path: root/security (unfollow)
AgeCommit message (Collapse)AuthorFilesLines
2020-02-18ima: add sm3 algorithm to hash algorithm configuration listTianjia Zhang1-0/+5
sm3 has been supported by the ima hash algorithm, but it is not yet in the Kconfig configuration list. After adding, both ima and tpm2 can support sm3 well. Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2020-02-18efi: Only print errors about failing to get certs if EFI vars are foundJavier Martinez Canillas1-14/+26
If CONFIG_LOAD_UEFI_KEYS is enabled, the kernel attempts to load the certs from the db, dbx and MokListRT EFI variables into the appropriate keyrings. But it just assumes that the variables will be present and prints an error if the certs can't be loaded, even when is possible that the variables may not exist. For example the MokListRT variable will only be present if shim is used. So only print an error message about failing to get the certs list from an EFI variable if this is found. Otherwise these printed errors just pollute the kernel log ring buffer with confusing messages like the following: [ 5.427251] Couldn't get size: 0x800000000000000e [ 5.427261] MODSIGN: Couldn't get UEFI db list [ 5.428012] Couldn't get size: 0x800000000000000e [ 5.428023] Couldn't get UEFI MokListRT Reported-by: Hans de Goede <hdegoede@redhat.com> Signed-off-by: Javier Martinez Canillas <javierm@redhat.com> Tested-by: Hans de Goede <hdegoede@redhat.com> Acked-by: Ard Biesheuvel <ardb@kernel.org> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2020-02-07fs_parse: fold fs_parameter_desc/fs_parameter_specAl Viro2-13/+5
The former contains nothing but a pointer to an array of the latter... Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2020-02-07fs_parser: remove fs_parameter_description name fieldEric Sandeen2-3/+1
Unused now. Signed-off-by: Eric Sandeen <sandeen@redhat.com> Acked-by: David Howells <dhowells@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2020-02-05selinux: fix sidtab string cache lockingOndrej Mosnacek1-9/+3
Avoiding taking a lock in an IRQ context is not enough to prevent deadlocks, as discovered by syzbot: === WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected 5.5.0-syzkaller #0 Not tainted ----------------------------------------------------- syz-executor.0/8927 [HC0[0]:SC0[2]:HE1:SE0] is trying to acquire: ffff888027c94098 (&(&s->cache_lock)->rlock){+.+.}, at: spin_lock include/linux/spinlock.h:338 [inline] ffff888027c94098 (&(&s->cache_lock)->rlock){+.+.}, at: sidtab_sid2str_put.part.0+0x36/0x880 security/selinux/ss/sidtab.c:533 and this task is already holding: ffffffff898639b0 (&(&nf_conntrack_locks[i])->rlock){+.-.}, at: spin_lock include/linux/spinlock.h:338 [inline] ffffffff898639b0 (&(&nf_conntrack_locks[i])->rlock){+.-.}, at: nf_conntrack_lock+0x17/0x70 net/netfilter/nf_conntrack_core.c:91 which would create a new lock dependency: (&(&nf_conntrack_locks[i])->rlock){+.-.} -> (&(&s->cache_lock)->rlock){+.+.} but this new dependency connects a SOFTIRQ-irq-safe lock: (&(&nf_conntrack_locks[i])->rlock){+.-.} [...] other info that might help us debug this: Possible interrupt unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&(&s->cache_lock)->rlock); local_irq_disable(); lock(&(&nf_conntrack_locks[i])->rlock); lock(&(&s->cache_lock)->rlock); <Interrupt> lock(&(&nf_conntrack_locks[i])->rlock); *** DEADLOCK *** [...] === Fix this by simply locking with irqsave/irqrestore and stop giving up on !in_task(). It makes the locking a bit slower, but it shouldn't make a big difference in real workloads. Under the scenario from [1] (only cache hits) it only increased the runtime overhead from the security_secid_to_secctx() function from ~2% to ~3% (it was ~5-65% before introducing the cache). [1] https://bugzilla.redhat.com/show_bug.cgi?id=1733259 Fixes: d97bd23c2d7d ("selinux: cache the SID -> context string translation") Reported-by: syzbot+61cba5033e2072d61806@syzkaller.appspotmail.com Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <paul@paul-moore.com>
2020-02-05selinux: fix typo in filesystem nameHridya Valsaraju1-1/+1
Correct the filesystem name to "binder" to enable genfscon per-file labelling for binderfs. Fixes: 7a4b5194747 ("selinux: allow per-file labelling for binderfs") Signed-off-by: Hridya Valsaraju <hridya@google.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> [PM: slight style changes to the subj/description] Signed-off-by: Paul Moore <paul@paul-moore.com>
2020-02-05broken ping to ipv6 linklocal addresses on debian busterCasey Schaufler1-22/+19
I am seeing ping failures to IPv6 linklocal addresses with Debian buster. Easiest example to reproduce is: $ ping -c1 -w1 ff02::1%eth1 connect: Invalid argument $ ping -c1 -w1 ff02::1%eth1 PING ff02::01%eth1(ff02::1%eth1) 56 data bytes 64 bytes from fe80::e0:f9ff:fe0c:37%eth1: icmp_seq=1 ttl=64 time=0.059 ms git bisect traced the failure to commit b9ef5513c99b ("smack: Check address length before reading address family") Arguably ping is being stupid since the buster version is not setting the address family properly (ping on stretch for example does): $ strace -e connect ping6 -c1 -w1 ff02::1%eth1 connect(5, {sa_family=AF_UNSPEC, sa_data="\4\1\0\0\0\0\377\2\0\0\0\0\0\0\0\0\0\0\0\0\0\1\3\0\0\0"}, 28) = -1 EINVAL (Invalid argument) but the command works fine on kernels prior to this commit, so this is breakage which goes against the Linux paradigm of "don't break userspace" Cc: stable@vger.kernel.org Reported-by: David Ahern <dsahern@gmail.com> Suggested-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>  security/smack/smack_lsm.c | 41 +++++++++++++++++++---------------------- 1 file changed, 19 insertions(+), 22 deletions(-)
2020-01-27security: remove EARLY_LSM_COUNT which never usedAlex Shi1-1/+0
This macro is never used from it was introduced in commit e6b1db98cf4d5 ("security: Support early LSMs"), better to remove it. Signed-off-by: Alex Shi <alex.shi@linux.alibaba.com> Acked-by: Serge Hallyn <serge@hallyn.com> Signed-off-by: James Morris <jmorris@namei.org>
2020-01-23IMA: Defined delayed workqueue to free the queued keysLakshmi Ramasubramanian3-6/+48
Keys queued for measurement should be freed if a custom IMA policy was not loaded. Otherwise, the keys will remain queued forever consuming kernel memory. This patch defines a delayed workqueue to handle the above scenario. The workqueue handler is setup to execute 5 minutes after IMA initialization is completed. If a custom IMA policy is loaded before the workqueue handler is scheduled to execute, the workqueue task is cancelled and any queued keys are processed for measurement. But if a custom policy was not loaded then the queued keys are just freed when the delayed workqueue handler is run. Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> Reported-by: kernel test robot <rong.a.chen@intel.com> # sleeping function called from invalid context Reported-by: kbuild test robot <lkp@intel.com> # redefinition of ima_init_key_queue() function. Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2020-01-23IMA: Call workqueue functions to measure queued keysLakshmi Ramasubramanian2-0/+11
Measuring keys requires a custom IMA policy to be loaded. Keys should be queued for measurement if a custom IMA policy is not yet loaded. Keys queued for measurement, if any, should be processed when a custom policy is loaded. This patch updates the IMA hook function ima_post_key_create_or_update() to queue the key if a custom IMA policy has not yet been loaded. And, ima_update_policy() function, which is called when a custom IMA policy is loaded, is updated to process queued keys. Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2020-01-23IMA: Define workqueue for early boot key measurementsLakshmi Ramasubramanian4-0/+166
Measuring keys requires a custom IMA policy to be loaded. Keys created or updated before a custom IMA policy is loaded should be queued and will be processed after a custom policy is loaded. This patch defines a workqueue for queuing keys when a custom IMA policy has not yet been loaded. An intermediate Kconfig boolean option namely IMA_QUEUE_EARLY_BOOT_KEYS is used to declare the workqueue functions. A flag namely ima_process_keys is used to check if the key should be queued or should be processed immediately. Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2020-01-22IMA: pre-allocate buffer to hold keyrings stringLakshmi Ramasubramanian1-8/+30
ima_match_keyring() is called while holding rcu read lock. Since this function executes in atomic context, it should not call any function that can sleep (such as kstrdup()). This patch pre-allocates a buffer to hold the keyrings string read from the IMA policy and uses that to match the given keyring. Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> Fixes: e9085e0ad38a ("IMA: Add support to limit measuring keys") Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2020-01-22ima: ima/lsm policy rule loading logic bug fixesJanne Karhunen1-18/+26
Keep the ima policy rules around from the beginning even if they appear invalid at the time of loading, as they may become active after an lsm policy load. However, loading a custom IMA policy with unknown LSM labels is only safe after we have transitioned from the "built-in" policy rules to a custom IMA policy. Patch also fixes the rule re-use during the lsm policy reload and makes some prints a bit more human readable. Changelog: v4: - Do not allow the initial policy load refer to non-existing lsm rules. v3: - Fix too wide policy rule matching for non-initialized LSMs v2: - Fix log prints Fixes: b16942455193 ("ima: use the lsm policy update notifier") Cc: Casey Schaufler <casey@schaufler-ca.com> Reported-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Janne Karhunen <janne.karhunen@gmail.com> Signed-off-by: Konsta Karsisto <konsta.karsisto@gmail.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2020-01-22ima: add the ability to query the cached hash of a given fileFlorent Revest1-0/+49
This allows other parts of the kernel (perhaps a stacked LSM allowing system monitoring, eg. the proposed KRSI LSM [1]) to retrieve the hash of a given file from IMA if it's present in the iint cache. It's true that the existence of the hash means that it's also in the audit logs or in /sys/kernel/security/ima/ascii_runtime_measurements, but it can be difficult to pull that information out for every subsequent exec. This is especially true if a given host has been up for a long time and the file was first measured a long time ago. It should be kept in mind that this function gives access to cached entries which can be removed, for instance on security_inode_free(). This is based on Peter Moody's patch: https://sourceforge.net/p/linux-ima/mailman/message/33036180/ [1] https://lkml.org/lkml/2019/9/10/393 Signed-off-by: Florent Revest <revest@google.com> Reviewed-by: KP Singh <kpsingh@chromium.org> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2020-01-22ima: Add a space after printing LSM rules for readabilityClay Chang1-0/+1
When reading ima_policy from securityfs, there is a missing space between output string of LSM rules and the remaining rules. Signed-off-by: Clay Chang <clayc@hpe.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2020-01-20selinux: fix regression introduced by move_mount(2) syscallStephen Smalley1-0/+10
commit 2db154b3ea8e ("vfs: syscall: Add move_mount(2) to move mounts around") introduced a new move_mount(2) system call and a corresponding new LSM security_move_mount hook but did not implement this hook for any existing LSM. This creates a regression for SELinux with respect to consistent checking of mounts; the existing selinux_mount hook checks mounton permission to the mount point path. Provide a SELinux hook implementation for move_mount that applies this same check for consistency. In the future we may wish to add a new move_mount filesystem permission and check as well, but this addresses the immediate regression. Fixes: 2db154b3ea8e ("vfs: syscall: Add move_mount(2) to move mounts around") Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
2020-01-16selinux: do not allocate ancillary buffer on first loadOndrej Mosnacek1-15/+13
In security_load_policy(), we can defer allocating the newpolicydb ancillary array to after checking state->initialized, thereby avoiding the pointless allocation when loading policy the first time. Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> [PM: merged portions by hand] Reviewed-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <paul@paul-moore.com>
2020-01-16selinux: remove redundant allocation and helper functionsPaul Moore1-58/+36
This patch removes the inode, file, and superblock security blob allocation functions and moves the associated code into the respective LSM hooks. This patch also removes the inode_doinit() function as it was a trivial wrapper around inode_doinit_with_dentry() and called from one location in the code. Reviewed-by: Casey Schaufler <casey@schaufler-ca.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <paul@paul-moore.com>
2020-01-16selinux: remove redundant selinux_nlmsg_permHuaisheng Ye1-39/+34
selinux_nlmsg_perm is used for only by selinux_netlink_send. Remove the redundant function to simplify the code. Fix a typo by suggestion from Stephen. Signed-off-by: Huaisheng Ye <yehs1@lenovo.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <paul@paul-moore.com>
2020-01-16selinux: fix wrong buffer types in policydb.cOndrej Mosnacek1-2/+2
Two places used u32 where there should have been __le32. Fixes sparse warnings: CHECK [...]/security/selinux/ss/services.c [...]/security/selinux/ss/policydb.c:2669:16: warning: incorrect type in assignment (different base types) [...]/security/selinux/ss/policydb.c:2669:16: expected unsigned int [...]/security/selinux/ss/policydb.c:2669:16: got restricted __le32 [usertype] [...]/security/selinux/ss/policydb.c:2674:24: warning: incorrect type in assignment (different base types) [...]/security/selinux/ss/policydb.c:2674:24: expected unsigned int [...]/security/selinux/ss/policydb.c:2674:24: got restricted __le32 [usertype] [...]/security/selinux/ss/policydb.c:2675:24: warning: incorrect type in assignment (different base types) [...]/security/selinux/ss/policydb.c:2675:24: expected unsigned int [...]/security/selinux/ss/policydb.c:2675:24: got restricted __le32 [usertype] [...]/security/selinux/ss/policydb.c:2676:24: warning: incorrect type in assignment (different base types) [...]/security/selinux/ss/policydb.c:2676:24: expected unsigned int [...]/security/selinux/ss/policydb.c:2676:24: got restricted __le32 [usertype] [...]/security/selinux/ss/policydb.c:2681:32: warning: incorrect type in assignment (different base types) [...]/security/selinux/ss/policydb.c:2681:32: expected unsigned int [...]/security/selinux/ss/policydb.c:2681:32: got restricted __le32 [usertype] [...]/security/selinux/ss/policydb.c:2701:16: warning: incorrect type in assignment (different base types) [...]/security/selinux/ss/policydb.c:2701:16: expected unsigned int [...]/security/selinux/ss/policydb.c:2701:16: got restricted __le32 [usertype] [...]/security/selinux/ss/policydb.c:2706:24: warning: incorrect type in assignment (different base types) [...]/security/selinux/ss/policydb.c:2706:24: expected unsigned int [...]/security/selinux/ss/policydb.c:2706:24: got restricted __le32 [usertype] [...]/security/selinux/ss/policydb.c:2707:24: warning: incorrect type in assignment (different base types) [...]/security/selinux/ss/policydb.c:2707:24: expected unsigned int [...]/security/selinux/ss/policydb.c:2707:24: got restricted __le32 [usertype] Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> Reviewed-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <paul@paul-moore.com>
2020-01-15net: bridge: vlan: add rtm definitions and dump supportNikolay Aleksandrov1-1/+4
This patch adds vlan rtm definitions: - NEWVLAN: to be used for creating vlans, setting options and notifications - DELVLAN: to be used for deleting vlans - GETVLAN: used for dumping vlan information Dumping vlans which can span multiple messages is added now with basic information (vid and flags). We use nlmsg_parse() to validate the header length in order to be able to extend the message with filtering attributes later. Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2020-01-10kunit: building kunit as a module breaks allmodconfigAlan Maguire1-1/+1
kunit tests that do not support module build should depend on KUNIT=y rather than just KUNIT in Kconfig, otherwise they will trigger compilation errors for "make allmodconfig" builds. Fixes: 9fe124bf1b77 ("kunit: allow kunit to be loaded as a module") Reported-by: Stephen Rothwell <sfr@canb.auug.org.au> Signed-off-by: Alan Maguire <alan.maguire@oracle.com> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
2020-01-10selinux: reorder hooks to make runtime disable less brokenOndrej Mosnacek1-31/+70
Commit b1d9e6b0646d ("LSM: Switch to lists of hooks") switched the LSM infrastructure to use per-hook lists, which meant that removing the hooks for a given module was no longer atomic. Even though the commit clearly documents that modules implementing runtime revmoval of hooks (only SELinux attempts this madness) need to take special precautions to avoid race conditions, SELinux has never addressed this. By inserting an artificial delay between the loop iterations of security_delete_hooks() (I used 100 ms), booting to a state where SELinux is enabled, but policy is not yet loaded, and running these commands: while true; do ping -c 1 <some IP>; done & echo -n 1 >/sys/fs/selinux/disable kill %1 wait ...I was able to trigger NULL pointer dereferences in various places. I also have a report of someone getting panics on a stock RHEL-8 kernel after setting SELINUX=disabled in /etc/selinux/config and rebooting (without adding "selinux=0" to kernel command-line). Reordering the SELinux hooks such that those that allocate structures are removed last seems to prevent these panics. It is very much possible that this doesn't make the runtime disable completely race-free, but at least it makes the operation much less fragile. Cc: stable@vger.kernel.org Fixes: b1d9e6b0646d ("LSM: Switch to lists of hooks") Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> Reviewed-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <paul@paul-moore.com>
2020-01-10selinux: treat atomic flags more carefullyOndrej Mosnacek3-31/+61
The disabled/enforcing/initialized flags are all accessed concurrently by threads so use the appropriate accessors that ensure atomicity and document that it is expected. Use smp_load/acquire...() helpers (with memory barriers) for the initialized flag, since it gates access to the rest of the state structures. Note that the disabled flag is currently not used for anything other than avoiding double disable, but it will be used for bailing out of hooks once security_delete_hooks() is removed. Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Reviewed-by: Kees Cook <keescook@chromium.org> Reviewed-by: James Morris <jamorris@linux.microsoft.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
2020-01-10selinux: make default_noexec read-only after initStephen Smalley1-1/+1
SELinux checks whether VM_EXEC is set in the VM_DATA_DEFAULT_FLAGS during initialization and saves the result in default_noexec for use in its mmap and mprotect hook function implementations to decide whether to apply EXECMEM, EXECHEAP, EXECSTACK, and EXECMOD checks. Mark default_noexec as ro_after_init to prevent later clearing it and thereby disabling these checks. It is only set legitimately from init code. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <paul@paul-moore.com>
2020-01-10selinux: move ibpkeys code under CONFIG_SECURITY_INFINIBAND.Ravi Kumar Siddojigari2-2/+15
Move cache based pkey sid retrieval code which was added with commit "409dcf31" under CONFIG_SECURITY_INFINIBAND. As its going to alloc a new cache which impacts low RAM devices which was enabled by default. Suggested-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Ravi Kumar Siddojigari <rsiddoji@codeaurora.org> [PM: checkpatch.pl cleanups, fixed capitalization in the description] Signed-off-by: Paul Moore <paul@paul-moore.com>
2020-01-10selinux: remove redundant msg_msg_alloc_securityHuaisheng Ye1-11/+6
selinux_msg_msg_alloc_security only calls msg_msg_alloc_security but do nothing else. And also msg_msg_alloc_security is just used by the former. Remove the redundant function to simplify the code. Signed-off-by: Huaisheng Ye <yehs1@lenovo.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <paul@paul-moore.com>
2020-01-09apparmor: add AppArmor KUnit tests for policy unpackMike Salvatore3-0/+627
Add KUnit tests to test AppArmor unpacking of userspace policies. AppArmor uses a serialized binary format for loading policies. To find policy format documentation see Documentation/admin-guide/LSM/apparmor.rst. In order to write the tests against the policy unpacking code, some static functions needed to be exposed for testing purposes. One of the goals of this patch is to establish a pattern for which testing these kinds of functions should be done in the future. Signed-off-by: Brendan Higgins <brendanhiggins@google.com> Signed-off-by: Mike Salvatore <mike.salvatore@canonical.com> Acked-by: John Johansen <john.johansen@canonical.com> Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
2020-01-09IMA: fix measuring asymmetric keys KconfigLakshmi Ramasubramanian2-1/+7
As a result of the asymmetric public keys subtype Kconfig option being defined as tristate, with the existing IMA Makefile, ima_asymmetric_keys.c could be built as a kernel module. To prevent this from happening, this patch defines and uses an intermediate Kconfig boolean option named IMA_MEASURE_ASYMMETRIC_KEYS. Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> Suggested-by: James.Bottomley <James.Bottomley@HansenPartnership.com> Cc: David Howells <dhowells@redhat.com> Cc: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Reported-by: kbuild test robot <lkp@intel.com> # ima_asymmetric_keys.c is built as a kernel module. Fixes: 88e70da170e8 ("IMA: Define an IMA hook to measure keys") Fixes: cb1aa3823c92 ("KEYS: Call the IMA hook to measure keys") [zohar@linux.ibm.com: updated patch description] Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2020-01-07Documentation,selinux: fix references to old selinuxfs mount pointStephen Smalley1-3/+4
selinuxfs was originally mounted on /selinux, and various docs and kconfig help texts referred to nodes under it. In Linux 3.0, /sys/fs/selinux was introduced as the preferred mount point for selinuxfs. Fix all the old references to /selinux/ to /sys/fs/selinux/. While we are there, update the description of the selinux boot parameter to reflect the fact that the default value is always 1 since commit be6ec88f41ba94 ("selinux: Remove SECURITY_SELINUX_BOOTPARAM_VALUE") and drop discussion of runtime disable since it is deprecated. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <paul@paul-moore.com>
2020-01-07selinux: deprecate disabling SELinux and runtimePaul Moore2-0/+10
Deprecate the CONFIG_SECURITY_SELINUX_DISABLE functionality. The code was originally developed to make it easier for Linux distributions to support architectures where adding parameters to the kernel command line was difficult. Unfortunately, supporting runtime disable meant we had to make some security trade-offs when it came to the LSM hooks, as documented in the Kconfig help text: NOTE: selecting this option will disable the '__ro_after_init' kernel hardening feature for security hooks. Please consider using the selinux=0 boot parameter instead of enabling this option. Fortunately it looks as if that the original motivation for the runtime disable functionality is gone, and Fedora/RHEL appears to be the only major distribution enabling this capability at build time so we are now taking steps to remove it entirely from the kernel. The first step is to mark the functionality as deprecated and print an error when it is used (what this patch is doing). As Fedora/RHEL makes progress in transitioning the distribution away from runtime disable, we will introduce follow-up patches over several kernel releases which will block for increasing periods of time when the runtime disable is used. Finally we will remove the option entirely once we believe all users have moved to the kernel cmdline approach. Acked-by: Casey Schaufler <casey@schaufler-ca.com> Acked-by: Ondrej Mosnacek <omosnace@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <paul@paul-moore.com>
2020-01-06selinux: allow per-file labelling for binderfsHridya Valsaraju1-0/+1
This patch allows genfscon per-file labeling for binderfs. This is required to have separate permissions to allow access to binder, hwbinder and vndbinder devices which are relocating to binderfs. Acked-by: Jeff Vander Stoep <jeffv@google.com> Acked-by: Mark Salyzyn <salyzyn@android.com> Signed-off-by: Hridya Valsaraju <hridya@google.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <paul@paul-moore.com>
2020-01-06selinuxfs: use scnprintf to get real length for inodeliuyang341-2/+2
The return value of snprintf maybe over the size of TMPBUFLEN, use scnprintf instead in sel_read_class and sel_read_perm. Signed-off-by: liuyang34 <liuyang34@xiaomi.com> [PM: cleaned up the description] Signed-off-by: Paul Moore <paul@paul-moore.com>
2020-01-04apparmor: fix aa_xattrs_match() may sleep while holding a RCU lockJohn Johansen3-42/+46
aa_xattrs_match() is unfortunately calling vfs_getxattr_alloc() from a context protected by an rcu_read_lock. This can not be done as vfs_getxattr_alloc() may sleep regardles of the gfp_t value being passed to it. Fix this by breaking the rcu_read_lock on the policy search when the xattr match feature is requested and restarting the search if a policy changes occur. Fixes: 8e51f9087f40 ("apparmor: Add support for attaching profiles via xattr, presence and value") Reported-by: Jia-Ju Bai <baijiaju1990@gmail.com> Reported-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-01-02apparmor: only get a label reference if the fast path check failsJohn Johansen1-4/+8
The common fast path check can be done under rcu_read_lock() and doesn't need a reference count on the label. Only take a reference count if entering the slow path. Fixes reported hackbench regression - sha1 79e178a57dae ("Merge tag 'apparmor-pr-2019-12-03' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor") hackbench -l (256000/#grp) -g #grp 128 groups 19.679 ┬▒0.90% - previous sha1 01d1dff64662 ("Merge tag 's390-5.5-2' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux") hackbench -l (256000/#grp) -g #grp 128 groups 3.1689 ┬▒3.04% Reported-by: Vincent Guittot <vincent.guittot@linaro.org> Tested-by: Vincent Guittot <vincent.guittot@linaro.org> Tested-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Fixes: bce4e7e9c45e ("apparmor: reduce rcu_read_lock scope for aa_file_perm mediation") Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-01-02apparmor: fix bind mounts aborting with -ENOMEMPatrick Steinhardt1-1/+1
With commit df323337e507 ("apparmor: Use a memory pool instead per-CPU caches, 2019-05-03"), AppArmor code was converted to use memory pools. In that conversion, a bug snuck into the code that polices bind mounts that causes all bind mounts to fail with -ENOMEM, as we erroneously error out if `aa_get_buffer` returns a pointer instead of erroring out when it does _not_ return a valid pointer. Fix the issue by correctly checking for valid pointers returned by `aa_get_buffer` to fix bind mounts with AppArmor. Fixes: df323337e507 ("apparmor: Use a memory pool instead per-CPU caches") Signed-off-by: Patrick Steinhardt <ps@pks.im> Signed-off-by: John Johansen <john.johansen@canonical.com>
2020-01-02tomoyo: Use atomic_t for statistics counterTetsuo Handa1-7/+4
syzbot is reporting that there is a race at tomoyo_stat_update() [1]. Although it is acceptable to fail to track exact number of times policy was updated, convert to atomic_t because this is not a hot path. [1] https://syzkaller.appspot.com/bug?id=a4d7b973972eeed410596e6604580e0133b0fc04 Reported-by: syzbot <syzbot+efea72d4a0a1d03596cd@syzkaller.appspotmail.com> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
2019-12-24selinux: remove set but not used variable 'sidtab'YueHaibing1-8/+0
security/selinux/ss/services.c: In function security_port_sid: security/selinux/ss/services.c:2346:17: warning: variable sidtab set but not used [-Wunused-but-set-variable] security/selinux/ss/services.c: In function security_ib_endport_sid: security/selinux/ss/services.c:2435:17: warning: variable sidtab set but not used [-Wunused-but-set-variable] security/selinux/ss/services.c: In function security_netif_sid: security/selinux/ss/services.c:2480:17: warning: variable sidtab set but not used [-Wunused-but-set-variable] security/selinux/ss/services.c: In function security_fs_use: security/selinux/ss/services.c:2831:17: warning: variable sidtab set but not used [-Wunused-but-set-variable] Since commit 66f8e2f03c02 ("selinux: sidtab reverse lookup hash table") 'sidtab' is not used any more, so remove it. Reported-by: Hulk Robot <hulkci@huawei.com> Signed-off-by: YueHaibing <yuehaibing@huawei.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
2019-12-23selinux: ensure the policy has been loaded before reading the sidtab statsPaul Moore1-0/+6
Check to make sure we have loaded a policy before we query the sidtab's hash stats. Failure to do so could result in a kernel panic/oops due to a dereferenced NULL pointer. Fixes: 66f8e2f03c02 ("selinux: sidtab reverse lookup hash table") Reported-by: kernel test robot <lkp@intel.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
2019-12-21selinux: ensure we cleanup the internal AVC counters on error in avc_update()Jaihind Yadav1-1/+1
In AVC update we don't call avc_node_kill() when avc_xperms_populate() fails, resulting in the avc->avc_cache.active_nodes counter having a false value. In last patch this changes was missed , so correcting it. Fixes: fa1aa143ac4a ("selinux: extended permissions for ioctls") Signed-off-by: Jaihind Yadav <jaihindyadav@codeaurora.org> Signed-off-by: Ravi Kumar Siddojigari <rsiddoji@codeaurora.org> [PM: merge fuzz, minor description cleanup] Signed-off-by: Paul Moore <paul@paul-moore.com>
2019-12-18selinux: randomize layout of key structuresStephen Smalley4-4/+4
Randomize the layout of key selinux data structures. Initially this is applied to the selinux_state, selinux_ss, policydb, and task_security_struct data structures. NB To test/use this mechanism, one must install the necessary build-time dependencies, e.g. gcc-plugin-devel on Fedora, and enable CONFIG_GCC_PLUGIN_RANDSTRUCT in the kernel configuration. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Reviewed-by: Kees Cook <keescook@chromium.org> [PM: double semi-colon fixed] Signed-off-by: Paul Moore <paul@paul-moore.com>
2019-12-18selinux: clean up selinux_enabled/disabled/enforcing_bootStephen Smalley7-18/+17
Rename selinux_enabled to selinux_enabled_boot to make it clear that it only reflects whether SELinux was enabled at boot. Replace the references to it in the MAC_STATUS audit log in sel_write_enforce() with hardcoded "1" values because this code is only reachable if SELinux is enabled and does not change its value, and update the corresponding MAC_STATUS audit log in sel_write_disable(). Stop clearing selinux_enabled in selinux_disable() since it is not used outside of initialization code that runs before selinux_disable() can be reached. Mark both selinux_enabled_boot and selinux_enforcing_boot as __initdata since they are only used in initialization code. Wrap the disabled field in the struct selinux_state with CONFIG_SECURITY_SELINUX_DISABLE since it is only used for runtime disable. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <paul@paul-moore.com>
2019-12-17security: keys: trusted: fix lost handle flushJames Bottomley1-0/+1
The original code, before it was moved into security/keys/trusted-keys had a flush after the blob unseal. Without that flush, the volatile handles increase in the TPM until it becomes unusable and the system either has to be rebooted or the TPM volatile area manually flushed. Fix by adding back the lost flush, which we now have to export because of the relocation of the trusted key code may cause the consumer to be modular. Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com> Fixes: 2e19e10131a0 ("KEYS: trusted: Move TPM2 trusted keys code") Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
2019-12-16tomoyo: Suppress RCU warning at list_for_each_entry_rcu().Tetsuo Handa4-13/+26
John Garry has reported that allmodconfig kernel on arm64 causes flood of "RCU-list traversed in non-reader section!!" warning. I don't know what change caused this warning, but this warning is safe because TOMOYO uses SRCU lock instead. Let's suppress this warning by explicitly telling that the caller is holding SRCU lock. Reported-and-tested-by: John Garry <john.garry@huawei.com> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
2019-12-12KEYS: remove CONFIG_KEYS_COMPATEric Biggers4-12/+3
KEYS_COMPAT now always takes the value of COMPAT && KEYS. But the security/keys/ directory is only compiled if KEYS is enabled, so in practice KEYS_COMPAT is the same as COMPAT. Therefore, remove the unnecessary KEYS_COMPAT and just use COMPAT directly. (Also remove an outdated comment from compat.c.) Reviewed-by: James Morris <jamorris@linux.microsoft.com> Signed-off-by: Eric Biggers <ebiggers@google.com> Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
2019-12-12IMA: Read keyrings= option from the IMA policyLakshmi Ramasubramanian1-1/+28
Read "keyrings=" option, if specified in the IMA policy, and store in the list of IMA rules when the configured IMA policy is read. This patch defines a new policy token enum namely Opt_keyrings and an option flag IMA_KEYRINGS for reading "keyrings=" option from the IMA policy. Updated ima_parse_rule() to parse "keyrings=" option in the policy. Updated ima_policy_show() to display "keyrings=" option. The following example illustrates how key measurement can be verified. Sample "key" measurement rule in the IMA policy: measure func=KEY_CHECK uid=0 keyrings=.ima|.evm template=ima-buf Display "key" measurement in the IMA measurement list: cat /sys/kernel/security/ima/ascii_runtime_measurements 10 faf3...e702 ima-buf sha256:27c915b8ddb9fae7214cf0a8a7043cc3eeeaa7539bcb136f8427067b5f6c3b7b .ima 308202863082...4aee Verify "key" measurement data for a key added to ".ima" keyring: cat /sys/kernel/security/integrity/ima/ascii_runtime_measurements | grep -m 1 "\.ima" | cut -d' ' -f 6 | xxd -r -p |tee ima-cert.der | sha256sum | cut -d' ' -f 1 The output of the above command should match the template hash of the first "key" measurement entry in the IMA measurement list for the key added to ".ima" keyring. The file namely "ima-cert.der" generated by the above command should be a valid x509 certificate (in DER format) and should match the one that was used to import the key to the ".ima" keyring. The certificate file can be verified using openssl tool. Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2019-12-12IMA: Add support to limit measuring keysLakshmi Ramasubramanian6-17/+82
Limit measuring keys to those keys being loaded onto a given set of keyrings only and when the user id (uid) matches if uid is specified in the policy. This patch defines a new IMA policy option namely "keyrings=" that can be used to specify a set of keyrings. If this option is specified in the policy for "measure func=KEY_CHECK" then only the keys loaded onto a keyring given in the "keyrings=" option are measured. If uid is specified in the policy then the key is measured only if the current user id matches the one specified in the policy. Added a new parameter namely "keyring" (name of the keyring) to process_buffer_measurement(). The keyring name is passed to ima_get_action() to determine the required action. ima_match_rules() is updated to check keyring in the policy, if specified, for KEY_CHECK function. Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2019-12-12KEYS: Call the IMA hook to measure keysLakshmi Ramasubramanian1-0/+10
Call the IMA hook from key_create_or_update() function to measure the payload when a new key is created or an existing key is updated. This patch adds the call to the IMA hook from key_create_or_update() function to measure the key on key create or update. Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> Cc: David Howells <dhowells@redhat.com> Cc: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2019-12-12IMA: Define an IMA hook to measure keysLakshmi Ramasubramanian2-0/+53
Measure asymmetric keys used for verifying file signatures, certificates, etc. This patch defines a new IMA hook namely ima_post_key_create_or_update() to measure the payload used to create a new asymmetric key or update an existing asymmetric key. Asymmetric key structure is defined only when CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE is defined. Since the IMA hook measures asymmetric keys, the IMA hook is defined in a new file namely ima_asymmetric_keys.c which is built only if CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE is defined. Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2019-12-12IMA: Add KEY_CHECK func to measure keysLakshmi Ramasubramanian2-1/+4
Measure keys loaded onto any keyring. This patch defines a new IMA policy func namely KEY_CHECK to measure keys. Updated ima_match_rules() to check for KEY_CHECK and ima_parse_rule() to handle KEY_CHECK. Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>