linux.git/Documentation/admin-guide/LSM, branch v6.6.132 Clone of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git security/loadpin: Update the changing interface in the source code. 2021-03-15T19:32:32+00:00 Jiele zhao unclexiaole@gmail.com 2021-03-08T02:03:58+00:00 0860b72d535f869e26252df66d4f634e1655f84a Loadpin cmdline interface "enabled" has been renamed to "enforce" for a long time, but the User Description Document was not updated. (Meaning unchanged) And kernel_read_file* were moved from linux/fs.h to its own linux/kernel_read_file.h include file. So update that change here. Signed-off-by: Jiele zhao <unclexiaole@gmail.com> Link: https://lore.kernel.org/r/20210308020358.102836-1-unclexiaole@gmail.com Signed-off-by: Jonathan Corbet <corbet@lwn.net> 
Loadpin cmdline interface "enabled" has been renamed to "enforce"
for a long time, but the User Description Document was not updated.
(Meaning unchanged)

And kernel_read_file* were moved from linux/fs.h to its own
linux/kernel_read_file.h include file. So update that change here.

Signed-off-by: Jiele zhao <unclexiaole@gmail.com>
Link: https://lore.kernel.org/r/20210308020358.102836-1-unclexiaole@gmail.com
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
docs: SafeSetID: fix a warning 2020-10-28T17:42:02+00:00 Mauro Carvalho Chehab mchehab+huawei@kernel.org 2020-10-27T09:51:36+00:00 afc74ce7b484da5c5698d8eb2472a58c547cbc2b As reported by Sphinx 2.4.4: docs/Documentation/admin-guide/LSM/SafeSetID.rst:110: WARNING: Title underline too short. Note on GID policies and setgroups() ================== Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org> Link: https://lore.kernel.org/r/4afa281c170daabd1ce522653d5d5d5078ebd92c.1603791716.git.mchehab+huawei@kernel.org Signed-off-by: Jonathan Corbet <corbet@lwn.net> 
As reported by Sphinx 2.4.4:

	docs/Documentation/admin-guide/LSM/SafeSetID.rst:110: WARNING: Title underline too short.

	Note on GID policies and setgroups()
	==================

Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Link: https://lore.kernel.org/r/4afa281c170daabd1ce522653d5d5d5078ebd92c.1603791716.git.mchehab+huawei@kernel.org
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
LSM: SafeSetID: Add GID security policy handling 2020-10-13T16:17:35+00:00 Thomas Cedeno thomascedeno@google.com 2020-07-16T19:52:01+00:00 5294bac97e12bdabbb97e9adf44d388612a700b8 The SafeSetID LSM has functionality for restricting setuid() calls based on its configured security policies. This patch adds the analogous functionality for setgid() calls. This is mostly a copy-and-paste change with some code deduplication, plus slight modifications/name changes to the policy-rule-related structs (now contain GID rules in addition to the UID ones) and some type generalization since SafeSetID now needs to deal with kgid_t and kuid_t types. Signed-off-by: Thomas Cedeno <thomascedeno@google.com> Signed-off-by: Micah Morton <mortonm@chromium.org> 
The SafeSetID LSM has functionality for restricting setuid() calls based
on its configured security policies. This patch adds the analogous
functionality for setgid() calls. This is mostly a copy-and-paste change
with some code deduplication, plus slight modifications/name changes to
the policy-rule-related structs (now contain GID rules in addition to
the UID ones) and some type generalization since SafeSetID now needs to
deal with kgid_t and kuid_t types.

Signed-off-by: Thomas Cedeno <thomascedeno@google.com>
Signed-off-by: Micah Morton <mortonm@chromium.org>
doc: yama: Swap HTTP for HTTPS and replace dead link 2020-07-13T15:40:42+00:00 Kees Cook keescook@chromium.org 2020-07-09T18:51:35+00:00 9d1bd9e8e028d1e1753120ba53d39fcdaeca6ea6 Replace one dead link for the same person's original presentation on the topic and swap an HTTP URL with HTTPS. While here, linkify the text to make it more readable when rendered. Link: https://lore.kernel.org/lkml/20200708073346.13177-1-grandmaster@al2klimov.de/ Co-developed-by: Alexander A. Klimov <grandmaster@al2klimov.de> Signed-off-by: Alexander A. Klimov <grandmaster@al2klimov.de> Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/202007091141.C008B89EC@keescook Signed-off-by: Jonathan Corbet <corbet@lwn.net> 
Replace one dead link for the same person's original presentation on the
topic and swap an HTTP URL with HTTPS. While here, linkify the text to
make it more readable when rendered.

Link: https://lore.kernel.org/lkml/20200708073346.13177-1-grandmaster@al2klimov.de/
Co-developed-by: Alexander A. Klimov <grandmaster@al2klimov.de>
Signed-off-by: Alexander A. Klimov <grandmaster@al2klimov.de>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/202007091141.C008B89EC@keescook
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
Replace HTTP links with HTTPS ones: documentation 2020-06-08T15:30:19+00:00 Alexander A. Klimov grandmaster@al2klimov.de 2020-05-26T06:05:44+00:00 93431e0607e58a3c997a134adc0fad4fdc147dab Rationale: Reduces attack surface on kernel devs opening the links for MITM as HTTPS traffic is much harder to manipulate. Deterministic algorithm: For each file: For each line: If doesn't contain `\bxmlns\b`: For each link, `\bhttp://[^# \t\r\n]*(?:\w|/)`: If both the HTTP and HTTPS versions return 200 OK and serve the same content: Replace HTTP with HTTPS. Signed-off-by: Alexander A. Klimov <grandmaster@al2klimov.de> Link: https://lore.kernel.org/r/20200526060544.25127-1-grandmaster@al2klimov.de Signed-off-by: Jonathan Corbet <corbet@lwn.net> 
Rationale:
Reduces attack surface on kernel devs opening the links for MITM
as HTTPS traffic is much harder to manipulate.

Deterministic algorithm:
For each file:
  For each line:
    If doesn't contain `\bxmlns\b`:
      For each link, `\bhttp://[^# \t\r\n]*(?:\w|/)`:
        If both the HTTP and HTTPS versions
        return 200 OK and serve the same content:
          Replace HTTP with HTTPS.

Signed-off-by: Alexander A. Klimov <grandmaster@al2klimov.de>
Link: https://lore.kernel.org/r/20200526060544.25127-1-grandmaster@al2klimov.de
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
docs: SafeSetID.rst: Remove spurious '???' characters 2019-10-11T15:58:38+00:00 Christian Kujau lists@nerdbynature.de 2019-10-11T03:36:16+00:00 0e3901891ab66dce0a51579035594c9b685650dd It appears that some smart quotes were changed to "???" by even smarter software; change them to the dumb but legible variety. Signed-off-by: Christian Kujau <lists@nerdbynature.de> Signed-off-by: Jonathan Corbet <corbet@lwn.net> 
It appears that some smart quotes were changed to "???" by even smarter
software; change them to the dumb but legible variety.

Signed-off-by: Christian Kujau <lists@nerdbynature.de>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
security/loadpin: Allow to exclude specific file types 2019-05-31T20:57:40+00:00 Ke Wu mikewu@google.com 2019-05-30T19:22:08+00:00 0ff9848067b7b950a4ed70de7f5028600a2157e3 Linux kernel already provide MODULE_SIG and KEXEC_VERIFY_SIG to make sure loaded kernel module and kernel image are trusted. This patch adds a kernel command line option "loadpin.exclude" which allows to exclude specific file types from LoadPin. This is useful when people want to use different mechanisms to verify module and kernel image while still use LoadPin to protect the integrity of other files kernel loads. Signed-off-by: Ke Wu <mikewu@google.com> Reviewed-by: James Morris <jamorris@linux.microsoft.com> [kees: fix array size issue reported by Coverity via Colin Ian King] Signed-off-by: Kees Cook <keescook@chromium.org> 
Linux kernel already provide MODULE_SIG and KEXEC_VERIFY_SIG to
make sure loaded kernel module and kernel image are trusted. This
patch adds a kernel command line option "loadpin.exclude" which
allows to exclude specific file types from LoadPin. This is useful
when people want to use different mechanisms to verify module and
kernel image while still use LoadPin to protect the integrity of
other files kernel loads.

Signed-off-by: Ke Wu <mikewu@google.com>
Reviewed-by: James Morris <jamorris@linux.microsoft.com>
[kees: fix array size issue reported by Coverity via Colin Ian King]
Signed-off-by: Kees Cook <keescook@chromium.org>
LSM: add SafeSetID module that gates setid calls 2019-01-25T19:22:45+00:00 Micah Morton mortonm@chromium.org 2019-01-16T15:46:06+00:00 aeca4e2ca65c1aeacfbe520684e6421719d99417 SafeSetID gates the setid family of syscalls to restrict UID/GID transitions from a given UID/GID to only those approved by a system-wide whitelist. These restrictions also prohibit the given UIDs/GIDs from obtaining auxiliary privileges associated with CAP_SET{U/G}ID, such as allowing a user to set up user namespace UID mappings. For now, only gating the set*uid family of syscalls is supported, with support for set*gid coming in a future patch set. Signed-off-by: Micah Morton <mortonm@chromium.org> Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: James Morris <james.morris@microsoft.com> 
SafeSetID gates the setid family of syscalls to restrict UID/GID
transitions from a given UID/GID to only those approved by a
system-wide whitelist. These restrictions also prohibit the given
UIDs/GIDs from obtaining auxiliary privileges associated with
CAP_SET{U/G}ID, such as allowing a user to set up user namespace UID
mappings. For now, only gating the set*uid family of syscalls is
supported, with support for set*gid coming in a future patch set.

Signed-off-by: Micah Morton <mortonm@chromium.org>
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: James Morris <james.morris@microsoft.com>
procfs: add smack subdir to attrs 2019-01-08T21:18:44+00:00 Casey Schaufler casey@schaufler-ca.com 2018-09-22T00:16:59+00:00 6d9c939dbe4d0bcea09cd4b410f624cde1acb678 Back in 2007 I made what turned out to be a rather serious mistake in the implementation of the Smack security module. The SELinux module used an interface in /proc to manipulate the security context on processes. Rather than use a similar interface, I used the same interface. The AppArmor team did likewise. Now /proc/.../attr/current will tell you the security "context" of the process, but it will be different depending on the security module you're using. This patch provides a subdirectory in /proc/.../attr for Smack. Smack user space can use the "current" file in this subdirectory and never have to worry about getting SELinux attributes by mistake. Programs that use the old interface will continue to work (or fail, as the case may be) as before. The proposed S.A.R.A security module is dependent on the mechanism to create its own attr subdirectory. The original implementation is by Kees Cook. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: Kees Cook <keescook@chromium.org> 
Back in 2007 I made what turned out to be a rather serious
mistake in the implementation of the Smack security module.
The SELinux module used an interface in /proc to manipulate
the security context on processes. Rather than use a similar
interface, I used the same interface. The AppArmor team did
likewise. Now /proc/.../attr/current will tell you the
security "context" of the process, but it will be different
depending on the security module you're using.

This patch provides a subdirectory in /proc/.../attr for
Smack. Smack user space can use the "current" file in
this subdirectory and never have to worry about getting
SELinux attributes by mistake. Programs that use the
old interface will continue to work (or fail, as the case
may be) as before.

The proposed S.A.R.A security module is dependent on
the mechanism to create its own attr subdirectory.

The original implementation is by Kees Cook.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Merge branch 'next-smack' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2019-01-02T18:56:09+00:00 Linus Torvalds torvalds@linux-foundation.org 2019-01-02T18:56:09+00:00 19f2e267a5d0d26282a64f8f788c482852c95324 Pull smack updates from James Morris: "Two Smack patches for 4.21. Jose's patch adds missing documentation and Zoran's fleshes out the access checks on keyrings" * 'next-smack' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: Smack: Improve Documentation smack: fix access permissions for keyring 
Pull smack updates from James Morris:
 "Two Smack patches for 4.21.

  Jose's patch adds missing documentation and Zoran's fleshes out the
  access checks on keyrings"

* 'next-smack' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  Smack: Improve Documentation
  smack: fix access permissions for keyring