1. 02 Aug, 2010 1 commit
  2. 27 Apr, 2010 1 commit
  3. 05 Feb, 2010 1 commit
  4. 02 Feb, 2010 1 commit
  5. 17 Jan, 2010 1 commit
    • Stephen Smalley's avatar
      selinux: change the handling of unknown classes · 19439d05
      Stephen Smalley authored
      
      
      If allow_unknown==deny, SELinux treats an undefined kernel security
      class as an error condition rather than as a typical permission denial
      and thus does not allow permissions on undefined classes even when in
      permissive mode.  Change the SELinux logic so that this case is handled
      as a typical permission denial, subject to the usual permissive mode and
      permissive domain handling.
      
      Also drop the 'requested' argument from security_compute_av() and
      helpers as it is a legacy of the original security server interface and
      is unused.
      
      Changes:
      - Handle permissive domains consistently by moving up the test for a
      permissive domain.
      - Make security_compute_av_user() consistent with security_compute_av();
      the only difference now is that security_compute_av() performs mapping
      between the kernel-private class and permission indices and the policy
      values.  In the userspace case, this mapping is handled by libselinux.
      - Moved avd_init inside the policy lock.
      
      Based in part on a patch by Paul Moore <paul.moore@hp.com>.
      Reported-by: default avatarAndrew Worsley <amworsley@gmail.com>
      Signed-off-by: default avatarStephen D. Smalley <sds@tycho.nsa.gov>
      Reviewed-by: default avatarPaul Moore <paul.moore@hp.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      19439d05
  6. 24 Nov, 2009 1 commit
    • Eric Paris's avatar
      SELinux: print denials for buggy kernel with unknown perms · 0bce9527
      Eric Paris authored
      
      
      Historically we've seen cases where permissions are requested for classes
      where they do not exist.  In particular we have seen CIFS forget to set
      i_mode to indicate it is a directory so when we later check something like
      remove_name we have problems since it wasn't defined in tclass file.  This
      used to result in a avc which included the permission 0x2000 or something.
      Currently the kernel will deny the operations (good thing) but will not
      print ANY information (bad thing).  First the auditdeny field is no
      extended to include unknown permissions.  After that is fixed the logic in
      avc_dump_query to output this information isn't right since it will remove
      the permission from the av and print the phrase "<NULL>".  This takes us
      back to the behavior before the classmap rewrite.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      0bce9527
  7. 07 Oct, 2009 1 commit
    • Stephen Smalley's avatar
      selinux: dynamic class/perm discovery · c6d3aaa4
      Stephen Smalley authored
      
      
      Modify SELinux to dynamically discover class and permission values
      upon policy load, based on the dynamic object class/perm discovery
      logic from libselinux.  A mapping is created between kernel-private
      class and permission indices used outside the security server and the
      policy values used within the security server.
      
      The mappings are only applied upon kernel-internal computations;
      similar mappings for the private indices of userspace object managers
      is handled on a per-object manager basis by the userspace AVC.  The
      interfaces for compute_av and transition_sid are split for kernel
      vs. userspace; the userspace functions are distinguished by a _user
      suffix.
      
      The kernel-private class indices are no longer tied to the policy
      values and thus do not need to skip indices for userspace classes;
      thus the kernel class index values are compressed.  The flask.h
      definitions were regenerated by deleting the userspace classes from
      refpolicy's definitions and then regenerating the headers.  Going
      forward, we can just maintain the flask.h, av_permissions.h, and
      classmap.h definitions separately from policy as they are no longer
      tied to the policy values.  The next patch introduces a utility to
      automate generation of flask.h and av_permissions.h from the
      classmap.h definitions.
      
      The older kernel class and permission string tables are removed and
      replaced by a single security class mapping table that is walked at
      policy load to generate the mapping.  The old kernel class validation
      logic is completely replaced by the mapping logic.
      
      The handle unknown logic is reworked.  reject_unknown=1 is handled
      when the mappings are computed at policy load time, similar to the old
      handling by the class validation logic.  allow_unknown=1 is handled
      when computing and mapping decisions - if the permission was not able
      to be mapped (i.e. undefined, mapped to zero), then it is
      automatically added to the allowed vector.  If the class was not able
      to be mapped (i.e. undefined, mapped to zero), then all permissions
      are allowed for it if allow_unknown=1.
      
      avc_audit leverages the new security class mapping table to lookup the
      class and permission names from the kernel-private indices.
      
      The mdp program is updated to use the new table when generating the
      class definitions and allow rules for a minimal boot policy for the
      kernel.  It should be noted that this policy will not include any
      userspace classes, nor will its policy index values for the kernel
      classes correspond with the ones in refpolicy (they will instead match
      the kernel-private indices).
      Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      c6d3aaa4
  8. 23 Sep, 2009 1 commit
    • Eric Paris's avatar
      SELinux: do not destroy the avc_cache_nodep · 5224ee08
      Eric Paris authored
      
      
      The security_ops reset done when SELinux is disabled at run time is done
      after the avc cache is freed and after the kmem_cache for the avc is also
      freed.  This means that between the time the selinux disable code destroys
      the avc_node_cachep another process could make a security request and could
      try to allocate from the cache.  We are just going to leave the cachep around,
      like we always have.
      
      SELinux:  Disabled at runtime.
      BUG: unable to handle kernel NULL pointer dereference at (null)
      IP: [<ffffffff81122537>] kmem_cache_alloc+0x9a/0x185
      PGD 0
      Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
      last sysfs file:
      CPU 1
      Modules linked in:
      Pid: 12, comm: khelper Not tainted 2.6.31-tip-05525-g0eeacc6-dirty #14819
      System Product Name
      RIP: 0010:[<ffffffff81122537>]  [<ffffffff81122537>]
      kmem_cache_alloc+0x9a/0x185
      RSP: 0018:ffff88003f9258b0  EFLAGS: 00010086
      RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000078c0129e
      RDX: 0000000000000000 RSI: ffffffff8130b626 RDI: ffffffff81122528
      RBP: ffff88003f925900 R08: 0000000078c0129e R09: 0000000000000001
      R10: 0000000000000000 R11: 0000000078c0129e R12: 0000000000000246
      R13: 0000000000008020 R14: ffff88003f8586d8 R15: 0000000000000001
      FS:  0000000000000000(0000) GS:ffff880002b00000(0000)
      knlGS:0000000000000000
      CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
      CR2: 0000000000000000 CR3: 0000000001001000 CR4: 00000000000006e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: ffffffff827bd420 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      Process khelper (pid: 12, threadinfo ffff88003f924000, task
      ffff88003f928000)
      Stack:
       0000000000000246 0000802000000246 ffffffff8130b626 0000000000000001
      <0> 0000000078c0129e 0000000000000000 ffff88003f925a70 0000000000000002
      <0> 0000000000000001 0000000000000001 ffff88003f925960 ffffffff8130b626
      Call Trace:
       [<ffffffff8130b626>] ? avc_alloc_node+0x36/0x273
       [<ffffffff8130b626>] avc_alloc_node+0x36/0x273
       [<ffffffff8130b545>] ? avc_latest_notif_update+0x7d/0x9e
       [<ffffffff8130b8b4>] avc_insert+0x51/0x18d
       [<ffffffff8130bcce>] avc_has_perm_noaudit+0x9d/0x128
       [<ffffffff8130bf20>] avc_has_perm+0x45/0x88
       [<ffffffff8130f99d>] current_has_perm+0x52/0x6d
       [<ffffffff8130fbb2>] selinux_task_create+0x2f/0x45
       [<ffffffff81303bf7>] security_task_create+0x29/0x3f
       [<ffffffff8105c6ba>] copy_process+0x82/0xdf0
       [<ffffffff81091578>] ? register_lock_class+0x2f/0x36c
       [<ffffffff81091a13>] ? mark_lock+0x2e/0x1e1
       [<ffffffff8105d596>] do_fork+0x16e/0x382
       [<ffffffff81091578>] ? register_lock_class+0x2f/0x36c
       [<ffffffff810d9166>] ? probe_workqueue_execution+0x57/0xf9
       [<ffffffff81091a13>] ? mark_lock+0x2e/0x1e1
       [<ffffffff810d9166>] ? probe_workqueue_execution+0x57/0xf9
       [<ffffffff8100cdb2>] kernel_thread+0x82/0xe0
       [<ffffffff81078b1f>] ? ____call_usermodehelper+0x0/0x139
       [<ffffffff8100ce10>] ? child_rip+0x0/0x20
       [<ffffffff81078aea>] ? __call_usermodehelper+0x65/0x9a
       [<ffffffff8107a5c7>] run_workqueue+0x171/0x27e
       [<ffffffff8107a573>] ? run_workqueue+0x11d/0x27e
       [<ffffffff81078a85>] ? __call_usermodehelper+0x0/0x9a
       [<ffffffff8107a7bc>] worker_thread+0xe8/0x10f
       [<ffffffff810808e2>] ? autoremove_wake_function+0x0/0x63
       [<ffffffff8107a6d4>] ? worker_thread+0x0/0x10f
       [<ffffffff8108042e>] kthread+0x91/0x99
       [<ffffffff8100ce1a>] child_rip+0xa/0x20
       [<ffffffff8100c754>] ? restore_args+0x0/0x30
       [<ffffffff8108039d>] ? kthread+0x0/0x99
       [<ffffffff8100ce10>] ? child_rip+0x0/0x20
      Code: 0f 85 99 00 00 00 9c 58 66 66 90 66 90 49 89 c4 fa 66 66 90 66 66 90
      e8 83 34 fb ff e8 d7 e9 26 00 48 98 49 8b 94 c6 10 01 00 00 <48> 8b 1a 44
      8b 7a 18 48 85 db 74 0f 8b 42 14 48 8b 04 c3 ff 42
      RIP  [<ffffffff81122537>] kmem_cache_alloc+0x9a/0x185
       RSP <ffff88003f9258b0>
      CR2: 0000000000000000
      ---[ end trace 42f41a982344e606 ]---
      Reported-by: default avatarIngo Molnar <mingo@elte.hu>
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      5224ee08
  9. 14 Sep, 2009 2 commits
  10. 16 Aug, 2009 1 commit
    • Thomas Liu's avatar
      SELinux: Convert avc_audit to use lsm_audit.h · 2bf49690
      Thomas Liu authored
      
      
      Convert avc_audit in security/selinux/avc.c to use lsm_audit.h,
      for better maintainability.
      
       - changed selinux to use common_audit_data instead of
          avc_audit_data
       - eliminated code in avc.c and used code from lsm_audit.h instead.
      
      Had to add a LSM_AUDIT_NO_AUDIT to lsm_audit.h so that avc_audit
      can call common_lsm_audit and do the pre and post callbacks without
      doing the actual dump.  This makes it so that the patched version
      behaves the same way as the unpatched version.
      
      Also added a denied field to the selinux_audit_data private space,
      once again to make it so that the patched version behaves like the
      unpatched.
      
      I've tested and confirmed that AVCs look the same before and after
      this patch.
      Signed-off-by: default avatarThomas Liu <tliu@redhat.com>
      Acked-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      2bf49690
  11. 13 Jul, 2009 1 commit
  12. 12 Jul, 2009 1 commit
  13. 24 Jun, 2009 1 commit
  14. 18 Jun, 2009 1 commit
    • KaiGai Kohei's avatar
      Add audit messages on type boundary violations · 44c2d9bd
      KaiGai Kohei authored
      
      
      The attached patch adds support to generate audit messages on two cases.
      
      The first one is a case when a multi-thread process tries to switch its
      performing security context using setcon(3), but new security context is
      not bounded by the old one.
      
        type=SELINUX_ERR msg=audit(1245311998.599:17):        \
            op=security_bounded_transition result=denied      \
            oldcontext=system_u:system_r:httpd_t:s0           \
            newcontext=system_u:system_r:guest_webapp_t:s0
      
      The other one is a case when security_compute_av() masked any permissions
      due to the type boundary violation.
      
        type=SELINUX_ERR msg=audit(1245312836.035:32):	\
            op=security_compute_av reason=bounds              \
            scontext=system_u:object_r:user_webapp_t:s0       \
            tcontext=system_u:object_r:shadow_t:s0:c0         \
            tclass=file perms=getattr,open
      Signed-off-by: default avatarKaiGai Kohei <kaigai@ak.jp.nec.com>
      Acked-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      44c2d9bd
  15. 01 Apr, 2009 1 commit
    • KaiGai Kohei's avatar
      Permissive domain in userspace object manager · 8a6f83af
      KaiGai Kohei authored
      
      
      This patch enables applications to handle permissive domain correctly.
      
      Since the v2.6.26 kernel, SELinux has supported an idea of permissive
      domain which allows certain processes to work as if permissive mode,
      even if the global setting is enforcing mode.
      However, we don't have an application program interface to inform
      what domains are permissive one, and what domains are not.
      It means applications focuses on SELinux (XACE/SELinux, SE-PostgreSQL
      and so on) cannot handle permissive domain correctly.
      
      This patch add the sixth field (flags) on the reply of the /selinux/access
      interface which is used to make an access control decision from userspace.
      If the first bit of the flags field is positive, it means the required
      access control decision is on permissive domain, so application should
      allow any required actions, as the kernel doing.
      
      This patch also has a side benefit. The av_decision.flags is set at
      context_struct_compute_av(). It enables to check required permissions
      without read_lock(&policy_rwlock).
      Signed-off-by: default avatarKaiGai Kohei <kaigai@ak.jp.nec.com>
      Acked-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Acked-by: default avatarEric Paris <eparis@redhat.com>
      --
       security/selinux/avc.c              |    2 +-
       security/selinux/include/security.h |    4 +++-
       security/selinux/selinuxfs.c        |    4 ++--
       security/selinux/ss/services.c      |   30 +++++-------------------------
       4 files changed, 11 insertions(+), 29 deletions(-)
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      8a6f83af
  16. 13 Feb, 2009 6 commits
  17. 05 Jan, 2009 1 commit
    • Eric Paris's avatar
      SELinux: shrink sizeof av_inhert selinux_class_perm and context · 76f7ba35
      Eric Paris authored
      
      
      I started playing with pahole today and decided to put it against the
      selinux structures.  Found we could save a little bit of space on x86_64
      (and no harm on i686) just reorganizing some structs.
      
      Object size changes:
      av_inherit: 24 -> 16
      selinux_class_perm: 48 -> 40
      context: 80 -> 72
      
      Admittedly there aren't many of av_inherit or selinux_class_perm's in
      the kernel (33 and 1 respectively) But the change to the size of struct
      context reverberate out a bit.  I can get some hard number if they are
      needed, but I don't see why they would be.  We do change which cacheline
      context->len and context->str would be on, but I don't see that as a
      problem since we are clearly going to have to load both if the context
      is to be of any value.  I've run with the patch and don't seem to be
      having any problems.
      
      An example of what's going on using struct av_inherit would be:
      
      form: to:
      struct av_inherit {			struct av_inherit {
      	u16 tclass;				const char **common_pts;
      	const char **common_pts;		u32 common_base;
      	u32 common_base;			u16 tclass;
      };
      
      (notice all I did was move u16 tclass to the end of the struct instead
      of the beginning)
      
      Memory layout before the change:
      struct av_inherit {
      	u16 tclass; /* 2 */
      	/* 6 bytes hole */
      	const char** common_pts; /* 8 */
      	u32 common_base; /* 4 */
      	/* 4 byes padding */
      
      	/* size: 24, cachelines: 1 */
      	/* sum members: 14, holes: 1, sum holes: 6 */
      	/* padding: 4 */
      };
      
      Memory layout after the change:
      struct av_inherit {
      	const char ** common_pts; /* 8 */
      	u32 common_base; /* 4 */
      	u16 tclass; /* 2 */
      	/* 2 bytes padding */
      
      	/* size: 16, cachelines: 1 */
      	/* sum members: 14, holes: 0, sum holes: 0 */
      	/* padding: 2 */
      };
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      76f7ba35
  18. 31 Oct, 2008 1 commit
  19. 29 Oct, 2008 1 commit
  20. 28 Oct, 2008 1 commit
  21. 28 Aug, 2008 1 commit
    • KaiGai Kohei's avatar
      SELinux: add boundary support and thread context assignment · d9250dea
      KaiGai Kohei authored
      
      
      The purpose of this patch is to assign per-thread security context
      under a constraint. It enables multi-threaded server application
      to kick a request handler with its fair security context, and
      helps some of userspace object managers to handle user's request.
      
      When we assign a per-thread security context, it must not have wider
      permissions than the original one. Because a multi-threaded process
      shares a single local memory, an arbitary per-thread security context
      also means another thread can easily refer violated information.
      
      The constraint on a per-thread security context requires a new domain
      has to be equal or weaker than its original one, when it tries to assign
      a per-thread security context.
      
      Bounds relationship between two types is a way to ensure a domain can
      never have wider permission than its bounds. We can define it in two
      explicit or implicit ways.
      
      The first way is using new TYPEBOUNDS statement. It enables to define
      a boundary of types explicitly. The other one expand the concept of
      existing named based hierarchy. If we defines a type with "." separated
      name like "httpd_t.php", toolchain implicitly set its bounds on "httpd_t".
      
      This feature requires a new policy version.
      The 24th version (POLICYDB_VERSION_BOUNDARY) enables to ship them into
      kernel space, and the following patch enables to handle it.
      Signed-off-by: default avatarKaiGai Kohei <kaigai@ak.jp.nec.com>
      Acked-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      d9250dea
  22. 28 Apr, 2008 1 commit
    • Eric Paris's avatar
      Audit: standardize string audit interfaces · b556f8ad
      Eric Paris authored
      
      
      This patch standardized the string auditing interfaces.  No userspace
      changes will be visible and this is all just cleanup and consistancy
      work.  We have the following string audit interfaces to use:
      
      void audit_log_n_hex(struct audit_buffer *ab, const unsigned char *buf, size_t len);
      
      void audit_log_n_string(struct audit_buffer *ab, const char *buf, size_t n);
      void audit_log_string(struct audit_buffer *ab, const char *buf);
      
      void audit_log_n_untrustedstring(struct audit_buffer *ab, const char *string, size_t n);
      void audit_log_untrustedstring(struct audit_buffer *ab, const char *string);
      
      This may be the first step to possibly fixing some of the issues that
      people have with the string output from the kernel audit system.  But we
      still don't have an agreed upon solution to that problem.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      b556f8ad
  23. 22 Apr, 2008 1 commit
  24. 21 Apr, 2008 2 commits
  25. 18 Apr, 2008 2 commits
  26. 15 Feb, 2008 1 commit
  27. 29 Jan, 2008 1 commit
  28. 16 Oct, 2007 1 commit
  29. 22 Jul, 2007 1 commit
    • Al Viro's avatar
      [PATCH] get rid of AVC_PATH postponed treatment · 4259fa01
      Al Viro authored
      
      
              Selinux folks had been complaining about the lack of AVC_PATH
      records when audit is disabled.  I must admit my stupidity - I assumed
      that avc_audit() really couldn't use audit_log_d_path() because of
      deadlocks (== could be called with dcache_lock or vfsmount_lock held).
      Shouldn't have made that assumption - it never gets called that way.
      It _is_ called under spinlocks, but not those.
      
              Since audit_log_d_path() uses ab->gfp_mask for allocations,
      kmalloc() in there is not a problem.  IOW, the simple fix is sufficient:
      let's rip AUDIT_AVC_PATH out and simply generate pathname as part of main
      record.  It's trivial to do.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Acked-by: default avatarJames Morris <jmorris@namei.org>
      4259fa01
  30. 20 Jul, 2007 1 commit
    • Paul Mundt's avatar
      mm: Remove slab destructors from kmem_cache_create(). · 20c2df83
      Paul Mundt authored
      Slab destructors were no longer supported after Christoph's
      c59def9f
      
       change. They've been
      BUGs for both slab and slub, and slob never supported them
      either.
      
      This rips out support for the dtor pointer from kmem_cache_create()
      completely and fixes up every single callsite in the kernel (there were
      about 224, not including the slab allocator definitions themselves,
      or the documentation references).
      Signed-off-by: default avatarPaul Mundt <lethal@linux-sh.org>
      20c2df83
  31. 12 Jul, 2007 2 commits