summaryrefslogtreecommitdiff
path: root/security/smack/smackfs.c
AgeCommit message (Collapse)AuthorFilesLines
2022-06-05Merge tag 'pull-18-rc1-work.mount' of ↵Linus Torvalds1-0/+1
git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs Pull mount handling updates from Al Viro: "Cleanups (and one fix) around struct mount handling. The fix is usermode_driver.c one - once you've done kern_mount(), you must kern_unmount(); simple mntput() will end up with a leak. Several failure exits in there messed up that way... In practice you won't hit those particular failure exits without fault injection, though" * tag 'pull-18-rc1-work.mount' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: move mount-related externs from fs.h to mount.h blob_to_mnt(): kern_unmount() is needed to undo kern_mount() m->mnt_root->d_inode->i_sb is a weird way to spell m->mnt_sb... linux/mount.h: trim includes uninline may_mount() and don't opencode it in fspick(2)/fsopen(2)
2022-05-23smack: Remove redundant assignmentsMichal Orzel1-1/+0
Get rid of redundant assignments which end up in values not being read either because they are overwritten or the function ends. Reported by clang-tidy [deadcode.DeadStores] Signed-off-by: Michal Orzel <michalorzel.eng@gmail.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
2022-05-20move mount-related externs from fs.h to mount.hAl Viro1-0/+1
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2021-10-22smackfs: use netlbl_cfg_cipsov4_del() for deleting cipso_v4_doiTetsuo Handa1-1/+1
syzbot is reporting UAF at cipso_v4_doi_search() [1], for smk_cipso_doi() is calling kfree() without removing from the cipso_v4_doi_list list after netlbl_cfg_cipsov4_map_add() returned an error. We need to use netlbl_cfg_cipsov4_del() in order to remove from the list and wait for RCU grace period before kfree(). Link: https://syzkaller.appspot.com/bug?extid=93dba5b91f0fed312cbd [1] Reported-by: syzbot <syzbot+93dba5b91f0fed312cbd@syzkaller.appspotmail.com> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Fixes: 6c2e8ac0953fccdd ("netlabel: Update kernel configuration API") Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
2021-10-22smackfs: use __GFP_NOFAIL for smk_cipso_doi()Tetsuo Handa1-3/+1
syzbot is reporting kernel panic at smk_cipso_doi() due to memory allocation fault injection [1]. The reason for need to use panic() was not explained. But since no fix was proposed for 18 months, for now let's use __GFP_NOFAIL for utilizing syzbot resource on other bugs. Link: https://syzkaller.appspot.com/bug?extid=89731ccb6fec15ce1c22 [1] Reported-by: syzbot <syzbot+89731ccb6fec15ce1c22@syzkaller.appspotmail.com> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
2021-09-16smackfs: Fix use-after-free in netlbl_catmap_walk()Pawan Gupta1-1/+4
Syzkaller reported use-after-free bug as described in [1]. The bug is triggered when smk_set_cipso() tries to free stale category bitmaps while there are concurrent reader(s) using the same bitmaps. Wait for RCU grace period to finish before freeing the category bitmaps in smk_set_cipso(). This makes sure that there are no more readers using the stale bitmaps and freeing them should be safe. [1] https://lore.kernel.org/netdev/000000000000a814c505ca657a4e@google.com/ Reported-by: syzbot+3f91de0b813cc3d19a80@syzkaller.appspotmail.com Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
2021-05-10smackfs: restrict bytes count in smk_set_cipso()Tetsuo Handa1-0/+2
Oops, I failed to update subject line. From 07571157c91b98ce1a4aa70967531e64b78e8346 Mon Sep 17 00:00:00 2001 From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Date: Mon, 12 Apr 2021 22:25:06 +0900 Subject: [PATCH] smackfs: restrict bytes count in smk_set_cipso() Commit 7ef4c19d245f3dc2 ("smackfs: restrict bytes count in smackfs write functions") missed that count > SMK_CIPSOMAX check applies to only format == SMK_FIXED24_FMT case. Reported-by: syzbot <syzbot+77c53db50c9fff774e8e@syzkaller.appspotmail.com> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
2021-05-10security/smack/: fix misspellings using codespell toolXiong Zhenwu1-1/+1
A typo is found out by codespell tool in 383th line of smackfs.c: $ codespell ./security/smack/ ./smackfs.c:383: numer ==> number Fix a typo found by codespell. Signed-off-by: Xiong Zhenwu <xiong.zhenwu@zte.com.cn> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
2021-02-03smackfs: restrict bytes count in smackfs write functionsSabyrzhan Tasbolatov1-2/+19
syzbot found WARNINGs in several smackfs write operations where bytes count is passed to memdup_user_nul which exceeds GFP MAX_ORDER. Check count size if bigger than PAGE_SIZE. Per smackfs doc, smk_write_net4addr accepts any label or -CIPSO, smk_write_net6addr accepts any label or -DELETE. I couldn't find any general rule for other label lengths except SMK_LABELLEN, SMK_LONGLABEL, SMK_CIPSOMAX which are documented. Let's constrain, in general, smackfs label lengths for PAGE_SIZE. Although fuzzer crashes write to smackfs/netlabel on 0x400000 length. Here is a quick way to reproduce the WARNING: python -c "print('A' * 0x400000)" > /sys/fs/smackfs/netlabel Reported-by: syzbot+a71a442385a0b2815497@syzkaller.appspotmail.com Signed-off-by: Sabyrzhan Tasbolatov <snovitoll@gmail.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
2020-11-13Smack: fix kernel-doc interface on functionsAlex Shi1-3/+4
The are some kernel-doc interface issues: security/smack/smackfs.c:1950: warning: Function parameter or member 'list' not described in 'smk_parse_label_list' security/smack/smackfs.c:1950: warning: Excess function parameter 'private' description in 'smk_parse_label_list' security/smack/smackfs.c:1979: warning: Function parameter or member 'list' not described in 'smk_destroy_label_list' security/smack/smackfs.c:1979: warning: Excess function parameter 'head' description in 'smk_destroy_label_list' security/smack/smackfs.c:2141: warning: Function parameter or member 'count' not described in 'smk_read_logging' security/smack/smackfs.c:2141: warning: Excess function parameter 'cn' description in 'smk_read_logging' security/smack/smackfs.c:2278: warning: Function parameter or member 'format' not described in 'smk_user_access' Correct them in this patch. Signed-off-by: Alex Shi <alex.shi@linux.alibaba.com> Cc: Casey Schaufler <casey@schaufler-ca.com> Cc: James Morris <jmorris@namei.org> Cc: "Serge E. Hallyn" <serge@hallyn.com> Cc: linux-security-module@vger.kernel.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
2020-09-12Smack: Use the netlabel cacheCasey Schaufler1-14/+9
Utilize the Netlabel cache mechanism for incoming packet matching. Refactor the initialization of secattr structures, as it was being done in two places. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
2020-07-27Smack: prevent underflow in smk_set_cipso()Dan Carpenter1-1/+1
We have an upper bound on "maplevel" but forgot to check for negative values. Fixes: e114e473771c ("Smack: Simplified Mandatory Access Control Kernel") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
2020-07-27Smack: fix another vsscanf out of boundsDan Carpenter1-0/+4
This is similar to commit 84e99e58e8d1 ("Smack: slab-out-of-bounds in vsscanf") where we added a bounds check on "rule". Reported-by: syzbot+a22c6092d003d6fe1122@syzkaller.appspotmail.com Fixes: f7112e6c9abf ("Smack: allow for significantly longer Smack labels v4") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
2020-07-14Smack: fix use-after-free in smk_write_relabel_self()Eric Biggers1-2/+11
smk_write_relabel_self() frees memory from the task's credentials with no locking, which can easily cause a use-after-free because multiple tasks can share the same credentials structure. Fix this by using prepare_creds() and commit_creds() to correctly modify the task's credentials. Reproducer for "BUG: KASAN: use-after-free in smk_write_relabel_self": #include <fcntl.h> #include <pthread.h> #include <unistd.h> static void *thrproc(void *arg) { int fd = open("/sys/fs/smackfs/relabel-self", O_WRONLY); for (;;) write(fd, "foo", 3); } int main() { pthread_t t; pthread_create(&t, NULL, thrproc, NULL); thrproc(NULL); } Reported-by: syzbot+e6416dabb497a650da40@syzkaller.appspotmail.com Fixes: 38416e53936e ("Smack: limited capability for changing process label") Cc: <stable@vger.kernel.org> # v4.4+ Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
2020-05-07Smack: slab-out-of-bounds in vsscanfCasey Schaufler1-0/+10
Add barrier to soob. Return -EOVERFLOW if the buffer is exceeded. Suggested-by: Hillf Danton <hdanton@sina.com> Reported-by: syzbot+bfdd4a2f07be52351350@syzkaller.appspotmail.com Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
2019-07-19Merge branch 'work.mount0' of ↵Linus Torvalds1-12/+22
git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs Pull vfs mount updates from Al Viro: "The first part of mount updates. Convert filesystems to use the new mount API" * 'work.mount0' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (63 commits) mnt_init(): call shmem_init() unconditionally constify ksys_mount() string arguments don't bother with registering rootfs init_rootfs(): don't bother with init_ramfs_fs() vfs: Convert smackfs to use the new mount API vfs: Convert selinuxfs to use the new mount API vfs: Convert securityfs to use the new mount API vfs: Convert apparmorfs to use the new mount API vfs: Convert openpromfs to use the new mount API vfs: Convert xenfs to use the new mount API vfs: Convert gadgetfs to use the new mount API vfs: Convert oprofilefs to use the new mount API vfs: Convert ibmasmfs to use the new mount API vfs: Convert qib_fs/ipathfs to use the new mount API vfs: Convert efivarfs to use the new mount API vfs: Convert configfs to use the new mount API vfs: Convert binfmt_misc to use the new mount API convenience helper: get_tree_single() convenience helper get_tree_nodev() vfs: Kill sget_userns() ...
2019-07-05vfs: Convert smackfs to use the new mount APIDavid Howells1-12/+22
Convert the smackfs filesystem to the new internal mount API as the old one will be obsoleted and removed. This allows greater flexibility in communication of mount parameters between userspace, the VFS and the filesystem. See Documentation/filesystems/mount_api.txt for more information. Signed-off-by: David Howells <dhowells@redhat.com> cc: Casey Schaufler <casey@schaufler-ca.com> cc: linux-security-module@vger.kernel.org Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2019-06-05treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 372Thomas Gleixner1-5/+1
Based on 1 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of the gnu general public license as published by the free software foundation version 2 extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 135 file(s). Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Allison Randal <allison@lohutok.net> Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190531081036.435762997@linutronix.de Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-04-02Smack: Create smack_rule cache to optimize memory usageCasey Schaufler1-1/+1
This patch allows for small memory optimization by creating the kmem cache for "struct smack_rule" instead of using kzalloc. For adding new smack rule, kzalloc is used to allocate the memory for "struct smack_rule". kzalloc will always allocate 32 or 64 bytes for 1 structure depending upon the kzalloc cache sizes available in system. Although the size of structure is 20 bytes only, resulting in memory wastage per object in the default pool. For e.g., if there are 20000 rules, then it will save 240KB(20000*12) which is crucial for small memory targets. Signed-off-by: Vishal Goel <vishal.goel@samsung.com> Signed-off-by: Amit Sahrawat <a.sahrawat@samsung.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
2019-04-02smack: removal of global rule listVishal Goel1-38/+15
In this patch, global rule list has been removed. Now all smack rules will be read using "smack_known_list". This list contains all the smack labels and internally each smack label structure maintains the list of smack rules corresponding to that smack label. So there is no need to maintain extra list. 1) Small Memory Optimization For eg. if there are 20000 rules, then it will save 625KB(20000*32), which is critical for small embedded systems. 2) Reducing the time taken in writing rules on load/load2 interface 3) Since global rule list is just used to read the rules, so there will be no performance impact on system Signed-off-by: Vishal Goel <vishal.goel@samsung.com> Signed-off-by: Amit Sahrawat <a.sahrawat@samsung.com> Signed-off-by: Casey Schaufler <cschaufler@localhost.localdomain>
2019-01-09Smack: Abstract use of cred security blobCasey Schaufler1-9/+9
Don't use the cred->security pointer directly. Provide a helper function that provides the security blob pointer. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: Kees Cook <keescook@chromium.org> [kees: adjusted for ordered init series] Signed-off-by: Kees Cook <keescook@chromium.org>
2018-09-18Smack: remove set but not used variable 'root_inode'YueHaibing1-3/+0
Fixes gcc '-Wunused-but-set-variable' warning: security/smack/smackfs.c: In function 'smk_fill_super': security/smack/smackfs.c:2856:16: warning: variable 'root_inode' set but not used [-Wunused-but-set-variable] Signed-off-by: YueHaibing <yuehaibing@huawei.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
2017-04-27fs: constify tree_descr arrays passed to simple_fill_super()Eric Biggers1-1/+1
simple_fill_super() is passed an array of tree_descr structures which describe the files to create in the filesystem's root directory. Since these arrays are never modified intentionally, they should be 'const' so that they are placed in .rodata and benefit from memory protection. This patch updates the function signature and all users, and also constifies tree_descr.name. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2017-01-10SMACK: Add new lock for adding entry in smack master listVishal Goel1-0/+5
"smk_set_access()" function adds a new rule entry in subject label specific list(rule_list) and in global rule list(smack_rule_list) both. Mutex lock (rule_lock) is used to avoid simultaneous updates. But this lock is subject label specific lock. If 2 processes tries to add different rules(i.e with different subject labels) simultaneously, then both the processes can take the "rule_lock" respectively. So it will cause a problem while adding entries in master rule list. Now a new mutex lock(smack_master_list_lock) has been taken to add entry in smack_rule_list to avoid simultaneous updates of different rules. Signed-off-by: Vishal Goel <vishal.goel@samsung.com> Signed-off-by: Himanshu Shukla <himanshu.sh@samsung.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
2016-11-15Smack: Remove unnecessary smack_known_invalidCasey Schaufler1-3/+0
The invalid Smack label ("") and the Huh ("?") Smack label serve the same purpose and having both is unnecessary. While pulling out the invalid label it became clear that the use of smack_from_secid() was inconsistent, so that is repaired. The setting of inode labels to the invalid label could never happen in a functional system, has never been observed in the wild and is not what you'd really want for a failure behavior in any case. That is removed. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
2016-08-23Smack: Use memdup_user() rather than duplicating its implementationMarkus Elfring1-8/+3
Reuse existing functionality from memdup_user() instead of keeping duplicate source code. This issue was detected by using the Coccinelle software. Signed-off-by: Markus Elfring <elfring@users.sourceforge.net> Acked-by: Casey Schaufler <casey@schaufler-ca.com>
2016-01-04convert a bunch of open-coded instances of memdup_user_nul()Al Viro1-82/+32
A _lot_ of ->write() instances were open-coding it; some are converted to memdup_user_nul(), a lot more remain... Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2015-10-19Smack: limited capability for changing process labelZbigniew Jasinski1-35/+167
This feature introduces new kernel interface: - <smack_fs>/relabel-self - for setting transition labels list This list is used to control smack label transition mechanism. List is set by, and per process. Process can transit to new label only if label is on the list. Only process with CAP_MAC_ADMIN capability can add labels to this list. With this list, process can change it's label without CAP_MAC_ADMIN but only once. After label changing, list is unset. Changes in v2: * use list_for_each_entry instead of _rcu during label write * added missing description in security/Smack.txt Changes in v3: * squashed into one commit Changes in v4: * switch from global list to per-task list * since the per-task list is accessed only by the task itself there is no need to use synchronization mechanisms on it Changes in v5: * change smackfs interface of relabel-self to the one used for onlycap multiple labels are accepted, separated by space, which replace the previous list upon write Signed-off-by: Zbigniew Jasinski <z.jasinski@samsung.com> Signed-off-by: Rafal Krypa <r.krypa@samsung.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com>
2015-10-10Smack: Minor initialisation improvementJosé Bollo1-1/+1
This change has two goals: - delay the setting of 'smack_enabled' until it will be really effective - ensure that smackfs is valid only if 'smack_enabled' is set (it is already the case in smack_netfilter.c) Signed-off-by: José Bollo <jose.bollo@iot.bzh> Acked-by: Casey Schaufler <casey@schaufler-ca.com>
2015-10-10Smack: fix a NULL dereference in wrong smack_import_entry() usageLukasz Pawelczyk1-2/+2
'commit e774ad683f42 ("smack: pass error code through pointers")' made this function return proper error codes instead of NULL. Reflect that. This is a fix for a NULL dereference introduced in 'commit 21abb1ec414c ("Smack: IPv6 host labeling")' echo "$SOME_IPV6_ADDR \"test" > /smack/ipv6host (this should return EINVAL, it doesn't) cat /smack/ipv6host (derefences 0x000a) Signed-off-by: Lukasz Pawelczyk <l.pawelczyk@samsung.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com>
2015-07-31Smack: Three symbols that should be staticCasey Schaufler1-1/+1
The kbuild test robot reported a couple of these, and the third showed up by inspection. Making the symbols static is proper. Reported-by: Fengguang Wu <fengguang.wu@intel.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
2015-07-28Smack: IPv6 host labelingCasey Schaufler1-76/+352
IPv6 appears to be (finally) coming of age with the influx of autonomous devices. In support of this, add the ability to associate a Smack label with IPv6 addresses. This patch also cleans up some of the conditional compilation associated with the introduction of secmark processing. It's now more obvious which bit of code goes with which feature. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
2015-07-22sysfs: fix simple_return.cocci warningskbuild test robot1-5/+1
security/smack/smackfs.c:2251:1-4: WARNING: end returns can be simpified and declaration on line 2250 can be dropped Simplify a trivial if-return sequence. Possibly combine with a preceding function call. Generated by: scripts/coccinelle/misc/simple_return.cocci Signed-off-by: Fengguang Wu <fengguang.wu@intel.com> Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com>
2015-07-04Merge branch 'for-linus' of ↵Linus Torvalds1-4/+4
git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace Pull user namespace updates from Eric Biederman: "Long ago and far away when user namespaces where young it was realized that allowing fresh mounts of proc and sysfs with only user namespace permissions could violate the basic rule that only root gets to decide if proc or sysfs should be mounted at all. Some hacks were put in place to reduce the worst of the damage could be done, and the common sense rule was adopted that fresh mounts of proc and sysfs should allow no more than bind mounts of proc and sysfs. Unfortunately that rule has not been fully enforced. There are two kinds of gaps in that enforcement. Only filesystems mounted on empty directories of proc and sysfs should be ignored but the test for empty directories was insufficient. So in my tree directories on proc, sysctl and sysfs that will always be empty are created specially. Every other technique is imperfect as an ordinary directory can have entries added even after a readdir returns and shows that the directory is empty. Special creation of directories for mount points makes the code in the kernel a smidge clearer about it's purpose. I asked container developers from the various container projects to help test this and no holes were found in the set of mount points on proc and sysfs that are created specially. This set of changes also starts enforcing the mount flags of fresh mounts of proc and sysfs are consistent with the existing mount of proc and sysfs. I expected this to be the boring part of the work but unfortunately unprivileged userspace winds up mounting fresh copies of proc and sysfs with noexec and nosuid clear when root set those flags on the previous mount of proc and sysfs. So for now only the atime, read-only and nodev attributes which userspace happens to keep consistent are enforced. Dealing with the noexec and nosuid attributes remains for another time. This set of changes also addresses an issue with how open file descriptors from /proc/<pid>/ns/* are displayed. Recently readlink of /proc/<pid>/fd has been triggering a WARN_ON that has not been meaningful since it was added (as all of the code in the kernel was converted) and is not now actively wrong. There is also a short list of issues that have not been fixed yet that I will mention briefly. It is possible to rename a directory from below to above a bind mount. At which point any directory pointers below the renamed directory can be walked up to the root directory of the filesystem. With user namespaces enabled a bind mount of the bind mount can be created allowing the user to pick a directory whose children they can rename to outside of the bind mount. This is challenging to fix and doubly so because all obvious solutions must touch code that is in the performance part of pathname resolution. As mentioned above there is also a question of how to ensure that developers by accident or with purpose do not introduce exectuable files on sysfs and proc and in doing so introduce security regressions in the current userspace that will not be immediately obvious and as such are likely to require breaking userspace in painful ways once they are recognized" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace: vfs: Remove incorrect debugging WARN in prepend_path mnt: Update fs_fully_visible to test for permanently empty directories sysfs: Create mountpoints with sysfs_create_mount_point sysfs: Add support for permanently empty directories to serve as mount points. kernfs: Add support for always empty directories. proc: Allow creating permanently empty directories that serve as mount points sysctl: Allow creating permanently empty directories that serve as mountpoints. fs: Add helper functions for permanently empty directories. vfs: Ignore unlocked mounts in fs_fully_visible mnt: Modify fs_fully_visible to deal with locked ro nodev and atime mnt: Refactor the logic for mounting sysfs and proc in a user namespace
2015-07-01sysfs: Create mountpoints with sysfs_create_mount_pointEric W. Biederman1-4/+4
This allows for better documentation in the code and it allows for a simpler and fully correct version of fs_fully_visible to be written. The mount points converted and their filesystems are: /sys/hypervisor/s390/ s390_hypfs /sys/kernel/config/ configfs /sys/kernel/debug/ debugfs /sys/firmware/efi/efivars/ efivarfs /sys/fs/fuse/connections/ fusectl /sys/fs/pstore/ pstore /sys/kernel/tracing/ tracefs /sys/fs/cgroup/ cgroup /sys/kernel/security/ securityfs /sys/fs/selinux/ selinuxfs /sys/fs/smackfs/ smackfs Cc: stable@vger.kernel.org Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2015-06-12Smack: freeing an error pointer in smk_write_revoke_subj()Dan Carpenter1-7/+9
This code used to rely on the fact that kfree(NULL) was a no-op, but then we changed smk_parse_smack() to return error pointers on failure instead of NULL. Calling kfree() on an error pointer will oops. I have re-arranged things a bit so that we only free things if they have been allocated. Fixes: e774ad683f42 ('smack: pass error code through pointers') Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
2015-06-02Smack: allow multiple labels in onlycapRafal Krypa1-53/+110
Smack onlycap allows limiting of CAP_MAC_ADMIN and CAP_MAC_OVERRIDE to processes running with the configured label. But having single privileged label is not enough in some real use cases. On a complex system like Tizen, there maybe few programs that need to configure Smack policy in run-time and running them all with a single label is not always practical. This patch extends onlycap feature for multiple labels. They are configured in the same smackfs "onlycap" interface, separated by spaces. Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
2015-06-02Smack: fix seq operations in smackfsRafal Krypa1-30/+22
Use proper RCU functions and read locking in smackfs seq_operations. Smack gets away with not using proper RCU functions in smackfs, because it never removes entries from these lists. But now one list will be needed (with interface in smackfs) that will have both elements added and removed to it. This change will also help any future changes implementing removal of unneeded entries from other Smack lists. The patch also fixes handling of pos argument in smk_seq_start and smk_seq_next. This fixes a bug in case when smackfs is read with a small buffer: Kernel panic - not syncing: Kernel mode fault at addr 0xfa0000011b CPU: 0 PID: 1292 Comm: dd Not tainted 4.1.0-rc1-00012-g98179b8 #13 Stack: 00000003 0000000d 7ff39e48 7f69fd00 7ff39ce0 601ae4b0 7ff39d50 600e587b 00000010 6039f690 7f69fd40 00612003 Call Trace: [<601ae4b0>] load2_seq_show+0x19/0x1d [<600e587b>] seq_read+0x168/0x331 [<600c5943>] __vfs_read+0x21/0x101 [<601a595e>] ? security_file_permission+0xf8/0x105 [<600c5ec6>] ? rw_verify_area+0x86/0xe2 [<600c5fc3>] vfs_read+0xa1/0x14c [<600c68e2>] SyS_read+0x57/0xa0 [<6001da60>] handle_syscall+0x60/0x80 [<6003087d>] userspace+0x442/0x548 [<6001aa77>] ? interrupt_end+0x0/0x80 [<6001daae>] ? copy_chunk_to_user+0x0/0x2b [<6002cb6b>] ? save_registers+0x1f/0x39 [<60032ef7>] ? arch_prctl+0xf5/0x170 [<6001a92d>] fork_handler+0x85/0x87 Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
2015-05-15smack: pass error code through pointersLukasz Pawelczyk1-47/+69
This patch makes the following functions to use ERR_PTR() and related macros to pass the appropriate error code through returned pointers: smk_parse_smack() smk_import_entry() smk_fetch() It also makes all the other functions that use them to handle the error cases properly. This ways correct error codes from places where they happened can be propagated to the user space if necessary. Doing this it fixes a bug in onlycap and unconfined files handling. Previously their content was cleared on any error from smk_import_entry/smk_parse_smack, be it EINVAL (as originally intended) or ENOMEM. Right now it only reacts on EINVAL passing other codes properly to userspace. Comments have been updated accordingly. Signed-off-by: Lukasz Pawelczyk <l.pawelczyk@samsung.com>
2015-05-12LSM: Switch to lists of hooksCasey Schaufler1-1/+1
Instead of using a vector of security operations with explicit, special case stacking of the capability and yama hooks use lists of hooks with capability and yama hooks included as appropriate. The security_operations structure is no longer required. Instead, there is a union of the function pointers that allows all the hooks lists to use a common mechanism for list management while retaining typing. Each module supplies an array describing the hooks it provides instead of a sparsely populated security_operations structure. The description includes the element that gets put on the hook list, avoiding the issues surrounding individual element allocation. The method for registering security modules is changed to reflect the information available. The method for removing a module, currently only used by SELinux, has also changed. It should be generic now, however if there are potential race conditions based on ordering of hook removal that needs to be addressed by the calling module. The security hooks are called from the lists and the first failure is returned. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Acked-by: John Johansen <john.johansen@canonical.com> Acked-by: Kees Cook <keescook@chromium.org> Acked-by: Paul Moore <paul@paul-moore.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <james.l.morris@oracle.com>
2015-04-27Merge branch 'for-linus' of ↵Linus Torvalds1-1/+1
git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs Pull fourth vfs update from Al Viro: "d_inode() annotations from David Howells (sat in for-next since before the beginning of merge window) + four assorted fixes" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: RCU pathwalk breakage when running into a symlink overmounting something fix I_DIO_WAKEUP definition direct-io: only inc/dec inode->i_dio_count for file systems fs/9p: fix readdir() VFS: assorted d_backing_inode() annotations VFS: fs/inode.c helpers: d_inode() annotations VFS: fs/cachefiles: d_backing_inode() annotations VFS: fs library helpers: d_inode() annotations VFS: assorted weird filesystems: d_inode() annotations VFS: normal filesystems (and lustre): d_inode() annotations VFS: security/: d_inode() annotations VFS: security/: d_backing_inode() annotations VFS: net/: d_inode() annotations VFS: net/unix: d_backing_inode() annotations VFS: kernel/: d_inode() annotations VFS: audit: d_backing_inode() annotations VFS: Fix up some ->d_inode accesses in the chelsio driver VFS: Cachefiles should perform fs modifications on the top layer only VFS: AF_UNIX sockets should call mknod on the top layer only
2015-04-15VFS: security/: d_inode() annotationsDavid Howells1-1/+1
... except where that code acts as a filesystem driver, rather than working with dentries given to it. Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2015-03-23smack: Fix gcc warning from unused smack_syslog_lock mutex in smackfs.cPaul Gortmaker1-1/+0
In commit 00f84f3f2e9d088f06722f4351d67f5f577abe22 ("Smack: Make the syslog control configurable") this mutex was added, but the rest of the final commit never actually made use of it, resulting in: In file included from include/linux/mutex.h:29:0, from include/linux/notifier.h:13, from include/linux/memory_hotplug.h:6, from include/linux/mmzone.h:821, from include/linux/gfp.h:5, from include/linux/slab.h:14, from include/linux/security.h:27, from security/smack/smackfs.c:21: security/smack/smackfs.c:63:21: warning: ‘smack_syslog_lock’ defined but not used [-Wunused-variable] static DEFINE_MUTEX(smack_syslog_lock); ^ A git grep shows no other instances/references to smack_syslog_lock. Delete it, assuming that the mutex addition was just a leftover from an earlier work in progress version of the change. Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
2015-03-23Smack: Allow an unconfined label in bringup modeCasey Schaufler1-0/+96
I have vehemently opposed adding a "permissive" mode to Smack for the simple reasons that it would be subject to massive abuse and that developers refuse to turn it off come product release. I still believe that this is true, and still refuse to add a general "permissive mode". So don't ask again. Bumjin Im suggested an approach that addresses most of the concerns, and I have implemented it here. I still believe that we'd be better off without this sort of thing, but it looks like this minimizes the abuse potential. Firstly, you have to configure Smack Bringup Mode. That allows for "release" software to be ammune from abuse. Second, only one label gets to be "permissive" at a time. You can use it for debugging, but that's about it. A label written to smackfs/unconfined is treated specially. If either the subject or object label of an access check matches the "unconfined" label, and the access would not have been allowed otherwise an audit record and a console message are generated. The audit record "request" string is marked with either "(US)" or "(UO)", to indicate that the request was granted because of an unconfined label. The fact that an inode was accessed by an unconfined label is remembered, and subsequent accesses to that "impure" object are noted in the log. The impurity is not stored in the filesystem, so a file mislabled as a side effect of using an unconfined label may still cause concern after a reboot. So, it's there, it's dangerous, but so many application developers seem incapable of living without it I have given in. I've tried to make it as safe as I can, but in the end it's still a chain saw. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
2014-08-29Make Smack operate on smack_known struct where it still used char*Lukasz Pawelczyk1-28/+33
Smack used to use a mix of smack_known struct and char* throughout its APIs and implementation. This patch unifies the behaviour and makes it store and operate exclusively on smack_known struct pointers when managing labels. Signed-off-by: Lukasz Pawelczyk <l.pawelczyk@samsung.com> Conflicts: security/smack/smack_access.c security/smack/smack_lsm.c
2014-08-29Smack: Bring-up access modeCasey Schaufler1-1/+10
People keep asking me for permissive mode, and I keep saying "no". Permissive mode is wrong for more reasons than I can enumerate, but the compelling one is that it's once on, never off. Nonetheless, there is an argument to be made for running a process with lots of permissions, logging which are required, and then locking the process down. There wasn't a way to do that with Smack, but this provides it. The notion is that you start out by giving the process an appropriate Smack label, such as "ATBirds". You create rules with a wide range of access and the "b" mode. On Tizen it might be: ATBirds System rwxalb ATBirds User rwxalb ATBirds _ rwxalb User ATBirds wb System ATBirds wb Accesses that fail will generate audit records. Accesses that succeed because of rules marked with a "b" generate log messages identifying the rule, the program and as much object information as is convenient. When the system is properly configured and the programs brought in line with the labeling scheme the "b" mode can be removed from the rules. When the system is ready for production the facility can be configured out. This provides the developer the convenience of permissive mode without creating a system that looks like it is enforcing a policy while it is not. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
2014-08-09Smack: handle zero-length security labels without panicKonstantin Khlebnikov1-2/+2
Zero-length security labels are invalid but kernel should handle them. This patch fixes kernel panic after setting zero-length security labels: # attr -S -s "SMACK64" -V "" file And after writing zero-length string into smackfs files syslog and onlycp: # python -c 'import os; os.write(1, "")' > /smack/syslog The problem is caused by brain-damaged logic in function smk_parse_smack() which takes pointer to buffer and its length but if length below or equal zero it thinks that the buffer is zero-terminated. Unfortunately callers of this function are widely used and proper fix requires serious refactoring. Signed-off-by: Konstantin Khlebnikov <k.khlebnikov@samsung.com>
2014-08-02Merge branch 'next' of git://git.infradead.org/users/pcmoore/selinux into nextJames Morris1-7/+7
2014-08-01netlabel: shorter names for the NetLabel catmap funcs/structsPaul Moore1-7/+7
Historically the NetLabel LSM secattr catmap functions and data structures have had very long names which makes a mess of the NetLabel code and anyone who uses NetLabel. This patch renames the catmap functions and structures from "*_secattr_catmap_*" to just "*_catmap_*" which improves things greatly. There are no substantial code or logic changes in this patch. Signed-off-by: Paul Moore <pmoore@redhat.com> Tested-by: Casey Schaufler <casey@schaufler-ca.com>
2014-05-06Warning in scanf string typingToralf Förster1-1/+1
This fixes a warning about the mismatch of types between the declared unsigned and integer. Signed-off-by: Toralf Förster <toralf.foerster@gmx.de>