Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.18.22 2024-10-04T15:41:22+00:00 2024-10-04T15:41:22+00:00 Paul Moore paul@paul-moore.com 2024-10-03T20:43:39+00:00 urn:sha1:c5e3cdbf2afedef77b64229fd0aed693abf0a0c4 This patch reverts two TOMOYO patches that were merged into Linus' tree during the v6.12 merge window: 8b985bbfabbe ("tomoyo: allow building as a loadable LSM module") 268225a1de1a ("tomoyo: preparation step for building as a loadable LSM module") Together these two patches introduced the CONFIG_SECURITY_TOMOYO_LKM Kconfig build option which enabled a TOMOYO specific dynamic LSM loading mechanism (see the original commits for more details). Unfortunately, this approach was widely rejected by the LSM community as well as some members of the general kernel community. Objections included concerns over setting a bad precedent regarding individual LSMs managing their LSM callback registrations as well as general kernel symbol exporting practices. With little to no support for the CONFIG_SECURITY_TOMOYO_LKM approach outside of Tetsuo, and multiple objections, we need to revert these changes. Link: https://lore.kernel.org/all/0c4b443a-9c72-4800-97e8-a3816b6a9ae2@I-love.SAKURA.ne.jp Link: https://lore.kernel.org/all/CAHC9VhR=QjdoHG3wJgHFJkKYBg7vkQH2MpffgVzQ0tAByo_wRg@mail.gmail.com Acked-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Paul Moore <paul@paul-moore.com> 2024-09-23T10:00:21+00:00 Tetsuo Handa penguin-kernel@I-love.SAKURA.ne.jp 2024-09-23T10:00:21+00:00 urn:sha1:268225a1de1a021bac4884e7d61fe047345cc9be In order to allow Makefile to generate tomoyo.ko as output, rename tomoyo.c to hooks.h and cut out LSM hook registration part that will be built into vmlinux from hooks.h to init.c . Also, update comments and relocate some variables. No behavior changes. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> 2021-12-15T11:13:55+00:00 Tetsuo Handa penguin-kernel@I-love.SAKURA.ne.jp 2021-12-15T11:13:55+00:00 urn:sha1:f702e1107601230eec707739038a89018ea3468d hwight16() is much faster. While we are at it, no need to include "perm =" part into data_race() macro, for perm is a local variable that cannot be accessed by other threads. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> 2021-12-15T11:11:07+00:00 Dmitry Vyukov dvyukov@google.com 2021-12-14T09:45:26+00:00 urn:sha1:04e57a2d952bbd34bc45744e72be3eecdc344294 If tomoyo is used in a testing/fuzzing environment in learning mode, for lots of domains the quota will be exceeded and stay exceeded for prolonged periods of time. In such cases it's pointless (and slow) to walk the whole acl list again and again just to rediscover that the quota is exceeded. We already have the TOMOYO_DIF_QUOTA_WARNED flag that notes the overflow condition. Check it early to avoid the slowdown. [penguin-kernel] This patch causes a user visible change that the learning mode will not be automatically resumed after the quota is increased. To resume the learning mode, administrator will need to explicitly clear TOMOYO_DIF_QUOTA_WARNED flag after increasing the quota. But I think that this change is generally preferable, for administrator likely wants to optimize the acl list for that domain before increasing the quota, or that domain likely hits the quota again. Therefore, don't try to care to clear TOMOYO_DIF_QUOTA_WARNED flag automatically when the quota for that domain changed. Signed-off-by: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> 2021-06-15T15:01:28+00:00 ChenXiaoSong chenxiaosong2@huawei.com 2021-06-10T07:49:00+00:00 urn:sha1:98eaa63e96273de075f3ce4eac0f18b33d28b84c Fix gcc W=1 warnings: security/tomoyo/audit.c:331: warning: Function parameter or member 'matched_acl' not described in 'tomoyo_get_audit' security/tomoyo/securityfs_if.c:146: warning: Function parameter or member 'inode' not described in 'tomoyo_release' security/tomoyo/tomoyo.c:122: warning: Function parameter or member 'path' not described in 'tomoyo_inode_getattr' security/tomoyo/tomoyo.c:497: warning: Function parameter or member 'clone_flags' not described in 'tomoyo_task_alloc' security/tomoyo/util.c:92: warning: Function parameter or member 'time64' not described in 'tomoyo_convert_time' Signed-off-by: ChenXiaoSong <chenxiaosong2@huawei.com> [ penguin-kernel: Also adjust spaces and similar warnings ] Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> 2021-02-01T02:52:11+00:00 Tetsuo Handa penguin-kernel@I-love.SAKURA.ne.jp 2021-02-01T02:52:11+00:00 urn:sha1:5797e861e402fff2bedce4ec8b7c89f4248b6073 syzbot is reporting that tomoyo's quota check is racy [1]. But this check is tolerant of some degree of inaccuracy. Thus, teach KCSAN to ignore this data race. [1] https://syzkaller.appspot.com/bug?id=999533deec7ba6337f8aa25d8bd1a4d5f7e50476 Reported-by: syzbot <syzbot+0789a72b46fd91431bd8@syzkaller.appspotmail.com> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> 2020-11-03T04:50:02+00:00 Tetsuo Handa penguin-kernel@I-love.SAKURA.ne.jp 2020-11-03T04:17:40+00:00 urn:sha1:e991a40b3d0000a2f48729aea4ce03acf679b5ee Since wildcards that need recursion consume kernel stack memory (or might cause CPU stall warning problem), we cannot allow infinite recursion. Since TOMOYO 1.8 survived with 20 recursions limit for 5 years, nobody would complain if applying this limit to TOMOYO 2.6. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> 2020-10-12T10:53:34+00:00 Tetsuo Handa penguin-kernel@I-love.SAKURA.ne.jp 2020-09-09T11:05:58+00:00 urn:sha1:a207516776769404dfa8ae89003efba1004a55df Since commit e2dc9bf3f5275ca3 ("umd: Transform fork_usermode_blob into fork_usermode_driver") started calling execve() on a program written in a local mount which is not connected to mount tree, tomoyo_realpath_from_path() started returning a pathname in "$fsname:/$pathname" format which violates TOMOYO's domainname rule that it must start with "<$namespace>" followed by zero or more repetitions of pathnames which start with '/'. Since $fsname must not contain '.' since commit 79c0b2df79eb56fc ("add filesystem subtype support"), tomoyo_correct_path() can recognize a token which appears '/' before '.' appears (e.g. proc:/self/exe ) as a pathname while rejecting a token which appears '.' before '/' appears (e.g. exec.realpath="/bin/bash" ) as a condition parameter. Therefore, accept domainnames which contain pathnames which do not start with '/' but contain '/' before '.' (e.g. <kernel> tmpfs:/bpfilter_umh ). Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> 2019-12-16T14:02:27+00:00 Tetsuo Handa penguin-kernel@I-love.SAKURA.ne.jp 2019-12-16T10:16:48+00:00 urn:sha1:6bd5ce6089b561f5392460bfb654dea89356ab1b John Garry has reported that allmodconfig kernel on arm64 causes flood of "RCU-list traversed in non-reader section!!" warning. I don't know what change caused this warning, but this warning is safe because TOMOYO uses SRCU lock instead. Let's suppress this warning by explicitly telling that the caller is holding SRCU lock. Reported-and-tested-by: John Garry <john.garry@huawei.com> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> 2019-05-10T21:58:35+00:00 Tetsuo Handa penguin-kernel@I-love.SAKURA.ne.jp 2019-05-07T11:34:22+00:00 urn:sha1:4ad98ac46490d5f8441025930070eaf028cfd0f2 Commit cff0e6c3ec3e6230 ("tomoyo: Add a kernel config option for fuzzing testing.") enabled the learning mode, but syzkaller is detecting any "WARNING:" string as a crash. Thus, disable TOMOYO's quota warning if built for fuzzing testing. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Cc: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: James Morris <jamorris@linux.microsoft.com>