Linux kernel source tree https://git.amat.us/linux/atom/security/smack?h=v3.16 2014-05-20T04:50:09Z 2014-05-20T04:50:09Z James Morris james.l.morris@oracle.com 2014-05-20T04:50:09Z urn:sha1:2fd4e6698f0863f47558e63b67c7c3a026513541 2014-05-06T18:32:53Z Toralf Förster toralf.foerster@gmx.de 2014-04-27T17:33:34Z urn:sha1:ec554fa75ec94dcf47e52db9551755679c10235b This fixes a warning about the mismatch of types between the declared unsigned and integer. Signed-off-by: Toralf Förster <toralf.foerster@gmx.de> 2014-04-30T17:49:33Z Casey Schaufler casey@schaufler-ca.com 2014-04-28T22:23:01Z urn:sha1:36ea735b522d09826ae0dac0e540f294436c52f3 The cgroup filesystem isn't ready for an LSM to properly use extented attributes. This patch makes files created in the cgroup filesystem usable by a system running Smack and systemd. Targeted for git://git.gitorious.org/smack-next/kernel.git Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> 2014-04-23T15:52:39Z Casey Schaufler casey@schaufler-ca.com 2014-04-21T18:10:26Z urn:sha1:a6834c0b9114c06106efee8e9f2a11fbbb104567 Smack believes that many of the operatons that can be performed on an open file descriptor are read operations. The fstat and lseek system calls are examples. An implication of this is that files shouldn't be open if the task doesn't have read access even if it has write access and the file is being opened write only. Targeted for git://git.gitorious.org/smack-next/kernel.git Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> 2014-04-11T21:35:28Z Casey Schaufler casey@schaufler-ca.com 2014-04-10T23:37:08Z urn:sha1:54e70ec5eb090193b03e69d551fa6771a5a217c4 Smack IPC policy requires that the sender have write access to the receiver. UDS streams don't do per-packet checks. The only check is done at connect time. The existing code checks if the connecting process can write to the other, but not the other way around. This change adds a check that the other end can write to the connecting process. Targeted for git://git.gitorious.org/smack-next/kernel.git Signed-off-by: Casey Schuafler <casey@schaufler-ca.com> 2014-04-11T21:35:19Z Casey Schaufler casey@schaufler-ca.com 2014-04-10T23:35:36Z urn:sha1:f59bdfba3e2b0ba5182f23d96101d106f18132ca Sam Henderson points out that removing the SMACK64TRANSMUTE attribute from a directory does not result in the directory transmuting. This is because the inode flag indicating that the directory is transmuting isn't cleared. The fix is a tad less than trivial because smk_task and smk_mmap should have been broken out, too. Targeted for git://git.gitorious.org/smack-next/kernel.git Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> 2014-04-11T21:35:05Z José Bollo jose.bollo@open.eurogiciel.org 2014-04-03T11:48:41Z urn:sha1:9598f4c9e7069aee8639be1e04e8af26b5a77fa2 The function `smack_inode_post_setxattr` is called each time that a setxattr is done, for any value of name. The kernel allow to put value==NULL when size==0 to set an empty attribute value. The systematic call to smk_import_entry was causing the dereference of a NULL pointer hence a KERNEL PANIC! The problem can be produced easily by issuing the command `setfattr -n user.data file` under bash prompt when SMACK is active. Moving the call to smk_import_entry as proposed by this patch is correcting the behaviour because the function smack_inode_post_setxattr is called for the SMACK's attributes only if the function smack_inode_setxattr validated the value and its size (what will not be the case when size==0). It also has a benefical effect to not fill the smack hash with garbage values coming from any extended attribute write. Change-Id: Iaf0039c2be9bccb6cee11c24a3b44d209101fe47 Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org> 2014-04-11T21:34:52Z Pankaj Kumar pankaj.k2@samsung.com 2013-12-13T09:42:22Z urn:sha1:5e9ab593c2da3064136ffa1d7f712d0e957e1958 1. In order to remove any SMACK extended attribute from a file, a user should have CAP_MAC_ADMIN capability. But user without having this capability is able to remove SMACK64MMAP security attribute. 2. While validating size and value of smack extended attribute in smack_inode_setsecurity hook, wrong error code is returned. Signed-off-by: Pankaj Kumar <pamkaj.k2@samsung.com> Signed-off-by: Himanshu Shukla <himanshu.sh@samsung.com> 2014-04-11T21:34:35Z Lukasz Pawelczyk l.pawelczyk@partner.samsung.com 2014-03-11T16:07:06Z urn:sha1:668678185247303450e60df14569f94cf5775fea This allows to limit ptrace beyond the regular smack access rules. It adds a smackfs/ptrace interface that allows smack to be configured to require equal smack labels for PTRACE_MODE_ATTACH access. See the changes in Documentation/security/Smack.txt below for details. Signed-off-by: Lukasz Pawelczyk <l.pawelczyk@partner.samsung.com> Signed-off-by: Rafal Krypa <r.krypa@samsung.com> 2014-04-11T21:34:26Z Lukasz Pawelczyk l.pawelczyk@partner.samsung.com 2014-03-11T16:07:05Z urn:sha1:5663884caab166f87ab8c68ec7c62b1cce85a400 The decision whether we can trace a process is made in the following functions: smack_ptrace_traceme() smack_ptrace_access_check() smack_bprm_set_creds() (in case the proces is traced) This patch unifies all those decisions by introducing one function that checks whether ptrace is allowed: smk_ptrace_rule_check(). This makes possible to actually trace with TRACEME where first the TRACEME itself must be allowed and then exec() on a traced process. Additional bugs fixed: - The decision is made according to the mode parameter that is now correctly translated from PTRACE_MODE_* to MAY_* instead of being treated 1:1. PTRACE_MODE_READ requires MAY_READ. PTRACE_MODE_ATTACH requires MAY_READWRITE. - Add a smack audit log in case of exec() refused by bprm_set_creds(). - Honor the PTRACE_MODE_NOAUDIT flag and don't put smack audit info in case this flag is set. Signed-off-by: Lukasz Pawelczyk <l.pawelczyk@partner.samsung.com> Signed-off-by: Rafal Krypa <r.krypa@samsung.com>