kernel/security, branch linux-2.6.26.y

file caps: always start with clear bprm->caps_*

2008-11-10T19:17:55Z

commit 3318a386e4ca68c76e0294363d29bdc46fcad670 upstream While Linux doesn't honor setuid on scripts. However, it mistakenly behaves differently for file capabilities. This patch fixes that behavior by making sure that get_file_caps() begins with empty bprm->caps_*. That way when a script is loaded, its bprm->caps_* may be filled when binfmt_misc calls prepare_binprm(), but they will be cleared again when binfmt_elf calls prepare_binprm() next to read the interpreter's file capabilities. Signed-off-by: Serge Hallyn Acked-by: David Howells Acked-by: Andrew G. Morgan Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman

devcgroup: fix permission check when adding entry to child cgroup

2008-07-13T19:51:18Z

# cat devices.list c 1:3 r # echo 'c 1:3 w' > sub/devices.allow # cat sub/devices.list c 1:3 w As illustrated, the parent group has no write permission to /dev/null, so it's child should not be allowed to add this write permission. Signed-off-by: Li Zefan Acked-by: Serge Hallyn Cc: Serge Hallyn Cc: Paul Menage Cc: Pavel Emelyanov Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds

devcgroup: always show positive major/minor num

2008-07-13T19:51:18Z

# echo "b $((0x7fffffff)):$((0x80000000)) rwm" > devices.allow # cat devices.list b 214748364:-21474836 rwm though a major/minor number of 0x800000000 is meaningless, we should not cast it to a negative value. Signed-off-by: Li Zefan Acked-by: Serge Hallyn Cc: Serge Hallyn Cc: Paul Menage Cc: Pavel Emelyanov Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds

devcgroup: fix odd behaviour when writing 'a' to devices.allow

2008-07-04T17:40:10Z

# cat /devcg/devices.list a *:* rwm # echo a > devices.allow # cat /devcg/devices.list a *:* rwm a 0:0 rwm This is odd and maybe confusing. With this patch, writing 'a' to devices.allow will add 'a *:* rwm' to the whitelist. Also a few fixes and updates to the document. Signed-off-by: Li Zefan Cc: Pavel Emelyanov Cc: Serge E. Hallyn Cc: Paul Menage Cc: Balbir Singh Cc: James Morris Cc: Chris Wright Cc: Stephen Smalley Cc: KAMEZAWA Hiroyuki Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds

security: filesystem capabilities: fix CAP_SETPCAP handling

2008-07-04T17:40:08Z

The filesystem capability support meaning for CAP_SETPCAP is less powerful than the non-filesystem capability support. As such, when filesystem capabilities are configured, we should not permit CAP_SETPCAP to 'enhance' the current process through strace manipulation of a child process. Signed-off-by: Andrew G. Morgan Acked-by: Serge Hallyn Cc: David Howells Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds

capabilities: add (back) dummy support for KEEPCAPS

2008-06-13T01:05:40Z

The dummy module is used by folk that run security conscious code(!?). A feature of such code (for example, dhclient) is that it tries to operate with minimum privilege (dropping unneeded capabilities). While the dummy module doesn't restrict code execution based on capability state, the user code expects the kernel to appear to support it. This patch adds back faked support for the PR_SET_KEEPCAPS etc., calls - making the kernel behave as before 2.6.26. For details see: http://bugzilla.kernel.org/show_bug.cgi?id=10748 Signed-off-by: Andrew G. Morgan Acked-by: Serge Hallyn Cc: James Morris Cc: Stephen Smalley Cc: Chris Wright Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds

keys: remove unused key_alloc_sem

2008-06-06T18:29:11Z

This semaphore doesn't appear to be used, so remove it. Signed-off-by: Daniel Walker Cc: David Howells Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds

devscgroup: make white list more compact in some cases

2008-06-06T18:29:11Z

Consider you added a 'c foo:bar r' permission to some cgroup and then (a bit later) 'c'foo:bar w' for it. After this you'll see the c foo:bar r c foo:bar w lines in a devices.list file. Another example - consider you added 10 'c foo:bar r' permissions to some cgroup (e.g. by mistake). After this you'll see 10 c foo:bar r lines in a list file. This is weird. This situation also has one more annoying consequence. Having many items in a white list makes permissions checking slower, sine it has to walk a longer list. The proposal is to merge permissions for items, that correspond to the same device. Signed-off-by: Pavel Emelyanov Acked-by: Serge Hallyn Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds

devscgroup: relax task to dev_cgroup conversion

2008-06-06T18:29:11Z

Two functions, that need to get a device_cgroup from a task (they are devcgroup_inode_permission and devcgroup_inode_mknod) make it in a strange way: They get a css_set from task, then a subsys_state from css_set, then a cgroup from the state and then a subsys_state again from the cgroup. Besides, the devices_subsys_id is read from memory, whilst there's a enum-ed constant for it. Optimize this part a bit: 1. Get the subsys_stats form the task and be done - no 2 extra dereferences, 2. Use the device_subsys_id constant, not the value from memory (i.e. one less dereference). Found while preparing 2.6.26 OpenVZ port. Signed-off-by: Pavel Emelyanov Acked-by: Serge Hallyn Acked-by: Paul Menage Cc: Balbir Singh Cc: James Morris Cc: Chris Wright Cc: Stephen Smalley Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds

devcgroup: make a helper to convert cgroup_subsys_state to devs_cgroup

2008-06-06T18:29:11Z

This is just picking the container_of out of cgroup_to_devcgroup into a separate function. This new css_to_devcgroup will be used in the 2nd patch. Signed-off-by: Pavel Emelyanov Acked-by: Serge Hallyn Cc: Paul Menage Cc: Balbir Singh Cc: James Morris Cc: Chris Wright Cc: Stephen Smalley Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds