Linux kernel source tree https://git.amat.us/linux/atom/security?h=v2.6.24-rc4 2007-11-29T17:24:53Z 2007-11-29T17:24:53Z Serge E. Hallyn serue@us.ibm.com 2007-11-29T00:21:47Z urn:sha1:8ec2328f1138a58eaea55ec6150985a1623b01c5 An unprivileged process must be able to kill a setuid root program started by the same user. This is legacy behavior needed for instance for xinit to kill X when the window manager exits. When an unprivileged user runs a setuid root program in !SECURE_NOROOT mode, fP, fI, and fE are set full on, so pP' and pE' are full on. Then cap_task_kill() prevents the user from signaling the setuid root task. This is a change in behavior compared to when !CONFIG_SECURITY_FILE_CAPABILITIES. This patch introduces a special check into cap_task_kill() just to check whether a non-root user is signaling a setuid root program started by the same user. If so, then signal is allowed. Signed-off-by: Serge E. Hallyn <serue@us.ibm.com> Cc: Andrew Morgan <morgan@kernel.org> Cc: Stephen Smalley <sds@epoch.ncsc.mil> Cc: Chris Wright <chrisw@sous-sol.org> Cc: James Morris <jmorris@namei.org> Cc: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2007-11-15T02:45:44Z Serge E. Hallyn serue@us.ibm.com 2007-11-15T01:00:34Z urn:sha1:91ad997a34d7abca1f04e819e31eb9f3d4e20585 Fix http://bugzilla.kernel.org/show_bug.cgi?id=9247 Allow sigcont to be sent to a process with greater capabilities if it is in the same session. Otherwise, a shell from which I've started a root shell and done 'suspend' can't be restarted by the parent shell. Also don't do file-capabilities signaling checks when uids for the processes don't match, since the standard check_kill_permission will have done those checks. [akpm@linux-foundation.org: coding-style cleanups] Signed-off-by: Serge E. Hallyn <serue@us.ibm.com> Acked-by: Andrew Morgan <morgan@kernel.org> Cc: Chris Wright <chrisw@sous-sol.org> Tested-by: "Theodore Ts'o" <tytso@mit.edu> Cc: Stephen Smalley <sds@epoch.ncsc.mil> Cc: "Rafael J. Wysocki" <rjw@sisk.pl> Cc: Chris Wright <chrisw@sous-sol.org> Cc: James Morris <jmorris@namei.org> Cc: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2007-11-07T21:56:23Z Stephen Smalley sds@tycho.nsa.gov 2007-11-07T15:08:00Z urn:sha1:45e5421eb5bbcd9efa037d682dd357284e3ef982 Add more validity checks at policy load time to reject malformed policies and prevent subsequent out-of-range indexing when in permissive mode. Resolves the NULL pointer dereference reported in https://bugzilla.redhat.com/show_bug.cgi?id=357541. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org> 2007-11-07T21:55:10Z KaiGai Kohei kaigai@kaigai.gr.jp 2007-11-06T16:17:16Z urn:sha1:6d2b685564ba417f4c6d80c3661f0dfee13fff85 The "e_iter = e_iter->next;" statement in the inner for loop is primally bug. It should be moved to outside of the for loop. Signed-off-by: KaiGai Kohei <kaigai@kaigai.gr.jp> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org> 2007-11-07T21:55:04Z Stephen Rothwell sfr@canb.auug.org.au 2007-10-31T05:47:19Z urn:sha1:57002bfb31283e84f694763ed4db0fb761b7d6a9 On PowerPC allmodconfig build we get this: security/selinux/xfrm.c:214: warning: comparison is always false due to limited range of data type Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au> Signed-off-by: James Morris <jmorris@namei.org> 2007-10-23T15:59:46Z Linus Torvalds torvalds@woody.linux-foundation.org 2007-10-23T15:59:46Z urn:sha1:48d2268473a66fe3aa78fb13b09ee59d6ee95073 * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6: SELinux: always check SIGCHLD in selinux_task_wait 2007-10-22T22:47:48Z Eric Paris eparis@redhat.com 2007-10-22T20:10:31Z urn:sha1:8a53514043e380aa573baa805298a7727c993985 When checking if we can wait on a child we were looking at p->exit_signal and trying to make the decision based on if the signal would eventually be allowed. One big flaw is that p->exit_signal is -1 for NPTL threads and so aignal_to_av was not actually checking SIGCHLD which is what would have been sent. Even is exit_signal was set to something strange it wouldn't change the fact that the child was there and needed to be waited on. This patch just assumes wait is based on SIGCHLD. Specific permission checks are made when the child actually attempts to send a signal. This resolves the problem of things like using GDB on confined domains such as in RH BZ 232371. The confined domain did not have permission to send a generic signal (exit_signal == -1) back to the unconfined GDB. With this patch the GDB wait works and since the actual signal sent is allowed everything functions as it should. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org> 2007-10-22T15:13:18Z Serge E. Hallyn serue@us.ibm.com 2007-10-21T23:41:38Z urn:sha1:b68680e4731abbd78863063aaa0dca2a6d8cc723 Simplify the vfs_cap_data structure. Also fix get_file_caps which was declaring __le32 v1caps[XATTR_CAPS_SZ] on the stack, but XATTR_CAPS_SZ is already * sizeof(__le32). [akpm@linux-foundation.org: coding-style fixes] Signed-off-by: Serge E. Hallyn <serue@us.ibm.com> Cc: Andrew Morgan <morgan@kernel.org> Cc: Chris Wright <chrisw@sous-sol.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2007-10-19T18:53:37Z Serge E. Hallyn serue@us.ibm.com 2007-10-19T06:39:52Z urn:sha1:b460cbc581a53cc088ceba80608021dd49c63c43 is_init() is an ambiguous name for the pid==1 check. Split it into is_global_init() and is_container_init(). A cgroup init has it's tsk->pid == 1. A global init also has it's tsk->pid == 1 and it's active pid namespace is the init_pid_ns. But rather than check the active pid namespace, compare the task structure with 'init_pid_ns.child_reaper', which is initialized during boot to the /sbin/init process and never changes. Changelog: 2.6.22-rc4-mm2-pidns1: - Use 'init_pid_ns.child_reaper' to determine if a given task is the global init (/sbin/init) process. This would improve performance and remove dependence on the task_pid(). 2.6.21-mm2-pidns2: - [Sukadev Bhattiprolu] Changed is_container_init() calls in {powerpc, ppc,avr32}/traps.c for the _exception() call to is_global_init(). This way, we kill only the cgroup if the cgroup's init has a bug rather than force a kernel panic. [akpm@linux-foundation.org: fix comment] [sukadev@us.ibm.com: Use is_global_init() in arch/m32r/mm/fault.c] [bunk@stusta.de: kernel/pid.c: remove unused exports] [sukadev@us.ibm.com: Fix capability.c to work with threaded init] Signed-off-by: Serge E. Hallyn <serue@us.ibm.com> Signed-off-by: Sukadev Bhattiprolu <sukadev@us.ibm.com> Acked-by: Pavel Emelianov <xemul@openvz.org> Cc: Eric W. Biederman <ebiederm@xmission.com> Cc: Cedric Le Goater <clg@fr.ibm.com> Cc: Dave Hansen <haveblue@us.ibm.com> Cc: Herbert Poetzel <herbert@13thfloor.at> Cc: Kirill Korotaev <dev@sw.ru> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2007-10-18T21:37:31Z Stephen Hemminger shemminger@linux-foundation.org 2007-10-18T10:07:05Z urn:sha1:c80544dc0b87bb65038355e7aafdc30be16b26ab Get rid of sparse related warnings from places that use integer as NULL pointer. [akpm@linux-foundation.org: coding-style fixes] Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org> Cc: Andi Kleen <ak@suse.de> Cc: Jeff Garzik <jeff@garzik.org> Cc: Matt Mackall <mpm@selenic.com> Cc: Ian Kent <raven@themaw.net> Cc: Arnd Bergmann <arnd@arndb.de> Cc: Davide Libenzi <davidel@xmailserver.org> Cc: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>