Subject: [PATCH v4 04/19] SELinux: Remove cred security blob poisoning
To: LSM, James Morris, SE Linux, LKLM, John Johansen, Kees Cook, Tetsuo Handa, Paul Moore, Stephen Smalley, linux-fsdevel@vger.kernel.org, Alexey Dobriyan, Mickaël Salaün, Salvatore Mesoraca
From: Casey Schaufler
Date: Fri, 21 Sep 2018 17:17:25 -0700
List: linux-kernel@vger.kernel.org

The SELinux specific credential poisoning only makes sense if SELinux is managing the credentials. As the intent of this patch set is to move the blob management out of the modules and into the infrastructure, the SELinux specific code has to go. The poisoning could be introduced into the infrastructure at some later date.

Signed-off-by: Casey Schaufler
---
 kernel/cred.c            | 13 -------------
 security/selinux/hooks.c |  6 ------
 2 files changed, 19 deletions(-)

diff --git a/kernel/cred.c b/kernel/cred.c index ecf03657e71c..fa2061ee4955 100644 --- a/kernel/cred.c +++ b/kernel/cred.c @@ -704,19 +704,6 @@ bool creds_are_invalid(const struct cred *cred) { if (cred->magic != CRED_MAGIC) return true; -#ifdef CONFIG_SECURITY_SELINUX - /* - * cred->security == NULL if security_cred_alloc_blank() or - * security_prepare_creds() returned an error. - */ - if (selinux_is_enabled() && cred->security) { - if ((unsigned long) cred->security < PAGE_SIZE) - return true; - if ((*(u32 *)cred->security & 0xffffff00) == - (POISON_FREE << 24 | POISON_FREE << 16 | POISON_FREE << 8)) - return true; - } -#endif return false; } EXPORT_SYMBOL(creds_are_invalid); diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 9d6cdd21acb6..80614ca25a2b 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c 
@@ -3920,12 +3920,6 @@ static void selinux_cred_free(struct cred *cred) { struct task_security_struct *tsec = selinux_cred(cred); - /* - * cred->security == NULL if security_cred_alloc_blank() or - * security_prepare_creds() returned an error. - */ - BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE); - cred->security = (void *) 0x7UL; kfree(tsec); } -- 2.17.1
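Review bot: in the kernel/cred.c hunk, once the CONFIG_SECURITY_SELINUX block is gone creds_are_invalid() reduces to the cred->magic test, so a cred whose security blob was already freed (pointer poisoned to a value below PAGE_SIZE, or slab memory carrying the POISON_FREE byte pattern) is no longer reported. That matches the stated intent, but the commit message only says poisoning "could be introduced into the infrastructure at some later date"; it should state plainly that this detection is lost in the meantime, and the natural follow-up is an equivalent check in the common LSM code that owns the blob, with no selinux_is_enabled() dependency. The removed block was also the only SELinux call in this function, so check whether the header that provided selinux_is_enabled() is still needed by kernel/cred.c.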
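Review bot: in the security/selinux/hooks.c hunk, dropping both the BUG_ON() and the `cred->security = (void *) 0x7UL;` poison leaves cred->security dangling after kfree(tsec), so a second selinux_cred_free() on the same cred would hand the freed pointer straight to kfree() with nothing left to trip on, and the sanity check that previously caught a pointer below PAGE_SIZE before the free is gone as well. If the infrastructure is to own the blob lifetime, it should clear or poison cred->security after calling this hook; until that lands, either note the lost double-free detection in the commit message or have this hook set cred->security = NULL after the kfree().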