Commit Graph

20 Commits

Author SHA1 Message Date
Thomas Cedeno 5294bac97e LSM: SafeSetID: Add GID security policy handling
The SafeSetID LSM has functionality for restricting setuid() calls based
on its configured security policies. This patch adds the analogous
functionality for setgid() calls. This is mostly a copy-and-paste change
with some code deduplication, plus slight modifications/name changes to
the policy-rule-related structs (now contain GID rules in addition to
the UID ones) and some type generalization since SafeSetID now needs to
deal with kgid_t and kuid_t types.

Signed-off-by: Thomas Cedeno <thomascedeno@google.com>
Signed-off-by: Micah Morton <mortonm@chromium.org>
2020-10-13 09:17:35 -07:00
Kees Cook 9d1bd9e8e0 doc: yama: Swap HTTP for HTTPS and replace dead link
Replace one dead link for the same person's original presentation on the
topic and swap an HTTP URL with HTTPS. While here, linkify the text to
make it more readable when rendered.

Link: https://lore.kernel.org/lkml/20200708073346.13177-1-grandmaster@al2klimov.de/
Co-developed-by: Alexander A. Klimov <grandmaster@al2klimov.de>
Signed-off-by: Alexander A. Klimov <grandmaster@al2klimov.de>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/202007091141.C008B89EC@keescook
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
2020-07-13 09:40:42 -06:00
Alexander A. Klimov 93431e0607 Replace HTTP links with HTTPS ones: documentation
Rationale:
Reduces attack surface on kernel devs opening the links for MITM
as HTTPS traffic is much harder to manipulate.

Deterministic algorithm:
For each file:
  For each line:
    If doesn't contain `\bxmlns\b`:
      For each link, `\bhttp://[^# \t\r\n]*(?:\w|/)`:
        If both the HTTP and HTTPS versions
        return 200 OK and serve the same content:
          Replace HTTP with HTTPS.

Signed-off-by: Alexander A. Klimov <grandmaster@al2klimov.de>
Link: https://lore.kernel.org/r/20200526060544.25127-1-grandmaster@al2klimov.de
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
2020-06-08 09:30:19 -06:00
Christian Kujau 0e3901891a docs: SafeSetID.rst: Remove spurious '???' characters
It appears that some smart quotes were changed to "???" by even smarter
software; change them to the dumb but legible variety.

Signed-off-by: Christian Kujau <lists@nerdbynature.de>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
2019-10-11 09:58:38 -06:00
Ke Wu 0ff9848067 security/loadpin: Allow to exclude specific file types
Linux kernel already provide MODULE_SIG and KEXEC_VERIFY_SIG to
make sure loaded kernel module and kernel image are trusted. This
patch adds a kernel command line option "loadpin.exclude" which
allows to exclude specific file types from LoadPin. This is useful
when people want to use different mechanisms to verify module and
kernel image while still use LoadPin to protect the integrity of
other files kernel loads.

Signed-off-by: Ke Wu <mikewu@google.com>
Reviewed-by: James Morris <jamorris@linux.microsoft.com>
[kees: fix array size issue reported by Coverity via Colin Ian King]
Signed-off-by: Kees Cook <keescook@chromium.org>
2019-05-31 13:57:40 -07:00
Micah Morton aeca4e2ca6 LSM: add SafeSetID module that gates setid calls
SafeSetID gates the setid family of syscalls to restrict UID/GID
transitions from a given UID/GID to only those approved by a
system-wide whitelist. These restrictions also prohibit the given
UIDs/GIDs from obtaining auxiliary privileges associated with
CAP_SET{U/G}ID, such as allowing a user to set up user namespace UID
mappings. For now, only gating the set*uid family of syscalls is
supported, with support for set*gid coming in a future patch set.

Signed-off-by: Micah Morton <mortonm@chromium.org>
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: James Morris <james.morris@microsoft.com>
2019-01-25 11:22:45 -08:00
Casey Schaufler 6d9c939dbe procfs: add smack subdir to attrs
Back in 2007 I made what turned out to be a rather serious
mistake in the implementation of the Smack security module.
The SELinux module used an interface in /proc to manipulate
the security context on processes. Rather than use a similar
interface, I used the same interface. The AppArmor team did
likewise. Now /proc/.../attr/current will tell you the
security "context" of the process, but it will be different
depending on the security module you're using.

This patch provides a subdirectory in /proc/.../attr for
Smack. Smack user space can use the "current" file in
this subdirectory and never have to worry about getting
SELinux attributes by mistake. Programs that use the
old interface will continue to work (or fail, as the case
may be) as before.

The proposed S.A.R.A security module is dependent on
the mechanism to create its own attr subdirectory.

The original implementation is by Kees Cook.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
2019-01-08 13:18:44 -08:00
Linus Torvalds 19f2e267a5 Merge branch 'next-smack' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull smack updates from James Morris:
 "Two Smack patches for 4.21.

  Jose's patch adds missing documentation and Zoran's fleshes out the
  access checks on keyrings"

* 'next-smack' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  Smack: Improve Documentation
  smack: fix access permissions for keyring
2019-01-02 10:56:09 -08:00
José Bollo 55b078f031 Smack: Improve Documentation
Add some words about the mount option "smackfstransmute=label".

Signed-off-by: José Bollo <jobol@nonadev.net>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
2018-12-13 13:31:01 -08:00
Petr Vorel 0427612cdd Documentation: Update SELinux reference policy URL
Signed-off-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2018-11-19 12:40:48 -05:00
Yves-Alexis Perez 31527da5d6 yama: clarify ptrace_scope=2 in Yama documentation
Current phrasing is ambiguous since it's unclear if attaching to a
children through PTRACE_TRACEME requires CAP_SYS_PTRACE. Rephrase the
sentence to make that clear.

Signed-off-by: Yves-Alexis Perez <corsac@corsac.net>
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
2018-10-07 09:16:38 -06:00
Jordan Glover b896c54e8d apparmor: update git and wiki locations in AppArmor docs
The apparmor information in the apparmor.rst  file is out of date.
Update it to the correct git reference for the master apparmor tree.
Update the wiki location to use apparmor.net which forwards to the
current wiki location on gitlab.com. Update user space tools address
to gitlab.com.

Signed-off-by: Jordan Glover <Golden_Miller83@protonmail.ch>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-06-07 01:50:47 -07:00
Tetsuo Handa 31368ce83c tomoyo: Update URLs in Documentation/admin-guide/LSM/tomoyo.rst
Fix outdated links.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <james.l.morris@oracle.com>
2017-07-25 11:00:26 +10:00
Kees Cook a5606ced28 doc: ReSTify Smack.txt
Adjusts for ReST markup and moves under LSM admin guide.

Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
2017-05-18 10:33:24 -06:00
Kees Cook 30da4f77aa doc: ReSTify LoadPin.txt
Adjusts for ReST markup and moves under LSM admin guide.

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
2017-05-18 10:33:12 -06:00
Kees Cook 90bb766440 doc: ReSTify Yama.txt
Adjusts for ReST markup and moves under LSM admin guide.

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
2017-05-18 10:33:04 -06:00
Kees Cook 5ea672c752 doc: ReSTify tomoyo.txt
Adjusts for ReST markup and moves under LSM admin guide.

Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
2017-05-18 10:32:57 -06:00
Kees Cook 26fccd9ed2 doc: ReSTify apparmor.txt
Adjusts for ReST markup and moves under LSM admin guide.

Acked-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
2017-05-18 10:32:38 -06:00
Kees Cook 229fd05c56 doc: ReSTify SELinux.txt
Adjusts for ReST markup and moves under LSM admin guide.

Cc: Paul Moore <paul@paul-moore.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
2017-05-18 10:31:30 -06:00
Kees Cook 504f231cda doc: ReSTify and split LSM.txt
The existing LSM.txt file covered both usage and development, so split
this into two files, one under admin-guide and one under kernel
development.

Cc: James Morris <james.l.morris@oracle.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
2017-05-18 10:31:24 -06:00