kernel/linux.git/security/tomoyo, branch v5.4.269

lsm: new security_file_ioctl_compat() hook

2024-02-23T07:25:15+00:00

commit f1bb47a31dff6d4b34fb14e99850860ee74bb003 upstream. Some ioctl commands do not require ioctl permission, but are routed to other permissions such as FILE_GETATTR or FILE_SETATTR. This routing is done by comparing the ioctl cmd to a set of 64-bit flags (FS_IOC_*). However, if a 32-bit process is running on a 64-bit kernel, it emits 32-bit flags (FS_IOC32_*) for certain ioctl operations. These flags are being checked erroneously, which leads to these ioctl operations being routed to the ioctl permission, rather than the correct file permissions. This was also noted in a RED-PEN finding from a while back - "/* RED-PEN how should LSM module know it's handling 32bit? */". This patch introduces a new hook, security_file_ioctl_compat(), that is called from the compat ioctl syscall. All current LSMs have been changed to support this hook. Reviewing the three places where we are currently using security_file_ioctl(), it appears that only SELinux needs a dedicated compat change; TOMOYO and SMACK appear to be functional without any change. Cc: stable@vger.kernel.org Fixes: 0b24dcb7f2f7 ("Revert "selinux: simplify ioctl checking"") Signed-off-by: Alfred Piccioni Reviewed-by: Stephen Smalley [PM: subject tweak, line length fixes, and alignment corrections] Signed-off-by: Paul Moore Signed-off-by: Eric Biggers Signed-off-by: Greg Kroah-Hartman

tomoyo: fix broken dependency on *.conf.default

2023-02-06T06:52:35+00:00

[ Upstream commit eaf2213ba563b2d74a1f2c13a6b258273f689802 ] If *.conf.default is updated, builtin-policy.h should be rebuilt, but this does not work when compiled with O= option. [Without this commit] $ touch security/tomoyo/policy/exception_policy.conf.default $ make O=/tmp security/tomoyo/ make[1]: Entering directory '/tmp' GEN Makefile CALL /home/masahiro/ref/linux/scripts/checksyscalls.sh DESCEND objtool make[1]: Leaving directory '/tmp' [With this commit] $ touch security/tomoyo/policy/exception_policy.conf.default $ make O=/tmp security/tomoyo/ make[1]: Entering directory '/tmp' GEN Makefile CALL /home/masahiro/ref/linux/scripts/checksyscalls.sh DESCEND objtool POLICY security/tomoyo/builtin-policy.h CC security/tomoyo/common.o AR security/tomoyo/built-in.a make[1]: Leaving directory '/tmp' $(srctree)/ is essential because $(wildcard ) does not follow VPATH. Fixes: f02dee2d148b ("tomoyo: Do not generate empty policy files") Signed-off-by: Masahiro Yamada Signed-off-by: Tetsuo Handa Signed-off-by: Sasha Levin

TOMOYO: fix __setup handlers return values

2022-04-15T12:18:13+00:00

[ Upstream commit 39844b7e3084baecef52d1498b5fa81afa2cefa9 ] __setup() handlers should return 1 if the parameter is handled. Returning 0 causes the entire string to be added to init's environment strings (limited to 32 strings), unnecessarily polluting it. Using the documented strings "TOMOYO_loader=string1" and "TOMOYO_trigger=string2" causes an Unknown parameter message: Unknown kernel command line parameters "BOOT_IMAGE=/boot/bzImage-517rc5 TOMOYO_loader=string1 \ TOMOYO_trigger=string2", will be passed to user space. and these strings are added to init's environment string space: Run /sbin/init as init process with arguments: /sbin/init with environment: HOME=/ TERM=linux BOOT_IMAGE=/boot/bzImage-517rc5 TOMOYO_loader=string1 TOMOYO_trigger=string2 With this change, these __setup handlers act as expected, and init's environment is not polluted with these strings. Fixes: 0e4ae0e0dec63 ("TOMOYO: Make several options configurable.") Signed-off-by: Randy Dunlap Reported-by: Igor Zhbanov Link: https://lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru Cc: James Morris Cc: Kentaro Takeda Cc: tomoyo-dev-en@lists.osdn.me Cc: "Serge E. Hallyn" Signed-off-by: Tetsuo Handa Signed-off-by: Sasha Levin

tomoyo: Check exceeded quota early in tomoyo_domain_quota_is_ok().

2022-01-05T11:37:43+00:00

[ Upstream commit 04e57a2d952bbd34bc45744e72be3eecdc344294 ] If tomoyo is used in a testing/fuzzing environment in learning mode, for lots of domains the quota will be exceeded and stay exceeded for prolonged periods of time. In such cases it's pointless (and slow) to walk the whole acl list again and again just to rediscover that the quota is exceeded. We already have the TOMOYO_DIF_QUOTA_WARNED flag that notes the overflow condition. Check it early to avoid the slowdown. [penguin-kernel] This patch causes a user visible change that the learning mode will not be automatically resumed after the quota is increased. To resume the learning mode, administrator will need to explicitly clear TOMOYO_DIF_QUOTA_WARNED flag after increasing the quota. But I think that this change is generally preferable, for administrator likely wants to optimize the acl list for that domain before increasing the quota, or that domain likely hits the quota again. Therefore, don't try to care to clear TOMOYO_DIF_QUOTA_WARNED flag automatically when the quota for that domain changed. Signed-off-by: Dmitry Vyukov Signed-off-by: Tetsuo Handa Signed-off-by: Sasha Levin

tomoyo: Use atomic_t for statistics counter

2020-02-05T21:22:41+00:00

commit a8772fad0172aeae339144598b809fd8d4823331 upstream. syzbot is reporting that there is a race at tomoyo_stat_update() [1]. Although it is acceptable to fail to track exact number of times policy was updated, convert to atomic_t because this is not a hot path. [1] https://syzkaller.appspot.com/bug?id=a4d7b973972eeed410596e6604580e0133b0fc04 Reported-by: syzbot Signed-off-by: Tetsuo Handa Signed-off-by: Greg Kroah-Hartman

tomoyo: Suppress RCU warning at list_for_each_entry_rcu().

2020-01-17T18:49:05+00:00

[ Upstream commit 6bd5ce6089b561f5392460bfb654dea89356ab1b ] John Garry has reported that allmodconfig kernel on arm64 causes flood of "RCU-list traversed in non-reader section!!" warning. I don't know what change caused this warning, but this warning is safe because TOMOYO uses SRCU lock instead. Let's suppress this warning by explicitly telling that the caller is holding SRCU lock. Reported-and-tested-by: John Garry Signed-off-by: Tetsuo Handa Signed-off-by: Sasha Levin

tomoyo: Don't use nifty names on sockets.

2020-01-04T18:18:42+00:00

commit 6f7c41374b62fd80bbd8aae3536c43688c54d95e upstream. syzbot is reporting that use of SOCKET_I()->sk from open() can result in use after free problem [1], for socket's inode is still reachable via /proc/pid/fd/n despite destruction of SOCKET_I()->sk already completed. At first I thought that this race condition applies to only open/getattr permission checks. But James Morris has pointed out that there are more permission checks where this race condition applies to. Thus, get rid of tomoyo_get_socket_name() instead of conditionally bypassing permission checks on sockets. As a side effect of this patch, "socket:[family=\$:type=\$:protocol=\$]" in the policy files has to be rewritten to "socket:[\$]". [1] https://syzkaller.appspot.com/bug?id=73d590010454403d55164cca23bd0565b1eb3b74 Signed-off-by: Tetsuo Handa Reported-by: syzbot Reported-by: James Morris Signed-off-by: Greg Kroah-Hartman

treewide: Add SPDX license identifier - Makefile/Kconfig

2019-05-21T08:50:46+00:00

Add SPDX license identifiers to all Make/Kconfig files which: - Have no license information of any form These files fall under the project license, GPL v2 only. The resulting SPDX license identifier is: GPL-2.0-only Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman

tomoyo: Don't emit WARNING: string while fuzzing testing.

2019-05-10T21:58:35+00:00

Commit cff0e6c3ec3e6230 ("tomoyo: Add a kernel config option for fuzzing testing.") enabled the learning mode, but syzkaller is detecting any "WARNING:" string as a crash. Thus, disable TOMOYO's quota warning if built for fuzzing testing. Signed-off-by: Tetsuo Handa Cc: Dmitry Vyukov Signed-off-by: James Morris

tomoyo: Change pathname calculation for read-only filesystems.

2019-05-10T21:58:30+00:00

Commit 5625f2e3266319fd ("TOMOYO: Change pathname for non-rename()able filesystems.") intended to be applied to filesystems where the content is not controllable from the userspace (e.g. proc, sysfs, securityfs), based on an assumption that such filesystems do not support rename() operation. But it turned out that read-only filesystems also do not support rename() operation despite the content is controllable from the userspace, and that commit is annoying TOMOYO users who want to use e.g. squashfs as the root filesystem due to use of local name which does not start with '/'. Therefore, based on an assumption that filesystems which require the device argument upon mount() request is an indication that the content is controllable from the userspace, do not use local name if a filesystem does not support rename() operation but requires the device argument upon mount() request. Signed-off-by: Tetsuo Handa Signed-off-by: James Morris