Re: travis CI

2017-10-12 Thread Stephen Smalley
On Thu, 2017-10-12 at 11:29 -0700, William Roberts wrote:
> I see a travis.yml file, recently modified by Nicolas, but I failed
> to
> find the Travis CI instance on travis.org, where is it?
> 
> We should likely have it running on commits to the repo and PRs so we
> can have some independent way of verifying that our run of the tests
> was not compromised by some env variation or mistake.
> 
> Thoughts?

To date he has just run it on his own fork.  Not opposed to enabling
it, just haven't looked into that...


Re: [PATCH net-next v3 5/5] selinux: bpf: Add addtional check for bpf object file receive

2017-10-12 Thread Chenbo Feng via Selinux
On Thu, Oct 12, 2017 at 5:25 AM, Stephen Smalley  wrote:
> On Wed, 2017-10-11 at 13:43 -0700, Chenbo Feng via Selinux wrote:
>> On Wed, Oct 11, 2017 at 5:54 AM, Stephen Smalley 
>> wrote:
>> > On Tue, 2017-10-10 at 17:09 -0700, Chenbo Feng wrote:
>> > > From: Chenbo Feng 
>> > >
>> > > Introduce a bpf object related check when sending and receiving
>> > > files
>> > > through unix domain socket as well as binder. It checks whether the
>> > > receiving
>> > > process has privilege to read/write the bpf map or use the bpf
>> > > program.
>> > > This check is necessary because the bpf maps and programs are
>> > > using an
>> > > anonymous inode as their shared inode, so the normal way of
>> > > checking
>> > > the
>> > > files and sockets when passing between processes cannot work
>> > > properly
>> > > on
>> > > eBPF objects. This check only works when BPF_SYSCALL is
>> > > configured.
>> > > The information stored inside the file security struct is the
>> > > same as
>> > > the information in the bpf object security struct.
>> > >
>> > > Signed-off-by: Chenbo Feng 
>> > > ---
>> > >  include/linux/lsm_hooks.h | 17 ++
>> > >  include/linux/security.h  |  9 ++
>> > >  kernel/bpf/syscall.c  | 27 ++--
>> > >  security/security.c   |  8 +
>> > >  security/selinux/hooks.c  | 67
>> > > +++
>> > >  security/selinux/include/objsec.h |  9 ++
>> > >  6 files changed, 135 insertions(+), 2 deletions(-)
>> > >
>> > > diff --git a/include/linux/lsm_hooks.h
>> > > b/include/linux/lsm_hooks.h
>> > > index 7161d8e7ee79..517dea60b87b 100644
>> > > --- a/include/linux/lsm_hooks.h
>> > > +++ b/include/linux/lsm_hooks.h
>> > > @@ -1385,6 +1385,19 @@
>> > >   * @bpf_prog_free_security:
>> > >   *   Clean up the security information stored inside bpf prog.
>> > >   *
>> > > + * @bpf_map_file:
>> > > + *   When creating a bpf map fd, set up the file security
>> > > information with
>> > > + *   the bpf security information stored in the map struct. So
>> > > when the map
>> > > + *   fd is passed between processes, the security module can
>> > > directly read
>> > > + *   the security information from file security struct rather
>> > > than the bpf
>> > > + *   security struct.
>> > > + *
>> > > + * @bpf_prog_file:
>> > > + *   When creating a bpf prog fd, set up the file security
>> > > information with
>> > > + *   the bpf security information stored in the prog struct. So
>> > > when the prog
>> > > + *   fd is passed between processes, the security module can
>> > > directly read
>> > > + *   the security information from file security struct rather
>> > > than the bpf
>> > > + *   security struct.
>> > >   */
>> > >  union security_list_options {
>> > >   int (*binder_set_context_mgr)(struct task_struct *mgr);
>> > > @@ -1726,6 +1739,8 @@ union security_list_options {
>> > >   void (*bpf_map_free_security)(struct bpf_map *map);
>> > >   int (*bpf_prog_alloc_security)(struct bpf_prog_aux *aux);
>> > >   void (*bpf_prog_free_security)(struct bpf_prog_aux *aux);
>> > > + void (*bpf_map_file)(struct bpf_map *map, struct file
>> > > *file);
>> > > + void (*bpf_prog_file)(struct bpf_prog_aux *aux, struct file
>> > > *file);
>> > >  #endif /* CONFIG_BPF_SYSCALL */
>> > >  };
>> > >
>> > > @@ -1954,6 +1969,8 @@ struct security_hook_heads {
>> > >   struct list_head bpf_map_free_security;
>> > >   struct list_head bpf_prog_alloc_security;
>> > >   struct list_head bpf_prog_free_security;
>> > > + struct list_head bpf_map_file;
>> > > + struct list_head bpf_prog_file;
>> > >  #endif /* CONFIG_BPF_SYSCALL */
>> > >  } __randomize_layout;
>> > >
>> > > diff --git a/include/linux/security.h b/include/linux/security.h
>> > > index 18800b0911e5..57573b794e2d 100644
>> > > --- a/include/linux/security.h
>> > > +++ b/include/linux/security.h
>> > > @@ -1740,6 +1740,8 @@ extern int security_bpf_map_alloc(struct
>> > > bpf_map *map);
>> > >  extern void security_bpf_map_free(struct bpf_map *map);
>> > >  extern int security_bpf_prog_alloc(struct bpf_prog_aux *aux);
>> > >  extern void security_bpf_prog_free(struct bpf_prog_aux *aux);
>> > > +extern void security_bpf_map_file(struct bpf_map *map, struct
>> > > file
>> > > *file);
>> > > +extern void security_bpf_prog_file(struct bpf_prog_aux *aux,
>> > > struct
>> > > file *file);
>> > >  #else
>> > >  static inline int security_bpf(int cmd, union bpf_attr *attr,
>> > >unsigned int size)
>> > > @@ -1772,6 +1774,13 @@ static inline int
>> > > security_bpf_prog_alloc(struct bpf_prog_aux *aux)
>> > >
>> > >  static inline void security_bpf_prog_free(struct bpf_prog_aux
>> > > *aux)
>> > >  { }
>> > > +
>> > > +static inline void security_bpf_map_file(struct bpf_map *map,
>> > > struct
>> > > file *file)
>> > > +{ }
>> > > +
>> > > 

travis CI

2017-10-12 Thread William Roberts
I see a travis.yml file, recently modified by Nicolas, but I failed to
find the Travis CI instance on travis.org, where is it?

We should likely have it running on commits to the repo and PRs so we
can have some independent way of verifying that our run of the tests
was not compromised by some env variation or mistake.

Thoughts?

Bill



Re: [PATCH] semodule-utils: remove semodule_deps

2017-10-12 Thread William Roberts
Applied: https://github.com/SELinuxProject/selinux/pull/65

On Tue, Oct 3, 2017 at 7:21 AM, Stephen Smalley  wrote:
> As discussed in https://github.com/SELinuxProject/selinux/issues/64,
> semodule_deps has apparently been broken for a very long time for
> binary modules and is completely irrelevant for CIL modules.  If there
> are any users of it, they ought to be rewritten anyway since it is
> not producing correct dependency information, and the ultimate goal
> is to stop using binary modules altogether so it is not worth fixing.
> Remove it to avoid any further broken usage.
>
> Signed-off-by: Stephen Smalley 
> ---
>  semodule-utils/.gitignore|   1 -
>  semodule-utils/Makefile  |   2 +-
>  semodule-utils/semodule_deps/Makefile|  28 --
>  semodule-utils/semodule_deps/semodule_deps.8 |  46 ---
>  semodule-utils/semodule_deps/semodule_deps.c | 401 
> ---
>  5 files changed, 1 insertion(+), 477 deletions(-)
>  delete mode 100644 semodule-utils/semodule_deps/Makefile
>  delete mode 100644 semodule-utils/semodule_deps/semodule_deps.8
>  delete mode 100644 semodule-utils/semodule_deps/semodule_deps.c
>
> diff --git a/semodule-utils/.gitignore b/semodule-utils/.gitignore
> index 1667564..6ec4efe 100644
> --- a/semodule-utils/.gitignore
> +++ b/semodule-utils/.gitignore
> @@ -1,5 +1,4 @@
>  semodule_package/semodule_package
>  semodule_package/semodule_unpackage
> -semodule_deps/semodule_deps
>  semodule_expand/semodule_expand
>  semodule_link/semodule_link
> diff --git a/semodule-utils/Makefile b/semodule-utils/Makefile
> index 6bf4aee..e0a6579 100644
> --- a/semodule-utils/Makefile
> +++ b/semodule-utils/Makefile
> @@ -1,4 +1,4 @@
> -SUBDIRS = semodule_package semodule_link semodule_expand semodule_deps
> +SUBDIRS = semodule_package semodule_link semodule_expand
>
>  all install relabel clean indent:
> @for subdir in $(SUBDIRS); do \
> diff --git a/semodule-utils/semodule_deps/Makefile 
> b/semodule-utils/semodule_deps/Makefile
> deleted file mode 100644
> index 328a503..000
> --- a/semodule-utils/semodule_deps/Makefile
> +++ /dev/null
> @@ -1,28 +0,0 @@
> -# Installation directories.
> -PREFIX ?= $(DESTDIR)/usr
> -INCLUDEDIR ?= $(PREFIX)/include
> -BINDIR ?= $(PREFIX)/bin
> -LIBDIR ?= $(PREFIX)/lib
> -MANDIR ?= $(PREFIX)/share/man
> -LIBSEPOLA ?= $(LIBDIR)/libsepol.a
> -
> -CFLAGS ?= -Werror -Wall -W
> -
> -all: semodule_deps
> -
> -semodule_deps:  semodule_deps.o $(LIBSEPOLA)
> -
> -install: all
> -   -mkdir -p $(BINDIR)
> -   install -m 755 semodule_deps $(BINDIR)
> -   test -d $(MANDIR)/man8 || install -m 755 -d $(MANDIR)/man8
> -   install -m 644 semodule_deps.8 $(MANDIR)/man8/
> -
> -relabel:
> -
> -clean:
> -   -rm -f semodule_deps *.o
> -
> -indent:
> -   ../../scripts/Lindent $(wildcard *.[ch])
> -
> diff --git a/semodule-utils/semodule_deps/semodule_deps.8 
> b/semodule-utils/semodule_deps/semodule_deps.8
> deleted file mode 100644
> index 6f21a64..000
> --- a/semodule-utils/semodule_deps/semodule_deps.8
> +++ /dev/null
> @@ -1,46 +0,0 @@
> -.TH SEMODULE_DEPS "8" "June 2006" "Security Enhanced Linux" NSA
> -.SH NAME
> -semodule_deps \- show the dependencies between SELinux policy packages.
> -
> -.SH SYNOPSIS
> -.B semodule_deps [\-v \-g \-b] basemodpkg modpkg1 [modpkg2 ... ]
> -.br
> -.SH DESCRIPTION
> -.PP
> -semodule_deps is a developer tool for showing the dependencies
> -between policy packages. For each module it prints a list of
> -modules that must be present for a module's requirements to
> -be satisfied. It only deals with requirements, not optional
> -dependencies.
> -
> -In order for semodule_deps to give useful information the list
> -of packages passed in cannot have unsatisfied dependencies. In
> -general this means that the list of modules will usually be
> -quite long.
> -
> -By default options to the base module are excluded as almost every
> -module has this dependency. The \-b option will include these
> -dependencies.
> -
> -In addition to human readable output, semodule_deps can output the
> -dependencies in the Graphviz dot format (http://www.graphviz.org/)
> -using the \-g option. This is useful for producing a picture of the
> -dependencies.
> -
> -.SH "OPTIONS"
> -.TP
> -.B \-v
> -verbose mode
> -.TP
> -.B \-g
> -output dependency information in Graphviz dot format
> -.TP
> -.B \-b
> -include dependencies to the base module - by default these are excluded
> -
> -.SH SEE ALSO
> -.B checkmodule(8), semodule_package(8), semodule(8), semodule_link(8)
> -.SH AUTHORS
> -.nf
> -This manual page was written by Karl MacMillan 
> .
> -The program was written by Karl MacMillan .
> diff --git a/semodule-utils/semodule_deps/semodule_deps.c 
> b/semodule-utils/semodule_deps/semodule_deps.c
> deleted file mode 100644
> index 7a7ff2f..000
> --- 

Re: [PATCH net-next v3 5/5] selinux: bpf: Add addtional check for bpf object file receive

2017-10-12 Thread Stephen Smalley
On Wed, 2017-10-11 at 13:43 -0700, Chenbo Feng via Selinux wrote:
> On Wed, Oct 11, 2017 at 5:54 AM, Stephen Smalley 
> wrote:
> > On Tue, 2017-10-10 at 17:09 -0700, Chenbo Feng wrote:
> > > From: Chenbo Feng 
> > > 
> > > Introduce a bpf object related check when sending and receiving
> > > files
> > > through unix domain socket as well as binder. It checks whether the
> > > receiving
> > > process has privilege to read/write the bpf map or use the bpf
> > > program.
> > > This check is necessary because the bpf maps and programs are
> > > using an
> > > anonymous inode as their shared inode, so the normal way of
> > > checking
> > > the
> > > files and sockets when passing between processes cannot work
> > > properly
> > > on
> > > eBPF objects. This check only works when BPF_SYSCALL is
> > > configured.
> > > The information stored inside the file security struct is the
> > > same as
> > > the information in the bpf object security struct.
> > > 
> > > Signed-off-by: Chenbo Feng 
> > > ---
> > >  include/linux/lsm_hooks.h | 17 ++
> > >  include/linux/security.h  |  9 ++
> > >  kernel/bpf/syscall.c  | 27 ++--
> > >  security/security.c   |  8 +
> > >  security/selinux/hooks.c  | 67
> > > +++
> > >  security/selinux/include/objsec.h |  9 ++
> > >  6 files changed, 135 insertions(+), 2 deletions(-)
> > > 
> > > diff --git a/include/linux/lsm_hooks.h
> > > b/include/linux/lsm_hooks.h
> > > index 7161d8e7ee79..517dea60b87b 100644
> > > --- a/include/linux/lsm_hooks.h
> > > +++ b/include/linux/lsm_hooks.h
> > > @@ -1385,6 +1385,19 @@
> > >   * @bpf_prog_free_security:
> > >   *   Clean up the security information stored inside bpf prog.
> > >   *
> > > + * @bpf_map_file:
> > > + *   When creating a bpf map fd, set up the file security
> > > information with
> > > + *   the bpf security information stored in the map struct. So
> > > when the map
> > > + *   fd is passed between processes, the security module can
> > > directly read
> > > + *   the security information from file security struct rather
> > > than the bpf
> > > + *   security struct.
> > > + *
> > > + * @bpf_prog_file:
> > > + *   When creating a bpf prog fd, set up the file security
> > > information with
> > > + *   the bpf security information stored in the prog struct. So
> > > when the prog
> > > + *   fd is passed between processes, the security module can
> > > directly read
> > > + *   the security information from file security struct rather
> > > than the bpf
> > > + *   security struct.
> > >   */
> > >  union security_list_options {
> > >   int (*binder_set_context_mgr)(struct task_struct *mgr);
> > > @@ -1726,6 +1739,8 @@ union security_list_options {
> > >   void (*bpf_map_free_security)(struct bpf_map *map);
> > >   int (*bpf_prog_alloc_security)(struct bpf_prog_aux *aux);
> > >   void (*bpf_prog_free_security)(struct bpf_prog_aux *aux);
> > > + void (*bpf_map_file)(struct bpf_map *map, struct file
> > > *file);
> > > + void (*bpf_prog_file)(struct bpf_prog_aux *aux, struct file
> > > *file);
> > >  #endif /* CONFIG_BPF_SYSCALL */
> > >  };
> > > 
> > > @@ -1954,6 +1969,8 @@ struct security_hook_heads {
> > >   struct list_head bpf_map_free_security;
> > >   struct list_head bpf_prog_alloc_security;
> > >   struct list_head bpf_prog_free_security;
> > > + struct list_head bpf_map_file;
> > > + struct list_head bpf_prog_file;
> > >  #endif /* CONFIG_BPF_SYSCALL */
> > >  } __randomize_layout;
> > > 
> > > diff --git a/include/linux/security.h b/include/linux/security.h
> > > index 18800b0911e5..57573b794e2d 100644
> > > --- a/include/linux/security.h
> > > +++ b/include/linux/security.h
> > > @@ -1740,6 +1740,8 @@ extern int security_bpf_map_alloc(struct
> > > bpf_map *map);
> > >  extern void security_bpf_map_free(struct bpf_map *map);
> > >  extern int security_bpf_prog_alloc(struct bpf_prog_aux *aux);
> > >  extern void security_bpf_prog_free(struct bpf_prog_aux *aux);
> > > +extern void security_bpf_map_file(struct bpf_map *map, struct
> > > file
> > > *file);
> > > +extern void security_bpf_prog_file(struct bpf_prog_aux *aux,
> > > struct
> > > file *file);
> > >  #else
> > >  static inline int security_bpf(int cmd, union bpf_attr *attr,
> > >    unsigned int size)
> > > @@ -1772,6 +1774,13 @@ static inline int
> > > security_bpf_prog_alloc(struct bpf_prog_aux *aux)
> > > 
> > >  static inline void security_bpf_prog_free(struct bpf_prog_aux
> > > *aux)
> > >  { }
> > > +
> > > +static inline void security_bpf_map_file(struct bpf_map *map,
> > > struct
> > > file *file)
> > > +{ }
> > > +
> > > +static inline void security_bpf_prog_file(struct bpf_prog_aux
> > > *aux,
> > > +   struct file *file)
> > > +{ }
> > >  #endif /* CONFIG_SECURITY */
> > > 

Re: [PATCH net-next 2/4] security: bpf: Add LSM hooks for bpf object related syscall

2017-10-12 Thread James Morris
On Wed, 4 Oct 2017, Chenbo Feng wrote:

>  int bpf_map_new_fd(struct bpf_map *map, int flags)
>  {
> + if (security_bpf_map(map, OPEN_FMODE(flags)))
> + return -EPERM;
> +

Don't hardcode -EPERM here, return the actual error from 
security_bpf_map().

> + if (security_bpf_prog(prog))
> + return -EPERM;
> +

Same.

> + err = security_bpf(cmd, , size);
> + if (err)
> + return -EPERM;

Same.


- James



Re: [PATCH net-next v3 5/5] selinux: bpf: Add addtional check for bpf object file receive

2017-10-12 Thread Chenbo Feng via Selinux
On Wed, Oct 11, 2017 at 5:54 AM, Stephen Smalley  wrote:
> On Tue, 2017-10-10 at 17:09 -0700, Chenbo Feng wrote:
>> From: Chenbo Feng 
>>
>> Introduce a bpf object related check when sending and receiving files
>> through unix domain socket as well as binder. It checks whether the
>> receiving
>> process has privilege to read/write the bpf map or use the bpf
>> program.
>> This check is necessary because the bpf maps and programs are using an
>> anonymous inode as their shared inode, so the normal way of checking
>> the
>> files and sockets when passing between processes cannot work properly
>> on
>> eBPF objects. This check only works when BPF_SYSCALL is
>> configured.
>> The information stored inside the file security struct is the same as
>> the information in the bpf object security struct.
>>
>> Signed-off-by: Chenbo Feng 
>> ---
>>  include/linux/lsm_hooks.h | 17 ++
>>  include/linux/security.h  |  9 ++
>>  kernel/bpf/syscall.c  | 27 ++--
>>  security/security.c   |  8 +
>>  security/selinux/hooks.c  | 67
>> +++
>>  security/selinux/include/objsec.h |  9 ++
>>  6 files changed, 135 insertions(+), 2 deletions(-)
>>
>> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
>> index 7161d8e7ee79..517dea60b87b 100644
>> --- a/include/linux/lsm_hooks.h
>> +++ b/include/linux/lsm_hooks.h
>> @@ -1385,6 +1385,19 @@
>>   * @bpf_prog_free_security:
>>   *   Clean up the security information stored inside bpf prog.
>>   *
>> + * @bpf_map_file:
>> + *   When creating a bpf map fd, set up the file security
>> information with
>> + *   the bpf security information stored in the map struct. So
>> when the map
>> + *   fd is passed between processes, the security module can
>> directly read
>> + *   the security information from file security struct rather
>> than the bpf
>> + *   security struct.
>> + *
>> + * @bpf_prog_file:
>> + *   When creating a bpf prog fd, set up the file security
>> information with
>> + *   the bpf security information stored in the prog struct. So
>> when the prog
>> + *   fd is passed between processes, the security module can
>> directly read
>> + *   the security information from file security struct rather
>> than the bpf
>> + *   security struct.
>>   */
>>  union security_list_options {
>>   int (*binder_set_context_mgr)(struct task_struct *mgr);
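Review bot: The new @bpf_map_file and @bpf_prog_file entries say what is copied into the file security struct but not when that happens relative to the fd being handed to userspace, nor whether the file-side copy follows later changes to the object's own security struct, which matters because the commit message asserts the two hold the same information. Assuming the copy is taken once at fd creation (the hook placement suggests this; confirm against the syscall.c callers), add to each entry a sentence such as `Called once when the fd is created; the file security blob is initialised from the object's blob at that point and is not refreshed afterwards, so the two are only guaranteed equal while the object's blob is not changed after allocation.` The hunk ends inside union security_list_options, whose body continues outside it.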
>> @@ -1726,6 +1739,8 @@ union security_list_options {
>>   void (*bpf_map_free_security)(struct bpf_map *map);
>>   int (*bpf_prog_alloc_security)(struct bpf_prog_aux *aux);
>>   void (*bpf_prog_free_security)(struct bpf_prog_aux *aux);
>> + void (*bpf_map_file)(struct bpf_map *map, struct file
>> *file);
>> + void (*bpf_prog_file)(struct bpf_prog_aux *aux, struct file
>> *file);
>>  #endif /* CONFIG_BPF_SYSCALL */
>>  };
>>
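Review bot: Both added hook pointers return `void`, so an LSM that must allocate, or can otherwise fail, while populating the file security blob has no way to report it and the fd is still created with an unlabelled or partially labelled file; the setup hooks immediately above (`bpf_map_alloc_security`, `bpf_prog_alloc_security`) follow the convention of returning int for that case. Suggest `int (*bpf_map_file)(struct bpf_map *map, struct file *file);` and `int (*bpf_prog_file)(struct bpf_prog_aux *aux, struct file *file);`, with the security.h wrappers and the syscall.c callers propagating the error instead of installing the fd, or, if the hooks are meant to be infallible, a sentence in the @bpf_map_file/@bpf_prog_file doc saying so. The enclosing union starts outside this hunk.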
>> @@ -1954,6 +1969,8 @@ struct security_hook_heads {
>>   struct list_head bpf_map_free_security;
>>   struct list_head bpf_prog_alloc_security;
>>   struct list_head bpf_prog_free_security;
>> + struct list_head bpf_map_file;
>> + struct list_head bpf_prog_file;
>>  #endif /* CONFIG_BPF_SYSCALL */
>>  } __randomize_layout;
>>
>> diff --git a/include/linux/security.h b/include/linux/security.h
>> index 18800b0911e5..57573b794e2d 100644
>> --- a/include/linux/security.h
>> +++ b/include/linux/security.h
>> @@ -1740,6 +1740,8 @@ extern int security_bpf_map_alloc(struct
>> bpf_map *map);
>>  extern void security_bpf_map_free(struct bpf_map *map);
>>  extern int security_bpf_prog_alloc(struct bpf_prog_aux *aux);
>>  extern void security_bpf_prog_free(struct bpf_prog_aux *aux);
>> +extern void security_bpf_map_file(struct bpf_map *map, struct file
>> *file);
>> +extern void security_bpf_prog_file(struct bpf_prog_aux *aux, struct
>> file *file);
>>  #else
>>  static inline int security_bpf(int cmd, union bpf_attr *attr,
>>unsigned int size)
>> @@ -1772,6 +1774,13 @@ static inline int
>> security_bpf_prog_alloc(struct bpf_prog_aux *aux)
>>
>>  static inline void security_bpf_prog_free(struct bpf_prog_aux *aux)
>>  { }
>> +
>> +static inline void security_bpf_map_file(struct bpf_map *map, struct
>> file *file)
>> +{ }
>> +
>> +static inline void security_bpf_prog_file(struct bpf_prog_aux *aux,
>> +   struct file *file)
>> +{ }
>>  #endif /* CONFIG_SECURITY */
>>  #endif /* CONFIG_BPF_SYSCALL */
>>
>> diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
>> index 1cf31ddd7616..aee69e564c50 100644
>> --- a/kernel/bpf/syscall.c
>> +++ b/kernel/bpf/syscall.c
>> @@ -324,11 +324,22 @@ static const struct file_operations
>> bpf_map_fops = {
>>
>>  int bpf_map_new_fd(struct bpf_map *map, int flags)
>>  {
>> + int fd;
>> + struct fd f;
>>   if (security_bpf_map(map, OPEN_FMODE(flags)))
>>   return -EPERM;
>>
>>