1. 17 Oct, 2007 3 commits
    • Adrian Bunk's avatar
      security/ cleanups · cbfee345
      Adrian Bunk authored
      
      This patch contains the following cleanups that are now possible:
      - remove the unused security_operations->inode_xattr_getsuffix
      - remove the no longer used security_operations->unregister_security
      - remove some no longer required exit code
      - remove a bunch of no longer used exports
      Signed-off-by: default avatarAdrian Bunk <bunk@kernel.org>
      Acked-by: default avatarJames Morris <jmorris@namei.org>
      Cc: Chris Wright <chrisw@sous-sol.org>
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Cc: Serge Hallyn <serue@us.ibm.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      cbfee345
    • Serge E. Hallyn's avatar
      Implement file posix capabilities · b5376771
      Serge E. Hallyn authored
      Implement file posix capabilities.  This allows programs to be given a
      subset of root's powers regardless of who runs them, without having to use
      setuid and giving the binary all of root's powers.
      
      This version works with Kaigai Kohei's userspace tools, found at
      http://www.kaigai.gr.jp/index.php.  For more information on how to use this
      patch, Chris Friedhoff has posted a nice page at
      http://www.friedhoff.org/fscaps.html.
      
      Changelog:
      	Nov 27:
      	Incorporate fixes from Andrew Morton
      	(security-introduce-file-caps-tweaks and
      	security-introduce-file-caps-warning-fix)
      	Fix Kconfig dependency.
      	Fix change signaling behavior when file caps are not compiled in.
      
      	Nov 13:
      	Integrate comments from Alexey: Remove CONFIG_ ifdef from
      	capability.h, and use %zd for printing a size_t.
      
      	Nov 13:
      	Fix endianness warnings by sparse as suggested by Alexey
      	Dobriyan.
      
      	Nov 09:
      	Address warnings of unused variables at cap_bprm_set_security
      	when file capabilities are disabled, and simultaneously clean
      	up the code a little, by pulling the new code into a helper
      	function.
      
      	Nov 08:
      	For pointers to required userspace tools and how to use
      	them, see http://www.friedhoff.org/fscaps.html
      
      .
      
      	Nov 07:
      	Fix the calculation of the highest bit checked in
      	check_cap_sanity().
      
      	Nov 07:
      	Allow file caps to be enabled without CONFIG_SECURITY, since
      	capabilities are the default.
      	Hook cap_task_setscheduler when !CONFIG_SECURITY.
      	Move capable(TASK_KILL) to end of cap_task_kill to reduce
      	audit messages.
      
      	Nov 05:
      	Add secondary calls in selinux/hooks.c to task_setioprio and
      	task_setscheduler so that selinux and capabilities with file
      	cap support can be stacked.
      
      	Sep 05:
      	As Seth Arnold points out, uid checks are out of place
      	for capability code.
      
      	Sep 01:
      	Define task_setscheduler, task_setioprio, cap_task_kill, and
      	task_setnice to make sure a user cannot affect a process in which
      	they called a program with some fscaps.
      
      	One remaining question is the note under task_setscheduler: are we
      	ok with CAP_SYS_NICE being sufficient to confine a process to a
      	cpuset?
      
      	It is a semantic change, as without fsccaps, attach_task doesn't
      	allow CAP_SYS_NICE to override the uid equivalence check.  But since
      	it uses security_task_setscheduler, which elsewhere is used where
      	CAP_SYS_NICE can be used to override the uid equivalence check,
      	fixing it might be tough.
      
      	     task_setscheduler
      		 note: this also controls cpuset:attach_task.  Are we ok with
      		     CAP_SYS_NICE being used to confine to a cpuset?
      	     task_setioprio
      	     task_setnice
      		 sys_setpriority uses this (through set_one_prio) for another
      		 process.  Need same checks as setrlimit
      
      	Aug 21:
      	Updated secureexec implementation to reflect the fact that
      	euid and uid might be the same and nonzero, but the process
      	might still have elevated caps.
      
      	Aug 15:
      	Handle endianness of xattrs.
      	Enforce capability version match between kernel and disk.
      	Enforce that no bits beyond the known max capability are
      	set, else return -EPERM.
      	With this extra processing, it may be worth reconsidering
      	doing all the work at bprm_set_security rather than
      	d_instantiate.
      
      	Aug 10:
      	Always call getxattr at bprm_set_security, rather than
      	caching it at d_instantiate.
      
      [morgan@kernel.org: file-caps clean up for linux/capability.h]
      [bunk@kernel.org: unexport cap_inode_killpriv]
      Signed-off-by: default avatarSerge E. Hallyn <serue@us.ibm.com>
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Cc: James Morris <jmorris@namei.org>
      Cc: Chris Wright <chrisw@sous-sol.org>
      Cc: Andrew Morgan <morgan@kernel.org>
      Signed-off-by: default avatarAndrew Morgan <morgan@kernel.org>
      Signed-off-by: default avatarAdrian Bunk <bunk@kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      b5376771
    • James Morris's avatar
      security: Convert LSM into a static interface · 20510f2f
      James Morris authored
      
      Convert LSM into a static interface, as the ability to unload a security
      module is not required by in-tree users and potentially complicates the
      overall security architecture.
      
      Needlessly exported LSM symbols have been unexported, to help reduce API
      abuse.
      
      Parameters for the capability and root_plug modules are now specified
      at boot.
      
      The SECURITY_FRAMEWORK_VERSION macro has also been removed.
      
      In a nutshell, there is no safe way to unload an LSM.  The modular interface
      is thus unecessary and broken infrastructure.  It is used only by out-of-tree
      modules, which are often binary-only, illegal, abusive of the API and
      dangerous, e.g.  silently re-vectoring SELinux.
      
      [akpm@linux-foundation.org: cleanups]
      [akpm@linux-foundation.org: USB Kconfig fix]
      [randy.dunlap@oracle.com: fix LSM kernel-doc]
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      Acked-by: default avatarChris Wright <chrisw@sous-sol.org>
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Cc: "Serge E. Hallyn" <serue@us.ibm.com>
      Acked-by: default avatarArjan van de Ven <arjan@infradead.org>
      Signed-off-by: default avatarRandy Dunlap <randy.dunlap@oracle.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      20510f2f
  2. 16 Oct, 2007 1 commit
  3. 22 Aug, 2007 1 commit
    • Alan Cox's avatar
      fix NULL pointer dereference in __vm_enough_memory() · 34b4e4aa
      Alan Cox authored
      
      The new exec code inserts an accounted vma into an mm struct which is not
      current->mm.  The existing memory check code has a hard coded assumption
      that this does not happen as does the security code.
      
      As the correct mm is known we pass the mm to the security method and the
      helper function.  A new security test is added for the case where we need
      to pass the mm and the existing one is modified to pass current->mm to
      avoid the need to change large amounts of code.
      
      (Thanks to Tobias for fixing rejects and testing)
      Signed-off-by: default avatarAlan Cox <alan@redhat.com>
      Cc: WU Fengguang <wfg@mail.ustc.edu.cn>
      Cc: James Morris <jmorris@redhat.com>
      Cc: Tobias Diedrich <ranma+kernel@tdiedrich.de>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      34b4e4aa
  4. 11 Jul, 2007 1 commit
    • Eric Paris's avatar
      security: Protection for exploiting null dereference using mmap · ed032189
      Eric Paris authored
      
      Add a new security check on mmap operations to see if the user is attempting
      to mmap to low area of the address space.  The amount of space protected is
      indicated by the new proc tunable /proc/sys/vm/mmap_min_addr and defaults to
      0, preserving existing behavior.
      
      This patch uses a new SELinux security class "memprotect."  Policy already
      contains a number of allow rules like a_t self:process * (unconfined_t being
      one of them) which mean that putting this check in the process class (its
      best current fit) would make it useless as all user processes, which we also
      want to protect against, would be allowed. By taking the memprotect name of
      the new class it will also make it possible for us to move some of the other
      memory protect permissions out of 'process' and into the new class next time
      we bump the policy version number (which I also think is a good future idea)
      Acked-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Acked-by: default avatarChris Wright <chrisw@sous-sol.org>
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      ed032189
  5. 09 May, 2007 1 commit
  6. 14 Mar, 2007 1 commit
  7. 12 Feb, 2007 1 commit
  8. 11 Feb, 2007 1 commit
  9. 03 Dec, 2006 3 commits
    • Venkat Yekkirala's avatar
      SELinux: Fix SA selection semantics · 67f83cbf
      Venkat Yekkirala authored
      
      Fix the selection of an SA for an outgoing packet to be at the same
      context as the originating socket/flow. This eliminates the SELinux
      policy's ability to use/sendto SAs with contexts other than the socket's.
      
      With this patch applied, the SELinux policy will require one or more of the
      following for a socket to be able to communicate with/without SAs:
      
      1. To enable a socket to communicate without using labeled-IPSec SAs:
      
      allow socket_t unlabeled_t:association { sendto recvfrom }
      
      2. To enable a socket to communicate with labeled-IPSec SAs:
      
      allow socket_t self:association { sendto };
      allow socket_t peer_sa_t:association { recvfrom };
      Signed-off-by: default avatarVenkat Yekkirala <vyekkirala@TrustedCS.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      67f83cbf
    • Venkat Yekkirala's avatar
      SELinux: Return correct context for SO_PEERSEC · 6b877699
      Venkat Yekkirala authored
      
      Fix SO_PEERSEC for tcp sockets to return the security context of
      the peer (as represented by the SA from the peer) as opposed to the
      SA used by the local/source socket.
      Signed-off-by: default avatarVenkat Yekkirala <vyekkirala@TrustedCS.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      6b877699
    • Venkat Yekkirala's avatar
      SELinux: Various xfrm labeling fixes · c1a856c9
      Venkat Yekkirala authored
      
      Since the upstreaming of the mlsxfrm modification a few months back,
      testing has resulted in the identification of the following issues/bugs that
      are resolved in this patch set.
      
      1. Fix the security context used in the IKE negotiation to be the context
         of the socket as opposed to the context of the SPD rule.
      
      2. Fix SO_PEERSEC for tcp sockets to return the security context of
         the peer as opposed to the source.
      
      3. Fix the selection of an SA for an outgoing packet to be at the same
         context as the originating socket/flow.
      
      The following would be the result of applying this patchset:
      
      - SO_PEERSEC will now correctly return the peer's context.
      
      - IKE deamons will receive the context of the source socket/flow
        as opposed to the SPD rule's context so that the negotiated SA
        will be at the same context as the source socket/flow.
      
      - The SELinux policy will require one or more of the
        following for a socket to be able to communicate with/without SAs:
      
        1. To enable a socket to communicate without using labeled-IPSec SAs:
      
           allow socket_t unlabeled_t:association { sendto recvfrom }
      
        2. To enable a socket to communicate with labeled-IPSec SAs:
      
           allow socket_t self:association { sendto };
           allow socket_t peer_sa_t:association { recvfrom };
      
      This Patch: Pass correct security context to IKE for use in negotiation
      
      Fix the security context passed to IKE for use in negotiation to be the
      context of the socket as opposed to the context of the SPD rule so that
      the SA carries the label of the originating socket/flow.
      Signed-off-by: default avatarVenkat Yekkirala <vyekkirala@TrustedCS.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      c1a856c9
  10. 12 Oct, 2006 1 commit
    • Venkat Yekkirala's avatar
      IPsec: correct semantics for SELinux policy matching · 5b368e61
      Venkat Yekkirala authored
      
      Currently when an IPSec policy rule doesn't specify a security
      context, it is assumed to be "unlabeled" by SELinux, and so
      the IPSec policy rule fails to match to a flow that it would
      otherwise match to, unless one has explicitly added an SELinux
      policy rule allowing the flow to "polmatch" to the "unlabeled"
      IPSec policy rules. In the absence of such an explicitly added
      SELinux policy rule, the IPSec policy rule fails to match and
      so the packet(s) flow in clear text without the otherwise applicable
      xfrm(s) applied.
      
      The above SELinux behavior violates the SELinux security notion of
      "deny by default" which should actually translate to "encrypt by
      default" in the above case.
      
      This was first reported by Evgeniy Polyakov and the way James Morris
      was seeing the problem was when connecting via IPsec to a
      confined service on an SELinux box (vsftpd), which did not have the
      appropriate SELinux policy permissions to send packets via IPsec.
      
      With this patch applied, SELinux "polmatching" of flows Vs. IPSec
      policy rules will only come into play when there's a explicit context
      specified for the IPSec policy rule (which also means there's corresponding
      SELinux policy allowing appropriate domains/flows to polmatch to this context).
      
      Secondly, when a security module is loaded (in this case, SELinux), the
      security_xfrm_policy_lookup() hook can return errors other than access denied,
      such as -EINVAL.  We were not handling that correctly, and in fact
      inverting the return logic and propagating a false "ok" back up to
      xfrm_lookup(), which then allowed packets to pass as if they were not
      associated with an xfrm policy.
      
      The solution for this is to first ensure that errno values are
      correctly propagated all the way back up through the various call chains
      from security_xfrm_policy_lookup(), and handled correctly.
      
      Then, flow_cache_lookup() is modified, so that if the policy resolver
      fails (typically a permission denied via the security module), the flow
      cache entry is killed rather than having a null policy assigned (which
      indicates that the packet can pass freely).  This also forces any future
      lookups for the same flow to consult the security module (e.g. SELinux)
      for current security policy (rather than, say, caching the error on the
      flow cache entry).
      
      This patch: Fix the selinux side of things.
      
      This makes sure SELinux polmatching of flow contexts to IPSec policy
      rules comes into play only when an explicit context is associated
      with the IPSec policy rule.
      
      Also, this no longer defaults the context of a socket policy to
      the context of the socket since the "no explicit context" case
      is now handled properly.
      Signed-off-by: default avatarVenkat Yekkirala <vyekkirala@TrustedCS.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      5b368e61
  11. 29 Sep, 2006 1 commit
    • Alexey Dobriyan's avatar
      [PATCH] fs.h: ifdef security fields · 50462062
      Alexey Dobriyan authored
      
      [assuming BSD security levels are deleted]
      The only user of i_security, f_security, s_security fields is SELinux,
      however, quite a few security modules are trying to get into kernel.
      So, wrap them under CONFIG_SECURITY. Adding config option for each
      security field is likely an overkill.
      
      Following Stephen Smalley's suggestion, i_security initialization is
      moved to security_inode_alloc() to not clutter core code with ifdefs
      and make alloc_inode() codepath tiny little bit smaller and faster.
      
      The user of (highly greppable) struct fown_struct::security field is
      still to be found. I've checked every "fown_struct" and every "f_owner"
      occurence. Additionally it's removal doesn't break i386 allmodconfig
      build.
      
      struct inode, struct file, struct super_block, struct fown_struct
      become smaller.
      
      P.S. Combined with two reiserfs inode shrinking patches sent to
      linux-fsdevel, I can finally suck 12 reiserfs inodes into one page.
      
      		/proc/slabinfo
      
      	-ext2_inode_cache	388	10
      	+ext2_inode_cache	384	10
      	-inode_cache		280	14
      	+inode_cache		276	14
      	-proc_inode_cache	296	13
      	+proc_inode_cache	292	13
      	-reiser_inode_cache	336	11
      	+reiser_inode_cache	332	12 <=
      	-shmem_inode_cache	372	10
      	+shmem_inode_cache	368	10
      Signed-off-by: default avatarAlexey Dobriyan <adobriyan@gmail.com>
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
      50462062
  12. 22 Sep, 2006 6 commits
  13. 02 Aug, 2006 2 commits
  14. 30 Jun, 2006 2 commits
  15. 29 Jun, 2006 1 commit
  16. 26 Jun, 2006 1 commit
  17. 23 Jun, 2006 3 commits
  18. 22 Jun, 2006 1 commit
  19. 18 Jun, 2006 2 commits
    • David S. Miller's avatar
      [NET]: Fix warnings after LSM-IPSEC changes. · 6f68dc37
      David S. Miller authored
      
      Assignment used as truth value in xfrm_del_sa()
      and xfrm_get_policy().
      
      Wrong argument type declared for security_xfrm_state_delete()
      when SELINUX is disabled.
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6f68dc37
    • Catherine Zhang's avatar
      [LSM-IPsec]: SELinux Authorize · c8c05a8e
      Catherine Zhang authored
      
      This patch contains a fix for the previous patch that adds security
      contexts to IPsec policies and security associations.  In the previous
      patch, no authorization (besides the check for write permissions to
      SAD and SPD) is required to delete IPsec policies and security
      assocations with security contexts.  Thus a user authorized to change
      SAD and SPD can bypass the IPsec policy authorization by simply
      deleteing policies with security contexts.  To fix this security hole,
      an additional authorization check is added for removing security
      policies and security associations with security contexts.
      
      Note that if no security context is supplied on add or present on
      policy to be deleted, the SELinux module allows the change
      unconditionally.  The hook is called on deletion when no context is
      present, which we may want to change.  At present, I left it up to the
      module.
      
      LSM changes:
      
      The patch adds two new LSM hooks: xfrm_policy_delete and
      xfrm_state_delete.  The new hooks are necessary to authorize deletion
      of IPsec policies that have security contexts.  The existing hooks
      xfrm_policy_free and xfrm_state_free lack the context to do the
      authorization, so I decided to split authorization of deletion and
      memory management of security data, as is typical in the LSM
      interface.
      
      Use:
      
      The new delete hooks are checked when xfrm_policy or xfrm_state are
      deleted by either the xfrm_user interface (xfrm_get_policy,
      xfrm_del_sa) or the pfkey interface (pfkey_spddelete, pfkey_delete).
      
      SELinux changes:
      
      The new policy_delete and state_delete functions are added.
      Signed-off-by: default avatarCatherine Zhang <cxzhang@watson.ibm.com>
      Signed-off-by: default avatarTrent Jaeger <tjaeger@cse.psu.edu>
      Acked-by: default avatarJames Morris <jmorris@namei.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c8c05a8e
  20. 01 May, 2006 1 commit
  21. 25 Mar, 2006 1 commit
  22. 21 Mar, 2006 1 commit
    • Catherine Zhang's avatar
      [SECURITY]: TCP/UDP getpeersec · 2c7946a7
      Catherine Zhang authored
      
      This patch implements an application of the LSM-IPSec networking
      controls whereby an application can determine the label of the
      security association its TCP or UDP sockets are currently connected to
      via getsockopt and the auxiliary data mechanism of recvmsg.
      
      Patch purpose:
      
      This patch enables a security-aware application to retrieve the
      security context of an IPSec security association a particular TCP or
      UDP socket is using.  The application can then use this security
      context to determine the security context for processing on behalf of
      the peer at the other end of this connection.  In the case of UDP, the
      security context is for each individual packet.  An example
      application is the inetd daemon, which could be modified to start
      daemons running at security contexts dependent on the remote client.
      
      Patch design approach:
      
      - Design for TCP
      The patch enables the SELinux LSM to set the peer security context for
      a socket based on the security context of the IPSec security
      association.  The application may retrieve this context using
      getsockopt.  When called, the kernel determines if the socket is a
      connected (TCP_ESTABLISHED) TCP socket and, if so, uses the dst_entry
      cache on the socket to retrieve the security associations.  If a
      security association has a security context, the context string is
      returned, as for UNIX domain sockets.
      
      - Design for UDP
      Unlike TCP, UDP is connectionless.  This requires a somewhat different
      API to retrieve the peer security context.  With TCP, the peer
      security context stays the same throughout the connection, thus it can
      be retrieved at any time between when the connection is established
      and when it is torn down.  With UDP, each read/write can have
      different peer and thus the security context might change every time.
      As a result the security context retrieval must be done TOGETHER with
      the packet retrieval.
      
      The solution is to build upon the existing Unix domain socket API for
      retrieving user credentials.  Linux offers the API for obtaining user
      credentials via ancillary messages (i.e., out of band/control messages
      that are bundled together with a normal message).
      
      Patch implementation details:
      
      - Implementation for TCP
      The security context can be retrieved by applications using getsockopt
      with the existing SO_PEERSEC flag.  As an example (ignoring error
      checking):
      
      getsockopt(sockfd, SOL_SOCKET, SO_PEERSEC, optbuf, &optlen);
      printf("Socket peer context is: %s\n", optbuf);
      
      The SELinux function, selinux_socket_getpeersec, is extended to check
      for labeled security associations for connected (TCP_ESTABLISHED ==
      sk->sk_state) TCP sockets only.  If so, the socket has a dst_cache of
      struct dst_entry values that may refer to security associations.  If
      these have security associations with security contexts, the security
      context is returned.
      
      getsockopt returns a buffer that contains a security context string or
      the buffer is unmodified.
      
      - Implementation for UDP
      To retrieve the security context, the application first indicates to
      the kernel such desire by setting the IP_PASSSEC option via
      getsockopt.  Then the application retrieves the security context using
      the auxiliary data mechanism.
      
      An example server application for UDP should look like this:
      
      toggle = 1;
      toggle_len = sizeof(toggle);
      
      setsockopt(sockfd, SOL_IP, IP_PASSSEC, &toggle, &toggle_len);
      recvmsg(sockfd, &msg_hdr, 0);
      if (msg_hdr.msg_controllen > sizeof(struct cmsghdr)) {
          cmsg_hdr = CMSG_FIRSTHDR(&msg_hdr);
          if (cmsg_hdr->cmsg_len <= CMSG_LEN(sizeof(scontext)) &&
              cmsg_hdr->cmsg_level == SOL_IP &&
              cmsg_hdr->cmsg_type == SCM_SECURITY) {
              memcpy(&scontext, CMSG_DATA(cmsg_hdr), sizeof(scontext));
          }
      }
      
      ip_setsockopt is enhanced with a new socket option IP_PASSSEC to allow
      a server socket to receive security context of the peer.  A new
      ancillary message type SCM_SECURITY.
      
      When the packet is received we get the security context from the
      sec_path pointer which is contained in the sk_buff, and copy it to the
      ancillary message space.  An additional LSM hook,
      selinux_socket_getpeersec_udp, is defined to retrieve the security
      context from the SELinux space.  The existing function,
      selinux_socket_getpeersec does not suit our purpose, because the
      security context is copied directly to user space, rather than to
      kernel space.
      
      Testing:
      
      We have tested the patch by setting up TCP and UDP connections between
      applications on two machines using the IPSec policies that result in
      labeled security associations being built.  For TCP, we can then
      extract the peer security context using getsockopt on either end.  For
      UDP, the receiving end can retrieve the security context using the
      auxiliary data mechanism of recvmsg.
      Signed-off-by: default avatarCatherine Zhang <cxzhang@watson.ibm.com>
      Acked-by: default avatarJames Morris <jmorris@namei.org>
      Acked-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2c7946a7
  23. 20 Mar, 2006 2 commits
    • Dustin Kirkland's avatar
      [PATCH] Miscellaneous bug and warning fixes · 7306a0b9
      Dustin Kirkland authored
      
      This patch fixes a couple of bugs revealed in new features recently
      added to -mm1:
      * fixes warnings due to inconsistent use of const struct inode *inode
      * fixes bug that prevent a kernel from booting with audit on, and SELinux off
        due to a missing function in security/dummy.c
      * fixes a bug that throws spurious audit_panic() messages due to a missing
        return just before an error_path label
      * some reasonable house cleaning in audit_ipc_context(),
        audit_inode_context(), and audit_log_task_context()
      Signed-off-by: default avatarDustin Kirkland <dustin.kirkland@us.ibm.com>
      Signed-off-by: default avatarDavid Woodhouse <dwmw2@infradead.org>
      7306a0b9
    • Dustin Kirkland's avatar
      [PATCH] Capture selinux subject/object context information. · 8c8570fb
      Dustin Kirkland authored
      
      This patch extends existing audit records with subject/object context
      information. Audit records associated with filesystem inodes, ipc, and
      tasks now contain SELinux label information in the field "subj" if the
      item is performing the action, or in "obj" if the item is the receiver
      of an action.
      
      These labels are collected via hooks in SELinux and appended to the
      appropriate record in the audit code.
      
      This additional information is required for Common Criteria Labeled
      Security Protection Profile (LSPP).
      
      [AV: fixed kmalloc flags use]
      [folded leak fixes]
      [folded cleanup from akpm (kfree(NULL)]
      [folded audit_inode_context() leak fix]
      [folded akpm's fix for audit_ipc_perm() definition in case of !CONFIG_AUDIT]
      Signed-off-by: default avatarDustin Kirkland <dustin.kirkland@us.ibm.com>
      Signed-off-by: default avatarDavid Woodhouse <dwmw2@infradead.org>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      8c8570fb
  24. 03 Feb, 2006 1 commit
  25. 01 Feb, 2006 1 commit
    • Randy Dunlap's avatar
      [PATCH] tpm_bios: needs more securityfs_ functions · ed5a9270
      Randy Dunlap authored
      tpm_bios.c needs securityfs_xyz() functions.
      
      Does include/linux/security.h need stubs for these, or should
      char/tpm/Makefile just be modified to say:
      
      ifdef CONFIG_ACPI
      ifdef CONFIG_SECURITY
      	obj-$(CONFIG_TCG_TPM) += tpm_bios.o
      endif
      endif
      
      drivers/char/tpm/tpm_bios.c:494: warning: implicit declaration of function 'securityfs_create_dir'
      drivers/char/tpm/tpm_bios.c:494: warning: assignment makes pointer from integer without a cast
      drivers/char/tpm/tpm_bios.c:499: warning: implicit declaration of function 'securityfs_create_file'
      drivers/char/tpm/tpm_bios.c:501: warning: assignment makes pointer from integer without a cast
      drivers/char/tpm/tpm_bios.c:508: warning: assignment makes pointer from integer without a cast
      drivers/char/tpm/tpm_bios.c:523: warning: implicit declaration of function 'securityfs_remove'
      *** Warning: "securityfs_create_file" [drivers/char/tpm/tpm_bios.ko] undefined!
      *** Warning: "securityfs_create_dir" [drivers/char/tpm/tpm_bios.ko] undefined!
      *** Warning: "securityfs_remove" [drivers/char/tpm/tpm_bios.ko] undefined!
      
      There are also some gcc and sparse warnings that could be fixed.
      (see http://www.xenotime.net/linux/doc/build-tpm.out
      
      )
      Signed-off-by: default avatarRandy Dunlap <rdunlap@xenotime.net>
      Cc: Serge Hallyn <serue@us.ibm.com>
      Cc: Greg KH <greg@kroah.com>
      Cc: Kylene Jo Hall <kjhall@us.ibm.com>
      Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
      ed5a9270