summaryrefslogtreecommitdiffstats
path: root/Documentation/admin-guide/LSM (follow)
Commit message (Collapse)AuthorAgeFilesLines
* security/loadpin: Update the changing interface in the source code.Jiele zhao2021-03-151-3/+3
| | | | | | | | | | | | | Loadpin cmdline interface "enabled" has been renamed to "enforce" for a long time, but the User Description Document was not updated. (Meaning unchanged) And kernel_read_file* were moved from linux/fs.h to its own linux/kernel_read_file.h include file. So update that change here. Signed-off-by: Jiele zhao <unclexiaole@gmail.com> Link: https://lore.kernel.org/r/20210308020358.102836-1-unclexiaole@gmail.com Signed-off-by: Jonathan Corbet <corbet@lwn.net>
* docs: SafeSetID: fix a warningMauro Carvalho Chehab2020-10-281-1/+1
| | | | | | | | | | | | | As reported by Sphinx 2.4.4: docs/Documentation/admin-guide/LSM/SafeSetID.rst:110: WARNING: Title underline too short. Note on GID policies and setgroups() ================== Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org> Link: https://lore.kernel.org/r/4afa281c170daabd1ce522653d5d5d5078ebd92c.1603791716.git.mchehab+huawei@kernel.org Signed-off-by: Jonathan Corbet <corbet@lwn.net>
* LSM: SafeSetID: Add GID security policy handlingThomas Cedeno2020-10-131-9/+20
| | | | | | | | | | | | | The SafeSetID LSM has functionality for restricting setuid() calls based on its configured security policies. This patch adds the analogous functionality for setgid() calls. This is mostly a copy-and-paste change with some code deduplication, plus slight modifications/name changes to the policy-rule-related structs (now contain GID rules in addition to the UID ones) and some type generalization since SafeSetID now needs to deal with kgid_t and kuid_t types. Signed-off-by: Thomas Cedeno <thomascedeno@google.com> Signed-off-by: Micah Morton <mortonm@chromium.org>
* doc: yama: Swap HTTP for HTTPS and replace dead linkKees Cook2020-07-131-3/+4
| | | | | | | | | | | | | Replace one dead link for the same person's original presentation on the topic and swap an HTTP URL with HTTPS. While here, linkify the text to make it more readable when rendered. Link: https://lore.kernel.org/lkml/20200708073346.13177-1-grandmaster@al2klimov.de/ Co-developed-by: Alexander A. Klimov <grandmaster@al2klimov.de> Signed-off-by: Alexander A. Klimov <grandmaster@al2klimov.de> Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/202007091141.C008B89EC@keescook Signed-off-by: Jonathan Corbet <corbet@lwn.net>
* Replace HTTP links with HTTPS ones: documentationAlexander A. Klimov2020-06-081-8/+8
| | | | | | | | | | | | | | | | | | | Rationale: Reduces attack surface on kernel devs opening the links for MITM as HTTPS traffic is much harder to manipulate. Deterministic algorithm: For each file: For each line: If doesn't contain `\bxmlns\b`: For each link, `\bhttp://[^# \t\r\n]*(?:\w|/)`: If both the HTTP and HTTPS versions return 200 OK and serve the same content: Replace HTTP with HTTPS. Signed-off-by: Alexander A. Klimov <grandmaster@al2klimov.de> Link: https://lore.kernel.org/r/20200526060544.25127-1-grandmaster@al2klimov.de Signed-off-by: Jonathan Corbet <corbet@lwn.net>
* docs: SafeSetID.rst: Remove spurious '???' charactersChristian Kujau2019-10-111-2/+2
| | | | | | | | It appears that some smart quotes were changed to "???" by even smarter software; change them to the dumb but legible variety. Signed-off-by: Christian Kujau <lists@nerdbynature.de> Signed-off-by: Jonathan Corbet <corbet@lwn.net>
* security/loadpin: Allow to exclude specific file typesKe Wu2019-05-311-0/+10
| | | | | | | | | | | | | | | Linux kernel already provide MODULE_SIG and KEXEC_VERIFY_SIG to make sure loaded kernel module and kernel image are trusted. This patch adds a kernel command line option "loadpin.exclude" which allows to exclude specific file types from LoadPin. This is useful when people want to use different mechanisms to verify module and kernel image while still use LoadPin to protect the integrity of other files kernel loads. Signed-off-by: Ke Wu <mikewu@google.com> Reviewed-by: James Morris <jamorris@linux.microsoft.com> [kees: fix array size issue reported by Coverity via Colin Ian King] Signed-off-by: Kees Cook <keescook@chromium.org>
* LSM: add SafeSetID module that gates setid callsMicah Morton2019-01-252-0/+108
| | | | | | | | | | | | | | SafeSetID gates the setid family of syscalls to restrict UID/GID transitions from a given UID/GID to only those approved by a system-wide whitelist. These restrictions also prohibit the given UIDs/GIDs from obtaining auxiliary privileges associated with CAP_SET{U/G}ID, such as allowing a user to set up user namespace UID mappings. For now, only gating the set*uid family of syscalls is supported, with support for set*gid coming in a future patch set. Signed-off-by: Micah Morton <mortonm@chromium.org> Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: James Morris <james.morris@microsoft.com>
* procfs: add smack subdir to attrsCasey Schaufler2019-01-081-3/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | Back in 2007 I made what turned out to be a rather serious mistake in the implementation of the Smack security module. The SELinux module used an interface in /proc to manipulate the security context on processes. Rather than use a similar interface, I used the same interface. The AppArmor team did likewise. Now /proc/.../attr/current will tell you the security "context" of the process, but it will be different depending on the security module you're using. This patch provides a subdirectory in /proc/.../attr for Smack. Smack user space can use the "current" file in this subdirectory and never have to worry about getting SELinux attributes by mistake. Programs that use the old interface will continue to work (or fail, as the case may be) as before. The proposed S.A.R.A security module is dependent on the mechanism to create its own attr subdirectory. The original implementation is by Kees Cook. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: Kees Cook <keescook@chromium.org>
* Merge branch 'next-smack' of ↵Linus Torvalds2019-01-021-0/+4
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security Pull smack updates from James Morris: "Two Smack patches for 4.21. Jose's patch adds missing documentation and Zoran's fleshes out the access checks on keyrings" * 'next-smack' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: Smack: Improve Documentation smack: fix access permissions for keyring
| * Smack: Improve DocumentationJosé Bollo2018-12-131-0/+4
| | | | | | | | | | | | | | Add some words about the mount option "smackfstransmute=label". Signed-off-by: José Bollo <jobol@nonadev.net> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
* | Documentation: Update SELinux reference policy URLPetr Vorel2018-11-191-1/+1
|/ | | | | Signed-off-by: Petr Vorel <pvorel@suse.cz> Signed-off-by: Paul Moore <paul@paul-moore.com>
* yama: clarify ptrace_scope=2 in Yama documentationYves-Alexis Perez2018-10-071-2/+2
| | | | | | | | | | Current phrasing is ambiguous since it's unclear if attaching to a children through PTRACE_TRACEME requires CAP_SYS_PTRACE. Rephrase the sentence to make that clear. Signed-off-by: Yves-Alexis Perez <corsac@corsac.net> Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: Jonathan Corbet <corbet@lwn.net>
* apparmor: update git and wiki locations in AppArmor docsJordan Glover2018-06-071-3/+3
| | | | | | | | | | | The apparmor information in the apparmor.rst file is out of date. Update it to the correct git reference for the master apparmor tree. Update the wiki location to use apparmor.net which forwards to the current wiki location on gitlab.com. Update user space tools address to gitlab.com. Signed-off-by: Jordan Glover <Golden_Miller83@protonmail.ch> Signed-off-by: John Johansen <john.johansen@canonical.com>
* tomoyo: Update URLs in Documentation/admin-guide/LSM/tomoyo.rstTetsuo Handa2017-07-251-12/+12
| | | | | | | Fix outdated links. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <james.l.morris@oracle.com>
* doc: ReSTify Smack.txtKees Cook2017-05-182-0/+858
| | | | | | | | Adjusts for ReST markup and moves under LSM admin guide. Acked-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Jonathan Corbet <corbet@lwn.net>
* doc: ReSTify LoadPin.txtKees Cook2017-05-182-0/+22
| | | | | | | Adjusts for ReST markup and moves under LSM admin guide. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Jonathan Corbet <corbet@lwn.net>
* doc: ReSTify Yama.txtKees Cook2017-05-182-0/+75
| | | | | | | Adjusts for ReST markup and moves under LSM admin guide. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Jonathan Corbet <corbet@lwn.net>
* doc: ReSTify tomoyo.txtKees Cook2017-05-182-0/+66
| | | | | | | | Adjusts for ReST markup and moves under LSM admin guide. Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Jonathan Corbet <corbet@lwn.net>
* doc: ReSTify apparmor.txtKees Cook2017-05-182-0/+52
| | | | | | | | Adjusts for ReST markup and moves under LSM admin guide. Acked-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Jonathan Corbet <corbet@lwn.net>
* doc: ReSTify SELinux.txtKees Cook2017-05-182-0/+38
| | | | | | | | Adjusts for ReST markup and moves under LSM admin guide. Cc: Paul Moore <paul@paul-moore.com> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Jonathan Corbet <corbet@lwn.net>
* doc: ReSTify and split LSM.txtKees Cook2017-05-181-0/+31
The existing LSM.txt file covered both usage and development, so split this into two files, one under admin-guide and one under kernel development. Cc: James Morris <james.l.morris@oracle.com> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Jonathan Corbet <corbet@lwn.net>