Re: Login broken with old userspace (was Re: [PATCH v2] selinux: introduce an initial SID for early boot processes)

2023-08-01 Thread Ondrej Mosnacek
On Fri, Jul 28, 2023 at 5:12 PM Paul Moore wrote: > > On Fri, Jul 28, 2023 at 9:24 AM Christian Göttsche > wrote: > > > > On Fri, 28 Jul 2023 at 15:14, Ondrej Mosnacek wrote: > > > > > > On Fri, Jul 28, 2023 at 1:52 PM Stephen Smalley > > >

Re: Login broken with old userspace (was Re: [PATCH v2] selinux: introduce an initial SID for early boot processes)

2023-07-28 Thread Ondrej Mosnacek
On Fri, Jul 28, 2023 at 1:52 PM Stephen Smalley wrote: > > On Fri, Jul 28, 2023 at 7:36 AM Ondrej Mosnacek wrote: > > > > On Fri, Jul 28, 2023 at 4:12 AM Michael Ellerman > > wrote: > > > > > > Ondrej Mosnacek writes: > > > > Currentl

Re: Login broken with old userspace (was Re: [PATCH v2] selinux: introduce an initial SID for early boot processes)

2023-07-28 Thread Ondrej Mosnacek
On Fri, Jul 28, 2023 at 4:12 AM Michael Ellerman wrote: > > Ondrej Mosnacek writes: > > Currently, SELinux doesn't allow distinguishing between kernel threads > > and userspace processes that are started before the policy is first > > loaded - both get the label co

Re: [PATCH v4] lockdown,selinux: fix wrong subject in some SELinux lockdown checks

2021-09-15 Thread Ondrej Mosnacek
On Thu, Sep 16, 2021 at 4:59 AM Paul Moore wrote: > On Mon, Sep 13, 2021 at 5:05 PM Paul Moore wrote: > > > > On Mon, Sep 13, 2021 at 10:02 AM Ondrej Mosnacek > > wrote: > > > > > > Commit 59438b46471a ("security,lockdown,selinux: implement SELinux

[PATCH v4] lockdown, selinux: fix wrong subject in some SELinux lockdown checks

2021-09-13 Thread Ondrej Mosnacek
lert" denials with SELinux. Thus, let's pass NULL instead of current_cred() here faute de mieux. Improvements-suggested-by: Casey Schaufler Improvements-suggested-by: Paul Moore Fixes: 59438b46471a ("security,lockdown,selinux: implement SELinux lockdown") Acked-by:

Re: [PATCH v3] lockdown,selinux: fix wrong subject in some SELinux lockdown checks

2021-08-31 Thread Ondrej Mosnacek
On Sat, Jun 19, 2021 at 12:18 AM Dan Williams wrote: > On Wed, Jun 16, 2021 at 1:51 AM Ondrej Mosnacek wrote: > > > > Commit 59438b46471a ("security,lockdown,selinux: implement SELinux > > lockdown") added an implementation of the locked_down LSM hook to > &

Re: [PATCH v3] lockdown,selinux: fix wrong subject in some SELinux lockdown checks

2021-08-31 Thread Ondrej Mosnacek
On Fri, Jun 18, 2021 at 5:40 AM Paul Moore wrote: > On Wed, Jun 16, 2021 at 4:51 AM Ondrej Mosnacek wrote: > > > > Commit 59438b46471a ("security,lockdown,selinux: implement SELinux > > lockdown") added an implementation of the locked_down LSM hook to > > SE

[PATCH v3] lockdown, selinux: fix wrong subject in some SELinux lockdown checks

2021-06-16 Thread Ondrej Mosnacek
lert" denials with SELinux. Thus, let's pass NULL instead of current_cred() here faute de mieux. Improvements-suggested-by: Casey Schaufler Improvements-suggested-by: Paul Moore Fixes: 59438b46471a ("security,lockdown,selinux: implement SELinux lockdown") Signed-of

Re: [PATCH v2] lockdown,selinux: avoid bogus SELinux lockdown permission checks

2021-06-08 Thread Ondrej Mosnacek
On Thu, Jun 3, 2021 at 7:46 PM Paul Moore wrote: > On Wed, Jun 2, 2021 at 9:40 AM Ondrej Mosnacek wrote: > > On Fri, May 28, 2021 at 3:37 AM Paul Moore wrote: [...] > > > I know you and Casey went back and forth on this in v1, but I agree > > > with Casey that hav

Re: [PATCH v2] lockdown,selinux: avoid bogus SELinux lockdown permission checks

2021-06-02 Thread Ondrej Mosnacek
On Fri, May 28, 2021 at 3:37 AM Paul Moore wrote: > On Mon, May 17, 2021 at 5:22 AM Ondrej Mosnacek wrote: > > > > Commit 59438b46471a ("security,lockdown,selinux: implement SELinux > > lockdown") added an implementation of the locked_down LSM hook to > > SE

Re: [PATCH v2] lockdown,selinux: avoid bogus SELinux lockdown permission checks

2021-05-28 Thread Ondrej Mosnacek
1 3:37 AM, Paul Moore wrote: > >> On Mon, May 17, 2021 at 5:22 AM Ondrej Mosnacek > >> wrote: > >>> > >>> Commit 59438b46471a ("security,lockdown,selinux: implement SELinux > >>> lockdown") added an implementation of the locked_do

Re: [PATCH v2] lockdown,selinux: avoid bogus SELinux lockdown permission checks

2021-05-26 Thread Ondrej Mosnacek
On Mon, May 17, 2021 at 1:00 PM Michael Ellerman wrote: > Ondrej Mosnacek writes: > > Commit 59438b46471a ("security,lockdown,selinux: implement SELinux > > lockdown") added an implementation of the locked_down LSM hook to > > SELinux, with the aim to restri

[PATCH v2] lockdown, selinux: avoid bogus SELinux lockdown permission checks

2021-05-17 Thread Ondrej Mosnacek
't care about the actual key value, so the check could generate a lot of noise. Improvements-suggested-by: Casey Schaufler Fixes: 59438b46471a ("security,lockdown,selinux: implement SELinux lockdown") Signed-off-by: Ondrej Mosnacek --- v2: - change to a single hook

Re: [PATCH] lockdown, selinux: fix bogus SELinux lockdown permission checks

2021-05-17 Thread Ondrej Mosnacek
On Sat, May 15, 2021 at 2:57 AM Casey Schaufler wrote: > On 5/14/2021 8:12 AM, Ondrej Mosnacek wrote: > > On Wed, May 12, 2021 at 7:12 PM Casey Schaufler > > wrote: > >> On 5/12/2021 9:44 AM, Ondrej Mosnacek wrote: > >>> On Wed, May 12, 2021 at 6:18 PM Casey

Re: [PATCH] lockdown, selinux: fix bogus SELinux lockdown permission checks

2021-05-14 Thread Ondrej Mosnacek
On Wed, May 12, 2021 at 7:12 PM Casey Schaufler wrote: > > On 5/12/2021 9:44 AM, Ondrej Mosnacek wrote: > > On Wed, May 12, 2021 at 6:18 PM Casey Schaufler > > wrote: > >> On 5/12/2021 6:21 AM, Ondrej Mosnacek wrote: > >>> On Sat, May 8, 2021 at 12:17 AM C

Re: [PATCH] lockdown, selinux: fix bogus SELinux lockdown permission checks

2021-05-12 Thread Ondrej Mosnacek
On Wed, May 12, 2021 at 6:18 PM Casey Schaufler wrote: > On 5/12/2021 6:21 AM, Ondrej Mosnacek wrote: > > On Sat, May 8, 2021 at 12:17 AM Casey Schaufler > > wrote: > >> On 5/7/2021 4:40 AM, Ondrej Mosnacek wrote: > >>> Commit 59438b46471a ("sec

Re: [PATCH] lockdown, selinux: fix bogus SELinux lockdown permission checks

2021-05-12 Thread Ondrej Mosnacek
On Sat, May 8, 2021 at 12:17 AM Casey Schaufler wrote: > On 5/7/2021 4:40 AM, Ondrej Mosnacek wrote: > > Commit 59438b46471a ("security,lockdown,selinux: implement SELinux > > lockdown") added an implementation of the locked_down LSM hook to > > SELinux, with the ai

[PATCH] lockdown, selinux: fix bogus SELinux lockdown permission checks

2021-05-07 Thread Ondrej Mosnacek
the eventual leak can be circumvented anyway via b), plus there is no way for the task to indicate that it doesn't care about the actual key value, so the check could generate a lot of noise. Fixes: 59438b46471a ("security,lockdown,selinux: implement SELinux lockdo

Re: [PATCH] powerpc/perf: Fix handling of privilege level checks in perf interrupt context

2021-02-23 Thread Ondrej Mosnacek
ctly from interrupt context. > +*/ > + event->pmu_private = (void *)(long)(perf_allow_kernel(&event->attr) > == 0); I don't think you need this. Unless I'm missing something, you can simply use "event->attr.exclude_kernel" in place of "!event_allow_kernel(event)". If it is set, then there must have been a successful perf_allow_kernel() check in perf_event_open(2) before the event was created. power_pmu_event_init() would be called shortly after via perf_event_alloc() -> perf_init_event(), so I don't think this additional check would add much value. > + > event->hw.config = events[n]; > event->hw.event_base = cflags[n]; > event->hw.last_period = event->hw.sample_period; > -- > 1.8.3.1 > -- Ondrej Mosnacek Software Engineer, Linux Security - SELinux kernel Red Hat, Inc.
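Review bot: The added line `event->pmu_private = (void *)(long)(perf_allow_kernel(&event->attr) == 0);` stores a boolean in a pointer field through a double cast, which is hard to read and hides what the field now means; as the reply notes, the same information is already available in `event->attr.exclude_kernel`, since perf_event_open(2) only creates the event after a successful perf_allow_kernel() check and power_pmu_event_init() runs shortly after via perf_event_alloc() -> perf_init_event(). Suggest dropping the cached flag and this assignment and testing `event->attr.exclude_kernel` directly where `!event_allow_kernel(event)` is used in the interrupt-context path.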

Re: [PATCH 4.4.y] crypto: vmx - Fix sleep-in-atomic bugs

2018-09-10 Thread Ondrej Mosnacek
On Mon, Sep 10, 2018 at 9:42 AM Ondrej Mosnacek wrote: > commit 0522236d4f9c5ab2e79889cb020d1acbe5da416e upstream. > > Conflicts: > drivers/crypto/vmx/ > aes_cbc.c - adapted enable/disable calls to v4.4 state > aes_xts.c - did not exist yet in v4.4 > > This pat

[PATCH 4.4.y] crypto: vmx - Fix sleep-in-atomic bugs

2018-09-10 Thread Ondrej Mosnacek
] __sys_recvmsg+0x68/0xe0 [ 891.866631] [c00338757e30] [c000bbe4] system_call+0x5c/0x70 Fixes: 8c755ace357c ("crypto: vmx - Adding CBC routines for VMX module") Fixes: c07f5d3da643 ("crypto: vmx - Adding support for XTS") Cc: sta...@vger.kernel.org Signed-off-by: On

Re: [PATCH v2] crypto: vmx - Fix sleep-in-atomic bugs

2018-08-24 Thread Ondrej Mosnacek
egards, > >> Marcelo > >> > >> On Wed, Aug 22, 2018 at 08:26:31AM +0200, Ondrej Mosnacek wrote: > >>> This patch fixes sleep-in-atomic bugs in AES-CBC and AES-XTS VMX > >>> implementations. The problem is that the blkcipher_* functions should > &

[PATCH v2] crypto: vmx - Fix sleep-in-atomic bugs

2018-08-22 Thread Ondrej Mosnacek
es: c07f5d3da643 ("crypto: vmx - Adding support for XTS") Cc: sta...@vger.kernel.org Signed-off-by: Ondrej Mosnacek --- Still untested, please test and review if possible. Changes in v2: - fix leaving preemption, etc. disabled when leaving the function (I switched to the more obvious and