1. 01 Jul, 2006 2 commits
  2. 30 Jun, 2006 3 commits
  3. 29 Jun, 2006 3 commits
    • Catherine Zhang's avatar
      [AF_UNIX]: Datagram getpeersec · 877ce7c1
      Catherine Zhang authored
      This patch implements an API whereby an application can determine the
      label of its peer's Unix datagram sockets via the auxiliary data mechanism of
      recvmsg.
      
      Patch purpose:
      
      This patch enables a security-aware application to retrieve the
      security context of the peer of a Unix datagram socket.  The application
      can then use this security context to determine the security context for
      processing on behalf of the peer who sent the packet.
      
      Patch design and implementation:
      
      The design and implementation is very similar to the UDP case for INET
      sockets.  Basically we build upon the existing Unix domain socket API for
      retrieving user credentials.  Linux offers the API for obtaining user
      credentials via ancillary messages (i.e., out of band/control messages
      that are bundled together with a normal message).  To retrieve the security
      context, the application first indicates to the kernel such desire by
      setting the SO_PASSSEC option via getsockopt.  Then the application
      retrieves the security context using the auxiliary data mechanism.
      
      An example server application for Unix datagram socket should look like this:
      
      toggle = 1;
      toggle_len = sizeof(toggle);
      
      setsockopt(sockfd, SOL_SOCKET, SO_PASSSEC, &toggle, &toggle_len);
      recvmsg(sockfd, &msg_hdr, 0);
      if (msg_hdr.msg_controllen > sizeof(struct cmsghdr)) {
          cmsg_hdr = CMSG_FIRSTHDR(&msg_hdr);
          if (cmsg_hdr->cmsg_len <= CMSG_LEN(sizeof(scontext)) &&
              cmsg_hdr->cmsg_level == SOL_SOCKET &&
              cmsg_hdr->cmsg_type == SCM_SECURITY) {
              memcpy(&scontext, CMSG_DATA(cmsg_hdr), sizeof(scontext));
          }
      }
      
      sock_setsockopt is enhanced with a new socket option SOCK_PASSSEC to allow
      a server socket to receive security context of the peer.
      
      Testing:
      
      We have tested the patch by setting up Unix datagram client and server
      applications.  We verified that the server can retrieve the security context
      using the auxiliary data mechanism of recvmsg.
      Signed-off-by: default avatarCatherine Zhang <cxzhang@watson.ibm.com>
      Acked-by: default avatarAcked-by: James Morris <jmorris@namei.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      877ce7c1
    • Darrel Goeddel's avatar
      [NETLINK]: Encapsulate eff_cap usage within security framework. · c7bdb545
      Darrel Goeddel authored
      This patch encapsulates the usage of eff_cap (in netlink_skb_params) within
      the security framework by extending security_netlink_recv to include a required
      capability parameter and converting all direct usage of eff_caps outside
      of the lsm modules to use the interface.  It also updates the SELinux
      implementation of the security_netlink_send and security_netlink_recv
      hooks to take advantage of the sid in the netlink_skb_params struct.
      This also enables SELinux to perform auditing of netlink capability checks.
      Please apply, for 2.6.18 if possible.
      Signed-off-by: default avatarDarrel Goeddel <dgoeddel@trustedcs.com>
      Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Acked-by: default avatarJames Morris <jmorris@namei.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c7bdb545
    • David Howells's avatar
      [PATCH] Keys: Allow in-kernel key requestor to pass auxiliary data to upcaller · 4e54f085
      David Howells authored
      The proposed NFS key type uses its own method of passing key requests to
      userspace (upcalling) rather than invoking /sbin/request-key.  This is
      because the responsible userspace daemon should already be running and will
      be contacted through rpc_pipefs.
      
      This patch permits the NFS filesystem to pass auxiliary data to the upcall
      operation (struct key_type::request_key) so that the upcaller can use a
      pre-existing communications channel more easily.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Acked-By: default avatarKevin Coffman <kwc@citi.umich.edu>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
      4e54f085
  4. 28 Jun, 2006 2 commits
  5. 26 Jun, 2006 7 commits
  6. 23 Jun, 2006 4 commits
    • David Quigley's avatar
      [PATCH] SELinux: add task_movememory hook · 35601547
      David Quigley authored
      This patch adds new security hook, task_movememory, to be called when memory
      owened by a task is to be moved (e.g.  when migrating pages to a this hook is
      identical to the setscheduler implementation, but a separate hook introduced
      to allow this check to be specialized in the future if necessary.
      
      Since the last posting, the hook has been renamed following feedback from
      Christoph Lameter.
      Signed-off-by: default avatarDavid Quigley <dpquigl@tycho.nsa.gov>
      Acked-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      Cc: Christoph Lameter <clameter@sgi.com>
      Cc: Andi Kleen <ak@muc.de>
      Acked-by: default avatarChris Wright <chrisw@sous-sol.org>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
      35601547
    • James Morris's avatar
      [PATCH] lsm: add task_setioprio hook · 03e68060
      James Morris authored
      Implement an LSM hook for setting a task's IO priority, similar to the hook
      for setting a tasks's nice value.
      
      A previous version of this LSM hook was included in an older version of
      multiadm by Jan Engelhardt, although I don't recall it being submitted
      upstream.
      
      Also included is the corresponding SELinux hook, which re-uses the setsched
      permission in the proccess class.
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      Acked-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Cc: Jan Engelhardt <jengelh@linux01.gwdg.de>
      Cc: Chris Wright <chrisw@sous-sol.org>
      Cc: Jens Axboe <axboe@suse.de>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
      03e68060
    • David Howells's avatar
      [PATCH] VFS: Permit filesystem to perform statfs with a known root dentry · 726c3342
      David Howells authored
      Give the statfs superblock operation a dentry pointer rather than a superblock
      pointer.
      
      This complements the get_sb() patch.  That reduced the significance of
      sb->s_root, allowing NFS to place a fake root there.  However, NFS does
      require a dentry to use as a target for the statfs operation.  This permits
      the root in the vfsmount to be used instead.
      
      linux/mount.h has been added where necessary to make allyesconfig build
      successfully.
      
      Interest has also been expressed for use with the FUSE and XFS filesystems.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Acked-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Cc: Nathan Scott <nathans@sgi.com>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
      726c3342
    • David Howells's avatar
      [PATCH] VFS: Permit filesystem to override root dentry on mount · 454e2398
      David Howells authored
      Extend the get_sb() filesystem operation to take an extra argument that
      permits the VFS to pass in the target vfsmount that defines the mountpoint.
      
      The filesystem is then required to manually set the superblock and root dentry
      pointers.  For most filesystems, this should be done with simple_set_mnt()
      which will set the superblock pointer and then set the root dentry to the
      superblock's s_root (as per the old default behaviour).
      
      The get_sb() op now returns an integer as there's now no need to return the
      superblock pointer.
      
      This patch permits a superblock to be implicitly shared amongst several mount
      points, such as can be done with NFS to avoid potential inode aliasing.  In
      such a case, simple_set_mnt() would not be called, and instead the mnt_root
      and mnt_sb would be set directly.
      
      The patch also makes the following changes:
      
       (*) the get_sb_*() convenience functions in the core kernel now take a vfsmount
           pointer argument and return an integer, so most filesystems have to change
           very little.
      
       (*) If one of the convenience function is not used, then get_sb() should
           normally call simple_set_mnt() to instantiate the vfsmount. This will
           always return 0, and so can be tail-called from get_sb().
      
       (*) generic_shutdown_super() now calls shrink_dcache_sb() to clean up the
           dcache upon superblock destruction rather than shrink_dcache_anon().
      
           This is required because the superblock may now have multiple trees that
           aren't actually bound to s_root, but that still need to be cleaned up. The
           currently called functions assume that the whole tree is rooted at s_root,
           and that anonymous dentries are not the roots of trees which results in
           dentries being left unculled.
      
           However, with the way NFS superblock sharing are currently set to be
           implemented, these assumptions are violated: the root of the filesystem is
           simply a dummy dentry and inode (the real inode for '/' may well be
           inaccessible), and all the vfsmounts are rooted on anonymous[*] dentries
           with child trees.
      
           [*] Anonymous until discovered from another tree.
      
       (*) The documentation has been adjusted, including the additional bit of
           changing ext2_* into foo_* in the documentation.
      
      [akpm@osdl.org: convert ipath_fs, do other stuff]
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Acked-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Cc: Nathan Scott <nathans@sgi.com>
      Cc: Roland Dreier <rolandd@cisco.com>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
      454e2398
  7. 22 Jun, 2006 2 commits
    • David Howells's avatar
      [PATCH] Keys: Fix race between two instantiators of a key · 04c567d9
      David Howells authored
      Add a revocation notification method to the key type and calls it whilst
      the key's semaphore is still write-locked after setting the revocation
      flag.
      
      The patch then uses this to maintain a reference on the task_struct of the
      process that calls request_key() for as long as the authorisation key
      remains unrevoked.
      
      This fixes a potential race between two processes both of which have
      assumed the authority to instantiate a key (one may have forked the other
      for example).  The problem is that there's no locking around the check for
      revocation of the auth key and the use of the task_struct it points to, nor
      does the auth key keep a reference on the task_struct.
      
      Access to the "context" pointer in the auth key must thenceforth be done
      with the auth key semaphore held.  The revocation method is called with the
      target key semaphore held write-locked and the search of the context
      process's keyrings is done with the auth key semaphore read-locked.
      
      The check for the revocation state of the auth key just prior to searching
      it is done after the auth key is read-locked for the search.  This ensures
      that the auth key can't be revoked between the check and the search.
      
      The revocation notification method is added so that the context task_struct
      can be released as soon as instantiation happens rather than waiting for
      the auth key to be destroyed, thus avoiding the unnecessary pinning of the
      requesting process.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
      04c567d9
    • Michael LeMay's avatar
      [PATCH] selinux: add hooks for key subsystem · d720024e
      Michael LeMay authored
      Introduce SELinux hooks to support the access key retention subsystem
      within the kernel.  Incorporate new flask headers from a modified version
      of the SELinux reference policy, with support for the new security class
      representing retained keys.  Extend the "key_alloc" security hook with a
      task parameter representing the intended ownership context for the key
      being allocated.  Attach security information to root's default keyrings
      within the SELinux initialization routine.
      
      Has passed David's testsuite.
      Signed-off-by: default avatarMichael LeMay <mdlemay@epoch.ncsc.mil>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      Acked-by: default avatarChris Wright <chrisw@sous-sol.org>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
      d720024e
  8. 20 Jun, 2006 1 commit
  9. 18 Jun, 2006 5 commits
    • James Morris's avatar
      [SECMARK]: Add new packet controls to SELinux · 4e5ab4cb
      James Morris authored
      Add new per-packet access controls to SELinux, replacing the old
      packet controls.
      
      Packets are labeled with the iptables SECMARK and CONNSECMARK targets,
      then security policy for the packets is enforced with these controls.
      
      To allow for a smooth transition to the new controls, the old code is
      still present, but not active by default.  To restore previous
      behavior, the old controls may be activated at runtime by writing a
      '1' to /selinux/compat_net, and also via the kernel boot parameter
      selinux_compat_net.  Switching between the network control models
      requires the security load_policy permission.  The old controls will
      probably eventually be removed and any continued use is discouraged.
      
      With this patch, the new secmark controls for SElinux are disabled by
      default, so existing behavior is entirely preserved, and the user is
      not affected at all.
      
      It also provides a config option to enable the secmark controls by
      default (which can always be overridden at boot and runtime).  It is
      also noted in the kconfig help that the user will need updated
      userspace if enabling secmark controls for SELinux and that they'll
      probably need the SECMARK and CONNMARK targets, and conntrack protocol
      helpers, although such decisions are beyond the scope of kernel
      configuration.
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4e5ab4cb
    • James Morris's avatar
      [SECMARK]: Add SELinux exports · c749b29f
      James Morris authored
      Add and export new functions to the in-kernel SELinux API in support of the
      new secmark-based packet controls.
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c749b29f
    • James Morris's avatar
      [SECMARK]: Add new flask definitions to SELinux · 29a395ea
      James Morris authored
      Secmark implements a new scheme for adding security markings to
      packets via iptables, as well as changes to SELinux to use these
      markings for security policy enforcement.  The rationale for this
      scheme is explained and discussed in detail in the original threads:
      
       http://thread.gmane.org/gmane.linux.network/34927/
       http://thread.gmane.org/gmane.linux.network/35244/
      
      Examples of policy and rulesets, as well as a full archive of patches
      for iptables and SELinux userland, may be found at:
      
      http://people.redhat.com/jmorris/selinux/secmark/
      
      The code has been tested with various compilation options and in
      several scenarios, including with 'complicated' protocols such as FTP
      and also with the new generic conntrack code with IPv6 connection
      tracking.
      
      This patch:
      
      Add support for a new object class ('packet'), and associated
      permissions ('send', 'recv', 'relabelto').  These are used to enforce
      security policy for network packets labeled with SECMARK, and for
      adding labeling rules.
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      29a395ea
    • Christopher J. PeBenito's avatar
      [SELINUX]: add security class for appletalk sockets · 3e3ff15e
      Christopher J. PeBenito authored
      Add a security class for appletalk sockets so that they can be
      distinguished in SELinux policy.  Please apply.
      Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Acked-by: default avatarJames Morris <jmorris@namei.org>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3e3ff15e
    • Catherine Zhang's avatar
      [LSM-IPsec]: SELinux Authorize · c8c05a8e
      Catherine Zhang authored
      This patch contains a fix for the previous patch that adds security
      contexts to IPsec policies and security associations.  In the previous
      patch, no authorization (besides the check for write permissions to
      SAD and SPD) is required to delete IPsec policies and security
      assocations with security contexts.  Thus a user authorized to change
      SAD and SPD can bypass the IPsec policy authorization by simply
      deleteing policies with security contexts.  To fix this security hole,
      an additional authorization check is added for removing security
      policies and security associations with security contexts.
      
      Note that if no security context is supplied on add or present on
      policy to be deleted, the SELinux module allows the change
      unconditionally.  The hook is called on deletion when no context is
      present, which we may want to change.  At present, I left it up to the
      module.
      
      LSM changes:
      
      The patch adds two new LSM hooks: xfrm_policy_delete and
      xfrm_state_delete.  The new hooks are necessary to authorize deletion
      of IPsec policies that have security contexts.  The existing hooks
      xfrm_policy_free and xfrm_state_free lack the context to do the
      authorization, so I decided to split authorization of deletion and
      memory management of security data, as is typical in the LSM
      interface.
      
      Use:
      
      The new delete hooks are checked when xfrm_policy or xfrm_state are
      deleted by either the xfrm_user interface (xfrm_get_policy,
      xfrm_del_sa) or the pfkey interface (pfkey_spddelete, pfkey_delete).
      
      SELinux changes:
      
      The new policy_delete and state_delete functions are added.
      Signed-off-by: default avatarCatherine Zhang <cxzhang@watson.ibm.com>
      Signed-off-by: default avatarTrent Jaeger <tjaeger@cse.psu.edu>
      Acked-by: default avatarJames Morris <jmorris@namei.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c8c05a8e
  10. 09 Jun, 2006 1 commit
  11. 05 Jun, 2006 1 commit
  12. 21 May, 2006 1 commit
  13. 15 May, 2006 1 commit
  14. 03 May, 2006 1 commit
  15. 01 May, 2006 4 commits
  16. 21 Apr, 2006 1 commit
  17. 19 Apr, 2006 1 commit