1. 28 Mar, 2016 1 commit
  2. 19 Feb, 2016 1 commit
  3. 27 Jan, 2016 1 commit
  4. 08 Jan, 2016 1 commit
  5. 24 Dec, 2015 7 commits
  6. 09 Nov, 2015 1 commit
  7. 05 Nov, 2015 1 commit
  8. 21 Oct, 2015 5 commits
  9. 16 Oct, 2015 1 commit
  10. 11 Oct, 2015 1 commit
  11. 18 Sep, 2015 1 commit
  12. 04 Sep, 2015 1 commit
    • Kees Cook's avatar
      fs: create and use seq_show_option for escaping · a068acf2
      Kees Cook authored
      Many file systems that implement the show_options hook fail to correctly
      escape their output which could lead to unescaped characters (e.g.  new
      lines) leaking into /proc/mounts and /proc/[pid]/mountinfo files.  This
      could lead to confusion, spoofed entries (resulting in things like
      systemd issuing false d-bus "mount" notifications), and who knows what
      else.  This looks like it would only be the root user stepping on
      themselves, but it's possible weird things could happen in containers or
      in other situations with delegated mount privileges.
      Here's an example using overlay with setuid fusermount trusting the
      contents of /proc/mounts (via the /etc/mtab symlink).  Imagine the use
      of "sudo" is something more sneaky:
        $ BASE="ovl"
        $ MNT="$BASE/mnt"
        $ LOW="$BASE/lower"
        $ UP="$BASE/upper"
        $ WORK="$BASE/work/ 0 0
        none /proc fuse.pwn user_id=1000"
        $ mkdir -p "$LOW" "$UP" "$WORK"
        $ sudo mount -t overlay -o "lowerdir=$LOW,upperdir=$UP,workdir=$WORK" none /mnt
        $ cat /proc/mounts
        none /root/ovl/mnt overlay rw,relatime,lowerdir=ovl/lower,upperdir=ovl/upper,workdir=ovl/work/ 0 0
        none /proc fuse.pwn user_id=1000 0 0
        $ fusermount -u /proc
        $ cat /proc/mounts
        cat: /proc/mounts: No such file or directory
      This fixes the problem by adding new seq_show_option and
      seq_show_option_n helpers, and updating the vulnerable show_option
      handlers to use them as needed.  Some, like SELinux, need to be open
      coded due to unusual existing escape mechanisms.
      [akpm@linux-foundation.org: add lost chunk, per Kees]
      [keescook@chromium.org: seq_show_option should be using const parameters]
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Acked-by: default avatarSerge Hallyn <serge.hallyn@canonical.com>
      Acked-by: default avatarJan Kara <jack@suse.com>
      Acked-by: default avatarPaul Moore <paul@paul-moore.com>
      Cc: J. R. Okajima <hooanon05g@gmail.com>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
  13. 13 Jul, 2015 4 commits
    • David Howells's avatar
      selinux: Create a common helper to determine an inode label [ver #3] · c3c188b2
      David Howells authored
      Create a common helper function to determine the label for a new inode.
      This is then used by:
      	- may_create()
      	- selinux_dentry_init_security()
      	- selinux_inode_init_security()
      This will change the behaviour of the functions slightly, bringing them
      all into line.
      Suggested-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Acked-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
    • Stephen Smalley's avatar
      selinux: initialize sock security class to default value · 5dee25d0
      Stephen Smalley authored
      Initialize the security class of sock security structures
      to the generic socket class.  This is similar to what is
      already done in inode_alloc_security for files.  Generally
      the sclass field will later by set by socket_post_create
      or sk_clone or sock_graft, but for protocol implementations
      that fail to call any of these for newly accepted sockets,
      we want some sane default that will yield a legitimate
      avc denied message with non-garbage values for class and
      Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
    • Waiman Long's avatar
      selinux: reduce locking overhead in inode_free_security() · 9629d04a
      Waiman Long authored
      The inode_free_security() function just took the superblock's isec_lock
      before checking and trying to remove the inode security struct from the
      linked list. In many cases, the list was empty and so the lock taking
      is wasteful as no useful work is done. On multi-socket systems with
      a large number of CPUs, there can also be a fair amount of spinlock
      contention on the isec_lock if many tasks are exiting at the same time.
      This patch changes the code to check the state of the list first before
      taking the lock and attempting to dequeue it. The list_del_init()
      can be called more than once on the same list with no harm as long
      as they are properly serialized. It should not be possible to have
      inode_free_security() called concurrently with list_add(). For better
      safety, however, we use list_empty_careful() here even though it is
      still not completely safe in case that happens.
      Signed-off-by: default avatarWaiman Long <Waiman.Long@hp.com>
      Acked-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
    • Jeff Vander Stoep's avatar
      selinux: extended permissions for ioctls · fa1aa143
      Jeff Vander Stoep authored
      Add extended permissions logic to selinux. Extended permissions
      provides additional permissions in 256 bit increments. Extend the
      generic ioctl permission check to use the extended permissions for
      per-command filtering. Source/target/class sets including the ioctl
      permission may additionally include a set of commands. Example:
      allowxperm <source> <target>:<class> ioctl unpriv_app_socket_cmds
      auditallowxperm <source> <target>:<class> ioctl priv_gpu_cmds
      Where unpriv_app_socket_cmds and priv_gpu_cmds are macros
      representing commonly granted sets of ioctl commands.
      When ioctl commands are omitted only the permissions are checked.
      This feature is intended to provide finer granularity for the ioctl
      permission that may be too imprecise. For example, the same driver
      may use ioctls to provide important and benign functionality such as
      driver version or socket type as well as dangerous capabilities such
      as debugging features, read/write/execute to physical memory or
      access to sensitive data. Per-command filtering provides a mechanism
      to reduce the attack surface of the kernel, and limit applications
      to the subset of commands required.
      The format of the policy binary has been modified to include ioctl
      commands, and the policy version number has been incremented to
      POLICYDB_VERSION_XPERMS_IOCTL=30 to account for the format
      The extended permissions logic is deliberately generic to allow
      components to be reused e.g. netlink filters
      Signed-off-by: default avatarJeff Vander Stoep <jeffv@google.com>
      Acked-by: default avatarNick Kralevich <nnk@google.com>
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
  14. 10 Jul, 2015 1 commit
    • Stephen Smalley's avatar
      selinux: fix mprotect PROT_EXEC regression caused by mm change · 892e8cac
      Stephen Smalley authored
      commit 66fc1303
       ("mm: shmem_zero_setup
      skip security check and lockdep conflict with XFS") caused a regression
      for SELinux by disabling any SELinux checking of mprotect PROT_EXEC on
      shared anonymous mappings.  However, even before that regression, the
      checking on such mprotect PROT_EXEC calls was inconsistent with the
      checking on a mmap PROT_EXEC call for a shared anonymous mapping.  On a
      mmap, the security hook is passed a NULL file and knows it is dealing
      with an anonymous mapping and therefore applies an execmem check and no
      file checks.  On a mprotect, the security hook is passed a vma with a
      non-NULL vm_file (as this was set from the internally-created shmem
      file during mmap) and therefore applies the file-based execute check
      and no execmem check.  Since the aforementioned commit now marks the
      shmem zero inode with the S_PRIVATE flag, the file checks are disabled
      and we have no checking at all on mprotect PROT_EXEC.  Add a test to
      the mprotect hook logic for such private inodes, and apply an execmem
      check in that case.  This makes the mmap and mprotect checking
      consistent for shared anonymous mappings, as well as for /dev/zero and
      Cc: <stable@vger.kernel.org> # 4.1.x
      Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
  15. 05 Jun, 2015 1 commit
    • J. Bruce Fields's avatar
      selinux: fix setting of security labels on NFS · 9fc2b4b4
      J. Bruce Fields authored
      Before calling into the filesystem, vfs_setxattr calls
      security_inode_setxattr, which ends up calling selinux_inode_setxattr in
      our case.  That returns -EOPNOTSUPP whenever SBLABEL_MNT is not set.
      SBLABEL_MNT was supposed to be set by sb_finish_set_opts, which sets it
      only if selinux_is_sblabel_mnt returns true.
      The selinux_is_sblabel_mnt logic was broken by eadcabc6 "SELinux: do
      all flags twiddling in one place", which didn't take into the account
      the SECURITY_FS_USE_NATIVE behavior that had been introduced for nfs
      with eb9ae686
       "SELinux: Add new labeling type native labels".
      This caused setxattr's of security labels over NFSv4.2 to fail.
      Cc: stable@kernel.org # 3.13
      Cc: Eric Paris <eparis@redhat.com>
      Cc: David Quigley <dpquigl@davequigley.com>
      Reported-by: default avatarRichard Chan <rc556677@outlook.com>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      Acked-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      [PM: added the stable dependency]
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
  16. 04 Jun, 2015 5 commits
    • Stephen Smalley's avatar
      selinux: enable genfscon labeling for sysfs and pstore files · 8e014720
      Stephen Smalley authored
      Support per-file labeling of sysfs and pstore files based on
      genfscon policy entries.  This is safe because the sysfs
      and pstore directory tree cannot be manipulated by userspace,
      except to unlink pstore entries.
      This provides an alternative method of assigning per-file labeling
      to sysfs or pstore files without needing to set the labels from
      userspace on each boot.  The advantages of this approach are that
      the labels are assigned as soon as the dentry is first instantiated
      and userspace does not need to walk the sysfs or pstore tree and
      set the labels on each boot.  The limitations of this approach are
      that the labels can only be assigned based on pathname prefix matching.
      You can initially assign labels using this mechanism and then change
      them at runtime via setxattr if allowed to do so by policy.
      Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Suggested-by: default avatarDominick Grift <dac.override@gmail.com>
      Acked-by: default avatarJeff Vander Stoep <jeffv@google.com>
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
    • Stephen Smalley's avatar
      selinux: enable per-file labeling for debugfs files. · 134509d5
      Stephen Smalley authored
      Add support for per-file labeling of debugfs files so that
      we can distinguish them in policy.  This is particularly
      important in Android where certain debugfs files have to be writable
      by apps and therefore the debugfs directory tree can be read and
      searched by all.
      Since debugfs is entirely kernel-generated, the directory tree is
      immutable by userspace, and the inodes are pinned in memory, we can
      simply use the same approach as with proc and label the inodes from
      policy based on pathname from the root of the debugfs filesystem.
      Generalize the existing labeling support used for proc and reuse it
      for debugfs too.
      Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
    • Stephen Smalley's avatar
      selinux: update netlink socket classes · 6c6d2e9b
      Stephen Smalley authored
      Update the set of SELinux netlink socket class definitions to match
      the set of netlink protocols implemented by the kernel.  The
      ip_queue implementation for the NETLINK_FIREWALL and NETLINK_IP6_FW protocols
      was removed in d16cf20e, so we can remove
      the corresponding class definitions as this is dead code.  Add new
      and NETLINK_CRYPTO so that we can distinguish among sockets created
      for each of these protocols.  This change does not define the finer-grained
      nlsmsg_read/write permissions or map specific nlmsg_type values to those
      permissions in the SELinux nlmsgtab; if finer-grained control of these
      sockets is desired/required, that can be added as a follow-on change.
      We do not define a SELinux class for NETLINK_ECRYPTFS as the implementation
      was removed in 624ae528
      Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
    • Oleg Nesterov's avatar
      signals: don't abuse __flush_signals() in selinux_bprm_committed_creds() · 9e7c8f8c
      Oleg Nesterov authored
      selinux_bprm_committed_creds()->__flush_signals() is not right, we
      shouldn't clear TIF_SIGPENDING unconditionally. There can be other
      reasons for signal_pending(): freezing(), JOBCTL_PENDING_MASK, and
      potentially more.
      Also change this code to check fatal_signal_pending() rather than
      SIGNAL_GROUP_EXIT, it looks a bit better.
      Now we can kill __flush_signals() before it finds another buggy user.
      Note: this code looks racy, we can flush a signal which was sent after
      the task SID has been updated.
      Signed-off-by: default avatarOleg Nesterov <oleg@redhat.com>
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
    • Marek Milkovic's avatar
      selinux: Print 'sclass' as string when unrecognized netlink message occurs · cded3fff
      Marek Milkovic authored
      This prints the 'sclass' field as string instead of index in unrecognized netlink message.
      The textual representation makes it easier to distinguish the right class.
      Signed-off-by: default avatarMarek Milkovic <mmilkovi@redhat.com>
      Acked-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      [PM: 80-char width fixes]
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
  17. 12 May, 2015 3 commits
  18. 11 May, 2015 3 commits
  19. 15 Apr, 2015 1 commit