linux_dsm_epyc7002/tools/testing/selftests
Jann Horn 4f72123da5 LSM: SafeSetID: verify transitive constrainedness
Someone might write a ruleset like the following, expecting that it
securely constrains UID 1 to UIDs 1, 2 and 3:

    1:2
    1:3

However, because no constraints are applied to UIDs 2 and 3, an attacker
with UID 1 can simply first switch to UID 2, then switch to any UID from
there. The secure way to write this ruleset would be:

    1:2
    1:3
    2:2
    3:3

, which uses "transition to self" as a way to inhibit the default-allow
policy without allowing anything specific.

This is somewhat unintuitive. To make sure that policy authors don't
accidentally write insecure policies because of this, let the kernel verify
that a new ruleset does not contain any entries that are constrained, but
transitively unconstrained.

Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Micah Morton <mortonm@chromium.org>
2019-07-15 08:07:51 -07:00
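
The check the commit message describes, sketched as a user-space C program (an added example, not the kernel's SafeSetID code): it parses `src:dst` lines and counts the rules whose destination UID has no rule of its own. The function names and the 64-rule limit are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdio.h>

/* One "src:dst" policy line: UID src may transition to UID dst. */
struct rule { unsigned src, dst; };

/* Parse "src:dst\n" lines into out[]; returns the rule count, -1 on bad input. */
static int parse_ruleset(const char *text, struct rule *out, int max)
{
    int n = 0, used;
    while (*text) {
        if (n == max ||
            sscanf(text, "%u:%u%n", &out[n].src, &out[n].dst, &used) != 2)
            return -1;
        text += used;
        if (*text == '\n')
            text++;
        else if (*text)
            return -1;          /* trailing junk after "src:dst" */
        n++;
    }
    return n;
}

/* A UID is constrained iff it is the source of at least one rule. */
static bool is_constrained(const struct rule *r, int n, unsigned uid)
{
    for (int i = 0; i < n; i++)
        if (r[i].src == uid)
            return true;
    return false;
}

/*
 * Count rules whose destination falls back to default-allow. Checking every
 * rule's destination covers chains of any length, since each hop is a rule.
 * Returns 0 for a safe ruleset, -1 if the text does not parse.
 */
int count_unconstrained_targets(const char *text)
{
    struct rule rules[64];      /* 64 is an arbitrary limit for this example */
    int bad = 0, n = parse_ruleset(text, rules, 64);
    if (n < 0)
        return -1;
    for (int i = 0; i < n; i++)
        if (!is_constrained(rules, n, rules[i].dst)) {
            printf("%u:%u reaches unconstrained UID %u\n",
                   rules[i].src, rules[i].dst, rules[i].dst);
            bad++;
        }
    return bad;
}
```
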
android treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 282 2019-06-05 17:36:37 +02:00
bpf Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2019-07-08 19:48:57 -07:00
breakpoints treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 282 2019-06-05 17:36:37 +02:00
capabilities selftests: Add test plan API to kselftest.h and adjust callers 2019-04-25 13:15:46 -06:00
cgroup kselftests: cgroup: remove duplicated include from test_freezer.c 2019-07-02 13:29:43 -06:00
cpu-hotplug selftests: cpu-hotplug: fix case where CPUs offline > CPUs present 2019-01-25 14:57:45 -07:00
cpufreq
drivers linux-kselftest-5.3-rc1 2019-07-12 16:08:21 -07:00
efivarfs treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
exec treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 166 2019-05-30 11:26:39 -07:00
filesystems selftests: add binderfs selftests 2019-01-30 15:19:56 +01:00
firmware selftests: firmware: Add compressed firmware tests 2019-06-18 09:11:22 +02:00
ftrace treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 472 2019-06-19 17:09:11 +02:00
futex treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
gpio treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
ia64 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
intel_pstate
ipc selftests/ipc: Fix msgque compiler warnings 2019-04-19 17:18:00 -06:00
ir media updates for v5.1-rc1 2019-03-09 14:45:54 -08:00
kcmp treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
kexec treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
kmod treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
kselftest selftests: Remove forced unbuffering for test running 2019-05-21 09:24:30 -06:00
kvm ARM: 2019-07-12 15:35:14 -07:00
lib treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
livepatch selftests/livepatch: Add functions.sh to TEST_PROGS_EXTENDED 2019-04-15 10:43:21 +02:00
locking
media_tests media: selftests: media_dev_allocator api test 2019-04-22 11:23:14 -04:00
membarrier treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
memfd selftests/memfd: add tests for F_SEAL_FUTURE_WRITE seal 2019-03-05 21:07:19 -08:00
memory-hotplug selftests: memory-hotplug: add required configs 2018-09-05 10:58:31 -06:00
mount selftests: mount: remove no longer needed config option 2018-08-09 11:26:07 -06:00
mqueue
net Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2019-07-08 19:48:57 -07:00
netfilter Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 2019-05-23 14:45:36 -07:00
networking/timestamping selftests: timestamping: Fix SIOCGSTAMP undeclared build failure 2019-06-28 14:31:12 -06:00
nsfs treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
ntb treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 25 2019-05-21 11:52:39 +02:00
pidfd tests: add pidfd_open() tests 2019-06-28 12:17:55 +02:00
powerpc powerpc updates for 5.3 2019-07-13 16:08:36 -07:00
prctl
proc treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
pstore treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 472 2019-06-19 17:09:11 +02:00
ptp selftests: ptp: Add Physical Hardware Clock test 2019-06-13 22:34:55 -07:00
ptrace treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
rcutorture torture: Suppress propagating trace_printk() warning 2019-05-28 09:06:09 -07:00
rseq rseq/selftests: Fix Thumb mode build failure on arm32 2019-07-08 13:00:41 -06:00
rtc SPDX update for 5.2-rc3, round 1 2019-05-31 08:34:32 -07:00
safesetid LSM: SafeSetID: verify transitive constrainedness 2019-07-15 08:07:51 -07:00
seccomp treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 481 2019-06-19 17:09:51 +02:00
sigaltstack treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
size treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 166 2019-05-30 11:26:39 -07:00
sparc64
splice
static_keys treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
sync selftests: Add test plan API to kselftest.h and adjust callers 2019-04-25 13:15:46 -06:00
sysctl treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
tc-testing tc-tests: updated skbedit tests 2019-07-12 15:33:14 -07:00
timers kselftests: timers: freq-step: Update maximum acceptable precision and errors 2019-06-22 11:28:53 +02:00
tmpfs treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
tpm2 selftests/tpm2: Open tpm dev in unbuffered mode 2019-04-08 15:58:55 -07:00
uevent
user treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
vDSO treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 180 2019-05-30 11:29:20 -07:00
vm treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 499 2019-06-19 17:09:53 +02:00
watchdog selftests: watchdog: fix spelling mistake "experies" -> "expires" 2018-12-13 13:03:19 -07:00
x86 It's been a relatively busy cycle for docs: 2019-07-09 12:34:26 -07:00
zram treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 25 2019-05-21 11:52:39 +02:00
.gitignore selftests: Extract single-test shell logic from lib.mk 2019-04-25 13:14:13 -06:00
gen_kselftest_tar.sh
kselftest_harness.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 481 2019-06-19 17:09:51 +02:00
kselftest_install.sh
kselftest_module.h kselftest: Add test module framework header 2019-04-08 16:44:20 -06:00
kselftest_module.sh kselftest: Add test runner creation script 2019-04-08 16:44:11 -06:00
kselftest.h selftests: Add test plan API to kselftest.h and adjust callers 2019-04-25 13:15:46 -06:00
lib.mk kbuild: replace KBUILD_SRCTREE with boolean building_out_of_srctree 2019-07-11 00:05:09 +09:00
Makefile kbuild: replace KBUILD_SRCTREE with boolean building_out_of_srctree 2019-07-11 00:05:09 +09:00