summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta-agl-bsp/meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi/0001-Smack-File-receive-for-sockets.patch65
-rw-r--r--meta-agl-bsp/meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi/0002-smack-fix-cache-of-access-labels.patch43
-rw-r--r--meta-agl-bsp/meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi/0003-Smack-ignore-null-signal-in-smack_task_kill.patch39
-rw-r--r--meta-agl-bsp/meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi/0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch49
-rw-r--r--meta-agl-bsp/meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi_4.4.bbappend12
5 files changed, 208 insertions, 0 deletions
diff --git a/meta-agl-bsp/meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi/0001-Smack-File-receive-for-sockets.patch b/meta-agl-bsp/meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi/0001-Smack-File-receive-for-sockets.patch
new file mode 100644
index 000000000..4021e5d38
--- /dev/null
+++ b/meta-agl-bsp/meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi/0001-Smack-File-receive-for-sockets.patch
@@ -0,0 +1,65 @@
+From 2b206c36b16e72cfe41cd22448d8527359ffd962 Mon Sep 17 00:00:00 2001
+From: Casey Schaufler <casey@schaufler-ca.com>
+Date: Mon, 7 Dec 2015 14:34:32 -0800
+Subject: [PATCH 1/4] Smack: File receive for sockets
+
+The existing file receive hook checks for access on
+the file inode even for UDS. This is not right, as
+the inode is not used by Smack to make access checks
+for sockets. This change checks for an appropriate
+access relationship between the receiving (current)
+process and the socket. If the process can't write
+to the socket's send label or the socket's receive
+label can't write to the process fail.
+
+This will allow the legitimate cases, where the
+socket sender and socket receiver can freely communicate.
+Only strangly set socket labels should cause a problem.
+
+Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+---
+ security/smack/smack_lsm.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index ff81026..b20ef06 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -1860,12 +1860,34 @@ static int smack_file_receive(struct file *file)
+ int may = 0;
+ struct smk_audit_info ad;
+ struct inode *inode = file_inode(file);
++ struct socket *sock;
++ struct task_smack *tsp;
++ struct socket_smack *ssp;
+
+ if (unlikely(IS_PRIVATE(inode)))
+ return 0;
+
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
+ smk_ad_setfield_u_fs_path(&ad, file->f_path);
++
++ if (S_ISSOCK(inode->i_mode)) {
++ sock = SOCKET_I(inode);
++ ssp = sock->sk->sk_security;
++ tsp = current_security();
++ /*
++ * If the receiving process can't write to the
++ * passed socket or if the passed socket can't
++ * write to the receiving process don't accept
++ * the passed socket.
++ */
++ rc = smk_access(tsp->smk_task, ssp->smk_out, MAY_WRITE, &ad);
++ rc = smk_bu_file(file, may, rc);
++ if (rc < 0)
++ return rc;
++ rc = smk_access(ssp->smk_in, tsp->smk_task, MAY_WRITE, &ad);
++ rc = smk_bu_file(file, may, rc);
++ return rc;
++ }
+ /*
+ * This code relies on bitmasks.
+ */
+--
+2.7.4
+
diff --git a/meta-agl-bsp/meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi/0002-smack-fix-cache-of-access-labels.patch b/meta-agl-bsp/meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi/0002-smack-fix-cache-of-access-labels.patch
new file mode 100644
index 000000000..c516f3aa5
--- /dev/null
+++ b/meta-agl-bsp/meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi/0002-smack-fix-cache-of-access-labels.patch
@@ -0,0 +1,43 @@
+From 99267706991ab84bd44ceaea9a7ec886bbdd58e0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jobol@nonadev.net>
+Date: Tue, 12 Jan 2016 21:23:40 +0100
+Subject: [PATCH 2/4] smack: fix cache of access labels
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Before this commit, removing the access property of
+a file, aka, the extended attribute security.SMACK64
+was not effictive until the cache had been cleaned.
+
+This patch fixes that problem.
+
+Signed-off-by: José Bollo <jobol@nonadev.net>
+Acked-by: Casey Schaufler <casey@schaufler-ca.com>
+---
+ security/smack/smack_lsm.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index b20ef06..b2bcb14 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -1444,9 +1444,13 @@ static int smack_inode_removexattr(struct dentry *dentry, const char *name)
+ * Don't do anything special for these.
+ * XATTR_NAME_SMACKIPIN
+ * XATTR_NAME_SMACKIPOUT
+- * XATTR_NAME_SMACKEXEC
+ */
+- if (strcmp(name, XATTR_NAME_SMACK) == 0)
++ if (strcmp(name, XATTR_NAME_SMACK) == 0) {
++ struct super_block *sbp = d_backing_inode(dentry)->i_sb;
++ struct superblock_smack *sbsp = sbp->s_security;
++
++ isp->smk_inode = sbsp->smk_default;
++ } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0)
+ isp->smk_task = NULL;
+ else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0)
+ isp->smk_mmap = NULL;
+--
+2.7.4
+
diff --git a/meta-agl-bsp/meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi/0003-Smack-ignore-null-signal-in-smack_task_kill.patch b/meta-agl-bsp/meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi/0003-Smack-ignore-null-signal-in-smack_task_kill.patch
new file mode 100644
index 000000000..c9180bb9f
--- /dev/null
+++ b/meta-agl-bsp/meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi/0003-Smack-ignore-null-signal-in-smack_task_kill.patch
@@ -0,0 +1,39 @@
+From ec4eb03af07b0fbc330aecca6ac4ebd6accd8825 Mon Sep 17 00:00:00 2001
+From: Rafal Krypa <r.krypa@samsung.com>
+Date: Mon, 4 Apr 2016 11:14:53 +0200
+Subject: [PATCH 3/4] Smack: ignore null signal in smack_task_kill
+
+Kill with signal number 0 is commonly used for checking PID existence.
+Smack treated such cases like any other kills, although no signal is
+actually delivered when sig == 0.
+
+Checking permissions when sig == 0 didn't prevent an unprivileged caller
+from learning whether PID exists or not. When it existed, kernel returned
+EPERM, when it didn't - ESRCH. The only effect of policy check in such
+case is noise in audit logs.
+
+This change lets Smack silently ignore kill() invocations with sig == 0.
+
+Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
+Acked-by: Casey Schaufler <casey@schaufler-ca.com>
+---
+ security/smack/smack_lsm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index b2bcb14..cf8a93f 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -2239,6 +2239,9 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info,
+ struct smack_known *tkp = smk_of_task_struct(p);
+ int rc;
+
++ if (!sig)
++ return 0; /* null signal; existence test */
++
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
+ smk_ad_setfield_u_tsk(&ad, p);
+ /*
+--
+2.7.4
+
diff --git a/meta-agl-bsp/meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi/0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch b/meta-agl-bsp/meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi/0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch
new file mode 100644
index 000000000..a1eeac3d7
--- /dev/null
+++ b/meta-agl-bsp/meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi/0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch
@@ -0,0 +1,49 @@
+From c8bbb0f916de54610513e376070aea531af19dd6 Mon Sep 17 00:00:00 2001
+From: jooseong lee <jooseong.lee@samsung.com>
+Date: Thu, 3 Nov 2016 10:55:43 +0100
+Subject: [PATCH 4/4] Smack: Assign smack_known_web label for kernel thread's
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Assign smack_known_web label for kernel thread's socket in the sk_alloc_security hook
+
+Creating struct sock by sk_alloc function in various kernel subsystems
+like bluetooth dosen't call smack_socket_post_create(). In such case,
+received sock label is the floor('_') label and makes access deny.
+
+Refers-to: https://review.tizen.org/gerrit/#/c/80717/4
+
+Change-Id: I2e5c9359bfede84a988fd4d4d74cdb9dfdfc52d8
+Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
+Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+---
+ security/smack/smack_lsm.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index cf8a93f..21651bc 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -2321,8 +2321,16 @@ static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags)
+ if (ssp == NULL)
+ return -ENOMEM;
+
+- ssp->smk_in = skp;
+- ssp->smk_out = skp;
++ /*
++ * Sockets created by kernel threads receive web label.
++ */
++ if (unlikely(current->flags & PF_KTHREAD)) {
++ ssp->smk_in = &smack_known_web;
++ ssp->smk_out = &smack_known_web;
++ } else {
++ ssp->smk_in = skp;
++ ssp->smk_out = skp;
++ }
+ ssp->smk_packet = NULL;
+
+ sk->sk_security = ssp;
+--
+2.7.4
+
diff --git a/meta-agl-bsp/meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi_4.4.bbappend b/meta-agl-bsp/meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi_4.4.bbappend
index e5cdb2aff..a2b2a42f2 100644
--- a/meta-agl-bsp/meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi_4.4.bbappend
+++ b/meta-agl-bsp/meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi_4.4.bbappend
@@ -8,6 +8,18 @@ SRC_URI_append = "\
${@base_conditional('USE_FAYTECH_MONITOR', '1', 'file://0002-faytech-fix-rpi.patch', '', d)} \
"
+#-------------------------------------------------------------------------
+# smack patches for handling bluetooth
+
+SRC_URI_append_smack = "\
+ file://0001-Smack-File-receive-for-sockets.patch \
+ file://0002-smack-fix-cache-of-access-labels.patch \
+ file://0003-Smack-ignore-null-signal-in-smack_task_kill.patch \
+ file://0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch \
+"
+
+
+
do_configure_append_smack() {
# SMACK and Co
kernel_configure_variable IP_NF_SECURITY m