<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/git/stable/linux.git/security/smack, branch linux-2.6.29.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<id>https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/atom?h=linux-2.6.29.y</id>
<link rel='self' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/atom?h=linux-2.6.29.y'/>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/'/>
<updated>2009-05-18T23:34:54+00:00</updated>
<entry>
<title>smack: Set the proper NetLabel security attributes for connection requests</title>
<updated>2009-05-18T23:34:54+00:00</updated>
<author>
<name>Paul Moore</name>
<email>paul.moore@hp.com</email>
</author>
<published>2009-05-08T21:59:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=6c3823bc3abf2d10f9220cb1847060aa20cee77e'/>
<id>urn:sha1:6c3823bc3abf2d10f9220cb1847060aa20cee77e</id>
<content type='text'>
[NOTE: based on 07feee8f812f7327a46186f7604df312c8c81962]

This patch ensures the correct labeling of new network connection requests
using Smack and NetLabel.

Signed-off-by: Paul Moore &lt;paul.moore@hp.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;
</content>
</entry>
<entry>
<title>security/smack: fix oops when setting a size 0 SMACK64 xattr</title>
<updated>2009-04-27T17:36:51+00:00</updated>
<author>
<name>Etienne Basset</name>
<email>etienne.basset@numericable.fr</email>
</author>
<published>2009-03-31T21:54:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=97ecdadc284e820931f27c6345b0ff8b85792346'/>
<id>urn:sha1:97ecdadc284e820931f27c6345b0ff8b85792346</id>
<content type='text'>
upstream commit: 4303154e86597885bc3cbc178a48ccbc8213875f

this patch fix an oops in smack when setting a size 0 SMACK64 xattr eg  
attr -S -s SMACK64  -V '' somefile
This oops because smk_import_entry treats a 0 length as SMK_MAXLEN

Signed-off-by: Etienne Basset &lt;etienne.basset@numericable.fr&gt;
Reviewed-by: James Morris &lt;jmorris@namei.org&gt;
Acked-by: Casey Schaufler &lt;casey@schaufler-ca.com&gt;
Signed-off-by: Chris Wright &lt;chrisw@sous-sol.org&gt;
</content>
</entry>
<entry>
<title>smack: fixes for unlabeled host support</title>
<updated>2009-03-04T21:36:34+00:00</updated>
<author>
<name>etienne</name>
<email>etienne.basset@numericable.fr</email>
</author>
<published>2009-03-04T06:33:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=211a40c0870457b29100cffea0180fa5083caf96'/>
<id>urn:sha1:211a40c0870457b29100cffea0180fa5083caf96</id>
<content type='text'>
The following patch (against 2.6.29rc5) fixes a few issues in the
smack/netlabel "unlabeled host support" functionnality that was added in
2.6.29rc.  It should go in before -final.

1) smack_host_label disregard a "0.0.0.0/0 @" rule (or other label),
preventing 'tagged' tasks to access Internet (many systems drop packets with
IP options)

2) netmasks were not handled correctly, they were stored in a way _not
equivalent_ to conversion to be32 (it was equivalent for /0, /8, /16, /24,
/32 masks but not other masks)

3) smack_netlbladdr prefixes (IP/mask) were not consistent (mask&amp;IP was not
done), so there could have been different list entries for the same IP
prefix; if those entries had different labels, well ...

4) they were not sorted

1) 2) 3) are bugs, 4) is a more cosmetic issue.
The patch :

-creates a new helper smk_netlbladdr_insert to insert a smk_netlbladdr,
-sorted by netmask length

-use the new sorted nature of  smack_netlbladdrs list to simplify
 smack_host_label : the first match _will_ be the more specific

-corrects endianness issues in smk_write_netlbladdr &amp;  netlbladdr_seq_show

Signed-off-by: &lt;etienne.basset@numericable.fr&gt;
Acked-by: Casey Schaufler &lt;casey@schaufler-ca.com&gt;
Reviewed-by: Paul Moore &lt;paul.moore@hp.com&gt;
Signed-off-by: James Morris &lt;jmorris@namei.org&gt;
</content>
</entry>
<entry>
<title>smackfs load append mode fix</title>
<updated>2009-01-28T04:13:32+00:00</updated>
<author>
<name>Casey Schaufler</name>
<email>casey@schaufler-ca.com</email>
</author>
<published>2009-01-28T03:56:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=152a649b647a8ef47bb74ff9e11850fa6001bedc'/>
<id>urn:sha1:152a649b647a8ef47bb74ff9e11850fa6001bedc</id>
<content type='text'>
Given just how hard it is to find the code that uses MAY_APPEND
it's probably not a big surprise that this went unnoticed for so
long. The Smack rules loading code is incorrectly setting the
MAY_READ bit when MAY_APPEND is requested.

Signed-off-by: Casey Schaufler &lt;casey@schaufler-ca.com&gt;
Reviewed-by: James Morris &lt;jmorris@namei.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</content>
</entry>
<entry>
<title>remove lots of double-semicolons</title>
<updated>2009-01-08T16:31:14+00:00</updated>
<author>
<name>Fernando Carrijo</name>
<email>fcarrijo@yahoo.com.br</email>
</author>
<published>2009-01-08T02:09:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=c19a28e1193a6c854738d609ae9b2fe2f6e6bea4'/>
<id>urn:sha1:c19a28e1193a6c854738d609ae9b2fe2f6e6bea4</id>
<content type='text'>
Cc: Ingo Molnar &lt;mingo@elte.hu&gt;
Cc: Thomas Gleixner &lt;tglx@linutronix.de&gt;
Acked-by: Theodore Ts'o &lt;tytso@mit.edu&gt;
Acked-by: Mark Fasheh &lt;mfasheh@suse.com&gt;
Acked-by: David S. Miller &lt;davem@davemloft.net&gt;
Cc: James Morris &lt;jmorris@namei.org&gt;
Acked-by: Casey Schaufler &lt;casey@schaufler-ca.com&gt;
Acked-by: Takashi Iwai &lt;tiwai@suse.de&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</content>
</entry>
<entry>
<title>Merge branch 'next' into for-linus</title>
<updated>2009-01-06T22:58:22+00:00</updated>
<author>
<name>James Morris</name>
<email>jmorris@namei.org</email>
</author>
<published>2009-01-06T22:58:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=ac8cc0fa5395fe2278e305a4cbed48e90d88d878'/>
<id>urn:sha1:ac8cc0fa5395fe2278e305a4cbed48e90d88d878</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Revert "CRED: Fix regression in cap_capable() as shown up by sys_faccessat() [ver #2]"</title>
<updated>2009-01-06T22:21:54+00:00</updated>
<author>
<name>James Morris</name>
<email>jmorris@namei.org</email>
</author>
<published>2009-01-06T22:21:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=29881c4502ba05f46bc12ae8053d4e08d7e2615c'/>
<id>urn:sha1:29881c4502ba05f46bc12ae8053d4e08d7e2615c</id>
<content type='text'>
This reverts commit 14eaddc967b16017d4a1a24d2be6c28ecbe06ed8.

David has a better version to come.
</content>
</entry>
<entry>
<title>CRED: Fix regression in cap_capable() as shown up by sys_faccessat() [ver #2]</title>
<updated>2009-01-05T00:17:04+00:00</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2008-12-31T15:15:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=14eaddc967b16017d4a1a24d2be6c28ecbe06ed8'/>
<id>urn:sha1:14eaddc967b16017d4a1a24d2be6c28ecbe06ed8</id>
<content type='text'>
Fix a regression in cap_capable() due to:

	commit 5ff7711e635b32f0a1e558227d030c7e45b4a465
	Author: David Howells &lt;dhowells@redhat.com&gt;
	Date:   Wed Dec 31 02:52:28 2008 +0000

	    CRED: Differentiate objective and effective subjective credentials on a task

The problem is that the above patch allows a process to have two sets of
credentials, and for the most part uses the subjective credentials when
accessing current's creds.

There is, however, one exception: cap_capable(), and thus capable(), uses the
real/objective credentials of the target task, whether or not it is the current
task.

Ordinarily this doesn't matter, since usually the two cred pointers in current
point to the same set of creds.  However, sys_faccessat() makes use of this
facility to override the credentials of the calling process to make its test,
without affecting the creds as seen from other processes.

One of the things sys_faccessat() does is to make an adjustment to the
effective capabilities mask, which cap_capable(), as it stands, then ignores.

The affected capability check is in generic_permission():

	if (!(mask &amp; MAY_EXEC) || execute_ok(inode))
		if (capable(CAP_DAC_OVERRIDE))
			return 0;

This change splits capable() from has_capability() down into the commoncap and
SELinux code.  The capable() security op now only deals with the current
process, and uses the current process's subjective creds.  A new security op -
task_capable() - is introduced that can check any task's objective creds.

strictly the capable() security op is superfluous with the presence of the
task_capable() op, however it should be faster to call the capable() op since
two fewer arguments need be passed down through the various layers.

This can be tested by compiling the following program from the XFS testsuite:

/*
 *  t_access_root.c - trivial test program to show permission bug.
 *
 *  Written by Michael Kerrisk - copyright ownership not pursued.
 *  Sourced from: http://linux.derkeiler.com/Mailing-Lists/Kernel/2003-10/6030.html
 */
#include &lt;limits.h&gt;
#include &lt;unistd.h&gt;
#include &lt;stdio.h&gt;
#include &lt;stdlib.h&gt;
#include &lt;fcntl.h&gt;
#include &lt;sys/stat.h&gt;

#define UID 500
#define GID 100
#define PERM 0
#define TESTPATH "/tmp/t_access"

static void
errExit(char *msg)
{
    perror(msg);
    exit(EXIT_FAILURE);
} /* errExit */

static void
accessTest(char *file, int mask, char *mstr)
{
    printf("access(%s, %s) returns %d\n", file, mstr, access(file, mask));
} /* accessTest */

int
main(int argc, char *argv[])
{
    int fd, perm, uid, gid;
    char *testpath;
    char cmd[PATH_MAX + 20];

    testpath = (argc &gt; 1) ? argv[1] : TESTPATH;
    perm = (argc &gt; 2) ? strtoul(argv[2], NULL, 8) : PERM;
    uid = (argc &gt; 3) ? atoi(argv[3]) : UID;
    gid = (argc &gt; 4) ? atoi(argv[4]) : GID;

    unlink(testpath);

    fd = open(testpath, O_RDWR | O_CREAT, 0);
    if (fd == -1) errExit("open");

    if (fchown(fd, uid, gid) == -1) errExit("fchown");
    if (fchmod(fd, perm) == -1) errExit("fchmod");
    close(fd);

    snprintf(cmd, sizeof(cmd), "ls -l %s", testpath);
    system(cmd);

    if (seteuid(uid) == -1) errExit("seteuid");

    accessTest(testpath, 0, "0");
    accessTest(testpath, R_OK, "R_OK");
    accessTest(testpath, W_OK, "W_OK");
    accessTest(testpath, X_OK, "X_OK");
    accessTest(testpath, R_OK | W_OK, "R_OK | W_OK");
    accessTest(testpath, R_OK | X_OK, "R_OK | X_OK");
    accessTest(testpath, W_OK | X_OK, "W_OK | X_OK");
    accessTest(testpath, R_OK | W_OK | X_OK, "R_OK | W_OK | X_OK");

    exit(EXIT_SUCCESS);
} /* main */

This can be run against an Ext3 filesystem as well as against an XFS
filesystem.  If successful, it will show:

	[root@andromeda src]# ./t_access_root /tmp/xxx 0 4043 4043
	---------- 1 dhowells dhowells 0 2008-12-31 03:00 /tmp/xxx
	access(/tmp/xxx, 0) returns 0
	access(/tmp/xxx, R_OK) returns 0
	access(/tmp/xxx, W_OK) returns 0
	access(/tmp/xxx, X_OK) returns -1
	access(/tmp/xxx, R_OK | W_OK) returns 0
	access(/tmp/xxx, R_OK | X_OK) returns -1
	access(/tmp/xxx, W_OK | X_OK) returns -1
	access(/tmp/xxx, R_OK | W_OK | X_OK) returns -1

If unsuccessful, it will show:

	[root@andromeda src]# ./t_access_root /tmp/xxx 0 4043 4043
	---------- 1 dhowells dhowells 0 2008-12-31 02:56 /tmp/xxx
	access(/tmp/xxx, 0) returns 0
	access(/tmp/xxx, R_OK) returns -1
	access(/tmp/xxx, W_OK) returns -1
	access(/tmp/xxx, X_OK) returns -1
	access(/tmp/xxx, R_OK | W_OK) returns -1
	access(/tmp/xxx, R_OK | X_OK) returns -1
	access(/tmp/xxx, W_OK | X_OK) returns -1
	access(/tmp/xxx, R_OK | W_OK | X_OK) returns -1

I've also tested the fix with the SELinux and syscalls LTP testsuites.

Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Signed-off-by: James Morris &lt;jmorris@namei.org&gt;
</content>
</entry>
<entry>
<title>audit: validate comparison operations, store them in sane form</title>
<updated>2009-01-04T20:14:42+00:00</updated>
<author>
<name>Al Viro</name>
<email>viro@zeniv.linux.org.uk</email>
</author>
<published>2008-12-16T10:59:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=5af75d8d58d0f9f7b7c0515b35786b22892d5f12'/>
<id>urn:sha1:5af75d8d58d0f9f7b7c0515b35786b22892d5f12</id>
<content type='text'>
Don't store the field-&gt;op in the messy (and very inconvenient for e.g.
audit_comparator()) form; translate to dense set of values and do full
validation of userland-submitted value while we are at it.

-&gt;audit_init_rule() and -&gt;audit_match_rule() get new values now; in-tree
instances updated.

Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
</content>
</entry>
<entry>
<title>smack: Add support for unlabeled network hosts and networks</title>
<updated>2008-12-31T17:54:12+00:00</updated>
<author>
<name>Casey Schaufler</name>
<email>casey@schaufler-ca.com</email>
</author>
<published>2008-12-31T17:54:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=6d3dc07cbb1e88deed2e8710e215f232a56b1dce'/>
<id>urn:sha1:6d3dc07cbb1e88deed2e8710e215f232a56b1dce</id>
<content type='text'>
Add support for unlabeled network hosts and networks.
Relies heavily on Paul Moore's netlabel support.

Creates a new entry in /smack called netlabel. Writes to /smack/netlabel
take the form:

    A.B.C.D LABEL
or
    A.B.C.D/N LABEL

where A.B.C.D is a network address, N is an integer between 0-32,
and LABEL is the Smack label to be used. If /N is omitted /32 is
assumed. N designates the netmask for the address. Entries are
matched by the most specific address/mask pair. 0.0.0.0/0 will
match everything, while 192.168.1.117/32 will match exactly one
host.

A new system label "@", pronounced "web", is defined. Processes
can not be assigned the web label. An address assigned the web
label can be written to by any process, and packets coming from
a web address can be written to any socket. Use of the web label
is a violation of any strict MAC policy, but the web label has
been requested many times.

The nltype entry has been removed from /smack. It did not work right
and the netlabel interface can be used to specify that all hosts
be treated as unlabeled.

CIPSO labels on incoming packets will be honored, even from designated
single label hosts. Single label hosts can only be written to by
processes with labels that can write to the label of the host.
Packets sent to single label hosts will always be unlabeled.

Once added a single label designation cannot be removed, however
the label may be changed.

The behavior of the ambient label remains unchanged.


Signed-off-by: Casey Schaufler &lt;casey@schaufler-ca.com&gt;
Signed-off-by: Paul Moore &lt;paul.moore@hp.com&gt;
</content>
</entry>
</feed>
