If a user is accessing a file in selinuxfs with a pointer to a userspace
buffer that is backed by e.g. a userfaultfd, the userspace access can
stall indefinitely, which can block fsi->mutex if it is held.
For sel_read_policy(), remove the locking, since this method doesn't seem
to access anything
On Tue, Jun 26, 2018 at 2:15 PM Stephen Smalley wrote:
>
> On 06/25/2018 12:34 PM, Jann Horn wrote:
> > If a user is accessing a file in selinuxfs with a pointer to a userspace
> > buffer that is backed by e.g. a userfaultfd, the userspace access can
> > stall indefinitely, which can block
On Tue, Jun 26, 2018 at 12:36 AM Paul Moore wrote:
>
> On Mon, Jun 25, 2018 at 12:34 PM Jann Horn wrote:
> > If a user is accessing a file in selinuxfs with a pointer to a userspace
> > buffer that is backed by e.g. a userfaultfd, the userspace access can
> > stall indefinitely, which can block
On Fri, Jun 29, 2018 at 2:38 AM Paul Moore wrote:
>
> On Thu, Jun 28, 2018 at 8:23 PM Paul Moore wrote:
> > On Tue, Jun 26, 2018 at 8:15 AM Stephen Smalley wrote:
> > > On 06/25/2018 12:34 PM, Jann Horn wrote:
> > > > If a user is accessing a file in selinuxfs with a pointer to a userspace
> >
mls_context_to_sid incorrectly accepted MLS context strings that are
followed by a dash and trailing garbage.
Before this change, the following command works:
# mount -t tmpfs -o 'context=system_u:object_r:tmp_t:s0-s0:c0-BLAH' \
none mount
After this change, it fails with the following error
On Sat, Aug 4, 2018 at 2:01 AM Paul Moore wrote:
>
> On Fri, Aug 3, 2018 at 5:36 AM Jann Horn wrote:
> >
> > mls_context_to_sid incorrectly accepted MLS context strings that are
> > followed by a dash and trailing garbage.
> >
> > Before this change, the following command works:
> >
> > # mount
On Thu, Aug 16, 2018 at 11:51 AM Casey Schaufler
wrote:
>
> From: Casey Schaufler
>
> When switching between tasks it may be necessary
> to set an indirect branch prediction barrier if the
> tasks are potentially vulnerable to side-channel
> attacks. This adds a call to
On Thu, Aug 16, 2018 at 11:51 AM Casey Schaufler
wrote:
>
> From: Casey Schaufler
>
> The sidechannel LSM checks for cases where a side-channel
> attack may be dangerous based on security attributes of tasks.
> This includes:
> Effective UID of the tasks is different
> Capability
On Thu, Aug 16, 2018 at 11:52 AM Casey Schaufler
wrote:
>
> SELinux considers tasks to be side-channel safe if they
> have PROCESS_SHARE access.
>
> Signed-off-by: Casey Schaufler
> ---
> security/selinux/hooks.c | 9 +
> 1 file changed, 9 insertions(+)
>
> diff --git
The intended behavior change for this patch is to reject any MLS strings
that contain (trailing) garbage if p->mls_enabled is true.
As suggested by Paul Moore, change mls_context_to_sid() so that the two
parts of the range are extracted before the rest of the parsing. Because
now we don't have to
On Thu, Aug 9, 2018 at 4:07 AM Paul Moore wrote:
>
> On Wed, Aug 8, 2018 at 9:56 PM Paul Moore wrote:
> >
> > On Mon, Aug 6, 2018 at 5:19 PM Jann Horn wrote:
> > >
> > > The intended behavior change for this patch is to reject any MLS strings
> > > that contain (trailing) garbage if
On Mon, Aug 20, 2018 at 4:45 PM Schaufler, Casey
wrote:
>
> > -Original Message-
> > From: Jann Horn [mailto:ja...@google.com]
> > Sent: Friday, August 17, 2018 4:55 PM
> > To: Schaufler, Casey
> > Cc: Kernel Hardening ; kernel list
> > ; linux-security-module > mod...@vger.kernel.org>;
On Tue, Aug 21, 2018 at 2:05 AM Casey Schaufler
wrote:
>
> The sidechannel LSM checks for cases where a side-channel
> attack may be dangerous based on security attributes of tasks.
> This includes:
> Effective UID of the tasks is different
> Capability sets are different
>
On Sat, Aug 18, 2018 at 12:17 AM Casey Schaufler
wrote:
>
> From: Casey Schaufler
>
> When switching between tasks it may be necessary
> to set an indirect branch prediction barrier if the
> tasks are potentially vulnerable to side-channel
> attacks. This adds a call to
On Sat, Aug 18, 2018 at 12:17 AM Casey Schaufler
wrote:
>
> From: Casey Schaufler
>
> The sidechannel LSM checks for cases where a side-channel
> attack may be dangerous based on security attributes of tasks.
> This includes:
> Effective UID of the tasks is different
> Capability
On Sat, Aug 25, 2018 at 12:42 AM Casey Schaufler
wrote:
> +config SECURITY_SIDECHANNEL_CAPABILITIES
> + bool "Sidechannel check on capability sets"
> + depends on SECURITY_SIDECHANNEL
> + depends on !SECURITY_SIDECHANNEL_ALWAYS
> + default n
> + select
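Review bot: The `default n` line in the SECURITY_SIDECHANNEL_CAPABILITIES entry is redundant, since a Kconfig bool with no default statement is already n; it can be dropped without changing behaviour.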
On Tue, Aug 21, 2018 at 6:37 PM Schaufler, Casey
wrote:
>
> > -Original Message-
> > From: Jann Horn [mailto:ja...@google.com]
> > Sent: Tuesday, August 21, 2018 3:20 AM
> > To: Schaufler, Casey
> > Cc: Kernel Hardening ; kernel list
> > ; linux-security-module >
On Wed, Aug 22, 2018 at 1:44 AM Schaufler, Casey
wrote:
>
> > -Original Message-
> > From: Jann Horn [mailto:ja...@google.com]
> > Sent: Tuesday, August 21, 2018 10:24 AM
> > To: Schaufler, Casey
> > Cc: Kernel Hardening ; kernel list
> > ; linux-security-module >
On Wed, Sep 26, 2018 at 10:35 PM Casey Schaufler
wrote:
> A ptrace access check with mode PTRACE_MODE_SCHED gets called
> from process switching code. This precludes the use of audit,
> as the locking is incompatible. Don't do audit in the PTRACE_MODE_SCHED
> case.
Why is this separate from
+Jiri
On Thu, Sep 27, 2018 at 12:54 AM Schaufler, Casey
wrote:
> > -Original Message-
> > From: Jann Horn [mailto:ja...@google.com]
> > Sent: Wednesday, September 26, 2018 2:31 PM
> > To: Schaufler, Casey
> > Cc: Kernel Hardening ; kernel list
> > ; linux-security-module >
On Wed, Sep 26, 2018 at 10:35 PM Casey Schaufler
wrote:
> A ptrace access check with mode PTRACE_MODE_SCHED gets called
> from process switching code. This precludes the use of audit,
> as the locking is incompatible. Don't do audit in the PTRACE_MODE_SCHED
> case.
>
> Signed-off-by: Casey
On Wed, Sep 26, 2018 at 10:35 PM Casey Schaufler
wrote:
> Allow a complete ptrace access check with mode PTRACE_MODE_SCHED.
> Disable the inappropriate privilege check in the capability code
> that does incompatible locking.
What's that locking you're talking about?
> Signed-off-by: Casey
On Wed, Sep 26, 2018 at 11:16 PM Jann Horn wrote:
>
> On Wed, Sep 26, 2018 at 10:35 PM Casey Schaufler
> wrote:
> > A ptrace access check with mode PTRACE_MODE_SCHED gets called
> > from process switching code. This precludes the use of audit,
> > as the locking is incompatible. Don't do audit
Hi!
There is that old deadlock of cred_guard_mutex that I originally heard
about from Oleg, and that has come up on LKML sometimes since then; to
recap, essentially, the problem is demonstrated by the following
testcase:
#include
#include
#include
#include
#include
void
+cc selinux people explicitly, since they probably have opinions on this
On Tue, Oct 9, 2018 at 3:29 PM Christian Brauner wrote:
> On Tue, Oct 09, 2018 at 02:39:53PM +0200, Jann Horn wrote:
> > On Mon, Oct 8, 2018 at 8:18 PM Christian Brauner
> > wrote:
> > > On Mon, Oct 08, 2018 at 06:42:00PM
On Tue, Oct 9, 2018 at 3:49 PM Christian Brauner wrote:
>
> On Tue, Oct 09, 2018 at 03:36:04PM +0200, Jann Horn wrote:
> > +cc selinux people explicitly, since they probably have opinions on this
> >
> > On Tue, Oct 9, 2018 at 3:29 PM Christian Brauner
> > wrote:
> > > On Tue, Oct 09, 2018 at
On Tue, Oct 9, 2018 at 4:09 PM Christian Brauner wrote:
> On Tue, Oct 09, 2018 at 03:50:53PM +0200, Jann Horn wrote:
> > On Tue, Oct 9, 2018 at 3:49 PM Christian Brauner
> > wrote:
> > > On Tue, Oct 09, 2018 at 03:36:04PM +0200, Jann Horn wrote:
> > > > On Tue, Oct 9, 2018 at 3:29 PM Christian
On Tue, Oct 9, 2018 at 6:20 PM Christian Brauner wrote:
> On Tue, Oct 09, 2018 at 05:26:26PM +0200, Jann Horn wrote:
> > On Tue, Oct 9, 2018 at 4:09 PM Christian Brauner
> > wrote:
> > > On Tue, Oct 09, 2018 at 03:50:53PM +0200, Jann Horn wrote:
> > > > On Tue, Oct 9, 2018 at 3:49 PM Christian
On Wed, Oct 10, 2018 at 2:54 PM Christian Brauner wrote:
> On Tue, Oct 09, 2018 at 06:26:47PM +0200, Jann Horn wrote:
> > On Tue, Oct 9, 2018 at 6:20 PM Christian Brauner
> > wrote:
> > > On Tue, Oct 09, 2018 at 05:26:26PM +0200, Jann Horn wrote:
> > > > On Tue, Oct 9, 2018 at 4:09 PM Christian
On Wed, Oct 10, 2018 at 5:32 PM Paul Moore wrote:
> On Tue, Oct 9, 2018 at 9:36 AM Jann Horn wrote:
> > +cc selinux people explicitly, since they probably have opinions on this
>
> I just spent about twenty minutes working my way through this thread,
> and digging through the containers archive
On Thu, Oct 4, 2018 at 9:47 AM Jiri Kosina wrote:
> On Thu, 27 Sep 2018, Jann Horn wrote:
> > > Yes. Since the PTRACE_MODE_NOAUDIT was in PTRACE_MODE_IBPB in Jiri's
> > > previous patch set and not in PTRACE_MODE_SCHED in this one I assumed
> > > that there was a good reason for it.
> >
> > Jiri,
On Thu, Aug 9, 2018 at 3:56 AM Paul Moore wrote:
>
> On Mon, Aug 6, 2018 at 5:19 PM Jann Horn wrote:
> >
> > The intended behavior change for this patch is to reject any MLS strings
> > that contain (trailing) garbage if p->mls_enabled is true.
> >
> > As suggested by Paul Moore, change
On Fri, Sep 28, 2018 at 1:43 AM James Morris wrote:
> On Thu, 27 Sep 2018, Schaufler, Casey wrote:
> > > > On 9/27/2018 2:45 PM, James Morris wrote:
> > > > > On Wed, 26 Sep 2018, Casey Schaufler wrote:
> > > > >
> > > > >> + /*
> > > > >> + * Namespace checks. Considered safe if:
> >
On Thu, Sep 27, 2018 at 9:17 PM Casey Schaufler
wrote:
>
> From: Casey Schaufler
>
> The PTRACE_MODE_SCHED check erroneously returns 0 in
> all cases. It should be returning -EPERM. This fixes
> the logic to correct that error.
>
> Signed-off-by: Casey Schaufler
Reviewed-by: Jann Horn
> ---
34 matches