| Age | Commit message (Collapse) | Author |
|---|
|
* v3.18/topic/aosp: (25 commits)
wakeup: Add the guard condition for len in pm_get_active_wakeup_sources
CHROMIUM: android: Unconditionally remove callbacks in sync_fence_free()
CHROMIUM: android: fix warning when releasing active sync point
mm: reorder can_do_mlock to fix audit denial
staging: ion: debugfs to shrink pool
usb: gadget: configfs: handle gadget reset request for android
Enable adb with android-pipe in IA image
selinux: Android kernel compatibility with M userspace
selinux: extended permissions for ioctls
security: add ioctl specific auditing to lsm_audit
selinux: remove unnecessary pointer reassignment
Revert "security: lsm_audit: add ioctl specific auditing"
Revert "SELinux: per-command whitelisting of ioctls"
Revert "SELinux: use deletion-safe iterator to free list"
Revert "SELinux: ss: Fix policy write for ioctl operations"
android: add CONFIG_DEBUG_RODATA to recommended config
arm: mm: support ARCH_MMAP_RND_BITS.
mm: mmap: Add new /proc tunable for mmap_base ASLR.
Don't kill IPv4 sockets when killing IPv6 sockets was requested.
uid_cputime: Check for the range while removing range of UIDs.
...
Conflicts:
drivers/usb/gadget/Kconfig
Conflict due to android-3.18 merge trying to sneak in Android
Composite Gadget "USB_G_ANDROID" changes into
drivers/usb/gadget/Kconfig which we have already moved to
drivers/usb/gadget/legacy/Kconfig during last restructuring.
Resolution (as recommended by Amit Pundir)
Delete "USB_G_ANDROID" and dependent config option and keep only
USB_CONFIGFS_F_MIDI specific changes from AOSP commit 2ccf4f4f216f
"usb: gadget: Remove circular dependency on Config".
|
|
NOT intended for new Android devices - this commit is unnecessary
for a target device that does not have a previous M variant.
DO NOT upstream. Android only.
Motivation:
This commit mitigates a mismatch between selinux kernel and
selinux userspace. The selinux ioctl white-listing binary policy
format that was accepted into Android M differs slightly from what
was later accepted into the upstream kernel. This leaves Android
master branch kernels incompatible with Android M releases. This
patch restores backwards compatibility. This is important because:
1. kernels may be updated on a different cycle than the rest of the
OS e.g. security patching.
2. Android M bringup may still be ongoing for some devices. The
same kernel should work for both M and master.
Backwards compatibility is achieved by checking for an Android M
policy characteristic during initial policy read and converting to
upstream policy format. The inverse conversion is done for policy
write as required for CTS testing.
Bug: 22846070
Change-Id: I2f1ee2eee402f37cf3c9df9f9e03c1b9ddec1929
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
|
|
(cherry picked from commit fa1aa143ac4a682c7f5fd52a3cf05f5a6fe44a0a)
Add extended permissions logic to selinux. Extended permissions
provides additional permissions in 256 bit increments. Extend the
generic ioctl permission check to use the extended permissions for
per-command filtering. Source/target/class sets including the ioctl
permission may additionally include a set of commands. Example:
allowxperm <source> <target>:<class> ioctl unpriv_app_socket_cmds
auditallowxperm <source> <target>:<class> ioctl priv_gpu_cmds
Where unpriv_app_socket_cmds and priv_gpu_cmds are macros
representing commonly granted sets of ioctl commands.
When ioctl commands are omitted only the permissions are checked.
This feature is intended to provide finer granularity for the ioctl
permission that may be too imprecise. For example, the same driver
may use ioctls to provide important and benign functionality such as
driver version or socket type as well as dangerous capabilities such
as debugging features, read/write/execute to physical memory or
access to sensitive data. Per-command filtering provides a mechanism
to reduce the attack surface of the kernel, and limit applications
to the subset of commands required.
The format of the policy binary has been modified to include ioctl
commands, and the policy version number has been incremented to
POLICYDB_VERSION_XPERMS_IOCTL=30 to account for the format
change.
The extended permissions logic is deliberately generic to allow
components to be reused e.g. netlink filters
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Acked-by: Nick Kralevich <nnk@google.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Bug: 22846070
Change-Id: I7c6bdc0362657b47aa1388936c5a1300bc5c0b42
|
|
(cherry pick from commit 671a2781ff01abf4fdc8904881fc3abd3a8279af)
Add information about ioctl calls to the LSM audit data. Log the
file path and command number.
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Acked-by: Nick Kralevich <nnk@google.com>
[PM: subject line tweak]
Signed-off-by: Paul Moore <pmoore@redhat.com>
Bug: 22846070
Change-Id: I88a6ecdd59297a315a6fb9c82c0a798bdb6bafaa
|
|
(cherry pick from commit 83d4a806ae46397f606de7376b831524bd3a21e5)
Commit f01e1af445fa ("selinux: don't pass in NULL avd to avc_has_perm_noaudit")
made this pointer reassignment unnecessary. Avd should continue to reference
the stack-based copy.
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
[PM: tweaked subject line]
Signed-off-by: Paul Moore <pmoore@redhat.com>
Bug: 22846070
Change-Id: I8fcba45a5acc4de862bd5b3f07bf4980f67133c4
|
|
This reverts commit b9417e527039f72073a0d368955bd1267f92ba70.
Bug: 22846070
Change-Id: I11d8880135a32b54e8eb8b95091b0226aa16735e
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
|
|
This reverts commit ba733f9857b966459316d0cd33b8da2e22f62d7d.
Bug: 22846070
Change-Id: I4b5d9ce72996b7cf5b972dbcae22fbd6aff05149
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
|
|
This reverts commit e623b152f30f6f1204919315df37244d69e5d55e.
Bug: 22846070
Change-Id: Ief7a906b613adcf316e734270a1da2fbd1ce6cb8
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
|
|
This reverts commit 6bdf36786e225facf5ad2ed383a29ffd488e60ac.
Bug: 22846070
Change-Id: I47ae4ef40c688d96e2e5062506998808b9e4f603
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
|
|
git://android.git.linaro.org/kernel/linaro-android into linux-linaro-lsk-v3.18-android
|
|
|
|
* android-3.18: (65 commits)
UPSTREAM: arm64: add better page protections to arm64
UPSTREAM: arm64: use fixmap for text patching
UPSTREAM: arm64: remove the unnecessary arm64_swiotlb_init()
UPSTREAM: arm64/efi: remove idmap manipulations from UEFI code
UPSTREAM: arm64/efi: add missing call to early_ioremap_reset()
UPSTREAM: arm64/efi: remove free_boot_services() and friends
UPSTREAM: arm64/efi: move SetVirtualAddressMap() to UEFI stub
UPSTREAM: arm64/efi: set EFI_ALLOC_ALIGN to 64 KB
UPSTREAM: efi: efistub: allow allocation alignment larger than EFI_PAGE_SIZE
UPSTREAM: efi: split off remapping code from efi_config_init()
UPSTREAM: arm64/mm: add create_pgd_mapping() to create private page tables
UPSTREAM: arm64/mm: add explicit struct_mm argument to __create_mapping()
UPSTREAM: efi: efi-stub: notify on DTB absence
UPSTREAM: arm64: dmi: set DMI string as dump stack arch description
UPSTREAM: arm64: dmi: Add SMBIOS/DMI support
UPSTREAM: dmi: add support for SMBIOS 3.0 64-bit entry point
UPSTREAM: efi: dmi: add support for SMBIOS 3.0 UEFI configuration table
UPSTREAM: arm64/efi: drop redundant set_bit(EFI_CONFIG_TABLES)
UPSTREAM: arm64/efi: invert UEFI memory region reservation logic
UPSTREAM: arm64/efi: set PE/COFF file alignment to 512 bytes
...
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Conflicts:
arch/arm64/Kconfig.debug
==> Add changes from LSK commit 62b089faf1c1 "coresight:
moving to new "hwtracing" directory" as well as changes
from AOSP commit 43e0bfd3b440 "UPSTREAM: arm64: add
better page protections to arm64".
arch/arm64/kernel/efi.c
arch/arm64/kernel/setup.c
==> Pick changes from AOSP commits 3b9b326050d5 "UPSTREAM:
arm64/efi: move SetVirtualAddressMap() to UEFI stub"
and 40ab942b678f "UPSTREAM: arm64/efi: remove idmap
manipulations from UEFI code" instead.
drivers/firmware/dmi_scan.c
==> Add changes from LSK commit d9b300555107 "firmware:
dmi_scan: Fix ordering of product_uuid" as well as
changes from AOSP commit 9390abcdbc7c "UPSTREAM: dmi:
add support for SMBIOS 3.0 64-bit entry point".
include/net/route.h
==> Pick changes from AOSP commit 83511cc43b56 "net: core:
fix UID-based routing build" instead of Linaro commit
a9e5d955dea "net: core: fix Null ptr dereference in
UID-based routing".
lib/lz4/lz4_decompress.c
==> Pick changes from AOSP commit e5cf8538cd09 "lz4: fix
system halt at boot kernel on x86_64" instead.
|
|
Use the ATTR_FILE attribute to distinguish between truncate()
and ftruncate() system calls. The two other cases where
do_truncate is called with a filp (and therefore ATTR_FILE is set)
are for coredump files and for open(O_TRUNC). In both of those cases
the open permission has already been checked during file open and
therefore does not need to be repeated.
Commit 95dbf739313f ("SELinux: check OPEN on truncate calls")
fixed a major issue where domains were allowed to truncate files
without the open permission. However, it introduced a new bug where
a domain with the write permission can no longer ftruncate files
without the open permission, even when they receive an already open
file.
(cherry picked from commit b21800f304392ee5d20f411c37470183cc779f11)
Bug: 22567870
Change-Id: I2525a0e244c8d635b2d0c1f966071edbb365a43a
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <pmoore@redhat.com>
|
|
[ Upstream commit 747cadeb108665b0474624a374aa9e13f12c9274 ]
commit 4351c294b8c1028077280f761e158d167b592974 upstream.
The current "mask" policy option matches files opened as MAY_READ,
MAY_WRITE, MAY_APPEND or MAY_EXEC. This patch extends the "mask"
option to match files opened containing one of these modes. For
example, "mask=^MAY_READ" would match files opened read-write.
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Dr. Greg Wettstein <gw@idfusion.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
|
|
[ Upstream commit 139069eff7388407f19794384c42a534d618ccd7 ]
The new "euid" policy condition measures files with the specified
effective uid (euid). In addition, for CAP_SETUID files it measures
files with the specified uid or suid.
Changelog:
- fixed checkpatch.pl warnings
- fixed avc denied {setuid} messages - based on Roberto's feedback
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Dr. Greg Wettstein <gw@idfusion.org>
Cc: stable@vger.kernel.org
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
|
|
|
|
* linux-linaro-lsk-v3.18: (237 commits)
Linux 3.18.19
x86/xen: allow privcmd hypercalls to be preempted
rtnl: restore notifications for deleted interfaces
Input: synaptics - add min/max quirk for Lenovo S540
Revert "Input: synaptics - add min/max quirk for Lenovo S540"
Revert "nfs: take extra reference to fl->fl_file when running a LOCKU operation"
fs/ufs: restore s_lock mutex_init()
ufs: Fix possible deadlock when looking up directories
ufs: Fix warning from unlock_new_inode()
vfs: Ignore unlocked mounts in fs_fully_visible
KVM: x86: properly restore LVT0
KVM: s390: virtio-ccw: don't overwrite config space values
selinux: fix setting of security labels on NFS
usb: gadget: f_fs: add extra check before unregister_gadget_item
perf/x86: Honor the architectural performance monitoring version
perf: Fix ring_buffer_attach() RCU sync, again
x86/boot: Fix overflow warning with 32-bit binutils
vfs: Remove incorrect debugging WARN in prepend_path
KVM: x86: make vapics_in_nmi_mode atomic
arm: KVM: force execution of HCPTR access on VM exit
...
Conflicts:
security/selinux/hooks.c
Resolution summary:
Conflict between upstream LTS commit f0f61c29dfb0 (selinux: fix
setting of security labels on NFS) and android-3.18 commit 96f8
bcf4a398 (pstore: selinux: add security in-core xattr support for
pstore and debugfs.) Resolution: simple combination.
|
|
[ Upstream commit 5101a1850bb7ccbf107929dee9af0cd2f400940f ]
To prevent offline stripping of existing file xattrs and relabeling of
them at runtime, EVM allows only newly created files to be labeled. As
pseudo filesystems are not persistent, stripping of xattrs is not a
concern.
Some LSMs defer file labeling on pseudo filesystems. This patch
permits the labeling of existing files on pseudo files systems.
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
|
|
[ Upstream commit HEAD ]
commit ca4da5dd1f99fe9c59f1709fb43e818b18ad20e0 upstream.
__key_link_end is not freeing the associated array edit structure
and this leads to a 512 byte memory leak each time an identical
existing key is added with add_key().
The reason the add_key() system call returns okay is that
key_create_or_update() calls __key_link_begin() before checking to see
whether it can update a key directly rather than adding/replacing - which
it turns out it can. Thus __key_link() is not called through
__key_instantiate_and_link() and __key_link_end() must cancel the edit.
CVE-2015-1333
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit c9cd9b18dac801040ada16562dc579d5ac366d75)
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
|
|
[ Upstream commit 9fc2b4b436cff7d8403034676014f1be9d534942 ]
Before calling into the filesystem, vfs_setxattr calls
security_inode_setxattr, which ends up calling selinux_inode_setxattr in
our case. That returns -EOPNOTSUPP whenever SBLABEL_MNT is not set.
SBLABEL_MNT was supposed to be set by sb_finish_set_opts, which sets it
only if selinux_is_sblabel_mnt returns true.
The selinux_is_sblabel_mnt logic was broken by eadcabc697e9 "SELinux: do
all flags twiddling in one place", which didn't take into the account
the SECURITY_FS_USE_NATIVE behavior that had been introduced for nfs
with eb9ae686507b "SELinux: Add new labeling type native labels".
This caused setxattr's of security labels over NFSv4.2 to fail.
Cc: stable@kernel.org # 3.13
Cc: Eric Paris <eparis@redhat.com>
Cc: David Quigley <dpquigl@davequigley.com>
Reported-by: Richard Chan <rc556677@outlook.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
[PM: added the stable dependency]
Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
|
|
[ Upstream commit 45b26133b97871896b8c5241d59f4ff7839db7b2 ]
This patch fixes a bug introduced in "4d7aeee ima: define new template
ima-ng and template fields d-ng and n-ng".
Changelog:
- change int to uint32 (Roberto Sassu's suggestion)
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Roberto Sassu <rsassu@suse.de>
Cc: stable@vger.kernel.org # 3.13
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
|
|
[ Upstream commit bd2cba07381a6dba60bc1c87ed8b37931d244da1 ]
This command is missing.
Fixes: 3a2dfbe8acb1 ("xfrm: Notify changes in UDP encapsulation via netlink")
CC: Martin Willi <martin@strongswan.org>
Reported-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
|
|
[ Upstream commit 8d465bb777179c4bea731b828ec484088cc9fbc1 ]
This command is missing.
Fixes: 5c79de6e79cd ("[XFRM]: User interface for handling XFRM_MSG_MIGRATE")
Reported-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
|
|
[ Upstream commit b0b59b0056acd6f157a04cc895f7e24692fb08aa ]
This command is missing.
Fixes: 97a64b4577ae ("[XFRM]: Introduce XFRM_MSG_REPORT.")
Reported-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
|
|
[ Upstream commit 5b5800fad072133e4a9c2efbf735baaac83dec86 ]
These commands are missing.
Fixes: 28d8909bc790 ("[XFRM]: Export SAD info.")
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
|
|
[ Upstream commit 5e6deebafb45fb271ae6939d48832e920b8fb74e ]
This command is missing.
Fixes: ecfd6b183780 ("[XFRM]: Export SPD info")
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
|
|
[ Upstream commit 2b7834d3e1b828429faa5dc41a480919e52d3f31 ]
This new command is missing.
Fixes: 880a6fab8f6b ("xfrm: configure policy hash table thresholds by netlink")
Reported-by: Christophe Gouault <christophe.gouault@6wind.com>
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
|
|
https://android.googlesource.com/kernel/common into linux-linaro-lsk-v3.18-android
* 'android-3.18' of https://android.googlesource.com/kernel/common:
sched: cpufreq: update power usage only if cpufreq_stat is enabled
cpufreq: Iterate over all the possible cpus to create powerstats.
uid_cputime: Extends the cputime functionality to report power per uid
sched: cpufreq: Adds a field cpu_power in the task_struct
cpufreq_stats: Adds the fucntionality to load current values for each frequency for all the cores.
cgroup: Fix issues in allow_attach callback
New Build Breakage in branch: kernel-m-dev-tegra-flounder-3.10 @ 1960706
net/unix: sk_socket can disappear when state is unlocked
selinux: enable genfscon labeling for sysfs and pstore files
ext4: don't save the error information if the block device is read-only
selinux: enable per-file labeling for debugfs files.
cpufreq: interactive: Rearm governor timer at max freq
cpufreq: interactive: Implement cluster-based min_sample_time
cpufreq: interactive: Exercise hispeed settings at a policy level
cpufreq: interactive: Round up timer_rate to match jiffy
cpufreq: interactive: Don't set floor_validate_time during boost
|
|
Support per-file labeling of sysfs and pstore files based on
genfscon policy entries. This is safe because the sysfs
and pstore directory tree cannot be manipulated by userspace,
except to unlink pstore entries.
This provides an alternative method of assigning per-file labeling
to sysfs or pstore files without needing to set the labels from
userspace on each boot. The advantages of this approach are that
the labels are assigned as soon as the dentry is first instantiated
and userspace does not need to walk the sysfs or pstore tree and
set the labels on each boot. The limitations of this approach are
that the labels can only be assigned based on pathname prefix matching.
You can initially assign labels using this mechanism and then change
them at runtime via setxattr if allowed to do so by policy.
Change-Id: If5999785fdc1d24d869b23ae35cd302311e94562
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Suggested-by: Dominick Grift <dac.override@gmail.com>
|
|
upstream commit 6f29997f4a3117169eeabd41dbea4c1bd94a739c
Add support for per-file labeling of debugfs files so that
we can distinguish them in policy. This is particularly
important in Android where certain debugfs files have to be writable
by apps and therefore the debugfs directory tree can be read and
searched by all.
Since debugfs is entirely kernel-generated, the directory tree is
immutable by userspace, and the inodes are pinned in memory, we can
simply use the same approach as with proc and label the inodes from
policy based on pathname from the root of the debugfs filesystem.
Generalize the existing labeling support used for proc and reuse it
for debugfs too.
Change-Id: I6460fbed6bb6bd36eb8554ac8c4fdd574edf3b07
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
|
|
https://android.googlesource.com/kernel/common into linux-linaro-lsk-v3.18-android
* 'android-3.18' of https://android.googlesource.com/kernel/common: (560 commits)
nf: IDLETIMER: Fix broken uid field in the msg
UPSTREAM: staging: android: Assign bool to true
UPSTREAM: Staging: android: ion: fix typos in comments
UPSTREAM: staging: android: ion: Replace "the the " with "the"
usb: gadget: Do not disconnect unregistered dev
ipv4: Missing sk_nulls_node_init() in ping_unhash().
arm64: fix ftrace due to bad cherry-picks from mainline v3.19
SELinux: ss: Fix policy write for ioctl operations
nf: IDLETIMER: Adds the uid field in the msg
arm64: ptrace: add NT_ARM_SYSTEM_CALL regset
android: configs: Enable SELinux and its dependencies.
arm64: add seccomp support
arm64: add SIGSYS siginfo for compat task
arm64: add seccomp syscall for compat task
asm-generic: add generic seccomp.h for secure computing mode 1
arm64: ptrace: allow tracer to skip a system call
arm64: entry: avoid writing lr explicitly for constructing return paths
Revert "arm64: ptrace: add PTRACE_SET_SYSCALL"
Revert "arm64: ptrace: allow tracer to skip a system call"
Revert "asm-generic: add generic seccomp.h for secure computing mode 1"
...
Conflicts:
arch/arm64/include/asm/cpufeature.h
arch/arm64/kernel/cpuinfo.c
arch/arm64/kernel/setup.c
drivers/clk/clk.c
Conflict Resolution Summary:
Conflict:
Upstream commit 44b82b7700d0 (arm64: Fix up /proc/cpuinfo) exists in
the Android tree as commit 93f223009750 (arm64: Fix up /proc/cpuinfo),
but the android commit has a call to dump_stack_set_arch_desc() in
setup_machine_fdt() that doesn't exist upstream.
Resolution: leave the extra call.
Conflict:
Upstream commit 04597a65c5ef (arm64: Track system support for mixed
endian EL0) picked into Android tree as commit d11d7e575ba2 (arm64:
Track system support for mixed endian EL0) causing some trivial
add-add conflicts between this and the arm64 errata framework which
was pulled in from stable/3.18.y
Resolution: add both sides
Conflict:
Android commit 3a3804ba0a4a (clk: debugfs: Support frequency stats
accounting), which is not upstream, had some trivial add-add conflicts
with upstream commit af33873cc77b (clk: Fix debugfs clk removal before
inited).
Resolution: add both sides
Conflict:
Minor conflict between upstream commit af33873cc77b (clk: Fix debugfs
clk removal before inited) and android commit 3a3804ba0a4a (clk:
debugfs: Support frequency stats accounting) because android commit
applied to upstream before the fix was applied.
Resolution: remove stray comment.
|
|
Security server omits the type field when writing out the contents of the
avtab from /sys/fs/selinux/policy. This leads to a corrupt output. No impact
on the running kernel or its loaded policy. Impacts CTS neverallow tests.
Bug: 20665861
Change-Id: I657e18013dd5a1f40052bc2b02dd8e0afee9bcfb
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
(cherry picked from commit 8cdfb356b51e29494ca0b9e4e86727d6f841a52d)
|
|
[ Upstream commit 6436a123a147db51a0b06024a8350f4c230e73ff ]
Return a negative error value like the rest of the entries in this function.
Cc: <stable@vger.kernel.org>
Signed-off-by: Joe Perches <joe@perches.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
[PM: tweaked subject line]
Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
|
|
This code is not exercised by policy version 26, but will be upon
upgrade to policy version 30.
Bug: 18087110
Change-Id: I07c6f34607713294a6a12c43a64d9936f0602200
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
|
|
Extend the generic ioctl permission check with support for per-command
filtering. Source/target/class sets including the ioctl permission may
additionally include a set of commands. Example:
allow <source> <target>:<class> { 0x8910-0x8926 0x892A-0x8935 }
auditallow <source> <target>:<class> 0x892A
When ioctl commands are omitted only the permissions are checked. This
feature is intended to provide finer granularity for the ioctl
permission which may be too imprecise in some circumstances. For
example, the same driver may use ioctls to provide important and
benign functionality such as driver version or socket type as well as
dangerous capabilities such as debugging features, read/write/execute
to physical memory or access to sensitive data. Per-command filtering
provides a mechanism to reduce the attack surface of the kernel, and
limit applications to the subset of commands required.
The format of the policy binary has been modified to include ioctl
commands, and the policy version number has been incremented to
POLICYDB_VERSION_IOCTL_OPERATIONS=30 to account for the format change.
Bug: 18087110
Change-Id: Ibf0e36728f6f3f0d5af56ccdeddee40800af689d
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
|
|
Add information about ioctl calls to the LSM audit data. Log the
file path and command number.
Bug: 18087110
Change-Id: Idbbd106db6226683cb30022d9e8f6f3b8fab7f84
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
|
|
commit bd2cba07381a6dba60bc1c87ed8b37931d244da1 upstream (net-next).
This command is missing.
Change-Id: Ida52130382e42355e5f3b39134aa61a1ea98026d
Fixes: 3a2dfbe8acb1 ("xfrm: Notify changes in UDP encapsulation via netlink")
CC: Martin Willi <martin@strongswan.org>
Reported-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
commit 8d465bb777179c4bea731b828ec484088cc9fbc1 upstream (net-next).
This command is missing.
Change-Id: Id2c9344ca1ab2c96e0b758ad1efb38e16cf23b86
Fixes: 5c79de6e79cd ("[XFRM]: User interface for handling XFRM_MSG_MIGRATE")
Reported-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
commit b0b59b0056acd6f157a04cc895f7e24692fb08aa upstream (net-next).
This command is missing.
Change-Id: I8fa3b1b9815296d3b001244d2212f79f5654bd01
Fixes: 97a64b4577ae ("[XFRM]: Introduce XFRM_MSG_REPORT.")
Reported-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
commit 5b5800fad072133e4a9c2efbf735baaac83dec86 upstream (net-next).
These commands are missing.
Change-Id: I3fd1d3d700592c653e1a5c5199125805d55aaa95
Fixes: 28d8909bc790 ("[XFRM]: Export SAD info.")
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
commit 5e6deebafb45fb271ae6939d48832e920b8fb74e upstream (net-next).
This command is missing.
Change-Id: Id0a0d9bf7a4af98a8f761fec902d1296138a911f
Fixes: ecfd6b183780 ("[XFRM]: Export SPD info")
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
commit 2b7834d3e1b828429faa5dc41a480919e52d3f31 upstream (net-next).
This new command is missing.
Change-Id: If511000c19aa9af7220ff775d88ace9834b35dcb
Fixes: 880a6fab8f6b ("xfrm: configure policy hash table thresholds by netlink")
Reported-by: Christophe Gouault <christophe.gouault@6wind.com>
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
commit 6d1cff2a885850b78b40c34777b46cf5da5d1050 upstream.
We hit use after free on dereferncing pointer to task_smack struct in
smk_of_task() called from smack_task_to_inode().
task_security() macro uses task_cred_xxx() to get pointer to the task_smack.
task_cred_xxx() could be used only for non-pointer members of task's
credentials. It cannot be used for pointer members since what they point
to may disapper after dropping RCU read lock.
Mainly task_security() used this way:
smk_of_task(task_security(p))
Intead of this introduce function smk_of_task_struct() which
takes task_struct as argument and returns pointer to smk_known struct
and do this under RCU read lock.
Bogus task_security() macro is not used anymore, so remove it.
KASan's report for this:
AddressSanitizer: use after free in smack_task_to_inode+0x50/0x70 at addr c4635600
=============================================================================
BUG kmalloc-64 (Tainted: PO): kasan error
-----------------------------------------------------------------------------
Disabling lock debugging due to kernel taint
INFO: Allocated in new_task_smack+0x44/0xd8 age=39 cpu=0 pid=1866
kmem_cache_alloc_trace+0x88/0x1bc
new_task_smack+0x44/0xd8
smack_cred_prepare+0x48/0x21c
security_prepare_creds+0x44/0x4c
prepare_creds+0xdc/0x110
smack_setprocattr+0x104/0x150
security_setprocattr+0x4c/0x54
proc_pid_attr_write+0x12c/0x194
vfs_write+0x1b0/0x370
SyS_write+0x5c/0x94
ret_fast_syscall+0x0/0x48
INFO: Freed in smack_cred_free+0xc4/0xd0 age=27 cpu=0 pid=1564
kfree+0x270/0x290
smack_cred_free+0xc4/0xd0
security_cred_free+0x34/0x3c
put_cred_rcu+0x58/0xcc
rcu_process_callbacks+0x738/0x998
__do_softirq+0x264/0x4cc
do_softirq+0x94/0xf4
irq_exit+0xbc/0x120
handle_IRQ+0x104/0x134
gic_handle_irq+0x70/0xac
__irq_svc+0x44/0x78
_raw_spin_unlock+0x18/0x48
sync_inodes_sb+0x17c/0x1d8
sync_filesystem+0xac/0xfc
vdfs_file_fsync+0x90/0xc0
vfs_fsync_range+0x74/0x7c
INFO: Slab 0xd3b23f50 objects=32 used=31 fp=0xc4635600 flags=0x4080
INFO: Object 0xc4635600 @offset=5632 fp=0x (null)
Bytes b4 c46355f0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
Object c4635600: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object c4635610: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object c4635620: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object c4635630: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5 kkkkkkkkkkkkkkk.
Redzone c4635640: bb bb bb bb ....
Padding c46356e8: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
Padding c46356f8: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ
CPU: 5 PID: 834 Comm: launchpad_prelo Tainted: PBO 3.10.30 #1
Backtrace:
[<c00233a4>] (dump_backtrace+0x0/0x158) from [<c0023dec>] (show_stack+0x20/0x24)
r7:c4634010 r6:d3b23f50 r5:c4635600 r4:d1002140
[<c0023dcc>] (show_stack+0x0/0x24) from [<c06d6d7c>] (dump_stack+0x20/0x28)
[<c06d6d5c>] (dump_stack+0x0/0x28) from [<c01c1d50>] (print_trailer+0x124/0x144)
[<c01c1c2c>] (print_trailer+0x0/0x144) from [<c01c1e88>] (object_err+0x3c/0x44)
r7:c4635600 r6:d1002140 r5:d3b23f50 r4:c4635600
[<c01c1e4c>] (object_err+0x0/0x44) from [<c01cac18>] (kasan_report_error+0x2b8/0x538)
r6:d1002140 r5:d3b23f50 r4:c6429cf8 r3:c09e1aa7
[<c01ca960>] (kasan_report_error+0x0/0x538) from [<c01c9430>] (__asan_load4+0xd4/0xf8)
[<c01c935c>] (__asan_load4+0x0/0xf8) from [<c031e168>] (smack_task_to_inode+0x50/0x70)
r5:c4635600 r4:ca9da000
[<c031e118>] (smack_task_to_inode+0x0/0x70) from [<c031af64>] (security_task_to_inode+0x3c/0x44)
r5:cca25e80 r4:c0ba9780
[<c031af28>] (security_task_to_inode+0x0/0x44) from [<c023d614>] (pid_revalidate+0x124/0x178)
r6:00000000 r5:cca25e80 r4:cbabe3c0 r3:00008124
[<c023d4f0>] (pid_revalidate+0x0/0x178) from [<c01db98c>] (lookup_fast+0x35c/0x43y4)
r9:c6429efc r8:00000101 r7:c079d940 r6:c6429e90 r5:c6429ed8 r4:c83c4148
[<c01db630>] (lookup_fast+0x0/0x434) from [<c01deec8>] (do_last.isra.24+0x1c0/0x1108)
[<c01ded08>] (do_last.isra.24+0x0/0x1108) from [<c01dff04>] (path_openat.isra.25+0xf4/0x648)
[<c01dfe10>] (path_openat.isra.25+0x0/0x648) from [<c01e1458>] (do_filp_open+0x3c/0x88)
[<c01e141c>] (do_filp_open+0x0/0x88) from [<c01ccb28>] (do_sys_open+0xf0/0x198)
r7:00000001 r6:c0ea2180 r5:0000000b r4:00000000
[<c01cca38>] (do_sys_open+0x0/0x198) from [<c01ccc00>] (SyS_open+0x30/0x34)
[<c01ccbd0>] (SyS_open+0x0/0x34) from [<c001db80>] (ret_fast_syscall+0x0/0x48)
Read of size 4 by thread T834:
Memory state around the buggy address:
c4635380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
c4635400: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
c4635480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
c4635500: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
c4635580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>c4635600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
c4635680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
c4635700: 00 00 00 00 04 fc fc fc fc fc fc fc fc fc fc fc
c4635780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
c4635800: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc
c4635880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Signed-off-by: Andrey Ryabinin <a.ryabinin@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
Commit 899838b25f063a94594b1df6e0100aea1ec57fac eliminated the need
to initialize selinux_audit_data except in the slow path, when it is
handled by slow_avc_audit(). That commit removed all other initializations
of selinux_audit_data but this one remained since the binder security
hooks are not yet upstream (posted them to linux-kernel today).
Change-Id: I735e4500cde23275686cb3208068cbf8dd7bccd7
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
|
|
- add "pstore" and "debugfs" to list of in-core exceptions
- change fstype checks to boolean equation
- change from strncmp to strcmp for checking
Signed-off-by: Mark Salyzyn <salyzyn@android.com>
Bug: 18917345
Bug: 18935184
Change-Id: Ib648f30ce4b5d6c96f11465836d6fee89bec1c72
|
|
rootfs (ramfs) can support setting of security contexts
by userspace due to the vfs fallback behavior of calling
the security module to set the in-core inode state
for security.* attributes when the filesystem does not
provide an xattr handler. No xattr handler required
as the inodes are pinned in memory and have no backing
store.
This is useful in allowing early userspace to label individual
files within a rootfs while still providing a policy-defined
default via genfs.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
|
|
The COMMON_AUDIT_DATA_INIT macros have been removed, and are
now replaced with open coded ad.type initialization.
Thus, this patch updates the selinux_binder_transfer_file function
so it builds.
Change-Id: Ide41069a87638e294899768d09302f4013794e4c
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Arve Hjønnevåg <arve@android.com>
Cc: Android Kernel Team <kernel-team@android.com>
Signed-off-by: John Stultz <john.stultz@linaro.org>
|
|
Add security hooks to the binder and implement the hooks for SELinux.
The security hooks enable security modules such as SELinux to implement
controls over binder IPC. The security hooks include support for
controlling what process can become the binder context manager
(binder_set_context_mgr), controlling the ability of a process
to invoke a binder transaction/IPC to another process (binder_transaction),
controlling the ability a process to transfer a binder reference to
another process (binder_transfer_binder), and controlling the ability
of a process to transfer an open file to another process (binder_transfer_file).
This support is used by SE Android, http://selinuxproject.org/page/SEAndroid.
Change-Id: I9a64a87825df2e60b9c51400377af4a9cd1c4049
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
|
|
Commit b641072 ("security: Add AID_NET_RAW and AID_NET_ADMIN capability
check in cap_capable().") introduces additional checks for AID_NET_xxx
macros. Since the header file including those macros are conditionally
included, the checks should also be conditionally executed.
Change-Id: Iaec5208d5b95a46b1ac3f2db8449c661e803fa5b
Signed-off-by: Tushar Behera <tushar.behera@linaro.org>
Signed-off-by: Andrey Konovalov <andrey.konovalov@linaro.org>
|
|
Signed-off-by: Chia-chi Yeh <chiachi@android.com>
|
