user/sven/linux.git/security, branch v4.9.326 Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v4.9.326 2022-08-25T09:09:22Z selinux: fix inode_doinit_with_dentry() LABEL_INVALID error handling 2022-08-25T09:09:22Z Paul Moore paul@paul-moore.com 2020-11-03T16:49:38Z urn:sha1:381595049d2f688abc6beee19448cfaac8207dc1 commit 200ea5a2292dc444a818b096ae6a32ba3caa51b9 upstream. A previous fix, commit 83370b31a915 ("selinux: fix error initialization in inode_doinit_with_dentry()"), changed how failures were handled before a SELinux policy was loaded. Unfortunately that patch was potentially problematic for two reasons: it set the isec->initialized state without holding a lock, and it didn't set the inode's SELinux label to the "default" for the particular filesystem. The later can be a problem if/when a later attempt to revalidate the inode fails and SELinux reverts to the existing inode label. This patch should restore the default inode labeling that existed before the original fix, without affecting the LABEL_INVALID marking such that revalidation will still be attempted in the future. Fixes: 83370b31a915 ("selinux: fix error initialization in inode_doinit_with_dentry()") Reported-by: Sven Schnelle <svens@linux.ibm.com> Tested-by: Sven Schnelle <svens@linux.ibm.com> Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com> Signed-off-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Alexander Grund <theflamefire89@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> selinux: fix error initialization in inode_doinit_with_dentry() 2022-08-25T09:09:21Z Tianyue Ren rentianyue@kylinos.cn 2020-10-09T01:36:30Z urn:sha1:c00fcec32cd2559529438bda6b3ae98c2e43ceeb commit 83370b31a915493231e5b9addc72e4bef69f8d31 upstream. Mark the inode security label as invalid if we cannot find a dentry so that we will retry later rather than marking it initialized with the unlabeled SID. Fixes: 9287aed2ad1f ("selinux: Convert isec->lock into a spinlock") Signed-off-by: Tianyue Ren <rentianyue@kylinos.cn> [PM: minor comment tweaks] Signed-off-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Alexander Grund <theflamefire89@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> selinux: Convert isec->lock into a spinlock 2022-08-25T09:09:21Z Andreas Gruenbacher agruenba@redhat.com 2016-11-15T10:06:40Z urn:sha1:4ec11eb727dac020393dbb473b57e869537624bc commit 9287aed2ad1ff1bde5eb190bcd6dccd5f1cf47d3 upstream. Convert isec->lock from a mutex into a spinlock. Instead of holding the lock while sleeping in inode_doinit_with_dentry, set isec->initialized to LABEL_PENDING and release the lock. Then, when the sid has been determined, re-acquire the lock. If isec->initialized is still set to LABEL_PENDING, set isec->sid; otherwise, the sid has been set by another task (LABEL_INITIALIZED) or invalidated (LABEL_INVALID) in the meantime. This fixes a deadlock on gfs2 where * one task is in inode_doinit_with_dentry -> gfs2_getxattr, holds isec->lock, and tries to acquire the inode's glock, and * another task is in do_xmote -> inode_go_inval -> selinux_inode_invalidate_secctx, holds the inode's glock, and tries to acquire isec->lock. Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com> [PM: minor tweaks to keep checkpatch.pl happy] Signed-off-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Alexander Grund <theflamefire89@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> selinux: Clean up initialization of isec->sclass 2022-08-25T09:09:21Z Andreas Gruenbacher agruenba@redhat.com 2016-11-10T21:18:29Z urn:sha1:ac17e88ff04fcf21330dcdacac2d318a4de83a71 commit 13457d073c29da92001f6ee809075eaa8757fb96 upstream. Now that isec->initialized == LABEL_INITIALIZED implies that isec->sclass is valid, skip such inodes immediately in inode_doinit_with_dentry. For the remaining inodes, initialize isec->sclass at the beginning of inode_doinit_with_dentry to simplify the code. Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com> Signed-off-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Alexander Grund <theflamefire89@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> proc: Pass file mode to proc_pid_make_inode 2022-08-25T09:09:21Z Andreas Gruenbacher agruenba@redhat.com 2016-11-10T21:18:28Z urn:sha1:891160f1661febd279d7c2c64420fc4cadf16a2e commit db978da8fa1d0819b210c137d31a339149b88875 upstream. Pass the file mode of the proc inode to be created to proc_pid_make_inode. In proc_pid_make_inode, initialize inode->i_mode before calling security_task_to_inode. This allows selinux to set isec->sclass right away without introducing "half-initialized" inode security structs. Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com> Signed-off-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Alexander Grund <theflamefire89@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> selinux: Minor cleanups 2022-08-25T09:09:21Z Andreas Gruenbacher agruenba@redhat.com 2016-11-10T21:18:27Z urn:sha1:81000b69e45e8f1ed038b961033cb0170f0d43ad commit 420591128cb206201dc444c2d42fb6f299b2ecd0 upstream. Fix the comment for function __inode_security_revalidate, which returns an integer. Use the LABEL_* constants consistently for isec->initialized. Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com> Signed-off-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Alexander Grund <theflamefire89@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> security,selinux,smack: kill security_task_wait hook 2022-07-29T15:05:44Z Stephen Smalley sds@tycho.nsa.gov 2017-01-10T17:28:32Z urn:sha1:ab83798bd5a38f3c6781a170e0f8cef05df65fd7 commit 3a2f5a59a695a73e0cde9a61e0feae5fa730e936 upstream. As reported by yangshukui, a permission denial from security_task_wait() can lead to a soft lockup in zap_pid_ns_processes() since it only expects sys_wait4() to return 0 or -ECHILD. Further, security_task_wait() can in general lead to zombies; in the absence of some way to automatically reparent a child process upon a denial, the hook is not useful. Remove the security hook and its implementations in SELinux and Smack. Smack already removed its check from its hook. Reported-by: yangshukui <yangshukui@huawei.com> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: Casey Schaufler <casey@schaufler-ca.com> Acked-by: Oleg Nesterov <oleg@redhat.com> Signed-off-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Alexander Grund <theflamefire89@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Fix incorrect type in assignment of ipv6 port for audit 2022-04-20T07:06:38Z Casey Schaufler casey@schaufler-ca.com 2022-02-28T23:45:32Z urn:sha1:8c62a90cd2231124a603c186d33bc91fd7f3bb84 [ Upstream commit a5cd1ab7ab679d252a6d2f483eee7d45ebf2040c ] Remove inappropriate use of ntohs() and assign the port value directly. Reported-by: kernel test robot <lkp@intel.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: Sasha Levin <sashal@kernel.org> selinux: use correct type for context length 2022-04-20T07:06:38Z Christian Göttsche cgzones@googlemail.com 2022-02-17T14:21:25Z urn:sha1:6f7fad6056af08a202cd34e499f214668dae157e [ Upstream commit b97df7c098c531010e445da88d02b7bf7bf59ef6 ] security_sid_to_context() expects a pointer to an u32 as the address where to store the length of the computed context. Reported by sparse: security/selinux/xfrm.c:359:39: warning: incorrect type in arg 4 (different signedness) security/selinux/xfrm.c:359:39: expected unsigned int [usertype] *scontext_len security/selinux/xfrm.c:359:39: got int * Signed-off-by: Christian Göttsche <cgzones@googlemail.com> [PM: wrapped commit description] Signed-off-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Sasha Levin <sashal@kernel.org> TOMOYO: fix __setup handlers return values 2022-04-20T07:06:35Z Randy Dunlap rdunlap@infradead.org 2022-02-22T21:45:33Z urn:sha1:387a8f09c25f344073ac6b5a3a59ddf11df3a8e2 [ Upstream commit 39844b7e3084baecef52d1498b5fa81afa2cefa9 ] __setup() handlers should return 1 if the parameter is handled. Returning 0 causes the entire string to be added to init's environment strings (limited to 32 strings), unnecessarily polluting it. Using the documented strings "TOMOYO_loader=string1" and "TOMOYO_trigger=string2" causes an Unknown parameter message: Unknown kernel command line parameters "BOOT_IMAGE=/boot/bzImage-517rc5 TOMOYO_loader=string1 \ TOMOYO_trigger=string2", will be passed to user space. and these strings are added to init's environment string space: Run /sbin/init as init process with arguments: /sbin/init with environment: HOME=/ TERM=linux BOOT_IMAGE=/boot/bzImage-517rc5 TOMOYO_loader=string1 TOMOYO_trigger=string2 With this change, these __setup handlers act as expected, and init's environment is not polluted with these strings. Fixes: 0e4ae0e0dec63 ("TOMOYO: Make several options configurable.") Signed-off-by: Randy Dunlap <rdunlap@infradead.org> Reported-by: Igor Zhbanov <i.zhbanov@omprussia.ru> Link: https://lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru Cc: James Morris <jmorris@namei.org> Cc: Kentaro Takeda <takedakn@nttdata.co.jp> Cc: tomoyo-dev-en@lists.osdn.me Cc: "Serge E. Hallyn" <serge@hallyn.com> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Sasha Levin <sashal@kernel.org>