Merge branch 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull security subsystem updates from James Morris: - Extend LSM stacking to allow sharing of cred, file, ipc, inode, and task blobs. This paves the way for more full-featured LSMs to be merged, and is specifically aimed at LandLock and SARA LSMs. This work is from Casey and Kees. - There's a new LSM from Micah Morton: "SafeSetID gates the setid family of syscalls to restrict UID/GID transitions from a given UID/GID to only those approved by a system-wide whitelist." This feature is currently shipping in ChromeOS. * 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (62 commits) keys: fix missing __user in KEYCTL_PKEY_QUERY LSM: Update list of SECURITYFS users in Kconfig LSM: Ignore "security=" when "lsm=" is specified LSM: Update function documentation for cap_capable security: mark expected switch fall-throughs and add a missing break tomoyo: Bump version. LSM: fix return value check in safesetid_init_securityfs() LSM: SafeSetID: add selftest LSM: SafeSetID: remove unused include LSM: SafeSetID: 'depend' on CONFIG_SECURITY LSM: Add 'name' field for SafeSetID in DEFINE_LSM LSM: add SafeSetID module that gates setid calls LSM: add SafeSetID module that gates setid calls tomoyo: Allow multiple use_group lines. tomoyo: Coding style fix. tomoyo: Swicth from cred->security to task_struct->security. security: keys: annotate implicit fall throughs security: keys: annotate implicit fall throughs security: keys: annotate implicit fall through capabilities:: annotate implicit fall through ...
This commit is contained in:
Linus Torvalds
@@ -209,6 +209,7 @@ extern bool has_ns_capability_noaudit(struct task_struct *t,
|
||||
extern bool capable(int cap);
|
||||
extern bool ns_capable(struct user_namespace *ns, int cap);
|
||||
extern bool ns_capable_noaudit(struct user_namespace *ns, int cap);
|
||||
extern bool ns_capable_setid(struct user_namespace *ns, int cap);
|
||||
#else
|
||||
static inline bool has_capability(struct task_struct *t, int cap)
|
||||
{
|
||||
@@ -240,6 +241,10 @@ static inline bool ns_capable_noaudit(struct user_namespace *ns, int cap)
|
||||
{
|
||||
return true;
|
||||
}
|
||||
static inline bool ns_capable_setid(struct user_namespace *ns, int cap)
|
||||
{
|
||||
return true;
|
||||
}
|
||||
#endif /* CONFIG_MULTIUSER */
|
||||
extern bool privileged_wrt_inode_uidgid(struct user_namespace *ns, const struct inode *inode);
|
||||
extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap);
|
||||
|
||||
@@ -15,7 +15,6 @@
|
||||
#include <linux/capability.h>
|
||||
#include <linux/init.h>
|
||||
#include <linux/key.h>
|
||||
#include <linux/selinux.h>
|
||||
#include <linux/atomic.h>
|
||||
#include <linux/uidgid.h>
|
||||
#include <linux/sched.h>
|
||||
|
||||
@@ -1270,7 +1270,7 @@
|
||||
* @cred contains the credentials to use.
|
||||
* @ns contains the user namespace we want the capability in
|
||||
* @cap contains the capability <include/linux/capability.h>.
|
||||
* @audit contains whether to write an audit message or not
|
||||
* @opts contains options for the capable check <include/linux/security.h>
|
||||
* Return 0 if the capability is granted for @tsk.
|
||||
* @syslog:
|
||||
* Check permission before accessing the kernel message ring or changing
|
||||
@@ -1446,8 +1446,10 @@ union security_list_options {
|
||||
const kernel_cap_t *effective,
|
||||
const kernel_cap_t *inheritable,
|
||||
const kernel_cap_t *permitted);
|
||||
int (*capable)(const struct cred *cred, struct user_namespace *ns,
|
||||
int cap, int audit);
|
||||
int (*capable)(const struct cred *cred,
|
||||
struct user_namespace *ns,
|
||||
int cap,
|
||||
unsigned int opts);
|
||||
int (*quotactl)(int cmds, int type, int id, struct super_block *sb);
|
||||
int (*quota_on)(struct dentry *dentry);
|
||||
int (*syslog)(int type);
|
||||
@@ -2027,6 +2029,18 @@ struct security_hook_list {
|
||||
char *lsm;
|
||||
} __randomize_layout;
|
||||
|
||||
/*
|
||||
* Security blob size or offset data.
|
||||
*/
|
||||
struct lsm_blob_sizes {
|
||||
int lbs_cred;
|
||||
int lbs_file;
|
||||
int lbs_inode;
|
||||
int lbs_ipc;
|
||||
int lbs_msg_msg;
|
||||
int lbs_task;
|
||||
};
|
||||
|
||||
/*
|
||||
* Initializing a security_hook_list structure takes
|
||||
* up a lot of space in a source file. This macro takes
|
||||
@@ -2042,9 +2056,21 @@ extern char *lsm_names;
|
||||
extern void security_add_hooks(struct security_hook_list *hooks, int count,
|
||||
char *lsm);
|
||||
|
||||
#define LSM_FLAG_LEGACY_MAJOR BIT(0)
|
||||
#define LSM_FLAG_EXCLUSIVE BIT(1)
|
||||
|
||||
enum lsm_order {
|
||||
LSM_ORDER_FIRST = -1, /* This is only for capabilities. */
|
||||
LSM_ORDER_MUTABLE = 0,
|
||||
};
|
||||
|
||||
struct lsm_info {
|
||||
const char *name; /* Required. */
|
||||
enum lsm_order order; /* Optional: default is LSM_ORDER_MUTABLE */
|
||||
unsigned long flags; /* Optional: flags describing LSM */
|
||||
int *enabled; /* Optional: controlled by CONFIG_LSM */
|
||||
int (*init)(void); /* Required. */
|
||||
struct lsm_blob_sizes *blobs; /* Optional: for blob sharing. */
|
||||
};
|
||||
|
||||
extern struct lsm_info __start_lsm_info[], __end_lsm_info[];
|
||||
@@ -2084,17 +2110,6 @@ static inline void security_delete_hooks(struct security_hook_list *hooks,
|
||||
#define __lsm_ro_after_init __ro_after_init
|
||||
#endif /* CONFIG_SECURITY_WRITABLE_HOOKS */
|
||||
|
||||
extern int __init security_module_enable(const char *module);
|
||||
extern void __init capability_add_hooks(void);
|
||||
#ifdef CONFIG_SECURITY_YAMA
|
||||
extern void __init yama_add_hooks(void);
|
||||
#else
|
||||
static inline void __init yama_add_hooks(void) { }
|
||||
#endif
|
||||
#ifdef CONFIG_SECURITY_LOADPIN
|
||||
void __init loadpin_add_hooks(void);
|
||||
#else
|
||||
static inline void loadpin_add_hooks(void) { };
|
||||
#endif
|
||||
extern int lsm_inode_alloc(struct inode *inode);
|
||||
|
||||
#endif /* ! __LINUX_LSM_HOOKS_H */
|
||||
|
||||
@@ -54,9 +54,12 @@ struct xattr;
|
||||
struct xfrm_sec_ctx;
|
||||
struct mm_struct;
|
||||
|
||||
/* Default (no) options for the capable function */
|
||||
#define CAP_OPT_NONE 0x0
|
||||
/* If capable should audit the security request */
|
||||
#define SECURITY_CAP_NOAUDIT 0
|
||||
#define SECURITY_CAP_AUDIT 1
|
||||
#define CAP_OPT_NOAUDIT BIT(1)
|
||||
/* If capable is being called by a setid function */
|
||||
#define CAP_OPT_INSETID BIT(2)
|
||||
|
||||
/* LSM Agnostic defines for sb_set_mnt_opts */
|
||||
#define SECURITY_LSM_NATIVE_LABELS 1
|
||||
@@ -72,7 +75,7 @@ enum lsm_event {
|
||||
|
||||
/* These functions are in security/commoncap.c */
|
||||
extern int cap_capable(const struct cred *cred, struct user_namespace *ns,
|
||||
int cap, int audit);
|
||||
int cap, unsigned int opts);
|
||||
extern int cap_settime(const struct timespec64 *ts, const struct timezone *tz);
|
||||
extern int cap_ptrace_access_check(struct task_struct *child, unsigned int mode);
|
||||
extern int cap_ptrace_traceme(struct task_struct *parent);
|
||||
@@ -207,10 +210,10 @@ int security_capset(struct cred *new, const struct cred *old,
|
||||
const kernel_cap_t *effective,
|
||||
const kernel_cap_t *inheritable,
|
||||
const kernel_cap_t *permitted);
|
||||
int security_capable(const struct cred *cred, struct user_namespace *ns,
|
||||
int cap);
|
||||
int security_capable_noaudit(const struct cred *cred, struct user_namespace *ns,
|
||||
int cap);
|
||||
int security_capable(const struct cred *cred,
|
||||
struct user_namespace *ns,
|
||||
int cap,
|
||||
unsigned int opts);
|
||||
int security_quotactl(int cmds, int type, int id, struct super_block *sb);
|
||||
int security_quota_on(struct dentry *dentry);
|
||||
int security_syslog(int type);
|
||||
@@ -366,8 +369,10 @@ int security_sem_semctl(struct kern_ipc_perm *sma, int cmd);
|
||||
int security_sem_semop(struct kern_ipc_perm *sma, struct sembuf *sops,
|
||||
unsigned nsops, int alter);
|
||||
void security_d_instantiate(struct dentry *dentry, struct inode *inode);
|
||||
int security_getprocattr(struct task_struct *p, char *name, char **value);
|
||||
int security_setprocattr(const char *name, void *value, size_t size);
|
||||
int security_getprocattr(struct task_struct *p, const char *lsm, char *name,
|
||||
char **value);
|
||||
int security_setprocattr(const char *lsm, const char *name, void *value,
|
||||
size_t size);
|
||||
int security_netlink_send(struct sock *sk, struct sk_buff *skb);
|
||||
int security_ismaclabel(const char *name);
|
||||
int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
|
||||
@@ -462,14 +467,11 @@ static inline int security_capset(struct cred *new,
|
||||
}
|
||||
|
||||
static inline int security_capable(const struct cred *cred,
|
||||
struct user_namespace *ns, int cap)
|
||||
struct user_namespace *ns,
|
||||
int cap,
|
||||
unsigned int opts)
|
||||
{
|
||||
return cap_capable(cred, ns, cap, SECURITY_CAP_AUDIT);
|
||||
}
|
||||
|
||||
static inline int security_capable_noaudit(const struct cred *cred,
|
||||
struct user_namespace *ns, int cap) {
|
||||
return cap_capable(cred, ns, cap, SECURITY_CAP_NOAUDIT);
|
||||
return cap_capable(cred, ns, cap, opts);
|
||||
}
|
||||
|
||||
static inline int security_quotactl(int cmds, int type, int id,
|
||||
@@ -1112,15 +1114,18 @@ static inline int security_sem_semop(struct kern_ipc_perm *sma,
|
||||
return 0;
|
||||
}
|
||||
|
||||
static inline void security_d_instantiate(struct dentry *dentry, struct inode *inode)
|
||||
static inline void security_d_instantiate(struct dentry *dentry,
|
||||
struct inode *inode)
|
||||
{ }
|
||||
|
||||
static inline int security_getprocattr(struct task_struct *p, char *name, char **value)
|
||||
static inline int security_getprocattr(struct task_struct *p, const char *lsm,
|
||||
char *name, char **value)
|
||||
{
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
static inline int security_setprocattr(char *name, void *value, size_t size)
|
||||
static inline int security_setprocattr(const char *lsm, char *name,
|
||||
void *value, size_t size)
|
||||
{
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
@@ -1,35 +0,0 @@
|
||||
/*
|
||||
* SELinux services exported to the rest of the kernel.
|
||||
*
|
||||
* Author: James Morris <jmorris@redhat.com>
|
||||
*
|
||||
* Copyright (C) 2005 Red Hat, Inc., James Morris <jmorris@redhat.com>
|
||||
* Copyright (C) 2006 Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
|
||||
* Copyright (C) 2006 IBM Corporation, Timothy R. Chavez <tinytim@us.ibm.com>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License version 2,
|
||||
* as published by the Free Software Foundation.
|
||||
*/
|
||||
#ifndef _LINUX_SELINUX_H
|
||||
#define _LINUX_SELINUX_H
|
||||
|
||||
struct selinux_audit_rule;
|
||||
struct audit_context;
|
||||
struct kern_ipc_perm;
|
||||
|
||||
#ifdef CONFIG_SECURITY_SELINUX
|
||||
|
||||
/**
|
||||
* selinux_is_enabled - is SELinux enabled?
|
||||
*/
|
||||
bool selinux_is_enabled(void);
|
||||
#else
|
||||
|
||||
static inline bool selinux_is_enabled(void)
|
||||
{
|
||||
return false;
|
||||
}
|
||||
#endif /* CONFIG_SECURITY_SELINUX */
|
||||
|
||||
#endif /* _LINUX_SELINUX_H */
|
||||
Reference in New Issue
Block a user