Subject: [PATCH] sysctl: require CAP_SYS_RAWIO to set mmap_min_addr
Currently the mmap_min_addr value can only be bypassed during mmap when
the task has CAP_SYS_RAWIO. However, the mmap_min_addr sysctl value itself
can be adjusted to 0 if euid == 0, allowing a bypass without CAP_SYS_RAWIO.
This patch adds a check for the capability before allowing mmap_min_addr to
be changed.
Signed-off-by: Kees Cook <kees.cook@xxxxxxxxxxxxx>
---
security/min_addr.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/security/min_addr.c b/security/min_addr.c
index c844eed..fc43c9d 100644
--- a/security/min_addr.c
+++ b/security/min_addr.c
@@ -33,6 +33,9 @@ int mmap_min_addr_handler(struct ctl_table *table, int write,
{
int ret;
+ if (!capable(CAP_SYS_RAWIO))
+ return -EPERM;
+
ret = proc_doulongvec_minmax(table, write, buffer, lenp, ppos);
update_mmap_min_addr();
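Review bot: the capability check added at the top of mmap_min_addr_handler() does not test the `write` argument visible in the hunk header, so it also refuses reads of the sysctl by tasks without CAP_SYS_RAWIO; suggest `if (write && !capable(CAP_SYS_RAWIO))` so that only changes to the value are gated, which is all the commit message describes.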
--
1.6.5
--
Kees Cook
Ubuntu Security Team
--
To unsubscribe from this list: send the line "unsubscribe
linux-security-module" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Previous Message by Date:
Re: [Patch 0/12] AppArmor security module
Tetsuo Handa wrote:
> Hello.
>
> I browsed using lxr.
>
>
>
>> static int aa_audit_caps(struct aa_profile *profile, struct aa_audit_caps *sa)
> ...snipped...
>> ent = &get_cpu_var(audit_cache);
>> if (sa->base.task == ent->task && cap_raised(ent->caps, sa->cap)) {
>
> put_cpu_var(audit_cache); ?
>
yep thanks for the catch
>> if (PROFILE_COMPLAIN(profile))
>> return 0;
>> return sa->base.error;
>> } else {
>> ent->task = sa->base.task;
>> cap_raise(ent->caps, sa->cap);
>> }
>> put_cpu_var(audit_cache);
> ...snipped...
>
>
>
> Regarding unpack_*(), I'm not sure, but e seems to be no longer used once
> unpack_*() has failed. If so, we can remove
>
>> void *pos = e->pos;
>
> and
>
>> fail:
>> e->pos = pos;
>
Actually it is used sometimes for optional elements. However this could be
cleaned up some because optional elements should only ever fail on the
name or type tags, not the actual data itself.
It is also used in reporting failure position to user space but that only
gets the tag location, it might be better to return the true location of
failure, I'll have a look.
>
>
> Also, please add comments regarding
>
> memory allocated here is released by ...
>
> refcount obtained here is released by ...
>
> the caller of this function need to hold ... lock
>
will do
> as it is difficult for me to track memleak/refcounter/locking bugs.
> For example, in function apparmor_dentry_open(), from
>
> fcxt->profile = aa_get_profile(profile);
>
> to something like
>
> /* released by ... */
> fcxt->profile = aa_get_profile(profile);
>
> (Oh, is it correct to get refcount even if aa_path_perm() failed?)
>
Yes, as long as the refcount is put. There are several possible reasons for
grabbing a refcount, like passing the object to auditing, or just optimizing
the success path.
Of course it could also just be a bug or code that could use some cleaning up
too.
Thanks again Tetsuo
john
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Next Message by Date:
Re: [PATCH] sysctl: require CAP_SYS_RAWIO to set mmap_min_addr
Quoting Kees Cook (kees.cook@xxxxxxxxxxxxx):
> Currently the mmap_min_addr value can only be bypassed during mmap when
> the task has CAP_SYS_RAWIO. However, the mmap_min_addr sysctl value itself
> can be adjusted to 0 if euid == 0, allowing a bypass without CAP_SYS_RAWIO.
> This patch adds a check for the capability before allowing mmap_min_addr to
> be changed.
>
> Signed-off-by: Kees Cook <kees.cook@xxxxxxxxxxxxx>
Sounds good.
Acked-by: Serge Hallyn <serue@xxxxxxxxxx>
thanks,
-serge
> ---
> security/min_addr.c | 3 +++
> 1 files changed, 3 insertions(+), 0 deletions(-)
>
> diff --git a/security/min_addr.c b/security/min_addr.c
> index c844eed..fc43c9d 100644
> --- a/security/min_addr.c
> +++ b/security/min_addr.c
> @@ -33,6 +33,9 @@ int mmap_min_addr_handler(struct ctl_table *table, int
> write,
> {
> int ret;
>
> + if (!capable(CAP_SYS_RAWIO))
> + return -EPERM;
> +
> ret = proc_doulongvec_minmax(table, write, buffer, lenp, ppos);
>
> update_mmap_min_addr();
> --
> 1.6.5
>
>
> --
> Kees Cook
> Ubuntu Security Team
> --
> To unsubscribe from this list: send the line "unsubscribe
> linux-security-module" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
Previous Message by Thread:
[PATCH] Config option to set a default LSM
The LSM currently requires setting a kernel parameter at boot to select
a specific LSM. This adds a config option that allows specifying a default
LSM that is used unless overridden with the security= kernel parameter.
If the config option is not set the current behavior of first LSM
to register is used.
Signed-off-by: John Johansen <john.johansen@xxxxxxxxxxxxx>
---
security/Kconfig | 9 +++++++++
security/security.c | 9 ++++++---
2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/security/Kconfig b/security/Kconfig
index 2f5fb0f..b37ec61 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -60,6 +60,15 @@ config SECURITYFS
If you are unsure how to answer this question, answer N.
+config SECURITY_DEFAULT
+ string "Default security module"
+ depends on SECURITY
+ default ""
+ help
+ This determines the security module used if the security=
+ boot parmater is not provided. If a security module is not
+ specified the first security module to register will be used.
+
config SECURITY_NETWORK
bool "Socket and Networking Security Hooks"
depends on SECURITY
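Review bot: typo in the new help text, "boot parmater" should read "boot parameter"; it would also help to state that the value must be the registered name of a security module, i.e. the same string that security= accepts, since a non-matching name silently falls through to the first-to-register behaviour the help describes.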
diff --git a/security/security.c b/security/security.c
index c4c6732..2b043c9 100644
--- a/security/security.c
+++ b/security/security.c
@@ -18,7 +18,8 @@
#include <linux/security.h>
/* Boot-time LSM user choice */
-static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1];
+static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =
+ CONFIG_SECURITY_DEFAULT;
/* things that live in capability.c */
extern struct security_operations default_security_ops;
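Review bot: nothing bounds the length of CONFIG_SECURITY_DEFAULT against the SECURITY_NAME_MAX + 1 array it now initializes, so a default longer than SECURITY_NAME_MAX produces at best a compiler warning about an over-long initializer string; a build-time check on sizeof(CONFIG_SECURITY_DEFAULT) against SECURITY_NAME_MAX + 1, or a note of the limit in the Kconfig help text, would make the constraint explicit.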
@@ -79,8 +80,10 @@ __setup("security=", choose_lsm);
*
* Return true if:
* -The passed LSM is the one chosen by user at boot time,
- * -or user didn't specify a specific LSM and we're the first to ask
- * for registration permission,
+ * -or the passed LSM is configured as the default and the user did not
+ * choose an alternate LSM at boot time,
+ * -or there is no default LSM set and the user didn't specify a
+ * specific LSM and we're the first to ask for registration permission,
* -or the passed LSM is currently loaded.
* Otherwise, return false.
*/
--
1.6.3.3