linux/security, branch v2.6.25

SELinux: don't BUG if fs reuses a superblock

2008-04-09T22:51:01Z

I (wrongly) assumed that nfs_xdev_get_sb() would not ever share a superblock and so cloning mount options would always be correct. Turns out that isn't the case and we could fall over a BUG_ON() that wasn't a BUG at all. Since there is little we can do to reconcile different mount options this patch just leaves the sb alone and the first set of options wins. Signed-off-by: Eric Paris Acked-by: Stephen Smalley Acked-by: Trond Myklebust Signed-off-by: James Morris

SELinux: more GFP_NOFS fixups to prevent selinux from re-entering the fs code

2008-04-07T22:30:14Z

More cases where SELinux must not re-enter the fs code. Called from the d_instantiate security hook. Signed-off-by: Stephen Smalley Signed-off-by: James Morris

selinux: prevent rentry into the FS

2008-04-03T22:35:05Z

BUG fix. Keep us from re-entering the fs when we aren't supposed to. See discussion at http://marc.info/?t=120716967100004&r=1&w=2 Signed-off-by: Josef Bacik Acked-by: Stephen Smalley Signed-off-by: James Morris

selinux: handle files opened with flags 3 by checking ioctl permission

2008-04-02T05:05:52Z

Handle files opened with flags 3 by checking ioctl permission. Default to returning FILE__IOCTL from file_to_av() if the f_mode has neither FMODE_READ nor FMODE_WRITE, and thus check ioctl permission on exec or transfer, thereby validating such descriptors early as with normal r/w descriptors and catching leaks of them prior to attempted usage. Signed-off-by: Stephen Smalley Acked-by: Eric Paris Signed-off-by: James Morris

smackfs: remove redundant lock, fix open(,O_RDWR)

2008-03-25T02:22:19Z

Older smackfs was parsing MAC rules by characters, thus a need of locking write sessions on open() was needed. This lock is no longer useful now since each rule is handled by a single write() call. This is also a bugfix since seq_open() was not called if an open() O_RDWR flag was given, leading to a seq_read() without an initialized seq_file, thus an Oops. Signed-off-by: Ahmed S. Darwish Reported-by: Jonathan Corbet Acked-by: Casey Schaufler Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds

file capabilities: remove cap_task_kill()

2008-03-20T16:46:36Z

The original justification for cap_task_kill() was as follows: check_kill_permission() does appropriate uid equivalence checks. However with file capabilities it becomes possible for an unprivileged user to execute a file with file capabilities resulting in a more privileged task with the same uid. However now that cap_task_kill() always returns 0 (permission granted) when p->uid==current->uid, the whole hook is worthless, and only likely to create more subtle problems in the corner cases where it might still be called but return -EPERM. Those cases are basically when uids are different but euid/suid is equivalent as per the check in check_kill_permission(). One example of a still-broken application is 'at' for non-root users. This patch removes cap_task_kill(). Signed-off-by: Serge Hallyn Acked-by: Andrew G. Morgan Earlier-version-tested-by: Luiz Fernando N. Capitulino Acked-by: Casey Schaufler Signed-off-by: Linus Torvalds

smack: do not dereference NULL ipc object

2008-03-20T01:53:36Z

In the SYSV ipc msgctl(),semctl(),shmctl() family, if the user passed *_INFO as the desired operation, no specific object is meant to be controlled and only system-wide information is returned. This leads to a NULL IPC object in the LSM hooks if the _INFO flag is given. Avoid dereferencing this NULL pointer in Smack ipc *ctl() methods. Signed-off-by: Ahmed S. Darwish Acked-by: Casey Schaufler Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds

make selinux_parse_opts_str() static

2008-03-17T22:17:22Z

This patch makes the needlessly global selinux_parse_opts_str() static. Signed-off-by: Adrian Bunk Acked-by: Eric Paris Signed-off-by: James Morris

smackfs: do not trust `count' in inodes write()s

2008-03-13T20:11:43Z

Smackfs write() implementation does not put a higher bound on the number of bytes to copy from user-space. This may lead to a DOS attack if a malicious `count' field is given. Assure that given `count' is exactly the length needed for a /smack/load rule. In case of /smack/cipso where the length is relative, assure that `count' does not exceed the size needed for a buffer representing maximum possible number of CIPSO 2.2 categories. Signed-off-by: Ahmed S. Darwish Acked-by: Casey Schaufler Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds

LSM/SELinux: Interfaces to allow FS to control mount options

2008-03-05T21:40:53Z

Introduce new LSM interfaces to allow an FS to deal with their own mount options. This includes a new string parsing function exported from the LSM that an FS can use to get a security data blob and a new security data blob. This is particularly useful for an FS which uses binary mount data, like NFS, which does not pass strings into the vfs to be handled by the loaded LSM. Also fix a BUG() in both SELinux and SMACK when dealing with binary mount data. If the binary mount data is less than one page the copy_page() in security_sb_copy_data() can cause an illegal page fault and boom. Remove all NFSisms from the SELinux code since they were broken by past NFS changes. Signed-off-by: Eric Paris Acked-by: Stephen Smalley Acked-by: Casey Schaufler Signed-off-by: James Morris