Re: [PATCH v5 4/4] vduse: Add LSM hook to check Virtio device type

2023-12-12 Thread Casey Schaufler
On 12/12/2023 9:59 AM, Michael S. Tsirkin wrote: > On Tue, Dec 12, 2023 at 08:33:39AM -0800, Casey Schaufler wrote: >> On 12/12/2023 5:17 AM, Maxime Coquelin wrote: >>> This patch introduces a LSM hook for devices creation, >>> destruction (ioctl()) and opening (open(

Re: [PATCH v5 4/4] vduse: Add LSM hook to check Virtio device type

2023-12-12 Thread Casey Schaufler
On 12/12/2023 5:17 AM, Maxime Coquelin wrote: > This patch introduces a LSM hook for devices creation, > destruction (ioctl()) and opening (open()) operations, > checking the application is allowed to perform these > operations for the Virtio device type. My earlier comments on a vduse specific

Re: [PATCH 0/5] evm: Prepare for moving to the LSM infrastructure

2021-04-16 Thread Casey Schaufler
On 4/16/2021 9:37 AM, Roberto Sassu wrote: >> From: Casey Schaufler [mailto:ca...@schaufler-ca.com] >> Sent: Thursday, April 15, 2021 10:44 PM >> On 4/15/2021 3:04 AM, Roberto Sassu wrote: >>> This patch set depends on: >>> >>> https://lore.ker

Re: [PATCH 0/5] evm: Prepare for moving to the LSM infrastructure

2021-04-15 Thread Casey Schaufler
On 4/15/2021 3:04 AM, Roberto Sassu wrote: > This patch set depends on: > > https://lore.kernel.org/linux-integrity/20210409114313.4073-1-roberto.sa...@huawei.com/ > https://lore.kernel.org/linux-integrity/20210407105252.30721-1-roberto.sa...@huawei.com/ > > One of the challenges that must be

Re: [PATCH v33 00/12] Landlock LSM

2021-04-09 Thread Casey Schaufler
On 4/8/2021 6:48 PM, James Morris wrote: > I've added this to my tree at: > > git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git > landlock_lsm_v33 > > and merged that into the next-testing branch which is pulled into Linux > next. Thank you.

Re: [PATCH] selinux:Delete selinux_xfrm_policy_lookup() useless argument

2021-04-08 Thread Casey Schaufler
On 4/8/2021 1:49 AM, Zhongjun Tan wrote: > From: Zhongjun Tan > > Delete selinux selinux_xfrm_policy_lookup() useless argument. > > Signed-off-by: Zhongjun Tan > --- > include/linux/lsm_hook_defs.h | 3 +-- > include/linux/security.h| 4 ++-- > net/xfrm/xfrm_policy.c | 6

Re: [PATCH v5 04/12] ima: Move ima_reset_appraise_flags() call to post hooks

2021-04-07 Thread Casey Schaufler
> > This patch introduces the post hooks ima_inode_post_setxattr() and > ima_inode_post_removexattr(), and adds the call to > ima_reset_appraise_flags() in the new functions. > > Cc: Casey Schaufler > Signed-off-by: Roberto Sassu > --- > fs/xattr.c

Re: Commit f211ac154577ec9ccf07c15f18a6abf0d9bdb4ab breaks Smack TCP connections

2021-03-31 Thread Casey Schaufler
and hangs after. Is this a bug fix? > In openssh case, it use SSH_LISTEN_BACKLOG as 128. > > At 2021-03-30 23:42:04, "Casey Schaufler" wrote: >> Commit f211ac154577ec9ccf07c15f18a6abf0d9bdb4ab 'net: correct >> sk_acceptq_is_full()' breaks a system with the Smack

Re: [PATCH v5 1/1] fs: Allow no_new_privs tasks to call chroot(2)

2021-03-30 Thread Casey Schaufler
On 3/30/2021 12:28 PM, Mickaël Salaün wrote: > On 30/03/2021 20:40, Casey Schaufler wrote: >> On 3/30/2021 11:11 AM, Mickaël Salaün wrote: >>> On 30/03/2021 19:19, Casey Schaufler wrote: >>>> On 3/30/2021 10:01 AM, Mickaël Salaün wrote: >>>>> Hi, >

Re: [PATCH v5 1/1] fs: Allow no_new_privs tasks to call chroot(2)

2021-03-30 Thread Casey Schaufler
On 3/30/2021 11:11 AM, Mickaël Salaün wrote: > On 30/03/2021 19:19, Casey Schaufler wrote: >> On 3/30/2021 10:01 AM, Mickaël Salaün wrote: >>> Hi, >>> >>> Is there new comments on this patch? Could we move forward? >> I don't see that new comments are

Re: [PATCH v5 1/1] fs: Allow no_new_privs tasks to call chroot(2)

2021-03-30 Thread Casey Schaufler
On 3/30/2021 10:01 AM, Mickaël Salaün wrote: > Hi, > > Is there new comments on this patch? Could we move forward? I don't see that new comments are necessary when I don't see that you've provided compelling counters to some of the old ones. It's possible to use minimal privilege with

Commit f211ac154577ec9ccf07c15f18a6abf0d9bdb4ab breaks Smack TCP connections

2021-03-30 Thread Casey Schaufler
Commit f211ac154577ec9ccf07c15f18a6abf0d9bdb4ab 'net: correct sk_acceptq_is_full()' breaks a system with the Smack LSM. Reverting this change results in a return to correct behavior. The Smack testsuite can be found at: https://github.com/smack-team/smack-testsuite.git The failing test

Re: [PATCH] tomoyo: don't special case PF_IO_WORKER for PF_KTHREAD

2021-03-26 Thread Casey Schaufler
On 3/25/2021 5:44 PM, Jens Axboe wrote: > The io_uring PF_IO_WORKER threads no longer have PF_KTHREAD set, so no > need to special case them for credential checks. Could you cite the commit where that change was made? > > Cc: Tetsuo Handa > Signed-off-by: Jens Axboe > --- >

Re: [PATCH] Revert "Smack: Handle io_uring kernel thread privileges"

2021-03-26 Thread Casey Schaufler
ouldn't want to see this change back-ported to a kernel that doesn't have that change as well. > > Cc: Casey Schaufler > Signed-off-by: Jens Axboe > --- > security/smack/smack_access.c | 5 ++--- > 1 file changed, 2 insertions(+), 3 deletions(-) > > diff --git a/security/s

Re: [RFC PATCH 2/2] integrity: double check iint_cache was initialized

2021-03-24 Thread Casey Schaufler
On 3/24/2021 4:58 AM, Dmitry Vyukov wrote: > On Wed, Mar 24, 2021 at 12:49 PM Mimi Zohar wrote: >> On Wed, 2021-03-24 at 12:37 +0100, Dmitry Vyukov wrote: >>> On Wed, Mar 24, 2021 at 12:21 PM Tetsuo Handa >>> wrote: On 2021/03/24 20:10, Mimi Zohar wrote: > On Wed, 2021-03-24 at 19:10

Re: [PATCH v1 0/1] Unprivileged chroot

2021-03-10 Thread Casey Schaufler
On 3/10/2021 10:17 AM, Mickaël Salaün wrote: > On 10/03/2021 18:22, Casey Schaufler wrote: >> On 3/10/2021 8:09 AM, Mickaël Salaün wrote: >>> Hi, >>> >>> The chroot system call is currently limited to be used by processes with >>> the CAP_SYS_CHROOT

Re: [PATCH v1 0/1] Unprivileged chroot

2021-03-10 Thread Casey Schaufler
On 3/10/2021 8:09 AM, Mickaël Salaün wrote: > Hi, > > The chroot system call is currently limited to be used by processes with > the CAP_SYS_CHROOT capability. This protects against malicious > processes willing to trick SUID-like binaries. The following patch > allows unprivileged users to

[PATCH v25 25/25] AppArmor: Remove the exclusive flag

2021-03-09 Thread Casey Schaufler
interferes in the multiple LSM case. Acked-by: Stephen Smalley Acked-by: John Johansen Reviewed-by: Kees Cook Signed-off-by: Casey Schaufler --- security/apparmor/lsm.c | 20 +--- 1 file changed, 1 insertion(+), 19 deletions(-) diff --git a/security/apparmor/lsm.c b/security/appa

[PATCH v25 24/25] LSM: Add /proc attr entry for full LSM context

2021-03-09 Thread Casey Schaufler
case none of the information will be displayed. Reviewed-by: Kees Cook Signed-off-by: Casey Schaufler Cc: linux-...@vger.kernel.org Cc: linux-...@vger.kernel.org --- Documentation/ABI/testing/procfs-attr-context | 14 Documentation/security/lsm.rst| 14 fs/p

[PATCH v25 23/25] Audit: Add a new record for multiple object LSM attributes

2021-03-09 Thread Casey Schaufler
(1601152467.009:1050): obj_selinux=unconfined_u:object_r:user_home_t:s0 Not all security modules that can provide object information do so in all cases. It is possible that a security module won't apply an object attribute in all cases. Signed-off-by: Casey Schaufler Cc: linux-au

[PATCH v25 22/25] Audit: Add new record for multiple process LSM attributes

2021-03-09 Thread Casey Schaufler
x even though it may not actually do so. Signed-off-by: Casey Schaufler To: p...@paul-moore.com To: linux-au...@redhat.com To: r...@redhat.com Cc: net...@vger.kernel.org --- drivers/android/binder.c| 2 +- include/linux/audit.h | 24 include/linux/security.h

[PATCH v25 21/25] audit: add support for non-syscall auxiliary records

2021-03-09 Thread Casey Schaufler
is discarded immediately after the local associated records are produced. Signed-off-by: Richard Guy Briggs Signed-off-by: Casey Schaufler Cc: linux-au...@redhat.com To: Richard Guy Briggs --- include/linux/audit.h | 8 kernel/audit.h| 1 + kernel/auditsc.c | 33

[PATCH v25 20/25] LSM: Verify LSM display sanity in binder

2021-03-09 Thread Casey Schaufler
Verify that the tasks on the ends of a binder transaction use the same "display" security module. This prevents confusion of security "contexts". Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley Acked-by: Paul Moore Signed-off-by: Casey Scha

[PATCH v25 19/25] NET: Store LSM netlabel data in a lsmblob

2021-03-09 Thread Casey Schaufler
netlabel use the lsm_id.slot to access the correct secid when using netlabel. Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley Acked-by: Paul Moore Signed-off-by: Casey Schaufler Cc: net...@vger.kernel.org --- include/net/netlabel.h | 8 +-- net/ipv4

[PATCH v25 18/25] LSM: security_secid_to_secctx in netlink netfilter

2021-03-09 Thread Casey Schaufler
Change netlink netfilter interfaces to use lsmcontext pointers, and remove scaffolding. Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley Acked-by: Pablo Neira Ayuso Signed-off-by: Casey Schaufler Cc: net...@vger.kernel.org Cc: netfilter-de...@vger.kernel.org

[PATCH v25 17/25] LSM: Use lsmcontext in security_inode_getsecctx

2021-03-09 Thread Casey Schaufler
Reviewed-by: John Johansen Signed-off-by: Casey Schaufler Cc: linux-...@vger.kernel.org --- fs/nfsd/nfs4xdr.c| 23 +-- include/linux/security.h | 5 +++-- security/security.c | 13 +++-- 3 files changed, 23 insertions(+), 18 deletions(-) diff --git a/fs/nfsd

[PATCH v25 16/25] LSM: Use lsmcontext in security_secid_to_secctx

2021-03-09 Thread Casey Schaufler
the new structure. Reviewed-by: Kees Cook Acked-by: Stephen Smalley Acked-by: Paul Moore Signed-off-by: Casey Schaufler Cc: net...@vger.kernel.org Cc: linux-au...@redhat.com Cc: netfilter-de...@vger.kernel.org --- drivers/android/binder.c| 26 +++- include/linux

[PATCH v25 15/25] LSM: Ensure the correct LSM context releaser

2021-03-09 Thread Casey Schaufler
allocates and destroys them on each use, whereas Smack provides a pointer to an entry in a list that never goes away. Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley Signed-off-by: Casey Schaufler Cc: linux-integr...@vger.kernel.org Cc: net...@vger.kernel.org Cc

[PATCH v25 14/25] LSM: Specify which LSM to display

2021-03-09 Thread Casey Schaufler
"interface_lsm" requires that all security modules using setprocattr hooks allow the action. Each security module is responsible for defining its policy. AppArmor hook provided by John Johansen SELinux hook provided by Stephen Smalley Signed-off-by: Casey Schaufler Cc: Kees Cook Cc: S

[PATCH v25 13/25] IMA: Change internal interfaces to use lsmblobs

2021-03-09 Thread Casey Schaufler
The IMA interfaces ima_get_action() and ima_match_policy() call LSM functions that use lsmblobs. Change the IMA functions to pass the lsmblob to be compatible with the LSM functions. Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley Signed-off-by: Casey Schaufler Cc

[PATCH v25 12/25] LSM: Use lsmblob in security_cred_getsecid

2021-03-09 Thread Casey Schaufler
-by: Stephen Smalley Acked-by: Paul Moore Signed-off-by: Casey Schaufler Cc: linux-integr...@vger.kernel.org Cc: linux-au...@redhat.com --- include/linux/security.h | 2 +- kernel/audit.c| 25 +++ kernel/audit.h| 3 ++- kernel

[PATCH v25 11/25] LSM: Use lsmblob in security_inode_getsecid

2021-03-09 Thread Casey Schaufler
-by: Paul Moore Signed-off-by: Casey Schaufler Cc: linux-integr...@vger.kernel.org Cc: linux-au...@redhat.com --- include/linux/security.h| 7 --- kernel/auditsc.c| 6 +- security/integrity/ima/ima_policy.c | 4 +--- security/security.c | 11

[PATCH v25 10/25] LSM: Use lsmblob in security_task_getsecid

2021-03-09 Thread Casey Schaufler
-by: Paul Moore Signed-off-by: Casey Schaufler Cc: linux-integr...@vger.kernel.org Cc: linux-au...@redhat.com Cc: net...@vger.kernel.org --- drivers/android/binder.c | 12 +- include/linux/security.h | 7 ++-- kernel/audit.c| 16 +++- kernel

[PATCH v25 09/25] LSM: Use lsmblob in security_ipc_getsecid

2021-03-09 Thread Casey Schaufler
-by: John Johansen Acked-by: Stephen Smalley Acked-by: Paul Moore Signed-off-by: Casey Schaufler Cc: linux-au...@redhat.com --- include/linux/security.h | 7 --- kernel/auditsc.c | 7 ++- security/security.c | 12 +--- 3 files changed, 19 insertions(+), 7 deletions

[PATCH v25 08/25] LSM: Use lsmblob in security_secid_to_secctx

2021-03-09 Thread Casey Schaufler
a secid to a string, as can occur in the audit code. Signed-off-by: Casey Schaufler Cc: net...@vger.kernel.org Cc: linux-au...@redhat.com Cc: netfilter-de...@vger.kernel.org To: Pablo Neira Ayuso To: Paul Moore --- drivers/android/binder.c| 12 +- include/linux

[PATCH v25 07/25] LSM: Use lsmblob in security_secctx_to_secid

2021-03-09 Thread Casey Schaufler
the lsmblob. Signed-off-by: Casey Schaufler Cc: net...@vger.kernel.org Cc: netfilter-de...@vger.kernel.org To: Pablo Neira Ayuso --- include/linux/security.h | 26 ++-- kernel/cred.c | 4 +--- net/netfilter/nft_meta.c | 10 net/netfilter

[PATCH v25 06/25] LSM: Use lsmblob in security_kernel_act_as

2021-03-09 Thread Casey Schaufler
instead of a secid. Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley Acked-by: Paul Moore Signed-off-by: Casey Schaufler To: David Howells --- include/linux/cred.h | 3 ++- include/linux/security.h | 5 +++-- kernel/cred.c| 10 ++ security

[PATCH v25 05/25] LSM: Use lsmblob in security_audit_rule_match

2021-03-09 Thread Casey Schaufler
() is dropped. Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley Acked-by: Paul Moore Signed-off-by: Casey Schaufler Cc: linux-au...@redhat.com Cc: linux-integr...@vger.kernel.org To: Mimi Zohar --- include/linux/security.h| 7 --- kernel/auditfilter.c

[PATCH v25 04/25] IMA: avoid label collisions with stacked LSMs

2021-03-09 Thread Casey Schaufler
registered module that supports the audit_rule_match() LSM hook. Allow the user to specify in the IMA policy an lsm= option to specify the security module to use for a particular rule. Signed-off-by: Casey Schaufler To: Mimi Zohar To: linux-integr...@vger.kernel.org --- Documentation/ABI/testing

[PATCH v25 03/25] LSM: provide lsm name and id slot mappings

2021-03-09 Thread Casey Schaufler
Provide interfaces to map LSM slot numbers and LSM names. Update the LSM registration code to save this information. Signed-off-by: Casey Schaufler --- include/linux/security.h | 4 security/security.c | 45 2 files changed, 49 insertions

[PATCH v25 02/25] LSM: Add the lsmblob data structure.

2021-03-09 Thread Casey Schaufler
. Acked-by: Stephen Smalley Acked-by: Paul Moore Acked-by: John Johansen Signed-off-by: Casey Schaufler Cc: Cc: linux-au...@redhat.com Cc: linux-security-mod...@vger.kernel.org Cc: seli...@vger.kernel.org To: Mimi Zohar --- include/linux/audit.h | 4 +- include/linux/lsm_ho

[PATCH v25 01/25] LSM: Infrastructure management of the sock security

2021-03-09 Thread Casey Schaufler
ore Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley Signed-off-by: Casey Schaufler --- include/linux/lsm_hooks.h | 1 + security/apparmor/include/net.h | 6 ++- security/apparmor/lsm.c | 38 --- security/security.c |

[PATCH v25 00/25] LSM: Module stacking for AppArmor

2021-03-09 Thread Casey Schaufler
is using an earlier version of this patchset in their distribution to enable stacking for containers. Performance measurements to date have the change within the "noise". The sockperf and dbench results are on the order of 0.2% to 0.8% difference, with better performance being as common

Re: [PATCH v4 04/11] ima: Move ima_reset_appraise_flags() call to post hooks

2021-03-05 Thread Casey Schaufler
iately invoke EVM as well. Instead of: ima_do_stuff(x, y, z); evm_do_stuff(x, y, z); how about integrity_do_stuff(x, y, z); > > Cc: Casey Schaufler > Signed-off-by: Roberto Sassu > --- > fs/xattr.c| 2 ++ > include/linux/ima.h

Re: [PATCH v24 04/25] IMA: avoid label collisions with stacked LSMs

2021-02-22 Thread Casey Schaufler
On 2/14/2021 10:21 AM, Mimi Zohar wrote: > Hi Casey, > > On Tue, 2021-01-26 at 08:40 -0800, Casey Schaufler wrote: >> Integrity measurement may filter on security module information >> and needs to be clear in the case of multiple active security >> modules which app

Re: [PATCH v3 1/1] security: Add CONFIG_LSM_AUTO to handle default LSM stack ordering

2021-02-22 Thread Casey Schaufler
On 2/22/2021 1:12 PM, Nicolas Iooss wrote: > On Mon, Feb 22, 2021 at 9:32 PM Casey Schaufler > wrote: >> On 2/22/2021 10:31 AM, Mickaël Salaün wrote: >>> On 22/02/2021 17:51, Casey Schaufler wrote: >>>> On 2/22/2021 7:06 AM, Mickaël Salaün wrote: >>>

Re: [PATCH v3 1/1] security: Add CONFIG_LSM_AUTO to handle default LSM stack ordering

2021-02-22 Thread Casey Schaufler
On 2/22/2021 10:31 AM, Mickaël Salaün wrote: > On 22/02/2021 17:51, Casey Schaufler wrote: >> On 2/22/2021 7:06 AM, Mickaël Salaün wrote: >>> From: Mickaël Salaün >>> >>> Add a new option CONFIG_LSM_AUTO to enable users to delegate default LSM >>> stac

Re: [PATCH v3 1/1] security: Add CONFIG_LSM_AUTO to handle default LSM stack ordering

2021-02-22 Thread Casey Schaufler
th a make > oldconfig. > > CONFIG_LSM and CONFIG_LSM_AUTO depend on CONFIG_SECURITY, which makes > sense because an LSM depends on the security framework. > > Cc: Casey Schaufler > Cc: James Morris > Cc: Kees Cook > Cc: Serge E. Hallyn > Signed-off-by: Mickaël Salaün > L

[GIT PULL] Smack patches for v5.12

2021-02-16 Thread Casey Schaufler
Hello Linus Here is a Smack change for the 5.12 release. It introduces bound checking for the smackfs administrative interfaces where they were missing. -- The following changes since commit 1048ba83fb1c00cd24172e23e8263972f6b5d9ac: Linux 5.11-rc6 (2021-01-31 13:50:09 -0800) are available

Re: [PATCH v24 04/25] IMA: avoid label collisions with stacked LSMs

2021-02-16 Thread Casey Schaufler
On 2/14/2021 10:21 AM, Mimi Zohar wrote: > Hi Casey, > > On Tue, 2021-01-26 at 08:40 -0800, Casey Schaufler wrote: >> Integrity measurement may filter on security module information >> and needs to be clear in the case of multiple active security >> modules which app

Re: [PATCH v28 05/12] LSM: Infrastructure management of the superblock

2021-02-05 Thread Casey Schaufler
On 2/5/2021 6:17 AM, Serge E. Hallyn wrote: > On Tue, Feb 02, 2021 at 05:27:03PM +0100, Mickaël Salaün wrote: >> From: Casey Schaufler >> >> Move management of the superblock->sb_security blob out of the >> individual security modules and into the security infrastruc

Re: [PATCH v2] smackfs: restrict bytes count in smackfs write functions

2021-02-02 Thread Casey Schaufler
On 2/2/2021 11:13 AM, Sabyrzhan Tasbolatov wrote: >> if PAGE_SIZE >= SMK_LOADSIZE all legitimate requests can be made >> using PAGE_SIZE as a limit. Your example with 19990 spaces before >> the data demonstrates that the interface is inadequately documented. >> Tizen and Automotive Grade Linux are

Re: [PATCH v24 00/25] LSM: Module stacking for AppArmor

2021-02-02 Thread Casey Schaufler
On 2/2/2021 9:12 AM, Topi Miettinen wrote: > On 2.2.2021 17.30, Casey Schaufler wrote: >> On 2/2/2021 4:05 AM, Topi Miettinen wrote: >>> On 26.1.2021 18.40, Casey Schaufler wrote: >>>> This patchset provides the changes required for >>>> the AppArmor secu

Re: [PATCH v24 00/25] LSM: Module stacking for AppArmor

2021-02-02 Thread Casey Schaufler
On 2/2/2021 4:05 AM, Topi Miettinen wrote: > On 26.1.2021 18.40, Casey Schaufler wrote: >> This patchset provides the changes required for >> the AppArmor security module to stack safely with any other. > > In my test, when kernel command line has apparmor before selinux in ls

Re: forkat(int pidfd), execveat(int pidfd), other awful things?

2021-02-01 Thread Casey Schaufler
On 2/1/2021 9:47 AM, Jason A. Donenfeld wrote: > Hi Andy & others, > > I was reversing some NT stuff recently and marveling over how wild and > crazy things are over in Windows-land. A few things related to process > creation caught my interest: > > - It's possible to create a new process with an

Re: [PATCH v2] smackfs: restrict bytes count in smackfs write functions

2021-01-28 Thread Casey Schaufler
On 1/28/2021 6:24 AM, Tetsuo Handa wrote: > On 2021/01/28 22:27, Sabyrzhan Tasbolatov wrote: >>> Doesn't this change break legitimate requests like >>> >>> char buffer[2]; >>> >>> memset(buffer, ' ', sizeof(buffer)); >>> memcpy(buffer + sizeof(buffer) - 10, "foo", 3); >>> write(fd,

Re: [PATCH v24 21/25] audit: add support for non-syscall auxiliary records

2021-01-26 Thread Casey Schaufler
On 1/26/2021 10:42 AM, Richard Guy Briggs wrote: > On 2021-01-26 08:41, Casey Schaufler wrote: >> Standalone audit records have the timestamp and serial number generated >> on the fly and as such are unique, making them standalone. This new >> function audit_alloc_local() ge

[PATCH v24 25/25] AppArmor: Remove the exclusive flag

2021-01-26 Thread Casey Schaufler
interferes in the multiple LSM case. Acked-by: Stephen Smalley Acked-by: John Johansen Reviewed-by: Kees Cook Signed-off-by: Casey Schaufler --- security/apparmor/lsm.c | 20 +--- 1 file changed, 1 insertion(+), 19 deletions(-) diff --git a/security/apparmor/lsm.c b/security/appa

[PATCH v24 24/25] LSM: Add /proc attr entry for full LSM context

2021-01-26 Thread Casey Schaufler
case none of the information will be displayed. Reviewed-by: Kees Cook Signed-off-by: Casey Schaufler Cc: linux-...@vger.kernel.org Cc: linux-...@vger.kernel.org --- Documentation/ABI/testing/procfs-attr-context | 14 Documentation/security/lsm.rst| 14 fs/p

[PATCH v24 23/25] Audit: Add a new record for multiple object LSM attributes

2021-01-26 Thread Casey Schaufler
(1601152467.009:1050): obj_selinux=unconfined_u:object_r:user_home_t:s0 Not all security modules that can provide object information do so in all cases. It is possible that a security module won't apply an object attribute in all cases. Signed-off-by: Casey Schaufler Cc: linux-au

[PATCH v24 22/25] Audit: Add new record for multiple process LSM attributes

2021-01-26 Thread Casey Schaufler
x even though it may not actually do so. Signed-off-by: Casey Schaufler To: p...@paul-moore.com To: linux-au...@redhat.com To: r...@redhat.com Cc: net...@vger.kernel.org --- drivers/android/binder.c| 2 +- include/linux/audit.h | 24 include/linux/security.h

[PATCH v24 21/25] audit: add support for non-syscall auxiliary records

2021-01-26 Thread Casey Schaufler
is discarded immediately after the local associated records are produced. Signed-off-by: Richard Guy Briggs Signed-off-by: Casey Schaufler Cc: linux-au...@redhat.com To: Richard Guy Briggs --- include/linux/audit.h | 8 kernel/audit.h| 1 + kernel/auditsc.c | 33

[PATCH v24 20/25] LSM: Verify LSM display sanity in binder

2021-01-26 Thread Casey Schaufler
Verify that the tasks on the ends of a binder transaction use the same "display" security module. This prevents confusion of security "contexts". Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley Acked-by: Paul Moore Signed-off-by: Casey Scha

[PATCH v24 11/25] LSM: Use lsmblob in security_inode_getsecid

2021-01-26 Thread Casey Schaufler
-by: Paul Moore Signed-off-by: Casey Schaufler Cc: linux-integr...@vger.kernel.org Cc: linux-au...@redhat.com --- include/linux/security.h| 7 --- kernel/auditsc.c| 6 +- security/integrity/ima/ima_policy.c | 4 +--- security/security.c | 11

[PATCH v24 02/25] LSM: Add the lsmblob data structure.

2021-01-26 Thread Casey Schaufler
. Acked-by: Stephen Smalley Acked-by: Paul Moore Acked-by: John Johansen Signed-off-by: Casey Schaufler Cc: Cc: linux-au...@redhat.com Cc: linux-security-mod...@vger.kernel.org Cc: seli...@vger.kernel.org To: Mimi Zohar --- include/linux/audit.h | 4 +- include/linux/lsm_ho

[PATCH v24 19/25] NET: Store LSM netlabel data in a lsmblob

2021-01-26 Thread Casey Schaufler
netlabel use the lsm_id.slot to access the correct secid when using netlabel. Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley Acked-by: Paul Moore Signed-off-by: Casey Schaufler Cc: net...@vger.kernel.org --- include/net/netlabel.h | 8 +-- net/ipv4

[PATCH v24 01/25] LSM: Infrastructure management of the sock security

2021-01-26 Thread Casey Schaufler
ore Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley Signed-off-by: Casey Schaufler --- include/linux/lsm_hooks.h | 1 + security/apparmor/include/net.h | 6 ++- security/apparmor/lsm.c | 38 --- security/security.c |

[PATCH v24 10/25] LSM: Use lsmblob in security_task_getsecid

2021-01-26 Thread Casey Schaufler
-by: Paul Moore Signed-off-by: Casey Schaufler Cc: linux-integr...@vger.kernel.org Cc: linux-au...@redhat.com Cc: net...@vger.kernel.org --- drivers/android/binder.c | 12 +- include/linux/security.h | 7 ++-- kernel/audit.c| 16 +++- kernel

[PATCH v24 00/25] LSM: Module stacking for AppArmor

2021-01-26 Thread Casey Schaufler
ate have the change within the "noise". The sockperf and dbench results are on the order of 0.2% to 0.8% difference, with better performance being as common as worse. The benchmarks were run with AppArmor and Smack on Ubuntu. https://github.com/cschaufler/lsm-stacking.git#stack-5.11

[PATCH v24 18/25] LSM: security_secid_to_secctx in netlink netfilter

2021-01-26 Thread Casey Schaufler
Change netlink netfilter interfaces to use lsmcontext pointers, and remove scaffolding. Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley Acked-by: Pablo Neira Ayuso Signed-off-by: Casey Schaufler Cc: net...@vger.kernel.org Cc: netfilter-de...@vger.kernel.org

[PATCH v24 09/25] LSM: Use lsmblob in security_ipc_getsecid

2021-01-26 Thread Casey Schaufler
-by: John Johansen Acked-by: Stephen Smalley Acked-by: Paul Moore Signed-off-by: Casey Schaufler Cc: linux-au...@redhat.com --- include/linux/security.h | 7 --- kernel/auditsc.c | 7 ++- security/security.c | 12 +--- 3 files changed, 19 insertions(+), 7 deletions

[PATCH v24 17/25] LSM: Use lsmcontext in security_inode_getsecctx

2021-01-26 Thread Casey Schaufler
Reviewed-by: John Johansen Signed-off-by: Casey Schaufler Cc: linux-...@vger.kernel.org --- fs/nfsd/nfs4xdr.c| 23 +-- include/linux/security.h | 5 +++-- security/security.c | 13 +++-- 3 files changed, 23 insertions(+), 18 deletions(-) diff --git a/fs/nfsd

[PATCH v24 08/25] LSM: Use lsmblob in security_secid_to_secctx

2021-01-26 Thread Casey Schaufler
a secid to a string, as can occur in the audit code. Signed-off-by: Casey Schaufler Cc: net...@vger.kernel.org Cc: linux-au...@redhat.com Cc: netfilter-de...@vger.kernel.org To: Pablo Neira Ayuso To: Paul Moore --- drivers/android/binder.c| 12 +- include/linux

[PATCH v24 07/25] LSM: Use lsmblob in security_secctx_to_secid

2021-01-26 Thread Casey Schaufler
the lsmblob. Signed-off-by: Casey Schaufler Cc: net...@vger.kernel.org Cc: netfilter-de...@vger.kernel.org To: Pablo Neira Ayuso --- include/linux/security.h | 26 ++-- kernel/cred.c | 4 +--- net/netfilter/nft_meta.c | 10 net/netfilter

[PATCH v24 16/25] LSM: Use lsmcontext in security_secid_to_secctx

2021-01-26 Thread Casey Schaufler
the new structure. Reviewed-by: Kees Cook Acked-by: Stephen Smalley Acked-by: Paul Moore Signed-off-by: Casey Schaufler Cc: net...@vger.kernel.org Cc: linux-au...@redhat.com Cc: netfilter-de...@vger.kernel.org --- drivers/android/binder.c| 26 +++- include/linux

[PATCH v24 06/25] LSM: Use lsmblob in security_kernel_act_as

2021-01-26 Thread Casey Schaufler
instead of a secid. Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley Acked-by: Paul Moore Signed-off-by: Casey Schaufler To: David Howells --- include/linux/cred.h | 3 ++- include/linux/security.h | 5 +++-- kernel/cred.c| 10 ++ security

[PATCH v24 15/25] LSM: Ensure the correct LSM context releaser

2021-01-26 Thread Casey Schaufler
allocates and destroys them on each use, whereas Smack provides a pointer to an entry in a list that never goes away. Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley Signed-off-by: Casey Schaufler Cc: linux-integr...@vger.kernel.org Cc: net...@vger.kernel.org Cc

[PATCH v24 04/25] IMA: avoid label collisions with stacked LSMs

2021-01-26 Thread Casey Schaufler
registered module that supports the audit_rule_match() LSM hook. Allow the user to specify in the IMA policy an lsm= option to specify the security module to use for a particular rule. Signed-off-by: Casey Schaufler To: Mimi Zohar To: linux-integr...@vger.kernel.org --- Documentation/ABI/testing

[PATCH v24 14/25] LSM: Specify which LSM to display

2021-01-26 Thread Casey Schaufler
"interface_lsm" requires that all security modules using setprocattr hooks allow the action. Each security module is responsible for defining its policy. AppArmor hook provided by John Johansen SELinux hook provided by Stephen Smalley Signed-off-by: Casey Schaufler Cc: Kees Cook Cc: S

[PATCH v24 05/25] LSM: Use lsmblob in security_audit_rule_match

2021-01-26 Thread Casey Schaufler
() is dropped. Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley Acked-by: Paul Moore Signed-off-by: Casey Schaufler Cc: linux-au...@redhat.com Cc: linux-integr...@vger.kernel.org To: Mimi Zohar --- include/linux/security.h| 7 --- kernel/auditfilter.c

[PATCH v24 13/25] IMA: Change internal interfaces to use lsmblobs

2021-01-26 Thread Casey Schaufler
The IMA interfaces ima_get_action() and ima_match_policy() call LSM functions that use lsmblobs. Change the IMA functions to pass the lsmblob to be compatible with the LSM functions. Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley Signed-off-by: Casey Schaufler Cc

[PATCH v24 03/25] LSM: provide lsm name and id slot mappings

2021-01-26 Thread Casey Schaufler
Provide interfaces to map LSM slot numbers and LSM names. Update the LSM registration code to save this information. Signed-off-by: Casey Schaufler --- include/linux/security.h | 4 security/security.c | 45 2 files changed, 49 insertions

[PATCH v24 12/25] LSM: Use lsmblob in security_cred_getsecid

2021-01-26 Thread Casey Schaufler
-by: Stephen Smalley Acked-by: Paul Moore Signed-off-by: Casey Schaufler Cc: linux-integr...@vger.kernel.org Cc: linux-au...@redhat.com --- include/linux/security.h | 2 +- kernel/audit.c| 25 +++ kernel/audit.h| 3 ++- kernel

Re: [PATCH] smackfs: restrict bytes count in smackfs write functions

2021-01-25 Thread Casey Schaufler
On 1/24/2021 6:36 AM, Sabyrzhan Tasbolatov wrote: > syzbot found WARNINGs in several smackfs write operations where > bytes count is passed to memdup_user_nul which exceeds > GFP MAX_ORDER. Check count size if bigger SMK_LONGLABEL, > for smk_write_syslog if bigger than PAGE_SIZE - 1. > >

Re: [RFC PATCH v2] selinux: security: Move selinux_state to a separate page

2021-01-12 Thread Casey Schaufler
On 1/12/2021 1:36 AM, pna...@codeaurora.org wrote: > On 2021-01-08 22:41, Casey Schaufler wrote: >> On 1/8/2021 1:49 AM, Preeti Nagar wrote: >>> The changes introduce a new security feature, RunTime Integrity Check >>> (RTIC), designed to protect Linux Kernel at runtime

Re: [RFC PATCH v2] selinux: security: Move selinux_state to a separate page

2021-01-08 Thread Casey Schaufler
On 1/8/2021 1:49 AM, Preeti Nagar wrote: > The changes introduce a new security feature, RunTime Integrity Check > (RTIC), designed to protect Linux Kernel at runtime. The motivation > behind these changes is: > 1. The system protection offered by SE for Android relies on the > assumption of

Re: [PATCH v23 02/23] LSM: Create and manage the lsmblob data structure.

2020-12-29 Thread Casey Schaufler
On 12/28/2020 5:53 PM, Mimi Zohar wrote: > On Mon, 2020-12-28 at 15:20 -0800, Casey Schaufler wrote: >> On 12/28/2020 2:14 PM, Mimi Zohar wrote: >>> On Mon, 2020-12-28 at 12:06 -0800, Casey Schaufler wrote: >>>> On 12/28/2020 11:24 AM, Mimi Zohar wrote: >>>&

Re: [PATCH v23 02/23] LSM: Create and manage the lsmblob data structure.

2020-12-28 Thread Casey Schaufler
On 12/28/2020 2:14 PM, Mimi Zohar wrote: > On Mon, 2020-12-28 at 12:06 -0800, Casey Schaufler wrote: >> On 12/28/2020 11:24 AM, Mimi Zohar wrote: >>> Hi Casey, >>> >>> On Fri, 2020-11-20 at 12:14 -0800, Casey Schaufler wrote: >>>> diff --git a/secu

Re: [PATCH v23 02/23] LSM: Create and manage the lsmblob data structure.

2020-12-28 Thread Casey Schaufler
On 12/28/2020 11:24 AM, Mimi Zohar wrote: > Hi Casey, > > On Fri, 2020-11-20 at 12:14 -0800, Casey Schaufler wrote: >> diff --git a/security/security.c b/security/security.c >> index 5da8b3643680..d01363cb0082 100644 >> --- a/security/security.c >> +++ b/sec

Re: [PATCH v23 02/23] LSM: Create and manage the lsmblob data structure.

2020-12-28 Thread Casey Schaufler
On 12/28/2020 9:54 AM, Mimi Zohar wrote: > Hi Casey, > > On Fri, 2020-11-20 at 12:14 -0800, Casey Schaufler wrote: >> When more than one security module is exporting data to >> audit and networking sub-systems a single 32 bit integer >> is no longer sufficient

[GIT PULL] Smack additional patch for v5.11

2020-12-22 Thread Casey Schaufler
-for-5.11 for you to fetch changes up to 942cb357ae7d9249088e3687ee6a00ed2745a0c7: Smack: Handle io_uring kernel thread privileges (2020-12-22 15:34:24 -0800) Casey Schaufler (1): Smack: Handle io_uring kernel thread privileges

[PATCH] Smack: Handle io_uring kernel thread privileges.

2020-12-17 Thread Casey Schaufler
Smack assumes that kernel threads are privileged for smackfs operations. This was necessary because the credential of the kernel thread was not related to a user operation. With io_uring the credential does reflect a user's rights and can be used. Suggested-by: Jens Axboe Signed-off-by: Casey

Re: [PATCH v2] proc: Allow pid_revalidate() during LOOKUP_RCU

2020-12-15 Thread Casey Schaufler
On 12/15/2020 2:04 PM, Eric W. Biederman wrote: > Casey Schaufler writes: > >> On 12/13/2020 3:00 PM, Paul Moore wrote: >>> On Sun, Dec 13, 2020 at 11:30 AM Matthew Wilcox wrote: >>>> On Sun, Dec 13, 2020 at 08:22:32AM -0600, Eric W. Biederman wr

[GIT PULL] Smack patches for v5.11

2020-12-15 Thread Casey Schaufler
Hello Linus Here are the Smack tree changes for the v5.11 release. There are no functional changes. There is a code clean-up and some function header comment corrections. -- The following changes since commit f8394f232b1eab649ce2df5c5f15b0e528c92091: Linux 5.10-rc3 (2020-11-08 16:10:16 -0800)

Re: [PATCH v2] proc: Allow pid_revalidate() during LOOKUP_RCU

2020-12-15 Thread Casey Schaufler
On 12/13/2020 3:00 PM, Paul Moore wrote: > On Sun, Dec 13, 2020 at 11:30 AM Matthew Wilcox wrote: >> On Sun, Dec 13, 2020 at 08:22:32AM -0600, Eric W. Biederman wrote: >>> Matthew Wilcox writes: >>> On Thu, Dec 03, 2020 at 04:02:12PM -0800, Stephen Brennan wrote: > -void

Re: [PATCH v2] proc: Allow pid_revalidate() during LOOKUP_RCU

2020-12-14 Thread Casey Schaufler
On 12/13/2020 8:29 AM, Matthew Wilcox wrote: > On Sun, Dec 13, 2020 at 08:22:32AM -0600, Eric W. Biederman wrote: >> Matthew Wilcox writes: >> >>> On Thu, Dec 03, 2020 at 04:02:12PM -0800, Stephen Brennan wrote: -void pid_update_inode(struct task_struct *task, struct inode *inode)

[PATCH v23 21/23] Audit: Add a new record for multiple object LSM attributes

2020-11-20 Thread Casey Schaufler
(1601152467.009:1050): obj_selinux=unconfined_u:object_r:user_home_t:s0 Not all security modules that can provide object information do so in all cases. It is possible that a security module won't apply an object attribute in all cases. Signed-off-by: Casey Schaufler Cc: linux-au

[PATCH v23 23/23] AppArmor: Remove the exclusive flag

2020-11-20 Thread Casey Schaufler
interferes in the multiple LSM case. Acked-by: Stephen Smalley Acked-by: John Johansen Reviewed-by: Kees Cook Signed-off-by: Casey Schaufler --- security/apparmor/lsm.c | 20 +--- 1 file changed, 1 insertion(+), 19 deletions(-) diff --git a/security/apparmor/lsm.c b/security/appa
