summaryrefslogtreecommitdiff
path: root/security
AgeCommit message (Collapse)AuthorFilesLines
2014-04-11Smack: fix the subject/object order in smack_ptrace_traceme()Lukasz Pawelczyk3-9/+29
The order of subject/object is currently reversed in smack_ptrace_traceme(). It is currently checked if the tracee has a capability to trace tracer and according to this rule a decision is made whether the tracer will be allowed to trace tracee. Signed-off-by: Lukasz Pawelczyk <l.pawelczyk@partner.samsung.com> Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
2014-04-11Minor improvement of 'smack_sb_kern_mount'José Bollo1-3/+5
Fix a possible memory access fault when transmute is true and isp is NULL. Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
2014-03-19selinux: correctly label /proc inodes in use before the policy is loadedPaul Moore1-9/+27
This patch is based on an earlier patch by Eric Paris, he describes the problem below: "If an inode is accessed before policy load it will get placed on a list of inodes to be initialized after policy load. After policy load we call inode_doinit() which calls inode_doinit_with_dentry() on all inodes accessed before policy load. In the case of inodes in procfs that means we'll end up at the bottom where it does: /* Default to the fs superblock SID. */ isec->sid = sbsec->sid; if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) { if (opt_dentry) { isec->sclass = inode_mode_to_security_class(...) rc = selinux_proc_get_sid(opt_dentry, isec->sclass, &sid); if (rc) goto out_unlock; isec->sid = sid; } } Since opt_dentry is null, we'll never call selinux_proc_get_sid() and will leave the inode labeled with the label on the superblock. I believe a fix would be to mimic the behavior of xattrs. Look for an alias of the inode. If it can't be found, just leave the inode uninitialized (and pick it up later) if it can be found, we should be able to call selinux_proc_get_sid() ..." On a system exhibiting this problem, you will notice a lot of files in /proc with the generic "proc_t" type (at least the ones that were accessed early in the boot), for example: # ls -Z /proc/sys/kernel/shmmax | awk '{ print $4 " " $5 }' system_u:object_r:proc_t:s0 /proc/sys/kernel/shmmax However, with this patch in place we see the expected result: # ls -Z /proc/sys/kernel/shmmax | awk '{ print $4 " " $5 }' system_u:object_r:sysctl_kernel_t:s0 /proc/sys/kernel/shmmax Cc: Eric Paris <eparis@redhat.com> Signed-off-by: Paul Moore <pmoore@redhat.com> Acked-by: Eric Paris <eparis@redhat.com>
2014-03-19selinux: put the mmap() DAC controls before the MAC controlsPaul Moore1-12/+8
It turns out that doing the SELinux MAC checks for mmap() before the DAC checks was causing users and the SELinux policy folks headaches as users were seeing a lot of SELinux AVC denials for the memprotect:mmap_zero permission that would have also been denied by the normal DAC capability checks (CAP_SYS_RAWIO). Example: # cat mmap_test.c #include <stdlib.h> #include <stdio.h> #include <errno.h> #include <sys/mman.h> int main(int argc, char *argv[]) { int rc; void *mem; mem = mmap(0x0, 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0); if (mem == MAP_FAILED) return errno; printf("mem = %p\n", mem); munmap(mem, 4096); return 0; } # gcc -g -O0 -o mmap_test mmap_test.c # ./mmap_test mem = (nil) # ausearch -m AVC | grep mmap_zero type=AVC msg=audit(...): avc: denied { mmap_zero } for pid=1025 comm="mmap_test" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=memprotect This patch corrects things so that when the above example is run by a user without CAP_SYS_RAWIO the SELinux AVC is no longer generated as the DAC capability check fails before the SELinux permission check. Signed-off-by: Paul Moore <pmoore@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-12Merge branch 'next-fixes' of ↵James Morris18-134/+153
git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity into next
2014-03-07evm: enable key retention service automaticallyDmitry Kasatkin1-2/+3
If keys are not enabled, EVM is not visible in the configuration menu. It may be difficult to figure out what to do unless you really know. Other subsystems as NFS, CIFS select keys automatically. This patch does the same. This patch also removes '(TRUSTED_KEYS=y || TRUSTED_KEYS=n)' dependency, which is unnecessary. EVM does not depend on trusted keys, but on encrypted keys. evm.h provides compile time dependency. Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
2014-03-07ima: skip memory allocation for empty filesDmitry Kasatkin1-8/+12
Memory allocation is unnecessary for empty files. This patch calculates the hash without memory allocation. Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
2014-03-07evm: EVM does not use MD5Dmitry Kasatkin1-1/+0
EVM does not use MD5 HMAC. Selection of CRYPTO_MD5 can be safely removed. Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
2014-03-07ima: return d_name.name if d_path failsDmitry Kasatkin2-7/+2
This is a small refactoring so ima_d_path() returns dentry name if path reconstruction fails. It simplifies callers actions and removes code duplication. Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
2014-03-07integrity: fix checkpatch errorsDmitry Kasatkin11-70/+69
Between checkpatch changes (eg. sizeof) and inconsistencies between Lindent and checkpatch, unfixed checkpatch errors make it difficult to see new errors. This patch fixes them. Some lines with over 80 chars remained unchanged to improve code readability. The "extern" keyword is removed from internal evm.h to make it consistent with internal ima.h. Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
2014-03-07ima: fix erroneous removal of security.ima xattrDmitry Kasatkin1-2/+4
ima_inode_post_setattr() calls ima_must_appraise() to check if the file needs to be appraised. If it does not then it removes security.ima xattr. With original policy matching code it might happen that even file needs to be appraised with FILE_CHECK hook, it might not be for POST_SETATTR hook. 'security.ima' might be erronously removed. This patch treats POST_SETATTR as special wildcard function and will cause ima_must_appraise() to be true if any of the hooks rules matches. security.ima will not be removed if any of the hooks would require appraisal. Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
2014-03-07security: integrity: Use a more current logging styleJoe Perches7-11/+27
Convert printks to pr_<level>. Add pr_fmt. Remove embedded prefixes. Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
2014-03-07ima: reduce memory usage when a template containing the n field is usedRoberto Sassu2-17/+13
Before this change, to correctly calculate the template digest for the 'ima' template, the event name field (id: 'n') length was set to the fixed size of 256 bytes. This patch reduces the length of the event name field to the string length incremented of one (to make room for the termination character '\0') and handles the specific case of the digest calculation for the 'ima' template directly in ima_calc_field_array_hash_tfm(). Signed-off-by: Roberto Sassu <roberto.sassu@polito.it> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
2014-03-07ima: restore the original behavior for sending data with ima templateRoberto Sassu3-4/+10
With the new template mechanism introduced in IMA since kernel 3.13, the format of data sent through the binary_runtime_measurements interface is slightly changed. Now, for a generic measurement, the format of template data (after the template name) is: template_len | field1_len | field1 | ... | fieldN_len | fieldN In addition, fields containing a string now include the '\0' termination character. Instead, the format for the 'ima' template should be: SHA1 digest | event name length | event name It must be noted that while in the IMA 3.13 code 'event name length' is 'IMA_EVENT_NAME_LEN_MAX + 1' (256 bytes), so that the template digest is calculated correctly, and 'event name' contains '\0', in the pre 3.13 code 'event name length' is exactly the string length and 'event name' does not contain the termination character. The patch restores the behavior of the IMA code pre 3.13 for the 'ima' template so that legacy userspace tools obtain a consistent behavior when receiving data from the binary_runtime_measurements interface regardless of which kernel version is used. Signed-off-by: Roberto Sassu <roberto.sassu@polito.it> Cc: <stable@vger.kernel.org> # 3.3.13: 3ce1217 ima: define template fields library Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
2014-03-07Integrity: Pass commname via get_task_comm()Tetsuo Handa1-1/+2
When we pass task->comm to audit_log_untrustedstring(), we need to pass it via get_task_comm() because task->comm can be changed to contain untrusted string by other threads after audit_log_untrustedstring() confirmed that task->comm does not contain untrusted string. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
2014-03-07ima: use static const char array definitionsMimi Zohar4-10/+10
A const char pointer allocates memory for a pointer as well as for a string, This patch replaces a number of the const char pointers throughout IMA, with a static const char array. Suggested-by: David Howells <dhowells@redhat.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Acked-by: David Howells <dhowells@redhat.com>
2014-03-07security: have cap_dentry_init_security return errorJeff Layton1-1/+1
Currently, cap_dentry_init_security returns 0 without actually initializing the security label. This confuses its only caller (nfs4_label_init_security) which expects an error in that situation, and causes it to end up sending out junk onto the wire instead of simply suppressing the label in the attributes sent. When CONFIG_SECURITY is disabled, security_dentry_init_security returns -EOPNOTSUPP. Have cap_dentry_init_security do the same. Signed-off-by: Jeff Layton <jlayton@redhat.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com> Signed-off-by: James Morris <james.l.morris@oracle.com>
2014-03-04ima: new helper: file_inode(file)Libo Chen1-1/+1
Replace "file->f_dentry->d_inode" with the new file_inode() helper function. Signed-off-by: Libo Chen <clbchenlibo.chen@huawei.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
2014-02-17security: cleanup Makefiles to use standard syntax for specifying ↵Sam Ravnborg2-8/+8
sub-directories The Makefiles in security/ uses a non-standard way to specify sub-directories for building. Fix it up so the normal (and documented) approach is used. Signed-off-by: Sam Ravnborg <sam@ravnborg.org> Cc: Michal Marek <mmarek@suse.cz> Signed-off-by: James Morris <james.l.morris@oracle.com>
2014-02-06security: replace strict_strto*() with kstrto*()Jingoo Han7-12/+12
The usage of strict_strto*() is not preferred, because strict_strto*() is obsolete. Thus, kstrto*() should be used. Signed-off-by: Jingoo Han <jg1.han@samsung.com> Signed-off-by: James Morris <james.l.morris@oracle.com>
2014-01-08Merge branch 'master' of git://git.infradead.org/users/pcmoore/selinux into nextJames Morris1-1/+13
2014-01-07SELinux: Fix memory leak upon loading policyTetsuo Handa1-1/+13
Hello. I got below leak with linux-3.10.0-54.0.1.el7.x86_64 . [ 681.903890] kmemleak: 5538 new suspected memory leaks (see /sys/kernel/debug/kmemleak) Below is a patch, but I don't know whether we need special handing for undoing ebitmap_set_bit() call. ---------- >>From fe97527a90fe95e2239dfbaa7558f0ed559c0992 Mon Sep 17 00:00:00 2001 From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Date: Mon, 6 Jan 2014 16:30:21 +0900 Subject: [PATCH] SELinux: Fix memory leak upon loading policy Commit 2463c26d "SELinux: put name based create rules in a hashtable" did not check return value from hashtab_insert() in filename_trans_read(). It leaks memory if hashtab_insert() returns error. unreferenced object 0xffff88005c9160d0 (size 8): comm "systemd", pid 1, jiffies 4294688674 (age 235.265s) hex dump (first 8 bytes): 57 0b 00 00 6b 6b 6b a5 W...kkk. backtrace: [<ffffffff816604ae>] kmemleak_alloc+0x4e/0xb0 [<ffffffff811cba5e>] kmem_cache_alloc_trace+0x12e/0x360 [<ffffffff812aec5d>] policydb_read+0xd1d/0xf70 [<ffffffff812b345c>] security_load_policy+0x6c/0x500 [<ffffffff812a623c>] sel_write_load+0xac/0x750 [<ffffffff811eb680>] vfs_write+0xc0/0x1f0 [<ffffffff811ec08c>] SyS_write+0x4c/0xa0 [<ffffffff81690419>] system_call_fastpath+0x16/0x1b [<ffffffffffffffff>] 0xffffffffffffffff However, we should not return EEXIST error to the caller, or the systemd will show below message and the boot sequence freezes. systemd[1]: Failed to load SELinux policy. Freezing. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Acked-by: Eric Paris <eparis@redhat.com> Cc: stable@vger.kernel.org Signed-off-by: Paul Moore <pmoore@redhat.com>
2014-01-07Merge branch 'master' of git://git.infradead.org/users/pcmoore/selinux into nextJames Morris7-39/+164
Conflicts: security/selinux/hooks.c Resolved using request struct. Signed-off-by: James Morris <james.l.morris@oracle.com>
2014-01-06Merge to v3.13-rc7 for prerequisite changes in the Xen code for TPMJames Morris29-326/+361
2014-01-03ima: remove unneeded size_limit argument from ima_eventdigest_init_common()Roberto Sassu1-8/+6
This patch removes the 'size_limit' argument from ima_eventdigest_init_common(). Since the 'd' field will never include the hash algorithm as prefix and the 'd-ng' will always have it, we can use the hash algorithm to differentiate the two cases in the modified function (it is equal to HASH_ALGO__LAST in the first case, the opposite in the second). Signed-off-by: Roberto Sassu <roberto.sassu@polito.it> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
2014-01-03ima: pass HASH_ALGO__LAST as hash algo in ima_eventdigest_init()Roberto Sassu1-2/+2
Replace the '-1' value with HASH_ALGO__LAST in ima_eventdigest_init() as the called function ima_eventdigest_init_common() expects an unsigned char. Fix commit: 4d7aeee ima: define new template ima-ng and template fields d-ng and n-ng Signed-off-by: Roberto Sassu <roberto.sassu@polito.it> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
2014-01-03ima: change the default hash algorithm to SHA1 in ima_eventdigest_ng_init()Roberto Sassu1-1/+1
Replace HASH_ALGO__LAST with HASH_ALGO_SHA1 as the initial value of the hash algorithm so that the prefix 'sha1:' is added to violation digests. Fix commit: 4d7aeee ima: define new template ima-ng and template fields d-ng and n-ng Signed-off-by: Roberto Sassu <roberto.sassu@polito.it> Cc: <stable@vger.kernel.org> # 3.13.x Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
2013-12-31Smack: File receive audit correctionCasey Schaufler1-1/+1
Eric Paris politely points out: Inside smack_file_receive() it seems like you are initting the audit field with LSM_AUDIT_DATA_TASK. And then use smk_ad_setfield_u_fs_path(). Seems like LSM_AUDIT_DATA_PATH would make more sense. (and depending on how it's used fix a crash...) He is correct. This puts things in order. Targeted for git://git.gitorious.org/smack-next/kernel.git Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
2013-12-31Smack: Rationalize mount restrictionsCasey Schaufler1-54/+29
The mount restrictions imposed by Smack rely heavily on the use of the filesystem "floor", which is the label that all processes writing to the filesystem must have access to. It turns out that while the "floor" notion is sound, it has yet to be fully implemented and has never been used. The sb_mount and sb_umount hooks only make sense if the filesystem floor is used actively, and it isn't. They can be reintroduced if a rational restriction comes up. Until then, they get removed. The sb_kern_mount hook is required for the option processing. It is too permissive in the case of unprivileged mounts, effectively bypassing the CAP_MAC_ADMIN restrictions if any of the smack options are specified. Unprivileged mounts are no longer allowed to set Smack filesystem options. Additionally, the root and default values are set to the label of the caller, in keeping with the policy that objects get the label of their creator. Targeted for git://git.gitorious.org/smack-next/kernel.git Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
2013-12-23Smack: change rule cap checkCasey Schaufler1-1/+1
smk_write_change_rule() is calling capable rather than the more correct smack_privileged(). This allows for setting rules in violation of the onlycap facility. This is the simple repair. Targeted for git://git.gitorious.org/smack-next/kernel.git Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
2013-12-23Smack: Make the syslog control configurableCasey Schaufler3-13/+99
The syslog control requires that the calling proccess have the floor ("_") Smack label. Tizen does not run any processes except for kernel helpers with the floor label. This changes allows the admin to configure a specific label for syslog. The default value is the star ("*") label, effectively removing the restriction. The value can be set using smackfs/syslog for anyone who wants a more restrictive behavior. Targeted for git://git.gitorious.org/smack-next/kernel.git Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
2013-12-23selinux: selinux_setprocattr()->ptrace_parent() needs rcu_read_lock()Oleg Nesterov1-2/+2
selinux_setprocattr() does ptrace_parent(p) under task_lock(p), but task_struct->alloc_lock doesn't pin ->parent or ->ptrace, this looks confusing and triggers the "suspicious RCU usage" warning because ptrace_parent() does rcu_dereference_check(). And in theory this is wrong, spin_lock()->preempt_disable() doesn't necessarily imply rcu_read_lock() we need to access the ->parent. Reported-by: Evan McNabb <emcnabb@redhat.com> Signed-off-by: Oleg Nesterov <oleg@redhat.com> Cc: stable@vger.kernel.org Signed-off-by: Paul Moore <pmoore@redhat.com>
2013-12-23selinux: fix broken peer recv checkChad Hanson1-1/+3
Fix a broken networking check. Return an error if peer recv fails. If secmark is active and the packet recv succeeds the peer recv error is ignored. Signed-off-by: Chad Hanson <chanson@trustedcs.com> Cc: stable@vger.kernel.org Signed-off-by: Paul Moore <pmoore@redhat.com>
2013-12-19Smack: Prevent the * and @ labels from being used in SMACK64EXECCasey Schaufler1-16/+37
Smack prohibits processes from using the star ("*") and web ("@") labels because we don't want files with those labels getting created implicitly. All setting of those labels should be done explicitly. The trouble is that there is no check for these labels in the processing of SMACK64EXEC. That is repaired. Targeted for git://git.gitorious.org/smack-next/kernel.git Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
2013-12-16selinux: selinux_setprocattr()->ptrace_parent() needs rcu_read_lock()Oleg Nesterov1-2/+2
selinux_setprocattr() does ptrace_parent(p) under task_lock(p), but task_struct->alloc_lock doesn't pin ->parent or ->ptrace, this looks confusing and triggers the "suspicious RCU usage" warning because ptrace_parent() does rcu_dereference_check(). And in theory this is wrong, spin_lock()->preempt_disable() doesn't necessarily imply rcu_read_lock() we need to access the ->parent. Reported-by: Evan McNabb <emcnabb@redhat.com> Signed-off-by: Oleg Nesterov <oleg@redhat.com> Cc: stable@vger.kernel.org Signed-off-by: Paul Moore <pmoore@redhat.com>
2013-12-16SELinux: remove duplicated include from hooks.cWei Yongjun1-1/+0
Remove duplicated include. Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn> Signed-off-by: Paul Moore <pmoore@redhat.com>
2013-12-15Merge branch 'for-linus' of ↵Linus Torvalds3-42/+165
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security Pull SELinux fixes from James Morris. * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: selinux: process labeled IPsec TCP SYN-ACK packets properly in selinux_ip_postroute() selinux: look for IPsec labels on both inbound and outbound packets selinux: handle TCP SYN-ACK packets correctly in selinux_ip_postroute() selinux: handle TCP SYN-ACK packets correctly in selinux_ip_output() selinux: fix possible memory leak
2013-12-15Revert "selinux: consider filesystem subtype in policies"Linus Torvalds2-60/+22
This reverts commit 102aefdda4d8275ce7d7100bc16c88c74272b260. Tom London reports that it causes sync() to hang on Fedora rawhide: https://bugzilla.redhat.com/show_bug.cgi?id=1033965 and Josh Boyer bisected it down to this commit. Reverting the commit in the rawhide kernel fixes the problem. Eric Paris root-caused it to incorrect subtype matching in that commit breaking fuse, and has a tentative patch, but by now we're better off retrying this in 3.14 rather than playing with it any more. Reported-by: Tom London <selinux@gmail.com> Bisected-by: Josh Boyer <jwboyer@fedoraproject.org> Acked-by: Eric Paris <eparis@redhat.com> Cc: James Morris <jmorris@namei.org> Cc: Anand Avati <avati@redhat.com> Cc: Paul Moore <paul@paul-moore.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-12-13selinux: revert 102aefdda4d8275ce7d7100bc16c88c74272b260Paul Moore2-60/+22
Revert "selinux: consider filesystem subtype in policies" This reverts commit 102aefdda4d8275ce7d7100bc16c88c74272b260. Explanation from Eric Paris: SELinux policy can specify if it should use a filesystem's xattrs or not. In current policy we have a specification that fuse should not use xattrs but fuse.glusterfs should use xattrs. This patch has a bug in which non-glusterfs filesystems would match the rule saying fuse.glusterfs should use xattrs. If both fuse and the particular filesystem in question are not written to handle xattr calls during the mount command, they will deadlock. I have fixed the bug to do proper matching, however I believe a revert is still the correct solution. The reason I believe that is because the code still does not work. The s_subtype is not set until after the SELinux hook which attempts to match on the ".gluster" portion of the rule. So we cannot match on the rule in question. The code is useless. Signed-off-by: Paul Moore <pmoore@redhat.com>
2013-12-13Merge branch 'master' of git://git.infradead.org/users/pcmoore/selinux_fixes ↵James Morris3-42/+165
into for-linus
2013-12-12selinux: process labeled IPsec TCP SYN-ACK packets properly in ↵Paul Moore1-7/+35
selinux_ip_postroute() Due to difficulty in arriving at the proper security label for TCP SYN-ACK packets in selinux_ip_postroute(), we need to check packets while/before they are undergoing XFRM transforms instead of waiting until afterwards so that we can determine the correct security label. Reported-by: Janak Desai <Janak.Desai@gtri.gatech.edu> Cc: stable@vger.kernel.org Signed-off-by: Paul Moore <pmoore@redhat.com>
2013-12-12selinux: look for IPsec labels on both inbound and outbound packetsPaul Moore3-14/+47
Previously selinux_skb_peerlbl_sid() would only check for labeled IPsec security labels on inbound packets, this patch enables it to check both inbound and outbound traffic for labeled IPsec security labels. Reported-by: Janak Desai <Janak.Desai@gtri.gatech.edu> Cc: stable@vger.kernel.org Signed-off-by: Paul Moore <pmoore@redhat.com>
2013-12-12selinux: handle TCP SYN-ACK packets correctly in selinux_ip_postroute()Paul Moore1-15/+53
In selinux_ip_postroute() we perform access checks based on the packet's security label. For locally generated traffic we get the packet's security label from the associated socket; this works in all cases except for TCP SYN-ACK packets. In the case of SYN-ACK packet's the correct security label is stored in the connection's request_sock, not the server's socket. Unfortunately, at the point in time when selinux_ip_postroute() is called we can't query the request_sock directly, we need to recreate the label using the same logic that originally labeled the associated request_sock. See the inline comments for more explanation. Reported-by: Janak Desai <Janak.Desai@gtri.gatech.edu> Tested-by: Janak Desai <Janak.Desai@gtri.gatech.edu> Cc: stable@vger.kernel.org Signed-off-by: Paul Moore <pmoore@redhat.com>
2013-12-12selinux: handle TCP SYN-ACK packets correctly in selinux_ip_output()Paul Moore1-2/+23
In selinux_ip_output() we always label packets based on the parent socket. While this approach works in almost all cases, it doesn't work in the case of TCP SYN-ACK packets when the correct label is not the label of the parent socket, but rather the label of the larval socket represented by the request_sock struct. Unfortunately, since the request_sock isn't queued on the parent socket until *after* the SYN-ACK packet is sent, we can't lookup the request_sock to determine the correct label for the packet; at this point in time the best we can do is simply pass/NF_ACCEPT the packet. It must be said that simply passing the packet without any explicit labeling action, while far from ideal, is not terrible as the SYN-ACK packet will inherit any IP option based labeling from the initial connection request so the label *should* be correct and all our access controls remain in place so we shouldn't have to worry about information leaks. Reported-by: Janak Desai <Janak.Desai@gtri.gatech.edu> Tested-by: Janak Desai <Janak.Desai@gtri.gatech.edu> Cc: stable@vger.kernel.org Signed-off-by: Paul Moore <pmoore@redhat.com>
2013-12-12Merge tag 'keys-devel-20131210' of ↵Linus Torvalds3-17/+10
git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs Pull misc keyrings fixes from David Howells: "These break down into five sets: - A patch to error handling in the big_key type for huge payloads. If the payload is larger than the "low limit" and the backing store allocation fails, then big_key_instantiate() doesn't clear the payload pointers in the key, assuming them to have been previously cleared - but only one of them is. Unfortunately, the garbage collector still calls big_key_destroy() when sees one of the pointers with a weird value in it (and not NULL) which it then tries to clean up. - Three patches to fix the keyring type: * A patch to fix the hash function to correctly divide keyrings off from keys in the topology of the tree inside the associative array. This is only a problem if searching through nested keyrings - and only if the hash function incorrectly puts the a keyring outside of the 0 branch of the root node. * A patch to fix keyrings' use of the associative array. The __key_link_begin() function initially passes a NULL key pointer to assoc_array_insert() on the basis that it's holding a place in the tree whilst it does more allocation and stuff. This is only a problem when a node contains 16 keys that match at that level and we want to add an also matching 17th. This should easily be manufactured with a keyring full of keyrings (without chucking any other sort of key into the mix) - except for (a) above which makes it on average adding the 65th keyring. * A patch to fix searching down through nested keyrings, where any keyring in the set has more than 16 keyrings and none of the first keyrings we look through has a match (before the tree iteration needs to step to a more distal node). Test in keyutils test suite: http://git.kernel.org/cgit/linux/kernel/git/dhowells/keyutils.git/commit/?id=8b4ae963ed92523aea18dfbb8cab3f4979e13bd1 - A patch to fix the big_key type's use of a shmem file as its backing store causing audit messages and LSM check failures. This is done by setting S_PRIVATE on the file to avoid LSM checks on the file (access to the shmem file goes through the keyctl() interface and so is gated by the LSM that way). This isn't normally a problem if a key is used by the context that generated it - and it's currently only used by libkrb5. Test in keyutils test suite: http://git.kernel.org/cgit/linux/kernel/git/dhowells/keyutils.git/commit/?id=d9a53cbab42c293962f2f78f7190253fc73bd32e - A patch to add a generated file to .gitignore. - A patch to fix the alignment of the system certificate data such that it it works on s390. As I understand it, on the S390 arch, symbols must be 2-byte aligned because loading the address discards the least-significant bit" * tag 'keys-devel-20131210' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs: KEYS: correct alignment of system_certificate_list content in assembly file Ignore generated file kernel/x509_certificate_list security: shmem: implement kernel private shmem inodes KEYS: Fix searching of nested keyrings KEYS: Fix multiple key add into associative array KEYS: Fix the keyring hash function KEYS: Pre-clear struct key on allocation
2013-12-11selinux: fix broken peer recv checkChad Hanson1-1/+3
Fix a broken networking check. Return an error if peer recv fails. If secmark is active and the packet recv succeeds the peer recv error is ignored. Signed-off-by: Chad Hanson <chanson@trustedcs.com> Signed-off-by: Paul Moore <pmoore@redhat.com>
2013-12-11smack: fix: allow either entry be missing on access/access2 check (v2)Jarkko Sakkinen1-14/+15
This is a regression caused by f7112e6c. When either subject or object is not found the answer for access should be no. This patch fixes the situation. '0' is written back instead of failing with -EINVAL. v2: cosmetic style fixes Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
2013-12-10selinux: process labeled IPsec TCP SYN-ACK packets properly in ↵Paul Moore1-7/+35
selinux_ip_postroute() Due to difficulty in arriving at the proper security label for TCP SYN-ACK packets in selinux_ip_postroute(), we need to check packets while/before they are undergoing XFRM transforms instead of waiting until afterwards so that we can determine the correct security label. Reported-by: Janak Desai <Janak.Desai@gtri.gatech.edu> Cc: stable@vger.kernel.org Signed-off-by: Paul Moore <pmoore@redhat.com>
2013-12-09selinux: look for IPsec labels on both inbound and outbound packetsPaul Moore3-14/+47
Previously selinux_skb_peerlbl_sid() would only check for labeled IPsec security labels on inbound packets, this patch enables it to check both inbound and outbound traffic for labeled IPsec security labels. Reported-by: Janak Desai <Janak.Desai@gtri.gatech.edu> Cc: stable@vger.kernel.org Signed-off-by: Paul Moore <pmoore@redhat.com>
2013-12-04selinux: fix possible memory leakGeyslan G. Bem1-4/+7
Free 'ctx_str' when necessary. Signed-off-by: Geyslan G. Bem <geyslan@gmail.com> Signed-off-by: Paul Moore <pmoore@redhat.com>