summaryrefslogtreecommitdiff
path: root/security
AgeCommit message (Collapse)AuthorFilesLines
2017-01-16apparmor: rename context abreviation cxt to the more standard ctxJohn Johansen5-144/+150
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: fail task profile update if current_cred isn't real_credJohn Johansen1-0/+3
Trying to update the task cred while the task current cred is not the real cred will result in an error at the cred layer. Avoid this by failing early and delaying the update. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: add per policy ns .load, .replace, .remove interface filesJohn Johansen2-22/+130
Having per policy ns interface files helps with containers restoring policy. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: pass the subject profile into profile replace/removeJohn Johansen3-16/+21
This is just setup for new ns specific .load, .replace, .remove interface files. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: audit policy ns specified in policy loadJohn Johansen3-24/+77
Verify that profiles in a load set specify the same policy ns and audit the name of the policy ns that policy is being loaded for. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: allow introspecting the loaded policy pre internal transformJohn Johansen8-58/+278
Store loaded policy and allow introspecting it through apparmorfs. This has several uses from debugging, policy validation, and policy checkpoint and restore for containers. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: add ns name to the audit data for policy loadsJohn Johansen2-10/+25
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: add profile and ns params to aa_may_manage_policy()John Johansen3-14/+12
Policy management will be expanded beyond traditional unconfined root. This will require knowning the profile of the task doing the management and the ns view. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: add ns being viewed as a param to policy_admin_capable()John Johansen3-10/+16
Prepare for a tighter pairing of user namespaces and apparmor policy namespaces, by making the ns to be viewed available. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: add ns being viewed as a param to policy_view_capable()John Johansen4-8/+35
Prepare for a tighter pairing of user namespaces and apparmor policy namespaces, by making the ns to be viewed available and checking that the user namespace level is the same as the policy ns level. This strict pairing will be relaxed once true support of user namespaces lands. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: allow specifying the profile doing the managementJohn Johansen1-11/+21
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: allow introspecting the policy namespace nameJohn Johansen1-0/+24
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: Make aa_remove_profile() callable from a different viewJohn Johansen3-5/+7
This is prep work for fs operations being able to remove namespaces. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: track ns level so it can be used to help in view checksJohn Johansen1-0/+1
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: add special .null file used to "close" fds at execJohn Johansen3-1/+81
Borrow the special null device file from selinux to "close" fds that don't have sufficient permissions at exec time. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: provide userspace flag indicating binfmt_elf_mmap changeJohn Johansen1-0/+1
Commit 9f834ec18def ("binfmt_elf: switch to new creds when switching to new mm") changed when the creds are installed by the binfmt_elf handler. This affects which creds are used to mmap the executable into the address space. Which can have an affect on apparmor policy. Add a flag to apparmor at /sys/kernel/security/apparmor/features/domain/fix_binfmt_elf_mmap to make it possible to detect this semantic change so that the userspace tools and the regression test suite can correctly deal with the change. BugLink: http://bugs.launchpad.net/bugs/1630069 Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: add a default null dfaJohn Johansen6-2/+46
Instead of testing whether a given dfa exists in every code path, have a default null dfa that is used when loaded policy doesn't provide a dfa. This will let us get rid of special casing and avoid dereference bugs when special casing is missed. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: allow policydb to be used as the file dfaJohn Johansen1-4/+8
Newer policy will combine the file and policydb dfas, allowing for better optimizations. However to support older policy we need to keep the ability to address the "file" dfa separately. So dup the policydb as if it is the file dfa and set the appropriate start state. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: add get_dfa() fnJohn Johansen1-0/+15
The dfa is currently setup to be shared (has the basis of refcounting) but currently can't be because the count can't be increased. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: prepare to support newer versions of policyJohn Johansen2-10/+25
Newer policy encodes more than just version in the version tag, so add masking to make sure the comparison remains correct. Note: this is fully compatible with older policy as it will never set the bits being masked out. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: add support for force complain flag to support learning modeJohn Johansen1-1/+3
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: remove paranoid load switchJohn Johansen2-16/+10
Policy should always under go a full paranoid verification. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: name null-XXX profiles after the executableJohn Johansen3-17/+47
When possible its better to name a learning profile after the missing profile in question. This allows for both more informative names and for profile reuse. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: pass gfp_t parameter into profile allocationJohn Johansen4-8/+9
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: refactor prepare_ns() and make usable from different viewsJohn Johansen5-38/+79
prepare_ns() will need to be called from alternate views, and namespaces will need to be created via different interfaces. So refactor and allow specifying the view ns. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: update policy_destroy to use new debug assertsJohn Johansen1-9/+2
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: pass gfp param into aa_policy_init()John Johansen4-7/+7
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: constify policy name and hnameJohn Johansen3-4/+4
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: rename hname_tail to basenameJohn Johansen3-4/+4
Rename to the shorter and more familiar shell cmd name Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: rename mediated_filesystem() to path_mediated_fs()John Johansen2-8/+8
Rename to indicate the test is only about whether path mediation is used, not whether other types of mediation might be used. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: add debug assert AA_BUG and Kconfig to control debug infoJohn Johansen3-4/+43
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: add macro for bug asserts to check that a lock is heldJohn Johansen1-0/+11
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: allow ns visibility question to consider subnsesJohn Johansen4-8/+14
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: add fn to lookup profiles by fqnameJohn Johansen4-7/+38
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: add lib fn to find the "split" for fqnamesJohn Johansen2-0/+55
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: add strn version of aa_find_nsJohn Johansen2-6/+29
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: add strn version of lookup_profile fnJohn Johansen2-11/+27
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: rename replacedby to proxyJohn Johansen5-65/+65
Proxy is shorter and a better fit than replaceby, so rename it. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: rename PFLAG_INVALID to PFLAG_STALEJohn Johansen3-5/+5
Invalid does not convey the meaning of the flag anymore so rename it. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: rename sid to secidJohn Johansen4-65/+65
Move to common terminology with other LSMs and kernel infrastucture Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: rename namespace to ns to improve code line lengthsJohn Johansen8-128/+122
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: split apparmor policy namespaces code into its own fileJohn Johansen10-391/+454
Policy namespaces will be diverging from profile management and expanding so put it in its own file. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: split out shared policy_XXX fns to libJohn Johansen4-132/+137
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: move lib definitions into separate lib includeJohn Johansen5-82/+99
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: use designated initializersKees Cook2-5/+7
Prepare to mark sensitive kernel structures for randomization by making sure they're using designated initializers. These were identified during allyesconfig builds of x86, arm, and arm64, with most initializer fixes extracted from grsecurity. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16AppArmor: Use GFP_KERNEL for __aa_kvmalloc().Tetsuo Handa1-1/+2
Calling kmalloc(GFP_NOIO) with order == PAGE_ALLOC_COSTLY_ORDER is not recommended because it might fall into infinite retry loop without invoking the OOM killer. Since aa_dfa_unpack() is the only caller of kvzalloc() and aa_dfa_unpack() which is calling kvzalloc() via unpack_table() is doing kzalloc(GFP_KERNEL), it is safe to use GFP_KERNEL from __aa_kvmalloc(). Since aa_simple_write_to_buffer() is the only caller of kvmalloc() and aa_simple_write_to_buffer() is calling copy_from_user() which is GFP_KERNEL context (see memdup_user_nul()), it is safe to use GFP_KERNEL from __aa_kvmalloc(). Therefore, replace GFP_NOIO with GFP_KERNEL. Also, since we have vmalloc() fallback, add __GFP_NORETRY so that we don't invoke the OOM killer by kmalloc(GFP_KERNEL) with order == PAGE_ALLOC_COSTLY_ORDER. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-14locking/atomic, kref: Use kref_get_unless_zero() morePeter Zijlstra2-8/+2
For some obscure reason apparmor thinks its needs to locally implement kref primitives that already exist. Stop doing this. Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: linux-kernel@vger.kernel.org Signed-off-by: Ingo Molnar <mingo@kernel.org>
2017-01-12security,selinux,smack: kill security_task_wait hookStephen Smalley3-33/+0
As reported by yangshukui, a permission denial from security_task_wait() can lead to a soft lockup in zap_pid_ns_processes() since it only expects sys_wait4() to return 0 or -ECHILD. Further, security_task_wait() can in general lead to zombies; in the absence of some way to automatically reparent a child process upon a denial, the hook is not useful. Remove the security hook and its implementations in SELinux and Smack. Smack already removed its check from its hook. Reported-by: yangshukui <yangshukui@huawei.com> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: Casey Schaufler <casey@schaufler-ca.com> Acked-by: Oleg Nesterov <oleg@redhat.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
2017-01-12selinux: drop unused socket security classesStephen Smalley2-12/+0
Several of the extended socket classes introduced by commit da69a5306ab92e07 ("selinux: support distinctions among all network address families") are never used because sockets can never be created with the associated address family. Remove these unused socket security classes. The removed classes are bridge_socket for PF_BRIDGE, ib_socket for PF_IB, and mpls_socket for PF_MPLS. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <paul@paul-moore.com>
2017-01-10Smack: ignore private inode for file functionsSeung-Woo Kim1-0/+12
The access to fd from anon_inode is always failed because there is no set xattr operations. So this patch fixes to ignore private inode including anon_inode for file functions. It was only ignored for smack_file_receive() to share dma-buf fd, but dma-buf has other functions like ioctl and mmap. Reference: https://lkml.org/lkml/2015/4/17/16 Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>