On 2007-06-25T17:14:11, Pavel Machek <[EMAIL PROTECTED]> wrote:
> Actually, I surprised Lars a lot by telling him ln /etc/shadow /tmp/
> allows any user to make AA ineffective on large part of systems -- in
> internal discussion. (It is not actually a _bug_, but it is certainly
> unexpected).
Pav
On Mon, Jun 25, 2007 at 10:57:31PM -0500, Serge E. Hallyn wrote:
> Quoting James Morris ([EMAIL PROTECTED]):
> > On Mon, 25 Jun 2007, Andreas Gruenbacher wrote:
> >
> > > It's useful for some LSMs to be modular, and LSMs which are y/n options
> > > won't
> > > have any security architecture issu
Quoting Kyle Moffett ([EMAIL PROTECTED]):
> On Jun 25, 2007, at 16:37:58, Andreas Gruenbacher wrote:
> >On Monday 25 June 2007 06:33, James Morris wrote:
> >>Convert LSM into a static interface, as the ability to unload a
> >>security module is not required by in-tree users and potentially
> >>
Quoting Adrian Bunk ([EMAIL PROTECTED]):
> On Mon, Jun 25, 2007 at 10:57:31PM -0500, Serge E. Hallyn wrote:
> > Quoting James Morris ([EMAIL PROTECTED]):
> > > On Mon, 25 Jun 2007, Andreas Gruenbacher wrote:
> > >
> > > > It's useful for some LSMs to be modular, and LSMs which are y/n options
> >
On Tue, Jun 26, 2007 at 09:06:44AM -0500, Serge E. Hallyn wrote:
> Quoting Adrian Bunk ([EMAIL PROTECTED]):
> > On Mon, Jun 25, 2007 at 10:57:31PM -0500, Serge E. Hallyn wrote:
> > > Quoting James Morris ([EMAIL PROTECTED]):
> > > > On Mon, 25 Jun 2007, Andreas Gruenbacher wrote:
> > > >
> > > > >
--- "Kazuki Omo(Company)" <[EMAIL PROTECTED]> wrote:
> Folks,
>
> May I ask some foolish questions?
So long as you're not afraid of foolish answers.
> I just want to make sure what do we need
> if we want to put new security module(which is using LSM) in mainline.
>
> 1. Does it have to provi
Quoting Adrian Bunk ([EMAIL PROTECTED]):
> On Tue, Jun 26, 2007 at 09:06:44AM -0500, Serge E. Hallyn wrote:
> > Quoting Adrian Bunk ([EMAIL PROTECTED]):
> > > On Mon, Jun 25, 2007 at 10:57:31PM -0500, Serge E. Hallyn wrote:
> > > > Quoting James Morris ([EMAIL PROTECTED]):
> > > > > On Mon, 25 Jun
On Tue, Jun 26, 2007 at 09:06:44AM -0500, Serge E. Hallyn wrote:
> Quoting Adrian Bunk ([EMAIL PROTECTED]):
> > On Mon, Jun 25, 2007 at 10:57:31PM -0500, Serge E. Hallyn wrote:
> > > Quoting James Morris ([EMAIL PROTECTED]):
> > > > On Mon, 25 Jun 2007, Andreas Gruenbacher wrote:
> > > >
> > > > >
Quoting Greg KH ([EMAIL PROTECTED]):
> On Tue, Jun 26, 2007 at 09:06:44AM -0500, Serge E. Hallyn wrote:
> > Quoting Adrian Bunk ([EMAIL PROTECTED]):
> > > On Mon, Jun 25, 2007 at 10:57:31PM -0500, Serge E. Hallyn wrote:
> > > > Quoting James Morris ([EMAIL PROTECTED]):
> > > > > On Mon, 25 Jun 2007
On Tue, Jun 26, 2007 at 10:53:29AM -0500, Serge E. Hallyn wrote:
> Quoting Adrian Bunk ([EMAIL PROTECTED]):
> > On Tue, Jun 26, 2007 at 09:06:44AM -0500, Serge E. Hallyn wrote:
> > > Quoting Adrian Bunk ([EMAIL PROTECTED]):
> > > > On Mon, Jun 25, 2007 at 10:57:31PM -0500, Serge E. Hallyn wrote:
>
Chris Wright wrote:
> * Chris Mason ([EMAIL PROTECTED]) wrote:
>> I'm sure people there will have a different versions of events. The
>> one part that was discussed was if pathname based security was
>> useful, and a number of the people in the room (outside of
>> novell) said it was. Now, it
This post contains patches to include the AppArmor application security
framework, with request for inclusion into -mm for wider testing.
These patches are currently against lkml but we will gladly rebase them
against -mm so that they will apply cleanly.
Any comments and feedback to improve imple
The vfsmount parameter must be set appropriately for files visibile
outside the kernel. Files that are only used in a filesystem (e.g.,
reiserfs xattr files) will have a NULL vfsmount.
Signed-off-by: Tony Jones <[EMAIL PROTECTED]>
Signed-off-by: Andreas Gruenbacher <[EMAIL PROTECTED]>
Signed-off-b
This is needed for computing pathnames in the AppArmor LSM.
Signed-off-by: Tony Jones <[EMAIL PROTECTED]>
Signed-off-by: Andreas Gruenbacher <[EMAIL PROTECTED]>
Signed-off-by: John Johansen <[EMAIL PROTECTED]>
---
fs/namei.c |2 +-
include/linux/security.h |9 ++---
sec
Required by a later patch that adds a struct vfsmount parameter to
notify_change().
Signed-off-by: Tony Jones <[EMAIL PROTECTED]>
Signed-off-by: Andreas Gruenbacher <[EMAIL PROTECTED]>
Signed-off-by: John Johansen <[EMAIL PROTECTED]>
---
fs/ntfs/file.c |2 +-
fs/reiserfs/file.c
The vfsmount will be passed down to the LSM hook so that LSMs can compute
pathnames.
Signed-off-by: Tony Jones <[EMAIL PROTECTED]>
Signed-off-by: Andreas Gruenbacher <[EMAIL PROTECTED]>
Signed-off-by: John Johansen <[EMAIL PROTECTED]>
---
fs/ecryptfs/inode.c |5 -
fs/namei.c
This is needed for computing pathnames in the AppArmor LSM.
Signed-off-by: Tony Jones <[EMAIL PROTECTED]>
Signed-off-by: Andreas Gruenbacher <[EMAIL PROTECTED]>
Signed-off-by: John Johansen <[EMAIL PROTECTED]>
---
fs/namei.c |2 +-
include/linux/security.h |8 ++--
secu
The vfsmount will be passed down to the LSM hook so that LSMs can compute
pathnames.
Signed-off-by: Tony Jones <[EMAIL PROTECTED]>
Signed-off-by: Andreas Gruenbacher <[EMAIL PROTECTED]>
Signed-off-by: John Johansen <[EMAIL PROTECTED]>
---
fs/ecryptfs/inode.c |4 +++-
fs/namei.c |
This is needed for computing pathnames in the AppArmor LSM.
Signed-off-by: Tony Jones <[EMAIL PROTECTED]>
Signed-off-by: Andreas Gruenbacher <[EMAIL PROTECTED]>
Signed-off-by: John Johansen <[EMAIL PROTECTED]>
---
fs/namei.c |2 +-
include/linux/security.h |7 +--
secur
The vfsmount will be passed down to the LSM hook so that LSMs can compute
pathnames.
Signed-off-by: Tony Jones <[EMAIL PROTECTED]>
Signed-off-by: Andreas Gruenbacher <[EMAIL PROTECTED]>
Signed-off-by: John Johansen <[EMAIL PROTECTED]>
---
fs/ecryptfs/inode.c |5 -
fs/namei.c |
This is needed for computing pathnames in the AppArmor LSM.
Signed-off-by: Tony Jones <[EMAIL PROTECTED]>
Signed-off-by: Andreas Gruenbacher <[EMAIL PROTECTED]>
Signed-off-by: John Johansen <[EMAIL PROTECTED]>
---
fs/namei.c |2 +-
include/linux/security.h |9 ++---
sec
This is needed for computing pathnames in the AppArmor LSM.
Signed-off-by: Tony Jones <[EMAIL PROTECTED]>
Signed-off-by: Andreas Gruenbacher <[EMAIL PROTECTED]>
Signed-off-by: John Johansen <[EMAIL PROTECTED]>
---
fs/stat.c|2 +-
include/linux/security.h | 11 +++
s
This is needed for computing pathnames in the AppArmor LSM.
Signed-off-by: Tony Jones <[EMAIL PROTECTED]>
Signed-off-by: Andreas Gruenbacher <[EMAIL PROTECTED]>
Signed-off-by: John Johansen <[EMAIL PROTECTED]>
---
fs/namei.c |3 ++-
include/linux/security.h | 18 +
The vfsmount will be passed down to the LSM hook so that LSMs can compute
pathnames.
Signed-off-by: Tony Jones <[EMAIL PROTECTED]>
Signed-off-by: Andreas Gruenbacher <[EMAIL PROTECTED]>
Signed-off-by: John Johansen <[EMAIL PROTECTED]>
---
fs/ecryptfs/inode.c |4 +++-
fs/namei.c
This is needed for computing pathnames in the AppArmor LSM.
Signed-off-by: Tony Jones <[EMAIL PROTECTED]>
Signed-off-by: Andreas Gruenbacher <[EMAIL PROTECTED]>
Signed-off-by: John Johansen <[EMAIL PROTECTED]>
---
fs/namei.c |2 +-
include/linux/security.h | 12
The vfsmount will be passed down to the LSM hook so that LSMs can compute
pathnames.
Signed-off-by: Tony Jones <[EMAIL PROTECTED]>
Signed-off-by: Andreas Gruenbacher <[EMAIL PROTECTED]>
Signed-off-by: John Johansen <[EMAIL PROTECTED]>
---
fs/ecryptfs/inode.c |3 ++-
fs/namei.c|
This is needed for computing pathnames in the AppArmor LSM.
Signed-off-by: Tony Jones <[EMAIL PROTECTED]>
Signed-off-by: Andreas Gruenbacher <[EMAIL PROTECTED]>
Signed-off-by: John Johansen <[EMAIL PROTECTED]>
---
fs/namei.c |2 +-
include/linux/security.h | 12
If we unhash the dentry before calling the security_inode_rmdir hook,
we cannot compute the file's pathname in the hook anymore. AppArmor
needs to know the filename in order to decide whether a file may be
deleted, though.
Signed-off-by: John Johansen <[EMAIL PROTECTED]>
Signed-off-by: Andreas Gru
The vfsmount will be passed down to the LSM hook so that LSMs can compute
pathnames.
Signed-off-by: Tony Jones <[EMAIL PROTECTED]>
Signed-off-by: Andreas Gruenbacher <[EMAIL PROTECTED]>
Signed-off-by: John Johansen <[EMAIL PROTECTED]>
---
fs/ecryptfs/inode.c |7 ++-
fs/namei.c |
This is needed for computing pathnames in the AppArmor LSM.
Signed-off-by: Tony Jones <[EMAIL PROTECTED]>
Signed-off-by: Andreas Gruenbacher <[EMAIL PROTECTED]>
Signed-off-by: John Johansen <[EMAIL PROTECTED]>
---
fs/namei.c |6 --
include/linux/security.h | 18 ++
The vfsmount will be passed down to the LSM hook so that LSMs can compute
pathnames.
Signed-off-by: Tony Jones <[EMAIL PROTECTED]>
Signed-off-by: Andreas Gruenbacher <[EMAIL PROTECTED]>
Signed-off-by: John Johansen <[EMAIL PROTECTED]>
---
fs/nfsd/nfs4xdr.c |2 +-
fs/nfsd/vfs.c
This is needed for computing pathnames in the AppArmor LSM.
Signed-off-by: Tony Jones <[EMAIL PROTECTED]>
Signed-off-by: Andreas Gruenbacher <[EMAIL PROTECTED]>
Signed-off-by: John Johansen <[EMAIL PROTECTED]>
---
fs/xattr.c |4 ++--
include/linux/security.h | 40
The vfsmount will be passed down to the LSM hook so that LSMs can compute
pathnames.
Signed-off-by: Tony Jones <[EMAIL PROTECTED]>
Signed-off-by: Andreas Gruenbacher <[EMAIL PROTECTED]>
Signed-off-by: John Johansen <[EMAIL PROTECTED]>
---
fs/nfsd/vfs.c | 16 +++-
fs/xattr.c
The vfsmount will be passed down to the LSM hook so that LSMs can compute
pathnames.
Signed-off-by: Tony Jones <[EMAIL PROTECTED]>
Signed-off-by: Andreas Gruenbacher <[EMAIL PROTECTED]>
Signed-off-by: John Johansen <[EMAIL PROTECTED]>
---
fs/xattr.c| 25 ++---
i
The vfsmount will be passed down to the LSM hook so that LSMs can compute
pathnames.
Signed-off-by: Tony Jones <[EMAIL PROTECTED]>
Signed-off-by: Andreas Gruenbacher <[EMAIL PROTECTED]>
Signed-off-by: John Johansen <[EMAIL PROTECTED]>
---
fs/nfsd/vfs.c |7 ---
fs/xattr.c
This is needed for computing pathnames in the AppArmor LSM.
Signed-off-by: Tony Jones <[EMAIL PROTECTED]>
Signed-off-by: Andreas Gruenbacher <[EMAIL PROTECTED]>
Signed-off-by: John Johansen <[EMAIL PROTECTED]>
---
fs/xattr.c |2 +-
include/linux/security.h | 15 +-
This is needed for computing pathnames in the AppArmor LSM.
Signed-off-by: Tony Jones <[EMAIL PROTECTED]>
Signed-off-by: Andreas Gruenbacher <[EMAIL PROTECTED]>
Signed-off-by: John Johansen <[EMAIL PROTECTED]>
---
fs/xattr.c |2 +-
include/linux/security.h | 12 +++-
The vfsmount will be passed down to the LSM hook so that LSMs can compute
pathnames.
Signed-off-by: Tony Jones <[EMAIL PROTECTED]>
Signed-off-by: Andreas Gruenbacher <[EMAIL PROTECTED]>
Signed-off-by: John Johansen <[EMAIL PROTECTED]>
---
fs/ecryptfs/inode.c |9 +++--
fs/namei.c
The path that __d_path() computes can become slightly inconsistent when it
races with mount operations: it grabs the vfsmount_lock when traversing mount
points but immediately drops it again, only to re-grab it when it reaches the
next mount point. The result is that the filename computed is not a
First, when __d_path() hits a lazily unmounted mount point, it tries to prepend
the name of the lazily unmounted dentry to the path name. It gets this wrong,
and also overwrites the slash that separates the name from the following
pathname component. This patch fixes that; if a process was in dire
Struct iattr already contains ia_file since commit cc4e69de from
Miklos (which is related to commit befc649c). Use this to pass
struct file down the setattr hooks. This allows LSMs to distinguish
operations on file descriptors from operations on paths.
Signed-off-by: Andreas Gruenbacher <[EMAIL P
Convert the selinux sysctl pathname computation code into a standalone
function.
Signed-off-by: Andreas Gruenbacher <[EMAIL PROTECTED]>
Signed-off-by: John Johansen <[EMAIL PROTECTED]>
---
include/linux/sysctl.h |2 ++
kernel/sysctl.c | 27 +++
security/s
This allows LSMs to also distinguish between file descriptor and path
access for the xattr operations. (The other relevant operations are
covered by the setattr hook.)
Signed-off-by: Andreas Gruenbacher <[EMAIL PROTECTED]>
Signed-off-by: John Johansen <[EMAIL PROTECTED]>
---
fs/xattr.c
Set the LOOKUP_CONTINUE flag when checking parent permissions. This allows
permission functions to tell between parent and leaf checks.
Signed-off-by: Andreas Gruenbacher <[EMAIL PROTECTED]>
Signed-off-by: John Johansen <[EMAIL PROTECTED]>
---
fs/namei.c |6 ++
1 file changed, 6 insertio
Update kenel audit range comments to show AppArmor's registered range of
1500-1599. This range used to be reserved for LSPP but LSPP uses the
SE Linux range and the range was given to AppArmor.
Adds necessary export symbols for audit subsystem routines.
Changes audit_log_vformat to be externally v
The underlying functions by which the AppArmor LSM hooks are implemented.
Signed-off-by: John Johansen <[EMAIL PROTECTED]>
Signed-off-by: Andreas Gruenbacher <[EMAIL PROTECTED]>
---
security/apparmor/main.c | 1255 +++
1 file changed, 1255 insertions(+
Module parameters, LSM hooks, initialization and teardown.
Signed-off-by: John Johansen <[EMAIL PROTECTED]>
Signed-off-by: Andreas Gruenbacher <[EMAIL PROTECTED]>
---
security/apparmor/lsm.c | 817
1 file changed, 817 insertions(+)
--- /dev/null
Pathname matching, transition table loading, profile loading and
manipulation.
Signed-off-by: John Johansen <[EMAIL PROTECTED]>
Signed-off-by: Andreas Gruenbacher <[EMAIL PROTECTED]>
---
security/apparmor/match.c| 248 ++
security/apparmor/match.h| 83
Signed-off-by: John Johansen <[EMAIL PROTECTED]>
Signed-off-by: Andreas Gruenbacher <[EMAIL PROTECTED]>
---
security/Kconfig |1 +
security/Makefile |1 +
security/apparmor/Kconfig |3 ++-
3 files changed, 4 insertions(+), 1 deletion(-)
--- a/security/Kconfig
+++ b/s
All the things that didn't nicely fit in a category on their own: kbuild
code, declararions and inline functions, /sys/kernel/security/apparmor
filesystem for controlling apparmor from user space, profile list
functions, locking documentation, /proc/$pid/task/$tid/attr/current
access.
Signed-off-b
Switch from file_permission() to vfs_permission() in do_path_lookup():
this avoids calling permission() with a NULL nameidata here.
Signed-off-by: Andreas Gruenbacher <[EMAIL PROTECTED]>
Signed-off-by: John Johansen <[EMAIL PROTECTED]>
---
fs/namei.c | 13 ++---
1 file changed, 6 inser
We cannot easily switch from file_permission() to vfs_permission()
everywhere, so fix file_permission() to not use a NULL nameidata
for the remaining users.
Signed-off-by: Andreas Gruenbacher <[EMAIL PROTECTED]>
Signed-off-by: John Johansen <[EMAIL PROTECTED]>
---
fs/namei.c |8 +++-
1 f
Switch from file_permission() to vfs_permission() in sys_fchdir(): this
avoids calling permission() with a NULL nameidata here.
Signed-off-by: Andreas Gruenbacher <[EMAIL PROTECTED]>
Signed-off-by: John Johansen <[EMAIL PROTECTED]>
---
fs/open.c | 16 +++-
1 file changed, 7 inserti
This is needed for computing pathnames in the AppArmor LSM.
Signed-off-by: Tony Jones <[EMAIL PROTECTED]>
Signed-off-by: Andreas Gruenbacher <[EMAIL PROTECTED]>
Signed-off-by: John Johansen <[EMAIL PROTECTED]>
---
fs/attr.c|4 ++--
include/linux/security.h |8 ++--
se
--
This post is a request for discussion on creating a second smaller
nameidata struct to eliminate conditionally passing of vfsmounts
to the LSM.
It contains a series of patches that apply on top of the AppArmor
patch series. These patches were previously post on May 14,
but received no feedba
Create a nameidata2 struct in nfsd and mqueue so that vfs_create does
need to conditionally pass the vfsmnt.
Signed-off-by: Andreas Gruenbacher <[EMAIL PROTECTED]>
Signed-off-by: John Johansen <[EMAIL PROTECTED]>
---
fs/namei.c|2 +-
fs/nfsd/vfs.c | 42 +
Create nameidata2 struct xattr_permission so that it does not pass NULL
to permission.
Signed-off-by: Andreas Gruenbacher <[EMAIL PROTECTED]>
Signed-off-by: John Johansen <[EMAIL PROTECTED]>
---
fs/xattr.c | 18 +-
1 file changed, 13 insertions(+), 5 deletions(-)
--- a/fs/xatt
Construct a nameidata object and pass it down to permission(), so
that we can do the proper mount flag checks there.
Note that confining nfsd with AppArmor makes no sense, and so this
patch is not necessary for AppArmor alone.
Signed-off-by: Andreas Gruenbacher <[EMAIL PROTECTED]>
Signed-off-by:
On Tue, 2007-06-26 at 16:15 -0700, [EMAIL PROTECTED] wrote:
> To remove conditionally passing of vfsmounts to the LSM, a nameidata
> struct can be instantiated in the nfsd and mqueue filesystems. This
> however results in useless information being passed down, as not
> all fields in the nameidata
On Tue, 26 Jun 2007 16:07:56 -0700
[EMAIL PROTECTED] wrote:
> This post contains patches to include the AppArmor application security
> framework, with request for inclusion into -mm for wider testing.
Patches 24 and 31 didn't come through.
Rolled-up diffstat (excluding 24&31):
fs/attr.c
On Jun 26, 2007, at 09:47:12, Serge E. Hallyn wrote:
Quoting Kyle Moffett ([EMAIL PROTECTED]):
On Jun 25, 2007, at 16:37:58, Andreas Gruenbacher wrote:
It's useful for some LSMs to be modular, and LSMs which are y/n
options won't have any security architecture issues with
unloading at all. T
In message <[EMAIL PROTECTED]>, [EMAIL PROTECTED] writes:
> The create, lookup, and permission inode operations are all passed a
> full nameidata. This is unfortunate because in nfsd and the mqueue
> filesystem, we must instantiate a struct nameidata but cannot provide
> all of the same informatio
Kyle Moffett wrote:
> Let's go over the differences between "my fs" and "my LSM", and the
> similarities between "my VM" and "my LSM": Filesystems don't get
> hooked from virtually every userspace-initiated operation, whereas
> both VMs and LSMs do. VMs and LSMs attach anonymous state data to a
>
This is needed for computing pathnames in the AppArmor LSM.
Signed-off-by: Tony Jones <[EMAIL PROTECTED]>
Signed-off-by: Andreas Gruenbacher <[EMAIL PROTECTED]>
Signed-off-by: John Johansen <[EMAIL PROTECTED]>
---
fs/xattr.c |2 +-
include/linux/security.h | 13 -
In AppArmor, we are interested in pathnames relative to the namespace root.
This is the same as d_path() except for the root where the search ends. Add
a function for computing the namespace-relative path.
Signed-off-by: Andreas Gruenbacher <[EMAIL PROTECTED]>
Signed-off-by: John Johansen <[EMAIL
On Jun 26, 2007, at 20:57:53, Crispin Cowan wrote:
Kyle Moffett wrote:
Let's go over the differences between "my fs" and "my LSM", and
the similarities between "my VM" and "my LSM": Filesystems don't
get hooked from virtually every userspace-initiated operation,
whereas both VMs and LSMs d
On Tue, Jun 26, 2007 at 04:52:02PM -0700, Andrew Morton wrote:
> On Tue, 26 Jun 2007 16:07:56 -0700
> [EMAIL PROTECTED] wrote:
>
> > This post contains patches to include the AppArmor application security
> > framework, with request for inclusion into -mm for wider testing.
>
> Patches 24 and 31
On Tue, 26 Jun 2007 19:24:03 -0700 John Johansen <[EMAIL PROTECTED]> wrote:
> >
> > so... where do we stand with this? Fundamental, irreconcilable
> > differences over the use of pathname-based security?
> >
> There certainly seems to be some differences of opinion over the use
> of pathname-b
* Crispin Cowan ([EMAIL PROTECTED]) wrote:
> and simple LSMs that can be
> unloaded safely can permit it.
there are none, and making the above possible is prohibitively
expensive.
-
To unsubscribe from this list: send the line "unsubscribe
linux-security-module" in
the body of a message to [EMAIL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Serge E. Hallyn wrote:
>
>> I don't particularly mind, but can you point out any case where
>> it is an advantage to have the one bit for f'E rather than just
>> drop f'E altogether? Instead of having
>
>> f'I=something
>> f'P=something
>>
On Tue, Jun 26, 2007 at 07:47:00PM -0700, Andrew Morton wrote:
> On Tue, 26 Jun 2007 19:24:03 -0700 John Johansen <[EMAIL PROTECTED]> wrote:
>
> > >
> > > so... where do we stand with this? Fundamental, irreconcilable
> > > differences over the use of pathname-based security?
> > >
> > There c
71 matches
Mail list logo