL was turned off for all tests (as my
         distributed build env didn't work with gcov compiles) and a few
         more options had to be turned off depending on archs to make things
         build (like ipr on powerpc/64 which failed due to missing writeq).
         * x86 and x86_64 UP and SMP allmodconfig and a custom test config.
         * powerpc and powerpc64 SMP allmodconfig
         * sparc and sparc64 SMP allmodconfig
         * ia64 SMP allmodconfig
         * s390 SMP allmodconfig
         * alpha SMP allmodconfig
         * um on x86_64 SMP allmodconfig
      8. percpu.h modifications were reverted so that it could be applied as
         a separate patch and serve as bisection point.
      Given the fact that I had only a couple of failures from tests on step
      6, I'm fairly confident about the coverage of this conversion patch.
      If there is a breakage, it's likely to be something in one of the arch
      headers which should be easily discoverable easily on most builds of
      the specific arch.
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Guess-its-ok-by: default avatarChristoph Lameter <cl@linux-foundation.org>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
  22. 09 Nov, 2009 1 commit
    • Eric Paris's avatar
      security: report the module name to security_module_request · dd8dbf2e
      Eric Paris authored
      For SELinux to do better filtering in userspace we send the name of the
      module along with the AVC denial when a program is denied module_request.
      Example output:
      type=SYSCALL msg=audit(11/03/2009 10:59:43.510:9) : arch=x86_64 syscall=write success=yes exit=2 a0=3 a1=7fc28c0d56c0 a2=2 a3=7fffca0d7440 items=0 ppid=1727 pid=1729 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpc.nfsd exe=/usr/sbin/rpc.nfsd subj=system_u:system_r:nfsd_t:s0 key=(null)
      type=AVC msg=audit(11/03/2009 10:59:43.510:9) : avc:  denied  { module_request } for  pid=1729 comm=rpc.nfsd kmod="net-pf-10" scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
  23. 19 Oct, 2009 1 commit
    • Eric Dumazet's avatar
      inet: rename some inet_sock fields · c720c7e8
      Eric Dumazet authored
      In order to have better cache layouts of struct sock (separate zones
      for rx/tx paths), we need this preliminary patch.
      Goal is to transfert fields used at lookup time in the first
      read-mostly cache line (inside struct sock_common) and move sk_refcnt
      to a separate cache line (only written by rx path)
      This patch adds inet_ prefix to daddr, rcv_saddr, dport, num, saddr,
      sport and id fields. This allows a future patch to define these
      fields as macros, like sk_refcnt, without name clashes.
      Signed-off-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
  24. 24 Sep, 2009 1 commit
    • Paul Moore's avatar
      lsm: Use a compressed IPv6 string format in audit events · d8116591
      Paul Moore authored
      Currently the audit subsystem prints uncompressed IPv6 addresses which not
      only differs from common usage but also results in ridiculously large audit
      strings which is not a good thing.  This patch fixes this by simply converting
      audit to always print compressed IPv6 addresses.
      Old message example:
       audit(1253576792.161:30): avc:  denied  { ingress } for
        saddr=0000:0000:0000:0000:0000:0000:0000:0001 src=5000
        daddr=0000:0000:0000:0000:0000:0000:0000:0001 dest=35502 netif=lo
        tcontext=system_u:object_r:lo_netif_t:s0-s15:c0.c1023 tclass=netif
      New message example:
       audit(1253576792.161:30): avc:  denied  { ingress } for
        saddr=::1 src=5000 daddr=::1 dest=35502 netif=lo
        tcontext=system_u:object_r:lo_netif_t:s0-s15:c0.c1023 tclass=netif
      Signed-off-by: default avatarPaul Moore <paul.moore@hp.com>
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
  25. 16 Aug, 2009 1 commit
    • Thomas Liu's avatar
      SELinux: Convert avc_audit to use lsm_audit.h · 2bf49690
      Thomas Liu authored
      Convert avc_audit in security/selinux/avc.c to use lsm_audit.h,
      for better maintainability.
       - changed selinux to use common_audit_data instead of
       - eliminated code in avc.c and used code from lsm_audit.h instead.
      Had to add a LSM_AUDIT_NO_AUDIT to lsm_audit.h so that avc_audit
      can call common_lsm_audit and do the pre and post callbacks without
      doing the actual dump.  This makes it so that the patched version
      behaves the same way as the unpatched version.
      Also added a denied field to the selinux_audit_data private space,
      once again to make it so that the patched version behaves like the
      I've tested and confirmed that AVCs look the same before and after
      this patch.
      Signed-off-by: default avatarThomas Liu <tliu@redhat.com>
      Acked-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
  26. 13 Apr, 2009 1 commit