1. 20 Jul, 2012 1 commit
    • net: remove mm.h inclusion from netdevice.h · 3a1fc5fb
      Alexey Dobriyan authored
      Remove linux/mm.h inclusion from netdevice.h -- it's unused (I've checked manually).
      To prevent mm.h inclusion via other channels, also extract the "enum dma_data_direction"
      definition into a separate header. This tiny piece is what glues netdevice.h to mm.h
      via "netdevice.h => dmaengine.h => dma-mapping.h => scatterlist.h => mm.h".
      Removal of mm.h from scatterlist.h was tried and was found not feasible
      on most archs, so the link was cut off earlier.
      Hope people are OK with a tiny include file.
      Note, that mm_types.h is still dragged in, but it is a separate story.
      Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  2. 01 Jun, 2012 1 commit
  3. 22 Apr, 2012 2 commits
  4. 13 Apr, 2012 1 commit
    • TOMOYO: Fix mount flags checking order. · d5748309
      Tetsuo Handa authored
      commit df91e494 upstream.
      Userspace can pass in arbitrary combinations of MS_* flags to mount().
      passed, device name which should be checked for MS_BIND was not checked because
      If both one of MS_BIND/MS_MOVE and MS_REMOUNT are passed, device name which
      should not be checked for MS_REMOUNT was checked because MS_BIND/MS_MOVE had
      higher priority than MS_REMOUNT.
      Fix these bugs by changing the priority to MS_REMOUNT -> MS_BIND ->
      MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE -> MS_MOVE, as do_mount() does.
      Also, unconditionally return -EINVAL if more than one of
      generate inaccurate audit logs, for commit 7a2e8a8f "VFS: Sanity check mount
      flags passed to change_mnt_propagation()" clarified that these flags must be
      exclusively passed.
      Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Signed-off-by: James Morris <james.l.morris@oracle.com>
      Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
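      A user-space sketch of the flag priority this commit adopts, added here as an illustration and not taken from the TOMOYO or VFS source: the four propagation flags are checked for exclusivity first (so a request mixing them fails with -EINVAL whatever else is set), then the request is classified in do_mount()'s order MS_REMOUNT -> MS_BIND -> propagation change -> MS_MOVE, and a small helper answers the question the commit is about, whether the device-name argument is a pathname that a path-based LSM should check. The names mount_kind_of and mount_dev_name_is_checked, the fs_requires_dev parameter, and the simplified "is the device name checked" model are this example's own assumptions.

```c
/* Added example (not TOMOYO or VFS source): classify a mount(2) request
 * in the flag priority the commit adopts, MS_REMOUNT -> MS_BIND ->
 * MS_SHARED/MS_PRIVATE/MS_SLAVE/MS_UNBINDABLE -> MS_MOVE, rejecting more
 * than one propagation flag up front. Names are this example's own. */
#include <errno.h>
#include <stdbool.h>
#include <sys/mount.h>

/* Linux values, used only where the system header lacks the macros. */
#ifndef MS_REMOUNT
#define MS_REMOUNT    32
#endif
#ifndef MS_BIND
#define MS_BIND       4096
#endif
#ifndef MS_MOVE
#define MS_MOVE       8192
#endif
#ifndef MS_UNBINDABLE
#define MS_UNBINDABLE (1 << 17)
#endif
#ifndef MS_PRIVATE
#define MS_PRIVATE    (1 << 18)
#endif
#ifndef MS_SLAVE
#define MS_SLAVE      (1 << 19)
#endif
#ifndef MS_SHARED
#define MS_SHARED     (1 << 20)
#endif

#define MS_PROPAGATION_MASK (MS_SHARED | MS_PRIVATE | MS_SLAVE | MS_UNBINDABLE)

enum mount_kind {
    MOUNT_NEW = 0,      /* plain mount of a filesystem */
    MOUNT_REMOUNT,
    MOUNT_BIND,
    MOUNT_PROPAGATION,  /* make-shared / make-private / make-slave / make-unbindable */
    MOUNT_MOVE,
};

/* Returns the mount_kind for `flags`, or -EINVAL when more than one
 * propagation flag is set (they must be passed exclusively). The check
 * runs before the priority chain, so MS_REMOUNT|MS_SHARED|MS_PRIVATE is
 * rejected too instead of silently being treated as a remount. */
int mount_kind_of(unsigned long flags)
{
    unsigned long prop = flags & MS_PROPAGATION_MASK;

    if (prop & (prop - 1))          /* more than one bit set */
        return -EINVAL;
    if (flags & MS_REMOUNT)
        return MOUNT_REMOUNT;
    if (flags & MS_BIND)
        return MOUNT_BIND;
    if (prop)
        return MOUNT_PROPAGATION;
    if (flags & MS_MOVE)
        return MOUNT_MOVE;
    return MOUNT_NEW;
}

/* Simplified model of "should the device name be checked": yes for bind
 * and move (it names the source tree), no for remount and propagation
 * changes (the kernel ignores it), and for a plain mount only when the
 * filesystem needs a block device (fs_requires_dev comes from the caller,
 * who knows the fs type). Ambiguous flag mixes are classified first, so
 * MS_BIND|MS_REMOUNT is a remount here and the name is not checked. */
bool mount_dev_name_is_checked(unsigned long flags, bool fs_requires_dev)
{
    switch (mount_kind_of(flags)) {
    case MOUNT_BIND:
    case MOUNT_MOVE:
        return true;
    case MOUNT_NEW:
        return fs_requires_dev;
    default:                        /* remount, propagation change, or -EINVAL */
        return false;
    }
}
```

      The two wrong orders the message describes map directly onto this chain: with a propagation flag outranking MS_BIND, MS_BIND|MS_SHARED would land in the propagation branch and skip the device-name check; with MS_BIND outranking MS_REMOUNT, MS_REMOUNT|MS_BIND would be checked as a bind of whatever string the caller put in the device-name slot.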
  5. 26 Jan, 2012 2 commits
  6. 06 Jan, 2012 1 commit
    • SELinux: Fix RCU deref check warning in sel_netport_insert() · 52367e47
      David Howells authored
      commit 50345f1e upstream.
      Fix the following bug in sel_netport_insert() where rcu_dereference() should
      be rcu_dereference_protected() as sel_netport_lock is held.
      [ INFO: suspicious rcu_dereference_check() usage. ]
      security/selinux/netport.c:127 invoked rcu_dereference_check() without protection!
      other info that might help us debug this:
      rcu_scheduler_active = 1, debug_locks = 0
      1 lock held by ossec-rootcheck/3323:
       #0:  (sel_netport_lock){+.....}, at: [<ffffffff8117d775>] sel_netport_sid+0xbb/0x226
      stack backtrace:
      Pid: 3323, comm: ossec-rootcheck Not tainted 3.1.0-rc8-fsdevel+ #1095
      Call Trace:
       [<ffffffff8105cfb7>] lockdep_rcu_dereference+0xa7/0xb0
       [<ffffffff8117d871>] sel_netport_sid+0x1b7/0x226
       [<ffffffff8117d6ba>] ? sel_netport_avc_callback+0xbc/0xbc
       [<ffffffff8117556c>] selinux_socket_bind+0x115/0x230
       [<ffffffff810a5388>] ? might_fault+0x4e/0x9e
       [<ffffffff810a53d1>] ? might_fault+0x97/0x9e
       [<ffffffff81171cf4>] security_socket_bind+0x11/0x13
       [<ffffffff812ba967>] sys_bind+0x56/0x95
       [<ffffffff81380dac>] ? sysret_check+0x27/0x62
       [<ffffffff8105b767>] ? trace_hardirqs_on_caller+0x11e/0x155
       [<ffffffff81076fcd>] ? audit_syscall_entry+0x17b/0x1ae
       [<ffffffff811b5eae>] ? trace_hardirqs_on_thunk+0x3a/0x3f
       [<ffffffff81380d7b>] system_call_fastpath+0x16/0x1b
      Signed-off-by: David Howells <dhowells@redhat.com>
      Acked-by: Paul Moore <paul@paul-moore.com>
      Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: James Morris <jmorris@namei.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  7. 21 Dec, 2011 1 commit
    • fix apparmor dereferencing potentially freed dentry, sanitize __d_path() API · 58a48c4b
      Al Viro authored
      commit 02125a82 upstream.
      __d_path() API is asking for trouble and in case of apparmor d_namespace_path()
      getting just that.  The root cause is that when __d_path() misses the root
      it had been told to look for, it stores the location of the most remote ancestor
      in *root.  Without grabbing references.  Sure, at the moment of call it had
      been pinned down by what we have in *path.  And if we raced with umount -l, we
      could have very well stopped at vfsmount/dentry that got freed as soon as
      prepend_path() dropped vfsmount_lock.
      It is safe to compare these pointers with pre-existing (and known to be still
      alive) vfsmount and dentry, as long as all we are asking is "is it the same
      address?".  Dereferencing is not safe and apparmor ended up stepping into
      that.  d_namespace_path() really wants to examine the place where we stopped,
      even if it's not connected to our namespace.  As the result, it looked
      at ->d_sb->s_magic of a dentry that might've been already freed by that point.
      All other callers had been careful enough to avoid that, but it's really
      a bad interface - it invites that kind of trouble.
      The fix is fairly straightforward, even though it's bigger than I'd like:
      	* prepend_path() root argument becomes const.
      	* __d_path() is never called with NULL/NULL root.  It was a kludge
      to start with.  Instead, we have an explicit function - d_absolute_root().
      Same as __d_path(), except that it doesn't get root passed and stops where
      it stops.  apparmor and tomoyo are using it.
      	* __d_path() returns NULL on path outside of root.  The main
      caller is show_mountinfo() and that's precisely what we pass root for - to
      skip those outside chroot jail.  Those who don't want that can (and do)
      use d_path().
      	* __d_path() root argument becomes const.  Everyone agrees, I hope.
      	* apparmor does *NOT* try to use __d_path() or any of its variants
      when it sees that path->mnt is an internal vfsmount.  In that case it's
      definitely not mounted anywhere and dentry_path() is exactly what we want
      there.  Handling of sysctl()-triggered weirdness is moved to that place.
      	* if apparmor is asked to do pathname relative to chroot jail
      and __d_path() tells it it's not in that jail, the sucker just calls
      d_absolute_path() instead.  That's the other remaining caller of __d_path(),
      	* seq_path_root() does _NOT_ return -ENAMETOOLONG (it's stupid anyway -
      the normal seq_file logics will take care of growing the buffer and redoing
      the call of ->show() just fine).  However, if it gets path not reachable
      from root, it returns SEQ_SKIP.  The only caller adjusted (i.e. stopped
      ignoring the return value as it used to do).
      Reviewed-by: John Johansen <john.johansen@canonical.com>
      ACKed-by: John Johansen <john.johansen@canonical.com>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  8. 21 Nov, 2011 1 commit
    • KEYS: Fix a NULL pointer deref in the user-defined key type · 31a05f7d
      David Howells authored
      commit 9f35a33b upstream.
      Fix a NULL pointer deref in the user-defined key type whereby updating a
      negative key into a fully instantiated key will cause an oops to occur
      when the code attempts to free the non-existent old payload.
      This results in an oops that looks something like the following:
        BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
        IP: [<ffffffff81085fa1>] __call_rcu+0x11/0x13e
        PGD 3391d067 PUD 3894a067 PMD 0
        Oops: 0002 [#1] SMP
        CPU 1
        Pid: 4354, comm: keyctl Not tainted 3.1.0-fsdevel+ #1140                  /DG965RY
        RIP: 0010:[<ffffffff81085fa1>]  [<ffffffff81085fa1>] __call_rcu+0x11/0x13e
        RSP: 0018:ffff88003d591df8  EFLAGS: 00010246
        RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000006e
        RDX: ffffffff8161d0c0 RSI: 0000000000000000 RDI: 0000000000000000
        RBP: ffff88003d591e18 R08: 0000000000000000 R09: ffffffff8152fa6c
        R10: 0000000000000000 R11: 0000000000000300 R12: ffff88003b8f9538
        R13: ffffffff8161d0c0 R14: ffff88003b8f9d50 R15: ffff88003c69f908
        FS:  00007f97eb18c720(0000) GS:ffff88003bd00000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 0000000000000008 CR3: 000000003d47a000 CR4: 00000000000006e0
        DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
        DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
        Process keyctl (pid: 4354, threadinfo ffff88003d590000, task ffff88003c78a040)
         ffff88003e0ffde0 ffff88003b8f9538 0000000000000001 ffff88003b8f9d50
         ffff88003d591e28 ffffffff810860f0 ffff88003d591e68 ffffffff8117bfea
         ffff88003d591e68 ffffffff00000000 ffff88003e0ffde1 ffff88003e0ffde0
        Call Trace:
         [<ffffffff810860f0>] call_rcu_sched+0x10/0x12
         [<ffffffff8117bfea>] user_update+0x8d/0xa2
         [<ffffffff8117723a>] key_create_or_update+0x236/0x270
         [<ffffffff811789b1>] sys_add_key+0x123/0x17e
         [<ffffffff813b84bb>] system_call_fastpath+0x16/0x1b
      Signed-off-by: David Howells <dhowells@redhat.com>
      Acked-by: Jeff Layton <jlayton@redhat.com>
      Acked-by: Neil Horman <nhorman@redhat.com>
      Acked-by: Steve Dickson <steved@redhat.com>
      Acked-by: James Morris <jmorris@namei.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  9. 05 Aug, 2011 2 commits
  10. 22 Jun, 2011 1 commit
    • KEYS: Fix error handling in construct_key_and_link() · b1d7dd80
      David Howells authored
      Fix error handling in construct_key_and_link().
      If construct_alloc_key() returns an error, it shouldn't pass out through
      the normal path as the key_serial() called by the kleave() statement
      will oops when it gets an error code in the pointer:
        BUG: unable to handle kernel paging request at ffffffffffffff84
        IP: [<ffffffff8120b401>] request_key_and_link+0x4d7/0x52f
        Call Trace:
         [<ffffffff8120b52c>] request_key+0x41/0x75
         [<ffffffffa00ed6e8>] cifs_get_spnego_key+0x206/0x226 [cifs]
         [<ffffffffa00eb0c9>] CIFS_SessSetup+0x511/0x1234 [cifs]
         [<ffffffffa00d9799>] cifs_setup_session+0x90/0x1ae [cifs]
         [<ffffffffa00d9c02>] cifs_get_smb_ses+0x34b/0x40f [cifs]
         [<ffffffffa00d9e05>] cifs_mount+0x13f/0x504 [cifs]
         [<ffffffffa00caabb>] cifs_do_mount+0xc4/0x672 [cifs]
         [<ffffffff8113ae8c>] mount_fs+0x69/0x155
         [<ffffffff8114ff0e>] vfs_kern_mount+0x63/0xa0
         [<ffffffff81150be2>] do_kern_mount+0x4d/0xdf
         [<ffffffff81152278>] do_mount+0x63c/0x69f
         [<ffffffff8115255c>] sys_mount+0x88/0xc2
         [<ffffffff814fbdc2>] system_call_fastpath+0x16/0x1b
      Signed-off-by: David Howells <dhowells@redhat.com>
      Acked-by: Jeff Layton <jlayton@redhat.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  11. 20 Jun, 2011 1 commit
  12. 17 Jun, 2011 1 commit
    • KEYS/DNS: Fix ____call_usermodehelper() to not lose the session keyring · 87966996
      David Howells authored
      ____call_usermodehelper() now erases any credentials set by the
      subprocess_inf::init() function.  The problem is that commit
      17f60a7d ("capabilites: allow the application of capability limits
      to usermode helpers") creates and commits new credentials with
      prepare_kernel_cred() after the call to the init() function.  This wipes
      all keyrings after umh_keys_init() is called.
      The best way to deal with this is to put the init() call just prior to
      the commit_creds() call, and pass the cred pointer to init().  That
      means that umh_keys_init() and suchlike can modify the credentials
      _before_ they are published and potentially in use by the rest of the
      This prevents request_key() from working as it is prevented from passing
      the session keyring it set up with the authorisation token to
      /sbin/request-key, and so the latter can't assume the authority to
      instantiate the key.  This causes the in-kernel DNS resolver to fail
      with ENOKEY unconditionally.
      Signed-off-by: David Howells <dhowells@redhat.com>
      Acked-by: Eric Paris <eparis@redhat.com>
      Tested-by: Jeff Layton <jlayton@redhat.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  13. 14 Jun, 2011 2 commits
  14. 09 Jun, 2011 1 commit
    • AppArmor: Fix sleep in invalid context from task_setrlimit · 1780f2d3
      John Johansen authored
      Affected kernels 2.6.36 - 3.0
      AppArmor may do a GFP_KERNEL memory allocation with task_lock(tsk->group_leader);
      held when called from security_task_setrlimit.  This will only occur when the
      task's current policy has been replaced, and the task's creds have not been
      updated before entering the LSM security_task_setrlimit() hook.
      BUG: sleeping function called from invalid context at mm/slub.c:847
       in_atomic(): 1, irqs_disabled(): 0, pid: 1583, name: cupsd
       2 locks held by cupsd/1583:
        #0:  (tasklist_lock){.+.+.+}, at: [<ffffffff8104dafa>] do_prlimit+0x61/0x189
        #1:  (&(&p->alloc_lock)->rlock){+.+.+.}, at: [<ffffffff8104db2d>]
       Pid: 1583, comm: cupsd Not tainted 3.0.0-rc2-git1 #7
       Call Trace:
        [<ffffffff8102ebf2>] __might_sleep+0x10d/0x112
        [<ffffffff810e6f46>] slab_pre_alloc_hook.isra.49+0x2d/0x33
        [<ffffffff810e7bc4>] kmem_cache_alloc+0x22/0x132
        [<ffffffff8105b6e6>] prepare_creds+0x35/0xe4
        [<ffffffff811c0675>] aa_replace_current_profile+0x35/0xb2
        [<ffffffff811c4d2d>] aa_current_profile+0x45/0x4c
        [<ffffffff811c4d4d>] apparmor_task_setrlimit+0x19/0x3a
        [<ffffffff811beaa5>] security_task_setrlimit+0x11/0x13
        [<ffffffff8104db6b>] do_prlimit+0xd2/0x189
        [<ffffffff8104dea9>] sys_setrlimit+0x3b/0x48
        [<ffffffff814062bb>] system_call_fastpath+0x16/0x1b
      Signed-off-by: John Johansen <john.johansen@canonical.com>
      Reported-by: Miles Lane <miles.lane@gmail.com>
      Cc: stable@kernel.org
      Signed-off-by: James Morris <jmorris@namei.org>
  15. 08 Jun, 2011 1 commit
    • selinux: simplify and clean up inode_has_perm() · 95f4efb2
      Linus Torvalds authored
      This is a rather hot function that is called with a potentially NULL
      "struct common_audit_data" pointer argument.  And in that case it has to
      provide and initialize its own dummy common_audit_data structure.
      However, all the _common_ cases already pass it a real audit-data
      structure, so that uncommon NULL case not only creates a silly run-time
      test, more importantly it causes that function to have a big stack frame
      for the dummy variable that isn't even used in the common case!
      So get rid of that stupid run-time behavior, and make the (few)
      functions that currently call with a NULL pointer just call a new helper
      function instead (naturally called inode_has_perm_noapd(), since it has
      no adp argument).
      This makes the run-time test be a static code generation issue instead,
      and allows for a much denser stack since none of the common callers need
      the dummy structure.  And a denser stack not only means less stack space
      usage, it means better cache behavior.  So we have a win-win-win from
      this simplification: less code executed, smaller stack footprint, and
      better cache behavior.
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  16. 01 Jun, 2011 1 commit
  17. 27 May, 2011 2 commits
    • selinux: don't pass in NULL avd to avc_has_perm_noaudit · f01e1af4
      Linus Torvalds authored
      Right now security_get_user_sids() will pass in a NULL avd pointer to
      avc_has_perm_noaudit(), which then forces that function to have a dummy
      entry for that case and just generally test it.
      Don't do it.  The normal callers all pass a real avd pointer, and this
      helper function is incredibly hot.  So don't make avc_has_perm_noaudit()
      do conditional stuff that isn't needed for the common case.
      This also avoids some duplicated stack space.
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • cgroups: add per-thread subsystem callbacks · f780bdb7
      Ben Blum authored
      Add cgroup subsystem callbacks for per-thread attachment in atomic contexts
      Add can_attach_task(), pre_attach(), and attach_task() as new callbacks
      for cgroups's subsystem interface.  Unlike can_attach and attach, these
      are for per-thread operations, to be called potentially many times when
      attaching an entire threadgroup.
      Also, the old "bool threadgroup" interface is removed, as replaced by
      this.  All subsystems are modified for the new interface - of note is
      cpuset, which requires from/to nodemasks for attach to be globally scoped
      (though per-cpuset would work too) to persist from its pre_attach to
      attach_task and attach.
      This is a pre-patch for cgroup-procs-writable.patch.
      Signed-off-by: Ben Blum <bblum@andrew.cmu.edu>
      Cc: "Eric W. Biederman" <ebiederm@xmission.com>
      Cc: Li Zefan <lizf@cn.fujitsu.com>
      Cc: Matt Helsley <matthltc@us.ibm.com>
      Reviewed-by: Paul Menage <menage@google.com>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: David Rientjes <rientjes@google.com>
      Cc: Miao Xie <miaox@cn.fujitsu.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  18. 26 May, 2011 2 commits
    • selinux: fix case of names with whitespace/multibytes on /selinux/create · 0f7e4c33
      Kohei Kaigai authored
      I submit the patch again, according to patch submission convention.
      This patch enables accepting percent-encoded object names as the fourth
      argument of the /selinux/create interface, to avoid possible bugs when we
      give an object name including whitespace or multibytes.
      E.g.) if and when a userspace object manager tries to create a new object
       named "resolve.conf but fake", it shall give this name as the fourth
       argument of /selinux/create. But the sscanf() logic in kernel space
       fetches only the part earlier than the first whitespace.
       In this case, selinux may unexpectedly answer a default security context
       configured to "resolve.conf", but it is a bug.
      Although I could not test this patch on named TYPE_TRANSITION rules
      actually, the debug printk() message seems to me to show the logic works
      I assume the libselinux provides an interface to apply this logic
      transparently, so nothing shall be changed from the viewpoint of
      Signed-off-by: KaiGai Kohei <kohei.kaigai@emea.nec.com>
      Signed-off-by: Eric Paris <eparis@redhat.com>
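      A user-space illustration of the problem and the fix this message describes, added here and not taken from the selinuxfs code: sscanf() ends the fourth field of a "scon tcon tclass objname" request at the first whitespace, so the object manager percent-encodes the name and the receiver decodes "%XX" escapes before using it, which also carries multibyte names through safely. The function names (percent_encode, percent_decode, parse_create_objname, create_objname_of, roundtrip_ok), the 256-byte buffers, the choice to treat '+' as a space, and the security contexts in the usage note are this example's own assumptions and constructed input.

```c
/* Added example (not the selinuxfs code): why an unencoded name is
 * truncated by sscanf() on /selinux/create, with percent-encoding on the
 * object-manager side and decoding on the receiving side. Function names
 * and the 256-byte buffers are this example's own assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 256

static int hexval(int c)
{
    if (c >= '0' && c <= '9')
        return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f')
        return c - 'a' + 10;
    return -1;
}

/* Decode "%XX" escapes ('+' is taken as a space, an assumption matching
 * form-style encoders). Returns the decoded length, or -1 on a short or
 * non-hex escape or when out is too small; out is not valid on -1. */
int percent_decode(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    for (const char *r = in; *r; r++) {
        int c = (unsigned char)*r;
        if (c == '+') {
            c = ' ';
        } else if (c == '%') {
            int hi = hexval((unsigned char)r[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)r[2]);
            if (lo < 0)
                return -1;              /* "%", "%4" or "%zz": reject */
            c = (hi << 4) | lo;
            r += 2;
        }
        if (n + 1 >= outsz)
            return -1;
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return (int)n;
}

/* Encode everything but unreserved ASCII, so the wire form has no
 * whitespace and no byte >= 0x80 (multibyte names survive sscanf()). */
int percent_encode(const char *in, char *out, size_t outsz)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t n = 0;
    for (const unsigned char *r = (const unsigned char *)in; *r; r++) {
        if (isalnum(*r) || strchr("-._~/", *r)) {
            if (n + 1 >= outsz)
                return -1;
            out[n++] = (char)*r;
        } else {
            if (n + 3 >= outsz)
                return -1;
            out[n++] = '%';
            out[n++] = hex[*r >> 4];
            out[n++] = hex[*r & 0x0f];
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Parse "scon tcon tclass [objname]" the way the message describes:
 * sscanf() ends the fourth field at the first whitespace, then the
 * decoder restores the real name. Returns the name length, 0 when no
 * name was given, or -1 on a malformed line or escape. */
int parse_create_objname(const char *line, char *name, size_t namesz)
{
    char scon[NAME_MAX_LEN], tcon[NAME_MAX_LEN], raw[NAME_MAX_LEN];
    unsigned short tclass;
    int nfields = sscanf(line, "%255s %255s %hu %255s", scon, tcon, &tclass, raw);
    if (nfields < 3)
        return -1;
    if (nfields == 3) {
        name[0] = '\0';
        return 0;
    }
    return percent_decode(raw, name, namesz);
}

/* Static-buffer wrapper: the decoded object name, or NULL on error. */
const char *create_objname_of(const char *line)
{
    static char name[NAME_MAX_LEN];
    return parse_create_objname(line, name, sizeof name) < 0 ? NULL : name;
}

/* encode -> decode must give the original back, and the wire form must
 * contain no whitespace that sscanf() would split on. */
int roundtrip_ok(const char *s)
{
    char enc[3 * NAME_MAX_LEN], dec[NAME_MAX_LEN];
    if (percent_encode(s, enc, sizeof enc) < 0)
        return 0;
    if (percent_decode(enc, dec, sizeof dec) < 0)
        return 0;
    return strcmp(s, dec) == 0 && strpbrk(enc, " \t\n") == NULL;
}
```

      With constructed contexts, create_objname_of("system_u:object_r:etc_t:s0 system_u:object_r:etc_t:s0 6 resolve.conf but fake") yields "resolve.conf" (the truncation the message describes), while the encoded form "... 6 resolve.conf%20but%20fake" yields "resolve.conf but fake". Rejecting a short or non-hex escape instead of passing it through matters because the decoded name is what the policy lookup keys on.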
    • Set cred->user_ns in key_replace_session_keyring · f7285b5d
      Serge E. Hallyn authored
      Since this cred was not created with copy_creds(), it needs to get
      initialized.  Otherwise use of syscall(__NR_keyctl, KEYCTL_SESSION_TO_PARENT);
      can lead to a NULL deref.  Thanks to Robert for finding this.
      Bug introduced by commit 47a150ed ("Cache user_ns in struct cred").
      Signed-off-by: Serge E. Hallyn <serge.hallyn@canonical.com>
      Reported-by: Robert Święcki <robert@swiecki.net>
      Cc: David Howells <dhowells@redhat.com>
      Cc: stable@kernel.org (2.6.39)
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  19. 20 May, 2011 2 commits
    • selinux: avoid unnecessary avc cache stat hit count · 257313b2
      Linus Torvalds authored
      There is no point in counting hits - we can calculate it from the number
      of lookups and misses.
      This makes the avc statistics a bit smaller, and makes the code
      generation better too.
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • selinux: de-crapify avc cache stat code generation · 044aea9b
      Linus Torvalds authored
      You can turn off the avc cache stats, but distributions seem to not do
      that (perhaps because several performance tuning how-to's talk about the
      avc cache statistics).
      Which is sad, because the code it generates is truly horrendous, with
      the statistics update being sandwiched between get_cpu/put_cpu which in
      turn causes preemption disables etc.  We're talking ten+ instructions
      just to increment a per-cpu variable in some pretty hot code.
      Fix the craziness by just using 'this_cpu_inc()' instead.  Suddenly we
      only need a single 'inc' instruction to increment the statistics.  This
      is quite noticeable in the incredibly hot avc_has_perm_noaudit()
      function (which triggers all the statistics by virtue of doing an
      avc_lookup() call).
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  20. 19 May, 2011 1 commit
    • Create Documentation/security/, · d410fa4e
      Randy Dunlap authored
      move LSM-, credentials-, and keys-related files from Documentation/
        to Documentation/security/,
      add Documentation/security/00-INDEX, and
      update all occurrences of Documentation/<moved_file>
        to Documentation/security/<moved_file>.
  21. 12 May, 2011 2 commits
  22. 11 May, 2011 1 commit
    • SELINUX: add /sys/fs/selinux mount point to put selinuxfs · 7a627e3b
      Greg Kroah-Hartman authored
      In the interest of keeping userspace from having to create new root
      filesystems all the time, let's follow the lead of the other in-kernel
      filesystems and provide a proper mount point for it in sysfs.
      For selinuxfs, this mount point should be in /sys/fs/selinux/
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Cc: James Morris <jmorris@namei.org>
      Cc: Eric Paris <eparis@parisplace.org>
      Cc: Lennart Poettering <mzerqung@0pointer.de>
      Cc: Daniel J Walsh <dwalsh@redhat.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
      [include kobject.h - Eric Paris]
      [use selinuxfs_obj throughout - Eric Paris]
      Signed-off-by: Eric Paris <eparis@redhat.com>
  23. 08 May, 2011 2 commits
  24. 28 Apr, 2011 8 commits