kernel/linux.git/security/tomoyo, branch v5.11.6

tomoyo: recognize kernel threads correctly

2021-03-09T10:21:23+00:00

commit 9c83465f3245c2faa82ffeb7016f40f02bfaa0ad upstream. Commit db68ce10c4f0a27c ("new helper: uaccess_kernel()") replaced segment_eq(get_fs(), KERNEL_DS) with uaccess_kernel(). But the correct method for tomoyo to check whether current is a kernel thread in order to assume that kernel threads are privileged for socket operations was (current->flags & PF_KTHREAD). Now that uaccess_kernel() became 0 on x86, tomoyo has to fix this problem. Do like commit 942cb357ae7d9249 ("Smack: Handle io_uring kernel thread privileges") does. Signed-off-by: Tetsuo Handa Signed-off-by: Greg Kroah-Hartman

tomoyo: ignore data race while checking quota

2021-03-07T11:35:45+00:00

commit 5797e861e402fff2bedce4ec8b7c89f4248b6073 upstream. syzbot is reporting that tomoyo's quota check is racy [1]. But this check is tolerant of some degree of inaccuracy. Thus, teach KCSAN to ignore this data race. [1] https://syzkaller.appspot.com/bug?id=999533deec7ba6337f8aa25d8bd1a4d5f7e50476 Reported-by: syzbot Signed-off-by: Tetsuo Handa Signed-off-by: Greg Kroah-Hartman

tomoyo: Fix typo in comments.

2020-12-06T04:44:57+00:00

Spotted by developers and codespell program. Co-developed-by: Xiaoming Ni Signed-off-by: Xiaoming Ni Co-developed-by: Souptick Joarder Signed-off-by: Souptick Joarder Signed-off-by: Tetsuo Handa

tomoyo: Fix null pointer check

2020-11-27T10:36:11+00:00

Since tomoyo_memory_ok() will check for null pointer returned by kzalloc() in tomoyo_assign_profile(), tomoyo_assign_namespace(), tomoyo_get_name() and tomoyo_commit_ok(), then emit OOM warnings if needed. And this is the expected behavior as informed by Tetsuo Handa. Let's add __GFP_NOWARN to kzalloc() in those related functions. Besides, to achieve this goal, remove the null check for entry right after kzalloc() in tomoyo_assign_namespace(). Reported-by: Hulk Robot Suggested-by: Tetsuo Handa Signed-off-by: Zheng Zengkai Signed-off-by: Tetsuo Handa

tomoyo: Limit wildcard recursion depth.

2020-11-03T04:50:02+00:00

Since wildcards that need recursion consume kernel stack memory (or might cause CPU stall warning problem), we cannot allow infinite recursion. Since TOMOYO 1.8 survived with 20 recursions limit for 5 years, nobody would complain if applying this limit to TOMOYO 2.6. Signed-off-by: Tetsuo Handa

tomoyo: fix clang pointer arithmetic warning

2020-10-28T14:21:43+00:00

clang warns about additions on NULL pointers being undefined in C: security/tomoyo/securityfs_if.c:226:59: warning: arithmetic on a null pointer treated as a cast from integer to pointer is a GNU extension [-Wnull-pointer-arithmetic] securityfs_create_file(name, mode, parent, ((u8 *) NULL) + key, Change the code to instead use a cast through uintptr_t to avoid the warning. Signed-off-by: Arnd Bergmann Signed-off-by: Tetsuo Handa

tomoyo: Loosen pathname/domainname validation.

2020-10-12T10:53:34+00:00

Since commit e2dc9bf3f5275ca3 ("umd: Transform fork_usermode_blob into fork_usermode_driver") started calling execve() on a program written in a local mount which is not connected to mount tree, tomoyo_realpath_from_path() started returning a pathname in "$fsname:/$pathname" format which violates TOMOYO's domainname rule that it must start with "<$namespace>" followed by zero or more repetitions of pathnames which start with '/'. Since $fsname must not contain '.' since commit 79c0b2df79eb56fc ("add filesystem subtype support"), tomoyo_correct_path() can recognize a token which appears '/' before '.' appears (e.g. proc:/self/exe ) as a pathname while rejecting a token which appears '.' before '/' appears (e.g. exec.realpath="/bin/bash" ) as a condition parameter. Therefore, accept domainnames which contain pathnames which do not start with '/' but contain '/' before '.' (e.g. tmpfs:/bpfilter_umh ). Signed-off-by: Tetsuo Handa

treewide: Use fallthrough pseudo-keyword

2020-08-23T22:36:59+00:00

Replace the existing /* fall through */ comments and its variants with the new pseudo-keyword macro fallthrough[1]. Also, remove unnecessary fall-through markings when it is the case. [1] https://www.kernel.org/doc/html/v5.7/process/deprecated.html?highlight=fallthrough#implicit-switch-case-fall-through Signed-off-by: Gustavo A. R. Silva

mm/gup: remove task_struct pointer for all gup code

2020-08-12T17:58:04+00:00

After the cleanup of page fault accounting, gup does not need to pass task_struct around any more. Remove that parameter in the whole gup stack. Signed-off-by: Peter Xu Signed-off-by: Andrew Morton Reviewed-by: John Hubbard Link: http://lkml.kernel.org/r/20200707225021.200906-26-peterx@redhat.com Signed-off-by: Linus Torvalds

exec: Implement kernel_execve

2020-07-21T13:24:52+00:00

To allow the kernel not to play games with set_fs to call exec implement kernel_execve. The function kernel_execve takes pointers into kernel memory and copies the values pointed to onto the new userspace stack. The calls with arguments from kernel space of do_execve are replaced with calls to kernel_execve. The calls do_execve and do_execveat are made static as there are now no callers outside of exec. The comments that mention do_execve are updated to refer to kernel_execve or execve depending on the circumstances. In addition to correcting the comments, this makes it easy to grep for do_execve and verify it is not used. Inspired-by: https://lkml.kernel.org/r/20200627072704.2447163-1-hch@lst.de Reviewed-by: Kees Cook Link: https://lkml.kernel.org/r/87wo365ikj.fsf@x220.int.ebiederm.org Signed-off-by: "Eric W. Biederman"