)]}' { "log": [ { "commit": "82b88bb24e28dd4fb4bec30e75412f41326130f0", "tree": "61b1d0eb6ae6059e879571517a0f36bcffdabf34", "parents": [ "60b8b1de0dd2bf246f0e074d287bb3f0bc42a755", "ded509880f6a0213b09f8ae7bef84acb16eaccbf" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jun 15 09:41:48 2011 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed Jun 15 09:41:48 2011 +1000" }, "message": "Merge branch \u0027for-linus\u0027 of git://git.infradead.org/users/eparis/selinux into for-linus\n" }, { "commit": "ded509880f6a0213b09f8ae7bef84acb16eaccbf", "tree": "ac8819a1b23a13b0f04ca34ab2983040c9d66e99", "parents": [ "0f7e4c33eb2c40b1e9cc24d2eab6de5921bc619c" ], "author": { "name": "Roy.Li", "email": "rongqing.li@windriver.com", "time": "Fri May 20 10:38:06 2011 +0800" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Jun 14 12:58:51 2011 -0400" }, "message": "SELinux: skip file_name_trans_write() when policy downgraded.\n\nWhen policy version is less than POLICYDB_VERSION_FILENAME_TRANS,\nskip file_name_trans_write().\n\nSigned-off-by: Roy.Li \u003crongqing.li@windriver.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "95f4efb2d78661065aaf0be57f5bf00e4d2aea1d", "tree": "e344402e6428194515a0550ef30cf7cb8eeb0fdf", "parents": [ "4c1f683a4a343808536a5617ede85dfc34430472" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Jun 08 15:11:56 2011 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Jun 08 15:11:56 2011 -0700" }, "message": "selinux: simplify and clean up inode_has_perm()\n\nThis is a rather hot function that is called with a potentially NULL\n\"struct common_audit_data\" pointer argument. And in that case it has to\nprovide and initialize its own dummy common_audit_data structure.\n\nHowever, all the _common_ cases already pass it a real audit-data\nstructure, so that uncommon NULL case not only creates a silly run-time\ntest, more importantly it causes that function to have a big stack frame\nfor the dummy variable that isn\u0027t even used in the common case!\n\nSo get rid of that stupid run-time behavior, and make the (few)\nfunctions that currently call with a NULL pointer just call a new helper\nfunction instead (naturally called inode_has_perm_noapd(), since it has\nno adp argument).\n\nThis makes the run-time test be a static code generation issue instead,\nand allows for a much denser stack since none of the common callers need\nthe dummy structure. And a denser stack not only means less stack space\nusage, it means better cache behavior. So we have a win-win-win from\nthis simplification: less code executed, smaller stack footprint, and\nbetter cache behavior.\n\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "f01e1af445fac107e91d62a2d59dd535f633810b", "tree": "f5da7e4162f0a6f4bb50e4cb41f6a06c672f66b0", "parents": [ "bc9bc72e2f9bb07384c00604d1a40d0b5f62be6c" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Tue May 24 13:48:51 2011 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu May 26 18:13:57 2011 -0700" }, "message": "selinux: don\u0027t pass in NULL avd to avc_has_perm_noaudit\n\nRight now security_get_user_sids() will pass in a NULL avd pointer to\navc_has_perm_noaudit(), which then forces that function to have a dummy\nentry for that case and just generally test it.\n\nDon\u0027t do it. The normal callers all pass a real avd pointer, and this\nhelper function is incredibly hot. So don\u0027t make avc_has_perm_noaudit()\ndo conditional stuff that isn\u0027t needed for the common case.\n\nThis also avoids some duplicated stack space.\n\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "0f7e4c33eb2c40b1e9cc24d2eab6de5921bc619c", "tree": "793c5f834751215dfc93b05540fa9ed46c64ee07", "parents": [ "ea77f7a2e8561012cf100c530170f12351c3b53e" ], "author": { "name": "Kohei Kaigai", "email": "Kohei.Kaigai@emea.nec.com", "time": "Thu May 26 14:59:25 2011 -0400" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu May 26 17:20:53 2011 -0400" }, "message": "selinux: fix case of names with whitespace/multibytes on /selinux/create\n\nI submit the patch again, according to patch submission convension.\n\nThis patch enables to accept percent-encoded object names as forth\nargument of /selinux/create interface to avoid possible bugs when we\ngive an object name including whitespace or multibutes.\n\nE.g) if and when a userspace object manager tries to create a new object\n named as \"resolve.conf but fake\", it shall give this name as the forth\n argument of the /selinux/create. But sscanf() logic in kernel space\n fetches only the part earlier than the first whitespace.\n In this case, selinux may unexpectedly answer a default security context\n configured to \"resolve.conf\", but it is bug.\n\nAlthough I could not test this patch on named TYPE_TRANSITION rules\nactually, But debug printk() message seems to me the logic works\ncorrectly.\nI assume the libselinux provides an interface to apply this logic\ntransparently, so nothing shall not be changed from the viewpoint of\napplication.\n\nSigned-off-by: KaiGai Kohei \u003ckohei.kaigai@emea.nec.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "ea77f7a2e8561012cf100c530170f12351c3b53e", "tree": "7302ac1064f4e364aadda84020a176804fb86e22", "parents": [ "7a627e3b9a2bd0f06945bbe64bcf403e788ecf6e", "61c4f2c81c61f73549928dfd9f3e8f26aa36a8cf" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu May 26 17:20:14 2011 -0400" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu May 26 17:20:14 2011 -0400" }, "message": "Merge commit \u0027v2.6.39\u0027 into 20110526\n\nConflicts:\n\tlib/flex_array.c\n\tsecurity/selinux/avc.c\n\tsecurity/selinux/hooks.c\n\tsecurity/selinux/ss/policydb.c\n\tsecurity/smack/smack_lsm.c\n" }, { "commit": "b7b57551bbda1390959207f79f2038aa7adb72ae", "tree": "d591a08e7e45615b51d8b5ee1634a29920f62c3f", "parents": [ "434d42cfd05a7cc452457a81d2029540cba12150", "7a627e3b9a2bd0f06945bbe64bcf403e788ecf6e" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue May 24 23:20:19 2011 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue May 24 23:20:19 2011 +1000" }, "message": "Merge branch \u0027master\u0027 of git://git.infradead.org/users/eparis/selinux into for-linus\n\nConflicts:\n\tlib/flex_array.c\n\tsecurity/selinux/avc.c\n\tsecurity/selinux/hooks.c\n\tsecurity/selinux/ss/policydb.c\n\tsecurity/smack/smack_lsm.c\n\nManually resolve conflicts.\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "57d19e80f459dd845fb3cfeba8e6df8471bac142", "tree": "8254766715720228db3d50f1ef3c7fe003c06d65", "parents": [ "ee9ec4f82049c678373a611ce20ac67fe9ad836e", "e64851f5a0ad6ec991f74ebb3108c35aa0323d5f" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon May 23 09:12:26 2011 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon May 23 09:12:26 2011 -0700" }, "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial: (39 commits)\n b43: fix comment typo reqest -\u003e request\n Haavard Skinnemoen has left Atmel\n cris: typo in mach-fs Makefile\n Kconfig: fix copy/paste-ism for dell-wmi-aio driver\n doc: timers-howto: fix a typo (\"unsgined\")\n perf: Only include annotate.h once in tools/perf/util/ui/browsers/annotate.c\n md, raid5: Fix spelling error in comment (\u0027Ofcourse\u0027 --\u003e \u0027Of course\u0027).\n treewide: fix a few typos in comments\n regulator: change debug statement be consistent with the style of the rest\n Revert \"arm: mach-u300/gpio: Fix mem_region resource size miscalculations\"\n audit: acquire creds selectively to reduce atomic op overhead\n rtlwifi: don\u0027t touch with treewide double semicolon removal\n treewide: cleanup continuations and remove logging message whitespace\n ath9k_hw: don\u0027t touch with treewide double semicolon removal\n include/linux/leds-regulator.h: fix syntax in example code\n tty: fix typo in descripton of tty_termios_encode_baud_rate\n xtensa: remove obsolete BKL kernel option from defconfig\n m68k: fix comment typo \u0027occcured\u0027\n arch:Kconfig.locks Remove unused config option.\n treewide: remove extra semicolons\n ...\n" }, { "commit": "257313b2a87795e07a0bdf58d0fffbdba8b31051", "tree": "ff5043526b0381cdc1f1f68d3c6f8ed3635e0ddb", "parents": [ "044aea9b83614948c98564000db07d1d32b2d29b" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu May 19 21:22:53 2011 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu May 19 21:22:53 2011 -0700" }, "message": "selinux: avoid unnecessary avc cache stat hit count\n\nThere is no point in counting hits - we can calculate it from the number\nof lookups and misses.\n\nThis makes the avc statistics a bit smaller, and makes the code\ngeneration better too.\n\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "044aea9b83614948c98564000db07d1d32b2d29b", "tree": "b1f13ed2f4bb0bd40f7915a89aafaf449b6145cd", "parents": [ "39ab05c8e0b519ff0a04a869f065746e6e8c3d95" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu May 19 18:59:47 2011 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu May 19 18:59:47 2011 -0700" }, "message": "selinux: de-crapify avc cache stat code generation\n\nYou can turn off the avc cache stats, but distributions seem to not do\nthat (perhaps because several performance tuning how-to\u0027s talk about the\navc cache statistics).\n\nWhich is sad, because the code it generates is truly horrendous, with\nthe statistics update being sandwitched between get_cpu/put_cpu which in\nturn causes preemption disables etc. We\u0027re talking ten+ instructions\njust to increment a per-cpu variable in some pretty hot code.\n\nFix the craziness by just using \u0027this_cpu_inc()\u0027 instead. Suddenly we\nonly need a single \u0027inc\u0027 instruction to increment the statistics. This\nis quite noticeable in the incredibly hot avc_has_perm_noaudit()\nfunction (which triggers all the statistics by virtue of doing an\navc_lookup() call).\n\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "eb04f2f04ed1227c266b3219c0aaeda525639718", "tree": "7f224483a3cd0e439cd64a8666ec9dc5ed178a3d", "parents": [ "5765040ebfc9a28d9dcfaaaaf3d25840d922de96", "80d02085d99039b3b7f3a73c8896226b0cb1ba07" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu May 19 18:14:34 2011 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Thu May 19 18:14:34 2011 -0700" }, "message": "Merge branch \u0027core-rcu-for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip\n\n* \u0027core-rcu-for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip: (78 commits)\n Revert \"rcu: Decrease memory-barrier usage based on semi-formal proof\"\n net,rcu: convert call_rcu(prl_entry_destroy_rcu) to kfree\n batman,rcu: convert call_rcu(softif_neigh_free_rcu) to kfree_rcu\n batman,rcu: convert call_rcu(neigh_node_free_rcu) to kfree()\n batman,rcu: convert call_rcu(gw_node_free_rcu) to kfree_rcu\n net,rcu: convert call_rcu(kfree_tid_tx) to kfree_rcu()\n net,rcu: convert call_rcu(xt_osf_finger_free_rcu) to kfree_rcu()\n net/mac80211,rcu: convert call_rcu(work_free_rcu) to kfree_rcu()\n net,rcu: convert call_rcu(wq_free_rcu) to kfree_rcu()\n net,rcu: convert call_rcu(phonet_device_rcu_free) to kfree_rcu()\n perf,rcu: convert call_rcu(swevent_hlist_release_rcu) to kfree_rcu()\n perf,rcu: convert call_rcu(free_ctx) to kfree_rcu()\n net,rcu: convert call_rcu(__nf_ct_ext_free_rcu) to kfree_rcu()\n net,rcu: convert call_rcu(net_generic_release) to kfree_rcu()\n net,rcu: convert call_rcu(netlbl_unlhsh_free_addr6) to kfree_rcu()\n net,rcu: convert call_rcu(netlbl_unlhsh_free_addr4) to kfree_rcu()\n security,rcu: convert call_rcu(sel_netif_free) to kfree_rcu()\n net,rcu: convert call_rcu(xps_dev_maps_release) to kfree_rcu()\n net,rcu: convert call_rcu(xps_map_release) to kfree_rcu()\n net,rcu: convert call_rcu(rps_map_release) to kfree_rcu()\n ...\n" }, { "commit": "ca7d12000895ae5dfef8b8ff2648a0d50abd397c", "tree": "259fb1e473ef6129b9fa5faf771c9e811ab572c4", "parents": [ "411f05f123cbd7f8aa1edcae86970755a6e2a9d9", "93826c092c385549c04af184fbebd43f36995c69" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri May 13 09:52:16 2011 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Fri May 13 09:52:16 2011 +1000" }, "message": "Merge branch \u0027for-linus\u0027 of git://git.infradead.org/users/eparis/selinux into for-linus\n" }, { "commit": "93826c092c385549c04af184fbebd43f36995c69", "tree": "20f77a85a74a24ed3418da8818e12b439f70fc81", "parents": [ "bf69d41d198138e3c601e9a6645f4f1369aff7e0" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Apr 07 14:46:59 2011 -0400" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu May 12 16:02:42 2011 -0400" }, "message": "SELinux: delete debugging printks from filename_trans rule processing\n\nThe filename_trans rule processing has some printk(KERN_ERR ) messages\nwhich were intended as debug aids in creating the code but weren\u0027t removed\nbefore it was submitted. Remove them.\n\nReported-by: Paul Bolle \u003cpebolle@tiscali.nl\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "7a627e3b9a2bd0f06945bbe64bcf403e788ecf6e", "tree": "5d79dfee7868debdf428640477adce32be10968f", "parents": [ "2875fa00830be62431f5ac22d8f85d57f9fa3033" ], "author": { "name": "Greg Kroah-Hartman", "email": "gregkh@suse.de", "time": "Tue May 10 15:34:16 2011 -0700" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed May 11 12:58:09 2011 -0400" }, "message": "SELINUX: add /sys/fs/selinux mount point to put selinuxfs\n\nIn the interest of keeping userspace from having to create new root\nfilesystems all the time, let\u0027s follow the lead of the other in-kernel\nfilesystems and provide a proper mount point for it in sysfs.\n\nFor selinuxfs, this mount point should be in /sys/fs/selinux/\n\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Eric Paris \u003ceparis@parisplace.org\u003e\nCc: Lennart Poettering \u003cmzerqung@0pointer.de\u003e\nCc: Daniel J Walsh \u003cdwalsh@redhat.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@suse.de\u003e\n[include kobject.h - Eric Paris]\n[use selinuxfs_obj throughout - Eric Paris]\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "690273fc70e94a07d70044881e5e52926301bcd3", "tree": "f72c7942fb91d74e9f18ab169c213a21f1b40505", "parents": [ "b55071eb6011413af3b9c434ae77dea8832069c8" ], "author": { "name": "Lai Jiangshan", "email": "laijs@cn.fujitsu.com", "time": "Fri Mar 18 12:03:19 2011 +0800" }, "committer": { "name": "Paul E. McKenney", "email": "paulmck@linux.vnet.ibm.com", "time": "Sat May 07 22:51:05 2011 -0700" }, "message": "security,rcu: convert call_rcu(sel_netif_free) to kfree_rcu()\n\nThe rcu callback sel_netif_free() just calls a kfree(),\nso we use kfree_rcu() instead of the call_rcu(sel_netif_free).\n\nSigned-off-by: Lai Jiangshan \u003claijs@cn.fujitsu.com\u003e\nAcked-by: David S. Miller \u003cdavem@davemloft.net\u003e\nSigned-off-by: Paul E. McKenney \u003cpaulmck@linux.vnet.ibm.com\u003e\nReviewed-by: Josh Triplett \u003cjosh@joshtriplett.org\u003e\n" }, { "commit": "6f239284542bae297d27355d06afbb8df23c5db9", "tree": "b0ba42fb54cd05178c61584e0913be38a57f0384", "parents": [ "609cfda586c7fe3e5d1a02c51edb587506294167", "bf69d41d198138e3c601e9a6645f4f1369aff7e0" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed May 04 11:59:34 2011 +1000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Wed May 04 11:59:34 2011 +1000" }, "message": "Merge branch \u0027for-linus\u0027 of git://git.infradead.org/users/eparis/selinux into for-linus\n" }, { "commit": "5d30b10bd68df007e7ae21e77d1e0ce184b53040", "tree": "61d97a80d0fac7c6dfd97db7040fedd75771adda", "parents": [ "cb1e922fa104bb0bb3aa5fc6ca7f7e070f3b55e9" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Apr 28 15:55:52 2011 -0400" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Apr 28 16:12:47 2011 -0400" }, "message": "flex_array: flex_array_prealloc takes a number of elements, not an end\n\nChange flex_array_prealloc to take the number of elements for which space\nshould be allocated instead of the last (inclusive) element. Users\nand documentation are updated accordingly. flex_arrays got introduced before\nthey had users. When folks started using it, they ended up needing a\ndifferent API than was coded up originally. This swaps over to the API that\nfolks apparently need.\n\nBased-on-patch-by: Steffen Klassert \u003csteffen.klassert@secunet.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nTested-by: Chris Richards \u003cgizmo@giz-works.com\u003e\nAcked-by: Dave Hansen \u003cdave@linux.vnet.ibm.com\u003e\nCc: stable@kernel.org [2.6.38+]\n" }, { "commit": "cb1e922fa104bb0bb3aa5fc6ca7f7e070f3b55e9", "tree": "c776ceca8e63dd8de70f242fe6883320004884eb", "parents": [ "fe3fa43039d47ee4e22caf460b79b62a14937f79" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Apr 28 15:11:21 2011 -0400" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Apr 28 16:12:41 2011 -0400" }, "message": "SELinux: pass last path component in may_create\n\nNew inodes are created in a two stage process. We first will compute the\nlabel on a new inode in security_inode_create() and check if the\noperation is allowed. We will then actually re-compute that same label and\napply it in security_inode_init_security(). The change to do new label\ncalculations based in part on the last component of the path name only\npassed the path component information all the way down the\nsecurity_inode_init_security hook. Down the security_inode_create hook the\npath information did not make it past may_create. Thus the two calculations\ncame up differently and the permissions check might not actually be against\nthe label that is created. Pass and use the same information in both places\nto harmonize the calculations and checks.\n\nReported-by: Dominick Grift \u003cdomg472@gmail.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "2875fa00830be62431f5ac22d8f85d57f9fa3033", "tree": "541fdb15e39711fb1ad901223d823421c7b77526", "parents": [ "a8d05c81fb238bbb18878ccfae7599ca79448dd3" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Apr 28 16:04:24 2011 -0400" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Apr 28 16:09:59 2011 -0400" }, "message": "SELinux: introduce path_has_perm\n\nWe currently have inode_has_perm and dentry_has_perm. dentry_has_perm just\ncalls inode_has_perm with additional audit data. But dentry_has_perm can\ntake either a dentry or a path. Split those to make the code obvious and\nto fix the previous problem where I thought dentry_has_perm always had a\nvalid dentry and mnt.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "5a3ea8782c63d3501cb764c176f153c0d9a400e1", "tree": "3ff57105c8c3f3ad696b29511d1cf69f434caeab", "parents": [ "562abf624175e3f8487b7f064e516805e437e597" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Apr 28 15:55:52 2011 -0400" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Apr 28 15:56:06 2011 -0400" }, "message": "flex_array: flex_array_prealloc takes a number of elements, not an end\n\nChange flex_array_prealloc to take the number of elements for which space\nshould be allocated instead of the last (inclusive) element. Users\nand documentation are updated accordingly. flex_arrays got introduced before\nthey had users. When folks started using it, they ended up needing a\ndifferent API than was coded up originally. This swaps over to the API that\nfolks apparently need.\n\nBased-on-patch-by: Steffen Klassert \u003csteffen.klassert@secunet.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nTested-by: Chris Richards \u003cgizmo@giz-works.com\u003e\nAcked-by: Dave Hansen \u003cdave@linux.vnet.ibm.com\u003e\nCc: stable@kernel.org [2.6.38+]\n" }, { "commit": "562abf624175e3f8487b7f064e516805e437e597", "tree": "75e52d8f8f91fc42c28ca2e0b7196b9fd16c25e0", "parents": [ "2463c26d50adc282d19317013ba0ff473823ca47" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Apr 28 15:11:21 2011 -0400" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Apr 28 15:15:54 2011 -0400" }, "message": "SELinux: pass last path component in may_create\n\nNew inodes are created in a two stage process. We first will compute the\nlabel on a new inode in security_inode_create() and check if the\noperation is allowed. We will then actually re-compute that same label and\napply it in security_inode_init_security(). The change to do new label\ncalculations based in part on the last component of the path name only\npassed the path component information all the way down the\nsecurity_inode_init_security hook. Down the security_inode_create hook the\npath information did not make it past may_create. Thus the two calculations\ncame up differently and the permissions check might not actually be against\nthe label that is created. Pass and use the same information in both places\nto harmonize the calculations and checks.\n\nReported-by: Dominick Grift \u003cdomg472@gmail.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "2463c26d50adc282d19317013ba0ff473823ca47", "tree": "e92438150bb380c0dc0867b00f1ae89f73646b2a", "parents": [ "3f058ef7787e1b48720622346de9a5317aeb749a" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Apr 28 15:11:21 2011 -0400" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Apr 28 15:15:53 2011 -0400" }, "message": "SELinux: put name based create rules in a hashtable\n\nTo shorten the list we need to run if filename trans rules exist for the type\nof the given parent directory I put them in a hashtable. Given the policy we\nare expecting to use in Fedora this takes the worst case list run from about\n5,000 entries to 17.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "3f058ef7787e1b48720622346de9a5317aeb749a", "tree": "3cfdfa068b6eae4716f3be7d02f44bbd15e64573", "parents": [ "be30b16d43f4781406de0c08c96501dae4cc5a77" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Apr 28 15:11:21 2011 -0400" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Apr 28 15:15:52 2011 -0400" }, "message": "SELinux: generic hashtab entry counter\n\nInstead of a hashtab entry counter function only useful for range\ntransition rules make a function generic for any hashtable to use.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "be30b16d43f4781406de0c08c96501dae4cc5a77", "tree": "957792a2eae5f16a87b79f4ca8aa434b6fa9c7de", "parents": [ "03a4c0182a156547edd5f2717c1702590fe36bbf" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Apr 28 15:11:21 2011 -0400" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Apr 28 15:15:52 2011 -0400" }, "message": "SELinux: calculate and print hashtab stats with a generic function\n\nWe have custom debug functions like rangetr_hash_eval and symtab_hash_eval\nwhich do the same thing. Just create a generic function that takes the name\nof the hash table as an argument instead of having custom functions.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "03a4c0182a156547edd5f2717c1702590fe36bbf", "tree": "c4585fab7c37d4eb2cc46e93c925e7c2a5e7b1a2", "parents": [ "2667991f60e67d28c495b8967aaabf84b4ccd560" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Apr 28 15:11:21 2011 -0400" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Apr 28 15:15:52 2011 -0400" }, "message": "SELinux: skip filename trans rules if ttype does not match parent dir\n\nRight now we walk to filename trans rule list for every inode that is\ncreated. First passes at policy using this facility creates around 5000\nfilename trans rules. Running a list of 5000 entries every time is a bad\nidea. This patch adds a new ebitmap to policy which has a bit set for each\nttype that has at least 1 filename trans rule. Thus when an inode is\ncreated we can quickly determine if any rules exist for this parent\ndirectory type and can skip the list if we know there is definitely no\nrelevant entry.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "2667991f60e67d28c495b8967aaabf84b4ccd560", "tree": "893c006121f2be1b44e270fc5b43d8f94435dc81", "parents": [ "4742600cf536c0c115b6f769eda82ee377d199c9" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Apr 28 15:11:20 2011 -0400" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Apr 28 15:15:51 2011 -0400" }, "message": "SELinux: rename filename_compute_type argument to *type instead of *con\n\nfilename_compute_type() takes as arguments the numeric value of the type of\nthe subject and target. It does not take a context. Thus the names are\nmisleading. Fix the argument names.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "4742600cf536c0c115b6f769eda82ee377d199c9", "tree": "599922c770c628c3d484ee7460fe1fc361c3c509", "parents": [ "92f4250901476fcadc4f52ace36e453c61f5591d" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Apr 28 15:11:20 2011 -0400" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Apr 28 15:15:51 2011 -0400" }, "message": "SELinux: fix comment to state filename_compute_type takes an objname not a qstr\n\nfilename_compute_type used to take a qstr, but it now takes just a name.\nFix the comments to indicate it is an objname, not a qstr.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "07f9479a40cc778bc1462ada11f95b01360ae4ff", "tree": "0676cf38df3844004bb3ebfd99dfa67a4a8998f5", "parents": [ "9d5e6bdb3013acfb311ab407eeca0b6a6a3dedbf", "cd2e49e90f1cae7726c9a2c54488d881d7f1cd1c" ], "author": { "name": "Jiri Kosina", "email": "jkosina@suse.cz", "time": "Tue Apr 26 10:22:15 2011 +0200" }, "committer": { "name": "Jiri Kosina", "email": "jkosina@suse.cz", "time": "Tue Apr 26 10:22:59 2011 +0200" }, "message": "Merge branch \u0027master\u0027 into for-next\n\nFast-forwarded to current state of Linus\u0027 tree as there are patches to be\napplied for files that didn\u0027t exist on the old branch.\n" }, { "commit": "9ade0cf440a1e5800dc68eef2e77b8d9d83a6dff", "tree": "17a06970af5a26cd340b785a894f20f262335575", "parents": [ "1879fd6a26571fd4e8e1f4bb3e7537bc936b1fe7" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Apr 25 16:26:29 2011 -0400" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Apr 25 18:16:32 2011 -0700" }, "message": "SELINUX: Make selinux cache VFS RCU walks safe\n\nNow that the security modules can decide whether they support the\ndcache RCU walk or not it\u0027s possible to make selinux a bit more\nRCU friendly. The SELinux AVC and security server access decision\ncode is RCU safe. A specific piece of the LSM audit code may not\nbe RCU safe.\n\nThis patch makes the VFS RCU walk retry if it would hit the non RCU\nsafe chunk of code. It will normally just work under RCU. This is\ndone simply by passing the VFS RCU state as a flag down into the\navc_audit() code and returning ECHILD there if it would have an issue.\n\nBased-on-patch-by: Andi Kleen \u003cak@linux.intel.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "a269434d2fb48a4d66c1d7bf821b7874b59c5b41", "tree": "9c84b5f3e9f3adb3dd4a7e9da2b72dd7fe7eec49", "parents": [ "f48b7399840b453e7282b523f535561fe9638a2d" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Apr 25 13:10:27 2011 -0400" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Apr 25 18:14:07 2011 -0400" }, "message": "LSM: separate LSM_AUDIT_DATA_DENTRY from LSM_AUDIT_DATA_PATH\n\nThis patch separates and audit message that only contains a dentry from\none that contains a full path. This allows us to make it harder to\nmisuse the interfaces or for the interfaces to be implemented wrong.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\n" }, { "commit": "f48b7399840b453e7282b523f535561fe9638a2d", "tree": "29eed009469d35473367708ea60b9c5b01fc0c5f", "parents": [ "0dc1ba24f7fff659725eecbba2c9ad679a0954cd" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Apr 25 12:54:27 2011 -0400" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Apr 25 18:13:15 2011 -0400" }, "message": "LSM: split LSM_AUDIT_DATA_FS into _PATH and _INODE\n\nThe lsm common audit code has wacky contortions making sure which pieces\nof information are set based on if it was given a path, dentry, or\ninode. Split this into path and inode to get rid of some of the code\ncomplexity.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\n" }, { "commit": "0dc1ba24f7fff659725eecbba2c9ad679a0954cd", "tree": "ad5831b52b38ca8157dd3ba4e5dfb75768bd372f", "parents": [ "1c9904297451f558191e211a48d8838b4bf792b0" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Apr 21 17:23:20 2011 -0700" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Apr 25 16:24:41 2011 -0400" }, "message": "SELINUX: Make selinux cache VFS RCU walks safe\n\nNow that the security modules can decide whether they support the\ndcache RCU walk or not it\u0027s possible to make selinux a bit more\nRCU friendly. The SELinux AVC and security server access decision\ncode is RCU safe. A specific piece of the LSM audit code may not\nbe RCU safe.\n\nThis patch makes the VFS RCU walk retry if it would hit the non RCU\nsafe chunk of code. It will normally just work under RCU. This is\ndone simply by passing the VFS RCU state as a flag down into the\navc_audit() code and returning ECHILD there if it would have an issue.\n\nBased-on-patch-by: Andi Kleen \u003cak@linux.intel.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "1c9904297451f558191e211a48d8838b4bf792b0", "tree": "9c7cabec6ce3d6604147de73953cfaca672f1c0d", "parents": [ "6b697323a78bed254ee372f71b1a6a2901bb4b7a" ], "author": { "name": "Andi Kleen", "email": "ak@linux.intel.com", "time": "Thu Apr 21 17:23:19 2011 -0700" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Apr 25 10:20:32 2011 -0400" }, "message": "SECURITY: Move exec_permission RCU checks into security modules\n\nRight now all RCU walks fall back to reference walk when CONFIG_SECURITY\nis enabled, even though just the standard capability module is active.\nThis is because security_inode_exec_permission unconditionally fails\nRCU walks.\n\nMove this decision to the low level security module. This requires\npassing the RCU flags down the security hook. This way at least\nthe capability module and a few easy cases in selinux/smack work\nwith RCU walks with CONFIG_SECURITY\u003dy\n\nSigned-off-by: Andi Kleen \u003cak@linux.intel.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "6b697323a78bed254ee372f71b1a6a2901bb4b7a", "tree": "ef1282bd99f549074253b33deeb6436809566ad4", "parents": [ "a35c6c8368d88deae6890205e73ed330b6df1db7" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Apr 20 10:21:28 2011 -0400" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Apr 25 10:19:02 2011 -0400" }, "message": "SELinux: security_read_policy should take a size_t not ssize_t\n\nThe len should be an size_t but is a ssize_t. Easy enough fix to silence\nbuild warnings. We have no need for signed-ness.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "a35c6c8368d88deae6890205e73ed330b6df1db7", "tree": "f61c3da7460bb5ab39353404456d92e005e9000e", "parents": [ "425b473de5372cad6fffc6b98a758ed8e3fc70ce" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Apr 20 10:21:28 2011 -0400" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Apr 25 10:18:27 2011 -0400" }, "message": "SELinux: silence build warning when !CONFIG_BUG\n\nIf one builds a kernel without CONFIG_BUG there are a number of \u0027may be\nused uninitialized\u0027 warnings. Silence these by returning after the BUG().\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "8c9e80ed276fc4b9c9fadf29d8bf6b3576112f1a", "tree": "7595dd217545593675d40f85cfb11d69697a8300", "parents": [ "8d082f8f3fb89e8a1fcb5120ad98cd9860c8a3e8" ], "author": { "name": "Andi Kleen", "email": "ak@linux.intel.com", "time": "Thu Apr 21 17:23:19 2011 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Apr 22 16:17:29 2011 -0700" }, "message": "SECURITY: Move exec_permission RCU checks into security modules\n\nRight now all RCU walks fall back to reference walk when CONFIG_SECURITY\nis enabled, even though just the standard capability module is active.\nThis is because security_inode_exec_permission unconditionally fails\nRCU walks.\n\nMove this decision to the low level security module. This requires\npassing the RCU flags down the security hook. This way at least\nthe capability module and a few easy cases in selinux/smack work\nwith RCU walks with CONFIG_SECURITY\u003dy\n\nSigned-off-by: Andi Kleen \u003cak@linux.intel.com\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "425b473de5372cad6fffc6b98a758ed8e3fc70ce", "tree": "532811d99d68d2ba58bc111b33a959ddb8a1a1e2", "parents": [ "1214eac73f798bccabc6adb55e7b2d787527c13c" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Apr 07 14:46:59 2011 -0400" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Apr 20 11:45:14 2011 -0400" }, "message": "SELinux: delete debugging printks from filename_trans rule processing\n\nThe filename_trans rule processing has some printk(KERN_ERR ) messages\nwhich were intended as debug aids in creating the code but weren\u0027t removed\nbefore it was submitted. Remove them.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "6eab04a87677a37cf15b52e2b4b4fd57917102ad", "tree": "dc92e25473e7e5c9183312d7feeeaeabb2157baf", "parents": [ "9f0af69b2dd34d2c21817d599db7bdb3c972a759" ], "author": { "name": "Justin P. Mattock", "email": "justinmattock@gmail.com", "time": "Fri Apr 08 19:49:08 2011 -0700" }, "committer": { "name": "Jiri Kosina", "email": "jkosina@suse.cz", "time": "Sun Apr 10 17:01:05 2011 +0200" }, "message": "treewide: remove extra semicolons\n\nSigned-off-by: Justin P. Mattock \u003cjustinmattock@gmail.com\u003e\nSigned-off-by: Jiri Kosina \u003cjkosina@suse.cz\u003e\n" }, { "commit": "1214eac73f798bccabc6adb55e7b2d787527c13c", "tree": "4b379622da0d56be88d7ea87af558ef719317c7d", "parents": [ "eba71de2cb7c02c5ae4f2ad3656343da71bc4661" ], "author": { "name": "Harry Ciao", "email": "qingtao.cao@windriver.com", "time": "Thu Apr 07 14:12:57 2011 +0800" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Apr 07 12:00:26 2011 -0400" }, "message": "Initialize policydb.process_class eariler.\n\nInitialize policydb.process_class once all symtabs read from policy image,\nso that it could be used to setup the role_trans.tclass field when a lower\nversion policy.X is loaded.\n\nSigned-off-by: Harry Ciao \u003cqingtao.cao@windriver.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "eba71de2cb7c02c5ae4f2ad3656343da71bc4661", "tree": "3eb37c447b2023c86d2c2cadc7b84656c134b646", "parents": [ "f50a3ec961f90e38c0311411179d5dfee1412192" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Fri Mar 25 10:13:43 2011 -0400" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Apr 07 12:00:12 2011 -0400" }, "message": "selinux: Fix regression for Xorg\n\nCommit 6f5317e730505d5cbc851c435a2dfe3d5a21d343 introduced a bug in the\nhandling of userspace object classes that is causing breakage for Xorg\nwhen XSELinux is enabled. Fix the bug by changing map_class() to return\nSECCLASS_NULL when the class cannot be mapped to a kernel object class.\n\nReported-by: \"Justin P. Mattock\" \u003cjustinmattock@gmail.com\u003e\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "f50a3ec961f90e38c0311411179d5dfee1412192", "tree": "600b7909964cd116af1252ecabb5b1415c01d7a0", "parents": [ "6bde95ce33e1c2ac9b5cb3d814722105131090ec" ], "author": { "name": "Kohei Kaigai", "email": "Kohei.Kaigai@eu.nec.com", "time": "Fri Apr 01 15:39:26 2011 +0100" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Apr 01 17:13:23 2011 -0400" }, "message": "selinux: add type_transition with name extension support for selinuxfs\n\nThe attached patch allows /selinux/create takes optional 4th argument\nto support TYPE_TRANSITION with name extension for userspace object\nmanagers.\nIf 4th argument is not supplied, it shall perform as existing kernel.\nIn fact, the regression test of SE-PostgreSQL works well on the patched\nkernel.\n\nThanks,\n\nSigned-off-by: KaiGai Kohei \u003ckohei.kaigai@eu.nec.com\u003e\n[manually verify fuzz was not an issue, and it wasn\u0027t: eparis]\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "25985edcedea6396277003854657b5f3cb31a628", "tree": "f026e810210a2ee7290caeb737c23cb6472b7c38", "parents": [ "6aba74f2791287ec407e0f92487a725a25908067" ], "author": { "name": "Lucas De Marchi", "email": "lucas.demarchi@profusion.mobi", "time": "Wed Mar 30 22:57:33 2011 -0300" }, "committer": { "name": "Lucas De Marchi", "email": "lucas.demarchi@profusion.mobi", "time": "Thu Mar 31 11:26:23 2011 -0300" }, "message": "Fix common misspellings\n\nFixes generated by \u0027codespell\u0027 and manually reviewed.\n\nSigned-off-by: Lucas De Marchi \u003clucas.demarchi@profusion.mobi\u003e\n" }, { "commit": "85cd6da53a8073d3f4503f56e4ea6cddccbb1c7f", "tree": "9c71a1426c09767e7470fea2c244c9ebd3ec4d8c", "parents": [ "036a98263a30930a329e7bb184d5e77f27358e40" ], "author": { "name": "Stephen Smalley", "email": "sds@tycho.nsa.gov", "time": "Fri Mar 25 10:13:43 2011 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Mar 29 10:26:30 2011 +1100" }, "message": "selinux: Fix regression for Xorg\n\nCommit 6f5317e730505d5cbc851c435a2dfe3d5a21d343 introduced a bug in the\nhandling of userspace object classes that is causing breakage for Xorg\nwhen XSELinux is enabled. Fix the bug by changing map_class() to return\nSECCLASS_NULL when the class cannot be mapped to a kernel object class.\n\nReported-by: \"Justin P. Mattock\" \u003cjustinmattock@gmail.com\u003e\nSigned-off-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "c900ff323d761753a56d8d6a67b034ceee277b6e", "tree": "0294cfb5904eec80cf8e84004d46cb8734b714e7", "parents": [ "63a312ca55d09a3f6526919df495fff1073c88f4" ], "author": { "name": "Harry Ciao", "email": "qingtao.cao@windriver.com", "time": "Fri Mar 25 13:52:00 2011 +0800" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Mar 28 14:21:05 2011 -0400" }, "message": "SELinux: Write class field in role_trans_write.\n\nIf kernel policy version is \u003e\u003d 26, then write the class field of the\nrole_trans structure into the binary reprensentation.\n\nSigned-off-by: Harry Ciao \u003cqingtao.cao@windriver.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "63a312ca55d09a3f6526919df495fff1073c88f4", "tree": "43fe9a17837fff6bc71e789dbb8fa0f8d03d01aa", "parents": [ "8023976cf4627d9f1d82ad468ec40e32eb87d211" ], "author": { "name": "Harry Ciao", "email": "harrytaurus200@hotmail.com", "time": "Fri Mar 25 13:51:58 2011 +0800" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Mar 28 14:21:01 2011 -0400" }, "message": "SELinux: Compute role in newcontext for all classes\n\nApply role_transition rules for all kinds of classes.\n\nSigned-off-by: Harry Ciao \u003cqingtao.cao@windriver.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "8023976cf4627d9f1d82ad468ec40e32eb87d211", "tree": "82af1157ffbb00be2a8d2357a8c2fd88826233b1", "parents": [ "fe3fa43039d47ee4e22caf460b79b62a14937f79" ], "author": { "name": "Harry Ciao", "email": "qingtao.cao@windriver.com", "time": "Fri Mar 25 13:51:56 2011 +0800" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Mar 28 14:20:58 2011 -0400" }, "message": "SELinux: Add class support to the role_trans structure\n\nIf kernel policy version is \u003e\u003d 26, then the binary representation of\nthe role_trans structure supports specifying the class for the current\nsubject or the newly created object.\n\nIf kernel policy version is \u003c 26, then the class field would be default\nto the process class.\n\nSigned-off-by: Harry Ciao \u003cqingtao.cao@windriver.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "2e1496707560ecf98e9b0604622c0990f94861d3", "tree": "d1473b70fad31a903fedc87221680678a6c6c5f6", "parents": [ "e795b71799ff0b27365020c9ddaa25d0d83f99c8" ], "author": { "name": "Serge E. Hallyn", "email": "serge@hallyn.com", "time": "Wed Mar 23 16:43:26 2011 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Mar 23 19:47:13 2011 -0700" }, "message": "userns: rename is_owner_or_cap to inode_owner_or_capable\n\nAnd give it a kernel-doc comment.\n\n[akpm@linux-foundation.org: btrfs changed in linux-next]\nSigned-off-by: Serge E. Hallyn \u003cserge.hallyn@canonical.com\u003e\nCc: \"Eric W. Biederman\" \u003cebiederm@xmission.com\u003e\nCc: Daniel Lezcano \u003cdaniel.lezcano@free.fr\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "3486740a4f32a6a466f5ac931654d154790ba648", "tree": "ac5d968a66057fa84933b8f89fd3e916270dffed", "parents": [ "59607db367c57f515183cb203642291bb14d9c40" ], "author": { "name": "Serge E. Hallyn", "email": "serge@hallyn.com", "time": "Wed Mar 23 16:43:17 2011 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Mar 23 19:47:02 2011 -0700" }, "message": "userns: security: make capabilities relative to the user namespace\n\n- Introduce ns_capable to test for a capability in a non-default\n user namespace.\n- Teach cap_capable to handle capabilities in a non-default\n user namespace.\n\nThe motivation is to get to the unprivileged creation of new\nnamespaces. It looks like this gets us 90% of the way there, with\nonly potential uid confusion issues left.\n\nI still need to handle getting all caps after creation but otherwise I\nthink I have a good starter patch that achieves all of your goals.\n\nChangelog:\n\t11/05/2010: [serge] add apparmor\n\t12/14/2010: [serge] fix capabilities to created user namespaces\n\tWithout this, if user serge creates a user_ns, he won\u0027t have\n\tcapabilities to the user_ns he created. THis is because we\n\twere first checking whether his effective caps had the caps\n\the needed and returning -EPERM if not, and THEN checking whether\n\the was the creator. Reverse those checks.\n\t12/16/2010: [serge] security_real_capable needs ns argument in !security case\n\t01/11/2011: [serge] add task_ns_capable helper\n\t01/11/2011: [serge] add nsown_capable() helper per Bastian Blank suggestion\n\t02/16/2011: [serge] fix a logic bug: the root user is always creator of\n\t\t init_user_ns, but should not always have capabilities to\n\t\t it! Fix the check in cap_capable().\n\t02/21/2011: Add the required user_ns parameter to security_capable,\n\t\t fixing a compile failure.\n\t02/23/2011: Convert some macros to functions as per akpm comments. Some\n\t\t couldn\u0027t be converted because we can\u0027t easily forward-declare\n\t\t them (they are inline if !SECURITY, extern if SECURITY). Add\n\t\t a current_user_ns function so we can use it in capability.h\n\t\t without #including cred.h. Move all forward declarations\n\t\t together to the top of the #ifdef __KERNEL__ section, and use\n\t\t kernel-doc format.\n\t02/23/2011: Per dhowells, clean up comment in cap_capable().\n\t02/23/2011: Per akpm, remove unreachable \u0027return -EPERM\u0027 in cap_capable.\n\n(Original written and signed off by Eric; latest, modified version\nacked by him)\n\n[akpm@linux-foundation.org: fix build]\n[akpm@linux-foundation.org: export current_user_ns() for ecryptfs]\n[serge.hallyn@canonical.com: remove unneeded extra argument in selinux\u0027s task_has_capability]\nSigned-off-by: Eric W. Biederman \u003cebiederm@xmission.com\u003e\nSigned-off-by: Serge E. Hallyn \u003cserge.hallyn@canonical.com\u003e\nAcked-by: \"Eric W. Biederman\" \u003cebiederm@xmission.com\u003e\nAcked-by: Daniel Lezcano \u003cdaniel.lezcano@free.fr\u003e\nAcked-by: David Howells \u003cdhowells@redhat.com\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Serge E. Hallyn \u003cserge.hallyn@canonical.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "7a6362800cb7d1d618a697a650c7aaed3eb39320", "tree": "087f9bc6c13ef1fad4b392c5cf9325cd28fa8523", "parents": [ "6445ced8670f37cfc2c5e24a9de9b413dbfc788d", "ceda86a108671294052cbf51660097b6534672f5" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Mar 16 16:29:25 2011 -0700" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Wed Mar 16 16:29:25 2011 -0700" }, "message": "Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6\n\n* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6: (1480 commits)\n bonding: enable netpoll without checking link status\n xfrm: Refcount destination entry on xfrm_lookup\n net: introduce rx_handler results and logic around that\n bonding: get rid of IFF_SLAVE_INACTIVE netdev-\u003epriv_flag\n bonding: wrap slave state work\n net: get rid of multiple bond-related netdevice-\u003epriv_flags\n bonding: register slave pointer for rx_handler\n be2net: Bump up the version number\n be2net: Copyright notice change. Update to Emulex instead of ServerEngines\n e1000e: fix kconfig for crc32 dependency\n netfilter ebtables: fix xt_AUDIT to work with ebtables\n xen network backend driver\n bonding: Improve syslog message at device creation time\n bonding: Call netif_carrier_off after register_netdevice\n bonding: Incorrect TX queue offset\n net_sched: fix ip_tos2prio\n xfrm: fix __xfrm_route_forward()\n be2net: Fix UDP packet detected status in RX compl\n Phonet: fix aligned-mode pipe socket buffer header reserve\n netxen: support for GbE port settings\n ...\n\nFix up conflicts in drivers/staging/brcm80211/brcmsmac/wl_mac80211.c\nwith the staging updates.\n" }, { "commit": "1d28f42c1bd4bb2363d88df74d0128b4da135b4a", "tree": "cb2e652fe79a2bc307e871bc2d3fa51cc8051e45", "parents": [ "ca116922afa8cc5ad46b00c0a637b1cde5ca478a" ], "author": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Sat Mar 12 00:29:39 2011 -0500" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Sat Mar 12 15:08:44 2011 -0800" }, "message": "net: Put flowi_* prefix on AF independent members of struct flowi\n\nI intend to turn struct flowi into a union of AF specific flowi\nstructs. There will be a common structure that each variant includes\nfirst, much like struct sock_common.\n\nThis is the first step to move in that direction.\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "fe3fa43039d47ee4e22caf460b79b62a14937f79", "tree": "9eab8d00f1227b9fe0959f32a62d892ed35803ba", "parents": [ "ee009e4a0d4555ed522a631bae9896399674f064", "026eb167ae77244458fa4b4b9fc171209c079ba7" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Mar 08 11:38:10 2011 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Mar 08 11:38:10 2011 +1100" }, "message": "Merge branch \u0027master\u0027 of git://git.infradead.org/users/eparis/selinux into next\n" }, { "commit": "1cc26bada9f6807814806db2f0d78792eecdac71", "tree": "5509b5139db04af6c13db0a580c84116a4a54039", "parents": [ "eae61f3c829439f8f9121b5cd48a14be04df451f", "214d93b02c4fe93638ad268613c9702a81ed9192" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Mar 08 10:55:06 2011 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Tue Mar 08 10:55:06 2011 +1100" }, "message": "Merge branch \u0027master\u0027; commit \u0027v2.6.38-rc7\u0027 into next\n" }, { "commit": "026eb167ae77244458fa4b4b9fc171209c079ba7", "tree": "1e66fcfeb0b43a6fb764e1d07f8f0200d0c99094", "parents": [ "ff36fe2c845cab2102e4826c1ffa0a6ebf487c65" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Mar 03 16:09:14 2011 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Mar 03 16:12:28 2011 -0500" }, "message": "SELinux: implement the new sb_remount LSM hook\n\nFor SELinux we do not allow security information to change during a remount\noperation. Thus this hook simply strips the security module options from\nthe data and verifies that those are the same options as exist on the\ncurrent superblock.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nReviewed-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "2ad18bdf3b8f84c85c7da7e4de365f7c5701fb3f", "tree": "7b45743dee9e9de69714da3801aa3f987a3db365", "parents": [ "6f5317e730505d5cbc851c435a2dfe3d5a21d343" ], "author": { "name": "Harry Ciao", "email": "qingtao.cao@windriver.com", "time": "Wed Mar 02 13:32:34 2011 +0800" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Mar 03 15:19:44 2011 -0500" }, "message": "SELinux: Compute SID for the newly created socket\n\nThe security context for the newly created socket shares the same\nuser, role and MLS attribute as its creator but may have a different\ntype, which could be specified by a type_transition rule in the relevant\npolicy package.\n\nSigned-off-by: Harry Ciao \u003cqingtao.cao@windriver.com\u003e\n[fix call to security_transition_sid to include qstr, Eric Paris]\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\n" }, { "commit": "6f5317e730505d5cbc851c435a2dfe3d5a21d343", "tree": "02088cf519a00db5c6fbdb2cc8776402413eb662", "parents": [ "4bc6c2d5d8386800fde23a8e78cd4f04a0ade0ad" ], "author": { "name": "Harry Ciao", "email": "qingtao.cao@windriver.com", "time": "Wed Mar 02 13:32:33 2011 +0800" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Mar 03 15:19:43 2011 -0500" }, "message": "SELinux: Socket retains creator role and MLS attribute\n\nThe socket SID would be computed on creation and no longer inherit\nits creator\u0027s SID by default. Socket may have a different type but\nneeds to retain the creator\u0027s role and MLS attribute in order not\nto break labeled networking and network access control.\n\nThe kernel value for a class would be used to determine if the class\nif one of socket classes. If security_compute_sid is called from\nuserspace the policy value for a class would be mapped to the relevant\nkernel value first.\n\nSigned-off-by: Harry Ciao \u003cqingtao.cao@windriver.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\n" }, { "commit": "4bc6c2d5d8386800fde23a8e78cd4f04a0ade0ad", "tree": "9ed72f305050b876d846b44ccf13f63fcbab1ff4", "parents": [ "0b24dcb7f2f7a0ce9b762eef0362c21c88f47b32" ], "author": { "name": "Harry Ciao", "email": "qingtao.cao@windriver.com", "time": "Wed Mar 02 13:46:08 2011 +0800" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Mar 03 15:19:43 2011 -0500" }, "message": "SELinux: Auto-generate security_is_socket_class\n\nThe security_is_socket_class() is auto-generated by genheaders based\non classmap.h to reduce maintenance effort when a new class is defined\nin SELinux kernel. The name for any socket class should be suffixed by\n\"socket\" and doesn\u0027t contain more than one substr of \"socket\".\n\nSigned-off-by: Harry Ciao \u003cqingtao.cao@windriver.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\n" }, { "commit": "c53fa1ed92cd671a1dfb1e7569e9ab672612ddc6", "tree": "9bb539a7731af94cac0112b8f13771e4a33e0450", "parents": [ "06dc94b1ed05f91e246315afeb1c652d6d0dc9ab" ], "author": { "name": "Patrick McHardy", "email": "kaber@trash.net", "time": "Thu Mar 03 10:55:40 2011 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Thu Mar 03 10:55:40 2011 -0800" }, "message": "netlink: kill loginuid/sessionid/sid members from struct netlink_skb_parms\n\nNetlink message processing in the kernel is synchronous these days, the\nsession information can be collected when needed.\n\nSigned-off-by: Patrick McHardy \u003ckaber@trash.net\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "0b24dcb7f2f7a0ce9b762eef0362c21c88f47b32", "tree": "9c7dc83e169cd4a2e5fd248e4b940f82131627b6", "parents": [ "47ac19ea429aee561f66e9cd05b908e8ffbc498a" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Feb 25 15:39:20 2011 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Feb 25 15:40:00 2011 -0500" }, "message": "Revert \"selinux: simplify ioctl checking\"\n\nThis reverts commit 242631c49d4cf39642741d6627750151b058233b.\n\nConflicts:\n\n\tsecurity/selinux/hooks.c\n\nSELinux used to recognize certain individual ioctls and check\npermissions based on the knowledge of the individual ioctl. In commit\n242631c49d4cf396 the SELinux code stopped trying to understand\nindividual ioctls and to instead looked at the ioctl access bits to\ndetermine in we should check read or write for that operation. This\nsame suggestion was made to SMACK (and I believe copied into TOMOYO).\nBut this suggestion is total rubbish. The ioctl access bits are\nactually the access requirements for the structure being passed into the\nioctl, and are completely unrelated to the operation of the ioctl or the\nobject the ioctl is being performed upon.\n\nTake FS_IOC_FIEMAP as an example. FS_IOC_FIEMAP is defined as:\n\nFS_IOC_FIEMAP _IOWR(\u0027f\u0027, 11, struct fiemap)\n\nSo it has access bits R and W. What this really means is that the\nkernel is going to both read and write to the struct fiemap. It has\nnothing at all to do with the operations that this ioctl might perform\non the file itself!\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\n" }, { "commit": "47ac19ea429aee561f66e9cd05b908e8ffbc498a", "tree": "22a95f4b75ab4dd71949f8f337463638ff6711e3", "parents": [ "4a7ab3dcad0b66a486c468ccf0d6197c5dbe3326" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Feb 25 15:39:20 2011 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Feb 25 15:40:00 2011 -0500" }, "message": "selinux: drop unused packet flow permissions\n\nThese permissions are not used and can be dropped in the kernel\ndefinitions.\n\nSuggested-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\n" }, { "commit": "4a7ab3dcad0b66a486c468ccf0d6197c5dbe3326", "tree": "b88badda1de339ed01149caf05601400d2e2a9dd", "parents": [ "b9679a76187694138099e09d7f5091b73086e6d7" ], "author": { "name": "Steffen Klassert", "email": "steffen.klassert@secunet.com", "time": "Wed Feb 23 12:56:23 2011 +0100" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Feb 25 15:00:51 2011 -0500" }, "message": "selinux: Fix packet forwarding checks on postrouting\n\nThe IPSKB_FORWARDED and IP6SKB_FORWARDED flags are used only in the\nmulticast forwarding case to indicate that a packet looped back after\nforward. So these flags are not a good indicator for packet forwarding.\nA better indicator is the incoming interface. If we have no socket context,\nbut an incoming interface and we see the packet in the ip postroute hook,\nthe packet is going to be forwarded.\n\nWith this patch we use the incoming interface as an indicator on packet\nforwarding.\n\nSigned-off-by: Steffen Klassert \u003csteffen.klassert@secunet.com\u003e\nAcked-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "b9679a76187694138099e09d7f5091b73086e6d7", "tree": "224bfa579013b55ed6c459879ba0aab6d28e8ae2", "parents": [ "8f82a6880d8d03961181d973388e1df2772a8b24" ], "author": { "name": "Steffen Klassert", "email": "steffen.klassert@secunet.com", "time": "Wed Feb 23 12:55:21 2011 +0100" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Feb 25 15:00:47 2011 -0500" }, "message": "selinux: Fix wrong checks for selinux_policycap_netpeer\n\nselinux_sock_rcv_skb_compat and selinux_ip_postroute_compat are just\ncalled if selinux_policycap_netpeer is not set. However in these\nfunctions we check if selinux_policycap_netpeer is set. This leads\nto some dead code and to the fact that selinux_xfrm_postroute_last\nis never executed. This patch removes the dead code and the checks\nfor selinux_policycap_netpeer in the compatibility functions.\n\nSigned-off-by: Steffen Klassert \u003csteffen.klassert@secunet.com\u003e\nAcked-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "8f82a6880d8d03961181d973388e1df2772a8b24", "tree": "b2eb1374f143610dbf06a686fcfee6b77bff110b", "parents": [ "4916ca401e3051dad326ddd69765bd0e3f32fb9b" ], "author": { "name": "Steffen Klassert", "email": "steffen.klassert@secunet.com", "time": "Wed Feb 23 12:54:33 2011 +0100" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Fri Feb 25 15:00:44 2011 -0500" }, "message": "selinux: Fix check for xfrm selinux context algorithm\n\nselinux_xfrm_sec_ctx_alloc accidentally checks the xfrm domain of\ninterpretation against the selinux context algorithm. This patch\nfixes this by checking ctx_alg against the selinux context algorithm.\n\nSigned-off-by: Steffen Klassert \u003csteffen.klassert@secunet.com\u003e\nAcked-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "e33f770426674a565a188042caf3f974f8b3722d", "tree": "6ee309a1cbccec1cef9972fc6c8f8d9b280978f5", "parents": [ "e1ad2ab2cf0cabcd81861e2c61870fc27bb27ded" ], "author": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Tue Feb 22 18:13:15 2011 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Tue Feb 22 18:13:15 2011 -0800" }, "message": "xfrm: Mark flowi arg to security_xfrm_state_pol_flow_match() const.\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "2edeaa34a6e3f2c43b667f6c4f7b27944b811695", "tree": "37dd9156645491a86844ba9198fe05e4e6fe44c5", "parents": [ "257a65d79581880032e0bf0c452f4041b693664c" ], "author": { "name": "Tetsuo Handa", "email": "penguin-kernel@I-love.SAKURA.ne.jp", "time": "Mon Feb 07 13:36:10 2011 +0000" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Feb 07 14:04:00 2011 -0800" }, "message": "CRED: Fix BUG() upon security_cred_alloc_blank() failure\n\nIn cred_alloc_blank() since 2.6.32, abort_creds(new) is called with\nnew-\u003esecurity \u003d\u003d NULL and new-\u003emagic \u003d\u003d 0 when security_cred_alloc_blank()\nreturns an error. As a result, BUG() will be triggered if SELinux is enabled\nor CONFIG_DEBUG_CREDENTIALS\u003dy.\n\nIf CONFIG_DEBUG_CREDENTIALS\u003dy, BUG() is called from __invalid_creds() because\ncred-\u003emagic \u003d\u003d 0. Failing that, BUG() is called from selinux_cred_free()\nbecause selinux_cred_free() is not expecting cred-\u003esecurity \u003d\u003d NULL. This does\nnot affect smack_cred_free(), tomoyo_cred_free() or apparmor_cred_free().\n\nFix these bugs by\n\n(1) Set new-\u003emagic before calling security_cred_alloc_blank().\n\n(2) Handle null cred-\u003esecurity in creds_are_invalid() and selinux_cred_free().\n\nSigned-off-by: Tetsuo Handa \u003cpenguin-kernel@I-love.SAKURA.ne.jp\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "8e6c96935fcc1ed3dbebc96fddfef3f2f2395afc", "tree": "c26297c8ca479972010cadf2058aacd63ce1744f", "parents": [ "652bb9b0d6ce007f37c098947b2cc0c45efa3f66" ], "author": { "name": "Lucian Adrian Grijincu", "email": "lucian.grijincu@gmail.com", "time": "Tue Feb 01 18:42:22 2011 +0200" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Feb 01 11:53:54 2011 -0500" }, "message": "security/selinux: fix /proc/sys/ labeling\n\nThis fixes an old (2007) selinux regression: filesystem labeling for\n/proc/sys returned\n -r--r--r-- unknown /proc/sys/fs/file-nr\ninstead of\n -r--r--r-- system_u:object_r:sysctl_fs_t:s0 /proc/sys/fs/file-nr\n\nEvents that lead to breaking of /proc/sys/ selinux labeling:\n\n1) sysctl was reimplemented to route all calls through /proc/sys/\n\n commit 77b14db502cb85a031fe8fde6c85d52f3e0acb63\n [PATCH] sysctl: reimplement the sysctl proc support\n\n2) proc_dir_entry was removed from ctl_table:\n\n commit 3fbfa98112fc3962c416452a0baf2214381030e6\n [PATCH] sysctl: remove the proc_dir_entry member for the sysctl tables\n\n3) selinux still walked the proc_dir_entry tree to apply\n labeling. Because ctl_tables don\u0027t have a proc_dir_entry, we did\n not label /proc/sys/ inodes any more. To achieve this the /proc/sys/\n inodes were marked private and private inodes were ignored by\n selinux.\n\n commit bbaca6c2e7ef0f663bc31be4dad7cf530f6c4962\n [PATCH] selinux: enhance selinux to always ignore private inodes\n\n commit 86a71dbd3e81e8870d0f0e56b87875f57e58222b\n [PATCH] sysctl: hide the sysctl proc inodes from selinux\n\nAccess control checks have been done by means of a special sysctl hook\nthat was called for read/write accesses to any /proc/sys/ entry.\n\nWe don\u0027t have to do this because, instead of walking the\nproc_dir_entry tree we can walk the dentry tree (as done in this\npatch). With this patch:\n* we don\u0027t mark /proc/sys/ inodes as private\n* we don\u0027t need the sysclt security hook\n* we walk the dentry tree to find the path to the inode.\n\nWe have to strip the PID in /proc/PID/ entries that have a\nproc_dir_entry because selinux does not know how to label paths like\n\u0027/1/net/rpc/nfsd.fh\u0027 (and defaults to \u0027proc_t\u0027 labeling). Selinux does\nknow of \u0027/net/rpc/nfsd.fh\u0027 (and applies the \u0027sysctl_rpc_t\u0027 label).\n\nPID stripping from the path was done implicitly in the previous code\nbecause the proc_dir_entry tree had the root in \u0027/net\u0027 in the example\nfrom above. The dentry tree has the root in \u0027/1\u0027.\n\nSigned-off-by: Eric W. Biederman \u003cebiederm@xmission.com\u003e\nSigned-off-by: Lucian Adrian Grijincu \u003clucian.grijincu@gmail.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "652bb9b0d6ce007f37c098947b2cc0c45efa3f66", "tree": "7bf76f04a1fcaa401761a9a734b94682e2ac8b8c", "parents": [ "2a7dba391e5628ad665ce84ef9a6648da541ebab" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Feb 01 11:05:40 2011 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Feb 01 11:12:30 2011 -0500" }, "message": "SELinux: Use dentry name in new object labeling\n\nCurrently SELinux has rules which label new objects according to 3 criteria.\nThe label of the process creating the object, the label of the parent\ndirectory, and the type of object (reg, dir, char, block, etc.) This patch\nadds a 4th criteria, the dentry name, thus we can distinguish between\ncreating a file in an etc_t directory called shadow and one called motd.\n\nThere is no file globbing, regex parsing, or anything mystical. Either the\npolicy exactly (strcmp) matches the dentry name of the object or it doesn\u0027t.\nThis patch has no changes from today if policy does not implement the new\nrules.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "2a7dba391e5628ad665ce84ef9a6648da541ebab", "tree": "ba0722bd74d2c883dbda7ff721850bab411cac04", "parents": [ "821404434f3324bf23f545050ff64055a149766e" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Feb 01 11:05:39 2011 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Feb 01 11:12:29 2011 -0500" }, "message": "fs/vfs/security: pass last path component to LSM on inode creation\n\nSELinux would like to implement a new labeling behavior of newly created\ninodes. We currently label new inodes based on the parent and the creating\nprocess. This new behavior would also take into account the name of the\nnew object when deciding the new label. This is not the (supposed) full path,\njust the last component of the path.\n\nThis is very useful because creating /etc/shadow is different than creating\n/etc/passwd but the kernel hooks are unable to differentiate these\noperations. We currently require that userspace realize it is doing some\ndifficult operation like that and than userspace jumps through SELinux hoops\nto get things set up correctly. This patch does not implement new\nbehavior, that is obviously contained in a seperate SELinux patch, but it\ndoes pass the needed name down to the correct LSM hook. If no such name\nexists it is fine to pass NULL.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "3ac285ff23cd6e1bc402b6db836521bce006eb89", "tree": "449a7788ba52f3ac0cb7a5ae6a467934163745c2", "parents": [ "e5cce6c13c25d9ac56955a3ae2fd562719848172" ], "author": { "name": "Davidlohr Bueso", "email": "dave@gnu.org", "time": "Fri Jan 21 12:28:04 2011 -0300" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jan 24 11:35:47 2011 +1100" }, "message": "selinux: return -ENOMEM when memory allocation fails\n\nReturn -ENOMEM when memory allocation fails in cond_init_bool_indexes,\ncorrectly propagating error code to caller.\n\nSigned-off-by: Davidlohr Bueso \u003cdave@gnu.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "ced3b93018a9633447ddeb12a96f25e08154cbe7", "tree": "3d227ef6d2630c35127f8f25c123b1c4a0a4ad1f", "parents": [ "7898e1f8e9eb1bee88c92d636e0ab93f2cbe31c6" ], "author": { "name": "Shan Wei", "email": "shanwei@cn.fujitsu.com", "time": "Wed Jan 19 17:21:44 2011 +0800" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jan 24 10:36:11 2011 +1100" }, "message": "security:selinux: kill unused MAX_AVTAB_HASH_MASK and ebitmap_startbit\n\nKill unused MAX_AVTAB_HASH_MASK and ebitmap_startbit.\n\nSigned-off-by: Shan Wei \u003cshanwei@cn.fujitsu.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "e0e736fc0d33861335e2a132e4f688f7fd380c61", "tree": "d9febe9ca1ef1e24efc5e6e1e34e412316d246bd", "parents": [ "a08948812b30653eb2c536ae613b635a989feb6f", "aeda4ac3efc29e4d55989abd0a73530453aa69ba" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Jan 10 11:18:59 2011 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Jan 10 11:18:59 2011 -0800" }, "message": "Merge branch \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6\n\n* \u0027for-linus\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: (30 commits)\n MAINTAINERS: Add tomoyo-dev-en ML.\n SELinux: define permissions for DCB netlink messages\n encrypted-keys: style and other cleanup\n encrypted-keys: verify datablob size before converting to binary\n trusted-keys: kzalloc and other cleanup\n trusted-keys: additional TSS return code and other error handling\n syslog: check cap_syslog when dmesg_restrict\n Smack: Transmute labels on specified directories\n selinux: cache sidtab_context_to_sid results\n SELinux: do not compute transition labels on mountpoint labeled filesystems\n This patch adds a new security attribute to Smack called SMACK64EXEC. It defines label that is used while task is running.\n SELinux: merge policydb_index_classes and policydb_index_others\n selinux: convert part of the sym_val_to_name array to use flex_array\n selinux: convert type_val_to_struct to flex_array\n flex_array: fix flex_array_put_ptr macro to be valid C\n SELinux: do not set automatic i_ino in selinuxfs\n selinux: rework security_netlbl_secattr_to_sid\n SELinux: standardize return code handling in selinuxfs.c\n SELinux: standardize return code handling in selinuxfs.c\n SELinux: standardize return code handling in policydb.c\n ...\n" }, { "commit": "37721e1b0cf98cb65895f234d8c500d270546529", "tree": "6fb3ec6910513b18e100b17432864fa8c46d55e4", "parents": [ "9f99a2f0e44663517b99b69a3e4a499d0ba877df" ], "author": { "name": "Alexey Dobriyan", "email": "adobriyan@gmail.com", "time": "Mon Jan 10 08:17:10 2011 +0200" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Jan 10 08:51:44 2011 -0800" }, "message": "headers: path.h redux\n\nRemove path.h from sched.h and other files.\n\nSigned-off-by: Alexey Dobriyan \u003cadobriyan@gmail.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "aeda4ac3efc29e4d55989abd0a73530453aa69ba", "tree": "35b3d2cca8bfb49cf08bf1c6b55b586c1e5971e7", "parents": [ "d2e7ad19229f982fc1eb731827d82ceac90abfb3", "350e4f31e0eaf56dfc3b328d24a11bdf42a41fb8" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jan 10 10:40:42 2011 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jan 10 10:40:42 2011 +1100" }, "message": "Merge branch \u0027master\u0027 of git://git.infradead.org/users/eparis/selinux into next\n" }, { "commit": "d2e7ad19229f982fc1eb731827d82ceac90abfb3", "tree": "98a3741b4d4b27a48b3c7ea9babe331e539416a8", "parents": [ "d03a5d888fb688c832d470b749acc5ed38e0bc1d", "0c21e3aaf6ae85bee804a325aa29c325209180fd" ], "author": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jan 10 09:46:24 2011 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Jan 10 09:46:24 2011 +1100" }, "message": "Merge branch \u0027master\u0027 into next\n\nConflicts:\n\tsecurity/smack/smack_lsm.c\n\nVerified and added fix by Stephen Rothwell \u003csfr@canb.auug.org.au\u003e\nOk\u0027d by Casey Schaufler \u003ccasey@schaufler-ca.com\u003e\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "b4a45f5fe8078bfc10837dbd5b98735058bc4698", "tree": "df6f13a27610a3ec7eb4a661448cd779a8f84c79", "parents": [ "01539ba2a706ab7d35fc0667dff919ade7f87d63", "b3e19d924b6eaf2ca7d22cba99a517c5171007b6" ], "author": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Jan 07 08:56:33 2011 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Fri Jan 07 08:56:33 2011 -0800" }, "message": "Merge branch \u0027vfs-scale-working\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/npiggin/linux-npiggin\n\n* \u0027vfs-scale-working\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/npiggin/linux-npiggin: (57 commits)\n fs: scale mntget/mntput\n fs: rename vfsmount counter helpers\n fs: implement faster dentry memcmp\n fs: prefetch inode data in dcache lookup\n fs: improve scalability of pseudo filesystems\n fs: dcache per-inode inode alias locking\n fs: dcache per-bucket dcache hash locking\n bit_spinlock: add required includes\n kernel: add bl_list\n xfs: provide simple rcu-walk ACL implementation\n btrfs: provide simple rcu-walk ACL implementation\n ext2,3,4: provide simple rcu-walk ACL implementation\n fs: provide simple rcu-walk generic_check_acl implementation\n fs: provide rcu-walk aware permission i_ops\n fs: rcu-walk aware d_revalidate method\n fs: cache optimise dentry and inode for rcu-walk\n fs: dcache reduce branches in lookup path\n fs: dcache remove d_mounted\n fs: fs_struct use seqlock\n fs: rcu-walk for path lookup\n ...\n" }, { "commit": "dc0474be3e27463d4d4a2793f82366eed906f223", "tree": "41f75e638442cb343bacdcfbabb17ffc3bd5b4ce", "parents": [ "357f8e658bba8a085c4a5d4331e30894be8096b8" ], "author": { "name": "Nick Piggin", "email": "npiggin@kernel.dk", "time": "Fri Jan 07 17:49:43 2011 +1100" }, "committer": { "name": "Nick Piggin", "email": "npiggin@kernel.dk", "time": "Fri Jan 07 17:50:24 2011 +1100" }, "message": "fs: dcache rationalise dget variants\n\ndget_locked was a shortcut to avoid the lazy lru manipulation when we already\nheld dcache_lock (lru manipulation was relatively cheap at that point).\nHowever, how that the lru lock is an innermost one, we never hold it at any\ncaller, so the lock cost can now be avoided. We already have well working lazy\ndcache LRU, so it should be fine to defer LRU manipulations to scan time.\n\nSigned-off-by: Nick Piggin \u003cnpiggin@kernel.dk\u003e\n" }, { "commit": "b5c84bf6f6fa3a7dfdcb556023a62953574b60ee", "tree": "7a2c299a180713e21d5cb653cb933121adf53c31", "parents": [ "949854d02455080d20cd3e1db28a3a18daf7599d" ], "author": { "name": "Nick Piggin", "email": "npiggin@kernel.dk", "time": "Fri Jan 07 17:49:38 2011 +1100" }, "committer": { "name": "Nick Piggin", "email": "npiggin@kernel.dk", "time": "Fri Jan 07 17:50:23 2011 +1100" }, "message": "fs: dcache remove dcache_lock\n\ndcache_lock no longer protects anything. remove it.\n\nSigned-off-by: Nick Piggin \u003cnpiggin@kernel.dk\u003e\n" }, { "commit": "2fd6b7f50797f2e993eea59e0a0b8c6399c811dc", "tree": "ce33b94b34844c09103836cf4cfa4364b742f217", "parents": [ "da5029563a0a026c64821b09e8e7b4fd81d3fe1b" ], "author": { "name": "Nick Piggin", "email": "npiggin@kernel.dk", "time": "Fri Jan 07 17:49:34 2011 +1100" }, "committer": { "name": "Nick Piggin", "email": "npiggin@kernel.dk", "time": "Fri Jan 07 17:50:21 2011 +1100" }, "message": "fs: dcache scale subdirs\n\nProtect d_subdirs and d_child with d_lock, except in filesystems that aren\u0027t\nusing dcache_lock for these anyway (eg. using i_mutex).\n\nNote: if we change the locking rule in future so that -\u003ed_child protection is\nprovided only with -\u003ed_parent-\u003ed_lock, it may allow us to reduce some locking.\nBut it would be an exception to an otherwise regular locking scheme, so we\u0027d\nhave to see some good results. Probably not worthwhile.\n\nSigned-off-by: Nick Piggin \u003cnpiggin@kernel.dk\u003e\n" }, { "commit": "3610cda53f247e176bcbb7a7cca64bc53b12acdb", "tree": "d780bc1e405116e75a194b2f4693a6f9bbe9f58f", "parents": [ "44b8288308ac9da27eab7d7bdbf1375a568805c3" ], "author": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Wed Jan 05 15:38:53 2011 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Wed Jan 05 15:38:53 2011 -0800" }, "message": "af_unix: Avoid socket-\u003esk NULL OOPS in stream connect security hooks.\n\nunix_release() can asynchornously set socket-\u003esk to NULL, and\nit does so without holding the unix_state_lock() on \"other\"\nduring stream connects.\n\nHowever, the reverse mapping, sk-\u003esk_socket, is only transitioned\nto NULL under the unix_state_lock().\n\nTherefore make the security hooks follow the reverse mapping instead\nof the forward mapping.\n\nReported-by: Jeremy Fitzhardinge \u003cjeremy@goop.org\u003e\nReported-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "17f7f4d9fcce8f1b75b5f735569309dee7665968", "tree": "14d7e49ca0053a0fcab3c33b5023bf3f90c5c08a", "parents": [ "041110a439e21cd40709ead4ffbfa8034619ad77", "d7c1255a3a21e98bdc64df8ccf005a174d7e6289" ], "author": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Sun Dec 26 22:37:05 2010 -0800" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Sun Dec 26 22:37:05 2010 -0800" }, "message": "Merge branch \u0027master\u0027 of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6\n\nConflicts:\n\tnet/ipv4/fib_frontend.c\n" }, { "commit": "350e4f31e0eaf56dfc3b328d24a11bdf42a41fb8", "tree": "8b825e93e80367fc55f43641037301abfcca0b17", "parents": [ "73ff5fc0a86b28b77e02a6963b388d1dbfa0a263" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Dec 16 11:46:51 2010 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Dec 16 12:50:17 2010 -0500" }, "message": "SELinux: define permissions for DCB netlink messages\n\nCommit 2f90b865 added two new netlink message types to the netlink route\nsocket. SELinux has hooks to define if netlink messages are allowed to\nbe sent or received, but it did not know about these two new message\ntypes. By default we allow such actions so noone likely noticed. This\npatch adds the proper definitions and thus proper permissions\nenforcement.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "73ff5fc0a86b28b77e02a6963b388d1dbfa0a263", "tree": "7b84f738078e6b96f6b35805c8b6c4fa699968ed", "parents": [ "415103f9932d45f7927f4b17e3a9a13834cdb9a1" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Dec 07 16:17:28 2010 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Dec 07 16:44:01 2010 -0500" }, "message": "selinux: cache sidtab_context_to_sid results\n\nsidtab_context_to_sid takes up a large share of time when creating large\nnumbers of new inodes (~30-40% in oprofile runs). This patch implements a\ncache of 3 entries which is checked before we do a full context_to_sid lookup.\nOn one system this showed over a x3 improvement in the number of inodes that\ncould be created per second and around a 20% improvement on another system.\n\nAny time we look up the same context string sucessivly (imagine ls -lZ) we\nshould hit this cache hot. A cache miss should have a relatively minor affect\non performance next to doing the full table search.\n\nAll operations on the cache are done COMPLETELY lockless. We know that all\nstruct sidtab_node objects created will never be deleted until a new policy is\nloaded thus we never have to worry about a pointer being dereferenced. Since\nwe also know that pointer assignment is atomic we know that the cache will\nalways have valid pointers. Given this information we implement a FIFO cache\nin an array of 3 pointers. Every result (whether a cache hit or table lookup)\nwill be places in the 0 spot of the cache and the rest of the entries moved\ndown one spot. The 3rd entry will be lost.\n\nRaces are possible and are even likely to happen. Lets assume that 4 tasks\nare hitting sidtab_context_to_sid. The first task checks against the first\nentry in the cache and it is a miss. Now lets assume a second task updates\nthe cache with a new entry. This will push the first entry back to the second\nspot. Now the first task might check against the second entry (which it\nalready checked) and will miss again. Now say some third task updates the\ncache and push the second entry to the third spot. The first task my check\nthe third entry (for the third time!) and again have a miss. At which point\nit will just do a full table lookup. No big deal!\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "415103f9932d45f7927f4b17e3a9a13834cdb9a1", "tree": "271746ba59ca5b19185574538b5af3e30178c04f", "parents": [ "1d9bc6dc5b6b9cc9299739f0245ce4841f066b92" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Dec 02 16:13:40 2010 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Thu Dec 02 16:14:51 2010 -0500" }, "message": "SELinux: do not compute transition labels on mountpoint labeled filesystems\n\nselinux_inode_init_security computes transitions sids even for filesystems\nthat use mount point labeling. It shouldn\u0027t do that. It should just use\nthe mount point label always and no matter what.\n\nThis causes 2 problems. 1) it makes file creation slower than it needs to be\nsince we calculate the transition sid and 2) it allows files to be created\nwith a different label than the mount point!\n\n# id -Z\nstaff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023\n# sesearch --type --class file --source sysadm_t --target tmp_t\nFound 1 semantic te rules:\n type_transition sysadm_t tmp_t : file user_tmp_t;\n\n# mount -o loop,context\u003d\"system_u:object_r:tmp_t:s0\" /tmp/fs /mnt/tmp\n\n# ls -lZ /mnt/tmp\ndrwx------. root root system_u:object_r:tmp_t:s0 lost+found\n# touch /mnt/tmp/file1\n# ls -lZ /mnt/tmp\n-rw-r--r--. root root staff_u:object_r:user_tmp_t:s0 file1\ndrwx------. root root system_u:object_r:tmp_t:s0 lost+found\n\nWhoops, we have a mount point labeled filesystem tmp_t with a user_tmp_t\nlabeled file!\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nReviewed-by: Reviewed-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "1d9bc6dc5b6b9cc9299739f0245ce4841f066b92", "tree": "aa1fe241ebdd6fb74ae468c1cf301dff4315db49", "parents": [ "ac76c05becb6beedbb458d0827d3deaa6f479a72" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Nov 29 15:47:09 2010 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Nov 30 17:28:58 2010 -0500" }, "message": "SELinux: merge policydb_index_classes and policydb_index_others\n\nWe duplicate functionality in policydb_index_classes() and\npolicydb_index_others(). This patch merges those functions just to make it\nclear there is nothing special happening here.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "ac76c05becb6beedbb458d0827d3deaa6f479a72", "tree": "255276b52f7b031671ae5948b39d7c92e50ba420", "parents": [ "23bdecb000c806cf4ec52764499a600f7200d7a9" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Nov 29 15:47:09 2010 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Nov 30 17:28:58 2010 -0500" }, "message": "selinux: convert part of the sym_val_to_name array to use flex_array\n\nThe sym_val_to_name type array can be quite large as it grows linearly with\nthe number of types. With known policies having over 5k types these\nallocations are growing large enough that they are likely to fail. Convert\nthose to flex_array so no allocation is larger than PAGE_SIZE\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "23bdecb000c806cf4ec52764499a600f7200d7a9", "tree": "f13a523f6bec22c5e7ec58ea02a4988aefe7c8ac", "parents": [ "c41ab6a1b9028de33e74101cb0aae13098a56fdb" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Nov 29 15:47:09 2010 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Nov 30 17:28:57 2010 -0500" }, "message": "selinux: convert type_val_to_struct to flex_array\n\nIn rawhide type_val_to_struct will allocate 26848 bytes, an order 3\nallocations. While this hasn\u0027t been seen to fail it isn\u0027t outside the\nrealm of possibiliy on systems with severe memory fragmentation. Convert\nto flex_array so no allocation will ever be bigger than PAGE_SIZE.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "c9e86a9b95f198d7df49b25fcd808ee39cba218f", "tree": "0e62d348103f25a612d649c796cab225db2372c3", "parents": [ "7ae9f23cbd3ef9daff7f768da4bfd4c56b19300d" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Nov 29 15:46:39 2010 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Nov 30 17:28:57 2010 -0500" }, "message": "SELinux: do not set automatic i_ino in selinuxfs\n\nselinuxfs carefully uses i_ino to figure out what the inode refers to. The\nVFS used to generically set this value and we would reset it to something\nuseable. After 85fe4025c616 each filesystem sets this value to a default\nif needed. Since selinuxfs doesn\u0027t use the default value and it can only\nlead to problems (I\u0027d rather have 2 inodes with i_ino \u003d\u003d 0 than one\npointing to the wrong data) lets just stop setting a default.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "7ae9f23cbd3ef9daff7f768da4bfd4c56b19300d", "tree": "8a92d6d1f05268c27f0e37d5684e947c6111d89e", "parents": [ "4b02b524487622ce1cf472123899520b583f47dc" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Nov 23 11:40:09 2010 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Nov 30 17:28:57 2010 -0500" }, "message": "selinux: rework security_netlbl_secattr_to_sid\n\nsecurity_netlbl_secattr_to_sid is difficult to follow, especially the\nreturn codes. Try to make the function obvious.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "4b02b524487622ce1cf472123899520b583f47dc", "tree": "58802e2968852cb1eb0f8f6303fbfaf3d85ecc53", "parents": [ "b77a493b1dc8010245feeac001e5c7ed0988678f" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Nov 23 11:40:08 2010 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Nov 30 17:28:57 2010 -0500" }, "message": "SELinux: standardize return code handling in selinuxfs.c\n\nselinuxfs.c has lots of different standards on how to handle return paths on\nerror. For the most part transition to\n\n\trc\u003derrno\n\tif (failure)\n\t\tgoto out;\n[...]\nout:\n\tcleanup()\n\treturn rc;\n\nInstead of doing cleanup mid function, or having multiple returns or other\noptions. This doesn\u0027t do that for every function, but most of the complex\nfunctions which have cleanup routines on error.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "b77a493b1dc8010245feeac001e5c7ed0988678f", "tree": "f0d2364ce8ed46ab569f3a41cbebb9a51bffb0f0", "parents": [ "9398c7f794078dc1768cc061b3da8cdd59f179a5" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Nov 23 11:40:08 2010 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Nov 30 17:28:57 2010 -0500" }, "message": "SELinux: standardize return code handling in selinuxfs.c\n\nselinuxfs.c has lots of different standards on how to handle return paths on\nerror. For the most part transition to\n\n\trc\u003derrno\n\tif (failure)\n\t\tgoto out;\n[...]\nout:\n\tcleanup()\n\treturn rc;\n\nInstead of doing cleanup mid function, or having multiple returns or other\noptions. This doesn\u0027t do that for every function, but most of the complex\nfunctions which have cleanup routines on error.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "9398c7f794078dc1768cc061b3da8cdd59f179a5", "tree": "16e665d3bf7160e2da67b236b27a6bf87a73d5e2", "parents": [ "e8a7e48bb248a1196484d3f8afa53bded2b24e71" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Nov 23 11:40:08 2010 -0500" }, "committer": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Nov 30 17:28:56 2010 -0500" }, "message": "SELinux: standardize return code handling in policydb.c\n\npolicydb.c has lots of different standards on how to handle return paths on\nerror. For the most part transition to\n\n\trc\u003derrno\n\tif (failure)\n\t\tgoto out;\n[...]\nout:\n\tcleanup()\n\treturn rc;\n\nInstead of doing cleanup mid function, or having multiple returns or other\noptions. This doesn\u0027t do that for every function, but most of the complex\nfunctions which have cleanup routines on error.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\n" }, { "commit": "ce6ada35bdf710d16582cc4869c26722547e6f11", "tree": "c2b5fd46c883f4b7285b191bac55940022662b43", "parents": [ "1d6d75684d869406e5bb2ac5d3ed9454f52d0cab" ], "author": { "name": "Serge E. Hallyn", "email": "serge@hallyn.com", "time": "Thu Nov 25 17:11:32 2010 +0000" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Mon Nov 29 08:35:12 2010 +1100" }, "message": "security: Define CAP_SYSLOG\n\nPrivileged syslog operations currently require CAP_SYS_ADMIN. Split\nthis off into a new CAP_SYSLOG privilege which we can sanely take away\nfrom a container through the capability bounding set.\n\nWith this patch, an lxc container can be prevented from messing with\nthe host\u0027s syslog (i.e. dmesg -c).\n\nChangelog: mar 12 2010: add selinux capability2:cap_syslog perm\nChangelog: nov 22 2010:\n\t. port to new kernel\n\t. add a WARN_ONCE if userspace isn\u0027t using CAP_SYSLOG\n\nSigned-off-by: Serge Hallyn \u003cserge.hallyn@ubuntu.com\u003e\nAcked-by: Andrew G. Morgan \u003cmorgan@kernel.org\u003e\nAcked-By: Kees Cook \u003ckees.cook@canonical.com\u003e\nCc: James Morris \u003cjmorris@namei.org\u003e\nCc: Michael Kerrisk \u003cmtk.manpages@gmail.com\u003e\nCc: Stephen Smalley \u003csds@tycho.nsa.gov\u003e\nCc: \"Christopher J. PeBenito\" \u003ccpebenito@tresys.com\u003e\nCc: Eric Paris \u003ceparis@parisplace.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "2fe66ec242d3f76e3b0101f36419e7e5405bcff3", "tree": "2091420d53ae1bf9e7673c2275b36c6b1e6aac1b", "parents": [ "04f6d70f6e64900a5d70a5fc199dd9d5fa787738" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Nov 23 06:28:08 2010 +0000" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Tue Nov 23 10:50:17 2010 -0800" }, "message": "SELinux: indicate fatal error in compat netfilter code\n\nThe SELinux ip postroute code indicates when policy rejected a packet and\npasses the error back up the stack. The compat code does not. This patch\nsends the same kind of error back up the stack in the compat code.\n\nBased-on-patch-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nReviewed-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "04f6d70f6e64900a5d70a5fc199dd9d5fa787738", "tree": "68d369f422f98842031ae4ada17e391140165b54", "parents": [ "eb06acdc85585f28864261f28659157848762ee4" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Nov 23 06:28:02 2010 +0000" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Tue Nov 23 10:50:17 2010 -0800" }, "message": "SELinux: Only return netlink error when we know the return is fatal\n\nSome of the SELinux netlink code returns a fatal error when the error might\nactually be transient. This patch just silently drops packets on\npotentially transient errors but continues to return a permanant error\nindicator when the denial was because of policy.\n\nBased-on-comments-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nReviewed-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "1f1aaf82825865a50cef0b4722607abb12aeee52", "tree": "9ab2495097fa2944404ab41bfb3038de374f5626", "parents": [ "ee58681195bf243bafc44ca53f3c24429d096cce" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Tue Nov 16 11:52:57 2010 +0000" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Wed Nov 17 10:54:35 2010 -0800" }, "message": "SELinux: return -ECONNREFUSED from ip_postroute to signal fatal error\n\nThe SELinux netfilter hooks just return NF_DROP if they drop a packet. We\nwant to signal that a drop in this hook is a permanant fatal error and is not\ntransient. If we do this the error will be passed back up the stack in some\nplaces and applications will get a faster interaction that something went\nwrong.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n" }, { "commit": "12b3052c3ee8f508b2c7ee4ddd63ed03423409d8", "tree": "b97d0f209f363cfad94ce9d075312274e349da89", "parents": [ "6800e4c0ea3e96cf78953b8b5743381cb1bb9e37" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Mon Nov 15 18:36:29 2010 -0500" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@linux-foundation.org", "time": "Mon Nov 15 15:40:01 2010 -0800" }, "message": "capabilities/syslog: open code cap_syslog logic to fix build failure\n\nThe addition of CONFIG_SECURITY_DMESG_RESTRICT resulted in a build\nfailure when CONFIG_PRINTK\u003dn. This is because the capabilities code\nwhich used the new option was built even though the variable in question\ndidn\u0027t exist.\n\nThe patch here fixes this by moving the capabilities checks out of the\nLSM and into the caller. All (known) LSMs should have been calling the\ncapabilities hook already so it actually makes the code organization\nbetter to eliminate the hook altogether.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n" }, { "commit": "fc14f2fef682df677d64a145256dbd263df2aa7b", "tree": "74f6b939fbad959a43c04ec646cd0adc8af5f53a", "parents": [ "848b83a59b772b8f102bc5e3f1187c2fa5676959" ], "author": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Sun Jul 25 01:48:30 2010 +0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Fri Oct 29 04:16:28 2010 -0400" }, "message": "convert get_sb_single() users\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "85fe4025c616a7c0ed07bc2fc8c5371b07f3888c", "tree": "7a5db7accb6192f2911f2473b4e3191227b914cc", "parents": [ "f991bd2e14210fb93d722cb23e54991de20e8a3d" ], "author": { "name": "Christoph Hellwig", "email": "hch@lst.de", "time": "Sat Oct 23 11:19:54 2010 -0400" }, "committer": { "name": "Al Viro", "email": "viro@zeniv.linux.org.uk", "time": "Mon Oct 25 21:26:11 2010 -0400" }, "message": "fs: do not assign default i_ino in new_inode\n\nInstead of always assigning an increasing inode number in new_inode\nmove the call to assign it into those callers that actually need it.\nFor now callers that need it is estimated conservatively, that is\nthe call is added to all filesystems that do not assign an i_ino\nby themselves. For a few more filesystems we can avoid assigning\nany inode number given that they aren\u0027t user visible, and for others\nit could be done lazily when an inode number is actually needed,\nbut that\u0027s left for later patches.\n\nSigned-off-by: Christoph Hellwig \u003chch@lst.de\u003e\nSigned-off-by: Dave Chinner \u003cdchinner@redhat.com\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n" }, { "commit": "f0d3d9894e43fc68d47948e2c6f03e32da88b799", "tree": "685f386b1f114a29c6db8d5f2f947620b4df0285", "parents": [ "ff660c80d00b52287f1f67ee6c115dc0057bcdde" ], "author": { "name": "Stephen Rothwell", "email": "sfr@canb.auug.org.au", "time": "Wed Oct 20 16:08:00 2010 +1100" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Oct 21 10:13:01 2010 +1100" }, "message": "selinux: include vmalloc.h for vmalloc_user\n\nInclude vmalloc.h for vmalloc_user (fixes ppc build warning).\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\n\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "845ca30fe9691f1bab7cfbf30b6d11c944eb4abd", "tree": "eabf2b17957c2214375f870387eaab6c43d9e931", "parents": [ "cee74f47a6baba0ac457e87687fdcf0abd599f0a" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Oct 13 17:50:31 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Oct 21 10:12:59 2010 +1100" }, "message": "selinux: implement mmap on /selinux/policy\n\n/selinux/policy allows a user to copy the policy back out of the kernel.\nThis patch allows userspace to actually mmap that file and use it directly.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" }, { "commit": "cee74f47a6baba0ac457e87687fdcf0abd599f0a", "tree": "3d9fdb073050664e62d9cdb6c28112090cd138da", "parents": [ "00d85c83ac52e2c1a66397f1abc589f80c543425" ], "author": { "name": "Eric Paris", "email": "eparis@redhat.com", "time": "Wed Oct 13 17:50:25 2010 -0400" }, "committer": { "name": "James Morris", "email": "jmorris@namei.org", "time": "Thu Oct 21 10:12:58 2010 +1100" }, "message": "SELinux: allow userspace to read policy back out of the kernel\n\nThere is interest in being able to see what the actual policy is that was\nloaded into the kernel. The patch creates a new selinuxfs file\n/selinux/policy which can be read by userspace. The actual policy that is\nloaded into the kernel will be written back out to userspace.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n" } ], "next": "00d85c83ac52e2c1a66397f1abc589f80c543425" }