- Oct 22, 2021
-
-
Tetsuo Handa authored
syzbot is reporting UAF at cipso_v4_doi_search() [1], for smk_cipso_doi() is calling kfree() without removing from the cipso_v4_doi_list list after netlbl_cfg_cipsov4_map_add() returned an error. We need to use netlbl_cfg_cipsov4_del() in order to remove from the list and wait for RCU grace period before kfree(). Link: https://syzkaller.appspot.com/bug?extid=93dba5b91f0fed312cbd [1] Reported-by:
syzbot <syzbot+93dba5b91f0fed312cbd@syzkaller.appspotmail.com> Signed-off-by:
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Fixes: 6c2e8ac0 ("netlabel: Update kernel configuration API") Signed-off-by:
Casey Schaufler <casey@schaufler-ca.com>
-
Tetsuo Handa authored
syzbot is reporting kernel panic at smk_cipso_doi() due to memory allocation fault injection [1]. The reason for need to use panic() was not explained. But since no fix was proposed for 18 months, for now let's use __GFP_NOFAIL for utilizing syzbot resource on other bugs. Link: https://syzkaller.appspot.com/bug?extid=89731ccb6fec15ce1c22 [1] Reported-by:
syzbot <syzbot+89731ccb6fec15ce1c22@syzkaller.appspotmail.com> Signed-off-by:
-
- Oct 13, 2021
-
-
Casey Schaufler authored
A couple of functions had malformed comment blocks. Namespace parameters were added without updating the comment blocks. These are all repaired in the Smack code, so "% make W=1 security/smack" is warning free. Signed-off-by:
-
- Oct 12, 2021
-
-
Florian Westphal authored
ipv4 and ipv6 hook functions are identical, remove one. Signed-off-by:
Florian Westphal <fw@strlen.de> Signed-off-by:
-
- Sep 28, 2021
-
-
Vishal Goel authored
Currently in "smack_inode_copy_up()" function, process label is changed with the label on parent inode. Due to which, process is assigned directory label and whatever file or directory created by the process are also getting directory label which is wrong label. Changes has been done to use label of overlay inode instead of parent inode. Signed-off-by:
Vishal Goel <vishal.goel@samsung.com> Signed-off-by:
-
- Sep 24, 2021
-
-
Sebastian Andrzej Siewior authored
The mutex smack_ipv6_lock is only used with the SMACK_IPV6_PORT_LABELING block but its definition is outside of the block. This leads to a defined-but-not-used warning on PREEMPT_RT. Moving smack_ipv6_lock down to the block where it is used where it used raises the question why is smk_ipv6_port_list read if nothing is added to it. Turns out, only smk_ipv6_port_check() is using it outside of an ifdef SMACK_IPV6_PORT_LABELING block. However two of three caller invoke smk_ipv6_port_check() from a ifdef block and only one is using __is_defined() macro which requires the function and smk_ipv6_port_list to be around. Put the lock and list inside an ifdef SMACK_IPV6_PORT_LABELING block to avoid the warning regarding unused mutex. Extend the ifdef-block to also cover smk_ipv6_port_check(). Make smack_socket_connect() use ifdef instead of __is_defined() to avoid complains about missing function. Cc: Casey Schaufler <casey@schaufler-ca.com> Cc: James Morris <jmorris@namei.org> Cc: "Serge E. Hallyn" <serge@hallyn.com> Signed-off-by:
Sebastian Andrzej Siewior <bigeasy@linutronix.de> Signed-off-by:
-
- Sep 23, 2021
-
-
Paul Moore authored
Jann Horn reported a problem with commit eb1231f7 ("selinux: clarify task subjective and objective credentials") where some LSM hooks were attempting to access the subjective credentials of a task other than the current task. Generally speaking, it is not safe to access another task's subjective credentials and doing so can cause a number of problems. Further, while looking into the problem, I realized that Smack was suffering from a similar problem brought about by a similar commit 1fb057dc ("smack: differentiate between subjective and objective task credentials"). This patch addresses this problem by restoring the use of the task's objective credentials in those cases where the task is other than the current executing task. Not only does this resolve the problem reported by Jann, it is arguably the correct thing to do in these cases. Cc: stable@vger.kernel.org Fixes: eb1231f7 ("selinux: clarify task subjective and objective credentials") Fixes: 1fb057dc ("smack: differentiate between subjective and objective task credentials") Reported-by:
Jann Horn <jannh@google.com> Acked-by:
Eric W. Biederman <ebiederm@xmission.com> Acked-by:
Paul Moore <paul@paul-moore.com>
-
- Sep 20, 2021
-
-
Casey Schaufler authored
Add Smack privilege checks for io_uring. Use CAP_MAC_OVERRIDE for the override_creds case and CAP_MAC_ADMIN for creating a polling thread. These choices are based on conjecture regarding the intent of the surrounding code. Signed-off-by:
-
- Sep 15, 2021
-
-
Pawan Gupta authored
Syzkaller reported use-after-free bug as described in [1]. The bug is triggered when smk_set_cipso() tries to free stale category bitmaps while there are concurrent reader(s) using the same bitmaps. Wait for RCU grace period to finish before freeing the category bitmaps in smk_set_cipso(). This makes sure that there are no more readers using the stale bitmaps and freeing them should be safe. [1] https://lore.kernel.org/netdev/000000000000a814c505ca657a4e@google.com/ Reported-by:
<syzbot+3f91de0b813cc3d19a80@syzkaller.appspotmail.com> Signed-off-by:
Pawan Gupta <pawan.kumar.gupta@linux.intel.com> Signed-off-by:
-
- Jul 20, 2021
-
-
Austin Kim authored
Mark 'smack_enabled' as __initdata since it is only used during initialization code. Signed-off-by:
Austin Kim <austin.kim@lge.com> Signed-off-by:
-
Tianjia Zhang authored
In the smk_access_entry() function, if no matching rule is found in the rust_list, a negative error code will be used to perform bit operations with the MAY_ enumeration value. This is semantically wrong. This patch fixes this issue. Signed-off-by:
Tianjia Zhang <tianjia.zhang@linux.alibaba.com> Signed-off-by:
-
- Jun 08, 2021
-
-
ChenXiaoSong authored
Fix gcc W=1 warning: security/smack/smack_access.c:342: warning: Function parameter or member 'ad' not described in 'smack_log' security/smack/smack_access.c:403: warning: Function parameter or member 'skp' not described in 'smk_insert_entry' security/smack/smack_access.c:487: warning: Function parameter or member 'level' not described in 'smk_netlbl_mls' security/smack/smack_access.c:487: warning: Function parameter or member 'len' not described in 'smk_netlbl_mls' Signed-off-by:
ChenXiaoSong <chenxiaosong2@huawei.com> Signed-off-by:
-
- May 18, 2021
-
-
Jens Axboe authored
This reverts commit 942cb357. The io_uring PF_IO_WORKER threads no longer have PF_KTHREAD set, so no need to special case them for credential checks. Cc: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by:
Jens Axboe <axboe@kernel.dk> Signed-off-by:
-
- May 10, 2021
-
-
Tetsuo Handa authored
Oops, I failed to update subject line. From 07571157c91b98ce1a4aa70967531e64b78e8346 Mon Sep 17 00:00:00 2001 From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Date: Mon, 12 Apr 2021 22:25:06 +0900 Subject: [PATCH] smackfs: restrict bytes count in smk_set_cipso() Commit 7ef4c19d ("smackfs: restrict bytes count in smackfs write functions") missed that count > SMK_CIPSOMAX check applies to only format == SMK_FIXED24_FMT case. Reported-by:
syzbot <syzbot+77c53db50c9fff774e8e@syzkaller.appspotmail.com> Signed-off-by:
-
Xiong Zhenwu authored
A typo is found out by codespell tool in 383th line of smackfs.c: $ codespell ./security/smack/ ./smackfs.c:383: numer ==> number Fix a typo found by codespell. Signed-off-by:
Xiong Zhenwu <xiong.zhenwu@zte.com.cn> Signed-off-by:
-
- Apr 22, 2021
-
-
Casey Schaufler authored
Move management of the superblock->sb_security blob out of the individual security modules and into the security infrastructure. Instead of allocating the blobs from within the modules, the modules tell the infrastructure how much space is required, and the space is allocated there. Cc: John Johansen <john.johansen@canonical.com> Signed-off-by:
Mickaël Salaün <mic@linux.microsoft.com> Reviewed-by:
Stephen Smalley <stephen.smalley.work@gmail.com> Acked-by:
Serge Hallyn <serge@hallyn.com> Reviewed-by:
Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/20210422154123.13086-6-mic@digikod.net Signed-off-by:
James Morris <jamorris@linux.microsoft.com>
-
- Mar 22, 2021
-
-
Paul Moore authored
With the split of the security_task_getsecid() into subjective and objective variants it's time to update Smack to ensure it is using the correct task creds. Acked-by:
Richard Guy Briggs <rgb@redhat.com> Reviewed-by:
John Johansen <john.johansen@canonical.com> Signed-off-by:
-
Paul Moore authored
Of the three LSMs that implement the security_task_getsecid() LSM hook, all three LSMs provide the task's objective security credentials. This turns out to be unfortunate as most of the hook's callers seem to expect the task's subjective credentials, although a small handful of callers do correctly expect the objective credentials. This patch is the first step towards fixing the problem: it splits the existing security_task_getsecid() hook into two variants, one for the subjective creds, one for the objective creds. void security_task_getsecid_subj(struct task_struct *p, u32 *secid); void security_task_getsecid_obj(struct task_struct *p, u32 *secid); While this patch does fix all of the callers to use the correct variant, in order to keep this patch focused on the callers and to ease review, the LSMs continue to use the same implementation for both hooks. The net effect is that this patch should not change the behavior of the kernel in any way, it will be up to the latter LSM specific patches in this series to change the hook implementations and return the correct credentials. Acked-by: Mimi Zohar <zohar@linux.ibm.com> (IMA) Acked-by:
-
- Feb 03, 2021
-
-
Sabyrzhan Tasbolatov authored
syzbot found WARNINGs in several smackfs write operations where bytes count is passed to memdup_user_nul which exceeds GFP MAX_ORDER. Check count size if bigger than PAGE_SIZE. Per smackfs doc, smk_write_net4addr accepts any label or -CIPSO, smk_write_net6addr accepts any label or -DELETE. I couldn't find any general rule for other label lengths except SMK_LABELLEN, SMK_LONGLABEL, SMK_CIPSOMAX which are documented. Let's constrain, in general, smackfs label lengths for PAGE_SIZE. Although fuzzer crashes write to smackfs/netlabel on 0x400000 length. Here is a quick way to reproduce the WARNING: python -c "print('A' * 0x400000)" > /sys/fs/smackfs/netlabel Reported-by:<syzbot+a71a442385a0b2815497@syzkaller.appspotmail.com> Signed-off-by:
Sabyrzhan Tasbolatov <snovitoll@gmail.com> Signed-off-by:
-
- Jan 24, 2021
-
-
Christian Brauner authored
When interacting with user namespace and non-user namespace aware filesystem capabilities the vfs will perform various security checks to determine whether or not the filesystem capabilities can be used by the caller, whether they need to be removed and so on. The main infrastructure for this resides in the capability codepaths but they are called through the LSM security infrastructure even though they are not technically an LSM or optional. This extends the existing security hooks security_inode_removexattr(), security_inode_killpriv(), security_inode_getsecurity() to pass down the mount's user namespace and makes them aware of idmapped mounts. In order to actually get filesystem capabilities from disk the capability infrastructure exposes the get_vfs_caps_from_disk() helper. For user namespace aware filesystem capabilities a root uid is stored alongside the capabilities. In order to determine whether the caller can make use of the filesystem capability or whether it needs to be ignored it is translated according to the superblock's user namespace. If it can be translated to uid 0 according to that id mapping the caller can use the filesystem capabilities stored on disk. If we are accessing the inode that holds the filesystem capabilities through an idmapped mount we map the root uid according to the mount's user namespace. Afterwards the checks are identical to non-idmapped mounts: reading filesystem caps from disk enforces that the root uid associated with the filesystem capability must have a mapping in the superblock's user namespace and that the caller is either in the same user namespace or is a descendant of the superblock's user namespace. For filesystems that are mountable inside user namespace the caller can just mount the filesystem and won't usually need to idmap it. If they do want to idmap it they can create an idmapped mount and mark it with a user namespace they created and which is thus a descendant of s_user_ns. For filesystems that are not mountable inside user namespaces the descendant rule is trivially true because the s_user_ns will be the initial user namespace. If the initial user namespace is passed nothing changes so non-idmapped mounts will see identical behavior as before. Link: https://lore.kernel.org/r/20210121131959.646623-11-christian.brauner@ubuntu.com Cc: Christoph Hellwig <hch@lst.de> Cc: David Howells <dhowells@redhat.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: linux-fsdevel@vger.kernel.org Reviewed-by:
Christoph Hellwig <hch@lst.de> Acked-by:
Christian Brauner <christian.brauner@ubuntu.com>
-
Tycho Andersen authored
When interacting with extended attributes the vfs verifies that the caller is privileged over the inode with which the extended attribute is associated. For posix access and posix default extended attributes a uid or gid can be stored on-disk. Let the functions handle posix extended attributes on idmapped mounts. If the inode is accessed through an idmapped mount we need to map it according to the mount's user namespace. Afterwards the checks are identical to non-idmapped mounts. This has no effect for e.g. security xattrs since they don't store uids or gids and don't perform permission checks on them like posix acls do. Link: https://lore.kernel.org/r/20210121131959.646623-10-christian.brauner@ubuntu.com Cc: Christoph Hellwig <hch@lst.de> Cc: David Howells <dhowells@redhat.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: linux-fsdevel@vger.kernel.org Reviewed-by:
Tycho Andersen <tycho@tycho.pizza> Signed-off-by:
-
- Dec 22, 2020
-
-
Casey Schaufler authored
Smack assumes that kernel threads are privileged for smackfs operations. This was necessary because the credential of the kernel thread was not related to a user operation. With io_uring the credential does reflect a user's rights and can be used. Suggested-by:
-
- Dec 03, 2020
-
-
Florian Westphal authored
A followup change to tcp_request_sock_op would have to drop the 'const' qualifier from the 'route_req' function as the 'security_inet_conn_request' call is moved there - and that function expects a 'struct sock *'. However, it turns out its also possible to add a const qualifier to security_inet_conn_request instead. Signed-off-by:
Jakub Kicinski <kuba@kernel.org>
-
- Nov 17, 2020
-
-
Alex Shi authored
This varible isn't used and can be removed to avoid a gcc warning: security/smack/smack_lsm.c:3873:6: warning: variable ‘rc’ set but not used [-Wunused-but-set-variable] Signed-off-by:
Alex Shi <alex.shi@linux.alibaba.com> Cc: Casey Schaufler <casey@schaufler-ca.com> Cc: James Morris <jmorris@namei.org> Cc: "Serge E. Hallyn" <serge@hallyn.com> Cc: linux-security-module@vger.kernel.org Cc: linux-kernel@vger.kernel.org Signed-off-by:
-
- Nov 13, 2020
-
-
Alex Shi authored
The are some kernel-doc interface issues: security/smack/smackfs.c:1950: warning: Function parameter or member 'list' not described in 'smk_parse_label_list' security/smack/smackfs.c:1950: warning: Excess function parameter 'private' description in 'smk_parse_label_list' security/smack/smackfs.c:1979: warning: Function parameter or member 'list' not described in 'smk_destroy_label_list' security/smack/smackfs.c:1979: warning: Excess function parameter 'head' description in 'smk_destroy_label_list' security/smack/smackfs.c:2141: warning: Function parameter or member 'count' not described in 'smk_read_logging' security/smack/smackfs.c:2141: warning: Excess function parameter 'cn' description in 'smk_read_logging' security/smack/smackfs.c:2278: warning: Function parameter or member 'format' not described in 'smk_user_access' Correct them in this patch. Signed-off-by:
-
- Oct 05, 2020
-
-
Casey Schaufler authored
The initialization of rc in smack_from_netlbl() is pointless. Reported-by:
kernel test robot <lkp@intel.com> Signed-off-by:
-
- Sep 22, 2020
-
-
Casey Schaufler authored
Use proper conditional compilation for the secmark field in the network skb. Reported-by:
-
- Sep 11, 2020
-
-
Casey Schaufler authored
Utilize the Netlabel cache mechanism for incoming packet matching. Refactor the initialization of secattr structures, as it was being done in two places. Signed-off-by: -
Casey Schaufler authored
Refactor the IP send checks so that the netlabel value is set only when necessary, not on every send. Some functions get renamed as the changes made the old name misleading. Signed-off-by: -
Casey Schaufler authored
Add a function smack_from_skb() that returns the Smack label identified by a network secmark. Replace the explicit uses of the secmark with this function. Signed-off-by:
-
- Aug 23, 2020
-
-
Gustavo A. R. Silva authored
Replace the existing /* fall through */ comments and its variants with the new pseudo-keyword macro fallthrough[1]. Also, remove unnecessary fall-through markings when it is the case. [1] https://www.kernel.org/doc/html/v5.7/process/deprecated.html?highlight=fallthrough#implicit-switch-case-fall-through Signed-off-by:
Gustavo A. R. Silva <gustavoars@kernel.org>
-
- Jul 27, 2020
-
-
Dan Carpenter authored
We have an upper bound on "maplevel" but forgot to check for negative values. Fixes: e114e473 ("Smack: Simplified Mandatory Access Control Kernel") Signed-off-by:
Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by:
-
Dan Carpenter authored
This is similar to commit 84e99e58 ("Smack: slab-out-of-bounds in vsscanf") where we added a bounds check on "rule". Reported-by:
<syzbot+a22c6092d003d6fe1122@syzkaller.appspotmail.com> Fixes: f7112e6c ("Smack: allow for significantly longer Smack labels v4") Signed-off-by:
-
- Jul 14, 2020
-
-
Eric Biggers authored
smk_write_relabel_self() frees memory from the task's credentials with no locking, which can easily cause a use-after-free because multiple tasks can share the same credentials structure. Fix this by using prepare_creds() and commit_creds() to correctly modify the task's credentials. Reproducer for "BUG: KASAN: use-after-free in smk_write_relabel_self": #include <fcntl.h> #include <pthread.h> #include <unistd.h> static void *thrproc(void *arg) { int fd = open("/sys/fs/smackfs/relabel-self", O_WRONLY); for (;;) write(fd, "foo", 3); } int main() { pthread_t t; pthread_create(&t, NULL, thrproc, NULL); thrproc(NULL); } Reported-by:<syzbot+e6416dabb497a650da40@syzkaller.appspotmail.com> Fixes: 38416e53 ("Smack: limited capability for changing process label") Cc: <stable@vger.kernel.org> # v4.4+ Signed-off-by:
Eric Biggers <ebiggers@google.com> Signed-off-by:
-
- May 20, 2020
-
-
Eric W. Biederman authored
Today security_bprm_set_creds has several implementations: apparmor_bprm_set_creds, cap_bprm_set_creds, selinux_bprm_set_creds, smack_bprm_set_creds, and tomoyo_bprm_set_creds. Except for cap_bprm_set_creds they all test bprm->called_set_creds and return immediately if it is true. The function cap_bprm_set_creds ignores bprm->calld_sed_creds entirely. Create a new LSM hook security_bprm_creds_for_exec that is called just before prepare_binprm in __do_execve_file, resulting in a LSM hook that is called exactly once for the entire of exec. Modify the bits of security_bprm_set_creds that only want to be called once per exec into security_bprm_creds_for_exec, leaving only cap_bprm_set_creds behind. Remove bprm->called_set_creds all of it's former users have been moved to security_bprm_creds_for_exec. Add or upate comments a appropriate to bring them up to date and to reflect this change. Link: https://lkml.kernel.org/r/87v9kszrzh.fsf_-_@x220.int.ebiederm.org Acked-by:
Linus Torvalds <torvalds@linux-foundation.org> Acked-by: Casey Schaufler <casey@schaufler-ca.com> # For the LSM and Smack bits Reviewed-by:
-
- May 19, 2020
-
-
David Howells authored
Implement the watch_key security hook in Smack to make sure that a key grants the caller Read permission in order to set a watch on a key. Also implement the post_notification security hook to make sure that the notification source is granted Write permission by the watch queue. For the moment, the watch_devices security hook is left unimplemented as it's not obvious what the object should be since the queue is global and didn't previously exist. Signed-off-by:
David Howells <dhowells@redhat.com> Acked-by:
-
David Howells authored
Since the meaning of combining the KEY_NEED_* constants is undefined, make it so that you can't do that by turning them into an enum. The enum is also given some extra values to represent special circumstances, such as: (1) The '0' value is reserved and causes a warning to trap the parameter being unset. (2) The key is to be unlinked and we require no permissions on it, only the keyring, (this replaces the KEY_LOOKUP_FOR_UNLINK flag). (3) An override due to CAP_SYS_ADMIN. (4) An override due to an instantiation token being present. (5) The permissions check is being deferred to later key_permission() calls. The extra values give the opportunity for LSMs to audit these situations. [Note: This really needs overhauling so that lookup_user_key() tells key_task_permission() and the LSM what operation is being done and leaves it to those functions to decide how to map that onto the available permits. However, I don't really want to make these change in the middle of the notifications patchset.] Signed-off-by:
-
- May 11, 2020
-
-
YueHaibing authored
commit a269434d ("LSM: separate LSM_AUDIT_DATA_DENTRY from LSM_AUDIT_DATA_PATH") left behind this, remove it. Signed-off-by:
YueHaibing <yuehaibing@huawei.com> Signed-off-by:
-
- May 06, 2020
-
-
Casey Schaufler authored
The inode_smack cache is no longer used. Remove it. Signed-off-by:
-
Casey Schaufler authored
"smk_lock" mutex is used during inode instantiation in smack_d_instantiate()function. It has been used to avoid simultaneous access on same inode security structure. Since smack related initialization is done only once i.e during inode creation. If the inode has already been instantiated then smack_d_instantiate() function just returns without doing anything. So it means mutex lock is required only during inode creation. But since 2 processes can't create same inodes or files simultaneously. Also linking or some other file operation can't be done simultaneously when the file is getting created since file lookup will fail before dentry inode linkup which is done after smack initialization. So no mutex lock is required in inode_smack structure. It will save memory as well as improve some performance. If 40000 inodes are created in system, it will save 1.5 MB on 32-bit systems & 2.8 MB on 64-bit systems. Signed-off-by:
Amit Sahrawat <a.sahrawat@samsung.com> Signed-off-by:
-
