summaryrefslogtreecommitdiffstats
path: root/security (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/netLinus Torvalds2015-11-113-9/+10
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Pull networking fixes from David Miller: 1) Fix null deref in xt_TEE netfilter module, from Eric Dumazet. 2) Several spots need to get to the original listner for SYN-ACK packets, most spots got this ok but some were not. Whilst covering the remaining cases, create a helper to do this. From Eric Dumazet. 3) Missiing check of return value from alloc_netdev() in CAIF SPI code, from Rasmus Villemoes. 4) Don't sleep while != TASK_RUNNING in macvtap, from Vlad Yasevich. 5) Use after free in mvneta driver, from Justin Maggard. 6) Fix race on dst->flags access in dst_release(), from Eric Dumazet. 7) Add missing ZLIB_INFLATE dependency for new qed driver. From Arnd Bergmann. 8) Fix multicast getsockopt deadlock, from WANG Cong. 9) Fix deadlock in btusb, from Kuba Pawlak. 10) Some ipv6_add_dev() failure paths were not cleaning up the SNMP6 counter state. From Sabrina Dubroca. 11) Fix packet_bind() race, which can cause lost notifications, from Francesco Ruggeri. 12) Fix MAC restoration in qlcnic driver during bonding mode changes, from Jarod Wilson. 13) Revert bridging forward delay change which broke libvirt and other userspace things, from Vlad Yasevich. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (65 commits) Revert "bridge: Allow forward delay to be cfgd when STP enabled" bpf_trace: Make dependent on PERF_EVENTS qed: select ZLIB_INFLATE net: fix a race in dst_release() net: mvneta: Fix memory use after free. net: Documentation: Fix default value tcp_limit_output_bytes macvtap: Resolve possible __might_sleep warning in macvtap_do_read() mvneta: add FIXED_PHY dependency net: caif: check return value of alloc_netdev net: hisilicon: NET_VENDOR_HISILICON should depend on HAS_DMA drivers: net: xgene: fix RGMII 10/100Mb mode netfilter: nft_meta: use skb_to_full_sk() helper net_sched: em_meta: use skb_to_full_sk() helper sched: cls_flow: use skb_to_full_sk() helper netfilter: xt_owner: use skb_to_full_sk() helper smack: use skb_to_full_sk() helper net: add skb_to_full_sk() helper and use it in selinux_netlbl_skbuff_setsid() bpf: doc: correct arch list for supported eBPF JIT dwc_eth_qos: Delete an unnecessary check before the function call "of_node_put" bonding: fix panic on non-ARPHRD_ETHER enslave failure ...
| * smack: use skb_to_full_sk() helperEric Dumazet2015-11-091-4/+7
| | | | | | | | | | | | | | | | | | This module wants to access sk->sk_security, which is not available for request sockets. Fixes: ca6fb0651883 ("tcp: attach SYNACK messages to request sockets instead of listener") Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * net: add skb_to_full_sk() helper and use it in selinux_netlbl_skbuff_setsid()Eric Dumazet2015-11-092-15/+3
| | | | | | | | | | | | | | | | | | | | | | | | Generalize selinux_skb_sk() added in commit 212cd0895330 ("selinux: fix random read in selinux_ip_postroute_compat()") so that we can use it other contexts. Use it right away in selinux_netlbl_skbuff_setsid() Fixes: ca6fb0651883 ("tcp: attach SYNACK messages to request sockets instead of listener") Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * selinux: fix random read in selinux_ip_postroute_compat()Eric Dumazet2015-11-051-4/+14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In commit e446f9dfe17b ("net: synack packets can be attached to request sockets"), I missed one remaining case of invalid skb->sk->sk_security access. Dmitry Vyukov got a KASan report pointing to it. Add selinux_skb_sk() helper that is responsible to get back to the listener if skb is attached to a request socket, instead of duplicating the logic. Fixes: ca6fb0651883 ("tcp: attach SYNACK messages to request sockets instead of listener") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: Dmitry Vyukov <dvyukov@google.com> Cc: Paul Moore <paul@paul-moore.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | mm, page_alloc: rename __GFP_WAIT to __GFP_RECLAIMMel Gorman2015-11-071-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | __GFP_WAIT was used to signal that the caller was in atomic context and could not sleep. Now it is possible to distinguish between true atomic context and callers that are not willing to sleep. The latter should clear __GFP_DIRECT_RECLAIM so kswapd will still wake. As clearing __GFP_WAIT behaves differently, there is a risk that people will clear the wrong flags. This patch renames __GFP_WAIT to __GFP_RECLAIM to clearly indicate what it does -- setting it allows all reclaim activity, clearing them prevents it. [akpm@linux-foundation.org: fix build] [akpm@linux-foundation.org: coding-style fixes] Signed-off-by: Mel Gorman <mgorman@techsingularity.net> Acked-by: Michal Hocko <mhocko@suse.com> Acked-by: Vlastimil Babka <vbabka@suse.cz> Acked-by: Johannes Weiner <hannes@cmpxchg.org> Cc: Christoph Lameter <cl@linux.com> Acked-by: David Rientjes <rientjes@google.com> Cc: Vitaly Wool <vitalywool@gmail.com> Cc: Rik van Riel <riel@redhat.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* | Merge branch 'next' of ↵Linus Torvalds2015-11-0625-183/+393
|\ \ | |/ |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security Pull security subsystem update from James Morris: "This is mostly maintenance updates across the subsystem, with a notable update for TPM 2.0, and addition of Jarkko Sakkinen as a maintainer of that" * 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (40 commits) apparmor: clarify CRYPTO dependency selinux: Use a kmem_cache for allocation struct file_security_struct selinux: ioctl_has_perm should be static selinux: use sprintf return value selinux: use kstrdup() in security_get_bools() selinux: use kmemdup in security_sid_to_context_core() selinux: remove pointless cast in selinux_inode_setsecurity() selinux: introduce security_context_str_to_sid selinux: do not check open perm on ftruncate call selinux: change CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE default KEYS: Merge the type-specific data with the payload data KEYS: Provide a script to extract a module signature KEYS: Provide a script to extract the sys cert list from a vmlinux file keys: Be more consistent in selection of union members used certs: add .gitignore to stop git nagging about x509_certificate_list KEYS: use kvfree() in add_key Smack: limited capability for changing process label TPM: remove unnecessary little endian conversion vTPM: support little endian guests char: Drop owner assignment from i2c_driver ...
| * Merge tag 'keys-next-20151021' of ↵James Morris2015-10-2313-75/+84
| |\ | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs into next
| | * KEYS: Merge the type-specific data with the payload dataDavid Howells2015-10-2113-67/+82
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Merge the type-specific data with the payload data into one four-word chunk as it seems pointless to keep them separate. Use user_key_payload() for accessing the payloads of overloaded user-defined keys. Signed-off-by: David Howells <dhowells@redhat.com> cc: linux-cifs@vger.kernel.org cc: ecryptfs@vger.kernel.org cc: linux-ext4@vger.kernel.org cc: linux-f2fs-devel@lists.sourceforge.net cc: linux-nfs@vger.kernel.org cc: ceph-devel@vger.kernel.org cc: linux-ima-devel@lists.sourceforge.net
| | * keys: Be more consistent in selection of union members usedInsu Yun2015-10-211-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | key->description and key->index_key.description are same because they are unioned. But, for readability, using same name for duplication and validation seems better. Signed-off-by: Insu Yun <wuninsu@gmail.com> Signed-off-by: David Howells <dhowells@redhat.com>
| | * KEYS: use kvfree() in add_keyGeliang Tang2015-10-211-7/+1
| | | | | | | | | | | | | | | | | | | | | | | | There is no need to make a flag to tell that this memory is allocated by kmalloc or vmalloc. Just use kvfree to free the memory. Signed-off-by: Geliang Tang <geliangtang@163.com> Signed-off-by: David Howells <dhowells@redhat.com>
| * | Merge branch 'upstream' of git://git.infradead.org/users/pcmoore/selinux ↵James Morris2015-10-225-45/+36
| |\ \ | | | | | | | | | | | | into next
| | * | selinux: Use a kmem_cache for allocation struct file_security_structSangwoo2015-10-211-2/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The size of struct file_security_struct is 16byte at my setup. But, the real allocation size for per each file_security_struct is 64bytes in my setup that kmalloc min size is 64bytes because ARCH_DMA_MINALIGN is 64. This allocation is called every times at file allocation(alloc_file()). So, the total slack memory size(allocated size - request size) is increased exponentially. E.g) Min Kmalloc Size : 64bytes, Unit : bytes Allocated Size | Request Size | Slack Size | Allocation Count --------------------------------------------------------------- 770048 | 192512 | 577536 | 12032 At the result, this change reduce memory usage 42bytes per each file_security_struct Signed-off-by: Sangwoo <sangwoo2.park@lge.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> [PM: removed extra subject prefix] Signed-off-by: Paul Moore <pmoore@redhat.com>
| | * | selinux: ioctl_has_perm should be staticGeliang Tang2015-10-211-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fixes the following sparse warning: security/selinux/hooks.c:3242:5: warning: symbol 'ioctl_has_perm' was not declared. Should it be static? Signed-off-by: Geliang Tang <geliangtang@163.com> Acked-by: Jeff Vander Stoep <jeffv@google.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <pmoore@redhat.com>
| | * | selinux: use sprintf return valueRasmus Villemoes2015-10-211-4/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | sprintf returns the number of characters printed (excluding '\0'), so we can use that and avoid duplicating the length computation. Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <pmoore@redhat.com>
| | * | selinux: use kstrdup() in security_get_bools()Rasmus Villemoes2015-10-211-7/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This is much simpler. Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <pmoore@redhat.com>
| | * | selinux: use kmemdup in security_sid_to_context_core()Rasmus Villemoes2015-10-211-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <pmoore@redhat.com>
| | * | selinux: remove pointless cast in selinux_inode_setsecurity()Rasmus Villemoes2015-10-211-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | security_context_to_sid() expects a const char* argument, so there's no point in casting away the const qualifier of value. Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <pmoore@redhat.com>
| | * | selinux: introduce security_context_str_to_sidRasmus Villemoes2015-10-214-25/+20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | There seems to be a little confusion as to whether the scontext_len parameter of security_context_to_sid() includes the nul-byte or not. Reading security_context_to_sid_core(), it seems that the expectation is that it does not (both the string copying and the test for scontext_len being zero hint at that). Introduce the helper security_context_str_to_sid() to do the strlen() call and fix all callers. Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <pmoore@redhat.com>
| | * | selinux: do not check open perm on ftruncate callJeff Vander Stoep2015-10-211-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Use the ATTR_FILE attribute to distinguish between truncate() and ftruncate() system calls. The two other cases where do_truncate is called with a filp (and therefore ATTR_FILE is set) are for coredump files and for open(O_TRUNC). In both of those cases the open permission has already been checked during file open and therefore does not need to be repeated. Commit 95dbf739313f ("SELinux: check OPEN on truncate calls") fixed a major issue where domains were allowed to truncate files without the open permission. However, it introduced a new bug where a domain with the write permission can no longer ftruncate files without the open permission, even when they receive an already open file. Signed-off-by: Jeff Vander Stoep <jeffv@google.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <pmoore@redhat.com>
| | * | selinux: change CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE defaultPaul Moore2015-10-211-2/+2
| | |/ | | | | | | | | | | | | | | | | | | | | | Change the SELinux checkreqprot default value to 0 so that SELinux performs access control checking on the actual memory protections used by the kernel and not those requested by the application. Signed-off-by: Paul Moore <pmoore@redhat.com>
| * / apparmor: clarify CRYPTO dependencyArnd Bergmann2015-10-221-1/+1
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The crypto framework can be built as a loadable module, but the apparmor hash code can only be built-in, which then causes a link error: security/built-in.o: In function `aa_calc_profile_hash': integrity_audit.c:(.text+0x21610): undefined reference to `crypto_shash_update' security/built-in.o: In function `init_profile_hash': integrity_audit.c:(.init.text+0xb4c): undefined reference to `crypto_alloc_shash' This changes Apparmor to use 'select CRYPTO' like a lot of other subsystems do. Signed-off-by: Arnd Bergmann <arnd@arndb.de> Acked-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <james.l.morris@oracle.com>
| * Merge branch 'smack-for-4.4' of https://github.com/cschaufler/smack-next ↵James Morris2015-10-214-47/+238
| |\ | | | | | | | | | into next
| | * Smack: limited capability for changing process labelZbigniew Jasinski2015-10-194-41/+229
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This feature introduces new kernel interface: - <smack_fs>/relabel-self - for setting transition labels list This list is used to control smack label transition mechanism. List is set by, and per process. Process can transit to new label only if label is on the list. Only process with CAP_MAC_ADMIN capability can add labels to this list. With this list, process can change it's label without CAP_MAC_ADMIN but only once. After label changing, list is unset. Changes in v2: * use list_for_each_entry instead of _rcu during label write * added missing description in security/Smack.txt Changes in v3: * squashed into one commit Changes in v4: * switch from global list to per-task list * since the per-task list is accessed only by the task itself there is no need to use synchronization mechanisms on it Changes in v5: * change smackfs interface of relabel-self to the one used for onlycap multiple labels are accepted, separated by space, which replace the previous list upon write Signed-off-by: Zbigniew Jasinski <z.jasinski@samsung.com> Signed-off-by: Rafal Krypa <r.krypa@samsung.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com>
| | * Smack: pipefs fix in smack_d_instantiateRoman Kubiak2015-10-101-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This fix writes the task label when smack_d_instantiate is called, before the label of the superblock was written on the pipe's inode. Signed-off-by: Roman Kubiak <r.kubiak@samsung.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com>
| | * Smack: Minor initialisation improvementJosé Bollo2015-10-102-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This change has two goals: - delay the setting of 'smack_enabled' until it will be really effective - ensure that smackfs is valid only if 'smack_enabled' is set (it is already the case in smack_netfilter.c) Signed-off-by: José Bollo <jose.bollo@iot.bzh> Acked-by: Casey Schaufler <casey@schaufler-ca.com>
| | * smack: smk_ipv6_port_list should be staticGeliang Tang2015-10-101-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fixes the following sparse warning: security/smack/smack_lsm.c:55:1: warning: symbol 'smk_ipv6_port_list' was not declared. Should it be static? Signed-off-by: Geliang Tang <geliangtang@163.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com>
| | * Smack: fix a NULL dereference in wrong smack_import_entry() usageLukasz Pawelczyk2015-10-101-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 'commit e774ad683f42 ("smack: pass error code through pointers")' made this function return proper error codes instead of NULL. Reflect that. This is a fix for a NULL dereference introduced in 'commit 21abb1ec414c ("Smack: IPv6 host labeling")' echo "$SOME_IPV6_ADDR \"test" > /smack/ipv6host (this should return EINVAL, it doesn't) cat /smack/ipv6host (derefences 0x000a) Signed-off-by: Lukasz Pawelczyk <l.pawelczyk@samsung.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com>
| * | Merge branch 'next' of ↵James Morris2015-10-201-1/+1
| |\ \ | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity into next
| | * | integrity: prevent loading untrusted certificates on the IMA trusted keyringDmitry Kasatkin2015-10-091-1/+1
| | |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If IMA_LOAD_X509 is enabled, either directly or indirectly via IMA_APPRAISE_SIGNED_INIT, certificates are loaded onto the IMA trusted keyring by the kernel via key_create_or_update(). When the KEY_ALLOC_TRUSTED flag is provided, certificates are loaded without first verifying the certificate is properly signed by a trusted key on the system keyring. This patch removes the KEY_ALLOC_TRUSTED flag. Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com> Cc: <stable@vger.kernel.org> # 3.19+ Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
| * | keys, trusted: seal/unseal with TPM 2.0 chipsJarkko Sakkinen2015-10-191-3/+33
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Call tpm_seal_trusted() and tpm_unseal_trusted() for TPM 2.0 chips. We require explicit 'keyhandle=' option because there's no a fixed storage root key inside TPM2 chips. Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Reviewed-by: Andreas Fuchs <andreas.fuchs@sit.fraunhofer.de> Tested-by: Mimi Zohar <zohar@linux.vnet.ibm.com> (on TPM 1.2) Tested-by: Chris J Arges <chris.j.arges@canonical.com> Tested-by: Colin Ian King <colin.king@canonical.com> Tested-by: Kevin Strasser <kevin.strasser@intel.com> Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
| * | keys, trusted: move struct trusted_key_options to trusted-type.hJarkko Sakkinen2015-10-191-11/+0
| |/ | | | | | | | | | | | | | | Moved struct trusted_key_options to trustes-type.h so that the fields can be accessed from drivers/char/tpm. Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
* | Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/netDavid S. Miller2015-11-012-2/+7
|\ \
| * | KEYS: Don't permit request_key() to construct a new keyringDavid Howells2015-10-191-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If request_key() is used to find a keyring, only do the search part - don't do the construction part if the keyring was not found by the search. We don't really want keyrings in the negative instantiated state since the rejected/negative instantiation error value in the payload is unioned with keyring metadata. Now the kernel gives an error: request_key("keyring", "#selinux,bdekeyring", "keyring", KEY_SPEC_USER_SESSION_KEYRING) = -1 EPERM (Operation not permitted) Signed-off-by: David Howells <dhowells@redhat.com>
| * | KEYS: Fix crash when attempt to garbage collect an uninstantiated keyringDavid Howells2015-10-151-2/+4
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The following sequence of commands: i=`keyctl add user a a @s` keyctl request2 keyring foo bar @t keyctl unlink $i @s tries to invoke an upcall to instantiate a keyring if one doesn't already exist by that name within the user's keyring set. However, if the upcall fails, the code sets keyring->type_data.reject_error to -ENOKEY or some other error code. When the key is garbage collected, the key destroy function is called unconditionally and keyring_destroy() uses list_empty() on keyring->type_data.link - which is in a union with reject_error. Subsequently, the kernel tries to unlink the keyring from the keyring names list - which oopses like this: BUG: unable to handle kernel paging request at 00000000ffffff8a IP: [<ffffffff8126e051>] keyring_destroy+0x3d/0x88 ... Workqueue: events key_garbage_collector ... RIP: 0010:[<ffffffff8126e051>] keyring_destroy+0x3d/0x88 RSP: 0018:ffff88003e2f3d30 EFLAGS: 00010203 RAX: 00000000ffffff82 RBX: ffff88003bf1a900 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 000000003bfc6901 RDI: ffffffff81a73a40 RBP: ffff88003e2f3d38 R08: 0000000000000152 R09: 0000000000000000 R10: ffff88003e2f3c18 R11: 000000000000865b R12: ffff88003bf1a900 R13: 0000000000000000 R14: ffff88003bf1a908 R15: ffff88003e2f4000 ... CR2: 00000000ffffff8a CR3: 000000003e3ec000 CR4: 00000000000006f0 ... Call Trace: [<ffffffff8126c756>] key_gc_unused_keys.constprop.1+0x5d/0x10f [<ffffffff8126ca71>] key_garbage_collector+0x1fa/0x351 [<ffffffff8105ec9b>] process_one_work+0x28e/0x547 [<ffffffff8105fd17>] worker_thread+0x26e/0x361 [<ffffffff8105faa9>] ? rescuer_thread+0x2a8/0x2a8 [<ffffffff810648ad>] kthread+0xf3/0xfb [<ffffffff810647ba>] ? kthread_create_on_node+0x1c2/0x1c2 [<ffffffff815f2ccf>] ret_from_fork+0x3f/0x70 [<ffffffff810647ba>] ? kthread_create_on_node+0x1c2/0x1c2 Note the value in RAX. This is a 32-bit representation of -ENOKEY. The solution is to only call ->destroy() if the key was successfully instantiated. Reported-by: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: David Howells <dhowells@redhat.com> Tested-by: Dmitry Vyukov <dvyukov@google.com>
* | Merge branch 'master' of ↵Pablo Neira Ayuso2015-10-171-4/+8
|\ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next This merge resolves conflicts with 75aec9df3a78 ("bridge: Remove br_nf_push_frag_xmit_sk") as part of Eric Biederman's effort to improve netns support in the network stack that reached upstream via David's net-next tree. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Conflicts: net/bridge/br_netfilter_hooks.c
| * | net: synack packets can be attached to request socketsEric Dumazet2015-10-111-4/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | selinux needs few changes to accommodate fact that SYNACK messages can be attached to a request socket, lacking sk_security pointer (Only syncookies are still attached to a TCP_LISTEN socket) Adds a new sk_listener() helper, and use it in selinux and sch_fq Fixes: ca6fb0651883 ("tcp: attach SYNACK messages to request sockets instead of listener") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported by: kernel test robot <ying.huang@linux.intel.com> Cc: Paul Moore <paul@paul-moore.com> Cc: Stephen Smalley <sds@tycho.nsa.gov> Cc: Eric Paris <eparis@parisplace.org> Acked-by: Paul Moore <paul@paul-moore.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | netfilter: remove hook owner refcountingFlorian Westphal2015-10-162-7/+0
|/ / | | | | | | | | | | | | | | | | | | | | since commit 8405a8fff3f8 ("netfilter: nf_qeueue: Drop queue entries on nf_unregister_hook") all pending queued entries are discarded. So we can simply remove all of the owner handling -- when module is removed it also needs to unregister all its hooks. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/netDavid S. Miller2015-10-021-4/+4
|\| | | | | | | | | | | | | | | | | Conflicts: net/dsa/slave.c net/dsa/slave.c simply had overlapping changes. Signed-off-by: David S. Miller <davem@davemloft.net>
| * KEYS: Fix race between key destruction and finding a keyring by nameDavid Howells2015-09-251-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | There appears to be a race between: (1) key_gc_unused_keys() which frees key->security and then calls keyring_destroy() to unlink the name from the name list (2) find_keyring_by_name() which calls key_permission(), thus accessing key->security, on a key before checking to see whether the key usage is 0 (ie. the key is dead and might be cleaned up). Fix this by calling ->destroy() before cleaning up the core key data - including key->security. Reported-by: Petr Matousek <pmatouse@redhat.com> Signed-off-by: David Howells <dhowells@redhat.com>
* | Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/netDavid S. Miller2015-09-271-1/+1
|\| | | | | | | | | | | | | | | | | | | Conflicts: net/ipv4/arp.c The net/ipv4/arp.c conflict was one commit adding a new local variable while another commit was deleting one. Signed-off-by: David S. Miller <davem@davemloft.net>
| * Merge branch 'core-urgent-for-linus' of ↵Linus Torvalds2015-09-171-1/+1
| |\ | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull RCU fix from Ingo Molnar: "Fix a false positive warning" * 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: security/device_cgroup: Fix RCU_LOCKDEP_WARN() condition
| | * Merge branch 'for-mingo' of ↵Ingo Molnar2015-09-121-1/+1
| | |\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/paulmck/linux-rcu into core/urgent Pull RCU fix from Paul E. McKenney, fixing an inverted RCU_LOCKDEP_WARN() condition. Signed-off-by: Ingo Molnar <mingo@kernel.org>
| | | * security/device_cgroup: Fix RCU_LOCKDEP_WARN() conditionPaul E. McKenney2015-09-041-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | f78f5b90c4ff ("rcu: Rename rcu_lockdep_assert() to RCU_LOCKDEP_WARN()") introduced a bug by incorrectly inverting the condition when moving from rcu_lockdep_assert() to RCU_LOCKDEP_WARN(). This commit therefore fixes the inversion. Reported-by: Felipe Balbi <balbi@ti.com> Reported-by: Tejun Heo <tj@kernel.org> Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com> Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Tested-by: Josh Boyer <jwboyer@fedoraproject.org>
* | | | netfilter: Pass priv instead of nf_hook_ops to netfilter hooksEric W. Biederman2015-09-182-7/+7
|/ / / | | | | | | | | | | | | | | | | | | | | | | | | Only pass the void *priv parameter out of the nf_hook_ops. That is all any of the functions are interested now, and by limiting what is passed it becomes simpler to change implementation details. Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | | mm: mark most vm_operations_struct constKirill A. Shutemov2015-09-101-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | With two exceptions (drm/qxl and drm/radeon) all vm_operations_struct structs should be constant. Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com> Reviewed-by: Oleg Nesterov <oleg@redhat.com> Cc: "H. Peter Anvin" <hpa@zytor.com> Cc: Andy Lutomirski <luto@amacapital.net> Cc: Dave Hansen <dave.hansen@linux.intel.com> Cc: Ingo Molnar <mingo@elte.hu> Cc: Minchan Kim <minchan@kernel.org> Cc: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* | | Merge branch 'next' of ↵Linus Torvalds2015-09-0820-362/+1732
|\ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security Pull security subsystem updates from James Morris: "Highlights: - PKCS#7 support added to support signed kexec, also utilized for module signing. See comments in 3f1e1bea. ** NOTE: this requires linking against the OpenSSL library, which must be installed, e.g. the openssl-devel on Fedora ** - Smack - add IPv6 host labeling; ignore labels on kernel threads - support smack labeling mounts which use binary mount data - SELinux: - add ioctl whitelisting (see http://kernsec.org/files/lss2015/vanderstoep.pdf) - fix mprotect PROT_EXEC regression caused by mm change - Seccomp: - add ptrace options for suspend/resume" * 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (57 commits) PKCS#7: Add OIDs for sha224, sha284 and sha512 hash algos and use them Documentation/Changes: Now need OpenSSL devel packages for module signing scripts: add extract-cert and sign-file to .gitignore modsign: Handle signing key in source tree modsign: Use if_changed rule for extracting cert from module signing key Move certificate handling to its own directory sign-file: Fix warning about BIO_reset() return value PKCS#7: Add MODULE_LICENSE() to test module Smack - Fix build error with bringup unconfigured sign-file: Document dependency on OpenSSL devel libraries PKCS#7: Appropriately restrict authenticated attributes and content type KEYS: Add a name for PKEY_ID_PKCS7 PKCS#7: Improve and export the X.509 ASN.1 time object decoder modsign: Use extract-cert to process CONFIG_SYSTEM_TRUSTED_KEYS extract-cert: Cope with multiple X.509 certificates in a single file sign-file: Generate CMS message as signature instead of PKCS#7 PKCS#7: Support CMS messages also [RFC5652] X.509: Change recorded SKID & AKID to not include Subject or Issuer PKCS#7: Check content type and versions MAINTAINERS: The keyrings mailing list has moved ...
| * \ \ Merge branch 'next' of git://git.infradead.org/users/pcmoore/selinux into nextJames Morris2015-08-1512-110/+907
| |\ \ \
| | * | | selinux: Create a common helper to determine an inode label [ver #3]David Howells2015-07-131-46/+41
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Create a common helper function to determine the label for a new inode. This is then used by: - may_create() - selinux_dentry_init_security() - selinux_inode_init_security() This will change the behaviour of the functions slightly, bringing them all into line. Suggested-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <pmoore@redhat.com>
| | * | | selinux: Augment BUG_ON assertion for secclass_map.Stephen Smalley2015-07-131-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Ensure that we catch any cases where tclass == 0. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <pmoore@redhat.com>
| | * | | selinux: initialize sock security class to default valueStephen Smalley2015-07-131-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Initialize the security class of sock security structures to the generic socket class. This is similar to what is already done in inode_alloc_security for files. Generally the sclass field will later by set by socket_post_create or sk_clone or sock_graft, but for protocol implementations that fail to call any of these for newly accepted sockets, we want some sane default that will yield a legitimate avc denied message with non-garbage values for class and permission. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <pmoore@redhat.com>