1743 Commits

Author SHA1 Message Date
John Johansen
1287fc5333 UBUNTU: SAUCE: (no-up) apparmor: Sync to apparmor3 - RC1 snapshot
This is a sync and squash to the apparmor 3 RC 1 development snapshot.
The set of patches in this squash are available at the apparmor-3.RC1
tag in git://kernel.ubuntu.com/jj/ubuntu-utopic.git.

This cleans up several functions over the alpha6 sync, and includes
multiple bug fixes. In addition it picks up
- new network mediation
- fine grained mediation of all unix socket types

In addition to the apparmor 3 RC 1 sync this contains the backport patch
series for the 3.4 goldfish kernel
- apparmor: 3.4 backport alias file_open 83d49856
- apparmor: 3.4 backport fake no_new_privs 259e5e6c
- apparmor: 3.4 backport cap_mmap_addr d007794a
- apparmor: 3.4 backport revert file_mmap e5467859
- apparmor: 3.5 backport dentry_open params 765927b2
- apparmor: 3.6 backport provide replace_fd 8280d161
- apparmor: 3.6 backport provide iterate_fd c3c073f8
- apparmor: 3.6 backport remove const from sb_mount 808d4e3c
- apparmor: 3.6 backport kuid_t support for audit 2db81452
- apparmor: 3.6 backport define kuid_t d2b31ca64
- apparmor: 3.6 backport revert uapi for resnames 8a1ab315
- apparmor: 3.6 backport revert uapi for capnames 43c422ed
- apparmor: 3.8 backport provide file_inode helper 496ad9aa
- apparmor: 3.10 backport revert no delay vfree()
- apparmor: 3.11 backport revert module/lsm: Have apparm 5265fc62
- apparmor: 3.12 backport mtd: Move major number f83c3838
- apparmor: 3.15 backport revert nick kvfree() from apparmor
- apparmor: backport setup base backport files

BugLink: http://bugs.launchpad.net/bugs/1362199

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
2014-09-19 09:09:26 -06:00
Tim Gardner
e08362475d Revert "UBUNTU: SAUCE: (no-up) apparmor: Sync to apparmor 3 - alpha 6 snapshot"
This reverts commit 77efcea8b0.
2014-09-19 09:09:11 -06:00
Tyler Hicks
cd0c514510 Revert "UBUNTU: SAUCE: (no-up) apparmor: fix apparmor spams log with warning message"
This reverts commit 4921af6dca20554e3e822cec0a1e6c01bc4314fe.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
2014-09-19 06:52:04 -06:00
Tyler Hicks
7013a43a69 Revert "UBUNTU: SAUCE: (no-up) apparmor: fix refcount bug in apparmor pivotroot"
This reverts commit 845b296af26ca48f2a17d969d43c94ece93d70c1.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
2014-09-19 06:52:04 -06:00
Tyler Hicks
06bfdad1f4 Revert "UBUNTU: SAUCE: (no-up) apparmor: fix apparmor refcount bug in apparmor_kill"
This reverts commit c4629eb28f46a79b0101217d866ea412f6a4d36f.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
2014-09-19 06:52:04 -06:00
Tyler Hicks
eef331958c Revert "UBUNTU: SAUCE: (no-up) apparmor: fix bug that constantly spam the console"
This reverts commit dcbf9136c854827b965474787959f5914ab68cdf.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
2014-09-19 06:52:04 -06:00
Tyler Hicks
64bc544310 Revert "UBUNTU: SAUCE: (no-up) apparmor: use custom write_is_locked macro"
This reverts commit 318b13be3b658e7f1461633d0ad91921d44639d7.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
2014-09-19 06:52:04 -06:00
Tyler Hicks
4cd9463019 Revert "UBUNTU: SAUCE: (no-up) apparmor fix: remove unused cxt var for unix_sendmsg"
This reverts commit cd1cab56ab33eadc15ebb9e4e85e96ecd2f68dd9.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
2014-09-19 06:52:03 -06:00
Tyler Hicks
d59e028e68 Revert "UBUNTU: SAUCE: (no-up) apparmor: fix disconnected bind mnts reconnection"
This reverts commit a85d3de7fb44831d4913ae8172343cca244f63ff.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
2014-09-19 06:52:03 -06:00
John Johansen
f83a4ed406 UBUNTU: SAUCE: (no-up) apparmor: fix disconnected bind mnts reconnection
Bind mounts can fail to be properly reconnected when PATH_CONNECT is
specified. Ensure that when PATH_CONNECT is specified the path has
a root.

BugLink: http://bugs.launchpad.net/bugs/1319984

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
2014-06-27 06:30:40 -06:00
John Johansen
b737bc439c UBUNTU: SAUCE: (no-up) apparmor fix: remove unused cxt var for unix_sendmsg
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
2014-06-27 06:30:39 -06:00
John Johansen
6dfb089e16 UBUNTU: SAUCE: (no-up) apparmor: use custom write_is_locked macro
Replace usage of the write_can_lock macro with our own write_is_locked
macro. AppArmor's use of write_can_lock is with AA_BUG statements
to assert the correct lock is being held.

However on non-SMP machines write_can_lock is always true causing
the AA_BUG assert to fail. Define our own macro that can have the
correct semantics for the assert on non-SMP machines.

BugLink: http://bugs.launchpad.net/bugs/1323530

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
2014-06-27 06:30:39 -06:00
Javier Martinez Canillas
9cac646bc9 UBUNTU: SAUCE: (no-up) apparmor: fix bug that constantly spam the console
The apparmor/dbus support needs to allocate buffers in
atomic context (i.e., holding a spinlock). Since that is
not possible, it declares a static per cpu array of
buffers and has accessor macros to get and put buffers.

Since the buffer array is a per cpu variable, it can
only be concurrently accessed by the same cpu and this
can only happen if the kernel is preempted.

So the get_buffers() macro disables preemption with
preempt_disable() so the buffer can be accessed safely.

Grabbing a spinlock also makes the kernel disable
preemption so a raw __get_buffers() function can be used
in this case that does not call preempt_disable().

The raw __get_buffers() function was called from file_path_perm()
since a spinlock was held by the calling revalidate_tty() function.

But this is not the only place where file_path_perm() is called,
it is also called by match_file() which is not in atomic context
and thus doesn't disable preemption before so the __get_buffers()
macro was complaining with a WARN_ON(preempt_count() <= 0) and
spamming the console constantly.

This patch fixes the issue by always calling {get,put}_buffers() since
preempt_{disable,enable}() functions are nestable.

BugLink: http://bugs.launchpad.net/bugs/1323526

Signed-off-by: Javier Martinez Canillas <javier.martinez@collabora.co.uk>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
2014-06-27 06:30:39 -06:00
John Johansen
f5131911fb UBUNTU: SAUCE: (no-up) apparmor: fix apparmor refcount bug in apparmor_kill
This is a fix to code that is not upstream.

There is a race window in the apparmor_kill hook, that may result in a
profile refcount being decremented without a previous increment. This
can result in the profile being freed, while references still exist and
can lead to an oops.

The race window exists for the time after the profile has been replaced
but before the task cred has been updated to the new profile.

BugLink: http://bugs.launchpad.net/bugs/1308764

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
2014-06-27 06:30:38 -06:00
John Johansen
1b8dd160bb UBUNTU: SAUCE: (no-up) apparmor: fix refcount bug in apparmor pivotroot
This is a fix to code that is not upstream.

When the pivotroot check was refactored into the callback fn, putting
of the target fn was not pushed down because target was referenced
by audit_log in the error path. However target will never be set in
the cases when audit_log is called from the error path.

So instead of passing the target value back out of profile_pivotroot
push putting the target reference down as it is not needed in aa_pivotroot.

BugLink: http://bugs.launchpad.net/bugs/1308765

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
2014-06-27 06:30:38 -06:00
John Johansen
d66987475b UBUNTU: SAUCE: (no-up) apparmor: fix apparmor spams log with warning message
This is a fix to code that is not upstream.

Remove label check warning that is enforcing a condition that is not
yet always valid in the trusty version of apparmor. The check leaked
in from later patches in the -dev tree and does not belong in the
trusty code base.

BugLink: http://bugs.launchpad.net/bugs/1308761

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
2014-06-27 06:30:38 -06:00
John Johansen
77efcea8b0 UBUNTU: SAUCE: (no-up) apparmor: Sync to apparmor 3 - alpha 6 snapshot
This is a sync and squash to the apparmor 3 alpha 6 development snapshot
backported from 3.13. The set of patches in this squash are available
in the aa3.0-presquash branch of the dev tree.

Several of the patches in the squash have been submitted upstream.
Several more will be submitted soon, and other parts are still in
active review and development.

This squash will be updated to remove patches as they are pulled
into the upstream tree, and add new patches as they become available
to the stable apparmor dev branch.

In addition to the apparmor 3 sync this contains the backport patch
series for the 3.4 goldfish kernel
- apparmor: backport setup base backport files
- apparmor: 3.12 backport mtd: Move major number f83c3838
- apparmor: 3.11 backport revert module/lsm: Have apparm 5265fc62
- apparmor: 3.10 backport revert no delay vfree()
- apparmor: 3.8 backport provide file_inode helper 496ad9aa
- apparmor: 3.6 backport revert uapi for capnames 43c422ed
- apparmor: 3.6 backport revert uapi for resnames 8a1ab315
- apparmor: 3.6 backport define kuid_t d2b31ca64
- apparmor: 3.6 backport kuid_t support for audit 2db81452
- apparmor: 3.6 backport remove const from sb_mount 808d4e3c
- apparmor: 3.6 backport provide iterate_fd c3c073f8
- apparmor: 3.6 backport provide replace_fd 8280d161
- apparmor: 3.5 backport dentry_open params 765927b2
- apparmor: 3.4 backport revert file_mmap e5467859
- apparmor: 3.4 backport cap_mmap_addr d007794a
- apparmor: 3.4 backport fake no_new_privs 259e5e6c
- apparmor: 3.4 backport alias file_open 83d49856

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
2014-06-27 06:30:37 -06:00
John Johansen
c47175ed2c Revert "UBUNTU: SAUCE: (no-up) apparmor: Sync to apparmor 3 - alpha 4 snapshot"
This reverts commit 1992ec6ce4.

Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
2014-06-27 06:30:37 -06:00
John Johansen
b5e55a1f1e Revert "UBUNTU: SAUCE: apparmor: fix unix domain sockets to be mediated on connection"
This reverts commit 69e4498aa1.

Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
2014-06-27 06:30:36 -06:00
John Johansen
0cc9d1d8f5 Revert "UBUNTU: SAUCE: apparmor: allocate path lookup buffers during init"
This reverts commit 905491ccf3.

Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
2014-06-27 06:30:36 -06:00
John Johansen
e8e8633aec Revert "UBUNTU: SAUCE: apparmor: fix memleak of the profile hash"
This reverts commit 685044db97.

Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
2014-06-27 06:30:36 -06:00
John Johansen
7bf3e4b11f Revert "UBUNTU: SAUCE: apparmor: fix memleak of replacedby struct"
This reverts commit 1deb91e912.

Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
2014-06-27 06:30:35 -06:00
John Johansen
ca550532ca Revert "UBUNTU: SAUCE: apparmor: fix bad lock balance when introspecting policy"
This reverts commit 0ea99ca65a.

Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
2014-06-27 06:30:35 -06:00
Kees Cook
23971e016f UBUNTU: SAUCE: (no-up) Yama: add link restrictions
Add symlink and hardlink restrictions that have shown real-world security
benefits, along with sysctl knobs to control them.

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
[tyhicks: forward ported from Quantal]
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Andy Whitcroft <apw@canonical.com>
2014-02-06 13:56:42 +00:00
Kees Cook
c2e64465fe security: allow Yama to be unconditionally stacked
Unconditionally call Yama when CONFIG_SECURITY_YAMA_STACKED is selected,
no matter what LSM module is primary.

Ubuntu and Chrome OS already carry patches to do this, and Fedora
has voiced interest in doing this as well. Instead of having multiple
distributions (or LSM authors) carrying these patches, just allow Yama
to be called unconditionally when selected by the new CONFIG.

Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Serge E. Hallyn <serge.hallyn@canonical.com>
Acked-by: Eric Paris <eparis@redhat.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>

(cherry picked from c6993e4ac002c92bc75379212e9179c36d4bf7ee)
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Andy Whitcroft <apw@canonical.com>
2014-02-06 13:56:40 +00:00
Kees Cook
49b9d3f279 Yama: higher restrictions should block PTRACE_TRACEME
The higher ptrace restriction levels should be blocking even
PTRACE_TRACEME requests. The comments in the LSM documentation are
misleading about when the checks happen (the parent does not go through
security_ptrace_access_check() on a PTRACE_TRACEME call).

Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org # 3.5.x and later
Signed-off-by: James Morris <james.l.morris@oracle.com>

(cherry picked from 9d8dad742ad1c74d7e7210ee05d0b44961d5ea16)
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Andy Whitcroft <apw@canonical.com>
2014-02-06 13:56:37 +00:00
Kees Cook
2aaebc45ac Yama: add additional ptrace scopes
This expands the available Yama ptrace restrictions to include two more
modes. Mode 2 requires CAP_SYS_PTRACE for PTRACE_ATTACH, and mode 3
completely disables PTRACE_ATTACH (and locks the sysctl).

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: James Morris <james.l.morris@oracle.com>

(cherry picked from 389da25f93eea8ff64181ae7e3e87da68acaef2e)
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Andy Whitcroft <apw@canonical.com>
2014-02-06 13:56:35 +00:00
John Johansen
0ea99ca65a UBUNTU: SAUCE: apparmor: fix bad lock balance when introspecting policy
BugLink: http://bugs.launchpad.net/bugs/1235977

The profile introspection seq file has a locking bug when policy is viewed
from a virtual root (task in a policy namespace, introspection from the
real root is not affected).

The test for root
    while (parent) {
is correct for the real root, but incorrect for tasks in a policy namespace.
This allows the task to walk back up the policy tree past its virtual root
causing it to be unlocked before the virtual root should be in the p_stop
fn.

This results in the following lockdep back trace:
[   78.479744] [ BUG: bad unlock balance detected! ]
[   78.479792] 3.11.0-11-generic #17 Not tainted
[   78.479838] -------------------------------------
[   78.479885] grep/2223 is trying to release lock (&ns->lock) at:
[   78.479952] [<ffffffff817bf3be>] mutex_unlock+0xe/0x10
[   78.480002] but there are no more locks to release!
[   78.480037]
[   78.480037] other info that might help us debug this:
[   78.480037] 1 lock held by grep/2223:
[   78.480037]  #0:  (&p->lock){+.+.+.}, at: [<ffffffff812111bd>] seq_read+0x3d/0x3d0
[   78.480037]
[   78.480037] stack backtrace:
[   78.480037] CPU: 0 PID: 2223 Comm: grep Not tainted 3.11.0-11-generic #17
[   78.480037] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[   78.480037]  ffffffff817bf3be ffff880007763d60 ffffffff817b97ef ffff8800189d2190
[   78.480037]  ffff880007763d88 ffffffff810e1c6e ffff88001f044730 ffff8800189d2190
[   78.480037]  ffffffff817bf3be ffff880007763e00 ffffffff810e5bd6 0000000724fe56b7
[   78.480037] Call Trace:
[   78.480037]  [<ffffffff817bf3be>] ? mutex_unlock+0xe/0x10
[   78.480037]  [<ffffffff817b97ef>] dump_stack+0x54/0x74
[   78.480037]  [<ffffffff810e1c6e>] print_unlock_imbalance_bug+0xee/0x100
[   78.480037]  [<ffffffff817bf3be>] ? mutex_unlock+0xe/0x10
[   78.480037]  [<ffffffff810e5bd6>] lock_release_non_nested+0x226/0x300
[   78.480037]  [<ffffffff817bf2fe>] ? __mutex_unlock_slowpath+0xce/0x180
[   78.480037]  [<ffffffff817bf3be>] ? mutex_unlock+0xe/0x10
[   78.480037]  [<ffffffff810e5d5c>] lock_release+0xac/0x310
[   78.480037]  [<ffffffff817bf2b3>] __mutex_unlock_slowpath+0x83/0x180
[   78.480037]  [<ffffffff817bf3be>] mutex_unlock+0xe/0x10
[   78.480037]  [<ffffffff81376c91>] p_stop+0x51/0x90
[   78.480037]  [<ffffffff81211408>] seq_read+0x288/0x3d0
[   78.480037]  [<ffffffff811e9d9e>] vfs_read+0x9e/0x170
[   78.480037]  [<ffffffff811ea8cc>] SyS_read+0x4c/0xa0
[   78.480037]  [<ffffffff817ccc9d>] system_call_fastpath+0x1a/0x1f

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andy Whitcroft <apw@canonical.com>
2014-01-09 07:43:55 -07:00
John Johansen
1deb91e912 UBUNTU: SAUCE: apparmor: fix memleak of replacedby struct
BugLink: http://bugs.launchpad.net/bugs/1235973

This fixes the following kmemleak trace:
unreferenced object 0xffff8800245476d8 (size 16):
  comm "apparmor_parser", pid 14163, jiffies 4295196456 (age 3312.192s)
  hex dump (first 16 bytes):
    01 00 00 00 00 00 00 00 30 00 89 3d 00 88 ff ff  ........0..=....
  backtrace:
    [<ffffffff817a99ae>] kmemleak_alloc+0x4e/0xb0
    [<ffffffff811c98b6>] kmem_cache_alloc_trace+0xe6/0x260
    [<ffffffff81386d97>] aa_alloc_replacedby+0x27/0x80
    [<ffffffff8137f1fc>] aa_replace_profiles+0x48c/0xd80
    [<ffffffff813769ea>] profile_load+0x3a/0x60
    [<ffffffff811e9f2d>] vfs_write+0xbd/0x1e0
    [<ffffffff811ea96c>] SyS_write+0x4c/0xa0
    [<ffffffff817cccdd>] system_call_fastpath+0x1a/0x1f
    [<ffffffffffffffff>] 0xffffffffffffffff

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andy Whitcroft <apw@canonical.com>
2014-01-09 07:43:55 -07:00
John Johansen
685044db97 UBUNTU: SAUCE: apparmor: fix memleak of the profile hash
BugLink: http://bugs.launchpad.net/bugs/1235523

This fixes the following kmemleak trace:
unreferenced object 0xffff8801e8c35680 (size 32):
  comm "apparmor_parser", pid 691, jiffies 4294895667 (age 13230.876s)
  hex dump (first 32 bytes):
    e0 d3 4e b5 ac 6d f4 ed 3f cb ee 48 1c fd 40 cf  ..N..m..?..H..@.
    5b cc e9 93 00 00 00 00 00 00 00 00 00 00 00 00  [...............
  backtrace:
    [<ffffffff817a97ee>] kmemleak_alloc+0x4e/0xb0
    [<ffffffff811ca9f3>] __kmalloc+0x103/0x290
    [<ffffffff8138acbc>] aa_calc_profile_hash+0x6c/0x150
    [<ffffffff8138074d>] aa_unpack+0x39d/0xd50
    [<ffffffff8137eced>] aa_replace_profiles+0x3d/0xd80
    [<ffffffff81376937>] profile_replace+0x37/0x50
    [<ffffffff811e9f2d>] vfs_write+0xbd/0x1e0
    [<ffffffff811ea96c>] SyS_write+0x4c/0xa0
    [<ffffffff817ccb1d>] system_call_fastpath+0x1a/0x1f
    [<ffffffffffffffff>] 0xffffffffffffffff

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andy Whitcroft <apw@canonical.com>
2014-01-09 07:43:55 -07:00
John Johansen
905491ccf3 UBUNTU: SAUCE: apparmor: allocate path lookup buffers during init
BugLink: http://bugs.launchpad.net/bugs/1208988
dependency of: fix unix domain sockets to be mediated on connection
               needed to fix sleep in atomic context

Dynamically allocating buffers to store the path lookup slows mediation
down, and may require being able to sleep or accept failure of buffer
allocation. Handling fd inheritance during committing_creds, and unix
domain sockets can't fail nor can it sleep to do an allocation, so it
requires having preallocated buffers.

So add support for preallocated buffers and convert everything that
can be to use them.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andy Whitcroft <apw@canonical.com>
2014-01-09 07:43:55 -07:00
John Johansen
69e4498aa1 UBUNTU: SAUCE: apparmor: fix unix domain sockets to be mediated on connection
BugLink: http://bugs.launchpad.net/bugs/1208988

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andy Whitcroft <apw@canonical.com>
2014-01-09 07:43:54 -07:00
John Johansen
1992ec6ce4 UBUNTU: SAUCE: (no-up) apparmor: Sync to apparmor 3 - alpha 4 snapshot
This is a sync and squash to the apparmor 3 alpha 4 development snapshot
backported from 3.12. The set of patches in this squash are available
in the aa3.0-presquash branch of the dev tree.

Several of the patches in the squash have been submitted upstream.
Several more will be submitted soon, and other parts are still in
active review and development.

This squash will be updated to remove patches as they are pulled
into the upstream tree, and add new patches as they become available
to the stable apparmor dev branch.

In addition to the apparmor 3 sync this contains the backport patch
series for the 3.4 manta kernel
- apparmor: 3.10 backport revert no delay vfree()
- apparmor: 3.8 backport provide file_inode helper 496ad9aa
- apparmor: 3.6 backport revert uapi for capnames 43c422ed
- apparmor: 3.6 backport revert uapi for resnames 8a1ab315
- apparmor: 3.6 backport define kuid_t d2b31ca64
- apparmor: 3.6 backport kuid_t support for audit 2db81452
- apparmor: 3.6 backport remove const from sb_mount 808d4e3c
- apparmor: 3.4 backport revert file_mmap e5467859
- apparmor: 3.4 backport cap_mmap_addr d007794a
- apparmor: 3.4 backport fake no_new_privs 259e5e6c
- apparmor: 3.4 backport revert task audi_data 0972c74e
- apparmor: 3.4 backport alias file_open 83d49856
- UBUNTU: SAUCE: (no-up) apparmor: update config options

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
2014-01-09 07:43:54 -07:00
John Johansen
079cd551d0 Revert "UBUNTU SAUCE: apparmor: 3.4 backport of apparmor3"
This reverts commit 4191785f19cdfe6472162e11d22f604b9ebefc42.

Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
2014-01-09 07:43:54 -07:00
John Johansen
e991a56d0a Revert "UBUNTU: SAUCE: (no-up) apparmor: fix apparmor module status for none root users"
This reverts commit 33a2c58fbbb1f2742a0245965a3484cc39fdeebf.

Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
2014-01-09 07:43:53 -07:00
John Johansen
522c25b5ab UBUNTU: SAUCE: (no-up) apparmor: fix apparmor module status for none root users
This fixes a bug in the current apparmor3 alpha2 sync, where non-root
users cannot query whether the apparmor module is enabled. It has been
incorporated into the apparmor dev tree and will be integrated as part
of the next sync, at which point this patch will be reverted.

BugLink: http://bugs.launchpad.net/bugs/1199912

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
2014-01-09 07:43:52 -07:00
John Johansen
987121b8fe UBUNTU SAUCE: apparmor: 3.4 backport of apparmor3
This is a squash of the following commits from the branch
  v3.4-backport-of-apparmor3

Signed-off-by: John Johansen <john.johansen@canonical.com>

----------------------------------------------------------------

sync to Linux 3.10 apparmor

UBUNTU SAUCE: apparmor: sync apparmor3 dev snapshot

----------------------------------------------------------------
John Johansen (67):
      apparmor: fix auditing of domain transition failures due to incomplete policy
      apparmor: Remove -W1 warnings
      apparmor: refactor profile mode macros
      apparmor: fix error code to failure message mapping for name lookup
      apparmor: add utility function to get an arbitrary tasks profile.
      apparmor: add kvzalloc to handle zeroing for kvmalloc
      apparmor: use common fn to clear task_context for domain transitions
      apparmor: remove "permipc" command
      apparmor: relax the restrictions on setting rlimits
      apparmor: misc cleanup of match
      apparmor: move perm defines into policy_unpack
      apparmor: remove sid from profiles
      apparmor: move the free_profile fn ahead of aa_alloc_profile
      apparmor: reserve and mask off the top 8 bits of the base field
      apparmor: fix the audit type table
      apparmor: add a features/policy dir to interface
      apparmor: Fix smatch warning in aa_remove_profiles
      apparmor: fix sparse warnings
      apparmor: localize getting the security context to a few macros
      apparmor: fix setprocattr arg processing for onexec
      apparmor: fix fully qualified name parsing
      apparmor: enable users to query whether apparmor is enabled
      apparmor: provide base for multiple profiles to be replaced at once
      apparmor: convert profile lists to RCU based locking
      apparmor: change how profile replacement update is done
      apparmor: update how unconfined is handled
      apparmor: fix namespace to be freeded via RCU
      apparmor: rework namespace free path
      apparmor: make free_profile available outside of policy.c
      apparmor: allow setting any profile into the unconfined state
      apparmor: provide the ability to boot with a default profile set on init
      apparmor: fix fs extry display for default profile
      apparmor: Add interface files for profiles and namespaces
      FIX: collapse aa_fs_entry to a single entry instead of a null terminated array
      apparmor: merge profile mode names
      apparmor: fix the locking etc. in the new policy interface
      apparmor: add an optional profile attachment string
      apparmor: Add profile introspection file to interface
      apparmor: update compatibility patch for RCU locking
      FIX: more fixes to aafs/profiles file
      apparmor: reuse name string from previous profile
      apparmor: add basic support for implicit labeling of files
      apparmor: directly free a label if it has not been added to a labelset
      FIX: ensure label is only inserted if not already in tree
      apparmor: baby step - now add labels to the labelset trees
      FIX: ensure all profiles get added to the correct lists
      apparmor: move replacedby to use labels instead of profiles
      apparmor: introduce using labels from contexts
      apparmor: add abilitiy to print labels and update interface to use
      apparmor: rework auditing to use the label
      apparmor: audit the profile and namespace for all messages
      apparmor: treat each task as if the label can have mutiple entries
      apparmor: use most recent label available, when possible.
      apparmor: remove FLAG_MEDIATE_DELETED
      apparmor: move aa_label_insert
      apparmor: add a log fn to generate log message for each profile in a label
      apparmor: add helper for getting the newest profile
      apparmor: add the ability to create a new label based on merging 2 labels
      apparmor: invalidate compound labels, and replace
      apparmor: set up base labeling on sockets
      apparmor: Add the ability to mediate mount
      apparmor: convert mount to label instead of profile
      apparmor: treat mount as if each task may have multi-profile labels
      apparmor: implement profile-based query interface in      apparmorfs
      apparmor: update profile permission query interface to use labels
      apparmor: fix returning -einval when should be no perms on query interface
      apparmor: add a features/dbus dir to securityfs interface

 security/apparmor/.gitignore              |    1 +
 security/apparmor/Kconfig                 |   35 ++
 security/apparmor/Makefile                |   42 ++-
 security/apparmor/apparmorfs.c            |  757 +++++++++++++++++++++++++++++++++++++-
 security/apparmor/audit.c                 |   30 +-
 security/apparmor/context.c               |  122 ++++---
 security/apparmor/domain.c                |  123 ++++---
 security/apparmor/file.c                  |  173 +++++----
 security/apparmor/include/apparmor.h      |   58 ++-
 security/apparmor/include/apparmorfs.h    |   39 ++
 security/apparmor/include/audit.h         |   21 +-
 security/apparmor/include/context.h       |  158 +++++---
 security/apparmor/include/domain.h        |    2 +
 security/apparmor/include/file.h          |   23 +-
 security/apparmor/include/ipc.h           |    4 +-
 security/apparmor/include/label.h         |  325 +++++++++++++++++
 security/apparmor/include/match.h         |   21 +-
 security/apparmor/include/mount.h         |   54 +++
 security/apparmor/include/net.h           |   54 +++
 security/apparmor/include/path.h          |    2 +-
 security/apparmor/include/policy.h        |  214 ++++++-----
 security/apparmor/include/policy_unpack.h |   21 +-
 security/apparmor/include/procattr.h      |    3 +-
 security/apparmor/include/resource.h      |    4 +-
 security/apparmor/include/sid.h           |    4 +-
 security/apparmor/ipc.c                   |   48 +--
 security/apparmor/label.c                 | 1626 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 security/apparmor/lib.c                   |   37 +-
 security/apparmor/lsm.c                   |  645 ++++++++++++++++++++++++++++-----
 security/apparmor/match.c                 |   23 +-
 security/apparmor/mount.c                 |  704 ++++++++++++++++++++++++++++++++++++
 security/apparmor/net.c                   |  169 +++++++++
 security/apparmor/path.c                  |    2 +-
 security/apparmor/policy.c                |  871 +++++++++++++++++++++++++++-----------------
 security/apparmor/policy_unpack.c         |  188 ++++++++--
 security/apparmor/procattr.c              |   57 +--
 security/apparmor/resource.c              |   91 +++--
 37 files changed, 5790 insertions(+), 961 deletions(-)
 create mode 100644 security/apparmor/include/label.h
 create mode 100644 security/apparmor/include/mount.h
 create mode 100644 security/apparmor/include/net.h
 create mode 100644 security/apparmor/label.c
 create mode 100644 security/apparmor/mount.c
 create mode 100644 security/apparmor/net.c

UBUNTU SAUCE: apparmor: 3.8 backport provide file_inode helper 496ad9aa

support changes from commit 496ad9aa8ef448058e36ca7a787c61f2e63f0f54

UBUNTU SAUCE: apparmor: 3.6 backport revert uapi for capnames 43c422ed

partial revert of 43c422eda99b894f18d1cca17bcd2401efaf7bd0

UBUNTU SAUCE: apparmor: 3.6 backport revert uapi for resnames 8a1ab315

partial revert 8a1ab3155c2ac7fbe5f2038d6e26efeb607a1498

UBUNTU SAUCE: apparmor: 3.6 backport define kuid_t d2b31ca64

support changes from commit d2b31ca644fdc8704de3367a6a56a5c958c77f53

UBUNTU SAUCE: apparmor: 3.6 backport kuid_t support for audit 2db81452

support changes from commit 2db81452931eb51cc739d6e495cf1bd4860c3c99

UBUNTU SAUCE: apparmor: 3.6 backport remove const from sb_mount 808d4e3c

partial revert of 808d4e3cfdcc52b19276175464f6dbca4df13b09

UBUNTU SAUCE: apparmor: 3.4 backport revert file_mmap e5467859

partial revert of e5467859f7f79b69fc49004403009dfdba3bec53

UBUNTU SAUCE: apparmor: 3.4 backport cap_mmap_addr d007794a

support changes from d007794a182bc072a7b7479909dbd0d67ba341be

UBUNTU SAUCE: apparmor: 3.4 backport fake no_new_privs 259e5e6c

support interface from 259e5e6c75a910f3b5e656151dc602f53f9d7548
                       c29bceb3967398cf2ac8bf8edf9634fdb722df7d

UBUNTU SAUCE: apparmor: 3.4 backport alias file_open 83d49856

add support for 83d498569e9a7a4b92c4c5d3566f2d6a604f28c9
2014-01-09 07:43:49 -07:00
Stephen Smalley
238699cab1 Add security hooks to binder and implement the hooks for SELinux.
Add security hooks to the binder and implement the hooks for SELinux.
The security hooks enable security modules such as SELinux to implement
controls over binder IPC.  The security hooks include support for
controlling what process can become the binder context manager
(binder_set_context_mgr), controlling the ability of a process
to invoke a binder transaction/IPC to another process (binder_transaction),
controlling the ability of a process to transfer a binder reference to
another process (binder_transfer_binder), and controlling the ability
of a process to transfer an open file to another process (binder_transfer_file).

This support is used by SE Android, http://selinuxproject.org/page/SEAndroid.

Change-Id: I9a64a87825df2e60b9c51400377af4a9cd1c4049
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-04-18 16:08:08 -07:00
Tushar Behera
e9a85c71af security: Add proper checks for Android specific capability checks
Commit b641072 ("security: Add AID_NET_RAW and AID_NET_ADMIN capability
check in cap_capable().") introduces additional checks for AID_NET_xxx
macros. Since the header file including those macros is conditionally
included, the checks should also be conditionally executed.

Change-Id: Iaec5208d5b95a46b1ac3f2db8449c661e803fa5b
Signed-off-by: Tushar Behera <tushar.behera@linaro.org>
Signed-off-by: Andrey Konovalov <andrey.konovalov@linaro.org>
2012-05-07 18:04:12 -07:00
Colin Cross
957265bd4f Merge commit 'v3.4-rc4' into android-3.4
2012-04-27 14:03:45 -07:00
Colin Cross
ab2965eefe Merge commit 'v3.4-rc3' into android-3.4
Conflicts:
	drivers/staging/android/lowmemorykiller.c

Change-Id: Ia3ffcfc702e28c4fce0e91b363f4afd5f1c40306
2012-04-19 14:42:22 -07:00
Jonghwan Choi
51b79bee62 security: fix compile error in commoncap.c
Add missing "personality.h"
security/commoncap.c: In function 'cap_bprm_set_creds':
security/commoncap.c:510: error: 'PER_CLEAR_ON_SETID' undeclared (first use in this function)
security/commoncap.c:510: error: (Each undeclared identifier is reported only once
security/commoncap.c:510: error: for each function it appears in.)

Signed-off-by: Jonghwan Choi <jhbird.choi@samsung.com>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
2012-04-19 12:56:39 +10:00
Eric Paris
d52fc5dde1 fcaps: clear the same personality flags as suid when fcaps are used
If a process increases permissions using fcaps all of the dangerous
personality flags which are cleared for suid apps should also be cleared.
Thus programs given privilege with fcaps will continue to have address space
randomization enabled even if the parent tried to disable it to make it
easier to attack.

Signed-off-by: Eric Paris <eparis@redhat.com>
Reviewed-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
2012-04-18 12:37:56 +10:00
Casey Schaufler
86812bb0de Smack: move label list initialization
A kernel with Smack enabled will fail if tmpfs has xattr support.

Move the initialization of predefined Smack label
list entries to the LSM initialization from the
smackfs setup. This became an issue when tmpfs
acquired xattr support, but was never correct.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
2012-04-18 12:02:28 +10:00
Kees Cook
923e9a1399 Smack: build when CONFIG_AUDIT not defined
This fixes builds where CONFIG_AUDIT is not defined and
CONFIG_SECURITY_SMACK=y.

This got introduced by the stack-usage reduction commit 48c62af68a
("LSM: shrink the common_audit_data data union").

Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-04-10 16:14:40 -07:00
Chia-chi Yeh
0432013eb1 security: Add AID_NET_RAW and AID_NET_ADMIN capability check in cap_capable().
Signed-off-by: Chia-chi Yeh <chiachi@android.com>
2012-04-09 13:57:47 -07:00
Linus Torvalds
b61c37f579 lsm_audit: don't specify the audit pre/post callbacks in 'struct common_audit_data'
It just bloats the audit data structure for no good reason, since the
only time those fields are filled are just before calling the
common_lsm_audit() function, which is also the only user of those
fields.

So just make them be the arguments to common_lsm_audit(), rather than
bloating that structure that is passed around everywhere, and is
initialized in hot paths.

Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-04-03 09:49:59 -07:00
Eric Paris
3f0882c482 SELinux: do not allocate stack space for AVC data unless needed
Instead of declaring the entire selinux_audit_data on the stack when we
start an operation only declare it on the stack if we are going to use it.
We know its usefulness at the end of the security decision and can declare
it there.

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-04-03 09:49:41 -07:00
Eric Paris
f8294f1144 SELinux: remove avd from slow_avc_audit()
We don't use the argument, so remove it.

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-04-03 09:49:10 -07:00
Eric Paris
7f6a47cf14 SELinux: remove avd from selinux_audit_data
We do not use it.  Remove it.

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-04-03 09:49:10 -07:00