linux-stable.git/security/tomoyo, branch v5.3.2 Linux kernel stable tree treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21T08:50:46+00:00 Thomas Gleixner tglx@linutronix.de 2019-05-19T12:07:45+00:00 ec8f24b7faaf3d4799a7c3f4c1b87f6b02778ad1 Add SPDX license identifiers to all Make/Kconfig files which: - Have no license information of any form These files fall under the project license, GPL v2 only. The resulting SPDX license identifier is: GPL-2.0-only Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Add SPDX license identifiers to all Make/Kconfig files which:

 - Have no license information of any form

These files fall under the project license, GPL v2 only. The resulting SPDX
license identifier is:

  GPL-2.0-only

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
tomoyo: Don't emit WARNING: string while fuzzing testing. 2019-05-10T21:58:35+00:00 Tetsuo Handa penguin-kernel@I-love.SAKURA.ne.jp 2019-05-07T11:34:22+00:00 4ad98ac46490d5f8441025930070eaf028cfd0f2 Commit cff0e6c3ec3e6230 ("tomoyo: Add a kernel config option for fuzzing testing.") enabled the learning mode, but syzkaller is detecting any "WARNING:" string as a crash. Thus, disable TOMOYO's quota warning if built for fuzzing testing. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Cc: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: James Morris <jamorris@linux.microsoft.com> 
Commit cff0e6c3ec3e6230 ("tomoyo: Add a kernel config option for fuzzing
testing.") enabled the learning mode, but syzkaller is detecting any
"WARNING:" string as a crash. Thus, disable TOMOYO's quota warning if
built for fuzzing testing.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: James Morris <jamorris@linux.microsoft.com>
tomoyo: Change pathname calculation for read-only filesystems. 2019-05-10T21:58:30+00:00 Tetsuo Handa penguin-kernel@I-love.SAKURA.ne.jp 2019-02-27T14:19:24+00:00 27df4b4a1b5fe2bef54ebc49d64bf5b39125f26a Commit 5625f2e3266319fd ("TOMOYO: Change pathname for non-rename()able filesystems.") intended to be applied to filesystems where the content is not controllable from the userspace (e.g. proc, sysfs, securityfs), based on an assumption that such filesystems do not support rename() operation. But it turned out that read-only filesystems also do not support rename() operation despite the content is controllable from the userspace, and that commit is annoying TOMOYO users who want to use e.g. squashfs as the root filesystem due to use of local name which does not start with '/'. Therefore, based on an assumption that filesystems which require the device argument upon mount() request is an indication that the content is controllable from the userspace, do not use local name if a filesystem does not support rename() operation but requires the device argument upon mount() request. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jamorris@linux.microsoft.com> 
Commit 5625f2e3266319fd ("TOMOYO: Change pathname for non-rename()able
filesystems.") intended to be applied to filesystems where the content is
not controllable from the userspace (e.g. proc, sysfs, securityfs), based
on an assumption that such filesystems do not support rename() operation.

But it turned out that read-only filesystems also do not support rename()
operation despite the content is controllable from the userspace, and that
commit is annoying TOMOYO users who want to use e.g. squashfs as the root
filesystem due to use of local name which does not start with '/'.

Therefore, based on an assumption that filesystems which require the
device argument upon mount() request is an indication that the content
is controllable from the userspace, do not use local name if a filesystem
does not support rename() operation but requires the device argument upon
mount() request.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jamorris@linux.microsoft.com>
tomoyo: Check address length before reading address family 2019-05-10T21:58:25+00:00 Tetsuo Handa penguin-kernel@I-love.SAKURA.ne.jp 2019-04-12T10:59:36+00:00 e6193f78bb689f3f424559bb45f4a091c8b314df KMSAN will complain if valid address length passed to bind()/connect()/ sendmsg() is shorter than sizeof("struct sockaddr"->sa_family) bytes. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jamorris@linux.microsoft.com> 
KMSAN will complain if valid address length passed to bind()/connect()/
sendmsg() is shorter than sizeof("struct sockaddr"->sa_family) bytes.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jamorris@linux.microsoft.com>
tomoyo: Add a kernel config option for fuzzing testing. 2019-05-10T21:58:11+00:00 Tetsuo Handa penguin-kernel@I-love.SAKURA.ne.jp 2019-04-12T11:04:54+00:00 e80b18599a39a625bc8b2e39ba3004a62f78805a syzbot is reporting kernel panic triggered by memory allocation fault injection before loading TOMOYO's policy [1]. To make the fuzzing tests useful, we need to assign a profile other than "disabled" (no-op) mode. Therefore, let's allow syzbot to load TOMOYO's built-in policy for "learning" mode using a kernel config option. This option must not be enabled for kernels built for production system, for this option also disables domain/program checks when modifying policy configuration via /sys/kernel/security/tomoyo/ interface. [1] https://syzkaller.appspot.com/bug?extid=29569ed06425fcf67a95 Reported-by: syzbot <syzbot+e1b8084e532b6ee7afab@syzkaller.appspotmail.com> Reported-by: syzbot <syzbot+29569ed06425fcf67a95@syzkaller.appspotmail.com> Reported-by: syzbot <syzbot+2ee3f8974c2e7dc69feb@syzkaller.appspotmail.com> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jamorris@linux.microsoft.com> 
syzbot is reporting kernel panic triggered by memory allocation fault
injection before loading TOMOYO's policy [1]. To make the fuzzing tests
useful, we need to assign a profile other than "disabled" (no-op) mode.
Therefore, let's allow syzbot to load TOMOYO's built-in policy for
"learning" mode using a kernel config option. This option must not be
enabled for kernels built for production system, for this option also
disables domain/program checks when modifying policy configuration via
/sys/kernel/security/tomoyo/ interface.

[1] https://syzkaller.appspot.com/bug?extid=29569ed06425fcf67a95

Reported-by: syzbot <syzbot+e1b8084e532b6ee7afab@syzkaller.appspotmail.com>
Reported-by: syzbot <syzbot+29569ed06425fcf67a95@syzkaller.appspotmail.com>
Reported-by: syzbot <syzbot+2ee3f8974c2e7dc69feb@syzkaller.appspotmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jamorris@linux.microsoft.com>
tomoyo: Bump version. 2019-02-19T22:17:25+00:00 Tetsuo Handa penguin-kernel@I-love.SAKURA.ne.jp 2019-02-17T06:52:47+00:00 861f4bcffcc9d8bca93374ad555801d990cb980c Update URLs and profile version. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <james.morris@microsoft.com> 
Update URLs and profile version.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <james.morris@microsoft.com>
tomoyo: Allow multiple use_group lines. 2019-01-24T22:50:27+00:00 Tetsuo Handa penguin-kernel@I-love.SAKURA.ne.jp 2019-01-24T09:37:36+00:00 4b42564181d683d767b495d7041b1f229468042f Being able to specify multiple "use_group" lines makes it easier to write whitelisted policies. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <james.morris@microsoft.com> 
Being able to specify multiple "use_group" lines makes it
easier to write whitelisted policies.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <james.morris@microsoft.com>
tomoyo: Coding style fix. 2019-01-24T22:50:27+00:00 Tetsuo Handa penguin-kernel@I-love.SAKURA.ne.jp 2019-01-24T09:37:35+00:00 cdcf6723add57a0ffb37cfde1ca54a00f5715b71 Follow many of recommendations by scripts/checkpatch.pl, and follow "lift switch variables out of switches" by Kees Cook. This patch makes no functional change. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <james.morris@microsoft.com> 
Follow many of recommendations by scripts/checkpatch.pl, and follow
"lift switch variables out of switches" by Kees Cook.
This patch makes no functional change.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <james.morris@microsoft.com>
tomoyo: Swicth from cred->security to task_struct->security. 2019-01-23T19:36:15+00:00 Tetsuo Handa penguin-kernel@I-love.SAKURA.ne.jp 2019-01-19T14:11:40+00:00 8c6cb983cd52d78ab4e4c0191c73a11dcb60b866 TOMOYO security module is designed to use "struct task_struct"->security in order to allow per "struct task_struct" tracking without being disturbed by unable to update "struct cred"->security due to override mechanism. Now that infrastructure-managed security blob is ready, this patch updates TOMOYO to use "struct task_struct"->security. Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <james.morris@microsoft.com> 
TOMOYO security module is designed to use "struct task_struct"->security
in order to allow per "struct task_struct" tracking without being disturbed
by unable to update "struct cred"->security due to override mechanism.

Now that infrastructure-managed security blob is ready, this patch updates
TOMOYO to use "struct task_struct"->security.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <james.morris@microsoft.com>
LSM: Make lsm_early_cred() and lsm_early_task() local functions. 2019-01-18T19:44:02+00:00 Tetsuo Handa penguin-kernel@I-love.SAKURA.ne.jp 2019-01-18T10:15:59+00:00 1cfb2a512e74e577bb0ed7c8d76df90a41a83f6a Since current->cred == current->real_cred when ordered_lsm_init() is called, and lsm_early_cred()/lsm_early_task() need to be called between the amount of required bytes is determined and module specific initialization function is called, we can move these calls from individual modules to ordered_lsm_init(). Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Acked-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: James Morris <james.morris@microsoft.com> 
Since current->cred == current->real_cred when ordered_lsm_init()
is called, and lsm_early_cred()/lsm_early_task() need to be called
between the amount of required bytes is determined and module specific
initialization function is called, we can move these calls from
individual modules to ordered_lsm_init().

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: James Morris <james.morris@microsoft.com>