Linux kernel source tree https://git.amat.us/linux/atom/security?h=v2.6.19-rc5 2006-10-30T23:24:49Z 2006-10-30T23:24:49Z Paul Moore paul.moore@hp.com 2006-10-30T23:22:15Z urn:sha1:f8687afefcc821fc47c75775eec87731fe3de360 This patch makes two changes to protect applications from either removing or tampering with the CIPSOv4 IP option on a socket. The first is the requirement that applications have the CAP_NET_RAW capability to set an IPOPT_CIPSO option on a socket; this prevents untrusted applications from setting their own CIPSOv4 security attributes on the packets they send. The second change is to SELinux and it prevents applications from setting any IPv4 options when there is an IPOPT_CIPSO option already present on the socket; this prevents applications from removing CIPSOv4 security attributes from the packets they send. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net> 2006-10-16T06:14:15Z Paul Moore paul.moore@hp.com 2006-10-11T23:10:48Z urn:sha1:bf0edf39296097f20c5fcc4919ed7d339194bd75 Upon inspection it looked like the error handling for mls_export_cat() was rather poor. This patch addresses this by NULL'ing out kfree()'d pointers before returning and checking the return value of the function everywhere it is called. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org> 2006-10-12T06:59:41Z Chad Sellers csellers@tresys.com 2006-10-06T20:09:52Z urn:sha1:6e8c751e07b34d73069e9333f67fbe5ffe31ec3a This patch fixes two bugs in policydb_destroy. Two list pointers (policydb.ocontexts[i] and policydb.genfs) were not being reset to NULL when the lists they pointed to were being freed. This caused a problem when the initial policy load failed, as the policydb being destroyed was not a temporary new policydb that was thrown away, but rather was the global (active) policydb. Consequently, later functions, particularly sys_bind->selinux_socket_bind->security_node_sid and do_rw_proc->selinux_sysctl->selinux_proc_get_sid->security_genfs_sid tried to dereference memory that had previously been freed. Signed-off-by: Chad Sellers <csellers@tresys.com> Signed-off-by: James Morris <jmorris@namei.org> 2006-10-12T06:59:37Z Venkat Yekkirala vyekkirala@trustedcs.com 2006-10-05T20:42:18Z urn:sha1:5b368e61c2bcb2666bb66e2acf1d6d85ba6f474d Currently when an IPSec policy rule doesn't specify a security context, it is assumed to be "unlabeled" by SELinux, and so the IPSec policy rule fails to match to a flow that it would otherwise match to, unless one has explicitly added an SELinux policy rule allowing the flow to "polmatch" to the "unlabeled" IPSec policy rules. In the absence of such an explicitly added SELinux policy rule, the IPSec policy rule fails to match and so the packet(s) flow in clear text without the otherwise applicable xfrm(s) applied. The above SELinux behavior violates the SELinux security notion of "deny by default" which should actually translate to "encrypt by default" in the above case. This was first reported by Evgeniy Polyakov and the way James Morris was seeing the problem was when connecting via IPsec to a confined service on an SELinux box (vsftpd), which did not have the appropriate SELinux policy permissions to send packets via IPsec. With this patch applied, SELinux "polmatching" of flows Vs. IPSec policy rules will only come into play when there's a explicit context specified for the IPSec policy rule (which also means there's corresponding SELinux policy allowing appropriate domains/flows to polmatch to this context). Secondly, when a security module is loaded (in this case, SELinux), the security_xfrm_policy_lookup() hook can return errors other than access denied, such as -EINVAL. We were not handling that correctly, and in fact inverting the return logic and propagating a false "ok" back up to xfrm_lookup(), which then allowed packets to pass as if they were not associated with an xfrm policy. The solution for this is to first ensure that errno values are correctly propagated all the way back up through the various call chains from security_xfrm_policy_lookup(), and handled correctly. Then, flow_cache_lookup() is modified, so that if the policy resolver fails (typically a permission denied via the security module), the flow cache entry is killed rather than having a null policy assigned (which indicates that the packet can pass freely). This also forces any future lookups for the same flow to consult the security module (e.g. SELinux) for current security policy (rather than, say, caching the error on the flow cache entry). This patch: Fix the selinux side of things. This makes sure SELinux polmatching of flow contexts to IPSec policy rules comes into play only when an explicit context is associated with the IPSec policy rule. Also, this no longer defaults the context of a socket policy to the context of the socket since the "no explicit context" case is now handled properly. Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by: James Morris <jmorris@namei.org> 2006-10-12T06:59:32Z paul.moore@hp.com paul.moore@hp.com 2006-10-05T22:28:24Z urn:sha1:388b24057f90ba109d4bf855006a8809c383eb76 This patch changes NetLabel to use SECINITSID_UNLABLELED as it's source of SELinux type information when generating a NetLabel context. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org> 2006-10-12T06:59:29Z paul.moore@hp.com paul.moore@hp.com 2006-10-04T15:46:31Z urn:sha1:ffb733c65000ee701294f7b80c4eca2a5f335637 Testing revealed a problem with the NetLabel cache where a cached entry could be freed while in use by the LSM layer causing an oops and other problems. This patch fixes that problem by introducing a reference counter to the cache entry so that it is only freed when it is no longer in use. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org> 2006-10-03T20:36:44Z Matt LaPlante kernel1@cyberdogtech.com 2006-10-03T20:36:44Z urn:sha1:cab00891c5489cb6d0cde0a55d39bd5f2871fa70 Signed-off-by: Adrian Bunk <bunk@stusta.de> 2006-10-03T20:34:14Z Matt LaPlante kernel1@cyberdogtech.com 2006-10-03T20:34:14Z urn:sha1:44c09201a4178e08ed1c8cc37e7aea0683888f0a Signed-off-by: Adrian Bunk <bunk@stusta.de> 2006-10-01T07:39:30Z Dave Hansen haveblue@us.ibm.com 2006-10-01T06:29:04Z urn:sha1:d8c76e6f45c111c32a4b3e50a2adc9210737b0d8 This is mostly included for parity with dec_nlink(), where we will have some more hooks. This one should stay pretty darn straightforward for now. Signed-off-by: Dave Hansen <haveblue@us.ibm.com> Acked-by: Christoph Hellwig <hch@lst.de> Cc: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org> 2006-09-29T22:58:21Z David Woodhouse dwmw2@infradead.org 2006-09-29T22:50:25Z urn:sha1:2148ccc437a9eac9f0d4b3c27cb1e41f6a48194c Accepted connections of types other than AF_INET, AF_INET6, AF_UNIX won't have an appropriate label derived from the peer, so don't use it. Signed-off-by: David Woodhouse <dwmw2@infradead.org> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: James Morris <jmorris@namei.org> Acked-by: Paul Moore <paul.moore@hp.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>