aboutsummaryrefslogtreecommitdiffstats
path: root/security
AgeCommit message (Collapse)AuthorFilesLines
2017-01-27ima: allow to check MAY_APPENDLans Zhang2-4/+5
Otherwise some mask and inmask tokens with MAY_APPEND flag may not work as expected. Signed-off-by: Lans Zhang <jia.zhang@windriver.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
2017-01-27ima: fix ima_d_path() possible race with renameMimi Zohar3-6/+24
On failure to return a pathname from ima_d_path(), a pointer to dname is returned, which is subsequently used in the IMA measurement list, the IMA audit records, and other audit logging. Saving the pointer to dname for later use has the potential to race with rename. Intead of returning a pointer to dname on failure, this patch returns a pointer to a copy of the filename. Reported-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Cc: stable@vger.kernel.org
2017-01-27Merge branch 'smack-for-4.11' of git://github.com/cschaufler/smack-next into nextJames Morris3-27/+95
2017-01-24Introduce a sysctl that modifies the value of PROT_SOCK.Krister Johansen1-1/+2
Add net.ipv4.ip_unprivileged_port_start, which is a per namespace sysctl that denotes the first unprivileged inet port in the namespace. To disable all privileged ports set this to zero. It also checks for overlap with the local port range. The privileged and local range may not overlap. The use case for this change is to allow containerized processes to bind to priviliged ports, but prevent them from ever being allowed to modify their container's network configuration. The latter is accomplished by ensuring that the network namespace is not a child of the user namespace. This modification was needed to allow the container manager to disable a namespace's priviliged port restrictions without exposing control of the network namespace to processes in the user namespace. Signed-off-by: Krister Johansen <kjlx@templeofstupid.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2017-01-24exec: Remove LSM_UNSAFE_PTRACE_CAPEric W. Biederman4-5/+4
With previous changes every location that tests for LSM_UNSAFE_PTRACE_CAP also tests for LSM_UNSAFE_PTRACE making the LSM_UNSAFE_PTRACE_CAP redundant, so remove it. Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2017-01-24exec: Test the ptracer's saved cred to see if the tracee can gain capsEric W. Biederman1-1/+2
Now that we have user namespaces and non-global capabilities verify the tracer has capabilities in the relevant user namespace instead of in the current_user_ns(). As the test for setting LSM_UNSAFE_PTRACE_CAP is currently ptracer_capable(p, current_user_ns()) and the new task credentials are in current_user_ns() this change does not have any user visible change and simply moves the test to where it is used, making the code easier to read. Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2017-01-24exec: Don't reset euid and egid when the tracee has CAP_SETUIDEric W. Biederman1-1/+1
Don't reset euid and egid when the tracee has CAP_SETUID in it's user namespace. I punted on relaxing this permission check long ago but now that I have read this code closely it is clear it is safe to test against CAP_SETUID in the user namespace. Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2017-01-19Introduce STATIC_USERMODEHELPER to mediate call_usermodehelper()Greg Kroah-Hartman1-0/+35
Some usermode helper applications are defined at kernel build time, while others can be changed at runtime. To provide a sane way to filter these, add a new kernel option "STATIC_USERMODEHELPER". This option routes all call_usermodehelper() calls through this binary, no matter what the caller wishes to have called. The new binary (by default set to /sbin/usermode-helper, but can be changed through the STATIC_USERMODEHELPER_PATH option) can properly filter the requested programs to be run by the kernel by looking at the first argument that is passed to it. All other options should then be passed onto the proper program if so desired. To disable all call_usermodehelper() calls by the kernel, set STATIC_USERMODEHELPER_PATH to an empty string. Thanks to Neil Brown for the idea of this feature. Cc: NeilBrown <neilb@suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-01-19Make static usermode helper binaries constantGreg Kroah-Hartman1-3/+4
There are a number of usermode helper binaries that are "hard coded" in the kernel today, so mark them as "const" to make it harder for someone to change where the variables point to. Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org> Cc: Thomas Sailer <t.sailer@alumni.ethz.ch> Cc: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com> Cc: Johan Hovold <johan@kernel.org> Cc: Alex Elder <elder@kernel.org> Cc: "J. Bruce Fields" <bfields@fieldses.org> Cc: Jeff Layton <jlayton@poochiereds.net> Cc: David Howells <dhowells@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-01-19LSM: Add /sys/kernel/security/lsmCasey Schaufler9-9/+71
I am still tired of having to find indirect ways to determine what security modules are active on a system. I have added /sys/kernel/security/lsm, which contains a comma separated list of the active security modules. No more groping around in /proc/filesystems or other clever hacks. Unchanged from previous versions except for being updated to the latest security next branch. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Acked-by: John Johansen <john.johansen@canonical.com> Acked-by: Paul Moore <paul@paul-moore.com> Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: James Morris <james.l.morris@oracle.com>
2017-01-16apparmor: fix undefined reference to `aa_g_hash_policy'John Johansen1-1/+1
The kernel build bot turned up a bad config combination when CONFIG_SECURITY_APPARMOR is y and CONFIG_SECURITY_APPARMOR_HASH is n, resulting in the build error security/built-in.o: In function `aa_unpack': (.text+0x841e2): undefined reference to `aa_g_hash_policy' Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: replace remaining BUG_ON() asserts with AA_BUG()John Johansen4-5/+5
AA_BUG() uses WARN and won't break the kernel like BUG_ON(). Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: fix restricted endian type warnings for policy unpackJohn Johansen1-6/+6
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: fix restricted endian type warnings for dfa unpackJohn Johansen2-12/+12
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: add check for apparmor enabled in module parameters missing itJohn Johansen1-0/+10
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: add per cpu work buffers to avoid allocating buffers at every hookJohn Johansen2-1/+103
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: sysctl to enable unprivileged user ns AppArmor policy loadingTyler Hicks2-1/+47
If this sysctl is set to non-zero and a process with CAP_MAC_ADMIN in the root namespace has created an AppArmor policy namespace, unprivileged processes will be able to change to a profile in the newly created AppArmor policy namespace and, if the profile allows CAP_MAC_ADMIN and appropriate file permissions, will be able to load policy in the respective policy namespace. Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: support querying extended trusted helper extra dataWilliam Hua5-0/+245
Allow a profile to carry extra data that can be queried via userspace. This provides a means to store extra data in a profile that a trusted helper can extract and use from live policy. Signed-off-by: William Hua <william.hua@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: update cap audit to check SECURITY_CAP_NOAUDITJohn Johansen1-6/+10
apparmor should be checking the SECURITY_CAP_NOAUDIT constant. Also in complain mode make it so apparmor can elect to log a message, informing of the check. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: make computing policy hashes conditional on kernel parameterJohn Johansen2-29/+32
Allow turning off the computation of the policy hashes via the apparmor.hash_policy kernel parameter. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: convert change_profile to use fqname later to give better controlJohn Johansen5-66/+28
Moving the use of fqname to later allows learning profiles to be based on the fqname request instead of just the hname. It also allows cleaning up some of the name parsing and lookup by allowing the use of the fqlookupn_profile() lib fn. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: fix change_hat debug outputJohn Johansen1-4/+5
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: remove unused op parameter from simple_write_to_buffer()John Johansen1-6/+3
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: change aad apparmor_audit_data macro to a fn macroJohn Johansen12-157/+151
The aad macro can replace aad strings when it is not intended to. Switch to a fn macro so it is only applied when intended. Also at the same time cleanup audit_data initialization by putting common boiler plate behind a macro, and dropping the gfp_t parameter which will become useless. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: change op from int to const char *John Johansen10-126/+76
Having ops be an integer that is an index into an op name table is awkward and brittle. Every op change requires an edit for both the op constant and a string in the table. Instead switch to using const strings directly, eliminating the need for the table that needs to be kept in sync. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: rename context abreviation cxt to the more standard ctxJohn Johansen5-144/+150
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: fail task profile update if current_cred isn't real_credJohn Johansen1-0/+3
Trying to update the task cred while the task current cred is not the real cred will result in an error at the cred layer. Avoid this by failing early and delaying the update. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: add per policy ns .load, .replace, .remove interface filesJohn Johansen2-22/+130
Having per policy ns interface files helps with containers restoring policy. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: pass the subject profile into profile replace/removeJohn Johansen3-16/+21
This is just setup for new ns specific .load, .replace, .remove interface files. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: audit policy ns specified in policy loadJohn Johansen3-24/+77
Verify that profiles in a load set specify the same policy ns and audit the name of the policy ns that policy is being loaded for. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: allow introspecting the loaded policy pre internal transformJohn Johansen8-58/+278
Store loaded policy and allow introspecting it through apparmorfs. This has several uses from debugging, policy validation, and policy checkpoint and restore for containers. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: add ns name to the audit data for policy loadsJohn Johansen2-10/+25
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: add profile and ns params to aa_may_manage_policy()John Johansen3-14/+12
Policy management will be expanded beyond traditional unconfined root. This will require knowning the profile of the task doing the management and the ns view. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: add ns being viewed as a param to policy_admin_capable()John Johansen3-10/+16
Prepare for a tighter pairing of user namespaces and apparmor policy namespaces, by making the ns to be viewed available. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: add ns being viewed as a param to policy_view_capable()John Johansen4-8/+35
Prepare for a tighter pairing of user namespaces and apparmor policy namespaces, by making the ns to be viewed available and checking that the user namespace level is the same as the policy ns level. This strict pairing will be relaxed once true support of user namespaces lands. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: allow specifying the profile doing the managementJohn Johansen1-11/+21
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: allow introspecting the policy namespace nameJohn Johansen1-0/+24
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: Make aa_remove_profile() callable from a different viewJohn Johansen3-5/+7
This is prep work for fs operations being able to remove namespaces. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: track ns level so it can be used to help in view checksJohn Johansen1-0/+1
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: add special .null file used to "close" fds at execJohn Johansen3-1/+81
Borrow the special null device file from selinux to "close" fds that don't have sufficient permissions at exec time. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: provide userspace flag indicating binfmt_elf_mmap changeJohn Johansen1-0/+1
Commit 9f834ec18def ("binfmt_elf: switch to new creds when switching to new mm") changed when the creds are installed by the binfmt_elf handler. This affects which creds are used to mmap the executable into the address space. Which can have an affect on apparmor policy. Add a flag to apparmor at /sys/kernel/security/apparmor/features/domain/fix_binfmt_elf_mmap to make it possible to detect this semantic change so that the userspace tools and the regression test suite can correctly deal with the change. BugLink: http://bugs.launchpad.net/bugs/1630069 Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: add a default null dfaJohn Johansen6-2/+46
Instead of testing whether a given dfa exists in every code path, have a default null dfa that is used when loaded policy doesn't provide a dfa. This will let us get rid of special casing and avoid dereference bugs when special casing is missed. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: allow policydb to be used as the file dfaJohn Johansen1-4/+8
Newer policy will combine the file and policydb dfas, allowing for better optimizations. However to support older policy we need to keep the ability to address the "file" dfa separately. So dup the policydb as if it is the file dfa and set the appropriate start state. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: add get_dfa() fnJohn Johansen1-0/+15
The dfa is currently setup to be shared (has the basis of refcounting) but currently can't be because the count can't be increased. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: prepare to support newer versions of policyJohn Johansen2-10/+25
Newer policy encodes more than just version in the version tag, so add masking to make sure the comparison remains correct. Note: this is fully compatible with older policy as it will never set the bits being masked out. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: add support for force complain flag to support learning modeJohn Johansen1-1/+3
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: remove paranoid load switchJohn Johansen2-16/+10
Policy should always under go a full paranoid verification. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: name null-XXX profiles after the executableJohn Johansen3-17/+47
When possible its better to name a learning profile after the missing profile in question. This allows for both more informative names and for profile reuse. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: pass gfp_t parameter into profile allocationJohn Johansen4-8/+9
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: refactor prepare_ns() and make usable from different viewsJohn Johansen5-38/+79
prepare_ns() will need to be called from alternate views, and namespaces will need to be created via different interfaces. So refactor and allow specifying the view ns. Signed-off-by: John Johansen <john.johansen@canonical.com>