]> git.karo-electronics.de Git - karo-tx-linux.git/log
karo-tx-linux.git
7 years agotpm: Fix expected number of response bytes of TPM1.2 PCR Extend
Stefan Berger [Wed, 15 Feb 2017 16:56:23 +0000 (11:56 -0500)]
tpm: Fix expected number of response bytes of TPM1.2 PCR Extend

The TPM1.2 PCR Extend operation only returns 20 bytes in the body,
which is the size of the PCR state.

This fixes a problem where IMA gets errors with every PCR Extend.

Fixes: c659af78eb7b ("tpm: Check size of response before accessing data")
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Acked-by: Mimi Zohar <zohar@us.ibm.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
7 years agotpm xen: drop unneeded chip variable
Julia Lawall [Sun, 5 Feb 2017 21:39:37 +0000 (22:39 +0100)]
tpm xen: drop unneeded chip variable

The call that used chip was dropped in 1f0f30e404b3.  Drop the
leftover declaration and initialization.

Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
7 years agotpm: fix misspelled "facilitate" in module parameter description
Dmitry Torokhov [Mon, 6 Feb 2017 04:47:18 +0000 (20:47 -0800)]
tpm: fix misspelled "facilitate" in module parameter description

I typoed "facilitate" as "faciltate" a few years back...

Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
7 years agotpm_tis: fix the error handling of init_tis()
Wei Yongjun [Tue, 7 Feb 2017 15:51:47 +0000 (15:51 +0000)]
tpm_tis: fix the error handling of init_tis()

Add the missing platform_driver_unregister() and remove the duplicate
platform_device_unregister(force_pdev) in the error handling case.

Fixes: 00194826e6be ("tpm_tis: Clean up the force=1 module parameter")
Cc: stable@vger.kernel.org
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Reviewed-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
7 years agoKEYS: Use memzero_explicit() for secret data
Dan Carpenter [Thu, 9 Feb 2017 17:18:00 +0000 (17:18 +0000)]
KEYS: Use memzero_explicit() for secret data

I don't think GCC has figured out how to optimize the memset() away, but
they might eventually so let's future proof this code a bit.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
7 years agoKEYS: Fix an error code in request_master_key()
Dan Carpenter [Thu, 9 Feb 2017 17:17:52 +0000 (17:17 +0000)]
KEYS: Fix an error code in request_master_key()

This function has two callers and neither are able to handle a NULL
return.  Really, -EINVAL is the correct thing return here anyway.  This
fixes some static checker warnings like:

security/keys/encrypted-keys/encrypted.c:709 encrypted_key_decrypt()
error: uninitialized symbol 'master_key'.

Fixes: 7e70cb497850 ("keys: add new key-type encrypted")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
7 years agosign-file: fix build error in sign-file.c with libressl
Felix Fietkau [Thu, 9 Feb 2017 17:17:45 +0000 (17:17 +0000)]
sign-file: fix build error in sign-file.c with libressl

The sign-file tool failed to build against libressl. Fix this by extending
the PKCS7 check and thus making sign-file link against libressl without an
error.

Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
7 years agoMerge branch 'stable-4.11' of git://git.infradead.org/users/pcmoore/selinux into...
James Morris [Thu, 9 Feb 2017 23:28:49 +0000 (10:28 +1100)]
Merge branch 'stable-4.11' of git://git.infradead.org/users/pcmoore/selinux into next

7 years agoMerge branch 'stable-4.10' of git://git.infradead.org/users/pcmoore/selinux into...
James Morris [Wed, 8 Feb 2017 08:01:07 +0000 (19:01 +1100)]
Merge branch 'stable-4.10' of git://git.infradead.org/users/pcmoore/selinux into next

7 years agoselinux: allow changing labels for cgroupfs
Antonio Murdaca [Thu, 2 Feb 2017 15:22:57 +0000 (16:22 +0100)]
selinux: allow changing labels for cgroupfs

This patch allows changing labels for cgroup mounts. Previously, running
chcon on cgroupfs would throw an "Operation not supported". This patch
specifically whitelist cgroupfs.

The patch could also allow containers to write only to the systemd cgroup
for instance, while the other cgroups are kept with cgroup_t label.

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
7 years agoselinux: fix off-by-one in setprocattr
Stephen Smalley [Tue, 31 Jan 2017 16:54:04 +0000 (11:54 -0500)]
selinux: fix off-by-one in setprocattr

SELinux tries to support setting/clearing of /proc/pid/attr attributes
from the shell by ignoring terminating newlines and treating an
attribute value that begins with a NUL or newline as an attempt to
clear the attribute.  However, the test for clearing attributes has
always been wrong; it has an off-by-one error, and this could further
lead to reading past the end of the allocated buffer since commit
bb646cdb12e75d82258c2f2e7746d5952d3e321a ("proc_pid_attr_write():
switch to memdup_user()").  Fix the off-by-one error.

Even with this fix, setting and clearing /proc/pid/attr attributes
from the shell is not straightforward since the interface does not
support multiple write() calls (so shells that write the value and
newline separately will set and then immediately clear the attribute,
requiring use of echo -n to set the attribute), whereas trying to use
echo -n "" to clear the attribute causes the shell to skip the
write() call altogether since POSIX says that a zero-length write
causes no side effects. Thus, one must use echo -n to set and echo
without -n to clear, as in the following example:
$ echo -n unconfined_u:object_r:user_home_t:s0 > /proc/$$/attr/fscreate
$ cat /proc/$$/attr/fscreate
unconfined_u:object_r:user_home_t:s0
$ echo "" > /proc/$$/attr/fscreate
$ cat /proc/$$/attr/fscreate

Note the use of /proc/$$ rather than /proc/self, as otherwise
the cat command will read its own attribute value, not that of the shell.

There are no users of this facility to my knowledge; possibly we
should just get rid of it.

UPDATE: Upon further investigation it appears that a local process
with the process:setfscreate permission can cause a kernel panic as a
result of this bug.  This patch fixes CVE-2017-2618.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
[PM: added the update about CVE-2017-2618 to the commit description]
Cc: stable@vger.kernel.org # 3.5: d6ea83ec6864e
Signed-off-by: Paul Moore <paul@paul-moore.com>
7 years agotpm: silence an array overflow warning
Dan Carpenter [Fri, 3 Feb 2017 10:30:40 +0000 (13:30 +0300)]
tpm: silence an array overflow warning

We should check that we're within bounds first before checking that
"chip->active_banks[i] != TPM2_ALG_ERROR" so I've re-ordered the two
checks.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
7 years agotpm: fix the type of owned field in cap_t
Stefan Berger [Tue, 31 Jan 2017 18:43:59 +0000 (13:43 -0500)]
tpm: fix the type of owned field in cap_t

In cap_t the size of the type bool is assumed to be one byte. This
commit sorts out the issue by changing the type to u8.

Fixes: c659af78eb7b ("tpm: Check size of response before accessing data")
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
7 years agotpm: add securityfs support for TPM 2.0 firmware event log
Nayna Jain [Mon, 23 Jan 2017 07:26:27 +0000 (02:26 -0500)]
tpm: add securityfs support for TPM 2.0 firmware event log

Unlike the device driver support for TPM 1.2, the TPM 2.0 does
not support the securityfs pseudo files for displaying the
firmware event log.

This patch enables support for providing the TPM 2.0 event log in
binary form. TPM 2.0 event log supports a crypto agile format that
records multiple digests, which is different from TPM 1.2. This
patch enables the tpm_bios_log_setup for TPM 2.0  and adds the
event log parser which understand the TPM 2.0 crypto agile format.

Signed-off-by: Nayna Jain <nayna@linux.vnet.ibm.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Kenneth Goldman <kgold@linux.vnet.ibm.com>
Tested-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
7 years agotpm: enhance read_log_of() to support Physical TPM event log
Nayna Jain [Mon, 23 Jan 2017 07:26:26 +0000 (02:26 -0500)]
tpm: enhance read_log_of() to support Physical TPM event log

Physical TPMs use Open Firmware Device Tree bindings that are similar
to the IBM Power virtual TPM to support event log. However, these
properties store the values in different endianness for Physical
and Virtual TPM.

This patch fixes the endianness issue by doing appropriate conversion
based on Physical or Virtual TPM.

Signed-off-by: Nayna Jain <nayna@linux.vnet.ibm.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Kenneth Goldman <kgold@linux.vnet.ibm.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
7 years agotpm: enhance TPM 2.0 PCR extend to support multiple banks
Nayna Jain [Mon, 30 Jan 2017 09:59:41 +0000 (04:59 -0500)]
tpm: enhance TPM 2.0 PCR extend to support multiple banks

The current TPM 2.0 device driver extends only the SHA1 PCR bank
but the TCG Specification[1] recommends extending all active PCR
banks, to prevent malicious users from setting unused PCR banks with
fake measurements and quoting them.

The existing in-kernel interface(tpm_pcr_extend()) expects only a
SHA1 digest.  To extend all active PCR banks with differing
digest sizes, the SHA1 digest is padded with trailing 0's as needed.

This patch reuses the defined digest sizes from the crypto subsystem,
adding a dependency on CRYPTO_HASH_INFO module.

[1] TPM 2.0 Specification referred here is "TCG PC Client Specific
Platform Firmware Profile for TPM 2.0"

Signed-off-by: Nayna Jain <nayna@linux.vnet.ibm.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Kenneth Goldman <kgold@linux.vnet.ibm.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
7 years agotpm: implement TPM 2.0 capability to get active PCR banks
Nayna Jain [Mon, 30 Jan 2017 09:59:40 +0000 (04:59 -0500)]
tpm: implement TPM 2.0 capability to get active PCR banks

This patch implements the TPM 2.0 capability TPM_CAP_PCRS to
retrieve the active PCR banks from the TPM. This is needed
to enable extending all active banks as recommended by TPM 2.0
TCG Specification.

Signed-off-by: Nayna Jain <nayna@linux.vnet.ibm.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Kenneth Goldman <kgold@linux.vnet.ibm.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
7 years agotpm: fix RC value check in tpm2_seal_trusted
Jarkko Sakkinen [Wed, 25 Jan 2017 21:00:22 +0000 (23:00 +0200)]
tpm: fix RC value check in tpm2_seal_trusted

The error code handling is broken as any error code that has the same
bits set as TPM_RC_HASH passes. Implemented tpm2_rc_value() helper to
parse the error value from FMT0 and FMT1 error codes so that these types
of mistakes are prevented in the future.

Fixes: 5ca4c20cfd37 ("keys, trusted: select hash algorithm for TPM2 chips")
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Reviewed-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
7 years agotpm_tis: fix iTPM probe via probe_itpm() function
Maciej S. Szmigiero [Wed, 25 Jan 2017 20:07:36 +0000 (22:07 +0200)]
tpm_tis: fix iTPM probe via probe_itpm() function

probe_itpm() function is supposed to send command without an itpm flag set
and if this fails to repeat it, this time with the itpm flag set.

However, commit 41a5e1cf1fe15 ("tpm/tpm_tis: Split tpm_tis driver into a
core and TCG TIS compliant phy") moved the itpm flag from an "itpm"
variable to a TPM_TIS_ITPM_POSSIBLE chip flag, so setting the
(now function-local) itpm variable no longer had any effect.

Finally, this function-local itpm variable was removed by
commit 56af322156dbe9 ("tpm/tpm_tis: remove unused itpm variable")

Tested only on non-iTPM TIS TPM.

Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
7 years agotpm: Begin the process to deprecate user_read_timer
Jason Gunthorpe [Tue, 24 Jan 2017 00:06:08 +0000 (17:06 -0700)]
tpm: Begin the process to deprecate user_read_timer

For a long time the cdev read/write interface had this strange
idea that userspace had to read the result within 60 seconds otherwise
it is discarded. Perhaps this made sense under some older locking regime,
but in the modern kernel it is not required and is just dangerous.

Since something may be relying on this, double the timeout and print a
warning. We can remove the code in a few years, but this should be
enough to prevent new users.

Suggested-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
7 years agotpm: remove tpm_read_index and tpm_write_index from tpm.h
Jarkko Sakkinen [Wed, 25 Jan 2017 14:47:39 +0000 (16:47 +0200)]
tpm: remove tpm_read_index and tpm_write_index from tpm.h

These are non-generic functions and do not belong to tpm.h.

Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Reviewed-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
7 years agoima: allow to check MAY_APPEND
Lans Zhang [Fri, 6 Jan 2017 04:38:11 +0000 (12:38 +0800)]
ima: allow to check MAY_APPEND

Otherwise some mask and inmask tokens with MAY_APPEND flag may not work
as expected.

Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
7 years agoima: fix ima_d_path() possible race with rename
Mimi Zohar [Tue, 17 Jan 2017 11:45:41 +0000 (06:45 -0500)]
ima: fix ima_d_path() possible race with rename

On failure to return a pathname from ima_d_path(), a pointer to
dname is returned, which is subsequently used in the IMA measurement
list, the IMA audit records, and other audit logging.  Saving the
pointer to dname for later use has the potential to race with rename.

Intead of returning a pointer to dname on failure, this patch returns
a pointer to a copy of the filename.

Reported-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: stable@vger.kernel.org
7 years agoMerge branch 'smack-for-4.11' of git://github.com/cschaufler/smack-next into next
James Morris [Thu, 26 Jan 2017 22:23:21 +0000 (09:23 +1100)]
Merge branch 'smack-for-4.11' of git://github.com/cschaufler/smack-next into next

7 years agotpm: Check size of response before accessing data
Stefan Berger [Thu, 19 Jan 2017 12:19:12 +0000 (07:19 -0500)]
tpm: Check size of response before accessing data

Make sure that we have not received less bytes than what is indicated
in the header of the TPM response. Also, check the number of bytes in
the response before accessing its data.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkine@linux.intel.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkine@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkine@linux.intel.com>
7 years agotpm_tis: use default timeout value if chip reports it as zero
Maciej S. Szmigiero [Fri, 13 Jan 2017 21:37:00 +0000 (22:37 +0100)]
tpm_tis: use default timeout value if chip reports it as zero

Since commit 1107d065fdf1 ("tpm_tis: Introduce intermediate layer for
TPM access") Atmel 3203 TPM on ThinkPad X61S (TPM firmware version 13.9)
no longer works.  The initialization proceeds fine until we get and
start using chip-reported timeouts - and the chip reports C and D
timeouts of zero.

It turns out that until commit 8e54caf407b98e ("tpm: Provide a generic
means to override the chip returned timeouts") we had actually let
default timeout values remain in this case, so let's bring back this
behavior to make chips like Atmel 3203 work again.

Use a common code that was introduced by that commit so a warning is
printed in this case and /sys/class/tpm/tpm*/timeouts correctly says the
timeouts aren't chip-original.

Fixes: 1107d065fdf1 ("tpm_tis: Introduce intermediate layer for TPM access")
Cc: stable@vger.kernel.org
Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
7 years agotpm: Do not print an error message when doing TPM auto startup
Jason Gunthorpe [Mon, 21 Nov 2016 18:31:09 +0000 (11:31 -0700)]
tpm: Do not print an error message when doing TPM auto startup

This is a regression when this code was reworked and made the error
print unconditional. The original code deliberately suppressed printing
of the first error message so it could quietly sense
TPM_ERR_INVALID_POSTINIT.

Fixes: a502feb67b47 ("tpm: Clean up reading of timeout and duration capabilities")
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
7 years agotpm, tpm_crb: Handle 64-bit resource in crb_check_resource()
Jiandi An [Mon, 19 Dec 2016 04:20:53 +0000 (22:20 -0600)]
tpm, tpm_crb: Handle 64-bit resource in crb_check_resource()

crb_check_resource() in TPM CRB driver calls
acpi_dev_resource_memory() which only handles 32-bit resources.
Adding a call to acpi_dev_resource_address_space() in TPM CRB
driver which handles 64-bit resources.

Signed-off-by: Jiandi An <anjiandi@codeaurora.org>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
7 years agotpm/tpm_tis_spi: drop duplicate header module.h
Geliang Tang [Wed, 23 Nov 2016 15:18:53 +0000 (23:18 +0800)]
tpm/tpm_tis_spi: drop duplicate header module.h

Drop duplicate header module.h from tpm_tis_spi.c.

Signed-off-by: Geliang Tang <geliangtang@gmail.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
7 years agotpm/st33zp24: Remove unneeded linux/miscdevice.h include
Corentin Labbe [Thu, 15 Dec 2016 17:10:17 +0000 (18:10 +0100)]
tpm/st33zp24: Remove unneeded linux/miscdevice.h include

tpm/st33zp24/st33zp24.c does not use any miscdevice so this patch remove
this unnecessary inclusion.

Signed-off-by: Corentin Labbe <clabbe.montjoie@gmail.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
7 years agotpm/vtpm: fix kdoc warnings
Winkler, Tomas [Wed, 23 Nov 2016 10:04:14 +0000 (12:04 +0200)]
tpm/vtpm: fix kdoc warnings

Use corret kdoc format for function description and eliminate warning
of type:

tpm_ibmvtpm.c:66: warning: No description found for parameter 'count'

Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
7 years agotmp: use pdev for parent device in tpm_chip_alloc
Winkler, Tomas [Wed, 23 Nov 2016 10:04:13 +0000 (12:04 +0200)]
tmp: use pdev for parent device in tpm_chip_alloc

The tpm stack uses pdev name convention for the parent device.
Fix that also in tpm_chip_alloc().

Fixes: 3897cd9c8d1d ("tpm: Split out the devm stuff from tpmm_chip_alloc")'
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
7 years agotpm/tpm2-chip: fix kdoc errors
Winkler, Tomas [Wed, 23 Nov 2016 10:04:12 +0000 (12:04 +0200)]
tpm/tpm2-chip: fix kdoc errors

Use correct kdoc format, describe correct parameters and return values.

Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
7 years agotpm: add kdoc for tpm_transmit and tpm_transmit_cmd
Winkler, Tomas [Wed, 23 Nov 2016 10:04:11 +0000 (12:04 +0200)]
tpm: add kdoc for tpm_transmit and tpm_transmit_cmd

Functions tpm_transmit and transmit_cmd are referenced
from other functions kdoc hence deserve documentation.

Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
7 years agoseccomp: dump core when using SECCOMP_RET_KILL
Mike Frysinger [Fri, 20 Jan 2017 04:28:57 +0000 (22:28 -0600)]
seccomp: dump core when using SECCOMP_RET_KILL

The SECCOMP_RET_KILL mode is documented as immediately killing the
process as if a SIGSYS had been sent and not caught (similar to a
SIGKILL).  However, a SIGSYS is documented as triggering a coredump
which does not happen today.

This has the advantage of being able to more easily debug a process
that fails a seccomp filter.  Today, most apps need to recompile and
change their filter in order to get detailed info out, or manually run
things through strace, or enable detailed kernel auditing.  Now we get
coredumps that fit into existing system-wide crash reporting setups.

From a security pov, this shouldn't be a problem.  Unhandled signals
can already be sent externally which trigger a coredump independent of
the status of the seccomp filter.  The act of dumping core itself does
not cause change in execution of the program.

URL: https://crbug.com/676357
Signed-off-by: Mike Frysinger <vapier@chromium.org>
Acked-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: James Morris <james.l.morris@oracle.com>
7 years agoLSM: Add /sys/kernel/security/lsm
Casey Schaufler [Thu, 19 Jan 2017 01:09:05 +0000 (17:09 -0800)]
LSM: Add /sys/kernel/security/lsm

I am still tired of having to find indirect ways to determine
what security modules are active on a system. I have added
/sys/kernel/security/lsm, which contains a comma separated
list of the active security modules. No more groping around
in /proc/filesystems or other clever hacks.

Unchanged from previous versions except for being updated
to the latest security next branch.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: James Morris <james.l.morris@oracle.com>
7 years agoapparmor: fix undefined reference to `aa_g_hash_policy'
John Johansen [Mon, 16 Jan 2017 21:21:27 +0000 (13:21 -0800)]
apparmor: fix undefined reference to `aa_g_hash_policy'

The kernel build bot turned up a bad config combination when
CONFIG_SECURITY_APPARMOR is y and CONFIG_SECURITY_APPARMOR_HASH is n,
resulting in the build error
   security/built-in.o: In function `aa_unpack':
   (.text+0x841e2): undefined reference to `aa_g_hash_policy'

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: replace remaining BUG_ON() asserts with AA_BUG()
John Johansen [Mon, 16 Jan 2017 08:43:15 +0000 (00:43 -0800)]
apparmor: replace remaining BUG_ON() asserts with AA_BUG()

AA_BUG() uses WARN and won't break the kernel like BUG_ON().

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: fix restricted endian type warnings for policy unpack
John Johansen [Mon, 16 Jan 2017 08:43:14 +0000 (00:43 -0800)]
apparmor: fix restricted endian type warnings for policy unpack

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: fix restricted endian type warnings for dfa unpack
John Johansen [Mon, 16 Jan 2017 08:43:13 +0000 (00:43 -0800)]
apparmor: fix restricted endian type warnings for dfa unpack

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: add check for apparmor enabled in module parameters missing it
John Johansen [Mon, 16 Jan 2017 08:43:11 +0000 (00:43 -0800)]
apparmor: add check for apparmor enabled in module parameters missing it

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: add per cpu work buffers to avoid allocating buffers at every hook
John Johansen [Mon, 16 Jan 2017 08:43:10 +0000 (00:43 -0800)]
apparmor: add per cpu work buffers to avoid allocating buffers at every hook

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: sysctl to enable unprivileged user ns AppArmor policy loading
Tyler Hicks [Thu, 17 Mar 2016 00:19:10 +0000 (19:19 -0500)]
apparmor: sysctl to enable unprivileged user ns AppArmor policy loading

If this sysctl is set to non-zero and a process with CAP_MAC_ADMIN in
the root namespace has created an AppArmor policy namespace,
unprivileged processes will be able to change to a profile in the
newly created AppArmor policy namespace and, if the profile allows
CAP_MAC_ADMIN and appropriate file permissions, will be able to load
policy in the respective policy namespace.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: support querying extended trusted helper extra data
William Hua [Mon, 16 Jan 2017 00:49:28 +0000 (16:49 -0800)]
apparmor: support querying extended trusted helper extra data

Allow a profile to carry extra data that can be queried via userspace.
This provides a means to store extra data in a profile that a trusted
helper can extract and use from live policy.

Signed-off-by: William Hua <william.hua@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: update cap audit to check SECURITY_CAP_NOAUDIT
John Johansen [Mon, 16 Jan 2017 08:43:08 +0000 (00:43 -0800)]
apparmor: update cap audit to check SECURITY_CAP_NOAUDIT

apparmor should be checking the SECURITY_CAP_NOAUDIT constant. Also
in complain mode make it so apparmor can elect to log a message,
informing of the check.

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: make computing policy hashes conditional on kernel parameter
John Johansen [Mon, 16 Jan 2017 08:43:07 +0000 (00:43 -0800)]
apparmor: make computing policy hashes conditional on kernel parameter

Allow turning off the computation of the policy hashes via the
apparmor.hash_policy kernel parameter.

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: convert change_profile to use fqname later to give better control
John Johansen [Mon, 16 Jan 2017 08:43:06 +0000 (00:43 -0800)]
apparmor: convert change_profile to use fqname later to give better control

Moving the use of fqname to later allows learning profiles to be based
on the fqname request instead of just the hname. It also allows cleaning
up some of the name parsing and lookup by allowing the use of
the fqlookupn_profile() lib fn.

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: fix change_hat debug output
John Johansen [Mon, 16 Jan 2017 08:43:05 +0000 (00:43 -0800)]
apparmor: fix change_hat debug output

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: remove unused op parameter from simple_write_to_buffer()
John Johansen [Mon, 16 Jan 2017 08:43:03 +0000 (00:43 -0800)]
apparmor: remove unused op parameter from simple_write_to_buffer()

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: change aad apparmor_audit_data macro to a fn macro
John Johansen [Mon, 16 Jan 2017 08:43:02 +0000 (00:43 -0800)]
apparmor: change aad apparmor_audit_data macro to a fn macro

The aad macro can replace aad strings when it is not intended to. Switch
to a fn macro so it is only applied when intended.

Also at the same time cleanup audit_data initialization by putting
common boiler plate behind a macro, and dropping the gfp_t parameter
which will become useless.

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: change op from int to const char *
John Johansen [Mon, 16 Jan 2017 08:43:01 +0000 (00:43 -0800)]
apparmor: change op from int to const char *

Having ops be an integer that is an index into an op name table is
awkward and brittle. Every op change requires an edit for both the
op constant and a string in the table. Instead switch to using const
strings directly, eliminating the need for the table that needs to
be kept in sync.

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: rename context abreviation cxt to the more standard ctx
John Johansen [Mon, 16 Jan 2017 08:43:00 +0000 (00:43 -0800)]
apparmor: rename context abreviation cxt to the more standard ctx

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: fail task profile update if current_cred isn't real_cred
John Johansen [Mon, 16 Jan 2017 08:42:59 +0000 (00:42 -0800)]
apparmor: fail task profile update if current_cred isn't real_cred

Trying to update the task cred while the task current cred is not the
real cred will result in an error at the cred layer. Avoid this by
failing early and delaying the update.

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: add per policy ns .load, .replace, .remove interface files
John Johansen [Mon, 16 Jan 2017 08:42:58 +0000 (00:42 -0800)]
apparmor: add per policy ns .load, .replace, .remove interface files

Having per policy ns interface files helps with containers restoring
policy.

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: pass the subject profile into profile replace/remove
John Johansen [Mon, 16 Jan 2017 08:42:57 +0000 (00:42 -0800)]
apparmor: pass the subject profile into profile replace/remove

This is just setup for new ns specific .load, .replace, .remove interface
files.

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: audit policy ns specified in policy load
John Johansen [Mon, 16 Jan 2017 08:42:56 +0000 (00:42 -0800)]
apparmor: audit policy ns specified in policy load

Verify that profiles in a load set specify the same policy ns and
audit the name of the policy ns that policy is being loaded for.

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: allow introspecting the loaded policy pre internal transform
John Johansen [Mon, 16 Jan 2017 08:42:55 +0000 (00:42 -0800)]
apparmor: allow introspecting the loaded policy pre internal transform

Store loaded policy and allow introspecting it through apparmorfs. This
has several uses from debugging, policy validation, and policy checkpoint
and restore for containers.

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: add ns name to the audit data for policy loads
John Johansen [Mon, 16 Jan 2017 08:42:54 +0000 (00:42 -0800)]
apparmor: add ns name to the audit data for policy loads

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: add profile and ns params to aa_may_manage_policy()
John Johansen [Mon, 16 Jan 2017 08:42:52 +0000 (00:42 -0800)]
apparmor: add profile and ns params to aa_may_manage_policy()

Policy management will be expanded beyond traditional unconfined root.
This will require knowning the profile of the task doing the management
and the ns view.

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: add ns being viewed as a param to policy_admin_capable()
John Johansen [Mon, 16 Jan 2017 08:42:51 +0000 (00:42 -0800)]
apparmor: add ns being viewed as a param to policy_admin_capable()

Prepare for a tighter pairing of user namespaces and apparmor policy
namespaces, by making the ns to be viewed available.

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: add ns being viewed as a param to policy_view_capable()
John Johansen [Mon, 16 Jan 2017 08:42:50 +0000 (00:42 -0800)]
apparmor: add ns being viewed as a param to policy_view_capable()

Prepare for a tighter pairing of user namespaces and apparmor policy
namespaces, by making the ns to be viewed available and checking
that the user namespace level is the same as the policy ns level.

This strict pairing will be relaxed once true support of user namespaces
lands.

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: allow specifying the profile doing the management
John Johansen [Mon, 16 Jan 2017 08:42:49 +0000 (00:42 -0800)]
apparmor: allow specifying the profile doing the management

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: allow introspecting the policy namespace name
John Johansen [Mon, 16 Jan 2017 08:42:48 +0000 (00:42 -0800)]
apparmor: allow introspecting the policy namespace name

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: Make aa_remove_profile() callable from a different view
John Johansen [Mon, 16 Jan 2017 08:42:47 +0000 (00:42 -0800)]
apparmor: Make aa_remove_profile() callable from a different view

This is prep work for fs operations being able to remove namespaces.

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: track ns level so it can be used to help in view checks
John Johansen [Mon, 16 Jan 2017 08:42:46 +0000 (00:42 -0800)]
apparmor: track ns level so it can be used to help in view checks

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: add special .null file used to "close" fds at exec
John Johansen [Mon, 16 Jan 2017 08:42:45 +0000 (00:42 -0800)]
apparmor: add special .null file used to "close" fds at exec

Borrow the special null device file from selinux to "close" fds that
don't have sufficient permissions at exec time.

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: provide userspace flag indicating binfmt_elf_mmap change
John Johansen [Mon, 16 Jan 2017 08:42:43 +0000 (00:42 -0800)]
apparmor: provide userspace flag indicating binfmt_elf_mmap change

Commit 9f834ec18def ("binfmt_elf: switch to new creds when switching to new mm")
changed when the creds are installed by the binfmt_elf handler. This
affects which creds are used to mmap the executable into the address
space. Which can have an affect on apparmor policy.

Add a flag to apparmor at
/sys/kernel/security/apparmor/features/domain/fix_binfmt_elf_mmap

to make it possible to detect this semantic change so that the userspace
tools and the regression test suite can correctly deal with the change.

BugLink: http://bugs.launchpad.net/bugs/1630069
Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: add a default null dfa
John Johansen [Mon, 16 Jan 2017 08:42:42 +0000 (00:42 -0800)]
apparmor: add a default null dfa

Instead of testing whether a given dfa exists in every code path, have
a default null dfa that is used when loaded policy doesn't provide a
dfa.

This will let us get rid of special casing and avoid dereference bugs
when special casing is missed.

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: allow policydb to be used as the file dfa
John Johansen [Mon, 16 Jan 2017 08:42:41 +0000 (00:42 -0800)]
apparmor: allow policydb to be used as the file dfa

Newer policy will combine the file and policydb dfas, allowing for
better optimizations. However to support older policy we need to
keep the ability to address the "file" dfa separately. So dup
the policydb as if it is the file dfa and set the appropriate start
state.

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: add get_dfa() fn
John Johansen [Mon, 16 Jan 2017 08:42:40 +0000 (00:42 -0800)]
apparmor: add get_dfa() fn

The dfa is currently setup to be shared (has the basis of refcounting)
but currently can't be because the count can't be increased.

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: prepare to support newer versions of policy
John Johansen [Mon, 16 Jan 2017 08:42:39 +0000 (00:42 -0800)]
apparmor: prepare to support newer versions of policy

Newer policy encodes more than just version in the version tag,
so add masking to make sure the comparison remains correct.

Note: this is fully compatible with older policy as it will never set
the bits being masked out.

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: add support for force complain flag to support learning mode
John Johansen [Mon, 16 Jan 2017 08:42:38 +0000 (00:42 -0800)]
apparmor: add support for force complain flag to support learning mode

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: remove paranoid load switch
John Johansen [Mon, 16 Jan 2017 08:42:37 +0000 (00:42 -0800)]
apparmor: remove paranoid load switch

Policy should always under go a full paranoid verification.

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: name null-XXX profiles after the executable
John Johansen [Mon, 16 Jan 2017 08:42:36 +0000 (00:42 -0800)]
apparmor: name null-XXX profiles after the executable

When possible its better to name a learning profile after the missing
profile in question. This allows for both more informative names and
for profile reuse.

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: pass gfp_t parameter into profile allocation
John Johansen [Mon, 16 Jan 2017 08:42:35 +0000 (00:42 -0800)]
apparmor: pass gfp_t parameter into profile allocation

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: refactor prepare_ns() and make usable from different views
John Johansen [Mon, 16 Jan 2017 08:42:34 +0000 (00:42 -0800)]
apparmor: refactor prepare_ns() and make usable from different views

prepare_ns() will need to be called from alternate views, and namespaces
will need to be created via different interfaces. So refactor and
allow specifying the view ns.

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: update policy_destroy to use new debug asserts
John Johansen [Mon, 16 Jan 2017 08:42:32 +0000 (00:42 -0800)]
apparmor: update policy_destroy to use new debug asserts

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: pass gfp param into aa_policy_init()
John Johansen [Mon, 16 Jan 2017 08:42:31 +0000 (00:42 -0800)]
apparmor: pass gfp param into aa_policy_init()

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: constify policy name and hname
John Johansen [Mon, 16 Jan 2017 08:42:30 +0000 (00:42 -0800)]
apparmor: constify policy name and hname

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: rename hname_tail to basename
John Johansen [Mon, 16 Jan 2017 08:42:29 +0000 (00:42 -0800)]
apparmor: rename hname_tail to basename

Rename to the shorter and more familiar shell cmd name

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: rename mediated_filesystem() to path_mediated_fs()
John Johansen [Mon, 16 Jan 2017 08:42:28 +0000 (00:42 -0800)]
apparmor: rename mediated_filesystem() to path_mediated_fs()

Rename to indicate the test is only about whether path mediation is used,
not whether other types of mediation might be used.

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: add debug assert AA_BUG and Kconfig to control debug info
John Johansen [Mon, 16 Jan 2017 08:42:27 +0000 (00:42 -0800)]
apparmor: add debug assert AA_BUG and Kconfig to control debug info

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: add macro for bug asserts to check that a lock is held
John Johansen [Mon, 16 Jan 2017 08:42:26 +0000 (00:42 -0800)]
apparmor: add macro for bug asserts to check that a lock is held

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: allow ns visibility question to consider subnses
John Johansen [Mon, 16 Jan 2017 08:42:25 +0000 (00:42 -0800)]
apparmor: allow ns visibility question to consider subnses

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: add fn to lookup profiles by fqname
John Johansen [Mon, 16 Jan 2017 08:42:24 +0000 (00:42 -0800)]
apparmor: add fn to lookup profiles by fqname

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: add lib fn to find the "split" for fqnames
John Johansen [Mon, 16 Jan 2017 08:42:23 +0000 (00:42 -0800)]
apparmor: add lib fn to find the "split" for fqnames

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: add strn version of aa_find_ns
John Johansen [Mon, 16 Jan 2017 08:42:22 +0000 (00:42 -0800)]
apparmor: add strn version of aa_find_ns

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: add strn version of lookup_profile fn
John Johansen [Mon, 16 Jan 2017 08:42:21 +0000 (00:42 -0800)]
apparmor: add strn version of lookup_profile fn

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: rename replacedby to proxy
John Johansen [Mon, 16 Jan 2017 08:42:19 +0000 (00:42 -0800)]
apparmor: rename replacedby to proxy

Proxy is shorter and a better fit than replaceby, so rename it.

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: rename PFLAG_INVALID to PFLAG_STALE
John Johansen [Mon, 16 Jan 2017 08:42:18 +0000 (00:42 -0800)]
apparmor: rename PFLAG_INVALID to PFLAG_STALE

Invalid does not convey the meaning of the flag anymore so rename it.

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: rename sid to secid
John Johansen [Mon, 16 Jan 2017 08:42:17 +0000 (00:42 -0800)]
apparmor: rename sid to secid

Move to common terminology with other LSMs and kernel infrastucture

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: rename namespace to ns to improve code line lengths
John Johansen [Mon, 16 Jan 2017 08:42:16 +0000 (00:42 -0800)]
apparmor: rename namespace to ns to improve code line lengths

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: split apparmor policy namespaces code into its own file
John Johansen [Mon, 16 Jan 2017 08:42:15 +0000 (00:42 -0800)]
apparmor: split apparmor policy namespaces code into its own file

Policy namespaces will be diverging from profile management and
expanding so put it in its own file.

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: split out shared policy_XXX fns to lib
John Johansen [Mon, 16 Jan 2017 08:42:14 +0000 (00:42 -0800)]
apparmor: split out shared policy_XXX fns to lib

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: move lib definitions into separate lib include
John Johansen [Mon, 16 Jan 2017 08:42:13 +0000 (00:42 -0800)]
apparmor: move lib definitions into separate lib include

Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoapparmor: use designated initializers
Kees Cook [Sat, 17 Dec 2016 01:04:13 +0000 (17:04 -0800)]
apparmor: use designated initializers

Prepare to mark sensitive kernel structures for randomization by making
sure they're using designated initializers. These were identified during
allyesconfig builds of x86, arm, and arm64, with most initializer fixes
extracted from grsecurity.

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agoAppArmor: Use GFP_KERNEL for __aa_kvmalloc().
Tetsuo Handa [Mon, 14 Nov 2016 11:11:52 +0000 (20:11 +0900)]
AppArmor: Use GFP_KERNEL for __aa_kvmalloc().

Calling kmalloc(GFP_NOIO) with order == PAGE_ALLOC_COSTLY_ORDER is not
recommended because it might fall into infinite retry loop without
invoking the OOM killer.

Since aa_dfa_unpack() is the only caller of kvzalloc() and
aa_dfa_unpack() which is calling kvzalloc() via unpack_table() is
doing kzalloc(GFP_KERNEL), it is safe to use GFP_KERNEL from
__aa_kvmalloc().

Since aa_simple_write_to_buffer() is the only caller of kvmalloc()
and aa_simple_write_to_buffer() is calling copy_from_user() which
is GFP_KERNEL context (see memdup_user_nul()), it is safe to use
GFP_KERNEL from __aa_kvmalloc().

Therefore, replace GFP_NOIO with GFP_KERNEL. Also, since we have
vmalloc() fallback, add __GFP_NORETRY so that we don't invoke the OOM
killer by kmalloc(GFP_KERNEL) with order == PAGE_ALLOC_COSTLY_ORDER.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: John Johansen <john.johansen@canonical.com>
7 years agosecurity,selinux,smack: kill security_task_wait hook
Stephen Smalley [Tue, 10 Jan 2017 17:28:32 +0000 (12:28 -0500)]
security,selinux,smack: kill security_task_wait hook

As reported by yangshukui, a permission denial from security_task_wait()
can lead to a soft lockup in zap_pid_ns_processes() since it only expects
sys_wait4() to return 0 or -ECHILD. Further, security_task_wait() can
in general lead to zombies; in the absence of some way to automatically
reparent a child process upon a denial, the hook is not useful.  Remove
the security hook and its implementations in SELinux and Smack.  Smack
already removed its check from its hook.

Reported-by: yangshukui <yangshukui@huawei.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
7 years agoselinux: drop unused socket security classes
Stephen Smalley [Wed, 11 Jan 2017 21:33:54 +0000 (16:33 -0500)]
selinux: drop unused socket security classes

Several of the extended socket classes introduced by
commit da69a5306ab92e07 ("selinux: support distinctions
among all network address families") are never used because
sockets can never be created with the associated address family.
Remove these unused socket security classes.  The removed classes
are bridge_socket for PF_BRIDGE, ib_socket for PF_IB, and mpls_socket
for PF_MPLS.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
7 years agoSmack: ignore private inode for file functions
Seung-Woo Kim [Mon, 12 Dec 2016 08:35:26 +0000 (17:35 +0900)]
Smack: ignore private inode for file functions

The access to fd from anon_inode is always failed because there is
no set xattr operations. So this patch fixes to ignore private
inode including anon_inode for file functions.

It was only ignored for smack_file_receive() to share dma-buf fd,
but dma-buf has other functions like ioctl and mmap.

Reference: https://lkml.org/lkml/2015/4/17/16

Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>