Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v3.6.9 2012-07-30T05:04:17Z 2012-07-30T05:04:17Z Alan Cox alan@linux.intel.com 2012-07-26T21:47:11Z urn:sha1:3b9fc37280c521b086943f9aedda767f5bf3b2d3 Consider the input case of a rule that consists entirely of non space symbols followed by a \0. Say 64 + \0 In this case strlen(data) = 64 kzalloc of subject and object are 64 byte objects sscanfdata, "%s %s %s", subject, ...) will put 65 bytes into subject. Signed-off-by: Alan Cox <alan@linux.intel.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com> Cc: stable@vger.kernel.org Signed-off-by: James Morris <james.l.morris@oracle.com> 2012-07-13T22:49:24Z Rafal Krypa r.krypa@samsung.com 2012-07-09T17:36:34Z urn:sha1:65ee7f45cf075adcdd6b6ef365f5a5507f1ea5c5 This patch removes empty rules (i.e. with access set to '-') from the rule list presented to user space. Smack by design never removes labels nor rules from its lists. Access for a rule may be set to '-' to effectively disable it. Such rules would show up in the listing generated when /smack/load or /smack/load2 is read. This may cause clutter if many rules were disabled. As a rule with access set to '-' is equivalent to no rule at all, they may be safely hidden from the listing. Targeted for git://git.gitorious.org/smack-next/kernel.git Signed-off-by: Rafal Krypa <r.krypa@samsung.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> 2012-07-13T22:49:24Z Casey Schaufler casey@schaufler-ca.com 2012-06-19T02:01:36Z urn:sha1:3518721a8932b2a243f415c374aef020380efc9d Some of the bounds checking used on the /smack/access interface was lost when support for long labels was added. No kernel access checks are affected, however this is a case where /smack/access could be used incorrectly and fail to detect the error. This patch reintroduces the original checks. Targeted for git://git.gitorious.org/smack-next/kernel.git Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> 2012-07-13T22:49:23Z Casey Schaufler casey@schaufler-ca.com 2012-06-05T22:28:30Z urn:sha1:1880eff77e7a7cb46c68fae7cfa33f72f0a6e70e Smack is integrated with the POSIX capabilities scheme, using the capabilities CAP_MAC_OVERRIDE and CAP_MAC_ADMIN to determine if a process is allowed to ignore Smack checks or change Smack related data respectively. Smack provides an additional restriction that if an onlycap value is set by writing to /smack/onlycap only tasks with that Smack label are allowed to use CAP_MAC_OVERRIDE. This change adds CAP_MAC_ADMIN as a capability that is affected by the onlycap mechanism. Targeted for git://git.gitorious.org/smack-next/kernel.git Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> 2012-07-13T22:49:23Z Casey Schaufler casey@schaufler-ca.com 2012-05-24T00:46:58Z urn:sha1:eb982cb4cf6405b97ea1f9e1d10864981f269d46 In January of 2012 Al Viro pointed out three bits of code that he titled "new_inode_smack bogosities". This patch repairs these errors. 1. smack_sb_kern_mount() included a NULL check that is impossible. The check and NULL case are removed. 2. smack_kb_kern_mount() included pointless locking. The locking is removed. Since this is the only place that lock was used the lock is removed from the superblock_smack structure. 3. smk_fill_super() incorrectly and unnecessarily set the Smack label for the smackfs root inode. The assignment has been removed. Targeted for git://gitorious.org/smack-next/kernel.git Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> 2012-05-31T17:11:54Z Al Viro viro@zeniv.linux.org.uk 2012-05-30T17:30:51Z urn:sha1:e5467859f7f79b69fc49004403009dfdba3bec53 ... i.e. file-dependent and address-dependent checks. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2012-05-31T17:10:54Z Al Viro viro@zeniv.linux.org.uk 2012-05-30T17:11:37Z urn:sha1:d007794a182bc072a7b7479909dbd0d67ba341be ... switch callers. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2012-05-22T01:21:06Z James Morris james.l.morris@oracle.com 2012-05-22T01:21:06Z urn:sha1:ff2bb047c4bce9742e94911eeb44b4d6ff4734ab Per pull request, for 3.5. 2012-05-15T05:48:38Z Casey Schaufler casey@schaufler-ca.com 2012-05-06T22:22:02Z urn:sha1:f7112e6c9abf1c70f001dcf097c1d6e218a93f5c V4 updated to current linux-security#next Targeted for git://gitorious.org/smack-next/kernel.git Modern application runtime environments like to use naming schemes that are structured and generated without human intervention. Even though the Smack limit of 23 characters for a label name is perfectly rational for human use there have been complaints that the limit is a problem in environments where names are composed from a set or sources, including vendor, author, distribution channel and application name. Names like softwarehouse-pgwodehouse-coolappstore-mellowmuskrats are becoming harder to avoid. This patch introduces long label support in Smack. Labels are now limited to 255 characters instead of the old 23. The primary reason for limiting the labels to 23 characters was so they could be directly contained in CIPSO category sets. This is still done were possible, but for labels that are too large a mapping is required. This is perfectly safe for communication that stays "on the box" and doesn't require much coordination between boxes beyond what would have been required to keep label names consistent. The bulk of this patch is in smackfs, adding and updating administrative interfaces. Because existing APIs can't be changed new ones that do much the same things as old ones have been introduced. The Smack specific CIPSO data representation has been removed and replaced with the data format used by netlabel. The CIPSO header is now computed when a label is imported rather than on use. This results in improved IP performance. The smack label is now allocated separately from the containing structure, allowing for larger strings. Four new /smack interfaces have been introduced as four of the old interfaces strictly required labels be specified in fixed length arrays. The access interface is supplemented with the check interface: access "Subject Object rwxat" access2 "Subject Object rwaxt" The load interface is supplemented with the rules interface: load "Subject Object rwxat" load2 "Subject Object rwaxt" The load-self interface is supplemented with the self-rules interface: load-self "Subject Object rwxat" load-self2 "Subject Object rwaxt" The cipso interface is supplemented with the wire interface: cipso "Subject lvl cnt c1 c2 ..." cipso2 "Subject lvl cnt c1 c2 ..." The old interfaces are maintained for compatibility. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> 2012-05-15T05:47:44Z Tetsuo Handa penguin-kernel@I-love.SAKURA.ne.jp 2012-03-29T07:19:05Z urn:sha1:ceffec5541cc22486d3ff492e3d76a33a68fbfa3 Dave Chinner wrote: > Yes, because you have no idea what the calling context is except > for the fact that is from somewhere inside filesystem code and the > filesystem could be holding locks. Therefore, GFP_NOFS is really the > only really safe way to allocate memory here. I see. Thank you. I'm not sure, but can call trace happen where somewhere inside network filesystem or stackable filesystem code with locks held invokes operations that involves GFP_KENREL memory allocation outside that filesystem? ---------- [PATCH] SMACK: Fix incorrect GFP_KERNEL usage. new_inode_smack() which can be called from smack_inode_alloc_security() needs to use GFP_NOFS like SELinux's inode_alloc_security() does, for security_inode_alloc() is called from inode_init_always() and inode_init_always() is called from xfs_inode_alloc() which is using GFP_NOFS. smack_inode_init_security() needs to use GFP_NOFS like selinux_inode_init_security() does, for initxattrs() callback function (e.g. btrfs_initxattrs()) which is called from security_inode_init_security() is using GFP_NOFS. smack_audit_rule_match() needs to use GFP_ATOMIC, for security_audit_rule_match() can be called from audit_filter_user_rules() and audit_filter_user_rules() is called from audit_filter_user() with RCU read lock held. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Casey Schaufler <cschaufler@cschaufler-intel.(none)>