]> git.karo-electronics.de Git - mv-sheeva.git/log
mv-sheeva.git
12 years agoDocumentation: clarify the purpose of LSMs
Kees Cook [Wed, 2 Nov 2011 00:20:01 +0000 (17:20 -0700)]
Documentation: clarify the purpose of LSMs

Clarify the purpose of the LSM interface with some brief examples and
pointers to additional documentation.

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: James Morris <jmorris@namei.org>
12 years agoinclude/linux/security.h: fix security_inode_init_security() arg
Andrew Morton [Tue, 15 Nov 2011 23:11:44 +0000 (15:11 -0800)]
include/linux/security.h: fix security_inode_init_security() arg

Make the security_inode_init_security() initxattrs arg const, to match the
non-stubbed version of that function.

Cc: James Morris <jmorris@namei.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: James Morris <jmorris@namei.org>
12 years agoselinuxfs: remove custom hex_to_bin()
Andy Shevchenko [Tue, 15 Nov 2011 23:11:41 +0000 (15:11 -0800)]
selinuxfs: remove custom hex_to_bin()

Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: Eric Paris <eparis@parisplace.org>
Cc: James Morris <jmorris@namei.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agoTOMOYO: Fix interactive judgment functionality.
Tetsuo Handa [Wed, 19 Oct 2011 21:48:57 +0000 (06:48 +0900)]
TOMOYO: Fix interactive judgment functionality.

Commit 17fcfbd9 "TOMOYO: Add interactive enforcing mode." introduced ability
to query access decision using userspace programs. It was using global PID for
reaching policy configuration of the process. However, use of PID returns stale
policy configuration when the process's subjective credentials and objective
credentials differ. Fix this problem by allowing reaching policy configuration
via query id.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agoMerge branch 'master' of git://gitorious.org/smack-next/kernel into next
James Morris [Sat, 22 Oct 2011 20:23:58 +0000 (22:23 +0200)]
Merge branch 'master' of git://gitorious.org/smack-next/kernel into next

13 years agoTOMOYO: Fix incomplete read after seek.
Tetsuo Handa [Fri, 21 Oct 2011 03:37:13 +0000 (12:37 +0900)]
TOMOYO: Fix incomplete read after seek.

Commit f23571e8 "TOMOYO: Copy directly to userspace buffer." introduced
tomoyo_flush() that flushes data to be read as soon as possible.
tomoyo_select_domain() (which is called by write()) enqueues data which meant
to be read by next read(), but previous read()'s read buffer's size was not
cleared. As a result, since 2.6.36, sequence like

   char *cp = "select global-pid=1\n";
   read(fd, buf1, sizeof(buf1));
   write(fd, cp, strlen(cp));
   read(fd, buf2, sizeof(buf2));

causes enqueued data to be flushed to buf1 rather than buf2.
Fix this bug by clearing read buffer's size upon write() request.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agoSmack: allow to access /smack/access as normal user
Jarkko Sakkinen [Tue, 18 Oct 2011 18:21:36 +0000 (21:21 +0300)]
Smack: allow to access /smack/access as normal user

Allow query access as a normal user removing the need
for CAP_MAC_ADMIN. Give RW access to /smack/access
for UGO. Do not import smack labels in access check.

Signed-off-by: Jarkko Sakkinen <jarkko.j.sakkinen@gmail.com>
Signed-off-by: Casey Schaufler <cschaufler@cschaufler-intel.(none)>
13 years agoTOMOYO: Fix unused kernel config option.
Tetsuo Handa [Sun, 16 Oct 2011 00:43:46 +0000 (09:43 +0900)]
TOMOYO: Fix unused kernel config option.

CONFIG_SECURITY_TOMOYO_MAX_{ACCEPT_ENTRY,AUDIT_LOG} introduced by commit
0e4ae0e0 "TOMOYO: Make several options configurable." were by error not used.

Reported-by: Paul Bolle <pebolle@tiscali.nl>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agoSmack: fix: invalid length set for the result of /smack/access
Jarkko Sakkinen [Tue, 18 Oct 2011 11:34:28 +0000 (14:34 +0300)]
Smack: fix: invalid length set for the result of /smack/access

Forgot to update simple_transaction_set() to take terminator
character into account.

Signed-off-by: Jarkko Sakkinen <jarkko.j.sakkinen@gmail.com>
Signed-off-by: Casey Schaufler <cschaufler@cschaufler-intel.(none)>
13 years agoSmack: compilation fix
Jarkko Sakkinen [Fri, 14 Oct 2011 10:16:24 +0000 (13:16 +0300)]
Smack: compilation fix

On some build configurations PER_CLEAR_ON_SETID symbol was not
found when compiling smack_lsm.c. This patch fixes the issue by
explicitly doing #include <linux/personality.h>.

Signed-off-by: Jarkko Sakkinen <jarkko.j.sakkinen@gmail.com>
Signed-off-by: Casey Schaufler <cschaufler@cschaufler-intel.(none)>
13 years agoSmack: fix for /smack/access output, use string instead of byte
Jarkko Sakkinen [Mon, 10 Oct 2011 11:29:28 +0000 (14:29 +0300)]
Smack: fix for /smack/access output, use string instead of byte

Small fix for the output of access SmackFS file. Use string
is instead of byte. Makes it easier to extend API if it is
needed.

Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@intel.com>
13 years agoSmack: domain transition protections (v3)
Jarkko Sakkinen [Fri, 7 Oct 2011 06:27:53 +0000 (09:27 +0300)]
Smack: domain transition protections (v3)

Protections for domain transition:

- BPRM unsafe flags
- Secureexec
- Clear unsafe personality bits.
- Clear parent death signal

Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@intel.com>
13 years agoSmack: Provide information for UDS getsockopt(SO_PEERCRED)
Casey Schaufler [Mon, 26 Sep 2011 21:43:39 +0000 (14:43 -0700)]
Smack: Provide information for UDS getsockopt(SO_PEERCRED)

This patch is targeted for the smack-next tree.

This patch takes advantage of the recent changes for performance
and points the packet labels on UDS connect at the output label of
the far side. This makes getsockopt(...SO_PEERCRED...) function
properly. Without this change the getsockopt does not provide any
information.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
13 years agoSmack: Clean up comments
Casey Schaufler [Fri, 30 Sep 2011 01:21:01 +0000 (18:21 -0700)]
Smack: Clean up comments

There are a number of comments in the Smack code that
are either malformed or include code. This patch cleans
them up.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
13 years agoSmack: Repair processing of fcntl
Casey Schaufler [Mon, 19 Sep 2011 19:41:42 +0000 (12:41 -0700)]
Smack: Repair processing of fcntl

Al Viro pointed out that the processing of fcntl done
by Smack appeared poorly designed. He was right. There
are three things that required change. Most obviously,
the list of commands that really imply writing is limited
to those involving file locking and signal handling.
The initialization if the file security blob was
incomplete, requiring use of a heretofore unused LSM hook.
Finally, the audit information coming from a helper
masked the identity of the LSM hook. This patch corrects
all three of these defects.

This is targeted for the smack-next tree pending comments.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
13 years agoSmack: Rule list lookup performance
Casey Schaufler [Tue, 20 Sep 2011 19:24:36 +0000 (12:24 -0700)]
Smack: Rule list lookup performance

This patch is targeted for the smack-next tree.

Smack access checks suffer from two significant performance
issues. In cases where there are large numbers of rules the
search of the single list of rules is wasteful. Comparing the
string values of the smack labels is less efficient than a
numeric comparison would.

These changes take advantage of the Smack label list, which
maintains the mapping of Smack labels to secids and optional
CIPSO labels. Because the labels are kept perpetually, an
access check can be done strictly based on the address of the
label in the list without ever looking at the label itself.
Rather than keeping one global list of rules the rules with
a particular subject label can be based off of that label
list entry. The access check need never look at entries that
do not use the current subject label.

This requires that packets coming off the network with
CIPSO direct Smack labels that have never been seen before
be treated carefully. The only case where they could be
delivered is where the receiving socket has an IPIN star
label, so that case is explicitly addressed.

On a system with 39,800 rules (200 labels in all permutations)
a system with this patch runs an access speed test in 5% of
the time of the old version. That should be a best case
improvement. If all of the rules are associated with the
same subject label and all of the accesses are for processes
with that label (unlikely) the improvement is about 30%.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
13 years agoSmack: check permissions from user space (v2)
Jarkko Sakkinen [Thu, 8 Sep 2011 07:12:01 +0000 (10:12 +0300)]
Smack: check permissions from user space (v2)

Adds a new file into SmackFS called 'access'. Wanted
Smack permission is written into /smack/access.
After that result can be read from the opened file.
If access applies result contains 1 and otherwise
0. File access is protected from race conditions
by using simple_transaction_get()/set() API.

Fixes from the previous version:
- Removed smack.h changes, refactoring left-over
from previous version.
- Removed #include <linux/smack.h>, refactoring
left-over from previous version.

Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@intel.com>
Signed-off-by: Casey Schaufler <cschaufler@cschaufler-intel.(none)>
13 years agoTOMOYO: Fix quota and garbage collector.
Tetsuo Handa [Tue, 11 Oct 2011 05:06:41 +0000 (14:06 +0900)]
TOMOYO: Fix quota and garbage collector.

Commit 059d84db "TOMOYO: Add socket operation restriction support" and
commit 731d37aa "TOMOYO: Allow domain transition without execve()." forgot to
update tomoyo_domain_quota_is_ok() and tomoyo_del_acl() which results in
incorrect quota counting and memory leak.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agoTOMOYO: Remove redundant tasklist_lock.
Tetsuo Handa [Tue, 11 Oct 2011 05:05:08 +0000 (14:05 +0900)]
TOMOYO: Remove redundant tasklist_lock.

rcu_read_lock() is sufficient for calling find_task_by_pid_ns()/find_task_by_vpid().

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agoTOMOYO: Fix domain transition failure warning.
Tetsuo Handa [Tue, 27 Sep 2011 02:48:53 +0000 (11:48 +0900)]
TOMOYO: Fix domain transition failure warning.

Commit bd03a3e4 "TOMOYO: Add policy namespace support." introduced policy
namespace. But as of /sbin/modprobe is executed from initramfs/initrd, profiles
for target domain's namespace is not defined because /sbin/tomoyo-init is not
yet called.

Reported-by: Jamie Nguyen <jamie@tomoyolinux.co.uk>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agoMerge branch 'next-hex2bin' of git://github.com/mzohar/linux-evm into next
James Morris [Mon, 26 Sep 2011 23:20:46 +0000 (09:20 +1000)]
Merge branch 'next-hex2bin' of git://github.com/mzohar/linux-evm into next

13 years agoTOMOYO: Remove tomoyo_policy_memory_lock spinlock.
Tetsuo Handa [Sun, 25 Sep 2011 08:51:06 +0000 (17:51 +0900)]
TOMOYO: Remove tomoyo_policy_memory_lock spinlock.

tomoyo_policy_lock mutex already protects it.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agoTOMOYO: Simplify garbage collector.
Tetsuo Handa [Sun, 25 Sep 2011 08:50:23 +0000 (17:50 +0900)]
TOMOYO: Simplify garbage collector.

When TOMOYO started using garbage collector at commit 847b173e "TOMOYO: Add
garbage collector.", we waited for close() before kfree(). Thus, elements to be
kfree()d were queued up using tomoyo_gc_list list.

But it turned out that tomoyo_element_linked_by_gc() tends to choke garbage
collector when certain pattern of entries are queued.

Since garbage collector is no longer waiting for close() since commit 2e503bbb
"TOMOYO: Fix lockdep warning.", we can remove tomoyo_gc_list list and
tomoyo_element_linked_by_gc() by doing sequential processing.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agoTOMOYO: Fix make namespacecheck warnings.
Tetsuo Handa [Sun, 25 Sep 2011 08:49:09 +0000 (17:49 +0900)]
TOMOYO: Fix make namespacecheck warnings.

Commit efe836ab "TOMOYO: Add built-in policy support." introduced
tomoyo_load_builtin_policy() but was by error called from nowhere.

Commit b22b8b9f "TOMOYO: Rename meminfo to stat and show more statistics."
introduced tomoyo_update_stat() but was by error not called from
tomoyo_assign_domain().

Also, mark tomoyo_io_printf() and tomoyo_path_permission() static functions,
as reported by "make namespacecheck".

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agotarget: check hex2bin result
Mimi Zohar [Fri, 16 Sep 2011 12:50:30 +0000 (08:50 -0400)]
target: check hex2bin result

Now that hex2bin does error checking, on error add debugging error msg.

Changelog v1 (update):
- fixed definition of 'ret'
- hex2bin now returns an int

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Acked-by: Andy Shevchenko <andy.shevchenko@gmail.com>
13 years agoencrypted-keys: check hex2bin result
Mimi Zohar [Tue, 20 Sep 2011 15:23:55 +0000 (11:23 -0400)]
encrypted-keys: check hex2bin result

For each hex2bin call in encrypted keys, check that the ascii hex string
is valid.  On failure, return -EINVAL.

Changelog v1:
- hex2bin now returns an int

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Acked-by: Andy Shevchenko <andy.shevchenko@gmail.com>
13 years agotrusted-keys: check hex2bin result
Mimi Zohar [Tue, 20 Sep 2011 15:23:52 +0000 (11:23 -0400)]
trusted-keys: check hex2bin result

For each hex2bin call in trusted keys, check that the ascii hex string is
valid.  On failure, return -EINVAL.

Changelog v1:
- hex2bin now returns an int

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Acked-by: Andy Shevchenko <andy.shevchenko@gmail.com>
13 years agolib: add error checking to hex2bin
Mimi Zohar [Tue, 20 Sep 2011 15:23:49 +0000 (11:23 -0400)]
lib: add error checking to hex2bin

hex2bin converts a hexadecimal string to its binary representation.
The original version of hex2bin did not do any error checking.  This
patch adds error checking and returns the result.

Changelog v1:
- removed unpack_hex_byte()
- changed return code from boolean to int

Changelog:
- use the new unpack_hex_byte()
- add __must_check compiler option (Andy Shevchenko's suggestion)
- change function API to return error checking result
  (based on Tetsuo Handa's initial patch)

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Acked-by: Andy Shevchenko <andy.shevchenko@gmail.com>
13 years agoTOMOYO: Allow specifying domain transition preference.
Tetsuo Handa [Fri, 16 Sep 2011 13:54:25 +0000 (22:54 +0900)]
TOMOYO: Allow specifying domain transition preference.

I got an opinion that it is difficult to use exception policy's domain
transition control directives because they need to match the pathname specified
to "file execute" directives. For example, if "file execute /bin/\*\-ls\-cat"
is given, corresponding domain transition control directive needs to be like
"no_keep_domain /bin/\*\-ls\-cat from any".

If we can specify like below, it will become more convenient.

  file execute /bin/ls keep exec.realpath="/bin/ls" exec.argv[0]="ls"
  file execute /bin/cat keep exec.realpath="/bin/cat" exec.argv[0]="cat"
  file execute /bin/\*\-ls\-cat child
  file execute /usr/sbin/httpd <apache> exec.realpath="/usr/sbin/httpd" exec.argv[0]="/usr/sbin/httpd"

In above examples, "keep" works as if keep_domain is specified, "child" works
as if "no_reset_domain" and "no_initialize_domain" and "no_keep_domain" are
specified, "<apache>" causes domain transition to <apache> domain upon
successful execve() operation.

Moreover, we can also allow transition to different domains based on conditions
like below example.

  <kernel> /usr/sbin/sshd
  file execute /bin/bash <kernel> /usr/sbin/sshd //batch-session exec.argc=2 exec.argv[1]="-c"
  file execute /bin/bash <kernel> /usr/sbin/sshd //root-session task.uid=0
  file execute /bin/bash <kernel> /usr/sbin/sshd //nonroot-session task.uid!=0

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agoencrypted-keys: IS_ERR need include/err.h
Stephen Rothwell [Thu, 15 Sep 2011 07:07:15 +0000 (17:07 +1000)]
encrypted-keys: IS_ERR need include/err.h

Fixes this build error:

security/keys/encrypted-keys/masterkey_trusted.c: In function 'request_trusted_key':
security/keys/encrypted-keys/masterkey_trusted.c:35:2: error: implicit declaration of function 'IS_ERR'

Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
13 years agoMerge branch 'next-evm' of git://github.com/mzohar/linux-evm into next
James Morris [Wed, 14 Sep 2011 23:53:38 +0000 (09:53 +1000)]
Merge branch 'next-evm' of git://github.com/mzohar/linux-evm into next

13 years agoTOMOYO: Bump version.
Tetsuo Handa [Wed, 14 Sep 2011 08:03:19 +0000 (17:03 +0900)]
TOMOYO: Bump version.

Tell userland tools that this is TOMOYO 2.5.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agoevm: clean verification status
Dmitry Kasatkin [Mon, 15 Aug 2011 12:30:11 +0000 (15:30 +0300)]
evm: clean verification status

When allocating from slab, initialization is done the first time in
init_once() and subsequently on free.  Because evm_status was not
re-initialized on free, evm_verify_hmac() skipped verifications.

This patch re-initializes evm_status.

Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
13 years agoevm: permit mode bits to be updated
Mimi Zohar [Mon, 22 Aug 2011 13:14:18 +0000 (09:14 -0400)]
evm: permit mode bits to be updated

Before permitting 'security.evm' to be updated, 'security.evm' must
exist and be valid.  In the case that there are no existing EVM protected
xattrs, it is safe for posix acls to update the mode bits.

To differentiate between no 'security.evm' xattr and no xattrs used to
calculate 'security.evm', this patch defines INTEGRITY_NOXATTR.

Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
13 years agoevm: posix acls modify i_mode
Mimi Zohar [Thu, 18 Aug 2011 22:07:44 +0000 (18:07 -0400)]
evm: posix acls modify i_mode

The posix xattr acls are 'system' prefixed, which normally would not
affect security.evm.  An interesting side affect of writing posix xattr
acls is their modifying of the i_mode, which is included in security.evm.

This patch updates security.evm when posix xattr acls are written.

Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
13 years agoevm: limit verifying current security.evm integrity
Mimi Zohar [Thu, 11 Aug 2011 05:22:30 +0000 (01:22 -0400)]
evm: limit verifying current security.evm integrity

evm_protect_xattr unnecessarily validates the current security.evm
integrity, before updating non-evm protected extended attributes
and other file metadata. This patch limits validating the current
security.evm integrity to evm protected metadata.

Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
13 years agoevm: fix security/security_old_init_security return code
Mimi Zohar [Mon, 15 Aug 2011 14:13:18 +0000 (10:13 -0400)]
evm: fix security/security_old_init_security return code

security_inode_init_security previously returned -EOPNOTSUPP, for S_PRIVATE
inodes, and relied on the callers to change it to 0.  As the callers do not
change the return code anymore, return 0, intead of -EOPNOTSUPP.

Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
13 years agoevm: remove TCG_TPM dependency
Mimi Zohar [Sun, 28 Aug 2011 12:57:11 +0000 (08:57 -0400)]
evm: remove TCG_TPM dependency

All tristates selected by EVM(boolean) are forced to be builtin, except
in the TCG_TPM(tristate) dependency case. Arnaud Lacombe summarizes the
Kconfig bug as, "So it would seem direct dependency state influence the
state of reverse dependencies.."  For a detailed explanation, refer to
Arnaud Lacombe's posting http://lkml.org/lkml/2011/8/23/498.

With the "encrypted-keys: remove trusted-keys dependency" patch, EVM
can now be built without a dependency on TCG_TPM.  The trusted-keys
dependency requires trusted-keys to either be builtin or not selected.
This dependency will prevent the boolean/tristate mismatch from
occuring.

Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>,
             Randy Dunlap <rdunlap@xenotimenet>
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
13 years agoencrypted-keys: remove trusted-keys dependency
Mimi Zohar [Sun, 28 Aug 2011 02:21:26 +0000 (22:21 -0400)]
encrypted-keys: remove trusted-keys dependency

Encrypted keys are decrypted/encrypted using either a trusted-key or,
for those systems without a TPM, a user-defined key.  This patch
removes the trusted-keys and TCG_TPM dependencies.

Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
13 years agoencrypted-keys: create encrypted-keys directory
Mimi Zohar [Wed, 14 Sep 2011 19:06:00 +0000 (15:06 -0400)]
encrypted-keys: create encrypted-keys directory

Move all files associated with encrypted keys to keys/encrypted-keys.

Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
13 years agoTOMOYO: Avoid race when retrying "file execute" permission check.
Tetsuo Handa [Sat, 10 Sep 2011 06:27:12 +0000 (15:27 +0900)]
TOMOYO: Avoid race when retrying "file execute" permission check.

There was a race window that the pathname which is subjected to "file execute"
permission check when retrying via supervisor's decision because the pathname
was recalculated upon retry. Though, there is an inevitable race window even
without supervisor, for we have to calculate the symbolic link's pathname from
"struct linux_binprm"->filename rather than from "struct linux_binprm"->file
because we cannot back calculate the symbolic link's pathname from the
dereferenced pathname.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agoTOMOYO: Allow domain transition without execve().
Tetsuo Handa [Sat, 10 Sep 2011 06:25:58 +0000 (15:25 +0900)]
TOMOYO: Allow domain transition without execve().

To be able to split permissions for Apache's CGI programs which are executed
without execve(), add special domain transition which is performed by writing
a TOMOYO's domainname to /sys/kernel/security/tomoyo/self_domain interface.

This is an API for TOMOYO-aware userland applications. However, since I expect
TOMOYO and other LSM modules to run in parallel, this patch does not use
/proc/self/attr/ interface in order to avoid conflicts with other LSM modules
when it became possible to run multiple LSM modules in parallel.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agoTOMOYO: Allow controlling generation of access granted logs for per an entry basis.
Tetsuo Handa [Sat, 10 Sep 2011 06:24:56 +0000 (15:24 +0900)]
TOMOYO: Allow controlling generation of access granted logs for per an entry basis.

Add per-entry flag which controls generation of grant logs because Xen and KVM
issues ioctl requests so frequently. For example,

  file ioctl /dev/null 0x5401 grant_log=no

will suppress /sys/kernel/security/tomoyo/audit even if preference says
grant_log=yes .

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agoTOMOYO: Add socket operation restriction support.
Tetsuo Handa [Sat, 10 Sep 2011 06:23:54 +0000 (15:23 +0900)]
TOMOYO: Add socket operation restriction support.

This patch adds support for permission checks for PF_INET/PF_INET6/PF_UNIX
socket's bind()/listen()/connect()/send() operations.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agoTOMOYO: Add environment variable name restriction support.
Tetsuo Handa [Sat, 10 Sep 2011 06:22:48 +0000 (15:22 +0900)]
TOMOYO: Add environment variable name restriction support.

This patch adds support for checking environment variable's names.
Although TOMOYO already provides ability to check argv[]/envp[] passed to
execve() requests,

  file execute /bin/sh exec.envp["LD_LIBRARY_PATH"]="bar"

will reject execution of /bin/sh if environment variable LD_LIBRARY_PATH is not
defined. To grant execution of /bin/sh if LD_LIBRARY_PATH is not defined,
administrators have to specify like

  file execute /bin/sh exec.envp["LD_LIBRARY_PATH"]="/system/lib"
  file execute /bin/sh exec.envp["LD_LIBRARY_PATH"]=NULL

. Since there are many environment variables whereas conditional checks are
applied as "&&", it is difficult to cover all combinations. Therefore, this
patch supports conditional checks that are applied as "||", by specifying like

  file execute /bin/sh
  misc env LD_LIBRARY_PATH exec.envp["LD_LIBRARY_PATH"]="/system/lib"

which means "grant execution of /bin/sh if environment variable is not defined
or is defined and its value is /system/lib".

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agosecurity: sparse fix: Move security_fixup_op to security.h
James Morris [Tue, 30 Aug 2011 03:48:53 +0000 (13:48 +1000)]
security: sparse fix: Move security_fixup_op to security.h

Fix sparse warning by moving declaraion to global header.

Signed-off-by: James Morris <jmorris@namei.org>
13 years agoselinux: sparse fix: fix several warnings in the security server code
James Morris [Tue, 30 Aug 2011 02:52:32 +0000 (12:52 +1000)]
selinux: sparse fix: fix several warnings in the security server code

Fix several sparse warnings in the SELinux security server code.

Signed-off-by: James Morris <jmorris@namei.org>
13 years agoselinux: sparse fix: include selinux.h in exports.c
James Morris [Tue, 30 Aug 2011 02:36:39 +0000 (12:36 +1000)]
selinux: sparse fix: include selinux.h in exports.c

Fix warning:
security/selinux/exports.c:18:6: warning: symbol 'selinux_is_enabled' was not declared. Should it be static?

Signed-off-by: James Morris <jmorris@namei.org>
13 years agoselinux: sparse fix: fix warnings in netlink code
James Morris [Tue, 30 Aug 2011 02:09:15 +0000 (12:09 +1000)]
selinux: sparse fix: fix warnings in netlink code

Fix sparse warnings in SELinux Netlink code.

Signed-off-by: James Morris <jmorris@namei.org>
13 years agoselinux: sparse fix: eliminate warnings for selinuxfs
James Morris [Tue, 30 Aug 2011 00:50:12 +0000 (10:50 +1000)]
selinux: sparse fix: eliminate warnings for selinuxfs

Fixes several sparse warnings for selinuxfs.c

Signed-off-by: James Morris <jmorris@namei.org>
13 years agoima: sparse fix: include linux/ima.h in ima_main.c
James Morris [Tue, 30 Aug 2011 00:19:50 +0000 (10:19 +1000)]
ima: sparse fix: include linux/ima.h in ima_main.c

Fixes sparse warnings:
security/integrity/ima/ima_main.c:105:6: warning: symbol 'ima_file_free' was not declared. Should it be static?
security/integrity/ima/ima_main.c:167:5: warning: symbol 'ima_file_mmap' was not declared. Should it be static?
security/integrity/ima/ima_main.c:192:5: warning: symbol 'ima_bprm_check' was not declared. Should it be static?
security/integrity/ima/ima_main.c:211:5: warning: symbol 'ima_file_check' was not declared. Should it be static?

Signed-off-by: James Morris <jmorris@namei.org>
13 years agoima: sparse fix: make ima_open_policy static
James Morris [Tue, 30 Aug 2011 00:18:30 +0000 (10:18 +1000)]
ima: sparse fix: make ima_open_policy static

Fixes sparse warning:
security/integrity/ima/ima_fs.c:290:5: warning: symbol 'ima_open_policy' was not declared. Should it be static?

Signed-off-by: James Morris <jmorris@namei.org>
13 years agoapparmor: sparse fix: include procattr.h in procattr.c
James Morris [Mon, 29 Aug 2011 01:45:44 +0000 (11:45 +1000)]
apparmor: sparse fix: include procattr.h in procattr.c

Fix sparse warnings:
security/apparmor/procattr.c:35:5: warning: symbol 'aa_getprocattr' was not declared. Should it be static?
security/apparmor/procattr.c:113:5: warning: symbol 'aa_setprocattr_changehat' was not declared. Should it be static?
security/apparmor/procattr.c:158:5: warning: symbol 'aa_setprocattr_changeprofile' was not declared. Should it be static?
security/apparmor/procattr.c:166:5: warning: symbol 'aa_setprocattr_permipc' was not declared. Should it be static?

Signed-off-by: James Morris <jmorris@namei.org>
Acked-by: John Johansen <john.johansen@canonical.com>
13 years agoapparmor: sparse fix: rename shadowed variables in policy_unpack.c
James Morris [Mon, 29 Aug 2011 01:43:02 +0000 (11:43 +1000)]
apparmor: sparse fix: rename shadowed variables in policy_unpack.c

Fix the following warnings:

security/apparmor/policy_unpack.c:384:35: warning: symbol 'size' shadows an earlier one
security/apparmor/policy_unpack.c:370:24: originally declared here
security/apparmor/policy_unpack.c:443:29: warning: symbol 'tmp' shadows an earlier one
security/apparmor/policy_unpack.c:434:21: originally declared here

Signed-off-by: James Morris <jmorris@namei.org>
Acked-by: John Johansen <john.johansen@canonical.com>
13 years agoapparmor: sparse fix: add apparmor.h to lib.c
James Morris [Mon, 29 Aug 2011 01:15:25 +0000 (11:15 +1000)]
apparmor: sparse fix: add apparmor.h to lib.c

Fix the following sparse warnings:
security/apparmor/lib.c:37:6: warning: symbol 'aa_split_fqname' was not declared. Should it be static?
security/apparmor/lib.c:63:6: warning: symbol 'aa_info_message' was not declared. Should it be static?
security/apparmor/lib.c:83:6: warning: symbol 'kvmalloc' was not declared. Should it be static?
security/apparmor/lib.c:123:6: warning: symbol 'kvfree' was not declared. Should it be static?

Signed-off-by: James Morris <jmorris@namei.org>
13 years agoapparmor: sparse fix: include ipc.h
James Morris [Mon, 29 Aug 2011 00:40:54 +0000 (10:40 +1000)]
apparmor: sparse fix: include ipc.h

Include ipc.h to eliminate sparse warnings.

security/apparmor/ipc.c:61:5: warning: symbol 'aa_may_ptrace' was not declared. Should it be static?
security/apparmor/ipc.c:83:5: warning: symbol 'aa_ptrace' was not declared. Should it be static

Signed-off-by: James Morris <jmorris@namei.org>
Acked-by: John Johansen <john.johansen@canonical.com>
13 years agoselinux: sparse fix: declare selinux_disable() in security.h
James Morris [Wed, 17 Aug 2011 01:17:14 +0000 (11:17 +1000)]
selinux: sparse fix: declare selinux_disable() in security.h

Sparse fix: declare selinux_disable() in security.h

Signed-off-by: James Morris <jmorris@namei.org>
13 years agoselinux: sparse fix: move selinux_complete_init
James Morris [Wed, 17 Aug 2011 01:13:31 +0000 (11:13 +1000)]
selinux: sparse fix: move selinux_complete_init

Sparse fix: move selinux_complete_init

Signed-off-by: James Morris <jmorris@namei.org>
13 years agoselinux: sparse fix: make selinux_secmark_refcount static
James Morris [Wed, 17 Aug 2011 01:08:43 +0000 (11:08 +1000)]
selinux: sparse fix: make selinux_secmark_refcount static

Sparse fix: make selinux_secmark_refcount  static.

Signed-off-by: James Morris <jmorris@namei.org>
13 years agoapparmor: sparse fix: make aa_create_aafs static
James Morris [Wed, 17 Aug 2011 01:05:21 +0000 (11:05 +1000)]
apparmor: sparse fix: make aa_create_aafs static

Sparse fix: make aa_create_aafs static.

Signed-off-by: James Morris <jmorris@namei.org>
Acked-by: John Johansen <john.johansen@canonical.com>
13 years agointegrity: sparse fix: move iint_initialized to integrity.h
James Morris [Wed, 17 Aug 2011 00:34:33 +0000 (10:34 +1000)]
integrity: sparse fix: move iint_initialized to integrity.h

Sparse fix: move iint_initialized to integrity.h

Signed-off-by: James Morris <jmorris@namei.org>
13 years agosecurity: Fix a typo
rongqing.li@windriver.com [Tue, 6 Sep 2011 03:35:36 +0000 (11:35 +0800)]
security: Fix a typo

Fix a typo.

Signed-off-by: Roy.Li <rongqing.li@windriver.com>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agoTOMOYO: Fix incorrect enforce mode.
Tetsuo Handa [Thu, 25 Aug 2011 12:15:00 +0000 (21:15 +0900)]
TOMOYO: Fix incorrect enforce mode.

In tomoyo_get_mode() since 2.6.36, CONFIG::file::execute was by error used in
place of CONFIG::file if CONFIG::file::execute was set to other than default.
As a result, enforcing mode was not applied in a way documentation says.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agotpm: suppress durations sysfs output if not read
Stefan Berger [Tue, 23 Aug 2011 12:52:10 +0000 (08:52 -0400)]
tpm: suppress durations sysfs output if not read

Suppress the output in the 'durations' sysfs entry if they were not read
during driver initialization. This is similar to other sysfs entries
that return nothing if for some reason sending the commands to the TPM
fails.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agoCRED: fix build error due to 'tgcred' undeclared
Axel Lin [Tue, 23 Aug 2011 07:23:51 +0000 (15:23 +0800)]
CRED: fix build error due to 'tgcred' undeclared

This patch adds CONFIG_KEYS guard for tgcred to fix below build error
if CONFIG_KEYS is not configured.

  CC      kernel/cred.o
kernel/cred.c: In function 'prepare_kernel_cred':
kernel/cred.c:657: error: 'tgcred' undeclared (first use in this function)
kernel/cred.c:657: error: (Each undeclared identifier is reported only once
kernel/cred.c:657: error: for each function it appears in.)
make[1]: *** [kernel/cred.o] Error 1
make: *** [kernel] Error 2

Signed-off-by: Axel Lin <axel.lin@gmail.com>
Acked-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agoKEYS: Correctly destroy key payloads when their keytype is removed
David Howells [Mon, 22 Aug 2011 13:09:36 +0000 (14:09 +0100)]
KEYS: Correctly destroy key payloads when their keytype is removed

unregister_key_type() has code to mark a key as dead and make it unavailable in
one loop and then destroy all those unavailable key payloads in the next loop.
However, the loop to mark keys dead renders the key undetectable to the second
loop by changing the key type pointer also.

Fix this by the following means:

 (1) The key code has two garbage collectors: one deletes unreferenced keys and
     the other alters keyrings to delete links to old dead, revoked and expired
     keys.  They can end up holding each other up as both want to scan the key
     serial tree under spinlock.  Combine these into a single routine.

 (2) Move the dead key marking, dead link removal and dead key removal into the
     garbage collector as a three phase process running over the three cycles
     of the normal garbage collection procedure.  This is tracked by the
     KEY_GC_REAPING_DEAD_1, _2 and _3 state flags.

     unregister_key_type() then just unlinks the key type from the list, wakes
     up the garbage collector and waits for the third phase to complete.

 (3) Downgrade the key types sem in unregister_key_type() once it has deleted
     the key type from the list so that it doesn't block the keyctl() syscall.

 (4) Dead keys that cannot be simply removed in the third phase have their
     payloads destroyed with the key's semaphore write-locked to prevent
     interference by the keyctl() syscall.  There should be no in-kernel users
     of dead keys of that type by the point of unregistration, though keyctl()
     may be holding a reference.

 (5) Only perform timer recalculation in the GC if the timer actually expired.
     If it didn't, we'll get another cycle when it goes off - and if the key
     that actually triggered it has been removed, it's not a problem.

 (6) Only garbage collect link if the timer expired or if we're doing dead key
     clean up phase 2.

 (7) As only key_garbage_collector() is permitted to use rb_erase() on the key
     serial tree, it doesn't need to revalidate its cursor after dropping the
     spinlock as the node the cursor points to must still exist in the tree.

 (8) Drop the spinlock in the GC if there is contention on it or if we need to
     reschedule.  After dealing with that, get the spinlock again and resume
     scanning.

This has been tested in the following ways:

 (1) Run the keyutils testsuite against it.

 (2) Using the AF_RXRPC and RxKAD modules to test keytype removal:

     Load the rxrpc_s key type:

# insmod /tmp/af-rxrpc.ko
# insmod /tmp/rxkad.ko

     Create a key (http://people.redhat.com/~dhowells/rxrpc/listen.c):

# /tmp/listen &
[1] 8173

     Find the key:

# grep rxrpc_s /proc/keys
091086e1 I--Q--     1 perm 39390000     0     0 rxrpc_s   52:2

     Link it to a session keyring, preferably one with a higher serial number:

# keyctl link 0x20e36251 @s

     Kill the process (the key should remain as it's linked to another place):

# fg
/tmp/listen
^C

     Remove the key type:

rmmod rxkad
rmmod af-rxrpc

     This can be made a more effective test by altering the following part of
     the patch:

if (unlikely(gc_state & KEY_GC_REAPING_DEAD_2)) {
/* Make sure everyone revalidates their keys if we marked a
 * bunch as being dead and make sure all keyring ex-payloads
 * are destroyed.
 */
kdebug("dead sync");
synchronize_rcu();

     To call synchronize_rcu() in GC phase 1 instead.  That causes that the
     keyring's old payload content to hang around longer until it's RCU
     destroyed - which usually happens after GC phase 3 is complete.  This
     allows the destroy_dead_key branch to be tested.

Reported-by: Benjamin Coddington <bcodding@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agoKEYS: The dead key link reaper should be non-reentrant
David Howells [Mon, 22 Aug 2011 13:09:28 +0000 (14:09 +0100)]
KEYS: The dead key link reaper should be non-reentrant

The dead key link reaper should be non-reentrant as it relies on global state
to keep track of where it's got to when it returns to the work queue manager to
give it some air.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agoKEYS: Make the key reaper non-reentrant
David Howells [Mon, 22 Aug 2011 13:09:20 +0000 (14:09 +0100)]
KEYS: Make the key reaper non-reentrant

Make the key reaper non-reentrant by sticking it on the appropriate system work
queue when we queue it.  This will allow it to have global state and drop
locks.  It should probably be non-reentrant already as it may spend a long time
holding the key serial spinlock, and so multiple entrants can spend long
periods of time just sitting there spinning, waiting to get the lock.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agoKEYS: Move the unreferenced key reaper to the keys garbage collector file
David Howells [Mon, 22 Aug 2011 13:09:11 +0000 (14:09 +0100)]
KEYS: Move the unreferenced key reaper to the keys garbage collector file

Move the unreferenced key reaper function to the keys garbage collector file
as that's a more appropriate place with the dead key link reaper.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agoCRED: Fix prepare_kernel_cred() to provide a new thread_group_cred struct
David Howells [Mon, 22 Aug 2011 13:09:00 +0000 (14:09 +0100)]
CRED: Fix prepare_kernel_cred() to provide a new thread_group_cred struct

Fix prepare_kernel_cred() to provide a new, separate thread_group_cred struct
otherwise when using request_key() ____call_usermodehelper() calls
umh_keys_init() with the new creds pointing to init_tgcred, which
umh_keys_init() then blithely alters.

The problem can be demonstrated by:

# keyctl request2 user a debug:a @s
249681132
# grep req /proc/keys
079906a5 I--Q--     1 perm 1f3f0000     0     0 keyring   _req.249681132: 1/4
38ef1626 IR----     1 expd 0b010000     0     0 .request_ key:ee1d4ec pid:4371 ci:1

The keyring _req.XXXX should have gone away, but something (init_tgcred) is
pinning it.

That key actually requested can then be removed and a new one created:

# keyctl unlink 249681132
1 links removed
[root@andromeda ~]# grep req /proc/keys
116cecac IR----     1 expd 0b010000     0     0 .request_ key:eeb4911 pid:4379 ci:1
36d1cbf8 I--Q--     1 perm 1f3f0000     0     0 keyring   _req.250300689: 1/4

which causes the old _req keyring to go away and a new one to take its place.

This is a consequence of the changes in:

commit 879669961b11e7f40b518784863a259f735a72bf
Author: David Howells <dhowells@redhat.com>
Date:   Fri Jun 17 11:25:59 2011 +0100
KEYS/DNS: Fix ____call_usermodehelper() to not lose the session keyring

and:

commit 17f60a7da150fdd0cfb9756f86a262daa72c835f
Author: Eric Paris <eparis@redhat.com>
Date:   Fri Apr 1 17:07:50 2011 -0400
capabilites: allow the application of capability limits to usermode helpers

After this patch is applied, the _req keyring and the .request_key key are
cleaned up.

Signed-off-by: David Howells <dhowells@redhat.com>
cc: Eric Paris <eparis@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agoKEYS: __key_link() should use the RCU deref wrapper for keyring payloads
David Howells [Mon, 22 Aug 2011 13:08:51 +0000 (14:08 +0100)]
KEYS: __key_link() should use the RCU deref wrapper for keyring payloads

__key_link() should use the RCU deref wrapper rcu_dereference_locked_keyring()
for accessing keyring payloads rather than calling rcu_dereference_protected()
directly.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agoKEYS: keyctl_get_keyring_ID() should create a session keyring if create flag set
David Howells [Mon, 22 Aug 2011 13:08:43 +0000 (14:08 +0100)]
KEYS: keyctl_get_keyring_ID() should create a session keyring if create flag set

The keyctl call:

keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 1)

should create a session keyring if the process doesn't have one of its own
because the create flag argument is set - rather than subscribing to and
returning the user-session keyring as:

keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 0)

will do.

This can be tested by commenting out pam_keyinit in the /etc/pam.d files and
running the following program a couple of times in a row:

#include <stdio.h>
#include <stdlib.h>
#include <keyutils.h>
int main(int argc, char *argv[])
{
key_serial_t uk, usk, sk, nsk;
uk  = keyctl_get_keyring_ID(KEY_SPEC_USER_KEYRING, 0);
usk = keyctl_get_keyring_ID(KEY_SPEC_USER_SESSION_KEYRING, 0);
sk  = keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 0);
nsk = keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 1);
printf("keys: %08x %08x %08x %08x\n", uk, usk, sk, nsk);
return 0;
}

Without this patch, I see:

keys: 3975ddc7 119c0c66 119c0c66 119c0c66
keys: 3975ddc7 119c0c66 119c0c66 119c0c66

With this patch, I see:

keys: 2cb4997b 34112878 34112878 17db2ce3
keys: 2cb4997b 34112878 34112878 39f3c73e

As can be seen, the session keyring starts off the same as the user-session
keyring each time, but with the patch a new session keyring is created when
the create flag is set.

Reported-by: Greg Wettstein <greg@enjellic.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Greg Wettstein <greg@enjellic.com>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agoKEYS: If install_session_keyring() is given a keyring, it should install it
David Howells [Mon, 22 Aug 2011 13:08:33 +0000 (14:08 +0100)]
KEYS: If install_session_keyring() is given a keyring, it should install it

If install_session_keyring() is given a keyring, it should install it rather
than just creating a new one anyway.  This was accidentally broken in:

commit d84f4f992cbd76e8f39c488cf0c5d123843923b1
Author: David Howells <dhowells@redhat.com>
Date:   Fri Nov 14 10:39:23 2008 +1100
Subject: CRED: Inaugurate COW credentials

The impact of that commit is that pam_keyinit no longer works correctly if
'force' isn't specified against a login process. This is because:

keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 0)

now always creates a new session keyring and thus the check whether the session
keyring and the user-session keyring are the same is always false.  This leads
pam_keyinit to conclude that a session keyring is installed and it shouldn't be
revoked by pam_keyinit here if 'revoke' is specified.

Any system that specifies 'force' against pam_keyinit in the PAM configuration
files for login methods (login, ssh, su -l, kdm, etc.) is not affected since
that bypasses the broken check and forces the creation of a new session keyring
anyway (for which the revoke flag is not cleared) - and any subsequent call to
pam_keyinit really does have a session keyring already installed, and so the
check works correctly there.

Reverting to the previous behaviour will cause the kernel to subscribe the
process to the user-session keyring as its session keyring if it doesn't have a
session keyring of its own.  pam_keyinit will detect this and install a new
session keyring anyway (and won't clear the revert flag).

This can be tested by commenting out pam_keyinit in the /etc/pam.d files and
running the following program a couple of times in a row:

#include <stdio.h>
#include <stdlib.h>
#include <keyutils.h>
int main(int argc, char *argv[])
{
key_serial_t uk, usk, sk;
uk = keyctl_get_keyring_ID(KEY_SPEC_USER_KEYRING, 0);
usk = keyctl_get_keyring_ID(KEY_SPEC_USER_SESSION_KEYRING, 0);
sk = keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 0);
printf("keys: %08x %08x %08x\n", uk, usk, sk);
return 0;
}

Without the patch, I see:

keys: 3884e281 24c4dfcf 22825f8e
keys: 3884e281 24c4dfcf 068772be

With the patch, I see:

keys: 26be9c83 0e755ce0 0e755ce0
keys: 26be9c83 0e755ce0 0e755ce0

As can be seen, with the patch, the session keyring is the same as the
user-session keyring each time; without the patch a new session keyring is
generated each time.

Reported-by: Greg Wettstein <greg@enjellic.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Greg Wettstein <greg@enjellic.com>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agoevm: add MAINTAINERS entry
Mimi Zohar [Wed, 17 Aug 2011 22:52:24 +0000 (18:52 -0400)]
evm: add MAINTAINERS entry

Update the MAINTAINERS file with an entry for EVM.

Reported-by: Randy Dunlap <rdunlap@xenotimenet>
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agoevm: add Kconfig TCG_TPM dependency
Mimi Zohar [Wed, 17 Aug 2011 22:51:36 +0000 (18:51 -0400)]
evm: add Kconfig TCG_TPM dependency

Although the EVM encrypted-key should be encrypted/decrypted using a
trusted-key, a user-defined key could be used instead. When using a user-
defined key, a TCG_TPM dependency should not be required.  Unfortunately,
the encrypted-key code needs to be refactored a bit in order to remove
this dependency.

This patch adds the TCG_TPM dependency.

Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>,
     Randy Dunlap <rdunlap@xenotimenet>
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agotomoyo: remove tomoyo_gc_thread()->daemonize()
Oleg Nesterov [Tue, 16 Aug 2011 18:34:05 +0000 (20:34 +0200)]
tomoyo: remove tomoyo_gc_thread()->daemonize()

daemonize() is only needed when a user-space task does kernel_thread().

tomoyo_gc_thread() is kthread_create()'ed and thus it doesn't need
the soon-to-be-deprecated daemonize().

Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Tejun Heo <tj@kernel.org>
Acked-by: Matt Fleming <matt.fleming@intel.com>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agoevm: fix build problems
Mimi Zohar [Mon, 15 Aug 2011 13:09:16 +0000 (09:09 -0400)]
evm: fix build problems

- Make the previously missing security_old_inode_init_security() stub
  function definition static inline.

- The stub security_inode_init_security() function previously returned
  -EOPNOTSUPP and relied on the callers to change it to 0.  The stub
  security/security_old_inode_init_security() functions now return 0.

Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agocapabilities: initialize has_cap
Serge Hallyn [Mon, 15 Aug 2011 13:29:50 +0000 (08:29 -0500)]
capabilities: initialize has_cap

Initialize has_cap in cap_bprm_set_creds()

Reported-by: Andrew G. Morgan <morgan@kernel.org>
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agocapabilities: do not grant full privs for setuid w/ file caps + no effective caps
Zhi Li [Thu, 11 Aug 2011 05:27:50 +0000 (13:27 +0800)]
capabilities: do not grant full privs for setuid w/ file caps + no effective caps

A task (when !SECURE_NOROOT) which executes a setuid-root binary will
obtain root privileges while executing that binary.  If the binary also
has effective capabilities set, then only those capabilities will be
granted.  The rationale is that the same binary can carry both setuid-root
and the minimal file capability set, so that on a filesystem not
supporting file caps the binary can still be executed with privilege,
while on a filesystem supporting file caps it will run with minimal
privilege.

This special case currently does NOT happen if there are file capabilities
but no effective capabilities.  Since capability-aware programs can very
well start with empty pE but populated pP and move those caps to pE when
needed.  In other words, if the file has file capabilities but NOT
effective capabilities, then we should do the same thing as if there
were file capabilities, and not grant full root privileges.

This patchset does that.

(Changelog by Serge Hallyn).

Signed-off-by: Zhi Li <lizhi1215@gmail.com>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agoCIFS: remove local xattr definitions
Mimi Zohar [Thu, 11 Aug 2011 20:00:47 +0000 (16:00 -0400)]
CIFS: remove local xattr definitions

Local XATTR_TRUSTED_PREFIX_LEN and XATTR_SECURITY_PREFIX_LEN definitions
redefined ones in 'linux/xattr.h'. This was caused by commit 9d8f13ba3f48
("security: new security_inode_init_security API adds function callback")
including 'linux/xattr.h' in 'linux/security.h'.

In file included from include/linux/security.h:39,
                 from include/net/sock.h:54,
                 from fs/cifs/cifspdu.h:25,
                 from fs/cifs/xattr.c:26:

This patch removes the local definitions.

Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agoevm: fix evm_inode_init_security return code
Mimi Zohar [Thu, 11 Aug 2011 04:22:52 +0000 (00:22 -0400)]
evm: fix evm_inode_init_security return code

evm_inode_init_security() should return 0, when EVM is not enabled.
(Returning an error is a remnant of evm_inode_post_init_security.)

Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agoevm: building without EVM enabled fixes
Mimi Zohar [Thu, 11 Aug 2011 04:22:51 +0000 (00:22 -0400)]
evm: building without EVM enabled fixes

- Missing 'inline' on evm_inode_setattr() definition.
Introduced by commit 817b54aa45db ("evm: add evm_inode_setattr to prevent
updating an invalid security.evm").

- Missing security_old_inode_init_security() stub function definition.
Caused by commit 9d8f13ba3f48 ("security: new security_inode_init_security
API adds function callback").

Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
13 years agoEVM: ensure trusted and encypted key symbols are available to EVM
James Morris [Tue, 9 Aug 2011 01:33:36 +0000 (11:33 +1000)]
EVM: ensure trusted and encypted key symbols are available to EVM

Select trusted and encrypted keys if EVM is selected, to ensure
the requisite symbols are available.  Otherwise, these can be
selected as modules while EVM is static, leading to a kernel
build failure.

Signed-off-by: James Morris <jmorris@namei.org>
13 years agoMerge branch 'next-evm' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/ima...
James Morris [Tue, 9 Aug 2011 00:31:03 +0000 (10:31 +1000)]
Merge branch 'next-evm' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/ima-2.6 into next

Conflicts:
fs/attr.c

Resolve conflict manually.

Signed-off-by: James Morris <jmorris@namei.org>
13 years agoMerge branch 'next-queue' into next
James Morris [Mon, 8 Aug 2011 04:04:10 +0000 (14:04 +1000)]
Merge branch 'next-queue' into next

13 years agoMerge branch 'linus'; commit 'v3.1-rc1' into next
James Morris [Mon, 8 Aug 2011 03:39:40 +0000 (13:39 +1000)]
Merge branch 'linus'; commit 'v3.1-rc1' into next

13 years agoLinux 3.1-rc1
Linus Torvalds [Mon, 8 Aug 2011 01:23:30 +0000 (18:23 -0700)]
Linux 3.1-rc1

13 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc
Linus Torvalds [Sun, 7 Aug 2011 22:52:19 +0000 (15:52 -0700)]
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc:
  sparc: Fix build with DEBUG_PAGEALLOC enabled.

13 years agosh: Fix boot crash related to SCI
Rafael J. Wysocki [Sun, 7 Aug 2011 22:26:50 +0000 (00:26 +0200)]
sh: Fix boot crash related to SCI

Commit d006199e72a9 ("serial: sh-sci: Regtype probing doesn't need to be
fatal.") made sci_init_single() return when sci_probe_regmap() succeeds,
although it should return when sci_probe_regmap() fails.  This causes
systems using the serial sh-sci driver to crash during boot.

Fix the problem by using the right return condition.

Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
13 years agoarm: remove stale export of 'sha_transform'
Linus Torvalds [Sun, 7 Aug 2011 22:49:11 +0000 (15:49 -0700)]
arm: remove stale export of 'sha_transform'

The generic library code already exports the generic function, this was
left-over from the ARM-specific version that just got removed.

Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
13 years agoarm: remove "optimized" SHA1 routines
Linus Torvalds [Sun, 7 Aug 2011 21:07:03 +0000 (14:07 -0700)]
arm: remove "optimized" SHA1 routines

Since commit 1eb19a12bd22 ("lib/sha1: use the git implementation of
SHA-1"), the ARM SHA1 routines no longer work.  The reason? They
depended on the larger 320-byte workspace, and now the sha1 workspace is
just 16 words (64 bytes).  So the assembly version would overwrite the
stack randomly.

The optimized asm version is also probably slower than the new improved
C version, so there's no reason to keep it around.  At least that was
the case in git, where what appears to be the same assembly language
version was removed two years ago because the optimized C BLK_SHA1 code
was faster.

Reported-and-tested-by: Joachim Eastwood <manabian@gmail.com>
Cc: Andreas Schwab <schwab@linux-m68k.org>
Cc: Nicolas Pitre <nico@fluxnic.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
13 years agofix rcu annotations noise in cred.h
Al Viro [Sun, 7 Aug 2011 17:55:11 +0000 (18:55 +0100)]
fix rcu annotations noise in cred.h

task->cred is declared as __rcu, and access to other tasks' ->cred is,
indeed, protected.  Access to current->cred does not need rcu_dereference()
at all, since only the task itself can change its ->cred.  sparse, of
course, has no way of knowing that...

Add force-cast in current_cred(), make current_fsuid() et.al. use it.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
13 years agovfs: rename 'do_follow_link' to 'should_follow_link'
Linus Torvalds [Sun, 7 Aug 2011 16:53:20 +0000 (09:53 -0700)]
vfs: rename 'do_follow_link' to 'should_follow_link'

Al points out that the do_follow_link() helper function really is
misnamed - it's about whether we should try to follow a symlink or not,
not about actually doing the following.

Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
13 years agoFix POSIX ACL permission check
Ari Savolainen [Sat, 6 Aug 2011 16:43:07 +0000 (19:43 +0300)]
Fix POSIX ACL permission check

After commit 3567866bf261: "RCUify freeing acls, let check_acl() go ahead in
RCU mode if acl is cached" posix_acl_permission is being called with an
unsupported flag and the permission check fails. This patch fixes the issue.

Signed-off-by: Ari Savolainen <ari.m.savolainen@gmail.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
13 years agoMerge branch 'for-linus' of git://git.open-osd.org/linux-open-osd
Linus Torvalds [Sun, 7 Aug 2011 05:56:03 +0000 (22:56 -0700)]
Merge branch 'for-linus' of git://git.open-osd.org/linux-open-osd

* 'for-linus' of git://git.open-osd.org/linux-open-osd:
  ore: Make ore its own module
  exofs: Rename raid engine from exofs/ios.c => ore
  exofs: ios: Move to a per inode components & device-table
  exofs: Move exofs specific osd operations out of ios.c
  exofs: Add offset/length to exofs_get_io_state
  exofs: Fix truncate for the raid-groups case
  exofs: Small cleanup of exofs_fill_super
  exofs: BUG: Avoid sbi realloc
  exofs: Remove pnfs-osd private definitions
  nfs_xdr: Move nfs4_string definition out of #ifdef CONFIG_NFS_V4

13 years agovfs: optimize inode cache access patterns
Linus Torvalds [Sun, 7 Aug 2011 05:45:50 +0000 (22:45 -0700)]
vfs: optimize inode cache access patterns

The inode structure layout is largely random, and some of the vfs paths
really do care.  The path lookup in particular is already quite D$
intensive, and profiles show that accessing the 'inode->i_op->xyz'
fields is quite costly.

We already optimized the dcache to not unnecessarily load the d_op
structure for members that are often NULL using the DCACHE_OP_xyz bits
in dentry->d_flags, and this does something very similar for the inode
ops that are used during pathname lookup.

It also re-orders the fields so that the fields accessed by 'stat' are
together at the beginning of the inode structure, and roughly in the
order accessed.

The effect of this seems to be in the 1-2% range for an empty kernel
"make -j" run (which is fairly kernel-intensive, mostly in filename
lookup), so it's visible.  The numbers are fairly noisy, though, and
likely depend a lot on exact microarchitecture.  So there's more tuning
to be done.

Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
13 years agovfs: renumber DCACHE_xyz flags, remove some stale ones
Linus Torvalds [Sun, 7 Aug 2011 05:41:50 +0000 (22:41 -0700)]
vfs: renumber DCACHE_xyz flags, remove some stale ones

Gcc tends to generate better code with small integers, including the
DCACHE_xyz flag tests - so move the common ones to be first in the list.
Also just remove the unused DCACHE_INOTIFY_PARENT_WATCHED and
DCACHE_AUTOFS_PENDING values, their users no longer exists in the source
tree.

And add a "unlikely()" to the DCACHE_OP_COMPARE test, since we want the
common case to be a nice straight-line fall-through.

Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
13 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Linus Torvalds [Sun, 7 Aug 2011 05:12:37 +0000 (22:12 -0700)]
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
  net: Compute protocol sequence numbers and fragment IDs using MD5.
  crypto: Move md5_transform to lib/md5.c

13 years agoore: Make ore its own module
Boaz Harrosh [Sun, 7 Aug 2011 02:22:06 +0000 (19:22 -0700)]
ore: Make ore its own module

Export everything from ore need exporting. Change Kbuild and Kconfig
to build ore.ko as an independent module. Import ore from exofs

Signed-off-by: Boaz Harrosh <bharrosh@panasas.com>
13 years agoexofs: Rename raid engine from exofs/ios.c => ore
Boaz Harrosh [Sun, 7 Aug 2011 02:26:31 +0000 (19:26 -0700)]
exofs: Rename raid engine from exofs/ios.c => ore

ORE stands for "Objects Raid Engine"

This patch is a mechanical rename of everything that was in ios.c
and its API declaration to an ore.c and an osd_ore.h header. The ore
engine will later be used by the pnfs objects layout driver.

* File ios.c => ore.c

* Declaration of types and API are moved from exofs.h to a new
  osd_ore.h

* All used types are prefixed by ore_ from their exofs_ name.

* Shift includes from exofs.h to osd_ore.h so osd_ore.h is
  independent, include it from exofs.h.

Other than a pure rename there are no other changes. Next patch
will move the ore into it's own module and will export the API
to be used by exofs and later the layout driver

Signed-off-by: Boaz Harrosh <bharrosh@panasas.com>