re
> from_kuid(_user_ns, audit_get_loginuid(current)),
> - audit_get_sessionid(current));
> + audit_get_sessionid(current), 0, 1);
> }
>
> length = count;
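Review bot: the two trailing arguments added in `audit_get_sessionid(current), 0, 1);` are bare literals whose meaning is not visible in the hunk; a named constant for each (or a one-line comment at the call site) would make the intent of the new call reviewable without opening the callee.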
> --
> 1.8.3.1
>
> --
> Linux-audit mailing list
> linux-au...@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
--
Ondrej Mosnacek
Associate Software Engineer, Security Technologies
Red Hat, Inc.
2018-04-16 16:11 GMT+02:00 Richard Guy Briggs <r...@redhat.com>:
> On 2018-04-16 09:26, Ondrej Mosnacek wrote:
>> 2018-04-10 1:34 GMT+02:00 Richard Guy Briggs <r...@redhat.com>:
>> > There were two formats of the audit MAC_STATUS record, one of which was
>>
a1616f ("selinux: Create policydb version for Infiniband support")
Signed-off-by: Ondrej Mosnacek
---
security/selinux/ss/policydb.c | 28 +++-
1 file changed, 15 insertions(+), 13 deletions(-)
Changes in v2:
- add reproducer to commit message
- update e-mail
The kernel checks if the port is in the range 1-255 when loading an
ibendportcon rule. Add the same check to libsepol.
Fixes: 118c0cd1038e ("libsepol: Add ibendport ocontext handling")
Signed-off-by: Ondrej Mosnacek
---
libsepol/src/policydb.c | 11 +--
1 file changed, 9 insert
On Fri, Oct 19, 2018 at 4:26 PM Stephen Smalley wrote:
> On 10/18/2018 03:47 AM, Ondrej Mosnacek wrote:
> > Do the LE conversions before doing the Infiniband-related range checks.
> > The incorrect checks are otherwise causing a failure to load any policy
> > with
On Sat, Oct 20, 2018 at 3:05 AM William Roberts
wrote:
> On Fri, Oct 19, 2018 at 7:28 AM Stephen Smalley wrote:
> >
> > On 10/18/2018 03:47 AM, Ondrej Mosnacek wrote:
> > > Do the LE conversions before doing the Infiniband-related range checks.
> > > The incor
is
Cc: Doug Ledford
Cc: # 4.13+
Fixes: a806f7a1616f ("selinux: Create policydb version for Infiniband support")
Signed-off-by: Ondrej Mosnacek
---
security/selinux/ss/policydb.c | 51 --
1 file changed, 36 insertions(+), 15 deletions(-)
Changes in v
On Mon, Oct 22, 2018 at 4:49 PM William Roberts
wrote:
> On Mon, Oct 22, 2018 at 1:18 AM Ondrej Mosnacek wrote:
> >
> > The kernel checks if the port is in the range 1-255 when loading an
> > ibendportcon rule. Add the same check to libsepol.
> >
> > Fixes: 118c0
The kernel checks if the port is in the range 1-255 when loading an
ibendportcon rule. Add the same check to libsepol.
Fixes: 118c0cd1038e ("libsepol: Add ibendport ocontext handling")
Signed-off-by: Ondrej Mosnacek
---
libsepol/src/policydb.c | 11 +--
1 file changed, 9 insert
On Tue, Oct 16, 2018 at 4:19 PM Ondrej Mosnacek wrote:
> On Tue, Oct 16, 2018 at 2:53 PM Stephen Smalley wrote:
> > On 10/16/2018 03:09 AM, Ondrej Mosnacek wrote:
> > > Add missing LE conversions to the Infiniband-related range checks. These
> > > were causing a
On Wed, Oct 17, 2018 at 6:07 PM William Roberts
wrote:
> On Wed, Oct 17, 2018 at 7:48 AM Ondrej Mosnacek wrote:
> >
> > We need to convert from little-endian before doing range checks on the
> > ibpkey port numbers, otherwise we would be checking a wrong value.
> &
We need to convert from little-endian before doing range checks on the
ibpkey port numbers, otherwise we would be checking a wrong value on
big-endian systems.
Fixes: 9fbb3112769a ("libsepol: Add ibpkey ocontext handling")
Signed-off-by: Ondrej Mosnacek
---
libsepol/src/polic
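Why the order "convert, then range-check" matters for the ibpkey and ibendport fixes above, as an added example that is not libsepol's or the kernel's own code: a policy field stored little-endian on disk looks like a small number only on a little-endian host, so a reader that range-checks the raw bytes passes there and rejects every valid record on a big-endian host. The record layout, the function names and the sample bytes below are constructed for this illustration; the 1-255 port range is the one the thread cites for ibendportcon. The buggy reader takes a flag that simulates the host byte order, so the failure is reproducible on any machine.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Read a 32-bit little-endian field from a byte buffer, independent of host
 * byte order. (On-disk fields are assumed little-endian here; that is the
 * conversion the patches add before their range checks.) */
static uint32_t rd_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint32_t swap_bytes32(uint32_t v)
{
    return (v >> 24) | ((v >> 8) & 0x0000ff00u) |
           ((v << 8) & 0x00ff0000u) | (v << 24);
}

/* Value a reader sees for the port field if it skips the LE conversion and
 * interprets the bytes in host order; host_big_endian simulates the host. */
static uint32_t port_unconverted(const unsigned char *rec, int host_big_endian)
{
    uint32_t le = rd_le32(rec);
    return host_big_endian ? swap_bytes32(le) : le;
}

/* Port range the kernel enforces for ibendportcon (1-255, per the thread). */
static int ibendport_port_ok(uint32_t port)
{
    return port >= 1 && port <= 255;
}

/* Hypothetical record layout (constructed for this example):
 *   [u32 LE port][u32 LE dev_name_len][dev_name bytes]
 * Fixed reader: convert first, then range-check. Returns 0 on success, -1 on
 * a truncated record or an out-of-range port. */
static int parse_ibendport_fixed(const unsigned char *rec, size_t len,
                                 uint32_t *port_out)
{
    if (len < 8)
        return -1;
    uint32_t port = rd_le32(rec);
    if (!ibendport_port_ok(port))
        return -1;
    uint32_t name_len = rd_le32(rec + 4);
    if (name_len > len - 8)
        return -1;
    *port_out = port;
    return 0;
}

/* Buggy reader: range-checks the unconverted value. Correct by accident on a
 * little-endian host, rejects every valid port on a big-endian one. */
static int parse_ibendport_buggy(const unsigned char *rec, size_t len,
                                 int host_big_endian, uint32_t *port_out)
{
    if (len < 8)
        return -1;
    uint32_t port = port_unconverted(rec, host_big_endian);
    if (!ibendport_port_ok(port))
        return -1;
    *port_out = port;
    return 0;
}

/* Constructed sample records (not real policy data). */
static const unsigned char rec_port1[] = {
    0x01, 0x00, 0x00, 0x00,   /* port = 1 (LE) */
    0x04, 0x00, 0x00, 0x00,   /* dev_name_len = 4 */
    'm', 'l', 'x', '5'
};
static const unsigned char rec_port256[] = {
    0x00, 0x01, 0x00, 0x00,   /* port = 256 (LE): out of range */
    0x00, 0x00, 0x00, 0x00    /* dev_name_len = 0 */
};

int main(void)
{
    uint32_t p = 0;
    printf("fixed reader, port 1:   %d\n",
           parse_ibendport_fixed(rec_port1, sizeof rec_port1, &p));
    printf("buggy reader, LE host:  %d\n",
           parse_ibendport_buggy(rec_port1, sizeof rec_port1, 0, &p));
    printf("buggy reader, BE host:  %d (saw port %u)\n",
           parse_ibendport_buggy(rec_port1, sizeof rec_port1, 1, &p),
           port_unconverted(rec_port1, 1));
    printf("fixed reader, port 256: %d\n",
           parse_ibendport_fixed(rec_port256, sizeof rec_port256, &p));
    return 0;
}
```

The simulated big-endian reader sees 0x01000000 for a stored port of 1 and rejects the record, which is the "failure to load any policy with an ibendportcon rule on BE systems" the thread describes; the fixed reader gives the same answer on either host.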
is
Cc: Doug Ledford
Cc: # 4.13+
Fixes: a806f7a1616f ("selinux: Create policydb version for Infiniband support")
Signed-off-by: Ondrej Mosnacek
---
security/selinux/ss/policydb.c | 46 +++---
1 file changed, 32 insertions(+), 14 deletions(-)
Changes in v4:
-
is
Cc: Doug Ledford
Cc: # 4.13+
Fixes: a806f7a1616f ("selinux: Create policydb version for Infiniband support")
Signed-off-by: Ondrej Mosnacek
---
security/selinux/ss/policydb.c | 41 ++
1 file changed, 27 insertions(+), 14 deletions(-)
Changes in v3:
On Tue, Oct 16, 2018 at 2:53 PM Stephen Smalley wrote:
> On 10/16/2018 03:09 AM, Ondrej Mosnacek wrote:
> > Add missing LE conversions to the Infiniband-related range checks. These
> > were causing a failure to load any policy with an ibendportcon rule on
> > BE systems. T
We need to convert from little-endian before doing range checks on the
ibpkey port numbers, otherwise we would be checking a wrong value.
Fixes: 9fbb3112769a ("libsepol: Add ibpkey ocontext handling")
Signed-off-by: Ondrej Mosnacek
---
libsepol/src/policydb.c | 14 ++
1 fi
is
Cc: Doug Ledford
Cc: # 4.13+
Fixes: a806f7a1616f ("selinux: Create policydb version for Infiniband support")
Signed-off-by: Ondrej Mosnacek
---
security/selinux/ss/policydb.c | 51 --
1 file changed, 36 insertions(+), 15 deletions(-)
Changes in v
to deal with sidtab
growing while we are allocating a new one.
Reported-by: Orion Poplawski
Reported-by: Li Kun
Link: https://github.com/SELinuxProject/selinux-kernel/issues/38
Signed-off-by: Ondrej Mosnacek
---
security/selinux/ss/mls.c | 16 ++---
security/selinux/ss/mls.h | 3 +-
s
On Wed, Oct 31, 2018 at 1:28 PM Ondrej Mosnacek wrote:
> Before this patch, during a policy reload the sidtab would become frozen
> and trying to map a new context to SID would be unable to add a new
> entry to sidtab and fail with -ENOMEM.
>
> Such failures are usually propagated
```bash
# Reproducer: three workers keep mapping fresh MLS contexts (new sidtab
# entries) while the policy is reloaded in a loop. The rand_cat header was
# cut off in the excerpt and is restored here so the script runs.
function rand_cat() {
    echo $(( $RANDOM % 1024 ))
}
function do_work() {
    while runcon -l s0:c$(rand_cat),c$(rand_cat) echo -n x; do :; done
}
do_work >/dev/null &
do_work >/dev/null &
do_work >/dev/null &
while load_policy; do echo -n .; sleep 0.1; done
kill %1
kill %2
kill %3
```
--
Ondrej Mosnace
handle the unified
lookup in both sidtab and isidtab, simplifying the sidtab interface.
Signed-off-by: Ondrej Mosnacek
---
security/selinux/include/security.h | 3 +
security/selinux/ss/mls.c | 6 +-
security/selinux/ss/mls.h | 2 +-
security/selinux/ss/policydb.c
On Wed, Oct 31, 2018 at 4:24 PM Ondrej Mosnacek wrote:
> On Wed, Oct 31, 2018 at 1:28 PM Ondrej Mosnacek wrote:
> > Before this patch, during a policy reload the sidtab would become frozen
> > and trying to map a new context to SID would be unable to add a new
> > ent
On Wed, Oct 31, 2018 at 9:29 PM Stephen Smalley wrote:
> On 10/31/2018 08:27 AM, Ondrej Mosnacek wrote:
> > Before this patch, during a policy reload the sidtab would become frozen
> > and trying to map a new context to SID would be unable to add a new
> > entry to sidtab
think it would make it more difficult to
do everything right than it would be now.
I have another idea how to rewrite the sidtab that should be more
RCU-conversion-ready, so maybe I'll even drop this model after all...
>
> [1]
> https://lore.kernel.org/selinux/20180530141104.28569-1-peter.ende
On Wed, Oct 31, 2018 at 6:09 PM Stephen Smalley wrote:
> On 10/31/2018 08:27 AM, Ondrej Mosnacek wrote:
> > This patch separates the lookup of the initial SIDs into a separate
> > lookup table (implemented simply by a fixed-size array), in order to
> > pave the way for
This function has only two callers, but only one of them actually needs
the special logic at the beginning. Factoring this logic out into
string_to_context_struct() allows us to drop the arguments 'oldc', 's',
and 'def_sid'.
Signed-off-by: Ondrej Mosnacek
---
Changes in v3:
- correct
, but it simplifies
further sidtab overhaul in a succeeding patch.
Signed-off-by: Ondrej Mosnacek
---
security/selinux/ss/policydb.c | 10 ++-
security/selinux/ss/services.c | 88 ++
security/selinux/ss/services.h | 2 +-
security/selinux/ss/sidtab.c | 158
dev/null &
do_work >/dev/null &
do_work >/dev/null &
while load_policy; do echo -n .; sleep 0.1; done
kill %1
kill %2
kill %3
```
Reported-by: Orion Poplawski
Reported-by: Li Kun
Link: https://github.com/SELinuxProject/selinux-kernel/issues/38
Signed-off-by: Ondrej Mosn
ACX-1vRUArNJR6kckm2SEs4dRZlijNVdCTmsNuWRGe7X3fC01YkBHpxXHnmcssxEiMF3Z7ivtXN2L5MC0ry-/pubhtml
Ondrej Mosnacek (3):
selinux: refactor sidtab conversion
selinux: use separate table for initial SID lookup
selinux: overhaul sidtab to fix bug and improve performance
security/selinux/ss/mls.c | 23 +-
security/selinux/ss/mls.h | 3 +-
secur
This is a purely cosmetic change that encapsulates the three-step sidtab
conversion logic (shutdown -> clone -> map) into a single function
defined in sidtab.c (as opposed to services.c).
Signed-off-by: Ondrej Mosnacek
---
security/selinux/ss/services.c | 22 +--
security/seli
On Wed, Nov 14, 2018 at 4:14 AM Paul Moore wrote:
> On Tue, Nov 13, 2018 at 4:10 PM Stephen Smalley wrote:
> > On 11/12/18 6:44 AM, Ondrej Mosnacek wrote:
> > > This function has only two callers, but only one of them actually needs
> > > the special logic at the begi
On Tue, Nov 13, 2018 at 10:35 PM Stephen Smalley wrote:
> On 11/13/18 8:52 AM, Ondrej Mosnacek wrote:
> > This patch is non-functional and moves handling of initial SIDs into a
> > separate table. Note that the SIDs stored in the main table are now
> > shifted by SECINIT
setuid sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace
sys_rawio sys_resource sys_time sys_tty_config };
Therefore I would say it is perfectly fine to add such rule to your
policy as well.
Cheers,
--
Ondrej Mosnacek
Associate Software Engineer, Security Technologies
Red Hat, Inc.
_
This function has only two callers, but only one of them actually needs
the special logic at the beginning. Factoring this logic out into
string_to_context_struct() allows us to drop the arguments 'oldc', 's',
and 'def_sid'.
Signed-off-by: Ondrej Mosnacek
---
security/selinux/ss/mls.c | 44
This function has only two callers, but only one of them actually needs
the special logic at the beginning. Factoring this logic out into
string_to_context_struct() allows us to drop the arguments 'oldc', 's',
and 'def_sid'.
Signed-off-by: Ondrej Mosnacek
---
Changes in v2:
- also drop
-able")
Signed-off-by: Ondrej Mosnacek
---
restorecond/restorecond.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/restorecond/restorecond.c b/restorecond/restorecond.c
index e1d26cb9..7b984b29 100644
--- a/restorecond/restorecond.c
+++ b/restorecond/restorecond.c
oject/selinux-kernel/issues/42
Fixes: ad52184b705c ("selinuxfs: don't open-code d_genocide()")
Cc: # 4.0+
Cc: Stephen Smalley
Cc: Al Viro
Signed-off-by: Ondrej Mosnacek
---
security/selinux/selinuxfs.c | 88 ++--
1 file changed, 85 insertions(+), 3 de
Hi Al,
On Tue, Oct 2, 2018 at 5:58 PM Al Viro wrote:
> On Tue, Oct 02, 2018 at 01:18:30PM +0200, Ondrej Mosnacek wrote:
>
> No. With the side of Hell, No. The bug is real, but this is
> not the way to fix it.
>
> First of all, it's still broken - e.g. mount something o
On Tue, Nov 20, 2018 at 10:47 PM Paul Moore wrote:
> On Tue, Nov 13, 2018 at 8:53 AM Ondrej Mosnacek wrote:
> > This is a purely cosmetic change that encapsulates the three-step sidtab
> > conversion logic (shutdown -> clone -> map) into a single function
> > defi
On Tue, Nov 20, 2018 at 10:06 PM Paul Moore wrote:
> On Mon, Nov 12, 2018 at 6:44 AM Ondrej Mosnacek wrote:
> > This function has only two callers, but only one of them actually needs
> > the special logic at the beginning. Factoring this logic out into
> > string_to_conte
.flags = LSM_FLAG_LEGACY_MAJOR,
> > .init = smack_init,
> > };
> > diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
> > index 1b5b5097efd7..09f7af130d3a 100644
> > --- a/security/tomoyo/tomoyo.c
> > +++ b/security/tomoyo/tomoyo.c
> > @@ -552,5 +552