for cap_task_setnice() instead
>
> Signed-off-by: Randy Dunlap
> Cc: Serge Hallyn
> Cc: James Morris
> Cc: linux-security-mod...@vger.kernel.org
Applied to
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git
fixes-v5.12
--
James Morris
I've added this to my tree at:
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git
landlock_lsm_v33
and merged that into the next-testing branch which is pulled into Linux
next.
--
James Morris
t;option" with "flag" in hook_sb_mount() comment.
Good to see these changes.
Al: any further comments now on this patch?
--
James Morris
foo;
> > + struct integrity_iint_cache *iint = (struct integrity_iint_cache
> > *)foo;
> >
> >memset(iint, 0, sizeof(*iint));
> >iint->ima_file_status = INTEGRITY_UNKNOWN;
>
--
James Morris
ate NULL check to tell gcc about it as well.
>
> Signed-off-by: Arnd Bergmann
Applied to
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git
fixes-v5.12
--
James Morris
? The code is in the repo and discussions can
easily be found by searching for subjects or message IDs.
Is anyone else doing this self linking?
--
James Morris
during that time will be helpful.
--
James Morris
> This commit adds a minimal set of supported filesystem access-control
> which doesn't enable to restrict all file-related actions.
It would be great to get some more review/acks on this patch, particularly
from VFS/FS folk.
--
James Morris
mmit
#linuxsecuritysummit
PROGRAM COMMITTEE
The program committee for LSS 2021 is:
* James Morris, Microsoft
* Serge Hallyn, Cisco
* Paul Moore, Cisco
* Stephen Smalley, NSA
* Elena Reshetova, Intel
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, I
ling list when modifying
capabilities or other LSM-related things.
--
James Morris
Guillemet
Acked-by: Casey Schaufler
Signed-off-by: Serge Hallyn
Signed-off-by: Andrew G. Morgan
Signed-off-by: James Morris
diff --git a/include/linux/security.h b/include/linux/security.h
index 0a0a03b36a3b..2befc0a25eb3 100644
--- a/include/linux/security.h
+++ b/include/linux/
> can skip this check by presenting benign flags first and then overwriting
> them to non-benign flags.
Is this a security bug which should be fixed in stable?
--
James Morris
ed to do anyway.
>
> Signed-off-by: Miklos Szeredi
Acked-by: James Morris
--
James Morris
s-5.10
and next-testing
--
James Morris
0644
> > > --- a/include/linux/security.h
> > > +++ b/include/linux/security.h
> > > @@ -869,7 +869,7 @@ static inline int security_inode_killpriv(struct
> > > dentry *dentry)
> > >
> > > static inline int security_inode_getsecurity(struct inode *inode, const
> > > char *name, void **buffer, bool alloc)
> > > {
> > > - return -EOPNOTSUPP;
> > > + return cap_inode_getsecurity(inode, name, buffer, alloc);
> > > }
> > >
> > > static inline int security_inode_setsecurity(struct inode *inode, const
> > > char *name, const void *value, size_t size, int flags)
> > > --
> > > 2.25.1
> > >
> > >
>
--
James Morris
On Sat, 21 Nov 2020, Jann Horn wrote:
> On Thu, Nov 12, 2020 at 9:52 PM Mickaël Salaün wrote:
> > This documentation can be built with the Sphinx framework.
> >
> > Cc: James Morris
> > Cc: Jann Horn
> > Cc: Kees Cook
> > Cc: Serge E. Hallyn
> >
to detect a competent
attack. Is that correct?
--
James Morris
On Tue, 17 Nov 2020, Andrew G. Morgan wrote:
> Signed-off-by: Andrew G. Morgan
This should be Acked-by or Reviewed-by, unless this is your patch, or it
came via your tree.
--
James Morris
hon 3.7"
Wrong bug ID?
--
James Morris
ame, void **buffer, bool alloc)
> {
> - return -EOPNOTSUPP;
> + return cap_inode_getsecurity(inode, name, buffer, alloc);
> }
>
> static inline int security_inode_setsecurity(struct inode *inode, const char
> *name, const void *value, size_t size, int flags)
>
--
James Morris
On Thu, 12 Nov 2020, Mickaël Salaün wrote:
> Cc: James Morris
> Cc: Jann Horn
> Cc: Kees Cook
> Cc: Serge E. Hallyn
> Signed-off-by: Mickaël Salaün
> ---
>
> Changes since v23:
> * Always intersect access rights. Following the filesystem change
> lo
On Wed, 11 Nov 2020, Mickaël Salaün wrote:
> Improve comments and make get_inode_object() more readable. The kfree()
> call is correct but we should mimimize as much as possible lock windows.
>
> Cc: James Morris
> Cc: Jann Horn
> Cc: Serge E. Hallyn
> Signed-o
me in. I'll drop
the previous patchset from my tree and wait until the latest code is fully
reviewed.
Fundamental locking issues and similar should be worked out before
submitting for mainline merge.
--
James Morris
| 34 ++---
> security/landlock/syscall.c| 24 ++--
> tools/testing/selftests/landlock/fs_test.c | 140 +++--
> 8 files changed, 239 insertions(+), 73 deletions(-)
>
>
> base-commit: 96b3198c4025c11347651700b77e45a686d78553
>
--
James Morris
0 +627,8 @@ nfqnl_build_packet_message(struct net *net, struct
> > nfqnl_instance *queue,
> > }
> >
> > nlh->nlmsg_len = skb->len;
> > - if (seclen) {
> > - lsmcontext_init(, secdata, seclen, 0);
> > - security_release_secctx();
> > - }
> > + if (context.len)
> > + security_release_secctx();
> > return skb;
> >
> > nla_put_failure:
> > @@ -643,10 +636,8 @@ nfqnl_build_packet_message(struct net *net, struct
> > nfqnl_instance *queue,
> > kfree_skb(skb);
> > net_err_ratelimited("nf_queue: error creating packet message\n");
> > nlmsg_failure:
> > - if (seclen) {
> > - lsmcontext_init(, secdata, seclen, 0);
> > - security_release_secctx();
> > - }
> > + if (context.len)
> > + security_release_secctx();
> > return NULL;
> > }
> >
> > --
> > 2.24.1
> >
>
--
James Morris
mary maintainers on the
To: line or they may miss the email.
--
James Morris
ng back a secid.
> The infrastructure passes the correct entry from the lsmblob.
>
> Signed-off-by: Casey Schaufler
> Cc: net...@vger.kernel.org
You probably need to include Netfilter maintainers specifically for this
(added them + the Netfilter list).
This also needs signoffs from LSM owners.
--
James Morris
o linux-next).
Please make any further changes against the branch in my tree.
--
James Morris
t; > [...]
>
> What tree should these changes go to?
>
Mine, but more signoffs/acks are required.
> Is there anyone else who is not on the recipient list but still might
> be interested in the series?
>
--
James Morris
the modules
> tell the infrastructure how much space is required, and the space is
> allocated there.
>
> Cc: Kees Cook
> Cc: John Johansen
> Signed-off-by: Casey Schaufler
> Signed-off-by: Mickaël Salaün
> Reviewed-by: Stephen Smalley
It would be good to see review from JJ here.
--
James Morris
y Landlock to release (ephemerally) tagged
> struct inodes. This comes from the unprivileged nature of Landlock
> described in the next commit.
>
> Cc: Al Viro
> Cc: James Morris
> Cc: Jann Horn
> Cc: Kees Cook
> Cc: Serge E. Hallyn
> Signed-off-by: Mickaël Salaün
On Tue, 27 Oct 2020, Mickaël Salaün wrote:
> From: Mickaël Salaün
>
> Wire up the following system calls for all architectures:
> * landlock_create_ruleset(2)
> * landlock_add_rule(2)
> * landlock_enforce_ruleset_current(2)
>
> Cc: Arnd Bergmann
> Cc: James Morris
rsion.
>
> Reported-by: Roman Kiryanov
> https://android-review.googlesource.com/c/device/generic/goldfish/+/1468545/
> Signed-off-by: Jeff Vander Stoep
Reviewed-by: James Morris
--
James Morris
On Mon, 19 Oct 2020, t...@redhat.com wrote:
> From: Tom Rix
>
> A break is not needed if it is preceded by a return
>
> Signed-off-by: Tom Rix
Acked-by: James Morris
--
James Morris
On Wed, 14 Oct 2020, Mickaël Salaün wrote:
>
> On 14/10/2020 20:52, Mickaël Salaün wrote:
> >
> > On 14/10/2020 20:07, James Morris wrote:
> >> On Thu, 8 Oct 2020, Mickaël Salaün wrote:
> >>
> >>> +config ARCH_EPHEMERAL_STATES
> >>&g
g
> + else (e.g. the host kernel for an UML kernel).
> +
This is used to disable Landlock for UML, correct? I wonder if it could be
more specific: "ephemeral states" is a very broad term.
How about something like ARCH_OWN_INODES ?
--
James Morris
On Wed, 7 Oct 2020, Lokesh Gidra wrote:
> Is there anything else that needs to be done before merging this
> patch series? I urge the reviewers to please take a look.
>
It looks generally fine to me from a security POV, we really need some
feedback from VFS folk.
--
James Morris
On Fri, 2 Oct 2020, Kees Cook wrote:
> Signed-off-by: Kees Cook
> Reviewed-by: Mimi Zohar
Reviewed-by: James Morris
--
James Morris
On Fri, 2 Oct 2020, Kees Cook wrote:
> Now that there is an API for checking loaded contents for modules
> loaded without a file, call into the LSM hooks.
>
> Signed-off-by: Kees Cook
> Reviewed-by: KP Singh
> Acked-by: Jessica Yu
Reviewed-by: James Morris
--
James Morris
Chamberlain
> Acked-by: Scott Branden
Reviewed-by: James Morris
--
James Morris
ocated buffer)")
> Signed-off-by: Kees Cook
> Reviewed-by: Mimi Zohar
> Reviewed-by: Luis Chamberlain
> Acked-by: Scott Branden
> Cc: sta...@vger.kernel.org
Reviewed-by: James Morris
--
James Morris
xperience in
SunOS, Solaris, Unixware, Realtime, SVR4, and Linux.
--
James Morris
/device_cgroup.c:355 RCU-list traversed in
non-reader section!!
Signed-off-by: Amol Grover
Signed-off-by: James Morris
diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index 43ab0ad45c1b..04375df52fc9 100644
--- a/security/device_cgroup.c
+++ b/security
is file?"
The caller doesn't know, for example, if the script file it's about to
execute has been signed, or if it's from a noexec mount. It's asking the
kernel, which does know. (Note that this could also be extended to reading
configuration files).
How about: should_faccessat ?
--
James Morris
u want to tell LSM have a look at given fs object in a special
> way, *add* *a* *new* *system* *call* *for* *doing* *just* *that*.
It's not just for LSM, though, and it has identical semantics from the
caller's POV as faccessat().
--
James Morris
ctly as part of development and maintenance.
--
James Morris
rcontent.com/PaulRenauld/fe3ee7b51121556e03c181432c8b3dd5/raw/00e414b73e0c38c2eae8f05d5363a745179ba285/faster-lsm-results.png
>
> Cc: Alexei Starovoitov
> Cc: Daniel Borkmann
> Cc: James Morris
> Cc: p...@google.com
> Cc: ja...@google.com
> Cc: pet...@infradead.org
> Cc: rafael.j
) and
> applying policy to the new SIDs thus produced.
Can you expand more on why this would be useful, e.g. use-cases?
--
James Morris
this patch. Has it been superceded, or is it still
> necessary?
It appears to be necessary.
Applied to
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git
fixes-v5.9
--
James Morris
usted
rootfs. Future versions will support FS-Verity, at least.
IPE was designed to be extensible in this way, with a strong separation of
mechanism and policy.
Whatever is implemented for NFS should be able to plug in to IPE pretty
easily.
--
James Morris
is able to attend, so I've submitted a
BoF proposal:
https://www.linuxplumbersconf.org/event/7/abstracts/732/
--
James Morris
A couple of minor documentation updates only for this release. Please
pull.
---
The following changes since commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162:
Linux 5.7 (2020-05-31 16:49:15 -0700)
are available in the Git repository at:
On Thu, 6 Aug 2020, Mimi Zohar wrote:
> On Thu, 2020-08-06 at 09:51 +1000, James Morris wrote:
> > On Wed, 5 Aug 2020, Mimi Zohar wrote:
> >
> > > If block layer integrity was enough, there wouldn't have been a need
> > > for fs-verity. Even fs-verity is
On Wed, 5 Aug 2020, Mimi Zohar wrote:
> If block layer integrity was enough, there wouldn't have been a need
> for fs-verity. Even fs-verity is limited to read only filesystems,
> which makes validating file integrity so much easier. From the
> beginning, we've said that fs-verity signatures
differentiate yours by making it more Kconfig
> based, but policy has a way of becoming user space supplied because
> the distros hate config options, so I think you're going to end up
> with a policy parser very like IMAs.
--
James Morris
On Thu, 30 Jul 2020, Stephen Rothwell wrote:
> Hi James,
>
> On Thu, 30 Jul 2020 12:35:03 +1000 (AEST) James Morris
> wrote:
> >
> > On Thu, 30 Jul 2020, Stephen Rothwell wrote:
> >
> > > > I am still applying the above patch ...
>
k.
Please drop secure_uffd_v5.9 for the time being.
--
James Morris
wed-by: Mimi Zohar
> Reviewed-by: Luis Chamberlain
> Signed-off-by: Kees Cook
Reviewed-by: James Morris
--
James Morris
hamberlain
> Signed-off-by: Kees Cook
Reviewed-by: James Morris
--
James Morris
> Acked-by: Scott Branden
> Reviewed-by: Mimi Zohar
> Reviewed-by: Luis Chamberlain
> Signed-off-by: Kees Cook
Reviewed-by: James Morris
--
James Morris
is Chamberlain
> Signed-off-by: Kees Cook
Acked-by: James Morris
--
James Morris
ck etc.)
--
James Morris
On Fri, 17 Jul 2020, Randy Dunlap wrote:
> From: Randy Dunlap
>
> Drop the doubled words "the" and "and" in comments.
>
> Signed-off-by: Randy Dunlap
Applied to
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git
next-general
--
James Morris
truct signature_v2_hdr *)sig;
> struct key *key;
> - int ret = -ENOMEM;
> + int ret;
Assuming Mimi will grab this.
Acked-by: James Morris
--
James Morris
pplied to
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git
next-general
--
James Morris
Please pull (now using signed tags).
The following changes since commit 48778464bb7d346b47157d21ffde2af6b2d39110:
Linux 5.8-rc2 (2020-06-21 15:45:29 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git
ux/kernel/git/jmorris/linux-security.git
fixes-v5.8
NOTE: please cc: the LSM list with patches such as these.
--
James Morris
On Mon, 15 Jun 2020, Micah Morton wrote:
> On Sun, Jun 14, 2020 at 10:21 PM James Morris wrote:
> >
> > On Sun, 14 Jun 2020, Micah Morton wrote:
> >
> > > This patch was sent to the security mailing list and there were no
> > > objections.
> >
> &
jections" should be considered "not reviewed".
Can you add your tree to linux-next?
https://www.kernel.org/doc/man-pages/linux-next.html
--
James Morris
et this
upstream for v5.9.
I had to make some minor fixups, please review.
--
James Morris
On Wed, 3 Jun 2020, Casey Schaufler wrote:
> On 6/3/2020 3:12 PM, James Morris wrote:
> > On Wed, 3 Jun 2020, Casey Schaufler wrote:
> >
> >> The use of security modules was expected to be rare.
> > This is not correct. Capabilities were ported to LSM and s
On Wed, 3 Jun 2020, Casey Schaufler wrote:
> The use of security modules was expected to be rare.
This is not correct. Capabilities were ported to LSM and stacked from the
beginning, and several major distros worked on LSM so they could ship
their own security modules.
--
James Morris
On Tue, 2 Jun 2020, Linus Torvalds wrote:
> On Mon, Jun 1, 2020 at 7:15 PM James Morris wrote:
> >
> > Just one update for the security subsystem: allows unprivileged users to
> > see the status of the lockdown feature. From Jeremy Cline.
>
> Hmm.
>
> That bran
ty.git
next-general
--
James Morris
remy Cline
Signed-off-by: James Morris
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
index 40b790536def..ae594c0a127f 100644
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c
@@ -175,7 +175,7 @@ static int __init lockdown_secfs_init(void)
{
Refactor declaration of LSM hooks")
> > > Fixes: 625236ba3832 ("security: Fix the default value of secid_to_secctx
> > > hook"
> > > Reported-by: Alexei Starovoitov
> > > Signed-off-by: KP Singh
> >
> > This looks fine.
>
> Tested. audit works now.
> I fixed missing ')' in the commit log
> and applied to bpf tree.
> It will be on the way to Linus tree soon.
Please add:
Acked-by: James Morris
--
James Morris
caps can be merged into the
>* secureexec flag.
>*/
> - bprm->secureexec |= bprm->cap_elevated;
> + bprm->secureexec |= bprm->active_secureexec;
Which kernel tree are these patches for? Seems like begin_new_exec() is
from a prerequisite patchset.
--
James Morris
ic W. Biederman"
Nice cleanup.
Reviewed-by: James Morris
--
James Morris
_cred(current_cred());
> > new_tsec = selinux_cred(bprm->cred);
>
> As you've done in the other LSMs, I think this comment can be removed
> (or moved to the top of the function) too.
I'd prefer moved to top of the function.
--
James Morris
_hook_defs.h
> > @@ -243,7 +243,7 @@ LSM_HOOK(int, -EINVAL, getprocattr, struct task_struct
> > *p, char *name,
> > char **value)
> > LSM_HOOK(int, -EINVAL, setprocattr, const char *name, void *value, size_t
> > size)
> > LSM_HOOK(int, 0, ismaclabel, const char *name)
> > -LSM_HOOK(int, 0, secid_to_secctx, u32 secid, char **secdata,
> > +LSM_HOOK(int, -EOPNOTSUPP, secid_to_secctx, u32 secid, char **secdata,
> > u32 *seclen)
> > LSM_HOOK(int, 0, secctx_to_secid, const char *secdata, u32 seclen, u32
> > *secid)
> > LSM_HOOK(void, LSM_RET_VOID, release_secctx, char *secdata, u32 seclen)
> > --
> > 2.20.1
> >
>
--
James Morris
Thank you Arnd for helping me figure out what went wrong.
>
> CC: Arnd Bergmann
> Fixes: 98e828a0650f ("security: Refactor declaration of LSM hooks")
> Signed-off-by: Anders Roxell
Note, this patch should have been sent to me and cc'd the LSM list.
Acked-by: James Morris
--
James Morris
On Thu, 14 May 2020, Mickaël Salaün wrote:
> > fsnotify is not an LSM.
>
> Yes, so I'll need to add a new LSM hook for this (release) call, right?
Unless an existing one will work.
--
James Morris
be using the LSM API (and extending that as needed).
> Anyway, we also need to have a call to landlock_release_inodes() in
> generic_shutdown_super(), which does not fit the LSM framework, and I
> think it is not an issue. Landlock handling of inodes is quite similar
> to fsnotify.
fsnotify is not an LSM.
--
James Morris
rris/linux-security.git
next-general
--
James Morris
tacking.
See Casey's old patch:
https://lore.kernel.org/linux-security-module/20190829232935.7099-2-ca...@schaufler-ca.com/
--
James Morris
a practical application of this scheme?
--
James Morris
On Mon, 11 May 2020, Jeremy Cline wrote:
> On Sat, Feb 22, 2020 at 03:51:24AM +1100, James Morris wrote:
> > On Thu, 20 Feb 2020, Jeremy Cline wrote:
> >
> > > A number of userspace tools, such as systemtap, need a way to see the
> > > current lockdown
and
a failure to mount the root filesystem.
Fixes: 98e828a0650f ("security: Refactor declaration of LSM hooks")
Reported-by: Mikko Ylinen
Signed-off-by: KP Singh
Signed-off-by: James Morris
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_de
ttrs initxattrs, void *fs_data);
> +int security_inode_init_security_anon(struct inode *inode,
> + const struct qstr *name,
> + const struct inode *context_inode);
> int security_old_inode_init_security(struct inode *inode, struct inode *dir,
>const struct qstr *qstr, const char **name,
>void **value, size_t *len);
> diff --git a/security/security.c b/security/security.c
> index 565bc9b67276..70bfebada024 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -1033,6 +1033,15 @@ int security_inode_init_security(struct inode *inode,
> struct inode *dir,
> }
> EXPORT_SYMBOL(security_inode_init_security);
>
> +int
> +security_inode_init_security_anon(struct inode *inode,
> + const struct qstr *name,
> + const struct inode *context_inode)
> +{
> + return call_int_hook(inode_init_security_anon, 0, inode, name,
> + context_inode);
> +}
> +
> int security_old_inode_init_security(struct inode *inode, struct inode *dir,
>const struct qstr *qstr, const char **name,
>void **value, size_t *len)
>
--
James Morris
l.
Sounds good.
--
James Morris
le.
RESOLVE_MAYEXEC as a new flag should have well-defined, stable semantics.
--
James Morris
ed-by: James Morris
--
James Morris
> Reviewed-by: Philippe Trébuchet
> Reviewed-by: Thibaut Sautereau
> Cc: Aleksa Sarai
> Cc: Al Viro
> Cc: Kees Cook
Are there any existing LSMs which plan to use this aspect?
--
James Morris
by bringing the ability to check the use of scripts [1].
> Other uses are expected, such as for openat2(2) [2], SGX integration
> [3], bpffs [4] or IPE [5].
Confirming that this is a highly desirable feature for the proposed IPE
LSM.
--
James Morris
dc69fa080..7288f0ad44af 100644
> > --- a/include/uapi/linux/capability.h
> > +++ b/include/uapi/linux/capability.h
> > @@ -332,6 +332,8 @@ struct vfs_ns_cap_data {
> >
> > #define CAP_AUDIT_CONTROL30
> >
> > +/* Set or remove capabilities on files */
>
On Thu, 30 Apr 2020, KP Singh wrote:
> From: KP Singh
>
Applied to:
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git
for-v5.7
--
James Morris
aufler
> > ---
> > Documentation/security/lsm.rst | 202
> > ++---
> > 1 file changed, 66 insertions(+), 136 deletions(-)
>
> James, are you planning to pick this up, or should I grab it?
You can grab it, but I don't think this patch ended up on the lsm list for
review (I only caught it in the moderation queue for lss-pc).
--
James Morris
+++
> security/security.c | 8 +++
> security/selinux/hooks.c| 68 +++
> security/selinux/include/classmap.h | 2 +
> 12 files changed, 256 insertions(+), 40 deletions(-)
For any changes to security/ please include the linux-security-module
list.
--
James Morris
e operations are intended for production systems.
Acked-by: James Morris
--
James Morris
de as simple as possible. As soon as multiple LSMs
determine they need to share the blob, we can convert the code to blob
sharing.
--
James Morris
1 - 100 of 2193 matches
Mail list logo
