summaryrefslogtreecommitdiffstats
path: root/security/apparmor
AgeCommit message (Collapse)Author
2012-05-31split ->file_mmap() into ->mmap_addr()/->mmap_file()Al Viro
... i.e. file-dependent and address-dependent checks. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2012-05-31split cap_mmap_addr() out of cap_file_mmap()Al Viro
... switch callers. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2012-05-22Merge branch 'master' of git://git.infradead.org/users/eparis/selinux into nextJames Morris
Per pull request, for 3.5.
2012-05-18apparmor: fix long path failure due to disconnected pathJohn Johansen
BugLink: http://bugs.launchpad.net/bugs/955892 All failures from __d_path where being treated as disconnected paths, however __d_path can also fail when the generated pathname is too long. The initial ENAMETOOLONG error was being lost, and ENAMETOOLONG was only returned if the subsequent dentry_path call resulted in that error. Other wise if the path was split across a mount point such that the dentry_path fit within the buffer when the __d_path did not the failure was treated as a disconnected path. Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-05-18apparmor: fix profile lookup for unconfinedJohn Johansen
BugLink: http://bugs.launchpad.net/bugs/978038 also affects apparmor portion of BugLink: http://bugs.launchpad.net/bugs/987371 The unconfined profile is not stored in the regular profile list, but change_profile and exec transitions may want access to it when setting up specialized transitions like switch to the unconfined profile of a new policy namespace. Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-04-14Fix execve behavior apparmor for PR_{GET,SET}_NO_NEW_PRIVSJohn Johansen
Add support for AppArmor to explicitly fail requested domain transitions if NO_NEW_PRIVS is set and the task is not unconfined. Transitions from unconfined are still allowed because this always results in a reduction of privileges. Acked-by: Eric Paris <eparis@redhat.com> Signed-off-by: Will Drewry <wad@chromium.org> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andy Lutomirski <luto@amacapital.net> v18: new acked-by, new description Signed-off-by: James Morris <james.l.morris@oracle.com>
2012-04-14Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privsAndy Lutomirski
With this change, calling prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) disables privilege granting operations at execve-time. For example, a process will not be able to execute a setuid binary to change their uid or gid if this bit is set. The same is true for file capabilities. Additionally, LSM_UNSAFE_NO_NEW_PRIVS is defined to ensure that LSMs respect the requested behavior. To determine if the NO_NEW_PRIVS bit is set, a task may call prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0); It returns 1 if set and 0 if it is not set. If any of the arguments are non-zero, it will return -1 and set errno to -EINVAL. (PR_SET_NO_NEW_PRIVS behaves similarly.) This functionality is desired for the proposed seccomp filter patch series. By using PR_SET_NO_NEW_PRIVS, it allows a task to modify the system call behavior for itself and its child tasks without being able to impact the behavior of a more privileged task. Another potential use is making certain privileged operations unprivileged. For example, chroot may be considered "safe" if it cannot affect privileged tasks. Note, this patch causes execve to fail when PR_SET_NO_NEW_PRIVS is set and AppArmor is in use. It is fixed in a subsequent patch. Signed-off-by: Andy Lutomirski <luto@amacapital.net> Signed-off-by: Will Drewry <wad@chromium.org> Acked-by: Eric Paris <eparis@redhat.com> Acked-by: Kees Cook <keescook@chromium.org> v18: updated change desc v17: using new define values as per 3.4 Signed-off-by: James Morris <james.l.morris@oracle.com>
2012-04-09LSM: do not initialize common_audit_data to 0Eric Paris
It isn't needed. If you don't set the type of the data associated with that type it is a pretty obvious programming bug. So why waste the cycles? Signed-off-by: Eric Paris <eparis@redhat.com>
2012-04-09apparmor: move task from common_audit_data to apparmor_audit_dataEric Paris
apparmor is the only LSM that uses the common_audit_data tsk field. Instead of making all LSMs pay for the stack space move the aa usage into the apparmor_audit_data. Signed-off-by: Eric Paris <eparis@redhat.com>
2012-04-09LSM: remove the COMMON_AUDIT_DATA_INIT type expansionEric Paris
Just open code it so grep on the source code works better. Signed-off-by: Eric Paris <eparis@redhat.com>
2012-04-09SELinux: rename dentry_open to file_openEric Paris
dentry_open takes a file, rename it to file_open Signed-off-by: Eric Paris <eparis@redhat.com>
2012-04-03lsm_audit: don't specify the audit pre/post callbacks in 'struct ↵Linus Torvalds
common_audit_data' It just bloats the audit data structure for no good reason, since the only time those fields are filled are just before calling the common_lsm_audit() function, which is also the only user of those fields. So just make them be the arguments to common_lsm_audit(), rather than bloating that structure that is passed around everywhere, and is initialized in hot paths. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-04-03LSM: shrink sizeof LSM specific portion of common_audit_dataEric Paris
Linus found that the gigantic size of the common audit data caused a big perf hit on something as simple as running stat() in a loop. This patch requires LSMs to declare the LSM specific portion separately rather than doing it in a union. Thus each LSM can be responsible for shrinking their portion and don't have to pay a penalty just because other LSMs have a bigger space requirement. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-03-28apparmor: Fix change_onexec when called from a confined taskJohn Johansen
Fix failure in aa_change_onexec api when the request is made from a confined task. This failure was caused by two problems The AA_MAY_ONEXEC perm was not being mapped correctly for this case. The executable name was being checked as second time instead of using the requested onexec profile name, which may not be the same as the exec profile name. This mistake can not be exploited to grant extra permission because of the above flaw where the ONEXEC permission was not being mapped so it will not be granted. BugLink: http://bugs.launchpad.net/bugs/963756 Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <james.l.morris@oracle.com>
2012-03-19AppArmor: Fix location of const qualifier on generated string tablesTetsuo Handa
Signed-off-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-03-14AppArmor: add const qualifiers to string arraysJan Engelhardt
Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-03-14AppArmor: Add ability to load extended policyJohn Johansen
Add the base support for the new policy extensions. This does not bring any additional functionality, or change current semantics. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Kees Cook <kees@ubuntu.com>
2012-03-14AppArmor: Move path failure information into aa_get_name and renameJohn Johansen
Move the path name lookup failure messages into the main path name lookup routine, as the information is useful in more than just aa_path_perm. Also rename aa_get_name to aa_path_name as it is not getting a reference counted object with a corresponding put fn. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Kees Cook <kees@ubuntu.com>
2012-03-14AppArmor: Update dfa matching routines.John Johansen
Update aa_dfa_match so that it doesn't result in an input string being walked twice (once to get its length and another time to match) Add a single step functions aa_dfa_next Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Kees Cook <kees@ubuntu.com>
2012-03-14AppArmor: Minor cleanup of d_namespace_path to consolidate error handlingJohn Johansen
Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Kees Cook <kees@ubuntu.com>
2012-03-14AppArmor: Retrieve the dentry_path for error reporting when path lookup failsJohn Johansen
When __d_path and d_absolute_path fail due to the name being outside of the current namespace no name is reported. Use dentry_path to provide some hint as to which file was being accessed. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Kees Cook <kees@ubuntu.com>
2012-03-14AppArmor: Add const qualifiers to generated string tablesJohn Johansen
Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-03-14AppArmor: Fix oops in policy unpack auditingJohn Johansen
Post unpacking of policy a verification pass is made on x transition indexes. When this fails a call to audit_iface is made resulting in an oops, because audit_iface is expecting a valid buffer position but since the failure comes from post unpack verification there is none. Make the position argument optional so that audit_iface can be called from post unpack verification. Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-03-14AppArmor: Fix error returned when a path lookup is disconnectedJohn Johansen
The returning of -ESATLE when a path lookup fails as disconnected is wrong. Since AppArmor is rejecting the access return -EACCES instead. This also fixes a bug in complain (learning) mode where disconnected paths are denied because -ESTALE errors are not ignored causing failures that can change application behavior. Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-02-27AppArmor: Fix the error case for chroot relative path name lookupJohn Johansen
When a chroot relative pathname lookup fails it is falling through to do a d_absolute_path lookup. This is incorrect as d_absolute_path should only be used to lookup names for namespace absolute paths. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Kees Cook <kees@ubuntu.com>
2012-02-27AppArmor: fix mapping of META_READ to audit and quiet flagsJohn Johansen
The mapping of AA_MAY_META_READ for the allow mask was also being mapped to the audit and quiet masks. This would result in some operations being audited when the should not. This flaw was hidden by the previous audit bug which would drop some messages that where supposed to be audited. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Kees Cook <kees@ubuntu.com>
2012-02-27AppArmor: Fix underflow in xindex calculationJohn Johansen
If the xindex value stored in the accept tables is 0, the extraction of that value will result in an underflow (0 - 4). In properly compiled policy this should not happen for file rules but it may be possible for other rule types in the future. To exploit this underflow a user would have to be able to load a corrupt policy, which requires CAP_MAC_ADMIN, overwrite system policy in kernel memory or know of a compiler error resulting in the flaw being present for loaded policy (no such flaw is known at this time). Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Kees Cook <kees@ubuntu.com>
2012-02-27AppArmor: Fix dropping of allowed operations that are force auditedJohn Johansen
The audit permission flag, that specifies an audit message should be provided when an operation is allowed, was being ignored in some cases. This is because the auto audit mode (which determines the audit mode from system flags) was incorrectly assigned the same value as audit mode. The shared value would result in messages that should be audited going through a second evaluation as to whether they should be audited based on the auto audit, resulting in some messages being dropped. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Kees Cook <kees@ubuntu.com>
2012-02-27AppArmor: Add mising end of structure test to caps unpackingJohn Johansen
The unpacking of struct capsx is missing a check for the end of the caps structure. This can lead to unpack failures depending on what else is packed into the policy file being unpacked. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Kees Cook <kees@ubuntu.com>
2012-02-27AppArmor: export known rlimit names/value mappings in securityfsKees Cook
Since the parser needs to know which rlimits are known to the kernel, export the list via a mask file in the "rlimit" subdirectory in the securityfs "features" directory. Signed-off-by: Kees Cook <kees@ubuntu.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-02-27AppArmor: add "file" details to securityfsKees Cook
Create the "file" directory in the securityfs for tracking features related to files. Signed-off-by: Kees Cook <kees@ubuntu.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-02-27AppArmor: add initial "features" directory to securityfsKees Cook
This adds the "features" subdirectory to the AppArmor securityfs to display boolean features flags and the known capability mask. Signed-off-by: Kees Cook <kees@ubuntu.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-02-27AppArmor: refactor securityfs to use structuresKees Cook
Use a file tree structure to represent the AppArmor securityfs. Signed-off-by: Kees Cook <kees@ubuntu.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-01-14Merge branch 'for-linus' of git://selinuxproject.org/~jmorris/linux-securityLinus Torvalds
* 'for-linus' of git://selinuxproject.org/~jmorris/linux-security: capabilities: remove __cap_full_set definition security: remove the security_netlink_recv hook as it is equivalent to capable() ptrace: do not audit capability check when outputing /proc/pid/stat capabilities: remove task_ns_* functions capabitlies: ns_capable can use the cap helpers rather than lsm call capabilities: style only - move capable below ns_capable capabilites: introduce new has_ns_capabilities_noaudit capabilities: call has_ns_capability from has_capability capabilities: remove all _real_ interfaces capabilities: introduce security_capable_noaudit capabilities: reverse arguments to security_capable capabilities: remove the task from capable LSM hook entirely selinux: sparse fix: fix several warnings in the security server cod selinux: sparse fix: fix warnings in netlink code selinux: sparse fix: eliminate warnings for selinuxfs selinux: sparse fix: declare selinux_disable() in security.h selinux: sparse fix: move selinux_complete_init selinux: sparse fix: make selinux_secmark_refcount static SELinux: Fix RCU deref check warning in sel_netport_insert() Manually fix up a semantic mis-merge wrt security_netlink_recv(): - the interface was removed in commit fd7784615248 ("security: remove the security_netlink_recv hook as it is equivalent to capable()") - a new user of it appeared in commit a38f7907b926 ("crypto: Add userspace configuration API") causing no automatic merge conflict, but Eric Paris pointed out the issue.
2012-01-13module_param: make bool parameters really bool (drivers & misc)Rusty Russell
module_param(bool) used to counter-intuitively take an int. In fddd5201 (mid-2009) we allowed bool or int/unsigned int using a messy trick. It's time to remove the int/unsigned int option. For this version it'll simply give a warning, but it'll break next kernel version. Acked-by: Mauro Carvalho Chehab <mchehab@redhat.com> Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2012-01-10Merge branch 'for-linus' of git://selinuxproject.org/~jmorris/linux-securityLinus Torvalds
* 'for-linus' of git://selinuxproject.org/~jmorris/linux-security: (32 commits) ima: fix invalid memory reference ima: free duplicate measurement memory security: update security_file_mmap() docs selinux: Casting (void *) value returned by kmalloc is useless apparmor: fix module parameter handling Security: tomoyo: add .gitignore file tomoyo: add missing rcu_dereference() apparmor: add missing rcu_dereference() evm: prevent racing during tfm allocation evm: key must be set once during initialization mpi/mpi-mpow: NULL dereference on allocation failure digsig: build dependency fix KEYS: Give key types their own lockdep class for key->sem TPM: fix transmit_cmd error logic TPM: NSC and TIS drivers X86 dependency fix TPM: Export wait_for_stat for other vendor specific drivers TPM: Use vendor specific function for status probe tpm_tis: add delay after aborting command tpm_tis: Check return code from getting timeouts/durations tpm: Introduce function to poll for result of self test ... Fix up trivial conflict in lib/Makefile due to addition of CONFIG_MPI and SIGSIG next to CONFIG_DQL addition.
2012-01-09Merge branch 'next' into for-linusJames Morris
Conflicts: security/integrity/evm/evm_crypto.c Resolved upstream fix vs. next conflict manually. Signed-off-by: James Morris <jmorris@namei.org>
2012-01-06switch security_path_chmod() to struct path *Al Viro
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2012-01-05capabilities: remove the task from capable LSM hook entirelyEric Paris
The capabilities framework is based around credentials, not necessarily the current task. Yet we still passed the current task down into LSMs from the security_capable() LSM hook as if it was a meaningful portion of the security decision. This patch removes the 'generic' passing of current and instead forces individual LSMs to use current explicitly if they think it is appropriate. In our case those LSMs are SELinux and AppArmor. I believe the AppArmor use of current is incorrect, but that is wholely unrelated to this patch. This patch does not change what AppArmor does, it just makes it clear in the AppArmor code that it is doing it. The SELinux code still uses current in it's audit message, which may also be wrong and needs further investigation. Again this is NOT a change, it may have always been wrong, this patch just makes it clear what is happening. Signed-off-by: Eric Paris <eparis@redhat.com>
2012-01-03switch ->path_mknod() to umode_tAl Viro
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2012-01-03switch ->path_mkdir() to umode_tAl Viro
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2012-01-03switch securityfs_create_file() to umode_tAl Viro
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2012-01-03switch security_path_chmod() to umode_tAl Viro
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2012-01-03btrfs, nfs, apparmor: don't pull mnt_namespace.h for no reason...Al Viro
it's not needed anymore; we used to, back when we had to do mount_subtree() by hand, complete with put_mnt_ns() in it. No more... Apparmor didn't need it since the __d_path() fix. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2011-12-16apparmor: fix module parameter handlingRusty Russell
The 'aabool' wrappers actually pass off to the 'bool' parse functions, so you should use the same check function. Similarly for aauint and uint. (Note that 'bool' module parameters also allow 'int', which is why you got away with this, but that's changing very soon.) Cc: linux-security-module@vger.kernel.org Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> Acked-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <jmorris@namei.org>
2011-12-09apparmor: add missing rcu_dereference()Kees Cook
Adds a missed rcu_dereference() around real_parent. Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <jmorris@namei.org>
2011-12-06fix apparmor dereferencing potentially freed dentry, sanitize __d_path() APIAl Viro
__d_path() API is asking for trouble and in case of apparmor d_namespace_path() getting just that. The root cause is that when __d_path() misses the root it had been told to look for, it stores the location of the most remote ancestor in *root. Without grabbing references. Sure, at the moment of call it had been pinned down by what we have in *path. And if we raced with umount -l, we could have very well stopped at vfsmount/dentry that got freed as soon as prepend_path() dropped vfsmount_lock. It is safe to compare these pointers with pre-existing (and known to be still alive) vfsmount and dentry, as long as all we are asking is "is it the same address?". Dereferencing is not safe and apparmor ended up stepping into that. d_namespace_path() really wants to examine the place where we stopped, even if it's not connected to our namespace. As the result, it looked at ->d_sb->s_magic of a dentry that might've been already freed by that point. All other callers had been careful enough to avoid that, but it's really a bad interface - it invites that kind of trouble. The fix is fairly straightforward, even though it's bigger than I'd like: * prepend_path() root argument becomes const. * __d_path() is never called with NULL/NULL root. It was a kludge to start with. Instead, we have an explicit function - d_absolute_root(). Same as __d_path(), except that it doesn't get root passed and stops where it stops. apparmor and tomoyo are using it. * __d_path() returns NULL on path outside of root. The main caller is show_mountinfo() and that's precisely what we pass root for - to skip those outside chroot jail. Those who don't want that can (and do) use d_path(). * __d_path() root argument becomes const. Everyone agrees, I hope. * apparmor does *NOT* try to use __d_path() or any of its variants when it sees that path->mnt is an internal vfsmount. In that case it's definitely not mounted anywhere and dentry_path() is exactly what we want there. Handling of sysctl()-triggered weirdness is moved to that place. * if apparmor is asked to do pathname relative to chroot jail and __d_path() tells it we it's not in that jail, the sucker just calls d_absolute_path() instead. That's the other remaining caller of __d_path(), BTW. * seq_path_root() does _NOT_ return -ENAMETOOLONG (it's stupid anyway - the normal seq_file logics will take care of growing the buffer and redoing the call of ->show() just fine). However, if it gets path not reachable from root, it returns SEQ_SKIP. The only caller adjusted (i.e. stopped ignoring the return value as it used to do). Reviewed-by: John Johansen <john.johansen@canonical.com> ACKed-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Cc: stable@vger.kernel.org
2011-09-09apparmor: sparse fix: include procattr.h in procattr.cJames Morris
Fix sparse warnings: security/apparmor/procattr.c:35:5: warning: symbol 'aa_getprocattr' was not declared. Should it be static? security/apparmor/procattr.c:113:5: warning: symbol 'aa_setprocattr_changehat' was not declared. Should it be static? security/apparmor/procattr.c:158:5: warning: symbol 'aa_setprocattr_changeprofile' was not declared. Should it be static? security/apparmor/procattr.c:166:5: warning: symbol 'aa_setprocattr_permipc' was not declared. Should it be static? Signed-off-by: James Morris <jmorris@namei.org> Acked-by: John Johansen <john.johansen@canonical.com>
2011-09-09apparmor: sparse fix: rename shadowed variables in policy_unpack.cJames Morris
Fix the following warnings: security/apparmor/policy_unpack.c:384:35: warning: symbol 'size' shadows an earlier one security/apparmor/policy_unpack.c:370:24: originally declared here security/apparmor/policy_unpack.c:443:29: warning: symbol 'tmp' shadows an earlier one security/apparmor/policy_unpack.c:434:21: originally declared here Signed-off-by: James Morris <jmorris@namei.org> Acked-by: John Johansen <john.johansen@canonical.com>
2011-09-09apparmor: sparse fix: add apparmor.h to lib.cJames Morris
Fix the following sparse warnings: security/apparmor/lib.c:37:6: warning: symbol 'aa_split_fqname' was not declared. Should it be static? security/apparmor/lib.c:63:6: warning: symbol 'aa_info_message' was not declared. Should it be static? security/apparmor/lib.c:83:6: warning: symbol 'kvmalloc' was not declared. Should it be static? security/apparmor/lib.c:123:6: warning: symbol 'kvfree' was not declared. Should it be static? Signed-off-by: James Morris <jmorris@namei.org>