- Aug 10, 2009
-
-
James Morris authored
Fix memory leakage in /security/selinux/hooks.c The buffer always needs to be freed here; we either error out or allocate more memory. Reported-by:
iceberg <strakh@ispras.ru> Signed-off-by:
James Morris <jmorris@namei.org> Acked-by:
Stephen Smalley <sds@tycho.nsa.gov>
-
- Jun 28, 2009
-
-
Mimi Zohar authored
This patch fixes an imbalance message as reported by J.R. Okajima. The IMA file counters are incremented in ima_path_check. If the actual open fails, such as ETXTBSY, decrement the counters to prevent unnecessary imbalance messages. Reported-by:
J.R. Okajima <hooanon05@yahoo.co.jp> Signed-off-by:
Mimi Zohar <zohar@us.ibm.com> Signed-off-by:
-
Mimi Zohar authored
Audit the file name, not the template name. Signed-off-by:
-
- Jun 18, 2009
-
-
Li Zefan authored
While walking through the whitelist, if the DEV_ALL item is found, no more check is needed. Signed-off-by:
Li Zefan <lizf@cn.fujitsu.com> Acked-by:
Serge Hallyn <serue@us.ibm.com> Signed-off-by:
Andrew Morton <akpm@linux-foundation.org> Signed-off-by:
Linus Torvalds <torvalds@linux-foundation.org>
-
- Jun 08, 2009
-
-
Tetsuo Handa authored
This patch adds some descriptions of lists and structures. This patch contains no code changes. Signed-off-by:
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by:
-
Tetsuo Handa authored
TOMOYO 2.2.0 is not using total_len field of "struct tomoyo_path_info". Signed-off-by:
-
- Jun 04, 2009
-
-
Mimi Zohar authored
Until we start appraising measurements, the ima_path_check() return code should always be 0. - Update the ima_path_check() return code comment - Instead of the pr_info, audit the dentry_open failure Signed-off-by:
Eric Paris <eparis@redhat.com> Signed-off-by:
-
Tetsuo Handa authored
TOMOYO 2.2.0 does not check argv[] and envp[] upon execve(). We don't need to pass "struct tomoyo_page_buffer". Signed-off-by:
-
Christoph Lameter authored
This patch removes the dependency of mmap_min_addr on CONFIG_SECURITY. It also sets a default mmap_min_addr of 4096. mmapping of addresses below 4096 will only be possible for processes with CAP_SYS_RAWIO. Signed-off-by:
Christoph Lameter <cl@linux-foundation.org> Acked-by:
-
- Jun 03, 2009
-
-
Eric Dumazet authored
Define three accessors to get/set dst attached to a skb struct dst_entry *skb_dst(const struct sk_buff *skb) void skb_dst_set(struct sk_buff *skb, struct dst_entry *dst) void skb_dst_drop(struct sk_buff *skb) This one should replace occurrences of : dst_release(skb->dst) skb->dst = NULL; Delete skb->dst field Signed-off-by:
Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
- Jun 02, 2009
-
-
Tetsuo Handa authored
We can directly assign the result of tomoyo_io_printf() to done flag. Signed-off-by:
Kentaro Takeda <takedakn@nttdata.co.jp> Signed-off-by:
Toshiharu Harada <haradats@nttdata.co.jp> Signed-off-by:
-
Tetsuo Handa authored
Remove '/***** START/STOP *****/' markers. Signed-off-by:
-
Eric Paris authored
Audit trees defined 2 new netlink messages but the netlink mapping tables for selinux permissions were not set up. This patch maps these 2 new operations to AUDIT_WRITE. Signed-off-by:
-
Tetsuo Handa authored
I forgot to remove on TOMOYO's 15th posting. Signed-off-by:
-
Serge E. Hallyn authored
Use task_cred_xxx(task, security) in tomoyo_real_domain() to avoid a get+put of the target cred. Signed-off-by:
-
- May 28, 2009
-
-
Tetsuo Handa authored
We don't need to explicitly initialize to cap_* because it will be filled by security_fixup_ops(). Signed-off-by:
Casey Schaufler <casey@schaufler-ca.com> Signed-off-by:
-
- May 27, 2009
-
-
Tetsuo Handa authored
We don't need to explicitly initialize to cap_* because it will be filled by security_fixup_ops(). Signed-off-by:
-
- May 26, 2009
-
-
Herton Ronaldo Krzesinski authored
cap_bprm_set_creds() has to be called from security_bprm_set_creds(). TOMOYO forgot to call cap_bprm_set_creds() from tomoyo_bprm_set_creds() and suid executables were not being working. Make sure we call cap_bprm_set_creds() with TOMOYO, to set credentials properly inside tomoyo_bprm_set_creds(). Signed-off-by:
Herton Ronaldo Krzesinski <herton@mandriva.com.br> Acked-by:
-
- May 22, 2009
-
-
Roel Kluin authored
Do not go beyond ARRAY_SIZE of data Signed-off-by:
Roel Kluin <roel.kluin@gmail.com> Acked-by:
-
- May 21, 2009
-
-
Mimi Zohar authored
- Add support in ima_path_check() for integrity checking without incrementing the counts. (Required for nfsd.) - rename and export opencount_get to ima_counts_get - replace ima_shm_check calls with ima_counts_get - export ima_path_check Signed-off-by:
-
Eric Paris authored
A number of IMA functions only used during init are not marked with __init. Add those notations so they are freed automatically. Signed-off-by:
-
Eric Paris authored
The IMA TCB policy is dangerous. A normal use can use all of a system's memory (which cannot be freed) simply by building and running lots of executables. The TCB policy is also nearly useless because logging in as root often causes a policy violation when dealing with utmp, thus rendering the measurements meaningless. There is no good fix for this in the kernel. A full TCB policy would need to be loaded in userspace using LSM rule matching to get both a protected and useful system. But, if too little is measured before userspace can load a real policy one again ends up with a meaningless set of measurements. One option would be to put the policy load inside the initrd in order to get it early enough in the boot sequence to be useful, but this runs into trouble with the LSM. For IMA to measure the LSM policy and the LSM policy loading mechanism it needs rules to do so, but we already talked about problems with defaulting to such broad rules.... IMA also depends on the files being measured to be on an FS which implements and supports i_version. Since the only FS with this support (ext4) doesn't even use it by default it seems silly to have any IMA rules by default. This should reduce the performance overhead of IMA to near 0 while still letting users who choose to configure their machine as such to inclue the ima_tcb kernel paramenter and get measurements during boot before they can load a customized, reasonable policy in userspace. Signed-off-by:
-
- May 19, 2009
-
-
Stephen Smalley authored
On Tue, 2009-05-19 at 00:05 -0400, Eamon Walsh wrote: > Recent versions of coreutils have bumped the read buffer size from 4K to > 32K in several of the utilities. > > This means that "cat /selinux/booleans/xserver_object_manager" no longer > works, it returns "Invalid argument" on F11. getsebool works fine. > > sel_read_bool has a check for "count > PAGE_SIZE" that doesn't seem to > be present in the other read functions. Maybe it could be removed? Yes, that check is obsoleted by the conversion of those functions to using simple_read_from_buffer(), which will reduce count if necessary to what is available in the buffer. Signed-off-by:
-
- May 18, 2009
-
-
Eric Paris authored
The selinuxfs superblock magic is used inside the IMA code, but is being defined in two places and could someday get out of sync. This patch moves the declaration into magic.h so it is only done once. Signed-off-by:
-
- May 14, 2009
-
-
Eric Paris authored
The IMA default policy measures every single file opened by root. This is terrible for most users. Consider a system (like mine) with virtual machine images. When those images are touched (which happens at boot for me) those images are measured. This is just way too much for the default case. Signed-off-by:
-
Eric Paris authored
The IMA policy file does not implement read. Trying to just open/read/close the file will load a blank policy and you cannot then change the policy without a reboot. This removes the read permission from the file so one must at least be attempting to write... Signed-off-by:
-
- May 12, 2009
-
-
Eric Paris authored
Both of the securityfs users (TPM and IMA) can call securityfs_remove and pass an IS_ERR(dentry) in their failure paths. This patch handles those rather than panicing when it tries to start deferencing some negative memory. Signed-off-by:
-
Eric Paris authored
If IMA tried to measure a file which was larger than 4G dentry_open would fail with -EOVERFLOW since IMA wasn't passing O_LARGEFILE. This patch passes O_LARGEFILE to all IMA opens to avoid this problem. Signed-off-by:
-
Eric Paris authored
Currently IMA does not handle failures from dentry_open(). This means that we leave a pointer set to ERR_PTR(errno) and then try to use it just a few lines later in fput(). Oops. Signed-off-by:
-
Eric Paris authored
Proper invocation of the current credentials is to use current_cred() not current->cred. This patches makes IMA use the new method. Signed-off-by:
-
- May 09, 2009
-
-
Al Viro authored
... use kern_path() where possible [folded a fix from rdd] Signed-off-by:Al Viro <viro@zeniv.linux.org.uk>
-
- May 06, 2009
-
-
Mimi Zohar authored
Remove integrity audit messages from __setup() Signed-off-by:
-
Mimi Zohar authored
Based on a request from Eric Paris to simplify parsing, replace audit_log_format statements containing "%s" with audit_log_string(). Signed-off-by:
-
Mimi Zohar authored
An audit subsystem change replaced AUDIT_EQUAL with Audit_equal. Update calls to security_filter_rule_init()/match() to reflect the change. Signed-off-by:
-
- May 04, 2009
-
-
Stephen Smalley authored
The CRED patch incorrectly converted the SELinux send_sigiotask hook to use the current task SID rather than the target task SID in its permission check, yielding the wrong permission check. This fixes the hook function. Detected by the ltp selinux testsuite and confirmed to correct the test failure. Signed-off-by:
-
- Apr 29, 2009
-
-
Oleg Nesterov authored
We shouldn't worry about the tracer if current is ptraced, exec() must not succeed if the tracer has no rights to trace this task after cred changing. But we should notify ->real_parent which is, well, real parent. Also, we don't need _irq to take tasklist, and we don't need parent's ->siglock to wake_up_interruptible(real_parent->signal->wait_chldexit). Since we hold tasklist, real_parent->signal must be stable. Otherwise spin_lock(siglock) is not safe too and can't help anyway. Signed-off-by:
Oleg Nesterov <oleg@redhat.com> Signed-off-by:
-
David Howells authored
Don't flush inherited SIGKILL during execve() in SELinux's post cred commit hook. This isn't really a security problem: if the SIGKILL came before the credentials were changed, then we were right to receive it at the time, and should honour it; if it came after the creds were changed, then we definitely should honour it; and in any case, all that will happen is that the process will be scrapped before it ever returns to userspace. Signed-off-by:
David Howells <dhowells@redhat.com> Signed-off-by:
-
Eric Paris authored
We are still calling secondary_ops->sysctl even though the capabilities module does not define a sysctl operation. Signed-off-by:
-
- Apr 18, 2009
-
-
Etienne Basset authored
the following patch moves checks for SMACK xattr validity from smack_inode_post_setxattr (which cannot return an error to the user) to smack_inode_setxattr (which can return an error). Signed-off-by:
Etienne Basset <etienne.basset@numericable.fr> Acked-by:
-
- Apr 15, 2009
-
-
Jiri Pirko authored
Use previously introduced list_entry_rcu instead of an open-coded list_entry + rcu_dereference combination. Signed-off-by:
Jiri Pirko <jpirko@redhat.com> Reviewed-by:
Paul E. McKenney <paulmck@linux.vnet.ibm.com> Cc: dipankar@in.ibm.com LKML-Reference: <20090414181715.GA3634@psychotron.englab.brq.redhat.com> Signed-off-by:
Ingo Molnar <mingo@elte.hu>
-
