<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux.git/security/selinux/include, branch master</title>
<subtitle>Linux Kernel</subtitle>
<id>https://git.etezian.org/cgit.cgi/linux.git/atom?h=master</id>
<link rel='self' href='https://git.etezian.org/cgit.cgi/linux.git/atom?h=master'/>
<link rel='alternate' type='text/html' href='https://git.etezian.org/cgit.cgi/linux.git/'/>
<updated>2016-12-21T15:39:25+00:00</updated>
<entry>
<title>selinux: use the kernel headers when building scripts/selinux</title>
<updated>2016-12-21T15:39:25+00:00</updated>
<author>
<name>Paul Moore</name>
<email>paul@paul-moore.com</email>
</author>
<published>2016-12-21T15:39:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.etezian.org/cgit.cgi/linux.git/commit/?id=bfc5e3a6af397dcf9c99a6c1872458e7867c4680'/>
<id>urn:sha1:bfc5e3a6af397dcf9c99a6c1872458e7867c4680</id>
<content type='text'>
Commit 3322d0d64f4e ("selinux: keep SELinux in sync with new capability
definitions") added a check on the defined capabilities without
explicitly including the capability header file which caused problems
when building genheaders for users of clang/llvm.  Resolve this by
using the kernel headers when building genheaders, which is arguably
the right thing to do regardless, and explicitly including the
kernel's capability.h header file in classmap.h.  We also update the
mdp build; even though it wasn't causing an error, we really should
be using the headers from the kernel we are building.

Reported-by: Nicolas Iooss &lt;nicolas.iooss@m4x.org&gt;
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;</content>
</entry>
<entry>
<title>selinux: Convert isec-&gt;lock into a spinlock</title>
<updated>2016-11-22T22:44:02+00:00</updated>
<author>
<name>Andreas Gruenbacher</name>
<email>agruenba@redhat.com</email>
</author>
<published>2016-11-15T10:06:40+00:00</published>
<link rel='alternate' type='text/html' href='https://git.etezian.org/cgit.cgi/linux.git/commit/?id=9287aed2ad1ff1bde5eb190bcd6dccd5f1cf47d3'/>
<id>urn:sha1:9287aed2ad1ff1bde5eb190bcd6dccd5f1cf47d3</id>
<content type='text'>
Convert isec-&gt;lock from a mutex into a spinlock.  Instead of holding
the lock while sleeping in inode_doinit_with_dentry, set
isec-&gt;initialized to LABEL_PENDING and release the lock.  Then, when
the sid has been determined, re-acquire the lock.  If isec-&gt;initialized
is still set to LABEL_PENDING, set isec-&gt;sid; otherwise, the sid has
been set by another task (LABEL_INITIALIZED) or invalidated
(LABEL_INVALID) in the meantime.

This fixes a deadlock on gfs2 where

 * one task is in inode_doinit_with_dentry -&gt; gfs2_getxattr, holds
   isec-&gt;lock, and tries to acquire the inode's glock, and

 * another task is in do_xmote -&gt; inode_go_inval -&gt;
   selinux_inode_invalidate_secctx, holds the inode's glock, and
   tries to acquire isec-&gt;lock.

Signed-off-by: Andreas Gruenbacher &lt;agruenba@redhat.com&gt;
[PM: minor tweaks to keep checkpatch.pl happy]
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</content>
</entry>
<entry>
<title>selinux: keep SELinux in sync with new capability definitions</title>
<updated>2016-11-21T20:37:24+00:00</updated>
<author>
<name>Stephen Smalley</name>
<email>sds@tycho.nsa.gov</email>
</author>
<published>2016-11-18T15:23:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.etezian.org/cgit.cgi/linux.git/commit/?id=3322d0d64f4e942862a152f6f11137a1f5eac2e9'/>
<id>urn:sha1:3322d0d64f4e942862a152f6f11137a1f5eac2e9</id>
<content type='text'>
When a new capability is defined, SELinux needs to be updated.
Trigger a build error if a new capability is defined without
corresponding update to security/selinux/include/classmap.h's
COMMON_CAP2_PERMS.  This is similar to BUILD_BUG_ON() guards
in the SELinux nlmsgtab code to ensure that SELinux tracks
new netlink message types as needed.

Note that there is already a similar build guard in
security/selinux/hooks.c to detect when more than 64
capabilities are defined, since that will require adding
a third capability class to SELinux.

A nicer way to do this would be to extend scripts/selinux/genheaders
or a similar tool to auto-generate the necessary definitions and code
for SELinux capability checking from include/uapi/linux/capability.h.
AppArmor does something similar in its Makefile, although it only
needs to generate a single table of names.  That is left as future
work.

Signed-off-by: Stephen Smalley &lt;sds@tycho.nsa.gov&gt;
[PM: reformat the description to keep checkpatch.pl happy]
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</content>
</entry>
<entry>
<title>selinux: drop SECURITY_SELINUX_POLICYDB_VERSION_MAX</title>
<updated>2016-08-19T00:01:15+00:00</updated>
<author>
<name>William Roberts</name>
<email>william.c.roberts@intel.com</email>
</author>
<published>2016-08-15T19:42:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.etezian.org/cgit.cgi/linux.git/commit/?id=348a0db9e69e4c214bf5d7677f17cb99cdc47db0'/>
<id>urn:sha1:348a0db9e69e4c214bf5d7677f17cb99cdc47db0</id>
<content type='text'>
Remove the SECURITY_SELINUX_POLICYDB_VERSION_MAX Kconfig option

Per: https://github.com/SELinuxProject/selinux/wiki/Kernel-Todo

This was only needed on Fedora 3 and 4 and just causes issues now,
so drop it.

The MAX and MIN should just be whatever the kernel can support.

Signed-off-by: William Roberts &lt;william.c.roberts@intel.com&gt;
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</content>
</entry>
<entry>
<title>netlabel: Pass a family parameter to netlbl_skbuff_err().</title>
<updated>2016-06-27T19:06:16+00:00</updated>
<author>
<name>Huw Davies</name>
<email>huw@codeweavers.com</email>
</author>
<published>2016-06-27T19:06:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.etezian.org/cgit.cgi/linux.git/commit/?id=a04e71f631fa3d2fd2aa0404c11484739d1e9073'/>
<id>urn:sha1:a04e71f631fa3d2fd2aa0404c11484739d1e9073</id>
<content type='text'>
This makes it possible to route the error to the appropriate
labelling engine.  CALIPSO is far less verbose than CIPSO
when encountering a bogus packet, so there is no need for a
CALIPSO error handler.

Signed-off-by: Huw Davies &lt;huw@codeweavers.com&gt;
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</content>
</entry>
<entry>
<title>selinux: distinguish non-init user namespace capability checks</title>
<updated>2016-04-26T19:41:43+00:00</updated>
<author>
<name>Stephen Smalley</name>
<email>sds@tycho.nsa.gov</email>
</author>
<published>2016-04-08T17:52:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.etezian.org/cgit.cgi/linux.git/commit/?id=8e4ff6f228e4722cac74db716e308d1da33d744f'/>
<id>urn:sha1:8e4ff6f228e4722cac74db716e308d1da33d744f</id>
<content type='text'>
Distinguish capability checks against a target associated
with the init user namespace versus capability checks against
a target associated with a non-init user namespace by defining
and using separate security classes for the latter.

This is needed to support e.g. Chrome usage of user namespaces
for the Chrome sandbox without needing to allow Chrome to also
exercise capabilities on targets in the init user namespace.

Suggested-by: Dan Walsh &lt;dwalsh@redhat.com&gt;
Signed-off-by: Stephen Smalley &lt;sds@tycho.nsa.gov&gt;
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</content>
</entry>
<entry>
<title>selinux: Change bool variable name to index.</title>
<updated>2016-04-14T15:24:50+00:00</updated>
<author>
<name>Prarit Bhargava</name>
<email>prarit@redhat.com</email>
</author>
<published>2016-04-14T14:40:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.etezian.org/cgit.cgi/linux.git/commit/?id=0fd71a620be8648486a126fccadf9f7c2a818676'/>
<id>urn:sha1:0fd71a620be8648486a126fccadf9f7c2a818676</id>
<content type='text'>
security_get_bool_value(int bool) argument "bool" conflicts with
in-kernel macros such as BUILD_BUG().  This patch changes this to
index which isn't a type.

Cc: Paul Moore &lt;paul@paul-moore.com&gt;
Cc: Stephen Smalley &lt;sds@tycho.nsa.gov&gt;
Cc: Eric Paris &lt;eparis@parisplace.org&gt;
Cc: James Morris &lt;james.l.morris@oracle.com&gt;
Cc: "Serge E. Hallyn" &lt;serge@hallyn.com&gt;
Cc: Rasmus Villemoes &lt;linux@rasmusvillemoes.dk&gt;
Cc: Andrew Perepechko &lt;anserper@ya.ru&gt;
Cc: Jeff Vander Stoep &lt;jeffv@google.com&gt;
Cc: selinux@tycho.nsa.gov
Cc: Eric Paris &lt;eparis@redhat.com&gt;
Cc: Paul Moore &lt;pmoore@redhat.com&gt;
Cc: David Howells &lt;dhowells@redhat.com&gt;
Signed-off-by: Prarit Bhargava &lt;prarit@redhat.com&gt;
Acked-by: David Howells &lt;dhowells@redhat.com&gt;
[PM: wrapped description for checkpatch.pl, use "selinux:..." as subj]
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</content>
</entry>
<entry>
<title>selinux: restrict kernel module loading</title>
<updated>2016-04-05T20:11:56+00:00</updated>
<author>
<name>Jeff Vander Stoep</name>
<email>jeffv@google.com</email>
</author>
<published>2016-04-05T20:06:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.etezian.org/cgit.cgi/linux.git/commit/?id=61d612ea731e57dc510472fb746b55cdc017f371'/>
<id>urn:sha1:61d612ea731e57dc510472fb746b55cdc017f371</id>
<content type='text'>
Utilize existing kernel_read_file hook on kernel module load.
Add module_load permission to the system class.

Enforces restrictions on kernel module origin when calling the
finit_module syscall. The hook checks that source type has
permission module_load for the target type.
Example for finit_module:

allow foo bar_file:system module_load;

Similarly, restrictions are enforced on kernel module loading when
calling the init_module syscall. The hook checks that the source
type has permission module_load with itself as the target object
because the kernel module is sourced from the calling process.
Example for init_module:

allow foo foo:system module_load;

Signed-off-by: Jeff Vander Stoep &lt;jeffv@google.com&gt;
[PM: fixed return value of selinux_kernel_read_file()]
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</content>
</entry>
<entry>
<title>selinux: simplify inode label states to INVALID and INITIALIZED</title>
<updated>2016-04-05T20:10:55+00:00</updated>
<author>
<name>Paul Moore</name>
<email>paul@paul-moore.com</email>
</author>
<published>2016-03-28T19:16:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.etezian.org/cgit.cgi/linux.git/commit/?id=4b57d6bcd94034e2eb168bdec2474e3b2b848e44'/>
<id>urn:sha1:4b57d6bcd94034e2eb168bdec2474e3b2b848e44</id>
<content type='text'>
There really is no need for LABEL_MISSING as we really only care if
the inode's label is INVALID or INITIALIZED.  Also adjust the
revalidate code to reload the label whenever the label is not
INITIALIZED so we are less sensitive to label state in the future.

Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</content>
</entry>
<entry>
<title>selinux: export validatetrans decisions</title>
<updated>2015-12-24T16:09:41+00:00</updated>
<author>
<name>Andrew Perepechko</name>
<email>anserper@ya.ru</email>
</author>
<published>2015-12-24T16:09:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.etezian.org/cgit.cgi/linux.git/commit/?id=f9df6458218f4fe8a1c3bf0af89c1fa9eaf0db39'/>
<id>urn:sha1:f9df6458218f4fe8a1c3bf0af89c1fa9eaf0db39</id>
<content type='text'>
Make validatetrans decisions available through selinuxfs.
"/validatetrans" is added to selinuxfs for this purpose.
This functionality is needed by file system servers
implemented in userspace or kernelspace without the VFS
layer.

Writing "$oldcontext $newcontext $tclass $taskcontext"
to /validatetrans is expected to return 0 if the transition
is allowed and -EPERM otherwise.

Signed-off-by: Andrew Perepechko &lt;anserper@ya.ru&gt;
CC: andrew.perepechko@seagate.com
Acked-by: Stephen Smalley &lt;sds@tycho.nsa.gov&gt;
Signed-off-by: Paul Moore &lt;pmoore@redhat.com&gt;
</content>
</entry>
</feed>
