| Age | Commit message | Author |
|
This patch should fix the avc_alloc_node() oom condition that Andrew
reported when no policy is loaded in SELinux.
Prior to this patch, when no policy was loaded, the SELinux "security
server" (policy engine) was only returning allowed decisions for the
requested permissions for each access check. This caused the cache to
thrash when trying to use SELinux for real work with no policy loaded
(typically, the no policy loaded state is only for bootstrapping to the
point where we can load an initial policy).
This patch changes the SELinux security server to return the complete
allowed access vector at once, and then to reset the cache after the
initial policy load to flush the initial cache state created during
bootstrapping.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
This patch provides finer grained permissions for the audit family of
Netlink sockets under SELinux.
1. We need a way to differentiate between privileged and unprivileged
reads of kernel data maintained by the audit subsystem. The AUDIT_GET
operation is unprivileged: it returns the current status of the audit
subsystem (e.g. whether it's enabled etc.). The AUDIT_LIST operation
however returns a list of the current audit ruleset, which is considered
privileged by the audit folk. To deal with this, a new SELinux
permission has been implemented and applied to the operation:
nlmsg_readpriv, which can be allocated to appropriately privileged
domains. Unprivileged domains would only be allocated nlmsg_read.
2. There is a requirement for certain domains to generate audit events
from userspace. These events need to be collected by the kernel,
collated and transmitted sequentially back to the audit daemon. An
example is user level login, an auditable event under CAPP, where
login-related domains generate AUDIT_USER messages via PAM which are
relayed back to auditd via the kernel. To prevent handing out
nlmsg_write permissions to such domains, a new permission has been
added, nlmsg_relay, which is intended for this type of purpose: data is
passed via the kernel back to userspace but no privileged information is
written to the kernel.
Also, AUDIT_LOGIN messages are now valid only for kernel->user messaging,
so this value has been removed from the SELinux nlmsgtab (which is only
used to check user->kernel messages).
Signed-off-by: James Morris <jmorris@redhat.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
This patch removes the sclass argument from ipc_has_perm in the SELinux
module, as it can be obtained from the ipc security structure. The use of
a separate argument was a legacy of the older precondition function
handling in SELinux and is obsolete. Please apply.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
The SELinux hooks invoke ipv6_skip_exthdr() with an incorrect
length final argument. However, the length argument turns out
to be superfluous.
I was just reading ipv6_skip_exthdr and it occurred to me that we can
get rid of len altogether. The only place where len is used is to
check whether the skb has two bytes for ipv6_opt_hdr. This check
is done by skb_header_pointer/skb_copy_bits anyway.
Now it might appear that we've made the code slower by deferring
the check to skb_copy_bits. However, this check should not trigger
in the common case so this is OK.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
This fixes a deadlock on the dcache lock detected during testing at IBM
by moving the logging of the current executable information from the
SELinux avc_audit function to audit_log_exit (via an audit_log_task_info
helper) for processing upon syscall exit.
For consistency, the patch also removes the logging of other
task-related information from avc_audit, deferring handling to
audit_log_exit instead.
This allows simplification of the avc_audit code, allows the exe
information to be obtained more reliably, always includes the comm
information (useful for scripts), and avoids including bogus task
information for checks performed from irq or softirq.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
This patch adds SELinux support for the KOBJECT_UEVENT Netlink family, so
that SELinux can apply finer grained controls to it. For example, security
policy for hald can be locked down to the KOBJECT_UEVENT Netlink family
only. Currently, this family simply defaults to the default Netlink socket
class.
Note that some new permission definitions are added to sync with changes in
the core userspace policy package, which auto-generates header files.
Signed-off-by: James Morris <jmorris@redhat.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
This patch fixes a bug in the SELinux Netlink message type detection code,
where the wrong constant was being used in a case statement. The incorrect
value is not valid for this class of object so it would not have been
reached, and would have fallen through to a default handler for all Netlink messages.
Signed-off-by: James Morris <jmorris@redhat.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
This patch against -bk eliminates the use of i_sock by SELinux as it
appears to have been removed recently, breaking the build of SELinux in
-bk. Simply replacing the i_sock test with an S_ISSOCK test would be
unsafe in the SELinux code, as the latter will also return true for the
inodes of socket files in the filesystem, not just the actual socket
objects IIUC. Hence this patch reworks the SELinux code to avoid the
need to apply such a test in the first place, part of which was
obsoleted anyway by earlier changes to SELinux. Please apply.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
This patch adds a name_connect permission check to SELinux to provide
control over outbound TCP connections to particular ports distinct from the
general controls over sending and receiving packets.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
This patch changes SELinux to audit any unrecognized netlink messages in
controlled classes rather than silently rejecting them, and to allow them
if in permissive mode. Please apply.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
This patch alters the SELinux handling of inodes with invalid security
contexts so that a filesystem with a root inode that has an invalid
security context can still be mounted for administrative recovery without
disabling SELinux altogether.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
This patch from Adrian Bunk makes needlessly global code static and removes
a number of unused global and static functions from SELinux. Please apply.
Author: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
security/built-in.o(.text+0xe2fc): In function `selinux_socket_bind':
: undefined reference to `sysctl_local_port_range'
Acked-by: James Morris <jmorris@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
This is a megarollup of ~60 patches which give various things static scope.
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
The attached patch causes process and session keyrings to be shared
properly when CLONE_THREAD is in force. It does this by moving the keyring
pointers into struct signal_struct[*].
[*] I have a patch to rename this to struct thread_group that I'll revisit
after the advent of 2.6.11.
Furthermore, once this patch is applied, process keyrings will no longer be
allocated at fork, but will instead only be allocated when needed.
Allocating them at fork was a way of half getting around the sharing across
threads problem, but that's no longer necessary.
This revision of the patch has the documentation changes patch rolled into it
and no longer abstracts the locking for signal_struct into a pair of macros.
Signed-Off-By: David Howells <dhowells@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
I looked at some of the oops reports against keyrings, I think the problem
is that the search isn't restarted after dropping the key_user_lock, *p
will still be NULL when we get back to try_again and look through the tree.
It looks like the intention was that the search start over from scratch.
Signed-off-by: Alexander Nyberg <alexn@dsv.su.se>
Cc: David Howells <dhowells@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
This patch changes the selinux_setprocattr hook function (which handles
writes to nodes in the /proc/pid/attr directory) to ignore an optional
terminating newline at the end of the value, and to handle a value
beginning with a newline or a null in the same manner as a zero length
value (clearing the attribute for the process and resetting it to use the
default policy behavior). This change is to address the divergence from
POSIX in the existing API, as POSIX says that write(2) with a zero count
will return zero with no other effect, as well as to simplify use of the
API from scripts (although that isn't recommended).
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
This patch adds a reqprot parameter to the security_file_mmap and
security_file_mprotect hooks that is the original requested protection
value prior to any modification for read-implies-exec, and changes the
SELinux module to allow a mode of operation (controllable via a
checkreqprot setting) where it applies checks based on that protection
value rather than the protection that will be applied by the kernel,
effectively restoring SELinux's original behavior prior to the introduction
of the read-implies-exec logic in the mainline kernel. The patch also
disables execmem and execmod checking entirely on PPC32, as the PPC32 ELF
ABI presently requires RWE segments per Ulrich Drepper.
At present, the read-implies-exec logic causes SELinux to see every
mmap/mprotect read request by legacy binaries or binaries marked with
PT_GNU_STACK RWE as a read|execute request, which tends to distort policy
even if it reflects what is ultimately possible. The checkreqprot setting
allows one to set the desired behavior for SELinux, so either the current
behavior or the original behavior is possible. The checkreqprot value has
a compile-time configurable default value and can also be set via boot
parameter or at runtime via /selinux/checkreqprot if allowed by policy.
Thanks to Chris Wright, James Morris, and Colin Walters for comments on an
earlier version of the patch.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
This patch replaces the original experimental Multi-Level Security (MLS)
implementation in SELinux with an enhanced MLS implementation contributed
by Trusted Computer Solutions (TCS).
The enhanced MLS implementation replaces the hardcoded MLS logic with a
flexible constraint-based system and replaces the compile-time option for
MLS support with a policy load-time enable based on whether MLS support was
enabled in the policy when it was built.
The latter change allows a single kernel and policy toolchain to support
both MLS and non-MLS policies. Compatibility is still provided as usual
for existing policies.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
POSIX requires that the RLIMIT_CPU resource limit that generates SIGXCPU be
counted on a per-process basis. Currently, Linux implements this for
individual threads. This patch fixes the semantics to conform with POSIX.
The essential machinery for the process CPU limit is tied into the new
posix-timers code for process CPU clocks and timers.
Signed-off-by: Roland McGrath <roland@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
This patch applies the IS_PRIVATE test to the selinux internal inode loop.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
The 'bad' label will call a function that unconditionally dereferences the
NULL pointer.
Found by the Coverity tool.
Signed-off-by: Alexander Nyberg <alexn@dsv.su.se>
Acked-by: James Morris <jmorris@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
There's a leak here in the first error path.
Found by the Coverity tool.
Signed-off-by: Alexander Nyberg <alexn@dsv.su.se>
Acked-by: James Morris <jmorris@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
The attached patch makes keyctl() use the correct argument when invoking
the KEYCTL_JOIN_SESSION_KEYRING function.
I'm not sure how this evaded testing before, but I suspect the compiler was
kind and made both argument registers hold the same value.
Thanks to Kevin Coffman <kwc@citi.umich.edu> for spotting this.
Signed-Off-By: David Howells <dhowells@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
This fixes the selinux_inode_setattr hook function to honor the ATTR_FORCE
flag, skipping any permission checking in that case. Otherwise, it is
possible though unlikely for a denial from the hook to prevent proper
updating, e.g. for remove_suid upon writing to a file. This would only
occur if the process had write permission to a suid file but lacked setattr
permission to it.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
This patch changes SELinux to display any permission values that could not
be mapped to names as a hex value when generating an audit message.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
This patch regenerates the SELinux module headers to define the execmod
permission for character device files in order to provide proper auditing
of such checks on /dev/zero.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
Use the new lock initializers DEFINE_SPIN_LOCK and DEFINE_RW_LOCK
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
This patch adds Netlink message types related to the TC action code,
allowing finer grained SELinux control of this.
Author: jamal <hadi@cyberus.ca>
Signed-off-by: James Morris <jmorris@redhat.com>
Signed-off-by: Stephen Smalley <sds@epoch.ncsc.mil>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
The audit control messages are sent over netlink. Permission checks are
done on the process receiving the message, which may not be the same as the
process sending the message. This patch switches the netlink_send security
hooks to calculate the effective capabilities based on the sender. Then
audit_receive_msg performs capability checks based on that.
It also introduces the CAP_AUDIT_WRITE and CAP_AUDIT_CONTROL capabilities,
and replaces the previous CAP_SYS_ADMIN checks in audit code with the
appropriate checks.
- Simplified dummy_netlink_send given that dummy now keeps track of
capabilities.
- Many fixes based on feedback from <linux-audit@redhat.com> list.
- Removed the netlink_msg_type helper function.
- Switch to using CAP_AUDIT_WRITE and CAP_AUDIT_CONTROL.
Signed-off-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: Stephen Smalley <sds@epoch.ncsc.mil>
Signed-off-by: Chris Wright <chrisw@osdl.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
Here are some Kconfig fixes:
- typo fixes
- unused token removal (empty or duplicated 'help')
- non-ASCII character replacements
- e-mail address and URL format corrections
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
This patch fixes a different bug in the code for SELinux policy loading.
It ensures that the loaded policy version number is not updated until the
new policy is successfully committed. It also fixes the type on the loaded
policy version.
Signed-off-by: Stephen Smalley <sds@epoch.ncsc.mil>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
This patch fixes several bugs in the error handling code for SELinux policy
loading that were introduced by my earlier patch to eliminate unaligned
accesses by that code.
Signed-off-by: Stephen Smalley <sds@epoch.ncsc.mil>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
*** Warning: "crypto_free_tfm" [security/seclvl.ko] undefined!
*** Warning: "crypto_alloc_tfm" [security/seclvl.ko] undefined!
*** Warning: "crypto_unregister_alg" [crypto/sha1.ko] undefined!
*** Warning: "crypto_register_alg" [crypto/sha1.ko] undefined!
Signed-off-by: Akinobu Mita <amgta@yacht.ocn.ne.jp>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
The vm_enough_memory functionality was replicated in three separate places,
and not always kept in sync. It also used capable() for authorization checks.
This caused any process which ends up checking for this permission to have
PF_SUPERPRIV set (inappropriately), and caused poor dependencies between
stacked modules, since each LSM was generically asked to moderate
capable(CAP_SYS_ADMIN) without knowing why.
Signed-off-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: Chris Wright <chrisw@osdl.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
The following patch splits bprm_apply_creds into two functions,
bprm_apply_creds and bprm_post_apply_creds. The latter is called after the
task_lock has been dropped. Without this patch, SELinux must drop the
task_lock and re-acquire it during apply_creds, making the 'unsafe' flag
meaningless to any later security modules. Please apply.
Signed-off-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: Stephen Smalley <sds@epoch.ncsc.mil>
Signed-off-by: Chris Wright <chrisw@osdl.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
This patch rewrites the SELinux next_entry() function and all callers to
copy entry data from the binary policy into properly aligned buffers,
eliminating unaligned accesses. This patch is in response to a bug report
from Prarit Bhargava for SELinux and ia64, and he has confirmed that this
patch eliminates the unaligned access warnings.
Signed-off-by: Stephen Smalley <sds@epoch.ncsc.mil>
Signed-off-by: James Morris <jmorris@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
This patch adds a member node to selinuxfs to export the security_member_sid
interface to userspace for obtaining security polyinstantiation decisions.
Signed-off-by: Stephen Smalley <sds@epoch.ncsc.mil>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
This patch adds new permission checks to the SELinux mmap and mprotect hooks
to enable control over the ability to make executable a mapping that can
contain data not covered by the existing file-based permission checks.
The task->self execmem permission controls the ability to create an executable
anonymous mapping or a writable executable private file mapping. The
task->file execmod permission controls the ability to make executable a
previously written private file mapping, e.g. for text relocations. Thanks
to Roland McGrath for input and feedback on earlier versions of this patch.
Signed-off-by: Stephen Smalley <sds@epoch.ncsc.mil>
Signed-off-by: James Morris <jmorris@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
This patch adds dynamic context transition support to SELinux via writes
to the existing /proc/pid/attr/current interface.
Previously, SELinux only supported exec-based context transitions. This
functionality allows privileged applications to apply privilege bracketing
without necessarily being refactored to an exec-based model (although such a
model has advantages in least privilege and isolation).
A process must have setcurrent permission to use this mechanism at all, and
the dyntransition permission must be granted between the old and new security
contexts. Multi-threaded processes are not allowed to use this operation, as
it will yield an inconsistency among the security contexts of the threads
sharing the same mm.
Ptrace permission is revalidated against the new context if the process is
being ptraced.
Author: Darrel Goeddel <dgoeddel@trustedcs.com>
Signed-off-by: Stephen Smalley <sds@epoch.ncsc.mil>
Signed-off-by: James Morris <jmorris@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
This patch ensures that the comm is included in the audit message if avc_audit
is unable to determine the exe due to the mmap_sem being held. This is
helpful in tracking down the causes of permission denials that occur in the
mmap/mprotect hooks.
Signed-off-by: Stephen Smalley <sds@epoch.ncsc.mil>
Signed-off-by: James Morris <jmorris@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
This patch updates the selinux_task_setscheduler hook function to use the
standard helper for task permission checks since it is now safe to audit from
this hook (due to the upstream change to setscheduler() to not hold the
runqueue lock during the security hook call).
Signed-off-by: Stephen Smalley <sds@epoch.ncsc.mil>
Signed-off-by: James Morris <jmorris@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
This patch regenerates the SELinux module headers to use a new format and
updates their use by the AVC.
Signed-off-by: Stephen Smalley <sds@epoch.ncsc.mil>
Signed-off-by: James Morris <jmorris@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
This patch adds an selinuxfs based API to the AVC, to allow monitoring of
the cache, and tuning of the cache size. The latter is mediated via the
new setsecparam permission.
AVC statistics may be monitored via the avcstat utility:
http://people.redhat.com/jmorris/selinux/perf/avcstat.c
Signed-off-by: James Morris <jmorris@redhat.com>
Signed-off-by: Stephen Smalley <sds@epoch.ncsc.mil>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
Atomic underflow debugging in this kernel exposed a bug in the AVC RCU
code, fix below. The effect of this bug would be delayed node reclamation.
Signed-off-by: James Morris <jmorris@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
The following patch improves the scalability of SELinux by replacing the
global avc_lock with an RCU based scheme by Kaigai Kohei. The size of the
cache is made tunable, to allow administrators to tune systems for different
workloads, while statistics are exported via selinuxfs to allow AVC
performance to be monitored at a low level.
AVC nodes are also allocated now via a slab cache, and AVC references have
been removed from the code.
This code has been extensively tested and benchmarked (see benchmark results
below). Baseline performance is not improved, although it is clear that
dramatic scalability improvements are achieved.
Baseline performance and networking scalability are areas where work is
ongoing (in particular, we need to add caching of some network security
objects so that we don't fall back to policy database lookups on each
permission call).
Benchmark results:
===============================================================================================
System: 4 node 16-way IA64 NUMA
- 'Stream' is based on http://www.cs.virginia.edu/stream/ , HPC memory bandwidth test,
higher result is better.
- Hackbench: scheduler scalability benchmark by Rusty, lower is better.
Standard kernel:
2.6.9-1.648_EL SELINUX=0 : Stream 6159.987MB/s HackBench 53.144
2.6.9-1.648_EL SELINUX=1 : Stream 5872.529MB/s HackBench 1043.132
Kernel with RCU/AVC patches:
2.6.9-1.689_avcrcu.root SELINUX=0 : Stream 8829.647MB/s HackBench 53.976
2.6.9-1.689_avcrcu.root SELINUX=1 : Stream 8817.117MB/s HackBench 50.975
===============================================================================================
System: 8-way PIII 900MHz Xeon with 9GB RAM
Filesystem: ext2 for all testing.
Notes:
AVC was reset before tests, so avc was flushed.
System was run in enforcing mode.
Key:
std-nolsm: standard kernel with LSM disabled
std-lsmcap: standard kernel with LSM enabled, capabilities LSM
std-sel-strict: standard kernel with SELinux enabled, capabilities secondary LSM
rcu-sel-strict: as above with RCU & AVC stats patches
|
|
There is really no point in each task_struct having its own waitchld_exit.
In the only use of it, the waitchld_exit of each thread in a group gets
woken up at the same time. So, there might as well just be one wait queue
for the whole thread group. This patch does that by moving the field from
task_struct to signal_struct. It should have no effect on the behavior,
but saves a little work and a little storage in the multithreaded case.
Signed-off-by: Roland McGrath <roland@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
The attached patch makes it possible to support gp-rel addressing for small
variables. Since the FR-V CPUs have fixed-length instructions and plenty of
general-purpose registers, one register is nominated as a base for the small
data area. This makes it possible to use single-insn accesses to access
global and static variables instead of having to use multiple instructions.
This, however, causes problems with small variables used to pinpoint the
beginning and end of sections. The compiler assumes it can use gp-rel
addressing for these, but the linker then complains because the displacement
is out of range.
By declaring certain variables as arrays or by forcing them into named
sections, the compiler is persuaded to access them as if they can be outside
the displacement range. Declaring the variables as "const void" type also
works.
Signed-Off-By: David Howells <dhowells@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
The attached patch removes checks from kernel/capability.c which are
redundant with cap_capset_check() code, and moves the capset_check() calls
to immediately before the capset_set() calls. This allows capset_check()
to accurately check the setter's permission to set caps on the target.
Please apply.
Signed-off-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: Chris Wright <chrisw@osdl.org>
Signed-off-by: Stephen Smalley <sds@epoch.ncsc.mil>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|
|
OK, somehow I managed to botch this one. It happens to work fine, but I
should have been more careful with forward porting this 1+ year old patch.
The exec-time calc should go in bprm_apply_creds, not bprm_free_security.
Thanks to Stephen for spotting my mistake.
Signed-off-by: Chris Wright <chrisw@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
|