kernel/linux.git/security/security.c, branch v6.5.12

vfs, security: Fix automount superblock LSM init problem, preventing NFS sb sharing

2023-09-13T07:52:58+00:00

[ Upstream commit d80a8f1b58c2bc8d7c6bfb65401ea4f7ec8cddc2 ] When NFS superblocks are created by automounting, their LSM parameters aren't set in the fs_context struct prior to sget_fc() being called, leading to failure to match existing superblocks. This bug leads to messages like the following appearing in dmesg when fscache is enabled: NFS: Cache volume key already in use (nfs,4.2,2,108,106a8c0,1,,,,100000,100000,2ee,3a98,1d4c,3a98,1) Fix this by adding a new LSM hook to load fc->security for submount creation. Signed-off-by: David Howells Signed-off-by: Jeff Layton Link: https://lore.kernel.org/r/165962680944.3334508.6610023900349142034.stgit@warthog.procyon.org.uk/ # v1 Link: https://lore.kernel.org/r/165962729225.3357250.14350728846471527137.stgit@warthog.procyon.org.uk/ # v2 Link: https://lore.kernel.org/r/165970659095.2812394.6868894171102318796.stgit@warthog.procyon.org.uk/ # v3 Link: https://lore.kernel.org/r/166133579016.3678898.6283195019480567275.stgit@warthog.procyon.org.uk/ # v4 Link: https://lore.kernel.org/r/217595.1662033775@warthog.procyon.org.uk/ # v5 Fixes: 9bc61ab18b1d ("vfs: Introduce fs_context, switch vfs_kern_mount() to it.") Fixes: 779df6a5480f ("NFS: Ensure security label is set for root inode") Tested-by: Jeff Layton Acked-by: Casey Schaufler Acked-by: "Christian Brauner (Microsoft)" Acked-by: Paul Moore Reviewed-by: Jeff Layton Message-Id: <20230808-master-v9-1-e0ecde888221@kernel.org> Signed-off-by: Christian Brauner Signed-off-by: Sasha Levin

Merge tag 'lsm-pr-20230626' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm

2023-06-28T00:24:26+00:00

Pull lsm updates from Paul Moore: - A SafeSetID patch to correct what appears to be a cut-n-paste typo in the code causing a UID to be printed where a GID was desired. This is coming via the LSM tree because we haven't been able to get a response from the SafeSetID maintainer (Micah Morton) in several months. Hopefully we are able to get in touch with Micah, but until we do I'm going to pick them up in the LSM tree. - A small fix to the reiserfs LSM xattr code. We're continuing to work through some issues with the reiserfs code as we try to fixup the LSM xattr handling, but in the process we're uncovering some ugly problems in reiserfs and we may just end up removing the LSM xattr support in reiserfs prior to reiserfs' removal. For better or worse, this shouldn't impact any of the reiserfs users, as we discovered that LSM xattrs on reiserfs were completely broken, meaning no one is currently using the combo of reiserfs and a file labeling LSM. - A tweak to how the cap_user_data_t struct/typedef is declared in the header file to appease the Sparse gods. - In the process of trying to sort out the SafeSetID lost-maintainer problem I realized that I needed to update the labeled networking entry to "Supported". - Minor comment/documentation and spelling fixes. * tag 'lsm-pr-20230626' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm: device_cgroup: Fix kernel-doc warnings in device_cgroup SafeSetID: fix UID printed instead of GID MAINTAINERS: move labeled networking to "supported" capability: erase checker warnings about struct __user_cap_data_struct lsm: fix a number of misspellings reiserfs: Initialize sec->length in reiserfs_security_init(). capability: fix kernel-doc warnings in capability.c

lsm: fix a number of misspellings

2023-05-25T21:52:15+00:00

A random collection of spelling fixes for source files in the LSM layer. Reviewed-by: Casey Schaufler Signed-off-by: Paul Moore

security, lsm: Introduce security_mptcp_add_subflow()

2023-05-18T17:11:09+00:00

MPTCP can create subflows in kernel context, and later indirectly expose them to user-space, via the owning MPTCP socket. As discussed in the reported link, the above causes unexpected failures for server, MPTCP-enabled applications. Let's introduce a new LSM hook to allow the security module to relabel the subflow according to the owning user-space process, via the MPTCP socket owning the subflow. Note that the new hook requires both the MPTCP socket and the new subflow. This could allow future extensions, e.g. explicitly validating the MPTCP <-> subflow linkage. Link: https://lore.kernel.org/mptcp/CAHC9VhTNh-YwiyTds=P1e3rixEDqbRTFj22bpya=+qJqfcaMfg@mail.gmail.com/ Signed-off-by: Paolo Abeni Acked-by: Matthieu Baerts Signed-off-by: Matthieu Baerts Signed-off-by: Paul Moore

Merge tag 'lsm-pr-20230420' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm

2023-04-24T18:21:50+00:00

Pull lsm updates from Paul Moore: - Move the LSM hook comment blocks into security/security.c For many years the LSM hook comment blocks were located in a very odd place, include/linux/lsm_hooks.h, where they lived on their own, disconnected from both the function prototypes and definitions. In keeping with current kernel conventions, this moves all of these comment blocks to the top of the function definitions, transforming them into the kdoc format in the process. This should make it much easier to maintain these comments, which are the main source of LSM hook documentation. For the most part the comment contents were left as-is, although some glaring errors were corrected. Expect additional edits in the future as we slowly update and correct the comment blocks. This is the bulk of the diffstat. - Introduce LSM_ORDER_LAST Similar to how LSM_ORDER_FIRST is used to specify LSMs which should be ordered before "normal" LSMs, the LSM_ORDER_LAST is used to specify LSMs which should be ordered after "normal" LSMs. This is one of the prerequisites for transitioning IMA/EVM to a proper LSM. - Remove the security_old_inode_init_security() hook The security_old_inode_init_security() LSM hook only allows for a single xattr which is problematic both for LSM stacking and the IMA/EVM-as-a-LSM effort. This finishes the conversion over to the security_inode_init_security() hook and removes the single-xattr LSM hook. - Fix a reiserfs problem with security xattrs During the security_old_inode_init_security() removal work it became clear that reiserfs wasn't handling security xattrs properly so we fixed it. * tag 'lsm-pr-20230420' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm: (32 commits) reiserfs: Add security prefix to xattr name in reiserfs_security_write() security: Remove security_old_inode_init_security() ocfs2: Switch to security_inode_init_security() reiserfs: Switch to security_inode_init_security() security: Remove integrity from the LSM list in Kconfig Revert "integrity: double check iint_cache was initialized" security: Introduce LSM_ORDER_LAST and set it for the integrity LSM device_cgroup: Fix typo in devcgroup_css_alloc description lsm: fix a badly named parameter in security_get_getsecurity() lsm: fix doc warnings in the LSM hook comments lsm: styling fixes to security/security.c lsm: move the remaining LSM hook comments to security/security.c lsm: move the io_uring hook comments to security/security.c lsm: move the perf hook comments to security/security.c lsm: move the bpf hook comments to security/security.c lsm: move the audit hook comments to security/security.c lsm: move the binder hook comments to security/security.c lsm: move the sysv hook comments to security/security.c lsm: move the key hook comments to security/security.c lsm: move the xfrm hook comments to security/security.c ...

security: Remove security_old_inode_init_security()

2023-03-23T23:38:44+00:00

As the remaining two users reiserfs and ocfs2 switched to security_inode_init_security(), security_old_inode_init_security() can be now removed. Out-of-tree kernel modules should switch to security_inode_init_security() too. Signed-off-by: Roberto Sassu Reviewed-by: Casey Schaufler Reviewed-by: Mimi Zohar Signed-off-by: Paul Moore

selinux: remove the runtime disable functionality

2023-03-20T16:34:23+00:00

After working with the larger SELinux-based distros for several years, we're finally at a place where we can disable the SELinux runtime disable functionality. The existing kernel deprecation notice explains the functionality and why we want to remove it: The selinuxfs "disable" node allows SELinux to be disabled at runtime prior to a policy being loaded into the kernel. If disabled via this mechanism, SELinux will remain disabled until the system is rebooted. The preferred method of disabling SELinux is via the "selinux=0" boot parameter, but the selinuxfs "disable" node was created to make it easier for systems with primitive bootloaders that did not allow for easy modification of the kernel command line. Unfortunately, allowing for SELinux to be disabled at runtime makes it difficult to secure the kernel's LSM hooks using the "__ro_after_init" feature. It is that last sentence, mentioning the '__ro_after_init' hardening, which is the real motivation for this change, and if you look at the diffstat you'll see that the impact of this patch reaches across all the different LSMs, helping prevent tampering at the LSM hook level. From a SELinux perspective, it is important to note that if you continue to disable SELinux via "/etc/selinux/config" it may appear that SELinux is disabled, but it is simply in an uninitialized state. If you load a policy with `load_policy -i`, you will see SELinux come alive just as if you had loaded the policy during early-boot. It is also worth noting that the "/sys/fs/selinux/disable" file is always writable now, regardless of the Kconfig settings, but writing to the file has no effect on the system, other than to display an error on the console if a non-zero/true value is written. Finally, in the several years where we have been working on deprecating this functionality, there has only been one instance of someone mentioning any user visible breakage. In this particular case it was an individual's kernel test system, and the workaround documented in the deprecation notice ("selinux=0" on the kernel command line) resolved the issue without problem. Acked-by: Casey Schaufler Signed-off-by: Paul Moore

security: Introduce LSM_ORDER_LAST and set it for the integrity LSM

2023-03-10T23:31:35+00:00

Introduce LSM_ORDER_LAST, to satisfy the requirement of LSMs needing to be last, e.g. the 'integrity' LSM, without changing the kernel command line or configuration. Also, set this order for the 'integrity' LSM. While not enforced, this is the only LSM expected to use it. Similarly to LSM_ORDER_FIRST, LSMs with LSM_ORDER_LAST are always enabled and put at the end of the LSM list, if selected in the kernel configuration. Setting one of these orders alone, does not cause the LSMs to be selected and compiled built-in in the kernel. Finally, for LSM_ORDER_MUTABLE LSMs, set the found variable to true if an LSM is found, regardless of its order. In this way, the kernel would not wrongly report that the LSM is not built-in in the kernel if its order is LSM_ORDER_LAST. Fixes: 79f7865d844c ("LSM: Introduce "lsm=" for boottime LSM selection") Signed-off-by: Roberto Sassu Acked-by: Mimi Zohar Signed-off-by: Paul Moore

lsm: fix a badly named parameter in security_get_getsecurity()

2023-03-08T18:29:49+00:00

There is no good reason for why the "_buffer" parameter needs an underscore, get rid of it. Signed-off-by: Paul Moore

lsm: fix doc warnings in the LSM hook comments

2023-03-08T18:26:27+00:00

Signed-off-by: Paul Moore