1. 08 May, 2012 1 commit
    • netfilter: remove ip_queue support · d16cf20e
      Pablo Neira Ayuso authored
      This patch removes ip_queue support which was marked as obsolete
      years ago. The nfnetlink_queue module provides a more advanced
      user-space packet queueing mechanism.
      
      This patch also removes capability code included in SELinux that
      refers to ip_queue. Otherwise, we break compilation.
      
      Several warnings have been sent regarding this to the mailing list
      in the past month without anyone raising their hand to stop this
      with some strong argument.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  2. 14 Apr, 2012 1 commit
    • Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs · 259e5e6c
      Andy Lutomirski authored
      With this change, calling
        prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)
      disables privilege granting operations at execve-time.  For example, a
      process will not be able to execute a setuid binary to change its uid
      or gid if this bit is set.  The same is true for file capabilities.
      
      Additionally, LSM_UNSAFE_NO_NEW_PRIVS is defined to ensure that
      LSMs respect the requested behavior.
      
      To determine if the NO_NEW_PRIVS bit is set, a task may call
        prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
      It returns 1 if set and 0 if it is not set. If any of the arguments are
      non-zero, it will return -1 and set errno to -EINVAL.
      (PR_SET_NO_NEW_PRIVS behaves similarly.)
      
      This functionality is desired for the proposed seccomp filter patch
      series.  By using PR_SET_NO_NEW_PRIVS, it allows a task to modify the
      system call behavior for itself and its child tasks without being
      able to impact the behavior of a more privileged task.
      
      Another potential use is making certain privileged operations
      unprivileged.  For example, chroot may be considered "safe" if it cannot
      affect privileged tasks.
      
      Note, this patch causes execve to fail when PR_SET_NO_NEW_PRIVS is
      set and AppArmor is in use.  It is fixed in a subsequent patch.
      Signed-off-by: Andy Lutomirski <luto@amacapital.net>
      Signed-off-by: Will Drewry <wad@chromium.org>
      Acked-by: Eric Paris <eparis@redhat.com>
      Acked-by: Kees Cook <keescook@chromium.org>
      
      v18: updated change desc
      v17: using new define values as per 3.4
      Signed-off-by: James Morris <james.l.morris@oracle.com>
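      The interface this commit adds, exercised from user space as an added example (not part of the commit or the kernel tree): the calling task sets the bit, confirms it through PR_GET_NO_NEW_PRIVS, shows that a forked child inherits it, and checks the documented rejection of non-zero extra arguments. The fallback constant values are the ones from linux/prctl.h and are only used when the system headers lack them.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallback values for older headers; they match linux/prctl.h. */
#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38
#endif
#ifndef PR_GET_NO_NEW_PRIVS
#define PR_GET_NO_NEW_PRIVS 39
#endif

/* Returns 1 if no_new_privs is set on the calling task, 0 if not, -1 on error. */
int nnp_is_set(void)
{
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Sets the bit for the calling task (it cannot be cleared again) and confirms it
 * via PR_GET.  From now on execve() of setuid binaries or files with capabilities
 * runs them without the extra privileges. */
int nnp_enable(void)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return 0;
    return nnp_is_set() == 1;
}

/* The commit documents that any non-zero extra argument is rejected with EINVAL;
 * returns 1 if the running kernel behaves that way. */
int nnp_get_rejects_extra_args(void)
{
    errno = 0;
    return prctl(PR_GET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1 && errno == EINVAL;
}

/* Forks and reports whether the child sees the bit (it is inherited across fork
 * and execve).  Returns 1 if inherited, 0 if not, -1 if fork/wait failed. */
int nnp_inherited_by_child(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(nnp_is_set() == 1 ? 0 : 1);
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 0;
}

int main(void)
{
    printf("no_new_privs before: %d\n", nnp_is_set());
    if (!nnp_enable()) {
        perror("PR_SET_NO_NEW_PRIVS");
        return 1;
    }
    printf("no_new_privs after:  %d\n", nnp_is_set());
    printf("inherited by child:  %d\n", nnp_inherited_by_child());
    printf("extra args rejected: %d\n", nnp_get_rejects_extra_args());
    return 0;
}
```

The "before" value is not asserted on purpose: a container or sandbox may already run with the bit set, which is exactly the one-way property the commit describes.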
  3. 09 Apr, 2012 21 commits
    • SELinux: remove unused common_audit_data in flush_unauthorized_files · c737f828
      Eric Paris authored
      We don't need this variable and it just eats stack space.  Remove it.
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • SELinux: avc: remove the useless fields in avc_add_callback · 562c99f2
      Wanlong Gao authored
      avc_add_callback is now just used for registering reset functions
      in initcalls, and the callback functions just do reset operations.
      So, reducing the arguments to only one event is enough now.
      Signed-off-by: Wanlong Gao <gaowanlong@cn.fujitsu.com>
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • SELinux: replace weak GFP_ATOMIC to GFP_KERNEL in avc_add_callback · 0b36e44c
      Wanlong Gao authored
      avc_add_callback is now only called from initcalls, so replace the
      weak GFP_ATOMIC with GFP_KERNEL, and mark this function __init
      to produce a warning when it is not called from initcalls.
      Signed-off-by: Wanlong Gao <gaowanlong@cn.fujitsu.com>
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • SELinux: unify the selinux_audit_data and selinux_late_audit_data · 899838b2
      Eric Paris authored
      We no longer need the distinction.  We only need data after we decide to do an
      audit.  So turn the "late" audit data into just "data" and remove what we
      currently have as "data".
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • SELinux: remove auditdeny from selinux_audit_data · 1d349292
      Eric Paris authored
      It's just takin' up space.
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • LSM: do not initialize common_audit_data to 0 · 50c205f5
      Eric Paris authored
      It isn't needed.  If you don't set the type of the data associated with
      that type it is a pretty obvious programming bug.  So why waste the cycles?
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • LSM: remove the task field from common_audit_data · b466066f
      Eric Paris authored
      There are no legitimate users.  Always use current and get back some stack
      space for the common_audit_data.
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • LSM: remove the COMMON_AUDIT_DATA_INIT type expansion · bd5e50f9
      Eric Paris authored
      Just open code it so grep on the source code works better.
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • SELinux: move common_audit_data to a noinline slow path function · d4cf970d
      Eric Paris authored
      selinux_inode_has_perm is a hot path.  Instead of declaring the
      common_audit_data on the stack move it to a noinline function only used in
      the rare case we need to send an audit message.
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • SELinux: remove inode_has_perm_noadp · 602a8dd6
      Eric Paris authored
      Both callers could better be using file_has_perm() to get better audit
      results.
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • SELinux: delay initialization of audit data in selinux_inode_permission · 2e334057
      Eric Paris authored
      We pay a rather large overhead initializing the common_audit_data.
      Since we only need this information if we actually emit an audit
      message there is little need to set it up in the hot path.  This patch
      splits the functionality of avc_has_perm() into avc_has_perm_noaudit(),
      avc_audit_required() and slow_avc_audit().  But we take care of setting
      up to audit between required() and the actual audit call, thus saving
      measurable time in a hot path.
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • SELinux: if sel_make_bools errors don't leave inconsistent state · 154c50ca
      Eric Paris authored
      We reset the bool names and values array to NULL, but do not reset the
      number of entries in these arrays to 0.  If we error out and then get back
      into this function we will walk these NULL pointers based on the belief
      that they are non-zero length.
      Signed-off-by: Eric Paris <eparis@redhat.com>
      cc: stable@kernel.org
    • SELinux: remove needless sel_div function · 92ae9e82
      Eric Paris authored
      I'm not really sure what the idea behind the sel_div function is, but it's
      useless.  Since a and b are both unsigned, it's impossible for a % b < 0.
      That means that part of the function never does anything.  Thus it's just a
      normal /.  Just do that instead.  I don't even understand what that operation
      was supposed to mean in the signed case however....
      
      If it was signed:
      sel_div(-2, 4) == ((-2 / 4) - ((-2 % 4) < 0))
                        ((0)      - ((-2)     < 0))
                        ((0)      - (1))
                        (-1)
      
      What actually happens:
      sel_div(-2, 4) == ((18446744073709551614 / 4) - ((18446744073709551614 % 4) < 0))
                        ((4611686018427387903)      - ((2 < 0))
                        (4611686018427387903        - 0)
                        ((unsigned int)4611686018427387903)
                        (4294967295)
      
      Neither makes a whole ton of sense to me.  So I'm getting rid of the
      function entirely.
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • SELinux: possible NULL deref in context_struct_to_string · bb7081ab
      Eric Paris authored
      It's possible that the caller passed a NULL for scontext.  However if this
      is a deferred mapping we might still attempt to call *scontext=kstrdup().
      This is bad.  Instead just return the len.
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • SELinux: audit failed attempts to set invalid labels · d6ea83ec
      Eric Paris authored
      We know that some yum operation is causing CAP_MAC_ADMIN failures.  This
      implies that an RPM is laying down (or attempting to lay down) a file with
      an invalid label.  The problem is that we don't have any information to
      track down the cause.  This patch will cause such a failure to report the
      failed label in an SELINUX_ERR audit message.  This is similar to the
      SELINUX_ERR reports on invalid transitions and things like that.  It should
      help run down problems on what is trying to set invalid labels in the
      future.
      
      Resulting records look something like:
      type=AVC msg=audit(1319659241.138:71): avc:  denied  { mac_admin } for pid=2594 comm="chcon" capability=33 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2
      type=SELINUX_ERR msg=audit(1319659241.138:71): op=setxattr invalid_context=unconfined_u:object_r:hello:s0
      type=SYSCALL msg=audit(1319659241.138:71): arch=c000003e syscall=188 success=no exit=-22 a0=a2c0e0 a1=390341b79b a2=a2d620 a3=1f items=1 ppid=2519 pid=2594 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="chcon" exe="/usr/bin/chcon" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
      type=CWD msg=audit(1319659241.138:71):  cwd="/root"
      type=PATH msg=audit(1319659241.138:71): item=0 name="test" inode=785879 dev=fc:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • SELinux: rename dentry_open to file_open · 83d49856
      Eric Paris authored
      dentry_open takes a file, so rename it to file_open
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • SELinux: check OPEN on truncate calls · 95dbf739
      Eric Paris authored
      In RH BZ 578841 we realized that the SELinux sandbox program was allowed to
      truncate files outside of the sandbox.  The reason is because sandbox
      confinement is determined almost entirely by the 'open' permission.  The idea
      was that if the sandbox was unable to open() files it would be unable to do
      harm to those files.  This turns out to be false in light of syscalls like
      truncate() and chmod() which don't require a previous open() call.  I looked
      at the syscalls that did not have an associated 'open' check and found that
      truncate() did not have a separate permission and even if it did have a
      separate permission such a permission would be inadequate for use by
      sandbox (since it would have to be granted so liberally as to be useless).
      This patch checks the OPEN permission on truncate.  I think a better solution
      for sandbox is a whole new permission, but at least this fixes what we have
      today.
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • SELinux: add default_type statements · eed7795d
      Eric Paris authored
      Because Fedora shipped userspace based on my development tree we now
      have policy version 27 in the wild defining only default user, role, and
      range.  Thus to add default_type we need a policy.28.
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • SELinux: allow default source/target selectors for user/role/range · aa893269
      Eric Paris authored
      When new objects are created we have great and flexible rules to
      determine the type of the new object.  We aren't quite as flexible or
      mature when it comes to determining the user, role, and range.  This
      patch adds a new ability to specify the place a new object's user, role,
      and range should come from.  For users and roles it can come from either
      the source or the target of the operation.  aka for files the user can
      either come from the source (the running process and today's default) or
      it can come from the target (aka the parent directory of the new file)
      
      examples always are done with
      directory context: system_u:object_r:mnt_t:s0-s0:c0.c512
      process context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
      
      [no rule]
      	unconfined_u:object_r:mnt_t:s0   test_none
      [default user source]
      	unconfined_u:object_r:mnt_t:s0   test_user_source
      [default user target]
      	system_u:object_r:mnt_t:s0       test_user_target
      [default role source]
      	unconfined_u:unconfined_r:mnt_t:s0 test_role_source
      [default role target]
      	unconfined_u:object_r:mnt_t:s0   test_role_target
      [default range source low]
      	unconfined_u:object_r:mnt_t:s0 test_range_source_low
      [default range source high]
      	unconfined_u:object_r:mnt_t:s0:c0.c1023 test_range_source_high
      [default range source low-high]
      	unconfined_u:object_r:mnt_t:s0-s0:c0.c1023 test_range_source_low-high
      [default range target low]
      	unconfined_u:object_r:mnt_t:s0 test_range_target_low
      [default range target high]
      	unconfined_u:object_r:mnt_t:s0:c0.c512 test_range_target_high
      [default range target low-high]
      	unconfined_u:object_r:mnt_t:s0-s0:c0.c512 test_range_target_low-high
      Signed-off-by: Eric Paris <eparis@redhat.com>
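      The selection rules the commit describes, reduced to a small user-space labelling function as an added example (not the kernel's own code): it parses the process and directory contexts from the table above, picks the user, role and range according to the default_{user,role,range} choice, and reproduces each row of the table. The type (mnt_t) is passed in directly, since type_transition rules are a separate mechanism; the enum names and the static result buffer are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* A security context split into its fields; range holds "low" or "low-high". */
struct ctx { char user[64], role[64], type[64], range[64]; };

/* default_user / default_role choice; DEFAULT keeps today's behaviour. */
enum pick { DEFAULT, SOURCE, TARGET };
/* default_range choice: which end of which context's range to copy. */
enum rng { RNG_DEFAULT, SOURCE_LOW, SOURCE_HIGH, SOURCE_LOW_HIGH,
           TARGET_LOW, TARGET_HIGH, TARGET_LOW_HIGH };

/* Constructed inputs: the process and directory contexts from the commit message. */
static const char *EXAMPLE_PROCESS = "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023";
static const char *EXAMPLE_DIR = "system_u:object_r:mnt_t:s0-s0:c0.c512";

/* Parses "user:role:type:range" (the range may itself contain ':'); 1 on success. */
static int ctx_parse(const char *s, struct ctx *c)
{
    return sscanf(s, "%63[^:]:%63[^:]:%63[^:]:%63s", c->user, c->role, c->type, c->range) == 4;
}

/* Splits "low-high" into its two levels; a single level counts as both. */
static void range_split(const char *r, char *low, char *high)
{
    if (sscanf(r, "%63[^-]-%63s", low, high) < 2)
        strcpy(high, low);
}

/* Labels a new file from the creating process (source) and parent directory (target)
 * contexts.  The type is passed in: in the kernel it comes from type_transition rules.
 * Returns a static buffer (fine for an example), or NULL if a context does not parse. */
static const char *new_file_context(const char *source, const char *target, const char *type,
                                    enum pick user_rule, enum pick role_rule, enum rng range_rule)
{
    static char out[256];
    struct ctx s, t;
    char low[64], high[64], range[132];
    if (!ctx_parse(source, &s) || !ctx_parse(target, &t)) return NULL;
    const char *user = user_rule == TARGET ? t.user : s.user;      /* default: the process */
    const char *role = role_rule == SOURCE ? s.role                 /* default: object_r */
                     : role_rule == TARGET ? t.role : "object_r";
    range_split(range_rule >= TARGET_LOW ? t.range : s.range, low, high);
    switch (range_rule) {                                           /* default: low end */
    case SOURCE_HIGH: case TARGET_HIGH: strcpy(range, high); break;
    case SOURCE_LOW_HIGH: case TARGET_LOW_HIGH:
        if (strcmp(low, high)) snprintf(range, sizeof range, "%s-%s", low, high);
        else strcpy(range, low);
        break;
    default: strcpy(range, low); break;
    }
    snprintf(out, sizeof out, "%s:%s:%s:%s", user, role, type, range);
    return out;
}

int main(void)
{
    /* The "[default range target low-high]" row of the commit's table. */
    printf("%s\n", new_file_context(EXAMPLE_PROCESS, EXAMPLE_DIR, "mnt_t",
                                    DEFAULT, DEFAULT, TARGET_LOW_HIGH));
    return 0;
}
```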
    • SELinux: loosen DAC perms on reading policy · 72e8c859
      Eric Paris authored
      There is no reason the DAC perms on reading the policy file need to be root
      only.  There are selinux checks which should control this access.
      Signed-off-by: Eric Paris <eparis@redhat.com>
    • SELinux: allow seek operations on the file exposing policy · 47a93a5b
      Eric Paris authored
      sesearch uses:
      lseek(3, 0, SEEK_SET)                   = -1 ESPIPE (Illegal seek)
      
      Make that work.
      Signed-off-by: Eric Paris <eparis@redhat.com>
  4. 03 Apr, 2012 6 commits
  5. 31 Mar, 2012 4 commits
    • get rid of pointless includes of ext2_fs.h · 2f99c369
      Al Viro authored
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • a1c2aa1e
      Al Viro authored
    • selinux: inline avc_audit() and avc_has_perm_noaudit() into caller · cdb0f9a1
      Linus Torvalds authored
      Now that all the slow-path code is gone from these functions, we can
      inline them into the main caller - avc_has_perm_flags().
      
      Now the compiler can see that 'avc' is allocated on the stack for this
      case, which helps register pressure a bit.  It also actually shrinks the
      total stack frame, because the stack frame that avc_has_perm_flags()
      always needed (for that 'avc' allocation) is now sufficient for the
      inlined functions too.
      
      Inlining isn't bad - but mindless inlining of cold code (see the
      previous commit) is.
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • selinux: don't inline slow-path code into avc_has_perm_noaudit() · a554bea8
      Linus Torvalds authored
      The selinux AVC paths remain some of the hottest (and deepest) codepaths
      at filename lookup time, and we make it worse by having the slow path
      cases take up I$ and stack space even when they don't trigger.  Gcc
      tends to always want to inline functions that are just called once -
      never mind that this might make for slower and worse code in the caller.
      
      So this tries to improve on it a bit by making the slow-path cases
      explicitly separate functions that are marked noinline, causing gcc to
      at least no longer allocate stack space for them unless they are
      actually called.  It also seems to help register allocation a tiny bit,
      since gcc now doesn't take the slow case code into account.
      
      Uninlining the slow path may also allow us to inline the remaining hot
      path into the one caller that actually matters: avc_has_perm_flags().
      I'll have to look at that separately, but both avc_audit() and
      avc_has_perm_noaudit() are now small and lean enough that inlining them
      may make sense.
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  6. 28 Mar, 2012 1 commit
  7. 26 Mar, 2012 1 commit
    • SELinux: selinux/xfrm.h needs net/flow.h · 778aae84
      David Howells authored
      selinux/xfrm.h needs to #include net/flow.h or else suffer:
      
      In file included from security/selinux/ss/services.c:69:0:
      security/selinux/include/xfrm.h: In function 'selinux_xfrm_notify_policyload':
      security/selinux/include/xfrm.h:53:14: error: 'flow_cache_genid' undeclared (first use in this function)
      security/selinux/include/xfrm.h:53:14: note: each undeclared identifier is reported only once for each function it appears in
      Signed-off-by: David Howells <dhowells@redhat.com>
  8. 23 Mar, 2012 1 commit
    • security: optimize avc_audit() common path · 48aab2f7
      Linus Torvalds authored
      avc_audit() did a lot of jumping around and had a big stack frame, all
      for the uncommon case.
      
      Split up the uncommon case (which we really can't make go fast anyway)
      into its own slow function, and mark the conditional branches
      appropriately for the common likely case.
      
      This causes avc_audit() to no longer show up as one of the hottest
      functions on the branch profiles (the new "perf -b" thing), and makes
      the cycle profiles look really nice and dense too.
      
      The whole audit path is still annoyingly very much one of the biggest
      costs of name lookup, so these things are worth optimizing for.  I wish
      we could just tell people to turn it off, but realistically we do need
      it: we just need to make sure that the overhead of the necessary evil is
      as low as possible.
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  9. 19 Feb, 2012 1 commit
    • Replace the fd_sets in struct fdtable with an array of unsigned longs · 1fd36adc
      David Howells authored
      Replace the fd_sets in struct fdtable with an array of unsigned longs and then
      use the standard non-atomic bit operations rather than the FD_* macros.
      
      This:
      
       (1) Removes the abuses of struct fd_set:
      
           (a) Since we don't want to allocate a full fd_set the vast majority of the
               time, we actually, in effect, just allocate a just-big-enough array of
               unsigned longs and cast it to an fd_set type - so why bother with the
               fd_set at all?
      
           (b) Some places outside of the core fdtable handling code (such as
               SELinux) want to look inside the array of unsigned longs hidden inside
               the fd_set struct for more efficient iteration over the entire set.
      
       (2) Eliminates the use of FD_*() macros in the kernel completely.
      
       (3) Permits the __FD_*() macros to be deleted entirely where not exposed to
           userspace.
      Signed-off-by: David Howells <dhowells@redhat.com>
      Link: http://lkml.kernel.org/r/20120216174954.23314.48147.stgit@warthog.procyon.org.uk
      Signed-off-by: H. Peter Anvin <hpa@zytor.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
  10. 13 Feb, 2012 1 commit
  11. 07 Jan, 2012 1 commit
  12. 05 Jan, 2012 1 commit