Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v4.4.214 2015-06-04T20:22:17+00:00 2015-06-04T20:22:17+00:00 Stephen Smalley sds@tycho.nsa.gov 2015-06-04T20:22:17+00:00 urn:sha1:42a9699a9fa179c0054ea3cf5ad3cc67104a6162 Remove unused permission definitions from SELinux. Many of these were only ever used in pre-mainline versions of SELinux, prior to Linux 2.6.0. Some of them were used in the legacy network or compat_net=1 checks that were disabled by default in Linux 2.6.18 and fully removed in Linux 2.6.30. Permissions never used in mainline Linux: file swapon filesystem transition tcp_socket { connectto newconn acceptfrom } node enforce_dest unix_stream_socket { newconn acceptfrom } Legacy network checks, removed in 2.6.30: socket { recv_msg send_msg } node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send } netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send } Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <pmoore@redhat.com> 2015-06-04T20:22:16+00:00 Stephen Smalley sds@tycho.nsa.gov 2015-06-04T20:22:16+00:00 urn:sha1:6c6d2e9bde1c1c87a7ead806f8f5e2181d41a652 Update the set of SELinux netlink socket class definitions to match the set of netlink protocols implemented by the kernel. The ip_queue implementation for the NETLINK_FIREWALL and NETLINK_IP6_FW protocols was removed in d16cf20e2f2f13411eece7f7fb72c17d141c4a84, so we can remove the corresponding class definitions as this is dead code. Add new classes for NETLINK_ISCSI, NETLINK_FIB_LOOKUP, NETLINK_CONNECTOR, NETLINK_NETFILTER, NETLINK_GENERIC, NETLINK_SCSITRANSPORT, NETLINK_RDMA, and NETLINK_CRYPTO so that we can distinguish among sockets created for each of these protocols. This change does not define the finer-grained nlsmsg_read/write permissions or map specific nlmsg_type values to those permissions in the SELinux nlmsgtab; if finer-grained control of these sockets is desired/required, that can be added as a follow-on change. We do not define a SELinux class for NETLINK_ECRYPTFS as the implementation was removed in 624ae5284516870657505103ada531c64dba2a9a. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <pmoore@redhat.com> 2015-01-25T17:17:57+00:00 Stephen Smalley sds@tycho.nsa.gov 2015-01-21T15:54:10+00:00 urn:sha1:79af73079d753b2d04e46f7445716d3b5f914dbd Add security hooks to the binder and implement the hooks for SELinux. The security hooks enable security modules such as SELinux to implement controls over binder IPC. The security hooks include support for controlling what process can become the binder context manager (binder_set_context_mgr), controlling the ability of a process to invoke a binder transaction/IPC to another process (binder_transaction), controlling the ability of a process to transfer a binder reference to another process (binder_transfer_binder), and controlling the ability of a process to transfer an open file to another process (binder_transfer_file). These hooks have been included in the Android kernel trees since Android 4.3. (Updated to reflect upstream relocation and changes to the binder driver, changes to the LSM audit data structures, coding style cleanups, and to add inline documentation for the hooks). Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: Nick Kralevich <nnk@google.com> Acked-by: Jeffrey Vander Stoep <jeffv@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2014-04-23T01:42:27+00:00 Richard Guy Briggs rgb@redhat.com 2014-04-23T01:31:56+00:00 urn:sha1:3a101b8de0d39403b2c7e5c23fd0b005668acf48 Register a netlink per-protocol bind fuction for audit to check userspace process capabilities before allowing a multicast group connection. Signed-off-by: Richard Guy Briggs <rgb@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2013-01-14T23:16:59+00:00 Paul Moore pmoore@redhat.com 2013-01-14T07:12:13+00:00 urn:sha1:6f96c142f77c96a34ac377a3616ee7abcd77fb4d Add a new permission to align with the new TUN multiqueue support, "tun_socket:attach_queue". The corresponding SELinux reference policy patch is show below: diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors index 28802c5..a0664a1 100644 --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors @@ -827,6 +827,9 @@ class kernel_service class tun_socket inherits socket +{ + attach_queue +} class x_pointer inherits x_device Signed-off-by: Paul Moore <pmoore@redhat.com> Acked-by: Eric Paris <eparis@parisplace.org> Tested-by: Jason Wang <jasowang@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2012-07-18T20:42:44+00:00 Linus Torvalds torvalds@linux-foundation.org 2012-07-18T20:42:44+00:00 urn:sha1:e2f3b78557ff11f58d836e016900c3210f4fb1c1 Pull SELinux regression fixes from James Morris. Andrew Morton has a box that hit that open perms problem. I also renamed the "epollwakeup" selinux name for the new capability to be "block_suspend", to match the rename done by commit d9914cf66181 ("PM: Rename CAP_EPOLLWAKEUP to CAP_BLOCK_SUSPEND"). * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: SELinux: do not check open perms if they are not known to policy SELinux: include definition of new capabilities 2012-07-16T01:40:31+00:00 Eric Paris eparis@redhat.com 2012-07-06T18:13:29+00:00 urn:sha1:64919e60915c5151b3dd4c8d2d9237a115ca990c The kernel has added CAP_WAKE_ALARM and CAP_EPOLLWAKEUP. We need to define these in SELinux so they can be mediated by policy. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <james.l.morris@oracle.com> 2011-03-03T20:19:43+00:00 Harry Ciao qingtao.cao@windriver.com 2011-03-02T05:46:08+00:00 urn:sha1:4bc6c2d5d8386800fde23a8e78cd4f04a0ade0ad The security_is_socket_class() is auto-generated by genheaders based on classmap.h to reduce maintenance effort when a new class is defined in SELinux kernel. The name for any socket class should be suffixed by "socket" and doesn't contain more than one substr of "socket". Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> 2011-02-25T20:40:00+00:00 Eric Paris eparis@redhat.com 2011-02-25T20:39:20+00:00 urn:sha1:47ac19ea429aee561f66e9cd05b908e8ffbc498a These permissions are not used and can be dropped in the kernel definitions. Suggested-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> 2010-11-28T21:35:12+00:00 Serge E. Hallyn serge@hallyn.com 2010-11-25T17:11:32+00:00 urn:sha1:ce6ada35bdf710d16582cc4869c26722547e6f11 Privileged syslog operations currently require CAP_SYS_ADMIN. Split this off into a new CAP_SYSLOG privilege which we can sanely take away from a container through the capability bounding set. With this patch, an lxc container can be prevented from messing with the host's syslog (i.e. dmesg -c). Changelog: mar 12 2010: add selinux capability2:cap_syslog perm Changelog: nov 22 2010: . port to new kernel . add a WARN_ONCE if userspace isn't using CAP_SYSLOG Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Acked-by: Andrew G. Morgan <morgan@kernel.org> Acked-By: Kees Cook <kees.cook@canonical.com> Cc: James Morris <jmorris@namei.org> Cc: Michael Kerrisk <mtk.manpages@gmail.com> Cc: Stephen Smalley <sds@tycho.nsa.gov> Cc: "Christopher J. PeBenito" <cpebenito@tresys.com> Cc: Eric Paris <eparis@parisplace.org> Signed-off-by: James Morris <jmorris@namei.org>