[PATCH] fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks

2017-02-17 Thread Stephen Smalley
generic_permission() presently checks CAP_DAC_OVERRIDE prior to CAP_DAC_READ_SEARCH. This can cause misleading audit messages when using a LSM such as SELinux or AppArmor, since CAP_DAC_OVERRIDE may not be required for the operation. Flip the order of the tests so that CAP_DAC_OVERRIDE is only

Re: [kernel-hardening] Re: [RFC v2 PATCH 1/2] security: introduce CONFIG_SECURITY_WRITABLE_HOOKS

2017-02-17 Thread Casey Schaufler
On 2/17/2017 7:05 AM, Tetsuo Handa wrote: > Casey Schaufler wrote: >> On 2/16/2017 3:00 AM, Tetsuo Handa wrote: >>> Casey Schaufler wrote: I can't say that I'm buying the value of the additional complexity here. Sure, you're protecting part of the data all the time, but you're

Re: [PATCH] prlimit, security, selinux: add a security hook for prlimit

2017-02-17 Thread Paul Moore
On Thu, Feb 16, 2017 at 10:24 PM, James Morris wrote: > On Thu, 16 Feb 2017, Stephen Smalley wrote: > >> When SELinux was first added to the kernel, a process could only get >> and set its own resource limits via getrlimit(2) and setrlimit(2), so no >> MAC checks were required

Re: [PATCH] libsepol/cil: Destroy cil_tree_node stacks when finished resolving AST

2017-02-17 Thread James Carter
On 02/08/2017 11:17 AM, James Carter wrote: CIL uses separate cil_tree_node stacks for optionals and blocks to check for statements not allowed in optionals or blocks and to know which optional to disable when necessary. But these stacks were not being destroyed when exiting cil_resolve_ast().

Re: [RFC v2 PATCH 2/2] security: mark LSM hooks as __ro_after_init

2017-02-17 Thread Stephen Smalley
On Wed, 2017-02-15 at 00:18 +1100, James Morris wrote: > Mark all of the registration hooks as __ro_after_init (via the __lsm_ro_after_init macro). > Signed-off-by: James Morris Acked-by: Stephen Smalley > --- > security/apparmor/lsm.c |

Re: [RFC v2 PATCH 1/2] security: introduce CONFIG_SECURITY_WRITABLE_HOOKS

2017-02-17 Thread Stephen Smalley
On Wed, 2017-02-15 at 00:17 +1100, James Morris wrote: > Subsequent patches will add RO hardening to LSM hooks, however, SELinux still needs to be able to perform runtime disablement after init to handle architectures where init-time disablement via boot parameters is not feasible.

Re: [kernel-hardening] Re: [RFC v2 PATCH 1/2] security: introduce CONFIG_SECURITY_WRITABLE_HOOKS

2017-02-17 Thread Tetsuo Handa
Casey Schaufler wrote: > On 2/16/2017 3:00 AM, Tetsuo Handa wrote: > > Casey Schaufler wrote: > >> I can't say that I'm buying the value of the additional > >> complexity here. Sure, you're protecting part of the data > >> all the time, but you're exposing part all the time, too. > > Will you

[PATCH] timerfd: only check CAP_WAKE_ALARM when it is needed

2017-02-17 Thread Stephen Smalley
timerfd_create() and do_timerfd_settime() presently always call capable(CAP_WAKE_ALARM) although CAP_WAKE_ALARM is only required for CLOCK_REALTIME_ALARM and CLOCK_BOOTTIME_ALARM. This can cause extraneous audit messages when using a LSM such as SELinux, incorrectly causes PF_SUPERPRIV to be set

[PATCH v2] prlimit,security,selinux: add a security hook for prlimit

2017-02-17 Thread Stephen Smalley
When SELinux was first added to the kernel, a process could only get and set its own resource limits via getrlimit(2) and setrlimit(2), so no MAC checks were required for those operations, and thus no security hooks were defined for them. Later, SELinux introduced a hook for setlimit(2) with a