Commit Graph

12 Commits

Author SHA1 Message Date
James Morris
1ad1f10cd9 Merge branch 'master' into next 2009-12-09 19:01:03 +11:00
Tetsuo Handa
937bf6133b TOMOYO: Add rest of file operation restrictions.
LSM hooks for chmod()/chown()/chroot() are now ready.
This patch utilizes these hooks.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
2009-12-08 14:58:05 +11:00
Eric W. Biederman
c656ae95d1 security/tomoyo: Remove now unnecessary handling of security_sysctl.
Now that sys_sysctl is an emulation on top of proc sys all sysctl
operations look like normal filesystem operations and we don't need
to use the special sysctl hook to authenticate them.

Acked-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
2009-11-20 09:37:51 -08:00
Tetsuo Handa
86b1bc68e2 sysctl security/tomoyo: Don't look at ctl_name
ctl_name field was removed. Always use procname field.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
2009-11-12 02:05:05 -08:00
David Howells
ee18d64c1f KEYS: Add a keyctl to install a process's session keyring on its parent [try #6]
Add a keyctl to install a process's session keyring onto its parent.  This
replaces the parent's session keyring.  Because the COW credential code does
not permit one process to change another process's credentials directly, the
change is deferred until userspace next starts executing again.  Normally this
will be after a wait*() syscall.

To support this, three new security hooks have been provided:
cred_alloc_blank() to allocate unset security creds, cred_transfer() to fill in
the blank security creds and key_session_to_parent() - which asks the LSM if
the process may replace its parent's session keyring.

The replacement may only happen if the process has the same ownership details
as its parent, and the process has LINK permission on the session keyring, and
the session keyring is owned by the process, and the LSM permits it.

Note that this requires alteration to each architecture's notify_resume path.
This has been done for all arches barring blackfin, m68k* and xtensa, all of
which need assembly alteration to support TIF_NOTIFY_RESUME.  This allows the
replacement to be performed at the point the parent process resumes userspace
execution.

This allows the userspace AFS pioctl emulation to fully emulate newpag() and
the VIOCSETTOK and VIOCSETTOK2 pioctls, all of which require the ability to
alter the parent process's PAG membership.  However, since kAFS doesn't use
PAGs per se, but rather dumps the keys into the session keyring, the session
keyring of the parent must be replaced if, for example, VIOCSETTOK is passed
the newpag flag.

This can be tested with the following program:

	#include <stdio.h>
	#include <stdlib.h>
	#include <keyutils.h>

	#define KEYCTL_SESSION_TO_PARENT	18

	#define OSERROR(X, S) do { if ((long)(X) == -1) { perror(S); exit(1); } } while(0)

	int main(int argc, char **argv)
	{
		key_serial_t keyring, key;
		long ret;

		keyring = keyctl_join_session_keyring(argv[1]);
		OSERROR(keyring, "keyctl_join_session_keyring");

		key = add_key("user", "a", "b", 1, keyring);
		OSERROR(key, "add_key");

		ret = keyctl(KEYCTL_SESSION_TO_PARENT);
		OSERROR(ret, "KEYCTL_SESSION_TO_PARENT");

		return 0;
	}

Compiled and linked with -lkeyutils, you should see something like:

	[dhowells@andromeda ~]$ keyctl show
	Session Keyring
	       -3 --alswrv   4043  4043  keyring: _ses
	355907932 --alswrv   4043    -1   \_ keyring: _uid.4043
	[dhowells@andromeda ~]$ /tmp/newpag
	[dhowells@andromeda ~]$ keyctl show
	Session Keyring
	       -3 --alswrv   4043  4043  keyring: _ses
	1055658746 --alswrv   4043  4043   \_ user: a
	[dhowells@andromeda ~]$ /tmp/newpag hello
	[dhowells@andromeda ~]$ keyctl show
	Session Keyring
	       -3 --alswrv   4043  4043  keyring: hello
	340417692 --alswrv   4043  4043   \_ user: a

Where the test program creates a new session keyring, sticks a user key named
'a' into it and then installs it on its parent.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
2009-09-02 21:29:22 +10:00
Tetsuo Handa
56f8c9bc41 TOMOYO: Remove next_domain from tomoyo_find_next_domain().
We can update bprm->cred->security inside tomoyo_find_next_domain().

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
2009-06-19 18:48:18 +10:00
Tetsuo Handa
c3fa109a58 TOMOYO: Add description of lists and structures.
This patch adds some descriptions of lists and structures.
This patch contains no code changes.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
2009-06-09 09:30:24 +10:00
Herton Ronaldo Krzesinski
b1338d199d tomoyo: add missing call to cap_bprm_set_creds
cap_bprm_set_creds() has to be called from security_bprm_set_creds().
TOMOYO forgot to call cap_bprm_set_creds() from tomoyo_bprm_set_creds()
and suid executables were not being working.

Make sure we call cap_bprm_set_creds() with TOMOYO, to set credentials
properly inside tomoyo_bprm_set_creds().

Signed-off-by: Herton Ronaldo Krzesinski <herton@mandriva.com.br>
Acked-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: James Morris <jmorris@namei.org>
2009-05-27 09:46:48 +10:00
Tetsuo Handa
39826a1e17 tomoyo: version bump to 2.2.0.
Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp>
Signed-off-by: James Morris <jmorris@namei.org>
2009-04-14 09:15:02 +10:00
Tetsuo Handa
1581e7ddbd TOMOYO: Do not call tomoyo_realpath_init unless registered.
tomoyo_realpath_init() is unconditionally called by security_initcall().
But nobody will use realpath related functions if TOMOYO is not registered.

So, let tomoyo_init() call tomoyo_realpath_init().

This patch saves 4KB of memory allocation if TOMOYO is not registered.

Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp>
Signed-off-by: James Morris <jmorris@namei.org>
2009-02-23 09:45:05 +11:00
Tetsuo Handa
35d50e60e8 tomoyo: fix sparse warning
Fix sparse warning.

$ make C=2 SUBDIRS=security/tomoyo CF="-D__cold__="
 CHECK   security/tomoyo/common.c
 CHECK   security/tomoyo/realpath.c
 CHECK   security/tomoyo/tomoyo.c
security/tomoyo/tomoyo.c:110:8: warning: symbol 'buf' shadows an earlier one
security/tomoyo/tomoyo.c💯7: originally declared here

Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp>
Signed-off-by: James Morris <jmorris@namei.org>
2009-02-12 20:21:10 +11:00
Kentaro Takeda
f743324377 LSM adapter functions.
DAC's permissions and TOMOYO's permissions are not one-to-one mapping.

Regarding DAC, there are "read", "write", "execute" permissions.
Regarding TOMOYO, there are "allow_read", "allow_write", "allow_read/write",
"allow_execute", "allow_create", "allow_unlink", "allow_mkdir", "allow_rmdir",
"allow_mkfifo", "allow_mksock", "allow_mkblock", "allow_mkchar",
"allow_truncate", "allow_symlink", "allow_rewrite", "allow_link",
"allow_rename" permissions.

+----------------------------------+----------------------------------+
| requested operation              | required TOMOYO's permission     |
+----------------------------------+----------------------------------+
| sys_open(O_RDONLY)               | allow_read                       |
+----------------------------------+----------------------------------+
| sys_open(O_WRONLY)               | allow_write                      |
+----------------------------------+----------------------------------+
| sys_open(O_RDWR)                 | allow_read/write                 |
+----------------------------------+----------------------------------+
| open_exec() from do_execve()     | allow_execute                    |
+----------------------------------+----------------------------------+
| open_exec() from !do_execve()    | allow_read                       |
+----------------------------------+----------------------------------+
| sys_read()                       | (none)                           |
+----------------------------------+----------------------------------+
| sys_write()                      | (none)                           |
+----------------------------------+----------------------------------+
| sys_mmap()                       | (none)                           |
+----------------------------------+----------------------------------+
| sys_uselib()                     | allow_read                       |
+----------------------------------+----------------------------------+
| sys_open(O_CREAT)                | allow_create                     |
+----------------------------------+----------------------------------+
| sys_open(O_TRUNC)                | allow_truncate                   |
+----------------------------------+----------------------------------+
| sys_truncate()                   | allow_truncate                   |
+----------------------------------+----------------------------------+
| sys_ftruncate()                  | allow_truncate                   |
+----------------------------------+----------------------------------+
| sys_open() without O_APPEND      | allow_rewrite                    |
+----------------------------------+----------------------------------+
| setfl() without O_APPEND         | allow_rewrite                    |
+----------------------------------+----------------------------------+
| sys_sysctl() for writing         | allow_write                      |
+----------------------------------+----------------------------------+
| sys_sysctl() for reading         | allow_read                       |
+----------------------------------+----------------------------------+
| sys_unlink()                     | allow_unlink                     |
+----------------------------------+----------------------------------+
| sys_mknod(S_IFREG)               | allow_create                     |
+----------------------------------+----------------------------------+
| sys_mknod(0)                     | allow_create                     |
+----------------------------------+----------------------------------+
| sys_mknod(S_IFIFO)               | allow_mkfifo                     |
+----------------------------------+----------------------------------+
| sys_mknod(S_IFSOCK)              | allow_mksock                     |
+----------------------------------+----------------------------------+
| sys_bind(AF_UNIX)                | allow_mksock                     |
+----------------------------------+----------------------------------+
| sys_mknod(S_IFBLK)               | allow_mkblock                    |
+----------------------------------+----------------------------------+
| sys_mknod(S_IFCHR)               | allow_mkchar                     |
+----------------------------------+----------------------------------+
| sys_symlink()                    | allow_symlink                    |
+----------------------------------+----------------------------------+
| sys_mkdir()                      | allow_mkdir                      |
+----------------------------------+----------------------------------+
| sys_rmdir()                      | allow_rmdir                      |
+----------------------------------+----------------------------------+
| sys_link()                       | allow_link                       |
+----------------------------------+----------------------------------+
| sys_rename()                     | allow_rename                     |
+----------------------------------+----------------------------------+

TOMOYO requires "allow_execute" permission of a pathname passed to do_execve()
but does not require "allow_read" permission of that pathname.
Let's consider 3 patterns (statically linked, dynamically linked,
shell script). This description is to some degree simplified.

  $ cat hello.c
  #include <stdio.h>
  int main() {
          printf("Hello\n");
          return 0;
  }
  $ cat hello.sh
  #! /bin/sh
  echo "Hello"
  $ gcc -static -o hello-static hello.c
  $ gcc -o hello-dynamic hello.c
  $ chmod 755 hello.sh

Case 1 -- Executing hello-static from bash.

  (1) The bash process calls fork() and the child process requests
      do_execve("hello-static").

  (2) The kernel checks "allow_execute hello-static" from "bash" domain.

  (3) The kernel calculates "bash hello-static" as the domain to transit to.

  (4) The kernel overwrites the child process by "hello-static".

  (5) The child process transits to "bash hello-static" domain.

  (6) The "hello-static" starts and finishes.

Case 2 -- Executing hello-dynamic from bash.

  (1) The bash process calls fork() and the child process requests
      do_execve("hello-dynamic").

  (2) The kernel checks "allow_execute hello-dynamic" from "bash" domain.

  (3) The kernel calculates "bash hello-dynamic" as the domain to transit to.

  (4) The kernel checks "allow_read ld-linux.so" from "bash hello-dynamic"
      domain. I think permission to access ld-linux.so should be charged
      hello-dynamic program, for "hello-dynamic needs ld-linux.so" is not
      a fault of bash program.

  (5) The kernel overwrites the child process by "hello-dynamic".

  (6) The child process transits to "bash hello-dynamic" domain.

  (7) The "hello-dynamic" starts and finishes.

Case 3 -- Executing hello.sh from bash.

  (1) The bash process calls fork() and the child process requests
      do_execve("hello.sh").

  (2) The kernel checks "allow_execute hello.sh" from "bash" domain.

  (3) The kernel calculates "bash hello.sh" as the domain to transit to.

  (4) The kernel checks "allow_read /bin/sh" from "bash hello.sh" domain.
      I think permission to access /bin/sh should be charged hello.sh program,
      for "hello.sh needs /bin/sh" is not a fault of bash program.

  (5) The kernel overwrites the child process by "/bin/sh".

  (6) The child process transits to "bash hello.sh" domain.

  (7) The "/bin/sh" requests open("hello.sh").

  (8) The kernel checks "allow_read hello.sh" from  "bash hello.sh" domain.

  (9) The "/bin/sh" starts and finishes.

Whether a file is interpreted as a program or not depends on an application.
The kernel cannot know whether the file is interpreted as a program or not.
Thus, TOMOYO treats "hello-static" "hello-dynamic" "ld-linux.so" "hello.sh"
"/bin/sh" equally as merely files; no distinction between executable and
non-executable. Therefore, TOMOYO doesn't check DAC's execute permission.
TOMOYO checks "allow_read" permission instead.

Calling do_execve() is a bold gesture that an old program's instance (i.e.
current process) is ready to be overwritten by a new program and is ready to
transfer control to the new program. To split purview of programs, TOMOYO
requires "allow_execute" permission of the new program against the old
program's instance and performs domain transition. If do_execve() succeeds,
the old program is no longer responsible against the consequence of the new
program's behavior. Only the new program is responsible for all consequences.

But TOMOYO doesn't require "allow_read" permission of the new program.
If TOMOYO requires "allow_read" permission of the new program, TOMOYO will
allow an attacker (who hijacked the old program's instance) to open the new
program and steal data from the new program. Requiring "allow_read" permission
will widen purview of the old program.

Not requiring "allow_read" permission of the new program against the old
program's instance is my design for reducing purview of the old program.
To be able to know whether the current process is in do_execve() or not,
I want to add in_execve flag to "task_struct".

Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp>
Signed-off-by: James Morris <jmorris@namei.org>
2009-02-12 15:15:05 +11:00