<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/linux.git/security/smack, branch linux-4.13.y</title>
<subtitle>Linux kernel stable tree (mirror)</subtitle>
<id>https://git.radix-linux.su/kernel/linux.git/atom?h=linux-4.13.y</id>
<link rel='self' href='https://git.radix-linux.su/kernel/linux.git/atom?h=linux-4.13.y'/>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/'/>
<updated>2017-10-12T09:56:13+00:00</updated>
<entry>
<title>lsm: fix smack_inode_removexattr and xattr_getsecurity memleak</title>
<updated>2017-10-12T09:56:13+00:00</updated>
<author>
<name>Casey Schaufler</name>
<email>casey@schaufler-ca.com</email>
</author>
<published>2017-09-19T16:39:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=c43960d699932f6f70b3eabdc9f94afe86412a33'/>
<id>urn:sha1:c43960d699932f6f70b3eabdc9f94afe86412a33</id>
<content type='text'>
commit 57e7ba04d422c3d41c8426380303ec9b7533ded9 upstream.

security_inode_getsecurity() provides the text string value
of a security attribute. It does not provide a "secctx".
The code in xattr_getsecurity() that calls security_inode_getsecurity()
and then calls security_release_secctx() happened to work because
SELinux and Smack treat the attribute and the secctx the same way.
It fails for cap_inode_getsecurity(), because that module has no
secctx that ever needs releasing. It turns out that Smack is the
one that's doing things wrong by not allocating memory when instructed
to do so by the "alloc" parameter.

The fix is simple enough. Change the security_release_secctx() to
kfree() because it isn't a secctx being returned by
security_inode_getsecurity(). Change Smack to allocate the string when
told to do so.

Note: this also fixes memory leaks for LSMs which implement
inode_getsecurity but not release_secctx, such as capabilities.

Signed-off-by: Casey Schaufler &lt;casey@schaufler-ca.com&gt;
Reported-by: Konstantin Khlebnikov &lt;khlebnikov@yandex-team.ru&gt;
Signed-off-by: James Morris &lt;james.l.morris@oracle.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
</entry>
<entry>
<title>Smack: Use cap_capable in privilege check</title>
<updated>2017-06-01T16:27:21+00:00</updated>
<author>
<name>Casey Schaufler</name>
<email>casey@schaufler-ca.com</email>
</author>
<published>2017-05-31T20:23:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=f28e783ff668cf5757182f6b00d488be37226bff'/>
<id>urn:sha1:f28e783ff668cf5757182f6b00d488be37226bff</id>
<content type='text'>
Use cap_capable() rather than capable() in the Smack privilege
check as the former does not invoke other security module
privilege check, while the latter does. This becomes important
when stacking. It may be a problem even with minor modules.

Signed-off-by: Casey Schaufler &lt;casey@schaufler-ca.com&gt;
</content>
</entry>
<entry>
<title>Smack: Safer check for a socket in file_receive</title>
<updated>2017-06-01T16:27:12+00:00</updated>
<author>
<name>Casey Schaufler</name>
<email>casey@schaufler-ca.com</email>
</author>
<published>2017-05-31T15:53:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=51d59af26fe81967e0d7ec92bd9381d3b26434f3'/>
<id>urn:sha1:51d59af26fe81967e0d7ec92bd9381d3b26434f3</id>
<content type='text'>
The check of S_ISSOCK() in smack_file_receive() is not
appropriate if the passed descriptor is a socket.

Reported-by: Stephen Smalley &lt;sds@tyco.nsa.gov&gt;
Signed-off-by: Casey Schaufler &lt;casey@schaufler-ca.com&gt;
</content>
</entry>
<entry>
<title>smack: use pernet operations for hook registration</title>
<updated>2017-06-01T16:26:43+00:00</updated>
<author>
<name>Florian Westphal</name>
<email>fw@strlen.de</email>
</author>
<published>2017-04-21T09:49:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=e661a58279132da0127c67705e59d12f6027858d'/>
<id>urn:sha1:e661a58279132da0127c67705e59d12f6027858d</id>
<content type='text'>
It will allow us to remove the old netfilter hook api in the near future.

Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Casey Schaufler &lt;casey@schaufler-ca.com&gt;
</content>
</entry>
<entry>
<title>Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs</title>
<updated>2017-05-09T16:12:53+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2017-05-09T16:12:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=11fbf53d66ec302fe50b06bd7cb4863dbb98775a'/>
<id>urn:sha1:11fbf53d66ec302fe50b06bd7cb4863dbb98775a</id>
<content type='text'>
Pull misc vfs updates from Al Viro:
 "Assorted bits and pieces from various people. No common topic in this
  pile, sorry"

* 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
  fs/affs: add rename exchange
  fs/affs: add rename2 to prepare multiple methods
  Make stat/lstat/fstatat pass AT_NO_AUTOMOUNT to vfs_statx()
  fs: don't set *REFERENCED on single use objects
  fs: compat: Remove warning from COMPATIBLE_IOCTL
  remove pointless extern of atime_need_update_rcu()
  fs: completely ignore unknown open flags
  fs: add a VALID_OPEN_FLAGS
  fs: remove _submit_bh()
  fs: constify tree_descr arrays passed to simple_fill_super()
  fs: drop duplicate header percpu-rwsem.h
  fs/affs: bugfix: Write files greater than page size on OFS
  fs/affs: bugfix: enable writes on OFS disks
  fs/affs: remove node generation check
  fs/affs: import amigaffs.h
  fs/affs: bugfix: make symbolic links work again
</content>
</entry>
<entry>
<title>fs: constify tree_descr arrays passed to simple_fill_super()</title>
<updated>2017-04-27T03:54:06+00:00</updated>
<author>
<name>Eric Biggers</name>
<email>ebiggers@google.com</email>
</author>
<published>2017-03-26T04:15:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=cda37124f4e95ad5ccb11394a5802b0972668b32'/>
<id>urn:sha1:cda37124f4e95ad5ccb11394a5802b0972668b32</id>
<content type='text'>
simple_fill_super() is passed an array of tree_descr structures which
describe the files to create in the filesystem's root directory.  Since
these arrays are never modified intentionally, they should be 'const' so
that they are placed in .rodata and benefit from memory protection.
This patch updates the function signature and all users, and also
constifies tree_descr.name.

Signed-off-by: Eric Biggers &lt;ebiggers@google.com&gt;
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
</content>
</entry>
<entry>
<title>Smack: Use GFP_KERNEL for smk_netlbl_mls().</title>
<updated>2017-04-04T22:41:15+00:00</updated>
<author>
<name>Tetsuo Handa</name>
<email>penguin-kernel@I-love.SAKURA.ne.jp</email>
</author>
<published>2016-11-14T11:12:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=af96f0d6394a0af59c4dd71d6bcd3b1ddfba5196'/>
<id>urn:sha1:af96f0d6394a0af59c4dd71d6bcd3b1ddfba5196</id>
<content type='text'>
Since all callers of smk_netlbl_mls() are GFP_KERNEL context
(smk_set_cipso() calls memdup_user_nul(), init_smk_fs() calls
__kernfs_new_node(), smk_import_entry() calls kzalloc(GFP_KERNEL)),
it is safe to use GFP_KERNEL from netlbl_catmap_setbit().

Signed-off-by: Tetsuo Handa &lt;penguin-kernel@I-love.SAKURA.ne.jp&gt;
Signed-off-by: Casey Schaufler &lt;casey@schaufler-ca.com&gt;
</content>
</entry>
<entry>
<title>smack: fix double free in smack_parse_opts_str()</title>
<updated>2017-04-04T22:41:15+00:00</updated>
<author>
<name>Tetsuo Handa</name>
<email>penguin-kernel@I-love.SAKURA.ne.jp</email>
</author>
<published>2017-03-24T11:42:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=c3c8dc9f13e2e13013822ee54a529a6fe284f1e1'/>
<id>urn:sha1:c3c8dc9f13e2e13013822ee54a529a6fe284f1e1</id>
<content type='text'>
smack_parse_opts_str() calls kfree(opts-&gt;mnt_opts) when kcalloc() for
opts-&gt;mnt_opts_flags failed. But it should not have called it because
security_free_mnt_opts() will call kfree(opts-&gt;mnt_opts).

Signed-off-by: Tetsuo Handa &lt;penguin-kernel@I-love.SAKURA.ne.jp&gt;
Signed-off-by: Casey Schaufler &lt;casey@schaufler-ca.com&gt;
fixes: 3bf2789cad9e6573 ("smack: allow mount opts setting over filesystems with binary mount data")
Cc: Vivek Trivedi &lt;t.vivek@samsung.com&gt;
Cc: Amit Sahrawat &lt;a.sahrawat@samsung.com&gt;
Cc: Casey Schaufler &lt;casey@schaufler-ca.com&gt;
</content>
</entry>
<entry>
<title>security: mark LSM hooks as __ro_after_init</title>
<updated>2017-03-06T00:00:15+00:00</updated>
<author>
<name>James Morris</name>
<email>jmorris@namei.org</email>
</author>
<published>2017-02-14T13:18:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=ca97d939db114c8d1619e10a3b82af8615372dae'/>
<id>urn:sha1:ca97d939db114c8d1619e10a3b82af8615372dae</id>
<content type='text'>
Mark all of the registration hooks as __ro_after_init (via the
__lsm_ro_after_init macro).

Signed-off-by: James Morris &lt;james.l.morris@oracle.com&gt;
Acked-by:  Stephen Smalley &lt;sds@tycho.nsa.gov&gt;
Acked-by: Kees Cook &lt;keescook@chromium.org&gt;
</content>
</entry>
<entry>
<title>Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace</title>
<updated>2017-02-24T04:33:51+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2017-02-24T04:33:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=f1ef09fde17f9b77ca1435a5b53a28b203afb81c'/>
<id>urn:sha1:f1ef09fde17f9b77ca1435a5b53a28b203afb81c</id>
<content type='text'>
Pull namespace updates from Eric Biederman:
 "There is a lot here. A lot of these changes result in subtle user
  visible differences in kernel behavior. I don't expect anything will
  care but I will revert/fix things immediately if any regressions show
  up.

  From Seth Forshee there is a continuation of the work to make the vfs
  ready for unprivileged mounts. We had thought the previous changes
  prevented the creation of files outside of s_user_ns of a filesystem,
  but it turns out we missed the O_CREAT path. Ooops.

  Pavel Tikhomirov and Oleg Nesterov worked together to fix a long
  standing bug in the implementation of PR_SET_CHILD_SUBREAPER where only
  children that are forked after the prctl are considered and not
  children forked before the prctl. The only known user of this prctl
  systemd forks all children after the prctl. So no userspace
  regressions will occur. Holding earlier forked children to the same
  rules as later forked children creates a semantic that is sane enough
  to allow checkpointing of processes that use this feature.

  There is a long delayed change by Nikolay Borisov to limit inotify
  instances inside a user namespace.

  Michael Kerrisk extends the API for files used to manipulate
  namespaces with two new trivial ioctls to allow discovery of the
  hierarchy and properties of namespaces.

  Konstantin Khlebnikov with the help of Al Viro adds code that when a
  network namespace exits purges its sysctl entries from the dcache. As
  in some circumstances this could use a lot of memory.

  Vivek Goyal fixed a bug with stacked filesystems where the permissions
  on the wrong inode were being checked.

  I continue previous work on ptracing across exec. Allowing a file to
  be setuid across exec while being ptraced if the tracer has enough
  credentials in the user namespace, and if the process has CAP_SETUID
  in its own namespace. Proc files for setuid or otherwise undumpable
  executables are now owned by the root in the user namespace of their
  mm. Allowing debugging of setuid applications in containers to work
  better.

  A bug I introduced with permission checking and automount is now
  fixed. The big change is to mark the mounts that the kernel initiates
  as a result of an automount. This allows the permission checks in sget
  to be safely suppressed for this kind of mount. As the permission
  check happened when the original filesystem was mounted.

  Finally a special case in the mount namespace is removed preventing
  unbounded chains in the mount hash table, and making the semantics
  simpler which benefits CRIU.

  The vfs fix along with related work in ima and evm I believe makes us
  ready to finish developing and merge fully unprivileged mounts of the
  fuse filesystem. The cleanups of the mount namespace makes discussing
  how to fix the worst case complexity of umount. The stacked filesystem
  fixes pave the way for adding multiple mappings for the filesystem
  uids so that efficient and safer containers can be implemented"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace:
  proc/sysctl: Don't grab i_lock under sysctl_lock.
  vfs: Use upper filesystem inode in bprm_fill_uid()
  proc/sysctl: prune stale dentries during unregistering
  mnt: Tuck mounts under others instead of creating shadow/side mounts.
  prctl: propagate has_child_subreaper flag to every descendant
  introduce the walk_process_tree() helper
  nsfs: Add an ioctl() to return owner UID of a userns
  fs: Better permission checking for submounts
  exit: fix the setns() &amp;&amp; PR_SET_CHILD_SUBREAPER interaction
  vfs: open() with O_CREAT should not create inodes with unknown ids
  nsfs: Add an ioctl() to return the namespace type
  proc: Better ownership of files for non-dumpable tasks in user namespaces
  exec: Remove LSM_UNSAFE_PTRACE_CAP
  exec: Test the ptracer's saved cred to see if the tracee can gain caps
  exec: Don't reset euid and egid when the tracee has CAP_SETUID
  inotify: Convert to using per-namespace limits
</content>
</entry>
</feed>
