1. 13 Nov, 2008 1 commit
  2. 11 Nov, 2008 1 commit
    • Eric Paris's avatar
      Add a new capable interface that will be used by systems that use audit to · 06112163
      Eric Paris authored
      make an A or B type decision instead of a security decision.  Currently
      this is the case at least for filesystems when deciding if a process can use
      the reserved 'root' blocks and for the case of things like the oom
      algorithm determining if processes are root processes and should be less
      likely to be killed.  These types of security system requests should not be
      audited or logged since they are not really security decisions.  It would be
      possible to solve this problem like the vm_enough_memory security check did
      by creating a new LSM interface and moving all of the policy into that
      interface but proves the needlessly bloat the LSM and provide complex
      This merely allows those decisions to be made where they belong and to not
      flood logs or printk with denials for thing that are not security decisions.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Acked-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
  3. 30 Oct, 2008 1 commit
    • Alan Cox's avatar
      nfsd: fix vm overcommit crash · 731572d3
      Alan Cox authored
      Junjiro R.  Okajima reported a problem where knfsd crashes if you are
      using it to export shmemfs objects and run strict overcommit.  In this
      situation the current->mm based modifier to the overcommit goes through a
      NULL pointer.
      We could simply check for NULL and skip the modifier but we've caught
      other real bugs in the past from mm being NULL here - cases where we did
      need a valid mm set up (eg the exec bug about a year ago).
      To preserve the checks and get the logic we want shuffle the checking
      around and add a new helper to the vm_ security wrappers
      Also fix a current->mm reference in nommu that should use the passed mm
      [akpm@linux-foundation.org: coding-style fixes]
      [akpm@linux-foundation.org: fix build]
      Reported-by: default avatarJunjiro R. Okajima <hooanon05@yahoo.co.jp>
      Acked-by: default avatarJames Morris <jmorris@namei.org>
      Signed-off-by: default avatarAlan Cox <alan@redhat.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
  4. 28 Aug, 2008 1 commit
  5. 17 Aug, 2008 1 commit
  6. 14 Aug, 2008 1 commit
    • David Howells's avatar
      security: Fix setting of PF_SUPERPRIV by __capable() · 5cd9c58f
      David Howells authored
      Fix the setting of PF_SUPERPRIV by __capable() as it could corrupt the flags
      the target process if that is not the current process and it is trying to
      change its own flags in a different way at the same time.
      __capable() is using neither atomic ops nor locking to protect t->flags.  This
      patch removes __capable() and introduces has_capability() that doesn't set
      PF_SUPERPRIV on the process being queried.
      This patch further splits security_ptrace() in two:
       (1) security_ptrace_may_access().  This passes judgement on whether one
           process may access another only (PTRACE_MODE_ATTACH for ptrace() and
           PTRACE_MODE_READ for /proc), and takes a pointer to the child process.
           current is the parent.
       (2) security_ptrace_traceme().  This passes judgement on PTRACE_TRACEME only,
           and takes only a pointer to the parent process.  current is the child.
           In Smack and commoncap, this uses has_capability() to determine whether
           the parent will be permitted to use PTRACE_ATTACH if normal checks fail.
           This does not set PF_SUPERPRIV.
      Two of the instances of __capable() actually only act on current, and so have
      been changed to calls to capable().
      Of the places that were using __capable():
       (1) The OOM killer calls __capable() thrice when weighing the killability of a
           process.  All of these now use has_capability().
       (2) cap_ptrace() and smack_ptrace() were using __capable() to check to see
           whether the parent was allowed to trace any process.  As mentioned above,
           these have been split.  For PTRACE_ATTACH and /proc, capable() is now
           used, and for PTRACE_TRACEME, has_capability() is used.
       (3) cap_safe_nice() only ever saw current, so now uses capable().
       (4) smack_setprocattr() rejected accesses to tasks other than current just
           after calling __capable(), so the order of these two tests have been
           switched and capable() is used instead.
       (5) In smack_file_send_sigiotask(), we need to allow privileged processes to
           receive SIGIO on files they're manipulating.
       (6) In smack_task_wait(), we let a process wait for a privileged process,
           whether or not the process doing the waiting is privileged.
      I've tested this with the LTP SELinux and syscalls testscripts.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Acked-by: default avatarSerge Hallyn <serue@us.ibm.com>
      Acked-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      Acked-by: default avatarAndrew G. Morgan <morgan@kernel.org>
      Acked-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
  7. 27 Jul, 2008 1 commit
  8. 24 Jul, 2008 1 commit
  9. 14 Jul, 2008 4 commits
    • James Morris's avatar
      security: remove register_security hook · 6f0f0fd4
      James Morris authored
      The register security hook is no longer required, as the capability
      module is always registered.  LSMs wishing to stack capability as
      a secondary module should do so explicitly.
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      Acked-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Acked-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
    • Miklos Szeredi's avatar
      security: remove unused sb_get_mnt_opts hook · b478a9f9
      Miklos Szeredi authored
      The sb_get_mnt_opts() hook is unused, and is superseded by the
      sb_show_options() hook.
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@suse.cz>
      Acked-by: default avatarJames Morris <jmorris@namei.org>
    • Eric Paris's avatar
      LSM/SELinux: show LSM mount options in /proc/mounts · 2069f457
      Eric Paris authored
      This patch causes SELinux mount options to show up in /proc/mounts.  As
      with other code in the area seq_put errors are ignored.  Other LSM's
      will not have their mount options displayed until they fill in their own
      security_sb_show_options() function.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@suse.cz>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
    • Stephen Smalley's avatar
      Security: split proc ptrace checking into read vs. attach · 006ebb40
      Stephen Smalley authored
      Enable security modules to distinguish reading of process state via
      proc from full ptrace access by renaming ptrace_may_attach to
      ptrace_may_access and adding a mode argument indicating whether only
      read access or full attach access is requested.  This allows security
      modules to permit access to reading process state without granting
      full ptrace access.  The base DAC/capability checking remains unchanged.
      Read access to /proc/pid/mem continues to apply a full ptrace attach
      check since check_mem_permission() already requires the current task
      to already be ptracing the target.  The other ptrace checks within
      proc for elements like environ, maps, and fds are changed to pass the
      read mode instead of attach.
      In the SELinux case, we model such reading of process state as a
      reading of a proc file labeled with the target process' label.  This
      enables SELinux policy to permit such reading of process state without
      permitting control or manipulation of the target process, as there are
      a number of cases where programs probe for such information via proc
      but do not need to be able to control the target (e.g. procps,
      lsof, PolicyKit, ConsoleKit).  At present we have to choose between
      allowing full ptrace in policy (more permissive than required/desired)
      or breaking functionality (or in some cases just silencing the denials
      via dontaudit rules but this can hide genuine attacks).
      This version of the patch incorporates comments from Casey Schaufler
      (change/replace existing ptrace_may_attach interface, pass access
      mode), and Chris Wright (provide greater consistency in the checking).
      Note that like their predecessors __ptrace_may_attach and
      ptrace_may_attach, the __ptrace_may_access and ptrace_may_access
      interfaces use different return value conventions from each other (0
      or -errno vs. 1 or 0).  I retained this difference to avoid any
      changes to the caller logic but made the difference clearer by
      changing the latter interface to return a bool rather than an int and
      by adding a comment about it to ptrace.h for any future callers.
      Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Acked-by: default avatarChris Wright <chrisw@sous-sol.org>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
  10. 29 Apr, 2008 4 commits
  11. 28 Apr, 2008 1 commit
    • Andrew G. Morgan's avatar
      capabilities: implement per-process securebits · 3898b1b4
      Andrew G. Morgan authored
      Filesystem capability support makes it possible to do away with (set)uid-0
      based privilege and use capabilities instead.  That is, with filesystem
      support for capabilities but without this present patch, it is (conceptually)
      possible to manage a system with capabilities alone and never need to obtain
      privilege via (set)uid-0.
      Of course, conceptually isn't quite the same as currently possible since few
      user applications, certainly not enough to run a viable system, are currently
      prepared to leverage capabilities to exercise privilege.  Further, many
      applications exist that may never get upgraded in this way, and the kernel
      will continue to want to support their setuid-0 base privilege needs.
      Where pure-capability applications evolve and replace setuid-0 binaries, it is
      desirable that there be a mechanisms by which they can contain their
      privilege.  In addition to leveraging the per-process bounding and inheritable
      sets, this should include suppressing the privilege of the uid-0 superuser
      from the process' tree of children.
      The feature added by this patch can be leveraged to suppress the privilege
      associated with (set)uid-0.  This suppression requires CAP_SETPCAP to
      initiate, and only immediately affects the 'current' process (it is inherited
      through fork()/exec()).  This reimplementation differs significantly from the
      historical support for securebits which was system-wide, unwieldy and which
      has ultimately withered to a dead relic in the source of the modern kernel.
      With this patch applied a process, that is capable(CAP_SETPCAP), can now drop
      all legacy privilege (through uid=0) for itself and all subsequently
      fork()'d/exec()'d children with:
        prctl(PR_SET_SECUREBITS, 0x2f);
      This patch represents a no-op unless CONFIG_SECURITY_FILE_CAPABILITIES is
      enabled at configure time.
      [akpm@linux-foundation.org: fix uninitialised var warning]
      [serue@us.ibm.com: capabilities: use cap_task_prctl when !CONFIG_SECURITY]
      Signed-off-by: default avatarAndrew G. Morgan <morgan@kernel.org>
      Acked-by: default avatarSerge Hallyn <serue@us.ibm.com>
      Reviewed-by: default avatarJames Morris <jmorris@namei.org>
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Cc: Paul Moore <paul.moore@hp.com>
      Signed-off-by: default avatarSerge E. Hallyn <serue@us.ibm.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
  12. 27 Apr, 2008 1 commit
    • Eric Paris's avatar
      SELinux: include/security.h whitespace, syntax, and other cleanups · 7b41b173
      Eric Paris authored
      This patch changes include/security.h to fix whitespace and syntax issues.  Things that
      are fixed may include (does not not have to include)
      whitespace at end of lines
      spaces followed by tabs
      spaces used instead of tabs
      spacing around parenthesis
      location of { around structs and else clauses
      location of * in pointer declarations
      removal of initialization of static data to keep it in the right section
      useless {} in if statemetns
      useless checking for NULL before kfree
      fixing of the indentation depth of switch statements
      no assignments in if statements
      include spaces around , in function calls
      and any number of other things I forgot to mention
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
  13. 22 Apr, 2008 1 commit
  14. 19 Apr, 2008 1 commit
    • Ahmed S. Darwish's avatar
      Security: Introduce security= boot parameter · 076c54c5
      Ahmed S. Darwish authored
      Add the security= boot parameter. This is done to avoid LSM
      registration clashes in case of more than one bult-in module.
      User can choose a security module to enable at boot. If no
      security= boot parameter is specified, only the first LSM
      asking for registration will be loaded. An invalid security
      module name will be treated as if no module has been chosen.
      LSM modules must check now if they are allowed to register
      by calling security_module_enable(ops) first. Modify SELinux
      and SMACK to do so.
      Do not let SMACK register smackfs if it was not chosen on
      boot. Smackfs assumes that smack hooks are registered and
      the initial task security setup (swapper->security) is done.
      Signed-off-by: default avatarAhmed S. Darwish <darwish.07@gmail.com>
      Acked-by: default avatarJames Morris <jmorris@namei.org>
  15. 18 Apr, 2008 2 commits
  16. 13 Apr, 2008 1 commit
  17. 20 Mar, 2008 1 commit
  18. 05 Mar, 2008 1 commit
    • Eric Paris's avatar
      LSM/SELinux: Interfaces to allow FS to control mount options · e0007529
      Eric Paris authored
      Introduce new LSM interfaces to allow an FS to deal with their own mount
      options.  This includes a new string parsing function exported from the
      LSM that an FS can use to get a security data blob and a new security
      data blob.  This is particularly useful for an FS which uses binary
      mount data, like NFS, which does not pass strings into the vfs to be
      handled by the loaded LSM.  Also fix a BUG() in both SELinux and SMACK
      when dealing with binary mount data.  If the binary mount data is less
      than one page the copy_page() in security_sb_copy_data() can cause an
      illegal page fault and boom.  Remove all NFSisms from the SELinux code
      since they were broken by past NFS changes.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Acked-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Acked-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
  19. 05 Feb, 2008 2 commits
    • Serge E. Hallyn's avatar
      capabilities: introduce per-process capability bounding set · 3b7391de
      Serge E. Hallyn authored
      The capability bounding set is a set beyond which capabilities cannot grow.
       Currently cap_bset is per-system.  It can be manipulated through sysctl,
      but only init can add capabilities.  Root can remove capabilities.  By
      default it includes all caps except CAP_SETPCAP.
      This patch makes the bounding set per-process when file capabilities are
      enabled.  It is inherited at fork from parent.  Noone can add elements,
      CAP_SETPCAP is required to remove them.
      One example use of this is to start a safer container.  For instance, until
      device namespaces or per-container device whitelists are introduced, it is
      best to take CAP_MKNOD away from a container.
      The bounding set will not affect pP and pE immediately.  It will only
      affect pP' and pE' after subsequent exec()s.  It also does not affect pI,
      and exec() does not constrain pI'.  So to really start a shell with no way
      of regain CAP_MKNOD, you would do
      	cap_t cap = cap_get_proc();
      	cap_value_t caparray[1];
      	caparray[0] = CAP_MKNOD;
      	cap_set_flag(cap, CAP_INHERITABLE, 1, caparray, CAP_DROP);
      The following test program will get and set the bounding
      set (but not pI).  For instance
      	./bset get
      		(lists capabilities in bset)
      	./bset drop cap_net_raw
      		(starts shell with new bset)
      		(use capset, setuid binary, or binary with
      		file capabilities to try to increase caps)
       #include <sys/prctl.h>
       #include <linux/capability.h>
       #include <sys/types.h>
       #include <unistd.h>
       #include <stdio.h>
       #include <stdlib.h>
       #include <string.h>
       #ifndef PR_CAPBSET_READ
       #define PR_CAPBSET_READ 23
       #ifndef PR_CAPBSET_DROP
       #define PR_CAPBSET_DROP 24
      int usage(char *me)
      	printf("Usage: %s get\n", me);
      	printf("       %s drop <capability>\n", me);
      	return 1;
       #define numcaps 32
      char *captable[numcaps] = {
      int getbcap(void)
      	int comma=0;
      	unsigned long i;
      	int ret;
      	printf("i know of %d capabilities\n", numcaps);
      	printf("capability bounding set:");
      	for (i=0; i<numcaps; i++) {
      		ret = prctl(PR_CAPBSET_READ, i);
      		if (ret < 0)
      		else if (ret==1)
      			printf("%s%s", (comma++) ? ", " : " ", captable[i]);
      	return 0;
      int capdrop(char *str)
      	unsigned long i;
      	int found=0;
      	for (i=0; i<numcaps; i++) {
      		if (strcmp(captable[i], str) == 0) {
      	if (!found)
      		return 1;
      	if (prctl(PR_CAPBSET_DROP, i)) {
      		return 1;
      	return 0;
      int main(int argc, char *argv[])
      	if (argc<2)
      		return usage(argv[0]);
      	if (strcmp(argv[1], "get")==0)
      		return getbcap();
      	if (strcmp(argv[1], "drop")!=0 || argc<3)
      		return usage(argv[0]);
      	if (capdrop(argv[2])) {
      		printf("unknown capability\n");
      		return 1;
      	return execl("/bin/bash", "/bin/bash", NULL);
      [serue@us.ibm.com: fix typo]
      Signed-off-by: default avatarSerge E. Hallyn <serue@us.ibm.com>
      Signed-off-by: default avatarAndrew G. Morgan <morgan@kernel.org>
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Cc: James Morris <jmorris@namei.org>
      Cc: Chris Wright <chrisw@sous-sol.org>
      Cc: Casey Schaufler <casey@schaufler-ca.com>a
      Signed-off-by: default avatar"Serge E. Hallyn" <serue@us.ibm.com>
      Tested-by: default avatarJiri Slaby <jirislaby@gmail.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    • David P. Quigley's avatar
      VFS/Security: Rework inode_getsecurity and callers to return resulting buffer · 42492594
      David P. Quigley authored
      This patch modifies the interface to inode_getsecurity to have the function
      return a buffer containing the security blob and its length via parameters
      instead of relying on the calling function to give it an appropriately sized
      Security blobs obtained with this function should be freed using the
      release_secctx LSM hook.  This alleviates the problem of the caller having to
      guess a length and preallocate a buffer for this function allowing it to be
      used elsewhere for Labeled NFS.
      The patch also removed the unused err parameter.  The conversion is similar to
      the one performed by Al Viro for the security_getprocattr hook.
      Signed-off-by: default avatarDavid P. Quigley <dpquigl@tycho.nsa.gov>
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Cc: Chris Wright <chrisw@sous-sol.org>
      Acked-by: default avatarJames Morris <jmorris@namei.org>
      Acked-by: default avatarSerge Hallyn <serue@us.ibm.com>
      Cc: Casey Schaufler <casey@schaufler-ca.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Christoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
  20. 25 Jan, 2008 4 commits
  21. 19 Oct, 2007 1 commit
  22. 18 Oct, 2007 1 commit
    • Andrew Morgan's avatar
      V3 file capabilities: alter behavior of cap_setpcap · 72c2d582
      Andrew Morgan authored
      The non-filesystem capability meaning of CAP_SETPCAP is that a process, p1,
      can change the capabilities of another process, p2.  This is not the
      meaning that was intended for this capability at all, and this
      implementation came about purely because, without filesystem capabilities,
      there was no way to use capabilities without one process bestowing them on
      Since we now have a filesystem support for capabilities we can fix the
      implementation of CAP_SETPCAP.
      The most significant thing about this change is that, with it in effect, no
      process can set the capabilities of another process.
      The capabilities of a program are set via the capability convolution
         pI(post-exec) = pI(pre-exec)
         pP(post-exec) = (X(aka cap_bset) & fP) | (pI(post-exec) & fI)
         pE(post-exec) = fE ? pP(post-exec) : 0
      at exec() time.  As such, the only influence the pre-exec() program can
      have on the post-exec() program's capabilities are through the pI
      capability set.
      The correct implementation for CAP_SETPCAP (and that enabled by this patch)
      is that it can be used to add extra pI capabilities to the current process
      - to be picked up by subsequent exec()s when the above convolution rules
      are applied.
      Here is how it works:
      Let's say we have a process, p. It has capability sets, pE, pP and pI.
      Generally, p, can change the value of its own pI to pI' where
         (pI' & ~pI) & ~pP = 0.
      That is, the only new things in pI' that were not present in pI need to
      be present in pP.
      The role of CAP_SETPCAP is basically to permit changes to pI beyond
      the above:
         if (pE & CAP_SETPCAP) {
            pI' = anything; /* ie., even (pI' & ~pI) & ~pP != 0  */
      This capability is useful for things like login, which (say, via
      pam_cap) might want to raise certain inheritable capabilities for use
      by the children of the logged-in user's shell, but those capabilities
      are not useful to or needed by the login program itself.
      One such use might be to limit who can run ping. You set the
      capabilities of the 'ping' program to be "= cap_net_raw+i", and then
      only shells that have (pI & CAP_NET_RAW) will be able to run
      it. Without CAP_SETPCAP implemented as described above, login(pam_cap)
      would have to also have (pP & CAP_NET_RAW) in order to raise this
      capability and pass it on through the inheritable set.
      Signed-off-by: default avatarAndrew Morgan <morgan@kernel.org>
      Signed-off-by: default avatarSerge E. Hallyn <serue@us.ibm.com>
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Cc: James Morris <jmorris@namei.org>
      Cc: Casey Schaufler <casey@schaufler-ca.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
  23. 17 Oct, 2007 3 commits
    • Adrian Bunk's avatar
      security/ cleanups · cbfee345
      Adrian Bunk authored
      This patch contains the following cleanups that are now possible:
      - remove the unused security_operations->inode_xattr_getsuffix
      - remove the no longer used security_operations->unregister_security
      - remove some no longer required exit code
      - remove a bunch of no longer used exports
      Signed-off-by: default avatarAdrian Bunk <bunk@kernel.org>
      Acked-by: default avatarJames Morris <jmorris@namei.org>
      Cc: Chris Wright <chrisw@sous-sol.org>
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Cc: Serge Hallyn <serue@us.ibm.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    • Serge E. Hallyn's avatar
      Implement file posix capabilities · b5376771
      Serge E. Hallyn authored
      Implement file posix capabilities.  This allows programs to be given a
      subset of root's powers regardless of who runs them, without having to use
      setuid and giving the binary all of root's powers.
      This version works with Kaigai Kohei's userspace tools, found at
      http://www.kaigai.gr.jp/index.php.  For more information on how to use this
      patch, Chris Friedhoff has posted a nice page at
      	Nov 27:
      	Incorporate fixes from Andrew Morton
      	(security-introduce-file-caps-tweaks and
      	Fix Kconfig dependency.
      	Fix change signaling behavior when file caps are not compiled in.
      	Nov 13:
      	Integrate comments from Alexey: Remove CONFIG_ ifdef from
      	capability.h, and use %zd for printing a size_t.
      	Nov 13:
      	Fix endianness warnings by sparse as suggested by Alexey
      	Nov 09:
      	Address warnings of unused variables at cap_bprm_set_security
      	when file capabilities are disabled, and simultaneously clean
      	up the code a little, by pulling the new code into a helper
      	Nov 08:
      	For pointers to required userspace tools and how to use
      	them, see http://www.friedhoff.org/fscaps.html.
      	Nov 07:
      	Fix the calculation of the highest bit checked in
      	Nov 07:
      	Allow file caps to be enabled without CONFIG_SECURITY, since
      	capabilities are the default.
      	Hook cap_task_setscheduler when !CONFIG_SECURITY.
      	Move capable(TASK_KILL) to end of cap_task_kill to reduce
      	audit messages.
      	Nov 05:
      	Add secondary calls in selinux/hooks.c to task_setioprio and
      	task_setscheduler so that selinux and capabilities with file
      	cap support can be stacked.
      	Sep 05:
      	As Seth Arnold points out, uid checks are out of place
      	for capability code.
      	Sep 01:
      	Define task_setscheduler, task_setioprio, cap_task_kill, and
      	task_setnice to make sure a user cannot affect a process in which
      	they called a program with some fscaps.
      	One remaining question is the note under task_setscheduler: are we
      	ok with CAP_SYS_NICE being sufficient to confine a process to a
      	It is a semantic change, as without fsccaps, attach_task doesn't
      	allow CAP_SYS_NICE to override the uid equivalence check.  But since
      	it uses security_task_setscheduler, which elsewhere is used where
      	CAP_SYS_NICE can be used to override the uid equivalence check,
      	fixing it might be tough.
      		 note: this also controls cpuset:attach_task.  Are we ok with
      		     CAP_SYS_NICE being used to confine to a cpuset?
      		 sys_setpriority uses this (through set_one_prio) for another
      		 process.  Need same checks as setrlimit
      	Aug 21:
      	Updated secureexec implementation to reflect the fact that
      	euid and uid might be the same and nonzero, but the process
      	might still have elevated caps.
      	Aug 15:
      	Handle endianness of xattrs.
      	Enforce capability version match between kernel and disk.
      	Enforce that no bits beyond the known max capability are
      	set, else return -EPERM.
      	With this extra processing, it may be worth reconsidering
      	doing all the work at bprm_set_security rather than
      	Aug 10:
      	Always call getxattr at bprm_set_security, rather than
      	caching it at d_instantiate.
      [morgan@kernel.org: file-caps clean up for linux/capability.h]
      [bunk@kernel.org: unexport cap_inode_killpriv]
      Signed-off-by: default avatarSerge E. Hallyn <serue@us.ibm.com>
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Cc: James Morris <jmorris@namei.org>
      Cc: Chris Wright <chrisw@sous-sol.org>
      Cc: Andrew Morgan <morgan@kernel.org>
      Signed-off-by: default avatarAndrew Morgan <morgan@kernel.org>
      Signed-off-by: default avatarAdrian Bunk <bunk@kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    • James Morris's avatar
      security: Convert LSM into a static interface · 20510f2f
      James Morris authored
      Convert LSM into a static interface, as the ability to unload a security
      module is not required by in-tree users and potentially complicates the
      overall security architecture.
      Needlessly exported LSM symbols have been unexported, to help reduce API
      Parameters for the capability and root_plug modules are now specified
      at boot.
      The SECURITY_FRAMEWORK_VERSION macro has also been removed.
      In a nutshell, there is no safe way to unload an LSM.  The modular interface
      is thus unecessary and broken infrastructure.  It is used only by out-of-tree
      modules, which are often binary-only, illegal, abusive of the API and
      dangerous, e.g.  silently re-vectoring SELinux.
      [akpm@linux-foundation.org: cleanups]
      [akpm@linux-foundation.org: USB Kconfig fix]
      [randy.dunlap@oracle.com: fix LSM kernel-doc]
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      Acked-by: default avatarChris Wright <chrisw@sous-sol.org>
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Cc: "Serge E. Hallyn" <serue@us.ibm.com>
      Acked-by: default avatarArjan van de Ven <arjan@infradead.org>
      Signed-off-by: default avatarRandy Dunlap <randy.dunlap@oracle.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
  24. 16 Oct, 2007 1 commit
  25. 23 Aug, 2007 1 commit
    • Alan Cox's avatar
      fix NULL pointer dereference in __vm_enough_memory() · 34b4e4aa
      Alan Cox authored
      The new exec code inserts an accounted vma into an mm struct which is not
      current->mm.  The existing memory check code has a hard coded assumption
      that this does not happen as does the security code.
      As the correct mm is known we pass the mm to the security method and the
      helper function.  A new security test is added for the case where we need
      to pass the mm and the existing one is modified to pass current->mm to
      avoid the need to change large amounts of code.
      (Thanks to Tobias for fixing rejects and testing)
      Signed-off-by: default avatarAlan Cox <alan@redhat.com>
      Cc: WU Fengguang <wfg@mail.ustc.edu.cn>
      Cc: James Morris <jmorris@redhat.com>
      Cc: Tobias Diedrich <ranma+kernel@tdiedrich.de>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
  26. 12 Jul, 2007 1 commit
    • Eric Paris's avatar
      security: Protection for exploiting null dereference using mmap · ed032189
      Eric Paris authored
      Add a new security check on mmap operations to see if the user is attempting
      to mmap to low area of the address space.  The amount of space protected is
      indicated by the new proc tunable /proc/sys/vm/mmap_min_addr and defaults to
      0, preserving existing behavior.
      This patch uses a new SELinux security class "memprotect."  Policy already
      contains a number of allow rules like a_t self:process * (unconfined_t being
      one of them) which mean that putting this check in the process class (its
      best current fit) would make it useless as all user processes, which we also
      want to protect against, would be allowed. By taking the memprotect name of
      the new class it will also make it possible for us to move some of the other
      memory protect permissions out of 'process' and into the new class next time
      we bump the policy version number (which I also think is a good future idea)
      Acked-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Acked-by: default avatarChris Wright <chrisw@sous-sol.org>
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
  27. 09 May, 2007 1 commit