[GIT PULL] security subsystem changes for v5.1
From: James Morris
Date: Tue Mar 05 2019 - 13:57:09 EST
Please pull these changes for the security subsystem.
Summary:
- Extend LSM stacking to allow sharing of cred, file, ipc, inode, and task
blobs. This paves the way for more full-featured LSMs to be merged, and is
specifically aimed at LandLock and SARA LSMs. This work is from Casey and
Kees.
- There's a new LSM from Micah Morton: "SafeSetID gates the setid family
of syscalls to restrict UID/GID transitions from a given UID/GID to only
those approved by a system-wide whitelist." This feature is currently
shipping in ChromeOS.
---
The following changes since commit 49a57857aeea06ca831043acbb0fa5e0f50602fd:
Linux 5.0-rc3 (2019-01-21 13:14:44 +1300)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next-general
for you to fetch changes up to 468e91cecb3218afd684b8c422490dfebe0691bb:
keys: fix missing __user in KEYCTL_PKEY_QUERY (2019-03-04 15:48:37 -0800)
----------------------------------------------------------------
Ben Dooks (1):
keys: fix missing __user in KEYCTL_PKEY_QUERY
Casey Schaufler (19):
LSM: Add all exclusive LSMs to ordered initialization
procfs: add smack subdir to attrs
Smack: Abstract use of cred security blob
SELinux: Abstract use of cred security blob
SELinux: Remove cred security blob poisoning
SELinux: Remove unused selinux_is_enabled
AppArmor: Abstract use of cred security blob
TOMOYO: Abstract use of cred security blob
Infrastructure management of the cred security blob
SELinux: Abstract use of file security blob
Smack: Abstract use of file security blob
LSM: Infrastructure management of the file security
SELinux: Abstract use of inode security blob
Smack: Abstract use of inode security blob
LSM: Infrastructure management of the inode security
LSM: Infrastructure management of the task security
SELinux: Abstract use of ipc security blobs
Smack: Abstract use of ipc security blobs
LSM: Infrastructure management of the ipc security blob
Gustavo A. R. Silva (1):
security: mark expected switch fall-throughs and add a missing break
James Morris (3):
Merge tag 'v5.0-rc1' into next-general
Merge tag 'blob-stacking-security-next' of https://git.kernel.org/.../kees/linux into next-general
Merge tag 'v5.0-rc3' into next-general
Kees Cook (20):
LSM: Introduce LSM_FLAG_LEGACY_MAJOR
LSM: Provide separate ordered initialization
LSM: Plumb visibility into optional "enabled" state
LSM: Lift LSM selection out of individual LSMs
LSM: Build ordered list of LSMs to initialize
LSM: Introduce CONFIG_LSM
LSM: Introduce "lsm=" for boottime LSM selection
LSM: Tie enabling logic to presence in ordered list
LSM: Prepare for reorganizing "security=" logic
LSM: Refactor "security=" in terms of enable/disable
LSM: Separate idea of "major" LSM from "exclusive" LSM
apparmor: Remove SECURITY_APPARMOR_BOOTPARAM_VALUE
selinux: Remove SECURITY_SELINUX_BOOTPARAM_VALUE
LSM: Split LSM preparation from initialization
LoadPin: Initialize as ordered LSM
Yama: Initialize as ordered LSM
LSM: Introduce enum lsm_order
capability: Initialize as LSM_ORDER_FIRST
TOMOYO: Update LSM flags to no longer be exclusive
LSM: Ignore "security=" when "lsm=" is specified
Mathieu Malaterre (4):
capabilities:: annotate implicit fall through
security: keys: annotate implicit fall through
security: keys: annotate implicit fall throughs
security: keys: annotate implicit fall throughs
Micah Morton (8):
LSM: generalize flag passing to security_capable
LSM: add SafeSetID module that gates setid calls
LSM: add SafeSetID module that gates setid calls
LSM: Add 'name' field for SafeSetID in DEFINE_LSM
LSM: SafeSetID: 'depend' on CONFIG_SECURITY
LSM: SafeSetID: remove unused include
LSM: SafeSetID: add selftest
LSM: Update function documentation for cap_capable
Petr Vorel (1):
LSM: Update list of SECURITYFS users in Kconfig
Tetsuo Handa (6):
LSM: Make lsm_early_cred() and lsm_early_task() local functions.
apparmor: Adjust offset when accessing task blob.
tomoyo: Swicth from cred->security to task_struct->security.
tomoyo: Coding style fix.
tomoyo: Allow multiple use_group lines.
tomoyo: Bump version.
Wei Yongjun (2):
LSM: Make some functions static
LSM: fix return value check in safesetid_init_securityfs()
Documentation/admin-guide/LSM/SafeSetID.rst | 107 ++++
Documentation/admin-guide/LSM/index.rst | 14 +-
Documentation/admin-guide/kernel-parameters.txt | 12 +-
MAINTAINERS | 11 +-
fs/proc/base.c | 64 +-
fs/proc/internal.h | 1 +
include/linux/capability.h | 5 +
include/linux/cred.h | 1 -
include/linux/lsm_hooks.h | 45 +-
include/linux/security.h | 43 +-
include/linux/selinux.h | 35 --
kernel/capability.c | 45 +-
kernel/cred.c | 13 -
kernel/seccomp.c | 4 +-
kernel/sys.c | 10 +-
security/Kconfig | 45 +-
security/Makefile | 2 +
security/apparmor/Kconfig | 16 -
security/apparmor/capability.c | 14 +-
security/apparmor/domain.c | 4 +-
security/apparmor/include/capability.h | 2 +-
security/apparmor/include/cred.h | 16 +-
security/apparmor/include/file.h | 5 +-
security/apparmor/include/lib.h | 4 +
security/apparmor/include/task.h | 18 +-
security/apparmor/ipc.c | 3 +-
security/apparmor/lsm.c | 67 +--
security/apparmor/resource.c | 2 +-
security/apparmor/task.c | 6 +-
security/commoncap.c | 28 +-
security/integrity/ima/ima_appraise.c | 1 +
security/integrity/ima/ima_policy.c | 4 +
security/integrity/ima/ima_template_lib.c | 1 +
security/keys/keyctl.c | 2 +-
security/keys/keyring.c | 1 +
security/keys/process_keys.c | 3 +
security/keys/request_key.c | 4 +
security/loadpin/loadpin.c | 8 +-
security/safesetid/Kconfig | 14 +
security/safesetid/Makefile | 7 +
security/safesetid/lsm.c | 277 +++++++++
security/safesetid/lsm.h | 33 ++
security/safesetid/securityfs.c | 193 ++++++
security/security.c | 648 ++++++++++++++++++---
security/selinux/Kconfig | 15 -
security/selinux/Makefile | 2 +-
security/selinux/exports.c | 23 -
security/selinux/hooks.c | 362 +++---------
security/selinux/include/audit.h | 3 -
security/selinux/include/objsec.h | 38 +-
security/selinux/selinuxfs.c | 4 +-
security/selinux/ss/services.c | 1 -
security/selinux/xfrm.c | 4 +-
security/smack/smack.h | 44 +-
security/smack/smack_access.c | 6 +-
security/smack/smack_lsm.c | 317 ++++------
security/smack/smackfs.c | 18 +-
security/tomoyo/audit.c | 31 +-
security/tomoyo/common.c | 199 +++++--
security/tomoyo/common.h | 51 +-
security/tomoyo/condition.c | 59 +-
security/tomoyo/domain.c | 76 ++-
security/tomoyo/file.c | 20 +
security/tomoyo/gc.c | 19 +
security/tomoyo/group.c | 5 +
security/tomoyo/load_policy.c | 8 +-
security/tomoyo/memory.c | 9 +-
security/tomoyo/mount.c | 2 +
security/tomoyo/realpath.c | 18 +-
security/tomoyo/securityfs_if.c | 30 +-
security/tomoyo/tomoyo.c | 160 +++--
security/tomoyo/util.c | 23 +-
security/yama/yama_lsm.c | 8 +-
tools/testing/selftests/safesetid/.gitignore | 1 +
tools/testing/selftests/safesetid/Makefile | 8 +
tools/testing/selftests/safesetid/config | 2 +
tools/testing/selftests/safesetid/safesetid-test.c | 334 +++++++++++
.../testing/selftests/safesetid/safesetid-test.sh | 26 +
78 files changed, 2674 insertions(+), 1090 deletions(-)
create mode 100644 Documentation/admin-guide/LSM/SafeSetID.rst
delete mode 100644 include/linux/selinux.h
create mode 100644 security/safesetid/Kconfig
create mode 100644 security/safesetid/Makefile
create mode 100644 security/safesetid/lsm.c
create mode 100644 security/safesetid/lsm.h
create mode 100644 security/safesetid/securityfs.c
delete mode 100644 security/selinux/exports.c
create mode 100644 tools/testing/selftests/safesetid/.gitignore
create mode 100644 tools/testing/selftests/safesetid/Makefile
create mode 100644 tools/testing/selftests/safesetid/config
create mode 100644 tools/testing/selftests/safesetid/safesetid-test.c
create mode 100755 tools/testing/selftests/safesetid/safesetid-test.sh