WSL2-Linux-Kernel

The source for the Linux kernel used in Windows Subsystem for Linux 2 (WSL2)

Перейти к файлу

Stephen Smalley af63f4193f selinux: Generalize support for NNP/nosuid SELinux domain transitions As systemd ramps up enabling NNP (NoNewPrivileges) for system services, it is increasingly breaking SELinux domain transitions for those services and their descendants. systemd enables NNP not only for services whose unit files explicitly specify NoNewPrivileges=yes but also for services whose unit files specify any of the following options in combination with running without CAP_SYS_ADMIN (e.g. specifying User= or a CapabilityBoundingSet= without CAP_SYS_ADMIN): SystemCallFilter=, SystemCallArchitectures=, RestrictAddressFamilies=, RestrictNamespaces=, PrivateDevices=, ProtectKernelTunables=, ProtectKernelModules=, MemoryDenyWriteExecute=, or RestrictRealtime= as per the systemd.exec(5) man page. The end result is bad for the security of both SELinux-disabled and SELinux-enabled systems. Packagers have to turn off these options in the unit files to preserve SELinux domain transitions. For users who choose to disable SELinux, this means that they miss out on at least having the systemd-supported protections. For users who keep SELinux enabled, they may still be missing out on some protections because it isn't necessarily guaranteed that the SELinux policy for that service provides the same protections in all cases. commit `7b0d0b40cd` ("selinux: Permit bounded transitions under NO_NEW_PRIVS or NOSUID.") allowed bounded transitions under NNP in order to support limited usage for sandboxing programs. However, defining typebounds for all of the affected service domains is impractical to implement in policy, since typebounds requires us to ensure that each domain is allowed everything all of its descendant domains are allowed, and this has to be repeated for the entire chain of domain transitions. There is no way to clone all allow rules from descendants to their ancestors in policy currently, and doing so would be undesirable even if it were practical, as it requires leaking permissions to objects and operations into ancestor domains that could weaken their own security in order to allow them to the descendants (e.g. if a descendant requires execmem permission, then so do all of its ancestors; if a descendant requires execute permission to a file, then so do all of its ancestors; if a descendant requires read to a symbolic link or temporary file, then so do all of its ancestors...). SELinux domains are intentionally not hierarchical / bounded in this manner normally, and making them so would undermine their protections and least privilege. We have long had a similar tension with SELinux transitions and nosuid mounts, albeit not as severe. Users often have had to choose between retaining nosuid on a mount and allowing SELinux domain transitions on files within those mounts. This likewise leads to unfortunate tradeoffs in security. Decouple NNP/nosuid from SELinux transitions, so that we don't have to make a choice between them. Introduce a nnp_nosuid_transition policy capability that enables transitions under NNP/nosuid to be based on a permission (nnp_transition for NNP; nosuid_transition for nosuid) between the old and new contexts in addition to the current support for bounded transitions. Domain transitions can then be allowed in policy without requiring the parent to be a strict superset of all of its children. With this change, systemd unit files can be left unmodified from upstream. SELinux-disabled and SELinux-enabled users will benefit from retaining any of the systemd-provided protections. SELinux policy will only need to be adapted to enable the new policy capability and to allow the new permissions between domain pairs as appropriate. NB: Allowing nnp_transition between two contexts opens up the potential for the old context to subvert the new context by installing seccomp filters before the execve. Allowing nosuid_transition between two contexts opens up the potential for a context transition to occur on a file from an untrusted filesystem (e.g. removable media or remote filesystem). Use with care. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <paul@paul-moore.com>		2017-08-02 16:36:04 -04:00
Documentation	tomoyo: Update URLs in Documentation/admin-guide/LSM/tomoyo.rst	2017-07-25 11:00:26 +10:00
arch	xen/x86: fix cpu hotplug	2017-07-23 08:13:11 +02:00
block	bfq: dispatch request to prevent queue stalling after the request completion	2017-07-12 08:32:04 -06:00
certs	modsign: add markers to endif-statements in certs/Makefile	2017-07-14 11:01:37 +10:00
crypto	Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6	2017-07-14 22:49:50 -07:00
drivers	xen/balloon: don't online new memory initially	2017-07-23 08:13:18 +02:00
firmware	firmware/Makefile: force recompilation if makefile changes	2017-05-08 17:15:10 -07:00
fs	NFS client bugfixes for 4.13	2017-07-21 16:26:01 -07:00
include	sync to Linus v4.13-rc2 for subsystem developers to work against	2017-07-25 10:44:18 +10:00
init	random: do not ignore early device randomness	2017-07-12 16:26:00 -07:00
ipc	ipc/util.h: update documentation for ipc_getref() and ipc_putref()	2017-07-12 16:26:02 -07:00
kernel	sync to Linus v4.13-rc2 for subsystem developers to work against	2017-07-25 10:44:18 +10:00
lib	Add wait_for_random_bytes() and get_random_*_wait() functions so that	2017-07-15 12:44:02 -07:00
mm	Merge branch 'work.mount' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2017-07-15 12:00:42 -07:00
net	NFS client bugfixes for 4.13	2017-07-21 16:26:01 -07:00
samples	Merge branch 'akpm' (patches from Andrew)	2017-07-13 12:38:49 -07:00
scripts	selinux: genheaders should fail if too many permissions are defined	2017-07-31 19:03:02 -04:00
security	selinux: Generalize support for NNP/nosuid SELinux domain transitions	2017-08-02 16:36:04 -04:00
sound	sound fixes for 4.13-rc1	2017-07-14 12:44:00 -07:00
tools	Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip	2017-07-21 11:12:48 -07:00
usr	ramfs: clarify help text that compression applies to ramfs as well as legacy ramdisk.	2017-07-06 16:24:30 -07:00
virt	Second batch of KVM updates for v4.13	2017-07-15 10:18:16 -07:00
.cocciconfig	scripts: add Linux .cocciconfig for coccinelle	2016-07-22 12:13:39 +02:00
.get_maintainer.ignore	Add hch to .get_maintainer.ignore	2015-08-21 14:30:10 -07:00
.gitattributes	.gitattributes: set git diff driver for C source code files	2016-10-07 18:46:30 -07:00
.gitignore	kbuild: Add support to generate LLVM assembly files	2017-04-25 08:13:52 +09:00
.mailmap	power supply and reset changes for the v4.12 series (part 2)	2017-05-12 12:02:21 -07:00
COPYING	…
CREDITS	credits: update Paul Moore's info	2017-07-25 15:13:41 -04:00
Kbuild	kbuild: Consolidate header generation from ASM offset information	2017-04-13 05:43:37 +09:00
Kconfig	…
MAINTAINERS	selinux: update the selinux info in MAINTAINERS	2017-07-28 16:47:18 -04:00
Makefile	Linux 4.13-rc2	2017-07-23 16:15:17 -07:00
README	README: add a new README file, pointing to the Documentation/	2016-10-24 08:12:35 -02:00

README

Linux kernel
============

This file was moved to Documentation/admin-guide/README.rst

Please notice that there are several guides for kernel developers and users.
These guides can be rendered in a number of formats, like HTML and PDF.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.
See Documentation/00-INDEX for a list of what is contained in each file.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.