--
-
To unsubscribe from this list: send the line unsubscribe
linux-security-module in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
This is needed for computing pathnames in the AppArmor LSM.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/namei.c |2 +-
include/linux/security.h |9 ++---
Required by a later patch that adds a struct vfsmount parameter to
notify_change().
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/ntfs/file.c |2 +-
fs/splice.c
The vfsmount parameter must be set appropriately for files visibile
outside the kernel. Files that are only used in a filesystem (e.g.,
reiserfs xattr files) will have a NULL vfsmount.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by:
The vfsmount will be passed down to the LSM hook so that LSMs can compute
pathnames.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/ecryptfs/inode.c |5 -
fs/namei.c|
On Oct 25 2007 19:56, Greg KH wrote:
I'm trying to compile a list of all known external modules and drivers
and work to get them included in the main kernel tree to help prevent
these kinds of things. If you know of any that are not on the list at:
This is needed for computing pathnames in the AppArmor LSM.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/namei.c |2 +-
include/linux/security.h |7 +--
This is needed for computing pathnames in the AppArmor LSM.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/stat.c|2 +-
include/linux/security.h |8 +---
Switch from file_permission() to vfs_permission() in do_path_lookup():
this avoids calling permission() with a NULL nameidata here.
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/namei.c | 13 ++---
1 file changed, 6
Signed-off-by: John Johansen [EMAIL PROTECTED]
Signed-off-by: Jesse Michael [EMAIL PROTECTED]
---
security/apparmor/Makefile |7 +
security/apparmor/apparmor.h |7 +
security/apparmor/lsm.c | 147 ++-
Convert the selinux sysctl pathname computation code into a standalone
function.
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
include/linux/sysctl.h |2 ++
kernel/sysctl.c | 27 +++
Struct iattr already contains ia_file since commit cc4e69de from
Miklos (which is related to commit befc649c). Use this to pass
struct file down the setattr hooks. This allows LSMs to distinguish
operations on file descriptors from operations on paths.
Signed-off-by: Andreas Gruenbacher [EMAIL
First, when __d_path() hits a lazily unmounted mount point, it tries to prepend
the name of the lazily unmounted dentry to the path name. It gets this wrong,
and also overwrites the slash that separates the name from the following
pathname component. This patch fixes that; if a process was in
The vfsmount will be passed down to the LSM hook so that LSMs can compute
pathnames.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/nfsd/vfs.c |7 ---
fs/xattr.c|
The vfsmount will be passed down to the LSM hook so that LSMs can compute
pathnames.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/nfsd/vfs.c | 16 +++-
fs/xattr.c
The vfsmount will be passed down to the LSM hook so that LSMs can compute
pathnames.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/ecryptfs/inode.c |9 +++--
fs/namei.c |
This is needed for computing pathnames in the AppArmor LSM.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/namei.c |6 --
include/linux/security.h | 13 ++---
This is needed for computing pathnames in the AppArmor LSM.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/namei.c |2 +-
include/linux/security.h | 10 +++---
This is needed for computing pathnames in the AppArmor LSM.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/xattr.c |2 +-
include/linux/security.h | 14 +-
This is needed for computing pathnames in the AppArmor LSM.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/namei.c |3 ++-
include/linux/security.h | 16 +++-
If we unhash the dentry before calling the security_inode_rmdir hook,
we cannot compute the file's pathname in the hook anymore. AppArmor
needs to know the filename in order to decide whether a file may be
deleted, though.
Signed-off-by: John Johansen [EMAIL PROTECTED]
Signed-off-by: Andreas
The vfsmount will be passed down to the LSM hook so that LSMs can compute
pathnames.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/ecryptfs/inode.c |3 ++-
fs/namei.c|4
This is needed for computing pathnames in the AppArmor LSM.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/namei.c |2 +-
include/linux/security.h | 10 +++---
The vfsmount will be passed down to the LSM hook so that LSMs can compute
pathnames.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/ecryptfs/inode.c |7 ++-
fs/namei.c | 19
This is needed for computing pathnames in the AppArmor LSM.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/xattr.c |4 ++--
include/linux/security.h | 35
The vfsmount will be passed down to the LSM hook so that LSMs can compute
pathnames.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/nfsd/nfs4xdr.c |2 +-
fs/nfsd/vfs.c
This is needed for computing pathnames in the AppArmor LSM.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/xattr.c |2 +-
include/linux/security.h | 11 +++
The vfsmount will be passed down to the LSM hook so that LSMs can compute
pathnames.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/xattr.c| 25 ++---
This is needed for computing pathnames in the AppArmor LSM.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/xattr.c |2 +-
include/linux/security.h |9 +
The path that __d_path() computes can become slightly inconsistent when it
races with mount operations: it grabs the vfsmount_lock when traversing mount
points but immediately drops it again, only to re-grab it when it reaches the
next mount point. The result is that the filename computed is not
In AppArmor, we are interested in pathnames relative to the namespace root.
This is the same as d_path() except for the root where the search ends. Add
a function for computing the namespace-relative path.
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL
Set the LOOKUP_CONTINUE flag when checking parent permissions. This allows
permission functions to tell between parent and leaf checks.
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/namei.c |6 ++
1 file changed, 6
The underlying functions by which the AppArmor LSM hooks are implemented.
Signed-off-by: John Johansen [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
---
security/apparmor/main.c | 1361 +++
1 file changed, 1361 insertions(+)
Pathname matching, transition table loading, profile loading and
manipulation.
Signed-off-by: John Johansen [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
---
security/apparmor/match.c| 273 +++
security/apparmor/match.h| 85 +++
All the things that didn't nicely fit in a category on their own: kbuild
code, declararions and inline functions, /sys/kernel/security/apparmor
filesystem for controlling apparmor from user space, profile list
functions, locking documentation, /proc/$pid/task/$tid/attr/current
access.
Signed-off-by: John Johansen [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
---
security/Kconfig |1 +
security/Makefile |1 +
security/apparmor/Kconfig | 21 +++--
3 files changed, 21 insertions(+), 2 deletions(-)
---
Switch from file_permission() to vfs_permission() in sys_fchdir(): this
avoids calling permission() with a NULL nameidata here.
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/open.c | 16 +++-
1 file changed, 7
This is needed for computing pathnames in the AppArmor LSM.
Signed-off-by: Tony Jones [EMAIL PROTECTED]
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
---
fs/namei.c |2 +-
include/linux/security.h |8 ++--
On Thu, Oct 25, 2007 at 11:40:24PM -0700, [EMAIL PROTECTED] wrote:
Sorry this got dropped some how.
This submission of the AppArmor security module is based against -mm.
Any comments and feedback to improve implementation are appreciated.
The patch series consists of five areas:
(1) Pass
On Thu, 25 Oct 2007 19:56:47 -0700, Greg KH wrote:
On Fri, Oct 26, 2007 at 01:09:14AM +0200, Tilman Schmidt wrote:
Am 25.10.2007 00:31 schrieb Adrian Bunk:
Generally, the goal is to get external modules included into the kernel.
[...] even though it might sound harsh breaking
external
Hi.
You know, you really are supposed to understand the code you are modifying...
Quiz: what are those vfsmounts and how are they related?
These two vfsmounts should be same since the kernel doesn't support
rename or link operations that accrosses mount points.
So, we don't have to pass both
On Thu, 25 Oct 2007, [EMAIL PROTECTED] wrote:
Convert the selinux sysctl pathname computation code into a standalone
function.
Signed-off-by: Andreas Gruenbacher [EMAIL PROTECTED]
Signed-off-by: John Johansen [EMAIL PROTECTED]
Reviewed-by: James Morris [EMAIL PROTECTED]
--
James Morris
On Thu, 2007-10-25 at 17:41 -0700, Chris Wright wrote:
* Casey Schaufler ([EMAIL PROTECTED]) wrote:
--- Chris Wright [EMAIL PROTECTED] wrote:
* Serge E. Hallyn ([EMAIL PROTECTED]) wrote:
Here is a new version of the 64-bit capability patches I was supposed
to send last week I
On Fri, 2007-10-26 at 13:30 +0200, Miklos Szeredi wrote:
So I think the correct solution (which was suggested by Trond and
others) is to define an f_op-fsetattr() method, which interested
filesystems can define.
And here's the patch, which applies on top of the f_op-fgetattr()
patch,
On Thu, 2007-10-25 at 23:40 -0700, [EMAIL PROTECTED] wrote:
plain text document attachment (file-handle-ops.diff)
Struct iattr already contains ia_file since commit cc4e69de from
Miklos (which is related to commit befc649c). Use this to pass
struct file down the setattr hooks. This allows
On Thu, 2007-10-25 at 19:02 -0500, Serge E. Hallyn wrote:
Quoting David P. Quigley ([EMAIL PROTECTED]):
This patch modifies the interface to inode_getsecurity to have the
function return a buffer containing the security blob and its length via
parameters instead of relying on the
On Thu, 25 Oct 2007 23:40:24 -0700
[EMAIL PROTECTED] wrote:
before going into the LSM / security side of things, I'd like to get
the VFS guys to look at your VFS interaction code.
In addition, I'd like to ask you to put a file in Documentation/
somewhere that describes what AppArmor is intended
On Fri, 2007-10-26 at 10:02 -0500, Serge E. Hallyn wrote:
Quoting David P. Quigley ([EMAIL PROTECTED]):
On Thu, 2007-10-25 at 19:02 -0500, Serge E. Hallyn wrote:
Quoting David P. Quigley ([EMAIL PROTECTED]):
static int task_alloc_security(struct task_struct *task)
@@ -2423,14
On Fri, 2007-10-26 at 10:02 -0500, Serge E. Hallyn wrote:
Quoting David P. Quigley ([EMAIL PROTECTED]):
On Thu, 2007-10-25 at 19:02 -0500, Serge E. Hallyn wrote:
Quoting David P. Quigley ([EMAIL PROTECTED]):
static int task_alloc_security(struct task_struct *task)
@@ -2423,14
On Fri, 2007-10-26 at 11:13 -0400, David P. Quigley wrote:
On Fri, 2007-10-26 at 10:02 -0500, Serge E. Hallyn wrote:
Quoting David P. Quigley ([EMAIL PROTECTED]):
On Thu, 2007-10-25 at 19:02 -0500, Serge E. Hallyn wrote:
Quoting David P. Quigley ([EMAIL PROTECTED]):
static int
Quoting David P. Quigley ([EMAIL PROTECTED]):
On Thu, 2007-10-25 at 19:02 -0500, Serge E. Hallyn wrote:
Quoting David P. Quigley ([EMAIL PROTECTED]):
static int task_alloc_security(struct task_struct *task)
@@ -2423,14 +2397,22 @@ static const char
Casey Schaufler wrote:
The Smack patch and Paul Moore's netlabel API patch,
together for 2.6.24-rc1. Paul's changes are identical
to the previous posting, but it's been a while so they're
here again.
The sole intent of change has been to address locking
and/or list processing issues. Please
On Fri, 2007-10-26 at 10:07 -0500, Serge E. Hallyn wrote:
Quoting David P. Quigley ([EMAIL PROTECTED]):
On Thu, 2007-10-25 at 19:02 -0500, Serge E. Hallyn wrote:
Quoting David P. Quigley ([EMAIL PROTECTED]):
This patch modifies the interface to inode_getsecurity to have
the
Quoting Stephen Smalley ([EMAIL PROTECTED]):
On Fri, 2007-10-26 at 10:02 -0500, Serge E. Hallyn wrote:
Quoting David P. Quigley ([EMAIL PROTECTED]):
On Thu, 2007-10-25 at 19:02 -0500, Serge E. Hallyn wrote:
Quoting David P. Quigley ([EMAIL PROTECTED]):
static int
On Fri, Oct 26, 2007 at 11:46:39AM +0200, Tilman Schmidt wrote:
On Thu, 25 Oct 2007 19:56:47 -0700, Greg KH wrote:
I'm trying to compile a list of all known external modules and drivers
and work to get them included in the main kernel tree to help prevent
these kinds of things. If you know
On Fri, Oct 26, 2007 at 09:09:05AM +0200, Jan Engelhardt wrote:
On Oct 25 2007 19:56, Greg KH wrote:
I'm trying to compile a list of all known external modules and drivers
and work to get them included in the main kernel tree to help prevent
these kinds of things. If you know of any that
Quoting David P. Quigley ([EMAIL PROTECTED]):
On Fri, 2007-10-26 at 10:02 -0500, Serge E. Hallyn wrote:
Quoting David P. Quigley ([EMAIL PROTECTED]):
On Thu, 2007-10-25 at 19:02 -0500, Serge E. Hallyn wrote:
Quoting David P. Quigley ([EMAIL PROTECTED]):
static int
On 26/10/07 16:58, Greg KH wrote:
On Fri, Oct 26, 2007 at 11:46:39AM +0200, Tilman Schmidt wrote:
On Thu, 25 Oct 2007 19:56:47 -0700, Greg KH wrote:
I'm trying to compile a list of all known external modules and drivers
and work to get them included in the main kernel tree to help prevent
On Fri, 2007-10-26 at 10:02 -0500, Serge E. Hallyn wrote:
Quoting David P. Quigley ([EMAIL PROTECTED]):
On Thu, 2007-10-25 at 19:02 -0500, Serge E. Hallyn wrote:
Quoting David P. Quigley ([EMAIL PROTECTED]):
static int task_alloc_security(struct task_struct *task)
@@ -2423,14
On Fri, 2007-10-26 at 11:36 -0500, Serge E. Hallyn wrote:
Quoting David P. Quigley ([EMAIL PROTECTED]):
On Fri, 2007-10-26 at 10:02 -0500, Serge E. Hallyn wrote:
Quoting David P. Quigley ([EMAIL PROTECTED]):
On Thu, 2007-10-25 at 19:02 -0500, Serge E. Hallyn wrote:
Quoting David P.
On Fri, Oct 26, 2007 at 08:37:49AM +0100, Al Viro wrote:
On Thu, Oct 25, 2007 at 11:40:43PM -0700, [EMAIL PROTECTED] wrote:
The vfsmount will be passed down to the LSM hook so that LSMs can compute
pathnames.
You know, you really are supposed to understand the code you are modifying...
On Fri, Oct 26, 2007 at 07:37:21AM -0700, Arjan van de Ven wrote:
On Thu, 25 Oct 2007 23:40:24 -0700
[EMAIL PROTECTED] wrote:
before going into the LSM / security side of things, I'd like to get
the VFS guys to look at your VFS interaction code.
yes, the vfs interaction definitely need
On Fri, Oct 26, 2007 at 01:30:52PM +0200, Miklos Szeredi wrote:
On Thu, 2007-10-25 at 23:40 -0700, [EMAIL PROTECTED] wrote:
plain text document attachment (file-handle-ops.diff)
Struct iattr already contains ia_file since commit cc4e69de from
Miklos (which is related to commit befc649c).
On Friday 26 October 2007 13:30, Miklos Szeredi wrote:
There's a slight problem (other than HCH not liking it) with this
approach of passing the open file in iattr: for special files, the
struct file pointer makes no sense to the filesystem, since it is always
opened by the generic functions.
On Friday 26 October 2007 16:37, Arjan van de Ven wrote:
In addition, I'd like to ask you to put a file in Documentation/
somewhere that describes what AppArmor is intended security protection
is (it's different from SELinux for sure for example); by having such a
document for each LSM user,
On Fri, Oct 26, 2007 at 11:23:53AM -0700, John Johansen wrote:
In the current code, both vfsmounts are always identical, and so one of
the two should go, agreed.
The thought behind passing both vfsmounts was that they could differ but
point to the same super_block, in which case renames
On Fri, 2007-10-26 at 22:24 +0200, Andreas Gruenbacher wrote:
On Friday 26 October 2007 13:30, Miklos Szeredi wrote:
There's a slight problem (other than HCH not liking it) with this
approach of passing the open file in iattr: for special files, the
struct file pointer makes no sense to
On Friday 26 October 2007 22:58:11 Miklos Szeredi wrote:
For special files, f_op-fsetattr will be NULL, since
init_special_inode() will set up i_fop that way.
So the filesystem's fsetattr() will only be called for regular files
and/or directories, depending on how it sets up i_fop.
With the
On Fri, 26 Oct 2007 15:16:53 -0700
Crispin Cowan [EMAIL PROTECTED] wrote:
On the first part (discussion of the model) I doubt we can get
people to agree, that's pretty much phylosophical... on the second
part (how well the code/design lives up to its own goals) the
analysis can be
On Fri, Oct 26, 2007 at 11:46:39AM +0200, Tilman Schmidt wrote:
On Thu, 25 Oct 2007 19:56:47 -0700, Greg KH wrote:
On Fri, Oct 26, 2007 at 01:09:14AM +0200, Tilman Schmidt wrote:
Am 25.10.2007 00:31 schrieb Adrian Bunk:
Generally, the goal is to get external modules included into the
70 matches
Mail list logo
