summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Merge branch 'for-linus' of ↵Linus Torvalds2011-07-2736-2839/+6483
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6 * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: (54 commits) tpm_nsc: Fix bug when loading multiple TPM drivers tpm: Move tpm_tis_reenable_interrupts out of CONFIG_PNP block tpm: Fix compilation warning when CONFIG_PNP is not defined TOMOYO: Update kernel-doc. tpm: Fix a typo tpm_tis: Probing function for Intel iTPM bug tpm_tis: Fix the probing for interrupts tpm_tis: Delay ACPI S3 suspend while the TPM is busy tpm_tis: Re-enable interrupts upon (S3) resume tpm: Fix display of data in pubek sysfs entry tpm_tis: Add timeouts sysfs entry tpm: Adjust interface timeouts if they are too small tpm: Use interface timeouts returned from the TPM tpm_tis: Introduce durations sysfs entry tpm: Adjust the durations if they are too small tpm: Use durations returned from TPM TOMOYO: Enable conditional ACL. TOMOYO: Allow using argv[]/envp[] of execve() as conditions. TOMOYO: Allow using executable's realpath and symlink's target as conditions. TOMOYO: Allow using owner/group etc. of file objects as conditions. ... Fix up trivial conflict in security/tomoyo/realpath.c
| * tpm_nsc: Fix bug when loading multiple TPM driversStefan Berger2011-07-261-7/+7
| | | | | | | | | | | | | | | | | | | | | | This patch fixes kernel bugzilla 34572. https://bugzilla.kernel.org/show_bug.cgi?id=34572 Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Reported-by: Witold Baryluk <baryluk@smp.if.uj.edu.pl> Tested-by: Witold Baryluk <baryluk@smp.if.uj.edu.pl> Signed-off-by: James Morris <jmorris@namei.org>
| * tpm: Move tpm_tis_reenable_interrupts out of CONFIG_PNP blockStefan Berger2011-07-221-22/+23
| | | | | | | | | | | | | | | | | | | | | | This patch moves the tpm_tis_reenable_interrupts function out of the CONFIG_PNP-surrounded #define block. This solves a compilation error in case CONFIG_PNP is not defined. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Reported-by: Randy Dunlap <rdunlap@xenotime.net> Acked-by: Randy Dunlap <rdunlap@xenotime.net> Signed-off-by: James Morris <jmorris@namei.org>
| * tpm: Fix compilation warning when CONFIG_PNP is not definedStefan Berger2011-07-211-6/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The is_itpm() function is only accessed from a block surrounded by #ifdef CONFIG_PNP. Therefore, also surround it with #ifdef CONFIG_PNP and remove the #else branch causing the warning. http://lxr.linux.no/#linux+v2.6.39/drivers/char/tpm/tpm_tis.c#L622 v2: - fixes a previous typo Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Reported-by: Randy Dunlap <rdunlap@xenotime.net> Signed-off-by: James Morris <jmorris@namei.org>
| * TOMOYO: Update kernel-doc.Tetsuo Handa2011-07-1413-62/+269
| | | | | | | | | | | | | | | | Update comments for scripts/kernel-doc and fix some of errors reported by scripts/checkpatch.pl . Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
| * tpm: Fix a typoStefan Berger2011-07-121-1/+1
| | | | | | | | | | | | | | This patch fixes a typo. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
| * tpm_tis: Probing function for Intel iTPM bugStefan Berger2011-07-121-4/+73
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch introduces a function for automatic probing for the Intel iTPM STS_DATA_EXPECT flaw. The patch splits the current tpm_tis_send function into 2 parts where the 1st part is now called tpm_tis_send_data() and merely sends the data to the TPM. This function is then used for probing. The new tpm_tis_send function now first calls tpm_tis_send_data and if that succeeds has the TPM process the command and waits until the response is there. The probing for the Intel iTPM is only invoked if the user has not passed itpm=1 as parameter for the module *or* if such a TPM was detected via ACPI. Previously it was necessary to pass itpm=1 when also passing force=1 to the module when doing a 'modprobe'. This function is more general than the ACPI test function and the function relying on ACPI could probably be removed. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
| * tpm_tis: Fix the probing for interruptsStefan Berger2011-07-122-6/+28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch fixes several aspects of the probing for interrupts. This patch reads the TPM's timeouts before probing for the interrupts. The tpm_get_timeouts() function is invoked in polling mode and gets the proper timeouts from the TPM so that we don't need to fall back to 2 minutes timeouts for short duration commands while the interrupt probing is happening. This patch introduces a variable probed_irq into the vendor structure that gets the irq number if an interrupt is received while the the tpm_gen_interrupt() function is run in polling mode during interrupt probing. Previously some parts of tpm_gen_interrupt() were run in polling mode, then the irq variable was set in the interrupt handler when an interrupt was received and execution of tpm_gen_interrupt() ended up switching over to interrupt mode. tpm_gen_interrupt() execution ended up on an event queue where it eventually timed out since the probing handler doesn't wake any queues. Before calling into free_irq() clear all interrupt flags that may have been set by the TPM. The reason is that free_irq() will call into the probing interrupt handler and may otherwise fool us into thinking that a real interrupt happened (because we see the flags as being set) while the TPM's interrupt line is not even connected to anything on the motherboard. This solves a problem on one machine I did testing on (Thinkpad T60). If a TPM claims to use a specifc interrupt, the probing is done as well to verify that the interrupt is actually working. If a TPM indicates that it does not use a specific interrupt (returns '0'), probe all interrupts from 3 to 15. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
| * tpm_tis: Delay ACPI S3 suspend while the TPM is busyStefan Berger2011-07-121-5/+23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch delays the (ACPI S3) suspend while the TPM is busy processing a command and the TPM TIS driver is run in interrupt mode. This is the same behavior as we already have it for the TPM TIS driver in polling mode. Reasoning: Some of the TPM's commands advance the internal state of the TPM. An example would be the extending of one of its PCR registers. Upper layers, such as IMA or TSS (TrouSerS), would certainly want to be sure that the command succeeded rather than getting an error code (-62 = -ETIME) that may not give a conclusive answer as for what reason the command failed. Reissuing such a command would put the TPM into the wrong state, so waiting for it to finish is really the only option. The downside is that some commands (key creation) can take a long time and actually prevent the machine from entering S3 at all before the 20 second timeout of the power management subsystem arrives. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
| * tpm_tis: Re-enable interrupts upon (S3) resumeStefan Berger2011-07-121-0/+30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch makes sure that if the TPM TIS interface is run in interrupt mode (rather than polling mode) that all interrupts are enabled in the TPM's interrupt enable register after a resume from ACPI S3 suspend. The registers may either have been cleared by the TPM loosing its state during device sleep or by the BIOS leaving the TPM in polling mode (after sending a command to the TPM for starting it up again) You may want to check if your TPM runs with interrupts by doing cat /proc/interrupts | grep -i tpm and see whether there is an entry or otherwise for it to use interrupts: modprobe tpm_tis interrupts=1 [add 'itpm=1' for Intel TPM ] v2: - the patch was adapted to work with the pnp and platform driver implementations in tpm_tis.c Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
| * tpm: Fix display of data in pubek sysfs entryStefan Berger2011-07-121-10/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch fixes the TPM's pubek sysfs entry that is accessible as long as the TPM doesn't have an owner. It was necessary to shift the access to the data by -10 -- the first byte immediately follows the 10 byte header. The line data = tpm_cmd.params.readpubek_out_buffer; sets it at the offset '10' in the packet, so we can read the data array starting at offset '0'. Before: Algorithm: 00 0C 00 00 Encscheme: 08 00 Sigscheme: 00 00 Parameters: 00 00 00 00 01 00 AC E2 5E 3C A0 78 Modulus length: -563306801 Modulus: 28 21 08 0F 82 CD F2 B1 E7 49 F7 74 70 BE 59 8C 43 78 B1 24 EA 52 E2 FE 52 5C 3A 12 3B DC 61 71 [...] After: Algorithm: 00 00 00 01 Encscheme: 00 03 Sigscheme: 00 01 Parameters: 00 00 08 00 00 00 00 02 00 00 00 00 Modulus length: 256 Modulus: AC E2 5E 3C A0 78 DE 6C 9E CF 28 21 08 0F 82 CD F2 B1 E7 49 F7 74 70 BE 59 8C 43 78 B1 24 EA 52 [...] Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
| * tpm_tis: Add timeouts sysfs entryStefan Berger2011-07-123-1/+22
| | | | | | | | | | | | | | | | | | Display the TPM's interface timeouts in a 'timeouts' sysfs entry. Display the entries as having been adjusted when they were scaled due to their values being reported in milliseconds rather than microseconds. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
| * tpm: Adjust interface timeouts if they are too smallStefan Berger2011-07-121-4/+9
| | | | | | | | | | | | | | | | | | Adjust the interface timeouts if they are found to be too small, i.e., if they are returned in milliseconds rather than microseconds as we heared from Infineon that some (old) Infineon TPMs do. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
| * tpm: Use interface timeouts returned from the TPMStefan Berger2011-07-121-3/+4
| | | | | | | | | | | | | | | | | | | | | | The TPM driver currently discards the interface timeout values returned from the TPM. The check of the response packet needs to consider that the return_code field is 0 on success and the size of the expected packet is equivalent to the header size + u32 length indicator for the TPM_GetCapability() result + 4 interface timeout indicators of type u32. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
| * tpm_tis: Introduce durations sysfs entryStefan Berger2011-07-123-1/+21
| | | | | | | | | | | | | | | | | | | | Display the TPM's command timeouts in a 'durations' sysfs entry. Display the entries as having been adjusted when they were scaled due to their values being reported in milliseconds rather than microseconds. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Tested-by: Guillaume Chazarain <guichaz@gmail.com> Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
| * tpm: Adjust the durations if they are too smallStefan Berger2011-07-121-6/+11
| | | | | | | | | | | | | | | | | | Adjust the durations if they are found to be too small, i.e., if they are returned in milliseconds rather than microseconds as some Infineon TPMs are reported to do. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
| * tpm: Use durations returned from TPMStefan Berger2011-07-121-2/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The TPM driver currently discards the durations values returned from the TPM. The check of the response packet needs to consider that the return_code field is 0 on success and the size of the expected packet is equivalent to the header size + u32 length indicator for the TPM_GetCapability() result + 3 timeout indicators of type u32. v4: - sysfs entry 'durations' is now a patch of its own - the work-around for TPMs reporting durations in milliseconds is now in a patch of its own v3: - sysfs entry now called 'durations' to resemble TPM-speak (previously was called 'timeouts') v2: - adjusting all timeouts for TPM devices reporting timeouts in msec rather than usec - also displaying in sysfs whether the timeouts are 'original' or 'adjusted' Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> Tested-by: Guillaume Chazarain <guichaz@gmail.com> Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
| * TOMOYO: Enable conditional ACL.Tetsuo Handa2011-07-115-33/+80
| | | | | | | | | | | | | | Enable conditional ACL by passing object's pointers. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
| * TOMOYO: Allow using argv[]/envp[] of execve() as conditions.Tetsuo Handa2011-07-116-10/+589
| | | | | | | | | | | | | | | | This patch adds support for permission checks using argv[]/envp[] of execve() request. Hooks are in the last patch of this pathset. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
| * TOMOYO: Allow using executable's realpath and symlink's target as conditions.Tetsuo Handa2011-07-115-4/+228
| | | | | | | | | | | | | | | | | | This patch adds support for permission checks using executable file's realpath upon execve() and symlink's target upon symlink(). Hooks are in the last patch of this pathset. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
| * TOMOYO: Allow using owner/group etc. of file objects as conditions.Tetsuo Handa2011-07-114-0/+457
| | | | | | | | | | | | | | | | | | This patch adds support for permission checks using file object's DAC attributes (e.g. owner/group) when checking file's pathnames. Hooks for passing file object's pointers are in the last patch of this pathset. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
| * TOMOYO: Allow using UID/GID etc. of current thread as conditions.Tetsuo Handa2011-07-118-37/+651
| | | | | | | | | | | | | | | | This patch adds support for permission checks using current thread's UID/GID etc. in addition to pathnames. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
| * TOMOYO: Remove /sys/kernel/security/tomoyo/.domain_status interface.Tetsuo Handa2011-07-083-76/+0
| | | | | | | | | | | | | | | | | | /sys/kernel/security/tomoyo/.domain_status can be easily emulated using /sys/kernel/security/tomoyo/domain_policy . We can remove this interface by updating /usr/sbin/tomoyo-setprofile utility. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
| * TOMOYO: Fix wrong domainname in tomoyo_init_log().Tetsuo Handa2011-07-011-1/+1
| | | | | | | | | | | | | | | | Commit eadd99cc "TOMOYO: Add auditing interface." by error replaced "struct tomoyo_request_info"->domain with tomoyo_domain(). Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
| * encrypted-keys: move ecryptfs documentation to proper locationMimi Zohar2011-06-301-0/+0
| | | | | | | | | | | | | | Move keys-ecryptfs.txt to Documentation/security. Signed-off-by: Mimi Zohar <zohar@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
| * TOMOYO: Cleanup header file.Tetsuo Handa2011-06-301-117/+96
| | | | | | | | | | | | | | Sort by alphabetic order. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
| * TOMOYO: Update MAINTAINERS file.Tetsuo Handa2011-06-301-1/+1
| | | | | | | | | | Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
| * TOMOYO: Fix build error with CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER=y .Tetsuo Handa2011-06-301-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | I forgot to add #ifndef in commit 0e4ae0e0 "TOMOYO: Make several options configurable.", resulting security/built-in.o: In function `tomoyo_bprm_set_creds': tomoyo.c:(.text+0x4698e): undefined reference to `tomoyo_load_policy' error. Reported-by: Stephen Rothwell <sfr@canb.auug.org.au> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
| * Merge branch 'for-security' of ↵James Morris2011-06-302-2/+2
| |\ | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/jj/apparmor-dev into next
| | * AppArmor: Fix masking of capabilities in complain modeJohn Johansen2011-06-291-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | AppArmor is masking the capabilities returned by capget against the capabilities mask in the profile. This is wrong, in complain mode the profile has effectively all capabilities, as the profile restrictions are not being enforced, merely tested against to determine if an access is known by the profile. This can result in the wrong behavior of security conscience applications like sshd which examine their capability set, and change their behavior accordingly. In this case because of the masked capability set being returned sshd fails due to DAC checks, even when the profile is in complain mode. Kernels affected: 2.6.36 - 3.0. Signed-off-by: John Johansen <john.johansen@canonical.com>
| | * AppArmor: Fix reference to rcu protected pointer outside of rcu_read_lockJohn Johansen2011-06-291-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The pointer returned from tracehook_tracer_task() is only valid inside the rcu_read_lock. However the tracer pointer obtained is being passed to aa_may_ptrace outside of the rcu_read_lock critical section. Mover the aa_may_ptrace test into the rcu_read_lock critical section, to fix this. Kernels affected: 2.6.36 - 3.0 Reported-by: Oleg Nesterov <oleg@redhat.com> Cc: stable@kernel.org Signed-off-by: John Johansen <john.johansen@canonical.com>
| * | Merge branch 'linus' into nextJames Morris2011-06-30813-4643/+10195
| |\ \
| * | | TOMOYO: Make several options configurable.Tetsuo Handa2011-06-293-23/+117
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | To be able to start using enforcing mode from the early stage of boot sequence, this patch adds support for activating access control without calling external policy loader program. This will be useful for systems where operations which can lead to the hijacking of the boot sequence are needed before loading the policy. For example, you can activate immediately after loading the fixed part of policy which will allow only operations needed for mounting a partition which contains the variant part of policy and verifying (e.g. running GPG check) and loading the variant part of policy. Since you can start using enforcing mode from the beginning, you can reduce the possibility of hijacking the boot sequence. This patch makes several variables configurable on build time. This patch also adds TOMOYO_loader= and TOMOYO_trigger= kernel command line option to boot the same kernel in two different init systems (BSD-style init and systemd). Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
| * | | TOMOYO: Add built-in policy support.Tetsuo Handa2011-06-294-10/+108
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | To be able to start using enforcing mode from the early stage of boot sequence, this patch adds support for built-in policy configuration (and next patch adds support for activating access control without calling external policy loader program). Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
| * | | TOMOYO: Rename meminfo to stat and show more statistics.Tetsuo Handa2011-06-296-143/+206
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Show statistics such as last policy update time and last policy violation time in addition to memory usage. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
| * | | TOMOYO: Cleanup part 4.Tetsuo Handa2011-06-296-121/+177
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Gather string constants to one file in order to make the object size smaller. Use unsigned type where appropriate. read()/write() returns ssize_t. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
| * | | TOMOYO: Fix lockdep warning.Tetsuo Handa2011-06-293-51/+276
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently TOMOYO holds SRCU lock upon open() and releases it upon close() because list elements stored in the "struct tomoyo_io_buffer" instances are accessed until close() is called. However, such SRCU usage causes lockdep to complain about leaving the kernel with SRCU lock held. This patch solves the warning by holding/releasing SRCU upon each read()/write(). This patch is doing something similar to calling kfree() without calling synchronize_srcu(), by selectively deferring kfree() by keeping track of the "struct tomoyo_io_buffer" instances. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
| * | | TOMOYO: Change pathname for non-rename()able filesystems.Tetsuo Handa2011-06-292-54/+180
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | TOMOYO wants to use /proc/self/ rather than /proc/$PID/ if $PID matches current thread's process ID in order to prevent current thread from accessing other process's information unless needed. But since procfs can be mounted on various locations (e.g. /proc/ /proc2/ /p/ /tmp/foo/100/p/ ), TOMOYO cannot tell that whether the numeric part in the string returned by __d_path() represents process ID or not. Therefore, to be able to convert from $PID to self no matter where procfs is mounted, this patch changes pathname representations for filesystems which do not support rename() operation (e.g. proc, sysfs, securityfs). Examples: /proc/self/mounts => proc:/self/mounts /sys/kernel/security/ => sys:/kernel/security/ /dev/pts/0 => devpts:/0 Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
| * | | TOMOYO: Add policy namespace support.Tetsuo Handa2011-06-298-299/+669
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Mauras Olivier reported that it is difficult to use TOMOYO in LXC environments, for TOMOYO cannot distinguish between environments outside the container and environments inside the container since LXC environments are created using pivot_root(). To address this problem, this patch introduces policy namespace. Each policy namespace has its own set of domain policy, exception policy and profiles, which are all independent of other namespaces. This independency allows users to develop policy without worrying interference among namespaces. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
| * | | TOMOYO: Add ACL group support.Tetsuo Handa2011-06-295-11/+88
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ACL group allows administrator to globally grant not only "file read" permission but also other permissions. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
| * | | TOMOYO: Add auditing interface.Tetsuo Handa2011-06-299-235/+557
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add /sys/kernel/security/tomoyo/audit interface. This interface generates audit logs in the form of domain policy so that /usr/sbin/tomoyo-auditd can reuse audit logs for appending to /sys/kernel/security/tomoyo/domain_policy interface. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
| * | | TOMOYO: Simplify profile structure.Tetsuo Handa2011-06-293-168/+83
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Remove global preference from profile structure in order to make code simpler. Due to this structure change, printk() warnings upon policy violation are temporarily disabled. They will be replaced by /sys/kernel/security/tomoyo/audit by next patch. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
| * | | TOMOYO: Rename directives.Tetsuo Handa2011-06-294-59/+113
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Convert "allow_..." style directives to "file ..." style directives. By converting to the latter style, we can pack policy like "file read/write/execute /path/to/file". Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
| * | | TOMOYO: Use struct for passing ACL line.Tetsuo Handa2011-06-298-371/+347
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Use structure for passing ACL line, in preparation for supporting policy namespace and conditional parameters. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
| * | | TOMOYO: Cleanup part 3.Tetsuo Handa2011-06-299-153/+410
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Use common structure for ACL with "struct list_head" + "atomic_t". Use array/struct where possible. Remove is_group from "struct tomoyo_name_union"/"struct tomoyo_number_union". Pass "struct file"->private_data rather than "struct file". Update some of comments. Bring tomoyo_same_acl_head() from common.h to domain.c . Bring tomoyo_invalid()/tomoyo_valid() from common.h to util.c . Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
| * | | TOMOYO: Cleanup part 2.Tetsuo Handa2011-06-295-359/+204
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Update (or temporarily remove) comments. Remove or replace some of #define lines. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
| * | | TOMOYO: Cleanup part 1.Tetsuo Handa2011-06-298-535/+71
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In order to synchronize with TOMOYO 1.8's syntax, (1) Remove special handling for allow_read/write permission. (2) Replace deny_rewrite/allow_rewrite permission with allow_append permission. (3) Remove file_pattern keyword. (4) Remove allow_read permission from exception policy. (5) Allow creating domains in enforcing mode without calling supervisor. (6) Add permission check for opening directory for reading. (7) Add permission check for stat() operation. (8) Make "cat < /sys/kernel/security/tomoyo/self_domain" behave as if "cat /sys/kernel/security/tomoyo/self_domain". Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
| * | | eCryptfs: added support for the encrypted key typeRoberto Sassu2011-06-272-7/+47
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The function ecryptfs_keyring_auth_tok_for_sig() has been modified in order to search keys of both 'user' and 'encrypted' types. Signed-off-by: Roberto Sassu <roberto.sassu@polito.it> Acked-by: Gianluca Ramunno <ramunno@polito.it> Acked-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
| * | | encrypted-keys: add ecryptfs format supportRoberto Sassu2011-06-276-10/+252
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The 'encrypted' key type defines its own payload format which contains a symmetric key randomly generated that cannot be used directly to mount an eCryptfs filesystem, because it expects an authentication token structure. This patch introduces the new format 'ecryptfs' that allows to store an authentication token structure inside the encrypted key payload containing a randomly generated symmetric key, as the same for the format 'default'. More details about the usage of encrypted keys with the eCryptfs filesystem can be found in the file 'Documentation/keys-ecryptfs.txt'. Signed-off-by: Roberto Sassu <roberto.sassu@polito.it> Acked-by: Gianluca Ramunno <ramunno@polito.it> Acked-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
| * | | eCryptfs: export global eCryptfs definitions to include/linux/ecryptfs.hRoberto Sassu2011-06-272-108/+114
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Some eCryptfs specific definitions, such as the current version and the authentication token structure, are moved to the new include file 'include/linux/ecryptfs.h', in order to be available for all kernel subsystems. Signed-off-by: Roberto Sassu <roberto.sassu@polito.it> Acked-by: Gianluca Ramunno <ramunno@polito.it> Acked-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com> Acked-by: David Howells <dhowells@redhat.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>